forked from the-distro/infra
buildbot: add support for remote builders via baremetal machines
For now, only builder-3 is used. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
parent
e00d0331ec
commit
da7175303c
5 changed files with 45 additions and 1 deletions
|
@ -28,6 +28,7 @@
|
||||||
bagel.services.buildbot = {
|
bagel.services.buildbot = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "buildbot.forkos.org";
|
domain = "buildbot.forkos.org";
|
||||||
|
builders = [ "builder-3" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
|
@ -21,6 +21,7 @@ let
|
||||||
buildbot-service-key = [ machines.buildbot ];
|
buildbot-service-key = [ machines.buildbot ];
|
||||||
# Signing key for Buildbot's specific cache
|
# Signing key for Buildbot's specific cache
|
||||||
buildbot-signing-key = [ machines.buildbot ];
|
buildbot-signing-key = [ machines.buildbot ];
|
||||||
|
buildbot-remote-builder-key = [ machines.buildbot ];
|
||||||
|
|
||||||
# These are the same password, but nginx wants it in htpasswd format
|
# These are the same password, but nginx wants it in htpasswd format
|
||||||
metrics-push-htpasswd = [ machines.meta01 ];
|
metrics-push-htpasswd = [ machines.meta01 ];
|
||||||
|
|
BIN
secrets/buildbot-remote-builder-key.age
Normal file
BIN
secrets/buildbot-remote-builder-key.age
Normal file
Binary file not shown.
|
@ -28,7 +28,19 @@ in
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
nix.settings.trusted-users = [ "builder" ];
|
|
||||||
|
users.users.buildbot = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "nogroup";
|
||||||
|
home = "/var/empty";
|
||||||
|
shell = "/bin/sh";
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
# Do not hardcode Buildbot's public key, selectively
|
||||||
|
# add the keys of the coordinators that require us.
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
nix.settings.trusted-users = [ "builder" "buildbot" ];
|
||||||
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = "x86_64-linux";
|
nixpkgs.hostPlatform = "x86_64-linux";
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
let
|
let
|
||||||
cfg = config.bagel.services.buildbot;
|
cfg = config.bagel.services.buildbot;
|
||||||
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
|
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
|
||||||
|
ssh-keys = import ../../common/ssh-keys.nix;
|
||||||
inherit (lib) mkEnableOption mkOption mkIf types;
|
inherit (lib) mkEnableOption mkOption mkIf types;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -16,6 +17,12 @@ in
|
||||||
domain = mkOption {
|
domain = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
builders = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = "List of builders to configure for Buildbot";
|
||||||
|
example = [ "builder-2" "builder-3" ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
@ -25,6 +32,7 @@ in
|
||||||
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
|
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
|
||||||
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
|
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
|
||||||
age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
|
age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
|
||||||
|
age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
|
||||||
|
|
||||||
services.nginx.virtualHosts.${cfg.domain} = {
|
services.nginx.virtualHosts.${cfg.domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -94,6 +102,28 @@ in
|
||||||
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
|
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nix.distributedBuilds = true;
|
||||||
|
nix.buildMachines = map (n: {
|
||||||
|
hostName = nodes.${n}.config.networking.fqdn;
|
||||||
|
protocol = "ssh-ng";
|
||||||
|
# Follows Hydra.
|
||||||
|
maxJobs = 8;
|
||||||
|
sshKey = config.age.secrets.buildbot-remote-builder-key.path;
|
||||||
|
sshUser = "buildbot";
|
||||||
|
systems = [ "x86_64-linux" ];
|
||||||
|
supportedFeatures = nodes.${n}.config.nix.settings.system-features;
|
||||||
|
# TODO: fix it, see the Hydra file about it.
|
||||||
|
# IFD already exist in NixOS, so it's fine, I guess.
|
||||||
|
publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
|
||||||
|
buildInputs = [
|
||||||
|
pkgs.coreutils
|
||||||
|
];
|
||||||
|
} ''
|
||||||
|
echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
|
||||||
|
'');
|
||||||
|
}
|
||||||
|
) cfg.builders;
|
||||||
|
|
||||||
nix.settings.keep-derivations = true;
|
nix.settings.keep-derivations = true;
|
||||||
nix.gc = {
|
nix.gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
|
|
Loading…
Reference in a new issue