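# NixOS module for the Hydra CI host: Hydra (with LDAP login against
# auth.c3d2.de), a harmonia binary cache, nginx as the TLS terminator in
# front of both, and the sops-managed secrets they need.
{ config, lib, zentralwerk, ... }:

let
  # Loopback port harmonia listens on; nginx proxies nix-serve.hq.c3d2.de to it.
  cachePort = 5000;
in
{
  # disabled because currently it displays `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store
  # containers = {
  #   hydra-ca = {
  #     autoStart = true;
  #     config = { ... }: {
  #       imports = [
  #         hydra-ca.nixosModules.hydra
  #       ];
  #
  #       environment.systemPackages = with pkgs; [ git ];
  #
  #       networking.firewall.allowedTCPPorts = [ 3001 ];
  #
  #       nix = {
  #         settings = {
  #           allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/";
  #           builders-use-substitutes = true;
  #           experimental-features = "ca-derivations nix-command flakes";
  #           extra-substituters = "https://cache.ngi0.nixos.org/";
  #           extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=";
  #           substituters = [
  #             "https://cache.ngi0.nixos.org/"
  #           ];
  #           trusted-public-keys = [
  #             "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
  #           ];
  #         };
  #       };
  #
  #       nixpkgs = {
  #         # config.contentAddressedByDefault = true;
  #         overlays = [ self.overlay ];
  #       };
  #
  #       services = {
  #         hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
  #           hydraURL = "https://hydra-ca.hq.c3d2.de";
  #           port = 3001;
  #         };
  #       };
  #
  #       system.stateVersion = "22.05"; # Did you read the comment? No.
  #     };
  #     hostAddress = "192.168.100.1";
  #     localAddress = "192.168.100.2";
  #     privateNetwork = true;
  #   };
  # };

  networking = {
    # Pin the LDAP server name to its site addresses so the Hydra login
    # path does not depend on external DNS (resolved is disabled below).
    hosts = with zentralwerk.lib.config.site.net.serv; {
      ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
      ${hosts4.auth} = [ "auth.c3d2.de" ];
    };
    # nat = {
    #   enable = true;
    #   externalInterface = "serv";
    #   internalInterfaces = [ "ve-hydra-ca" ];
    # };
  };

  nix = {
    # Remote builder for the ARM targets, reached over ssh as the "client" user.
    buildMachines = [ {
      hostName = "client@dacbert.hq.c3d2.de";
      system = lib.concatStringsSep "," [
        "aarch64-linux" "armv6l-linux" "armv7l-linux"
      ];
      supportedFeatures = [ "kvm" "nixos-test" ];
      maxJobs = 1;
    } ];

    # Run local builds at idle CPU/IO scheduling priority.
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;

    settings = {
      # NOTE(review): these bare scheme prefixes match every http(s)/ssh URL,
      # so the restricted-evaluation allow-list does not actually restrict
      # where jobsets may fetch from. The disabled hydra-ca block above used
      # an explicit forge list instead — confirm the wide-open list is intended.
      allowed-uris = "http:// https:// ssh://";
      builders-use-substitutes = true;
      experimental-features = "ca-derivations nix-command flakes";
      # trusted-users may override daemon settings such as substituters and
      # trusted keys, i.e. they are effectively root-equivalent for the store.
      trusted-users = [ "hydra" "root" ];
    };
  };

  c3d2.simd.arch = "ivybridge";

  services = {
    hydra = {
      enable = true;
      # /var/lib/hydra/machines is generated by hydra-init.preStart below.
      buildMachinesFiles = [
        "/etc/nix/machines"
        "/var/lib/hydra/machines"
      ];
      hydraURL = "https://hydra.hq.c3d2.de";
      logo = ./c3d2.svg;
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 50;
      notificationSender = "hydra@spam.works";
      useSubstitutes = true;
      extraConfig =
        let
          # Cache signing key from sops; the same key is used by harmonia below.
          key = config.sops.secrets."nix-serve/secretKey".path;
        in
        ''
          binary_cache_secret_key_file = ${key}
          evaluator_workers = 4
          evaluator_max_memory_size = 2048
          max_output_size = ${toString (5 * 1024 * 1024 * 1024)} # sd card and raw images
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true

          # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
          <ldap>
            <config>
              <credential>
                class = Password
                password_field = password
                password_type = self_check
              </credential>
              <store>
                class = LDAP
                ldap_server = auth.c3d2.de
                <ldap_server_options>
                  scheme = ldaps
                  timeout = 10
                </ldap_server_options>
                binddn = "uid=search,ou=users,dc=c3d2,dc=de"
                # bind password is installed by the sops secret
                # "ldap/search-user-pw" (path /var/lib/hydra/ldap-password.conf)
                include ldap-password.conf
                # NOTE(review): start_tls is 0 and the connection uses scheme =
                # ldaps, so the ciphers/sslversion under start_tls_options are
                # presumably not applied to the ldaps session at all. Confirm
                # that server certificate verification is configured for the
                # ldaps connection (under ldap_server_options), otherwise the
                # bind credentials may be sent without verifying the peer.
                start_tls = 0
                <start_tls_options>
                  ciphers = TLS_AES_256_GCM_SHA384
                  sslversion = tlsv1_3
                  # verify = none
                </start_tls_options>
                user_basedn = "ou=users,dc=c3d2,dc=de"
                user_filter = "(&(objectclass=person)(uid=%s))"
                user_scope = one
                user_field = uid
                <user_search_options>
                  deref = always
                </user_search_options>
                # Important for role mappings to work:
                use_roles = 1
                role_basedn = "ou=groups,dc=c3d2,dc=de"
                role_filter = "(&(objectclass=group)(%s))"
                role_scope = one
                role_field = cn
                role_value = dn
                <role_search_options>
                  deref = always
                </role_search_options>
              </store>
            </config>
            <role_mapping>
              # maps directly to user roles
              # Make all users in the hydra-admin group Hydra admins
              hydra-admins = admin
              # Allow all users in the dev group to restart jobs and cancel builds
              #dev = restart-jobs
              #dev = cancel-build
            </role_mapping>
          </ldap>
        '';
    };

    # A rust nix binary cache; bound to loopback only, exposed via nginx.
    harmonia = {
      enable = true;
      settings = {
        bind = "127.0.0.1:${toString cachePort}";
        workers = 20;
        max_connection_rate = 1024;
        priority = 30;
        # Same signing key as Hydra's binary_cache_secret_key_file.
        sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
      };
    };

    nginx =
      let
        # Shared TLS/ACME vhost that proxies to the local Hydra web UI.
        hydraVhost = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
        };
      in
      {
        enable = true;
        virtualHosts = {
          "hydra.hq.c3d2.de" = hydraVhost // {
            default = true;
          };
          # "hydra-ca.hq.c3d2.de" = hydraVhost // {
          #   locations."/".proxyPass = "http://192.168.100.2:3001";
          # };
          "hydra.serv.zentralwerk.org" = hydraVhost;
          "nix-serve.hq.c3d2.de" = {
            forceSSL = true;
            enableACME = true;
            locations."/".proxyPass = "http://localhost:${toString cachePort}";
          };
        };
      };

    resolved.enable = false;
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Readable by owner and group only; harmonia is added to the hydra group
    # below so it can read the signing key as well.
    secrets."nix-serve/secretKey" = {
      mode = "440";
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
    };
    # LDAP search-user password, placed where the Hydra config's
    # `include ldap-password.conf` picks it up.
    secrets."ldap/search-user-pw" = {
      mode = "440";
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
      path = "/var/lib/hydra/ldap-password.conf";
    };
  };

  systemd.services = {
    hydra-evaluator.serviceConfig = {
      CPUWeight = 2;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };

    # Generates the ~/machines file (presumably /var/lib/hydra/machines, which
    # is listed in services.hydra.buildMachinesFiles) before Hydra starts.
    hydra-init.preStart = let
      makesSenseForQemuUser = feature:
        !(builtins.elem feature [ "kvm" "benchmark" ]);
      # strips features that don't make sense on qemu-user
      extraPlatformSystemFeatures =
        builtins.filter makesSenseForQemuUser config.nix.settings.system-features;
    in
    # both entries cannot have localhost alone because then hydra would merge them together but we want explicitly two to not allow benchmarks for binfmt emulated arches
    ''
      cat <<EOF > ~/machines
      localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} -
      hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} -
      EOF
    '';

    nix-daemon.serviceConfig = {
      CPUWeight = 5;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
  };

  # allow reading nix-serve secret
  users.users.harmonia.extraGroups = [ "hydra" ];
}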