Compare commits
13 commits
436882c3eb
...
665a750e35
Author | SHA1 | Date | |
---|---|---|---|
665a750e35 | |||
ab998c8fb9 | |||
bb7d5c1c7d | |||
eaee10ec70 | |||
df0bd6b4eb | |||
c007bbeeb9 | |||
c1cb1ffcad | |||
4fe922bcd0 | |||
adb78e633c | |||
ebdb7c8aef | |||
9051ce73c6 | |||
8fa0e5abe3 | |||
47b713ca58 |
7 changed files with 157 additions and 25 deletions
18
flake.lock
18
flake.lock
|
@ -746,6 +746,23 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"ofborg": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1734205511,
|
||||||
|
"narHash": "sha256-yyQ05iZ5OsSM68JAqFmLHcrvtQfKQfl5iKHEMUvC+wI=",
|
||||||
|
"ref": "refs/heads/vcs-generalization",
|
||||||
|
"rev": "3af7e6976b995037132f971c6af78e00096ca9dd",
|
||||||
|
"revCount": 1487,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/ofborg.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"ref": "refs/heads/vcs-generalization",
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/ofborg.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
"pre-commit-hooks": {
|
"pre-commit-hooks": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -794,6 +811,7 @@
|
||||||
],
|
],
|
||||||
"nix-gerrit": "nix-gerrit",
|
"nix-gerrit": "nix-gerrit",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs_2",
|
||||||
|
"ofborg": "ofborg",
|
||||||
"stateless-uptime-kuma": "stateless-uptime-kuma",
|
"stateless-uptime-kuma": "stateless-uptime-kuma",
|
||||||
"terranix": "terranix"
|
"terranix": "terranix"
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,6 +19,9 @@
|
||||||
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git?ref=refs/heads/bump-minor-3_10";
|
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git?ref=refs/heads/bump-minor-3_10";
|
||||||
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
|
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
ofborg.url = "git+https://git.lix.systems/the-distro/ofborg.git?ref=refs/heads/vcs-generalization";
|
||||||
|
ofborg.flake = false;
|
||||||
|
|
||||||
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
|
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
|
||||||
gerrit-dashboard.flake = false;
|
gerrit-dashboard.flake = false;
|
||||||
|
|
||||||
|
@ -42,7 +45,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
|
outputs = { self, nixpkgs, terranix, colmena, ofborg, ... } @ inputs:
|
||||||
let
|
let
|
||||||
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
|
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
|
||||||
forEachSystem = f: builtins.listToAttrs (map (system: {
|
forEachSystem = f: builtins.listToAttrs (map (system: {
|
||||||
|
@ -58,6 +61,9 @@
|
||||||
inputs.lix.overlays.default
|
inputs.lix.overlays.default
|
||||||
inputs.nix-gerrit.overlays.default
|
inputs.nix-gerrit.overlays.default
|
||||||
inputs.channel-scripts.overlays.default
|
inputs.channel-scripts.overlays.default
|
||||||
|
(import inputs.ofborg {
|
||||||
|
pkgs = import nixpkgs { localSystem = system; };
|
||||||
|
}).overlay
|
||||||
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -37,7 +37,13 @@
|
||||||
|
|
||||||
bagel.services = {
|
bagel.services = {
|
||||||
postgres.enable = true;
|
postgres.enable = true;
|
||||||
ofborg.enable = true;
|
ofborg = {
|
||||||
|
rabbitmq.enable = true;
|
||||||
|
mass-rebuilder.enable = true;
|
||||||
|
pastebin.enable = true;
|
||||||
|
builder.enable = true;
|
||||||
|
stats.enable = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
bagel.sysadmin.enable = true;
|
||||||
|
|
|
@ -46,6 +46,7 @@ let
|
||||||
|
|
||||||
postgres-ca-priv = [ machines.bagel-box ];
|
postgres-ca-priv = [ machines.bagel-box ];
|
||||||
postgres-tls-priv = [ machines.bagel-box ];
|
postgres-tls-priv = [ machines.bagel-box ];
|
||||||
|
rabbitmq-password = [ machines.bagel-box ];
|
||||||
|
|
||||||
newsletter-secrets = [ machines.public01 ];
|
newsletter-secrets = [ machines.public01 ];
|
||||||
s3-revproxy-api-keys = [ machines.public01 ];
|
s3-revproxy-api-keys = [ machines.public01 ];
|
||||||
|
|
BIN
secrets/floral/rabbitmq-password.age
Normal file
BIN
secrets/floral/rabbitmq-password.age
Normal file
Binary file not shown.
