From f4588aff2bc0765d436c43a8c25890e1f4879950 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Mon, 16 Dec 2024 00:25:26 +0100
Subject: [PATCH] feat: listen on Gerrit events and rewrite them as generic VCS
 events

This introduces the private SSH key for Gerrit event streaming.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
 flake.lock                                    |   8 +++---
 hosts/bagel-box/default.nix                   |  12 +++++++--
 secrets.nix                                   |   1 +
 .../floral/gerrit-event-listener-ssh-key.age  | Bin 0 -> 1417 bytes
 services/ofborg/default.nix                   |  24 ++++++++++++++----
 5 files changed, 34 insertions(+), 11 deletions(-)
 create mode 100644 secrets/floral/gerrit-event-listener-ssh-key.age

diff --git a/flake.lock b/flake.lock
index 5a29de4..7dc5874 100644
--- a/flake.lock
+++ b/flake.lock
@@ -749,11 +749,11 @@
     "ofborg": {
       "flake": false,
       "locked": {
-        "lastModified": 1734205511,
-        "narHash": "sha256-yyQ05iZ5OsSM68JAqFmLHcrvtQfKQfl5iKHEMUvC+wI=",
+        "lastModified": 1734308727,
+        "narHash": "sha256-/bJhMZQ5VSblvgqAR9hSLwdm5pxenn/UMY8pDDVSquI=",
         "ref": "refs/heads/vcs-generalization",
-        "rev": "3af7e6976b995037132f971c6af78e00096ca9dd",
-        "revCount": 1487,
+        "rev": "7bcc8fa584c66f317923337658974c0525e5779f",
+        "revCount": 1495,
         "type": "git",
         "url": "https://git.lix.systems/the-distro/ofborg.git"
       },
diff --git a/hosts/bagel-box/default.nix b/hosts/bagel-box/default.nix
index c0445dc..a7abf5f 100644
--- a/hosts/bagel-box/default.nix
+++ b/hosts/bagel-box/default.nix
@@ -39,9 +39,17 @@
     postgres.enable = true;
     ofborg = {
       rabbitmq.enable = true;
-      mass-rebuilder.enable = true;
       pastebin.enable = true;
-      builder.enable = true;
+      # TODO: statcheck.enable = true;
+
+      mass-rebuilder.enable = true;
+      # TODO: enable once ready.
+      builder.enable = false;
+
+      gerrit-event-streamer.enable = true;
+      gerrit-generic-vcs-filter.enable = true;
+
+      # FIXME: plug into our prometheus stack.
       stats.enable = true;
     };
   };
diff --git a/secrets.nix b/secrets.nix
index bbeb35b..7136b6c 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -47,6 +47,7 @@ let
       postgres-ca-priv = [ machines.bagel-box ];
       postgres-tls-priv = [ machines.bagel-box ];
       rabbitmq-password = [ machines.bagel-box ];
+      gerrit-event-listener-ssh-key = [ machines.bagel-box ];
 
       newsletter-secrets = [ machines.public01 ];
       s3-revproxy-api-keys = [ machines.public01 ];
diff --git a/secrets/floral/gerrit-event-listener-ssh-key.age b/secrets/floral/gerrit-event-listener-ssh-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..efd403a3e34b56028072c2092c74c8bb1562c158
GIT binary patch
literal 1417
zcmZY7`;XHE0KjqhLE(mS7|`HhaKMR3*{zSgDhjlFcJH?9w$_Mt-MX#av)lR@8X}R1
zBxnM{MIjz%!Xa-I)F3|K!b?d6z2pdR7(6hdo~T5`6MoQN_(lJMPx8%|&*v<;il7*^
zX0cl7sVaG^3YjcR%#B9DlFPz&JA|5n0OJucb5W8AJ`ejyM@p`{i(E=}B*}2B3Zap-
zwcTQ^44v}YG_EBPrgSR-xY&FpPA5}T3llV+OMywkPvb41uKRIAX|qMFR%}#k|I_Np
zRwZw?^O;=Jnu`bA4Ofmxg`7kV*L0lprXzJlb$SUXR1zF%&Y<!phf|0<oRPGjH`FF8
z1aYB_Awrof@wJ@06w6XMv=V{}XxYu&)szNrmX(w{OqwJu!nI_oSx{gw6bzEqjDUL!
zloAV+1I|XX#K55J$0G(%4G2zqM2`kUmhizeA(BP0M&c%r)fF#B3qr8whVfbqqM3A(
zz?C4=PHPzCMar%Wo)CgDz0fYO2vZev?s8f*T1^P7G9}!kNPG%urI8wx6>(pQHBwAM
zhf_^E$?HU{6$=RIb|F+O(2z!RD3X(W)i@t9Ja!#$_!Ya|gjyA;T~fk&y6siGP|+#+
z8IH$2(J19*LA#ZpP_7k+>u#GZf+^vcU#g-7Nzy~UT!E*mRue8}lQE`PXf!B?1lJrm
zpM&D5U={_7lp`F5qSa#78xreW#BOazrG$zRft;TT3Ux*X#CF}3VbY2xZ3jRe{kLMu
zP?dxSAn(?`dy-YvNP#pLn_QWQQ86FrBT`08gcG1%Y~)cmfvdQu0+X6YpnXn}ry{0s
zs(=7dI1Zq^zYG)*&O>JWwQAB&0(QBYV8o^$B1$qRXW9R1AcZ>Pn3>c>k<EI`Le!RG
zLyc-A1cJ_ZMpgZ)n9hm1U<>3+E(6KRnyKaz(g9X$S6VpfsX!#F#Y6d8Np+R9rrT4b
z8EaJM8cDm)M*LR`AsHu*nX?8GLYjoHBs6tcplm9iEkTqoD|-_fPHTt(Bppq^o3$aV
ziB4d+4KT1kOl1WaLm&!vR}HCRtpqEWPf!Rn66V^@S`)`i7K_C!vyHr*0SPHt^xC6{
z&&a_Mj%npHu@d5=Q5Q&RnlBj7i@0pMuAj78_};km^s`xF#@Wh8>+e*U$D*~d7u_J;
zSa-1f=!Um<&RM>h>Yw+@;>4}vSm&GXU#?%+KDo1l9@>GfdFk8NcK&*7y=DDxm#?hU
zYIoqnmi}2kF8X|N-%vksxMpk|eQ)8p`S;WZ#)kLL+!O9Uedy<|;bR>(WrYl6wx8az
z;MCIY#d}Z2@vpCOo{{RM>Bt9bmn<k9pD-*AU76ppaQeN2r*@2dGJ9x(Yf9}IVt3z`
z=k}~R(7xL9OXMB@8&P9wf6s|UI(8N4E6LrekvIS!m5=-|`Bd+BpKY0V{^iif$LlBE
zP}iOj-TNPS;r#0UKQD}D_WpjPcVhFwM+Tnw<4It|yVW~QpWSV?F1yc4$lJDkdh^z%
zc}oXwf3Y$8llf%g;a$(KB@V8tPoBDIH&<3icXf>4zizmz@A}0V2iINc?wM8i=1l6L
zqx;TIo09D0$Ig9851J+&{p!QB`m)ZyR;;|%*Ks5ER+sD2^)0WC{k>si{w8c@SKNEi
z24SN|dV4RQ*uQo3#@vBxH>b=Eo>=|3)UjsezVU&LHwVAJ{nWdgrD%A0>(Ka)*D18$
JHD_kW;6JpQ6L<gs

