switch to new queue runner

Author: zowoq

dev/genca.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# https://github.com/NixOS/infra/blob/5d020952f5b870ff323904035347cd768530617d/non-critical-infra/hosts/staging-hydra/genca.sh
+set -x
+
+hosts="build03 build04"
+
+O="Nix Community Infra"
+
+newDir="$(date '+%Y-%m-%dT%H:%M')"
+mkdir "${newDir}"
+cd "${newDir}" || exit
+
+openssl genpkey -algorithm Ed25519 -out ca.key
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 18250 -out ca.crt \
+  -subj "/O=${O}/CN=hydra-queue-runner-ca"
+
+cat <<EOF >server.cnf
+[req]
+prompt             = no
+x509_extensions    = v3_req
+req_extensions     = v3_req
+default_md         = sha256
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+O  = ${O}
+CN = queue-runner.hydra.nix-community.org
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage         = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = critical, serverAuth
+subjectAltName   = @alt_names
+
+[alt_names]
+DNS.1 = queue-runner.hydra.nix-community.org
+EOF
+
+openssl genpkey -algorithm Ed25519 -out server.key
+openssl req -new -key server.key -out server.csr -config server.cnf
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 18250 -sha256 -extfile server.cnf -extensions v3_req
+
+for host in ${hosts}; do
+  openssl genpkey -algorithm Ed25519 -out "client-${host}.key"
+  openssl req -new -key "client-${host}.key" -out "client-${host}.csr" \
+    -subj "/O=${O}/CN=hydra-queue-builder-${host}"
+  openssl x509 -req -in "client-${host}.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "client-${host}.crt" -days 18250 -sha256
+done
+
+rm -rf -- *.csr *.srl
+rm server.cnf
+
+cd - || exit

dnscontrol/dnsconfig.js

@@ -65,6 +65,7 @@ var cnames = {
     "nl.meet": "nixnl.codeberg.page.",
     "nur-update": "build03",
     "prometheus": "web02",
+    "queue-runner.hydra": "build03",
     "temp-cache": "build03",
     // keep-sorted end
 };

flake.lock

@@ -38,6 +38,8 @@
     nixbsd.inputs.nixpkgs.follows = "nixbsd-nixpkgs";
     nixbsd.url = "github:qowoz/nixbsd/tmp3-community";
     nixos-facter-modules.url = "github:nix-community/nixos-facter-modules";
+    nixos-infra.flake = false;
+    nixos-infra.url = "github:NixOS/infra";
     nixpkgs-update-github-releases.flake = false;
     nixpkgs-update-github-releases.url = "github:nix-community/nixpkgs-update-github-releases";
     nixpkgs-update.inputs.mmdoc.follows = "empty";

flake.nix

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkzCCAUWgAwIBAgIUM3IOGPv05wdHhykHyC7J0eYl4qYwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowPjEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEeMBwGA1UEAwwVaHlkcmEtcXVl
+dWUtcnVubmVyLWNhMCowBQYDK2VwAyEApTUfa9PNgjIqQIU8ur4gJ/EAClvVX+oJ
+hduaCt0iQ+WjUzBRMB0GA1UdDgQWBBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAfBgNV
+HSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAPBgNVHRMBAf8EBTADAQH/MAUG
+AytlcANBAIsqwp4tW+P5yAdhZy8rWGeKhwVyKmtkf2EjCeWbxDAVqeQvEXWcP1o0
+SFwPhoW5BaccYOgsrSDq3hY7xs2BUgQ=
+-----END CERTIFICATE-----

