infra/modules/nixos/hydra.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (lib) concatStringsSep;
  localSystems = [
    "builtin"
    config.nixpkgs.hostPlatform.system
  ] ++ config.nix.settings.extra-platforms;
in
{
  sops.secrets.hydra-admin-password.owner = "hydra";
  sops.secrets.hydra-users.owner = "hydra";

  # hydra-queue-runner needs to read this key for remote building
  sops.secrets.id_buildfarm.owner = "hydra-queue-runner";

  nix.settings.keep-outputs = lib.mkForce false;

  nix.settings.allowed-uris = [
    "git+https:"
    "github:"
    "gitlab:"
    "https:"
    "sourcehut:"
  ];

  sops.secrets.id_buildfarm = { };

  # delete build logs older than 30 days
  systemd.services.hydra-delete-old-logs = {
    startAt = "Sun 05:45";
    serviceConfig.ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";
  };

  # not currently needed
  systemd.services = {
    hydra-check-space.enable = false;
    hydra-send-stats.enable = false;
  };

  services.hydra = {
    enable = true;
    # remote builders set in /etc/nix/machines + localhost
    buildMachinesFiles = [
      (pkgs.runCommand "etc-nix-machines" { machines = config.environment.etc."nix/machines".text; } ''
        printf "$machines" > $out
        substituteInPlace $out --replace-fail 'ssh-ng://' 'ssh://'
        substituteInPlace $out --replace-fail ' 80 ' ' 3 '
        substituteInPlace $out --replace-fail ' 8 ' ' 1 '
      '')

      (pkgs.writeText "local" ''
        localhost ${concatStringsSep "," localSystems} - 3 1 ${concatStringsSep "," config.nix.settings.system-features} - -
      '')
    ];
    hydraURL = "https://hydra.nix-community.org";
    notificationSender = "hydra@hydra.nix-community.org";
    port = 3000;
    useSubstitutes = true;
    extraConfig = ''
      evaluator_max_memory_size = 4096
      evaluator_workers = 8
      max_concurrent_evals = 2
      max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}
    '';
  };

  services.nginx.virtualHosts."hydra.nix-community.org" = {
    locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
  };

  # Create user accounts
  # format: user;role;password-hash;email-address;full-name
  # Password hash is computed by applying sha1 to the password.
  systemd.services.hydra-post-init = {
    serviceConfig = {
      Type = "oneshot";
      TimeoutStartSec = "60";
    };
    wantedBy = [ config.systemd.targets.multi-user.name ];
    after = [ config.systemd.services.hydra-server.name ];
    requires = [ config.systemd.services.hydra-server.name ];
    environment = {
      inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
    };
    path = [
      config.services.hydra.package
      pkgs.netcat
    ];
    script = ''
      set -e
      while IFS=';' read -r user role passwordhash email fullname; do
        opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")
        if [[ -n "$email" ]]; then
          opts+=("--email-address" "$email")
        fi
        if [[ -n "$fullname" ]]; then
          opts+=("--full-name" "$fullname")
        fi
        hydra-create-user "''${opts[@]}"
      done < ${config.sops.secrets.hydra-users.path}

      while ! nc -z localhost ${toString config.services.hydra.port}; do
        sleep 1
      done

      export HYDRA_ADMIN_PASSWORD=$(cat ${config.sops.secrets.hydra-admin-password.path})
      export URL=http://localhost:${toString config.services.hydra.port}
    '';
  };
}
refactor CI and remote builders 2024-11-21 13:36:17 +10:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`let`
			`inherit (lib) concatStringsSep;`
			`localSystems = [`
			`"builtin"`
			`config.nixpkgs.hostPlatform.system`
			`] ++ config.nix.settings.extra-platforms;`
			`in`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`{`
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`sops.secrets.hydra-admin-password.owner = "hydra";`
			`sops.secrets.hydra-users.owner = "hydra";`
migrate to sops-nix 2021-09-25 22:35:51 +02:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`# hydra-queue-runner needs to read this key for remote building`
			`sops.secrets.id_buildfarm.owner = "hydra-queue-runner";`
Revert "modules/nixos/hydra: remove secret" This reverts commit 78a1f03f2eb96da4386ceef282c565098190f187. 2024-07-05 18:31:16 +10:00
refactor CI and remote builders 2024-11-21 13:36:17 +10:00			`nix.settings.keep-outputs = lib.mkForce false;`
modules/nixos/hydra: disable nix.settings.keep-outputs 2024-07-31 12:33:04 +10:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`nix.settings.allowed-uris = [`
			`"git+https:"`
			`"github:"`
			`"gitlab:"`
			`"https:"`
			`"sourcehut:"`
			`];`
switch back to post-build-hook to push to hydra hydra-notify seems to be single threaded and slow. `post-build-hook` hopefully is executed in parallel. 2022-08-14 15:31:50 +02:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`sops.secrets.id_buildfarm = { };`
Revert "modules/nixos/hydra: remove secret" This reverts commit 78a1f03f2eb96da4386ceef282c565098190f187. 2024-07-05 18:31:16 +10:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`# delete build logs older than 30 days`
			`systemd.services.hydra-delete-old-logs = {`
			`startAt = "Sun 05:45";`
			`serviceConfig.ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";`
			`};`
hydra: delete old logs periodically 2023-03-21 06:40:06 +01:00
modules/nixos/hydra: disable services 2024-11-18 11:01:54 +10:00			`# not currently needed`
			`systemd.services = {`
			`hydra-check-space.enable = false;`
			`hydra-send-stats.enable = false;`
			`};`

modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`services.hydra = {`
			`enable = true;`
			`# remote builders set in /etc/nix/machines + localhost`
			`buildMachinesFiles = [`
			`(pkgs.runCommand "etc-nix-machines" { machines = config.environment.etc."nix/machines".text; } ''`
modules/nixos/hydra: add darwin builder 2024-10-17 08:47:32 +10:00			`printf "$machines" > $out`
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`substituteInPlace $out --replace-fail 'ssh-ng://' 'ssh://'`
modules/nixos/hydra: increase max-jobs to 3 2024-11-17 11:20:58 +10:00			`substituteInPlace $out --replace-fail ' 80 ' ' 3 '`
modules/nixos/hydra: add darwin builder 2024-10-17 08:47:32 +10:00			`substituteInPlace $out --replace-fail ' 8 ' ' 1 '`
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`'')`
hydra: switch to buildMachinesFiles (#303) 2022-10-30 06:38:47 +10:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`(pkgs.writeText "local" ''`
refactor CI and remote builders 2024-11-21 13:36:17 +10:00			`localhost ${concatStringsSep "," localSystems} - 3 1 ${concatStringsSep "," config.nix.settings.system-features} - -`
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`'')`
			`];`
			`hydraURL = "https://hydra.nix-community.org";`
			`notificationSender = "hydra@hydra.nix-community.org";`
			`port = 3000;`
			`useSubstitutes = true;`
			`extraConfig = ''`
			`evaluator_max_memory_size = 4096`
			`evaluator_workers = 8`
			`max_concurrent_evals = 2`
			`max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}`
			`'';`
			`};`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`services.nginx.virtualHosts."hydra.nix-community.org" = {`
			`locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";`
			`};`
move hydra to build03 2021-04-21 23:23:08 +02:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`# Create user accounts`
			`# format: user;role;password-hash;email-address;full-name`
			`# Password hash is computed by applying sha1 to the password.`
			`systemd.services.hydra-post-init = {`
			`serviceConfig = {`
			`Type = "oneshot";`
			`TimeoutStartSec = "60";`
			`};`
use systemd unit name attribute 2024-11-09 21:49:54 +10:00			`wantedBy = [ config.systemd.targets.multi-user.name ];`
			`after = [ config.systemd.services.hydra-server.name ];`
			`requires = [ config.systemd.services.hydra-server.name ];`
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`environment = {`
			`inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;`
			`};`
			`path = [`
			`config.services.hydra.package`
			`pkgs.netcat`
			`];`
			`script = ''`
			`set -e`
			`while IFS=';' read -r user role passwordhash email fullname; do`
			`opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")`
			`if [[ -n "$email" ]]; then`
			`opts+=("--email-address" "$email")`
			`fi`
			`if [[ -n "$fullname" ]]; then`
			`opts+=("--full-name" "$fullname")`
			`fi`
			`hydra-create-user "''${opts[@]}"`
			`done < ${config.sops.secrets.hydra-users.path}`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`while ! nc -z localhost ${toString config.services.hydra.port}; do`
			`sleep 1`
			`done`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
modules/nixos/hydra: refactor 2024-10-27 13:41:54 +10:00			`export HYDRA_ADMIN_PASSWORD=$(cat ${config.sops.secrets.hydra-admin-password.path})`
			`export URL=http://localhost:${toString config.services.hydra.port}`
			`'';`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00			`};`
			`}`
No results found.