hydra deployment

hydra/.envrc

@@ -0,0 +1,4 @@
+if command -v nix-shell &> /dev/null
+then
+    use flake
+fi

hydra/flake.lock

@@ -0,0 +1,42 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1670064435,
+        "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

hydra/flake.nix

@@ -0,0 +1,14 @@
+{
+  description = "My Hydra deployment for felia.cloud";
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+  outputs = { self, nixpkgs, flake-utils, ... }@my_inputs: flake-utils.lib.eachDefaultSystem (sys:
+    let pkgs = import nixpkgs { system=sys; };
+    in
+    {
+      devShells = import ./shell.nix { inherit pkgs; };
+    }
+  );
+}

hydra/infra/simple_hydra.nix

@@ -0,0 +1,106 @@
+{
+  my-hydra =
+    { config
+    , pkgs
+    , keyFiles ? [
+        ../ssh/pi.pub
+        ../ssh/fel.pub
+        ../ssh/felia.pub
+        ../ssh/fel_ed.pub
+        ../ssh/hwtr-prince.pub
+        ../ssh/nixos_felia.pub
+      ]
+    , ...
+    }:
+    let
+      host = "pixi";
+    in
+    {
+      services.postfix = {
+        enable = true;
+        setSendmail = true;
+      };
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql;
+        identMap = ''
+          hydra-users hydra hydra
+          hydra-users hydra-queue-runner hydra
+          hydra-users hydra-www hydra
+          hydra-users root postgres
+          hydra-users postgres postgres
+        '';
+      };
+      services.hydra =
+        let
+          hydraUrl = "https://hydra.felia.cloud";
+          hydraEmail = "hydra@felia.cloud";
+        in
+        {
+          enable = true;
+          # Whether to use binary cache to download store paths. Binary substitutions 
+          # HTTP requests that slow down queue monitor thread significantly. Don't 
+          # enable this feature unless active binary cache is absolutely trustworthy
+          useSubstitutes = true;
+          hydraURL = hydraUrl;
+          notificationSender = hydraEmail;
+          buildMachinesFiles = [ ];
+          extraConfig = ''
+            store_uri = file:///var/lib/hydra/cache?secret-key=/etc/nix/${host}/secret
+            binary_cache_secret_key_file = /etc/nix/${host}/secret
+            binary_cache_dir = /var/lib/hydra/cache
+          '';
+        };
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        virtualHosts."hydra.felia.cloud" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://localhost:3000";
+        };
+      };
+      systemd.services.hydra-manual-setup = {
+        description = "Create Admin User for Hydra";
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = true;
+        wantedBy = [ "multi-user.target" ];
+        requires = [ "hydra-init.service" ];
+        after = [ "hydra-init.service" ];
+        environment = builtins.removeAttrs (config.systemd.services.hydra-init.environment) [ "PATH" ];
+        scripts = ''
+          if [ ! -e ~hydra/.setup-is-complete ]; then
+            # create signing keys
+            /run/current-system/sw/bin/install -d -m 551 /etc/nix/${host}
+            /run/current-system/sw/bin/nix-store --generate-binary-cache-key ${host} /etc/nix/${host}/secret /etc/nix/${host}/public
+            /run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/${host}
+            /run/current-system/sw/bin/chmod 440 /etc/nix/${host}/secret
+            /run/current-system/sw/bin/chmod 444 /etc/nix/${host}/public
+            # create cache
+            /run/current-system/sw/bin/install -d -m 755 /var/lib/hydra/cache
+            /run/current-system/sw/bin/chown -R hydra-queue-runner:hydra /var/lib/hydra/cache
+            # done
+            touch ~hydra/.setup-is-complete
+          fi
+        '';
+      };
+      nix.gc = {
+        automatic = true;
+        # garbage collect every day at 3:15 AM, local time
+        dates = "15 3 * * *";
+      };
+      nix.autoOptimiseStore = true;
+      nix.trustedUsers = [ "hydra" "hydra-evaluator" "hydra-queue-runner" ];
+      nix.buildMachines = [
+        {
+          hostName = "localhost";
+          systems = [ "x86_64-linux" "i686-linux" ];
+          maxJobs = 6;
+          # for building VirtualBox VMs as build artifacts, you might need other
+          # features depending on what you are doing
+          supportedFeatures = [ ];
+        }
+      ];
+      networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+    };
+}

