fuuko: Add hydra

machines/fuuko/configuration.nix

@@ -12,6 +12,7 @@
     ./services/gitea.nix
     ./services/grafana.nix
     ./services/hedgedoc.nix
+    ./services/hydra.nix
     ./services/matrix
     ./services/media-backup.nix
     ./services/media.nix

machines/fuuko/services/hydra.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.hydra;
+in
+{
+  services.hydra = {
+    enable = true;
+    listenHost = "127.0.0.1";
+    port = 3003;
+    hydraURL = "https://hydra.sbruder.de";
+    notificationSender = "hydra@sbruder.de";
+    buildMachinesFiles = [
+      (pkgs.writeText "hydra-build-machines" ''
+        # hostname system sshKey maxJobs speedFactor mandatory+supportedFeatures mandatoryFeatures
+        localhost x86_64-linux - 4 1 kvm,nixos-test
+      '')
+    ];
+    useSubstitutes = true;
+
+    minimumDiskFreeEvaluator = 10;
+    minimumDiskFree = 10;
+
+    extraConfig = ''
+      store_uri = file:///data/cache/nix-binary-cache?secret-key=${config.sops.secrets.binary-cache-secret-key.path}
+
+      upload_logs_to_binary_cache = true
+    '';
+  };
+
+  sops.secrets.binary-cache-secret-key.owner = "hydra-queue-runner";
+  systemd.services.hydra-queue-runner.serviceConfig = {
+    SupplementaryGroups = lib.singleton "keys";
+
+    Nice = 10;
+    IOSchedulingPriority = 5;
+  };
+
+  # Hydra uses restricted eval, which by default does not work with flakes that
+  # use git+https inputs
+  nix.extraOptions = ''
+    allowed-uris = https://git.sbruder.de/
+  '';
+
+  services.nginx.virtualHosts."hydra.sbruder.de" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://${cfg.listenHost}:${toString cfg.port}";
+    };
+  };
+}