[perso/Immae/Config/Nix.git] / nixops / modules / buildbot / default.nix

{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  varDir = "/var/lib/buildbot";
  buildslist_src = mylibs.fetchedGitPrivate ./buildslist.json;
  buildslist_yarn = pkgs.yarn2nix.mkYarnModules {
    name = "buildslist-yarn-modules";
    packageJSON = "${buildslist_src.src}/package.json";
    yarnLock = "${buildslist_src.src}/yarn.lock";
  };
  buildslist_bower = pkgs.buildBowerComponents {
    name = "buildslist";
    generated = ./bower.nix;
    src = "${buildslist_src.src}/guanlecoja/";
  };

  buildslist = pkgs.python3Packages.buildPythonPackage rec {
    pname = "buildbot-buildslist";
    inherit (pkgs.buildbot-pkg) version;

    preConfigure = ''
      export HOME=$PWD
      cp -a ${buildslist_yarn}/node_modules .
      chmod -R u+w node_modules
      cp -a ${buildslist_bower}/bower_components ./libs
      chmod -R u+w libs
      '';
    propagatedBuildInputs = with pkgs.python3Packages; [
      (klein.overridePythonAttrs(old: { checkPhase = ""; }))
      buildbot-pkg
    ];
    nativeBuildInputs = with pkgs; [ yarn nodejs ];
    buildInputs = [ buildslist_yarn buildslist_bower ];

    doCheck = false;
    src = buildslist_src.src;
  };
  buildbot_common = pkgs.python3Packages.buildPythonPackage rec {
    name = "buildbot_common";
    src = ./common;
    format = "other";
    installPhase = ''
      mkdir -p $out/${pkgs.python3.pythonForBuild.sitePackages}
      cp -a $src $out/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common
      '';
  };
  buildbot = pkgs.python3Packages.buildbot-full.withPlugins ([ buildslist ]);
in
{
  options = {
    services.buildbot.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable buildbot.
      '';
    };
  };

  config = lib.mkIf config.services.buildbot.enable {
    nixpkgs.overlays = [ (self: super: rec {
      python3 = super.python3.override {
        packageOverrides = python-self: python-super: {
          wokkel = python-self.buildPythonPackage rec {
            pname = "wokkel";
            version = "18.0.0";
            src = python-self.fetchPypi {
              inherit pname version;
              sha256 = "1spq44gg8gsviqx1dvlmjpgfc0wk0jpyx4ap01y2pad1ai9cw016";
            };
            propagatedBuildInputs = with python-self; [ twisted.extras.tls twisted incremental dateutil ];
            doChecks = false;
          };
          apprise = python-self.buildPythonPackage rec {
            pname = "apprise";
            version = "0.7.4";
            src = (mylibs.fetchedGithub ./apprise.json).src;
            propagatedBuildInputs = with python-self; [ decorator
            requests requests_oauthlib oauthlib urllib3 six click
            markdown pyyaml sleekxmpp
            ];
            doChecks = false;
          };
        };
      };
    }) ];

    ids.uids.buildbot = myconfig.env.buildbot.user.uid;
    ids.gids.buildbot = myconfig.env.buildbot.user.gid;

    users.groups.buildbot.gid = config.ids.gids.buildbot;
    users.users.buildbot = {
      name = "buildbot";
      uid = config.ids.uids.buildbot;
      group = "buildbot";
      description = "Buildbot user";
      home = varDir;
    };

    services.myWebsites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
        RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
        RewriteEngine On
        RewriteRule ^/buildbot/${project.name}/ws(.*)$   unix:///run/buildbot/${project.name}.sock|ws://git.immae.eu/ws$1 [P,NE,QSA,L]
        ProxyPass /buildbot/${project.name}/             unix:///run/buildbot/${project.name}.sock|http://${project.name}-git.immae.eu/
        ProxyPassReverse /buildbot/${project.name}/      unix:///run/buildbot/${project.name}.sock|http://${project.name}-git.immae.eu/
        <Location /buildbot/${project.name}/>
          Use LDAPConnect
          Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu

          SetEnvIf X-Url-Scheme https HTTPS=1
          ProxyPreserveHost On
        </Location>
        <Location /buildbot/${project.name}/change_hook/base>
          <RequireAny>
            Require local
            Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
            ${if lib.attrsets.hasAttr "webhookTokens" project then ''
              Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
              '' else ""}
          </RequireAny>
        </Location>
        '') myconfig.env.buildbot.projects;

    system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
      deps = [ "users" "wrappers" ];
      text = let
        master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg";
        buildbot_key = pkgs.writeText "buildbot_key" (builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key");
        tac_file = pkgs.writeText "buildbot.tac" ''
            import os

            from twisted.application import service
            from buildbot.master import BuildMaster

            basedir = '${varDir}/${project.name}'
            rotateLength = 10000000
            maxRotatedFiles = 10
            configfile = '${master-cfg}'

