chore: fix vhost and username for ofborg

Username and vhost creation are out of band and manual.

$ cd /var/lib/rabbitmq
$ sudo -u rabbitmq rabbitmqctl create_user ofborg $pwd
$ sudo -u rabbitmq rabbitmqctl set_permissions ofborg '.*' '.*' '.*'

Here's a simple way to reproduce that setup on the RabbitMQ server.

Doing better will require the Vault server which will come soon anyway.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

flake.lock

@@ -746,6 +746,23 @@
         "type": "github"
       }
     },
+    "ofborg": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1734205511,
+        "narHash": "sha256-yyQ05iZ5OsSM68JAqFmLHcrvtQfKQfl5iKHEMUvC+wI=",
+        "ref": "refs/heads/vcs-generalization",
+        "rev": "3af7e6976b995037132f971c6af78e00096ca9dd",
+        "revCount": 1487,
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/ofborg.git"
+      },
+      "original": {
+        "ref": "refs/heads/vcs-generalization",
+        "type": "git",
+        "url": "https://git.lix.systems/the-distro/ofborg.git"
+      }
+    },
     "pre-commit-hooks": {
       "flake": false,
       "locked": {
@@ -794,6 +811,7 @@
         ],
         "nix-gerrit": "nix-gerrit",
         "nixpkgs": "nixpkgs_2",
+        "ofborg": "ofborg",
         "stateless-uptime-kuma": "stateless-uptime-kuma",
         "terranix": "terranix"
       }

flake.nix

@@ -19,6 +19,9 @@
     nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git?ref=refs/heads/bump-minor-3_10";
     nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
 
+    ofborg.url = "git+https://git.lix.systems/the-distro/ofborg.git?ref=refs/heads/vcs-generalization";
+    ofborg.flake = false;
+
     gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
     gerrit-dashboard.flake = false;
 
@@ -42,7 +45,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
+  outputs = { self, nixpkgs, terranix, colmena, ofborg, ... } @ inputs:
   let
     supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
     forEachSystem = f: builtins.listToAttrs (map (system: {
@@ -58,6 +61,9 @@
           inputs.lix.overlays.default
           inputs.nix-gerrit.overlays.default
           inputs.channel-scripts.overlays.default
+          (import inputs.ofborg {
+            pkgs = import nixpkgs { localSystem = system; };
+          }).overlay
           (import "${inputs.stateless-uptime-kuma}/overlay.nix")
         ];
       };

hosts/bagel-box/default.nix

@@ -37,7 +37,13 @@
 
   bagel.services = {
     postgres.enable = true;
-    ofborg.enable = true;
+    ofborg = {
+      rabbitmq.enable = true;
+      mass-rebuilder.enable = true;
+      pastebin.enable = true;
+      builder.enable = true;
+      stats.enable = true;
+    };
   };
 
   bagel.sysadmin.enable = true;

secrets.nix

@@ -46,6 +46,7 @@ let
 
       postgres-ca-priv = [ machines.bagel-box ];
       postgres-tls-priv = [ machines.bagel-box ];
+      rabbitmq-password = [ machines.bagel-box ];
 
       newsletter-secrets = [ machines.public01 ];
       s3-revproxy-api-keys = [ machines.public01 ];

services/ofborg/default.nix

@@ -1,22 +1,101 @@
-{ config, lib, ... }:
+{ pkgs, config, lib, ... }:
 
 let
+  inherit (lib) mkIf mkMerge;
   cfg = config.bagel.services.ofborg;
 
