From 7789e9ce75c656bcfcaf60720b544232f55df5e9 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 17 Jul 2024 15:43:29 +0200
Subject: [PATCH] services/buildbot: init
Signed-off-by: Raito Bezarius
---
 common/base-server.nix | 2 +-
 flake.lock | 8 +--
 secrets.nix | 9 +++
 secrets/buildbot-oauth-secret.age | 20 ++++++
 secrets/buildbot-service-key.age | Bin 0 -> 1429 bytes
 secrets/buildbot-signing-key.age | Bin 0 -> 1133 bytes
 secrets/buildbot-worker-password.age | 20 ++++++
 secrets/buildbot-workers.age | 22 ++++++
 services/buildbot/default.nix | 103 +++++++++++++++++++++++++++
 services/default.nix | 1 +
 10 files changed, 180 insertions(+), 5 deletions(-)
 create mode 100644 secrets/buildbot-oauth-secret.age
 create mode 100644 secrets/buildbot-service-key.age
 create mode 100644 secrets/buildbot-signing-key.age
 create mode 100644 secrets/buildbot-worker-password.age
 create mode 100644 secrets/buildbot-workers.age
 create mode 100644 services/buildbot/default.nix
diff --git a/common/base-server.nix b/common/base-server.nix
index 57d6eab..3f5616e 100644
--- a/common/base-server.nix
+++ b/common/base-server.nix
@@ -25,7 +25,7 @@
 nix.gc = {
 automatic = true;
 persistent = true;
- dates = "daily";
+ dates = lib.mkDefault "daily";
 options = "--delete-older-than 30d";
 };
diff --git a/flake.lock b/flake.lock
index 0f3747d..38d1859 100644
--- a/flake.lock
+++ b/flake.lock
@@ -64,11 +64,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1715022238,
- "narHash": "sha256-sDD6WWJXJ/1j07aQE0RAUlrQBekXABtEKm7gtaTN45w=",
+ "lastModified": 1721229951,
+ "narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=",
 "ref": "refs/heads/refactor",
- "rev": "d5e3345097cdda5c74bccddb27abb5b5c84eff5b",
- "revCount": 257,
+ "rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a",
+ "revCount": 262,
 "type": "git",
 "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
 },
diff --git a/secrets.nix b/secrets.nix
index e4b3446..6bc7773 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,6 +13,15 @@ let loki-environment = [ machines.meta01 ]; gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ]; + buildbot-worker-password = [ machines.buildbot ]; + buildbot-oauth-secret = [ machines.buildbot ]; + buildbot-workers = [ machines.buildbot ]; + # Private SSH key to Gerrit + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos + buildbot-service-key = [ machines.buildbot ]; + # Signing key for Buildbot's specific cache + buildbot-signing-key = [ machines.buildbot ]; + # These are the same password, but nginx wants it in htpasswd format metrics-push-htpasswd = [ machines.meta01 ]; metrics-push-password = builtins.attrValues machines; diff --git a/secrets/buildbot-oauth-secret.age b/secrets/buildbot-oauth-secret.age new file mode 100644 index 0000000..94e62b4 --- /dev/null +++ b/secrets/buildbot-oauth-secret.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 87T2Ig vfLpqc38U9RwGG1QmSSl5YTXcOU0eoTrpmBjVpP+9xE +XbCUtuC9G9zSyVIgUmH0TO2sdH/3YjAf1erstVAUnHQ +-> ssh-ed25519 K3b7BA zk89m8PXhx59Jf7ovoSvASaaOZqMQxiGMEB/ZF2iFFs +pCfQv3PRw0IMjjXnjTxasVaAZVdfrRhmiRDVK3Pr2GI +-> ssh-ed25519 +qVung ry8P1mOJwSHAXk9XaNGOLRLH2Q6QIxTueoBz+IcS/0M +q9JsGjlS7HQqscAvOO2aSWlH3ruQC5ozDCkDBwp7g0o +-> ssh-rsa krWCLQ +DG2BpVdLziPUuo2HJfzDg/+aqugaOTfmVV+hEFjRV/B9pX90WnLCxp0lNpeNpTdU +v889q7ojKs6jHuJGsUwUPy29Jn9PHOecE/gpcRTt6BI4/2JiwF2brLV+dVbWSOEv +6lf9ecjmbJ/vbHnh94Aqa6kfBREazsZSYPGTAwNdcOdHRsoiK1PKCJmxPvZnfGuY +o6144GTqTIGnxvbdlJ7XPzS8KEoP0SfPb2PFhfq6+z4JPdm116rhXIErPZNcQynP +y0f/TRJPSu5QZ2YzZmwyBTpUqSQx1MWrY/5T3e0cCLY6d2E6evbnPb8eauJl3XHd +I/kqqFKigixDBUPNlwW19Q +-> ssh-ed25519 /vwQcQ Q1589zmSRC/Wvgi1TUfsr6itT7QvBpqsNteNmPhHtHs +Gt3/5u8NW8dcJubLZuiBQjwPIfLNbFQNIAk5+MIoSo0 +-> ssh-ed25519 0R97PA j2DEcmdRz8hOGvkwn6r/6vqPTdNo2AtZKSAjBdQ2n1Y ++w7ky1+gP0O93DXeADjMdBu43Dxno1meh7idgjNdojg +--- 2exgH3r1FIdc2mrQEC0XQmqO3r1bfKZdjWZttrilThE +],A``ㅊ'&T }q1\K7K'K`lxF i# \ No newline at end of file 
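Review bot: The first three new entries in this hunk (`buildbot-worker-password`, `buildbot-oauth-secret`, `buildbot-workers`) carry no comment, while the service key and signing key below them do, so someone auditing which host may decrypt what cannot tell from this file what each blob holds or which consumer reads it. Short per-entry comments in the style of the neighbouring ones would close that gap, e.g. `# Password the buildbot-nix worker presents to the coordinator (workerPasswordFile)`, `# OAuth client secret for the coordinator's login against identity.lix.systems` and `# Worker list handed to the coordinator as workersFile`. Recording the public half of the service key next to its entry, as the hunk already does, is useful for rotation; the same could be done for the signing key's public key so cache consumers can be cross-checked. The attribute set these lines extend begins before the hunk.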
diff --git a/secrets/buildbot-service-key.age b/secrets/buildbot-service-key.age new file mode 100644 index 0000000000000000000000000000000000000000..d4bad7ff2456b74dea2a7ffb54c58ce17555dd39 GIT binary patch literal 1429 zcmZ9KYmCzb0LKp@Jcj0sfZ|DHMoqwRtlgt)IS<*ocIzJ9tL+|u+I3sob0+4}S*hY`-BGJ}Ql%!R_<;;XP&P#m*ex-NPPhe& z@*vG`O*>ppW1J-s&Z|=#1ZW{QE4xj&1@kBs4i<2&0q7QxV9AO*8f9RECE{<0njo>N z>`roSw@T0+J0E3GsZ6PSg|Nalo1f6_7J++^W~wr3i8tawpA*+>;dD$;Xxe5^W@*5p zH)#|o;g*1nREtosXaaP$K^Ou|NGfAu0Rc%>!Afy7Kv_*3;1pOWt4i{Oh@{sWPYQvE zbe|?GtWlCDk`aRh!-yCFs|}`#X22jDFXx*n*vbf!Dphh7dl(f7B;=)%-gw1Tv*H+l zC^-;@YYZLc5^3B}XHd2f&v2y>=@21RBAt9f4-tM`=OMcbEtFWKCODHCnr1Xa@?v#b zNH|F@U2_C6x8#Qng*xSkhpm{}WSS%;7O;k0Cq#@aatb3i3r$#UREbIvX_!N?T*L|S zCQXfrB$Be|b+c7t4Uu#zDJJXTbi>N zC}$0Fnl)4A1SICNp*6Pw6=_cnF?*q^9WTpbnBz;HsPn$<`@c2U8xbyI^wrG3L>(9s zA-$OQ#G;LOga8>XUeP5?PV=I~j|Y6Sx<4IIAF$Y06Yl4^~ya zp$1}-Mh8rE4haSyqybUH5q28kfYl!syr{=*@#TwR+^;r#!3sr#L94w{DligEst{XM zlss?n+7d}?qr!2r=9Do>K%s)>$w!f}PZomyq~;?7nxfU^m`)qo+uMx=uRl}dA|)+D z#w05)AvSw33i=`{t)r+S+wzp(MgkU+PVt5#i6b4GwvNQy|LmGQb6;QY_&e7YcCJnj zIcLp1{lTujO#iQ-eMWxr{3$bsF1-Hut&PNwwMT}J&%QG!cYwZd{fVVB=Z(hBr_Ft5 zx3;dhbnw&<8=yPOFRs}!Y1)VoqClm;3wH0EgYRxJBzvYVHgj3W*tfmsKI=NMlIp(t zP%CuyQLt^>8|m8DYxaLPmCs(d{L>46x7ir6h<;$;0 z9e@3{#CwJNc+7QsopA7z;mWAja(Mh|wK8MX-PIVL+B@2N=HA2o@56frSH!+qKYXAo z>>ObX|APjBfG8du`g3mht6B_fH!f Y{%Wij*uLY_-%pBo%kII@GId$uf9~oQ0{{R3 literal 0 HcmV?d00001 
diff --git a/secrets/buildbot-signing-key.age b/secrets/buildbot-signing-key.age new file mode 100644 index 0000000000000000000000000000000000000000..2028dbfc54f37ea425a00c1cbfdf58a4d7cf398b GIT binary patch literal 1133 zcmZ9~NvPul0LF1eQHVOYpbUdTPl9G@nlxz|MWxxAv`y0{X*NY@(llF}q-l1Tn+GqC zaZqtVamIrph{_Cj5CjELTn6+c3c@=$GN1=}g9kn7bEoF922IR`s5rHT_JJOn*Q(!w{(;u9vg@E~RCJD8t=}vz~T^liIjz;pCuYLzppF zl@ZV9mQh3VWI?i&sMP$(dR8P=@?y9%<9fb4cw`DJgU2|IDyi*{wAilQo)N}C z3h#x2OFfEOF+6FXC7mi`WUL5P z0O1uXXj>|TkvK%Pj!6_*&Ma9rC)of=d1!4Z8%-)P$|9%LcDK{E09mjY#P1|DwO6D! z!g4E8SGiB1h0;f8*>%iVQ$k#oBQWqOg+dmAP1Vs_Px8V-5*<5HANvXv!}aaxQpxl5a}H=9*p+$2Cg6e)bCDQRzN75*+YJYyi2 z$8R5Z3l-(up10(YbSY^r=IESjIoxt8**!`CAQs$I!A$hH zAYXG8jf_CKf#5aRW6g4;`irqW$qR|6=k7_ZBN6y)&=MOp9Pd-lT`d|^Gj*mxXdFyr zESdTpdm$<^jr)RDuf09cEC`vD#9U+{#n%`q#1Ui7+JlKD>r1VpaLcfC;6N;#7-+ZK zt*%{8R(Va+L#Ez<&2F%n1=E3QGb5`s5R&LG9Ew1-@i5o}(sxgM@bbGi-mkbTUtd4` z;iqSxx%g}UTuibm}=U4G%>6Hs0 zT_Xq6^TV_M2#cqyi`U<{{gYqL9G!Zkx$xv|XU{!HUA^Zc ssh-ed25519 87T2Ig y4P08L2yYSjVcWdbRCqWSCM+WcgqXpxOwr1Ip2Ipd3Q +7C/3MXVbAX0HIdEULKu0bc9q2U+4mPDiDb2l5rRwBI4 +-> ssh-ed25519 K3b7BA wl46ZMqLHMOTG3RojLVgwC2hskjUJWUGZ4h9dwBYaws +xxrJQ8Ws1evKgfKej8WwbucuArULWNtCdMlSDdVNe6E +-> ssh-ed25519 +qVung 4fix0OAAyW/34W1HVfc5ivIr8ijqNz0Vz8oWaSY2lyk +8ZAguZR31I0hysn265ELYeYwrLiDx07BepG0w1R8uhU +-> ssh-rsa krWCLQ +vRU5uF64cQZwJrGr0oBRBJFo2mr30pz6yhXwEm4BJjKt/yCCikggPUFTW/KOjnqZ +JcUoLpeDVIk3+FBJl4p3PVRn1pjRUve4vEcNAEjmkVgBwiZWtpfE6vVLn5pIvm+A +nwybTTwMJomDTLDsMOq0Ur+S3rw4Nb6ADqDKhmjlmlaSlTqxUmZoznQduoSSINI/ +VJw/+VjwFxsMxdD5swxEAcrDk2rKoQLrfO83PO3HNMX5SmYHHYEaWB0/YeLgvi8a +4OBueRKLWOiy2WUCqtxiQG5XYGYNdgOKIeNLnPNH6RRwFoBz7Zmn2uuQjmysY9h8 +lryoR6quxdOTRTL2WwGPAw +-> ssh-ed25519 /vwQcQ 8sOHrthroDrjuL14hij7sPiK9BGlOLzKG1pBe5+HMFw +vQqm96T/H5tINHJxnfi6DYm9YO9UAaj8etmk7K0GJ7U +-> ssh-ed25519 0R97PA Dd3db0zh0/ZUsm3UgsWRbGz9mVvm8s3W2HQkjTM6L3k +/+IRsPs2KoqEYnxmFoKmNc/00jOesKXv33rO4Yx+l68 +--- jPrqv7h6AGoqNl1LCOtzXvU4dKK2PnGsj/FqhstbSGw +f+`ϙ+]&w=:$UQ7hKU1_Yz0%\NL0o ޼5~_ Z7x[\v[o \ No 
newline at end of file diff --git a/secrets/buildbot-workers.age b/secrets/buildbot-workers.age new file mode 100644 index 0000000..dcd9c20 --- /dev/null +++ b/secrets/buildbot-workers.age @@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 87T2Ig arwhM8DLVpft4PdPw4A6ZoPk5KqXORhE9iDG6etDOzk +ZVNgF/J3YiCTj2lq2280vU95pX36cpH+sT/wRjmExHk +-> ssh-ed25519 K3b7BA fBr1rUtTQVs0LLSR6RVX1eJBEpYs3COyJITpGm4ngi0 +jfYyrD/0gh1QCAq8SnsWjUQin3g21NEgCQAlCc6uQ9g +-> ssh-ed25519 +qVung cJEfk9HdCsdVmuhI7OAgWsly4P5o/n9JbPRtsDZ2FVY +MJvfsbd9+pbhG1BwF4xVafqu+LvPy3geN7n9MALFP68 +-> ssh-rsa krWCLQ +PuiiAwETSr4SDb4XOtn6AECDJedzd3KfTAsjrq3giwCrjfSqYeTpBaH8mhf4t5D5 +fAXHtIoChcZNb1dhxQtP0r4A4cy1faf87XGkOwAeikFv9S8cMjjgZ71sX8g8Srp/ +Mjla0+5CVGRsUMcev/t9uMj04qHDtr7swbjLoOPwvCQBUWHZrOA/Fq/T2g9qU32g +YQgxtR3zzseb/vOFHzpWc6fkR8UO0j1H1hyFkJ1XkipeQ5UIwg0g57lsPkNXuZfI +BbKzzg521HChK5ssibITLdtp6piwIpxHUxwSNpLXG8vbT33e24kFEeTZ0QX4NStl +r6U4j3NL1lPChpdSIhy/2Q +-> ssh-ed25519 /vwQcQ Q8Hxbxto0EN1odEFt/dNfeK1l4xSIO9lY/ewYpa1DgY +4jeNmuwK4tvJzX62/x/1aq+L4R6dD61akUmo0+GCICc +-> ssh-ed25519 0R97PA of4aEATYi3ad7nYvexirIErAWbsLOW1ijGPc/IETSCU +qT/O8DIYaMm0MlvS9eVBSe2th16yDHODlT1VgF9iLDI +--- rWScSs0yVovPOWI2zmDTIyLJdBIRlKIPu6jivzty7p8 +d}EmiKCy5L`GTZ^Q?g2|S +g2F `_jl 1GfWƃ0 H) +{\í<^#JgJJGJh>2G%Tra B \ No newline at end of file diff --git a/services/buildbot/default.nix b/services/buildbot/default.nix new file mode 100644 index 0000000..970b288 --- /dev/null +++ b/services/buildbot/default.nix 
@@ -0,0 +1,103 @@
+{
+ nodes,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.bagel.services.buildbot;
+ cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+ inherit (lib) mkEnableOption mkOption mkIf types;
+in
+{
+ options.bagel.services.buildbot = {
+ enable = mkEnableOption "Buildbot";
+ domain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
+ age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
+ age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
+ age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
+ age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+
+ services.nginx.virtualHosts.${cfg.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+
+ services.buildbot-nix.worker = {
+ enable = true;
+ workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
+ # All credits to eldritch horrors for this beauty.
+ workerArchitectures =
+ {
+ # nix-eval-jobs runs under a lock, error reports do not (but are cheap)
+ other = 8;
+ } // (
+ lib.filterAttrs
+ (n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
+ (lib.zipAttrsWith
+ (_: lib.foldl' lib.add 0)
+ (lib.concatMap
+ (m: map (s: { ${s} = m.maxJobs; }) m.systems)
+ config.nix.buildMachines))
+ );
+ };
+
+ services.buildbot-nix.coordinator = {
+ enable = true;
+
+ inherit (cfg) domain;
+
+ oauth2 = {
+ name = "Lix";
+ clientId = "forkos-buildbot";
+ clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
+ resourceEndpoint = "https://identity.lix.systems";
+ authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+ tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+ };
+
+ workersFile = config.age.secrets.buildbot-workers.path;
+
+ allowedOrigins = [
+ "*.forkos.org"
+ ];
+
+ buildSystems = [
+ "x86_64-linux"
+ ];
+
+ gerrit = {
+ domain = cfgGerrit.canonicalDomain;
+ # Manually managed account…
+ # TODO: https://git.lix.systems/the-distro/infra/issues/69
+ username = "buildbot";
+ port = cfgGerrit.port;
+ privateKeyFile = config.age.secrets.buildbot-service-key.path;
+ projects = [
+ "buildbot-test"
+ "nixpkgs"
+ "infra"
+ ];
+ };
+
+ evalWorkerCount = 6;
+ evalMaxMemorySize = "4096";
+
+ signingKeyFile = config.age.secrets.buildbot-signing-key.path;
+ };
+
+ nix.settings.keep-derivations = true;
+ nix.gc = {
+ automatic = true;
+ dates = "hourly";
+ };
+ };
+}
diff --git a/services/default.nix b/services/default.nix
index 0599eb5..27dacfd 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -8,5 +8,6 @@
 ./postgres
 ./forgejo
 ./baremetal-builder
+ ./buildbot
 ];
 }
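Review bot: `domain = mkOption { type = types.str; };` near the top of this file has no `description`, so the option is undocumented in generated option listings and nothing states what it feeds; `description = "Public hostname the Buildbot coordinator is served on; used for the nginx virtual host (ACME) and passed through as services.buildbot-nix.coordinator.domain.";` would cover what the module visibly does with it. The `workerArchitectures` expression is derived from `config.nix.buildMachines`, which nothing in this patch populates; if that list is empty on the buildbot host the worker advertises only `other = 8` and no `x86_64-linux` slots, and the `lib.filterAttrs` over `buildSystems` silently drops capacity for any other system, so a comment stating both assumptions next to the existing "eldritch horrors" one would save the next reader from re-deriving them. `evalMaxMemorySize = "4096"` carries no unit; a trailing comment naming it (presumably MiB, to be confirmed against buildbot-nix) would help. The `nix.gc.dates = "hourly"` override relies on the `lib.mkDefault` added to common/base-server.nix in this same patch; a one-line comment saying so would stop a later cleanup of that `mkDefault` from reintroducing the conflict.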