Compare commits
8 commits
master
...
pr-consul-
Author | SHA1 | Date | |
---|---|---|---|
ca8d7cbe30 | |||
feb0b2a40a | |||
5704e358e0 | |||
9c260fd0f7 | |||
fe50d53c91 | |||
1db4170226 | |||
994554bafd | |||
297f5d2584 |
27 changed files with 340 additions and 160 deletions
|
@ -28,6 +28,35 @@ in
|
|||
bootstrap_expect = builtins.length cfg.nodes.agent;
|
||||
addresses.http = config.links.consulAgent.ipv4;
|
||||
ports.http = config.links.consulAgent.port;
|
||||
acl = {
|
||||
enabled = true;
|
||||
default_policy = "deny";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
consul.serviceConfig.Type = "notify";
|
||||
consul-load-smt = {
|
||||
wantedBy = [ "consul.service" ];
|
||||
after = [ "consul.service" ];
|
||||
environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
|
||||
path = [
|
||||
config.services.consul.package
|
||||
];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
while ! test -e /run/locksmith/consul-systemManagementToken; do
|
||||
echo Waiting for System Management Token
|
||||
systemctl start locksmith.service
|
||||
sleep 5
|
||||
done
|
||||
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
|
||||
consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
|
65
cluster/services/consul/bootstrap.nix
Normal file
65
cluster/services/consul/bootstrap.nix
Normal file
|
@ -0,0 +1,65 @@
|
|||
{ cluster, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
sentinelFile = "/var/lib/consul/nixos-acl-bootstrapped";
|
||||
bootstrapTokenFile = "/run/keys/consul-bootstrap-token";
|
||||
bootstrapConfig = "consul-bootstrap-config.json";
|
||||
writeRules = rules: pkgs.writeText "consul-policy.json" (builtins.toJSON rules);
|
||||
in
|
||||
|
||||
{
|
||||
systemd.services = {
|
||||
consul-acl-bootstrap = {
|
||||
requires = [ "consul.service" ];
|
||||
after = [ "consul.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
unitConfig.ConditionPathExists = "!${sentinelFile}";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
PrivateTmp = true;
|
||||
};
|
||||
environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
|
||||
path = [
|
||||
config.services.consul.package
|
||||
pkgs.jq
|
||||
];
|
||||
script = ''
|
||||
umask 77
|
||||
if consul acl bootstrap --format=json > ${bootstrapConfig}; then
|
||||
echo Bootstrapping:
|
||||
jq -r .SecretID < ${bootstrapConfig} > ${bootstrapTokenFile}
|
||||
export CONSUL_HTTP_TOKEN_FILE=${bootstrapTokenFile}
|
||||
consul acl policy create --name operator-read --description "Read-only operator actions" --rules @${writeRules { operator = "read"; }}
|
||||
consul acl policy create --name smt-read --description "Allow reading the encrypted system management token" --rules @${writeRules { key_prefix."secrets/locksmith/consul-systemManagementToken/".policy = "read"; }}
|
||||
consul acl token update --id 00000000-0000-0000-0000-000000000002 --append-policy-name operator-read --append-policy-name smt-read
|
||||
else
|
||||
echo Bootstrap is already in progress elsewhere.
