make it possible to disable github
This commit is contained in:
parent
5d2711a587
commit
6ae08b645c
|
@ -32,8 +32,7 @@ from .secrets import read_secret_file
|
||||||
@dataclass
|
@dataclass
|
||||||
class GiteaConfig:
|
class GiteaConfig:
|
||||||
instance_url: str
|
instance_url: str
|
||||||
oauth_id: str
|
oauth_id: str | None
|
||||||
admins: list[str]
|
|
||||||
|
|
||||||
oauth_secret_name: str = "gitea-oauth-secret"
|
oauth_secret_name: str = "gitea-oauth-secret"
|
||||||
token_secret_name: str = "gitea-token"
|
token_secret_name: str = "gitea-token"
|
||||||
|
@ -183,6 +182,7 @@ class GiteaBackend(GitBackend):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def create_auth(self) -> AuthBase:
|
def create_auth(self) -> AuthBase:
|
||||||
|
assert self.config.oauth_id is not None, "Gitea requires an OAuth ID to be set"
|
||||||
return GiteaAuth(
|
return GiteaAuth(
|
||||||
"https://" + self.config.instance_url,
|
"https://" + self.config.instance_url,
|
||||||
self.config.oauth_id,
|
self.config.oauth_id,
|
||||||
|
|
|
@ -65,7 +65,7 @@ class ReloadGithubProjects(BuildStep):
|
||||||
|
|
||||||
@dataclass
|
@dataclass
|
||||||
class GithubConfig:
|
class GithubConfig:
|
||||||
oauth_id: str
|
oauth_id: str | None
|
||||||
|
|
||||||
# TODO unused
|
# TODO unused
|
||||||
buildbot_user: str
|
buildbot_user: str
|
||||||
|
@ -121,6 +121,7 @@ class GithubBackend(GitBackend):
|
||||||
return AvatarGitHub(token=self.config.token())
|
return AvatarGitHub(token=self.config.token())
|
||||||
|
|
||||||
def create_auth(self) -> AuthBase:
|
def create_auth(self) -> AuthBase:
|
||||||
|
assert self.config.oauth_id is not None, "GitHub OAuth ID is required"
|
||||||
return GitHubAuth(
|
return GitHubAuth(
|
||||||
self.config.oauth_id,
|
self.config.oauth_id,
|
||||||
read_secret_file(self.config.oauth_secret_name),
|
read_secret_file(self.config.oauth_secret_name),
|
||||||
|
|
150
nix/master.nix
150
nix/master.nix
|
@ -5,16 +5,25 @@
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
cfg = config.services.buildbot-nix.master;
|
cfg = config.services.buildbot-nix.master;
|
||||||
inherit
|
inherit (lib) mkRenamedOptionModule;
|
||||||
(lib)
|
|
||||||
mkRenamedOptionModule
|
|
||||||
;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
(mkRenamedOptionModule
|
(mkRenamedOptionModule
|
||||||
[ "services" "buildbot-nix" "master" "github" "admins" ]
|
[
|
||||||
[ "services" "buildbot-nix" "master" "admins" ])
|
"services"
|
||||||
|
"buildbot-nix"
|
||||||
|
"master"
|
||||||
|
"github"
|
||||||
|
"admins"
|
||||||
|
]
|
||||||
|
[
|
||||||
|
"services"
|
||||||
|
"buildbot-nix"
|
||||||
|
"master"
|
||||||
|
"admins"
|
||||||
|
]
|
||||||
|
)
|
||||||
];
|
];
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|
@ -26,7 +35,11 @@ in
|
||||||
description = "Postgresql database url";
|
description = "Postgresql database url";
|
||||||
};
|
};
|
||||||
authBackend = lib.mkOption {
|
authBackend = lib.mkOption {
|
||||||
type = lib.types.enum [ "github" "gitea" "none" ];
|
type = lib.types.enum [
|
||||||
|
"github"
|
||||||
|
"gitea"
|
||||||
|
"none"
|
||||||
|
];
|
||||||
default = "github";
|
default = "github";
|
||||||
description = ''
|
description = ''
|
||||||
Which OAuth2 backend to use.
