add buildbot

zowoq 2023-10-25 11:53:51 +10:00
parent 64b5a78d49
commit d90801d01f
9 changed files with 260 additions and 0 deletions


@ -90,6 +90,24 @@ creation_rules:
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: modules/nixos/buildbot-master/.+\.yaml$
key_groups:
- age:
- *build03
- *mic92
- *ryantm
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: modules/nixos/buildbot-worker/.+\.yaml$
key_groups:
- age:
- *build03
- *mic92
- *ryantm
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: modules/nixos/(cachix|hercules-ci)/.+\.yaml$
key_groups:
- age:
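Review bot: The two new rules give the buildbot-master and buildbot-worker secret files the same recipient list, with `*build03` as the only host key. That fits this commit, where both modules appear to be imported on one host, but the master file carries the GitHub and cachix tokens while the worker file carries only a worker password. A comment above the master rule, such as `# master secrets: only the host running buildbot-master belongs here; add new worker hosts to the buildbot-worker rule only`, would keep a future worker host from being added to both lists by copy and paste.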

28
flake.lock generated

@ -1,5 +1,32 @@
{
"nodes": {
"buildbot-nix": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": [
"treefmt-nix"
]
},
"locked": {
"lastModified": 1699084654,
"narHash": "sha256-JOlsEKt5/vKsrXU7zBPYqTSQgeQWMJp5gAMrnMfbms8=",
"owner": "Mic92",
"repo": "buildbot-nix",
"rev": "8df1b9a293973d2e34862d4870fb546af1cae8e4",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "buildbot-nix",
"rev": "8df1b9a293973d2e34862d4870fb546af1cae8e4",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@ -202,6 +229,7 @@
},
"root": {
"inputs": {
"buildbot-nix": "buildbot-nix",
"disko": "disko",
"flake-parts": "flake-parts",
"hercules-ci-agent": "hercules-ci-agent",


@ -28,6 +28,11 @@
nixpkgs-update-github-releases.url = "github:ryantm/nixpkgs-update-github-releases";
nixpkgs-update-github-releases.flake = false;
buildbot-nix.url = "github:Mic92/buildbot-nix/8df1b9a293973d2e34862d4870fb546af1cae8e4";
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
buildbot-nix.inputs.flake-parts.follows = "flake-parts";
buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix";
nur-update.url = "github:nix-community/nur-update";
nur-update.inputs.nixpkgs.follows = "nixpkgs";
@ -149,6 +154,8 @@
flake.nixosModules = {
common = ./modules/nixos/common;
buildbot-master = ./modules/nixos/buildbot-master;
buildbot-worker = ./modules/nixos/buildbot-worker;
builder = ./modules/nixos/builder.nix;
community-builder = ./modules/nixos/community-builder;
github-org-backup = ./modules/nixos/github-org-backup.nix;
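Review bot: `buildbot-nix.url` in the first hunk pins the input to a full commit hash inside the URL, so routine lock-file updates will leave it at that revision. This input supplies the modules that run the CI master and worker, so upstream fixes will not arrive until someone edits the URL by hand. If the pin is deliberate, a comment on that line saying why and when it can be dropped, e.g. `# pinned to a known-good rev; return to github:Mic92/buildbot-nix once <condition>`, would make the choice reviewable.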


@ -13,6 +13,8 @@
inputs.srvos.nixosModules.mixins-nginx
inputs.srvos.nixosModules.hardware-hetzner-online-amd
inputs.self.nixosModules.common
inputs.self.nixosModules.buildbot-master
inputs.self.nixosModules.buildbot-worker
inputs.self.nixosModules.builder
inputs.self.nixosModules.hercules-ci
inputs.self.nixosModules.watch-store
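Review bot: Importing `buildbot-master` and `buildbot-worker` on the same host puts the process that executes build jobs on the machine that holds the master's GitHub token, webhook secret and cachix token. Whether that is acceptable depends on which repositories and pull requests the worker builds, which this page does not show. A comment next to the two imports, e.g. `# buildbot master and worker share this host; the master's secrets are declared in modules/nixos/buildbot-master`, would record that the co-location is intentional. The imports list continues outside the hunk.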


@ -0,0 +1,49 @@
{ config, inputs, lib, ... }:
let
buildbotSecrets.sopsFile = ./secrets.yaml;
in
{
imports = [
inputs.buildbot-nix.nixosModules.buildbot-master
];
services.nginx.virtualHosts."buildbot.nix-community.org" = {
enableACME = true;
forceSSL = true;
};
sops.secrets.github-oauth-secret = buildbotSecrets;
sops.secrets.github-token = buildbotSecrets;
sops.secrets.github-webhook-secret = buildbotSecrets;
sops.secrets.nix-workers = buildbotSecrets;
services.buildbot-nix.master = {
enable = true;
buildSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
domain = "buildbot.nix-community.org";
workersFile = config.sops.secrets.nix-workers.path;
github = {
tokenFile = config.sops.secrets.github-token.path;
webhookSecretFile = config.sops.secrets.github-webhook-secret.path;
oauthSecretFile = config.sops.secrets.github-oauth-secret.path;
oauthId = "9bbd3e8bbfebb197d2ca";
user = "nix-community-buildbot";
admins = [ "adisbladis" "Mic92" "ryantm" "zimbatm" "zowoq" ];
topic = "nix-community-buildbot";
};
};
sops.secrets.cachix-auth-token = buildbotSecrets;
sops.secrets.cachix-name = buildbotSecrets;
systemd.services.buildbot-master.serviceConfig.LoadCredential = [
"cachix-auth-token:${config.sops.secrets.cachix-auth-token.path}"
"cachix-name:${config.sops.secrets.cachix-name.path}"
];
services.buildbot-master.home = "/var/lib/buildbot";
users.users.buildbot = {
isNormalUser = lib.mkForce false;
isSystemUser = true;
};
}
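Review bot: Nothing in this module shows what consumes the `cachix-auth-token` and `cachix-name` credentials handed to `buildbot-master` through `LoadCredential`; none of the `services.buildbot-nix.master` options set here refer to them. The token presumably allows pushing to the binary cache, so a comment above that block naming the consumer and which builds upload would make the exposure reviewable, e.g. `# consumed by <component> to push <which builds> to cachix`. The `users.users.buildbot` override with `lib.mkForce` also deserves a one-line reason.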


@ -0,0 +1,71 @@
github-oauth-secret: ENC[AES256_GCM,data:/yz5IXVGItgBrJ0ISA9hfWojXo/GlW16hmGiWFxY7fnzIYL3q47Raw==,iv:B8u0ezCiquMqnO1V5Z9hz/MGZRtXF6mRa/24ffFBzAI=,tag:soVcm+N5tu00gHm9nCGnvw==,type:str]
github-token: ENC[AES256_GCM,data:vzHJ31K+/JkfSMe+SJ1dq74CQNSZYPOFe7rf8nuhupGIFGSwhvtOYA==,iv:viPK9T6MMUcnRDDi7PiJ1oYQJ3S3qmVv6b2m6Tsz9H4=,tag:B6dYki6Qz29eGQ84WZHFcQ==,type:str]
github-webhook-secret: ENC[AES256_GCM,data:KXJurFMX0cG1UDYb+ecvmEnHoN9ojWd4QToZAqwGW080LMZlq89Z221Pk+MYK5h61w==,iv:b7JJi8tqmwdnB8c4iepzGH51iBnj0WRbjYTsPNpt5F4=,tag:/9f7RL+dW7JJjs6CXqqcQw==,type:str]
nix-workers: ENC[AES256_GCM,data:3lkpS+zOOAvdotdVnC4xwgcbqMST/zRuaiDYd4Q3+LK6j/XUAbCJhrAM+0GcrZhrmKWpioIEfWD7YMQQfyXRZ/5Voyo9Q9uSRbazCOSRD88yCTaTKt6zLytYJm+Y6hBgfCBDWyM=,iv:Jwg0QwojQbxiN5bycq1xvEr+3dSijP5zvy9UtLsDyqw=,tag:j3qG+sV97zQKwdTiJ2ZUKw==,type:str]
cachix-auth-token: ENC[AES256_GCM,data:I7AmKu+19oOuos7VvmfmMpOJR8pP/E046Ndy4l30oIJRprH75Zs41h/7k2MTPj41IAdKqPtwUR+cc40eb3z5auoOEPKJZjUWjXYAKOPR7Mn5wampEQ7WR20m7+iLD0DB445hyaPQHd5sYh7OWjl6C7RtqveM5nT9UujJuF7oL4FBQvvw7Ojm78e4zqvo9y1z0s1ewd832+lImPCTR8byrSUIrA==,iv:YwvVELf4/xFsDsrISrDzPaAb9Ogm/0KTV87i6P4YUts=,tag:5s8AqPNcoyTzSW4xvmJslg==,type:str]
cachix-name: ENC[AES256_GCM,data:2AJ6BLlxOVGLTalrMw==,iv:n9PhB6yHcDoHQt0Zk/UeY9gpTqhDTQOHWq/TS3GaalY=,tag:DXu+BvGjMPO3pcMNp8XVwQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY3g4YVJsdVU1TWtrQlpG
VVhjWVptcGJaZHVoV05xQkVOaVdmU3FNTGlBCjZRWXp4NjNncW9FcE5vcnVrVHZm
Q2xmRlJ4RDFBejdDWWsySkpub1ZGQmsKLS0tIG0yMmRtTFhMblpmUVVzaWtWMjRj
ZnBjRStKbnlzQUgwbkpadjVPS1RqNjAKoV+zf1GNzr8K3+849KHZulrWvZKTd1xi
PymU5Yxo7W8H6L6EtlmRvpFhbfGk0oBlWvFdY06jreE5ganofsougw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Q2VqM2tGa3BjSjUvd2xh
WGpHZFFiT3llZ2orVHVxUTFPaURuWEtXL0hZCjNwanl5RFB2dTJXUjR3Ylordkwz
SVlHRDI5V1hnaE90ZUxFb3NmMlhlcDQKLS0tIDVFUldoNC94K25IM0YweE5qQTZG
UERPempUcDQ3R256K2dvdzlaQjFXcDgKB1rd8yZZCtBq+wzOFxn0HRoGHb3bn8Q4
vDeZTW2iqnMq7A4Cnxjh2q3JdqRtbx3hsy1yT6bup/NAV0ijCJagDA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bjBrRW03Y25ZNllnYmxH
ZlUySUt0d0d0K0VWL29DWGtrRnQ4bFlxZDFJClZ3QUxyVGgxLy8rWklHUGwwZ29L
QytzYitLU2FiMnRmU0tNS2R4WUJlTUEKLS0tIGtaK3dJenZPYWhwN2JqNFJxM0x6
cGs4QzdtY0NUekJpemVIbksvZWhhN00K1HM2TnDA4MmM7fWEkH3ZTsT18ijctmx8
zmmDddgPeh7ykFZZte1NZRrdwOrFDQoNWX3J5/NMh6r+JFvcsmfphQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmM3orSC9oUllLMjkxV0hV
cDhQc3BDUHZFWkw0UVpuNEFHRUQ5TVBBd2hrCmJqU3dNam5QYkJyR0ZaWStKQkZJ
RUIwVzVVb0gxWjhncmRZR1Q2WGZ6eXcKLS0tIDBrWitacnY3L3R6dmJDU3M4L0tS
Y1BhaEFEYnorY3hvbXlSVHQ0Y1VvUG8KF/aAnJcFVQpc3AsUC+liR4kCyA21nKLr
6lhfFn63Y6wVNyvL7tWlL47FrYlC9A2XQ+/EesbEU/N6aL4f08wUDQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSFR5U044WE0xNEtmeUt2
M2hlV2prRjY4Z3JydVhIVWNxTWxrSWlTUFNJCjc2SjF6dU9lK24xNUcxZzhrbjBB
VDBFdlowY0JNZmVHd2JGb2hDdXI2b1kKLS0tIFdvdlZHUXcyaHQ5OXBxN1NLYlJo
ZnFnenRIUVFzbmpIYm9uQmhTbVQxZXcK+75G1gYVywrfnP4HaiQZTf+/wpFyG9dk
YQ3Dbv3nDs8QPheae1OiDpBr9HpwpirtcHiApUnxUQ5Sp4a1jKkn0Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0d1V3Rnd5bVRTWC9tcHpV
STRtd2NiWFV5YWhscFhWNW11QS9LTnA1RmhNCkR5eGFRVmVoTFJCRG1TN3FRTEZQ
T0pnZFg2WGN0cVQ3UHhqd014WUtCRE0KLS0tIDVOcGF4ODNrNmdzelRsdm5McnRx
eFVkODlCM2c5bjY2aGE3ZDF4cXNQZFUKY0lMEJvwSnzLAbBk1vi9IurCCil+7Sxm
cNdk6vKJloBX7SwjoThrE6Yx+NrTVpFenzCSqU1b8/DZfjZBU9Disw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-03T13:43:29Z"
mac: ENC[AES256_GCM,data:Gp1yE0nP1ynDC5ZmdD7/hGbGtpyz7NKV4nO5uWsL74n5165o0Yn1U5oMlLs6ua2DrQGQXkQip/0uXIbF4lGfqQEgnjqvRf6VF7WjaRY+U0bP5uF7w6KgyS9U7Cd5rxmNzfbq2/gAqvLvo7bd2waGX/lbGiOEXSavA0UNUCukhgU=,iv:G9YYOBo3cdJqawDqxR4qnjjq3YIfyvOb3q85hnZ/57Q=,tag:8UXmHk3kTVZ1j9h2OwSqLw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,13 @@
{ config, inputs, ... }:
{
imports = [
inputs.buildbot-nix.nixosModules.buildbot-worker
];
sops.secrets.nix-worker-password.sopsFile = ./secrets.yaml;
services.buildbot-nix.worker = {
enable = true;
workerPasswordFile = config.sops.secrets.nix-worker-password.path;
};
}
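Review bot: `nix-worker-password` here and the `nix-workers` secret read by the master module live in two separately encrypted files, and presumably the password must match the worker entry the master loads. A comment on the `sops.secrets.nix-worker-password` line, e.g. `# must match this worker's entry in nix-workers (buildbot-master/secrets.yaml); rotate both together`, would prevent a rotation that updates only one side.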


@ -0,0 +1,66 @@
nix-worker-password: ENC[AES256_GCM,data:xyhJOiM8n6QeXkVX0AVbINwomkrbWQo/o/frsS1YDzO8LuWFJklcML7h6cvQ2TP0veioSQ==,iv:ncjF03HGejeeWVdi0WYcmyvfQqhBvg9POWKA0VYKChM=,tag:hO40gcVi9OTAsrzQqjQz2Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSQi9ScWJFRkZheWtoRW1y
VjJibmVuWWpmS3loS0M1dE9uZjBuQnZTa1NjCmx4ME9WUCtsL0Z3bTEvNEVVSlho
UjJ1YnFDTlRiOVVzWEw5L2ovYWxIM2sKLS0tIDhKcVRnaFl5ZUU0UWZ5VEhYNS9R
ZmxWbm5wUUk2d2wvN2ZlZkVhUXVoKzgKho7Dfk0PyOCkKaDV2O7rNZpDhEd/KhfB
n/mGfIcfAPacSA3GitipaNvZvmwgZ/02hec8zvrKNCH7zA5O9SHAGg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRTUrWVF4S3REWFhWalBz
R21GazlTRk93NnA3QVdDUVd2L3RsK0lSU3pzCm54Q0NtZG0zdzhXZ0tZU2JFQnd5
VExpQUg0aGZXKytZMzJHVkc3N0trclEKLS0tIHRvbWkzTWRrVzVUUFNUT3UxT0ox
MjFTdDFMdEo3Qk1CcnhSN1JKZjNqNVEKCuat4qnUemUijV6i3abvFWRfw44JjoUe
4tUmQoPxNVah/mUlZYk6Ny8gg21YCq6BONo0JLHkoxiQ5UCRSxyVHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZzdQcnNkekJMaW0xb1Vl
bml2SGE3aVg4OW51U2xCM3h2UnBzdlFZdVNNCkdVVCtTL0Z4MGo2V09pQUlUZ3lh
T3B5TkU5WTlyeDJ0aVYveUFiOTU4Z0kKLS0tIFZpc0JRQ2Myc2hzVEs1QWlNaFNB
RS9EL0d0WTQ3bEM0b01PQ1VhWXpKc1EKhP2NSIIdJDvVMT+0E1yVGc5OMxPDaorx
H/JHNI4/FCmdjuVLf8IrFXz8J9c7Uzl9tBz78rsfFXqJdNFYRr57gQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZFMzUEZZaFh5WlBTZjhR
L0RNWFJNUUoyZFVuNFc3VFZXVDZWQmhQdlZJCk1QVHhSdXlwSktZOWNKQjd2OStG
NVlMdzBNbVRpN2V4TDl0RGpnbDNvc1UKLS0tIHd2MC9qYVFYT2RyMHk1WkRiSVdm
a0o3Z1lUbXpmNVNSckg0NlQzdk5sUncKTMVSmlGSKIj1Sbjbai2QTy/ps2eyDWR8
sFroWeQyxIVuhCADYhFvMMk2m1tPfqYGhqpNLHTLD5FzW6nhcAKMbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVU1zMzR5bWt1OTUzejlG
MmtXZ0ZNWElHOEVYeDdWQzFNcERrRHhMN0R3CjJoSlozaWNrMG1sUlJvSWhMN3lC
WGpqNGZpcHNxZmpwM3puZVloblVzOXcKLS0tIHg2QmxpeDk3OE9HK0lWQ1BiOEx6
U1BaZVFXZGhZSkJnZFB2OUs0VStWOW8KoVLv73qIeTyt2Xq+rkHpQ9APgNENaaYX
AdnJmCSLQyituj01/sGZxI5L69J9BP8C+Kxse/53mqwOCJ6YnYYmgA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTByOStOVmVubXZjZ3RM
MjJQdVU3b2tWRVNFL09uSzhnL3RnZTlJalN3CmR1Z0VXcmZwZW9RUzBTT0hReEtR
TkJ3ZGVEVjhpN1lMWE85MktGUWI5bUEKLS0tIDlqUTVwQlJqQkNmWlBFVXdDT09r
dmgzbk1sUExITU5nM3E3Sy9SbmxSclUKf06KTNpWl9kPkGFwPqSEPcUbRcCUVGd9
9aQZhqzi4s13Mn1UjDMvBkjfL9o1bQSFEbQKjQpVcUkdsMzurlAtZw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-29T03:08:31Z"
mac: ENC[AES256_GCM,data:1/1rNQVAu7+sP4I4LbTwFOcBo2p0yKexd+1qz6YtPMtIgmIr61DPCMUSPchnQsP9vzj3qqbdAgqBw9xtDzEDDHdicxFZM9qrNJ+aqUuHVF3KzkyR+qPiC9Bzzb9j/CqSc1zvT4UNZSmGl5xymvO+q+2Sb5rRcC1B3EEC1e1+Klc=,iv:KZdDuTqeY6V5Fjxp8glYRz/iFd5soj5fYCRMTOY/U/c=,tag:PW02PH6PSux8rdNpL31ObA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,6 +1,12 @@
{
services.telegraf.extraConfig.inputs = {
http_response = [
{
urls = [ "https://buildbot.nix-community.org/" ];
response_string_match = "Buildbot Web UI";
tags.host = "build03.nix-community.org";
tags.org = "nix-community";
}
{
urls = [ "https://hydra.nix-community.org/" ];
response_string_match = "hosted on this server";