From 9a04ef909b3a7c093acb8fa83258cf58f27855f1 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Fri, 2 Aug 2024 00:33:42 +0200
Subject: [PATCH] feat(nixpkgs): run oxidized channel scripts

We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
 common/channels.nix                        |  32 +++
 flake.lock                                 |  21 ++
 flake.nix                                  |   4 +
 hosts/gerrit01/default.nix                 |  20 ++
 secrets.nix                                |   2 +
 secrets/s3-channel-keys.age                | Bin 0 -> 1220 bytes
 secrets/s3-channel-staging-keys.age        | Bin 0 -> 1220 bytes
 services/channel-scripts/default.nix       | 229 +++++++++++++++++++++
 services/channel-scripts/service-order.nix |  63 ++++++
 services/default.nix                       |   1 +
 10 files changed, 372 insertions(+)
 create mode 100644 common/channels.nix
 create mode 100644 secrets/s3-channel-keys.age
 create mode 100644 secrets/s3-channel-staging-keys.age
 create mode 100644 services/channel-scripts/default.nix
 create mode 100644 services/channel-scripts/service-order.nix

diff --git a/common/channels.nix b/common/channels.nix
new file mode 100644
index 0000000..4c6311c
--- /dev/null
+++ b/common/channels.nix
@@ -0,0 +1,32 @@
+# Taken from https://github.com/NixOS/infra/blob/master/channels.nix
+{
+  # "Channel name" = {
+  #   # This should be the <value> part of
+  #   # https://hydra.forkos.org/job/<value>/latest-finished
+  #   job = "project/jobset/jobname";
+  #
+  #   # When adding a new version, determine if it needs to be tagged as a
+  #   # variant -- for example:
+  #   # nixos-xx.xx         => primary
+  #   # nixos-xx.xx-small   => small
+  #   # nixos-xx.xx-darwin  => darwin
+  #   # nixos-xx.xx-aarch64 => aarch64
+  #   variant = "primary";
+  #
+  #   # Channel Status:
+  #   # '*-unstable' channels are always "rolling"
+  #   # Otherwise a release generally progresses through the following phases:
+  #   #
+  #   #  - Directly after branch off                   => "beta"
+  #   #  - Once the channel is released                => "stable"
+  #   #  - Once the next channel is released           => "deprecated"
+  #   #  - N months after the next channel is released => "unmaintained"
+  #   #    (check the release notes for when this should happen)
+  #   status = "beta";
+  # };
+  "forkos-unstable" = {
+    job = "forkos/nixos-main/tested";
+    variant = "primary";
+    status = "rolling";
+  };
+}
diff --git a/flake.lock b/flake.lock
index 0c2181a..e0039cf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -101,6 +101,26 @@
         "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
       }
     },
+    "channel-scripts": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725125429,
+        "narHash": "sha256-NUnlreY8tdWTzAMY82hMxEhvsv9bKCCG4qAQ0LJanHA=",
+        "ref": "refs/heads/main",
+        "rev": "cb5a2a2b07570fcbe3ad128d3d2a147305524600",
+        "revCount": 258,
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/channel-scripts.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/channel-scripts.git"
+      }
+    },
     "colmena": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -684,6 +704,7 @@
       "inputs": {
         "agenix": "agenix",
         "buildbot-nix": "buildbot-nix",
+        "channel-scripts": "channel-scripts",
         "colmena": "colmena",
         "gerrit-dashboard": "gerrit-dashboard",
         "grapevine": "grapevine",
diff --git a/flake.nix b/flake.nix
index 9349bcf..10fabcf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,9 @@
     buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/non-flakes";
     buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";
+    channel-scripts.inputs.nixpkgs.follows = "nixpkgs";
+
     lix.follows = "hydra/lix";
 
     grapevine = {
@@ -51,6 +54,7 @@
           inputs.hydra.overlays.default
           inputs.lix.overlays.default
           inputs.nix-gerrit.overlays.default
+          inputs.channel-scripts.overlays.default
         ];
       };
       terraform = pkgs.opentofu;
diff --git a/hosts/gerrit01/default.nix b/hosts/gerrit01/default.nix
index cb05025..a532697 100755
--- a/hosts/gerrit01/default.nix
+++ b/hosts/gerrit01/default.nix
@@ -121,6 +121,26 @@
     };
   };
 
