Merge pull request #121 from Mic92/authz-fix

Improve documentation
Jörg Thalheim 2024-04-15 19:56:48 +02:00 committed by GitHub
commit 7cd975d739
6 changed files with 111 additions and 48 deletions


@ -57,7 +57,8 @@ To integrate with GitHub:
1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user 1. **GitHub App**: Set up a GitHub app for Buildbot to enable GitHub user
authentication on the Buildbot dashboard. authentication on the Buildbot dashboard.
2. **OAuth Credentials**: After installing the app, generate OAuth credentials 2. **OAuth Credentials**: After installing the app, generate OAuth credentials
and configure them in the buildbot-nix NixOS module. and configure them in the buildbot-nix NixOS module. Set the callback url to
`https://<your-domain>/auth/login`.
3. **GitHub Token**: Obtain a GitHub token with `admin:repo_hook` and `repo` 3. **GitHub Token**: Obtain a GitHub token with `admin:repo_hook` and `repo`
permissions. For GitHub organizations, it's advisable to create a separate permissions. For GitHub organizations, it's advisable to create a separate
GitHub user for managing repository webhooks. GitHub user for managing repository webhooks.


@ -11,7 +11,7 @@ from twisted.python import components
def require_env(key: str) -> str: def require_env(key: str) -> str:
val = os.environ.get(key) val = os.environ.get(key)
assert val is not None, "val is not set" assert val is not None, f"{key} environment variable is not set"
return val return val
@ -22,6 +22,9 @@ class WorkerConfig:
.read_text() .read_text()
.rstrip("\r\n") .rstrip("\r\n")
) )
worker_name: str = field(
default_factory=lambda: os.environ.get("WORKER_NAME", socket.gethostname())
)
worker_count: int = int( worker_count: int = int(
os.environ.get("WORKER_COUNT", str(multiprocessing.cpu_count())), os.environ.get("WORKER_COUNT", str(multiprocessing.cpu_count())),
) )
@ -39,8 +42,7 @@ def setup_worker(
basedir = config.buildbot_dir.parent / f"{config.buildbot_dir.name}-{builder_id:03}" basedir = config.buildbot_dir.parent / f"{config.buildbot_dir.name}-{builder_id:03}"
basedir.mkdir(parents=True, exist_ok=True, mode=0o700) basedir.mkdir(parents=True, exist_ok=True, mode=0o700)
hostname = socket.gethostname() workername = f"{config.worker_name}-{builder_id:03}"
workername = f"{hostname}-{builder_id:03}"
keepalive = 600 keepalive = 600
umask = None umask = None
maxdelay = 300 maxdelay = 300
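Review bot: The first hunk only reworded the message on the `assert` in require_env, so the check is still an assertion and is stripped under `python -O`; in that mode a missing variable makes the function return None despite its `-> str` annotation, and the worker password path or name would be used as None further down. Replace the assertion with an explicit check, `if val is None:` followed by `raise RuntimeError(f"{key} environment variable is not set")`, keeping the improved message. The new `worker_name` default in the second hunk reads `WORKER_NAME` through os.environ.get rather than require_env, so it is unaffected by this. setup_worker in the third hunk starts and continues outside the hunk.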


@ -15,61 +15,47 @@ let
inherit (lib) nixosSystem; inherit (lib) nixosSystem;
in in
{ {
# This runs both master and worker on the same machine.
# As the actual build is offloaded with remote builder,
# this also works well for production setups.
"example-master-worker-combined-${system}" = nixosSystem {
inherit system;
modules = [
dummy
buildbot-nix.nixosModules.buildbot-master
buildbot-nix.nixosModules.buildbot-worker
./master.nix
./worker.nix
];
};
"example-master-${system}" = nixosSystem { "example-master-${system}" = nixosSystem {
inherit system; inherit system;
modules = [ modules = [
dummy dummy
({ pkgs, ... }: {
services.buildbot-nix.master = {
enable = true;
domain = "buildbot2.thalheim.io";
workersFile = pkgs.writeText "workers.json" ''
[
{ "name": "eve", "pass": "XXXXXXXXXXXXXXXXXXXX", "cores": 16 }
]
'';
github = {
tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";
oauthSecretFile = pkgs.writeText "oauthSecret" "ffffffffffffffffffffffffffffffffffffffff";
oauthId = "aaaaaaaaaaaaaaaaaaaa";
user = "mic92-buildbot";
admins = [ "Mic92" ];
# All github projects with this topic will be added to buildbot.
# One can trigger a project scan by visiting the Builds -> Builders page and looking for the "reload-github-project" builder.
# This builder has a "Update Github Projects" button that everyone in the github organization can use.
topic = "buildbot-mic92";
};
# optional expose latest store path as text file
# outputsPath = "/var/www/buildbot/nix-outputs";
# optional nix-eval-jobs settings
# evalWorkerCount = 8; # limit number of concurrent evaluations
# evalMaxMemorySize = "2048"; # limit memory usage per evaluation
# optional cachix
#cachix = {
# name = "my-cachix";
# # One of the following is required:
# signingKey = "/var/lib/secrets/cachix-key";
# authToken = "/var/lib/secrets/cachix-token";
#};
};
})
buildbot-nix.nixosModules.buildbot-master buildbot-nix.nixosModules.buildbot-master
./master.nix
# When master and worker run on different machines,
# we need to configure the master to listen on a public address.
# Also check out the buildbot upstream documentation on the master-worker protocol,
# including tls encryption
{
# exposes the master build protocol on port 9989
services.buildbot-master.extraConfig = ''
c["protocols"] = {"pb": {"port": "tcp:9989:interface=\\:\\:"}}
'';
networking.firewall.allowedTCPPorts = [ 9989 ];
}
]; ];
}; };
"example-worker-${system}" = nixosSystem { "example-worker-${system}" = nixosSystem {
inherit system; inherit system;
modules = [ modules = [
dummy dummy
({ pkgs, ... }: {
services.buildbot-nix.worker = {
enable = true;
workerPasswordFile = pkgs.writeText "worker-password-file" "";
};
})
buildbot-nix.nixosModules.buildbot-worker buildbot-nix.nixosModules.buildbot-worker
./worker.nix
# Connects to a master on the ipv6 address 2a09:80c0:102::1
{ services.buildbot-nix.worker.masterUrl = ''tcp:host=2a09\:80c0\:102\:\:1:port=9989''; }
]; ];
}; };
} }
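Review bot: The added master block binds the PB worker protocol on port 9989 to all addresses (`interface=\\:\\:`) and opens that port in the firewall for every interface, while the comment above it only refers the reader to upstream documentation for TLS; without TLS the master-worker traffic is unencrypted and the port is reachable by anyone who can reach the host. Since this is the example people copy, the comment should say so and the rule should be narrowed to where the workers actually connect from, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 9989 ];` or a matching `extraCommands` rule, with `<iface>` as a placeholder. The hard-coded IPv6 address in the worker's `masterUrl` would be clearer as an obvious placeholder with a comment that the host part needs the escaped-colon form shown.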

59
examples/master.nix Normal file

@ -0,0 +1,59 @@
{ pkgs, ... }:
{
services.buildbot-nix.master = {
enable = true;
# Domain name under which the buildbot frontend is reachable
domain = "buildbot2.thalheim.io";
# The workers file configures credentials for the buildbot workers to connect to the master.
# "name" is the configured worker name in services.buildbot-nix.worker.name of a worker
# (defaults to the hostname of the machine)
# "pass" is the password for the worker configured in `services.buildbot-nix.worker.workerPasswordFile`
# "cores" is the number of cpu cores the worker has.
# The number must match as otherwise potentially not enought buildbot-workers are created.
workersFile = pkgs.writeText "workers.json" ''
[
{ "name": "eve", "pass": "XXXXXXXXXXXXXXXXXXXX", "cores": 16 }
]
'';
github = {
# Github user used as a CI identity
user = "mic92-buildbot";
# Github token of the same user
tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
# A random secret used to verify incoming webhooks from GitHub
# buildbot-nix will set up a webhook for each project in the organization
webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";
# Either create a GitHub app or an OAuth app
# After creating the app, press "Generate a new client secret" and fill in the client ID and secret below
oauthId = "aaaaaaaaaaaaaaaaaaaa";
oauthSecretFile = pkgs.writeText "oauthSecret" "ffffffffffffffffffffffffffffffffffffffff";
# Users in this list will be able to reload the project list.
# All other user in the organization will be able to restart builds or evaluations.
admins = [ "Mic92" ];
# All github projects with this topic will be added to buildbot.
# One can trigger a project scan by visiting the Builds -> Builders page and looking for the "reload-github-project" builder.
# This builder has a "Update Github Projects" button that everyone in the github organization can use.
topic = "buildbot-mic92";
};
# optional expose latest store path as text file
# outputsPath = "/var/www/buildbot/nix-outputs";
# optional nix-eval-jobs settings
# evalWorkerCount = 8; # limit number of concurrent evaluations
# evalMaxMemorySize = "2048"; # limit memory usage per evaluation
# optional cachix
#cachix = {
# name = "my-cachix";
# # One of the following is required:
# signingKey = "/var/lib/secrets/cachix-key";
# authToken = "/var/lib/secrets/cachix-token";
#};
};
# Optional: Enable acme/TLS in nginx (recommended)
#services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = {
# forceSSL = true;
# useACME = true;
#};
}
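Review bot: The new comments explain what `workersFile`, `tokenFile`, `webhookSecretFile` and `oauthSecretFile` hold but not that `pkgs.writeText` puts each value into the world-readable Nix store, so a reader copying this example ends up with the GitHub token, webhook secret, OAuth secret and worker password readable by every local user; the same applies to `workerPasswordFile` in examples/worker.nix. A one-line comment such as `# Example only: writeText stores the value in /nix/store; in production point these at files outside the store (e.g. /var/lib/secrets/...) as the cachix block below does` would close that gap. The commented-out nginx block references `config`, which the file's `{ pkgs, ... }:` argument set does not bind, so uncommenting it fails with an undefined variable; change the header to `{ config, pkgs, ... }:`. The comment on `cores` has a typo, "enought".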

7
examples/worker.nix Normal file

@ -0,0 +1,7 @@
{ pkgs, ... }:
{
services.buildbot-nix.worker = {
enable = true;
workerPasswordFile = pkgs.writeText "worker-password-file" "XXXXXXXXXXXXXXXXXXXX";
};
}


@ -13,6 +13,11 @@ in
options = { options = {
services.buildbot-nix.worker = { services.buildbot-nix.worker = {
enable = lib.mkEnableOption "buildbot-worker"; enable = lib.mkEnableOption "buildbot-worker";
name = lib.mkOption {
type = lib.types.str;
default = config.networking.hostName;
description = "The buildbot worker name.";
};
package = lib.mkOption { package = lib.mkOption {
type = lib.types.package; type = lib.types.package;
default = pkgs.buildbot-worker; default = pkgs.buildbot-worker;
@ -70,7 +75,10 @@ in
OOMPolicy = "continue"; OOMPolicy = "continue";
LoadCredential = [ "worker-password-file:${cfg.workerPasswordFile}" ]; LoadCredential = [ "worker-password-file:${cfg.workerPasswordFile}" ];
Environment = [ "WORKER_PASSWORD_FILE=%d/worker-password-file" ]; Environment = [
"WORKER_PASSWORD_FILE=%d/worker-password-file"
"WORKER_NAME=${cfg.name}"
];
Type = "simple"; Type = "simple";
User = "buildbot-worker"; User = "buildbot-worker";
Group = "buildbot-worker"; Group = "buildbot-worker";
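Review bot: The description of the new `name` option in the first hunk does not say what the value has to agree with, although the master side's workersFile keys the worker password and core count on exactly this name; a mismatch silently produces a worker that cannot authenticate. Suggested text: `description = "The buildbot worker name. Must match the \"name\" field of this worker's entry in the master's workersFile.";`. In the second hunk the value is interpolated unquoted into a systemd `Environment=` entry, so a name containing whitespace would presumably be split into separate assignments; if that is not intended, `lib.types.str` could be narrowed or the value quoted.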