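# NixOS module: a Buildbot master served through nginx, plus one local
# Buildbot worker on the same host. Secrets come from sops-nix: the master
# receives them as systemd credentials (LoadCredential), the worker reads
# its password file directly, so only that one secret needs an owner.
{ lib, pkgs, config, ... }:
with lib;
let
  cfg = config.luj.buildbot;
  # TCP port of the master's web UI; nginx proxies to 127.0.0.1:${port} and
  # the master gets it as $PORT (presumably consumed by master.py — confirm).
  port = "1810";
  package = pkgs.python3Packages.buildbot-worker;
  python = package.pythonModule;
  home = "/var/lib/buildbot-worker";
  buildbotDir = "${home}/worker";
in
{

  options.luj.buildbot = {
    enable = mkEnableOption "activate buildbot service";

    # NOTE(review): neither nginx option is read in the config below — the
    # virtual host is always created for the hard-coded host name. Either
    # gate the vhost on them or remove them so users are not misled.
    nginx.enable = mkEnableOption "activate nginx";
    nginx.subdomain = mkOption {
      type = types.str;
      description = "Subdomain for the buildbot web UI (currently not used by this module).";
    };

  };

  config = mkIf cfg.enable {

    # Buildbot master

    services.buildbot-master = {
      enable = true;
      masterCfg = "${./.}/master.py";
      pythonPackages = ps: [
        ps.requests
        ps.treq
        ps.psycopg2
        ps.buildbot-worker
        pkgs.buildbot-badges
      ];
    };

    systemd.services.buildbot-master = {
      reloadIfChanged = true;
      environment = {
        PORT = port;
        # Github app used for the login button (public client id, not a secret;
        # the matching secret is passed via LoadCredential below)
        GITHUB_OAUTH_ID = "355493f668a8e1aa10cf";
        GITHUB_ORG = "JulienMalka";
        GITHUB_REPO = "nix-config";

        BUILDBOT_URL = "https://ci.julienmalka.me/";
        BUILDBOT_GITHUB_USER = "JulienMalka";
        # comma separated list of users that are allowed to login to buildbot and do stuff
        GITHUB_ADMINS = "JulienMalka";
      };
      serviceConfig = {
        # Restart buildbot with a delay. This way we can use buildbot to deploy itself.
        # The leading "+" makes systemd run the command with full privileges
        # (systemctl restart needs them) regardless of the service's User=.
        ExecReload = "+${pkgs.systemd}/bin/systemd-run --on-active=60 ${pkgs.systemd}/bin/systemctl restart buildbot-master";
        # in master.py we read secrets from $CREDENTIALS_DIRECTORY
        # (systemd copies the files there at start, scoped to this unit, so the
        # sops secrets below need no owner/group of their own)
        LoadCredential = [
          "github-token:${config.sops.secrets.github-token.path}"
          "github-webhook-secret:${config.sops.secrets.github-webhook-secret.path}"
          "github-oauth-secret:${config.sops.secrets.github-oauth-secret.path}"
          "buildbot-nix-workers:${config.sops.secrets.buildbot-nix-workers.path}"
        ];
      };
    };
    sops.secrets = {
      github-token = {
        format = "binary";
        sopsFile = ../../secrets/github-token-secret;
      };
      github-webhook-secret = {
        format = "binary";
        sopsFile = ../../secrets/github-webhook-secret;
      };
      github-oauth-secret = {
        format = "binary";
        sopsFile = ../../secrets/github-oauth-secret;
      };
      buildbot-nix-workers = {
        format = "binary";
        sopsFile = ../../secrets/buildbot-nix-workers;
      };
    };

    # NOTE(review): no forceSSL/enableACME is set here although BUILDBOT_URL
    # is https and ssl_session_timeout is tuned; the TLS settings are presumably
    # defined for this vhost elsewhere — confirm, otherwise the UI (and the
    # GitHub login) would be reachable over plain HTTP.
    services.nginx.virtualHosts."ci.julienmalka.me" =
      {
        extraConfig = "ssl_session_timeout 1440m;";
        locations."/".proxyPass = "http://127.0.0.1:${port}/";
        locations."/sse" = {
          proxyPass = "http://127.0.0.1:${port}/sse/";
          # proxy buffering will prevent sse to work
          extraConfig = "proxy_buffering off;";
        };
        locations."/ws" = {
          proxyPass = "http://127.0.0.1:${port}/ws";
          proxyWebsockets = true;
          # raise the proxy timeout for the websocket
          extraConfig = "proxy_read_timeout 6000s;";
        };
      };

    #buildbot worker

    # NOTE(review): this definition replaces the NixOS default of [ "*" ]
    # unless another module extends the list, i.e. only root and
    # buildbot-worker may talk to the nix daemon afterwards — confirm that
    # this restriction is intended for the whole host.
    nix.settings.allowed-users = [ "buildbot-worker" ];
    users.users.buildbot-worker = {
      description = "Buildbot Worker User.";
      isSystemUser = true;
      createHome = true;
      # same path the worker's WorkingDirectory and BUILDBOT_DIR are derived from
      inherit home;
      group = "buildbot-worker";
      useDefaultShell = true;
    };
    users.groups.buildbot-worker = { };

    systemd.services.buildbot-worker = {
      reloadIfChanged = true;
      description = "Buildbot Worker.";
      after = [ "network.target" "buildbot-master.service" ];
      wantedBy = [ "multi-user.target" ];
      # tools the build steps may invoke; worker.py itself is run by twistd below
      path = [
        pkgs.unstable.nix-eval-jobs
        pkgs.git
        pkgs.gh
        pkgs.nix
        pkgs.nix-output-monitor
      ];
      environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}";
      environment.MASTER_URL = ''tcp:host=localhost:port=9989'';
      environment.BUILDBOT_DIR = buildbotDir;
      # read directly by the worker process, hence the owner on the sops secret below
      environment.WORKER_PASSWORD_FILE = config.sops.secrets.buildbot-nix-worker-password.path;

      serviceConfig = {
        Type = "simple";
        User = "buildbot-worker";
        Group = "buildbot-worker";
        WorkingDirectory = home;

        # Restart buildbot with a delay. This way we can use buildbot to deploy itself.
        # "+" runs the reload command with full privileges, not as User=buildbot-worker.
        ExecReload = "+${pkgs.systemd}/bin/systemd-run --on-active=60 ${pkgs.systemd}/bin/systemctl restart buildbot-worker";
        ExecStart = "${python.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${./worker.py}";
      };
    };
    sops.secrets.buildbot-nix-worker-password = {
      format = "binary";
      owner = "buildbot-worker";
      sopsFile = ../../secrets/buildbot-nix-worker-password;
    };


  };
}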