staging-hydra: switch to nixos-infra branch

.github/workflows/ci.yml

@@ -75,6 +75,60 @@ jobs:
           name: nixos-infra-dev
           authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
       - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel'
+  # ofborg machines share most of their closure, so build all of one arch in a
+  # single job to reuse the store between them.
+  nixos-ofborg-x86_64:
+    name: NixOS ofborg (x86_64)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+        with:
+          name: nixos-infra-dev
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-x86_64-linux'
+  nixos-ofborg-aarch64:
+    name: NixOS ofborg (aarch64)
+    runs-on: ubuntu-22.04-arm
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+        with:
+          name: nixos-infra-dev
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-aarch64-linux'
+  nix-darwin-ofborg:
+    name: nix-darwin ofborg (aarch64)
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+        with:
+          name: nixos-infra-dev
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-aarch64-darwin'
+  nix-darwin-ofborg-x86_64:
+    name: nix-darwin ofborg (x86_64)
+    runs-on: macos-15-intel
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+        with:
+          name: nixos-infra-dev
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-x86_64-darwin'
   nix-darwin:
     runs-on: macos-latest
     strategy:

checks/flake-module.nix

@@ -1,5 +1,40 @@
-{ ... }:
+{ self, lib, ... }:
 {
+  # Group machine toplevels by architecture so CI can build all hosts of one
+  # arch in a single nix-fast-build invocation (the ofborg fleet in particular
+  # shares almost its entire closure). Hosts are listed explicitly to avoid
+  # forcing evaluation of every configuration just to learn its system.
+  flake.ciSystems =
+    let
+      nixos = names: lib.genAttrs names (n: self.nixosConfigurations.${n}.config.system.build.toplevel);
+      darwin = names: lib.genAttrs names (n: self.darwinConfigurations.${n}.config.system.build.toplevel);
+    in
+    {
+      ofborg-x86_64-linux = nixos [
+        "core01.ofborg.org"
+        "build01.ofborg.org"
+        "build02.ofborg.org"
+        "build03.ofborg.org"
+        "build04.ofborg.org"
+      ];
+      ofborg-aarch64-linux = nixos [
+        "eval01.ofborg.org"
+        "eval02.ofborg.org"
+        "eval03.ofborg.org"
+        "eval04.ofborg.org"
+        "build05.ofborg.org"
+      ];
+      ofborg-aarch64-darwin = darwin [
+        "nixos-foundation-macstadium-44911207"
+        "nixos-foundation-macstadium-44911104"
+      ];
+      ofborg-x86_64-darwin = darwin [
+        "nixos-foundation-macstadium-44911305"
+        "nixos-foundation-macstadium-44911362"
+        "nixos-foundation-macstadium-44911507"
+      ];
+    };
+
   perSystem =
     { self', lib, ... }:
     {

flake.nix

@@ -24,7 +24,7 @@
     };
 
     hydra-staging = {
-      url = "github:NixOS/hydra";
+      url = "github:NixOS/hydra/nixos-infra";
       inputs.nixpkgs.follows = "nixpkgs";
       # Can be kept in sync I suppose for now.
       inputs.nix.follows = "nix";
@@ -106,6 +106,17 @@
       url = "github:nix-community/nixpkgs-swh";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    ofborg = {
+      url = "github:NixOS/ofborg";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    ofborg-viewer = {
+      url = "github:NixOS/ofborg-viewer";
+      flake = false;
+    };
+
   };
   outputs =
     inputs@{ flake-parts, ... }:

