From 80c475757185535f20fead3b00dd2c772caeddf8 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Thu, 4 Jul 2024 15:18:21 +0200
Subject: [PATCH] gerrit01: add a one-way-sync service

It's basic and does not handle conflicts which needs to be manually
managed.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
 hosts/gerrit01/default.nix       |  55 ++++++++++++++
 secrets.nix                      |   2 +
 secrets/ows-deploy-key.age       | Bin 0 -> 733 bytes
 services/gerrit/default.nix      |   1 +
 services/gerrit/one-way-sync.nix | 121 +++++++++++++++++++++++++++++++
 5 files changed, 179 insertions(+)
 create mode 100644 secrets/ows-deploy-key.age
 create mode 100644 services/gerrit/one-way-sync.nix

diff --git a/hosts/gerrit01/default.nix b/hosts/gerrit01/default.nix
index 49e93ae..de3a056 100755
--- a/hosts/gerrit01/default.nix
+++ b/hosts/gerrit01/default.nix
@@ -39,6 +39,61 @@
     data = "/gerrit-data";
   };
 
+  age.secrets.ows-deploy-key = {
+    file = ../../secrets/ows-deploy-key.age;
+    mode = "0600";
+    owner = "git";
+    group = "git";
+  };
+  bagel.nixpkgs.one-way-sync =
+  let
+    mkNixpkgsJob = { timer, branchName }: {
+      name = "nixpkgs-${branchName}";
+      fromUri = "https://github.com/NixOS/nixpkgs";
+      fromRefspec = branchName;
+      localRefspec = "refs/remotes/origin/${branchName}";
+      inherit timer;
+    };
+    in
+  {
+    enable = true;
+
+    pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
+    deployKeyPath = config.age.secrets.ows-deploy-key.path;
+
+    branches."refs/heads/master" = mkNixpkgsJob {
+      timer = "hourly";
+      branchName = "master";
+    };
+
+    branches."refs/heads/release-24.05" = mkNixpkgsJob {
+      timer = "hourly";
+      branchName = "release-24.05";
+    };
+
+    branches."refs/heads/release-23.11" = mkNixpkgsJob {
+      timer = "hourly";
+      branchName = "release-23.11";
+    };
+
+    # Testing jobs for personal sandbox branches
+    branches."refs/heads/sandbox/raito/raito-unstable-small" = {
+      name = "raito-unstable-sync";
+      fromUri = "https://github.com/NixOS/nixpkgs";
+      fromRefspec = "nixos-unstable-small";
+      localRefspec = "refs/remotes/origin/sandbox/raito/raito-unstable-small";
+      timer = "*-*-* 12:00:00";
+    };
+
+    branches."refs/heads/sandbox/raito/raito-nixos-24.05" = {
+      name = "raito-release-sync";
+      fromUri = "https://github.com/NixOS/nixpkgs";
+      fromRefspec = "nixos-24.05";
+      localRefspec = "refs/remotes/origin/sandbox/raito/raito-nixos-24.05";
+      timer = "daily";
+    };
+  };
+
   i18n.defaultLocale = "fr_FR.UTF-8";
 
   system.stateVersion = "24.05";
diff --git a/secrets.nix b/secrets.nix
index badeab9..8e83190 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -26,6 +26,8 @@ let
     # These are the same password, but nginx wants it in htpasswd format
     metrics-push-htpasswd = [ machines.meta01 ];
     metrics-push-password = builtins.attrValues machines;
+
+    ows-deploy-key = [ machines.gerrit01 ];
   };
 in
   builtins.listToAttrs (
diff --git a/secrets/ows-deploy-key.age b/secrets/ows-deploy-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..d2791d7654d18661f944abe755f8442e79124128
GIT binary patch
literal 733
zcmV<30wVokXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$b8~1dWn?lnH8D9LGDIsuP(dJ2
zL{czeMomy}a%M+2S5;AHFKAY8a4ULIXnJi+Z#iaUVN_UjGi+H=Ffa;2VlPokOHFDt
zc1lY&RZLYfNjEuiXl8X(SZQc+XHheCSwdoHWJzXEaa9T}J|J^*Xf0)AGBq_ZIUq|j
zVmCrTAZJixM?zsqRA^ReaBW6oF>^6&a7%1(NkUV2a6wO3SamdbLvv_PGBZR`3RX5!
zVQETQL3m|wdO>4Jb8>cBQdV|3D@`j}Gi7N(I4fB-S7}T$Xk|-h3N0-yAZ&I)Z+SOW
zb~H<QMM_XqI8;nGYGOxbR&i@-PC`jZO+i6#T1a7GWo|@k3SL~;yf-!nl7k3J_8Amk
zgJ$YXZLbj@&@*>b6j4dGp#_0(f#X;<rp40Yhb;v+4V8Z8U)P}I>AcHFX$Rv&47X*V
z9cise6t`}J<o#yCTFH5gAcu6g7~c}<Yg2{Z&KGF02fu1L?;W<u8;G$1XlzZJH@~4=
z&Y)mzEP*+6ynW|6>Wo9x>%dJ-8`{B6;ty)Ql=>1@Ww7tYxTfN7E{`fN<*m*)ezBI<
z#d_ym$*ASIjk0-)Uoe7?B3~U^Wf7w9qMb(;rkS7;@J`wrTqE+M!pU)cH5>g(ir4@+
z>zo`mEJ_m?5{&kTH38!3ewK^@`kfO(2Kp%ot5^rkzqQCwPZQh*k&!uyetUWX?rLV*
z<*36=S?10ys93>LplE9RGuyY7{X8F{_s#lD$9_nX0tA?F_`~DnEwnDuJ*o5XRtGf%
zF>2l%i`NfB=$Ps`!*%`?S!T3E;0~<}?fUu5b!0<l<Ph9i64g%XrR~38TgLE~PdCr5
zQud3<Y_5&IIx<3<OYHK(X(1Ek{0D2;oLjUHJdIc#YJ`w6$CrIBZ`h^halACqfbRv}
P<YO<=Qu$F-3aD}@5*Ist

