xin/configs/ci.nix

109 lines
2.7 KiB
Nix

{ config, lib, pkgs, inputs, xinlib, ... }:
let
jobs = [
{
name = "xin-ci-update";
user = "qbit";
script = "cd ~/src/xin && ./bin/ci update";
startAt = "23:00";
path = [ ];
}
{
name = "xin-ci";
user = "qbit";
script = "cd ~/src/xin && ./bin/ci";
startAt = "*:30:00";
path = [ ];
}
];
patchedNixServeNg = _: super: {
nix = super.nix-serve-ng.overrideAttrs (_: {
patches = [
(pkgs.fetchpatch {
name = "initStore.patch";
url ="https://patch-diff.githubusercontent.com/raw/aristanetworks/nix-serve-ng/pull/23.diff";
hash = "sha256-tLIOMbqEB6zw87taqxs5zGtqgIvE0F6gxxfs8C6ShX8=";
})
];
});
};
in with lib; {
options = {
xinCI = {
enable = mkEnableOption "Configure host as a xin CI host.";
user = mkOption {
type = types.str;
default = "root";
description = ''
User who will own the CI private key.
'';
};
};
};
imports = [ ../modules/ts-rev-prox.nix ];
config = mkIf config.xinCI.enable {
sops.defaultSopsFile = config.xin-secrets.ci;
sops.secrets = {
po_env = { owner = config.xinCI.user; };
ci_ed25519_key = {
mode = "400";
owner = config.xinCI.user;
};
ci_ed25519_pub = {
mode = "444";
owner = config.xinCI.user;
};
bin_cache_priv_key = {
mode = "400";
owner = "root";
group = "wheel";
};
bin_cache_pub_key = {
mode = "444";
owner = "root";
group = "wheel";
};
ts_proxy_env = {
mode = "400";
owner = config.services.tsrevprox.user;
};
};
environment.systemPackages = with pkgs; [
inputs.po.packages.${pkgs.system}.po
keychain
];
nix = {
#settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];
settings.allowed-users = [ "root" config.xinCI.user "harmonia" ];
};
systemd.services = lib.listToAttrs (builtins.map xinlib.jobToService jobs);
services = {
tsrevprox = {
enable = true;
reverseName = "nix-binary-cache";
envFile = config.sops.secrets.ts_proxy_env.path;
};
harmonia = {
enable = true;
signKeyPath = config.sops.secrets.bin_cache_priv_key.path;
settings = {
bind = "127.0.0.1:5000";
};
};
#nix-serve = {
# package = pkgs.nix-serve-ng;
# enable = true;
# secretKeyFile = config.sops.secrets.bin_cache_priv_key.path;
# bindAddress = "127.0.0.1";
#};
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
};
}