macs/.sops.yaml

@@ -0,0 +1,58 @@
+keys:
+  - &hexa age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x
+  - &simon age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua
+  - &dasJ age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz
+  - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+  - &mic92-mac age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h
+  - &nixos-foundation-macstadium-44911305-ofborg-org age1x608lllmu7gdfjnn6c8mvmmguft5f22fu7g38wv3ckmzqy2usq0q5u2ekx
+  - &nixos-foundation-macstadium-44911362-ofborg-org age1d0u5ukkwsf47x4jv6uklcc4j3ljnmyz879syya2qneagz0t42cqqyf09dt
+  - &nixos-foundation-macstadium-44911507-ofborg-org age1s0m24l3s29jr345uxk5j8zq7kd4sln3rvf0pdtd6afum3smtxsyqtjra0z
+  - &nixos-foundation-macstadium-44911207-ofborg-org age1f6u77gvh94fk5fdh53lp04nk87cvjmwy2q3hjdlhd83mhlp0jg0s7rupux
+  - &nixos-foundation-macstadium-44911104-ofborg-org age14gkxeqaehj2m38sesnc6fyd4c3hqjt7tqjz6q7lrult3uaahxcysdxt67n
+
+creation_rules:
+  - path_regex: secrets/nixos-foundation-macstadium-44911305.yml
+    key_groups:
+      - age:
+          - *nixos-foundation-macstadium-44911305-ofborg-org
+          - *hexa
+          - *simon
+          - *dasJ
+          - *mic92
+          - *mic92-mac
+  - path_regex: secrets/nixos-foundation-macstadium-44911362.yml
+    key_groups:
+      - age:
+          - *nixos-foundation-macstadium-44911362-ofborg-org
+          - *hexa
+          - *simon
+          - *dasJ
+          - *mic92
+          - *mic92-mac
+  - path_regex: secrets/nixos-foundation-macstadium-44911507.yml
+    key_groups:
+      - age:
+          - *nixos-foundation-macstadium-44911507-ofborg-org
+          - *hexa
+          - *simon
+          - *dasJ
+          - *mic92
+          - *mic92-mac
+  - path_regex: secrets/nixos-foundation-macstadium-44911207.yml
+    key_groups:
+      - age:
+          - *nixos-foundation-macstadium-44911207-ofborg-org
+          - *hexa
+          - *simon
+          - *dasJ
+          - *mic92
+          - *mic92-mac
+  - path_regex: secrets/nixos-foundation-macstadium-44911104.yml
+    key_groups:
+      - age:
+          - *nixos-foundation-macstadium-44911104-ofborg-org
+          - *hexa
+          - *simon
+          - *dasJ
+          - *mic92
+          - *mic92-mac

macs/flake-module.nix

@@ -34,5 +34,60 @@
       # M2 8C, 24G, 1TB (Oakhost)
       eager-heisenberg = mkNixDarwin "eager-heisenberg" ./profiles/m2.large.nix;
       kind-lumiere = mkNixDarwin "kind-lumiere" ./profiles/m2.large.nix;
-    };
+    }
+    // inputs.nixpkgs.lib.listToAttrs (
+      map
+        (cfg: {
+          name = cfg.hostname;
+          value = inputs.darwin.lib.darwinSystem {
+            system = "${cfg.system}-darwin";
+
+            specialArgs = {
+              inherit inputs;
+            };
+
+            modules = [
+              ./ofborg-common.nix
+              ./profiles/${cfg.profile or "ofborg-${cfg.system}"}.nix
+              "${inputs.sops-nix}/modules/nix-darwin"
+              { networking.hostName = cfg.hostname; }
+            ];
+          };
+        })
+        [
+          # MacStadium ofborg builders
+          {
+            hostname = "nixos-foundation-macstadium-44911305";
+            system = "x86_64";
+            ip = "208.83.1.173";
+            # 12 CPU cores, 32 GB RAM, 500 GB disk
+          }
+          {
+            hostname = "nixos-foundation-macstadium-44911362";
+            system = "x86_64";
+            ip = "208.83.1.175";
+            # 12 CPU cores, 32 GB RAM, 500 GB disk
+          }
+          {
+            hostname = "nixos-foundation-macstadium-44911507";
+            system = "x86_64";
+            ip = "208.83.1.186";
+            # 12 CPU cores, 32 GB RAM, 500 GB disk
+          }
+          {
+            hostname = "nixos-foundation-macstadium-44911207";
+            system = "aarch64";
+            profile = "ofborg-m1";
+            ip = "208.83.1.145";
+            # 8 CPU cores, 16 GB RAM, 256 GB disk
+          }
+          {
+            hostname = "nixos-foundation-macstadium-44911104";
+            system = "aarch64";
+            profile = "ofborg-m1";
+            ip = "208.83.1.181";
+            # 8 CPU cores, 16 GB RAM, 256 GB disk
+          }
+        ]
+    );
 }

