infra/services/hydra/default.nix

{ hydra }: { lib, pkgs, config, ... }:
with lib; let
  cfg = config;

  hydraPort = 3000;

  upload-to-cachix = pkgs.writeScriptBin "upload-to-cachix" ''
    #!/bin/sh
    set -eu
    set -f # disable globbing

    # skip push if the declarative job spec
    OUT_END=$(echo ''${OUT_PATHS: -10})
    if [ "$OUT_END" == "-spec.json" ]; then
      exit 0
    fi

    export HOME=/root
    exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1
  '';
in {
  options.services.hydra = {
    adminPasswordFile = mkOption {
      type = types.str;
      description = "The initial password for the Hydra admin account";
    };

    usersFile = mkOption {
      type = types.str;
      description = ''
        declarative user accounts for hydra.
        format: user;role;password-hash;email-address;full-name
        Password hash is computed by applying sha1 to the password.
      '';
    };
  };

  config = {
    sops.secrets.hydra-admin-password.owner = "hydra";
    sops.secrets.hydra-users.owner = "hydra";

    # hydra-queue-runner needs to read this key for remote building
    sops.secrets.id_buildfarm.owner = "hydra-queue-runner";

    nix.extraOptions = ''
      builders-use-substitutes = true
      allowed-uris = https://github.com/nix-community/ https://github.com/NixOS/
      post-build-hook = ${upload-to-cachix}/bin/upload-to-cachix
    '';

    nixpkgs.config = {
      whitelistedLicenses = with lib.licenses; [
        unfreeRedistributable
        issl
      ];
      allowUnfreePredicate = pkg:
        builtins.elem (lib.getName pkg) [
          "cudnn_cudatoolkit"
          "cudatoolkit"
        ];
    };

    services.hydra.package = hydra.packages.${pkgs.system}.default.overrideAttrs (old: {
      # FIXME: somehow tests are only broken when we build on our builder...
      doCheck = false;
    });

    sops.secrets.nix-community-cachix.sopsFile = ../../roles/nix-community-cache.yaml;
    sops.secrets.id_buildfarm = {};

    services.hydra = {
      enable = true;
      hydraURL = "https://hydra.nix-community.org";
      notificationSender = "hydra@hydra.nix-community.org";
      port = hydraPort;
      useSubstitutes = true;
      adminPasswordFile = config.sops.secrets.hydra-admin-password.path;
      usersFile = config.sops.secrets.hydra-users.path;
      extraConfig = ''
        max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}
      '';
    };

    nix = {
      distributedBuilds = true;
      buildMachines = [
        {
          hostName = "localhost";
          systems = ["x86_64-linux" "builtin"];
          maxJobs = 8;
          supportedFeatures = ["nixos-test" "big-parallel" "kvm"];
        }
      ];
    };

    services.postgresql = {
      enable = true;
      ensureDatabases = ["hydra"];
      settings = {
        max_connections = "300";
        effective_cache_size = "4GB";
        shared_buffers = "4GB";
      };
    };

    services.nginx.virtualHosts = {
      "hydra.nix-community.org" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://localhost:${toString (config.services.hydra.port)}";
      };
    };

    # Create a admin user and configure a declarative project
    systemd.services.hydra-post-init = {
      serviceConfig = {
        Type = "oneshot";
        TimeoutStartSec = "60";
      };
      wantedBy = ["multi-user.target"];
      after = ["hydra-server.service"];
      requires = ["hydra-server.service"];
      environment = {
        inherit (cfg.systemd.services.hydra-init.environment) HYDRA_DBI;
      };
      path = with pkgs; [config.services.hydra.package netcat];
      script = ''
        set -e
        while IFS=';' read -r user role passwordhash email fullname; do
          opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")
          if [[ -n "$email" ]]; then
            opts+=("--email-address" "$email")
          fi
          if [[ -n "$fullname" ]]; then
            opts+=("--full-name" "$fullname")
          fi
          hydra-create-user "''${opts[@]}"
        done < ${cfg.services.hydra.usersFile}

        while ! nc -z localhost ${toString hydraPort}; do
          sleep 1
        done

        export HYDRA_ADMIN_PASSWORD=$(cat ${cfg.services.hydra.adminPasswordFile})
        export URL=http://localhost:${toString hydraPort}
      '';
    };
  };
}
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`{ hydra }: { lib, pkgs, config, ... }:`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`with lib; let`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`cfg = config;`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`hydraPort = 3000;`
switch back to post-build-hook to push to hydra hydra-notify seems to be single threaded and slow. `post-build-hook` hopefully is executed in parallel. 2022-08-14 15:31:50 +02:00
			`upload-to-cachix = pkgs.writeScriptBin "upload-to-cachix" ''`
			`#!/bin/sh`
			`set -eu`
			`set -f # disable globbing`

			`# skip push if the declarative job spec`
			`OUT_END=$(echo ''${OUT_PATHS: -10})`
			`if [ "$OUT_END" == "-spec.json" ]; then`
			`exit 0`
			`fi`

