Simplify flake and expose host pkgs

The configuration of the machines is now moved to m/
2023-06-14 17:28:00 +02:00
parent 801bb4ba3c
commit a43016ebee
29 changed files with 39 additions and 112 deletions
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, agenix, ... }:
+
+{
+  imports = [
+    ../common/main.nix
+
+    ./gitlab-runner.nix
+    ./monitoring.nix
+    ./nfs.nix
+    ./slurm-daemon.nix
+    agenix.nixosModules.default
+  ];
+
+  # Select the this using the ID to avoid mismatches
+  boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2BB240G7_PHDV6462004Y240AGN";
+
+  networking = {
+    hostName = "hut";
+    interfaces.eno1.ipv4.addresses = [ {
+      address = "10.0.40.7";
+      prefixLength = 24;
+    } ];
+    interfaces.ibp5s0.ipv4.addresses = [ {
+      address = "10.0.42.7";
+      prefixLength = 24;
+    } ];
+  };
+}
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -0,0 +1,62 @@
+{ pkgs, lib, config, ... }:
+
+{
+  age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age;
+  age.secrets."secrets/nosv-token".file = ./secrets/nosv-token.age;
+
+  services.gitlab-runner = {
+    enable = true;
+    settings.concurrent = 5;
+    services = {
+      ovni-shell = {
+        registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+        executor = "shell";
+        tagList = [ "nix" "xeon" ];
+        environmentVariables = {
+          SHELL = "${pkgs.bash}/bin/bash";
+        };
+      };
+      ovni-docker = {
+        registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+        dockerImage = "debian:stable";
+        tagList = [ "docker" "xeon" ];
+        registrationFlags = [ "--docker-network-mode host" ];
+        environmentVariables = {
+          https_proxy = "http://localhost:23080";
+          http_proxy = "http://localhost:23080";
+        };
+      };
+      nosv-docker = {
+        registrationConfigFile = config.age.secrets."secrets/nosv-token".path;
+        dockerImage = "debian:stable";
+        tagList = [ "docker" "xeon" ];
+        registrationFlags = [
+          "--docker-network-mode host"
+          "--docker-cpus 56"
+        ];
+        environmentVariables = {
+          https_proxy = "http://localhost:23080";
+          http_proxy = "http://localhost:23080";
+        };
+      };
+    };
+  };
+
+  #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
+  systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;
+  systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner";
+  systemd.services.gitlab-runner.serviceConfig.Group = "gitlab-runner";
+  systemd.services.gitlab-runner.serviceConfig.ExecStart = lib.mkForce
+    ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
+
+  users.users.gitlab-runner = {
+    uid = config.ids.uids.gitlab-runner;
+    #isNormalUser = true;
+    home = "/var/lib/gitlab-runner";
+    description = "Gitlab Runner";
+    group = "gitlab-runner";
+    extraGroups = [ "docker" ];
+    createHome = true;
+  };
+  users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+}
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        domain = "jungle.bsc.es";
+        root_url = "%(protocol)s://%(domain)s/grafana";
+        serve_from_sub_path = true;
+        http_port = 2342;
+        http_addr = "127.0.0.1";
+      };
+      feature_toggles.publicDashboards = true;
+    };
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+  };
+
+  systemd.services.prometheus-ipmi-exporter.serviceConfig.DynamicUser = lib.mkForce false;
+  systemd.services.prometheus-ipmi-exporter.serviceConfig.PrivateDevices = lib.mkForce false;
+
+  virtualisation.docker.daemon.settings = {
+    metrics-addr = "127.0.0.1:9323";
+  };
+
+  # Required to allow the smartctl exporter to read the nvme0 character device,
+  # see the commit message on:
+  # https://github.com/NixOS/nixpkgs/commit/12c26aca1fd55ab99f831bedc865a626eee39f80
+  services.udev.extraRules = ''
+    SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
+  '';
+
+  services.prometheus = {
+
+    exporters = {
+      ipmi.enable = true;
+      ipmi.group = "root";
+      ipmi.user = "root";
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+      smartctl.enable = true;
+    };
+
+    scrapeConfigs = [
+      {
+        job_name = "xeon07";
+        static_configs = [{
+          targets = [
+            "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+            "127.0.0.1:${toString config.services.prometheus.exporters.ipmi.port}"
+            "127.0.0.1:9323"
+            "127.0.0.1:9252"
+            "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
+          ];
+        }];
+      }
+    ];
+  };
+}
--- a/m/hut/nfs.nix
+++ b/m/hut/nfs.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  services.nfs.server.enable = true;
+  services.nfs.server.exports = ''
+    /nix 10.0.40.0/24(ro,sync,no_subtree_check,root_squash)
+  '';
+  networking.firewall.allowedTCPPorts = [ 2049 ];
+}
--- a/m/hut/secrets.nix
+++ b/m/hut/secrets.nix
@@ -0,0 +1,9 @@
+let
+  root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb";
+  system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1";
+  systems = [ root system ];
+in
+{
+  "secrets/ovni-token.age".publicKeys = systems;
+  "secrets/nosv-token.age".publicKeys = systems;
+}
--- a/m/hut/secrets/nosv-token.age
+++ b/m/hut/secrets/nosv-token.age
--- a/m/hut/secrets/ovni-token.age
+++ b/m/hut/secrets/ovni-token.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 MSF3dg Ivlduky3TjzCthY9RB/Jb0+MouX2FYW06hoNdQ+f818
+NKnuQrTQBXjTArXG6/5KV5cdg/9JUk/l3vVdYq0fXOE
+-> ssh-ed25519 HY2yRg 1ZCKpZ7sXNPgllHoozCgyW8NqK2TCoyCYZdug6YeJkM
+BEeThDkjfaK9S5a81HcyaZv9zobKANVMEimduc/IO54
+-> &eB%}y-grease o;.XY Yirz }Xh\DG
+CkLRClqWRkCr7n8o5UV9+kdCik2iTG/dI1s666CKcgxbAPohmryJzOKdgRLyzCf0
+CSPMUfrixmuQtuShigtmY6Pm2A
+--- GEuNMnWZ3+B6QNXv7s7bfJdJ2bJAAW+jbfHQZ0UQB+k
+<EFBFBD><EFBFBD>3<EFBFBD><EFBFBD>.<2E>-<2D>Ӯ<EFBFBD>ƿD<C6BF><44><EFBFBD>{\<5C><><EFBFBD>%<25><>R0<>߷<EFBFBD><DFB7><EFBFBD><EFBFBD><EFBFBD><EFBFBD>|<7C>P<EFBFBD>F<EFBFBD><46>x<EFBFBD>s<1E>_P<5F><50>x`4<>,<2C>z35<33>L<EFBFBD><4C><01>drj<72>2<EFBFBD><02>^<5E>
+<EFBFBD><EFBFBD>]<5D>h<>4~AP<41><EFBFBD>e3fT<66>E<EFBFBD>l*<2A>8z.<2E><><EFBFBD>x2<78>0<>7
--- a/m/hut/slurm-daemon.nix
+++ b/m/hut/slurm-daemon.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  services.slurm = {
+    server.enable = true;
+    partitionName = [
+      "xeon Nodes=xeon[01-02,07] Default=YES MaxTime=INFINITE State=UP"
+    ];
+  };
+}