Commit graph

437 commits

Author SHA1 Message Date
53ee244c6a feat(secrets): init the bagel-box vault token
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-02 18:39:43 +01:00
43dd43dfe5 feat(services/secrets-agent): init
This initialize a secret agent using systemd-openbao available for any
system.

For now, it only supports the token authentication method.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-02 18:37:24 +01:00
b267cffc0e feat(terraform/vault): support for tokens generation
We create the first machine-level token for bagel-box which has the
policy CI.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-02 18:37:24 +01:00
1a5e5a6adb feat(systems): inject systemd-openbao project
This brings the openbao agent, a Go proxy to make the link between
systemd's LoadCredential and the openbao agent.

All that remains is to configure authentication on every system we need
to use OpenBao and then the templates for every secret we care about.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-01 03:43:13 +01:00
81cdc4698a feat(systems): trust our infra chain on all systems
We remove one CA to send to all systems (infra CA).

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-01 03:43:13 +01:00
dc3e5792d0 feat(systems): trust our ICA2 chain on all systems
Later, we should ensure we trust only our infra chain on all systems to
allow parallel paths that have nothing to do with the infrastructure or
multi-tenancy.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-01 02:07:14 +01:00
c9aa82ba49 feat(terraform): support declarative subCAs and their Vault policies
We can now derive an infinite amount of subCAs as long as we do not
violate extensions constraints.

Additionally, we can build Vault policies specific to the PKI endpoint
without encoding the mountpoints.

Additionally, we can build Vault roles specific to the PKI endpoint
without encoding the mountpoints.

This adds an example of deep-derivation.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2025-01-01 01:54:37 +01:00
efeeecb7e2 feat(terraform): support declarative Vault policies
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 20:54:00 +01:00
ed64fb31ed chore: add BAO_ADDR in the devshell to point to our Vault deployment
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 18:29:57 +01:00
fb267d4184 feat: add openbao to the dev shell
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 18:01:30 +01:00
43ca7c7187 fix: forgotten ../ in the path for the signed ICA1
Oopsie, I had in my local tree, merged too fast. I really need CI :'(.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 17:56:26 +01:00
8c9c060eb4 feat: enable ICA2 and insert ICA1 in Vault
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 17:50:39 +01:00
1bb6e8a681 feat: sign the ICA1 CSR
This introduces a bunch of facilities for PKI manipulations.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 17:50:23 +01:00
02b140aa3d chore: rewire everything to a single flake-compat
Please do not make me do more Flakes bullshit, I hate this so hard.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 17:37:22 +01:00
4c9c432ab8 chore(terraform/dns): fix the builder CNAMEs
They were not pointing to the right thing I think.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-30 18:22:23 +01:00
4eb8adb60c chore(terraform/dnsimple): upgrade to 1.8.0
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-30 18:22:02 +01:00
75afd39d3b feat(pki): init the root CA
This is our first CA, stored on an offline NitroHSM held by Raito.
Expiry date is set in 3650 days.

This was initialized at 38C3 on day 4, in presence of:

- 4 witness
- 3 board members

This was not backupped on the same day to other HSMs.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-30 17:22:25 +01:00
10ffc0684c feat(terraform/vault/pki): init
This initialize a PKI setup that will now require a root initialization
token for the Vault.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-30 17:22:25 +01:00
fe87407c65 chore(gerrit): go back to refs/heads/main
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-29 17:39:54 +01:00
53dc94ca00 chore: reformat properly the library file
Missed reformatting.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-23 21:43:22 +01:00
8fda6facde fix: add neutral element for chainAttrs
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-23 21:43:06 +01:00
b541b78145 chore: connect terraform to the hive
This way, we can autogenerate records for storage and builders nodes by
reading directly the configuration.

This makes evaluation of `nix run .#tf` slower, but this makes things
more safer and easier, so it's good.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-23 21:30:38 +01:00
cf98ed80dc chore: introduce finer-grained baremetal management
for multiple roles such as storage or builders.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-23 21:30:38 +01:00
f593645cde
feat(forgejo): add robots.txt 2024-12-23 21:22:11 +01:00
e930a17b0b
fix(forgejo): lower cache.last_commit TTL to limit size of the cache
We really don't want to cache them for a year, which is the default.