+  age.secrets.s3-channel-staging-keys.file = ../../secrets/s3-channel-staging-keys.age;
+  bagel.nixpkgs.channel-scripts = {
+    enable = true;
+    otlp.enable = true;
+    nixpkgsUrl = "https://cl.forkos.org/nixpkgs.git";
+    hydraUrl = "https://hydra.forkos.org";
+    binaryCacheUrl = "https://cache.forkos.org";
+    baseUriForGitRevisions = "https://cl.forkos.org/plugins/gitiles/nixpkgs/+";
+    s3 = {
+      release = "bagel-channel-scripts-test";
+      channel = "bagel-channel-scripts-test";
+    };
+    releaseBucketCredentialsFile = config.age.secrets.s3-channel-staging-keys.path;
+    deployKeyFile = config.age.secrets.priv-ssh-key.path;
+    extraArgs = [
+      "--bypass-preflight-checks"
+    ];
+    channels = import ../../common/channels.nix;
+  };
+
   i18n.defaultLocale = "fr_FR.UTF-8";
 
   system.stateVersion = "24.05";
diff --git a/secrets.nix b/secrets.nix
index deb69e9..083da3f 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -33,6 +33,8 @@ let
     metrics-push-password = builtins.attrValues machines;
 
     ows-deploy-key = [ machines.gerrit01 ];
+    s3-channel-staging-keys = [ machines.gerrit01 ];
+    s3-channel-keys = [ machines.gerrit01 ];
 
     postgres-ca-priv = [ machines.bagel-box ];
     postgres-tls-priv = [ machines.bagel-box ];
diff --git a/secrets/s3-channel-keys.age b/secrets/s3-channel-keys.age
new file mode 100644
index 0000000000000000000000000000000000000000..e1d62041535ce743b89dff5ac6fe656cdb8bfe55
GIT binary patch
literal 1220
zcmZA0TdUgy00;2F(1-XibWR0P3v-Bu+9Yk7RNW+(rYDzPlD4^2o#vkOlC({eG!Yzg
z=omObPy|KYz=03jo9xVaM11gaU=D{4g)<a3+<ci2It7)9dpSPr6a3(R(OtV}2j)DR
zF8nZfG@QGo1O|$G3Q^=0Z3{tBxK==DkmwKv&f!}#nN$#3uzi$XBtyY(E#NXTUebdw
z>L-KI)Kz&Naq9pmOsXmcE;AbHO#1bKVuZ`VIISrV%Xh5Fv|;2eOJ*uyzkjpFmko?0
z3g&#l$(hlwYmVjl_ClLLGNnm!Q08HJBI|q;p$%`KG6)NF6Lk_!^v-DFFpIKHm?}H>
z5Cmo9l-E-%3<rYApeq$Pk8ak$nH&dh!NaOcz07&NVQQ7wAnx-rPE;!jE`)*1sR#zq
zoT+$GFgAhQ79|X4@d4qYWTvEJi$>#CJ|~f(gNIZ-Ubq<Vv~VP=Z))>MFO232C5S-V
zfbyo)HwK8~_!(7Ad!U)4l8?vSh{JK0ti(_yo0FrNFOUOtiqAaEBW$JA(*#{gb)d&v
zAcvR^+RDXVmMBqdMp!?<>_)=?os?}W!91etx`As;H6%LqhA_Z;y(Ok;Zat7YKq}5f
z+ibI5u1%G8Op-n^jcluiCDd3^gIT#%Q$|A&W>SQ)$%)0vc9pG97iq=gv5sH>JmWRs
z7T%P=<-DBC)Q-@g;5nB_mTQh6jkBl_2|Sb(Z$#=sWyZj44xHFkstg<MM4*7KldH+f
zOzcuQj$#NRt~ATA#dV{W#NkuDK~X~k5;WhzF+a_lk-sb_juJ@1tS;$_r2!$LgiJHl
z!WsoDE<}T*;c4k++MByAC8=nNg*n;lwwpvE&^0l0#yL6hDs@&JEunZ^nU`ZX_8F}i
zEt{?en5IMouGi6e%^}gAkf>XA1~Uogk$%o(P&H;Pnrp&iZsq@OH#JDAVK-iq&RVIf
z+DxEkWJBW{A)5qApxRy>=$2U$WxPHTJ1}kyO`uz~b%9WZwiYgH+8FXjEx(<Q!9|yu
zv5tghG?N>KB9>AJC>D!_-grP{rZv%r?w}VqLYu+KS}z-+BGWaofL~xjBO@J?vYWuU
z2kPuM552Iwe)@W%K6m)yFV#}>i}&xnaBTMvC-|qI*>donll$_QdfWEbPOrcEp0jn<
z9X)vz+zxd2UcR!8_#1xRUp=$;lj8@zs~r3Bt=%u*@>_Q5u^qRblQs^oomt&__LU3Y
z?p*f{K7VP~8_-kBi{8&y4(#3{-uJ<$Yis8}yZWo)M%1qOjz8NUos_p9da!V6jDLN1
z_3fi4g?-1l7f+Y}`swnXJF~^5507trdF|cXJ5TJqOFTmU`_*lq*WGZn_|C}Kdu08Q
t!9OR?7rwv$;K!YH^4i(0!Lu9t|Jc}pJihwyp{pJG&9!y%#P6?N_zxXUwCex>

