From da7175303c5309da4645383c974acebed9d30c8b Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 17 Jul 2024 18:18:59 +0200
Subject: [PATCH] buildbot: add support for remote builders via baremetal machines

For now, only builder-3 is used.

Signed-off-by: Raito Bezarius
---
 hosts/buildbot/default.nix | 1 +
 secrets.nix | 1 +
 secrets/buildbot-remote-builder-key.age | Bin 0 -> 1417 bytes
 services/baremetal-builder/default.nix | 14 ++++++++++-
 services/buildbot/default.nix | 30 ++++++++++++++++++++++++
 5 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 secrets/buildbot-remote-builder-key.age

diff --git a/hosts/buildbot/default.nix b/hosts/buildbot/default.nix
index a06689e..5748069 100755
--- a/hosts/buildbot/default.nix
+++ b/hosts/buildbot/default.nix
@@ -28,6 +28,7 @@
   bagel.services.buildbot = {
     enable = true;
     domain = "buildbot.forkos.org";
+    builders = [ "builder-3" ];
   };
 
   i18n.defaultLocale = "en_US.UTF-8";
diff --git a/secrets.nix b/secrets.nix
index 6bc7773..badeab9 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -21,6 +21,7 @@ let
   buildbot-service-key = [ machines.buildbot ];
   # Signing key for Buildbot's specific cache
   buildbot-signing-key = [ machines.buildbot ];
+  buildbot-remote-builder-key = [ machines.buildbot ];
 
   # These are the same password, but nginx wants it in htpasswd format
   metrics-push-htpasswd = [ machines.meta01 ];
diff --git a/secrets/buildbot-remote-builder-key.age b/secrets/buildbot-remote-builder-key.age new file mode 100644 index 0000000000000000000000000000000000000000..f3bc083f6d09623a65c7955a72fc173ed49bfca5 GIT binary patch literal 1417 zcmZ9~`;XHE0KoABtsLgeVx494IKSi1EZ+f^rugCjz2`h>xH6g}>mFeDf8=f~}zB z8l8HpR8yAJ8Y0++EVgH@&8B24CJJi@YMTy1Nx)2*Jq#WL67G z!IT5@2Xa77fpiV@y1Aw$Qmd&>I0Z;ef3YS5e2L}Trk2eC0+dWcj9LN^Q*er@q>kLH zkR$9i*yTw#CtVBO=^m0<>EvdihE(0L3NR=E3KrIq&%u7 zNF~0^6p9H5lM%5Ar{hgaI*b+F-Ub0PWe#;fBw6+7xd?@7L@`T+%MP$zbwFkfjkC?W zTB9jgD~*&d!dPNnXQZYvESB_neKn3SBeZF-g6d@*Kqv@R%5@}6;(5K04{2P7YY2pr z)=PSr463vv zm@Xygde+~NoLbmIOLST`Koo%tDqREvB{Apw^#oPHv zQfkXNEbYNy##hQlYnE^#R{*kgJOO8za4is1m6#%=KLGl|Dw2Xn7xk9$2dYIR2{?oP|62Y9_x379ZXxOpm?p(P0~!3Hd_0>atzm4}9XD)4B*SD(c_sg4O$0kaj zU%Ku~o#`3-^v~D%KaLxbujd%E*DpH1z3a`(15cB#%Fzou*o7x{Pgp%X)Q=zL7p~g- z*Nm4I{ZN=Y`sB>SD8dd;=y{RWBBKNSNA~SKxldeP8ywqtbnDg~{r}{rEk1SMmCW$V zylV43-g)np@XiaVkA;!=kIt+#FxO;l_99e?y<#?%vsb zwrkU&HT;g=Cm#8CPkHz)+nwFB_MF@?P#~7yS{hq_d|qMG+S^l`TVC^@5B=JIZOd)2 z`^Uh!kqwirgZJCEvuD0A3A0Y@nsVt{-;i}~V*F!7 zniVv^|4H11mf!wt{^7BAmcH+F6*nLI=G@#KPib}J`4#ZMGUdy~M`l!)96)-xzt5+~ z-te3rSr%JAe-m@#^7JLs7hRn3(5On!B#u4!^SX^6Z9K59_XKha?cTrtsq$Cw(n;0F MH0$9*`@b0c9~WE}ZU6uP literal 0 HcmV?d00001 diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix index af661fa..5ae0820 100644 --- a/services/baremetal-builder/default.nix +++ b/services/baremetal-builder/default.nix 
@@ -28,7 +28,19 @@ in
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
     ];
   };
-  nix.settings.trusted-users = [ "builder" ];
+
+  users.users.buildbot = {
+    isSystemUser = true;
+    group = "nogroup";
+    home = "/var/empty";
+    shell = "/bin/sh";
+    openssh.authorizedKeys.keys = [
+      # Do not hardcode Buildbot's public key, selectively
+      # add the keys of the coordinators that require us.
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
+    ];
+  };
+  nix.settings.trusted-users = [ "builder" "buildbot" ];
 
   nixpkgs.hostPlatform = "x86_64-linux";
 
diff --git a/services/buildbot/default.nix b/services/buildbot/default.nix
index 970b288..5e2565e 100644
--- a/services/buildbot/default.nix
+++ b/services/buildbot/default.nix
@@ -8,6 +8,7 @@ let
   cfg = config.bagel.services.buildbot;
   cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
 
+  ssh-keys = import ../../common/ssh-keys.nix;
   inherit (lib) mkEnableOption mkOption mkIf types;
 in
 {
@@ -16,6 +17,12 @@ in
     domain = mkOption {
       type = types.str;
     };
+
+    builders = mkOption {
+      type = types.listOf types.str;
+      description = "List of builders to configure for Buildbot";
+      example = [ "builder-2" "builder-3" ];
+    };
   };
 
   config = mkIf cfg.enable {
@@ -25,6 +32,7 @@ in
     age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
     age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
     age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+    age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
 
     services.nginx.virtualHosts.${cfg.domain} = {
       forceSSL = true;
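Review bot: The new `buildbot` account is added to `nix.settings.trusted-users` while its authorized key carries no options and the account has a real shell, so whoever holds the coordinator's private key gets an unrestricted SSH session as a daemon-trusted user on this machine, which the Nix manual describes as effectively root-equivalent. The hunk does not record why trust is needed (importing the unsigned paths the coordinator pushes over ssh-ng is the usual reason), so a comment above the trusted-users line would help, e.g. `# buildbot is trusted so the coordinator can upload unsigned build inputs; trusted-users is root-equivalent on this host.` Prefixing the key with the `restrict` authorized_keys option, e.g. `"restrict ssh-ed25519 AAAAC3…vxod"`, drops pty and forwarding privileges that a remote builder should not need; please confirm ssh-ng still works with it. The comment "Do not hardcode Buildbot's public key" sits directly above a hardcoded key; if it means "list coordinators explicitly instead of importing the shared key file", rewording it that way would avoid confusion.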
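Review bot: The new `builders` option has no `default`, so every host that sets `enable = true` must now also set `builders` or evaluation fails when the `@@ -94,6 +102,28 @@` hunk reads `cfg.builders`; hosts/buildbot does set it in this commit, but the option text does not say it is mandatory. Adding `default = [ ];` keeps existing consumers evaluating, and the `nix.distributedBuilds = true;` line in that later hunk could then become `nix.distributedBuilds = cfg.builders != [ ];` so an empty list does not enable distributed builds with no machines. If the option is meant to be required, saying so in `description` is the minimum.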
@@ -94,6 +102,28 @@ in
       signingKeyFile = config.age.secrets.buildbot-signing-key.path;
     };
 
+    nix.distributedBuilds = true;
+    nix.buildMachines = map (n: {
+      hostName = nodes.${n}.config.networking.fqdn;
+      protocol = "ssh-ng";
+      # Follows Hydra.
+      maxJobs = 8;
+      sshKey = config.age.secrets.buildbot-remote-builder-key.path;
+      sshUser = "buildbot";
+      systems = [ "x86_64-linux" ];
+      supportedFeatures = nodes.${n}.config.nix.settings.system-features;
+      # TODO: fix it, see the Hydra file about it.
+      # IFD already exist in NixOS, so it's fine, I guess.
+      publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
+        buildInputs = [
+          pkgs.coreutils
+        ];
+      } ''
+        echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
+      '');
+    }
+    ) cfg.builders;
+
     nix.settings.keep-derivations = true;
     nix.gc = {
       automatic = true;
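Review bot: `systems = [ "x86_64-linux" ];` and `maxJobs = 8;` are fixed for every builder even though `hostName` and `supportedFeatures` in the same attribute set are already taken from `nodes.${n}.config`, so a builder of another architecture added to `cfg.builders` would be advertised with the wrong system. If `nixpkgs.hostPlatform` is elaborated on these nodes, `systems = [ nodes.${n}.config.nixpkgs.hostPlatform.system ];` keeps the two in sync; the baremetal-builder module only assigns it as a string, so please confirm the attribute exists before switching. Separately, `buildInputs = [ pkgs.coreutils ]` in the `runCommandLocal` wrapper is redundant because coreutils is already in the stdenv build environment, and if it is kept it belongs in `nativeBuildInputs` since `base64` runs at build time.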