| author | Max Audron <audron@cocaine.farm> | 2023-10-17 16:06:20 +0200 |
|---|---|---|
| committer | Max Audron <audron@cocaine.farm> | 2023-10-17 16:06:34 +0200 |
| commit | 767c382e1e81ddbec447055f57132e62f850e048 (patch) | |
| tree | efd0faea0365c621107c0c8d7a172481668b4d8b | |
| parent | force ssl on nginx hosts (diff) | |
deploy hydra
| -rw-r--r-- | flake.nix | 2 | ||||
| -rw-r--r-- | modules/default.nix | 1 | ||||
| -rw-r--r-- | modules/hydra/default.nix | 30 | ||||
| -rw-r--r-- | modules/hydra/hydra.conf | 47 | ||||
| m--------- | secrets | 0 |
5 files changed, 79 insertions, 1 deletions
@@ -29,7 +29,7 @@
nixosConfigurations = with self.nixosModules; {
# vultr-image = mkSystem [ common users image vultr ];
- ettves = mkSystem [ (import ./machines/ettves) common users wireguard crypto kubernetes zfs teamspeak postgresql quassel powerdns acme authentik ];
+ ettves = mkSystem [ (import ./machines/ettves) common users wireguard crypto kubernetes zfs teamspeak postgresql quassel powerdns acme authentik hydra ];
phaenn = mkSystem [ (import ./machines/phaenn) common users wireguard crypto kubernetes zfs acme tlmp ];
fra01 = mkSystem [ (import ./machines/fra01) common users wireguard crypto kubernetes vultr bgp powerdns acme ];
nyc01 = mkSystem [ (import ./machines/nyc01) common users wireguard crypto kubernetes vultr bgp powerdns acme ];
diff --git a/modules/default.nix b/modules/default.nix
index 60bb257..edd9d98 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -18,5 +18,6 @@
postgresql = import ./postgresql;
quassel = import ./quassel;
powerdns = import ./powerdns;
+ hydra = import ./hydra;
tlmp = import ./tlmp;
}
diff --git a/modules/hydra/default.nix b/modules/hydra/default.nix
new file mode 100644
index 0000000..7e0064b
--- /dev/null
+++ b/modules/hydra/default.nix
@@ -0,0 +1,30 @@
+{ self, config, lib, pkgs, ... }:
+
+with self.lib.nginx;
+{
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.vapor.systems";
+ notificationSender = "hydra@localhost";
+ buildMachinesFiles = [ ];
+ useSubstitutes = true;
+ extraConfig = lib.readFile ./hydra.conf;
+ };
+
+ secrets = {
+ hydraLdap = {
+ source = ../../secrets/authentik/hydra;
+ dest = "/var/lib/hydra/ldap-password.conf";
+ owner = "hydra";
+ group = "hydra";
+ permissions = "0440";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "hydra.vapor.systems" = (proxyDomain "vapor.systems" "http://127.0.0.1:3000/");
+ };
+ };
+}
diff --git a/modules/hydra/hydra.conf b/modules/hydra/hydra.conf
new file mode 100644
index 0000000..27a1046
--- /dev/null
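Review bot: The vhost on the `"hydra.vapor.systems"` line proxies to `http://127.0.0.1:3000/`, but the `services.hydra` block never sets `listenHost`, so the Hydra web server is presumably still bound on all interfaces and reachable on port 3000 without going through the nginx host that the parent commit forces to SSL; pin it with `listenHost = "127.0.0.1";` next to `enable = true;`. The `hydraLdap` secret is written to `/var/lib/hydra/ldap-password.conf` only because `./hydra.conf` pulls it in by the relative name `include ldap-password.conf`, a coupling worth recording with a comment on the `dest` line such as `# hydra.conf includes this file by relative name; keep it in Hydra's config directory`. `buildMachinesFiles = [ ]` would also benefit from a one-line comment saying that builds are intentionally local-only, since an empty list is easy to read as an oversight.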
+++ b/modules/hydra/hydra.conf
@@ -0,0 +1,47 @@
+<ldap>
+ <config>
+ <credential>
+ class = Password
+ password_field = password
+ password_type = self_check
+ </credential>
+ <store>
+ class = LDAP
+ ldap_server = 10.10.0.1
+ <ldap_server_options>
+ timeout = 30
+ debug = 2
+ </ldap_server_options>
+ binddn = "cn=hydra,ou=users,dc=hydra,dc=vapor,dc=systems"
+ include ldap-password.conf
+ start_tls = 0
+ <start_tls_options>
+ verify = none
+ </start_tls_options>
+ user_basedn = "ou=users,dc=hydra,dc=vapor,dc=systems"
+ user_filter = "(&(objectClass=inetOrgPerson)(cn=%s))"
+ user_scope = one
+ user_field = cn
+ <user_search_options>
+ deref = always
+ </user_search_options>
+ # Important for role mappings to work:
+ use_roles = 1
+ role_basedn = "ou=groups,dc=hydra,dc=vapor,dc=systems"
+ role_filter = "(&(objectClass=groupOfNames)(member=%s))"
+ role_scope = one
+ role_field = cn
+ role_value = dn
+ <role_search_options>
+ deref = always
+ </role_search_options>
+ </store>
+ </config>
+ <role_mapping>
+ # Make all users in the hydra_admin group Hydra admins
+ admin = admin
+ # Allow all users in the dev group to restart jobs and cancel builds
+ dev = restart-jobs
+ dev = cancel-build
+ </role_mapping>
+</ldap>
diff --git a/secrets b/secrets
-Subproject ad732a0047f3695e3fcb3ee78bb79e646d4e129
+Subproject c35252f91550a36de5b326441248ebccb7f829f |
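Review bot: `start_tls = 0` together with `verify = none` under `<start_tls_options>` means the bind password pulled in by `include ldap-password.conf` and, because `password_type = self_check` binds as the logging-in user, every user's password are sent to `ldap_server = 10.10.0.1` in cleartext with no authentication of the directory server. Change the three lines to `start_tls = 1`, `verify = require`, and add `cafile = <path-to-CA-bundle>` inside `<start_tls_options>` (an `ldaps://` URI in `ldap_server` is the alternative) so credentials only leave the host over a verified TLS session. `debug = 2` in `<ldap_server_options>` looks like a leftover from testing; Net::LDAP debug levels dump raw protocol packets to stderr, which lands in the service log, so set it to 0 for the deployed config. The comment `# Make all users in the hydra_admin group Hydra admins` does not match the mapping `admin = admin` beneath it, which grants the Hydra admin role to members of an LDAP group literally named `admin`; reword the comment to name the group that is actually matched.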
