No need to do it manually.
In the future, we should rework a bit the permissions for various
accounts.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This adds the counterpart of the mTLS for RabbitMQ connections.
This required:
- an update in OfBorg
- some trick to have a PKCS#12 container
- move to a binary-specific runtime directory
And this is not even done due to OfBorg sending auth mechanism = PLAIN
instead of EXTERNAL. I did not figure out yet how to send the right
thing.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
It's impossible to recover the path resource IDs from the Terraform
resource IDs form.
Let's just add the path component and do the right thing.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This initialize a secret agent using systemd-openbao available for any
system.
For now, it only supports the token authentication method.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This brings the openbao agent, a Go proxy to make the link between
systemd's LoadCredential and the openbao agent.
All that remains is to configure authentication on every system we need
to use OpenBao and then the templates for every secret we care about.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Later, we should ensure we trust only our infra chain on all systems to
allow parallel paths that have nothing to do with the infrastructure or
multi-tenancy.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
We can now derive an infinite amount of subCAs as long as we do not
violate extensions constraints.
Additionally, we can build Vault policies specific to the PKI endpoint
without encoding the mountpoints.
Additionally, we can build Vault roles specific to the PKI endpoint
without encoding the mountpoints.
This adds an example of deep-derivation.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This is our first CA, stored on an offline NitroHSM held by Raito.
Expiry date is set in 3650 days.
This was initialized at 38C3 on day 4, in presence of:
- 4 witness
- 3 board members
This was not backupped on the same day to other HSMs.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This way, we can autogenerate records for storage and builders nodes by
reading directly the configuration.
This makes evaluation of `nix run .#tf` slower, but this makes things
more safer and easier, so it's good.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
We really don't want to cache them for a year, which is the default.
Yes, computing them may be expensive, but not worth a multi-gigabyte
redis database that takes minutes to load into RAM on service (re)start.
It has been a recurring issue that flake lockfile bumps in this repo
here make the forgejo patches no longer apply.
The dedicated repository (nix-forgejo) solves this by not overriding the
existing forgejo derivation from nixpkgs but rather having its own.
Additionally, nix-forgejo pins and uses a "known good" nixpkgs revision
itself, unless `pkgs` is passed on import.
So if issues should arise after a flake bump, we can use that revision
by modifying our import statement, or we can rollback the nix-forgejo
revision itself.
Moving forgejo out of tree also makes iterating on it a lot easier and
opens a lot of other possibilities :)
Username and vhost creation are out of band and manual.
$ cd /var/lib/rabbitmq
$ sudo -u rabbitmq rabbitmqctl create_user ofborg $pwd
$ sudo -u rabbitmq rabbitmqctl set_permissions ofborg '.*' '.*' '.*'
Here's a simple way to reproduce that setup on the RabbitMQ server.
Doing better will require the Vault server which will come soon anyway.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Status & checks RPC & event queue.
The status & checks is set by the rest of OfBorg, the web service needs
to be exposed.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This pipes events from Gerrit into the whole AMQP broker and enable all
the system to react to VCS changes.
We need a filter to transform raw Gerrit events into ofBorg specific
events that we will continue to send in the system.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>