infra/modules/nixos/hydra.nix

{ pkgs, config, ... }:
{
  config = {
    sops.secrets.hydra-admin-password.owner = "hydra";
    sops.secrets.hydra-users.owner = "hydra";

    nix.settings.allowed-uris = [
      "https://github.com/nix-community/"
      "https://github.com/NixOS/"
    ];

    # delete build logs older than 30 days
    systemd.services.hydra-delete-old-logs = {
      startAt = "Sun 05:45";
      serviceConfig.ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";
    };

    services.hydra = {
      enable = true;
      # remote builders set in /etc/nix/machines + localhost
      buildMachinesFiles = [
        (pkgs.runCommand "etc-nix-machines"
          {
            machines = config.environment.etc."nix/machines".text;
          } ''
          printf "$machines" > $out
          substituteInPlace $out --replace 'ssh-ng://' 'ssh://'
        '')

        (pkgs.writeText "local" ''
          localhost x86_64-linux,builtin - 8 1 nixos-test,big-parallel,kvm - -
        '')
      ];
      hydraURL = "https://hydra.nix-community.org";
      notificationSender = "hydra@hydra.nix-community.org";
      port = 3000;
      useSubstitutes = true;
      extraConfig = ''
        max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}
      '';
    };

    services.nginx.virtualHosts = {
      "hydra.nix-community.org" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
      };
    };

    # Create user accounts
    # format: user;role;password-hash;email-address;full-name
    # Password hash is computed by applying sha1 to the password.
    systemd.services.hydra-post-init = {
      serviceConfig = {
        Type = "oneshot";
        TimeoutStartSec = "60";
      };
      wantedBy = [ "multi-user.target" ];
      after = [ "hydra-server.service" ];
      requires = [ "hydra-server.service" ];
      environment = {
        inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
      };
      path = [ config.services.hydra.package pkgs.netcat ];
      script = ''
        set -e
        while IFS=';' read -r user role passwordhash email fullname; do
          opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")
          if [[ -n "$email" ]]; then
            opts+=("--email-address" "$email")
          fi
          if [[ -n "$fullname" ]]; then
            opts+=("--full-name" "$fullname")
          fi
          hydra-create-user "''${opts[@]}"
        done < ${config.sops.secrets.hydra-users.path}

        while ! nc -z localhost ${toString config.services.hydra.port}; do
          sleep 1
        done

        export HYDRA_ADMIN_PASSWORD=$(cat ${config.sops.secrets.hydra-admin-password.path})
        export URL=http://localhost:${toString config.services.hydra.port}
      '';
    };
  };
}
modules/nixos/hydra: drop options 2023-12-07 09:53:36 +10:00			`{ pkgs, config, ... }:`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`{`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`config = {`
fix module evaluation 2021-09-29 19:50:50 +02:00			`sops.secrets.hydra-admin-password.owner = "hydra";`
			`sops.secrets.hydra-users.owner = "hydra";`
migrate to sops-nix 2021-09-25 22:35:51 +02:00
services/hydra: switch to nix.setttings and remove redundant builders-use-substitutes 2023-04-12 12:35:41 +10:00			`nix.settings.allowed-uris = [`
			`"https://github.com/nix-community/"`
			`"https://github.com/NixOS/"`
			`];`
switch back to post-build-hook to push to hydra hydra-notify seems to be single threaded and slow. `post-build-hook` hopefully is executed in parallel. 2022-08-14 15:31:50 +02:00
hydra: delete old logs periodically 2023-03-21 06:40:06 +01:00			`# delete build logs older than 30 days`
			`systemd.services.hydra-delete-old-logs = {`
			`startAt = "Sun 05:45";`
			`serviceConfig.ExecStart = "${pkgs.findutils}/bin/find /var/lib/hydra/build-logs -type f -mtime +30 -delete";`
			`};`

