modules/consul-distributed-services: wait for consul-ready.target, use system management token

modules/consul-service-registry: wait for consul-ready.target, use system management token
cluster/services/consul: laod system management token on startup WIP
2024-11-10 14:40:10 +02:00 · 2024-11-10 14:40:10 +02:00 · 2024-11-10 14:40:10 +02:00 · 2024-11-10 14:40:10 +02:00 · 2024-11-10 14:40:10 +02:00 · 2024-11-10 14:40:10 +02:00
42 changed files with 416 additions and 699 deletions
--- a/cluster/lib/mesh.nix
+++ b/cluster/lib/mesh.nix
@ -3,12 +3,14 @@
 {
  hostLinks = lib.pipe config.services [
    (lib.filterAttrs (_: svc: svc.meshLinks != {}))
-    (lib.mapAttrsToList (svcName: svc: lib.mapAttrsToList (name: cfg: lib.genAttrs svc.nodes.${name} (hostName: {
-      ${cfg.name} = { ... }: {
-        imports = [ cfg.link ];
-        ipv4 = config.vars.mesh.${hostName}.meshIp;
-      };
-    })) svc.meshLinks))
+    (lib.mapAttrsToList (svcName: svc:
+      lib.mapAttrsToList (groupName: links:
+        lib.genAttrs svc.nodes.${groupName} (hostName: lib.mapAttrs (_: cfg: { ... }: {
+          imports = [ cfg.link ];
+          ipv4 = config.vars.mesh.${hostName}.meshIp;
+        }) links)
+      ) svc.meshLinks
+    ))
    (map lib.mkMerge)
    lib.mkMerge
  ];
--- a/cluster/lib/service-module.nix
+++ b/cluster/lib/service-module.nix
@ -38,12 +38,8 @@ in
    };
    meshLinks = mkOption {
      description = "Create host links on the mesh network.";
-      type = types.attrsOf (types.submodule ({ name, ... }: {
+      type = types.attrsOf (types.attrsOf (types.submodule {
        options = {
-          name = mkOption {
-            type = types.str;
-            default = "${serviceName}-${name}";
-          };
          link = mkOption {
            type = types.deferredModule;
            default = {};
--- a/cluster/services/acme-client/client.nix
+++ b/cluster/services/acme-client/client.nix
@ -74,7 +74,7 @@ in
      serviceConfig = {
        Restart = "on-failure";
        RestartMaxDelaySec = 30;
-        RestartStesp = 5;
+        RestartSteps = 5;
        RestartMode = "direct";
      };
    };
--- a/cluster/services/attic/default.nix
+++ b/cluster/services/attic/default.nix
@ -16,10 +16,7 @@
        ./nar-serve.nix
      ];
    };
-    meshLinks.server = {
-      name = "attic";
-      link.protocol = "http";
-    };
+    meshLinks.server.attic.link.protocol = "http";
    secrets = let
      inherit (config.services.attic) nodes;
    in {
--- a/cluster/services/attic/server.nix
+++ b/cluster/services/attic/server.nix
@ -9,17 +9,13 @@ let
 in

 {
-  imports = [
-    depot.inputs.attic.nixosModules.atticd
-  ];
-
  services.locksmith.waitForSecrets.atticd = [ "garage-attic" ];

  services.atticd = {
    enable = true;
    package = depot.inputs.attic.packages.attic-server;

-    credentialsFile = secrets.serverToken.path;
+    environmentFile = secrets.serverToken.path;
    mode = if isMonolith then "monolithic" else "api-server";

    settings = {
@ -69,6 +65,7 @@ in
    serviceConfig = {
      DynamicUser = lib.mkForce false;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+      SystemCallFilter = lib.mkAfter [ "@resources" ];
    };
    environment = {
      AWS_SHARED_CREDENTIALS_FILE = "/run/locksmith/garage-attic";
@ -80,6 +77,7 @@ in
    mode = if isMonolith then "manual" else "direct";
    definition = {
      name = "atticd";
+      id = "atticd-${config.services.atticd.mode}";
      address = link.ipv4;
      inherit (link) port;
      checks = [
--- a/cluster/services/consul/agent.nix
+++ b/cluster/services/consul/agent.nix
@ -28,6 +28,35 @@ in
      bootstrap_expect = builtins.length cfg.nodes.agent;
      addresses.http = config.links.consulAgent.ipv4;
      ports.http = config.links.consulAgent.port;
+      acl = {
+        enabled = true;
+        default_policy = "deny";
+      };
+    };
+  };
+
+  systemd.services = {
+    consul.serviceConfig.Type = "notify";
+    consul-load-smt = {
+      wantedBy = [ "consul.service" ];
+      after = [ "consul.service" ];
+      environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
+      path = [
+        config.services.consul.package
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        while ! test -e /run/locksmith/consul-systemManagementToken; do
+          echo Waiting for System Management Token
+          systemctl start locksmith.service
+          sleep 5
+        done
+        export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
+        consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
+      '';
    };
  };

--- a/cluster/services/consul/bootstrap.nix
+++ b/cluster/services/consul/bootstrap.nix
@ -0,0 +1,65 @@
+{ cluster, config, lib, pkgs, ... }:
+
+let
+  sentinelFile = "/var/lib/consul/nixos-acl-bootstrapped";
+  bootstrapTokenFile = "/run/keys/consul-bootstrap-token";
+  bootstrapConfig = "consul-bootstrap-config.json";
+  writeRules = rules: pkgs.writeText "consul-policy.json" (builtins.toJSON rules);
+in
+
+{
+  systemd.services = {
+    consul-acl-bootstrap = {
+      requires = [ "consul.service" ];
+      after = [ "consul.service" ];
+      wantedBy = [ "multi-user.target" ];
+  
+      unitConfig.ConditionPathExists = "!${sentinelFile}";
+      serviceConfig = {
+        Type = "oneshot";
+        PrivateTmp = true;
+      };
+      environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
+      path = [
+        config.services.consul.package
+        pkgs.jq
+      ];
+      script = ''
+        umask 77
+        if consul acl bootstrap --format=json > ${bootstrapConfig}; then
+          echo Bootstrapping:
+          jq -r .SecretID < ${bootstrapConfig} > ${bootstrapTokenFile}
+          export CONSUL_HTTP_TOKEN_FILE=${bootstrapTokenFile}
+          consul acl policy create --name operator-read --description "Read-only operator actions" --rules @${writeRules { operator = "read"; }}
+          consul acl policy create --name smt-read --description "Allow reading the encrypted system management token" --rules @${writeRules { key_prefix."secrets/locksmith/consul-systemManagementToken/".policy = "read"; }}
+          consul acl token update --id 00000000-0000-0000-0000-000000000002 --append-policy-name operator-read --append-policy-name smt-read
+        else
+          echo Bootstrap is already in progress elsewhere.
+          touch ${sentinelFile}
+        fi
+      '';
+    };
+    locksmith-provider-consul = {
+      unitConfig.ConditionPathExists = bootstrapTokenFile;
+      distributed.enable = lib.mkForce false;
+      environment = {
+        CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
+        CONSUL_HTTP_TOKEN_FILE = bootstrapTokenFile;
+      };
+      postStop = ''
+        rm -f ${bootstrapTokenFile}
+        touch ${sentinelFile}
+      '';
+    };
+  };
+
+  services.locksmith.providers.consul = {
+    wantedBy = [ "consul-acl-bootstrap.service" ];
+    after = [ "consul-acl-bootstrap.service" ];
+    secrets.systemManagementToken = {
+      nodes = cluster.config.services.consul.nodes.agent;
+      checkUpdate = "test -e ${bootstrapTokenFile}";
+      command = "cat ${bootstrapTokenFile}";
+    };
+  };
+}
--- a/cluster/services/consul/default.nix
+++ b/cluster/services/consul/default.nix
@ -14,6 +14,7 @@ in
    nodes = {
      agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
      ready = config.services.consul.nodes.agent;
+      bootstrap = [ "grail" "VEGAS" ];
    };
    nixos = {
      agent = [
@ -21,10 +22,11 @@ in
        ./remote-api.nix
      ];
      ready = ./ready.nix;
+      bootstrap = ./bootstrap.nix;
    };
    simulacrum = {
      enable = true;
-      deps = [ "wireguard" ];
+      deps = [ "wireguard" "locksmith" ];
      settings = ./test.nix;
    };
  };
--- a/cluster/services/consul/ready.nix
+++ b/cluster/services/consul/ready.nix
@ -51,4 +51,9 @@ in
      Type = "oneshot";
    };
  };
+
+  systemd.targets.consul-ready = {
+    description = "Consul is Ready";
+    requires = [ "consul-ready.service" ] ++ lib.optional config.services.consul.enable "consul-load-smt.service";
+  };
 }
--- a/cluster/services/consul/test.nix
+++ b/cluster/services/consul/test.nix
@ -1,8 +1,4 @@
-{ lib, ... }:
-
 {
-  defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };
-
  testScript = ''
    import json

