63 lines
1.9 KiB
Nix
63 lines
1.9 KiB
Nix
{ lib, config, ... }:
|
|
{
|
|
age.secrets = {
|
|
hydraS3 = {
|
|
file = ../../secrets/hydra-s3.age;
|
|
group = "hydra";
|
|
mode = "0440";
|
|
};
|
|
} // lib.mapAttrs' (k: lib.nameValuePair "hydra-database-credentials-for-${k}")
|
|
(lib.genAttrs [ "hydra-queue-runner" "hydra-www" "hydra" ]
|
|
(x:
|
|
{
|
|
file = ../../secrets/hydra-db-credentials.age;
|
|
group = "hydra";
|
|
owner = x;
|
|
mode = "0400";
|
|
}
|
|
)
|
|
);
|
|
|
|
services.hydra = {
|
|
enable = true;
|
|
dbi = "dbi:Pg:dbname=hydra;host=10.1.0.1;user=hydra;";
|
|
hydraURL = "https://hydra.privatevoid.net";
|
|
notificationSender = "hydra@privatevoid.net";
|
|
buildMachinesFiles = [ "/etc/nix/hydra-machines" ];
|
|
useSubstitutes = true;
|
|
extraConfig = ''
|
|
store_uri = s3://nix-store?scheme=https&endpoint=object-storage.privatevoid.net&secret-key=/etc/hydra/bincache.key
|
|
server_store_uri = https://cache.privatevoid.net
|
|
'';
|
|
extraEnv = {
|
|
AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hydraS3.path;
|
|
PGPASSFILE = config.age.secrets."hydra-database-credentials-for-hydra".path;
|
|
};
|
|
};
|
|
|
|
# override weird hydra module stuff
|
|
|
|
systemd.services = {
|
|
hydra-send-stats = lib.mkForce {};
|
|
} // lib.genAttrs [ "hydra-notify" "hydra-queue-runner" "hydra-server" ]
|
|
(x: let
|
|
name = if x == "hydra-server" then "hydra-www" else
|
|
if x == "hydra-notify" then "hydra-queue-runner" else x;
|
|
in {
|
|
environment = {
|
|
PGPASSFILE = lib.mkForce config.age.secrets."hydra-database-credentials-for-${name}".path;
|
|
};
|
|
}
|
|
);
|
|
|
|
nix.extraOptions = lib.mkForce ''
|
|
allowed-uris = https://git.privatevoid.net
|
|
keep-outputs = true
|
|
keep-derivations = true
|
|
'';
|
|
|
|
programs.ssh.knownHosts.git = {
|
|
hostNames = [ "git" "git.services.privatevoid.net" ];
|
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0rChVEO9Qt7hr7vyiyOP7N45CjaxssFCZNOPCszEQi";
|
|
};
|
|
}
|