guix/maintenance
2
0
Fork 0
mirror of git://git.savannah.gnu.org/guix/maintenance.git synced 2023-12-14 03:33:04 +01:00
Code Issues Releases Wiki Activity
maintenance/hydra/berlin.scm
Ricardo Wurmus 37538c56d9
hydra/berlin: Add mumi/devel. 
* hydra/berlin.scm (mumi/devel): New variable.
Use it in the mumi service.
2020-06-16 22:20:27 +02:00

346 lines
15 KiB
Scheme
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;; OS configuration for "berlin", the frontend of the compile farm
;; hosted at the MDC.
(use-modules (gnu) (guix) (sysadmin services) (sysadmin people) (sysadmin dns)
(sysadmin web)
(guix git-download)
(srfi srfi-1))
(use-service-modules base databases dns monitoring networking admin shepherd)
(use-package-modules admin certs emacs linux mail monitoring
ssh tls tor vim package-management
version-control
web wget ci rsync
guile-xyz)
(define %sysadmins
;; The sysadmins.
(list (sysadmin (name "ludo")
(full-name "Ludovic Courtès")
(ssh-public-key (local-file "keys/ssh/ludo.pub")))
(sysadmin (name "rekado")
(full-name "Ricardo Wurmus")
(ssh-public-key (local-file "keys/ssh/rekado.pub")))
(sysadmin (name "andreas")
(full-name "Andreas Enge")
(ssh-public-key (local-file "keys/ssh/andreas.pub")))
(sysadmin (name "mbakke")
(full-name "Marius Bakke")
(ssh-public-key (local-file "keys/ssh/mbakke.pub")))
(sysadmin (name "g_bor")
(full-name "Gábor Boskovits")
(ssh-public-key (local-file "keys/ssh/g_bor.pub")))
(sysadmin (name "nckx")
(full-name "Tobias Geerinckx-Rice")
(ssh-public-key (local-file "keys/ssh/nckx.pub")))
(sysadmin (name "mathieu")
(full-name "Mathieu Othacehe")
(ssh-public-key (local-file "keys/ssh/mathieu.pub")))
(sysadmin (name "pimi")
(full-name "Mădălin Patrascu")
(ssh-public-key (local-file "keys/ssh/pimi.pub")))))
(include "nginx/berlin.scm")
;;;
;;; Operating system.
;;;
(define %motd
;; Message of the day!
(plain-file "motd"
"\
░░░ ░░░
░░▒▒░░░░░░░░░ ░░░░░░░░░▒▒░░
░░▒▒▒▒▒░░░░░░░ ░░░░░░░▒▒▒▒▒░
░▒▒▒░░▒▒▒▒▒ ░░░░░░░▒▒░
░▒▒▒▒░ ░░░░░░
▒▒▒▒▒ ░░░░░░
▒▒▒▒▒ ░░░░░
░▒▒▒▒▒ ░░░░░ Welcome to berlin!
▒▒▒▒▒ ░░░░░
▒▒▒▒▒ ░░░░░
░▒▒▒▒▒░░░░░
▒▒▒▒▒▒░░░
▒▒▒▒▒▒░
Best practices:
1. Store everything in guix-maintenance.git.
2. Use the Git checkouts of Guix and guix-maintenance in ~root.
3. Notify guix-sysadmin@gnu.org when reconfiguring.
4. Notify guix-sysadmin@gnu.org when something goes wrong.
5. Notify ricardo.wurmus@mdc-berlin.de or rekado@elephly.net when the
machine doesn't respond. Only Ricardo has access to the serial console
to reset the machine.
Happy hacking!\n"))
(define %copy-kernel-and-initrd
;; The storage device where the root file system is is invisible to GRUB.
;; Thus, copy the kernel and initrd to /store, where GRUB will be able to
;; find them.
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(for-each (lambda (file)
(let ((target (string-append "/store/" (basename file))))
(unless (file-exists? target)
(format #t "copying '~a' to /store...~%" file)
(copy-recursively file target
#:log (%make-void-port "w")))))
;; /run/current-system/kernel is a profile. The trick
;; below allows us to get at its actual directory name,
;; which is what 'grub.cfg' refers to.
