make it possible to disable github
This commit is contained in:
Jörg Thalheim
parent
5d2711a587
commit
6ae08b645c
|
|
@ -32,8 +32,7 @@ from .secrets import read_secret_file
|
|||
@dataclass
|
||||
class GiteaConfig:
|
||||
instance_url: str
|
||||
oauth_id: str
|
||||
admins: list[str]
|
||||
oauth_id: str | None
|
||||
|
||||
oauth_secret_name: str = "gitea-oauth-secret"
|
||||
token_secret_name: str = "gitea-token"
|
||||
|
|
@ -183,6 +182,7 @@ class GiteaBackend(GitBackend):
|
|||
return None
|
||||
|
||||
def create_auth(self) -> AuthBase:
|
||||
assert self.config.oauth_id is not None, "Gitea requires an OAuth ID to be set"
|
||||
return GiteaAuth(
|
||||
"https://" + self.config.instance_url,
|
||||
self.config.oauth_id,
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ class ReloadGithubProjects(BuildStep):
|
|||
|
||||
@dataclass
|
||||
class GithubConfig:
|
||||
oauth_id: str
|
||||
oauth_id: str | None
|
||||
|
||||
# TODO unused
|
||||
buildbot_user: str
|
||||
|
|
@ -121,6 +121,7 @@ class GithubBackend(GitBackend):
|
|||
return AvatarGitHub(token=self.config.token())
|
||||
|
||||
def create_auth(self) -> AuthBase:
|
||||
assert self.config.oauth_id is not None, "GitHub OAuth ID is required"
|
||||
return GitHubAuth(
|
||||
self.config.oauth_id,
|
||||
read_secret_file(self.config.oauth_secret_name),
|
||||
|
|
|
|||
176
nix/master.nix
176
nix/master.nix
|
|
@ -5,16 +5,25 @@
|
|||
}:
|
||||
let
|
||||
cfg = config.services.buildbot-nix.master;
|
||||
inherit
|
||||
(lib)
|
||||
mkRenamedOptionModule
|
||||
;
|
||||
inherit (lib) mkRenamedOptionModule;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "buildbot-nix" "master" "github" "admins" ]
|
||||
[ "services" "buildbot-nix" "master" "admins" ])
|
||||
[
|
||||
"services"
|
||||
"buildbot-nix"
|
||||
"master"
|
||||
"github"
|
||||
"admins"
|
||||
]
|
||||
[
|
||||
"services"
|
||||
"buildbot-nix"
|
||||
"master"
|
||||
"admins"
|
||||
]
|
||||
)
|
||||
];
|
||||
|
||||
options = {
|
||||
|
|
@ -26,7 +35,11 @@ in
|
|||
description = "Postgresql database url";
|
||||
};
|
||||
authBackend = lib.mkOption {
|
||||
type = lib.types.enum [ "github" "gitea" "none" ];
|
||||
type = lib.types.enum [
|
||||
"github"
|
||||
"gitea"
|
||||
"none"
|
||||
];
|
||||
default = "github";
|
||||
description = ''
|
||||
Which OAuth2 backend to use.
