1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
{
config,
lib,
pkgs,
...
}: {
imports = [
./hardware-configuration.nix
];
sops.secrets."srht/networkKey" = {};
sops.secrets."srht/serviceKey" = {};
sops.secrets."srht/webhooksPrivateKey" = {};
sops.secrets."srht/builds/clientSecret" = {};
sops.secrets."srht/pgpPrivateKey" = {
group = "pgpkeys";
mode = "0440";
};
sops.secrets."srht/pgpPublicKey" = {
group = "pgpkeys";
mode = "0440";
};
users.groups.pgpkeys.members = [
"buildsrht"
];
services.sourcehut = {
enable = true;
redis.enable = false;
settings = {
"sr.ht" = {
owner-email = "jonni@liljamo.com";
owner-name = "Jonni Liljamo";
global-domain = "src.quest";
network-key = config.sops.secrets."srht/networkKey".path;
service-key = config.sops.secrets."srht/serviceKey".path;
};
mail = {
# FIXME: runners should not need this, but the module requires it,
# pls fix
error-from = "no-reply@src.quest";
error-to = "jonni@liljamo.com";
pgp-key-id = "F86655FF033B89F88E4F57C193C69331A06D888D";
pgp-privkey = config.sops.secrets."srht/pgpPrivateKey".path;
pgp-pubkey = config.sops.secrets."srht/pgpPrivateKey".path;
smtp-from = "no-reply@src.quest";
};
webhooks.private-key = config.sops.secrets."srht/webhooksPrivateKey".path;
"builds.sr.ht" = {
migrate-on-upgrade = false;
origin = "https://builds.src.quest";
connection-string = "postgresql://buildsrht@gostir:5432/builds.sr.ht?sslmode=disable";
redis = "redis://gostir:6379/2";
oauth-client-id = "b239c860-1507-4398-bd56-969c2ac9a5d1";
oauth-client-secret = config.sops.secrets."srht/builds/clientSecret".path;
};
"builds.sr.ht::worker" = {
name = "sqbuilds";
timeout = "45m";
bind-address = "0.0.0.0:8080";
};
"meta.sr.ht".origin = "https://meta.src.quest";
};
meta = {
enable = true; # FIXME: runner should not need, but the config file is
# not generated if not enabled...
redis.host = "redis://gostir:6379/0";
};
builds = {
enable = true;
redis.host = "redis://gostir:6379/0";
enableWorker = true;
images = {
#nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable;
/*
nixos."24.05".x86_64 = let # TODO: current buildsrht version is out of date,
# and doesn't have 24.05
pkgs_stable = builtins.fetchGit {
url = "https://github.com/NixOS/nixpkgs";
# NOTE: last updated 1.9.2024
rev = "6e99f2a27d600612004fbd2c3282d614bfee6421";
ref = "nixos-24.05";
};
pkgs = import pkgs_stable {system = "x86_64-linux";};
image = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
pkgs = pkgs;
hostPlatform = "x86_64-linux";
});
in
image pkgs;
*/
nixos.unstable.x86_64 = let
# TODO: this is lying to the system, but whatever
pkgs_stable = builtins.fetchGit {
url = "https://github.com/NixOS/nixpkgs";
# NOTE: last updated 1.9.2024
rev = "6e99f2a27d600612004fbd2c3282d614bfee6421";
ref = "nixos-24.05";
};
pkgs = import pkgs_stable {system = "x86_64-linux";};
image = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
pkgs = pkgs;
hostPlatform = "x86_64-linux";
});
in
image pkgs;
};
};
};
# NOTE: the following services are not required, but are enabled by the
# options defined above, yes the module needs some work
systemd.services."metasrht".wantedBy = lib.mkForce [];
systemd.services."metasrht-api".wantedBy = lib.mkForce [];
systemd.services."metasrht-webhooks".wantedBy = lib.mkForce [];
systemd.services."buildsrht-api".wantedBy = lib.mkForce [];
system.stateVersion = "24.05";
}