Add terranix config for hydra container

Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-06-15 23:07:28 +02:00
parent c09fea6f75
commit 8ab965a374
2 changed files with 241 additions and 0 deletions


@ -0,0 +1,54 @@
{ config, elib, ... }:
let
inherit (elib)
nfsVolume
nomadJob;
flake_host = "";
flake_rev = "";
flake_ref = "";
flake_sha = "";
in
{
resource."nomad_volume"."hydra-db" = nfsVolume {
volume_name = "hydra-db";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/var/nfs/hydra-db";
mount_flags = [ "nfsvers=3" "hard" "async" ];
};
resource."nomad_volume"."hydra-data" = nfsVolume {
volume_name = "hydra-data";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/var/nfs/hydra-data";
mount_flags = [ "nfsvers=3" "hard" "async" ];
};
resource."nomad_volume"."hydra-nix" = nfsVolume {
volume_name = "hydra-nix";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/var/nfs/hydra-nix";
mount_flags = [ "nfsvers=3" "hard" "async" ];
};
resource."vault_policy"."hydra-policy" = {
name = "hydra-policy";
policy = ''
path "kv/data/hydra" {
capabilities = ["read"]
}
'';
};
resource."nomad_job"."hydra" = nomadJob {
jobspec = ./job.hcl;
vars = {
flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
flake_sha = flake_sha;
};
};
}
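Review bot: The four flake inputs declared at the top of the file (`flake_host`, `flake_rev`, `flake_ref`, `flake_sha`) are empty strings, so the `flake_ref` passed to the job evaluates to `?rev=&ref=` and `flake_sha` to `""`, and nothing in the file fails loudly about it; how the Nomad Nix driver treats an empty hash is not visible here, but if it skips verification the image is effectively unpinned. If these are meant to be filled in before `apply`, guard them at the `in` line: `in assert flake_host != "" && flake_rev != "" && flake_sha != "";`. Separately, the three volumes mount the Hydra database, state and Nix store over `nfsvers=3`; NFSv3 with the default AUTH_SYS trusts the UID the client asserts, so any host that can reach the NFS server can mount and read the database files unless the export host list restricts it — worth a comment on the `mount_flags` line stating how the share is protected, or a move to NFSv4 with Kerberos.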


@ -0,0 +1,187 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "hydra" {
datacenters = [ "homelab-1" ]
type = "service"
constraint {
attribute = "${attr.unique.hostname}"
value = "blowhole"
}
group "svc" {
count = 1
volume "hydra-data" {
type = "csi"
source = "hydra-data"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "hydra-nix" {
type = "csi"
source = "hydra-nix"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "hydra-db" {
type = "csi"
source = "hydra-db"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "hydra"
port = "3000"
check {
type = "http"
address_mode = "alloc"
path = "/"
port = "3000"
interval = "2s"
timeout = "2s"
}
connect {
sidecar_service {}
}
}
task "hydra" {
driver = "docker"
volume_mount {
volume = "hydra-data"
destination = "/var/lib/hydra"
read_only = false
}
volume_mount {
volume = "hydra-nix"
destination = "/nix-persist"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.hydra.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
devices = [
{
host_path = "/dev/fuse"
container_path = "/dev/fuse"
}
]
privileged = true
}
vault {
policies = ["hydra-policy"]
}
resources {
cpu = 4000
memory = 4096
memory_max = 8096
}
template {
data = <<EOF
{{ with secret "kv/data/hydra" }}{{ .Data.data.nixbuild_key }}{{ end }}
EOF
destination = "secrets/ssh-key"
perms = "400"
}
template {
data = <<EOF
dbi:Pg:dbname=hydra;host=127.0.0.1;port=5432;user=hydra;
EOF
destination = "local/dbi"
}
template {
data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
destination = "secrets/pgpass"
perms = "400"
}
template {
data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
destination = "secrets/pgpass-www"
perms = "400"
}
template {
data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
destination = "secrets/pgpass-queue-runner"
perms = "400"
}
}
task "postgresql" {
driver = "docker"
volume_mount {
volume = "hydra-db"
destination = "/var/lib/postgresql"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.hydraPostgresql.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 500
memory = 128
memory_max = 256
}
template {
data = <<EOF
alter user hydra with encrypted password '{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}';
EOF
destination = "secrets/init.sql"
}
vault {
policies = ["hydra-policy"]
}
}
}
}
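Review bot: `privileged = true` in the hydra task's `config` block gives the container every capability and drops Docker's seccomp/AppArmor confinement, so a malicious build job or a compromised Hydra has root-equivalent access to the `blowhole` host; `/dev/fuse` is already passed through by the `devices` stanza, so the flag is not needed for that. The likely real requirement is the capability the Nix build sandbox wants inside the container (inferred from the Nix-based image, not visible here), so try `cap_add = ["SYS_ADMIN"]` in place of `privileged = true` and escalate only if builds demonstrably fail. Separately, the `secrets/init.sql` template in the postgresql task embeds the database password but, unlike the three pgpass templates, sets no `perms`, so it lands with Nomad's default 0644 mode; add `perms = "400"` to that template. Also note `memory_max = 8096` looks like a typo for `8192`.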