diff --git a/flake.lock b/flake.lock index 5125259..ff60e97 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1720546205, + "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "agenix-rekey": { + "inputs": { + "devshell": "devshell", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1721402988, + "narHash": "sha256-O5j5y5gpssVF5FNsSF7joTyrlW//LpwyLk6yBWgQ0VE=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "3f1c787e2092d9c13142ae7572cc1c52b68f1c4c", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, "auxolotl-website": { "inputs": { "nixpkgs": [ @@ -21,9 +65,51 @@ "url": "https://git.auxolotl.org/auxolotl/website" } }, + "buildbot-nix": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1721402843, + "narHash": "sha256-/DiRx6TgI/3KcrgO5SAs0FjLz68j7lqp3kf8MbfSCcw=", + "owner": "nix-community", + "repo": "buildbot-nix", + "rev": "5bdbb7609689989a79f7d6e6e59c4b7985634230", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "buildbot-nix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "nixpkgs" ], @@ -43,7 +129,45 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "systems": "systems_2" + }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, @@ -59,7 +183,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -75,7 +199,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1650374568, @@ -91,61 +215,28 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719994518, + "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils-plus": { - "inputs": { - "flake-utils": "flake-utils" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils-plus_2": { - "inputs": { - "flake-utils": "flake-utils_2" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils_2": { "inputs": { "systems": "systems_3" }, @@ -163,7 +254,170 @@ "type": "github" } }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_3" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1721215108, + "narHash": "sha256-aOiSBcftoGye0spDdIylZE6TVTo7C/B4atYH25tSemQ=", + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "7edc243443b44444eba596557de03ee52beca2eb", + "type": "github" + }, + "original": { + "owner": "Nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1719848872, "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", @@ -179,18 +433,49 @@ "type": "github" } }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "agenix-rekey", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1694364351, + "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", + "agenix-rekey": "agenix-rekey", "auxolotl-website": "auxolotl-website", + "buildbot-nix": "buildbot-nix", "deploy-rs": "deploy-rs", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "snowfall-lib": "snowfall-lib_2", "unstable": "unstable" } }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "auxolotl-website", @@ -213,7 +498,7 @@ }, "snowfall-lib_2": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" @@ -279,6 +564,72 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1721059077, + "narHash": "sha256-gCICMMX7VMSKKt99giDDtRLkHJ0cwSgBtDijJAqTlto=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "0fb28f237f83295b4dd05e342f333b447c097398", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "unstable": { "locked": { "lastModified": 1714906307, @@ -297,7 +648,7 @@ }, "utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_5" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 4e23335..e89fee2 100644 --- a/flake.nix +++ b/flake.nix @@ -8,7 +8,6 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - snowfall-lib = { url = "github:snowfallorg/lib/dev"; inputs.nixpkgs.follows = "nixpkgs"; @@ -26,6 +25,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + buildbot-nix.url = "github:nix-community/buildbot-nix"; + # Do not override