forked from the-distro/infra
Compare commits
195 commits
Author | SHA1 | Date | |
---|---|---|---|
cd0621ba55 | |||
dfd48f2179 | |||
b1c28cfc7c | |||
a69750b495 | |||
77ff556583 | |||
fe3cb577c1 | |||
20fc4c8f96 | |||
bce44930b1 | |||
27d66d390e | |||
79dea0686b | |||
aeb8102ae4 | |||
830dcbf6bc | |||
f7907a2915 | |||
93822775a9 | |||
dd028656ac | |||
88317d099c | |||
1cbf286f18 | |||
6dc424dd43 | |||
504a443acc | |||
96d58bbd41 | |||
5154906aac | |||
f3828368e6 | |||
314f1cb363 | |||
4e2d21930f | |||
dd81b78f7a | |||
537b3b978c | |||
99259356f2 | |||
924b4e7913 | |||
5474832b07 | |||
f737c957a5 | |||
15a684c5d7 | |||
bd8aa2eb08 | |||
22a10e158f | |||
b8a4cd928d | |||
7f29885597 | |||
74e06ac6d0 | |||
3ff9d00f7f | |||
e5a3ce2283 | |||
8390caee53 | |||
1b82c2f8fd | |||
26c5e56605 | |||
6ad9e0416d | |||
bebc7f2586 | |||
297ddbb28c | |||
eedc719889 | |||
d3a8d21429 | |||
608c0e5973 | |||
30b05d29f5 | |||
62ccc0282b | |||
d84a43b781 | |||
555728ca0f | |||
60654e45d9 | |||
8aa5761660 | |||
2dc5899660 | |||
adaf4b0aef | |||
f33d828552 | |||
5bde7e2358 | |||
d4f8cb6c87 | |||
95ec496227 | |||
d9809e1e78 | |||
3fa4a25d87 | |||
0ff5eea4ed | |||
03b53234d3 | |||
287a9dc400 | |||
80c4757571 | |||
99649eeb6c | |||
d1e64b6610 | |||
766dc4c383 | |||
65b07a936b | |||
cfa6d79b75 | |||
cd846260e4 | |||
8afcf249d6 | |||
25feb3c9f1 | |||
56a04a6faf | |||
4473717e9f | |||
da7175303c | |||
e00d0331ec | |||
a56426e6c9 | |||
c3394264ba | |||
7789e9ce75 | |||
fda59ee6c0 | |||
cc1e3f2e14 | |||
68d956f1ba | |||
81fc914d79 | |||
87bd42cf1d | |||
34e8b4b98a | |||
5a05e44a95 | |||
234522cc3b | |||
c296d0d46d | |||
95b58de737 | |||
8b9d33d70c | |||
ab9caaf520 | |||
dd069c40d7 | |||
9899b083ad | |||
d4caf7b71a | |||
37ec674984 | |||
e3e60a5e72 | |||
2e86babc8a | |||
2b8f42dcda | |||
f14bba14a3 | |||
0723b7de42 | |||
3c2691d9e2 | |||
a44196fc3c | |||
7a937e837a | |||
ecfe0ec886 | |||
7d9461808c | |||
293bc52ace | |||
64079be3c0 | |||
9189b73a5f | |||
af515792cc | |||
b4deee29af | |||
756341ea4c | |||
bed5ef022f | |||
e6ead602f0 | |||
329f267b02 | |||
b14f155d55 | |||
c8208f42ef | |||
087d17c681 | |||
d2336262fb | |||
f35cfbd567 | |||
58325e30dd | |||
411d514ab9 | |||
f74d1ca0f6 | |||
70e608a8f7 | |||
4e869a9f43 | |||
3cbdbc45f7 | |||
7ba42d99d1 | |||
254e161c07 | |||
a9f45daac8 | |||
787b3af638 | |||
e608b92e4f | |||
e84b362b7a | |||
9e7e6d42ab | |||
f2c2bc5ab6 | |||
f214da9228 | |||
0e24c18815 | |||
2ac0a599fb | |||
0ccf0b023e | |||
82db8f7f1e | |||
7b7a645cfc | |||
39d2352bbc | |||
a7d21e96a0 | |||
c51676a560 | |||
9988811be5 | |||
afaf49eb97 | |||
bc8ef7b5fc | |||
61e8048445 | |||
2ebb0e82e8 | |||
664fa033aa | |||
2308870aa5 | |||
f9f955214f | |||
90e54d7292 | |||
645ad7d062 | |||
a30c1f7d78 | |||
eb21cb6916 | |||
62af42fc97 | |||
7396107bf4 | |||
c0e1d05b3c | |||
3828721e4f | |||
8a9ff8c40d | |||
48579e8818 | |||
8fe33b4e46 | |||
d4e9dcc2a6 | |||
7f46e5d9a4 | |||
512cfdb43e | |||
82395ec8ce | |||
82e074881f | |||
b55475c12e | |||
9f0e601d84 | |||
209f71c63a | |||
563e0685d4 | |||
8d2a367e92 | |||
db8c831c2f | |||
ba0d50624d | |||
40ba3c4ae7 | |||
346a74eabc | |||
e8e262c6a4 | |||
dd6ee53bfe | |||
5ebd71e4d5 | |||
2700ac5efc | |||
caa1fce74e | |||
5f8228536c | |||
078f298b8c | |||
4b0a2cd7e5 | |||
dcd5f68545 | |||
7c6780a2a3 | |||
dd72904bf1 | |||
2e9483936e | |||
30859b2872 | |||
0c68a23275 | |||
8dc7ee9864 | |||
e803c198c1 | |||
578e24e634 | |||
e1a034927c | |||
5b0f3c4541 |
100 changed files with 10775 additions and 9839 deletions
7
.editorconfig
Normal file
7
.editorconfig
Normal file
|
@ -0,0 +1,7 @@
|
|||
root = true
|
||||
|
||||
[*]
|
||||
end_of_line = lf
|
||||
insert_final_newline = true
|
||||
trim_trailing_whitespace = true
|
||||
charset = utf-8
|
6
.gitignore
vendored
6
.gitignore
vendored
|
@ -1,4 +1,8 @@
|
|||
result
|
||||
.gcroots
|
||||
config.tf.json
|
||||
.direnv
|
||||
.direnv
|
||||
.terraform
|
||||
.terraform.lock.hcl
|
||||
secrets/*
|
||||
!secrets/*.age
|
||||
|
|
|
@ -3,14 +3,14 @@ let
|
|||
in {
|
||||
users.users.root.openssh.authorizedKeys.keys =
|
||||
keys.users.delroth ++
|
||||
keys.users.k900 ++
|
||||
keys.users.emilylange ++
|
||||
keys.users.hexchen ++
|
||||
keys.users.jade ++
|
||||
keys.users.janik ++
|
||||
keys.users.k900 ++
|
||||
keys.users.lukegb ++
|
||||
keys.users.maxine ++
|
||||
keys.users.raito ++
|
||||
keys.users.maxine ++
|
||||
[
|
||||
# more raito
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
|
||||
];
|
||||
keys.users.thubrecht ++
|
||||
keys.users.yuka;
|
||||
}
|
||||
|
|
|
@ -1,9 +1,14 @@
|
|||
{ lib, pkgs, ... }: {
|
||||
imports = [
|
||||
./known-ssh-keys.nix
|
||||
];
|
||||
|
||||
nixpkgs.overlays = import ../overlays;
|
||||
|
||||
nix.package = lib.mkDefault pkgs.lix;
|
||||
services.openssh.enable = lib.mkForce true;
|
||||
|
||||
networking.nftables.enable = true;
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.logRefusedConnections = false;
|
||||
networking.firewall.logReversePathDrops = true;
|
||||
|
@ -13,12 +18,41 @@
|
|||
recommendedTlsSettings = lib.mkDefault true;
|
||||
recommendedProxySettings = lib.mkDefault true;
|
||||
recommendedGzipSettings = lib.mkDefault true;
|
||||
eventsConfig = ''
|
||||
worker_connections 8192;
|
||||
'';
|
||||
appendConfig = ''
|
||||
worker_rlimit_nofile 16384;
|
||||
'';
|
||||
};
|
||||
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
persistent = true;
|
||||
dates = "daily";
|
||||
dates = lib.mkDefault "daily";
|
||||
options = "--delete-older-than 30d";
|
||||
};
|
||||
|
||||
services.journald.extraConfig = "SystemMaxUse=512M";
|
||||
|
||||
boot.kernelParams = [
|
||||
"panic=30" "boot.panic_on_fail"
|
||||
];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
# Set default TCP congestion control algorithm
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
|
||||
# Enable ECN
|
||||
"net.ipv4.tcp_ecn" = 1;
|
||||
|
||||
# Enable TCP fast open
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
};
|
||||
|
||||
# reduce closure size, feel free to add your locale here
|
||||
i18n.supportedLocales = [
|
||||
"en_US.UTF-8/UTF-8"
|
||||
"fr_FR.UTF-8/UTF-8"
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
{
|
||||
imports = [
|
||||
./admins.nix
|
||||
./raito-vm.nix
|
||||
./raito-proxy-aware-nginx.nix
|
||||
./base-server.nix
|
||||
./hardening.nix
|
||||
./nix.nix
|
||||
./raito-proxy-aware-nginx.nix
|
||||
./raito-vm.nix
|
||||
./sysadmin
|
||||
./zsh.nix
|
||||
];
|
||||
}
|
||||
|
|
23
common/hardening.nix
Normal file
23
common/hardening.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
nix.settings.allowed-users = [ "root" ];
|
||||
|
||||
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
|
||||
"/proc".options = [ "hidepid=2" ];
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
|
||||
|
||||
services.openssh = {
|
||||
settings.PasswordAuthentication = false;
|
||||
settings.KbdInteractiveAuthentication = false;
|
||||
|
||||
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
|
||||
authorizedKeysFiles = lib.mkForce [
|
||||
"/etc/ssh/authorized_keys.d/%u"
|
||||
];
|
||||
};
|
||||
|
||||
users.mutableUsers = false;
|
||||
}
|
6
common/known-ssh-keys.nix
Normal file
6
common/known-ssh-keys.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ ... }:
|
||||
{
|
||||
programs.ssh.knownHosts = {
|
||||
"[cl.forkos.org]:29418".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM82mJ259C8Nc+BHHNBeRWXWhL3dfirQhmFbDAwHMle3";
|
||||
};
|
||||
}
|
21
common/nix.nix
Normal file
21
common/nix.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{
|
||||
nix.extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
|
||||
# Provision a useful nixpkgs in NIX_PATH and flake registry on infra
|
||||
# machines.
|
||||
nixpkgs.flake = {
|
||||
source = lib.cleanSource pkgs.path;
|
||||
setNixPath = true;
|
||||
setFlakeRegistry = true;
|
||||
};
|
||||
|
||||
# Use our cache and trust its signing key. Still use cache.nixos.org as
|
||||
# fallback.
|
||||
nix.settings.substituters = [ "https://cache.forkos.org/" ];
|
||||
nix.settings.trusted-public-keys = [
|
||||
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
|
||||
];
|
||||
}
|
|
@ -3,12 +3,52 @@
|
|||
bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsO4bNqY04uG13Pg3ubHfRDssTphDLzZ4YUniE5/p+M";
|
||||
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
|
||||
gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A";
|
||||
fodwatch = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRyTNfvKl5FcSyzGzw+h+bNFNOxdhvI67WdUZ2iIJ1L";
|
||||
buildbot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgIu6ouagYqBeMLfmn1CbaDJMuZcPH9bnUhkht8GfuB";
|
||||
git = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQJcpkCUOx8+5oukMX6lxrYcIX8FyHu8Mc/3+ieKMUn";
|
||||
builder-0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHSNcDGctvlG6BHcJuYIzW9WsBJsts2vpwSketsbXoL";
|
||||
builder-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQOGUjERK7Mx8UPM/rbOdMqVyn1sbWqYOG6CbOzH2wm";
|
||||
builder-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKzXIqCoYElEKIYgjbSpqEcDeOvV+Wo3Agq3jba83cB";
|
||||
builder-3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq0A5233XGt34T097KaEKBUqFvaa7a6nYZRsSO0166l";
|
||||
builder-4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9dVo2xZhgIMDgB1rUj5ApmppL39BtYu/+OFHeduvXr";
|
||||
builder-5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7vZTBxrVHmHpv7slQ8A8XwjjbfN+ZJA0V5C3k0wNBD";
|
||||
builder-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOt1qR/2BRtc6PABuSBulowwJVO6wBNDyEFzh0qsTeOF";
|
||||
builder-7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFinAAw1v8TJB8/wcmTVBbHHc4LCYh6z4TO6ViwUPkoh";
|
||||
builder-8 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGSWHNeqT0kF/e4yVy2ieW98X5QMyCYIYZh9WTmQDs1";
|
||||
builder-9 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhws9zGgocVY36dMtOL+CXadpvRMffxoWMkfEcTBJm7";
|
||||
builder-10 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7sgIuTSqZiZhp8TvObSbIEhcHHsL5hcmYA22uzwxth";
|
||||
builder-11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAqFo1qJY7MSUkfB+zxXB8Lpt/Iqz/RR5A+zwhpRWhr";
|
||||
wob-vpn-gw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVytPPW8XnXf/rD5TFzsw//CZc2lBjQLmDzlVGPZsjh";
|
||||
};
|
||||
|
||||
users = {
|
||||
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
||||
raito = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp" ];
|
||||
emilylange = [ "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIL7jgq3i+N3gVJhs4shm7Kmw6dIocs2OuR0GBMG1RxfKAAAABHNzaDo=" ];
|
||||
hexchen = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF hexchen@backup"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/ hexchen@yubi5"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3 hexchen@yubi5c"
|
||||
];
|
||||
jade = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa"
|
||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKYljH8iPMrH00lOb3ETxRrZimdKzPPEdsJQ5D5ovtOwAAAACnNzaDpzc2hrZXk= ssh:sshkey"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO4idMfdJxDJuBNOid60d4I+qxj09RHt+YkCYV2eXt6tGrEXg+S8hTQusy/SqooiXUH9pt4tea2RuBPN9+UwrH0= type-a yubikey slot 9a"
|
||||
];
|
||||
janik = [
|
||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ4yq7oHBO2iPs4xj797a//0ypnBr27sSadKUeL2NsK6AAAABHNzaDo="
|
||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOYg513QZsVzoyVycXZjg4F3T3+OwtcY3WAhrlfyLgLTAAAABHNzaDo="
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLZxVITpJ8xbiCa/u2gjSSIupeiqOnRh+8tFIoVhCON"
|
||||
];
|
||||
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
|
||||
lukegb = [ ''cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR'' ];
|
||||
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
|
||||
raito = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||
];
|
||||
thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
|
||||
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKath4/fDnlv/4fzxkPrQN1ttmoPRNu/m9bEtdPJBDfY cardno:16_933_242" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -20,6 +20,10 @@ in
|
|||
bcc
|
||||
tcpdump
|
||||
ncdu
|
||||
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;
|
||||
# Useful to invoke `coredumpctl gdb`
|
||||
gdb
|
||||
htop
|
||||
btop
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
16
common/zsh.nix
Normal file
16
common/zsh.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{ lib, pkgs, config, ... }: {
|
||||
users.defaultUserShell = pkgs.zsh;
|
||||
programs.zsh = {
|
||||
enable = true;
|
||||
enableCompletion = true;
|
||||
autosuggestions.enable = true;
|
||||
interactiveShellInit = ''
|
||||
${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin
|
||||
'';
|
||||
promptInit = ''
|
||||
# https://grml.org/zsh/grml-zsh-refcard.pdf
|
||||
source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
|
||||
PS1='%n@${config.networking.fqdn} %/ \$ '
|
||||
'';
|
||||
};
|
||||
}
|
224
flake.lock
224
flake.lock
|
@ -10,11 +10,11 @@
|
|||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718371084,
|
||||
"narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
|
||||
"lastModified": 1720546205,
|
||||
"narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "3a56735779db467538fb2e577eda28a9daacaca6",
|
||||
"rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -55,6 +55,29 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"buildbot-nix": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722939563,
|
||||
"narHash": "sha256-lMe8aXgF550iQLRaoU+yn8yYQ4x2qiyqANgsFyjfWwA=",
|
||||
"ref": "refs/heads/non-flakes",
|
||||
"rev": "4a162a8aa5dad6cecdb33bd8534e67e0bdaeb13f",
|
||||
"revCount": 295,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
||||
},
|
||||
"original": {
|
||||
"ref": "refs/heads/non-flakes",
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
||||
}
|
||||
},
|
||||
"colmena": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -132,6 +155,49 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"buildbot-nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1706830856,
|
||||
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"hydra",
|
||||
"nix-eval-jobs",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719994518,
|
||||
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
|
@ -185,26 +251,27 @@
|
|||
},
|
||||
"hydra": {
|
||||
"inputs": {
|
||||
"nix": "nix",
|
||||
"lix": "lix",
|
||||
"nix-eval-jobs": "nix-eval-jobs",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719258100,
|
||||
"narHash": "sha256-Eu8ausj0RsXV5MraCPezwX+j51iZD0ukif110Yj2+6k=",
|
||||
"lastModified": 1722688238,
|
||||
"narHash": "sha256-x6BnYtArF6IDs7bS8ExokgAQBOlrxXxD0EOBIlASmfM=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "a9a2679793a17325c966dec4cbb27d44b0531694",
|
||||
"revCount": 4172,
|
||||
"rev": "9b5ac87de73ea4646dbb2af979db91f096d29960",
|
||||
"revCount": 4191,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/hydra.git"
|
||||
"url": "https://git.lix.systems/the-distro/hydra.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/hydra.git"
|
||||
"url": "https://git.lix.systems/the-distro/hydra.git"
|
||||
}
|
||||
},
|
||||
"nix": {
|
||||
"lix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_2",
|
||||
"nix2container": "nix2container",
|
||||
|
@ -216,17 +283,87 @@
|
|||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719211568,
|
||||
"narHash": "sha256-oIgmvhe3CV/36LC0KXgqWnKXma39wabks8U9JBMDfO4=",
|
||||
"lastModified": 1721091462,
|
||||
"narHash": "sha256-0cmEeoOiB91BviTJHzIyxkY+Gxv3O8ZnnExVAoXEFGI=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "4c3d93611f2848c56ebc69c85f2b1e18001ed3c7",
|
||||
"revCount": 15877,
|
||||
"rev": "6b4d46e9e0e1dd80e0977684ab20d14bcd1a6bc3",
|
||||
"revCount": 15967,
|
||||
"type": "git",
|
||||
"url": "https://git@git.lix.systems/lix-project/lix"
|
||||
"url": "https://git.lix.systems/lix-project/lix"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git@git.lix.systems/lix-project/lix"
|
||||
"url": "https://git.lix.systems/lix-project/lix"
|
||||
}
|
||||
},
|
||||
"nix-eval-jobs": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts_2",
|
||||
"lix": [
|
||||
"hydra",
|
||||
"lix"
|
||||
],
|
||||
"nix-github-actions": "nix-github-actions",
|
||||
"nixpkgs": [
|
||||
"hydra",
|
||||
"nixpkgs"
|
||||
],
|
||||
"treefmt-nix": "treefmt-nix_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721195872,
|
||||
"narHash": "sha256-TlvRq634MSl22BWLmpTy2vdtKntbZlsUwdMq8Mp9AWs=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "c057494450f2d1420726ddb0bab145a5ff4ddfdd",
|
||||
"revCount": 608,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
|
||||
}
|
||||
},
|
||||
"nix-gerrit": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720891381,
|
||||
"narHash": "sha256-bdZRPgnkROSejmwMOrlcqHMWmuPIVIzjk6r5FbS+fqU=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "23dd318e6741ff686d3069c53ecf475eac8a0565",
|
||||
"revCount": 5,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
||||
}
|
||||
},
|
||||
"nix-github-actions": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"hydra",
|
||||
"nix-eval-jobs",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720066371,
|
||||
"narHash": "sha256-uPlLYH2S0ACj0IcgaK9Lsf4spmJoGejR9DotXiXSBZQ=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-github-actions",
|
||||
"rev": "622f829f5fe69310a866c8a6cd07e747c44ef820",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-github-actions",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix2container": {
|
||||
|
@ -247,11 +384,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1719082008,
|
||||
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
|
||||
"lastModified": 1721116560,
|
||||
"narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9693852a2070b398ee123a329e68f0dab5526681",
|
||||
"rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -311,12 +448,14 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"buildbot-nix": "buildbot-nix",
|
||||
"colmena": "colmena",
|
||||
"hydra": "hydra",
|
||||
"lix": [
|
||||
"hydra",
|
||||
"nix"
|
||||
"lix"
|
||||
],
|
||||
"nix-gerrit": "nix-gerrit",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"terranix": "terranix"
|
||||
}
|
||||
|
@ -388,6 +527,49 @@
|
|||
"repo": "terranix-examples",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"buildbot-nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708897213,
|
||||
"narHash": "sha256-QECZB+Hgz/2F/8lWvHNk05N6NU/rD9bWzuNn6Cv8oUk=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "e497a9ddecff769c2a7cbab51e1ed7a8501e7a3a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"hydra",
|
||||
"nix-eval-jobs",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1721059077,
|
||||
"narHash": "sha256-gCICMMX7VMSKKt99giDDtRLkHJ0cwSgBtDijJAqTlto=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "0fb28f237f83295b4dd05e342f333b447c097398",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
173
flake.nix
173
flake.nix
|
@ -11,103 +11,110 @@
|
|||
colmena.url = "github:zhaofengli/colmena";
|
||||
colmena.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
|
||||
hydra.url = "git+https://git.lix.systems/the-distro/hydra.git";
|
||||
hydra.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
lix.follows = "hydra/nix";
|
||||
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
|
||||
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/non-flakes";
|
||||
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
lix.follows = "hydra/lix";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, terranix, ... } @ inputs:
|
||||
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
pkgs = import nixpkgs {
|
||||
localSystem = system;
|
||||
overlays = [
|
||||
inputs.hydra.overlays.default
|
||||
inputs.lix.overlays.default
|
||||
];
|
||||
};
|
||||
lib = pkgs.lib;
|
||||
terraform = pkgs.opentofu;
|
||||
terraformCfg = terranix.lib.terranixConfiguration {
|
||||
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
|
||||
forEachSystem = f: builtins.listToAttrs (map (system: {
|
||||
name = system;
|
||||
value = f system;
|
||||
}) supportedSystems);
|
||||
systemBits = forEachSystem (system: rec {
|
||||
inherit system;
|
||||
modules = [ ];
|
||||
};
|
||||
in
|
||||
{
|
||||
apps.${system} = {
|
||||
apply = {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash "apply" ''
|
||||
set -eo pipefail
|
||||
rm -f config.tf.json
|
||||
cp ${terraformCfg} config.tf.json
|
||||
${lib.getExe terraform} init
|
||||
${lib.getExe terraform} apply
|
||||
'');
|
||||
};
|
||||
# nix run ".#destroy"
|
||||
destroy = {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash "destroy" ''
|
||||
set -eo pipefail
|
||||
ln -snf ${terraformCfg} config.tf.json
|
||||
${lib.getExe terraform} init
|
||||
${lib.getExe terraform} destroy
|
||||
'');
|
||||
};
|
||||
};
|
||||
apps.${system}.default = self.apps.${system}.apply;
|
||||
|
||||
devShells.${system}.default = pkgs.mkShell {
|
||||
packages = [
|
||||
inputs.agenix.packages.${system}.agenix
|
||||
inputs.colmena.packages.${system}.colmena
|
||||
];
|
||||
};
|
||||
|
||||
colmena = {
|
||||
meta.nixpkgs = import nixpkgs {
|
||||
pkgs = import nixpkgs {
|
||||
localSystem = system;
|
||||
overlays = [
|
||||
inputs.hydra.overlays.default
|
||||
inputs.lix.overlays.default
|
||||
inputs.nix-gerrit.overlays.default
|
||||
];
|
||||
};
|
||||
terraform = pkgs.opentofu;
|
||||
terraformCfg = terranix.lib.terranixConfiguration {
|
||||
inherit system;
|
||||
modules = [
|
||||
./terraform
|
||||
{
|
||||
bagel.gandi.enable = true;
|
||||
bagel.hydra.enable = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
});
|
||||
forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));
|
||||
inherit (nixpkgs) lib;
|
||||
in
|
||||
{
|
||||
apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
|
||||
tf = {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash "tf" ''
|
||||
set -eo pipefail
|
||||
ln -snf ${terraformCfg} config.tf.json
|
||||
exec ${lib.getExe terraform} "$@"
|
||||
'');
|
||||
};
|
||||
|
||||
default = self.apps.${system}.tf;
|
||||
});
|
||||
|
||||
devShells = forEachSystem' ({ system, pkgs, ... }: {
|
||||
default = pkgs.mkShell {
|
||||
packages = [
|
||||
inputs.agenix.packages.${system}.agenix
|
||||
|
||||
pkgs.opentofu
|
||||
|
||||
(pkgs.callPackage ./lib/colmena-wrapper.nix { })
|
||||
];
|
||||
};
|
||||
});
|
||||
|
||||
nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
|
||||
|
||||
colmena = let
|
||||
commonModules = [
|
||||
inputs.agenix.nixosModules.default
|
||||
inputs.hydra.nixosModules.hydra
|
||||
inputs.buildbot-nix.nixosModules.buildbot-coordinator
|
||||
inputs.buildbot-nix.nixosModules.buildbot-worker
|
||||
|
||||
./services
|
||||
./common
|
||||
];
|
||||
|
||||
makeBuilder = i: lib.nameValuePair "builder-${toString i}" {
|
||||
imports = commonModules;
|
||||
bagel.baremetal.builders = { enable = true; num = i; netboot = i >= 6; };
|
||||
};
|
||||
|
||||
builders = lib.listToAttrs (lib.genList makeBuilder 12);
|
||||
in {
|
||||
meta.nixpkgs = systemBits.x86_64-linux.pkgs;
|
||||
meta.specialArgs.inputs = inputs;
|
||||
|
||||
bagel-box = {
|
||||
imports = [
|
||||
inputs.agenix.nixosModules.default
|
||||
inputs.hydra.nixosModules.hydra
|
||||
bagel-box.imports = commonModules ++ [ ./hosts/bagel-box ];
|
||||
meta01.imports = commonModules ++ [ ./hosts/meta01 ];
|
||||
gerrit01.imports = commonModules ++ [ ./hosts/gerrit01 ];
|
||||
fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ];
|
||||
git.imports = commonModules ++ [ ./hosts/git ];
|
||||
wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
|
||||
buildbot.imports = commonModules ++ [ ./hosts/buildbot ];
|
||||
public01.imports = commonModules ++ [ ./hosts/public01 ];
|
||||
} // builders;
|
||||
|
||||
./services
|
||||
./common
|
||||
./hosts/bagel-box
|
||||
];
|
||||
};
|
||||
|
||||
meta01 = {
|
||||
imports = [
|
||||
inputs.agenix.nixosModules.default
|
||||
inputs.hydra.nixosModules.hydra
|
||||
|
||||
./services
|
||||
./common
|
||||
./hosts/meta01.nixpkgs.lahfa.xyz
|
||||
];
|
||||
};
|
||||
|
||||
gerrit01 = {
|
||||
imports = [
|
||||
inputs.agenix.nixosModules.default
|
||||
inputs.hydra.nixosModules.hydra
|
||||
|
||||
./services
|
||||
./common
|
||||
./hosts/cl.forkos.org
|
||||
];
|
||||
};
|
||||
};
|
||||
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
|
||||
buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
useHostResolvConf = false;
|
||||
|
||||
hostName = "bagel-box";
|
||||
domain = "infra.forkos.org";
|
||||
nameservers = [ "2001:4860:4860::8844" ];
|
||||
|
||||
interfaces.host0.ipv6.addresses = [
|
||||
|
@ -39,13 +40,19 @@
|
|||
|
||||
hydra.enable = true;
