{ config, inputs, ... }: let buildbotSecrets.sopsFile = ./secrets.yaml; in { imports = [ inputs.buildbot-nix.nixosModules.buildbot-master ]; services.nginx.virtualHosts."buildbot.nix-community.org" = { enableACME = true; forceSSL = true; }; services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:8011/metrics" ]; sops.secrets.github-oauth-secret = buildbotSecrets; sops.secrets.github-token = buildbotSecrets; sops.secrets.github-webhook-secret = buildbotSecrets; sops.secrets.nix-workers = buildbotSecrets; services.buildbot-nix.master = { enable = true; buildSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; domain = "buildbot.nix-community.org"; prometheusExporterPort = 8011; evalMaxMemorySize = "4096"; evalWorkerCount = 8; workersFile = config.sops.secrets.nix-workers.path; github = { tokenFile = config.sops.secrets.github-token.path; webhookSecretFile = config.sops.secrets.github-webhook-secret.path; oauthSecretFile = config.sops.secrets.github-oauth-secret.path; oauthId = "9bbd3e8bbfebb197d2ca"; user = "nix-community-buildbot"; admins = [ "adisbladis" "Mic92" "ryantm" "zimbatm" "zowoq" ]; topic = "nix-community-buildbot"; }; }; sops.secrets.cachix-auth-token = buildbotSecrets; sops.secrets.cachix-name = buildbotSecrets; systemd.services.buildbot-master.serviceConfig.LoadCredential = [ "cachix-auth-token:${config.sops.secrets.cachix-auth-token.path}" "cachix-name:${config.sops.secrets.cachix-name.path}" ]; }