hosts/build03/ca.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBiDCCATqgAwIBAgIULzcgJlY8HPEN7WebeYdUwmvL0dQwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowRDEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEkMCIGA1UEAwwbaHlkcmEtcXVl
+dWUtYnVpbGRlci1idWlsZDAzMCowBQYDK2VwAyEAgT2MFRB7qdN1Hx+ipgFOgYVc
+zdDmZtm/jrPS/BOerrCjQjBAMB0GA1UdDgQWBBTR0QWcQtL2JbUeFmoHOO7y8wj7
+5zAfBgNVHSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAFBgMrZXADQQCZtrwk
+DknHpZPuceVHJPYYv9mYJvXfbHy5XAUkkS8lMWvH78dIQA+tK0atIvt364HkRBN1
+8pQWdhCU+bkKDDcC
+-----END CERTIFICATE-----

hosts/build03/client.crt

@@ -4,6 +4,7 @@
     ./builders.nix
     ./cache.nix
     ./postgresql.nix
+    ./queue-runner.nix
     inputs.self.nixosModules.buildbot
     inputs.self.nixosModules.cgroups
     inputs.self.nixosModules.ci-builder

hosts/build03/default.nix

@@ -0,0 +1,60 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+{
+  imports = [ "${inputs.nixos-infra}/non-critical-infra/modules/hydra-queue-runner-v2.nix" ];
+
+  sops.secrets.queue-runner-server-key.owner = "nginx";
+
+  services.hydra-queue-runner-v2 = {
+    enable = true;
+    settings = {
+      useSubstitutes = true;
+    };
+    rest.port = 9090;
+  };
+
+  services.hydra = {
+    extraConfig = lib.mkAfter ''
+      queue_runner_endpoint = http://localhost:9090
+    '';
+  };
+
+  systemd.services.hydra-queue-runner.enable = false;
+
+  services.nginx.virtualHosts."queue-runner.hydra.nix-community.org" = {
+    # disable defaults
+    enableACME = false;
+    forceSSL = false;
+
+    extraConfig = ''
+      client_max_body_size 5120M;
+      ssl_client_certificate ${./ca.crt};
+      ssl_verify_depth 2;
+      ssl_verify_client on;
+    '';
+
+    sslCertificate = ./server.crt;
+    sslCertificateKey = config.sops.secrets.queue-runner-server-key.path;
+    onlySSL = true;
+
+    locations."/".extraConfig = ''
+      # This is necessary so that grpc connections do not get closed early
+      # see https://stackoverflow.com/a/67805465
+      client_body_timeout 31536000s;
+      grpc_pass grpc://[::1]:50051;
+      grpc_read_timeout 31536000s; # 1 year in seconds
+      grpc_send_timeout 31536000s; # 1 year in seconds
+      grpc_socket_keepalive on;
+      grpc_set_header Host $host;
+      grpc_set_header X-Real-IP $remote_addr;
+      grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      grpc_set_header X-Forwarded-Proto $scheme;
+      grpc_set_header X-Client-DN $ssl_client_s_dn;
+      grpc_set_header X-Client-Cert $ssl_client_escaped_cert;
+    '';
+  };
+}