|
||||
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
|
||||
# Takes 10 builders (0 → 9).
|
||||
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
|
||||
|
||||
ofborg.enable = true;
|
||||
};
|
||||
bagel.meta.monitoring.address = "bagel-box.delroth.net";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "bagel@delroth.net";
|
||||
security.acme.defaults.email = "infra@forkos.org";
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
deployment.targetHost = "bagel-box.delroth.net";
|
||||
system.stateVersion = "24.11";
|
||||
deployment.targetHost = "bagel-box.infra.forkos.org";
|
||||
}
|
||||
|
|
38
hosts/buildbot/default.nix
Executable file
38
hosts/buildbot/default.nix
Executable file
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.hostName = "buildbot";
|
||||
# TODO: make it the default
|
||||
networking.domain = "infra.forkos.org";
|
||||
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
# Buildbot is proxied.
|
||||
bagel.raito.v6-proxy-awareness.enable = true;
|
||||
bagel.hardware.raito-vm = {
|
||||
enable = true;
|
||||
networking = {
|
||||
nat-lan-mac = "BC:24:11:E7:42:8B";
|
||||
wan = {
|
||||
address = "2001:bc8:38ee:100:1000::50/64";
|
||||
mac = "BC:24:11:C9:BA:6C";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
bagel.services.buildbot = {
|
||||
enable = true;
|
||||
domain = "buildbot.forkos.org";
|
||||
builders = [ "builder-11" ];
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
deployment.targetHost = "buildbot.infra.forkos.org";
|
||||
}
|
|
@ -1,46 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.hostName = "gerrit01";
|
||||
# TODO: make it the default
|
||||
networking.domain = "infra.forkos.org";
|
||||
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
# Gerrit is proxied.
|
||||
bagel.raito.v6-proxy-awareness.enable = true;
|
||||
bagel.hardware.raito-vm = {
|
||||
enable = true;
|
||||
networking = {
|
||||
nat-lan-mac = "bc:24:11:f7:29:6c";
|
||||
wan = {
|
||||
address = "2001:bc8:38ee:100:1000::10/64";
|
||||
mac = "bc:24:11:4a:9d:32";
|
||||
};
|
||||
};
|
||||
};
|
||||
bagel.meta.monitoring.address = "gerrit01.infra.forkos.org";
|
||||
|
||||
fileSystems."/gerrit-data" = {
|
||||
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
bagel.services.gerrit = {
|
||||
enable = true;
|
||||
domains = [
|
||||
"cl.forkos.org"
|
||||
];
|
||||
data = "/gerrit-data";
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
deployment.targetHost = "gerrit01.infra.forkos.org";
|
||||
}
|
31
hosts/fodwatch/default.nix
Executable file
31
hosts/fodwatch/default.nix
Executable file
|
@ -0,0 +1,31 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.hostName = "fodwatch";
|
||||
networking.domain = "infra.forkos.org";
|
||||
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
# Fodwatch will be proxied.
|
||||
bagel.raito.v6-proxy-awareness.enable = true;
|
||||
bagel.hardware.raito-vm = {
|
||||
enable = true;
|
||||
networking = {
|
||||
nat-lan-mac = "BC:24:11:F2:17:F8";
|
||||
wan = {
|
||||
address = "2001:bc8:38ee:100:1000::30/64";
|
||||
mac = "BC:24:11:69:74:D0";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
deployment.targetHost = "fodwatch.infra.forkos.org";
|
||||
}
|
117
hosts/gerrit01/default.nix
Executable file
117
hosts/gerrit01/default.nix
Executable file
|
@ -0,0 +1,117 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.hostName = "gerrit01";
|
||||
# TODO: make it the default
|
||||
networking.domain = "infra.forkos.org";
|
||||
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
# Gerrit is proxied.
|
||||
bagel.raito.v6-proxy-awareness.enable = true;
|
||||
bagel.hardware.raito-vm = {
|
||||
enable = true;
|
||||
networking = {
|
||||
nat-lan-mac = "bc:24:11:f7:29:6c";
|
||||
wan = {
|
||||
address = "2001:bc8:38ee:100:1000::10/64";
|
||||
mac = "bc:24:11:4a:9d:32";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/gerrit-data" = {
|
||||
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
bagel.services.gerrit = {
|
||||
enable = true;
|
||||
domains = [
|
||||
"cl.forkos.org"
|
||||
];
|
||||
canonicalDomain = "cl.forkos.org";
|
||||
data = "/gerrit-data";
|
||||
};
|
||||
|
||||
age.secrets.ows-deploy-key = {
|
||||
file = ../../secrets/ows-deploy-key.age;
|
||||
mode = "0600";
|
||||
owner = "git";
|
||||
group = "git";
|
||||
};
|
||||
bagel.nixpkgs.one-way-sync =
|
||||
let
|
||||
mkNixpkgsJob = { timer, branchName, localRefspec ? null }: {
|
||||
name = "nixpkgs-${branchName}";
|
||||
fromUri = "https://github.com/NixOS/nixpkgs";
|
||||
fromRefspec = branchName;
|
||||
localRefspec = if localRefspec != null then localRefspec else branchName;
|
||||
inherit timer;
|
||||
};
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
|
||||
pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
|
||||
deployKeyPath = config.age.secrets.ows-deploy-key.path;
|
||||
|
||||
branches."refs/heads/main" = mkNixpkgsJob {
|
||||
timer = "hourly";
|
||||
branchName = "master";
|
||||
localRefspec = "main";
|
||||
};
|
||||
|
||||
branches."refs/heads/staging" = mkNixpkgsJob {
|
||||
timer = "hourly";
|
||||
branchName = "staging";
|
||||
};
|
||||
|
||||
branches."refs/heads/release-24.05" = mkNixpkgsJob {
|
||||
timer = "hourly";
|
||||
branchName = "release-24.05";
|
||||
};
|
||||
|
||||
branches."refs/heads/staging-24.05" = mkNixpkgsJob {
|
||||
timer = "hourly";
|
||||
branchName = "staging-24.05";
|
||||
};
|
||||
|
||||
branches."refs/heads/release-23.11" = mkNixpkgsJob {
|
||||
timer = "hourly";
|
||||
branchName = "release-23.11";
|
||||
};
|
||||
|
||||
branches."refs/heads/staging-23.11" = mkNixpkgsJob {
|
||||
timer = "hourly";
|
||||
branchName = "staging-23.11";
|
||||
};
|
||||
|
||||
# Testing jobs for personal sandbox branches
|
||||
branches."refs/heads/sandbox/raito/raito-unstable-small" = {
|
||||
name = "raito-unstable-sync";
|
||||
fromUri = "https://github.com/NixOS/nixpkgs";
|
||||
fromRefspec = "nixos-unstable-small";
|
||||
localRefspec = "sandbox/raito/raito-unstable-small";
|
||||
timer = "*-*-* 12:00:00";
|
||||
};
|
||||
|
||||
branches."refs/heads/sandbox/raito/raito-nixos-24.05" = {
|
||||
name = "raito-release-sync";
|
||||
fromUri = "https://github.com/NixOS/nixpkgs";
|
||||
fromRefspec = "nixos-24.05";
|
||||
localRefspec = "sandbox/raito/raito-nixos-24.05";
|
||||
timer = "daily";
|
||||
};
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
deployment.targetHost = "gerrit01.infra.forkos.org";
|
||||
}
|
49
hosts/git/default.nix
Normal file
49
hosts/git/default.nix
Normal file
|
@ -0,0 +1,49 @@
|
|||
let
|
||||
ipv6 = {
|
||||
openssh ="2001:bc8:38ee:100:1000::41";
|
||||
forgejo = "2001:bc8:38ee:100:1000::40";
|
||||
};
|
||||
in
|
||||
{
|
||||
networking.hostName = "git";
|
||||
networking.domain = "infra.forkos.org";
|
||||
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
# Forgejo will be proxied.
|
||||
bagel.raito.v6-proxy-awareness.enable = true;
|
||||
bagel.hardware.raito-vm = {
|
||||
enable = true;
|
||||
networking = {
|
||||
nat-lan-mac = "BC:24:11:83:71:56";
|
||||
wan = {
|
||||
address = "${ipv6.forgejo}/64";
|
||||
mac = "BC:24:11:0B:8A:81";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Add one additional IPv6, so we can have both OpenSSH and
|
||||
# Forgejo's built-in server bind on port :22.
|
||||
systemd.network.networks."10-wan".networkConfig.Address = [ "${ipv6.openssh}/64" ];
|
||||
services.openssh.listenAddresses = [{
|
||||
addr = "[${ipv6.openssh}]";
|
||||
}];
|
||||
# Defaults to network.target, but networkd may take a while to settle and set up
|
||||
# the required (additional) IPv6 address, leading to sshd to not being able to
|
||||
# bind to the requested IP, crashing 5 times and running into the default
|
||||
# restart counter limit (5).
|
||||
systemd.services.sshd.wants = [ "network-online.target" ];
|
||||
systemd.services.sshd.after = [ "network-online.target" ];
|
||||
|
||||
bagel.services.forgejo = {
|
||||
enable = true;
|
||||
sshBindAddr = ipv6.forgejo;
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
deployment.targetHost = "git.infra.forkos.org";
|
||||
}
|
|
@ -21,7 +21,6 @@
|
|||
enable = true;
|
||||
domain = "netbox.forkos.org";
|
||||
};
|
||||
bagel.meta.monitoring.address = "meta01.infra.forkos.org";
|
||||
bagel.services.prometheus.enable = true;
|
||||
bagel.services.loki.enable = true;
|
||||
bagel.services.grafana.enable = true;
|
32
hosts/public01/default.nix
Executable file
32
hosts/public01/default.nix
Executable file
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.hostName = "public01";
|
||||
# TODO: make it the default
|
||||
networking.domain = "infra.forkos.org";
|
||||
|
||||
time.timeZone = "Europe/Paris";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
# Buildbot is proxied.
|
||||
bagel.raito.v6-proxy-awareness.enable = true;
|
||||
bagel.hardware.raito-vm = {
|
||||
enable = true;
|
||||
networking = {
|
||||
nat-lan-mac = "BC:24:11:A4:F7:D3";
|
||||
wan = {
|
||||
address = "2001:bc8:38ee:100:1000::60/64";
|
||||
mac = "BC:24:11:DB:B8:10";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
deployment.targetHost = "public01.infra.forkos.org";
|
||||
}
|
126
hosts/wob-vpn-gw/default.nix
Normal file
126
hosts/wob-vpn-gw/default.nix
Normal file
|
@ -0,0 +1,126 @@
|
|||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./netboot.nix
|
||||
];
|
||||
|
||||
###### Hardware ######
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/58688a5c-e3ce-4868-804b-4e34d1370f36";
|
||||
fsType = "f2fs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/38caa628-3b6d-4fb4-8767-beee09a196a6";
|
||||
fsType = "ext2";
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
|
||||
hardware.cpu.amd.updateMicrocode = true;
|
||||
|
||||
# Enable serial output
|
||||
boot.loader.grub.extraConfig = ''
|
||||
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
|
||||
terminal_input serial
|
||||
terminal_output serial
|
||||
'';
|
||||
boot.kernelParams = [
|
||||
"console=ttyS0,115200"
|
||||
"console=tty1"
|
||||
];
|
||||
|
||||
###### Config #######
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
networking.useNetworkd = true;
|
||||
|
||||
systemd.network = {
|
||||
netdevs = {
|
||||
"40-uplink" = {
|
||||
netdevConfig = {
|
||||
Kind = "bond";
|
||||
Name = "uplink";
|
||||
};
|
||||
bondConfig = {
|
||||
Mode = "802.3ad";
|
||||
TransmitHashPolicy = "layer3+4";
|
||||
};
|
||||
};
|
||||
"40-oob" = {
|
||||
netdevConfig = {
|
||||
Kind = "bond";
|
||||
Name = "oob";
|
||||
};
|
||||
bondConfig = {
|
||||
Mode = "802.3ad";
|
||||
TransmitHashPolicy = "layer3+4";
|
||||
};
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
"40-enp1s0" = {
|
||||
name = "enp1s0";
|
||||
bond = [ "uplink" ];
|
||||
};
|
||||
"40-enp2s0" = {
|
||||
name = "enp2s0";
|
||||
bond = [ "uplink" ];
|
||||
};
|
||||
"40-enp3s0" = {
|
||||
name = "enp3s0";
|
||||
bond = [ "oob" ];
|
||||
};
|
||||
"40-enp4s0" = {
|
||||
name = "enp4s0";
|
||||
bond = [ "oob" ];
|
||||
};
|
||||
} // lib.listToAttrs (map (x: lib.nameValuePair "40-bmc${toString x}" {
|
||||
name = "bmc${toString x}";
|
||||
address = [ "192.168.1.${toString (x*4 + 1)}/30" ];
|
||||
#address = [ "192.168.${toString x}.1/24" ];
|
||||
networkConfig.DHCPServer = true;
|
||||
}) (lib.genList lib.id 12));
|
||||
};
|
||||
|
||||
networking.nftables.enable = true;
|
||||
networking.firewall.extraInputRules = ''
|
||||
iifname { "bmc*" } meta nfproto ipv4 udp dport 67 accept comment "DHCP server"
|
||||
'';
|
||||
|
||||
networking.vlans = lib.listToAttrs (map (x: lib.nameValuePair "bmc${toString x}" {
|
||||
interface = "oob";
|
||||
id = 101 + x;
|
||||
}) (lib.genList lib.id 12));
|
||||
|
||||
networking.interfaces = {
|
||||
uplink = {
|
||||
ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:584:11::2";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
|
||||
|
||||
networking.hostName = "vpn-gw";
|
||||
networking.domain = "wob01.infra.forkos.org";
|
||||
|
||||
deployment.targetHost = "2a01:584:11::2";
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
|
||||
environment.systemPackages = [ pkgs.ipmitool ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
63
hosts/wob-vpn-gw/netboot.nix
Normal file
63
hosts/wob-vpn-gw/netboot.nix
Normal file
|
@ -0,0 +1,63 @@
|
|||
{ config, lib, pkgs, nodes, modulesPath, ... }:
|
||||
|
||||
# The way the connection is established is specific to the wob01 site and the Intel S2600KPR blades.
|
||||
# Proper netboot is not possible, because while the blades and the APU board (which is the netboot
|
||||
# server here) are in the same L2 network, the uplink connection of each blade is an LACP LAG,
|
||||
# meaning that the switch on the other side will only enable the port if it sees valid LACP packets.
|
||||
# We work around this by presenting a virtual floppy drive using the "IUSB" protocol of the BMC.
|
||||
# This virtual floppy drive contains an per-blade customized initramfs which will initialize the
|
||||
# network connection including IP configuration and load the actual image off hydra.
|
||||
|
||||
let
|
||||
netboot-server-ip = "2a01:584:11::2";
|
||||
netbootNodes = lib.filterAttrs (_: node: node.config.bagel.baremetal.builders.enable && node.config.bagel.baremetal.builders.netboot) nodes;
|
||||
in {
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(lib.elem 443 config.networking.firewall.allowedTCPPorts);
|
||||
message = ''
|
||||
Port 443 is in networking.firewalls.allowedTCPPorts, but should be only manually
|
||||
allowed for specific IPs and source ports in ${builtins.toJSON __curPos}
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
systemd.services = lib.mapAttrs' (nodename: node: let
|
||||
bmcIp = "192.168.1.${toString (node.config.bagel.baremetal.builders.num * 4 + 2)}";
|
||||
notipxe = node.config.system.build.notipxe.config.system.build.usbImage;
|
||||
in lib.nameValuePair "iusb-spoof-${nodename}" {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
};
|
||||
script = ''
|
||||
AUTH_TOKEN=$(${pkgs.iusb-spoof}/bin/make-token ${bmcIp})
|
||||
exec ${pkgs.iusb-spoof}/bin/iusb-spoof -r ${bmcIp} 5123 $AUTH_TOKEN ${notipxe}
|
||||
'';
|
||||
}) netbootNodes;
|
||||
|
||||
# Since the builders are stateless, they can not store their ssh hostkeys
|
||||
networking.firewall.allowedTCPPorts = [ 80 ]; # for ACME
|
||||
networking.firewall.extraInputRules = ''
|
||||
ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
|
||||
'';
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "infra@forkos.org";
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."vpn-gw.wob01.infra.forkos.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations = lib.mapAttrs' (nodename: node: let
|
||||
ip = "2a01:584:11::1:${toString node.config.bagel.baremetal.builders.num}";
|
||||
in lib.nameValuePair "/${nodename}/" {
|
||||
root = "/var/www";
|
||||
extraConfig = ''
|
||||
allow ${ip};
|
||||
deny all;
|
||||
'';
|
||||
}) netbootNodes;
|
||||
};
|
||||
};
