DEVELOPMENT ENVIRONMENT

~liljamo/nix-arta

ref: 9b348150e31e5e9b248705c3b46783c95c8f1979 nix-arta/systems/hosts/sqbuilds/default.nix -rw-r--r-- 2.5 KiB
9b348150Jonni Liljamo wip(systems/hosts/sqbuilds): initial sqbuilds config 2 months ago 
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

{
  config,
  pkgs,
  ...
}: {
  imports = [
    ./hardware-configuration.nix
  ];

  sops.secrets."srht/networkKey" = {};
  sops.secrets."srht/serviceKey" = {};
  sops.secrets."srht/webhooksPrivateKey" = {};
  sops.secrets."srht/builds/clientSecret" = {};

  sops.secrets."srht/pgpPrivateKey" = {
    group = "pgpkeys";
    mode = "0440";
  };
  sops.secrets."srht/pgpPublicKey" = {
    group = "pgpkeys";
    mode = "0440";
  };

  users.groups.pgpkeys.members = [
    "buildsrht"
  ];

  services.sourcehut = {
    enable = true;
    redis.enable = true;
    settings = {
      "sr.ht" = {
        owner-email = "jonni@liljamo.com";
        owner-name = "Jonni Liljamo";
        global-domain = "src.quest";
        network-key = config.sops.secrets."srht/networkKey".path;
        service-key = config.sops.secrets."srht/serviceKey".path;
      };
      mail = {
        # FIXME: runners should not need this, but the module requires it,
        #        pls fix
        error-from = "no-reply@src.quest";
        error-to = "jonni@liljamo.com";
        pgp-key-id = "F86655FF033B89F88E4F57C193C69331A06D888D";
        pgp-privkey = config.sops.secrets."srht/pgpPrivateKey".path;
        pgp-pubkey = config.sops.secrets."srht/pgpPrivateKey".path;
        smtp-from = "no-reply@src.quest";
      };
      webhooks.private-key = config.sops.secrets."srht/webhooksPrivateKey".path;
      "builds.sr.ht" = {
        migrate-on-upgrade = false;
        origin = "https://builds.src.quest";
        connection-string = "postgresql://buildsrht@gostir:5432/builds.sr.ht?sslmode=disable";

        oauth-client-id = "b239c860-1507-4398-bd56-969c2ac9a5d1";
        oauth-client-secret = config.sops.secrets."srht/builds/clientSecret".path;
      };
      "builds.sr.ht::worker" = {
        name = "sqbuilds";
        timeout = "45m";
        bind-address = "0.0.0.0:8080";
      };
      "meta.sr.ht".origin = "https://meta.src.quest";
    };
    builds = {
      enable = true;
      enableWorker = true;
      images = let
        pkgs_unstable = builtins.fetchGit {
          url = "https://github.com/NixOS/nixpkgs";
          # NOTE: last updated 29.8.2024
          rev = "a6292e34000dc93d43bccf78338770c1c5ec8a99";
          ref = "nixos-unstable";
        };
        image_from_nixpkgs = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
          pkgs = import pkgs_unstable {system = "x86_64-linux";};
        });
      in {
        nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable;
      };
    };
  };

  system.stateVersion = "24.05";
}