Merge pull request 'Drop GitLab' (#121) from pr-drop-gitlab into master

Reviewed-on: #121

cluster/services/consul/agent.nix

@@ -28,35 +28,6 @@ in
       bootstrap_expect = builtins.length cfg.nodes.agent;
       addresses.http = config.links.consulAgent.ipv4;
       ports.http = config.links.consulAgent.port;
-      acl = {
-        enabled = true;
-        default_policy = "deny";
-      };
-    };
-  };
-
-  systemd.services = {
-    consul.serviceConfig.Type = "notify";
-    consul-load-smt = {
-      wantedBy = [ "consul.service" ];
-      after = [ "consul.service" ];
-      environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
-      path = [
-        config.services.consul.package
-      ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        while ! test -e /run/locksmith/consul-systemManagementToken; do
-          echo Waiting for System Management Token
-          systemctl start locksmith.service
-          sleep 5
-        done
-        export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
-        consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
-      '';
     };
   };
 

cluster/services/consul/bootstrap.nix

@@ -1,65 +0,0 @@
-{ cluster, config, lib, pkgs, ... }:
-
-let
-  sentinelFile = "/var/lib/consul/nixos-acl-bootstrapped";
-  bootstrapTokenFile = "/run/keys/consul-bootstrap-token";
-  bootstrapConfig = "consul-bootstrap-config.json";
-  writeRules = rules: pkgs.writeText "consul-policy.json" (builtins.toJSON rules);
-in
-
-{
-  systemd.services = {
-    consul-acl-bootstrap = {
-      requires = [ "consul.service" ];
-      after = [ "consul.service" ];
-      wantedBy = [ "multi-user.target" ];
-  
-      unitConfig.ConditionPathExists = "!${sentinelFile}";
-      serviceConfig = {
-        Type = "oneshot";
-        PrivateTmp = true;
-      };
-      environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
-      path = [
-        config.services.consul.package
-        pkgs.jq
-      ];
-      script = ''
-        umask 77
-        if consul acl bootstrap --format=json > ${bootstrapConfig}; then
-          echo Bootstrapping:
-          jq -r .SecretID < ${bootstrapConfig} > ${bootstrapTokenFile}
-          export CONSUL_HTTP_TOKEN_FILE=${bootstrapTokenFile}
-          consul acl policy create --name operator-read --description "Read-only operator actions" --rules @${writeRules { operator = "read"; }}
-          consul acl policy create --name smt-read --description "Allow reading the encrypted system management token" --rules @${writeRules { key_prefix."secrets/locksmith/consul-systemManagementToken/".policy = "read"; }}
-          consul acl token update --id 00000000-0000-0000-0000-000000000002 --append-policy-name operator-read --append-policy-name smt-read
-        else
-          echo Bootstrap is already in progress elsewhere.
-          touch ${sentinelFile}
-        fi
-      '';
-    };
-    locksmith-provider-consul = {
-      unitConfig.ConditionPathExists = bootstrapTokenFile;
-      distributed.enable = lib.mkForce false;
-      environment = {
-        CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
-        CONSUL_HTTP_TOKEN_FILE = bootstrapTokenFile;
-      };
-      postStop = ''
-        rm -f ${bootstrapTokenFile}
-        touch ${sentinelFile}
-      '';
-    };
-  };
-
-  services.locksmith.providers.consul = {
-    wantedBy = [ "consul-acl-bootstrap.service" ];
-    after = [ "consul-acl-bootstrap.service" ];
-    secrets.systemManagementToken = {
-      nodes = cluster.config.services.consul.nodes.agent;
-      checkUpdate = "test -e ${bootstrapTokenFile}";
-      command = "cat ${bootstrapTokenFile}";
-    };
-  };
-}

cluster/services/consul/default.nix

@@ -14,7 +14,6 @@ in
     nodes = {
       agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
       ready = config.services.consul.nodes.agent;
-      bootstrap = [ "grail" "VEGAS" ];
     };
     nixos = {
       agent = [
@@ -22,11 +21,10 @@ in
         ./remote-api.nix
       ];
       ready = ./ready.nix;
-      bootstrap = ./bootstrap.nix;
     };
     simulacrum = {
       enable = true;
-      deps = [ "wireguard" "locksmith" ];
+      deps = [ "wireguard" ];
       settings = ./test.nix;
     };
   };

cluster/services/consul/ready.nix

@@ -51,9 +51,4 @@ in
       Type = "oneshot";
     };
   };
-
-  systemd.targets.consul-ready = {
-    description = "Consul is Ready";
-    requires = [ "consul-ready.service" ] ++ lib.optional config.services.consul.enable "consul-load-smt.service";
-  };
 }

cluster/services/consul/test.nix

@@ -1,4 +1,8 @@
+{ lib, ... }:
+
 {
+  defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };
+
   testScript = ''
     import json
 
