feat(services/ofborg/rabbitmq): pre-provision accounts, vhosts and permissions

No need to do it manually. In the future, we should rework a bit the permissions for various accounts. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-02 18:24:01 +01:00 · 2025-01-02 18:24:01 +01:00 · 6466155768
commit 6466155768
parent ab87514fe5
1 changed files with 50 additions and 0 deletions
--- a/services/ofborg/default.nix
+++ b/services/ofborg/default.nix
@ -8,6 +8,40 @@ let
  amqpPort = 5671;
  generators = pkgs.formats.json { };
  configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
+  mkOfborgUser = binaryName: {
+    name = "ofborg-${binaryName}";
+    tags = [ ];
+  };
+  mkOfborgPermissions = binaryName: {
+    user = "ofborg-${binaryName}";
+    vhost = "/";
+
+    # TODO(security): harden this.
+    configure = ".*";
+    read = ".*";
+    write = ".*";
+  };
+  mkOperatorUser = name: {
+    inherit name;
+    tags = [ "administrator" ];
+  };
+  mkOperatorPermissions = user: {
+    inherit user;
+    vhost = "/";
+
+    # TODO(security): should root operators be able to configure?
+    configure = ".*";
+    read = ".*";
+    write = ".*";
+  };
+  ofborgBinaries = [
+    "pastebin"
+    "gerrit-event-streamer"
+    "gerrit-generic-vcs-filter"
+    "mass-rebuilder"
+    "builder"
+    "stats"
+  ];
  mkOfborgWorker = binaryName: extra: extra // {
    vault = {
      template = ''
@ -164,6 +198,22 @@ in {
          # TLS authentication via X.509
          "auth_mechanisms.1" = "EXTERNAL";
          "ssl_cert_login_from" = "common_name";
+          # Automatic import of users on first boot.
+          "definitions.skip_if_unchanged" = "true";
+          "definitions.import_backend" = "local_filesystem";
+          "definitions.local.path" = "${pkgs.writeText "rabbitmq-defs.json" (builtins.toJSON {
+            # Generate users with no password hash for all operators.
+            # So they can login using mTLS.
+            users = map mkOfborgUser ofborgBinaries
+            ++ map mkOperatorUser [ "raito" ];
+            permissions = map mkOfborgPermissions ofborgBinaries ++ map mkOperatorPermissions [ "raito" ];
+            # The default vhost where we do our things.
+            vhosts = [
+              {
+                name = "/";
+              }
+            ];
+          })}";
        };
      };
    })