Skip to content

nix-community/buildbot-nix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

995 Commits
.github
.github
 
 
bin
bin
 
 
buildbot_effects
buildbot_effects
 
 
buildbot_nix
buildbot_nix
 
 
checks
checks
 
 
devShells
devShells
 
 
docs
docs
 
 
examples
examples
 
 
formatter
formatter
 
 
herculesCI
herculesCI
 
 
nix
nix
 
 
nixosModules
nixosModules
 
 
packages
packages
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Buildbot-nix

Buildbot-nix is a NixOS module designed to integrate Buildbot, a continuous integration (CI) framework, into the Nix ecosystem. This module is under active development, and while it's generally stable and widely used, please be aware that some APIs may change over time.

Features

  • Fast, Parallel evaluation using nix-eval-jobs
  • Gitea/Github integration:
    • Login with GitHub to control builds
    • CI status notification in pull requests and on the default branch
  • All builds share the same nix store for speed
  • The last attribute of a build is protected from garbage collection
  • Build matrix based on .#checks attributes
  • No arbitrary code runs outside of the Nix sandbox
  • experimental hercules-ci effect to run impure CI steps i.e. deploying NixOS

Getting Started with Buildbot Setup

To set up Buildbot using Buildbot-nix, you can start by exploring the provided examples:

Additionally, you can find real-world examples at the end of this document.

Buildbot masters and workers can be deployed either on the same machine or on separate machines. To support multiple architectures, configure them as nix remote builders. For a practical NixOS example, see this remote builder configuration.

Using buildbot with NixOS 24.05 (stable release)

The module applies custom patches that only apply to buildbot > 4.0.0. To use buildbot-nix with NixOS 24.05, you should therefore not override the nixpkgs input to your own stable version of buildbot-nix and leave it to the default instead that is set to nixos-unstable-small.

So instead of using this in your flake

inputs = {
  buildbot-nix.url = "github:nix-community/buildbot-nix";
  buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
};

Just use:

inputs = {
  buildbot-nix.url = "github:nix-community/buildbot-nix";
};

An alternative is to point nixpkgs to your own version of nixpkgs-unstable in case you are already using it elsewhere.

Using Buildbot in Your Project

Buildbot-nix automatically triggers builds for your project under these conditions:

  • When a pull request is opened.
  • When a commit is pushed to the default git branch.

It does this by evaluating the .#checks attribute of your project's flake in parallel. Each attribute found results in a separate build step. You can test these builds locally using nix flake check -L or nix-fast-build.

If you need to build other parts of your flake, such as packages or NixOS machines, you should re-export these into the .#checks output. Here are two examples to guide you:

Authentication backend

At the moment buildbot-nix offers two access modes, public and fullyPrivate. public is the default and gives read-only access to all of buildbot, including builds, logs and builders. For read-write access, authentication is still needed, this is controlled by the authBackend option.

fullyPrivate will hide buildbot behind oauth2-proxy which protects the whole buildbot instance. buildbot fetches the currently authenticated user from oauth2-proxy so the same admin, organisation rules apply.

fullyPrivate acccess mode is a workaround as buildbot does not support hiding information natively as now.

Public

For some actions a login is required. The authentication backend is set by the services.buildbot-nix.master.authBackend NixOS option ("github", "gitea", "oidc", or others).

Note: You can configure both GitHub and Gitea integrations simultaneously, regardless of which authentication backend you choose. The auth backend only determines how users log in to the Buildbot interface.

We have the following two roles:

  • Admins:
    • The list of admin usernames is hard-coded in the NixOS configuration.
    • admins can reload the project list
  • Organisation member:
    • All member of the organisation where this repository is located
    • They can restart builds
GitHub Integration

Buildbot-nix uses GitHub App authentication to integrate with GitHub repositories. This enables automatic webhook setup, commit status updates, and secure authentication.

See the GitHub documentation for setup instructions.

Gitea Integration

Buildbot-nix integrates with Gitea using access tokens for repository management and OAuth2 for user authentication. This enables automatic webhook setup, commit status updates, and secure authentication.

See the Gitea documentation for setup instructions.

