privatevoid.net/depot
1
1
Fork 0
Code Issues 25 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

Compare commits

base: privatevoid.net:master
Branches Tags
privatevoid.net:master
privatevoid.net:pr-simulacrum-performance
privatevoid.net:pr-drop-gitlab
privatevoid.net:pr-s3ql-5.2.2-fix
privatevoid.net:staging
privatevoid.net:pr-hyprspace-libp2p-0.37-test
privatevoid.net:pr-consul-acl
privatevoid.net:pr-hci-no-ifd
privatevoid.net:pr-frangiclave
privatevoid.net:attic-ha
privatevoid.net:pg-auto-migrations
privatevoid.net:pkg-ircbot
privatevoid.net:d2n-bug-symlink-bin
..
compare: privatevoid.net:pr-consul-acl
Branches Tags
privatevoid.net:master
privatevoid.net:pr-simulacrum-performance
privatevoid.net:pr-drop-gitlab
privatevoid.net:pr-s3ql-5.2.2-fix
privatevoid.net:staging
privatevoid.net:pr-hyprspace-libp2p-0.37-test
privatevoid.net:pr-consul-acl
privatevoid.net:pr-hci-no-ifd
privatevoid.net:pr-frangiclave
privatevoid.net:attic-ha
privatevoid.net:pg-auto-migrations
privatevoid.net:pkg-ircbot
privatevoid.net:d2n-bug-symlink-bin

8 commits
master ... pr-consul-

Author SHA1 Message Date
Max
ca8d7cbe30 modules/consul-distributed-services: wait for consul-ready.target, use system management token 2024-11-10 14:40:10 +02:00
Max
feb0b2a40a modules/consul-service-registry: wait for consul-ready.target, use system management token 2024-11-10 14:40:10 +02:00
Max
5704e358e0 cluster/services/consul: laod system management token on startup WIP 2024-11-10 14:40:10 +02:00
Max
9c260fd0f7 cluster/services/consul: adjust test 2024-11-10 14:40:10 +02:00
Max
fe50d53c91 cluster/services/consul: define readiness target 2024-11-10 14:40:10 +02:00
Max
1db4170226 cluster/services/consul: bootstrap ACLs 2024-11-10 14:40:10 +02:00
Max
994554bafd cluster/services/consul: Type=notify 2024-11-10 14:40:10 +02:00
Max
297f5d2584 cluster/services/consul: enable ACLs 2024-11-10 14:40:10 +02:00
44 changed files with 456 additions and 1975 deletions
Show stats Expand all files Collapse all files

29
cluster/services/consul/agent.nix
View file

@ -28,6 +28,35 @@ in
bootstrap_expect = builtins.length cfg.nodes.agent;
addresses.http = config.links.consulAgent.ipv4;
ports.http = config.links.consulAgent.port;
acl = {
enabled = true;
default_policy = "deny";
};
};
};
systemd.services = {
consul.serviceConfig.Type = "notify";
consul-load-smt = {
wantedBy = [ "consul.service" ];
after = [ "consul.service" ];
environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
path = [
config.services.consul.package
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
while ! test -e /run/locksmith/consul-systemManagementToken; do
echo Waiting for System Management Token
systemctl start locksmith.service
sleep 5
done
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
'';
};
};

65
cluster/services/consul/bootstrap.nix Normal file
View file

@ -0,0 +1,65 @@
{ cluster, config, lib, pkgs, ... }:
let
sentinelFile = "/var/lib/consul/nixos-acl-bootstrapped";
bootstrapTokenFile = "/run/keys/consul-bootstrap-token";
bootstrapConfig = "consul-bootstrap-config.json";
writeRules = rules: pkgs.writeText "consul-policy.json" (builtins.toJSON rules);
in
{
systemd.services = {
consul-acl-bootstrap = {
requires = [ "consul.service" ];
after = [ "consul.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig.ConditionPathExists = "!${sentinelFile}";
serviceConfig = {
Type = "oneshot";
PrivateTmp = true;
};
environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
path = [
config.services.consul.package
pkgs.jq
];
script = ''
umask 77
if consul acl bootstrap --format=json > ${bootstrapConfig}; then
echo Bootstrapping:
jq -r .SecretID < ${bootstrapConfig} > ${bootstrapTokenFile}
export CONSUL_HTTP_TOKEN_FILE=${bootstrapTokenFile}
consul acl policy create --name operator-read --description "Read-only operator actions" --rules @${writeRules { operator = "read"; }}
consul acl policy create --name smt-read --description "Allow reading the encrypted system management token" --rules @${writeRules { key_prefix."secrets/locksmith/consul-systemManagementToken/".policy = "read"; }}
consul acl token update --id 00000000-0000-0000-0000-000000000002 --append-policy-name operator-read --append-policy-name smt-read
else
echo Bootstrap is already in progress elsewhere.
touch ${sentinelFile}
fi
'';
};
locksmith-provider-consul = {
unitConfig.ConditionPathExists = bootstrapTokenFile;
distributed.enable = lib.mkForce false;
environment = {
CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
CONSUL_HTTP_TOKEN_FILE = bootstrapTokenFile;
};
postStop = ''
rm -f ${bootstrapTokenFile}
touch ${sentinelFile}
'';
};
};
services.locksmith.providers.consul = {
wantedBy = [ "consul-acl-bootstrap.service" ];
after = [ "consul-acl-bootstrap.service" ];
secrets.systemManagementToken = {
nodes = cluster.config.services.consul.nodes.agent;
checkUpdate = "test -e ${bootstrapTokenFile}";
command = "cat ${bootstrapTokenFile}";
};
};
}

