modules/consul-distributed-services: wait for consul-ready.target, use system management token

cluster/services/consul/agent.nix

@@ -28,6 +28,35 @@ in
       bootstrap_expect = builtins.length cfg.nodes.agent;
       addresses.http = config.links.consulAgent.ipv4;
       ports.http = config.links.consulAgent.port;
+      acl = {
+        enabled = true;
+        default_policy = "deny";
+      };
+    };
+  };
+
+  systemd.services = {
+    consul.serviceConfig.Type = "notify";
+    consul-load-smt = {
+      wantedBy = [ "consul.service" ];
+      after = [ "consul.service" ];
+      environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
+      path = [
+        config.services.consul.package
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        while ! test -e /run/locksmith/consul-systemManagementToken; do
+          echo Waiting for System Management Token
+          systemctl start locksmith.service
+          sleep 5
+        done
+        export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
+        consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
+      '';
     };
   };
 

cluster/services/consul/bootstrap.nix

@@ -0,0 +1,65 @@
+{ cluster, config, lib, pkgs, ... }:
+
+let
+  sentinelFile = "/var/lib/consul/nixos-acl-bootstrapped";
+  bootstrapTokenFile = "/run/keys/consul-bootstrap-token";
+  bootstrapConfig = "consul-bootstrap-config.json";
+  writeRules = rules: pkgs.writeText "consul-policy.json" (builtins.toJSON rules);
+in
+
+{
+  systemd.services = {
+    consul-acl-bootstrap = {
+      requires = [ "consul.service" ];
+      after = [ "consul.service" ];
+      wantedBy = [ "multi-user.target" ];
+  
+      unitConfig.ConditionPathExists = "!${sentinelFile}";
+      serviceConfig = {
+        Type = "oneshot";
+        PrivateTmp = true;
+      };
+      environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
+      path = [
+        config.services.consul.package
+        pkgs.jq
+      ];
+      script = ''
+        umask 77
+        if consul acl bootstrap --format=json > ${bootstrapConfig}; then
+          echo Bootstrapping:
+          jq -r .SecretID < ${bootstrapConfig} > ${bootstrapTokenFile}
+          export CONSUL_HTTP_TOKEN_FILE=${bootstrapTokenFile}
+          consul acl policy create --name operator-read --description "Read-only operator actions" --rules @${writeRules { operator = "read"; }}
+          consul acl policy create --name smt-read --description "Allow reading the encrypted system management token" --rules @${writeRules { key_prefix."secrets/locksmith/consul-systemManagementToken/".policy = "read"; }}
+          consul acl token update --id 00000000-0000-0000-0000-000000000002 --append-policy-name operator-read --append-policy-name smt-read
+        else
+          echo Bootstrap is already in progress elsewhere.
+          touch ${sentinelFile}
+        fi
+      '';
+    };
+    locksmith-provider-consul = {
+      unitConfig.ConditionPathExists = bootstrapTokenFile;
+      distributed.enable = lib.mkForce false;
+      environment = {
+        CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
+        CONSUL_HTTP_TOKEN_FILE = bootstrapTokenFile;
+      };
+      postStop = ''
+        rm -f ${bootstrapTokenFile}
+        touch ${sentinelFile}
+      '';
+    };
+  };
+
+  services.locksmith.providers.consul = {
+    wantedBy = [ "consul-acl-bootstrap.service" ];
+    after = [ "consul-acl-bootstrap.service" ];
+    secrets.systemManagementToken = {
+      nodes = cluster.config.services.consul.nodes.agent;
+      checkUpdate = "test -e ${bootstrapTokenFile}";
+      command = "cat ${bootstrapTokenFile}";
+    };
+  };
+}

cluster/services/consul/default.nix

@@ -14,6 +14,7 @@ in
     nodes = {
       agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
       ready = config.services.consul.nodes.agent;
+      bootstrap = [ "grail" "VEGAS" ];
     };
     nixos = {
       agent = [
@@ -21,10 +22,11 @@ in
         ./remote-api.nix
       ];
       ready = ./ready.nix;
+      bootstrap = ./bootstrap.nix;
     };
     simulacrum = {
       enable = true;
-      deps = [ "wireguard" ];
+      deps = [ "wireguard" "locksmith" ];
       settings = ./test.nix;
     };
   };

cluster/services/consul/ready.nix

@@ -51,4 +51,9 @@ in
       Type = "oneshot";
     };
   };
+
+  systemd.targets.consul-ready = {
+    description = "Consul is Ready";
+    requires = [ "consul-ready.service" ] ++ lib.optional config.services.consul.enable "consul-load-smt.service";
+  };
 }

cluster/services/consul/test.nix

@@ -1,8 +1,4 @@
-{ lib, ... }:
-
 {
-  defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };
-
   testScript = ''
     import json
 
