Buildkite: Difference between revisions
imported>Mic92 Created page with "NixOS comes with a module to run [https://buildkite.com build-kite] agents: <syntaxHighlight lang=nix> { services.buildkite-agents.builder = { enable = true; # stor..." |
imported>Mic92 add sandbox builds |
||
| Line 9: | Line 9: | ||
privateSshKeyPath = "/path/to/ssh/key"; | privateSshKeyPath = "/path/to/ssh/key"; | ||
}; | }; | ||
# tools needed for basic nix-build | |||
runtimePackages = [ | |||
pkgs.gnutar | |||
pkgs.bash | |||
pkgs.nix | |||
pkgs.gzip | |||
pkgs.git | |||
]; | |||
} | } | ||
</syntaxHighlight> | </syntaxHighlight> | ||
[https://nixos.org/nixos/options.html#services.buildkite Further NixOS options] | [https://nixos.org/nixos/options.html#services.buildkite Further NixOS options] | ||
== Using buildkite for public repository == | |||
Since buildkite executes code there are some additional security measures to take care of in order to | |||
run buildkite on your own infrastructure. | |||
It is recommend to run the buildkit-agent in a sandbox. In the following example, we use the confinement option to run | |||
in a chroot where only the nix store is mounted. The nix daemon socket is than bind mounted into the chroot. | |||
Make sure that you don't add secrets to your nix store! | |||
```nix | |||
{ pkgs, config, ... }: | |||
{ | |||
# Replace the suffix `<name>` by the name used in `services.buildkite-agents.<name> ` | |||
systemd.services.buildkite-agent-<name> = { | |||
confinement.enable = true; | |||
confinement.packages = config.services.buildkite-agents.<name>.runtimePackages; | |||
serviceConfig = { | |||
BindReadOnlyPaths = [ | |||
config.services.buildkite-agents.<name>.tokenPath | |||
config.services.buildkite-agents.<name>.privateSshKeyPath | |||
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" | |||
"/etc/machine-id" | |||
# channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing | |||
"/nix/store" | |||
]; | |||
BindPaths = [ | |||
config.services.buildkite-agents.<name>.dataDir | |||
"/nix/var/nix/daemon-socket/socket" | |||
]; | |||
}; | |||
}; | |||
} | |||
``` | |||
Since pull requests can modify the build instructions it is recommend to move <code>.buildkite/pipeline.yml</code> from the repository itself and only provide it via the web interface. Also consider using <code>restrict-eval</code> options to prevent leaking the buildkite's ssh key and api token, since those are still mounte into the chroot. | |||