infra/services/ofborg/default.nix

{ pkgs, config, lib, ... }:

let
  inherit (lib) mkIf mkMerge;
  cfg = config.bagel.services.ofborg;

  amqpHost = "amqp.forkos.org";
  amqpPort = 5671;
  generators = pkgs.formats.json { };
  configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
  mkOfborgWorker = binaryName: extra: extra // {
    wantedBy = [ "multi-user.target" ];
    description = "ofborg CI service - ${binaryName} worker";
    after = [ "rabbitmq.service" ];
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";
      # TODO: more hardening.
      StateDirectory = "ofborg";
      LogsDirectory = "ofborg";
      WorkingDirectory = "/var/lib/ofborg";
      LoadCredential = [ "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}" ];
    };
  };
in {
  options.bagel.services.ofborg = with lib; {
    rabbitmq.enable = mkEnableOption "ofborg AMQP queue";
    builder.enable = mkEnableOption "ofborg builder worker";
    pastebin.enable = mkEnableOption "ofborg pastebin service";
    mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
    stats.enable = mkEnableOption "ofborg prometheus worker";

    package = mkPackageOption pkgs "ofborg" { };

    settings = mkOption {
      type = generators.type;
    };
  };

  config = mkMerge [
    {
      age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;
      # TODO: move this to global.
      bagel.services.ofborg.settings = {
        rabbitmq = {
          ssl = true;
          host = "amqp.forkos.org";
          virtualhost = "amqp.forkos.org";
          username = "worker";
          password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";
        };
        feedback.full_logs = lib.mkDefault true;
        log_storage.path = lib.mkDefault "/var/log/ofborg";
        runner = {
          identity = config.networking.fqdn;
          repos = lib.mkDefault [
            "nixpkgs"
            "ofborg"
          ];

          disable_trusted_users = true;
        };
        checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";
        nix = {
          system = "x86_64-linux";
          remote = "daemon";
          build_timeout_seconds = 3600;
          initial_heap_size = "4g";
        };

        pastebin = {
          root = "$STATE_DIRECTORY/pastebins";
          db = "$STATE_DIRECTORY/db.json";
        };

        # We use Gerrit.
        vcs = "Gerrit";
        gerrit = {
          instance_uri = "cl.forkos.org";
          ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
          ssh_port = 29418;
        };
      };
    }
    (mkIf cfg.rabbitmq.enable {
      services.nginx.enable = true;
      services.rabbitmq = {
        enable = true;
        configItems = {
          "listeners.tcp" = "none";
          "listeners.ssl.default" = builtins.toString amqpPort;
          "ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
          "ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
        };
      };

      security.acme.certs.${amqpHost} = {
        webroot = "/var/lib/acme/.challenges";
        group = "rabbitmq";
      };
      services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
        "/var/lib/acme/.challenges";
      systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];

      networking.firewall.allowedTCPPorts = [ amqpPort ];
    })
    (mkIf cfg.pastebin.enable {
      systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };
    })
    (mkIf cfg.mass-rebuilder.enable {
      systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };
    })
    (mkIf cfg.builder.enable {
      systemd.services.ofborg-builder = mkOfborgWorker "builder" { };
    })
    (mkIf cfg.stats.enable {
      systemd.services.ofborg-stats = mkOfborgWorker "stats" { };
    })
  ];
    # systemd.services.ofborg-log-message-collector = {};
    # systemd.services.ofborg-evaluation-filter = {};
    # systemd.services.ofborg-vcs-comment-filter = {};
    # systemd.services.ofborg-vcs-comment-poster = {};
}
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`{ pkgs, config, lib, ... }:`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00
			`let`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`inherit (lib) mkIf mkMerge;`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00			`cfg = config.bagel.services.ofborg;`