@@ -11,12 +7,12 @@
     with subtest("should form cluster"):
       nodes = [ n for n in machines if n != nowhere ]
       for machine in nodes:
-        machine.succeed("systemctl start consul-ready.service")
+        machine.succeed("systemctl start consul-ready.target")
       for machine in nodes:
         consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
         addr = consulConfig["addresses"]["http"]
         port = consulConfig["ports"]["http"]
-        setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
+        setEnv = f"CONSUL_HTTP_ADDR={addr}:{port} CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
         memberList = machine.succeed(f"{setEnv} consul members --status=alive")
         for machine2 in nodes:
           assert machine2.name in memberList

cluster/services/flake-reegistry/default.nix

@@ -1,36 +0,0 @@
-{ lib, ... }:
-
-{
-  ways.registry.static = { depot, pkgs, ... }: pkgs.writeTextDir "flake-registry.json" (let
-    flakes = {
-      depot = {
-        type = "tarball";
-        url = "https://forge.${depot.lib.meta.domain}/${depot.lib.meta.domain}/depot/archive/master.tar.gz";
-      };
-      depot-nixpkgs = {
-        type = "github";
-        owner = "NixOS";
-        repo = "nixpkgs";
-        inherit (depot.inputs.nixpkgs.sourceInfo) rev narHash lastModified;
-      };
-      blank = {
-        type = "github";
-        owner = "divnix";
-        repo = "blank";
-        inherit (depot.inputs.blank.sourceInfo) rev narHash lastModified;
-      };
-    } // import ./extra-flakes.nix;
-  in builtins.toJSON {
-    version = 2;
-    flakes = lib.pipe flakes [
-      (lib.attrsToList)
-      (map (f: {
-        from = {
-          type = "indirect";
-          id = f.name;
-        };
-        to = f.value;
-      }))
-    ];
-  });
-}

cluster/services/flake-reegistry/extra-flakes.nix

@@ -1,18 +0,0 @@
-let
-  github = owner: repo: {
-    type = "github";
-    inherit owner repo;
-  };
-in {
-  # own 
-  hyprspace = github "hyprspace" "hyprspace";
-  ai = github "nixified-ai" "flake";
-  nix-super = github "privatevoid-net" "nix-super";
-  nixpak = github "nixpak" "nixpak";
-
-  # other
-  nix = github "NixOS" "nix";
-  flake-parts = github "hercules-ci" "flake-parts";
-  home-manager = github "nix-community" "home-manager";
-  dream2nix = github "nix-community" "dream2nix";
-}

cluster/services/gitlab/default.nix

@@ -0,0 +1,10 @@
+{ depot, ... }:
+
+{
+  services.gitlab = {
+    nodes.host = [ "VEGAS" ];
+    nixos.host = ./host.nix;
+  };
+
+  dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
+}

cluster/services/gitlab/host.nix

@@ -0,0 +1,94 @@
+{ cluster, config, lib, depot, ... }:
+
+let
+  inherit (depot.lib.meta) domain adminEmail;
+
+  patroni = cluster.config.links.patroni-pg-access;
+
+  mkSecret = name: {
+    owner = "gitlab";
+    group = "gitlab";
+    mode = "0400";
+    file = ../../../secrets/${name}.age;
+  };
+
+  secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
+
+  cfg = config.services.gitlab;
+in
+
+{
+  age.secrets = lib.flip lib.genAttrs mkSecret [
+    "gitlab-db-credentials"
+    "gitlab-initial-root-password"
+    "gitlab-openid-secret"
+    "gitlab-secret-db"
+    "gitlab-secret-jws"
+    "gitlab-secret-otp"
+    "gitlab-secret-secret"
+  ];
+
+  services.gitlab = {
+    enable = true;
+    https = true;
+    host = "git.${domain}";
+    port = 443;
+
+    databaseCreateLocally = false;
+    databaseHost = patroni.ipv4;
+    extraDatabaseConfig = { inherit (patroni) port; };
+    databaseUsername = "gitlab";
+    databasePasswordFile = secrets.gitlab-db-credentials;
+
+    initialRootEmail = adminEmail;
+
+    statePath = "/srv/storage/private/gitlab/state";
+
+    smtp = {
+      enable = true;
+      inherit domain;
+    };
+
+    initialRootPasswordFile = secrets.gitlab-initial-root-password;
+
+    secrets = with secrets; {
+      dbFile = gitlab-secret-db;
+      jwsFile = gitlab-secret-jws;
+      otpFile = gitlab-secret-otp;
+      secretFile = gitlab-secret-secret;
+    };
+
+    extraConfig = {
+      omniauth = {
+        enabled = true;
+        auto_sign_in_with_provider = "openid_connect";
+        allow_single_sign_on = ["openid_connect"];
+        block_auto_created_users = false;
+        providers = [
+
+          {
+            name = "openid_connect";
+            label = "Private Void Account";
+            args = {
+              name = "openid_connect";
+              scope = ["openid" "profile"];
+              response_type = "code";
+              issuer = "https://login.${domain}/auth/realms/master";
+              discovery = true;
+              client_auth_method = "query";
+              uid_field = "preferred_username";
+              client_options = {
+                identifier = "net.privatevoid.git2";
+                secret = { _secret = secrets.gitlab-openid-secret; };
+                redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
+              };
+            };
+          }
+          
+        ];
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
+}

