Update hydra service with sops options.

Kevin Baensch 2023-09-10 15:32:53 +02:00
parent c2aa9993ec
commit 1c9cd2be49
Signed by: derped
GPG key ID: C0F1D326C7626543


@ -42,7 +42,7 @@ in mkIf (elem "hydra" config.machine.services) {
# hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
extraConfig = '' extraConfig = ''
max_output_size = 4294967296 max_output_size = 4294967296
store_uri = file://${cacheDir}?secret-key=${cfg.secretPath}/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br store_uri = file://${cacheDir}?secret-key=${config.sops.secrets."services.hydra.secretKey".path}&write-nar-listing=1&ls-compression=br&log-compression=br
# add ?local-nar-cache= to set nar cache location # add ?local-nar-cache= to set nar cache location
server_store_uri = https://cache.${cfg.domain} server_store_uri = https://cache.${cfg.domain}
binary_cache_public_uri https://cache.${cfg.domain} binary_cache_public_uri https://cache.${cfg.domain}
@ -54,7 +54,7 @@ in mkIf (elem "hydra" config.machine.services) {
enable = true; enable = true;
bindAddress = "0.0.0.0"; bindAddress = "0.0.0.0";
port = 5000; port = 5000;
secretKeyFile = "${cfg.secretPath}/hydra_cache"; secretKeyFile = config.sops.secrets."services.hydra.secretKey".path;
extraParams = '' extraParams = ''
# Dont know how to change the store root yet... # Dont know how to change the store root yet...
# --user hydra-queue-runner # --user hydra-queue-runner
@ -64,4 +64,8 @@ in mkIf (elem "hydra" config.machine.services) {
}; };
systemd.services.nix-serve.serviceConfig.User = mkForce "hydra"; systemd.services.nix-serve.serviceConfig.User = mkForce "hydra";
systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir; systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir;
sops.secrets."services/hydra/secretKey" = {
owner = "hydra";
group = "hydra";
};
} }
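Review bot: The secret is declared as `sops.secrets."services/hydra/secretKey"` in the last hunk, but both new references (`store_uri` inside `extraConfig` and the `secretKeyFile` next to `bindAddress`) read `config.sops.secrets."services.hydra.secretKey".path`; those are two different attribute names, so unless the dotted name is declared somewhere outside this page, evaluation fails on a missing attribute. Use one spelling in all three places, e.g. `config.sops.secrets."services/hydra/secretKey".path`. Separately, the declaration sets `owner` and `group` to `hydra` but no `mode`, and sops-nix defaults to owner-only read. If the process that signs for `store_uri` runs as another user in the `hydra` group (the commented `--user hydra-queue-runner` hints at this), it cannot read the key, so consider `mode = "0440";` and nothing wider. The enclosing `mkIf` block begins outside the visible hunks.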