{ lib, config, pkgs, ... }:

{
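    services = {
      # Hydra CI. It listens on loopback only, so the only external path to it
      # is the "hydra.ci.kabtop.de" nginx vhost further down.
      hydra = {
        enable = true;
        hydraURL = "https://hydra.ci.kabtop.de";
        listenHost = "127.0.0.1";
        notificationSender = "hydra@kabtop.de";
        # Build inputs may be fetched from configured binary caches instead of
        # being rebuilt locally; those substituters are therefore trusted.
        useSubstitutes = true;
        # Free-disk threshold (GiB per the NixOS option docs) for the queue runner.
        minimumDiskFree = 8;
      };

      # Binary cache backend. It is bound to loopback and published through the
      # "cache.ci.kabtop.de" vhost. nix-serve serves this machine's local store,
      # so anything that lands in /nix/store here is fetchable by whoever knows
      # its store path -- keep secrets out of the store. The signing key is
      # referenced by its agenix path string, not as a Nix path literal.
      nix-serve = {
        enable = true;
        port = 5001;
        bindAddress = "127.0.0.1";
        secretKeyFile = config.age.secrets."keys/nixsign".path;
      };

      nginx = {
        enable = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        virtualHosts = {
          # Default server: requests whose Host header matches no other vhost
          # end up here and get a bare 503 instead of reaching a backend.
          "ci.kabtop.de" = {
            enableACME = true;
            forceSSL = true;
            default = true;
            locations."/".return = "503";
          };
          "hydra.ci.kabtop.de" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              # Derive the upstream from the Hydra options instead of hard-coding
              # "localhost:3000": "localhost" can also resolve to ::1, where
              # Hydra is not listening (listenHost is 127.0.0.1), and the two
              # values can no longer drift apart. Mirrors the cache vhost below.
              proxyPass = "http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}";
              # TLS terminates at nginx; pass the external port on to Hydra.
              extraConfig = ''
                proxy_set_header X-Forwarded-Port 443;
              '';
            };
          };
          "cache.ci.kabtop.de" = {
            enableACME = true;
            forceSSL = true;
            locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
          };
        };
      };
    };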

    security.acme = {
      acceptTerms = true;
      # Defaults applied to every certificate requested on this host
      # (the nginx vhosts with enableACME = true).
      defaults.email = "webmaster@kabtop.de";
      # HTTP-01 challenge files are written below this directory.
      defaults.webroot = "/var/lib/acme/acme-challenge";
      # Uncomment to issue from the Let's Encrypt staging endpoint while testing.
      #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
    
    nix = {
      # Trusted users may override daemon settings (e.g. substituters), which
      # the Nix manual describes as essentially root-equivalent. Keep this list
      # minimal and review it whenever the account's role changes.
      settings.trusted-users = [ "hydra" ];

      # URI prefixes that may be fetched in restricted evaluation mode. These
      # are prefix matches, so every repository under github.com is permitted.
      settings.allowed-uris = [
        "github:"
        "https://github.com/"
        "git+ssh://github.com/"
      ];

      # Locally built paths are signed with the same agenix-provided key that
      # services.nix-serve.secretKeyFile points at.
      extraOptions = ''
        secret-key-files = ${config.age.secrets."keys/nixsign".path}
      '';
    };
    
    # Private signing key for the binary cache, decrypted by agenix.
    # It is consumed by services.nix-serve.secretKeyFile and by the
    # secret-key-files line in nix.extraOptions. The decrypted file is owned by
    # "hydra"; NOTE(review): confirm the resulting file mode keeps it unreadable
    # to other local users, since anyone holding this key can sign store paths
    # that clients of the cache will accept.
    age.secrets = {
      "keys/nixsign" = {
        owner = "hydra";
        file = ../../../secrets/keys/nixservepriv.age;
      };
    };

}