mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-26 18:16:13 +01:00
ee654f2d06
Signed-off-by: magic_rb <magic_rb@redalder.org>
# NixOS module: has vault-agent render three Buildbot secrets on the host and
# runs Buildbot in a declarative NixOS container that sees those files through
# a read-only bind mount.
{
  inputs',
  pkgs,
  config,
  ...
}: let
  # Hook attached to every template below as `command`. The command line is a
  # fixed string; no rendered secret value is interpolated into it.
  # NOTE(review): this relies on a sudo rule for the vault-agent user that is
  # not visible in this file - confirm it is limited to this one invocation.
  # NOTE(review): `|| true` discards a failed reload/restart, so the container
  # can keep running with stale secrets and nothing is reported - confirm that
  # best-effort behaviour is intended.
  buildbotRestart = pkgs.writeShellScript "buildbot-reload.sh" ''
    sudo systemd-run -P --machine klipper /run/current-system/sw/bin/bash -l -c \
      'systemctl try-reload-or-restart container@buildbot' || true
  '';

  # One template entry per field of the Buildbot KV secret. The field name is
  # also the file name under /run/secrets/buildbot.
  # NOTE(review): all three template files share the store name
  # "envoy-klipper.token.vtmpl", which looks copied from another service; it is
  # kept unchanged here.
  # NOTE(review): no `perms` (or owner) is set on these entries, so the file
  # mode is whatever the agent defaults to - verify that other host users
  # cannot read /run/secrets/buildbot.
  mkSecretTemplate = field: {
    source = pkgs.writeText "envoy-klipper.token.vtmpl" ''
      {{ with secret "kv/data/cluster/buildbot/buildbot" }}{{ .Data.data.${field} }}{{ end }}
    '';
    destination = "/run/secrets/buildbot/${field}";
    command = buildbotRestart;
  };
in {
  services.hashicorp.vault-agent.settings.template = map mkSecretTemplate [
    "oauth_secret"
    "token"
    "webhook_secret"
  ];

  containers.buildbot = {
    # The root filesystem is not kept between starts; persistent state lives in
    # the bind mounts below.
    ephemeral = true;
    autoStart = true;
    # No private network: the container shares the host's network namespace, so
    # anything it listens on is bound on the host's interfaces.
    privateNetwork = false;

    # Writable application and database state, kept on the host.
    bindMounts."/var/lib/buildbot" = {
      hostPath = "/mnt/kyle/infrastructure/buildbot/data";
      isReadOnly = false;
    };
    bindMounts."/var/lib/postgresql" = {
      hostPath = "/mnt/kyle/infrastructure/buildbot/database";
      isReadOnly = false;
    };
    # Secrets rendered by vault-agent on the host; read-only inside the
    # container.
    bindMounts."/secret" = {
      hostPath = "/run/secrets/buildbot";
      isReadOnly = true;
    };

    specialArgs = {
      inherit inputs';
    };

    config = {
      imports = [
        ../buildbot-container/buildbot.nix
      ];

      boot.isContainer = true;
      networking.hostName = "buildbot";

      # `config` here is the host's module argument, so the container reuses
      # the host's Nix settings and Nix package.
      nix = {
        inherit (config.nix) settings package;
      };
    };
  };
}