79 lines
2.3 KiB
Nix
79 lines
2.3 KiB
Nix
{ pkgs, unstable-pkgs, secrets, ... }:
|
|
{
|
|
# Follow instructions for setup:
|
|
# https://gist.github.com/joepie91/c26f01a787af87a96f967219234a8723
|
|
services.hydra = {
|
|
enable = true;
|
|
hydraURL = "https://hydra.nani.wtf";
|
|
listenHost = "localhost";
|
|
notificationSender = "hydra@nani.wtf";
|
|
useSubstitutes = true;
|
|
package = unstable-pkgs.hydra_unstable;
|
|
buildMachinesFiles = [];
|
|
dbi = "dbi:Pg:dbname=hydra;host=/var/run/postgresql;user=hydra;";
|
|
};
|
|
|
|
systemd.slices.system-hydra = {
|
|
description = "Nix Hydra slice";
|
|
requires = [
|
|
"system.slice"
|
|
"postgresql.service"
|
|
];
|
|
after = [ "system.slice" ];
|
|
};
|
|
|
|
systemd.services = {
|
|
hydra-evaluator.serviceConfig.Slice = "system-hydra.slice";
|
|
hydra-init.serviceConfig.Slice = "system-hydra.slice";
|
|
hydra-notify.serviceConfig.Slice = "system-hydra.slice";
|
|
hydra-queue-runner.serviceConfig.Slice = "system-hydra.slice";
|
|
hydra-send-stats.serviceConfig.Slice = "system-hydra.slice";
|
|
hydra-server.serviceConfig.Slice = "system-hydra.slice";
|
|
};
|
|
|
|
systemd.timers = {
|
|
hydra-check-space.timerConfig.Slice = "system-hydra.slice";
|
|
hydra-compress-logs.timerConfig.Slice = "system-hydra.slice";
|
|
hydra-update-gc-roots.timerConfig.Slice = "system-hydra.slice";
|
|
};
|
|
|
|
systemd.services.hydra-server.serviceConfig = {
|
|
Slice = "system-hydra.slice";
|
|
ReadOnlyPaths = [
|
|
"/nix/"
|
|
"/var/lib/hydra/scm/"
|
|
];
|
|
ReadWritePaths = [
|
|
"/nix/var/nix/gcroots/hydra/"
|
|
"/nix/var/nix/daemon-socket/socket"
|
|
];
|
|
|
|
LockPersonality = true;
|
|
# MemoryDenyWriteExecute = false;
|
|
NoNewPrivileges = true;
|
|
PermissionsStartOnly = true;
|
|
PrivateDevices = true;
|
|
PrivateMounts = true;
|
|
# PrivateNetwork=false
|
|
PrivateTmp = true;
|
|
PrivateUsers = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectSystem = "strict";
|
|
RemoveIPC = true;
|
|
Restart = "always";
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
# StateDirectory=hydra/www
|
|
# StateDirectoryMode=700
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = "@system-service";
|
|
};
|
|
}
|