]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - nixops/modules/buildbot/default.nix
Add deploy webhook
587b9e34 1{ lib, pkgs, config, myconfig, mylibs, ... }:
2let
# Source tree of the buildslist plugin, obtained through
# mylibs.fetchedGitPrivate from ./buildslist.json; only its `src` attribute is
# used below. (Presumably a pinned private repository; confirm in mylibs.)
buildslist_src = mylibs.fetchedGitPrivate ./buildslist.json;
# State directory shared by all buildbot masters; also the home directory of
# the buildbot system user declared further down.
varDir = "/var/lib/buildbot";
# node_modules for the buildslist front-end, resolved by yarn2nix from the
# package.json and yarn.lock shipped in the plugin source.
buildslist_yarn =
  let
    pluginSrc = buildslist_src.src;
  in
  pkgs.yarn2nix.mkYarnModules {
    name = "buildslist-yarn-modules";
    yarnLock = "${pluginSrc}/yarn.lock";
    packageJSON = "${pluginSrc}/package.json";
  };
# Bower components for the buildslist front-end, described by the generated
# ./bower.nix and built against the plugin's guanlecoja/ directory.
buildslist_bower =
  let
    pluginSrc = buildslist_src.src;
  in
  pkgs.buildBowerComponents {
    name = "buildslist";
    src = "${pluginSrc}/guanlecoja/";
    generated = ./bower.nix;
  };
15
# The "buildslist" buildbot plugin, packaged as a Python package from the
# private source tree. Its version follows pkgs.buildbot-pkg.
# NOTE(review): tests are skipped both for this package (doCheck = false) and
# for its klein dependency (checkPhase emptied), so a regression in either is
# not caught at build time.
buildslist = pkgs.python3Packages.buildPythonPackage rec {
  pname = "buildbot-buildslist";
  version = pkgs.buildbot-pkg.version;
  inherit (buildslist_src) src;

  nativeBuildInputs = with pkgs; [ yarn nodejs ];
  buildInputs = [ buildslist_yarn buildslist_bower ];
  propagatedBuildInputs = with pkgs.python3Packages; [
    (klein.overridePythonAttrs (_: { checkPhase = ""; }))
    buildbot-pkg
  ];

  # The pre-built node_modules and bower_components are copied into the build
  # directory and made writable for the build user (store paths are read-only).
  preConfigure = ''
    export HOME=$PWD
    cp -a ${buildslist_yarn}/node_modules .
    chmod -R u+w node_modules
    cp -a ${buildslist_bower}/bower_components ./libs
    chmod -R u+w libs
  '';

  doCheck = false;
};
# Shared buildbot configuration code from ./common, installed unmodified as the
# Python package `buildbot_common` (format = "other": no setup.py build, the
# install phase is just a copy into site-packages).
buildbot_common =
  let
    sitePackages = pkgs.python3.pythonForBuild.sitePackages;
  in
  pkgs.python3Packages.buildPythonPackage rec {
    name = "buildbot_common";
    format = "other";
    src = ./common;
    installPhase = ''
      mkdir -p $out/${sitePackages}
      cp -a $src $out/${sitePackages}/buildbot_common
    '';
  };
# buildbot-full extended with the locally built buildslist plugin; this is the
# buildbot used by the activation scripts and the systemd units below.
buildbot = pkgs.python3Packages.buildbot-full.withPlugins [ buildslist ];
47in
48{
# Single switch for this module; everything under `config` is gated on it.
options.services.buildbot.enable = lib.mkOption {
  description = ''
    Whether to enable buildbot.
  '';
  default = false;
  type = lib.types.bool;
};
58
59 config = lib.mkIf config.services.buildbot.enable {
# Fixed uid/gid for the buildbot account, taken from the site configuration.
ids = {
  uids.buildbot = myconfig.env.buildbot.user.uid;
  gids.buildbot = myconfig.env.buildbot.user.gid;
};

# Dedicated unprivileged account that owns the master directories and runs the
# buildbot services; its home is the shared state directory.
users = {
  groups.buildbot.gid = config.ids.gids.buildbot;
  users.buildbot = {
    name = "buildbot";
    description = "Buildbot user";
    uid = config.ids.uids.buildbot;
    group = "buildbot";
    home = varDir;
  };
};
71
# One Apache snippet per buildbot project, added to the "git" vhost: the
# project UI is reverse-proxied (HTTP and websocket) to the master's unix
# socket under /run/buildbot/.
#
# Access control as written:
#   * /buildbot/<project>/ requires membership of the project's LDAP group.
#   * /buildbot/<project>/change_hook/base is allowed when ANY of these holds
#     (RequireAny): the connection is local, the user is in the same LDAP
#     group, or the Access-Key request header equals one of
#     project.webhookTokens (only emitted when the project defines them).
#
# NOTE(review): the webhook tokens are interpolated verbatim into the httpd
# configuration text. They are therefore readable wherever that configuration
# is stored (on NixOS this is usually the world-readable /nix/store; confirm
# for this deployment), and a token containing a single quote would break the
# generated expression. Consider constraining the token character set.
# NOTE(review): `Require local` trusts every local connection to the hook;
# confirm that nothing untrusted reaches this vhost through a local proxy.
services.myWebsites.tools.vhostConfs.git.extraConfig =
  let
    mkProjectVhost = _: project:
      let
        name = project.name;
        ldapUsers = "cn=users,ou=${name},cn=buildbot,ou=services,dc=immae,dc=eu";
        quotedTokens = builtins.concatStringsSep ", " (map (token: "'${token}'") project.webhookTokens);
        # Evaluated lazily: quotedTokens is only forced when the attribute exists.
        webhookRule =
          if project ? webhookTokens then ''
            Require expr "req('Access-Key') in { ${quotedTokens} }"
          '' else "";
      in ''
        RedirectMatch permanent "^/buildbot/${name}$" "/buildbot/${name}/"
        RewriteEngine On
        RewriteRule ^/buildbot/${name}/ws(.*)$ unix:///run/buildbot/${name}.sock|ws://git.immae.eu/ws$1 [P,NE,QSA,L]
        ProxyPass /buildbot/${name}/ unix:///run/buildbot/${name}.sock|http://${name}-git.immae.eu/
        ProxyPassReverse /buildbot/${name}/ unix:///run/buildbot/${name}.sock|http://${name}-git.immae.eu/
        <Location /buildbot/${name}/>
          Use LDAPConnect
          Require ldap-group ${ldapUsers}

          SetEnvIf X-Url-Scheme https HTTPS=1
          ProxyPreserveHost On
        </Location>
        <Location /buildbot/${name}/change_hook/base>
          <RequireAny>
            Require local
            Require ldap-group ${ldapUsers}
            ${webhookRule}
          </RequireAny>
        </Location>
      '';
  in
  lib.attrsets.mapAttrsToList mkProjectVhost myconfig.env.buildbot.projects;
95
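# One activation script per buildbot project. It creates the runtime and state
# directories, initialises the master directory on first activation, links the
# generated buildbot.tac, installs the SSH key and writes the project's secrets
# under <master dir>/secrets, then runs the project's own activation snippet.
#
# Change from the previous version: the LDAP password is now passed through
# lib.strings.escapeShellArg like the other secrets. It used to be placed
# inside a double-quoted shell string, so a password containing `"`, `$`, a
# backquote or a backslash was expanded or mangled by the shell (this script
# runs during activation, as root). The secrets directory is also created with
# mode 0700 rather than 0600, which is not a usable directory mode; the final
# chmod below still sets the resulting permissions.
#
# NOTE(review): every secret handled here is embedded in the text of the
# generated script, and buildbot_key is created with pkgs.writeText, so the
# LDAP password, the project secrets and the private SSH key all end up as
# files in /nix/store, which is world-readable on a default NixOS system. The
# restrictive modes applied below only protect the copies under ${varDir}.
# Reading these values at activation time from a root-only path outside the
# store would close that gap; that needs a change to how myconfig provides
# them and is not attempted here.
# NOTE(review): project.activationScript is inserted verbatim and runs with
# the privileges of the activation script; it must come from trusted config.
system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
  # "users" so the buildbot account exists, "wrappers" so $wrapperDir/sudo does.
  deps = [ "users" "wrappers" ];
  text = let
    master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg";
    buildbot_key = pkgs.writeText "buildbot_key" (builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key");
    # Twisted application file for this master; it points basedir at the
    # project's state directory and configfile at the shared master.cfg.
    tac_file = pkgs.writeText "buildbot.tac" ''
      import os

      from twisted.application import service
      from buildbot.master import BuildMaster

      basedir = '${varDir}/${project.name}'
      rotateLength = 10000000
      maxRotatedFiles = 10
      configfile = '${master-cfg}'

      # Default umask for server
      umask = None

      # if this is a relocatable tac file, get the directory containing the TAC
      if basedir == '.':
          import os
          basedir = os.path.abspath(os.path.dirname(__file__))

      # note: this line is matched against to check that this is a buildmaster
      # directory; do not edit it.
      application = service.Application('buildmaster')
      from twisted.python.logfile import LogFile
      from twisted.python.log import ILogObserver, FileLogObserver
      logfile = LogFile.fromFullPath(os.path.join(basedir, "twistd.log"), rotateLength=rotateLength,
                                      maxRotatedFiles=maxRotatedFiles)
      application.setComponent(ILogObserver, FileLogObserver(logfile).emit)

      m = BuildMaster(basedir, configfile, umask)
      m.setServiceParent(application)
      m.log_rotation.rotateLength = rotateLength
      m.log_rotation.maxRotatedFiles = maxRotatedFiles
    '';
  in ''
    install -m 0755 -o buildbot -g buildbot -d /run/buildbot/
    install -m 0755 -o buildbot -g buildbot -d ${varDir}
    if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then
      $wrapperDir/sudo -u buildbot ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}"
      rm -f ${varDir}/${project.name}/master.cfg.sample
      rm -f ${varDir}/${project.name}/buildbot.tac
    fi
    ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
    install -Dm600 -o buildbot -g buildbot -T ${buildbot_key} ${varDir}/buildbot_key
    buildbot_secrets=${varDir}/${project.name}/secrets
    install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets
    echo ${lib.strings.escapeShellArg myconfig.env.buildbot.ldap.password} > $buildbot_secrets/ldap
    ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
      (k: v: "echo ${lib.strings.escapeShellArg v} > $buildbot_secrets/${k}") project.secrets
    )}
    chown -R buildbot:buildbot $buildbot_secrets
    chmod -R u=rX,go=- $buildbot_secrets
    ${project.activationScript}
  '';
}) myconfig.env.buildbot.projects;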
155
# One systemd unit per buildbot project, named buildbot-<project>. Each master
# runs as the unprivileged buildbot user from its own directory under varDir.
#
# The unit environment is the project's variables (each prefixed with
# BUILDBOT_) plus HOME and a PYTHONPATH pointing at a Python environment that
# contains buildbot, buildbot-worker, treq, ldap3, the shared buildbot_common
# package, the project's own buildbot_config package and any extra Python
# packages the project asks for.
# NOTE(review): when project.pythonPathHome is set, PYTHONPATH also includes
# <master dir>/.local/<site-packages>, a location inside the service's HOME;
# modules placed there are importable by the master. Presumably that directory
# is writable by the buildbot user; confirm this is intended per project.
# NOTE(review): project.environment values are exposed through the unit
# definition; avoid putting secrets there.
systemd.services =
  let
    sitePackages = pkgs.python3.pythonForBuild.sitePackages;

    mkMaster = _: project:
      let
        masterDir = "${varDir}/${project.name}";

        # Project-specific master configuration from ./projects/<name>,
        # installed as the Python package `buildbot_config`.
        buildbot_config = pkgs.python3Packages.buildPythonPackage {
          name = "buildbot_config-${project.name}";
          format = "other";
          src = ./projects + "/${project.name}";
          installPhase = ''
            mkdir -p $out/${sitePackages}
            cp -a $src $out/${sitePackages}/buildbot_config
          '';
        };

        pythonEnv = buildbot.pythonModule.withPackages (self: project.pythonPackages self pkgs ++ [
          pkgs.python3Packages.treq pkgs.python3Packages.ldap3 buildbot
          pkgs.python3Packages.buildbot-worker
          buildbot_common buildbot_config
        ]);

        homeSitePackages =
          if project.pythonPathHome
          then ":${masterDir}/.local/${sitePackages}"
          else "";

        project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment;
      in
      lib.attrsets.nameValuePair "buildbot-${project.name}" {
        description = "Buildbot Continuous Integration Server ${project.name}.";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-online.target" ];
        path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);

        environment = project_env // {
          HOME = masterDir;
          PYTHONPATH = "${pythonEnv}/${buildbot.pythonModule.sitePackages}${homeSitePackages}";
        };

        serviceConfig = {
          Type = "forking";
          User = "buildbot";
          Group = "buildbot";
          WorkingDirectory = masterDir;
          ExecStart = "${buildbot}/bin/buildbot start";
        };
      };
  in
  lib.attrsets.mapAttrs' mkMaster myconfig.env.buildbot.projects;
188 };
189}