            # Default umask for server
            umask = None

            # if this is a relocatable tac file, get the directory containing the TAC
            if basedir == '.':
                import os
                basedir = os.path.abspath(os.path.dirname(__file__))

            # note: this line is matched against to check that this is a buildmaster
            # directory; do not edit it.
            application = service.Application('buildmaster')
            from twisted.python.logfile import LogFile
            from twisted.python.log import ILogObserver, FileLogObserver
            logfile = LogFile.fromFullPath(os.path.join(basedir, "twistd.log"), rotateLength=rotateLength,
                                            maxRotatedFiles=maxRotatedFiles)
            application.setComponent(ILogObserver, FileLogObserver(logfile).emit)

            m = BuildMaster(basedir, configfile, umask)
            m.setServiceParent(application)
            m.log_rotation.rotateLength = rotateLength
            m.log_rotation.maxRotatedFiles = maxRotatedFiles
          '';
      in ''
      install -m 0755 -o buildbot -g buildbot -d /run/buildbot/
      install -m 0755 -o buildbot -g buildbot -d ${varDir}
      if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then
        $wrapperDir/sudo -u buildbot ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}"
        rm -f ${varDir}/${project.name}/master.cfg.sample
        rm -f ${varDir}/${project.name}/buildbot.tac
      fi
      ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
      install -Dm600 -o buildbot -g buildbot -T ${buildbot_key} ${varDir}/buildbot_key
      buildbot_secrets=${varDir}/${project.name}/secrets
      install -m 0600 -o buildbot -g buildbot -d $buildbot_secrets
      echo "${myconfig.env.buildbot.ldap.password}" > $buildbot_secrets/ldap
      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
        (k: v: "echo ${lib.strings.escapeShellArg v} > $buildbot_secrets/${k}") project.secrets
      )}
      chown -R buildbot:buildbot $buildbot_secrets
      chmod -R u=rX,go=- $buildbot_secrets
      ${project.activationScript}
      '';
    }) myconfig.env.buildbot.projects;

    systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
      description = "Buildbot Continuous Integration Server ${project.name}.";
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);
      environment = let
        project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment;
        buildbot_config = pkgs.python3Packages.buildPythonPackage (rec {
          name = "buildbot_config-${project.name}";
          src = ./projects + "/${project.name}";
          format = "other";
          installPhase = ''
            mkdir -p $out/${pkgs.python3.pythonForBuild.sitePackages}
            cp -a $src $out/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_config
            '';
        });
        HOME = "${varDir}/${project.name}";
        PYTHONPATH = "${buildbot.pythonModule.withPackages (self: project.pythonPackages self pkgs ++ [
          pkgs.python3Packages.wokkel
          pkgs.python3Packages.treq pkgs.python3Packages.ldap3 buildbot
          pkgs.python3Packages.buildbot-worker
          buildbot_common buildbot_config
        ])}/${buildbot.pythonModule.sitePackages}${if project.pythonPathHome then ":${varDir}/${project.name}/.local/${pkgs.python3.pythonForBuild.sitePackages}" else ""}";
      in project_env // { inherit PYTHONPATH HOME; };

