From 6466155768a74db357b39017fdaa16b69d948808 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Thu, 2 Jan 2025 18:24:01 +0100
Subject: [PATCH] feat(services/ofborg/rabbitmq): pre-provision accounts, vhosts and permissions

No need to do it manually. In the future, we should rework a bit the permissions for various accounts.

Signed-off-by: Raito Bezarius
---
 services/ofborg/default.nix | 50 +++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/services/ofborg/default.nix b/services/ofborg/default.nix
index 3fbde05..de092f3 100644
--- a/services/ofborg/default.nix
+++ b/services/ofborg/default.nix
@@ -8,6 +8,40 @@ let
 amqpPort = 5671;
 generators = pkgs.formats.json { };
 configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
+ mkOfborgUser = binaryName: {
+ name = "ofborg-${binaryName}";
+ tags = [ ];
+ };
+ mkOfborgPermissions = binaryName: {
+ user = "ofborg-${binaryName}";
+ vhost = "/";
+
+ # TODO(security): harden this.
+ configure = ".*";
+ read = ".*";
+ write = ".*";
+ };
+ mkOperatorUser = name: {
+ inherit name;
+ tags = [ "administrator" ];
+ };
+ mkOperatorPermissions = user: {
+ inherit user;
+ vhost = "/";
+
+ # TODO(security): should root operators be able to configure?
+ configure = ".*";
+ read = ".*";
+ write = ".*";
+ };
+ ofborgBinaries = [
+ "pastebin"
+ "gerrit-event-streamer"
+ "gerrit-generic-vcs-filter"
+ "mass-rebuilder"
+ "builder"
+ "stats"
+ ];
 mkOfborgWorker = binaryName: extra: extra // {
 vault = {
 template = ''
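Review bot: `mkOfborgPermissions` gives every ofborg service account the same `configure`/`read`/`write` = `".*"` on vhost `/`, so the six separate users in `ofborgBinaries` provide audit attribution but no isolation: compromise of any one worker is full broker access, and the `TODO(security): harden this.` records the gap without tracking it. A least-privilege shape that keeps the call sites unchanged is to give the helper a per-binary resource pattern (the queue/exchange names each worker actually declares, which are not visible in this hunk) and default `configure` to that pattern rather than `".*"`; the same question applies to `configure = ".*"` in `mkOperatorPermissions`, as the second TODO notes. Separately, the user name `"ofborg-${binaryName}"` is derived independently in `mkOfborgUser` and `mkOfborgPermissions`; a single `ofborgUserName = binaryName: "ofborg-${binaryName}";` used by both keeps the `users` and `permissions` entries from drifting if the naming scheme changes.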
@@ -164,6 +198,22 @@ in {
 # TLS authentication via X.509
 "auth_mechanisms.1" = "EXTERNAL";
 "ssl_cert_login_from" = "common_name";
+ # Automatic import of users on first boot.
+ "definitions.skip_if_unchanged" = "true";
+ "definitions.import_backend" = "local_filesystem";
+ "definitions.local.path" = "${pkgs.writeText "rabbitmq-defs.json" (builtins.toJSON {
+ # Generate users with no password hash for all operators.
+ # So they can login using mTLS.
+ users = map mkOfborgUser ofborgBinaries
+ ++ map mkOperatorUser [ "raito" ];
+ permissions = map mkOfborgPermissions ofborgBinaries ++ map mkOperatorPermissions [ "raito" ];
+ # The default vhost where we do our things.
+ vhosts = [
+ {
+ name = "/";
+ }
+ ];
+ })}";
 };
 };
 })
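Review bot: The operator list `[ "raito" ]` is written out twice, once in the added `users` attribute and once in `permissions`, so a user added to one and not the other silently ends up either without permissions or with permissions for a non-existent account; hoist it into the `let` block next to `ofborgBinaries` as `operators = [ "raito" ];` and use `map mkOperatorUser operators` and `map mkOperatorPermissions operators`. The comment above `users` says "for all operators" but the first `map` covers the ofborg service accounts too; `# Users for the ofborg services and the operators, with no password hash so they can only authenticate via mTLS (EXTERNAL).` would be accurate. One caveat worth stating next to `definitions.skip_if_unchanged`: as far as I know RabbitMQ's definitions import only adds or updates objects and never deletes them, so an entry removed from `ofborgBinaries` or the operator list keeps its user and `.*` permissions on the broker until removed by hand, e.g. `# Import is additive: accounts removed here must also be deleted on the broker.`. The enclosing attribute set starts outside this hunk.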