From 0daae2e08c1b5c0d4141f6655d38bac7b70569e7 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Tue, 21 Jan 2020 14:21:57 +0100
Subject: nixos/buildkite: drop user option (#78160)

* nixos/buildkite: drop user option

This reverts 8c6b1c3eaaa8b555bddaced3ab6f02695bef1541.

Turns out, buildkite-agent has logic to write .ssh/known_hosts files and only really works when $HOME and the user homedir are in sync.

On top of that, we provision ssh keys in /var/lib/buildkite-agent, which doesn't work if that other users' homedir points elsewhere (we can cheat by setting $HOME, but then getent and $HOME provide conflicting results).

So after all, it's better to only run the system-wide buildkite agent as the "buildkite-agent" user only - if one wants to run buildkite as different users, systemd user services might be a better fit.

* nixosTests.buildkite-agent: add node with separate user and no ssh key
---
 .../continuous-integration/buildkite-agent.nix | 15 ++----------
 nixos/tests/buildkite-agent.nix                | 27 ++++++++++++++++------
 2 files changed, 22 insertions(+), 20 deletions(-)

(limited to 'nixos')

diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index 418a7bc1a46..58bce654941 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -29,8 +29,6 @@ let
     ${concatStringsSep "\n" (mapAttrsToList mkHookEntry (filterAttrs (n: v: v != null) cfg.hooks))}
   '';
 
-  defaultUser = "buildkite-agent";
-
 in
 
 {
@@ -58,15 +56,6 @@ in
         type = types.listOf types.package;
       };
 
-      user = mkOption {
-        type = types.str;
-        default = defaultUser;
-        description = ''
-          Set this option when you want to run the buildkite agent as something else
-          than the default user "buildkite-agent".
-        '';
-      };
-
       tokenPath = mkOption {
         type = types.path;
         description = ''
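Review bot: Removing `services.buildkite-agent.user` in the second hunk leaves any existing configuration that sets it failing with a generic undefined-option error rather than an explanation of why the knob is gone. An `imports = [ (mkRemovedOptionModule [ "services" "buildkite-agent" "user" ] "The system-wide agent always runs as the buildkite-agent user; use a systemd user service to run it as someone else.") ];` entry in the top-level attribute set opened at the end of the first hunk would surface that at evaluation time, assuming `lib` is opened with `with lib;` as the bare `mkOption` suggests. The remainder of the module's option set lies outside both hunks.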
@@ -197,7 +186,7 @@ in
     };
 
   config = mkIf config.services.buildkite-agent.enable {
-    users.users.buildkite-agent = mkIf (cfg.user == defaultUser) {
+    users.users.buildkite-agent = {
       name = "buildkite-agent";
       home = cfg.dataDir;
       createHome = true;
@@ -242,7 +231,7 @@ in
 
     serviceConfig = {
       ExecStart = "${cfg.package}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg";
-      User = cfg.user;
+      User = "buildkite-agent";
       RestartSec = 5;
       Restart = "on-failure";
       TimeoutSec = 10;
diff --git a/nixos/tests/buildkite-agent.nix b/nixos/tests/buildkite-agent.nix
index 042ce389eb8..3c824c9aedf 100644
--- a/nixos/tests/buildkite-agent.nix
+++ b/nixos/tests/buildkite-agent.nix
@@ -6,18 +6,31 @@ import ./make-test-python.nix ({ pkgs, ... }:
     maintainers = [ flokli ];
   };
 
-  machine = { pkgs, ... }: {
-    services.buildkite-agent = {
-      enable = true;
-      privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey;
-      tokenPath = (pkgs.writeText "my-token" "5678");
+  nodes = {
+    node1 = { pkgs, ... }: {
+      services.buildkite-agent = {
+        enable = true;
+        privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey;
+        tokenPath = (pkgs.writeText "my-token" "5678");
+      };
+    };
+    # don't configure ssh key, run as a separate user
+    node2 = { pkgs, ...}: {
+      services.buildkite-agent = {
+        enable = true;
+        tokenPath = (pkgs.writeText "my-token" "1234");
+      };
     };
   };
 
   testScript = ''
+    start_all()
     # we can't wait on the unit to start up, as we obviously can't connect to buildkite,
     # but we can look whether files are set up correctly
-    machine.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
-    machine.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa")
+
+    node1.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
+    node1.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa")
+
+    node2.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
   '';
 })
-- 
cgit 1.4.1
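Review bot: `User = "buildkite-agent";` in the serviceConfig hunk is now the third place the account name is spelled as a bare literal (the `users.users.buildkite-agent` attribute and its `name = "buildkite-agent";` in the previous hunk are the other two), so a later rename in one place would silently detach the unit from the account it is meant to run as. `User = config.users.users.buildkite-agent.name;` ties the unit to the declared account without reintroducing the removed `defaultUser` binding. The `ExecStart` line above it likewise hard-codes `/var/lib/buildkite-agent` while the account's home is `cfg.dataDir`; whether the config file is written under dataDir is not visible here, but if it is, `--config ${cfg.dataDir}/buildkite-agent.cfg` keeps the two in sync, which is exactly the home-directory consistency the commit message relies on.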
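Review bot: The `# don't configure ssh key, run as a separate user` comment above node2 no longer describes the configuration: with the option removed, node2 runs as the same `buildkite-agent` account as node1 and the only difference is the missing private key, so `# no ssh key configured; the agent still runs as the default "buildkite-agent" user` states what is actually exercised. node2's only assertion is that the config file appears; `node2.fail("test -e /var/lib/buildkite-agent/.ssh/id_rsa")` would pin that no key material is provisioned when none was configured. For node1, a check that the installed private key is owned by buildkite-agent and not group/world readable, e.g. `node1.succeed("stat -c '%U %a' /var/lib/buildkite-agent/.ssh/id_rsa | grep -q '^buildkite-agent 600$'")`, covers the property the commit message depends on, assuming the module installs the key with those permissions (the key provisioning code is not in this diff).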