4
cluster/services/consul/default.nix
View file

@ -14,6 +14,7 @@ in
nodes = {
agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
ready = config.services.consul.nodes.agent;
bootstrap = [ "grail" "VEGAS" ];
};
nixos = {
agent = [
@ -21,10 +22,11 @@ in
./remote-api.nix
];
ready = ./ready.nix;
bootstrap = ./bootstrap.nix;
};
simulacrum = {
enable = true;
deps = [ "wireguard" ];
deps = [ "wireguard" "locksmith" ];
settings = ./test.nix;
};
};

6
cluster/services/consul/ready.nix
View file

@ -49,7 +49,11 @@ in
DynamicUser = true;
TimeoutStartSec = "5m";
Type = "oneshot";
StartLimitBurst = 25;
};
};
systemd.targets.consul-ready = {
description = "Consul is Ready";
requires = [ "consul-ready.service" ] ++ lib.optional config.services.consul.enable "consul-load-smt.service";
};
}

8
cluster/services/consul/test.nix
View file

@ -1,8 +1,4 @@
{ lib, ... }:
{
defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };
testScript = ''
import json
@ -11,12 +7,12 @@
with subtest("should form cluster"):
nodes = [ n for n in machines if n != nowhere ]
for machine in nodes:
machine.succeed("systemctl start consul-ready.service")
machine.succeed("systemctl start consul-ready.target")
for machine in nodes:
consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
addr = consulConfig["addresses"]["http"]
port = consulConfig["ports"]["http"]
setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
setEnv = f"CONSUL_HTTP_ADDR={addr}:{port} CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
memberList = machine.succeed(f"{setEnv} consul members --status=alive")
for machine2 in nodes:
assert machine2.name in memberList

1
cluster/services/fbi/host.nix
View file

@ -30,7 +30,6 @@ with depot.lib.nginx;
};
sonarr = {
enable = true;
package = depot.packages.sonarr5;
};
prowlarr = {
enable = true;

36
cluster/services/flake-reegistry/default.nix
View file

@ -1,36 +0,0 @@
{ lib, ... }:
{
ways.registry.static = { depot, pkgs, ... }: pkgs.writeTextDir "flake-registry.json" (let
flakes = {
depot = {
type = "tarball";
url = "https://forge.${depot.lib.meta.domain}/${depot.lib.meta.domain}/depot/archive/master.tar.gz";
};
depot-nixpkgs = {
type = "github";
owner = "NixOS";
repo = "nixpkgs";
inherit (depot.inputs.nixpkgs.sourceInfo) rev narHash lastModified;
};
blank = {
type = "github";
owner = "divnix";
repo = "blank";
inherit (depot.inputs.blank.sourceInfo) rev narHash lastModified;
};
} // import ./extra-flakes.nix;
in builtins.toJSON {
version = 2;
flakes = lib.pipe flakes [
(lib.attrsToList)
(map (f: {
from = {
type = "indirect";
id = f.name;
};
to = f.value;
}))
];
});
}

18
cluster/services/flake-reegistry/extra-flakes.nix
View file

@ -1,18 +0,0 @@
let
github = owner: repo: {
type = "github";
inherit owner repo;
};
in {
# own
hyprspace = github "hyprspace" "hyprspace";
ai = github "nixified-ai" "flake";
nix-super = github "privatevoid-net" "nix-super";
nixpak = github "nixpak" "nixpak";
# other
nix = github "NixOS" "nix";
flake-parts = github "hercules-ci" "flake-parts";
home-manager = github "nix-community" "home-manager";
dream2nix = github "nix-community" "dream2nix";
}

10
cluster/services/gitlab/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ depot, ... }:
{
services.gitlab = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}

94
cluster/services/gitlab/host.nix Normal file
View file

@ -0,0 +1,94 @@
{ cluster, config, lib, depot, ... }:
let
inherit (depot.lib.meta) domain adminEmail;
patroni = cluster.config.links.patroni-pg-access;
mkSecret = name: {
owner = "gitlab";
group = "gitlab";
mode = "0400";
file = ../../../secrets/${name}.age;
};
secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
cfg = config.services.gitlab;
in
{
age.secrets = lib.flip lib.genAttrs mkSecret [
"gitlab-db-credentials"
"gitlab-initial-root-password"
"gitlab-openid-secret"
"gitlab-secret-db"
"gitlab-secret-jws"
"gitlab-secret-otp"
"gitlab-secret-secret"
];
services.gitlab = {
enable = true;
https = true;
host = "git.${domain}";
port = 443;
databaseCreateLocally = false;
databaseHost = patroni.ipv4;
extraDatabaseConfig = { inherit (patroni) port; };
databaseUsername = "gitlab";
databasePasswordFile = secrets.gitlab-db-credentials;
initialRootEmail = adminEmail;
statePath = "/srv/storage/private/gitlab/state";
smtp = {
enable = true;
inherit domain;
};
initialRootPasswordFile = secrets.gitlab-initial-root-password;
secrets = with secrets; {
dbFile = gitlab-secret-db;
jwsFile = gitlab-secret-jws;
otpFile = gitlab-secret-otp;
secretFile = gitlab-secret-secret;
};
extraConfig = {
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Private Void Account";
args = {
name = "openid_connect";
scope = ["openid" "profile"];
response_type = "code";
issuer = "https://login.${domain}/auth/realms/master";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
client_options = {
identifier = "net.privatevoid.git2";
secret = { _secret = secrets.gitlab-openid-secret; };
redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}

