

26 commits

Author SHA1 Message Date
Max
2dd786949d cluster/services/storage: register existing keys and buckets in incandescence 2024-08-16 02:53:52 +02:00
Max
64717857b7 cluster/services/consul: implement runConsul incantation 2024-08-16 02:53:52 +02:00
Max
94c32ca191 cluster/services/forge: define db 2024-08-16 02:53:52 +02:00
Max
6afe7b775c cluster/services/storage: define snakeoil passphrase for heresy, ensure encryption 2024-08-16 02:53:52 +02:00
Max
1ee39bc9f8 cluster/services/ways: add simulacrum deps 2024-08-16 02:53:52 +02:00
Max
80227ba3b5 cluster/services/storage: use recursive simulacrum deps 2024-08-16 02:53:52 +02:00
Max
5edb4620a8 cluster/services/forge: use forService 2024-08-16 02:53:52 +02:00
Max
1b4c0d9ade cluster/services/dns: use patroni incandescence 2024-08-16 02:53:52 +02:00
Max
055119d2c9 modules/external-storage: implement detectFs for s3c4 2024-08-16 02:53:52 +02:00
Max
437e905b03 cluster/services/storage: use locksmith secrets for external storage 2024-08-16 02:53:52 +02:00
Max
23de86063e cluster/services/storage: adjust test 2024-08-16 02:53:52 +02:00
Max
61aa03374d cluster/services/storage: use incandescence 2024-08-16 02:53:52 +02:00
Max
aaeba9a3b8 modules/external-storage: support locksmith secrets 2024-08-16 02:53:52 +02:00
Max
9f056ba318 cluster/services/storage: implement s3ql key format 2024-08-16 02:53:52 +02:00
Max
5e4ec68ac7 cluster/services/hercules-ci-multi-agent: use forService 2024-08-16 02:53:52 +02:00
Max
06afea67f8 cluster/services/monitoring: use forService 2024-08-16 02:53:52 +02:00
Max
0732ab921f checks/garage: drop 2024-08-16 02:53:52 +02:00
Max
f19b90b99f cluster/services/forge: use forService 2024-08-16 02:53:52 +02:00
Max
e9ce4095a7 cluster/services/attic: use forService 2024-08-16 02:53:52 +02:00
Max
2617a14042 cluster/services/storage: test in simulacrum 2024-08-16 02:53:52 +02:00
Max
a632b08588 cluster/catalog: support snakeoil secrets 2024-08-16 02:53:52 +02:00
5a68c052a9 Merge pull request 'The Simulacrum: Stage 4' (#112) from pr-simulacrum-stage-4 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/112
2024-08-16 03:37:48 +03:00
Max
f5b085a074 cluster/services/dns: test in simulacrum 2024-08-16 02:29:00 +02:00
Max
e0d513be30 cluster/services/dns: never reload coredns 2024-08-16 02:27:58 +02:00
Max
79478c44ed cluster/services/acme-client: implement augment for external ACME services 2024-08-16 02:27:58 +02:00
Max
d9317cd69a cluster/services/dns: use patroni incandescence 2024-08-16 02:27:58 +02:00
4 changed files with 57 additions and 20 deletions


@ -1,16 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A YndVtONpmfFXYB1ASnPHsfczl1UbgZ2vccIrX2pEgx0
VzH2UD583L6wBLMCo6faIGyHR4+zXXOUTgQduEiFOxI
-> ssh-ed25519 5/zT0w +67r5S6PSFEgnrTu3eZpOd3eemZUdDOE+kjUw6GDgUM
jPzlW7hePFgsABUjryePu5yergQ2Qjczmmoxuo6CK+U
-> ssh-ed25519 TCgorQ DGJPjJYpeibxM+8OwofUCdttIT2OdNbvQ66wpWQM8XU
JCNQ3bT21j2ZsxbzA6FieKIui6lsvk1p0nvNOT7YtFo
-> ssh-ed25519 d3WGuA hIl5yluwf1f0DP5ZW1MalGPCj4XFYOu2sofwJSQZ6RE
BSHoe4cdRJlPrkc+taUIaIIUknexlGttzz2d9I3jtmk
-> ssh-ed25519 YIaSKQ EbqXS/XFQHSXCbzDJmg4gGUxP9TX3+vOxWtNQDJ8ih4
hNaWzoFG2iVef4Gm30LilGXYNsVkhmVt9dOvBo02mbM
-> V]i@xRtJ-grease
NEPxMUZa76GclWOasWptt6QS7frMclp9o+kD4KCLJB7ucFOYK7xxWfAEMkjtadfP
m0bbgbw7Jcs9/lA8VNAG2D5jTBayGgpkBQZ4
--- ViqZD8mJEKIMCZ5Q+wRQWR2FX/LMEfUwoumUtHlYabQ
KAÉû¹ÝgZü<šë*DfV6·=äG»+eœ`ºpª±ï÷­<1E>º[Û‘Û û¸¢ºÐý-H1<1B>»Ã›Íí[fV.¾¢HÁ"OhÐñŒ½j•ùö8ïßß$‰;Û‘&5<>äxw§/mŒë<C592>Öß^7îf5ÔµyÏŽÓûC´6”¹U•æýi-R=/_R<5F><52>„·==æà½1˜'Ò qÞ·ŒvÜcwø


@ -35,10 +35,13 @@ in
];
before = [ "acme-securedns.${domain}.service" ];
wants = [ "acme-finished-securedns.${domain}.target" ];
serviceConfig.LoadCredential = [
serviceConfig = {
LoadCredential = [
"dot-cert.pem:${dot.directory}/fullchain.pem"
"dot-key.pem:${dot.directory}/key.pem"
];
ExecReload = lib.mkForce [];
};
};
security.acme.certs."securedns.${domain}" = {
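Review bot: `ExecReload = lib.mkForce [];` in the new `serviceConfig` block disables reload without recording why, leaving the reader to reconstruct the reason from the commit title. The motivation appears to be that the DoT certificate and key now arrive through `LoadCredential`, which systemd resolves only when the unit starts, so a `reload` after ACME renewal would presumably keep serving the pre-renewal key material — confirm this against the renewal hook, which is not in this hunk. I would add above that line: `# credentials are resolved at unit start only; a reload would keep the old cert, so force a full restart on renewal`. The enclosing `systemd.services` attribute begins before the hunk and the `security.acme.certs` block on its last line continues past it.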


@ -56,6 +56,21 @@ in
coredns = ./coredns.nix;
client = ./client.nix;
};
simulacrum = {
enable = true;
deps = [ "consul" "acme-client" "patroni" ];
settings = ./test.nix;
};
};
patroni = {
databases.acmedns = {};
users.acmedns = {
locksmith = {
nodes = config.services.dns.nodes.authoritative;
format = "envFile";
};
};
};
patroni = {
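Review bot: The `locksmith` block under `users.acmedns` hands the database credential to every node in `config.services.dns.nodes.authoritative` as an env file, but nothing in the hunk says which component on those nodes consumes it, so a later reader cannot tell whether the audience is wider than necessary. The new test script in this same change treats `nodes.coredns` as a set distinct from `nodes.authoritative`, which suggests the two node sets can differ; if the consumer is coredns (or something else only present on a subset), the credential may be landing on nodes that never use it — I cannot confirm that from here. A one-line why-comment on the `nodes =` line, e.g. `# every authoritative node runs the acmedns consumer, so each needs the DB credential`, would settle it for the next maintainer, or narrow the set if the comment turns out to be false. The enclosing attrset starts before the hunk and the `patroni = {` on its last line continues beyond it.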


@ -0,0 +1,35 @@
{ cluster, ... }:
let
inherit (cluster._module.specialArgs.depot.lib.meta) domain;
in
{
nodes.nowhere = { pkgs, ... }: {
passthru = cluster;
environment.systemPackages = [
pkgs.knot-dns
pkgs.openssl
];
};
testScript = ''
import json
nodeNames = json.loads('${builtins.toJSON cluster.config.services.dns.nodes.authoritative}')
dotNames = json.loads('${builtins.toJSON cluster.config.services.dns.nodes.coredns}')
nodes = [ n for n in machines if n.name in nodeNames ]
dotServers = [ n for n in machines if n.name in dotNames ]
start_all()
with subtest("should allow external name resolution for own domain"):
for node in nodes:
node.wait_for_unit("coredns.service")
nowhere.wait_until_succeeds("[[ $(kdig +short securedns.${domain} | wc -l) -ne 0 ]]", timeout=60)
nowhere.fail("[[ $(kdig +short example.com | wc -l) -ne 0 ]]")
with subtest("should have valid certificate on DoT endpoint"):
for node in dotServers:
node.wait_for_unit("acme-finished-securedns.${domain}.target")
nowhere.wait_until_succeeds("openssl </dev/null s_client -connect securedns.${domain}:853 -verify_return_error -strict -verify_hostname securedns.${domain}", timeout=60)
'';
}
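Review bot: The negative check `nowhere.fail("[[ $(kdig +short example.com | wc -l) -ne 0 ]]")` in the first subtest also passes when `nowhere` simply has no working resolver or no route to the DNS nodes, so it does not demonstrate that the authoritative servers refuse out-of-zone queries. Directing the query at an authoritative node and asserting the response code would pin that behaviour, e.g. `kdig @<node-addr> example.com | grep -q 'status: REFUSED'` inside the `for node in nodes` loop, with the address taken from however the simulacrum exposes node addresses (not shown here). Separately, the `openssl s_client` check in the second subtest carries no `-CAfile`, so it relies on the VM's system trust store already containing whatever CA the `acme-client` dependency uses in simulacrum; if that is the intent, a comment such as `# trusts the simulacrum ACME CA via the system store, not a public CA` above that line would stop a reader from assuming the check runs against a public issuer.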