|
Which OAuth2 backend to use.
|
||||||
|
@ -52,7 +65,9 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
gitea = {
|
gitea = {
|
||||||
enable = lib.mkEnableOption "Enable Gitea integration";
|
enable = lib.mkEnableOption "Enable Gitea integration" // {
|
||||||
|
default = cfg.authBackend == "gitea";
|
||||||
|
};
|
||||||
|
|
||||||
tokenFile = lib.mkOption {
|
tokenFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.path;
|
||||||
|
@ -60,19 +75,21 @@ in
|
||||||
};
|
};
|
||||||
webhookSecretFile = lib.mkOption {
|
webhookSecretFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.path;
|
||||||
description = "Github webhook secret file";
|
description = "Gitea webhook secret file";
|
||||||
};
|
};
|
||||||
oauthSecretFile = lib.mkOption {
|
oauthSecretFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.nullOr lib.types.path;
|
||||||
|
default = null;
|
||||||
description = "Gitea oauth secret file";
|
description = "Gitea oauth secret file";
|
||||||
};
|
};
|
||||||
|
|
||||||
instanceURL = lib.mkOption {
|
instanceUrl = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Gitea instance URL";
|
description = "Gitea instance URL";
|
||||||
};
|
};
|
||||||
oauthId = lib.mkOption {
|
oauthId = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
default = null;
|
||||||
description = "Gitea oauth id. Used for the login button";
|
description = "Gitea oauth id. Used for the login button";
|
||||||
};
|
};
|
||||||
topic = lib.mkOption {
|
topic = lib.mkOption {
|
||||||
|
@ -85,7 +102,9 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
github = {
|
github = {
|
||||||
disable = lib.mkEnableOption "Disable GitHub integration";
|
enable = lib.mkEnableOption "Enable GitHub integration" // {
|
||||||
|
default = cfg.authBackend == "github";
|
||||||
|
};
|
||||||
|
|
||||||
tokenFile = lib.mkOption {
|
tokenFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.path;
|
||||||
|
@ -96,7 +115,8 @@ in
|
||||||
description = "Github webhook secret file";
|
description = "Github webhook secret file";
|
||||||
};
|
};
|
||||||
oauthSecretFile = lib.mkOption {
|
oauthSecretFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.nullOr lib.types.path;
|
||||||
|
default = null;
|
||||||
description = "Github oauth secret file";
|
description = "Github oauth secret file";
|
||||||
};
|
};
|
||||||
# TODO: make this an option
|
# TODO: make this an option
|
||||||
|
@ -106,7 +126,8 @@ in
|
||||||
# Authorization callback URL: https://buildbot.numtide.com/auth/login
|
# Authorization callback URL: https://buildbot.numtide.com/auth/login
|
||||||
# oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d
|
# oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d
|
||||||
oauthId = lib.mkOption {
|
oauthId = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
default = null;
|
||||||
description = "Github oauth id. Used for the login button";
|
description = "Github oauth id. Used for the login button";
|
||||||
};
|
};
|
||||||
# Most likely you want to use the same user as for the buildbot
|
# Most likely you want to use the same user as for the buildbot
|
||||||
|
@ -180,9 +201,20 @@ in
|
||||||
|
|
||||||
assertions = [
|
assertions = [
|
||||||
{
|
{
|
||||||
assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
|
assertion =
|
||||||
|
cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
|
||||||
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
|
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
assertion =
|
||||||
|
cfg.authBackend != "github" || (cfg.github.oauthId != null && cfg.github.oauthSecretFile != null);
|
||||||
|
message = ''If config.services.buildbot-nix.master.authBackend is set to "github", then config.services.buildbot-nix.master.github.oauthId and config.services.buildbot-nix.master.github.oauthSecretFile have to be set.'';
