hydra: nixops 2 is very undocumented and pretty much broken atm

apps/influxdb/.gitignore

@@ -1,4 +0,0 @@
-*.env
-!*.env.example
-influx-configs
-

apps/influxdb/config/influx-configs.example

@@ -1,6 +0,0 @@
-[default]
-  url = "http://localhost:8086"
-  token = "some-admin-token"
-  org = "someOrganization"
-  active = true
-

apps/influxdb/docker-compose.yml

@@ -1,30 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
-version: '3'
-services:
-  influxdb:
-    image: influxdb:2.5.1-alpine
-    env_file: influxdb.env
-    volumes:
-    - influx_data:/var/lib/influxdb2
-    - ./config:/etc/influxdb2
-    networks: [felia]
-    ports:
-    - 8086:8086
-    restart: unless-stopped
-
-  # provider:
-  #   image: python:3.9.15-buster
-  #   restart: unless-stopped
-  #   command: bash -c "/usr/src/app/install-pip.sh && python /usr/src/app/provider.py"
-  #   volumes:
-  #   - ./provider:/usr/src/app
-  #   environment:
-  #     INFLUXDB_URL: http://influxdb:8086
-
-volumes:
-  influx_data:
-
-networks:
-  felia:
-    name: felia-nginx-net
-

apps/influxdb/influxdb.env.example

@@ -1,6 +0,0 @@
-DOCKER_INFLUXDB_INIT_MODE=setup
-DOCKER_INFLUXDB_INIT_USERNAME=some-username
-DOCKER_INFLUXDB_INIT_PASSWORD=some-password
-DOCKER_INFLUXDB_INIT_ORG=someOrganization
-DOCKER_INFLUXDB_INIT_BUCKET=initial-bucket
-DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=some-admin-token

cloudflare-nginx/README.md

@@ -8,7 +8,7 @@ NixOS on WSL (felia-1). This deployment works on Docker WSL of Felia node.
 
 ## How to apply changes
 
-- Push changes
-- Access Felia (Windows), pull the changes
-- `cloudflare-nginx/scripts/reload_nginx.sh` on a Docker client that connected to Felia
+The current way to apply the changes is to push to Felia's git server and 
+`cloudflare-nginx/scripts/reload_nginx.sh` on a Docker client that connected to Felia
+
 

cloudflare-nginx/nginx/conf.d/c4c.pegasust.com.conf

@@ -25,7 +25,6 @@ server {
 
     location / {
         proxy_pass http://c4c-secret-manager-vault-1:8200;
-        # proxy_pass http://influxdb-influxdb-1:8086;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

cloudflare-nginx/nginx/conf.d/influxdb.felia.cloud.conf

@@ -1,27 +0,0 @@
-# NOTE: Felia is under Cox ISP, which blocks port 80 anyways.
-# we're just going to leave it like this for now
-# server {
-#     listen 80;
-#     listen [::]:80;
-#     server_name localhost;
-#     return 302 https://$server_name$request_uri;
-# }
-
-server {
-    # SSL configuration
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    include /etc/nginx/ssl_params;
-
-    server_name influxdb.felia.cloud;
-
-    location / {
-        # proxy_pass http://localhost:8086;
-        proxy_pass http://influxdb-influxdb-1:8086;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-}
-

hydra/.envrc

@@ -0,0 +1,4 @@
+if command -v nix-shell &> /dev/null
+then
+    use flake
+fi

hydra/flake.lock

@@ -0,0 +1,42 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1670064435,
+        "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

hydra/flake.nix

@@ -0,0 +1,14 @@
+{
+  description = "My Hydra deployment for felia.cloud";
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+  outputs = { self, nixpkgs, flake-utils, ... }@my_inputs: flake-utils.lib.eachDefaultSystem (sys:
+    let pkgs = import nixpkgs { system=sys; };
+    in
+    {
+      devShells = import ./shell.nix { inherit pkgs; };
+    }
+  );
+}