literal 0
HcmV?d00001

diff --git a/services/gerrit/default.nix b/services/gerrit/default.nix
index 61e7ca8..7b2c72b 100644
--- a/services/gerrit/default.nix
+++ b/services/gerrit/default.nix
@@ -36,6 +36,7 @@ in
 
   imports = [
     ./www.nix
+    ./one-way-sync.nix
   ];
 
   config = mkIf cfg.enable {
diff --git a/services/gerrit/one-way-sync.nix b/services/gerrit/one-way-sync.nix
new file mode 100644
index 0000000..dfd0a4a
--- /dev/null
+++ b/services/gerrit/one-way-sync.nix
@@ -0,0 +1,121 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.bagel.nixpkgs.one-way-sync;
+  inherit (lib) mkIf mkOption mkEnableOption types mapAttrs';
+
+  mkSyncTimer = { name, timer, ... }: {
+    wantedBy = [ "timers.target" ];
+
+    timerConfig = {
+      OnCalendar = timer;
+      Persistent = true;
+      Unit = "ows-${name}.service";
+    };
+  };
+  mkSyncService = targetRef: { name, fromUri, fromRefspec, localRefspec, ... }: {
+    path = [ pkgs.gitFull pkgs.openssh ];
+    script = ''
+      set -x
+      trap "git worktree prune && git worktree remove -f ${name}" EXIT
+
+      if [ ! -d "/var/lib/onewaysync/nixpkgs" ]; then
+        echo "First run, synchronizing nixpkgs..."
+        git clone https://cl.forkos.org/nixpkgs /var/lib/onewaysync/nixpkgs
+      fi
+
+      cd /var/lib/onewaysync/nixpkgs
+      echo "Syncing ${fromUri}:${fromRefspec} to /var/lib/onewaysync/nixpkgs:${targetRef}"
+      echo "Current ref: $EXPECTED_REF"
+      git worktree add -f ${cfg.workingDir}/${name} ${localRefspec}
+      cd ${cfg.workingDir}/${name}
+      git pull origin ${fromRefspec}
+      EXPECTED_REF=$(git rev-list ${localRefspec} | head -1)
+      git fetch ${fromUri} ${fromRefspec}
+      git rebase FETCH_HEAD
+      GIT_SSH_COMMAND='ssh -i ${cfg.deployKeyPath}' git push ${cfg.pushUrl} HEAD:${targetRef} --force-with-lease=${targetRef}:$EXPECTED_REF --force-if-includes
+    '';
+    serviceConfig = {
+      User = "git";
+      Group = "git";
+      Type = "oneshot";
+      RuntimeDirectory = "onewaysync";
+      WorkingDirectory = cfg.workingDir;
+      StateDirectory = "onewaysync";
+    };
+  };
+in
+{
+  options.bagel.nixpkgs.one-way-sync = {
+    enable = mkEnableOption "the one-way sync from GitHub repositories";
+
+    referenceDir = mkOption {
+      type = types.str;
+      default = "/var/lib/gerrit/git/nixpkgs.git";
+      description = "Local repository reference";
+    };
+
+    workingDir = mkOption {
+      type = types.str;
+      default = "/run/onewaysync/";
+      description = "Working directory for the service";
+    };
+
+    pushUrl = mkOption {
+      type = types.str;
+      example = "ssh://...";
+      description = "Push URL for the target repository";
+    };
+
+    deployKeyPath = mkOption {
+      type = types.path;
+      example = "/run/agenix.d/ows-priv-key";
+      description = "Deployment private SSH key to push to the repository";
+    };
+
+    branches = mkOption {
+      type = types.attrsOf (types.submodule ({ ... }:
+      {
+        options = {
+          name = mkOption {
+            type = types.str;
+            description = "User-friendly name";
+          };
+
+          fromUri = mkOption {
+            type = types.str;
+            description = "Git URI from which we need to sync";
+          };
+
+          fromRefspec = mkOption {
+            type = types.str;
+            description = "refspec for the fetch";
+          };
+
+          localRefspec = mkOption {
+            type = types.str;
+            default = "local refspec in the local repository to get the expected reference and avoid stale info";
+          };
+
+          timer = mkOption {
+            type = types.str;
+            description = "Calendar format everytime we need to run the sync";
+          };
+        };
+      }));
+
+      description = "Set of branches mapping from cl.forkos.org to other Git repositories";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.timers = mapAttrs' (name: value: {
+      name = "ows-${value.name}";
+      value = mkSyncTimer value;
+    }) cfg.branches;
+
+    systemd.services = mapAttrs' (name: value: {
+      name = "ows-${value.name}";
+      value = mkSyncService name value;
+    }) cfg.branches;
+  };
+}