First attempt at making declarative VMs

In order to make buildbot more secure, the builds need to happen inside
VMs so that they can be thrown out on demand when not needed.

This commit implements this facility on dilion, and also defines
declaratively some previous VMs which used to run on the machine.

1 files changed, 17 insertions, 1 deletions

diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index d6753e5..ac34845 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -107,7 +107,12 @@ in
                 project_env = with lib.attrsets;
                   mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment //
                   mapAttrs' (k: v: nameValuePair "BUILDBOT_PATH_${k}" (v pkgs)) (attrByPath ["builderPaths"] {} project) //
-                  { BUILDBOT_PROJECT_DIR = ./projects + "/${project.name}"; };
+                  {
+                    BUILDBOT_PROJECT_DIR = ./projects + "/${project.name}";
+                    BUILDBOT_WORKER_PORT = builtins.toString project.workerPort;
+                    BUILDBOT_HOST = config.hostEnv.fqdn;
+                    BUILDBOT_VIRT_URL = "qemu+ssh://libvirt@dilion.immae.eu/system";
+                  };
                 in builtins.concatStringsSep "\n"
                   (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env);
             }
@@ -126,6 +131,13 @@ in
         permissions = "0600";
         user = "buildbot";
         group = "buildbot";
+        text = config.myEnv.buildbot.workerPassword;
+        dest = "buildbot/worker_password";
+      }
+      {
+        permissions = "0600";
+        user = "buildbot";
+        group = "buildbot";
         text = builtins.readFile "${config.myEnv.privateFiles}/buildbot_ssh_key";
         dest = "buildbot/ssh_key";
       }
@@ -135,6 +147,7 @@ in
       restart = true;
       paths = [
         "/var/secrets/buildbot/ldap"
+        "/var/secrets/buildbot/worker_password"
         "/var/secrets/buildbot/ssh_key"
         "/var/secrets/buildbot/${project.name}/environment_file"
       ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
@@ -144,6 +157,7 @@ in
       description = "buildbot slice";
     };
 
+    networking.firewall.allowedTCPPorts = lib.attrsets.mapAttrsToList (k: v: v.workerPort) config.myEnv.buildbot.projects;
     systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
       description = "Buildbot Continuous Integration Server ${project.name}.";
       after = [ "network-online.target" ];
@@ -196,6 +210,7 @@ in
       buildbot_secrets=${varDir}/${project.name}/secrets
       install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets
       install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap
+      install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/worker_password $buildbot_secrets/worker_password
       ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
         (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets
       )}
@@ -213,6 +228,7 @@ in
         });
         HOME = "${varDir}/${project.name}";
         PYTHONPATH = "${buildbot.pythonModule.withPackages (self: project.pythonPackages self pkgs ++ [
+          pkgs.python3Packages.libvirt
           pkgs.python3Packages.wokkel
           pkgs.python3Packages.treq pkgs.python3Packages.ldap3 buildbot
           pkgs.python3Packages.buildbot-worker