m 3 buildbot/master: add secrets

krebs/3modules/buildbot/master.nix

@@ -132,6 +132,16 @@ let
       '';
     };
 
+    secrets = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      example = [ "cac.json" ];
+      description = ''
+        List of all the secrets in <secrets> which should be copied into the
+        buildbot master directory.
+      '';
+    };
+
     slaves = mkOption {
       default = {};
       type = types.attrsOf types.str;
@@ -344,10 +354,10 @@ let
           fi
           # always override the master.cfg
           cp ${buildbot-master-config} ${workdir}/master.cfg
+
           # copy secrets
-          cp ${secretsdir}/cac.json ${workdir}
-          cp ${secretsdir}/retiolum-ci.rsa_key.priv \
-             ${workdir}/retiolum.rsa_key.priv
+          ${ concatMapStringsSep "\n"
+            (f: "cp ${secretsdir}/${f} ${workdir}/${f}" ) cfg.secrets }
           # sanity
           ${buildbot}/bin/buildbot checkconfig ${workdir}
 

shared/2configs/buildbot-standalone.nix

@@ -8,6 +8,9 @@ in {
   };
   networking.firewall.allowedTCPPorts = [ 8010 9989 ];
   krebs.buildbot.master = {
+    secrets = [
+      "cac.json"
+    ];
     slaves = {
       testslave =  "krebspass";
       omo = "krebspass";
@@ -93,9 +96,8 @@ in {
   # slave needs 2 files:
   # * cac.json
   # * retiolum
-  for file in ["cac.json", "retiolum.rsa_key.priv"]:
-    s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/{}".format(file),
-                            slavedest=file))
+  s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/cac.json", slavedest="cac.json"))
+  s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/retiolum-ci.rsa_key.priv", slavedest="retiolum.rsa_key.priv"))
 
   addShell(s, name="infest-cac-centos7",env=env,
               sigtermTime=60,           # SIGTERM 1 minute before SIGKILL