nixos/buildkite: drop user option (#78160)

* nixos/buildkite: drop user option This reverts 8c6b1c3eaa. Turns out, buildkite-agent has logic to write .ssh/known_hosts files and only really works when $HOME and the user homedir are in sync. On top of that, we provision ssh keys in /var/lib/buildkite-agent, which doesn't work if that other users' homedir points elsewhere (we can cheat by setting $HOME, but then getent and $HOME provide conflicting results). So after all, it's better to only run the system-wide buildkite agent as the "buildkite-agent" user only - if one wants to run buildkite as different users, systemd user services might be a better fit. * nixosTests.buildkite-agent: add node with separate user and no ssh key
2020-01-21 14:21:57 +01:00 · 2020-01-21 14:21:57 +01:00 · 0daae2e08c
parent ab10bac1b1
commit 0daae2e08c
2 changed files with 22 additions and 20 deletions
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@ -29,8 +29,6 @@ let
    ${concatStringsSep "\n" (mapAttrsToList mkHookEntry (filterAttrs (n: v: v != null) cfg.hooks))}
  '';

-  defaultUser = "buildkite-agent";
-
 in

 {
@ -58,15 +56,6 @@ in
        type = types.listOf types.package;
      };

-      user = mkOption {
-        type = types.str;
-        default = defaultUser;
-        description = ''
-          Set this option when you want to run the buildkite agent as something else
-          than the default user "buildkite-agent".
-        '';
-      };
-
      tokenPath = mkOption {
        type = types.path;
        description = ''
@ -197,7 +186,7 @@ in
  };

  config = mkIf config.services.buildkite-agent.enable {
-    users.users.buildkite-agent = mkIf (cfg.user == defaultUser) {
+    users.users.buildkite-agent = {
      name = "buildkite-agent";
      home = cfg.dataDir;
      createHome = true;
@ -242,7 +231,7 @@ in

        serviceConfig =
          { ExecStart = "${cfg.package}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg";
-            User = cfg.user;
+            User = "buildkite-agent";
            RestartSec = 5;
            Restart = "on-failure";
            TimeoutSec = 10;
--- a/nixos/tests/buildkite-agent.nix
+++ b/nixos/tests/buildkite-agent.nix
@ -6,18 +6,31 @@ import ./make-test-python.nix ({ pkgs, ... }:
    maintainers = [ flokli ];
  };

-  machine = { pkgs, ... }: {
-    services.buildkite-agent = {
-      enable = true;
-      privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey;
-      tokenPath = (pkgs.writeText "my-token" "5678");
+  nodes = {
+    node1 = { pkgs, ... }: {
+      services.buildkite-agent = {
+        enable = true;
+        privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey;
+        tokenPath = (pkgs.writeText "my-token" "5678");
+      };
+    };
+    # don't configure ssh key, run as a separate user
+    node2 = { pkgs, ...}: {
+      services.buildkite-agent = {
+        enable = true;
+        tokenPath = (pkgs.writeText "my-token" "1234");
+      };
    };
  };

  testScript = ''
+    start_all()
    # we can't wait on the unit to start up, as we obviously can't connect to buildkite,
    # but we can look whether files are set up correctly
-    machine.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
-    machine.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa")
+
+    node1.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
+    node1.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa")
+
+    node2.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
  '';
 })