Commit 85622d75 authored by Valentin Reis's avatar Valentin Reis

argo hydra deployment.

parent 6bbe6a1e
import ./pkgs/default.nix
......@@ -4,28 +4,25 @@
let
keys = [ (pkgs.lib.readFile keys/id_rsa_vrg.pub) ];
argopkgs = import ../pkgs {};
hydraSrc = builtins.fetchTarball https://github.com/nixos/hydra/archive/master.tar.gz;
in
{
network.description = "argo-ci";
network.enableRollback = false;
main =
{ nodes, ... }:
{ nodes, config, ... }:
{
imports = [
./providers/openstack-tacc.nix
"${hydraSrc}/hydra-module.nix"
];
networking = {
firewall = {
allowedTCPPorts=[
22
8080 # micro-ci
];
allowedUDPPorts=[
22
8080 # micro-ci
];
allowedTCPPorts=[ 22 config.services.hydra.port ];
allowedUDPPorts=[ 22 ];
};
};
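Review bot: `hydraSrc = builtins.fetchTarball https://github.com/nixos/hydra/archive/master.tar.gz;` fetches whatever is on the upstream default branch at evaluation time with no hash, so the `hydra-module.nix` imported below is neither reproducible nor integrity-checked and silently changes on every re-deploy or upstream change. Pin it to a revision and hash: `hydraSrc = builtins.fetchTarball { url = "https://github.com/nixos/hydra/archive/<REV>.tar.gz"; sha256 = "<SHA256>"; };` (both values are placeholders to fill in). Separately, `allowedUDPPorts=[ 22 ]` opens a port nothing here listens on (sshd is TCP), while `config.services.hydra.port` is opened to every source address for a service the next hunk configures with a plain-http `hydraURL`; consider fronting it with TLS or restricting the source range. The `main` definition continues into the next hunk.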
......@@ -53,5 +50,136 @@ in
boot.kernelParams = [ "console=tty1" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
i18n.defaultLocale = "en_US.UTF-8";
services.nixosManual.showManual = false;
services.ntp.enable = false;
services.openssh.allowSFTP = false;
assertions = pkgs.lib.singleton {
assertion = pkgs.system == "x86_64-linux";
message = "unsupported system ${pkgs.system}";
};
environment.etc = pkgs.lib.singleton {
target = "nix/id_buildfarm";
source = keys/id_buildfarm;
uid = config.ids.uids.hydra;
gid = config.ids.gids.hydra;
mode = "0440";
};
nix = {
useChroot = true;
nrBuildUsers = 30;
distributedBuilds = true;
buildMachines = [
{ hostName = "slave1"; maxJobs = 1; speedFactor = 1; sshKey = "/etc/nix/id_buildfarm"; sshUser = "root"; system = "x86_64-linux"; }
];
extraOptions = "auto-optimise-store = true";
};
services.hydra = {
enable = true;
hydraURL = "http://129.114.111.116";
notificationSender = "hydra@example.org";
port = 8080;
extraConfig = "binary_cache_secret_key_file = /etc/nix/hydra.example.org-1/secret";
buildMachinesFiles = [ "/etc/nix/machines" ];
};
services.postgresql = {
package = pkgs.postgresql94;
dataDir = "/var/db/postgresql-${config.services.postgresql.package.psqlSchema}";
};
systemd.services.hydra-manual-setup = {
description = "Create Admin User for Hydra";
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" ];
environment = config.systemd.services.hydra-init.environment;
script = ''
if [ ! -e ~hydra/.setup-is-complete ]; then
# create admin user
/run/current-system/sw/bin/hydra-create-user alice --full-name 'Alice Q. User' --email-address 'alice@example.org' --password foobar --role admin
# create signing keys
/run/current-system/sw/bin/install -d -m 551 /etc/nix/hydra.example.org-1
/run/current-system/sw/bin/nix-store --generate-binary-cache-key hydra.example.org-1 /etc/nix/hydra.example.org-1/secret /etc/nix/hydra.example.org-1/public
/run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/hydra.example.org-1
/run/current-system/sw/bin/chmod 440 /etc/nix/hydra.example.org-1/secret
/run/current-system/sw/bin/chmod 444 /etc/nix/hydra.example.org-1/public
# done
touch ~hydra/.setup-is-complete
fi
'';
};
#users.users.hydra-www.uid = config.ids.uids.hydra-www;
#users.users.hydra-queue-runner.uid = config.ids.uids.hydra-queue-runner;
#users.users.hydra.uid = config.ids.uids.hydra;
#users.groups.hydra.gid = config.ids.gids.hydra;
};
slave1 =
{ nodes, ... }:
{
imports = [
./providers/openstack-tacc.nix
];
networking = {
firewall = {
allowedTCPPorts=[ 22 ];
allowedUDPPorts=[ 22 ];
};
};
deployment.targetEnv = "none";
deployment.targetHost = "129.114.111.114";
users.extraUsers.fre = {
isNormalUser = true;
extraGroups= ["wheel"];
openssh.authorizedKeys.keys = keys;
};
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
users.users.root.openssh.authorizedKeys.keys = keys ;
systemd.services = {
"serial-getty@ttyS0".enable = pkgs.lib.mkForce true;
"getty@tty1".enable = pkgs.lib.mkForce true;
"getty@tty1".wantedBy = [ "getty.target" ];
};
boot.kernelParams = [ "console=tty1" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
i18n.defaultLocale = "en_US.UTF-8";
nix.useChroot = true;
nix.nrBuildUsers = 30;
services.nixosManual.showManual = false;
services.ntp.enable = false;
services.openssh.allowSFTP = false;
nix.gc = {
automatic = true;
dates = "05:15";
options = ''--max-freed "$((32 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
};
users.extraUsers.root.openssh.authorizedKeys.keys = pkgs.lib.singleton ''
command="nice -n20 nix-store --serve --write" ${pkgs.lib.readFile ./keys/id_buildfarm.pub}
'';
};
}
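Review bot: The `hydra-manual-setup` script bakes a fixed admin password into the system closure (`--password foobar` on the `hydra-create-user` line), where it sits in the world-readable /nix/store on the host and guards an admin account reachable on the `services.hydra.port` opened in the previous hunk. The build-farm key has the same exposure: `environment.etc` with `source = keys/id_buildfarm;` copies the private key into the store at evaluation time, so the `mode = "0440"` applied to the copy under /etc does not protect the store copy. Since this is a NixOps network (`network.description`, `deployment.targetHost`), both secrets should travel through `deployment.keys`, which places them under /run/keys outside the store; the setup unit is then ordered after `keys.target` and `sshKey` points at `/run/keys/id_buildfarm`, as sketched below. The key material itself is added to the repository in the following file section and should be rotated regardless; the enclosing `main` definition starts in the previous hunk.
```nix
# … unchanged: imports, networking, deployment, users, boot, i18n …
# Secrets are delivered by NixOps out of band (/run/keys), never through
# environment.etc, whose `source` path is copied into the world-readable store.
deployment.keys.id_buildfarm = {
  keyFile = /path/outside/the/repo/id_buildfarm;           # placeholder path
  user = "hydra";
  group = "hydra";
  permissions = "0440";
};
deployment.keys.hydra-admin-password = {
  keyFile = /path/outside/the/repo/hydra-admin-password;   # placeholder path
  user = "hydra";
  group = "hydra";
  permissions = "0400";
};
nix = {
  # … unchanged: useChroot, nrBuildUsers, distributedBuilds, extraOptions …
  buildMachines = [
    { hostName = "slave1"; maxJobs = 1; speedFactor = 1; sshKey = "/run/keys/id_buildfarm"; sshUser = "root"; system = "x86_64-linux"; }
  ];
};
# … unchanged: services.hydra, services.postgresql …
systemd.services.hydra-manual-setup = {
  # … unchanged: description, serviceConfig, wantedBy, environment …
  requires = [ "hydra-init.service" "keys.target" ];
  after = [ "hydra-init.service" "keys.target" ];
  script = ''
    if [ ! -e ~hydra/.setup-is-complete ]; then
      # create admin user; password is read from the deployed key, not from the store
      /run/current-system/sw/bin/hydra-create-user alice --full-name 'Alice Q. User' --email-address 'alice@example.org' --password "$(cat /run/keys/hydra-admin-password)" --role admin
      # … unchanged: signing-key generation and completion marker …
    fi
  '';
};
```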
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
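Review bot: This adds an RSA private key to the repository (the build-farm key the deployment references as `keys/id_buildfarm`), so it now lives in version-control history and is readable by anyone with repository access. The key should be treated as compromised and regenerated, and the replacement kept out of the tree and delivered to the host through NixOps `deployment.keys` with `keyFile` pointing at a path outside the repository. The public half committed in the next file is harmless on its own.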
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CzvpWAtzpTuq52CaMlDq8On+i+Znk+sAGR0lIv8uAeqtT/bG2rN0MGACMI50FUZoDurdrKlZEn4/JJnmciEz6fdR7itdRK3IJiwDr1sSK75fl7g+FGDqIMEnMx+3qYmMJJZ0HN/V69uGE9eXYG3Z3HqiQFaKQfWz7XO8xPpKSXToCLPNg+FS3Zhp9VIDvzV8Yayci5oUBwS+9Za+kDUBQyLpHAAqWEeg4Si6V/b/cK6sB098i6dxwSLuEVniiU0+Zhn7kb7dnZJYpYgIpuvttkbQtspnrotWN9iuIbsdR8oq9N0fVPKv+qV1EcFJ7NvpnI+AI5vpP8RMSapauP0b hydra@hydra.example.org
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
<nixpkgs/nixos/modules/profiles/headless.nix>
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
config = {
boot.growPartition=true;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
};
boot.kernelParams = [ "console=ttyS0" ];
boot.loader.grub.device = "/dev/vda";
boot.loader.timeout = 0;
# Allow root logins
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = mkDefault false;
};
services.cloud-init.enable = true;
# Put /tmp and /var on /ephemeral0, which has a lot more space.
# Unfortunately we can't do this with the `fileSystems' option
# because it has no support for creating the source of a bind
# mount. Also, "move" /nix to /ephemeral0 by layering a unionfs-fuse
# mount on top of it so we have a lot more space for Nix operations.
/*
boot.initrd.postMountCommands =
''
mkdir -m 1777 -p $targetRoot/ephemeral0/tmp
mkdir -m 1777 -p $targetRoot/tmp
mount --bind $targetRoot/ephemeral0/tmp $targetRoot/tmp
mkdir -m 755 -p $targetRoot/ephemeral0/var
mkdir -m 755 -p $targetRoot/var
mount --bind $targetRoot/ephemeral0/var $targetRoot/var
mkdir -p /unionfs-chroot/ro-nix
mount --rbind $targetRoot/nix /unionfs-chroot/ro-nix
mkdir -p /unionfs-chroot/rw-nix
mkdir -m 755 -p $targetRoot/ephemeral0/nix
mount --rbind $targetRoot/ephemeral0/nix /unionfs-chroot/rw-nix
unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-nix=RW:/ro-nix=RO $targetRoot/nix
'';
boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
*/
};
}
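Review bot: The comment block starting `# Put /tmp and /var on /ephemeral0` describes behaviour this file does not have, because the `boot.initrd.postMountCommands` and `unionfs-fuse` settings it introduces are disabled inside `/* ... */`; a reader skimming the prose will believe /tmp, /var and /nix are on the ephemeral disk. Either drop the dead block or prefix it with `# DISABLED: the ephemeral0 bind/unionfs layout below is not applied; kept for reference.`. The `# Allow root logins` comment is also broader than the setting beneath it — `permitRootLogin = "prohibit-password"` permits key-based root login only — so `# Root login is key-only (prohibit-password); passwords are off by default` would be more precise.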