Merge pull request #14 from Mic92/fixes

add patch to make systemd LoadCredential work again
This commit is contained in:
Jörg Thalheim 2023-10-27 11:04:47 +02:00 committed by GitHub
commit 850233c1f0
Failed to generate hash of commit
9 changed files with 118 additions and 32 deletions

6
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"

23
.github/workflows/update-flake-lock.yml vendored Normal file
View file

@ -0,0 +1,23 @@
name: "Update flakes"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: '38 0 * * 0,4'
permissions:
pull-requests: write
contents: write
jobs:
createPullRequest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v23
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@v20
with:
pr-labels: | # Labels to be set on the PR
merge-queue

View file

@ -19,28 +19,25 @@ in
inherit system; inherit system;
modules = [ modules = [
dummy dummy
{ ({ pkgs, ... }: {
services.buildbot-nix.master = { services.buildbot-nix.master = {
enable = true; enable = true;
domain = "buildbot2.thalheim.io"; domain = "buildbot2.thalheim.io";
workersFile = "/var/lib/secrets/buildbot-nix/workers.json"; workersFile = pkgs.writeText "workers.json" ''
[
{ "name": "eve", "pass": "XXXXXXXXXXXXXXXXXXXX", "cores": 16 }
]
'';
github = { github = {
tokenFile = "/var/lib/secrets/buildbot-nix/github-token"; tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
webhookSecretFile = "/var/lib/secrets/buildbot-nix/github-webhook-secret"; webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";
oauthSecretFile = "/var/lib/secrets/buildbot-nix/github-oauth-secret"; oauthSecretFile = pkgs.writeText "oauthSecret" "ffffffffffffffffffffffffffffffffffffffff";
oauthId = "aaaaaaaaaaaaaaaaaaaa"; oauthId = "aaaaaaaaaaaaaaaaaaaa";
user = "mic92-buildbot"; user = "mic92-buildbot";
admins = [ "Mic92" ]; admins = [ "Mic92" ];
}; };
}; };
services.nginx.virtualHosts."buildbot2.thalheim.io" = { })
enableACME = true;
forceSSL = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults.email = "joerg.acme@thalheim.io";
}
buildbot-nix.nixosModules.buildbot-master buildbot-nix.nixosModules.buildbot-master
]; ];
}; };
@ -48,12 +45,12 @@ in
inherit system; inherit system;
modules = [ modules = [
dummy dummy
{ ({ pkgs, ... }: {
services.buildbot-nix.worker = { services.buildbot-nix.worker = {
enable = true; enable = true;
workerPasswordFile = "/var/lib/secrets/buildbot-nix/worker-password"; workerPasswordFile = pkgs.writeText "worker-password-file" "";
}; };
} })
buildbot-nix.nixosModules.buildbot-worker buildbot-nix.nixosModules.buildbot-worker
]; ];
}; };

View file

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1693611461, "lastModified": 1696343447,
"narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -22,11 +22,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1697009197, "lastModified": 1698266953,
"narHash": "sha256-viVRhBTFT8fPJTb1N3brQIpFZnttmwo3JVKNuWRVc3s=", "narHash": "sha256-jf72t7pC8+8h8fUslUYbWTX5rKsRwOzRMX8jJsGqDXA=",
"owner": "Nixos", "owner": "Nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "01441e14af5e29c9d27ace398e6dd0b293e25a54", "rev": "75a52265bda7fd25e06e3a67dee3f0354e73243c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -50,11 +50,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695290086, "lastModified": 1697388351,
"narHash": "sha256-ol6licpIAzc9oMsEai/9YZhgSMcrnlnD/3ulMLGNKL0=", "narHash": "sha256-63N2eBpKaziIy4R44vjpUu8Nz5fCJY7okKrkixvDQmY=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "e951529be2e7c669487de78f5aef8597bbae5fca", "rev": "aae39f64f5ecbe89792d05eacea5cb241891292a",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -18,7 +18,7 @@
imports = [ imports = [
./nix/checks/flake-module.nix ./nix/checks/flake-module.nix
] ++ inputs.nixpkgs.lib.optional (inputs.treefmt-nix ? flakeModule) ./nix/treefmt/flake-module.nix; ] ++ inputs.nixpkgs.lib.optional (inputs.treefmt-nix ? flakeModule) ./nix/treefmt/flake-module.nix;
systems = [ "x86_64-linux" "aarch64-linux" ]; systems = [ "x86_64-linux" ];
flake = { flake = {
nixosModules.buildbot-master = ./nix/master.nix; nixosModules.buildbot-master = ./nix/master.nix;
nixosModules.buildbot-worker = ./nix/worker.nix; nixosModules.buildbot-worker = ./nix/worker.nix;