|
||||
touch ${sentinelFile}
|
||||
fi
|
||||
'';
|
||||
};
|
||||
locksmith-provider-consul = {
|
||||
unitConfig.ConditionPathExists = bootstrapTokenFile;
|
||||
distributed.enable = lib.mkForce false;
|
||||
environment = {
|
||||
CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
|
||||
CONSUL_HTTP_TOKEN_FILE = bootstrapTokenFile;
|
||||
};
|
||||
postStop = ''
|
||||
rm -f ${bootstrapTokenFile}
|
||||
touch ${sentinelFile}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.locksmith.providers.consul = {
|
||||
wantedBy = [ "consul-acl-bootstrap.service" ];
|
||||
after = [ "consul-acl-bootstrap.service" ];
|
||||
secrets.systemManagementToken = {
|
||||
nodes = cluster.config.services.consul.nodes.agent;
|
||||
checkUpdate = "test -e ${bootstrapTokenFile}";
|
||||
command = "cat ${bootstrapTokenFile}";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -14,6 +14,7 @@ in
|
|||
nodes = {
|
||||
agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
|
||||
ready = config.services.consul.nodes.agent;
|
||||
bootstrap = [ "grail" "VEGAS" ];
|
||||
};
|
||||
nixos = {
|
||||
agent = [
|
||||
|
@ -21,10 +22,11 @@ in
|
|||
./remote-api.nix
|
||||
];
|
||||
ready = ./ready.nix;
|
||||
bootstrap = ./bootstrap.nix;
|
||||
};
|
||||
simulacrum = {
|
||||
enable = true;
|
||||
deps = [ "wireguard" ];
|
||||
deps = [ "wireguard" "locksmith" ];
|
||||
settings = ./test.nix;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -51,4 +51,9 @@ in
|
|||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.targets.consul-ready = {
|
||||
description = "Consul is Ready";
|
||||
requires = [ "consul-ready.service" ] ++ lib.optional config.services.consul.enable "consul-load-smt.service";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };
|
||||
|
||||
testScript = ''
|
||||
import json
|
||||
|
||||
|
@ -11,12 +7,12 @@
|
|||
with subtest("should form cluster"):
|
||||
nodes = [ n for n in machines if n != nowhere ]
|
||||
for machine in nodes:
|
||||
machine.succeed("systemctl start consul-ready.service")
|
||||
machine.succeed("systemctl start consul-ready.target")
|
||||
for machine in nodes:
|
||||
consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
|
||||
addr = consulConfig["addresses"]["http"]
|
||||
port = consulConfig["ports"]["http"]
|
||||
setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
|
||||
setEnv = f"CONSUL_HTTP_ADDR={addr}:{port} CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
|
||||
memberList = machine.succeed(f"{setEnv} consul members --status=alive")
|
||||
for machine2 in nodes:
|
||||
assert machine2.name in memberList
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
ways.registry.static = { depot, pkgs, ... }: pkgs.writeTextDir "flake-registry.json" (let
|
||||
flakes = {
|
||||
depot = {
|
||||
type = "tarball";
|
||||
url = "https://forge.${depot.lib.meta.domain}/${depot.lib.meta.domain}/depot/archive/master.tar.gz";
|
||||
};
|
||||
depot-nixpkgs = {
|
||||
type = "github";
|
||||
owner = "NixOS";
|
||||
repo = "nixpkgs";
|
||||
inherit (depot.inputs.nixpkgs.sourceInfo) rev narHash lastModified;
|
||||
};
|
||||
blank = {
|
||||
type = "github";
|
||||
owner = "divnix";
|
||||
repo = "blank";
|
||||
inherit (depot.inputs.blank.sourceInfo) rev narHash lastModified;
|
||||
};
|
||||
} // import ./extra-flakes.nix;
|
||||
in builtins.toJSON {
|
||||
version = 2;
|
||||
flakes = lib.pipe flakes [
|
||||
(lib.attrsToList)
|
||||
(map (f: {
|
||||
from = {
|
||||
type = "indirect";
|
||||
id = f.name;
|
||||
};
|
||||
to = f.value;
|
||||
}))
|
||||
];
|
||||
});
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
let
|
||||
github = owner: repo: {
|
||||
type = "github";
|
||||
inherit owner repo;
|
||||
};
|
||||
in {
|
||||
# own
|
||||
hyprspace = github "hyprspace" "hyprspace";
|
||||
ai = github "nixified-ai" "flake";
|
||||
nix-super = github "privatevoid-net" "nix-super";
|
||||
nixpak = github "nixpak" "nixpak";
|
||||
|
||||
# other
|
||||
nix = github "NixOS" "nix";
|
||||
flake-parts = github "hercules-ci" "flake-parts";
|
||||
home-manager = github "nix-community" "home-manager";
|
||||
dream2nix = github "nix-community" "dream2nix";
|
||||
}
|
10
cluster/services/gitlab/default.nix
