From decc9963eeddf60f3309bf87c4bfd901f29e4568 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 5 Oct 2024 18:18:12 +0200 Subject: [PATCH] feat: add buildbot.lix.systems This introduces a new Buildbot instance using all the previous work. This is a "Raito's VM" hardware type. Signed-off-by: Raito Bezarius --- common/ssh-keys.nix | 2 + flake.nix | 1 + hosts/buildbot-lix/default.nix | 69 ++++++++++++++++++++ secrets.nix | 8 +++ secrets/lix/buildbot-oauth-secret.age | 7 ++ secrets/lix/buildbot-remote-builder-key.age | Bin 0 -> 631 bytes secrets/lix/buildbot-service-key.age | Bin 0 -> 1319 bytes secrets/lix/buildbot-signing-key.age | 6 ++ secrets/lix/buildbot-worker-password.age | Bin 0 -> 277 bytes secrets/lix/buildbot-workers.age | 6 ++ 10 files changed, 99 insertions(+) create mode 100644 hosts/buildbot-lix/default.nix create mode 100644 secrets/lix/buildbot-oauth-secret.age create mode 100644 secrets/lix/buildbot-remote-builder-key.age create mode 100644 secrets/lix/buildbot-service-key.age create mode 100644 secrets/lix/buildbot-signing-key.age create mode 100644 secrets/lix/buildbot-worker-password.age create mode 100644 secrets/lix/buildbot-workers.age diff --git a/common/ssh-keys.nix b/common/ssh-keys.nix index 426d953..4b747cc 100644 --- a/common/ssh-keys.nix +++ b/common/ssh-keys.nix @@ -27,6 +27,8 @@ build02-aarch64-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdJE375pe58RJbhKwXRp3D//+SJ3ssiVZrLsM9CLHn0"; build01-aarch64-darwin-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVf1uO0lv5UBti/naW/+amqLxvWZg+StXk9aM+lJ7e4"; + buildbot-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoVSh35UqNQZ6ZZ1c6CzqERC40ovQ/KDXz8pC7nNlkR"; + # Raito infrastructure epyc-newtype-fr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOXT9Init1MhKt4rjBANLq0t0bPww/WQZ96uB4AEDrml"; }; diff --git a/flake.nix b/flake.nix index b7783e6..75c44e8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -198,6 +198,7 @@ build-coord.imports = floralInfraModules ++ [ ./hosts/build-coord ]; build01-aarch64-lix.imports = lixInfraModules ++ [ ./hosts/build01-aarch64-lix ]; + buildbot-lix.imports = lixInfraModules ++ [ ./hosts/buildbot-lix ]; } // builders; hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations; diff --git a/hosts/buildbot-lix/default.nix b/hosts/buildbot-lix/default.nix new file mode 100644 index 0000000..91d8b78 --- /dev/null +++ b/hosts/buildbot-lix/default.nix 
@@ -0,0 +1,69 @@
+# Configuration for a virtual machine in Raito's micro-DC basement.
+# 32 vCPU (2014 grade Xeon though)
+# 32GB RAM
+# 30GB SSD
+# 500GB HDD
+# All specifications can be upgraded to a certain extent, just ask Raito.
+# Hosts the coordinator for Buildbot.
+#
+# vim: et:ts=2:sw=2:
+#
+{ lib, modulesPath, ... }: {
+ networking.hostName = "buildbot";
+ networking.domain = "lix.systems";
+
+ zramSwap.enable = true;
+
+ bagel.sysadmin.enable = true;
+ # Buildbot is proxied.
+ bagel.raito.v6-proxy-awareness.enable = true;
+ bagel.hardware.raito-vm = {
+ enable = true;
+ networking = {
+ nat-lan-mac = "BC:24:11:75:62:42";
+ wan = {
+ mac = "BC:24:11:B2:5F:2E";
+ address = "2001:bc8:38ee:100::200/56";
+ };
+ };
+ };
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ bagel.services.buildbot = {
+ enable = true;
+ domain = "buildbot.lix.systems";
+ gerrit =
+ {
+ domain = "gerrit.lix.systems";
+ port = 2022;
+ username = "buildbot";
+ };
+ cors.allowedOrigin = "*.lix.systems";
+ projects = [
+ "lix"
+ "lix-installer"
+ ];
+ buildSystems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ "aarch64-darwin"
+ # Too slow.
+ /* "x86_64-darwin" */
+ ];
+ # Lix is not allowed to use yet Floral's x86_64 builders for now.
+ builders = [ ];
+ };
+
+ # This machine does not use /nix from btrfs, and instead uses a store on a bigger disk.
+ fileSystems."/nix" =
+ lib.mkForce
+ { device = "/dev/disk/by-uuid/1815ca49-d0b0-4b99-8aec-0d790498ba6f";
+ fsType = "xfs";
+ neededForBoot = true;
+ options = [ "relatime" ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ system.stateVersion = "24.05";
+ deployment.targetHost = "buildbot.lix.systems";
+}
diff --git a/secrets.nix b/secrets.nix
index ab40910..193c217 100644
--- a/secrets.nix
+++ b/secrets.nix
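Review bot: `cors.allowedOrigin = "*.lix.systems";` in the `bagel.services.buildbot` block accepts every subdomain of lix.systems as a cross-origin caller of the Buildbot web interface, which is wider than the one integration this file names (Gerrit). How the module turns this value into response headers is not visible in this hunk, but if credentialed requests are permitted, every host under that domain that serves less-trusted content is inside Buildbot's trust boundary. If only Gerrit needs cross-origin access, pin it, e.g. `cors.allowedOrigin = "gerrit.lix.systems";`, assuming the option accepts a single host; otherwise add a comment saying which origins need it and why. Separately, `modulesPath` in the argument list is unused in this file and can be dropped.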
@@ -53,6 +53,14 @@ let }; lix = { + buildbot-worker-password = [ machines.buildbot-lix ]; + buildbot-oauth-secret = [ machines.buildbot-lix ]; + buildbot-workers = [ machines.buildbot-lix ]; + # Private SSH key to Gerrit + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos + buildbot-service-key = [ machines.buildbot-lix ]; + # Signing key for Buildbot's specific cache + buildbot-signing-key = [ machines.buildbot-lix ]; buildbot-remote-builder-key = [ machines.buildbot-lix ]; }; }; diff --git a/secrets/lix/buildbot-oauth-secret.age b/secrets/lix/buildbot-oauth-secret.age new file mode 100644 index 0000000..55f8548 --- /dev/null +++ b/secrets/lix/buildbot-oauth-secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Ao+7Wg q7oRHUUlAvD8OUbpPT7d6eLMPWU0YS/verYTDE5BCkY +/87/1uqOvRYeqel9IjnFmGyF9SXUQD8MTgfcj91b/Fs +--- ulIeB91NJ7z/64h9BCLSD9/RW/zwv3m1Zo2ovNuInv8 +Μ}Ӛ#p o>*vs?[L +zr?R7< +i!{X \ No newline at end of file diff --git a/secrets/lix/buildbot-remote-builder-key.age b/secrets/lix/buildbot-remote-builder-key.age new file mode 100644 index 0000000000000000000000000000000000000000..3e619868fca4616aefac62e38b151132f00170e7 GIT binary patch literal 631 zcmV--0*L)#XJsvAZewzJaCB*JZZ2YGHOz4RWx!pWHoYXFI6#gX>CSyac)#GS~q!bQfDwSM{f#YPgrPUbxCC} zSuaC5c6WGEPAft=N-s`ib8jzraaKt|F>6w8W@t4)$vnvJstKTy= z@L7=g!i7Bwiq*YW!!DKw;7f+RHma5CvG?#ism33gq{Lhu))`yr|P_%{wIL@xwLiPde){d z1#ts@z)L6~LOPETp!}Q1=)|b-7k0+%C-`umx-pmF1(2lCO{~3Jqo&3(Xl`2g%{~*IR-FpBYbEDCns* zAIBJ2;ykD}7$n2!Eh_;qO9;|P-hj^QsbQ96EM?gD;J5O|Ric+#gnj=E)14y}HQo|y zE4yrK>PC)?2$p#lARYifV>(9RB@+>p2$k4i4%;_!FUlo(`$o;)twe^rcD6{$(NAE; z(aSUPr)I;r0MDoNPsozPYa*4-utB+$fkIk(k!?6)h$DS$B?H5_2n>lmH`v0R+=zuA RbN<3w-zqr-Ile0cT0%M}6|4XN literal 0 HcmV?d00001 
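Review bot: Every new entry in the `lix` set lists only `machines.buildbot-lix` as recipient, and the three `.age` files that this commit adds as text each carry a single `ssh-ed25519` stanza, so these secrets appear to be decryptable by one key only. If that key is the VM's host key, re-encrypting or rotating the OAuth secret, the cache signing key and the Gerrit service key requires access to that machine, and a reinstall loses them; whether the `let` bindings above the hunk add operator keys is not visible here. A short comment recording the intent would help, for example `# Host-only recipients: these secrets must be regenerated if buildbot-lix is reinstalled`. The comment above `buildbot-service-key` says "Private SSH key" but is followed by a public key line, so it would read more clearly as `# Private SSH key used to authenticate to Gerrit; matching public key:`.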
diff --git a/secrets/lix/buildbot-service-key.age b/secrets/lix/buildbot-service-key.age new file mode 100644 index 0000000000000000000000000000000000000000..43cbccba27e53163543dc74099e312e34e940d2f GIT binary patch literal 1319 zcmZ9~{g2ZG0LF3k5OsJO0zpB6A>f6Sb6vM~D-fXFu6ya;+O6w$qPTTyyRKW;ZC$qk zg5aG~`49@qXbK{({dpPo9L3ZcgX9 zVy#flDEZfvqF}0+4b4-HrIOg3PC+niMva&P*jT}skC(NI9|A23FEK@ro97cH4;eHC zxFk}xVWvzWg6Wuw=x)Z42jU(qLc22whY*QI5-@0`^djjNO?J19%(1Dg;vy_o-k~aw zYJeKm@`ACbMO~#p+^OfokY6QQL8oq~LZ#7 z>y>aI>T(frIV{5VxVIjvTfGRPmhIsnB61J4Vku$F7FmanGMMoiPZ6v=X-+_N6?5Re zAS;J}EFO@8mI_cV5ERvtMME(KN9|-bBj5z?MY)(}a@V<_pEl&wU>a;|paH|ch<}xYFnvTkLP4LQ~*k6!CstT&f0YI^+ zfSxG92uA?178oU+yWpio90`+kzHX<&qD<=rv;xzF~Rt1`3Dq&3*B_AD4)eS)?lJ^w^k;}qS zUh-JV99*$e57&P9BvVDFILesUVy%p>+Pq#^75Fq)BJu?`!3t(3ozXHXq?H87mGH7j z2Wa46vcd*Av)#kWsX#H{k7=SU1p%Z&QW{F5Boo1~uqkC>vyW;ZjoLz((W5c$n%mFi zAw8W;huEYDVL463Gjsu|MItUO5Y{YeFzL!=4Hy=xQ!%-2%Yk7w>2()eu9iBJLeY2< z(#0U)vh??9wW1R0*P5G+lv&R4nzg3(&m$y2he(gwGwiI-$XId&#Jt`TM@=txfs3sk4^`Oe+m)vh*DsA)O(k$7ZDu=k|{=>=3Q)W*dxB7hV E|M|ZA1^@s6 literal 0 HcmV?d00001 diff --git a/secrets/lix/buildbot-signing-key.age b/secrets/lix/buildbot-signing-key.age new file mode 100644 index 0000000..2929b2e --- /dev/null +++ b/secrets/lix/buildbot-signing-key.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 Ao+7Wg EMpfs0EpWwaIKAoUBfEkyAHLIwi6JnGG6RvUWM5LjnU +LKiwUBNc791U/GVRNlRPZE/TEMJjcFFrLruFJhiyiOI +--- 0khp8u+4vHgGyQqP05m473Eo09eyOUZLI5+EK4olzoc +N3( +xRqf;3~RC^ +f1xSؗ h ˰GnYI:7!uHy/.^lCU5c:]N&'M-HFD0cj ~ \ No newline at end of file 
diff --git a/secrets/lix/buildbot-worker-password.age b/secrets/lix/buildbot-worker-password.age new file mode 100644 index 0000000000000000000000000000000000000000..2eb92caaa349f70a3059e88673992cc951f77f5e GIT binary patch literal 277 zcmV+w0qXu?XJsvAZewzJaCB*JZZ2W%PjpdnS1V_2S7c;DXH^PxW@KV#IYu&4 zL{Vf&QBzY-Sao4`FK{$5W=~c!F;{UydSpd0Hd8q;IYkOBEiE8IOjt^7Z&Fxxb5&ww zSZ;H3Ojt%UIV(p?RAMkqZcb@(Rz_J)NqAypN=XU;pT<4ck}~?#YrXBwOAW$XK5fpEg3*0X_nT)wftdcn*z`C b4)|cIH}D&N_ycqZ>l{+$*@$a&2BHLiWpZS% literal 0 HcmV?d00001 diff --git a/secrets/lix/buildbot-workers.age b/secrets/lix/buildbot-workers.age new file mode 100644 index 0000000..71aaa06 --- /dev/null +++ b/secrets/lix/buildbot-workers.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 Ao+7Wg RPKKoI5l5cYVdSvOxTHCUtwceac4vSi3+vlaqHr8kQg +qbgTHCeQDNM30IJNZ/BU6wgryJwB316H5GWWaYB/wng +--- GuFi3GSRdlBJ5YRjfAVyFDZ+4TH575kFJLnFp5847N0 +-H*xM7t<,4^5@v,ZMg=M + 3vJīNz8'<^'4&Wf"\wmzlAl|+K~68Ek8?S&aM~]Vf JxaDx \ No newline at end of file