e9a3849417
Flake lock file updates: • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/4d34ce6412bc450b1d4208c953dc97c7fc764f1a' (2024-05-01) → 'github:hercules-ci/flake-parts/e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e' (2024-05-02) • Updated input 'nixpkgs': 'github:Nixos/nixpkgs/23cc2b1f071baee1853de7d93df6167bdfe57aa6' (2024-05-01) → 'github:Nixos/nixpkgs/9a22fecda3caa5fb5ae716fab63c5b8f0b7e1060' (2024-05-04) |
||
---|---|---|
.github | ||
bin | ||
buildbot_effects | ||
buildbot_nix | ||
examples | ||
nix | ||
.gitignore | ||
.mergify.yml | ||
default.nix | ||
flake.lock | ||
flake.nix | ||
pyproject.toml | ||
README.md |
Buildbot-nix
Buildbot-nix is a NixOS module designed to integrate Buildbot, a continuous integration (CI) framework, into the Nix ecosystem. This module is under active development, and while it's generally stable and widely used, please be aware that some APIs may change over time.
Getting Started with Buildbot Setup
To set up Buildbot using Buildbot-nix, you can start by exploring the provided examples:
- Check out the basic setup in example.
- Learn about configuring the Buildbot master in master module.
- Understand how to set up a Buildbot worker in worker module.
Additionally, you can find real-world examples at the end of this document.
Buildbot masters and workers can be deployed either on the same machine or on separate machines. To support multiple architectures, configure them as nix remote builders. For a practical NixOS example, see this remote builder configuration.
Using Buildbot in Your Project
Buildbot-nix automatically triggers builds for your project under these conditions:
- When a pull request is opened.
- When a commit is pushed to the default git branch.
It does this by evaluating the .#checks
attribute of your project's flake in
parallel. Each attribute found results in a separate build step. You can test
these builds locally using nix flake check -L
or
nix-fast-build.
If you need to build other parts of your flake, such as packages or NixOS
machines, you should re-export these into the .#checks
output. Here are two
examples to guide you:
- Using flake-parts.
- A plain flake example.
Authentication backend
At the moment all projects are visible without authentication.
For some actions a login is required. This login can either be based on GitHub
or on Gitea (more logins may follow). The backend is set by the
services.buildbot-nix.master.authBackend
NixOS option.
We have the following two roles:
- Admins:
- The list of admin usernames is hard-coded in the NixOS configuration.
- admins can reload the project list
- Organisation member:
- All member of the organisation where this repository is located
- They can restart builds
Integration with GitHub
To integrate with GitHub:
- GitHub Token: Obtain a GitHub token with
admin:repo_hook
andrepo
permissions. For GitHub organizations, it's advisable to create a separate GitHub user for managing repository webhooks.
Optional when using GitHub login
- GitHub App: Set up a GitHub app for Buildbot to enable GitHub user authentication on the Buildbot dashboard.
- OAuth Credentials: After installing the app, generate OAuth credentials
and configure them in the buildbot-nix NixOS module. Set the callback url to
https://<your-domain>/auth/login
.
Afterwards add the configured github topic to every project that should build with buildbot-nix. Notice that the buildbot user needs to have admin access to this repository because it needs to install a webhook.
Integration with Gitea
To integrate with Gitea
- Gitea Token Obtain a Gitea token with the following permissions
write:repository
andwrite:user
permission. For Gitea organizations, it's advisable to create a separate Gitea user. Buildbot-nix will use this token to automatically setup a webhook in the repository. - Gitea App: (optional). This is optional, when using GitHub as the
authentication backend for buildbot. Set up a OAuth2 app for Buildbot in the
Applications section. This can be done in the global "Site adminstration"
settings (only available for admins) or in a Gitea organisation or in your
personal settings. As redirect url set
https://buildbot.your-buildbot-domain.com/auth/login
, wherebuildbot.your-buildbot-domain.com
should be replaced with the actual domain that your buildbot is running on.
Afterwards add the configured gitea topic to every project that should build with buildbot-nix. Notice that the buildbot user needs to have repository write access to this repository because it needs to install a webhook in the repository.
Binary caches
To access the build results on other machines there are two options at the moment
Local binary cache (harmonia)
You can set up a binary cache on your buildbot-worker machine to make its nix store accessible from other machines. Check out the README of the project, for an example configuration
Cachix
Buildbot-nix also supports pushing packages to cachix. Check out the comment out example configuration in our repository.
Real-World Deployments
See Buildbot-nix in action in these deployments:
The following instances run on GitHub:
- Nix-community infra: Configuration | Instance
- Mic92's dotfiles: Configuration | Instance
- Technical University Munich: Configuration | Instance
- Numtide: Instance
The following instances integrated with Gitea:
- Clan infra: Configuration | Instance