Normal file
10
cluster/services/gitlab/default.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ depot, ... }:
|
||||
|
||||
{
|
||||
services.gitlab = {
|
||||
nodes.host = [ "VEGAS" ];
|
||||
nixos.host = ./host.nix;
|
||||
};
|
||||
|
||||
dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
|
||||
}
|
94
cluster/services/gitlab/host.nix
Normal file
94
cluster/services/gitlab/host.nix
Normal file
|
@ -0,0 +1,94 @@
|
|||
{ cluster, config, lib, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (depot.lib.meta) domain adminEmail;
|
||||
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
|
||||
mkSecret = name: {
|
||||
owner = "gitlab";
|
||||
group = "gitlab";
|
||||
mode = "0400";
|
||||
file = ../../../secrets/${name}.age;
|
||||
};
|
||||
|
||||
secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
|
||||
|
||||
cfg = config.services.gitlab;
|
||||
in
|
||||
|
||||
{
|
||||
age.secrets = lib.flip lib.genAttrs mkSecret [
|
||||
"gitlab-db-credentials"
|
||||
"gitlab-initial-root-password"
|
||||
"gitlab-openid-secret"
|
||||
"gitlab-secret-db"
|
||||
"gitlab-secret-jws"
|
||||
"gitlab-secret-otp"
|
||||
"gitlab-secret-secret"
|
||||
];
|
||||
|
||||
services.gitlab = {
|
||||
enable = true;
|
||||
https = true;
|
||||
host = "git.${domain}";
|
||||
port = 443;
|
||||
|
||||
databaseCreateLocally = false;
|
||||
databaseHost = patroni.ipv4;
|
||||
extraDatabaseConfig = { inherit (patroni) port; };
|
||||
databaseUsername = "gitlab";
|
||||
databasePasswordFile = secrets.gitlab-db-credentials;
|
||||
|
||||
initialRootEmail = adminEmail;
|
||||
|
||||
statePath = "/srv/storage/private/gitlab/state";
|
||||
|
||||
smtp = {
|
||||
enable = true;
|
||||
inherit domain;
|
||||
};
|
||||
|
||||
initialRootPasswordFile = secrets.gitlab-initial-root-password;
|
||||
|
||||
secrets = with secrets; {
|
||||
dbFile = gitlab-secret-db;
|
||||
jwsFile = gitlab-secret-jws;
|
||||
otpFile = gitlab-secret-otp;
|
||||
secretFile = gitlab-secret-secret;
|
||||
};
|
||||
|
||||
extraConfig = {
|
||||
omniauth = {
|
||||
enabled = true;
|
||||
auto_sign_in_with_provider = "openid_connect";
|
||||
allow_single_sign_on = ["openid_connect"];
|
||||
block_auto_created_users = false;
|
||||
providers = [
|
||||
|
||||
{
|
||||
name = "openid_connect";
|
||||
label = "Private Void Account";
|
||||
args = {
|
||||
name = "openid_connect";
|
||||
scope = ["openid" "profile"];
|
||||
response_type = "code";
|
||||
issuer = "https://login.${domain}/auth/realms/master";
|
||||
discovery = true;
|
||||
client_auth_method = "query";
|
||||
uid_field = "preferred_username";
|
||||
client_options = {
|
||||
identifier = "net.privatevoid.git2";
|
||||
secret = { _secret = secrets.gitlab-openid-secret; };
|
||||
redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
}
|
|
@ -18,7 +18,7 @@ in
|
|||
};
|
||||
};
|
||||
services.nextcloud = {
|
||||
package = pkgs.nextcloud30;
|
||||
package = pkgs.nextcloud29;
|
||||
enable = true;
|
||||
https = true;
|
||||
hostName = "storage.${depot.lib.meta.domain}";
|
||||
|
|
|
@ -1,15 +1,11 @@
|
|||
{ cluster, config, depot, lib, pkgs, ... }:
|
||||
{ cluster, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
|
||||
|
||||
internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways;
|
||||
|
||||
byMode = lib.pipe cluster.config.ways [
|
||||
(lib.attrsToList)
|
||||
(lib.groupBy (way: way.value.mode))
|
||||
(lib.mapAttrs (n: v: lib.listToAttrs v))
|
||||
];
|
||||
consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -29,13 +25,7 @@ in
|
|||
];
|
||||
locations = lib.mkMerge [
|
||||
{
|
||||
"/" = if cfg.mode == "static" then {
|
||||
root = cfg.static {
|
||||
inherit depot;
|
||||
inherit pkgs;
|
||||
inherit (pkgs) system;
|
||||
};
|
||||
} else if cfg.grpc then {
|
||||
"/" = if cfg.grpc then {
|
||||
extraConfig = ''
|
||||
set $nix_proxy_grpc_target ${cfg.target};
|
||||
grpc_pass $nix_proxy_grpc_target;
|
||||
|
@ -57,7 +47,7 @@ in
|
|||
};
|
||||
}) cluster.config.ways;
|
||||
|
||||
appendHttpConfig = lib.mkIf (byMode.consul != {}) ''
|
||||
appendHttpConfig = lib.mkIf (consulServiceWays != {}) ''
|
||||
include /run/consul-template/nginx-ways-*.conf;
|
||||
'';