hydra/infra/simple_hydra.nix

@@ -0,0 +1,106 @@
+{
+  my-hydra =
+    { config
+    , pkgs
+    , keyFiles ? [
+        ../ssh/pi.pub
+        ../ssh/fel.pub
+        ../ssh/felia.pub
+        ../ssh/fel_ed.pub
+        ../ssh/hwtr-prince.pub
+        ../ssh/nixos_felia.pub
+      ]
+    , ...
+    }:
+    let
+      host = "pixi";
+    in
+    {
+      services.postfix = {
+        enable = true;
+        setSendmail = true;
+      };
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql;
+        identMap = ''
+          hydra-users hydra hydra
+          hydra-users hydra-queue-runner hydra
+          hydra-users hydra-www hydra
+          hydra-users root postgres
+          hydra-users postgres postgres
+        '';
+      };
+      services.hydra =
+        let
+          hydraUrl = "https://hydra.felia.cloud";
+          hydraEmail = "hydra@felia.cloud";
+        in
+        {
+          enable = true;
+          # Whether to use binary cache to download store paths. Binary substitutions 
+          # HTTP requests that slow down queue monitor thread significantly. Don't 
+          # enable this feature unless active binary cache is absolutely trustworthy
+          useSubstitutes = true;
+          hydraURL = hydraUrl;
+          notificationSender = hydraEmail;
+          buildMachinesFiles = [ ];
+          extraConfig = ''
+            store_uri = file:///var/lib/hydra/cache?secret-key=/etc/nix/${host}/secret
+            binary_cache_secret_key_file = /etc/nix/${host}/secret
+            binary_cache_dir = /var/lib/hydra/cache
+          '';
+        };
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        virtualHosts."hydra.felia.cloud" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://localhost:3000";
+        };
+      };
+      systemd.services.hydra-manual-setup = {
+        description = "Create Admin User for Hydra";
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = true;
+        wantedBy = [ "multi-user.target" ];
+        requires = [ "hydra-init.service" ];
+        after = [ "hydra-init.service" ];
+        environment = builtins.removeAttrs (config.systemd.services.hydra-init.environment) [ "PATH" ];
+        scripts = ''
+          if [ ! -e ~hydra/.setup-is-complete ]; then
+            # create signing keys
+            /run/current-system/sw/bin/install -d -m 551 /etc/nix/${host}
+            /run/current-system/sw/bin/nix-store --generate-binary-cache-key ${host} /etc/nix/${host}/secret /etc/nix/${host}/public
+            /run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/${host}
+            /run/current-system/sw/bin/chmod 440 /etc/nix/${host}/secret
+            /run/current-system/sw/bin/chmod 444 /etc/nix/${host}/public
+            # create cache
+            /run/current-system/sw/bin/install -d -m 755 /var/lib/hydra/cache
+            /run/current-system/sw/bin/chown -R hydra-queue-runner:hydra /var/lib/hydra/cache
+            # done
+            touch ~hydra/.setup-is-complete
+          fi
+        '';
+      };
+      nix.gc = {
+        automatic = true;
+        # garbage collect every day at 3:15 AM, local time
+        dates = "15 3 * * *";
+      };
+      nix.autoOptimiseStore = true;
+      nix.trustedUsers = [ "hydra" "hydra-evaluator" "hydra-queue-runner" ];
+      nix.buildMachines = [
+        {
+          hostName = "localhost";
+          systems = [ "x86_64-linux" "i686-linux" ];
+          maxJobs = 6;
+          # for building VirtualBox VMs as build artifacts, you might need other
+          # features depending on what you are doing
+          supportedFeatures = [ ];
+        }
+      ];
+      networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+    };
+}

