refactor buildbot, watch-store

nix-community · Nov 23, 2023 · 7deb90d · 7deb90d
1 parent 78a1f03
commit 7deb90d
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 190 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -80,24 +80,6 @@ creation_rules:
           - *zimbatm
           - *zowoq
           - *adisbladis
-  - path_regex: modules/nixos/buildbot-master/.+\.yaml$
-    key_groups:
-      - age:
-          - *build03
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
-  - path_regex: modules/nixos/buildbot-worker/.+\.yaml$
-    key_groups:
-      - age:
-          - *build03
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
   - path_regex: modules/nixos/hercules-ci/.+\.yaml$
     key_groups:
       - age:

diff --git a/flake.nix b/flake.nix
@@ -154,8 +154,7 @@
         flake.nixosModules = {
           common = ./modules/nixos/common;
 
-          buildbot-master = ./modules/nixos/buildbot-master;
-          buildbot-worker = ./modules/nixos/buildbot-worker;
+          buildbot = ./modules/nixos/buildbot.nix;
           builder = ./modules/nixos/builder.nix;
           community-builder = ./modules/nixos/community-builder;
           github-org-backup = ./modules/nixos/github-org-backup.nix;

diff --git a/hosts/build03/configuration.nix b/hosts/build03/configuration.nix
@@ -13,8 +13,7 @@
     inputs.srvos.nixosModules.mixins-nginx
     inputs.srvos.nixosModules.hardware-hetzner-online-amd
     inputs.self.nixosModules.common
-    inputs.self.nixosModules.buildbot-master
-    inputs.self.nixosModules.buildbot-worker
+    inputs.self.nixosModules.buildbot
     inputs.self.nixosModules.builder
     inputs.self.nixosModules.hercules-ci
     inputs.self.nixosModules.watch-store

