From 2dba549787fa68d59f10f7cc8a3c404f1db0e3aa Mon Sep 17 00:00:00 2001 From: Julian Mutter Date: Sun, 5 Oct 2025 15:33:58 +0200 Subject: [PATCH] builder: setup as jenkins node --- hosts/builder/default.nix | 63 ++++++++++++++++++++++++++++++++++++-- hosts/builder/secrets.yaml | 6 ++-- 2 files changed, 63 insertions(+), 6 deletions(-) diff --git a/hosts/builder/default.nix b/hosts/builder/default.nix index 75fa83a..3795a86 100644 --- a/hosts/builder/default.nix +++ b/hosts/builder/default.nix @@ -1,7 +1,11 @@ # sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118 # or # deploy .#builder -{config, ...}: { +{ + config, + pkgs, + ... +}: { imports = [ ./hardware-configuration.nix @@ -11,6 +15,7 @@ networking.hostName = "builder"; system.stateVersion = "23.11"; + users.mutableUsers = false; users.users.nix = { isNormalUser = true; description = "Nix"; @@ -103,9 +108,28 @@ services.openssh = { enable = true; # require public key authentication for better security - settings.PasswordAuthentication = true; + settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; settings.PermitRootLogin = "yes"; + # Add older algorithms for jenkins ssh-agents-plugin to be compatible + settings.Macs = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; + settings.KexAlgorithms = [ + "diffie-hellman-group-exchange-sha1" + "diffie-hellman-group14-sha1" + "mlkem768x25519-sha256" + "sntrup761x25519-sha512" + "sntrup761x25519-sha512@openssh.com" + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group-exchange-sha256" + ]; }; users.users."root".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi" 
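Review bot: The two SHA-1 key exchanges added at the top of `settings.KexAlgorithms` (`diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1`) are offered to every client of this sshd, including root logins, not only to the Jenkins controller, and sshd cannot scope KexAlgorithms or MACs per user in a `Match` block. I would first check whether the agent plugin can negotiate `diffie-hellman-group-exchange-sha256` or `curve25519-sha256`, which are already in the list, and drop the SHA-1 entries if it can. If they must stay, list them last and mark them, e.g. `# TODO: remove once the Jenkins controller negotiates a sha256 KEX`; the same goes for the non-ETM `hmac-sha2-*` and `umac-128@openssh.com` MACs. Since password authentication is now off, the unchanged `settings.PermitRootLogin = "yes";` could become `"prohibit-password"` to state the intent explicitly.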
@@ -203,7 +227,16 @@ url = "https://gitlab.julian-mutter.de"; name = "builder"; tokenFile = config.sops.secrets."gitea_token".path; - labels = []; # use default labels + labels = [ + # provide a debian base with nodejs for actions + "debian-latest:docker://node:18-bullseye" + # fake the ubuntu name, because node provides no ubuntu builds + "ubuntu-latest:docker://node:18-bullseye" + # devenv + "devenv:docker://ghcr.io/cachix/devenv/devenv:latest" + # provide native execution on the host + "nixos:host" + ]; }; virtualisation.docker.enable = true; @@ -274,4 +307,28 @@ "/var/run/docker.sock:/var/run/docker.sock" ]; }; + + ### Jenkins node + users.users.jenkins = { + createHome = true; + home = "/var/lib/jenkins"; + group = "jenkins"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home" + ]; + packages = with pkgs; [ + git + devenv + ]; + extraGroups = [ + "docker" + ]; + }; + + users.groups.jenkins = {}; + programs.java = { + enable = true; + package = pkgs.jdk21; # Same as jenkins version on home + }; } diff --git a/hosts/builder/secrets.yaml b/hosts/builder/secrets.yaml index 8df1468..3c8336a 100644 --- a/hosts/builder/secrets.yaml +++ b/hosts/builder/secrets.yaml 
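Review bot: The `"nixos:host"` label runs jobs directly on the builder with no container, so any workflow able to select this runner executes as the runner's service user on a host that also holds the sops secrets and accepts root SSH logins. Unless the runner is registered only for repositories whose workflow authors are trusted, I would drop that label or state the assumption next to it, e.g. `# host execution: only register this runner for trusted repos`. The container labels use mutable tags, and `ghcr.io/cachix/devenv/devenv:latest` in particular can change between runs; pinning it as `ghcr.io/cachix/devenv/devenv@sha256:<digest>` (placeholder) would make the job image reviewable. The enclosing runner block starts outside this hunk, so how the runner is scoped is not visible here.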
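Review bot: Putting `jenkins` in `extraGroups = [ "docker" ]` gives that account control of the Docker daemon, which is equivalent to root on the builder, so the `jenkins@home` key and every job the controller schedules here are effectively trusted as root on this host. If jobs only need to build or run containers, rootless Docker (`virtualisation.docker.rootless.enable`) or a separate build VM would keep a compromised job inside the jenkins account. If the group stays, document it with `# docker group is root-equivalent: Jenkins jobs are trusted as root on this host`. The authorized key could also be limited to the controller with a `from="<controller-address>"` prefix (placeholder address). The attribute set this block is added to starts outside the hunk.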
@@ -1,5 +1,5 @@ gitlab_runner_token: ENC[AES256_GCM,data:6H/9h58DpDOJRgeiFl4PXnkEWywLml94t2+5L31xEqg0ZiWNe1cftO4wzG6l5oUz1awqXHpuXNNHjK1PwPxUwqbHwnRN0BN5g2r5CImLVd3KyV5ULWj3FeGPlrsQY8RyNrqRQocbL+Hoqjnzy/3zWywA0yQMx451yY4MDAnmPscSiyXW4Z4Yp3Xrbv0vRA6elg==,iv:wxsHRCTYqqD2IQhfU5yNipudn9q0sFlo3eV/GNLjjWA=,tag:8lx+gImsgRtCz7M6COM9mg==,type:str] -gitea_token: ENC[AES256_GCM,data:FuLEQRo8NtCIsGhtksbaKTZGliiR/5lRr6wHQCArUNN1IXFpPW49k/hZl20Wgg==,iv:MN7FBNIms/5Q841gfikk4WMaqyuXOTSQifC9IKFF0AM=,tag:RZFnJ49RZ+z9kXoTHdtYug==,type:str] +gitea_token: ENC[AES256_GCM,data:/7hmQG8tI1U/6IvuQNkTsj6QTpIok7fMnzbHR9qqR6b998dwdHX1BZ9JPSg2Ww==,iv:MnDip5nw7v69qpnWrrNZ+6mT1AoSFJO8F+Q55OqQ+p0=,tag:DIi1TbuHHrWZfrPixu4tOw==,type:str] attic_token: ENC[AES256_GCM,data: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,iv:V70uGJmhe1yZ9iKk0DX3dmtiFDLs2lBBxu/ik2D+m7A=,tag:gehDQTppsgxM1wJG8F9lfg==,type:str] sops: age: @@ -21,7 +21,7 @@ sops: eWFYMlY1MmEvWjVid2NJTmFMK0FXWWcKOtUk1kcSTj5UOBLESMwQLG+LtIDwUtMz l5k02Zw2whQh6IrAqXhJSUpT6AiXSoYtcy5nNjZsoC53xsfLfu97kA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T18:19:28Z" - mac: ENC[AES256_GCM,data:ochFZs3Wk3rdTGWttPwSLEX+FD6+9Hz8156rbb55BD8Rhgy9Cn2ZeqtGF3vnYlQ4aMWa6SeAaNrHUKqS0g6og/rIH//esQsqvu+vzN1CwV81Z+XB3Xt2kL5l3dR6Jo//N3PGDyIMLAB7aLlztf5tYR4DkofE3wcQePFQXQJEJFI=,iv:rt47fTXobRye0RP/YK1m6FvLBGDOfO5GczwJPArUwzE=,tag:139mbYE78sRbmQiA574/qw==,type:str] + lastmodified: "2025-10-01T11:36:49Z" + mac: ENC[AES256_GCM,data:iZauHY/S5kLS6RMj0EfIbLOrT1sZ6oldREUVfnzhmzog9l/EBIVQoKTuAVfwkGSxn5BqVDhWhmcTZjgGyhhFEkAa51B1l+XhFRCB6WrNMh+Ks9vXg/IkBEKci1Pv4+lwkadEWGp+jXOB8lg+CwcWS4Mltg+IB1PRPf2V3NWluGc=,iv:u/FHeDeq1aefzf3t/NNI3VP/RRJ7XINiLvTWisXEkcM=,tag:9sfZZigb00gg/ZQIig5ylw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2