Added private s3 binary cache

2024-03-10 14:28:44 -07:00 · 2024-03-10 14:28:44 -07:00 · 4bd2c41976
commit 4bd2c41976
parent 9480e24301
7 changed files with 157 additions and 0 deletions
--- a/modules/nixos/services/hydra/default.nix
+++ b/modules/nixos/services/hydra/default.nix
@ -25,9 +25,44 @@ in {
        certificate.
      '';
    };
+
+    secretKeyPath = mkOption {
+      type = str;
+      description = ''
+        The secret key used to sign builds uploaded to s3.
+      '';
+    };
+
+    s3Bucket = mkOption {
+      type = str;
+      description = ''
+        The s3 bucket name where build artifacts will be uploaded.
+      '';
+    };
+
+    s3Scheme = mkOption {
+      type = str;
+      default = "https";
+      description = ''
+        The scheme to use when connecting to s3.
+      '';
+    };
+
+    s3Endpoint = mkOption {
+      type = str;
+      description = ''
+        The s3 server endpoint.
+
+        Should use `amazonaws.com` if using amazon AWS.
+      '';
+    };
  };

  config = mkIf cfg.enable {
+    age.secrets = {
+      hydra-aws-creds.file = ../../../../secrets/hydra-aws-creds.age;
+    };
+
    # NOTE: Need to create user to allow web configuration
    # sudo -u hydra hydra-create-user alice \
    #   --full-name 'Alice Q. User' \
@ -41,6 +76,13 @@ in {
      notificationSender = "hydra@localhost";
      buildMachinesFiles = [];
      useSubstitutes = true;
+      extraConfig = ''
+        store_uri = s3://${cfg.s3Bucket}?compression=zstd&parallel-compression=true&write-nar-listing=1&ls-compression=br&log-compression=br&scheme=${cfg.s3Scheme}&endpoint=${cfg.s3Endpoint}&secret-key=${cfg.secretKeyPath}
+      '';
+    };
+
+    systemd.services."hydra-queue-runner".serviceConfig = {
+      EnvironmentFile = config.age.secrets.hydra-aws-creds.path;
    };

    services.nginx = {