diff --git a/.gitattributes b/.gitattributes index af4fe8b..84c4b22 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,3 @@ flake.lock linguist-generated=true +*.age linguist-generated=true +nixos/jenkins/plugins.nix linguist-generated=true diff --git a/flake.nix b/flake.nix index 978d82c..3309f90 100644 --- a/flake.nix +++ b/flake.nix @@ -57,6 +57,7 @@ ./systems/hetzner/ax101.nix ./nixos/server/harden.nix ./nixos/docker.nix + ./nixos/jenkins.nix # ./nixos/hercules.nix # I host a Nix cache # (import ./nixos/cache-server.nix { diff --git a/nixos/jenkins.nix b/nixos/jenkins.nix new file mode 100644 index 0000000..0b2cc4d --- /dev/null +++ b/nixos/jenkins.nix 
@@ -0,0 +1,162 @@ +{ pkgs, config, ... }: + +# TODO: +# - Build agents (SSH slave) +# - NixOS slave: container separation? +# - macOS slave (later) +let + # The port to run Jenkins on. + port = 9091; + # The domain in which Jenkins is exposed to the outside world through nginx. + domain = "jenkins.srid.ca"; + + # Config for configuration-as-code-plugin + # + # This enable us to configure Jenkins declaratively rather than fiddle with + # the UI manually. + # cf: + # https://github.com/mjuh/nixos-jenkins/blob/master/nixos/modules/services/continuous-integration/jenkins/jenkins.nix + cascConfig = { + credentials = { + system.domainCredentials = [ + { + credentials = [ + { + basicSSHUserPrivateKey = { + id = "ssh-privkey"; + username = "jenkins"; + privateKeySource.directEntry.privateKey = + casc.readFile config.age.secrets.jenkins-ssh-privkey.path; + }; + } + { + # Instructions for creating this Github App are at: + # https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc#configuration-as-code-plugin + githubApp = { + appID = "307056"; # https://github.com/apps/jenkins-srid + description = "Github App - jenkins-srid"; + id = "github-app"; + privateKey = casc.readFile config.age.secrets.jenkins-github-app-privkey.path; + }; + } + { + string = { + id = "cachix-auth-token"; + description = "srid.cachix.org auth token"; + secret = casc.json "value" (casc.readFile config.age.secrets.srid-cachix-auth-token.path); + }; + } + { + string = { + id = "docker-pass"; + description = "sridca Docker password"; + secret = casc.json "value" (casc.readFile config.age.secrets.srid-docker-pass.path); + }; + } + ]; + } + ]; + }; + jenkins = { + numExecutors = 6; + securityRealm = { + local = { + allowsSignup = false; + }; + }; + /* + nodes = [ + { + permanent = { + name = "jenkins-agent-contaiiner"; + remoteFS = "/var/lib/jenkins/"; + launcher.ssh = { + host = "undefined"; + port = 22; + }; + }; + } + ]; + */ + }; + unclassified.location.url = 
"https://${domain}/"; + }; + + # Functions for working with configuration-as-code-plugin syntax. + # https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#additional-variable-substitution + casc = { + readFile = path: + "$" + "{readFile:" + path + "}"; + json = k: x: + "$" + "{json:" + k + ":" + x + "}"; + }; +in +{ + imports = [ + ./docker.nix + ]; + services.jenkins.extraGroups = [ "docker" ]; + + age.secrets.jenkins-ssh-privkey = { + owner = "jenkins"; + file = ../secrets/jenkins-ssh-privkey.age; + }; + age.secrets.jenkins-github-app-privkey = { + owner = "jenkins"; + file = ../secrets/jenkins-github-app-privkey.age; + }; + age.secrets.srid-cachix-auth-token = { + owner = "jenkins"; + file = ../secrets/srid-cachix-auth-token.age; + }; + age.secrets.srid-docker-pass = { + owner = "jenkins"; + file = ../secrets/srid-docker-pass.age; + }; + + services.jenkins = { + enable = true; + inherit port; + environment = { + CASC_JENKINS_CONFIG = + builtins.toString (pkgs.writeText "jenkins.json" (builtins.toJSON cascConfig)); + }; + packages = with pkgs; [ + # Add packages used by Jenkins plugins here. + git + bash # 'sh' step requires this + coreutils + which + nix + cachix + docker + ]; + # ./jenkins/update-plugins.sh + plugins = import ./jenkins/plugins.nix { + inherit (pkgs) fetchurl stdenv; + }; + extraJavaOptions = [ + # Useful when the 'sh' step b0rks. + # https://stackoverflow.com/a/66098536/55246 + "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true" + ]; + }; + + # To allow the local node to run as builder, supporting nix builds. + # This should not be necessary with external build agents. 
+ nix.settings.allowed-users = [ "jenkins" ]; + nix.settings.trusted-users = [ "jenkins" ]; + + services.nginx = { + virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:${toString port}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; +} diff --git a/nixos/jenkins/plugins.nix b/nixos/jenkins/plugins.nix new file mode 100644 index 0000000..f63a146 --- /dev/null +++ b/nixos/jenkins/plugins.nix 
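Review bot: `nix.settings.trusted-users = [ "jenkins" ];` near the end of this file, together with `services.jenkins.extraGroups = [ "docker" ];`, gives every job on the built-in node privileges close to root on this host, while `numExecutors = 6` keeps builds on that node and all four `age.secrets.*` entries are owned by the same `jenkins` user. Since the GitHub App credential suggests jobs are built from repository branches, any pipeline definition that runs there can read the decrypted secret files and influence the Nix daemon's settings. Consider dropping the `trusted-users` line (keeping `allowed-users`) unless a job demonstrably needs it, and setting `numExecutors = 0` once the agents from the TODO exist, so build steps no longer share a user with the controller's credentials. Separately, the nginx vhost forces TLS but `services.jenkins` sets no bind address; adding `listenAddress = "127.0.0.1";` would keep port 9091 reachable only through the proxy, assuming the module's default is the wildcard address.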
@@ -0,0 +1,647 @@ +{ stdenv, fetchurl }: + let + mkJenkinsPlugin = { name, src }: + stdenv.mkDerivation { + inherit name src; + phases = "installPhase"; + installPhase = "cp \$src \$out"; + }; + in { + apache-httpcomponents-client-4-api = mkJenkinsPlugin { + name = "apache-httpcomponents-client-4-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/apache-httpcomponents-client-4-api/4.5.14-150.v7a_b_9d17134a_5/apache-httpcomponents-client-4-api.hpi"; + sha256 = "ec6919c2ae115234535ed79947e5c3a20e97ebc566d4f0990944f88f84864dc4"; + }; + }; + blueocean-commons = mkJenkinsPlugin { + name = "blueocean-commons"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/blueocean-commons/1.27.3/blueocean-commons.hpi"; + sha256 = "d397762452ee2998d2984fe9475c85236a06b8d35d78bdb9bbc382b58258e75b"; + }; + }; + blueocean-core-js = mkJenkinsPlugin { + name = "blueocean-core-js"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/blueocean-core-js/1.27.3/blueocean-core-js.hpi"; + sha256 = "7305281db350d6dea7d3c96976c4b204b279164d359a0e4c0a8b6e4ea3410c07"; + }; + }; + blueocean-rest = mkJenkinsPlugin { + name = "blueocean-rest"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/blueocean-rest/1.27.3/blueocean-rest.hpi"; + sha256 = "22abb9c3626e5ee059d4782c1d5cb630446961d1c634692a388b4a783e07458c"; + }; + }; + blueocean-web = mkJenkinsPlugin { + name = "blueocean-web"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/blueocean-web/1.27.3/blueocean-web.hpi"; + sha256 = "f65be13547d2b5600cd448439a1b06261c7530755de472376f6351120604ed73"; + }; + }; + bootstrap5-api = mkJenkinsPlugin { + name = "bootstrap5-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/bootstrap5-api/5.2.2-1/bootstrap5-api.hpi"; + sha256 = "025f21e5ebfdde6197425f457a93ccb2ba3811c623c3c21d5f3234c4c79ff872"; + }; + }; + bouncycastle-api = mkJenkinsPlugin { + name 
= "bouncycastle-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/bouncycastle-api/2.27/bouncycastle-api.hpi"; + sha256 = "3837ee8f7402bf4a4dc90f6a228a6086086205bc755e119eadff2b15faf908a3"; + }; + }; + branch-api = mkJenkinsPlugin { + name = "branch-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/branch-api/2.1071.v1a_188a_562481/branch-api.hpi"; + sha256 = "16f3f3afdb4684e8558eec3c5c7d2523affa78c01b83fa822fb6379aa1470cf8"; + }; + }; + caffeine-api = mkJenkinsPlugin { + name = "caffeine-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/caffeine-api/2.9.3-65.v6a_47d0f4d1fe/caffeine-api.hpi"; + sha256 = "649fb9a4f730024d30b4890182e9d1c41ff388664fd81786b6cf5ddf9367d89e"; + }; + }; + checks-api = mkJenkinsPlugin { + name = "checks-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/checks-api/2.0.0/checks-api.hpi"; + sha256 = "a38772be178edd899e1963267541530fc074a8529f88254ad0cf512f7ae89a9b"; + }; + }; + cloudbees-folder = mkJenkinsPlugin { + name = "cloudbees-folder"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/cloudbees-folder/6.815.v0dd5a_cb_40e0e/cloudbees-folder.hpi"; + sha256 = "cd045bc885fc7b147765fdae56ef3c6ffd98ade2aed7086fd4a691e270b83f04"; + }; + }; + command-launcher = mkJenkinsPlugin { + name = "command-launcher"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/command-launcher/90.v669d7ccb_7c31/command-launcher.hpi"; + sha256 = "38e6bf4f404d2f8264b338b773a1c930e12143f97c18bd67d6c9661427a6ada8"; + }; + }; + commons-lang3-api = mkJenkinsPlugin { + name = "commons-lang3-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/commons-lang3-api/3.12.0-36.vd97de6465d5b_/commons-lang3-api.hpi"; + sha256 = "98dfff9f21370d6808392fd811f90a6e173e705970309877596032be1b917ad1"; + }; + }; + commons-text-api = mkJenkinsPlugin { + name = "commons-text-api"; + 
src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/commons-text-api/1.10.0-36.vc008c8fcda_7b_/commons-text-api.hpi"; + sha256 = "250120de1e1e56e246b6180324d99d161a073d4dfbbf8adc2552de92f1bf2ceb"; + }; + }; + conditional-buildstep = mkJenkinsPlugin { + name = "conditional-buildstep"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/conditional-buildstep/1.4.2/conditional-buildstep.hpi"; + sha256 = "919be166db7b7f90c1445b7dd37981e60880929362908439ba20cb25799fc98f"; + }; + }; + config-file-provider = mkJenkinsPlugin { + name = "config-file-provider"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/config-file-provider/3.11.1/config-file-provider.hpi"; + sha256 = "c026f18419f3f67521ebcfb3c58797f3f3acf27766919ef3d40691eeedf3761b"; + }; + }; + configuration-as-code = mkJenkinsPlugin { + name = "configuration-as-code"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/configuration-as-code/1569.vb_72405b_80249/configuration-as-code.hpi"; + sha256 = "853fa7fcb19fa4d0b661ef8df953b2cf1c8e8727a8a51370dd92cd3b1ed9c56f"; + }; + }; + credentials = mkJenkinsPlugin { + name = "credentials"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/credentials/1224.vc23ca_a_9a_2cb_0/credentials.hpi"; + sha256 = "23674ca9c570e36597166d9b5a629383546548594ad9f7f7ffe13594231d16bb"; + }; + }; + credentials-binding = mkJenkinsPlugin { + name = "credentials-binding"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/credentials-binding/523.vd859a_4b_122e6/credentials-binding.hpi"; + sha256 = "0a9e850728268d2750fe941ef63e35ca0eb42dfa3f425056cbd630a90d9d089a"; + }; + }; + display-url-api = mkJenkinsPlugin { + name = "display-url-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/display-url-api/2.3.7/display-url-api.hpi"; + sha256 = "1d35d2e9727821c63609a672e872a68172696e8aa81ec6ea07816086f95c684d"; + }; + }; + 
durable-task = mkJenkinsPlugin { + name = "durable-task"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/durable-task/504.vb10d1ae5ba2f/durable-task.hpi"; + sha256 = "0c79fdd0a04852987c8457953f89d5089fffb20d78331fabd58647b966268340"; + }; + }; + echarts-api = mkJenkinsPlugin { + name = "echarts-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/echarts-api/5.4.0-2/echarts-api.hpi"; + sha256 = "a13dd94cc3a4ed4f3fcb61686ba1e15d9acab4293fcab4ad2e997e6bf16a357f"; + }; + }; + font-awesome-api = mkJenkinsPlugin { + name = "font-awesome-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/font-awesome-api/6.3.0-1/font-awesome-api.hpi"; + sha256 = "0921f3834035368c728959a15d8e1bf26de85703f78e0c09a9e9dadd99c80dc7"; + }; + }; + git = mkJenkinsPlugin { + name = "git"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/git/5.0.0/git.hpi"; + sha256 = "5ad8e2f6ef7b9bec00c889092fc702ef21c1d4a334a5c9c8f00cffa65cf63605"; + }; + }; + git-client = mkJenkinsPlugin { + name = "git-client"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/git-client/4.2.0/git-client.hpi"; + sha256 = "42c84f73e80fe47041d6ecd66b3f98d4f239fd460b7b727d14a78174bc8ae40e"; + }; + }; + github = mkJenkinsPlugin { + name = "github"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/github/1.37.0/github.hpi"; + sha256 = "9314887062bc880504dab25a3958844fe613cb9268d77f00906d11fe8c669d6d"; + }; + }; + github-api = mkJenkinsPlugin { + name = "github-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/github-api/1.303-417.ve35d9dd78549/github-api.hpi"; + sha256 = "3d241357ff65631c97b0abb130fe72c421b842923cd09efdfb363f12e910b17e"; + }; + }; + github-branch-source = mkJenkinsPlugin { + name = "github-branch-source"; + src = fetchurl { + url = 
"https://updates.jenkins-ci.org/download/plugins/github-branch-source/1701.v00cc8184df93/github-branch-source.hpi"; + sha256 = "fb882a78b4fb3962a11f8175ab02d8bf05fe41321a9206dc7b7dd7a3f1d25123"; + }; + }; + instance-identity = mkJenkinsPlugin { + name = "instance-identity"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/instance-identity/142.v04572ca_5b_265/instance-identity.hpi"; + sha256 = "0545ef7fa6b5240f2baf1a385464e5d4f2ab43ac5784460c82d4eb1e5f2dbd6f"; + }; + }; + ionicons-api = mkJenkinsPlugin { + name = "ionicons-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/ionicons-api/45.vf54fca_5d2154/ionicons-api.hpi"; + sha256 = "56b1e6377326e36f8d98e7e992aa2a6622e9e556efc78b2408a5418eedf6074b"; + }; + }; + jackson2-api = mkJenkinsPlugin { + name = "jackson2-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jackson2-api/2.14.2-319.v37853346a_229/jackson2-api.hpi"; + sha256 = "a8e9fce51913f55ec42924cb92447c807eb9d8560f8fa6648a5231d31118f896"; + }; + }; + jakarta-activation-api = mkJenkinsPlugin { + name = "jakarta-activation-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jakarta-activation-api/2.0.1-3/jakarta-activation-api.hpi"; + sha256 = "fa99c0288dcd24e7bbc857974d07a622d19d48ba71a39564b6c1fa9a14773ed1"; + }; + }; + jakarta-mail-api = mkJenkinsPlugin { + name = "jakarta-mail-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jakarta-mail-api/2.0.1-3/jakarta-mail-api.hpi"; + sha256 = "af8d0ed38eed3231a078291c4c5f1f0c342970a860a88cdd11ff3ebb606bd3b7"; + }; + }; + javadoc = mkJenkinsPlugin { + name = "javadoc"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/javadoc/226.v71211feb_e7e9/javadoc.hpi"; + sha256 = "a2913b6b99f0d204400ddfcbf6ef50edaa0e869a4f0fde2c38f13432943a762d"; + }; + }; + javax-activation-api = mkJenkinsPlugin { + name = "javax-activation-api"; + src = fetchurl { + 
url = "https://updates.jenkins-ci.org/download/plugins/javax-activation-api/1.2.0-6/javax-activation-api.hpi"; + sha256 = "8af800837a3bddca75d7f962fbcf535d1c3c214f323fa57c141cecdde61516a9"; + }; + }; + jaxb = mkJenkinsPlugin { + name = "jaxb"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jaxb/2.3.8-1/jaxb.hpi"; + sha256 = "607213a0b4d959f9982ef53e908c8cfc37f2334e38bb49487f7f8eed6b6c4956"; + }; + }; + jenkins-design-language = mkJenkinsPlugin { + name = "jenkins-design-language"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jenkins-design-language/1.27.3/jenkins-design-language.hpi"; + sha256 = "e67a942df722a6732d8b5aa3297924acf302aef954a9e306a80b8ccd10c6ae58"; + }; + }; + jjwt-api = mkJenkinsPlugin { + name = "jjwt-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jjwt-api/0.11.5-77.v646c772fddb_0/jjwt-api.hpi"; + sha256 = "cc10fc60c47fe60a585224dad45dde166dd0268cf6efc9967fbf870e3601ceb2"; + }; + }; + job-dsl = mkJenkinsPlugin { + name = "job-dsl"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/job-dsl/1.81.1/job-dsl.hpi"; + sha256 = "3fdef67437ed807a66f47d844fc51b3291726b0c503d061c77a5e685f79a644c"; + }; + }; + jquery3-api = mkJenkinsPlugin { + name = "jquery3-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jquery3-api/3.6.3-1/jquery3-api.hpi"; + sha256 = "4ecbb0dae33e23fa525e54d5ae9ed21ffaea87b4f5b403d7ba1c66f00b098bce"; + }; + }; + jsch = mkJenkinsPlugin { + name = "jsch"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/jsch/0.1.55.61.va_e9ee26616e7/jsch.hpi"; + sha256 = "8379691a06b084540ce6b70c11fc055720098d262b717cf46429a2afd6ca8ee6"; + }; + }; + junit = mkJenkinsPlugin { + name = "junit"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/junit/1189.v1b_e593637fa_e/junit.hpi"; + sha256 = 
"4df91b00e439844382c4b58fb27a1530591a882a02f7a2645e0f63b29c5e46d2"; + }; + }; + mailer = mkJenkinsPlugin { + name = "mailer"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/mailer/448.v5b_97805e3767/mailer.hpi"; + sha256 = "0b5f9925bb002b286e2ea46fa8157b3b957845c8d9cedf57cb00ede6bfe46609"; + }; + }; + managed-scripts = mkJenkinsPlugin { + name = "managed-scripts"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/managed-scripts/1.5.6/managed-scripts.hpi"; + sha256 = "72ae9dcd4085bdfbe810c1e04e30269520db6a1cefba339e34c13f39fa8384b8"; + }; + }; + mapdb-api = mkJenkinsPlugin { + name = "mapdb-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/mapdb-api/1.0.9-28.vf251ce40855d/mapdb-api.hpi"; + sha256 = "b924749b6445270cd2ed881f81925fedd71f67a2993473b9172e1e7a9a4023be"; + }; + }; + matrix-project = mkJenkinsPlugin { + name = "matrix-project"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/matrix-project/785.v06b_7f47b_c631/matrix-project.hpi"; + sha256 = "e42f01c243f2a5797649438cbf523b7a76b40d1ff3cf9075898fe1e824f2e525"; + }; + }; + maven-plugin = mkJenkinsPlugin { + name = "maven-plugin"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/maven-plugin/3.21/maven-plugin.hpi"; + sha256 = "86e4a8ede78fcd5bea375685ba29713f5e08ee07467a3c6bc768d5aa3ff51e01"; + }; + }; + metrics = mkJenkinsPlugin { + name = "metrics"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/metrics/4.2.13-420.vea_2f17932dd6/metrics.hpi"; + sha256 = "ccdd21e7890530e555285cfd4efe4ea2e33215b99ad1901afdb867fffb554e57"; + }; + }; + mina-sshd-api-common = mkJenkinsPlugin { + name = "mina-sshd-api-common"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/mina-sshd-api-common/2.9.2-50.va_0e1f42659a_a/mina-sshd-api-common.hpi"; + sha256 = "a364ceb83947f6e94616b8b848a7527a04f7d0e4e2f1eaf0af41cc615906ca65"; + }; + }; + 
mina-sshd-api-core = mkJenkinsPlugin { + name = "mina-sshd-api-core"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/mina-sshd-api-core/2.9.2-50.va_0e1f42659a_a/mina-sshd-api-core.hpi"; + sha256 = "4499a7c8bb533e0f06b53860628923ddefc3ceeeffaee8031cde1487f295aba8"; + }; + }; + node-iterator-api = mkJenkinsPlugin { + name = "node-iterator-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/node-iterator-api/49.v58a_8b_35f8363/node-iterator-api.hpi"; + sha256 = "106b4ba84478412d2f7bb30fa7e4aad13c5235b235cfbbf62f072904342969ea"; + }; + }; + okhttp-api = mkJenkinsPlugin { + name = "okhttp-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/okhttp-api/4.10.0-132.v7a_7b_91cef39c/okhttp-api.hpi"; + sha256 = "d64fcc0e29c76c5b0197f8585267f53ffa96e0ea0709c7aa4a4ecd0eccfeb6ca"; + }; + }; + parameterized-trigger = mkJenkinsPlugin { + name = "parameterized-trigger"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/parameterized-trigger/2.45/parameterized-trigger.hpi"; + sha256 = "58d1441fb5cfb4837c67d4d87a8925f45d8e99a1472a8f8010fbecc0b6ecfed9"; + }; + }; + pipeline-build-step = mkJenkinsPlugin { + name = "pipeline-build-step"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-build-step/487.va_823138eee8b_/pipeline-build-step.hpi"; + sha256 = "01db32de84bd43857590788a9cca2f60578f5c67fdb3816eab46b3eda7594774"; + }; + }; + pipeline-groovy-lib = mkJenkinsPlugin { + name = "pipeline-groovy-lib"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-groovy-lib/629.vb_5627b_ee2104/pipeline-groovy-lib.hpi"; + sha256 = "f8a10d0784b6548678ba6758effc1267df0fa62fa86191648355c303cd042746"; + }; + }; + pipeline-input-step = mkJenkinsPlugin { + name = "pipeline-input-step"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-input-step/466.v6d0a_5df34f81/pipeline-input-step.hpi"; 
+ sha256 = "81fbb12caffea58e298d0662a2fff4cc2ad087b92718d917f5c00b63909a8fe0"; + }; + }; + pipeline-milestone-step = mkJenkinsPlugin { + name = "pipeline-milestone-step"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-milestone-step/111.v449306f708b_7/pipeline-milestone-step.hpi"; + sha256 = "48bea7547ad989b0c1abb550c3e2ff27bb48d7ff7685e84c0f39d5148bf6fd6b"; + }; + }; + pipeline-model-api = mkJenkinsPlugin { + name = "pipeline-model-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-model-api/2.2118.v31fd5b_9944b_5/pipeline-model-api.hpi"; + sha256 = "ed6320e23aa3287f53ab1dedc4e56ad7c318479b6959b13c3b7f169ab2143377"; + }; + }; + pipeline-model-definition = mkJenkinsPlugin { + name = "pipeline-model-definition"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-model-definition/2.2118.v31fd5b_9944b_5/pipeline-model-definition.hpi"; + sha256 = "0bba171131e7c8af33db91302879b0ad026b55dd0213a7fc78160e3ea0621e4d"; + }; + }; + pipeline-model-extensions = mkJenkinsPlugin { + name = "pipeline-model-extensions"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-model-extensions/2.2118.v31fd5b_9944b_5/pipeline-model-extensions.hpi"; + sha256 = "44312fa6a8b93de1287be8f9269cb442a17518ec38b235751593674d4bbf07d8"; + }; + }; + pipeline-stage-step = mkJenkinsPlugin { + name = "pipeline-stage-step"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-stage-step/305.ve96d0205c1c6/pipeline-stage-step.hpi"; + sha256 = "8d5112dd70d9912f33bdb64858bbfa718372ab79447fa91f1e07fdb41c05bb7e"; + }; + }; + pipeline-stage-tags-metadata = mkJenkinsPlugin { + name = "pipeline-stage-tags-metadata"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/pipeline-stage-tags-metadata/2.2118.v31fd5b_9944b_5/pipeline-stage-tags-metadata.hpi"; + sha256 = 
"4cefb0f311c3b962c8b085bf54367d416121e7b011aede9af9ba34d9cc3eee53"; + }; + }; + plain-credentials = mkJenkinsPlugin { + name = "plain-credentials"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/plain-credentials/143.v1b_df8b_d3b_e48/plain-credentials.hpi"; + sha256 = "23a74199dcb19659e19c9d92e4797b40bc9feb48400ce56ae43fa4d9520df901"; + }; + }; + plugin-util-api = mkJenkinsPlugin { + name = "plugin-util-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/plugin-util-api/3.1.0/plugin-util-api.hpi"; + sha256 = "12097d17bdfb1cb44f8c3e6ccba82b14041bba83b34ef9c1f75ae33f00b62412"; + }; + }; + project-inheritance = mkJenkinsPlugin { + name = "project-inheritance"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/project-inheritance/21.04.03/project-inheritance.hpi"; + sha256 = "c7e714d2a096ceb719f9a91eb61d12c6da1619f139254ce91db1ead58520ecf7"; + }; + }; + promoted-builds = mkJenkinsPlugin { + name = "promoted-builds"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/promoted-builds/892.vd6219fc0a_efb/promoted-builds.hpi"; + sha256 = "1f0483c03cfd227a8d8e1924a08aeb43f23a2414dd7602ba4c4871e3a6447ea6"; + }; + }; + rebuild = mkJenkinsPlugin { + name = "rebuild"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/rebuild/1.34/rebuild.hpi"; + sha256 = "84e3ac4876488adb8649172ace2132a6fd887faf0809235154e40d330d912a74"; + }; + }; + run-condition = mkJenkinsPlugin { + name = "run-condition"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/run-condition/1.5/run-condition.hpi"; + sha256 = "7ed94d7196676c00e45b5bf7e191831eee0e49770dced1c266b8055980b339ca"; + }; + }; + scm-api = mkJenkinsPlugin { + name = "scm-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/scm-api/631.v9143df5b_e4a_a/scm-api.hpi"; + sha256 = "981a908f2b2af2fd7947d2c2dc58bb0e85185ba3a0a741f1f948cd904d3bdb30"; + }; + }; + 
script-security = mkJenkinsPlugin { + name = "script-security"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/script-security/1229.v4880b_b_e905a_6/script-security.hpi"; + sha256 = "c2a36c560e04a099a4037a08298a8b87bb514ae739b915fd882ba07b2fbf25e6"; + }; + }; + snakeyaml-api = mkJenkinsPlugin { + name = "snakeyaml-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/snakeyaml-api/1.33-95.va_b_a_e3e47b_fa_4/snakeyaml-api.hpi"; + sha256 = "c6cc0607f773e3b026ab2c121856b905f97415c9b1fb20e884cd6297e8d0bf21"; + }; + }; + ssh-credentials = mkJenkinsPlugin { + name = "ssh-credentials"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/ssh-credentials/305.v8f4381501156/ssh-credentials.hpi"; + sha256 = "008ffb999ce9c7949c1299e1305007178bd0bedfd4c8401d6a4e92eeba635ff4"; + }; + }; + ssh-slaves = mkJenkinsPlugin { + name = "ssh-slaves"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/ssh-slaves/2.877.v365f5eb_a_b_eec/ssh-slaves.hpi"; + sha256 = "64dd557487fbab57c35d78e241e07f6596a46fb43723031a4c1c3d783e50d016"; + }; + }; + structs = mkJenkinsPlugin { + name = "structs"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/structs/324.va_f5d6774f3a_d/structs.hpi"; + sha256 = "65dd0a68c663b08e30ed254f37549e9ccfab18d27e4f1182cc7eed6d4d02c958"; + }; + }; + subversion = mkJenkinsPlugin { + name = "subversion"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/subversion/2.17.1/subversion.hpi"; + sha256 = "8647902fe5786df248cb9a2c77322210871270a6c233de7426cbc2706738be3c"; + }; + }; + support-core = mkJenkinsPlugin { + name = "support-core"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/support-core/1266.v6d096c154c90/support-core.hpi"; + sha256 = "31d3e23cd5ecc08c13aa8584ae69ee7bede124199a503983db5ed9ed607906df"; + }; + }; + theme-manager = mkJenkinsPlugin { + name = "theme-manager"; + src = 
fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/theme-manager/1.6/theme-manager.hpi"; + sha256 = "1ea4f6b571befade0611ddb104cd49b94ecd41a427deadfcf3cb504903222d63"; + }; + }; + token-macro = mkJenkinsPlugin { + name = "token-macro"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/token-macro/321.vd7cc1f2a_52c8/token-macro.hpi"; + sha256 = "095084f680c37f7d18d6468e2c4aecd74430f324c1d6ebb23d8551d34debdadb"; + }; + }; + trilead-api = mkJenkinsPlugin { + name = "trilead-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/trilead-api/2.84.v72119de229b_7/trilead-api.hpi"; + sha256 = "72ee883ee83a94a0a84e9821123ae3f1eb09e7650896c5e0a78be8d0df50bde8"; + }; + }; + variant = mkJenkinsPlugin { + name = "variant"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/variant/59.vf075fe829ccb/variant.hpi"; + sha256 = "14ac8250e7ff958e45d8e47c05d5cb495602a34737a7a2680e9e364798624fb3"; + }; + }; + vsphere-cloud = mkJenkinsPlugin { + name = "vsphere-cloud"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/vsphere-cloud/2.27/vsphere-cloud.hpi"; + sha256 = "b584e8c515cdf41fa47740087677e11af80c402ef6c4fb5f153b9d8e05ccbdea"; + }; + }; + workflow-aggregator = mkJenkinsPlugin { + name = "workflow-aggregator"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-aggregator/596.v8c21c963d92d/workflow-aggregator.hpi"; + sha256 = "45933e33058d48c6f3e70a37f31ecb65e48939ce91d46bc98b60f5595316c1d1"; + }; + }; + workflow-api = mkJenkinsPlugin { + name = "workflow-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-api/1208.v0cc7c6e0da_9e/workflow-api.hpi"; + sha256 = "b99225d0926f1956a516ad30e8fb4c0f904c92f835be7c91a9d6a17fa8c78d88"; + }; + }; + workflow-basic-steps = mkJenkinsPlugin { + name = "workflow-basic-steps"; + src = fetchurl { + url = 
"https://updates.jenkins-ci.org/download/plugins/workflow-basic-steps/1010.vf7a_b_98e847c1/workflow-basic-steps.hpi"; + sha256 = "2106fde9cc20fb037f2f9b33b0684fb7817b4f40d4e73f0ed2e20bcaa3fd9159"; + }; + }; + workflow-cps = mkJenkinsPlugin { + name = "workflow-cps"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-cps/3641.vf58904a_b_b_5d8/workflow-cps.hpi"; + sha256 = "e2d62c1dd6d2d51b3cf1d3bff9901052dfca3f0f0da5b4df670cc7c7b4379771"; + }; + }; + workflow-durable-task-step = mkJenkinsPlugin { + name = "workflow-durable-task-step"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-durable-task-step/1234.v019404b_3832a/workflow-durable-task-step.hpi"; + sha256 = "d3a1eebc10aece2a9c5cafd3c4c457d641dc201cf92b86ef80ae0e151ea11507"; + }; + }; + workflow-job = mkJenkinsPlugin { + name = "workflow-job"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-job/1284.v2fe8ed4573d4/workflow-job.hpi"; + sha256 = "c1eda23a02c4599b209901cd8340bc705e472432a73337b8d6e01b329ca3f3f2"; + }; + }; + workflow-multibranch = mkJenkinsPlugin { + name = "workflow-multibranch"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-multibranch/733.v109046189126/workflow-multibranch.hpi"; + sha256 = "539e0d6a50f840af044ee4976b2e027b6ac4947d45a371c32a2352259f28a2d9"; + }; + }; + workflow-scm-step = mkJenkinsPlugin { + name = "workflow-scm-step"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-scm-step/400.v6b_89a_1317c9a_/workflow-scm-step.hpi"; + sha256 = "c0ed89da3228bfa5215b6a1724ca4a76dbbe2b939d8c4efdaa6a5a976a3145ed"; + }; + }; + workflow-step-api = mkJenkinsPlugin { + name = "workflow-step-api"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-step-api/639.v6eca_cd8c04a_a_/workflow-step-api.hpi"; + sha256 = "e297994ef4892b292fed850431cafe5a687fe64fbb9ddf9b7938d2b74db81763"; + }; + }; + 
workflow-support = mkJenkinsPlugin { + name = "workflow-support"; + src = fetchurl { + url = "https://updates.jenkins-ci.org/download/plugins/workflow-support/839.v35e2736cfd5c/workflow-support.hpi"; + sha256 = "3fe54cab155ad9bac49d3a98df1377f5795f8acf556f829ac48b32f5567c02bd"; + }; + }; + } \ No newline at end of file diff --git a/nixos/jenkins/update-plugins.sh b/nixos/jenkins/update-plugins.sh new file mode 100755 index 0000000..902b838 --- /dev/null +++ b/nixos/jenkins/update-plugins.sh @@ -0,0 +1,14 @@ +#!/bin/sh +set -e +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +PLUGINS_NIX="${SCRIPT_DIR}/plugins.nix" +echo "Updating ${PLUGINS_NIX}" +set -x +nix run github:Fuuzetsu/jenkinsPlugins2nix -- \ + -p github-api \ + -p git \ + -p github-branch-source \ + -p workflow-aggregator \ + -p ssh-slaves \ + -p configuration-as-code \ + > ${PLUGINS_NIX} diff --git a/secrets/jenkins-github-app-privkey.age b/secrets/jenkins-github-app-privkey.age new file mode 100644 index 0000000..fea9b33 Binary files /dev/null and b/secrets/jenkins-github-app-privkey.age differ diff --git a/secrets/jenkins-ssh-privkey.age b/secrets/jenkins-ssh-privkey.age new file mode 100644 index 0000000..ce2c070 --- /dev/null +++ b/secrets/jenkins-ssh-privkey.age 
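Review bot: `nix run github:Fuuzetsu/jenkinsPlugins2nix` resolves to whatever the third-party repository's default branch holds at run time, and its output fixes the URL and sha256 of every plugin Jenkins will load, so the generator should be pinned to a reviewed revision, e.g. `nix run github:Fuuzetsu/jenkinsPlugins2nix/<PINNED_COMMIT_SHA> -- \`. The script also redirects straight into `plugins.nix`, which truncates the file before the generator has succeeded; writing to a temporary file and moving it into place on success (`> "${PLUGINS_NIX}.tmp" && mv "${PLUGINS_NIX}.tmp" "${PLUGINS_NIX}"`) avoids leaving an empty or partial plugin set behind. Finally, the `#!/bin/sh` shebang does not match the body: `${BASH_SOURCE[0]}` and `&>` are bash features, so `#!/usr/bin/env bash` is the safer interpreter line.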
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-rsa sNTFlg +debFJnMQu6VYOy3GKosgCg3+qoc/9E2Al1jmOfrYCdir/0MVRBYEDgmSzB2SJll4 +65Poa9RZqBpPZ2g6xTKpa7VotQxhdGDWa0GXLyj8JawqCg7slBSMhp/ixw8bY7jA +W0M+pfCBhgebhl/77CHcPuM+ZJ5SyTaRh2tgDKaTEOcHvvh6E+TVlIn45gUuzx+b +TAaAgzYyHG56MCwF054easEkss/cdQaIz02rlWqgJYDf0SGd1IjCaiQl8f+ZgM4j +W8mgmaOqKTtsgh+ykqoFP6tbV5+L3AelbZ3cYi/0dDCk2k6SRy1O8i6wbUMvmrQI +N+N/YdecVkWynIePujLQLQ +-> ssh-ed25519 96IXNQ 6kNGDSEsoEV42FKppOrHmsLbt1lTv1Th0V3Y/62FAys +8TiQJnkvER6stps/B9H4+wH2ZbRFLWnAJLJNiuKS4lU +-> ssh-ed25519 Zqspmg bCy5N9RCiE5PMGmxfhQPxoArq+OmvHEagiyuRM3ZryE +zW056z0XFGm06Sx158vnhwLagTn0og8tN5WQYOyHFGA +-> ^kTdp*-grease w $063GJO# &'? :#x +1mlqmNmBfDGFqH9v82rSxBDq2oDOTqQGQQ/pL/0PfBufbXqKMcjX4F8xhXaacBr1 +wrKLiA +--- DPmB1o/bO+UXSiPm/SEPKZOuGy7JE2I08SuZWQMb8mc +pgGqu΂5zYD+;qTH6ZVNBO#0&cpjSuH.N!He6U N7'sil׎'6d"$r2\Ӂf6C + :a[فtLaؓ{җ"߿1 ^^r?&Hqnr)&o~_5?N<.-CۚKJFHcm|ScMVR@/u<3iDpuFIՃr|A./aaD Į~yqP[]srbOП%pV:6”PZ}h7}'nV8poFY*EYu_Mv3wMmMdX \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 16c4217..03186a8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -9,4 +9,8 @@ in # agenix -r -i =(op read 'op://Personal/id_rsa/private key') { "cache-priv-key.age".publicKeys = keys; + "jenkins-ssh-privkey.age".publicKeys = keys; + "jenkins-github-app-privkey.age".publicKeys = keys; + "srid-cachix-auth-token.age".publicKeys = keys; + "srid-docker-pass.age".publicKeys = keys; } diff --git a/secrets/srid-cachix-auth-token.age b/secrets/srid-cachix-auth-token.age new file mode 100644 index 0000000..d686402 Binary files /dev/null and b/secrets/srid-cachix-auth-token.age differ diff --git a/secrets/srid-docker-pass.age b/secrets/srid-docker-pass.age new file mode 100644 index 0000000..01d53e5 --- /dev/null +++ b/secrets/srid-docker-pass.age 
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-rsa sNTFlg +M9Dt+kUeZ6dbQ8a/cOpZSXgw5dATlt5G4jE2on2rS0K+IGteHvq5bPkYSH9dWeIr +giT3LM8FARKLsXgGOxsIxu0bgwUmp2qoc1fMaDroW7wVwFL+ly8Dl1a9of4V8XC2 +8/K/Mm2HubZJe3L/15u2CQ6IDH5JoZF+ckV/mA4G56CCByjAkn/KVwynuqNeLWq7 +iczpuDbI9re/nChLXZ4Gm/nCl9iwFfSwaZIBAeeKiJ9vJPOFJOiSj8l8OUlNHpyl +3Uj/AeFgxpmjJvuaZjRAjuikeIVNDQpW3xslx2+lKP8K78fv0/ZELzhJYY0m3qEx +8ooqYf7Qg3pAjx9/QuxzOw +-> ssh-ed25519 96IXNQ fN4mSlev/oFwGFB25V+PLAhdQVQYzOftPdNwgJv/2FA +TEYYqD14vgIkj6yP1bKkrSpmkrq8wJoR/Y9ooBRZSgo +-> ssh-ed25519 Zqspmg br8SoJ3Fp5AogfTVWXOk0r4gkjnNYPx6lz7gwVxD41E +nCkvAGK2lD69n05sGQ2ouGgPsiFd7cnrFh7uJ+nzsC8 +-> d.p/,a}J-grease +DoAgE6jK3hDAAlqvG+SSJiO4SG0X7Qi4KSqvwvDd6EiDKOrBTYl20k1vKa6tXJ+0 +MHEGNxUSiNmuApzthOo99U9sCCUxJ/i3lI9tz9PpYDr0p71/HnxUMhg0EW4 +--- LevtDUV5O/eoOQLCyfFA0OVgKpognIa+UhwV96l6XhM +3K\I2u[偳}=M-ҝ"2;[՚rةW1j+ ¤URKn \ No newline at end of file