dotfiles/nixos/systems/buildbot-container/buildbot.nix
magic_rb 6b3ba18d70
Make buildbot-nix workers secret, actually secret, duh
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-07-24 21:31:21 +02:00


# NixOS module: runs a buildbot-nix master and a buildbot-nix worker on the
# same system and serves the web UI as buildbot.redalder.org.
#
# Every credential is referenced as a quoted string path under /secret, so
# only the path (never the secret contents) is part of the evaluated
# configuration. Keep these as strings: an unquoted Nix path literal can be
# copied into the world-readable /nix/store when it is coerced to a string.
# NOTE(review): how /secret is provisioned, and its ownership and mode, are
# not visible in this file; confirm only the intended service users can read it.
{
  pkgs,
  inputs',
  lib,
  ...
}: let
  inherit (lib) mkForce;
  # Only referenced by the commented-out postBuildSteps example further down.
  inherit (inputs'.buildbot-nix.lib) interpolate;
in {
  imports = [
    inputs'.buildbot-nix.nixosModules.buildbot-master
    inputs'.buildbot-nix.nixosModules.buildbot-worker
  ];

  environment.systemPackages = [pkgs.git];

  services = {
    # nginx binds a private (RFC 1918) address on a non-standard port, while
    # buildbotUrl below advertises https.
    # NOTE(review): presumably TLS is terminated by a proxy in front of this
    # listener; confirm, and confirm the hop between that proxy and
    # 10.64.2.1:8833 stays on a trusted network.
    nginx.virtualHosts."buildbot.redalder.org".listen = [
      {
        addr = "10.64.2.1";
        port = 8833;
      }
    ];

    # mkForce overrides whatever URL other modules set for the master.
    buildbot-master.buildbotUrl = mkForce "https://buildbot.redalder.org/";

    buildbot-nix = {
      master = {
        enable = true;
        domain = "buildbot.redalder.org";
        jobReportLimit = 50;

        # Worker credentials, read from a file at runtime.
        workersFile = "/secret/workers.json";

        # Accounts given admin rights in the UI; logins are checked against
        # the gitea backend (instanceUrl below, i.e. codeberg.org).
        admins = ["magic_rb" "MagicRB"];
        authBackend = "gitea";

        gitea = {
          enable = true;
          instanceUrl = "https://codeberg.org";
          topic = "build-with-buildbot";
          # An OAuth client id is a public identifier; the matching secret
          # lives in oauthSecretFile.
          oauthId = "b862a7fa-04ba-462e-b495-2cecc1e6bb18";
          oauthSecretFile = "/secret/gitea_oauth_secret";
          tokenFile = "/secret/gitea_token";
          # NOTE(review): this is the same file the github block uses. If that
          # is deliberate, both forges share one webhook secret, so a leak or
          # rotation affects both integrations; if it is a copy-paste, point
          # this at a gitea-specific file.
          webhookSecretFile = "/secret/github_webhook_secret";
        };

        github = {
          enable = true;
          topic = "buildbot-magicrb";
          # Public client id, as above; the secret is in oauthSecretFile.
          oauthId = "Iv1.9602794c2e5a475b";
          oauthSecretFile = "/secret/github_oauth_secret";
          webhookSecretFile = "/secret/github_webhook_secret";
          # GitHub App authentication: the private key stays in a file, the
          # numeric app id is not a secret.
          authType.app = {
            id = 881425;
            secretKeyFile = "/secret/github_app_private_key.pem";
          };
          # Alternative kept by the author (token-based auth):
          # authType.legacy = {
          # tokenFile = "/secret/github_token";
          # };
        };

        # optional expose latest store path as text file
        # outputsPath = "/var/www/buildbot/nix-outputs";

        # optional nix-eval-jobs settings; both cap the resources a single
        # evaluation run can consume on this host.
        evalWorkerCount = 2; # limit number of concurrent evaluations
        evalMaxMemorySize = "4096"; # limit memory usage per evaluation

        # postBuildSteps = [
        # {
        # name = "Testing out the steps";
        # command = [
        # (lib.getExe' pkgs.coreutils "printf")
        # (interpolate "Interpolated %(prop:out_path)s!\n")
        # ];
        # }
        # ];
      };

      # The worker runs on the same system as the master.
      # NOTE(review): builds therefore execute next to the forge tokens and
      # keys referenced above; confirm the build users cannot read /secret
      # beyond the worker password file.
      worker = {
        enable = true;
        workerPasswordFile = "/secret/worker_secret";
      };
    };
  };

  # Optional: Enable acme/TLS in nginx (recommended)
  # (`config` is not among this module's arguments; add it before enabling.)
  #services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = {
  # forceSSL = true;
  # useACME = true;
  #};
}