Use jenkins-nix-ci

This commit is contained in:
Sridhar Ratnakumar 2023-03-27 12:59:10 -04:00
parent a3cccbf351
commit e28655f58e
5 changed files with 532 additions and 171 deletions

9
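--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+- &admin_srid age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan
+- &server_pce age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep
+creation_rules:
+- path_regex: secrets.yaml$
+key_groups:
+- age:
+- *admin_srid
+- *server_pce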
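Review bot: The creation rule's `path_regex: secrets.yaml$` is anchored only at the end and leaves the `.` unescaped, so any future file whose path ends in `secrets.yaml` (a `home/secrets.yaml`, a `mysecrets.yaml`) is silently encrypted to the same two recipients instead of failing until a rule is written for it. Since flake.nix in this commit points `sops.defaultSopsFile` at the single root file, `- path_regex: '^secrets\.yaml$'` (with `^` valid for sops versions that match relative to the directory holding .sops.yaml, otherwise just `'secrets\.yaml$'`) pins the rule to exactly that file. Recipient `server_pce` is presumably the pce host's SSH host key converted with ssh-to-age; a comment above each anchor naming the machine or person holding the private key would help when a key has to be rotated and the file re-encrypted. Indentation is not preserved in this view, so the nesting under `creation_rules` is assumed.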

481
flake.lock generated

@ -72,6 +72,26 @@
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_5",
"utils": "utils_3"
},
"locked": {
"lastModified": 1674127017,
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"ema": {
"flake": false,
"locked": {
@ -165,6 +185,54 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1606424373,
"narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1606424373,
"narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
@ -223,6 +291,24 @@
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_4"
},
"locked": {
"lastModified": 1678379998,
"narHash": "sha256-TZdfNqftHhDuIFwBcN9MUThx5sQXCTeZk9je5byPKRw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c13d60b89adea3dc20704c045ec4d50dd964d447",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_5": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_5"
},
"locked": {
"lastModified": 1672877861,
"narHash": "sha256-ROnSmsk5grROL6gnHBnSdqlPPBrBJMApCeB7xzY567M=",
@ -252,6 +338,36 @@
"type": "github"
}
},
"flake-root_2": {
"locked": {
"lastModified": 1671378805,
"narHash": "sha256-yqGxyzMN2GuppwG3dTWD1oiKxi+jGYP7D1qUSc5vKhI=",
"owner": "srid",
"repo": "flake-root",
"rev": "dc7ba6166e478804a9da6881aa48c45d300075cf",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "flake-root",
"type": "github"
}
},
"flake-root_3": {
"locked": {
"lastModified": 1671378805,
"narHash": "sha256-yqGxyzMN2GuppwG3dTWD1oiKxi+jGYP7D1qUSc5vKhI=",
"owner": "srid",
"repo": "flake-root",
"rev": "dc7ba6166e478804a9da6881aa48c45d300075cf",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "flake-root",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
@ -282,6 +398,36 @@
"type": "github"
}
},
"flake-utils_3": {
"locked": {
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1668167720,
@ -371,6 +517,71 @@
"type": "github"
}
},
"jenkins-nix-ci": {
"inputs": {
"deploy-rs": "deploy-rs",
"flake-parts": "flake-parts_4",
"flake-root": "flake-root_3",
"jenkinsPlugins2nix": "jenkinsPlugins2nix",
"nixos-flake": "nixos-flake",
"nixpkgs": "nixpkgs_7",
"sops-nix": "sops-nix"
},
"locked": {
"lastModified": 1679934843,
"narHash": "sha256-qSaNkqgKgyieNUw7pV6OFZsoZEhYrkZlTeioXeCE13g=",
"owner": "juspay",
"repo": "jenkins-nix-ci",
"rev": "87e1cdd42bd23642337647af6547bf78b03b17f5",
"type": "github"
},
"original": {
"owner": "juspay",
"ref": "flake-module",
"repo": "jenkins-nix-ci",
"type": "github"
}
},
"jenkinsPlugins2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1629079129,
"narHash": "sha256-OKNtUKjANDK0wEFypSsHuJuolg76OYEVPsNAwUBbLS4=",
"owner": "Fuuzetsu",
"repo": "jenkinsPlugins2nix",
"rev": "fabb57351f23a6d458a638510b926d4c3f452ec2",
"type": "github"
},
"original": {
"owner": "Fuuzetsu",
"repo": "jenkinsPlugins2nix",
"type": "github"
}
},
"jenkinsPlugins2nix_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1629079129,
"narHash": "sha256-OKNtUKjANDK0wEFypSsHuJuolg76OYEVPsNAwUBbLS4=",
"owner": "Fuuzetsu",
"repo": "jenkinsPlugins2nix",
"rev": "fabb57351f23a6d458a638510b926d4c3f452ec2",
"type": "github"
},
"original": {
"owner": "Fuuzetsu",
"repo": "jenkinsPlugins2nix",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
@ -437,9 +648,9 @@
},
"nix-serve-ng": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_5",
"utils": "utils_3"
"flake-compat": "flake-compat_5",
"nixpkgs": "nixpkgs_10",
"utils": "utils_4"
},
"locked": {
"lastModified": 1669427214,
@ -456,6 +667,21 @@
}
},
"nixos-flake": {
"locked": {
"lastModified": 1679404711,
"narHash": "sha256-RNrCfkA9yGhuy3HrXY9NZsUg6yu8qcxwPoc9o9NwiI0=",
"owner": "srid",
"repo": "nixos-flake",
"rev": "0d1ae4383d9bc18fcd3857917616188f6ae61ff4",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "nixos-flake",
"type": "github"
}
},
"nixos-flake_2": {
"locked": {
"lastModified": 1679328115,
"narHash": "sha256-LHd+h6YY7ftxn8DpTjHLfsjh477KiGsD6ddulUpTvNQ=",
@ -487,7 +713,7 @@
},
"nixos-shell": {
"inputs": {
"nixpkgs": "nixpkgs_6"
"nixpkgs": "nixpkgs_11"
},
"locked": {
"lastModified": 1646257415,
@ -590,6 +816,24 @@
}
},
"nixpkgs-lib_4": {
"locked": {
"dir": "lib",
"lastModified": 1678375444,
"narHash": "sha256-XIgHfGvjFvZQ8hrkfocanCDxMefc/77rXeHvYdzBMc8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "130fa0baaa2b93ec45523fdcde942f6844ee9f6e",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib_5": {
"locked": {
"dir": "lib",
"lastModified": 1672350804,
@ -609,8 +853,8 @@
},
"nixpkgs-match": {
"inputs": {
"flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_8"
"flake-parts": "flake-parts_5",
"nixpkgs": "nixpkgs_13"
},
"locked": {
"lastModified": 1672924430,
@ -626,6 +870,117 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1679748960,
"narHash": "sha256-BP8XcYHyj1NxQi04RpyNW8e7KiXSoI+Fy1tXIK2GfdA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "da26ae9f6ce2c9ab380c0f394488892616fc5a6a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1679748960,
"narHash": "sha256-BP8XcYHyj1NxQi04RpyNW8e7KiXSoI+Fy1tXIK2GfdA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "da26ae9f6ce2c9ab380c0f394488892616fc5a6a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_10": {
"locked": {
"lastModified": 1669391192,
"narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_11": {
"locked": {
"lastModified": 1628465643,
"narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6ef4f522d63f22b40004319778761040d3197390",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs_12": {
"locked": {
"lastModified": 1678819893,
"narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7067edc68c035e21780259ed2d26e1f164addaa2",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_13": {
"locked": {
"lastModified": 1672756850,
"narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "298add347c2bbce14020fcb54051f517c391196b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_14": {
"locked": {
"lastModified": 1679734080,
"narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dbf5322e93bcc6cfc52268367a8ad21c09d76fea",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 0,
@ -672,42 +1027,43 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1669391192,
"narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=",
"lastModified": 1671417167,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473",
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1628465643,
"narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=",
"lastModified": 1622516815,
"narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6ef4f522d63f22b40004319778761040d3197390",
"rev": "7e9b0dff974c89e070da1ad85713ff3c20b0ca97",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
"owner": "NixOS",
"ref": "21.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1678819893,
"narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=",
"lastModified": 1679172431,
"narHash": "sha256-XEh5gIt5otaUbEAPUY5DILUTyWe1goAyeqQtmwaFPyI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7067edc68c035e21780259ed2d26e1f164addaa2",
"rev": "1603d11595a232205f03d46e635d919d1e1ec5b9",
"type": "github"
},
"original": {
@ -719,20 +1075,36 @@
},
"nixpkgs_8": {
"locked": {
"lastModified": 1672756850,
"narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=",
"owner": "nixos",
"lastModified": 1679734080,
"narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "298add347c2bbce14020fcb54051f517c391196b",
"rev": "dbf5322e93bcc6cfc52268367a8ad21c09d76fea",
"type": "github"
},
"original": {
"owner": "nixos",
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_9": {
"locked": {
"lastModified": 1622516815,
"narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7e9b0dff974c89e070da1ad85713ff3c20b0ca97",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "21.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-utils": "flake-utils_2",
@ -763,19 +1135,61 @@
"emacs-overlay": "emacs-overlay",
"emanote": "emanote",
"flake-parts": "flake-parts_2",
"flake-root": "flake-root_2",
"hci": "hci",
"home-manager": "home-manager",
"jenkins-nix-ci": "jenkins-nix-ci",
"jenkinsPlugins2nix": "jenkinsPlugins2nix_2",
"nix-darwin": "nix-darwin_2",
"nix-serve-ng": "nix-serve-ng",
"nixos-flake": "nixos-flake",
"nixos-flake": "nixos-flake_2",
"nixos-hardware": "nixos-hardware",
"nixos-shell": "nixos-shell",
"nixos-vscode-server": "nixos-vscode-server",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_12",
"nixpkgs-match": "nixpkgs-match",
"sops-nix": "sops-nix_2",
"zk-nvim": "zk-nvim"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_8",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1679799335,
"narHash": "sha256-YrnDyftm0Mk4JLuw3sDBPNfSjk054N0dqQx8FW4JqDM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4740f80ca6e756915aaaa0a9c5fbb61ba09cc145",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sops-nix_2": {
"inputs": {
"nixpkgs": "nixpkgs_14",
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1679799335,
"narHash": "sha256-YrnDyftm0Mk4JLuw3sDBPNfSjk054N0dqQx8FW4JqDM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4740f80ca6e756915aaaa0a9c5fbb61ba09cc145",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"treefmt-nix": {
"locked": {
"lastModified": 1672170030,
@ -836,6 +1250,21 @@
"type": "github"
}
},
"utils_4": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"zk-nvim": {
"flake": false,
"locked": {


@ -10,8 +10,12 @@
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
sops-nix.url = "github:Mic92/sops-nix";
nixos-hardware.url = "github:NixOS/nixos-hardware";
nixos-flake.url = "github:srid/nixos-flake";
jenkins-nix-ci.url = "github:juspay/jenkins-nix-ci/flake-module";
flake-root.url = "github:srid/flake-root";
jenkinsPlugins2nix.url = "github:Fuuzetsu/jenkinsPlugins2nix";
# nixos-flake.url = "path:/Users/srid/code/nixos-flake";
# CI server
@ -42,18 +46,35 @@
systems = [ "x86_64-linux" "aarch64-darwin" ];
imports = [
inputs.nixos-flake.flakeModule
inputs.jenkins-nix-ci.flakeModule
inputs.flake-root.flakeModule
./users
./home
./nixos
./nix-darwin
];
jenkins-nix-ci = {
domain = "jenkins.srid.ca";
plugins = [
"github-api"
"git"
"github-branch-source"
"workflow-aggregator"
"ssh-slaves"
"configuration-as-code"
];
plugins-file = "nixos/jenkins/plugins.nix";
};
flake = {
# Configurations for Linux (NixOS) systems
nixosConfigurations = {
pce = self.nixos-flake.lib.mkLinuxSystem {
imports = [
self.nixosModules.default # Defined in nixos/default.nix
self.nixosModules.jenkins-master
inputs.sops-nix.nixosModules.sops
./systems/hetzner/ax101.nix
./nixos/server/harden.nix
./nixos/docker.nix
@ -65,6 +86,7 @@
# domain = "cache.srid.ca";
# })
];
sops.defaultSopsFile = ./secrets.yaml;
};
};
@ -85,6 +107,8 @@
devShells.default = pkgs.mkShell {
buildInputs = [
pkgs.nixpkgs-fmt
pkgs.sops
pkgs.ssh-to-age
inputs'.agenix.packages.agenix
];
};
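Review bot: The inputs added in the first hunk (`sops-nix`, `jenkins-nix-ci`, `flake-root`, `jenkinsPlugins2nix`) carry no `inputs.nixpkgs.follows`, unlike `home-manager` two lines above them, and flake.lock in this commit accordingly gains second copies (`sops-nix_2`, `flake-root_3`, `jenkinsPlugins2nix_2`, plus separate `nixpkgs_7`/`nixpkgs_8`/`nixpkgs_14` pins), so the host closure is built from several nixpkgs revisions and a security fix has to land in each of them. Adding `jenkins-nix-ci.inputs.nixpkgs.follows = "nixpkgs";` and `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` (and the same for the other two, where the upstream flake exposes its inputs for override) collapses them onto the one pinned nixpkgs. `sops.defaultSopsFile = ./secrets.yaml;` copies the file into the world-readable store, which is fine only because it is ciphertext; a one-line comment saying so saves the next reader the question. The `agenix` input and `inputs'.agenix.packages.agenix` in the devShell remain although this commit removes the `age.secrets.*` consumers in the Jenkins module, so if nothing else in the tree uses agenix they can go too.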


@ -1,158 +1,16 @@
{ pkgs, config, ... }:
{ flake, ... }:
# TODO:
# - Build agents (SSH slave)
# - NixOS slave: container separation?
# - macOS slave (later)
let
# The port to run Jenkins on.
port = 9091;
# The domain in which Jenkins is exposed to the outside world through nginx.
domain = "jenkins.srid.ca";
# Config for configuration-as-code-plugin
#
# This enable us to configure Jenkins declaratively rather than fiddle with
# the UI manually.
# cf:
# https://github.com/mjuh/nixos-jenkins/blob/master/nixos/modules/services/continuous-integration/jenkins/jenkins.nix
cascConfig = {
credentials = {
system.domainCredentials = [
{
credentials = [
{
basicSSHUserPrivateKey = {
id = "ssh-privkey";
username = "jenkins";
privateKeySource.directEntry.privateKey =
casc.readFile config.age.secrets.jenkins-ssh-privkey.path;
};
}
{
# Instructions for creating this Github App are at:
# https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc#configuration-as-code-plugin
githubApp = {
appID = "307056"; # https://github.com/apps/jenkins-srid
description = "Github App - jenkins-srid";
id = "github-app";
privateKey = casc.readFile config.age.secrets.jenkins-github-app-privkey.path;
};
}
{
string = {
id = "cachix-auth-token";
description = "srid.cachix.org auth token";
secret = casc.json "value" (casc.readFile config.age.secrets.srid-cachix-auth-token.path);
};
}
{
string = {
id = "docker-pass";
description = "sridca Docker password";
secret = casc.json "value" (casc.readFile config.age.secrets.srid-docker-pass.path);
};
}
];
}
];
};
jenkins = {
numExecutors = 6;
securityRealm = {
local = {
allowsSignup = false;
};
};
/*
nodes = [
{
permanent = {
name = "jenkins-agent-contaiiner";
remoteFS = "/var/lib/jenkins/";
launcher.ssh = {
host = "undefined";
port = 22;
};
};
}
];
*/
};
unclassified.location.url = "https://${domain}/";
};
# Functions for working with configuration-as-code-plugin syntax.
# https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#additional-variable-substitution
casc = {
readFile = path:
"$" + "{readFile:" + path + "}";
json = k: x:
"$" + "{json:" + k + ":" + x + "}";
};
in
{
imports = [
./docker.nix
];
services.jenkins.extraGroups = [ "docker" ];
age.secrets.jenkins-ssh-privkey = {
owner = "jenkins";
file = ../secrets/jenkins-ssh-privkey.age;
};
age.secrets.jenkins-github-app-privkey = {
owner = "jenkins";
file = ../secrets/jenkins-github-app-privkey.age;
};
age.secrets.srid-cachix-auth-token = {
owner = "jenkins";
file = ../secrets/srid-cachix-auth-token.age;
};
age.secrets.srid-docker-pass = {
owner = "jenkins";
file = ../secrets/srid-docker-pass.age;
};
services.jenkins = {
enable = true;
inherit port;
environment = {
CASC_JENKINS_CONFIG =
builtins.toString (pkgs.writeText "jenkins.json" (builtins.toJSON cascConfig));
};
packages = with pkgs; [
# Add packages used by Jenkins plugins here.
git
bash # 'sh' step requires this
coreutils
which
nix
cachix
docker
];
# ./jenkins/update-plugins.sh
plugins = import ./jenkins/plugins.nix {
inherit (pkgs) fetchurl stdenv;
};
extraJavaOptions = [
# Useful when the 'sh' step b0rks.
# https://stackoverflow.com/a/66098536/55246
"-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true"
];
};
# To allow the local node to run as builder, supporting nix builds.
# This should not be necessary with external build agents.
nix.settings.allowed-users = [ "jenkins" ];
nix.settings.trusted-users = [ "jenkins" ];
services.nginx = {
virtualHosts.${domain} = {
virtualHosts.${flake.config.jenkins-nix-ci.domain} = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString port};
proxy_pass http://localhost:${toString flake.config.jenkins-nix-ci.port};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
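Review bot: The reverse-proxy block kept on the new side forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but not the scheme, so Jenkins behind this TLS-terminating nginx builds http:// self-URLs and its reverse-proxy check warns; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the other headers. `proxy_pass http://localhost:${toString flake.config.jenkins-nix-ci.port}` resolves `localhost` when nginx starts and, where it yields both `::1` and `127.0.0.1`, some requests cost a refused connect before failover if Jenkins listens on IPv4 only; `127.0.0.1` is the safer target unless the module is known to bind both. `port` is read from `flake.config.jenkins-nix-ci` although flake.nix in this commit sets only `domain`, `plugins` and `plugins-file`, so it presumably comes from the module's default — a comment on the virtualHost saying where `domain` and `port` are defined would help. The attribute set opened by `{ flake, ... }:` closes outside the visible hunk.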

41
secrets.yaml Normal file

@ -0,0 +1,41 @@
jenkins-nix-ci:
cachix-auth-token:
description: ENC[AES256_GCM,data:hQY1vf8vZOZDwCuNOe0G6AKFyEtY0mF/oGA=,iv:lCWFjd+0yoGMZPKsRaFOHvdNzPJKbSQpz/Py+j8JKso=,tag:4Dm3JscWDqJc9yqP0r/3RA==,type:str]
secret: ENC[AES256_GCM,data:evRAdPnirloK9knQkZLMXGKgNzjrZUXBPc1idCYRry3hTt0f70Y6PWluX9owyWhRoxVAbPAt6/8tEfnICsZSbvQsuBsMPQ5WNWfuNgO+yiGuaWuM8LJ78VKAuaYFmWHjR9MCOycRFAr5tgPtb9vhNEUGgrCHLPEhVLdb5kPz3U+QhwmQpc5HMuLnP2K8WJXajAOTHpY=,iv:Re3z9NZ1EdwXfGDjG7KEXOogPIdtZrmSf9plfqRaS3A=,tag:dSm18mst/5iRWpAu1jipFw==,type:str]
docker-login:
description: ENC[AES256_GCM,data:QuhV50TZWO+791XIoZbHHPY/QAVd5afPdacUyXLABQw=,iv:Al6ubEaXMOjvFKxh1rbrT621ZEMqG12E6pFDx4tZZok=,tag:F04n/T9/ZoX6PFHr76b0kg==,type:str]
user: ENC[AES256_GCM,data:sR9lVeb4,iv:QRdHIr+R5FV96U1uYCfq2Cezq3apvGPlB90EplLWXec=,tag:aoaC8wmpzJr4stp0HM8ZXQ==,type:str]
pass: ENC[AES256_GCM,data:297e7NEKjyzNXRlv3f+uGyKu,iv:LxcaCG4Tz1xbfr9VJ3suQSnemZFHK7hHRSwrfnM44iY=,tag:GLHHpjHcU4rJ1h/WTG83CA==,type:str]
github-app:
appID: ENC[AES256_GCM,data:WmR2IH9X,iv:S/1+XqfQ68rr8ia7bXGDZ/hVWi1t0Y3JQVYLyvJp26c=,tag:0+a0Es5h8eklkHR39H/rzQ==,type:str]
description: ENC[AES256_GCM,data:C1swvIs+o/nALqbZ3mvnq7IeupIDTvFmEA==,iv:QpMN3VuuAkehGcvFxEPYyHoILIdJHhkuHxhQi7dQY8g=,tag:1H02Z5PimzSq6rsj/h5SQA==,type:str]
privateKey: ENC[AES256_GCM,data:QH6r9TXHFjAPlHhSmY8ZvHESnDyAFsrLDqBkEb0CjnDPF2dPRUYzM6xec6JLKxiK1a/y2El0moOuZJlPkbS9HHuJpmyUSoVL35Q/B9wV79/uhQ+O+6ngCo+WYFELX5VnjSFzBdUphSmO8QCrT4MwEz3NEGai2joVjn12xTo8US2aCZAsFj03D2qVZgmtdVwXjrOf/nNkoOW8sYMWqfQ5ZsKQAqU3PbfqqWinKPc7+r1rx0fBmhzVHBcEjeUkgdeh1WwLZyUqju3u+mY1F8izz1bhXK+5CeIdjdnwJXdvbab77ZowuzssENk8xowlvPxp+pvIhWBz99WSu+fegwJEEsibn0iIG13nw2XJnzWk5q2WVSqoKXr+phKWlZRDdf6dLXJjCdBbgOpQ3BMgyNiqqi0UsL6Sx5p/Xf8y6VejxnQnzdSp9Cng2NJ2yQNAlbY9G9e0biqrXbb2Uoo3qL0PcnJPa5Ny8HbJrrC5zUd9Ylrg0moeY1cv25vMSkolLUqjZzW1INpcSCcUT3BSdYEoa9JSIccGNaFV0u8jf9XoMBrkj5UT9YgASxmr98oBOhigImkL/uS8CiJP13EP75581GhgqnPlYVgkeAStcVxDrPMWLyxxjpc7fOMTtX+pqenFZjJO94SxI4/QMIEDdfVat6/BK4F+8DlHtZZt1gbpU9R1H5XmkPCcGQBwv0SpKkyq8r7FdDSjPq97mu7D2x8llKG6xi2S4PjZ68fd5zcyXCjD0UtwtzJMajsLvTLwnArnC2ioi0DpxqotXgh3/0q+ucPxNCdCqcwfOwweSm5hBAjIfF0ybKzaZe7dMUmutdi7OaiKxuvcJ/EGOBRzATUXUrdIO/dsynxcLqN4b39hxQR8PPJJ07ydyWqqSujjRHw1eQQXmu9Bx3YQdsMZS+b0wbezdd8BZ0aQlkftUXIlTUCWV7jNXLH2pBzHjh4laA4JfpDagzztUd8GDmmWfd4upHHgXIKU++vYQDBojbP+RiDu2Ipj03RPfePpBgSSCTJQPcnEYkI1w5acao7+DFC9uHb3WYWFv3/Ahk8mNNu063ergF95sfSA/uKE8YPOLp4NCa48CrrFiA6Gizo21ECNT28OV3YfIXP2jrQQIsDoaKAAH9fSwGdDyy8i63HXaduPw5eCtDg3IUZj25s7MEGpVPNO79RT2Ml0fkzu3jW0qo2V6DZMNouQSYZDJMK7UGqKK7o9eALzZpZ09t52jvBnUQtIXiqPAt3pUckxaIU5o/7Yh0xQ97vcj7kQtu+OaBba5EDxm8Bl3YoW5G/hmuK6EHeFFRVSJqvuetpttNI/dFeqmBI+YEwuQpULy3G89h2QgJXVgWciHuokYqqfaGwZ9u2Ot1HhMyJuiMi5IhL5WfyIK/gJlcMnFy8VQ7iGcIIbB1HBP7UCQytsaieBAtDjVRO9zhxAkmNvBJrq7DXpIdvzilcRc/F8Ca2fxTmNEtBVH29ZMvgbfOnEz/cUb57jAhFn/Es3pel0eY2IwaG+eQldp4Kh9M998Fgq1yhU+xxKtpObOznWZtjyoUczS7YB6WQfFzliPXDmNwgynWM1AeBbwJ5T7wEH412Bx3lNkWtMpdDYqv+QJ+HYQdr6f7CT9hLaK2I5QoSdMBvWGrDRP/GkMx0gkYndWzPhz7xdCrgAD0izfOPqdgAH2wUs1Yre27RNIijkg5FEDuDD6zyug09pXeXpofNwgjCyCMeKpd/E/JkfDedcOrrAgHpBIAbnYq8MSD7lz0QZlRLcP1+oN46m0pqF1TqvWgc6vNkpUwXWHGXcuHkJ8G0cgfmHewS4B3sqiLmrNtu2K4WfbRg/88hFcIMnBGIkNff2X01iPLoXtc6isVWowf6WpshlXFBjRov0QXsXO4SYlVRwsXEzZPd7Wbdp1Bam/rwcTg9fDn+nlQ4t5y7lIe8KeCva1Y+mQ43sozaqh9iCXAojN62gmTD/cpJS
QZT8icKhFOwh610Yq/WWnc+8sh0AIza7jwCMcE8r5e/4FSNjtS+ZJ4fuyn2J+wrULj6vdE/P9NItDHXFM3QihKVABFzexT/CmfS//8GnO8qG2cF/DJpchL15isfc2IVAI9cou1hs1sIxK+/K9paCqPex3WDUipAWawimwMdKLkMceDiW3qoIbRz2GlV7bXX76N/4xxRj9O8ISp32CjOaIXXrb0fqzhuwvG6BT2ru6+aLGGbFS0AxS/y8KYaYLcCwvlT0qk1o0W59c73TMyavvLirj9C8/rWBUCl6oTAtfnS/1Qej,iv:tRTD+S6OWCFa3Qt49QD43ilWl2C+7J439rWhpeR3y7M=,tag:atq1eoV0072dIK0/FFvw/Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeTNDemZrSnlCNUo5RnZ4
QjJSM2xXRktqM08xUS9HMVVRSDRnRnEzSXlVCkZoS3F5QkE0NGl0aDdPN0V5bjhZ
RC94YUNGd2k3enNnNFB4Vkd4WUZmQVkKLS0tIDNOa2Fmc3U3aDdDNGcvdU90YkRS
cjRSSk4vaXRoWTJsZVI4NEl6MWJRMEEKq8gdNGFBfA8Yc6Pkm3BnHTni+mar2eSB
Arrjfw2QPUiSnlko9bU7DkC9vfPfVq4YRfpz0yHbomg4Jn7C7j2qZA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsK3l2bG9uU3RVdjFzNFIw
c21QS2o4aXZvbG5WTGthNUFrWDZxNEtwTWo0CnB0KzB1T2o2NFkrcFVKT01iRWR1
MVdjMVJOMm1qRE1iSHptdWduemw5aUUKLS0tIDF4QWxIRWNsbFRZbjRJTmxrRHYx
emg4aVZsMHNWOHgvcFM0ZDY5cllIMFUKN0ty9yucC/LxZIUdUo6ooF5QCbMR9c/G
zcuiXvN1wM5bd4zNO3X0g9t3x6j6/VyGbw5j0srSW0tJOFhXq8Zlsw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-27T16:42:41Z"
mac: ENC[AES256_GCM,data:8h6PK4ftPwmXZoYDDQ6MjNZaRdz/3RhMAw1JTcu2jjLwbH8ekKyEUMxjZV/4Ux7T9Yb5JrJ5HLG+BoQQ++xT/X+WchTlVLkUvoY3vGx49MHY2Gg4nh6JwVYn59rA4TtJirDrK5PgtWf3I3pvOpG1GvI5cpezRLIplLJkOUZNLAE=,iv:Y4gPpuNhDV0lQdJzkxtbtRVCxtxwOSg0NRYdvfE5UHQ=,tag:Ef4C6eLOkObUkCd6Gh0X+g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3