diff --git a/hosts/build03/secrets.yaml b/hosts/build03/secrets.yaml
@@ -4,7 +4,13 @@ hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,i
 nur-update-github-token: ENC[AES256_GCM,data:KIZCx9IeuBHZei2V13iiyHzCedhkkGEd08mVJEc6F0DWQn1wtzC7+w==,iv:pNVRj/RR7wj64g640F7Vo4H10ijsxnrfFQnt6YHBug4=,tag:UlvOMNB5JZbuJaD9TcJ2UQ==,type:str]
 hydra-users: ENC[AES256_GCM,data:askAB+a3bsFvue/j9i6sYSwgOQl+rL+uh+1+z+xizzBOWdTZcvRh5uFHTkg7MV/E7tG7eRByQ7b+v/onJ4+l3rGJJ6qsWtLLLizC1rusngsAXyI9jt66eqpsyacN5kw8cKILjGearptrhUZDWdKpbaHII6fwUbWbjyV5fpoQzNmI4VELWEQMZ50yECfAfCLHx9iTdoMJHPXzhqwvAZ+TbX6TsyqbDrrNauYWNUBhCK7E2tDYAQqOGhxnQWI+gQs=,iv:Baqyd/WfloMuXTiICD2dlvENst8G6YU9rSHdRkTECkU=,tag:z4j5dYcba3aZTyWu5wvkzw==,type:str]
 hetzner-borgbackup-ssh: ENC[AES256_GCM,data:ZNrQp36c3EuERlAYez6SHTLbHK7ZmLNqDpAffTTQARL2zpnjpw1wJQJdm6d6Un1wTjYmHMJ/f1jCKgn389FGiZJwxSLUL4Ko2n5HffBTjZwTeqE1y4XFe6qvAY/LYBmD728ZWOsSWPvoVZOm1dG7LsxxwUZWk2VyDtvODuJBInn19Dn7Tw5VqPjJMJAp5CfAaW8ilEPpdeG0JQfkJkBQj0+pMlpI1EIVDvdZai5fesweUWeaajrPnIjrBbqdFvd8eG9qrTehLM7FvpnT2qllfsCOeQf/KTPEw16I6eGFFm22iPblJgHFPzpu1a2Lvwn+8HcwqSMlGI9poOeV5RwXqBhFX9vozlN8G82csAnehiZmLktyYin1kYF3nfOXFqH9fKxbvXn/1hxQP//GDeoaNlepa/K/w51pj1mgbIXIb5g/PKsHaC7Rv3iDMcYW977+lobA4WnxfWhjA6k/iBb1unkSKbrZs+iHglpOKueAq9g6HO5fJ299eY2+GcmsPU3QKm4W,iv:550mzEValpqVruLQBMMJeJHVyYfaxNHwCvXkvz66qI0=,tag:k48T+9AtJs8GTVchyEP8Jw==,type:str]
-watch-store-token: ENC[AES256_GCM,data:VBEj9g5R/aa3hTDcKl8HRxJOOgl4B+0uyPMRhnrPth6LD7r5tpq4ckPHXqo87kekXMGoMIVeGYaM+E1iOLhnqOUOeOoSs+6NnnrUg2+nHR2gC2xAGZpxc/ntZ5g5DVDi0iw7jzxdd3X5OAru5mi/mDRXOAdeT+jtwLwqBEZ5dHMBRI/gGs2wRVIY0XUG5EQW/M1AYpanRat/jfmWJjuZvlT3MEA=,iv:AP66pQJiP8wl10F3vhwpdRcVKm8PP6U8T0POXa1fFio=,tag:WdI6TgV5D1ZJolOazFV1Ew==,type:str]
+cachix-auth-token: ENC[AES256_GCM,data:LJwxCrkiiHX5iKfxJ3yFQIaBCevFqQnkJpfs5fe7ntmie185liz2Tp+b9IcC091YDbAa/fV8ZBzC8I6T5Kf57fk1ZxaRcqRkZ0a+BXTYUUteLQkC9ECxbkk4CCsZK6vVvdx4509lezQ1TrJnoQ+7YRuH0mI2J5WTxJO9s/1rs43rMTD0AOuXRDbTblu5r5pILxWVBwT6xCVGv5k4V3kiEoQSvg==,iv:8CWE6WIs7s+eTQ+OUbSsUScO4bjzKpyMdHUxUwVUYIw=,tag:jhyDfHxfzMhVb8fPdD41rw==,type:str]
+cachix-name: ENC[AES256_GCM,data:DhzIMyT+B9wvMoK9Iw==,iv:5pnXyQosbF/HFmbDFmfSaz4XWkfiA0/ccfe/yw4LvbM=,tag:E7+u/+aEK83cYygk88ZYOw==,type:str]
+buildbot-github-oauth-secret: ENC[AES256_GCM,data:XDEbK5ahb5qiDdmq2gOyIch/NDFK/qjA6gX3rQ0XZthshiO3OfpAng==,iv:ze2R9Laji2FR1qp3LkeRPfKC0ebH0fF4ZTQ4mLVliUs=,tag:eT0jpnj2v7q3L6vyVLAeeQ==,type:str]
+buildbot-github-token: ENC[AES256_GCM,data:t62X1d2Uw62YwmJnENSS629OrVRT9D2zpkZeF9UR144KZNZ01TxSWA==,iv:Lv3ryF1U5zUQreH9LZa60LZ4sgxVFIR0jd4+VELSkMg=,tag:EyKdmC9goF4UZeUKBDeAzA==,type:str]
+buildbot-github-webhook-secret: ENC[AES256_GCM,data:AtUFcOjLivJt8np5451Wfol5s48R4vW5gJPisT+hMD7dFAvucKriQEY+mcAMqL1X6w==,iv:oBKj9XXu/4mkeH+3KkMlWSx8GnMoXwBugNuG8Uu3XtU=,tag:8cBZVE7TOJf3QEqxfsuF8g==,type:str]
+buildbot-nix-workers: ENC[AES256_GCM,data:taoOzkDugI8zilAAkYjIUPEpE4BK7zQulImKblwDmygGRMYw9y3N6gwxcVOeAu1BusGkFStnMa+6DQz555H00rS8YPKwS16ov0XN1ZmrcrbWS12z2/9NUvq/iI+HpLmVoHTTasM=,iv:0brO1MqB19AQZCXubiTvCwX0jN+Arn7YKg6CQ6Urf9g=,tag:FlHif4EBsjeBaSqveBrPTA==,type:str]
+buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+wlXva3YJnNkO9KSX9PIhnRHVES72jO63AkhvfBVEg==,iv:rTpaiCYcedcsy115BEDep68Mehb6knes7OxvBrEOrUQ=,tag:dD4Hg4oR3SfpYdP1e8V2jA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -65,8 +71,8 @@ sops:
             WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
             FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-16T06:27:48Z"
-    mac: ENC[AES256_GCM,data:rObEhY3ArAQJjoYkejy3g9AOMHz0ophqG7nfOfZgUnejLmsNqxVlq9tIZCTEOXHT9QbDi34jTEobQLVdqCPX2wL7A4dx/cfDKNEtei8vKm1xAOeGl6gnyCyONQwP7Nqd1rtZCy6lS8ePa8Lyrc6wRL/giDM2yOcV+XR/aH4Jch4=,iv:Y2zYk9K1EGM7cwHNSOdY+OoooWjNfUiUWHKRJ+h8QHA=,tag:Oyjs1hEG4HzI76z2GA73Mg==,type:str]
+    lastmodified: "2023-11-20T23:33:43Z"
+    mac: ENC[AES256_GCM,data:zTFyPd6ev6JgUnjLM1xLbuxodoKlvUPgf68byRkY8Z6jfdETjJXMzvLYdwOxXvU282iAZYzLiQjdoIeUE0nc3UvakaVUqEP0e91MNmBfHyFyvjjeDGX5n3WSbPJOX1BzuQIOsagqY8fewJAY90dCSRTiWrtnnJ/SkVoQJVyCxEw=,iv:VUMfGZ9ihMkd6R6SFJ1ECLJezTyKgb+DL8eN9DnSs8w=,tag:YsDp2l3K0g/ZdL7t9XvNJQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/modules/nixos/buildbot-master/secrets.yaml b/modules/nixos/buildbot-master/secrets.yaml
diff --git a/modules/nixos/buildbot-worker/default.nix b/modules/nixos/buildbot-worker/default.nix
diff --git a/modules/nixos/buildbot-worker/secrets.yaml b/modules/nixos/buildbot-worker/secrets.yaml
diff --git a/modules/nixos/buildbot-master/default.nix → modules/nixos/buildbot.nix b/modules/nixos/buildbot-master/default.nix → modules/nixos/buildbot.nix
@@ -1,10 +1,8 @@
 { config, inputs, ... }:
-let
-  buildbotSecrets.sopsFile = ./secrets.yaml;
-in
 {
   imports = [
     inputs.buildbot-nix.nixosModules.buildbot-master
+    inputs.buildbot-nix.nixosModules.buildbot-worker
   ];
 
