From 2bfab86bc1ce0ad704af475ff4561cf82d925395 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 31 Oct 2024 13:27:40 +0100 Subject: [PATCH] feat(buildbot-nix-0): configure postBuildSteps to sign and upload to holo's cache --- .../configuration.nix | 72 ++++++++++++------- secrets/buildbot-nix-0/secrets.yaml | 5 +- 2 files changed, 49 insertions(+), 28 deletions(-) diff --git a/modules/flake-parts/nixosConfigurations.buildbot-nix-0/configuration.nix b/modules/flake-parts/nixosConfigurations.buildbot-nix-0/configuration.nix index 7fef28b..829f9aa 100644 --- a/modules/flake-parts/nixosConfigurations.buildbot-nix-0/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.buildbot-nix-0/configuration.nix @@ -47,6 +47,12 @@ oauthId = "Iv23liqmAiBw8ab9EF61"; topic = "holo-chain-buildbot-nix-0"; }; + + buildbot-secrets = { + # NOTE: for security reasons this secret is kept out of the public repo + "cacheHoloHost2secret" = "/var/lib/secrets/cache.holo.host-2/secret"; + "awsSharedCredentialsFile" = config.sops.secrets.holo-host-aws-shared-credentials.path; + }; }; networking = { @@ -194,6 +200,9 @@ sops.secrets.buildbot-nix-workers = { }; # sops.secrets.cachix-auth-token = {}; + systemd.services.buildbot-master.serviceConfig.LoadCredential = builtins.map ( + kv: "${kv.name}:${kv.value}" + ) (lib.attrsets.attrsToList config.passthru.buildbot-secrets); services.buildbot-nix.master = { enable = true; admins = [ @@ -230,10 +239,9 @@ inherit (config.passthru.buildbot-nix) oauthId topic; }; - postBuildSteps = [ - { - name = "post-build-step-test"; - environment = + postBuildSteps = + let + commonEnvironment = let props = lib.attrsets.genAttrs [ "attr" 
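Review bot: `cacheHoloHost2secret` is a bare path, `/var/lib/secrets/cache.holo.host-2/secret`, that no visible hunk declares, whereas the AWS credentials right next to it go through `config.sops.secrets.…path`; the signing key therefore has no declared owner, mode or presence guarantee in this configuration, and the `LoadCredential` added in the following hunk will presumably fail the buildbot-master unit at start if the file is absent. Consider declaring it as a sops secret the same way `holo-host-aws-shared-credentials` is and referencing its `.path`, or at least extend the NOTE so the out-of-band provisioning is explicit, e.g. `# NOTE: provisioned out of band; must exist root-owned and not group/world readable before buildbot-master starts`. The `passthru` attrset this hunk extends begins outside the hunk.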
@@ -267,27 +275,37 @@ props' = lib.attrsets.mapAttrs' (name: value: lib.nameValuePair "PROP_${name}" value) props; in props'; - command = [ - (builtins.toString ( - pkgs.writeShellScript "post-buld-step-test-script" '' - set -eEu -o pipefail - - echo Running example postBuildStep... - - echo args: "$@" - env - pwd - ls -lha - ls -lha .. - ls -lha ../.. - - echo Done. - '' - )) - ]; - } - ]; + in + [ + { + /* + TODO(observe): verify any of these aren't required + + ```nix + binary_cache_public_uri = https://cache.holo.host + log_prefix = https://cache.holo.host/ + server_store_uri = https://cache.holo.host?local-nar-cache=/var/cache/hydra/nar-cache + upload_logs_to_binary_cache = true + ``` + */ + name = "sign-and-upload"; + environment = + commonEnvironment + # verified with + # nix-repl> (builtins.elemAt nixosConfigurations.buildbot-nix-0.config.services.buildbot-nix.master.postBuildSteps 1).environment + // builtins.listToAttrs ( + builtins.map ( + name: + lib.attrsets.nameValuePair "SECRET_${name}" ( + self.inputs.buildbot-nix.lib.interpolate "%(secret:${name})s" + ) + ) (builtins.attrNames config.passthru.buildbot-secrets) + ); + command = [ (lib.getExe' self.packages.${pkgs.system}.postbuildstepper "postbuildstepper") ]; + } + + ]; }; # magic_rb: @@ -307,6 +325,8 @@ ]; sops.secrets.holo-host-github-environment-secrets = { }; - systemd.services.nix-daemon.serviceConfig.EnvironmentFile = - config.sops.secrets.holo-host-github-environment-secrets.path; + sops.secrets.holo-host-aws-shared-credentials = { }; + systemd.services.nix-daemon.serviceConfig = { + EnvironmentFile = [ config.sops.secrets.holo-host-github-environment-secrets.path ]; + }; } diff --git a/secrets/buildbot-nix-0/secrets.yaml b/secrets/buildbot-nix-0/secrets.yaml index 247769d..d37af2e 100644 --- a/secrets/buildbot-nix-0/secrets.yaml +++ b/secrets/buildbot-nix-0/secrets.yaml 
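Review bot: The new `environment` wires the credential contents, not their paths, into the step: `%(secret:cacheHoloHost2secret)s` and `%(secret:awsSharedCredentialsFile)s` resolve to what `LoadCredential` loaded, so the cache signing key and the AWS credentials are exported as `SECRET_*` environment variables to `postbuildstepper` and to every process it spawns, where they are readable via `/proc/<pid>/environ` by same-user processes and easily end up in crash reports or any debug `env` call (the removed test step did exactly that). If `postbuildstepper` can read files, prefer handing it paths; otherwise record the constraint next to the binding, `# SECRET_* carry key material: never log, dump or forward the environment`. The `# verified with nix-repl> … elemAt … 1` comment indexes a second element while this list defines one; presumably another module contributes a step, but the comment should say so or use index 0. The enclosing `postBuildSteps` binding begins in the previous hunk.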
@@ -20,6 +20,7 @@ buildbot-github-webhook-secret: ENC[AES256_GCM,data:uGBf61+hqBwRzbXhdzaJqR23smFB
 buildbot-nix-workers: ENC[AES256_GCM,data:PfYOhXRZDjBl5pmZjTXr1a4fM5Fxqcnb3t9kdk37dmGMx7dqho7ke2546PiRJQSoJBZAe6jjxTgxI5UmU1VErItc0oJT3xSNDpuD8QqVuSQTZ+guAU4idRR6Hg==,iv:VA1NAGmsXC12XomWuIy1C9POPYFktJC9g5KsETFVVvM=,tag:XsUCniGlUg7IlJtSUkUmWw==,type:str]
 buildbot-nix-worker-password: ENC[AES256_GCM,data:96s+7HzGRAznb/3757jS+JnOXBI2yapm5FNgyferFs4=,iv:7cnQMrmGD0bhz9NWnM5n8G0WbhPfYo8g0usdd2IFRiA=,tag:FPHTk0Om17L1C4GzcK2hjQ==,type:str]
 holo-host-github-environment-secrets: ENC[AES256_GCM,data:q+CD/hSJEYFYoUcoR/6uCUvRRUNwIEAnMlNknX6KhXwhMm043cDfscQ0W5cKWy1SPxq9HLY7YsDXTMwSTT1wpEL+Ai9PfYKUkC81mLJUrf8RMN7ydYUkKMO5TzAk/c8izmHyocqbWPsYHkLUK8Nr,iv:nA7PTg3Nq/sF2nanzPg7+dqpcEZmSrT02f7L1qdd66Q=,tag:RWSu/GgCO0pOY4LQOj/UQQ==,type:str]
+holo-host-aws-shared-credentials: ENC[AES256_GCM,data:RCoLA7oYGersXqIZtehqCdWCFI9D2drY5OqSg9SCqkeFP7xbTw1t2pge6vFktZ0PWr84n96h52jY4t7M4hWNYiEb6czrL7zF8cacOlL335HRiDLacv4IS2Lk00AEvEP9mmE2OhHXJ/2c6ZN17OuVR+Pp4nSscStwciM866U9t5+OKehzzLw=,iv:/E8Qeo5VD20JteihvZgR057rCArudSUt2+gdAx4Eq4c=,tag:7MF9eNozQjvfNdEzu4vL0Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -44,8 +45,8 @@ sops:
             RU8yUUhwcmFpTmlRQzVHcmJRUVhNZWcKDNgiTWktwmVLKvrYhm7OUNgTQa1y+Bdc
             N4N+lnkn657Ji21zr1X9kDsvJoXASZXj2qkwuHzIpJgz3SMri0F2Ow==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-27T16:57:12Z"
-    mac: ENC[AES256_GCM,data:Na0PsD2oaNWK/VhlpyYEoORm3j6/g8fVyPNeViDdpREctQwcJ2mw5dHVi4yGOzoQBW6FnClW/xnO1G3ugXiFErBqDOeLuDWHOfyquI8gMgeMchYRhNTR83WKygOEE8rM5QAcmjFrGS0qfJ9hjAa016iImWEeXqvYyZr5v41AjAA=,iv:ge/xyUO14F4KIgqW8dQqWXOpSNMyggbJxfvZFJd4qWI=,tag:ZlNaFn6lav4zFfgfShi7ag==,type:str]
+    lastmodified: "2024-10-19T18:04:25Z"
+    mac: ENC[AES256_GCM,data:AaGps5HfEOgOruIwm1UbaMUdusA0Y8SpIAhaAuRtfbCOOisQGUQYuWkKIw9Fqm5A97lJcqrKEkYg1rI6aRXUYg070gNYNT13YgeAnD2ZqZZnHY1izm2iO0bOJK6tBA4pHYdcpe+NnSYkAF7FgbiJkpTHHBD9luI1eHkWM+x9pXg=,iv:u8fZOJLR7LnkxHAw6mYmY1pMEXkP5+rzjG+uMvkhSik=,tag:5aduXpzBCiRYpwodgCXGcg==,type:str]
     pgp:
         - created_at: "2024-10-07T16:27:41Z"
           enc: |-