authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 16:09:37 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 16:49:36 +0200
commit6984f454ea1c476169b3721721529c2c5bb13eb9 (patch)
tree16c79789e03185673590f46fa965025e48424812 /nixops
parent906065a0b7aada3282309791a051e71e5e1cf16d (diff)
Move buildbot secrets to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/buildbot/default.nix86
1 files changed, 64 insertions, 22 deletions
diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix
index ff1c697..057b58b 100644
--- a/nixops/modules/buildbot/default.nix
+++ b/nixops/modules/buildbot/default.nix
@@ -96,6 +96,7 @@ in
96 group = "buildbot"; 96 group = "buildbot";
97 description = "Buildbot user"; 97 description = "Buildbot user";
98 home = varDir; 98 home = varDir;
99 extraGroups = [ "keys" ];
99 }; 100 };
100 101
101 services.myWebsites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' 102 services.myWebsites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
@@ -115,18 +116,70 @@ in
115 <RequireAny> 116 <RequireAny>
116 Require local 117 Require local
117 Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu 118 Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
118 ${if lib.attrsets.hasAttr "webhookTokens" project then '' 119 Include /run/keys/buildbot/${project.name}/buildbot-${project.name}-webhook-httpd-include
119 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
120 '' else ""}
121 </RequireAny> 120 </RequireAny>
122 </Location> 121 </Location>
123 '') myconfig.env.buildbot.projects; 122 '') myconfig.env.buildbot.projects;
124 123
125 system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { 124 system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
126 deps = [ "users" "wrappers" ]; 125 deps = [ "users" "wrappers" ];
127 text = let 126 text = ''
127 install -m 0755 -o buildbot -g buildbot -d /run/buildbot/
128 install -m 0755 -o buildbot -g buildbot -d ${varDir}
129 ${project.activationScript}
130 '';
131 }) myconfig.env.buildbot.projects;
132
133 deployment.keys = lib.attrsets.listToAttrs (
134 lib.lists.flatten (
135 lib.attrsets.mapAttrsToList (k: project:
136 lib.attrsets.mapAttrsToList (k: v:
137 lib.attrsets.nameValuePair "buildbot-${project.name}-${k}" {
138 permissions = "0600";
139 user = "buildbot";
140 group = "buildbot";
141 text = v;
142 destDir = "/run/keys/buildbot/${project.name}";
143 }
144 ) project.secrets
145 ++ [
146 (lib.attrsets.nameValuePair "buildbot-${project.name}-webhook-httpd-include" {
147 permissions = "0600";
148 user = "wwwrun";
149 group = "wwwrun";
150 text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) ''
151 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
152 '';
153 destDir = "/run/keys/buildbot/${project.name}";
154 })
155 ]
156 ) myconfig.env.buildbot.projects
157 )
158 ) // {
159 buildbot-ldap = {
160 permissions = "0600";
161 user = "buildbot";
162 group = "buildbot";
163 text = myconfig.env.buildbot.ldap.password;
164 destDir = "/run/keys/buildbot";
165 };
166 buildbot-ssh-key = {
167 permissions = "0600";
168 user = "buildbot";
169 group = "buildbot";
170 text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key";
171 destDir = "/run/keys/buildbot";
172 };
173 };
174
175 systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
176 description = "Buildbot Continuous Integration Server ${project.name}.";
177 after = [ "network-online.target" "keys.target" ];
178 wants = [ "keys.target" ];
179 wantedBy = [ "multi-user.target" ];
180 path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);
181 preStart = let
128 master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg"; 182 master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg";
129 buildbot_key = pkgs.writeText "buildbot_key" (builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key");
130 tac_file = pkgs.writeText "buildbot.tac" '' 183 tac_file = pkgs.writeText "buildbot.tac" ''
131 import os 184 import os
132 185
@@ -161,32 +214,20 @@ in
161 m.log_rotation.maxRotatedFiles = maxRotatedFiles 214 m.log_rotation.maxRotatedFiles = maxRotatedFiles
162 ''; 215 '';
163 in '' 216 in ''
164 install -m 0755 -o buildbot -g buildbot -d /run/buildbot/
165 install -m 0755 -o buildbot -g buildbot -d ${varDir}
166 if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then 217 if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then
167 $wrapperDir/sudo -u buildbot ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}" 218 ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}"
168 rm -f ${varDir}/${project.name}/master.cfg.sample 219 rm -f ${varDir}/${project.name}/master.cfg.sample
169 rm -f ${varDir}/${project.name}/buildbot.tac 220 rm -f ${varDir}/${project.name}/buildbot.tac
170 fi 221 fi
171 ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac 222 ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
172 install -Dm600 -o buildbot -g buildbot -T ${buildbot_key} ${varDir}/buildbot_key 223 install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ssh-key ${varDir}/buildbot_key
173 buildbot_secrets=${varDir}/${project.name}/secrets 224 buildbot_secrets=${varDir}/${project.name}/secrets
174 install -m 0600 -o buildbot -g buildbot -d $buildbot_secrets 225 install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets
175 echo "${myconfig.env.buildbot.ldap.password}" > $buildbot_secrets/ldap 226 install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ldap $buildbot_secrets/ldap
176 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList 227 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
177 (k: v: "echo ${lib.strings.escapeShellArg v} > $buildbot_secrets/${k}") project.secrets 228 (k: v: "install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/${project.name}/buildbot-${project.name}-${k} $buildbot_secrets/${k}") project.secrets
178 )} 229 )}
179 chown -R buildbot:buildbot $buildbot_secrets
180 chmod -R u=rX,go=- $buildbot_secrets
181 ${project.activationScript}
182 ''; 230 '';
183 }) myconfig.env.buildbot.projects;
184
185 systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
186 description = "Buildbot Continuous Integration Server ${project.name}.";
187 after = [ "network-online.target" ];
188 wantedBy = [ "multi-user.target" ];
189 path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);
190 environment = let 231 environment = let
191 project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment; 232 project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment;
192 buildbot_config = pkgs.python3Packages.buildPythonPackage (rec { 233 buildbot_config = pkgs.python3Packages.buildPythonPackage (rec {
@@ -211,6 +252,7 @@ in
211 Type = "forking"; 252 Type = "forking";
212 User = "buildbot"; 253 User = "buildbot";
213 Group = "buildbot"; 254 Group = "buildbot";
255 SupplementaryGroups = "keys";
214 WorkingDirectory = "${varDir}/${project.name}"; 256 WorkingDirectory = "${varDir}/${project.name}";
215 ExecStart = "${buildbot}/bin/buildbot start"; 257 ExecStart = "${buildbot}/bin/buildbot start";
216 }; 258 };
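Review bot: The `Include /run/keys/buildbot/${project.name}/buildbot-${project.name}-webhook-httpd-include` added inside `<RequireAny>` makes httpd's configuration depend on a file that only exists after NixOps has sent the keys (/run/keys does not survive a reboot), yet only the buildbot units gain `after`/`wants` on `keys.target`; the unit serving this vhost is configured outside this file and, as far as visible here, gets no such ordering, so after a reboot httpd can fail its config parse until the keys are re-sent. Give that unit the same ordering, e.g. `systemd.services.httpd.after = [ "keys.target" ]; systemd.services.httpd.wants = [ "keys.target" ];` (adjusting the unit name to whatever `services.myWebsites` actually uses), or use `IncludeOptional` if a missing file should degrade to local/LDAP access only. Separately, preStart still copies the SSH key, the LDAP password and every project secret out of /run/keys into `${varDir}` with `install -Dm600`, so the secrets remain at rest on persistent storage under the buildbot home; if master.cfg can read them from `/run/keys/buildbot/${project.name}` directly, the copy step could be dropped. The tokens are also interpolated unescaped into the `Require expr` string, so a token containing a single quote would break the httpd configuration rather than be rejected.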