|
||||
}
|
14
lib/colmena-wrapper.nix
Normal file
14
lib/colmena-wrapper.nix
Normal file
|
@ -0,0 +1,14 @@
|
|||
# A wrapper for colmena that prevents accidentally deploying changes without
|
||||
# having pulled.
|
||||
{ colmena, runCommandNoCC }:
|
||||
runCommandNoCC "colmena-wrapper"
|
||||
{
|
||||
env.colmena = "${colmena}/bin/colmena";
|
||||
} ''
|
||||
mkdir -p $out
|
||||
ln -s ${colmena}/share $out/share
|
||||
mkdir $out/bin
|
||||
|
||||
substituteAll ${./colmena-wrapper.sh.in} $out/bin/colmena
|
||||
chmod +x $out/bin/colmena
|
||||
''
|
29
lib/colmena-wrapper.sh.in
Executable file
29
lib/colmena-wrapper.sh.in
Executable file
|
@ -0,0 +1,29 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
doChecks() {
|
||||
# creates refs in the refs/prefetch/remotes/origin namespace
|
||||
echo "Prefetching repo changes..." >&2
|
||||
git fetch --quiet --prefetch --no-write-fetch-head origin
|
||||
|
||||
diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
|
||||
only_in_local=$(echo "$diffs" | cut -f1)
|
||||
only_in_main=$(echo "$diffs" | cut -f2)
|
||||
|
||||
if [[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]; then
|
||||
echo >&2
|
||||
echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
|
||||
echo "This will probably revert someone's changes. Consider merging them." >&2
|
||||
echo "If you really mean it, set the environment variable FOOTGUN_ME_UWU" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ $only_in_local -gt 0 ]]; then
|
||||
echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
|
||||
fi
|
||||
}
|
||||
|
||||
if [[ $1 == 'apply' ]]; then
|
||||
doChecks
|
||||
fi
|
||||
|
||||
exec @colmena@ "$@"
|
|
@ -1,3 +1,6 @@
|
|||
[
|
||||
(import ./gerrit.nix)
|
||||
(final: prev: {
|
||||
iusb-spoof = final.callPackage ./iusb-spoof.nix {};
|
||||
u-root = final.callPackage ./u-root {};
|
||||
})
|
||||
]
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
self: super: {
|
||||
buildGerrit = self.callPackage ../pkgs/gerrit { };
|
||||
gerrit = self.buildGerrit { };
|
||||
buildGerritBazelPlugin = self.callPackage ../pkgs/gerrit_plugins/builder.nix {
|
||||
inherit (self) buildGerrit;
|
||||
};
|
||||
gerritPlugins = {
|
||||
code-owners = self.callPackage ../pkgs/gerrit_plugins/code-owners { };
|
||||
oauth = self.callPackage ../pkgs/gerrit_plugins/oauth { };
|
||||
};
|
||||
}
|
23
overlays/iusb-spoof.nix
Normal file
23
overlays/iusb-spoof.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{ rustPlatform, python3, makeWrapper }:
|
||||
let
|
||||
pythonEnv = python3.withPackages (p: with p; [ requests ]);
|
||||
in
|
||||
|
||||
rustPlatform.buildRustPackage rec {
|
||||
pname = "iusb-spoof";
|
||||
version = "0.1.0";
|
||||
|
||||
src = builtins.fetchGit {
|
||||
url = "https://git.lix.systems/the-distro/iusb-spoof/";
|
||||
rev = "fafd47986239cc2f4dfbbae74b17555608806581";
|
||||
};
|
||||
|
||||
cargoLock.lockFile = src + "/Cargo.lock";
|
||||
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
|
||||
postInstall = ''
|
||||
install -Dm644 $src/make-token.py $out/opt/make-token.py
|
||||
makeWrapper ${pythonEnv.interpreter} $out/bin/make-token --add-flags "$out/opt/make-token.py"
|
||||
'';
|
||||
}
|
20
overlays/u-root/default.nix
Normal file
20
overlays/u-root/default.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{ buildGoModule, fetchFromGitHub }:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "u-root";
|
||||
version = "0.14.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "u-root";
|
||||
repo = "u-root";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-8zA3pHf45MdUcq/MA/mf0KCTxB1viHieU/oigYwIPgo=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
./u-root-allow-https.patch
|
||||
];
|
||||
|
||||
vendorHash = null;
|
||||
doCheck = false;
|
||||
}
|
12
overlays/u-root/u-root-allow-https.patch
Normal file
12
overlays/u-root/u-root-allow-https.patch
Normal file
|
@ -0,0 +1,12 @@
|
|||
diff --git a/pkg/curl/schemes.go b/pkg/curl/schemes.go
|
||||
index 8bac3bc0..cd396cbc 100644
|
||||
--- a/pkg/curl/schemes.go
|
||||
+++ b/pkg/curl/schemes.go
|
||||
@@ -81,6 +81,7 @@ var (
|
||||
DefaultSchemes = Schemes{
|
||||
"tftp": DefaultTFTPClient,
|
||||
"http": DefaultHTTPClient,
|
||||
+ "https": DefaultHTTPClient,
|
||||
"file": &LocalFileClient{},
|
||||
}
|
||||
)
|
|
@ -0,0 +1,59 @@
|
|||
diff --git a/services/repository/branch.go b/services/repository/branch.go
|
||||
index e1a313749f..5a8d823eef 100644
|
||||
--- a/services/repository/branch.go
|
||||
+++ b/services/repository/branch.go
|
||||
@@ -26,7 +26,6 @@ import (
|
||||
"code.gitea.io/gitea/modules/timeutil"
|
||||
webhook_module "code.gitea.io/gitea/modules/webhook"
|
||||
notify_service "code.gitea.io/gitea/services/notify"
|
||||
- files_service "code.gitea.io/gitea/services/repository/files"
|
||||
|
||||
"xorm.io/builder"
|
||||
)
|
||||
@@ -129,21 +128,7 @@ func loadOneBranch(ctx context.Context, repo *repo_model.Repository, dbBranch *g
|
||||
p := protectedBranches.GetFirstMatched(branchName)
|
||||
isProtected := p != nil
|
||||
|
||||
- var divergence *git.DivergeObject
|
||||
-
|
||||
- // it's not default branch
|
||||
- if repo.DefaultBranch != dbBranch.Name && !dbBranch.IsDeleted {
|
||||
- var err error
|
||||
- divergence, err = files_service.CountDivergingCommits(ctx, repo, git.BranchPrefix+branchName)
|
||||
- if err != nil {
|
||||
- return nil, fmt.Errorf("CountDivergingCommits: %v", err)
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if divergence == nil {
|
||||
- // tolerate the error that we cannot get divergence
|
||||
- divergence = &git.DivergeObject{Ahead: -1, Behind: -1}
|
||||
- }
|
||||
+ divergence := &git.DivergeObject{Ahead: -1, Behind: -1}
|
||||
|
||||
pr, err := issues_model.GetLatestPullRequestByHeadInfo(ctx, repo.ID, branchName)
|
||||
if err != nil {
|
||||
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
|
||||
index a577fed450..e102796315 100644
|
||||
--- a/templates/repo/branch/list.tmpl
|
||||
+++ b/templates/repo/branch/list.tmpl
|
||||
@@ -102,19 +102,6 @@
|
||||
{{end}}
|
||||
</td>
|
||||
<td class="two wide ui">
|
||||
- {{if and (not .DBBranch.IsDeleted) $.DefaultBranchBranch}}
|
||||
- <div class="commit-divergence">
|
||||
- <div class="bar-group">
|
||||
- <div class="count count-behind">{{.CommitsBehind}}</div>
|
||||
- {{/* old code bears 0/0.0 = NaN output, so it might output invalid "width: NaNpx", it just works and doesn't caues any problem. */}}
|
||||
- <div class="bar bar-behind" style="width: {{Eval 100 "*" .CommitsBehind "/" "(" .CommitsBehind "+" .CommitsAhead "+" 0.0 ")"}}%"></div>
|
||||
- </div>
|
||||
- <div class="bar-group">
|
||||
- <div class="count count-ahead">{{.CommitsAhead}}</div>
|
||||
- <div class="bar bar-ahead" style="width: {{Eval 100 "*" .CommitsAhead "/" "(" .CommitsBehind "+" .CommitsAhead "+" 0.0 ")"}}%"></div>
|
||||
- </div>
|
||||
- </div>
|
||||
- {{end}}
|
||||
</td>
|
||||
<td class="two wide right aligned">
|
||||
{{if not .LatestPullRequest}}
|
|
@ -0,0 +1,32 @@
|
|||
diff --git a/routers/web/repo/commit.go b/routers/web/repo/commit.go
|
||||
index 718454e063..8fa299710c 100644
|
||||
--- a/routers/web/repo/commit.go
|
||||
+++ b/routers/web/repo/commit.go
|
||||
@@ -408,12 +408,6 @@ func Diff(ctx *context.Context) {
|
||||
}
|
||||
}
|
||||
|
||||
- ctx.Data["BranchName"], err = commit.GetBranchName()
|
||||
- if err != nil {
|
||||
- ctx.ServerError("commit.GetBranchName", err)
|
||||
- return
|
||||
- }
|
||||
-
|
||||
ctx.HTML(http.StatusOK, tplCommitPage)
|
||||
}
|
||||
|
||||
diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl
|
||||
index c37fb46975..18c9cf18f8 100644
|
||||
--- a/templates/repo/commit_page.tmpl
|
||||
+++ b/templates/repo/commit_page.tmpl
|
||||
@@ -71,8 +71,8 @@
|
||||
"branchForm" "branch-dropdown-form"
|
||||
"branchURLPrefix" (printf "%s/_cherrypick/%s/" $.RepoLink .CommitID) "branchURLSuffix" ""
|
||||
"setAction" true "submitForm" true}}
|
||||
- <form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{if $.BranchName}}{{PathEscapeSegments $.BranchName}}{{else}}{{PathEscapeSegments $.Repository.DefaultBranch}}{{end}}" id="branch-dropdown-form">
|
||||
- <input type="hidden" name="ref" value="{{if $.BranchName}}{{$.BranchName}}{{else}}{{$.Repository.DefaultBranch}}{{end}}">
|
||||
+ <form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{PathEscapeSegments $.Repository.DefaultBranch}}" id="branch-dropdown-form">
|
||||
+ <input type="hidden" name="ref" value="{{$.Repository.DefaultBranch}}">
|
||||
<input type="hidden" name="refType" value="branch">
|
||||
<input type="hidden" id="cherry-pick-type" name="cherry-pick-type"><br>
|
||||
<button type="submit" id="cherry-pick-submit" class="ui primary button"></button>
|
40
pkgs/forgejo/default.nix
Normal file
40
pkgs/forgejo/default.nix
Normal file
|
@ -0,0 +1,40 @@
|
|||
{ forgejo }:
|
||||
|
||||
forgejo.overrideAttrs (prev: {
|
||||
patches = [
|
||||
# Branch divergence calculations for a single branch may take 100-200ms on something as big
|
||||
# as nixpkgs. The branch view defaults to 20 branches for each page, taking roughtly 3s to
|
||||
# calculate each branch sequentially and render, while consuming a single core at 100%.
|
||||
# The idea is to look into making this less expensive or async.
|
||||
# But for now, to get this going, we will simply drop that metric.
|
||||
./branch-view_remove-expensive-commit-divergence-metric.patch
|
||||
|
||||
# This is literally broken and eats resources for nothing of value.
|
||||
# We should upstream this.
|
||||
# The tl;dr is: It calculates the nearest branch for the requested commit at
|
||||
# /:owner/:repo/commit/:commit to use it as the default cherry-pick target branch
|
||||
# selection in a drop-down only users with commit perms can actually view and use.
|
||||
# It's expensive to calculate and happens on every request to /commit/:commit.
|
||||
# To add insult to injury, it's hardly of any use: The nearest branch of a commit
|
||||
# will almost always be a branch that already carries the commit. The branch you
|
||||
# most likely don't want to cherry-pick to.
|
||||
./commit-view_fix-broken-and-expensive-cherry-pick-default-branch-selection.patch
|
||||
|
||||
# Disable various /:owner/:repo/activity/ sub-views. They are expensive, which is
|
||||
# totally fine and expected. There is even proper caching in place.
|
||||
# However, on a scale of nixpkgs, those calculations take ages, while, of course,
|
||||
# pinning a single CPU core at 100%.
|
||||
# For now, we will simply disable this feature.
|
||||
# Due to the 501 status code it returns, the frontend prints a "Not implemented"
|
||||
# error, saving us from patching the frontend while still providing a helpful
|
||||
# user-facing error text.
|
||||
# It should be noted that this particular status code has the downside of being
|
||||
# in the 5xx range, meaning it will show up as such in our prometheus metrics.
|
||||
./disable-expensive-repository-activity-stats.patch
|
||||
|
||||
# Migrations and pull-mirrors are something easily abused to bring a public instance to a complete halt.
|
||||
# Both features can be disabled via repository.DISABLE_MIGRATIONS and mirror.ENABLE, but we want to keep
|
||||
# this functionality for admins.
|
||||
./limit-migrations-and-pull-mirrors-to-admins.patch
|
||||
];
|
||||
})
|
|
@ -0,0 +1,34 @@
|
|||
diff --git a/routers/web/web.go b/routers/web/web.go
|
||||
index ee9694f41c..f55b8d6f62 100644
|
||||
--- a/routers/web/web.go
|
||||
+++ b/routers/web/web.go
|
||||
@@ -57,6 +57,10 @@ import (
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
)
|
||||
|
||||
+func endpointNotImplemented(ctx *context.Context) {
|
||||
+ ctx.JSON(http.StatusNotImplemented, "This endpoint has been removed due to performance issues with it and as such is not longer implemented.")
|
||||
+}
|
||||
+
|
||||
// optionsCorsHandler return a http handler which sets CORS options if enabled by config, it blocks non-CORS OPTIONS requests.
|
||||
func optionsCorsHandler() func(next http.Handler) http.Handler {
|
||||
var corsHandler func(next http.Handler) http.Handler
|
||||
@@ -1425,15 +1429,15 @@ func registerRoutes(m *web.Route) {
|
||||
m.Get("/{period}", repo.Activity)
|
||||
m.Group("/contributors", func() {
|
||||
m.Get("", repo.Contributors)
|
||||
- m.Get("/data", repo.ContributorsData)
|
||||
+ m.Get("/data", endpointNotImplemented)
|
||||
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
|
||||
m.Group("/code-frequency", func() {
|
||||
m.Get("", repo.CodeFrequency)
|
||||
- m.Get("/data", repo.CodeFrequencyData)
|
||||
+ m.Get("/data", endpointNotImplemented)
|
||||
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
|
||||
m.Group("/recent-commits", func() {
|
||||
m.Get("", repo.RecentCommits)
|
||||
- m.Get("/data", repo.RecentCommitsData)
|
||||
+ m.Get("/data", endpointNotImplemented)
|
||||
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
|
||||
}, context.RepoRef(), context.RequireRepoReaderOr(unit.TypeCode, unit.TypePullRequests, unit.TypeIssues, unit.TypeReleases))
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go
|
||||
index 2caaa130e8..455e89e93e 100644
|
||||
--- a/routers/api/v1/repo/migrate.go
|
||||
+++ b/routers/api/v1/repo/migrate.go
|
||||
@@ -12,7 +12,6 @@ import (
|
||||
|
||||
"code.gitea.io/gitea/models"
|
||||
"code.gitea.io/gitea/models/db"
|
||||
- "code.gitea.io/gitea/models/organization"
|
||||
"code.gitea.io/gitea/models/perm"
|
||||
access_model "code.gitea.io/gitea/models/perm/access"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
@@ -86,22 +85,7 @@ func Migrate(ctx *context.APIContext) {
|
||||
}
|
||||
|
||||
if !ctx.Doer.IsAdmin {
|
||||
- if !repoOwner.IsOrganization() && ctx.Doer.ID != repoOwner.ID {
|
||||
- ctx.Error(http.StatusForbidden, "", "Given user is not an organization.")
|
||||
- return
|
||||
- }
|
||||
-
|
||||
- if repoOwner.IsOrganization() {
|
||||
- // Check ownership of organization.
|
||||
- isOwner, err := organization.OrgFromUser(repoOwner).IsOwnedBy(ctx, ctx.Doer.ID)
|
||||
- if err != nil {
|
||||
- ctx.Error(http.StatusInternalServerError, "IsOwnedBy", err)
|
||||
- return
|
||||
- } else if !isOwner {
|
||||
- ctx.Error(http.StatusForbidden, "", "Given user is not owner of organization.")
|
||||
- return
|
||||
- }
|
||||
- }
|
||||
+ ctx.Error(http.StatusForbidden, "", "You need to be administrator of this Forgejo instance to be able to create mirrors.")
|
||||
}
|
||||
|
||||
remoteAddr, err := forms.ParseRemoteAddr(form.CloneAddr, form.AuthUsername, form.AuthPassword)
|
||||
diff --git a/routers/web/repo/migrate.go b/routers/web/repo/migrate.go
|
||||
index 97b0c425ea..554a470eab 100644
|
||||
--- a/routers/web/repo/migrate.go
|
||||
+++ b/routers/web/repo/migrate.go
|
||||
@@ -150,6 +150,12 @@ func handleMigrateRemoteAddrError(ctx *context.Context, err error, tpl base.TplN
|
||||
// MigratePost response for migrating from external git repository
|
||||
func MigratePost(ctx *context.Context) {
|
||||
form := web.GetForm(ctx).(*forms.MigrateRepoForm)
|
||||
+
|
||||
+ if !ctx.Doer.IsAdmin {
|
||||
+ ctx.Error(http.StatusForbidden, "MigratePost: you need to be site administrator to use migrations and mirrors")
|
||||
+ return
|
||||
+ }
|
||||
+
|
||||
if setting.Repository.DisableMigrations {
|
||||
ctx.Error(http.StatusForbidden, "MigratePost: the site administrator has disabled migrations")
|
||||
return
|
|
@ -1,37 +0,0 @@
|
|||
From 084e4f92fb58f7cd85303ba602fb3c40133c8fcc Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Thu, 2 Jul 2020 23:02:32 +0100
|
||||
Subject: [PATCH 1/3] Syntax highlight nix
|
||||
|
||||
---
|
||||
.../app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts | 1 +
|
||||
resources/com/google/gerrit/server/mime/mime-types.properties | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
||||
index a9f88bdd81..385249f280 100644
|
||||
--- a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
||||
+++ b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
||||
@@ -93,6 +93,7 @@ const LANGUAGE_MAP = new Map<string, string>([
|
||||
['text/x-vhdl', 'vhdl'],
|
||||
['text/x-yaml', 'yaml'],
|
||||
['text/vbscript', 'vbscript'],
|
||||
+ ['text/x-nix', 'nix'],
|
||||
]);
|
||||
|
||||
const CLASS_PREFIX = 'gr-diff gr-syntax gr-syntax-';
|
||||
diff --git a/resources/com/google/gerrit/server/mime/mime-types.properties b/resources/com/google/gerrit/server/mime/mime-types.properties
|
||||
index 2f9561ba2e..739818ec05 100644
|
||||
--- a/resources/com/google/gerrit/server/mime/mime-types.properties
|
||||
+++ b/resources/com/google/gerrit/server/mime/mime-types.properties
|
||||
@@ -149,6 +149,7 @@ mscin = text/x-mscgen
|
||||
msgenny = text/x-msgenny
|
||||
nb = text/x-mathematica
|
||||
nginx.conf = text/x-nginx-conf
|
||||
+nix = text/x-nix
|
||||
nsh = text/x-nsis
|
||||
nsi = text/x-nsis
|
||||
nt = text/n-triples
|
||||
--
|
||||
2.37.3
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From aedf8ac8fa5113843bcd83ff85e2d9f3bffdb16c Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Thu, 2 Jul 2020 23:02:43 +0100
|
||||
Subject: [PATCH 2/3] Syntax highlight rules.pl
|
||||
|
||||
---
|
||||
.../app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts | 1 +
|
||||
resources/com/google/gerrit/server/mime/mime-types.properties | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
||||
index 385249f280..7cb3068494 100644
|
||||
--- a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
||||
+++ b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
||||
@@ -68,6 +68,7 @@ const LANGUAGE_MAP = new Map<string, string>([
|
||||
['text/x-perl', 'perl'],
|
||||
['text/x-pgsql', 'pgsql'], // postgresql
|
||||
['text/x-php', 'php'],
|
||||
+ ['text/x-prolog', 'prolog'],
|
||||
['text/x-properties', 'properties'],
|
||||
['text/x-protobuf', 'protobuf'],
|
||||
['text/x-puppet', 'puppet'],
|
||||
diff --git a/resources/com/google/gerrit/server/mime/mime-types.properties b/resources/com/google/gerrit/server/mime/mime-types.properties
|
||||
index 739818ec05..58eb727bf9 100644
|
||||
--- a/resources/com/google/gerrit/server/mime/mime-types.properties
|
||||
+++ b/resources/com/google/gerrit/server/mime/mime-types.properties
|
||||
@@ -200,6 +200,7 @@ rq = application/sparql-query
|
||||
rs = text/x-rustsrc
|
||||
rss = application/xml
|
||||
rst = text/x-rst
|
||||
+rules.pl = text/x-prolog
|
||||
README.md = text/x-gfm
|
||||
s = text/x-gas
|
||||
sas = text/x-sas
|
||||
--
|
||||
2.37.3
|
||||
|
|
@ -1,215 +0,0 @@
|
|||
From f49c50ca9a84ca374b7bd91c171bbea0457f2c7a Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Thu, 2 Jul 2020 23:03:02 +0100
|
||||
Subject: [PATCH 3/3] Add titles to CLs over HTTP
|
||||
|
||||
---
|
||||
.../gerrit/httpd/raw/IndexHtmlUtil.java | 13 +++-
|
||||
.../google/gerrit/httpd/raw/IndexServlet.java | 8 ++-
|
||||
.../google/gerrit/httpd/raw/StaticModule.java | 5 +-
|
||||
.../gerrit/httpd/raw/TitleComputer.java | 67 +++++++++++++++++++
|
||||
.../gerrit/httpd/raw/PolyGerritIndexHtml.soy | 4 +-
|
||||
5 files changed, 89 insertions(+), 8 deletions(-)
|
||||
create mode 100644 java/com/google/gerrit/httpd/raw/TitleComputer.java
|
||||
|
||||
diff --git a/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java b/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
|
||||
index 72bfe40c3b..439bd73b44 100644
|
||||
--- a/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
|
||||
+++ b/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
|
||||
@@ -41,6 +41,7 @@ import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
+import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
|
||||
@@ -62,13 +63,14 @@ public class IndexHtmlUtil {
|
||||
String faviconPath,
|
||||
Map<String, String[]> urlParameterMap,
|
||||
Function<String, SanitizedContent> urlInScriptTagOrdainer,
|
||||
- String requestedURL)
|
||||
+ String requestedURL,
|
||||
+ TitleComputer titleComputer)
|
||||
throws URISyntaxException, RestApiException {
|
||||
ImmutableMap.Builder<String, Object> data = ImmutableMap.builder();
|
||||
data.putAll(
|
||||
staticTemplateData(
|
||||
canonicalURL, cdnPath, faviconPath, urlParameterMap, urlInScriptTagOrdainer))
|
||||
- .putAll(dynamicTemplateData(gerritApi, requestedURL));
|
||||
+ .putAll(dynamicTemplateData(gerritApi, requestedURL, titleComputer));
|
||||
Set<String> enabledExperiments = new HashSet<>();
|
||||
enabledExperiments.addAll(experimentFeatures.getEnabledExperimentFeatures());
|
||||
// Add all experiments enabled through url
|
||||
@@ -81,7 +83,8 @@ public class IndexHtmlUtil {
|
||||
|
||||
/** Returns dynamic parameters of {@code index.html}. */
|
||||
public static ImmutableMap<String, Object> dynamicTemplateData(
|
||||
- GerritApi gerritApi, String requestedURL) throws RestApiException, URISyntaxException {
|
||||
+ GerritApi gerritApi, String requestedURL, TitleComputer titleComputer)
|
||||
+ throws RestApiException, URISyntaxException {
|
||||
ImmutableMap.Builder<String, Object> data = ImmutableMap.builder();
|
||||
Map<String, SanitizedContent> initialData = new HashMap<>();
|
||||
Server serverApi = gerritApi.config().server();
|
||||
@@ -129,6 +132,10 @@ public class IndexHtmlUtil {
|
||||
}
|
||||
|
||||
data.put("gerritInitialData", initialData);
|
||||
+
|
||||
+ Optional<String> title = titleComputer.computeTitle(requestedURL);
|
||||
+ title.ifPresent(s -> data.put("title", s));
|
||||
+
|
||||
return data.build();
|
||||
}
|
||||
|
||||
diff --git a/java/com/google/gerrit/httpd/raw/IndexServlet.java b/java/com/google/gerrit/httpd/raw/IndexServlet.java
|
||||
index fcb821e5ae..e1464b992b 100644
|
||||
--- a/java/com/google/gerrit/httpd/raw/IndexServlet.java
|
||||
+++ b/java/com/google/gerrit/httpd/raw/IndexServlet.java
|
||||
@@ -48,13 +48,15 @@ public class IndexServlet extends HttpServlet {
|
||||
private final ExperimentFeatures experimentFeatures;
|
||||
private final SoySauce soySauce;
|
||||
private final Function<String, SanitizedContent> urlOrdainer;
|
||||
+ private TitleComputer titleComputer;
|
||||
|
||||
IndexServlet(
|
||||
@Nullable String canonicalUrl,
|
||||
@Nullable String cdnPath,
|
||||
@Nullable String faviconPath,
|
||||
GerritApi gerritApi,
|
||||
- ExperimentFeatures experimentFeatures) {
|
||||
+ ExperimentFeatures experimentFeatures,
|
||||
+ TitleComputer titleComputer) {
|
||||
this.canonicalUrl = canonicalUrl;
|
||||
this.cdnPath = cdnPath;
|
||||
this.faviconPath = faviconPath;
|
||||
@@ -69,6 +71,7 @@ public class IndexServlet extends HttpServlet {
|
||||
(s) ->
|
||||
UnsafeSanitizedContentOrdainer.ordainAsSafe(
|
||||
s, SanitizedContent.ContentKind.TRUSTED_RESOURCE_URI);
|
||||
+ this.titleComputer = titleComputer;
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -86,7 +89,8 @@ public class IndexServlet extends HttpServlet {
|
||||
faviconPath,
|
||||
parameterMap,
|
||||
urlOrdainer,
|
||||
- getRequestUrl(req));
|
||||
+ getRequestUrl(req),
|
||||
+ titleComputer);
|
||||
renderer = soySauce.renderTemplate("com.google.gerrit.httpd.raw.Index").setData(templateData);
|
||||
} catch (URISyntaxException | RestApiException e) {
|
||||
throw new IOException(e);
|
||||
diff --git a/java/com/google/gerrit/httpd/raw/StaticModule.java b/java/com/google/gerrit/httpd/raw/StaticModule.java
|
||||
index 15dcf42e0e..9f56bf33ce 100644
|
||||
--- a/java/com/google/gerrit/httpd/raw/StaticModule.java
|
||||
+++ b/java/com/google/gerrit/httpd/raw/StaticModule.java
|
||||
@@ -241,10 +241,11 @@ public class StaticModule extends ServletModule {
|
||||
@CanonicalWebUrl @Nullable String canonicalUrl,
|
||||
@GerritServerConfig Config cfg,
|
||||
GerritApi gerritApi,
|
||||
- ExperimentFeatures experimentFeatures) {
|
||||
+ ExperimentFeatures experimentFeatures,
|
||||
+ TitleComputer titleComputer) {
|
||||
String cdnPath = options.devCdn().orElse(cfg.getString("gerrit", null, "cdnPath"));
|
||||
String faviconPath = cfg.getString("gerrit", null, "faviconPath");
|
||||
- return new IndexServlet(canonicalUrl, cdnPath, faviconPath, gerritApi, experimentFeatures);
|
||||
+ return new IndexServlet(canonicalUrl, cdnPath, faviconPath, gerritApi, experimentFeatures, titleComputer);
|
||||
}
|
||||
|
||||
@Provides
|
||||
diff --git a/java/com/google/gerrit/httpd/raw/TitleComputer.java b/java/com/google/gerrit/httpd/raw/TitleComputer.java
|
||||
new file mode 100644
|
||||
index 0000000000..8fd2053ad0
|
||||
--- /dev/null
|
||||
+++ b/java/com/google/gerrit/httpd/raw/TitleComputer.java
|
||||
@@ -0,0 +1,67 @@
|
||||
+package com.google.gerrit.httpd.raw;
|
||||
+
|
||||
+import com.google.common.flogger.FluentLogger;
|
||||
+import com.google.gerrit.entities.Change;
|
||||
+import com.google.gerrit.extensions.restapi.ResourceConflictException;
|
||||
+import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
|
||||
+import com.google.gerrit.server.change.ChangeResource;
|
||||
+import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
+import com.google.gerrit.server.restapi.change.ChangesCollection;
|
||||
+import com.google.inject.Inject;
|
||||
+import com.google.inject.Provider;
|
||||
+import com.google.inject.Singleton;
|
||||
+
|
||||
+import java.net.MalformedURLException;
|
||||
+import java.net.URL;
|
||||
+import java.util.Optional;
|
||||
+import java.util.regex.Matcher;
|
||||
+import java.util.regex.Pattern;
|
||||
+
|
||||
+@Singleton
|
||||
+public class TitleComputer {
|
||||
+ private static final FluentLogger logger = FluentLogger.forEnclosingClass();
|
||||
+
|
||||
+ @Inject
|
||||
+ public TitleComputer(Provider<ChangesCollection> changes) {
|
||||
+ this.changes = changes;
|
||||
+ }
|
||||
+
|
||||
+ public Optional<String> computeTitle(String requestedURI) {
|
||||
+ URL url = null;
|
||||
+ try {
|
||||
+ url = new URL(requestedURI);
|
||||
+ } catch (MalformedURLException e) {
|
||||
+ logger.atWarning().log("Failed to turn %s into a URL.", requestedURI);
|
||||
+ return Optional.empty();
|
||||
+ }
|
||||
+
|
||||
+ // Try to turn this into a change.
