authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 01:37:05 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 01:37:05 +0200
commitca330baa14da56456ec538b232a91e1c443241bb (patch)
treedcc4dba95c31e7c71f934f5ef125fcd0f70fa736 /nixops
parent44742a43dac86a79274486a9b73a349c5d4ec631 (diff)
Migrate buildbot to new secrets
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/buildbot/default.nix40
1 files changed, 20 insertions, 20 deletions
diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix
index 057b58b..aa8df36 100644
--- a/nixops/modules/buildbot/default.nix
+++ b/nixops/modules/buildbot/default.nix
@@ -116,7 +116,7 @@ in
116 <RequireAny> 116 <RequireAny>
117 Require local 117 Require local
118 Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu 118 Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
119 Include /run/keys/buildbot/${project.name}/buildbot-${project.name}-webhook-httpd-include 119 Include /var/secrets/buildbot/${project.name}/webhook-httpd-include
120 </RequireAny> 120 </RequireAny>
121 </Location> 121 </Location>
122 '') myconfig.env.buildbot.projects; 122 '') myconfig.env.buildbot.projects;
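Review bot: The `Include` on line 119 now pulls a file whose content is generated further down from `project.webhookTokens` and is deliberately empty for projects that declare no tokens, so an empty include is the expected state rather than a misconfiguration; a comment above the directive would spare the next reader a trip through the secrets block: `# per-project Access-Key allowlist, generated (possibly empty) by mySecrets.keys below; Apache Include fails at startup if the file is absent, so it must always be deployed`. Apache's `Include` (unlike `IncludeOptional`) aborts config parsing when the path does not exist, and nothing visible here orders httpd after the secret has been written — confirm the `mySecrets` module deploys before httpd starts, as `keys.target` did for `/run/keys`. The enclosing `<Location>` block starts before this hunk.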
@@ -130,52 +130,51 @@ in
130 ''; 130 '';
131 }) myconfig.env.buildbot.projects; 131 }) myconfig.env.buildbot.projects;
132 132
133 deployment.keys = lib.attrsets.listToAttrs ( 133 mySecrets.keys = (
134 lib.lists.flatten ( 134 lib.lists.flatten (
135 lib.attrsets.mapAttrsToList (k: project: 135 lib.attrsets.mapAttrsToList (k: project:
136 lib.attrsets.mapAttrsToList (k: v: 136 lib.attrsets.mapAttrsToList (k: v:
137 lib.attrsets.nameValuePair "buildbot-${project.name}-${k}" { 137 {
138 permissions = "0600"; 138 permissions = "0600";
139 user = "buildbot"; 139 user = "buildbot";
140 group = "buildbot"; 140 group = "buildbot";
141 text = v; 141 text = v;
142 destDir = "/run/keys/buildbot/${project.name}"; 142 dest = "buildbot/${project.name}/${k}";
143 } 143 }
144 ) project.secrets 144 ) project.secrets
145 ++ [ 145 ++ [
146 (lib.attrsets.nameValuePair "buildbot-${project.name}-webhook-httpd-include" { 146 {
147 permissions = "0600"; 147 permissions = "0600";
148 user = "wwwrun"; 148 user = "wwwrun";
149 group = "wwwrun"; 149 group = "wwwrun";
150 text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) '' 150 text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) ''
151 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" 151 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
152 ''; 152 '';
153 destDir = "/run/keys/buildbot/${project.name}"; 153 dest = "buildbot/${project.name}/webhook-httpd-include";
154 }) 154 }
155 ] 155 ]
156 ) myconfig.env.buildbot.projects 156 ) myconfig.env.buildbot.projects
157 ) 157 )
158 ) // { 158 ) ++ [
159 buildbot-ldap = { 159 {
160 permissions = "0600"; 160 permissions = "0600";
161 user = "buildbot"; 161 user = "buildbot";
162 group = "buildbot"; 162 group = "buildbot";
163 text = myconfig.env.buildbot.ldap.password; 163 text = myconfig.env.buildbot.ldap.password;
164 destDir = "/run/keys/buildbot"; 164 dest = "buildbot/ldap";
165 }; 165 }
166 buildbot-ssh-key = { 166 {
167 permissions = "0600"; 167 permissions = "0600";
168 user = "buildbot"; 168 user = "buildbot";
169 group = "buildbot"; 169 group = "buildbot";
170 text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key"; 170 text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key";
171 destDir = "/run/keys/buildbot"; 171 dest = "buildbot/ssh_key";
172 }; 172 }
173 }; 173 ];
174 174
175 systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { 175 systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
176 description = "Buildbot Continuous Integration Server ${project.name}."; 176 description = "Buildbot Continuous Integration Server ${project.name}.";
177 after = [ "network-online.target" "keys.target" ]; 177 after = [ "network-online.target" ];
178 wants = [ "keys.target" ];
179 wantedBy = [ "multi-user.target" ]; 178 wantedBy = [ "multi-user.target" ];
180 path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs); 179 path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);
181 preStart = let 180 preStart = let
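Review bot: Dropping `keys.target` from `after` and `wants` (old lines 177-178) removes the only visible guarantee that the secrets exist before `preStart` copies them out of `/var/secrets`, and nothing in this hunk replaces it — unless the `mySecrets` module ships its own unit, reinstate an equivalent ordering, e.g. `after = [ "network-online.target" "<mySecrets-target>" ]; wants = [ "<mySecrets-target>" ];`. Separately, `deployment.keys` delivered `text` out of band, whereas how `mySecrets.keys` materialises `text` is not visible here: if it passes through the Nix store, the LDAP password, the webhook tokens and the SSH key read by `builtins.readFile` become world-readable on every host holding the closure, so confirm the module writes them out of band. Note also that `/var/secrets` is a persistent path rather than the tmpfs-backed `/run/keys`, so the parent directory's permissions and backup exclusion deserve a comment next to the `dest` entries. The `systemd.services` attribute set continues past the end of this hunk.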
@@ -220,12 +219,13 @@ in
220 rm -f ${varDir}/${project.name}/buildbot.tac 219 rm -f ${varDir}/${project.name}/buildbot.tac
221 fi 220 fi
222 ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac 221 ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
223 install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ssh-key ${varDir}/buildbot_key 222 # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race
223 install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key ${varDir}/buildbot_key || true
224 buildbot_secrets=${varDir}/${project.name}/secrets 224 buildbot_secrets=${varDir}/${project.name}/secrets
225 install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets 225 install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets
226 install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ldap $buildbot_secrets/ldap 226 install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap
227 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList 227 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
228 (k: v: "install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/${project.name}/buildbot-${project.name}-${k} $buildbot_secrets/${k}") project.secrets 228 (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets
229 )} 229 )}
230 ''; 230 '';
231 environment = let 231 environment = let
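Review bot: The `|| true` added on new line 223 masks every failure of that `install`, not only the race named in the comment above it: a missing or unreadable `/var/secrets/buildbot/ssh_key` (now possible, since the `keys.target` ordering was dropped) silently leaves `${varDir}/buildbot_key` absent or stale and the service starts without a working key. An atomic replace removes the race without swallowing errors: `tmp=$(mktemp "${varDir}/buildbot_key.XXXXXX")`, `install -m600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key "$tmp"`, `mv -f "$tmp" ${varDir}/buildbot_key`. That keeps the shared destination consistent when several `buildbot-*` preStart scripts run concurrently and still fails the unit loudly when the secret is not there. The `preStart` script begins before this hunk.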