xin/configs/ci.nix

{
  config,
  lib,
  pkgs,
  inputs,
  xinlib,
  ...
}:
let
  #inherit (xinlib) prIsOpen;
  jobs = [
    {
      name = "xin-ci-update";
      user = "qbit";
      script = "cd ~/src/xin && ./bin/ci update";
      startAt = "23:00";
      path = [ ];
    }
    {
      name = "xin-ci";
      user = "qbit";
      script = "cd ~/src/xin && ./bin/ci";
      startAt = "*:30:00";
      path = [ ];
    }
  ];
in
with lib;
{
  options = {
    xinCI = {
      enable = mkEnableOption "Configure host as a xin CI host.";

      user = mkOption {
        type = types.str;
        default = "root";
        description = ''
          User who will own the CI private key.
        '';
      };
    };
  };

  imports = [ ../modules/ts-rev-prox.nix ];
  config = mkIf config.xinCI.enable {
    sops.defaultSopsFile = config.xin-secrets.ci;
    sops.secrets = {
      po_env = {
        owner = config.xinCI.user;
      };
      ci_ed25519_key = {
        mode = "400";
        owner = config.xinCI.user;
      };
      ci_ed25519_pub = {
        mode = "444";
        owner = config.xinCI.user;
      };
      ci_signing_ed25519_key = {
        mode = "400";
        owner = config.xinCI.user;
      };
      ci_signing_ed25519_pub = {
        mode = "444";
        owner = config.xinCI.user;
      };
      bin_cache_priv_key = {
        mode = "400";
        owner = "root";
        group = "wheel";
      };
      bin_cache_pub_key = {
        mode = "444";
        owner = "root";
        group = "wheel";
      };
      ts_proxy_env = {
        mode = "400";
        owner = config.services.tsrevprox.user;
      };
    };
    environment.systemPackages = with pkgs; [
      inputs.po.packages.${pkgs.system}.po
      keychain
      mosh
    ];

    networking = {
      firewall = {
        interfaces = {
          "tailscale0" = {
            allowedUDPPortRanges = [
              {
                from = 60000;
                to = 61000;
              }
            ];
          };
        };
      };
    };

    nix = {
      #settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];
      settings.allowed-users = [
        "root"
        config.xinCI.user
        "harmonia"
      ];
    };

    systemd.services = lib.listToAttrs (builtins.map xinlib.jobToService jobs);

    services = {
      tsrevprox = {
        enable = true;
        reverseName = "nix-binary-cache";
      };
      harmonia = {
        enable = true;
        signKeyPath = config.sops.secrets.bin_cache_priv_key.path;
        settings = {
          bind = "127.0.0.1:5000";
        };
      };
    };

