Refactor cachix config into a postBuildStep

It's not necessary to keep the cachix configuration as a special python module key. As the config gets translated into a post_build_step in python, we can just as easily do that in nix, and reduce the layers of indirection that somebody (say, somebody adding a new caching system) has to look through.

Author: antifuchs

buildbot_nix/buildbot_nix/__init__.py

@@ -1791,20 +1791,6 @@ def configure(self, config: dict[str, Any]) -> None:
 
         eval_lock = util.MasterLock("nix-eval")
 
-        if self.config.cachix is not None:
-            self.config.post_build_steps.append(
-                models.PostBuildStep(
-                    name="Upload cachix",
-                    environment=self.config.cachix.environment,
-                    command=[
-                        "cachix",
-                        "push",
-                        self.config.cachix.name,
-                        models.Interpolate("result-%(prop:attr)s"),
-                    ],
-                )
-            )
-
         global DB  # noqa: PLW0603
         if DB is None:
             DB = FailedBuildDB(Path("failed_builds.dbm"))

buildbot_nix/buildbot_nix/models.py

@@ -56,42 +56,6 @@ def __init__(self, value: str, **kwargs: Any) -> None:
         super().__init__(nix_type="interpolate", value=value)
 
 
-class CachixConfig(BaseModel):
-    name: str
-
-    signing_key_file: Path | None
-    auth_token_file: Path | None
-
-    @property
-    def signing_key(self) -> str:
-        if self.signing_key_file is None:
-            raise InternalError
-        return read_secret_file(self.signing_key_file)
-
-    @property
-    def auth_token(self) -> str:
-        if self.auth_token_file is None:
-            raise InternalError
-        return read_secret_file(self.auth_token_file)
-
-    # TODO why did the original implementation return an empty env if both files were missing?
-    @property
-    def environment(self) -> Mapping[str, str | Interpolate]:
-        environment = {}
-        if self.signing_key_file is not None:
-            environment["CACHIX_SIGNING_KEY"] = Interpolate(
-                f"%(secret:{self.signing_key_file})s"
-            )
-        if self.auth_token_file is not None:
-            environment["CACHIX_AUTH_TOKEN"] = Interpolate(
-                f"%(secret:{self.auth_token_file})s"
-            )
-        return environment
-
-    class Config:
-        fields = exclude_fields(["signing_key", "auth_token"])
-
-
 class GiteaConfig(BaseModel):
     instance_url: str
     topic: str | None
@@ -297,7 +261,6 @@ class WorkerConfig(BaseModel):
 class BuildbotNixConfig(BaseModel):
     db_url: str
     auth_backend: AuthBackendConfig
-    cachix: CachixConfig | None
     gitea: GiteaConfig | None
     github: GitHubConfig | None
     pull_based: PullBasedConfig | None

nix/master.nix

@@ -8,6 +8,7 @@ let
   cfg = config.services.buildbot-nix.master;
   inherit (config.services.buildbot-nix) packages;
   inherit (lib) mkRemovedOptionModule mkRenamedOptionModule;
+  bb-lib = import ./lib.nix;
 
   interpolateType = lib.mkOptionType {
     name = "interpolate";
@@ -685,41 +686,7 @@ in
         isSystemUser = true;
       };
 