nixpkgs in buildbot-nix (see https://github.com/nix-community/buildbot-nix) + deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; @@ -52,6 +54,8 @@ systems.modules.nixos = [ inputs.agenix.nixosModules.default inputs.agenix-rekey.nixosModules.default + inputs.buildbot-nix.nixosModules.buildbot-master + inputs.buildbot-nix.nixosModules.buildbot-worker ]; deploy = lib.mkDeploy { diff --git a/modules/nixos/auxolotl/services/ci/master/default.nix b/modules/nixos/auxolotl/services/ci/master/default.nix new file mode 100644 index 0000000..5fef202 --- /dev/null +++ b/modules/nixos/auxolotl/services/ci/master/default.nix @@ -0,0 +1,110 @@ +# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors +# +# SPDX-License-Identifier: GPL-3.0-only + +{ + lib, + pkgs, + config, + inputs, + ... +}: let + cfg = config.auxolotl.services.ci.master; +in { + options.auxolotl.services.ci.master = { + enable = lib.mkEnableOption "Enable the buildbot-nix master on this server"; + + forgeUrl = lib.mkOption { + type = lib.types.str; + default = "https://${config.auxolotl.services.forge.subdomain}.${config.auxolotl.services.forge.domain}"; + description = "The url your gitea/forgejo forge is hosted at"; + }; + + domain = lib.mkOption { + type = lib.types.str; + default = "auxolotl.org"; + description = "The domain name for the website."; + }; + + subdomain = lib.mkOption { + type = lib.types.str; + default = "builds"; + description = "The subdomain for the website."; + }; + + oauth = { + clientId = lib.mkOption { + type = lib.types.str; + description = "The client ID for your gitea/forgejo app"; + }; + clientSecretFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the client secret for your gitea/forgejo app, readable by the 'buildbot' user"; + }; + }; + + tokenFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the personal access token for your gitea/forgejo user. You should probably make a new 'ci' user for this purpose, although this is not strictly required"; + }; + + webhookSecretFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the secret for your gitea/forgejo triggering webhooks"; + }; + + databasePasswordFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the password for the buildbot postgres user"; + }; + + workersFile = lib.mkOption { + type = lib.types.str; + description = "A file containing a list of workers, passwords, etc. as JSON. See https://github.com/nix-community/buildbot-nix/blob/5bdbb7609689989a79f7d6e6e59c4b7985634230/examples/master.nix#L13 for an example"; + }; + }; + + config = lib.mkIf cfg.enable { + services.buildbot-nix.master = { + enable = true; + + authBackend = "gitea"; # Forgejo and gitea are similar enough to ... + + gitea = { + inherit (cfg) tokenFile webhookSecretFile; + + instanceUrl = cfg.forgeUrl; + + oauthId = cfg.oauth.clientId; + oauthSecretFile = cfg.oauth.clientSecretFile; + }; + + admins = [ + "jakehamilton" + "isabelroses" + "minion" + + "AxelSilverdew" + "coded" + "srd424" + ]; + # Admins is currently Steering+Infrastructure committees + # We should consider how best to proceed with this... + + workersFile = cfg.workersFile; + buildSystems = [ pkgs.hostPlatform.system ]; + + domain = "${cfg.subdomain}.