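# Hydra coordinator: the Hydra web UI + queue runner, a nginx TLS front-end,
# and an S3-backed binary cache. Secrets (S3 credentials, the SSH key used to
# reach remote builders) come from agenix and are never written into this file.
{ config, lib, pkgs, ... }:
let
  cfg = config.bagel.services.hydra;

  # Local NAR cache used by server_store_uri; created via tmpfiles below.
  narCacheDir = "/var/cache/hydra/nar-cache";

  # Hydra only listens on localhost on this port; nginx proxies to it.
  port = 3000;

  # Render an attribute set as the query-string part of a Nix store URI.
  # Keys and values are percent-encoded so that a setting containing
  # `&`, `=`, `#` or whitespace cannot break the store_uri below or be
  # parsed as a different setting. mapAttrsToList sorts keys, so the
  # rendered string is deterministic.
  mkCacheSettings = settings:
    builtins.concatStringsSep "&" (
      lib.mapAttrsToList
        (k: v: "${lib.strings.escapeURL k}=${lib.strings.escapeURL v}")
        settings
    );
in {
  options.bagel.services.hydra = with lib; {
    enable = mkEnableOption "Hydra coordinator";
    dbi = mkOption {
      type = types.str;
      description = "DBI connection string for the Hydra postgres database";
    };
  };

  config = lib.mkIf cfg.enable {
    # No owner is set, so the decrypted file stays root-owned; it is handed to
    # the queue runner through systemd's EnvironmentFile (see below).
    age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;

    # The builder SSH key is read directly by the queue runner process, so it
    # must be owned by that service user.
    age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
    age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;

    systemd.tmpfiles.rules = [
      "d /var/cache/hydra 0755 hydra hydra - -"
      # NAR cache entries are aged out after one day.
      "d ${narCacheDir} 0755 hydra hydra 1d -"
    ];

    # XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
    #
    # Can be removed once this is added to some common config template.
    #
    # Note that trusted users can override daemon settings (sandboxing,
    # substituters, ...), so @wheel membership here is effectively root on the
    # Nix daemon; keep that group limited to administrators.
    nix.settings.trusted-users = [ "root" "@wheel" ];

    services.hydra-dev = {
      enable = true;
      listenHost = "localhost";
      inherit port;
      dbi = cfg.dbi;
      hydraURL = "https://hydra.bagel.delroth.net";
      useSubstitutes = false;
      notificationSender = "bagel@delroth.net";

      # XXX: hydra overlay sets pkgs.hydra, but hydra's nixos module uses
      # pkgs.hydra_unstable...
      package = pkgs.hydra;

      # Remote builders, one per line:
      #   uri systems ssh-key maxJobs speed supportedFeatures mandatoryFeatures hostKey
      # The trailing field is the builder's base64 SSH host public key, so the
      # connection is pinned to that host rather than trusting on first use.
      buildMachinesFiles = [
        (pkgs.writeText "hydra-builders.conf" ''
          ssh://bagel-builder@epyc.infra.newtype.fr i686-linux,x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUJwcFBwKzhsdDFSTDNodW5aaGlXRUUvY1laaHJXYjFzaVhKVWpiU2l6Rzggcm9vdEBlcHljCg==
        '')
      ];

      # This string presumably ends up in a world-readable store path, so it
      # must never contain credentials: S3 access keys come from the
      # EnvironmentFile below, and `secret-key` (when enabled) should point at
      # an agenix-managed path of the signing key, not the key itself.
      extraConfig = ''
        store_uri = s3://bagel-cache?${mkCacheSettings {
          endpoint = "s3.delroth.net";
          region = "garage";
          #secret-key = "TODO";
          compression = "zstd";
          log-compression = "br";
          ls-compression = "br";
          write-nar-listing = "1";
        }}
        server_store_uri = https://bagel-cache.s3-web.delroth.net?local-nar-cache=${narCacheDir}
        binary_cache_public_url = https://bagel-cache.s3-web.delroth.net
        log_prefix = https://bagel-cache.s3-web.delroth.net

        upload_logs_to_binary_cache = true

        evaluator_workers = 4
        evaluator_max_memory_size = 4096
        max_concurrent_evals = 1
        allow_import_from_derivation = false
        # 3 GiB
        max_output_size = ${builtins.toString (3 * 1024 * 1024 * 1024)}
        max_db_connections = 100
      '';
    };

    # S3 credentials for the binary cache upload are injected as environment
    # variables of the queue runner only.
    systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
      config.age.secrets.hydra-s3-credentials.path;

    services.nginx = {
      enable = true;
      enableReload = true;
      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedZstdSettings = true;
      # Hydra evaluations and large NAR responses can be slow; allow long proxied requests.
      proxyTimeout = "900s";
      appendConfig = ''
        worker_processes auto;
      '';

      # TLS terminates here; plain HTTP is redirected and Hydra itself is only
      # reachable through this proxy on the loopback address.
      virtualHosts."hydra.bagel.delroth.net" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${builtins.toString port}";
        };
        # Static assets are served straight from the Hydra package.
        locations."/static/" = {
          alias = "${config.services.hydra-dev.package}/libexec/hydra/root/static/";
        };
      };
    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}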