83 lines
2.1 KiB
Nix
83 lines
2.1 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
|
|
{
|
|
services = {
|
|
hydra = {
|
|
enable = true;
|
|
hydraURL = "https://hydra.ci.kabtop.de";
|
|
listenHost = "127.0.0.1";
|
|
notificationSender = "hydra@kabtop.de";
|
|
useSubstitutes = true;
|
|
minimumDiskFree = 8;
|
|
};
|
|
nix-serve = {
|
|
enable = true;
|
|
port = 5001;
|
|
bindAddress = "127.0.0.1";
|
|
secretKeyFile = config.age.secrets."keys/nixsign".path;
|
|
};
|
|
nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
virtualHosts = {
|
|
"ci.kabtop.de" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
default = true;
|
|
locations."/".return = "503";
|
|
};
|
|
"hydra.ci.kabtop.de" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:3000";
|
|
extraConfig = ''
|
|
proxy_set_header X-Forwarded-Port 443;
|
|
'';
|
|
};
|
|
};
|
|
"cache.ci.kabtop.de" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "webmaster@kabtop.de";
|
|
webroot = "/var/lib/acme/acme-challenge";
|
|
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
};
|
|
};
|
|
|
|
nix = {
|
|
settings = {
|
|
trusted-users = [
|
|
"hydra"
|
|
];
|
|
allowed-uris = [
|
|
"github:"
|
|
"https://github.com/"
|
|
"git+ssh://github.com/"
|
|
];
|
|
};
|
|
|
|
extraOptions = ''
|
|
secret-key-files = ${config.age.secrets."keys/nixsign".path}
|
|
'';
|
|
};
|
|
|
|
age.secrets."keys/nixsign" = {
|
|
file = ../../../secrets/keys/nixservepriv.age;
|
|
owner = "hydra";
|
|
};
|
|
|
|
}
|