|
||||
+ Optional<Change.Id> changeId = tryExtractChange(url.getPath());
|
||||
+ if (changeId.isPresent()) {
|
||||
+ return titleFromChangeId(changeId.get());
|
||||
+ }
|
||||
+
|
||||
+ return Optional.empty();
|
||||
+ }
|
||||
+
|
||||
+ private static final Pattern extractChangeIdRegex = Pattern.compile("^/(?:c/.*/\\+/)?(?<changeId>[0-9]+)(?:/[0-9]+)?(?:/.*)?$");
|
||||
+ private final Provider<ChangesCollection> changes;
|
||||
+
|
||||
+ private Optional<Change.Id> tryExtractChange(String path) {
|
||||
+ Matcher m = extractChangeIdRegex.matcher(path);
|
||||
+ if (!m.matches()) {
|
||||
+ return Optional.empty();
|
||||
+ }
|
||||
+ return Change.Id.tryParse(m.group("changeId"));
|
||||
+ }
|
||||
+
|
||||
+ private Optional<String> titleFromChangeId(Change.Id changeId) {
|
||||
+ ChangesCollection changesCollection = changes.get();
|
||||
+ try {
|
||||
+ ChangeResource changeResource = changesCollection.parse(changeId);
|
||||
+ return Optional.of(changeResource.getChange().getSubject());
|
||||
+ } catch (ResourceConflictException | ResourceNotFoundException | PermissionBackendException e) {
|
||||
+ return Optional.empty();
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
|
||||
index dbfef44dfe..347ee75aab 100644
|
||||
--- a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
|
||||
+++ b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
|
||||
@@ -33,10 +33,12 @@
|
||||
{@param? defaultDashboardHex: ?}
|
||||
{@param? dashboardQuery: ?}
|
||||
{@param? userIsAuthenticated: ?}
|
||||
+ {@param? title: ?}
|
||||
<!DOCTYPE html>{\n}
|
||||
<html lang="en">{\n}
|
||||
<meta charset="utf-8">{\n}
|
||||
- <meta name="description" content="Gerrit Code Review">{\n}
|
||||
+ {if $title}<title>{$title} · Gerrit Code Review</title>{\n}{/if}
|
||||
+ <meta name="description" content="{if $title}{$title} · {/if}Gerrit Code Review">{\n}
|
||||
<meta name="referrer" content="never">{\n}
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">{\n}
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
|
@ -1,152 +0,0 @@
|
|||
{ buildFHSUserEnv, writeShellScriptBin, buildBazelPackage, fetchgit, unzip }:
|
||||
{ name ? "gerrit-${version}", version ? "3.9.1", src ? (fetchgit {
|
||||
url = "https://gerrit.googlesource.com/gerrit";
|
||||
rev = "620a819cbf3c64fff7a66798822775ad42c91d8e";
|
||||
branchName = "v${version}";
|
||||
sha256 = "sha256:1mdxbgnx3mpxand4wq96ic38bb4yh45q271h40jrk7dk23sgmz02";
|
||||
fetchSubmodules = true;
|
||||
}), bazelTargets ? [ "release" "api-skip-javadoc" ]
|
||||
}:
|
||||
let
|
||||
bazelRunScript = writeShellScriptBin "bazel-run" ''
|
||||
yarn config set cache-folder "$bazelOut/external/yarn_cache"
|
||||
export HOME="$bazelOut/external/home"
|
||||
mkdir -p "$bazelOut/external/home"
|
||||
exec /bin/bazel "$@"
|
||||
'';
|
||||
bazelTop = buildFHSUserEnv {
|
||||
name = "bazel";
|
||||
targetPkgs = pkgs: [
|
||||
(pkgs.bazel_5.override { enableNixHacks = true; })
|
||||
pkgs.jdk17_headless
|
||||
pkgs.zlib
|
||||
pkgs.python3
|
||||
pkgs.curl
|
||||
pkgs.nodejs
|
||||
pkgs.yarn
|
||||
pkgs.git
|
||||
bazelRunScript
|
||||
];
|
||||
runScript = "/bin/bazel-run";
|
||||
};
|
||||
bazel = bazelTop // { override = x: bazelTop; };
|
||||
in
|
||||
buildBazelPackage {
|
||||
inherit name version src;
|
||||
|
||||
patches = [
|
||||
./0001-Syntax-highlight-nix.patch
|
||||
./0002-Syntax-highlight-rules.pl.patch
|
||||
./0003-Add-titles-to-CLs-over-HTTP.patch
|
||||
];
|
||||
|
||||
inherit bazel bazelTargets;
|
||||
|
||||
bazelFlags = [
|
||||
"--repository_cache="
|
||||
"--disk_cache="
|
||||
];
|
||||
|
||||
removeRulesCC = false;
|
||||
fetchConfigured = true;
|
||||
|
||||
fetchAttrs = {
|
||||
sha256 = "sha256-rsYQR6/RO5NM3/fnB3lEmbz876B59QWxWpE3M/Z4rK4=";
|
||||
preBuild = ''
|
||||
rm .bazelversion
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
# Remove all built in external workspaces, Bazel will recreate them when building
|
||||
rm -rf $bazelOut/external/{bazel_tools,\@bazel_tools.marker}
|
||||
rm -rf $bazelOut/external/{embedded_jdk,\@embedded_jdk.marker}
|
||||
rm -rf $bazelOut/external/{local_config_cc,\@local_config_cc.marker}
|
||||
rm -rf $bazelOut/external/{local_*,\@local_*.marker}
|
||||
|
||||
# Clear markers
|
||||
find $bazelOut/external -name '@*\.marker' -exec sh -c 'echo > {}' \;
|
||||
|
||||
# Remove all vcs files
|
||||
rm -rf $(find $bazelOut/external -type d -name .git)
|
||||
rm -rf $(find $bazelOut/external -type d -name .svn)
|
||||
rm -rf $(find $bazelOut/external -type d -name .hg)
|
||||
|
||||
# Removing top-level symlinks along with their markers.
|
||||
# This is needed because they sometimes point to temporary paths (?).
|
||||
# For example, in Tensorflow-gpu build:
|
||||
#sha256:06bmzbcb9717s4b016kcbn8nr9pgaz04i8bnzg7ybkbdwpl8vxvv"; platforms -> NIX_BUILD_TOP/tmp/install/35282f5123611afa742331368e9ae529/_embedded_binaries/platforms
|
||||
find $bazelOut/external -maxdepth 1 -type l | while read symlink; do
|
||||
name="$(basename "$symlink")"
|
||||
rm -rf "$symlink" "$bazelOut/external/@$name.marker"
|
||||
done
|
||||
|
||||
# Patching symlinks to remove build directory reference
|
||||
find $bazelOut/external -type l | while read symlink; do
|
||||
new_target="$(readlink "$symlink" | sed "s,$NIX_BUILD_TOP,NIX_BUILD_TOP,")"
|
||||
rm "$symlink"
|
||||
ln -sf "$new_target" "$symlink"
|
||||
done
|
||||
|
||||
echo '${bazel.name}' > $bazelOut/external/.nix-bazel-version
|
||||
|
||||
# Gerrit fixups:
|
||||
# Normalize permissions on .yarn-{tarball,metadata} files
|
||||
test -d $bazelOut/external/yarn_cache && find $bazelOut/external/yarn_cache \( -name .yarn-tarball.tgz -or -name .yarn-metadata.json \) -exec chmod 644 {} +
|
||||
|
||||
mkdir $bazelOut/_bits/
|
||||
find . -name node_modules -prune -print | while read d; do
|
||||
echo "$d" "$(dirname $d)"
|
||||
mkdir -p $bazelOut/_bits/$(dirname $d)
|
||||
cp -R "$d" "$bazelOut/_bits/$(dirname $d)/node_modules"
|
||||
done
|
||||
|
||||
(cd $bazelOut/ && tar czf $out --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner external/ _bits/)
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
};
|
||||
|
||||
buildAttrs = {
|
||||
preConfigure = ''
|
||||
rm .bazelversion
|
||||
|
||||
[ "$(ls -A $bazelOut/_bits)" ] && cp -R $bazelOut/_bits/* ./ || true
|
||||
'';
|
||||
postPatch = ''
|
||||
# Disable all errorprone checks, since we might be using a different version.
|
||||
sed -i \
|
||||
-e '/-Xep:/d' \
|
||||
-e '/-XepExcludedPaths:/a "-XepDisableAllChecks",' \
|
||||
tools/BUILD
|
||||
'';
|
||||
installPhase = ''
|
||||
mkdir -p "$out"/webapps/ "$out"/share/api/
|
||||
cp bazel-bin/release.war "$out"/webapps/gerrit-${version}.war
|
||||
unzip bazel-bin/api-skip-javadoc.zip -d "$out"/share/api
|
||||
'';
|
||||
|
||||
nativeBuildInputs = [
|
||||
unzip
|
||||
];
|
||||
};
|
||||
|
||||
passthru = {
|
||||
# A list of plugins that are part of the gerrit.war file.
|
||||
# Use `java -jar gerrit.war ls | grep -Po '(?<=plugins/)[^.]+' | sed -e 's,^,",' -e 's,$,",' | sort` to generate that list.
|
||||
plugins = [
|
||||
"codemirror-editor"
|
||||
"commit-message-length-validator"
|
||||
"delete-project"
|
||||
"download-commands"
|
||||
"gitiles"
|
||||
"hooks"
|
||||
"plugin-manager"
|
||||
"replication"
|
||||
"reviewnotes"
|
||||
"singleusergroup"
|
||||
"webhooks"
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,97 +0,0 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"archive/zip"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strings"
|
||||
)
|
||||
|
||||
var (
|
||||
exclude = flag.String("exclude", "", "comma-separated list of filenames to exclude (in any directory)")
|
||||
)
|
||||
|
||||
func init() {
|
||||
flag.Usage = func() {
|
||||
fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s [zip file] [directory]:\n", os.Args[0])
|
||||
flag.PrintDefaults()
|
||||
}
|
||||
}
|
||||
|
||||
func listToMap(ss []string) map[string]bool {
|
||||
m := make(map[string]bool)
|
||||
for _, s := range ss {
|
||||
m[s] = true
|
||||
}
|
||||
return m
|
||||
}
|
||||
|
||||
func main() {
|
||||
flag.Parse()
|
||||
if flag.NArg() != 2 {
|
||||
flag.Usage()
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
outPath := flag.Arg(0)
|
||||
dirPath := flag.Arg(1)
|
||||
|
||||
excludeFiles := listToMap(strings.Split(*exclude, ","))
|
||||
|
||||
// Aggregate all files first.
|
||||
var files []string
|
||||
filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if info.IsDir() {
|
||||
return nil
|
||||
}
|
||||
if excludeFiles[info.Name()] {
|
||||
return nil
|
||||
}
|
||||
files = append(files, path)
|
||||
return nil
|
||||
})
|
||||
|
||||
// Create zip
|
||||
outW, err := os.Create(outPath)
|
||||
if err != nil {
|
||||
log.Fatalf("Create(%q): %v", outPath, err)
|
||||
}
|
||||
|
||||
zipW := zip.NewWriter(outW)
|
||||
|
||||
// Output files in alphabetical order
|
||||
sort.Strings(files)
|
||||
for _, f := range files {
|
||||
fw, err := zipW.CreateHeader(&zip.FileHeader{
|
||||
Name: f,
|
||||
Method: zip.Store,
|
||||
})
|
||||
if err != nil {
|
||||
log.Fatalf("creating %q in zip: %v", f, err)
|
||||
}
|
||||
|
||||
ff, err := os.Open(f)
|
||||
if err != nil {
|
||||
log.Fatalf("opening %q: %v", f, err)
|
||||
}
|
||||
if _, err := io.Copy(fw, ff); err != nil {
|
||||
log.Fatalf("copying %q to zip: %v", f, err)
|
||||
}
|
||||
ff.Close()
|
||||
}
|
||||
|
||||
if err := zipW.Close(); err != nil {
|
||||
log.Fatalf("writing ZIP central directory: %v", err)
|
||||
}
|
||||
if err := outW.Close(); err != nil {
|
||||
log.Fatalf("closing ZIP file: %v", err)
|
||||
}
|
||||
}
|
|
@ -1,36 +0,0 @@
|
|||
{ buildGerrit, gerrit, runCommandLocal, lib }:
|
||||
{ name
|
||||
, src
|
||||
, depsOutputHash
|
||||
, overlayPluginCmd ? ''
|
||||
cp -R "${src}" "$out/plugins/${name}"
|
||||
''
|
||||
, postPatch ? ""
|
||||
, patches ? [ ]
|
||||
}: (buildGerrit {
|
||||
name = "${name}.jar";
|
||||
|
||||
src = runCommandLocal "${name}-src" { } ''
|
||||
cp -R "${gerrit.src}" "$out"
|
||||
chmod +w "$out/plugins"
|
||||
${overlayPluginCmd}
|
||||
'';
|
||||
|
||||
bazelTargets = [ "//plugins/${name}" ];
|
||||
}).overrideAttrs (super: {
|
||||
deps = super.deps.overrideAttrs (superDeps: {
|
||||
outputHash = depsOutputHash;
|
||||
});
|
||||
installPhase = ''
|
||||
cp "bazel-bin/plugins/${name}/${name}.jar" "$out"
|
||||
'';
|
||||
postPatch = ''
|
||||
${super.postPatch or ""}
|
||||
pushd "plugins/${name}"
|
||||
${lib.concatMapStringsSep "\n" (patch: ''
|
||||
patch -p1 < ${patch}
|
||||
'') patches}
|
||||
popd
|
||||
${postPatch}
|
||||
'';
|
||||
})
|
|
@ -1,14 +0,0 @@
|
|||
{ fetchgit, buildGerritBazelPlugin, lib }:
|
||||
|
||||
buildGerritBazelPlugin {
|
||||
name = "code-owners";
|
||||
depsOutputHash = "sha256-Ee2n7R/vi91drR+dNYB0QnGiiqcmz9/pynHhV9yDxdE=";
|
||||
src = fetchgit {
|
||||
url = "https://gerrit.googlesource.com/plugins/code-owners";
|
||||
rev = "e654ae5bda2085bce9a99942bec440e004a114f3";
|
||||
sha256 = "sha256:14d3x3iqskgw16pvyaa0swh252agj84p9pzlf24l8lgx9d7y4biz";
|
||||
};
|
||||
patches = [
|
||||
./using-usernames.patch
|
||||
];
|
||||
}
|
|
@ -1,472 +0,0 @@
|
|||
commit 29ace6c38ac513f7ec56ca425230d5712c081043
|
||||
Author: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Wed Sep 21 03:15:38 2022 +0100
|
||||
|
||||
Add support for usernames and groups
|
||||
|
||||
Change-Id: I3ba8527f66216d08e555a6ac4451fe0d1e090de5
|
||||
|
||||
diff --git a/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java b/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
|
||||
index 70009591..6dc596c9 100644
|
||||
--- a/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
|
||||
+++ b/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
|
||||
@@ -17,6 +17,8 @@ package com.google.gerrit.plugins.codeowners.backend;
|
||||
import static com.google.common.base.Preconditions.checkState;
|
||||
import static com.google.common.collect.ImmutableMap.toImmutableMap;
|
||||
import static com.google.common.collect.ImmutableSet.toImmutableSet;
|
||||
+import static com.google.common.collect.ImmutableSetMultimap.flatteningToImmutableSetMultimap;
|
||||
+import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
|
||||
import static com.google.gerrit.plugins.codeowners.backend.CodeOwnersInternalServerErrorException.newInternalServerError;
|
||||
import static java.util.Objects.requireNonNull;
|
||||
|
||||
@@ -25,6 +27,7 @@ import com.google.common.collect.ImmutableList;
|
||||
import com.google.common.collect.ImmutableMap;
|
||||
import com.google.common.collect.ImmutableMultimap;
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
+import com.google.common.collect.ImmutableSetMultimap;
|
||||
import com.google.common.collect.Iterables;
|
||||
import com.google.common.collect.Streams;
|
||||
import com.google.common.flogger.FluentLogger;
|
||||
@@ -33,17 +36,24 @@ import com.google.gerrit.entities.Project;
|
||||
import com.google.gerrit.metrics.Timer0;
|
||||
import com.google.gerrit.plugins.codeowners.backend.config.CodeOwnersPluginConfiguration;
|
||||
import com.google.gerrit.plugins.codeowners.metrics.CodeOwnerMetrics;
|
||||
+import com.google.gerrit.server.AnonymousUser;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.account.AccountCache;
|
||||
import com.google.gerrit.server.account.AccountControl;
|
||||
import com.google.gerrit.server.account.AccountState;
|
||||
+import com.google.gerrit.server.account.GroupBackend;
|
||||
+import com.google.gerrit.server.account.GroupBackends;
|
||||
+import com.google.gerrit.server.account.InternalGroupBackend;
|
||||
import com.google.gerrit.server.account.externalids.ExternalId;
|
||||
import com.google.gerrit.server.account.externalids.ExternalIdCache;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
+import com.google.gerrit.server.util.RequestContext;
|
||||
+import com.google.gerrit.server.util.ThreadLocalRequestContext;
|
||||
import com.google.inject.Inject;
|
||||
+import com.google.inject.OutOfScopeException;
|
||||
import com.google.inject.Provider;
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Path;
|
||||
@@ -102,6 +112,8 @@ public class CodeOwnerResolver {
|
||||
|
||||
@VisibleForTesting public static final String ALL_USERS_WILDCARD = "*";
|
||||
|
||||
+ public static final String GROUP_PREFIX = "group:";
|
||||
+
|
||||
private final CodeOwnersPluginConfiguration codeOwnersPluginConfiguration;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<CurrentUser> currentUser;
|
||||
@@ -112,6 +124,8 @@ public class CodeOwnerResolver {
|
||||
private final CodeOwnerMetrics codeOwnerMetrics;
|
||||
private final UnresolvedImportFormatter unresolvedImportFormatter;
|
||||
private final TransientCodeOwnerCache transientCodeOwnerCache;
|
||||
+ private final InternalGroupBackend groupBackend;
|
||||
+ private final ThreadLocalRequestContext context;
|
||||
|
||||
// Enforce visibility by default.
|
||||
private boolean enforceVisibility = true;
|
||||
@@ -132,7 +146,9 @@ public class CodeOwnerResolver {
|
||||
PathCodeOwners.Factory pathCodeOwnersFactory,
|
||||
CodeOwnerMetrics codeOwnerMetrics,
|
||||
UnresolvedImportFormatter unresolvedImportFormatter,
|
||||
- TransientCodeOwnerCache transientCodeOwnerCache) {
|
||||
+ TransientCodeOwnerCache transientCodeOwnerCache,
|
||||
+ InternalGroupBackend groupBackend,
|
||||
+ ThreadLocalRequestContext context) {
|
||||
this.codeOwnersPluginConfiguration = codeOwnersPluginConfiguration;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.currentUser = currentUser;
|
||||
@@ -143,6 +159,8 @@ public class CodeOwnerResolver {
|
||||
this.codeOwnerMetrics = codeOwnerMetrics;
|
||||
this.unresolvedImportFormatter = unresolvedImportFormatter;
|
||||
this.transientCodeOwnerCache = transientCodeOwnerCache;
|
||||
+ this.groupBackend = groupBackend;
|
||||
+ this.context = context;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -361,6 +379,12 @@ public class CodeOwnerResolver {
|
||||
"cannot resolve code owner email %s: no account with this email exists",
|
||||
CodeOwnerResolver.ALL_USERS_WILDCARD));
|
||||
}
|
||||
+ if (codeOwnerReference.email().startsWith(GROUP_PREFIX)) {
|
||||
+ return OptionalResultWithMessages.createEmpty(
|
||||
+ String.format(
|
||||
+ "cannot resolve code owner email %s: this is a group",
|
||||
+ codeOwnerReference.email()));
|
||||
+ }
|
||||
|
||||
ImmutableList.Builder<String> messageBuilder = ImmutableList.builder();
|
||||
AtomicBoolean ownedByAllUsers = new AtomicBoolean(false);
|
||||
@@ -405,9 +429,53 @@ public class CodeOwnerResolver {
|
||||
ImmutableMultimap<CodeOwnerReference, CodeOwnerAnnotation> annotations) {
|
||||
requireNonNull(codeOwnerReferences, "codeOwnerReferences");
|
||||
|
||||
+ ImmutableSet<String> groupsToResolve =
|
||||
+ codeOwnerReferences.stream()
|
||||
+ .map(CodeOwnerReference::email)
|
||||
+ .filter(ref -> ref.startsWith(GROUP_PREFIX))
|
||||
+ .map(ref -> ref.substring(GROUP_PREFIX.length()))
|
||||
+ .collect(toImmutableSet());
|
||||
+
|
||||
+ // When we call GroupBackends.findExactSuggestion we need to ensure that we
|
||||
+ // have a user in context. This is because the suggestion backend is
|
||||
+ // likely to want to try to check that we can actually see the group it's
|
||||
+ // returning (which we also check for explicitly, because I have trust
|
||||
+ // issues).
