69 lines
1.7 KiB
Nix
69 lines
1.7 KiB
Nix
{ config, lib, pkgs, inputs, ... }:
|
|
with lib; {
|
|
options = {
|
|
xinCI = {
|
|
enable = mkEnableOption "Configure host as a xin CI host.";
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "root";
|
|
description = ''
|
|
User who will own the private key.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
imports = [ ../modules/ts-rev-prox.nix ];
|
|
config = mkIf config.xinCI.enable {
|
|
sops.defaultSopsFile = config.xin-secrets.ci;
|
|
sops.secrets = {
|
|
po_env = { owner = config.xinCI.user; };
|
|
ci_ed25519_key = {
|
|
mode = "400";
|
|
owner = config.xinCI.user;
|
|
};
|
|
ci_ed25519_pub = {
|
|
mode = "444";
|
|
owner = config.xinCI.user;
|
|
};
|
|
bin_cache_priv_key = {
|
|
mode = "400";
|
|
owner = "root";
|
|
group = "wheel";
|
|
};
|
|
bin_cache_pub_key = {
|
|
mode = "444";
|
|
owner = "root";
|
|
group = "wheel";
|
|
};
|
|
ts_proxy_env = {
|
|
mode = "400";
|
|
owner = config.services.tsrevprox.user;
|
|
};
|
|
};
|
|
environment.systemPackages = [ inputs.po.packages.${pkgs.system}.po ];
|
|
|
|
nix = {
|
|
settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];
|
|
};
|
|
services = {
|
|
tsrevprox = {
|
|
enable = true;
|
|
reverseName = "nix-binary-cache";
|
|
envFile = config.sops.secrets.ts_proxy_env.path;
|
|
};
|
|
nix-serve = {
|
|
package = pkgs.nix-serve.override {
|
|
nix =
|
|
inputs.unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_12;
|
|
};
|
|
enable = true;
|
|
secretKeyFile = config.sops.secrets.bin_cache_priv_key.path;
|
|
bindAddress = "127.0.0.1";
|
|
};
|
|
};
|
|
|
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
|
};
|
|
}
|