diff --git a/hosts/buildbot/default.nix b/hosts/buildbot/default.nix
index a06689e..5748069 100755
--- a/hosts/buildbot/default.nix
+++ b/hosts/buildbot/default.nix
@@ -28,6 +28,7 @@
bagel.services.buildbot = {
enable = true;
domain = "buildbot.forkos.org";
+ builders = [ "builder-3" ];
};
i18n.defaultLocale = "en_US.UTF-8";
diff --git a/secrets.nix b/secrets.nix
index 6bc7773..badeab9 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -21,6 +21,7 @@ let
buildbot-service-key = [ machines.buildbot ];
# Signing key for Buildbot's specific cache
buildbot-signing-key = [ machines.buildbot ];
+ buildbot-remote-builder-key = [ machines.buildbot ];
# These are the same password, but nginx wants it in htpasswd format
metrics-push-htpasswd = [ machines.meta01 ];
diff --git a/secrets/buildbot-remote-builder-key.age b/secrets/buildbot-remote-builder-key.age
new file mode 100644
index 0000000..f3bc083
Binary files /dev/null and b/secrets/buildbot-remote-builder-key.age differ
diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix
index af661fa..5ae0820 100644
--- a/services/baremetal-builder/default.nix
+++ b/services/baremetal-builder/default.nix
@@ -28,7 +28,19 @@ in
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
];
};
- nix.settings.trusted-users = [ "builder" ];
+ users.users.buildbot = {
isSystemUser = true;
group = "nogroup";
home = "/var/empty";
shell = "/bin/sh";
openssh.authorizedKeys.keys = [
# Do not hardcode Buildbot's public key, selectively
# add the keys of the coordinators that require us.
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
];
};
+ nix.settings.trusted-users = [ "builder" "buildbot" ];
nixpkgs.hostPlatform = "x86_64-linux";
diff --git a/services/buildbot/default.nix b/services/buildbot/default.nix
index 970b288..5e2565e 100644
--- a/services/buildbot/default.nix
+++ b/services/buildbot/default.nix
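Review bot: The new `buildbot-remote-builder-key` entry is the only one in this group without a comment saying what the key is for, while the neighbouring `buildbot-signing-key` carries one. Since the buildbot module feeds it to `nix.buildMachines` as `sshKey`, add `# SSH private key Buildbot uses to reach its remote builders (nix.buildMachines sshKey)` above the line so it is not confused with the service key or the cache signing key.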
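Review bot: The new `buildbot` account is both added to `nix.settings.trusted-users` and given an unrestricted authorized key with `shell = "/bin/sh"`, so whoever holds `buildbot-remote-builder-key` on the coordinator gets an interactive shell on this builder plus full daemon privileges (importing unsigned paths, overriding `substituters` and `trusted-public-keys`, and so on). For `protocol = "ssh-ng"` the coordinator only needs to start the daemon over that connection, so prefix the key entry with `restrict,command="/run/current-system/sw/bin/nix-daemon --stdio"` (the exact command and path depend on the Nix version on this host, so confirm it; the `/bin/sh` shell can stay, since sshd runs a forced command through the login shell). Whether trusted-user status is really needed depends on whether the coordinator pushes unsigned store paths; if it can sign them with its existing `buildbot-signing-key`, listing that public key in the builder's `nix.settings.trusted-public-keys` would let `buildbot` stay an ordinary user. The enclosing module attribute set continues outside the hunk.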
@@ -8,6 +8,7 @@ let
cfg = config.bagel.services.buildbot;
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+ ssh-keys = import ../../common/ssh-keys.nix;
inherit (lib) mkEnableOption mkOption mkIf types;
in
{
@@ -16,6 +17,12 @@ in
domain = mkOption {
type = types.str;
};
+ builders = mkOption {
type = types.listOf types.str;
description = "List of builders to configure for Buildbot";
example = [ "builder-2" "builder-3" ];
};
};
config = mkIf cfg.enable {
@@ -25,6 +32,7 @@ in
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+ age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
services.nginx.virtualHosts.${cfg.domain} = {
forceSSL = true;
@@ -94,6 +102,28 @@ in
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
};
+ nix.distributedBuilds = true;
nix.buildMachines = map (n: {
hostName = nodes.${n}.config.networking.fqdn;
protocol = "ssh-ng";
# Follows Hydra.
maxJobs = 8;
sshKey = config.age.secrets.buildbot-remote-builder-key.path;
sshUser = "buildbot";
systems = [ "x86_64-linux" ];
supportedFeatures = nodes.${n}.config.nix.settings.system-features;
# TODO: fix it, see the Hydra file about it.
# IFD already exist in NixOS, so it's fine, I guess.
publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
buildInputs = [
pkgs.coreutils
];
} ''
echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
'');
}
) cfg.builders;
nix.settings.keep-derivations = true;
nix.gc = {
automatic = true;
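Review bot: `builders` has no `default`, so a host that sets `bagel.services.buildbot.enable = true` without listing any builders now fails evaluation at `cfg.builders` with a missing-attribute error instead of simply running without remote builders. Add `default = [ ];` to the option, and because each entry is looked up in both `nodes.${n}` and `ssh-keys.machines.${n}`, say so in the description: `description = "Names of nodes (keys of nodes and of ssh-keys.machines) to use as remote builders for Buildbot";`.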
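Review bot: `publicHostKey` is computed with import-from-derivation (`builtins.readFile` on a `runCommandLocal` output), which the TODO already flags: every evaluation of this host now has to build one derivation per builder, and a stray single quote in `ssh-keys.machines.${n}` would break the `echo -n '…'` quoting. As far as I can tell nix-daemon opens the SSH connection as root and the ssh client honours `/etc/ssh/ssh_known_hosts`, so the host key can instead be pinned with `programs.ssh.knownHosts`, keyed by the same FQDN used for `hostName`, and `publicHostKey` dropped together with the `runCommandLocal`; this assumes `ssh-keys.machines.${n}` is the plain `ssh-ed25519 …` line, which is what the base64 pipeline implies. While here, `maxJobs = 8` and `systems = [ "x86_64-linux" ]` are hard-coded even though the node's own configuration is reachable through `nodes.${n}.config`, as `supportedFeatures` already does. The enclosing `config = mkIf cfg.enable { … }` block continues outside the hunk.

```nix
nix.buildMachines = map (n: {
  hostName = nodes.${n}.config.networking.fqdn;
  # … unchanged: protocol, maxJobs, sshKey, sshUser, systems, supportedFeatures …
  # publicHostKey removed: the host key is pinned via programs.ssh.knownHosts below.
}) cfg.builders;

# Pin each builder's host key in /etc/ssh/ssh_known_hosts for the ssh
# connection nix-daemon opens as root, without evaluating a derivation.
programs.ssh.knownHosts = lib.listToAttrs (map (n:
  lib.nameValuePair nodes.${n}.config.networking.fqdn {
    publicKey = ssh-keys.machines.${n};
  }
) cfg.builders);
```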