expose cachix options explictly
This commit is contained in:
mergify[bot]
parent
00f4ee3adf
commit
f56e43267d
|
|
@ -417,11 +417,25 @@ def nix_eval_config(
|
|||
)
|
||||
|
||||
|
||||
@dataclass
|
||||
class CachixConfig:
|
||||
name: str
|
||||
signing_key_secret_name: str | None = None
|
||||
auth_token_secret_name: str | None = None
|
||||
|
||||
def cachix_env(self) -> dict[str, str]:
|
||||
env = {}
|
||||
if self.signing_key_secret_name is not None:
|
||||
env["CACHIX_SIGNING_KEY"] = util.Secret(self.signing_key_secret_name)
|
||||
if self.auth_token_secret_name is not None:
|
||||
env["CACHIX_AUTH_TOKEN"] = util.Secret(self.auth_token_secret_name)
|
||||
return env
|
||||
|
||||
|
||||
def nix_build_config(
|
||||
project: GithubProject,
|
||||
worker_names: list[str],
|
||||
has_cachix_auth_token: bool = False,
|
||||
has_cachix_signing_key: bool = False,
|
||||
cachix: CachixConfig | None = None,
|
||||
outputs_path: Path | None = None,
|
||||
) -> util.BuilderConfig:
|
||||
"""
|
||||
|
|
@ -454,19 +468,15 @@ def nix_build_config(
|
|||
haltOnFailure=True,
|
||||
)
|
||||
)
|
||||
if has_cachix_auth_token or has_cachix_signing_key:
|
||||
if has_cachix_signing_key:
|
||||
env = dict(CACHIX_SIGNING_KEY=util.Secret("cachix-signing-key"))
|
||||
else:
|
||||
env = dict(CACHIX_AUTH_TOKEN=util.Secret("cachix-auth-token"))
|
||||
if cachix:
|
||||
factory.addStep(
|
||||
steps.ShellCommand(
|
||||
name="Upload cachix",
|
||||
env=env,
|
||||
env=cachix.cachix_env(),
|
||||
command=[
|
||||
"cachix",
|
||||
"push",
|
||||
util.Secret("cachix-name"),
|
||||
cachix.name,
|
||||
util.Interpolate("result-%(prop:attr)s"),
|
||||
],
|
||||
)
|
||||
|
|
@ -572,13 +582,13 @@ class GithubConfig:
|
|||
def config_for_project(
|
||||
config: dict[str, Any],
|
||||
project: GithubProject,
|
||||
credentials: str,
|
||||
worker_names: list[str],
|
||||
github: GithubConfig,
|
||||
nix_supported_systems: list[str],
|
||||
nix_eval_worker_count: int,
|
||||
nix_eval_max_memory_size: int,
|
||||
eval_lock: util.WorkerLock,
|
||||
cachix: CachixConfig | None = None,
|
||||
outputs_path: Path | None = None,
|
||||
) -> Project:
|
||||
config["projects"].append(Project(project.name))
|
||||
|
|
@ -635,12 +645,6 @@ def config_for_project(
|
|||
),
|
||||
]
|
||||
)
|
||||
has_cachix_auth_token = os.path.isfile(
|
||||
os.path.join(credentials, "cachix-auth-token")
|
||||
)
|
||||
has_cachix_signing_key = os.path.isfile(
|
||||
os.path.join(credentials, "cachix-signing-key")
|
||||
)