22
cluster/services/matrix/bridges/discord.nix Normal file
View file

@ -0,0 +1,22 @@
{ cluster, depot, ... }:
let
inherit (depot.lib.meta) domain;
in
{
services.matrix-appservice-discord = {
enable = true;
environmentFile = cluster.config.services.matrix.secrets.discordAppServiceToken.path;
settings = {
bridge = {
inherit domain;
homeserverUrl = "https://matrix.${domain}:443";
disablePresence = false;
disableTypingNotifications = false;
disableDeletionForwarding = false;
enableSelfServiceBridging = true;
disableReadReceipts = false;
disableJoinLeaveNotifications = true;
};
};
};
}

1
cluster/services/matrix/default.nix
View file

@ -10,6 +10,7 @@
homeserver = [
./homeserver.nix
./coturn.nix
./bridges/discord.nix
];
static = [
./federation.nix

5
cluster/services/matrix/homeserver.nix
View file

@ -77,6 +77,9 @@ in {
# HACK: upstream has a weird assertion that doesn't work with our HAProxy setup
# this host gets overridden by dbConfigOut
database = lib.recursiveUpdate dbConfig.database { args.host = "_patroni.local"; };
app_service_config_files = [
"/etc/synapse/discord-registration.yaml"
];
turn_uris = let
combinations = lib.cartesianProduct {
proto = [ "udp" "tcp" ];
@ -112,7 +115,7 @@ in {
};
};
systemd.services = lib.mkMerge [
(lib.genAttrs [ "coturn" "matrix-synapse" ] (_: {
(lib.genAttrs [ "coturn" "matrix-appservice-discord" "matrix-synapse" ] (_: {
serviceConfig = {
Slice = "communications.slice";
};

2
cluster/services/monitoring/server.nix
View file

@ -7,7 +7,7 @@ in
enable = true;
listenAddress = prometheus-ingest.ipv4;
inherit (prometheus-ingest) port;
extraFlags = [ "--web.enable-remote-write-receiver" ];
extraFlags = [ "--enable-feature=remote-write-receiver" ];
globalConfig = {
scrape_interval = "60s";
};

2
cluster/services/nextcloud/host.nix
View file

@ -18,7 +18,7 @@ in
};
};
services.nextcloud = {
package = pkgs.nextcloud30;
package = pkgs.nextcloud29;
enable = true;
https = true;
hostName = "storage.${depot.lib.meta.domain}";

2
cluster/services/patroni/default.nix
View file

@ -14,7 +14,7 @@
};
services.patroni = {
nodes = {
worker = [ "grail" "VEGAS" ];
worker = [ "grail" "thunderskin" "VEGAS" ];
haproxy = [ "checkmate" "grail" "VEGAS" "prophet" ];
};
nixos = {

9
cluster/services/patroni/simulacrum/test.nix
View file

@ -1,9 +1,8 @@
{ cluster, lib, ... }:
{ cluster, ... }:
let
clusterName = "poseidon";
link = cluster.config.links.patroni-pg-access;
expectedReplicas = (lib.length cluster.config.services.patroni.nodes.worker) - 1;
in
{
defaults = { depot, pkgs, ... }: {
@ -27,7 +26,7 @@ in
def booted(nodes):
return filter(lambda node: node.booted, nodes)
def wait_for_all_nodes_ready(expected_replicas=${toString expectedReplicas}):
def wait_for_all_nodes_ready(expected_replicas=2):
booted_nodes = booted(nodes)
for node in booted_nodes:
node.wait_for_unit("patroni.service")
@ -72,7 +71,7 @@ in
for node in nodes:
node.crash()
wait_for_all_nodes_ready(${toString (expectedReplicas - 1)})
wait_for_all_nodes_ready(1)
# Execute some queries while a node is down.
run_dummy_queries()
@ -108,8 +107,6 @@ in
clients[0].succeed(f"{setEnv} consul kv delete --recurse services/incandescence/providers/patroni/formulae/database/existingdb")
clients[0].succeed(f"{setEnv} consul kv delete --recurse services/incandescence/providers/patroni/formulae/user/existinguser")
for client in clients:
node.systemctl("start locksmith.service")
for node in nodes:
node.systemctl("restart incandescence-patroni.target")
clients[0].succeed("[[ $(psql -h ${link.ipv4} -p ${link.portStr} -U postgres --tuples-only --csv --command=\"SELECT pg_roles.rolname FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_database.datname = 'existingdb'\") == existinguser ]]")

