soopy.moe / gensokyo
nixos config
fork atom

host(nijika): add buildbot

Cassie Cheung ef098024 0ca1b056

options
unified split
Changed files
+79 -3
creds
sops
nijika
default.yaml
systems
nijika
configuration.nix
services
buildbot.nix
default.nix
+12 -2
creds/sops/nijika/default.yaml 
···

       
2

       
 

       
    auth: ENC[AES256_GCM,data:Mxr5/RN/cHbZTlGBMhtZ3qM/gavzdZ5QZm/Z+cWCayCxzer+dk2LV18W/3Fb+k6ylQDuBYoo9PdnwOA20IvRkdnmUPFI5z7dvmG3sFlM79uL5bzXl8E1AncAAWFbrVaFy9ip8O5vo14iMGP4quxIU9GVRYr2L4NI/7Nc8oCSl/kUQil4wIOn46AsCALalwrgPUzyTi1i5+6L/xSE6pXz15GSjy3G2+FhjxIp2g==,iv:IXgBGWvPGVVFg8NAbrnSr/a+E8k+punmkH1sowXXpFo=,tag:b46Xevxomq3ZXqmXFsThWA==,type:str]


     

       
3

       
 

       
lego:


     

       
4

       
 

       
    cf_token: ENC[AES256_GCM,data:qxF3WPZlhX3G,iv:kNFCT0zJype1OrAqngAOsQRp1zxzGIUJfhTBwhACxTs=,tag:Z6W4fKvGQAfi3ATWaTGg8Q==,type:str]


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
5

       
 

       
sops:


     

       
6

       
 

       
    kms: []


     

       
7

       
 

       
    gcp_kms: []


     
···

       
35

       
 

       
            S0lOdU16bXA5cGxVcHc3VzBWenQrREUKL1AQpV36+pBph9nRNgPQnnBZ/CJ/2R6C


     

       
36

       
 

       
            Gz3Uus0Jf8hLe6fWCnOOZFcI/8JibSBJs0x5LWwC04CJ0J2eWSMHIQ==


     

       
37

       
 

       
            -----END AGE ENCRYPTED FILE-----


     

       
38

       
-

       
    lastmodified: "2025-02-06T05:28:10Z"


     

       
39

       
-

       
    mac: ENC[AES256_GCM,data:GqKR5VkQGacO5IZ7Ya78kSseYnkYwGkRvb/LmjRpBk9BKYLuRP9BtY0rfwW4nvUzGIaX0U3vc5ZCAKM3qeicT0CsTxjP7MOsVNSL4xWTkWIqfw/QDB26Cr+pN6ULaQiKKBLcd4ZOBNnIeclN/clEWbWFjI1Qly7Ap1Q+ihKEaak=,iv:k83KcIeONYoDlswlfqZeVPVN5z0of/0FugYUGa3hn8g=,tag:OmDe1y9EQNyO8dQ153C1Tg==,type:str]


     

       
40

       
 

       
    pgp: []


     

       
41

       
 

       
    unencrypted_suffix: _unencrypted


     

       
42

       
 

       
    version: 3.9.4


     
···

       
2

       
 

       
    auth: ENC[AES256_GCM,data:Mxr5/RN/cHbZTlGBMhtZ3qM/gavzdZ5QZm/Z+cWCayCxzer+dk2LV18W/3Fb+k6ylQDuBYoo9PdnwOA20IvRkdnmUPFI5z7dvmG3sFlM79uL5bzXl8E1AncAAWFbrVaFy9ip8O5vo14iMGP4quxIU9GVRYr2L4NI/7Nc8oCSl/kUQil4wIOn46AsCALalwrgPUzyTi1i5+6L/xSE6pXz15GSjy3G2+FhjxIp2g==,iv:IXgBGWvPGVVFg8NAbrnSr/a+E8k+punmkH1sowXXpFo=,tag:b46Xevxomq3ZXqmXFsThWA==,type:str]