literal 0
HcmV?d00001

diff --git a/secrets/s3-channel-staging-keys.age b/secrets/s3-channel-staging-keys.age
new file mode 100644
index 0000000000000000000000000000000000000000..a26a25d8bc3292941c44900f443c27414fea6398
GIT binary patch
literal 1220
zcmZXT+pF6I0Eb1U4|U)~wmF?rHV2OEm|N2{GAC)%q)mEB(xgp;7jkQorn#qA=F>Qn
zu^}>W15qC)qM(8x!VV1ah~qq{I};oTigLW*9O%oOZUe>hG9Tt&@WJ={ewuA9S%Hzv
zqs$G1$HT-1Cva}*P(DqaCCfxG3?}jj1&}<M*QB;=FWf#VXkw3wD<h1u>R_ulrcEW{
z6Tu*9r<qQ}jw0l=ngX_+CT?+^UWHAwfhgBCGHLlxlP`=N5b)-Btyvf`4f}Q)hw6Bl
z%+DpQi4)1V?M$K0jIKif*d;<k?GS|Bq__$;X`zJyjY$hTN6$0P@iL`Tq9|GKj;O8~
zEDB9@01G@el2kG+xdgz>m{xc@4T!trz|ISnDK{FtHLdfRHt2wQpAQpW1ZkQ;nzrP(
zqk%s4WqM8)a)wg%)I^*H1EdZFIHwJ9i{&U8&?aIHK<4dUDbZ?BkJ02?v?SH?Uec>H
zgj`w>M8pLaPSI#D0>HJ2g-YA0;-u7~0E1B)@C^{f$V$m5HXLC_O<Imph9%k2t$qeE
zIUa>ImGa8tP5o2GgY+`RLo^$J#8}cKzl3_JOthSKgNVU`887IC9mK30_90mv0$nCo
zh_$-QfrWWgA3{iz;eFj0`m!=;*YJws!!F$mfxv_nlQK~%E!Vops95yov>7QwALVlt
zQt?K!iaw&4PTw=8A|bZ`FGyJiVMZ+)qCu$ILz-?Z4dpnJi$iHvnUD>?ibS(1iw$xB
zOk+3~*)t_-EfBTJ`Z!T>CEic67Qu=Mj#(K)2}7njlfkYw<*_l5G1jPI_sy)!S93(i
zFRBx+BH$8eWmRKjb{zMAC4rNvU<i4(W`yiann@}|b=_8}+v|4<!*+4g1Bgw+VadTt
z4jx&sQq2KfyQ57CBZ1Ext1ju21Z8W^w2bmzi8gU3Hv6@t$8nwUf7{-A2_zEu=1asF
z0$M8BF9-32gzC6AuQm**o^p&TXoe8CU^?tm#Y#$rISmA)I-+7--QqQ8=JGxdLWZ{>
zJ(DMd5~AzmFsN!JTHEY)X(=zVb6->Kri24+i;T)3!IS|NOT((jm5Ok)U)EU9QR)MO
z%)Pqf!uA)=>^^z!(cOEVVBUQ2{XN&tU)NrK??!ybQ&RlO+11Lqi)UBW!DkaXTU&(0
zUil5QxAFUx6HAx=cwptg^0DpV=((%n`A<H+uLkT~`7=WQdAj=IJv+YNx3Rka@Zoj1
z`q<!G@oQ`Chs)CO4}Lsx^6rnGJwKjpJ+Q@))-Q+$4_ps!KJ@d(cQ@8f|8nEt<(Jmo
zGnW?2`Zw2}-?{5}^Kbb6eP7k~yp|nZw(ouTdfoZ*UE`v0^NX7+N4BnPd+XSz%X`bu
vNZVdtIdy#f$???>yU}Ux(8xXY&aXRmUD<El_1Bg=r*A)kA36H@Z$JGD26e5&

