diff options
-rw-r--r-- | nixops/modules/buildbot/default.nix | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix index 057b58b..aa8df36 100644 --- a/nixops/modules/buildbot/default.nix +++ b/nixops/modules/buildbot/default.nix | |||
@@ -116,7 +116,7 @@ in | |||
116 | <RequireAny> | 116 | <RequireAny> |
117 | Require local | 117 | Require local |
118 | Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu | 118 | Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu |
119 | Include /run/keys/buildbot/${project.name}/buildbot-${project.name}-webhook-httpd-include | 119 | Include /var/secrets/buildbot/${project.name}/webhook-httpd-include |
120 | </RequireAny> | 120 | </RequireAny> |
121 | </Location> | 121 | </Location> |
122 | '') myconfig.env.buildbot.projects; | 122 | '') myconfig.env.buildbot.projects; |
@@ -130,52 +130,51 @@ in | |||
130 | ''; | 130 | ''; |
131 | }) myconfig.env.buildbot.projects; | 131 | }) myconfig.env.buildbot.projects; |
132 | 132 | ||
133 | deployment.keys = lib.attrsets.listToAttrs ( | 133 | mySecrets.keys = ( |
134 | lib.lists.flatten ( | 134 | lib.lists.flatten ( |
135 | lib.attrsets.mapAttrsToList (k: project: | 135 | lib.attrsets.mapAttrsToList (k: project: |
136 | lib.attrsets.mapAttrsToList (k: v: | 136 | lib.attrsets.mapAttrsToList (k: v: |
137 | lib.attrsets.nameValuePair "buildbot-${project.name}-${k}" { | 137 | { |
138 | permissions = "0600"; | 138 | permissions = "0600"; |
139 | user = "buildbot"; | 139 | user = "buildbot"; |
140 | group = "buildbot"; | 140 | group = "buildbot"; |
141 | text = v; | 141 | text = v; |
142 | destDir = "/run/keys/buildbot/${project.name}"; | 142 | dest = "buildbot/${project.name}/${k}"; |
143 | } | 143 | } |
144 | ) project.secrets | 144 | ) project.secrets |
145 | ++ [ | 145 | ++ [ |
146 | (lib.attrsets.nameValuePair "buildbot-${project.name}-webhook-httpd-include" { | 146 | { |
147 | permissions = "0600"; | 147 | permissions = "0600"; |
148 | user = "wwwrun"; | 148 | user = "wwwrun"; |
149 | group = "wwwrun"; | 149 | group = "wwwrun"; |
150 | text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) '' | 150 | text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) '' |
151 | Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" | 151 | Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" |
152 | ''; | 152 | ''; |
153 | destDir = "/run/keys/buildbot/${project.name}"; | 153 | dest = "buildbot/${project.name}/webhook-httpd-include"; |
154 | }) | 154 | } |
155 | ] | 155 | ] |
156 | ) myconfig.env.buildbot.projects | 156 | ) myconfig.env.buildbot.projects |
157 | ) | 157 | ) |
158 | ) // { | 158 | ) ++ [ |
159 | buildbot-ldap = { | 159 | { |
160 | permissions = "0600"; | 160 | permissions = "0600"; |
161 | user = "buildbot"; | 161 | user = "buildbot"; |
162 | group = "buildbot"; | 162 | group = "buildbot"; |
163 | text = myconfig.env.buildbot.ldap.password; | 163 | text = myconfig.env.buildbot.ldap.password; |
164 | destDir = "/run/keys/buildbot"; | 164 | dest = "buildbot/ldap"; |
165 | }; | 165 | } |
166 | buildbot-ssh-key = { | 166 | { |
167 | permissions = "0600"; | 167 | permissions = "0600"; |
168 | user = "buildbot"; | 168 | user = "buildbot"; |
169 | group = "buildbot"; | 169 | group = "buildbot"; |
170 | text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key"; | 170 | text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key"; |
171 | destDir = "/run/keys/buildbot"; | 171 | dest = "buildbot/ssh_key"; |
172 | }; | 172 | } |
173 | }; | 173 | ]; |
174 | 174 | ||
175 | systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | 175 | systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { |
176 | description = "Buildbot Continuous Integration Server ${project.name}."; | 176 | description = "Buildbot Continuous Integration Server ${project.name}."; |
177 | after = [ "network-online.target" "keys.target" ]; | 177 | after = [ "network-online.target" ]; |
178 | wants = [ "keys.target" ]; | ||
179 | wantedBy = [ "multi-user.target" ]; | 178 | wantedBy = [ "multi-user.target" ]; |
180 | path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs); | 179 | path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs); |
181 | preStart = let | 180 | preStart = let |
@@ -220,12 +219,13 @@ in | |||
220 | rm -f ${varDir}/${project.name}/buildbot.tac | 219 | rm -f ${varDir}/${project.name}/buildbot.tac |
221 | fi | 220 | fi |
222 | ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac | 221 | ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac |
223 | install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ssh-key ${varDir}/buildbot_key | 222 | # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race |
223 | install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key ${varDir}/buildbot_key || true | ||
224 | buildbot_secrets=${varDir}/${project.name}/secrets | 224 | buildbot_secrets=${varDir}/${project.name}/secrets |
225 | install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets | 225 | install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets |
226 | install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/buildbot-ldap $buildbot_secrets/ldap | 226 | install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap |
227 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList | 227 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList |
228 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /run/keys/buildbot/${project.name}/buildbot-${project.name}-${k} $buildbot_secrets/${k}") project.secrets | 228 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets |
229 | )} | 229 | )} |
230 | ''; | 230 | ''; |
231 | environment = let | 231 | environment = let |