diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 16:09:37 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 16:49:36 +0200 |
| commit | 6984f454ea1c476169b3721721529c2c5bb13eb9 (patch) | |
| tree | 16c79789e03185673590f46fa965025e48424812 /nixops | |
| parent | 906065a0b7aada3282309791a051e71e5e1cf16d (diff) | |
| download | Nix-6984f454ea1c476169b3721721529c2c5bb13eb9.tar.gz Nix-6984f454ea1c476169b3721721529c2c5bb13eb9.tar.zst Nix-6984f454ea1c476169b3721721529c2c5bb13eb9.zip | |
Move buildbot secrets to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
| -rw-r--r-- | nixops/modules/buildbot/default.nix | 86 |
1 files changed, 64 insertions, 22 deletions
diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix index ff1c697..057b58b 100644 --- a/nixops/modules/buildbot/default.nix +++ b/nixops/modules/buildbot/default.nix | |||
| @@ -96,6 +96,7 @@ in | |||
| 96 | group = "buildbot"; | 96 | group = "buildbot"; |
| 97 | description = "Buildbot user"; | 97 | description = "Buildbot user"; |
| 98 | home = varDir; | 98 | home = varDir; |
| 99 | extraGroups = [ "keys" ]; | ||
| 99 | }; | 100 | }; |
| 100 | 101 | ||
| 101 | services.myWebsites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' | 102 | services.myWebsites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' |
| @@ -115,18 +116,70 @@ in | |||
| 115 | <RequireAny> | 116 | <RequireAny> |
| 116 | Require local | 117 | Require local |
| 117 | Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu | 118 | Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu |
| 118 | ${if lib.attrsets.hasAttr "webhookTokens" project then '' | 119 | Include /run/keys/buildbot/${project.name}/buildbot-${project.name}-webhook-httpd-include |
| 119 | Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" | ||
| 120 | '' else ""} | ||
| 121 | </RequireAny> | 120 | </RequireAny> |
| 122 | </Location> | 121 | </Location> |
| 123 | '') myconfig.env.buildbot.projects; | 122 | '') myconfig.env.buildbot.projects; |
| 124 | 123 | ||
| 125 | system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | 124 | system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { |
| 126 | deps = [ "users" "wrappers" ]; | 125 | deps = [ "users" "wrappers" ]; |
| 127 | text = let | 126 | text = '' |
| 127 | install -m 0755 -o buildbot -g buildbot -d /run/buildbot/ | ||
| 128 | install -m 0755 -o buildbot -g buildbot -d ${varDir} | ||
| 129 | ${project.activationScript} | ||
| 130 | ''; | ||
| 131 | }) myconfig.env.buildbot.projects; | ||
| 132 | |||
| 133 | deployment.keys = lib.attrsets.listToAttrs ( | ||
| 134 | lib.lists.flatten ( | ||
| 135 | lib.attrsets.mapAttrsToList (k: project: | ||
| 136 | lib.attrsets.mapAttrsToList (k: v: | ||
| 137 | lib.attrsets.nameValuePair "buildbot-${project.name}-${k}" { | ||
| 138 | permissions = "0600"; | ||
| 139 | user = "buildbot"; | ||
| 140 | group = "buildbot"; | ||
| 141 | text = v; | ||
| 142 | destDir = "/run/keys/buildbot/${project.name}"; | ||
| 143 | } | ||
| 144 | ) project.secrets | ||
| 145 | ++ [ | ||
| 146 | (lib.attrsets.nameValuePair "buildbot-${project.name}-webhook-httpd-include" { | ||
| 147 | permissions = "0600"; | ||
| 148 | user = "wwwrun"; | ||
| 149 | group = "wwwrun"; | ||
| 150 | text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) '' | ||
| 151 | Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" | ||
| 152 | ''; | ||
| 153 | destDir = "/run/keys/buildbot/${project.name}"; | ||
| 154 | }) | ||
| 155 | ] | ||
| 156 | ) myconfig.env.buildbot.projects | ||
| 157 | ) | ||
| 158 | ) // { | ||
| 159 | buildbot-ldap = { | ||
| 160 | permissions = "0600"; | ||
| 161 | user = "buildbot"; | ||
| 162 | group = "buildbot"; | ||
| 163 | text = myconfig.env.buildbot.ldap.password; | ||
| 164 | destDir = "/run/keys/buildbot"; | ||
| 165 | }; | ||
| 166 | buildbot-ssh-key = { | ||
| 167 | permissions = "0600"; | ||
| 168 | user = "buildbot"; | ||
| 169 | group = "buildbot"; | ||
| 170 | text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key"; | ||
| 171 | destDir = "/run/keys/buildbot"; | ||
| 172 | }; | ||
| 173 | }; | ||
| 174 | |||
| 175 | systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | ||
