Buildkite: Difference between revisions
imported>Mic92 Created page with "NixOS comes with a module to run [https://buildkite.com build-kite] agents: <syntaxHighlight lang=nix> { services.buildkite-agents.builder = { enable = true; # stor..." |
imported>Fufexan m Fix position of runtimePackages |
||
| (7 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
NixOS comes with a module to run [https://buildkite.com | NixOS comes with a module to run [https://buildkite.com buildkite] agents: | ||
<syntaxHighlight lang=nix> | <syntaxHighlight lang=nix> | ||
| Line 8: | Line 8: | ||
tokenPath = "/path/to/token"; | tokenPath = "/path/to/token"; | ||
privateSshKeyPath = "/path/to/ssh/key"; | privateSshKeyPath = "/path/to/ssh/key"; | ||
# tools needed for basic nix-build | |||
runtimePackages = [ | |||
pkgs.gnutar | |||
pkgs.bash | |||
pkgs.nix | |||
pkgs.gzip | |||
pkgs.git | |||
]; | |||
}; | |||
} | |||
</syntaxHighlight> | |||
[https://search.nixos.org/options/?query=services.buildkite Further NixOS options] | |||
== Using buildkite for public repository == | |||
Since buildkite executes code there are some additional security measures to take care of in order to | |||
run buildkite on your own infrastructure. | |||
It is recommend to run the buildkit-agent in a sandbox. In the following example, we use the confinement option to run | |||
in a chroot where only the nix store is mounted. The nix daemon socket is than bind mounted into the chroot. | |||
Make sure that you don't add secrets to your nix store! | |||
<syntaxHighlight lang=nix> | |||
{ pkgs, config, ... }: | |||
{ | |||
# Replace the suffix `<name>` by the name used in `services.buildkite-agents.<name> ` | |||
systemd.services.buildkite-agent-<name> = { | |||
confinement.enable = true; | |||
confinement.packages = config.services.buildkite-agents.<name>.runtimePackages; | |||
serviceConfig = { | |||
BindReadOnlyPaths = [ | |||
config.services.buildkite-agents.<name>.tokenPath | |||
config.services.buildkite-agents.<name>.privateSshKeyPath | |||
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" | |||
"/etc/machine-id" | |||
# channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing | |||
"/nix/store" | |||
]; | |||
BindPaths = [ | |||
config.services.buildkite-agents.<name>.dataDir | |||
"/nix/var/nix/daemon-socket/socket" | |||
]; | |||
}; | |||
}; | }; | ||
} | } | ||
</syntaxHighlight> | </syntaxHighlight> | ||
Since pull requests can modify the build instructions it is recommend to move <code>.buildkite/pipeline.yml</code> from the repository itself and only provide it via the web interface. Also consider using <code>restrict-eval</code> options to prevent leaking the buildkite's ssh key and api token, since those are still mounted into the chroot. | |||
== See also == | |||
* [[Continuous Integration (CI)]] | |||
[[Category:Applications]] | |||