|
||||
+ RequestContext oldCtx = context.getContext();
|
||||
+ // Check if we have a user in the context at all...
|
||||
+ try {
|
||||
+ oldCtx.getUser();
|
||||
+ } catch (OutOfScopeException | NullPointerException e) {
|
||||
+ // Nope.
|
||||
+ RequestContext newCtx = () -> {
|
||||
+ return new AnonymousUser();
|
||||
+ };
|
||||
+ context.setContext(newCtx);
|
||||
+ }
|
||||
+ ImmutableSetMultimap<String, CodeOwner> resolvedGroups = null;
|
||||
+ try {
|
||||
+ resolvedGroups =
|
||||
+ groupsToResolve.stream()
|
||||
+ .map(groupName -> GroupBackends.findExactSuggestion(groupBackend, groupName))
|
||||
+ .filter(groupRef -> groupRef != null)
|
||||
+ .filter(groupRef -> groupBackend.isVisibleToAll(groupRef.getUUID()))
|
||||
+ .map(groupRef -> groupBackend.get(groupRef.getUUID()))
|
||||
+ .collect(flatteningToImmutableSetMultimap(
|
||||
+ groupRef -> GROUP_PREFIX + groupRef.getName(),
|
||||
+ groupRef -> accountCache
|
||||
+ .get(ImmutableSet.copyOf(groupRef.getMembers()))
|
||||
+ .values().stream()
|
||||
+ .map(accountState -> CodeOwner.create(accountState.account().id()))));
|
||||
+ } finally {
|
||||
+ context.setContext(oldCtx);
|
||||
+ }
|
||||
+ ImmutableSetMultimap<CodeOwner, String> usersToGroups =
|
||||
+ resolvedGroups.inverse();
|
||||
+
|
||||
ImmutableSet<String> emailsToResolve =
|
||||
codeOwnerReferences.stream()
|
||||
.map(CodeOwnerReference::email)
|
||||
+ .filter(ref -> !ref.startsWith(GROUP_PREFIX))
|
||||
.filter(filterOutAllUsersWildCard(ownedByAllUsers))
|
||||
.collect(toImmutableSet());
|
||||
|
||||
@@ -442,7 +510,8 @@ public class CodeOwnerResolver {
|
||||
ImmutableMap<String, CodeOwner> codeOwnersByEmail =
|
||||
accountsByEmail.map(mapToCodeOwner()).collect(toImmutableMap(Pair::key, Pair::value));
|
||||
|
||||
- if (codeOwnersByEmail.keySet().size() < emailsToResolve.size()) {
|
||||
+ if (codeOwnersByEmail.keySet().size() < emailsToResolve.size() ||
|
||||
+ resolvedGroups.keySet().size() < groupsToResolve.size()) {
|
||||
hasUnresolvedCodeOwners.set(true);
|
||||
}
|
||||
|
||||
@@ -456,7 +525,9 @@ public class CodeOwnerResolver {
|
||||
cachedCodeOwnersByEmail.entrySet().stream()
|
||||
.filter(e -> e.getValue().isPresent())
|
||||
.map(e -> Pair.of(e.getKey(), e.getValue().get()));
|
||||
- Streams.concat(newlyResolvedCodeOwnersStream, cachedCodeOwnersStream)
|
||||
+ Stream<Pair<String, CodeOwner>> resolvedGroupsCodeOwnersStream =
|
||||
+ resolvedGroups.entries().stream().map(e -> Pair.of(e.getKey(), e.getValue()));
|
||||
+ Streams.concat(Streams.concat(newlyResolvedCodeOwnersStream, cachedCodeOwnersStream), resolvedGroupsCodeOwnersStream)
|
||||
.forEach(
|
||||
p -> {
|
||||
ImmutableSet.Builder<CodeOwnerAnnotation> annotationBuilder = ImmutableSet.builder();
|
||||
@@ -467,6 +538,12 @@ public class CodeOwnerResolver {
|
||||
annotationBuilder.addAll(
|
||||
annotations.get(CodeOwnerReference.create(ALL_USERS_WILDCARD)));
|
||||
|
||||
+ // annotations for the groups this user is in apply as well
|
||||
+ for (String group : usersToGroups.get(p.value())) {
|
||||
+ annotationBuilder.addAll(
|
||||
+ annotations.get(CodeOwnerReference.create(group)));
|
||||
+ }
|
||||
+
|
||||
if (!codeOwnersWithAnnotations.containsKey(p.value())) {
|
||||
codeOwnersWithAnnotations.put(p.value(), new HashSet<>());
|
||||
}
|
||||
@@ -570,7 +647,7 @@ public class CodeOwnerResolver {
|
||||
}
|
||||
|
||||
messages.add(String.format("email %s has no domain", email));
|
||||
- return false;
|
||||
+ return true; // TVL: we allow domain-less strings which are treated as usernames.
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -585,11 +662,29 @@ public class CodeOwnerResolver {
|
||||
*/
|
||||
private ImmutableMap<String, Collection<ExternalId>> lookupExternalIds(
|
||||
ImmutableList.Builder<String> messages, ImmutableSet<String> emails) {
|
||||
+ String[] actualEmails = emails.stream()
|
||||
+ .filter(email -> email.contains("@"))
|
||||
+ .toArray(String[]::new);
|
||||
+ ImmutableSet<String> usernames = emails.stream()
|
||||
+ .filter(email -> !email.contains("@"))
|
||||
+ .collect(ImmutableSet.toImmutableSet());
|
||||
try {
|
||||
- ImmutableMap<String, Collection<ExternalId>> extIdsByEmail =
|
||||
- externalIdCache.byEmails(emails.toArray(new String[0])).asMap();
|
||||
+ ImmutableMap<String, Collection<ExternalId>> extIds =
|
||||
+ new ImmutableMap.Builder<String, Collection<ExternalId>>()
|
||||
+ .putAll(externalIdCache.byEmails(actualEmails).asMap())
|
||||
+ .putAll(externalIdCache.allByAccount().entries().stream()
|
||||
+ .map(entry -> entry.getValue())
|
||||
+ .filter(externalId ->
|
||||
+ externalId.key().scheme() != null &&
|
||||
+ externalId.key().isScheme(ExternalId.SCHEME_USERNAME) &&
|
||||
+ usernames.contains(externalId.key().id()))
|
||||
+ .collect(toImmutableSetMultimap(
|
||||
+ externalId -> externalId.key().id(),
|
||||
+ externalId -> externalId))
|
||||
+ .asMap())
|
||||
+ .build();
|
||||
emails.stream()
|
||||
- .filter(email -> !extIdsByEmail.containsKey(email))
|
||||
+ .filter(email -> !extIds.containsKey(email))
|
||||
.forEach(
|
||||
email -> {
|
||||
transientCodeOwnerCache.cacheNonResolvable(email);
|
||||
@@ -598,7 +693,7 @@ public class CodeOwnerResolver {
|
||||
"cannot resolve code owner email %s: no account with this email exists",
|
||||
email));
|
||||
});
|
||||
- return extIdsByEmail;
|
||||
+ return extIds;
|
||||
} catch (IOException e) {
|
||||
throw newInternalServerError(
|
||||
String.format("cannot resolve code owner emails: %s", emails), e);
|
||||
@@ -815,6 +910,15 @@ public class CodeOwnerResolver {
|
||||
user != null ? user.getLoggableName() : currentUser.get().getLoggableName()));
|
||||
return true;
|
||||
}
|
||||
+ if (!email.contains("@")) {
|
||||
+ // the email is the username of the account, or a group, or something else.
|
||||
+ messages.add(
|
||||
+ String.format(
|
||||
+ "account %s is visible to user %s",
|
||||
+ accountState.account().id(),
|
||||
+ user != null ? user.getLoggableName() : currentUser.get().getLoggableName()));
|
||||
+ return true;
|
||||
+ }
|
||||
|
||||
if (user != null) {
|
||||
if (user.hasEmailAddress(email)) {
|
||||
diff --git a/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java b/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
|
||||
index 5f350998..7977ba55 100644
|
||||
--- a/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
|
||||
+++ b/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
|
||||
@@ -149,7 +149,8 @@ public class FindOwnersCodeOwnerConfigParser implements CodeOwnerConfigParser {
|
||||
private static final String EOL = "[\\s]*(#.*)?$"; // end-of-line
|
||||
private static final String GLOB = "[^\\s,=]+"; // a file glob
|
||||
|
||||
- private static final String EMAIL_OR_STAR = "([^\\s<>@,]+@[^\\s<>@#,]+|\\*)";
|
||||
+ // Also allows usernames, and group:$GROUP_NAME.
|
||||
+ private static final String EMAIL_OR_STAR = "([^\\s<>@,]+@[^\\s<>@#,]+?|\\*|[a-zA-Z0-9_\\-]+|group:[a-zA-Z0-9_\\-]+)";
|
||||
private static final String EMAIL_LIST =
|
||||
"(" + EMAIL_OR_STAR + "(" + COMMA + EMAIL_OR_STAR + ")*)";
|
||||
|
||||
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
|
||||
index 7ec92959..59cf7e05 100644
|
||||
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
|
||||
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
|
||||
@@ -424,7 +424,7 @@ public abstract class AbstractFileBasedCodeOwnerBackendTest extends AbstractCode
|
||||
.commit()
|
||||
.parent(head)
|
||||
.message("Add invalid test code owner config")
|
||||
- .add(JgitPath.of(codeOwnerConfigKey.filePath(getFileName())).get(), "INVALID"));
|
||||
+ .add(JgitPath.of(codeOwnerConfigKey.filePath(getFileName())).get(), "INVALID!"));
|
||||
}
|
||||
|
||||
// Try to update the code owner config.
|
||||
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
|
||||
index 6171aca9..37699012 100644
|
||||
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
|
||||
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
|
||||
@@ -24,8 +24,10 @@ import com.google.gerrit.acceptance.TestAccount;
|
||||
import com.google.gerrit.acceptance.TestMetricMaker;
|
||||
import com.google.gerrit.acceptance.config.GerritConfig;
|
||||
import com.google.gerrit.acceptance.testsuite.account.AccountOperations;
|
||||
+import com.google.gerrit.acceptance.testsuite.group.GroupOperations;
|
||||
import com.google.gerrit.acceptance.testsuite.request.RequestScopeOperations;
|
||||
import com.google.gerrit.entities.Account;
|
||||
+import com.google.gerrit.entities.AccountGroup;
|
||||
import com.google.gerrit.plugins.codeowners.acceptance.AbstractCodeOwnersTest;
|
||||
import com.google.gerrit.server.ServerInitiated;
|
||||
import com.google.gerrit.server.account.AccountsUpdate;
|
||||
@@ -51,6 +53,7 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
||||
@Inject private RequestScopeOperations requestScopeOperations;
|
||||
@Inject @ServerInitiated private Provider<AccountsUpdate> accountsUpdate;
|
||||
@Inject private AccountOperations accountOperations;
|
||||
+ @Inject private GroupOperations groupOperations;
|
||||
@Inject private ExternalIdNotes.Factory externalIdNotesFactory;
|
||||
@Inject private TestMetricMaker testMetricMaker;
|
||||
@Inject private ExternalIdFactory externalIdFactory;
|
||||
@@ -112,6 +115,18 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
||||
.contains(String.format("account %s is visible to user %s", admin.id(), admin.username()));
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void resolveCodeOwnerReferenceForUsername() throws Exception {
|
||||
+ OptionalResultWithMessages<CodeOwner> result =
|
||||
+ codeOwnerResolverProvider
|
||||
+ .get()
|
||||
+ .resolveWithMessages(CodeOwnerReference.create(admin.username()));
|
||||
+ assertThat(result.get()).hasAccountIdThat().isEqualTo(admin.id());
|
||||
+ assertThat(result)
|
||||
+ .hasMessagesThat()
|
||||
+ .contains(String.format("account %s is visible to user %s", admin.id(), admin.username()));
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void cannotResolveCodeOwnerReferenceForStarAsEmail() throws Exception {
|
||||
OptionalResultWithMessages<CodeOwner> result =
|
||||
@@ -127,6 +142,18 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
||||
CodeOwnerResolver.ALL_USERS_WILDCARD));
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void cannotResolveCodeOwnerReferenceForGroup() throws Exception {
|
||||
+ OptionalResultWithMessages<CodeOwner> result =
|
||||
+ codeOwnerResolverProvider
|
||||
+ .get()
|
||||
+ .resolveWithMessages(CodeOwnerReference.create("group:Administrators"));
|
||||
+ assertThat(result).isEmpty();
|
||||
+ assertThat(result)
|
||||
+ .hasMessagesThat()
|
||||
+ .contains("cannot resolve code owner email group:Administrators: this is a group");
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void resolveCodeOwnerReferenceForAmbiguousEmailIfOtherAccountIsInactive()
|
||||
throws Exception {
|
||||
@@ -397,6 +424,64 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
||||
assertThat(result.hasUnresolvedCodeOwners()).isFalse();
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void resolvePathCodeOwnersWhenNonVisibleGroupIsUsed() throws Exception {
|
||||
+ CodeOwnerConfig codeOwnerConfig =
|
||||
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
|
||||
+ .addCodeOwnerSet(
|
||||
+ CodeOwnerSet.createWithoutPathExpressions("group:Administrators"))
|
||||
+ .build();
|
||||
+
|
||||
+ CodeOwnerResolverResult result =
|
||||
+ codeOwnerResolverProvider
|
||||
+ .get()
|
||||
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
|
||||
+ assertThat(result.codeOwnersAccountIds()).isEmpty();
|
||||
+ assertThat(result.ownedByAllUsers()).isFalse();
|
||||
+ assertThat(result.hasUnresolvedCodeOwners()).isTrue();
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void resolvePathCodeOwnersWhenVisibleGroupIsUsed() throws Exception {
|
||||
+ AccountGroup.UUID createdGroupUUID = groupOperations
|
||||
+ .newGroup()
|
||||
+ .name("VisibleGroup")
|
||||
+ .visibleToAll(true)
|
||||
+ .addMember(admin.id())
|
||||
+ .create();
|
||||
+
|
||||
+ CodeOwnerConfig codeOwnerConfig =
|
||||
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
|
||||
+ .addCodeOwnerSet(
|
||||
+ CodeOwnerSet.createWithoutPathExpressions("group:VisibleGroup"))
|
||||
+ .build();
|
||||
+
|
||||
+ CodeOwnerResolverResult result =
|
||||
+ codeOwnerResolverProvider
|
||||
+ .get()
|
||||
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
|
||||
+ assertThat(result.codeOwnersAccountIds()).containsExactly(admin.id());
|
||||
+ assertThat(result.ownedByAllUsers()).isFalse();
|
||||
+ assertThat(result.hasUnresolvedCodeOwners()).isFalse();
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void resolvePathCodeOwnersWhenUsernameIsUsed() throws Exception {
|
||||
+ CodeOwnerConfig codeOwnerConfig =
|
||||
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
|
||||
+ .addCodeOwnerSet(
|
||||
+ CodeOwnerSet.createWithoutPathExpressions(admin.username()))
|
||||
+ .build();
|
||||
+
|
||||
+ CodeOwnerResolverResult result =
|
||||
+ codeOwnerResolverProvider
|
||||
+ .get()
|
||||
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
|
||||
+ assertThat(result.codeOwnersAccountIds()).containsExactly(admin.id());
|
||||
+ assertThat(result.ownedByAllUsers()).isFalse();
|
||||
+ assertThat(result.hasUnresolvedCodeOwners()).isFalse();
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void resolvePathCodeOwnersNonResolvableCodeOwnersAreFilteredOut() throws Exception {
|
||||
CodeOwnerConfig codeOwnerConfig =
|
||||
@@ -655,7 +740,7 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
||||
"domain example.com of email foo@example.org@example.com is allowed");
|
||||
assertIsEmailDomainAllowed(
|
||||
"foo@example.org", false, "domain example.org of email foo@example.org is not allowed");
|
||||
- assertIsEmailDomainAllowed("foo", false, "email foo has no domain");
|
||||
+ assertIsEmailDomainAllowed("foo", true, "email foo has no domain");
|
||||
assertIsEmailDomainAllowed(
|
||||
"foo@example.com@example.org",
|
||||
false,
|
||||
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
|
||||
index 260e635e..7aab99d0 100644
|
||||
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
|
||||
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
|
||||
@@ -158,16 +158,42 @@ public class FindOwnersCodeOwnerConfigParserTest extends AbstractCodeOwnerConfig
|
||||
codeOwnerConfigParser.parse(
|
||||
TEST_REVISION,
|
||||
CodeOwnerConfig.Key.create(project, "master", "/"),
|
||||
- getCodeOwnerConfig(EMAIL_1, "INVALID", "NOT_AN_EMAIL", EMAIL_2)));
|
||||
+ getCodeOwnerConfig(EMAIL_1, "INVALID!", "NOT!AN_EMAIL", EMAIL_2)));
|
||||
assertThat(exception.getFullMessage(FindOwnersBackend.CODE_OWNER_CONFIG_FILE_NAME))
|
||||
.isEqualTo(
|
||||
String.format(
|
||||
"invalid code owner config file '/OWNERS' (project = %s, branch = master):\n"
|
||||
- + " invalid line: INVALID\n"
|
||||
- + " invalid line: NOT_AN_EMAIL",
|
||||
+ + " invalid line: INVALID!\n"
|
||||
+ + " invalid line: NOT!AN_EMAIL",
|
||||
project));
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void codeOwnerConfigWithUsernames() throws Exception {
|
||||
+ assertParseAndFormat(
|
||||
+ getCodeOwnerConfig(EMAIL_1, "USERNAME", EMAIL_2),
|
||||
+ codeOwnerConfig ->
|
||||
+ assertThat(codeOwnerConfig)
|
||||
+ .hasCodeOwnerSetsThat()
|
||||
+ .onlyElement()
|
||||
+ .hasCodeOwnersEmailsThat()
|
||||
+ .containsExactly(EMAIL_1, "USERNAME", EMAIL_2),
|
||||
+ getCodeOwnerConfig(EMAIL_1, "USERNAME", EMAIL_2));
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void codeOwnerConfigWithGroups() throws Exception {
|
||||
+ assertParseAndFormat(
|
||||
+ getCodeOwnerConfig(EMAIL_1, "group:tvl-employees", EMAIL_2),
|
||||
+ codeOwnerConfig ->
|
||||
+ assertThat(codeOwnerConfig)
|
||||
+ .hasCodeOwnerSetsThat()
|
||||
+ .onlyElement()
|
||||
+ .hasCodeOwnersEmailsThat()
|
||||
+ .containsExactly(EMAIL_1, "group:tvl-employees", EMAIL_2),
|
||||
+ getCodeOwnerConfig(EMAIL_1, "group:tvl-employees", EMAIL_2));
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void codeOwnerConfigWithComment() throws Exception {
|
||||
assertParseAndFormat(
|
|
@ -1,16 +0,0 @@
|
|||
{ buildGerritBazelPlugin, fetchgit }:
|
||||
|
||||
buildGerritBazelPlugin rec {
|
||||
name = "oauth";
|
||||
depsOutputHash = "sha256-4/+E0BwkA+rYYCy7y3G9xF86DJj+CFzPZUNXC5HN5wc=";
|
||||
src = fetchgit {
|
||||
url = "https://gerrit.googlesource.com/plugins/oauth";
|
||||
rev = "b27cf3ea820eec2ddd22d217fc839261692ccdb0";
|
||||
sha256 = "1m654ibgzprrhcl0wpzqrmq8drpgx6rzlw0ha16l1fi2zv5idkk2";
|
||||
};
|
||||
overlayPluginCmd = ''
|
||||
chmod +w "$out" "$out/plugins/external_plugin_deps.bzl"
|
||||
cp -R "${src}" "$out/plugins/${name}"
|
||||
cp "${src}/external_plugin_deps.bzl" "$out/plugins/external_plugin_deps.bzl"
|
||||
'';
|
||||
}
|
20
secrets.nix
20
secrets.nix
|
@ -1,19 +1,33 @@
|
|||
let
|
||||
keys = import common/ssh-keys.nix;
|
||||
|
||||
commonKeys = keys.users.delroth;
|
||||
commonKeys = keys.users.delroth ++ keys.users.raito;
|
||||
|
||||
secrets = with keys; {
|
||||
hydra-s3-credentials = [ machines.bagel-box ];
|
||||
hydra-signing-priv = [ machines.bagel-box ];
|
||||
hydra-ssh-key-priv = [ machines.bagel-box ];
|
||||
netbox-environment = [ machines.meta01 ];
|
||||
mimir-environment = [ machines.meta01 ];
|
||||
grafana-oauth-secret = [ machines.meta01 ];
|
||||
loki-environment = [ machines.meta01 ];
|
||||
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
|
||||
|
||||
buildbot-worker-password = [ machines.buildbot ];
|
||||
buildbot-oauth-secret = [ machines.buildbot ];
|
||||
buildbot-workers = [ machines.buildbot ];
|
||||
# Private SSH key to Gerrit
|
||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
||||
buildbot-service-key = [ machines.buildbot ];
|
||||
# Signing key for Buildbot's specific cache
|
||||
buildbot-signing-key = [ machines.buildbot ];
|
||||
buildbot-remote-builder-key = [ machines.buildbot ];
|
||||
|
||||
# These are the same password, but nginx wants it in htpasswd format
|
||||
loki-htpasswd = [ machines.meta01 ];
|
||||
promtail-password = builtins.attrValues machines;
|
||||
metrics-push-htpasswd = [ machines.meta01 ];
|
||||
metrics-push-password = builtins.attrValues machines;
|
||||
|
||||
ows-deploy-key = [ machines.gerrit01 ];
|
||||
};
|
||||
in
|
||||
builtins.listToAttrs (
|
||||
|
|
20
secrets/buildbot-oauth-secret.age
Normal file
20
secrets/buildbot-oauth-secret.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 87T2Ig g15A5EWi9IhaxPFS6SD6YYm/aFnC0Dum7zK8/ZUtW0s
|
||||
791D6C8mAy2dhDAlqRQ+q41FlQTJX2WfZQPjuwetP2A
|
||||
-> ssh-ed25519 K3b7BA cJY9qIFVmucmMJLTFffkRCNYeudZl+8Yrm5SkxQ4eSI
|
||||
97nXyKffZGoGJ6252UKUEJHiFgdk8XUkAAkXy2PLepM
|
||||
-> ssh-ed25519 +qVung HMBSUjfmaFLVx64epj0djkqNMe3CdKN1fxAVuu+Dtmg
|
||||
AxT62n2p/pP9WZmmuHClSKKgXhr4FjEQpEs0HfdNGfw
|
||||
-> ssh-rsa krWCLQ
|
||||
N0Duz2bONcCUZ76QhPsCJ4BHHWqzFdZLqFdl+6GeW+tgIp2Nb4la8eNfgzYGSwTy
|
||||
53bRePNMIBTkChXFYt/4fUdqaiiVYg25swMeVLQBJnjJkcAks0Gf44FXLIaoPr1M
|
||||
56rtixpSX31WDKwHbUF/40G6Xut8KNlI8BdwiOl9ibgnuEf4mYQbwFbRQbLMK5IK
|
||||
Rf/7SEmAqqfY/HG1RqqgCs4kEpvFTKqEEDpgjOoyS2tyKN2351jya91YzotLja4I
|
||||
sLoMg/G3UNtxfdaCgK7TP4IxV9blkVMDPAbyR622VbS0sEa7uJGzb86jDDsZXaKX
|
||||
9iWK9n4hMKZDv9gBbhTIWg
|
||||
-> ssh-ed25519 /vwQcQ hMkCrUcLGxdZMYgi1D1Kr5qUdGNfza2UTvRJKiHObgM
|
||||
7Lz70zSMPk/tsU1CZGOk/BPA7NSSnSJgFbG5TjyOXvA
|
||||
-> ssh-ed25519 0R97PA OQjDTknVmrYVclcqlT31YjZx+3a/0GxfjuVQFmPJ7UQ
|
||||
KMGTMfO/mO5EAYacyz1hmHnQgzunRqkDeglhbGVNWe4
|
||||
--- ScDZvSiVSjNXm8TSoLSAM+KpcFORnCXiemYbCBcz2jQ
|
||||
™ŸÄhÜ}E¹ÊœËíUÌùᢌƒÿ…<C3BF>é™k¢ág[<5B>ñCƒ"<22>–NÛj•u5«<0C>ÄCXÕöÈGt¡TOmñ
|
BIN
secrets/buildbot-remote-builder-key.age
Normal file
BIN
secrets/buildbot-remote-builder-key.age
Normal file
Binary file not shown.