|
||||
config["builders"].extend(
|
||||
[
|
||||
# Since all workers run on the same machine, we only assign one of them to do the evaluation.
|
||||
|
|
@ -657,8 +661,7 @@ def config_for_project(
|
|||
nix_build_config(
|
||||
project,
|
||||
worker_names,
|
||||
has_cachix_auth_token,
|
||||
has_cachix_signing_key,
|
||||
cachix=cachix,
|
||||
outputs_path=outputs_path,
|
||||
),
|
||||
nix_skipped_build_config(project, [SKIPPED_BUILDER_NAME]),
|
||||
|
|
@ -756,6 +759,7 @@ class NixConfigurator(ConfiguratorBase):
|
|||
nix_eval_worker_count: int | None,
|
||||
nix_eval_max_memory_size: int,
|
||||
nix_workers_secret_name: str = "buildbot-nix-workers",
|
||||
cachix: CachixConfig | None = None,
|
||||
outputs_path: str | None = None,
|
||||
) -> None:
|
||||
super().__init__()
|
||||
|
|
@ -765,7 +769,7 @@ class NixConfigurator(ConfiguratorBase):
|
|||
self.nix_supported_systems = nix_supported_systems
|
||||
self.github = github
|
||||
self.url = url
|
||||
self.systemd_credentials_dir = os.environ["CREDENTIALS_DIRECTORY"]
|
||||
self.cachix = cachix
|
||||
if outputs_path is None:
|
||||
self.outputs_path = None
|
||||
else:
|
||||
|
|
@ -803,13 +807,13 @@ class NixConfigurator(ConfiguratorBase):
|
|||
config_for_project(
|
||||
config,
|
||||
project,
|
||||
self.systemd_credentials_dir,
|
||||
worker_names,
|
||||
self.github,
|
||||
self.nix_supported_systems,
|
||||
self.nix_eval_worker_count or multiprocessing.cpu_count(),
|
||||
self.nix_eval_max_memory_size,
|
||||
eval_lock,
|
||||
self.cachix,
|
||||
self.outputs_path,
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -36,12 +36,20 @@ in
|
|||
user = "mic92-buildbot";
|
||||
admins = [ "Mic92" ];
|
||||
};
|
||||
# optional
|
||||
# optional expose latest store path as text file
|
||||
# outputsPath = "/var/www/buildbot/nix-outputs";
|
||||
|
||||
# optional nix-eval-jobs settings
|
||||
# evalWorkerCount = 8; # limit number of concurrent evaluations
|
||||
# evalMaxMemorySize = "2048"; # limit memory usage per evaluation
|
||||
|
||||
# optional cachix
|
||||
#cachix = {
|
||||
# name = "my-cachix";
|
||||
# # One of the following is required:
|
||||
# signingKey = "/var/lib/secrets/cachix-key";
|
||||
# authToken = "/var/lib/secrets/cachix-token";
|
||||
#};
|
||||
};
|
||||
})
|
||||
buildbot-nix.nixosModules.buildbot-master
|
||||
|
|
|
|||
|
|
@ -15,6 +15,25 @@ in
|
|||
default = "postgresql://@/buildbot";
|
||||
description = "Postgresql database url";
|
||||
};
|
||||
cachix = {
|
||||
name = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Cachix name";
|
||||
};
|
||||
|
||||
signingKeyFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = "Cachix signing key";
|
||||
};
|
||||
|
||||
authTokenFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Cachix auth token";
|
||||
};
|
||||
};
|
||||
github = {
|
||||
tokenFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
|
|
@ -107,6 +126,13 @@ in
|
|||
isSystemUser = true;
|
||||
};
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
|
||||
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
|
||||
}
|
||||
];
|
||||
|
||||
services.buildbot-master = {
|
||||
enable = true;
|
||||
|
||||
|
|
@ -118,7 +144,7 @@ in
|
|||
home = "/var/lib/buildbot";
|
||||
extraImports = ''
|
||||
from datetime import timedelta
|
||||
from buildbot_nix import GithubConfig, NixConfigurator
|
||||
from buildbot_nix import GithubConfig, NixConfigurator, CachixConfig
|
||||
'';
|
||||
configurators = [
|
||||
''
|
||||
|
|
@ -132,9 +158,14 @@ in
|
|||
buildbot_user=${builtins.toJSON cfg.github.user},
|
||||
topic=${builtins.toJSON cfg.github.topic},
|
||||
),
|
||||
cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
|
||||
name=${builtins.toJSON cfg.cachix.name},
|
||||
signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
|
||||
auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
|
||||
"}),
|
||||
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
|
||||
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
|
||||
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toJSON cfg.evalWorkerCount},
|
||||
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
|
||||
nix_supported_systems=${builtins.toJSON cfg.buildSystems},
|
||||
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
|
||||
)
|
||||
|
|
@ -166,7 +197,11 @@ in
|
|||
"github-webhook-secret:${cfg.github.webhookSecretFile}"
|
||||
"github-oauth-secret:${cfg.github.oauthSecretFile}"
|
||||
"buildbot-nix-workers:${cfg.workersFile}"
|
||||
];
|
||||
]
|
||||
++ lib.optional (cfg.cachix.signingKeyFile != null)
|
||||
"cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
|
||||
++ lib.optional (cfg.cachix.authTokenFile != null)
|
||||
"cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue