switch to new queue runner

dev/packages.nix

@@ -9,6 +9,9 @@
     nixComponents = final.nixVersions.nixComponents_2_29;
     rawSrc = inputs.hydra;
   };
+  hydra-queue-runner = final.callPackage (import "${inputs.hydra-queue-runner}/default.nix") {
+    pkgs = final;
+  };
   rfc39 = final.rustPlatform.buildRustPackage {
     pname = "rfc39";
     version = "0-unstable-2025-05-21";

dnscontrol/dnsconfig.js

@@ -66,6 +66,7 @@ var cnames = {
     "nl.meet": "nixnl.codeberg.page.",
     "nur-update": "build03",
     "prometheus": "web02",
+    "queue-runner.hydra": "hydra",
     "temp-cache": "build03",
     // keep-sorted end
 };

flake.nix

@@ -26,6 +26,8 @@
     hercules-ci-effects.inputs.flake-parts.follows = "flake-parts";
     hercules-ci-effects.inputs.nixpkgs.follows = "nixpkgs";
     hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
+    hydra-queue-runner.flake = false;
+    hydra-queue-runner.url = "github:qowoz/hydra-queue-runner/infra";
     hydra.flake = false;
     hydra.url = "github:NixOS/hydra";
     lite-config.url = "github:yelite/lite-config";

hosts/build03/ca.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkzCCAUWgAwIBAgIUM3IOGPv05wdHhykHyC7J0eYl4qYwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowPjEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEeMBwGA1UEAwwVaHlkcmEtcXVl
+dWUtcnVubmVyLWNhMCowBQYDK2VwAyEApTUfa9PNgjIqQIU8ur4gJ/EAClvVX+oJ
+hduaCt0iQ+WjUzBRMB0GA1UdDgQWBBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAfBgNV
+HSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAPBgNVHRMBAf8EBTADAQH/MAUG
+AytlcANBAIsqwp4tW+P5yAdhZy8rWGeKhwVyKmtkf2EjCeWbxDAVqeQvEXWcP1o0
+SFwPhoW5BaccYOgsrSDq3hY7xs2BUgQ=
+-----END CERTIFICATE-----

hosts/build03/client.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBiDCCATqgAwIBAgIULzcgJlY8HPEN7WebeYdUwmvL0dQwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowRDEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEkMCIGA1UEAwwbaHlkcmEtcXVl
+dWUtYnVpbGRlci1idWlsZDAzMCowBQYDK2VwAyEAgT2MFRB7qdN1Hx+ipgFOgYVc
+zdDmZtm/jrPS/BOerrCjQjBAMB0GA1UdDgQWBBTR0QWcQtL2JbUeFmoHOO7y8wj7
+5zAfBgNVHSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAFBgMrZXADQQCZtrwk
+DknHpZPuceVHJPYYv9mYJvXfbHy5XAUkkS8lMWvH78dIQA+tK0atIvt364HkRBN1
+8pQWdhCU+bkKDDcC
+-----END CERTIFICATE-----

hosts/build03/default.nix

@@ -5,6 +5,7 @@
     ./cache.nix
     ./landscape.nix
     ./postgresql.nix
+    ./queue-runner.nix
     inputs.self.nixosModules.buildbot
     inputs.self.nixosModules.cgroups
     inputs.self.nixosModules.ci-builder