   amqpHost = "amqp.forkos.org";
   amqpPort = 5671;
+  generators = pkgs.formats.json { };
+  configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
+  mkOfborgWorker = binaryName: extra: extra // {
+    wantedBy = [ "multi-user.target" ];
+    description = "ofborg CI service - ${binaryName} worker";
+    after = [ "rabbitmq.service" ];
+    serviceConfig = {
+      DynamicUser = true;
+      ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";
+      # TODO: more hardening.
+      StateDirectory = "ofborg";
+      LogsDirectory = "ofborg";
+      WorkingDirectory = "/var/lib/ofborg";
+      LoadCredential = [ "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}" ];
+    };
+  };
 in {
   options.bagel.services.ofborg = with lib; {
-    enable = mkEnableOption "ofborg coordinator";
+    rabbitmq.enable = mkEnableOption "ofborg AMQP queue";
+    builder.enable = mkEnableOption "ofborg builder worker";
+    pastebin.enable = mkEnableOption "ofborg pastebin service";
+    statcheck-worker.enable = mkEnableOption "ofborg status & checks worker";
+    mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
+    stats.enable = mkEnableOption "ofborg prometheus worker";
+
+    gerrit-events-streamer.enable = mkEnableOption "ofborg's Gerrit event streamer";
+
+    package = mkPackageOption pkgs "ofborg" { };
+
+    settings = mkOption {
+      type = generators.type;
+    };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = mkMerge [
+    {
+      age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;
+      # TODO: move this to global.
+      bagel.services.ofborg.settings = {
+        rabbitmq = {
+          ssl = true;
+          host = "amqp.forkos.org";
+          virtualhost = "/";
+          username = "ofborg";
+          password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";
+        };
+        feedback.full_logs = lib.mkDefault true;
+        log_storage.path = lib.mkDefault "/var/log/ofborg";
+        runner = {
+          identity = config.networking.fqdn;
+          repos = lib.mkDefault [
+            "nixpkgs"
+            "ofborg"
+          ];
+
+          disable_trusted_users = true;
+        };
+        checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";
+        nix = {
+          system = "x86_64-linux";
+          remote = "daemon";
+          build_timeout_seconds = 3600;
+          initial_heap_size = "4g";
+        };
+
+        pastebin = {
+          root = "$STATE_DIRECTORY/pastebins";
+          db = "$STATE_DIRECTORY/db.json";
+        };
+
+        statcheck = {
+          db = "$STATE_DIRECTORY/db.sqlite";
+        };
+
+        # We use Gerrit.
+        vcs = "Gerrit";
+        gerrit = {
+          instance_uri = "cl.forkos.org";
+          ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
+          ssh_port = 29418;
+        };
+      };
+    }
+    (mkIf cfg.rabbitmq.enable {
+      services.nginx.enable = true;
       services.rabbitmq = {
         enable = true;
         configItems = {
           "listeners.tcp" = "none";
           "listeners.ssl.default" = builtins.toString amqpPort;
-
           "ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
           "ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
         };
@@ -26,12 +105,33 @@ in {
         webroot = "/var/lib/acme/.challenges";
         group = "rabbitmq";
       };
-
-    services.nginx.enable = true;
       services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
         "/var/lib/acme/.challenges";
       systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
 
-    networking.firewall.allowedTCPPorts = [ 80 443 amqpPort ];
-  };
+      networking.firewall.allowedTCPPorts = [ amqpPort ];
+    })
+    (mkIf cfg.pastebin.enable {
+      systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };
+    })
+    (mkIf cfg.statcheck-worker.enable {
+      systemd.services.ofborg-statcheck-worker = mkOfborgWorker "statcheck-worker" { };
+    })
+    (mkIf cfg.gerrit-events-streamer.enable {
+      systemd.services.ofborg-gerrit-streamer = mkOfborgWorker "gerrit-events-streamer" { };
+    })
+    (mkIf cfg.mass-rebuilder.enable {
+      systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };
+    })
+    (mkIf cfg.builder.enable {
+      systemd.services.ofborg-builder = mkOfborgWorker "builder" { };
+    })
+    (mkIf cfg.stats.enable {
+      systemd.services.ofborg-stats = mkOfborgWorker "stats" { };
+    })
+  ];
+    # systemd.services.ofborg-log-message-collector = {};
+    # systemd.services.ofborg-evaluation-filter = {};
+    # systemd.services.ofborg-vcs-comment-filter = {};
+    # systemd.services.ofborg-vcs-comment-poster = {};
 }

terraform/dnsimple.nix

@@ -101,7 +101,8 @@ in
           # git.p.forkos.org is the proxy variant of the Forgejo server.
           (record "git" 300 "CNAME" "git.p.forkos.org")
           (record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org")
-          (record "amqp" 300 "CNAME" "bagel-box.infra.p.forkos.org")
+          # It's not a public service, so no IPv4 for it.
+          (record "amqp" 300 "CNAME" "bagel-box.infra.forkos.org")
           (record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
           (record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
           (record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")