diff --git a/buildbot_nix/__init__.py b/buildbot_nix/__init__.py
index 6f2435c..c5673a4 100644
--- a/buildbot_nix/__init__.py
+++ b/buildbot_nix/__init__.py
@@ -597,15 +597,15 @@ def nix_build_config(
 factory=factory,
 )
-
-def read_secret_file(secret_name: str) -> str:
+def assemble_secret_file_path(secret_name: str) -> Path:
 directory = os.environ.get("CREDENTIALS_DIRECTORY")
 if directory is None:
 print("directory not set", file=sys.stderr)
 sys.exit(1)
- return Path(directory).joinpath(secret_name).read_text().rstrip()
-
+ return Path(directory).joinpath(secret_name)
+def read_secret_file(secret_name: str) -> str:
+ return assemble_secret_file_path(secret_name).read_text().rstrip()
 def config_for_project(
 config: dict[str, Any],
diff --git a/nix/coordinator.nix b/nix/coordinator.nix
index 06cd0c2..fe946e3 100644
--- a/nix/coordinator.nix
+++ b/nix/coordinator.nix
@@ -188,7 +188,7 @@ in
 home = "/var/lib/buildbot";
 extraImports = ''
 from datetime import timedelta
- from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config
+ from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config, assemble_secret_file_path
 # TODO(raito): make me configurable from the NixOS module.
 # how?
@@ -209,7 +209,7 @@ in
 "${cfg.gerrit.domain}",
 "${cfg.gerrit.username}",
 "${toString cfg.gerrit.port}",
- "${cfg.gerrit.privateKeyFile}",
+ assemble_secret_file_path('buildbot-service-private-key'),
 projects=${builtins.toJSON cfg.gerrit.projects},
 allowed_origins=${builtins.toJSON cfg.allowedOrigins},
 url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
@@ -269,6 +269,7 @@ in
 LoadCredential = [
 "buildbot-nix-workers:${cfg.workersFile}"
 "buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
+ "buildbot-service-private-key:${cfg.gerrit.privateKeyFile}"
 ];
 };
 };
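Review bot: `assemble_secret_file_path` in buildbot_nix/__init__.py joins `secret_name` onto the credentials directory without checking that it is a single file name, and the function is now exported for callers that want a path rather than the file's contents. `Path.joinpath` discards the base directory when given an absolute argument and keeps `..` segments, so a name taken from configuration could resolve outside `$CREDENTIALS_DIRECTORY`; the only caller visible in this commit passes a literal, so this is hardening rather than a demonstrated bug. A guard before the return, `if "/" in secret_name or secret_name in ("", ".", ".."): raise ValueError(f"invalid credential name: {secret_name!r}")`, would keep the result inside the directory. The function also has no docstring stating that it returns the path without checking that the file exists, and the "directory not set" message would be easier to act on if it named `CREDENTIALS_DIRECTORY`.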
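Review bot: In the `@@ -209,7 +209,7 @@` hunk of nix/coordinator.nix the private-key argument to `GerritNixConfigurator` changes from a string to a `pathlib.Path`, and the constructor is not shown in this commit, so whether it accepts a `Path` cannot be confirmed from here. If the value is later concatenated into an ssh command line or compared with a string, wrapping it as `str(assemble_secret_file_path('buildbot-service-private-key'))` keeps the previous type. The credential name `buildbot-service-private-key` is also spelled out a second time in the `LoadCredential` hunk; a mismatch would presumably only surface when the service starts, so a shared `let` binding or a comment tying the two together would help.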
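Review bot: The new `LoadCredential` entry in the `@@ -269,6 +269,7 @@` hunk interpolates `cfg.gerrit.privateKeyFile`, whose option declaration is outside this hunk. If that option accepts Nix path values, setting it with a path literal copies the key into the world-readable Nix store at evaluation time, and loading it as a systemd credential afterwards does not undo that. The option description should say that the value must be a string naming a file outside the store, for example with a comment such as `# must be a runtime path given as a string; a path literal is copied to /nix/store`.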