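{ lib, config, pkgs, ... }:
# Hydra CI host: the Hydra web UI and a signed binary cache (nix-serve), both
# bound to loopback and exposed only through the TLS nginx virtual hosts below.
let
  # Private key used to sign store paths.  It is read in two places: by the
  # nix-daemon (secret-key-files, so every locally built path is signed at
  # build time) and by nix-serve (which signs the NARs it serves).
  signingKey = config.age.secrets."keys/nixsign".path;

  # Proxy targets are derived from the backend options rather than hard-coded
  # so the nginx config cannot drift from where the services actually listen.
  # A literal "localhost" may resolve to ::1, which neither backend binds.
  hydraBackend =
    "http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}";
  cacheBackend =
    "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
in
{
  services = {
    hydra = {
      enable = true;
      hydraURL = "https://hydra.ci.kabtop.de";
      # Loopback only: nginx is the sole public entry point.
      listenHost = "127.0.0.1";
      notificationSender = "hydra@kabtop.de";
      useSubstitutes = true;
      minimumDiskFree = 8;
    };

    nix-serve = {
      enable = true;
      port = 5001;
      # Loopback only; the cache is published via cache.ci.kabtop.de below.
      bindAddress = "127.0.0.1";
      secretKeyFile = signingKey;
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;

      virtualHosts = {
        # Catch-all: requests for any host name not listed below get a 503
        # instead of being routed to a backend.
        "ci.kabtop.de" = {
          enableACME = true;
          forceSSL = true;
          default = true;
          locations."/".return = "503";
        };

        "hydra.ci.kabtop.de" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = hydraBackend;
            # recommendedProxySettings supplies Host / X-Forwarded-Proto;
            # the port is added here so Hydra builds correct https:// URLs.
            extraConfig = ''
              proxy_set_header X-Forwarded-Port 443;
            '';
          };
        };

        "cache.ci.kabtop.de" = {
          enableACME = true;
          forceSSL = true;
          locations."/".proxyPass = cacheBackend;
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "webmaster@kabtop.de";
      webroot = "/var/lib/acme/acme-challenge";
      # Switch to the staging CA when testing to avoid production rate limits.
      #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
  };

  nix = {
    settings = {
      # NOTE(review): trusted-users may override daemon settings such as
      # substituters and sandboxing, which is effectively root-equivalent.
      # Keep this list minimal and confirm "hydra" itself (not only the
      # queue runner) needs it.
      trusted-users = [ "hydra" ];
      # Restrict which URIs flake inputs / fetchers may pull from.
      allowed-uris = [ "github:" "https://github.com/" "git+ssh://github.com/" ];
    };
    extraOptions = ''
      secret-key-files = ${signingKey}
    '';
  };

  age.secrets."keys/nixsign" = {
    file = ../../../secrets/keys/nixservepriv.age;
    # NOTE(review): the nix-daemon reads this key as root, but nix-serve runs
    # under its own service user by default; confirm that user can read the
    # file with owner = hydra and the agenix default mode, or adjust
    # group/mode accordingly.
    owner = "hydra";
  };
}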