@@ -7,12 +11,12 @@
     with subtest("should form cluster"):
       nodes = [ n for n in machines if n != nowhere ]
       for machine in nodes:
-        machine.succeed("systemctl start consul-ready.target")
+        machine.succeed("systemctl start consul-ready.service")
       for machine in nodes:
         consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
         addr = consulConfig["addresses"]["http"]
         port = consulConfig["ports"]["http"]
-        setEnv = f"CONSUL_HTTP_ADDR={addr}:{port} CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
+        setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
         memberList = machine.succeed(f"{setEnv} consul members --status=alive")
         for machine2 in nodes:
           assert machine2.name in memberList

cluster/services/flake-reegistry/default.nix

@@ -0,0 +1,36 @@
+{ lib, ... }:
+
+{
+  ways.registry.static = { depot, pkgs, ... }: pkgs.writeTextDir "flake-registry.json" (let
+    flakes = {
+      depot = {
+        type = "tarball";
+        url = "https://forge.${depot.lib.meta.domain}/${depot.lib.meta.domain}/depot/archive/master.tar.gz";
+      };
+      depot-nixpkgs = {
+        type = "github";
+        owner = "NixOS";
+        repo = "nixpkgs";
+        inherit (depot.inputs.nixpkgs.sourceInfo) rev narHash lastModified;
+      };
+      blank = {
+        type = "github";
+        owner = "divnix";
+        repo = "blank";
+        inherit (depot.inputs.blank.sourceInfo) rev narHash lastModified;
+      };
+    } // import ./extra-flakes.nix;
+  in builtins.toJSON {
+    version = 2;
+    flakes = lib.pipe flakes [
+      (lib.attrsToList)
+      (map (f: {
+        from = {
+          type = "indirect";
+          id = f.name;
+        };
+        to = f.value;
+      }))
+    ];
+  });
+}

cluster/services/flake-reegistry/extra-flakes.nix

@@ -0,0 +1,18 @@
+let
+  github = owner: repo: {
+    type = "github";
+    inherit owner repo;
+  };
+in {
+  # own 
+  hyprspace = github "hyprspace" "hyprspace";
+  ai = github "nixified-ai" "flake";
+  nix-super = github "privatevoid-net" "nix-super";
+  nixpak = github "nixpak" "nixpak";
+
+  # other
+  nix = github "NixOS" "nix";
+  flake-parts = github "hercules-ci" "flake-parts";
+  home-manager = github "nix-community" "home-manager";
+  dream2nix = github "nix-community" "dream2nix";
+}

cluster/services/gitlab/default.nix

@@ -1,10 +0,0 @@
-{ depot, ... }:
-
-{
-  services.gitlab = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
-  dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
-}