      serviceConfig = {
        Type = "forking";
        User = "buildbot";
        Group = "buildbot";
        WorkingDirectory = "${varDir}/${project.name}";
        ExecStart = "${buildbot}/bin/buildbot start";
      };
    }) myconfig.env.buildbot.projects;
  };
}
Commit	Line	Data
587b9e34	1	{ lib, pkgs, config, myconfig, mylibs, ... }:
9fb4205e IB	2	let
	3	varDir = "/var/lib/buildbot";
	4	buildslist_src = mylibs.fetchedGitPrivate ./buildslist.json;
caa08508	5	buildslist_yarn = pkgs.yarn2nix.mkYarnModules {
9fb4205e IB	6	name = "buildslist-yarn-modules";
	7	packageJSON = "${buildslist_src.src}/package.json";
	8	yarnLock = "${buildslist_src.src}/yarn.lock";
	9	};
caa08508	10	buildslist_bower = pkgs.buildBowerComponents {
9fb4205e IB	11	name = "buildslist";
	12	generated = ./bower.nix;
	13	src = "${buildslist_src.src}/guanlecoja/";
	14	};
	15
caa08508	16	buildslist = pkgs.python3Packages.buildPythonPackage rec {
9fb4205e	17	pname = "buildbot-buildslist";
caa08508	18	inherit (pkgs.buildbot-pkg) version;
9fb4205e IB	19
	20	preConfigure = ''
	21	export HOME=$PWD
	22	cp -a ${buildslist_yarn}/node_modules .
	23	chmod -R u+w node_modules
	24	cp -a ${buildslist_bower}/bower_components ./libs
	25	chmod -R u+w libs
	26	'';
caa08508	27	propagatedBuildInputs = with pkgs.python3Packages; [
9fb4205e IB	28	(klein.overridePythonAttrs(old: { checkPhase = ""; }))
	29	buildbot-pkg
	30	];
caa08508	31	nativeBuildInputs = with pkgs; [ yarn nodejs ];
9fb4205e IB	32	buildInputs = [ buildslist_yarn buildslist_bower ];
	33
	34	doCheck = false;
	35	src = buildslist_src.src;
	36	};
caa08508	37	buildbot_common = pkgs.python3Packages.buildPythonPackage rec {
e2b96bf5 IB	38	name = "buildbot_common";
e2b96bf5 IB	39	src = ./common;
9fb4205e IB	40	format = "other";
9fb4205e IB	41	installPhase = ''
caa08508 IB	42	mkdir -p $out/${pkgs.python3.pythonForBuild.sitePackages}
caa08508 IB	43	cp -a $src $out/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common
9fb4205e	44	'';
e2b96bf5	45	};
caa08508	46	buildbot = pkgs.python3Packages.buildbot-full.withPlugins ([ buildslist ]);
9fb4205e IB	47	in
	48	{
	49	options = {
	50	services.buildbot.enable = lib.mkOption {
	51	type = lib.types.bool;
	52	default = false;
	53	description = ''
	54	Whether to enable buildbot.
	55	'';
	56	};
	57	};
	58
	59	config = lib.mkIf config.services.buildbot.enable {
256d607c IB	60	nixpkgs.overlays = [ (self: super: rec {
	61	python3 = super.python3.override {
	62	packageOverrides = python-self: python-super: {
	63	wokkel = python-self.buildPythonPackage rec {
	64	pname = "wokkel";
	65	version = "18.0.0";
	66	src = python-self.fetchPypi {
	67	inherit pname version;
	68	sha256 = "1spq44gg8gsviqx1dvlmjpgfc0wk0jpyx4ap01y2pad1ai9cw016";
	69	};
	70	propagatedBuildInputs = with python-self; [ twisted.extras.tls twisted incremental dateutil ];
	71	doChecks = false;
	72	};
	73	apprise = python-self.buildPythonPackage rec {
	74	pname = "apprise";
	75	version = "0.7.4";
	76	src = (mylibs.fetchedGithub ./apprise.json).src;
	77	propagatedBuildInputs = with python-self; [ decorator
	78	requests requests_oauthlib oauthlib urllib3 six click
	79	markdown pyyaml sleekxmpp
	80	];
	81	doChecks = false;
	82	};
	83	};
	84	};
	85	}) ];
	86
9fb4205e IB	87	ids.uids.buildbot = myconfig.env.buildbot.user.uid;
	88	ids.gids.buildbot = myconfig.env.buildbot.user.gid;
	89
	90	users.groups.buildbot.gid = config.ids.gids.buildbot;
	91	users.users.buildbot = {
	92	name = "buildbot";
	93	uid = config.ids.uids.buildbot;
	94	group = "buildbot";
	95	description = "Buildbot user";
	96	home = varDir;
	97	};
	98
	99	services.myWebsites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
	100	RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
	101	RewriteEngine On
	102	RewriteRule ^/buildbot/${project.name}/ws(.*)$ unix:///run/buildbot/${project.name}.sock\|ws://git.immae.eu/ws$1 [P,NE,QSA,L]
	103	ProxyPass /buildbot/${project.name}/ unix:///run/buildbot/${project.name}.sock\|http://${project.name}-git.immae.eu/
	104	ProxyPassReverse /buildbot/${project.name}/ unix:///run/buildbot/${project.name}.sock\|http://${project.name}-git.immae.eu/
	105	<Location /buildbot/${project.name}/>
	106	Use LDAPConnect
e2b96bf5	107	Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
9fb4205e IB	108
	109	SetEnvIf X-Url-Scheme https HTTPS=1
	110	ProxyPreserveHost On
	111	</Location>
	112	<Location /buildbot/${project.name}/change_hook/base>
85817848 IB	113	<RequireAny>
	114	Require local
	115	Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
	116	${if lib.attrsets.hasAttr "webhookTokens" project then ''