12
cluster/services/sso/host.nix
View file

@ -46,5 +46,15 @@ in
http-relative-path = "/auth";
};
};
systemd.services.keycloak.serviceConfig.TimeoutStartSec = 300;
systemd.services.keycloak.environment = {
JAVA_OPTS = builtins.concatStringsSep " " [
"-javaagent:${depot.packages.opentelemetry-java-agent-bin}"
"-Dotel.resource.attributes=service.name=keycloak"
"-Dotel.traces.exporter=otlp"
];
OTEL_EXPORTER_OTLP_PROTOCOL = "grpc";
OTEL_EXPORTER_OTLP_ENDPOINT = cluster.config.ways.ingest-traces-otlp.url;
OTEL_TRACES_SAMPLER = "parentbased_traceidratio";
OTEL_TRACES_SAMPLER_ARG = "0.50";
};
}

22
cluster/services/ways/host.nix
View file

@ -1,15 +1,11 @@
{ cluster, config, depot, lib, pkgs, ... }:
{ cluster, config, lib, pkgs, ... }:
let
externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways;
byMode = lib.pipe cluster.config.ways [
(lib.attrsToList)
(lib.groupBy (way: way.value.mode))
(lib.mapAttrs (n: v: lib.listToAttrs v))
];
consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
in
{
@ -29,13 +25,7 @@ in
];
locations = lib.mkMerge [
{
"/" = if cfg.mode == "static" then {
root = cfg.static {
inherit depot;
inherit pkgs;
inherit (pkgs) system;
};
} else if cfg.grpc then {
"/" = if cfg.grpc then {
extraConfig = ''
set $nix_proxy_grpc_target ${cfg.target};
grpc_pass $nix_proxy_grpc_target;
@ -57,7 +47,7 @@ in
};
}) cluster.config.ways;
appendHttpConfig = lib.mkIf (byMode.consul != {}) ''
appendHttpConfig = lib.mkIf (consulServiceWays != {}) ''
include /run/consul-template/nginx-ways-*.conf;
'';
};
@ -77,7 +67,7 @@ in
value.distributed.enable = true;
}) externalWays;
services.consul-template.instances.ways = lib.mkIf (byMode.consul != {}) {
services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) {
user = "nginx";
group = "nginx";
settings = {
@ -96,7 +86,7 @@ in
{{ else }}
# upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
{{ end }}
'') byMode.consul;
'') consulServiceWays;
in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
destination = "/run/consul-template/nginx-ways-upstreams.conf";
exec.command = lib.singleton (pkgs.writeShellScript "ways-reload" ''

15
cluster/services/ways/options/way.nix
View file

@ -58,10 +58,6 @@ with lib;
type = types.str;
};
static = mkOption {
type = with types; functionTo (coercedTo package (package: "${package.webroot or package}") str);
};
healthCheckPath = mkOption {
type = types.path;
default = "/.well-known/ways/internal-health-check";
@ -73,10 +69,10 @@ with lib;
default = "https://${name}.${config.domainSuffix}";
};
mode = mkOption {
type = types.enum [ "simple" "consul" "static" ];
useConsul = mkOption {
type = types.bool;
internal = true;
default = "simple";
default = false;
};
nginxUpstreamName = mkOption {
@ -109,15 +105,12 @@ with lib;
config = lib.mkMerge [
(lib.mkIf options.consulService.isDefined {
mode = "consul";
useConsul = true;
nginxUpstreamName = "ways_upstream_${builtins.hashString "md5" options.consulService.value}";
target = "${if config.grpc then "grpc" else "http"}://${options.nginxUpstreamName.value}";
})
(lib.mkIf options.bucket.isDefined {
consulService = "garage-web";
})
(lib.mkIf options.static.isDefined {
mode = "static";
})
];
}

188
flake.lock generated
View file

@ -10,11 +10,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
@ -39,11 +39,11 @@
]
},
"locked": {
"lastModified": 1738524606,
"narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=",
"lastModified": 1730906442,
"narHash": "sha256-tBuyb8jWBSHHgcIrOfiyQJZGY1IviMzH2V74t7gWfgI=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e",
"rev": "d0b66cf897e4d55f03d341562c9821dc4e566e54",
"type": "github"
},
"original": {
@ -117,11 +117,11 @@
]
},
"locked": {
"lastModified": 1735644329,
"narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
"rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
@ -173,11 +173,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -214,11 +214,11 @@
]
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -235,11 +235,11 @@
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"type": "github"
},
"original": {
@ -248,34 +248,18 @@
"type": "github"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": [
"nix-super"
],
"gitignore": [
"nix-super"
],
"nixpkgs": [
"nix-super",
"nixpkgs"
],
"nixpkgs-stable": [
"nix-super",
"nixpkgs"
]
},
"flake-utils": {
"locked": {
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
@ -304,11 +288,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1736919270,
"narHash": "sha256-cGd3JaoHeN7g+qLrvvwR+1RbJ0oTJp3LiHDL3OlJJUg=",
"lastModified": 1723736589,
"narHash": "sha256-/Vdg5ZKtP71ZEKVV6JXlrOEu0CM2Flcs+nwDmWRzgjQ=",
"owner": "hercules-ci",
"repo": "hercules-ci-agent",
"rev": "cae08186393d9736f2b3a5d30b2c7efe5569e337",
"rev": "c303cc8e437c0fd26b9452472e7df5aa374e9177",
"type": "github"
},
"original": {
@ -327,11 +311,11 @@
]
},
"locked": {
"lastModified": 1738237977,
"narHash": "sha256-oJN/yvRL7G0WlR/hTkQIjFbPkzCV+sFnNB/38Tb9RL4=",
"lastModified": 1730903510,
"narHash": "sha256-mnynlrPeiW0nUQ8KGZHb3WyxAxA3Ye/BH8gMjdoKP6E=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"rev": "6d1b6d5d59758b4f5f05745f774fc13cdc59da43",
"rev": "b89ac4d66d618b915b1f0a408e2775fe3821d141",
"type": "github"
},
"original": {
@ -369,11 +353,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1736693502,
"narHash": "sha256-v4pmfHApR11CNLVMko9uqDU3jYFYrNkEYB/5gLf7ubY=",
"lastModified": 1721084841,
"narHash": "sha256-zWajCfHFqPa3Z72DHcxBUq4bmcCu1lpEKUbZZewpYOE=",
"owner": "hyprspace",
"repo": "hyprspace",
"rev": "a5957e485ff0c2e9133e7da5408ec1273681688e",
"rev": "b54fd70812b98994630cfa6aac17ad7c2be9b468",
"type": "github"
},
"original": {
@ -385,16 +369,15 @@
"libgit2": {
"flake": false,
"locked": {
"lastModified": 1715853528,
"narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
"lastModified": 1697646580,
"narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
"owner": "libgit2",
"repo": "libgit2",
"rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
"rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
"type": "github"
},
"original": {
"owner": "libgit2",
"ref": "v1.8.1",
"repo": "libgit2",
"type": "github"
}
@ -451,11 +434,11 @@
},
"nix-filter": {
"locked": {
"lastModified": 1731533336,
"narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
"lastModified": 1730207686,
"narHash": "sha256-SCHiL+1f7q9TAnxpasriP6fMarWE5H43t25F5/9e28I=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
"rev": "776e68c1d014c3adde193a18db9d738458cd2ba4",
"type": "github"
},
"original": {
@ -489,35 +472,36 @@
"inputs": {
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"git-hooks-nix": "git-hooks-nix",
"libgit2": "libgit2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-23-11": [
"blank"
],
"nixpkgs-regression": [
"blank"
]
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1733338937,
"narHash": "sha256-rciw6KIBxnH4utK+7B0bnhexz+hFJ53YE4xAPvPS/SE=",
"rev": "09416ef0230295a5645532874a662a798e14087b",
"type": "tarball",
"url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/09416ef0230295a5645532874a662a798e14087b.tar.gz"
"host": "git.privatevoid.net",
"lastModified": 1713821351,
"narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=",
"owner": "max",
"repo": "nix-super",
"rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031",
"type": "gitlab"
},
"original": {
"type": "tarball",
"url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"
"host": "git.privatevoid.net",
"owner": "max",
"repo": "nix-super",
"type": "gitlab"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1736798957,
"narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
"lastModified": 1719848872,
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"type": "github"
},
"original": {
@ -529,11 +513,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1735834308,
"narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
"lastModified": 1714076141,
"narHash": "sha256-Drmja/f5MRHZCskS6mvzFqxEaZMeciScCTFxWVLqWEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6df24922a1400241dae323af55f30e4318a6ca65",
"rev": "7bb2ccd8cdc44c91edba16c48d2c8f331fb3d856",
"type": "github"
},
"original": {
@ -545,27 +529,27 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1723688146,
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
"lastModified": 1709083642,
"narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
"rev": "b550fe4b4776908ac2a861124307045f8e717c8e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1738758495,
"narHash": "sha256-CZ8T4vP3ag2hwkpSZjatxJb55ouszvmnWw09qxGW9TU=",
"lastModified": 1730785428,
"narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ceaea203f3ae1787b1bd13f021f686391696fc5b",
"rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
"type": "github"
},
"original": {
@ -575,6 +559,38 @@
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": [
"nix-super"
],
"flake-utils": "flake-utils",
"gitignore": [
"nix-super"
],
"nixpkgs": [
"nix-super",
"nixpkgs"
],
"nixpkgs-stable": [
"nix-super",
"nixpkgs"
]
},
"locked": {
"lastModified": 1712897695,
"narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"repin-flake-utils": {
"inputs": {
"systems": [
@ -582,11 +598,11 @@
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {

3
flake.nix
View file

@ -30,10 +30,9 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nix-super = {
url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz";
url = "gitlab:max/nix-super?host=git.privatevoid.net";
inputs = {
nixpkgs-regression.follows = "blank";
nixpkgs-23-11.follows = "blank";
};
};