cluster/services/gitlab/host.nix

@@ -1,94 +0,0 @@
-{ cluster, config, lib, depot, ... }:
-
-let
-  inherit (depot.lib.meta) domain adminEmail;
-
-  patroni = cluster.config.links.patroni-pg-access;
-
-  mkSecret = name: {
-    owner = "gitlab";
-    group = "gitlab";
-    mode = "0400";
-    file = ../../../secrets/${name}.age;
-  };
-
-  secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
-
-  cfg = config.services.gitlab;
-in
-
-{
-  age.secrets = lib.flip lib.genAttrs mkSecret [
-    "gitlab-db-credentials"
-    "gitlab-initial-root-password"
-    "gitlab-openid-secret"
-    "gitlab-secret-db"
-    "gitlab-secret-jws"
-    "gitlab-secret-otp"
-    "gitlab-secret-secret"
-  ];
-
-  services.gitlab = {
-    enable = true;
-    https = true;
-    host = "git.${domain}";
-    port = 443;
-
-    databaseCreateLocally = false;
-    databaseHost = patroni.ipv4;
-    extraDatabaseConfig = { inherit (patroni) port; };
-    databaseUsername = "gitlab";
-    databasePasswordFile = secrets.gitlab-db-credentials;
-
-    initialRootEmail = adminEmail;
-
-    statePath = "/srv/storage/private/gitlab/state";
-
-    smtp = {
-      enable = true;
-      inherit domain;
-    };
-
-    initialRootPasswordFile = secrets.gitlab-initial-root-password;
-
-    secrets = with secrets; {
-      dbFile = gitlab-secret-db;
-      jwsFile = gitlab-secret-jws;
-      otpFile = gitlab-secret-otp;
-      secretFile = gitlab-secret-secret;
-    };
-
-    extraConfig = {
-      omniauth = {
-        enabled = true;
-        auto_sign_in_with_provider = "openid_connect";
-        allow_single_sign_on = ["openid_connect"];
-        block_auto_created_users = false;
-        providers = [
-
-          {
-            name = "openid_connect";
-            label = "Private Void Account";
-            args = {
-              name = "openid_connect";
-              scope = ["openid" "profile"];
-              response_type = "code";
-              issuer = "https://login.${domain}/auth/realms/master";
-              discovery = true;
-              client_auth_method = "query";
-              uid_field = "preferred_username";
-              client_options = {
-                identifier = "net.privatevoid.git2";
-                secret = { _secret = secrets.gitlab-openid-secret; };
-                redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
-              };
-            };
-          }
-          
-        ];
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
-}

cluster/services/nextcloud/host.nix

@@ -18,7 +18,7 @@ in
     };
   };
   services.nextcloud = {
-    package = pkgs.nextcloud29;
+    package = pkgs.nextcloud30;
     enable = true;
     https = true;
     hostName = "storage.${depot.lib.meta.domain}";

cluster/services/ways/host.nix

@@ -1,11 +1,15 @@
-{ cluster, config, lib, pkgs, ... }:
+{ cluster, config, depot, lib, pkgs, ... }:
 
 let
   externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
 
   internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways;
 
-  consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
+  byMode = lib.pipe cluster.config.ways [
+    (lib.attrsToList)
+    (lib.groupBy (way: way.value.mode))
+    (lib.mapAttrs (n: v: lib.listToAttrs v))
+  ];
 in
 
 {
@@ -25,7 +29,13 @@ in
             ];
             locations = lib.mkMerge [
               {
-                "/" = if cfg.grpc then {
+                "/" = if cfg.mode == "static" then {
+                  root = cfg.static {
+                    inherit depot;
+                    inherit pkgs;
+                    inherit (pkgs) system;
+                  };
+                } else if cfg.grpc then {
                   extraConfig = ''
                     set $nix_proxy_grpc_target ${cfg.target};
                     grpc_pass $nix_proxy_grpc_target;
@@ -47,7 +57,7 @@ in
       };
     }) cluster.config.ways;
 
-    appendHttpConfig = lib.mkIf (consulServiceWays != {}) ''
+    appendHttpConfig = lib.mkIf (byMode.consul != {}) ''
       include /run/consul-template/nginx-ways-*.conf;
     '';
   };
@@ -67,7 +77,7 @@ in
     value.distributed.enable = true;
   }) externalWays;
 
-  services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) {
+  services.consul-template.instances.ways = lib.mkIf (byMode.consul != {}) {
     user = "nginx";
     group = "nginx";
     settings = {
@@ -86,7 +96,7 @@ in
               {{ else }}
               # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
               {{ end }}
-            '') consulServiceWays;
+            '') byMode.consul;
           in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
           destination = "/run/consul-template/nginx-ways-upstreams.conf";
           exec.command = lib.singleton (pkgs.writeShellScript "ways-reload" ''

cluster/services/ways/options/way.nix

@@ -58,6 +58,10 @@ with lib;
       type = types.str;
     };
 
+    static = mkOption {
+      type = with types; functionTo (coercedTo package (package: "${package.webroot or package}") str);
+    };
+
     healthCheckPath = mkOption {
       type = types.path;
       default = "/.well-known/ways/internal-health-check";
@@ -69,10 +73,10 @@ with lib;
       default = "https://${name}.${config.domainSuffix}";
     };
 