|
@ -1,37 +1,137 @@
|
||||||
{ config, lib, ... }:
|
{ pkgs, config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
inherit (lib) mkIf mkMerge;
|
||||||
cfg = config.bagel.services.ofborg;
|
cfg = config.bagel.services.ofborg;
|
||||||
|
|
||||||
amqpHost = "amqp.forkos.org";
|
amqpHost = "amqp.forkos.org";
|
||||||
amqpPort = 5671;
|
amqpPort = 5671;
|
||||||
|
generators = pkgs.formats.json { };
|
||||||
|
configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
|
||||||
|
mkOfborgWorker = binaryName: extra: extra // {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
description = "ofborg CI service - ${binaryName} worker";
|
||||||
|
after = [ "rabbitmq.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
DynamicUser = true;
|
||||||
|
ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";
|
||||||
|
# TODO: more hardening.
|
||||||
|
StateDirectory = "ofborg";
|
||||||
|
LogsDirectory = "ofborg";
|
||||||
|
WorkingDirectory = "/var/lib/ofborg";
|
||||||
|
LoadCredential = [ "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
options.bagel.services.ofborg = with lib; {
|
options.bagel.services.ofborg = with lib; {
|
||||||
enable = mkEnableOption "ofborg coordinator";
|
rabbitmq.enable = mkEnableOption "ofborg AMQP queue";
|
||||||
|
builder.enable = mkEnableOption "ofborg builder worker";
|
||||||
|
pastebin.enable = mkEnableOption "ofborg pastebin service";
|
||||||
|
statcheck-worker.enable = mkEnableOption "ofborg status & checks worker";
|
||||||
|
mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
|
||||||
|
stats.enable = mkEnableOption "ofborg prometheus worker";
|
||||||
|
|
||||||
|
gerrit-events-streamer.enable = mkEnableOption "ofborg's Gerrit event streamer";
|
||||||
|
|
||||||
|
package = mkPackageOption pkgs "ofborg" { };
|
||||||
|
|
||||||
|
settings = mkOption {
|
||||||
|
type = generators.type;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = mkMerge [
|
||||||
services.rabbitmq = {
|
{
|
||||||
enable = true;
|
age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;
|
||||||
configItems = {
|
# TODO: move this to global.
|
||||||
"listeners.tcp" = "none";
|
bagel.services.ofborg.settings = {
|
||||||
"listeners.ssl.default" = builtins.toString amqpPort;
|
rabbitmq = {
|
||||||
|
ssl = true;
|
||||||
|
host = "amqp.forkos.org";
|
||||||
|
virtualhost = "/";
|
||||||
|
username = "ofborg";
|
||||||
|
password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";
|
||||||
|
};
|
||||||
|
feedback.full_logs = lib.mkDefault true;
|
||||||
|
log_storage.path = lib.mkDefault "/var/log/ofborg";
|
||||||
|
runner = {
|
||||||
|
identity = config.networking.fqdn;
|
||||||
|
repos = lib.mkDefault [
|
||||||
|
"nixpkgs"
|
||||||
|
"ofborg"
|
||||||
|
];
|
||||||
|
|
||||||
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
|
disable_trusted_users = true;
|
||||||
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
|
};
|
||||||
|
checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";
|
||||||
|
nix = {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
remote = "daemon";
|
||||||
|
build_timeout_seconds = 3600;
|
||||||
|
initial_heap_size = "4g";
|
||||||
|
};
|
||||||
|
|
||||||
|
pastebin = {
|
||||||
|
root = "$STATE_DIRECTORY/pastebins";
|
||||||
|
db = "$STATE_DIRECTORY/db.json";
|
||||||
|
};
|
||||||
|
|
||||||
|
statcheck = {
|
||||||
|
db = "$STATE_DIRECTORY/db.sqlite";
|
||||||
|
};