@ -11,12 +7,12 @@
    with subtest("should form cluster"):
      nodes = [ n for n in machines if n != nowhere ]
      for machine in nodes:
-        machine.succeed("systemctl start consul-ready.service")
+        machine.succeed("systemctl start consul-ready.target")
      for machine in nodes:
        consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
        addr = consulConfig["addresses"]["http"]
        port = consulConfig["ports"]["http"]
-        setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
+        setEnv = f"CONSUL_HTTP_ADDR={addr}:{port} CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
        memberList = machine.succeed(f"{setEnv} consul members --status=alive")
        for machine2 in nodes:
          assert machine2.name in memberList
--- a/cluster/services/forge/default.nix
+++ b/cluster/services/forge/default.nix
@ -4,10 +4,7 @@
  services.forge = {
    nodes.server = [ "VEGAS" ];
    nixos.server = ./server.nix;
-    meshLinks.server = {
-      name = "forge";
-      link.protocol = "http";
-    };
+    meshLinks.server.forge.link.protocol = "http";
    secrets = with config.services.forge.nodes; {
      oidcSecret = {
        nodes = server;
--- a/cluster/services/idm/client.nix
+++ b/cluster/services/idm/client.nix
@ -1,4 +1,4 @@
-{ cluster, config, pkgs, utils, ... }:
+{ cluster, config, lib, pkgs, utils, ... }:

 let
  frontendLink = cluster.config.links.idm;
@ -39,9 +39,8 @@ in
  security = {
    pam.services.sudo = { config, ... }: {
      rules.auth.rssh = {
+        enable = lib.mkForce true;
        order = config.rules.auth.unix.order - 10;
-        control = "sufficient";
-        modulePath = "${pkgs.pam_rssh}/lib/libpam_rssh.so";
        settings = {
          authorized_keys_command = "/etc/ssh/authorized_keys_command_kanidm";
          authorized_keys_command_user = "nobody";
--- a/cluster/services/idm/server.nix
+++ b/cluster/services/idm/server.nix
@ -33,6 +33,9 @@ in
      ldapbindaddress = "${ldapLink.ipv4}:${ldapLink.portStr}";
      origin = frontendLink.url;
      inherit domain;
+      online_backup = {
+        versions = 7;
+      };
    };
  };

--- a/cluster/services/ipfs/default.nix
+++ b/cluster/services/ipfs/default.nix
@ -29,10 +29,7 @@
      io-tweaks = [ "VEGAS" ];
      remote-api = [ "VEGAS" ];
    };
-    meshLinks.gateway = {
-      name = "ipfsGateway";
-      link.protocol = "http";
-    };
+    meshLinks.gateway.ipfsGateway.link.protocol = "http";
    nixos = {
      node = [
        ./node.nix
--- a/cluster/services/ipfs/monitoring.nix
+++ b/cluster/services/ipfs/monitoring.nix
@ -9,7 +9,7 @@ in
    environment = {
      OTEL_TRACES_EXPORTER = "otlp";
      OTEL_EXPORTER_OTLP_PROTOCOL = "grpc";
-      OTEL_EXPORTER_OTLP_ENDPOINT = cluster.config.links.tempo-otlp-grpc.url;
+      OTEL_EXPORTER_OTLP_ENDPOINT = "${cluster.config.ways.ingest-traces-otlp.url}:443";
      OTEL_TRACES_SAMPLER = "parentbased_traceidratio";
      OTEL_TRACES_SAMPLER_ARG = "0.50";
    };
--- a/cluster/services/monitoring/client.nix
+++ b/cluster/services/monitoring/client.nix
@ -26,7 +26,7 @@ in {
        name = "logging";
        positions.filename = "\${STATE_DIRECTORY:/tmp}/logging-positions.yaml";
        clients = singleton {
-          url = "${cluster.config.ways.monitoring-logs.url}/loki/api/v1/push";
+          url = "${cluster.config.ways.ingest-logs.url}/loki/api/v1/push";
        };
        scrape_configs = singleton {
          job_name = "journal";
--- a/cluster/services/monitoring/default.nix
+++ b/cluster/services/monitoring/default.nix
@ -18,26 +18,6 @@ in
      protocol = "http";
      ipv4 = meshIpFor "server";
    };
-    tempo = {
-      protocol = "http";
-      ipv4 = meshIpFor "server";
-    };
-    tempo-grpc = {
-      protocol = "http";
-      ipv4 = "127.0.0.1";
-    };
-    tempo-otlp-http = {
-      protocol = "http";
-      ipv4 = meshIpFor "server";
-    };
-    tempo-otlp-grpc = {
-      protocol = "http";
-      ipv4 = meshIpFor "server";
-    };
-    tempo-zipkin-http = {
-      protocol = "http";
-      ipv4 = meshIpFor "server";
-    };
  };
  hostLinks = lib.genAttrs config.services.monitoring.nodes.grafana (name: {
    grafana = {
@ -51,6 +31,7 @@ in
      blackbox = [ "checkmate" "grail" "prophet" ];
      grafana = [ "VEGAS" "prophet" ];
      logging = [ "VEGAS" "grail" ];
+      tracing = [ "VEGAS" "grail" ];
      server = [ "VEGAS" ];
    };
    nixos = {
@ -61,14 +42,19 @@ in
        ./provisioning/dashboards.nix
      ];
      logging = ./logging.nix;
+      tracing = ./tracing.nix;
      server = [
        ./server.nix
-        ./tracing.nix
      ];
    };
-    meshLinks.logging = {
-      name = "loki";
-      link.protocol = "http";
+    meshLinks = {
+      logging.loki.link.protocol = "http";
+      tracing = {
+        tempo.link.protocol = "http";
+        tempo-otlp-http.link.protocol = "http";
+        tempo-otlp-grpc.link.protocol = "grpc";
+        tempo-zipkin-http.link.protocol = "http";
+      };
    };
  };

@ -82,29 +68,51 @@ in
        nodes = config.services.monitoring.nodes.logging;
        format = "envFile";
      };
-      tempo = { };
+      tempo-ingest.locksmith = {
+        nodes = config.services.monitoring.nodes.tracing;
+        format = "envFile";
+      };
+      tempo-query.locksmith = {
+        nodes = config.services.monitoring.nodes.tracing;
+        format = "envFile";
+      };
    };
    buckets = {
      loki-chunks.allow = {
        loki-ingest = [ "read" "write" ];
        loki-query = [ "read" ];
      };
-      tempo-chunks.allow.tempo = [ "read" "write" ];
+      tempo-chunks.allow = {
+        tempo-ingest = [ "read" "write" ];
+        tempo-query = [ "read" ];
+      };
    };
  };

-  ways = config.lib.forService "monitoring" {
-    monitoring = {
-      consulService = "grafana";
-      extras.locations."/".proxyWebsockets = true;
-    };
-    monitoring-logs = {
+  ways = let
+    query = consulService: {
+      inherit consulService;
+      internal = true;
+      extras.extraConfig = ''
+        proxy_read_timeout 3600s;
+      '';
+    };
+    ingest = consulService: {
+      inherit consulService;
      internal = true;
-      consulService = "loki";
      extras.extraConfig = ''
        client_max_body_size 4G;
        proxy_read_timeout 3600s;
      '';
    };
+  in config.lib.forService "monitoring" {
+    monitoring = {
+      consulService = "grafana";
+      extras.locations."/".proxyWebsockets = true;
+    };
+    monitoring-logs = query "loki";
+    monitoring-traces = query "tempo";
+    ingest-logs = ingest "loki";
+    ingest-traces-otlp = ingest "tempo-ingest-otlp-grpc" // { grpc = true; };
  };
 }
--- a/cluster/services/monitoring/grafana-ha.nix
+++ b/cluster/services/monitoring/grafana-ha.nix
@ -73,6 +73,16 @@ in
          inherit (cluster.config.ways.monitoring-logs) url;
          type = "loki";
        }
+        {
+          name = "Tempo";
+          uid = "P214B5B846CF3925F";
+          inherit (cluster.config.ways.monitoring-traces) url;
+          type = "tempo";
+          jsonData = {
+            serviceMap.datasourceUid = "PBFA97CFB590B2093";
+            nodeGraph.enabled = true;
+          };
+        }
      ];
    };
  };
--- a/cluster/services/monitoring/secrets/tempo-secrets.age
+++ b/cluster/services/monitoring/secrets/tempo-secrets.age
@ -1,16 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 NO562A KhCGp7PAMGrEdzRxBrsW4tRk30JwpI+4lPzrRCUhSw4
-8s7WqA5c3zS1euN5R+jfFNBdvr8OQW8P4NFeqtNsIKo
-> ssh-ed25519 5/zT0w 79hJQ2H76EZTW7YcQFCtKaS5Kbssx4Z8dPFjIVzRgFk
-A1fDJbUnyIRy+kWa3PhJNj/SdRPlcEy6FYsAfnuZ2AQ
-> ssh-ed25519 d3WGuA aylkdL1KliM1NfrYDGlG8X6YjXvVUCU4sV90I+a840U
-6sXdqIPjtoNSylZRh1DCghHOwDo+fC7WB4QWQoWmG48
-> //gd+2-grease baUWA$3 z-qs3W O/2.1W
-Sfq3+rkMJhpUTTmcos5TaaUtX2Ip9pciHAZLiWPix+C9N7ccac/1W5RNedMJCLsq
-MQ+xKzexf8+hgNVhKOksvbKBBROXqk1bUOKk8w3OgFPmmByzmCBUwkdkeu5DFTYR
-rg
--- kUl1uIPRkM5y7C68kdN22pMKXP7gazyha4PE+ap0Jqw
-w>×Àè¥
-<15>CÈ,\‰ßœI¯ˆúHxG@^Çá“PåÃþÙÏlw6µŽ{þ’rb‘é5æ†T>Êñ
-ÚWÜ¤X4Kp(ß?9ˆß^^oP3f </v3N$ê¤sÓbŽ¾>O™÷œ+òN0Î¬ïµàDtêŽ5Vº#è ¶³‘Uã îŸ#y|›@ŒGzSi»ô*·HùüŽ]
-êŽ€5›
--- a/cluster/services/monitoring/tracing.nix
+++ b/cluster/services/monitoring/tracing.nix
@ -1,14 +1,16 @@
 { cluster, config, pkgs, ... }:

