Platform 23.11 #96

Merged
max merged 47 commits from platform-23.11 into master 2023-12-05 01:59:28 +02:00
72 changed files with 741 additions and 1501 deletions


@ -1,10 +1,45 @@
{ cluster, config, pkgs, ... }: { cluster, config, depot, lib, pkgs, ... }:
let
authoritativeServers = map
(node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
cluster.config.services.dns.nodes.authoritative;
execScript = pkgs.writeShellScript "acme-dns-exec" ''
action="$1"
subdomain="''${2%.${depot.lib.meta.domain}.}"
key="$3"
umask 77
source "$EXEC_ENV_FILE"
headersFile="$(mktemp)"
echo "X-Direct-Key: $ACME_DNS_DIRECT_STATIC_KEY" > "$headersFile"
case "$action" in
present)
for i in {1..5}; do
${pkgs.curl}/bin/curl -X POST -s -f -H "@$headersFile" \
"${cluster.config.links.acmeDnsApi.url}/update" \
--data '{"subdomain":"'"$subdomain"'","txt":"'"$key"'"}' && break
sleep 5
done
;;
esac
'';
in
{ {
age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; }; age.secrets.acmeDnsApiKey = {
file = ../dns/acme-dns-direct-key.age;
owner = "acme";
};
security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" '' security.acme.defaults = {
PDNS_API_URL=${cluster.config.links.powerdns-api.url} extraLegoFlags = lib.flatten [
PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path} (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
''; "--dns-timeout" "30"
];
credentialsFile = pkgs.writeText "acme-exec-config" ''
EXEC_PATH=${execScript}
EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
'';
};
} }
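Review bot: The `present)` retry loop in `execScript` cannot report failure to lego: when all five POSTs fail, the loop's exit status is that of the final `sleep 5`, so the hook exits 0 and lego proceeds to a propagation wait that only fails later with a less useful error. Change `&& break` to `&& exit 0` and add `exit 1` after `done` so a rejected or unreachable `/update` fails the challenge immediately. The `mktemp` file holding `$ACME_DNS_DIRECT_STATIC_KEY` is never removed; add `trap 'rm -f "$headersFile"' EXIT` right after the `headersFile=` line (umask 77 makes it private, but a secret should not outlive the run in /tmp). `cluster.config.links.acmeDnsApi.url` appears to be an `http://` link elsewhere in this change, so the static key travels unencrypted unless the mesh transport is itself encrypted — a comment stating which is assumed would help.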


@ -1,3 +1,5 @@
{ config, depot, ... }:
{ {
services.attic = { services.attic = {
nodes = { nodes = {
@ -18,4 +20,13 @@
allow.attic = [ "read" "write" ]; allow.attic = [ "read" "write" ];
}; };
}; };
dns.records = let
serverAddrs = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.attic.nodes.server;
in {
cache-api.target = serverAddrs;
cache.target = serverAddrs;
};
} }


@ -0,0 +1,5 @@
{ depot, ... }:
{
dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}


@ -0,0 +1,12 @@
{ depot, ... }:
{
dns.records = let
cdnShieldAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
in {
"fonts-googleapis-com.cdn-shield".target = cdnShieldAddr;
"fonts-gstatic-com.cdn-shield".target = cdnShieldAddr;
"cdnjs-cloudflare-com.cdn-shield".target = cdnShieldAddr;
"wttr-in.cdn-shield".target = cdnShieldAddr;
};
}


@ -11,7 +11,7 @@ in
security.acme.certs."internal.${domain}" = { security.acme.certs."internal.${domain}" = {
domain = "*.internal.${domain}"; domain = "*.internal.${domain}";
extraDomainNames = [ "*.internal.${domain}" ]; extraDomainNames = [ "*.internal.${domain}" ];
dnsProvider = "pdns"; dnsProvider = "exec";
group = "nginx"; group = "nginx";
postRun = '' postRun = ''
${pkgs.acl}/bin/setfacl -Rb out/ ${pkgs.acl}/bin/setfacl -Rb out/


@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A YndVtONpmfFXYB1ASnPHsfczl1UbgZ2vccIrX2pEgx0
VzH2UD583L6wBLMCo6faIGyHR4+zXXOUTgQduEiFOxI
-> ssh-ed25519 5/zT0w +67r5S6PSFEgnrTu3eZpOd3eemZUdDOE+kjUw6GDgUM
jPzlW7hePFgsABUjryePu5yergQ2Qjczmmoxuo6CK+U
-> ssh-ed25519 TCgorQ DGJPjJYpeibxM+8OwofUCdttIT2OdNbvQ66wpWQM8XU
JCNQ3bT21j2ZsxbzA6FieKIui6lsvk1p0nvNOT7YtFo
-> ssh-ed25519 d3WGuA hIl5yluwf1f0DP5ZW1MalGPCj4XFYOu2sofwJSQZ6RE
BSHoe4cdRJlPrkc+taUIaIIUknexlGttzz2d9I3jtmk
-> ssh-ed25519 YIaSKQ EbqXS/XFQHSXCbzDJmg4gGUxP9TX3+vOxWtNQDJ8ih4
hNaWzoFG2iVef4Gm30LilGXYNsVkhmVt9dOvBo02mbM
-> V]i@xRtJ-grease
NEPxMUZa76GclWOasWptt6QS7frMclp9o+kD4KCLJB7ucFOYK7xxWfAEMkjtadfP
m0bbgbw7Jcs9/lA8VNAG2D5jTBayGgpkBQZ4
--- ViqZD8mJEKIMCZ5Q+wRQWR2FX/LMEfUwoumUtHlYabQ
KAÉû¹ÝgZü<šë*DfV6·=äG»+eœ`ºpª±ï÷­<1E>º[Û‘Û û¸¢ºÐý-H1<1B>»Ã›Íí[fV.¾¢HÁ"OhÐñŒ½j•ùö8ïßß$‰;Û‘&5<>äxw§/mŒë<C592>Öß^7îf5ÔµyÏŽÓûC´6”¹U•æýi-R=/_R<5F><52>„·==æà½1˜'Ò qÞ·ŒvÜcwø


@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A 9n5IirzhNBIPRj9Gir+/yQhFH830sgfezsqY5Ulzz3o
VItDDdgfTFcvSq/QpIqTHnfr1VHqfI6nPz+WWKYQjHw
-> ssh-ed25519 5/zT0w MfBZrd8wJjoProwdPqsS9CZ9aYNTXgrYviFDwuchQVM
8WKPYO+i1ZSkPYDrHVJ5Pclj2hEzqwAtf31Agzei444
-> ssh-ed25519 TCgorQ 3QYtSx/2eiFp54W60F8FlERfHx+DUfnXXfugiXNPECg
pBx3If3qihD//Aq8hDWCt+U1tiWoCLUDcg/RyVCD0D0
-> ssh-ed25519 P/nEqQ NImm+vKuL50G2kdD2svmfkwsovmryCSyKyhnZ0duDDo
U0PTKHiCj4SxomnJdgubo+3sStSE+YwvCnrRl7aAS1Q
-> ssh-ed25519 FfIUuQ SRgJoBIoW71SiXuHqlnGqRG5AKUrnQy0ecwznGEGTHA
a0IS3hjMln1tWEjo30A6gYtaV7TJSY4SZDarhahMoLk
-> ssh-ed25519 d3WGuA 0qVNcrYe53Wo46zFJs6UZtX0dq7TUy72WGdGpLqB3yo
jTHE9PfhRw5lbBlfznS+ThkSsab3ioearf91xyPBfdQ
-> ssh-ed25519 YIaSKQ CCcBlAOms2aSkB6pws6tN+4Gf551idI9Zq0rokd0P1c
/3oFp6hf+jggurbcuu0cXdDL8lr6m/LTHEeNgiJt2gg
-> K&wn-grease ,Ewz Jc+dQQRp NU~.
FvDOuTGNaLuCfDelsrRbthjuJT9fBZAQ+kz+7Stoc2wciXV1YpCcOYDHSF38OwRF
X/pyjVudbJKS0Mphda6phw
--- 3JFwCzeJsIgRkTpmy9MAvQ64BCZoa98kNKOuT57WI6Y
O¿¹¸p ž-ÚP¶.+"<22>ðjÔG«
ëÇÐs<>gnz[t ‘ØóÄD÷•RŽÄ½±šmÃl<!Çê6;³Ù÷<C399>†8{ vmvJJ;lR<6C>×[Yà3˜XPËÜ<C38B>ÈPCÿè¯&¦àåYû×2ÃǤxVúÈF{zäQh nW*I$é;°Yc¨@7Ö-k4—À§xãͶx¿µ% <52>¤$z|»Ê“ñœ¹¯<C2B9>ëñ3


@ -1,109 +0,0 @@
{ cluster, config, lib, pkgs, depot, ... }:
let
inherit (depot.lib.meta) domain;
inherit (config.links) pdnsAdmin;
inherit (cluster.config) vars;
pdns-api = cluster.config.links.powerdns-api;
dataDirUI = "/srv/storage/private/powerdns-admin";
translateConfig = withQuotes: cfg: let
pythonValue = val: if lib.isString val then "'${val}'"
else if lib.isAttrs val && val ? file then "[(f.read().strip('\\n'), f.close()) for f in [open('${val.file}')]][0][0]"
else if lib.isAttrs val && val ? env then "__import__('os').getenv('${val.env}')"
else if lib.isBool val then (if val then "True" else "False")
else if lib.isInt val then toString val
else throw "translateConfig: unsupported value type";
quote = str: if withQuotes then pythonValue str else str;
configList = lib.mapAttrsToList (n: v: "${n}=${quote v}") cfg;
in lib.concatStringsSep "\n" configList;
in {
age.secrets = {
pdns-admin-oidc-secrets = {
file = ./pdns-admin-oidc-secrets.age;
mode = "0400";
};
pdns-admin-salt = {
file = ./pdns-admin-salt.age;
mode = "0400";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
pdns-admin-secret = {
file = ./pdns-admin-secret.age;
mode = "0400";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
pdns-api-key = vars.pdns-api-key-secret // { owner = "powerdnsadmin"; };
};
links.pdnsAdmin.protocol = "http";
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
systemd.tmpfiles.rules = [
"d '${dataDirUI}' 0700 powerdnsadmin powerdnsadmin - -"
];
services.powerdns = {
enable = true;
extraConfig = translateConfig false {
api = "yes";
webserver-allow-from = "127.0.0.1, ${vars.meshNet.cidr}";
webserver-address = pdns-api.ipv4;
webserver-port = pdns-api.portStr;
api-key = "$scrypt$ln=14,p=1,r=8$ZRgztsniH1y+F7P/RkXq/w==$QTil5kbJPzygpeQRI2jgo5vK6fGol9YS/NVR95cmWRs=";
};
};
services.powerdns-admin = {
enable = true;
secretKeyFile = config.age.secrets.pdns-admin-secret.path;
saltFile = config.age.secrets.pdns-admin-salt.path;
extraArgs = [ "-b" pdnsAdmin.tuple ];
config = translateConfig true {
SQLALCHEMY_DATABASE_URI = "sqlite:///${dataDirUI}/pda.db";
PDNS_VERSION = pkgs.pdns.version;
PDNS_API_URL = pdns-api.url;
PDNS_API_KEY.file = config.age.secrets.pdns-api-key.path;
SIGNUP_ENABLED = false;
OIDC_OAUTH_ENABLED = true;
OIDC_OAUTH_KEY = "net.privatevoid.dnsadmin1";
OIDC_OAUTH_SECRET.env = "OIDC_OAUTH_SECRET";
OIDC_OAUTH_SCOPE = "openid profile email roles";
OIDC_OAUTH_METADATA_URL = "https://login.${domain}/auth/realms/master/.well-known/openid-configuration";
};
};
systemd.services.powerdns-admin.serviceConfig = {
BindPaths = [
dataDirUI
config.age.secrets.pdns-api-key.path
];
TimeoutStartSec = "300s";
EnvironmentFile = config.age.secrets.pdns-admin-oidc-secrets.path;
};
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
(depot.lib.nginx.vhosts.proxy pdnsAdmin.url)
# backend sends really big headers for some reason
# increase buffer size accordingly
{
locations."/".extraConfig = ''
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
'';
};
}


@ -7,32 +7,42 @@ let
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative; link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;
inherit (cluster.config.hostLinks.${hostName}) acmeDnsApi;
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; (master hostName) ++ (slave hostName)) [ otherDnsServers = lib.pipe (cluster.config.services.dns.otherNodes.authoritative hostName) [
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)) (map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
(lib.concatStringsSep " ") (lib.concatStringsSep " ")
]; ];
translateConfig = cfg: let recordsList = lib.mapAttrsToList (lib.const lib.id) cluster.config.dns.records;
configList = lib.mapAttrsToList (n: v: "${n}=${v}") cfg; recordsPartitioned = lib.partition (record: record.rewrite.target == null) recordsList;
in lib.concatStringsSep "\n" configList;
rewriteRecords = lib.filterAttrs (_: record: record.rewrite.target != null) cluster.config.dns.records; staticRecords = let
escape = type: {
TXT = builtins.toJSON;
}.${type} or lib.id;
rewrites = lib.mapAttrsToList (_: record: let recordName = record: {
"@" = "${record.root}.";
}.${record.name} or "${record.name}.${record.root}.";
in lib.flatten (
map (record: map (target: "${recordName record} ${record.type} ${escape record.type target}") record.target) recordsPartitioned.right
);
rewrites = map (record: let
maybeEscapeRegex = str: if record.rewrite.type == "regex" then "${lib.escapeRegex str}$" else str; maybeEscapeRegex = str: if record.rewrite.type == "regex" then "${lib.escapeRegex str}$" else str;
in "rewrite stop name ${record.rewrite.type} ${record.name}${maybeEscapeRegex ".${record.root}."} ${record.rewrite.target}. answer auto") rewriteRecords; in "rewrite stop name ${record.rewrite.type} ${record.name}${maybeEscapeRegex ".${record.root}."} ${record.rewrite.target}. answer auto") recordsPartitioned.wrong;
rewriteConf = pkgs.writeText "coredns-rewrites.conf" (lib.concatStringsSep "\n" rewrites); rewriteConf = pkgs.writeText "coredns-rewrites.conf" (lib.concatStringsSep "\n" rewrites);
in { in {
links.localAuthoritativeDNS = {}; links.localAuthoritativeDNS = {};
age.secrets = { age.secrets = {
pdns-db-credentials = { acmeDnsDbCredentials = {
file = ./pdns-db-credentials.age; file = ./acme-dns-db-credentials.age;
mode = "0400"; };
owner = "pdns"; acmeDnsDirectKey = {
group = "pdns"; file = ./acme-dns-direct-key.age;
}; };
}; };
@ -41,23 +51,33 @@ in {
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 ];
}; };
services.powerdns = { services.acme-dns = {
enable = true; enable = true;
extraConfig = translateConfig { package = depot.packages.acme-dns;
launch = "gpgsql"; settings = {
local-address = config.links.localAuthoritativeDNS.tuple; general = {
gpgsql-host = patroni.ipv4; listen = config.links.localAuthoritativeDNS.tuple;
gpgsql-port = patroni.portStr; inherit domain;
gpgsql-dbname = "powerdns"; nsadmin = "hostmaster.${domain}";
gpgsql-user = "powerdns"; nsname = "eu1.ns.${domain}";
gpgsql-extra-connection-parameters = "passfile=${config.age.secrets.pdns-db-credentials.path}"; records = staticRecords;
version-string = "Private Void DNS"; };
enable-lua-records = "yes"; api = {
expand-alias = "yes"; ip = acmeDnsApi.ipv4;
resolver = "127.0.0.1:8600"; inherit (acmeDnsApi) port;
};
database = {
engine = "postgres";
connection = "postgres://acmedns@${patroni.tuple}/acmedns?sslmode=disable";
};
}; };
}; };
systemd.services.acme-dns.serviceConfig.EnvironmentFile = with config.age.secrets; [
acmeDnsDbCredentials.path
acmeDnsDirectKey.path
];
services.coredns = { services.coredns = {
enable = true; enable = true;
config = '' config = ''
@ -85,18 +105,29 @@ in {
}; };
systemd.services.coredns = { systemd.services.coredns = {
after = [ "pdns.service" ]; after = [ "acme-dns.service" ];
}; };
consul.services.pdns = { consul.services = {
mode = "external"; authoritative-dns = {
definition = { unit = "acme-dns";
name = "authoritative-dns-backend"; definition = {
address = config.links.localAuthoritativeDNS.ipv4; name = "authoritative-dns-backend";
port = config.links.localAuthoritativeDNS.port; address = config.links.localAuthoritativeDNS.ipv4;
port = config.links.localAuthoritativeDNS.port;
checks = lib.singleton {
interval = "60s";
tcp = config.links.localAuthoritativeDNS.tuple;
};
};
};
acme-dns.definition = {
name = "acme-dns";
address = acmeDnsApi.ipv4;
port = acmeDnsApi.port;
checks = lib.singleton { checks = lib.singleton {
interval = "60s"; interval = "60s";
tcp = config.links.localAuthoritativeDNS.tuple; http = "${acmeDnsApi.url}/health";
}; };
}; };
}; };
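Review bot: `database.connection` in the new `services.acme-dns.settings` block sets `sslmode=disable`, so the acme-dns database password loaded from `acmeDnsDbCredentials` and every challenge TXT write reach `patroni-pg-access` in cleartext, whereas the replaced PowerDNS `gpgsql` setup left libpq's default (`sslmode=prefer`) in place. Unless that link is already carried over an encrypted mesh (not visible here), use `sslmode=require`, or `verify-full` with the cluster CA. The API is also bound to a mesh IP with an `http` link and authenticated only by the static direct key from `acmeDnsDirectKey`; if plaintext is acceptable because the mesh is an encrypted overlay, record that next to the `api` block, e.g. `# bound to the mesh address only; direct-key auth, TLS provided by the overlay`.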


@ -13,10 +13,9 @@ let
(lib.concatStringsSep " ") (lib.concatStringsSep " ")
]; ];
authoritativeServers = lib.pipe (with cluster.config.services.dns.nodes; master ++ slave) [ authoritativeServers = map
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)) (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
(lib.concatStringsSep ";") cluster.config.services.dns.nodes.authoritative;
];
inherit (depot.packages) stevenblack-hosts; inherit (depot.packages) stevenblack-hosts;
dot = config.security.acme.certs."securedns.${domain}"; dot = config.security.acme.certs."securedns.${domain}";
@ -43,7 +42,7 @@ in
}; };
security.acme.certs."securedns.${domain}" = { security.acme.certs."securedns.${domain}" = {
dnsProvider = "pdns"; dnsProvider = "exec";
# using a different ACME provider because Android Private DNS is fucky # using a different ACME provider because Android Private DNS is fucky
server = "https://api.buypass.com/acme/directory"; server = "https://api.buypass.com/acme/directory";
reloadServices = [ reloadServices = [
@ -54,29 +53,29 @@ in
services.coredns = { services.coredns = {
enable = true; enable = true;
config = '' config = ''
.:${link.portStr} { (localresolver) {
${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
bind 127.0.0.1
bind ${link.ipv4}
hosts ${stevenblack-hosts} { hosts ${stevenblack-hosts} {
fallthrough fallthrough
} }
chaos "Private Void DNS" info@privatevoid.net chaos "Private Void DNS" info@privatevoid.net
forward hyprspace. 127.80.1.53:5380 forward hyprspace. 127.80.1.53:5380
forward ${domain}. ${lib.concatStringsSep " " authoritativeServers} {
policy random
}
forward . ${backend.tuple} ${otherRecursors} { forward . ${backend.tuple} ${otherRecursors} {
policy sequential policy sequential
} }
} }
.:${link.portStr} {
${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
bind 127.0.0.1
bind ${link.ipv4}
import localresolver
}
tls://.:853 { tls://.:853 {
bind ${interfaces.primary.addr} bind ${interfaces.primary.addr}
tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
hosts ${stevenblack-hosts} { import localresolver
fallthrough
}
chaos "Private Void DNS" info@privatevoid.net
forward . ${backend.tuple} ${otherRecursors} {
policy sequential
}
} }
''; '';
}; };
@ -86,7 +85,7 @@ in
dnssecValidation = "process"; dnssecValidation = "process";
forwardZones = { forwardZones = {
# optimize queries against our own domain # optimize queries against our own domain
"${domain}" = authoritativeServers; "${domain}" = lib.concatStringsSep ";" authoritativeServers;
}; };
dns = { dns = {
inherit (backend) port; inherit (backend) port;


@ -7,28 +7,31 @@ in
{ {
imports = [ imports = [
./options.nix ./options.nix
./nodes.nix
./ns-records.nix
]; ];
vars.pdns-api-key-secret = {
file = ./pdns-api-key.age;
mode = "0400";
};
links = { links = {
dnsResolver = { dnsResolver = {
ipv4 = hours.VEGAS.interfaces.vstub.addr; ipv4 = hours.VEGAS.interfaces.vstub.addr;
port = 53; port = 53;
}; };
powerdns-api = { acmeDnsApi = {
ipv4 = config.vars.mesh.VEGAS.meshIp; hostname = "acme-dns-challenge.internal.${depot.lib.meta.domain}";
protocol = "http"; protocol = "http";
}; };
}; };
hostLinks = lib.mkMerge [ hostLinks = lib.mkMerge [
(lib.genAttrs (with cfg.nodes; master ++ slave) (node: { (lib.genAttrs cfg.nodes.authoritative (node: {
dnsAuthoritative = { dnsAuthoritative = {
ipv4 = hours.${node}.interfaces.primary.addrPublic; ipv4 = hours.${node}.interfaces.primary.addrPublic;
port = 53; port = 53;
}; };
acmeDnsApi = {
ipv4 = config.vars.mesh.${node}.meshIp;
inherit (config.links.acmeDnsApi) port;
protocol = "http";
};
})) }))
(lib.genAttrs cfg.nodes.coredns (node: { (lib.genAttrs cfg.nodes.coredns (node: {
dnsResolver = { dnsResolver = {
@ -44,21 +47,19 @@ in
]; ];
services.dns = { services.dns = {
nodes = { nodes = {
master = [ "VEGAS" ]; authoritative = [ "VEGAS" "checkmate" "prophet" ];
slave = [ "checkmate" "prophet" ];
coredns = [ "checkmate" "VEGAS" ]; coredns = [ "checkmate" "VEGAS" ];
client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ]; client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
}; };
nixos = { nixos = {
master = [ authoritative = ./authoritative.nix;
./authoritative.nix
./admin.nix
];
slave = ./authoritative.nix;
coredns = ./coredns.nix; coredns = ./coredns.nix;
client = ./client.nix; client = ./client.nix;
}; };
}; };
dns.records.securedns.consulService = "securedns"; dns.records = {
securedns.consulService = "securedns";
"acme-dns-challenge.internal".consulService = "acme-dns";
};
} }
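Review bot: `links.acmeDnsApi` and the per-node `hostLinks.*.acmeDnsApi` entries are declared with `protocol = "http"`, and the exec-based ACME flow introduced in this change authenticates with a single static `X-Direct-Key`; anyone who can observe traffic on the mesh path, or answer the consul-backed name `acme-dns-challenge.internal`, could set `_acme-challenge` TXT records for any name in the zone and obtain certificates for it. If `config.vars.mesh.*.meshIp` addresses are only reachable over an encrypted overlay, say so in a comment next to the link, e.g. `# plaintext is acceptable: mesh addresses are reachable only over the encrypted overlay`; otherwise the API should be fronted with TLS. The three `nodes.authoritative` hosts each run an acme-dns instance against one database, which is fine for static records but worth a one-line note that the direct key is shared by all of them.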


@ -0,0 +1,11 @@
{ depot, lib, ... }:
{
dns.records = lib.mapAttrs' (name: hour: {
name = lib.toLower "${name}.${hour.enterprise.subdomain}";
value = {
type = "A";
target = [ hour.interfaces.primary.addrPublic ];
};
}) depot.gods.fromLight;
}


@ -0,0 +1,26 @@
{ config, depot, lib, ... }:
let
cfg = config.services.dns;
nsNodes = lib.imap1 (idx: node: {
name = "eu${toString idx}.ns";
value = {
type = "A";
target = [ depot.hours.${node}.interfaces.primary.addrPublic ];
};
}) cfg.nodes.authoritative;
in
{
dns.records = lib.mkMerge [
(lib.listToAttrs nsNodes)
{
NS = {
name = "@";
type = "NS";
target = map (ns: "${ns.name}.${depot.lib.meta.domain}.") nsNodes;
};
}
];
}
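Review bot: The NS hostnames are numbered by position in `cfg.nodes.authoritative` via `lib.imap1`, so inserting or reordering a node renames existing `euN.ns` records and changes which public IP each resolves to; `authoritative.nix` in this same change hardcodes `nsname = "eu1.ns.${domain}"` as the SOA primary, so `eu1.ns` must stay pinned to the intended host. Either derive the index from a stable per-node attribute or document the constraint above `nsNodes`: `# index is positional: do not reorder nodes.authoritative; eu1.ns is the SOA nsname in authoritative.nix`.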


@ -19,7 +19,7 @@ let
}; };
type = mkOption { type = mkOption {
type = types.enum [ "A" "CNAME" "AAAA" "NS" "MX" "SOA" ]; type = types.enum [ "A" "CNAME" "AAAA" "NS" "MX" "SOA" "TXT" ];
default = "A"; default = "A";
}; };
target = mkOption { target = mkOption {


@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A d/YNanH/cHoFLPp8WcCXHh/LQLRwaUa95JiRLbgb8RI
UPEHpnHHTU6dGKi2MbApEspcpt1lFtFZ4XJjShL7OoE
-> ssh-ed25519 5/zT0w Rv9ZS5P2Eca3npPLR7yym/XTRSDfVmgRwH1pAGR79T8
4A/KXc2wxxokfDAwWYf0ZTUEzQ8ldkC+zRNZY3KjBTs
-> ssh-ed25519 d3WGuA 2R0kaVjuhU3wT9pjj214zkEaHYNSlMxf9Z+MfBssHwY
EU5LWk6xfohWM/3sAqYtUvFmRgIPxOLXHnlqbsQ3+ok
-> -|(-grease W=cc~ O2q5
FZzh/ZwDS2EqvVZ9NErmUwCMN72op1Qy
--- Ducan3ugRJC3dmWLr7+FKok+WmInOgOzW0ccYeqAFAQ
Ì•ãÆ*Q. SC<53>ûf¹‰*`5<>„ÑÖw"~ÍxwÜ*–ã\êÙ"²ÅtŒ 'É0ï™<C3AF>ï


@ -1,12 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A hUR+UdHnpazhANM8DKToI5Th3lv1aAuxZ1IQKvCOv34
PvsiSym8YdleDULLnWuTs1x08KO3EmAg/AAjulgrgqE
-> ssh-ed25519 5/zT0w qMXS2xLOLv/+l6brG11i+3FwHdrhlmxZBNtBiU9hu2g
BlFYPvH4mFJRMHTlHwnBdJb6QcugylwZuT5bgSKcQa0
-> ssh-ed25519 d3WGuA k2fRQ3+HyZP+bb/gkVKQqUmbITJLPm9tGp67DbRfiCs
RX9CACfYpYKvSqyfXjvEokTGsp4+ECQBD8i1ehD5xRg
-> IB@F$9G-grease
cXRgUVdIPGEjft1CJA
--- si16Det/GwF7GLHLt0ha8v4rFFeJXyhEylIiqzZVAK8
Ö°å¤pÐǺ#ê4^©— ~u Uuç­aòQ´Bâj˜(N)qÃ<"¤%ì’,V9û5ZÔh§#W«[»ò¶”"Mÿ&”îäøÖýá+%Œ«„SQ€B÷ÞÕÀèÕyàÜî<aéó]P$´Ä±B¨½qQÑÉQ‡M‰TË
·s¹mÿ~qWÖ«çêõÜ×Ì=.Q“"ù”Þø¶ÏnqRk<52>=ÏcÿçüßÃqv¢¾>#ŠÏ«²tïwq,÷ »3YyIq}Ê“ì>sgíz™ûs±Þ ¸ƆFÄPê|ÍüÅ¡=ùÃþ~KQR,DZuÐ+ÕºZGHëa=‹©;ÀõC.ÏuVShÅ$Và€AË9Ð= ?•¢


@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A OQaDWMrfvfQoluWFIldZgZFEdqzFfXhPvO6BqOZofnU
qoUEZlKSTNJ53jgTK9eP2GDJogugtCfKqBaVH7mCqZY
-> ssh-ed25519 5/zT0w U5w9w/DE+zDgw4YI6DDVAMSaAAcR+3+BIioVXAGMfHg
9Ps2qB+P2DWDdYPRPuzmBECWzJ90LVq8B71LlrO0Gyk
-> ssh-ed25519 TCgorQ s91OjOZH6825aSBRfiSN+ODBOJvbjff6s2fzf/8o2Wk
zJI/5oKwagyOJUy1siwAcZ7wcsEMUyekYjP7TlsAjoY
-> ssh-ed25519 d3WGuA 1gPF8W/p+wVclVrMGbvnBAO9IvSX9G8qNEaKpHeX23w
L4N6MxD5SeEhqcjRx1e8M/rMtK2Qg+elYgKCHkHi71o
-> ssh-ed25519 YIaSKQ eOwUbPa6RceRM4zsB8lHSCYtSJoLX1Fqs8CdzM7qkCQ
8OPkkFP0B+uN0zBZAUmEgogp97YO+qlvsG6wnMwkzLw
-> L_-grease 51PFh7A
k9hZ2FbD3JDWGN8/WFjOCM0Ud/uvQhZZDceL/Esa8cfp
--- v5Noo1KII/WFJxNGjEO2hqdhgHdastilx/M1vFos5dE
 mÄÜ´Räx¡˜ ÐòÁ¬;ä³ÁH°pæ áµå-ìásÌïaÎᙵ­Ô ™÷Ð4ö®y ˆÑYýÀïQ<>ûÂHPe 0Ó0[ÙÕ» É
ÔŽÜyÖ'ª±¨|È2[q<>—ÀÛ<C380><C39B>WS/dö.ÏQÁÒÙé49ÆÄ,͆±¢}o¦<6F>Ú ÍGO¦k€rGMGœ&öÊ¡²
4Óá"8.êm槫¹<C2AB>7Pku ð@XAå$• >·¦+Äì|Çå–è<1F> ÎVtn¡”Â|Cµ>\a<>2
{U²´ªÝs <0B>Ù èé¾Ï÷„b½É‡Â<E280BA>¿½gÀ.sœ3‡M24[š+ÀU£ÊD!PØ´õù7Á[½_†ºÁ>aº¿Õ3
Šñs


@ -0,0 +1,12 @@
{ depot, ... }:
{
dns.records = let
fbiAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
in {
fbi-index.target = fbiAddr;
fbi-requests.target = fbiAddr;
radarr.target = fbiAddr;
sonarr.target = fbiAddr;
};
}


@ -1,6 +1,12 @@
{ config, depot, ... }:
{ {
services.forge = { services.forge = {
nodes.server = [ "VEGAS" ]; nodes.server = [ "VEGAS" ];
nixos.server = ./server.nix; nixos.server = ./server.nix;
}; };
dns.records.forge.target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.forge.nodes.server;
} }


@ -0,0 +1,5 @@
{ depot, ... }:
{
dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}


@ -34,4 +34,22 @@
]; ];
}; };
}; };
dns.records = let
serverAddrsPublic = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.idm.nodes.server;
serverAddrsInternal = map
(node: config.vars.mesh.${node}.meshIp)
config.services.idm.nodes.server;
in {
idm = {
type = "A";
target = serverAddrsPublic;
};
"idm-ldap.internal" = {
type = "A";
target = serverAddrsInternal;
};
};
} }
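Review bot: `"idm-ldap.internal"` publishes `config.vars.mesh.*.meshIp` addresses through `dns.records`, and in this change those records become the `staticRecords` served by acme-dns on the public authoritative listeners (`hostLinks.*.dnsAuthoritative` use `addrPublic`), so the mesh addresses of the identity servers become world-readable. That may be intended, since the `*.internal` certificate is issued via DNS-01 in the same zone, but if the `internal` subtree is meant to stay private it needs a split view or to be served only by the CoreDNS resolvers; at minimum add `# NOTE: served from the public zone — mesh IPs are disclosed` next to the record.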


@ -18,7 +18,7 @@ in
security.acme.certs = { security.acme.certs = {
"internal.${domain}".reloadServices = [ "kanidm.service" ]; "internal.${domain}".reloadServices = [ "kanidm.service" ];
"idm.${domain}" = { "idm.${domain}" = {
dnsProvider = "pdns"; dnsProvider = "exec";
webroot = lib.mkForce null; webroot = lib.mkForce null;
}; };
}; };


@ -81,7 +81,7 @@ in {
services.nginx.virtualHosts."pin.${domain}" = vhosts.proxy "http://unix:${pinSvcSocket}"; services.nginx.virtualHosts."pin.${domain}" = vhosts.proxy "http://unix:${pinSvcSocket}";
users.users.nginx.extraGroups = [ cfg.group ]; users.users.nginx.extraGroups = [ cfg.group ];
security.acme.certs."pin.${domain}" = { security.acme.certs."pin.${domain}" = {
dnsProvider = "pdns"; dnsProvider = "exec";
webroot = lib.mkForce null; webroot = lib.mkForce null;
}; };
} }


@ -52,11 +52,15 @@
dns.records = { dns.records = {
p2p.consulService = "ipfs-gateway"; p2p.consulService = "ipfs-gateway";
"\\.ipfs" = { pin.consulService = "ipfs-gateway";
"ipfs.admin".target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.ipfs.nodes.remote-api;
"^[^_].+\\.ipfs" = {
consulService = "ipfs-gateway"; consulService = "ipfs-gateway";
rewrite.type = "regex"; rewrite.type = "regex";
}; };
"\\.ipns" = { "^[^_].+\\.ipns" = {
consulService = "ipfs-gateway"; consulService = "ipfs-gateway";
rewrite.type = "regex"; rewrite.type = "regex";
}; };
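Review bot: The new rewrite patterns `^[^_].+\\.ipfs` and `^[^_].+\\.ipns` require at least two characters before the `.ipfs`/`.ipns` label (`[^_]` plus `.+`), so a single-character name such as `a.ipfs.<domain>` is no longer rewritten to the gateway service; `^[^_].*\\.ipfs` keeps the leading-underscore exclusion without that gap. CIDs are long so this is mostly a latent inconsistency, but the exclusion itself deserves a comment explaining why it exists — presumably so `_acme-challenge` TXT records for the wildcard certificate are not swallowed by the rewrite, which is only inferable from the `dnsProvider` switch elsewhere in this change — e.g. `# underscore-prefixed names (_acme-challenge) must reach the authoritative records, not the gateway`.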


@ -48,12 +48,12 @@ in
security.acme.certs."ipfs.${domain}" = { security.acme.certs."ipfs.${domain}" = {
domain = "*.ipfs.${domain}"; domain = "*.ipfs.${domain}";
extraDomainNames = [ "*.ipns.${domain}" ]; extraDomainNames = [ "*.ipns.${domain}" ];
dnsProvider = "pdns"; dnsProvider = "exec";
group = "nginx"; group = "nginx";
}; };
security.acme.certs."p2p.${domain}" = { security.acme.certs."p2p.${domain}" = {
dnsProvider = "pdns"; dnsProvider = "exec";
webroot = lib.mkForce null; webroot = lib.mkForce null;
}; };


@ -82,7 +82,7 @@ in {
params.ngircd.bits = 2048; params.ngircd.bits = 2048;
}; };
security.acme.certs."${serverName}" = { security.acme.certs."${serverName}" = {
dnsProvider = "pdns"; dnsProvider = "exec";
group = "ngircd"; group = "ngircd";
reloadServices = [ "ngircd" ]; reloadServices = [ "ngircd" ];
extraDomainNames = [ linkGlobalSecure.ipv4 ]; extraDomainNames = [ linkGlobalSecure.ipv4 ];


@ -0,0 +1,43 @@
{ depot, ... }:
{
dns.records = let
inherit (depot.lib.meta) domain adminEmail;
mailServerAddr = depot.hours.VEGAS.interfaces.primary.addrPublic;
mxAlias = {
type = "CNAME";
target = [ "mx.${domain}." ];
};
in {
mx = {
type = "A";
target = [ mailServerAddr ];
};
smtp = mxAlias;
imap = mxAlias;
mail = mxAlias;
MX = {
name = "@";
type = "MX";
target = [ "0 mx.${domain}." ];
};
# compat for old email aliases
"max.admin" = {
type = "MX";
target = [ "0 mx.${domain}." ];
};
SPF = {
name = "@";
type = "TXT";
target = [ "v=spf1 mx a ip4:${mailServerAddr} ~all" ];
};
_dmarc = {
type = "TXT";
target = [ "v=DMARC1; p=reject; rua=mailto:${adminEmail}; ruf=mailto:${adminEmail}; sp=quarantine; ri=604800" ];
};
"${domain}._domainkey" = {
type = "TXT";
target = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9Q5VrGWEcG/CWZSWJl0tRQR3uiOkPH7AcNH+H7Gpa5S/E7tLZNyWuKOmNCRi/FKeqXcD5zIfI1sYsWZKOE70Un/ShCdRUzwD1Em8bO6yz/BbY1cBxHBQdCrH2ylMgn3UW0X1rM75EgJntAYkOqovtL78BtDbUhagO/0MTFpySpQIDAQAB" ];
};
};
}
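Review bot: The DKIM public key under `"${domain}._domainkey"` is a 1024-bit RSA key (a `MIGf…` SubjectPublicKeyInfo of that length), which RFC 8301 treats as the bare minimum and recommends replacing with 2048-bit; now that the record lives in version-controlled config, rotating the selector to a 2048-bit key (`MIIBIjAN…`) is worth scheduling. The SPF record uses `~all` softfail while DMARC is `p=reject`, a common but deliberate-only combination — add `# softfail on purpose: DMARC alignment handles rejection` or tighten to `-all`. `sp=quarantine` also makes the subdomain policy weaker than the organizational `p=reject`; if no subdomain sends mail, `sp=reject` is the safer default.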


@ -1,4 +1,4 @@
{ depot, ... }: { config, depot, ... }:
{ {
services.matrix = { services.matrix = {
@ -16,4 +16,15 @@
address = "https://matrix.${depot.lib.meta.domain}/_matrix/federation/v1/version"; address = "https://matrix.${depot.lib.meta.domain}/_matrix/federation/v1/version";
module = "https2xx"; module = "https2xx";
}; };
dns.records = let
homeserverAddrs = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.matrix.nodes.homeserver;
in {
matrix.target = homeserverAddrs;
chat.target = homeserverAddrs;
stun.target = homeserverAddrs;
turn.target = homeserverAddrs;
};
} }


@ -1,6 +1,12 @@
{ config, depot, ... }:
{ {
services.meet = { services.meet = {
nodes.host = [ "prophet" ]; nodes.host = [ "prophet" ];
nixos.host = ./host.nix; nixos.host = ./host.nix;
}; };
dns.records.meet.target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.meet.nodes.host;
} }


@ -103,7 +103,7 @@ in
}; };
security.acme.certs."monitoring.${domain}" = { security.acme.certs."monitoring.${domain}" = {
dnsProvider = "pdns"; dnsProvider = "exec";
webroot = lib.mkForce null; webroot = lib.mkForce null;
}; };


@ -0,0 +1,5 @@
{ depot, ... }:
{
dns.records.api.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}


@ -1,4 +1,4 @@
{ depot, ... }: { config, depot, ... }:
{ {
services.nextcloud = { services.nextcloud = {
@ -10,4 +10,8 @@
address = "https://storage.${depot.lib.meta.domain}/status.php"; address = "https://storage.${depot.lib.meta.domain}/status.php";
module = "nextcloudStatus"; module = "nextcloudStatus";
}; };
dns.records.storage.target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.nextcloud.nodes.host;
} }


@ -19,7 +19,6 @@ in
}; };
services.nextcloud = { services.nextcloud = {
package = pkgs.nextcloud26; package = pkgs.nextcloud26;
enableBrokenCiphersForSSE = false;
enable = true; enable = true;
https = true; https = true;
hostName = "storage.${depot.lib.meta.domain}"; hostName = "storage.${depot.lib.meta.domain}";


@ -1,4 +1,4 @@
{ depot, ... }: { config, depot, ... }:
{ {
services.object-storage = { services.object-storage = {
@ -10,4 +10,14 @@
address = "https://object-storage.${depot.lib.meta.domain}/minio/health/live"; address = "https://object-storage.${depot.lib.meta.domain}/minio/health/live";
module = "https2xx"; module = "https2xx";
}; };
dns.records = let
serverAddrs = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.object-storage.nodes.host;
in {
object-storage.target = serverAddrs;
"console.object-storage".target = serverAddrs;
cdn.target = serverAddrs;
};
} }


@ -0,0 +1,5 @@
{ depot, ... }:
{
dns.records.reflex.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}


@ -1,4 +1,4 @@
{ depot, ... }: { config, depot, ... }:
{ {
services.search = { services.search = {
@ -10,4 +10,8 @@
address = "https://search.${depot.lib.meta.domain}/healthz"; address = "https://search.${depot.lib.meta.domain}/healthz";
module = "https2xx"; module = "https2xx";
}; };
dns.records.search.target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.search.nodes.host;
} }


@ -5,4 +5,6 @@
address = "soda.int.${depot.lib.meta.domain}:22"; address = "soda.int.${depot.lib.meta.domain}:22";
module = "sshConnect"; module = "sshConnect";
}; };
dns.records.soda.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
} }


@ -0,0 +1,10 @@
{ depot, ... }:
{
dns.records = let
ssoAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
in {
login.target = ssoAddr;
account.target = ssoAddr;
};
}


@ -20,7 +20,7 @@ in
}; };
}; };
security.acme.certs.${link.hostname} = { security.acme.certs.${link.hostname} = {
dnsProvider = "pdns"; dnsProvider = "exec";
webroot = lib.mkForce null; webroot = lib.mkForce null;
}; };


@ -39,7 +39,6 @@ in
rpc_secret_file = config.age.secrets.garageRpcSecret.path; rpc_secret_file = config.age.secrets.garageRpcSecret.path;
consul_discovery = { consul_discovery = {
consul_http_addr = "http://127.0.0.1:8500"; consul_http_addr = "http://127.0.0.1:8500";
api = "agent";
service_name = "garage-discovery"; service_name = "garage-discovery";
}; };
s3_api = { s3_api = {
@ -71,7 +70,7 @@ in
ProtectSystem = true; ProtectSystem = true;
User = "garage"; User = "garage";
Group = "garage"; Group = "garage";
StateDirectory = lib.removePrefix "/var/lib/" cfg.settings.metadata_dir; StateDirectory = lib.mkForce (lib.removePrefix "/var/lib/" cfg.settings.metadata_dir);
}; };
}; };
} }


@ -0,0 +1,5 @@
{ depot, ... }:
{
dns.records.vault.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}


@ -1,6 +1,12 @@
{ config, depot, ... }:
{ {
services.warehouse = { services.warehouse = {
nodes.host = [ "VEGAS" ]; nodes.host = [ "VEGAS" ];
nixos.host = [ ./host.nix ]; nixos.host = [ ./host.nix ];
}; };
dns.records.warehouse.target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.warehouse.nodes.host;
} }


@ -6,7 +6,7 @@ let
acmeUseDNS = name: conf: { acmeUseDNS = name: conf: {
name = conf.useACMEHost or conf.serverName or name; name = conf.useACMEHost or conf.serverName or name;
value = { value = {
dnsProvider = "pdns"; dnsProvider = "exec";
webroot = null; webroot = null;
}; };
}; };
@ -51,7 +51,28 @@ in
}; };
}; };
dns.records = lib.genAttrs [ "www" "draw" "stop-using-nix-env" "whoami" ] (lib.const { dns.records = let
consulService = "static-lb"; oldStaticAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}); in lib.mkMerge [
(lib.genAttrs [ "www" "draw" "stop-using-nix-env" "whoami" ] (lib.const {
consulService = "static-lb";
}))
{
CNAME = {
name = "@";
type = "CNAME";
target = [ "www.${domain}." ];
};
autoconfig.target = oldStaticAddr;
ktp.target = oldStaticAddr;
legacy.target = oldStaticAddr;
# jokes
"bone-ds-dc.com-ldap".target = oldStaticAddr;
rzentrale.target = oldStaticAddr;
wunschnachricht.target = oldStaticAddr;
}
];
} }
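Review bot: The `CNAME` entry with `name = "@"` places a CNAME at the zone apex, which RFC 2181 §10.1 forbids: a CNAME cannot coexist with the apex `NS`, `MX` and SPF `TXT` records that `ns-records.nix` and the mail module add in this same change, and the acme-dns generated SOA, so servers and resolvers will either reject the zone or return inconsistent answers. Replace it with apex `A` records pointing at the addresses the `www` service resolves to, e.g. `"@" = { type = "A"; target = staticLbAddrs; }` with `staticLbAddrs` derived from the static-lb node list the way the other modules map nodes to `addrPublic`. An assertion in `options.nix` that `type == "CNAME"` is never combined with `name == "@"` would keep this from recurring.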


@ -119,34 +119,6 @@
"type": "github" "type": "github"
} }
}, },
"deploy-rs": {
"inputs": {
"flake-compat": [
"blank"
],
"nixpkgs": [
"nixpkgs"
],
"utils": [
"repin-flake-utils"
]
},
"locked": {
"host": "git.privatevoid.net",
"lastModified": 1638903228,
"narHash": "sha256-mEbLD0A9gp159pFtdK4n1Yp2uFSE1T2nOr8BkfwgrC8=",
"owner": "max",
"repo": "deploy-rs",
"rev": "0d11e93f47be21051683e1b38f6b0dcb3f0a71cf",
"type": "gitlab"
},
"original": {
"host": "git.privatevoid.net",
"owner": "max",
"repo": "deploy-rs",
"type": "gitlab"
}
},
"devshell": { "devshell": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -233,11 +205,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1698882062, "lastModified": 1701473968,
"narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=", "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "8c9fa2545007b49a5db5f650ae91f227672c3877", "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -474,16 +446,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1701362232, "lastModified": 1701374686,
"narHash": "sha256-GVdzxL0lhEadqs3hfRLuj+L1OJFGiL/L7gCcelgBlsw=", "narHash": "sha256-xaJPtgvTuUGSPba8p3+ezCJjKnVij77ai8OE2bnTC0E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d2332963662edffacfddfad59ff4f709dde80ffe", "rev": "1bce6a1791a513af2727e5b668b3cd9ba76cb0bf",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-23.05-small", "ref": "nixos-23.11-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -513,7 +485,6 @@
"agenix": "agenix", "agenix": "agenix",
"attic": "attic", "attic": "attic",
"blank": "blank", "blank": "blank",
"deploy-rs": "deploy-rs",
"devshell": "devshell", "devshell": "devshell",
"drv-parts": "drv-parts", "drv-parts": "drv-parts",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",


@ -26,7 +26,7 @@
inputs = { inputs = {
systems.url = "github:privatevoid-net/nix-systems-default-linux"; systems.url = "github:privatevoid-net/nix-systems-default-linux";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small";
nix-super = { nix-super = {
url = "gitlab:max/nix-super?host=git.privatevoid.net"; url = "gitlab:max/nix-super?host=git.privatevoid.net";
@ -36,15 +36,6 @@
}; };
}; };
deploy-rs = {
url = "gitlab:max/deploy-rs?host=git.privatevoid.net";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "blank";
utils.follows = "repin-flake-utils";
};
};
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";


@ -13,6 +13,7 @@ in
services.n8n = { services.n8n = {
enable = true; enable = true;
webhookUrl = "https://${apiAddr}";
settings = { settings = {
inherit (config.links.api) port; inherit (config.links.api) port;
}; };
@ -22,7 +23,6 @@ in
N8N_LISTEN_ADDRESS = "127.0.0.1"; N8N_LISTEN_ADDRESS = "127.0.0.1";
N8N_ENDPOINT_WEBHOOK = "api"; N8N_ENDPOINT_WEBHOOK = "api";
N8N_ENDPOINT_WEBHOOK_TEST = "test"; N8N_ENDPOINT_WEBHOOK_TEST = "test";
WEBHOOK_URL = "https://${apiAddr}";
}; };
services.nginx.virtualHosts."${apiAddr}" = lib.recursiveUpdate proxy { services.nginx.virtualHosts."${apiAddr}" = lib.recursiveUpdate proxy {


@ -80,7 +80,5 @@ in {
systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ]; systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
services.fail2ban.jails.dovecot = '' services.fail2ban.jails.dovecot = {};
enabled = true
'';
} }
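Review bot: `services.fail2ban.jails.dovecot = {};` only keeps the jail active if the 23.11 jail submodule defaults `enabled` to true, which the old config string stated explicitly; a one-line comment such as `# enabled by default in the jail submodule; port/filter come from fail2ban's bundled dovecot jail` would make that intent readable, or set `jails.dovecot.settings.enabled = true` as before. The postfix jail rewrite in this PR leaves `enabled` implicit in the same way.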


@ -93,9 +93,8 @@ in
systemd.services.postfix.after = [ "network-online.target" "network-addresses-${interfaces.primary.link}.service" "network-addresses-vstub.service" ]; systemd.services.postfix.after = [ "network-online.target" "network-addresses-${interfaces.primary.link}.service" "network-addresses-vstub.service" ];
systemd.services.postfix-setup.after = [ "network-online.target" "network-addresses-${interfaces.primary.link}.service" "network-addresses-vstub.service" ]; systemd.services.postfix-setup.after = [ "network-online.target" "network-addresses-${interfaces.primary.link}.service" "network-addresses-vstub.service" ];
services.fail2ban.jails.postfix = '' services.fail2ban.jails.postfix.settings = {
enabled = true mode = "aggressive";
mode = aggressive findtime = "43200";
findtime = 43200 };
'';
} }


@ -7,7 +7,6 @@
inherit (patched) inherit (patched)
kanidm kanidm
powerdns-admin
prometheus-jitsi-exporter prometheus-jitsi-exporter
tempo tempo
; ;


@ -1,21 +0,0 @@
{
security.sudo.extraRules = [
{
users = [ "deploy" ];
commands = [
"NOPASSWD: /nix/store/*-activate-rs/activate-rs"
"NOPASSWD: /run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*"
];
runAs = "root";
}
];
nix.settings.trusted-users = [ "deploy" ];
users.users.deploy = {
isNormalUser = true;
uid = 1999;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5C7mC5S2gM0K6x0L/jNwAeQYbFSzs16Q73lONUlIkL max@TITAN"
];
};
}


@ -3,11 +3,7 @@
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
banaction = "iptables-multiport[blocktype=DROP]"; banaction = "iptables-multiport[blocktype=DROP]";
jails.sshd = '' jails.sshd.settings.mode = "aggressive";
enabled = true
port = 22
mode = aggressive
'';
ignoreIP = [ ignoreIP = [
"10.0.0.0/8" "10.0.0.0/8"
depot.reflection.interfaces.primary.addr depot.reflection.interfaces.primary.addr
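Review bot: The rewritten sshd jail drops the explicit `port = 22`, so it presumably relies on the 23.11 module's default sshd jail settings to derive the port from `services.openssh.ports` — worth confirming, because a jail with a wrong or missing port bans nothing while still reporting as enabled. If any host listens on a non-default port, set `jails.sshd.settings.port` explicitly or derive it from `config.services.openssh.ports`. The `services.fail2ban` attrset ends outside this hunk.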


@ -10,7 +10,6 @@ in
ascensions = ./ascensions; ascensions = ./ascensions;
consul-distributed-services = ./consul-distributed-services; consul-distributed-services = ./consul-distributed-services;
consul-service-registry = ./consul-service-registry; consul-service-registry = ./consul-service-registry;
deploy-rs-receiver = ./deploy-rs-receiver;
effect-receiver = ./effect-receiver; effect-receiver = ./effect-receiver;
enterprise = ./enterprise; enterprise = ./enterprise;
external-storage = ./external-storage; external-storage = ./external-storage;
@ -50,7 +49,6 @@ in
ascensions ascensions
consul-distributed-services consul-distributed-services
consul-service-registry consul-service-registry
deploy-rs-receiver
effect-receiver effect-receiver
external-storage external-storage
fail2ban fail2ban


@ -2,7 +2,7 @@
buildGoModule rec { buildGoModule rec {
pname = "grafana"; pname = "grafana";
version = "10.1.5"; version = "10.2.0";
excludedPackages = [ "alert_webhook_listener" "clean-swagger" "release_publisher" "slow_proxy" "slow_proxy_mac" "macaron" "devenv" "modowners" ]; excludedPackages = [ "alert_webhook_listener" "clean-swagger" "release_publisher" "slow_proxy" "slow_proxy_mac" "macaron" "devenv" "modowners" ];
@ -10,15 +10,15 @@ buildGoModule rec {
rev = "v${version}"; rev = "v${version}";
owner = "grafana"; owner = "grafana";
repo = "grafana"; repo = "grafana";
hash = "sha256-/caja157OKe9atqZLDzw2oTwhWLNa5DxcgO1iueKow4="; hash = "sha256-PNKvu7DfVHzBaRGM/Zej0oI5pbi6gPta+ZzVEXXmTsI=";
}; };
srcStatic = fetchurl { srcStatic = fetchurl {
url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz"; url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz";
hash = "sha256-7LGs/8pbZMEwXHBSPac+guJ3GcYBS3qIRz7JeqZuVQ0="; hash = "sha256-KE026VWxlJYzRqTqry4h8vm1NIXB7sJUucz+W/s1eoE=";
}; };
vendorHash = "sha256-KXgGtNHUi+k41GC3Wc5hbJw4k5fxq/p0Je6Q6UZwhtw="; vendorHash = "sha256-Mybo7ZVP7fwmBwloC3jHJnqPmhbj1DQSwz8T2onkL3Y=";
nativeBuildInputs = [ wire ]; nativeBuildInputs = [ wire ];


@ -30,7 +30,7 @@
]); ]);
}; };
vendorSha256 = "sha256-VBCgFbJixBh+pKfYGJVapHqWBpUFfvjl1cwOER2Li6Y="; vendorHash = "sha256-VBCgFbJixBh+pKfYGJVapHqWBpUFfvjl1cwOER2Li6Y=";
ldflags = [ "-s" "-w" "-X github.com/hyprspace/hyprspace/cli.appVersion=${version}" ]; ldflags = [ "-s" "-w" "-X github.com/hyprspace/hyprspace/cli.appVersion=${version}" ];


@ -43,7 +43,7 @@
]); ]);
}; };
vendorSha256 = "sha256-EpZQ7br+ChoAGIj0g6pdpWvFeOFOn2i+6YRBgtzoO+A="; vendorHash = "sha256-EpZQ7br+ChoAGIj0g6pdpWvFeOFOn2i+6YRBgtzoO+A=";
doCheck = false; doCheck = false;


@ -2,57 +2,12 @@ let
tools = import ./lib/tools.nix; tools = import ./lib/tools.nix;
pins = import ./sources; pins = import ./sources;
dvcMd5ToSha256 = old: {
postPatch = (old.postPatch or "") + ''
grep -Rwl md5 | xargs sed -i s/md5/sha256/g
'';
};
dvcYamlToJson = old: {
postPatch = (old.postPatch or "") + ''
grep -Rwl yaml | xargs sed -i s/yaml/json/g
grep -Rwl ruamel.json | xargs sed -i s/ruamel.json/ruamel.yaml/g
'';
};
in with tools; in with tools;
super: rec { super: rec {
acme-dns = patch super.acme-dns "patches/base/acme-dns";
cachix = patch super.cachix "patches/base/cachix"; cachix = patch super.cachix "patches/base/cachix";
dvc = patch (super.dvc.overrideAttrs (old: let
filteredBaseDeps = super.lib.subtractLists [
super.python3Packages.dvc-data
super.python3Packages.dvc-http
] old.propagatedBuildInputs;
baseDeps = filteredBaseDeps ++ [
dvc-data
dvc-http
];
patched = dvcMd5ToSha256 old;
patched' = dvcYamlToJson patched;
in patched' // {
propagatedBuildInputs = with super.python3Packages; baseDeps ++ [
aiobotocore
boto3
(s3fs.overrideAttrs (_: { postPatch = ''
substituteInPlace requirements.txt \
--replace "fsspec==2023.3.0" "fsspec" \
--replace "aiobotocore~=2.1.0" "aiobotocore"
'';
}))
];
})) "patches/base/dvc";
dvc-data = (super.python3Packages.dvc-data.override {
inherit dvc-objects;
}).overrideAttrs dvcMd5ToSha256;
dvc-http = super.python3Packages.dvc-http.override {
inherit dvc-objects;
};
dvc-objects = super.python3Packages.dvc-objects.overrideAttrs dvcMd5ToSha256;
forgejo = patch super.forgejo "patches/base/forgejo"; forgejo = patch super.forgejo "patches/base/forgejo";
garage = patch super.garage_0_8 "patches/base/garage"; garage = patch super.garage_0_8 "patches/base/garage";
@ -89,14 +44,6 @@ super: rec {
postgresql = super.postgresql_14; postgresql = super.postgresql_14;
powerdns-admin = let
package = super.powerdns-admin.override {
python3 = super.python3.override {
packageOverrides = _: _: { python3-saml = null; };
};
};
in patch package "patches/base/powerdns-admin";
prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter"; prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";
s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: { s3ql = (patch super.s3ql "patches/base/s3ql").overrideAttrs (old: {
@ -105,7 +52,7 @@ super: rec {
]; ];
}); });
tempo = (super.tempo.override { buildGoModule = super.buildGo119Module; }).overrideAttrs (_: { tempo = (super.tempo.override { buildGoModule = super.buildGo121Module; }).overrideAttrs (_: {
version = builtins.substring 1 (-1) pins.tempo.version; version = builtins.substring 1 (-1) pins.tempo.version;
src = super.npins.mkSource pins.tempo; src = super.npins.mkSource pins.tempo;
subPackages = [ "cmd/tempo" ]; subPackages = [ "cmd/tempo" ];
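Review bot: The new `acme-dns = patch super.acme-dns "patches/base/acme-dns";` line pulls in patches that change acme-dns's authentication (a static-key update path) and its storage model (one TXT row per subdomain), none of which is visible from this file. A comment on that line, e.g. `# local patches: X-Direct-Key static-key update path, single TXT record per subdomain, case-preserving static records`, would flag that this is a behavioural patch set rather than a build fix. The `super: rec {` attrset continues past this hunk.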


@ -8,8 +8,6 @@
{ {
packages = filters.doFilter filters.packages rec { packages = filters.doFilter filters.packages rec {
inherit (packages.deploy-rs) deploy-rs;
nix-super = packages.nix-super.nix; nix-super = packages.nix-super.nix;
agenix = packages.agenix.agenix.override { nix = nix-super; }; agenix = packages.agenix.agenix.override { nix = nix-super; };
@ -17,4 +15,4 @@
hci = packages.hercules-ci-agent.hercules-ci-cli; hci = packages.hercules-ci-agent.hercules-ci-cli;
}; };
}; };
} }


@ -56,8 +56,6 @@
in { in {
tools = with flakePkgs; [ tools = with flakePkgs; [
agenix agenix
deploy-rs
dvc
graf graf
hci hci
npins npins
@ -70,4 +68,4 @@
}; };
}; };
}; };
} }


@ -61,10 +61,10 @@
}, },
"pre_releases": false, "pre_releases": false,
"version_upper_bound": null, "version_upper_bound": null,
"version": "v2.2.1", "version": "v2.3.0",
"revision": "77c009c9d315d61207ff3b31c02f94d5749b4bad", "revision": "0b0f48ea2dea728b06ba93bb505fb96b4224fcae",
"url": "https://api.github.com/repos/grafana/tempo/tarball/v2.2.1", "url": "https://api.github.com/repos/grafana/tempo/tarball/v2.3.0",
"hash": "0biv47mlnsl60nh5z45d3gd4l5avv04l2scmpvyhcrj2fa3abnbh" "hash": "08rh22zmx7j5gxsqn4cjr1lg5frmq0bgq8iyvdlgmml5xdbkqj90"
} }
}, },
"version": 2 "version": 2


@ -1,12 +1,10 @@
{ {
packages = { packages = {
cinny = [ "x86_64-linux" ]; cinny = [ "x86_64-linux" ];
dvc = [ "x86_64-linux" ];
hci = [ "x86_64-linux" ]; hci = [ "x86_64-linux" ];
hydra = [ "x86_64-linux" ]; hydra = [ "x86_64-linux" ];
jellyfin = [ "x86_64-linux" ]; jellyfin = [ "x86_64-linux" ];
keycloak = [ "x86_64-linux" ]; keycloak = [ "x86_64-linux" ];
powerdns-admin = [ "x86_64-linux" ];
prometheus-jitsi-exporter = [ "aarch64-linux" ]; prometheus-jitsi-exporter = [ "aarch64-linux" ];
searxng = [ "x86_64-linux" ]; searxng = [ "x86_64-linux" ];
tempo = [ "x86_64-linux" ]; tempo = [ "x86_64-linux" ];


@ -24,9 +24,6 @@
help = pkgs.hugo.meta.description; help = pkgs.hugo.meta.description;
command = "exec ${pkgs.hugo}/bin/hugo ${hugoArgsStr} \"$@\""; command = "exec ${pkgs.hugo}/bin/hugo ${hugoArgsStr} \"$@\"";
}; };
tools = with self'.packages; [
dvc
];
}; };
packages.landing = with pkgs; let packages.landing = with pkgs; let


@ -0,0 +1,182 @@
diff --git a/acmetxt.go b/acmetxt.go
index 63454a6..e7ba7ea 100644
--- a/acmetxt.go
+++ b/acmetxt.go
@@ -12,6 +12,7 @@ import (
type ACMETxt struct {
Username uuid.UUID
Password string
+ Direct bool
ACMETxtPost
AllowFrom cidrslice
}
diff --git a/api.go b/api.go
index 864256c..beb16c4 100644
--- a/api.go
+++ b/api.go
@@ -82,15 +82,15 @@ func webUpdatePost(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
// NOTE: An invalid subdomain should not happen - the auth handler should
// reject POSTs with an invalid subdomain before this handler. Reject any
// invalid subdomains anyway as a matter of caution.
- if !validSubdomain(a.Subdomain) {
+ if !a.Direct && !validSubdomain(a.Subdomain) {
log.WithFields(log.Fields{"error": "subdomain", "subdomain": a.Subdomain, "txt": a.Value}).Debug("Bad update data")
updStatus = http.StatusBadRequest
upd = jsonError("bad_subdomain")
- } else if !validTXT(a.Value) {
+ } else if !a.Direct && !validTXT(a.Value) {
log.WithFields(log.Fields{"error": "txt", "subdomain": a.Subdomain, "txt": a.Value}).Debug("Bad update data")
updStatus = http.StatusBadRequest
upd = jsonError("bad_txt")
- } else if validSubdomain(a.Subdomain) && validTXT(a.Value) {
+ } else if a.Direct || (validSubdomain(a.Subdomain) && validTXT(a.Value)) {
err := DB.Update(a.ACMETxtPost)
if err != nil {
log.WithFields(log.Fields{"error": err.Error()}).Debug("Error while trying to update record")
diff --git a/auth.go b/auth.go
index c09f8b4..c91214d 100644
--- a/auth.go
+++ b/auth.go
@@ -6,6 +6,7 @@ import (
"fmt"
"net"
"net/http"
+ "os"
"github.com/julienschmidt/httprouter"
log "github.com/sirupsen/logrus"
@@ -20,6 +21,18 @@ const ACMETxtKey key = 0
func Auth(update httprouter.Handle) httprouter.Handle {
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
postData := ACMETxt{}
+ directKey := r.Header.Get("X-Direct-Key")
+ if directKey != "" && directKey == os.Getenv("ACME_DNS_DIRECT_STATIC_KEY") {
+ dec := json.NewDecoder(r.Body)
+ err := dec.Decode(&postData)
+ if err != nil {
+ log.WithFields(log.Fields{"error": "json_error", "string": err.Error()}).Error("Decode error")
+ }
+ postData.Direct = true
+ ctx := context.WithValue(r.Context(), ACMETxtKey, postData)
+ update(w, r.WithContext(ctx), p)
+ return
+ }
userOK := false
user, err := getUserFromRequest(r)
if err == nil {
diff --git a/db.go b/db.go
index 3534728..4a389ac 100644
--- a/db.go
+++ b/db.go
@@ -35,7 +35,7 @@ var userTable = `
var txtTable = `
CREATE TABLE IF NOT EXISTS txt(
- Subdomain TEXT NOT NULL,
+ Subdomain TEXT NOT NULL PRIMARY KEY,
Value TEXT NOT NULL DEFAULT '',
LastUpdate INT
);`
@@ -43,7 +43,7 @@ var txtTable = `
var txtTablePG = `
CREATE TABLE IF NOT EXISTS txt(
rowid SERIAL,
- Subdomain TEXT NOT NULL,
+ Subdomain TEXT NOT NULL PRIMARY KEY,
Value TEXT NOT NULL DEFAULT '',
LastUpdate INT
);`
@@ -250,7 +250,6 @@ func (d *acmedb) GetByUsername(u uuid.UUID) (ACMETxt, error) {
func (d *acmedb) GetTXTForDomain(domain string) ([]string, error) {
d.Lock()
defer d.Unlock()
- domain = sanitizeString(domain)
var txts []string
getSQL := `
SELECT Value FROM txt WHERE Subdomain=$1 LIMIT 2
@@ -289,9 +288,11 @@ func (d *acmedb) Update(a ACMETxtPost) error {
timenow := time.Now().Unix()
updSQL := `
- UPDATE txt SET Value=$1, LastUpdate=$2
- WHERE rowid=(
- SELECT rowid FROM txt WHERE Subdomain=$3 ORDER BY LastUpdate LIMIT 1)
+ INSERT INTO txt (Value, LastUpdate, Subdomain)
+ VALUES ($1, $2, $3)
+ ON CONFLICT (Subdomain) DO UPDATE SET
+ Value = excluded.Value,
+ LastUpdate = excluded.LastUpdate;
`
if Config.Database.Engine == "sqlite3" {
updSQL = getSQLiteStmt(updSQL)
diff --git a/db_test.go b/db_test.go
index beca9c1..b775cf4 100644
--- a/db_test.go
+++ b/db_test.go
@@ -251,19 +251,12 @@ func TestGetTXTForDomain(t *testing.T) {
t.Errorf("No rows returned for GetTXTForDomain [%s]", reg.Subdomain)
}
- var val1found = false
var val2found = false
for _, v := range regDomainSlice {
- if v == txtval1 {
- val1found = true
- }
if v == txtval2 {
val2found = true
}
}
- if !val1found {
- t.Errorf("No TXT value found for val1")
- }
if !val2found {
t.Errorf("No TXT value found for val2")
}
diff --git a/dns.go b/dns.go
index 9a3b06b..6e8b3d8 100644
--- a/dns.go
+++ b/dns.go
@@ -195,16 +195,12 @@ func (d *DNSServer) answer(q dns.Question) ([]dns.RR, int, bool, error) {
var err error
var txtRRs []dns.RR
var authoritative = d.isAuthoritative(q)
- if !d.isOwnChallenge(q.Name) && !d.answeringForDomain(q.Name) {
+ if !d.answeringForDomain(q.Name) {
rcode = dns.RcodeNameError
}
r, _ := d.getRecord(q)
if q.Qtype == dns.TypeTXT {
- if d.isOwnChallenge(q.Name) {
- txtRRs, err = d.answerOwnChallenge(q)
- } else {
- txtRRs, err = d.answerTXT(q)
- }
+ txtRRs, err = d.answerTXT(q)
if err == nil {
r = append(r, txtRRs...)
}
@@ -219,7 +215,7 @@ func (d *DNSServer) answer(q dns.Question) ([]dns.RR, int, bool, error) {
func (d *DNSServer) answerTXT(q dns.Question) ([]dns.RR, error) {
var ra []dns.RR
- subdomain := sanitizeDomainQuestion(q.Name)
+ subdomain, _ := strings.CutSuffix(sanitizeDomainQuestion(q.Name), "."+d.Domain)
atxt, err := d.DB.GetTXTForDomain(subdomain)
if err != nil {
log.WithFields(log.Fields{"error": err.Error()}).Debug("Error while trying to get record")
diff --git a/util.go b/util.go
index 163683d..007907d 100644
--- a/util.go
+++ b/util.go
@@ -83,6 +83,10 @@ func generatePassword(length int) string {
func sanitizeDomainQuestion(d string) string {
dom := strings.ToLower(d)
+ // HACK
+ if strings.HasPrefix(dom, "_acme-challenge") {
+ return dom
+ }
firstDot := strings.Index(d, ".")
if firstDot > 0 {
dom = dom[0:firstDot]
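Review bot: The static-key check in auth.go compares the header against the environment with plain `==`, and when the body fails to decode it only logs and still forwards a zero-valued postData with Direct set, which webUpdatePost then writes to the database because the Direct branch skips validSubdomain and validTXT. Use `subtle.ConstantTimeCompare([]byte(directKey), []byte(os.Getenv("ACME_DNS_DIRECT_STATIC_KEY"))) == 1` (importing crypto/subtle) and on a decode error respond with 400 and `return` before calling update. Because `Direct` is an exported, untagged field of the struct the request body is decoded into, give it a `json:"-"` struct tag so only Auth can set it; if the regular credential path also decodes the body into postData (as upstream does), the field otherwise inherits the validation bypass. Separately, `CREATE TABLE IF NOT EXISTS` will not add the new PRIMARY KEY to an already-existing txt table, so `ON CONFLICT (Subdomain)` fails on pre-existing databases until they are migrated, and with one row per subdomain the previous two-record behaviour (the read side still uses LIMIT 2) is gone, which the db_test change acknowledges but no comment explains.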


@ -0,0 +1,13 @@
diff --git a/dns.go b/dns.go
index a01fb9c..9a3b06b 100644
--- a/dns.go
+++ b/dns.go
@@ -51,7 +51,7 @@ func (d *DNSServer) Start(errorChannel chan error) {
// ParseRecords parses a slice of DNS record string
func (d *DNSServer) ParseRecords(config DNSConfig) {
for _, v := range config.General.StaticRecords {
- rr, err := dns.NewRR(strings.ToLower(v))
+ rr, err := dns.NewRR(v)
if err != nil {
log.WithFields(log.Fields{"error": err.Error(), "rr": v}).Warning("Could not parse RR from config")
continue
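Review bot: Dropping `strings.ToLower(v)` keeps record data case-intact (TXT payloads are case-sensitive), but the owner name is now stored exactly as written, and if lookups key the record table by a lowercased query name (the companion patch lowercases in sanitizeDomainQuestion), a StaticRecords entry with uppercase letters in its owner would stop matching. Lowercasing only the parsed owner name after dns.NewRR succeeds, `rr.Header().Name = strings.ToLower(rr.Header().Name)`, preserves both properties. ParseRecords's body continues outside the hunk.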


@ -1,612 +0,0 @@
commit d7d093fcb91b0d21faf36dbf62924f23b45abb9b
Author: Max <max@privatevoid.net>
Date: Sat Dec 17 14:23:59 2022 +0100
md5 to sha256 for 2.17.0
diff --git a/src/dvc_data/build.py b/src/dvc_data/build.py
index 3656ca5..3837763 100644
--- a/src/dvc_data/build.py
+++ b/src/dvc_data/build.py
@@ -63,7 +63,7 @@ def _build_file(path, fs, name, odb=None, upload_odb=None, dry_run=False):
state = odb.state if odb else None
meta, hash_info = hash_file(path, fs, name, state=state)
if upload_odb and not dry_run:
- assert odb and name == "md5"
+ assert odb and name == "sha256"
return _upload_file(path, fs, odb, upload_odb)
oid = hash_info.value
@@ -195,9 +195,9 @@ def _get_staging(odb: "HashFileDB") -> "ReferenceHashFileDB":
def _build_external_tree_info(odb, tree, name):
# NOTE: used only for external outputs. Initial reasoning was to be
# able to validate .dir files right in the workspace (e.g. check s3
- # etag), but could be dropped for manual validation with regular md5,
+ # etag), but could be dropped for manual validation with regular sha256,
# that would be universal for all clouds.
- assert odb and name != "md5"
+ assert odb and name != "sha256"
oid = tree.hash_info.value
odb.add(tree.path, tree.fs, oid)
@@ -253,7 +253,7 @@ def build(
**kwargs,
)
logger.debug("built tree '%s'", obj)
- if name != "md5":
+ if name != "sha256":
obj = _build_external_tree_info(odb, obj, name)
else:
meta, obj = _build_file(
diff --git a/src/dvc_data/cli.py b/src/dvc_data/cli.py
index 2348875..ece639a 100644
--- a/src/dvc_data/cli.py
+++ b/src/dvc_data/cli.py
@@ -29,8 +29,8 @@ from dvc_data.diff import ROOT
from dvc_data.diff import diff as _diff
from dvc_data.hashfile.db import HashFileDB
from dvc_data.hashfile.hash import algorithms_available
-from dvc_data.hashfile.hash import file_md5 as _file_md5
-from dvc_data.hashfile.hash import fobj_md5 as _fobj_md5
+from dvc_data.hashfile.hash import file_sha256 as _file_sha256
+from dvc_data.hashfile.hash import fobj_sha256 as _fobj_sha256
from dvc_data.hashfile.hash_info import HashInfo
from dvc_data.hashfile.obj import HashFile
from dvc_data.hashfile.state import State
@@ -93,7 +93,7 @@ app = Application(
@app.command(name="hash", help="Compute checksum of the file")
def hash_file(
file: Path = file_type,
- name: HashEnum = typer.Option("md5", "-n", "--name"),
+ name: HashEnum = typer.Option("sha256", "-n", "--name"),
progress: bool = typer.Option(False, "--progress", "-p"),
text: Optional[bool] = typer.Option(None, "--text/--binary", "-t/-b"),
):
@@ -108,9 +108,9 @@ def hash_file(
with callback:
if path == "-":
fobj = callback.wrap_attr(sys.stdin.buffer)
- hash_value = _fobj_md5(fobj, text=text, name=hash_name)
+ hash_value = _fobj_sha256(fobj, text=text, name=hash_name)
else:
- hash_value = _file_md5(
+ hash_value = _file_sha256(
path, name=hash_name, callback=callback, text=text
)
print(hash_name, hash_value, sep=": ")
@@ -262,7 +262,7 @@ def build(
fs = MemoryFileSystem()
fs.put_file(sys.stdin.buffer, fs_path)
- object_store, _, obj = _build(odb, fs_path, fs, name="md5")
+ object_store, _, obj = _build(odb, fs_path, fs, name="sha256")
if write:
_transfer(
object_store,
@@ -285,7 +285,7 @@ def ls(oid: str = typer.Argument(..., allow_dash=True)):
odb = get_odb()
oid = from_shortoid(odb, oid)
try:
- tree = Tree.load(odb, HashInfo("md5", oid))
+ tree = Tree.load(odb, HashInfo("sha256", oid))
except ObjectFormatError as exc:
typer.echo(exc, err=True)
raise typer.Exit(1) from exc
@@ -454,7 +454,7 @@ def apply_op(odb, obj, application):
)
fs = LocalFileSystem()
- _, meta, new_obj = _build(odb, path, fs, "md5")
+ _, meta, new_obj = _build(odb, path, fs, "sha256")
odb.add(path, fs, new_obj.hash_info.value, hardlink=False)
return obj.add(new, meta, new_obj.hash_info)
diff --git a/src/dvc_data/fs.py b/src/dvc_data/fs.py
index c972981..ac45ad3 100644
--- a/src/dvc_data/fs.py
+++ b/src/dvc_data/fs.py
@@ -47,7 +47,7 @@ class DataFileSystem(AbstractFileSystem): # pylint:disable=abstract-method
if info["type"] == "directory":
raise IsADirectoryError
- value = info.get("md5")
+ value = info.get("sha256")
if not value:
raise FileNotFoundError
@@ -142,7 +142,7 @@ class DataFileSystem(AbstractFileSystem): # pylint:disable=abstract-method
def checksum(self, path):
info = self.info(path)
- md5 = info.get("md5")
- if md5:
- return md5
+ sha256 = info.get("sha256")
+ if sha256:
+ return sha256
raise NotImplementedError
diff --git a/src/dvc_data/hashfile/hash.py b/src/dvc_data/hashfile/hash.py
index 9bef01d..03f731c 100644
--- a/src/dvc_data/hashfile/hash.py
+++ b/src/dvc_data/hashfile/hash.py
@@ -42,7 +42,7 @@ class HashStreamFile(io.IOBase):
def __init__(
self,
fobj: BinaryIO,
- hash_name: str = "md5",
+ hash_name: str = "sha256",
text: Optional[bool] = None,
) -> None:
self.fobj = fobj
@@ -77,11 +77,11 @@ class HashStreamFile(io.IOBase):
return self.hasher.name
-def fobj_md5(
+def fobj_sha256(
fobj: BinaryIO,
chunk_size: int = 2**20,
text: Optional[bool] = None,
- name="md5",
+ name="sha256",
) -> str:
# ideally, we want the heuristics to be applied in a similar way,
# regardless of the size of the first chunk,
@@ -95,17 +95,17 @@ def fobj_md5(
return stream.hash_value
-def file_md5(
+def file_sha256(
fname: "AnyFSPath",
fs: "FileSystem" = localfs,
callback: "Callback" = DEFAULT_CALLBACK,
text: Optional[bool] = None,
- name: str = "md5",
+ name: str = "sha256",
) -> str:
size = fs.size(fname) or 0
callback.set_size(size)
with fs.open(fname, "rb") as fobj:
- return fobj_md5(callback.wrap_attr(fobj), text=text, name=name)
+ return fobj_sha256(callback.wrap_attr(fobj), text=text, name=name)
def _adapt_info(info: Dict[str, Any], scheme: str) -> Dict[str, Any]:
@@ -139,8 +139,8 @@ def _hash_file(
func = getattr(fs, name)
return str(func(path)), info
- if name == "md5":
- return file_md5(path, fs, callback=callback), info
+ if name == "sha256":
+ return file_sha256(path, fs, callback=callback), info
raise NotImplementedError
@@ -162,7 +162,7 @@ class LargeFileHashingCallback(TqdmCallback):
if self.size and self.size > self.LARGE_FILE_SIZE:
if not self._logged:
logger.info(
- f"Computing md5 for a large file '{self.fname}'. "
+ f"Computing sha256 for a large file '{self.fname}'. "
"This is only done once."
)
self._logged = True
diff --git a/src/dvc_data/hashfile/utils.py b/src/dvc_data/hashfile/utils.py
index ea2da9c..b1e7726 100644
--- a/src/dvc_data/hashfile/utils.py
+++ b/src/dvc_data/hashfile/utils.py
@@ -38,7 +38,7 @@ def get_mtime_and_size(
# We track file changes and moves, which cannot be detected with simply
# max(mtime(f) for f in non_ignored_files)
- hasher = hashlib.md5()
+ hasher = hashlib.sha256()
hasher.update(json.dumps(files_mtimes, sort_keys=True).encode("utf-8"))
mtime = hasher.hexdigest()
return mtime, size
diff --git a/src/dvc_data/objects/tree.py b/src/dvc_data/objects/tree.py
index 4f11fa4..7c8b417 100644
--- a/src/dvc_data/objects/tree.py
+++ b/src/dvc_data/objects/tree.py
@@ -81,7 +81,7 @@ class Tree(HashFile):
memfs.pipe_file(path, self.as_bytes())
self.fs = memfs
self.path = path
- _, self.hash_info = hash_file(path, memfs, "md5")
+ _, self.hash_info = hash_file(path, memfs, "sha256")
assert self.hash_info.value
self.hash_info.value += ".dir"
self.oid = self.hash_info.value
diff --git a/tests/hashfile/test_hash.py b/tests/hashfile/test_hash.py
index ca920d8..59bf765 100644
--- a/tests/hashfile/test_hash.py
+++ b/tests/hashfile/test_hash.py
@@ -2,21 +2,21 @@ from os import fspath
from dvc_objects.fs import LocalFileSystem
-from dvc_data.hashfile.hash import file_md5
+from dvc_data.hashfile.hash import file_sha256
-def test_file_md5(tmp_path):
+def test_file_sha256(tmp_path):
foo = tmp_path / "foo"
foo.write_text("foo content", encoding="utf8")
fs = LocalFileSystem()
- assert file_md5(fspath(foo), fs) == file_md5(fspath(foo), fs)
+ assert file_sha256(fspath(foo), fs) == file_sha256(fspath(foo), fs)
-def test_file_md5_crlf(tmp_path):
+def test_file_sha256_crlf(tmp_path):
fs = LocalFileSystem()
cr = tmp_path / "cr"
crlf = tmp_path / "crlf"
cr.write_bytes(b"a\nb\nc")
crlf.write_bytes(b"a\r\nb\r\nc")
- assert file_md5(fspath(cr), fs) == file_md5(fspath(crlf), fs)
+ assert file_sha256(fspath(cr), fs) == file_sha256(fspath(crlf), fs)
diff --git a/tests/hashfile/test_hash_stream.py b/tests/hashfile/test_hash_stream.py
index a003a29..e67b7c1 100644
--- a/tests/hashfile/test_hash_stream.py
+++ b/tests/hashfile/test_hash_stream.py
@@ -3,7 +3,7 @@ from os import fspath
import pytest
from dvc_objects.fs import LocalFileSystem
-from dvc_data.hashfile.hash import HashStreamFile, file_md5
+from dvc_data.hashfile.hash import HashStreamFile, file_sha256
from dvc_data.hashfile.istextfile import DEFAULT_CHUNK_SIZE, istextfile
@@ -23,7 +23,7 @@ def test_hashed_stream_reader(tmp_path):
assert stream_reader.read(1) == b"o"
assert stream_reader.tell() == 3
- hex_digest = file_md5(fspath(foo), LocalFileSystem())
+ hex_digest = file_sha256(fspath(foo), LocalFileSystem())
assert stream_reader.is_text
assert hex_digest == stream_reader.hash_value
@@ -46,7 +46,7 @@ def test_hashed_stream_reader_as_chunks(tmp_path):
assert stream_reader.tell() == actual_size == total_read
- hex_digest = file_md5(fspath(foo), LocalFileSystem())
+ hex_digest = file_sha256(fspath(foo), LocalFileSystem())
assert not stream_reader.is_text
assert hex_digest == stream_reader.hash_value
@@ -68,7 +68,7 @@ def test_hashed_stream_reader_compatibility(tmp_path, contents):
stream_reader.read(chunk_size)
local_fs = LocalFileSystem()
- hex_digest = file_md5(fspath(data), local_fs)
+ hex_digest = file_sha256(fspath(data), local_fs)
assert stream_reader.is_text is istextfile(fspath(data), local_fs)
assert stream_reader.hash_value == hex_digest
diff --git a/tests/hashfile/test_obj.py b/tests/hashfile/test_obj.py
index 01e9fc2..6c47b3c 100644
--- a/tests/hashfile/test_obj.py
+++ b/tests/hashfile/test_obj.py
@@ -3,7 +3,7 @@ from dvc_data.hashfile.obj import HashFile
def test_obj(tmp_upath):
- hash_info = HashInfo("md5", "123456")
+ hash_info = HashInfo("sha256", "123456")
obj = HashFile(tmp_upath, tmp_upath.fs, hash_info)
assert obj.path == tmp_upath
assert obj.fs == tmp_upath.fs
diff --git a/tests/objects/test_tree.py b/tests/objects/test_tree.py
index 6c514ba..611a72f 100644
--- a/tests/objects/test_tree.py
+++ b/tests/objects/test_tree.py
@@ -13,57 +13,57 @@ from dvc_data.objects.tree import Tree, _merge
([], {}),
(
[
- {"md5": "def", "relpath": "zzz"},
- {"md5": "123", "relpath": "foo"},
- {"md5": "abc", "relpath": "aaa"},
- {"md5": "456", "relpath": "bar"},
+ {"sha256": "def", "relpath": "zzz"},
+ {"sha256": "123", "relpath": "foo"},
+ {"sha256": "abc", "relpath": "aaa"},
+ {"sha256": "456", "relpath": "bar"},
],
{
- ("zzz",): (None, HashInfo("md5", "def")),
- ("foo",): (None, HashInfo("md5", "123")),
- ("bar",): (None, HashInfo("md5", "456")),
- ("aaa",): (None, HashInfo("md5", "abc")),
+ ("zzz",): (None, HashInfo("sha256", "def")),
+ ("foo",): (None, HashInfo("sha256", "123")),
+ ("bar",): (None, HashInfo("sha256", "456")),
+ ("aaa",): (None, HashInfo("sha256", "abc")),
},
),
(
[
- {"md5": "123", "relpath": "dir/b"},
- {"md5": "456", "relpath": "dir/z"},
- {"md5": "789", "relpath": "dir/a"},
- {"md5": "abc", "relpath": "b"},
- {"md5": "def", "relpath": "a"},
- {"md5": "ghi", "relpath": "z"},
- {"md5": "jkl", "relpath": "dir/subdir/b"},
- {"md5": "mno", "relpath": "dir/subdir/z"},
- {"md5": "pqr", "relpath": "dir/subdir/a"},
+ {"sha256": "123", "relpath": "dir/b"},
+ {"sha256": "456", "relpath": "dir/z"},
+ {"sha256": "789", "relpath": "dir/a"},
+ {"sha256": "abc", "relpath": "b"},
+ {"sha256": "def", "relpath": "a"},
+ {"sha256": "ghi", "relpath": "z"},
+ {"sha256": "jkl", "relpath": "dir/subdir/b"},
+ {"sha256": "mno", "relpath": "dir/subdir/z"},
+ {"sha256": "pqr", "relpath": "dir/subdir/a"},
],
{
("dir", "b"): (
None,
- HashInfo("md5", "123"),
+ HashInfo("sha256", "123"),
),
("dir", "z"): (
None,
- HashInfo("md5", "456"),
+ HashInfo("sha256", "456"),
),
("dir", "a"): (
None,
- HashInfo("md5", "789"),
+ HashInfo("sha256", "789"),
),
- ("b",): (None, HashInfo("md5", "abc")),
- ("a",): (None, HashInfo("md5", "def")),
- ("z",): (None, HashInfo("md5", "ghi")),
+ ("b",): (None, HashInfo("sha256", "abc")),
+ ("a",): (None, HashInfo("sha256", "def")),
+ ("z",): (None, HashInfo("sha256", "ghi")),
("dir", "subdir", "b"): (
None,
- HashInfo("md5", "jkl"),
+ HashInfo("sha256", "jkl"),
),
("dir", "subdir", "z"): (
None,
- HashInfo("md5", "mno"),
+ HashInfo("sha256", "mno"),
),
("dir", "subdir", "a"): (
None,
- HashInfo("md5", "pqr"),
+ HashInfo("sha256", "pqr"),
),
},
),
@@ -81,19 +81,19 @@ def test_list(lst, trie_dict):
({}, 0),
(
{
- ("a",): (Meta(size=1), HashInfo("md5", "abc")),
- ("b",): (Meta(size=2), HashInfo("md5", "def")),
- ("c",): (Meta(size=3), HashInfo("md5", "ghi")),
- ("dir", "foo"): (Meta(size=4), HashInfo("md5", "jkl")),
- ("dir", "bar"): (Meta(size=5), HashInfo("md5", "mno")),
- ("dir", "baz"): (Meta(size=6), HashInfo("md5", "pqr")),
+ ("a",): (Meta(size=1), HashInfo("sha256", "abc")),
+ ("b",): (Meta(size=2), HashInfo("sha256", "def")),
+ ("c",): (Meta(size=3), HashInfo("sha256", "ghi")),
+ ("dir", "foo"): (Meta(size=4), HashInfo("sha256", "jkl")),
+ ("dir", "bar"): (Meta(size=5), HashInfo("sha256", "mno")),
+ ("dir", "baz"): (Meta(size=6), HashInfo("sha256", "pqr")),
},
6,
),
(
{
- ("a",): (Meta(size=1), HashInfo("md5", "abc")),
- ("b",): (Meta(), HashInfo("md5", "def")),
+ ("a",): (Meta(size=1), HashInfo("sha256", "abc")),
+ ("b",): (Meta(), HashInfo("sha256", "def")),
},
2,
),
@@ -110,15 +110,15 @@ def test_nfiles(trie_dict, nfiles):
[
{},
{
- ("a",): (None, HashInfo("md5", "abc")),
- ("b",): (None, HashInfo("md5", "def")),
- ("c",): (None, HashInfo("md5", "ghi")),
- ("dir", "foo"): (None, HashInfo("md5", "jkl")),
- ("dir", "bar"): (None, HashInfo("md5", "mno")),
- ("dir", "baz"): (None, HashInfo("md5", "pqr")),
- ("dir", "subdir", "1"): (None, HashInfo("md5", "stu")),
- ("dir", "subdir", "2"): (None, HashInfo("md5", "vwx")),
- ("dir", "subdir", "3"): (None, HashInfo("md5", "yz")),
+ ("a",): (None, HashInfo("sha256", "abc")),
+ ("b",): (None, HashInfo("sha256", "def")),
+ ("c",): (None, HashInfo("sha256", "ghi")),
+ ("dir", "foo"): (None, HashInfo("sha256", "jkl")),
+ ("dir", "bar"): (None, HashInfo("sha256", "mno")),
+ ("dir", "baz"): (None, HashInfo("sha256", "pqr")),
+ ("dir", "subdir", "1"): (None, HashInfo("sha256", "stu")),
+ ("dir", "subdir", "2"): (None, HashInfo("sha256", "vwx")),
+ ("dir", "subdir", "3"): (None, HashInfo("sha256", "yz")),
},
],
)
@@ -135,63 +135,63 @@ def test_items(trie_dict):
[
({}, {}, {}, {}),
(
- {("foo",): HashInfo("md5", "123")},
+ {("foo",): HashInfo("sha256", "123")},
{
- ("foo",): HashInfo("md5", "123"),
- ("bar",): HashInfo("md5", "345"),
+ ("foo",): HashInfo("sha256", "123"),
+ ("bar",): HashInfo("sha256", "345"),
},
{
- ("foo",): HashInfo("md5", "123"),
- ("baz",): HashInfo("md5", "678"),
+ ("foo",): HashInfo("sha256", "123"),
+ ("baz",): HashInfo("sha256", "678"),
},
{
- ("foo",): HashInfo("md5", "123"),
- ("bar",): HashInfo("md5", "345"),
- ("baz",): HashInfo("md5", "678"),
+ ("foo",): HashInfo("sha256", "123"),
+ ("bar",): HashInfo("sha256", "345"),
+ ("baz",): HashInfo("sha256", "678"),
},
),
(
{
- ("common",): HashInfo("md5", "123"),
- ("subdir", "foo"): HashInfo("md5", "345"),
+ ("common",): HashInfo("sha256", "123"),
+ ("subdir", "foo"): HashInfo("sha256", "345"),
},
{
- ("common",): HashInfo("md5", "123"),
- ("subdir", "foo"): HashInfo("md5", "345"),
- ("subdir", "bar"): HashInfo("md5", "678"),
+ ("common",): HashInfo("sha256", "123"),
+ ("subdir", "foo"): HashInfo("sha256", "345"),
+ ("subdir", "bar"): HashInfo("sha256", "678"),
},
{
- ("common",): HashInfo("md5", "123"),
- ("subdir", "foo"): HashInfo("md5", "345"),
- ("subdir", "baz"): HashInfo("md5", "91011"),
+ ("common",): HashInfo("sha256", "123"),
+ ("subdir", "foo"): HashInfo("sha256", "345"),
+ ("subdir", "baz"): HashInfo("sha256", "91011"),
},
{
- ("common",): HashInfo("md5", "123"),
- ("subdir", "foo"): HashInfo("md5", "345"),
- ("subdir", "bar"): HashInfo("md5", "678"),
- ("subdir", "baz"): HashInfo("md5", "91011"),
+ ("common",): HashInfo("sha256", "123"),
+ ("subdir", "foo"): HashInfo("sha256", "345"),
+ ("subdir", "bar"): HashInfo("sha256", "678"),
+ ("subdir", "baz"): HashInfo("sha256", "91011"),
},
),
(
{},
- {("foo",): HashInfo("md5", "123")},
- {("bar",): HashInfo("md5", "456")},
+ {("foo",): HashInfo("sha256", "123")},
+ {("bar",): HashInfo("sha256", "456")},
{
- ("foo",): HashInfo("md5", "123"),
- ("bar",): HashInfo("md5", "456"),
+ ("foo",): HashInfo("sha256", "123"),
+ ("bar",): HashInfo("sha256", "456"),
},
),
(
{},
{},
- {("bar",): HashInfo("md5", "123")},
- {("bar",): HashInfo("md5", "123")},
+ {("bar",): HashInfo("sha256", "123")},
+ {("bar",): HashInfo("sha256", "123")},
),
(
{},
- {("bar",): HashInfo("md5", "123")},
+ {("bar",): HashInfo("sha256", "123")},
{},
- {("bar",): HashInfo("md5", "123")},
+ {("bar",): HashInfo("sha256", "123")},
),
],
)
diff --git a/tests/test_index.py b/tests/test_index.py
index c6404fa..635bf66 100644
--- a/tests/test_index.py
+++ b/tests/test_index.py
@@ -17,8 +17,8 @@ def odb(tmp_upath_factory, as_filesystem):
data = tmp_upath_factory.mktemp() / "data.dir"
data.write_bytes(
- b'[{"md5": "c157a79031e1c40f85931829bc5fc552", "relpath": "bar"}, '
- b'{"md5": "258622b1688250cb619f3c9ccaefb7eb", "relpath": "baz"}]'
+ b'[{"sha256": "c157a79031e1c40f85931829bc5fc552", "relpath": "bar"}, '
+ b'{"sha256": "258622b1688250cb619f3c9ccaefb7eb", "relpath": "baz"}]'
)
bar = tmp_upath_factory.mktemp() / "bar"
@@ -46,13 +46,13 @@ def test_fs(tmp_upath, odb, as_filesystem):
("foo",): DataIndexEntry(
odb=odb,
hash_info=HashInfo(
- name="md5", value="d3b07384d113edec49eaa6238ad5ff00"
+ name="sha256", value="d3b07384d113edec49eaa6238ad5ff00"
),
),
("data",): DataIndexEntry(
odb=odb,
hash_info=HashInfo(
- name="md5",
+ name="sha256",
value="1f69c66028c35037e8bf67e5bc4ceb6a.dir",
),
),
@@ -80,22 +80,22 @@ def test_build(tmp_upath, odb, as_filesystem):
},
)
build(index, tmp_upath, as_filesystem(tmp_upath.fs))
- assert index[("foo",)].hash_info.name == "md5"
+ assert index[("foo",)].hash_info.name == "sha256"
assert (
index[("foo",)].hash_info.value == "d3b07384d113edec49eaa6238ad5ff00"
)
assert index[("foo",)].odb == odb
- assert index[("data",)].hash_info.name == "md5"
+ assert index[("data",)].hash_info.name == "sha256"
assert (
index[("data",)].hash_info.value
== "1f69c66028c35037e8bf67e5bc4ceb6a.dir"
)
- assert index[("data", "bar")].hash_info.name == "md5"
+ assert index[("data", "bar")].hash_info.name == "sha256"
assert (
index[("data", "bar")].hash_info.value
== "c157a79031e1c40f85931829bc5fc552"
)
- assert index[("data", "baz")].hash_info.name == "md5"
+ assert index[("data", "baz")].hash_info.name == "sha256"
assert (
index[("data", "baz")].hash_info.value
== "258622b1688250cb619f3c9ccaefb7eb"
@@ -108,13 +108,13 @@ def test_checkout(tmp_upath, odb, as_filesystem):
("foo",): DataIndexEntry(
odb=odb,
hash_info=HashInfo(
- name="md5", value="d3b07384d113edec49eaa6238ad5ff00"
+ name="sha256", value="d3b07384d113edec49eaa6238ad5ff00"
),
),
("data",): DataIndexEntry(
odb=odb,
hash_info=HashInfo(
- name="md5",
+ name="sha256",
value="1f69c66028c35037e8bf67e5bc4ceb6a.dir",
),
),


@ -1,71 +0,0 @@
commit 2065fc148ce77be68c95a81a05391e1bb35da79d
Author: Max <max@privatevoid.net>
Date: Sat Dec 17 14:35:20 2022 +0100
md5 to sha256 for 2.17.0
diff --git a/src/dvc_objects/db.py b/src/dvc_objects/db.py
index 0f0ab16..3b87fdb 100644
--- a/src/dvc_objects/db.py
+++ b/src/dvc_objects/db.py
@@ -229,7 +229,7 @@ class ObjectDB:
returned.
NOTE: For large remotes the list of oids will be very
- big(e.g. 100M entries, md5 for each is 32 bytes, so ~3200Mb list)
+ big(e.g. 100M entries, sha256 for each is 32 bytes, so ~3200Mb list)
and we don't really need all of it at the same time, so it makes
sense to use a generator to gradually iterate over it, without
keeping all of it in memory.
diff --git a/src/dvc_objects/fs/__init__.py b/src/dvc_objects/fs/__init__.py
index d236fdc..74db3fe 100644
--- a/src/dvc_objects/fs/__init__.py
+++ b/src/dvc_objects/fs/__init__.py
@@ -62,7 +62,7 @@ def get_fs_cls(remote_conf, cls=None, scheme=None):
def as_filesystem(
fs: "AbstractFileSystem",
- checksum: str = "md5",
+ checksum: str = "sha256",
object_based: bool = False,
**fs_args,
) -> "FileSystem":
diff --git a/src/dvc_objects/fs/implementations/local.py b/src/dvc_objects/fs/implementations/local.py
index 7f888ec..3e1a61a 100644
--- a/src/dvc_objects/fs/implementations/local.py
+++ b/src/dvc_objects/fs/implementations/local.py
@@ -167,7 +167,7 @@ class LocalFileSystem(FileSystem):
sep = os.sep
protocol = "local"
- PARAM_CHECKSUM = "md5"
+ PARAM_CHECKSUM = "sha256"
PARAM_PATH = "path"
TRAVERSE_PREFIX_LEN = 2
diff --git a/src/dvc_objects/fs/implementations/memory.py b/src/dvc_objects/fs/implementations/memory.py
index 97702cb..c5b5ad7 100644
--- a/src/dvc_objects/fs/implementations/memory.py
+++ b/src/dvc_objects/fs/implementations/memory.py
@@ -3,7 +3,7 @@ from ..base import FileSystem
class MemoryFileSystem(FileSystem): # pylint:disable=abstract-method
protocol = "memory"
- PARAM_CHECKSUM = "md5"
+ PARAM_CHECKSUM = "sha256"
def __init__(self, global_store=True, trie_based=False, fs=None, **kwargs):
super().__init__(fs=fs, **kwargs)
diff --git a/src/dvc_objects/fs/implementations/ssh.py b/src/dvc_objects/fs/implementations/ssh.py
index 8b93faf..8aed5e4 100644
--- a/src/dvc_objects/fs/implementations/ssh.py
+++ b/src/dvc_objects/fs/implementations/ssh.py
@@ -24,7 +24,7 @@ def ask_password(host, user, port):
class SSHFileSystem(FileSystem):
protocol = "ssh"
REQUIRES = {"sshfs": "sshfs"}
- PARAM_CHECKSUM = "md5"
+ PARAM_CHECKSUM = "sha256"
@classmethod
def _strip_protocol(cls, path: str) -> str:


@ -1,267 +0,0 @@
diff --git a/dvc/analytics.py b/dvc/analytics.py
deleted file mode 100644
index 6e3dc91..0000000
--- a/dvc/analytics.py
+++ /dev/null
@@ -1,156 +0,0 @@
-import json
-import logging
-import os
-
-from .env import DVC_NO_ANALYTICS
-
-logger = logging.getLogger(__name__)
-
-
-def collect_and_send_report(args=None, return_code=None):
- """
- Collect information from the runtime/environment and the command
- being executed into a report and send it over the network.
-
- To prevent analytics from blocking the execution of the main thread,
- sending the report is done in a separate process.
-
- The inter-process communication happens through a file containing the
- report as a JSON, where the _collector_ generates it and the _sender_
- removes it after sending it.
- """
- import tempfile
-
- from dvc.daemon import daemon
-
- report = {}
-
- # Include command execution information on the report only when available.
- if args and hasattr(args, "func"):
- report.update({"cmd_class": args.func.__name__})
-
- if return_code is not None:
- report.update({"cmd_return_code": return_code})
-
- with tempfile.NamedTemporaryFile(delete=False, mode="w") as fobj:
- json.dump(report, fobj)
- daemon(["analytics", fobj.name])
-
-
-def is_enabled():
- from dvc.config import Config, to_bool
- from dvc.utils import env2bool
-
- if env2bool("DVC_TEST"):
- return False
-
- enabled = not os.getenv(DVC_NO_ANALYTICS)
- if enabled:
- enabled = to_bool(
- Config.from_cwd(validate=False).get("core", {}).get("analytics", "true")
- )
-
- logger.debug("Analytics is %sabled.", "en" if enabled else "dis")
-
- return enabled
-
-
-def send(path):
- """
- Side effect: Removes the report after sending it.
-
- The report is generated and stored in a temporary file, see:
- `collect_and_send_report`. Sending happens on another process,
- thus, the need of removing such file afterwards.
- """
- import requests
-
- url = "https://analytics.dvc.org"
- headers = {"content-type": "application/json"}
-
- with open(path, encoding="utf-8") as fobj:
- report = json.load(fobj)
-
- report.update(_runtime_info())
-
- try:
- requests.post(url, json=report, headers=headers, timeout=5)
- except requests.exceptions.RequestException:
- logger.debug("failed to send analytics report", exc_info=True)
-
- os.remove(path)
-
-
-def _scm_in_use():
- from dvc.exceptions import NotDvcRepoError
- from dvc.repo import Repo
- from dvc.scm import NoSCM
-
- from .scm import SCM, SCMError
-
- try:
- scm = SCM(root_dir=Repo.find_root())
- return type(scm).__name__
- except SCMError:
- return NoSCM.__name__
- except NotDvcRepoError:
- pass
-
-
-def _runtime_info():
- """
- Gather information from the environment where DVC runs to fill a report.
- """
- from iterative_telemetry import _generate_ci_id, find_or_create_user_id
-
- from dvc import __version__
- from dvc.utils import is_binary
-
- ci_id = _generate_ci_id()
- if ci_id:
- group_id, user_id = ci_id
- else:
- group_id, user_id = None, find_or_create_user_id()
-
- return {
- "dvc_version": __version__,
- "is_binary": is_binary(),
- "scm_class": _scm_in_use(),
- "system_info": _system_info(),
- "user_id": user_id,
- "group_id": group_id,
- }
-
-
-def _system_info():
- import platform
- import sys
-
- import distro
-
- system = platform.system()
-
- if system == "Windows":
- version = sys.getwindowsversion() # type: ignore[attr-defined]
-
- return {
- "os": "windows",
- "windows_version_build": version.build,
- "windows_version_major": version.major,
- "windows_version_minor": version.minor,
- "windows_version_service_pack": version.service_pack,
- }
-
- if system == "Darwin":
- return {"os": "mac", "mac_version": platform.mac_ver()[0]}
-
- if system == "Linux":
- return {
- "os": "linux",
- "linux_distro": distro.id(),
- "linux_distro_like": distro.like(),
- "linux_distro_version": distro.version(),
- }
-
- # We don't collect data for any other system.
- raise NotImplementedError
diff --git a/dvc/cli/__init__.py b/dvc/cli/__init__.py
index 274b564..b601d84 100644
--- a/dvc/cli/__init__.py
+++ b/dvc/cli/__init__.py
@@ -236,11 +236,6 @@ def main(argv=None): # noqa: C901, PLR0912, PLR0915
ret = _log_exceptions(exc) or 255
try:
- from dvc import analytics
-
- if analytics.is_enabled():
- analytics.collect_and_send_report(args, ret)
-
return ret
finally:
logger.setLevel(outer_log_level)
diff --git a/dvc/commands/daemon.py b/dvc/commands/daemon.py
index 35d6e90..d5a7b6e 100644
--- a/dvc/commands/daemon.py
+++ b/dvc/commands/daemon.py
@@ -26,15 +26,6 @@ class CmdDaemonUpdater(CmdDaemonBase):
return 0
-class CmdDaemonAnalytics(CmdDaemonBase):
- def run(self):
- from dvc import analytics
-
- analytics.send(self.args.target)
-
- return 0
-
-
def add_parser(subparsers, parent_parser):
DAEMON_HELP = "Service daemon."
daemon_parser = subparsers.add_parser(
@@ -59,15 +50,3 @@ def add_parser(subparsers, parent_parser):
help=DAEMON_UPDATER_HELP,
)
daemon_updater_parser.set_defaults(func=CmdDaemonUpdater)
-
- DAEMON_ANALYTICS_HELP = "Send dvc usage analytics."
- daemon_analytics_parser = daemon_subparsers.add_parser(
- "analytics",
- parents=[parent_parser],
- description=DAEMON_ANALYTICS_HELP,
- help=DAEMON_ANALYTICS_HELP,
- )
- daemon_analytics_parser.add_argument(
- "target", help="Analytics file."
- ).complete = completion.FILE
- daemon_analytics_parser.set_defaults(func=CmdDaemonAnalytics)
diff --git a/dvc/commands/init.py b/dvc/commands/init.py
index ca44919..05730aa 100644
--- a/dvc/commands/init.py
+++ b/dvc/commands/init.py
@@ -3,7 +3,6 @@ import logging
import colorama
-from dvc import analytics
from dvc.cli.command import CmdBaseNoRepo
from dvc.cli.utils import append_doc_link
from dvc.utils import boxify
@@ -15,16 +14,6 @@ logger = logging.getLogger(__name__)
def _welcome_message():
from dvc.ui import ui
- if analytics.is_enabled():
- ui.write(
- boxify(
- "DVC has enabled anonymous aggregate usage analytics.\n"
- "Read the analytics documentation (and how to opt-out) here:\n"
- + fmt_link("https://dvc.org/doc/user-guide/analytics"),
- border_color="red",
- )
- )
-
msg = (
"{yellow}What's next?{nc}\n"
"{yellow}------------{nc}\n"
diff --git a/dvc/config_schema.py b/dvc/config_schema.py
index 2e36e90..3d9e402 100644
--- a/dvc/config_schema.py
+++ b/dvc/config_schema.py
@@ -144,7 +144,6 @@ SCHEMA = {
"remote": Lower,
"checksum_jobs": All(Coerce(int), Range(1)),
Optional("interactive", default=False): Bool,
- Optional("analytics", default=True): Bool,
Optional("hardlink_lock", default=False): Bool,
Optional("no_scm", default=False): Bool,
Optional("autostage", default=False): Bool,
diff --git a/dvc/env.py b/dvc/env.py
index 081ec9d..06c1332 100644
--- a/dvc/env.py
+++ b/dvc/env.py
@@ -7,7 +7,6 @@ DVC_EXP_GIT_REMOTE = "DVC_EXP_GIT_REMOTE"
DVC_EXP_NAME = "DVC_EXP_NAME"
DVC_GLOBAL_CONFIG_DIR = "DVC_GLOBAL_CONFIG_DIR"
DVC_IGNORE_ISATTY = "DVC_IGNORE_ISATTY"
-DVC_NO_ANALYTICS = "DVC_NO_ANALYTICS"
DVC_PAGER = "DVC_PAGER"
DVC_ROOT = "DVC_ROOT"
DVC_SHOW_TRACEBACK = "DVC_SHOW_TRACEBACK"


@ -54,8 +54,31 @@ index 11cae4e..ffef3fa 100644
#[derive(Clone)] #[derive(Clone)]
pub struct Db(pub(crate) Arc<dyn IDb>); pub struct Db(pub(crate) Arc<dyn IDb>);
diff --git a/src/format-table/lib.rs b/src/format-table/lib.rs
index 55252ba..4d8caf1 100644
--- a/src/format-table/lib.rs
+++ b/src/format-table/lib.rs
@@ -13,6 +13,18 @@
//! A table to be formatted is a `Vec<String>`, containing one string per line.
//! Table columns in each line are separated by a `\t` character.
+use std::io::Write;
+
+macro_rules! print {
+ () => (print!("\n"));
+ ($fmt:expr) => ({
+ write!(std::io::stdout(), $fmt).unwrap_or(())
+ });
+ ($fmt:expr, $($arg:tt)*) => ({
+ write!(std::io::stdout(), $fmt, $($arg)*).unwrap_or(())
+ })
+}
+
/// Format a table and return the result as a string.
pub fn format_table_to_string(data: Vec<String>) -> String {
let data = data
diff --git a/src/garage/cli/cmd.rs b/src/garage/cli/cmd.rs diff --git a/src/garage/cli/cmd.rs b/src/garage/cli/cmd.rs
index 0d73588..6bf4ecc 100644 index cb7a898..97093e6 100644
--- a/src/garage/cli/cmd.rs --- a/src/garage/cli/cmd.rs
+++ b/src/garage/cli/cmd.rs +++ b/src/garage/cli/cmd.rs
@@ -13,6 +13,28 @@ use garage_model::helper::error::Error as HelperError; @@ -13,6 +13,28 @@ use garage_model::helper::error::Error as HelperError;
@ -111,7 +134,7 @@ index 20813f1..f4baea2 100644
pub fn node_id_command(config_file: PathBuf, quiet: bool) -> Result<(), Error> { pub fn node_id_command(config_file: PathBuf, quiet: bool) -> Result<(), Error> {
diff --git a/src/garage/cli/layout.rs b/src/garage/cli/layout.rs diff --git a/src/garage/cli/layout.rs b/src/garage/cli/layout.rs
index 3884bb9..ef55a66 100644 index dc5315a..193fd97 100644
--- a/src/garage/cli/layout.rs --- a/src/garage/cli/layout.rs
+++ b/src/garage/cli/layout.rs +++ b/src/garage/cli/layout.rs
@@ -8,6 +8,28 @@ use garage_rpc::*; @@ -8,6 +8,28 @@ use garage_rpc::*;
@ -144,7 +167,7 @@ index 3884bb9..ef55a66 100644
cmd: LayoutOperation, cmd: LayoutOperation,
system_rpc_endpoint: &Endpoint<SystemRpc, ()>, system_rpc_endpoint: &Endpoint<SystemRpc, ()>,
diff --git a/src/garage/cli/util.rs b/src/garage/cli/util.rs diff --git a/src/garage/cli/util.rs b/src/garage/cli/util.rs
index 2c6be2f..db6f25d 100644 index 1140cf2..e4c4d18 100644
--- a/src/garage/cli/util.rs --- a/src/garage/cli/util.rs
+++ b/src/garage/cli/util.rs +++ b/src/garage/cli/util.rs
@@ -17,6 +17,28 @@ use garage_model::s3::version_table::Version; @@ -17,6 +17,28 @@ use garage_model::s3::version_table::Version;
@ -177,10 +200,10 @@ index 2c6be2f..db6f25d 100644
println!("List of buckets:"); println!("List of buckets:");
diff --git a/src/k2v-client/bin/k2v-cli.rs b/src/k2v-client/bin/k2v-cli.rs diff --git a/src/k2v-client/bin/k2v-cli.rs b/src/k2v-client/bin/k2v-cli.rs
index cdd63cc..dfa4df4 100644 index b9461c8..b9cc148 100644
--- a/src/k2v-client/bin/k2v-cli.rs --- a/src/k2v-client/bin/k2v-cli.rs
+++ b/src/k2v-client/bin/k2v-cli.rs +++ b/src/k2v-client/bin/k2v-cli.rs
@@ -11,6 +11,28 @@ use rusoto_core::Region; @@ -10,6 +10,28 @@ use format_table::format_table;
use clap::{Parser, Subcommand}; use clap::{Parser, Subcommand};
@ -242,23 +265,3 @@ index 1030e3a..47eca49 100644
/// The layout of the cluster, i.e. the list of roles /// The layout of the cluster, i.e. the list of roles
/// which are assigned to each cluster node /// which are assigned to each cluster node
#[derive(Clone, Debug, Serialize, Deserialize)] #[derive(Clone, Debug, Serialize, Deserialize)]
diff --git a/src/util/formater.rs b/src/util/formater.rs
index 2ea53eb..cc7d8a4 100644
--- a/src/util/formater.rs
+++ b/src/util/formater.rs
@@ -1,3 +1,15 @@
+use std::io::Write;
+
+macro_rules! print {
+ () => (print!("\n"));
+ ($fmt:expr) => ({
+ write!(std::io::stdout(), $fmt).unwrap_or(())
+ });
+ ($fmt:expr, $($arg:tt)*) => ({
+ write!(std::io::stdout(), $fmt, $($arg)*).unwrap_or(())
+ })
+}
+
pub fn format_table_to_string(data: Vec<String>) -> String {
let data = data
.iter()
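Review bot: The `print!` override added to `src/format-table/lib.rs` maps every failed stdout write to `()` through `unwrap_or(())`, so an I/O error of any kind is indistinguishable from success and from the closed-pipe case the shim presumably exists for; narrowing it to that case, e.g. `.or_else(|e| if e.kind() == std::io::ErrorKind::BrokenPipe { Ok(()) } else { Err(e) }).unwrap()`, keeps other write failures visible as the standard macro would. The macro body is carried over unchanged from the `src/util/formater.rs` hunk this commit drops, so the point predates this change. The collapsed hunks for `cmd.rs`, `layout.rs`, `util.rs` and `k2v-cli.rs` presumably add the same shim and would get the same treatment.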


@ -1,106 +1,54 @@
diff --git a/unix_integration/src/cache.rs b/unix_integration/src/cache.rs diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
index d2d442ab8..6c8de0309 100644 index d1b02de0f..599dec6d5 100644
--- a/unix_integration/src/cache.rs --- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/cache.rs +++ b/unix_integration/src/idprovider/kanidm.rs
@@ -34,6 +34,8 @@ enum CacheState { @@ -2,6 +2,7 @@ use async_trait::async_trait;
pub struct CacheLayer { use kanidm_client::{ClientError, KanidmClient, StatusCode};
db: Db, use kanidm_proto::v1::{OperationError, UnixGroupToken, UnixUserToken};
use tokio::sync::RwLock;
+use std::env;
use super::interface::{
AuthCacheAction, AuthCredHandler, AuthRequest, AuthResult, GroupToken, Id, IdProvider,
@@ -11,12 +12,28 @@ use crate::unix_proto::PamAuthRequest;
pub struct KanidmProvider {
client: RwLock<KanidmClient>, client: RwLock<KanidmClient>,
+ auth_name: Option<String>, + auth_name: Option<String>,
+ auth_password: Option<String>, + auth_password: Option<String>,
state: Mutex<CacheState>, }
pam_allow_groups: BTreeSet<String>,
timeout_seconds: u64, impl KanidmProvider {
@@ -65,6 +67,8 @@ impl CacheLayer { pub fn new(client: KanidmClient) -> Self {
timeout_seconds: u64, + let env_username: Option<String>;
// + let env_password: Option<String>;
client: KanidmClient, + match (env::var_os("KANIDM_NAME"), env::var_os("KANIDM_PASSWORD")) {
+ auth_name: Option<String>, + (Some(username), Some(password)) => {
+ auth_password: Option<String>, + env_username = Some(username.into_string().unwrap());
pam_allow_groups: Vec<String>, + env_password = Some(password.into_string().unwrap());
default_shell: String, + },
home_prefix: String, + _ => {
@@ -91,6 +95,8 @@ impl CacheLayer { + env_username = None;
Ok(CacheLayer { + env_password = None;
db, + }
+ }
KanidmProvider {
client: RwLock::new(client), client: RwLock::new(client),
+ auth_name, + auth_name: env_username,
+ auth_password, + auth_password: env_password,
state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())), }
timeout_seconds, }
pam_allow_groups: pam_allow_groups.into_iter().collect(), }
@@ -945,7 +951,11 @@ impl CacheLayer { @@ -73,7 +90,11 @@ impl From<UnixGroupToken> for GroupToken {
false impl IdProvider for KanidmProvider {
} // Needs .read on all types except re-auth.
CacheState::OfflineNextCheck(_time) => { async fn provider_authenticate(&self) -> Result<(), IdpError> {
- match self.client.write().await.auth_anonymous().await { - match self.client.write().await.auth_anonymous().await {
+ let auth_method = match (&self.auth_name, &self.auth_password) { + let auth_method = match (&self.auth_name, &self.auth_password) {
+ (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await, + (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await,
+ _ => self.client.write().await.auth_anonymous().await + _ => self.client.write().await.auth_anonymous().await
+ }; + };
+ match auth_method { + match auth_method {
Ok(_uat) => { Ok(_uat) => Ok(()),
debug!("OfflineNextCheck -> authenticated"); Err(err) => {
self.set_cachestate(CacheState::Online).await; error!(?err, "Provider authentication failed");
diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs
index e4bf558c6..d6916d851 100644
--- a/unix_integration/src/daemon.rs
+++ b/unix_integration/src/daemon.rs
@@ -415,6 +415,24 @@ async fn main() -> ExitCode {
.env("KANIDM_CLIENT_CONFIG")
.action(ArgAction::StoreValue),
)
+ .arg(
+ Arg::new("name")
+ .takes_value(true)
+ .help("Set the name to use to authenticate")
+ .short('D')
+ .long("name")
+ .env("KANIDM_NAME")
+ .action(ArgAction::StoreValue),
+ )
+ .arg(
+ Arg::new("password")
+ .hide(true)
+ .takes_value(true)
+ .help("Set the password to use to authenticate")
+ .long("password")
+ .env("KANIDM_PASSWORD")
+ .action(ArgAction::StoreValue),
+ )
.get_matches();
if clap_args.get_flag("debug") {
@@ -510,6 +528,10 @@ async fn main() -> ExitCode {
}
}
+ let auth_username = clap_args.get_one::<String>("name");
+
+ let auth_password = clap_args.get_one::<String>("password");
+
// setup
let cb = match KanidmClientBuilder::new().read_options_from_optional_config(&cfg_path) {
Ok(v) => v,
@@ -637,6 +659,8 @@ async fn main() -> ExitCode {
cfg.db_path.as_str(), // The sqlite db path
cfg.cache_timeout,
rsclient,
+ auth_username.as_deref().cloned(),
+ auth_password.as_deref().cloned(),
cfg.pam_allowed_login_groups.clone(),
cfg.default_shell.clone(),
cfg.home_prefix.clone(),
diff --git a/unix_integration/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs
index cff5e8ba8..a68b35be2 100644
--- a/unix_integration/tests/cache_layer_test.rs
+++ b/unix_integration/tests/cache_layer_test.rs
@@ -103,6 +103,8 @@ async fn setup_test(fix_fn: Fixture) -> (CacheLayer, KanidmClient) {
"", // The sqlite db path, this is in memory.
300,
rsclient,
+ None,
+ None,
vec!["allowed_group".to_string()],
DEFAULT_SHELL.to_string(),
DEFAULT_HOME_PREFIX.to_string(),
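Review bot: `into_string().unwrap()` in `KanidmProvider::new` (the two lines inside the `(Some(username), Some(password))` arm) panics the daemon at startup if either variable holds non-UTF-8 bytes, and the `_` arm silently falls back to anonymous authentication when only one of `KANIDM_NAME`/`KANIDM_PASSWORD` is set, so a typo in one variable name degrades the provider's privileges without any log line. Reading the variables with `env::var` instead of `env::var_os` yields `String`s directly and reports the non-Unicode case as an `Err`, and a `warn!` in the half-configured case makes the fallback visible (this assumes the same logging macros as the `error!` at the end of the hunk are in scope). `provider_authenticate`, where these fields are consumed, continues past the end of the section. A sketch of the rewritten constructor:
```rust
    pub fn new(client: KanidmClient) -> Self {
        // env::var rather than var_os: a non-UTF-8 value becomes an Err instead of a panic
        let (env_username, env_password) =
            match (env::var("KANIDM_NAME"), env::var("KANIDM_PASSWORD")) {
                (Ok(username), Ok(password)) => (Some(username), Some(password)),
                (Err(_), Err(_)) => (None, None),
                _ => {
                    warn!("only one of KANIDM_NAME / KANIDM_PASSWORD is set; using anonymous authentication");
                    (None, None)
                }
            };
        KanidmProvider {
            client: RwLock::new(client),
            auth_name: env_username,
            auth_password: env_password,
        }
    }
```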


@ -1,13 +0,0 @@
diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 3a6f55c..417e05f 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -392,7 +392,7 @@ def login():
return authenticate_user(user, 'Azure OAuth')
if 'oidc_token' in session:
- user_data = json.loads(oidc.get('userinfo').text)
+ user_data = oidc.userinfo()
oidc_username = user_data[Setting().get('oidc_oauth_username')]
oidc_first_name = user_data[Setting().get('oidc_oauth_firstname')]
oidc_last_name = user_data[Setting().get('oidc_oauth_last_name')]


@ -13,11 +13,8 @@ in with hosts;
"cluster/services/cachix-deploy-agent/credentials/prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; "cluster/services/cachix-deploy-agent/credentials/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"cluster/services/cachix-deploy-agent/credentials/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/cachix-deploy-agent/credentials/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/cachix-deploy-agent/credentials/thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ]; "cluster/services/cachix-deploy-agent/credentials/thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
"cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/dns/acme-dns-direct-key.age".publicKeys = max ++ map systemKeys [ checkmate grail thunderskin VEGAS prophet ];
"cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/dns/acme-dns-db-credentials.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ];
"cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ checkmate grail thunderskin VEGAS prophet ];
"cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ];
"cluster/services/forge/credentials/forgejo-oidc-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/forge/credentials/forgejo-oidc-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/forge/credentials/forgejo-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/forge/credentials/forgejo-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];