From 8c6b1c3eaaa8b555bddaced3ab6f02695bef1541 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sun, 19 Jan 2020 21:19:35 +0100
Subject: [PATCH 1/5] nixos/buildkite-agent: add "user" option

This allows buildkite-agent to run as another user. It'll still run builds from /var/lib/buildkite-agent and setup things in there.
---
 .../buildkite-agent.nix | 29 +++++++++++++------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index 3c9c92bf0527..49160b43c619 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -29,6 +29,8 @@ let
     ${concatStringsSep "\n" (mapAttrsToList mkHookEntry (filterAttrs (n: v: v != null) cfg.hooks))}
   '';
 
+  defaultUser = "buildkite-agent";
+
 in
 
 {
@@ -56,6 +58,15 @@ in
         type = types.listOf types.package;
       };
 
+      user = mkOption {
+        type = types.str;
+        default = defaultUser;
+        description = ''
+          Set this option when you want to run the buildkite agent as something else
+          than the default user "buildkite-agent".
+        '';
+      };
+
       tokenPath = mkOption {
         type = types.path;
         description = ''
@@ -185,14 +196,14 @@ in
     };
 
   config = mkIf config.services.buildkite-agent.enable {
-    users.users.buildkite-agent =
-      { name = "buildkite-agent";
-        home = cfg.dataDir;
-        createHome = true;
-        description = "Buildkite agent user";
-        extraGroups = [ "keys" ];
-        isSystemUser = true;
-      };
+    users.users.buildkite-agent = mkIf (cfg.user == defaultUser) {
+      name = "buildkite-agent";
+      home = cfg.dataDir;
+      createHome = true;
+      description = "Buildkite agent user";
+      extraGroups = [ "keys" ];
+      isSystemUser = true;
+    };
 
     environment.systemPackages = [ cfg.package ];
 
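Review bot: When `cfg.user` is anything other than `defaultUser`, the `mkIf` wrapped around `users.users.buildkite-agent` drops the whole user definition, yet the unit keeps running from `cfg.dataDir` and, judging by the preStart hunks later in this series, still writes the SSH key and config there; nothing in this patch creates or chowns `cfg.dataDir` for a custom user, nor gives it the `keys` group membership the default user gets via `extraGroups`, so preStart will most likely fail on the mkdir/cp or the agent will be unable to read its secrets. At minimum the option added in the second hunk should state the contract, e.g. extend its description with `The user must already exist, own the dataDir and be able to read tokenPath and privateSshKeyPath (the default user is put in the "keys" group for this).` Alternatively keep the user resource and parameterise it on `cfg.user` instead of removing it, so home creation and group membership survive a rename. The `config` attribute set continues past the end of this hunk.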
@@ -230,7 +241,7 @@ in
         serviceConfig = { ExecStart = "${cfg.package}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg";
-          User = "buildkite-agent";
+          User = cfg.user;
           RestartSec = 5;
           Restart = "on-failure";
           TimeoutSec = 10;

From 7838f0082491e1835221419b3adba0467a4446ce Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sun, 19 Jan 2020 21:48:59 +0100
Subject: [PATCH 2/5] nixos/buildkite: stop using deprecated option

---
 .../services/continuous-integration/buildkite-agent.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index 49160b43c619..aa717c466ee6 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -225,8 +225,8 @@ in
           in
             ''
             mkdir -m 0700 -p "${sshDir}"
-            cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"
-            chmod 600 "${sshDir}"/id_rsa*
+            cp -f "${toString cfg.privateSshKeyPath}" "${sshDir}/id_rsa"
+            chmod 600 "${sshDir}"/id_rsa
 
             cat > "${cfg.dataDir}/buildkite-agent.cfg" <
Date: Sun, 19 Jan 2020 21:49:19 +0100
Subject: [PATCH 3/5] nixos/buildkite-agent: add gnutar, gzip and git to runtimePackages

These are required for nix to do builtins.fetchTarball and builtins.fetchGit, so most likely we want them to be around.
---
 .../services/continuous-integration/buildkite-agent.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index aa717c466ee6..66f04b0a424b 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -52,8 +52,8 @@ in
       };
 
       runtimePackages = mkOption {
-        default = [ pkgs.bash pkgs.nix ];
-        defaultText = "[ pkgs.bash pkgs.nix ]";
+        default = [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ];
+        defaultText = "[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]";
         description = "Add programs to the buildkite-agent environment";
         type = types.listOf types.package;
       };

From a208e6eb994b997542528371ffa483c7deda98fe Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sun, 19 Jan 2020 21:50:52 +0100
Subject: [PATCH 4/5] nixosTests.buildkite: add test

---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/buildkite-agent.nix | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 nixos/tests/buildkite-agent.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ceeab2c21d92..eb69457fb7e9 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -33,6 +33,7 @@ in
   bind = handleTest ./bind.nix {};
   bittorrent = handleTest ./bittorrent.nix {};
   #blivet = handleTest ./blivet.nix {}; # broken since 2017-07024
+  buildkite-agent = handleTest ./buildkite-agent.nix {};
   boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64
   boot-stage1 = handleTest ./boot-stage1.nix {};
   borgbackup = handleTest ./borgbackup.nix {};
diff --git a/nixos/tests/buildkite-agent.nix b/nixos/tests/buildkite-agent.nix
new file mode 100644
index 000000000000..042ce389eb8a
--- /dev/null
+++ b/nixos/tests/buildkite-agent.nix
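Review bot: The new `buildkite-agent = handleTest ./buildkite-agent.nix {};` line in all-tests.nix is inserted between `#blivet` and `boot`, which breaks the alphabetical ordering of this attribute set (`bu` sorts after `bo`). Move it below `borgbackup`, after whatever other `bo…`/`bu…` entries follow it outside this hunk, so the list stays sorted and the next person adding a test can find the right slot.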
@@ -0,0 +1,23 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+
+{
+  name = "buildkite-agent";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ flokli ];
+  };
+
+  machine = { pkgs, ... }: {
+    services.buildkite-agent = {
+      enable = true;
+      privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey;
+      tokenPath = (pkgs.writeText "my-token" "5678");
+    };
+  };
+
+  testScript = ''
+    # we can't wait on the unit to start up, as we obviously can't connect to buildkite,
+    # but we can look whether files are set up correctly
+    machine.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
+    machine.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa")
+  '';
+})

From 4b73d3c4441601c8e42063031c6bb0eaa0fec67e Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Mon, 20 Jan 2020 10:28:47 +0100
Subject: [PATCH 5/5] nixos/buildkite: make privateSshKeyPath optional

When only cloning public repos, or when the ssh key is provided by different means, we don't need to manage it here.
---
 .../services/continuous-integration/buildkite-agent.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index 66f04b0a424b..418a7bc1a468 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -104,7 +104,8 @@ in
       };
 
       privateSshKeyPath = mkOption {
-        type = types.path;
+        type = types.nullOr types.path;
+        default = null;
         ## maximum care is taken so that secrets (ssh keys and the CI token)
         ## don't end up in the Nix store.
         apply = final: if final == null then null else toString final;
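Review bot: The new `testScript` only waits for the two files to exist; it never checks the properties the preStart script is there to guarantee, namely that `.ssh` is mode 0700, `id_rsa` is mode 0600, and both are owned by the agent user, nor that the secret from `tokenPath` actually reached `buildkite-agent.cfg`. Two lines would cover the permission side: `machine.succeed("stat -c '%a %U' /var/lib/buildkite-agent/.ssh | grep -qx '700 buildkite-agent'")` and `machine.succeed("stat -c '%a %U' /var/lib/buildkite-agent/.ssh/id_rsa | grep -qx '600 buildkite-agent'")`. The `user` option introduced in the first patch of the series has no coverage at all; a second node setting it to a non-default name would exercise the `mkIf` path. `tokenPath = (pkgs.writeText "my-token" "5678")` places the token in the Nix store, which is acceptable for a fixture but deserves a `# test fixture only: real tokens must not go through writeText` comment so it is not copied into a production configuration.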
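Review bot: The `privateSshKeyPath` hunk changes the option's contract by allowing `null`, but it only touches `type` and `default`; the option's `description`, further down in the same `mkOption` and outside this hunk, should say what `null` means, e.g. `When null, no key is installed into the agent's .ssh directory and any SSH access the agent needs has to be provided by other means.` The pre-existing `apply = final: if final == null then null else toString final;` already tolerated `null`, so the new default is consistent with the earlier intent and needs no further change. The `mkOption` block continues past the end of this hunk.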
@@ -223,11 +224,11 @@ in
             sshDir = "${cfg.dataDir}/.ssh";
             tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags);
           in
-            ''
+            optionalString (cfg.privateSshKeyPath != null) ''
             mkdir -m 0700 -p "${sshDir}"
             cp -f "${toString cfg.privateSshKeyPath}" "${sshDir}/id_rsa"
             chmod 600 "${sshDir}"/id_rsa
-
+            '' + ''
             cat > "${cfg.dataDir}/buildkite-agent.cfg" <