buildbot: init #68

Merged
raito merged 8 commits from buildbot into main 2024-07-18 08:58:00 +00:00
10 changed files with 180 additions and 5 deletions
Showing only changes of commit 7789e9ce75 - Show all commits

View file

@ -25,7 +25,7 @@
nix.gc = {
automatic = true;
persistent = true;
dates = "daily";
dates = lib.mkDefault "daily";
options = "--delete-older-than 30d";
};

View file

@ -64,11 +64,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1715022238,
"narHash": "sha256-sDD6WWJXJ/1j07aQE0RAUlrQBekXABtEKm7gtaTN45w=",
"lastModified": 1721229951,
"narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=",
"ref": "refs/heads/refactor",
"rev": "d5e3345097cdda5c74bccddb27abb5b5c84eff5b",
"revCount": 257,
"rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a",
"revCount": 262,
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
},

View file

@ -13,6 +13,15 @@ let
loki-environment = [ machines.meta01 ];
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
buildbot-worker-password = [ machines.buildbot ];
buildbot-oauth-secret = [ machines.buildbot ];
buildbot-workers = [ machines.buildbot ];
# Private SSH key to Gerrit
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
buildbot-service-key = [ machines.buildbot ];
# Signing key for Buildbot's specific cache
buildbot-signing-key = [ machines.buildbot ];
# These are the same password, but nginx wants it in htpasswd format
metrics-push-htpasswd = [ machines.meta01 ];
metrics-push-password = builtins.attrValues machines;

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 87T2Ig vfLpqc38U9RwGG1QmSSl5YTXcOU0eoTrpmBjVpP+9xE
XbCUtuC9G9zSyVIgUmH0TO2sdH/3YjAf1erstVAUnHQ
-> ssh-ed25519 K3b7BA zk89m8PXhx59Jf7ovoSvASaaOZqMQxiGMEB/ZF2iFFs
pCfQv3PRw0IMjjXnjTxasVaAZVdfrRhmiRDVK3Pr2GI
-> ssh-ed25519 +qVung ry8P1mOJwSHAXk9XaNGOLRLH2Q6QIxTueoBz+IcS/0M
q9JsGjlS7HQqscAvOO2aSWlH3ruQC5ozDCkDBwp7g0o
-> ssh-rsa krWCLQ
DG2BpVdLziPUuo2HJfzDg/+aqugaOTfmVV+hEFjRV/B9pX90WnLCxp0lNpeNpTdU
v889q7ojKs6jHuJGsUwUPy29Jn9PHOecE/gpcRTt6BI4/2JiwF2brLV+dVbWSOEv
6lf9ecjmbJ/vbHnh94Aqa6kfBREazsZSYPGTAwNdcOdHRsoiK1PKCJmxPvZnfGuY
o6144GTqTIGnxvbdlJ7XPzS8KEoP0SfPb2PFhfq6+z4JPdm116rhXIErPZNcQynP
y0f/TRJPSu5QZ2YzZmwyBTpUqSQx1MWrY/5T3e0cCLY6d2E6evbnPb8eauJl3XHd
I/kqqFKigixDBUPNlwW19Q
-> ssh-ed25519 /vwQcQ Q1589zmSRC/Wvgi1TUfsr6itT7QvBpqsNteNmPhHtHs
Gt3/5u8NW8dcJubLZuiBQjwPIfLNbFQNIAk5+MIoSo0
-> ssh-ed25519 0R97PA j2DEcmdRz8hOGvkwn6r/6vqPTdNo2AtZKSAjBdQ2n1Y
+w7ky1+gP0O93DXeADjMdBu43Dxno1meh7idgjNdojg
--- 2exgH3r1FIdc2mrQEC0XQmqO3r1bfKZdjWZttrilThE
œ]†‰,A`ç‚Øõ€ýï`ã…Š'&±T£Ç öŸ¸}q1à\K”ðì°7íKÏ'KóßÞ`lx³‡F i¸ì#÷

Binary file not shown.

Binary file not shown.

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 87T2Ig y4P08L2yYSjVcWdbRCqWSCM+WcgqXpxOwr1Ip2Ipd3Q
7C/3MXVbAX0HIdEULKu0bc9q2U+4mPDiDb2l5rRwBI4
-> ssh-ed25519 K3b7BA wl46ZMqLHMOTG3RojLVgwC2hskjUJWUGZ4h9dwBYaws
xxrJQ8Ws1evKgfKej8WwbucuArULWNtCdMlSDdVNe6E
-> ssh-ed25519 +qVung 4fix0OAAyW/34W1HVfc5ivIr8ijqNz0Vz8oWaSY2lyk
8ZAguZR31I0hysn265ELYeYwrLiDx07BepG0w1R8uhU
-> ssh-rsa krWCLQ
vRU5uF64cQZwJrGr0oBRBJFo2mr30pz6yhXwEm4BJjKt/yCCikggPUFTW/KOjnqZ
JcUoLpeDVIk3+FBJl4p3PVRn1pjRUve4vEcNAEjmkVgBwiZWtpfE6vVLn5pIvm+A
nwybTTwMJomDTLDsMOq0Ur+S3rw4Nb6ADqDKhmjlmlaSlTqxUmZoznQduoSSINI/
VJw/+VjwFxsMxdD5swxEAcrDk2rKoQLrfO83PO3HNMX5SmYHHYEaWB0/YeLgvi8a
4OBueRKLWOiy2WUCqtxiQG5XYGYNdgOKIeNLnPNH6RRwFoBz7Zmn2uuQjmysY9h8
lryoR6quxdOTRTL2WwGPAw
-> ssh-ed25519 /vwQcQ 8sOHrthroDrjuL14hij7sPiK9BGlOLzKG1pBe5+HMFw
vQqm96T/H5tINHJxnfi6DYm9YO9UAaj8etmk7K0GJ7U
-> ssh-ed25519 0R97PA Dd3db0zh0/ZUsm3UgsWRbGz9mVvm8s3W2HQkjTM6L3k
/+IRsPs2KoqEYnxmFoKmNc/00jOesKXv33rO4Yx+l68
--- jPrqv7h6AGoqNl1LCOtzXvU4dKK2PnGsj/FqhstbSGw
³»f+`Ï™+á½]&§w=ù¯:í$UQÀ7§ÁÀháÅK©¿UÓÁ1_YßzËË0<C38B>%\<5C>N…Lë0oæö ½Þ¼‰Ï5~¥¼_ ÓZïã7xµ¤[ø\ú¤Úv[o