     

       
3

       
 

       
lego:


     

       
4

       
 

       
    cf_token: ENC[AES256_GCM,data:qxF3WPZlhX3G,iv:kNFCT0zJype1OrAqngAOsQRp1zxzGIUJfhTBwhACxTs=,tag:Z6W4fKvGQAfi3ATWaTGg8Q==,type:str]


     

       
5

       
+

       
buildbot:


     

       
6

       
+

       
    workers:


     

       
7

       
+

       
        renko: ENC[AES256_GCM,data:8E8bAVCp8PB0xNMiSAg/ReDFuviteJ2nySwb/EmCiEi+21Xta8hLMb4zd70kUGd9bUdKvX4KsGYZaU3XFHopv/0WFJETgutDtNNLf/EwQE4O+r8hqamLml3IUBzeQrYEuMbwJmkMTtilVGr8TO30/NrOjAX7zlvpZazJBE6mROMgjnmi4i/1bwu7D865avJCYID6COHsmBSbRSCOsnODybtScuGMJq5+2FIseg==,iv:Hw4nV0UPtkABXCz/bTj7GPk+tar/Q2Xhe1DjJGXF3R8=,tag:AA2L7B4GEacHvJ5j+a87+A==,type:str]


     

       
8

       
+

       
    gitea:


     

       
9

       
+

       
        webhook_secret: ENC[AES256_GCM,data:8BPEMEFSZmOaloDzd0ufrHIMC8KnGfRPd/jOOSrM0QfGLs+yQe83Sd2MfwwB77SMXfXCIEZwCh+bzXdf/3ila3yM1cFknFZLUCXuzstQWfJ0P9rxWe2s2A==,iv:FcPe8rDrr3M3CQs5wwwQk4b+L5lbfvEQ9BfsxdxpHfk=,tag:q0VESxUJSJglKzyiz01eQA==,type:str]


     

       
10

       
+

       
        token: ENC[AES256_GCM,data:XszEjcK7HSWPAhZXf6TrqjWHlLQceabFZYqoM8ipg3fGqpMul7AGeA==,iv:GvsAbfIe5AfZY7pg3ctiUYt+MZlqgbhvrM56W34OaOA=,tag:3x8qCZBBy0gB8Hr/L5b1XQ==,type:str]


     

       
11

       
+

       
        client_secret: ENC[AES256_GCM,data:8POpHFTwpp6lMr6P8qqJPjkGho90Etv42YwsnUUDf2mlB9pa7GJp0mg6i225UWiynlHehzTlVG0=,iv:+xG7eOUVBnDel1uxfOy4wK19KUZI8Eac+3BRuof+720=,tag:EjA3lHZfeJr7O0bsaaEjBg==,type:str]


     

       
12

       
+

       
    gh:


     

       
13

       
+

       
        webhook_secret: ENC[AES256_GCM,data:3D62C0VFcyriTuyr+zs8gqYQ5uagtAAtGXarJkPr6gcHnUq6G8a715p6alPbCORmODF37jCriu64+221F4vSj1fFH7+imOUmWCgUai0BJOXiZPDDEC2XyA==,iv:Xd/q8SozAHZA/x3X6LvEKmhaFVKCRuPuOH9pEE2QjzQ=,tag:sXqIUxuEDIjcP+ac6fTUIQ==,type:str]


     

