services/buildbot: init

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

common/base-server.nix

@@ -25,7 +25,7 @@
   nix.gc = {
     automatic = true;
     persistent = true;
-    dates = "daily";
+    dates = lib.mkDefault "daily";
     options = "--delete-older-than 30d";
   };
 

flake.lock

@@ -64,11 +64,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1715022238,
-        "narHash": "sha256-sDD6WWJXJ/1j07aQE0RAUlrQBekXABtEKm7gtaTN45w=",
+        "lastModified": 1721229951,
+        "narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=",
         "ref": "refs/heads/refactor",
-        "rev": "d5e3345097cdda5c74bccddb27abb5b5c84eff5b",
-        "revCount": 257,
+        "rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a",
+        "revCount": 262,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
       },

secrets.nix

@@ -13,6 +13,15 @@ let
     loki-environment = [ machines.meta01 ];
     gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
 
+    buildbot-worker-password = [ machines.buildbot ];
+    buildbot-oauth-secret = [ machines.buildbot ];
+    buildbot-workers = [ machines.buildbot ];
+    # Private SSH key to Gerrit
+    # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
+    buildbot-service-key = [ machines.buildbot ];
+    # Signing key for Buildbot's specific cache
+    buildbot-signing-key = [ machines.buildbot ];
+
     # These are the same password, but nginx wants it in htpasswd format
     metrics-push-htpasswd = [ machines.meta01 ];
     metrics-push-password = builtins.attrValues machines;

secrets/buildbot-oauth-secret.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 87T2Ig vfLpqc38U9RwGG1QmSSl5YTXcOU0eoTrpmBjVpP+9xE
+XbCUtuC9G9zSyVIgUmH0TO2sdH/3YjAf1erstVAUnHQ
+-> ssh-ed25519 K3b7BA zk89m8PXhx59Jf7ovoSvASaaOZqMQxiGMEB/ZF2iFFs
+pCfQv3PRw0IMjjXnjTxasVaAZVdfrRhmiRDVK3Pr2GI
+-> ssh-ed25519 +qVung ry8P1mOJwSHAXk9XaNGOLRLH2Q6QIxTueoBz+IcS/0M
+q9JsGjlS7HQqscAvOO2aSWlH3ruQC5ozDCkDBwp7g0o
+-> ssh-rsa krWCLQ
+DG2BpVdLziPUuo2HJfzDg/+aqugaOTfmVV+hEFjRV/B9pX90WnLCxp0lNpeNpTdU
+v889q7ojKs6jHuJGsUwUPy29Jn9PHOecE/gpcRTt6BI4/2JiwF2brLV+dVbWSOEv
+6lf9ecjmbJ/vbHnh94Aqa6kfBREazsZSYPGTAwNdcOdHRsoiK1PKCJmxPvZnfGuY
+o6144GTqTIGnxvbdlJ7XPzS8KEoP0SfPb2PFhfq6+z4JPdm116rhXIErPZNcQynP
+y0f/TRJPSu5QZ2YzZmwyBTpUqSQx1MWrY/5T3e0cCLY6d2E6evbnPb8eauJl3XHd
+I/kqqFKigixDBUPNlwW19Q
+-> ssh-ed25519 /vwQcQ Q1589zmSRC/Wvgi1TUfsr6itT7QvBpqsNteNmPhHtHs
+Gt3/5u8NW8dcJubLZuiBQjwPIfLNbFQNIAk5+MIoSo0
+-> ssh-ed25519 0R97PA j2DEcmdRz8hOGvkwn6r/6vqPTdNo2AtZKSAjBdQ2n1Y
++w7ky1+gP0O93DXeADjMdBu43Dxno1meh7idgjNdojg
+--- 2exgH3r1FIdc2mrQEC0XQmqO3r1bfKZdjWZttrilThE
+œ]†‰,A`ç‚Øõ€ýï`ã…Š'&±T£ÇöŸ¸}q1à\K”ðì°7íKÏ'KóßÞ`lx›³‡F
i¸ì#÷

secrets/buildbot-worker-password.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 87T2Ig y4P08L2yYSjVcWdbRCqWSCM+WcgqXpxOwr1Ip2Ipd3Q
+7C/3MXVbAX0HIdEULKu0bc9q2U+4mPDiDb2l5rRwBI4
+-> ssh-ed25519 K3b7BA wl46ZMqLHMOTG3RojLVgwC2hskjUJWUGZ4h9dwBYaws
+xxrJQ8Ws1evKgfKej8WwbucuArULWNtCdMlSDdVNe6E
+-> ssh-ed25519 +qVung 4fix0OAAyW/34W1HVfc5ivIr8ijqNz0Vz8oWaSY2lyk
+8ZAguZR31I0hysn265ELYeYwrLiDx07BepG0w1R8uhU
+-> ssh-rsa krWCLQ
+vRU5uF64cQZwJrGr0oBRBJFo2mr30pz6yhXwEm4BJjKt/yCCikggPUFTW/KOjnqZ
+JcUoLpeDVIk3+FBJl4p3PVRn1pjRUve4vEcNAEjmkVgBwiZWtpfE6vVLn5pIvm+A
+nwybTTwMJomDTLDsMOq0Ur+S3rw4Nb6ADqDKhmjlmlaSlTqxUmZoznQduoSSINI/
+VJw/+VjwFxsMxdD5swxEAcrDk2rKoQLrfO83PO3HNMX5SmYHHYEaWB0/YeLgvi8a
+4OBueRKLWOiy2WUCqtxiQG5XYGYNdgOKIeNLnPNH6RRwFoBz7Zmn2uuQjmysY9h8
+lryoR6quxdOTRTL2WwGPAw
+-> ssh-ed25519 /vwQcQ 8sOHrthroDrjuL14hij7sPiK9BGlOLzKG1pBe5+HMFw
+vQqm96T/H5tINHJxnfi6DYm9YO9UAaj8etmk7K0GJ7U
+-> ssh-ed25519 0R97PA Dd3db0zh0/ZUsm3UgsWRbGz9mVvm8s3W2HQkjTM6L3k
+/+IRsPs2KoqEYnxmFoKmNc/00jOesKXv33rO4Yx+l68
+--- jPrqv7h6AGoqNl1LCOtzXvU4dKK2PnGsj/FqhstbSGw
+³»f+`Ï™+á½]&§w=ù¯:í$UQÀ7§ÁÀháÅK©¿U‚ÓÁ1_YßzËË0<C38B>%\<5C>N…Lë0oæö
½Þ¼‰Ï5~¥¼_
ÓZïã7xµ¤[ø\ú¤Úv[‹o

