Raito Bezarius
92560708b8
Lix may have its own secrets and we want to maintain a certain generalization level on the NixOS modules, so we can decorrelate which secret we select dynamically by having a simple tenancy hierarchy system. This unfortunately requires to rewrite all call sites with a floral prefix until we migrate them to the simple internal secret module which is aware of this. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
148 lines
4 KiB
Nix
Executable file
148 lines
4 KiB
Nix
Executable file
{
|
||
config,
|
||
lib,
|
||
pkgs,
|
||
...
|
||
}:
|
||
{
|
||
networking.hostName = "gerrit01";
|
||
# TODO: make it the default
|
||
networking.domain = "infra.forkos.org";
|
||
|
||
bagel.sysadmin.enable = true;
|
||
# Gerrit is proxied.
|
||
bagel.raito.v6-proxy-awareness.enable = true;
|
||
bagel.hardware.raito-vm = {
|
||
enable = true;
|
||
networking = {
|
||
nat-lan-mac = "bc:24:11:f7:29:6c";
|
||
wan = {
|
||
address = "2001:bc8:38ee:100:1000::10/64";
|
||
mac = "bc:24:11:4a:9d:32";
|
||
};
|
||
};
|
||
};
|
||
|
||
fileSystems."/gerrit-data" = {
|
||
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
||
fsType = "ext4";
|
||
};
|
||
|
||
bagel.services.gerrit = {
|
||
enable = true;
|
||
pyroscope.enable = true;
|
||
domains = [
|
||
"cl.forkos.org"
|
||
];
|
||
canonicalDomain = "cl.forkos.org";
|
||
data = "/gerrit-data";
|
||
};
|
||
|
||
age.secrets.ows-deploy-key = {
|
||
file = ../../secrets/floral/ows-deploy-key.age;
|
||
mode = "0600";
|
||
owner = "git";
|
||
group = "git";
|
||
};
|
||
bagel.nixpkgs.one-way-sync =
|
||
let
|
||
mkNixpkgsJob = { timer, fromRefspec, localRefspec ? fromRefspec }: {
|
||
fromUri = "https://github.com/NixOS/nixpkgs";
|
||
inherit fromRefspec localRefspec timer;
|
||
};
|
||
mkLocalJob = { timer, fromRefspec, localRefspec }: {
|
||
fromUri = "https://cl.forkos.org/nixpkgs";
|
||
inherit fromRefspec localRefspec timer;
|
||
};
|
||
in
|
||
{
|
||
enable = true;
|
||
|
||
pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
|
||
deployKeyPath = config.age.secrets.ows-deploy-key.path;
|
||
|
||
# Sync main -> staging-next -> staging
|
||
branches."main-to-staging-next" = mkLocalJob {
|
||
timer = "00/8:20:00"; # every 8 hours, 20 minutes past the full hour
|
||
fromRefspec = "main";
|
||
localRefspec = "staging-next";
|
||
};
|
||
branches."staging-next-to-staging" = mkLocalJob {
|
||
timer = "00/8:40:00"; # every 8 hours, 40 minutes past the full hour
|
||
fromRefspec = "staging-next";
|
||
localRefspec = "staging";
|
||
};
|
||
|
||
# Sync nixpkgs -> fork
|
||
branches."nixpkgs-master" = mkNixpkgsJob {
|
||
timer = "hourly";
|
||
fromRefspec = "master";
|
||
localRefspec = "main";
|
||
};
|
||
|
||
branches."nixpkgs-staging" = mkNixpkgsJob {
|
||
timer = "hourly";
|
||
fromRefspec = "staging";
|
||
};
|
||
|
||
branches."nixpkgs-release-24.05" = mkNixpkgsJob {
|
||
timer = "hourly";
|
||
fromRefspec = "release-24.05";
|
||
};
|
||
|
||
branches."nixpkgs-staging-24.05" = mkNixpkgsJob {
|
||
timer = "hourly";
|
||
fromRefspec = "staging-24.05";
|
||
};
|
||
|
||
branches."nixpkgs-release-23.11" = mkNixpkgsJob {
|
||
timer = "hourly";
|
||
fromRefspec = "release-23.11";
|
||
};
|
||
|
||
branches."nixpkgs-staging-23.11" = mkNixpkgsJob {
|
||
timer = "hourly";
|
||
fromRefspec = "staging-23.11";
|
||
};
|
||
|
||
# Testing jobs for personal sandbox branches
|
||
branches."raito-unstable-sync" = {
|
||
fromUri = "https://github.com/NixOS/nixpkgs";
|
||
fromRefspec = "nixos-unstable-small";
|
||
localRefspec = "sandbox/raito/raito-unstable-small";
|
||
timer = "*-*-* 12:00:00";
|
||
};
|
||
|
||
branches."raito-release-sync" = {
|
||
fromUri = "https://github.com/NixOS/nixpkgs";
|
||
fromRefspec = "nixos-24.05";
|
||
localRefspec = "sandbox/raito/raito-nixos-24.05";
|
||
timer = "daily";
|
||
};
|
||
};
|
||
|
||
age.secrets.s3-channel-staging-keys.file = ../../secrets/s3-channel-staging-keys.age;
|
||
bagel.nixpkgs.channel-scripts = {
|
||
enable = true;
|
||
otlp.enable = true;
|
||
nixpkgsUrl = "https://cl.forkos.org/nixpkgs.git";
|
||
hydraUrl = "https://hydra.forkos.org";
|
||
binaryCacheUrl = "https://cache.forkos.org";
|
||
baseUriForGitRevisions = "https://cl.forkos.org/plugins/gitiles/nixpkgs/+";
|
||
s3 = {
|
||
release = "bagel-channel-scripts-test";
|
||
channel = "bagel-channel-scripts-test";
|
||
};
|
||
releaseBucketCredentialsFile = config.age.secrets.s3-channel-staging-keys.path;
|
||
deployKeyFile = config.age.secrets.priv-ssh-key.path;
|
||
extraArgs = [
|
||
"--bypass-preflight-checks"
|
||
];
|
||
channels = import ../../common/channels.nix;
|
||
};
|
||
|
||
i18n.defaultLocale = "fr_FR.UTF-8";
|
||
|
||
system.stateVersion = "24.05";
|
||
deployment.targetHost = "gerrit01.infra.forkos.org";
|
||
}
|