			`amqpHost = "amqp.forkos.org";`
			`amqpPort = 5671;`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`generators = pkgs.formats.json { };`
			`configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;`
			`mkOfborgWorker = binaryName: extra: extra // {`
			`wantedBy = [ "multi-user.target" ];`
			`description = "ofborg CI service - ${binaryName} worker";`
			`after = [ "rabbitmq.service" ];`
			`serviceConfig = {`
			`DynamicUser = true;`
			`ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";`
			`# TODO: more hardening.`
			`StateDirectory = "ofborg";`
			`LogsDirectory = "ofborg";`
			`WorkingDirectory = "/var/lib/ofborg";`
			`LoadCredential = [ "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}" ];`
			`};`
			`};`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00			`in {`
			`options.bagel.services.ofborg = with lib; {`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`rabbitmq.enable = mkEnableOption "ofborg AMQP queue";`
			`builder.enable = mkEnableOption "ofborg builder worker";`
feat: introduce ofborg pastebin service The web service is not available yet. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-11-14 18:27:11 +00:00			`pastebin.enable = mkEnableOption "ofborg pastebin service";`
feat: introduce ofborg mass rebuilder With Gerrit support. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-11-14 17:53:51 +00:00			`mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";`
feat: introduce ofborg stats Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 17:12:41 +00:00			`stats.enable = mkEnableOption "ofborg prometheus worker";`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`package = mkPackageOption pkgs "ofborg" { };`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`settings = mkOption {`
			`type = generators.type;`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00			`};`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`};`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`config = mkMerge [`
			`{`
			`age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;`
			`# TODO: move this to global.`
			`bagel.services.ofborg.settings = {`
			`rabbitmq = {`
			`ssl = true;`
			`host = "amqp.forkos.org";`
			`virtualhost = "amqp.forkos.org";`
			`username = "worker";`
			`password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";`
			`};`
			`feedback.full_logs = lib.mkDefault true;`
			`log_storage.path = lib.mkDefault "/var/log/ofborg";`
			`runner = {`
			`identity = config.networking.fqdn;`
			`repos = lib.mkDefault [`
			`"nixpkgs"`
			`"ofborg"`
			`];`
ofborg: enable nginx for certs 2024-11-17 11:48:08 +00:00
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`disable_trusted_users = true;`
			`};`
			`checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";`
			`nix = {`
			`system = "x86_64-linux";`
			`remote = "daemon";`
			`build_timeout_seconds = 3600;`
			`initial_heap_size = "4g";`
			`};`
feat: introduce ofborg pastebin service The web service is not available yet. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-11-14 18:27:11 +00:00
			`pastebin = {`
			`root = "$STATE_DIRECTORY/pastebins";`
			`db = "$STATE_DIRECTORY/db.json";`
			`};`
feat: introduce ofborg mass rebuilder With Gerrit support. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-11-14 17:53:51 +00:00
			`# We use Gerrit.`
			`vcs = "Gerrit";`
			`gerrit = {`
			`instance_uri = "cl.forkos.org";`
			`ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";`
			`ssh_port = 29418;`
			`};`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`};`
			`}`
			`(mkIf cfg.rabbitmq.enable {`
			`services.nginx.enable = true;`
			`services.rabbitmq = {`
			`enable = true;`
			`configItems = {`
			`"listeners.tcp" = "none";`
			`"listeners.ssl.default" = builtins.toString amqpPort;`
			`"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";`
			`"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";`
			`};`
			`};`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`security.acme.certs.${amqpHost} = {`
			`webroot = "/var/lib/acme/.challenges";`
			`group = "rabbitmq";`
			`};`
			`services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =`
			`"/var/lib/acme/.challenges";`
			`systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];`

			`networking.firewall.allowedTCPPorts = [ amqpPort ];`
			`})`
feat: introduce ofborg pastebin service The web service is not available yet. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-11-14 18:27:11 +00:00			`(mkIf cfg.pastebin.enable {`
			`systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };`
			`})`
feat: introduce ofborg mass rebuilder With Gerrit support. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-11-14 17:53:51 +00:00			`(mkIf cfg.mass-rebuilder.enable {`
			`systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };`
			`})`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`(mkIf cfg.builder.enable {`
			`systemd.services.ofborg-builder = mkOfborgWorker "builder" { };`
			`})`
feat: introduce ofborg stats Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 17:12:41 +00:00			`(mkIf cfg.stats.enable {`
			`systemd.services.ofborg-stats = mkOfborgWorker "stats" { };`
			`})`
feat: introduce ofborg builder Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-28 14:38:29 +00:00			`];`
			`# systemd.services.ofborg-log-message-collector = {};`
			`# systemd.services.ofborg-evaluation-filter = {};`
			`# systemd.services.ofborg-vcs-comment-filter = {};`
			`# systemd.services.ofborg-vcs-comment-poster = {};`
services: add ofborg, currently running rabbitmq only 2024-07-08 21:55:11 +00:00			`}`