|
||||
|
|
@ -52,7 +65,9 @@ in
|
|||
};
|
||||
};
|
||||
gitea = {
|
||||
enable = lib.mkEnableOption "Enable Gitea integration";
|
||||
enable = lib.mkEnableOption "Enable Gitea integration" // {
|
||||
default = cfg.authBackend == "gitea";
|
||||
};
|
||||
|
||||
tokenFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
|
|
@ -60,19 +75,21 @@ in
|
|||
};
|
||||
webhookSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Github webhook secret file";
|
||||
description = "Gitea webhook secret file";
|
||||
};
|
||||
oauthSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = "Gitea oauth secret file";
|
||||
};
|
||||
|
||||
instanceURL = lib.mkOption {
|
||||
instanceUrl = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Gitea instance URL";
|
||||
};
|
||||
oauthId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Gitea oauth id. Used for the login button";
|
||||
};
|
||||
topic = lib.mkOption {
|
||||
|
|
@ -85,7 +102,9 @@ in
|
|||
};
|
||||
};
|
||||
github = {
|
||||
disable = lib.mkEnableOption "Disable GitHub integration";
|
||||
enable = lib.mkEnableOption "Enable GitHub integration" // {
|
||||
default = cfg.authBackend == "github";
|
||||
};
|
||||
|
||||
tokenFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
|
|
@ -96,7 +115,8 @@ in
|
|||
description = "Github webhook secret file";
|
||||
};
|
||||
oauthSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = "Github oauth secret file";
|
||||
};
|
||||
# TODO: make this an option
|
||||
|
|
@ -106,7 +126,8 @@ in
|
|||
# Authorization callback URL: https://buildbot.numtide.com/auth/login
|
||||
# oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d
|
||||
oauthId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Github oauth id. Used for the login button";
|
||||
};
|
||||
# Most likely you want to use the same user as for the buildbot
|
||||
|
|
@ -180,9 +201,20 @@ in
|
|||
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
|
||||
assertion =
|
||||
cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
|
||||
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
|
||||
}
|
||||
{
|
||||
assertion =
|
||||
cfg.authBackend != "github" || (cfg.github.oauthId != null && cfg.github.oauthSecretFile != null);
|
||||
message = ''If config.services.buildbot-nix.master.authBackend is set to "github", then config.services.buildbot-nix.master.github.oauthId and config.services.buildbot-nix.master.github.oauthSecretFile have to be set.'';
|
||||
}
|
||||
{
|
||||
assertion =
|
||||
cfg.authBackend != "gitea" || (cfg.gitea.oauthId != null && cfg.gitea.oauthSecretFile != null);
|
||||
message = ''config.services.buildbot-nix.master.authBackend is set to "gitea", then config.services.buildbot-nix.master.gitea.oauthId and config.services.buildbot-nix.master.gitea.oauthSecretFile have to be set.'';
|
||||
}
|
||||
];
|
||||
|
||||
services.buildbot-master = {
|
||||
|
|
@ -205,25 +237,46 @@ in
|
|||
''
|
||||
NixConfigurator(
|
||||
auth_backend=${builtins.toJSON cfg.authBackend},
|
||||
github=${if cfg.github.disable then "None" else "GithubConfig(
|
||||
github=${
|
||||
if (!cfg.github.enable) then
|
||||
"None"
|
||||
else
|
||||
"GithubConfig(
|
||||
oauth_id=${builtins.toJSON cfg.github.oauthId},
|
||||
buildbot_user=${builtins.toJSON cfg.github.user},
|
||||
topic=${builtins.toJSON cfg.github.topic},
|
||||
)"},
|
||||
gitea=${if !cfg.gitea.enable then "None" else "GiteaConfig(
|
||||
instance_url=${builtins.toJSON cfg.gitea.instanceURL},
|
||||
)"
|
||||
},
|
||||
gitea=${
|
||||
if !cfg.gitea.enable then
|
||||
"None"
|
||||
else
|
||||
"GiteaConfig(
|
||||
instance_url=${builtins.toJSON cfg.gitea.instanceUrl},
|
||||
oauth_id=${builtins.toJSON cfg.gitea.oauthId},
|
||||
topic=${builtins.toJSON cfg.gitea.topic},
|
||||
)"},
|
||||
cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
|
||||
)"
|
||||
},
|
||||
cachix=${
|
||||
if cfg.cachix.name == null then
|
||||
"None"
|
||||
else
|
||||
"CachixConfig(
|
||||
name=${builtins.toJSON cfg.cachix.name},
|
||||
signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
|
||||
auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
|
||||
)"},
|
||||
signing_key_secret_name=${
|
||||
if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"
|
||||
},
|
||||
auth_token_secret_name=${
|
||||
if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"
