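# Hydra CI host: the Hydra service itself, its nginx reverse proxy, the sops
# secrets it needs, and two maintenance timers (S3 cache cleanup and a probe
# that publishes an optional remote builder).
{
  system,
  nix-packages,
  lib,
  config,
  pkgs,
  ...
}: let
  # Addresses nginx binds to on this host, resolved by a shared helper.
  inherit ((import ../../utils/getInternalIP.nix config)) listenIPs;

  # One HTTP/3 `listen` directive per address, followed by the Alt-Svc header
  # that advertises HTTP/3 on :443 to clients.
  listenStatements =
    lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs)
    + ''
      add_header Alt-Svc 'h3=":443"';
    '';

  # Cache-cleanup package taken from the nix-packages input for this system.
  clean-cache = nix-packages.packages.${system}.clean-s3-cache;

  # Platform list shared by the local builder entry and the remote builder
  # entry written by update-hydra-hosts; hoisted so the two cannot drift.
  buildSystems = "armv7l-linux,aarch64-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,riscv32-linux,riscv64-linux,wasm32-wasi,x86_64-linux,i686-linux";

  # Static machines file in the Nix `builders` format:
  #   host systems sshKey maxJobs speedFactor supportedFeatures mandatoryFeatures [publicHostKey]
  machines = pkgs.writeText "machines" ''
    localhost ${buildSystems} - 12 1 kvm,nixos-test,big-parallel,benchmark,gccarch-znver1,gccarch-skylake,ca-derivations -
  '';

  # NOTE(review): nothing in this file references run_deploy, and the `-R`
  # flag has no repository argument, so this looks unfinished — confirm before
  # relying on it.  The token is read from the sops path at run time, so the
  # world-readable store script holds only the path, never the secret.
  run_deploy = pkgs.writeScript "run_deploy" ''
    export GITHUB_TOKEN=$(cat /run/secrets/services/hydra/github_token)
    ${pkgs.github-cli}/bin/gh workflow run deploy.yml -R
  '';

  # The public and internal vhosts are identical apart from the ACME
  # certificate directory, so both are produced from this one helper.
  mkHydraVHost = certDir: {
    listenAddresses = listenIPs;
    sslCertificate = "/var/lib/acme/${certDir}/cert.pem";
    sslCertificateKey = "/var/lib/acme/${certDir}/key.pem";
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
      proxyWebsockets = true;
    };
    extraConfig = listenStatements;
  };
in {
  imports = [
    ./postgres.nix
    ../../modules/hydra.nix
  ];

  services.hydra = {
    enable = true;
    package = pkgs.hydra-unstable;
    hydraURL = "https://hydra.chir.rs/";
    notificationSender = "hydra@chir.rs";
    useSubstitutes = true;
    # Loopback port that both nginx vhosts proxy to.
    port = 3001;
    # Raw hydra.conf fragment.  The `#gitea_token#` / `#github_token#`
    # placeholders are presumably substituted from giteaTokenFile /
    # githubTokenFile by the custom module in ../../modules/hydra.nix — confirm
    # there.  The S3 store URL in <runcommand> carries only the *path* of the
    # signing key (`secret-key=<path>`), so the key itself never appears on
    # the `nix copy` command line.
    extraConfig = ''
      <gitea_authorization>
      darkkirb = #gitea_token#
      </gitea_authorization>
      <github_authorization>
      DarkKirb = Bearer #github_token#
      </github_authorization>
      <githubstatus>
      jobs = .*
      </githubstatus>
      <hydra_notify>
        <prometheus>
        listen_address = 127.0.0.1
        port = 9199
        </prometheus>
      </hydra_notify>
      <runcommand>
      job = *:*:*
      command = nix copy --to 's3://cache-chir-rs?scheme=https&endpoint=s3.us-west-000.backblazeb2.com&secret-key=${config.sops.secrets."services/hydra/cache-key".path}&multipart-upload=true&compression=zstd&compression-level=15' $(cat $HYDRA_JSON | ${pkgs.jq}/bin/jq -r '.products[].path')
      </runcommand>
      binary_cache_secret_key_file = ${config.sops.secrets."services/hydra/cache-key".path}
    '';
    giteaTokenFile = "/run/secrets/services/hydra/gitea_token";
    githubTokenFile = "/run/secrets/services/hydra/github_token";
    # Static local entry plus the remote entry that update-hydra-hosts below
    # creates or removes depending on whether the remote host answers.
    buildMachinesFiles = [
      "${machines}"
      "/run/hydra-machines"
    ];
  };

  # NOTE(review): the hydra_notify Prometheus exporter above listens on
  # 127.0.0.1, so opening 9199 on wg0 does not reach it; either bind the
  # exporter to the wg0 address or drop this rule — confirm which is intended.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [9199];
  # URI prefixes that restricted evaluation is allowed to fetch from.
  nix.settings.allowed-uris = ["https://github.com/" "https://git.chir.rs/" "https://darkkirb.de/" "https://git.neo-layout.org/" "https://static.darkkirb.de/"];

  sops.secrets = {
    "services/hydra/gitea_token" = {};
    "services/hydra/github_token" = {};
    # Narinfo signing key, referenced twice in extraConfig above.  Owner
    # hydra-www is presumably for binary_cache_secret_key_file (read by the
    # web front end).  NOTE(review): the <runcommand> `nix copy` also opens
    # this file but runs under hydra-notify, which on NixOS executes as
    # hydra-queue-runner as far as I recall — confirm that user is in the
    # file's group, otherwise the upload fails with a permission error.
    "services/hydra/cache-key" = {
      owner = "hydra-www";
      mode = "0440";
    };
    # Object-storage credentials for the cache upload, installed directly as
    # the queue runner's AWS credentials file; hydra-notify is restarted when
    # the secret changes.
    "services/hydra/aws_credentials" = {
      owner = "hydra-queue-runner";
      path = "/var/lib/hydra/queue-runner/.aws/credentials";
      restartUnits = ["hydra-notify.service"];
    };
  };

  # Public and internal names for the same Hydra instance.
  services.nginx.virtualHosts."hydra.chir.rs" = mkHydraVHost "chir.rs";
  services.nginx.virtualHosts."hydra.int.chir.rs" = mkHydraVHost "int.chir.rs";

  # Weekly cache cleanup: first run 5 minutes after boot, then every 7 days.
  systemd.services.clean-s3-cache = {
    enable = true;
    description = "Clean up S3 cache";
    serviceConfig = {
      ExecStart = "${clean-cache}/bin/clean-s3-cache.py";
    };
  };
  systemd.timers.clean-s3-cache = {
    enable = true;
    description = "Clean up S3 cache";
    requires = ["clean-s3-cache.service"];
    wantedBy = ["multi-user.target"];
    timerConfig = {
      OnBootSec = 300;
      OnUnitActiveSec = 604800;
    };
  };

  # Publishes a machines entry for the remote builder only while it answers a
  # single ping; otherwise the entry file is removed so Hydra stops using it.
  systemd.services.update-hydra-hosts = {
    description = "Update hydra hosts";
    serviceConfig = {
      Type = "oneshot";
    };
    # NOTE(review): the probe targets nutty-noon.int.chir.rs while the entry
    # names the builder `build-pc`, presumably an ssh_config alias — confirm.
    # The entry has no publicHostKey field, so the builder's SSH host identity
    # presumably rests on the queue runner's known_hosts; verify it is pinned
    # there rather than accepted on first use.
    script = ''
      if ${pkgs.iputils}/bin/ping -c 1 nutty-noon.int.chir.rs; then
        echo "build-pc ${buildSystems} - 16 2 kvm,nixos-test,big-parallel,benchmark,gccarch-znver2,gccarch-znver1,gccarch-skylake,ca-derivations -" > /run/hydra-machines
      else
        rm -f /run/hydra-machines
      fi
    '';
  };
  # Re-probe every 5 minutes, starting 5 minutes after boot.
  systemd.timers.update-hydra-hosts = {
    enable = true;
    description = "Update hydra hosts";
    requires = ["update-hydra-hosts.service"];
    wantedBy = ["multi-user.target"];
    timerConfig = {
      OnBootSec = 300;
      OnUnitActiveSec = 300;
    };
  };
}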