Improve Nix code and docs

Signed-off-by: magic_rb <richard@brezak.sk>
This commit is contained in:
magic_rb 2024-06-02 16:13:38 +02:00 committed by Mic92
parent 475fbf3952
commit 4f6d08a33d
4 changed files with 54 additions and 30 deletions

View file

@ -66,16 +66,32 @@ We have the following two roles:
### Integration with GitHub
To integrate with GitHub:
#### GitHub App
To integrate with GitHub using app authentication:
1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user
authentication on the Buildbot dashboard.
2. **GitHub App private key**: Get the app private key and app ID from GitHub,
configure using the buildbot-nix NixOS module.
3. **Install App**: Install the for an organization or specific user.
4. **Refresh GitHub Projects**: Currently buildbot-nix doesn't respond to
changes (new repositories or installations) automatically, it is therefore
necessary to manually trigger a reload or wait for the next periodic reload.
#### Legacy Token Auth
To integrate with GitHub using legacy token authentication:
1. **GitHub Token**: Obtain a GitHub token with `admin:repo_hook` and `repo`
permissions. For GitHub organizations, it's advisable to create a separate
GitHub user for managing repository webhooks.
#### Optional when using GitHub login
### Optional when using GitHub login
1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user
authentication on the Buildbot dashboard.
authentication on the Buildbot dashboard. (can be the same as for GitHub App
auth)
2. **OAuth Credentials**: After installing the app, generate OAuth credentials
and configure them in the buildbot-nix NixOS module. Set the callback url to
`https://<your-domain>/auth/login`.

View file

@ -22,10 +22,13 @@
# Github user used as a CI identity
user = "mic92-buildbot";
authType.legacy = {
enable = true;
# Github token of the same user
tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000"; # FIXME: replace this with a secret not stored in the nix store
};
# authType.app = {
# id = "00000000000000000"; # FIXME: replace with App ID obtained from GitHub
# secretKeyFile = pkgs.writeText "app-secret.key" "00000000000000000000"; # FIXME: replace with App secret key obtained from GitHub
# };
# A random secret used to verify incoming webhooks from GitHub
# buildbot-nix will set up a webhook for each project in the organization
webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000"; # FIXME: replace this with a secret not stored in the nix store

View file

@ -17,7 +17,6 @@
admins = [ "Mic92" ];
github = {
authType.legacy = {
enable = true;
tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
};
webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";

View file

@ -124,25 +124,29 @@ in
default = cfg.authBackend == "github";
};
authType = {
legacy = {
enable = lib.mkEnableOption "";
tokenFile = lib.mkOption {
authType = lib.mkOption {
type = lib.types.attrTag {
legacy = lib.mkOption {
description = "GitHub legacy auth backend";
type = lib.types.submodule {
options.tokenFile = lib.mkOption {
type = lib.types.path;
description = "Github token file";
};
};
};
app = {
enable = lib.mkEnableOption "";
id = lib.mkOption {
app = lib.mkOption {
description = "GitHub legacy auth backend";
type = lib.types.submodule {
options.id = lib.mkOption {
type = lib.types.int;
description = ''
GitHub app ID.
'';
};
secretKeyFile = lib.mkOption {
options.secretKeyFile = lib.mkOption {
type = lib.types.str;
description = ''
GitHub app secret key file location.
@ -150,6 +154,8 @@ in
};
};
};
};
};
webhookSecretFile = lib.mkOption {
type = lib.types.path;
@ -311,9 +317,9 @@ in
buildbot_user=${builtins.toJSON cfg.github.user},
topic=${builtins.toJSON cfg.github.topic},
auth_type=${
if cfg.github.authType.legacy.enable then
if cfg.github.authType ? "legacy" then
''AuthTypeLegacy()''
else if cfg.github.authType.app.enable then
else if cfg.github.authType ? "app" then
''
AuthTypeApp(
app_id=${toString cfg.github.authType.app.id},
@ -405,10 +411,10 @@ in
++ lib.optionals (cfg.github.enable) ([
"github-webhook-secret:${cfg.github.webhookSecretFile}"
]
++ lib.optionals (cfg.github.authType.legacy.enable) [
++ lib.optionals (cfg.github.authType ? "legacy") [
"github-token:${cfg.github.authType.legacy.tokenFile}"
]
++ lib.optionals (cfg.github.authType.app.enable) [
++ lib.optionals (cfg.github.authType ? "app") [
"github-app-secret-key:${cfg.github.authType.app.secretKeyFile}"
])
++ lib.optionals cfg.gitea.enable [