buildbot: add support for remote builders via baremetal machines
For now, only builder-3 is used. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
parent
e00d0331ec
commit
da7175303c
5 changed files with 45 additions and 1 deletions
|
@ -28,6 +28,7 @@
|
|||
bagel.services.buildbot = {
|
||||
enable = true;
|
||||
domain = "buildbot.forkos.org";
|
||||
builders = [ "builder-3" ];
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
|
|
@ -21,6 +21,7 @@ let
|
|||
buildbot-service-key = [ machines.buildbot ];
|
||||
# Signing key for Buildbot's specific cache
|
||||
buildbot-signing-key = [ machines.buildbot ];
|
||||
buildbot-remote-builder-key = [ machines.buildbot ];
|
||||
|
||||
# These are the same password, but nginx wants it in htpasswd format
|
||||
metrics-push-htpasswd = [ machines.meta01 ];
|
||||
|
|
BIN
secrets/buildbot-remote-builder-key.age
Normal file
BIN
secrets/buildbot-remote-builder-key.age
Normal file
Binary file not shown.
|
@ -28,7 +28,19 @@ in
|
|||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
|
||||
];
|
||||
};
|
||||
nix.settings.trusted-users = [ "builder" ];
|
||||
|
||||
users.users.buildbot = {
|
||||
isSystemUser = true;
|
||||
group = "nogroup";
|
||||
home = "/var/empty";
|
||||
shell = "/bin/sh";
|
||||
openssh.authorizedKeys.keys = [
|
||||
# Do not hardcode Buildbot's public key, selectively
|
||||
# add the keys of the coordinators that require us.
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
|
||||
];
|
||||
};
|
||||
nix.settings.trusted-users = [ "builder" "buildbot" ];
|
||||
|
||||
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
|
|
|
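Review bot: Listing `buildbot` in `nix.settings.trusted-users` makes whoever holds the coordinator's private key effectively root on this builder, because Nix treats trusted users as root-equivalent, and the account also gets `/bin/sh` with an unrestricted `authorized_keys` entry. If the coordinator only ever connects over `ssh-ng`, the key line could carry OpenSSH options to narrow it, for example `"restrict,command=\"nix-daemon --stdio\" ssh-ed25519 <coordinator key>"`; this should be tested against the remote-build path before relying on it. A comment above the trusted-users line, such as `# buildbot is trusted for remote builds; treat its SSH key as root on this host`, would record the trade-off. The existing comment says not to hardcode Buildbot's public key while the next line does exactly that, so it reads as an unfinished TODO and could say so explicitly. The enclosing attribute set starts before this hunk.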
@ -8,6 +8,7 @@
|
|||
let
|
||||
cfg = config.bagel.services.buildbot;
|
||||
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
|
||||
ssh-keys = import ../../common/ssh-keys.nix;
|
||||
inherit (lib) mkEnableOption mkOption mkIf types;
|
||||
in
|
||||
{
|
||||
|
@ -16,6 +17,12 @@ in
|
|||
domain = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
builders = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = "List of builders to configure for Buildbot";
|
||||
example = [ "builder-2" "builder-3" ];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
@ -25,6 +32,7 @@ in
|
|||
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
|
||||
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
|
||||
age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
|
||||
age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
|
||||
|
||||
services.nginx.virtualHosts.${cfg.domain} = {
|
||||
forceSSL = true;
|
||||
|
@ -94,6 +102,28 @@ in
|
|||
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
|
||||
};
|
||||
|
||||
nix.distributedBuilds = true;
|
||||
nix.buildMachines = map (n: {
|
||||
hostName = nodes.${n}.config.networking.fqdn;
|
||||
protocol = "ssh-ng";
|
||||
# Follows Hydra.
|
||||
maxJobs = 8;
|
||||
sshKey = config.age.secrets.buildbot-remote-builder-key.path;
|
||||
sshUser = "buildbot";
|
||||
systems = [ "x86_64-linux" ];
|
||||
supportedFeatures = nodes.${n}.config.nix.settings.system-features;
|
||||
# TODO: fix it, see the Hydra file about it.
|
||||
# IFD already exist in NixOS, so it's fine, I guess.
|
||||
publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
|
||||
buildInputs = [
|
||||
pkgs.coreutils
|
||||
];
|
||||
} ''
|
||||
echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
|
||||
'');
|
||||
}
|
||||
) cfg.builders;
|
||||
|
||||
nix.settings.keep-derivations = true;
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
|
|
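Review bot: In the last hunk the `publicHostKey` build script splices `ssh-keys.machines.${n}` into a single-quoted shell string, so a key entry containing a `'` (for instance in its comment field) would end the quoting and be interpreted as shell when the derivation is built during evaluation. The values come from the repository's own `ssh-keys.nix`, so this is a hygiene point rather than an exposed input, but `echo -n ${lib.escapeShellArg ssh-keys.machines.${n}} | base64 -w0 > $out` removes the dependency on the key's contents, and `lib` is already in scope. The `# TODO: fix it` comment would help more if it named the problem, e.g. `# TODO: publicHostKey wants the base64 of the host key line; computed via IFD for now, replace with a pure-Nix encoding`. `systems` is hard-coded to `x86_64-linux` while `supportedFeatures` is read from the node, so a non-x86 name in `cfg.builders` would be advertised with the wrong platform; `systems = [ nodes.${n}.config.nixpkgs.hostPlatform.system ];` would keep the two consistent.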