2022-03-16 19:34:58 +00:00
|
|
|
{ lib, config, pkgs, ... }:
|
2022-03-12 09:37:16 +00:00
|
|
|
let
|
|
|
|
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
|
|
|
|
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
|
|
|
|
add_header Alt-Svc 'h3=":443"';
|
|
|
|
'';
|
2022-03-16 19:34:58 +00:00
|
|
|
clean-cache = pkgs.callPackage ../../packages/clean-s3-cache.nix { };
|
2022-03-12 09:37:16 +00:00
|
|
|
in
|
|
|
|
{
|
2022-02-18 14:49:19 +00:00
|
|
|
imports = [
|
|
|
|
./postgres.nix
|
2022-02-18 15:58:36 +00:00
|
|
|
../../modules/hydra.nix
|
2022-02-18 14:49:19 +00:00
|
|
|
];
|
|
|
|
services.hydra = {
|
|
|
|
enable = true;
|
2022-04-15 08:27:53 +00:00
|
|
|
hydraURL = "https://hydra.chir.rs/";
|
2022-02-18 14:49:19 +00:00
|
|
|
notificationSender = "hydra@chir.rs";
|
2022-02-18 14:56:22 +00:00
|
|
|
useSubstitutes = true;
|
2022-02-18 15:58:36 +00:00
|
|
|
extraConfig = ''
|
|
|
|
<gitea_authorization>
|
|
|
|
darkkirb = #gitea_token#
|
|
|
|
</gitea_authorization>
|
2022-04-10 12:07:53 +00:00
|
|
|
<github_authorization>
|
2022-04-15 09:41:10 +00:00
|
|
|
DarkKirb = Bearer #github_token#
|
2022-04-10 12:07:53 +00:00
|
|
|
</github_authorization>
|
2022-04-15 08:09:53 +00:00
|
|
|
<githubstatus>
|
|
|
|
jobs = .*
|
|
|
|
</githubstatus>
|
2022-04-24 20:54:42 +00:00
|
|
|
store_uri = s3://cache-chir-rs?scheme=https&endpoint=s3.us-west-000.backblazeb2.com&secret-key=${config.sops.secrets."services/hydra/cache-key".path}&multipart-upload=true&compression=zstd&compression-level=15
|
2022-02-18 15:58:36 +00:00
|
|
|
'';
|
|
|
|
giteaTokenFile = "/run/secrets/services/hydra/gitea_token";
|
2022-04-10 12:07:53 +00:00
|
|
|
githubTokenFile = "/run/secrets/services/hydra/github_token";
|
2022-02-18 14:49:19 +00:00
|
|
|
};
|
|
|
|
services.postgresql.ensureDatabases = [ "hydra" ];
|
|
|
|
services.postgresql.ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "hydra";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE hydra" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
2022-04-16 12:23:59 +00:00
|
|
|
nix.settings.allowed-uris = [ "https://github.com/" "https://git.chir.rs/" "https://darkkirb.de/" "https://git.neo-layout.org/" "https://static.darkkirb.de/" ];
|
2022-02-18 16:04:53 +00:00
|
|
|
sops.secrets."services/hydra/gitea_token" = { };
|
2022-04-10 12:07:53 +00:00
|
|
|
sops.secrets."services/hydra/github_token" = { };
|
2022-04-24 20:54:42 +00:00
|
|
|
sops.secrets."services/hydra/cache-key" = {
|
|
|
|
owner = "hydra-queue-runner";
|
|
|
|
};
|
2022-04-15 08:59:11 +00:00
|
|
|
services.nginx.virtualHosts."hydra.chir.rs" = {
|
2022-03-12 09:37:16 +00:00
|
|
|
listenAddresses = listenIPs;
|
2022-04-15 08:59:11 +00:00
|
|
|
sslCertificate = "/var/lib/acme/chir.rs/cert.pem";
|
|
|
|
sslCertificateKey = "/var/lib/acme/chir.rs/key.pem";
|
2022-03-12 09:37:16 +00:00
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:3000";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
extraConfig = listenStatements;
|
|
|
|
};
|
2022-04-20 08:24:42 +00:00
|
|
|
services.nginx.virtualHosts."hydra.int.chir.rs" = {
|
|
|
|
listenAddresses = listenIPs;
|
|
|
|
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
|
|
|
|
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:3000";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
extraConfig = listenStatements;
|
|
|
|
};
|
2022-03-16 19:34:58 +00:00
|
|
|
systemd.services.clean-s3-cache = {
|
|
|
|
enable = true;
|
|
|
|
description = "Clean up S3 cache";
|
|
|
|
serviceConfig = {
|
2022-03-20 06:32:01 +00:00
|
|
|
ExecStart = "${clean-cache}/bin/clean-s3-cache.py";
|
2022-03-16 19:34:58 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
systemd.timers.clean-s3-cache = {
|
|
|
|
enable = true;
|
|
|
|
description = "Clean up S3 cache";
|
2022-03-20 06:32:01 +00:00
|
|
|
requires = [ "clean-s3-cache.service" ];
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
2022-03-16 19:34:58 +00:00
|
|
|
timerConfig = {
|
|
|
|
OnBootSec = 300;
|
|
|
|
OnUnitActiveSec = 604800;
|
|
|
|
};
|
|
|
|
};
|
2022-04-13 12:35:20 +00:00
|
|
|
sops.secrets."services/hydra/aws_credentials" = {
|
|
|
|
owner = "hydra-queue-runner";
|
|
|
|
path = "/var/lib/hydra/queue-runner/.aws/credentials";
|
|
|
|
restartUnits = [ "hydra-queue-runner.service" ];
|
|
|
|
};
|
2022-02-18 14:49:19 +00:00
|
|
|
}
|