| 176 | description = "Buildbot Continuous Integration Server ${project.name}."; | ||
| 177 | after = [ "network-online.target" "keys.target" ]; | ||
| 178 | wants = [ "keys.target" ]; | ||
| 179 | wantedBy = [ "multi-user.target" ]; | ||
| 180 | path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs); | ||
| 181 | preStart = let | ||
| 128 | master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg"; | 182 | master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg"; |
| 129 | buildbot_key = pkgs.writeText "buildbot_key" (builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key"); | ||
| 130 | tac_file = pkgs.writeText "buildbot.tac" '' | 183 | tac_file = pkgs.writeText "buildbot.tac" '' |
| 131 | import os | 184 | import os |
| 132 | 185 | ||
| @@ -161,32 +214,20 @@ in | |||
| 161 | m.log_rotation.maxRotatedFiles = maxRotatedFiles | 214 | m.log_rotation.maxRotatedFiles = maxRotatedFiles |
| 162 | ''; | 215 | ''; |
| 163 | in '' | 216 | in '' |
| 164 | install -m 0755 -o buildbot -g buildbot -d /run/buildbot/ | ||
| 165 | install -m 0755 -o buildbot -g buildbot -d ${varDir} | ||
| 166 | if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then | 217 | if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then |
| 167 | $wrapperDir/sudo -u buildbot ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}" | 218 | ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}" |
| 168 | rm -f ${varDir}/${project.name}/master.cfg.sample | 219 | rm -f ${varDir}/${project.name}/master.cfg.sample |
| 169 | rm -f ${varDir}/${project.name}/buildbot.tac | 220 | rm -f ${varDir}/${project.name}/buildbot.tac |
| 170 | fi | 221 | fi |
| 171 | ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac | 222 | ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac |
| 172 | install -Dm600 -o buildbot -g buildbot -T ${buildbot_key} ${varDir}/buildbot_key | 223 | install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ssh-key ${varDir}/buildbot_key |
| 173 | buildbot_secrets=${varDir}/${project.name}/secrets | 224 | buildbot_secrets=${varDir}/${project.name}/secrets |
| 174 | install -m 0600 -o buildbot -g buildbot -d $buildbot_secrets | 225 | install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets |
| 175 | echo "${myconfig.env.buildbot.ldap.password}" > $buildbot_secrets/ldap | 226 | install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ldap $buildbot_secrets/ldap |
| 176 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList | 227 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList |
| 177 | (k: v: "echo ${lib.strings.escapeShellArg v} > $buildbot_secrets/${k}") project.secrets | 228 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/${project.name}/buildbot-${project.name}-${k} $buildbot_secrets/${k}") project.secrets |
| 178 | )} | 229 | )} |
| 179 | chown -R buildbot:buildbot $buildbot_secrets | ||
| 180 | chmod -R u=rX,go=- $buildbot_secrets | ||
| 181 | ${project.activationScript} | ||
| 182 | ''; | 230 | ''; |
| 183 | }) myconfig.env.buildbot.projects; | ||
| 184 | |||
| 185 | systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | ||
| 186 | description = "Buildbot Continuous Integration Server ${project.name}."; | ||
| 187 | after = [ "network-online.target" ]; | ||
| 188 | wantedBy = [ "multi-user.target" ]; | ||
| 189 | path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs); | ||
| 190 | environment = let | 231 | environment = let |
| 191 | project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment; | 232 | project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment; |
| 192 | buildbot_config = pkgs.python3Packages.buildPythonPackage (rec { | 233 | buildbot_config = pkgs.python3Packages.buildPythonPackage (rec { |
| @@ -211,6 +252,7 @@ in | |||
| 211 | Type = "forking"; | 252 | Type = "forking"; |
| 212 | User = "buildbot"; | 253 | User = "buildbot"; |
| 213 | Group = "buildbot"; | 254 | Group = "buildbot"; |
| 255 | SupplementaryGroups = "keys"; | ||
| 214 | WorkingDirectory = "${varDir}/${project.name}"; | 256 | WorkingDirectory = "${varDir}/${project.name}"; |
| 215 | ExecStart = "${buildbot}/bin/buildbot start"; | 257 | ExecStart = "${buildbot}/bin/buildbot start"; |
| 216 | }; | 258 | }; |