From 519754cf5b2ba9f50cb2d05d9d7c96a49b00a118 Mon Sep 17 00:00:00 2001
From: Simon Hauser
Date: Tue, 25 Nov 2025 15:21:43 +0100
Subject: [PATCH 1/3] chore: bump queue-builder
---
 flake.lock | 22 ++++++++++++----------
 flake.nix | 2 +-
 2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/flake.lock b/flake.lock
index cb0aeaf..029ff84 100644
--- a/flake.lock
+++ b/flake.lock
@@ -473,15 +473,16 @@
 ]
 },
 "locked": {
- "lastModified": 1769551408,
- "narHash": "sha256-8FaW2OxI5JVjU8ONvK9rH4xQfDA/MAaI5YXvsFuPyP4=",
+ "lastModified": 1769981687,
+ "narHash": "sha256-RPIu0Bf/xVOBziUJc77BevQPFdKSoYOJkvCEFiJVFWY=",
 "owner": "helsinki-systems",
 "repo": "hydra-queue-runner",
- "rev": "3d54e589b425fceaf5c59ba61613544e04fc8ff8",
+ "rev": "9a4b91a715c8d3dae7b11383f63ca8b7c5034c78",
 "type": "github"
 },
 "original": {
 "owner": "helsinki-systems",
+ "ref": "feat/fod_v2",
 "repo": "hydra-queue-runner",
 "type": "github"
 }
@@ -513,16 +514,17 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1769818627,
- "narHash": "sha256-34oYEWcr8pDkkmxHs1HTI0irAlniUeZCkOsOXWD7now=",
- "owner": "nixos",
- "repo": "infra",
- "rev": "03c2c0d024ec64a069d9766556ad7590b426edac",
+ "lastModified": 1769984451,
+ "narHash": "sha256-brwNsEUrQq9ofHpjkqJXxpWO2rZwFYnI2Gc4AV15Sb0=",
+ "owner": "helsinki-systems",
+ "repo": "nixos-infra",
+ "rev": "7799262f1023be0cf535d734da06b0cf2078cb79",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
- "repo": "infra",
+ "owner": "helsinki-systems",
+ "ref": "upd/queue-runner",
+ "repo": "nixos-infra",
 "type": "github"
 }
 },
diff --git a/flake.nix b/flake.nix
index 210d995..250e7c4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,7 +33,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 infra = {
- url = "github:nixos/infra";
+ url = "github:helsinki-systems/nixos-infra/upd/queue-runner";
 inputs = {
 nixpkgs.follows = "nixpkgs";
 nixpkgs-unstable.follows = "nixpkgs-unstable";
From b75a54a76be181e5d1a51f913e2502cf7e7a069b Mon Sep 17 00:00:00 2001
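Review bot: The `infra` input on the changed line now follows a mutable branch of a fork (`github:helsinki-systems/nixos-infra/upd/queue-runner`) instead of `github:nixos/infra`, and the flake.lock hunks above likewise move `hydra-queue-runner` to `"ref": "feat/fod_v2"`; the lock pins exact revs today, but every future `nix flake update` will track whatever those branches happen to point at. Later in this series the ofborg hosts read their mTLS trust root from this input (`serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"`), so the CA those queue-builder clients trust is now sourced from the fork — presumably a temporary staging arrangement until the upstream change lands, but nothing in the commit says so. Suggest recording that on the line, e.g. `url = "github:helsinki-systems/nixos-infra/upd/queue-runner"; # TEMP: fork of nixos/infra until the queue-runner update is merged upstream; revert to github:nixos/infra`, and preferably pinning with `?rev=…` rather than a branch name so an update cannot silently pull new content from the fork.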
From: Simon Hauser
Date: Sun, 30 Nov 2025 19:36:27 +0100
Subject: [PATCH 2/3] feat: deploy fod-checker
---
 non-critical-infra/hosts/build04.ofborg.org/default.nix | 2 ++
 non-critical-infra/hosts/eval04.ofborg.org/default.nix | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/non-critical-infra/hosts/build04.ofborg.org/default.nix b/non-critical-infra/hosts/build04.ofborg.org/default.nix
index 753841c..0e40c0c 100644
--- a/non-critical-infra/hosts/build04.ofborg.org/default.nix
+++ b/non-critical-infra/hosts/build04.ofborg.org/default.nix
@@ -46,6 +46,8 @@
 enable = true;
 queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
 maxJobs = 2;
+ supportedFeatures = [ "fod-checker" ];
+ mandatoryFeatures = [ "fod-checker" ];
 mtls = {
 serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt";
 clientCertPath = "${./client.crt}";
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/default.nix b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
index 70972bb..1df5a4b 100644
--- a/non-critical-infra/hosts/eval04.ofborg.org/default.nix
+++ b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
@@ -48,6 +48,8 @@
 enable = true;
 queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
 maxJobs = 2;
+ supportedFeatures = [ "fod-checker" ];
+ mandatoryFeatures = [ "fod-checker" ];
 mtls = {
 serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt";
 clientCertPath = "${./client.crt}";
From d3aa265d27cb01e80830ce0be7e06e3d830431db Mon Sep 17 00:00:00 2001
From: Simon Hauser
Date: Sun, 30 Nov 2025 20:58:58 +0100
Subject: [PATCH 3/3] feat: nix/fod firewall deployment
---
 .../hosts/build04.ofborg.org/default.nix | 2 +-
 .../hosts/eval04.ofborg.org/default.nix | 2 +-
 non-critical-infra/modules/ofborg/common.nix | 21 ++++++++++++++++++-
 3 files changed, 22 insertions(+), 3 deletions(-)
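Review bot: The two added lines are byte-identical in build04 and eval04 and sit next to an already-duplicated `queueRunnerAddr`/`mtls` block, so they belong in the shared ofborg module (`non-critical-infra/modules/ofborg/common.nix`, which the next patch in this series already edits) rather than in each host file, where the two copies will drift. Setting `mandatoryFeatures = [ "fod-checker" ]` also means these builders will only accept jobs that require that feature, which is a deliberate narrowing that a reader cannot tell from the bare assignment; a one-line comment such as `# only take FOD-checking jobs; everything else stays on the regular builders` would make it explicit. The `services.queue-builder-dev = {` attribute set these lines extend starts above the hunk, outside this view.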
diff --git a/non-critical-infra/hosts/build04.ofborg.org/default.nix b/non-critical-infra/hosts/build04.ofborg.org/default.nix
index 0e40c0c..5faa4e8 100644
--- a/non-critical-infra/hosts/build04.ofborg.org/default.nix
+++ b/non-critical-infra/hosts/build04.ofborg.org/default.nix
@@ -45,7 +45,7 @@
 services.queue-builder-dev = {
 enable = true;
 queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
- maxJobs = 2;
+ maxJobs = 4;
 supportedFeatures = [ "fod-checker" ];
 mandatoryFeatures = [ "fod-checker" ];
 mtls = {
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/default.nix b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
index 1df5a4b..b9874fc 100644
--- a/non-critical-infra/hosts/eval04.ofborg.org/default.nix
+++ b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
@@ -47,7 +47,7 @@
 services.queue-builder-dev = {
 enable = true;
 queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
- maxJobs = 2;
+ maxJobs = 4;
 supportedFeatures = [ "fod-checker" ];
 mandatoryFeatures = [ "fod-checker" ];
 mtls = {
diff --git a/non-critical-infra/modules/ofborg/common.nix b/non-critical-infra/modules/ofborg/common.nix
index 45075a2..7e93461 100644
--- a/non-critical-infra/modules/ofborg/common.nix
+++ b/non-critical-infra/modules/ofborg/common.nix
@@ -5,9 +5,28 @@
 "${inputs.infra}/modules/common.nix"
 "${inputs.infra}/non-critical-infra/modules/common.nix"
 ./ofborg-config.nix
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/system/nix-daemon-firewall.nix"
 ];
- nix.gc.automatic = true;
+ nix = {
+ gc.automatic = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 21 # access to ftp files
+ 22 # fetchGit
+ 34
+ "http"
+ 443
+ "30000-31000"
+ ];
+ allowedUDPPorts = [
+ 53 # DNS
+ 443 # QUIC/HTTP3
+ ];
+ };
+ };
+ networking.nftables.flushRuleset = false;
 # TODO wire up exporters # TODO loki
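Review bot: In the new `allowedTCPPorts` list, `34` has no comment and matches none of the services the neighbouring entries name (FTP, SSH, HTTP, HTTPS), so it reads like a typo; either document which fixed-output fetch needs it or drop it, and give `"30000-31000"` the same treatment, since this list is in effect the egress policy for the sandboxed FOD builds on these hosts and every open port should say why (e.g. `"http" # 80, fetchurl over plain HTTP`, `443 # HTTPS`, `"30000-31000" # <which service> — TODO confirm`). Whether bare integers, a service name and a range string may be mixed in one list depends on the option type declared by the `nix-daemon-firewall.nix` module imported from `inputs.nixpkgs-unstable`, which is not part of this series, so that should be confirmed before deploying. `networking.nftables.flushRuleset = false;` also deserves a why-comment — presumably so the module's nftables table is not wiped by the hosts' other rules, but that is an inference. The `imports = [` list this hunk extends starts above line 5, outside the hunk.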