infra/modules/nixos/hydra/default.nix

{ lib, inputs, pkgs, config, ... }:
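let
  # post-build-hook that pushes every finished build to the nix-community
  # cachix cache.  Nix invokes it with the finished store paths in $OUT_PATHS;
  # HOME is forced to /root below, so it is expected to run as the nix daemon.
  #
  # writeShellScriptBin pins the interpreter to nixpkgs' bash: the script uses
  # `${var: -10}` substring expansion, which is not POSIX sh, so the previous
  # `#!/bin/sh` shebang only worked because /bin/sh happens to be bash here.
  upload-to-cachix = pkgs.writeShellScriptBin "upload-to-cachix" ''
    set -eu
    set -f # disable globbing; $OUT_PATHS is split on whitespace on purpose
    # skip push if the declarative job spec
    # NOTE(review): only the last 10 characters of the whole OUT_PATHS string
    # are checked, i.e. the suffix of the *last* path when several are listed.
    OUT_END=''${OUT_PATHS: -10}
    if [ "$OUT_END" = "-spec.json" ]; then
      exit 0
    fi
    export HOME=/root
    # stdout/stderr are truncated on every build, so only the most recent
    # push is visible in /tmp/hydra_cachix (the token itself is read from the
    # sops-rendered file and is never printed by this script)
    exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1
  '';
in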
{
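options.services.hydra = {
  # Both options carry *paths* to files (here: sops-rendered secrets),
  # never the secret values themselves, so they are safe to keep in the
  # world-readable nix store.
  adminPasswordFile = lib.mkOption {
    type = lib.types.str;
    description = "Path to a file containing the initial password for the Hydra admin account";
  };

  usersFile = lib.mkOption {
    type = lib.types.str;
    description = ''
      Path to a file with declarative user accounts for hydra, one per line.
      format: user;role;password-hash;email-address;full-name
      Password hash is computed by applying sha1 to the password
      (the value handed to hydra-create-user --password-hash).
    '';
  };
};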
config = {
# secrets rendered by sops-nix; each one is owned by the service user that
# reads it (unset owner keeps sops-nix's default)
sops.secrets = {
  hydra-admin-password.owner = "hydra";
  hydra-users.owner = "hydra";
  # hydra-queue-runner needs to read this key for remote building
  id_buildfarm.owner = "hydra-queue-runner";
  # cachix token consumed by the post-build hook; it lives in the
  # nix-community-cache module's secrets file rather than this module's
  nix-community-cachix.sopsFile = "${toString inputs.self}/modules/nixos/nix-community-cache/secrets.yaml";
};

nix.settings = {
  # URI prefixes evaluation is allowed to fetch from (restricted evaluation)
  allowed-uris = [
    "https://github.com/nix-community/"
    "https://github.com/NixOS/"
  ];
  # push every finished build to cachix, see upload-to-cachix above
  post-build-hook = "${upload-to-cachix}/bin/upload-to-cachix";
};
# delete build logs older than 30 days; runs weekly via the startAt timer
systemd.services.hydra-delete-old-logs = {
  startAt = "Sun 05:45";
  serviceConfig = {
    # -mtime +30 matches files last modified more than 30 full days ago
    ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";
  };
};
services.hydra = {
  enable = true;
  hydraURL = "https://hydra.nix-community.org";
  notificationSender = "hydra@hydra.nix-community.org";
  # plain-HTTP port that nginx proxies to (see virtualHosts below)
  port = 3000;
  useSubstitutes = true;

  # remote builders set in /etc/nix/machines + localhost
  buildMachinesFiles =
    let
      localBuilder = pkgs.writeText "local" ''
        localhost x86_64-linux,builtin - 8 1 nixos-test,big-parallel,kvm - -
      '';
    in
    [ "/etc/nix/machines" localBuilder ];

  # both point at sops-rendered secret files, not at inline values
  adminPasswordFile = config.sops.secrets.hydra-admin-password.path;
  usersFile = config.sops.secrets.hydra-users.path;

  # cap on the size of a single build output hydra will keep (8 GiB)
  extraConfig =
    let
      gib = 1024 * 1024 * 1024;
    in
    ''
      max_output_size = ${toString (8 * gib)}
    '';
};
# local database backing hydra; the hydra module talks to it via HYDRA_DBI
services.postgresql = {
  enable = true;
  ensureDatabases = [ "hydra" ];
  # values are passed through to postgresql.conf as given
  settings = {
    shared_buffers = "4GB";
    effective_cache_size = "4GB";
    max_connections = "300";
  };
};
# TLS termination in front of hydra; forceSSL also redirects plain HTTP
services.nginx.virtualHosts."hydra.nix-community.org" = {
  forceSSL = true;
  enableACME = true;
  locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
};
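# Create the declarative user accounts from services.hydra.usersFile.
# No User= is set, so this runs as root, which is what lets it read the
# hydra-owned sops secret.
# NOTE(review): services.hydra.adminPasswordFile is no longer consumed here;
# the admin-account / declarative-project setup this unit once did is gone,
# and the exports that used to read the password into the environment were
# dead code and have been dropped.
systemd.services.hydra-post-init = {
  serviceConfig = {
    Type = "oneshot";
    # also bounds the port-wait loop at the end of the script
    TimeoutStartSec = "60";
  };
  wantedBy = [ "multi-user.target" ];
  # hydra-server is ordered after hydra-init, so the schema exists by now
  after = [ "hydra-server.service" ];
  requires = [ "hydra-server.service" ];
  environment = {
    # reuse the exact database connection string hydra-init was given
    inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
  };
  path = [ config.services.hydra.package pkgs.netcat ];
  script = ''
    set -e
    # one account per line: user;role;password-hash;email-address;full-name
    # `|| [[ -n "$user" ]]` still processes a final line without a trailing newline
    while IFS=';' read -r user role passwordhash email fullname || [[ -n "$user" ]]; do
      # skip blank lines instead of invoking hydra-create-user with an empty name
      if [[ -z "$user" ]]; then
        continue
      fi
      opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")
      if [[ -n "$email" ]]; then
        opts+=("--email-address" "$email")
      fi
      if [[ -n "$fullname" ]]; then
        opts+=("--full-name" "$fullname")
      fi
      # runs on every boot; hydra-create-user is expected to update an
      # existing account rather than fail
      hydra-create-user "''${opts[@]}"
    done < ${config.services.hydra.usersFile}

    # only report success once the web server answers on its port
    while ! nc -z localhost ${toString config.services.hydra.port}; do
      sleep 1
    done
  '';
};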
};
}