${cfg.domain}"; + useHTTPS = true; + + buildbotNixpkgs = pkgs; + + outputsPath = "/var/lib/buildbot/outputs"; + }; + + services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + }; + }; +} diff --git a/modules/nixos/auxolotl/services/ci/worker/default.nix b/modules/nixos/auxolotl/services/ci/worker/default.nix new file mode 100644 index 0000000..c135bd4 --- /dev/null +++ b/modules/nixos/auxolotl/services/ci/worker/default.nix @@ -0,0 +1,40 @@ +# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors +# +# SPDX-License-Identifier: GPL-3.0-only + +{ + lib, + pkgs, + config, + inputs, + ... +}: let + cfg = config.auxolotl.services.ci.worker; +in { + options.auxolotl.services.ci.worker = { + enable = lib.mkEnableOption "Enable a buildbot-nix worker on this server"; + + masterUrl = lib.mkOption { + type = lib.types.str; + description = "The master url for the buildbot worker"; + default = if config.auxolotl.services.ci.master.enable + then "tcp:host=localhost:port=9989" + else throw "auxolotl.services.ci.worker: You must either set a master URL or run a master on this server"; + }; + + workerPasswordFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the password for this worker"; + }; + }; + + config = lib.mkIf cfg.enable { + services.buildbot-nix.worker = { + enable = true; + + buildbotNixpkgs = pkgs; + + inherit (cfg) masterUrl workerPasswordFile; + }; + }; +} diff --git a/secrets/generated/baxter/services.ci.master.webhookSecretFile.age b/secrets/generated/baxter/services.ci.master.webhookSecretFile.age new file mode 100644 index 0000000..810d4b1 --- /dev/null +++ b/secrets/generated/baxter/services.ci.master.webhookSecretFile.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg A70wMCisOjVzR3ug4BLjnWaiySAkBRDLS80G5F+HgP90 +5eo4VyKyOpO3s1ab5tYWrPJLp2NDoNfOLssPJz1X6sM +-> piv-p256 Hpt/+Q Ap55RMoW+ydJ/CWdY4f+dT3m+e6iKe+OJlE3ORgH5jl/ +XjwSs/jqumcvnOsfKM97NbjuKelP7bxz87fXqDajmto +-> piv-p256 zfskmQ A6uIgMEgAQONVDgcpqh935TcbNVHPdGR+a8y2fsY0dw4 +0eByad5OHK5Gap5Eq+jA5j1cWHS8q6cKvR9VKD5gXg4 +-> LOt-grease %/=M +fgFp1gevlSUjaT26jP0yiRZNh3H9IlhZtJDt61WublxpuNhISVSNSqXat86tXjOZ +iEd+ +--- 8HghOj3gAYLyGa2/z7ep5TbdSmrzhi7Bv333id6/XRY +O:&-3sQsDF<̅ fDXb.TxdR 3YBqs"Nlٚ \ No newline at end of file diff --git a/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age b/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age new file mode 100644 index 0000000..cc74ebf Binary files /dev/null and b/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age differ diff --git a/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age b/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age new file mode 100644 index 0000000..c65bcee --- /dev/null +++ b/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA 5MtkO2R8f6CVXX4c2n3BOiAMzExUSwfm4u+TQIHamEg +i3SUH1s0UYAUhfZmCkrBw7BN5NTTtQIwGl0ITQht0XM +-> [[E3wgE-grease xW^ t/4SAoK@ +8dSbS93buyIBRyWFPg +--- 4ySt+P89sGFFAdDieoRwozA/Hsq+FqA2wWNcMwQ3a74 +TTUV+E{YDLM_.P$y^mO͚S(S;TgN(N aT Q \ No newline at end of file diff --git a/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age b/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age new file mode 100644 index 0000000..1422b16 Binary files /dev/null and b/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age differ diff --git a/secrets/rekeyed/baxter/611a4946b7c2a4de9aa8f6175cf92d7f-services.ci.master.webhookSecretFile.age b/secrets/rekeyed/baxter/611a4946b7c2a4de9aa8f6175cf92d7f-services.ci.master.webhookSecretFile.age new file mode 100644 index 0000000..08dc330 --- /dev/null +++ b/secrets/rekeyed/baxter/611a4946b7c2a4de9aa8f6175cf92d7f-services.ci.master.webhookSecretFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA 3AdBBzRTHv35vrflVzH1z/8YV5SJykizTzOtKOgucRI +eU/l9cWEF9ix2fK8YqqlHuBdJdISERVVZAdRnAXfKFA +-> Cf*79d-grease +Mft5A1hDcFzr+nA1uE6kNLlN26I +--- HkABm597GfKIRwYRHvYV6tCoFeiNN3tAEEgnctlGCo8 +x^qc73^јNZHh?8GӔTw]y,Q8H xVG+O$y \ No newline at end of file diff --git a/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age b/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age new file mode 100644 index 0000000..02eb3a8 Binary files /dev/null and b/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age differ diff --git a/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age b/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age new file mode 100644 index 0000000..df80bfa --- /dev/null +++ b/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA EOHfjGuxu4lGCf1BVX4yI6GEULyMjqgijUjozsNxCnk +9cT0bTKNP73guNnwSmDVn+gSZwnF4Wweq4DlvHdWUkA +-> )|AUL?