feat(buildbot-nix-0): configure postBuildSteps to sign and upload to …

…holo's cache
holochain · Oct 31, 2024 · 2bfab86 · 2bfab86
1 parent a83bcbb
commit 2bfab86
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 28 deletions.
diff --git a/modules/flake-parts/nixosConfigurations.buildbot-nix-0/configuration.nix b/modules/flake-parts/nixosConfigurations.buildbot-nix-0/configuration.nix
@@ -47,6 +47,12 @@
       oauthId = "Iv23liqmAiBw8ab9EF61";
       topic = "holo-chain-buildbot-nix-0";
     };
+
+    buildbot-secrets = {
+      # NOTE: for security reasons this secret is kept out of the public repo
+      "cacheHoloHost2secret" = "/var/lib/secrets/cache.holo.host-2/secret";
+      "awsSharedCredentialsFile" = config.sops.secrets.holo-host-aws-shared-credentials.path;
+    };
   };
 
   networking = {
@@ -194,6 +200,9 @@
   sops.secrets.buildbot-nix-workers = { };
   # sops.secrets.cachix-auth-token = {};
 
+  systemd.services.buildbot-master.serviceConfig.LoadCredential = builtins.map (
+    kv: "${kv.name}:${kv.value}"
+  ) (lib.attrsets.attrsToList config.passthru.buildbot-secrets);
   services.buildbot-nix.master = {
     enable = true;
     admins = [
@@ -230,10 +239,9 @@
       inherit (config.passthru.buildbot-nix) oauthId topic;
     };
 
-    postBuildSteps = [
-      {
-        name = "post-build-step-test";
-        environment =
+    postBuildSteps =
+      let
+        commonEnvironment =
           let
             props = lib.attrsets.genAttrs [
               "attr"
@@ -267,27 +275,37 @@
             props' = lib.attrsets.mapAttrs' (name: value: lib.nameValuePair "PROP_${name}" value) props;
           in
           props';
-        command = [
-          (builtins.toString (
-            pkgs.writeShellScript "post-buld-step-test-script" ''
-              set -eEu -o pipefail
-
-              echo Running example postBuildStep...
-
-              echo args: "$@"
-              env
-              pwd
-              ls -lha
-              ls -lha ..
-              ls -lha ../..
-
-              echo Done.
-            ''
-          ))
-        ];
-      }
 
-    ];
+      in
+      [
+        {
+          /*
+            TODO(observe): verify any of these aren't required
+
+            ```nix
+            binary_cache_public_uri = https://cache.holo.host
+            log_prefix = https://cache.holo.host/
+            server_store_uri = https://cache.holo.host?local-nar-cache=/var/cache/hydra/nar-cache
+            upload_logs_to_binary_cache = true
+            ```
+          */
+          name = "sign-and-upload";
+          environment =
+            commonEnvironment
+            # verified with
+            # nix-repl> (builtins.elemAt nixosConfigurations.buildbot-nix-0.config.services.buildbot-nix.master.postBuildSteps 1).environment
+            // builtins.listToAttrs (
+              builtins.map (
+                name:
+                lib.attrsets.nameValuePair "SECRET_${name}" (
+                  self.inputs.buildbot-nix.lib.interpolate "%(secret:${name})s"
+                )
+              ) (builtins.attrNames config.passthru.buildbot-secrets)
+            );
+          command = [ (lib.getExe' self.packages.${pkgs.system}.postbuildstepper "postbuildstepper") ];
+        }
+
+      ];
   };
 
