systems/palatine-hill/hydra.nix

{
  config,
  inputs,
  ...
}:
let
  hydra_notify_prometheus_port = "9199";
  hydra_queue_runner_prometheus_port = "9200";
  postgres_exporter_port = 9187;
  zfs_exporter_port = 9134;
in
{
  systemd.services.hydra-notify.serviceConfig.EnvironmentFile =
    config.sops.secrets."hydra/environment".path;

  nix = {
    extraOptions = ''
      allowed-uris = github: gitlab: git+https:// git+ssh:// https://
      builders-use-substitutes = true
    '';

    buildMachines = [
      {
        hostName = "localhost";
        maxJobs = 2;
        protocol = "ssh-ng";
        speedFactor = 2;
        systems = [
          "x86_64-linux"
          "aarch64-linux"
          "i686-linux"
        ];

        supportedFeatures = [
          "kvm"
          "nixos-test"
          "big-parallel"
          "benchmark"
        ];
      }
    ];
  };

  services = {
    hydra = {
      enable = true;
      package = inputs.hydra.packages.x86_64-linux.hydra.overrideAttrs (old: {
        preCheck = ''
          export YATH_JOB_COUNT=8
          ${old.preCheck or ""}
        '';
      });
      hydraURL = "https://hydra.alicehuston.xyz";
      smtpHost = "alicehuston.xyz";
      notificationSender = "hydra@alicehuston.xyz";
      gcRootsDir = "/ZFS/ZFS-primary/hydra";
      useSubstitutes = true;
      buildMachinesFiles = [ ];
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 100;
      extraConfig = ''
        allow_import_from_derivation = true
        <git-input>
          timeout = 3600
        </git-input>
        <githubstatus>
          # check hosts and any declared checks
          jobs = (build-fork-hydra|nix-dotfiles-build):(pr-.*|branch-gh-readonly-queue-.*|branch-main):hosts
          context = ci/hydra: hosts
          inputs = nixexpr
          useShortContext = true
          excludeBuildFromContext = 1
        </githubstatus>
        <githubstatus>
          # check hosts and any declared checks
          jobs = (build-fork-hydra|nix-dotfiles-build):(pr-.*|branch-gh-readonly-queue-.*|branch-main):devChecks
          context = ci/hydra: checks
          inputs = nixexpr
          useShortContext = true
          excludeBuildFromContext = 1
        </githubstatus>
        Include ${config.sops.secrets."alice/gha-hydra-token".path}
        <hydra_notify>
          <prometheus>
            listen_address = 127.0.0.1
            port = ${hydra_notify_prometheus_port}
          </prometheus>
        </hydra_notify>
        queue_runner_metrics_address = 127.0.0.1:${hydra_queue_runner_prometheus_port}
      '';
    };

    # nix-serve = {
    #   enable = true;
    #   secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
    # };
    prometheus = {
      enable = true;
      webExternalUrl = "https://prom.alicehuston.xyz";
      port = 9001;
      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          port = 9002;
        };
        postgres = {
          enable = true;
          listenAddress = "127.0.0.1";
          port = postgres_exporter_port;
          runAsLocalSuperUser = true;
        };
        zfs = {
          enable = true;
          listenAddress = "127.0.0.1";
          port = zfs_exporter_port;
        };
      };
      scrapeConfigs = [
        {
          job_name = "palatine-hill";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
          ];
        }
        {
          job_name = "hydra-local";
          static_configs = [
            {
              targets = [
                "127.0.0.1:${hydra_notify_prometheus_port}"
                "127.0.0.1:${hydra_queue_runner_prometheus_port}"
              ];
            }
          ];
        }
        {
          job_name = "postgres-local";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; }
          ];
        }
        {
          job_name = "zfs-local";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ]; }
          ];
        }
        {
          job_name = "hydra-external";
          scheme = "https";
          static_configs = [ { targets = [ "hydra.alicehuston.xyz" ]; } ];
        }
      ];
    };
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/E/y4UJQid6/0D9babh8l/3jTDJRXqZQ5rPcoxwm1j root@palatine-hill"
  ];

  users.users.hydra-queue-runner.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/E/y4UJQid6/0D9babh8l/3jTDJRXqZQ5rPcoxwm1j root@palatine-hill"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHtwvfXg/QFjMAjC4JRjlMAaGPgEfSyhpprNpqbGSJn hydra-queue-runner@palatine-hill"
  ];

