diff --git a/configuration/hydra-build-machine/default.nix b/configuration/hydra-build-machine/default.nix
new file mode 100644
index 0000000..b27bef5
--- /dev/null
+++ b/configuration/hydra-build-machine/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+
+ # Allow Hydra to fetch remote URLs in restricted mode
+ nix.settings.allowed-uris = "http: https: git+https: github:";
+ services.openssh.settings= {
+ PermitRootLogin = "yes";
+ };
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
+ ];
+
+}
diff --git a/flake.lock b/flake.lock
index bcb95f2..77b5df6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -283,11 +283,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1713537308,
- "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
+ "lastModified": 1713714899,
+ "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
+ "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
 "type": "github"
 },
 "original": {
diff --git a/hosts/hydra-1/build-machines.nix b/hosts/hydra-1/build-machines.nix
new file mode 100644
index 0000000..36c001e
--- /dev/null
+++ b/hosts/hydra-1/build-machines.nix
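Review bot: `PermitRootLogin = "yes";` in the openssh settings block also admits password logins for root wherever `PasswordAuthentication` is left at its default, while the only root access this module actually sets up is the Hydra build key in `authorizedKeys.keys`; `PermitRootLogin = "prohibit-password";` keeps remote builds working and closes the password path. Since the module is now imported by both hydra hosts, the hydra-1 key grants an unrestricted root shell on every builder; if the builders only need `nix-store --serve`, the `nix.sshServe` option exposes exactly that through a dedicated user and would let root login be turned off altogether (that would also mean changing `sshUser` in build-machines.nix). Minor style: `services.openssh.settings= {` is missing the space before `=` that the rest of the file uses.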
@@ -0,0 +1,36 @@
+{ ... }:
+
+{
+
+ nix = {
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "hydra-1.net.clerie.de";
+ sshUser = "root";
+ systems = [
+ "x86_64-linux"
+ "armv6l-linux"
+ "armv7l-linux"
+ "aarch64-linux"
+ ];
+ sshKey = "/var/lib/hydra/id_ed25519";
+ }
+ {
+ hostName = "hydra-2.net.clerie.de";
+ sshUser = "root";
+ systems = [
+ "x86_64-linux"
+ "armv6l-linux"
+ "armv7l-linux"
+ "aarch64-linux"
+ ];
+ sshKey = "/var/lib/hydra/id_ed25519";
+ }
+ ];
+ };
+
+ programs.ssh.knownHosts."hydra-1.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE2xQBCsFBCwL9n4OP/bPngtNO1fy9kPw13Z/NDoba16 root@hydra-1";
+ programs.ssh.knownHosts."hydra-2.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZED9QM+qe7sB6R6atvP6WNaI2sC2nh7TTsD6kgRpnr root@hydra-2";
+
+}
diff --git a/hosts/hydra-1/configuration.nix b/hosts/hydra-1/configuration.nix
index 8179409..bc31992 100644
--- a/hosts/hydra-1/configuration.nix
+++ b/hosts/hydra-1/configuration.nix
@@ -5,6 +5,11 @@
 [
 ./hardware-configuration.nix
 ../../configuration/proxmox-vm
+ ../../configuration/hydra-build-machine
+
+ ./build-machines.nix
+ ./hydra.nix
+ ./nix-cache.nix
 ];
 
 boot.loader.grub.enable = true;
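Review bot: The two `buildMachines` entries are identical apart from `hostName`, and the same two hosts must be kept in step with the two `programs.ssh.knownHosts` lines below, so a drift in `systems` or `sshKey` between the copies would be easy to miss; building both entries from one helper keeps them in sync. The file also has no comment saying why hydra-1 now reaches itself over SSH instead of the previous `localhost` builder entry; a one-line comment above `buildMachines` recording that decision would help the next reader (presumably so both builders share one entry shape and one key path — worth confirming).
```nix
{ ... }:

let
  # One builder entry per host; every builder listed here also needs a
  # matching programs.ssh.knownHosts entry below.
  builder = hostName: {
    inherit hostName;
    sshUser = "root";
    systems = [ "x86_64-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
    sshKey = "/var/lib/hydra/id_ed25519";
  };
in
{
  nix = {
    distributedBuilds = true;
    buildMachines = map builder [ "hydra-1.net.clerie.de" "hydra-2.net.clerie.de" ];
  };
  # … unchanged: programs.ssh.knownHosts entries …
}
```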
@@ -25,94 +30,7 @@ networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; }; networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; - nix = { - settings.allowed-uris = "http: https: git+https: github:"; - distributedBuilds = true; - buildMachines = [ - { - hostName = "localhost"; - systems = [ - "x86_64-linux" - "armv6l-linux" - "armv7l-linux" - "aarch64-linux" - ]; - } - { - hostName = "hydra-2.net.clerie.de"; - sshUser = "root"; - systems = [ - "x86_64-linux" - "armv6l-linux" - "armv7l-linux" - "aarch64-linux" - ]; - sshKey = "/var/lib/hydra/id_ed25519"; - publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSURaRUQ5UU0rcWU3c0I2UjZhdHZQNldOYUkyc0Mybmg3VFRzRDZrZ1JwbnIgcm9vdEBoeWRyYS0yCg=="; - } - ]; - }; - - programs.ssh.knownHosts."hydra-1.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE2xQBCsFBCwL9n4OP/bPngtNO1fy9kPw13Z/NDoba16 root@hydra-1"; - programs.ssh.knownHosts."hydra-2.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZED9QM+qe7sB6R6atvP6WNaI2sC2nh7TTsD6kgRpnr root@hydra-2"; - - services.openssh.settings = { - PermitRootLogin = "yes"; - }; - - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1" - ]; - - services.hydra = { - enable = true; - port = 3001; - hydraURL = "https://hydra.clerie.de"; - listenHost = "localhost"; - notificationSender = "noreply@hydra.clerie.de"; - useSubstitutes = true; - extraConfig = '' - binary_cache_public_uri = https://nix-cache.clerie.de - ''; - }; - - services.harmonia = { - enable = true; - settings.bind = "[::1]:5005"; - signKeyPath = config.sops.secrets.nix-cache-key.path; - }; - services.nginx.enable = true; - services.nginx.virtualHosts = { - "hydra.clerie.de" = { - enableACME = true; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://localhost:3001"; - }; - }; - }; - "nix-cache.clerie.de" 
= { - enableACME = true; - forceSSL = true; - locations."= /" = { - return = ''200 'Nix Cache by clerie\n\nPublic key:\n\n nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=\n\nNixOS Configuration:\n\n nix.settings = {\n substituters = [\n "https://nix-cache.clerie.de"\n ];\n trusted-public-keys = [\n "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="\n ];\n }\n\nTry:\n\n nix build --substituters "https://nix-cache.clerie.de" \\\n --trusted-public-keys "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \\\n "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"\n\n.-*..*-.' ''; - extraConfig = '' - types { } default_type "text/plain; charset=utf-8"; - ''; - }; - locations."/" = { - proxyPass = "http://[::1]:5005"; - extraConfig = '' - proxy_redirect http:// https://; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - ''; - }; - }; - }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/hosts/hydra-1/hydra.nix b/hosts/hydra-1/hydra.nix new file mode 100644 index 0000000..1ab8fee --- /dev/null +++ b/hosts/hydra-1/hydra.nix @@ -0,0 +1,28 @@ +{ ... }: + +{ + services.hydra = { + enable = true; + port = 3001; + hydraURL = "https://hydra.clerie.de"; + listenHost = "localhost"; + notificationSender = "noreply@hydra.clerie.de"; + useSubstitutes = true; + extraConfig = '' + binary_cache_public_uri = https://nix-cache.clerie.de + ''; + }; + + services.nginx.virtualHosts = { + "hydra.clerie.de" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://localhost:3001"; + }; + }; + }; + }; + +} diff --git a/hosts/hydra-1/nix-cache.nix b/hosts/hydra-1/nix-cache.nix new file mode 100644 index 0000000..fbfc206 --- /dev/null +++ b/hosts/hydra-1/nix-cache.nix 
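Review bot: Neither this file nor the new nix-cache.nix sets `services.nginx.enable = true;`, and the old configuration.nix line that did so is removed in the preceding hunk without being re-added anywhere visible; unless another imported module enables nginx, the `services.nginx.virtualHosts` entries for hydra.clerie.de and nix-cache.clerie.de will evaluate but no nginx (and no ACME certificate request) will run. Adding `services.nginx.enable = true;` next to `services.nginx.virtualHosts` here, and likewise in nix-cache.nix so each module stays self-contained, restores the removed line. A short header comment such as `# Hydra web UI; the service itself only listens on localhost:3001 and nginx terminates TLS in front of it` would also document why `listenHost` and `proxyPass` are paired the way they are.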
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+
+ services.harmonia = {
+ enable = true;
+ settings.bind = "[::1]:5005";
+ signKeyPath = config.sops.secrets.nix-cache-key.path;
+ };
+
+ services.nginx.virtualHosts = {
+ "nix-cache.clerie.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /" = {
+ return = ''200 'Nix Cache by clerie\n\nPublic key:\n\n nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=\n\nNixOS Configuration:\n\n nix.settings = {\n substituters = [\n "https://nix-cache.clerie.de"\n ];\n trusted-public-keys = [\n "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="\n ];\n }\n\nTry:\n\n nix build --substituters "https://nix-cache.clerie.de" \\\n --trusted-public-keys "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \\\n "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"\n\n.-*..*-.' '';
+ extraConfig = ''
+ types { } default_type "text/plain; charset=utf-8";
+ '';
+ };
+ locations."/" = {
+ proxyPass = "http://[::1]:5005";
+ extraConfig = ''
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+ };
+ };
+
+}
diff --git a/hosts/hydra-2/configuration.nix b/hosts/hydra-2/configuration.nix
index e738724..418600b 100644
--- a/hosts/hydra-2/configuration.nix
+++ b/hosts/hydra-2/configuration.nix
@@ -5,6 +5,7 @@
 [
 ./hardware-configuration.nix
 ../../configuration/proxmox-vm
+ ../../configuration/hydra-build-machine
 ];
 
 boot.loader.grub.enable = true;
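Review bot: The cache public key `nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=` is written out three times inside the `return` string of `locations."= /"`, so a key rotation has to touch every copy and any one missed leaves the published instructions pointing at the wrong key; hoisting it once, e.g. `let cachePublicKey = "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="; in` above the module body and interpolating `${cachePublicKey}` in the string, keeps them consistent. The `pkgs` argument in the module header on the first line is not referenced anywhere in the file, so `{ config, ... }:` is enough. A header comment such as `# harmonia serves the local store on loopback only; nginx terminates TLS and publishes the cache's public key at /` would make the bind/proxyPass pairing and the purpose of the text page obvious to the next reader.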
@@ -25,17 +26,6 @@ networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; }; networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; - # Allow Hydra to fetch remote URLs in restricted mode - nix.settings.allowed-uris = "http: https: git+https: github:"; - - services.openssh.settings= { - PermitRootLogin = "yes"; - }; - - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1" - ]; - clerie.monitoring = { enable = true; id = "211";