|
||||||
|
}
|
||||||
|
{
|
||||||
|
assertion =
|
||||||
|
cfg.authBackend != "gitea" || (cfg.gitea.oauthId != null && cfg.gitea.oauthSecretFile != null);
|
||||||
|
message = ''config.services.buildbot-nix.master.authBackend is set to "gitea", then config.services.buildbot-nix.master.gitea.oauthId and config.services.buildbot-nix.master.gitea.oauthSecretFile have to be set.'';
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.buildbot-master = {
|
services.buildbot-master = {
|
||||||
|
@ -205,25 +237,46 @@ in
|
||||||
''
|
''
|
||||||
NixConfigurator(
|
NixConfigurator(
|
||||||
auth_backend=${builtins.toJSON cfg.authBackend},
|
auth_backend=${builtins.toJSON cfg.authBackend},
|
||||||
github=${if cfg.github.disable then "None" else "GithubConfig(
|
github=${
|
||||||
|
if (!cfg.github.enable) then
|
||||||
|
"None"
|
||||||
|
else
|
||||||
|
"GithubConfig(
|
||||||
oauth_id=${builtins.toJSON cfg.github.oauthId},
|
oauth_id=${builtins.toJSON cfg.github.oauthId},
|
||||||
buildbot_user=${builtins.toJSON cfg.github.user},
|
buildbot_user=${builtins.toJSON cfg.github.user},
|
||||||
topic=${builtins.toJSON cfg.github.topic},
|
topic=${builtins.toJSON cfg.github.topic},
|
||||||
)"},
|
)"
|
||||||
gitea=${if !cfg.gitea.enable then "None" else "GiteaConfig(
|
},
|
||||||
instance_url=${builtins.toJSON cfg.gitea.instanceURL},
|
gitea=${
|
||||||
|
if !cfg.gitea.enable then
|
||||||
|
"None"
|
||||||
|
else
|
||||||
|
"GiteaConfig(
|
||||||
|
instance_url=${builtins.toJSON cfg.gitea.instanceUrl},
|
||||||
oauth_id=${builtins.toJSON cfg.gitea.oauthId},
|
oauth_id=${builtins.toJSON cfg.gitea.oauthId},
|
||||||
topic=${builtins.toJSON cfg.gitea.topic},
|
topic=${builtins.toJSON cfg.gitea.topic},
|
||||||
)"},
|
)"
|
||||||
cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
|
},
|
||||||
|
cachix=${
|
||||||
|
if cfg.cachix.name == null then
|
||||||
|
"None"
|
||||||
|
else
|
||||||
|
"CachixConfig(
|
||||||
name=${builtins.toJSON cfg.cachix.name},
|
name=${builtins.toJSON cfg.cachix.name},
|
||||||
signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
|
signing_key_secret_name=${
|
||||||
auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
|
if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"
|
||||||
)"},
|
},
|
||||||
|
auth_token_secret_name=${
|
||||||
|
if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"
|
||||||
|
},
|
||||||
|
)"
|
||||||
|
},
|
||||||
admins=${builtins.toJSON cfg.admins},
|
admins=${builtins.toJSON cfg.admins},
|
||||||
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
|
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
|
||||||
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
|
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
|
||||||
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
|
nix_eval_worker_count=${
|
||||||
|
if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount
|
||||||
|
},
|
||||||
nix_supported_systems=${builtins.toJSON cfg.buildSystems},
|
nix_supported_systems=${builtins.toJSON cfg.buildSystems},
|
||||||
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
|
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
|
||||||
)
|
)
|
||||||
|
@ -237,9 +290,11 @@ in
|
||||||
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
|
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
|
||||||
dbUrl = config.services.buildbot-nix.master.dbUrl;
|
dbUrl = config.services.buildbot-nix.master.dbUrl;
|
||||||
# Can be dropped after we have 24.05 everywhere
|
# Can be dropped after we have 24.05 everywhere
|
||||||
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: {
|
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (
|
||||||
|
pkgs.buildbot.overrideAttrs (old: {
|
||||||
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
|
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
|
||||||
}));
|
})
|
||||||
|
);
|
||||||
pythonPackages = ps: [
|
pythonPackages = ps: [
|
||||||
ps.requests
|
ps.requests
|
||||||
ps.treq
|
ps.treq
|
||||||
|
@ -255,20 +310,25 @@ in
|
||||||
after = [ "postgresql.service" ];
|
after = [ "postgresql.service" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
|
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
|
||||||
LoadCredential = [
|
LoadCredential =
|
||||||
|
[ "buildbot-nix-workers:${cfg.workersFile}" ]
|
||||||
|
++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
|
||||||
|
++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}"
|
||||||
|
++ lib.optional
|
||||||
|
(
|
||||||
|
cfg.cachix.signingKeyFile != null
|
||||||
|
) "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
|
||||||
|
++ lib.optional
|
||||||
|
(
|
||||||
|
cfg.cachix.authTokenFile != null
|
||||||
|
) "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
|
||||||
|
++ lib.optionals (cfg.github.enable) [
|
||||||
"github-token:${cfg.github.tokenFile}"
|
"github-token:${cfg.github.tokenFile}"
|
||||||
"github-webhook-secret:${cfg.github.webhookSecretFile}"
|
"github-webhook-secret:${cfg.github.webhookSecretFile}"
|
||||||
"github-oauth-secret:${cfg.github.oauthSecretFile}"
|
|
||||||
"buildbot-nix-workers:${cfg.workersFile}"
|
|
||||||
]
|
]
|
||||||
++ lib.optional (cfg.cachix.signingKeyFile != null)
|
|
||||||
"cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
|
|
||||||
++ lib.optional (cfg.cachix.authTokenFile != null)
|
|
||||||
"cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
|
|
||||||
++ lib.optionals cfg.gitea.enable [
|
++ lib.optionals cfg.gitea.enable [
|
||||||
"gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
|
|
||||||
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
|
|
||||||
"gitea-token:${cfg.gitea.tokenFile}"
|
"gitea-token:${cfg.gitea.tokenFile}"
|
||||||
|
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
|
||||||
];
|
];
|
||||||
|
|
||||||
# Needed because it tries to reach out to github on boot.
|
# Needed because it tries to reach out to github on boot.
|
||||||
|
@ -281,10 +341,12 @@ in
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureDatabases = [ "buildbot" ];
|
ensureDatabases = [ "buildbot" ];
|
||||||
ensureUsers = [{
|
ensureUsers = [
|
||||||
|
{
|
||||||
name = "buildbot";
|
name = "buildbot";
|
||||||
ensureDBOwnership = true;
|
ensureDBOwnership = true;
|
||||||
}];
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
|
@ -302,15 +364,15 @@ in
|
||||||
# raise the proxy timeout for the websocket
|
# raise the proxy timeout for the websocket
|
||||||
extraConfig = "proxy_read_timeout 6000s;";
|
extraConfig = "proxy_read_timeout 6000s;";
|
||||||
};
|
};
|
||||||
} // lib.optionalAttrs (cfg.outputsPath != null) {
|
} // lib.optionalAttrs (cfg.outputsPath != null) { "/nix-outputs".root = cfg.outputsPath; };
|
||||||
"/nix-outputs".root = cfg.outputsPath;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules =
|
||||||
|
[
|
||||||
# delete legacy gcroot location, can be dropped after 2024-06-01
|
# delete legacy gcroot location, can be dropped after 2024-06-01
|
||||||
"R /var/lib/buildbot-worker/gcroot - - - - -"
|
"R /var/lib/buildbot-worker/gcroot - - - - -"
|
||||||
] ++ lib.optional (cfg.outputsPath != null)
|
]
|
||||||
|
++ lib.optional (cfg.outputsPath != null)
|
||||||
# Allow buildbot-master to write to this directory
|
# Allow buildbot-master to write to this directory
|
||||||
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
|
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue