VEGAS: reintroduce Hydra

hosts/VEGAS/services/hydra/default.nix

@@ -0,0 +1,83 @@
+{ pkgs, lib, config, tools, ... }:
+let
+  inherit (tools.meta) domain;
+in
+{
+  age.secrets = {
+    hydraS3 = {
+      file = ../../../../secrets/hydra-s3.age;
+      group = "hydra";
+      mode = "0440";
+    };
+    hydra-bincache-key = {
+      file = ../../../../secrets/hydra-bincache.age;
+      group = "hydra";
+      mode = "0440";
+    };
+    hydra-builder-key = {
+      file = ../../../../secrets/hydra-builder-key.age;
+      group = "hydra";
+      mode = "0440";
+    };
+  } // lib.mapAttrs' (k: v: lib.nameValuePair "hydra-database-credentials-for-${k}" v)
+  (lib.genAttrs [ "hydra-queue-runner" "hydra-www" "hydra" ]
+    (x:
+      {
+        file = ../../../../secrets/hydra-db-credentials.age;
+        group = "hydra";
+        owner = x;
+        mode = "0400";
+      }
+    )
+  );
+
+  reservePortsFor = [ "hydra" ];
+
+  services.nginx.virtualHosts."hydra.${domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.hydra}";
+
+  services.oauth2_proxy.nginx.virtualHosts = [ "hydra.${domain}" ];
+
+  services.hydra = {
+    enable = true;
+    dbi = "dbi:Pg:dbname=hydra;host=127.0.0.1;user=hydra;";
+    hydraURL = "https://hydra.${domain}";
+    port = config.ports.hydra;
+    notificationSender = "hydra@${domain}";
+    buildMachinesFiles = [ "/etc/nix/hydra-machines" ];
+    useSubstitutes = true;
+    extraConfig = ''
+      store_uri = s3://nix-store?scheme=https&endpoint=object-storage.${domain}&secret-key=${config.age.secrets.hydra-bincache-key.path}
+      server_store_uri = https://cache.${domain}
+    '';
+    extraEnv = {
+      AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hydraS3.path;
+      PGPASSFILE = config.age.secrets."hydra-database-credentials-for-hydra".path;
+    };
+  };
+
+  # override weird hydra module stuff
+
+  systemd.services = { 
+    hydra-send-stats = lib.mkForce {};
+  } // lib.genAttrs [ "hydra-notify" "hydra-queue-runner" "hydra-server" ]
+  (x: let
+      name = if x == "hydra-server" then "hydra-www" else
+             if x == "hydra-notify" then "hydra-queue-runner" else x;
+    in {
+      environment = {
+        PGPASSFILE = lib.mkForce config.age.secrets."hydra-database-credentials-for-${name}".path;
+      };
+    }
+  );
+
+  nix.extraOptions = lib.mkForce ''
+    allowed-uris = https://git.${domain}
+    keep-outputs = true
+    keep-derivations = true
+  '';
+
+  programs.ssh.knownHosts.git = {
+    hostNames = [ "git.${domain}" ];
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0rChVEO9Qt7hr7vyiyOP7N45CjaxssFCZNOPCszEQi";
+  };
+}

hosts/VEGAS/system.nix

@@ -24,6 +24,7 @@
       # TODO: fix this one
       ./services/forum
       ./services/git
+      ./services/hydra
       ./services/hyprspace
       ./services/ipfs
       ./services/jokes

