Change buildbot environment variables to secrets location

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-01-29 14:14:41 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-01-29 14:14:41 +0100
commit: dcb8ad4c0358735ba97fe83071f79b294bed8967 (patch)
tree: da1adcaf5687a0dda70e6006b6b213101f9a0c70
parent: 50abe6fce134066851479a0df09a1db0a7219df2 (diff)
download: Nix-dcb8ad4c0358735ba97fe83071f79b294bed8967.tar.gz
Nix-dcb8ad4c0358735ba97fe83071f79b294bed8967.tar.zst
Nix-dcb8ad4c0358735ba97fe83071f79b294bed8967.zip
2 files changed, 16 insertions, 5 deletions
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index 6674ad7..d6753e5 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -98,6 +98,19 @@ in
                '';
              dest = "buildbot/${project.name}/webhook-httpd-include";
            }
+            {
+              permissions = "0600";
+              user = "buildbot";
+              group = "buildbot";
+              dest = "buildbot/${project.name}/environment_file";
+              text = let
+                project_env = with lib.attrsets;
+                  mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment //
+                  mapAttrs' (k: v: nameValuePair "BUILDBOT_PATH_${k}" (v pkgs)) (attrByPath ["builderPaths"] {} project) //
+                  { BUILDBOT_PROJECT_DIR = ./projects + "/${project.name}"; };
+                in builtins.concatStringsSep "\n"
+                  (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env);
+            }
          ]
        ) config.myEnv.buildbot.projects
      )
@@ -123,6 +136,7 @@ in
      paths = [
        "/var/secrets/buildbot/ldap"
        "/var/secrets/buildbot/ssh_key"
+        "/var/secrets/buildbot/${project.name}/environment_file"
      ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
    }) config.myEnv.buildbot.projects;
@@ -188,10 +202,6 @@ in
      ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name}
      '';
      environment = let
-        project_env = with lib.attrsets;
-          mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment //
-          mapAttrs' (k: v: nameValuePair "BUILDBOT_PATH_${k}" (v pkgs)) (attrByPath ["builderPaths"] {} project) //
-          { BUILDBOT_PROJECT_DIR = ./projects + "/${project.name}"; };
        buildbot_config = pkgs.python3Packages.buildPythonPackage (rec {
          name = "buildbot_config-${project.name}";
          src = ./projects + "/${project.name}";
@@ -208,7 +218,7 @@ in
          pkgs.python3Packages.buildbot-worker
          buildbot_common buildbot_config
        ])}/${buildbot.pythonModule.sitePackages}${if project.pythonPathHome then ":${varDir}/${project.name}/.local/${pkgs.python3.pythonForBuild.sitePackages}" else ""}";
-      in project_env // { inherit PYTHONPATH HOME; };
+      in { inherit PYTHONPATH HOME; };
      serviceConfig = {
        Slice = "buildbot.slice";
@@ -221,6 +231,7 @@ in
        SupplementaryGroups = "keys";
        WorkingDirectory = "${varDir}/${project.name}";
        ExecStart = "${buildbot}/bin/buildbot start";
+        EnvironmentFile = "/var/secrets/buildbot/${project.name}/environment_file";
      };
    }) config.myEnv.buildbot.projects;
  };
diff --git a/nixops/secrets b/nixops/secrets
-Subproject 3a74f309999f47dc843a61a23bd4799a23f8ffa
+Subproject e570ae5038b922f24b946b2c54af2d4b51f1bae
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-01-29 14:14:41 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-01-29 14:14:41 +0100
commit	dcb8ad4c0358735ba97fe83071f79b294bed8967 (patch)
tree	da1adcaf5687a0dda70e6006b6b213101f9a0c70
parent	50abe6fce134066851479a0df09a1db0a7219df2 (diff)
download	Nix-dcb8ad4c0358735ba97fe83071f79b294bed8967.tar.gz Nix-dcb8ad4c0358735ba97fe83071f79b294bed8967.tar.zst Nix-dcb8ad4c0358735ba97fe83071f79b294bed8967.zip