Hydra, update lock, other stuffs

Author: TymanWasTaken

flake.lock

@@ -103,6 +103,10 @@
             };
         in
         {
+            hydraJobs = {
+                vps = self.nixosConfigurations.vps.config.system.build.toplevel;
+            };
+
             nixosConfigurations = {
                 "vps" = nixpkgs.lib.nixosSystem (
                     let

flake.nix

@@ -129,6 +129,7 @@ https://*.polyfrost.org {
 	@dex host dex.polyfrost.org
 	@plus-staging host plus-staging.polyfrost.org
 	@plus-admin host plus-admin.polyfrost.org
+	@hydra host hydra.polyfrost.org
 
 	# Handle all other containers
 	handle @grafana {
@@ -166,6 +167,10 @@ https://*.polyfrost.org {
 		}
 	}
 
+	handle @hydra {
+	    reverse_proxy host.containers:3000
+	}
+
 	# Handle all unmatched requests as a 404
 	handle {
 		error "Not Found" 404

nixos/hosts/vps/config/services/caddy/Caddyfile

@@ -13,7 +13,10 @@
                 containerIps:
                 lib.mapAttrs' (name: value: lib.attrsets.nameValuePair value [ "${name}.containers" ]) containerIps;
         in
-        (mkHosts ips.v4.containers) // (mkHosts ips.v6.containers);
+        (mkHosts ips.v4.containers) // (mkHosts ips.v6.containers) // {
+            "${ips.v4.host}" = [ "host.containers" ];
+            "${ips.v6.host}" = [ "host.containers" ];
+        };
 
     services.caddy = {
         enable = true;
@@ -23,7 +26,7 @@
                 "github.com/caddy-dns/cloudflare@v0.2.2-0.20250506153119-35fb8474f57d"
                 "github.com/WeidiDeng/caddy-cloudflare-ip@v0.0.0-20231130002422-f53b62aa13cb"
             ];
-            hash = "sha256-MhLXRQd6EjQ/yfOpMbr6X/sIXgdhQwXaxkIBmUKAK2I=";
+            hash = "sha256-ldD2gIlEthnLbRckH+BPKKde95gNPEJbXHTQEjBnE0Q=";
         };
 
         configFile = ./Caddyfile;

nixos/hosts/vps/config/services/caddy/container.nix

@@ -5,6 +5,7 @@
 
         ./backend
         ./caddy
+        ./hydra
         ./monitoring
         ./plus
         ./polyhelper

nixos/hosts/vps/config/services/default.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+    services.hydra = {
+        enable = true;
+        hydraURL = "https://hydra.polyfrost.org";
+        useSubstitutes = true;
+        dbi = "dbi:Pg:dbname=hydra;host=${config.custom.nixos-containers.networking.addresses.v6.containers.postgres};user=hydra";
+        port = 3000;
+        listenHost = "*";
+        notificationSender = "hydra@localhost";
+        extraConfig = ''
+            allow_import_from_derivation = true
+        '';
+    };
+}

nixos/hosts/vps/config/services/hydra/default.nix

@@ -30,6 +30,8 @@
             };
 
             analytics.reporting_enabled = false;
+
+            security.secret_key = "SW2YcwTIb9zpOOhoPsMm"; # yes this is the default from nix. no i don't care. anyone can decrypt the database if they get access to it
         };
 
         provision = {

nixos/hosts/vps/config/services/monitoring/container/grafana.nix

@@ -36,6 +36,9 @@ in
     networking = {
         # Let containers access host ports conditionally
         firewall.extraInputRules = ''
+            ip saddr ${containerIps.v4.containers.caddy} tcp dport 3000 accept comment "Allow caddy to access hydra"
+            ip6 saddr ${containerIps.v6.containers.caddy} tcp dport 3000 accept comment "Allow caddy to access hydra"
+
             ip saddr ${containerIps.v4.containers.monitoring} tcp dport 9100 accept comment "Allow monitoring to access node exporter"
             ip6 saddr ${containerIps.v6.containers.monitoring} tcp dport 9100 accept comment "Allow monitoring to access node exporter"
         '';

nixos/hosts/vps/config/services/networking.nix

@@ -11,6 +11,7 @@ let
         "forgejo" = ips.v6.containers.forgejo;
         "dex" = ips.v6.containers.dex;
         "plus" = ips.v6.containers.plus;
+        "hydra" = ips.v6.host;
     };
     mkAuthEntry =
         { name, value }:

nixos/hosts/vps/config/services/postgres/container.nix

@@ -39,7 +39,7 @@
         (final: prev: {
             inherit (prev.lixPackageSets.stable)
                 nixpkgs-review
-                nix-eval-jobs
+                # nix-eval-jobs
                 nix-fast-build
                 colmena
                 ;