   services.nginx.virtualHosts."buildbot.nix-community.org" = {
@@ -16,10 +14,10 @@ in
     "http://localhost:8011/metrics"
   ];
 
-  sops.secrets.github-oauth-secret = buildbotSecrets;
-  sops.secrets.github-token = buildbotSecrets;
-  sops.secrets.github-webhook-secret = buildbotSecrets;
-  sops.secrets.nix-workers = buildbotSecrets;
+  sops.secrets.buildbot-github-oauth-secret = { };
+  sops.secrets.buildbot-github-token = { };
+  sops.secrets.buildbot-github-webhook-secret = { };
+  sops.secrets.buildbot-nix-workers = { };
 
   services.buildbot-nix.master = {
     enable = true;
@@ -28,23 +26,30 @@ in
     prometheusExporterPort = 8011;
     evalMaxMemorySize = "4096";
     evalWorkerCount = 8;
-    workersFile = config.sops.secrets.nix-workers.path;
+    workersFile = config.sops.secrets.buildbot-nix-workers.path;
     github = {
-      tokenFile = config.sops.secrets.github-token.path;
-      webhookSecretFile = config.sops.secrets.github-webhook-secret.path;
-      oauthSecretFile = config.sops.secrets.github-oauth-secret.path;
+      tokenFile = config.sops.secrets.buildbot-github-token.path;
+      webhookSecretFile = config.sops.secrets.buildbot-github-webhook-secret.path;
+      oauthSecretFile = config.sops.secrets.buildbot-github-oauth-secret.path;
       oauthId = "9bbd3e8bbfebb197d2ca";
       user = "nix-community-buildbot";
       admins = [ "adisbladis" "Mic92" "ryantm" "zimbatm" "zowoq" ];
       topic = "nix-community-buildbot";
     };
   };
 
-  sops.secrets.cachix-auth-token = buildbotSecrets;
-  sops.secrets.cachix-name = buildbotSecrets;
+  sops.secrets.cachix-auth-token = { };
+  sops.secrets.cachix-name = { };
 
   systemd.services.buildbot-master.serviceConfig.LoadCredential = [
     "cachix-auth-token:${config.sops.secrets.cachix-auth-token.path}"
     "cachix-name:${config.sops.secrets.cachix-name.path}"
   ];
+
+  sops.secrets.buildbot-nix-worker-password = { };
+
+  services.buildbot-nix.worker = {
+    enable = true;
+    workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path;
+  };
 }
diff --git a/modules/nixos/watch-store.nix b/modules/nixos/watch-store.nix
@@ -1,11 +1,11 @@
 { config, ... }:
 
 {
-  sops.secrets.watch-store-token = { };
+  sops.secrets.cachix-auth-token = { };
 
   services.cachix-watch-store = {
     enable = true;
     cacheName = "nix-community";
-    cachixTokenFile = config.sops.secrets.watch-store-token.path;
+    cachixTokenFile = config.sops.secrets.cachix-auth-token.path;
   };
 }