os/hosts/nougat-2/concourse.nix

# Concourse CI for host nougat-2.
#
# On the host: agenix-managed secrets owned by a dedicated `concourse` service
# account with pinned uid/gid, a tmpfiles rule for the database directory and an
# activation script that creates the OCI network. The Concourse web/worker and
# its PostgreSQL database run as OCI containers inside the NixOS container
# `containers.concourse`.
{
  config,
  lib,
  pkgs,
  self,
  ...
}: let
  pubsolarDomain = import ./pubsolar-domain.nix;

  # Every secret is an age file below ${self}/secrets, decrypted with mode 600
  # and owned by the concourse user.
  mkSecret = name: {
    file = "${self}/secrets/${name}.age";
    mode = "600";
    owner = "concourse";
  };

  # Key files that are mounted into the Concourse container under /keys.
  keyNames = [
    "concourse-session-signing-key"
    "concourse-worker-key"
    "concourse-tsa-host-key"
  ];

  # Env-file style secrets (handed to the OCI containers via environmentFiles)
  # followed by the key files above.
  secretNames =
    [
      "concourse-secrets"
      "concourse-db-secrets"
    ]
    ++ keyNames;

  # Decrypted location of a declared agenix secret. NOTE(review): `config` is
  # this host module's argument, so these are host paths even where they are
  # used inside `containers.concourse.config` below; the container config is a
  # plain attrset, not a module function with its own `config`.
  secretPath = name: config.age.secrets.${name}.path;

  # "<secret path>:/keys/<target>" volume spec for one key file.
  keyVolume = secret: target: "${secretPath secret}:/keys/${target}";

  # OCI backend (docker or podman) chosen on the host, and its CLI binary.
  ociBackend = config.virtualisation.oci-containers.backend;
  ociBin = "${pkgs.${ociBackend}}/bin/${ociBackend}";
in {
  # One age.secrets entry per name in secretNames, all with the mkSecret shape.
  age.secrets = lib.genAttrs secretNames mkSecret;

  users = {
    users.concourse = {
      description = "Concourse Service";
      home = "/var/lib/concourse";
      useDefaultShell = true;
      group = "concourse";
      isSystemUser = true;
    };
    groups = {
      concourse = {};
      postgres = {};
    };
  };

  # Pinned ids; the concourse OCI container below runs as this uid, and the
  # postgres container as the NixOS-assigned postgres uid.
  ids = {
    uids.concourse = 995;
    gids.concourse = 995;
  };

  # Database directory on the host (group-writable for postgres, no world access).
  systemd.tmpfiles.rules = [
    "d '/data/concourse/db' 0770 root postgres - -"
  ];

  # Idempotently create the user-defined OCI network both containers join.
  system.activationScripts.mkConcourseNet = ''
    ${ociBin} network inspect concourse-net >/dev/null 2>&1 || ${ociBin} network create concourse-net --subnet 172.20.0.0/24
  '';

  containers.concourse = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.0";
    localAddress = "192.168.107.0";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::7";

    bindMounts = let
      keycloakDbSecret = secretPath "keycloak-database-password";
    in {
      # Database storage, backed by the tmpfiles-created host directory.
      "/var/lib/postgresql/14" = {
        hostPath = "/data/concourse/db";
        isReadOnly = false;
      };
      # NOTE(review): keycloak-database-password is not declared in this file's
      # age.secrets and neither OCI container below references it — confirm it
      # is still needed here. Conversely the concourse-* secret paths used below
      # are not bind-mounted; verify they resolve inside the container.
      "${keycloakDbSecret}" = {
        hostPath = "${keycloakDbSecret}";
        isReadOnly = true;
      };
    };

    config = {
      networking.nameservers = ["1.1.1.1"];

      virtualisation.oci-containers.containers = {
        "concourse-db" = {
          image = "postgres:14";
          autoStart = true;
          user = toString config.ids.uids.postgres;
          volumes = [
            "/data/concourse/db:/var/lib/postgresql/data"
          ];
          extraOptions = [
            "--network=concourse-net"
          ];
          # Database credentials come from the age-encrypted env file only.
          environmentFiles = [
            (secretPath "concourse-db-secrets")
          ];
        };

        concourse = {
          image = "concourse/concourse:7.9.1";
          autoStart = true;
          user = toString config.ids.uids.concourse;
          # Web UI / API on 8080. NOTE(review): this is plain HTTP while
          # CONCOURSE_EXTERNAL_URL is https, so something in front presumably
          # terminates TLS — confirm.
          ports = [
            "8080:8080"
          ];
          dependsOn = ["concourse-db"];
          extraOptions = [
            "--network=concourse-net"
          ];
          volumes = [
            (keyVolume "concourse-session-signing-key" "session_signing_key")
            (keyVolume "concourse-worker-key" "worker_key")
            (keyVolume "concourse-tsa-host-key" "tsa_host_key")
          ];
          environment = {
            CONCOURSE_EXTERNAL_URL = "https://ci.${pubsolarDomain}";
            # NOTE(review): a literal credential here ends up in the
            # world-readable Nix store; supplying CONCOURSE_ADD_LOCAL_USER
            # through the concourse-secrets env file instead would keep it out
            # of the store — check whether that file already sets it.
            CONCOURSE_ADD_LOCAL_USER = "crew:changeme";
            CONCOURSE_MAIN_TEAM_LOCAL_USER = "crew";
            # instead of relying on the default "detect"
            CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "overlay";
            # NOTE(review): "allow" and a "*" policy disable the framing
            # (clickjacking) and CSP protections Concourse ships with; confirm
            # a specific embedding origin cannot be used instead.
            CONCOURSE_X_FRAME_OPTIONS = "allow";
            CONCOURSE_CONTENT_SECURITY_POLICY = "*";
            CONCOURSE_CLUSTER_NAME = "pub.solar";
            # Resolver used by build containers (not the container's own nameserver).
            CONCOURSE_WORKER_CONTAINERD_DNS_SERVER = "8.8.8.8";
            # Paths of the key files mounted via `volumes` above.
            CONCOURSE_SESSION_SIGNING_KEY = "/keys/session_signing_key";
            CONCOURSE_TSA_HOST_KEY = "/keys/tsa_host_key";
            CONCOURSE_TSA_AUTHORIZED_KEYS = "/keys/worker_key";
            # For ARM-based machine, change the Concourse runtime to "houdini"
            CONCOURSE_WORKER_RUNTIME = "containerd";
          };
          # Remaining Concourse configuration (secrets) from the age-encrypted env file.
          environmentFiles = [
            (secretPath "concourse-secrets")
          ];
        };
      };
    };
  };
}