|
||||
};
|
||||
|
@ -77,7 +67,7 @@ in
|
|||
value.distributed.enable = true;
|
||||
}) externalWays;
|
||||
|
||||
services.consul-template.instances.ways = lib.mkIf (byMode.consul != {}) {
|
||||
services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) {
|
||||
user = "nginx";
|
||||
group = "nginx";
|
||||
settings = {
|
||||
|
@ -96,7 +86,7 @@ in
|
|||
{{ else }}
|
||||
# upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
|
||||
{{ end }}
|
||||
'') byMode.consul;
|
||||
'') consulServiceWays;
|
||||
in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
|
||||
destination = "/run/consul-template/nginx-ways-upstreams.conf";
|
||||
exec.command = lib.singleton (pkgs.writeShellScript "ways-reload" ''
|
||||
|
|
|
@ -58,10 +58,6 @@ with lib;
|
|||
type = types.str;
|
||||
};
|
||||
|
||||
static = mkOption {
|
||||
type = with types; functionTo (coercedTo package (package: "${package.webroot or package}") str);
|
||||
};
|
||||
|
||||
healthCheckPath = mkOption {
|
||||
type = types.path;
|
||||
default = "/.well-known/ways/internal-health-check";
|
||||
|
@ -73,10 +69,10 @@ with lib;
|
|||
default = "https://${name}.${config.domainSuffix}";
|
||||
};
|
||||
|
||||
mode = mkOption {
|
||||
type = types.enum [ "simple" "consul" "static" ];
|
||||
useConsul = mkOption {
|
||||
type = types.bool;
|
||||
internal = true;
|
||||
default = "simple";
|
||||
default = false;
|
||||
};
|
||||
|
||||
nginxUpstreamName = mkOption {
|
||||
|
@ -109,15 +105,12 @@ with lib;
|
|||
|
||||
config = lib.mkMerge [
|
||||
(lib.mkIf options.consulService.isDefined {
|
||||
mode = "consul";
|
||||
useConsul = true;
|
||||
nginxUpstreamName = "ways_upstream_${builtins.hashString "md5" options.consulService.value}";
|
||||
target = "${if config.grpc then "grpc" else "http"}://${options.nginxUpstreamName.value}";
|
||||
})
|
||||
(lib.mkIf options.bucket.isDefined {
|
||||
consulService = "garage-web";
|
||||
})
|
||||
(lib.mkIf options.static.isDefined {
|
||||
mode = "static";
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
116
flake.lock
116
flake.lock
|
@ -173,11 +173,11 @@
|
|||
"flake-compat_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"lastModified": 1673956053,
|
||||
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -235,11 +235,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719994518,
|
||||
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
|
||||
"lastModified": 1712014858,
|
||||
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
|
||||
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -248,34 +248,18 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"git-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"nix-super"
|
||||
],
|
||||
"gitignore": [
|
||||
"nix-super"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1721042469,
|
||||
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
|
||||
"lastModified": 1667395993,
|
||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
|
@ -385,16 +369,15 @@
|
|||
"libgit2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1715853528,
|
||||
"narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
|
||||
"lastModified": 1697646580,
|
||||
"narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
|
||||
"owner": "libgit2",
|
||||
"repo": "libgit2",
|
||||
"rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
|
||||
"rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "libgit2",
|
||||
"ref": "v1.8.1",
|
||||
"repo": "libgit2",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -489,26 +472,27 @@
|
|||
"inputs": {
|
||||
"flake-compat": "flake-compat_2",
|
||||
"flake-parts": "flake-parts_3",
|
||||
"git-hooks-nix": "git-hooks-nix",
|
||||
"libgit2": "libgit2",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-23-11": [
|
||||
"blank"
|
||||
],
|
||||
"nixpkgs-regression": [
|
||||
"blank"
|
||||
]
|
||||
],
|
||||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1731271232,
|
||||
"narHash": "sha256-HSNUAfhtG/A2hnrzPMT3asZZ2Wb3dAmedOr1VzptOCg=",
|
||||
"rev": "1eb19dd804a83d99c497118af8ab781eee569c65",
|
||||
"type": "tarball",
|
||||
"url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/1eb19dd804a83d99c497118af8ab781eee569c65.tar.gz"
