Merge pull request #400 from antifuchs/despecialize-cachix

Rewrite cachix config as pure nix

Author: Mic92

buildbot_nix/buildbot_nix/__init__.py

@@ -1791,20 +1791,6 @@ def configure(self, config: dict[str, Any]) -> None:
 
         eval_lock = util.MasterLock("nix-eval")
 
-        if self.config.cachix is not None:
-            self.config.post_build_steps.append(
-                models.PostBuildStep(
-                    name="Upload cachix",
-                    environment=self.config.cachix.environment,
-                    command=[
-                        "cachix",
-                        "push",
-                        self.config.cachix.name,
-                        models.Interpolate("result-%(prop:attr)s"),
-                    ],
-                )
-            )
-
         global DB  # noqa: PLW0603
         if DB is None:
             DB = FailedBuildDB(Path("failed_builds.dbm"))

buildbot_nix/buildbot_nix/models.py

@@ -56,42 +56,6 @@ def __init__(self, value: str, **kwargs: Any) -> None:
         super().__init__(nix_type="interpolate", value=value)
 
 
-class CachixConfig(BaseModel):
-    name: str
-
-    signing_key_file: Path | None
-    auth_token_file: Path | None
-
-    @property
-    def signing_key(self) -> str:
-        if self.signing_key_file is None:
-            raise InternalError
-        return read_secret_file(self.signing_key_file)
-
-    @property
-    def auth_token(self) -> str:
-        if self.auth_token_file is None:
-            raise InternalError
-        return read_secret_file(self.auth_token_file)
-
-    # TODO why did the original implementation return an empty env if both files were missing?
-    @property
-    def environment(self) -> Mapping[str, str | Interpolate]:
-        environment = {}
-        if self.signing_key_file is not None:
-            environment["CACHIX_SIGNING_KEY"] = Interpolate(
-                f"%(secret:{self.signing_key_file})s"
-            )
-        if self.auth_token_file is not None:
-            environment["CACHIX_AUTH_TOKEN"] = Interpolate(
-                f"%(secret:{self.auth_token_file})s"
-            )
-        return environment
-
-    class Config:
-        fields = exclude_fields(["signing_key", "auth_token"])
-
-
 class GiteaConfig(BaseModel):
     instance_url: str
     topic: str | None
@@ -297,7 +261,6 @@ class WorkerConfig(BaseModel):
 class BuildbotNixConfig(BaseModel):
     db_url: str
     auth_backend: AuthBackendConfig
-    cachix: CachixConfig | None
     gitea: GiteaConfig | None
     github: GitHubConfig | None
     pull_based: PullBasedConfig | None

flake.nix

@@ -76,12 +76,7 @@
             in
             examplesFor "x86_64-linux" // examplesFor "aarch64-linux";
 
-          lib = {
-            interpolate = value: {
-              _type = "interpolate";
-              inherit value;
-            };
-          };
+          lib = import ./nix/lib.nix;
         };
         perSystem =
           {

nix/cachix.nix

@@ -0,0 +1,135 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  cfg = config.services.buildbot-nix.master;
+  bb-lib = import ./lib.nix;
+in
+{
+  options.services.buildbot-nix.master.cachix = {
+    enable = lib.mkEnableOption "Enable Cachix integration";
+
+    name = lib.mkOption {
+      type = lib.types.str;
+      description = "Cachix name";
+    };
+
+    auth = lib.mkOption {
+      type = lib.types.attrTag {
+        signingKey = lib.mkOption {
+          description = ''
+            Use a signing key to authenticate with Cachix.
+          '';
+
+          type = lib.types.submodule {
+            options.file = lib.mkOption {
+              type = lib.types.path;
+              description = ''
+                Path to a file containing the signing key.
+              '';
+            };
+          };
+        };
+
+        authToken = lib.mkOption {
+          description = ''
+            Use an authentication token to authenticate with Cachix.
+          '';
+
+          type = lib.types.submodule {
+            options.file = lib.mkOption {
+              type = lib.types.path;
+              description = ''
+                Path to a file containing the authentication token.
+              '';
+            };
+          };
+        };
+      };
+    };
+
+    signingKeyFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      visible = false;
+      description = "Cachix signing key";
+    };
+
+    authTokenFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      visible = false;
+      description = "Cachix auth token";
+    };
+  };
+
+  config = lib.mkIf cfg.cachix.enable {
+    services.buildbot-nix.master.cachix.auth =
+      lib.mkIf (cfg.cachix.authTokenFile != null || cfg.cachix.signingKeyFile != null)
+        (
+          if (cfg.cachix.authTokenFile != null) then
+            lib.warn
+              "Obsolete option `services.buildbot-nix.master.cachix.authTokenFile' is used. It was renamed to `services.buildbot-nix.master.cachix.auth.authToken.file'."
+              { authToken.file = cfg.cachix.authTokenFile; }
+          else if (cfg.cachix.signingKeyFile != null) then
+            lib.warn
+              "Obsolete option `services.buildbot-nix.master.cachix.signingKeyFile' is used. It was renamed to `services.buildbot-nix.master.cachix.auth.signingKey.file'."
+              { signingKey.file = cfg.cachix.signingKeyFile; }
+          else
+            throw "Impossible, guarded by mkIf."
+        );
+
+    assertions = [
+      {
+        assertion =
+          let
+            isNull = x: x == null;
+          in
+          isNull cfg.cachix.authTokenFile && isNull cfg.cachix.signingKeyFile
+          || isNull cfg.cachix.authTokenFile && cfg.cachix.enable
+          || isNull cfg.cachix.signingKeyFile && cfg.cachix.enable;
+        message = ''
+          The semantics of `options.services.buildbot-nix.master.cachix` recently changed
+            slightly, the option `name` is no longer null-able. To enable Cachix support
+            use `services.buildbot-nix.master.cachix.enable = true`.
+
+            Furthermore, the options `services.buildbot-nix.master.cachix.authTokenFile` and
+            `services.buildbot-nix.master.cachix.signingKeyFile` were renamed to
+            `services.buildbot-nix.master.cachix.auth.authToken.file` and
+            `services.buildbot-nix.master.cachix.auth.signingKey.file` respectively.
+        '';
+      }
+    ];
+
+    systemd.services.buildbot-master.serviceConfig.LoadCredential =
+      lib.optional (
+        cfg.cachix.auth ? "signingKey"
+      ) "cachix-signing-key:${builtins.toString cfg.cachix.auth.signingKey.file}"
+      ++ lib.optional (
+        cfg.cachix.auth ? "authToken"
+      ) "cachix-auth-token:${builtins.toString cfg.cachix.auth.authToken.file}";
+
+    services.buildbot-nix.master.postBuildSteps = [
+      {
+        name = "Upload cachix";
+        environment = lib.mkMerge [
+          (lib.optionalAttrs (cfg.cachix.auth ? "signingKey") {
+            CACHIX_SIGNING_KEY = bb-lib.interpolate "%(secret:cachix-signing-key)s";
+          })
+          (lib.optionalAttrs (cfg.cachix.auth ? "authToken") {
+            CACHIX_AUTH_TOKEN = bb-lib.interpolate "%(secret:cachix-auth-token)s";
+          })
+        ];
+        command = [
+          "cachix" # note that this is the cachix from the worker's $PATH
+          "push"
+          cfg.cachix.name
+          (bb-lib.interpolate "result-%(prop:attr)s")
+        ];
+      }
+    ];
+  };
+}

nix/lib.nix

@@ -0,0 +1,6 @@
+{
+  interpolate = value: {
+    _type = "interpolate";
+    inherit value;
+  };
+}