 let
-  inherit (cluster.config) links;
+  inherit (cluster.config.links) prometheus-ingest;
+  inherit (config.links) tempo-grpc;
+  links = cluster.config.hostLinks.${config.networking.hostName};
  dataDir = "/srv/storage/private/tempo";
  tempoConfig = {
    server = {
      http_listen_address = links.tempo.ipv4;
      http_listen_port = links.tempo.port;
-      grpc_listen_address = links.tempo-grpc.ipv4;
-      grpc_listen_port = links.tempo-grpc.port;
+      grpc_listen_address = tempo-grpc.ipv4;
+      grpc_listen_port = tempo-grpc.port;
    };
    distributor.receivers = {
      otlp = {
@ -19,7 +21,7 @@ let
      };
      zipkin.endpoint = links.tempo-zipkin-http.tuple;
    };
-    querier.frontend_worker.frontend_address = links.tempo-grpc.tuple;
+    querier.frontend_worker.frontend_address = tempo-grpc.tuple;
    ingester = {
      trace_idle_period = "30s";
      max_block_bytes = 1000000;
@ -56,7 +58,7 @@ let
        path = "${dataDir}/generator/wal";
        remote_write = [
          {
-            url = "${links.prometheus-ingest.url}/api/v1/write";
+            url = "${prometheus-ingest.url}/api/v1/write";
            send_exemplars = true;
          }
        ];
@ -68,7 +70,11 @@ let
    ];
  };
 in {
-  age.secrets.tempoSecrets.file = ./secrets/tempo-secrets.age;
+  links.tempo-grpc.protocol = "http";
+
+  services.locksmith.waitForSecrets.tempo = [
+    "garage-tempo-ingest"
+  ];

  users.users.tempo = {
    isSystemUser = true;
@ -81,24 +87,53 @@ in {

  systemd.services.tempo = {
    wantedBy = [ "multi-user.target" ];
+    distributed = {
+      enable = true;
+      registerServices = [
+        "tempo"
+        "tempo-ingest-otlp-grpc"
+      ];
+    };
    serviceConfig = {
      User = "tempo";
      Group = "tempo";
      ExecStart = "${pkgs.tempo}/bin/tempo -config.file=${pkgs.writeText "tempo.yaml" (builtins.toJSON tempoConfig)}";
      PrivateTmp = true;
-      EnvironmentFile = config.age.secrets.tempoSecrets.path;
+      EnvironmentFile = "/run/locksmith/garage-tempo-ingest";
    };
  };
-  services.grafana.provision.datasources.settings.datasources = [
-    {
-      name = "Tempo";
-      uid = "P214B5B846CF3925F";
-      inherit (links.tempo) url;
-      type = "tempo";
-      jsonData = {
-        serviceMap.datasourceUid = "PBFA97CFB590B2093"; # prometheus
-        nodeGraph.enabled = true;
+
+  consul.services = {
+    tempo = {
+      mode = "manual";
+      definition = {
+        name = "tempo";
+        address = links.tempo.ipv4;
+        inherit (links.tempo) port;
+        checks = [
+          {
+            name = "Tempo";
+            id = "service:tempo:backend";
+            interval = "5s";
+            http = "${links.tempo.url}/ready";
+          }
+        ];
      };
-    }
-  ];
+    };
+    tempo-ingest-otlp-grpc = {
+      mode = "manual";
+      definition = {
+        name = "tempo-ingest-otlp-grpc";
+        address = links.tempo-otlp-grpc.ipv4;
+        inherit (links.tempo-otlp-grpc) port;
+        checks = [
+          {
+            name = "Tempo Service Status";
+            id = "service:tempo-ingest-otlp-grpc:tempo";
+            alias_service = "tempo";
+          }
+        ];
+      };
+    };
+  };
 }
--- a/cluster/services/sso/default.nix
+++ b/cluster/services/sso/default.nix
@ -1,4 +1,4 @@
-{ depot, ... }:
+{ config, depot, ... }:

 {
  services.sso = {
@ -18,4 +18,12 @@
    login.target = ssoAddr;
    account.target = ssoAddr;
  };
+
+  patroni = config.lib.forService "sso" {
+    databases.keycloak = {};
+    users.keycloak.locksmith = {
+      nodes = config.services.sso.nodes.host;
+      format = "raw";
+    };
+  };
 }
--- a/cluster/services/sso/host.nix
+++ b/cluster/services/sso/host.nix
@ -8,12 +8,10 @@ in
 {
  links.keycloak.protocol = "http";

-  age.secrets.keycloak-dbpass = {
-    file = ../../../secrets/keycloak-dbpass.age;
-    owner = "root";
-    group = "root";
-    mode = "0400";
-  };
+  services.locksmith.waitForSecrets.keycloak = [
+    "patroni-keycloak"
+  ];
+
  services.nginx.virtualHosts = { 
    "${login}" = lib.recursiveUpdate (vhosts.proxy kc.url) {
      locations = {
@ -36,13 +34,14 @@ in
      host = patroni.ipv4;
      inherit (patroni) port;
      useSSL = false;
-      passwordFile = config.age.secrets.keycloak-dbpass.path;
+      passwordFile = "/run/locksmith/patroni-keycloak";
    };
    settings = {
+      http-enabled = true;
      http-host = kc.ipv4;
      http-port = kc.port;
      hostname = login;
-      proxy = "edge";
+      proxy-headers = "xforwarded";
      # for backcompat, TODO: remove
      http-relative-path = "/auth";
    };
@ -54,7 +53,7 @@ in
      "-Dotel.traces.exporter=otlp"
    ];
    OTEL_EXPORTER_OTLP_PROTOCOL = "grpc";
-    OTEL_EXPORTER_OTLP_ENDPOINT = cluster.config.links.tempo-otlp-grpc.url;
+    OTEL_EXPORTER_OTLP_ENDPOINT = cluster.config.ways.ingest-traces-otlp.url;
    OTEL_TRACES_SAMPLER = "parentbased_traceidratio";
    OTEL_TRACES_SAMPLER_ARG = "0.50";
  };
--- a/cluster/services/storage/default.nix
+++ b/cluster/services/storage/default.nix
@ -56,7 +56,7 @@ in
    };
    simulacrum = {
      enable = true;
-      deps = [ "wireguard" "consul" "locksmith" "dns" "incandescence" ];
+      deps = [ "wireguard" "consul" "locksmith" "dns" "incandescence" "ways" ];
      settings = ./simulacrum/test.nix;
    };
  };
--- a/cluster/services/storage/garage-gateway.nix
+++ b/cluster/services/storage/garage-gateway.nix
@ -36,10 +36,9 @@ in
        inherit (linkWeb) port;
        checks = [
          {
-            name = "Garage Node";
-            id = "service:garage-web:node";
-            interval = "5s";
-            http = "${config.links.garageMetrics.url}/health";
+            name = "Garage Service Status";
+            id = "service:garage-web:garage";
+            alias_service = "garage";
          }
        ];
      };
--- a/cluster/services/ways/host.nix
+++ b/cluster/services/ways/host.nix
@ -25,7 +25,14 @@ in
            ];
            locations = lib.mkMerge [
              {
-                "/".proxyPass = cfg.target;
+                "/" = if cfg.grpc then {
+                  extraConfig = ''
+                    set $nix_proxy_grpc_target ${cfg.target};
+                    grpc_pass $nix_proxy_grpc_target;
+                  '';
+                } else {
+                  proxyPass = cfg.target;
+                };
                "${cfg.healthCheckPath}".extraConfig = "access_log off;";
              }
              {
@ -82,11 +89,11 @@ in
            '') consulServiceWays;
          in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
          destination = "/run/consul-template/nginx-ways-upstreams.conf";
-          exec.command = [
-            "${config.services.nginx.package}/bin/nginx"
-            "-s" "reload"
-            "-g" "pid /run/nginx/nginx.pid;"
-          ];
+          exec.command = lib.singleton (pkgs.writeShellScript "ways-reload" ''
+            if ${config.systemd.package}/bin/systemctl is-active nginx.service; then
+              exec ${config.services.nginx.package}/bin/nginx -s reload -g 'pid /run/nginx/nginx.pid;'
+            fi
+          '');
        }
      ];
    };
--- a/cluster/services/ways/options/way.nix
+++ b/cluster/services/ways/options/way.nix
@ -35,6 +35,12 @@ with lib;
      };
    };