hydra/infra/vbox.nix

@@ -0,0 +1,30 @@
+{
+  my-hydra =
+    { config
+    , pkgs
+    , keyFiles ? [
+        ../ssh/pi.pub
+        ../ssh/fel.pub
+        ../ssh/felia.pub
+        ../ssh/fel_ed.pub
+        ../ssh/hwtr-prince.pub
+        ../ssh/nixos_felia.pub
+      ]
+    , ...
+    }: {
+      deployment.targetEnv = "virtualbox";
+      deployment.virtualbox = {
+        memorySize = 2048;
+        vcpu = 1;
+        headless = true;
+      };
+      services.nixosManual.showManual = false;
+      services.ntp.enable = true; # time daemon
+      services.openssh.allowSFTP = false;
+      services.openssh.passwordAuthentication = false;
+      users = {
+        mutableUsers = false; # frozen user config
+        users.root.openssh.authorizedKeys.keyFiles = keyFiles;
+      };
+    };
+}

hydra/shell.nix

@@ -0,0 +1,15 @@
+{ pkgs ? import <nixpkgs> { }
+}:
+let shellHookAfter = ''
+  echo "Welcome to Felia\'s Hydra setup"
+  echo "TODO: Actually write a MOTD here LOL"
+''; in
+rec {
+  nixops = pkgs.mkShell {
+    nativeBuildInputs = [ pkgs.nixops_unstable ];
+    shellHook = ''
+        echo "profile: nixops"
+    ''+shellHookAfter;
+  };
+  default = nixops;
+}

hydra/ssh/authorized_keys

@@ -0,0 +1,5 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgmng5xL/auvI2F8ufFAfId2Ey55ONHjgnKKSEWLVWkPMutXT3BCnSglNAuEVRLX2zfzg3beQd80AHTow+qro5QWI/rYfeL1QPNEwoThbRFcvtWLTlgzBGA4ejjpIF9sCPNp0sXrrQRfxRP7w4b23BcRJQcsDoaEtKGKJZ2GQIoOafkYypwcunANb54EAouZTfHEPKDr26Gfw8usc2Sae32G/80QLBF2jGabyexJjNE3F6hdJTwq5iiqIVdSr4ue82zo3M8jBdtCMDGaOliI5RWSa9iuX9o2scCGDU69Gkw7ma+JHOP/e9Z8sUz03TkjPbEnGi3EC3YAHEoDzmwqTi07hppCuzacLB5NZ9UZ1g5PzBIZR8TJTONngT08EQyGrkNv2sUnn0dtBqve5tHR04NuXy65ym7Iwl2DDVbAL0NlM4gKWzOGZ2CnSLT0WmkG2sQKU37NmS2pBJ8RXJBatUFe4vQVzqlFj39iRGIBV5XR0I9xcxDfCxBHFs3aIqAqE= hwtr@hwtr-prince
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49VHCU8S6zqNsaS0SFiVqULmOWtyVOIeteYSOznzTHJ0dVjXnamuj/uVsSXRkYIIdAkABWQm9WKELUC2SBBE7DgDj+Izv3cO7QkAJ9v1cxV1P1efrTytz8XtyX++XYygxXCwZ5zyqxhSF5ZW+FO0CNRx1cNisAhF6AMzoXRsyF1dqNioitXTN0xh0xx2mR0Bb3zy1kYNZVwn1uBYyd4Hz6CBgJ7Xi6d/STXWcmc0XnEJTllNSQNEpI6vJjL62JmUPubqDjVKh4awiPRPiw9By1FGaGVtHhOZ+8AvVMTps07GNVJ+XZi1DJLmeItpiCwYsWh96HCp3lup0onLzubpP pi@raspberrypi
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClSDhyOeehUOIMdRonTDD9h7kBbzC3c/QG650S7vfhLE67UNt5tuUjazQg7pFj3O/5WnyqCpBOMJoPaSZ0S5gGdo4h4xatPUBAGDjMygKhg4VA0x7Lr3Tbc1CF8dyuRKVlB+aIWLIyLHHPL5wDao7tnvmuCGKDyaV8XFaKpzRZqAlpfn8svR90Y4wNFYr1V+F+Y6r8reB1Rph6A9BY4niDKY0MbFhvTj6VJQf++1ji0FziACVpYI9aqAcZ4ngReUtgWiIsnq5UMfrEk0vYBG/3KsYElaRig76Bucz1fBA16iAgQua1hthPifsw8vmaK5k6Q3c2SOdc5PGF6IlTfSGJ root@Fel
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Z5noQn3mHy5yiN3n6YyOKRhlQT6fx4NLmI/3d4vY6 root@Fel