secrets/hydra-bincache.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A vynPDZ/n0OZX4jP6jsMo3/pDeG/NESWJWjZorI1rHlY
+l/IQr1YzAJYbxxbxodZj5kcWN3Hc/R+mjHoJqmV+k+c
+-> ssh-ed25519 5/zT0w N5oKG8G0hwcy+HycLjY7c0W9POT0TEJvgtadpLmPNx4
+vwC8wKbrbXsv4kzpM5x6UqDm8BASDW8XkhlGb4ipPLY
+-> ssh-ed25519 d3WGuA +ey3gnIvah3koWvYYtB9ExdAwZMAkG++ZGpiSvgz2HI
+qdRoXNKAD+oAxve9HHLediZYJLi2vdUfAf+XpEOYk/g
+-> 0a>-grease P0 Q?[H ~e=yXc$ ^f*
+1qwFvyh1k2Co61fNx9+AWJc88ayznRmqnX7YaWPp+/ULiUEW3kcaRxiG260SNgNg
+4kI3UIas3tTO912iFZpl
+--- QsGqhfZUEjxeYpzIYVUK/gwyTRM6fIub6PCNB7NphMY
+…ôT<EFBFBD>>k3ùüÐOÛy_ЖÔ"1¿ºo#´
ÔðI‘¾ŽœÚáÚ¿oœ½©:{+;3ßS‡<fpY<'F=*E±E«ÊÞèGÆ(ÎÏ1çòÒ…Û†4êÐ@ñ‰}×ÚöÇ—ÃÕžÍ_«ž…ü?m;æê<n<>P<EFBFBD>ãâÂr~"<22>²Y
+b1O¨AË

secrets/hydra-db-credentials.age

@@ -1,12 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 NO562A 8y69PgCxhGnJyWidqAWhMu5W6KmOyrPj6Yq6CH2zeXs
+-> ssh-ed25519 NO562A 2mzFHjK9i8fyL0zyjnybBhrxeLH16HvaLJISMYlFdlE
-L+qJsxC0eJJZ6QkHk/mif/jSrlV135nYV36p8I2VABI
+2++wa0Q68+V4fuNgEtDITWHBAntLCboQX1Wr8V4rfhY
--> ssh-ed25519 5/zT0w 4EzS5JYeSpxinLyP1dPDar2uN/HP+mZ1SpaFrO4Z9T8
+-> ssh-ed25519 5/zT0w UlpYqYcgGoK+3Jh+32fRl1LalH6qQW9xBs2XJV330jw
-E3FWjk7Ma1+XYls0tZyVzt9rdeVC2Cxd7p0aXR8BMmY
+MRwsma8NA/iIQHZY5RsN0+O/F+wgeSDzER1xplV53SI
--> ssh-ed25519 8Ib2bg IU8rm12IoW6rjJvtKZQjPypE6//B8N+zT6aYOsGsagQ
+-> ssh-ed25519 d3WGuA ZckbCouGX+ejfXAh6YlqvS3rAE+a2E5Dq51ipN5Rj1I
-V1gwYZ2mSmwwRGrQy+5Yi6X2jc7cuSb4i8ug78TgNNs
+kjRzHB9f3Yxt6JmdyaY8v+tfSGYXhzK9gXpIKK+H8dI
--> 8?D(x;Zq-grease
+-> 7\#Ai~>-grease iP
-eLVD9rsrAlXCtjq1xYeWksV+NrZJGLWIpVXOS/L5G6YoS5tmZfPIEpIJ75wylUSu
+xLUdD+infWycRZXJlvvLFUc4u1gb/i8SUCVaKU3pPd0mwks3xySJ8AnbmBM4lrH5
-dCmo2xg
+CTbMBrqJHE7EV6HSwyKezuKL++MvAyvbYIyRJZT6onS9zMKW8jlL
---- K4HxduHKm3NBmH/0fWai2n4O+6H7JF/4tkjc+2GQjtg
+--- nMzQdRhiAuVZQGTi8JlgTq/sgJUmTvScDZh28n2yV4g
-Í».>Ø—9æ$¨ZòÂÄßoÓ˜ÃCé€4R'Ú<>¥p¯20A^~½“¤B<C2A4>X=b—Jó<4A>¾gàßm¬¯n‹¾RÖÅÅ8{†Œë’s ,ùdiEá±~Ï¢‰p!¹ñ¯ü
º{‹½)¸¹Šž>WB²¡½È-Q	‹nV
	¨A:¼
+<EFBFBD>1+%°i/(›F‡X§ˆåµâ
£‰¥¦°ö`Ô‹‡^†œ]ë	…Š8}YÔy¨xÒ‡\lo(1°$x	Fv·! zÑìweº?­±ƒ”a`ÃôMPP„>9š¯_º\
+›£¬²òL;ØÐ(üB%<25>"fÛ&6ß]¼d<C2BC>$Ü1àAŸ

secrets/secrets.nix

@@ -9,8 +9,10 @@ in with hosts;
   "discourse-adminpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "discourse-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
+  "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
+  "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];