From 200690c9aecec1f38c1a62a65916df2950e1afe7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 24 Jun 2021 22:24:15 +0200 Subject: First attempt at making declarative VMs In order to make buildbot more secure, the builds need to happen inside VMs so that they can be thrown out on demand when not needed. This commit implements this facility on dilion, and also defines declaratively some previous VMs which used to run on the machine. --- modules/private/buildbot/default.nix | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'modules/private/buildbot/default.nix') diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index d6753e5..ac34845 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix @@ -107,7 +107,12 @@ in project_env = with lib.attrsets; mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment // mapAttrs' (k: v: nameValuePair "BUILDBOT_PATH_${k}" (v pkgs)) (attrByPath ["builderPaths"] {} project) // - { BUILDBOT_PROJECT_DIR = ./projects + "/${project.name}"; }; + { + BUILDBOT_PROJECT_DIR = ./projects + "/${project.name}"; + BUILDBOT_WORKER_PORT = builtins.toString project.workerPort; + BUILDBOT_HOST = config.hostEnv.fqdn; + BUILDBOT_VIRT_URL = "qemu+ssh://libvirt@dilion.immae.eu/system"; + }; in builtins.concatStringsSep "\n" (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env); } @@ -122,6 +127,13 @@ in text = config.myEnv.buildbot.ldap.password; dest = "buildbot/ldap"; } + { + permissions = "0600"; + user = "buildbot"; + group = "buildbot"; + text = config.myEnv.buildbot.workerPassword; + dest = "buildbot/worker_password"; + } { permissions = "0600"; user = "buildbot"; 
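Review bot: `BUILDBOT_VIRT_URL` is hard-coded to `qemu+ssh://libvirt@dilion.immae.eu/system` inside a module that is otherwise parameterised through `config.myEnv.buildbot.*` and `config.hostEnv.fqdn`, so every host and project that imports this module will drive dilion's system-level libvirt socket. I would lift it to an option next to `workerPassword`, e.g. `BUILDBOT_VIRT_URL = config.myEnv.buildbot.virtUrl;`, so the target hypervisor (and whether the privileged `/system` URI is really needed rather than `/session`) is declared per deployment instead of baked into the module. The ssh transport will also need an identity and a known_hosts entry for `libvirt@dilion.immae.eu` under the `buildbot` user's HOME, which this diff does not provision — presumably the existing `/var/secrets/buildbot/ssh_key` is meant for that; worth confirming host-key verification is not disabled to make the connection work. The `let` binding this hunk edits starts before the hunk.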
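Review bot: The new `worker_password` secret is a single deployment-wide value (`config.myEnv.buildbot.workerPassword`, written to `buildbot/worker_password` rather than under `buildbot/${project.name}/` like the per-project secrets), so every project's master accepts the same worker credential. Given the commit's stated goal of disposable, untrusted build VMs, a worker compromised while building one project can then register with any other project's master; a per-project password, e.g. `text = project.workerPassword; dest = "buildbot/${project.name}/worker_password";`, would keep the blast radius to one project. The 0600/`buildbot` ownership on the secret file itself is right.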
@@ -135,6 +147,7 @@ in restart = true; paths = [ "/var/secrets/buildbot/ldap" + "/var/secrets/buildbot/worker_password" "/var/secrets/buildbot/ssh_key" "/var/secrets/buildbot/${project.name}/environment_file" ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; @@ -144,6 +157,7 @@ in description = "buildbot slice"; }; + networking.firewall.allowedTCPPorts = lib.attrsets.mapAttrsToList (k: v: v.workerPort) config.myEnv.buildbot.projects; systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { description = "Buildbot Continuous Integration Server ${project.name}."; after = [ "network-online.target" ]; @@ -196,6 +210,7 @@ in buildbot_secrets=${varDir}/${project.name}/secrets install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap + install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/worker_password $buildbot_secrets/worker_password ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets )} @@ -213,6 +228,7 @@ in }); HOME = "${varDir}/${project.name}"; PYTHONPATH = "${buildbot.pythonModule.withPackages (self: project.pythonPackages self pkgs ++ [ + pkgs.python3Packages.libvirt pkgs.python3Packages.wokkel pkgs.python3Packages.treq pkgs.python3Packages.ldap3 buildbot pkgs.python3Packages.buildbot-worker -- cgit v1.2.3
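Review bot: `networking.firewall.allowedTCPPorts` opens every project's `workerPort` on all interfaces, although the only intended clients are the VMs on the hypervisor named in `BUILDBOT_VIRT_URL`. The buildbot worker protocol is then reachable from anywhere and protected only by the (shared) worker password; restricting the rule to the hypervisor's address — an `iptables -A nixos-fw -s <dilion-ip> -p tcp --dport <port> -j nixos-fw-accept` line in `networking.firewall.extraCommands`, or `networking.firewall.interfaces.<internal-if>.allowedTCPPorts` if the workers arrive over a dedicated link — keeps the port off the public surface. I would also add a comment above the option explaining why the ports must be reachable from outside the host at all, e.g. `# Buildbot workers run in VMs on the hypervisor and connect back to the master on these ports.`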