# NixOS module for the ForkOS Buildbot coordinator/worker host.
# It wires buildbot-nix to Gerrit and the Lix identity provider, and
# registers the configured builder nodes as remote Nix build machines.
{
  nodes,
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.bagel.services.buildbot;
  # Gerrit connection details are read from the gerrit01 node's own module
  # options, so domain and port stay in sync with that host.
  cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
  # SSH host keys of the machines in this deployment; used below to pin the
  # remote builders' host identity instead of trusting it on first connect.
  ssh-keys = import ../../common/ssh-keys.nix;
  inherit (lib) mkEnableOption mkOption mkIf types;
in
{
  options.bagel.services.buildbot = {
    enable = mkEnableOption "Buildbot";
    # Public hostname served by nginx and announced to buildbot-nix.
    domain = mkOption {
      type = types.str;
    };
    # Names of nodes (keys into `nodes` and into ssh-keys.machines) that
    # act as remote builders.
    builders = mkOption {
      type = types.listOf types.str;
      description = "List of builders to configure for Buildbot";
      example = [ "builder-2" "builder-3" ];
    };
  };

  config = mkIf cfg.enable {
    # Only HTTP and HTTPS are exposed through the firewall; everything else
    # goes through the nginx virtual host below.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # All credentials are agenix-encrypted; only the decrypted runtime paths
    # (config.age.secrets.<name>.path) are handed to the services below.
    age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
    age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
    age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
    age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
    age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
    age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;

    services.nginx.virtualHosts.${cfg.domain} = {
      forceSSL = true;
      enableACME = true;
      # CORS for the browser-side integration. Because credentials are
      # allowed, the origin must stay a single exact origin (never "*");
      # `always` also emits the headers on error responses.
      # NOTE(review): cl.forkos.org is presumably the Gerrit frontend — confirm
      # it matches cfgGerrit.canonicalDomain.
      extraConfig = ''
        add_header Access-Control-Allow-Credentials 'true' always;
        add_header Access-Control-Allow-Origin 'https://cl.forkos.org' always;
      '';
    };

    # Local worker process that executes the jobs scheduled by the coordinator.
    services.buildbot-nix.worker = {
      enable = true;
      workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
      # All credits to eldritch horrors for this beauty.
      # Per-system worker counts are derived from nix.buildMachines below:
      # maxJobs is summed per system, then restricted to the systems the
      # coordinator actually builds for.
      workerArchitectures =
        {
          # nix-eval-jobs runs under a lock, error reports do not (but are cheap)
          other = 8;
        } // (
          lib.filterAttrs
            (n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
            (lib.zipAttrsWith
              (_: lib.foldl' lib.add 0)
              (lib.concatMap
                (m: map (s: { ${s} = m.maxJobs; }) m.systems)
                config.nix.buildMachines))
        );
    };

    services.buildbot-nix.coordinator = {
      enable = true;

      inherit (cfg) domain;

      # Login via OpenID Connect against the lix-project realm of the Lix
      # identity provider; the client secret never appears in the Nix store.
      oauth2 = {
        name = "Lix";
        clientId = "forkos-buildbot";
        clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
        resourceEndpoint = "https://identity.lix.systems";
        authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
        tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
      };

      # Worker name/password pairs, kept encrypted alongside the other secrets.
      workersFile = config.age.secrets.buildbot-workers.path;

      # Origins buildbot-nix itself accepts; this is wider than the single
      # origin nginx advertises above.
      # NOTE(review): confirm how buildbot-nix matches this wildcard pattern.
      allowedOrigins = [
        "*.forkos.org"
      ];

      buildSystems = [
        "x86_64-linux"
      ];

      # Gerrit is polled/pushed over SSH with a dedicated service account key.
      gerrit = {
        domain = cfgGerrit.canonicalDomain;
        # Manually managed account…
        # TODO: https://git.lix.systems/the-distro/infra/issues/69
        username = "buildbot";
        port = cfgGerrit.port;
        privateKeyFile = config.age.secrets.buildbot-service-key.path;
        projects = [
          "buildbot-test"
          "nixpkgs"
          "infra"
        ];
      };

      evalWorkerCount = 6;
      # Passed as a string; the unit is not stated here — presumably MiB,
      # confirm against the buildbot-nix option.
      evalMaxMemorySize = "4096";

      # Key used to sign build outputs before they are served/pushed.
      signingKeyFile = config.age.secrets.buildbot-signing-key.path;
    };

    # Every node listed in cfg.builders becomes a remote Nix builder reached
    # over ssh-ng with the agenix-managed key.
    nix.distributedBuilds = true;
    nix.buildMachines = map (n: {
      hostName = nodes.${n}.config.networking.fqdn;
      protocol = "ssh-ng";
      # Follows Hydra.
      maxJobs = 8;
      sshKey = config.age.secrets.buildbot-remote-builder-key.path;
      sshUser = "buildbot";
      systems = [ "x86_64-linux" ];
      # Advertise exactly the features the builder node declares for itself.
      supportedFeatures = nodes.${n}.config.nix.settings.system-features;
      # TODO: fix it, see the Hydra file about it.
      # IFD already exist in NixOS, so it's fine, I guess.
      # nix.buildMachines expects publicHostKey base64-encoded; the key from
      # ssh-keys.nix is encoded by a local derivation so the builder's host
      # identity is pinned rather than learned on first connection.
      publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
        buildInputs = [
          pkgs.coreutils
        ];
      } ''
        echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
      '');
    }
    ) cfg.builders;

    # Derivations are kept so hourly GC does not remove what CI may rebuild.
    nix.settings.keep-derivations = true;
    nix.gc = {
      automatic = true;
      dates = "hourly";
    };
  };
}