builder: setup as jenkins node

2025-10-05 15:33:58 +02:00
parent d28c7d870c
commit 2dba549787
2 changed files with 63 additions and 6 deletions


@@ -1,7 +1,11 @@
# sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118 # sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118
# or # or
# deploy .#builder # deploy .#builder
{config, ...}: { {
config,
pkgs,
...
}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -11,6 +15,7 @@
networking.hostName = "builder"; networking.hostName = "builder";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
users.mutableUsers = false;
users.users.nix = { users.users.nix = {
isNormalUser = true; isNormalUser = true;
description = "Nix"; description = "Nix";
@@ -103,9 +108,28 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
# require public key authentication for better security # require public key authentication for better security
settings.PasswordAuthentication = true; settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
# Add older algorithms for jenkins ssh-agents-plugin to be compatible
settings.Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
settings.KexAlgorithms = [
"diffie-hellman-group-exchange-sha1"
"diffie-hellman-group14-sha1"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
}; };
users.users."root".openssh.authorizedKeys.keys = [ users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
@@ -203,7 +227,16 @@
url = "https://gitlab.julian-mutter.de"; url = "https://gitlab.julian-mutter.de";
name = "builder"; name = "builder";
tokenFile = config.sops.secrets."gitea_token".path; tokenFile = config.sops.secrets."gitea_token".path;
labels = []; # use default labels labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# devenv
"devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
# provide native execution on the host
"nixos:host"
];
}; };
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
@@ -274,4 +307,28 @@
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
]; ];
}; };
### Jenkins node
users.users.jenkins = {
createHome = true;
home = "/var/lib/jenkins";
group = "jenkins";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
];
packages = with pkgs; [
git
devenv
];
extraGroups = [
"docker"
];
};
users.groups.jenkins = {};
programs.java = {
enable = true;
package = pkgs.jdk21; # Same as jenkins version on home
};
} }
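Review bot: The `settings.KexAlgorithms` list in the third hunk adds `diffie-hellman-group-exchange-sha1` and `diffie-hellman-group14-sha1`, which are SHA-1-based key exchanges, and because KEX is negotiated by the client before any user is known they apply to every connection sshd accepts (including the `PermitRootLogin = "yes"` path kept as context), not only to the Jenkins agent; a `Match User jenkins` block cannot scope them, since KexAlgorithms is not a Match-able keyword. The list already offers `diffie-hellman-group-exchange-sha256` and the curve25519 variants, so it is worth confirming from the agent log or sshd at `LogLevel VERBOSE` which method the ssh-agents-plugin actually negotiates and removing whichever SHA-1 entries it does not need; the non-etm `hmac-sha2-*` MACs are a much smaller concern. At minimum the comment should say so, e.g. `# Add older algorithms for jenkins ssh-agents-plugin to be compatible; the *-sha1 KEX entries are global (not per-user) and should be dropped once the agent negotiates sha256/curve25519`. Separately, in the last hunk `extraGroups = [ "docker" ]` on `users.users.jenkins` gives the Jenkins agent root-equivalent control of the host through the docker socket, which is presumably intended for the `devenv`/docker labels but deserves a comment stating that trust boundary.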