hosts/build03/queue-runner.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+{
+  imports = [ "${inputs.self}/modules/queue-runner/hydra-queue-runner-v2.nix" ];
+
+  sops.secrets.queue-runner-server-key.owner = "nginx";
+
+  nixCommunity.hydra-queue-runner-v2 = {
+    enable = true;
+    settings = {
+      queueTriggerTimerInS = 300;
+      useSubstitutes = true;
+    };
+    rest.port = 9090;
+  };
+
+  services.hydra = {
+    extraConfig = lib.mkAfter ''
+      queue_runner_endpoint = http://localhost:9090
+    '';
+  };
+
+  systemd.services.hydra-queue-runner.enable = false;
+
+  services.nginx.virtualHosts."queue-runner.hydra.nix-community.org" = {
+    # disable defaults
+    enableACME = false;
+    forceSSL = false;
+
+    extraConfig = ''
+      client_max_body_size 5120M;
+      ssl_client_certificate ${./ca.crt};
+      ssl_verify_depth 2;
+      ssl_verify_client on;
+    '';
+
+    sslCertificate = "${./server.crt}";
+    sslCertificateKey = config.sops.secrets.queue-runner-server-key.path;
+    onlySSL = true;
+
+    locations."/".extraConfig = ''
+      # This is necessary so that grpc connections do not get closed early
+      # see https://stackoverflow.com/a/67805465
+      client_body_timeout 31536000s;
+      grpc_pass grpc://[::1]:50051;
+      grpc_read_timeout 31536000s; # 1 year in seconds
+      grpc_send_timeout 31536000s; # 1 year in seconds
+      grpc_socket_keepalive on;
+      grpc_set_header Host $host;
+      grpc_set_header X-Real-IP $remote_addr;
+      grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      grpc_set_header X-Forwarded-Proto $scheme;
+      grpc_set_header X-Client-DN $ssl_client_s_dn;
+      grpc_set_header X-Client-Cert $ssl_client_escaped_cert;
+    '';
+  };
+}

