nix-config/hosts/hydra/hydra.nix

{ hostRegistry, config, lib, pkgs, ... }:
{
  nix = {
    extraOptions = ''
      allowed-uris = http:// https:// ssh://
    '';
    trustedUsers = [ "hydra" "root" ];
    buildMachines = [{
      hostName = "localhost";
      system = lib.concatStringsSep "," ([
        pkgs.system
        "i686-linux"
      ] ++ config.boot.binfmt.emulatedSystems);
      supportedFeatures = [ "big-parallel" "benchmark" "kvm" "nixos-test" ];
      inherit (config.nix) maxJobs;
      # } {
      #   hostName = "client@dacbert.hq.c3d2.de";
      #   system = lib.concatStringsSep "," [
      #     "aarch64-linux" "armv6l-linux" "armv7l-linux"
      #   ];
      #   supportedFeatures = [ "kvm" "benchmark" "nixos-test" ];
      #   maxJobs = 1;
    }];

    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;
  };

  services = {
    hydra-dev = {
      enable = true;
      hydraURL = "https://hydra.hq.c3d2.de";
      logo = ./c3d2.svg;
      minimumDiskFree = 1;
      minimumDiskFreeEvaluator = 1;
      notificationSender = "hydra@spam.works";
      useSubstitutes = true;
      extraConfig =
        let
          key = config.sops.secrets."nix-serve/secretKey".path;
        in
        ''
          binary_cache_secret_key_file = ${key}
          evaluator_workers = 1
          evaluator_max_memory_size = 2048
          max_output_size = 4294967296
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true
        '';
    };

    nginx =
      let
        hydraVhost = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass =
            "http://localhost:${toString config.services.hydra.port}";
        };
      in
      {
        enable = true;
        virtualHosts = {
          "hydra.hq.c3d2.de" = hydraVhost // {
            default = true;
          };
          "hydra.serv.zentralwerk.org" = hydraVhost;
          # TODO: remove
          "nix-serve.hq.c3d2.de" = hydraVhost;
        };
      };
  };

  sops.secrets."nix-serve/secretKey".mode = "0444";

  systemd.services = {
    hydra-evaluator.serviceConfig = {
      CPUWeight = 2;
      MemoryHigh = "96G";
      MemoryMax = "96G";
      MemorySwapMax = "96G";
    };
    nix-daemon.serviceConfig = {
      LimitNOFILE = lib.mkForce 8192;
      CPUWeight = 5;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
  };
}