Merge pull request #132 from Mic92/gitea-fixes

Make it possible to disable GitHub.
Jörg Thalheim 2024-04-30 17:35:45 +02:00 committed by GitHub
commit cda191b7aa
3 changed files with 123 additions and 60 deletions


@ -32,8 +32,7 @@ from .secrets import read_secret_file
@dataclass
class GiteaConfig:
instance_url: str
oauth_id: str
admins: list[str]
oauth_id: str | None
oauth_secret_name: str = "gitea-oauth-secret"
token_secret_name: str = "gitea-token"
@ -183,6 +182,7 @@ class GiteaBackend(GitBackend):
return None
def create_auth(self) -> AuthBase:
assert self.config.oauth_id is not None, "Gitea requires an OAuth ID to be set"
return GiteaAuth(
"https://" + self.config.instance_url,
self.config.oauth_id,
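Review bot: The new `assert self.config.oauth_id is not None, ...` in create_auth is the only thing standing between a missing OAuth ID and a GiteaAuth constructed with None, and assertions are removed when the interpreter runs with -O, so the guard silently disappears in optimized deployments. Configuration validation should be an explicit check that survives every build mode, e.g. `if self.config.oauth_id is None:` followed by `raise ValueError("Gitea requires an OAuth ID to be set")`. The same assert-based check is introduced in GithubBackend.create_auth in the next file section and should be changed the same way. create_auth's body continues outside the hunk.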


@ -65,7 +65,7 @@ class ReloadGithubProjects(BuildStep):
@dataclass
class GithubConfig:
oauth_id: str
oauth_id: str | None
# TODO unused
buildbot_user: str
@ -121,6 +121,7 @@ class GithubBackend(GitBackend):
return AvatarGitHub(token=self.config.token())
def create_auth(self) -> AuthBase:
assert self.config.oauth_id is not None, "GitHub OAuth ID is required"
return GitHubAuth(
self.config.oauth_id,
read_secret_file(self.config.oauth_secret_name),
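Review bot: The widened field `oauth_id: str | None` on GithubConfig carries no explanation of when None is a legitimate value, which a reader of the dataclass cannot tell from the class itself. From the Nix module in this commit it appears to be None whenever GitHub is enabled as a project backend but is not the configured auth backend; a field comment such as `# None when GitHub is not the auth backend; create_auth() rejects None` would record that contract next to the type. The dataclass is cut off after `buildbot_user` and create_auth continues outside the hunk.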


@ -5,16 +5,25 @@
}:
let
cfg = config.services.buildbot-nix.master;
inherit
(lib)
mkRenamedOptionModule
;
inherit (lib) mkRenamedOptionModule;
in
{
imports = [
(mkRenamedOptionModule
[ "services" "buildbot-nix" "master" "github" "admins" ]
[ "services" "buildbot-nix" "master" "admins" ])
[
"services"
"buildbot-nix"
"master"
"github"
"admins"
]
[
"services"
"buildbot-nix"
"master"
"admins"
]
)
];
options = {
@ -26,7 +35,11 @@ in
description = "Postgresql database url";
};
authBackend = lib.mkOption {
type = lib.types.enum [ "github" "gitea" "none" ];
type = lib.types.enum [
"github"
"gitea"
"none"
];
default = "github";
description = ''
Which OAuth2 backend to use.
@ -52,7 +65,9 @@ in
};
};
gitea = {
enable = lib.mkEnableOption "Enable Gitea integration";
enable = lib.mkEnableOption "Enable Gitea integration" // {
default = cfg.authBackend == "gitea";
};
tokenFile = lib.mkOption {
type = lib.types.path;
@ -60,19 +75,21 @@ in
};
webhookSecretFile = lib.mkOption {
type = lib.types.path;
description = "Github webhook secret file";
description = "Gitea webhook secret file";
};
oauthSecretFile = lib.mkOption {
type = lib.types.path;
type = lib.types.nullOr lib.types.path;
default = null;
description = "Gitea oauth secret file";
};
instanceURL = lib.mkOption {
instanceUrl = lib.mkOption {
type = lib.types.str;
description = "Gitea instance URL";
};
oauthId = lib.mkOption {
type = lib.types.str;
type = lib.types.nullOr lib.types.str;
default = null;
description = "Gitea oauth id. Used for the login button";
};
topic = lib.mkOption {
@ -85,7 +102,9 @@ in
};
};
github = {
disable = lib.mkEnableOption "Disable GitHub integration";
enable = lib.mkEnableOption "Enable GitHub integration" // {
default = cfg.authBackend == "github";
};
tokenFile = lib.mkOption {
type = lib.types.path;
@ -96,7 +115,8 @@ in
description = "Github webhook secret file";
};
oauthSecretFile = lib.mkOption {
type = lib.types.path;
type = lib.types.nullOr lib.types.path;
default = null;
description = "Github oauth secret file";
};
# TODO: make this an option
@ -106,7 +126,8 @@ in
# Authorization callback URL: https://buildbot.numtide.com/auth/login
# oauth_token: 2516248ec6289e4d9818122cce0cbde39e4b788d
oauthId = lib.mkOption {
type = lib.types.str;
type = lib.types.nullOr lib.types.str;
default = null;
description = "Github oauth id. Used for the login button";
};
# Most likely you want to use the same user as for the buildbot
@ -180,9 +201,20 @@ in
assertions = [
{
assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
assertion =
cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
}
{
assertion =
cfg.authBackend != "github" || (cfg.github.oauthId != null && cfg.github.oauthSecretFile != null);
message = ''If config.services.buildbot-nix.master.authBackend is set to "github", then config.services.buildbot-nix.master.github.oauthId and config.services.buildbot-nix.master.github.oauthSecretFile have to be set.'';
}
{
assertion =
cfg.authBackend != "gitea" || (cfg.gitea.oauthId != null && cfg.gitea.oauthSecretFile != null);
message = ''config.services.buildbot-nix.master.authBackend is set to "gitea", then config.services.buildbot-nix.master.gitea.oauthId and config.services.buildbot-nix.master.gitea.oauthSecretFile have to be set.'';
}
];
services.buildbot-master = {
@ -205,25 +237,46 @@ in
''
NixConfigurator(
auth_backend=${builtins.toJSON cfg.authBackend},
github=${if cfg.github.disable then "None" else "GithubConfig(
github=${
if (!cfg.github.enable) then
"None"
else
"GithubConfig(
oauth_id=${builtins.toJSON cfg.github.oauthId},
buildbot_user=${builtins.toJSON cfg.github.user},
topic=${builtins.toJSON cfg.github.topic},
)"},
gitea=${if !cfg.gitea.enable then "None" else "GiteaConfig(
instance_url=${builtins.toJSON cfg.gitea.instanceURL},
)"
},
gitea=${
if !cfg.gitea.enable then
"None"
else
"GiteaConfig(
instance_url=${builtins.toJSON cfg.gitea.instanceUrl},
oauth_id=${builtins.toJSON cfg.gitea.oauthId},
topic=${builtins.toJSON cfg.gitea.topic},
)"},
cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
)"
},
cachix=${
if cfg.cachix.name == null then
"None"
else
"CachixConfig(
name=${builtins.toJSON cfg.cachix.name},
signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
)"},
signing_key_secret_name=${
if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"
},
auth_token_secret_name=${
if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"
},
)"
},
admins=${builtins.toJSON cfg.admins},
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
nix_eval_worker_count=${
if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount
},
nix_supported_systems=${builtins.toJSON cfg.buildSystems},
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
)
@ -237,9 +290,11 @@ in
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
dbUrl = config.services.buildbot-nix.master.dbUrl;
# Can be dropped after we have 24.05 everywhere
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: {
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
}));
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (
pkgs.buildbot.overrideAttrs (old: {
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
})
);
pythonPackages = ps: [
ps.requests
ps.treq
@ -255,21 +310,26 @@ in
after = [ "postgresql.service" ];
serviceConfig = {
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
LoadCredential = [
"github-token:${cfg.github.tokenFile}"
"github-webhook-secret:${cfg.github.webhookSecretFile}"
"github-oauth-secret:${cfg.github.oauthSecretFile}"
"buildbot-nix-workers:${cfg.workersFile}"
]
++ lib.optional (cfg.cachix.signingKeyFile != null)
"cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
++ lib.optional (cfg.cachix.authTokenFile != null)
"cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
++ lib.optionals cfg.gitea.enable [
"gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
"gitea-token:${cfg.gitea.tokenFile}"
];
LoadCredential =
[ "buildbot-nix-workers:${cfg.workersFile}" ]
++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}"
++ lib.optional
(
cfg.cachix.signingKeyFile != null
) "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
++ lib.optional
(
cfg.cachix.authTokenFile != null
) "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
++ lib.optionals (cfg.github.enable) [
"github-token:${cfg.github.tokenFile}"
"github-webhook-secret:${cfg.github.webhookSecretFile}"
]
++ lib.optionals cfg.gitea.enable [
"gitea-token:${cfg.gitea.tokenFile}"
"gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
];
# Needed because it tries to reach out to github on boot.
# FIXME: if github is not available, we shouldn't fail buildbot, instead it should just try later again in the background
@ -281,10 +341,12 @@ in
services.postgresql = {
enable = true;
ensureDatabases = [ "buildbot" ];
ensureUsers = [{
name = "buildbot";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "buildbot";
ensureDBOwnership = true;
}
];
};
services.nginx.enable = true;
@ -302,16 +364,16 @@ in
# raise the proxy timeout for the websocket
extraConfig = "proxy_read_timeout 6000s;";
};
} // lib.optionalAttrs (cfg.outputsPath != null) {
"/nix-outputs".root = cfg.outputsPath;
};
} // lib.optionalAttrs (cfg.outputsPath != null) { "/nix-outputs".root = cfg.outputsPath; };
};
systemd.tmpfiles.rules = [
# delete legacy gcroot location, can be dropped after 2024-06-01
"R /var/lib/buildbot-worker/gcroot - - - - -"
] ++ lib.optional (cfg.outputsPath != null)
# Allow buildbot-master to write to this directory
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
systemd.tmpfiles.rules =
[
# delete legacy gcroot location, can be dropped after 2024-06-01
"R /var/lib/buildbot-worker/gcroot - - - - -"
]
++ lib.optional (cfg.outputsPath != null)
# Allow buildbot-master to write to this directory
"d ${cfg.outputsPath} 0755 buildbot buildbot - -";
};
}
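Review bot: In the NixConfigurator hunk, `oauth_id=${builtins.toJSON cfg.github.oauthId}` and `oauth_id=${builtins.toJSON cfg.gitea.oauthId}` now render the literal `null` into the generated Python when the option is left at its new default, producing `oauth_id=null,` which fails at config load unless master.cfg binds a name `null`; this is reachable because the new assertions only require oauthId when that backend is the authBackend, while `github.enable` or `gitea.enable` can be true independently. Use the same pattern the file already uses for outputs_path, e.g. `oauth_id=${if cfg.github.oauthId == null then "None" else builtins.toJSON cfg.github.oauthId},` and the equivalent line for gitea. Separately, the gitea assertion message reads `config.services.buildbot-nix.master.authBackend is set to "gitea", then ...` and is missing the leading "If" that the github message has. The surrounding context still carries a comment line `# oauth_token: 2516...` that looks like a credential literal; it predates this change, but it is worth confirming it is not a live secret and scrubbing it from the module regardless.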