Properly fully fix Cachix

Signed-off-by: magic_rb <[email protected]>

Author: MagicRB

buildbot_nix/__init__.py

@@ -29,6 +29,7 @@
 from twisted.internet import defer
 from twisted.logger import Logger
 
+from . import models
 from .common import (
     slugify_project_name,
 )
@@ -944,15 +945,15 @@ def configure(self, config: dict[str, Any]) -> None:
         eval_lock = util.MasterLock("nix-eval")
 
         if self.config.cachix is not None:
-            self.post_build_steps.append(
-                steps.ShellCommand(
+            self.config.post_build_steps.append(
+                models.PostBuildStep(
                     name="Upload cachix",
-                    env=self.cachix.cachix_env(),
+                    environment=self.config.cachix.environment,
                     command=[
                         "cachix",
                         "push",
-                        self.cachix.name,
-                        util.Interpolate("result-%(prop:attr)s"),
+                        self.config.cachix.name,
+                        models.Interpolate("result-%(prop:attr)s"),
                     ],
                 )
             )
@@ -994,7 +995,7 @@ def configure(self, config: dict[str, Any]) -> None:
                 ],
             )
             config["services"].append(backend.create_reporter())
-            config.setdefault("secretProviders", [])
+            config.setdefault("secretsProviders", [])
             config["secretsProviders"].extend(backend.create_secret_providers())
 
         systemd_secrets = SecretInAFile(

buildbot_nix/models.py

@@ -1,3 +1,4 @@
+from collections.abc import Mapping
 from enum import Enum
 from pathlib import Path
 
@@ -22,6 +23,19 @@ class AuthBackendConfig(str, Enum):
     none = "none"
 
 
+# note that serialization isn't correct, as there is no way to *rename* the field `nix_type` to `_type`,
+# one must always specify `by_alias = True`, such as `model_dump(by_alias = True)`, relevant issue:
+# https://github.com/pydantic/pydantic/issues/8379
+class Interpolate(BaseModel):
+    model_config = ConfigDict(populate_by_name=True)
+
+    nix_type: str = Field(alias="_type")
+    value: str
+
+    def __init__(self, value: str) -> None:
+        super().__init__(nix_type="interpolate", value=value)
+
+
 class CachixConfig(BaseModel):
     name: str
 
@@ -42,10 +56,16 @@ def auth_token(self) -> str:
 
     # TODO why did the original implementation return an empty env if both files were missing?
     @property
-    def environment(self) -> dict[str, str]:
+    def environment(self) -> Mapping[str, str | Interpolate]:
         environment = {}
-        environment["CACHIX_SIGNING_KEY"] = util.Secret(self.signing_key_file)
-        environment["CACHIX_AUTH_TOKEN"] = util.Secret(self.auth_token_file)
+        if self.signing_key_file is not None:
+            environment["CACHIX_SIGNING_KEY"] = Interpolate(
+                f"%(secret:{self.signing_key_file})s"
+            )
+        if self.auth_token_file is not None:
+            environment["CACHIX_AUTH_TOKEN"] = Interpolate(
+                f"%(secret:{self.auth_token_file})s"
+            )
         return environment
 
     class Config:
@@ -133,19 +153,9 @@ def oauth_secret(self) -> str:
         return read_secret_file(self.oauth_secret_file)
 
 
-# note that serialization isn't correct, as there is no way to *rename* the field `nix_type` to `_type`,
-# one must always specify `by_alias = True`, such as `model_dump(by_alias = True)`, relevant issue:
-# https://github.com/pydantic/pydantic/issues/8379
-class Interpolate(BaseModel):
-    model_config = ConfigDict(populate_by_name=True)
-
-    nix_type: str = Field(alias="_type")
-    value: str
-
-
 class PostBuildStep(BaseModel):
     name: str
-    environment: dict[str, str | Interpolate]
+    environment: Mapping[str, str | Interpolate]
     command: list[str | Interpolate]
 
     def to_buildstep(self) -> steps.BuildStep:
@@ -156,7 +166,7 @@ def maybe_interpolate(value: str | Interpolate) -> str | util.Interpolate:
 
         return steps.ShellCommand(
             name=self.name,
-            env={k: maybe_interpolate(k) for k in self.environment},
+            env={k: maybe_interpolate(self.environment[k]) for k in self.environment},
             command=[maybe_interpolate(x) for x in self.command],
         )
 

nix/master.nix

@@ -613,8 +613,8 @@ in
                     else
                       {
                         name = cfg.cachix.name;
-                        signing_key_file = if cfg.cachix.auth ? "signingKey" then cfg.cachix.auth.signingKey.file else null;
-                        auth_token_file = if cfg.cachix.auth ? "authToken" then cfg.cachix.authTokenFile else null;
+                        signing_key_file = if cfg.cachix.auth ? "signingKey" then "cachix-signing-key" else null;
+                        auth_token_file = if cfg.cachix.auth ? "authToken" then "cachix-auth-token" else null;
                       };
                   gitea =
                     if !cfg.gitea.enable then
@@ -735,11 +735,11 @@ in
             ++ lib.optional (cfg.authBackend == "gitea") "gitea-oauth-secret:${cfg.gitea.oauthSecretFile}"
             ++ lib.optional (cfg.authBackend == "github") "github-oauth-secret:${cfg.github.oauthSecretFile}"
             ++ lib.optional (
-              cfg.cachix.enable && cfg.cachix ? "signingKey"
-            ) "cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
+              cfg.cachix.enable && cfg.cachix.auth ? "signingKey"
+            ) "cachix-signing-key:${builtins.toString cfg.cachix.auth.signingKey.file}"
             ++ lib.optional (
-              cfg.cachix.enable && cfg.cachix ? "authToken"
-            ) "cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}"
+              cfg.cachix.enable && cfg.cachix.auth ? "authToken"
+            ) "cachix-auth-token:${builtins.toString cfg.cachix.auth.authToken.file}"
             ++ lib.optionals cfg.gitea.enable [
               "gitea-token:${cfg.gitea.tokenFile}"
               "gitea-webhook-secret:${cfg.gitea.webhookSecretFile}"