{ config, lib, pkgs, ... }:

let
  hydraCfg = config.services.hydra;

  # Path of the sops-managed signing key for the local binary cache. The
  # queue runner is the process that needs to read it (see sops.secrets below).
  cacheSecretKey = config.sops.secrets.binary-cache-secret-key.path;

  # Single local builder, written in Hydra's machines-file format.
  buildMachines = pkgs.writeText "hydra-build-machines" ''
    # hostname system sshKey maxJobs speedFactor mandatory+supportedFeatures mandatoryFeatures
    localhost x86_64-linux - 4 1 kvm,nixos-test
  '';
in
{
  services.hydra = {
    enable = true;
    hydraURL = "https://hydra.sbruder.de";
    notificationSender = "hydra@sbruder.de";

    # Bind to loopback only; external exposure and TLS termination are handled
    # by the nginx virtual host further down.
    listenHost = "127.0.0.1";
    port = 3003;

    buildMachinesFiles = [ buildMachines ];
    useSubstitutes = true;

    minimumDiskFree = 10;
    minimumDiskFreeEvaluator = 10;

    # Hydra signs everything it pushes to the cache with the sops-managed key.
    extraConfig = ''
      store_uri = file:///data/cache/nix-binary-cache?secret-key=${cacheSecretKey}
      upload_logs_to_binary_cache = true
    '';
  };

  # The queue runner does the cache uploads, so it must own the key file;
  # no other Hydra component is granted access to it here.
  sops.secrets.binary-cache-secret-key.owner = "hydra-queue-runner";

  systemd.services.hydra-queue-runner.serviceConfig = {
    # "keys" is presumably the group sops-nix uses for its secrets directory —
    # verify against the sops-nix module in use.
    SupplementaryGroups = [ "keys" ];
    # Run builds at lower CPU/IO priority than the rest of the host.
    Nice = 10;
    IOSchedulingPriority = 5;
  };

  # Hydra uses restricted eval, which by default does not work with flakes that
  # use git+https inputs. This is an allowlist for restricted evaluation, so it
  # should stay limited to hosts whose inputs are trusted.
  nix.extraOptions = ''
    allowed-uris = https://git.sbruder.de/
  '';

  # Public entry point: ACME-issued certificate, HTTP redirected to HTTPS,
  # everything proxied to the loopback-only Hydra listener configured above.
  services.nginx.virtualHosts."hydra.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://${hydraCfg.listenHost}:${builtins.toString hydraCfg.port}";
  };
}