{
system,
nix-packages,
lib,
config,
pkgs,
...
}: let
# Internal listen addresses of this host, taken from the shared helper.
# NOTE(review): neither `listenIPs` nor `listenStatements` is referenced
# anywhere else in this file. They look like a leftover from an nginx front
# end (Hydra is now fronted by Caddy, see services.caddy.virtualHosts below)
# and are candidates for deletion; Nix is lazy, so the import is never
# evaluated as long as nothing uses them.
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;

# nginx `listen` directives (one per internal IP, HTTP/3) followed by the
# Alt-Svc header that advertises h3. The directives are newline-joined; the
# header line is appended directly after the last `listen` with no newline in
# between, which nginx tolerates because `;` terminates each directive.
listenStatements =
  lib.concatMapStringsSep "\n" (ip: "listen ${ip}:443 http3;") listenIPs
  + ''
    add_header Alt-Svc 'h3=":443"';
  '';
clean-cache = nix-packages.packages.${system}.clean-s3-cache;
# Static Nix remote-builders ("machines") file declaring this host itself as
# a builder. Field order follows the Nix machines-file format: host name,
# supported systems, SSH key (`-` = none; irrelevant for localhost), max
# jobs, speed factor, supported features, mandatory features (`-` = none).
# NOTE(review): the non-native systems listed (armv7l, powerpc*, riscv*,
# wasm32-wasi, ...) are only buildable if binfmt emulation is configured
# elsewhere — not visible in this file, confirm.
machines = let
  systems = lib.concatStringsSep "," [
    "armv7l-linux"
    "aarch64-linux"
    "powerpc-linux"
    "powerpc64-linux"
    "powerpc64le-linux"
    "riscv32-linux"
    "riscv64-linux"
    "wasm32-wasi"
    "x86_64-linux"
    "i686-linux"
  ];
  features = lib.concatStringsSep "," [
    "kvm"
    "nixos-test"
    "big-parallel"
    "benchmark"
    "gccarch-znver1"
    "gccarch-skylake"
    "ca-derivations"
  ];
in
  pkgs.writeText "machines" ''
    localhost ${systems} - 12 1 ${features} -
  '';
# Nix post-build-hook, run by the daemon (root on NixOS) after every
# successful build. It only starts the per-derivation upload unit and returns
# at once (`--no-block`), so builds are not delayed by the S3 upload and an
# upload failure is handled by that unit's Restart= policy instead of being
# reported back to nix.
# NOTE(review): keep this hook minimal and non-failing — a non-zero exit from
# a post-build-hook is surfaced by nix as a failed build (confirm for the nix
# version in use).
post-build-hook = pkgs.writeScript "post-build-hook" ''
  #!/bin/sh
  set -euf
  # IFS narrowed to a single space. It has no effect on the quoted
  # "$DRV_PATH" expansion below; presumably a leftover from iterating the
  # space-separated OUT_PATHS list — confirm before removing.
  export IFS=' '
  # DRV_PATH is provided by nix; systemd-escape turns it into a valid
  # instance name (upload-derivation@ unescapes it again via %I).
  unit="upload-derivation@$(${pkgs.systemd}/bin/systemd-escape "$DRV_PATH")"
  ${pkgs.systemd}/bin/systemctl start --no-block "$unit"
'';
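# Signs one store path with the binary-cache key and pushes it to the
# Backblaze S3 bucket. Invoked by upload-derivation@ as hydra-queue-runner
# with the unescaped instance name — the DRV_PATH from post-build-hook — as
# $1. S3 credentials come from that user's ~/.aws/credentials (placed by the
# aws_credentials sops secret below); the signing key is readable through
# group `hydra` (see the cache-key sops secret).
# NOTE(review): $1 is a .drv path. Recent nix resolves a .drv installable to
# its outputs for `nix store sign` / `nix copy`; if the intent is to upload
# the build outputs explicitly, pass OUT_PATHS from the hook instead —
# confirm against the nix version in use.
# `set -x` traces every command into the journal. Only the key file *path*
# appears in the trace, never the key material, so this is safe to keep.
upload-script = pkgs.writeScript "upload-script" ''
  #!/bin/sh
  set -xefu
  # Fail loudly on a missing/empty argument instead of letting the previously
  # unquoted $1 vanish from the nix command line (EX_USAGE).
  if [ "$#" -ne 1 ] || [ -z "$1" ]; then
    echo "usage: upload-script <store-path>" >&2
    exit 64
  fi
  ${pkgs.nix}/bin/nix store sign --key-file ${config.sops.secrets."services/hydra/cache-key".path} "$1"
  ${pkgs.nix}/bin/nix copy --to 's3://cache-chir-rs?scheme=https&endpoint=s3.us-west-000.backblazeb2.com&secret-key=${config.sops.secrets."services/hydra/cache-key".path}&multipart-upload=true&compression=zstd&compression-level=15' "$1"
'';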
in {
# Local PostgreSQL setup for the Hydra database, plus the site-local Hydra
# module (presumably the one implementing the non-upstream giteaTokenFile /
# githubTokenFile options used in services.hydra below — confirm).
imports = [ ./postgres.nix ../../modules/hydra.nix ];
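# Hydra CI server. Token file paths are now derived from the sops options
# (mirroring upload-script above) instead of hard-coding /run/secrets, so
# they follow the secret definitions if their `path` is ever changed.
services.hydra = {
  enable = true;
  package = pkgs.hydra-unstable;
  # Public URL used for links in notifications/statuses. The Caddy vhost in
  # this file serves the *internal* name hydra.int.chir.rs, so the public
  # name is presumably terminated on another host — confirm.
  hydraURL = "https://hydra.chir.rs/";
  notificationSender = "hydra@chir.rs";
  # Let builds fetch dependencies from configured substituters; which caches
  # and keys are trusted is governed by nix.settings elsewhere, not here.
  useSubstitutes = true;
  # hydra-server port that Caddy proxies to on 127.0.0.1.
  # NOTE(review): the upstream module's listenHost defaults to "*" (confirm),
  # so 3001 is bound on all interfaces and only the host firewall keeps it
  # off non-loopback paths. If Caddy is the only client,
  # `listenHost = "127.0.0.1";` would remove that exposure — confirm nothing
  # else connects to the port directly.
  port = 3001;
  # Read by the imported site module and substituted for the `#..._token#`
  # placeholders in extraConfig (these options are not in the upstream hydra
  # module — presumably provided by ../../modules/hydra.nix; confirm).
  giteaTokenFile = config.sops.secrets."services/hydra/gitea_token".path;
  githubTokenFile = config.sops.secrets."services/hydra/github_token".path;
  # Static localhost builder plus the file maintained by update-hydra-hosts,
  # which is absent while the remote builder is unreachable.
  buildMachinesFiles = [
    "${machines}"
    "/run/hydra-machines"
  ];
  # githubstatus `jobs = .*` posts a commit status for every job using the
  # github token. The hydra-notify prometheus exporter binds loopback only,
  # so the wg0 firewall opening for 9199 does not expose it by itself.
  extraConfig = ''
    <gitea_authorization>
    darkkirb = #gitea_token#
    </gitea_authorization>
    <github_authorization>
    DarkKirb = Bearer #github_token#
    </github_authorization>
    <githubstatus>
    jobs = .*
    </githubstatus>
    <hydra_notify>
    <prometheus>
    listen_address = 127.0.0.1
    port = 9199
    </prometheus>
    </hydra_notify>
  '';
};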
networking.firewall.interfaces."wg0".allowedTCPPorts = [9199];
nix.settings.allowed-uris = ["https://github.com/" "https://git.chir.rs/" "https://darkkirb.de/" "https://git.neo-layout.org/" "https://static.darkkirb.de/" "https://gist.github.com/" "https://git.kescher.at/" "https://akkoma.dev/" "https://gitlab.com/" "https://api.github.com/" "https://git.sr.ht/"];
sops.secrets = {
  # Forge API tokens with sops-nix defaults: owned by root, mode 0400,
  # materialised under /run/secrets/services/hydra/. The site hydra module
  # reads them to fill the `#..._token#` placeholders; how and as which user
  # that happens is not visible here.
  "services/hydra/gitea_token" = {};
  "services/hydra/github_token" = {};
  # Binary-cache signing key. Owned by hydra-www but group-readable (0440) so
  # that upload-derivation@ — User=hydra-queue-runner, Group=hydra — can sign
  # store paths with it. The group is the owner's primary group by sops-nix
  # default; confirm that is `hydra`, otherwise the upload unit cannot read
  # the key.
  "services/hydra/cache-key" = {
    owner = "hydra-www";
    mode = "0440";
  };
};
# Internal TLS front end for the Hydra web UI, reusing the ACME certificate
# obtained for int.chir.rs elsewhere. `baseConfig` is a Caddy snippet defined
# outside this file.
# NOTE(review): `trusted_proxies private_ranges` makes Caddy honour
# X-Forwarded-* headers from any RFC 1918 / ULA client. If hosts on wg0 or the
# LAN reach this vhost directly rather than through a known upstream proxy,
# they can spoof the client address Hydra sees and logs; restrict it to the
# actual proxy address(es) if that matters.
services.caddy.virtualHosts."hydra.int.chir.rs" = let
  hydraPort = toString config.services.hydra.port;
in {
  useACMEHost = "int.chir.rs";
  extraConfig = ''
    import baseConfig

    reverse_proxy http://127.0.0.1:${hydraPort} {
      trusted_proxies private_ranges
    }
  '';
};
# Periodic S3 cache cleanup; scheduled by the clean-s3-cache timer below.
# NOTE(review): no User= is set, so the script runs as root. Where it obtains
# S3 credentials is not visible here; if it can use the credentials file
# placed for hydra-queue-runner by the aws_credentials secret,
# `serviceConfig.User = "hydra-queue-runner";` would drop the root privilege
# — confirm before changing.
systemd.services.clean-s3-cache = {
  enable = true;
  description = "Clean up S3 cache";
  serviceConfig.ExecStart = "${clean-cache}/bin/clean-s3-cache.py";
};
# Runs clean-s3-cache 5 minutes after boot and then once a week.
# NOTE(review): `requires` on a timer pulls the service in when the timer
# itself starts (at boot), so the cleanup also runs immediately at boot, in
# addition to the OnBootSec run 300 s later. If that double run is not
# intended, drop `requires`; the timer already owns the service.
systemd.timers.clean-s3-cache = {
  enable = true;
  description = "Clean up S3 cache";
  requires = [ "clean-s3-cache.service" ];
  wantedBy = [ "multi-user.target" ];
  timerConfig.OnBootSec = 300;
  timerConfig.OnUnitActiveSec = 604800;
};
sops.secrets = {
  # S3 credentials for the cache uploads, materialised directly where the AWS
  # credential lookup expects them in hydra-queue-runner's home directory
  # (/var/lib/hydra/queue-runner is the home the NixOS hydra module assigns —
  # confirm), so upload-derivation@ (User=hydra-queue-runner) can use them.
  # Default mode 0400 applies; only that user can read the file.
  # NOTE(review): restartUnits only restarts hydra-notify on rotation. The
  # per-upload template units read the file fresh on every start, which is
  # presumably why they are not listed — confirm hydra-notify is really a
  # consumer of this file.
  "services/hydra/aws_credentials" = {
    owner = "hydra-queue-runner";
    path = "/var/lib/hydra/queue-runner/.aws/credentials";
    restartUnits = [ "hydra-notify.service" ];
  };
};
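# Regenerates /run/hydra-machines (see the timer below): if the remote
# builder answers a ping it is listed as a Hydra build machine, otherwise the
# file is removed so the queue runner stops scheduling onto it. `build-pc`
# is the name Hydra will ssh to — presumably an ssh_config alias for
# nutty-noon.int.chir.rs; its host key and the SSH identity (`-` = default)
# are managed outside this file, confirm.
# The machines line is written to a temporary file and renamed into place:
# hydra-queue-runner reads this file as an unprivileged user and previously
# could observe it truncated or half-written between the `>` and the end of
# the `echo`.
systemd.services.update-hydra-hosts = {
  description = "Update hydra hosts";
  serviceConfig.Type = "oneshot";
  script = ''
    if ${pkgs.iputils}/bin/ping -c 1 nutty-noon.int.chir.rs; then
      tmp=$(mktemp /run/hydra-machines.XXXXXX)
      # mktemp creates the file 0600; the queue runner must be able to read it.
      chmod 0644 "$tmp"
      echo "build-pc armv7l-linux,aarch64-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,riscv32-linux,riscv64-linux,wasm32-wasi,x86_64-linux,i686-linux - 16 2 kvm,nixos-test,big-parallel,benchmark,gccarch-znver2,gccarch-znver1,gccarch-skylake,ca-derivations -" > "$tmp"
      # rename within the same tmpfs is atomic, so readers see old or new, never partial
      mv -f "$tmp" /run/hydra-machines
    else
      rm -f /run/hydra-machines
    fi
  '';
};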
# Re-checks the remote builder every 5 minutes, starting 5 minutes after
# boot. `requires` additionally starts the service as soon as the timer is
# activated at boot, so /run/hydra-machines exists early rather than only
# after the first OnBootSec tick (presumably intentional here).
systemd.timers.update-hydra-hosts = {
  enable = true;
  description = "Update hydra hosts";
  requires = [ "update-hydra-hosts.service" ];
  wantedBy = [ "multi-user.target" ];
  timerConfig.OnBootSec = 300;
  timerConfig.OnUnitActiveSec = 300;
};
# Template unit: one instance per built derivation, started by
# post-build-hook with the systemd-escaped DRV_PATH as instance name; %I is
# the unescaped path handed to upload-script. Runs unprivileged as
# hydra-queue-runner so it can read the group-readable cache key and that
# user's credentials file.
# NOTE(review): Restart=on-failure with RestartSec=30 never trips the default
# start-rate limit (5 starts per 10 s), so a permanently failing upload
# (e.g. revoked credentials) retries forever at 30 s intervals; consider a
# StartLimitIntervalSec/StartLimitBurst bound. onFailure is forced empty,
# presumably to opt this noisy per-build unit out of a global failure handler
# configured elsewhere — confirm that is intended, since upload failures then
# go unnoticed apart from the journal.
systemd.services."upload-derivation@" = {
  description = "Upload %I to the nix cache";
  onFailure = lib.mkForce [];
  serviceConfig = {
    User = "hydra-queue-runner";
    Group = "hydra";
    ExecStart = "${upload-script} %I";
    Restart = "on-failure";
    RestartSec = 30;
  };
};
nix.settings = {
  # Every member of the `hydra` group is a nix trusted user. Trusted users may
  # override most daemon settings per request (substituters, sandboxing,
  # trusted keys), which is generally regarded as root-equivalent towards the
  # nix daemon. The Hydra services need this, so keep group membership to
  # the service accounts only.
  trusted-users = [ "@hydra" ];
  # Fire-and-forget upload trigger run by the daemon after every build.
  post-build-hook = "${post-build-hook}";
};
}