hosts/build03/queue-runner.nix

@@ -11,6 +11,9 @@ buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+w
 buildbot-effects-nix-community-infra: ENC[AES256_GCM,data:wAYSvEza+1xjT/rIp5MtR3HEQe3OscRBtrWF/f6G/z+ftaiWXMfWhW9X8z53I20lzx9a6BqmO4jcWAGmXRSV4TX6wxKsUP9BnzxTImDS41zWfOtHV9sDifk6jmVJyAAsrY8CrebGTmPvWUXEUMmAZkUorQkv8gfxoL66GCtPfqa7d1OSKX8rAXd1YAJL58aXFeD6X6iZqo2tVd1OhlmUuFj5oum+9uLPjCY54IfilLlERw5DdTPDhMBdKt5owR0dpJDmp9t8i0AV2j4Hm36ZsY8L9ket1iB04MlapsUI24RiXHk+aFJqSy+0onvmqeniiBeaa106YomSQAS1cyOp0U+Rcqwhtnh9MNUZzciVXi2F5nkPzA3OcbQh8MDcJ/66z/VUkSac0iMXvr/47d5V0XCm9JSKXuijOUGTu9LRbdEAAQ+gsZ/Z8i6+9d75CeSoVH5Mtm7eU4CbhloNmpAcz5qyFf+sRgWz5qK8z1MwT795P/P/Oi2YQswtwnyLO7UkQ5tCrE+qcFxM9cAAcJzkzGctB5QdHDaPkkpMGic8vpAoYgx3t7Qmasuef96Fhhj4lk10sTTUrWZlnFbmduO/fDOULvisnW/BTpYsnsIPSKREg8wQAu7Fiu9EO0TZOagAQf03EiFDcxosetxPJIXoNWsZK/1LsX+7SnBBklVDtwxu6urOUCW8vYXD4aGZvkTGc6O6vwiOs+oEHd6J7Mes/+23hTzldnFobodwnzbRNVt/WT2FQjX5qFehyxbARL+EtT4MQC4sWGpXSybUs10=,iv:rdLHfK4NbCaMIIhhQd2MfVf1DdKKF9Sqe4Kxuy57yok=,tag:DPxsDTLIhA0d4KPXwseL9g==,type:str]
 temp-cache-key: ENC[AES256_GCM,data:weL92egwmo4z32jXmWjgbfHo6h61+mWwHrHVAg0N8cHzBOjgsAL3NTRgpiiaePw/FcZa1rJ/ygBGyUYJbIq036fxhd1I/Vu+dPFXz7PPIphRj/q8wru21qfLXep39rk+bIqsJJB2++070SCKwgRLb4re9cM05ah3,iv:sX78dExpTL+UFkHWfQmYN8nsZcMCFhrgXwvtzvoWdJA=,tag:j3MNmXSdQEuh9oYP00yJAw==,type:str]
 rfc39-record-ssh-key: ENC[AES256_GCM,data:2jmn3F+y1xFACYfUoxJqp7EAEZVVuDYUGISk7/d8xAfjfpnekAO8OHRVT+RSgLQuVXsV7ffocb3M319+Kgdp5/hRUr7zNlCkBTMdXz9XBHDUmeEjhjtjQCmH0WYRjLgpyDrUY4gk1+EuAIKY0J9MktKJ4JKIxSm0Keei2iByoXxIjQhHDNg48UXQBW0A8ZPqWPmJsHCFtGcQXSVG/rehGqYh2cDC5Q4XpU4Rw1j+ZyE81RakbNxWx/uIVvbQxGuYI3qXyOunllokj5jh8VBQUpz3QdCkIR7dFTuoBy7N79sdZntAqHhNdeZPLpxIVTNwGBzgTvdcA9PCQSIs7TYg7X7l98Z9QQUnSXpg3APz+jlsoOF/icXrcOxJBAPAhBqH/2mBUEjbNiWQR44cZi4Bt6n1LZCA0IniZsBwUFDE9o8a4z70Nc2QGcLLixbWc+g8GtrH1qxtXe2mZ13uWFL1THuIypJzrbGKAPV+NAao9Q60znzWgQiuSkN2eXaGZQLadEXi,iv:wbhy54VM7WqRSgjoyjYKenliXgxjd41lFJdTr+1UH84=,tag:DB7VXqK2RHdadeEHabTwRw==,type:str]
+queue-runner-ca-key: ENC[AES256_GCM,data:aNs2Xk3n6vAJIyFeYEj28Lm89gCAMN8op90Yo5U4HrnoxR+aJnwnF5sbwT989iNAjGpKdgu9KH47lo4maDJRSTLprEKb8ytEpUWTKgq6VTujPhlxDtdqlj2QtTeSJxlrXZwxLs/miH4a/qFUNcbmLJJmPLe+e7w=,iv:iEVZqsJjkXAJ7Dqadf9dyDTtTMLq6DX1gjE3GU11SUY=,tag:hFz/4Syc8vDtrPdKeiBe9w==,type:str]
