From 9b348150e31e5e9b248705c3b46783c95c8f1979 Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Sat, 31 Aug 2024 14:01:52 +0300
Subject: [PATCH] wip(systems/hosts/sqbuilds): initial sqbuilds config

---
 secrets/sqbuilds/secrets.yaml | 12 ++++-
 systems/hosts/sqbuilds/default.nix | 80 +++++++++++++++++++++++++++++-
 2 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/secrets/sqbuilds/secrets.yaml b/secrets/sqbuilds/secrets.yaml
index 0711281..7d04ea4 100644
--- a/secrets/sqbuilds/secrets.yaml
+++ b/secrets/sqbuilds/secrets.yaml
@@ -1,5 +1,13 @@
 rootPwd: ENC[AES256_GCM,data:MQZkunxuLZc0vBOj+vXj3EQgabppTr3+SLcdzr7wCTP6JHm/XIQIVYZJj/BbZiJLSg8x5CKmoQQo7/duKYjELqaHjVUq371h6Leu//xwMunArS1Od663Me3rvPVf84/IfCjRKH1uxZVi/A==,iv:GY3zXrxpINlW4UcHPTmCs2mDvlm3IXtyRrzH4AKnTHI=,tag:84rTfWmJ0tmxkdoHtXj4BA==,type:str]
 liljamoPwd: ENC[AES256_GCM,data:y3f+cofbh27klaRoHgxLiPa6iZuIGkSqL9/9HJ5cv8Eq4iRupmvg6l1GezodxpYilh3fkoZX+QjxcMxw9+3yb+ou3sw/tDicOtR1Ly6oBrYaNZWSs8JukMsAZx49g+fGNcmf6E8cd6Qv/w==,iv:mn5mPRhxOAleaSNx2vR5f9vHqC3i1kru1Emfvj9vymQ=,tag:dMGPsrr9AyRzb8GuwfrclA==,type:str]
+srht:
+ builds:
+ clientSecret: ENC[AES256_GCM,data:IwXBAdQZCZKOoUG+bvFh7UlWejf4f4Tbi3XiUX6ThfhMRaDSthuJjdOpWa3wxWksRKKBUkVjwhDRpkmCLi/FZ8vaPWsBZFUD8JPXQfbDUljkvvw5WIbTXg==,iv:JRBBtS0RxmFtmyo600xV9cFfJYsO5CEfxW4o8156R8Q=,tag:RlXPz7GW4ZKh1k/Yw/y8Rg==,type:str]
+ networkKey: ENC[AES256_GCM,data:H7AB7F6psZvZTog7Cts5vqzbyQoBuSGAF8yDGQJju0sTvezPXJdxE33tdec=,iv:li4ZNZYx/fSMbV3A+XoITnNNZW7pYk2dQxCdBXskiJ0=,tag:BHPd/U8UTpSafS0C7+nFKA==,type:str]
+ serviceKey: ENC[AES256_GCM,data:43yBrEDDzuKdfKlJhKLvHNcyNINkUFr9n715MCfbXbdKWnpqLbG91dTxC8W5wSTtD1puf3CdNeGYRjExr2Fm5g==,iv:vYpn1lmYRxl4PR33vxOH3W1VqCymTnidSPeBdwa6XxA=,tag://1ddjQYUlgnJ0Nxbn2f2A==,type:str]
+ webhooksPrivateKey: ENC[AES256_GCM,data:nuHwiFOknZwnlgFL3WPHXeLLdg/7aaAJusoBB/i2vM6N+wg0oDcpyxAlw1g=,iv:HSN7A4xZeijAO3pMKLrGVn5mJMhNP9uK6RiBVC0Uv3A=,tag:tqVM4+7PLDnF0R4FEm+MQA==,type:str]
+ pgpPrivateKey: ENC[AES256_GCM,data:5QGB,iv:myHiXoxQNS+68dvW3YbxR9kXgpkTlmbYOpM9fZK09Tk=,tag:KvgSWk7P92ceAewoht1fIw==,type:str]
+ pgpPublicKey: ENC[AES256_GCM,data:EVcE,iv:+ugm/G4Hwmz0wLKuywHqJ0SolTV8ObtN6LoKAu4G62Y=,tag:LM8Xz1DwKuLDPtidEA+7og==,type:str]
 sops:
 kms: []
 gcp_kms: []
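Review bot: The new `pgpPrivateKey` and `pgpPublicKey` entries carry ciphertexts of only four base64 characters (`data:5QGB`, `data:EVcE`), which is about three plaintext bytes each, so they look like placeholders rather than an armored key pair. The `default.nix` change in this same patch hands their decrypted paths to sourcehut as `mail.pgp-privkey`/`pgp-pubkey`, so the service will presumably not have a usable signing key until real values are encrypted in. A short marker next to them, such as `# TODO: placeholder until the real armored keys are added`, would keep that visible in the wip state.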
@@ -15,8 +23,8 @@ sops:
 VmkrdmhMNThtQXFXTlJ0bDhmMUhFSlEKkzfSaOjBiGrs0ts1TT23UluOFV9lASlz
 8d4SoUSNwP+Nq6XZcp29qbdUL+Mfs3qJEL6Ii6F/jKoGuDno4MGJ5w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-25T15:54:44Z"
- mac: ENC[AES256_GCM,data:CQUsMXPcqErOvtr9N8UovbcNfM2qBIpANP989Kryd6urcznupAVcyIY/je/8o56Y/yUT+STridiaPHC68FfS0SG1KtuhgU5ejNr4VJudCpWgsGmkjH89xAKl9/WzFxDaMMAbKa2y+M0xN2yAqy85LavoWXNYfrII2IYwJBFJYeg=,iv:tYVkPYHnd0OZz4NUUIauTqyJZceNpiquB4WwJuSTsW8=,tag:EPLGDBB3JZZNjzg0PX37iw==,type:str]
+ lastmodified: "2024-08-29T14:26:56Z"
+ mac: ENC[AES256_GCM,data:GW6umDxXYLfAuTNz5fdQqo22uAcvKfvri1PURJorRFOtXqXN7MJNyiCUDzx23ucCH/tCvrYOZWMYTCWNMa3qg/Vrs1fDfaNwIdMh3O9UnaMeTANJa9PBhcCdbYiAEDVfpmamd4r9p2lez88hjuke+FsixtzrrMkaszFsuLRdm8w=,iv:OLi+IZtjO7vLyTW+R6iKbh6XCliIVSAuNpAHglw5XJc=,tag:CCbBEZb3q7zwoVTlNdt1Lw==,type:str]
 pgp:
 - created_at: "2024-08-25T18:37:14Z"
 enc: |-
diff --git a/systems/hosts/sqbuilds/default.nix b/systems/hosts/sqbuilds/default.nix
index b240834..b7e2f7d 100644
--- a/systems/hosts/sqbuilds/default.nix
+++ b/systems/hosts/sqbuilds/default.nix
@@ -1,7 +1,85 @@
-{...}: {
+{
+ config,
+ pkgs,
+ ...
+}: {
 imports = [
 ./hardware-configuration.nix
 ];
 
+ sops.secrets."srht/networkKey" = {};
+ sops.secrets."srht/serviceKey" = {};
+ sops.secrets."srht/webhooksPrivateKey" = {};
+ sops.secrets."srht/builds/clientSecret" = {};
+
+ sops.secrets."srht/pgpPrivateKey" = {
+ group = "pgpkeys";
+ mode = "0440";
+ };
+ sops.secrets."srht/pgpPublicKey" = {
+ group = "pgpkeys";
+ mode = "0440";
+ };
+
+ users.groups.pgpkeys.members = [
+ "buildsrht"
+ ];
+
+ services.sourcehut = {
+ enable = true;
+ redis.enable = true;
+ settings = {
+ "sr.ht" = {
+ owner-email = "jonni@liljamo.com";
+ owner-name = "Jonni Liljamo";
+ global-domain = "src.quest";
+ network-key = config.sops.secrets."srht/networkKey".path;
+ service-key = config.sops.secrets."srht/serviceKey".path;
+ };
+ mail = {
+ # FIXME: runners should not need this, but the module requires it,
+ # pls fix
+ error-from = "no-reply@src.quest";
+ error-to = "jonni@liljamo.com";
+ pgp-key-id = "F86655FF033B89F88E4F57C193C69331A06D888D";
+ pgp-privkey = config.sops.secrets."srht/pgpPrivateKey".path;
+ pgp-pubkey = config.sops.secrets."srht/pgpPrivateKey".path;
+ smtp-from = "no-reply@src.quest";
+ };
+ webhooks.private-key = config.sops.secrets."srht/webhooksPrivateKey".path;
+ "builds.sr.ht" = {
+ migrate-on-upgrade = false;
+ origin = "https://builds.src.quest";
+ connection-string = "postgresql://buildsrht@gostir:5432/builds.sr.ht?sslmode=disable";
+
+ oauth-client-id = "b239c860-1507-4398-bd56-969c2ac9a5d1";
+ oauth-client-secret = config.sops.secrets."srht/builds/clientSecret".path;
+ };
+ "builds.sr.ht::worker" = {
+ name = "sqbuilds";
+ timeout = "45m";
+ bind-address = "0.0.0.0:8080";
+ };
+ "meta.sr.ht".origin = "https://meta.src.quest";
+ };
+ builds = {
+ enable = true;
+ enableWorker = true;
+ images = let
+ pkgs_unstable = builtins.fetchGit {
+ url = "https://github.com/NixOS/nixpkgs";
+ # NOTE: last updated 29.8.2024
+ rev = 
"a6292e34000dc93d43bccf78338770c1c5ec8a99";
+ ref = "nixos-unstable";
+ };
+ image_from_nixpkgs = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
+ pkgs = import pkgs_unstable {system = "x86_64-linux";};
+ });
+ in {
+ nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable;
+ };
+ };
+ };
+
 system.stateVersion = "24.05";
 }
-- 
2.44.1
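Review bot: `pgp-pubkey` in the `mail` block points at the private-key secret (`config.sops.secrets."srht/pgpPrivateKey".path`), so the `srht/pgpPublicKey` secret declared a few lines above is never consumed and the private key file is passed where sourcehut expects the public key; it should read `pgp-pubkey = config.sops.secrets."srht/pgpPublicKey".path;`. Separately, the `builds.sr.ht` connection-string uses `sslmode=disable` towards the host `gostir`, so if that database lives on another machine the buildsrht credentials and session travel unprotected; `sslmode=require`, or `verify-full` with the server's CA, is the safer setting there. The worker's `bind-address = "0.0.0.0:8080"` listens on every interface, so it is worth confirming that the host firewall limits that port to the network the builds service is meant to reach it from.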