hydra/infra/vbox.nix

@@ -0,0 +1,30 @@
+{
+  my-hydra =
+    { config
+    , pkgs
+    , keyFiles ? [
+        ../ssh/pi.pub
+        ../ssh/fel.pub
+        ../ssh/felia.pub
+        ../ssh/fel_ed.pub
+        ../ssh/hwtr-prince.pub
+        ../ssh/nixos_felia.pub
+      ]
+    , ...
+    }: {
+      deployment.targetEnv = "virtualbox";
+      deployment.virtualbox = {
+        memorySize = 2048;
+        vcpu = 1;
+        headless = true;
+      };
+      services.nixosManual.showManual = false;
+      services.ntp.enable = true; # time daemon
+      services.openssh.allowSFTP = false;
+      services.openssh.passwordAuthentication = false;
+      users = {
+        mutableUsers = false; # frozen user config
+        users.root.openssh.authorizedKeys.keyFiles = keyFiles;
+      };
+    };
+}

hydra/shell.nix

@@ -0,0 +1,15 @@
+{ pkgs ? import <nixpkgs> { }
+}:
+let shellHookAfter = ''
+  echo "Welcome to Felia\'s Hydra setup"
+  echo "TODO: Actually write a MOTD here LOL"
+''; in
+rec {
+  nixops = pkgs.mkShell {
+    nativeBuildInputs = [ pkgs.nixops_unstable ];
+    shellHook = ''
+        echo "profile: nixops"
+    ''+shellHookAfter;
+  };
+  default = nixops;
+}

hydra/ssh/authorized_keys

@@ -0,0 +1,5 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgmng5xL/auvI2F8ufFAfId2Ey55ONHjgnKKSEWLVWkPMutXT3BCnSglNAuEVRLX2zfzg3beQd80AHTow+qro5QWI/rYfeL1QPNEwoThbRFcvtWLTlgzBGA4ejjpIF9sCPNp0sXrrQRfxRP7w4b23BcRJQcsDoaEtKGKJZ2GQIoOafkYypwcunANb54EAouZTfHEPKDr26Gfw8usc2Sae32G/80QLBF2jGabyexJjNE3F6hdJTwq5iiqIVdSr4ue82zo3M8jBdtCMDGaOliI5RWSa9iuX9o2scCGDU69Gkw7ma+JHOP/e9Z8sUz03TkjPbEnGi3EC3YAHEoDzmwqTi07hppCuzacLB5NZ9UZ1g5PzBIZR8TJTONngT08EQyGrkNv2sUnn0dtBqve5tHR04NuXy65ym7Iwl2DDVbAL0NlM4gKWzOGZ2CnSLT0WmkG2sQKU37NmS2pBJ8RXJBatUFe4vQVzqlFj39iRGIBV5XR0I9xcxDfCxBHFs3aIqAqE= hwtr@hwtr-prince
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49VHCU8S6zqNsaS0SFiVqULmOWtyVOIeteYSOznzTHJ0dVjXnamuj/uVsSXRkYIIdAkABWQm9WKELUC2SBBE7DgDj+Izv3cO7QkAJ9v1cxV1P1efrTytz8XtyX++XYygxXCwZ5zyqxhSF5ZW+FO0CNRx1cNisAhF6AMzoXRsyF1dqNioitXTN0xh0xx2mR0Bb3zy1kYNZVwn1uBYyd4Hz6CBgJ7Xi6d/STXWcmc0XnEJTllNSQNEpI6vJjL62JmUPubqDjVKh4awiPRPiw9By1FGaGVtHhOZ+8AvVMTps07GNVJ+XZi1DJLmeItpiCwYsWh96HCp3lup0onLzubpP pi@raspberrypi
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClSDhyOeehUOIMdRonTDD9h7kBbzC3c/QG650S7vfhLE67UNt5tuUjazQg7pFj3O/5WnyqCpBOMJoPaSZ0S5gGdo4h4xatPUBAGDjMygKhg4VA0x7Lr3Tbc1CF8dyuRKVlB+aIWLIyLHHPL5wDao7tnvmuCGKDyaV8XFaKpzRZqAlpfn8svR90Y4wNFYr1V+F+Y6r8reB1Rph6A9BY4niDKY0MbFhvTj6VJQf++1ji0FziACVpYI9aqAcZ4ngReUtgWiIsnq5UMfrEk0vYBG/3KsYElaRig76Bucz1fBA16iAgQua1hthPifsw8vmaK5k6Q3c2SOdc5PGF6IlTfSGJ root@Fel
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Z5noQn3mHy5yiN3n6YyOKRhlQT6fx4NLmI/3d4vY6 root@Fel