hosts/build03/secrets.yaml

@@ -11,6 +11,9 @@ buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+w
 buildbot-effects-nix-community-infra: ENC[AES256_GCM,data:wAYSvEza+1xjT/rIp5MtR3HEQe3OscRBtrWF/f6G/z+ftaiWXMfWhW9X8z53I20lzx9a6BqmO4jcWAGmXRSV4TX6wxKsUP9BnzxTImDS41zWfOtHV9sDifk6jmVJyAAsrY8CrebGTmPvWUXEUMmAZkUorQkv8gfxoL66GCtPfqa7d1OSKX8rAXd1YAJL58aXFeD6X6iZqo2tVd1OhlmUuFj5oum+9uLPjCY54IfilLlERw5DdTPDhMBdKt5owR0dpJDmp9t8i0AV2j4Hm36ZsY8L9ket1iB04MlapsUI24RiXHk+aFJqSy+0onvmqeniiBeaa106YomSQAS1cyOp0U+Rcqwhtnh9MNUZzciVXi2F5nkPzA3OcbQh8MDcJ/66z/VUkSac0iMXvr/47d5V0XCm9JSKXuijOUGTu9LRbdEAAQ+gsZ/Z8i6+9d75CeSoVH5Mtm7eU4CbhloNmpAcz5qyFf+sRgWz5qK8z1MwT795P/P/Oi2YQswtwnyLO7UkQ5tCrE+qcFxM9cAAcJzkzGctB5QdHDaPkkpMGic8vpAoYgx3t7Qmasuef96Fhhj4lk10sTTUrWZlnFbmduO/fDOULvisnW/BTpYsnsIPSKREg8wQAu7Fiu9EO0TZOagAQf03EiFDcxosetxPJIXoNWsZK/1LsX+7SnBBklVDtwxu6urOUCW8vYXD4aGZvkTGc6O6vwiOs+oEHd6J7Mes/+23hTzldnFobodwnzbRNVt/WT2FQjX5qFehyxbARL+EtT4MQC4sWGpXSybUs10=,iv:rdLHfK4NbCaMIIhhQd2MfVf1DdKKF9Sqe4Kxuy57yok=,tag:DPxsDTLIhA0d4KPXwseL9g==,type:str]
 temp-cache-key: ENC[AES256_GCM,data:weL92egwmo4z32jXmWjgbfHo6h61+mWwHrHVAg0N8cHzBOjgsAL3NTRgpiiaePw/FcZa1rJ/ygBGyUYJbIq036fxhd1I/Vu+dPFXz7PPIphRj/q8wru21qfLXep39rk+bIqsJJB2++070SCKwgRLb4re9cM05ah3,iv:sX78dExpTL+UFkHWfQmYN8nsZcMCFhrgXwvtzvoWdJA=,tag:j3MNmXSdQEuh9oYP00yJAw==,type:str]
 rfc39-record-ssh-key: ENC[AES256_GCM,data:2jmn3F+y1xFACYfUoxJqp7EAEZVVuDYUGISk7/d8xAfjfpnekAO8OHRVT+RSgLQuVXsV7ffocb3M319+Kgdp5/hRUr7zNlCkBTMdXz9XBHDUmeEjhjtjQCmH0WYRjLgpyDrUY4gk1+EuAIKY0J9MktKJ4JKIxSm0Keei2iByoXxIjQhHDNg48UXQBW0A8ZPqWPmJsHCFtGcQXSVG/rehGqYh2cDC5Q4XpU4Rw1j+ZyE81RakbNxWx/uIVvbQxGuYI3qXyOunllokj5jh8VBQUpz3QdCkIR7dFTuoBy7N79sdZntAqHhNdeZPLpxIVTNwGBzgTvdcA9PCQSIs7TYg7X7l98Z9QQUnSXpg3APz+jlsoOF/icXrcOxJBAPAhBqH/2mBUEjbNiWQR44cZi4Bt6n1LZCA0IniZsBwUFDE9o8a4z70Nc2QGcLLixbWc+g8GtrH1qxtXe2mZ13uWFL1THuIypJzrbGKAPV+NAao9Q60znzWgQiuSkN2eXaGZQLadEXi,iv:wbhy54VM7WqRSgjoyjYKenliXgxjd41lFJdTr+1UH84=,tag:DB7VXqK2RHdadeEHabTwRw==,type:str]
+queue-runner-ca-key: ENC[AES256_GCM,data:aNs2Xk3n6vAJIyFeYEj28Lm89gCAMN8op90Yo5U4HrnoxR+aJnwnF5sbwT989iNAjGpKdgu9KH47lo4maDJRSTLprEKb8ytEpUWTKgq6VTujPhlxDtdqlj2QtTeSJxlrXZwxLs/miH4a/qFUNcbmLJJmPLe+e7w=,iv:iEVZqsJjkXAJ7Dqadf9dyDTtTMLq6DX1gjE3GU11SUY=,tag:hFz/4Syc8vDtrPdKeiBe9w==,type:str]
+queue-runner-server-key: ENC[AES256_GCM,data:cxTbXFV2ckIk468TbrdHrqxZDvGJ7cCaI+/hbfzRtnYmT2W26f3SzjM4EDg9ZCQcXIcdb6Ii/bfCwJj/Yhp60t/o5QuBvYHoNgyrM9v7bRZeNwY3JE5EM64UEIIgSzT/WlOwvf7c+mSS+4n1MfeMoRPZQM5mbOg=,iv:VoL4YPCusW0/XNEBPAyC1SuHRCfvipmHamLxcPlN+ZM=,tag:Lrov4NonT6CRLWs2P9OKig==,type:str]
+queue-runner-client-key: ENC[AES256_GCM,data:CP16NvBDGOC0rOOxZO7EoIzWjdxEhpaPUM35RkkWoSgIlGYoXhT/1k/jaRAnyhfyj7h8rMBQMbgFeXqYAW6B7dTgxtB/HqDL7dZNk1HILhzYyMJlZ5+Px9S+qDutqJjwDhLSh7lyLOWBABjYYWAJEpNQ50Eakmc=,iv:K/FeMftONTpMMVcyfpCJFWhcoULdzwebl/k+aKM9NPw=,tag:VJU1QFjy3HAQQit8AtKPFA==,type:str]
 sops:
     age:
         - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
@@ -67,7 +70,7 @@ sops:
             WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
             FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-01T23:53:43Z"
-    mac: ENC[AES256_GCM,data:McXvWpN6kIprv2BOTCAqtDHiZv4xF3kmaltSJqGzfV3midOC8eeJVBwRhCU53h1TTJXoZU8Ar0cloNkiT1sqFFy8WUcdFC0NHHRnLAGX4ihSuSh5RA2odWUhua9QY73xfBwSGy876bVKtMzDVNMeecjRjBpZFJ3O/8FpKrMig/g=,iv:8iQPZv+jKJqI694cyJ5r0Je4jmvnmIj7QL06kq1ttwc=,tag:xP82ALLVO/Qq50TKx/1pWw==,type:str]
+    lastmodified: "2025-08-04T04:34:06Z"
+    mac: ENC[AES256_GCM,data:qpy+3Ifv9ydOKA51E/EoJjLZVhkEl/CwcqLu+rDCfTw920agoHXUMBeXCsiE3U3WoNPMJQUcQOXUr4MVZ/wtYHnGGqYHDlx3Ap0b1+Kjl0SJxlhpvib3mKpQEXTqh1bB5ylujydaDZasknjncWl96nKJG6KhF6xJE5zDqCaHWrU=,iv:kiLGLOnxIqpu+UpiBqx1pwkBqvncks8DBDqURp1BdGE=,tag:oJp0P+xeBinYhihUsqBWSg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