BIN
secrets/buildbot-service-key.age
Normal file
BIN
secrets/buildbot-service-key.age
Normal file
Binary file not shown.
BIN
secrets/buildbot-signing-key.age
Normal file
BIN
secrets/buildbot-signing-key.age
Normal file
Binary file not shown.
20
secrets/buildbot-worker-password.age
Normal file
20
secrets/buildbot-worker-password.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 87T2Ig df+IMqWM/HNjaY74zibFQIdUdC3K7uQlm3U9R9NUtFY
|
||||
hPSbCuWvqy/7FEj7YScYztyt5GVx4Y7tgGuKKkSKoRg
|
||||
-> ssh-ed25519 K3b7BA xN8wzUKHqjOb/tqA+EI+0H0MSQRihRfydchwVqYWAVU
|
||||
maLMpZe8orvTT6Av+YkhT8FcG4dc7bzDgOW339nSw1g
|
||||
-> ssh-ed25519 +qVung oM1uphTbjI54t4U9jNd1zORqpjBG17MwDf2eNDmOlkg
|
||||
oUHVuQt2SHIwtV82pgnKJ7g2jcVBAHWOzPK46otoh34
|
||||
-> ssh-rsa krWCLQ
|
||||
eYspf5hUKdFQl1RxPaNTj0viAPd+kzp8Xbwn+q6fSITMacmyTY5J8FckLx2YXDxy
|
||||
Qm/OsEK0ZOvxnHMrL0oAJjKSy/MamE+9heT3QO+LUN30QxbOIOqHMrl3waadWZdx
|
||||
ZGOWK+r+dKGYNsxFv+t1Y/4DBKKzlXFWhJ0aL7nMOqq9+Ca+UZuE41j7eWGGPPLy
|
||||
fuW/iOVVxQ+EEeCDpatQSrFPKaeWCCVP9oIDFtE4dsKxubMa4EpUoag0UvEIW182
|
||||
UGS8BvMqYgx+obqJDkhXXBK9apmJS2ojcfdtCbNOCV9Ett72Nm/iY5NjLprFMLde
|
||||
8wWGA6s3hBOP39lq0eiSxw
|
||||
-> ssh-ed25519 /vwQcQ 3zLcLDaDVhIn2knezexYM5Fqu/O9wwORnJIhsXHqgj0
|
||||
HchGikQMgkDj0qQgtDdsdKokV+nMjdv6t0uVISeU7Q8
|
||||
-> ssh-ed25519 0R97PA 6lm6B6B3dzSdhdcf5rjyTu+7cCtWRxVpWeapJX3nbQo
|
||||
x/w4dEfFyxPi4lbNEqgjEblPVfQyj+q1JjeQHiVFhDw
|
||||
--- oo5BK1pG+43amUg803Uv511RNtdQ/PDwlXUrV/AbOAA
|
||||
…ÙUqÆçïµ[f7ƒêŒë¼¨FìˆY<13>™Ùm¶ØLS?Úℶ‡÷ƒöæ<Kø©F¤z¥V^³U¨N»¯ôƒ)zÔ<7A>¥ž@<40>SÀF€Y‡ËG2^žƒ˜à„»N|
|
BIN
secrets/buildbot-workers.age
Normal file
BIN
secrets/buildbot-workers.age
Normal file
Binary file not shown.
22
secrets/gerrit-prometheus-bearer-token.age
Normal file
22
secrets/gerrit-prometheus-bearer-token.age
Normal file
|
@ -0,0 +1,22 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 2D+APA jiLDQ8JlYhaivXQQhjEfZrGWn7o6Wd2OMrLorEVSPns
|
||||
qRzHYcBhtGSm4RW7C4oW+VWSzHiDXkCN6bGeej2Gcpo
|
||||
-> ssh-ed25519 j2r2qQ OcnIHB/vJoKuvhsT9dx1B+5lXguARtB9wSquW2KBB3M
|
||||
pgzC2KOFi3Yj1gCPemVK3a9Grv2SkwZ6AI1EFdh4hoc
|
||||
-> ssh-ed25519 K3b7BA ibHY8wN3rNit1mO2dJZ44rwLylMaR39a7Oz3CGV561o
|
||||
4ElWORF/4lVEz33CJiuFG4rwUSIIOyi2L/W7Td7MX5M
|
||||
-> ssh-ed25519 +qVung q4DDHS3M24kke2NCcpHEaUbUgoQB6QwnmDiwmdIOuBw
|
||||
Yfa6v23oezdDICE8I0UaVCShKlx9lN3DnBnSb63LU64
|
||||
-> ssh-rsa krWCLQ
|
||||
gLBHP4Z8EBW1y7Yf9sfWMU+/fJ4WWp+NGRR7ebO5GwUeYobDYm/eYQ7rD3Q9k0rF
|
||||
kU51GYBaO7m5gLqc2Tq4+YjE2/EXDvjqkDSoyNrjQaaGTLqzvPYlCvKWyROjqJjX
|
||||
UwzPbQx5XVIKNgpsR9e6/hoJiJbDpavM+HQo+1zwoKAg5FvZZkE5UnIiSjuAxMgR
|
||||
+tmrhBfHEYkpbCCrXVE0jLCup8gPIci1PyXWkdhJy+HyHVkbYowGwNawNobNr1cF
|
||||
dJ5IU8P/DSSqZ1qWSl6ju7JKjzXU2Xq87/g7wJyrKGpe37pJmPIT86nCJTut+AK9
|
||||
iFED/y/p5NCtohyhztosgA
|
||||
-> ssh-ed25519 /vwQcQ rzEjV56G+USMdpWklrGQSHuzG8d+S0zWhhwrmuyTyiA
|
||||
y+uMRG8NdAD0H4ipRN+sJPn1P0CGs4bk+U4qtetP3O0
|
||||
-> ssh-ed25519 0R97PA ULWdDUjDg9oTEOqzCKUJl8yN+qwwmlSi1PFwRvr7aWM
|
||||
YWaE+STxKfQzxYMtP/cA20q0atXLdsjeA5nJyl2f8iI
|
||||
--- Avs8hTgLwcBy8hyYWjR/Jbs5YaKozv2oBmGs51ckquA
|
||||
Wœ·Ü<C2B7>dŸ›ÝàÕò`@½Óµ3ž ‚¼½5è½b›Y%³A†Z=KiÐÑ76,¢w,1žŒèáÎôkØåRšAÄ‚FuÎÎ
|
|
@ -1,7 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ Xl0fSOuF0xNTJrtVGdRLRIszd15LFrG5KCFNvSBK4Go
|
||||
qSEMBBw90jz4j8elpoUeyS4CTLBhZtNDhLNigesJq+0
|
||||
-> ssh-ed25519 K3b7BA cKI0twKiuuTKv1Js4jqt5v8cOqpxEMY9dmVghgJtbzw
|
||||
K5o31XP/nLsswsrMaxnIzCXVUtJqmJWoFglWFsV7+AQ
|
||||
--- X8pvqCHeCQ0LjzcjIHThkqp6YeOOT8dBMLuktgdgeY4
|
||||
sZÓ¸ŠíØ[þ²X<C2B2>“¡èÅ®Š5°=÷6)ÇT¿Q†‘N{•x³I1ƒ!Ó–ÜøB
ƒzš*×íåL~K
|
||||
-> ssh-ed25519 j2r2qQ JSveX4zYEjb4jJH4eg4oXA6r3oc0jBx8NgjhN9JrjlQ
|
||||
1ZIr/XFClbwJHn0ppJnolpb4QlgZOA8JX5OjjY4x6pU
|
||||
-> ssh-ed25519 K3b7BA sXUjuZFK0PL/KndxRCJCM5Kg8OmVseRZNWG8mL1alRc
|
||||
U9MMgDtqtmsS1W5i04Pa/b4JBTSjK6FffZxgYI3phtg
|
||||
-> ssh-ed25519 +qVung FNSElbiw0frYcsO0xoyPQgRGqAe/aVX21dTB6yk+GQg
|
||||
zHT/xU+yfXYSBO2HLwoHrGf5ns6BDVb8MlhVVQCBlOc
|
||||
-> ssh-rsa krWCLQ
|
||||
ye0mLiYeyvlp4EZX7mZ3F7B9V9JSeoiCodzccS+5qIEd6gr+RTHSnKYqwf/nwf8F
|
||||
qKLwbxWjpmkIzBWeswy8AJ8159aucGEmB+3/tTSwd+QlRkru4Z/7jtfU64KQttgt
|
||||
vaRfc9J/85AJJ2V6Sw/xG8SgxyLBbp/XIN2+tmb0g3kAWiuLcrLk3H/MsfmxDVXg
|
||||
RQjugP5K2+fEZc77dHQTrMI58K9TrSw1zYA1ee8J/fl9IJ7J77qi5UgizY+YfX8T
|
||||
SmR9DeYUe+hKgCB2k/KgAxp4WOQNgUOFBTsE5FW+kQQpfGx5aqR6vCYU+CPsA3Zb
|
||||
FwV0l+g4FUVy+xAtqaGSAQ
|
||||
-> ssh-ed25519 /vwQcQ fbnK1jYiUwUsgD8sSTboJCBfcuwJXKNCaJaWYuIfmVk
|
||||
Uj2+uBABMTxq1MBsiHXgkdFMOpIN7gfxoJVKOQff1Pw
|
||||
-> ssh-ed25519 0R97PA yYOb6AYAFWvm7W2KYT5v9zznkF4Di/vatH48Xgx0x2E
|
||||
yUm+MKj9496BkdX2FpLyhML7budUyqT1hL9hpghxSnI
|
||||
--- ogCPBrmdbeDorj3t5BL05ge6VngXBpUEDW4qaaKIa0U
|
||||
%¨šÚlD]Ϫ?©ßŠÑ(ÿ†E/Wu穉T¶îç[}ž$ÁÍS„Šˆ^[:¸]he0XUœp¸äq<C3A4>`0A
|
Binary file not shown.
20
secrets/hydra-signing-priv.age
Normal file
20
secrets/hydra-signing-priv.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 +HUDfA NMyTM3c++HKU2klLjAbUUFS81k21LUwEoqR1OUBuLjU
|
||||
OrKxpksxoay93URtmN9HhnK43QrM/Gs0qRuENZvHWJI
|
||||
-> ssh-ed25519 K3b7BA LloEGN8cbVvGraHs5cPIZRJJyTPFrmmeGwZyqov9m2U
|
||||
XPvNpQT3aFVoidOhmePGgiTyytIWtd4rs59Qq9xl/I4
|
||||
-> ssh-ed25519 +qVung 3hat0gKIl1WjXnkP6p+/8RyTxZkaVnLgV9B8plICPlY
|
||||
jmRKWCUCDpDExmq4SEq8WpqQheBSRD4uqrTgxy2u6PM
|
||||
-> ssh-rsa krWCLQ
|
||||
QPOl96dmoxY5YtMmL68+6MQpGwZc68ajaRkcEKmYYu4/XB+mffRKsNtyiKJQwEi7
|
||||
szvAced8C4RMNrCf3xyF77Sm1UV8YCyaHyplb2/yjv5YDvCDwTp2GnadDoAaLrXU
|
||||
jf6ocI8409XWQHEEEofHZRjmfmIBUx1lTwbGFMt48V7MZdadFjXmSmUMvxsu/Rj5
|
||||
NLjoPNRBzqPIw6U7nTSmkG2HOeHlA9Z5a33MsXYs8NPH22Spjjy+VvxrLv8VAjnf
|
||||
7kGjviW4ZcdEQ7Aox+9V+6qArrIy7lJ9lOIZA2LueCtKhQAmKnInFxRyyN0Nk4ls
|
||||
tjlBFJQEG2v14iaHENwRAg
|
||||
-> ssh-ed25519 /vwQcQ o7qseMFb4ViV7ylSl2ug7xFZn7GZGqCapWRCq2vyVVs
|
||||
hKqzk9BcK5l0VhLfPONKKv6SRnDCw2n+RoaeQbOnT8Y
|
||||
-> ssh-ed25519 0R97PA DTEowwoCXTMGxfQIXOnwn5fjlih0UmQJCKs2II4gCVY
|
||||
8BpVhUV8qg3zcCJe7OwHoJrfYIpBtOquqhFyfZx7mRQ
|
||||
--- r2NmEyV0/Goas5lXMHeFoafcrbMHvs4ob0Zg4cVil3w
|
||||
=‚TÏ`Ô}%xÖ¸œêFtÆêlãµ)•ò1Ð]Œ<DvwFøè:Qf@nÇÀU=~FžË-Ò!©ò÷þÌ«i6wXtü'k®ç`)A›äûÌtI1Tî£U+Ú~×’aÒÉПONƒÄèLþI£p@œT)¤'_ÞoDö0»,JfGVók’/
|
Binary file not shown.
|
@ -1,9 +1,21 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ w0lLquFUUcmEZ/Fh1YSt85tAJkBwavORQbwMr7gMqF4
|
||||
J4T+EHm1uHbCZkAUNoNcB9uGSz082mFL8+dkCnvYQnM
|
||||
-> ssh-ed25519 K3b7BA 28bJZgBPPc2KIE5+b8LJuQ5L4YAiRAJzucEuOqXHdVM
|
||||
7hKENFr8QX0jpwuuQEjGFrUywJuhL1Tdi2V4/gR8JWE
|
||||
--- GSPZxz39TMMWv0qhotNgnXa5679Q7VK8JGjQjI7A8oM
|
||||
J˛\@F“N• łĺ…2‹®ô¨w×!Ż1Vf»§<C2BB>Ž·’ŢO˛CÓw®®V°ŁšĚş.^݆ 7Ťw‡n4äŕdW-Öľ"@0¨úąEĎż·°ck,]M}xŤřĚťˇŰy°[×ÁJ:!č‘ !ř螀c¬
|
||||
BëąR
|
||||
nřę€ţŔáĆ^9í¤–M<ú
|
||||
-> ssh-ed25519 j2r2qQ 6qyr94uky6B36UOY0jd5NXgF2rJ3RWBUzZ32c5iOTmY
|
||||
fjlI3fjYjwyNQBs4K4pq/5c7oBkf5XUXoGlBOBpmPu4
|
||||
-> ssh-ed25519 K3b7BA N9VYT/ZslG07KldzO8sPE5TiYYwxJqpYU87ED4PuBXw
|
||||
P1s9L57prPqM4fjcYHv+g0rgP/NvFr13CgCxthVHZ4c
|
||||
-> ssh-ed25519 +qVung Ry8uUFsmYmP+Urw46lhAsCc3S+QiWu1mn8J3rIy+KFQ
|
||||
iB7xAfdpHwOzAnLvosJb+F50QKsOYWr7CHC3srsS6ME
|
||||
-> ssh-rsa krWCLQ
|
||||
w0xIVFtUghdAO7SxZD10rBMtdQESEvYUEKxnWzLh0cjcRhaVT/BXSZQsKV2Rupoo
|
||||
nDL5uy0k+tPXm0HroZ6VkZ0fH/lOpeUR69ZvJmClKql3Fnf1385+5BvT719cbbaq
|
||||
yll49gx0+ms/oB9jS3SPwbOg+UJgnkZCeu9138h3MG7yWNtVuA9l5hsJioVvOVlS
|
||||
Z5EXbjdQR9xYjSwR+b8MYZ97ej5fXpuULEopbx2wXt84u1e67vTETqflitR7lrzy
|
||||
A6F65g35aagPJZGHzfrKVToy3pfXm9ky/30DolWLD0DpG7G6o/8afy8O4yBAGlv3
|
||||
ZLTaUbrdILSz2ff1Njx4Nw
|
||||
-> ssh-ed25519 /vwQcQ YqqmX/f4whOk97kCgSPo6oj/274eYlBWtS+OahAAQ34
|
||||
hoCbhupzSTx+wNIorzYGHyGvU/L8unKEyD7Bqq23YP0
|
||||
-> ssh-ed25519 0R97PA 17SDtfT9GzAsIsQB24AmYXpW8v4+LEakup+tdFroHTk
|
||||
HIvBhAGA2GMVWFBP3OTFEn+XpPFBJDOJDK3SQ94mNKM
|
||||
--- CD1QrxYGAhhy+l7U5kOXn1shCwz8pYJNuGRugPxmzJw
|
||||
ñY¾Æ‹N Ï<>x
™êÿrR^z[¤ã¸è…•ªa”z
|
||||
óæÔÉ¿Ïžu0c¯c;y<>Ÿ¢›&{ñèxA]‚þ†¨Q¨¼_:̱ í€öUoiDl (‹ÅëwÝKi,j.oFyÌ°$}•Y§@1”È™„Y£²è¶u Ò*¡ÏþÅ<C3BE>¥™0…
|
|
@ -1,7 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ nLWy3WcVJWCl3rXkhcSbp1joqmkk06QnxhCZ4UtSvmw
|
||||
iQ+Hx/vhiFgkWfbxHwGjxMBEqzyGww4/9do3W7V/y1Y
|
||||
-> ssh-ed25519 K3b7BA RkF2ADcjOGtivl9MrhO/HFwxlTAkbFHWL3iinUldMiM
|
||||
7q/zdVTMLevukZjkHtcN88iYzfTLvq2s3QdkgsFSO9M
|
||||
--- 1b2HiK06vJPqBgHVDD0QELOtfkl7/rlgGS9uI1mSbus
|
||||
„uܧoL;õå¬"
4¦Û»Z¼˜@§öãƒÐ’3+93Q4óÄ o•ŒØwé“„6<>M-²DkJn´;ñ*g
<0A>OÛYœ75ËSò)Ù°©
|
21
secrets/metrics-push-htpasswd.age
Normal file
21
secrets/metrics-push-htpasswd.age
Normal file
|
@ -0,0 +1,21 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 j2r2qQ sIYTVOTWNToDSNa4qiIaSoac7zka54g/opQ70q1SAA8
|
||||
2Z1mlCWxjakHqRbArU2BkT7B/Dx0XKH7kCnBa+OYI+s
|
||||
-> ssh-ed25519 K3b7BA PGyd27M/Hmk6qpRf8bcI4QWrS0vrPgjiZzaXvKQkJDQ
|
||||
ixrciiNR/th0FM9MxVx/omHdI61EmAhTA465SjxECF8
|
||||
-> ssh-ed25519 +qVung Q7k74fDLKwCdzobz0b6ByS2LrhMOIC58Ofto0gpBLFE
|
||||
p4CIje+sO/nOaO1lzAY9n2HYLUKxEvKDbxeR6dOyM00
|
||||
-> ssh-rsa krWCLQ
|
||||
ezrZTitn0/BRD0K7e2K53qz9AZCa0aHlzFSuyzqyVJLdAZUxBUnfBwmGuJgKTa4Q
|
||||
fWsXBs+L65hkcL6/VKS7oSGGyoEHmoPFKbb08B6FKLHt9V1td5xbHIoTYbvSavUA
|
||||
g3wpTUa4eG3ivcu96VjyyBKTAc7LN7h7dSMbvvP5tpWT5vL+WstCdFf7zzUL9HBS
|
||||
yI8dzEbCQIgAAaHj90MREgIIgIB27Dn1PvkEBGYky5ybBRa3DXVyqnX0dDtsXWpK
|
||||
ipRPDV7HC1+x2TlqQjD5ED737r/AP573IXbnRLSEWnGDjtd/JWQmfOO3JACoRjU6
|
||||
qfb5SSDT9QriuWSow7CDhQ
|
||||
-> ssh-ed25519 /vwQcQ duuo3BGe4Q1MHMljgzmtpzvtiOvAHqKu2HS9SBxLuhE
|
||||
GCwccbE5lX5uPIri/7Vn6hzpfL7ouJBFU14bKjl6yTM
|
||||
-> ssh-ed25519 0R97PA WIFf8tbMlmNrNFF5tRcL+mOJ40SvIdppAtItWtxzCk8
|
||||
miU7Z4poEVMZCeAEef1VS0jouCDxGro2xLEE3hnRJEQ
|
||||
--- Iaff5rxl9r1qEnlpkOpGyBGtAvGMLyBlJQ45iInuAnw
|
||||
cýI±C«¤2ˆ7µ ½³Ú“nZMþ`œ{7È`¨½V@ñyzÀÅžª€)ÛY‰DÄßÇX—o“óä ~<PÙ›òš5Tpúx
|
||||
ÓRÏÜö
|
57
secrets/metrics-push-password.age
Normal file
57
secrets/metrics-push-password.age
Normal file
|
@ -0,0 +1,57 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 +HUDfA SrjyocQ2U/mcmsVX3bhTDPiNfnRepZ+J//d4JkVrQ0w
|
||||
MELfJrKcLlC3rWKHdMZKZyXB0ztzmZUjWUcT8ibP8vE
|
||||
-> ssh-ed25519 87T2Ig IN9MMxRNzgKHBmGwidVWIvq2xpNVkbioWjG0lf+B5zM
|
||||
sXIXfrTak7E8isigDDnrzvjJli5ma5f9fOJnWCdDRpU
|
||||
-> ssh-ed25519 wIR2ZA 4DD/V3Xq1B2t8Zb11MnvtSZ3Oq5Glvka93g313dVSyU
|
||||
TrQiCJGOtitCCfNy0PdaRaPnk2mYCEPKtnOtdAzGolg
|
||||
-> ssh-ed25519 oGiV/Q W67zxBlGYg3PhUbwBiGE2vVoIl455R+4g3EClZKwulI
|
||||
2sldkyyBUGxhXRCoa/vW5LrxbI0TqerOeOqrTtzY3Mo
|
||||
-> ssh-ed25519 gO3aog YVF4hdjNYxOPE8v95BENIb6khsu0+tztaPNNCsXoWDE
|
||||
LLX/uofYt5/HQ7q5L35UK2t05rOlhCDnC4SIJx0bNtM
|
||||
-> ssh-ed25519 r/iJSw RMwg0xLCOVA+wc08f67kkUVIgy6W3Ypd3jRkRHFA+l4
|
||||
KR5RElZHGzzLU9hjr3Qg3NwudDxMtHqcf2t6xjDMz+U
|
||||
-> ssh-ed25519 N/+Clw BBYMWbIT8dXcD7SU+LrIuFeM+2RodGF2rW1ubx/W9mU
|
||||
yANEUWhFtNkx3VArOTTW+rREcxwzkN47CD2kK6JsMns
|
||||
-> ssh-ed25519 CtkSZw wy5ZfWI6tqN3OZDqRZvb6lhj8Pt+GrP3YryqhjH0ugo
|
||||
OtY/WsGkJJghGGAh4cfZOxkg/WcYJ4w2gu4Hu9VHntc
|
||||
-> ssh-ed25519 keg2lg lzE0HqDHBwDyuc5m5T9YSxxTgEk4mOQWY3l7a1+QKD0
|
||||
cn07YAocsIrSeWo1ZGyFzq3un8kdpEuS6zYpKs7G/iI
|
||||
-> ssh-ed25519 H885DA eZJW1T2VPMhDs/ygauDFdd1Md3D830ysel1yUZkZoSI
|
||||
wpq1+ndzQWUUN2yYMKnEZrOcgCuqKIrDjaeX+XpkQgk
|
||||
-> ssh-ed25519 Rq7K4Q CQ+Y2k5F8Q79GF5PQh8qDmxWgrKcqJHjAodVBqKqQkc
|
||||
SkcUl6dFoBQmPOOjTEopgcn5vzLH2oHICymAAS7nsAQ
|
||||
-> ssh-ed25519 vvyRpw nW2eCEqQ6uCT9RgIJyCSpP4JHwQtKDSiBBp1wdVFtTE
|
||||
DQcHIBTNqvFVYV1fXbGhu0pCwa++knjLpCVFC3npaS0
|
||||
-> ssh-ed25519 aSEktQ 7SEG8F8UyH0gR9uT+mFfBIXsAIUFnNd2bZgyJ8C/gVQ
|
||||
JTlr5eIhpepOoCxi54nrG7Wjxq9CXZYkb33kd2urdak
|
||||
-> ssh-ed25519 cD6JxA QKVkY0MS3LeJf+YfwJT2yysuseg8tSAEGHOBgHFsVkc
|
||||
IpAAWCWxHNg1MOBjG+JNXcTE/xNrDW8+5Cz/hNWVYvU
|
||||
-> ssh-ed25519 1qYEfw pA2G6CxFosIcXsBnTUfN1wsPs3Ue5aMzo7wameAacXM
|
||||
av7xGnRkh57JtgF37QtaF//eYS/pHqznHY4DJewRp5s
|
||||
-> ssh-ed25519 2D+APA SOSVjgiiugDWg9HeFIlaLa+mo3q8AHhntl1tHEB6QUQ
|
||||
QINZr847DASGM32Si6t1mHH6fCkKnq/sa1+3IXhaSlE
|
||||
-> ssh-ed25519 eTSU6g NuV8gm/Ijo6BpZptiYua2bnYNoxuHcOtce9zGNyi0yo
|
||||
E4zAIpZN5eTWJanPEwS7B6RfnnMRLDaOj+5l5L4GdCk
|
||||
-> ssh-ed25519 j2r2qQ PpKKKAJikQKWAaYvDhIoiPeTkWtE1chw8lCpZ4O+LHs
|
||||
4kR0ZNRMt0fljaOu3UgqVrUFnc6v916IyKdYkvz/zfA
|
||||
-> ssh-ed25519 C/bBAQ m7XsRBwlHgWXifCif/8H9TcSqs0so5hha2T4tCq6qn4
|
||||
QltQrR6Y3Im4xo8DtpzN5kMsHNfkpG0FE6Y2GnkrH5Y
|
||||
-> ssh-ed25519 K3b7BA x91SNkgN6NSlw2FZnliA+c6zoTYyeuZh2iT+Rl+qtT4
|
||||
nKU6GcX4WLTRncStiW6BS7iK7zlCVhn55FPjRNniqSc
|
||||
-> ssh-ed25519 +qVung opSEU5VaLZcm4GhcKlNtG/Ut0jU6oTYQuqvnDkuSGT4
|
||||
ny6Wfsi/PIj5A9q/fwL3vwnkft/yH6fqlPIXo0cklfY
|
||||
-> ssh-rsa krWCLQ
|
||||
p5Y5fVwyG2s7m9ClsgbcVz/fSF2lJvbXxuN8O4b6sp+QiABmSGs0R3pZuf1v9xBr
|
||||
Jc0JWhl4vvvb9F9WUbJR50hIpdWo6iX4vrz3TnSvPFmnpUpRfe+a29ZJhp0vCA4a
|
||||
HVaOJGlnGZ5BdSkvPslGVCPu684OmO/veL5G1H7xmN6yg2b3n7SaGF7A4+rpVqgI
|
||||
6GZiFpnM6LpyKyoTyXRL0ghzjhwggQCCnBaN7GIUhvPacPdilAJWmnagQzx8aZpT
|
||||
LRe1WAeKH2Lbar4UNeot3MzWkZxUXyyWszTMe1ca94N3jY7MG8adzX3guMykP5qA
|
||||
eya7UOphIwkQKlVB3N5bfQ
|
||||
-> ssh-ed25519 /vwQcQ xQFghc3LzwG82u+h80e3NdfbCh85OKdai32pwvS3uzs
|
||||
MdUPg9BHvPX85jWnV7evkNekPrzoJuT8FP0l/mhfZDk
|
||||
-> ssh-ed25519 0R97PA 8cDQRKrujysaUiD5OxdrpmWn7ZZCJ9SNbLYtWuTSmXg
|
||||
HFa/6WbK4aMK3cKEMEycyiclTu8jOcCMcr1R7Ebh73c
|
||||
--- wZAdkwtibHAVLCqtfmZ54ZtPwDPogkRwfKREBR2xOeY
|
||||
[‹‰Ã×÷ÂûȹÂÃökR‘î\Äub<75>çГRö
|
||||
‚†qþà«‘ÎHÈbe{Y
gÿ<67>mÀ¿¥Ûs®Æ¬„[-p¸
|
Binary file not shown.
