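{
  # Hydra master.  NixOps merges this module body with the `hydra = ec2;`
  # machine definition in the deployment's other file.
  hydra = { config, lib, pkgs, resources, ... }:
  let
    # One operator key is authorized for both root and the queue-runner account;
    # holding it is full administrative access to the master.
    operatorKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChvF8IMxAWUWCQWBvHDzAQtOivoeUzH1VaTBUt06Db680pahgghxlEcEMSTMBjdKMpEo19fMX7kglxqq2ZT2hhs0DUP0y3GMuxnwgjqOWKgvTVVoDuPWD6Pp1CEbaNvw7XNp/i7tpkHINxh4vJ13FuQu0k0pxXUmO7sXk9cIvML+K4xnGrGGWkzLFJGWSgy+hFgsEVBBrHCskvHRebgj9+2Adg1cpylm4Hh1NG0S3LuqBkSS75M5QI/Bv0RKTheWhynuJXlHYh2zLTH+wNvY2yBVaFIBEqx4DJ40HSjiiGMViRK0YLr8z34oCWshJ1ET6y6v666c+qdE0ajAoHopd/";
  in
  {
    networking.hostName = "hydra";

    # Host firewall.  The Hydra web port is opened; 25 is opened as well although
    # no MTA is configured in this module — the queue runner *sends* notification
    # mail and needs no inbound SMTP.
    # TODO(review): drop 25 unless a mail server is really meant to listen here.
    networking.firewall.allowedTCPPorts = [ config.services.hydra.port 25 ];

    services.nixosManual.showManual = false;

    # NOTE(review): this only disables the classic ntpd; make sure some time
    # source (timesyncd/chrony) stays active — clock skew breaks TLS validation
    # and log correlation on a CI host.
    services.ntp.enable = false;

    # SSH hardening: key-only authentication, no SFTP subsystem.  permitRootLogin
    # is left at the NixOS default, so root still accepts the key listed below.
    services.openssh.allowSFTP = false;
    services.openssh.passwordAuthentication = false;

    services.hydra = {
      enable = true;
      minimumDiskFree = 10;          # GiB
      minimumDiskFreeEvaluator = 10; # GiB
      # NOTE(review): Hydra uses this as the base URL for links in notifications;
      # it normally carries a scheme (http://...) — confirm against the module docs.
      hydraURL = "hydra.localhost.com";
      notificationSender = "none@gmail.com";
    };

    # Pinned host keys for the forges the evaluator fetches from, so the first
    # clone does not depend on an unverified trust-on-first-use prompt.
    # NOTE(review): the github.com RSA key below is the one GitHub rotated on
    # 2023-03-24; verify both entries against the providers' published
    # fingerprints before deploying.
    programs.ssh.knownHosts = [
      { hostNames = [ "github.com" ]; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; }
      { hostNames = [ "gitlab.com" ]; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9"; }
    ];

    users.extraUsers.root.openssh.authorizedKeys.keys = [ operatorKey ];
    users.extraUsers.hydra-queue-runner.openssh.authorizedKeys.keys = [ operatorKey ];

    nix = {
      useSandbox = true;  # builds get no view of the host filesystem/network
      buildCores = 0;     # 0 = use every core
      nrBuildUsers = 32;
      extraOptions = "auto-optimise-store = true";
      # Remote builder.  No sshUser/sshKey is given, so hydra-queue-runner
      # connects as itself with whatever identity its own ~/.ssh supplies.
      buildMachines = [
        {
          hostName = "nixSlave";
          system = "x86_64-linux";
          supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
          # Was the string "12"; the option is an integer and newer NixOS
          # releases type-check it (toString of either yields the same
          # /etc/nix/machines line on the release this was written for).
          maxJobs = 12;
        }
      ];
    };
  };
}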
let
# AWS region and the NixOps access-key *profile name* (resolved through
# ~/.ec2-keys or ~/.aws/credentials).  The profile name itself is not a secret.
region = "us-east-1";
accessKeyId = "dev";
# ssh_config intended for the queue-runner account.
# NOTE(review): nothing in this file installs it — the systemd unit that would
# write it out is commented out in `ec2` below — so these IdentityFile entries,
# including /run/keys/hqr-secret, are presumably never consulted.  The bare
# `id_rsa` paths are not relative to ~/.ssh; ssh resolves a relative
# IdentityFile against the process's working directory.
sshConfig = ''
Host github
IdentityFile id_rsa
Host gitlab
IdentityFile id_rsa
Host *
IdentityFile /run/keys/hqr-secret
'';
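# Hydra master on EC2.
ec2 = { pkgs, resources, ... }:
let
  # Operator key authorized for both root and the queue-runner account.
  operatorKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChvF8IMxAWUWCQWBvHDzAQtOivoeUzH1VaTBUt06Db680pahgghxlEcEMSTMBjdKMpEo19fMX7kglxqq2ZT2hhs0DUP0y3GMuxnwgjqOWKgvTVVoDuPWD6Pp1CEbaNvw7XNp/i7tpkHINxh4vJ13FuQu0k0pxXUmO7sXk9cIvML+K4xnGrGGWkzLFJGWSgy+hFgsEVBBrHCskvHRebgj9+2Adg1cpylm4Hh1NG0S3LuqBkSS75M5QI/Bv0RKTheWhynuJXlHYh2zLTH+wNvY2yBVaFIBEqx4DJ40HSjiiGMViRK0YLr8z34oCWshJ1ET6y6v666c+qdE0ajAoHopd/";
in
{
  deployment.targetEnv = "ec2";
  deployment.ec2 = {
    inherit region accessKeyId;
    instanceType = "t2.medium";
    keyPair = "hydraCI";
    privateKey = "hydraCI.pem";   # NixOps' own root access to the instance
    securityGroups = [ resources.ec2SecurityGroups.sg.name ];
    ebsInitialRootDiskSize = 120;
  };

  # Secret pushed out-of-band to /run/keys/hqr-secret for the queue runner.
  # NOTE(review): the file read here is, by name, the same hydraCI.pem that
  # deployment.ec2.privateKey uses for root access — a service account is being
  # handed the deployment key.  A compromise of the master then yields root on
  # every instance that trusts this key pair; issue the queue runner its own key.
  # NOTE(review): the key text also lands in the NixOps state file.
  # Fix: permissions were "0640" (group-readable).  OpenSSH refuses to load a
  # private key whose mode has any group/other bits set ("UNPROTECTED PRIVATE
  # KEY FILE ... This private key will be ignored"), which surfaces only as a
  # publickey denial on the builder.  0600 is the mode ssh requires.
  deployment.keys.hqr-secret = {
    text = pkgs.lib.readFile /Users/timpierson/Work/aws-hydra/hydraCI.pem;
    user = "hydra-queue-runner";
    group = "hydra";
    permissions = "0600";
  };

  # The unit that would write `sshConfig` into the queue runner's ~/.ssh was
  # never finished; without it the key above is not referenced by any ssh
  # configuration in this file.
  # systemd.services.my-service = {
  #   after = [ "my-secret-key.service" ];
  #   wants = [ "my-secret-key.service" ];
  #   script = ''
  #     echo ${sshConfig} >
  #   '';
  # };

  users.extraUsers.root.openssh.authorizedKeys.keys = [ operatorKey ];
  users.extraUsers.hydra-queue-runner.openssh.authorizedKeys.keys = [ operatorKey ];
};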
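# Remote build slave ("nixSlave") on EC2.  The Hydra master reaches it over ssh
# as hydra-queue-runner (see the nix.buildMachines entry on the master).
ec2Build = { pkgs, resources, ... }:
let
  # Authorized-key line restricted to the store protocol: the key holder can
  # only run `nix-store --serve --write`, not a shell.  `--write` still lets the
  # client import arbitrary (unsigned) store paths, which is what a remote
  # builder needs — so only the Hydra master may hold this key.
  # NOTE(review): hydraCI.pub is the public half of the EC2 key pair named in
  # deployment.ec2.privateKey; if NixOps relies on that key for a root shell on
  # redeploys, the forced command below will break them — confirm NixOps has
  # installed its own per-deployment key first.
  builderKey = ''
command="nix-store --serve --write" ${pkgs.lib.readFile /Users/timpierson/Work/aws-hydra/hydraCI.pub}
'';
in
{
  # The account the master logs in as.  The hydra module does not create it on
  # a plain builder, hence the earlier
  #   "cannot connect to 'nixSlave': hydra-queue-runner@nixslave: Permission denied (publickey,...)".
  # NOTE(review): `wheel` and `networkmanager` are not needed for a
  # forced-command `nix-store --serve` account (no NetworkManager is enabled
  # here); `wheel` in particular made /run/keys/root-secret readable to this
  # user while that key was group wheel / 0640.  Consider dropping both.
  users.extraUsers.hydra-queue-runner = {
    home = "/home/hydra-queue-runner";
    extraGroups = [ "wheel" "networkmanager" "keys" ];
    createHome = true;
    shell = "/bin/sh";
    isNormalUser = true;
  };

  deployment.targetEnv = "ec2";
  deployment.ec2 = {
    inherit region accessKeyId;
    instanceType = "t2.medium";
    keyPair = "hydraCI";
    privateKey = "hydraCI.pem";
    securityGroups = [ resources.ec2SecurityGroups.sg.name ];
    ebsInitialRootDiskSize = 120;
  };

  # Deployment private key pushed to the builder's root.
  # TODO(review): nothing in this module reads /run/keys/root-secret; if the
  # builder has no use for the deploy key, remove this — every copy of it is
  # another place a compromise hands out root on all instances.
  # Fix: permissions were "0640"; OpenSSH ignores a private key with group/other
  # bits set, and group wheel plus the membership above exposed the key to the
  # build account.  0600 is what ssh requires.
  deployment.keys.root-secret = {
    text = pkgs.lib.readFile /Users/timpierson/Work/aws-hydra/hydraCI.pem;
    user = "root";
    group = "wheel";
    permissions = "0600";
  };

  services.nixosManual.showManual = false;
  # NOTE(review): disables ntpd only; confirm another time source is active.
  services.ntp.enable = false;
  services.openssh.allowSFTP = false;
  services.openssh.passwordAuthentication = false;

  # Both accounts accept the master's key, but only for the store protocol.
  users.extraUsers.root.openssh.authorizedKeys.keys = pkgs.lib.singleton builderKey;
  users.extraUsers.hydra-queue-runner.openssh.authorizedKeys.keys = pkgs.lib.singleton builderKey;

  # Nightly GC: free whatever is needed to leave 32 GiB available on /nix/store.
  nix.gc = {
    automatic = true;
    dates = "05:15";
    options = ''--max-freed "$((32 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
  };
};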
in
{
  hydra = ec2;
  nixSlave = ec2Build;

  # NOTE(review): declared but unused — both machines reference the pre-existing
  # key pair "hydraCI" rather than this resource.
  resources.ec2KeyPairs.agent = { inherit region accessKeyId; };

  # Shared security group for both instances.
  # TODO(review): every rule below is open to the whole Internet.  Restrict 22
  # to the operators' egress ranges, put 3000 (Hydra UI) behind a TLS reverse
  # proxy or a VPN, and drop 25 — no MTA listens on either machine in this
  # deployment, and outbound notification mail needs no inbound SMTP.
  resources.ec2SecurityGroups.sg = { resources, lib, config, ... }:
    let
      anywhere = "0.0.0.0/0";
      # Single-port ingress rule from any source address.
      openPort = port: { fromPort = port; toPort = port; sourceIp = anywhere; };
    in
    {
      inherit region accessKeyId;
      rules = map openPort [ 22 3000 25 ];
    };
}