
Secrets for hercules-ci style effects #307

Merged
merged 3 commits into from
Oct 5, 2024

Conversation

antifuchs (Contributor)

This PR to another PR (sorry for the complexity) is what I use currently to build and deploy my flake-based personal system configuration. This holds all the changes I had to make to get flyctl deploy working for docker images built in my flake:

  • Add /var/tmp as a tmpfs mount point in the bwrapped effects runner
  • Flush at the end of writing secrets.json before passing it to bwrap (otherwise that file would be empty, thanks python buffering).
  • Make per-repo secrets configurable and pass those through from the nix config to the buildbot master plugin, to each worker, and pick that up in the buildbot_effects commandline invocation.

With these changes, I have successfully run a flyctl deploy with the access token sourced from secrets passed in on that per-repo basis.

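The flush bug from the second bullet, as an added example that is not part of this PR's code: a secrets.json written with a bare `.write` is still sitting in Python's buffer when the child process (a stand-in for bwrap here) opens it, so the child sees an empty file, and flushing before spawning the child fixes it. The sample secrets dict and its shape are constructed, and the token is a placeholder.

```python
import json
import subprocess
import sys
import tempfile

# Constructed sample in the hci secrets.json shape (name -> {kind, data});
# the token value is a placeholder, not a real credential.
SAMPLE_SECRETS = {
    "flyctl": {"kind": "Secret", "data": {"token": "PLACEHOLDER-TOKEN"}},
}


def run_effect_with_secrets(secrets: dict, flush_before_exec: bool) -> str:
    """Write secrets.json to a temp file, run a child that reads it, and
    return what the child saw.  The file stays open in the parent for the
    child's lifetime, which is exactly what exposes the buffering bug:
    nothing reaches disk until the buffer is flushed or the file is closed."""
    with tempfile.NamedTemporaryFile("w", suffix=".json") as secrets_file:
        secrets_file.write(json.dumps(secrets))
        if flush_before_exec:
            secrets_file.flush()  # the fix: push the buffered bytes to disk
        # Stand-in for the bwrap invocation: a child that prints the file.
        child = subprocess.run(
            [sys.executable, "-c",
             "import sys; print(open(sys.argv[1]).read(), end='')",
             secrets_file.name],
            capture_output=True, text=True, check=True,
        )
        return child.stdout


def child_saw_secrets(secrets: dict, flush_before_exec: bool) -> bool:
    """True only if the child read back the complete, parseable secrets."""
    seen = run_effect_with_secrets(secrets, flush_before_exec)
    return seen != "" and json.loads(seen) == secrets


if __name__ == "__main__":
    print("without flush:", child_saw_secrets(SAMPLE_SECRETS, False))
    print("with flush:   ", child_saw_secrets(SAMPLE_SECRETS, True))
```

The short JSON is far below the default buffer size, so without the flush the child reliably reads zero bytes.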
@antifuchs antifuchs force-pushed the hercules-secrets branch 2 times, most recently from 07c462a to 1b2d7eb on October 1, 2024 19:34

@antifuchs (Contributor, Author)

This PR might address the question around secrets in #115. It's not public-key encrypted (and there remains the question on whether this unduly exposes secrets to forks, if we ever make other branches have effects), but it's a start I think.

@antifuchs antifuchs force-pushed the hercules-secrets branch 2 times, most recently from 6461241 to 10945ae on October 1, 2024 23:19

buildbot_effects/__init__.py: 2 review threads (outdated, resolved)

@antifuchs (Contributor, Author)

Updated to address the TMPDIR comment.

Commits:

A mere .write doesn't flush the write out (it's fully-buffered), so
the bwrapped secrets remain empty. Tricky!

* Add a nixpkgs configuration setting effects.perRepoSecretFiles,
  which associates a repository with a path containing a hci
  secrets.json-style file (that could be sourced from sops-nix or
  agenix).

* Configure that and pass the secrets to effects running in projects
  for the respective repositories.

`nix develop` sets TMPDIR, TMP, TEMP, TEMPDIR to a directory that
doesn't exist in the new tmpfs, which some programs don't take too
kindly to. Instead, let's override the TMPDIR variable with a
temporary dir that we know exists & is good. Just for hygiene
reasons (and to keep others from tearing their hair out), just unset
the other temporary directory variables.

@Mic92 Mic92 merged commit 85379c2 into nix-community:hercules Oct 5, 2024
3 checks passed
@antifuchs antifuchs deleted the hercules-secrets branch October 5, 2024 15:30