-      services.buildbot-nix.master.cachix.auth =
-        lib.mkIf (cfg.cachix.authTokenFile != null || cfg.cachix.signingKeyFile != null)
-          (
-            if (cfg.cachix.authTokenFile != null) then
-              lib.warn
-                "Obsolete option `services.buildbot-nix.master.cachix.authTokenFile' is used. It was renamed to `services.buildbot-nix.master.cachix.auth.authToken.file'."
-                { authToken.file = cfg.cachix.authTokenFile; }
-            else if (cfg.cachix.signingKeyFile != null) then
-              lib.warn
-                "Obsolete option `services.buildbot-nix.master.cachix.signingKeyFile' is used. It was renamed to `services.buildbot-nix.master.cachix.auth.signingKey.file'."
-                { signingKey.file = cfg.cachix.signingKeyFile; }
-            else
-              throw "Impossible, guarded by mkIf."
-          );
-
       assertions = [
-        {
-          assertion =
-            let
-              isNull = x: x == null;
-            in
-            isNull cfg.cachix.authTokenFile && isNull cfg.cachix.signingKeyFile
-            || isNull cfg.cachix.authTokenFile && cfg.cachix.enable
-            || isNull cfg.cachix.signingKeyFile && cfg.cachix.enable;
-          message = ''
-            The semantics of `options.services.buildbot-nix.master.cachix` recently changed
-            slightly, the option `name` is no longer null-able. To enable Cachix support
-            use `services.buildbot-nix.master.cachix.enable = true`.
-
-            Furthermore, the options `services.buildbot-nix.master.cachix.authTokenFile` and
-            `services.buildbot-nix.master.cachix.signingKeyFile` were renamed to
-            `services.buildbot-nix.master.cachix.auth.authToken.file` and
-            `services.buildbot-nix.master.cachix.auth.signingKey.file` respectively.
-          '';
-        }
         {
           assertion = lib.versionAtLeast packages.buildbot.version "4.0.0";
           message = ''
@@ -780,15 +747,6 @@ in
                 (pkgs.formats.json { }).generate "buildbot-nix-config.json" {
                   db_url = cfg.dbUrl;
                   auth_backend = cfg.authBackend;
-                  cachix =
-                    if !cfg.cachix.enable then
-                      null
-                    else
-                      {
-                        name = cfg.cachix.name;
-                        signing_key_file = if cfg.cachix.auth ? "signingKey" then "cachix-signing-key" else null;
-                        auth_token_file = if cfg.cachix.auth ? "authToken" then "cachix-auth-token" else null;
-                      };
                   gitea =
                     if !cfg.gitea.enable then
                       null
@@ -902,12 +860,6 @@ in
             )
             ++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
             ++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}"
-            ++ lib.optional (
-              cfg.cachix.enable && cfg.cachix.auth ? "signingKey"
-            ) "cachix-signing-key:${builtins.toString cfg.cachix.auth.signingKey.file}"
-            ++ lib.optional (
-              cfg.cachix.enable && cfg.cachix.auth ? "authToken"
-            ) "cachix-auth-token:${builtins.toString cfg.cachix.auth.authToken.file}"
             ++ lib.optionals cfg.gitea.enable [
               "gitea-token:${cfg.gitea.tokenFile}"
               "gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"
@@ -1031,5 +983,67 @@ in
         '';
       };
     })
+    (lib.mkIf cfg.cachix.enable {
+      services.buildbot-nix.master.cachix.auth =
+        lib.mkIf (cfg.cachix.authTokenFile != null || cfg.cachix.signingKeyFile != null)
+          (
+            if (cfg.cachix.authTokenFile != null) then
+              lib.warn
+                "Obsolete option `services.buildbot-nix.master.cachix.authTokenFile' is used. It was renamed to `services.buildbot-nix.master.cachix.auth.authToken.file'."
+                { authToken.file = cfg.cachix.authTokenFile; }
+            else if (cfg.cachix.signingKeyFile != null) then
+              lib.warn
+                "Obsolete option `services.buildbot-nix.master.cachix.signingKeyFile' is used. It was renamed to `services.buildbot-nix.master.cachix.auth.signingKey.file'."
+                { signingKey.file = cfg.cachix.signingKeyFile; }
+            else
+              throw "Impossible, guarded by mkIf."
+          );
+
+      assertions = [
+        {
+          assertion =
+            let
+              isNull = x: x == null;
+            in
+            isNull cfg.cachix.authTokenFile && isNull cfg.cachix.signingKeyFile
+            || isNull cfg.cachix.authTokenFile && cfg.cachix.enable
+            || isNull cfg.cachix.signingKeyFile && cfg.cachix.enable;
+          message = ''
+            The semantics of `options.services.buildbot-nix.master.cachix` recently changed
+            slightly, the option `name` is no longer null-able. To enable Cachix support
+            use `services.buildbot-nix.master.cachix.enable = true`.
+
+            Furthermore, the options `services.buildbot-nix.master.cachix.authTokenFile` and
+            `services.buildbot-nix.master.cachix.signingKeyFile` were renamed to
+            `services.buildbot-nix.master.cachix.auth.authToken.file` and
+            `services.buildbot-nix.master.cachix.auth.signingKey.file` respectively.
+          '';
+        }
+      ];
+
+      systemd.services.buildbot-master.serviceConfig.LoadCredential =
+        lib.optional (
+          cfg.cachix.auth ? "signingKey"
+        ) "cachix-signing-key:${builtins.toString cfg.cachix.auth.signingKey.file}"
+        ++ lib.optional (
+          cfg.cachix.auth ? "authToken"
+        ) "cachix-auth-token:${builtins.toString cfg.cachix.auth.authToken.file}";
+
+      services.buildbot-nix.master.postBuildSteps = [
+        {
+          name = "Upload cachix";
+          environment = {
+            CACHIX_SIGNING_KEY = bb-lib.interpolate "%(secret:cachix-signing-key)s";
+            CACHIX_AUTH_TOKEN = bb-lib.interpolate "%(secret:cachix-auth-token)s";
+          };
+          command = [
+            "cachix" # note that this is the cachix from the worker's $PATH
+            "push"
+            cfg.cachix.name
+            (bb-lib.interpolate "result-%(prop:attr)s")
+          ];
+        }
+      ];
+    })
   ];
 }