	117	Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
	118	'' else ""}
	119	</RequireAny>
9fb4205e IB	120	</Location>
	121	'') myconfig.env.buildbot.projects;
	122
	123	system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
	124	deps = [ "users" "wrappers" ];
	125	text = let
caa08508	126	master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg";
e2b96bf5 IB	127	buildbot_key = pkgs.writeText "buildbot_key" (builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key");
	128	tac_file = pkgs.writeText "buildbot.tac" ''
	129	import os
	130
	131	from twisted.application import service
	132	from buildbot.master import BuildMaster
	133
	134	basedir = '${varDir}/${project.name}'
	135	rotateLength = 10000000
	136	maxRotatedFiles = 10
	137	configfile = '${master-cfg}'
	138
	139	# Default umask for server
	140	umask = None
	141
	142	# if this is a relocatable tac file, get the directory containing the TAC
	143	if basedir == '.':
	144	import os
	145	basedir = os.path.abspath(os.path.dirname(__file__))
	146
	147	# note: this line is matched against to check that this is a buildmaster
	148	# directory; do not edit it.
	149	application = service.Application('buildmaster')
	150	from twisted.python.logfile import LogFile
	151	from twisted.python.log import ILogObserver, FileLogObserver
	152	logfile = LogFile.fromFullPath(os.path.join(basedir, "twistd.log"), rotateLength=rotateLength,
	153	maxRotatedFiles=maxRotatedFiles)
	154	application.setComponent(ILogObserver, FileLogObserver(logfile).emit)
	155
	156	m = BuildMaster(basedir, configfile, umask)
	157	m.setServiceParent(application)
	158	m.log_rotation.rotateLength = rotateLength
	159	m.log_rotation.maxRotatedFiles = maxRotatedFiles
	160	'';
9fb4205e IB	161	in ''
	162	install -m 0755 -o buildbot -g buildbot -d /run/buildbot/
	163	install -m 0755 -o buildbot -g buildbot -d ${varDir}
	164	if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then
	165	$wrapperDir/sudo -u buildbot ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}"
	166	rm -f ${varDir}/${project.name}/master.cfg.sample
e2b96bf5	167	rm -f ${varDir}/${project.name}/buildbot.tac
9fb4205e	168	fi
e2b96bf5 IB	169	ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
e2b96bf5 IB	170	install -Dm600 -o buildbot -g buildbot -T ${buildbot_key} ${varDir}/buildbot_key
9fb4205e IB	171	buildbot_secrets=${varDir}/${project.name}/secrets
	172	install -m 0600 -o buildbot -g buildbot -d $buildbot_secrets
	173	echo "${myconfig.env.buildbot.ldap.password}" > $buildbot_secrets/ldap
	174	${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
	175	(k: v: "echo ${lib.strings.escapeShellArg v} > $buildbot_secrets/${k}") project.secrets
	176	)}
	177	chown -R buildbot:buildbot $buildbot_secrets
	178	chmod -R u=rX,go=- $buildbot_secrets
	179	${project.activationScript}
	180	'';
	181	}) myconfig.env.buildbot.projects;
	182
	183	systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
	184	description = "Buildbot Continuous Integration Server ${project.name}.";
	185	after = [ "network-online.target" ];
	186	wantedBy = [ "multi-user.target" ];
caa08508	187	path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);
9fb4205e IB	188	environment = let
9fb4205e IB	189	project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment;
caa08508	190	buildbot_config = pkgs.python3Packages.buildPythonPackage (rec {
9fb4205e	191	name = "buildbot_config-${project.name}";
e2b96bf5	192	src = ./projects + "/${project.name}";
9fb4205e IB	193	format = "other";
9fb4205e IB	194	installPhase = ''
caa08508 IB	195	mkdir -p $out/${pkgs.python3.pythonForBuild.sitePackages}
caa08508 IB	196	cp -a $src $out/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_config
9fb4205e IB	197	'';
	198	});
	199	HOME = "${varDir}/${project.name}";
caa08508	200	PYTHONPATH = "${buildbot.pythonModule.withPackages (self: project.pythonPackages self pkgs ++ [
256d607c	201	pkgs.python3Packages.wokkel
caa08508 IB	202	pkgs.python3Packages.treq pkgs.python3Packages.ldap3 buildbot
caa08508 IB	203	pkgs.python3Packages.buildbot-worker
9fb4205e	204	buildbot_common buildbot_config
caa08508	205	])}/${buildbot.pythonModule.sitePackages}${if project.pythonPathHome then ":${varDir}/${project.name}/.local/${pkgs.python3.pythonForBuild.sitePackages}" else ""}";
9fb4205e IB	206	in project_env // { inherit PYTHONPATH HOME; };
	207
	208	serviceConfig = {
	209	Type = "forking";
	210	User = "buildbot";
	211	Group = "buildbot";
	212	WorkingDirectory = "${varDir}/${project.name}";
	213	ExecStart = "${buildbot}/bin/buildbot start";
	214	};
	215	}) myconfig.env.buildbot.projects;
	216	};
	217	}