cluster/services/nextcloud/host.nix

@@ -18,7 +18,7 @@ in
     };
   };
   services.nextcloud = {
-    package = pkgs.nextcloud30;
+    package = pkgs.nextcloud29;
     enable = true;
     https = true;
     hostName = "storage.${depot.lib.meta.domain}";

cluster/services/ways/host.nix

@@ -1,15 +1,11 @@
-{ cluster, config, depot, lib, pkgs, ... }:
+{ cluster, config, lib, pkgs, ... }:
 
 let
   externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
 
   internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways;
 
-  byMode = lib.pipe cluster.config.ways [
+  consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
-    (lib.attrsToList)
-    (lib.groupBy (way: way.value.mode))
-    (lib.mapAttrs (n: v: lib.listToAttrs v))
-  ];
 in
 
 {
@@ -29,13 +25,7 @@ in
             ];
             locations = lib.mkMerge [
               {
-                "/" = if cfg.mode == "static" then {
+                "/" = if cfg.grpc then {
-                  root = cfg.static {
-                    inherit depot;
-                    inherit pkgs;
-                    inherit (pkgs) system;
-                  };
-                } else if cfg.grpc then {
                   extraConfig = ''
                     set $nix_proxy_grpc_target ${cfg.target};
                     grpc_pass $nix_proxy_grpc_target;
@@ -57,7 +47,7 @@ in
       };
     }) cluster.config.ways;
 
-    appendHttpConfig = lib.mkIf (byMode.consul != {}) ''
+    appendHttpConfig = lib.mkIf (consulServiceWays != {}) ''
       include /run/consul-template/nginx-ways-*.conf;
     '';
   };
@@ -77,7 +67,7 @@ in
     value.distributed.enable = true;
   }) externalWays;
 
-  services.consul-template.instances.ways = lib.mkIf (byMode.consul != {}) {
+  services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) {
     user = "nginx";
     group = "nginx";
     settings = {
@@ -96,7 +86,7 @@ in
               {{ else }}
               # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
               {{ end }}
-            '') byMode.consul;
+            '') consulServiceWays;
           in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
           destination = "/run/consul-template/nginx-ways-upstreams.conf";
           exec.command = lib.singleton (pkgs.writeShellScript "ways-reload" ''

cluster/services/ways/options/way.nix

@@ -58,10 +58,6 @@ with lib;
       type = types.str;
     };
 
-    static = mkOption {
-      type = with types; functionTo (coercedTo package (package: "${package.webroot or package}") str);
-    };
-
     healthCheckPath = mkOption {
       type = types.path;
       default = "/.well-known/ways/internal-health-check";
@@ -73,10 +69,10 @@ with lib;
       default = "https://${name}.${config.domainSuffix}";
     };
 
