alejandro-angulo/dotfiles
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
dotfiles/modules/nixos/services/hydra/default.nix

110 lines
2.7 KiB
Nix
Raw Blame History

{
config,
lib,
namespace,
...
}: let
cfg = config.${namespace}.services.hydra;
in {
options.${namespace}.services.hydra = with lib; {
enable = mkEnableOption "hydra";
hostname = mkOption {
type = types.str;
default = "hydra.kilonull.com";
description = ''
The hostname for the hydra instance
'';
};
acmeCertName = mkOption {
type = types.str;
default = "";
description = ''
If set to a non-empty string, forces SSL with the supplied acme
certificate.
'';
};
secretKeyPath = mkOption {
type = types.str;
description = ''
The secret key used to sign builds uploaded to s3.
'';
};
s3Bucket = mkOption {
type = types.str;
description = ''
The s3 bucket name where build artifacts will be uploaded.
'';
};
s3Scheme = mkOption {
type = types.str;
default = "https";
description = ''
The scheme to use when connecting to s3.
'';
};
s3Endpoint = mkOption {
type = types.str;
description = ''
The s3 server endpoint.
Should use `amazonaws.com` if using amazon AWS.
'';
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
hydra-aws-creds.file = ../../../../secrets/hydra-aws-creds.age;
};
# NOTE: Need to create user to allow web configuration
# sudo -u hydra hydra-create-user alice \
# --full-name 'Alice Q. User' \
# --email-address 'alice@example.org' \
# --password-prompt \
# --role admin
services.hydra = {
enable = true;
hydraURL = "https://${cfg.hostname}";
notificationSender = "hydra@localhost";
buildMachinesFiles = [];
useSubstitutes = true;
extraConfig = ''
store_uri = s3://${cfg.s3Bucket}?compression=zstd&parallel-compression=true&write-nar-listing=1&ls-compression=br&log-compression=br&scheme=${cfg.s3Scheme}&endpoint=${cfg.s3Endpoint}&secret-key=${cfg.secretKeyPath}
'';
};
systemd.services."hydra-queue-runner".serviceConfig = {
EnvironmentFile = config.age.secrets.hydra-aws-creds.path;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."hydra.kilonull.com" =
{
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
};
}
// lib.optionalAttrs (cfg.acmeCertName != "") {
forceSSL = true;
useACMEHost = cfg.acmeCertName;
};
};
nix.settings = {
allowed-users = [
"hydra"
"hydra-www"
];
allowed-uris = ["github:" "https://github.com/" "https://gitea.kilonull.com/"];
};
};
}
Reference in a new issue View git blame Copy permalink