    boot.binfmt.emulatedSystems = [
      "aarch64-linux"
      "armv6l-linux"
    ];
  };
}
fmt: test nixfmt-rfc-style 2024-02-18 12:23:08 -07:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`inputs,`
			`xinlib,`
			`...`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`}:`
			`let`
fmt 2023-09-03 19:58:14 -06:00			`#inherit (xinlib) prIsOpen;`
ci: move all the job scheduling to the ci module, add an update task - run a build every hour - run an update daily 2023-02-02 11:49:18 -07:00			`jobs = [`
			`{`
			`name = "xin-ci-update";`
ci: switch to a system service 2023-03-03 07:06:30 -07:00			`user = "qbit";`
ci: back to explicit path call 2023-02-10 05:19:13 -07:00			`script = "cd ~/src/xin && ./bin/ci update";`
ci: run update at 11 2023-02-04 09:12:08 -07:00			`startAt = "23:00";`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`path = [ ];`
ci: move all the job scheduling to the ci module, add an update task - run a build every hour - run an update daily 2023-02-02 11:49:18 -07:00			`}`
			`{`
			`name = "xin-ci";`
ci: switch to a system service 2023-03-03 07:06:30 -07:00			`user = "qbit";`
ci: back to explicit path call 2023-02-10 05:19:13 -07:00			`script = "cd ~/src/xin && ./bin/ci";`
ci: stagger timing a bit 2023-02-04 07:12:41 -07:00			`startAt = "*:30:00";`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`path = [ ];`
ci: move all the job scheduling to the ci module, add an update task - run a build every hour - run an update daily 2023-02-02 11:49:18 -07:00			`}`
			`];`
all: format with alejandra 2023-07-11 09:12:50 -06:00			`in`
fmt: test nixfmt-rfc-style 2024-02-18 12:23:08 -07:00			`with lib;`
			`{`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`options = {`
			`xinCI = {`
			`enable = mkEnableOption "Configure host as a xin CI host.";`
ci: don't rely on direnv for establishing the build env 2023-02-03 06:05:43 -07:00
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`user = mkOption {`
			`type = types.str;`
			`default = "root";`
			`description = ''`
			`User who will own the CI private key.`
			`'';`
overlay: add matrix-synapse -> 1.76.0 2023-01-31 12:55:00 -07:00			`};`
			`};`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`};`
overlay: add matrix-synapse -> 1.76.0 2023-01-31 12:55:00 -07:00
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`imports = [ ../modules/ts-rev-prox.nix ];`
			`config = mkIf config.xinCI.enable {`
			`sops.defaultSopsFile = config.xin-secrets.ci;`
			`sops.secrets = {`
fmt: test nixfmt-rfc-style 2024-02-18 12:23:08 -07:00			`po_env = {`
			`owner = config.xinCI.user;`
			`};`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`ci_ed25519_key = {`
			`mode = "400";`
			`owner = config.xinCI.user;`
overlay: add matrix-synapse -> 1.76.0 2023-01-31 12:55:00 -07:00			`};`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`ci_ed25519_pub = {`
			`mode = "444";`
			`owner = config.xinCI.user;`
			`};`
			`ci_signing_ed25519_key = {`
			`mode = "400";`
			`owner = config.xinCI.user;`
			`};`
			`ci_signing_ed25519_pub = {`
			`mode = "444";`
			`owner = config.xinCI.user;`
			`};`
			`bin_cache_priv_key = {`
			`mode = "400";`
			`owner = "root";`
			`group = "wheel";`
			`};`
			`bin_cache_pub_key = {`
			`mode = "444";`
			`owner = "root";`
			`group = "wheel";`
			`};`
			`ts_proxy_env = {`
			`mode = "400";`
			`owner = config.services.tsrevprox.user;`
all: format with alejandra 2023-07-11 09:12:50 -06:00			`};`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`};`
			`environment.systemPackages = with pkgs; [`
			`inputs.po.packages.${pkgs.system}.po`
			`keychain`
ci: install mosh 2023-10-22 08:39:05 -06:00			`mosh`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`];`
ci: move all the job scheduling to the ci module, add an update task - run a build every hour - run an update daily 2023-02-02 11:49:18 -07:00
ci: fix networking definition 2023-10-22 09:14:06 -06:00			`networking = {`
			`firewall = {`
			`interfaces = {`
			`"tailscale0" = {`
			`allowedUDPPortRanges = [`
			`{`
			`from = 60000;`
			`to = 61000;`
			`}`
			`];`
			`};`
ci: listen for mosh on tailscale0 2023-10-22 08:57:15 -06:00			`};`
			`};`
			`};`

all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`nix = {`
			`#settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];`
fmt: test nixfmt-rfc-style 2024-02-18 12:23:08 -07:00			`settings.allowed-users = [`
			`"root"`
			`config.xinCI.user`
			`"harmonia"`
			`];`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`};`
ci: stand up temporary cron job to run systemd timed stuff until 238971 lands 2023-07-03 07:19:20 -06:00
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`systemd.services = lib.listToAttrs (builtins.map xinlib.jobToService jobs);`
overlay: add matrix-synapse -> 1.76.0 2023-01-31 12:55:00 -07:00
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`services = {`
			`tsrevprox = {`
			`enable = true;`
			`reverseName = "nix-binary-cache";`
			`};`
			`harmonia = {`
			`enable = true;`
			`signKeyPath = config.sops.secrets.bin_cache_priv_key.path;`
fmt: test nixfmt-rfc-style 2024-02-18 12:23:08 -07:00			`settings = {`
			`bind = "127.0.0.1:5000";`
			`};`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`};`
all: format with alejandra 2023-07-11 09:12:50 -06:00			`};`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00
fmt: test nixfmt-rfc-style 2024-02-18 12:23:08 -07:00			`boot.binfmt.emulatedSystems = [`
			`"aarch64-linux"`
			`"armv6l-linux"`
			`];`
all: switch to nixpkgs-fmt 2023-09-12 08:44:05 -06:00			`};`
			`}`