+    grpc = mkOption {
+      description = "Whether this endpoint is a gRPC service.";
+      type = types.bool;
+      default = false;
+    };
+
    target = mkOption {
      type = types.str;
    };
@ -101,7 +107,7 @@ with lib;
    (lib.mkIf options.consulService.isDefined {
      useConsul = true;
      nginxUpstreamName = "ways_upstream_${builtins.hashString "md5" options.consulService.value}";
-      target = "http://${options.nginxUpstreamName.value}";
+      target = "${if config.grpc then "grpc" else "http"}://${options.nginxUpstreamName.value}";
    })
    (lib.mkIf options.bucket.isDefined {
      consulService = "garage-web";
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1722339003,
-        "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
@ -29,9 +29,8 @@
        "flake-compat": [
          "blank"
        ],
-        "flake-utils": [
-          "repin-flake-utils"
-        ],
+        "flake-parts": "flake-parts",
+        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -40,11 +39,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722472866,
-        "narHash": "sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8=",
+        "lastModified": 1730906442,
+        "narHash": "sha256-tBuyb8jWBSHHgcIrOfiyQJZGY1IviMzH2V74t7gWfgI=",
        "owner": "zhaofengli",
        "repo": "attic",
-        "rev": "e127acbf9a71ebc0c26bc8e28346822e0a6e16ba",
+        "rev": "d0b66cf897e4d55f03d341562c9821dc4e566e54",
        "type": "github"
      },
      "original": {
@ -76,11 +75,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717025063,
-        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
+        "lastModified": 1722960479,
+        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
+        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
        "type": "github"
      },
      "original": {
@ -118,11 +117,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722113426,
-        "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
+        "lastModified": 1728330715,
+        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
+        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
        "type": "github"
      },
      "original": {
@ -190,6 +189,7 @@
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
+          "attic",
          "nixpkgs"
        ]
      },
@ -208,6 +208,26 @@
      }
    },
    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "nix-super",
@ -268,11 +288,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1720223941,
-        "narHash": "sha256-QDbU8LZzcUSqBp1CBqDj/f5Wd/sdgQ8pZwRWueoMUL4=",
+        "lastModified": 1723736589,
+        "narHash": "sha256-/Vdg5ZKtP71ZEKVV6JXlrOEu0CM2Flcs+nwDmWRzgjQ=",
        "owner": "hercules-ci",
        "repo": "hercules-ci-agent",
-        "rev": "2e10fb21fc2e07edf40763b73443e5934bd40947",
+        "rev": "c303cc8e437c0fd26b9452472e7df5aa374e9177",
        "type": "github"
      },
      "original": {
@ -291,11 +311,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1719226092,
-        "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=",
+        "lastModified": 1730903510,
+        "narHash": "sha256-mnynlrPeiW0nUQ8KGZHb3WyxAxA3Ye/BH8gMjdoKP6E=",
        "owner": "hercules-ci",
        "repo": "hercules-ci-effects",
-        "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5",
+        "rev": "b89ac4d66d618b915b1f0a408e2775fe3821d141",
        "type": "github"
      },
      "original": {
@ -399,11 +419,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1722409392,
-        "narHash": "sha256-8QuMS00EutmqzAIPxyJEPxM8EHiWlSKs6E2Htoh3Kes=",
+        "lastModified": 1725623828,
+        "narHash": "sha256-5Zrn72PO9yBaNO4Gd5uOsEmRpYH5rVAFKOQ5h2PxyhU=",
        "owner": "numtide",
        "repo": "nar-serve",
-        "rev": "9d0eff868d328fe67c60c26c8ba50e0b9d8de867",
+        "rev": "e5c749a444f2d14f381c75ef3a8feaa82c333b92",
        "type": "github"
      },
      "original": {
@ -414,11 +434,11 @@
    },
    "nix-filter": {
      "locked": {
-        "lastModified": 1710156097,
-        "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
+        "lastModified": 1730207686,
+        "narHash": "sha256-SCHiL+1f7q9TAnxpasriP6fMarWE5H43t25F5/9e28I=",
        "owner": "numtide",
        "repo": "nix-filter",
-        "rev": "3342559a24e85fc164b295c3444e8a139924675b",
+        "rev": "776e68c1d014c3adde193a18db9d738458cd2ba4",
        "type": "github"
      },
      "original": {
@ -427,10 +447,31 @@
        "type": "github"
      }
    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nix-super": {
      "inputs": {
        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
        "libgit2": "libgit2",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-regression": [
@ -504,11 +545,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1722539632,
-        "narHash": "sha256-g4L+I8rDl7RQy5x8XcEMqNO49LFhrHTzVBqXtG2+FGo=",
+        "lastModified": 1730785428,
+        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f2d6c7123138044e0c68902268bd8f37dd7e2fa7",
+        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
        "type": "github"
      },
      "original": {
@ -557,11 +598,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
@ -577,7 +618,7 @@
        "blank": "blank",
        "devshell": "devshell",
        "drv-parts": "drv-parts",
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
        "hercules-ci-agent": "hercules-ci-agent",
        "hercules-ci-effects": "hercules-ci-effects",
        "hyprspace": "hyprspace",
--- a/flake.nix
+++ b/flake.nix
@ -54,7 +54,6 @@
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs";
        flake-compat.follows = "blank";
-        flake-utils.follows = "repin-flake-utils";
      };
    };

--- a/modules/consul-distributed-services/default.nix
+++ b/modules/consul-distributed-services/default.nix
@ -26,11 +26,13 @@ in

      cfg = v.distributed;

-      svc = config.consul.services.${cfg.registerService};
+      svcs = map (x: config.consul.services.${x}) cfg.registerServices;

      runWithRegistration = pkgs.writeShellScript "run-with-registration" ''
-        trap '${svc.commands.deregister}' EXIT
-        ${svc.commands.register}
+        trap '${lib.concatStringsSep ";" (map (svc: svc.commands.deregister) svcs)}' EXIT
+        ${lib.concatStringsSep "\n" (
+          map (svc: svc.commands.register) svcs
+        )}
        ''${@}
      '';

@ -43,16 +45,17 @@ in
      hasSpecialPrefix = elem (substring 0 1 ExecStart) [ "@" "-" ":" "+" "!" ];
    in assert !hasSpecialPrefix; pkgs.writeTextDir "etc/systemd/system/${n}.service.d/distributed.conf" ''
      [Unit]
-      Requires=consul-ready.service
-      After=consul-ready.service
+      Requires=consul-ready.target
+      After=consul-ready.target

      [Service]
      ExecStartPre=${waitForConsul} 'services/${n}%i'
      ExecStart=
-      ExecStart=${consul}/bin/consul lock --name=${n} --n=${toString cfg.replicas} --shell=false --child-exit-code 'services/${n}%i' ${optionalString (cfg.registerService != null) runWithRegistration} ${ExecStart}
+      ExecStart=${consul}/bin/consul lock --name=${n} --n=${toString cfg.replicas} --shell=false --child-exit-code 'services/${n}%i' ${optionalString (cfg.registerServices != []) runWithRegistration} ${ExecStart}
      Environment="CONSUL_HTTP_ADDR=${consulHttpAddr}"
+      Environment="CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
      ${optionalString (v.serviceConfig ? RestrictAddressFamilies) "RestrictAddressFamilies=AF_NETLINK"}
-      ${optionalString (cfg.registerService != null) "ExecStopPost=${svc.commands.deregister}"}
+      ${optionalString (cfg.registerServices != []) (lib.concatStringsSep "\n" (map (svc: "ExecStopPost=${svc.commands.deregister}") svcs))}
    ''))
  ];
 }
--- a/modules/consul-service-registry/default.nix
+++ b/modules/consul-service-registry/default.nix
@ -12,6 +12,7 @@ let

  consulRegisterScript = pkgs.writeShellScript "consul-register" ''
    export CONSUL_HTTP_ADDR='${consulHttpAddr}'
+    export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
    while ! ${consul} services register "$1"; do
      sleep 1
    done
@ -19,6 +20,7 @@ let

  consulDeregisterScript = pkgs.writeShellScript "consul-deregister" ''
    export CONSUL_HTTP_ADDR='${consulHttpAddr}'
+    export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
    for i in {1..5}; do
      if ${consul} services deregister "$1"; then
        break
@ -81,8 +83,8 @@ let
    }.${mode};
    value = {
      direct = {
-        after = [ "consul-ready.service" ];
-        requires = [ "consul-ready.service" ];
+        after = [ "consul-ready.target" ];
+        requires = [ "consul-ready.target" ];
        serviceConfig = {
          ExecStartPost = register servicesJson;
          ExecStopPost = deregister servicesJson;
--- a/modules/systemd-extras/distributed.nix
+++ b/modules/systemd-extras/distributed.nix
@ -17,6 +17,11 @@ with lib;
          type = with types; nullOr str;
          default = null;
        };
+        registerServices = mkOption {
+          description = "Consul services to register when this service gets started.";
+          type = with types; listOf str;
+          default = if config.distributed.registerService == null then [ ] else [ config.distributed.registerService ];
+        };
      };
    }));
  };
--- a/packages/checks/keycloak-custom-jre.nix
+++ b/packages/checks/keycloak-custom-jre.nix
@ -7,7 +7,8 @@ nixosTest {
    package = keycloak;
    database.passwordFile = builtins.toFile "keycloak-test-password" "kcnixostest1234";
    settings = {
-      proxy = "edge";
+      http-enabled = true;
+      proxy-headers = "xforwarded";
      hostname = "keycloak.local";
    };
  };
--- a/packages/patched-derivations.nix
+++ b/packages/patched-derivations.nix
@ -18,6 +18,10 @@ super: rec {
    };
  };