|
||||||
|
|
||||||
|
# We use Gerrit.
|
||||||
|
vcs = "Gerrit";
|
||||||
|
gerrit = {
|
||||||
|
instance_uri = "cl.forkos.org";
|
||||||
|
ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
|
||||||
|
ssh_port = 29418;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
(mkIf cfg.rabbitmq.enable {
|
||||||
|
services.nginx.enable = true;
|
||||||
|
services.rabbitmq = {
|
||||||
|
enable = true;
|
||||||
|
configItems = {
|
||||||
|
"listeners.tcp" = "none";
|
||||||
|
"listeners.ssl.default" = builtins.toString amqpPort;
|
||||||
|
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
|
||||||
|
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
security.acme.certs.${amqpHost} = {
|
security.acme.certs.${amqpHost} = {
|
||||||
webroot = "/var/lib/acme/.challenges";
|
webroot = "/var/lib/acme/.challenges";
|
||||||
group = "rabbitmq";
|
group = "rabbitmq";
|
||||||
};
|
};
|
||||||
|
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
|
||||||
|
"/var/lib/acme/.challenges";
|
||||||
|
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
|
||||||
|
|
||||||
services.nginx.enable = true;
|
networking.firewall.allowedTCPPorts = [ amqpPort ];
|
||||||
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
|
})
|
||||||
"/var/lib/acme/.challenges";
|
(mkIf cfg.pastebin.enable {
|
||||||
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
|
systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };
|
||||||
|
})
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 amqpPort ];
|
(mkIf cfg.statcheck-worker.enable {
|
||||||
};
|
systemd.services.ofborg-statcheck-worker = mkOfborgWorker "statcheck-worker" { };
|
||||||
|
})
|
||||||
|
(mkIf cfg.gerrit-events-streamer.enable {
|
||||||
|
systemd.services.ofborg-gerrit-streamer = mkOfborgWorker "gerrit-events-streamer" { };
|
||||||
|
})
|
||||||
|
(mkIf cfg.mass-rebuilder.enable {
|
||||||
|
systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };
|
||||||
|
})
|
||||||
|
(mkIf cfg.builder.enable {
|
||||||
|
systemd.services.ofborg-builder = mkOfborgWorker "builder" { };
|
||||||
|
})
|
||||||
|
(mkIf cfg.stats.enable {
|
||||||
|
systemd.services.ofborg-stats = mkOfborgWorker "stats" { };
|
||||||
|
})
|
||||||
|
];
|
||||||
|
# systemd.services.ofborg-log-message-collector = {};
|
||||||
|
# systemd.services.ofborg-evaluation-filter = {};
|
||||||
|
# systemd.services.ofborg-vcs-comment-filter = {};
|
||||||
|
# systemd.services.ofborg-vcs-comment-poster = {};
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,7 +101,8 @@ in
|
||||||
# git.p.forkos.org is the proxy variant of the Forgejo server.
|
# git.p.forkos.org is the proxy variant of the Forgejo server.
|
||||||
(record "git" 300 "CNAME" "git.p.forkos.org")
|
(record "git" 300 "CNAME" "git.p.forkos.org")
|
||||||
(record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org")
|
(record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org")
|
||||||
(record "amqp" 300 "CNAME" "bagel-box.infra.p.forkos.org")
|
# It's not a public service, so no IPv4 for it.
|
||||||
|
(record "amqp" 300 "CNAME" "bagel-box.infra.forkos.org")
|
||||||
(record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
|
(record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
|
||||||
(record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
|
(record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
|
||||||
(record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
|
(record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
|
||||||
|
|
Loading…
Reference in a new issue