infra/systems/x86_64-linux/baxter/default.nix
Skyler Grey 198b4dff20
feat(baxter): Add buildbot CI
For a while we've been lacking a CI, which has led to problems such as
an inability to enforce REUSE, as well as an inability to build and
deploy docs-site automatically

Buildbot is commonly used (nix-community, lix, etc.), and very
extensible, which we hope will benefit us over something like Hydra or
Typhon

The buildbot instance is available at https://builds.auxolotl.org
2024-07-27 00:08:27 +00:00


# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
# baxter
# 209.38.149.197
{
  pkgs,
  modulesPath,
  config,
  ...
}: let
  # Shorthand for the agenix secret set. Only each entry's `.path` (the
  # location of the decrypted file) is handed to services below; no secret
  # value is written into this module.
  inherit (config.age) secrets;

  # Marks a secret as belonging to the `buildbot` group.
  # NOTE(review): only `group` is set on these secrets. agenix's default mode
  # is 0400, which carries no group-read bit, so confirm whether the CI
  # services read these files as root (e.g. through systemd credentials) or
  # whether a mode such as "0440" is intended.
  forBuildbot = attrs: attrs // {group = "buildbot";};
in {
  # Host definition for `baxter`: a DigitalOcean droplet that has the forge,
  # the buildbot master and a buildbot worker all enabled.
  imports = [
    (modulesPath + "/virtualisation/digital-ocean-config.nix")
  ];

  boot.loader.grub.enable = true;

  # Do not reconfigure the system from droplet user data; the configuration
  # comes from this repository.
  virtualisation.digitalOcean.rebuildFromUserData = false;

  # Only HTTP and HTTPS are opened in this file.
  # NOTE(review): other enabled modules (for example ssh) may open further
  # ports themselves; check the evaluated firewall rules, not just this list.
  networking.firewall.allowedTCPPorts = [80 443];

  environment.systemPackages = [pkgs.neovim];

  auxolotl = {
    nix.enable = true;
    users.infra.enable = true;

    security = {
      doas.enable = true;
      acme = {
        enable = true;
        email = "jake.hamilton@hey.com";
      };
    };

    services = {
      ssh.enable = true;
      forge.enable = true;

      # NOTE(review): the CI master and a CI worker are enabled on the same
      # host as the forge. Confirm that builds triggered by untrusted
      # contributions are isolated from the master's secrets and from the
      # forge's data.
      ci = {
        master = {
          enable = true;
          tokenFile = secrets."services.ci.master.tokenFile".path;
          webhookSecretFile = secrets."services.ci.master.webhookSecretFile".path;
          oauth = {
            # The client id is a public identifier; only the client secret is
            # kept encrypted.
            clientId = "76e70591-79a6-4a2f-8319-317f46800519";
            clientSecretFile = secrets."services.ci.master.oauth.clientSecretFile".path;
          };
          workersFile = secrets."services.ci.master.workersFile.json".path;
        };
        worker = {
          enable = true;
          workerPasswordFile = secrets."services.ci.worker.workerPasswordFile".path;
        };
      };
    };
  };

  age = {
    # Public SSH host key of this machine, used by agenix-rekey as the
    # recipient when re-encrypting secrets for the host. It is a public key,
    # so it is safe to keep in the repository.
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";

    # Secrets with a `rekeyFile` are stored as encrypted `.age` files next to
    # this module; secrets with `generator.script = "alnum"` are produced by
    # that generator instead of being supplied by hand.
    secrets = {
      "services.ci.master.tokenFile" = forBuildbot {
        rekeyFile = ./services.ci.master.tokenFile.age;
      };
      "services.ci.master.webhookSecretFile" = forBuildbot {
        generator.script = "alnum";
      };
      "services.ci.master.oauth.clientSecretFile" = forBuildbot {
        rekeyFile = ./services.ci.master.oauth.clientSecretFile.age;
      };
      "services.ci.master.workersFile.json" = forBuildbot {
        rekeyFile = ./services.ci.master.workersFile.json.age;
      };
      "services.ci.worker.workerPasswordFile" = forBuildbot {
        generator.script = "alnum";
      };
    };
  };

  # Release whose stateful defaults this host was installed with; it is not
  # meant to be changed on upgrade.
  system.stateVersion = "23.11";
}