expose cachix options explictly

Author: Mic92

buildbot_nix/__init__.py

@@ -417,11 +417,25 @@ def nix_eval_config(
     )
 
 
+@dataclass
+class CachixConfig:
+    name: str
+    signing_key_secret_name: str | None = None
+    auth_token_secret_name: str | None = None
+
+    def cachix_env(self) -> dict[str, str]:
+        env = {}
+        if self.signing_key_secret_name is not None:
+            env["CACHIX_SIGNING_KEY"] = util.Secret(self.signing_key_secret_name)
+        if self.auth_token_secret_name is not None:
+            env["CACHIX_AUTH_TOKEN"] = util.Secret(self.auth_token_secret_name)
+        return env
+
+
 def nix_build_config(
     project: GithubProject,
     worker_names: list[str],
-    has_cachix_auth_token: bool = False,
-    has_cachix_signing_key: bool = False,
+    cachix: CachixConfig | None = None,
     outputs_path: Path | None = None,
 ) -> util.BuilderConfig:
     """
@@ -454,19 +468,15 @@ def nix_build_config(
             haltOnFailure=True,
         )
     )
-    if has_cachix_auth_token or has_cachix_signing_key:
-        if has_cachix_signing_key:
-            env = dict(CACHIX_SIGNING_KEY=util.Secret("cachix-signing-key"))
-        else:
-            env = dict(CACHIX_AUTH_TOKEN=util.Secret("cachix-auth-token"))
+    if cachix:
         factory.addStep(
             steps.ShellCommand(
                 name="Upload cachix",
-                env=env,
+                env=cachix.cachix_env(),
                 command=[
                     "cachix",
                     "push",
-                    util.Secret("cachix-name"),
+                    cachix.name,
                     util.Interpolate("result-%(prop:attr)s"),
                 ],
             )
@@ -572,13 +582,13 @@ def token(self) -> str:
 def config_for_project(
     config: dict[str, Any],
     project: GithubProject,
-    credentials: str,
     worker_names: list[str],
     github: GithubConfig,
     nix_supported_systems: list[str],
     nix_eval_worker_count: int,
     nix_eval_max_memory_size: int,
     eval_lock: util.WorkerLock,
+    cachix: CachixConfig | None = None,
     outputs_path: Path | None = None,
 ) -> Project:
     config["projects"].append(Project(project.name))
@@ -635,12 +645,6 @@ def config_for_project(
             ),
         ]
     )
-    has_cachix_auth_token = os.path.isfile(
-        os.path.join(credentials, "cachix-auth-token")
-    )
-    has_cachix_signing_key = os.path.isfile(
-        os.path.join(credentials, "cachix-signing-key")
-    )
     config["builders"].extend(
         [
             # Since all workers run on the same machine, we only assign one of them to do the evaluation.
@@ -657,8 +661,7 @@ def config_for_project(
             nix_build_config(
                 project,
                 worker_names,
-                has_cachix_auth_token,
-                has_cachix_signing_key,
+                cachix=cachix,
                 outputs_path=outputs_path,
             ),
             nix_skipped_build_config(project, [SKIPPED_BUILDER_NAME]),
@@ -756,6 +759,7 @@ def __init__(
         nix_eval_worker_count: int | None,
         nix_eval_max_memory_size: int,
         nix_workers_secret_name: str = "buildbot-nix-workers",
+        cachix: CachixConfig | None = None,
         outputs_path: str | None = None,
     ) -> None:
         super().__init__()
@@ -765,7 +769,7 @@ def __init__(
         self.nix_supported_systems = nix_supported_systems
         self.github = github
         self.url = url
-        self.systemd_credentials_dir = os.environ["CREDENTIALS_DIRECTORY"]
+        self.cachix = cachix
         if outputs_path is None:
             self.outputs_path = None
         else:
@@ -803,13 +807,13 @@ def configure(self, config: dict[str, Any]) -> None:
             config_for_project(
                 config,
                 project,
-                self.systemd_credentials_dir,
                 worker_names,
                 self.github,
                 self.nix_supported_systems,
                 self.nix_eval_worker_count or multiprocessing.cpu_count(),
                 self.nix_eval_max_memory_size,
                 eval_lock,
+                self.cachix,
                 self.outputs_path,
             )
 

examples/default.nix

@@ -36,12 +36,20 @@ in
             user = "mic92-buildbot";
             admins = [ "Mic92" ];
           };
-          # optional
+          # optional expose latest store path as text file
           # outputsPath = "/var/www/buildbot/nix-outputs";
 
           # optional nix-eval-jobs settings
           # evalWorkerCount = 8; # limit number of concurrent evaluations
           # evalMaxMemorySize = "2048"; # limit memory usage per evaluation
+
+          # optional cachix
+          #cachix = {
+          #  name = "my-cachix";
+          #  # One of the following is required:
+          #  signingKey = "/var/lib/secrets/cachix-key";
+          #  authToken = "/var/lib/secrets/cachix-token";
+          #};
         };
       })
       buildbot-nix.nixosModules.buildbot-master

nix/master.nix

@@ -15,6 +15,25 @@ in
         default = "postgresql://@/buildbot";
         description = "Postgresql database url";
       };
+      cachix = {
+        name = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          description = "Cachix name";
+        };
+
+        signingKeyFile = lib.mkOption {
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+          description = "Cachix signing key";
+        };
+
+        authTokenFile = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          description = "Cachix auth token";
+        };
+      };
       github = {
         tokenFile = lib.mkOption {
           type = lib.types.path;
@@ -107,6 +126,13 @@ in
       isSystemUser = true;
     };
 
+    assertions = [
+      {
+        assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
+        message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
+      }
+    ];
+
     services.buildbot-master = {
       enable = true;
 
@@ -118,7 +144,7 @@ in
       home = "/var/lib/buildbot";
       extraImports = ''
         from datetime import timedelta
-        from buildbot_nix import GithubConfig, NixConfigurator
+        from buildbot_nix import GithubConfig, NixConfigurator, CachixConfig
       '';
       configurators = [
         ''
@@ -132,9 +158,14 @@ in
                   buildbot_user=${builtins.toJSON cfg.github.user},
                   topic=${builtins.toJSON cfg.github.topic},
               ),
+              cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
+                  name=${builtins.toJSON cfg.cachix.name},
+                  signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
+                  auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
+              "}),
               url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
               nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
-              nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toJSON cfg.evalWorkerCount},
+              nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
               nix_supported_systems=${builtins.toJSON cfg.buildSystems},
               outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
           )
@@ -166,7 +197,11 @@ in
           "github-webhook-secret:${cfg.github.webhookSecretFile}"
           "github-oauth-secret:${cfg.github.oauthSecretFile}"
           "buildbot-nix-workers:${cfg.workersFile}"
-        ];
+        ]
+        ++ lib.optional (cfg.cachix.signingKeyFile != null)
+          "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
+        ++ lib.optional (cfg.cachix.authTokenFile != null)
+          "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}";
       };
     };