+  jitsi-meet-insecure = let
+    olm-insecure = assert builtins.length super.olm.meta.knownVulnerabilities > 0; super.olm.overrideAttrs (o: { meta = o.meta // { knownVulnerabilities = []; }; });
+  in super.jitsi-meet.override { olm = olm-insecure; };
+
  jre17_standard = let
    jre = super.jre_minimal.override {
      jdk = super.jdk17_headless;
@ -46,7 +50,7 @@ super: rec {

  prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";

-  s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: {
+  s3ql = super.s3ql.overrideAttrs (old: {
    propagatedBuildInputs = old.propagatedBuildInputs ++ [
      super.python3Packages.packaging
      super.python3Packages.systemd
--- a/packages/shadows.nix
+++ b/packages/shadows.nix
@ -9,7 +9,9 @@

    options.shadows = lib.mkOption {
      type = with lib.types; lazyAttrsOf package;
-      default = { };
+      default = {
+        jitsi-meet = self'.packages.jitsi-meet-insecure;
+      };
    };
  };
 }
--- a/patches/base/kanidm/unixd-authenticated.patch
+++ b/patches/base/kanidm/unixd-authenticated.patch
@ -1,25 +1,28 @@
-diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
-index 6fc015756..31593f03e 100644
--- a/unix_integration/src/idprovider/kanidm.rs
-+++ b/unix_integration/src/idprovider/kanidm.rs
-@@ -4,6 +4,7 @@ use kanidm_client::{ClientError, KanidmClient, StatusCode};
- use kanidm_proto::internal::OperationError;
+diff --git a/unix_integration/resolver/src/idprovider/kanidm.rs b/unix_integration/resolver/src/idprovider/kanidm.rs
+index 63cedb4d5..35c45fb0e 100644
+--- a/unix_integration/resolver/src/idprovider/kanidm.rs
+++ b/unix_integration/resolver/src/idprovider/kanidm.rs
+@@ -7,6 +7,7 @@ use kanidm_proto::internal::OperationError;
 use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
- use tokio::sync::{broadcast, RwLock};
+ use std::collections::BTreeSet;
+ use std::time::{Duration, SystemTime};
 +use std::env;
+ use tokio::sync::{broadcast, Mutex};
 
- use super::interface::{
-     // KeyStore,
-@@ -25,12 +26,28 @@ const TAG_IDKEY: &str = "idkey";
- 
- pub struct KanidmProvider {
-     client: RwLock<KanidmClient>,
+ use kanidm_lib_crypto::CryptoPolicy;
+@@ -38,6 +39,8 @@ struct KanidmProviderInternal {
+     hmac_key: HmacKey,
+     crypto_policy: CryptoPolicy,
+     pam_allow_groups: BTreeSet<String>,
 +    auth_name: Option<String>,
 +    auth_password: Option<String>,
 }
 
- impl KanidmProvider {
-     pub fn new(client: KanidmClient) -> Self {
+ pub struct KanidmProvider {
+@@ -102,6 +105,19 @@ impl KanidmProvider {
+             .map(|GroupMap { local, with }| (local, Id::Name(with)))
+             .collect();
+ 
 +        let env_username: Option<String>;
 +        let env_password: Option<String>;
 +        match (env::var_os("KANIDM_NAME"), env::var_os("KANIDM_PASSWORD")) {
@ -32,23 +35,29 @@ index 6fc015756..31593f03e 100644
 +                env_password = None;
 +            }
 +        }
-         KanidmProvider {
-             client: RwLock::new(client),
-+            auth_name: env_username,
-+            auth_password: env_password,
-         }
+
+         Ok(KanidmProvider {
+             inner: Mutex::new(KanidmProviderInternal {
+                 state: CacheState::OfflineNextCheck(now),
+@@ -109,6 +125,8 @@ impl KanidmProvider {
+                 hmac_key,
+                 crypto_policy,
+                 pam_allow_groups,
+                auth_name: env_username,
+                auth_password: env_password
+             }),
+             map_group,
+         })
+@@ -256,7 +274,11 @@ impl KanidmProviderInternal {
     }
- }
-@@ -118,7 +135,11 @@ impl IdProvider for KanidmProvider {
 
