Commit e73937bd authored by Valentin Reis

[deployment] displacing the hydra farm to the desktop machine.

parent f594fd54
......@@ -11,12 +11,12 @@ in
network.description = "argo-ci";
network.enableRollback = false;
main =
hydra =
{ config, ... }:
{
require=argomodules;
environment.argo.known-hosts.enable=true;
environment.argo.provider-tacc.enable=true;
environment.argo.provider-openspace.enable=true;
environment.argo.root-access.enable=true;
environment.argo.ssh-config.enable=true;
......@@ -25,7 +25,7 @@ in
imports = [ "${hydraSrc}/hydra-module.nix" ];
deployment.targetEnv = "none";
deployment.targetHost = "argo.freux.fr";
deployment.targetHost = "140.221.10.9";
i18n.defaultLocale = "en_US.UTF-8";
services.ntp.enable = false;
......@@ -37,7 +37,8 @@ in
};
nix = {
package = pkgs.nixUnstable; trustedUsers = [ "hydra" ]; binaryCaches = [ "http://argo.freux.fr/cache" "https://cache.nixos.org" ];
sshServe= { inherit keys; enable=true;};
package = pkgs.nixUnstable; trustedUsers = [ "hydra" ]; binaryCaches = [ "https://cache.nixos.org" ];
useChroot = true;
nrBuildUsers = 30;
distributedBuilds = true;
......@@ -65,22 +66,27 @@ in
networking = {
firewall = {
allowedTCPPorts=[ 2210 80 443];
allowedUDPPorts=[ 2210 80 443];
allowedTCPPorts=[ 2210 80 443 8081];
allowedUDPPorts=[ 2210 80 443 8081];
};
};
services.nginx = {
enable = true;
user = "hydra-queue-runner";
group= "hydra";
virtualHosts = {
"argo.freux.fr" = {
"140.221.10.9" = {
basicAuth = { argo = "${builtins.readFile ./auth_argo.secret}"; };
enableACME = true;
forceSSL = true;
locations."/cache".root="/var/lib/hydra-cache";
#enableACME = true;
#forceSSL = true;
locations."/store".root="/nix";
locations."/store".extraConfig="autoindex on;";
locations."/cache".root="/var/lib/hydra";
locations."/cache".extraConfig="autoindex on;";
locations."/"= {
proxyPass="http://localhost:6080/";
extraConfig = ''
proxy_redirect http://127.0.0.1:6080 https://argo.freux.fr;
proxy_redirect http://127.0.0.1:6080 http://140.221.10.9;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
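Review bot: Commenting out `enableACME = true;` and `forceSSL = true;` on the `"140.221.10.9"` vhost leaves the `basicAuth` block on the same vhost sending its credentials over plaintext HTTP, and the new `locations."/store"` with `autoindex on;` then lists the whole of `/nix/store` to anyone holding those credentials. ACME cannot issue for a bare IP, which is presumably why TLS was dropped, but the vhost can keep `forceSSL = true;` with a locally generated certificate via `sslCertificate`/`sslCertificateKey`; the same plaintext scheme is hard-coded in the `proxy_redirect` lines here and in the `/hydra` location, and in `hydraURL` in the `services.hydra` hunk. The firewall change opens 8081 on TCP and UDP, yet nothing in this hunk listens on 8081, and UDP entries for 80/443/8081 serve no purpose for nginx, so `allowedUDPPorts` could drop back to `[ 2210 ]`. The enclosing `hydra =` machine definition starts and ends outside this hunk.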
......@@ -91,7 +97,7 @@ in
locations."/hydra"= {
proxyPass="http://localhost:8080/";
extraConfig = ''
proxy_redirect http://127.0.0.1:8080 https://argo.freux.fr/hydra;
proxy_redirect http://127.0.0.1:8080 http://140.221.10.9/hydra;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
......@@ -106,21 +112,23 @@ in
services.hydra = {
useSubstitutes = true;
enable = true;
hydraURL = "https://argo.freux.fr/hydra";
hydraURL = "http://140.221.10.9/hydra";
listenHost = "localhost";
notificationSender = "hydra@example.org";
port = 8080;
extraConfig = ''
store_uri = file:///var/lib/hydra-cache?secret-key=/etc/hydra.example.org-1/secret
store_uri = file:///var/lib/hydra/cache?secret-key=/etc/nix/140.221.10.9/secret
using_frontend_proxy 1
base_uri argo.freux.fr/hydra
binary_cache_public_uri argo.freux.fr/cache
base_uri 140.221.10.9/hydra
binary_cache_public_uri 140.221.10.9/cache
max_output_size = 4294967296
secret-key=/etc/nix/hydra.example.org-1/secret
secret-key=/etc/nix/140.221.10.9/secret
'';
buildMachinesFiles = [ "/etc/nix/machines" ];
};
environment.systemPackages = [ pkgs.nix-serve ];
services.postgresql = {
package = pkgs.postgresql94;
dataDir = "/var/db/postgresql-${config.services.postgresql.package.psqlSchema}";
......@@ -153,11 +161,14 @@ in
/run/current-system/sw/bin/hydra-create-user fre --full-name 'Valentin Reis' --email-address 'fre@freux.fr' --password foobar --role admin
/run/current-system/sw/bin/hydra-create-user swann --full-name 'Swann Perarnau' --email-address 'swann@anl.gov' --password swannswann --role admin
# create signing keys
/run/current-system/sw/bin/install -d -m 551 /etc/nix/hydra.example.org-1
/run/current-system/sw/bin/nix-store --generate-binary-cache-key hydra.example.org-1 /etc/nix/hydra.example.org-1/secret /etc/nix/hydra.example.org-1/public
/run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/hydra.example.org-1
/run/current-system/sw/bin/chmod 440 /etc/nix/hydra.example.org-1/secret
/run/current-system/sw/bin/chmod 444 /etc/nix/hydra.example.org-1/public
/run/current-system/sw/bin/install -d -m 551 /etc/nix/140.221.10.9
/run/current-system/sw/bin/nix-store --generate-binary-cache-key 140.221.10.9 /etc/nix/140.221.10.9/secret /etc/nix/140.221.10.9/public
/run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/140.221.10.9
/run/current-system/sw/bin/chmod 440 /etc/nix/140.221.10.9/secret
/run/current-system/sw/bin/chmod 444 /etc/nix/140.221.10.9/public
#store
/run/current-system/sw/bin/install -d -m 766 /var/lib/hydra/cache
/run/current-system/sw/bin/chown -R hydra-queue-runner:hydra /var/lib/hydra/cache
# done
touch ~hydra/.setup-is-complete
fi
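Review bot: `install -d -m 766 /var/lib/hydra/cache` sets group and other write bits (without execute) on the directory nginx serves as the binary cache; 766 reads like a typo for 755, and since the next line chowns it to `hydra-queue-runner:hydra`, which is also nginx's `user`/`group` in this config, `-m 750` is enough. Naming the signing key after the host address in `nix-store --generate-binary-cache-key 140.221.10.9 ...` ties the cache's trust root to an IP that this very commit shows can change; a stable name keeps consumers' `binary-cache-public-keys` entries valid across moves. The unchanged `hydra-create-user ... --password foobar` and `--password swannswann` lines place admin passwords in a setup script that presumably lands in the world-readable Nix store; reading them at runtime from a file outside the store, or rotating them after first login, would be safer. The enclosing script starts outside this hunk.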
......
{ config, lib, pkgs, ... }:
with lib;
{
}
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
<nixpkgs/nixos/modules/profiles/headless.nix>
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
config = {
boot.growPartition=true;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
};
boot.kernelParams = [ "console=ttyS0" ];
boot.loader.grub.device = "/dev/vda";
boot.loader.timeout = 0;
# Allow root logins
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = mkDefault false;
};
services.cloud-init.enable = true;
# Put /tmp and /var on /ephemeral0, which has a lot more space.
# Unfortunately we can't do this with the `fileSystems' option
# because it has no support for creating the source of a bind
# mount. Also, "move" /nix to /ephemeral0 by layering a unionfs-fuse
# mount on top of it so we have a lot more space for Nix operations.
/*
boot.initrd.postMountCommands =
''
mkdir -m 1777 -p $targetRoot/ephemeral0/tmp
mkdir -m 1777 -p $targetRoot/tmp
mount --bind $targetRoot/ephemeral0/tmp $targetRoot/tmp
mkdir -m 755 -p $targetRoot/ephemeral0/var
mkdir -m 755 -p $targetRoot/var
mount --bind $targetRoot/ephemeral0/var $targetRoot/var
mkdir -p /unionfs-chroot/ro-nix
mount --rbind $targetRoot/nix /unionfs-chroot/ro-nix
mkdir -p /unionfs-chroot/rw-nix
mkdir -m 755 -p $targetRoot/ephemeral0/nix
mount --rbind $targetRoot/ephemeral0/nix /unionfs-chroot/rw-nix
unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-nix=RW:/ro-nix=RO $targetRoot/nix
'';
boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
*/
};
}
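Review bot: The `/* ... */` block from `boot.initrd.postMountCommands` through `boot.initrd.supportedFilesystems` is dead configuration shipped in what appears to be a new file; if the unionfs/ephemeral layout is a future plan, a one-line comment such as `# ephemeral0 bind/unionfs layout not yet enabled; see git history` reads better than the commented-out block. Unlike `provider-tacc`, which this commit gates with `mkIf`, this module's `config = {` applies unconditionally, including `services.cloud-init.enable = true;` and openssh settings that the `ssh-config` module also sets, so confirm that is intended wherever this file is imported.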
......@@ -3,4 +3,5 @@
./root-access
./ssh-config
./provider-tacc
./provider-openspace
]
{ config, lib, pkgs, ... }:
with lib;
let
cfg=config.environment.argo.provider-openspace;
in
{
options.environment.argo.provider-openspace = {
enable = mkEnableOption "provider_openspace";
};
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
config = mkIf config.environment.argo.provider-openspace.enable {
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/192f3663-c482-4a75-85a3-3fb57890ca54";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DD53-C402";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c3efe248-c89b-4992-bdac-1886cabdfca1"; }
];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
};
}
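Review bot: `cfg` is bound in the `let` but never used; the guard spells out `config.environment.argo.provider-openspace.enable` instead, so either drop the binding or write `config = mkIf cfg.enable {`. A short comment above `fileSystems."/"`, e.g. `# UUIDs and kvm-intel are specific to the openspace desktop hardware`, would help the next reader, since the rest of the file reads like a generated hardware-configuration.nix.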
......@@ -14,7 +14,7 @@ in
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
config = {
config = mkIf config.environment.argo.provider-tacc.enable {
boot.growPartition=true;
boot.kernelParams = [ "console=tty1" ];
#boot.kernelParams = [ "console=ttyS0" ];
......@@ -36,12 +36,6 @@ in
boot.loader.grub.device = "/dev/vda";
boot.loader.timeout = 0;
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = mkDefault false;
};
services.cloud-init.enable = true;
};
}
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC43Mdq5Q8i/cfcF+Y0rveBPGEJVoTE+lotZEMOdX8zJs89QinbfqjTJiqAM6cksMOFcM+iJ01LpKWAx1+EVFT4kkVphGHahiSuL86OuD/46d3dd3pwbmmRsQLjQvDzs+R3BHljWbfh4kt2R3DklChFM+u14EWu62M1QSRhNHgTGhwOfWZj1sw770c4TqovFgfc0k7aKLfJfd4227IkWwor1AaGVKBJIjIQFVki4ELWQ3IlpohVwDW734gU3AZ64Jnm22I+ebN4bIhoOYdSsLBPfDNDMTNcLKeTLzZN/929BqPtJaYSpDsR1EUl6NcwA75KsP1PZEYXd3UG8zHPnbOt valentin.reis@gmail.com
......@@ -20,6 +20,8 @@ in
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
services.openssh.permitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keys = keys ;
users.extraUsers.fre = {
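Review bot: `users.users.root.openssh.authorizedKeys.keys = keys ;` gives every key in `keys` a direct root shell on each machine enabling this module, which the same commit now does for the hydra host via `environment.argo.root-access.enable=true;`. Keeping `permitRootLogin = "prohibit-password"` and `passwordAuthentication = false` restricts this to key holders, but attaching the keys to a named admin account with `extraGroups = [ "wheel" ];` gives a per-user audit trail; the `users.extraUsers.fre = {` definition this hunk begins is a natural place. The header announces 8 new lines but fewer are visible here, and the enclosing module starts and ends outside the hunk.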
......