infra/modules/nixos/hydra/default.nix

{ lib, inputs, pkgs, config, ... }:
let
  upload-to-cachix = pkgs.writeScriptBin "upload-to-cachix" ''
    #!/bin/sh
    set -eu
    set -f # disable globbing

    # skip push if the declarative job spec
    OUT_END=$(echo ''${OUT_PATHS: -10})
    if [ "$OUT_END" == "-spec.json" ]; then
      exit 0
    fi

    export HOME=/root
    exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1
  '';
in
{
  options.services.hydra = {
    adminPasswordFile = lib.mkOption {
      type = lib.types.str;
      description = "The initial password for the Hydra admin account";
    };

    usersFile = lib.mkOption {
      type = lib.types.str;
      description = ''
        declarative user accounts for hydra.
        format: user;role;password-hash;email-address;full-name
        Password hash is computed by applying sha1 to the password.
      '';
    };
  };

  config = {
    sops.secrets.hydra-admin-password.owner = "hydra";
    sops.secrets.hydra-users.owner = "hydra";

    # hydra-queue-runner needs to read this key for remote building
    sops.secrets.id_buildfarm.owner = "hydra-queue-runner";

    nix.settings.allowed-uris = [
      "https://github.com/nix-community/"
      "https://github.com/NixOS/"
    ];
    nix.settings.post-build-hook = "${upload-to-cachix}/bin/upload-to-cachix";

    sops.secrets.nix-community-cachix.sopsFile = "${toString inputs.self}/modules/nixos/nix-community-cache/secrets.yaml";
    sops.secrets.id_buildfarm = { };

    # delete build logs older than 30 days
    systemd.services.hydra-delete-old-logs = {
      startAt = "Sun 05:45";
      serviceConfig.ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";
    };

    services.hydra = {
      enable = true;
      # remote builders set in /etc/nix/machines + localhost
      buildMachinesFiles = [
        "/etc/nix/machines"

        (pkgs.writeText "local" ''
          localhost x86_64-linux,builtin - 8 1 nixos-test,big-parallel,kvm - -
        '')
      ];
      hydraURL = "https://hydra.nix-community.org";
      notificationSender = "hydra@hydra.nix-community.org";
      port = 3000;
      useSubstitutes = true;
      adminPasswordFile = config.sops.secrets.hydra-admin-password.path;
      usersFile = config.sops.secrets.hydra-users.path;
      extraConfig = ''
        max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}
      '';
    };

    services.postgresql = {
      enable = true;
      ensureDatabases = [ "hydra" ];
      settings = {
        max_connections = "300";
        effective_cache_size = "4GB";
        shared_buffers = "4GB";
      };
    };

    services.nginx.virtualHosts = {
      "hydra.nix-community.org" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
      };
    };

    # Create a admin user and configure a declarative project
    systemd.services.hydra-post-init = {
      serviceConfig = {
        Type = "oneshot";
        TimeoutStartSec = "60";
      };
      wantedBy = [ "multi-user.target" ];
      after = [ "hydra-server.service" ];
      requires = [ "hydra-server.service" ];
      environment = {
        inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
      };
      path = [ config.services.hydra.package pkgs.netcat ];
      script = ''
        set -e
        while IFS=';' read -r user role passwordhash email fullname; do
          opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")
          if [[ -n "$email" ]]; then
            opts+=("--email-address" "$email")
          fi
          if [[ -n "$fullname" ]]; then
            opts+=("--full-name" "$fullname")
          fi
          hydra-create-user "''${opts[@]}"
        done < ${config.services.hydra.usersFile}

        while ! nc -z localhost ${toString config.services.hydra.port}; do
          sleep 1
        done

        export HYDRA_ADMIN_PASSWORD=$(cat ${config.services.hydra.adminPasswordFile})
        export URL=http://localhost:${toString config.services.hydra.port}
      '';
    };
  };
}
use `inputs.self` for file paths 2023-05-17 08:03:45 +10:00			`{ lib, inputs, pkgs, config, ... }:`
switch back to post-build-hook 2023-05-26 15:54:37 +10:00			`let`
			`upload-to-cachix = pkgs.writeScriptBin "upload-to-cachix" ''`
			`#!/bin/sh`
			`set -eu`
			`set -f # disable globbing`

			`# skip push if the declarative job spec`
			`OUT_END=$(echo ''${OUT_PATHS: -10})`
			`if [ "$OUT_END" == "-spec.json" ]; then`
			`exit 0`
			`fi`