(list (dirname
(canonicalize-path "/run/current-system/kernel/bzImage"))
(dirname (canonicalize-path "/run/current-system/initrd")))))))
(define-public mumi-devel
(let ((commit "f06b3d7de137b3b1bf95e02de747bdd663bb61bd")
(revision "6"))
(package (inherit mumi)
(name "mumi")
(version (git-version "0.0.1" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.elephly.net/software/mumi.git")
(commit commit)))
(file-name (git-file-name name version))
(sha256
(base32
"0yn1ry2zl9s7cbaz1znnxhx4i3ja6bxw1qmmfbzajsj2zic7cxs8"))))
(inputs
`(("guile-fibers" ,(package (inherit guile-fibers)
(arguments (substitute-keyword-arguments
(package-arguments guile-fibers)
((#:tests? _ #f) #f)))))
,@(alist-delete "guile-fibers" (package-inputs mumi)))))))
(operating-system
(host-name "berlin.guix.gnu.org")
(timezone "Europe/Berlin")
(locale "en_US.utf8")
;; Allow access through the serial console at 141.80.167.201; the
;; management interface can only be accessed through selected
;; servers within the MDC campus network.
(kernel-arguments '("console=tty0"
"console=ttyS0,115200"))
;; The Dell server need these kernel modules for the
;; RAID controller.
(initrd-modules (append (list "megaraid_sas" "scsi_transport_sas"
"mpt3sas" "libsas")
%base-initrd-modules))
;; Show the GRUB menu on the serial interface.
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(terminal-inputs '(serial))
(terminal-outputs '(serial))))
(file-systems (cons*
;; The root file system resides on just a single
;; disk, no RAID :-/
(file-system
(device (file-system-label "my-root"))
(mount-point "/")
(type "ext4"))
;; This is a large external storage array
;; connected via 2 HBA cards. We only mount it
;; through one of the HBA cards. We would need
;; to use multipathd otherwise.
(file-system
(device (uuid "a6455b66-59d2-40bd-bddb-0c572bb62a2f"))
(mount-point "/gnu")
(type "ext4"))
;; Bind mount cache to large external storage.
(file-system
(device "/gnu/cache")
(mount-point "/var/cache")
(flags '(bind-mount))
(type "none"))
;; Access root file system without bind mounts.
(file-system
(device "/")
(mount-point "/mnt/root-fs")
(flags '(bind-mount))
(type "none"))
%base-file-systems))
;; Local admin account for MDC maintenance.
(users (cons (user-account
(name "bi-admin")
(comment "Local admin")
(group "users")
(supplementary-groups '("wheel"))
(home-directory "/home/bi-admin"))
%base-user-accounts))
(packages (cons* certbot emacs wget iptables
jnettop openssh rsync
;; This is needed to set GIT_SSL_CAINFO allowing
;; Cuirass to fetch sources via HTTPS.
nss-certs
;; This is for git-receive-pack et al
git-minimal
;; This is for the mumi mailer
msmtp
;; This is for bypassing the firewall...
torsocks
%base-packages))
(services (cons*
(simple-service 'copy-kernel+initrd-to-/store
activation-service-type
%copy-kernel-and-initrd)
;; Connection to the DMZ for public access
;; This is a 10G port.
(static-networking-service "eno2d1"
"141.80.181.40"
#:netmask "255.255.255.0"
#:gateway "141.80.181.1")
;; Connection to build nodes
(static-networking-service "eno1"
"141.80.167.131"
#:netmask "255.255.255.192")
;; Allow login over serial console.
