Improved NixOS module for Hydra (WIP) #501
Conversation
hydra-module.nix
Outdated
| @@ -64,7 +67,7 @@ with rec { | |||
| }; | |||
|
|
|||
| package = mkOption { | |||
| type = types.path; | |||
| type = types.package; | |||
There was a problem hiding this comment.
The NixOS module documentation recommends types.package over types.path, but there may be some people taking advantage of the current state of affairs; feel free to let me know if this is the case.
hydra-module.nix
Outdated
| env = { | ||
| NIX_REMOTE = "daemon"; | ||
| # FIXME: why isn't this removed yet? we've been on 17.03 for a while now | ||
| SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; # Remove in 16.03 |
|
@domenkozar I have a lot more options added locally; I'll push later today |
|
We could do the indentation modernization in a separate PR too just to get that out of the way. |
|
@domenkozar: I just sent up all the stuff I've written; it's messy and probably doesn't evaluate yet |
hydra-module.nix
Outdated
| }); | ||
|
|
||
| types = lib.types // { | ||
| oneof = list: ( |
There was a problem hiding this comment.
It seems like oneof is not used anywhere else within the pull request
Also, oneof seems very similar to types.enum
There was a problem hiding this comment.
oneof is not the same as enum, as enum cannot take any NixOS option type; it can only take values.
hydra-module.nix
Outdated
| }; | ||
|
|
||
| { | ||
| foldr = lib.lists.fold; |
There was a problem hiding this comment.
Yeah, I was testing this on a nixpkgs version without foldr.
hydra-module.nix
Outdated
|
|
||
| { | ||
| foldr = lib.lists.fold; | ||
| foldr1 = foldToFold1 lists.foldr; |
There was a problem hiding this comment.
All of the fold*1 utilities seem like they are unused in this pull request. The only exception is foldr1 but that is used within oneof which is in turn not used elsewhere
hydra-module.nix
Outdated
| foldr1 = foldToFold1 lists.foldr; | ||
| foldl = lib.lists.foldl; | ||
| foldl1 = foldToFold1 lists.foldl; | ||
| foldl' = lib.lists.foldl'; |
There was a problem hiding this comment.
Why does this add foldl' to lib.lists when it's already an attribute of lib.lists? Same comment for foldl
hydra-module.nix
Outdated
| forceDeep = x: builtins.deepSeq x x; | ||
|
|
||
| strings = lib.strings // { | ||
| intercalate = str: list: lib.concatStrings (lib.intersperse str list); |
There was a problem hiding this comment.
intercalate already exists in the standard library as lib.concatMapStringsSep
hydra-module.nix
Outdated
|
|
||
| forceWHNF = x: builtins.seq x x; | ||
| forceDeep = x: builtins.deepSeq x x; |
There was a problem hiding this comment.
This pull request does not use forceWHNF and forceDeep
Also forceWHNF does not do anything because seq x x = x
hydra-module.nix
Outdated
| @@ -62,15 +130,16 @@ in | |||
| }; | |||
|
|
|||
| package = mkOption { | |||
| type = types.path; | |||
| #default = pkgs.hydra; | |||
| type = types.package; | |||
There was a problem hiding this comment.
You should probably avoid making unrelated breaking changes when submitting a large PR, because if this change breaks anything we can't easily roll back
|
|
||
| }; | ||
| googleClientID = mkOption { |
There was a problem hiding this comment.
Is this googleClientID a secret or is it safe to store in the configuration?
There was a problem hiding this comment.
Would it be possible to template the Hydra configuration at run-time during the systemd.services.hydra-init.preStart by reading the secret from a preconfigured system path (i.e. /etc/hydra/googleClientID or maybe something under /run)? That way you don't need to worry about the secret being publicly readable inside the /nix/store and the secret key file can have appropriate permissions set so that only the hydra daemon can read the file
(Same question for any other secrets these changes may require)
There was a problem hiding this comment.
This is not a bad idea. Will investigate.
There was a problem hiding this comment.
+1. I think it's currently impossible to configure Hydra with the current NixOS module without putting e.g. github auth tokens in the nix store.
There was a problem hiding this comment.
@ElvishJerricco: I have an example NixOps deploy of Hydra that patches Hydra to fix this. You can see the deploy here:
https://github.com/dhall-lang/dhall-lang/tree/master/nixops
... and the patch here:
https://github.com/dhall-lang/dhall-lang/blob/master/nixops/hydra.patch
hydra-module.nix
Outdated
| default = 100; | ||
| example = 1000; | ||
| description = '' | ||
| FIXME: lol |
There was a problem hiding this comment.
Did you intend to keep this FIXME? :)
|
|
||
| }; | ||
| googleClientID = mkOption { |
There was a problem hiding this comment.
Would it be possible to template the Hydra configuration at run-time during the systemd.services.hydra-init.preStart by reading the secret from a preconfigured system path (i.e. /etc/hydra/googleClientID or maybe something under /run)? That way you don't need to worry about the secret being publicly readable inside the /nix/store and the secret key file can have appropriate permissions set so that only the hydra daemon can read the file
(Same question for any other secrets these changes may require)
| parameter key. | ||
| ''; | ||
| # FIXME: ensure that the above is actually true | ||
| # https://github.com/NixOS/nix/blob/2fd8f8bb99a2832b3684878c020ba47322e79332/src/libstore/store-api.hh#L693-L718 |
There was a problem hiding this comment.
Could you create a GitHub issue against the nix repository for this and link that issue here?
hydra-module.nix
Outdated
| group = "hydra"; | ||
| useDefaultShell = true; | ||
| home = "${baseDir}/queue-runner"; # really only to keep SSH happy | ||
| storeURI = mkOption { |
There was a problem hiding this comment.
It looks like this option is not used yet
| # then you should set `auth = "foo";`. | ||
| # | ||
| # There can be multiple <githubstatus> stanzas. | ||
| makeGithubStatusStanza = ( |
There was a problem hiding this comment.
It looks like these make*Stanza are not used yet?
There was a problem hiding this comment.
the intention is to fold the semantics defined by these functions into hydra-module.nix and then delete temporary.nix altogether
|
Related issue: NixOS/nix#1556 |
taktoa
force-pushed
the
taktoa/module
branch
from
4dbe2ea
to
8a714cf
Compare
|
@taktoa sorry I just have a bit of time over weekends, is this ready for review? |
|
Sorry, not yet, I've been busy with other things. |
|
Gentle but enthusiastic ping! :) |
|
Seconding that ping! |
|
yep, was actually working on this a couple days ago |
|
@taktoa this hasn’t been touched in a while. I think several people had shown interest in this and you apparently invested quite some work. Do you have any intentions to pick this up again at some point? Maybe you could try to break this down instead into smaller changes that are easier and more feasible to get done and merged? It had been 2 years but maybe there is still some interest on your side. |
|
Sorry, but I just don't have the cycles these days. I'd be happy to let someone take this work over. |
I'm working on making the Hydra configuration more declarative; I think the current state of affairs where you literally have to reverse-engineer the Perl source to figure out what options you can give in
services.hydra.extraConfigis embarrassing; you'd think that Hydra, of all projects, would be really usable with NixOS.My ultimate plan is what I call "Fully Declarative Hydra": every aspect of Hydra's state should be specified in the NixOS module except the build and evaluation history.