build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`services.hydra = {`
			`enable = true;`
hydra: switch to buildMachinesFiles (#303) 2022-10-30 06:38:47 +10:00			`# remote builders set in /etc/nix/machines + localhost`
			`buildMachinesFiles = [`
modules/nixos/hydra: copy /etc/nix/machines, use ssh 2024-01-07 12:44:01 +10:00			`(pkgs.runCommand "etc-nix-machines"`
			`{`
			`machines = config.environment.etc."nix/machines".text;`
			`} ''`
			`printf "$machines" > $out`
			`substituteInPlace $out --replace 'ssh-ng://' 'ssh://'`
			`'')`
hydra: switch to buildMachinesFiles (#303) 2022-10-30 06:38:47 +10:00
			`(pkgs.writeText "local" ''`
			`localhost x86_64-linux,builtin - 8 1 nixos-test,big-parallel,kvm - -`
			`'')`
			`];`
hydra: defaults to https urls 2021-03-06 13:59:44 +01:00			`hydraURL = "https://hydra.nix-community.org";`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`notificationSender = "hydra@hydra.nix-community.org";`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`port = 3000;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`useSubstitutes = true;`
			`extraConfig = ''`
			`max_output_size = ${builtins.toString (8 * 1024 * 1024 * 1024)}`
			`'';`
			`};`

move hydra to build03 2021-04-21 23:23:08 +02:00			`services.nginx.virtualHosts = {`
			`"hydra.nix-community.org" = {`
			`forceSSL = true;`
			`enableACME = true;`
apply statix simplication 2023-01-01 15:30:41 +01:00			`locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";`
move hydra to build03 2021-04-21 23:23:08 +02:00			`};`
			`};`

modules/nixos/hydra: drop options 2023-12-07 09:53:36 +10:00			`# Create user accounts`
			`# format: user;role;password-hash;email-address;full-name`
			`# Password hash is computed by applying sha1 to the password.`
declarative hydra users 2021-03-06 18:03:01 +01:00			`systemd.services.hydra-post-init = {`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`serviceConfig = {`
			`Type = "oneshot";`
			`TimeoutStartSec = "60";`
			`};`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`wantedBy = [ "multi-user.target" ];`
			`after = [ "hydra-server.service" ];`
			`requires = [ "hydra-server.service" ];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`environment = {`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`};`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`path = [ config.services.hydra.package pkgs.netcat ];`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`script = ''`
			`set -e`
hydra: declarative users fixups 2021-03-06 20:36:42 +01:00			`while IFS=';' read -r user role passwordhash email fullname; do`
declarative hydra users 2021-03-06 18:03:01 +01:00			`opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")`
			`if [[ -n "$email" ]]; then`
			`opts+=("--email-address" "$email")`
			`fi`
			`if [[ -n "$fullname" ]]; then`
			`opts+=("--full-name" "$fullname")`
			`fi`
hydra: declarative users fixups 2021-03-06 20:36:42 +01:00			`hydra-create-user "''${opts[@]}"`
modules/nixos/hydra: drop options 2023-12-07 09:53:36 +10:00			`done < ${config.sops.secrets.hydra-users.path}`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`while ! nc -z localhost ${toString config.services.hydra.port}; do`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`sleep 1`
			`done`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00
modules/nixos/hydra: drop options 2023-12-07 09:53:36 +10:00			`export HYDRA_ADMIN_PASSWORD=$(cat ${config.sops.secrets.hydra-admin-password.path})`
services/hydra: refactor 2023-04-14 12:56:31 +10:00			`export URL=http://localhost:${toString config.services.hydra.port}`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`'';`
build01: deploy Hydra with declarative projects (#17) Declarative projects can be added to Hydra through a PR (nobody needs to use the admin account to provision them). 2020-04-17 22:12:42 +02:00			`};`
hydra.nix-community.com is up! 2020-01-12 21:15:32 +01:00			`};`
			`}`
No results found.