(agetty-service (agetty-configuration
(tty "ttyS0")
(baud-rate "115200")))
;; DNS
(service knot-service-type
(knot-configuration
(zones (list (knot-zone-configuration
(domain "guix.gnu.org")
(master '("bayfront-master"))
(acl '("notify-allow")))))
(acls (list (knot-acl-configuration
(id "notify-allow")
(address (list bayfront-ip4))
(action '(notify)))))
(remotes (list (knot-remote-configuration
(id "bayfront-master")
(address (list bayfront-ip4)))))))
;; Monitoring
(service prometheus-node-exporter-service-type)
(service zabbix-agent-service-type)
(service zabbix-server-service-type
(zabbix-server-configuration
(include-files '("/root/zabbix-pass"))
(extra-options "AlertScriptsPath=/root/zabbix-alert-scripts\n")))
(service zabbix-front-end-service-type
(zabbix-front-end-configuration
(nginx (list %zabbix-nginx-server))
(db-secret-file "/root/zabbix-front-end-secrets")))
;; For the Zabbix database. It was created by manually
;; following the instructions here:
;; https://www.zabbix.com/documentation/3.0/manual/appendix/install/db_scripts
(postgresql-service)
(service ntp-service-type)
;; Make SSH and HTTP/HTTPS available over Tor.
(tor-hidden-service "http"
'((22 "127.0.0.1:22")
(80 "127.0.0.1:80")
(443 "127.0.0.1:443")))
(service tor-service-type)
(service nginx-service-type %nginx-configuration)
;; Runnning guix.gnu.org.
(service static-web-site-service-type
(static-web-site-configuration
(git-url
"https://git.savannah.gnu.org/git/guix/guix-artwork.git")
(directory "/srv/guix.gnu.org")
(build-file "website/.guix.scm")))
;; 'wip-i18n' branch of guix.gnu.org.
(service static-web-site-service-type
(static-web-site-configuration
(git-url
"https://git.savannah.gnu.org/git/guix/guix-artwork.git")
(git-ref '(branch . "wip-i18n"))
(directory "/srv/guix.gnu.org-i18n")
(build-file "website/.guix.scm")
(cache-directory "guix.gnu.org-i18n") ;avoid collision
(environment-variables
'(("GUIX_WEB_SITE_ROOT_PATH" . "/.i18n")))))
;; Manual for the latest stable release.
(service static-web-site-service-type
(static-web-site-configuration
(git-url "https://git.savannah.gnu.org/git/guix.git")
(git-ref '(branch . "version-1.1.0"))
(directory "/srv/guix-manual")
(build-file "doc/build.scm")
(environment-variables
'(("GUIX_MANUAL_VERSION" . "1.1.0")
("GUIX_WEB_SITE_URL" . "/")))))
;; Manual for 'master'.
(service static-web-site-service-type
(static-web-site-configuration
(git-url "https://git.savannah.gnu.org/git/guix.git")
(directory "/srv/guix-manual-devel")
;; XXX: Use a different cache directory to work around
;; the fact that (guix git) would use a same-named
;; checkout directory for 'master' and for the branch
;; above. Since both mcron jobs run at the same time,
;; they would end up using one branch or the other, in
;; a non-deterministic way.
(cache-directory "guix-master-manual")
(build-file "doc/build.scm")
(environment-variables
'(("GUIX_WEB_SITE_URL" . "/")))))
;; Cookbook for 'master'.
(service static-web-site-service-type
(static-web-site-configuration
(git-url "https://git.savannah.gnu.org/git/guix.git")
(directory "/srv/guix-cookbook")
;; XXX: Use a different cache directory (see above).
(cache-directory "guix-cookbook-master")
(build-file "doc/build.scm")
(environment-variables
'(("GUIX_MANUAL" . "guix-cookbook")
("GUIX_WEB_SITE_URL" . "/")))))
;; GWL web site.
(service gwl-web-service-type)
(service mumi-service-type
(mumi-configuration
(mumi mumi-devel)
(sender "issues.guix.gnu.org@elephly.net")
(smtp "sendmail:///var/mumi/mumi-mailer")))
;; For the Mumi mailer queue
(service redis-service-type)
(frontend-services %sysadmins
#:gc-threshold (* 3 TiB)
#:systems '("x86_64-linux" "i686-linux"
"aarch64-linux")
#:motd %motd
#:publish-workers 8
#:max-jobs 20))))
View git blame Copy permalink