buildbot: init #68
|
@ -25,7 +25,7 @@
|
||||||
nix.gc = {
|
nix.gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
persistent = true;
|
persistent = true;
|
||||||
dates = "daily";
|
dates = lib.mkDefault "daily";
|
||||||
options = "--delete-older-than 30d";
|
options = "--delete-older-than 30d";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -64,11 +64,11 @@
|
||||||
"treefmt-nix": "treefmt-nix"
|
"treefmt-nix": "treefmt-nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715022238,
|
"lastModified": 1721229951,
|
||||||
"narHash": "sha256-sDD6WWJXJ/1j07aQE0RAUlrQBekXABtEKm7gtaTN45w=",
|
"narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=",
|
||||||
"ref": "refs/heads/refactor",
|
"ref": "refs/heads/refactor",
|
||||||
"rev": "d5e3345097cdda5c74bccddb27abb5b5c84eff5b",
|
"rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a",
|
||||||
"revCount": 257,
|
"revCount": 262,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -13,6 +13,15 @@ let
|
||||||
loki-environment = [ machines.meta01 ];
|
loki-environment = [ machines.meta01 ];
|
||||||
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
|
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
|
||||||
|
|
||||||
|
buildbot-worker-password = [ machines.buildbot ];
|
||||||
|
buildbot-oauth-secret = [ machines.buildbot ];
|
||||||
|
buildbot-workers = [ machines.buildbot ];
|
||||||
|
# Private SSH key to Gerrit
|
||||||
|
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
||||||
|
buildbot-service-key = [ machines.buildbot ];
|
||||||
|
# Signing key for Buildbot's specific cache
|
||||||
|
buildbot-signing-key = [ machines.buildbot ];
|
||||||
|
|
||||||
# These are the same password, but nginx wants it in htpasswd format
|
# These are the same password, but nginx wants it in htpasswd format
|
||||||
metrics-push-htpasswd = [ machines.meta01 ];
|
metrics-push-htpasswd = [ machines.meta01 ];
|
||||||
metrics-push-password = builtins.attrValues machines;
|
metrics-push-password = builtins.attrValues machines;
|
||||||
|
|
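Review bot: The new entries `buildbot-worker-password`, `buildbot-oauth-secret` and `buildbot-workers` carry no comment, unlike the service key and signing key added in the same hunk. Judging by how the service module consumes them, `buildbot-workers` looks like the coordinator's worker list and `buildbot-worker-password` the local worker's credential, so the two presumably have to be rotated together. A line such as `# Must match the worker password stored in buildbot-workers` above `buildbot-worker-password`, in the style of the existing metrics-push comment, would make that dependency visible to whoever rotates these secrets. The file header for this hunk is not shown on the page, so the file is inferred to be the secrets recipient map.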
20
secrets/buildbot-oauth-secret.age
Normal file
20
secrets/buildbot-oauth-secret.age
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 87T2Ig vfLpqc38U9RwGG1QmSSl5YTXcOU0eoTrpmBjVpP+9xE
|
||||||
|
XbCUtuC9G9zSyVIgUmH0TO2sdH/3YjAf1erstVAUnHQ
|
||||||
|
-> ssh-ed25519 K3b7BA zk89m8PXhx59Jf7ovoSvASaaOZqMQxiGMEB/ZF2iFFs
|
||||||
|
pCfQv3PRw0IMjjXnjTxasVaAZVdfrRhmiRDVK3Pr2GI
|
||||||
|
-> ssh-ed25519 +qVung ry8P1mOJwSHAXk9XaNGOLRLH2Q6QIxTueoBz+IcS/0M
|
||||||
|
q9JsGjlS7HQqscAvOO2aSWlH3ruQC5ozDCkDBwp7g0o
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
DG2BpVdLziPUuo2HJfzDg/+aqugaOTfmVV+hEFjRV/B9pX90WnLCxp0lNpeNpTdU
|
||||||
|
v889q7ojKs6jHuJGsUwUPy29Jn9PHOecE/gpcRTt6BI4/2JiwF2brLV+dVbWSOEv
|
||||||
|
6lf9ecjmbJ/vbHnh94Aqa6kfBREazsZSYPGTAwNdcOdHRsoiK1PKCJmxPvZnfGuY
|
||||||
|
o6144GTqTIGnxvbdlJ7XPzS8KEoP0SfPb2PFhfq6+z4JPdm116rhXIErPZNcQynP
|
||||||
|
y0f/TRJPSu5QZ2YzZmwyBTpUqSQx1MWrY/5T3e0cCLY6d2E6evbnPb8eauJl3XHd
|
||||||
|
I/kqqFKigixDBUPNlwW19Q
|
||||||
|
-> ssh-ed25519 /vwQcQ Q1589zmSRC/Wvgi1TUfsr6itT7QvBpqsNteNmPhHtHs
|
||||||
|
Gt3/5u8NW8dcJubLZuiBQjwPIfLNbFQNIAk5+MIoSo0
|
||||||
|
-> ssh-ed25519 0R97PA j2DEcmdRz8hOGvkwn6r/6vqPTdNo2AtZKSAjBdQ2n1Y
|
||||||
|
+w7ky1+gP0O93DXeADjMdBu43Dxno1meh7idgjNdojg
|
||||||
|
--- 2exgH3r1FIdc2mrQEC0XQmqO3r1bfKZdjWZttrilThE
|
||||||
|
œ]†‰,A`ç‚Øõ€ýï`ã…Š'&±T£ÇöŸ¸}q1à\K”ðì°7íKÏ'KóßÞ`lx›³‡F
i¸ì#÷
|
BIN
secrets/buildbot-service-key.age
Normal file
BIN
secrets/buildbot-service-key.age
Normal file
Binary file not shown.
BIN
secrets/buildbot-signing-key.age
Normal file
BIN
secrets/buildbot-signing-key.age
Normal file
Binary file not shown.
20
secrets/buildbot-worker-password.age
Normal file
20
secrets/buildbot-worker-password.age
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 87T2Ig y4P08L2yYSjVcWdbRCqWSCM+WcgqXpxOwr1Ip2Ipd3Q
|
||||||
|
7C/3MXVbAX0HIdEULKu0bc9q2U+4mPDiDb2l5rRwBI4
|
||||||
|
-> ssh-ed25519 K3b7BA wl46ZMqLHMOTG3RojLVgwC2hskjUJWUGZ4h9dwBYaws
|
||||||
|
xxrJQ8Ws1evKgfKej8WwbucuArULWNtCdMlSDdVNe6E
|
||||||
|
-> ssh-ed25519 +qVung 4fix0OAAyW/34W1HVfc5ivIr8ijqNz0Vz8oWaSY2lyk
|
||||||
|
8ZAguZR31I0hysn265ELYeYwrLiDx07BepG0w1R8uhU
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
vRU5uF64cQZwJrGr0oBRBJFo2mr30pz6yhXwEm4BJjKt/yCCikggPUFTW/KOjnqZ
|
||||||
|
JcUoLpeDVIk3+FBJl4p3PVRn1pjRUve4vEcNAEjmkVgBwiZWtpfE6vVLn5pIvm+A
|
||||||
|
nwybTTwMJomDTLDsMOq0Ur+S3rw4Nb6ADqDKhmjlmlaSlTqxUmZoznQduoSSINI/
|
||||||
|
VJw/+VjwFxsMxdD5swxEAcrDk2rKoQLrfO83PO3HNMX5SmYHHYEaWB0/YeLgvi8a
|
||||||
|
4OBueRKLWOiy2WUCqtxiQG5XYGYNdgOKIeNLnPNH6RRwFoBz7Zmn2uuQjmysY9h8
|
||||||
|
lryoR6quxdOTRTL2WwGPAw
|
||||||
|
-> ssh-ed25519 /vwQcQ 8sOHrthroDrjuL14hij7sPiK9BGlOLzKG1pBe5+HMFw
|
||||||
|
vQqm96T/H5tINHJxnfi6DYm9YO9UAaj8etmk7K0GJ7U
|
||||||
|
-> ssh-ed25519 0R97PA Dd3db0zh0/ZUsm3UgsWRbGz9mVvm8s3W2HQkjTM6L3k
|
||||||
|
/+IRsPs2KoqEYnxmFoKmNc/00jOesKXv33rO4Yx+l68
|
||||||
|
--- jPrqv7h6AGoqNl1LCOtzXvU4dKK2PnGsj/FqhstbSGw
|
||||||
|
³»f+`Ï™+á½]&§w=ù¯:í$UQÀ7§ÁÀháÅK©¿U‚ÓÁ1_YßzËË0<C38B>%\<5C>N…Lë0oæö
½Þ¼‰Ï5~¥¼_
ÓZïã7xµ¤[ø\ú¤Úv[‹o
|
22
secrets/buildbot-workers.age
Normal file
22
secrets/buildbot-workers.age
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 87T2Ig arwhM8DLVpft4PdPw4A6ZoPk5KqXORhE9iDG6etDOzk
|
||||||
|
ZVNgF/J3YiCTj2lq2280vU95pX36cpH+sT/wRjmExHk
|
||||||
|
-> ssh-ed25519 K3b7BA fBr1rUtTQVs0LLSR6RVX1eJBEpYs3COyJITpGm4ngi0
|
||||||
|
jfYyrD/0gh1QCAq8SnsWjUQin3g21NEgCQAlCc6uQ9g
|
||||||
|
-> ssh-ed25519 +qVung cJEfk9HdCsdVmuhI7OAgWsly4P5o/n9JbPRtsDZ2FVY
|
||||||
|
MJvfsbd9+pbhG1BwF4xVafqu+LvPy3geN7n9MALFP68
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
PuiiAwETSr4SDb4XOtn6AECDJedzd3KfTAsjrq3giwCrjfSqYeTpBaH8mhf4t5D5
|
||||||
|
fAXHtIoChcZNb1dhxQtP0r4A4cy1faf87XGkOwAeikFv9S8cMjjgZ71sX8g8Srp/
|
||||||
|
Mjla0+5CVGRsUMcev/t9uMj04qHDtr7swbjLoOPwvCQBUWHZrOA/Fq/T2g9qU32g
|
||||||
|
YQgxtR3zzseb/vOFHzpWc6fkR8UO0j1H1hyFkJ1XkipeQ5UIwg0g57lsPkNXuZfI
|
||||||
|
BbKzzg521HChK5ssibITLdtp6piwIpxHUxwSNpLXG8vbT33e24kFEeTZ0QX4NStl
|
||||||
|
r6U4j3NL1lPChpdSIhy/2Q
|
||||||
|
-> ssh-ed25519 /vwQcQ Q8Hxbxto0EN1odEFt/dNfeK1l4xSIO9lY/ewYpa1DgY
|
||||||
|
4jeNmuwK4tvJzX62/x/1aq+L4R6dD61akUmo0+GCICc
|
||||||
|
-> ssh-ed25519 0R97PA of4aEATYi3ad7nYvexirIErAWbsLOW1ijGPc/IETSCU
|
||||||
|
qT/O8DIYaMm0MlvS9eVBSe2th16yDHODlT1VgF9iLDI
|
||||||
|
--- rWScSs0yVovPOWI2zmDTIyLJdBIRlKIPu6jivzty7p8
|
||||||
|
…ûê<EFBFBD>Ñdß}EmiêKCûy5žL`G×ßÑTÙZ^Q?g2Ì|×ò«S
|
||||||
|
g2ÿ¶¤F`êà_´ÿjòl
ÈÐ1ÝGðˆf€ñW<C3B1>¾Æƒ0ÏùÀðÌ º¼çHÁ)á€
|
||||||
|
{µ²‚µ\êÃ<^—#Jþg¤éJJ¹ˆ‡GßJøh>²2…<>´“G%<25>±ÅTra†B
|
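--- /dev/null
+++ b/services/buildbot/default.nix
@@ -0,0 +1,103 @@
+{
+nodes,
+config,
+lib,
+pkgs,
+...
+}:
+let
+cfg = config.bagel.services.buildbot;
+cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+inherit (lib) mkEnableOption mkOption mkIf types;
+in
+{
+options.bagel.services.buildbot = {
+enable = mkEnableOption "Buildbot";
+domain = mkOption {
+type = types.str;
+};
+};
+
+config = mkIf cfg.enable {
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
+age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
+age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
+age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
+age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+
+services.nginx.virtualHosts.${cfg.domain} = {
+forceSSL = true;
+enableACME = true;
+};
+
+services.buildbot-nix.worker = {
+enable = true;
+workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
+# All credits to eldritch horrors for this beauty.
+workerArchitectures =
+{
+# nix-eval-jobs runs under a lock, error reports do not (but are cheap)
+other = 8;
+} // (
+lib.filterAttrs
+(n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
+(lib.zipAttrsWith
+(_: lib.foldl' lib.add 0)
+(lib.concatMap
+(m: map (s: { ${s} = m.maxJobs; }) m.systems)
+config.nix.buildMachines))
+);
+};
+
+services.buildbot-nix.coordinator = {
+enable = true;
+
+inherit (cfg) domain;
+
+oauth2 = {
+name = "Lix";
+clientId = "forkos-buildbot";
+clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
+resourceEndpoint = "https://identity.lix.systems";
+authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+};
+
+workersFile = config.age.secrets.buildbot-workers.path;
+
+allowedOrigins = [
+"*.forkos.org"
+];
+
+buildSystems = [
+"x86_64-linux"
+];
+
+gerrit = {
+domain = cfgGerrit.canonicalDomain;
+# Manually managed account…
+# TODO: https://git.lix.systems/the-distro/infra/issues/69
+username = "buildbot";
+port = cfgGerrit.port;
+privateKeyFile = config.age.secrets.buildbot-service-key.path;
+projects = [
+"buildbot-test"
+"nixpkgs"
+"infra"
+];
+};
+
+evalWorkerCount = 6;
+evalMaxMemorySize = "4096";
+
+signingKeyFile = config.age.secrets.buildbot-signing-key.path;
+};
+
+nix.settings.keep-derivations = true;
+nix.gc = {
+automatic = true;
+dates = "hourly";
+};
+};
+}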
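Review bot: `allowedOrigins = [ "*.forkos.org" ];` in the coordinator block accepts every host under forkos.org as a trusted origin, so a page served from any other subdomain would be treated like the Buildbot UI itself. Assuming this option feeds Buildbot's origin allow-list for its web API, a script-injection flaw or takeover on an unrelated forkos.org host would then reach an instance that also holds the Gerrit service key and the cache signing key. I would list only the origins that need browser access, for example `allowedOrigins = [ cfg.domain ];`, adding the Gerrit host only if its UI calls Buildbot directly. A comment above the list stating why each entry is present would help later reviewers keep it narrow.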
|
@ -8,5 +8,6 @@
|
||||||
./postgres
|
./postgres
|
||||||
./forgejo
|
./forgejo
|
||||||
./baremetal-builder
|
./baremetal-builder
|
||||||
|
./buildbot
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|