|
||||
},
|
||||
)"
|
||||
},
|
||||
admins=${builtins.toJSON cfg.admins},
|
||||
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
|
||||
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
|
||||
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
|
||||
nix_eval_worker_count=${
|
||||
if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount
|
||||
},
|
||||
nix_supported_systems=${builtins.toJSON cfg.buildSystems},
|
||||
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
|
||||
)
|
||||
|
|
@ -237,9 +290,11 @@ in
|
|||
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
|
||||
dbUrl = config.services.buildbot-nix.master.dbUrl;
|
||||
# Can be dropped after we have 24.05 everywhere
|
||||
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: {
|
||||
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
|
||||
}));
|
||||
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (
|
||||
pkgs.buildbot.overrideAttrs (old: {
|
||||
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
|
||||
})
|
||||
);
|
||||
pythonPackages = ps: [
|
||||
ps.requests
|
||||
ps.treq
|
||||
|
|
@ -255,21 +310,26 @@ in
|
|||
after = [ "postgresql.service" ];
|
||||
serviceConfig = {
|
||||
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
|
||||
LoadCredential = [
|
||||
"github-token:${cfg.github.tokenFile}"
|
||||
"github-webhook-secret:${cfg.github.webhookSecretFile}"
|
||||
"github-oauth-secret:${cfg.github.oauthSecretFile}"
|
||||
"buildbot-nix-workers:${cfg.workersFile}"
|
||||
]
|
||||
++ lib.optional (cfg.cachix.signingKeyFile != null)
|
||||
"cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
|
||||
++ lib.optional (cfg.cachix.authTokenFile != null)
|
||||
"cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
|
||||
++ lib.optionals cfg.gitea.enable [
|
||||
"gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
|
||||
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
|
||||
"gitea-token:${cfg.gitea.tokenFile}"
|
||||
];
|
||||
LoadCredential =
|
||||
[ "buildbot-nix-workers:${cfg.workersFile}" ]
|
||||
++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
|
||||
++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}"
|
||||
++ lib.optional
|
||||
(
|
||||
cfg.cachix.signingKeyFile != null
|
||||
) "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
|
||||
++ lib.optional
|
||||
(
|
||||
cfg.cachix.authTokenFile != null
|
||||
) "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
|
||||
++ lib.optionals (cfg.github.enable) [
|
||||
"github-token:${cfg.github.tokenFile}"
|
||||
"github-webhook-secret:${cfg.github.webhookSecretFile}"
|
||||
]
|
||||
++ lib.optionals cfg.gitea.enable [
|
||||
"gitea-token:${cfg.gitea.tokenFile}"
|
||||
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
|
||||
];
|
||||
|
||||
# Needed because it tries to reach out to github on boot.
|
||||
# FIXME: if github is not available, we shouldn't fail buildbot, instead it should just try later again in the background
|
||||
|
|
@ -281,10 +341,12 @@ in
|
|||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "buildbot" ];
|
||||
ensureUsers = [{
|
||||
name = "buildbot";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "buildbot";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.nginx.enable = true;
|
||||
|
|
@ -302,16 +364,16 @@ in
|
|||
# raise the proxy timeout for the websocket
|
||||
extraConfig = "proxy_read_timeout 6000s;";
|
||||
};
|
||||
} // lib.optionalAttrs (cfg.outputsPath != null) {
|
||||
"/nix-outputs".root = cfg.outputsPath;
|
||||
};
|
||||
} // lib.optionalAttrs (cfg.outputsPath != null) { "/nix-outputs".root = cfg.outputsPath; };
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
# delete legacy gcroot location, can be dropped after 2024-06-01
|
||||
"R /var/lib/buildbot-worker/gcroot - - - - -"
|
||||
] ++ lib.optional (cfg.outputsPath != null)
|
||||
# Allow buildbot-master to write to this directory
|
||||
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
|
||||
systemd.tmpfiles.rules =
|
||||
[
|
||||
# delete legacy gcroot location, can be dropped after 2024-06-01
|
||||
"R /var/lib/buildbot-worker/gcroot - - - - -"
|
||||
]
|
||||
++ lib.optional (cfg.outputsPath != null)
|
||||
# Allow buildbot-master to write to this directory
|
||||
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue