cluster/services/frangiclave: funny

cluster/secrets/forge-dbCredentials.age

@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 NO562A YQQrnpQI/qyEZugiRwsrPbW4oMYK/rlmRKAdD3JjYz4
-JRGFqNc4BVflfR4WUuEOym39IhZlUI778NtOFtxE8eY
--> ssh-ed25519 5/zT0w utH25Xa9WQK9hXbKWsEWK5LJtCbhjpDX6JaomxnRaCI
-2MfxxDjs0doUTVsGP9942rx1tyCYsDxhlDo1542BhKQ
--> ssh-ed25519 d3WGuA 6qD02cluQEBqEvupHf93Onlpv8QJJSl/bJm/XqyD+gQ
-bLz/ULSaIW6HnPXDKD5dxCbQWv0VC2R+E5wlj7VxOc0
--> Ovax-grease ^1$]}H G4 FpDF XKHkj{
-IVdVFYcVe9PoHCCqM3GG1pM6xgTZ5r8XWlkBjlQimgaDArotF4dPpsSTpyc
---- wdTYr6EpFPFsDJI0qQf74c6ce+v5ek6j+mgAx2CI9uI
-ÜA³×oÈð:±­‹`ÜVd±å(Kät:fk¼’}3*#MJš<4A>Áõ]ê,¤éÐÈÍ69i›l`ÛÆJKwAè8­y@Ýœ¯à+&ðÖ©s]ÅÓ–›Ç>~Ší„+Úô
-üÁ»<C381>qa©h<C2A9>( YÕ<17>eÇjýI•ê·/ð^å~Ý’wÊ
-ÆÜßÌZî!^þRˆéÿv­¾…ïk‹Êp»ÛPÌ)ý̆ÍpÓV5²F΄ÆÚÙÚÞhBÇ»ßb#Š<>´ùºãi”»¸9ìQy¹¾<C2B9>Êè‹}€ß	ƒ¬E}~ZHûjmyq{òxŠ–Éôß<C3B4>"”éÀ´C#šójÿÐ.ò§yÔ£¸v¦
<0A>ÉÐòê<1“Œúâ¾ìßzâš#/êGñ?që

cluster/services/consul/agent.nix

@@ -10,6 +10,13 @@ let
 in
 
 {
+  system.extraIncantations = {
+    runConsul = i: script: i.execShellWith [ config.services.consul.package ] ''
+      export CONSUL_HTTP_ADDR='${config.links.consulAgent.tuple}'
+      ${script}
+    '';
+  };
+
   links.consulAgent.protocol = "http";
 
   services.consul = {

cluster/services/forge/default.nix

@@ -13,7 +13,6 @@
         nodes = server;
         owner = "forgejo";
       };
-      dbCredentials.nodes = server;
     };
   };
 
@@ -23,6 +22,14 @@
     target = config.hostLinks.${host}.forge.url;
   };
 
+  patroni = config.lib.forService "forge" {
+    databases.forge = {};
+    users.forge.locksmith = {
+      nodes = config.services.forge.nodes.server;
+      format = "raw";
+    };
+  };
+
   garage = config.lib.forService "forge" {
     keys.forgejo.locksmith.nodes = config.services.forge.nodes.server;
     buckets.forgejo.allow.forgejo = [ "read" "write" ];

cluster/services/forge/server.nix

@@ -26,6 +26,7 @@ in
   services.locksmith.waitForSecrets.forgejo = [
     "garage-forgejo-id"
     "garage-forgejo-secret"
+    "patroni-forge"
   ];
 
   services.forgejo = {
@@ -39,7 +40,7 @@ in
       inherit (patroni) port;
       name = "forge";
       user = "forge";
-      passwordFile = secrets.dbCredentials.path;
+      passwordFile = "/run/locksmith/patroni-forge";
     };
     settings = {
       DEFAULT = {

cluster/services/frangiclave/default.nix

@@ -0,0 +1,27 @@
+{ config, ... }:
+
+{
+  services.frangiclave = {
+    nodes = {
+      server = [ "VEGAS" "grail" "prophet" ];
+      cluster = config.services.frangiclave.nodes.server;
+      agent = []; # all nodes, for vault-agent, secret templates, etc.
+    };
+    meshLinks = {
+      server.link.protocol = "http";
+      cluster.link.protocol = "http";
+    };
+    nixos = {
+      server = [
+        ./server.nix
+      ];
+      cluster = [];
+      agent = [];
+    };
+    simulacrum = {
+      enable = true;
+      deps = [ "wireguard" "consul" ];
+      settings = ./test.nix;
+    };
+  };
+}