5
modules/consul-distributed-services/default.nix
View file

@ -45,14 +45,15 @@ in
hasSpecialPrefix = elem (substring 0 1 ExecStart) [ "@" "-" ":" "+" "!" ];
in assert !hasSpecialPrefix; pkgs.writeTextDir "etc/systemd/system/${n}.service.d/distributed.conf" ''
[Unit]
Requires=consul-ready.service
After=consul-ready.service
Requires=consul-ready.target
After=consul-ready.target
[Service]
ExecStartPre=${waitForConsul} 'services/${n}%i'
ExecStart=
ExecStart=${consul}/bin/consul lock --name=${n} --n=${toString cfg.replicas} --shell=false --child-exit-code 'services/${n}%i' ${optionalString (cfg.registerServices != []) runWithRegistration} ${ExecStart}
Environment="CONSUL_HTTP_ADDR=${consulHttpAddr}"
Environment="CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
${optionalString (v.serviceConfig ? RestrictAddressFamilies) "RestrictAddressFamilies=AF_NETLINK"}
${optionalString (cfg.registerServices != []) (lib.concatStringsSep "\n" (map (svc: "ExecStopPost=${svc.commands.deregister}") svcs))}
''))

6
modules/consul-service-registry/default.nix
View file

@ -12,6 +12,7 @@ let
consulRegisterScript = pkgs.writeShellScript "consul-register" ''
export CONSUL_HTTP_ADDR='${consulHttpAddr}'
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
while ! ${consul} services register "$1"; do
sleep 1
done
@ -19,6 +20,7 @@ let
consulDeregisterScript = pkgs.writeShellScript "consul-deregister" ''
export CONSUL_HTTP_ADDR='${consulHttpAddr}'
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
for i in {1..5}; do
if ${consul} services deregister "$1"; then
break
@ -81,8 +83,8 @@ let
}.${mode};
value = {
direct = {
after = [ "consul-ready.service" ];
requires = [ "consul-ready.service" ];
after = [ "consul-ready.target" ];
requires = [ "consul-ready.target" ];
serviceConfig = {
ExecStartPost = register servicesJson;
ExecStopPost = deregister servicesJson;

2
modules/nix-config/server.nix
View file

@ -14,7 +14,7 @@
experimental-features = nix-command flakes cgroups
use-cgroups = true
builders-use-substitutes = true
flake-registry = https://registry.${depot.lib.meta.domain}/flake-registry.json
flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
# For Hercules CI agent
narinfo-cache-negative-ttl = 0

10
modules/nixpkgs-config/default.nix
View file

@ -1,15 +1,9 @@
{ depot, lib, pkgs, ... }:
{ depot, lib, ... }:
{
imports = [
depot.inputs.nixpkgs.nixosModules.readOnlyPkgs
];
options.nixpkgs.system = lib.mkOption {
type = lib.types.str;
default = pkgs.system;
readOnly = true;
};
config.nixpkgs.overlays = lib.mkForce [];
nixpkgs.overlays = lib.mkForce [];
}

1
packages/checks/s3ql-upgrade.nix
View file

@ -56,6 +56,7 @@ testers.runNixOSTest {
machine.succeed("echo HelloWorld > /srv/test/hello/world.txt")
with subtest("should upgrade"):
machine.succeed("systemctl stop remote-storage-test.service")
machine.succeed("/run/current-system/specialisation/upgrade/bin/switch-to-configuration test")
machine.wait_for_unit("remote-storage-test.service")
machine.succeed("systemctl is-active remote-storage-test.service")

34
packages/patched-derivations.nix
View file

@ -2,13 +2,6 @@ let
tools = import ./lib/tools.nix;
pins = import ./sources;
acceptVulnerabilities = drv:
assert drv.meta ? knownVulnerabilities && builtins.length drv.meta.knownVulnerabilities > 0;
drv.overrideAttrs (old: {
meta = old.meta // {
knownVulnerabilities = [];
};
});
in with tools;
super: rec {
acme-dns = patch super.acme-dns "patches/base/acme-dns";
@ -26,7 +19,7 @@ super: rec {
};
jitsi-meet-insecure = let
olm-insecure = acceptVulnerabilities super.olm;
olm-insecure = assert builtins.length super.olm.meta.knownVulnerabilities > 0; super.olm.overrideAttrs (o: { meta = o.meta // { knownVulnerabilities = []; }; });
in super.jitsi-meet.override { olm = olm-insecure; };
jre17_standard = let
@ -57,31 +50,10 @@ super: rec {
prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";
s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: {
s3ql = super.s3ql.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [
super.python3Packages.packaging
super.python3Packages.systemd
];
});
sonarr5 = let
version = "5.0.0.12";
src = super.fetchFromGitHub {
owner = "Sonarr";
repo = "Sonarr";
tag = "v${version}";
hash = "sha256-Pw+dvXNp0kQSwK+y3xZzcDivy45zgpqfZe1OUM8GOqY=";
};
in super.sonarr.override {
buildDotnetModule = args: super.buildDotnetModule (args // {
inherit version src;
nugetDeps = ./servers/sonarr/deps.json;
dotnet-sdk = super.dotnetCorePackages.sdk_8_0;
dotnet-runtime = super.dotnetCorePackages.aspnetcore_8_0;
dotnetFlags = map (builtins.replaceStrings ["net6.0" super.sonarr.version] ["net8.0" version]) args.dotnetFlags;
});
fetchYarnDeps = args: super.fetchYarnDeps (args // {
yarnLock = "${src}/yarn.lock";
hash = "sha256-ckaU3me5fGcOhK0m8BzMWaXc+zPpYyu+GhUHLts9edY=";
});
};
}