literal 0
HcmV?d00001

diff --git a/services/channel-scripts/default.nix b/services/channel-scripts/default.nix
new file mode 100644
index 0000000..082301f
--- /dev/null
+++ b/services/channel-scripts/default.nix
@@ -0,0 +1,229 @@
+{ lib, config, pkgs, ... }:
+let
+  inherit (lib) mkEnableOption mkOption types mkIf mapAttrsToList mkPackageOption concatStringsSep;
+  cfg = config.bagel.nixpkgs.channel-scripts;
+  toml = pkgs.formats.toml { };
+  configFile = toml.generate "forkos.toml" cfg.settings;
+  orderLib = import ./service-order.nix { inherit lib; };
+  makeUpdateJob = channelName: mainJob: {
+    name = "update-${channelName}";
+    value = {
+      description = "Update channel ${channelName}";
+      path = with pkgs; [ git ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = false;
+        User = "channel-scripts";
+        DynamicUser = true;
+        StateDirectory = "channel-scripts";
+        MemoryHigh = "80%";
+        EnvironmentFile = [
+          cfg.releaseBucketCredentialsFile
+        ];
+        Environment = cfg.extraEnvironment;
+      };
+      unitConfig.After = [ "networking.target" ];
+      script =
+      ''
+        # A stateful copy of nixpkgs
+        dir=/var/lib/channel-scripts/nixpkgs
+        if ! [[ -e $dir ]]; then
+          git clone --bare ${cfg.nixpkgsUrl} $dir
+        fi
+        GIT_DIR=$dir git config remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'
+
+        # TODO: use escapeShellArgs
+        exec ${cfg.package}/bin/mirror-forkos -c ${configFile} ${concatStringsSep " " cfg.extraArgs} apply ${channelName} ${mainJob}
+      '';
+    };
+  };
+  updateJobs = orderLib.mkOrderedChain (mapAttrsToList (n: { job, ... }: makeUpdateJob n job) cfg.channels);
+  channelOpts = { ... }: {
+    options = {
+      job = mkOption {
+        type = types.str;
+        example = "nixos/trunk-combined/tested";
+      };
+
+      variant = mkOption {
+        type = types.enum [ "primary" "small" "darwin" "aarch64" ];
+        example = "primary";
+      };
+
+      status = mkOption {
+        type = types.enum [ "beta" "stable" "deprecated" "unmaintained" "rolling" ];
+        example = "rolling";
+      };
+    };
+  };
+in
+{
+  options.bagel.nixpkgs.channel-scripts = {
+    enable = mkEnableOption ''the channel scripts.
+      Fast forwarding channel branches which are read-only except for this privileged bot
+      based on our Hydra acceptance tests.
+    '';
+
+    otlp.enable = mkEnableOption "the OTLP export process";
+
+    s3 = {
+      release = mkOption {
+        type = types.str;
+      };
+
+      channel = mkOption {
+        type = types.str;
+      };
+    };
+
+    package = mkPackageOption pkgs "mirror-forkos" { };
+
+    settings = mkOption {
+      type = types.attrsOf types.anything;
+    };
+
+    nixpkgsUrl = mkOption {
+      type = types.str;
+      default = "https://cl.forkos.org/nixpkgs.git";
+      description = "URL to the nixpkgs repository to clone and to push to";
+    };
+
+    binaryCacheUrl = mkOption {
+      type = types.str;
+      default = "https://cache.forkos.org";
+      description = "URL to the binary cache";
+    };
+
+    baseUriForGitRevisions = mkOption {
+      type = types.str;
+      description = "Base URI to generate link to a certain revision";
+    };
+
+    extraArgs = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = "Extra arguments passed to the mirroring program";
+    };
+
+    releaseBucketCredentialsFile = mkOption {
+      type = types.path;
+      description = ''Path to the release bucket credentials file exporting S3-style environment variables.
+        For example, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` for the S3 operations to work.
+      '';
+    };
+
+    deployKeyFile = mkOption {
+      type = types.path;
+      description = ''Path to the private SSH key which is allowed to deploy things to the protected channel references on the Git repository.
+      '';
+    };
+
+    hydraUrl = mkOption {
+      type = types.str;
+      default = "https://hydra.forkos.org";
+      description = "URL to the Hydra instance";
+    };
+
+    channels = mkOption {
+      type = types.attrsOf (types.submodule channelOpts);
+      description = "List of channels to mirror";
+    };
+
+    extraEnvironment = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "RUST_LOG=info"
+      ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    bagel.nixpkgs.channel-scripts.settings = {
+      hydra_uri = cfg.hydraUrl;
+      binary_cache_uri = cfg.binaryCacheUrl;
+      base_git_uri_for_revision = cfg.baseUriForGitRevisions;
