Force hydra to use IPv4 only

Enable hydra
2025-10-07 17:24:33 +02:00 · 2025-10-07 17:24:33 +02:00
17 changed files with 42 additions and 150 deletions
--- a/m/common/base.nix
+++ b/m/common/base.nix
@@ -11,13 +11,11 @@
    ./base/hw.nix
    ./base/net.nix
    ./base/nix.nix
    ./base/sys-devices.nix
    ./base/ntp.nix
    ./base/rev.nix
    ./base/ssh.nix
    ./base/users.nix
    ./base/watchdog.nix
    ./base/zsh.nix
    ./base/fish.nix
  ];
 }
--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@@ -5,8 +5,6 @@
    vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
    nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
    ncdu config.boot.kernelPackages.perf ldns pv
    nix-output-monitor
    nixfmt-rfc-style
    # From bsckgs overlay
    osumb
  ];
--- a/m/common/base/fish.nix
+++ b/m/common/base/fish.nix
@@ -1,4 +0,0 @@
 { ... }:
 {
  programs.fish.enable = true;
 }
--- a/m/common/base/sys-devices.nix
+++ b/m/common/base/sys-devices.nix
@@ -1,9 +0,0 @@
 {
  nix.settings.system-features = [ "sys-devices" ];
  programs.nix-required-mounts.enable = true;
  programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
    "/sys/devices/system/cpu"
    "/sys/devices/system/node"
  ];
 }
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -87,12 +87,6 @@
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
        ];
        shell = pkgs.fish;
        packages = with pkgs; [
          starship
          jujutsu
          neovim
        ];
      };
      vlopez = {
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -17,6 +17,7 @@
    ./postgresql.nix
    ./nginx.nix
    ./p.nix
    ./hydra.nix
    #./pxe.nix
  ];
--- a/m/hut/hydra.nix
+++ b/m/hut/hydra.nix
@@ -0,0 +1,15 @@
 { ... }:
 {
  services.hydra = {
    enable = true;
    hydraURL = "http://jungle.bsc.es/hydra"; # externally visible URL
    notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
    port = 3001;
    # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
    buildMachinesFiles = [];
    # you will probably also want, otherwise *everything* will be built from scratch
    useSubstitutes = true;
    listenHost = "0.0.0.0"; # Force IPv4
  };
 }
--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@@ -48,6 +48,17 @@ in
          proxy_pass http://127.0.0.1:5000;
          proxy_redirect http:// $scheme://;
        }
        location /hydra {
          rewrite ^/hydra/(.*) /$1 break;
          proxy_pass http://127.0.0.1:3001;
          proxy_redirect http:// $scheme://;
          proxy_set_header  Host              $host;
          proxy_set_header  X-Real-IP         $remote_addr;
          proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Proto $scheme;
          proxy_set_header  X-Request-Base    /hydra;
        }
        location /lists {
          proxy_pass http://127.0.0.1:8081;
          proxy_redirect http:// $scheme://;
--- a/m/weasel/configuration.nix
+++ b/m/weasel/configuration.nix
@@ -1,11 +1,9 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {
  imports = [
    ../common/ssf.nix
    ../module/hut-substituter.nix
    ./virtualization.nix
    ./hydra.nix
  ];
  # Select this using the ID to avoid mismatches
@@ -32,23 +30,4 @@
      prefixLength = 24;
    } ];
  };
  services.nix-serve = {
    enable = true;
    bindAddress = "0.0.0.0";
    port = 5000;
    package = pkgs.haskell.lib.overrideSrc (pkgs.haskell.packages.ghc96.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_28; }) {
      src = pkgs.fetchgit {
        url = "https://jungle.bsc.es/git/abonerib/nix-serve-ng.git";
        rev = "9c056641300a826db66b66d7e584b2541d38927a";
        hash = "sha256-y69ZchFiZOU71eyeljcQgLxkLk5JUzZfanq8Yzw4MkI=";
      };
      version = "unstable";
    };
    secretKeyFile = "/var/cache-priv-key.pem";
    # Public key:
    # 10.0.40.6:8jBhIdXEBap+Qo+vc1/fnV9vj43A2oDk839EEheRr/U=
  };
 }
--- a/m/weasel/hydra.nix
+++ b/m/weasel/hydra.nix
@@ -1,52 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  services.hydra = {
    enable = true;
