Improve remote building

Charlotte 🦝 Delenk 2023-01-14 14:57:00 +01:00
parent ff6870bcb7
commit e776a3be17
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122
13 changed files with 66 additions and 60 deletions


@ -74,6 +74,11 @@
key = "aws/credentials"; key = "aws/credentials";
path = "/root/.aws/credentials"; path = "/root/.aws/credentials";
}; };
sops.secrets."ssh/builder_id_ed25519" = {
sopsFile = ../secrets/shared.yaml;
owner = "root";
key = "ssh/builder_id_ed25519";
};
networking.nameservers = ["fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49" "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"]; networking.nameservers = ["fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49" "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
# Archetype configuration # Archetype configuration
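Review bot: The `ssh/builder_id_ed25519` secret added here is read from `../secrets/shared.yaml`, so every host that imports this file appears to receive the same builder private key. A compromise of any one of those hosts then yields the credential that logs in as `remote-build` on all builders, and access cannot be revoked for a single host. Consider per-host builder keys, or at least record the trade-off next to the declaration, e.g. `# shared builder identity: rotate on any host compromise`. The enclosing attribute set starts and ends outside this hunk.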


@ -3,7 +3,6 @@ desktop: {pkgs, ...}: {
(import ../programs/zsh.nix desktop) (import ../programs/zsh.nix desktop)
(import ../programs/helix desktop) (import ../programs/helix desktop)
../programs/tmux.nix ../programs/tmux.nix
../programs/ssh.nix
../programs/taskwarrior.nix ../programs/taskwarrior.nix
../programs/mail.nix ../programs/mail.nix
]; ];


@ -5,6 +5,7 @@
imports = imports =
[ [
(import ./base.nix desktop) (import ./base.nix desktop)
../programs/ssh.nix
../programs/gpg.nix ../programs/gpg.nix
../programs/git.nix ../programs/git.nix
../programs/direnv.nix ../programs/direnv.nix


@ -1,5 +1,6 @@
{pkgs, ...}: { {pkgs, ...}: {
imports = [ imports = [
(import ./base.nix false) (import ./base.nix false)
../programs/builders.nix
]; ];
} }


@ -16,6 +16,7 @@
./services/named-submissive.nix ./services/named-submissive.nix
./services/shitalloverme.nix ./services/shitalloverme.nix
./services/chir.rs ./services/chir.rs
./users/remote-build.nix
]; ];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"]; boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];


@ -33,6 +33,7 @@
./services/drone.nix ./services/drone.nix
./services/drone-runner-docker.nix ./services/drone-runner-docker.nix
./services/docker.nix ./services/docker.nix
./users/remote-build.nix
]; ];
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;
@ -301,11 +302,4 @@
max_parallel_workers = 12; max_parallel_workers = 12;
max_parallel_maintenance_workers = 4; max_parallel_maintenance_workers = 4;
}; };
users.users.darkkirb.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpO0Lh7eOE/EBttb/XWZ6ISiJ0RkmBYfruq3U6linEz root@nixos-8gb-fsn1-1"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKB8oH1XbuGrKn/SeguXz96sw4AjJQQvZyAdpptotzOr root@thinkrac"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN/rVZJuwiO44LwOqimpH4zyGehYUMF2ZhYFXUCkupP hydra-queue-runner@nas"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLEmOYG4xipOh2YsWGbQtvoJXQzToQDotyCRFnHpVP5 root@instance-20221213-1915"
];
} }


@ -81,6 +81,15 @@ in {
speedFactor = 2; speedFactor = 2;
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark" "gccarch-znver2" "gccarch-znver1" "gccarch-skylake" "ca-derivations"]; supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark" "gccarch-znver2" "gccarch-znver1" "gccarch-skylake" "ca-derivations"];
} }
{
hostName = "build-aarch64";
systems = [
"aarch64-linux"
];
maxJobs = 2;
speedFactor = 10;
supportedFeatures = ["nixos-test" "benchmark" "ca-derivations"];
}
]; ];
distributedBuilds = true; distributedBuilds = true;
}; };
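Review bot: The new `build-aarch64` entry sets neither `sshUser`/`sshKey` nor `publicHostKey`, so the login identity and host authentication depend entirely on the SSH client config and known_hosts of whichever user runs the build. Pinning the host key in the entry, e.g. `publicHostKey = "<base64 of the builder's host public key>";` (placeholder), makes the builder's identity part of the reviewed configuration rather than trust-on-first-use. The enclosing `buildMachines` list starts outside this hunk, so the other entries may share this gap.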


@ -20,6 +20,7 @@
nixos-hardware.nixosModules.common-pc-ssd nixos-hardware.nixosModules.common-pc-ssd
./services/postgres.nix ./services/postgres.nix
./services/drone-runner-docker.nix ./services/drone-runner-docker.nix
./users/remote-build.nix
]; ];
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp"]; boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp"];
@ -156,33 +157,6 @@
"riscv64-linux" "riscv64-linux"
"wasm32-wasi" "wasm32-wasi"
]; ];
nix.buildMachines = lib.mkForce [
#{
# hostName = "build-nas";
# systems = [ "x86_64-linux" ];
# maxJobs = 12;
# speedFactor = 1;
# supportedFeatures = [ "gccarch-znver1" "ca-derivations" ];
#}
{
maxJobs = 16;
speedFactor = 2;
hostName = "localhost";
systems = [
"armv7l-linux"
"aarch64-linux"
"powerpc-linux"
"powerpc64-linux"
"powerpc64le-linux"
"riscv32-linux"
"riscv64-linux"
"wasm32-wasi"
"x86_64-linux"
"i686-linux"
];
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark" "gccarch-znver2" "gccarch-znver1" "gccarch-skylake" "ca-derivations"];
}
];
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
nix.daemonCPUSchedPolicy = "idle"; nix.daemonCPUSchedPolicy = "idle";
nix.daemonIOSchedClass = "idle"; nix.daemonIOSchedClass = "idle";
@ -196,14 +170,7 @@
endpoint = "192.168.2.1:51820"; endpoint = "192.168.2.1:51820";
} }
]; ];
# Build server stuff
users.users.darkkirb.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpO0Lh7eOE/EBttb/XWZ6ISiJ0RkmBYfruq3U6linEz root@nixos-8gb-fsn1-1"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKB8oH1XbuGrKn/SeguXz96sw4AjJQQvZyAdpptotzOr root@thinkrac"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN/rVZJuwiO44LwOqimpH4zyGehYUMF2ZhYFXUCkupP hydra-queue-runner@nas"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLEmOYG4xipOh2YsWGbQtvoJXQzToQDotyCRFnHpVP5 root@instance-20221213-1915"
];
nix.settings.system-features = [ nix.settings.system-features = [
"kvm" "kvm"
"nixos-test" "nixos-test"


@ -0,0 +1,28 @@
_: {
programs.ssh = {
enable = true;
matchBlocks = {
"build-nas" = {
hostname = "nas.int.chir.rs";
identitiesOnly = true;
identityFile = "/run/secrets/builder_id_ed25519";
port = 22;
user = "remote-build";
};
"build-pc" = {
hostname = "nutty-noon.int.chir.rs";
identitiesOnly = true;
identityFile = "/run/secrets/builder_id_ed25519";
port = 22;
user = "remote-build";
};
"build-aarch64" = {
hostname = "instance-20221213-1915.int.chir.rs";
identitiesOnly = true;
identityFile = "/run/secrets/builder_id_ed25519";
port = 22;
user = "remote-build";
};
};
};
}
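Review bot: All three match blocks point `identityFile` at `/run/secrets/builder_id_ed25519`, but the secret is declared elsewhere in this commit as `sops.secrets."ssh/builder_id_ed25519"` with no `path`. By default sops-nix places a secret at `/run/secrets/<name>`, which here would be `/run/secrets/ssh/builder_id_ed25519`. If that default applies, `identitiesOnly = true` leaves ssh without a usable key and the builders are unreachable. Either change the literal to `identityFile = "/run/secrets/ssh/builder_id_ed25519";` or set `path = "/run/secrets/builder_id_ed25519";` on the secret.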


@ -3,21 +3,5 @@ _: {
controlMaster = "auto"; controlMaster = "auto";
controlPersist = "10m"; controlPersist = "10m";
enable = true; enable = true;
matchBlocks = {
"build-nas" = {
hostname = "backup.int.chir.rs";
identitiesOnly = true;
identityFile = "~/.ssh/id_ed25519";
port = 22;
user = "darkkirb";
};
"build-pc" = {
hostname = "nutty-noon.int.chir.rs";
identitiesOnly = true;
identityFile = "~/.ssh/id_ed25519";
port = 22;
user = "darkkirb";
};
};
}; };
} }


@ -15,6 +15,7 @@
clean-cache = nix-packages.packages.${system}.clean-s3-cache; clean-cache = nix-packages.packages.${system}.clean-s3-cache;
machines = pkgs.writeText "machines" '' machines = pkgs.writeText "machines" ''
localhost armv7l-linux,aarch64-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,riscv32-linux,riscv64-linux,wasm32-wasi,x86_64-linux,i686-linux - 12 1 kvm,nixos-test,big-parallel,benchmark,gccarch-znver1,gccarch-skylake,ca-derivations - localhost armv7l-linux,aarch64-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,riscv32-linux,riscv64-linux,wasm32-wasi,x86_64-linux,i686-linux - 12 1 kvm,nixos-test,big-parallel,benchmark,gccarch-znver1,gccarch-skylake,ca-derivations -
ssh://build-aarch64 aarch64-linux - 2 10 nixos-test,benchmark,ca-derivations -
''; '';
in { in {
imports = [ imports = [
@ -121,4 +122,5 @@ in {
}; };
}; };
nix.settings.trusted-users = ["@hydra"]; nix.settings.trusted-users = ["@hydra"];
sops.secrets."ssh/builder_id_ed25519".owner = lib.mkForce "hydra";
} }
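Review bot: `owner = lib.mkForce "hydra"` on the last added line may hand the key to the wrong account. In the NixOS Hydra module the queue runner that opens the `ssh://build-aarch64` connection normally runs as `hydra-queue-runner`, and a sops secret with the default mode is readable by its owner only. If that holds on this host, use `sops.secrets."ssh/builder_id_ed25519".owner = lib.mkForce "hydra-queue-runner";`, or keep the owner and add a group and mode that let the runner read it. The added machines line also leaves both the SSH key field and the host public key field as `-`, so key selection and host verification rest on that user's SSH config and known_hosts, which this section does not show.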


@ -0,0 +1,13 @@
{config, ...}: {
users.users.remote-build = {
createHome = true;
description = "Remote builder";
group = "users";
home = "/home/remote-build";
isNormalUser = true;
uid = 1002;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN5Q/L2FyB3DIgdJRYnTGHW3naw5VQ9coOdwHYmv0aZ darkkirb@thinkrac"
];
};
}
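Review bot: `remote-build` is created with `isNormalUser = true` and an authorized key that carries no options, so whoever holds the builder key gets a full interactive login (shell, PTY, port forwarding) on each builder rather than only the Nix store protocol. Prefixing the existing key string with OpenSSH's `restrict` option would remove forwarding and PTY allocation; verify that remote builds still work afterwards. The fixed `uid = 1002` is also worth a comment stating that the UID is free on every host that imports this file.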


@ -1,5 +1,7 @@
aws: aws:
credentials: ENC[AES256_GCM,data:Y+SbRqf7VotqN9CDMa8SmwBx+nlODeQScr7nlH90qyoa+5GtdDlgvqtbHJ4yE7QoiOBsG/CZ4sBnpXadyUhM8Erq8M2q0CAvlrb3oqgtNAgrkiLueqPAC6kTVBhsDolgWdrkMA8FVifwwqBtns9M7Q==,iv:4XheIFj90luZWxErPppOdphbw7ZXlGbeieSUl97eHAA=,tag:CrCDqHOXTRezf47vsdVAdw==,type:str] credentials: ENC[AES256_GCM,data:Y+SbRqf7VotqN9CDMa8SmwBx+nlODeQScr7nlH90qyoa+5GtdDlgvqtbHJ4yE7QoiOBsG/CZ4sBnpXadyUhM8Erq8M2q0CAvlrb3oqgtNAgrkiLueqPAC6kTVBhsDolgWdrkMA8FVifwwqBtns9M7Q==,iv:4XheIFj90luZWxErPppOdphbw7ZXlGbeieSUl97eHAA=,tag:CrCDqHOXTRezf47vsdVAdw==,type:str]
ssh:
builder_id_ed25519: ENC[AES256_GCM,data:SjNV5HtKVjQd+cwCPGGgT9bSFKhdwJxqGclCBfWAm4UzTco/ho3TZV9OX/BxI/W0ztzSlctFUecOi98qAdtWX737dlyVmQpkGcvbDIQWt6JqpWRGsLsJ1lhlmSOIS1jkASyGksCLaSou3FZ1+dQ2+BWyh9XjWpC7nCGvEHsGOn8cCSj3tlV8cloBZKzxpwEXkEUmpZpuJb0PZp8LL0okxLF553NxClS1zty0cmucRcR71ObevwiWvJmJNI9Un1D4FhSDYFHffoOtmyHixZnNRMI8gW7Cx1suHIsslrsI4YgmD+QxJrIkx96ajkPzIBPsMu5mO+h8y2epEJpRenbTMhgdQvnspsJ1PrWOzsHWMTI9EsjmiZZEsk6lRiVgnOQwf0Bc+Sf4uro6TcbgsIWJdwOthXWi7s72JHfGHqcP03eQyA8wZf21w4oTGh4L5aDtwb29fOLdSv1xf20PP5Qiy4iUdvCV7tdsLcEA0i3aUeJCkklk9cUoWELT+Vu6CqMxnLbSeKHnP452EkK52EZnpn1MNVtFczPWW+oj,iv:7KO7yFoHCttTpw6gDcZRA43qW6F1a8xqpa5VRYUerz4=,tag:OlCbnoS0vQO1Wyn6iWlYDw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -51,8 +53,8 @@ sops:
ZFNubXhZdG1KVDB1d0FWOVVDS1ovOHcKO5m7BFeZzt+nBfaZJoH8Pkw6aeDExQrQ ZFNubXhZdG1KVDB1d0FWOVVDS1ovOHcKO5m7BFeZzt+nBfaZJoH8Pkw6aeDExQrQ
Gfp6KQ0oJOuquhZtMW0GpLuKnuQjjGEBaIbcZcR4OosKKlLYfOKabA== Gfp6KQ0oJOuquhZtMW0GpLuKnuQjjGEBaIbcZcR4OosKKlLYfOKabA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-14T15:34:33Z" lastmodified: "2023-01-14T13:36:39Z"
mac: ENC[AES256_GCM,data:8Fnws66NKfdVl+0+63HZvgt+PTxTZ6L6y9sh2hFtWR8RNeDTmtfZXOrJhJjU8XRUogQovnv+qSn8hmMRQ4f0tw1+jEIjEMqGV9ex2YWhsryvuhKbXH11un7UYObCxiwhTbxq6aOQLJ+74V3a2YLWTnKBd3X383EV1QrH/quXOIg=,iv:8yIW+mCveO59Kb4dXxIUzMT2/PGfknDDBoxGBRQNaE8=,tag:4BJpIdEeMeNCvOEXmvsSPQ==,type:str] mac: ENC[AES256_GCM,data:tES+i3vMTywPJ6DnYw9sKdVvixmgLBJ27tjMSJvOdeMth4p3soQA6RicRzQCgBlMXC+dHXpCMmvvtQrzDpFudiG6+xUPW/cz77ARdgzOWLOSD8cgzOp5XBI3koFOq5pxK7v1GMv7IG01pFKEMVes8mGUQXvu+eXMx1ZPcQrQuxI=,iv:1DYSbBNR8l2VLTnst+Aw+nSLPOKc+jCpZ9ViPERbWq4=,tag:9+f2s9FSUajVqQXb0eziKg==,type:str]
pgp: pgp:
- created_at: "2022-12-14T15:34:33Z" - created_at: "2022-12-14T15:34:33Z"
enc: | enc: |