-
-
Notifications
You must be signed in to change notification settings - Fork 98
Hydra Accounts
Anybody can create a Hydra account by signing in with Google. Hydra will create your account automatically when you sign in.
If you use a privacy blocker like uBlock Origin, you will need to disable the extension while logging in. You can re-enable it after.
- Click Sign In
- Then click Sign in with Google
Your account is now created. If you need additional roles, ask in
#infra:nixos.org
or open a ticket on this repository. See Deciding on
Roles.
Note: we strongly prefer users register with a Google account. Creating a Hydra account through this method is labor-intensive and does not provide self-service account management tools.
We will only create an account like this for people who don't have a Google account who also has a responsibility which requires it. For example, we may create a local account for release managers without any Google account.
- Your account name; preferrably, this should match your
maintainers.nix
account name. - Your full name
- Your email address
- The admin will coordinate on how to configure the password.
- Please communicate these over a secure channel of your choosing to the admin.
-
Verify all credentials the user has provided using a second secure channel.
-
Identify the roles appropriate for the user. See Deciding on Roles.
-
Create the hydra user, granting them roles corresponding to a well-known, regular contributor:
hydra-create-user --type hydra --full-name "$account_name" --email-address "$email_address" --password-hash "$hashed_password" --role restart-jobs --role cancel-build
Users should receive as few privileges as possible for them to do accomplish their task. Sometimes, users will have their roles revoked after their access is no longer needed.
A full list of roles are in the Hydra source code at: https://github.com/NixOS/hydra/blob/2d79b0a4da9e2a8ff97c1173aa56fe92e1f4629b/src/root/user.tt#L89-L94 Note: You may need to view a more recent revision of the repository, looking for a similar bit of code.
Some of these roles are more sensitive than others. The following roles are in an increasing order of sensitivity:
-
restart-jobs
(low risk) - The user can instruct Hydra to build a failed job again. -
cancel-build
(low risk) - The user can cancel a queued or running job. -
eval-jobset
(low risk) - The user can trigger an evaluation for a jobset -
bump-to-front
(medium risk) - The user can increase the priority of a job or jobs using "Bump to Front". -
create-projects
(high risk) - The user can create new projects and jobsets. -
admin
- (very high risk) - The user can do anything.
- A regular contributor who is still new may receive
restart-jobs
. - A well-known, regular contributor or package set maintainer may receive
restart-jobs
,cancel-build
andeval-jobset
. - A release manager may receive
restart-jobs
,cancel-build
, andbump-to-front
. - A well-known member of the NixOS security team may receive
restart-jobs
,cancel-build
, andbump-to-front
. - A long-term contributor who is well known by the Infrastructure team might receive
create-projects
. - Only members of the NixOS Infrastructure Team may receive
admin
.