Merge pull request #132 from Mic92/gitea-fixes

make it possible to disable github
Jörg Thalheim 2024-04-30 17:35:45 +02:00 committed by GitHub
commit cda191b7aa
3 changed files with 123 additions and 60 deletions


@ -32,8 +32,7 @@ from .secrets import read_secret_file
@dataclass @dataclass
class GiteaConfig: class GiteaConfig:
instance_url: str instance_url: str
oauth_id: str oauth_id: str | None
admins: list[str]
oauth_secret_name: str = "gitea-oauth-secret" oauth_secret_name: str = "gitea-oauth-secret"
token_secret_name: str = "gitea-token" token_secret_name: str = "gitea-token"
@ -183,6 +182,7 @@ class GiteaBackend(GitBackend):
return None return None
def create_auth(self) -> AuthBase: def create_auth(self) -> AuthBase:
assert self.config.oauth_id is not None, "Gitea requires an OAuth ID to be set"
return GiteaAuth( return GiteaAuth(
"https://" + self.config.instance_url, "https://" + self.config.instance_url,
self.config.oauth_id, self.config.oauth_id,
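Review bot: The new guard in `create_auth` is an `assert`, which is stripped under `python -O`, so a Gitea backend configured without an OAuth ID would then pass `None` straight into `GiteaAuth` instead of failing with the intended message; since this validates deployment configuration rather than an internal invariant, prefer an explicit exception: `if self.config.oauth_id is None:` / `raise ValueError("Gitea requires an OAuth ID to be set")`. The `GiteaAuth(...)` call continues past the end of the hunk, so I cannot see whether the OAuth secret is also checked there. If `create_auth` is only ever reached when the Gitea backend is the selected auth backend (the NixOS module in this PR appears to assert that at evaluation time), the same fail-fast check could live in `__post_init__` so a misconfiguration surfaces at config load rather than at first login.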


@ -65,7 +65,7 @@ class ReloadGithubProjects(BuildStep):
@dataclass @dataclass
class GithubConfig: class GithubConfig:
oauth_id: str oauth_id: str | None
# TODO unused # TODO unused
buildbot_user: str buildbot_user: str
@ -121,6 +121,7 @@ class GithubBackend(GitBackend):
return AvatarGitHub(token=self.config.token()) return AvatarGitHub(token=self.config.token())
def create_auth(self) -> AuthBase: def create_auth(self) -> AuthBase:
assert self.config.oauth_id is not None, "GitHub OAuth ID is required"
return GitHubAuth( return GitHubAuth(
self.config.oauth_id, self.config.oauth_id,
read_secret_file(self.config.oauth_secret_name), read_secret_file(self.config.oauth_secret_name),
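Review bot: `assert self.config.oauth_id is not None` is a no-op under `-O`, and `GitHubAuth` would then receive `None` as the client id; replace it with `if self.config.oauth_id is None: raise ValueError("GitHub OAuth ID is required")` so the check survives in production. The following line reads the client secret via `read_secret_file(self.config.oauth_secret_name)` with no corresponding guard; the NixOS module in this PR only loads the `github-oauth-secret` credential when `authBackend == "github"`, so if `create_auth` can run with a different backend selected the failure will presumably come from the missing credential file rather than a clear message. The body of `create_auth` continues past the hunk.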


@ -5,16 +5,25 @@
}: }:
let let
cfg = config.services.buildbot-nix.master; cfg = config.services.buildbot-nix.master;
inherit inherit (lib) mkRenamedOptionModule;
(lib)
mkRenamedOptionModule
;
in in
{ {
imports = [ imports = [
(mkRenamedOptionModule (mkRenamedOptionModule
[ "services" "buildbot-nix" "master" "github" "admins" ] [
[ "services" "buildbot-nix" "master" "admins" ]) "services"
"buildbot-nix"
"master"
"github"
"admins"
]
[
"services"
"buildbot-nix"
"master"
"admins"
]
)
]; ];
options = { options = {
@ -26,7 +35,11 @@ in
description = "Postgresql database url"; description = "Postgresql database url";
}; };
authBackend = lib.mkOption { authBackend = lib.mkOption {
type = lib.types.enum [ "github" "gitea" "none" ]; type = lib.types.enum [
"github"
"gitea"
"none"
];
default = "github"; default = "github";
description = '' description = ''
Which OAuth2 backend to use. Which OAuth2 backend to use.
@ -52,7 +65,9 @@ in
}; };
}; };
gitea = { gitea = {
enable = lib.mkEnableOption "Enable Gitea integration"; enable = lib.mkEnableOption "Enable Gitea integration" // {
default = cfg.authBackend == "gitea";
};
tokenFile = lib.mkOption { tokenFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
@ -60,19 +75,21 @@ in
}; };
webhookSecretFile = lib.mkOption { webhookSecretFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = "Github webhook secret file"; description = "Gitea webhook secret file";
}; };
oauthSecretFile = lib.mkOption { oauthSecretFile = lib.mkOption {
type = lib.types.path; type = lib.types.nullOr lib.types.path;
default = null;
description = "Gitea oauth secret file"; description = "Gitea oauth secret file";
}; };
instanceURL = lib.mkOption { instanceUrl = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Gitea instance URL"; description = "Gitea instance URL";
}; };
oauthId = lib.mkOption { oauthId = lib.mkOption {
type = lib.types.str; type = lib.types.nullOr lib.types.str;
default = null;
description = "Gitea oauth id. Used for the login button"; description = "Gitea oauth id. Used for the login button";
}; };
topic = lib.mkOption { topic = lib.mkOption {
@ -85,7 +102,9 @@ in
}; };
}; };
github = { github = {
disable = lib.mkEnableOption "Disable GitHub integration"; enable = lib.mkEnableOption "Enable GitHub integration" // {
default = cfg.authBackend == "github";
};
tokenFile = lib.mkOption { tokenFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
@ -96,7 +115,8 @@ in
description = "Github webhook secret file"; description = "Github webhook secret file";
}; };
oauthSecretFile = lib.mkOption { oauthSecretFile = lib.mkOption {
type = lib.types.path; type = lib.types.nullOr lib.types.path;
default = null;
description = "Github oauth secret file"; description = "Github oauth secret file";
}; };
# TODO: make this an option # TODO: make this an option
@ -106,7 +126,8 @@ in
# Authorization callback URL: https://buildbot.numtide.com/auth/login # Authorization callback URL: https://buildbot.numtide.com/auth/login
# oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d # oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d
oauthId = lib.mkOption { oauthId = lib.mkOption {
type = lib.types.str; type = lib.types.nullOr lib.types.str;
default = null;
description = "Github oauth id. Used for the login button"; description = "Github oauth id. Used for the login button";
}; };
# Most likely you want to use the same user as for the buildbot # Most likely you want to use the same user as for the buildbot
@ -180,9 +201,20 @@ in
assertions = [ assertions = [
{ {
assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null; assertion =
cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set"; message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
} }
{
assertion =
cfg.authBackend != "github" || (cfg.github.oauthId != null && cfg.github.oauthSecretFile != null);
message = ''If config.services.buildbot-nix.master.authBackend is set to "github", then config.services.buildbot-nix.master.github.oauthId and config.services.buildbot-nix.master.github.oauthSecretFile have to be set.'';
}
{
assertion =
cfg.authBackend != "gitea" || (cfg.gitea.oauthId != null && cfg.gitea.oauthSecretFile != null);
message = ''config.services.buildbot-nix.master.authBackend is set to "gitea", then config.services.buildbot-nix.master.gitea.oauthId and config.services.buildbot-nix.master.gitea.oauthSecretFile have to be set.'';
}
]; ];
services.buildbot-master = { services.buildbot-master = {
@ -205,25 +237,46 @@ in
'' ''
NixConfigurator( NixConfigurator(
auth_backend=${builtins.toJSON cfg.authBackend}, auth_backend=${builtins.toJSON cfg.authBackend},
github=${if cfg.github.disable then "None" else "GithubConfig( github=${
if (!cfg.github.enable) then
"None"
else
"GithubConfig(
oauth_id=${builtins.toJSON cfg.github.oauthId}, oauth_id=${builtins.toJSON cfg.github.oauthId},
buildbot_user=${builtins.toJSON cfg.github.user}, buildbot_user=${builtins.toJSON cfg.github.user},
topic=${builtins.toJSON cfg.github.topic}, topic=${builtins.toJSON cfg.github.topic},
)"}, )"
gitea=${if !cfg.gitea.enable then "None" else "GiteaConfig( },
instance_url=${builtins.toJSON cfg.gitea.instanceURL}, gitea=${
if !cfg.gitea.enable then
"None"
else
"GiteaConfig(
instance_url=${builtins.toJSON cfg.gitea.instanceUrl},
oauth_id=${builtins.toJSON cfg.gitea.oauthId}, oauth_id=${builtins.toJSON cfg.gitea.oauthId},
topic=${builtins.toJSON cfg.gitea.topic}, topic=${builtins.toJSON cfg.gitea.topic},
)"}, )"
cachix=${if cfg.cachix.name == null then "None" else "CachixConfig( },
cachix=${
if cfg.cachix.name == null then
"None"
else
"CachixConfig(
name=${builtins.toJSON cfg.cachix.name}, name=${builtins.toJSON cfg.cachix.name},
signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"}, signing_key_secret_name=${
auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"}, if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"
)"}, },
auth_token_secret_name=${
if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"
},
)"
},
admins=${builtins.toJSON cfg.admins}, admins=${builtins.toJSON cfg.admins},
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl}, url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize}, nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount}, nix_eval_worker_count=${
if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount
},
nix_supported_systems=${builtins.toJSON cfg.buildSystems}, nix_supported_systems=${builtins.toJSON cfg.buildSystems},
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath}, outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
) )
@ -237,9 +290,11 @@ in
"${if hasSSL then "https" else "http"}://${cfg.domain}/"; "${if hasSSL then "https" else "http"}://${cfg.domain}/";
dbUrl = config.services.buildbot-nix.master.dbUrl; dbUrl = config.services.buildbot-nix.master.dbUrl;
# Can be dropped after we have 24.05 everywhere # Can be dropped after we have 24.05 everywhere
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: { package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ]; pkgs.buildbot.overrideAttrs (old: {
})); patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
})
);
pythonPackages = ps: [ pythonPackages = ps: [
ps.requests ps.requests
ps.treq ps.treq
@ -255,21 +310,26 @@ in
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
serviceConfig = { serviceConfig = {
# in master.py we read secrets from $CREDENTIALS_DIRECTORY # in master.py we read secrets from $CREDENTIALS_DIRECTORY
LoadCredential = [ LoadCredential =
"github-token:${cfg.github.tokenFile}" [ "buildbot-nix-workers:${cfg.workersFile}" ]
"github-webhook-secret:${cfg.github.webhookSecretFile}" ++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
"github-oauth-secret:${cfg.github.oauthSecretFile}" ++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}"
"buildbot-nix-workers:${cfg.workersFile}" ++ lib.optional
] (
++ lib.optional (cfg.cachix.signingKeyFile != null) cfg.cachix.signingKeyFile != null
"cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}" ) "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
++ lib.optional (cfg.cachix.authTokenFile != null) ++ lib.optional
"cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}" (
++ lib.optionals cfg.gitea.enable [ cfg.cachix.authTokenFile != null
"gitea-oauth-secret:${cfg.gitea.oauthSecretFile}" ) "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}" ++ lib.optionals (cfg.github.enable) [
"gitea-token:${cfg.gitea.tokenFile}" "github-token:${cfg.github.tokenFile}"
]; "github-webhook-secret:${cfg.github.webhookSecretFile}"
]
++ lib.optionals cfg.gitea.enable [
"gitea-token:${cfg.gitea.tokenFile}"
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
];
# Needed because it tries to reach out to github on boot. # Needed because it tries to reach out to github on boot.
# FIXME: if github is not available, we shouldn't fail buildbot, instead it should just try later again in the background # FIXME: if github is not available, we shouldn't fail buildbot, instead it should just try later again in the background
@ -281,10 +341,12 @@ in
services.postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ "buildbot" ]; ensureDatabases = [ "buildbot" ];
ensureUsers = [{ ensureUsers = [
name = "buildbot"; {
ensureDBOwnership = true; name = "buildbot";
}]; ensureDBOwnership = true;
}
];
}; };
services.nginx.enable = true; services.nginx.enable = true;
@ -302,16 +364,16 @@ in
# raise the proxy timeout for the websocket # raise the proxy timeout for the websocket
extraConfig = "proxy_read_timeout 6000s;"; extraConfig = "proxy_read_timeout 6000s;";
}; };
} // lib.optionalAttrs (cfg.outputsPath != null) { } // lib.optionalAttrs (cfg.outputsPath != null) { "/nix-outputs".root = cfg.outputsPath; };
"/nix-outputs".root = cfg.outputsPath;
};
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules =
# delete legacy gcroot location, can be dropped after 2024-06-01 [
"R /var/lib/buildbot-worker/gcroot - - - - -" # delete legacy gcroot location, can be dropped after 2024-06-01
] ++ lib.optional (cfg.outputsPath != null) "R /var/lib/buildbot-worker/gcroot - - - - -"
# Allow buildbot-master to write to this directory ]
"d ${cfg.outputsPath} 0755 buildbot buildbot - -"; ++ lib.optional (cfg.outputsPath != null)
# Allow buildbot-master to write to this directory
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
}; };
} }
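Review bot: The credential paths in `LoadCredential` are spliced into strings as `${cfg.gitea.oauthSecretFile}`, `${cfg.github.tokenFile}` and so on, but these options are `lib.types.path`, so a user who writes a path literal (`oauthSecretFile = ./gitea-oauth-secret;`) will have Nix copy the secret into the world-readable `/nix/store` before systemd ever loads it; the cachix entries a few lines above already avoid this with `builtins.toString`, and the six token/webhook/oauth entries should do the same, e.g. `"gitea-oauth-secret:${builtins.toString cfg.gitea.oauthSecretFile}"` (or each option's description should state that only string paths are accepted). Separately, the new assertions require `oauthId`/`oauthSecretFile` when `authBackend` names a backend but not that the backend is enabled, so `authBackend = "github"; github.enable = false;` (the new `enable` default only applies when the option is unset) produces `auth_backend="github"` together with `github=None` in `NixConfigurator`; whether the Python side tolerates that is outside this hunk, so consider adding `cfg.authBackend == "github" -> cfg.github.enable` (and the gitea counterpart). The second new assertion's message also drops its leading "If". The `serviceConfig` attrset and the enclosing module body continue outside these hunks.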