Generic OIDC Authentication

Buildbot-nix supports generic OpenID Connect (OIDC) authentication, allowing you to use any OIDC-compliant identity provider (Keycloak, PocketID, Authentik, etc.) for user login.

See the OIDC documentation for configuration details.

Fully Private

To enable fully private mode, set acessMode.fullyPrivate to an attrset containing the required options for fully private use, refer to the examples and module implementation (nix/master.nix).

This access mode honors the admins option in addition to the accessMode.fullyPrivate.organisations option. To allow access from certain organisations, you must explicitly list them.

If you've set authBackend previously, unset it, or you will get an error about a conflicting definitions. fullyPrivate requires the authBackend to be set to basichttpauth to function (this is handled by the module, which is why you can leave it unset). For a concrete example please refer to fully-private-github

Per Repository Configuration

Currently buildbot-nix will look for a file named buildbot-nix.toml in the root of whichever branch it's currently evaluating, parse it as TOML and apply the configuration specified. The following table illustrates the supported options.

key type description default example
lock file lock_file str dictates which lock file buildbot-nix will use when evaluating your flake flake.lock have multiple lockfiles, one for nixpkgs-stable, one for nixpkgs-unstable or by default pin an input to a private repo, but have a lockfile with that private repo replaced by a public repo for CI
attribute attribute str which attribute in the flake to evaluate and build checks using a different attribute, like hydraJobs
flake_dir flake_dir str which directory the flake is located . using a different flake, like ./tests

Binary caches

To access the build results on other machines there are two options at the moment

Local binary cache (harmonia)

You can set up a binary cache on your buildbot-worker machine to make its nix store accessible from other machines. Check out the README of the project, for an example configuration

Cachix

Buildbot-nix also supports pushing packages to cachix. Check out the comment out example configuration in our repository.

Attic

Buildbot-nix does not have native support for pushing packages to attic yet. However it's possible to integrate run a systemd service as described in this example configuration. The systemd service watches for changes in the local buildbot-nix store and uploads the contents to the attic cache.

(experimental) Hercules CI effects

See flake.nix for an example and [https://docs.hercules-ci.com/hercules-ci/effects/] for documentation.

You can run hercules-effects locally using the buildbot-effects cli:

$ buildbot-effects --help
usage: buildbot-effects [-h] [--secrets SECRETS] [--rev REV] [--branch BRANCH] [--repo REPO] [--path PATH] {list,run,run-all} ...

Run effects from a hercules-ci flake

positional arguments:
  {list,run,run-all}  Command to run
    list              List available effects
    run               Run an effect
    run-all           Run all effects

options:
  -h, --help          show this help message and exit
  --secrets SECRETS   Path to a json file with secrets
  --rev REV           Git revision to use
  --branch BRANCH     Git branch to use
  --repo REPO         Git repo to prepend to be
  --path PATH         Path to the repository

Example from the buildbot-nix repository:

$ git clone github.com/nix-community/buildbot-nix
$ cd buildbot-nix
$ nix run github:nix-community/buildbot-nix#buildbot-effects -- list
[
  "deploy"
]
$ nix run github:nix-community/buildbot-nix#buildbot-effects -- --branch main run deploy
{branch:main,rev:5d2e0af1cfccfc209b893b89392cf80f5640d936,tag:null}
Hello, world!

Incompatibilities with the lix overlay

The lix overlay overrides nix-eval-jobs with a version that doesn't work with buildbot-nix because of missing features and therefore cannot be used together with the buildbot-nix module.

Possible workaround: Don't use the overlay and only set the nix.package = pkgs.lix; NixOS option.

Real-World Deployments

See Buildbot-nix in action in these deployments:

The following instances run on GitHub:

The following instances integrated with Gitea:

Get in touch

We have a matrix channel at buildbot-nix.

Need commercial support or customization?

For commercial support, please contact Mic92 at joerg@thalheim.io or reach out to Numtide.

About

A nixos module to make buildbot a proper Nix-CI [maintainer=@Mic92,@MagicRB]

Topics

build-with-buildbot

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

220 stars

Watchers

8 watching

Forks

37 forks
Report repository

Releases 4

1.1.0 Latest
Sep 16, 2025
+ 3 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 27
+ 13 contributors

Languages