literal 0
HcmV?d00001

diff --git a/services/ofborg/default.nix b/services/ofborg/default.nix
index 9f79bc8..fff6b20 100644
--- a/services/ofborg/default.nix
+++ b/services/ofborg/default.nix
@@ -1,7 +1,7 @@
 { pkgs, config, lib, ... }:
 
 let
-  inherit (lib) mkIf mkMerge;
+  inherit (lib) mkIf mkMerge optional hasAttr;
   cfg = config.bagel.services.ofborg;
 
   amqpHost = "amqp.forkos.org";
@@ -18,8 +18,14 @@ let
       # TODO: more hardening.
       StateDirectory = "ofborg";
       LogsDirectory = "ofborg";
+      RuntimeDirectory = "ofborg";
       WorkingDirectory = "/var/lib/ofborg";
-      LoadCredential = [ "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}" ];
+      LoadCredential =
+        optional (hasAttr "rabbitmq-password" config.age.secrets) "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}"
+        ++ optional (hasAttr "gerrit-event-listener-ssh-key" config.age.secrets) "gerrit-ssh-key:${config.age.secrets.gerrit-event-listener-ssh-key.path}";
+      Environment = [
+        "XDG_STATE_HOME=/run/ofborg"
+      ];
     };
   };
 in {
@@ -31,7 +37,8 @@ in {
     mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
     stats.enable = mkEnableOption "ofborg prometheus worker";
 
-    gerrit-events-streamer.enable = mkEnableOption "ofborg's Gerrit event streamer";
+    gerrit-event-streamer.enable = mkEnableOption "ofborg's Gerrit event streamer";
+    gerrit-generic-vcs-filter.enable = mkEnableOption "ofborg's Gerrit event transformer to generic VCS events";
 
     package = mkPackageOption pkgs "ofborg" { };
 
@@ -83,6 +90,7 @@ in {
         vcs = "Gerrit";
         gerrit = {
           instance_uri = "cl.forkos.org";
+          username = "ofborg-event-listener";
           ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
           ssh_port = 29418;
         };
@@ -117,8 +125,14 @@ in {
     (mkIf cfg.statcheck-worker.enable {
       systemd.services.ofborg-statcheck-worker = mkOfborgWorker "statcheck-worker" { };
     })
-    (mkIf cfg.gerrit-events-streamer.enable {
-      systemd.services.ofborg-gerrit-streamer = mkOfborgWorker "gerrit-events-streamer" { };
+    (mkIf cfg.gerrit-event-streamer.enable {
+      age.secrets.gerrit-event-listener-ssh-key.file = ../../secrets/floral/gerrit-event-listener-ssh-key.age;
+      systemd.services.ofborg-gerrit-event-streamer = mkOfborgWorker "gerrit-event-streamer" {
+        path = [ pkgs.openssh ];
+      };
+    })
+    (mkIf cfg.gerrit-generic-vcs-filter.enable {
+      systemd.services.ofborg-gerrit-generic-vcs-filter = mkOfborgWorker "gerrit-generic-vcs-filter" { };
     })
     (mkIf cfg.mass-rebuilder.enable {
       systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };