New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improved NixOS module for Hydra (WIP) #501
Conversation
hydra-module.nix
Outdated
@@ -64,7 +67,7 @@ with rec { | |||
}; | |||
|
|||
package = mkOption { | |||
type = types.path; | |||
type = types.package; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The NixOS module documentation recommends types.package
over types.path
, but there may be some people taking advantage of the current state of affairs; feel free to let me know if this is the case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This essentially (minus all the styling changes that are hard to track) adds following NixOS options for Hydra:
- googleClientID
- private
- storeMode
Obviously needs documentation :)
hydra-module.nix
Outdated
env = { | ||
NIX_REMOTE = "daemon"; | ||
# FIXME: why isn't this removed yet? we've been on 17.03 for a while now | ||
SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; # Remove in 16.03 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's remove it.
@domenkozar I have a lot more options added locally; I'll push later today |
We could do the indentation modernization in a separate PR too just to get that out of the way. |
@domenkozar: I just sent up all the stuff I've written; it's messy and probably doesn't evaluate yet |
hydra-module.nix
Outdated
}); | ||
|
||
types = lib.types // { | ||
oneof = list: ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like oneof
is not used anywhere else within the pull request
Also, oneof
seems very similar to types.enum
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oneof
is not the same as enum
, as enum
cannot take any NixOS option type; it can only take values.
hydra-module.nix
Outdated
}; | ||
|
||
{ | ||
foldr = lib.lists.fold; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nixpkgs
masteralready has
foldr`
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I was testing this on a nixpkgs version without foldr
.
hydra-module.nix
Outdated
|
||
{ | ||
foldr = lib.lists.fold; | ||
foldr1 = foldToFold1 lists.foldr; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All of the fold*1
utilities seem like they are unused in this pull request. The only exception is foldr1
but that is used within oneof
which is in turn not used elsewhere
hydra-module.nix
Outdated
foldr1 = foldToFold1 lists.foldr; | ||
foldl = lib.lists.foldl; | ||
foldl1 = foldToFold1 lists.foldl; | ||
foldl' = lib.lists.foldl'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this add foldl'
to lib.lists
when it's already an attribute of lib.lists
? Same comment for foldl
hydra-module.nix
Outdated
forceDeep = x: builtins.deepSeq x x; | ||
|
||
strings = lib.strings // { | ||
intercalate = str: list: lib.concatStrings (lib.intersperse str list); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
intercalate
already exists in the standard library as lib.concatMapStringsSep
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good to know!
hydra-module.nix
Outdated
|
||
forceWHNF = x: builtins.seq x x; | ||
forceDeep = x: builtins.deepSeq x x; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This pull request does not use forceWHNF
and forceDeep
Also forceWHNF
does not do anything because seq x x = x
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point on forceWHNF
.
hydra-module.nix
Outdated
@@ -62,15 +130,16 @@ in | |||
}; | |||
|
|||
package = mkOption { | |||
type = types.path; | |||
#default = pkgs.hydra; | |||
type = types.package; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should probably avoid making unrelated breaking changes when submitting a large PR, because if this change breaks anything we can't easily roll back
|
||
}; | ||
googleClientID = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this googleClientID
a secret or is it safe to store in the configuration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is a secret.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to template the Hydra configuration at run-time during the systemd.services.hydra-init.preStart
by reading the secret from a preconfigured system path (i.e. /etc/hydra/googleClientID
or maybe something under /run
)? That way you don't need to worry about the secret being publicly readable inside the /nix/store
and the secret key file can have appropriate permissions set so that only the hydra
daemon can read the file
(Same question for any other secrets these changes may require)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not a bad idea. Will investigate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1. I think it's currently impossible to configure Hydra with the current NixOS module without putting e.g. github auth tokens in the nix store.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ElvishJerricco: I have an example NixOps deploy of Hydra that patches Hydra to fix this. You can see the deploy here:
https://github.com/dhall-lang/dhall-lang/tree/master/nixops
... and the patch here:
https://github.com/dhall-lang/dhall-lang/blob/master/nixops/hydra.patch
hydra-module.nix
Outdated
default = 100; | ||
example = 1000; | ||
description = '' | ||
FIXME: lol |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you intend to keep this FIXME? :)
|
||
}; | ||
googleClientID = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to template the Hydra configuration at run-time during the systemd.services.hydra-init.preStart
by reading the secret from a preconfigured system path (i.e. /etc/hydra/googleClientID
or maybe something under /run
)? That way you don't need to worry about the secret being publicly readable inside the /nix/store
and the secret key file can have appropriate permissions set so that only the hydra
daemon can read the file
(Same question for any other secrets these changes may require)
parameter key. | ||
''; | ||
# FIXME: ensure that the above is actually true | ||
# https://github.com/NixOS/nix/blob/2fd8f8bb99a2832b3684878c020ba47322e79332/src/libstore/store-api.hh#L693-L718 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you create a GitHub issue against the nix
repository for this and link that issue here?
hydra-module.nix
Outdated
group = "hydra"; | ||
useDefaultShell = true; | ||
home = "${baseDir}/queue-runner"; # really only to keep SSH happy | ||
storeURI = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like this option is not used yet
# then you should set `auth = "foo";`. | ||
# | ||
# There can be multiple <githubstatus> stanzas. | ||
makeGithubStatusStanza = ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like these make*Stanza
are not used yet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the intention is to fold the semantics defined by these functions into hydra-module.nix
and then delete temporary.nix
altogether
Related issue: NixOS/nix#1556 |
4dbe2ea
to
8a714cf
Compare
@taktoa sorry I just have a bit of time over weekends, is this ready for review? |
Sorry, not yet, I've been busy with other things. |
Gentle but enthusiastic ping! :) |
Seconding that ping! |
yep, was actually working on this a couple days ago |
@taktoa this hasn’t been touched in a while. I think several people had shown interest in this and you apparently invested quite some work. Do you have any intentions to pick this up again at some point? Maybe you could try to break this down instead into smaller changes that are easier and more feasible to get done and merged? It had been 2 years but maybe there is still some interest on your side. |
Sorry, but I just don't have the cycles these days. I'd be happy to let someone take this work over. |
I'm working on making the Hydra configuration more declarative; I think the current state of affairs where you literally have to reverse-engineer the Perl source to figure out what options you can give in
services.hydra.extraConfig
is embarrassing; you'd think that Hydra, of all projects, would be really usable with NixOS.My ultimate plan is what I call "Fully Declarative Hydra": every aspect of Hydra's state should be specified in the NixOS module except the build and evaluation history.