       
14

       
+

       
        private_key: ENC[AES256_GCM,data:uTd7A0C0Px3KWCNpUiWKjgKnZEm5fX3549UdbDLQPJ2ic96MpsE4HnT4uen9oJat3n1bqO5TDyU9NBr6Qv6uZx3esdM9z8wcGG9W5l8oyIMQpCHmLrtak9VP19f+GWRXhGjYxJBEFwC+wzvfsQUekVhr9jcwKKrup1gxJow31JEbmzxmkVXAMmrkhO2iMNN75iYwptXmLrptkpjKFs/c18jtJIv4q3V/D0QhXlNueG6bOlAaLp4yifJNrcptEX4D2svU15wkP8jv2TzrW3ug5y6XV0o0dy8FndioofGHW+7weyFENdS+5rDvFyplFVHdzyqsyUAx2CZ6rl6xzLPekQuuNDOTOPfhCftoBA0Se/FchdlLuyihtB4emZ03/VlBDCS1ff8AI639Pdgntaq2gfWY6fH81BVXET1TCLVutGnvdvTX5pJ/ykAg6O9kaSAHXLLVtG843JoxkrRmUWT3sgymYTAPfXiuMCRFQrSCE/tY/avOatHoVYg3ARalZQsoSQpGgpiACWYdsgFCB0aOVK4Ip4wXrs4qKARGrC3429cqsHz7c8zeq0mclNEKjumqvYfuR4f2mseL/4wL5iD+byo2xYR0yW5kY6WdpEJhp87i1+dNM1i73kyCMMOt8yia1AUrGV6EPNRIBZl7Ggk8C6ijJQDnI4gYZZhLYtNPVyxGFWQ+CqRsTFGUpaG++a29BW+DdIEcM3Xs5GjXOiI19xfmllp4JC/enUjzW+Y/lJPtkrJmPyVpY6QRmUVUFUhIzRGenCICpkqwcZVmAw7gs88ojKSlElXnQsbervttx9PK7Fc3x87c7YEyG4FrYX4fORJ9kwsdnsXT6hT7bYZQFJj7BtEu42Pl5RSABwvOisZRee47AnhCt0RYacpxr5pGxmUBhAffUtan7hL0fDxocypQf5jCtTObSoh4iEDV4DGQNb0Rwl9kEL6y+NCGk5gOFo1IJiP4Ez9BgduDTkU05xnTY+lNn5eIxMy0XZFtbSO9YjyzP6lG6Xvg9BcFAw6AC+T9Vn1B/lLK69A8WKEhbtUNZJedJhI1+muj4qqwQaXnLYRbZuK/rCsyaHEy9XmSdEHiG4f7gnYYDf/BSfFMlo1uN8wwPpVLE+H8hg54GFT7VSSegaDlFt6AjG/0K53F0439yFHYTbrvJwBC4ethBfIvHo22qD6HHuE0alokLOi5eO/noty5JE9jyC9qteMuXASc76ocDND2qH2W0/YT5QnNR9pKSZvjX/2Dd0ue2CWNRuCJAiGnYvssT1qyOTeg3gUfmv4IK2Sk353qYGTyD0a/nr2o0kbd8kXQZMBWX45B3o46FK2X3LWrF3STWfCbZCDX6ss614fqdSUMc1oEa6gLnozQz6R5ztlnNPQXL+LnBPO09jwHJHUgWun44+CeKpGO/QreoumQFlgoPM1/+bt5dKC+ihZVowAOyay6DhADiuq22M4lxTHwoaf6WlUXzhsWvDi8Q5mxQDqo/86p6nXF+dcYjQpqTE9uc3muMiXgWmUi6p1w0/ghVU63Etce18Aok0dqdYQ9P/4sAZHhUceYZxoicPSh9GhcmH6Klpzzl3J+UKo0PPl/ELB0Kgn2tQl1/IcIKeQA8BzfsTVfBYKpNpPHnjV8RFI4lKVnrTQRNH6a33JzZAODSQ7a0Ae1isHUf0OEAWJpizxU+ty4vCJHPZk0fXM8/XS8RwBES4rvl6AqMLB+cOG1JYHvOG4NnYa7ocQJTlhBQyddRaZQTvpKfdb8IQ7VQMBvCsc0/ibtRlLBtBJvXmVlb8mnjhptChLW3A2cp9vK4i1pUvk3UPZECOmnGAWcjpeA0yKQDw6DMdm96xKZ5Fe/Ar2u1DzJJeWvIbysaEv63kTuF2tMx2NAA8ywIK85sjipPQddW2Y497pTuXzlmUYVDy9zI0C0ROqEv7+uzFErbweHecBn+cSWHitQDA5ksBRDiokRzz2ZeqU6h57uz/40icV5FVAGNqTNBTGblwvZhVEV91ifCgDQghsKySyNS+TE1lm5slL5m6t6teKgQve/hPnOxRCYNaZM/vriHuyM4oPkVdi9CKzb7tZ60wjQp0etvWIWh8dtqOb3h2CRoetETQi7DkLvQVCc3gfPNUlqnQ/fsfs95CHJrojbxi6+rMV6G+WxZgClxKUdHg9RH/ztAiYDI4q6mUvqcWymQn28Odq+SNzpyeedXYwoRmhPysnSW7aon0PKeV+sqK+XVN7nFQ==,iv:D+0OvrNDG3smrRilANSQvB2DLcT4sUpdrgfV2im5miw=,tag:NIa2WL+hgERc8GshcQ0EiQ==,type:str]