			`export HOME=/root`
			`exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1`
			`'';`
			`in`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`{`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`options.services.hydra = {`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`adminPasswordFile = lib.mkOption {`
			`type = lib.types.str;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`description = "The initial password for the Hydra admin account";`
			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`usersFile = lib.mkOption {`
			`type = lib.types.str;`
declarative hydra users 2021-03-06 18:03:01 +01:00			`description = ''`
			`declarative user accounts for hydra.`
			`format: user;role;password-hash;email-address;full-name`
			`Password hash is computed by applying sha1 to the password.`
			`'';`
			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00			`};`
hydra: fix remote build 2022-09-29 19:50:43 +02:00
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`config = {`
fix module evaluation 2021-09-29 19:50:50 +02:00			`sops.secrets.hydra-admin-password.owner = "hydra";`
			`sops.secrets.hydra-users.owner = "hydra";`
migrate to sops-nix 2021-09-25 22:35:51 +02:00
hydra: allow to read ssh remote builder key 2022-08-14 17:23:05 +02:00			`# hydra-queue-runner needs to read this key for remote building`
			`sops.secrets.id_buildfarm.owner = "hydra-queue-runner";`

services/hydra: switch to nix.setttings and remove redundant builders-use-substitutes 2023-04-12 12:35:41 +10:00			`nix.settings.allowed-uris = [`
			`"https://github.com/nix-community/"`
			`"https://github.com/NixOS/"`
			`];`
switch back to post-build-hook 2023-05-26 15:54:37 +10:00			`nix.settings.post-build-hook = "${upload-to-cachix}/bin/upload-to-cachix";`
switch back to post-build-hook to push to hydra hydra-notify seems to be single threaded and slow. `post-build-hook` hopefully is executed in parallel. 2022-08-14 15:31:50 +02:00
roles, services: refactor into modules 2023-05-17 07:21:20 +10:00			`sops.secrets.nix-community-cachix.sopsFile = "${toString inputs.self}/modules/nixos/nix-community-cache/secrets.yaml";`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`sops.secrets.id_buildfarm = { };`
enable aarch64 builder in hydra fixes https://github.com/nix-community/infra/issues/220 2022-08-13 14:34:38 +02:00
hydra: delete old logs periodically 2023-03-21 06:40:06 +01:00			`# delete build logs older than 30 days`
			`systemd.services.hydra-delete-old-logs = {`
			`startAt = "Sun 05:45";`
			`serviceConfig.ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";`
			`};`

build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`services.hydra = {`
			`enable = true;`
hydra: switch to buildMachinesFiles (#303) 2022-10-30 06:38:47 +10:00			`# remote builders set in /etc/nix/machines + localhost`
			`buildMachinesFiles = [`
			`"/etc/nix/machines"`

			`(pkgs.writeText "local" ''`
			`localhost x86_64-linux,builtin - 8 1 nixos-test,big-parallel,kvm - -`
			`'')`
			`];`
hydra: defaults to https urls 2021-03-06 13:59:44 +01:00			`hydraURL = "https://hydra.nix-community.org";`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`notificationSender = "hydra@hydra.nix-community.org";`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`port = 3000;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`useSubstitutes = true;`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`adminPasswordFile = config.sops.secrets.hydra-admin-password.path;`
			`usersFile = config.sops.secrets.hydra-users.path;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`extraConfig = ''`
			`max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}`
			`'';`
			`};`

hydra: increase Postgresql cache size 2020-10-21 19:15:05 +02:00			`services.postgresql = {`
			`enable = true;`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`ensureDatabases = [ "hydra" ];`
niv update (#46) * remove vpsadmin We're not using this at the moment * niv update 2021-01-03 00:53:49 +00:00			`settings = {`
hydra: fix remote build 2022-09-29 19:50:43 +02:00			`max_connections = "300";`
niv update (#46) * remove vpsadmin We're not using this at the moment * niv update 2021-01-03 00:53:49 +00:00			`effective_cache_size = "4GB";`
			`shared_buffers = "4GB";`
			`};`
hydra: increase Postgresql cache size 2020-10-21 19:15:05 +02:00			`};`

move hydra to build03 2021-04-21 23:23:08 +02:00			`services.nginx.virtualHosts = {`
			`"hydra.nix-community.org" = {`
			`forceSSL = true;`
			`enableACME = true;`
apply statix simplication 2023-01-01 15:30:41 +01:00			`locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";`
move hydra to build03 2021-04-21 23:23:08 +02:00			`};`
			`};`

build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`# Create a admin user and configure a declarative project`
declarative hydra users 2021-03-06 18:03:01 +01:00			`systemd.services.hydra-post-init = {`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`serviceConfig = {`
			`Type = "oneshot";`
			`TimeoutStartSec = "60";`
			`};`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`wantedBy = [ "multi-user.target" ];`
			`after = [ "hydra-server.service" ];`
			`requires = [ "hydra-server.service" ];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`environment = {`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`};`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`path = [ config.services.hydra.package pkgs.netcat ];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`script = ''`
			`set -e`
hydra: declarative users fixups 2021-03-06 20:36:42 +01:00			`while IFS=';' read -r user role passwordhash email fullname; do`
declarative hydra users 2021-03-06 18:03:01 +01:00			`opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")`
			`if [[ -n "$email" ]]; then`
			`opts+=("--email-address" "$email")`
			`fi`
			`if [[ -n "$fullname" ]]; then`
			`opts+=("--full-name" "$fullname")`
			`fi`
hydra: declarative users fixups 2021-03-06 20:36:42 +01:00			`hydra-create-user "''${opts[@]}"`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`done < ${config.services.hydra.usersFile}`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`while ! nc -z localhost ${toString config.services.hydra.port}; do`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`sleep 1`
			`done`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`export HYDRA_ADMIN_PASSWORD=$(cat ${config.services.hydra.adminPasswordFile})`
			`export URL=http://localhost:${toString config.services.hydra.port}`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`'';`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00			`};`
			`}`
No results found.