A NixOS module to run Jenkins, optimized specifically for running projects using Nix.
- Fully nixified
- Jenkins configuration declared in Nix (via configuration-as-code plugin)
- sops-nix for secrets management, for use in Jenkins credentials. Known limitation: only JSON format is supported.
- Jenkins plugins are managed by jenkinsPlugins2nix
- Isolated build agents
  - NixOS containers as build agents (runs in local node)
  - External SSH slaves (useful to run macOS build nodes)
- CI features as NixOS modules, encapsulated along with their associated groovy library for referencing in `Jenkinsfile`
  - `nix`: provides `nixCI` (using nixci) to build all flake outputs, and sets `env.FLAKE_OUTPUTS` to the list of outputs built.
    - Uses `--no-update-lock-file` (thus fails on out of sync `flake.lock` files)
    - Supports sub flakes (example) via nixci
    - Uses
  - `cachix`: provides `cachixPush` and `cachixUse` pipeline steps. `cachixPush` will push the `env.FLAKE_OUTPUTS` built by the `nix` feature
  - `docker`: provides `dockerPush` pipeline step
  - `githubApp`: provides Github integration for CI status reporting
To update the plugins, run `nix-prefetch-jenkins-plugins > nix/jenkins/plugins.nix`. `nix-prefetch-jenkins-plugins` must have been added to the devShell. See the aforementioned example.
We use sops-nix to manage secrets used by the individual CI features. Convert your SSH key (ed25519) to age, which sops uses. With macOS & 1Password, it would look like:

```sh
# Public age key, to be listed in .sops.yaml
nix run nixpkgs#ssh-to-age <<< "$(op read 'op://Personal/id_ed25519/public key')"
# Private age key, used locally by sops to encrypt/decrypt
nix run nixpkgs#ssh-to-age -- --private-key -i <(op read 'op://Personal/id_ed25519/actual private') > ~/.config/sops/age/keys.txt
# ^ $HOME/Library/Application\ Support/sops/age/keys.txt actually
```

You also want to get the host key (`ssh-keyscan localhost | ssh-to-age`) of the machine being deployed. Put both these public age keys in `.sops.yaml` of the repository.
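What the resulting `.sops.yaml` looks like, as an added illustration rather than a file from this repository. The two `age1...` values are placeholders for the personal key and the host key derived above, and the `secrets.json` path and `path_regex` are assumed; the rule is restricted to JSON files since that is the only format the module supports.

```yaml
# .sops.yaml (constructed example): which age recipients may decrypt which files.
# Both recipients must be listed, otherwise either your workstation (editing)
# or the deployed host (decrypting at activation) will be unable to read the secrets.
creation_rules:
  # Only match the JSON secrets file(s); the module does not support YAML/INI/binary.
  - path_regex: ^secrets/.*\.json$
    key_groups:
      - age:
          # Your personal key: output of `ssh-to-age <<< "<id_ed25519.pub>"`
          - age1PERSONALKEYPLACEHOLDER0000000000000000000000000000000000
          # Host key of the machine being deployed: `ssh-keyscan host | ssh-to-age`
          - age1HOSTKEYPLACEHOLDER00000000000000000000000000000000000000
```

After editing this file, run `sops updatekeys secrets/<file>.json` so that files encrypted earlier are re-encrypted for the new recipient set.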