hosts/build03/server.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9DCCAaagAwIBAgIULzcgJlY8HPEN7WebeYdUwmvL0dMwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowTTEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEtMCsGA1UEAwwkcXVldWUtcnVu
+bmVyLmh5ZHJhLm5peC1jb21tdW5pdHkub3JnMCowBQYDK2VwAyEAZVsAufKBynGu
+MGDtn7Mryt5zkoxJ+Q3D/camesUKjFKjgaQwgaEwCQYDVR0TBAIwADALBgNVHQ8E
+BAMCA+gwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwLwYDVR0RBCgwJoIkcXVldWUt
+cnVubmVyLmh5ZHJhLm5peC1jb21tdW5pdHkub3JnMB0GA1UdDgQWBBQNqGtr7msZ
++1Ljn5sXVmxftth3KzAfBgNVHSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAF
+BgMrZXADQQCYRvZxS6cFMXTWr0Gy8svwctT6VL2Lfsrvg64SkmBFfFQdmlJpCSI1
+LCPSU5Q3NUMj6ILhZXN7J1cclj54iusD
+-----END CERTIFICATE-----

hosts/build04/client.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBiDCCATqgAwIBAgIULzcgJlY8HPEN7WebeYdUwmvL0dUwBQYDK2VwMD4xHDAa
+BgNVBAoME05peCBDb21tdW5pdHkgSW5mcmExHjAcBgNVBAMMFWh5ZHJhLXF1ZXVl
+LXJ1bm5lci1jYTAgFw0yNTA4MDQwNDMxMTFaGA8yMDc1MDcyMzA0MzExMVowRDEc
+MBoGA1UECgwTTml4IENvbW11bml0eSBJbmZyYTEkMCIGA1UEAwwbaHlkcmEtcXVl
+dWUtYnVpbGRlci1idWlsZDA0MCowBQYDK2VwAyEAHWeEmssQwnUKflXcxOHQ/C+l
+ocBon2fcXLTGHKqEG7WjQjBAMB0GA1UdDgQWBBT0YR68z7ajrcNtOduOKbQpWUpf
+yjAfBgNVHSMEGDAWgBSs13lAhWgE2ji+4Yvm6b5bCI9pYjAFBgMrZXADQQC5Le1B
+C6DawMayrg2mrwYcnlYdI9WZVLPDmtZTzSs74rPHHhSE+qxTueDVU6IQ/3v9extQ
+7cToX7Ts0bMxqeYJ
+-----END CERTIFICATE-----