-    mode = mkOption {
+    useConsul = mkOption {
-      type = types.enum [ "simple" "consul" "static" ];
+      type = types.bool;
       internal = true;
-      default = "simple";
+      default = false;
     };
 
     nginxUpstreamName = mkOption {
@@ -109,15 +105,12 @@ with lib;
 
   config = lib.mkMerge [
     (lib.mkIf options.consulService.isDefined {
-      mode = "consul";
+      useConsul = true;
       nginxUpstreamName = "ways_upstream_${builtins.hashString "md5" options.consulService.value}";
       target = "${if config.grpc then "grpc" else "http"}://${options.nginxUpstreamName.value}";
     })
     (lib.mkIf options.bucket.isDefined {
       consulService = "garage-web";
     })
-    (lib.mkIf options.static.isDefined {
-      mode = "static";
-    })
   ];
 }

flake.lock

@@ -173,11 +173,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1673956053,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
         "type": "github"
       },
       "original": {
@@ -235,11 +235,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719994518,
+        "lastModified": 1712014858,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
         "type": "github"
       },
       "original": {
@@ -248,34 +248,18 @@
         "type": "github"
       }
     },
-    "git-hooks-nix": {
+    "flake-utils": {
-      "inputs": {
-        "flake-compat": [
-          "nix-super"
-        ],
-        "gitignore": [
-          "nix-super"
-        ],
-        "nixpkgs": [
-          "nix-super",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nix-super",
-          "nixpkgs"
-        ]
-      },
       "locked": {
-        "lastModified": 1721042469,
+        "lastModified": 1667395993,
-        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "cachix",
+        "owner": "numtide",
-        "repo": "git-hooks.nix",
+        "repo": "flake-utils",
-        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
         "type": "github"
       },
       "original": {
-        "owner": "cachix",
+        "owner": "numtide",
-        "repo": "git-hooks.nix",
+        "repo": "flake-utils",
         "type": "github"
       }
     },
@@ -385,16 +369,15 @@
     "libgit2": {
       "flake": false,
       "locked": {
-        "lastModified": 1715853528,
+        "lastModified": 1697646580,
-        "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
+        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
         "owner": "libgit2",
         "repo": "libgit2",
-        "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
+        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
         "type": "github"
       },
       "original": {
         "owner": "libgit2",
-        "ref": "v1.8.1",
         "repo": "libgit2",
         "type": "github"
       }
@@ -489,26 +472,27 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts_3",
-        "git-hooks-nix": "git-hooks-nix",
         "libgit2": "libgit2",
         "nixpkgs": "nixpkgs_3",
-        "nixpkgs-23-11": [
-          "blank"
-        ],
         "nixpkgs-regression": [
           "blank"
-        ]
+        ],
+        "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1731271232,
+        "host": "git.privatevoid.net",
-        "narHash": "sha256-HSNUAfhtG/A2hnrzPMT3asZZ2Wb3dAmedOr1VzptOCg=",
+        "lastModified": 1713821351,
-        "rev": "1eb19dd804a83d99c497118af8ab781eee569c65",
+        "narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=",
-        "type": "tarball",
+        "owner": "max",
-        "url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/1eb19dd804a83d99c497118af8ab781eee569c65.tar.gz"
+        "repo": "nix-super",
+        "rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031",
+        "type": "gitlab"
       },
       "original": {
-        "type": "tarball",
+        "host": "git.privatevoid.net",
-        "url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"
+        "owner": "max",
+        "repo": "nix-super",
+        "type": "gitlab"
       }
     },
     "nixpkgs": {
@@ -545,16 +529,16 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1723688146,
+        "lastModified": 1709083642,
-        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
+        "narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
+        "rev": "b550fe4b4776908ac2a861124307045f8e717c8e",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -575,6 +559,38 @@
         "type": "github"
       }
     },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "nix-super"
+        ],
+        "flake-utils": "flake-utils",
+        "gitignore": [
+          "nix-super"
+        ],
+        "nixpkgs": [
+          "nix-super",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nix-super",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712897695,
+        "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "repin-flake-utils": {
       "inputs": {
         "systems": [

flake.nix

@@ -30,10 +30,9 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     nix-super = {
-      url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz";
+      url = "gitlab:max/nix-super?host=git.privatevoid.net";
       inputs = {
         nixpkgs-regression.follows = "blank";
-        nixpkgs-23-11.follows = "blank";
       };
     };
 

modules/consul-distributed-services/default.nix

@@ -45,14 +45,15 @@ in
       hasSpecialPrefix = elem (substring 0 1 ExecStart) [ "@" "-" ":" "+" "!" ];
     in assert !hasSpecialPrefix; pkgs.writeTextDir "etc/systemd/system/${n}.service.d/distributed.conf" ''
       [Unit]
-      Requires=consul-ready.service
+      Requires=consul-ready.target
-      After=consul-ready.service
+      After=consul-ready.target
 