     

       
15

       
 

       
sops:


     

       
16

       
 

       
    kms: []


     

       
17

       
 

       
    gcp_kms: []


     
···

       
45

       
 

       
            S0lOdU16bXA5cGxVcHc3VzBWenQrREUKL1AQpV36+pBph9nRNgPQnnBZ/CJ/2R6C


     

       
46

       
 

       
            Gz3Uus0Jf8hLe6fWCnOOZFcI/8JibSBJs0x5LWwC04CJ0J2eWSMHIQ==


     

       
47

       
 

       
            -----END AGE ENCRYPTED FILE-----


     

       
48

       
+

       
    lastmodified: "2025-02-06T13:40:54Z"


     

       
49

       
+

       
    mac: ENC[AES256_GCM,data:LrNE7/kZCi4gsj/oNTvrtbkvzYjLH/b1KlmPYStxlk2YO9o0ibbp3d3Q2OQRvY4AEZlGOEhYrTDcWKCRYkzvrC+QUH/aW89Q4VTIjelc/jVD6EZRCotXNFNlfkuaZHvf1lqduZhobssp8CHoiLZT6HDgFDZVtjhvQWMeeirQwcg=,iv:xKIoPa1+DSf/eccZGsN++c0PXgmE1c4NrJeuAcdXzFo=,tag:hBblYc1HfnIvwdpVRw9lHQ==,type:str]


     

       
50

       
 

       
    pgp: []


     

       
51

       
 

       
    unencrypted_suffix: _unencrypted


     

       
52

       
 

       
    version: 3.9.4
+3 -1
systems/nijika/configuration.nix 
···

       
1

       
-

       
{...}: {


     

       
2

       
 

       
  imports = [


     

       
3

       
 

       
    ./services


     

       
4

       
 

       
    ./networking.nix # generated at runtime by nixos-infect


     

       

       

       
     

       

       

       
     

       
5

       
 

       
  ];


     

       
6

       
 

       



     

       
7

       
 

       
  gensokyo.presets = {


     
···

       
1

       
+

       
{inputs, ...}: {


     

       
2

       
 

       
  imports = [


     

       
3

       
 

       
    ./services


     

       
4

       
 

       
    ./networking.nix # generated at runtime by nixos-infect


     

       
5

       
+

       



     

       
6

       
+

       
    inputs.buildbot-nix.nixosModules.buildbot-master


     

       
7

       
 

       
  ];


     

       
8

       
 

       



     

       
9

       
 

       
  gensokyo.presets = {
+63
systems/nijika/services/buildbot.nix 
···

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
1

       
+

       
{


     

       
2

       
+

       
  _utils,


     

       
3

       
+

       
  lib,


     

       
4

       
+

       
  config,


     

       
5

       
+

       
  ...