-grease +&*1J$ uR@9HO ,nfE ULx2MW"l +7Z3ZhFGj/dlmd6s1W2AESyALUeslyMrLiVN6X+Uo8w +--- 2i6p/11kcpcMhZUItUPfqCUp+9ykJq+T4mGg1oYw7gE +$w4؎r}(1hue&f>40G\D.%<&dK\ \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/default.nix b/systems/x86_64-linux/baxter/default.nix index 3841c2a..5f754c8 100644 --- a/systems/x86_64-linux/baxter/default.nix +++ b/systems/x86_64-linux/baxter/default.nix @@ -46,8 +46,49 @@ services = { ssh.enable = true; forge.enable = true; + + ci = { + master = { + enable = true; + + tokenFile = config.age.secrets."services.ci.master.tokenFile".path; + webhookSecretFile = config.age.secrets."services.ci.master.webhookSecretFile".path; + oauth = { + clientId = "76e70591-79a6-4a2f-8319-317f46800519"; + clientSecretFile = config.age.secrets."services.ci.master.oauth.clientSecretFile".path; + }; + + workersFile = config.age.secrets."services.ci.master.workersFile.json".path; + }; + worker = { + enable = true; + workerPasswordFile = config.age.secrets."services.ci.worker.workerPasswordFile".path; + }; + }; }; }; + age.secrets."services.ci.master.tokenFile" = { + rekeyFile = ./services.ci.master.tokenFile.age; + group = "buildbot"; + }; + age.secrets."services.ci.master.webhookSecretFile" = { + generator.script = "alnum"; + group = "buildbot"; + }; + age.secrets."services.ci.master.oauth.clientSecretFile" = { + rekeyFile = ./services.ci.master.oauth.clientSecretFile.age; + group = "buildbot"; + }; + age.secrets."services.ci.master.workersFile.json" = { + rekeyFile = ./services.ci.master.workersFile.json.age; + group = "buildbot"; + }; + + age.secrets."services.ci.worker.workerPasswordFile" = { + generator.script = "alnum"; + group = "buildbot"; + }; + system.stateVersion = "23.11"; } diff --git a/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age b/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age new file mode 100644 index 0000000..1c09e17 --- /dev/null +++ b/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg A+D0j6/XAOWgbzbOKKNX3IaA0RCZSYG1lWXNL7ErYKjh +p3kgqbWj5T0D1pbStNRjHpKPbv4sMvrHXDpBk5Ym8LE +-> piv-p256 Hpt/+Q AgIoOHkn/1EJRoaMHTVR2nO2ub1F2UoRjYaJIpmvXzty +tGfVG9kUG94wZSwwkFEcJK6ehvaHHUVa1eJBXjyQnW4 +-> piv-p256 zfskmQ AhG7AZlLuJ2JwfojMJIZKAjGlgUgssK2JlsBjcAkdehP +Yr8a6Cx7S08KBYkbTYoPHAROllXvGsMkS1lKv+3cP4I +-> D^7VNXi7-grease C !pw j +nIH+2iyF2LotQqzFroxVIgeFVnvMjYhsO27Egb7UU/zavBgrY2Grc30v3AptjT2j +I4q23DfwVcU5OYXq4HYHnC4zwKI +--- XOlDFARRpwZ/ew4vOTsDt5dkAfTNNfmVKfVB+2fGwHE +.a-.= c9:P7d96 1 b;24f!nCFjJm׫rwt%F{QI  \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age b/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age new file mode 100644 index 0000000..e8c3dd7 --- /dev/null +++ b/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg Ags6YIwJfw361Tg6pfdxGUZDDegofZk+xIPWpEbSps02 +oSq4ycmqQjeYrnBDAb1PyK8KnWySOyukcvhS8OXW82A +-> piv-p256 Hpt/+Q AgvQ2nuF4CELPs7L9OJEeoXk2TpPLNWkQ8TYrZIyJiZ3 +KFkj1om15tbZVCM1zmG7/zjhJSGwRDSP5wfB+9HuBP4 +-> piv-p256 zfskmQ A551KXlyYGw0E4X3VUSnyPEdXdEIcQBoLFbf4yoc2pEF +JEheQDNOFweKrO8AfKyS2acuzpN77g/qwdHJzWXzUew +-> 6U;sLGZs-grease 6 +Ug2KSn6pQ5KWyTb7A3l/dN3G8C9v3QlJp4PXzw +--- 8jZf5hxeOQO2fk9vafkEkpAlHEXKO/EZIrP0YkLkI+4 +(Kwk`ލ.Qv{q <|rDIoϮnZQlj#46lZ"UF2Y! \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age b/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age new file mode 100644 index 0000000..682cd66 Binary files /dev/null and b/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age differ