Binary file not shown.
BIN
secrets/ows-deploy-key.age
Normal file
BIN
secrets/ows-deploy-key.age
Normal file
Binary file not shown.
|
@ -1,12 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 +HUDfA ZUM0ACC/NIekvX1PkCiXTHaTeE3ybudmY3piHw2iekQ
|
||||
cHj94FIR6gNJ3Hw9FI7K15OYgxbjkajGtCftD+2Mr8c
|
||||
-> ssh-ed25519 2D+APA tzlyOnAXnLxXO/47n45sFPiJF3FXd98UU5ajPhD2wSs
|
||||
P8ZdUiBeME17SU2BpMgOq4plyAqgzLOQWHa1+Q7cjYo
|
||||
-> ssh-ed25519 j2r2qQ 3OikD9JOmug7kdPAPz+JT/ryB6xBQhu2+cwS9h5sKGI
|
||||
XiIuxOyey2I6hmqabUCPzLc85q/1r9OwVGjHWYNQsp0
|
||||
-> ssh-ed25519 K3b7BA Bdqcqt4GgLzuSiEnIyImDiOQGwyIhhozRXMmNrp7glI
|
||||
65joZcnl0Hqe90Th2EdVgbcxUJFpy3fOgk6oPiSHh2A
|
||||
--- 6x6BFNypc+u3DpsHX3SajwEy1TqsAtbFei0ddRpEoBg
|
||||
|
||||
äªUG¾xj4»®Îþ‡b=óžóñ¼Rd<52>3sHYÝÔ<>*Qµ9Ã6‚n‹34&äw›»~h!§
^„[êš
|
29
services/baremetal-builder/assignments.nix
Normal file
29
services/baremetal-builder/assignments.nix
Normal file
|
@ -0,0 +1,29 @@
|
|||
# This file contains information on which builder(s) are providing how many
|
||||
# job slots and providing which nix features
|
||||
let
|
||||
genBuilders = { offset ? 0, count, f }: builtins.genList (x: rec { name = "builder-${toString (offset + x)}"; value = f name; }) count;
|
||||
in builtins.listToAttrs (
|
||||
# The first 8 builders are general purpose hydra builders
|
||||
genBuilders { count = 8; f = name: {
|
||||
cores = 8;
|
||||
max-jobs = 8;
|
||||
supported-features = [ "kvm" "nixos-test" ];
|
||||
required-features = [ ];
|
||||
}; }
|
||||
++
|
||||
# The last 2 builders are exclusively for big-parallel
|
||||
genBuilders { offset = 8; count = 2; f = name: {
|
||||
cores = 20;
|
||||
max-jobs = 1;
|
||||
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
|
||||
required-features = [ "big-parallel" ];
|
||||
}; }
|
||||
++
|
||||
# These are not currently used for hydra
|
||||
genBuilders { offset = 10; count = 2; f = name: {
|
||||
cores = 8;
|
||||
max-jobs = 8;
|
||||
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
|
||||
required-features = [ ];
|
||||
}; }
|
||||
)
|
199
services/baremetal-builder/default.nix
Normal file
199
services/baremetal-builder/default.nix
Normal file
|
@ -0,0 +1,199 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.bagel.baremetal.builders;
|
||||
in
|
||||
{
|
||||
imports = [ ./netboot.nix ];
|
||||
|
||||
options = {
|
||||
|
||||
bagel.baremetal.builders = {
|
||||
enable = lib.mkEnableOption "baremetal bagel oven";
|
||||
netboot = lib.mkEnableOption "netboot";
|
||||
num = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
|
||||
users.users.builder = {
|
||||
isSystemUser = true;
|
||||
group = "nogroup";
|
||||
home = "/var/empty";
|
||||
shell = "/bin/sh";
|
||||
openssh.authorizedKeys.keys = [
|
||||
# Do not hardcode Hydra's public key, selectively
|
||||
# add the keys of the coordinators that require us.
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
|
||||
];
|
||||
};
|
||||
|
||||
users.users.buildbot = {
|
||||
isSystemUser = true;
|
||||
group = "nogroup";
|
||||
home = "/var/empty";
|
||||
shell = "/bin/sh";
|
||||
openssh.authorizedKeys.keys = [
|
||||
# Do not hardcode Buildbot's public key, selectively
|
||||
# add the keys of the coordinators that require us.
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
|
||||
];
|
||||
};
|
||||
nix.settings = {
|
||||
inherit ((import ./assignments.nix).${config.networking.hostName}) max-jobs cores;
|
||||
};
|
||||
|
||||
services.openssh.extraConfig = ''
|
||||
Match User buildbot
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
PermitTTY no
|
||||
PermitTunnel no
|
||||
X11Forwarding no
|
||||
ForceCommand ${config.nix.package.out}/bin/nix-daemon --store /mnt --stdio
|
||||
Match All
|
||||
'';
|
||||
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = true;
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
boot.initrd.services.lvm.enable = true;
|
||||
|
||||
boot.kernel.sysctl."fs.xfs.xfssyncd_centisecs" = "12000";
|
||||
fileSystems = lib.mkMerge [
|
||||
(lib.mkIf (!cfg.netboot) {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-label/root";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-label/BOOT";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
})
|
||||
{
|
||||
"/mnt" = {
|
||||
device = "/dev/disk/by-label/hydra";
|
||||
fsType = "xfs";
|
||||
options = ["logbsize=256k"];
|
||||
};
|
||||
|
||||
# We want the tmp filesystem on the same filesystem as the hydra store, so that builds can use reflinks
|
||||
"/tmp" = {
|
||||
device = "/mnt/tmp";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
swapDevices = lib.optionals (!cfg.netboot) [
|
||||
{
|
||||
device = "/swapfile";
|
||||
size = 50 * 1024; # 50GiB
|
||||
}
|
||||
];
|
||||
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 25;
|
||||
};
|
||||
|
||||
boot.kernelParams = [
|
||||
"console=tty1"
|
||||
"console=ttyS0,115200"
|
||||
];
|
||||
|
||||
networking.useNetworkd = true;
|
||||
networking.hostName = "builder-${toString cfg.num}";
|
||||
networking.domain = "wob01.infra.forkos.org";
|
||||
|
||||
systemd.network = {
|
||||
netdevs = {
|
||||
"40-uplink" = {
|
||||
netdevConfig = {
|
||||
Kind = "bond";
|
||||
Name = "uplink";
|
||||
};
|
||||
bondConfig = {
|
||||
Mode = "802.3ad";
|
||||
TransmitHashPolicy = "layer3+4";
|
||||
};
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
"40-eno1" = {
|
||||
name = "eno1";
|
||||
bond = [ "uplink" ];
|
||||
};
|
||||
"40-eno2" = {
|
||||
name = "eno2";
|
||||
bond = [ "uplink" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.interfaces.uplink.ipv6.addresses = [
|
||||
{ address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
|
||||
];
|
||||
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
|
||||
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
|
||||
deployment.tags = [ "builders" ];
|
||||
|
||||
# Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
. {
|
||||
bind lo
|
||||
forward . 2001:4860:4860::6464
|
||||
template ANY A { rcode NOERROR }
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
networking.resolvconf.useLocalResolver = true;
|
||||
|
||||
# Hydra blasts ssh connections and does not multiplex. Loosen some of the
|
||||
# rate limiting.
|
||||
services.openssh.settings = {
|
||||
MaxStartups = "500:30:1000";
|
||||
};
|
||||
|
||||
systemd.services.hydra-gc = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
description = "Nix Garbage Collector";
|
||||
script = ''
|
||||
while : ; do
|
||||
percent_filled=$(($(stat -f --format="100-(100*%a/%b)" /mnt)))
|
||||
if [ "$percent_filled" -gt "54" ]; then
|
||||
${config.nix.package.out}/bin/nix-store --gc --max-freed 50G --store /mnt
|
||||
else
|
||||
break
|
||||
fi
|
||||
done
|
||||
'';
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.User = "builder";
|
||||
};
|
||||
systemd.timers.hydra-gc = {
|
||||
timerConfig.OnUnitInactiveSec = "10min";
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
systemd.timers.hydra-gc.timerConfig.Persistent = true;
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
|
||||
environment.systemPackages = [ pkgs.ipmitool ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
};
|
||||
}
|
169
services/baremetal-builder/netboot.nix
Normal file
169
services/baremetal-builder/netboot.nix
Normal file
|
@ -0,0 +1,169 @@
|
|||
{ modulesPath, pkgs, lib, config, extendModules, ... }@node:
|
||||
let
|
||||
cfg = config.bagel.baremetal.builders;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (cfg.enable && cfg.netboot) {
|
||||
systemd.services.sshd.after = [ "provision-ssh-hostkey.service" ];
|
||||
systemd.services.provision-ssh-hostkey = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
mkdir -p /etc/ssh
|
||||
umask 0077
|
||||
until ${pkgs.iputils}/bin/ping -c 1 vpn-gw.wob01.infra.forkos.org; do sleep 1; done
|
||||
${pkgs.curl}/bin/curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key
|
||||
# Run the activation script again to trigger agenix decryption
|
||||
/run/current-system/activate
|
||||
'';
|
||||
};
|
||||
|
||||
system.build = {
|
||||
|
||||
# Build a kernel and initramfs which will download the IPXE script from hydra using
|
||||
# u-root pxeboot tool and kexec into the final netbooted system.
|
||||
notipxe = import (modulesPath + "/..") {
|
||||
system = "x86_64-linux";
|
||||
configuration =
|
||||
{ pkgs, config, ... }:
|
||||
|
||||
{
|
||||
system.stateVersion = "24.11";
|
||||
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "igb" "bonding" ];
|
||||
boot.kernelParams = [ "console=ttyS0,115200" "panic=1" "boot.panic_on_fail" ];
|
||||
#boot.initrd.systemd.emergencyAccess = true;
|
||||
networking.hostName = "${node.config.networking.hostName}-boot";
|
||||
nixpkgs.overlays = import ../../overlays;
|
||||
boot.loader.grub.enable = false;
|
||||
fileSystems."/".device = "bogus"; # this config will never be booted
|
||||
boot.initrd.systemd.enable = true;
|
||||
boot.initrd.systemd.network = {
|
||||
enable = true;
|
||||
networks = node.config.systemd.network.networks;
|
||||
netdevs = node.config.systemd.network.netdevs;
|
||||
};
|
||||
boot.initrd.systemd.storePaths = [
|
||||
"${pkgs.u-root}/bin/pxeboot"
|
||||
"${pkgs.iputils}/bin/ping"
|
||||
];
|
||||
boot.initrd.systemd.services.kexec = {
|
||||
serviceConfig.Restart = "on-failure";
|
||||
serviceConfig.Type = "oneshot";
|
||||
wantedBy = [ "initrd-root-fs.target" ];
|
||||
before = [ "sysroot.mount" ];
|
||||
script = ''
|
||||
ln -sf /dev/console /dev/tty
|
||||
until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done
|
||||
${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe
|
||||
'';
|
||||
};
|
||||
boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
boot.initrd.services.resolved.enable = false;
|
||||
boot.initrd.systemd.contents."/etc/resolv.conf".text = ''
|
||||
nameserver 2001:4860:4860::6464
|
||||
'';
|
||||
boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = ''
|
||||
[Journal]
|
||||
ForwardToConsole=yes
|
||||
MaxLevelConsole=debug
|
||||
'';
|
||||
|
||||
# Provide a bootable USB drive image
|
||||
system.build.usbImage = pkgs.callPackage ({ stdenv, runCommand, dosfstools, e2fsprogs, mtools, libfaketime, util-linux, nukeReferences }:
|
||||
runCommand "boot-img-${node.config.networking.hostName}" {
|
||||
nativeBuildInputs = [ dosfstools e2fsprogs libfaketime mtools util-linux ];
|
||||
outputs = [ "out" "firmware_part" ];
|
||||
} ''
|
||||
export img=$out
|
||||
truncate -s 40M $img
|
||||
|
||||
sfdisk $img <<EOF
|
||||
label: gpt
|
||||
label-id: F222513B-DED1-49FA-B591-20CE86A2FE7F
|
||||
|
||||
type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, bootable
|
||||
EOF
|
||||
|
||||
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
|
||||
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
|
||||
truncate -s $((2081 * 512 + SECTORS * 512)) firmware_part.img
|
||||
|
||||
mkfs.vfat --invariant -i 2e24ec82 -n BOOT firmware_part.img
|
||||
|
||||
# Populate the files intended for /boot/firmware
|
||||
mkdir -p firmware/EFI/BOOT firmware/loader/entries
|
||||
cp ${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot*.efi firmware/EFI/BOOT/BOOT${lib.toUpper stdenv.hostPlatform.efiArch}.EFI
|
||||
|
||||
cat > firmware/loader/loader.conf << EOF
|
||||
default foo
|
||||
EOF
|
||||
cat > firmware/loader/entries/default.conf << EOF
|
||||
title Default
|
||||
linux /EFI/${pkgs.stdenv.hostPlatform.linux-kernel.target}
|
||||
initrd /EFI/initrd
|
||||
options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
|
||||
EOF
|
||||
cp ${config.system.build.kernel}/${pkgs.stdenv.hostPlatform.linux-kernel.target} firmware/EFI/${pkgs.stdenv.hostPlatform.linux-kernel.target}
|
||||
cp ${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile} firmware/EFI/initrd
|
||||
|
||||
find firmware -exec touch --date=2000-01-01 {} +
|
||||
# Copy the populated /boot/firmware into the SD image
|
||||
cd firmware
|
||||
# Force a fixed order in mcopy for better determinism, and avoid file globbing
|
||||
for d in $(find . -type d -mindepth 1 | sort); do
|
||||
faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
|
||||
done
|
||||
for f in $(find . -type f | sort); do
|
||||
mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
|
||||
done
|
||||
cd ..
|
||||
|
||||
# Verify the FAT partition before copying it.
|
||||
fsck.vfat -vn firmware_part.img
|
||||
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
|
||||
|
||||
cp firmware_part.img $firmware_part
|
||||
''
|
||||
) {};
|
||||
}
|
||||
;
|
||||
};
|
||||
|
||||
# This is the config which will actually be booted
|
||||
netbootVariant = extendModules {
|
||||
modules = [
|
||||
(
|
||||
{ modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/installer/netboot/netboot.nix") ];
|
||||
}
|
||||
)
|
||||
];
|
||||
};
|
||||
# A derivation combining all the artifacts required for netbooting for the hydra job
|
||||
netbootDir = let
|
||||
kernelTarget = pkgs.stdenv.hostPlatform.linux-kernel.target;
|
||||
build = config.system.build.netbootVariant.config.system.build;
|
||||
in
|
||||
pkgs.symlinkJoin {
|
||||
name = "netboot";
|
||||
paths = [
|
||||
build.netbootRamdisk
|
||||
build.kernel
|
||||
build.netbootIpxeScript
|
||||
];
|
||||
postBuild = ''
|
||||
mkdir -p $out/nix-support
|
||||
echo "file ${kernelTarget} $out/${kernelTarget}" >> $out/nix-support/hydra-build-products
|
||||
echo "file initrd $out/initrd" >> $out/nix-support/hydra-build-products
|
||||
echo "file ipxe $out/netboot.ipxe" >> $out/nix-support/hydra-build-products
|
||||
'';
|
||||
preferLocalBuild = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
142
services/buildbot/default.nix
Normal file
142
services/buildbot/default.nix
Normal file
|
@ -0,0 +1,142 @@
|
|||
{
|
||||
nodes,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.services.buildbot;
|
||||
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
|
||||
ssh-keys = import ../../common/ssh-keys.nix;
|
||||
inherit (lib) mkEnableOption mkOption mkIf types;
|
||||
in
|
||||
{
|
||||
options.bagel.services.buildbot = {
|
||||
enable = mkEnableOption "Buildbot";
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
builders = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = "List of builders to configure for Buildbot";
|
||||
example = [ "builder-2" "builder-3" ];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
|
||||
age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
|
||||
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
|
||||
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
|
||||
age.secrets.buildbot-signing-key = {
|
||||
file = ../../secrets/buildbot-signing-key.age;
|
||||
owner = "buildbot-worker";
|
||||
group = "buildbot-worker";
|
||||
};
|
||||
age.secrets.buildbot-remote-builder-key = {
|
||||
file = ../../secrets/buildbot-remote-builder-key.age;
|
||||
owner = "buildbot-worker";
|
||||
group = "buildbot-worker";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${cfg.domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
add_header Access-Control-Allow-Credentials 'true' always;
|
||||
add_header Access-Control-Allow-Origin 'https://cl.forkos.org' always;
|
||||
'';
|
||||
};
|
||||
|
||||
services.buildbot-nix.worker = {
|
||||
enable = true;
|
||||
workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
|
||||
# All credits to eldritch horrors for this beauty.
|
||||
workerArchitectures =
|
||||
{
|
||||
# nix-eval-jobs runs under a lock, error reports do not (but are cheap)
|
||||
other = 8;
|
||||
} // (
|
||||
lib.filterAttrs
|
||||
(n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
|
||||
(lib.zipAttrsWith
|
||||
(_: lib.foldl' lib.add 0)
|
||||
(lib.concatMap
|
||||
(m: map (s: { ${s} = m.maxJobs; }) m.systems)
|
||||
config.services.buildbot-nix.coordinator.buildMachines))
|
||||
);
|
||||
};
|
||||
|
||||
services.buildbot-nix.coordinator = {
|
||||
enable = true;
|
||||
|
||||
inherit (cfg) domain;
|
||||
|
||||
debugging.enable = true;
|
||||
|
||||
oauth2 = {
|
||||
name = "Lix";
|
||||
clientId = "forkos-buildbot";
|
||||
clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
|
||||
resourceEndpoint = "https://identity.lix.systems";
|
||||
authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
|
||||
tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
|
||||
};
|
||||
|
||||
# TODO(raito): this is not really necessary, we never have remote buildbot workers.
|
||||
# we can replace all of this with automatic localworker generation on buildbot-nix side.
|
||||
workersFile = config.age.secrets.buildbot-workers.path;
|
||||
|
||||
allowedOrigins = [
|
||||
"*.forkos.org"
|
||||
];
|
||||
|
||||
# TODO(raito): is that really necessary when we can just collect buildMachines' systems?
|
||||
buildSystems = [
|
||||
"x86_64-linux"
|
||||
];
|
||||
|
||||
buildMachines = map (n: {
|
||||
hostName = nodes.${n}.config.networking.fqdn;
|
||||
protocol = "ssh-ng";
