From 198b4dff207893bd366a4b22b6658a7cc6a4c47b Mon Sep 17 00:00:00 2001 
From: Skyler Grey Date: Tue, 2 Jul 2024 22:46:30 +0000 Subject: [PATCH] feat(baxter): Add buildbot CI For a while we've been lacking a CI, which has led to problems such as an inability to enforce REUSE, as well as an inability to build and deploy docs-site automatically Buildbot is commonly used (nix-community, lix, etc.), and very extensible, which we hope will benefit us over something like Hydra or Typhon The buildbot instance is available at https://builds.auxolotl.org --- flake.lock | 498 +++++++++++++++--- flake.nix | 6 +- .../auxolotl/services/ci/master/default.nix | 112 ++++ .../auxolotl/services/ci/worker/default.nix | 40 ++ .../services.ci.master.webhookSecretFile.age | 12 + .../services.ci.worker.workerPasswordFile.age | Bin 0 -> 615 bytes ...cee6517c6-services.ci.master.tokenFile.age | 7 + ...vices.ci.master.oauth.clientSecretFile.age | Bin 0 -> 433 bytes ...f-services.ci.master.webhookSecretFile.age | 7 + ...75-services.ci.master.workersFile.json.age | Bin 0 -> 351 bytes ...-services.ci.worker.workerPasswordFile.age | 7 + systems/x86_64-linux/baxter/default.nix | 41 ++ ...vices.ci.master.oauth.clientSecretFile.age | 12 + .../baxter/services.ci.master.tokenFile.age | 11 + .../services.ci.master.workersFile.json.age | Bin 0 -> 658 bytes 15 files changed, 679 insertions(+), 74 deletions(-) create mode 100644 modules/nixos/auxolotl/services/ci/master/default.nix create mode 100644 modules/nixos/auxolotl/services/ci/worker/default.nix create mode 100644 secrets/generated/baxter/services.ci.master.webhookSecretFile.age create mode 100644 secrets/generated/baxter/services.ci.worker.workerPasswordFile.age create mode 100644 secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age create mode 100644 secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age create mode 100644 secrets/rekeyed/baxter/611a4946b7c2a4de9aa8f6175cf92d7f-services.ci.master.webhookSecretFile.age create mode 
100644 secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age create mode 100644 secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age create mode 100644 systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age create mode 100644 systems/x86_64-linux/baxter/services.ci.master.tokenFile.age create mode 100644 systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age diff --git a/flake.lock b/flake.lock index 5125259..07cb3e0 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1720546205, + "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "agenix-rekey": { + "inputs": { + "devshell": "devshell", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1721402988, + "narHash": "sha256-O5j5y5gpssVF5FNsSF7joTyrlW//LpwyLk6yBWgQ0VE=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "3f1c787e2092d9c13142ae7572cc1c52b68f1c4c", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, "auxolotl-website": { "inputs": { "nixpkgs": [ 
@@ -21,20 +65,62 @@ "url": "https://git.auxolotl.org/auxolotl/website" } }, + "buildbot-nix": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1722025605, + "narHash": "sha256-WKgvUD1V5w3GQ/uycqHMmYXhYvbB0T0EnKFeQ8hb6j8=", + "owner": "nix-community", + "repo": "buildbot-nix", + "rev": "225d286fa78389329168befc5d26888e317d0d0d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "buildbot-nix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "nixpkgs" ], "utils": "utils" }, "locked": { - "lastModified": 1711973905, - "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", + "lastModified": 1718194053, + "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", "owner": "serokell", "repo": "deploy-rs", - "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", + "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", "type": "github" }, "original": { 
@@ -43,7 +129,45 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "systems": "systems_2" + }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, @@ -59,7 +183,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -75,7 +199,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1650374568, 
@@ -91,61 +215,28 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719994518, + "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils-plus": { - "inputs": { - "flake-utils": "flake-utils" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils-plus_2": { - "inputs": { - "flake-utils": "flake-utils_2" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils_2": { "inputs": { "systems": "systems_3" }, 
@@ -163,13 +254,177 @@ "type": "github" } }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_3" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", 
+ "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1721838734, + "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=", + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431", + "type": "github" + }, + "original": { + "owner": "Nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1721743106, + "narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=", "owner": "nixos", "repo": "nixpkgs", - "rev": 
"00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f", "type": "github" }, "original": { @@ -179,18 +434,49 @@ "type": "github" } }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "agenix-rekey", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1694364351, + "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", + "agenix-rekey": "agenix-rekey", "auxolotl-website": "auxolotl-website", + "buildbot-nix": "buildbot-nix", "deploy-rs": "deploy-rs", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "snowfall-lib": "snowfall-lib_2", "unstable": "unstable" } }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "auxolotl-website", @@ -213,18 +499,18 @@ }, "snowfall-lib_2": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1713814392, - "narHash": "sha256-IanrgtpgDqxGfzNczstspPljAHKaY0e4DGvYgdAwC1Y=", + "lastModified": 1717625599, + "narHash": "sha256-qX9VJizFEoiRWDEiVs5+2w4FclQNQVVPvGPESsZ1F8k=", "owner": "snowfallorg", "repo": "lib", - "rev": "91ab40c2e01cc1bade8092604370964ee86e9317", + "rev": "5a10d2e37b6c6223763fa7c00b974875e49f93cc", "type": "github" }, "original": { 
@@ -279,13 +565,79 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1721769617, + "narHash": "sha256-6Pqa0bi5nV74IZcENKYRToRNM5obo1EQ+3ihtunJ014=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "8db8970be1fb8be9c845af7ebec53b699fe7e009", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "unstable": { "locked": { - "lastModified": 1714906307, - "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=", + "lastModified": 1721743106, + "narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588", + "rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f", "type": "github" }, "original": { 
@@ -297,7 +649,7 @@ }, "utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_5" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 4e23335..e89fee2 100644 --- a/flake.nix +++ b/flake.nix @@ -8,7 +8,6 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - snowfall-lib = { url = "github:snowfallorg/lib/dev"; inputs.nixpkgs.follows = "nixpkgs"; @@ -26,6 +25,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + buildbot-nix.url = "github:nix-community/buildbot-nix"; + # Do not override nixpkgs in buildbot-nix (see https://github.com/nix-community/buildbot-nix) + deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; @@ -52,6 +54,8 @@ systems.modules.nixos = [ inputs.agenix.nixosModules.default inputs.agenix-rekey.nixosModules.default + inputs.buildbot-nix.nixosModules.buildbot-master + inputs.buildbot-nix.nixosModules.buildbot-worker ]; deploy = lib.mkDeploy { diff --git a/modules/nixos/auxolotl/services/ci/master/default.nix b/modules/nixos/auxolotl/services/ci/master/default.nix new file mode 100644 index 0000000..754df30 --- /dev/null +++ b/modules/nixos/auxolotl/services/ci/master/default.nix 
@@ -0,0 +1,112 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{
+ lib,
+ pkgs,
+ config,
+ inputs,
+ ...
+}: let
+ cfg = config.auxolotl.services.ci.master;
+in {
+ options.auxolotl.services.ci.master = {
+ enable = lib.mkEnableOption "Enable the buildbot-nix master on this server";
+
+ forgeUrl = lib.mkOption {
+ type = lib.types.str;
+ default = "https://${config.auxolotl.services.forge.subdomain}.${config.auxolotl.services.forge.domain}";
+ description = "The url your gitea/forgejo forge is hosted at";
+ };
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "auxolotl.org";
+ description = "The domain name for the website.";
+ };
+
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ default = "builds";
+ description = "The subdomain for the website.";
+ };
+
+ oauth = {
+ clientId = lib.mkOption {
+ type = lib.types.str;
+ description = "The client ID for your gitea/forgejo app";
+ };
+ clientSecretFile = lib.mkOption {
+ type = lib.types.str;
+ description = "A file containing the client secret for your gitea/forgejo app, readable by the 'buildbot' user";
+ };
+ };
+
+ tokenFile = lib.mkOption {
+ type = lib.types.str;
+ description = "A file containing the personal access token for your gitea/forgejo user. You should probably make a new 'ci' user for this purpose, although this is not strictly required";
+ };
+
+ webhookSecretFile = lib.mkOption {
+ type = lib.types.str;
+ description = "A file containing the secret for your gitea/forgejo triggering webhooks";
+ };
+
+ databasePasswordFile = lib.mkOption {
+ type = lib.types.str;
+ description = "A file containing the password for the buildbot postgres user";
+ };
+
+ workersFile = lib.mkOption {
+ type = lib.types.str;
+ description = "A file containing a list of workers, passwords, etc. as JSON. 
See https://github.com/nix-community/buildbot-nix/blob/5bdbb7609689989a79f7d6e6e59c4b7985634230/examples/master.nix#L13 for an example";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.buildbot-nix.master = {
+ enable = true;
+
+ authBackend = "gitea"; # Forgejo and gitea are similar enough to ...
+
+ gitea = {
+ inherit (cfg) tokenFile webhookSecretFile;
+
+ instanceUrl = cfg.forgeUrl;
+
+ oauthId = cfg.oauth.clientId;
+ oauthSecretFile = cfg.oauth.clientSecretFile;
+
+ topic = null;
+ };
+
+ admins = [
+ "jakehamilton"
+ "isabelroses"
+ "minion"
+
+ "AxelSilverdew"
+ "coded"
+ "srd424"
+ ];
+ # Admins is currently Steering+Infrastructure committees
+ # We should consider how best to proceed with this...
+
+ workersFile = cfg.workersFile;
+ buildSystems = [ pkgs.hostPlatform.system ];
+
+ domain = "${cfg.subdomain}.${cfg.domain}";
+ useHTTPS = true;
+
+ buildbotNixpkgs = pkgs;
+
+ outputsPath = "/var/lib/buildbot/outputs";
+ };
+
+ services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+}
diff --git a/modules/nixos/auxolotl/services/ci/worker/default.nix b/modules/nixos/auxolotl/services/ci/worker/default.nix
new file mode 100644
index 0000000..c135bd4
--- /dev/null
+++ b/modules/nixos/auxolotl/services/ci/worker/default.nix
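Review bot: `databasePasswordFile` is declared in the options block of this module but nothing in `config` reads it, so a value set there is silently ignored; either pass it through to the master configuration or drop the `databasePasswordFile = lib.mkOption { ... };` stanza until it is wired up. `topic = null` in the `gitea` block presumably disables buildbot-nix's repository-topic filter, so every repository the token user can see would be enrolled for builds, pull requests included — worth stating explicitly with a comment such as `# topic = null: enroll every repository visible to the CI user, not only those tagged with a topic` so the scope of what gets built is a deliberate choice. The `inputs` module argument is unused.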
@@ -0,0 +1,40 @@ +# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors +# +# SPDX-License-Identifier: GPL-3.0-only + +{ + lib, + pkgs, + config, + inputs, + ... +}: let + cfg = config.auxolotl.services.ci.worker; +in { + options.auxolotl.services.ci.worker = { + enable = lib.mkEnableOption "Enable a buildbot-nix worker on this server"; + + masterUrl = lib.mkOption { + type = lib.types.str; + description = "The master url for the buildbot worker"; + default = if config.auxolotl.services.ci.master.enable + then "tcp:host=localhost:port=9989" + else throw "auxolotl.services.ci.worker: You must either set a master URL or run a master on this server"; + }; + + workerPasswordFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the password for this worker"; + }; + }; + + config = lib.mkIf cfg.enable { + services.buildbot-nix.worker = { + enable = true; + + buildbotNixpkgs = pkgs; + + inherit (cfg) masterUrl workerPasswordFile; + }; + }; +} diff --git a/secrets/generated/baxter/services.ci.master.webhookSecretFile.age b/secrets/generated/baxter/services.ci.master.webhookSecretFile.age new file mode 100644 index 0000000..810d4b1 --- /dev/null +++ b/secrets/generated/baxter/services.ci.master.webhookSecretFile.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg A70wMCisOjVzR3ug4BLjnWaiySAkBRDLS80G5F+HgP90 +5eo4VyKyOpO3s1ab5tYWrPJLp2NDoNfOLssPJz1X6sM +-> piv-p256 Hpt/+Q Ap55RMoW+ydJ/CWdY4f+dT3m+e6iKe+OJlE3ORgH5jl/ +XjwSs/jqumcvnOsfKM97NbjuKelP7bxz87fXqDajmto +-> piv-p256 zfskmQ A6uIgMEgAQONVDgcpqh935TcbNVHPdGR+a8y2fsY0dw4 +0eByad5OHK5Gap5Eq+jA5j1cWHS8q6cKvR9VKD5gXg4 +-> LOt-grease %/=M +fgFp1gevlSUjaT26jP0yiRZNh3H9IlhZtJDt61WublxpuNhISVSNSqXat86tXjOZ +iEd+ +--- 8HghOj3gAYLyGa2/z7ep5TbdSmrzhi7Bv333id6/XRY +O:&-3sQsDF<̅ fDXb.TxdR 3YBqs"Nlٚ \ No newline at end of file 
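Review bot: The `masterUrl` default in the worker module throws when no master is enabled on the host, which surfaces as an evaluation error wherever the default is evaluated (option documentation rendering included) rather than through the module assertion path; add `defaultText = lib.literalMD "\"tcp:host=localhost:port=9989\" when the local master is enabled, otherwise an evaluation error";` next to the default, or move the check into `assertions` with the same message. The hard-coded `port=9989` assumes the local master listens there — confirm against the buildbot-nix master module. The `inputs` argument is unused here, as it is in the master module.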
diff --git a/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age b/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age new file mode 100644 index 0000000000000000000000000000000000000000..cc74ebfbbd0ea1c8522f99003ba6b27997d9c803 GIT binary patch literal 615 zcmY+t_?BN}4Jxsik<=tM@p z>yQ?ewoP4`E{OpabVJWw1tHvCP`PY~=d5m;qwui7F$3Elaa4)1e!I$NqPn}6?qvjs zLuID1eUQ<;#OrX)$dMpsAq%n71Y}O@Va4#cKTUcIOqfbK=X8jenV6Kh6l2Qq&sp_s z9WDP^L8q(H#Mo6gnSz`4qEuG#hy6RXs9q-eC|w^X#?PkX(;~G-s%?7{|6W8OWK*G!=49 zl#?9-u6-C*t8OJ`u4)*R80Mk4R|rDj7iCJ!@m1((bQc1tY01MCI_DJ0)$~rK8(AyH zs_Aa6jjc9_HxqUv*RjI4VA_^cnwr-Tf*=jWkb2CR&MhoK)iQEtxyweZBXpb!@T>=D zK@P|PK1%EaLjSzG`sL%R=chN$9(?_cZeM<~eEFtMvF9N q&xiQ^w^yR~*VMzuzwUjYUHs?(y!i3#()G{z*0=pz`zNo>gVVq9+|!x> literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age b/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age new file mode 100644 index 0000000..c65bcee --- /dev/null +++ b/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA 5MtkO2R8f6CVXX4c2n3BOiAMzExUSwfm4u+TQIHamEg +i3SUH1s0UYAUhfZmCkrBw7BN5NTTtQIwGl0ITQht0XM +-> [[E3wgE-grease xW^ t/4SAoK@ +8dSbS93buyIBRyWFPg +--- 4ySt+P89sGFFAdDieoRwozA/Hsq+FqA2wWNcMwQ3a74 +TTUV+E{YDLM_.P$y^mO͚S(S;TgN(N aT Q \ No newline at end of file 
diff --git a/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age b/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age new file mode 100644 index 0000000000000000000000000000000000000000..1422b169d59237e3149a2a2965f0183f1fa0a73f GIT binary patch literal 433 zcmV;i0Z#s5XJsvAZewzJaCB*JZZ23)QcVSC5V>NYiW@c_vVKPH%YG_SEQE_;0Gj9rVH*+{KS1@R7 zdP-4KQ*>fSNK{i}aZ^iUQg=6DZdNiuO?gdHQ8HpkMokJWJ|IwYFl-c`sINVOnNqLO5z!QhHBCO>PQVYcvWiEiE8ucr|i3 zVn#(XYHV|NMR;sWQgTE$WMp<|WHxGbN_k01RC0AqFmi1+N^=T>Q2>BS#)qCJzTG!{ zVu#ypVLR*gvpv^w34lQZrg8~;t3#-sso=xT-6ND2>rO&4yuz9NkZwIr2p(0{@F&N3 b{ ssh-ed25519 Z9MeFA 3AdBBzRTHv35vrflVzH1z/8YV5SJykizTzOtKOgucRI +eU/l9cWEF9ix2fK8YqqlHuBdJdISERVVZAdRnAXfKFA +-> Cf*79d-grease +Mft5A1hDcFzr+nA1uE6kNLlN26I +--- HkABm597GfKIRwYRHvYV6tCoFeiNN3tAEEgnctlGCo8 +x^qc73^јNZHh?8GӔTw]y,Q8H xVG+O$y \ No newline at end of file diff --git a/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age b/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age new file mode 100644 index 0000000000000000000000000000000000000000..02eb3a862a2caffc36004a79ffb6c113d738e46f GIT binary patch literal 351 zcmV-l0igb2XJsvAZewzJaCB*JZZ2cyl#+Z&yTFa&|IHcSU1$Pee5_S}{>8Woc(CQ+ID-F-KxrcQ6V>X)i-HQ&mt* zRxv_DOm9bNHfb_uXLU|daY0owS8G{oZDdbaWKB16FG&h5J|IPXVSXgE^Y-&?xPhodE>N^ff~ zP(yNaRxe>sSSvX(R&ZlM3f%zy-IJ)~q1X^-U#)~8Y5+(Hp!LNK!ti)TDM({-E6EG0 z*DY_<65Kr7|6k>6H&aAKBbs xb5U`_f|S4K@VMRQlxg3qJbpLp2Anoff&xL%nmgpYanw;7zvkyN}EiID&R literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age b/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age new file mode 100644 index 0000000..df80bfa --- /dev/null +++ b/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA EOHfjGuxu4lGCf1BVX4yI6GEULyMjqgijUjozsNxCnk +9cT0bTKNP73guNnwSmDVn+gSZwnF4Wweq4DlvHdWUkA +-> )|AUL?-grease +&*1J$ uR@9HO ,nfE ULx2MW"l +7Z3ZhFGj/dlmd6s1W2AESyALUeslyMrLiVN6X+Uo8w +--- 2i6p/11kcpcMhZUItUPfqCUp+9ykJq+T4mGg1oYw7gE +$w4؎r}(1hue&f>40G\D.%<&dK\ \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/default.nix b/systems/x86_64-linux/baxter/default.nix index 3841c2a..5f754c8 100644 --- a/systems/x86_64-linux/baxter/default.nix +++ b/systems/x86_64-linux/baxter/default.nix @@ -46,8 +46,49 @@ services = { ssh.enable = true; forge.enable = true; + + ci = { + master = { + enable = true; + + tokenFile = config.age.secrets."services.ci.master.tokenFile".path; + webhookSecretFile = config.age.secrets."services.ci.master.webhookSecretFile".path; + oauth = { + clientId = "76e70591-79a6-4a2f-8319-317f46800519"; + clientSecretFile = config.age.secrets."services.ci.master.oauth.clientSecretFile".path; + }; + + workersFile = config.age.secrets."services.ci.master.workersFile.json".path; + }; + worker = { + enable = true; + workerPasswordFile = config.age.secrets."services.ci.worker.workerPasswordFile".path; + }; + }; }; }; + age.secrets."services.ci.master.tokenFile" = { + rekeyFile = ./services.ci.master.tokenFile.age; + group = "buildbot"; + }; + age.secrets."services.ci.master.webhookSecretFile" = { + generator.script = "alnum"; + group = "buildbot"; + }; + age.secrets."services.ci.master.oauth.clientSecretFile" = { + rekeyFile = ./services.ci.master.oauth.clientSecretFile.age; + group = "buildbot"; + }; + age.secrets."services.ci.master.workersFile.json" = { + rekeyFile = ./services.ci.master.workersFile.json.age; + group = "buildbot"; + }; + + age.secrets."services.ci.worker.workerPasswordFile" = { + generator.script = "alnum"; + group = "buildbot"; + }; + system.stateVersion = "23.11"; } 
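Review bot: `services.ci.worker.workerPasswordFile` is produced by `generator.script = "alnum"` while the master's `services.ci.master.workersFile.json` is a static rekeyed file that must carry the same password for this worker to authenticate; nothing in the configuration ties the two together, so regenerating the generated secret would silently break the worker. Add a comment on the worker secret such as `# Must match this host's entry in services.ci.master.workersFile.json; regenerating it requires re-encrypting that file`. Each secret sets `group = "buildbot"` without a `mode`; if the buildbot user reads these files directly, agenix's default mode presumably leaves them owner-readable only and `mode = "0440";` would be needed, whereas if buildbot-nix loads them through systemd credentials the group setting is redundant — confirm which applies. The `clientId` literal is an OAuth client identifier rather than a secret, so keeping it in plain Nix is fine.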
diff --git a/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age b/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age new file mode 100644 index 0000000..1c09e17 --- /dev/null +++ b/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg A+D0j6/XAOWgbzbOKKNX3IaA0RCZSYG1lWXNL7ErYKjh +p3kgqbWj5T0D1pbStNRjHpKPbv4sMvrHXDpBk5Ym8LE +-> piv-p256 Hpt/+Q AgIoOHkn/1EJRoaMHTVR2nO2ub1F2UoRjYaJIpmvXzty +tGfVG9kUG94wZSwwkFEcJK6ehvaHHUVa1eJBXjyQnW4 +-> piv-p256 zfskmQ AhG7AZlLuJ2JwfojMJIZKAjGlgUgssK2JlsBjcAkdehP +Yr8a6Cx7S08KBYkbTYoPHAROllXvGsMkS1lKv+3cP4I +-> D^7VNXi7-grease C !pw j +nIH+2iyF2LotQqzFroxVIgeFVnvMjYhsO27Egb7UU/zavBgrY2Grc30v3AptjT2j +I4q23DfwVcU5OYXq4HYHnC4zwKI +--- XOlDFARRpwZ/ew4vOTsDt5dkAfTNNfmVKfVB+2fGwHE +.a-.= c9:P7d96 1 b;24f!nCFjJm׫rwt%F{QI  \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age b/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age new file mode 100644 index 0000000..e8c3dd7 --- /dev/null +++ b/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg Ags6YIwJfw361Tg6pfdxGUZDDegofZk+xIPWpEbSps02 +oSq4ycmqQjeYrnBDAb1PyK8KnWySOyukcvhS8OXW82A +-> piv-p256 Hpt/+Q AgvQ2nuF4CELPs7L9OJEeoXk2TpPLNWkQ8TYrZIyJiZ3 +KFkj1om15tbZVCM1zmG7/zjhJSGwRDSP5wfB+9HuBP4 +-> piv-p256 zfskmQ A551KXlyYGw0E4X3VUSnyPEdXdEIcQBoLFbf4yoc2pEF +JEheQDNOFweKrO8AfKyS2acuzpN77g/qwdHJzWXzUew +-> 6U;sLGZs-grease 6 +Ug2KSn6pQ5KWyTb7A3l/dN3G8C9v3QlJp4PXzw +--- 8jZf5hxeOQO2fk9vafkEkpAlHEXKO/EZIrP0YkLkI+4 +(Kwk`ލ.Qv{q <|rDIoϮnZQlj#46lZ"UF2Y! \ No newline at end of file 
diff --git a/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age b/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age new file mode 100644 index 0000000000000000000000000000000000000000..682cd66ef342037db52552fb23cc065571570e80 GIT binary patch literal 658 zcmY+;%WKnc003YG4;s+J#NrNOrVfNqo8Q``EvS(6m85yBk2LK>FiF#_&Dy-$qzN({ zf)_=-$n@k6D(Jz3O!VYIyr`QBJLnLn7e&OAg0F*f9`_e~pR8+9t*1JH)o+`HIH`)CtyYp6#>x_p@j{Iwhn`WcsUcv>Wf2uSiL@#z z9EAC7p7fa@SN0^-k)>uaEZS8L2?s1w;S+`4pc&wqDxQ7FK*A&9oxDUd22(I3y6o$CCD6e%lBKi>oWMw)H-s3?lN!Wg z?PObV2a`BkMr(*Y0C5 zCQzm+1`RfD^#-_H?@Z`O3=gOnT}rWnO8X5&9cFT9N{6D+C@fP6%qICx#sgGWZe*Bh zCYh5;UYLkyZAG`^O%_y#LLgWT=)8+9V zL$A+1nIC^Tf8g1^yRrAD)~;R~jjYTq?Tsk2M~QmDwO7$M_l`X{`DgCNHYIqs>r&*( F!+&CE>~8=7 literal 0 HcmV?d00001