1692
packages/servers/sonarr/deps.json
View file

File diff suppressed because it is too large Load diff

28
packages/sources/sources.json
View file

@ -9,10 +9,10 @@
},
"pre_releases": false,
"version_upper_bound": null,
"version": "v4.2.3",
"revision": "a142630ff970e47303fb0aeff0f7cad6f6fbdaf3",
"url": "https://api.github.com/repos/cinnyapp/cinny/tarball/v4.2.3",
"hash": "1dh1kxfkl69l6dmwria60s37qnbip4yz29n3l5jfw4lz218i1186"
"version": "v3.2.0",
"revision": "9ecb233763048c730d24ddacecc8c002d3c8fc89",
"url": "https://api.github.com/repos/cinnyapp/cinny/tarball/v3.2.0",
"hash": "17ndz0x5zws2y533c3wa80mhk0k5n1d4il9agv04aglpd75vn1n0"
},
"excalidraw": {
"type": "Git",
@ -22,9 +22,9 @@
"repo": "excalidraw"
},
"branch": "master",
"revision": "302664e500c7f2ee44a1f107d8f4680c0254305b",
"url": "https://github.com/excalidraw/excalidraw/archive/302664e500c7f2ee44a1f107d8f4680c0254305b.tar.gz",
"hash": "02a9jy73lqgmb8h2zcs37h932gzxg7ky2pvb65wd7kcqrcybpp6n"
"revision": "04668d8263b35bf76f1390b25abeeed4181820f6",
"url": "https://github.com/excalidraw/excalidraw/archive/04668d8263b35bf76f1390b25abeeed4181820f6.tar.gz",
"hash": "10vxvyzx5nw2f0ykw3ng5lh2hiy6nrgpdqiypmcq9caxi6qn7h11"
},
"searxng": {
"type": "Git",
@ -34,9 +34,9 @@
"repo": "searxng"
},
"branch": "master",
"revision": "6324a9752a2b21a1dcb709c7fb643e361189163e",
"url": "https://github.com/searxng/searxng/archive/6324a9752a2b21a1dcb709c7fb643e361189163e.tar.gz",
"hash": "0b2wy613mds5xl5pqizrb8ncbhk1m8xcbnnsycqks1vypyvr00q4"
"revision": "39aaac40d63d53555b7fc12d56f0825c85ecf567",
"url": "https://github.com/searxng/searxng/archive/39aaac40d63d53555b7fc12d56f0825c85ecf567.tar.gz",
"hash": "0bhlh28n7p36v1q67xqmzxz6icm7kqgqxiyz806swfzykp9hfzxg"
},
"stevenblack-hosts": {
"type": "GitRelease",
@ -47,10 +47,10 @@
},
"pre_releases": false,
"version_upper_bound": null,
"version": "3.15.15",
"revision": "a39424667f67c4f9836126fefa2fb25fe83839b6",
"url": "https://api.github.com/repos/StevenBlack/hosts/tarball/3.15.15",
"hash": "0kpha475jsw8fbq2z1mn4m94a6a5skgmkia0q6w8sh8lba30y9y3"
"version": "3.14.82",
"revision": "73ef1823bb9b76d6cbde5d349e82eed0d5dcb4cb",
"url": "https://api.github.com/repos/StevenBlack/hosts/tarball/3.14.82",
"hash": "1f3d1m27xph8canm7ll0c2fbh6gzf4pfqmrbhix1fg2hxz1pwbqm"
}
},
"version": 2

1
packages/system-filter.nix
View file

@ -5,7 +5,6 @@
keycloak = [ "x86_64-linux" ];
prometheus-jitsi-exporter = [ "aarch64-linux" ];
searxng = [ "x86_64-linux" ];
sonarr5 = [ "x86_64-linux" ];
tempo = [ "x86_64-linux" ];
};
}

2
packages/web-apps/cinny/default.nix
View file

@ -11,7 +11,7 @@ let
src = fetchzip {
name = "cinny-tarball-${version}";
url = "https://github.com/${repo.owner}/${repo.repo}/releases/download/${cinny.version}/cinny-${cinny.version}.tar.gz";
sha256 = "sha256-T2XKSR59lZoazTN0boQhBOYZTac/a+K1OZrgeKwsbvU=";
sha256 = "sha256-4mOMVwwoR8NJVD7kikXAEN3kUAoH5hYHz0md0LYX7bo=";
};
buildCommand = ''

2
packages/web-apps/excalidraw/default.nix
View file

@ -27,7 +27,7 @@ let
offlineCache = fetchYarnDeps {
name = "excalidraw-yarn-cache-${builtins.hashString "sha256" (builtins.readFile "${excalidraw}/yarn.lock")}";
yarnLock = src + "/yarn.lock";
hash = "sha256-SthMtDZtGGTVRYYRHIPUbQe8ixZ9XSFMAl35MMN4JHY=";
hash = "sha256-iEk6yh+2sQkm/oucAGj16x/SpKc1WqXYtYTos82R0bQ=";
};
configurePhase = ''

3
packages/web-apps/searxng/default.nix
View file

@ -50,9 +50,6 @@ toPythonModule (buildPythonApplication rec {
fasttext-predict
pybind11
pytomlpp
msgspec
typer
isodate
(callPackage ./deps/chompjs.nix {})
];