-    useConsul = mkOption {
-      type = types.bool;
+    mode = mkOption {
+      type = types.enum [ "simple" "consul" "static" ];
       internal = true;
-      default = false;
+      default = "simple";
     };
 
     nginxUpstreamName = mkOption {
@@ -105,12 +109,15 @@ with lib;
 
   config = lib.mkMerge [
     (lib.mkIf options.consulService.isDefined {
-      useConsul = true;
+      mode = "consul";
       nginxUpstreamName = "ways_upstream_${builtins.hashString "md5" options.consulService.value}";
       target = "${if config.grpc then "grpc" else "http"}://${options.nginxUpstreamName.value}";
     })
     (lib.mkIf options.bucket.isDefined {
       consulService = "garage-web";
     })
+    (lib.mkIf options.static.isDefined {
+      mode = "static";
+    })
   ];
 }

flake.lock

@@ -173,11 +173,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -235,11 +235,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "lastModified": 1719994518,
+        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
         "type": "github"
       },
       "original": {
@@ -248,18 +248,34 @@
         "type": "github"
       }
     },
-    "flake-utils": {
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "nix-super"
+        ],
+        "gitignore": [
+          "nix-super"
+        ],
+        "nixpkgs": [
+          "nix-super",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nix-super",
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "lastModified": 1721042469,
+        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
         "type": "github"
       }
     },
@@ -369,15 +385,16 @@
     "libgit2": {
       "flake": false,
       "locked": {
-        "lastModified": 1697646580,
-        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
+        "lastModified": 1715853528,
+        "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
         "owner": "libgit2",
         "repo": "libgit2",
-        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
+        "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
         "type": "github"
       },
       "original": {
         "owner": "libgit2",
+        "ref": "v1.8.1",
         "repo": "libgit2",
         "type": "github"
       }
@@ -472,27 +489,26 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts_3",
+        "git-hooks-nix": "git-hooks-nix",
         "libgit2": "libgit2",
         "nixpkgs": "nixpkgs_3",
-        "nixpkgs-regression": [
+        "nixpkgs-23-11": [
           "blank"
         ],
-        "pre-commit-hooks": "pre-commit-hooks"
+        "nixpkgs-regression": [
+          "blank"
+        ]
       },
       "locked": {
-        "host": "git.privatevoid.net",
-        "lastModified": 1713821351,
-        "narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=",
-        "owner": "max",
-        "repo": "nix-super",
-        "rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031",
-        "type": "gitlab"
+        "lastModified": 1731271232,
+        "narHash": "sha256-HSNUAfhtG/A2hnrzPMT3asZZ2Wb3dAmedOr1VzptOCg=",
+        "rev": "1eb19dd804a83d99c497118af8ab781eee569c65",
+        "type": "tarball",
+        "url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/1eb19dd804a83d99c497118af8ab781eee569c65.tar.gz"
       },
       "original": {
-        "host": "git.privatevoid.net",
-        "owner": "max",
-        "repo": "nix-super",
-        "type": "gitlab"
+        "type": "tarball",
+        "url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"
       }
     },
     "nixpkgs": {
@@ -529,16 +545,16 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1709083642,
-        "narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=",
+        "lastModified": 1723688146,
+        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b550fe4b4776908ac2a861124307045f8e717c8e",
+        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -559,38 +575,6 @@
         "type": "github"
       }
     },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": [
-          "nix-super"
-        ],
-        "flake-utils": "flake-utils",
-        "gitignore": [
-          "nix-super"
-        ],
-        "nixpkgs": [
-          "nix-super",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nix-super",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712897695,
-        "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "repin-flake-utils": {
       "inputs": {
         "systems": [

flake.nix

@@ -30,9 +30,10 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     nix-super = {
-      url = "gitlab:max/nix-super?host=git.privatevoid.net";
+      url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz";
       inputs = {
         nixpkgs-regression.follows = "blank";
+        nixpkgs-23-11.follows = "blank";
       };
     };
 

modules/consul-distributed-services/default.nix

@@ -45,15 +45,14 @@ in
       hasSpecialPrefix = elem (substring 0 1 ExecStart) [ "@" "-" ":" "+" "!" ];
     in assert !hasSpecialPrefix; pkgs.writeTextDir "etc/systemd/system/${n}.service.d/distributed.conf" ''
       [Unit]
-      Requires=consul-ready.target
-      After=consul-ready.target
+      Requires=consul-ready.service
+      After=consul-ready.service
 