-     // Needs .read on all types except re-auth.
-     async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError> {
-        match self.client.write().await.auth_anonymous().await {
+     async fn attempt_online(&mut self, _tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
+-        match self.client.auth_anonymous().await {
 +        let auth_method = match (&self.auth_name, &self.auth_password) {
-+            (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await,
-+            _ => self.client.write().await.auth_anonymous().await
+            (Some(name), Some(password)) => self.client.auth_simple_password(name, password).await,
+            _ => self.client.auth_anonymous().await
 +        };
 +        match auth_method {
-             Ok(_uat) => Ok(()),
-             Err(err) => {
-                 error!(?err, "Provider authentication failed");
+             Ok(_uat) => {
+                 self.state = CacheState::Online;
+                 true
--- a/patches/base/s3ql/0000-cache-entry-seek-whence.patch
+++ b/patches/base/s3ql/0000-cache-entry-seek-whence.patch
@ -1,18 +0,0 @@
-diff --git a/src/s3ql/block_cache.py b/src/s3ql/block_cache.py
-index a4b55fd1..267b9a12 100644
--- a/src/s3ql/block_cache.py
-+++ b/src/s3ql/block_cache.py
-@@ -86,10 +86,10 @@ class CacheEntry:
-     def flush(self):
-         self.fh.flush()
- 
-    def seek(self, off):
-+    def seek(self, off, whence=0):
-         if self.pos != off:
-            self.fh.seek(off)
-            self.pos = off
-+            self.fh.seek(off, whence)
-+            self.pos = self.fh.tell()
- 
-     def tell(self):
-         return self.pos
--- a/patches/base/s3ql/0001-fix-plain-block-size.patch
+++ b/patches/base/s3ql/0001-fix-plain-block-size.patch
@ -1,26 +0,0 @@
-diff --git a/src/s3ql/backends/comprenc.py b/src/s3ql/backends/comprenc.py
-index 6402fec1..9ed3627e 100644
--- a/src/s3ql/backends/comprenc.py
-+++ b/src/s3ql/backends/comprenc.py
-@@ -276,7 +276,7 @@ class ComprencBackend(AbstractBackend):
-             buf.seek(0)
-             fh = buf
- 
-        return self.backend.write_fh(key, fh, meta_raw)
-+        return self.backend.write_fh(key, fh, meta_raw, len_=len_ if meta_raw['compression'] == 'None'and meta_raw['encryption'] == 'None' else None)
- 
-     def contains(self, key):
-         return self.backend.contains(key)
-diff --git a/src/s3ql/database.py b/src/s3ql/database.py
-index bb4054e6..c2142bf6 100644
--- a/src/s3ql/database.py
-+++ b/src/s3ql/database.py
-@@ -659,7 +659,7 @@ def upload_metadata(
-             )
-             obj = METADATA_OBJ_NAME % (blockno, params.seq_no)
-             fh.seek(blockno * blocksize)
-            backend.write_fh(obj, fh, len_=blocksize)
-+            backend.write_fh(obj, fh, len_=min(blocksize, db_size - blockno * blocksize))
- 
-         if not update_params:
-             return
--- a/patches/base/s3ql/0002-comprenc-always-copy.patch
+++ b/patches/base/s3ql/0002-comprenc-always-copy.patch
@ -1,17 +0,0 @@
-diff --git a/src/s3ql/backends/comprenc.py b/src/s3ql/backends/comprenc.py
-index 9ed3627e..db419bb7 100644
--- a/src/s3ql/backends/comprenc.py
-+++ b/src/s3ql/backends/comprenc.py
-@@ -276,6 +276,12 @@ class ComprencBackend(AbstractBackend):
-             buf.seek(0)
-             fh = buf
- 
-+        if meta_raw['compression'] == 'None' and meta_raw['encryption'] == 'None':
-+            buf = io.BytesIO()
-+            copyfh(fh, buf, len_)
-+            buf.seek(0)
-+            fh = buf
-+        
-         return self.backend.write_fh(key, fh, meta_raw, len_=len_ if meta_raw['compression'] == 'None'and meta_raw['encryption'] == 'None' else None)
- 
-     def contains(self, key):
--- a/patches/base/s3ql/remove-ssl-monkeypatch.patch
+++ b/patches/base/s3ql/remove-ssl-monkeypatch.patch
@ -1,12 +0,0 @@
-diff --git a/tests/t0_http.py b/tests/t0_http.py
-index 66ed564f..36bebab1 100755
--- a/tests/t0_http.py
-+++ b/tests/t0_http.py
-@@ -289,7 +289,6 @@ def do_GET(self):
- 
-     # We don't *actually* want to establish SSL, that'd be
-     # to complex for our mock server
-    monkeypatch.setattr('ssl.match_hostname', lambda x, y: True)
-     conn = HTTPConnection(
-         test_host,
-         test_port,
--- a/patches/base/s3ql/s3c-accurate-length.patch
+++ b/patches/base/s3ql/s3c-accurate-length.patch
@ -1,26 +0,0 @@
-commit 1edbbcf08d5701ea38f13fca7491418318aebca9
-Author: Max <max@privatevoid.net>
-Date:   Fri Jun 7 23:31:08 2024 +0200
-
-    accurate length
-
-diff --git a/src/s3ql/backends/s3c.py b/src/s3ql/backends/s3c.py
-index 2995ca4f..3c3c79ab 100644
--- a/src/s3ql/backends/s3c.py
-+++ b/src/s3ql/backends/s3c.py
-@@ -387,9 +387,13 @@ class Backend(AbstractBackend):
-         '''
- 
-         off = fh.tell()
-+        fh.seek(0, os.SEEK_END)
-+        actual_len = fh.tell() - off
-+        fh.seek(off, os.SEEK_SET)
-         if len_ is None:
-            fh.seek(0, os.SEEK_END)
-            len_ = fh.tell()
-+            len_ = actual_len
-+        else:
-+            len_ = min(len_, actual_len)
-         return self._write_fh(key, fh, off, len_, metadata or {})
- 
-     @retry
--- a/patches/base/s3ql/s3v4.patch
+++ b/patches/base/s3ql/s3v4.patch
@ -1,392 +0,0 @@
-From 11e3a9cea77cd8498d874f7fd69a938af4da68cd Mon Sep 17 00:00:00 2001
-From: xeji <36407913+xeji@users.noreply.github.com>
-Date: Thu, 28 Mar 2024 22:19:11 +0100
-Subject: [PATCH] new backend s3c4: s3c with V4 request signatures (#349)
-
---
- rst/backends.rst              |  15 ++++
- src/s3ql/backends/__init__.py |   3 +-
- src/s3ql/backends/s3.py       | 100 ++----------------------
- src/s3ql/backends/s3c4.py     | 140 ++++++++++++++++++++++++++++++++++
- src/s3ql/parse_args.py        |   2 +-
- tests/mock_server.py          |  11 +++
- 6 files changed, 174 insertions(+), 97 deletions(-)
- create mode 100644 src/s3ql/backends/s3c4.py
-
-diff --git a/rst/backends.rst b/rst/backends.rst
-index 7220ee96..4bc68387 100644
--- a/rst/backends.rst
-+++ b/rst/backends.rst
-@@ -341,6 +341,14 @@ can be an arbitrary prefix that will be prepended to all object names
- used by S3QL. This allows you to store several S3QL file systems in
- the same bucket.
- 
-+`s3c://` authenticates API requests using AWS V2 signatures, which are
-+deprecated by AWS but still accepted by many S3 compatible services.
-+
-+`s3c4://` denotes a variant of this backend that works the same
-+but uses AWS V4 signatures for request authentication instead: ::
-+
-+   s3c4://<hostname>:<port>/<bucketname>/<prefix>
-+
- The S3 compatible backend accepts the following backend options:
- 
- .. option:: no-ssl
-@@ -385,6 +393,13 @@ The S3 compatible backend accepts the following backend options:
-    necessary if your storage server does not return a valid response
-    body for a successful copy operation.
- 
-+.. option:: sig-region=<region>
-+
-+   For `s3c4://` variant only: Region to use for calculating V4
-+   request signatures. Contrary to S3, the region is not a defined 
-+   part of the storage URL and must be specified separately.
-+   Defaults to `us-east-1`.
-+
- .. _`S3 COPY API`: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html
- .. __: https://doc.s3.amazonaws.com/proposals/copy.html
- 
-diff --git a/src/s3ql/backends/__init__.py b/src/s3ql/backends/__init__.py
-index a1335762..442828cd 100644
--- a/src/s3ql/backends/__init__.py
-+++ b/src/s3ql/backends/__init__.py
-@@ -6,7 +6,7 @@
- This work can be distributed under the terms of the GNU GPLv3.
- '''
- 
-from . import gs, local, rackspace, s3, s3c, swift, swiftks
-+from . import gs, local, rackspace, s3, s3c, s3c4, swift, swiftks
- from .b2.b2_backend import B2Backend
- 
- #: Mapping from storage URL prefixes to backend classes
-@@ -15,6 +15,7 @@
-     'local': local.Backend,
-     'gs': gs.Backend,
-     's3c': s3c.Backend,
-+    's3c4': s3c4.Backend,
-     'swift': swift.Backend,
-     'swiftks': swiftks.Backend,
-     'rackspace': rackspace.Backend,
-diff --git a/src/s3ql/backends/s3.py b/src/s3ql/backends/s3.py
-index e05a49ba..5548a855 100644
--- a/src/s3ql/backends/s3.py
-+++ b/src/s3ql/backends/s3.py
-@@ -15,7 +15,7 @@
- from xml.sax.saxutils import escape as xml_escape
- 
- from ..logging import QuietError
-from . import s3c
-+from . import s3c4
- from .common import retry
- from .s3c import get_S3Error
- 
-@@ -28,22 +28,23 @@
- # pylint: disable=E1002,E1101
- 
- 
-class Backend(s3c.Backend):
-+class Backend(s3c4.Backend):
-     """A backend to store data in Amazon S3
- 
-     This class uses standard HTTP connections to connect to S3.
-     """
- 
-    known_options = (s3c.Backend.known_options | {'sse', 'rrs', 'ia', 'oia', 'it'}) - {
-+    known_options = (s3c4.Backend.known_options | {'sse', 'rrs', 'ia', 'oia', 'it'}) - {
-         'dumb-copy',
-         'disable-expect100',
-+        'sig-region',
-     }
- 
