From d3afa7f13d3f2ef1b70047ca4cd6978cf4b798d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 30 Apr 2024 13:17:19 +0200
Subject: [PATCH] add buildbot
---
 flake.lock | 27 ++++++++++++++++++++++++++
 flake.nix | 7 ++++++-
 modules/buildbot.nix | 42 ++++++++++++++++++++++++++++++++++++++++
 modules/flake-module.nix | 6 ++++++
 4 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 modules/buildbot.nix
diff --git a/flake.lock b/flake.lock
index d1e1e24..60293de 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,31 @@
 {
 "nodes": {
+ "buildbot-nix": {
+ "inputs": {
+ "flake-parts": [
+ "flake-parts"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "treefmt-nix": [
+ "treefmt-nix"
+ ]
+ },
+ "locked": {
+ "lastModified": 1714469730,
+ "narHash": "sha256-jdTHiOGnqo9S4lzSPsGZECUIePrOE0/COCCP4lzBW9A=",
+ "owner": "Mic92",
+ "repo": "buildbot-nix",
+ "rev": "508ceb885636a0a949793f5c7924091b532fa10f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "buildbot-nix",
+ "type": "github"
+ }
+ },
 "clan-core": {
 "inputs": {
 "disko": "disko",
@@ -148,6 +174,7 @@
 },
 "root": {
 "inputs": {
+ "buildbot-nix": "buildbot-nix",
 "clan-core": "clan-core",
 "disko": "disko_2",
 "flake-parts": "flake-parts",
diff --git a/flake.nix b/flake.nix
index bbe4db7..69604e2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,11 +24,16 @@
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
- clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse";
+ clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=error-handling";
 clan-core.inputs.flake-parts.follows = "flake-parts";
 clan-core.inputs.nixpkgs.follows = "nixpkgs";
 clan-core.inputs.treefmt-nix.follows = "treefmt-nix";
 clan-core.inputs.sops-nix.follows = "sops-nix";
+
+ buildbot-nix.url = "github:Mic92/buildbot-nix";
+ buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
+ buildbot-nix.inputs.flake-parts.follows = "flake-parts";
+ buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix";
 };
 outputs = inputs@{ flake-parts, ... }:
diff --git a/modules/buildbot.nix b/modules/buildbot.nix
new file mode 100644
index 0000000..2135239
--- /dev/null
+++ b/modules/buildbot.nix
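Review bot: The `clan-core.url` line moves the input from `ref=synapse` to `ref=error-handling`, which the subject "add buildbot" does not mention, and the flake.lock hunks in this patch only add the `buildbot-nix` node (27 insertions, nothing touching `clan-core`). If the locked `clan-core` node still records the old ref, flake.lock no longer matches flake.nix and the next evaluation will re-resolve the input to whatever the branch head is at that moment rather than to a reviewed revision. Either drop the ref change from this commit or commit the re-locked `clan-core` node together with it. Both `clan-core` and `buildbot-nix` follow a moving branch, so the revision in flake.lock is the only pin; a comment such as `# feature branch, pinned only via flake.lock; switch back once merged` above the URL would make that explicit.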
@@ -0,0 +1,42 @@
+{ config, ... }:
+{
+ services.buildbot-nix.master = {
+ enable = true;
+ # Domain name under which the buildbot frontend is reachable
+ domain = "buildbot.clan.lol";
+ # The workers file configures credentials for the buildbot workers to connect to the master.
+ # "name" is the configured worker name in services.buildbot-nix.worker.name of a worker
+ # (defaults to the hostname of the machine)
+ # "pass" is the password for the worker configured in `services.buildbot-nix.worker.workerPasswordFile`
+ # "cores" is the number of cpu cores the worker has.
+ # The number must match as otherwise potentially not enought buildbot-workers are created.
+ workersFile = config.sops.secrets.buildbot-workers-file.path;
+
+ gitea = {
+ enable = true;
+ instanceUrl = "https://git.clan.lol";
+ oauthSecretFile = config.sops.secrets.oauth-secret-file.path;
+ oauthId = "adb3425c-490f-4558-9487-8f8940d2925b";
+ topic = "buildbot-clan";
+ };
+
+ # optional nix-eval-jobs settings
+ evalWorkerCount = 10; # limit number of concurrent evaluations
+ evalMaxMemorySize = "4096"; # limit memory usage per evaluation
+ };
+
+ # Optional: Enable acme/TLS in nginx (recommended)
+ services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = {
+ forceSSL = true;
+ useACME = true;
+ };
+
+ services.buildbot-nix.worker = {
+ enable = true;
+ workerPasswordFile = config.sops.secrets.buildbot-worker-password-file.path;
+ };
+
+ sops.secrets.oauth-secret-file = { };
+ sops.secrets.workers-file = { };
+ sops.secrets.worker-password-file = { };
+}
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 1605dd0..f56d5c5 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -15,6 +15,12 @@
 ./initrd-networking.nix
 ];
+ buildbot.imports = [
+ inputs.buildbot-nix.nixosModules.master
+ inputs.buildbot-nix.nixosModules.worker
+ ./buildbot.nix
+ ];
+
 web01.imports = [
 self.nixosModules.server
 inputs.srvos.nixosModules.mixins-nginx
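Review bot: The secret names read from `config.sops.secrets` do not match the declarations at the bottom of modules/buildbot.nix: `workersFile` uses `buildbot-workers-file` and `workerPasswordFile` uses `buildbot-worker-password-file`, while the file declares `sops.secrets.workers-file` and `sops.secrets.worker-password-file`; only `oauth-secret-file` lines up. Unless the prefixed names are declared elsewhere, evaluation stops on the missing attribute, so the declarations should read `sops.secrets.buildbot-workers-file = { };` and `sops.secrets.buildbot-worker-password-file = { };`. In the nginx block, `useACME` is, as far as I know, not an option of `services.nginx.virtualHosts.<name>`; the NixOS option is `enableACME = true;`, so the vhost as written would not evaluate and would not obtain a certificate. The empty `{ }` declarations also leave owner and mode at the sops-nix defaults, so confirm the buildbot master and worker services can read their files without the permissions being widened.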
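Review bot: The `buildbot` import list in modules/flake-module.nix always pulls in both `nixosModules.master` and `nixosModules.worker`, and `./buildbot.nix` enables both, so every host using it runs CI builds on the same machine that holds the OAuth secret and the workers file. If the repositories carrying the `buildbot-clan` topic are not fully trusted, consider splitting this into separate master and worker import lists so the workers can live on a different host. At minimum a comment such as `# master and worker share one host; master secrets must stay unreadable to the worker user` above `buildbot.imports` would document the assumption. The `web01.imports` list continues outside the hunk.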