zoey/config
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix(signing): add signing to hydra

Browse source
This commit is contained in:
zack 2024-10-19 02:11:34 -04:00
parent e03a579a93
commit 22d238c29e
No known key found for this signature in database
GPG key ID: 5F873416BCF59F35
3 changed files with 37 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

4
flake.nix
View file

@ -3,10 +3,10 @@
nixConfig = { nixConfig = {
extra-substituters = [ extra-substituters = [
"https://zackartz.cachix.org" "https://hydra.zoeys.computer"
]; ];
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"zackartz.cachix.org-1:nrEfVZF8MVX0Lnt73KwYzH2kwDzFuAoR5VPjuUd4R30=" "hydra.zoeys.computer-1:ssh-ed25519:0000000b7373682d65643235353139000000205f061b28bd7b23ff28347b79ac7719587c471904487cebc19172a682240256cc"
]; ];
}; };

52
modules/nixos/sites/hydra/default.nix
View file

@ -7,17 +7,31 @@
with lib; with lib;
with lib.custom; let with lib.custom; let
cfg = config.sites.hydra; cfg = config.sites.hydra;
sec = config.age.secrets;
in { in {
options.sites.hydra = with types; { options.sites.hydra = with types; {
enable = mkBoolOpt false "Enable Hydra"; enable = mkBoolOpt false "Enable Hydra";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
age.secrets = {
hydra_key = {
owner = "hydra";
group = "hydra";
file = ./sec/hydra_key.age;
};
};
services.hydra = { services.hydra = {
enable = true; enable = true;
hydraURL = "https://hydra.zoeys.computer"; hydraURL = "https://hydra.zoeys.computer";
useSubstitutes = true; useSubstitutes = true;
notificationSender = "hydra@localhost"; # e-mail of hydra service notificationSender = "hydra@localhost"; # e-mail of hydra service
extraConfig = ''
binary_cache_secret_key_file = ${sec.hydra_key.path}
'';
}; };
services.nginx.virtualHosts."hydra.zoeys.computer" = { services.nginx.virtualHosts."hydra.zoeys.computer" = {
@ -28,23 +42,27 @@ in {
}; };
}; };
nix.settings.allowed-uris = [ users.users.hydra.extraGroups = ["keys"];
"github:"
"https://github.com"
"git+https://github.com/"
"git+ssh://github.com/"
"git+https://git.zoeys.computer/"
"git+ssh://git.zoeys.computer/"
];
nix.buildMachines = [ nix = {
{ settings.allowed-uris = [
hostName = "localhost"; "github:"
protocol = null; "https://github.com"
system = "x86_64-linux"; "git+https://github.com/"
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; "git+ssh://github.com/"
maxJobs = 8; "git+https://git.zoeys.computer/"
} "git+ssh://git.zoeys.computer/"
]; ];
trustedUsers = ["hydra"]; # Ensure hydra user is trusted for nix
buildMachines = [
{
hostName = "localhost";
protocol = null;
system = "x86_64-linux";
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
maxJobs = 8;
}
];
};
}; };
} }

BIN
modules/nixos/sites/hydra/sec/hydra_key.age Normal file
View file

Binary file not shown.