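# NixNG system definition for a Hydra CI instance ("nixng-hydra").
#
# Arguments (supplied by the caller):
#   makeSystem - system builder; it receives the attribute set below.
#   nixpkgs    - passed through unchanged via `inherit`.
#   hydra      - provides `packages.x86_64-linux.hydra`.
#   nix        - provides `packages.<system>.nix`.
#
# Everything under /secrets (signing key, pgpass files, SSH key) is expected
# to be provisioned from outside; this file only references those paths.
{
  makeSystem,
  nixpkgs,
  hydra,
  nix,
}:
makeSystem {
  system = "x86_64-linux";
  name = "nixng-hydra";
  inherit nixpkgs;

  config = {
    pkgs,
    config,
    lib,
    nglib,
    ...
  }: {
    config = {
      dumb-init = {
        enable = true;
        type.services = {};
      };

      nix = {
        package = nix.packages.${pkgs.stdenv.system}.nix;
        loadNixDb = true;
        persistNix = "/nix-persist";

        config = {
          experimental-features = ["nix-command" "flakes"];
          sandbox = true;

          # Only paths signed by this key are accepted from the substituter.
          trusted-public-keys = ["cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
          substituters = ["https://cache.nixos.org/"];
          ignored-acls = ["system.nfs4_acl"];

          # URI prefixes that may be fetched in restricted evaluation mode.
          # Every entry widens what evaluated expressions can pull in, so
          # keep the list to hosts the jobsets actually need.
          # (A duplicated "https://github.com" entry was dropped.)
          allowed-uris = [
            "https://gitea.redalder.org"
            "https://github.com"
            "https://gitlab.com"
            "https://git.sr.ht"
            "https://raw.githubusercontent.com"
            "https://patch-diff.githubusercontent.com"
            "https://media.forgecdn.net"
            "https://git.savannah.gnu.org"
            "github:"
          ];

          builders-use-substitutes = true;
          # "@" makes Nix read the builder list from the file that the
          # `nix-machines` activation entry links into place.
          builders = "@/etc/nix/machines";

          # The same private key file is also referenced by three Hydra
          # settings below, so all of them sign with one key.
          # NOTE(review): confirm /secrets/nix-key.private is readable only
          # by the accounts that need to sign.
          secret-key-files = "/secrets/nix-key.private";
          extra-platforms = ["i686-linux" "aarch64-linux"];
        };
      };

      services.hydra = {
        enable = true;
        package = hydra.packages.x86_64-linux.hydra;
        hydraURL = "https://hydra.redalder.org";
        notificationSender = "hydra@redalder.org";
        useSubstitutes = true;
        adjustNiceness = true;
        minimumDiskFree = 200;
        minimumDiskFreeEvaluator = 100;
        dbiFile = "/local/dbi";

        config = {
          compress_num_threads = 4;
          evaluator_max_memory_size = "2048M";
          # All three settings point at the key used by nix.config above.
          store_uri = "daemon?secret-key=/secrets/nix-key.private";
          binary_cache_secret_key_file = "/secrets/nix-key.private";
          server_store_uri = "daemon?secret-key=/secrets/nix-key.private";
        };
      };

      services.socklog = {
        enable = true;
        unix = "/dev/log";
      };

      # Links the provisioned pgpass files into /var/lib/hydra and gives each
      # one to the account named in its chown line, then takes the service
      # down again with `sv down`.
      # NOTE(review): only ownership is set here, the file mode is left as
      # provisioned. libpq ignores a password file that group or others can
      # access, so confirm the secrets are delivered with mode 0600.
      init.services.pgpass = {
        script = pkgs.writeShellScript "pgpass" ''
          ln -nsf /secrets/pgpass /var/lib/hydra/pgpass
          ln -nsf /secrets/pgpass-www /var/lib/hydra/pgpass-www
          ln -nsf /secrets/pgpass-queue-runner /var/lib/hydra/pgpass-queue-runner

          chown hydra:hydra /secrets/pgpass
          chown hydra-www:hydra /secrets/pgpass-www
          chown hydra-queue-runner:hydra /secrets/pgpass-queue-runner

          sv down pgpass
        '';
        enabled = true;
      };

      # Store garbage collection as root at 04:00 every day; `-d` also
      # deletes old profile generations.
      services.crond.crontabs.autogc = {
        jobs = let
          storegc = pkgs.writeShellScript "storegc" ''
            nix-collect-garbage -d
          '';
        in [
          "0 4 * * * root ${storegc}"
        ];
      };

      # The daemon's PATH is limited to these packages; openssh is among them
      # and the builder list below names a remote host.
      init.services.nix-daemon.environment.PATH = with pkgs;
        lib.makeBinPath [
          utillinux
          runit
          busybox
          openssh
          gzip
        ];

      system.activation = let
        # Builder list in the Nix machines-file layout:
        #   uri  systems  ssh-key  max-jobs  speed-factor  supported-features
        # "-" in the ssh-key column leaves key selection to ssh_config below.
        machines = pkgs.writeText "machines" ''
          eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel
          localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local
        '';

        # `ln -nsf` (as the pgpass script already uses) instead of a bare
        # `ln -s`, so running activation again with the link already present
        # replaces it rather than failing with "File exists".
        nix-machines = nglib.dag.dagEntryAnywhere ''
          export PATH=${pkgs.busybox}/bin

          mkdir -p /etc/nix
          ln -nsf ${machines} /etc/nix/machines
        '';

        # Client settings for the remote builder: ed25519 keys only, using
        # the identity that the `ssh-key` entry installs at /ssh-key.
        ssh_config = pkgs.writeText "ssh_config" ''
          Host eu.nixbuild.net
            PubkeyAcceptedKeyTypes ssh-ed25519
            IdentityFile /ssh-key
        '';

        # Pinned host key for the remote builder. If the builder rotates its
        # key this entry has to be updated from a trusted source.
        ssh_known_hosts = pkgs.writeText "ssh_known_hosts" ''
          eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM
        '';

        ssh = nglib.dag.dagEntryAnywhere ''
          export PATH=${pkgs.busybox}/bin

          mkdir -p /etc/ssh
          ln -nsf ${ssh_config} /etc/ssh/ssh_config
          ln -nsf ${ssh_known_hosts} /etc/ssh/ssh_known_hosts
        '';

        # Installs a private copy of the SSH identity owned by
        # hydra-queue-runner, leaving /secrets/ssh-key itself untouched.
        # The copy is made under a restrictive umask inside a subshell, so a
        # newly created /ssh-key is never group/world readable before the
        # chmod runs and the umask does not leak into other activation steps.
        # Ordered after "users", presumably so the account exists for chown.
        ssh-key = nglib.dag.dagEntryAfter ["users"] ''
          export PATH=${pkgs.busybox}/bin

          ( umask 077; cp /secrets/ssh-key /ssh-key )
          chmod 600 /ssh-key
          chown hydra-queue-runner:root /ssh-key
        '';
      in {
        inherit ssh-key ssh nix-machines;
      };
    };
  };
}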