usecases/server/hydra-server.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

inputs:

{ config, lib, pkgs, ... }:

{
  options = with lib; {
    services.hydra.secretKeyLocation = mkOption {
      type = types.str;
      description = ''
        Absolute location to the secret key used to sign builds
      '';
    };
  };

  config = {
    services.hydra = {
      enable = true;
      hydraURL = lib.mkDefault "https://hydra.${config.networking.fqdn}";
      notificationSender = lib.mkDefault "hydra@${config.networking.fqdn}";
      # Don't build *everything* from source
      useSubstitutes = true;
      extraConfig = ''
        binary_cache_secret_key_file = ${config.services.hydra.secretKeyLocation}
        store_uri = auto?secret-key=${config.services.hydra.secretKeyLocation}
      '';
      package = pkgs.hydra-unstable;
    };

    nix.allowedUsers = [ "@hydra" ];

    networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
      config.services.hydra.port
    ];
  };
}