     

       
6

       
+

       
}: let


     

       
7

       
+

       
  secrets = _utils.setupSecrets config {


     

       
8

       
+

       
    namespace = "buildbot";


     

       
9

       
+

       
    secrets = [


     

       
10

       
+

       
      "gh/private_key"


     

       
11

       
+

       
      "gh/webhook_secret"


     

       
12

       
+

       
      "gitea/token"


     

       
13

       
+

       
      "gitea/client_secret"


     

       
14

       
+

       
      "gitea/webhook_secret"


     

       
15

       
+

       



     

       
16

       
+

       
      "workers/renko"


     

       
17

       
+

       
    ];


     

       
18

       
+

       
  };


     

       
19

       
+

       
  mkWorker = name: cores: {


     

       
20

       
+

       
    inherit name cores;


     

       
21

       
+

       
    pass = secrets.placeholder "workers/${name}";


     

       
22

       
+

       
  };


     

       
23

       
+

       
in {


     

       
24

       
+

       
  imports = [


     

       
25

       
+

       
    secrets.generate


     

       
26

       
+

       
    (secrets.mkTemplate "buildbot.workers.json" (builtins.toJSON [


     

       
27

       
+

       
      (mkWorker "renko" 12)


     

       
28

       
+

       
    ]))


     

       
29

       
+

       
  ];


     

       
30

       
+

       



     

       
31

       
+

       
  services.buildbot-nix.master = {


     

       
32

       
+

       
    enable = true;


     

       
33

       
+

       
    domain = "ci.soopy.moe";


     

       
34

       
+

       
    useHTTPS = true;


     

       
35

       
+

       
    admins = ["soopyc"];


     

       
36

       
+

       
    accessMode.public = {};


     

       
37

       
+

       
    workersFile = secrets.getTemplate "buildbot.workers.json";


     

       
38

       
+

       



     

       
39

       
+

       
    # forges configuration


     

       
40

       
+

       
    authBackend = "gitea";


     

       
41

       
+

       
    github = {


     

       
42

       
+

       
      enable = true;


     

       
43

       
+

       
      webhookSecretFile = secrets.get "gh/webhook_secret";


     

       
44

       
+

       
      authType.app = {


     

       
45

       
+

       
        id = 1135740;


     

       
46

       
+

       
        secretKeyFile = secrets.get "gh/private_key";


     

       
47

       
+

       
      };


     

       
48

       
+

       
    };


     

       
49

       
+

       
    gitea = {


     

       
50

       
+

       
      enable = true;


     

       
51

       
+

       
      tokenFile = secrets.get "gitea/token";


     

       
52

       
+

       
      webhookSecretFile = secrets.get "gitea/webhook_secret";


     

       
53

       
+

       
      instanceUrl = "https://patchy.soopy.moe";


     

       
54

       
+

       
      oauthId = "4c9061a1-2ec9-42bb-a80c-8f3124f13b29";


     

       
55

       
+

       
      oauthSecretFile = secrets.get "gitea/client_secret";


     

       
56

       
+

       
    };


     

       
57

       
+

       
  };


     

       
58

       
+

       



     

       
59

       
+

       
  services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = _utils.mkVhost {


     

       
60

       
+

       
    useACMEHost = lib.mkForce null;


     

       
61

       
+

       
    enableACME = true;


     

       
62

       
+

       
  };


     

       
63

       
+

       
}
+1
systems/nijika/services/default.nix 
···

       
1

       
 

       
{...}: {


     

       
2

       
 

       
  imports = [


     

       
3

       
 

       
    ./fallback_page


     

       

       

       
     

       
4

       
 

       
  ];


     

       
5

       
 

       
}


     
···

       
1

       
 

       
{...}: {


     

       
2

       
 

       
  imports = [


     

       
3

       
 

       
    ./fallback_page


     

       
4

       
+

       
    ./buildbot.nix


     

       
5

       
 

       
  ];


     

       
6

       
 

       
}