diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix
new file mode 100644
index 0000000..a4c612e
--- /dev/null
+++ b/config/hosts/hydra/configuration.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "hydra";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix
new file mode 100644
index 0000000..f621711
--- /dev/null
+++ b/config/hosts/hydra/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./hydra.nix
+ ./networking.nix
+ ./nginx.nix
+ ./nix.nix
+ ];
+}
diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix
new file mode 100644
index 0000000..f315710
--- /dev/null
+++ b/config/hosts/hydra/hydra.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ services.hydra = {
+ enable = true;
+ listenHost = "localhost";
+ port = 3000;
+ hydraURL = "https://hydra.hamburg.ccc.de/";
+ # E-Mail configuration requires some work/investigation still.
+ notificationSender = "no-reply@hydra.hamburg.ccc.de";
+ useSubstitutes = true;
+ minimumDiskFree = 8;
+ minimumDiskFreeEvaluator = 2;
+ };
+}
diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix
new file mode 100644
index 0000000..82cec55
--- /dev/null
+++ b/config/hosts/hydra/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.163";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:45:7C:D6";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
new file mode 100644
index 0000000..49ca2e1
--- /dev/null
+++ b/config/hosts/hydra/nginx.nix
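Review bot: hydra.nix enables the service but records nothing about how the first administrative account comes into existence, and Hydra starts with no users, so project and jobset administration is impossible until an admin is created out of band on the host. A comment next to `enable = true;` would save the next operator the search, e.g. `# No users exist after first boot; create the initial admin on the host with hydra-create-user (--role admin) before configuring projects.` Since `listenHost = "localhost"` keeps the daemon off the network and only the nginx reverse proxy reaches it, that manual step is the only way to bootstrap access. The placeholder comment on `notificationSender` is fine as a TODO, but it would help to say which notification paths are affected until mail is set up.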
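Review bot: In networking.nix the `systemd.network.links."10-net0"` block is what makes `interfaces.net0` resolve at all, since the NIC is renamed to `net0` by MAC address before the static address is applied, yet nothing says so and a reader may take `net0` for a kernel-assigned name. Suggest a comment above `systemd.network.links`, e.g. `# Pin the NIC with this MAC to the name "net0" so the static config above matches regardless of the predictable-interface-name scheme.` As far as I can tell the .link file is applied by udev even though networkd is not enabled here, which is worth stating in the same comment so nobody "fixes" it by turning on networkd.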
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+let
+ domain = "hydra.hamburg.ccc.de";
+in
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "acme-${domain}" = {
+ default = true;
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix
new file mode 100644
index 0000000..b95e469
--- /dev/null
+++ b/config/hosts/hydra/nix.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ # Allow Hydra to fetch flake inputs.
+ nix.settings.allowed-uris = [
+ "github:"
+ "https://github.com/"
+ "https://git.hamburg.ccc.de/"
+ ];
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index dd0f43d..20b9f00 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -32,6 +32,9 @@
 },
 "penpot": {
 "targetHostname": "penpot-intern.hamburg.ccc.de"
+ },
+ "hydra": {
+ "targetHostname": "hydra-intern.hamburg.ccc.de"
 }
 }
 }
diff --git a/flake.nix b/flake.nix
index 0b43bda..a6d9a0a 100644
--- a/flake.nix
+++ b/flake.nix
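Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` in nginx.nix opens a UDP port that nothing in this file listens on, since neither `listen` entry enables QUIC/HTTP3, so it is either dead exposure or a missing listener option; drop the line, or if HTTP/3 through the upstream proxy is intended, enable it on the 8443 listen entry and say so in a comment. The TCP side has a similar implicit trust boundary: the 8443 listener is bound to `0.0.0.0` with `proxyProtocol = true` and opened to all sources, while only `set_real_ip_from 172.31.17.140;` identifies the intended proxy, so a connection from any other source on the segment is not filtered by anything here and would just be seen under its own TCP address. If that proxy is the only legitimate peer, narrowing the rule to its address (for instance via `networking.firewall.extraCommands`) would make the assumption explicit rather than leaving it to the realip directive. Also `addreses` in the extraConfig comment should read `addresses`.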
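Review bot: `allowed-uris` in nix.nix is prefix-matched, so `"github:"` and `"https://github.com/"` permit restricted evaluation to fetch from any GitHub repository, not only the organisation's own, and the comment `# Allow Hydra to fetch flake inputs.` does not say whether that breadth is deliberate. If jobsets should only pull from known namespaces, the prefixes can be narrowed to `"github:<org>/"` and `"https://github.com/<org>/"` (with `<org>` a placeholder for the real owner); if any public GitHub input is acceptable, a one-line comment saying so would keep the next reader from tightening it by accident. As far as I know these entries only matter under restrict-eval, which is the mode the Hydra evaluator runs in, and that is worth stating in the same comment.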
@@ -254,6 +254,16 @@
 ./config/hosts/penpot
 ];
 };
+
+ hydra = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/hydra
+ ];
+ };
 };
 
 packages.x86_64-linux = {