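# NixOS module for the Hydra build host.
#
# Declares:
#   * a `hydra-ca` container running a second Hydra instance on port 3001
#     with content-addressed derivations enabled,
#   * the host's own Hydra (`services.hydra-dev`) and Nix daemon settings,
#   * the nginx virtual hosts that terminate TLS in front of both instances,
#   * the sops-managed binary cache signing key and systemd resource limits.
{ hostRegistry, hydra-ca, config, lib, pkgs, ... }:

{
  containers = {
    hydra-ca = {
      autoStart = true;

      # The container module binds no arguments of its own (`{ ... }:`), so
      # `config`, `lib` and `pkgs` inside it are the host's module arguments.
      config = { ... }: {
        imports = [
          hydra-ca.nixosModules.hydra
        ];

        environment.systemPackages = with pkgs; [ git ];

        # Hydra web interface of this instance; the host's nginx proxies to it.
        networking.firewall.allowedTCPPorts = [ 3001 ];

        nix = {
          settings = {
            # Store paths signed by this key are accepted from the cache
            # instead of being built locally, so the key is a trust anchor
            # for everything this instance builds on top of them.
            substituters = [
              "https://cache.ngi0.nixos.org/"
            ];
            trusted-public-keys = [
              "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
            ];
          };
          # allowed-uris is limited to the listed forges, unlike the host's
          # setting further down.
          extraOptions = ''
            allowed-uris = https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/
            builders-use-substitutes = true
            experimental-features = ca-derivations nix-command flakes
            extra-substituters = https://cache.ngi0.nixos.org/
            extra-trusted-public-keys = cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=
          '';
        };

        nixpkgs.overlays = [
          (import ../../overlay)
        ];

        services = {
          # Start from the host's hydra-dev settings (including extraConfig,
          # which names the host's signing key path) and override only the
          # URL and the port.
          # NOTE(review): no secret is declared inside the container here, so
          # confirm whether the inherited key path is meant to resolve in it.
          hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
            hydraURL = "https://hydra-ca.hq.c3d2.de";
            port = 3001;
          };
        };
      };

      # Private veth pair between host and container; outbound traffic from
      # the container is NATed by the host (networking.nat below).
      hostAddress = "192.168.100.1";
      localAddress = "192.168.100.2";
      privateNetwork = true;
    };
  };

  networking.nat = {
    enable = true;
    externalInterface = "serv";
    internalInterfaces = [ "ve-hydra-ca" ];
  };

  nix = {
    # NOTE(review): these bare scheme prefixes match every http, https and
    # ssh URI, so allowed-uris no longer limits which hosts an evaluation may
    # fetch from, and plaintext http is included. The container above uses an
    # explicit list of forges; consider the same here if the jobsets allow it.
    extraOptions = lib.mkForce ''
      allowed-uris = http:// https:// ssh://
      builders-use-substitutes = true
      experimental-features = ca-derivations nix-command flakes
    '';

    # Trusted users may override daemon settings such as substituters and
    # signature checks, which is close to root on the store; keep this list
    # as short as possible.
    trustedUsers = [ "hydra" "root" ];

    buildMachines = [{
      hostName = "localhost";
      # Native system, i686, and every system emulated through binfmt.
      system = lib.concatStringsSep "," ([ pkgs.system "i686-linux" ] ++ config.boot.binfmt.emulatedSystems);
      supportedFeatures = [ "big-parallel" "benchmark" "kvm" "nixos-test" ];
      inherit (config.nix) maxJobs;
    # } {
    #   hostName = "client@dacbert.hq.c3d2.de";
    #   system = lib.concatStringsSep "," [
    #     "aarch64-linux" "armv6l-linux" "armv7l-linux"
    #   ];
    #   supportedFeatures = [ "kvm" "benchmark" "nixos-test" ];
    #   maxJobs = 1;
    }];

    # Run the daemon (and therefore builds) at idle CPU and I/O priority.
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;
  };

  services = {
    hydra-dev = {
      enable = true;
      hydraURL = "https://hydra.hq.c3d2.de";
      logo = ./c3d2.svg;
      minimumDiskFree = 1;
      minimumDiskFreeEvaluator = 1;
      notificationSender = "hydra@spam.works";
      useSubstitutes = true;
      # Only the path of the signing key is interpolated; the key material
      # stays in the sops-managed file and never enters the Nix store.
      extraConfig =
        let
          key = config.sops.secrets."nix-serve/secretKey".path;
        in
        ''
          binary_cache_secret_key_file = ${key}
          evaluator_workers = 4
          evaluator_max_memory_size = 2048
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true
        '';
    };

    nginx =
      let
        # Shared vhost template: TLS is enforced with an ACME certificate and
        # requests are proxied to the Hydra instance on the host.
        # NOTE(review): this reads `services.hydra.port` while the instance is
        # configured through `services.hydra-dev`; confirm both resolve to the
        # same port.
        hydraVhost = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
        };
      in
      {
        enable = true;
        virtualHosts = {
          "hydra.hq.c3d2.de" = hydraVhost // {
            default = true;
          };
          # The content-addressed instance lives in the container; the hop to
          # it is plain HTTP over the private veth link.
          "hydra-ca.hq.c3d2.de" = hydraVhost // {
            locations."/".proxyPass = "http://192.168.100.2:3001";
          };
          "hydra.serv.zentralwerk.org" = hydraVhost;
          "nix-serve.hq.c3d2.de" = hydraVhost; # TODO: remove
        };
      };

    resolved.enable = false;
  };

  # Binary cache signing key. Anyone who can read it can sign arbitrary store
  # paths that clients trusting this cache will accept, so it must not be
  # world-readable: restrict it to root (the default owner) and the `hydra`
  # group. Referencing the group through `config.users.groups` makes
  # evaluation fail if the Hydra module does not define that group, instead
  # of silently deploying an unreadable key.
  # NOTE(review): assumes every Hydra service account that reads the key is a
  # member of the `hydra` group; confirm against the Hydra module in use.
  sops.secrets."nix-serve/secretKey" = {
    mode = "0440";
    group = config.users.groups.hydra.name;
  };

  systemd.services = {
    # Cap evaluator memory and give it a low CPU weight.
    hydra-evaluator.serviceConfig = {
      CPUWeight = 2;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
    # Same memory cap for the daemon, plus a forced open-file limit.
    nix-daemon.serviceConfig = {
      LimitNOFILE = lib.mkForce 8192;
      CPUWeight = 5;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
  };
}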