From 6ae08b645c226c783bb2ee58aa872a5952f7038c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 30 Apr 2024 15:45:39 +0200
Subject: [PATCH] make it possible to disable github

---
 buildbot_nix/gitea_projects.py  |   4 +-
 buildbot_nix/github_projects.py |   3 +-
 nix/master.nix                  | 176 +++++++++++++++++++++-----------
 3 files changed, 123 insertions(+), 60 deletions(-)

diff --git a/buildbot_nix/gitea_projects.py b/buildbot_nix/gitea_projects.py
index a52841e..b343e8b 100644
--- a/buildbot_nix/gitea_projects.py
+++ b/buildbot_nix/gitea_projects.py
@@ -32,8 +32,7 @@ from .secrets import read_secret_file
 @dataclass
 class GiteaConfig:
     instance_url: str
-    oauth_id: str
-    admins: list[str]
+    oauth_id: str | None
     oauth_secret_name: str = "gitea-oauth-secret"
     token_secret_name: str = "gitea-token"
 
@@ -183,6 +182,7 @@ class GiteaBackend(GitBackend):
         return None
 
     def create_auth(self) -> AuthBase:
+        assert self.config.oauth_id is not None, "Gitea requires an OAuth ID to be set"
         return GiteaAuth(
             "https://" + self.config.instance_url,
             self.config.oauth_id,
diff --git a/buildbot_nix/github_projects.py b/buildbot_nix/github_projects.py
index 5323bbf..ded8dd1 100644
--- a/buildbot_nix/github_projects.py
+++ b/buildbot_nix/github_projects.py
@@ -65,7 +65,7 @@ class ReloadGithubProjects(BuildStep):
 
 @dataclass
 class GithubConfig:
-    oauth_id: str
+    oauth_id: str | None
 
     # TODO unused
     buildbot_user: str
@@ -121,6 +121,7 @@ class GithubBackend(GitBackend):
         return AvatarGitHub(token=self.config.token())
 
     def create_auth(self) -> AuthBase:
+        assert self.config.oauth_id is not None, "GitHub OAuth ID is required"
         return GitHubAuth(
             self.config.oauth_id,
             read_secret_file(self.config.oauth_secret_name),
diff --git a/nix/master.nix b/nix/master.nix
index b88f048..c08ad2f 100644
--- a/nix/master.nix
+++ b/nix/master.nix
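Review bot: `oauth_id: str | None` in GiteaConfig (and the same field in GithubConfig at @@ -65 of github_projects.py) gains a None case with no comment saying when None is legitimate; the master.nix side of this patch only requires the id when that forge is the configured `authBackend`, so the field deserves `# None unless this forge is the configured auth backend; create_auth() refuses to run without it`. The `oauth_secret_name` default that stays in the dataclass names a credential which master.nix only loads for the active auth backend, so it is worth a second line noting that reading it with the other backend selected will presumably fail at runtime. The dataclass bodies continue outside the hunk.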
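Review bot: The added `assert self.config.oauth_id is not None, ...` in GiteaBackend.create_auth is the only Python-side guard before the value is handed to GiteaAuth, and `assert` statements are stripped under `python -O`, so on an optimized interpreter a None id would reach the OAuth client silently; the mirror check in GithubBackend.create_auth at @@ -121 of github_projects.py has the same weakness. Replace it with an explicit error: `if self.config.oauth_id is None:` / `    raise ValueError("Gitea requires an OAuth ID to be set")`. The master.nix assertions in this patch enforce the same invariant at evaluation time, so this is a defence-in-depth check, but it should not depend on interpreter flags. create_auth continues past the hunk.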
@@ -5,16 +5,25 @@ }: let cfg = config.services.buildbot-nix.master; - inherit - (lib) - mkRenamedOptionModule - ; + inherit (lib) mkRenamedOptionModule; in { imports = [ (mkRenamedOptionModule - [ "services" "buildbot-nix" "master" "github" "admins" ] - [ "services" "buildbot-nix" "master" "admins" ]) + [ + "services" + "buildbot-nix" + "master" + "github" + "admins" + ] + [ + "services" + "buildbot-nix" + "master" + "admins" + ] + ) ]; options = { @@ -26,7 +35,11 @@ in description = "Postgresql database url"; }; authBackend = lib.mkOption { - type = lib.types.enum [ "github" "gitea" "none" ]; + type = lib.types.enum [ + "github" + "gitea" + "none" + ]; default = "github"; description = '' Which OAuth2 backend to use. @@ -52,7 +65,9 @@ in }; }; gitea = { - enable = lib.mkEnableOption "Enable Gitea integration"; + enable = lib.mkEnableOption "Enable Gitea integration" // { + default = cfg.authBackend == "gitea"; + }; tokenFile = lib.mkOption { type = lib.types.path; @@ -60,19 +75,21 @@ in }; webhookSecretFile = lib.mkOption { type = lib.types.path; - description = "Github webhook secret file"; + description = "Gitea webhook secret file"; }; oauthSecretFile = lib.mkOption { - type = lib.types.path; + type = lib.types.nullOr lib.types.path; + default = null; description = "Gitea oauth secret file"; }; - instanceURL = lib.mkOption { + instanceUrl = lib.mkOption { type = lib.types.str; description = "Gitea instance URL"; }; oauthId = lib.mkOption { - type = lib.types.str; + type = lib.types.nullOr lib.types.str; + default = null; description = "Gitea oauth id. Used for the login button"; }; topic = lib.mkOption { @@ -85,7 +102,9 @@ in }; }; github = { - disable = lib.mkEnableOption "Disable GitHub integration"; + enable = lib.mkEnableOption "Enable GitHub integration" // { + default = cfg.authBackend == "github"; + }; tokenFile = lib.mkOption { type = lib.types.path; 
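Review bot: `instanceURL` is renamed to `instanceUrl` in the @@ -60 hunk with no `mkRenamedOptionModule` entry, so existing configurations that set `services.buildbot-nix.master.gitea.instanceURL` will fail evaluation with an undefined-option error instead of a deprecation warning; the `imports` list at the top of this file already carries such an entry for `admins`, and this rename belongs beside it: `(mkRenamedOptionModule [ "services" "buildbot-nix" "master" "gitea" "instanceURL" ] [ "services" "buildbot-nix" "master" "gitea" "instanceUrl" ])`. The @@ -85 hunk replaces `github.disable` with `github.enable` in the same way; because the meaning is inverted a plain rename does not fit, so a `mkRemovedOptionModule` (or `mkChangedOptionModule` with a negation) pointing users at the new option is the compatible choice. The `options` attribute set continues on both sides of these hunks.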
@@ -96,7 +115,8 @@ in description = "Github webhook secret file"; }; oauthSecretFile = lib.mkOption { - type = lib.types.path; + type = lib.types.nullOr lib.types.path; + default = null; description = "Github oauth secret file"; }; # TODO: make this an option @@ -106,7 +126,8 @@ in # Authorization callback URL: https://buildbot.numtide.com/auth/login # oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d oauthId = lib.mkOption { - type = lib.types.str; + type = lib.types.nullOr lib.types.str; + default = null; description = "Github oauth id. Used for the login button"; }; # Most likely you want to use the same user as for the buildbot @@ -180,9 +201,20 @@ in assertions = [ { - assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null; + assertion = + cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null; message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set"; } + { + assertion = + cfg.authBackend != "github" || (cfg.github.oauthId != null && cfg.github.oauthSecretFile != null); + message = ''If config.services.buildbot-nix.master.authBackend is set to "github", then config.services.buildbot-nix.master.github.oauthId and config.services.buildbot-nix.master.github.oauthSecretFile have to be set.''; + } + { + assertion = + cfg.authBackend != "gitea" || (cfg.gitea.oauthId != null && cfg.gitea.oauthSecretFile != null); + message = ''config.services.buildbot-nix.master.authBackend is set to "gitea", then config.services.buildbot-nix.master.gitea.oauthId and config.services.buildbot-nix.master.gitea.oauthSecretFile have to be set.''; + } ]; services.buildbot-master = { 
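Review bot: The context lines directly above the new nullable `github.oauthId` option in the @@ -106 hunk keep the comment `# oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d`, which looks like a real OAuth secret committed into the module; this patch already rewrites the option below it and is the natural place to drop that line. If the value was ever live it should be treated as exposed: revoke it on the GitHub side and scrub it from history, since deleting the comment in a later commit still leaves it in every clone. The `# TODO: make this an option` block it belongs to is only partly visible in the hunk.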
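Review bot: The two new assertions in the @@ -180 hunk tie `oauthId`/`oauthSecretFile` to `authBackend`, but nothing requires the chosen backend's integration to be enabled, so `authBackend = "github"` with `github.enable = false` passes evaluation and (per the @@ -205 hunk below) emits `NixConfigurator(auth_backend="github", github=None, ...)`, which presumably cannot construct an auth object; add `{ assertion = cfg.authBackend != "github" || cfg.github.enable; message = ''authBackend = "github" requires github.enable = true''; }` and the gitea twin. The gitea message also lost its leading word and should read `''If config.services.buildbot-nix.master.authBackend is set to "gitea", then ...''` to match the github message. The `assertions` list and the enclosing `config` block continue outside the hunk.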
@@ -205,25 +237,46 @@ in '' NixConfigurator( auth_backend=${builtins.toJSON cfg.authBackend}, - github=${if cfg.github.disable then "None" else "GithubConfig( + github=${ + if (!cfg.github.enable) then + "None" + else + "GithubConfig( oauth_id=${builtins.toJSON cfg.github.oauthId}, buildbot_user=${builtins.toJSON cfg.github.user}, topic=${builtins.toJSON cfg.github.topic}, - )"}, - gitea=${if !cfg.gitea.enable then "None" else "GiteaConfig( - instance_url=${builtins.toJSON cfg.gitea.instanceURL}, + )" + }, + gitea=${ + if !cfg.gitea.enable then + "None" + else + "GiteaConfig( + instance_url=${builtins.toJSON cfg.gitea.instanceUrl}, oauth_id=${builtins.toJSON cfg.gitea.oauthId}, topic=${builtins.toJSON cfg.gitea.topic}, - )"}, - cachix=${if cfg.cachix.name == null then "None" else "CachixConfig( + )" + }, + cachix=${ + if cfg.cachix.name == null then + "None" + else + "CachixConfig( name=${builtins.toJSON cfg.cachix.name}, - signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"}, - auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"}, - )"}, + signing_key_secret_name=${ + if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None" + }, + auth_token_secret_name=${ + if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None" + }, + )" + }, admins=${builtins.toJSON cfg.admins}, url=${builtins.toJSON config.services.buildbot-master.buildbotUrl}, nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize}, - nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount}, + nix_eval_worker_count=${ + if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount + }, nix_supported_systems=${builtins.toJSON cfg.buildSystems}, outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON 
cfg.outputsPath}, ) @@ -237,9 +290,11 @@ in "${if hasSSL then "https" else "http"}://${cfg.domain}/"; dbUrl = config.services.buildbot-nix.master.dbUrl; # Can be dropped after we have 24.05 everywhere - package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: { - patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ]; - })); + package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") ( + pkgs.buildbot.overrideAttrs (old: { + patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ]; + }) + ); pythonPackages = ps: [ ps.requests ps.treq 
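Review bot: `oauth_id=${builtins.toJSON cfg.github.oauthId}` in the @@ -205 hunk (and the gitea line below it) is now fed an option that defaults to `null`, and `builtins.toJSON null` renders as `null`, which is not a Python literal — a host with `github.enable = true` but `authBackend = "gitea"` gets `oauth_id=null` in the generated config and the master fails to start with a NameError. The cachix branch a few lines down already shows the pattern to follow: `oauth_id=${if cfg.github.oauthId == null then "None" else builtins.toJSON cfg.github.oauthId},` and `oauth_id=${if cfg.gitea.oauthId == null then "None" else builtins.toJSON cfg.gitea.oauthId},`. The generated config string opens and closes outside the hunk.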
@@ -255,21 +310,26 @@ in after = [ "postgresql.service" ]; serviceConfig = { # in master.py we read secrets from $CREDENTIALS_DIRECTORY - LoadCredential = [ - "github-token:${cfg.github.tokenFile}" - "github-webhook-secret:${cfg.github.webhookSecretFile}" - "github-oauth-secret:${cfg.github.oauthSecretFile}" - "buildbot-nix-workers:${cfg.workersFile}" - ] - ++ lib.optional (cfg.cachix.signingKeyFile != null) - "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}" - ++ lib.optional (cfg.cachix.authTokenFile != null) - "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}" - ++ lib.optionals cfg.gitea.enable [ - "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}" - "gitea-webhook-secret:${cfg.gitea.webhookSecretFile}" - "gitea-token:${cfg.gitea.tokenFile}" - ]; + LoadCredential = + [ "buildbot-nix-workers:${cfg.workersFile}" ] + ++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}" + ++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}" + ++ lib.optional + ( + cfg.cachix.signingKeyFile != null + ) "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}" + ++ lib.optional + ( + cfg.cachix.authTokenFile != null + ) "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}" + ++ lib.optionals (cfg.github.enable) [ + "github-token:${cfg.github.tokenFile}" + "github-webhook-secret:${cfg.github.webhookSecretFile}" + ] + ++ lib.optionals cfg.gitea.enable [ + "gitea-token:${cfg.gitea.tokenFile}" + "gitea-webhook-secret:${cfg.gitea.webhookSecretFile}" + ]; # Needed because it tries to reach out to github on boot. # FIXME: if github is not available, we shouldn't fail buildbot, instead it should just try later again in the background 
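Review bot: The rewritten `LoadCredential` entries interpolate the path-typed options directly (`"gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"`, its github twin, and the token/webhook lines), while the cachix entries in the same list wrap theirs in `builtins.toString`; when a user assigns a path literal such as `./gitea-oauth-secret` instead of a string, direct interpolation copies the file into the world-readable Nix store, which defeats the point of passing it through systemd credentials. Apply `builtins.toString` to every credential path here, as the cachix lines already do. The oauth-secret entries are also gated on `cfg.authBackend` whereas the token and webhook entries are gated on `cfg.<forge>.enable`, so a backend that is selected for auth but not enabled still loads a credential the generated config apparently never references — hedged, since the Python consumer is not visible here. The `serviceConfig` block continues past the hunk.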
@@ -281,10 +341,12 @@ in services.postgresql = { enable = true; ensureDatabases = [ "buildbot" ]; - ensureUsers = [{ - name = "buildbot"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "buildbot"; + ensureDBOwnership = true; + } + ]; }; services.nginx.enable = true; @@ -302,16 +364,16 @@ in # raise the proxy timeout for the websocket extraConfig = "proxy_read_timeout 6000s;"; }; - } // lib.optionalAttrs (cfg.outputsPath != null) { - "/nix-outputs".root = cfg.outputsPath; - }; + } // lib.optionalAttrs (cfg.outputsPath != null) { "/nix-outputs".root = cfg.outputsPath; }; }; - systemd.tmpfiles.rules = [ - # delete legacy gcroot location, can be dropped after 2024-06-01 - "R /var/lib/buildbot-worker/gcroot - - - - -" - ] ++ lib.optional (cfg.outputsPath != null) - # Allow buildbot-master to write to this directory - "d ${cfg.outputsPath} 0755 buildbot buildbot - -"; + systemd.tmpfiles.rules = + [ + # delete legacy gcroot location, can be dropped after 2024-06-01 + "R /var/lib/buildbot-worker/gcroot - - - - -" + ] + ++ lib.optional (cfg.outputsPath != null) + # Allow buildbot-master to write to this directory + "d ${cfg.outputsPath} 0755 buildbot buildbot - -"; }; }