Compare commits


646 commits

Author SHA1 Message Date
66788cff0c Merge pull request 'Flake Registry' (#122) from pr-flake-registry into master
Reviewed-on: #122
2024-11-13 11:57:57 +02:00
Max
0d95f7488d modules/nix-config: use new registry 2024-11-12 13:07:37 +01:00
Max
0bf8a8e97c cluster/services/flake-registry: init 2024-11-12 13:06:17 +01:00
Max
9179fa9cce cluster/services/ways: support static targets 2024-11-12 11:27:27 +01:00
Max
7d94ffda85 cluster/services/nextcloud: nextcloud29 -> nextcloud30 2024-11-10 14:18:20 +01:00
Max
42627235d1 cluster/services/idm: fix rssh 2024-11-10 13:07:33 +01:00
Max
886ddd9a1a cluster/services/attic: enable @resources syscall group 2024-11-10 04:15:28 +01:00
hercules-ci[bot]
15af41e3c4
Merge pull request #114 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-11-09 22:36:14 +00:00
Max
e92e710ff3 cluster/services/storage: depend on ways in simulacrum 2024-11-09 19:24:01 +01:00
Max
d16dd6de7b cluster/services/ways: only reload nginx if actually running 2024-11-09 19:24:01 +01:00
Max
05b584c748 packages: shadow jitsi-meet with jitsi-meet-insecure 2024-11-09 19:24:01 +01:00
Max
3cbb9c5d55 packages/jitsi-meet-insecure: init 2024-11-09 19:24:01 +01:00
Max
726491e780 fixup! packages/kanidm: update unixd-authenticated.patch 2024-11-09 19:24:01 +01:00
Max
ad7de0d455 cluster/services/attic: services.atticd.credentialsFile -> services.atticd.environmentFile 2024-11-09 19:24:01 +01:00
Max
b4dc1daee1 checks/keycloak: proxy -> proxy-headers 2024-11-09 19:24:01 +01:00
Max
64a21084a6 packages/kanidm: update unixd-authenticated.patch 2024-11-09 19:24:01 +01:00
Max
7b87ff4ee8 cluster/services/attic: use module from nixpkgs 2024-11-09 19:24:01 +01:00
Max
0f453dc64f cluster/services/sso: proxy -> proxy-headers 2024-11-09 19:24:01 +01:00
Max
b7fee02359 packages/s3ql: unpatch 2024-11-09 19:24:01 +01:00
Max
93c19ef735 meta: remove flake-utils follow for attic 2024-11-09 19:24:01 +01:00
Max
0226b22444 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/3f1dae074a12feb7327b4bf43cbac0d124488bb7?narHash=sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU%3D' (2024-07-30)
  → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41?narHash=sha256-b%2Buqzj%2BWa6xgMS9aNbX4I%2BsXeb5biPDi39VgvSFqFvU%3D' (2024-08-10)
• Updated input 'attic':
    'github:zhaofengli/attic/e127acbf9a71ebc0c26bc8e28346822e0a6e16ba?narHash=sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8%3D' (2024-08-01)
  → 'github:zhaofengli/attic/d0b66cf897e4d55f03d341562c9821dc4e566e54?narHash=sha256-tBuyb8jWBSHHgcIrOfiyQJZGY1IviMzH2V74t7gWfgI%3D' (2024-11-06)
• Updated input 'attic/crane':
    'github:ipetkov/crane/480dff0be03dac0e51a8dfc26e882b0d123a450e?narHash=sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8%3D' (2024-05-29)
  → 'github:ipetkov/crane/4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4?narHash=sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y%3D' (2024-08-06)
• Added input 'attic/flake-parts':
    'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d?narHash=sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC%2Bx4%3D' (2024-08-01)
• Added input 'attic/flake-parts/nixpkgs-lib':
    follows 'attic/nixpkgs'
• Removed input 'attic/flake-utils'
• Added input 'attic/nix-github-actions':
    'github:nix-community/nix-github-actions/e04df33f62cdcf93d73e9a04142464753a16db67?narHash=sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9%2BBV1h%2BMpA%3D' (2024-10-24)
• Added input 'attic/nix-github-actions/nixpkgs':
    follows 'attic/nixpkgs'
• Updated input 'devshell':
    'github:numtide/devshell/67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae?narHash=sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw%3D' (2024-07-27)
  → 'github:numtide/devshell/dd6b80932022cea34a019e2bb32f6fa9e494dfef?narHash=sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg%3D' (2024-10-07)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d?narHash=sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC%2Bx4%3D' (2024-08-01)
  → 'github:hercules-ci/flake-parts/506278e768c2a08bec68eb62932193e341f55c90?narHash=sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS%2Bb4tfNFCwE%3D' (2024-11-01)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/2e10fb21fc2e07edf40763b73443e5934bd40947?narHash=sha256-QDbU8LZzcUSqBp1CBqDj/f5Wd/sdgQ8pZwRWueoMUL4%3D' (2024-07-05)
  → 'github:hercules-ci/hercules-ci-agent/c303cc8e437c0fd26b9452472e7df5aa374e9177?narHash=sha256-/Vdg5ZKtP71ZEKVV6JXlrOEu0CM2Flcs%2BnwDmWRzgjQ%3D' (2024-08-15)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/11e4b8dc112e2f485d7c97e1cee77f9958f498f5?narHash=sha256-YNkUMcCUCpnULp40g%2BsvYsaH1RbSEj6s4WdZY/SHe38%3D' (2024-06-24)
  → 'github:hercules-ci/hercules-ci-effects/b89ac4d66d618b915b1f0a408e2775fe3821d141?narHash=sha256-mnynlrPeiW0nUQ8KGZHb3WyxAxA3Ye/BH8gMjdoKP6E%3D' (2024-11-06)
• Updated input 'nar-serve':
    'github:numtide/nar-serve/9d0eff868d328fe67c60c26c8ba50e0b9d8de867?narHash=sha256-8QuMS00EutmqzAIPxyJEPxM8EHiWlSKs6E2Htoh3Kes%3D' (2024-07-31)
  → 'github:numtide/nar-serve/e5c749a444f2d14f381c75ef3a8feaa82c333b92?narHash=sha256-5Zrn72PO9yBaNO4Gd5uOsEmRpYH5rVAFKOQ5h2PxyhU%3D' (2024-09-06)
• Updated input 'nix-filter':
    'github:numtide/nix-filter/3342559a24e85fc164b295c3444e8a139924675b?narHash=sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj%2BrL8sRQsSM%3D' (2024-03-11)
  → 'github:numtide/nix-filter/776e68c1d014c3adde193a18db9d738458cd2ba4?narHash=sha256-SCHiL%2B1f7q9TAnxpasriP6fMarWE5H43t25F5/9e28I%3D' (2024-10-29)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/f2d6c7123138044e0c68902268bd8f37dd7e2fa7?narHash=sha256-g4L%2BI8rDl7RQy5x8XcEMqNO49LFhrHTzVBqXtG2%2BFGo%3D' (2024-08-01)
  → 'github:NixOS/nixpkgs/4aa36568d413aca0ea84a1684d2d46f55dbabad7?narHash=sha256-Zwl8YgTVJTEum%2BL%2B0zVAWvXAGbWAuXHax3KzuejaDyo%3D' (2024-11-05)
• Updated input 'repin-flake-utils':
    'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a?narHash=sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ%3D' (2024-03-11)
  → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a?narHash=sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ%3D' (2024-09-17)
2024-11-09 19:24:01 +01:00
Max
aa46d46d9d cluster/services/sso: use patroni incandescence 2024-08-28 17:01:41 +02:00
Max
272b4ddd01 cluster/services/acme-client: fix typo
thank you, Big Hyuge
2024-08-24 13:18:11 +02:00
Max
da0b09b993 cluster/services/idm: enable online backups 2024-08-23 16:05:52 +02:00
Max
ce4087d6d1 cluster/services/attic: use more distinct consul service IDs 2024-08-23 03:36:19 +02:00
Max
91816529fd cluster/services/storage: use alias_service for garage-web's health check 2024-08-23 03:11:54 +02:00
Max
db3abe717d cluster/services/ipfs: explicitly specify port in tempo address 2024-08-23 03:07:17 +02:00
Max
8a44287c36 cluster/services/sso: use correct tempo address 2024-08-23 02:50:48 +02:00
Max
e1b53161c3 cluster/services/ipfs: use correct tempo address 2024-08-23 02:50:43 +02:00
Max
9063ecb5f4 cluster/services/monitoring: make tempo HA 2024-08-23 02:50:18 +02:00
Max
25bd410599 cluster/services/ways: support gRPC 2024-08-23 02:50:01 +02:00
Max
06041f8498 modules/consul-distributed-services: support registering multiple services 2024-08-23 02:49:42 +02:00
Max
94d678b93b modules/systemd-extras: distributed: support registering multiple services 2024-08-23 02:49:23 +02:00
Max
f55a60d0bb cluster: restructure meshLinks 2024-08-23 01:06:38 +02:00
Max
4713febf4b cluster/services/monitoring: add ingest-logs endpoint 2024-08-23 00:32:44 +02:00
Max
6f32855cb7 cluster/services/monitoring: display storage info on postgres dashboard 2024-08-21 01:28:31 +02:00
Max
fdcec6f812 cluster/services/forge: define db 2024-08-17 00:41:41 +02:00
Max
c2319e4ce6 devShells/default: remove hci 2024-08-17 00:40:29 +02:00
Max
1c38f23093 packages/hci: drop 2024-08-17 00:40:29 +02:00
5269b1f638 Merge pull request 'The Simulacrum: Stage 6' (#114) from pr-simulacrum-stage-6 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/114
2024-08-17 01:13:16 +03:00
Max
51cf6dabc2 cluster/services/consul: stub locksmith options in test 2024-08-16 23:54:23 +02:00
Max
81fafdfd04 cluster/services/wireguard: stub locksmith options in test 2024-08-16 23:54:23 +02:00
Max
dfec17da62 checks/s3ql-upgrade: stub locksmith options 2024-08-16 23:54:23 +02:00
Max
ad65ad500e cluster/services/storage: define snakeoil passphrase for heresy, ensure encryption 2024-08-16 23:54:23 +02:00
Max
9272c555bc modules/external-storage: implement detectFs for s3c4 2024-08-16 23:54:23 +02:00
Max
46f04058f9 cluster/services/storage: use locksmith secrets for external storage 2024-08-16 23:54:23 +02:00
Max
f3039ec402 checks/garage: drop 2024-08-16 23:54:23 +02:00
Max
7287fcb5db cluster/services/storage: test in simulacrum 2024-08-16 23:54:23 +02:00
Max
59ff96697d cluster/services/storage: use incandescence 2024-08-16 23:54:23 +02:00
Max
1a7efa6732 modules/external-storage: support locksmith secrets 2024-08-16 21:58:22 +02:00
Max
e53f766f9d cluster/services/storage: implement s3ql key format 2024-08-16 21:58:22 +02:00
81e4ae46e6 Merge pull request 'The Simulacrum: Stage 5' (#113) from pr-simulacrum-stage-5 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/113
2024-08-16 20:54:11 +03:00
Max
f4f35c3ae3 cluster/services/ways: test in simulacrum 2024-08-16 19:27:07 +02:00
Max
af2808833a cluster/services/hercules-ci-multi-agent: use forService 2024-08-16 15:26:13 +02:00
Max
8dcd4f39e1 cluster/services/monitoring: use forService 2024-08-16 15:26:13 +02:00
Max
77d92b7c1f cluster/services/forge: use forService 2024-08-16 15:26:13 +02:00
Max
55b60f30d6 cluster/services/attic: use forService 2024-08-16 15:26:13 +02:00
5a68c052a9 Merge pull request 'The Simulacrum: Stage 4' (#112) from pr-simulacrum-stage-4 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/112
2024-08-16 03:37:48 +03:00
Max
f5b085a074 cluster/services/dns: test in simulacrum 2024-08-16 02:29:00 +02:00
Max
e0d513be30 cluster/services/dns: never reload coredns 2024-08-16 02:27:58 +02:00
Max
79478c44ed cluster/services/acme-client: implement augment for external ACME services 2024-08-16 02:27:58 +02:00
Max
d9317cd69a cluster/services/dns: use patroni incandescence 2024-08-16 02:27:58 +02:00
Max
1e2b63a290 cluster/services/patroni: keep at least 2GB of WAL 2024-08-15 23:16:22 +02:00
Max
5257d4e70b cluster/services/patroni: test takeovers 2024-08-15 01:07:22 +02:00
Max
c5a8cfe852 cluster/services/patroni: take over existing databases and users 2024-08-15 01:07:18 +02:00
Max
340383f160 cluster/services/incandescence: destroy without waiting for change 2024-08-14 19:38:49 +02:00
Max
76f08600af cluster/services/incandescence: don't try to filter destruction if no objects declared 2024-08-14 19:20:22 +02:00
8d7d178d9d Merge pull request 'The Simulacrum: Stage 3' (#110) from pr-simulacrum-stage-3 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/110
2024-08-14 18:59:06 +03:00
Max
ff0744f600 cluster/services/patroni: enable synchronous mode 2024-08-14 17:35:49 +02:00
Max
a61f97cccf cluster/services/patroni: wait for consul 2024-08-14 17:35:49 +02:00
Max
2a45b0b8e9 checks/patroni: drop 2024-08-14 17:35:49 +02:00
Max
ca4564f25d cluster/services/patroni: test in simulacrum 2024-08-14 17:35:49 +02:00
Max
c57976a299 cluster/services/patroni: add simulacrum deps 2024-08-14 16:12:12 +02:00
Max
e87a1b23e9 cluster/services/locksmith: add simulacrum deps 2024-08-14 16:12:12 +02:00
Max
fe89d1d3c3 cluster/services/chant: add simulacrum deps 2024-08-14 16:12:10 +02:00
Max
204d3f77eb cluster/services/patroni: implement incandescence provider for databases and users 2024-08-14 16:12:10 +02:00
Max
3b1e82b33f cluster/services/locksmith: only run secret generation command once 2024-08-14 16:12:10 +02:00
Max
c92f1c5ed8 cluster/services/locksmith: support skipping secret updates 2024-08-14 16:12:10 +02:00
54ba01d8cd Merge pull request 'Incandescence' (#111) from pr-incandescence into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/111
2024-08-14 17:11:27 +03:00
Max
d015c77ffa cluster/services/incandescence: test in simulacrum 2024-08-14 16:00:35 +02:00
Max
d1c0e9d7f9 cluster/services/incandescence: add base layout for ascensions 2024-08-14 14:54:35 +02:00
Max
4f6ea4eb8c cluster/services/incandescence: init 2024-08-14 14:54:35 +02:00
69a6e1a577 Merge pull request 'The Simulacrum: Stage 2' (#109) from pr-simulacrum-stage-2 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/109
2024-08-14 00:34:12 +03:00
Max
6943166a2c modules/system-info: drop 2024-08-13 22:15:21 +02:00
Max
f097de64c7 cluster/services/consul: test in simulacrum 2024-08-13 22:15:20 +02:00
cb92fb49f2 Merge pull request 'The Simulacrum: Stage 1' (#108) from pr-simulacrum-stage-1 into master
Reviewed-on: https://forge.privatevoid.net///privatevoid.net/depot/pulls/108
2024-08-13 22:06:49 +03:00
Max
a54f20d779 modules/motd: use fixed rev 2024-08-13 20:59:43 +02:00
Max
a10f8c18ee cluster/services/wireguard: test in simulacrum 2024-08-13 20:43:39 +02:00
Max
e2ebdd097e cluster/simulacrum: recursive service deps 2024-08-13 20:43:39 +02:00
Max
f37fed0ebb cluster/simulacrum: implement nowhere, fix networking 2024-08-13 20:43:39 +02:00
Max
c1720ec30d packages/catalog: expose simulacrum checks differently 2024-08-13 18:52:59 +02:00
Max
4b76b6ed47 cluster/simulacrum: expose checks 2024-08-13 18:52:59 +02:00
Max
62fbeb02c0 cluster/lib: implement config.lib.forService for better option filtering 2024-08-13 18:52:59 +02:00
Max
f140de7a1a cluster/simulacrum: set testConfig 2024-08-13 18:52:59 +02:00
Max
fa0d6f046b cluster/lib: introduce testConfig 2024-08-13 18:52:59 +02:00
Max
40fd5c4be9 cluster/services/wireguard: make simulacrum compatible 2024-08-13 18:52:59 +02:00
Max
da9b933bb8 cluster/simulacrum: init 2024-08-13 18:52:59 +02:00
Max
b28898c3ae cluster/lib: implement simulacrum options 2024-08-13 18:52:59 +02:00
Max
532a569c66 cluster/lib: implement injectNixosConfigForServices to select individual services 2024-08-13 18:52:59 +02:00
Max
55866c153d checks: add fake external storage module 2024-08-13 18:52:59 +02:00
Max
80bf651812 checks: add snakeoil ssh key 2024-08-13 18:52:53 +02:00
Max
df14a9a513 cluster/services/nginx: move acme config 2024-08-12 02:53:15 +02:00
Max
d59abfb678 cluster/services/acme-client: move acme config, wait for authoritative DNS to work 2024-08-12 02:53:15 +02:00
Max
a285c57d5b cluster/services/ways: don't render empty upstream blocks 2024-08-12 02:53:15 +02:00
Max
415fd7f076 lib/nginx: use dynamic proxy targets in proxyGhost 2024-08-12 02:53:15 +02:00
Max
e347273e5b packages/catalog: don't use meta.description 2024-08-03 01:55:32 +02:00
Max
7ca4cead09 cluster/services/monitoring: make loki HA 2024-08-03 00:56:13 +02:00
Max
201f07efc3 cluster/services/monitoring: use locksmith for loki 2024-08-03 00:37:06 +02:00
Max
9f158f15a4 cluster/services/monitoring: run loki over ways 2024-08-03 00:12:15 +02:00
Max
549cbdb6c8 cluster/services/ways: expose url 2024-08-03 00:11:46 +02:00
Max
e81aad5619 cluster/services/ways: support internal services properly 2024-08-02 23:56:16 +02:00
Max
5d26d45916 cluster/services/attic: make HA 2024-08-02 22:46:45 +02:00
Max
1fe6324c37 cluster/services/patroni: run haproxy on grail 2024-08-02 22:46:27 +02:00
Max
341be59cec cluster/services/nginx: use proper resolvers 2024-08-02 22:46:05 +02:00
Max
064f306f10 cluster/services/irc: pkgs.kanidm -> config.services.kanidm.package 2024-08-02 12:51:05 +02:00
Max
5b429dd356 cluster/services/idm: pkgs.kanidm -> config.services.kanidm.package 2024-08-02 12:50:42 +02:00
Max
2b4df99bf8 packages: unshadow kanidm 2024-08-02 12:42:26 +02:00
Max
827ca9bbb8 packages/npins: cargoSha256 -> cargoHash 2024-08-02 12:41:19 +02:00
hercules-ci[bot]
9076ac4fc8
Merge pull request #112 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-08-02 02:51:57 +00:00
Hercules CI Effects
9bb1275587 flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/9227223f6d922fee3c7b190b2cc238a99527bbb7' (2024-07-03)
  → 'github:hercules-ci/flake-parts/8471fe90ad337a8074e957b69ca4d0089218391d' (2024-08-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/43c433f2931b803dbe7853e0438ea0744ee48574' (2024-08-01)
  → 'github:NixOS/nixpkgs/f2d6c7123138044e0c68902268bd8f37dd7e2fa7' (2024-08-01)
2024-08-02 02:20:49 +00:00
Max
9f61cea276
Merge pull request #111 from privatevoid-net/pr-flake-update
flake.lock: Update
2024-08-02 01:25:05 +02:00
Max
a21a003aea packages/s3ql: remove ssl monkeypatch (backport from 5.2.1) 2024-08-02 01:09:54 +02:00
Max
ace350216e meta: remove unnecessary follows 2024-08-01 22:52:20 +02:00
Max
fc628796a9 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/3a56735779db467538fb2e577eda28a9daacaca6?narHash=sha256-abpBi61mg0g%2BlFFU0zY4C6oP6fBwPzbHPKBGw676xsA%3D' (2024-06-14)
  → 'github:ryantm/agenix/3f1dae074a12feb7327b4bf43cbac0d124488bb7?narHash=sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU%3D' (2024-07-30)
• Updated input 'attic':
    'github:zhaofengli/attic/717cc95983cdc357bc347d70be20ced21f935843?narHash=sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk%3D' (2024-06-01)
  → 'github:zhaofengli/attic/e127acbf9a71ebc0c26bc8e28346822e0a6e16ba?narHash=sha256-GJIz4M5HDB948Ex/8cPvbkrNzl/eKUE7/c21JBu4lb8%3D' (2024-08-01)
• Updated input 'devshell':
    'github:numtide/devshell/1ebbe68d57457c8cae98145410b164b5477761f4?narHash=sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY%3D' (2024-06-03)
  → 'github:numtide/devshell/67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae?narHash=sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw%3D' (2024-07-27)
• Removed input 'devshell/flake-utils'
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/c37b2ada2dd001bc4be6771bcdea680b0b93fb94?narHash=sha256-p6cC%2B0/c6GCBPtBkSnaOrhwLWl%2BuyoWYl/dReg%2Bjcsk%3D' (2024-06-26)
  → 'github:hercules-ci/hercules-ci-agent/2e10fb21fc2e07edf40763b73443e5934bd40947?narHash=sha256-QDbU8LZzcUSqBp1CBqDj/f5Wd/sdgQ8pZwRWueoMUL4%3D' (2024-07-05)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/2893f56de08021cffd9b6b6dfc70fd9ccd51eb60?narHash=sha256-ECni%2BIkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko%3D' (2024-06-24)
  → 'github:NixOS/nixpkgs/00d80d13810dbfea8ab4ed1009b09100cca86ba8?narHash=sha256-H3%2BEC5cYuq%2BgQW8y0lSrrDZfH71LB4DAf%2BTDFyvwCNA%3D' (2024-07-01)
• Updated input 'hyprspace':
    'github:hyprspace/hyprspace/76a3f73a42c2f9bbeb4c56afa4b30a98a283b79f?narHash=sha256-WqIRfqqQwcSrJNPVRxbvCG6uZvKNuPruBL85VcnESRA%3D' (2024-07-15)
  → 'github:hyprspace/hyprspace/b54fd70812b98994630cfa6aac17ad7c2be9b468?narHash=sha256-zWajCfHFqPa3Z72DHcxBUq4bmcCu1lpEKUbZZewpYOE%3D' (2024-07-15)
• Updated input 'nar-serve':
    'github:numtide/nar-serve/a1458804bb1ab9f1a44101e56a010ca95b8e8309?narHash=sha256-yM/ICgmMxUAk/feKojy/Jul8jh4OaVBhQoIChA6Vvq8%3D' (2024-05-26)
  → 'github:numtide/nar-serve/9d0eff868d328fe67c60c26c8ba50e0b9d8de867?narHash=sha256-8QuMS00EutmqzAIPxyJEPxM8EHiWlSKs6E2Htoh3Kes%3D' (2024-07-31)
• Removed input 'nar-serve/flake-utils'
• Added input 'nar-serve/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e?narHash=sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768%3D' (2023-04-09)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d586b644539e41fafcee09f9b40a6552252dbdb4?narHash=sha256-KPxjth7cCwNeTV9jJ90lPu8b/wMi3hcAnUbZ5NzogjA%3D' (2024-07-04)
  → 'github:NixOS/nixpkgs/43c433f2931b803dbe7853e0438ea0744ee48574?narHash=sha256-kJ/MgnoLxuVVnGcVrnZuzZ2eUasKhD7SJG/HI8ugWVQ%3D' (2024-08-01)
2024-08-01 22:52:20 +02:00
Max
29696add2f cluster/services/hercules-ci-multi-agent: limit cores for Nix 2024-08-01 22:13:10 +02:00
Max
c0038700e0 cluster/services/hercules-ci-multi-agent: limit concurrentTasks 2024-08-01 22:12:59 +02:00
Max
467bb80bbe hosts: set hardware info 2024-08-01 20:47:57 +02:00
Max
ca153bb54d hosts: implement hardware options 2024-08-01 20:44:02 +02:00
Max
36a5dd6927 cluster/services/c-f32aebf5: drop 2024-07-25 12:51:55 +02:00
Max
b9d0c97887 VEGAS/database: drop 2024-07-23 20:15:46 +02:00
Max
af61824dc9 cluster/services/sso: integrate VEGAS/oauth2-proxy 2024-07-23 20:15:46 +02:00
Max
9b59388c3c cluster/services/wireguard: move storm from VEGAS/wireguard-server 2024-07-22 00:25:18 +02:00
Max
3289e05101 cluster/services/mail: move from VEGAS/mail 2024-07-22 00:25:18 +02:00
Max
6ccc263100 cluster/services/sso: move from VEGAS/sso 2024-07-22 00:25:18 +02:00
Max
e85c6bb2c8 cluster/services/bitwarden: move from VEGAS/bitwarden 2024-07-22 00:24:46 +02:00
Max
78f97dfcad cluster/services/gitlab: move from VEGAS/gitlab 2024-07-22 00:24:42 +02:00
Max
63002031d6 cluster/services/soda: move from VEGAS 2024-07-20 22:23:31 +02:00
Max
c7f89489da cluster/services/reflex: move from VEGAS/reflex 2024-07-20 22:22:25 +02:00
Max
9ed7d26952 cluster/services/fbi: move from VEGAS/fbi 2024-07-20 22:22:14 +02:00
Max
0961e81a9f packages/stop-using-nix-env: update ephemeral shells link 2024-07-20 22:20:22 +02:00
Max
32dcdf6601 checks/ascensions: define consulAgent link 2024-07-17 23:50:18 +02:00
Max
0e8abeb78b cluster/services/consul: only require consul if enabled 2024-07-17 23:38:00 +02:00
Max
c3073e347b checks/ascensions: use consul-ready 2024-07-17 23:23:04 +02:00
Max
4957c6f07f checks/garage: use consul-ready 2024-07-17 23:22:13 +02:00
Max
03bfb51682 cluster/services/consul: use separate node group for consul-ready 2024-07-17 23:22:02 +02:00
Max
c922615666 cluster/services/storage: better support for internal storage 2024-07-17 23:00:33 +02:00
Max
33264bf43b cluster/lib: switch to lazyAttrsOf 2024-07-17 23:00:25 +02:00
Max
fa57c810c0 cluster: use consul-ready when waiting for consul 2024-07-17 22:41:06 +02:00
Max
9aa1f29e24 modules: use consul-ready when waiting for consul 2024-07-17 22:41:03 +02:00
Max
d2ab37f3b1 cluster/services/consul: implement consul-ready 2024-07-17 22:40:58 +02:00
Max
725d71cd47 checks/garage: define consulAgent link 2024-07-17 22:20:23 +02:00
Max
825efc9b29 hosts: optionally set CONSUL_HTTP_ADDR from /etc/consul.json 2024-07-17 22:14:48 +02:00
Max
5616f4887a cluster/services/*: use consulAgent link 2024-07-17 22:06:41 +02:00
Max
52008b6f0a cluster/services/consul: set agent HTTP API port 2024-07-17 22:06:36 +02:00
Max
0888ecce1a cluster/services/forge: use separate domain for ssh access 2024-07-17 00:48:01 +02:00
Max
d77b511442 cluster/services/forge: disable direct serve from s3 2024-07-17 00:41:32 +02:00
Max
f430db7d8d checks: rework age-dummy-secrets 2024-07-16 23:08:35 +02:00
Max
d720ba41a6 cluster/services/consul: set bootstrap_expect 2024-07-16 22:56:25 +02:00
Max
fa36c5879c hosts: use dynamic primary interface name 2024-07-16 20:14:30 +02:00
Max
601fc03e32 lib.summon: drop reflection 2024-07-16 14:29:48 +02:00
Max
f39a48c425 treewide: depot.reflection -> config.reflection 2024-07-16 14:29:48 +02:00
Max
7422adb13a modules/reflection: init 2024-07-16 14:01:32 +02:00
Max
f84eb995cd hosts: use shadows 2024-07-16 02:17:31 +02:00
Max
8938d311a5 packages: implement shadows 2024-07-16 02:17:23 +02:00
Max
5dd4589459 cluster/services/attic: set attic package 2024-07-16 02:14:59 +02:00
Max
7067120b9a cluster/services/idm: set kanidm package 2024-07-16 02:02:53 +02:00
Max
c53745df89 VEGAS/api: drop 2024-07-16 02:02:53 +02:00
Max
81e44bf522 hosts: set nixpkgs.pkgs 2024-07-16 02:02:53 +02:00
Max
af1cd6e0b6 modules/autopatch: drop and replace with modules/nixpkgs-config 2024-07-16 02:02:48 +02:00
Max
e62fbfea71 modules/autopatch: remove tempo 2024-07-16 02:01:42 +02:00
Max
fa9a46ca36 checks/tempo: drop 2024-07-16 01:59:43 +02:00
Max
6cb00992e9 packages/tempo: drop 2024-07-16 01:57:04 +02:00
Max
a7ead3d5e0 flake.lock: Update
Flake lock file updates:

• Updated input 'hyprspace':
    'github:hyprspace/hyprspace/565f297061e9b9dd1f078e695523a8431f3d7d83?narHash=sha256-CCXoaAjMjxrwSbw0GpfVR6Svn7n4l6%2BMct4f0ghYH44%3D' (2024-07-04)
  → 'github:hyprspace/hyprspace/76a3f73a42c2f9bbeb4c56afa4b30a98a283b79f?narHash=sha256-WqIRfqqQwcSrJNPVRxbvCG6uZvKNuPruBL85VcnESRA%3D' (2024-07-15)
2024-07-15 19:57:15 +02:00
Max
3e2b98ef6a cluster/services/forge: add blackbox monitoring 2024-07-11 00:29:36 +02:00
Max
04e6a96a06 cluster/services/storage: update garage blackbox url 2024-07-11 00:27:40 +02:00
Max
cf93588840 cluster/services/locksmith: fix default values 2024-07-11 00:08:02 +02:00
Max
ceba7852da checks/garage: add dummy option for locksmith providers 2024-07-11 00:00:28 +02:00
Max
e73a340ff0 cluster/services/attic: switch to locksmith secrets 2024-07-10 23:54:07 +02:00
Max
a8041ec87f cluster/services/locksmith: fix path handling in waiting for secrets 2024-07-10 23:50:31 +02:00
Max
72e19de53a cluster/services/forge: switch to locksmith secrets 2024-07-10 23:20:54 +02:00
Max
55741bc8f6 cluster/services/locksmith: allow waiting for keys 2024-07-10 23:20:54 +02:00
Max
d7f816ee39 cluster/services/storage: provision garage keys with locksmith 2024-07-10 23:20:54 +02:00
Max
1d59d4e4f6 cluster/services/locksmith: implement provider options 2024-07-10 23:20:54 +02:00
Max
e791be03a4 cluster/services/chant: wait for services to finish 2024-07-10 17:36:46 +02:00
Max
e3ed1611c8 cluster/services/locksmith: init 2024-07-10 17:22:58 +02:00
Max
607fb9a28c cluster/services/chant: init 2024-07-10 15:51:05 +02:00
Max
5f3661d06a modules/systemd-extras: support chants 2024-07-10 15:49:38 +02:00
bffd063523 Merge pull request 'packages/openbao: init at 2.0.0-beta20240618' (#103) from pr-openbao into master
Reviewed-on: #103
2024-07-10 03:17:42 +03:00
Max
51b8484ffc packages/openbao: init at 2.0.0-beta20240618 2024-07-10 01:52:18 +02:00
Max
a66af5d0e4 cluster/services/forge: update deprecated settings 2024-07-09 20:40:55 +02:00
Max
d2781a0377 modules/hydra: drop 2024-07-08 22:34:21 +02:00
Max
b3644b8630 cluster/services/monitoring: provision dashboards correctly 2024-07-08 22:00:00 +02:00
Max
e642871738 cluster/services/monitoring: add new dashboards 2024-07-08 21:56:28 +02:00
Max
49e720f56a cluster/services/monitoring: update dashboards 2024-07-08 21:55:25 +02:00
adc5668228 Merge branch 'pr-cluster-secrets' into 'master'
Cluster secrets

See merge request private-void/depot!55
2024-07-08 19:23:10 +00:00
Max
624961c85e secrets: clean 2024-07-08 20:53:24 +02:00
Max
b87b3d000d cluster/services/patroni: use cluster secrets 2024-07-08 20:22:38 +02:00
Max
f8f6e27e6f cluster/services/matrix: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
f17786fccb cluster/services/ipfs: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
30c80b6942 cluster/services/attic: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
579eed6b51 cluster/services/irc: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
7b95308f0d cluster/services/idm: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
deaa423c86 cluster/services/hercules-ci-multi-agent: refactor, use cluster secrets 2024-07-08 19:48:28 +02:00
Max
96c34332ca cluster/services/wireguard: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
804e7b0363 cluster/services/cachix-deploy-agent: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
0c4e603e86 cluster/services/forge: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
04031ef198 cluster/services/search: use cluster secrets 2024-07-08 19:48:28 +02:00
Max
482a594aa1 cluster/lib: set restartTriggers for changing secrets 2024-07-08 19:48:28 +02:00
Max
22ae42673f cluster/catalog: add actions for secrets 2024-07-08 16:32:08 +02:00
Max
dcc1e1ce83 cluster/catalog: refactor 2024-07-08 16:32:08 +02:00
Max
5727bdb37e cluster/lib: inject secrets into agenix modules 2024-07-08 16:32:08 +02:00
Max
8adc26c5c3 cluster/lib: add secrets options 2024-07-08 16:00:59 +02:00
Max
0a390ad0d7 cluster/services/object-storage: drop 2024-07-07 23:42:29 +02:00
Max
8a53e376bd cluster/services/content-delivery: expose bucket at cdn subdomain 2024-07-07 23:41:37 +02:00
Max
4cacd03afb cluster/services/ways: support buckets 2024-07-07 23:38:56 +02:00
Max
7570369072 treewide: remove some useless files 2024-07-06 22:57:15 +02:00
Max
8aaa15dd16 packages/catalog: add packages and pins 2024-07-06 22:57:15 +02:00
4db993b108 Merge branch 'pr-void-cli-paisano' into 'master'
Void CLI

See merge request private-void/depot!54
2024-07-06 14:11:13 +00:00
Max
934d5fee0f gitignore: add .nixos-test-history 2024-07-06 00:05:29 +02:00
Max
986a8e8866 packages/catalog: init 2024-07-06 00:02:08 +02:00
Max
b8ff5d7d03 cluster/catalog: init 2024-07-06 00:02:08 +02:00
Max
986df6e838 lib/catalog: init 2024-07-06 00:02:08 +02:00
Max
9bdaff208d catalog: init 2024-07-06 00:02:08 +02:00
Max
62ec584812 gitignore: add .cache 2024-07-06 00:02:08 +02:00
Max
efc86f6b13 lib: expose 2024-07-06 00:02:08 +02:00
Max
f5bd160d85 devShells/default: add void cli 2024-07-06 00:02:08 +02:00
Max
047397747d packages/void: init at 0.15.0+dev 2024-07-06 00:02:08 +02:00
hercules-ci[bot]
2b9d593102
Merge pull request #106 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-07-05 02:42:25 +00:00
Hercules CI Effects
a327757c6f flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/88f3dab52d2cc42945f70f4e84c4505dedaa377d' (2024-07-03)
  → 'github:NixOS/nixpkgs/d586b644539e41fafcee09f9b40a6552252dbdb4' (2024-07-04)
2024-07-05 02:18:38 +00:00
hercules-ci[bot]
ccaa746166
Merge pull request #105 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-07-04 21:26:15 +00:00
Max
278803e474 cluster/services/matrix: lib.cartesianProductOfSets -> lib.cartesianProduct 2024-07-04 22:17:35 +02:00
Hercules CI Effects
4441e0aa46 flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8' (2024-06-01)
  → 'github:hercules-ci/flake-parts/9227223f6d922fee3c7b190b2cc238a99527bbb7' (2024-07-03)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/eb1ba314aff505efb42bce45f47542a517fc3c03' (2024-06-29)
  → 'github:NixOS/nixpkgs/88f3dab52d2cc42945f70f4e84c4505dedaa377d' (2024-07-03)
2024-07-04 22:17:35 +02:00
Max
faff22a9a1 cluster/services/ipfs: fix add_header placement 2024-07-04 22:15:30 +02:00
Max
4f3abd5a8e cluster/services/content-delivery: enable bucket website access for content-delivery 2024-07-04 22:08:02 +02:00
Max
4be09304ae cluster/services/hercules-ci-multi-agent: enable bucket website access for nix-store 2024-07-04 22:07:09 +02:00
Max
60b18c9ccb cluster/services/storage: support bucket website mode 2024-07-04 22:06:25 +02:00
Max
b98a603968 flake.lock: Update
Flake lock file updates:

• Updated input 'hyprspace':
    'github:hyprspace/hyprspace/e2e2cd7723cca661fb4c50396a6fde5f82c9331c?narHash=sha256-tGhKCelgMzuoYZkENWT6xcrCi6XMgnoc%2Bdg/awGuny4%3D' (2024-06-29)
  → 'github:hyprspace/hyprspace/565f297061e9b9dd1f078e695523a8431f3d7d83?narHash=sha256-CCXoaAjMjxrwSbw0GpfVR6Svn7n4l6%2BMct4f0ghYH44%3D' (2024-07-04)
2024-07-04 21:13:43 +02:00
05224f75f1 Merge branch 'pr-cluster-reverse-proxy' into 'master'
Ways

See merge request private-void/depot!53
2024-07-04 19:05:21 +00:00
Max
c81aec9b9a cluster/services/storage: switch garage to ways 2024-07-04 20:51:50 +02:00
Max
b8067c6a33 cluster/services/ways: serialize acme cert updates 2024-07-04 20:51:50 +02:00
Max
c358714cbe cluster/services/ways: unique upstreams 2024-07-04 20:51:50 +02:00
Max
e2397ac946 cluster/services/ipfs: switch to ways 2024-07-04 20:51:50 +02:00
Max
ac047b189d cluster/services/ways: support wildcards 2024-07-04 19:51:52 +02:00
Max
a2cbfb9c25 cluster/services/monitoring: switch to ways 2024-07-04 17:31:59 +02:00
Max
a39ef182d4 cluster/services/ways: support multiple backends via consul services 2024-07-04 17:03:39 +02:00
Max
c484a2cf02 cluster/services/forge: switch to ways 2024-07-04 15:51:30 +02:00
Max
01f113046f cluster/lib: implement meshLinks 2024-07-04 15:51:30 +02:00
Max
98cb84c4d0 cluster/services/ways: init 2024-07-04 15:51:30 +02:00
Max
e68ec76011 cluster/services/forge: switch to s3 storage 2024-07-04 00:26:07 +02:00
Max
b13746f395 cluster/services/forge: add s3 bucket 2024-07-02 17:07:43 +02:00
Max
db709b6309 cluster/services/ipfs: update cluster peer id for prophet 2024-07-02 16:48:29 +02:00
Max
2e2841264f VEGAS/mail: use dns01 for certificate 2024-07-02 16:47:48 +02:00
Max
e2e3e01eb0 packages/excalidraw: 0.0.0+d1e4421 -> 0.0.0+04668d8 2024-07-01 00:28:20 +02:00
Max
f52cb141ec packages/searxng: 1.0.0pre_e99ebb3 -> 1.0.0pre_39aaac4 2024-06-30 23:03:24 +02:00
Max
eb1b5088c0 packages/stevenblack-hosts: 3.14.28 -> 3.14.82 2024-06-30 23:03:13 +02:00
Max
c6f4a639e3 cluster/services/monitoring: use upstream grafana 2024-06-30 23:00:46 +02:00
Max
1ca195949f packages/grafana: drop 2024-06-30 23:00:34 +02:00
Max
f686655282
Merge pull request #104 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-06-30 02:47:11 +02:00
Max
bf0aad67e0 cluster/services/hercules-ci-multi-agent: mkPackageOptionMD -> mkPackageOption 2024-06-30 00:49:24 +02:00
Max
c9c46a678a cluster/services/warehouse: hardware.opengl -> hardware.graphics 2024-06-30 00:48:32 +02:00
Max
030db77d48 VEGAS/gitlab: remove gitlab runner 2024-06-30 00:47:52 +02:00
Max
c29e780cfd packages/jellyfin: ffmpeg -> jellyfin-ffmpeg 2024-06-29 22:35:00 +02:00
Max
3fd854d760 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/c2fc0762bbe8feb06a2e59a364fa81b3a57671c9?narHash=sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I%3D' (2024-05-24)
  → 'github:ryantm/agenix/3a56735779db467538fb2e577eda28a9daacaca6?narHash=sha256-abpBi61mg0g%2BlFFU0zY4C6oP6fBwPzbHPKBGw676xsA%3D' (2024-06-14)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/563357eae6bbbdf9073e933e9b18d63809207ce4?narHash=sha256-PUJkw3Qa0hHkxQf8u9/ybzo3QJVTEvEPhSfp1hBblBM%3D' (2024-05-20)
  → 'github:hercules-ci/hercules-ci-agent/c37b2ada2dd001bc4be6771bcdea680b0b93fb94?narHash=sha256-p6cC%2B0/c6GCBPtBkSnaOrhwLWl%2BuyoWYl/dReg%2Bjcsk%3D' (2024-06-26)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/2057814051972fa1453ddfb0d98badbea9b83c06?narHash=sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk%3D' (2024-05-12)
  → 'github:NixOS/nixpkgs/2893f56de08021cffd9b6b6dfc70fd9ccd51eb60?narHash=sha256-ECni%2BIkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko%3D' (2024-06-24)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/c0302ec12d569532a6b6bd218f698bc402e93adc?narHash=sha256-6q6ojsp/Z9P2goqnxyfCSzFOD92T3Uobmj8oVAicUOs%3D' (2024-04-23)
  → 'github:hercules-ci/hercules-ci-effects/11e4b8dc112e2f485d7c97e1cee77f9958f498f5?narHash=sha256-YNkUMcCUCpnULp40g%2BsvYsaH1RbSEj6s4WdZY/SHe38%3D' (2024-06-24)
• Updated input 'hyprspace':
    'github:hyprspace/hyprspace/df73583638e3d59896fcd302ef40f070232b970d?narHash=sha256-t%2BfOnCYA2TzyP1AKfDuzxYOJlgkUvHdT1Ug5mgHrenQ%3D' (2024-06-05)
  → 'github:hyprspace/hyprspace/e2e2cd7723cca661fb4c50396a6fde5f82c9331c?narHash=sha256-tGhKCelgMzuoYZkENWT6xcrCi6XMgnoc%2Bdg/awGuny4%3D' (2024-06-29)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/844ccd07fb2aa17250952aee34a6fefd914b4638?narHash=sha256-wODpVx0FtLHnyKIOnm4V7fE9P8Pg12u/8ytY%2B%2BVYMK0%3D' (2024-06-06)
  → 'github:NixOS/nixpkgs/eb1ba314aff505efb42bce45f47542a517fc3c03?narHash=sha256-mlxmTqtlBR2CwbucuDpZ49ROKRJGeojCHkkY1Nd6Kw8%3D' (2024-06-29)
2024-06-29 22:30:55 +02:00
Max
03f227a4d1 cluster/services/content-delivery: init 2024-06-29 22:10:31 +02:00
Max
2995b78bc7 cluster/services/attic: remove minio fallback 2024-06-29 21:48:59 +02:00
Max
221a74793c cluster/services/c-f32aebf5: implement control stuff 2024-06-29 21:17:24 +02:00
Max
598f9a1a1e cluster/services/c-f32aebf5: fix restarting, perform daily backups and auto-restarts 2024-06-13 22:06:36 +02:00
Max
38ce5a40d5 packages/s3ql: reorder patches 2024-06-09 22:38:59 +02:00
Max
9dce56ffb6 packages/s3ql: always copy buffer in comprenc 2024-06-09 22:28:26 +02:00
Max
b680f81e69 packages/s3ql: correctly determine buffer length when pre-seeked 2024-06-07 23:58:54 +02:00
Max
d5c85b6a7c packages/s3ql: support whence argument in CacheEntry.seek 2024-06-07 23:45:41 +02:00
Max
dd2633413a packages/s3ql: correctly send body length for plain data 2024-06-07 22:33:53 +02:00
Max
6f6883f4a1 cluster/services/storage: update external storage secret for prophet 2024-06-07 03:23:55 +02:00
Max
3427f9db21 cluster/services/storage: upgrade s3ql filesystems 2024-06-07 03:15:20 +02:00
Max
799a1dede9 cluster/services/storage: prepare for s3ql upgrades 2024-06-07 02:55:50 +02:00
Max
46d2a4056a cluster/services/monitoring: fix loki config for 3.0.0 2024-06-07 01:34:37 +02:00
Max
6cdd866f97 VEGAS/mail: enable some sieve extensions 2024-06-07 01:05:17 +02:00
6d36a2a639 Merge branch 'platform-unstable' into 'master'
Platform Unstable

See merge request private-void/depot!52
2024-06-06 21:17:34 +00:00
Max
2b7c629304 hosts: wait 15 minutes before first reboot 2024-06-06 23:06:02 +02:00
Max
5e2dd277fd checks/s3ql-upgrade: init 2024-06-06 23:04:19 +02:00
Max
7328897f8b packages/s3ql: add missing packaging dependency 2024-06-06 23:04:19 +02:00
Max
82278da2e5 checks/ipfs-cluster-upgrade: init 2024-06-06 23:04:17 +02:00
Max
890622750c cluster/services/forge: chown dataDir 2024-06-06 21:24:57 +02:00
Max
75b6d3e2f5 cluster/services/forge: services.forgejo.appName -> services.forgejo.settings.DEFAULT.APP_NAME 2024-06-06 21:24:57 +02:00
Max
efe0ede612 cluster/services/forge: services.gitea -> services.forgejo 2024-06-06 21:24:57 +02:00
Max
d51f5ba633 VEGAS/mail: services.dovecot2.sieveScripts -> services.dovecot2.sieve.scripts 2024-06-06 21:24:57 +02:00
Max
fc1bad5663 cluster/services/nextcloud: services.nextcloud.config.overwriteProtocol -> services.nextcloud.settings.overwriteprotocol 2024-06-06 21:24:57 +02:00
Max
219d298ae2 VEGAS/mail: depend on network-online.target 2024-06-06 21:24:57 +02:00
Max
f2fa8aa087 cluster/services/nginx: depend on network-online.target 2024-06-06 21:24:57 +02:00
Max
251dfc446e checks/patroni: fix for 3.3.0 2024-06-06 21:24:57 +02:00
Max
fdac4f0f82 VEGAS/oauth2-proxy: use keycloak's domain for redirects 2024-06-06 21:24:57 +02:00
Max
0ce1427d36 VEGAS/oauth2-proxy: remove custom extraConfig stuff 2024-06-06 21:24:57 +02:00
Max
d8c0fd5ea2 cluster/services/storage: use s3v4 signatures for external storage 2024-06-06 21:24:57 +02:00
Max
087076e0f0 packages/s3ql: backport s3v4 signature support from 5.2.0 2024-06-06 21:24:57 +02:00
Max
55f1180bb5 packages/kanidm: rebase patchset 2024-06-06 21:24:57 +02:00
Max
43c4afdb25 packages/forgejo: rebase patchset 2024-06-06 21:24:57 +02:00
Max
c3dc26b1bf modules/system-recovery: drop sa_alex, remove initialHashedPassword, add new ssh keys 2024-06-06 21:24:57 +02:00
Max
a1894736cc packages/keycloak: drop 2024-06-06 21:24:57 +02:00
Max
75a4987efe cluster/services/storage: make replication_mode a string 2024-06-06 21:24:57 +02:00
Max
ae4385d6d3 packages/checks/{ascensions,garage}: use our consul package 2024-06-06 21:24:57 +02:00
Max
7f9881e932 cluster/services/ipfs: use new oauth2-proxy options format 2024-06-06 21:24:57 +02:00
Max
c6caf2d384 VEGAS/api: use new oauth2-proxy options format 2024-06-06 21:24:57 +02:00
Max
9981581cbd VEGAS/oauth2-proxy: services.oauth2_proxy -> services.oauth2-proxy 2024-06-06 21:24:57 +02:00
Max
eaa53cd05d cluster/services/ipfs: use upstream ipfs-cluster package 2024-06-06 21:24:57 +02:00
Max
88a7ec10dc packages/ipfs-cluster: drop 2024-06-06 21:24:57 +02:00
Max
57c2e69397 hosts/deploy.nix: use our consul package 2024-06-06 21:24:57 +02:00
Max
5b9d428f84 cluster/services/consul: use our consul package 2024-06-06 21:24:57 +02:00
Max
b98485516b packages/consul: init at 1.16.4 2024-06-06 21:24:57 +02:00
Max
a6d76804b0 flake.lock: Update
Flake lock file updates:

• Updated input 'attic':
    'github:zhaofengli/attic/4dbdbee45728d8ce5788db6461aaaa89d98081f0?narHash=sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T%2BSVvsBt%2B45Mcc%3D' (2024-03-29)
  → 'github:zhaofengli/attic/717cc95983cdc357bc347d70be20ced21f935843?narHash=sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk%3D' (2024-06-01)
• Updated input 'attic/crane':
    'github:ipetkov/crane/7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb?narHash=sha256-tWJqzajIvYcaRWxn%2BcLUB9L9Pv4dQ3Bfit/YjU5ze3g%3D' (2023-12-18)
  → 'github:ipetkov/crane/480dff0be03dac0e51a8dfc26e882b0d123a450e?narHash=sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8%3D' (2024-05-29)
• Updated input 'devshell':
    'github:numtide/devshell/12e914740a25ea1891ec619bb53cf5e6ca922e40?narHash=sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc%3D' (2024-04-19)
  → 'github:numtide/devshell/1ebbe68d57457c8cae98145410b164b5477761f4?narHash=sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY%3D' (2024-06-03)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/8dc45382d5206bd292f9c2768b8058a8fd8311d9?narHash=sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78%3D' (2024-05-16)
  → 'github:hercules-ci/flake-parts/2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8?narHash=sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw%3D' (2024-06-01)
• Updated input 'nar-serve':
    'github:numtide/nar-serve/84a77d8ab3ddec9d8090d2f0bc6718484e2d94ea?narHash=sha256-LAsxgaWKTxOVZVpNrUG9ZrHMnzNMKKxKciVitxdgylE%3D' (2021-07-16)
  → 'github:numtide/nar-serve/a1458804bb1ab9f1a44101e56a010ca95b8e8309?narHash=sha256-yM/ICgmMxUAk/feKojy/Jul8jh4OaVBhQoIChA6Vvq8%3D' (2024-05-26)
• Updated input 'nix-super/nixpkgs':
    follows 'nixpkgs'
  → 'github:NixOS/nixpkgs/b550fe4b4776908ac2a861124307045f8e717c8e?narHash=sha256-7kkJQd4rZ%2BvFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo%3D' (2024-02-28)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/4da08daf9eafaafe9a23a1154f87e51c15f99806?narHash=sha256-CDrqjliWZePpUb%2B%2BX27U1IP0oYoGB4NdCpUezEk9FzM%3D' (2024-05-30)
  → 'github:NixOS/nixpkgs/844ccd07fb2aa17250952aee34a6fefd914b4638?narHash=sha256-wODpVx0FtLHnyKIOnm4V7fE9P8Pg12u/8ytY%2B%2BVYMK0%3D' (2024-06-06)
2024-06-06 21:24:57 +02:00
Max
fe8a7e3768 meta: use latest nar-serve 2024-06-06 21:24:10 +02:00
Max
b5297afb08 meta: don't replace Nix Super's nixpkgs 2024-06-06 21:24:10 +02:00
Max
a19861a5c0 meta: NixOS Unstable 2024-06-06 21:24:10 +02:00
Max
637f048ee3 modules/external-storage: wait for MainPID to exit 2024-06-06 21:00:55 +02:00
Max
3cda1e1488 modules/ipfs: don't chown config 2024-06-06 21:00:55 +02:00
Max
144cdb2a14 modules/external-storage: s3qladm upgrade 2024-06-06 21:00:55 +02:00
Max
31e0a1fd83 modules/external-storage: don't umount if already unmounted 2024-06-06 21:00:55 +02:00
Max
1283d32691 modules/external-storage: support local backends that aren't underlays 2024-06-06 21:00:54 +02:00
Max
cb15c55220 flake.lock: Update
Flake lock file updates:

• Updated input 'hyprspace':
    'github:hyprspace/hyprspace/d97924b908475021b3e7c7edf86a0b9761d3bef8?narHash=sha256-hLVg%2BAncJx2LrseX2NCR77d3S5BYJBerYl/f9D8xEdg%3D' (2024-06-01)
  → 'github:hyprspace/hyprspace/df73583638e3d59896fcd302ef40f070232b970d?narHash=sha256-t%2BfOnCYA2TzyP1AKfDuzxYOJlgkUvHdT1Ug5mgHrenQ%3D' (2024-06-05)
2024-06-06 21:00:54 +02:00
Max
db1f1263f4 modules/hyprspace: use upstream module 2024-06-05 20:15:19 +02:00
Max
1cc18c5480 cluster/services/hercules-ci-multi-agent/modules/multi-agent-refactored: don't use getExe 2024-06-05 20:15:04 +02:00
Max
8766c44419 cluster/services/c-f32aebf5: init 2024-06-05 18:15:30 +02:00
Max
206d6a2ba6 cluster/services/dns: drop DS queries 2024-06-05 02:53:50 +02:00
Max
5bd296ab6c cluster/services/dns: heavily limit cpu and memory 2024-06-05 01:20:24 +02:00
Max
6318a87236 cluster/services/dns: remove tracing 2024-06-04 22:10:12 +02:00
Max
a2f34efb41 cluster/services/dns: only serve stale entries if upstream is not available 2024-06-04 20:51:36 +02:00
Max
7e7eac04a0 cluster/services/nextcloud: nextcloud28 -> nextcloud29 2024-06-04 20:14:38 +02:00
Max
ab13d2c437 cluster/services/nextcloud: nextcloud27 -> nextcloud28 2024-06-04 20:07:33 +02:00
Max
fe26456ae9 cluster/services/ipfs: prepare ipfs-cluster for ascension 2024-06-04 19:59:08 +02:00
Max
b5e4aeb266 cluster/services/forge: prepare for ascension 2024-06-04 19:54:44 +02:00
Max
82f34e96f2 cluster/services/matrix: use DNS01 challenge for cinny cert 2024-06-01 22:01:48 +02:00
Max
4e7c83361b cluster/services/websites: host hyprspace docs 2024-06-01 21:36:39 +02:00
Max
9e749b336d flake.lock: Update
Flake lock file updates:

• Updated input 'hyprspace':
    'github:privatevoid-net/hyprspace/121b22faf77884a03ddc039f7474ed413b2ff471?narHash=sha256-gRPDFMIcwZKM/YxUs/XQBf/Y/HJwRu6XY3%2BpWN9hE1Q%3D' (2024-05-28)
  → 'github:hyprspace/hyprspace/d97924b908475021b3e7c7edf86a0b9761d3bef8?narHash=sha256-hLVg%2BAncJx2LrseX2NCR77d3S5BYJBerYl/f9D8xEdg%3D' (2024-06-01)
2024-06-01 21:12:17 +02:00
Max
bc4e0a772a meta: update hyprspace url 2024-06-01 21:12:06 +02:00
hercules-ci[bot]
8ca089e977
Merge pull request #102 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-06-01 11:49:17 +00:00
Hercules CI Effects
e27f9e11af flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/8d37c5bdeade12b6479c85acd133063ab53187a0' (2024-05-09)
  → 'github:ryantm/agenix/c2fc0762bbe8feb06a2e59a364fa81b3a57671c9' (2024-05-24)
• Updated input 'hyprspace':
    'github:privatevoid-net/hyprspace/b90995b3c9d643dbf829bba7351c50610d70d41a' (2024-05-23)
  → 'github:privatevoid-net/hyprspace/121b22faf77884a03ddc039f7474ed413b2ff471' (2024-05-28)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/dff68ababdd2c2616d03f26546ba632f5f09d3c6' (2024-05-22)
  → 'github:NixOS/nixpkgs/4da08daf9eafaafe9a23a1154f87e51c15f99806' (2024-05-30)
2024-05-31 02:20:28 +00:00
Max
a1235005a3 packages/cinny: build on all platforms 2024-05-29 10:31:01 +02:00
Max
3a61f93b5b cluster/services/matrix: host static resources redundantly 2024-05-29 10:17:49 +02:00
Max
c4ee4559f6 cluster/services/hercules-ci-multi-agent: add hyprspace org 2024-05-24 22:51:57 +02:00
hercules-ci[bot]
ef7522b80d
Merge pull request #101 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-05-24 11:56:01 +00:00
Hercules CI Effects
087ed4a053 flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/459c8a35a501f0d7d9d4a842505c61bd36b119e3' (2024-05-16)
  → 'github:hercules-ci/hercules-ci-agent/563357eae6bbbdf9073e933e9b18d63809207ce4' (2024-05-20)
• Updated input 'hyprspace':
    'github:privatevoid-net/hyprspace/0c8f66c404c98f5cfd895ebe24e439e37409e80a' (2024-05-14)
  → 'github:privatevoid-net/hyprspace/b90995b3c9d643dbf829bba7351c50610d70d41a' (2024-05-23)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5aab418b48c79823439d0f71b1e1a1c9300cd4fc' (2024-05-16)
  → 'github:NixOS/nixpkgs/dff68ababdd2c2616d03f26546ba632f5f09d3c6' (2024-05-22)
2024-05-24 02:22:37 +00:00
Max
e4b2eae2c3 cluster/services/monitoring: keep grafana running 2024-05-17 19:29:05 +02:00
hercules-ci[bot]
ead45cfb2f
Merge pull request #100 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-05-17 13:35:51 +00:00
Max
4c62674c4b checks/keycloak: use custom keycloak package 2024-05-17 14:41:25 +02:00
Max
cf320af23d packages/garage: fix https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/695 2024-05-17 14:39:45 +02:00
Max
40cd0f90a6 packages/keycloak: init at 24.0.4 2024-05-17 14:12:01 +02:00
Max
a7cc61d97e packages/keycloak: init at 24.0.4 2024-05-17 14:12:01 +02:00
Max
58394ea184 packages/jellyfin: unpatch 2024-05-17 14:12:01 +02:00
Max
c445867b16 cluster/services/dns: use new hyprspace dns server address 2024-05-17 14:12:01 +02:00
Max
add60347fa flake.lock: Update
Flake lock file updates:

• Added input 'hyprspace':
    'github:privatevoid-net/hyprspace/0c8f66c404c98f5cfd895ebe24e439e37409e80a?narHash=sha256-CNGszsuNwWSiUJqFGH2OeMCOpSrhaw7%2BlogFZFenu68%3D' (2024-05-14)
• Added input 'hyprspace/flake-parts':
    follows 'flake-parts'
• Added input 'hyprspace/nixpkgs':
    'github:NixOS/nixpkgs/7bb2ccd8cdc44c91edba16c48d2c8f331fb3d856?narHash=sha256-Drmja/f5MRHZCskS6mvzFqxEaZMeciScCTFxWVLqWEY%3D' (2024-04-25)
2024-05-17 14:12:01 +02:00
Max
621f93e310 modules/hyprspace: use external package 2024-05-17 14:08:40 +02:00
Max
5a6d473d93 meta: add hyprspace input 2024-05-17 14:08:40 +02:00
Max
0824e12cac packages/hyprspace: drop 2024-05-17 14:08:40 +02:00
Max
a7ae49128e VEGAS/vault, cluster/services/vault: drop 2024-05-17 14:08:40 +02:00
Max
3d12645d38 packages/grafana: 10.3.1 -> 10.4.2 2024-05-17 14:08:40 +02:00
Max
c537e38d33 packages/garage: update patchset for 0.8.7 2024-05-17 14:08:40 +02:00
Max
e27894579a flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/8cb01a0e717311680e0cbca06a76cbceba6f3ed6?narHash=sha256-PAdwm5QqdlwIqGrfzzvzZubM%2BFXtilekQ/FA0cI49/o%3D' (2024-02-13)
  → 'github:ryantm/agenix/8d37c5bdeade12b6479c85acd133063ab53187a0?narHash=sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw%3D' (2024-05-09)
• Updated input 'attic':
    'github:zhaofengli/attic/6eabc3f02fae3683bffab483e614bebfcd476b21?narHash=sha256-wSZjK%2BrOXn%2BUQiP1NbdNn5/UW6UcBxjvlqr2wh%2B%2BMbM%3D' (2024-02-14)
  → 'github:zhaofengli/attic/4dbdbee45728d8ce5788db6461aaaa89d98081f0?narHash=sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T%2BSVvsBt%2B45Mcc%3D' (2024-03-29)
• Updated input 'devshell':
    'github:numtide/devshell/83cb93d6d063ad290beee669f4badf9914cc16ec?narHash=sha256-USpGLPme1IuqG78JNqSaRabilwkCyHmVWY0M9vYyqEA%3D' (2024-01-15)
  → 'github:numtide/devshell/12e914740a25ea1891ec619bb53cf5e6ca922e40?narHash=sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc%3D' (2024-04-19)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/b253292d9c0a5ead9bc98c4e9a26c6312e27d69f?narHash=sha256-a0NYyp%2Bh9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg%3D' (2024-02-01)
  → 'github:hercules-ci/flake-parts/8dc45382d5206bd292f9c2768b8058a8fd8311d9?narHash=sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78%3D' (2024-05-16)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/fa0a146c8711761606f01f06be7018696e419438?narHash=sha256-7FXt8lznqCO8w3c0YFcq1slwueqEb73n/yeTai0gSpc%3D' (2024-02-21)
  → 'github:hercules-ci/hercules-ci-agent/459c8a35a501f0d7d9d4a842505c61bd36b119e3?narHash=sha256-X040hL0QF2uDhOqTrGIFqrpb9bTH/OOYLa34pjqT6NY%3D' (2024-05-16)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa?narHash=sha256-FyF489fYNAUy7b6dkYV6rGPyzp%2B4tThhr80KNAaF/yY%3D' (2024-02-18)
  → 'github:NixOS/nixpkgs/2057814051972fa1453ddfb0d98badbea9b83c06?narHash=sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk%3D' (2024-05-12)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/0ca27bd58e4d5be3135a4bef66b582e57abe8f4a?narHash=sha256-xU/KC1PWqq5zL9dQ9wYhcdgxAwdeF/dJCLPH3PNZEBg%3D' (2024-02-21)
  → 'github:hercules-ci/hercules-ci-effects/c0302ec12d569532a6b6bd218f698bc402e93adc?narHash=sha256-6q6ojsp/Z9P2goqnxyfCSzFOD92T3Uobmj8oVAicUOs%3D' (2024-04-23)
• Updated input 'nix-filter':
    'github:numtide/nix-filter/3449dc925982ad46246cfc36469baf66e1b64f17?narHash=sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I%3D' (2024-01-15)
  → 'github:numtide/nix-filter/3342559a24e85fc164b295c3444e8a139924675b?narHash=sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj%2BrL8sRQsSM%3D' (2024-03-11)
• Updated input 'nix-super':
    'gitlab:max/nix-super/661b025c79eac08beda593ede47b41b2052e8ebf?narHash=sha256-ZhXujNwvwTDLmCpYb7h2bTDdZG4h97hEYjzBmKP8p2U%3D' (2023-12-07)
  → 'gitlab:max/nix-super/5ecd820c18b1aaa3c8ee257a7a9a2624c4107031?narHash=sha256-JctHGT1oa4pet4PgUKRM7pf0w%2BqGe0a/ahVij8bee3o%3D' (2024-04-22)
• Added input 'nix-super/flake-parts':
    'github:hercules-ci/flake-parts/9126214d0a59633752a136528f5f3b9aa8565b7d?narHash=sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm%2BGpZNw%3D' (2024-04-01)
• Added input 'nix-super/flake-parts/nixpkgs-lib':
    follows 'nix-super/nixpkgs'
• Removed input 'nix-super/lowdown-src'
• Added input 'nix-super/pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/40e6053ecb65fcbf12863338a6dcefb3f55f1bf8?narHash=sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y%3D' (2024-04-12)
• Added input 'nix-super/pre-commit-hooks/flake-compat':
    follows 'nix-super'
• Added input 'nix-super/pre-commit-hooks/flake-utils':
    'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f?narHash=sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau%2B/OdUAjtQ0rA%3D' (2022-11-02)
• Added input 'nix-super/pre-commit-hooks/gitignore':
    follows 'nix-super'
• Added input 'nix-super/pre-commit-hooks/nixpkgs':
    follows 'nix-super/nixpkgs'
• Added input 'nix-super/pre-commit-hooks/nixpkgs-stable':
    follows 'nix-super/nixpkgs'
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e6d61b7214a8df4fa5a0e3d76506f12689585bab?narHash=sha256-WzeyGUHjvDlVWTw0q03O3WaQevZzjk7gRWQ6RdlCnE4%3D' (2024-02-21)
  → 'github:NixOS/nixpkgs/5aab418b48c79823439d0f71b1e1a1c9300cd4fc?narHash=sha256-1vHvNbkDx2%2BPIJoTzehdaFH8BLPTTIwUFkUL%2BMY53h0%3D' (2024-05-16)
• Updated input 'repin-flake-utils':
    'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26?narHash=sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA%3D' (2024-01-15)
  → 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a?narHash=sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ%3D' (2024-03-11)
2024-05-17 14:08:40 +02:00
Max
b57bb71002 VEGAS/backbone-routing: remove wgmv 2024-04-30 03:28:44 +02:00
Max
3f9e7a04b5 VEGAS/fbi: use tor 2024-04-30 03:22:36 +02:00
Max
5c67cc7880 cluster/services/search: use tor 2024-04-30 03:10:33 +02:00
Max
eccf23ce9e cluster/services/tor: init 2024-04-30 02:34:51 +02:00
Max
e36260c449 cluster/services/attic: doh 2024-04-25 02:14:08 +02:00
Max
7929c28b7d packages/hyprspace: allocate multiple packets 2024-04-23 23:34:59 +02:00
Max
3e3eec0fb1 packages/hyprspace: select peers by name or ID prefix 2024-04-22 15:04:33 +02:00
Max
aadc5f3e7b packages/hyprspace: print node names in route show 2024-04-22 14:48:32 +02:00
Max
a4d5782a7f packages/hyprspace: print node names in status 2024-04-22 14:40:03 +02:00
Max
48454cc245 packages/hyprspace: lock reusable streams 2024-04-22 09:17:06 +02:00
Max
56c171960e checks/garage: add garageWeb link 2024-04-22 01:17:51 +02:00
Max
2596229ac8 packages/hyprspace: 0.8.3 -> 0.8.4 2024-04-21 23:45:56 +02:00
Max
06b6ad5569 packages/hyprspace: sendPacket in parallel 2024-04-21 23:45:56 +02:00
Max
5d2b42f9f8 packages/hyprspace: prevent connection loops 2024-04-21 23:45:56 +02:00
Max
9ae4ed5ce9 cluster/services/attic: also use the garage bucket for the binary cache 2024-04-21 23:43:28 +02:00
Max
964ab05fad cluster/services/nginx: enable proxyResolveWhileRunning 2024-04-21 23:41:13 +02:00
Max
c26db970ac cluster/services/storage: host garage web endpoint 2024-04-21 23:40:21 +02:00
Max
45af3167b2 cluster/services/hercules-ci-multi-agent: use garage 2024-04-19 18:26:35 +02:00
Max
048f03d1d3 VEGAS/mail: use extra mode for postfix fail2ban 2024-03-13 08:56:53 +01:00
hercules-ci[bot]
f2e8e92c24
Merge pull request #98 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-02-29 07:29:47 +00:00
Hercules CI Effects
f44610825f flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/9f6779e23afb401e3fe2346d615f19e20bb040e1' (2024-02-14)
  → 'github:hercules-ci/hercules-ci-agent/fa0a146c8711761606f01f06be7018696e419438' (2024-02-21)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/f9d39fb9aff0efee4a3d5f4a6d7c17701d38a1d8' (2024-02-11)
  → 'github:NixOS/nixpkgs/b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa' (2024-02-18)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/d5cbf433a6ae9cae05400189a8dbc6412a03ba16' (2023-12-31)
  → 'github:hercules-ci/hercules-ci-effects/0ca27bd58e4d5be3135a4bef66b582e57abe8f4a' (2024-02-21)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/0ca77ade2a34c5466be6d54f1267507860c95da8' (2024-02-15)
  → 'github:NixOS/nixpkgs/e6d61b7214a8df4fa5a0e3d76506f12689585bab' (2024-02-21)
2024-02-23 02:20:17 +00:00
hercules-ci[bot]
53c07b61b2
Merge pull request #97 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-02-22 11:41:39 +00:00
Max
dc7f39c905 Revert "cluster/services/attic: auto-restart atticd"
This reverts commit 6a51b09f8c.
Done upstream now.
2024-02-22 11:26:22 +01:00
Hercules CI Effects
f4cf09e721 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/417caa847f9383e111d1397039c9d4337d024bf0' (2023-12-24)
  → 'github:ryantm/agenix/8cb01a0e717311680e0cbca06a76cbceba6f3ed6' (2024-02-13)
• Updated input 'attic':
    'github:zhaofengli/attic/fbe252a5c21febbe920c025560cbd63b20e24f3b' (2024-01-18)
  → 'github:zhaofengli/attic/6eabc3f02fae3683bffab483e614bebfcd476b21' (2024-02-14)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/d1b8efd21d1832291e58bd99805eea8f8194d07b' (2024-02-07)
  → 'github:hercules-ci/hercules-ci-agent/9f6779e23afb401e3fe2346d615f19e20bb040e1' (2024-02-14)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/faf912b086576fd1a15fca610166c98d47bc667e' (2024-02-05)
  → 'github:NixOS/nixpkgs/f9d39fb9aff0efee4a3d5f4a6d7c17701d38a1d8' (2024-02-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/620b309240d774a0ea00611d8291f96141c1e60e' (2024-02-08)
  → 'github:NixOS/nixpkgs/0ca77ade2a34c5466be6d54f1267507860c95da8' (2024-02-15)
2024-02-16 02:23:42 +00:00
Max
6a51b09f8c cluster/services/attic: auto-restart atticd 2024-02-12 22:49:51 +01:00
hercules-ci[bot]
ddf31e5e0c
Merge pull request #96 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-02-09 14:06:16 +00:00
Max
6060d6d59b packages/grafana: 10.2.0 -> 10.3.1 2024-02-09 13:13:07 +01:00
Max
b15a5956ec flake.lock: Update
Flake lock file updates:

• Updated input 'devshell/flake-utils':
    'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
  → follows 'repin-flake-utils'
• Removed input 'devshell/flake-utils/systems'
2024-02-09 13:08:05 +01:00
Max
68896fde84 meta: fix follows 2024-02-09 13:08:02 +01:00
Hercules CI Effects
56a306ead6 flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/e08125e80cb3bd596dec5d24b2134088a72e3f6e' (2024-02-01)
  → 'github:hercules-ci/hercules-ci-agent/d1b8efd21d1832291e58bd99805eea8f8194d07b' (2024-02-07)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/97b17f32362e475016f942bbdfda4a4a72a8a652' (2024-01-29)
  → 'github:NixOS/nixpkgs/faf912b086576fd1a15fca610166c98d47bc667e' (2024-02-05)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/25e3d4c0d3591c99929b1ec07883177f6ea70c9d' (2024-02-01)
  → 'github:NixOS/nixpkgs/620b309240d774a0ea00611d8291f96141c1e60e' (2024-02-08)
2024-02-09 02:21:03 +00:00
Hercules CI Effects
8230c5f777 flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
  → 'github:hercules-ci/flake-parts/b253292d9c0a5ead9bc98c4e9a26c6312e27d69f' (2024-02-01)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/d3bec2bf1f042e033b4893fbc59bab141060f3c0' (2024-01-24)
  → 'github:hercules-ci/hercules-ci-agent/e08125e80cb3bd596dec5d24b2134088a72e3f6e' (2024-02-01)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21)
  → 'github:NixOS/nixpkgs/97b17f32362e475016f942bbdfda4a4a72a8a652' (2024-01-29)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/72d28a6d71c30f0242c18317520bc3f4d822e794' (2024-01-25)
  → 'github:NixOS/nixpkgs/25e3d4c0d3591c99929b1ec07883177f6ea70c9d' (2024-02-01)
2024-02-02 02:19:50 +00:00
Max
40a3521bc1 cluster/services/meet: don't use SCTP datachannel 2024-01-27 09:27:06 +01:00
Hercules CI Effects
4854afadc4 flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/999be50c04489d74719a62371831f8e73da98ad4' (2024-01-17)
  → 'github:hercules-ci/hercules-ci-agent/d3bec2bf1f042e033b4893fbc59bab141060f3c0' (2024-01-24)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370' (2024-01-15)
  → 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0' (2024-01-18)
  → 'github:NixOS/nixpkgs/72d28a6d71c30f0242c18317520bc3f4d822e794' (2024-01-25)
2024-01-26 02:20:22 +00:00
Hercules CI Effects
ff03caccef flake.lock: Update
Flake lock file updates:

• Updated input 'attic':
    'github:zhaofengli/attic/e6bedf1869f382cfc51b69848d6e09d51585ead6' (2024-01-02)
  → 'github:zhaofengli/attic/fbe252a5c21febbe920c025560cbd63b20e24f3b' (2024-01-18)
• Updated input 'devshell':
    'github:numtide/devshell/d45f45b634c624d2be705973b2af3b9bec29deff' (2024-01-11)
  → 'github:numtide/devshell/83cb93d6d063ad290beee669f4badf9914cc16ec' (2024-01-15)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/6521d0f3c82ff1d2a00df10a5c5f4c7a67b048ef' (2024-01-10)
  → 'github:hercules-ci/hercules-ci-agent/999be50c04489d74719a62371831f8e73da98ad4' (2024-01-17)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/46ae0210ce163b3cba6c7da08840c1d63de9c701' (2024-01-06)
  → 'github:NixOS/nixpkgs/c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370' (2024-01-15)
• Updated input 'nix-filter':
    'github:numtide/nix-filter/c843418ecfd0344ecb85844b082ff5675e02c443' (2023-12-04)
  → 'github:numtide/nix-filter/3449dc925982ad46246cfc36469baf66e1b64f17' (2024-01-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/2e09003f67b5c8a3e798bf5065a35a262aa5fae7' (2024-01-11)
  → 'github:NixOS/nixpkgs/8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0' (2024-01-18)
• Updated input 'repin-flake-utils':
    'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
  → 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
2024-01-19 02:20:15 +00:00
hercules-ci[bot]
174bdfcce3
Merge pull request #95 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-01-14 00:34:37 +00:00
Hercules CI Effects
848389d30c flake.lock: Update
Flake lock file updates:

• Updated input 'devshell':
    'github:numtide/devshell/44ddedcbcfc2d52a76b64fb6122f209881bd3e1e' (2023-12-05)
  → 'github:numtide/devshell/d45f45b634c624d2be705973b2af3b9bec29deff' (2024-01-11)
• Added input 'devshell/flake-utils':
    'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
• Added input 'devshell/flake-utils/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Removed input 'devshell/systems'
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/88a2cd8166694ba0b6cb374700799cec53aef527' (2024-01-01)
  → 'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/b3f75480a62c346c3c4fb01b8d98e4490d7b8604' (2024-01-03)
  → 'github:hercules-ci/hercules-ci-agent/6521d0f3c82ff1d2a00df10a5c5f4c7a67b048ef' (2024-01-10)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9' (2023-12-30)
  → 'github:NixOS/nixpkgs/46ae0210ce163b3cba6c7da08840c1d63de9c701' (2024-01-06)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/53c1e67df5a23fd62761134ca1d0a48dbaa1deff' (2024-01-04)
  → 'github:NixOS/nixpkgs/2e09003f67b5c8a3e798bf5065a35a262aa5fae7' (2024-01-11)
2024-01-12 02:21:02 +00:00
hercules-ci[bot]
14b894afec
Merge pull request #94 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2024-01-05 02:49:10 +00:00
Hercules CI Effects
ff78b2d0e7 flake.lock: Update
Flake lock file updates:

• Updated input 'attic':
    'github:zhaofengli/attic/bdafd64910bb2b861cf90fa15f1fc93318b6fbf6' (2023-12-19)
  → 'github:zhaofengli/attic/e6bedf1869f382cfc51b69848d6e09d51585ead6' (2024-01-02)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
  → 'github:hercules-ci/flake-parts/88a2cd8166694ba0b6cb374700799cec53aef527' (2024-01-01)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/429ef2392873f2d249096bad07250ce73c88a736' (2023-12-27)
  → 'github:hercules-ci/hercules-ci-agent/b3f75480a62c346c3c4fb01b8d98e4490d7b8604' (2024-01-03)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/6df37dc6a77654682fe9f071c62b4242b5342e04' (2023-12-22)
  → 'github:NixOS/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9' (2023-12-30)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/31b6cd7569191bfcd0a548575b0e2ef953ed7d09' (2023-11-26)
  → 'github:hercules-ci/hercules-ci-effects/d5cbf433a6ae9cae05400189a8dbc6412a03ba16' (2023-12-31)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5ddac5872d390fbdff50a63f06f9f08c3c7101c7' (2023-12-28)
  → 'github:NixOS/nixpkgs/53c1e67df5a23fd62761134ca1d0a48dbaa1deff' (2024-01-04)
2024-01-05 02:20:39 +00:00
Max
5a519d3a48 cluster/services/certificates: setfacl on current directory 2023-12-31 04:02:51 +01:00
Max
30e926a654 cluster/services/dns: don't rewrite NS and SOA requests 2023-12-30 14:12:38 +01:00
hercules-ci[bot]
71ac9de188
Merge pull request #93 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-12-29 02:55:03 +00:00
Hercules CI Effects
505872e7bd flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/17090d105af1b9f941109c1e12d6e3a596657f97' (2023-12-20)
  → 'github:ryantm/agenix/417caa847f9383e111d1397039c9d4337d024bf0' (2023-12-24)
• Updated input 'agenix/darwin':
    'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
  → 'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d' (2023-11-24)
• Updated input 'agenix/home-manager':
    'github:nix-community/home-manager/32d3e39c491e2f91152c84f8ad8b003420eab0a1' (2023-04-22)
  → 'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1' (2023-12-20)
• Added input 'agenix/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/fa3d0964f8679a4aae4ca353e6085b2d96b52f1e' (2023-12-20)
  → 'github:hercules-ci/hercules-ci-agent/429ef2392873f2d249096bad07250ce73c88a736' (2023-12-27)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/91a00709aebb3602f172a0bf47ba1ef013e34835' (2023-12-17)
  → 'github:NixOS/nixpkgs/6df37dc6a77654682fe9f071c62b4242b5342e04' (2023-12-22)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/cd2fef8ebbf47c315ff6b774a11fdd910504de8d' (2023-12-20)
  → 'github:NixOS/nixpkgs/5ddac5872d390fbdff50a63f06f9f08c3c7101c7' (2023-12-28)
2023-12-29 02:20:36 +00:00
Hercules CI Effects
b07c6c2e94 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/13ac9ac6d68b9a0896e3d43a082947233189e247' (2023-11-29)
  → 'github:ryantm/agenix/17090d105af1b9f941109c1e12d6e3a596657f97' (2023-12-20)
• Updated input 'attic':
    'github:zhaofengli/attic/e9918bc6be268da6fa97af6ced15193d8a0421c0' (2023-10-25)
  → 'github:zhaofengli/attic/bdafd64910bb2b861cf90fa15f1fc93318b6fbf6' (2023-12-19)
• Updated input 'attic/crane':
    'github:ipetkov/crane/105e27adb70a9890986b6d543a67761cbc1964a2' (2023-03-04)
  → 'github:ipetkov/crane/7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb' (2023-12-18)
• Removed input 'attic/crane/flake-compat'
• Removed input 'attic/crane/flake-utils'
• Removed input 'attic/crane/rust-overlay'
• Removed input 'attic/crane/rust-overlay/flake-utils'
• Removed input 'attic/crane/rust-overlay/nixpkgs'
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/63ecc2cdc74beaca24e07697a88efc43b3ded607' (2023-12-14)
  → 'github:hercules-ci/hercules-ci-agent/fa3d0964f8679a4aae4ca353e6085b2d96b52f1e' (2023-12-20)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/a9bf124c46ef298113270b1f84a164865987a91c' (2023-12-11)
  → 'github:NixOS/nixpkgs/91a00709aebb3602f172a0bf47ba1ef013e34835' (2023-12-17)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/750644b56300bfa3312710e47ab087904e0c655b' (2023-12-13)
  → 'github:NixOS/nixpkgs/cd2fef8ebbf47c315ff6b774a11fdd910504de8d' (2023-12-20)
2023-12-22 02:22:10 +00:00
hercules-ci[bot]
aa73d6535e
Merge pull request #92 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-12-16 13:47:10 +00:00
Max
fe7bc3966a checks/searxng: retry curl 2023-12-16 14:34:57 +01:00
Hercules CI Effects
0c91f2a281 flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/910c3fca45472d794a23c5b25fb4056044df1985' (2023-12-07)
  → 'github:hercules-ci/hercules-ci-agent/63ecc2cdc74beaca24e07697a88efc43b3ded607' (2023-12-14)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/91050ea1e57e50388fa87a3302ba12d188ef723a' (2023-12-01)
  → 'github:NixOS/nixpkgs/a9bf124c46ef298113270b1f84a164865987a91c' (2023-12-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/8fef9eee026f0d95c06b5880ef9c1af0f643aadf' (2023-12-07)
  → 'github:NixOS/nixpkgs/750644b56300bfa3312710e47ab087904e0c655b' (2023-12-13)
2023-12-15 02:21:20 +00:00
Hercules CI Effects
266d84668e flake.lock: Update
Flake lock file updates:

• Updated input 'devshell':
    'github:numtide/devshell/7ad1c417c87e98e56dcef7ecd0e0a2f2e5669d51' (2023-11-24)
  → 'github:numtide/devshell/44ddedcbcfc2d52a76b64fb6122f209881bd3e1e' (2023-12-05)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/6750a787c56e1a75b271d2113adb14d37f762d88' (2023-11-08)
  → 'github:hercules-ci/hercules-ci-agent/910c3fca45472d794a23c5b25fb4056044df1985' (2023-12-07)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/85f1ba3e51676fa8cc604a3d863d729026a6b8eb' (2023-11-04)
  → 'github:NixOS/nixpkgs/91050ea1e57e50388fa87a3302ba12d188ef723a' (2023-12-01)
• Updated input 'nix-filter':
    'github:numtide/nix-filter/41fd48e00c22b4ced525af521ead8792402de0ea' (2023-09-16)
  → 'github:numtide/nix-filter/c843418ecfd0344ecb85844b082ff5675e02c443' (2023-12-04)
• Updated input 'nix-super':
    'gitlab:max/nix-super/c076362db8b438c921d9bbe196ede50205f788c6' (2023-11-25)
  → 'gitlab:max/nix-super/661b025c79eac08beda593ede47b41b2052e8ebf' (2023-12-07)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/1bce6a1791a513af2727e5b668b3cd9ba76cb0bf' (2023-11-30)
  → 'github:NixOS/nixpkgs/8fef9eee026f0d95c06b5880ef9c1af0f643aadf' (2023-12-07)
• Updated input 'repin-flake-utils':
    'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
  → 'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04)
2023-12-08 02:21:16 +00:00
Max
400664edf8 cluster/services/idm: enable sudo auth with pam_rssh 2023-12-06 01:01:09 +01:00
Max
42e2fb5af6 cluster/services/soda: add internal dns record 2023-12-05 23:25:57 +01:00
Max
82bf6c028a cluster/services/nextcloud: nextcloud26 -> nextcloud27 2023-12-05 22:55:07 +01:00
Max
7972c40a4d cluster/services/idm: remove backported pam module 2023-12-05 22:42:25 +01:00
Max
98903689b5 hosts: use system profile to detect kernel updates 2023-12-05 01:13:15 +01:00
4bec53ce01 Merge branch 'platform-23.11' into 'master'
Platform 23.11

See merge request private-void/depot!51
2023-12-04 23:59:27 +00:00
Max
b0e81bf75a packages/powerdns-admin: drop 2023-12-04 23:33:20 +01:00
Max
0943c410c3 cluster: switch to exec dns01 provider 2023-12-04 23:33:20 +01:00
Max
bfd7a4214c cluster/services/acme-client: switch to acme-dns with custom script 2023-12-04 23:33:20 +01:00
Max
3231b65a26 cluster/services/cdn-shield: init 2023-12-04 23:33:20 +01:00
Max
0fef0fca66 cluster/services/n8n: init 2023-12-04 23:33:20 +01:00
Max
779429c289 cluster/services/gitlab: init 2023-12-04 23:33:20 +01:00
Max
2a49d440f7 cluster/services/vault: init 2023-12-04 23:33:20 +01:00
Max
f1e68e7e28 cluster/services/reflex: init 2023-12-04 23:33:20 +01:00
Max
195fe56279 cluster/services/bitwarden: init 2023-12-04 23:33:20 +01:00
Max
5150894720 cluster/services/ipfs: more dns records 2023-12-04 23:33:20 +01:00
Max
bde04dac87 cluster/services/websites: add dns records for old sites 2023-12-04 23:33:20 +01:00
Max
0a6755dac5 cluster/services/sso: init 2023-12-04 23:33:20 +01:00
Max
9abd4b6c0a cluster/services/attic: add dns records 2023-12-04 23:33:20 +01:00
Max
6d22f7bdb7 cluster/services/meet: add dns records 2023-12-04 23:33:20 +01:00
Max
001f6cd078 cluster/services/fbi: init 2023-12-04 23:33:20 +01:00
Max
e961260700 cluster/services/object-storage: add dns records 2023-12-04 23:33:20 +01:00
Max
38d8894676 cluster/services/nextcloud: add dns records 2023-12-04 23:33:20 +01:00
Max
bbaf0b0c14 cluster/services/soda: add dns records 2023-12-04 23:33:20 +01:00
Max
cb8744b99a cluster/services/matrix: add dns records 2023-12-04 23:33:20 +01:00
Max
38d22c1964 cluster/services/warehouse: add dns records 2023-12-04 23:33:20 +01:00
Max
4aadf0c482 cluster/services/forge: add dns records 2023-12-04 23:33:20 +01:00
Max
7d7714db4c cluster/services/search: add dns records 2023-12-04 23:33:20 +01:00
Max
b24f73bc4b cluster/services/idm: add dns records 2023-12-04 23:33:20 +01:00
Max
93ceb5c0ea cluster/services/websites: add top-level dns record 2023-12-04 23:33:20 +01:00
Max
eae6934b92 cluster/services/dns: add nameserver records 2023-12-04 23:33:20 +01:00
Max
afb95e1d3b cluster/services/mail: init 2023-12-04 23:33:20 +01:00
Max
a09b8ff7c5 cluster/services/dns: create dns records for machines 2023-12-04 23:33:20 +01:00
Max
2a9fdfa4f9 cluster/services/dns: switch to acme-dns, host static records 2023-12-04 23:33:20 +01:00
Max
eaa4bdb449 cluster/services/dns: support TXT records 2023-12-04 23:28:02 +01:00
Max
b0bff5c9b0 packages/acme-dns: init patched 2023-12-04 23:27:25 +01:00
Max
8ebbd3e3b5 packages: vendorSha256 -> vendorHash 2023-12-02 19:32:42 +01:00
Max
28d2e668f7 VEGAS/api: WEBHOOK_URL -> webhookUrl 2023-12-02 19:27:36 +01:00
Max
6f54fa16ca packages/dvc: drop 2023-12-02 19:23:53 +01:00
Max
ac21ac314a packages/kanidm: update patchset 2023-12-02 19:06:15 +01:00
Max
b485a93df4 cluster/services/storage: use consul catalog api for garage discovery 2023-12-02 13:40:51 +01:00
Max
3a03005445 flake.lock: Update
Flake lock file updates:

• Removed input 'deploy-rs'
• Removed input 'deploy-rs/flake-compat'
• Removed input 'deploy-rs/nixpkgs'
• Removed input 'deploy-rs/utils'
2023-12-02 02:54:50 +01:00
Max
75f3a25d3b meta: drop deploy-rs 2023-12-02 02:54:45 +01:00
Max
2aeea7be7f modules/deploy-rs-receiver: drop 2023-12-02 02:53:57 +01:00
Max
1554d59c7d cluster/services/nextcloud: remove enableBrokenCiphersForSSE 2023-12-02 02:48:44 +01:00
Max
75042860ac packages/garage: update patchset 2023-12-02 01:20:04 +01:00
Max
fe49607203 VEGAS/mail: switch fail2ban jails to submodule style 2023-12-02 01:14:52 +01:00
Max
d378ff9d06 modules/fail2ban: switch to submodule style 2023-12-02 01:12:26 +01:00
Max
f973ca2084 cluster/services/storage: mkForce garage's StateDirectory 2023-12-02 01:06:20 +01:00
Max
ce7654740a packages/tempo: 2.2.1 -> 2.3.0 2023-12-02 00:59:35 +01:00
Max
ce6a19387a flake.lock: Update
Flake lock file updates:

• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/8c9fa2545007b49a5db5f650ae91f227672c3877' (2023-11-01)
  → 'github:hercules-ci/flake-parts/34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5' (2023-12-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d2332963662edffacfddfad59ff4f709dde80ffe' (2023-11-30)
  → 'github:NixOS/nixpkgs/1bce6a1791a513af2727e5b668b3cd9ba76cb0bf' (2023-11-30)
2023-12-02 00:59:35 +01:00
Max
e37587ce80 meta: NixOS 23.11 2023-12-02 00:58:39 +01:00
Max
8981df6382 packages/grafana: 10.1.5 -> 10.2.0 2023-12-02 00:58:39 +01:00
Max
79b6798fe6 cluster/services/attic: enable garbage collection 2023-12-02 00:18:10 +01:00
Max
9c9c8d250d Revert "cluster/services/attic: use DynamicUser"
This reverts commit 2a75c2ae02.
2023-12-02 00:10:58 +01:00
Max
02ea8d50c7 cluster/services/attic: wait for postgresql 2023-12-01 23:22:01 +01:00
Max
2a75c2ae02 cluster/services/attic: use DynamicUser 2023-12-01 23:21:36 +01:00
Max
abc3b0b324 modules/consul-service-registry: wait for consul 2023-12-01 23:14:50 +01:00
Max
03e802bcab cluster/services/ipfs: give ipfs-cluster more time to start 2023-12-01 23:12:42 +01:00
Max
b35a8c7222
Merge pull request #91 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-12-01 20:04:21 +01:00
Max
21eafc3428 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/daf42cb35b2dc614d1551e37f96406e4c4a2d3e4' (2023-10-08)
  → 'github:ryantm/agenix/13ac9ac6d68b9a0896e3d43a082947233189e247' (2023-11-29)
• Updated input 'devshell':
    'github:numtide/devshell/1aed986e3c81a4f6698e85a7452cbfcc4b31a36e' (2023-10-27)
  → 'github:numtide/devshell/7ad1c417c87e98e56dcef7ecd0e0a2f2e5669d51' (2023-11-24)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/f76e870d64779109e41370848074ac4eaa1606ec' (2023-10-29)
  → 'github:hercules-ci/flake-parts/8c9fa2545007b49a5db5f650ae91f227672c3877' (2023-11-01)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/e44538cf90ecd8173a6edf75f9a14364d3b9962f' (2023-10-29)
  → 'github:hercules-ci/hercules-ci-agent/6750a787c56e1a75b271d2113adb14d37f762d88' (2023-11-08)
• Updated input 'hercules-ci-agent/nixpkgs':
    'github:NixOS/nixpkgs/0fbe93c5a7cac99f90b60bdf5f149383daaa615f' (2023-07-02)
  → 'github:NixOS/nixpkgs/85f1ba3e51676fa8cc604a3d863d729026a6b8eb' (2023-11-04)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/300e0af24a1bbe32d115beb182efb01785582c45' (2023-10-24)
  → 'github:hercules-ci/hercules-ci-effects/31b6cd7569191bfcd0a548575b0e2ef953ed7d09' (2023-11-26)
• Updated input 'nix-super':
    'gitlab:max/nix-super/ba035e1ea339a97e6ba6a1dd79e0c0e334240234' (2023-10-15)
  → 'gitlab:max/nix-super/c076362db8b438c921d9bbe196ede50205f788c6' (2023-11-25)
• Added input 'nix-super/libgit2':
    'github:libgit2/libgit2/45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5' (2023-10-18)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/187ac4d3f3a63ac088a02a2b156e41f7bbe28480' (2023-10-27)
  → 'github:NixOS/nixpkgs/d2332963662edffacfddfad59ff4f709dde80ffe' (2023-11-30)
2023-12-01 19:13:24 +01:00
Max
5efcf070a6 checks/garage: sync on all jobs instead of just ascend-garage-layout 2023-12-01 19:13:24 +01:00
Max
d8f58c6eff packages/cinny: 2.2.6 -> 3.2.0 2023-12-01 19:13:24 +01:00
Max
6d432278ce packages/excalidraw: 0.0.0+1184a8c -> 0.0.0+d1e4421 2023-12-01 19:13:24 +01:00
Max
c0ba4276d9 packages/stevenblack-hosts: 3.13.22 -> 3.14.28 2023-12-01 19:13:24 +01:00
Max
7800d6f4e9 packages/searxng: 1.0.0pre_018b0a9 -> 1.0.0pre_e99ebb3 2023-12-01 19:13:24 +01:00
Max
b30ed4958f modules/nix-config: disable AWS IMDS lookups 2023-12-01 19:11:05 +01:00
Max
993cb7f967 cluster/services/hercules-ci-multi-agent: disable AWS IMDS lookups
so this was the reason hci has been so fucking slow substituting things

fuck you, jeff
2023-12-01 18:28:34 +01:00
Max
4b34be5916 packages/cachix: init with patch 2023-12-01 17:45:27 +01:00
Max
24722bf586 cluster/services/hercules-ci-multi-agent: move agent processes to builder.slice 2023-12-01 01:05:55 +01:00
Max
c9f37b962a modules/nix-config: tune scheduling priorities, move to builder.slice 2023-12-01 01:04:39 +01:00
Max
ff4e3af21e cluster/services/patroni: move one worker from prophet to grail 2023-12-01 00:25:13 +01:00
Max
d554a3a3e1 VEGAS/reflex: remove max.cachix.org 2023-11-11 20:18:43 +01:00
Max
9227c66448 cluster/services/storage: increase garage upload size limit 2023-11-11 20:01:02 +01:00
Max
4f9e72af6c packages/reflex-cache: pass content to ipfs_fetch_task directly if possible 2023-11-10 00:53:49 +01:00
Max
089e570054 packages/reflex-cache: don't 502 if pinning to ipfs cluster fails 2023-11-10 00:51:12 +01:00
Max
8edd39d462 packages/reflex-cache: use GET for pre-flight nar request 2023-11-10 00:37:43 +01:00
Max
ac6eac4889 packages/reflex-cache: use better ipfs chunking 2023-11-10 00:36:26 +01:00
Max
bd08dcda97 packages/reflex-cache: decompress xz 2023-11-10 00:31:41 +01:00
Max
4c25e003b7 cluster/services/storage: monitor garage with blackbox 2023-11-09 21:42:13 +01:00
Max
0ce00ad1dc cluster/services/monitoring: move tempo to s3 2023-11-08 23:10:10 +01:00
Max
bbfdd6440c cluster/services/monitoring: enable env var resolution in loki config 2023-11-08 19:55:19 +01:00
Max
ee8750f748 cluster/services/monitoring: prepare loki for s3 2023-11-07 22:22:24 +01:00
Max
7fdafae1c2 hosts: deploy in individual effects 2023-11-07 17:15:25 +01:00
Max
f88749fd95 cluster/services/monitoring: create buckets for loki and tempo 2023-11-06 20:53:20 +01:00
Max
fbead1652a packages/hyprspace: add another bootstrap peer 2023-11-06 01:11:21 +01:00
Max
e16072630f packages/s3ql: limit signed headers 2023-11-05 03:48:07 +01:00
Max
2d1d8c5370 cluster/services/storage: disable-expect100 2023-11-05 01:11:17 +01:00
Max
a087445358 cluster/services/monitoring: move one blackbox agent from VEGAS to grail 2023-11-05 00:12:19 +01:00
Max
d6fe67c14e cluster/services/storage: use external s3 endpoint for remote storage 2023-11-04 23:36:19 +01:00
Max
edad34b631 packages/s3ql: fix signatures for standard ports 2023-11-04 23:31:16 +01:00
Max
b332dc4a4e cluster/services/storage: scrape metrics from garage 2023-11-04 20:12:11 +01:00
Max
eefc380890 cluster/services/dns: trace coredns 2023-11-04 03:59:27 +01:00
Max
83b9ed9c09 cluster/services/monitoring: fix tempo, add zipkin endpoint 2023-11-04 03:59:17 +01:00
Max
3c7cb33820 cluster/services/monitoring: make tempo-grpc listen on localhost 2023-11-04 03:22:20 +01:00
Max
da9c1cca67 cluster/services/storage: rotate storage auth for prophet 2023-11-04 02:09:22 +01:00
Max
eb69940c8f cluster/services/attic: rotate s3 credentials 2023-11-04 02:08:07 +01:00
Max
2aed1f4df2 cluster/services/storage: add grail to garage cluster 2023-11-04 02:07:29 +01:00
Max
84644cfbf6 cluster/services/monitoring: enable monitoring on grail 2023-11-04 01:24:34 +01:00
Max
df1b0e1850 cluster/services/certificates: allow grail to use the internal wildcard cert 2023-11-04 01:18:50 +01:00
Max
491666c17a cluster/services/consul: add grail 2023-11-04 01:17:59 +01:00
Max
20991ec5d8 cluster/services/acme-dns-client: add grail 2023-11-04 01:17:59 +01:00
Max
55c0b848a6 cluster/services/nginx: add grail 2023-11-04 01:17:59 +01:00
Max
6cb9c5a9f3 cluster/services/dns: add grail to clients 2023-11-04 01:17:59 +01:00
Max
5200dab0eb cluster/services/cachix-deploy-agent: add grail 2023-11-04 01:17:59 +01:00
Max
d3eb8dd849 hosts/grail: enable hyprspace 2023-11-04 01:17:59 +01:00
Max
2c01ab818a cluster/services/idm: add grail to clients 2023-11-04 00:47:04 +01:00
Max
125732e03a cluster/services/wireguard: add grail to mesh 2023-11-04 00:47:04 +01:00
Max
be013f184e hosts/grail: init 2023-11-04 00:24:43 +01:00
Max
0752d1e1d8 cluster/services/storage: don't explicitly set port in s3 endpoint url 2023-11-03 22:09:45 +01:00
Max
971d53e9ea cluster/services/attic: use external garage endpoint 2023-11-03 21:46:40 +01:00
Max
fdf3980e3f cluster/services/storage: use cluster link 2023-11-03 21:45:36 +01:00
Max
e1c4f0e9ec cluster/services/storage: use the actual health endpoint 2023-11-03 21:33:46 +01:00
Max
6a2299e049 cluster/services/storage: fix garage gateway proxy config 2023-11-03 21:17:54 +01:00
Max
4f49aad9dd cluster/services/storage: split garage config for tests 2023-11-03 20:57:35 +01:00
Max
8f8c2bc0ce cluster/services/storage: garage health endpoint does not like HEAD 2023-11-03 20:47:34 +01:00
Max
024dcc78b0 cluster/services/storage: expose garage 2023-11-03 20:40:34 +01:00
Max
13d1dd572f cluster/services/consul: add dns records 2023-11-03 01:58:32 +01:00
Max
07544555c7 cluster/services/ipfs: simplify regex 2023-11-02 23:59:02 +01:00
Max
b60a1cd5a2 cluster/services/dns: fix regex handling 2023-11-02 23:58:49 +01:00
Max
2bdb62b255 cluster/services/ipfs: use regex rewrite type 2023-11-02 23:56:38 +01:00
Max
b2c9676a49 cluster/services/websites: rewrite.target -> consulService 2023-11-02 23:55:33 +01:00
Max
e3b6d66991 cluster/services/dns: fix typo 2023-11-02 23:55:10 +01:00
Max
d65fb75f78 cluster/services/websites: add dns records 2023-11-02 23:50:27 +01:00
Max
5284c0f6d5 cluster/services/irc: add dns records 2023-11-02 23:45:34 +01:00
Max
58f60eef45 cluster/services/ipfs: add dns records 2023-11-02 23:43:58 +01:00
Max
88754861db cluster/services/dns: support alternative rewrite types in declarative dns 2023-11-02 23:42:59 +01:00
Max
7ff75a72f5 cluster/services/dns: add dns records 2023-11-02 23:21:22 +01:00
Max
b217be06d5 cluster/services/monitoring: add dns records 2023-11-02 23:15:09 +01:00
Max
6102a4ccca cluster/services/dns: implement basic declarative dns 2023-11-02 23:11:13 +01:00
Max
b24e82be3f cluster/services/storage: add grep to runGarage 2023-11-02 19:53:07 +01:00
Max
db416ab9e2 cluster/services/storage: remove broken incantation 2023-11-02 19:50:10 +01:00
Max
b2e30146d9 cluster/services/storage: remove checkmate from garage cluster 2023-11-02 19:13:34 +01:00
Max
7c3ee49b82 cluster/services/storage: limit garage memory usage on low-memory nodes 2023-11-02 03:37:11 +01:00
Max
10c5d853d7 cluster/services/storage: move prophet storage to S3 2023-11-02 03:22:28 +01:00
Max
25f3b2da0a cluster/services/storage: fix config for heresy 2023-11-02 03:21:57 +01:00
Max
c4b7a72f99 modules/external-storage: support non-local backends, make encryption optional 2023-11-02 02:46:40 +01:00
Max
907bdf2c74 modules/external-storage: use s3ql from depot 2023-11-01 23:13:50 +01:00
Max
8086d5615e packages/s3ql: init with S3v4 auth patch 2023-11-01 23:12:22 +01:00
Max
bf3be62281 hosts/prophet: enable zram 2023-11-01 19:45:08 +01:00
Max
cbdae3116d modules/consul-distributed-services: use unique name for pre-flight-check 2023-11-01 15:13:22 +01:00
Max
4d0d1d2254 cluster/services/attic: move to garage 2023-10-31 22:19:08 +01:00
Max
9edfe4f2de cluster/services/storage: allow configuring garage buckets and keys through cluster options 2023-10-31 18:41:40 +01:00
Max
2ca2094d3a
Merge pull request #86 from privatevoid-net/svc-garage
Garage Service
2023-10-31 16:42:27 +01:00
Max
cec2fc0bc1 cluster/services/storage: serviceConfig.RequiresMountsFor -> unitConfig.RequiresMountsFor 2023-10-31 15:37:15 +01:00
Max
5d4c4a09fc modules/ascensions: always wantedBy multi-user.target 2023-10-31 15:37:15 +01:00
Max
8814c21e3f checks/garage: wait for ascend-garage-layout before switching 2023-10-31 15:37:15 +01:00
Max
d7bcdd706b checks/garage: -q 2023-10-31 15:37:15 +01:00
Max
8dc57c36ea packages/garage: don't panic on SIGPIPE 2023-10-31 15:37:15 +01:00
Max
d87865d6c0 checks/garage: use 2-space indents 2023-10-30 23:06:06 +01:00
Max
123c5adef6 checks/garage: test declarative keys and buckets 2023-10-30 23:06:06 +01:00
Max
f4779a8512 cluster/services/storage: declarative garage keys and buckets 2023-10-30 23:06:06 +01:00
Max
95375b7fda checks/garage: init 2023-10-30 23:06:06 +01:00
Max
7eb3eea599 cluster/services/storage: externalize garage layout implementation 2023-10-30 23:06:06 +01:00
Max
4cf87bac0e modules/consul-distributed-services: wait for consul to start 2023-10-30 23:06:06 +01:00
Max
5267d14b48 modules/{consul-distributed-services,consul-service-registry}: set CONSUL_HTTP_ADDR 2023-10-30 23:06:06 +01:00
Max
0025a4bb2a checks: add age dummy secrets NixOS module 2023-10-30 23:06:06 +01:00
Max
1b3a990866 cluster/services/storage: add garage 2023-10-30 23:06:06 +01:00
Max
8061af645d modules/external-storage: support setting uid and gid for underlays 2023-10-30 23:06:06 +01:00
Max
a656a5c895 packages/garage: init at 0.8 2023-10-30 23:06:06 +01:00
Max
c877404caf cluster/services/idm: fix infra-admins policy tmpfiles rules 2023-10-30 01:57:03 +01:00
Max
4f31e37014 cluster/services/idm: wait for nscd before starting idm-nss-ready 2023-10-30 01:40:43 +01:00
Max
f1f3cdc668 checks/jellyfin-stateless: wait for config file to be rewritten 2023-10-29 20:44:28 +01:00
hercules-ci[bot]
ab728bb8d6
Merge pull request #90 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-10-29 16:58:41 +00:00
Max
bcff413e1b flake.lock: Update
Flake lock file updates:

• Updated input 'attic':
    'github:zhaofengli/attic/b43d12082e34bceb26038bdad0438fd68804cfcd' (2023-08-16)
  → 'github:zhaofengli/attic/e9918bc6be268da6fa97af6ced15193d8a0421c0' (2023-10-25)
• Updated input 'devshell':
    'github:numtide/devshell/cd4e2fda3150dd2f689caeac07b7f47df5197c31' (2023-09-29)
  → 'github:numtide/devshell/1aed986e3c81a4f6698e85a7452cbfcc4b31a36e' (2023-10-27)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
  → 'github:hercules-ci/flake-parts/f76e870d64779109e41370848074ac4eaa1606ec' (2023-10-29)
• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/3f076fe6678a713fb342f0742717bee6c7fe597d' (2023-10-13)
  → 'github:hercules-ci/hercules-ci-agent/e44538cf90ecd8173a6edf75f9a14364d3b9962f' (2023-10-29)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/178b36dc3a75c96efc25477d45eafc37ba1fafc3' (2023-10-11)
  → 'github:hercules-ci/hercules-ci-effects/300e0af24a1bbe32d115beb182efb01785582c45' (2023-10-24)
• Removed input 'hercules-ci-effects/hercules-ci-agent'
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ebb21e46b3440c0fd840e5c27c7581fa5ed435ca' (2023-10-20)
  → 'github:NixOS/nixpkgs/187ac4d3f3a63ac088a02a2b156e41f7bbe28480' (2023-10-27)
2023-10-29 15:46:06 +01:00
Max
127869e5ea meta: switch to hercules-ci-agent master 2023-10-29 15:45:30 +01:00
Max
5aa60f065d meta: remove unneeded follow 2023-10-29 15:44:51 +01:00
Max
f6813d933d cluster/services/hercules-ci-multi-agent: remove some hardening options that break effects 2023-10-29 15:22:56 +01:00
Max
bcaecf492a modules/hyprspace: run on multiple ports for firewall resilience 2023-10-27 21:49:00 +02:00
Max
7a6720092d packages/hyprspace: 0.8.2 -> 0.8.3
- implement delegated HTTP routing
- set user agent string
2023-10-27 20:33:57 +02:00
Max
7916856d92 cluster/services/ipfs: update config, host routing API endpoint 2023-10-27 19:22:39 +02:00
Max
a8ec626ba9 modules/ipfs: use attrsOf anything for extraConfig 2023-10-27 19:21:01 +02:00
Max
1df4295d48 packages/ipfs: 0.16.0 -> 0.23.0 2023-10-27 19:20:19 +02:00
Max
15261f5aa8 packages/hyprspace: init: print simple config snippet for peer entry 2023-10-27 03:17:42 +02:00
Max
ed3d8fd7ab packages/hyprspace: don't segfault when reading config fails 2023-10-27 03:06:54 +02:00
Max
f6e6815aa5 modules/hyprspace: use new config format 2023-10-27 00:45:16 +02:00
Max
9954f8eb03 packages/hyprspace: 0.7.1 -> 0.8.0
- config overhaul
- remove unnecessary cli args
- remove down command
2023-10-27 00:32:18 +02:00
Max
7086f652a8 packages/hyprspace: 0.7.0 -> 0.7.1
- implement route add, route del
2023-10-26 03:31:05 +02:00
Max
451da5558a cluster/services/hercules-ci-multi-agent: set home directory 2023-10-26 02:14:31 +02:00
Max
55d19314a9 cluster/services/hercules-ci-multi-agent: use hercules-ci-agent package from flake 2023-10-26 02:14:20 +02:00
Max
2335305284 cluster/services/hercules-ci-multi-agent: use kranzes' refactored modules 2023-10-26 01:35:31 +02:00
Max
ea29ed2375 VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 19:30:49 +02:00
Max
25b62a503e lib/identity: move to idm-ldap 2023-10-25 19:30:00 +02:00
Max
1754fc1048 VEGAS/sso: drop ident 2023-10-25 17:44:28 +02:00
Max
b5b1923ef0 cluster/services/matrix: change ldap config 2023-10-25 17:33:59 +02:00
Max
0ed53e9a3f secrets: fix flake url 2023-10-25 17:33:08 +02:00
Max
cf807b7b61 cluster/services/dns: expose hyprspace namespace on coredns 2023-10-24 23:41:34 +02:00
Max
542d7e95f8 cluster/services/consul: host remote API on vstub 2023-10-24 23:41:06 +02:00
Max
4f9680966b hosts: remove hyprspace static address support, create vstub everywhere, route vstub through hyprspace 2023-10-24 23:39:00 +02:00
Max
964b5dbe12 modules/networking: init with vstub from backbone-routing 2023-10-24 23:38:11 +02:00
Max
b11d28ebad modules/hyprspace: use new config format 2023-10-24 23:37:36 +02:00
Max
e0790998d3 packages/hyprspace: 0.6.5 -> 0.7.0
- dynamic addressing
- DNS
- switch to cidranger for routing
- auto add routes to tun device
- pex: shut up
2023-10-24 23:34:12 +02:00
Max
58edff1542 modules/hyprspace: yml -> json 2023-10-23 23:15:31 +02:00
Max
dc51c4250c packages/hyprspace: ban yaml from existence 2023-10-23 23:12:48 +02:00
Max
16384da670 packages/hyprspace: imagine 2023-10-23 00:08:46 +02:00
Max
33782687e9 packages/hyprspace: remove manual routing support 2023-10-22 23:39:39 +02:00
Max
80fadfae3c packages/hyprspace: elaborate on why opening a packet stream failed 2023-10-22 22:59:47 +02:00
Max
819816c019 packages/grafana: 9.5.1 -> 10.1.5 2023-10-22 16:39:59 +02:00
Max
e5c61bc0cf packages/hyprspace: update vendorSha256 2023-10-22 15:31:01 +02:00
Max
f3495beea7 modules/hyprspace: enable metrics 2023-10-22 15:20:28 +02:00
Max
e0569ac31e packages/hyprspace: enable optional prometheus metrics endpoint 2023-10-22 15:14:16 +02:00
Max
43c5e4b68f packages/hyprspace: new bootstrap peers 2023-10-22 14:38:09 +02:00
Max
c9594f1121 packages/hyprspace: EnableAutoRelay -> EnableAutoRelayWithPeerSource 2023-10-22 14:26:50 +02:00
Max
7994f822c4 packages/hyprspace: io/ioutil -> io 2023-10-22 14:20:58 +02:00
Max
c3b5e04772 packages/hyprspace: 0.6.4 -> 0.6.5
go-libp2p: 0.30.0 -> 0.31.0
2023-10-22 14:19:34 +02:00
Max
402f25ccc5 cluster/services/idm: fix stdout buffering for idm-nss-ready 2023-10-22 13:50:22 +02:00
hercules-ci[bot]
7364def41d
Merge pull request #89 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-10-20 16:52:16 +00:00
Hercules CI Effects
8f1c5d4aee flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/6f87c4d764f400d76bafab0f2d940e93aff91a73' (2023-10-15)
  → 'github:NixOS/nixpkgs/ebb21e46b3440c0fd840e5c27c7581fa5ed435ca' (2023-10-20)
2023-10-20 18:17:31 +02:00
Max
80e3680953 packages/build-support: fix hydrateAssetDirectory 2023-10-20 15:07:54 +02:00
hercules-ci[bot]
e09cdb52ff
Merge pull request #87 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-10-19 21:48:21 +00:00
Max
009546d819 packages/powerdns-admin: remove dependency on python3-saml 2023-10-19 22:33:26 +02:00
Max
a2d99f6082 checks/jellyfin-stateless: fix synchronization 2023-10-19 00:20:28 +02:00
Max
d3b2006f46 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/d8c973fd228949736dedf61b7f8cc1ece3236792' (2023-07-24)
  → 'github:ryantm/agenix/daf42cb35b2dc614d1551e37f96406e4c4a2d3e4' (2023-10-08)
• Updated input 'devshell':
    'github:numtide/devshell/2aa26972b951bc05c3632d4e5ae683cb6771a7c6' (2023-08-23)
  → 'github:numtide/devshell/cd4e2fda3150dd2f689caeac07b7f47df5197c31' (2023-09-29)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/59cf3f1447cfc75087e7273b04b31e689a8599fb' (2023-08-01)
  → 'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
• Updated input 'hercules-ci-effects':
    'github:hercules-ci/hercules-ci-effects/0a63bfa3f00a3775ea3a6722b247880f1ffe91ce' (2023-07-15)
  → 'github:hercules-ci/hercules-ci-effects/178b36dc3a75c96efc25477d45eafc37ba1fafc3' (2023-10-11)
• Updated input 'nix-filter':
    'github:numtide/nix-filter/d90c75e8319d0dd9be67d933d8eb9d0894ec9174' (2023-06-19)
  → 'github:numtide/nix-filter/41fd48e00c22b4ced525af521ead8792402de0ea' (2023-09-16)
• Updated input 'nix-super':
    'gitlab:max/nix-super/0007178284d0247631af40931b7039d42bfc0da5' (2023-08-24)
  → 'gitlab:max/nix-super/ba035e1ea339a97e6ba6a1dd79e0c0e334240234' (2023-10-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/841889913dfd06a70ffb39f603e29e46f45f0c1a' (2023-08-30)
  → 'github:NixOS/nixpkgs/6f87c4d764f400d76bafab0f2d940e93aff91a73' (2023-10-15)
• Updated input 'repin-flake-utils':
    'github:numtide/flake-utils/f9e7cf818399d17d347f847525c5a5a8032e4e44' (2023-08-23)
  → 'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
2023-10-19 00:17:55 +02:00
Max
65e4ee8868 flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/344b8b1079731a8c1e144119174f684fb492e03a' (2023-08-30)
  → 'github:hercules-ci/hercules-ci-agent/3f076fe6678a713fb342f0742717bee6c7fe597d' (2023-10-13)
2023-10-19 00:17:18 +02:00
Max
5f537e24bb meta: switch to experimental Hercules CI Agent 0.10 2023-10-19 00:17:16 +02:00
Max
5153c5f8a6 checks/ascensions: fix synchronization 2023-10-19 00:17:16 +02:00
Max
b96ea0d6cb
Merge pull request #88 from Gerg-L/master
massive improvements
2023-09-19 17:43:45 +02:00
Gerg-L
31260502a8
massive improvements 2023-09-19 10:19:27 -04:00
Max
163f111a81 cluster/services/meet: remove blackbox check 2023-09-04 16:39:54 +02:00
ee2045a148 Merge branch 'ascensions' into 'master'
Ascensions

Closes #37

See merge request private-void/depot!49
2023-09-03 22:11:12 +00:00
Max
8fd6f67a8f hosts/VEGAS: enable zram 2023-09-03 22:40:16 +02:00
Max
a6de5e2e3d checks: only run on x86_64-linux 2023-09-03 21:34:36 +02:00
Max
d51e5e4847 modules/ascensions: allow specifying custom incantations 2023-09-03 21:23:08 +02:00
Max
72f3cead67 checks/ascensions: add more incantations 2023-09-03 21:23:08 +02:00
Max
cfa64284fa checks: add generic consul module 2023-09-03 21:23:08 +02:00
Max
48d635db6a checks/ascensions: init 2023-09-03 02:18:19 +02:00
Max
f9daec023f modules/ascension: init 2023-09-03 02:18:19 +02:00
3376200e80 Merge branch 'refactor' into 'master'
Massive Refactor

See merge request private-void/depot!50
2023-09-02 23:21:14 +00:00
Max
ae48e4807a treewide: massive refactor 2023-09-03 01:11:49 +02:00
hercules-ci[bot]
8b96787bc2
Merge pull request #85 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-09-01 02:44:42 +00:00
Hercules CI Effects
992cec4206 flake.lock: Update
Flake lock file updates:

• Updated input 'hercules-ci-agent':
    'github:hercules-ci/hercules-ci-agent/367dd8cd649b57009a6502e878005a1e54ad78c5' (2023-07-05)
  → 'github:hercules-ci/hercules-ci-agent/344b8b1079731a8c1e144119174f684fb492e03a' (2023-08-30)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/9977d6e3dd3bcd105dff6cdc8627cb50eb03999f' (2023-08-26)
  → 'github:NixOS/nixpkgs/841889913dfd06a70ffb39f603e29e46f45f0c1a' (2023-08-30)
2023-09-01 02:19:31 +00:00
40dcac1931 Merge branch 'jellyfin-stateless' into 'master'
Towards Stateless Jellyfin

Closes #39

See merge request private-void/depot!48
2023-08-28 22:37:45 +00:00
Max
fb7e1163a0 checks/jellyfin-stateless: init 2023-08-29 00:24:28 +02:00
Max
6a4b07f036 cluster/services/warehouse: workaround for ffmpeg config bug 2023-08-29 00:23:47 +02:00
Max
9245b0909e cluster/services/warehouse: move from VEGAS 2023-08-28 23:30:00 +02:00
Max
2ff899cd3e modules/consul-service-registry: limit number of retries for deregister 2023-08-27 16:41:12 +02:00
Max
f423f868c5 cluster/services/monitoring: grafana: use distributed service 2023-08-27 16:26:17 +02:00
Max
6635ea516d modules/consul-distributed-services: init 2023-08-27 16:25:44 +02:00
Max
e81345d4a0 modules/systemd-extras: introduce distributed service interface 2023-08-27 16:25:29 +02:00
Max
514f5c9001 modules/external-storage: set SuccessExitStatus 2023-08-27 01:44:21 +02:00
hercules-ci[bot]
c27f53eec1
Merge pull request #84 from privatevoid-net/pr-flake-update
`flake.lock`: Update
2023-08-26 22:40:32 +00:00
Max
5f3f73f20b modules/nix-config: use cgroups 2023-08-26 22:50:19 +02:00
Hercules CI Effects
93e0a24a27 flake.lock: Update
Flake lock file updates:

• Updated input 'devshell':
    'github:numtide/devshell/f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205' (2023-07-03)
  → 'github:numtide/devshell/2aa26972b951bc05c3632d4e5ae683cb6771a7c6' (2023-08-23)
• Updated input 'nix-super':
    'gitlab:max/nix-super/65e8abac80cc06f9f05147b51908a47549e9342e' (2023-08-13)
  → 'gitlab:max/nix-super/0007178284d0247631af40931b7039d42bfc0da5' (2023-08-24)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/53baed0863ff7df14b14444b779ddfaa80621f1a' (2023-08-17)
  → 'github:NixOS/nixpkgs/9977d6e3dd3bcd105dff6cdc8627cb50eb03999f' (2023-08-26)
• Updated input 'repin-flake-utils':
    'github:numtide/flake-utils/919d646de7be200f3bf08cb76ae1f09402b6f9b4' (2023-07-11)
  → 'github:numtide/flake-utils/f9e7cf818399d17d347f847525c5a5a8032e4e44' (2023-08-23)
2023-08-26 20:45:29 +00:00
675 changed files with 9706 additions and 67225 deletions

3
.dvc/.gitignore vendored
View file

@ -1,3 +0,0 @@
/config.local
/tmp
/cache

View file

@ -1,5 +0,0 @@
[core]
remote = cdn
['remote "cdn"']
url = s3://content-delivery/assets
endpointurl = https://object-storage.privatevoid.net

View file

@ -1,3 +0,0 @@
# Add patterns of files dvc should ignore, which could improve
# the performance. Learn more at
# https://dvc.org/doc/user-guide/dvcignore

2
.gitignore vendored
View file

@ -3,3 +3,5 @@ result
result-*
**/.direnv/
.data/
.cache/
.nixos-test-history

10
catalog/part.nix Normal file
View file

@ -0,0 +1,10 @@
{ lib, ... }:
{
perSystem = {
options.catalog = lib.mkOption {
type = with lib.types; lazyAttrsOf (lazyAttrsOf (lazyAttrsOf (submodule ./target.nix)));
default = {};
};
};
}

31
catalog/target.nix Normal file
View file

@ -0,0 +1,31 @@
{ lib, name, ... }:
{
options = {
description = lib.mkOption {
type = lib.types.str;
default = name;
};
actions = lib.mkOption {
type = with lib.types; lazyAttrsOf (submodule {
options = {
description = lib.mkOption {
type = lib.types.str;
default = name;
};
command = lib.mkOption {
type = lib.types.str;
};
packages = lib.mkOption {
type = with lib.types; listOf package;
default = [];
};
};
});
default = {};
};
};
}
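Review bot: the `description` default inside the `actions` submodule picks up the wrong `name`. That submodule body is a plain attrset, not a function, so `name` there is the outer `{ lib, name, ... }` argument, i.e. the target's key, and every action without an explicit description is labelled with its target's name instead of its own. Make it `submodule ({ name, ... }: { options = { ... }; })` so `name` is the action key.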

View file

@ -0,0 +1,6 @@
{
imports = [
./services.nix
./secrets.nix
];
}

View file

@ -0,0 +1,73 @@
{ config, lib, withSystem, ... }:
let
inherit (config) cluster hours;
in
{
perSystem = { config, pkgs, system, ... }: {
catalog.cluster = {
secrets = lib.pipe cluster.config.services [
(lib.mapAttrsToList (svcName: svcConfig: lib.mapAttrsToList (secretName: secretConfig: {
name = "${svcName}/${secretName}";
value = {
description = "Cluster secret '${secretName}' of service '${svcName}'";
actions = let
agenixRules = builtins.toFile "agenix-rules-shim.nix" /*nix*/ ''
builtins.fromJSON (builtins.readFile (builtins.getEnv "AGENIX_KEYS_JSON"))
'';
mkKeys = secretFile: nodes: builtins.toFile "agenix-keys.json" (builtins.toJSON {
"${secretFile}".publicKeys = (map (hour: hours.${hour}.ssh.id.publicKey) nodes) ++ cluster.config.secrets.extraKeys;
});
setupCommands = secretFile: nodes: let
agenixKeysJson = mkKeys secretFile nodes;
in ''
export RULES='${agenixRules}'
export AGENIX_KEYS_JSON='${agenixKeysJson}'
mkdir -p "$PRJ_ROOT/cluster/secrets"
cd "$PRJ_ROOT/cluster/secrets"
'';
in (lib.optionalAttrs (secretConfig.generate != null) {
generateSecret = {
description = "Generate this secret";
command = if secretConfig.shared then let
secretFile = "${svcName}-${secretName}.age";
in ''
${setupCommands secretFile secretConfig.nodes}
${withSystem system secretConfig.generate} | agenix -e '${secretFile}'
'' else lib.concatStringsSep "\n" (map (node: let
secretFile = "${svcName}-${secretName}-${node}.age";
in ''
${setupCommands secretFile [ node ]}
${withSystem system secretConfig.generate} | agenix -e '${secretFile}'
'') secretConfig.nodes);
};
}) // (if secretConfig.shared then let
secretFile = "${svcName}-${secretName}.age";
in {
editSecret = {
description = "Edit this secret";
command = ''
${setupCommands secretFile secretConfig.nodes}
agenix -e '${secretFile}'
'';
};
} else lib.mapAttrs' (name: lib.nameValuePair "editSecretInstance-${name}") (lib.genAttrs secretConfig.nodes (node: let
secretFile = "${svcName}-${secretName}-${node}.age";
in {
description = "Edit this secret for '${node}'";
command = ''
${setupCommands secretFile [ node ]}
agenix -e '${secretFile}'
'';
})));
};
}) svcConfig.secrets))
lib.concatLists
lib.listToAttrs
];
};
};
}
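Review bot: `setupCommands` emits a script without `set -euo pipefail`, which lets two failures pass silently: if `mkdir -p` or `cd` fails, `agenix -e '...'` writes the secret into whatever the caller's cwd happens to be, and in `generateSecret` a generator that exits non-zero still pipes its partial or empty output into `agenix -e`, producing a well-formed ciphertext of garbage with a zero exit status. Prefix the script with `set -euo pipefail` (the per-node loop for non-shared secrets then also stops at the first failing node instead of continuing).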

View file

@ -0,0 +1,52 @@
{ config, lib, ... }:
let
inherit (config) cluster flake;
in
{
perSystem = { config, pkgs, ... }: {
catalog.cluster = {
services = lib.mapAttrs (name: svc: {
description = "Cluster service: ${name}";
actions = let
mkDeployAction = { description, agents }: {
inherit description;
packages = [
config.packages.cachix
pkgs.tmux
];
command = let
cachixDeployJson = pkgs.writeText "cachix-deploy.json" (builtins.toJSON {
agents = lib.genAttrs agents (name: builtins.unsafeDiscardStringContext flake.nixosConfigurations.${name}.config.system.build.toplevel);
});
in ''
set -e
echo building ${toString (lib.length agents)} configurations in parallel
tmux new-session ${lib.concatStringsSep " split-window " (
map (host: let
drvPath = builtins.unsafeDiscardStringContext flake.nixosConfigurations.${host}.config.system.build.toplevel.drvPath;
in '' 'echo building configuration for ${host}; nix build -L --no-link --store "ssh-ng://${host}" --eval-store auto "${drvPath}^*"'\; '') agents
)} select-layout even-vertical
source ~/.config/cachix/deploy
cachix deploy activate ${cachixDeployJson}
echo
'';
};
in {
deployAll = mkDeployAction {
description = "Deploy ALL groups of this service.";
agents = lib.unique (lib.concatLists (lib.attrValues svc.nodes));
};
} // lib.mapAttrs' (group: agents: {
name = "deployGroup-${group}";
value = mkDeployAction {
description = "Deploy the '${group}' group of this service.";
inherit agents;
};
}) svc.nodes;
}) cluster.config.services;
};
};
}
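Review bot: build failures inside the tmux panes are not propagated to the deploy step. `tmux new-session` returns when the panes exit or the user detaches, and its exit status says nothing about the `nix build` commands run in them, so the `set -e` at the top does not guard `cachix deploy activate`; a failed or still-running remote build gets activated anyway. Have each pane record its exit status (for example append it to a results file after the `nix build`) and refuse to activate unless every agent reported 0.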

View file

@ -1,4 +1,4 @@
{ lib, depot, hostName }:
{ lib, depot }:
lib.evalModules {
specialArgs = {
@ -7,15 +7,17 @@ lib.evalModules {
modules = [
# Arbitrary variables to reference across multiple services
./lib/vars
{ vars = { inherit hostName; }; }
# Cluster-level port-magic
../modules/port-magic
../tools/inject.nix
./lib/services.nix
./lib/inject-nixos-config.nix
./lib/port-magic-multi.nix
./lib/mesh.nix
./lib/secrets.nix
./lib/testing.nix
./lib/lib.nix
./import-services.nix
];

View file

@ -1,15 +0,0 @@
hostName:
{ depot, lib, ... }:
let
cluster = import ./. { inherit lib depot hostName; };
in
{
_module.args.cluster = {
inherit (cluster.config) vars;
inherit (cluster.config.vars) hosts;
inherit (cluster) config;
};
imports = cluster.config.out.injectedNixosConfig;
}

View file

@ -1,10 +1,10 @@
{ lib, ... }:
{ config, lib, ... }:
with lib;
{
options.out.injectedNixosConfig = mkOption {
description = "NixOS configuration modules to inject into the host.";
type = with types; listOf anything;
default = {};
options.out = mkOption {
description = "Output functions.";
type = with types; lazyAttrsOf (functionTo raw);
default = const [];
};
}
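Review bot: the new `default = const []` does not satisfy the new type: `lazyAttrsOf (functionTo raw)` requires an attribute set, so if `out` is ever read with no definitions the module system rejects its own default (the old `default = {}` had the mirror problem against `listOf anything`). Use `default = {};`. It has not surfaced only because `cluster/lib/services.nix` always defines `out`.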

12
cluster/lib/lib.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, ... }:
{
options.lib = {
forService = lib.mkOption {
description = "Enable these definitions for a particular service only.";
type = lib.types.functionTo lib.types.raw;
readOnly = true;
default = service: lib.mkIf (!config.simulacrum || lib.any (s: s == service) config.testConfig.activeServices);
};
};
}
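Review bot: `lib.any (s: s == service) config.testConfig.activeServices` is just `lib.elem service config.testConfig.activeServices`. Also worth a comment: the `||` short-circuit is the only thing keeping `testConfig` from being evaluated outside the Simulacrum, where it has no value (see `cluster/lib/testing.nix`), so the operand order must not be swapped.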

17
cluster/lib/mesh.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, ... }:
{
hostLinks = lib.pipe config.services [
(lib.filterAttrs (_: svc: svc.meshLinks != {}))
(lib.mapAttrsToList (svcName: svc:
lib.mapAttrsToList (groupName: links:
lib.genAttrs svc.nodes.${groupName} (hostName: lib.mapAttrs (_: cfg: { ... }: {
imports = [ cfg.link ];
ipv4 = config.vars.mesh.${hostName}.meshIp;
}) links)
) svc.meshLinks
))
(map lib.mkMerge)
lib.mkMerge
];
}

14
cluster/lib/secrets.nix Normal file
View file

@ -0,0 +1,14 @@
{ lib, ... }:
{
options.secrets = {
extraKeys = lib.mkOption {
type = with lib.types; listOf str;
description = "Additional keys with which to encrypt all secrets.";
default = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5C7mC5S2gM0K6x0L/jNwAeQYbFSzs16Q73lONUlIkL max@TITAN"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
];
};
};
}
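Review bot: two personal SSH keys are hard-coded as recipients of every cluster secret, and the description does not say what that implies. Since `cluster/catalog/secrets.nix` appends `extraKeys` to every rules file, removing or rotating either key means re-encrypting all secrets (`agenix -r`); state that in the description and put the role of each key (operator workstation, recovery key, ...) in a comment next to it so the list can be audited.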

View file

@ -1,14 +1,16 @@
vars:
{ config, lib, ... }:
{ config, lib, name, ... }:
with lib;
let
notSelf = x: x != vars.hostName;
filterGroup = builtins.filter notSelf;
filterGroup = group: hostName: builtins.filter (x: x != hostName) group;
serviceName = name;
in
{
imports = [
./services/secrets.nix
];
options = {
nodes = mkOption {
description = ''
@ -21,12 +23,12 @@ in
* X evaluators, Y smallBuilders, Z bigBuilders
etc.
'';
type = with types; attrsOf (oneOf [ str (listOf str) ]);
type = with types; lazyAttrsOf (oneOf [ str (listOf str) ]);
default = [];
};
otherNodes = mkOption {
description = "Other nodes in the group.";
type = with types; attrsOf (listOf str);
type = with types; lazyAttrsOf (functionTo (listOf str));
default = [];
};
nixos = mkOption {
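Review bot: `nodes` and `otherNodes` keep `default = []` although their types are now `lazyAttrsOf ...`; a list does not satisfy an attrset type, so a service that defines neither fails type checking on its own default. Use `default = {};` for both.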
@ -34,6 +36,36 @@ in
type = with types; attrs;
default = {};
};
meshLinks = mkOption {
description = "Create host links on the mesh network.";
type = types.attrsOf (types.attrsOf (types.submodule {
options = {
link = mkOption {
type = types.deferredModule;
default = {};
};
config.otherNodes = builtins.mapAttrs (_: filterGroup) config.nodes;
};
}));
default = {};
};
simulacrum = {
enable = mkEnableOption "testing this service in the Simulacrum";
deps = mkOption {
description = "Other services to include.";
type = with types; listOf str;
default = [];
};
settings = mkOption {
description = "NixOS test configuration.";
type = types.deferredModule;
default = {};
};
augments = mkOption {
description = "Cluster augments (will be propagated).";
type = types.deferredModule;
default = {};
};
};
};
config.otherNodes = builtins.mapAttrs (const filterGroup) config.nodes;
}
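Review bot: `filterGroup` assumes every group is a list, but `nodes` still admits a bare `str` (`oneOf [ str (listOf str) ]`), and `builtins.filter` on a string throws as soon as `otherNodes` is evaluated for such a group. Either drop `str` from the type or normalise with `lib.toList group` inside `filterGroup`.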

View file

@ -2,18 +2,48 @@
with lib;
let
getHostConfigurations = svcConfig: hostName:
getHostConfigurations = hostName: svcName: svcConfig: let
serviceConfigs =
lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
(lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
getServiceConfigurations = svcConfig: getHostConfigurations svcConfig config.vars.hostName;
secretsConfig = let
secrets = lib.filterAttrs (_: secret: lib.any (node: node == hostName) secret.nodes) svcConfig.secrets;
in {
age.secrets = lib.mapAttrs' (secretName: secretConfig: {
name = "cluster-${svcName}-${secretName}";
value = {
inherit (secretConfig) path mode owner group;
file = ../secrets/${svcName}-${secretName}${lib.optionalString (!secretConfig.shared) "-${hostName}"}.age;
};
}) secrets;
systemd.services = lib.mkMerge (lib.mapAttrsToList (secretName: secretConfig: lib.genAttrs secretConfig.services (systemdServiceName: {
restartTriggers = [ "${../secrets/${svcName}-${secretName}${lib.optionalString (!secretConfig.shared) "-${hostName}"}.age}" ];
})) secrets);
};
in serviceConfigs ++ [
secretsConfig
];
introspectionModule._module.args.cluster = {
inherit (config) vars;
inherit config;
};
in
{
options.services = mkOption {
description = "Cluster services.";
type = with types; attrsOf (submodule (import ./service-module.nix config.vars));
type = with types; attrsOf (submodule ./service-module.nix);
default = {};
};
config.out.injectedNixosConfig = lib.flatten (lib.mapAttrsToList (_: getServiceConfigurations) config.services);
config.out = {
injectNixosConfigForServices = services: hostName: (lib.flatten (lib.mapAttrsToList (getHostConfigurations hostName) (lib.getAttrs services config.services))) ++ [
introspectionModule
];
injectNixosConfig = config.out.injectNixosConfigForServices (lib.attrNames config.services);
};
}
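Review bot: the secret file path `../secrets/${svcName}-${secretName}${lib.optionalString (!secretConfig.shared) "-${hostName}"}.age` is spelled out twice, once for `age.secrets.*.file` and once for `restartTriggers`; bind it once in a `let` so the two cannot drift apart. `lib.any (node: node == hostName) secret.nodes` is `lib.elem hostName secret.nodes`.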

View file

@ -0,0 +1,57 @@
{ lib, name, ... }:
let
serviceName = name;
in
{
options.secrets = lib.mkOption {
type = lib.types.lazyAttrsOf (lib.types.submodule ({ config, name, ... }: {
options = {
shared = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether this secret should be the same on all nodes.";
};
nodes = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
generate = lib.mkOption {
type = with lib.types; nullOr (functionTo str);
description = "Command used to generate this secret.";
default = null;
};
path = lib.mkOption {
type = lib.types.path;
default = "/run/agenix/cluster-${serviceName}-${name}";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0400";
};
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
services = lib.mkOption {
type = with lib.types; listOf str;
description = "Services to restart when this secret changes.";
default = [];
};
};
}));
default = {};
};
}
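Review bot: `nodes`, `path`, `mode`, `owner` and `group` have no `description` while the other options do. `nodes` deserves one in particular: a secret left at the default `[ ]` is deployed nowhere without any warning, while the catalog still offers to generate it, encrypted only to `extraKeys`.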

15
cluster/lib/testing.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, ... }:
{
options = {
simulacrum = lib.mkOption {
description = "Whether we are in the Simulacrum.";
type = lib.types.bool;
default = false;
};
testConfig = lib.mkOption {
type = lib.types.attrs;
readOnly = true;
};
};
}
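Review bot: `testConfig` is `readOnly` with no `default`, so reading it outside the Simulacrum throws "option used but not defined"; today only the `!config.simulacrum ||` short-circuit in `cluster/lib/lib.nix` prevents that. Either give it a documented `default` or add a `description` stating that only the test driver defines it.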

16
cluster/part.nix Normal file
View file

@ -0,0 +1,16 @@
{ depot, lib, ... }:
{
imports = [
./catalog
./simulacrum/checks.nix
];
options.cluster = lib.mkOption {
type = lib.types.raw;
};
config.cluster = import ./. {
inherit depot lib;
};
}







View file

@ -0,0 +1,60 @@
{ config, pkgs, ... }:
let
lift = config;
in
{
nowhere.names = {
"acme-v02.api.letsencrypt.org" = "stepCa";
"api.buypass.com" = "stepCa";
};
nodes.nowhere = { config, ... }: {
links.stepCa.protocol = "https";
environment.etc.step-ca-password.text = "";
services = {
step-ca = {
enable = true;
address = config.links.stepCa.ipv4;
inherit (config.links.stepCa) port;
intermediatePasswordFile = "/etc/step-ca-password";
settings = {
root = "${lift.nowhere.certs.ca}/ca.pem";
crt = "${lift.nowhere.certs.intermediate}/cert.pem";
key = "${lift.nowhere.certs.intermediate}/cert-key.pem";
address = config.links.stepCa.tuple;
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority.provisioners = [
{
type = "ACME";
name = "snakeoil";
challenges = [
"dns-01"
"http-01"
];
}
];
};
};
nginx.virtualHosts = {
"acme-v02.api.letsencrypt.org".locations."/".extraConfig = ''
rewrite /directory /acme/snakeoil/directory break;
'';
"api.buypass.com".locations."/".extraConfig = ''
rewrite /acme/directory /acme/snakeoil/directory break;
'';
};
};
};
defaults.environment.etc."dummy-secrets/acmeDnsApiKey".text = "ACME_DNS_DIRECT_STATIC_KEY=simulacrum";
defaults.environment.etc."dummy-secrets/acmeDnsDirectKey".text = "ACME_DNS_DIRECT_STATIC_KEY=simulacrum";
defaults.environment.etc."dummy-secrets/acmeDnsDbCredentials".text = "PGPASSWORD=simulacrum";
}
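Review bot: the empty `step-ca-password` and the literal `simulacrum` values in `dummy-secrets` are acceptable only because this module is wired in through `simulacrum.augments` and never reaches a real host; the file reads like ordinary host configuration, so a header comment saying it is test-harness only (and that `nowhere.names` redirects the public ACME endpoints to the local step-ca) would stop it from being copied elsewhere.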

View file

@ -1,10 +1,82 @@
{ cluster, config, pkgs, ... }:
{ cluster, config, depot, lib, pkgs, ... }:
let
authoritativeServers = map
(node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
cluster.config.services.dns.nodes.authoritative;
execScript = pkgs.writeShellScript "acme-dns-exec" ''
action="$1"
subdomain="''${2%.${depot.lib.meta.domain}.}"
key="$3"
umask 77
source "$EXEC_ENV_FILE"
headersFile="$(mktemp)"
echo "X-Direct-Key: $ACME_DNS_DIRECT_STATIC_KEY" > "$headersFile"
case "$action" in
present)
for i in {1..5}; do
${pkgs.curl}/bin/curl -X POST -s -f -H "@$headersFile" \
"${cluster.config.links.acmeDnsApi.url}/update" \
--data '{"subdomain":"'"$subdomain"'","txt":"'"$key"'"}' && break
sleep 5
done
;;
esac
'';
in
{
age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; };
age.secrets.acmeDnsApiKey = {
file = ../dns/acme-dns-direct-key.age;
owner = "acme";
};
security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" ''
PDNS_API_URL=${cluster.config.links.powerdns-api.url}
PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path}
security.acme.acceptTerms = true;
security.acme.maxConcurrentRenewals = 0;
security.acme.defaults = {
email = depot.lib.meta.adminEmail;
extraLegoFlags = lib.flatten [
(map (x: [ "--dns.resolvers" x ]) authoritativeServers)
"--dns-timeout" "30"
];
credentialsFile = pkgs.writeText "acme-exec-config" ''
EXEC_PATH=${execScript}
EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
'';
};
systemd.services = lib.mapAttrs' (name: value: {
name = "acme-${name}";
value = {
distributed.enable = value.dnsProvider != null;
preStart = let
serverList = lib.pipe authoritativeServers [
(map (x: "@${x}"))
(map (lib.replaceStrings [":53"] [""]))
lib.escapeShellArgs
];
domainList = lib.pipe ([ value.domain ] ++ value.extraDomainNames) [
(map (x: "${x}."))
(map (lib.replaceStrings ["*"] ["x"]))
lib.unique
lib.escapeShellArgs
];
in ''
echo Testing availability of authoritative DNS servers
for i in {1..60}; do
${pkgs.dig}/bin/dig +short ${serverList} ${domainList} >/dev/null && break
echo Retry [$i/60]
sleep 10
done
echo Available
'';
serviceConfig = {
Restart = "on-failure";
RestartMaxDelaySec = 30;
RestartSteps = 5;
RestartMode = "direct";
};
};
}) config.security.acme.certs;
}
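Review bot: `execScript` never deletes `$headersFile`, so every `present` call leaves a 0600 copy of `ACME_DNS_DIRECT_STATIC_KEY` in `/tmp` for the lifetime of the host; add `trap 'rm -f "$headersFile"' EXIT` right after the `mktemp`. The `case` also handles only `present`, so lego's `cleanup` call is a silent no-op and validation TXT records accumulate in the zone; either implement `cleanup` or comment why they are left in place.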

View file

@ -1,6 +1,7 @@
{
services.acme-client = {
nodes.client = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
nodes.client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
nixos.client = ./client.nix;
simulacrum.augments = ./augment.nix;
};
}


View file

@ -1,13 +1,16 @@
{ config, tools, ... }:
with tools.nginx;
let
addrSplit' = builtins.split ":" config.services.minio.listenAddress;
addrSplit = builtins.filter builtins.isString addrSplit';
host' = builtins.head addrSplit;
host = if host' == "" then "127.0.0.1" else host';
port = builtins.head (builtins.tail addrSplit);
in
{ config, cluster, depot, lib, ... }:
with depot.lib.nginx;
{
links = {
atticNixStoreInternalRedirect.protocol = "http";
garageNixStoreInternalRedirect.protocol = "http";
};
security.acme.certs."cache.${depot.lib.meta.domain}" = {
dnsProvider = "exec";
webroot = lib.mkForce null;
};
services.nginx.upstreams = {
nar-serve.extraConfig = ''
random;
@ -15,25 +18,25 @@ in
server ${config.links.nar-serve-nixos-org.tuple} fail_timeout=0;
'';
nix-store.servers = {
"${config.links.atticServer.tuple}" = {
"${config.links.garageNixStoreInternalRedirect.tuple}" = {
fail_timeout = 0;
};
"${host}:${port}" = {
"${config.links.atticNixStoreInternalRedirect.tuple}" = {
fail_timeout = 0;
backup = true;
};
};
};
services.nginx.appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
'';
services.nginx.virtualHosts."cache.${tools.meta.domain}" = vhosts.basic // {
services.nginx.virtualHosts = {
"cache.${depot.lib.meta.domain}" = vhosts.basic // {
locations = {
"= /".return = "302 /404";
"/" = {
proxyPass = "http://nix-store/nix-store$request_uri";
proxyPass = "http://nix-store";
extraConfig = ''
proxy_next_upstream error http_500 http_404;
proxy_next_upstream error http_500 http_502 http_404;
'';
};
"/nix/store" = {
@ -51,4 +54,37 @@ in
proxy_cache_valid 200 24h;
'';
};
"garage-nix-store.internal.${depot.lib.meta.domain}" = {
serverName = "127.0.0.1";
listen = [
{
addr = "127.0.0.1";
inherit (config.links.garageNixStoreInternalRedirect) port;
}
];
locations."/" = {
proxyPass = with cluster.config.links.garageWeb; "${protocol}://nix-store.${hostname}";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host "nix-store.${cluster.config.links.garageWeb.hostname}";
'';
};
};
"attic-nix-store.internal.${depot.lib.meta.domain}" = {
serverName = "127.0.0.1";
listen = [
{
addr = "127.0.0.1";
inherit (config.links.atticNixStoreInternalRedirect) port;
}
];
locations."/" = {
proxyPass = "https://cache-api.${depot.lib.meta.domain}/nix-store$request_uri";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host "cache-api.${depot.lib.meta.domain}";
'';
};
};
};
}
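Review bot: the `attic-nix-store.internal` redirect proxies to `https://cache-api.${depot.lib.meta.domain}` with `recommendedProxySettings = false` and only a `Host` header set, so nginx defaults apply: `proxy_ssl_verify off` and `proxy_ssl_server_name off`. The upstream is neither authenticated nor sent SNI; add `proxy_ssl_server_name on;` and `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate` to that `extraConfig`. The two internal vhosts also differ only in upstream and port; a small helper would keep them in sync.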

View file

@ -1,14 +1,60 @@
{ config, depot, ... }:
{
services.attic = {
nodes = {
server = [ "VEGAS" ];
monolith = [ "VEGAS" "prophet" ];
server = [ "VEGAS" "grail" "prophet" ];
};
nixos = {
monolith = [
./server.nix
];
server = [
./server.nix
./binary-cache.nix
./nar-serve.nix
];
};
meshLinks.server.attic.link.protocol = "http";
secrets = let
inherit (config.services.attic) nodes;
in {
serverToken = {
nodes = nodes.server;
};
dbCredentials = {
nodes = nodes.server;
owner = "atticd";
};
};
};
garage = config.lib.forService "attic" {
keys.attic.locksmith = {
nodes = config.services.attic.nodes.server;
owner = "atticd";
format = "aws";
};
buckets.attic = {
allow.attic = [ "read" "write" ];
};
};
dns.records = let
serverAddrs = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.attic.nodes.server;
in config.lib.forService "attic" {
cache.target = serverAddrs;
};
ways = config.lib.forService "attic" {
cache-api = {
consulService = "atticd";
extras.extraConfig = ''
client_max_body_size 4G;
'';
};
};
}
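Review bot: neither `serverToken` nor `dbCredentials` sets `services = [ "atticd" ]`, so the `restartTriggers` that `cluster/lib/services.nix` derives from that list are never emitted, and rotating either secret leaves a running `atticd` on the old value until something else restarts it.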

View file

@ -1,4 +1,4 @@
{ config, depot, tools, ... }:
{ config, depot, ... }:
let
mkNarServe = NAR_CACHE_URL: PORT: {
@ -17,6 +17,6 @@
nar-serve-nixos-org.protocol = "http";
};
systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.links.nar-serve-self.portStr;
systemd.services.nar-serve-self = mkNarServe "https://cache.${depot.lib.meta.domain}" config.links.nar-serve-self.portStr;
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
}

View file

@ -1,38 +1,47 @@
{ config, depot, lib, tools, ... }:
{ cluster, config, depot, lib, ... }:
let
dataDir = "/srv/storage/private/attic";
inherit (cluster.config.services.attic) secrets;
link = cluster.config.hostLinks.${config.networking.hostName}.attic;
isMonolith = lib.elem config.networking.hostName cluster.config.services.attic.nodes.monolith;
in
{
imports = [
depot.inputs.attic.nixosModules.atticd
];
age.secrets.atticServerToken.file = ./attic-server-token.age;
links.atticServer.protocol = "http";
services.locksmith.waitForSecrets.atticd = [ "garage-attic" ];
services.atticd = {
enable = true;
package = depot.inputs.attic.packages.attic-server;
credentialsFile = config.age.secrets.atticServerToken.path;
environmentFile = secrets.serverToken.path;
mode = if isMonolith then "monolithic" else "api-server";
settings = {
listen = config.links.atticServer.tuple;
listen = link.tuple;
chunking = {
nar-size-threshold = 512 * 1024;
min-size = 64 * 1024;
avg-size = 512 * 1024;
max-size = 1024 * 1024;
nar-size-threshold = 0;
min-size = 0;
avg-size = 0;
max-size = 0;
};
database.url = "sqlite://${dataDir}/server.db?mode=rwc";
compression.type = "none";
database.url = "postgresql://attic@${cluster.config.links.patroni-pg-access.tuple}/attic";
storage = {
type = "local";
path = "${dataDir}/chunks";
type = "s3";
region = "us-east-1";
endpoint = cluster.config.links.garageS3.url;
bucket = "attic";
};
garbage-collection = {
interval = "2 weeks";
default-retention-period = "3 months";
};
};
};
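Review bot: all four `chunking` values are set to 0, which turns chunk-based deduplication off and stores each NAR as a single object, and `compression.type = "none"` removes compression on top; that is a deliberate trade-off the diff does not explain. Add a comment on the intent (for example whether garage is expected to handle it) so a later reader does not "fix" it back.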
@ -41,20 +50,44 @@ in
users.atticd = {
isSystemUser = true;
group = "atticd";
home = dataDir;
home = "/var/lib/atticd";
createHome = true;
};
groups.atticd = {};
};
systemd.services.atticd.serviceConfig = {
systemd.services.atticd = {
after = [ "postgresql.service" ];
distributed = lib.mkIf isMonolith {
enable = true;
registerService = "atticd";
};
serviceConfig = {
DynamicUser = lib.mkForce false;
ReadWritePaths = [ dataDir ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
SystemCallFilter = lib.mkAfter [ "@resources" ];
};
environment = {
AWS_SHARED_CREDENTIALS_FILE = "/run/locksmith/garage-attic";
PGPASSFILE = secrets.dbCredentials.path;
};
};
services.nginx.virtualHosts."cache-api.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.atticServer.url // {
extraConfig = ''
client_max_body_size 4G;
'';
consul.services.atticd = {
mode = if isMonolith then "manual" else "direct";
definition = {
name = "atticd";
id = "atticd-${config.services.atticd.mode}";
address = link.ipv4;
inherit (link) port;
checks = [
{
name = "Attic Server";
id = "service:atticd:backend";
interval = "5s";
http = link.url;
}
];
};
};
}
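Review bot: `ReadWritePaths = [ dataDir ];` only evaluates if `dataDir` still exists, and the let block in the previous hunk replaces `dataDir = "/srv/storage/private/attic";` with `inherit (cluster.config.services.attic) secrets;`, so this line has to be on the removed side of the hunk (with `home = "/var/lib/atticd"` and `createHome = true` the unit no longer needs it). Also: `after = [ "postgresql.service" ]` orders against a local unit while the database now lives behind the remote `patroni-pg-access` link, so the ordering is a no-op on any node without its own PostgreSQL; the deleted nginx vhost carried `client_max_body_size 4G;`, and whatever now fronts `cache-api` needs the same override or large NAR uploads fail at the proxy; and since `DynamicUser = lib.mkForce false` leaves the unit running as the static `atticd` user, both `/run/locksmith/garage-attic` and `secrets.dbCredentials.path` must be readable by that user and by nobody else.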

View file

@ -0,0 +1,10 @@
{ depot, ... }:
{
services.bitwarden = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}

View file

@ -1,5 +1,5 @@
{ config, lib, tools, ... }:
with tools.nginx;
{ config, lib, depot, ... }:
with depot.lib.nginx;
{
links.bitwarden.protocol = "http";

View file

@ -1,10 +1,9 @@
{ config, ... }:
{ cluster, depot, ... }:
{
age.secrets.cachixDeployToken.file = ./credentials/${config.networking.hostName}.age;
services.cachix-agent = {
enable = true;
credentialsFile = config.age.secrets.cachixDeployToken.path;
credentialsFile = cluster.config.services.cachix-deploy-agent.secrets.token.path;
package = depot.packages.cachix;
};
}

View file

@ -1,6 +1,10 @@
{
services.cachix-deploy-agent = {
nodes.agent = [ "checkmate" "prophet" "VEGAS" "thunderskin" ];
services.cachix-deploy-agent = { config, ... }: {
nodes.agent = [ "checkmate" "grail" "prophet" "VEGAS" "thunderskin" ];
nixos.agent = ./agent.nix;
secrets.token = {
nodes = config.nodes.agent;
shared = false;
};
};
}

View file

@ -0,0 +1,12 @@
{ depot, ... }:
{
dns.records = let
cdnShieldAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
in {
"fonts-googleapis-com.cdn-shield".target = cdnShieldAddr;
"fonts-gstatic-com.cdn-shield".target = cdnShieldAddr;
"cdnjs-cloudflare-com.cdn-shield".target = cdnShieldAddr;
"wttr-in.cdn-shield".target = cdnShieldAddr;
};
}

View file

@ -1,7 +1,7 @@
{
services.certificates = {
nodes = {
internal-wildcard = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
internal-wildcard = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
};
nixos = {
internal-wildcard = [

View file

@ -1,7 +1,7 @@
{ config, lib, pkgs, tools, ... }:
{ config, lib, pkgs, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
extraGroups = [ "nginx" ]
++ lib.optional config.services.kanidm.enableServer "kanidm";
@ -11,12 +11,12 @@ in
security.acme.certs."internal.${domain}" = {
domain = "*.internal.${domain}";
extraDomainNames = [ "*.internal.${domain}" ];
dnsProvider = "pdns";
dnsProvider = "exec";
group = "nginx";
postRun = ''
${pkgs.acl}/bin/setfacl -Rb out/
${pkgs.acl}/bin/setfacl -Rb .
${lib.concatStringsSep "\n" (
map (group: "${pkgs.acl}/bin/setfacl -Rm g:${group}:rX out/") extraGroups
map (group: "${pkgs.acl}/bin/setfacl -Rm g:${group}:rX .") extraGroups
)}
'';
};
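Review bot: `dnsProvider = "exec"` hands the DNS-01 challenge to whatever lego finds in `EXEC_PATH`, and nothing in this hunk sets that variable or the credentials the script needs, so this only works if the shared ACME defaults (not in view) provide them; a comment pointing there would help. The switch from `out/` to `.` in `postRun` changes which directory the ACLs land on, so double-check the working directory the current NixOS ACME module uses for `postRun` before merging, because `setfacl -Rm g:${group}:rX .` on the wrong directory silently grants nginx and kanidm nothing. Pre-existing but visible here: `domain = "*.internal.${domain}"` and `extraDomainNames = [ "*.internal.${domain}" ]` request the same name twice.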

View file

@ -0,0 +1,11 @@
{ config, ... }:
{
services.chant = {
nodes.listener = config.services.consul.nodes.agent;
nixos.listener = [
./listener.nix
];
simulacrum.deps = [ "consul" ];
};
}

View file

@ -0,0 +1,82 @@
{ config, lib, pkgs, ... }:
let
consul = config.links.consulAgent;
validTargets = lib.pipe config.systemd.services [
(lib.filterAttrs (name: value: value.chant.enable))
lib.attrNames
];
validTargetsJson = pkgs.writeText "chant-targets.json" (builtins.toJSON validTargets);
eventHandler = pkgs.writers.writePython3 "chant-listener-event-handler" {
flakeIgnore = [ "E501" ];
} ''
import json
import sys
import os
import subprocess
import base64
validTargets = set()
with open("${validTargetsJson}", "r") as f:
validTargets = set(json.load(f))
events = json.load(sys.stdin)
cacheDir = os.getenv("CACHE_DIRECTORY", "/var/cache/chant")
indexFile = f"{cacheDir}/index"
oldIndex = "old-index"
if os.path.isfile(indexFile):
with open(indexFile, "r") as f:
oldIndex = f.readline()
newIndex = os.getenv("CONSUL_INDEX", "no-index")
if oldIndex != newIndex:
triggers = set()
for event in events:
if event["Name"].startswith("chant:"):
target = event["Name"].removeprefix("chant:")
if target not in validTargets:
print(f"Skipping invalid target: {target}")
continue
with open(f"/run/chant/{target}", "wb") as f:
if event["Payload"] is not None:
f.write(base64.b64decode(event["Payload"]))
triggers.add(target)
for trigger in triggers:
subprocess.run(["${config.systemd.package}/bin/systemctl", "start", f"{trigger}.service"])
with open(indexFile, "w") as f:
f.write(newIndex)
'';
in
{
systemd.services.chant-listener = {
description = "Chant Listener";
wantedBy = [ "multi-user.target" ];
requires = [ "consul-ready.service" ];
after = [ "consul-ready.service" ];
serviceConfig = {
ExecStart = "${config.services.consul.package}/bin/consul watch --type=event ${eventHandler}";
RuntimeDirectory = "chant";
RuntimeDirectoryMode = "0700";
CacheDirectory = "chant";
CacheDirectoryMode = "0700";
RestartSec = 60;
Restart = "always";
IPAddressDeny = [ "any" ];
IPAddressAllow = [ consul.ipv4 ];
};
environment = {
CONSUL_HTTP_ADDR = consul.tuple;
};
};
}
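Review bot: the handler runs as root (there is no `User=` on `chant-listener`, and it has to call `systemctl start`), so the allowlist built from `value.chant.enable` is the only thing between a Consul event write and a unit start on every agent node; document that boundary and pin down the Consul ACL for `chant:*` events in the service definition, because the payload is also written verbatim to `/run/chant/{target}` before the unit starts. Check as well that target services can read that file: `RuntimeDirectoryMode = "0700"` on a root-owned `/run/chant` means a target unit running as another user gets EACCES. Minor: `subprocess.run([... "systemctl", "start", f"{trigger}.service"])` discards the exit status, so a failed start is neither logged nor retried, and `indexFile` is advanced regardless.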

View file

@ -1,7 +1,7 @@
{ config, cluster, lib, tools, ... }:
{ config, cluster, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (config.networking) hostName;
inherit (cluster.config) hostLinks;
cfg = cluster.config.services.consul;
@ -10,9 +10,12 @@ let
in
{
links.consulAgent.protocol = "http";
services.consul = {
enable = true;
webUi = true;
package = depot.packages.consul;
extraConfig = {
datacenter = "eu-central";
domain = "sd-magic.${domain}.";
@ -21,12 +24,16 @@ in
node_name = config.networking.hostName;
bind_addr = hl.ipv4;
ports.serf_lan = hl.port;
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) cfg.otherNodes.agent;
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);
bootstrap_expect = builtins.length cfg.nodes.agent;
addresses.http = config.links.consulAgent.ipv4;
ports.http = config.links.consulAgent.port;
};
};
services.grafana-agent.settings.integrations.consul_exporter = {
enabled = true;
instance = hostName;
server = config.links.consulAgent.url;
};
}
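Review bot: `bootstrap_expect = builtins.length cfg.nodes.agent` now evaluates to 5 with `grail` in the agent list, so a fresh bootstrap (and the simulacrum test) waits for all five servers before electing a leader; that is the right value for a five-node server set, but every "agent" here is in fact a server and the config or a comment should say so. No `acl` block is visible in `extraConfig`, and both the new `consul_exporter` integration and the chant event handler talk to the HTTP API on `consulAgent`; if ACLs are configured elsewhere, fine, otherwise anything that can reach that address can fire events and read the catalog.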

View file

@ -11,10 +11,23 @@ in
};
});
services.consul = {
nodes.agent = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
nixos.agent = [
nodes = {
agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
ready = config.services.consul.nodes.agent;
};
nixos = {
agent = [
./agent.nix
./remote-api.nix
];
ready = ./ready.nix;
};
simulacrum = {
enable = true;
deps = [ "wireguard" ];
settings = ./test.nix;
};
};
dns.records."consul-remote.internal".consulService = "consul-remote";
}

View file

@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
let
consulReady = pkgs.writers.writeHaskellBin "consul-ready" {
libraries = with pkgs.haskellPackages; [ aeson http-conduit watchdog ];
} ''
{-# LANGUAGE OverloadedStrings #-}
import Control.Watchdog
import Control.Exception
import System.IO
import Network.HTTP.Simple
import Data.Aeson
flushLogger :: WatchdogLogger String
flushLogger taskErr delay = do
defaultLogger taskErr delay
hFlush stdout
data ConsulHealth = ConsulHealth {
healthy :: Bool
}
instance FromJSON ConsulHealth where
parseJSON (Object v) = ConsulHealth <$> (v .: "Healthy")
handleException ex = case ex of
(SomeException _) -> return $ Left "Consul is not active"
main :: IO ()
main = watchdog $ do
setInitialDelay 300_000
setMaximumDelay 30_000_000
setLoggingAction flushLogger
watch $ handle handleException $ do
res <- httpJSON "${config.links.consulAgent.url}/v1/operator/autopilot/health"
case getResponseBody res of
ConsulHealth True -> return $ Right ()
ConsulHealth False -> return $ Left "Consul is unhealthy"
'';
in
{
systemd.services.consul-ready = {
description = "Wait for Consul";
requires = lib.mkIf config.services.consul.enable [ "consul.service" ];
after = lib.mkIf config.services.consul.enable [ "consul.service" ];
serviceConfig = {
ExecStart = lib.getExe consulReady;
DynamicUser = true;
TimeoutStartSec = "5m";
Type = "oneshot";
};
};
}
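Review bot: `handleException` collapses every failure into the constant "Consul is not active", so an ACL denial on `/v1/operator/autopilot/health` (which needs `operator:read`) or a changed JSON shape is indistinguishable from the agent not having started yet, and the unit just spins until `TimeoutStartSec = "5m"`; log the exception text, e.g. `return $ Left (show ex)`, instead of a fixed string. The `FromJSON ConsulHealth` instance only matches `Object`, so a non-object body hits an incomplete-pattern error that is swallowed by the same catch-all, which hides the second failure mode behind the first.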

View file

@ -1,14 +1,15 @@
{ config, cluster, depot, lib, tools, ... }:
{ config, depot, lib, ... }:
let
inherit (tools.meta) domain;
inherit (depot.reflection) hyprspace;
inherit (depot.lib.meta) domain;
frontendDomain = "consul-remote.internal.${domain}";
inherit (config.reflection.interfaces.vstub) addr;
in
{
services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
listenAddresses = lib.singleton hyprspace.addr;
services.nginx.virtualHosts.${frontendDomain} = depot.lib.nginx.vhosts.proxy config.links.consulAgent.url // {
listenAddresses = lib.singleton addr;
enableACME = false;
useACMEHost = "internal.${domain}";
};
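Review bot: `inherit (config.reflection.interfaces.vstub) addr;` fails evaluation on any agent node without a `vstub` interface, and `remote-api.nix` is applied to every node in `nixos.agent`; the coredns change in this same diff guards the same access with `interfaces ? vstub`, so either do the same here or state that vstub is mandatory for agents. The vhost proxies the full Consul HTTP API to `config.links.consulAgent.url` with only the internal wildcard certificate in front of it and no caller restriction visible in the hunk; say in a comment what limits access (the vstub network, Consul ACL tokens, or both).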
@ -18,13 +19,13 @@ in
mode = "external";
definition = {
name = "consul-remote";
address = hyprspace.addr;
address = addr;
port = 443;
checks = [
{
name = "Frontend";
id = "service:consul-remote:frontend";
http = "https://${hyprspace.addr}/v1/status/leader";
http = "https://${addr}/v1/status/leader";
tls_server_name = frontendDomain;
header.Host = lib.singleton frontendDomain;
interval = "60s";
@ -32,7 +33,7 @@ in
{
name = "Backend";
id = "service:consul-remote:backend";
http = "http://127.0.0.1:8500/v1/status/leader";
http = "${config.links.consulAgent.url}/v1/status/leader";
interval = "30s";
}
];

View file

@ -0,0 +1,24 @@
{ lib, ... }:
{
defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };
testScript = ''
import json
start_all()
with subtest("should form cluster"):
nodes = [ n for n in machines if n != nowhere ]
for machine in nodes:
machine.succeed("systemctl start consul-ready.service")
for machine in nodes:
consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
addr = consulConfig["addresses"]["http"]
port = consulConfig["ports"]["http"]
setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
memberList = machine.succeed(f"{setEnv} consul members --status=alive")
for machine2 in nodes:
assert machine2.name in memberList
'';
}

View file

@ -0,0 +1,7 @@
{
garage = {
buckets.content-delivery.web.enable = true;
};
ways.cdn.bucket = "content-delivery";
}

View file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A 9n5IirzhNBIPRj9Gir+/yQhFH830sgfezsqY5Ulzz3o
VItDDdgfTFcvSq/QpIqTHnfr1VHqfI6nPz+WWKYQjHw
-> ssh-ed25519 5/zT0w MfBZrd8wJjoProwdPqsS9CZ9aYNTXgrYviFDwuchQVM
8WKPYO+i1ZSkPYDrHVJ5Pclj2hEzqwAtf31Agzei444
-> ssh-ed25519 TCgorQ 3QYtSx/2eiFp54W60F8FlERfHx+DUfnXXfugiXNPECg
pBx3If3qihD//Aq8hDWCt+U1tiWoCLUDcg/RyVCD0D0
-> ssh-ed25519 P/nEqQ NImm+vKuL50G2kdD2svmfkwsovmryCSyKyhnZ0duDDo
U0PTKHiCj4SxomnJdgubo+3sStSE+YwvCnrRl7aAS1Q
-> ssh-ed25519 FfIUuQ SRgJoBIoW71SiXuHqlnGqRG5AKUrnQy0ecwznGEGTHA
a0IS3hjMln1tWEjo30A6gYtaV7TJSY4SZDarhahMoLk
-> ssh-ed25519 d3WGuA 0qVNcrYe53Wo46zFJs6UZtX0dq7TUy72WGdGpLqB3yo
jTHE9PfhRw5lbBlfznS+ThkSsab3ioearf91xyPBfdQ
-> ssh-ed25519 YIaSKQ CCcBlAOms2aSkB6pws6tN+4Gf551idI9Zq0rokd0P1c
/3oFp6hf+jggurbcuu0cXdDL8lr6m/LTHEeNgiJt2gg
-> K&wn-grease ,Ewz Jc+dQQRp NU~.
FvDOuTGNaLuCfDelsrRbthjuJT9fBZAQ+kz+7Stoc2wciXV1YpCcOYDHSF38OwRF
X/pyjVudbJKS0Mphda6phw
--- 3JFwCzeJsIgRkTpmy9MAvQ64BCZoa98kNKOuT57WI6Y
O¿¹¸p ž-ÚP¶.+"<22>ðjÔG«
ëÇÐs<>gnz[t ‘ØóÄD÷•RŽÄ½±šmÃl<!Çê6;³Ù÷<C399>†8{ vmvJJ;lR<6C>×[Yà3˜XPËÜ<C38B>ÈPCÿè¯&¦àåYû×2ÃǤxVúÈF{zäQh nW*I$é;°Yc¨@7Ö-k4—À§xãͶx¿µ% <52>¤$z|»Ê“ñœ¹¯<C2B9>ëñ3

View file

@ -1,109 +0,0 @@
{ cluster, config, lib, pkgs, tools, ... }:
let
inherit (tools.meta) domain;
inherit (config.links) pdnsAdmin;
inherit (cluster.config) vars;
pdns-api = cluster.config.links.powerdns-api;
dataDirUI = "/srv/storage/private/powerdns-admin";
translateConfig = withQuotes: cfg: let
pythonValue = val: if lib.isString val then "'${val}'"
else if lib.isAttrs val && val ? file then "[(f.read().strip('\\n'), f.close()) for f in [open('${val.file}')]][0][0]"
else if lib.isAttrs val && val ? env then "__import__('os').getenv('${val.env}')"
else if lib.isBool val then (if val then "True" else "False")
else if lib.isInt val then toString val
else throw "translateConfig: unsupported value type";
quote = str: if withQuotes then pythonValue str else str;
configList = lib.mapAttrsToList (n: v: "${n}=${quote v}") cfg;
in lib.concatStringsSep "\n" configList;
in {
age.secrets = {
pdns-admin-oidc-secrets = {
file = ./pdns-admin-oidc-secrets.age;
mode = "0400";
};
pdns-admin-salt = {
file = ./pdns-admin-salt.age;
mode = "0400";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
pdns-admin-secret = {
file = ./pdns-admin-secret.age;
mode = "0400";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
pdns-api-key = vars.pdns-api-key-secret // { owner = "powerdnsadmin"; };
};
links.pdnsAdmin.protocol = "http";
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
systemd.tmpfiles.rules = [
"d '${dataDirUI}' 0700 powerdnsadmin powerdnsadmin - -"
];
services.powerdns = {
enable = true;
extraConfig = translateConfig false {
api = "yes";
webserver-allow-from = "127.0.0.1, ${vars.meshNet.cidr}";
webserver-address = pdns-api.ipv4;
webserver-port = pdns-api.portStr;
api-key = "$scrypt$ln=14,p=1,r=8$ZRgztsniH1y+F7P/RkXq/w==$QTil5kbJPzygpeQRI2jgo5vK6fGol9YS/NVR95cmWRs=";
};
};
services.powerdns-admin = {
enable = true;
secretKeyFile = config.age.secrets.pdns-admin-secret.path;
saltFile = config.age.secrets.pdns-admin-salt.path;
extraArgs = [ "-b" pdnsAdmin.tuple ];
config = translateConfig true {
SQLALCHEMY_DATABASE_URI = "sqlite:///${dataDirUI}/pda.db";
PDNS_VERSION = pkgs.pdns.version;
PDNS_API_URL = pdns-api.url;
PDNS_API_KEY.file = config.age.secrets.pdns-api-key.path;
SIGNUP_ENABLED = false;
OIDC_OAUTH_ENABLED = true;
OIDC_OAUTH_KEY = "net.privatevoid.dnsadmin1";
OIDC_OAUTH_SECRET.env = "OIDC_OAUTH_SECRET";
OIDC_OAUTH_SCOPE = "openid profile email roles";
OIDC_OAUTH_METADATA_URL = "https://login.${domain}/auth/realms/master/.well-known/openid-configuration";
};
};
systemd.services.powerdns-admin.serviceConfig = {
BindPaths = [
dataDirUI
config.age.secrets.pdns-api-key.path
];
TimeoutStartSec = "300s";
EnvironmentFile = config.age.secrets.pdns-admin-oidc-secrets.path;
};
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
(tools.nginx.vhosts.proxy pdnsAdmin.url)
# backend sends really big headers for some reason
# increase buffer size accordingly
{
locations."/".extraConfig = ''
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
'';
};
}
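Review bot: removing `admin.nix` together with the `pdns-admin-*.age` secrets later in this diff leaves the OIDC client `net.privatevoid.dnsadmin1` at `login.${domain}` and the PowerDNS API key behind the `$scrypt$...` hash with no consumer; disable or delete the client in the IdP and treat the old API key and OIDC secret as retired rather than just dropping the encrypted blobs, since those stay in history. Check too that the `dnsadmin.${domain}` vhost disappears with this file and that `vars.pdns-api-key-secret`, removed from `default.nix` in this diff, has no remaining reference.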

View file

@ -1,30 +1,50 @@
{ cluster, config, depot, lib, tools, ... }:
{ cluster, config, depot, lib, pkgs, ... }:
let
inherit (depot.reflection) interfaces;
inherit (tools.meta) domain;
inherit (config.reflection) interfaces;
inherit (depot.lib.meta) domain;
inherit (config.networking) hostName;
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
patroni = cluster.config.links.patroni-pg-access;
inherit (cluster.config.hostLinks.${hostName}) acmeDnsApi;
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; master ++ slave) [
otherDnsServers = lib.pipe (cluster.config.services.dns.otherNodes.authoritative hostName) [
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
(lib.concatStringsSep " ")
];
translateConfig = cfg: let
configList = lib.mapAttrsToList (n: v: "${n}=${v}") cfg;
in lib.concatStringsSep "\n" configList;
recordsList = lib.mapAttrsToList (lib.const lib.id) cluster.config.dns.records;
recordsPartitioned = lib.partition (record: record.rewrite.target == null) recordsList;
staticRecords = let
escape = type: {
TXT = builtins.toJSON;
}.${type} or lib.id;
recordName = record: {
"@" = "${record.root}.";
}.${record.name} or "${record.name}.${record.root}.";
in lib.flatten (
map (record: map (target: "${recordName record} ${record.type} ${escape record.type target}") record.target) recordsPartitioned.right
);
rewrites = map (record: let
maybeEscapeRegex = str: if record.rewrite.type == "regex" then "${lib.escapeRegex str}$" else str;
in "rewrite stop name ${record.rewrite.type} ${record.name}${maybeEscapeRegex ".${record.root}."} ${record.rewrite.target}. answer auto") recordsPartitioned.wrong;
rewriteConf = pkgs.writeText "coredns-rewrites.conf" ''
rewrite stop type DS DS
rewrite stop type NS NS
rewrite stop type SOA SOA
${lib.concatStringsSep "\n" rewrites}
'';
in {
links.localAuthoritativeDNS = {};
age.secrets = {
pdns-db-credentials = {
file = ./pdns-db-credentials.age;
mode = "0400";
owner = "pdns";
group = "pdns";
acmeDnsDirectKey = {
file = ./acme-dns-direct-key.age;
};
};
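Review bot: the `regex` branch of `maybeEscapeRegex` anchors the root with `$` but puts `${record.name}` into the pattern unescaped and without a leading `^`, so a regex-type record's name matches wherever CoreDNS applies the pattern; check whether the rewrite plugin anchors regex names and add `^` if it does not, otherwise a short name rewrites unrelated queries. `escape` for TXT uses `builtins.toJSON`, which yields JSON string escaping rather than the zone-file quoting acme-dns expects for backslashes and non-ASCII; fine for plain SPF/DMARC strings, but note the limit next to the helper.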
@ -33,22 +53,36 @@ in {
allowedUDPPorts = [ 53 ];
};
services.powerdns = {
services.acme-dns = {
enable = true;
extraConfig = translateConfig {
launch = "gpgsql";
local-address = config.links.localAuthoritativeDNS.tuple;
gpgsql-host = patroni.ipv4;
gpgsql-port = patroni.portStr;
gpgsql-dbname = "powerdns";
gpgsql-user = "powerdns";
gpgsql-extra-connection-parameters = "passfile=${config.age.secrets.pdns-db-credentials.path}";
version-string = "Private Void DNS";
enable-lua-records = "yes";
expand-alias = "yes";
resolver = "127.0.0.1:8600";
package = depot.packages.acme-dns;
settings = {
general = {
listen = config.links.localAuthoritativeDNS.tuple;
inherit domain;
nsadmin = "hostmaster.${domain}";
nsname = "eu1.ns.${domain}";
records = staticRecords;
};
api = {
ip = acmeDnsApi.ipv4;
inherit (acmeDnsApi) port;
};
database = {
engine = "postgres";
connection = "postgres://acmedns@${patroni.tuple}/acmedns?sslmode=disable";
};
};
};
services.locksmith.waitForSecrets.acme-dns = [
"patroni-acmedns"
];
systemd.services.acme-dns.serviceConfig.EnvironmentFile = with config.age.secrets; [
"/run/locksmith/patroni-acmedns"
acmeDnsDirectKey.path
];
services.coredns = {
enable = true;
@ -60,10 +94,14 @@ in {
success 4000 86400
denial 0
prefetch 3
serve_stale 86400s
serve_stale 86400s verify
}
template ANY DS {
rcode NXDOMAIN
}
forward service.eu-central.sd-magic.${domain} 127.0.0.1:8600
forward addr.eu-central.sd-magic.${domain} 127.0.0.1:8600
import ${rewriteConf}
forward . ${config.links.localAuthoritativeDNS.tuple} ${otherDnsServers} {
policy sequential
}
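Review bot: `template ANY DS { rcode NXDOMAIN }` answers every DS query with NXDOMAIN, including for names that do exist with A or TXT records; NXDOMAIN asserts that the name and everything below it does not exist (RFC 8020 resolvers cache exactly that), so a resolver that asks for `sub.${domain} DS` first can then treat `sub.${domain}` and its children as nonexistent. The intent is clearly "no DS here"; return an empty NOERROR (NODATA) instead, i.e. drop the `rcode NXDOMAIN` line or set `rcode NOERROR`, and keep the `rewrite stop type DS DS` passthrough so the rewrites leave it alone.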
@ -72,11 +110,17 @@ in {
};
systemd.services.coredns = {
after = [ "pdns.service" ];
after = [ "acme-dns.service" ];
serviceConfig = {
MemoryMax = "200M";
MemorySwapMax = "50M";
CPUQuota = "25%";
};
};
consul.services.pdns = {
mode = "external";
consul.services = {
authoritative-dns = {
unit = "acme-dns";
definition = {
name = "authoritative-dns-backend";
address = config.links.localAuthoritativeDNS.ipv4;
@ -87,4 +131,14 @@ in {
};
};
};
acme-dns.definition = {
name = "acme-dns";
address = acmeDnsApi.ipv4;
port = acmeDnsApi.port;
checks = lib.singleton {
interval = "60s";
http = "${acmeDnsApi.url}/health";
};
};
};
}

View file

@ -1,23 +1,21 @@
{ cluster, config, depot, lib, pkgs, tools, ... }:
{ cluster, config, depot, lib, ... }:
let
inherit (depot.reflection) interfaces hyprspace;
inherit (tools.meta) domain;
inherit (config.links) localRecursor;
inherit (config.reflection) interfaces;
inherit (depot.lib.meta) domain;
inherit (config.networking) hostName;
link = cluster.config.hostLinks.${hostName}.dnsResolver;
backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns) [
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
(map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
(lib.concatStringsSep " ")
];
authoritativeServers = lib.pipe (with cluster.config.services.dns.nodes; master ++ slave) [
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
(lib.concatStringsSep ";")
];
authoritativeServers = map
(node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
cluster.config.services.dns.nodes.authoritative;
inherit (depot.packages) stevenblack-hosts;
dot = config.security.acme.certs."securedns.${domain}";
@ -37,14 +35,17 @@ in
];
before = [ "acme-securedns.${domain}.service" ];
wants = [ "acme-finished-securedns.${domain}.target" ];
serviceConfig.LoadCredential = [
serviceConfig = {
LoadCredential = [
"dot-cert.pem:${dot.directory}/fullchain.pem"
"dot-key.pem:${dot.directory}/key.pem"
];
ExecReload = lib.mkForce [];
};
};
security.acme.certs."securedns.${domain}" = {
dnsProvider = "pdns";
dnsProvider = "exec";
# using a different ACME provider because Android Private DNS is fucky
server = "https://api.buypass.com/acme/directory";
reloadServices = [
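Review bot: `ExecReload = lib.mkForce [];` deserves a comment stating the reason, which presumably is that `LoadCredential` copies `dot-cert.pem` and `dot-key.pem` at unit start, so a plain reload after renewal would keep serving the old certificate and dropping ExecReload turns the `reloadServices` hook into a real restart. Without that comment the next person will put the reload back and quietly break renewals for the DoT listener.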
@ -55,29 +56,29 @@ in
services.coredns = {
enable = true;
config = ''
(localresolver) {
hosts ${stevenblack-hosts} {
fallthrough
}
chaos "Private Void DNS" info@privatevoid.net
forward hyprspace. 127.43.104.80:11355
forward ${domain}. ${lib.concatStringsSep " " authoritativeServers} {
policy random
}
forward . ${backend.tuple} ${otherRecursors} {
policy sequential
}
}
.:${link.portStr} {
${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
bind 127.0.0.1
bind ${link.ipv4}
${lib.optionalString hyprspace.enable "bind ${hyprspace.addr}"}
hosts ${stevenblack-hosts} {
fallthrough
}
chaos "Private Void DNS" info@privatevoid.net
forward . ${backend.tuple} ${otherRecursors} {
policy sequential
}
import localresolver
}
tls://.:853 {
bind ${interfaces.primary.addr}
tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
hosts ${stevenblack-hosts} {
fallthrough
}
chaos "Private Void DNS" info@privatevoid.net
forward . ${backend.tuple} ${otherRecursors} {
policy sequential
}
import localresolver
}
'';
};
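Review bot: `import localresolver` in the `tls://.:853` block, which is bound to `interfaces.primary.addr`, means the public DoT listener now also serves `forward hyprspace. 127.43.104.80:11355` and the `${domain}.` authoritative forward, whereas before it only forwarded to `${backend.tuple}`; if exposing `hyprspace.` names to arbitrary DoT clients is not intended, keep that forward out of the shared snippet. `127.43.104.80:11355` is also a bare magic address where everything else in this file goes through a `links` entry; give it one.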
@ -87,7 +88,7 @@ in
dnssecValidation = "process";
forwardZones = {
# optimize queries against our own domain
"${domain}" = authoritativeServers;
"${domain}" = lib.concatStringsSep ";" authoritativeServers;
};
dns = {
inherit (backend) port;

View file

@ -1,30 +1,37 @@
{ config, depot, lib, ... }:
let
inherit (depot.config) hours;
inherit (depot) hours;
cfg = config.services.dns;
in
{
vars.pdns-api-key-secret = {
file = ./pdns-api-key.age;
mode = "0400";
};
imports = [
./options.nix
./nodes.nix
./ns-records.nix
];
links = {
dnsResolver = {
ipv4 = hours.VEGAS.interfaces.vstub.addr;
port = 53;
};
powerdns-api = {
ipv4 = config.vars.mesh.VEGAS.meshIp;
acmeDnsApi = {
hostname = "acme-dns-challenge.internal.${depot.lib.meta.domain}";
protocol = "http";
};
};
hostLinks = lib.mkMerge [
(lib.genAttrs (with cfg.nodes; master ++ slave) (node: {
(lib.genAttrs cfg.nodes.authoritative (node: {
dnsAuthoritative = {
ipv4 = hours.${node}.interfaces.primary.addrPublic;
port = 53;
};
acmeDnsApi = {
ipv4 = config.vars.mesh.${node}.meshIp;
inherit (config.links.acmeDnsApi) port;
protocol = "http";
};
}))
(lib.genAttrs cfg.nodes.coredns (node: {
dnsResolver = {
@ -40,19 +47,34 @@ in
];
services.dns = {
nodes = {
master = [ "VEGAS" ];
slave = [ "checkmate" "prophet" ];
authoritative = [ "VEGAS" "checkmate" "prophet" ];
coredns = [ "checkmate" "VEGAS" ];
client = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
};
nixos = {
master = [
./authoritative.nix
./admin.nix
];
slave = ./authoritative.nix;
authoritative = ./authoritative.nix;
coredns = ./coredns.nix;
client = ./client.nix;
};
simulacrum = {
enable = true;
deps = [ "consul" "acme-client" "patroni" ];
settings = ./test.nix;
};
};
patroni = {
databases.acmedns = {};
users.acmedns = {
locksmith = {
nodes = config.services.dns.nodes.authoritative;
format = "envFile";
};
};
};
dns.records = {
securedns.consulService = "securedns";
"acme-dns-challenge.internal".consulService = "acme-dns";
};
}

View file

@ -0,0 +1,11 @@
{ depot, lib, ... }:
{
dns.records = lib.mapAttrs' (name: hour: {
name = lib.toLower "${name}.${hour.enterprise.subdomain}";
value = {
type = "A";
target = [ hour.interfaces.primary.addrPublic ];
};
}) depot.gods.fromLight;
}

View file

@ -0,0 +1,26 @@
{ config, depot, lib, ... }:
let
cfg = config.services.dns;
nsNodes = lib.imap1 (idx: node: {
name = "eu${toString idx}.ns";
value = {
type = "A";
target = [ depot.hours.${node}.interfaces.primary.addrPublic ];
};
}) cfg.nodes.authoritative;
in
{
dns.records = lib.mkMerge [
(lib.listToAttrs nsNodes)
{
NS = {
name = "@";
type = "NS";
target = map (ns: "${ns.name}.${depot.lib.meta.domain}.") nsNodes;
};
}
];
}
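Review bot: `lib.imap1` ties each NS hostname to its position in `cfg.nodes.authoritative`, so reordering that list renames `eu1.ns`/`eu2.ns`/`eu3.ns` and silently changes the glue registered at the parent; derive the index from a stable per-node attribute or add a comment that list order is part of the public DNS contract. `authoritative.nix` in this diff also hard-codes `nsname = "eu1.ns.${domain}"` on every node, so the SOA MNAME served by `checkmate` and `prophet` names VEGAS; harmless, but it is the same coupling.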

View file

@ -0,0 +1,61 @@
{ depot, lib, ... }:
with lib;
let
recordType = types.submodule ({ config, name, ... }: {
options = {
root = mkOption {
type = types.str;
default = depot.lib.meta.domain;
};
consulServicesRoot = mkOption {
type = types.str;
default = "service.eu-central.sd-magic.${depot.lib.meta.domain}";
};
name = mkOption {
type = types.str;
default = name;
};
type = mkOption {
type = types.enum [ "A" "CNAME" "AAAA" "NS" "MX" "SOA" "TXT" ];
default = "A";
};
target = mkOption {
type = with types; listOf str;
};
ttl = mkOption {
type = types.ints.unsigned;
default = 86400;
};
consulService = mkOption {
type = with types; nullOr str;
default = null;
};
rewrite = {
target = mkOption {
type = with types; nullOr str;
default = null;
};
type = mkOption {
type = types.enum [ "exact" "substring" "prefix" "suffix" "regex" ];
default = "exact";
};
};
};
config = {
rewrite.target = mkIf (config.consulService != null) "${config.consulService}.${config.consulServicesRoot}";
};
});
in
{
options.dns = {
records = mkOption {
type = with types; attrsOf recordType;
default = {};
};
};
}
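Review bot: `ttl` is declared here but nothing consumes it (the static record rendering in `authoritative.nix` emits only name, type and target), so either wire it through or drop it before someone relies on setting it. `target` has no default, and records such as `securedns.consulService = "securedns"` never set it; they evaluate only because the rewrite path never reads `target`, so give it `default = []` or make it `nullOr` so the dependency on laziness is explicit. An assertion that a record with `consulService` set does not also carry an explicit `target` would catch the most likely misconfiguration.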

View file

@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A d/YNanH/cHoFLPp8WcCXHh/LQLRwaUa95JiRLbgb8RI
UPEHpnHHTU6dGKi2MbApEspcpt1lFtFZ4XJjShL7OoE
-> ssh-ed25519 5/zT0w Rv9ZS5P2Eca3npPLR7yym/XTRSDfVmgRwH1pAGR79T8
4A/KXc2wxxokfDAwWYf0ZTUEzQ8ldkC+zRNZY3KjBTs
-> ssh-ed25519 d3WGuA 2R0kaVjuhU3wT9pjj214zkEaHYNSlMxf9Z+MfBssHwY
EU5LWk6xfohWM/3sAqYtUvFmRgIPxOLXHnlqbsQ3+ok
-> -|(-grease W=cc~ O2q5
FZzh/ZwDS2EqvVZ9NErmUwCMN72op1Qy
--- Ducan3ugRJC3dmWLr7+FKok+WmInOgOzW0ccYeqAFAQ
Ì•ãÆ*Q. SC<53>ûf¹‰*`5<>„ÑÖw"~ÍxwÜ*–ã\êÙ"²ÅtŒ 'É0ï™<C3AF>ï

View file

@ -1,12 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A hUR+UdHnpazhANM8DKToI5Th3lv1aAuxZ1IQKvCOv34
PvsiSym8YdleDULLnWuTs1x08KO3EmAg/AAjulgrgqE
-> ssh-ed25519 5/zT0w qMXS2xLOLv/+l6brG11i+3FwHdrhlmxZBNtBiU9hu2g
BlFYPvH4mFJRMHTlHwnBdJb6QcugylwZuT5bgSKcQa0
-> ssh-ed25519 d3WGuA k2fRQ3+HyZP+bb/gkVKQqUmbITJLPm9tGp67DbRfiCs
RX9CACfYpYKvSqyfXjvEokTGsp4+ECQBD8i1ehD5xRg
-> IB@F$9G-grease
cXRgUVdIPGEjft1CJA
--- si16Det/GwF7GLHLt0ha8v4rFFeJXyhEylIiqzZVAK8
Ö°å¤pÐǺ#ê4^©— ~u Uuç­aòQ´Bâj˜(N)qÃ<"¤%ì’,V9û5ZÔh§#W«[»ò¶”"Mÿ&”îäøÖýá+%Œ«„SQ€B÷ÞÕÀèÕyàÜî<aéó]P$´Ä±B¨½qQÑÉQ‡M‰TË
·s¹mÿ~qWÖ«çêõÜ×Ì=.Q“"ù”Þø¶ÏnqRk<52>=ÏcÿçüßÃqv¢¾>#ŠÏ«²tïwq,÷ »3YyIq}Ê“ì>sgíz™ûs±Þ ¸ƆFÄPê|ÍüÅ¡=ùÃþ~KQR,DZuÐ+ÕºZGHëa=‹©;ÀõC.ÏuVShÅ$Và€AË9Ð= ?•¢

Some files were not shown because too many files have changed in this diff.