       [Service]
       ExecStartPre=${waitForConsul} 'services/${n}%i'
       ExecStart=
       ExecStart=${consul}/bin/consul lock --name=${n} --n=${toString cfg.replicas} --shell=false --child-exit-code 'services/${n}%i' ${optionalString (cfg.registerServices != []) runWithRegistration} ${ExecStart}
       Environment="CONSUL_HTTP_ADDR=${consulHttpAddr}"
-      Environment="CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken"
       ${optionalString (v.serviceConfig ? RestrictAddressFamilies) "RestrictAddressFamilies=AF_NETLINK"}
       ${optionalString (cfg.registerServices != []) (lib.concatStringsSep "\n" (map (svc: "ExecStopPost=${svc.commands.deregister}") svcs))}
     ''))

modules/consul-service-registry/default.nix

@@ -12,7 +12,6 @@ let
 
   consulRegisterScript = pkgs.writeShellScript "consul-register" ''
     export CONSUL_HTTP_ADDR='${consulHttpAddr}'
-    export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
     while ! ${consul} services register "$1"; do
       sleep 1
     done
@@ -20,7 +19,6 @@ let
 
   consulDeregisterScript = pkgs.writeShellScript "consul-deregister" ''
     export CONSUL_HTTP_ADDR='${consulHttpAddr}'
-    export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
     for i in {1..5}; do
       if ${consul} services deregister "$1"; then
         break
@@ -83,8 +81,8 @@ let
     }.${mode};
     value = {
       direct = {
-        after = [ "consul-ready.target" ];
-        requires = [ "consul-ready.target" ];
+        after = [ "consul-ready.service" ];
+        requires = [ "consul-ready.service" ];
         serviceConfig = {
           ExecStartPost = register servicesJson;
           ExecStopPost = deregister servicesJson;

modules/nix-config/server.nix

@@ -14,7 +14,7 @@
       experimental-features = nix-command flakes cgroups
       use-cgroups = true
       builders-use-substitutes = true
-      flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
+      flake-registry = https://registry.${depot.lib.meta.domain}/flake-registry.json
       
       # For Hercules CI agent
       narinfo-cache-negative-ttl = 0

packages/patched-derivations.nix

@@ -50,9 +50,8 @@ super: rec {
 
   prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";
 
-  s3ql = super.s3ql.overrideAttrs (old: {
+  s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: {
     propagatedBuildInputs = old.propagatedBuildInputs ++ [
-      super.python3Packages.packaging
       super.python3Packages.systemd
     ];
   });

patches/base/s3ql/metadata-accurate-length.patch

@@ -0,0 +1,13 @@
+diff --git a/src/s3ql/database.py b/src/s3ql/database.py
+index 1c6df119..f3a47781 100644
+--- a/src/s3ql/database.py
++++ b/src/s3ql/database.py
+@@ -677,7 +677,7 @@ def upload_metadata(
+             )
+             obj = METADATA_OBJ_NAME % (blockno, params.seq_no)
+             fh.seek(blockno * blocksize)
+-            backend.write_fh(obj, fh, len_=blocksize)
++            backend.write_fh(obj, fh, len_=min(blocksize, db_size - blockno * blocksize))
+ 
+         if not update_params:
+             return

secrets.nix

@@ -16,13 +16,6 @@ in with hosts;
   "cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
   "cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
   "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
   "secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];

secrets/gitlab-initial-root-password.age

@@ -1,12 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
-ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
--> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
-w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
--> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
-fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
--> AOy-grease dju$ xL|5Hh q(A
-h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
-Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
---- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
-øÜ™‹j‡>ü‘râ|ˆ>˜º<CB9C>–QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9áLš´ééÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j’`›6›<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì

secrets/gitlab-openid-secret.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
-ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
--> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
-pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
--> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
-4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
--> hD-grease q%QV%; &/
-jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
---- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
-AWeûÛ
¨Ë¯e¤	c[ ÖÌ3mÁíyÍΈÐñè6½
g{7›rd€_Ê7ØWPö©':ð¢uË›ùá¨N

secrets/gitlab-secret-otp.age

@@ -1,14 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
-J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
--> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
-yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
--> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
-7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
--> Q-grease KJL\,Pw& c!aOPX
-C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
-xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
---- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
-@# 
-Q)F:ÀŽ¤¶GÍû	#ógÒº¡¤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷›@Z/o™~I€
-œ[ô°¼PO’Â'vüše^ø,…?¢»Òo¼¸MÆ
]1
W
ƒËFò‹JëÄ™Ññ¨ôBý&y¼
yŸìVv‘_<E28098> %‹ûÇ<C3BB>«'