Support using SSH to fetch repositories on Gitea

Signed-off-by: magic_rb <[email protected]>
nix-community · Jan 1, 2025 · 4c3b50e · 4c3b50e
1 parent 4bc762d
commit 4c3b50e
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 1 deletion.
diff --git a/buildbot_nix/buildbot_nix/__init__.py b/buildbot_nix/buildbot_nix/__init__.py
@@ -1057,6 +1057,8 @@ def nix_eval_config(
             method="clean",
             submodules=True,
             haltOnFailure=True,
+            sshPrivateKey=project.private_key_path.read_text() if project.private_key_path else None,
+            sshKnownHosts=project.known_hosts_path.read_text() if project.known_hosts_path else None,
         ),
     )
     drv_gcroots_dir = util.Interpolate(
@@ -1406,6 +1408,8 @@ def buildbot_effects_config(
             method="clean",
             submodules=True,
             haltOnFailure=True,
+            sshPrivateKey=project.private_key_path.read_text() if project.private_key_path else None,
+            sshKnownHosts=project.known_hosts_path.read_text() if project.known_hosts_path else None,
         ),
     )
     secrets_list = []

diff --git a/buildbot_nix/buildbot_nix/gitea_projects.py b/buildbot_nix/buildbot_nix/gitea_projects.py
@@ -61,7 +61,10 @@ def __init__(
 
     def get_project_url(self) -> str:
         url = urlparse(self.config.instance_url)
-        return f"{url.scheme}://git:%(secret:{self.config.token_file})s@{url.hostname}/{self.name}"
+        if self.config.ssh_private_key_file:
+            return self.data.ssh_url
+        else:
+            return f"{url.scheme}://git:%(secret:{self.config.token_file})s@{url.hostname}/{self.name}"
 
     def create_change_source(self) -> ChangeSource | None:
         return None
@@ -113,6 +116,15 @@ def belongs_to_org(self) -> bool:
         # TODO Gitea doesn't include this information
         return False  # self.data["owner"]["type"] == "Organization"
 
+    @property
+    def private_key_path(self) -> Path | None:
+        return self.config.ssh_private_key_file
+
+    @property
+    def known_hosts_path(self) -> Path | None:
+        return self.config.ssh_known_hosts_file
+
+
 
 class GiteaBackend(GitBackend):
     config: GiteaConfig

diff --git a/buildbot_nix/buildbot_nix/github_projects.py b/buildbot_nix/buildbot_nix/github_projects.py
@@ -770,6 +770,14 @@ def topics(self) -> list[str]:
     def belongs_to_org(self) -> bool:
         return self.data.owner.ttype == "Organization"
 
+    @property
+    def private_key_path(self) -> Path | None:
+        return None
+
+    @property
+    def known_hosts_path(self) -> Path | None:
+        return None
+
 
 def refresh_projects(
     github_token: str,

diff --git a/buildbot_nix/buildbot_nix/models.py b/buildbot_nix/buildbot_nix/models.py
@@ -94,6 +94,9 @@ class GiteaConfig(BaseModel):
     oauth_id: str | None
     oauth_secret_file: Path | None
 
+    ssh_private_key_file: Path | None
+    ssh_known_hosts_file: Path | None
+
     @property
     def token(self) -> str:
         return read_secret_file(self.token_file)

diff --git a/buildbot_nix/buildbot_nix/projects.py b/buildbot_nix/buildbot_nix/projects.py
@@ -1,5 +1,6 @@
 from abc import ABC, abstractmethod
 from typing import Any
+from pathlib import Path
 
 from buildbot.changes.base import ChangeSource
 from buildbot.config.builder import BuilderConfig
@@ -125,3 +126,13 @@ def topics(self) -> list[str]:
     @abstractmethod
     def belongs_to_org(self) -> bool:
         pass
+
+    @property
+    @abstractmethod
+    def private_key_path(self) -> Path | None:
+        pass
+
+    @property
+    @abstractmethod
+    def known_hosts_path(self) -> Path | None:
+        pass
diff --git a/buildbot_nix/buildbot_nix/pull_based/project.py b/buildbot_nix/buildbot_nix/pull_based/project.py
@@ -1,5 +1,6 @@
 from typing import Any
 from urllib.parse import ParseResult, urlparse
+from pathlib import Path
 
 from buildbot.changes.base import ChangeSource
 from buildbot.changes.gitpoller import GitPoller
@@ -99,3 +100,11 @@ def topics(self) -> list[str]:
     @property
     def belongs_to_org(self) -> bool:
         return False
+
+    @property
+    def private_key_path(self) -> Path | None:
+        return None
+
+    @property
+    def known_hosts_path(self) -> Path | None:
+        return None
diff --git a/nix/master.nix b/nix/master.nix
@@ -368,6 +368,23 @@ in
             If null, all projects that the buildbot Gitea user has access to, are built.
           '';
         };
+
+        sshPrivateKeyFile = lib.mkOption {
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+          description = ''
+            If non-null the specified SSH key will be used to fetch all configured repositories.
+          '';
+        };
+
+        sshKnownHostsFile = lib.mkOption {
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+          description = ''
+            If non-null the specified known hosts file will be matched against when connecting to
+            repositories over SSH.
+          '';
+        };
       };
       github = {
         enable = lib.mkEnableOption "Enable GitHub integration" // {
@@ -801,6 +818,8 @@ in
                         instance_url = cfg.gitea.instanceUrl;
                         oauth_id = cfg.gitea.oauthId;
                         topic = cfg.gitea.topic;
+                        ssh_private_key_file = cfg.gitea.sshPrivateKeyFile;
+                        ssh_known_hosts_file = cfg.gitea.sshKnownHostsFile;
                       };
                   github =
                     if !cfg.github.enable then