From e28655f58ea42d7e32f18de3aa978464afa3b825 Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Mon, 27 Mar 2023 12:59:10 -0400
Subject: [PATCH] Use jenkins-nix-ci
---
 .sops.yaml | 9 +
 flake.lock | 481 +++++++++++++++++++++++++++++++++++++++++++---
 flake.nix | 24 +++
 nixos/jenkins.nix | 148 +-------------
 secrets.yaml | 41 ++++
 5 files changed, 532 insertions(+), 171 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..adc5d6f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_srid age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan
+ - &server_pce age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *admin_srid
+ - *server_pce
diff --git a/flake.lock b/flake.lock
index 094cf88..5083d43 100644
--- a/flake.lock
+++ b/flake.lock
@@ -72,6 +72,26 @@
 "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_5", + "utils": "utils_3" + }, + "locked": { + "lastModified": 1674127017, + "narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "ema": { "flake": false, "locked": {
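Review bot: Neither age recipient in the new `.sops.yaml` records where it comes from; the anchor names suggest `admin_srid` is a personal key and `server_pce` the pce host's key, presumably derived from its SSH host key with `ssh-to-age` (which the devShell in flake.nix now ships), but nothing says so. A comment per line, e.g. `# pce: age recipient derived from the host's ed25519 SSH host key (ssh-to-age)` and `# admin workstation key`, would tell the next person which key has to be regenerated after a host rebuild and that `sops updatekeys secrets.yaml` must then be re-run. `path_regex: secrets.yaml$` is anchored only at the end, so any future `*secrets.yaml` in the tree would also be encrypted to these two recipients; if only the root file is intended, `^secrets\.yaml$` (sops matches paths relative to this file, as far as I recall) is tighter.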
@@ -165,6 +185,54 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1606424373, + "narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1606424373, + "narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -223,6 +291,24 @@ "inputs": { "nixpkgs-lib": "nixpkgs-lib_4" }, + "locked": { + "lastModified": 1678379998, + "narHash": "sha256-TZdfNqftHhDuIFwBcN9MUThx5sQXCTeZk9je5byPKRw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c13d60b89adea3dc20704c045ec4d50dd964d447", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_5" + }, "locked": { "lastModified": 1672877861, "narHash": "sha256-ROnSmsk5grROL6gnHBnSdqlPPBrBJMApCeB7xzY567M=", 
@@ -252,6 +338,36 @@ "type": "github" } }, + "flake-root_2": { + "locked": { + "lastModified": 1671378805, + "narHash": "sha256-yqGxyzMN2GuppwG3dTWD1oiKxi+jGYP7D1qUSc5vKhI=", + "owner": "srid", + "repo": "flake-root", + "rev": "dc7ba6166e478804a9da6881aa48c45d300075cf", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "flake-root", + "type": "github" + } + }, + "flake-root_3": { + "locked": { + "lastModified": 1671378805, + "narHash": "sha256-yqGxyzMN2GuppwG3dTWD1oiKxi+jGYP7D1qUSc5vKhI=", + "owner": "srid", + "repo": "flake-root", + "rev": "dc7ba6166e478804a9da6881aa48c45d300075cf", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "flake-root", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1667395993, @@ -282,6 +398,36 @@ "type": "github" } }, + "flake-utils_3": { + "locked": { + "lastModified": 1623875721, + "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1623875721, + "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "haskell-flake": { "locked": { "lastModified": 1668167720, 
@@ -371,6 +517,71 @@ "type": "github" } }, + "jenkins-nix-ci": { + "inputs": { + "deploy-rs": "deploy-rs", + "flake-parts": "flake-parts_4", + "flake-root": "flake-root_3", + "jenkinsPlugins2nix": "jenkinsPlugins2nix", + "nixos-flake": "nixos-flake", + "nixpkgs": "nixpkgs_7", + "sops-nix": "sops-nix" + }, + "locked": { + "lastModified": 1679934843, + "narHash": "sha256-qSaNkqgKgyieNUw7pV6OFZsoZEhYrkZlTeioXeCE13g=", + "owner": "juspay", + "repo": "jenkins-nix-ci", + "rev": "87e1cdd42bd23642337647af6547bf78b03b17f5", + "type": "github" + }, + "original": { + "owner": "juspay", + "ref": "flake-module", + "repo": "jenkins-nix-ci", + "type": "github" + } + }, + "jenkinsPlugins2nix": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_6" + }, + "locked": { + "lastModified": 1629079129, + "narHash": "sha256-OKNtUKjANDK0wEFypSsHuJuolg76OYEVPsNAwUBbLS4=", + "owner": "Fuuzetsu", + "repo": "jenkinsPlugins2nix", + "rev": "fabb57351f23a6d458a638510b926d4c3f452ec2", + "type": "github" + }, + "original": { + "owner": "Fuuzetsu", + "repo": "jenkinsPlugins2nix", + "type": "github" + } + }, + "jenkinsPlugins2nix_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "lastModified": 1629079129, + "narHash": "sha256-OKNtUKjANDK0wEFypSsHuJuolg76OYEVPsNAwUBbLS4=", + "owner": "Fuuzetsu", + "repo": "jenkinsPlugins2nix", + "rev": "fabb57351f23a6d458a638510b926d4c3f452ec2", + "type": "github" + }, + "original": { + "owner": "Fuuzetsu", + "repo": "jenkinsPlugins2nix", + "type": "github" + } + }, "naersk": { "inputs": { "nixpkgs": [ @@ -437,9 +648,9 @@ }, "nix-serve-ng": { "inputs": { - "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_5", - "utils": "utils_3" + "flake-compat": "flake-compat_5", + "nixpkgs": "nixpkgs_10", + "utils": "utils_4" }, "locked": { "lastModified": 1669427214, 
@@ -456,6 +667,21 @@ } }, "nixos-flake": { + "locked": { + "lastModified": 1679404711, + "narHash": "sha256-RNrCfkA9yGhuy3HrXY9NZsUg6yu8qcxwPoc9o9NwiI0=", + "owner": "srid", + "repo": "nixos-flake", + "rev": "0d1ae4383d9bc18fcd3857917616188f6ae61ff4", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "nixos-flake", + "type": "github" + } + }, + "nixos-flake_2": { "locked": { "lastModified": 1679328115, "narHash": "sha256-LHd+h6YY7ftxn8DpTjHLfsjh477KiGsD6ddulUpTvNQ=", @@ -487,7 +713,7 @@ }, "nixos-shell": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_11" }, "locked": { "lastModified": 1646257415, @@ -590,6 +816,24 @@ } }, "nixpkgs-lib_4": { + "locked": { + "dir": "lib", + "lastModified": 1678375444, + "narHash": "sha256-XIgHfGvjFvZQ8hrkfocanCDxMefc/77rXeHvYdzBMc8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "130fa0baaa2b93ec45523fdcde942f6844ee9f6e", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib_5": { "locked": { "dir": "lib", "lastModified": 1672350804, @@ -609,8 +853,8 @@ }, "nixpkgs-match": { "inputs": { - "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_8" + "flake-parts": "flake-parts_5", + "nixpkgs": "nixpkgs_13" }, "locked": { "lastModified": 1672924430, 
@@ -626,6 +870,117 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1679748960, + "narHash": "sha256-BP8XcYHyj1NxQi04RpyNW8e7KiXSoI+Fy1tXIK2GfdA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "da26ae9f6ce2c9ab380c0f394488892616fc5a6a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1679748960, + "narHash": "sha256-BP8XcYHyj1NxQi04RpyNW8e7KiXSoI+Fy1tXIK2GfdA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "da26ae9f6ce2c9ab380c0f394488892616fc5a6a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_10": { + "locked": { + "lastModified": 1669391192, + "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { + "locked": { + "lastModified": 1628465643, + "narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6ef4f522d63f22b40004319778761040d3197390", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_12": { + "locked": { + "lastModified": 1678819893, + "narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7067edc68c035e21780259ed2d26e1f164addaa2", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_13": { + "locked": { + "lastModified": 1672756850, + "narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=", + "owner": "nixos", + "repo": "nixpkgs", + 
"rev": "298add347c2bbce14020fcb54051f517c391196b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_14": { + "locked": { + "lastModified": 1679734080, + "narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dbf5322e93bcc6cfc52268367a8ad21c09d76fea", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 0, 
@@ -672,42 +1027,43 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1669391192, - "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=", + "lastModified": 1671417167, + "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473", + "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "master", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_6": { "locked": { - "lastModified": 1628465643, - "narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=", + "lastModified": 1622516815, + "narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6ef4f522d63f22b40004319778761040d3197390", + "rev": "7e9b0dff974c89e070da1ad85713ff3c20b0ca97", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", - "type": "indirect" + "owner": "NixOS", + "ref": "21.05", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs_7": { "locked": { - "lastModified": 1678819893, - "narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=", + "lastModified": 1679172431, + "narHash": "sha256-XEh5gIt5otaUbEAPUY5DILUTyWe1goAyeqQtmwaFPyI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7067edc68c035e21780259ed2d26e1f164addaa2", + "rev": "1603d11595a232205f03d46e635d919d1e1ec5b9", "type": "github" }, "original": { 
@@ -719,20 +1075,36 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1672756850, - "narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=", - "owner": "nixos", + "lastModified": 1679734080, + "narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "298add347c2bbce14020fcb54051f517c391196b", + "rev": "dbf5322e93bcc6cfc52268367a8ad21c09d76fea", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1622516815, + "narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7e9b0dff974c89e070da1ad85713ff3c20b0ca97", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "21.05", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-utils": "flake-utils_2", 
@@ -763,19 +1135,61 @@ "emacs-overlay": "emacs-overlay", "emanote": "emanote", "flake-parts": "flake-parts_2", + "flake-root": "flake-root_2", "hci": "hci", "home-manager": "home-manager", + "jenkins-nix-ci": "jenkins-nix-ci", + "jenkinsPlugins2nix": "jenkinsPlugins2nix_2", "nix-darwin": "nix-darwin_2", "nix-serve-ng": "nix-serve-ng", - "nixos-flake": "nixos-flake", + "nixos-flake": "nixos-flake_2", "nixos-hardware": "nixos-hardware", "nixos-shell": "nixos-shell", "nixos-vscode-server": "nixos-vscode-server", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_12", "nixpkgs-match": "nixpkgs-match", + "sops-nix": "sops-nix_2", "zk-nvim": "zk-nvim" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_8", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1679799335, + "narHash": "sha256-YrnDyftm0Mk4JLuw3sDBPNfSjk054N0dqQx8FW4JqDM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "4740f80ca6e756915aaaa0a9c5fbb61ba09cc145", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix_2": { + "inputs": { + "nixpkgs": "nixpkgs_14", + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1679799335, + "narHash": "sha256-YrnDyftm0Mk4JLuw3sDBPNfSjk054N0dqQx8FW4JqDM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "4740f80ca6e756915aaaa0a9c5fbb61ba09cc145", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "treefmt-nix": { "locked": { "lastModified": 1672170030, @@ -836,6 +1250,21 @@ "type": "github" } }, + "utils_4": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "zk-nvim": { "flake": false, "locked": { 
diff --git a/flake.nix b/flake.nix
index 3309f90..f2ccfc5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,8 +10,12 @@
 home-manager.url = "github:nix-community/home-manager";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 agenix.url = "github:ryantm/agenix";
+ sops-nix.url = "github:Mic92/sops-nix";
 nixos-hardware.url = "github:NixOS/nixos-hardware";
 nixos-flake.url = "github:srid/nixos-flake";
+ jenkins-nix-ci.url = "github:juspay/jenkins-nix-ci/flake-module";
+ flake-root.url = "github:srid/flake-root";
+ jenkinsPlugins2nix.url = "github:Fuuzetsu/jenkinsPlugins2nix";
 # nixos-flake.url = "path:/Users/srid/code/nixos-flake";
 
 # CI server
@@ -42,18 +46,35 @@
 systems = [ "x86_64-linux" "aarch64-darwin" ];
 imports = [
 inputs.nixos-flake.flakeModule
+ inputs.jenkins-nix-ci.flakeModule
+ inputs.flake-root.flakeModule
 ./users
 ./home
 ./nixos
 ./nix-darwin
 ];
 
+ jenkins-nix-ci = {
+ domain = "jenkins.srid.ca";
+ plugins = [
+ "github-api"
+ "git"
+ "github-branch-source"
+ "workflow-aggregator"
+ "ssh-slaves"
+ "configuration-as-code"
+ ];
+ plugins-file = "nixos/jenkins/plugins.nix";
+ };
+
 flake = {
 # Configurations for Linux (NixOS) systems
 nixosConfigurations = {
 pce = self.nixos-flake.lib.mkLinuxSystem {
 imports = [
 self.nixosModules.default # Defined in nixos/default.nix
+ self.nixosModules.jenkins-master
+ inputs.sops-nix.nixosModules.sops
 ./systems/hetzner/ax101.nix
 ./nixos/server/harden.nix
 ./nixos/docker.nix
@@ -65,6 +86,7 @@
 # domain = "cache.srid.ca";
 # })
 ];
+ sops.defaultSopsFile = ./secrets.yaml;
 };
 };
 
@@ -85,6 +107,8 @@
 devShells.default = pkgs.mkShell {
 buildInputs = [
 pkgs.nixpkgs-fmt
+ pkgs.sops
+ pkgs.ssh-to-age
 inputs'.agenix.packages.agenix
 ];
 };
diff --git a/nixos/jenkins.nix b/nixos/jenkins.nix
index 0b2cc4d..334e951 100644
--- a/nixos/jenkins.nix
+++ b/nixos/jenkins.nix
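Review bot: The new inputs `sops-nix`, `jenkins-nix-ci`, `flake-root` and `jenkinsPlugins2nix` are added without an `inputs.nixpkgs.follows = "nixpkgs"` line, unlike `home-manager` two lines above, so the lock file now carries a separate nixpkgs per input (`nixpkgs_5` through `nixpkgs_14`), and `jenkinsPlugins2nix` in particular resolves to a nixpkgs pinned at `21.05` (`nixpkgs_9`, reached via `jenkinsPlugins2nix_2` in the root inputs). Anything built from that input that ends up on the server would come from an end-of-life release with no security updates; `jenkinsPlugins2nix.inputs.nixpkgs.follows = "nixpkgs";` and `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` (and the same for jenkins-nix-ci if its flake-module branch exposes that input) keep a single nixpkgs revision to audit. `jenkins-nix-ci.url` also tracks the `flake-module` branch rather than a tag or revision; the lock pins it for now, but a plain `nix flake update` will move it to whatever that branch holds, so a short comment saying the branch is tracked deliberately would help.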
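Review bot: `sops.defaultSopsFile = ./secrets.yaml;` is set in the third hunk, but nothing there says which identity decrypts it on pce; sops-nix's default, as far as I recall, derives an age key from the host's ed25519 SSH host key, so activating this configuration silently depends on that key being the one behind the `server_pce` recipient in `.sops.yaml`. Making the dependency explicit, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, plus a comment `# recipients are managed in .sops.yaml; re-key with sops updatekeys after rotating the host key`, turns a hidden default into a documented one. It is also worth confirming that `./nixos/server/harden.nix`, imported alongside the sops module, does not change the host key set sops-nix reads from.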
@@ -1,158 +1,16 @@ -{ pkgs, config, ... }: +{ flake, ... }: # TODO: # - Build agents (SSH slave) # - NixOS slave: container separation? # - macOS slave (later) -let - # The port to run Jenkins on. - port = 9091; - # The domain in which Jenkins is exposed to the outside world through nginx. - domain = "jenkins.srid.ca"; - - # Config for configuration-as-code-plugin - # - # This enable us to configure Jenkins declaratively rather than fiddle with - # the UI manually. - # cf: - # https://github.com/mjuh/nixos-jenkins/blob/master/nixos/modules/services/continuous-integration/jenkins/jenkins.nix - cascConfig = { - credentials = { - system.domainCredentials = [ - { - credentials = [ - { - basicSSHUserPrivateKey = { - id = "ssh-privkey"; - username = "jenkins"; - privateKeySource.directEntry.privateKey = - casc.readFile config.age.secrets.jenkins-ssh-privkey.path; - }; - } - { - # Instructions for creating this Github App are at: - # https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc#configuration-as-code-plugin - githubApp = { - appID = "307056"; # https://github.com/apps/jenkins-srid - description = "Github App - jenkins-srid"; - id = "github-app"; - privateKey = casc.readFile config.age.secrets.jenkins-github-app-privkey.path; - }; - } - { - string = { - id = "cachix-auth-token"; - description = "srid.cachix.org auth token"; - secret = casc.json "value" (casc.readFile config.age.secrets.srid-cachix-auth-token.path); - }; - } - { - string = { - id = "docker-pass"; - description = "sridca Docker password"; - secret = casc.json "value" (casc.readFile config.age.secrets.srid-docker-pass.path); - }; - } - ]; - } - ]; - }; - jenkins = { - numExecutors = 6; - securityRealm = { - local = { - allowsSignup = false; - }; - }; - /* - nodes = [ - { - permanent = { - name = "jenkins-agent-contaiiner"; - remoteFS = "/var/lib/jenkins/"; - launcher.ssh = { - host = "undefined"; - port = 22; - }; - }; - } - ]; - */ - }; - unclassified.location.url 
= "https://${domain}/"; - }; - - # Functions for working with configuration-as-code-plugin syntax. - # https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#additional-variable-substitution - casc = { - readFile = path: - "$" + "{readFile:" + path + "}"; - json = k: x: - "$" + "{json:" + k + ":" + x + "}"; - }; -in { - imports = [ - ./docker.nix - ]; - services.jenkins.extraGroups = [ "docker" ]; - - age.secrets.jenkins-ssh-privkey = { - owner = "jenkins"; - file = ../secrets/jenkins-ssh-privkey.age; - }; - age.secrets.jenkins-github-app-privkey = { - owner = "jenkins"; - file = ../secrets/jenkins-github-app-privkey.age; - }; - age.secrets.srid-cachix-auth-token = { - owner = "jenkins"; - file = ../secrets/srid-cachix-auth-token.age; - }; - age.secrets.srid-docker-pass = { - owner = "jenkins"; - file = ../secrets/srid-docker-pass.age; - }; - - services.jenkins = { - enable = true; - inherit port; - environment = { - CASC_JENKINS_CONFIG = - builtins.toString (pkgs.writeText "jenkins.json" (builtins.toJSON cascConfig)); - }; - packages = with pkgs; [ - # Add packages used by Jenkins plugins here. - git - bash # 'sh' step requires this - coreutils - which - nix - cachix - docker - ]; - # ./jenkins/update-plugins.sh - plugins = import ./jenkins/plugins.nix { - inherit (pkgs) fetchurl stdenv; - }; - extraJavaOptions = [ - # Useful when the 'sh' step b0rks. - # https://stackoverflow.com/a/66098536/55246 - "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true" - ]; - }; - - # To allow the local node to run as builder, supporting nix builds. - # This should not be necessary with external build agents. 
- nix.settings.allowed-users = [ "jenkins" ]; - nix.settings.trusted-users = [ "jenkins" ]; - services.nginx = { - virtualHosts.${domain} = { + virtualHosts.${flake.config.jenkins-nix-ci.domain} = { forceSSL = true; enableACME = true; locations."/".extraConfig = '' - proxy_pass http://localhost:${toString port}; + proxy_pass http://localhost:${toString flake.config.jenkins-nix-ci.port}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..a4de839 --- /dev/null +++ b/secrets.yaml 
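Review bot: The rewritten module reads `flake.config.jenkins-nix-ci.port` for `proxy_pass`, but the `jenkins-nix-ci` block added in flake.nix sets only `domain`, `plugins` and `plugins-file`, so the proxy target now relies on the flake-module providing a default for `port` (the removed code hardcoded 9091); if no such default exists the vhost fails to evaluate. A comment above `services.nginx`, `# domain and port come from the jenkins-nix-ci flake-module options set in flake.nix; Jenkins itself is configured by self.nixosModules.jenkins-master`, would record where these values now live, since this file no longer shows any `services.jenkins` configuration. The old `nix.settings.trusted-users = [ "jenkins" ]` grant is dropped with no replacement visible here; if the master still runs nix builds, confirm the jenkins-nix-ci module covers that, otherwise the removal is a welcome tightening since trusted-users is effectively root on the Nix daemon. The `extraConfig` string and its enclosing attribute sets continue past the end of the hunk.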
@@ -0,0 +1,41 @@ +jenkins-nix-ci: + cachix-auth-token: + description: ENC[AES256_GCM,data:hQY1vf8vZOZDwCuNOe0G6AKFyEtY0mF/oGA=,iv:lCWFjd+0yoGMZPKsRaFOHvdNzPJKbSQpz/Py+j8JKso=,tag:4Dm3JscWDqJc9yqP0r/3RA==,type:str] + secret: ENC[AES256_GCM,data:evRAdPnirloK9knQkZLMXGKgNzjrZUXBPc1idCYRry3hTt0f70Y6PWluX9owyWhRoxVAbPAt6/8tEfnICsZSbvQsuBsMPQ5WNWfuNgO+yiGuaWuM8LJ78VKAuaYFmWHjR9MCOycRFAr5tgPtb9vhNEUGgrCHLPEhVLdb5kPz3U+QhwmQpc5HMuLnP2K8WJXajAOTHpY=,iv:Re3z9NZ1EdwXfGDjG7KEXOogPIdtZrmSf9plfqRaS3A=,tag:dSm18mst/5iRWpAu1jipFw==,type:str] + docker-login: + description: ENC[AES256_GCM,data:QuhV50TZWO+791XIoZbHHPY/QAVd5afPdacUyXLABQw=,iv:Al6ubEaXMOjvFKxh1rbrT621ZEMqG12E6pFDx4tZZok=,tag:F04n/T9/ZoX6PFHr76b0kg==,type:str] + user: ENC[AES256_GCM,data:sR9lVeb4,iv:QRdHIr+R5FV96U1uYCfq2Cezq3apvGPlB90EplLWXec=,tag:aoaC8wmpzJr4stp0HM8ZXQ==,type:str] + pass: ENC[AES256_GCM,data:297e7NEKjyzNXRlv3f+uGyKu,iv:LxcaCG4Tz1xbfr9VJ3suQSnemZFHK7hHRSwrfnM44iY=,tag:GLHHpjHcU4rJ1h/WTG83CA==,type:str] + github-app: + appID: ENC[AES256_GCM,data:WmR2IH9X,iv:S/1+XqfQ68rr8ia7bXGDZ/hVWi1t0Y3JQVYLyvJp26c=,tag:0+a0Es5h8eklkHR39H/rzQ==,type:str] + description: ENC[AES256_GCM,data:C1swvIs+o/nALqbZ3mvnq7IeupIDTvFmEA==,iv:QpMN3VuuAkehGcvFxEPYyHoILIdJHhkuHxhQi7dQY8g=,tag:1H02Z5PimzSq6rsj/h5SQA==,type:str] + privateKey: 
ENC[AES256_GCM,data:QH6r9TXHFjAPlHhSmY8ZvHESnDyAFsrLDqBkEb0CjnDPF2dPRUYzM6xec6JLKxiK1a/y2El0moOuZJlPkbS9HHuJpmyUSoVL35Q/B9wV79/uhQ+O+6ngCo+WYFELX5VnjSFzBdUphSmO8QCrT4MwEz3NEGai2joVjn12xTo8US2aCZAsFj03D2qVZgmtdVwXjrOf/nNkoOW8sYMWqfQ5ZsKQAqU3PbfqqWinKPc7+r1rx0fBmhzVHBcEjeUkgdeh1WwLZyUqju3u+mY1F8izz1bhXK+5CeIdjdnwJXdvbab77ZowuzssENk8xowlvPxp+pvIhWBz99WSu+fegwJEEsibn0iIG13nw2XJnzWk5q2WVSqoKXr+phKWlZRDdf6dLXJjCdBbgOpQ3BMgyNiqqi0UsL6Sx5p/Xf8y6VejxnQnzdSp9Cng2NJ2yQNAlbY9G9e0biqrXbb2Uoo3qL0PcnJPa5Ny8HbJrrC5zUd9Ylrg0moeY1cv25vMSkolLUqjZzW1INpcSCcUT3BSdYEoa9JSIccGNaFV0u8jf9XoMBrkj5UT9YgASxmr98oBOhigImkL/uS8CiJP13EP75581GhgqnPlYVgkeAStcVxDrPMWLyxxjpc7fOMTtX+pqenFZjJO94SxI4/QMIEDdfVat6/BK4F+8DlHtZZt1gbpU9R1H5XmkPCcGQBwv0SpKkyq8r7FdDSjPq97mu7D2x8llKG6xi2S4PjZ68fd5zcyXCjD0UtwtzJMajsLvTLwnArnC2ioi0DpxqotXgh3/0q+ucPxNCdCqcwfOwweSm5hBAjIfF0ybKzaZe7dMUmutdi7OaiKxuvcJ/EGOBRzATUXUrdIO/dsynxcLqN4b39hxQR8PPJJ07ydyWqqSujjRHw1eQQXmu9Bx3YQdsMZS+b0wbezdd8BZ0aQlkftUXIlTUCWV7jNXLH2pBzHjh4laA4JfpDagzztUd8GDmmWfd4upHHgXIKU++vYQDBojbP+RiDu2Ipj03RPfePpBgSSCTJQPcnEYkI1w5acao7+DFC9uHb3WYWFv3/Ahk8mNNu063ergF95sfSA/uKE8YPOLp4NCa48CrrFiA6Gizo21ECNT28OV3YfIXP2jrQQIsDoaKAAH9fSwGdDyy8i63HXaduPw5eCtDg3IUZj25s7MEGpVPNO79RT2Ml0fkzu3jW0qo2V6DZMNouQSYZDJMK7UGqKK7o9eALzZpZ09t52jvBnUQtIXiqPAt3pUckxaIU5o/7Yh0xQ97vcj7kQtu+OaBba5EDxm8Bl3YoW5G/hmuK6EHeFFRVSJqvuetpttNI/dFeqmBI+YEwuQpULy3G89h2QgJXVgWciHuokYqqfaGwZ9u2Ot1HhMyJuiMi5IhL5WfyIK/gJlcMnFy8VQ7iGcIIbB1HBP7UCQytsaieBAtDjVRO9zhxAkmNvBJrq7DXpIdvzilcRc/F8Ca2fxTmNEtBVH29ZMvgbfOnEz/cUb57jAhFn/Es3pel0eY2IwaG+eQldp4Kh9M998Fgq1yhU+xxKtpObOznWZtjyoUczS7YB6WQfFzliPXDmNwgynWM1AeBbwJ5T7wEH412Bx3lNkWtMpdDYqv+QJ+HYQdr6f7CT9hLaK2I5QoSdMBvWGrDRP/GkMx0gkYndWzPhz7xdCrgAD0izfOPqdgAH2wUs1Yre27RNIijkg5FEDuDD6zyug09pXeXpofNwgjCyCMeKpd/E/JkfDedcOrrAgHpBIAbnYq8MSD7lz0QZlRLcP1+oN46m0pqF1TqvWgc6vNkpUwXWHGXcuHkJ8G0cgfmHewS4B3sqiLmrNtu2K4WfbRg/88hFcIMnBGIkNff2X01iPLoXtc6isVWowf6WpshlXFBjRov0QXsXO4SYlVRwsXEzZPd7Wbdp1Bam/rwcTg9fDn+nlQ4t5y7lIe8KeCva1Y+mQ43sozaqh9iCXAojN62gmTD/cpJSQZT8icKhFOwh
610Yq/WWnc+8sh0AIza7jwCMcE8r5e/4FSNjtS+ZJ4fuyn2J+wrULj6vdE/P9NItDHXFM3QihKVABFzexT/CmfS//8GnO8qG2cF/DJpchL15isfc2IVAI9cou1hs1sIxK+/K9paCqPex3WDUipAWawimwMdKLkMceDiW3qoIbRz2GlV7bXX76N/4xxRj9O8ISp32CjOaIXXrb0fqzhuwvG6BT2ru6+aLGGbFS0AxS/y8KYaYLcCwvlT0qk1o0W59c73TMyavvLirj9C8/rWBUCl6oTAtfnS/1Qej,iv:tRTD+S6OWCFa3Qt49QD43ilWl2C+7J439rWhpeR3y7M=,tag:atq1eoV0072dIK0/FFvw/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeTNDemZrSnlCNUo5RnZ4 + QjJSM2xXRktqM08xUS9HMVVRSDRnRnEzSXlVCkZoS3F5QkE0NGl0aDdPN0V5bjhZ + RC94YUNGd2k3enNnNFB4Vkd4WUZmQVkKLS0tIDNOa2Fmc3U3aDdDNGcvdU90YkRS + cjRSSk4vaXRoWTJsZVI4NEl6MWJRMEEKq8gdNGFBfA8Yc6Pkm3BnHTni+mar2eSB + Arrjfw2QPUiSnlko9bU7DkC9vfPfVq4YRfpz0yHbomg4Jn7C7j2qZA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsK3l2bG9uU3RVdjFzNFIw + c21QS2o4aXZvbG5WTGthNUFrWDZxNEtwTWo0CnB0KzB1T2o2NFkrcFVKT01iRWR1 + MVdjMVJOMm1qRE1iSHptdWduemw5aUUKLS0tIDF4QWxIRWNsbFRZbjRJTmxrRHYx + emg4aVZsMHNWOHgvcFM0ZDY5cllIMFUKN0ty9yucC/LxZIUdUo6ooF5QCbMR9c/G + zcuiXvN1wM5bd4zNO3X0g9t3x6j6/VyGbw5j0srSW0tJOFhXq8Zlsw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-03-27T16:42:41Z" + mac: ENC[AES256_GCM,data:8h6PK4ftPwmXZoYDDQ6MjNZaRdz/3RhMAw1JTcu2jjLwbH8ekKyEUMxjZV/4Ux7T9Yb5JrJ5HLG+BoQQ++xT/X+WchTlVLkUvoY3vGx49MHY2Gg4nh6JwVYn59rA4TtJirDrK5PgtWf3I3pvOpG1GvI5cpezRLIplLJkOUZNLAE=,iv:Y4gPpuNhDV0lQdJzkxtbtRVCxtxwOSg0NRYdvfE5UHQ=,tag:Ef4C6eLOkObUkCd6Gh0X+g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3