NixOS / hydra

Hydra, the Nix-based continuous build system
http://nixos.org/hydra
GNU General Public License v3.0

Setup Hydra for private repository #555

Open rsoeldner opened 6 years ago

rsoeldner commented 6 years ago

Hey, I still struggle with setting up hydra for my private project using nixops. I did the following steps:

hydra.nix:

{
  hydra = { config, lib, pkgs, resources, ... }:
  { networking.hostName = "hydra";
    networking.firewall.allowedTCPPorts = [config.services.hydra.port 25];

    services.hydra =
    { enable = true;
      minimumDiskFree = 10; # GiB
      minimumDiskFreeEvaluator = 10; # GiB
      hydraURL = "hydra.localhost.com";
      notificationSender = "robert@gmail.com";
    };
    programs.ssh.knownHosts = [
      { hostNames = [ "github.com" ]; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; }
      ];

    nix =
    { useSandbox = true;
      buildCores =  0;
      nrBuildUsers = 32;

      buildMachines = [
        { hostName = "localhost";
          system = "x86_64-linux";
          supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
          maxJobs = 12; # integer, not the string "12"
        }
      ];
    };
  };
}

and infrastructure:

let
region = "us-east-1";
accessKeyId = "dev";

ec2 = { resources, ... }:
{ deployment.targetEnv = "ec2";
  deployment.ec2.accessKeyId = accessKeyId;
  deployment.ec2.region = region;
  deployment.ec2.instanceType = "t2.medium";
  deployment.ec2.keyPair = resources.ec2KeyPairs.agent;
  deployment.ec2.securityGroups = [resources.ec2SecurityGroups.sg.name];
  deployment.ec2.ebsInitialRootDiskSize = 100;
};

in
{
  hydra = ec2;

  resources.ec2KeyPairs.agent =
  { inherit region accessKeyId; };

  resources.ec2SecurityGroups = {
    sg = { resources, lib, config, ... }:
    {
      inherit region accessKeyId;
      rules = [
        # 0.0.0.0/0 opens SSH, the Hydra web UI (3000) and SMTP to the whole Internet
        { toPort = 22; fromPort = 22; sourceIp = "0.0.0.0/0"; }
        { toPort = 3000; fromPort = 3000; sourceIp = "0.0.0.0/0"; }
        { toPort = 25; fromPort = 25; sourceIp = "0.0.0.0/0"; }
      ];
    };
  };
}

I did the following additional steps:

nixops create aws.nix hydra.nix -d hydra
nixops deploy -d hydra
 .....
nixops ssh -d hydra hydra
hydra-init
hydra-create-user robert --password abc --role admin
sudo -u hydra -i
ssh-keygen

I added the public key as a deployment key for this specific private repository on github.com. After this I moved to the hydra web UI, added a New Project with:

Enable: true
Identifier: blaApp
Display name: bla bla

I added a jobset:

Status: Enabled
Identifier: app
Description bla bla
Nix expression: release.nix in appSrc
Scheduling shares: 1

with an "Add a new input" as:

input name: app
type: git checkout
value: git@github.com:user/repo.git

When triggering evaluation I receive the following evaluation error:

error fetching latest change from git repo at `git@github.com:user/repo.git':
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Maybe @cleverca22 or someone else can have a look at this?

Thank you very much.

smatting commented 6 years ago

@rsoeldner I could successfully evaluate and build from private repos by defining <ssh-config-file> as a jobset input. See fetchgit for details.

EDIT: Actually that's not true. For the evaluator to work I had to copy the deploy key to ~/.ssh/id_rsa

o1lo01ol1o commented 6 years ago

I've just set up a single-machine hydra server from here and I've added ssh keys and configs for the root user in /root/.ssh/*. I'm able to clone and ssh into my private gitlab accounts from the root account but I'm not able to get hydra to do so:

git@gitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I've set ssh-config-file=/root/.ssh/config as an input.

Could anyone advise?

smatting commented 6 years ago

iirc for me it worked after setting public read permissions on config and key. I suspect the jobs don't run as root

o1lo01ol1o commented 6 years ago

@smatting thanks, it required moving the keys to /var/lib/hydra and giving permissions to the hydra user.
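As an added example (not from the thread and not Hydra's own tooling), a small POSIX shell check that encodes what this comment found: the evaluator does not run as root, so the deploy key has to be owned by and private to the service user, and SSH access is best tested as that user. It assumes the service user is `hydra`, its home is `/var/lib/hydra`, GNU `stat`, and `sudo`.

```shell
#!/usr/bin/env sh
# Added example: check that the deploy key the Hydra evaluator uses is
# owned by the service user and not group/world readable, then (on request)
# test SSH to the forge as that user. Assumes GNU stat and sudo.

HYDRA_USER="${HYDRA_USER:-hydra}"           # assumed service user
HYDRA_HOME="${HYDRA_HOME:-/var/lib/hydra}"  # assumed home, as in the thread

# uid_of NAME_OR_UID -> numeric uid
uid_of() {
    case "$1" in
        *[!0-9]*) id -u "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# check_key_file FILE OWNER
# 0: exists, owned by OWNER, mode 600 or 400
# 1: missing   2: wrong owner   3: readable by group or others
check_key_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    want=$(uid_of "$2")
    set -- "$1" $(stat -c '%u %a' "$1")     # $2 = owner uid, $3 = octal mode
    [ "$2" = "$want" ] || { echo "$1: owner uid $2, want $want" >&2; return 2; }
    case "$3" in
        600|400) return 0 ;;
        *) echo "$1: mode $3, want 600 or 400" >&2; return 3 ;;
    esac
}

# check_ssh_access USER HOST
# GitHub greets and then exits 1, GitLab greets and exits 0, so match the
# greeting text rather than the exit status.
check_ssh_access() {
    out=$(sudo -u "$1" -H ssh -o BatchMode=yes -T "git@$2" 2>&1) || true
    case "$out" in
        *"successfully authenticated"*|*"Welcome to GitLab"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Run the real checks only when asked, so the functions can also be sourced.
if [ "${HYDRA_CHECK:-}" = run ]; then
    check_key_file "$HYDRA_HOME/.ssh/id_rsa" "$HYDRA_USER" || exit $?
    check_ssh_access "$HYDRA_USER" "${1:-github.com}" || exit 1
    echo "ok: $HYDRA_USER can authenticate to ${1:-github.com}"
fi
```

Run it on the Hydra host as `HYDRA_CHECK=run sh hydra-sshcheck.sh gitlab.com` (or `github.com`); a non-zero exit and the message on stderr point at the owner or mode problem before any jobset evaluation is attempted.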

robinp commented 5 years ago

As I remarked in https://github.com/NixOS/nixpkgs/issues/4004#issuecomment-513152322, I didn't see the ssh-config-file jobset input being picked up. I selected Git checkout as the input type. Maybe that doesn't trigger the right fetchGit?

How do you configure your checkout exactly? My Hydra version is Hydra 2019-02-01 (using nix-2.2.2).