+queue-runner-server-key: ENC[AES256_GCM,data:cxTbXFV2ckIk468TbrdHrqxZDvGJ7cCaI+/hbfzRtnYmT2W26f3SzjM4EDg9ZCQcXIcdb6Ii/bfCwJj/Yhp60t/o5QuBvYHoNgyrM9v7bRZeNwY3JE5EM64UEIIgSzT/WlOwvf7c+mSS+4n1MfeMoRPZQM5mbOg=,iv:VoL4YPCusW0/XNEBPAyC1SuHRCfvipmHamLxcPlN+ZM=,tag:Lrov4NonT6CRLWs2P9OKig==,type:str]
+queue-runner-client-key: ENC[AES256_GCM,data:CP16NvBDGOC0rOOxZO7EoIzWjdxEhpaPUM35RkkWoSgIlGYoXhT/1k/jaRAnyhfyj7h8rMBQMbgFeXqYAW6B7dTgxtB/HqDL7dZNk1HILhzYyMJlZ5+Px9S+qDutqJjwDhLSh7lyLOWBABjYYWAJEpNQ50Eakmc=,iv:K/FeMftONTpMMVcyfpCJFWhcoULdzwebl/k+aKM9NPw=,tag:VJU1QFjy3HAQQit8AtKPFA==,type:str]
 sops:
     age:
         - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
@@ -67,7 +70,7 @@ sops:
             WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
             FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-01T23:53:43Z"
-    mac: ENC[AES256_GCM,data:McXvWpN6kIprv2BOTCAqtDHiZv4xF3kmaltSJqGzfV3midOC8eeJVBwRhCU53h1TTJXoZU8Ar0cloNkiT1sqFFy8WUcdFC0NHHRnLAGX4ihSuSh5RA2odWUhua9QY73xfBwSGy876bVKtMzDVNMeecjRjBpZFJ3O/8FpKrMig/g=,iv:8iQPZv+jKJqI694cyJ5r0Je4jmvnmIj7QL06kq1ttwc=,tag:xP82ALLVO/Qq50TKx/1pWw==,type:str]
+    lastmodified: "2025-08-04T04:34:06Z"
+    mac: ENC[AES256_GCM,data:qpy+3Ifv9ydOKA51E/EoJjLZVhkEl/CwcqLu+rDCfTw920agoHXUMBeXCsiE3U3WoNPMJQUcQOXUr4MVZ/wtYHnGGqYHDlx3Ap0b1+Kjl0SJxlhpvib3mKpQEXTqh1bB5ylujydaDZasknjncWl96nKJG6KhF6xJE5zDqCaHWrU=,iv:kiLGLOnxIqpu+UpiBqx1pwkBqvncks8DBDqURp1BdGE=,tag:oJp0P+xeBinYhihUsqBWSg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

hosts/build03/secrets.yaml

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9DCCAaagAwIBAgIULzcgJlY8HPEN7WebeYdUwmvL0dMwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowTTEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEtMCsGA1UEAwwkcXVldWUtcnVu
+bmVyLmh5ZHJhLm5peC1jb21tdW5pdHkub3JnMCowBQYDK2VwAyEAZVsAufKBynGu
+MGDtn7Mryt5zkoxJ+Q3D/camesUKjFKjgaQwgaEwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA+gwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwLwYDVR0RBCgwJoIkcXVldWUt
+cnVubmVyLmh5ZHJhLm5peC1jb21tdW5pdHkub3JnMB0GA1UdDgQWBBQNqGtr7msZ
++1Ljn5sXVmxftth3KzAfBgNVHSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAF
+BgMrZXADQQCYRvZxS6cFMXTWr0Gy8svwctT6VL2Lfsrvg64SkmBFfFQdmlJpCSI1
+LCPSU5Q3NUMj6ILhZXN7J1cclj54iusD
+-----END CERTIFICATE-----