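{
  # NixOS module for the Hydra CI master.  The companion NixOps network
  # expression supplies `resources` and the EC2 placement; this file only
  # configures the host itself.
  hydra = { config, lib, pkgs, resources, ... }:
    let
      # One administrative key authorises both root and hydra-queue-runner.
      # NOTE(review): the same key gives an unrestricted root login and the
      # queue-runner login, so compromise of either role yields both; distinct
      # keys (or a forced command on the queue-runner entry) would narrow this.
      adminKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChvF8IMxAWUWCQWBvHDzAQtOivoeUzH1VaTBUt06Db680pahgghxlEcEMSTMBjdKMpEo19fMX7kglxqq2ZT2hhs0DUP0y3GMuxnwgjqOWKgvTVVoDuPWD6Pp1CEbaNvw7XNp/i7tpkHINxh4vJ13FuQu0k0pxXUmO7sXk9cIvML+K4xnGrGGWkzLFJGWSgy+hFgsEVBBrHCskvHRebgj9+2Adg1cpylm4Hh1NG0S3LuqBkSS75M5QI/Bv0RKTheWhynuJXlHYh2zLTH+wNvY2yBVaFIBEqx4DJ40HSjiiGMViRK0YLr8z34oCWshJ1ET6y6v666c+qdE0ajAoHopd/";
    in
    {
      networking.hostName = "hydra";

      # Expose the Hydra web UI and TCP/25.  Nothing in this module enables an
      # MTA, so confirm inbound SMTP is actually needed before keeping 25 open.
      networking.firewall.allowedTCPPorts = [ config.services.hydra.port 25 ];

      services.nixosManual.showManual = false;
      services.ntp.enable = false;

      # SSH hardening: public-key authentication only, no SFTP subsystem.
      services.openssh.allowSFTP = false;
      services.openssh.passwordAuthentication = false;

      services.hydra = {
        enable = true;
        minimumDiskFree = 10;          # GiB
        minimumDiskFreeEvaluator = 10; # GiB
        hydraURL = "hydra.localhost.com";
        notificationSender = "none@gmail.com";
      };

      # Pin the host keys of the forges Hydra fetches from, so the first clone
      # is verified rather than trusted on first use.
      # NOTE(review): GitHub replaced its RSA host key in March 2023; the
      # github.com value below is the pre-rotation key and must be refreshed
      # from GitHub's published fingerprints, otherwise fetches fail host-key
      # verification.  Re-check the gitlab.com key against GitLab's published
      # fingerprints at the same time.
      programs.ssh.knownHosts = [
        { hostNames = [ "github.com" ];
          publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; }
        { hostNames = [ "gitlab.com" ];
          publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9"; }
      ];

      users.extraUsers.root.openssh.authorizedKeys.keys = [ adminKey ];
      users.extraUsers.hydra-queue-runner.openssh.authorizedKeys.keys = [ adminKey ];

      nix = {
        useSandbox = true;   # isolate builds from the host and from each other
        buildCores = 0;      # 0 = use every available core
        nrBuildUsers = 32;
        extraOptions = "auto-optimise-store = true";

        # Remote builder the queue runner dispatches to over SSH.  No sshUser
        # is given, so the connection presumably runs as the invoking account
        # (hydra-queue-runner), which must exist on nixSlave with a matching
        # authorized key — see the builder definition in the network file.
        buildMachines = [
          { hostName = "nixSlave";
            system = "x86_64-linux";
            supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
            # Integer rather than the string "12": the module renders the value
            # with toString (same output), and newer NixOS types it as int.
            maxJobs = 12;
            # sshUser = "root";
          }
        ];
      };
    };
}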
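let
  region = "us-east-1";
  accessKeyId = "dev";

  # Deployer-local directory holding the EC2 key pair (.pem / .pub).
  # NOTE(review): this is an absolute path on one developer's workstation, so
  # the network can only be evaluated from that machine.
  secretsDir = /Users/timpierson/Work/aws-hydra;
  ec2PrivateKey = builtins.readFile (secretsDir + "/hydraCI.pem");
  ec2PublicKey  = builtins.readFile (secretsDir + "/hydraCI.pub");

  # Administrative key accepted for root and hydra-queue-runner on the master.
  # NOTE(review): one key for both an unrestricted root login and the
  # queue-runner account; distinct keys would limit the blast radius of a leak.
  adminKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChvF8IMxAWUWCQWBvHDzAQtOivoeUzH1VaTBUt06Db680pahgghxlEcEMSTMBjdKMpEo19fMX7kglxqq2ZT2hhs0DUP0y3GMuxnwgjqOWKgvTVVoDuPWD6Pp1CEbaNvw7XNp/i7tpkHINxh4vJ13FuQu0k0pxXUmO7sXk9cIvML+K4xnGrGGWkzLFJGWSgy+hFgsEVBBrHCskvHRebgj9+2Adg1cpylm4Hh1NG0S3LuqBkSS75M5QI/Bv0RKTheWhynuJXlHYh2zLTH+wNvY2yBVaFIBEqx4DJ40HSjiiGMViRK0YLr8z34oCWshJ1ET6y6v666c+qdE0ajAoHopd/";

  # Client-side ssh config intended for the queue runner.
  # NOTE(review): unused — nothing in this file installs it, so the
  # `IdentityFile /run/keys/hqr-secret` mapping is never applied on the host
  # and the runner's identity for nixSlave must come from elsewhere.
  sshConfig = ''
    Host github
      IdentityFile id_rsa
    Host gitlab
      IdentityFile id_rsa
    Host *
      IdentityFile /run/keys/hqr-secret
  '';

  # EC2 placement shared by every machine in this network (imported below).
  ec2Common = { resources, ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2 = {
      inherit accessKeyId region;
      instanceType = "t2.medium";
      keyPair = "hydraCI";
      privateKey = "hydraCI.pem";
      securityGroups = [ resources.ec2SecurityGroups.sg.name ];
      ebsInitialRootDiskSize = 120;
    };
  };

  # The Hydra master.  Host-level settings (services.hydra, firewall, ...)
  # live in the companion logical network file.
  ec2 = { ... }: {
    imports = [ ec2Common ];

    # Private half of the EC2 key pair, delivered out-of-band by NixOps under
    # /run/keys so the queue runner can reach nixSlave.
    # NOTE(review): this reuses the NixOps deployment key as the runner's SSH
    # identity, and the same pair's public half is root's authorized key on the
    # builder — a single secret now covers three roles.  A dedicated key pair
    # for the master→builder hop would decouple them.
    deployment.keys.hqr-secret = {
      text = ec2PrivateKey;
      user = "hydra-queue-runner";
      group = "hydra";
      permissions = "0640";  # group-readable: every member of `hydra` can read it
    };

    users.extraUsers.root.openssh.authorizedKeys.keys = [ adminKey ];
    users.extraUsers.hydra-queue-runner.openssh.authorizedKeys.keys = [ adminKey ];
  };

  # The remote builder (nixSlave).
  ec2Build = { pkgs, ... }:
    let
      # Both login accounts accept the EC2 key pair, but only to serve the Nix
      # store: the forced command prevents the key from opening a shell.
      serveStoreOnly = pkgs.lib.singleton ''
        command="nix-store --serve --write" ${ec2PublicKey}
      '';
    in
    {
      imports = [ ec2Common ];

      # Account the master's queue runner logs into (see the failure note below).
      # NOTE(review): `wheel` makes this service account sudo-eligible, and
      # together with root-secret's group (wheel, 0640) lets it read root's
      # copy of the key.  The forced command limits remote use, but a build
      # runner should not need wheel; `keys` is what grants /run/keys access.
      users.extraUsers.hydra-queue-runner = {
        home = "/home/hydra-queue-runner";
        extraGroups = [ "wheel" "networkmanager" "keys" ];
        createHome = true;
        shell = "/bin/sh";
        isNormalUser = true;
      };

      deployment.keys.root-secret = {
        text = ec2PrivateKey;
        user = "root";
        group = "wheel";
        permissions = "0640";
      };

      services.nixosManual.showManual = false;
      services.ntp.enable = false;

      # SSH hardening: public-key authentication only, no SFTP subsystem.
      services.openssh.allowSFTP = false;
      services.openssh.passwordAuthentication = false;

      users.extraUsers.root.openssh.authorizedKeys.keys = serveStoreOnly;
      users.extraUsers.hydra-queue-runner.openssh.authorizedKeys.keys = serveStoreOnly;

      # hydra-queue-runner@nixslave doesn't exist on that machine! must make user
      # Aborted: cannot connect to ‘nixSlave’: hydra-queue-runner@nixslave: Permission denied (publickey,password,keyboard-interactive).

      nix.gc = {
        automatic = true;
        dates = "05:15";
        # Keep roughly 32 GiB of /nix/store headroom; the `$(...)` part is left
        # for the shell on the builder to evaluate at run time, not by Nix.
        options = ''--max-freed "$((32 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
      };
    };
in
{
  hydra = ec2;
  nixSlave = ec2Build;

  resources.ec2KeyPairs.agent = { inherit region accessKeyId; };

  resources.ec2SecurityGroups.sg = { resources, lib, config, ... }: {
    inherit region accessKeyId;
    # NOTE(review): every rule admits the whole Internet.  22 (SSH) and 3000
    # (presumably services.hydra.port — keep the two in step) should be limited
    # to operator and peer-instance addresses; 25 (SMTP) is only needed if the
    # master accepts inbound mail.
    rules = [
      { fromPort = 22;   toPort = 22;   sourceIp = "0.0.0.0/0"; }
      { fromPort = 3000; toPort = 3000; sourceIp = "0.0.0.0/0"; }
      { fromPort = 25;   toPort = 25;   sourceIp = "0.0.0.0/0"; }
    ];
  };
}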