fix(service/hydra): remove restrict-eval and adjust settings

hosts/faunus-ater/modules/hydra.nix

@@ -6,10 +6,23 @@
 }: {
   services.hydra = {
     enable = true;
-    package = pkgs.hydra;
-    notificationSender = "hydra@home";
-    hydraURL = "http://faunus-ater:${builtins.toString config.services.hydra.port}";
+    package = pkgs.hydra.overrideAttrs (old: {
+      patches =
+        (
+          if old ? patches
+          then old.patches
+          else []
+        )
+        ++ [
+          ../../../patches/hydra-replace-restrict-with-pure-eval.patch
+        ];
+    });
+    notificationSender = "hydra@hydra.tammena.me";
+    hydraURL = "https://hydra.tammena.me";
     minimumDiskFree = 10;
+    extraConfig = ''
+      evaluator_restrict_eval = false
+    '';
     useSubstitutes = true;
   };
 
@@ -47,9 +60,6 @@
     Host *
       StrictHostKeyChecking accept-new
   '';
-  nix.extraOptions = ''
-    allowed-uris = http: https: github
-  '';
 
   systemd.services."hydra-initial-setup" = {
     description = "Setup hydra admin password once";

patches/hydra-replace-restrict-with-pure-eval.patch

@@ -0,0 +1,13 @@
+diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
+index 2794cc62..bd6416e9 100644
+--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
++++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
+@@ -327,7 +327,7 @@ int main(int argc, char * * argv)
+ 
+         /* Prevent access to paths outside of the Nix search path and
+            to the environment. */
+-        evalSettings.restrictEval = true;
++        evalSettings.restrictEval = config->getBoolOption("evaluator_restrict_eval", true);
+ 
+         /* When building a flake, use pure evaluation (no access to
+            'getEnv', 'currentSystem' etc. */