raito
f4588aff2b
This introduces the private SSH key for Gerrit event streaming. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
{ pkgs, config, lib, ... }:
let
inherit (lib) mkIf mkMerge optional hasAttr;

# Short-hand for this module's own option tree (`bagel.services.ofborg`).
cfg = config.bagel.services.ofborg;

# The AMQP broker endpoint. The `rabbitmq.enable` branch below exposes a TLS
# listener only, on `amqpPort`, and opens exactly that port in the firewall.
amqpHost = "amqp.forkos.org";
amqpPort = 5671;

# ofborg takes a single JSON file as its configuration; using the module
# system's JSON format gives us both the renderer and a type for `settings`.
generators = pkgs.formats.json { };

# NOTE(security): this rendered file lives in the world-readable Nix store.
# Secrets must therefore only ever be *referenced* from `settings`
# (`$CREDENTIALS_DIRECTORY/...`), never inlined; the secret material is
# delivered to each unit through `LoadCredential` in mkOfborgWorker.
configFile = generators.generate "ofborg-config.json" cfg.settings;
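# Build the systemd unit for one ofborg worker.
#
# `binaryName` is the executable under `${cfg.package}/bin` that receives the
# rendered config file as its only argument. `extra` is merged *under* the
# fixed attribute set (`extra // { ... }`), so callers may add attributes such
# as `path`, but cannot override `serviceConfig`, `after` or `wantedBy`.
#
# Secrets never reach the worker through the filesystem path of the agenix
# secret: systemd reads the file at unit start and exposes it under
# `$CREDENTIALS_DIRECTORY`, which is what `settings` points at. This keeps
# the config file in the store free of secret material.
#
# NOTE(security): credentials are attached based on which agenix secrets are
# *declared on the host*, not on which worker needs them. On a host that runs
# the Gerrit event streamer next to e.g. the builder or mass-rebuilder, every
# worker unit also receives `gerrit-ssh-key` under a predictable path
# (/run/credentials/<unit>/gerrit-ssh-key). Whether a worker that evaluates
# untrusted changes could read it is not decidable from this file — confirm,
# and scope the credential per worker once it is known which binaries talk
# to Gerrit over SSH.
mkOfborgWorker = binaryName: extra: extra // {
  wantedBy = [ "multi-user.target" ];
  description = "ofborg CI service - ${binaryName} worker";
  after = [ "rabbitmq.service" ];

  serviceConfig = {
    DynamicUser = true;
    ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";

    StateDirectory = "ofborg";
    LogsDirectory = "ofborg";
    RuntimeDirectory = "ofborg";
    WorkingDirectory = "/var/lib/ofborg";

    # Only declared secrets are loaded; the credential names on the left are
    # the ones `settings` references via `$CREDENTIALS_DIRECTORY`.
    LoadCredential =
      optional (hasAttr "rabbitmq-password" config.age.secrets)
        "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}"
      ++ optional (hasAttr "gerrit-event-listener-ssh-key" config.age.secrets)
        "gerrit-ssh-key:${config.age.secrets.gerrit-event-listener-ssh-key.path}";

    # NOTE: RuntimeDirectory is removed when the unit stops, so whatever a
    # worker keeps under XDG_STATE_HOME does not survive a restart.
    Environment = [
      "XDG_STATE_HOME=/run/ofborg"
    ];

    # Sandboxing on top of what DynamicUser already implies per systemd.exec(5)
    # (ProtectSystem=strict, ProtectHome, PrivateTmp, NoNewPrivileges, RemoveIPC,
    # RestrictSUIDSGID). Chosen so as not to interfere with what the workers
    # visibly do here: talk to the broker and Gerrit over TCP, reach the
    # nix-daemon socket (`nix.remote = "daemon"`), and use their own
    # State/Logs/Runtime directories.
    CapabilityBoundingSet = "";
    LockPersonality = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectProc = "invisible";
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    RestrictNamespaces = true;
    RestrictRealtime = true;
    SystemCallArchitectures = "native";
    # TODO: SystemCallFilter, MemoryDenyWriteExecute and a per-worker
    # IPAddressAllow list are deliberately left out until they have been
    # validated against the evaluator (nix-instantiate) and the ssh client.
  };
};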
in {
options.bagel.services.ofborg = {
  # One switch per ofborg component so a host can run any subset of the
  # pipeline; each enabled component becomes its own systemd unit in `config`.
  rabbitmq.enable = lib.mkEnableOption "ofborg AMQP queue";
  builder.enable = lib.mkEnableOption "ofborg builder worker";
  pastebin.enable = lib.mkEnableOption "ofborg pastebin service";
  statcheck-worker.enable = lib.mkEnableOption "ofborg status & checks worker";
  mass-rebuilder.enable = lib.mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
  stats.enable = lib.mkEnableOption "ofborg prometheus worker";

  gerrit-event-streamer.enable = lib.mkEnableOption "ofborg's Gerrit event streamer";
  gerrit-generic-vcs-filter.enable = lib.mkEnableOption "ofborg's Gerrit event transformer to generic VCS events";

  package = lib.mkPackageOption pkgs "ofborg" { };

  # Rendered as-is to the JSON config file passed to every worker. Because
  # that file is in the Nix store, secrets must be referenced through
  # `$CREDENTIALS_DIRECTORY` and never written into this option.
  settings = lib.mkOption {
    type = generators.type;
  };
};
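config = mkMerge [
  {
    # Shared worker configuration. Everything here is rendered into the Nix
    # store, so only *references* to secrets ($CREDENTIALS_DIRECTORY/...) may
    # appear; the secret files themselves arrive via LoadCredential.
    # TODO: move this to global.
    bagel.services.ofborg.settings = {
      rabbitmq = {
        ssl = true;
        # Same host the broker's certificate and TLS listener are configured
        # for below; go through `amqpHost` so the two cannot drift apart.
        # No port is given here, so the client relies on ofborg's default for
        # `ssl = true` matching the `amqpPort` listener — confirm if either
        # side changes.
        host = amqpHost;
        virtualhost = "/";
        username = "ofborg";
        password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";
      };

      feedback.full_logs = lib.mkDefault true;
      # Matches the unit's LogsDirectory = "ofborg".
      log_storage.path = lib.mkDefault "/var/log/ofborg";

      runner = {
        identity = config.networking.fqdn;
        repos = lib.mkDefault [
          "nixpkgs"
          "ofborg"
        ];

        # As the option name suggests: no elevated treatment for any
        # "trusted users" list — every submitter gets the same handling.
        disable_trusted_users = true;
      };

      checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";

      nix = {
        system = "x86_64-linux";
        # Builds are delegated to the host's nix-daemon instead of being run by
        # the unprivileged worker itself; presumably the daemon's build sandbox
        # is what isolates builds of submitted changes — confirm.
        remote = "daemon";
        build_timeout_seconds = 3600;
        initial_heap_size = "4g";
      };

      pastebin = {
        root = "$STATE_DIRECTORY/pastebins";
        db = "$STATE_DIRECTORY/db.json";
      };

      statcheck = {
        db = "$STATE_DIRECTORY/db.sqlite";
      };

      # We use Gerrit.
      vcs = "Gerrit";
      gerrit = {
        instance_uri = "cl.forkos.org";
        username = "ofborg-event-listener";
        # Delivered by LoadCredential; this path only exists inside the unit.
        ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
        ssh_port = 29418;
        # NOTE(security): nothing in this module pins the SSH host key of
        # [cl.forkos.org]:29418. Unless it is declared elsewhere (e.g. via
        # programs.ssh.knownHosts), the first connection either fails on an
        # unknown host key or — if ofborg relaxes host key checking — is
        # exposed to an active MITM. Confirm and pin the key.
      };
    };
  }

  (mkIf cfg.rabbitmq.enable {
    # No owner/mode override: the secret is read by systemd at unit start and
    # handed to the worker as a credential, so the dynamic user never needs
    # access to the decrypted file itself.
    # NOTE: this is the only place the secret is declared, so a host that runs
    # workers but not the broker gets no `rabbitmq-password` credential and
    # its workers cannot authenticate — presumably covered by the global TODO
    # above; confirm.
    age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;

    services.nginx.enable = true;
    services.rabbitmq = {
      enable = true;
      configItems = {
        # TLS only: no plaintext AMQP listener at all.
        "listeners.tcp" = "none";
        "listeners.ssl.default" = builtins.toString amqpPort;
        "ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
        "ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
      };
    };

    # HTTP-01 through nginx; the certificate directory is made readable by the
    # rabbitmq group so the broker can load cert.pem/key.pem.
    security.acme.certs.${amqpHost} = {
      webroot = "/var/lib/acme/.challenges";
      group = "rabbitmq";
    };
    services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
      "/var/lib/acme/.challenges";
    # Do not start the broker before a certificate exists; its only listener
    # is the TLS one.
    systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];

    # Only the AMQPS port is opened here. Port 80 for the ACME challenge is not
    # opened by this module — confirm the global nginx configuration does.
    networking.firewall.allowedTCPPorts = [ amqpPort ];
  })

  (mkIf cfg.pastebin.enable {
    systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };
  })

  (mkIf cfg.statcheck-worker.enable {
    systemd.services.ofborg-statcheck-worker = mkOfborgWorker "statcheck-worker" { };
  })

  (mkIf cfg.gerrit-event-streamer.enable {
    # Declared only on hosts running the streamer, which is what makes
    # LoadCredential pick the key up there (for every worker unit on that
    # host — see mkOfborgWorker).
    age.secrets.gerrit-event-listener-ssh-key.file = ../../secrets/floral/gerrit-event-listener-ssh-key.age;

    systemd.services.ofborg-gerrit-event-streamer = mkOfborgWorker "gerrit-event-streamer" {
      # ssh(1) must be on PATH; presumably the streamer spawns the client for
      # the Gerrit event stream.
      path = [ pkgs.openssh ];
    };
  })

  (mkIf cfg.gerrit-generic-vcs-filter.enable {
    systemd.services.ofborg-gerrit-generic-vcs-filter = mkOfborgWorker "gerrit-generic-vcs-filter" { };
  })

  (mkIf cfg.mass-rebuilder.enable {
    systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };
  })

  (mkIf cfg.builder.enable {
    systemd.services.ofborg-builder = mkOfborgWorker "builder" { };
  })

  (mkIf cfg.stats.enable {
    systemd.services.ofborg-stats = mkOfborgWorker "stats" { };
  })
];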
# systemd.services.ofborg-log-message-collector = {};
|
|
# systemd.services.ofborg-evaluation-filter = {};
|
|
# systemd.services.ofborg-vcs-comment-filter = {};
|
|
# systemd.services.ofborg-vcs-comment-poster = {};
}