hydra/ssh/fel.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClSDhyOeehUOIMdRonTDD9h7kBbzC3c/QG650S7vfhLE67UNt5tuUjazQg7pFj3O/5WnyqCpBOMJoPaSZ0S5gGdo4h4xatPUBAGDjMygKhg4VA0x7Lr3Tbc1CF8dyuRKVlB+aIWLIyLHHPL5wDao7tnvmuCGKDyaV8XFaKpzRZqAlpfn8svR90Y4wNFYr1V+F+Y6r8reB1Rph6A9BY4niDKY0MbFhvTj6VJQf++1ji0FziACVpYI9aqAcZ4ngReUtgWiIsnq5UMfrEk0vYBG/3KsYElaRig76Bucz1fBA16iAgQua1hthPifsw8vmaK5k6Q3c2SOdc5PGF6IlTfSGJ root@Fel

hydra/ssh/felia.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia

hydra/ssh/hwtr-prince.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgmng5xL/auvI2F8ufFAfId2Ey55ONHjgnKKSEWLVWkPMutXT3BCnSglNAuEVRLX2zfzg3beQd80AHTow+qro5QWI/rYfeL1QPNEwoThbRFcvtWLTlgzBGA4ejjpIF9sCPNp0sXrrQRfxRP7w4b23BcRJQcsDoaEtKGKJZ2GQIoOafkYypwcunANb54EAouZTfHEPKDr26Gfw8usc2Sae32G/80QLBF2jGabyexJjNE3F6hdJTwq5iiqIVdSr4ue82zo3M8jBdtCMDGaOliI5RWSa9iuX9o2scCGDU69Gkw7ma+JHOP/e9Z8sUz03TkjPbEnGi3EC3YAHEoDzmwqTi07hppCuzacLB5NZ9UZ1g5PzBIZR8TJTONngT08EQyGrkNv2sUnn0dtBqve5tHR04NuXy65ym7Iwl2DDVbAL0NlM4gKWzOGZ2CnSLT0WmkG2sQKU37NmS2pBJ8RXJBatUFe4vQVzqlFj39iRGIBV5XR0I9xcxDfCxBHFs3aIqAqE= hwtr@hwtr-prince

hydra/ssh/nixos_felia.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia

hydra/ssh/pi.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49VHCU8S6zqNsaS0SFiVqULmOWtyVOIeteYSOznzTHJ0dVjXnamuj/uVsSXRkYIIdAkABWQm9WKELUC2SBBE7DgDj+Izv3cO7QkAJ9v1cxV1P1efrTytz8XtyX++XYygxXCwZ5zyqxhSF5ZW+FO0CNRx1cNisAhF6AMzoXRsyF1dqNioitXTN0xh0xx2mR0Bb3zy1kYNZVwn1uBYyd4Hz6CBgJ7Xi6d/STXWcmc0XnEJTllNSQNEpI6vJjL62JmUPubqDjVKh4awiPRPiw9By1FGaGVtHhOZ+8AvVMTps07GNVJ+XZi1DJLmeItpiCwYsWh96HCp3lup0onLzubpP pi@raspberrypi