View file

@ -0,0 +1,47 @@
From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 14 Oct 2023 11:45:30 +0200
Subject: [PATCH] allow secrets to be group-readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Systemd's LoadCredential feature makes have the following 0o440 permissions.
Services cannot modify secrets or their permission.
By relaxing the check we allow buildbot to use secrets provided by systemd.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
master/buildbot/secrets/providers/file.py | 2 +-
master/buildbot/test/unit/test_secret_in_file.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
index 11daf327a..293a9f410 100644
--- a/buildbot/secrets/providers/file.py
+++ b/buildbot/secrets/providers/file.py
@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
def checkFileIsReadOnly(self, dirname, secretfile):
filepath = os.path.join(dirname, secretfile)
obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
- if (obs_stat & 0o77) != 0 and os.name == "posix":
+ if (obs_stat & 0o7) != 0 and os.name == "posix":
config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
" It is required that your secret files are NOT"
" accessible by others!")
diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
index 01750172d..041b9654f 100644
--- a/buildbot/test/unit/test_secret_in_file.py
+++ b/buildbot/test/unit/test_secret_in_file.py
@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
if os.name != "posix":
self.skipTest("Permission checks only works on posix systems")
filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
- chmodRights=stat.S_IRGRP)
+ chmodRights=stat.S_IROTH)
expctd_msg_error = " on file tempfile2.txt are too " \
"open. It is required that your secret files are" \
" NOT accessible by others!"
--
2.42.0

View file

@ -2,18 +2,22 @@
name = "from-nixos"; name = "from-nixos";
nodes = { nodes = {
# `self` here is set by using specialArgs in `lib.nix` # `self` here is set by using specialArgs in `lib.nix`
node1 = { self, ... }: { node1 = { self, pkgs, ... }: {
imports = [ imports = [
self.nixosModules.buildbot-master self.nixosModules.buildbot-master
]; ];
services.buildbot-nix.master = { services.buildbot-nix.master = {
enable = true; enable = true;
domain = "buildbot2.thalheim.io"; domain = "buildbot2.thalheim.io";
workersFile = "/var/lib/secrets/buildbot-nix/workers.json"; workersFile = pkgs.writeText "workers.json" ''
[
{ "name": "eve", "pass": "XXXXXXXXXXXXXXXXXXXX", "cores": 16 }
]
'';
github = { github = {
tokenFile = "/var/lib/secrets/buildbot-nix/github-token"; tokenFile = pkgs.writeText "github-token" "ghp_000000000000000000000000000000000000";
webhookSecretFile = "/var/lib/secrets/buildbot-nix/github-webhook-secret"; webhookSecretFile = pkgs.writeText "webhookSecret" "00000000000000000000";
oauthSecretFile = "/var/lib/secrets/buildbot-nix/github-oauth-secret"; oauthSecretFile = pkgs.writeText "oauthSecret" "ffffffffffffffffffffffffffffffffffffffff";
oauthId = "aaaaaaaaaaaaaaaaaaaa"; oauthId = "aaaaaaaaaaaaaaaaaaaa";
user = "mic92-buildbot"; user = "mic92-buildbot";
admins = [ "Mic92" ]; admins = [ "Mic92" ];

View file

@ -122,13 +122,22 @@ in
in in
"${if hasSSL then "https" else "http"}://${cfg.domain}/"; "${if hasSSL then "https" else "http"}://${cfg.domain}/";
dbUrl = config.services.buildbot-nix.master.dbUrl; dbUrl = config.services.buildbot-nix.master.dbUrl;
package = (pkgs.buildbot.overrideAttrs (old: {
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
}));
pythonPackages = ps: [ pythonPackages = ps: [
ps.requests ps.requests
ps.treq ps.treq
ps.psycopg2 ps.psycopg2
(ps.toPythonModule pkgs.buildbot-worker) (ps.toPythonModule pkgs.buildbot-worker)
ps.setuptools
pkgs.buildbot-plugins.www pkgs.buildbot-plugins.www
pkgs.buildbot-plugins.www-react pkgs.buildbot-plugins.www-react
pkgs.buildbot-plugins.console-view
pkgs.buildbot-plugins.waterfall-view
pkgs.buildbot-plugins.grid-view
pkgs.buildbot-plugins.wsgi-dashboards
pkgs.buildbot-plugins.badges
]; ];
}; };

View file

@ -25,7 +25,7 @@ in
description = "The buildbot master url."; description = "The buildbot master url.";
}; };
workerPasswordFile = lib.mkOption { workerPasswordFile = lib.mkOption {
type = lib.types.str; type = lib.types.path;
description = "The buildbot worker password file."; description = "The buildbot worker password file.";
}; };
}; };