fruitbasket/modules/hydra.nix

{ config, ... }:
let
  domain = "hydra.${config.networking.domain}";
in
{
  sops.secrets."hydra_ldap_search" = { owner = "hydra"; group = "hydra"; mode = "440"; };
  nix.settings.allowed-uris = [ "https://github.com/nix-community" ]; # whitelisted to fetch nix-index
  services.hydra = {
    enable = true;
    port = 4000;
    hydraURL = domain;
    notificationSender = "hydra@localhost";
    buildMachinesFiles = [ ];
    useSubstitutes = true;
    extraConfig = ''
      <ldap>
        <config>
          <credential>
            class = Password
            password_field = password
            password_type = self_check
          </credential>
          <store>
            class = LDAP
            ldap_server = localhost
            <ldap_server_options>
              timeout = 30
            </ldap_server_options>
            binddn = "uid=search,ou=users,dc=ifsr,dc=de"
            include ${config.sops.secrets.hydra_ldap_search.path}
            start_tls = 0
            <start_tls_options>
              verify = none
            </start_tls_options>
            user_basedn = "ou=users,dc=ifsr,dc=de"
            user_filter = "(&(objectClass=posixAccount)(uid=%s))"
            user_scope = one
            user_field = uid
            <user_search_options>
              deref = always
            </user_search_options>
            # Important for role mappings to work:
            use_roles = 1
            role_basedn = "ou=groups,dc=ifsr,dc=de"
            role_filter = "(&(objectClass=groupOfNames)(member=%s))"
            role_scope = one
            role_field = cn
            role_value = dn
            <role_search_options>
              deref = always
            </role_search_options>
          </store>
        </config>
        <role_mapping>
          # Make all users in the hydra_admin group Hydra admins
          admins = admin
        </role_mapping>
      </ldap>
    '';

  };
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
    };
  };
}
hydra: init 2023-08-23 16:53:43 +02:00			`{ config, ... }:`
			`let`
refactor: fsr.domain -> networking.domain 2023-09-17 20:10:55 +02:00			`domain = "hydra.${config.networking.domain}";`
hydra: init 2023-08-23 16:53:43 +02:00			`in`
			`{`
hydra: ldap fixes 2023-08-23 17:12:08 +02:00			`sops.secrets."hydra_ldap_search" = { owner = "hydra"; group = "hydra"; mode = "440"; };`
nix: allow fetching the index from github 2023-09-20 22:20:49 +02:00			`nix.settings.allowed-uris = [ "https://github.com/nix-community" ]; # whitelisted to fetch nix-index`
hydra: init 2023-08-23 16:53:43 +02:00			`services.hydra = {`
			`enable = true;`
			`port = 4000;`
			`hydraURL = domain;`
			`notificationSender = "hydra@localhost";`
			`buildMachinesFiles = [ ];`
			`useSubstitutes = true;`
			`extraConfig = ''`
hydra: ldap fixes 2023-08-23 17:12:08 +02:00			`<ldap>`
hydra: init 2023-08-23 16:53:43 +02:00			`<config>`
			`<credential>`
			`class = Password`
			`password_field = password`
			`password_type = self_check`
			`</credential>`
			`<store>`
			`class = LDAP`
			`ldap_server = localhost`
			`<ldap_server_options>`
			`timeout = 30`
			`</ldap_server_options>`
hydra: ldap fixes 2023-08-23 17:12:08 +02:00			`binddn = "uid=search,ou=users,dc=ifsr,dc=de"`
hydra: init 2023-08-23 16:53:43 +02:00			`include ${config.sops.secrets.hydra_ldap_search.path}`
			`start_tls = 0`
			`<start_tls_options>`
			`verify = none`
			`</start_tls_options>`
			`user_basedn = "ou=users,dc=ifsr,dc=de"`
hydra: ldap fixes 2023-08-23 17:12:08 +02:00			`user_filter = "(&(objectClass=posixAccount)(uid=%s))"`
hydra: init 2023-08-23 16:53:43 +02:00			`user_scope = one`
hydra: ldap fixes 2023-08-23 17:12:08 +02:00			`user_field = uid`
hydra: init 2023-08-23 16:53:43 +02:00			`<user_search_options>`
			`deref = always`
			`</user_search_options>`
			`# Important for role mappings to work:`
			`use_roles = 1`
			`role_basedn = "ou=groups,dc=ifsr,dc=de"`
			`role_filter = "(&(objectClass=groupOfNames)(member=%s))"`
			`role_scope = one`
			`role_field = cn`
			`role_value = dn`
			`<role_search_options>`
			`deref = always`
			`</role_search_options>`
hydra: ldap fixes 2023-08-23 17:12:08 +02:00			`</store>`
hydra: init 2023-08-23 16:53:43 +02:00			`</config>`
			`<role_mapping>`
			`# Make all users in the hydra_admin group Hydra admins`
			`admins = admin`
			`</role_mapping>`
			`</ldap>`
			`'';`

			`};`
			`services.nginx.virtualHosts."${domain}" = {`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";`
			`};`
			`};`
			`}`