Improve Nix code and docs

Signed-off-by: magic_rb <richard@brezak.sk>
magic_rb 2024-06-02 16:13:38 +02:00 committed by Mic92
parent 475fbf3952
commit 4f6d08a33d
4 changed files with 54 additions and 30 deletions


@ -66,16 +66,32 @@ We have the following two roles:
### Integration with GitHub ### Integration with GitHub
To integrate with GitHub: #### GitHub App
To integrate with GitHub using app authentication:
1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user
authentication on the Buildbot dashboard.
2. **GitHub App private key**: Get the app private key and app ID from GitHub,
configure using the buildbot-nix NixOS module.
3. **Install App**: Install the for an organization or specific user.
4. **Refresh GitHub Projects**: Currently buildbot-nix doesn't respond to
changes (new repositories or installations) automatically, it is therefore
necessary to manually trigger a reload or wait for the next periodic reload.
#### Legacy Token Auth
To integrate with GitHub using legacy token authentication:
1. **GitHub Token**: Obtain a GitHub token with `admin:repo_hook` and `repo` 1. **GitHub Token**: Obtain a GitHub token with `admin:repo_hook` and `repo`
permissions. For GitHub organizations, it's advisable to create a separate permissions. For GitHub organizations, it's advisable to create a separate
GitHub user for managing repository webhooks. GitHub user for managing repository webhooks.
#### Optional when using GitHub login ### Optional when using GitHub login
1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user 1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user
authentication on the Buildbot dashboard. authentication on the Buildbot dashboard. (can be the same as for GitHub App
auth)
2. **OAuth Credentials**: After installing the app, generate OAuth credentials 2. **OAuth Credentials**: After installing the app, generate OAuth credentials
and configure them in the buildbot-nix NixOS module. Set the callback url to and configure them in the buildbot-nix NixOS module. Set the callback url to
`https://<your-domain>/auth/login`. `https://<your-domain>/auth/login`.


@ -22,10 +22,13 @@
# Github user used as a CI identity # Github user used as a CI identity
user = "mic92-buildbot"; user = "mic92-buildbot";
authType.legacy = { authType.legacy = {
enable = true;
# Github token of the same user # Github token of the same user
tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000"; # FIXME: replace this with a secret not stored in the nix store tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000"; # FIXME: replace this with a secret not stored in the nix store
}; };
# authType.app = {
# id = "00000000000000000"; # FIXME: replace with App ID obtained from GitHub
# secretKeyFile = pkgs.writeText "app-secret.key" "00000000000000000000"; # FIXME: replace with App secret key obtained from GitHub
# };
# A random secret used to verify incoming webhooks from GitHub # A random secret used to verify incoming webhooks from GitHub
# buildbot-nix will set up a webhook for each project in the organization # buildbot-nix will set up a webhook for each project in the organization
webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000"; # FIXME: replace this with a secret not stored in the nix store webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000"; # FIXME: replace this with a secret not stored in the nix store
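Review bot: The commented-out `authType.app` block near the end of this hunk sets `id` to a quoted string, but the module in this same commit declares `authType.app.id` with `lib.types.int`, so uncommenting the example as written would fail option type-checking. Use an unquoted integer placeholder instead, e.g. `# id = 0; # FIXME: replace with App ID obtained from GitHub`, so the example mirrors what the module accepts. The `secretKeyFile` line likewise passes a `pkgs.writeText` derivation while the module declares that option as `lib.types.str` rather than `lib.types.path` like `tokenFile`; I would expect this to be rejected or at least behave differently from the token file, so it is worth checking both the example and the option type together. The enclosing `github = { ... }` attribute set starts before this hunk.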


@ -17,7 +17,6 @@
admins = [ "Mic92" ]; admins = [ "Mic92" ];
github = { github = {
authType.legacy = { authType.legacy = {
enable = true;
tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000"; tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
}; };
webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000"; webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";


@ -124,25 +124,29 @@ in
default = cfg.authBackend == "github"; default = cfg.authBackend == "github";
}; };
authType = { authType = lib.mkOption {
legacy = { type = lib.types.attrTag {
enable = lib.mkEnableOption ""; legacy = lib.mkOption {
tokenFile = lib.mkOption { description = "GitHub legacy auth backend";
type = lib.types.submodule {
options.tokenFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = "Github token file"; description = "Github token file";
}; };
}; };
};
app = { app = lib.mkOption {
enable = lib.mkEnableOption ""; description = "GitHub legacy auth backend";
id = lib.mkOption { type = lib.types.submodule {
options.id = lib.mkOption {
type = lib.types.int; type = lib.types.int;
description = '' description = ''
GitHub app ID. GitHub app ID.
''; '';
}; };
secretKeyFile = lib.mkOption { options.secretKeyFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = '' description = ''
GitHub app secret key file location. GitHub app secret key file location.
@ -150,6 +154,8 @@ in
}; };
}; };
}; };
};
};
webhookSecretFile = lib.mkOption { webhookSecretFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
@ -311,9 +317,9 @@ in
buildbot_user=${builtins.toJSON cfg.github.user}, buildbot_user=${builtins.toJSON cfg.github.user},
topic=${builtins.toJSON cfg.github.topic}, topic=${builtins.toJSON cfg.github.topic},
auth_type=${ auth_type=${
if cfg.github.authType.legacy.enable then if cfg.github.authType ? "legacy" then
''AuthTypeLegacy()'' ''AuthTypeLegacy()''
else if cfg.github.authType.app.enable then else if cfg.github.authType ? "app" then
'' ''
AuthTypeApp( AuthTypeApp(
app_id=${toString cfg.github.authType.app.id}, app_id=${toString cfg.github.authType.app.id},
@ -405,10 +411,10 @@ in
++ lib.optionals (cfg.github.enable) ([ ++ lib.optionals (cfg.github.enable) ([
"github-webhook-secret:${cfg.github.webhookSecretFile}" "github-webhook-secret:${cfg.github.webhookSecretFile}"
] ]
++ lib.optionals (cfg.github.authType.legacy.enable) [ ++ lib.optionals (cfg.github.authType ? "legacy") [
"github-token:${cfg.github.authType.legacy.tokenFile}" "github-token:${cfg.github.authType.legacy.tokenFile}"
] ]
++ lib.optionals (cfg.github.authType.app.enable) [ ++ lib.optionals (cfg.github.authType ? "app") [
"github-app-secret-key:${cfg.github.authType.app.secretKeyFile}" "github-app-secret-key:${cfg.github.authType.app.secretKeyFile}"
]) ])
++ lib.optionals cfg.gitea.enable [ ++ lib.optionals cfg.gitea.enable [
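Review bot: In the `attrTag` hunk (`@ -124,25 +124,29 @@`) the new `app` tag carries `description = "GitHub legacy auth backend";`, a copy of the `legacy` tag's text; it should read `description = "GitHub app auth backend";`. In the same hunk `options.secretKeyFile` keeps `lib.types.str` while the sibling `tokenFile` is `lib.types.path`, even though both are consumed identically as `name:${file}` credential entries in the last hunk, so aligning `secretKeyFile` on `lib.types.path` would make the two credentials accept the same kinds of values. The `options` set these tags live in begins before the first hunk. Since `attrTag` admits exactly one tag, the trailing `else` after the `cfg.github.authType ? "app"` test in the `auth_type=` hunk is presumably unreachable for a well-typed config; a one-line comment such as `# unreachable: attrTag guarantees exactly one of legacy/app` would spare the next reader the question.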