buildbot: init #68
|
@ -25,7 +25,7 @@
|
|||
nix.gc = {
|
||||
automatic = true;
|
||||
persistent = true;
|
||||
dates = "daily";
|
||||
dates = lib.mkDefault "daily";
|
||||
options = "--delete-older-than 30d";
|
||||
};
|
||||
|
||||
|
|
|
@ -64,11 +64,11 @@
|
|||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715022238,
|
||||
"narHash": "sha256-sDD6WWJXJ/1j07aQE0RAUlrQBekXABtEKm7gtaTN45w=",
|
||||
"lastModified": 1721229951,
|
||||
"narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=",
|
||||
"ref": "refs/heads/refactor",
|
||||
"rev": "d5e3345097cdda5c74bccddb27abb5b5c84eff5b",
|
||||
"revCount": 257,
|
||||
"rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a",
|
||||
"revCount": 262,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
||||
},
|
||||
|
|
|
@ -13,6 +13,15 @@ let
|
|||
loki-environment = [ machines.meta01 ];
|
||||
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
|
||||
|
||||
buildbot-worker-password = [ machines.buildbot ];
|
||||
buildbot-oauth-secret = [ machines.buildbot ];
|
||||
buildbot-workers = [ machines.buildbot ];
|
||||
# Private SSH key to Gerrit
|
||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
||||
buildbot-service-key = [ machines.buildbot ];
|
||||
# Signing key for Buildbot's specific cache
|
||||
buildbot-signing-key = [ machines.buildbot ];
|
||||
|
||||
# These are the same password, but nginx wants it in htpasswd format
|
||||
metrics-push-htpasswd = [ machines.meta01 ];
|
||||
metrics-push-password = builtins.attrValues machines;
|
||||
|
|
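Review bot: The comment `# Private SSH key to Gerrit` is followed directly by an `ssh-ed25519 AAAA…` line, which is the public half of a key pair. A reader can take it for the secret itself, or wonder whether key material was pasted into the recipients file. Label that line explicitly, e.g. `# Matching public key (registered on the Gerrit buildbot account, confirm):`. `buildbot-worker-password`, `buildbot-oauth-secret` and `buildbot-workers` carry no comment at all; one line each naming the consumer would help whoever rotates them, and if the worker password is also embedded in the `buildbot-workers` list, say so the way the `metrics-push-*` comment below does. The enclosing `let` binding starts and ends outside the hunk.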
20
secrets/buildbot-oauth-secret.age
Normal file
20
secrets/buildbot-oauth-secret.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 87T2Ig vfLpqc38U9RwGG1QmSSl5YTXcOU0eoTrpmBjVpP+9xE
|
||||
XbCUtuC9G9zSyVIgUmH0TO2sdH/3YjAf1erstVAUnHQ
|
||||
-> ssh-ed25519 K3b7BA zk89m8PXhx59Jf7ovoSvASaaOZqMQxiGMEB/ZF2iFFs
|
||||
pCfQv3PRw0IMjjXnjTxasVaAZVdfrRhmiRDVK3Pr2GI
|
||||
-> ssh-ed25519 +qVung ry8P1mOJwSHAXk9XaNGOLRLH2Q6QIxTueoBz+IcS/0M
|
||||
q9JsGjlS7HQqscAvOO2aSWlH3ruQC5ozDCkDBwp7g0o
|
||||
-> ssh-rsa krWCLQ
|
||||
DG2BpVdLziPUuo2HJfzDg/+aqugaOTfmVV+hEFjRV/B9pX90WnLCxp0lNpeNpTdU
|
||||
v889q7ojKs6jHuJGsUwUPy29Jn9PHOecE/gpcRTt6BI4/2JiwF2brLV+dVbWSOEv
|
||||
6lf9ecjmbJ/vbHnh94Aqa6kfBREazsZSYPGTAwNdcOdHRsoiK1PKCJmxPvZnfGuY
|
||||
o6144GTqTIGnxvbdlJ7XPzS8KEoP0SfPb2PFhfq6+z4JPdm116rhXIErPZNcQynP
|
||||
y0f/TRJPSu5QZ2YzZmwyBTpUqSQx1MWrY/5T3e0cCLY6d2E6evbnPb8eauJl3XHd
|
||||
I/kqqFKigixDBUPNlwW19Q
|
||||
-> ssh-ed25519 /vwQcQ Q1589zmSRC/Wvgi1TUfsr6itT7QvBpqsNteNmPhHtHs
|
||||
Gt3/5u8NW8dcJubLZuiBQjwPIfLNbFQNIAk5+MIoSo0
|
||||
-> ssh-ed25519 0R97PA j2DEcmdRz8hOGvkwn6r/6vqPTdNo2AtZKSAjBdQ2n1Y
|
||||
+w7ky1+gP0O93DXeADjMdBu43Dxno1meh7idgjNdojg
|
||||
--- 2exgH3r1FIdc2mrQEC0XQmqO3r1bfKZdjWZttrilThE
|
||||
œ]†‰,A`ç‚Øõ€ýï`ã…Š'&±T£ÇöŸ¸}q1à\K”ðì°7íKÏ'KóßÞ`lx›³‡F
i¸ì#÷
|
BIN
secrets/buildbot-service-key.age
Normal file
BIN
secrets/buildbot-service-key.age
Normal file
Binary file not shown.
BIN
secrets/buildbot-signing-key.age
Normal file
BIN
secrets/buildbot-signing-key.age
Normal file
Binary file not shown.
20
secrets/buildbot-worker-password.age
Normal file
20
secrets/buildbot-worker-password.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 87T2Ig y4P08L2yYSjVcWdbRCqWSCM+WcgqXpxOwr1Ip2Ipd3Q
|
||||
7C/3MXVbAX0HIdEULKu0bc9q2U+4mPDiDb2l5rRwBI4
|
||||
-> ssh-ed25519 K3b7BA wl46ZMqLHMOTG3RojLVgwC2hskjUJWUGZ4h9dwBYaws
|
||||
xxrJQ8Ws1evKgfKej8WwbucuArULWNtCdMlSDdVNe6E
|
||||
-> ssh-ed25519 +qVung 4fix0OAAyW/34W1HVfc5ivIr8ijqNz0Vz8oWaSY2lyk
|
||||
8ZAguZR31I0hysn265ELYeYwrLiDx07BepG0w1R8uhU
|
||||
-> ssh-rsa krWCLQ
|
||||
vRU5uF64cQZwJrGr0oBRBJFo2mr30pz6yhXwEm4BJjKt/yCCikggPUFTW/KOjnqZ
|
||||
JcUoLpeDVIk3+FBJl4p3PVRn1pjRUve4vEcNAEjmkVgBwiZWtpfE6vVLn5pIvm+A
|
||||
nwybTTwMJomDTLDsMOq0Ur+S3rw4Nb6ADqDKhmjlmlaSlTqxUmZoznQduoSSINI/
|
||||
VJw/+VjwFxsMxdD5swxEAcrDk2rKoQLrfO83PO3HNMX5SmYHHYEaWB0/YeLgvi8a
|
||||
4OBueRKLWOiy2WUCqtxiQG5XYGYNdgOKIeNLnPNH6RRwFoBz7Zmn2uuQjmysY9h8
|
||||
lryoR6quxdOTRTL2WwGPAw
|
||||
-> ssh-ed25519 /vwQcQ 8sOHrthroDrjuL14hij7sPiK9BGlOLzKG1pBe5+HMFw
|
||||
vQqm96T/H5tINHJxnfi6DYm9YO9UAaj8etmk7K0GJ7U
|
||||
-> ssh-ed25519 0R97PA Dd3db0zh0/ZUsm3UgsWRbGz9mVvm8s3W2HQkjTM6L3k
|
||||
/+IRsPs2KoqEYnxmFoKmNc/00jOesKXv33rO4Yx+l68
|
||||
--- jPrqv7h6AGoqNl1LCOtzXvU4dKK2PnGsj/FqhstbSGw
|
||||
³»f+`Ï™+á½]&§w=ù¯:í$UQÀ7§ÁÀháÅK©¿U‚ÓÁ1_YßzËË0<C38B>%\<5C>N…Lë0oæö
½Þ¼‰Ï5~¥¼_
ÓZïã7xµ¤[ø\ú¤Úv[‹o
|
22
secrets/buildbot-workers.age
Normal file
22
secrets/buildbot-workers.age
Normal file
|
@ -0,0 +1,22 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 87T2Ig arwhM8DLVpft4PdPw4A6ZoPk5KqXORhE9iDG6etDOzk
|
||||
ZVNgF/J3YiCTj2lq2280vU95pX36cpH+sT/wRjmExHk
|
||||
-> ssh-ed25519 K3b7BA fBr1rUtTQVs0LLSR6RVX1eJBEpYs3COyJITpGm4ngi0
|
||||
jfYyrD/0gh1QCAq8SnsWjUQin3g21NEgCQAlCc6uQ9g
|
||||
-> ssh-ed25519 +qVung cJEfk9HdCsdVmuhI7OAgWsly4P5o/n9JbPRtsDZ2FVY
|
||||
MJvfsbd9+pbhG1BwF4xVafqu+LvPy3geN7n9MALFP68
|
||||
-> ssh-rsa krWCLQ
|
||||
PuiiAwETSr4SDb4XOtn6AECDJedzd3KfTAsjrq3giwCrjfSqYeTpBaH8mhf4t5D5
|
||||
fAXHtIoChcZNb1dhxQtP0r4A4cy1faf87XGkOwAeikFv9S8cMjjgZ71sX8g8Srp/
|
||||
Mjla0+5CVGRsUMcev/t9uMj04qHDtr7swbjLoOPwvCQBUWHZrOA/Fq/T2g9qU32g
|
||||
YQgxtR3zzseb/vOFHzpWc6fkR8UO0j1H1hyFkJ1XkipeQ5UIwg0g57lsPkNXuZfI
|
||||
BbKzzg521HChK5ssibITLdtp6piwIpxHUxwSNpLXG8vbT33e24kFEeTZ0QX4NStl
|
||||
r6U4j3NL1lPChpdSIhy/2Q
|
||||
-> ssh-ed25519 /vwQcQ Q8Hxbxto0EN1odEFt/dNfeK1l4xSIO9lY/ewYpa1DgY
|
||||
4jeNmuwK4tvJzX62/x/1aq+L4R6dD61akUmo0+GCICc
|
||||
-> ssh-ed25519 0R97PA of4aEATYi3ad7nYvexirIErAWbsLOW1ijGPc/IETSCU
|
||||
qT/O8DIYaMm0MlvS9eVBSe2th16yDHODlT1VgF9iLDI
|
||||
--- rWScSs0yVovPOWI2zmDTIyLJdBIRlKIPu6jivzty7p8
|
||||
…ûê<EFBFBD>Ñdß}EmiêKCûy5žL`G×ßÑTÙZ^Q?g2Ì|×ò«S
|
||||
g2ÿ¶¤F`êà_´ÿjòl
ÈÐ1ÝGðˆf€ñW<C3B1>¾Æƒ0ÏùÀðÌ º¼çHÁ)á€
|
||||
{µ²‚µ\êÃ<^—#Jþg¤éJJ¹ˆ‡GßJøh>²2…<>´“G%<25>±ÅTra†B
|
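--- /dev/null
+++ b/services/buildbot/default.nix
@@ -0,0 +1,103 @@
+{
+nodes,
+config,
+lib,
+pkgs,
+...
+}:
+let
+cfg = config.bagel.services.buildbot;
+cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+inherit (lib) mkEnableOption mkOption mkIf types;
+in
+{
+options.bagel.services.buildbot = {
+enable = mkEnableOption "Buildbot";
+domain = mkOption {
+type = types.str;
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
+age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
+age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
+age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
+age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+
+services.nginx.virtualHosts.${cfg.domain} = {
+forceSSL = true;
+enableACME = true;
+};
+
+services.buildbot-nix.worker = {
+enable = true;
+workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
+# All credits to eldritch horrors for this beauty.
+workerArchitectures =
+{
+# nix-eval-jobs runs under a lock, error reports do not (but are cheap)
+other = 8;
+} // (
+lib.filterAttrs
+(n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
+(lib.zipAttrsWith
+(_: lib.foldl' lib.add 0)
+(lib.concatMap
+(m: map (s: { ${s} = m.maxJobs; }) m.systems)
+config.nix.buildMachines))
+);
+};
+
+services.buildbot-nix.coordinator = {
+enable = true;
+
+inherit (cfg) domain;
+
+oauth2 = {
+name = "Lix";
+clientId = "forkos-buildbot";
+clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
+resourceEndpoint = "https://identity.lix.systems";
+authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+};
+
+workersFile = config.age.secrets.buildbot-workers.path;
+
+allowedOrigins = [
+"*.forkos.org"
+];
+
+buildSystems = [
+"x86_64-linux"
+];
+
+gerrit = {
+domain = cfgGerrit.canonicalDomain;
+# Manually managed account…
+# TODO: https://git.lix.systems/the-distro/infra/issues/69
+username = "buildbot";
+port = cfgGerrit.port;
+privateKeyFile = config.age.secrets.buildbot-service-key.path;
+projects = [
+"buildbot-test"
+"nixpkgs"
+"infra"
+];
+};
+
+evalWorkerCount = 6;
+evalMaxMemorySize = "4096";
+
+signingKeyFile = config.age.secrets.buildbot-signing-key.path;
+};
+
+nix.settings.keep-derivations = true;
+nix.gc = {
+automatic = true;
+dates = "hourly";
+};
+};
+}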
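Review bot: `allowedOrigins = [ "*.forkos.org" ]` in the coordinator block trusts every subdomain of the zone for cross-origin access to the Buildbot web API, so any host under forkos.org that serves user-controlled content, or is later taken over, is accepted alongside the intended frontends. If Gerrit is the only cross-origin consumer, pinning it is tighter, e.g. `allowedOrigins = [ cfgGerrit.canonicalDomain ];` (adjust to the form the option expects). Separately, the module enables the worker on the same host that holds `buildbot-signing-key` and `buildbot-service-key`. Evaluation of Gerrit changes appears to run there, so confirm those key files are readable only by the coordinator's service user and not by the worker. The `domain` option also has no `description`; `description = "Public hostname the Buildbot web UI is served on.";` would do.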
|
@ -8,5 +8,6 @@
|
|||
./postgres
|
||||
./forgejo
|
||||
./baremetal-builder
|
||||
./buildbot
|
||||
];
|
||||
}
|
||||
|
|