From 3cd6f216a3eb192891067f0897c96b2578642c60 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sun, 12 Apr 2020 00:16:26 +0200
Subject: [PATCH] buildslave: update to Debian 10, introduce TLS support

Signed-off-by: Jo-Philipp Wich
---
 docker/buildslave/Dockerfile | 47 +++++++++++++++++---------------
 docker/buildslave/files/start.sh | 11 ++++++--
 docker/config.ini | 4 +--
 docker/docker-compose.yml | 8 ++++++
 4 files changed, 44 insertions(+), 26 deletions(-)

diff --git a/docker/buildslave/Dockerfile b/docker/buildslave/Dockerfile
index 96919bd..9ee3ae4 100644
--- a/docker/buildslave/Dockerfile
+++ b/docker/buildslave/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:9
+FROM debian:10
 MAINTAINER OpenWrt Maintainers
 ARG DEBIAN_FRONTEND=noninteractive
@@ -9,27 +9,30 @@ ENV BUILDSLAVE_DESCRIPTION Buildslave Docker Instance
 USER root
-RUN apt-get update && \
- apt-get install -y \
- pwgen \
- locales \
- buildbot-slave \
- build-essential \
- git-core \
- subversion \
- libncurses5-dev \
- gawk \
- unzip \
- pv \
- gosu \
- signify-openbsd \
- python3 \
- wget \
- curl \
- ccache \
- rsync && \
- apt-get clean && \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+RUN echo 'deb http://deb.debian.org/debian testing main' \
+ > /etc/apt/sources.list.d/testing.list && \
+ apt-get update && \
+ apt-get install -t buster -y \
+ pwgen \
+ locales \
+ build-essential \
+ git-core \
+ subversion \
+ libncurses5-dev \
+ gawk \
+ unzip \
+ pv \
+ gosu \
+ signify-openbsd \
+ python3 \
+ wget \
+ curl \
+ ccache \
+ rsync && \
+ apt-get install -t testing -y \
+ buildbot-worker && \
+ apt-get clean && \
+ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG=en_US.utf8
diff --git a/docker/buildslave/files/start.sh b/docker/buildslave/files/start.sh
index 0067fb3..56f878d 100644
--- a/docker/buildslave/files/start.sh
+++ b/docker/buildslave/files/start.sh
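Review bot: The `testing` suite added at the top of this RUN stays enabled in the finished image, because `/etc/apt/sources.list.d/testing.list` is never removed and no APT pin is set. Any later `apt-get install` or upgrade in a derived image or a running container can then select packages from a rolling suite, and `apt-get install -t testing -y buildbot-worker` can itself pull the worker's dependencies from testing, so the image content drifts from one build to the next. After the `buildbot-worker` install I would drop the extra source and the package lists in the same layer, `rm -f /etc/apt/sources.list.d/testing.list && rm -rf /var/lib/apt/lists/* && \`, or add a preferences entry that gives testing a low priority. Adding `--no-install-recommends` to both install commands would also keep unrequested packages out of a worker image that runs build jobs.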
@@ -12,13 +12,20 @@ rm -f /builder/buildbot.tac
-/usr/bin/buildslave create-slave --force --umask=022 /builder \
+/usr/bin/buildbot-worker create-worker --force --umask="0o22" /builder \
 "$BUILDSLAVE_MASTER" "$BUILDSLAVE_NAME" "$BUILDSLAVE_PASSWORD"
+if [ "$BUILDSLAVE_TLS" = 1 ]; then
+ sed -i \
+ -e 's#(buildmaster_host, port, #(None, None, #' \
+ -e 's#allow_shutdown=allow_shutdown#&, connection_string="TLS:%s:%d:trustRoots=/certs" %(buildmaster_host, port)#' \
+ /builder/buildbot.tac
+fi
+
 echo "$BUILDSLAVE_ADMIN" > /builder/info/admin
 echo "$BUILDSLAVE_DESCRIPTION" > /builder/info/host
 unset BUILDSLAVE_ADMIN BUILDSLAVE_DESCRIPTION BUILDSLAVE_MASTER BUILDSLAVE_NAME BUILDSLAVE_PASSWORD
 rm -f /builder/twistd.pid
-exec /usr/bin/buildslave start --nodaemon /builder
+exec /usr/bin/buildbot-worker start --nodaemon /builder
diff --git a/docker/config.ini b/docker/config.ini
index 09e4258..79c3e6b 100644
--- a/docker/config.ini
+++ b/docker/config.ini
@@ -9,7 +9,7 @@ status_user = admin
 status_password = admin
 buildbot_url = http://buildmaster-phase1:8010/
 expire = 1209600
-port = 9989
+port = ssl:9989:privateKey=/certs/master.key:certKey=/certs/master.crt
 config_seed = # Seed configuration
 CONFIG_BUILDBOT=y
 CONFIG_DEVEL=y
@@ -22,7 +22,7 @@ status_bind = tcp:8011:interface=0.0.0.0
 status_user = admin
 status_password = admin
 buildbot_url = http://buildmaster-phase2:8011/
-port = 9990
+port = ssl:9990:privateKey=/certs/master.key:certKey=/certs/master.crt
 persistent = false
 [repo]
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 93f7c83..28f0b9e 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -29,6 +29,8 @@ services:
 - '9989:9989'
 volumes:
 - './config.ini:/config.ini'
+ - './certs/buildmaster-phase1.crt:/certs/master.crt'
+ - './certs/buildmaster-phase1.key:/certs/master.key'
 - './build/master-phase1:/master'
 buildmaster-phase2:
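Review bot: Nothing checks that the two `sed -e` expressions inside the `BUILDSLAVE_TLS` branch actually matched; `sed -i` exits 0 when a pattern is absent, so a change in the `buildbot.tac` template that `create-worker` generates could leave the worker set up for a plain-TCP connection while the operator believes TLS is on. A guard right after the `sed`, for example `grep -q 'connection_string="TLS:' /builder/buildbot.tac || { echo 'TLS patch did not apply' >&2; exit 1; }`, makes that failure visible before the worker starts. `BUILDSLAVE_TLS` is also missing from the `unset` list further down, and the `[ "$BUILDSLAVE_TLS" = 1 ]` test means an unset or mistyped value silently selects the unencrypted path. The top of the script is outside the hunk, so I cannot see whether `set -e` is in effect.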
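Review bot: The certificate and private-key bind mounts added under `volumes:` are mounted read-write (the default), which the master does not need in order to read them. I would mount them read-only, e.g. `- './certs/buildmaster-phase1.key:/certs/master.key:ro'` and the same for the `.crt` line, so that a compromised service cannot replace the key material on the host. The same applies to the phase2 master mounts in the next hunk and to the `./certs/ca.crt:/certs/ca.pem` mounts in the two buildslave hunks, where a writable trust root matters more because workers run build jobs. Since `./certs/` now holds private keys inside the working tree, it is worth confirming that the directory is excluded from version control; no ignore file is visible in this patch.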
@@ -46,6 +48,8 @@ services:
 - '9990:9990'
 volumes:
 - './config.ini:/config.ini'
+ - './certs/buildmaster-phase2.crt:/certs/master.crt'
+ - './certs/buildmaster-phase2.key:/certs/master.key'
 - './build/master-phase2:/master'
 buildslave-phase1:
@@ -59,10 +63,12 @@ services:
 BUILDSLAVE_MASTER: buildmaster-phase1:9989
 BUILDSLAVE_NAME: buildslave-phase1
 BUILDSLAVE_PASSWORD: secret
+ BUILDSLAVE_TLS: '1'
 links:
 - 'rsync-server'
 - 'buildmaster-phase1'
 volumes:
+ - './certs/ca.crt:/certs/ca.pem'
 - './build/slave-phase1:/builder'
 buildslave-phase2:
@@ -76,8 +82,10 @@ services:
 BUILDSLAVE_MASTER: buildmaster-phase2:9990
 BUILDSLAVE_NAME: buildslave-phase2
 BUILDSLAVE_PASSWORD: secret
+ BUILDSLAVE_TLS: '1'
 links:
 - 'rsync-server'
 - 'buildmaster-phase2'
 volumes:
+ - './certs/ca.crt:/certs/ca.pem'
 - './build/slave-phase2:/builder'
--
2.30.2
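Review bot: The rename from `ca.crt` to `/certs/ca.pem` in the buildslave-phase1 mount is undocumented, and it looks load-bearing: start.sh passes `trustRoots=/certs`, and as far as I know Twisted only loads files ending in `.pem` from a trustRoots directory. A comment above the mount, `# worker trusts every *.pem under /certs (trustRoots in start.sh); keep the .pem suffix`, would stop someone from tidying the name back to `.crt` and breaking verification. It would also help to state that the master certificates must be issued for the service names used in `BUILDSLAVE_MASTER` (`buildmaster-phase1`, `buildmaster-phase2`), assuming the TLS endpoint checks the host name. The same comment fits the buildslave-phase2 hunk that follows.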