-     def __init__(self, options):
-         self.region = None
-        self.signing_key = None
-         super().__init__(options)
-         self._set_storage_options(self._extra_put_headers)
-+        self.sig_region = self.region
- 
-     def _parse_storage_url(self, storage_url, ssl_context):
-         hit = re.match(r'^s3s?://([^/]+)/([^/]+)(?:/(.*))?$', storage_url)
-@@ -147,94 +148,3 @@ def _delete_multi(self, keys):
- 
-         except:
-             self.conn.discard()
-
-    def _authorize_request(self, method, path, headers, subres, query_string):
-        '''Add authorization information to *headers*'''
-
-        # See http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
-
-        now = time.gmtime()
-        # now = time.strptime('Fri, 24 May 2013 00:00:00 GMT',
-        #                    '%a, %d %b %Y %H:%M:%S GMT')
-
-        ymd = time.strftime('%Y%m%d', now)
-        ymdhms = time.strftime('%Y%m%dT%H%M%SZ', now)
-
-        headers['x-amz-date'] = ymdhms
-        headers['x-amz-content-sha256'] = 'UNSIGNED-PAYLOAD'
-        # headers['x-amz-content-sha256'] = hashlib.sha256(body).hexdigest()
-        headers.pop('Authorization', None)
-
-        auth_strs = [method]
-        auth_strs.append(urllib.parse.quote(path))
-
-        if query_string:
-            s = urllib.parse.urlencode(
-                query_string, doseq=True, quote_via=urllib.parse.quote
-            ).split('&')
-        else:
-            s = []
-        if subres:
-            s.append(urllib.parse.quote(subres) + '=')
-        if s:
-            s = '&'.join(sorted(s))
-        else:
-            s = ''
-        auth_strs.append(s)
-
-        # Headers
-        sig_hdrs = sorted(x.lower() for x in headers.keys())
-        for hdr in sig_hdrs:
-            auth_strs.append('%s:%s' % (hdr, headers[hdr].strip()))
-        auth_strs.append('')
-        auth_strs.append(';'.join(sig_hdrs))
-        auth_strs.append(headers['x-amz-content-sha256'])
-        can_req = '\n'.join(auth_strs)
-        # log.debug('canonical request: %s', can_req)
-
-        can_req_hash = hashlib.sha256(can_req.encode()).hexdigest()
-        str_to_sign = (
-            "AWS4-HMAC-SHA256\n"
-            + ymdhms
-            + '\n'
-            + '%s/%s/s3/aws4_request\n' % (ymd, self.region)
-            + can_req_hash
-        )
-        # log.debug('string to sign: %s', str_to_sign)
-
-        if self.signing_key is None or self.signing_key[1] != ymd:
-            self.update_signing_key(ymd)
-        signing_key = self.signing_key[0]
-
-        sig = hmac_sha256(signing_key, str_to_sign.encode(), hex=True)
-
-        cred = '%s/%04d%02d%02d/%s/s3/aws4_request' % (
-            self.login,
-            now.tm_year,
-            now.tm_mon,
-            now.tm_mday,
-            self.region,
-        )
-
-        headers['Authorization'] = (
-            'AWS4-HMAC-SHA256 '
-            'Credential=%s,'
-            'SignedHeaders=%s,'
-            'Signature=%s' % (cred, ';'.join(sig_hdrs), sig)
-        )
-
-    def update_signing_key(self, ymd):
-        date_key = hmac_sha256(("AWS4" + self.password).encode(), ymd.encode())
-        region_key = hmac_sha256(date_key, self.region.encode())
-        service_key = hmac_sha256(region_key, b's3')
-        signing_key = hmac_sha256(service_key, b'aws4_request')
-
-        self.signing_key = (signing_key, ymd)
-
-
-def hmac_sha256(key, msg, hex=False):
-    d = hmac.new(key, msg, hashlib.sha256)
-    if hex:
-        return d.hexdigest()
-    else:
-        return d.digest()
-diff --git a/src/s3ql/backends/s3c4.py b/src/s3ql/backends/s3c4.py
-new file mode 100644
-index 00000000..37ff0b7a
--- /dev/null
-+++ b/src/s3ql/backends/s3c4.py
-@@ -0,0 +1,140 @@
-+'''
-+s3c4.py - this file is part of S3QL.
-+
-+Copyright © 2008 Nikolaus Rath <Nikolaus@rath.org>
-+
-+This work can be distributed under the terms of the GNU GPLv3.
-+'''
-+
-+import hashlib
-+import hmac
-+import logging
-+import re
-+import time
-+import urllib.parse
-+from xml.sax.saxutils import escape as xml_escape
-+
-+from ..logging import QuietError
-+from . import s3c
-+from .common import retry
-+from .s3c import get_S3Error
-+
-+log = logging.getLogger(__name__)
-+
-+# Maximum number of keys that can be deleted at once
-+MAX_KEYS = 1000
-+
-+# Pylint goes berserk with false positives
-+# pylint: disable=E1002,E1101
-+
-+
-+class Backend(s3c.Backend):
-+    """A backend to stored data in some S3 compatible storage service.
-+
-+    This classes uses AWS Signature V4 for authorization.
-+    """
-+
-+    known_options = s3c.Backend.known_options | {'sig-region'}
-+
-+    def __init__(self, options):
-+        self.sig_region = options.backend_options.get('sig-region', 'us-east-1')
-+        self.signing_key = None
-+        super().__init__(options)
-+
-+    def __str__(self):
-+        return 's3c4://%s/%s/%s' % (self.hostname, self.bucket_name, self.prefix)
-+
-+    def _authorize_request(self, method, path, headers, subres, query_string):
-+        '''Add authorization information to *headers*'''
-+
-+        # See http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
-+
-+        now = time.gmtime()
-+        # now = time.strptime('Fri, 24 May 2013 00:00:00 GMT',
-+        #                    '%a, %d %b %Y %H:%M:%S GMT')
-+
-+        ymd = time.strftime('%Y%m%d', now)
-+        ymdhms = time.strftime('%Y%m%dT%H%M%SZ', now)
-+
-+        # add non-standard port to host header, needed for correct signature
-+        if self.port != 443:
-+            headers['host'] = '%s:%s' % (self.hostname, self.port)
-+
-+        headers['x-amz-date'] = ymdhms
-+        headers['x-amz-content-sha256'] = 'UNSIGNED-PAYLOAD'
-+
-+        headers.pop('Authorization', None)
-+
-+        auth_strs = [method]
-+        auth_strs.append(urllib.parse.quote(path))
-+
-+        if query_string:
-+            s = urllib.parse.urlencode(
-+                query_string, doseq=True, quote_via=urllib.parse.quote
-+            ).split('&')
-+        else:
-+            s = []
-+        if subres:
-+            s.append(urllib.parse.quote(subres) + '=')
-+        if s:
-+            s = '&'.join(sorted(s))
-+        else:
-+            s = ''
-+        auth_strs.append(s)
-+
-+        # Headers
-+        sig_hdrs = sorted(x.lower() for x in headers.keys())
-+        for hdr in sig_hdrs:
-+            auth_strs.append('%s:%s' % (hdr, headers[hdr].strip()))
-+        auth_strs.append('')
-+        auth_strs.append(';'.join(sig_hdrs))
-+        auth_strs.append(headers['x-amz-content-sha256'])
-+        can_req = '\n'.join(auth_strs)
-+        # log.debug('canonical request: %s', can_req)
-+
-+        can_req_hash = hashlib.sha256(can_req.encode()).hexdigest()
-+        str_to_sign = (
-+            "AWS4-HMAC-SHA256\n"
-+            + ymdhms
-+            + '\n'
-+            + '%s/%s/s3/aws4_request\n' % (ymd, self.sig_region)
-+            + can_req_hash
-+        )
-+        # log.debug('string to sign: %s', str_to_sign)
-+
-+        if self.signing_key is None or self.signing_key[1] != ymd:
-+            self.update_signing_key(ymd)
-+        signing_key = self.signing_key[0]
-+
-+        sig = hmac_sha256(signing_key, str_to_sign.encode(), hex=True)
-+
-+        cred = '%s/%04d%02d%02d/%s/s3/aws4_request' % (
-+            self.login,
-+            now.tm_year,
-+            now.tm_mon,
-+            now.tm_mday,
-+            self.sig_region,
-+        )
-+
-+        headers['Authorization'] = (
-+            'AWS4-HMAC-SHA256 '
-+            'Credential=%s,'
-+            'SignedHeaders=%s,'
-+            'Signature=%s' % (cred, ';'.join(sig_hdrs), sig)
-+        )
-+
-+    def update_signing_key(self, ymd):
-+        date_key = hmac_sha256(("AWS4" + self.password).encode(), ymd.encode())
-+        region_key = hmac_sha256(date_key, self.sig_region.encode())
-+        service_key = hmac_sha256(region_key, b's3')
-+        signing_key = hmac_sha256(service_key, b'aws4_request')
-+
-+        self.signing_key = (signing_key, ymd)
-+
-+
-+def hmac_sha256(key, msg, hex=False):
-+    d = hmac.new(key, msg, hashlib.sha256)
-+    if hex:
-+        return d.hexdigest()
-+    else:
-+        return d.digest()
-diff --git a/src/s3ql/parse_args.py b/src/s3ql/parse_args.py
-index 272e10c7..24ad50f4 100644
--- a/src/s3ql/parse_args.py
-+++ b/src/s3ql/parse_args.py
-@@ -374,7 +374,7 @@ def storage_url_type(s):
-     # slash (even when using a prefix), but we can't do that now because it
-     # would make file systems created without trailing slash inaccessible.
-     if re.match(r'^(s3|gs)://[^/]+$', s) or re.match(
-        r'^(s3c|swift(ks)?|rackspace)://[^/]+/[^/]+$', s
-+        r'^(s3c|s3c4|swift(ks)?|rackspace)://[^/]+/[^/]+$', s
-     ):
-         s += '/'
- 
-diff --git a/tests/mock_server.py b/tests/mock_server.py