|
||||
"host": "git.privatevoid.net",
|
||||
"lastModified": 1713821351,
|
||||
"narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=",
|
||||
"owner": "max",
|
||||
"repo": "nix-super",
|
||||
"rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"
|
||||
"host": "git.privatevoid.net",
|
||||
"owner": "max",
|
||||
"repo": "nix-super",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
|
@ -545,16 +529,16 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1723688146,
|
||||
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
|
||||
"lastModified": 1709083642,
|
||||
"narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
|
||||
"rev": "b550fe4b4776908ac2a861124307045f8e717c8e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-24.05",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -575,6 +559,38 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit-hooks": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"nix-super"
|
||||
],
|
||||
"flake-utils": "flake-utils",
|
||||
"gitignore": [
|
||||
"nix-super"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712897695,
|
||||
"narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"repin-flake-utils": {
|
||||
"inputs": {
|
||||
"systems": [
|
||||
|
|
|
@ -30,10 +30,9 @@
|
|||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||
|
||||
nix-super = {
|
||||
url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz";
|
||||
url = "gitlab:max/nix-super?host=git.privatevoid.net";
|
||||
inputs = {
|
||||
nixpkgs-regression.follows = "blank";
|
||||
nixpkgs-23-11.follows = "blank";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -45,14 +45,15 @@ in
|
|||
hasSpecialPrefix = elem (substring 0 1 ExecStart) [ "@" "-" ":" "+" "!" ];
|
||||
in assert !hasSpecialPrefix; pkgs.writeTextDir "etc/systemd/system/${n}.service.d/distributed.conf" ''
|
||||
[Unit]
|
||||
Requires=consul-ready.service
|
||||
After=consul-ready.service
|
||||
Requires=consul-ready.target
|
||||
After=consul-ready.target
|
||||
|
||||
[Service]
|
||||
ExecStartPre=${waitForConsul} 'services/${n}%i'
|
||||
ExecStart=
|
||||
ExecStart=${consul}/bin/consul lock --name=${n} --n=${toString cfg.replicas} --shell=false --child-exit-code 'services/${n}%i' ${optionalString (cfg.registerServices != []) runWithRegistration} ${ExecStart}
|
||||
Environment="CONSUL_HTTP_ADDR=${consulHttpAddr}"
|
||||
Environment="CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
|
||||
${optionalString (v.serviceConfig ? RestrictAddressFamilies) "RestrictAddressFamilies=AF_NETLINK"}
|
||||
${optionalString (cfg.registerServices != []) (lib.concatStringsSep "\n" (map (svc: "ExecStopPost=${svc.commands.deregister}") svcs))}
|
||||
''))
|
||||
|
|
|
@ -12,6 +12,7 @@ let
|
|||
|
||||
consulRegisterScript = pkgs.writeShellScript "consul-register" ''
|
||||
export CONSUL_HTTP_ADDR='${consulHttpAddr}'
|
||||
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
|
||||
while ! ${consul} services register "$1"; do
|
||||
sleep 1
|
||||
done
|
||||
|
@ -19,6 +20,7 @@ let
|
|||
|
||||
consulDeregisterScript = pkgs.writeShellScript "consul-deregister" ''
|
||||
export CONSUL_HTTP_ADDR='${consulHttpAddr}'
|
||||
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
|
||||
for i in {1..5}; do
|
||||
if ${consul} services deregister "$1"; then
|
||||
break
|
||||
|
@ -81,8 +83,8 @@ let
|
|||
}.${mode};
|
||||
value = {
|
||||
direct = {
|
||||
after = [ "consul-ready.service" ];
|
||||
requires = [ "consul-ready.service" ];
|
||||
after = [ "consul-ready.target" ];
|
||||
requires = [ "consul-ready.target" ];
|
||||
serviceConfig = {
|
||||
ExecStartPost = register servicesJson;
|
||||
ExecStopPost = deregister servicesJson;
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
experimental-features = nix-command flakes cgroups
|
||||
use-cgroups = true
|
||||
builders-use-substitutes = true
|
||||
flake-registry = https://registry.${depot.lib.meta.domain}/flake-registry.json
|
||||
flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
|
||||
|
||||
# For Hercules CI agent
|
||||
narinfo-cache-negative-ttl = 0
|
||||
|
|
|
@ -50,8 +50,9 @@ super: rec {
|
|||
|
||||
prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";
