dotfiles/nixos/systems/blowhole/buildbot.nix
magic_rb 6b3ba18d70
Make buildbot-nix workers secret, actually secret, duh
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-07-24 21:31:21 +02:00


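{
  inputs',
  pkgs,
  config,
  ...
}: {
  # The buildbot master runs in a NixOS container.  Its credentials are rendered
  # on the host by vault-agent into /run/secrets/buildbot and reach the
  # container only through a read-only bind mount at /secret (see below).
  services.hashicorp.vault-agent = {
    settings.template = let
      # Run after any template below is (re)rendered so the container reloads
      # with the new material.  The trailing `|| true` hides a failed reload
      # from vault-agent, so a stale secret can stay in use without any error.
      # NOTE(review): the reload is dispatched via `--machine klipper` while the
      # unit restarted is `container@buildbot` -- confirm that is the intended hop.
      buildbotRestart =
        pkgs.writeShellScript "buildbot-reload.sh"
        ''
          sudo systemd-run -P --machine klipper /run/current-system/sw/bin/bash -l -c \
            'systemctl try-reload-or-restart container@buildbot' || true
        '';

      # KV v2 paths holding the buildbot and gitea credentials.
      buildbotKv = "kv/data/cluster/buildbot/buildbot";
      giteaKv = "kv/data/cluster/buildbot/gitea";

      # Template that writes one field of a KV v2 secret verbatim to
      # /run/secrets/buildbot/<dest>.  `tmplName` only names the store file;
      # the rendered file ends with a newline because the closing '' is on its
      # own line (unchanged from the per-template originals).
      rawSecret = tmplName: kvPath: field: dest: {
        source = pkgs.writeText "buildbot.${tmplName}.vtmpl" ''
          {{ with secret "${kvPath}" }}{{ .Data.data.${field} }}{{ end }}
        '';
        destination = "/run/secrets/buildbot/${dest}";
      };

      # Worker list consumed by buildbot-nix.  The secret is passed through
      # toJSON, which emits it as a quoted JSON string, so a value containing
      # `"` or `\` cannot break the document.  `cores` is fixed at 24.
      workersJson = {
        source = pkgs.writeText "buildbot.wordkers.json.vtmpl" ''
          [
            { "name": "buildbot", "pass": {{ with secret "${buildbotKv}" }}{{ .Data.data.worker_secret | toJSON }}{{ end }}, "cores": 24 }
          ]
        '';
        destination = "/run/secrets/buildbot/workers.json";
      };

      # Options shared by every template.  error_on_missing_key makes a typo in
      # a field name fail the render instead of silently writing "<no value>"
      # into a secret file.
      # NOTE(review): no `perms` is set, so rendered files get vault-agent's
      # default mode; restrict it once the reading uid inside the container is
      # known.
      common = {
        command = buildbotRestart;
        error_on_missing_key = true;
      };
    in
      map (tmpl: tmpl // common) [
        (rawSecret "github_oauth_secret" buildbotKv "oauth_secret" "github_oauth_secret")
        (rawSecret "github_token" buildbotKv "token" "github_token")
        (rawSecret "github_webhook_secret" buildbotKv "webhook_secret" "github_webhook_secret")
        (rawSecret "gitea_token" giteaKv "token" "gitea_token")
        (rawSecret "gitea.oauth_secret" giteaKv "oauth_secret" "gitea_oauth_secret")
        (rawSecret "github.app_private_key" buildbotKv "app_private_key" "github_app_private_key.pem")
        (rawSecret "wordker_secret" buildbotKv "worker_secret" "worker_secret")
        workersJson
      ];
  };

  containers.buildbot = {
    # Fresh root filesystem on every start; persistent state lives only in the
    # bind mounts below.
    ephemeral = true;
    autoStart = true;
    # NOTE(review): the container shares the host's network namespace, so the
    # master presumably listens on every host address -- confirm that is wanted.
    privateNetwork = false;
    bindMounts = {
      "/var/lib/buildbot" = {
        hostPath = "/mnt/kyle/infrastructure/buildbot/data";
        isReadOnly = false;
      };
      "/var/lib/postgresql" = {
        hostPath = "/mnt/kyle/infrastructure/buildbot/database";
        isReadOnly = false;
      };
      # The vault-agent output directory, read-only so the container can never
      # alter or plant credentials.
      "/secret" = {
        hostPath = "/run/secrets/buildbot";
        isReadOnly = true;
      };
    };
    specialArgs = {
      inherit inputs';
    };
    # Evaluate the container against the nixpkgs pinned by buildbot-nix rather
    # than the host's.
    nixpkgs = inputs'.buildbot-nix.inputs.nixpkgs;
    config = {
      boot.isContainer = true;
      # Mirror the host's nix configuration and nix binary inside the container.
      nix.settings = config.nix.settings;
      nix.package = config.nix.package;
      imports = [
        ../buildbot-container/buildbot.nix
      ];
      networking.hostName = "buildbot";
    };
  };
}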