infra/services/buildbot/default.nix
raito 4473717e9f gerrit: introduce buildbot checks plugin
It's a modified version of @puck's Lix buildbot checks for
gerrit.lix.systems with a slight generalization in the configuration for
many repositories.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-18 10:56:46 +02:00

{
  nodes,
  config,
  lib,
  pkgs,
  ...
}:
# Buildbot CI host: runs the buildbot-nix coordinator plus a local worker,
# fronts the web UI with an nginx vhost, watches the Gerrit projects listed
# below and farms builds out to the remote builders named in `cfg.builders`.
let
  cfg = config.bagel.services.buildbot;
  # Gerrit connection details are read off the gerrit01 node so the two
  # services cannot drift apart.
  cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
  # Known SSH host keys of every machine; used below to pin the builders.
  ssh-keys = import ../../common/ssh-keys.nix;
  inherit (lib) mkEnableOption mkOption mkIf types;
in
{
  options.bagel.services.buildbot = {
    enable = mkEnableOption "Buildbot";
    # Public hostname of the web UI: both the nginx vhost name and the
    # coordinator's `domain`.
    domain = mkOption {
      type = types.str;
    };
    builders = mkOption {
      type = types.listOf types.str;
      description = "List of builders to configure for Buildbot";
      example = [ "builder-2" "builder-3" ];
    };
  };
  config = mkIf cfg.enable {
    # Only the nginx front end is exposed; nothing else is opened here.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    # Every credential comes from agenix. No `owner`/`mode` is set, so the
    # decrypted files keep agenix's defaults (root-only). That is only correct
    # if the consuming services read them as root or through systemd
    # credentials — NOTE(review): confirm against the buildbot-nix module.
    age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
    age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
    age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
    age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
    age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
    age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
    services.nginx.virtualHosts.${cfg.domain} = {
      forceSSL = true;
      enableACME = true;
      # CORS for the Gerrit UI: one explicit origin is allowed together with
      # credentials (a `*` origin would be rejected by browsers alongside
      # Allow-Credentials). `always` emits the headers on error responses too.
      # NOTE(review): nginx drops server-level add_header in any location that
      # sets its own add_header, and buildbot's `allowedOrigins` below is the
      # wider `*.forkos.org` — check that the two CORS layers agree.
      extraConfig = ''
        add_header Access-Control-Allow-Credentials 'true' always;
        add_header Access-Control-Allow-Origin 'https://cl.forkos.org' always;
      '';
    };
    services.buildbot-nix.worker = {
      enable = true;
      workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
      # All credits to eldritch horrors for this beauty.
      # Worker slots per system, derived from the remote builders: every
      # nix.buildMachines entry contributes { <system> = maxJobs; } for each of
      # its systems, zipAttrsWith/foldl' sums those per system, and filterAttrs
      # keeps only the systems the coordinator is configured to build.
      # `other` is a fixed pool for the non-build jobs.
      workerArchitectures =
        {
          # nix-eval-jobs runs under a lock, error reports do not (but are cheap)
          other = 8;
        } // (
          lib.filterAttrs
            (n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
            (lib.zipAttrsWith
              (_: lib.foldl' lib.add 0)
              (lib.concatMap
                (m: map (s: { ${s} = m.maxJobs; }) m.systems)
                config.nix.buildMachines))
        );
    };
    services.buildbot-nix.coordinator = {
      enable = true;
      inherit (cfg) domain;
      # Web login through the Lix identity provider (Keycloak-style realm
      # endpoints). Only the client secret is sensitive; the client id is public.
      oauth2 = {
        name = "Lix";
        clientId = "forkos-buildbot";
        clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
        resourceEndpoint = "https://identity.lix.systems";
        authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
        tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
      };
      # Presumably the worker name/password list the coordinator accepts
      # connections from — verify against buildbot-nix.
      workersFile = config.age.secrets.buildbot-workers.path;
      # Origins accepted by buildbot's own CORS handling. Wider than the single
      # origin set on the nginx vhost above — NOTE(review): intentional?
      allowedOrigins = [
        "*.forkos.org"
      ];
      # Must agree with `systems` in nix.buildMachines below; the worker's
      # architecture map is filtered against this list.
      buildSystems = [
        "x86_64-linux"
      ];
      gerrit = {
        domain = cfgGerrit.canonicalDomain;
        # Manually managed account…
        # TODO: https://git.lix.systems/the-distro/infra/issues/69
        username = "buildbot";
        port = cfgGerrit.port;
        # SSH key buildbot authenticates to Gerrit with.
        privateKeyFile = config.age.secrets.buildbot-service-key.path;
        # Only changes on these Gerrit projects are picked up.
        projects = [
          "buildbot-test"
          "nixpkgs"
          "infra"
        ];
      };
      evalWorkerCount = 6;
      evalMaxMemorySize = "4096";
      # Key used to sign build outputs — presumably store-path signatures;
      # verify against buildbot-nix.
      signingKeyFile = config.age.secrets.buildbot-signing-key.path;
    };
    nix.distributedBuilds = true;
    # One remote builder per entry in cfg.builders, addressed by the node's
    # FQDN and authenticated with the dedicated buildbot key. The builder's
    # SSH host key is pinned from ssh-keys.nix (nix wants it base64-encoded),
    # so the connection does not rely on trust-on-first-use.
    nix.buildMachines = map (n: {
      hostName = nodes.${n}.config.networking.fqdn;
      protocol = "ssh-ng";
      # Follows Hydra.
      maxJobs = 8;
      sshKey = config.age.secrets.buildbot-remote-builder-key.path;
      sshUser = "buildbot";
      systems = [ "x86_64-linux" ];
      supportedFeatures = nodes.${n}.config.nix.settings.system-features;
      # TODO: fix it, see the Hydra file about it.
      # IFD already exist in NixOS, so it's fine, I guess.
      # Import-from-derivation: a tiny build runs at evaluation time purely to
      # base64-encode the key. The key is spliced into a single-quoted shell
      # word, which is fine as long as ssh-keys.nix stays repo-controlled.
      publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
        buildInputs = [
          pkgs.coreutils
        ];
      } ''
        echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
      '');
    }
    ) cfg.builders;
    # Garbage-collect often, but keep .drv files across collections.
    nix.settings.keep-derivations = true;
    nix.gc = {
      automatic = true;
      dates = "hourly";
    };
  };
}