-index b453e705..e3084065 100644
--- a/tests/mock_server.py
-+++ b/tests/mock_server.py
-@@ -292,6 +292,16 @@ def send_error(self, status, message=None, code='', resource='', extra_headers=N
-             self.wfile.write(content)
- 
- 
-+class S3C4RequestHandler(S3CRequestHandler):
-+    '''Request Handler for s3c4 backend
-+
-+    Currently identical to S3CRequestHandler since mock request handlers
-+    do not check request signatures.
-+    '''
-+
-+    pass
-+
-+
- class BasicSwiftRequestHandler(S3CRequestHandler):
-     '''A request handler implementing a subset of the OpenStack Swift Interface
- 
-@@ -569,6 +579,7 @@ def inline_error(http_status, body):
- #: corresponding storage urls
- handler_list = [
-     (S3CRequestHandler, 's3c://%(host)s:%(port)d/s3ql_test'),
-+    (S3C4RequestHandler, 's3c4://%(host)s:%(port)d/s3ql_test'),
-     # Special syntax only for testing against mock server
-     (BasicSwiftRequestHandler, 'swift://%(host)s:%(port)d/s3ql_test'),
-     (CopySwiftRequestHandler, 'swift://%(host)s:%(port)d/s3ql_test'),
--- a/secrets/keycloak-dbpass.age
+++ b/secrets/keycloak-dbpass.age
Author	SHA1	Message	Date
Max	ca8d7cbe30	modules/consul-distributed-services: wait for consul-ready.target, use system management token	2024-11-10 14:40:10 +02:00
Max	feb0b2a40a	modules/consul-service-registry: wait for consul-ready.target, use system management token	2024-11-10 14:40:10 +02:00
Max	5704e358e0	cluster/services/consul: laod system management token on startup WIP	2024-11-10 14:40:10 +02:00
Max	9c260fd0f7	cluster/services/consul: adjust test	2024-11-10 14:40:10 +02:00
Max	fe50d53c91	cluster/services/consul: define readiness target	2024-11-10 14:40:10 +02:00
Max	1db4170226	cluster/services/consul: bootstrap ACLs	2024-11-10 14:40:10 +02:00
Max	994554bafd	cluster/services/consul: Type=notify	2024-11-10 14:40:10 +02:00
Max	297f5d2584	cluster/services/consul: enable ACLs	2024-11-10 14:40:10 +02:00
Max	42627235d1	cluster/services/idm: fix rssh	2024-11-10 13:07:33 +01:00
Max	886ddd9a1a	cluster/services/attic: enable @resources syscall group	2024-11-10 04:15:28 +01:00
hercules-ci[bot]	15af41e3c4	Merge pull request #114 from privatevoid-net/pr-flake-update `flake.lock`: Update	2024-11-09 22:36:14 +00:00
Max	e92e710ff3	cluster/services/storage: depend on ways in simulacrum	2024-11-09 19:24:01 +01:00
Max	d16dd6de7b	cluster/services/ways: only reload nginx if actually running	2024-11-09 19:24:01 +01:00
Max	05b584c748	packages: shadow jitsi-meet with jitsi-meet-insecure	2024-11-09 19:24:01 +01:00
Max	3cbb9c5d55	packages/jitsi-meet-insecure: init	2024-11-09 19:24:01 +01:00
Max	726491e780	fixup! packages/kanidm: update unixd-authenticated.patch	2024-11-09 19:24:01 +01:00
Max	ad7de0d455	cluster/services/attic: services.atticd.credentialsFile -> services.atticd.environmentFile	2024-11-09 19:24:01 +01:00
Max	b4dc1daee1	checks/keycloak: proxy -> proxy-headers	2024-11-09 19:24:01 +01:00
Max	64a21084a6	packages/kanidm: update unixd-authenticated.patch	2024-11-09 19:24:01 +01:00
Max	7b87ff4ee8	cluster/services/attic: use module from nixpkgs	2024-11-09 19:24:01 +01:00
Max	0f453dc64f	cluster/services/sso: proxy -> proxy-headers	2024-11-09 19:24:01 +01:00
Max	b7fee02359	packages/s3ql: unpatch	2024-11-09 19:24:01 +01:00
Max	93c19ef735	meta: remove flake-utils follow for attic	2024-11-09 19:24:01 +01:00
Max	0226b22444	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/3f1dae074a12feb7327b4bf43cbac0d124488bb7?narHash=sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU%3D' (2024-07-30) → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10) • Updated input 'attic': 'github:zhaofengli/attic/e127acbf9a71ebc0c26bc8e28346822e0a6e16ba?narHash=sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8%3D' (2024-08-01) → 'github:zhaofengli/attic/d0b66cf897e4d55f03d341562c9821dc4e566e54?narHash=sha256-tBuyb8jWBSHHgcIrOfiyQJZGY1IviMzH2V74t7gWfgI%3D' (2024-11-06) • Updated input 'attic/crane': 'github:ipetkov/crane/480dff0be03dac0e51a8dfc26e882b0d123a450e?narHash=sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8%3D' (2024-05-29) → 'github:ipetkov/crane/4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4?narHash=sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y%3D' (2024-08-06) • Added input 'attic/flake-parts': 'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d?narHash=sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC%2Bx4%3D' (2024-08-01) • Added input 'attic/flake-parts/nixpkgs-lib': follows 'attic/nixpkgs' • Removed input 'attic/flake-utils' • Added input 'attic/nix-github-actions': 'github:nix-community/nix-github-actions/e04df33f62cdcf93d73e9a04142464753a16db67?narHash=sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9%2BBV1h%2BMpA%3D' (2024-10-24) • Added input 'attic/nix-github-actions/nixpkgs': follows 'attic/nixpkgs' • Updated input 'devshell': 'github:numtide/devshell/67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae?narHash=sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw%3D' (2024-07-27) → 'github:numtide/devshell/dd6b80932022cea34a019e2bb32f6fa9e494dfef?narHash=sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg%3D' (2024-10-07) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d?narHash=sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC%2Bx4%3D' (2024-08-01) → 'github:hercules-ci/flake-parts/506278e768c2a08bec68eb62932193e341f55c90?narHash=sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS%2Bb4tfNFCwE%3D' (2024-11-01) • Updated input 'hercules-ci-agent': 'github:hercules-ci/hercules-ci-agent/2e10fb21fc2e07edf40763b73443e5934bd40947?narHash=sha256-QDbU8LZzcUSqBp1CBqDj/f5Wd/sdgQ8pZwRWueoMUL4%3D' (2024-07-05) → 'github:hercules-ci/hercules-ci-agent/c303cc8e437c0fd26b9452472e7df5aa374e9177?narHash=sha256-/Vdg5ZKtP71ZEKVV6JXlrOEu0CM2Flcs%2BnwDmWRzgjQ%3D' (2024-08-15) • Updated input 'hercules-ci-effects': 'github:hercules-ci/hercules-ci-effects/11e4b8dc112e2f485d7c97e1cee77f9958f498f5?narHash=sha256-YNkUMcCUCpnULp40g%2BsvYsaH1RbSEj6s4WdZY/SHe38%3D' (2024-06-24) → 'github:hercules-ci/hercules-ci-effects/b89ac4d66d618b915b1f0a408e2775fe3821d141?narHash=sha256-mnynlrPeiW0nUQ8KGZHb3WyxAxA3Ye/BH8gMjdoKP6E%3D' (2024-11-06) • Updated input 'nar-serve': 'github:numtide/nar-serve/9d0eff868d328fe67c60c26c8ba50e0b9d8de867?narHash=sha256-8QuMS00EutmqzAIPxyJEPxM8EHiWlSKs6E2Htoh3Kes%3D' (2024-07-31) → 'github:numtide/nar-serve/e5c749a444f2d14f381c75ef3a8feaa82c333b92?narHash=sha256-5Zrn72PO9yBaNO4Gd5uOsEmRpYH5rVAFKOQ5h2PxyhU%3D' (2024-09-06) • Updated input 'nix-filter': 'github:numtide/nix-filter/3342559a24e85fc164b295c3444e8a139924675b?narHash=sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj%2BrL8sRQsSM%3D' (2024-03-11) → 'github:numtide/nix-filter/776e68c1d014c3adde193a18db9d738458cd2ba4?narHash=sha256-SCHiL%2B1f7q9TAnxpasriP6fMarWE5H43t25F5/9e28I%3D' (2024-10-29) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f2d6c7123138044e0c68902268bd8f37dd7e2fa7?narHash=sha256-g4L%2BI8rDl7RQy5x8XcEMqNO49LFhrHTzVBqXtG2%2BFGo%3D' (2024-08-01) → 'github:NixOS/nixpkgs/4aa36568d413aca0ea84a1684d2d46f55dbabad7?narHash=sha256-Zwl8YgTVJTEum%2BL%2B0zVAWvXAGbWAuXHax3KzuejaDyo%3D' (2024-11-05) • Updated input 'repin-flake-utils': 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a?narHash=sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ%3D' (2024-03-11) → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a?narHash=sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ%3D' (2024-09-17)	2024-11-09 19:24:01 +01:00
Max	aa46d46d9d	cluster/services/sso: use patroni incandescence	2024-08-28 17:01:41 +02:00
Max	272b4ddd01	cluster/services/acme-client: fix typo thank you, Big Hyuge	2024-08-24 13:18:11 +02:00
Max	da0b09b993	cluster/services/idm: enable online backups	2024-08-23 16:05:52 +02:00
Max	ce4087d6d1	cluster/services/attic: use more distinct consul service IDs	2024-08-23 03:36:19 +02:00
Max	91816529fd	cluster/services/storage: use alias_service for garage-web's health check	2024-08-23 03:11:54 +02:00
Max	db3abe717d	cluster/services/ipfs: explicitly specify port in tempo address	2024-08-23 03:07:17 +02:00
Max	8a44287c36	cluster/services/sso: use correct tempo address	2024-08-23 02:50:48 +02:00
Max	e1b53161c3	cluster/services/ipfs: use correct tempo address	2024-08-23 02:50:43 +02:00
Max	9063ecb5f4	cluster/services/monitoring: make tempo HA	2024-08-23 02:50:18 +02:00
Max	25bd410599	cluster/services/ways: support gRPC	2024-08-23 02:50:01 +02:00
Max	06041f8498	modules/consul-distributed-services: support registering multiple services	2024-08-23 02:49:42 +02:00
Max	94d678b93b	modules/systemd-extras: distributed: support registering multiple services	2024-08-23 02:49:23 +02:00
Max	f55a60d0bb	cluster: restructure meshLinks	2024-08-23 01:06:38 +02:00
Max	4713febf4b	cluster/services/monitoring: add ingest-logs endpoint	2024-08-23 00:32:44 +02:00