stonehenge: install marge bot and renovate bot

2026-02-13 20:40:27 -03:00 · 2026-02-13 20:40:27 -03:00 · afe1dc40fc
commit afe1dc40fc
parent b6415a9d8f
11 changed files with 894 additions and 2 deletions
--- a/hosts/stonehenge/default.nix
+++ b/hosts/stonehenge/default.nix
@ -12,6 +12,9 @@
    ./nebula-vpn.nix
    ./vagrant.nix

+    ./gitlab-marge-bot.nix
+    ./renovate-bot.nix
+
    ../../system/sops.nix
    ../../system/nix.nix
  ];
--- a/hosts/stonehenge/gitlab-marge-bot.nix
+++ b/hosts/stonehenge/gitlab-marge-bot.nix
@ -0,0 +1,41 @@
+{
+  config,
+  self,
+  pkgs,
+  ...
+}:
+
+let
+  s = config.sops.secrets;
+  cfg = config.services.marge-bot;
+
+  secretConfig = {
+    owner = cfg.user;
+    group = cfg.group;
+    sopsFile = ../../secrets/stonehenge/default.yaml;
+  };
+in
+{
+  services.marge-bot = {
+    enable = true;
+    package = self.packages.${pkgs.system}.marge-bot;
+    gitlabUrl = "https://gitlab.wopus.dev";
+    authTokenFile = s."gitlab-marge-bot/token".path;
+    sshKeyFile = s."gitlab-marge-bot/ssh-secret-key".path;
+    settings = {
+      ci-timeout = "60min";
+      add-part-of = true;
+      add-reviewers = true;
+      keep-reviewers = true;
+      keep-commits = true;
+      impersonate-approvers = true;
+
+      batch = true;
+      use-no-ff-batches = true;
+      skip-ci-batches = true;
+    };
+  };
+
+  sops.secrets."gitlab-marge-bot/token" = secretConfig;
+  sops.secrets."gitlab-marge-bot/ssh-secret-key" = secretConfig;
+}
--- a/hosts/stonehenge/renovate-bot.nix
+++ b/hosts/stonehenge/renovate-bot.nix
@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+let
+  cfg = config.services.renovate-bot;
+  s = config.sops.secrets;
+in
+{
+  services.renovate-bot = {
+    enable = true;
+    schedule = "*-*-* *:00:00";
+    logLevel = "info";
+
+    platform = "gitlab";
+    endpoint = "https://gitlab.wopus.dev/api/v4";
+    tokenFile = s."renovate-bot/token".path;
+    envFile = s."renovate-bot/env".path;
+
+    extraPackages = with pkgs; [
+      nodejs
+      rustc
+      cargo
+      php
+      phpPackages.composer
+    ];
+
+    settings = {
+      autodiscover = true;
+      labels = [ "renovate" ];
+      rebaseWhen = "conflicted";
+
+      cacheDir = "/var/lib/renovate-bot/cache";
+      persistRepoData = true;
+      prConcurrentLimit = 2;
+      branchConcurrentLimit = 2;
+    };
+  };
+
+  sops.secrets."renovate-bot/token" = {
+    owner = cfg.user;
+    group = cfg.group;
+    mode = "0400";
+    sopsFile = ../../secrets/stonehenge/default.yaml;
+  };
+  sops.secrets."renovate-bot/env" = {
+    owner = cfg.user;
+    group = cfg.group;
+    mode = "0400";
+    sopsFile = ../../secrets/stonehenge/default.yaml;
+  };
+}