cluster/services/frangiclave/server.nix

@@ -0,0 +1,34 @@
+{ cluster, config, depot, lib, ... }:
+
+let
+  apiLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-server;
+  clusterLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-cluster;
+in
+
+{
+  services.vault = {
+    enable = true;
+    package = depot.packages.openbao;
+    address = apiLink.tuple;
+    extraConfig = /*hcl*/ ''
+      api_addr = "${apiLink.url}"
+      cluster_addr = "${clusterLink.url}"
+    '';
+
+    storageBackend = "raft";
+    storageConfig = /*hcl*/ ''
+      node_id = "x${builtins.hashString "sha256" "frangiclave-node-${config.networking.hostName}"}"
+      ${
+        lib.pipe (cluster.config.services.frangiclave.otherNodes.server config.networking.hostName) [
+          (map (node: cluster.config.hostLinks.${node}.frangiclave-server))
+          (map (link: /*hcl*/ ''
+            retry_join {
+              leader_api_addr = "${link.url}"
+            }
+          ''))
+          (lib.concatStringsSep "\n")
+        ]
+      }
+    '';
+  };
+}

cluster/services/frangiclave/test.nix

@@ -0,0 +1,12 @@
+{ lib, ... }:
+
+{
+  interactive.defaults = { cluster, config, ... }: {
+    config = lib.mkIf config.services.vault.enable {
+      environment.variables.VAULT_ADDR = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-server.url;
+      environment.systemPackages = [ config.services.vault.package ];
+    };
+  };
+
+  testScript = "assert False";
+}

cluster/services/incandescence/provider.nix

@@ -125,4 +125,14 @@ in
     wantedBy = [ "incandescence-${provider}.target" ];
     after = [ "incandescence-${provider}.target" ];
   }) (filterAttrs (_: providerConfig: providerConfig.locksmith) cfg.providers);
+
+  system.ascensions = mapAttrs' (provider: providerConfig: {
+    name = "incandescence-${provider}";
+    value = {
+      distributed = true;
+      requiredBy = map (formula: "ignite-${provider}-${formula}-create.service") (lib.attrNames providerConfig.formulae);
+      before = map (formula: "ignite-${provider}-${formula}-create.service") (lib.attrNames providerConfig.formulae);
+      incantations = lib.mkDefault (i: []);
+    };
+  }) cfg.providers;
 }

cluster/services/patroni/create-databases.nix

@@ -79,6 +79,10 @@ in
           echo "*:*:*:${user}:$(cat /run/keys/locksmith-provider-patroni-${user})"
           rm -f /run/keys/locksmith-provider-patroni-${user}
         '';
+        raw = ''
+          cat /run/keys/locksmith-provider-patroni-${user}
+          rm -f /run/keys/locksmith-provider-patroni-${user}
+        '';
       }.${userConfig.locksmith.format};
       checkUpdate = "test -e /run/keys/locksmith-provider-patroni-${user}";
       inherit (userConfig.locksmith) nodes;

cluster/services/patroni/options.nix

@@ -26,7 +26,7 @@ in
               default = [];
             };
             format = mkOption {
-              type = enum [ "pgpass" "envFile" ];
+              type = enum [ "pgpass" "envFile" "raw" ];
               default = "pgpass";
             };
           };

cluster/services/storage/default.nix

@@ -39,6 +39,7 @@ in
         ./garage.nix
         ./garage-options.nix
         ./garage-layout.nix
+        ./incandescence-ascensions.nix
       ] ++ lib.optionals config.simulacrum [
         ./simulacrum/snakeoil-rpc-secret.nix
       ];

cluster/services/storage/incandescence-ascensions.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  system.ascensions = {
+    incandescence-garage = lib.mkIf (config.services.incandescence.providers ? garage) {
+      incantations = i: [
+        (i.runGarage /*bash*/ ''
+          garage bucket list | tail -n +2 | cut -d' ' -f3 | while read bucket; do
+            ${i.runConsul /*bash*/ ''consul kv put "services/incandescence/providers/garage/formulae/bucket/$1/alive" true''} "$bucket"
+          done
+          garage key list | tail -n +2 | cut -d' ' -f5 | while read key; do
+            ${i.runConsul /*bash*/ ''consul kv put "services/incandescence/providers/garage/formulae/key/$1/alive" true''} "$key"
+          done
+        '')
+      ];
+    };
+  };
+}