       [Service]
       ExecStartPre=${waitForConsul} 'services/${n}%i'
       ExecStart=
       ExecStart=${consul}/bin/consul lock --name=${n} --n=${toString cfg.replicas} --shell=false --child-exit-code 'services/${n}%i' ${optionalString (cfg.registerServices != []) runWithRegistration} ${ExecStart}
       Environment="CONSUL_HTTP_ADDR=${consulHttpAddr}"
+      Environment="CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
       ${optionalString (v.serviceConfig ? RestrictAddressFamilies) "RestrictAddressFamilies=AF_NETLINK"}
       ${optionalString (cfg.registerServices != []) (lib.concatStringsSep "\n" (map (svc: "ExecStopPost=${svc.commands.deregister}") svcs))}
     ''))

modules/consul-service-registry/default.nix

@@ -12,6 +12,7 @@ let
 
   consulRegisterScript = pkgs.writeShellScript "consul-register" ''
     export CONSUL_HTTP_ADDR='${consulHttpAddr}'
+    export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
     while ! ${consul} services register "$1"; do
       sleep 1
     done
@@ -19,6 +20,7 @@ let
 
   consulDeregisterScript = pkgs.writeShellScript "consul-deregister" ''
     export CONSUL_HTTP_ADDR='${consulHttpAddr}'
+    export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
     for i in {1..5}; do
       if ${consul} services deregister "$1"; then
         break
@@ -81,8 +83,8 @@ let
     }.${mode};
     value = {
       direct = {
-        after = [ "consul-ready.service" ];
+        after = [ "consul-ready.target" ];
-        requires = [ "consul-ready.service" ];
+        requires = [ "consul-ready.target" ];
         serviceConfig = {
           ExecStartPost = register servicesJson;
           ExecStopPost = deregister servicesJson;

modules/nix-config/server.nix

@@ -14,7 +14,7 @@
       experimental-features = nix-command flakes cgroups
       use-cgroups = true
       builders-use-substitutes = true
-      flake-registry = https://registry.${depot.lib.meta.domain}/flake-registry.json
+      flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
       
       # For Hercules CI agent
       narinfo-cache-negative-ttl = 0

packages/patched-derivations.nix

@@ -50,8 +50,9 @@ super: rec {
 
   prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";
 
-  s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: {
+  s3ql = super.s3ql.overrideAttrs (old: {
     propagatedBuildInputs = old.propagatedBuildInputs ++ [
+      super.python3Packages.packaging
       super.python3Packages.systemd
     ];
   });

patches/base/s3ql/metadata-accurate-length.patch

@@ -1,13 +0,0 @@
-diff --git a/src/s3ql/database.py b/src/s3ql/database.py
-index 1c6df119..f3a47781 100644
---- a/src/s3ql/database.py
-+++ b/src/s3ql/database.py
-@@ -677,7 +677,7 @@ def upload_metadata(
-             )
-             obj = METADATA_OBJ_NAME % (blockno, params.seq_no)
-             fh.seek(blockno * blocksize)
--            backend.write_fh(obj, fh, len_=blocksize)
-+            backend.write_fh(obj, fh, len_=min(blocksize, db_size - blockno * blocksize))
- 
-         if not update_params:
-             return

secrets.nix

@@ -16,6 +16,13 @@ in with hosts;
   "cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
   "cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
   "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
   "secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];

secrets/gitlab-initial-root-password.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
+ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
+-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
+w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
+-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
+fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
+-> AOy-grease dju$ xL|5Hh q(A
+h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
+Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
+--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
+øÜ™‹j‡>ü‘râ|ˆ>˜º<CB9C>–QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9áLš´ééÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j’`›6›<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì

secrets/gitlab-openid-secret.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
+ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
+-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
+pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
+-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
+4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
+-> hD-grease q%QV%; &/
+jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
+--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
+AWeûÛ
¨Ë¯e¤	c[ ÖÌ3mÁíyÍΈÐñè6½
g{7›rd€_Ê7ØWPö©':ð¢uË›ùá¨N

secrets/gitlab-secret-otp.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
+J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
+-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
+yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
+-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
+7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
+-> Q-grease KJL\,Pw& c!aOPX
+C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
+xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
+--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
+@# 
+Q)F:ÀŽ¤¶GÍû	#ógÒº¡¤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷›@Z/o™~I€
+œ[ô°¼PO’Â'vüše^ø,…?¢»Òo¼¸MÆ
]1
W
ƒËFò‹JëÄ™Ññ¨ôBý&y¼
yŸìVv‘_<E28098> %‹ûÇ<C3BB>«'