|
||||
|
||||
s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: {
|
||||
s3ql = super.s3ql.overrideAttrs (old: {
|
||||
propagatedBuildInputs = old.propagatedBuildInputs ++ [
|
||||
super.python3Packages.packaging
|
||||
super.python3Packages.systemd
|
||||
];
|
||||
});
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
diff --git a/src/s3ql/database.py b/src/s3ql/database.py
|
||||
index 1c6df119..f3a47781 100644
|
||||
--- a/src/s3ql/database.py
|
||||
+++ b/src/s3ql/database.py
|
||||
@@ -677,7 +677,7 @@ def upload_metadata(
|
||||
)
|
||||
obj = METADATA_OBJ_NAME % (blockno, params.seq_no)
|
||||
fh.seek(blockno * blocksize)
|
||||
- backend.write_fh(obj, fh, len_=blocksize)
|
||||
+ backend.write_fh(obj, fh, len_=min(blocksize, db_size - blockno * blocksize))
|
||||
|
||||
if not update_params:
|
||||
return
|
|
@ -16,6 +16,13 @@ in with hosts;
|
|||
"cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
|
||||
"cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
|
||||
"secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
|
||||
"secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
|
||||
"secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
|
||||
|
|
BIN
secrets/gitlab-db-credentials.age
Normal file
BIN
secrets/gitlab-db-credentials.age
Normal file
Binary file not shown.
12
secrets/gitlab-initial-root-password.age
Normal file
12
secrets/gitlab-initial-root-password.age
Normal file
|
@ -0,0 +1,12 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
|
||||
ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
|
||||
-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
|
||||
w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
|
||||
-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
|
||||
fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
|
||||
-> AOy-grease dju$ xL|5Hh q(A
|
||||
h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
|
||||
Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
|
||||
--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
|
||||
øÜ™‹j‡>ü‘râ|ˆ>˜º<CB9C>–QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9áLš´ééÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j’`›6›<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì
|
11
secrets/gitlab-openid-secret.age
Normal file
11
secrets/gitlab-openid-secret.age
Normal file
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
|
||||
ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
|
||||
-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
|
||||
pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
|
||||
-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
|
||||
4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
|
||||
-> hD-grease q%QV%; &/
|
||||
jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
|
||||
--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
|
||||
AWeûۨ˯e¤ c[ ÖÌ3mÁíyÍΈÐñè6½
g{7›rd€_Ê7ØWPö©':ð¢uË›ùá¨N
|
BIN
secrets/gitlab-secret-db.age
Normal file
BIN
secrets/gitlab-secret-db.age
Normal file
Binary file not shown.
BIN
secrets/gitlab-secret-jws.age
Normal file
BIN
secrets/gitlab-secret-jws.age
Normal file
Binary file not shown.
14
secrets/gitlab-secret-otp.age
Normal file
14
secrets/gitlab-secret-otp.age
Normal file
|
@ -0,0 +1,14 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
|
||||
J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
|
||||
-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
|
||||
yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
|
||||
-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
|
||||
7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
|
||||
-> Q-grease KJL\,Pw& c!aOPX
|
||||
C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
|
||||
xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
|
||||
--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
|
||||
@#
|
||||
Q)F:ÀŽ¤¶GÍû #ógÒº¡¤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷›@Z/o™~I€
|
||||
œ[ô°¼PO’Â'vüše^ø,…?¢»Òo¼¸MÆ]1WƒËFò‹JëÄ™Ññ¨ôBý&y¼
yŸìVv‘_<E28098> %‹ûÇ<C3BB>«'
|
BIN
secrets/gitlab-secret-secret.age
Normal file
BIN
secrets/gitlab-secret-secret.age
Normal file
Binary file not shown.
Loading…
Reference in a new issue