

3 commits

Skyler Grey 198b4dff20 feat(baxter): Add buildbot CI
For a while we've been lacking a CI, which has led to problems such as
an inability to enforce REUSE, as well as an inability to build and
deploy docs-site automatically

Buildbot is commonly used (nix-community, lix, etc.), and very
extensible, which we hope will benefit us over something like Hydra or
Typhon

The buildbot instance is available at https://builds.auxolotl.org
2024-07-27 00:08:27 +00:00
Skyler Grey e8e8b54465 chore(reuse): Remove unused license 2024-07-25 22:51:41 +00:00
Skyler Grey 919b3c4e73 feat: Add agenix-rekey
Agenix-rekey is a project which uses rage to encrypt secrets for hosts
where they're needed. We'll need it for a future commit with buildbot
2024-07-25 22:50:00 +00:00
26 changed files with 776 additions and 95 deletions


@ -1,10 +0,0 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Auxolotl Infrastructure
Upstream-Contact: Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>
Source: https://auxolotl.org
# Sample paragraph, commented out:
#
# Files: src/*
# Copyright: $YEAR $NAME <$CONTACT>
# License: ...


@ -1,9 +0,0 @@
MIT License
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

24
REUSE.toml Normal file

@ -0,0 +1,24 @@
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: CC0-1.0
version = 1
SPDX-PackageName = "Auxolotl Infrastructure"
SPDX-PackageSupplier = "Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>"
SPDX-PackageDownloadLocation = "https://auxolotl.org"
[[annotations]]
path = "secrets/generated/**"
SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
SPDX-License-Identifier = "CC0-1.0"
[[annotations]]
path = "secrets/rekeyed/**"
SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
SPDX-License-Identifier = "CC0-1.0"
[[annotations]]
path = "**/*.age"
SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
SPDX-License-Identifier = "CC0-1.0"


@ -1,5 +1,49 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1720546205,
"narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
"owner": "ryantm",
"repo": "agenix",
"rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"agenix-rekey": {
"inputs": {
"devshell": "devshell",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1721402988,
"narHash": "sha256-O5j5y5gpssVF5FNsSF7joTyrlW//LpwyLk6yBWgQ0VE=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "3f1c787e2092d9c13142ae7572cc1c52b68f1c4c",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "agenix-rekey",
"type": "github"
}
},
"auxolotl-website": {
"inputs": {
"nixpkgs": [
@ -21,20 +65,62 @@
"url": "https://git.auxolotl.org/auxolotl/website"
}
},
"buildbot-nix": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1722025605,
"narHash": "sha256-WKgvUD1V5w3GQ/uycqHMmYXhYvbB0T0EnKFeQ8hb6j8=",
"owner": "nix-community",
"repo": "buildbot-nix",
"rev": "225d286fa78389329168befc5d26888e317d0d0d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "buildbot-nix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_3",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1711973905,
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
"lastModified": 1718194053,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github"
},
"original": {
@ -43,7 +129,45 @@
"type": "github"
}
},
"devshell": {
"inputs": {
"nixpkgs": [
"agenix-rekey",
"nixpkgs"
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1695195896,
"narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=",
"owner": "numtide",
"repo": "devshell",
"rev": "05d40d17bf3459606316e3e9ec683b784ff28f16",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@ -59,7 +183,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -75,7 +199,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@ -91,61 +215,28 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"buildbot-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils-plus": {
"inputs": {
"flake-utils": "flake-utils"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils-plus_2": {
"inputs": {
"flake-utils": "flake-utils_2"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
@ -163,13 +254,177 @@
"type": "github"
}
},
"flake-utils-plus": {
"inputs": {
"flake-utils": "flake-utils_2"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils-plus_2": {
"inputs": {
"flake-utils": "flake-utils_3"
},
"locked": {
"lastModified": 1715533576,
"narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"agenix-rekey",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1719848872,
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1721838734,
"narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
"owner": "Nixos",
"repo": "nixpkgs",
"rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
"type": "github"
},
"original": {
"owner": "Nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1721743106,
"narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f",
"type": "github"
},
"original": {
@ -179,18 +434,49 @@
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"agenix-rekey",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"agenix-rekey",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1694364351,
"narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"agenix-rekey": "agenix-rekey",
"auxolotl-website": "auxolotl-website",
"buildbot-nix": "buildbot-nix",
"deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_3",
"snowfall-lib": "snowfall-lib_2",
"unstable": "unstable"
}
},
"snowfall-lib": {
"inputs": {
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"auxolotl-website",
@ -213,18 +499,18 @@
},
"snowfall-lib_2": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"flake-utils-plus": "flake-utils-plus_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1713814392,
"narHash": "sha256-IanrgtpgDqxGfzNczstspPljAHKaY0e4DGvYgdAwC1Y=",
"lastModified": 1717625599,
"narHash": "sha256-qX9VJizFEoiRWDEiVs5+2w4FclQNQVVPvGPESsZ1F8k=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "91ab40c2e01cc1bade8092604370964ee86e9317",
"rev": "5a10d2e37b6c6223763fa7c00b974875e49f93cc",
"type": "github"
},
"original": {
@ -279,13 +565,79 @@
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"buildbot-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721769617,
"narHash": "sha256-6Pqa0bi5nV74IZcENKYRToRNM5obo1EQ+3ihtunJ014=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8db8970be1fb8be9c845af7ebec53b699fe7e009",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1714906307,
"narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
"lastModified": 1721743106,
"narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
"rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f",
"type": "github"
},
"original": {
@ -297,7 +649,7 @@
},
"utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,


@ -8,17 +8,26 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
snowfall-lib = {
url = "github:snowfallorg/lib/dev";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
agenix-rekey = {
url = "github:oddlama/agenix-rekey";
inputs.nixpkgs.follows = "nixpkgs";
};
auxolotl-website = {
url = "git+https://git.auxolotl.org/auxolotl/website";
inputs.nixpkgs.follows = "nixpkgs";
};
buildbot-nix.url = "github:nix-community/buildbot-nix";
# Do not override nixpkgs in buildbot-nix (see https://github.com/nix-community/buildbot-nix)
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
@ -37,8 +46,16 @@
};
in
lib.mkFlake {
overlays = with inputs; [
auxolotl-website.overlays.default
overlays = [
inputs.auxolotl-website.overlays.default
inputs.agenix-rekey.overlays.default
];
systems.modules.nixos = [
inputs.agenix.nixosModules.default
inputs.agenix-rekey.nixosModules.default
inputs.buildbot-nix.nixosModules.buildbot-master
inputs.buildbot-nix.nixosModules.buildbot-worker
];
deploy = lib.mkDeploy {
@ -49,6 +66,11 @@
};
};
agenix-rekey = inputs.agenix-rekey.configure {
userFlake = inputs.self;
nodes = inputs.self.nixosConfigurations;
};
checks =
builtins.mapAttrs
(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
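Review bot: `agenix.url = "github:ryantm/agenix";` in the inputs hunk carries no `inputs.nixpkgs.follows`, unlike the neighbouring `agenix-rekey`, `auxolotl-website` and `deploy-rs` entries, and the flake.lock section confirms the cost: a second `nixpkgs` node plus `darwin` and `home-manager` nodes that only agenix uses. That widens what a future `nix flake update` pulls in and what has to be audited per pinned revision; `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps a single nixpkgs (agenix's README also suggests `inputs.darwin.follows = "";` where no darwin hosts exist). The buildbot-nix exception is deliberate per its comment, but that comment sits below the line it explains and links to the repository root; move it above `buildbot-nix.url` and point at the specific README section so the next reader does not "fix" it. The `inputs = {` attribute set opened in this hunk closes outside it.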


@ -0,0 +1,18 @@
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
{ config, lib, pkgs, inputs, ... }:
{
age.rekey = {
masterIdentities = [
"${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
"${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
"${inputs.self}/secrets/keys/minion/iyubikey.pub"
];
storageMode = "local";
generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
};
}
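Review bot: `age.rekey.masterIdentities` has no comment saying what these three identities are or how one is added or revoked, yet any one of them can decrypt and rekey every secret under `secrets/`. All three `.pub` files added in this commit carry `# Name: MINION_…` headers, so custody appears to rest with a single operator; that is a recovery and rotation risk worth stating next to the list rather than leaving implicit. Suggested comment above the list: `# Master identities: any one of these can decrypt and rekey every host secret. Add a new key here and rekey; on loss of a key, remove it here and rekey immediately.` `storageMode = "local"` likewise deserves a one-line comment noting that rekeyed ciphertexts are committed under `secrets/rekeyed/<host>` so reviewers do not mistake those files for plaintext.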


@ -0,0 +1,112 @@
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
{
lib,
pkgs,
config,
inputs,
...
}: let
cfg = config.auxolotl.services.ci.master;
in {
options.auxolotl.services.ci.master = {
enable = lib.mkEnableOption "Enable the buildbot-nix master on this server";
forgeUrl = lib.mkOption {
type = lib.types.str;
default = "https://${config.auxolotl.services.forge.subdomain}.${config.auxolotl.services.forge.domain}";
description = "The url your gitea/forgejo forge is hosted at";
};
domain = lib.mkOption {
type = lib.types.str;
default = "auxolotl.org";
description = "The domain name for the website.";
};
subdomain = lib.mkOption {
type = lib.types.str;
default = "builds";
description = "The subdomain for the website.";
};
oauth = {
clientId = lib.mkOption {
type = lib.types.str;
description = "The client ID for your gitea/forgejo app";
};
clientSecretFile = lib.mkOption {
type = lib.types.str;
description = "A file containing the client secret for your gitea/forgejo app, readable by the 'buildbot' user";
};
};
tokenFile = lib.mkOption {
type = lib.types.str;
description = "A file containing the personal access token for your gitea/forgejo user. You should probably make a new 'ci' user for this purpose, although this is not strictly required";
};
webhookSecretFile = lib.mkOption {
type = lib.types.str;
description = "A file containing the secret for your gitea/forgejo triggering webhooks";
};
databasePasswordFile = lib.mkOption {
type = lib.types.str;
description = "A file containing the password for the buildbot postgres user";
};
workersFile = lib.mkOption {
type = lib.types.str;
description = "A file containing a list of workers, passwords, etc. as JSON. See https://github.com/nix-community/buildbot-nix/blob/5bdbb7609689989a79f7d6e6e59c4b7985634230/examples/master.nix#L13 for an example";
};
};
config = lib.mkIf cfg.enable {
services.buildbot-nix.master = {
enable = true;
authBackend = "gitea"; # Forgejo and gitea are similar enough to ...
gitea = {
inherit (cfg) tokenFile webhookSecretFile;
instanceUrl = cfg.forgeUrl;
oauthId = cfg.oauth.clientId;
oauthSecretFile = cfg.oauth.clientSecretFile;
topic = null;
};
admins = [
"jakehamilton"
"isabelroses"
"minion"
"AxelSilverdew"
"coded"
"srd424"
];
# Admins is currently Steering+Infrastructure committees
# We should consider how best to proceed with this...
workersFile = cfg.workersFile;
buildSystems = [ pkgs.hostPlatform.system ];
domain = "${cfg.subdomain}.${cfg.domain}";
useHTTPS = true;
buildbotNixpkgs = pkgs;
outputsPath = "/var/lib/buildbot/outputs";
};
services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
forceSSL = true;
enableACME = true;
};
};
}
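Review bot: The `domain` and `subdomain` option descriptions, `description = "The domain name for the website."` and `description = "The subdomain for the website."`, look copied from another module; this file configures the buildbot master, so they should read `"The domain the buildbot web UI is served under"` and `"The subdomain for the buildbot web UI"`. The comment on `authBackend = "gitea"; # Forgejo and gitea are similar enough to ...` stops mid-sentence; finish it so it records which part of the Gitea API surface buildbot-nix relies on and that the Forgejo forge provides it. The `admins` list is the authorization boundary for the master UI and the trailing comment says it mirrors two committees; a comment naming where the canonical membership list lives would make it reviewable when members change. The descriptions for `clientSecretFile`, `tokenFile` and friends state the file must be readable by the `buildbot` user, which is the contract every host that enables this module has to satisfy.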


@ -0,0 +1,40 @@
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
{
lib,
pkgs,
config,
inputs,
...
}: let
cfg = config.auxolotl.services.ci.worker;
in {
options.auxolotl.services.ci.worker = {
enable = lib.mkEnableOption "Enable a buildbot-nix worker on this server";
masterUrl = lib.mkOption {
type = lib.types.str;
description = "The master url for the buildbot worker";
default = if config.auxolotl.services.ci.master.enable
then "tcp:host=localhost:port=9989"
else throw "auxolotl.services.ci.worker: You must either set a master URL or run a master on this server";
};
workerPasswordFile = lib.mkOption {
type = lib.types.str;
description = "A file containing the password for this worker";
};
};
config = lib.mkIf cfg.enable {
services.buildbot-nix.worker = {
enable = true;
buildbotNixpkgs = pkgs;
inherit (cfg) masterUrl workerPasswordFile;
};
};
}
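Review bot: The `masterUrl` default ending in `else throw "auxolotl.services.ci.worker: You must either set a master URL or run a master on this server"` places a `throw` inside an option default, so anything that evaluates the default for display (option documentation generation, which falls back to `default` when no `defaultText` is given) fails outright instead of reporting a missing setting. The idiomatic form is to drop `default` entirely, leaving the module system's standard "option is used but not defined" error when no master runs here, and to supply the local-master value from the `config` block: `auxolotl.services.ci.worker.masterUrl = lib.mkIf config.auxolotl.services.ci.master.enable (lib.mkDefault "tcp:host=localhost:port=9989");`. The `9989` in that string is buildbot's conventional worker (PB) port, but nothing on the page ties it to the master module; a comment `# 9989 is the buildbot master's default worker port — keep in sync with the master module` would make the coupling visible.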


@ -0,0 +1,12 @@
age-encryption.org/v1
-> piv-p256 xE4ypg A70wMCisOjVzR3ug4BLjnWaiySAkBRDLS80G5F+HgP90
5eo4VyKyOpO3s1ab5tYWrPJLp2NDoNfOLssPJz1X6sM
-> piv-p256 Hpt/+Q Ap55RMoW+ydJ/CWdY4f+dT3m+e6iKe+OJlE3ORgH5jl/
XjwSs/jqumcvnOsfKM97NbjuKelP7bxz87fXqDajmto
-> piv-p256 zfskmQ A6uIgMEgAQONVDgcpqh935TcbNVHPdGR+a8y2fsY0dw4
0eByad5OHK5Gap5Eq+jA5j1cWHS8q6cKvR9VKD5gXg4
-> LOt-grease %/=M
fgFp1gevlSUjaT26jP0yiRZNh3H9IlhZtJDt61WublxpuNhISVSNSqXat86tXjOZ
iEd+
--- 8HghOj3gAYLyGa2/z7ep5TbdSmrzhi7Bv333id6/XRY
µÕOåš:¤&-<2D>ý3ºÜõsÔQsDµFª<¥§è¹Ùá‘ØÑÌ… fDXb.TxdR ùú3Y¯Bó«æqs¤<73>¸Æ"NÛlÕÙš


@ -0,0 +1,7 @@
# Serial: 20652804, Slot: 1
# Name: MINION_COLLABORA_YUBIKEY
# Created: Sun, 21 Jul 2024 12:55:44 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ


@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
SPDX-License-Identifier: GPL-3.0-only


@ -0,0 +1,7 @@
# Serial: 24039462, Slot: 1
# Name: MINION_iYUBIKEY
# Created: Sun, 21 Jul 2024 12:57:17 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA


@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
SPDX-License-Identifier: GPL-3.0-only


@ -0,0 +1,7 @@
# Serial: 23751432, Slot: 1
# Name: MINION_TINY_YUBIKEY
# Created: Sun, 21 Jul 2024 12:49:01 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0


@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
SPDX-License-Identifier: GPL-3.0-only


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Z9MeFA 5MtkO2R8f6CVXX4c2n3BOiAMzExUSwfm4u+TQIHamEg
i3SUH1s0UYAUhfZmCkrBw7BN5NTTtQIwGl0ITQht0XM
-> [[E3wgE-grease xW^ t/4SAoK@
8dSbS93buyIBRyWFPg
--- 4ySt+P89sGFFAdDieoRwozA/Hsq+FqA2wWNcMwQ3a74
ÒTT—UV©+E{ºY…D—LêåM_Ä.ç˜P<CB9C>$y“^<5E>ømOä¦çÍšSÈ(÷S;¯T—úgN<67>ù®Õí(ìóNà aT šQò


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Z9MeFA 3AdBBzRTHv35vrflVzH1z/8YV5SJykizTzOtKOgucRI
eU/l9cWEF9ix2fK8YqqlHuBdJdISERVVZAdRnAXfKFA
-> Cf*79d-grease
Mft5A1hDcFzr+nA1uE6kNLlN26I
--- HkABm597GfKIRwYRHvYV6tCoFeiNN3tAEEgnctlGCo8
xÛ^qû©Äcµ73^À—ÃåјNüZHh?½8G²ÜüëöÓ”T½¿«w]y¢£,ªQ³8<C2B3>·»<02>Ñ ·ˆÿx¿VG+³Oÿ$y´


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Z9MeFA EOHfjGuxu4lGCf1BVX4yI6GEULyMjqgijUjozsNxCnk
9cT0bTKNP73guNnwSmDVn+gSZwnF4Wweq4DlvHdWUkA
-> )|AUL?-grease +&*1J$ uR@9HO ,nfE ULx2MW"l
7Z3ZhFGj/dlmd6s1W2AESyALUeslyMrLiVN6X+Uo8w
--- 2i6p/11kcpcMhZUItUPfqCUp+9ykJq+T4mGg1oYw7gE
ê‰ë$¶<>Ìw•ã4ØŽ—úrºâõÝÈ}(1h®ue€ÂàÈ&æøf³à>í¯Ø4À0G»\DºÁ.„ú%°âë<Ç&dKØ


@ -6,10 +6,12 @@
mkShell,
reuse,
deploy-rs,
agenix-rekey,
}:
mkShell {
packages = [
reuse # Used to provide licenses & copyright attribution
deploy-rs # Used to deploy to our servers
agenix-rekey # Used to manage secrets
];
}


@ -7,12 +7,15 @@
{
pkgs,
modulesPath,
config,
...
}: {
imports = [
(modulesPath + "/virtualisation/digital-ocean-config.nix")
];
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
boot.loader.grub.enable = true;
virtualisation.digitalOcean.rebuildFromUserData = false;
@ -43,8 +46,49 @@
services = {
ssh.enable = true;
forge.enable = true;
ci = {
master = {
enable = true;
tokenFile = config.age.secrets."services.ci.master.tokenFile".path;
webhookSecretFile = config.age.secrets."services.ci.master.webhookSecretFile".path;
oauth = {
clientId = "76e70591-79a6-4a2f-8319-317f46800519";
clientSecretFile = config.age.secrets."services.ci.master.oauth.clientSecretFile".path;
};
workersFile = config.age.secrets."services.ci.master.workersFile.json".path;
};
worker = {
enable = true;
workerPasswordFile = config.age.secrets."services.ci.worker.workerPasswordFile".path;
};
};
};
};
age.secrets."services.ci.master.tokenFile" = {
rekeyFile = ./services.ci.master.tokenFile.age;
group = "buildbot";
};
age.secrets."services.ci.master.webhookSecretFile" = {
generator.script = "alnum";
group = "buildbot";
};
age.secrets."services.ci.master.oauth.clientSecretFile" = {
rekeyFile = ./services.ci.master.oauth.clientSecretFile.age;
group = "buildbot";
};
age.secrets."services.ci.master.workersFile.json" = {
rekeyFile = ./services.ci.master.workersFile.json.age;
group = "buildbot";
};
age.secrets."services.ci.worker.workerPasswordFile" = {
generator.script = "alnum";
group = "buildbot";
};
system.stateVersion = "23.11";
}
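Review bot: Every new `age.secrets.*` entry sets `group = "buildbot";` but no `mode`; agenix's default for a secret is mode 0400 owned by root, so a group alone would not make the file readable by the `buildbot` user that the master module's option descriptions require, and the service could fail to read its token, OAuth secret and workers file at start (confirm whether agenix-rekey changes that default; if not, add `mode = "0440";` to each entry, or set `owner = "buildbot";`). Separately, `services.ci.worker.workerPasswordFile` is produced by `generator.script = "alnum";` while the master's `workersFile.json` is a hand-rekeyed file; nothing here links the two, so the generated password must be copied into the JSON manually and silently diverges if the secret is ever regenerated. agenix-rekey's `generator.dependencies` can derive the workers file from the worker password secret, or a comment on the `workersFile.json` entry should record the manual step. The `services = {` set at the top of the second hunk sits inside an attribute set that opens outside the hunk.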


@ -0,0 +1,12 @@
age-encryption.org/v1
-> piv-p256 xE4ypg A+D0j6/XAOWgbzbOKKNX3IaA0RCZSYG1lWXNL7ErYKjh
p3kgqbWj5T0D1pbStNRjHpKPbv4sMvrHXDpBk5Ym8LE
-> piv-p256 Hpt/+Q AgIoOHkn/1EJRoaMHTVR2nO2ub1F2UoRjYaJIpmvXzty
tGfVG9kUG94wZSwwkFEcJK6ehvaHHUVa1eJBXjyQnW4
-> piv-p256 zfskmQ AhG7AZlLuJ2JwfojMJIZKAjGlgUgssK2JlsBjcAkdehP
Yr8a6Cx7S08KBYkbTYoPHAROllXvGsMkS1lKv+3cP4I
-> D^7VNXi7-grease C !pw j
nIH+2iyF2LotQqzFroxVIgeFVnvMjYhsO27Egb7UU/zavBgrY2Grc30v3AptjT2j
I4q23DfwVcU5OYXq4HYHnC4zwKI
--- XOlDFARRpwZ/ew4vOTsDt5dkAfTNNfmVKfVB+2fGwHE
à£ì.a-.=<3D>Ô cÂ9ò:éP¸<12>ˆ7d96œ 1 b<>;2ÿ4f××!ŽnCFùŽÉjÒJm‡×«rˆöwëÛtµ<74>%áðëFþ{QÖI¾ ½


@ -0,0 +1,11 @@
age-encryption.org/v1
-> piv-p256 xE4ypg Ags6YIwJfw361Tg6pfdxGUZDDegofZk+xIPWpEbSps02
oSq4ycmqQjeYrnBDAb1PyK8KnWySOyukcvhS8OXW82A
-> piv-p256 Hpt/+Q AgvQ2nuF4CELPs7L9OJEeoXk2TpPLNWkQ8TYrZIyJiZ3
KFkj1om15tbZVCM1zmG7/zjhJSGwRDSP5wfB+9HuBP4
-> piv-p256 zfskmQ A551KXlyYGw0E4X3VUSnyPEdXdEIcQBoLFbf4yoc2pEF
JEheQDNOFweKrO8AfKyS2acuzpN77g/qwdHJzWXzUew
-> 6U;sLGZs-grease 6
Ug2KSn6pQ5KWyTb7A3l/dN3G8C9v3QlJp4PXzw
--- 8jZf5hxeOQO2fk9vafkEkpAlHEXKO/EZIrP0YkLkI+4
ãÏ(K¦wÂk`Þ<>.Qv{q <©¿á|rÉDàIoÏ®nZQšÌl§<6C>Ìjû#ü46lZÉÁ¨ž®UF2ŒY²!ÁÄÎ