2023-09-12 08:44:05 -06:00
|
|
|
{ config
|
|
|
|
, lib
|
|
|
|
, pkgs
|
|
|
|
, inputs
|
|
|
|
, xinlib
|
|
|
|
, ...
|
|
|
|
}:
|
|
|
|
let
|
2023-09-03 19:58:14 -06:00
|
|
|
#inherit (xinlib) prIsOpen;
|
2023-02-02 11:49:18 -07:00
|
|
|
jobs = [
|
2024-04-02 21:21:39 -06:00
|
|
|
{
|
|
|
|
name = "xin-ci-update";
|
|
|
|
user = "qbit";
|
|
|
|
script = "cd ~/src/xin && ./bin/ci update";
|
2024-07-08 07:15:04 -06:00
|
|
|
startAt = "Mon,Thu 23:00";
|
2024-04-02 21:21:39 -06:00
|
|
|
path = [ ];
|
|
|
|
}
|
2023-02-02 11:49:18 -07:00
|
|
|
{
|
|
|
|
name = "xin-ci";
|
2023-03-03 07:06:30 -07:00
|
|
|
user = "qbit";
|
2023-02-10 05:19:13 -07:00
|
|
|
script = "cd ~/src/xin && ./bin/ci";
|
2023-02-04 07:12:41 -07:00
|
|
|
startAt = "*:30:00";
|
2023-09-12 08:44:05 -06:00
|
|
|
path = [ ];
|
2023-02-02 11:49:18 -07:00
|
|
|
}
|
|
|
|
];
|
2023-07-11 09:12:50 -06:00
|
|
|
in
|
2023-09-12 08:44:05 -06:00
|
|
|
with lib; {
|
|
|
|
options = {
|
|
|
|
xinCI = {
|
|
|
|
enable = mkEnableOption "Configure host as a xin CI host.";
|
2023-02-03 06:05:43 -07:00
|
|
|
|
2023-09-12 08:44:05 -06:00
|
|
|
user = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "root";
|
|
|
|
description = ''
|
|
|
|
User who will own the CI private key.
|
|
|
|
'';
|
2023-01-31 12:55:00 -07:00
|
|
|
};
|
|
|
|
};
|
2023-09-12 08:44:05 -06:00
|
|
|
};
|
2023-01-31 12:55:00 -07:00
|
|
|
|
2023-09-12 08:44:05 -06:00
|
|
|
config = mkIf config.xinCI.enable {
|
|
|
|
sops.defaultSopsFile = config.xin-secrets.ci;
|
|
|
|
sops.secrets = {
|
|
|
|
po_env = { owner = config.xinCI.user; };
|
|
|
|
ci_ed25519_key = {
|
|
|
|
mode = "400";
|
|
|
|
owner = config.xinCI.user;
|
2023-01-31 12:55:00 -07:00
|
|
|
};
|
2023-09-12 08:44:05 -06:00
|
|
|
ci_ed25519_pub = {
|
|
|
|
mode = "444";
|
|
|
|
owner = config.xinCI.user;
|
|
|
|
};
|
|
|
|
ci_signing_ed25519_key = {
|
|
|
|
mode = "400";
|
|
|
|
owner = config.xinCI.user;
|
|
|
|
};
|
|
|
|
ci_signing_ed25519_pub = {
|
|
|
|
mode = "444";
|
|
|
|
owner = config.xinCI.user;
|
|
|
|
};
|
|
|
|
bin_cache_priv_key = {
|
|
|
|
mode = "400";
|
|
|
|
owner = "root";
|
|
|
|
group = "wheel";
|
|
|
|
};
|
|
|
|
bin_cache_pub_key = {
|
|
|
|
mode = "444";
|
|
|
|
owner = "root";
|
|
|
|
group = "wheel";
|
|
|
|
};
|
|
|
|
ts_proxy_env = {
|
|
|
|
mode = "400";
|
2024-06-18 13:11:56 -06:00
|
|
|
owner = config.services.ts-reverse-proxy.servers."nix-binary-cache".user;
|
2023-07-11 09:12:50 -06:00
|
|
|
};
|
2023-09-12 08:44:05 -06:00
|
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
inputs.po.packages.${pkgs.system}.po
|
|
|
|
keychain
|
2023-10-22 08:39:05 -06:00
|
|
|
mosh
|
2023-09-12 08:44:05 -06:00
|
|
|
];
|
2023-02-02 11:49:18 -07:00
|
|
|
|
2023-10-22 09:14:06 -06:00
|
|
|
networking = {
|
|
|
|
firewall = {
|
|
|
|
interfaces = {
|
|
|
|
"tailscale0" = {
|
|
|
|
allowedUDPPortRanges = [
|
|
|
|
{
|
|
|
|
from = 60000;
|
|
|
|
to = 61000;
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
2023-10-22 08:57:15 -06:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-09-12 08:44:05 -06:00
|
|
|
nix = {
|
|
|
|
settings.allowed-users = [ "root" config.xinCI.user "harmonia" ];
|
2024-05-24 13:02:46 -06:00
|
|
|
gc = {
|
|
|
|
automatic = true;
|
|
|
|
dates = "daily";
|
|
|
|
options = "--delete-older-than 60d";
|
|
|
|
};
|
2023-09-12 08:44:05 -06:00
|
|
|
};
|
2023-07-03 07:19:20 -06:00
|
|
|
|
2023-09-12 08:44:05 -06:00
|
|
|
systemd.services = lib.listToAttrs (builtins.map xinlib.jobToService jobs);
|
2023-01-31 12:55:00 -07:00
|
|
|
|
2023-09-12 08:44:05 -06:00
|
|
|
services = {
|
2024-06-18 13:11:56 -06:00
|
|
|
ts-reverse-proxy.servers."nix-binary-cache" = {
|
2023-09-12 08:44:05 -06:00
|
|
|
enable = true;
|
|
|
|
};
|
|
|
|
harmonia = {
|
|
|
|
enable = true;
|
|
|
|
signKeyPath = config.sops.secrets.bin_cache_priv_key.path;
|
|
|
|
settings = { bind = "127.0.0.1:5000"; };
|
|
|
|
};
|
2023-07-11 09:12:50 -06:00
|
|
|
};
|
2023-09-12 08:44:05 -06:00
|
|
|
|
|
|
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv6l-linux" ];
|
|
|
|
};
|
|
|
|
}
|