


665a750e35 chore: fix vhost and username for ofborg
Username and vhost creation are out of band and manual.

$ cd /var/lib/rabbitmq
$ sudo -u rabbitmq rabbitmqctl create_user ofborg $pwd
$ sudo -u rabbitmq rabbitmqctl set_permissions ofborg '.*' '.*' '.*'

Here's a simple way to reproduce that setup on the RabbitMQ server.

Doing better will require the Vault server which will come soon anyway.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 18:19:49 +01:00
ab998c8fb9 chore: bump ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 17:25:42 +01:00
bb7d5c1c7d chore: re-encrypt rabbitmq password
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 17:25:35 +01:00
eaee10ec70 chore: bump ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
df0bd6b4eb feat: introduce statcheck worker
Status & checks RPC & event queue.

The status & checks are set by the rest of OfBorg; the web service needs
to be exposed.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
c007bbeeb9 feat: introduce ofborg gerrit streamer
This pipes events from Gerrit into the AMQP broker and enables the whole
system to react to VCS changes.

We need a filter to transform raw Gerrit events into ofBorg specific
events that we will continue to send in the system.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
c1cb1ffcad feat: update ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
4fe922bcd0 feat: introduce ofborg mass rebuilder
With Gerrit support.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
adb78e633c feat: introduce ofborg pastebin service
The web service is not available yet.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
ebdb7c8aef fix: introduce the newest branch of ofborg
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
9051ce73c6 fix: disable IPv4 on amqp.forkos.org
Otherwise, the renewal fails all the time!

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
8fa0e5abe3 feat: introduce ofborg stats
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
47b713ca58 feat: introduce ofborg builder
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-15 16:51:45 +01:00
7 changed files with 157 additions and 25 deletions


@ -746,6 +746,23 @@
"type": "github" "type": "github"
} }
}, },
"ofborg": {
"flake": false,
"locked": {
"lastModified": 1734205511,
"narHash": "sha256-yyQ05iZ5OsSM68JAqFmLHcrvtQfKQfl5iKHEMUvC+wI=",
"ref": "refs/heads/vcs-generalization",
"rev": "3af7e6976b995037132f971c6af78e00096ca9dd",
"revCount": 1487,
"type": "git",
"url": "https://git.lix.systems/the-distro/ofborg.git"
},
"original": {
"ref": "refs/heads/vcs-generalization",
"type": "git",
"url": "https://git.lix.systems/the-distro/ofborg.git"
}
},
"pre-commit-hooks": { "pre-commit-hooks": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -794,6 +811,7 @@
], ],
"nix-gerrit": "nix-gerrit", "nix-gerrit": "nix-gerrit",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"ofborg": "ofborg",
"stateless-uptime-kuma": "stateless-uptime-kuma", "stateless-uptime-kuma": "stateless-uptime-kuma",
"terranix": "terranix" "terranix": "terranix"
} }


@ -19,6 +19,9 @@
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git?ref=refs/heads/bump-minor-3_10"; nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git?ref=refs/heads/bump-minor-3_10";
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs"; nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
ofborg.url = "git+https://git.lix.systems/the-distro/ofborg.git?ref=refs/heads/vcs-generalization";
ofborg.flake = false;
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git"; gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
gerrit-dashboard.flake = false; gerrit-dashboard.flake = false;
@ -42,7 +45,7 @@
}; };
}; };
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs: outputs = { self, nixpkgs, terranix, colmena, ofborg, ... } @ inputs:
let let
supportedSystems = [ "x86_64-linux" "aarch64-linux" ]; supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
forEachSystem = f: builtins.listToAttrs (map (system: { forEachSystem = f: builtins.listToAttrs (map (system: {
@ -58,6 +61,9 @@
inputs.lix.overlays.default inputs.lix.overlays.default
inputs.nix-gerrit.overlays.default inputs.nix-gerrit.overlays.default
inputs.channel-scripts.overlays.default inputs.channel-scripts.overlays.default
(import inputs.ofborg {
pkgs = import nixpkgs { localSystem = system; };
}).overlay
(import "${inputs.stateless-uptime-kuma}/overlay.nix") (import "${inputs.stateless-uptime-kuma}/overlay.nix")
]; ];
}; };


@ -37,7 +37,13 @@
bagel.services = { bagel.services = {
postgres.enable = true; postgres.enable = true;
ofborg.enable = true; ofborg = {
rabbitmq.enable = true;
mass-rebuilder.enable = true;
pastebin.enable = true;
builder.enable = true;
stats.enable = true;
};
}; };
bagel.sysadmin.enable = true; bagel.sysadmin.enable = true;


@ -46,6 +46,7 @@ let
postgres-ca-priv = [ machines.bagel-box ]; postgres-ca-priv = [ machines.bagel-box ];
postgres-tls-priv = [ machines.bagel-box ]; postgres-tls-priv = [ machines.bagel-box ];
rabbitmq-password = [ machines.bagel-box ];
newsletter-secrets = [ machines.public01 ]; newsletter-secrets = [ machines.public01 ];
s3-revproxy-api-keys = [ machines.public01 ]; s3-revproxy-api-keys = [ machines.public01 ];



@ -1,37 +1,137 @@
{ config, lib, ... }: { pkgs, config, lib, ... }:
let let
inherit (lib) mkIf mkMerge;
cfg = config.bagel.services.ofborg; cfg = config.bagel.services.ofborg;
amqpHost = "amqp.forkos.org"; amqpHost = "amqp.forkos.org";
amqpPort = 5671; amqpPort = 5671;
generators = pkgs.formats.json { };
configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
mkOfborgWorker = binaryName: extra: extra // {
wantedBy = [ "multi-user.target" ];
description = "ofborg CI service - ${binaryName} worker";
after = [ "rabbitmq.service" ];
serviceConfig = {
DynamicUser = true;
ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";
# TODO: more hardening.
StateDirectory = "ofborg";
LogsDirectory = "ofborg";
WorkingDirectory = "/var/lib/ofborg";
LoadCredential = [ "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}" ];
};
};
in { in {
options.bagel.services.ofborg = with lib; { options.bagel.services.ofborg = with lib; {
enable = mkEnableOption "ofborg coordinator"; rabbitmq.enable = mkEnableOption "ofborg AMQP queue";
builder.enable = mkEnableOption "ofborg builder worker";
pastebin.enable = mkEnableOption "ofborg pastebin service";
statcheck-worker.enable = mkEnableOption "ofborg status & checks worker";
mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
stats.enable = mkEnableOption "ofborg prometheus worker";
gerrit-events-streamer.enable = mkEnableOption "ofborg's Gerrit event streamer";
package = mkPackageOption pkgs "ofborg" { };
settings = mkOption {
type = generators.type;
};
}; };
config = lib.mkIf cfg.enable { config = mkMerge [
services.rabbitmq = { {
enable = true; age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;
configItems = { # TODO: move this to global.
"listeners.tcp" = "none"; bagel.services.ofborg.settings = {
"listeners.ssl.default" = builtins.toString amqpPort; rabbitmq = {
ssl = true;
host = "amqp.forkos.org";
virtualhost = "/";
username = "ofborg";
password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";
};
feedback.full_logs = lib.mkDefault true;
log_storage.path = lib.mkDefault "/var/log/ofborg";
runner = {
identity = config.networking.fqdn;
repos = lib.mkDefault [
"nixpkgs"
"ofborg"
];
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem"; disable_trusted_users = true;
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem"; };
checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";
nix = {
system = "x86_64-linux";
remote = "daemon";
build_timeout_seconds = 3600;
initial_heap_size = "4g";
};
pastebin = {
root = "$STATE_DIRECTORY/pastebins";
db = "$STATE_DIRECTORY/db.json";
};
statcheck = {
db = "$STATE_DIRECTORY/db.sqlite";
};
# We use Gerrit.
vcs = "Gerrit";
gerrit = {
instance_uri = "cl.forkos.org";
ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
ssh_port = 29418;
};
};
}
(mkIf cfg.rabbitmq.enable {
services.nginx.enable = true;
services.rabbitmq = {
enable = true;
configItems = {
"listeners.tcp" = "none";
"listeners.ssl.default" = builtins.toString amqpPort;
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
};
}; };
};
security.acme.certs.${amqpHost} = { security.acme.certs.${amqpHost} = {
webroot = "/var/lib/acme/.challenges"; webroot = "/var/lib/acme/.challenges";
group = "rabbitmq"; group = "rabbitmq";
}; };
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
"/var/lib/acme/.challenges";
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
services.nginx.enable = true; networking.firewall.allowedTCPPorts = [ amqpPort ];
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root = })
"/var/lib/acme/.challenges"; (mkIf cfg.pastebin.enable {
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"]; systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };
})
networking.firewall.allowedTCPPorts = [ 80 443 amqpPort ]; (mkIf cfg.statcheck-worker.enable {
}; systemd.services.ofborg-statcheck-worker = mkOfborgWorker "statcheck-worker" { };
})
(mkIf cfg.gerrit-events-streamer.enable {
systemd.services.ofborg-gerrit-streamer = mkOfborgWorker "gerrit-events-streamer" { };
})
(mkIf cfg.mass-rebuilder.enable {
systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };
})
(mkIf cfg.builder.enable {
systemd.services.ofborg-builder = mkOfborgWorker "builder" { };
})
(mkIf cfg.stats.enable {
systemd.services.ofborg-stats = mkOfborgWorker "stats" { };
})
];
# systemd.services.ofborg-log-message-collector = {};
# systemd.services.ofborg-evaluation-filter = {};
# systemd.services.ofborg-vcs-comment-filter = {};
# systemd.services.ofborg-vcs-comment-poster = {};
} }
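Review bot: `settings.gerrit.ssh_private_key_file` points at `$CREDENTIALS_DIRECTORY/gerrit-ssh-key`, but `mkOfborgWorker` only loads `rabbitmq-password` through `LoadCredential` and no Gerrit key secret is declared in this module, so the gerrit-events-streamer (and any worker that talks to Gerrit over SSH) would start without that file. Every worker also shares `StateDirectory = "ofborg"` / `LogsDirectory = "ofborg"` under `DynamicUser = true` with no `User =`, which likely gives each unit its own dynamic UID and leaves them contending for ownership of /var/lib/ofborg; pinning `User = "ofborg"` on all of them keeps a single owner. The `extra // { ... }` merge order also means a caller's `extra` can never override a default, which is probably the reverse of what the helper intends. Finally, `settings` is rendered into a world-readable store path, so the option deserves a description stating that only `$CREDENTIALS_DIRECTORY` references, never secret values, belong in it.
```nix
  mkOfborgWorker = binaryName: extra: lib.recursiveUpdate {
    wantedBy = [ "multi-user.target" ];
    description = "ofborg CI service - ${binaryName} worker";
    after = [ "rabbitmq.service" ];
    serviceConfig = {
      DynamicUser = true;
      # One user name for every worker: the units share StateDirectory/LogsDirectory,
      # so they must share the owner as well.
      User = "ofborg";
      Group = "ofborg";
      ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";
      # TODO: more hardening.
      StateDirectory = "ofborg";
      LogsDirectory = "ofborg";
      WorkingDirectory = "/var/lib/ofborg";
      LoadCredential = [
        "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}"
        # settings.gerrit.ssh_private_key_file expects this credential name; the
        # secret itself still has to be declared under age.secrets (placeholder below).
        "gerrit-ssh-key:${config.age.secrets.GERRIT_SSH_KEY_SECRET_PLACEHOLDER.path}"
      ];
    };
  } extra;
```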

View file

@ -101,7 +101,8 @@ in
# git.p.forkos.org is the proxy variant of the Forgejo server. # git.p.forkos.org is the proxy variant of the Forgejo server.
(record "git" 300 "CNAME" "git.p.forkos.org") (record "git" 300 "CNAME" "git.p.forkos.org")
(record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org") (record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org")
(record "amqp" 300 "CNAME" "bagel-box.infra.p.forkos.org") # It's not a public service, so no IPv4 for it.
(record "amqp" 300 "CNAME" "bagel-box.infra.forkos.org")
(record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org") (record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
(record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org") (record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
(record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org") (record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
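Review bot: The new comment on the `amqp` record states the intent ("no IPv4") but the hunk only retargets the CNAME from `bagel-box.infra.p.forkos.org` to `bagel-box.infra.forkos.org`; whether that leaves the name IPv6-only depends on the records behind the unproxied target, which are outside this hunk. Since the `amqp.forkos.org` certificate is renewed over HTTP-01 through the nginx webroot, the comment is more useful if it names that dependency, e.g. `# Not a public service: point at the unproxied (presumably AAAA-only) host name so ACME HTTP-01 renewal reaches bagel-box directly instead of the proxy.`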