
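{
  inputs',
  pkgs,
  config,
  ...
}: {
  # Host-side vault-agent renders each buildbot secret from the single KV
  # entry kv/data/cluster/buildbot/buildbot into /run/secrets/buildbot/<name>
  # and triggers a container reload whenever a rendered file changes.
  services.hashicorp.vault-agent = {
    settings.template = let
      # Reload hook: runs `systemctl try-reload-or-restart container@buildbot`
      # via the "klipper" machine. `|| true` keeps a failed reload from being
      # reported as a template failure.
      buildbotRestart = pkgs.writeShellScript "buildbot-reload.sh" ''
        sudo systemd-run -P --machine klipper /run/current-system/sw/bin/bash -l -c \
          'systemctl try-reload-or-restart container@buildbot' || true
      '';

      # One template per field of the KV entry. The rendered file is named
      # after the field, so the list below is the single place to add a secret.
      # (The template derivations were previously all named
      # "envoy-klipper.token.vtmpl", a copy-paste leftover; the name only
      # affects the store path, not the rendered contents.)
      secretTemplate = name: {
        source = pkgs.writeText "buildbot-${name}.vtmpl" ''
          {{ with secret "kv/data/cluster/buildbot/buildbot" }}{{ .Data.data.${name} }}{{ end }}
        '';
        destination = "/run/secrets/buildbot/${name}";
        command = buildbotRestart;
      };
    in
      # NOTE(review): no `perms` is given for these templates, so the rendered
      # files keep vault-agent's default mode. Confirm /run/secrets/buildbot is
      # not readable by unprivileged host users before treating the read-only
      # bind mount below as the only access control on these credentials.
      map secretTemplate ["oauth_secret" "token" "webhook_secret"];
  };

  # Ephemeral container: its root filesystem is thrown away on every start,
  # so all state that must survive lives in the bind mounts below.
  containers.buildbot = {
    ephemeral = true;
    autoStart = true;
    # The container shares the host's network namespace rather than getting
    # its own veth pair, so whatever buildbot listens on is reachable on the
    # host's interfaces and must be firewalled there.
    privateNetwork = false;
    bindMounts = {
      "/var/lib/buildbot" = {
        hostPath = "/mnt/kyle/infrastructure/buildbot/data";
        isReadOnly = false;
      };
      "/var/lib/postgresql" = {
        hostPath = "/mnt/kyle/infrastructure/buildbot/database";
        isReadOnly = false;
      };
      # Secrets rendered by vault-agent above; read-only inside the guest so
      # the container cannot alter or replace them.
      "/secret" = {
        hostPath = "/run/secrets/buildbot";
        isReadOnly = true;
      };
    };
    specialArgs = {
      inherit inputs';
    };
    config = {
      boot.isContainer = true;
      # Mirror the host's nix configuration and package inside the guest.
      nix.settings = config.nix.settings;
      nix.package = config.nix.package;
      imports = [
        ../buildbot-container/buildbot.nix
      ];
      networking.hostName = "buildbot";
    };
  };
}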