buildbot: add support for remote builders via baremetal machines

For now, only builder-3 is used.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

hosts/buildbot/default.nix

@@ -28,6 +28,7 @@
   bagel.services.buildbot = {
     enable = true;
     domain = "buildbot.forkos.org";
+    builders = [ "builder-3" ];
   };
 
   i18n.defaultLocale = "en_US.UTF-8";

secrets.nix

@@ -21,6 +21,7 @@ let
     buildbot-service-key = [ machines.buildbot ];
     # Signing key for Buildbot's specific cache
     buildbot-signing-key = [ machines.buildbot ];
+    buildbot-remote-builder-key = [ machines.buildbot ];
 
     # These are the same password, but nginx wants it in htpasswd format
     metrics-push-htpasswd = [ machines.meta01 ];

services/baremetal-builder/default.nix

@@ -28,7 +28,19 @@ in
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
       ];
     };
-    nix.settings.trusted-users = [ "builder" ];
+
+    users.users.buildbot = {
+      isSystemUser = true;
+      group = "nogroup";
+      home = "/var/empty";
+      shell = "/bin/sh";
+      openssh.authorizedKeys.keys = [
+        # Do not hardcode Buildbot's public key, selectively
+        # add the keys of the coordinators that require us.
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
+      ];
+    };
+    nix.settings.trusted-users = [ "builder" "buildbot" ];
 
 
     nixpkgs.hostPlatform = "x86_64-linux";

services/buildbot/default.nix

@@ -8,6 +8,7 @@
 let
   cfg = config.bagel.services.buildbot;
   cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+  ssh-keys = import ../../common/ssh-keys.nix;
   inherit (lib) mkEnableOption mkOption mkIf types;
 in
 {
@@ -16,6 +17,12 @@ in
     domain = mkOption {
       type = types.str;
     };
+
+    builders = mkOption {
+      type = types.listOf types.str;
+      description = "List of builders to configure for Buildbot";
+      example = [ "builder-2" "builder-3" ];
+    };
   };
 
   config = mkIf cfg.enable {
@@ -25,6 +32,7 @@ in
     age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
     age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
     age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+    age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
 
     services.nginx.virtualHosts.${cfg.domain} = {
       forceSSL = true;
@@ -94,6 +102,28 @@ in
       signingKeyFile = config.age.secrets.buildbot-signing-key.path;
     };
 
+    nix.distributedBuilds = true;
+    nix.buildMachines = map (n: {
+        hostName = nodes.${n}.config.networking.fqdn;
+        protocol = "ssh-ng";
+        # Follows Hydra.
+        maxJobs = 8;
+        sshKey = config.age.secrets.buildbot-remote-builder-key.path;
+        sshUser = "buildbot";
+        systems = [ "x86_64-linux" ];
+        supportedFeatures = nodes.${n}.config.nix.settings.system-features;
+        # TODO: fix it, see the Hydra file about it.
+        # IFD already exist in NixOS, so it's fine, I guess.
+        publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
+          buildInputs = [
+            pkgs.coreutils
+          ];
+        } ''
+          echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
+        '');
+      }
+    ) cfg.builders;
+
     nix.settings.keep-derivations = true;
     nix.gc = {
       automatic = true;