34
patches/base/kanidm/unixd-authenticated.patch
View file

@ -1,5 +1,5 @@
diff --git a/unix_integration/resolver/src/idprovider/kanidm.rs b/unix_integration/resolver/src/idprovider/kanidm.rs
index d0a6a8159..7ebc0449d 100644
index 63cedb4d5..35c45fb0e 100644
--- a/unix_integration/resolver/src/idprovider/kanidm.rs
+++ b/unix_integration/resolver/src/idprovider/kanidm.rs
@@ -7,6 +7,7 @@ use kanidm_proto::internal::OperationError;
@ -10,7 +10,7 @@ index d0a6a8159..7ebc0449d 100644
use tokio::sync::{broadcast, Mutex};
use kanidm_lib_crypto::CryptoPolicy;
@@ -39,6 +40,8 @@ struct KanidmProviderInternal {
@@ -38,6 +39,8 @@ struct KanidmProviderInternal {
hmac_key: HmacKey,
crypto_policy: CryptoPolicy,
pam_allow_groups: BTreeSet<String>,
@ -19,7 +19,7 @@ index d0a6a8159..7ebc0449d 100644
}
pub struct KanidmProvider {
@@ -103,6 +106,19 @@ impl KanidmProvider {
@@ -102,6 +105,19 @@ impl KanidmProvider {
.map(|GroupMap { local, with }| (local, Id::Name(with)))
.collect();
@ -39,7 +39,7 @@ index d0a6a8159..7ebc0449d 100644
Ok(KanidmProvider {
inner: Mutex::new(KanidmProviderInternal {
state: CacheState::OfflineNextCheck(now),
@@ -110,6 +126,8 @@ impl KanidmProvider {
@@ -109,6 +125,8 @@ impl KanidmProvider {
hmac_key,
crypto_policy,
pam_allow_groups,
@ -48,16 +48,16 @@ index d0a6a8159..7ebc0449d 100644
}),
map_group,
})
@@ -262,7 +280,11 @@ impl KanidmProviderInternal {
let mut max_attempts = 3;
while max_attempts > 0 {
max_attempts -= 1;
- match self.client.auth_anonymous().await {
+ let auth_method = match (&self.auth_name, &self.auth_password) {
+ (Some(name), Some(password)) => self.client.auth_simple_password(name, password).await,
+ _ => self.client.auth_anonymous().await
+ };
+ match auth_method {
Ok(_uat) => {
debug!("provider is now online");
self.state = CacheState::Online;
@@ -256,7 +274,11 @@ impl KanidmProviderInternal {
}
async fn attempt_online(&mut self, _tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
- match self.client.auth_anonymous().await {
+ let auth_method = match (&self.auth_name, &self.auth_password) {
+ (Some(name), Some(password)) => self.client.auth_simple_password(name, password).await,
+ _ => self.client.auth_anonymous().await
+ };
+ match auth_method {
Ok(_uat) => {
self.state = CacheState::Online;
true

13
patches/base/s3ql/metadata-accurate-length.patch
View file

@ -1,13 +0,0 @@
diff --git a/src/s3ql/database.py b/src/s3ql/database.py
index 1c6df119..f3a47781 100644
--- a/src/s3ql/database.py
+++ b/src/s3ql/database.py
@@ -677,7 +677,7 @@ def upload_metadata(
)
obj = METADATA_OBJ_NAME % (blockno, params.seq_no)
fh.seek(blockno * blocksize)
- backend.write_fh(obj, fh, len_=blocksize)
+ backend.write_fh(obj, fh, len_=min(blocksize, db_size - blockno * blocksize))
if not update_params:
return

7
secrets.nix
View file

@ -16,6 +16,13 @@ in with hosts;
"cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
"cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
"secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
"secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
"secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];

BIN
secrets/gitlab-db-credentials.age Normal file
View file

Binary file not shown.

12
secrets/gitlab-initial-root-password.age Normal file
View file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
-> AOy-grease dju$ xL|5Hh q(A
h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
øÜ™j‡râ|ˆ>˜º<CB9C>QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9á´é éÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j`6<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì

11
secrets/gitlab-openid-secret.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
-> hD-grease q%QV%; &/
jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
AWeûۨ˯e¤ c[ ÖÌ 3mÁíyÍΈÐñè6½ g{7rd€_Ê7ØWPö©':ð¢uË ùá¨N

BIN
secrets/gitlab-secret-db.age Normal file
View file

Binary file not shown.

BIN
secrets/gitlab-secret-jws.age Normal file
View file

Binary file not shown.

14
secrets/gitlab-secret-otp.age Normal file
View file

@ -0,0 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
-> Q-grease KJL\,Pw& c!aOPX
C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
@#
Q)F:ÀŽ¤¶GÍû # 󺡤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷@Z/o™~I€
œ[ô°¼POÂ'vüše^ø,…?¢»Òo¼¸]1WƒËFòJëÄ™Ññ¨ôBý&y¼ yŸìVv_<E28098> %ûÇ<C3BB>«'

BIN
secrets/gitlab-secret-secret.age Normal file
View file

Binary file not shown.