infra/services/hydra/default.nix

127 lines
3.6 KiB
Nix

{ config, lib, pkgs, ... }:
let
cfg = config.bagel.services.hydra;
narCacheDir = "/var/cache/hydra/nar-cache";
port = 3000;
mkCacheSettings = settings: builtins.concatStringsSep "&" (
lib.mapAttrsToList (k: v: "${k}=${v}") settings
);
in {
options.bagel.services.hydra = with lib; {
enable = mkEnableOption "Hydra coordinator";
dbi = mkOption {
type = types.str;
description = "DBI connection string for the Hydra postgres database";
};
};
config = lib.mkIf cfg.enable {
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
systemd.tmpfiles.rules = [
"d /var/cache/hydra 0755 hydra hydra - -"
"d ${narCacheDir} 0755 hydra hydra 1d -"
];
# XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
#
# Can be removed once this is added to some common config template.
nix.settings.trusted-users = [ "root" "@wheel" ];
services.hydra-dev = {
enable = true;
listenHost = "localhost";
port = port;
dbi = cfg.dbi;
hydraURL = "https://hydra.bagel.delroth.net";
useSubstitutes = false;
notificationSender = "bagel@delroth.net";
# XXX: hydra overlay sets pkgs.hydra, but hydra's nixos module uses
# pkgs.hydra_unstable...
package = pkgs.hydra;
buildMachinesFiles = [
(pkgs.writeText "hydra-builders.conf" ''
ssh://bagel-builder@epyc.infra.newtype.fr i686-linux,x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9YVDlJbml0MU1oS3Q0cmpCQU5McTB0MGJQd3cvV1FaOTZ1QjRBRURybWwgcm9vdEBuaXhvcwo=
'')
];
extraConfig = ''
store_uri = s3://bagel-cache?${mkCacheSettings {
endpoint = "s3.delroth.net";
region = "garage";
#secret-key = "TODO";
compression = "zstd";
log-compression = "br";
ls-compression = "br";
write-nar-listing = "1";
}}
server_store_uri = https://bagel-cache.s3-web.delroth.net?local-nar-cache=${narCacheDir}
binary_cache_public_url = https://bagel-cache.s3-web.delroth.net
log_prefix = https://bagel-cache.s3-web.delroth.net
upload_logs_to_binary_cache = true
evaluator_workers = 4
evaluator_max_memory_size = 4096
max_concurrent_evals = 1
allow_import_from_derivation = false
max_output_size = ${builtins.toString (3 * 1024 * 1024 * 1024)}
max_db_connections = 100
'';
};
systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
config.age.secrets.hydra-s3-credentials.path;
services.nginx = {
enable = true;
enableReload = true;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
proxyTimeout = "900s";
appendConfig = ''
worker_processes auto;
'';
virtualHosts."hydra.bagel.delroth.net" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
locations."/static/" = {
alias = "${config.services.hydra-dev.package}/libexec/hydra/root/static/";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}