This adds the counterpart of mTLS for RabbitMQ connections.
This required:
- an update in OfBorg
- some trick to have a PKCS#12 container
- move to a binary-specific runtime directory
And this is not even done, because OfBorg sends auth mechanism = PLAIN
instead of EXTERNAL. I have not yet figured out how to send the right
thing.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This brings in the openbao agent, a Go proxy that makes the link between
systemd's LoadCredential and the openbao agent.
All that remains is to configure authentication on every system we need
to use OpenBao and then the templates for every secret we care about.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
We can now derive an infinite number of subCAs as long as we do not
violate extension constraints.
Additionally, we can build Vault policies and roles specific to the PKI
endpoint without encoding the mountpoints.
This adds an example of deep-derivation.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
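As an added example (not code from the Lix infrastructure repository or from the commit above), the following script shows the extension constraint that actually bounds how deep a subCA chain can be derived: the pathlen field of basicConstraints. It uses only the openssl CLI (1.1.1 or 3.x) and a throwaway directory; every CA name, subject and file name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Lix infra repo: a root CA with pathlen:1
# and a subCA with pathlen:0. A leaf directly under the subCA verifies; a
# leaf under a further sub-subCA is rejected, because the chain exceeds
# the path length both CAs allow. All names below are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr NAME SUBJECT: generate a fresh P-256 key and a CSR for it.
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER EXTENSIONS: issue NAME's certificate from ISSUER's key,
# with EXTENSIONS as the only X.509 extensions ("self" means self-signed).
sign() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Build a three-level hierarchy plus one leaf at each of two depths.
build_hierarchy() {
  csr root "Example Root"
  sign root self 'basicConstraints=critical,CA:TRUE,pathlen:1'
  csr subca "Example SubCA"
  sign subca root 'basicConstraints=critical,CA:TRUE,pathlen:0'
  csr subsubca "Example SubSubCA"
  sign subsubca subca 'basicConstraints=critical,CA:TRUE'
  csr leaf_ok "ok.example"
  sign leaf_ok subca 'basicConstraints=CA:FALSE'
  csr leaf_bad "bad.example"
  sign leaf_bad subsubca 'basicConstraints=CA:FALSE'
}

# verify_leaf LEAF INTERMEDIATE...: exit 0 if LEAF chains to root.crt through
# the given intermediates without violating any constraint, non-zero otherwise.
verify_leaf() {
  leaf=$1
  shift
  args=""
  for c in "$@"; do
    args="$args -untrusted $WORK/$c.crt"
  done
  # shellcheck disable=SC2086  # word splitting of $args is intended
  openssl verify -CAfile "$WORK/root.crt" $args "$WORK/$leaf.crt" >/dev/null 2>&1
}

build_hierarchy
if verify_leaf leaf_ok subca; then
  echo "leaf under subCA (depth 1): valid"
fi
if verify_leaf leaf_bad subca subsubca; then
  echo "leaf under sub-subCA (depth 2): unexpectedly valid"
else
  echo "leaf under sub-subCA (depth 2): rejected, path length constraint exceeded"
fi
```

The second verification fails on two counts at once: the subCA's pathlen:0 forbids any CA certificate beneath it, and the root's pathlen:1 forbids a second non-self-issued intermediate in the path. When a PKI endpoint hands out subCAs freely, the pathlen (and any nameConstraints) on each issued CA certificate is what keeps "infinite derivation" from becoming "unbounded trust".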
This way, we can autogenerate records for storage and builder nodes by
reading the configuration directly.
This makes evaluation of `nix run .#tf` slower, but it makes things
safer and easier, so it's good.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
It has been a recurring issue that flake lockfile bumps in this repo
make the forgejo patches no longer apply.
The dedicated repository (nix-forgejo) solves this by not overriding the
existing forgejo derivation from nixpkgs but rather having its own.
Additionally, nix-forgejo pins and uses a "known good" nixpkgs revision
itself, unless `pkgs` is passed on import.
So if issues should arise after a flake bump, we can use that revision
by modifying our import statement, or we can rollback the nix-forgejo
revision itself.
Moving forgejo out of tree also makes iterating on it a lot easier and
opens a lot of other possibilities :)
This introduces a new Buildbot instance using all the previous work.
This is a "Raito's VM" hardware type.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This is the first Lix machine we are enrolling in our infrastructure
(!).
It's using all the previous commits to make it cozy with our current
infra style.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This way, we can mark tenancy appropriately in a common expression and
add all machines together in the same entrypoint.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
In the process of adding multi-tenant infrastructure, it seems relevant
to add finer-grained ACLs.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This partially reverts commit d2f3ca5624.
Said commit requires IFD to eval, which is generally unwanted and is
currently forbidden on Hydra (imo rightfully so; we should try to
properly separate evals from builds).
The services/ file for grapevine is kept but will not work without the
flake.nix change reapplied.