authorMax Audron <audron@cocaine.farm>2023-10-17 16:06:20 +0200
committerMax Audron <audron@cocaine.farm>2023-10-17 16:06:34 +0200
commit767c382e1e81ddbec447055f57132e62f850e048 (patch)
treeefd0faea0365c621107c0c8d7a172481668b4d8b /modules
parentforce ssl on nginx hosts (diff)
deploy hydra
Diffstat (limited to 'modules')
-rw-r--r--modules/default.nix1
-rw-r--r--modules/hydra/default.nix30
-rw-r--r--modules/hydra/hydra.conf47
3 files changed, 78 insertions, 0 deletions
diff --git a/modules/default.nix b/modules/default.nix
index 60bb257..edd9d98 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -18,5 +18,6 @@
postgresql = import ./postgresql;
quassel = import ./quassel;
powerdns = import ./powerdns;
+ hydra = import ./hydra;
tlmp = import ./tlmp;
}
diff --git a/modules/hydra/default.nix b/modules/hydra/default.nix
new file mode 100644
index 0000000..7e0064b
--- /dev/null
+++ b/modules/hydra/default.nix
@@ -0,0 +1,30 @@
+{ self, config, lib, pkgs, ... }:
+
+with self.lib.nginx;
+{
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.vapor.systems";
+ notificationSender = "hydra@localhost";
+ buildMachinesFiles = [ ];
+ useSubstitutes = true;
+ extraConfig = lib.readFile ./hydra.conf;
+ };
+
+ secrets = {
+ hydraLdap = {
+ source = ../../secrets/authentik/hydra;
+ dest = "/var/lib/hydra/ldap-password.conf";
+ owner = "hydra";
+ group = "hydra";
+ permissions = "0440";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "hydra.vapor.systems" = (proxyDomain "vapor.systems" "http://127.0.0.1:3000/");
+ };
+ };
+}
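Review bot: The `dest = "/var/lib/hydra/ldap-password.conf"` on the secrets block is coupled to the bare `include ldap-password.conf` in hydra.conf, which resolves relative to wherever Hydra's config file ends up, so the two must stay in the same directory; nothing in the hunk records that dependency. A comment on the `dest` line such as `# must sit next to Hydra's hydra.conf: hydra.conf pulls it in with a relative "include ldap-password.conf"` would keep the next maintainer from moving one without the other. The `owner = "hydra"`/`permissions = "0440"` pair presumably relies on the user that actually runs hydra-server being in group `hydra`; worth confirming on the host, since a mismatch fails only at bind time.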
diff --git a/modules/hydra/hydra.conf b/modules/hydra/hydra.conf
new file mode 100644
index 0000000..27a1046
--- /dev/null
+++ b/modules/hydra/hydra.conf
@@ -0,0 +1,47 @@
+<ldap>
+ <config>
+ <credential>
+ class = Password
+ password_field = password
+ password_type = self_check
+ </credential>
+ <store>
+ class = LDAP
+ ldap_server = 10.10.0.1
+ <ldap_server_options>
+ timeout = 30
+ debug = 2
+ </ldap_server_options>
+ binddn = "cn=hydra,ou=users,dc=hydra,dc=vapor,dc=systems"
+ include ldap-password.conf
+ start_tls = 0
+ <start_tls_options>
+ verify = none
+ </start_tls_options>
+ user_basedn = "ou=users,dc=hydra,dc=vapor,dc=systems"
+ user_filter = "(&(objectClass=inetOrgPerson)(cn=%s))"
+ user_scope = one
+ user_field = cn
+ <user_search_options>
+ deref = always
+ </user_search_options>
+ # Important for role mappings to work:
+ use_roles = 1
+ role_basedn = "ou=groups,dc=hydra,dc=vapor,dc=systems"
+ role_filter = "(&(objectClass=groupOfNames)(member=%s))"
+ role_scope = one
+ role_field = cn
+ role_value = dn
+ <role_search_options>
+ deref = always
+ </role_search_options>
+ </store>
+ </config>
+ <role_mapping>
+ # Make all users in the hydra_admin group Hydra admins
+ admin = admin
+ # Allow all users in the dev group to restart jobs and cancel builds
+ dev = restart-jobs
+ dev = cancel-build
+ </role_mapping>
+</ldap>
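Review bot: `start_tls = 0` together with `verify = none` sends the `binddn` password from ldap-password.conf, and with `password_type = self_check` every user's login password as well, in cleartext to `10.10.0.1`, so any host on that path can harvest Hydra admin credentials. Unless the LDAP server is reachable only over a trusted link, this should be `start_tls = 1`, `verify = require` plus a `cafile`/`capath` entry under `<start_tls_options>`, or an `ldaps://` `ldap_server` URL. `debug = 2` in `<ldap_server_options>` also dumps LDAP traffic into the service log and should be dropped to `debug = 0` before this runs on a shared host. Separately, the `<role_mapping>` comment says "hydra_admin group" while the key is `admin`; one of the two should be corrected so the mapping does not look broken on first read.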