From 4f6d08a33d09a6ae5e51129ba3b0d273b33989c6 Mon Sep 17 00:00:00 2001 From: magic_rb Date: Sun, 2 Jun 2024 16:13:38 +0200 Subject: [PATCH] Improve Nix code and docs Signed-off-by: magic_rb --- README.md | 22 ++++++++++++++--- examples/master.nix | 5 +++- nix/checks/master.nix | 1 - nix/master.nix | 56 ++++++++++++++++++++++++------------------- 4 files changed, 54 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 79ebc66..a8e30df 100644 --- a/README.md +++ b/README.md @@ -66,16 +66,32 @@ We have the following two roles: ### Integration with GitHub -To integrate with GitHub: +#### GitHub App + +To integrate with GitHub using app authentication: + +1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user + authentication on the Buildbot dashboard. +2. **GitHub App private key**: Get the app private key and app ID from GitHub, + configure using the buildbot-nix NixOS module. +3. **Install App**: Install the for an organization or specific user. +4. **Refresh GitHub Projects**: Currently buildbot-nix doesn't respond to + changes (new repositories or installations) automatically, it is therefore + necessary to manually trigger a reload or wait for the next periodic reload. + +#### Legacy Token Auth + +To integrate with GitHub using legacy token authentication: 1. **GitHub Token**: Obtain a GitHub token with `admin:repo_hook` and `repo` permissions. For GitHub organizations, it's advisable to create a separate GitHub user for managing repository webhooks. -#### Optional when using GitHub login +### Optional when using GitHub login 1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user - authentication on the Buildbot dashboard. + authentication on the Buildbot dashboard. (can be the same as for GitHub App + auth) 2. **OAuth Credentials**: After installing the app, generate OAuth credentials and configure them in the buildbot-nix NixOS module. Set the callback url to `https:///auth/login`. 
diff --git a/examples/master.nix b/examples/master.nix
index de5cc4f..8d9e366 100644
--- a/examples/master.nix
+++ b/examples/master.nix
@@ -22,10 +22,13 @@
 # Github user used as a CI identity
 user = "mic92-buildbot";
 authType.legacy = {
- enable = true;
 # Github token of the same user
 tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000"; # FIXME: replace this with a secret not stored in the nix store
 };
+ # authType.app = {
+ # id = "00000000000000000"; # FIXME: replace with App ID obtained from GitHub
+ # secretKeyFile = pkgs.writeText "app-secret.key" "00000000000000000000"; # FIXME: replace with App secret key obtained from GitHub
+ # };
 # A random secret used to verify incoming webhooks from GitHub
 # buildbot-nix will set up a webhook for each project in the organization
 webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000"; # FIXME: replace this with a secret not stored in the nix store
diff --git a/nix/checks/master.nix b/nix/checks/master.nix
index 9c06c2c..8b43e88 100644
--- a/nix/checks/master.nix
+++ b/nix/checks/master.nix
@@ -17,7 +17,6 @@
 admins = [ "Mic92" ];
 github = {
 authType.legacy = {
- enable = true;
 tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
 };
 webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";
diff --git a/nix/master.nix b/nix/master.nix
index 73d2602..5ad12e8 100644
--- a/nix/master.nix
+++ b/nix/master.nix
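Review bot: The commented-out `authType.app` example in examples/master.nix sets `id = "00000000000000000"`, a string, while the module in nix/master.nix (same patch) declares `options.id` with `type = lib.types.int`, so uncommenting the block as written fails the option type check. Use an integer placeholder instead: `#   id = 0; # FIXME: replace with App ID obtained from GitHub`. Since `authType` is now an `attrTag`, the `legacy` block must also be removed when `app` is enabled, which the example does not say; a one-line comment such as `# Exactly one of authType.legacy or authType.app may be set` above the block would prevent the otherwise opaque evaluation error.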
@@ -124,29 +124,35 @@ in
 default = cfg.authBackend == "github";
 };
- authType = {
- legacy = {
- enable = lib.mkEnableOption "";
- tokenFile = lib.mkOption {
- type = lib.types.path;
- description = "Github token file";
- };
- };
-
- app = {
- enable = lib.mkEnableOption "";
- id = lib.mkOption {
- type = lib.types.int;
- description = ''
- GitHub app ID.
- '';
+ authType = lib.mkOption {
+ type = lib.types.attrTag {
+ legacy = lib.mkOption {
+ description = "GitHub legacy auth backend";
+ type = lib.types.submodule {
+ options.tokenFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Github token file";
+ };
+ };
 };
- secretKeyFile = lib.mkOption {
- type = lib.types.str;
- description = ''
- GitHub app secret key file location.
- '';
+ app = lib.mkOption {
+ description = "GitHub legacy auth backend";
+ type = lib.types.submodule {
+ options.id = lib.mkOption {
+ type = lib.types.int;
+ description = ''
+ GitHub app ID.
+ '';
+ };
+
+ options.secretKeyFile = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ GitHub app secret key file location.
+ '';
+ };
+ };
 };
 };
 };
@@ -311,9 +317,9 @@ in
 buildbot_user=${builtins.toJSON cfg.github.user},
 topic=${builtins.toJSON cfg.github.topic},
 auth_type=${
- if cfg.github.authType.legacy.enable then
+ if cfg.github.authType ? "legacy" then
 ''AuthTypeLegacy()''
- else if cfg.github.authType.app.enable then
+ else if cfg.github.authType ? "app" then
 ''
 AuthTypeApp(
 app_id=${toString cfg.github.authType.app.id},
@@ -405,10 +411,10 @@ in
 ++ lib.optionals (cfg.github.enable) ([
 "github-webhook-secret:${cfg.github.webhookSecretFile}"
 ]
- ++ lib.optionals (cfg.github.authType.legacy.enable) [
+ ++ lib.optionals (cfg.github.authType ? "legacy") [
 "github-token:${cfg.github.authType.legacy.tokenFile}"
 ]
- ++ lib.optionals (cfg.github.authType.app.enable) [
+ ++ lib.optionals (cfg.github.authType ? "app") [
 "github-app-secret-key:${cfg.github.authType.app.secretKeyFile}"
 ])
 ++ lib.optionals cfg.gitea.enable [
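Review bot: The new `app` tag in the first nix/master.nix hunk carries a copy-pasted `description = "GitHub legacy auth backend";`, which is what the `legacy` tag already says; it should read `description = "GitHub app auth backend";`. The two submodules also type their secret differently (`tokenFile` is `lib.types.path`, `secretKeyFile` is `lib.types.str`); if that is deliberate, because a `path` value can end up copied into the world-readable Nix store while a `str` cannot, the `secretKeyFile` description should say the file is read at runtime and must live outside the store, and the same caveat arguably belongs on `tokenFile`. Switching to `attrTag` also drops the `enable` sub-options, so any existing configuration setting `authType.legacy.enable = true` now fails evaluation; the README hunk in this patch does not mention the migration, and a short note there would save users a confusing error.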
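Review bot: `cfg.github.authType ? "legacy"` in the second nix/master.nix hunk reads an option that the new declaration gives no `default`, so the expression throws "option used but not defined" whenever `authType` is unset; the previous `mkEnableOption` sub-options defaulted to `false` and evaluated cleanly. The enclosing string begins and ends outside the hunk, so I cannot tell whether it is rendered only when `cfg.github.enable` is true, as the third hunk's `lib.optionals (cfg.github.enable)` guard is; if it is not, a gitea-only setup would now fail to evaluate. Either wrap the `auth_type=` rendering in the same `cfg.github.enable` guard, or document on the option that `authType` is mandatory once `github.enable` is set.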