hosts/build04/secrets.yaml

@@ -0,0 +1,61 @@
+queue-runner-client-key: ENC[AES256_GCM,data:MONqxLGUOaVBbn8G432CphX3TkfdYSqX3SzGpQfQ60xgZXBbug2VrJKS0i7JxFgRWxeWwZUqz3o5ZXTR9etUqGhVxnlEFNFYpH7tnKlyeJb+b7Vg9GJJA7DgxJH7C/5YHCEEbqEiLDCFjp9D1ImwdGK1RgjPORc=,iv:ZiooKszkmu6UqjFka6kO5BHTXYotsnj3/nkKuEll2tw=,tag:RsaXGwZAdj9p68bF3I9XNg==,type:str]
+sops:
+    age:
+        - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Qm4xS2xtblV6SkdHSlhj
+            NFRoZkMvd2pRY09MZmt2d2l1OVFMU1IrS2hvCjRFYkpWbGlsdTNwRUxndjJhYzdx
+            L21FOWVHV0tNeVZvaGJPYlNuL0pXdmsKLS0tIE96YTVTaFQ4YnM3MzNoUVRCbXg4
+            cWtRcENweEhnb0x2cWtJOUdOcElzeFUKvmP1L/hBMt1/rekkZVAuW7l+c9YjUor6
+            vIpJlOPYKgWOoiWmCAyI9oDd8ieWYAVlw2DCpq9/SmnXn0yXNGTTJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAranZjYWw3LzdtMTAxWWdk
+            cXo0aVNKS1Y2ZERkQUtVUk0rbE9zaXByK0M0CmVwaXpqUThKSEcxV2ZhU0VkRGov
+            MU1jNTIwNUxLTExUVXZVKzBjcGRkTkEKLS0tIE0wSzRhT09KWmdqNmk4aklKbEp5
+            NXFiV1JIaEQyRHd6SzgvVStnb3pkaTQKBvOkeDmhas+oj+Aw2ZZLz2UanJcRjyeH
+            d5vllyoUIqg1+S9GbNIYHGbvhytLaSJlljvLRmYEx7rwRzv95DIP1Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvaDZTSG9hYzlyYzVHQnlF
+            dmo4cFlSYThCT0hQUUdTVzN2RGxINDRBY1VNCjZVVTZ0NDJPenVzYmM3cGRleDhH
+            SDA4TmZNZjlESUplemZiNE83V045TUkKLS0tIEpWaUluSXMxRFNwTEJLMFU5QXpP
+            S3hFckJGNit1aVFCc0ZIT0N4OWlGaXMKVwYgsIAUDvGJVB/7t1zFIx2V7wMztpLb
+            4MsfIxQqhn8SnAwiEpu0wCQHLjQncXPVZhFnXy1Zqd5q0dtG5yAsRg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQ05VVHpqelY1ZkVTTnlu
+            TU9LUnNoYmJoZmU4VW1GSVYrZ3VFakpBQkZrClBReUR5cjV5ZXp1RnhCdTZDaVN5
+            Z2RyWlJRYTNRVVNJSHFzWXVaTVdQMjAKLS0tIGtGVkJuY3BhbFIyR3dKMEJRQzBt
+            Wkw4ZVo4NUhZTkNNNUxUbWw3SU9HbkUKW2orZiOVtl54drQB13JDjN/mtsKmpmWb
+            6TmvEt7qNyxlu1HpkeywuzT7iDbUqyh3t23Cp1UxsYnyS2djXEFDwA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNWkxLzFwTC90UGV0UnJu
+            aXJERFNHMFBaMHdnSk1RQ3d0OWowcGc0YjN3CmlNQnpzbUZJWUo5ZTF2UUNZbVBq
+            eUhocjczaXZVMm03c2x2dzJVV2ZhU1kKLS0tIHFXbVUvKy9UT1MzY2NQV1hwck1x
+            VkhuYUpmcTVOdFhHNzB1WjIvY1RzNTAKqQ4iuiG2PqIFXu7T8/CVsRtC49Ydqzsh
+            mMDcYwHc/7/6by23CudFgqJ6RwrMPKR1laSokhIYNbhUpU2uJjvJvA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Sm4wQUVXdm1NdjBqMHFB
+            Wk0yV3VRejU1cy9QK05hcDJqbThFeG5LampJCjdlU2V5MWlTSkhIVnpHcGkwU1l0
+            WW5teE04eXpPckF3bmt6a1JoMnZ4bTQKLS0tIEtud0tXaGFVaXEzbXVFaVlTT0k2
+            VStSb0NaZG5yczdaaXdsUmU3U2RTUTAKJ2IVAccM023SboKeWDaO1B4zzCrMdEPS
+            pdCMhZXIq0DJL415+081IEcx7/UxYx4vfxcJa2Kyu8aRfMXTwTg6kQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-04T04:34:19Z"
+    mac: ENC[AES256_GCM,data:6UWlFNdHDst6El8o1PRxNSvLyGWxX7AtTmTRq3TfZxLY3ROD4coxwXnGpf+xolCV/EZZYLXS98wmts3YhUv7LuOPEY8jroh8T5c7x9sBeA8EuQUXDkxDZgD+DtjeqwSAA+5op8SdbVPhtBtH0bKoGAdNp/Ep800aCpSwRqyJlEw=,iv:4hotQiNPfLJ6GXQldtbzKoB+sfZRvX5ctVy3c+D1z38=,tag:edOe2Ef03YRQ1lKxfSo1Cw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