    # Wrap hydra so it puts quiet flag every time... This is dumb and annoying,
    # but i can't override the systemd ExecStart without running into infinite
    # recursion.
    package = pkgs.symlinkJoin {
      name = "hydra-quiet";
      paths = [ pkgs.hydra ];
      postBuild = ''
        for prog in hydra-queue-runner hydra-evaluator ; do
          prev=$(realpath $out/bin/$prog)
          rm $out/bin/$prog
          cat >$out/bin/$prog <<EOF
        #!/bin/sh
        args=()
        for arg in "\$@"; do
          if [ "\$arg" != "-v" ]; then
            args+=("\$arg")
          fi
        done
        exec $prev --quiet "\''${args[@]}"
        EOF
          chmod +x $out/bin/$prog
        done
      '';
    };
    hydraURL = "http://localhost:3001"; # externally visible URL
    notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
    port = 3001;
    # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
    buildMachinesFiles = [ ];
    # you will probably also want, otherwise *everything* will be built from scratch
    useSubstitutes = true;
    listenHost = "0.0.0.0"; # Force IPv4
  };
  systemd.services.hydra-send-stats.enable = lib.mkForce false;
  networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
  nix.settings.extra-allowed-uris = [
    "git+ssh://git@bscpm04.bsc.es"
    "git+ssh://git@gitlab-internal.bsc.es"
    "https://github.com"
    "git+ssh://github.com"
  ];
 }
--- a/m/weasel/virtualization.nix
+++ b/m/weasel/virtualization.nix
@@ -1,40 +0,0 @@
 {
  lib,
  pkgs,
  config,
  ...
 }:
 {
  # Enable common container config files in /etc/containers
  virtualisation.containers.enable = true;
  virtualisation = {
    podman = {
      enable = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };
  # We cannot use /home since nfs does not support fileattrs needed by podman
  systemd.tmpfiles.settings = {
    "podman-users" = lib.mapAttrs' (
      name: value:
      lib.nameValuePair ("/var/lib/podman-users/" + name) {
        d = {
          group = value.group;
          mode = value.homeMode;
          user = name;
        };
      }
    ) (lib.filterAttrs (_: x: x.isNormalUser) config.users.users);
  };
  # Useful other development tools
  environment.systemPackages = with pkgs; [
    dive # look into docker image layers
    podman-tui # status of containers in the terminal
    podman-compose # start group of containers for dev
  ];
 }
--- a/overlay.nix
+++ b/overlay.nix
@@ -62,7 +62,7 @@ let
  };
  tests = rec {
-    hwloc = callPackage ./test/bugs/hwloc.nix { };
+    #hwloc = callPackage ./test/bugs/hwloc.nix { }; # Broken, no /sys
    #sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
    hello-c = callPackage ./test/compilers/hello-c.nix { };
    hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
--- a/test/bugs/hwloc.nix
+++ b/test/bugs/hwloc.nix
@@ -6,7 +6,6 @@
 stdenv.mkDerivation {
  name = "hwloc-test";
  requiredSystemFeatures = [ "sys-devices" ];
  src = ./.;
@@ -15,7 +14,7 @@ stdenv.mkDerivation {
  buildPhase = ''
    ls -l /sys
    gcc -lhwloc hwloc.c -o hwloc
-    strace ./hwloc > $out
+    strace ./hwloc
  '';
 }
--- a/test/compilers/clang-openmp-ld.nix
+++ b/test/compilers/clang-openmp-ld.nix
@@ -23,8 +23,9 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;
-  # nOS-V requires access to /sys/devices to request NUMA information
+  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  requiredSystemFeatures = [ "sys-devices" ];
+  # fail to run otherwise, so we disable the sandbox for this test.
  __noChroot = true;
  buildInputs = [ openmp ];
--- a/test/compilers/clang-openmp-nosv.nix
+++ b/test/compilers/clang-openmp-nosv.nix
@@ -36,8 +36,9 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;
-  # nOS-V requires access to /sys/devices to request NUMA information
+  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  requiredSystemFeatures = [ "sys-devices" ];
+  # fail to run otherwise, so we disable the sandbox for this test.
  __noChroot = true;
  buildInputs = [ nosv ];
--- a/test/compilers/clang-openmp.nix
+++ b/test/compilers/clang-openmp.nix
@@ -24,8 +24,9 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;
-  # nOS-V requires access to /sys/devices to request NUMA information
+  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  requiredSystemFeatures = [ "sys-devices" ];
+  # fail to run otherwise, so we disable the sandbox for this test.
  __noChroot = true;
  buildPhase = ''
    set -x
--- a/test/compilers/ompss2.nix
+++ b/test/compilers/ompss2.nix
@@ -25,10 +25,9 @@ stdenv.mkDerivation rec {
  hardeningDisable = [ "all" ];
  #NIX_DEBUG = 1;
  buildInputs = [ ]; #strace gdb;
-
+  # NODES requires access to /sys/devices to request NUMA information. It will
-  # NODES requires access to /sys/devices to request NUMA information
+  # fail to run otherwise, so we disable the sandbox for this test.
-  requiredSystemFeatures = [ "sys-devices" ];
+  __noChroot = true;
  buildPhase = ''
    set -x
    #$CC -v
Author	SHA1	Message	Date
Aleix Boné	3fd212176f	Force hydra to use IPv4 only	2025-10-07 17:24:33 +02:00
Aleix Boné	3f4106707e	Enable hydra	2025-10-07 17:24:33 +02:00