hydra/ssh/fel.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClSDhyOeehUOIMdRonTDD9h7kBbzC3c/QG650S7vfhLE67UNt5tuUjazQg7pFj3O/5WnyqCpBOMJoPaSZ0S5gGdo4h4xatPUBAGDjMygKhg4VA0x7Lr3Tbc1CF8dyuRKVlB+aIWLIyLHHPL5wDao7tnvmuCGKDyaV8XFaKpzRZqAlpfn8svR90Y4wNFYr1V+F+Y6r8reB1Rph6A9BY4niDKY0MbFhvTj6VJQf++1ji0FziACVpYI9aqAcZ4ngReUtgWiIsnq5UMfrEk0vYBG/3KsYElaRig76Bucz1fBA16iAgQua1hthPifsw8vmaK5k6Q3c2SOdc5PGF6IlTfSGJ root@Fel

hydra/ssh/felia.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia

hydra/ssh/hwtr-prince.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgmng5xL/auvI2F8ufFAfId2Ey55ONHjgnKKSEWLVWkPMutXT3BCnSglNAuEVRLX2zfzg3beQd80AHTow+qro5QWI/rYfeL1QPNEwoThbRFcvtWLTlgzBGA4ejjpIF9sCPNp0sXrrQRfxRP7w4b23BcRJQcsDoaEtKGKJZ2GQIoOafkYypwcunANb54EAouZTfHEPKDr26Gfw8usc2Sae32G/80QLBF2jGabyexJjNE3F6hdJTwq5iiqIVdSr4ue82zo3M8jBdtCMDGaOliI5RWSa9iuX9o2scCGDU69Gkw7ma+JHOP/e9Z8sUz03TkjPbEnGi3EC3YAHEoDzmwqTi07hppCuzacLB5NZ9UZ1g5PzBIZR8TJTONngT08EQyGrkNv2sUnn0dtBqve5tHR04NuXy65ym7Iwl2DDVbAL0NlM4gKWzOGZ2CnSLT0WmkG2sQKU37NmS2pBJ8RXJBatUFe4vQVzqlFj39iRGIBV5XR0I9xcxDfCxBHFs3aIqAqE= hwtr@hwtr-prince

hydra/ssh/nixos_felia.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia

hydra/ssh/pi.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49VHCU8S6zqNsaS0SFiVqULmOWtyVOIeteYSOznzTHJ0dVjXnamuj/uVsSXRkYIIdAkABWQm9WKELUC2SBBE7DgDj+Izv3cO7QkAJ9v1cxV1P1efrTytz8XtyX++XYygxXCwZ5zyqxhSF5ZW+FO0CNRx1cNisAhF6AMzoXRsyF1dqNioitXTN0xh0xx2mR0Bb3zy1kYNZVwn1uBYyd4Hz6CBgJ7Xi6d/STXWcmc0XnEJTllNSQNEpI6vJjL62JmUPubqDjVKh4awiPRPiw9By1FGaGVtHhOZ+8AvVMTps07GNVJ+XZi1DJLmeItpiCwYsWh96HCp3lup0onLzubpP pi@raspberrypi

hydra/xtasks/deploy.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+SCRIPT_DIR="$(realpath $(dirname $0))"
+PROJ_ROOT="${SCRIPT_DIR}/.."
+
+# create a deployment of simple_hydra
+nixops create ${PROJ_ROOT}/infra/{vbox,simple_hydra}.nix -d simple_hydra
+
+nixops info -d simple_hydra
+