builder: setup as jenkins node

2025-10-05 15:33:58 +02:00
parent d28c7d870c
commit 2dba549787
2 changed files with 63 additions and 6 deletions
--- a/hosts/builder/default.nix
+++ b/hosts/builder/default.nix
@@ -1,7 +1,11 @@
 # sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118
 # or
 # deploy .#builder
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
  imports = [
    ./hardware-configuration.nix

@@ -11,6 +15,7 @@
  networking.hostName = "builder";
  system.stateVersion = "23.11";

+  users.mutableUsers = false;
  users.users.nix = {
    isNormalUser = true;
    description = "Nix";
@@ -103,9 +108,28 @@
  services.openssh = {
    enable = true;
    # require public key authentication for better security
-    settings.PasswordAuthentication = true;
+    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "yes";
+    # Add older algorithms for jenkins ssh-agents-plugin to be compatible
+    settings.Macs = [
+      "hmac-sha2-512-etm@openssh.com"
+      "hmac-sha2-256-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+      "hmac-sha2-512"
+      "hmac-sha2-256"
+      "umac-128@openssh.com"
+    ];
+    settings.KexAlgorithms = [
+      "diffie-hellman-group-exchange-sha1"
+      "diffie-hellman-group14-sha1"
+      "mlkem768x25519-sha256"
+      "sntrup761x25519-sha512"
+      "sntrup761x25519-sha512@openssh.com"
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group-exchange-sha256"
+    ];
  };
  users.users."root".openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
@@ -203,7 +227,16 @@
    url = "https://gitlab.julian-mutter.de";
    name = "builder";
    tokenFile = config.sops.secrets."gitea_token".path;
-    labels = []; # use default labels
+    labels = [
+      # provide a debian base with nodejs for actions
+      "debian-latest:docker://node:18-bullseye"
+      # fake the ubuntu name, because node provides no ubuntu builds
+      "ubuntu-latest:docker://node:18-bullseye"
+      # devenv
+      "devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
+      # provide native execution on the host
+      "nixos:host"
+    ];
  };

  virtualisation.docker.enable = true;
@@ -274,4 +307,28 @@
      "/var/run/docker.sock:/var/run/docker.sock"
    ];
  };
+
+  ### Jenkins node
+  users.users.jenkins = {
+    createHome = true;
+    home = "/var/lib/jenkins";
+    group = "jenkins";
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
+    ];
+    packages = with pkgs; [
+      git
+      devenv
+    ];
+    extraGroups = [
+      "docker"
+    ];
+  };
+
+  users.groups.jenkins = {};
+  programs.java = {
+    enable = true;
+    package = pkgs.jdk21; # Same as jenkins version on home
+  };
 }