From d2336262fb84b5190ba0793b0431ff544a31bcf3 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Wed, 10 Jul 2024 18:52:22 +0200
Subject: [PATCH] hydra: set allowed URIs in restricted mode for flake inputs
---
 services/hydra/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/services/hydra/default.nix b/services/hydra/default.nix
index 1e54281..9240d76 100644
--- a/services/hydra/default.nix
+++ b/services/hydra/default.nix
@@ -64,6 +64,15 @@ in {
 # Can be removed once this is added to some common config template.
 nix.settings.trusted-users = [ "root" "hydra" "hydra-www" "@wheel" ];
+ # Because Hydra can't fetch flake inputs otherwise... also yes, this
+ # prefix-based matching is absurdly bad.
+ nix.settings.allowed-uris = [
+ "github:"
+ "https://github.com/"
+ "https://git.lix.systems/"
+ "https://git@git.lix.systems/"
+ ];
+
 services.hydra-dev = {
 enable = true;
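Review bot: The `"github:"` and `"https://github.com/"` entries in `nix.settings.allowed-uris` admit every repository on GitHub, so restricted evaluation no longer limits which third-party sources a jobset's flake inputs can fetch from that host. If the set of upstream owners is known, narrower prefixes such as `"github:<owner>/"` and `"https://github.com/<owner>/"` (placeholder owner) would keep the allowlist closer to what Hydra actually needs; this assumes the prefix matching described in the comment also applies to `github:` flake references. The comment would also be more useful if it recorded the invariant the list depends on, for example `# Matched as plain string prefixes: every entry must end in "/" or ":" so it cannot match a look-alike host.` The enclosing attribute set begins before this hunk and the `services.hydra-dev` block continues past it.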