From 8963bb3542bdcd4f9cf2117ad61e8462c7a0d852 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Sat, 10 May 2025 10:52:15 +0200
Subject: [PATCH] move hydra to kabtop
---
 modules/services/server/default.nix | 1 +
 modules/services/server/hydra.nix | 82 +++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 modules/services/server/hydra.nix
diff --git a/modules/services/server/default.nix b/modules/services/server/default.nix
index 206392f..e1e7d1a 100644
--- a/modules/services/server/default.nix
+++ b/modules/services/server/default.nix
@@ -17,6 +17,7 @@
 ./nextcloud.nix
 ./matrix.nix
 ./coturn.nix
+ ./hydra.nix
 # ./ollama.nix
 ]
diff --git a/modules/services/server/hydra.nix b/modules/services/server/hydra.nix
new file mode 100644
index 0000000..333e54e
--- /dev/null
+++ b/modules/services/server/hydra.nix
@@ -0,0 +1,82 @@
+{ lib, config, pkgs, ... }:
+
+{
+ services = {
+ hydra = {
+ enable = true;
+ hydraURL = "https://hydra.ci.kabtop.de";
+ listenHost = "127.0.0.1";
+ notificationSender = "hydra@kabtop.de";
+ useSubstitutes = true;
+ minimumDiskFree = 8;
+ };
+ nix-serve = {
+ enable = true;
+ port = 5001;
+ bindAddress = "127.0.0.1";
+ secretKeyFile = config.age.secrets."keys/nixsign".path;
+ };
+ nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ virtualHosts = {
+ "ci.kabtop.de" = {
+ enableACME = true;
+ forceSSL = true;
+ default = true;
+ locations."/".return = "503";
+ };
+ "hydra.ci.kabtop.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-Port 443;
+ '';
+ };
+ };
+ "cache.ci.kabtop.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "webmaster@kabtop.de";
+ webroot = "/var/lib/acme/acme-challenge";
+ #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+ };
+
+ nix = {
+ settings = {
+ trusted-users = [
+ "hydra"
+ ];
+ allowed-uris = [
+ "github:"
+ "https://github.com/"
+ "git+ssh://github.com/"
+ ];
+ };
+
+ extraOptions = ''
+ secret-key-files = ${config.age.secrets."keys/nixsign".path}
+ '';
+ };
+
+ age.secrets."keys/nixsign" = {
+ file = ../../../secrets/keys/nixservepriv.age;
+ owner = "hydra";
+ };
+
+}
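Review bot: The `hydra` account ends up holding more than the visible config needs: `owner = "hydra"` makes the cache signing key readable by it, and `trusted-users = [ "hydra" ]` lets it override daemon settings, which the Nix manual describes as essentially equivalent to root access. The two consumers of the key shown here are `secret-key-files` in `nix.extraOptions`, read by the root daemon, and `services.nix-serve.secretKeyFile`, which as far as I know is passed in through a systemd credential, so dropping the `owner` line (agenix then defaults to root) looks sufficient; please confirm against the running units. The `allowed-uris` entries `"github:"` and `"https://github.com/"` match every repository on GitHub, so restricted evaluation can fetch from anywhere there; narrowing them to the namespaces the jobsets really use, e.g. `"github:NixOS/"` and `"github:<your-org>/"`, keeps that surface small. If `hydra` has to stay trusted, a short comment next to `trusted-users` saying which Hydra component needs it would help the next reader.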