macs/mac-exec

@@ -9,6 +9,12 @@ HOSTS=(
 	"customer@eager-heisenberg.mac.nixos.org"
 	"customer@kind-lumiere.mac.nixos.org"
 	"root@norwegian-blue.mac.nixos.org"
+	# ofborg (MacStadium)
+	"root@mac01.ofborg.org"
+	"root@mac02.ofborg.org"
+	"root@mac03.ofborg.org"
+	"root@mac04.ofborg.org"
+	"root@mac05.ofborg.org"
 )
 PIDS=()
 

macs/mac-update

@@ -17,5 +17,11 @@ update hetzner@sweeping-filly.mac.nixos.org
 update customer@eager-heisenberg.mac.nixos.org
 update customer@kind-lumiere.mac.nixos.org
 update root@norwegian-blue.mac.nixos.org
+# ofborg (MacStadium)
+update root@mac01.ofborg.org
+update root@mac02.ofborg.org
+update root@mac03.ofborg.org
+update root@mac04.ofborg.org
+update root@mac05.ofborg.org
 
 wait "${PIDS[@]}"

macs/ofborg-ca/client-nixos-foundation-macstadium-44911104.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7kwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5
+WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM
+OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt
+LTQ0OTExMTA0MCowBQYDK2VwAyEAwg81We0emvtttglMSqZALqqHPQGkpM3j21+z
+ikmyM/6jQjBAMB0GA1UdDgQWBBS5ahdd+XKK/AI8jN7fdXWo6oYn0zAfBgNVHSME
+GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQAG5KMpDZ9Od7v42Qcx
+jpmEu9sSUB0XMzN0XYkIwIgRDK7jEmG1CbX19Vco1eBiA+MW+JFCmJP7JBM1lHx3
++BwO
+-----END CERTIFICATE-----

macs/ofborg-ca/client-nixos-foundation-macstadium-44911207.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7gwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5
+WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM
+OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt
+LTQ0OTExMjA3MCowBQYDK2VwAyEAeyeFq3u3hksc07IGBITcq0/go+iD4+DriPSb
+yAq+/nyjQjBAMB0GA1UdDgQWBBS/UHOeRtG8+xozoDTcYxcMpVYjzzAfBgNVHSME
+GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQCFQNs1ZiKpnY60MdFn
+H7NaQ7Jis0n665CjKWFKIEFdr2C+UZovnzSZYfl9UqxGjb3udfUK/6Z4Rqbf6cGH
+SRAP
+-----END CERTIFICATE-----

macs/ofborg-ca/client-nixos-foundation-macstadium-44911305.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7UwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5
+WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM
+OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt
+LTQ0OTExMzA1MCowBQYDK2VwAyEAQ6HvVxrDKl8JIAli/QNz8Ot4zcR9biiQOcQI
+mZLgekGjQjBAMB0GA1UdDgQWBBTTHQ/eJCYE8KTgVfhRq0RQThpONDAfBgNVHSME
+GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQDuIgw6XDf2Bpg2dFGz
+0GvVRlIDbv6paOdZDKhPqKuZIvXgYK6xtXJyYkODtPgkLjTkIufyX79o7zwtJATP
+oAwH
+-----END CERTIFICATE-----

macs/ofborg-ca/client-nixos-foundation-macstadium-44911362.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7YwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5
+WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM
+OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt
+LTQ0OTExMzYyMCowBQYDK2VwAyEA70JtJD1NetW22ggjqF6LY8plCNn4jpMJm1Aa
+I0JoImOjQjBAMB0GA1UdDgQWBBQEVVeckjstcg3RWqa7G884FbpnvzAfBgNVHSME
+GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQBcdGmZ0e69HfUN8E/1
+sQfFeaqwzX5jc3RhHnjViLP4OUcqWnYeqAT+ELwaucOdkMp47SgJIaUn12FEG+i/
+oC4C
+-----END CERTIFICATE-----