secrets/buildbot-workers.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 87T2Ig arwhM8DLVpft4PdPw4A6ZoPk5KqXORhE9iDG6etDOzk
+ZVNgF/J3YiCTj2lq2280vU95pX36cpH+sT/wRjmExHk
+-> ssh-ed25519 K3b7BA fBr1rUtTQVs0LLSR6RVX1eJBEpYs3COyJITpGm4ngi0
+jfYyrD/0gh1QCAq8SnsWjUQin3g21NEgCQAlCc6uQ9g
+-> ssh-ed25519 +qVung cJEfk9HdCsdVmuhI7OAgWsly4P5o/n9JbPRtsDZ2FVY
+MJvfsbd9+pbhG1BwF4xVafqu+LvPy3geN7n9MALFP68
+-> ssh-rsa krWCLQ
+PuiiAwETSr4SDb4XOtn6AECDJedzd3KfTAsjrq3giwCrjfSqYeTpBaH8mhf4t5D5
+fAXHtIoChcZNb1dhxQtP0r4A4cy1faf87XGkOwAeikFv9S8cMjjgZ71sX8g8Srp/
+Mjla0+5CVGRsUMcev/t9uMj04qHDtr7swbjLoOPwvCQBUWHZrOA/Fq/T2g9qU32g
+YQgxtR3zzseb/vOFHzpWc6fkR8UO0j1H1hyFkJ1XkipeQ5UIwg0g57lsPkNXuZfI
+BbKzzg521HChK5ssibITLdtp6piwIpxHUxwSNpLXG8vbT33e24kFEeTZ0QX4NStl
+r6U4j3NL1lPChpdSIhy/2Q
+-> ssh-ed25519 /vwQcQ Q8Hxbxto0EN1odEFt/dNfeK1l4xSIO9lY/ewYpa1DgY
+4jeNmuwK4tvJzX62/x/1aq+L4R6dD61akUmo0+GCICc
+-> ssh-ed25519 0R97PA of4aEATYi3ad7nYvexirIErAWbsLOW1ijGPc/IETSCU
+qT/O8DIYaMm0MlvS9eVBSe2th16yDHODlT1VgF9iLDI
+--- rWScSs0yVovPOWI2zmDTIyLJdBIRlKIPu6jivzty7p8
+…ûê<EFBFBD>Ñdß}EmiêKCûy5žL`G×ßÑTÙZ^Q?g2Ì|×ò«S
+g2ÿ¶¤F`êà_´ÿjòl
ÈÐ1ÝGðˆf€ñW<C3B1>¾Æƒ0ÏùÀðÌ º¼çHÁ)á€
+{µ²‚µ\êí<^—#Jþg¤éJJ¹ˆ‡GßJøh>²2…<>´“G%<25>±ÅTra†B

services/buildbot/default.nix

@@ -0,0 +1,103 @@
+{
+  nodes,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.bagel.services.buildbot;
+  cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+  inherit (lib) mkEnableOption mkOption mkIf types;
+in
+{
+  options.bagel.services.buildbot = {
+    enable = mkEnableOption "Buildbot";
+    domain = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
+    age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
+    age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
+    age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
+    age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+
+    services.nginx.virtualHosts.${cfg.domain} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    services.buildbot-nix.worker = {
+      enable = true;
+      workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
+      # All credits to eldritch horrors for this beauty.
+      workerArchitectures =
+      {
+        # nix-eval-jobs runs under a lock, error reports do not (but are cheap)
+        other = 8;
+      } // (
+        lib.filterAttrs
+          (n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
+          (lib.zipAttrsWith
+            (_: lib.foldl' lib.add 0)
+            (lib.concatMap
+              (m: map (s: { ${s} = m.maxJobs; }) m.systems)
+              config.nix.buildMachines))
+        );
+    };
+
+    services.buildbot-nix.coordinator = {
+      enable = true;
+
+      inherit (cfg) domain;
+
+      oauth2 = {
+        name = "Lix";
+        clientId = "forkos-buildbot";
+        clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
+        resourceEndpoint = "https://identity.lix.systems";
+        authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+        tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+      };
+
+      workersFile = config.age.secrets.buildbot-workers.path;
+
+      allowedOrigins = [
+        "*.forkos.org"
+      ];
+
+      buildSystems = [
+        "x86_64-linux"
+      ];
+
+      gerrit = {
+        domain = cfgGerrit.canonicalDomain;
+        # Manually managed account…
+        # TODO: https://git.lix.systems/the-distro/infra/issues/69
+        username = "buildbot";
+        port = cfgGerrit.port;
+        privateKeyFile = config.age.secrets.buildbot-service-key.path;
+        projects = [
+          "buildbot-test"
+          "nixpkgs"
+          "infra"
+        ];
+      };
+
+      evalWorkerCount = 6;
+      evalMaxMemorySize = "4096";
+
+      signingKeyFile = config.age.secrets.buildbot-signing-key.path;
+    };
+
+    nix.settings.keep-derivations = true;
+    nix.gc = {
+      automatic = true;
+      dates = "hourly";
+    };
+  };
+}

services/default.nix

@@ -8,5 +8,6 @@
     ./postgres
     ./forgejo
     ./baremetal-builder
+    ./buildbot
   ];
 }