Merge pull request #20 from nix-community/hydra-20.03

Hydra + 20.03 upgrade

.github/workflows/nix.yml

@@ -7,9 +7,8 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: cachix/install-nix-action@v8
-    - uses: cachix/cachix-action@v5
+    - uses: numtide/cachix-action@only-cache
       with:
         name: nix-community
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        # Only needed for private caches
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: nix-build

build01/buildkite.nix

@@ -1,17 +1,9 @@
 { pkgs, ... }:
 
 {
-  services.buildkite-agent = {
+  services.buildkite-agents.ci = {
     enable = true;
     tokenPath = "/run/keys/buildkite-token";
-    openssh.privateKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
-    openssh.publicKeyPath = builtins.toPath "/run/keys/buildkite-agent-key.pub";
-
-    runtimePackages = [
-      pkgs.gnutar
-      pkgs.bash
-      pkgs.nix
-      pkgs.gzip
-    ];
+    privateSshKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
   };
 }

build01/configuration.nix

@@ -11,6 +11,7 @@ in
     ./buildkite.nix
     ./gitlab.nix
     ./hydra.nix
+    ./hydra-declarative-projects.nix
     ./cache.nix
     ./nixpkgs-update.nix
 
@@ -50,6 +51,9 @@ in
   boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.supportedFilesystems = [ "zfs" ];
 
-  system.stateVersion = "19.09";
+  security.acme.email = "trash@nix-community.org";
+  security.acme.acceptTerms = true;
+
+  system.stateVersion = "20.03";
 
 }

build01/hydra-declarative-projects.nix

@@ -0,0 +1,13 @@
+{ lib, pkgs, config, ... }:
+
+{
+  services.hydra.declarativeProjects = {
+    emacs-overlay = {
+      displayName = "Emacs Overlay";
+      inputValue = "https://github.com/nix-community/emacs-overlay";
+      specFile = "hydra/spec.json";
+      description = "Bleeding edge emacs overlay";
+      homepage = "https://github.com/nix-community/emacs-overlay";
+    };
+  };
+}

build01/hydra.nix

@@ -7,7 +7,7 @@ let
 
   hydraPort = 3000;
   hydraAdmin = "admin";
-  hydraAdminPasswordFile = "/var/keys/hydra-admin-password";
+  hydraAdminPasswordFile = "/run/keys/hydra-admin-password";
 
   createDeclarativeProjectScript = pkgs.stdenv.mkDerivation {
     name = "create-declarative-project";
@@ -84,7 +84,7 @@ in {
     services.nginx = {
       enable = true;
       virtualHosts = {
-        "hydra.nix-community.com" = {
+        "hydra.nix-community.org" = {
           forceSSL = true;
           enableACME = true;
           locations."/" = {
@@ -138,7 +138,7 @@ in {
       environment = {
         inherit (cfg.systemd.services.hydra-init.environment) HYDRA_DBI;
       };
-      path = with pkgs; [ hydra netcat ];
+      path = with pkgs; [ hydra-unstable netcat ];
       script = ''
         set -e
         export HYDRA_ADMIN_PASSWORD=$(cat ${cfg.services.hydra.adminPasswordFile})

default.nix

@@ -8,7 +8,7 @@ let
       inherit configuration system;
     };
 in
-  pkgs.nix-community-infra // rec {
-    build01 = importNixOS ./build01/configuration.nix "x86_64-linux";
-    build01-system = build01.system;
-  }
+pkgs.nix-community-infra // rec {
+  build01 = importNixOS ./build01/configuration.nix "x86_64-linux";
+  build01-system = build01.system;
+}

deployment.nix

@@ -1,7 +1,5 @@
 let
-
-  secrets = import ./secrets;
-
+  secrets = import ./secrets.nix;
 in
 {
 
@@ -18,19 +16,19 @@ in
 
         deployment.keys.buildkite-token = {
           text = secrets.buildkite-token;
-          user = "buildkite-agent";
+          user = "buildkite-agent-ci";
           permissions = "0600";
         };
 
         deployment.keys.buildkite-agent-key = {
           text = secrets.buildkite-agent-key;
-          user = "buildkite-agent";
+          user = "buildkite-agent-ci";
           permissions = "0600";
         };
 
         deployment.keys."buildkite-agent-key.pub" = {
           text = secrets."buildkite-agent-key.pub";
-          user = "buildkite-agent";
+          user = "buildkite-agent-ci";
           permissions = "0600";
         };
 
@@ -81,7 +79,7 @@ in
 
         deployment.keys.github-nixpkgs-swh-key = {
           text = secrets.github-nixpkgs-swh-key;
-          user = "buildkite-agent";
+          user = "buildkite-agent-ci";
           permissions = "0400";
         };
 

nix/sources.json

@@ -5,10 +5,10 @@
         "homepage": "https://github.com/NixOS/nixpkgs",
         "owner": "NixOS",
         "repo": "nixpkgs-channels",
-        "rev": "aa561c6fb4f48974639a9e2b76fdd3e15b2abfd4",
-        "sha256": "15p0lbf227l26mvvpqi62nry3h0b249hig9fgpnsl6a3rlp6bj2v",
+        "rev": "b61999e4ad60c351b4da63ae3ff43aae3c0bbdfb",
+        "sha256": "0cggpdks4qscyirqwfprgdl91mlhjlw24wkg0riapk5f2g2llbpq",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs-channels/archive/aa561c6fb4f48974639a9e2b76fdd3e15b2abfd4.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs-channels/archive/b61999e4ad60c351b4da63ae3ff43aae3c0bbdfb.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs-update": {

secrets.nix

@@ -0,0 +1,23 @@
+with builtins;
+let
+  # Copied from <nixpkgs/lib>
+  removeSuffix = suffix: str:
+    let
+      sufLen = stringLength suffix;
+      sLen = stringLength str;
+    in
+    if
+      sufLen <= sLen && suffix == substring (sLen - sufLen) sufLen str
+    then
+      substring 0 (sLen - sufLen) str
+    else
+      str;
+
+  # Copied from <nixpkgs/lib>
+  fileContents = file: removeSuffix "\n" (builtins.readFile file);
+
+  readSecret = name: fileContents (./secrets + "/${name}");
+in
+mapAttrs
+  (name: type: if type != "directory" then readSecret name else null)
+  (readDir ./secrets)