From b4ab40f74633c6e536bb01d113fc145c0c2cfd7f Mon Sep 17 00:00:00 2001
From: Raito Bezarius <raito@lix.systems>
Date: Mon, 6 May 2024 19:39:16 +0200
Subject: [PATCH] chore(gerrit): offer projects configuration and factor out
 private SSH keys

Previously, we needed to hardcode the URL for private SSH keys,
this is cleaned up and we can iterate over each project for its
configuration.

Configuration is at deployment time.

Signed-off-by: Raito Bezarius <raito@lix.systems>
---
 buildbot_nix/__init__.py | 41 +++++++++++++++++++++++++---------------
 nix/coordinator.nix      |  9 +++++++++
 2 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/buildbot_nix/__init__.py b/buildbot_nix/__init__.py
index 147b9ea..2c982e7 100644
--- a/buildbot_nix/__init__.py
+++ b/buildbot_nix/__init__.py
@@ -81,6 +81,8 @@ class BuildbotNixError(Exception):
 class GerritProject:
     # `project` field.
     name: str
+    # Private SSH key path to access Gerrit API
+    private_sshkey_path: str
 
 class BuildTrigger(steps.BuildStep):
     def __init__(
@@ -652,7 +654,7 @@ def config_for_project(
         ],
     )
     gerrit_private_key = None
-    with open('/var/lib/buildbot/master/id_gerrit', 'r') as f:
+    with open(project.private_sshkey_path, 'r') as f:
         gerrit_private_key = f.read()
 
     if gerrit_private_key is None:
@@ -775,6 +777,7 @@ class GerritNixConfigurator(ConfiguratorBase):
         gerrit_user: str,
         gerrit_port: int,
         gerrit_sshkey_path: str,
+        projects: list[str],
         url: str,
         nix_supported_systems: list[str],
         nix_eval_worker_count: int | None,
@@ -788,17 +791,24 @@ class GerritNixConfigurator(ConfiguratorBase):
         self.gerrit_server = gerrit_server
         self.gerrit_user = gerrit_user
         self.gerrit_port = gerrit_port
+        self.gerrit_sshkey_path = gerrit_sshkey_path
+        self.projects = projects
+
         self.nix_workers_secret_name = nix_workers_secret_name
         self.nix_eval_max_memory_size = nix_eval_max_memory_size
         self.nix_eval_worker_count = nix_eval_worker_count
         self.nix_supported_systems = nix_supported_systems
+
         self.gerrit_change_source = GerritChangeSource(gerrit_server, gerrit_user, gerritport=gerrit_port, identity_file=gerrit_sshkey_path)
+
         self.url = url
         self.prometheus_config = prometheus_config
+
         if binary_cache_config is not None:
             self.binary_cache_config = S3BinaryCacheConfig(**binary_cache_config)
         else:
             self.binary_cache_config = None
+
         self.signing_keyfile = signing_keyfile
 
     def configure(self, config: dict[str, Any]) -> None:
@@ -819,24 +829,24 @@ class GerritNixConfigurator(ConfiguratorBase):
 
         eval_lock = util.MasterLock("nix-eval")
 
-        # Configure the Lix project.
-        config_for_project(
-            config,
-            GerritProject(name="lix"),
-            worker_names,
-            self.nix_supported_systems,
-            self.nix_eval_worker_count or multiprocessing.cpu_count(),
-            self.nix_eval_max_memory_size,
-            eval_lock,
-            signing_keyfile=self.signing_keyfile,
-            binary_cache_config=self.binary_cache_config
-        )
+        for project in self.projects:
+            config_for_project(
+                config,
+                GerritProject(name=project, private_sshkey_path=self.gerrit_sshkey_path),
+                worker_names,
+                self.nix_supported_systems,
+                self.nix_eval_worker_count or multiprocessing.cpu_count(),
+                self.nix_eval_max_memory_size,
+                eval_lock,
+                signing_keyfile=self.signing_keyfile,
+                binary_cache_config=self.binary_cache_config
+            )
 
         config["change_source"] = self.gerrit_change_source
         config["services"].append(
             reporters.GerritStatusPush(self.gerrit_server, self.gerrit_user,
-                                       port=2022,
-                                       identity_file='/var/lib/buildbot/master/id_gerrit',
+                                       port=self.gerrit_port,
+                                       identity_file=self.gerrit_sshkey_path,
                                        summaryCB=None,
                                        startCB=None,
                                        wantSteps=True,
@@ -853,6 +863,7 @@ class GerritNixConfigurator(ConfiguratorBase):
             if not ref.startswith('refs/changes/'):
                 return ref
             return ref.rsplit('/', 1)[0]
+
         config["services"].append(
             util.OldBuildCanceller(
                 "lix_build_canceller",
diff --git a/nix/coordinator.nix b/nix/coordinator.nix
index acb7d2f..e92a581 100644
--- a/nix/coordinator.nix
+++ b/nix/coordinator.nix
@@ -98,6 +98,14 @@ in
           '';
           example = "/var/lib/buildbot/master/id_gerrit";
         };
+
+        projects = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          description = ''
+            List of projects which are to check on Gerrit.
+          '';
+          example = [ "lix" ];
+        };
       };
 
       binaryCache = {
@@ -162,6 +170,7 @@ in
               "${cfg.gerrit.username}",
               "${toString cfg.gerrit.port}",
               "${cfg.gerrit.privateKeyFile}",
+              projects=${builtins.toJSON cfg.gerrit.projects},
               url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
               nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
               nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},