modules/nixos/ci-builder.nix

@@ -1,3 +1,24 @@
 {
-  imports = [ ../shared/ci-builder.nix ];
+  config,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ../shared/ci-builder.nix
+    "${inputs.self}/modules/queue-runner/hydra-queue-builder-v2.nix"
+  ];
+
+  sops.secrets.queue-runner-client-key.owner = "hydra-queue-builder";
+
+  nixCommunity.hydra-queue-builder-v2 = {
+    enable = true;
+    queueRunnerAddr = "https://queue-runner.hydra.nix-community.org";
+    mtls = {
+      serverRootCaCertPath = "${../../hosts/build03/ca.crt}";
+      clientCertPath = "${../../hosts/${config.networking.hostName}/client.crt}";
+      clientKeyPath = config.sops.secrets.queue-runner-client-key.path;
+      domainName = "queue-runner.hydra.nix-community.org";
+    };
+  };
 }

modules/nixos/hydra.nix

@@ -4,20 +4,17 @@
   lib,
   ...
 }:
-let
-  inherit (lib) concatStringsSep;
-  localSystems = [
-    "builtin"
-    pkgs.stdenv.hostPlatform.system
-  ];
-in
 {
   sops.secrets.hydra-admin-password.owner = "hydra";
   sops.secrets.hydra-users.owner = "hydra";
 
   # hydra-queue-runner needs to read this key for remote building
   sops.secrets.id_buildfarm.owner = "hydra-queue-runner";
 
+  nix.settings.extra-allowed-users = [
+    "hydra-www"
+    "hydra"
+  ];
   nix.settings.keep-outputs = lib.mkForce false;
 
   nix.settings.allowed-uris = [
@@ -42,22 +39,15 @@ in
     hydra-send-stats.enable = false;
   };
 
-  environment.etc."nix/hydra/localhost".text = ''
-    localhost ${concatStringsSep "," localSystems} - 3 1 ${concatStringsSep "," config.nix.settings.system-features} - -
-  '';
   environment.etc."nix/hydra/machines".source =
     pkgs.runCommand "machines" { machines = config.environment.etc."nix/machines".text; }
       ''
-        printf "$machines" | grep -e bsd -e linux > $out
-        substituteInPlace $out --replace-fail 'ssh-ng://' 'ssh://'
-        substituteInPlace $out --replace-fail ' 80 ' ' 3 '
+        printf "$machines" | grep -e bsd > $out
       '';
 
   services.hydra = {
     enable = true;
-    # remote builders set in /etc/nix/machines + localhost
     buildMachinesFiles = [
-      "/etc/nix/hydra/localhost"
       "/etc/nix/hydra/machines"
     ];
     hydraURL = "https://hydra.nix-community.org";