View file

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 87T2Ig arwhM8DLVpft4PdPw4A6ZoPk5KqXORhE9iDG6etDOzk
ZVNgF/J3YiCTj2lq2280vU95pX36cpH+sT/wRjmExHk
-> ssh-ed25519 K3b7BA fBr1rUtTQVs0LLSR6RVX1eJBEpYs3COyJITpGm4ngi0
jfYyrD/0gh1QCAq8SnsWjUQin3g21NEgCQAlCc6uQ9g
-> ssh-ed25519 +qVung cJEfk9HdCsdVmuhI7OAgWsly4P5o/n9JbPRtsDZ2FVY
MJvfsbd9+pbhG1BwF4xVafqu+LvPy3geN7n9MALFP68
-> ssh-rsa krWCLQ
PuiiAwETSr4SDb4XOtn6AECDJedzd3KfTAsjrq3giwCrjfSqYeTpBaH8mhf4t5D5
fAXHtIoChcZNb1dhxQtP0r4A4cy1faf87XGkOwAeikFv9S8cMjjgZ71sX8g8Srp/
Mjla0+5CVGRsUMcev/t9uMj04qHDtr7swbjLoOPwvCQBUWHZrOA/Fq/T2g9qU32g
YQgxtR3zzseb/vOFHzpWc6fkR8UO0j1H1hyFkJ1XkipeQ5UIwg0g57lsPkNXuZfI
BbKzzg521HChK5ssibITLdtp6piwIpxHUxwSNpLXG8vbT33e24kFEeTZ0QX4NStl
r6U4j3NL1lPChpdSIhy/2Q
-> ssh-ed25519 /vwQcQ Q8Hxbxto0EN1odEFt/dNfeK1l4xSIO9lY/ewYpa1DgY
4jeNmuwK4tvJzX62/x/1aq+L4R6dD61akUmo0+GCICc
-> ssh-ed25519 0R97PA of4aEATYi3ad7nYvexirIErAWbsLOW1ijGPc/IETSCU
qT/O8DIYaMm0MlvS9eVBSe2th16yDHODlT1VgF9iLDI
--- rWScSs0yVovPOWI2zmDTIyLJdBIRlKIPu6jivzty7p8
…ûê<EFBFBD>Ñdß}EmiêKCûy5žL`G×ßÑTÙZ^Q?g2Ì|×ò«S
g2ÿ¶¤F `êà_´ÿjòl ÈÐ1ÝGðˆf€ñW<C3B1>¾Æƒ0ÏùÀðÌ º¼çHÁ)á€
{µ²‚µ\êí<^—#Jþg¤éJˆ‡GßJøh>²2<>´“G%<25>±ÅTra †B

View file

@ -0,0 +1,103 @@
{
nodes,
config,
lib,
pkgs,
...
}:
let
cfg = config.bagel.services.buildbot;
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
inherit (lib) mkEnableOption mkOption mkIf types;
in
{
options.bagel.services.buildbot = {
enable = mkEnableOption "Buildbot";
domain = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
services.nginx.virtualHosts.${cfg.domain} = {
forceSSL = true;
enableACME = true;
};
services.buildbot-nix.worker = {
enable = true;
workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
# All credits to eldritch horrors for this beauty.
workerArchitectures =
{
# nix-eval-jobs runs under a lock, error reports do not (but are cheap)
other = 8;
} // (
lib.filterAttrs
(n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
(lib.zipAttrsWith
(_: lib.foldl' lib.add 0)
(lib.concatMap
(m: map (s: { ${s} = m.maxJobs; }) m.systems)
config.nix.buildMachines))
);
};
services.buildbot-nix.coordinator = {
enable = true;
inherit (cfg) domain;
oauth2 = {
name = "Lix";
clientId = "forkos-buildbot";
clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
resourceEndpoint = "https://identity.lix.systems";
authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
};
workersFile = config.age.secrets.buildbot-workers.path;
allowedOrigins = [
"*.forkos.org"
];
buildSystems = [
"x86_64-linux"
];
gerrit = {
domain = cfgGerrit.canonicalDomain;
# Manually managed account…
# TODO: https://git.lix.systems/the-distro/infra/issues/69
username = "buildbot";
port = cfgGerrit.port;
privateKeyFile = config.age.secrets.buildbot-service-key.path;
projects = [
"buildbot-test"
"nixpkgs"
"infra"
];
};
evalWorkerCount = 6;
evalMaxMemorySize = "4096";
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
};
nix.settings.keep-derivations = true;
nix.gc = {
automatic = true;
dates = "hourly";
};
};
}

View file

@ -8,5 +8,6 @@
./postgres
./forgejo
./baremetal-builder
./buildbot
];
}