nixos-config/modules/services/dmz/hydra.nix

{ lib, config, pkgs, ... }:

{
    services = {
      hydra = {
        enable = true;
        hydraURL = "https://hydra.home.opel-online.de";
        listenHost = "127.0.0.1";
        notificationSender = "hydra@localhost";
        useSubstitutes = true;
        minimumDiskFree = 30;
      };
      nix-serve = {
          enable = true;
          port = 5001;
          bindAddress = "127.0.0.1";
          secretKeyFile = config.age.secrets."keys/nixsign".path;
      };
      nginx = {
        enable = true;
        virtualHosts = {
          "home.opel-online.de" = {
            enableACME = true;
            forceSSL = true;
            default = true;
            locations."/".return = "503";
          };
          "hydra.home.opel-online.de" = {
            useACMEHost = "home.opel-online.de";
            forceSSL = true;
            locations."/".proxyPass = "http://localhost:3000";
          };
          "cache.home.opel-online.de" = {
            useACMEHost = "home.opel-online.de";
            forceSSL = true;
            locations."/".proxyPass = "http://localhost:5001";
          };
        };
      };
    };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "webmaster@kabtop.de";
        #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
        dnsResolver = "1.1.1.1:53";
      };
      certs = {
        "home.opel-online.de" = {
          domain = "*.home.opel-online.de";
          dnsProvider = "netcup";
          environmentFile = config.age.secrets."services/acme/opel-online".path;
          webroot = null;
          #extraDomainNames = [
          #  "hydra.home.opel-online.de"
          #  "cache.home.opel-online.de"
          #];
        };
      };
    };
    
    nix = {
      settings.trusted-users = [
        "hydra"
      ];

      extraOptions = ''
        secret-key-files = ${config.age.secrets."keys/nixsign".path}
      '';
    };
    
    age.secrets."keys/nixsign" = {
      file = ../../../secrets/keys/nixservepriv.age;
      owner = "hydra";
    };
    age.secrets."services/acme/opel-online" = {
      file = ../../../secrets/services/acme/opel-online.age;
      owner = "acme";
    };


}
hosts: dmz: enable hydra 2024-05-05 19:39:35 +02:00			`{ lib, config, pkgs, ... }:`

			`{`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`services = {`
			`hydra = {`
			`enable = true;`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:42:16 +02:00			`hydraURL = "https://hydra.home.opel-online.de";`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`listenHost = "127.0.0.1";`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`notificationSender = "hydra@localhost";`
			`useSubstitutes = true;`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:42:16 +02:00			`minimumDiskFree = 30;`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`};`
			`nix-serve = {`
			`enable = true;`
			`port = 5001;`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:42:16 +02:00			`bindAddress = "127.0.0.1";`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`secretKeyFile = config.age.secrets."keys/nixsign".path;`
			`};`
			`nginx = {`
			`enable = true;`
			`virtualHosts = {`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`"home.opel-online.de" = {`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`enableACME = true;`
			`forceSSL = true;`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`default = true;`
			`locations."/".return = "503";`
			`};`
			`"hydra.home.opel-online.de" = {`
			`useACMEHost = "home.opel-online.de";`
			`forceSSL = true;`
services: hydra: fix reverse proxy and firewall 2024-05-31 19:46:43 +02:00			`locations."/".proxyPass = "http://localhost:3000";`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`};`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:42:16 +02:00			`"cache.home.opel-online.de" = {`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`useACMEHost = "home.opel-online.de";`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:42:16 +02:00			`forceSSL = true;`
			`locations."/".proxyPass = "http://localhost:5001";`
			`};`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`};`
			`};`
test hydra jobs test hydra jobs test hydra jobs test hydra jobs test hydra jobs hydra add signing key flake restructure secrets: rekey secrets: rekey hydra fix key path hydra fix key path services: hydra: typo in nix.conf 2024-05-20 10:29:52 +02:00			`};`

services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`security.acme = {`
			`acceptTerms = true;`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:42:16 +02:00			`defaults = {`
			`email = "webmaster@kabtop.de";`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:56:09 +02:00			`#server = "https://acme-staging-v02.api.letsencrypt.org/directory";`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`dnsResolver = "1.1.1.1:53";`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:56:09 +02:00			`};`
			`certs = {`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`"home.opel-online.de" = {`
			`domain = "*.home.opel-online.de";`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:56:09 +02:00			`dnsProvider = "netcup";`
			`environmentFile = config.age.secrets."services/acme/opel-online".path;`
			`webroot = null;`
hosts: dmz: acme: increase propagation timeout, use wildcard 2024-06-02 12:27:03 +02:00			`#extraDomainNames = [`
			`# "hydra.home.opel-online.de"`
			`# "cache.home.opel-online.de"`
			`#];`
hosts: dmz: nix-serve: add reverse proxy 2024-05-31 20:56:09 +02:00			`};`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`};`
			`};`

test hydra jobs test hydra jobs test hydra jobs test hydra jobs test hydra jobs hydra add signing key flake restructure secrets: rekey secrets: rekey hydra fix key path hydra fix key path services: hydra: typo in nix.conf 2024-05-20 10:29:52 +02:00			`nix = {`
			`settings.trusted-users = [`
			`"hydra"`
			`];`

			`extraOptions = ''`
			`secret-key-files = ${config.age.secrets."keys/nixsign".path}`
			`'';`
			`};`

			`age.secrets."keys/nixsign" = {`
			`file = ../../../secrets/keys/nixservepriv.age;`
			`owner = "hydra";`
			`};`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`age.secrets."services/acme/opel-online" = {`
services: hydra: create acme and reverse proxy -- fix path and api 2024-05-31 18:27:51 +02:00			`file = ../../../secrets/services/acme/opel-online.age;`
services: hydra: create acme and reverse proxy 2024-05-31 18:07:39 +02:00			`owner = "acme";`
			`};`
test hydra jobs test hydra jobs test hydra jobs test hydra jobs test hydra jobs hydra add signing key flake restructure secrets: rekey secrets: rekey hydra fix key path hydra fix key path services: hydra: typo in nix.conf 2024-05-20 10:29:52 +02:00
hosts: dmz: enable hydra 2024-05-05 19:39:35 +02:00
			`}`