diff --git a/buildbot_nix/__init__.py b/buildbot_nix/__init__.py
index 6997d92..97efefc 100644
--- a/buildbot_nix/__init__.py
+++ b/buildbot_nix/__init__.py
@@ -417,11 +417,25 @@ def nix_eval_config(
 )
+@dataclass
+class CachixConfig:
+ name: str
+ signing_key_secret_name: str | None = None
+ auth_token_secret_name: str | None = None
+
+ def cachix_env(self) -> dict[str, str]:
+ env = {}
+ if self.signing_key_secret_name is not None:
+ env["CACHIX_SIGNING_KEY"] = util.Secret(self.signing_key_secret_name)
+ if self.auth_token_secret_name is not None:
+ env["CACHIX_AUTH_TOKEN"] = util.Secret(self.auth_token_secret_name)
+ return env
+
+
 def nix_build_config(
 project: GithubProject,
 worker_names: list[str],
- has_cachix_auth_token: bool = False,
- has_cachix_signing_key: bool = False,
+ cachix: CachixConfig | None = None,
 outputs_path: Path | None = None,
 ) -> util.BuilderConfig:
 """
@@ -454,19 +468,15 @@ def nix_build_config(
 haltOnFailure=True,
 )
 )
- if has_cachix_auth_token or has_cachix_signing_key:
- if has_cachix_signing_key:
- env = dict(CACHIX_SIGNING_KEY=util.Secret("cachix-signing-key"))
- else:
- env = dict(CACHIX_AUTH_TOKEN=util.Secret("cachix-auth-token"))
+ if cachix:
 factory.addStep(
 steps.ShellCommand(
 name="Upload cachix",
- env=env,
+ env=cachix.cachix_env(),
 command=[
 "cachix",
 "push",
- util.Secret("cachix-name"),
+ cachix.name,
 util.Interpolate("result-%(prop:attr)s"),
 ],
 )
@@ -572,13 +582,13 @@ class GithubConfig:
 def config_for_project(
 config: dict[str, Any],
 project: GithubProject,
- credentials: str,
 worker_names: list[str],
 github: GithubConfig,
 nix_supported_systems: list[str],
 nix_eval_worker_count: int,
 nix_eval_max_memory_size: int,
 eval_lock: util.WorkerLock,
+ cachix: CachixConfig | None = None,
 outputs_path: Path | None = None,
 ) -> Project:
 config["projects"].append(Project(project.name))
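Review bot: `cachix_env` is annotated `-> dict[str, str]` but every value it stores is a `util.Secret(...)` renderable, not a string, so the annotation misleads readers and type checkers; `-> dict[str, Any]` (`Any` is already in scope, see the `config: dict[str, Any]` parameter further down) or `dict[str, util.Secret]` would be accurate. Nothing prevents a `CachixConfig` whose two secret names are both `None`; the NixOS module asserts against that, but the Python API is usable on its own and would then run `cachix push` with an empty environment. A `__post_init__` guard, `if self.signing_key_secret_name is None and self.auth_token_secret_name is None: raise ValueError("CachixConfig needs a signing key or an auth token secret name")`, keeps the invariant next to the data. The class also has no docstring; one sentence saying that the two optional fields are names of buildbot secrets resolved through `util.Secret`, not the key material itself, would stop a caller from pasting the secret value into the config.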
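Review bot: `if cachix:` relies on the dataclass instance being truthy, which holds only because `CachixConfig` defines neither `__bool__` nor `__len__`; `if cachix is not None:` states the intent and survives a later change to the class. The docstring of `nix_build_config` (it opens at the end of the previous hunk and lies outside this one) presumably still describes the old `has_cachix_*` flags and should document the `cachix` parameter instead. The cache name is now passed as a plain string where the old code used `util.Secret("cachix-name")`, so it is presumably no longer redacted in step logs; that is fine for a public cache name but deserves a one-line comment, `# the cache name is public; only the key/token are secrets`, so nobody reintroduces the Secret wrapper by reflex.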
@@ -635,12 +645,6 @@ def config_for_project(
 ),
 ]
 )
- has_cachix_auth_token = os.path.isfile(
- os.path.join(credentials, "cachix-auth-token")
- )
- has_cachix_signing_key = os.path.isfile(
- os.path.join(credentials, "cachix-signing-key")
- )
 config["builders"].extend(
 [
 # Since all workers run on the same machine, we only assign one of them to do the evaluation.
@@ -657,8 +661,7 @@ def config_for_project(
 nix_build_config(
 project,
 worker_names,
- has_cachix_auth_token,
- has_cachix_signing_key,
+ cachix=cachix,
 outputs_path=outputs_path,
 ),
 nix_skipped_build_config(project, [SKIPPED_BUILDER_NAME]),
@@ -756,6 +759,7 @@ class NixConfigurator(ConfiguratorBase):
 nix_eval_worker_count: int | None,
 nix_eval_max_memory_size: int,
 nix_workers_secret_name: str = "buildbot-nix-workers",
+ cachix: CachixConfig | None = None,
 outputs_path: str | None = None,
 ) -> None:
 super().__init__()
@@ -765,7 +769,7 @@ class NixConfigurator(ConfiguratorBase):
 self.nix_supported_systems = nix_supported_systems
 self.github = github
 self.url = url
- self.systemd_credentials_dir = os.environ["CREDENTIALS_DIRECTORY"]
+ self.cachix = cachix
 if outputs_path is None:
 self.outputs_path = None
 else:
@@ -803,13 +807,13 @@ class NixConfigurator(ConfiguratorBase):
 config_for_project(
 config,
 project,
- self.systemd_credentials_dir,
 worker_names,
 self.github,
 self.nix_supported_systems,
 self.nix_eval_worker_count or multiprocessing.cpu_count(),
 self.nix_eval_max_memory_size,
 eval_lock,
+ self.cachix,
 self.outputs_path,
 )
diff --git a/examples/default.nix b/examples/default.nix
index b1d4ac8..bb0598e 100644
--- a/examples/default.nix
+++ b/examples/default.nix
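Review bot: `self.cachix` and `self.outputs_path` are passed positionally to `config_for_project`, whose new `cachix` parameter was inserted between `eval_lock` and `outputs_path` with a default; the call only lines up because both sides were edited in the same order, and the next defaulted parameter someone inserts will silently shift a `CachixConfig` into `outputs_path` without a type error at import time. Passing them by keyword, `cachix=self.cachix,` and `outputs_path=self.outputs_path,`, matches how `nix_build_config` is already called in this commit (`cachix=cachix, outputs_path=outputs_path`) and removes the ordering dependency. The enclosing method continues outside the hunk.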
@@ -36,12 +36,20 @@ in
 user = "mic92-buildbot";
 admins = [ "Mic92" ];
 };
- # optional
+ # optional expose latest store path as text file
 # outputsPath = "/var/www/buildbot/nix-outputs";
 # optional nix-eval-jobs settings
 # evalWorkerCount = 8; # limit number of concurrent evaluations
 # evalMaxMemorySize = "2048"; # limit memory usage per evaluation
+
+ # optional cachix
+ #cachix = {
+ # name = "my-cachix";
+ # # One of the following is required:
+ # signingKey = "/var/lib/secrets/cachix-key";
+ # authToken = "/var/lib/secrets/cachix-token";
+ #};
 };
 })
 buildbot-nix.nixosModules.buildbot-master
diff --git a/nix/master.nix b/nix/master.nix
index 867f7fc..60474a1 100644
--- a/nix/master.nix
+++ b/nix/master.nix
@@ -15,6 +15,25 @@ in
 default = "postgresql://@/buildbot";
 description = "Postgresql database url";
 };
+ cachix = {
+ name = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "Cachix name";
+ };
+
+ signingKeyFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = "Cachix signing key";
+ };
+
+ authTokenFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "Cachix auth token";
+ };
+ };
 github = {
 tokenFile = lib.mkOption {
 type = lib.types.path;
@@ -107,6 +126,13 @@ in
 isSystemUser = true;
 };
+ assertions = [
+ {
+ assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
+ message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
+ }
+ ];
+
 services.buildbot-master = {
 enable = true;
@@ -118,7 +144,7 @@ in
 home = "/var/lib/buildbot";
 extraImports = ''
 from datetime import timedelta
- from buildbot_nix import GithubConfig, NixConfigurator
+ from buildbot_nix import GithubConfig, NixConfigurator, CachixConfig
 '';
 configurators = [
 ''
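Review bot: The commented example uses `signingKey` and `authToken`, but the module added to `nix/master.nix` in this same commit declares the options as `cachix.signingKeyFile` and `cachix.authTokenFile`, so anyone who uncomments the example gets an undefined-option error at evaluation. The two lines should read `#   signingKeyFile = "/var/lib/secrets/cachix-key";` and `#   authTokenFile = "/var/lib/secrets/cachix-token";`. The `*File` suffix also makes it obvious that a path to a file outside the Nix store is expected, not the secret value, which is what the credential list in `nix/master.nix` (mapping the file to the secret name `cachix-signing-key`) relies on.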
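Review bot: `authTokenFile` is typed `nullOr lib.types.str` while `signingKeyFile` right above it is `nullOr lib.types.path`, although both are consumed identically through `builtins.toString` in the credential list later in this file; the two should share `lib.types.path`, matching the sibling `github.tokenFile`. The descriptions `"Cachix signing key"` and `"Cachix auth token"` read as if the secret value itself belongs in the option; `"Path to a file holding the Cachix signing key; the file is read at service start and its contents never enter the Nix configuration"` (and the auth-token counterpart) tells an operator what to put there and what not to. `cachix.name` could likewise state that it is the public cache name, not a secret.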
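Review bot: The assertion message says `signingKeyFile and authTokenFile must be set`, but the condition accepts either one (`||`), so the message misstates the rule exactly when it fires; `message = "if cachix.name is provided, at least one of cachix.signingKeyFile or cachix.authTokenFile must be set";` matches the logic. The converse is not asserted: a `signingKeyFile` or `authTokenFile` set without `cachix.name` is still loaded into the service by the credential list later in this file while the generated Python receives `cachix=None`, so the process is handed a secret it never uses. A second assertion, `assertion = (cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null) -> cfg.cachix.name != null;`, closes that gap at evaluation time.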
@@ -132,9 +158,14 @@ in
 buildbot_user=${builtins.toJSON cfg.github.user},
 topic=${builtins.toJSON cfg.github.topic},
 ),
+ cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
+ name=${builtins.toJSON cfg.cachix.name},
+ signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
+ auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
+ "}),
 url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
 nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
- nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toJSON cfg.evalWorkerCount},
+ nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
 nix_supported_systems=${builtins.toJSON cfg.buildSystems},
 outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
 )
@@ -166,7 +197,11 @@ in
 "github-webhook-secret:${cfg.github.webhookSecretFile}"
 "github-oauth-secret:${cfg.github.oauthSecretFile}"
 "buildbot-nix-workers:${cfg.workersFile}"
- ];
+ ]
+ ++ lib.optional (cfg.cachix.signingKeyFile != null)
+ "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
+ ++ lib.optional (cfg.cachix.authTokenFile != null)
+ "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}";
 };
 };
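Review bot: The secret names `"cachix-signing-key"` and `"cachix-auth-token"` are spelled out here and again in the credential list in the next hunk; if either copy drifts, the `util.Secret` lookup on the Python side presumably fails only when a build reaches the upload step, not at evaluation. Binding each name once in the module's `let` block (the hunk header shows the body sits under an `in`), e.g. `cachixSigningKeyName = "cachix-signing-key";`, and referencing the binding in both places keeps them in sync. The `builtins.toJSON` to `builtins.toString` change for `nix_eval_worker_count` yields the same text for an integer, so it looks cosmetic and unrelated to the cachix feature; a separate commit or a note in the description would make that clear.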
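Review bot: The credentials are loaded whenever `signingKeyFile` or `authTokenFile` is set, independently of `cfg.cachix.name`, while the generated Python in the previous hunk only constructs a `CachixConfig` when `name` is non-null; with `name` unset the service is still handed a secret it never consumes. Conditioning on the name as well, `++ lib.optional (cfg.cachix.name != null && cfg.cachix.signingKeyFile != null)` (and likewise for the auth token), limits the exposed credentials to what the builder actually uses. `builtins.toString` on `authTokenFile` is a no-op while that option is typed `str`; it only earns its place once the option becomes `path` like `signingKeyFile`, so either align the types or drop the call for consistency.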