   # magic_rb:
@@ -307,6 +325,8 @@
   ];
 
   sops.secrets.holo-host-github-environment-secrets = { };
-  systemd.services.nix-daemon.serviceConfig.EnvironmentFile =
-    config.sops.secrets.holo-host-github-environment-secrets.path;
+  sops.secrets.holo-host-aws-shared-credentials = { };
+  systemd.services.nix-daemon.serviceConfig = {
+    EnvironmentFile = [ config.sops.secrets.holo-host-github-environment-secrets.path ];
+  };
 }
diff --git a/secrets/buildbot-nix-0/secrets.yaml b/secrets/buildbot-nix-0/secrets.yaml
@@ -20,6 +20,7 @@ buildbot-github-webhook-secret: ENC[AES256_GCM,data:uGBf61+hqBwRzbXhdzaJqR23smFB
 buildbot-nix-workers: ENC[AES256_GCM,data:PfYOhXRZDjBl5pmZjTXr1a4fM5Fxqcnb3t9kdk37dmGMx7dqho7ke2546PiRJQSoJBZAe6jjxTgxI5UmU1VErItc0oJT3xSNDpuD8QqVuSQTZ+guAU4idRR6Hg==,iv:VA1NAGmsXC12XomWuIy1C9POPYFktJC9g5KsETFVVvM=,tag:XsUCniGlUg7IlJtSUkUmWw==,type:str]
 buildbot-nix-worker-password: ENC[AES256_GCM,data:96s+7HzGRAznb/3757jS+JnOXBI2yapm5FNgyferFs4=,iv:7cnQMrmGD0bhz9NWnM5n8G0WbhPfYo8g0usdd2IFRiA=,tag:FPHTk0Om17L1C4GzcK2hjQ==,type:str]
 holo-host-github-environment-secrets: ENC[AES256_GCM,data:q+CD/hSJEYFYoUcoR/6uCUvRRUNwIEAnMlNknX6KhXwhMm043cDfscQ0W5cKWy1SPxq9HLY7YsDXTMwSTT1wpEL+Ai9PfYKUkC81mLJUrf8RMN7ydYUkKMO5TzAk/c8izmHyocqbWPsYHkLUK8Nr,iv:nA7PTg3Nq/sF2nanzPg7+dqpcEZmSrT02f7L1qdd66Q=,tag:RWSu/GgCO0pOY4LQOj/UQQ==,type:str]
+holo-host-aws-shared-credentials: ENC[AES256_GCM,data:RCoLA7oYGersXqIZtehqCdWCFI9D2drY5OqSg9SCqkeFP7xbTw1t2pge6vFktZ0PWr84n96h52jY4t7M4hWNYiEb6czrL7zF8cacOlL335HRiDLacv4IS2Lk00AEvEP9mmE2OhHXJ/2c6ZN17OuVR+Pp4nSscStwciM866U9t5+OKehzzLw=,iv:/E8Qeo5VD20JteihvZgR057rCArudSUt2+gdAx4Eq4c=,tag:7MF9eNozQjvfNdEzu4vL0Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -44,8 +45,8 @@ sops:
             RU8yUUhwcmFpTmlRQzVHcmJRUVhNZWcKDNgiTWktwmVLKvrYhm7OUNgTQa1y+Bdc
             N4N+lnkn657Ji21zr1X9kDsvJoXASZXj2qkwuHzIpJgz3SMri0F2Ow==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-27T16:57:12Z"
-    mac: ENC[AES256_GCM,data:Na0PsD2oaNWK/VhlpyYEoORm3j6/g8fVyPNeViDdpREctQwcJ2mw5dHVi4yGOzoQBW6FnClW/xnO1G3ugXiFErBqDOeLuDWHOfyquI8gMgeMchYRhNTR83WKygOEE8rM5QAcmjFrGS0qfJ9hjAa016iImWEeXqvYyZr5v41AjAA=,iv:ge/xyUO14F4KIgqW8dQqWXOpSNMyggbJxfvZFJd4qWI=,tag:ZlNaFn6lav4zFfgfShi7ag==,type:str]
+    lastmodified: "2024-10-19T18:04:25Z"
+    mac: ENC[AES256_GCM,data:AaGps5HfEOgOruIwm1UbaMUdusA0Y8SpIAhaAuRtfbCOOisQGUQYuWkKIw9Fqm5A97lJcqrKEkYg1rI6aRXUYg070gNYNT13YgeAnD2ZqZZnHY1izm2iO0bOJK6tBA4pHYdcpe+NnSYkAF7FgbiJkpTHHBD9luI1eHkWM+x9pXg=,iv:u8fZOJLR7LnkxHAw6mYmY1pMEXkP5+rzjG+uMvkhSik=,tag:5aduXpzBCiRYpwodgCXGcg==,type:str]
     pgp:
         - created_at: "2024-10-07T16:27:41Z"
           enc: |-