+      nixpkgs_dir = "/var/lib/channel-scripts/nixpkgs";
+      s3_release_bucket_name = cfg.s3.release;
+      s3_channel_bucket_name = cfg.s3.channel;
+    };
+
+#     services.alloy = {
+#       enable = cfg.otlp.enable;
+#     };
+#
+#     bagel.services.channel-scripts.extraEnvironment = mkIf cfg.otlp.enable {
+#       OTLP_EXPORTER_OTLP_ENDPOINT = "127.0.0.1:9000";
+#       OTEL_EXPORTER_OTLP_PROTOCOL = "grpc";
+#     };
+#
+#     environment.etc."alloy/config.alloy".text = ''
+#       otelcol.auth.basic "forkos" {
+#         username = "promtail"
+#         password = env("/run/credentials/alloy.service/password")
+#       }
+#       otelcol.receiver.otlp "default" {
+#         grpc {
+#           endpoint = "127.0.0.1:9000"
+#         }
+#
+#         output {
+#           metrics = [otelcol.processor.batch.default.input]
+#           logs    = [otelcol.processor.batch.default.input]
+#           traces  = [otelcol.processor.batch.default.input]
+#         }
+#       }
+#
+#       otelcol.processor.batch "default" {
+#         output {
+#           metrics = [otelcol.exporter.otlp.default.input]
+#           logs    = [otelcol.exporter.otlp.default.input]
+#           traces  = [otelcol.exporter.otlp.default.input]
+#         }
+#       }
+#
+#       otelcol.exporter.otlp "default" {
+#         client {
+#           endpoint {
+#             url = "https://tempo.forkos.org"
+#             basic_auth {
+#               username = "promtail"
+#               password_file = "/run/credentials/alloy.service/password"
+#             }
+#           }
+#         }
+#       }
+#     '';
+#
+    users.users.channel-scripts = {
+      description = "Channel scripts user";
+      isSystemUser = true;
+      group = "channel-scripts";
+    };
+    users.groups.channel-scripts = {};
+
+    systemd.services = (lib.listToAttrs updateJobs) // {
+      "update-all-channels" = {
+        description = "Start all channel updates.";
+        unitConfig = {
+          After = map
+            (service: "${service.name}.service")
+            updateJobs;
+          Wants = map
+            (service: "${service.name}.service")
+            updateJobs;
+        };
+        script = "true";
+      };
+    };
+
+    systemd.timers."update-all-channels" = {
+      description = "Start all channel updates.";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnUnitInactiveSec = 600;
+        OnBootSec = 900;
+        AccuracySec = 300;
+      };
+    };
+  };
+}
diff --git a/services/channel-scripts/service-order.nix b/services/channel-scripts/service-order.nix
new file mode 100644
index 0000000..f41e555
--- /dev/null
+++ b/services/channel-scripts/service-order.nix
@@ -0,0 +1,63 @@
+# Vendored from https://raw.githubusercontent.com/NixOS/infra/master/lib/service-order.nix
+# TODO: get rid of me?
+# Ordering Services
+#
+# Given a set of services, make them run one at a time in a specific
+# order, on a timer.
+{ lib }:
+{
+  # Given a list of systemd service, give each one an After
+  # attribute, so they start in a specific order. The returned
+  # list can be converted in to a systemd.services attrset with
+  # `lib.listToAttrs`.
+  #
+  # Example:
+  #
+  #  mkOrderedChain [
+  #    { name = "foo"; value = { script = "true"; }; }
+  #    { name = "bar"; value = { script = "true"; }; }
+  #  ]
+  #
+  # => [
+  #  {
+  #    name = "foo";
+  #    value = {
+  #      script = "true";
+  #      unitConfig = { After = []; };
+  #    };
+  #  }
+  #  {
+  #    name = "bar";
+  #    value = {
+  #      script = "true";
+  #      unitConfig = { After = [ "bar" ]; };
+  #    };
+  #  }
+  #
+  mkOrderedChain = jobs: let
+    unitConfigFrom = job: job.unitConfig or {};
+    afterFrom = job: (unitConfigFrom job).After or [];
+    previousFrom = collector:
+      if collector ? previous
+      then [collector.previous]
+      else [];
+
+      ordered = builtins.foldl'
+        (collector: item: {
+          services = collector.services
+          ++ [{
+            inherit (item) name;
+            value = item.value // {
+              unitConfig = (unitConfigFrom item.value) //
+              {
+                After = (afterFrom item.value) ++
+                  (previousFrom collector);
+              };
+            };
+          }];
+          previous = "${item.name}.service";
+        })
+        { services = []; }
+        jobs;
+  in ordered.services;
+}
diff --git a/services/default.nix b/services/default.nix
index 9d009b5..3009878 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -1,6 +1,7 @@
 {
   imports = [
     ./gerrit
+    ./channel-scripts
     ./hydra
     ./matrix
     ./monitoring