  sops = {
    secrets = {
      "hydra/environment".owner = "hydra";
      # "nix-serve/secret-key".owner = "root";
      "alice/gha-hydra-token" = {
        sopsFile = ../../users/alice/secrets.yaml;
        owner = "hydra";
        group = "hydra";
        mode = "440";
      };
    };
  };
}
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`{`
			`config,`
re-enable hydra 2025-03-26 02:43:56 -04:00			`inputs,`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`...`
			`}:`
finalize hydra promtheus config 2024-06-22 22:33:07 -04:00			`let`
add queue runner to prometheus 2024-06-22 23:03:20 -04:00			`hydra_notify_prometheus_port = "9199";`
			`hydra_queue_runner_prometheus_port = "9200";`
add otel and honeycomb 2026-05-03 12:34:42 -04:00			`postgres_exporter_port = 9187;`
			`zfs_exporter_port = 9134;`
finalize hydra promtheus config 2024-06-22 22:33:07 -04:00			`in`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`{`
			`systemd.services.hydra-notify.serviceConfig.EnvironmentFile =`
			`config.sops.secrets."hydra/environment".path;`

			`nix = {`
			`extraOptions = ''`
			`allowed-uris = github: gitlab: git+https:// git+ssh:// https://`
			`builders-use-substitutes = true`
			`'';`

			`buildMachines = [`
			`{`
			`hostName = "localhost";`
			`maxJobs = 2;`
			`protocol = "ssh-ng";`
			`speedFactor = 2;`
			`systems = [`
			`"x86_64-linux"`
			`"aarch64-linux"`
			`"i686-linux"`
			`];`

			`supportedFeatures = [`
			`"kvm"`
			`"nixos-test"`
			`"big-parallel"`
			`"benchmark"`
			`];`
			`}`
			`];`
			`};`

			`services = {`
			`hydra = {`
			`enable = true;`
limit yath cores 2025-12-07 18:47:06 -05:00			`package = inputs.hydra.packages.x86_64-linux.hydra.overrideAttrs (old: {`
change checkPhase to preCheck 2025-12-07 22:17:24 -05:00			`preCheck = ''`
limit yath cores 2025-12-07 18:47:06 -05:00			`export YATH_JOB_COUNT=8`
change checkPhase to preCheck 2025-12-07 22:17:24 -05:00			`${old.preCheck or ""}`
limit yath cores 2025-12-07 18:47:06 -05:00			`'';`
			`});`
add githubstatus to hydra 2024-07-07 23:50:55 -04:00			`hydraURL = "https://hydra.alicehuston.xyz";`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`smtpHost = "alicehuston.xyz";`
			`notificationSender = "hydra@alicehuston.xyz";`
			`gcRootsDir = "/ZFS/ZFS-primary/hydra";`
			`useSubstitutes = true;`
			`buildMachinesFiles = [ ];`
			`minimumDiskFree = 50;`
			`minimumDiskFreeEvaluator = 100;`
			`extraConfig = ''`
hydra ifd fixes 2026-04-13 23:48:42 -04:00			`allow_import_from_derivation = true`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`<git-input>`
			`timeout = 3600`
			`</git-input>`
add githubstatus to hydra 2024-07-07 13:43:39 -04:00			`<githubstatus>`
modify hydra notify targets, given agg job 2024-07-07 21:35:37 -04:00			`# check hosts and any declared checks`
add branch-main to checks 2024-07-27 23:59:16 -04:00			`jobs = (build-fork-hydra\|nix-dotfiles-build):(pr-.\|branch-gh-readonly-queue-.\|branch-main):hosts`
add devchecks agg job, update hydra config 2024-07-07 21:41:40 -04:00			`context = ci/hydra: hosts`
			`inputs = nixexpr`
			`useShortContext = true`
			`excludeBuildFromContext = 1`
			`</githubstatus>`
			`<githubstatus>`
			`# check hosts and any declared checks`
add branch-main to checks 2024-07-27 23:59:16 -04:00			`jobs = (build-fork-hydra\|nix-dotfiles-build):(pr-.\|branch-gh-readonly-queue-.\|branch-main):devChecks`
add devchecks agg job, update hydra config 2024-07-07 21:41:40 -04:00			`context = ci/hydra: checks`
add githubstatus to hydra 2024-07-07 13:43:39 -04:00			`inputs = nixexpr`
add githubstatus to hydra 2024-07-07 23:50:55 -04:00			`useShortContext = true`
add githubstatus to hydra 2024-07-07 13:43:39 -04:00			`excludeBuildFromContext = 1`
			`</githubstatus>`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`Include ${config.sops.secrets."alice/gha-hydra-token".path}`
add prometheus to hydra 2024-06-22 21:58:37 -04:00			`<hydra_notify>`
			`<prometheus>`
			`listen_address = 127.0.0.1`
add queue runner to prometheus 2024-06-22 23:03:20 -04:00			`port = ${hydra_notify_prometheus_port}`
add prometheus to hydra 2024-06-22 21:58:37 -04:00			`</prometheus>`
			`</hydra_notify>`
external url and fix queue address 2024-06-22 23:08:48 -04:00			`queue_runner_metrics_address = 127.0.0.1:${hydra_queue_runner_prometheus_port}`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`'';`
			`};`

add various plex/arr services, remove nix-serve, add lynis config 2025-05-05 17:17:31 -04:00			`# nix-serve = {`
			`# enable = true;`
			`# secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;`
			`# };`
add prometheus to hydra 2024-06-22 21:58:37 -04:00			`prometheus = {`
			`enable = true;`
external url and fix queue address 2024-06-22 23:08:48 -04:00			`webExternalUrl = "https://prom.alicehuston.xyz";`
set port 2024-06-22 22:05:20 -04:00			`port = 9001;`
add otel and honeycomb 2026-05-03 12:34:42 -04:00			`exporters = {`
			`node = {`
			`enable = true;`
			`enabledCollectors = [ "systemd" ];`
			`port = 9002;`
			`};`
			`postgres = {`
			`enable = true;`
			`listenAddress = "127.0.0.1";`
			`port = postgres_exporter_port;`
			`runAsLocalSuperUser = true;`
			`};`
			`zfs = {`
			`enable = true;`
			`listenAddress = "127.0.0.1";`
			`port = zfs_exporter_port;`
			`};`
add prometheus to hydra 2024-06-22 21:58:37 -04:00			`};`
			`scrapeConfigs = [`
			`{`
finalize hydra promtheus config 2024-06-22 22:33:07 -04:00			`job_name = "palatine-hill";`
			`static_configs = [`
			`{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }`
			`];`
			`}`
			`{`
			`job_name = "hydra-local";`
add queue runner to prometheus 2024-06-22 23:03:20 -04:00			`static_configs = [`
			`{`
			`targets = [`
			`"127.0.0.1:${hydra_notify_prometheus_port}"`
			`"127.0.0.1:${hydra_queue_runner_prometheus_port}"`
			`];`
			`}`
			`];`
finalize hydra promtheus config 2024-06-22 22:33:07 -04:00			`}`
add otel and honeycomb 2026-05-03 12:34:42 -04:00			`{`
			`job_name = "postgres-local";`
			`static_configs = [`
			`{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; }`
			`];`
			`}`
			`{`
			`job_name = "zfs-local";`
			`static_configs = [`
			`{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ]; }`
			`];`
			`}`
finalize hydra promtheus config 2024-06-22 22:33:07 -04:00			`{`
			`job_name = "hydra-external";`
			`scheme = "https";`
			`static_configs = [ { targets = [ "hydra.alicehuston.xyz" ]; } ];`
add prometheus to hydra 2024-06-22 21:58:37 -04:00			`}`
			`];`
			`};`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`};`

			`users.users.root.openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/E/y4UJQid6/0D9babh8l/3jTDJRXqZQ5rPcoxwm1j root@palatine-hill"`
			`];`

			`users.users.hydra-queue-runner.openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/E/y4UJQid6/0D9babh8l/3jTDJRXqZQ5rPcoxwm1j root@palatine-hill"`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHtwvfXg/QFjMAjC4JRjlMAaGPgEfSyhpprNpqbGSJn hydra-queue-runner@palatine-hill"`
			`];`

			`sops = {`
			`secrets = {`
			`"hydra/environment".owner = "hydra";`
add various plex/arr services, remove nix-serve, add lynis config 2025-05-05 17:17:31 -04:00			`# "nix-serve/secret-key".owner = "root";`
refactor palatine-hill, add some packages to artemision, hypr zoom restart 2024-06-06 23:34:14 -04:00			`"alice/gha-hydra-token" = {`
			`sopsFile = ../../users/alice/secrets.yaml;`
			`owner = "hydra";`
			`group = "hydra";`
			`mode = "440";`
			`};`
			`};`
			`};`
			`}`