# NixOS module for a Hydra build server. Hydra dispatches builds to this same
# host ("localhost" build machine) and signs with a binary-cache key that is
# generated once under /opt/secret/hydra_key.
{ config, lib, pkgs, ... }:
let
  aliases = import ../data/aliases.nix;
  # Single source of truth for the port: used for the firewall rule and for
  # the Hydra listener below.
  hydraPort = aliases.services.hydra.port;
in
{
  # NOTE(review): this opens the Hydra port to every source address, while
  # hydraURL advertises https. If a TLS-terminating proxy fronts Hydra,
  # confirm whether the raw port needs to be reachable from anywhere but
  # that proxy.
  networking.firewall.allowedTCPPorts = [ hydraPort ];

  virtualisation.virtualbox.host.enable = true;

  services.hydra = {
    enable = true;
    port = hydraPort;
    hydraURL = "https://hydra.orbekk.com";
    notificationSender = "kj+hydra@orbekk.com";
    # Only the *path* of the signing key appears here, so the key material
    # itself is not part of this configuration. The path must match the
    # file created by hydra-manual-setup below.
    extraConfig = ''
      store-uri = file:///nix/store?secret-key=/opt/secret/hydra_key/hydra.orbekk.com-1/secret
    '';
  };

  # From https://github.com/input-output-hk/iohk-nixops
  systemd.services.hydra-manual-setup = {
    description = "Create Keys for Hydra";
    wantedBy = [ "multi-user.target" ];
    # Ordered after, and dependent on, hydra-init; runs with the same
    # environment as that unit.
    after = [ "hydra-init.service" ];
    requires = [ "hydra-init.service" ];
    environment = config.systemd.services.hydra-init.environment;
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    # Generates the binary-cache key pair once. The "initialized" marker
    # keeps later runs from generating a new key over the existing one.
    # Resulting permissions, after the recursive chown to hydra:hydra:
    #   key directory  551  no write bit for anyone; others may only traverse
    #   secret         440  readable by user and group hydra only
    #   public         444  world-readable; the half cache clients trust
    # The hydra user owns the tree, so these modes restrict other accounts,
    # not the hydra user itself.
    script = ''
      if [ ! -e /opt/secret/hydra_key/initialized ]; then
      # create signing keys
      /run/current-system/sw/bin/install -d -m 551 /opt/secret/hydra_key/hydra.orbekk.com-1
      /run/current-system/sw/bin/nix-store --generate-binary-cache-key hydra.orbekk.com-1 /opt/secret/hydra_key/hydra.orbekk.com-1/secret /opt/secret/hydra_key/hydra.orbekk.com-1/public
      /run/current-system/sw/bin/chown -R hydra:hydra /opt/secret/hydra_key
      /run/current-system/sw/bin/chmod 440 /opt/secret/hydra_key/hydra.orbekk.com-1/secret
      /run/current-system/sw/bin/chmod 444 /opt/secret/hydra_key/hydra.orbekk.com-1/public
      # done
      touch /opt/secret/hydra_key/initialized
      fi
    '';
  };

  nix = {
    distributedBuilds = true;
    nrBuildUsers = 30;
    extraOptions = "auto-optimise-store = true";
    # Enable this if I run low on disk.
    gc.automatic = lib.mkForce false;
    # The only builder is this host, so build jobs execute on the machine
    # that also stores the signing key; the file modes set by
    # hydra-manual-setup are what keep other local accounts from reading it.
    buildMachines = [
      {
        hostName = "localhost";
        systems = [ "x86_64-linux" "i686-linux" ];
        # NOTE(review): given as a string here; confirm the NixOS release in
        # use accepts that (newer releases appear to type this as an integer).
        maxJobs = "16";
        supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
      }
    ];
  };

  nixpkgs.config.allowUnfree = true;
}