Yes, computing them may be expensive, but not worth a multi-gigabyte
redis database that takes minutes to load into RAM on service (re)start.
2024-12-18 17:03:49 +01:00
4e87e35bb5
feat(forgejo): offload custom forgejo package into its own repository
It has been a recurring issue that flake lockfile bumps in this repo
here make the forgejo patches no longer apply.

The dedicated repository (nix-forgejo) solves this by not overriding the
existing forgejo derivation from nixpkgs but rather having its own.

Additionally, nix-forgejo pins and uses a "known good" nixpkgs revision
itself, unless `pkgs` is passed on import.

So if issues should arise after a flake bump, we can use that revision
by modifying our import statement, or we can rollback the nix-forgejo
revision itself.

Moving forgejo out of tree also makes iterating on it a lot easier and
opens a lot of other possibilities :)
2024-12-18 03:39:37 +01:00
f4588aff2b feat: listen on Gerrit events and rewrite them as generic VCS events
This introduces the private SSH key for Gerrit event streaming.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-16 01:25:53 +01:00
90038e80a2 fix: do not propagate rabbitmq-password to all nodes
This was a mistake.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-16 00:25:54 +01:00
665a750e35 chore: fix vhost and username for ofborg
Username and vhost creation are out of band and manual.

$ cd /var/lib/rabbitmq
$ sudo -u rabbitmq rabbitmqctl create_user ofborg $pwd
$ sudo -u rabbitmq rabbitmqctl set_permissions ofborg '.*' '.*' '.*'

Here's a simple way to reproduce that setup on the RabbitMQ server.

Doing better will require the Vault server which will come soon anyway.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 18:19:49 +01:00
ab998c8fb9 chore: bump ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 17:25:42 +01:00
bb7d5c1c7d chore: re-encrypt rabbitmq password
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 17:25:35 +01:00
eaee10ec70 chore: bump ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
df0bd6b4eb feat: introduce statcheck worker
Status & checks RPC & event queue.

The status & checks is set by the rest of OfBorg, the web service needs
to be exposed.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
c007bbeeb9 feat: introduce ofborg gerrit streamer
This pipes events from Gerrit into the whole AMQP broker and enable all
the system to react to VCS changes.

We need a filter to transform raw Gerrit events into ofBorg specific
events that we will continue to send in the system.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
c1cb1ffcad feat: update ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
4fe922bcd0 feat: introduce ofborg mass rebuilder
With Gerrit support.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
adb78e633c feat: introduce ofborg pastebin service
The web service is not available yet.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
ebdb7c8aef fix: introduce the newest branch of ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
9051ce73c6 fix: disable IPv4 on amqp.forkos.org
Otherwise, the renew fails all the time!

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
8fa0e5abe3 feat: introduce ofborg stats
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
47b713ca58 feat: introduce ofborg builder
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
436882c3eb fix(services/vault): proxy pass to the local vault server web port
Oopsie, forgot that commit.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:11 +01:00
14f5bc10a1 chore(pkgs/openbao): 2.0.2 -> 2.1.0
https://openbao.org/docs/release-notes/2-1-0/
https://openbao.org/docs/release-notes/2-0-0/#203
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:42:48 +01:00
a4d4ff8041 feat(build-coord): enable first Vault instance on it
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:30:21 +01:00
2c4e60760f feat: introduce a Vault module for secrets management
Via a fork of the Linux Foundation, called OpenBao.

The module supports high availability but we only have one node for now.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-14 21:49:44 +01:00
dc23bb7054 feat: introduce awareness module for WAN addresses
Introduce a data-only module to perform abstraction on the deployment,
we use it for WAN for now.

The usecase is service discovery for simple cases.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-14 21:47:53 +01:00
84899b48ea feat(channel-scripts): support push to git and automatic cleanup of failed streaming
Now, we won't pile a bunch of failed streaming attempts and this will
automatically push to git.

Credentials are left to be done for the push to actually work.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-14 19:06:47 +01:00
c3b1a3d1da feat(gerrit01): upgrade to Gerrit 3.10.3
And monitor the performance situation as always.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-14 17:13:18 +01:00
980709cc02 chore(ows): remove Raito personal sandbox branches
I am not using those branches anymore, we can remove them.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-14 14:42:22 +00:00
112f60afd1 feat(ows): support moving away onewaysync
We are running into too many out of disk space situations with OWS on
the main disk.

This way, we can reuse the Gerrit disk for all that data, which
hopefully, is quite shared with Gerrit.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-14 14:42:22 +00:00