			`export HOME=/root`
			`exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1`
			`'';`
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`in {`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`options.services.hydra = {`
			`adminPasswordFile = mkOption {`
			`type = types.str;`
			`description = "The initial password for the Hydra admin account";`
			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
declarative hydra users 2021-03-06 18:03:01 +01:00			`usersFile = mkOption {`
			`type = types.str;`
			`description = ''`
			`declarative user accounts for hydra.`
			`format: user;role;password-hash;email-address;full-name`
			`Password hash is computed by applying sha1 to the password.`
			`'';`
			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00			`};`
hydra: fix remote build 2022-09-29 19:50:43 +02:00
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`config = {`
fix module evaluation 2021-09-29 19:50:50 +02:00			`sops.secrets.hydra-admin-password.owner = "hydra";`
			`sops.secrets.hydra-users.owner = "hydra";`
migrate to sops-nix 2021-09-25 22:35:51 +02:00
hydra: allow to read ssh remote builder key 2022-08-14 17:23:05 +02:00			`# hydra-queue-runner needs to read this key for remote building`
			`sops.secrets.id_buildfarm.owner = "hydra-queue-runner";`

switch back to post-build-hook to push to hydra hydra-notify seems to be single threaded and slow. `post-build-hook` hopefully is executed in parallel. 2022-08-14 15:31:50 +02:00			`nix.extraOptions = ''`
			`builders-use-substitutes = true`
			`allowed-uris = https://github.com/nix-community/ https://github.com/NixOS/`
			`post-build-hook = ${upload-to-cachix}/bin/upload-to-cachix`
			`'';`

build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`nixpkgs.config = {`
			`whitelistedLicenses = with lib.licenses; [`
			`unfreeRedistributable`
			`issl`
			`];`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`allowUnfreePredicate = pkg:`
			`builtins.elem (lib.getName pkg) [`
			`"cudnn_cudatoolkit"`
			`"cudatoolkit"`
			`];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`};`

fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`services.hydra.package = hydra.packages.${pkgs.system}.default.overrideAttrs (old: {`
			`# FIXME: somehow tests are only broken when we build on our builder...`
			`doCheck = false;`
			`});`
switch to flake 2022-04-10 20:57:52 +02:00
switch back to post-build-hook to push to hydra hydra-notify seems to be single threaded and slow. `post-build-hook` hopefully is executed in parallel. 2022-08-14 15:31:50 +02:00			`sops.secrets.nix-community-cachix.sopsFile = ../../roles/nix-community-cache.yaml;`
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`sops.secrets.id_buildfarm = {};`
enable aarch64 builder in hydra fixes https://github.com/nix-community/infra/issues/220 2022-08-13 14:34:38 +02:00
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`services.hydra = {`
			`enable = true;`
hydra: defaults to https urls 2021-03-06 13:59:44 +01:00			`hydraURL = "https://hydra.nix-community.org";`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`notificationSender = "hydra@hydra.nix-community.org";`
			`port = hydraPort;`
			`useSubstitutes = true;`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`adminPasswordFile = config.sops.secrets.hydra-admin-password.path;`
			`usersFile = config.sops.secrets.hydra-users.path;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`extraConfig = ''`
			`max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}`
			`'';`
			`};`

run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`nix = {`
			`distributedBuilds = true;`
			`buildMachines = [`
			`{`
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`hostName = "localhost";`
			`systems = ["x86_64-linux" "builtin"];`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`maxJobs = 8;`
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`supportedFeatures = ["nixos-test" "big-parallel" "kvm"];`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`}`
			`];`
			`};`

hydra: increase Postgresql cache size 2020-10-21 19:15:05 +02:00			`services.postgresql = {`
			`enable = true;`
hydra: fix remote build 2022-09-29 19:50:43 +02:00			`ensureDatabases = ["hydra"];`
niv update (#46) * remove vpsadmin We're not using this at the moment * niv update 2021-01-03 00:53:49 +00:00			`settings = {`
hydra: fix remote build 2022-09-29 19:50:43 +02:00			`max_connections = "300";`
niv update (#46) * remove vpsadmin We're not using this at the moment * niv update 2021-01-03 00:53:49 +00:00			`effective_cache_size = "4GB";`
			`shared_buffers = "4GB";`
			`};`
hydra: increase Postgresql cache size 2020-10-21 19:15:05 +02:00			`};`

move hydra to build03 2021-04-21 23:23:08 +02:00			`services.nginx.virtualHosts = {`
			`"hydra.nix-community.org" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/".proxyPass = "http://localhost:${toString (config.services.hydra.port)}";`
			`};`
			`};`

build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`# Create a admin user and configure a declarative project`
declarative hydra users 2021-03-06 18:03:01 +01:00			`systemd.services.hydra-post-init = {`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`serviceConfig = {`
			`Type = "oneshot";`
			`TimeoutStartSec = "60";`
			`};`
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`wantedBy = ["multi-user.target"];`
			`after = ["hydra-server.service"];`
			`requires = ["hydra-server.service"];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`environment = {`
			`inherit (cfg.systemd.services.hydra-init.environment) HYDRA_DBI;`
			`};`
fix hydra instead of using local builder via ssh 2022-09-29 21:11:42 +02:00			`path = with pkgs; [config.services.hydra.package netcat];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`script = ''`
			`set -e`
hydra: declarative users fixups 2021-03-06 20:36:42 +01:00			`while IFS=';' read -r user role passwordhash email fullname; do`
declarative hydra users 2021-03-06 18:03:01 +01:00			`opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")`
			`if [[ -n "$email" ]]; then`
			`opts+=("--email-address" "$email")`
			`fi`
			`if [[ -n "$fullname" ]]; then`
			`opts+=("--full-name" "$fullname")`
			`fi`
hydra: declarative users fixups 2021-03-06 20:36:42 +01:00			`hydra-create-user "''${opts[@]}"`
declarative hydra users 2021-03-06 18:03:01 +01:00			`done < ${cfg.services.hydra.usersFile}`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00
			`while ! nc -z localhost ${toString hydraPort}; do`
			`sleep 1`
			`done`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
declarative hydra users 2021-03-06 18:03:01 +01:00			`export HYDRA_ADMIN_PASSWORD=$(cat ${cfg.services.hydra.adminPasswordFile})`
			`export URL=http://localhost:${toString hydraPort}`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`'';`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00			`};`
			`}`
No results found.