# Host definition for gerrit01: the Gerrit instance served as cl.forkos.org,
# the nixpkgs one-way-sync jobs that push into it, and the channel scripts.
{ config, lib, pkgs, ... }:
{
  networking = {
    hostName = "gerrit01";
    # TODO: make it the default
    domain = "infra.forkos.org";
  };

  bagel.sysadmin.enable = true;

  # Gerrit is reached through a proxy.
  bagel.raito.v6-proxy-awareness.enable = true;

  bagel.hardware.raito-vm = {
    enable = true;
    networking = {
      nat-lan-mac = "bc:24:11:f7:29:6c";
      wan = {
        address = "2001:bc8:38ee:100:1000::10/64";
        mac = "bc:24:11:4a:9d:32";
      };
    };
  };

  # Turn crawlers away at the nginx layer.
  bagel.services.nginx.crawler-blocker.enable = true;

  # Dedicated volume: holds the Gerrit site (`data` below) and the
  # one-way-sync state directory.
  fileSystems."/gerrit-data" = {
    device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
    fsType = "ext4";
  };

  bagel.services.gerrit = {
    enable = true;
    pyroscope.enable = true;
    domains = [ "cl.forkos.org" ];
    canonicalDomain = "cl.forkos.org";
    data = "/gerrit-data";
  };

  # Key handed to one-way-sync as `deployKeyPath`. The decrypted file is
  # readable and writable only by its owner, the `git` user.
  age.secrets.ows-deploy-key = {
    file = ../../secrets/floral/ows-deploy-key.age;
    mode = "0600";
    owner = "git";
    group = "git";
  };

  bagel.nixpkgs.one-way-sync =
    let
      # Job that pulls a ref from upstream nixpkgs on GitHub. When no
      # `localRefspec` is given, the ref keeps its upstream name.
      upstreamJob =
        { timer, fromRefspec, localRefspec ? fromRefspec }:
        {
          inherit timer fromRefspec localRefspec;
          fromUri = "https://github.com/NixOS/nixpkgs";
        };

      # Job that forwards one branch of our own Gerrit repository to another.
      localJob =
        { timer, fromRefspec, localRefspec }:
        {
          inherit timer fromRefspec localRefspec;
          fromUri = "https://cl.forkos.org/nixpkgs";
        };

      # Upstream ref mirrored under the same name every hour.
      hourlyMirror = ref: upstreamJob {
        timer = "hourly";
        fromRefspec = ref;
      };
    in
    {
      enable = true;
      stateDirectory = "/gerrit-data/ows";

      # Pushes go over SSH as the `ows_bot` Gerrit account, using the deploy key.
      # NOTE(review): this identity can write to the branches listed below;
      # confirm the Gerrit ACLs limit it to exactly these refs.
      pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
      deployKeyPath = config.age.secrets.ows-deploy-key.path;

      branches = {
        # Sync main -> staging-next -> staging
        "main-to-staging-next" = localJob {
          timer = "00/8:20:00"; # every 8 hours, 20 minutes past the full hour
          fromRefspec = "main";
          localRefspec = "staging-next";
        };
        "staging-next-to-staging" = localJob {
          timer = "00/8:40:00"; # every 8 hours, 40 minutes past the full hour
          fromRefspec = "staging-next";
          localRefspec = "staging";
        };

        # Sync nixpkgs -> fork
        # Upstream `master` is the only ref that lands under another name.
        "nixpkgs-master" = upstreamJob {
          timer = "hourly";
          fromRefspec = "master";
          localRefspec = "main";
        };
        "nixpkgs-staging" = hourlyMirror "staging";
        "nixpkgs-release-24.05" = hourlyMirror "release-24.05";
        "nixpkgs-staging-24.05" = hourlyMirror "staging-24.05";
        "nixpkgs-release-23.11" = hourlyMirror "release-23.11";
        "nixpkgs-staging-23.11" = hourlyMirror "staging-23.11";
      };
    };

  # S3 credentials for the channel scripts.
  # NOTE(review): no owner/mode is set here, so agenix's defaults apply
  # (presumably root-owned and 0400); confirm the channel-scripts service
  # can read the file and nothing else can.
  age.secrets.s3-channel-staging-keys.file = ../../secrets/floral/s3-channel-staging-keys.age;

  bagel.nixpkgs.channel-scripts = {
    enable = true;
    otlp.enable = true;

    nixpkgsUrl = "https://cl.forkos.org/nixpkgs.git";
    hydraUrl = "https://hydra.forkos.org";
    binaryCacheUrl = "https://cache.forkos.org";
    baseUriForGitRevisions = "https://cl.forkos.org/plugins/gitiles/nixpkgs/+";

    # Release and channel output both go to the same "-test" bucket.
    s3 = {
      release = "bagel-channel-scripts-test";
      channel = "bagel-channel-scripts-test";
    };
    releaseBucketCredentialsFile = config.age.secrets.s3-channel-staging-keys.path;

    # NOTE(review): `age.secrets.priv-ssh-key` is not declared in this file,
    # so it has to come from another module; confirm its owner and mode there.
    deployKeyFile = config.age.secrets.priv-ssh-key.path;

    # NOTE(review): this turns off the channel scripts' preflight checks. What
    # they verify is not visible from this file; make sure the flag is dropped
    # before the buckets above stop being test buckets.
    extraArgs = [ "--bypass-preflight-checks" ];

    channels = import ../../common/channels.nix;
  };

  i18n.defaultLocale = "fr_FR.UTF-8";

  system.stateVersion = "24.05";
  deployment.targetHost = "gerrit01.infra.forkos.org";
}