diff --git a/hosts/VEGAS/services/hydra/default.nix b/hosts/VEGAS/services/hydra/default.nix
new file mode 100644
index 0000000..7678e73
--- /dev/null
+++ b/hosts/VEGAS/services/hydra/default.nix
@@ -0,0 +1,83 @@
+{ pkgs, lib, config, tools, ... }:
+let
+ inherit (tools.meta) domain;
+in
+{
+ age.secrets = {
+ hydraS3 = {
+ file = ../../../../secrets/hydra-s3.age;
+ group = "hydra";
+ mode = "0440";
+ };
+ hydra-bincache-key = {
+ file = ../../../../secrets/hydra-bincache.age;
+ group = "hydra";
+ mode = "0440";
+ };
+ hydra-builder-key = {
+ file = ../../../../secrets/hydra-builder-key.age;
+ group = "hydra";
+ mode = "0440";
+ };
+ } // lib.mapAttrs' (k: v: lib.nameValuePair "hydra-database-credentials-for-${k}" v)
+ (lib.genAttrs [ "hydra-queue-runner" "hydra-www" "hydra" ]
+ (x:
+ {
+ file = ../../../../secrets/hydra-db-credentials.age;
+ group = "hydra";
+ owner = x;
+ mode = "0400";
+ }
+ )
+ );
+
+ reservePortsFor = [ "hydra" ];
+
+ services.nginx.virtualHosts."hydra.${domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.hydra}";
+
+ services.oauth2_proxy.nginx.virtualHosts = [ "hydra.${domain}" ];
+
+ services.hydra = {
+ enable = true;
+ dbi = "dbi:Pg:dbname=hydra;host=127.0.0.1;user=hydra;";
+ hydraURL = "https://hydra.${domain}";
+ port = config.ports.hydra;
+ notificationSender = "hydra@${domain}";
+ buildMachinesFiles = [ "/etc/nix/hydra-machines" ];
+ useSubstitutes = true;
+ extraConfig = ''
+ store_uri = s3://nix-store?scheme=https&endpoint=object-storage.${domain}&secret-key=${config.age.secrets.hydra-bincache-key.path}
+ server_store_uri = https://cache.${domain}
+ '';
+ extraEnv = {
+ AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hydraS3.path;
+ PGPASSFILE = config.age.secrets."hydra-database-credentials-for-hydra".path;
+ };
+ };
+
+ # override weird hydra module stuff
+
+ systemd.services = {
+ hydra-send-stats = lib.mkForce {};
+ } // lib.genAttrs [ "hydra-notify" "hydra-queue-runner" "hydra-server" ]
+ (x: let
+ name = if x == "hydra-server" then "hydra-www" else
+ if x == "hydra-notify" then "hydra-queue-runner" else x;
+ in {
+ environment = {
+ PGPASSFILE = lib.mkForce config.age.secrets."hydra-database-credentials-for-${name}".path;
+ };
+ }
+ );
+
+ nix.extraOptions = lib.mkForce ''
+ allowed-uris = https://git.${domain}
+ keep-outputs = true
+ keep-derivations = true
+ '';
+
+ programs.ssh.knownHosts.git = {
+ hostNames = [ "git.${domain}" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0rChVEO9Qt7hr7vyiyOP7N45CjaxssFCZNOPCszEQi";
+ };
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index b5fdfda..06b4e72 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -24,6 +24,7 @@
 # TODO: fix this one
 ./services/forum
 ./services/git
+ ./services/hydra
 ./services/hyprspace
 ./services/ipfs
 ./services/jokes
diff --git a/secrets/hydra-bincache.age b/secrets/hydra-bincache.age
new file mode 100644
index 0000000..8e3ec51
--- /dev/null
+++ b/secrets/hydra-bincache.age
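Review bot: `age.secrets.hydra-builder-key` is declared (group `hydra`, mode `0440`) but nothing in this module reads `config.age.secrets.hydra-builder-key.path`, and the `/etc/nix/hydra-machines` file named in `buildMachinesFiles` is not written here either, so the builder key lands on disk without a visible consumer unless another module wires it in. If that wiring exists elsewhere, a comment above the secret such as `# consumed by the remote-builder machines file (see <module name>)` would make the dependency visible; otherwise the secret should be dropped until it is used. Separately, `nix.extraOptions = lib.mkForce ''…''` discards every other module's `nix.extraOptions` definition on this host, not just this module's, so settings such as `experimental-features` set elsewhere would silently disappear; `lib.mkAfter` or a plain assignment would merge instead. The `allowed-uris` line is a sensible guard for Hydra evaluations and deserves a one-line comment stating that intent, e.g. `# restrict what evaluations may fetch; Hydra evaluates repository-controlled expressions`.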
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A vynPDZ/n0OZX4jP6jsMo3/pDeG/NESWJWjZorI1rHlY +l/IQr1YzAJYbxxbxodZj5kcWN3Hc/R+mjHoJqmV+k+c +-> ssh-ed25519 5/zT0w N5oKG8G0hwcy+HycLjY7c0W9POT0TEJvgtadpLmPNx4 +vwC8wKbrbXsv4kzpM5x6UqDm8BASDW8XkhlGb4ipPLY +-> ssh-ed25519 d3WGuA +ey3gnIvah3koWvYYtB9ExdAwZMAkG++ZGpiSvgz2HI +qdRoXNKAD+oAxve9HHLediZYJLi2vdUfAf+XpEOYk/g +-> 0a>-grease P0 Q?[H ~e=yXc$ ^f* +1qwFvyh1k2Co61fNx9+AWJc88ayznRmqnX7YaWPp+/ULiUEW3kcaRxiG260SNgNg +4kI3UIas3tTO912iFZpl +--- QsGqhfZUEjxeYpzIYVUK/gwyTRM6fIub6PCNB7NphMY +T>k3Oy_Ж"1o#Iڿo:{+;3S<fpY<'F=*EEG( 1 ҅ۆ4@}Ǘ՞_?m;ê ssh-ed25519 NO562A 8y69PgCxhGnJyWidqAWhMu5W6KmOyrPj6Yq6CH2zeXs -L+qJsxC0eJJZ6QkHk/mif/jSrlV135nYV36p8I2VABI --> ssh-ed25519 5/zT0w 4EzS5JYeSpxinLyP1dPDar2uN/HP+mZ1SpaFrO4Z9T8 -E3FWjk7Ma1+XYls0tZyVzt9rdeVC2Cxd7p0aXR8BMmY --> ssh-ed25519 8Ib2bg IU8rm12IoW6rjJvtKZQjPypE6//B8N+zT6aYOsGsagQ -V1gwYZ2mSmwwRGrQy+5Yi6X2jc7cuSb4i8ug78TgNNs --> 8?D(x;Zq-grease -eLVD9rsrAlXCtjq1xYeWksV+NrZJGLWIpVXOS/L5G6YoS5tmZfPIEpIJ75wylUSu -dCmo2xg ---- K4HxduHKm3NBmH/0fWai2n4O+6H7JF/4tkjc+2GQjtg -ͻ.>9$ZoӘC4R'ڏp20A^~BX=bJgmnR8{s,diE~Ϣp!{)>WB-Q nV A: \ No newline at end of file +-> ssh-ed25519 NO562A 2mzFHjK9i8fyL0zyjnybBhrxeLH16HvaLJISMYlFdlE +2++wa0Q68+V4fuNgEtDITWHBAntLCboQX1Wr8V4rfhY +-> ssh-ed25519 5/zT0w UlpYqYcgGoK+3Jh+32fRl1LalH6qQW9xBs2XJV330jw +MRwsma8NA/iIQHZY5RsN0+O/F+wgeSDzER1xplV53SI +-> ssh-ed25519 d3WGuA ZckbCouGX+ejfXAh6YlqvS3rAE+a2E5Dq51ipN5Rj1I +kjRzHB9f3Yxt6JmdyaY8v+tfSGYXhzK9gXpIKK+H8dI +-> 7\#Ai~>-grease iP +xLUdD+infWycRZXJlvvLFUc4u1gb/i8SUCVaKU3pPd0mwks3xySJ8AnbmBM4lrH5 +CTbMBrqJHE7EV6HSwyKezuKL++MvAyvbYIyRJZT6onS9zMKW8jlL +--- nMzQdRhiAuVZQGTi8JlgTq/sgJUmTvScDZh28n2yV4g +1+%i/(FX`ԋ^] 8}Yy x\lo(1$x Fv!zwe?a`MPP> 9_\ +L;(B%"f&6]d$1A \ No newline at end of file diff --git a/secrets/hydra-s3.age b/secrets/hydra-s3.age index 63c3ecb..b8438f7 100644 Binary files a/secrets/hydra-s3.age and b/secrets/hydra-s3.age differ 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7602101..abd8c05 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,8 +9,10 @@ in with hosts;
 "discourse-adminpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "discourse-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
- "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
+ "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
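Review bot: `hydra-builder-key.age` gets a recipient entry here, but no `secrets/hydra-builder-key.age` file is visible among the added files in this diff (the encrypted-file section above is partly unreadable, so it may be hidden there); if the file is absent, evaluating `age.secrets.hydra-builder-key` on VEGAS fails at `file = ../../../../secrets/hydra-builder-key.age`. Dropping `styx` from the `hydra-db-credentials.age` and `hydra-s3.age` recipient lists only takes effect once those files are re-encrypted to the new key set; the binary change to `hydra-s3.age` suggests that was done, and the same should be confirmed for `hydra-db-credentials.age`.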