nix-dotfiles/hosts/tsuki/services/hydra.nix

{ pkgs, unstable-pkgs, secrets, ... }:
{
  # Follow instructions for setup:
  # https://gist.github.com/joepie91/c26f01a787af87a96f967219234a8723
  services.hydra = {
    enable = true;
    hydraURL = "https://hydra.nani.wtf";
    listenHost = "localhost";
    notificationSender = "hydra@nani.wtf";
    useSubstitutes = true;
    package = unstable-pkgs.hydra_unstable;
    buildMachinesFiles = [];
    dbi = "dbi:Pg:dbname=hydra;host=/var/run/postgresql;user=hydra;";
  };

  systemd.slices.system-hydra = {
    description = "Nix Hydra slice";
    requires = [
      "system.slice"
      "postgresql.service"
    ];
    after = [ "system.slice" ];
  };

  systemd.services = {
    hydra-evaluator.serviceConfig.Slice = "system-hydra.slice";
    hydra-init.serviceConfig.Slice = "system-hydra.slice";
    hydra-notify.serviceConfig.Slice = "system-hydra.slice";
    hydra-queue-runner.serviceConfig.Slice = "system-hydra.slice";
    hydra-send-stats.serviceConfig.Slice = "system-hydra.slice";
    hydra-server.serviceConfig.Slice = "system-hydra.slice";
  };

  systemd.timers = {
    hydra-check-space.timerConfig.Slice = "system-hydra.slice";
    hydra-compress-logs.timerConfig.Slice = "system-hydra.slice";
    hydra-update-gc-roots.timerConfig.Slice = "system-hydra.slice";
  };

  systemd.services.hydra-server.serviceConfig = {
    Slice = "system-hydra.slice";
    ReadOnlyPaths = [
      "/nix/"
      "/var/lib/hydra/scm/"
    ];
    ReadWritePaths = [
      "/nix/var/nix/gcroots/hydra/"
      "/nix/var/nix/daemon-socket/socket"
    ];

    LockPersonality = true;
    # MemoryDenyWriteExecute = false;
    NoNewPrivileges = true;
    PermissionsStartOnly = true;
    PrivateDevices = true;
    PrivateMounts = true;
    # PrivateNetwork=false
    PrivateTmp = true;
    PrivateUsers = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHome = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectSystem = "strict";
    RemoveIPC = true;
    Restart = "always";
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    # StateDirectory=hydra/www
    # StateDirectoryMode=700
    SystemCallArchitectures = "native";
    SystemCallFilter = "@system-service";
  };
}
Use hydra with unstable nix tool 2022-09-22 00:51:00 +02:00			`{ pkgs, unstable-pkgs, secrets, ... }:`
Initial commit 2022-03-07 16:01:52 +01:00			`{`
Several changes 2022-06-22 20:16:57 +02:00			`# Follow instructions for setup:`
			`# https://gist.github.com/joepie91/c26f01a787af87a96f967219234a8723`
Initial commit 2022-03-07 16:01:52 +01:00			`services.hydra = {`
			`enable = true;`
add 'https' to hydra link for proper website links 2022-09-22 01:58:26 +02:00			`hydraURL = "https://hydra.nani.wtf";`
tsuki/hydra: put all services below `system-hydra.slice` 2023-07-12 01:37:22 +02:00			`listenHost = "localhost";`
Initial commit 2022-03-07 16:01:52 +01:00			`notificationSender = "hydra@nani.wtf";`
Several changes 2022-06-22 20:16:57 +02:00			`useSubstitutes = true;`
Use hydra with unstable nix tool 2022-09-22 00:51:00 +02:00			`package = unstable-pkgs.hydra_unstable;`
			`buildMachinesFiles = [];`
tsuki/hydra: put all services below `system-hydra.slice` 2023-07-12 01:37:22 +02:00			`dbi = "dbi:Pg:dbname=hydra;host=/var/run/postgresql;user=hydra;";`
			`};`

			`systemd.slices.system-hydra = {`
			`description = "Nix Hydra slice";`
			`requires = [`
			`"system.slice"`
			`"postgresql.service"`
			`];`
			`after = [ "system.slice" ];`
			`};`

			`systemd.services = {`
			`hydra-evaluator.serviceConfig.Slice = "system-hydra.slice";`
			`hydra-init.serviceConfig.Slice = "system-hydra.slice";`
			`hydra-notify.serviceConfig.Slice = "system-hydra.slice";`
			`hydra-queue-runner.serviceConfig.Slice = "system-hydra.slice";`
			`hydra-send-stats.serviceConfig.Slice = "system-hydra.slice";`
			`hydra-server.serviceConfig.Slice = "system-hydra.slice";`
			`};`

			`systemd.timers = {`
			`hydra-check-space.timerConfig.Slice = "system-hydra.slice";`
			`hydra-compress-logs.timerConfig.Slice = "system-hydra.slice";`
			`hydra-update-gc-roots.timerConfig.Slice = "system-hydra.slice";`
Initial commit 2022-03-07 16:01:52 +01:00			`};`
tsuki/hydra: harden server unit 2024-01-23 05:36:39 +01:00
			`systemd.services.hydra-server.serviceConfig = {`
			`Slice = "system-hydra.slice";`
			`ReadOnlyPaths = [`
			`"/nix/"`
			`"/var/lib/hydra/scm/"`
			`];`
			`ReadWritePaths = [`
			`"/nix/var/nix/gcroots/hydra/"`
			`"/nix/var/nix/daemon-socket/socket"`
			`];`

			`LockPersonality = true;`
			`# MemoryDenyWriteExecute = false;`
			`NoNewPrivileges = true;`
			`PermissionsStartOnly = true;`
			`PrivateDevices = true;`
			`PrivateMounts = true;`
			`# PrivateNetwork=false`
			`PrivateTmp = true;`
			`PrivateUsers = true;`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectSystem = "strict";`
			`RemoveIPC = true;`
			`Restart = "always";`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`# StateDirectory=hydra/www`
			`# StateDirectoryMode=700`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = "@system-service";`
			`};`
Initial commit 2022-03-07 16:01:52 +01:00			`}`