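{config, pkgs, ...}:
let
  # Privileged deployment helper. hydra-deploy runs it through the NOPASSWD sudo
  # rule below, so everything in here executes as root with caller-supplied
  # arguments:
  #   $1 = container name
  #   $2 = directory holding the git checkout of the flake
  #   $3 = flake attribute (nixosConfigurations entry)
  #
  # The script used to expand $1/$2/$3 unquoted and had no `set -e`: a failed
  # `pushd` left the destructive `git reset --hard` / `git clean -fdx` running
  # in whatever the current directory happened to be, as root. The shell is
  # now strict and every expansion is quoted. writeShellScriptBin also supplies
  # the bash shebang that pushd/popd need (the old writeScriptBin had none).
  #
  # NOTE(review): the sudo rule's trailing `*` still lets hydra-deploy choose
  # any directory for $2; pinning the checkout path in this script (and
  # narrowing the sudo command pattern) would close that off.
  deploy-container = pkgs.writeShellScriptBin "deploy-nixos-container" ''
    set -euo pipefail

    if [ "$#" -ne 3 ]; then
      echo "usage: deploy-nixos-container <container> <checkout-dir> <flake-attr>" >&2
      exit 1
    fi

    # Quoted so names or paths with whitespace/glob characters are not split.
    pushd "$2"
    nixos-container update "$1" --flake "$2#$3"
    # Bring the checkout back to a pristine state and drop untracked files.
    git reset --hard HEAD
    git clean -fdx
    # Garbage-collect the repository after the reset.
    git reflog expire --expire=now --all
    git repack -ad # Remove dangling objects from packfiles
    git prune # Remove dangling loose objects
    popd
  '';
in {
  imports = [
    # ./nix-serve.nix
  ];

  # Hydra CI itself; reached through the Caddy reverse proxy configured below.
  services.hydra = {
    enable = true;
    hydraURL = "https://hydra.syzygial.cc";
    port = 3500;
    notificationSender = "hydra@localhost";
    buildMachinesFiles = [];
    useSubstitutes = true;
    extraConfig = ''
      enable = 1
    '';
  };

  # Flake inputs may only be fetched from these hosts (restricted-eval).
  nix.extraOptions = ''
    allowed-uris = https://github.com/ https://git.savannah.gnu.org/ https://git.syzygial.cc https://gitlab.com https://sr.ht
  '';

  systemd.services.hydra = {
    serviceConfig = {
      RestartSec = "20s";
    };
  };

  users.users."hydra" = {
    openssh.authorizedKeys.keys = [ ];
    packages = [ ];
  };

  # Deployment User
  users.users.hydra-deploy = {
    isNormalUser = true;
    home = "/var/lib/hydra/deploy";
    description = "Hydra Deployment User";
    extraGroups = [ "hydra" ];
    packages = [ deploy-container ];
  };

  # TODO: Configure authorizedKeys between
  # hydra-queue-runner and hydra-deploy

  # Passwordless root for exactly one command. The `*` admits any argument
  # list, so the script above is the only thing validating those arguments.
  security.sudo.extraRules = [
    {
      users = ["hydra-deploy"];
      commands = [
        {
          command = "${deploy-container}/bin/deploy-nixos-container *";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];

  # NAT for the nixos-containers' veth interfaces out through the host NIC.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-newalan" "ve-handyhelper" ];
    externalInterface = "enp0s25";
    enableIPv6 = true;
  };

  # Local build machine only (buildMachinesFiles is empty above).
  nix.buildMachines = [
    {
      hostName = "localhost";
      system = "x86_64-linux";
      supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
      maxJobs = 8;
    }
  ];

  # TLS-terminating front end; port is taken from the hydra option above so
  # the two cannot drift apart.
  services.caddy.virtualHosts = {
    "hydra.syzygial.cc" = {
      extraConfig = ''
        reverse_proxy localhost:${toString config.services.hydra.port}
      '';
    };
  };
}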