|
||||
# Follows Hydra.
|
||||
maxJobs = 8;
|
||||
sshKey = config.age.secrets.buildbot-remote-builder-key.path;
|
||||
sshUser = "buildbot";
|
||||
systems = [ "x86_64-linux" ];
|
||||
supportedFeatures = nodes.${n}.config.nix.settings.system-features;
|
||||
# Contrary to how Nix works, here we can specify non-base64 public host keys.
|
||||
publicHostKey = ssh-keys.machines.${n};
|
||||
}
|
||||
) cfg.builders;
|
||||
|
||||
gerrit = {
|
||||
domain = cfgGerrit.canonicalDomain;
|
||||
# Manually managed account…
|
||||
# TODO: https://git.lix.systems/the-distro/infra/issues/69
|
||||
username = "buildbot";
|
||||
port = cfgGerrit.port;
|
||||
privateKeyFile = config.age.secrets.buildbot-service-key.path;
|
||||
projects = [
|
||||
"buildbot-test"
|
||||
"nixpkgs"
|
||||
"infra"
|
||||
];
|
||||
};
|
||||
|
||||
evalWorkerCount = 6;
|
||||
evalMaxMemorySize = "4096";
|
||||
|
||||
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
|
||||
};
|
||||
|
||||
nix.settings.keep-derivations = true;
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
dates = "hourly";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,9 +1,13 @@
|
|||
{
|
||||
imports = [
|
||||
./hydra
|
||||
./postgres
|
||||
./netbox
|
||||
./gerrit
|
||||
./hydra
|
||||
./monitoring
|
||||
./netbox
|
||||
./ofborg
|
||||
./postgres
|
||||
./forgejo
|
||||
./baremetal-builder
|
||||
./buildbot
|
||||
];
|
||||
}
|
||||
|
|
143
services/forgejo/default.nix
Normal file
143
services/forgejo/default.nix
Normal file
|
@ -0,0 +1,143 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
|
||||
|
||||
let
|
||||
cfg = config.bagel.services.forgejo;
|
||||
inherit (lib) mkIf mkEnableOption mkOption types;
|
||||
|
||||
domain = "git.forkos.org";
|
||||
in
|
||||
{
|
||||
options.bagel.services.forgejo = {
|
||||
enable = mkEnableOption "Forgejo";
|
||||
sshBindAddr = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
|
||||
package = pkgs.callPackage ../../pkgs/forgejo { };
|
||||
|
||||
database = {
|
||||
type = "postgres";
|
||||
createDatabase = true;
|
||||
};
|
||||
|
||||
lfs.enable = true;
|
||||
|
||||
settings = {
|
||||
DEFAULT = {
|
||||
APP_NAME = "ForkOS";
|
||||
};
|
||||
|
||||
server = {
|
||||
PROTOCOL = "http+unix";
|
||||
ROOT_URL = "https://${domain}/";
|
||||
DOMAIN = "${domain}";
|
||||
|
||||
BUILTIN_SSH_SERVER_USER = "git";
|
||||
SSH_PORT = 22;
|
||||
SSH_LISTEN_HOST = cfg.sshBindAddr;
|
||||
START_SSH_SERVER = true;
|
||||
};
|
||||
|
||||
session = {
|
||||
PROVIDER = "redis";
|
||||
PROVIDER_CONFIG = "network=unix,addr=${config.services.redis.servers.forgejo.unixSocket},db=0";
|
||||
COOKIE_NAME = "session";
|
||||
};
|
||||
|
||||
service = {
|
||||
DISABLE_REGISTRATION = true;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
};
|
||||
|
||||
"service.explore" = {
|
||||
DISABLE_USERS_PAGE = true;
|
||||
};
|
||||
|
||||
oauth2_client = {
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
ENABLE_AUTO_REGISTRATION = true;
|
||||
};
|
||||
|
||||
# TODO: transactional mails
|
||||
|
||||
cache = {
|
||||
ADAPTER = "redis";
|
||||
HOST = "network=unix,addr=${config.services.redis.servers.forgejo.unixSocket},db=1";
|
||||
ITEM_TTL = "72h"; # increased from default 16h
|
||||
};
|
||||
|
||||
ui = {
|
||||
SHOW_USER_EMAIL = false;
|
||||
};
|
||||
|
||||
repository = {
|
||||
# Forks in forgejo are suprisingly expensive because they are full git clones.
|
||||
# If we do want to enable forks, we can write a small patch that disables
|
||||
# only for repositories that are as large as nixpkgs.
|
||||
DISABLE_FORKS = true;
|
||||
};
|
||||
|
||||
packages = {
|
||||
# Forgejo's various package registries can easily take up a lot of space.
|
||||
# We could either store the blobs on some slower disks but larger, or even
|
||||
# better, use an s3 bucket for it. But until we actually have a use-case for
|
||||
# this feature, we will simply keep it disabled for now.
|
||||
ENABLED = false;
|
||||
};
|
||||
|
||||
indexer = {
|
||||
REPO_INDEXER_REPO_TYPES = "sources,mirrors,templates"; # skip forks
|
||||
REPO_INDEXER_ENABLED = true;
|
||||
ISSUE_INDEXER_TYPE = "bleve";
|
||||
};
|
||||
|
||||
"git.timeout" = {
|
||||
MIGRATE = 3600; # increase from default 600 (seconds) for something as large as nixpkgs on a slow uplink
|
||||
};
|
||||
|
||||
log = {
|
||||
LEVEL = "Warn";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.forgejo = {
|
||||
serviceConfig = lib.optionalAttrs (config.services.forgejo.settings.server.SSH_PORT < 1024) {
|
||||
AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE";
|
||||
CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
|
||||
PrivateUsers = lib.mkForce false;
|
||||
};
|
||||
|
||||
# start Forgejo *after* sshd.service, so in case Forgejo tries to wildcard bind :22 due to
|
||||
# a bug or whatever, we don't lose OpenSSH in a race.
|
||||
wants = [ "sshd.service" "redis-forgejo.service" ];
|
||||
requires = [ "sshd.service" "redis-forgejo.service" ];
|
||||
};
|
||||
|
||||
services.redis.servers.forgejo = {
|
||||
enable = true;
|
||||
user = "forgejo";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.${domain} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
config.services.forgejo.settings.server.SSH_PORT
|
||||
];
|
||||
};
|
||||
}
|
113
services/gerrit/checks.js
Normal file
113
services/gerrit/checks.js
Normal file
|
@ -0,0 +1,113 @@
|
|||
/* Inspired from the Lix setup.
|
||||
* Original-Author: puckipedia
|
||||
*/
|
||||
Gerrit.install((plugin) => {
|
||||
// TODO: can we just use `plugin.serverInfo().plugin` and control the settings over there.
|
||||
const configuration = {
|
||||
baseUri: @BASE_URI@,
|
||||
supportedProjects: @SUPPORTED_PROJECTS@,
|
||||
};
|
||||
|
||||
function makeBuildbotUri(suffix) {
|
||||
return `${configuration.baseUri}/${suffix}`;
|
||||
}
|
||||
|
||||
let builders = [];
|
||||
let fetchBuilders = async () => {
|
||||
if (builders.length > 0) return;
|
||||
let data = await (await fetch(makeBuildbotUri(`api/v2/builders`), { credentials: 'include' })).json();
|
||||
builders = data.builders;
|
||||
};
|
||||
|
||||
|
||||
let checksProvider;
|
||||
checksProvider = {
|
||||
async fetch({ repo, patchsetSha, changeNumber, patchsetNumber }, runBefore = false) {
|
||||
if (!configuration.supportedProjects.includes(repo)) {
|
||||
return { responseCode: 'OK' };
|
||||
}
|
||||
|
||||
let num = changeNumber.toString(10);
|
||||
|
||||
let branch = `refs/changes/${num.substr(-2)}/${num}/${patchsetNumber}`;
|
||||
|
||||
let changeFetch = await fetch(makeBuildbotUri(`api/v2/changes?limit=1&order=-changeid&revision=${patchsetSha}&branch=${branch}`), { credentials: 'include' });
|
||||
if (changeFetch.status == 400) {
|
||||
if ((await changeFetch.json()).error === 'invalid origin' && !runBefore) {
|
||||
return await checksProvider.fetch({ repo, patchsetSha, changeNumber, patchsetNumber }, true);
|
||||
}
|
||||
|
||||
return { responseCode: 'OK' };
|
||||
} else if (changeFetch.status === 403) {
|
||||
return { responseCode: 'NOT_LOGGED_IN', loginCallback() {
|
||||
window.open(configuration.baseUri);
|
||||
} };
|
||||
}
|
||||
|
||||
let changes = await changeFetch.json();
|
||||
if (changes.meta.total === 0) {
|
||||
return { responseCode: 'OK' };
|
||||
}
|
||||
|
||||
let { changeid } = changes.changes[0];
|
||||
let { builds } = await (await fetch(makeBuildbotUri(`api/v2/changes/${changeid}/builds?property=owners&property=workername`), { credentials: 'include' })).json();
|
||||
await fetchBuilders();
|
||||
let links = [];
|
||||
let runs = [];
|
||||
for (let build of builds) {
|
||||
let name = `unknown builder ${build.builderid}`;
|
||||
for (let builder of builders) {
|
||||
if (builder.builderid === build.builderid) {
|
||||
name = builder.name;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (name === `${repo}/nix-eval`) {
|
||||
links.push({
|
||||
url: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
|
||||
primary: true,
|
||||
icon: 'external',
|
||||
});
|
||||
}
|
||||
|
||||
let checkrun = {
|
||||
attempt: build.buildrequestid,
|
||||
// FIXME: generalize this accordingly once auto-discovery is available.
|
||||
checkName: name.replace(/^hydraJobs\./, ''),
|
||||
externalId: build.buildrequestid.toString(),
|
||||
status: build.complete ? 'COMPLETED' : (typeof build.started_at !== 'number' ? 'SCHEDULED' : 'RUNNING'),
|
||||
checkLink: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
|
||||
labelName: 'Verified',
|
||||
results: [],
|
||||
links: [{
|
||||
url: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
|
||||
primary: true,
|
||||
icon: 'external',
|
||||
}],
|
||||
};
|
||||
|
||||
if (build.started_at !== null) {
|
||||
checkrun.startedTimestamp = new Date(build.started_at * 1000);
|
||||
}
|
||||
|
||||
if (build.complete_at !== null) {
|
||||
checkrun.finishedTimestamp = new Date(build.complete_at * 1000);
|
||||
}
|
||||
|
||||
if (build.results !== null) {
|
||||
checkrun.results = [{
|
||||
category: build.results < 2 ? 'SUCCESS' : 'ERROR',
|
||||
summary: build.state_string,
|
||||
}];
|
||||
}
|
||||
|
||||
runs.push(checkrun);
|
||||
}
|
||||
|
||||
return { responseCode: 'OK', runs, links };
|
||||
}
|
||||
};
|
||||
|
||||
plugin.checks().register(checksProvider);
|
||||
});
|
|
@ -3,9 +3,11 @@
|
|||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkEnableOption mkIf mkOption types;
|
||||
inherit (lib) mkEnableOption mkIf mkOption types head;
|
||||
cfgGerrit = config.services.gerrit;
|
||||
cfg = config.bagel.services.gerrit;
|
||||
|
||||
jdk = pkgs.openjdk21_headless;
|
||||
in
|
||||
{
|
||||
options.bagel.services.gerrit = {
|
||||
|
@ -14,21 +16,33 @@ in
|
|||
type = types.listOf types.str;
|
||||
description = "List of domains that Gerrit will answer to";
|
||||
};
|
||||
canonicalDomain = mkOption {
|
||||
type = types.str;
|
||||
description = "Canonical domain for this Gerrit instance";
|
||||
default = head cfg.domains;
|
||||
};
|
||||
data = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/gerrit";
|
||||
description = "Root of data directory for the Gerrit";
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 29418;
|
||||
readOnly = true;
|
||||
description = "Port for the Gerrit SSH server";
|
||||
};
|
||||
};
|
||||
|
||||
imports = [
|
||||
./www.nix
|
||||
./one-way-sync.nix
|
||||
];
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.firewall.allowedTCPPorts = [ 29418 ];
|
||||
networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
environment.systemPackages = [ pkgs.openjdk17_headless ];
|
||||
environment.systemPackages = [ jdk ];
|
||||
|
||||
fileSystems."/var/lib/gerrit" = mkIf (cfg.data != "/var/lib/gerrit") {
|
||||
device = cfg.data;
|
||||
|
@ -56,20 +70,31 @@ in
|
|||
"webhooks"
|
||||
];
|
||||
|
||||
plugins = with pkgs.gerritPlugins; [
|
||||
plugins = with pkgs.gerritPlugins; [
|
||||
oauth
|
||||
metrics-reporter-prometheus
|
||||
# Buildbot checks plugin (writeText because services.gerrit.plugins expects packages)
|
||||
(pkgs.runCommand "checks.js" {
|
||||
BASE_URI = builtins.toJSON "https://buildbot.forkos.org";
|
||||
SUPPORTED_PROJECTS = builtins.toJSON [
|
||||
"infra"
|
||||
"nixpkgs"
|
||||
"buildbot-test"
|
||||
];
|
||||
}
|
||||
''
|
||||
echo "configuring buildbot checks plugin for $BASE_URI with $SUPPORTED_PROJECTS project list"
|
||||
substitute ${./checks.js} $out \
|
||||
--replace-fail "@BASE_URI@" "$BASE_URI" \
|
||||
--replace-fail "@SUPPORTED_PROJECTS@" "$SUPPORTED_PROJECTS"
|
||||
'')
|
||||
];
|
||||
|
||||
package = pkgs.gerrit;
|
||||
|
||||
jvmHeapLimit = "32g";
|
||||
|
||||
# In some NixOS channel bump, the default version of OpenJDK has
|
||||
# changed to one that is incompatible with our current version of
|
||||
# Gerrit.
|
||||
#
|
||||
# TODO(tazjin): Update Gerrit and remove this when possible.
|
||||
jvmPackage = pkgs.openjdk17_headless;
|
||||
jvmPackage = jdk;
|
||||
|
||||
settings = {
|
||||
# Performance settings
|
||||
|
@ -104,7 +129,7 @@ in
|
|||
core.packedGitMmap = true;
|
||||
|
||||
## Takes more CPU but the transfer is smaller.
|
||||
pack.deltacompression = false;
|
||||
pack.deltacompression = true;
|
||||
pack.threads = 8;
|
||||
|
||||
# FIXME(raito):
|
||||
|
@ -117,7 +142,7 @@ in
|
|||
# Other settings
|
||||
log.jsonLogging = true;
|
||||
log.textLogging = false;
|
||||
sshd.advertisedAddress = "cl.forkos.org:29418";
|
||||
sshd.advertisedAddress = "${cfg.canonicalDomain}:${toString cfg.port}";
|
||||
cache.web_sessions.maxAge = "3 months";
|
||||
plugins.allowRemoteAdmin = false;
|
||||
change.enableAttentionSet = true;
|
||||
|
@ -132,7 +157,7 @@ in
|
|||
# Configures gerrit for being reverse-proxied by nginx as per
|
||||
# https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
|
||||
gerrit = {
|
||||
canonicalWebUrl = "https://cl.forkos.org";
|
||||
canonicalWebUrl = "https://${cfg.canonicalDomain}";
|
||||
docUrl = "/Documentation";
|
||||
defaultBranch = "refs/heads/main";
|
||||
};
|
||||
|
@ -149,7 +174,7 @@ in
|
|||
# Auto-link other CLs
|
||||
commentlink.gerrit = {
|
||||
match = "cl/(\\d+)";
|
||||
link = "https://cl.forkos.org/$1";
|
||||
link = "https://${cfg.canonicalDomain}/$1";
|
||||
};
|
||||
|
||||
# Configures integration with Keycloak, which then integrates with a
|
||||
|
@ -221,6 +246,14 @@ in
|
|||
User = "git";
|
||||
Group = "git";
|
||||
};
|
||||
environment.REVWALK_USE_PRIORITY_QUEUE = "true";
|
||||
};
|
||||
|
||||
age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/gerrit-prometheus-bearer-token.age;
|
||||
bagel.monitoring.grafana-agent.exporters.gerrit = {
|
||||
port = 4778; # grrt
|
||||
bearerTokenFile = config.age.secrets.gerrit-prometheus-bearer-token.path;
|
||||
scrapeConfig.metrics_path = "/plugins/metrics-reporter-prometheus/metrics";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
132
services/gerrit/one-way-sync.nix
Normal file
132
services/gerrit/one-way-sync.nix
Normal file
|
@ -0,0 +1,132 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
let
|
||||
cfg = config.bagel.nixpkgs.one-way-sync;
|
||||
inherit (lib) mkIf mkOption mkEnableOption types mapAttrs';
|
||||
|
||||
mkSyncTimer = { name, timer, ... }: {
|
||||
wantedBy = [ "timers.target" ];
|
||||
|
||||
timerConfig = {
|
||||
OnCalendar = timer;
|
||||
Persistent = true;
|
||||
Unit = "ows-${name}.service";
|
||||
};
|
||||
};
|
||||
mkSyncService = targetRef: { name, fromUri, fromRefspec, localRefspec, ... }: {
|
||||
path = [ pkgs.gitFull pkgs.openssh pkgs.lix ];
|
||||
script = ''
|
||||
set -xe
|
||||
RUNTIME_DIRECTORY="/run/onewaysync-${name}"
|
||||
trap "git worktree remove -f "$RUNTIME_DIRECTORY"/${name}" EXIT
|
||||
|
||||
if [ ! -d "/var/lib/onewaysync/nixpkgs" ]; then
|
||||
echo "First run, synchronizing nixpkgs..."
|
||||
git clone https://cl.forkos.org/nixpkgs /var/lib/onewaysync/nixpkgs
|
||||
fi
|
||||
|
||||
cd /var/lib/onewaysync/nixpkgs
|
||||
echo "Syncing ${fromUri}:${fromRefspec} to /var/lib/onewaysync/nixpkgs:${targetRef}"
|
||||
echo "Current ref: $EXPECTED_REF"
|
||||
git worktree add -f "$RUNTIME_DIRECTORY"/${name} refs/remotes/origin/${localRefspec}
|
||||
cd "$RUNTIME_DIRECTORY"/${name}
|
||||
git pull origin ${localRefspec}
|
||||
EXPECTED_REF=$(git rev-list refs/remotes/origin/${localRefspec} | head -1)
|
||||
git config user.name Fork-o-Tron
|
||||
git config user.email noreply@forkos.org
|
||||
git fetch ${fromUri} ${fromRefspec}
|
||||
'' + lib.optionalString (!(lib.hasInfix "staging" localRefspec)) ''
|
||||
OLD_STDENV=$(nix eval -f . stdenv.outPath --store "$RUNTIME_DIRECTORY")
|
||||
'' + ''
|
||||
git merge FETCH_HEAD
|
||||
'' + lib.optionalString (!(lib.hasInfix "staging" localRefspec)) ''
|
||||
NEW_STDENV=$(nix eval -f . stdenv.outPath --store "$RUNTIME_DIRECTORY")
|
||||
# Do not allow auto-merging a staging iteration
|
||||
test "$OLD_STDENV" = "$NEW_STDENV"
|
||||
'' + ''
|
||||
GIT_SSH_COMMAND='ssh -i ${cfg.deployKeyPath}' git push ${cfg.pushUrl} HEAD:${targetRef}
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "git";
|
||||
Group = "git";
|
||||
Type = "oneshot";
|
||||
RuntimeDirectory = "onewaysync-${name}";
|
||||
WorkingDirectory = "/run/onewaysync-${name}";
|
||||
StateDirectory = "onewaysync";
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
options.bagel.nixpkgs.one-way-sync = {
|
||||
enable = mkEnableOption "the one-way sync from GitHub repositories";
|
||||
|
||||
referenceDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/gerrit/git/nixpkgs.git";
|
||||
description = "Local repository reference";
|
||||
};
|
||||
|
||||
workingDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/run/onewaysync/";
|
||||
description = "Working directory for the service";
|
||||
};
|
||||
|
||||
pushUrl = mkOption {
|
||||
type = types.str;
|
||||
example = "ssh://...";
|
||||
description = "Push URL for the target repository";
|
||||
};
|
||||
|
||||
deployKeyPath = mkOption {
|
||||
type = types.path;
|
||||
example = "/run/agenix.d/ows-priv-key";
|
||||
description = "Deployment private SSH key to push to the repository";
|
||||
};
|
||||
|
||||
branches = mkOption {
|
||||
type = types.attrsOf (types.submodule ({ ... }:
|
||||
{
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
description = "User-friendly name";
|
||||
};
|
||||
|
||||
fromUri = mkOption {
|
||||
type = types.str;
|
||||
description = "Git URI from which we need to sync";
|
||||
};
|
||||
|
||||
fromRefspec = mkOption {
|
||||
type = types.str;
|
||||
description = "refspec for the fetch";
|
||||
};
|
||||
|
||||
localRefspec = mkOption {
|
||||
type = types.str;
|
||||
default = "local refspec in the local repository to get the expected reference and avoid stale info";
|
||||
};
|
||||
|
||||
timer = mkOption {
|
||||
type = types.str;
|
||||
description = "Calendar format everytime we need to run the sync";
|
||||
};
|
||||
};
|
||||
}));
|
||||
|
||||
description = "Set of branches mapping from cl.forkos.org to other Git repositories";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.timers = mapAttrs' (name: value: {
|
||||
name = "ows-${value.name}";
|
||||
value = mkSyncTimer value;
|
||||
}) cfg.branches;
|
||||
|
||||
systemd.services = mapAttrs' (name: value: {
|
||||
name = "ows-${value.name}";
|
||||
value = mkSyncService name value;
|
||||
}) cfg.branches;
|
||||
};
|
||||
}
|
|
@ -25,7 +25,7 @@ in
|
|||
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
|
||||
proxy_set_header Host $host:443;
|
||||
# Gerrit can throw a lot of data.
|
||||
proxy_buffering on;
|
||||
proxy_buffering off;
|
||||
# NGINX should not give up super fast. Things can take time.
|
||||
proxy_read_timeout 3600;
|
||||
}
|
||||
|
|
|
@ -1,14 +1,51 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ nodes, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.bagel.services.hydra;
|
||||
ssh-keys = import ../../common/ssh-keys.nix;
|
||||
|
||||
narCacheDir = "/var/cache/hydra/nar-cache";
|
||||
port = 3000;
|
||||
|
||||
mkCacheSettings = settings: builtins.concatStringsSep "&" (
|
||||
lib.mapAttrsToList (k: v: "${k}=${v}") settings
|
||||
);
|
||||
);
|
||||
|
||||
# XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
|
||||
# a string with shell-style command interpolations: $(...).
|
||||
mkBaremetalBuilder = {
|
||||
parallelBuilds,
|
||||
publicHostKey,
|
||||
host,
|
||||
speedFactor ? 1,
|
||||
user ? "builder",
|
||||
supportedSystems ? [ "i686-linux" "x86_64-linux" ],
|
||||
supportedFeatures ? [ "big-parallel" "kvm" "nixos-test" ],
|
||||
requiredFeatures ? [ ]
|
||||
}:
|
||||
let
|
||||
supportedFeatures_ = if (supportedFeatures != []) then lib.concatStringsSep "," supportedFeatures else "-";
|
||||
requiredFeatures_ = if (requiredFeatures != []) then lib.concatStringsSep "," requiredFeatures else "-";
|
||||
in
|
||||
"ssh://${user}@${host}?remote-store=/mnt ${lib.concatStringsSep "," supportedSystems} ${config.age.secrets.hydra-ssh-key-priv.path} ${toString parallelBuilds} ${toString speedFactor} ${supportedFeatures_} ${requiredFeatures_} $(echo -n '${publicHostKey}' | base64 -w0)";
|
||||
|
||||
# TODO:
|
||||
# - generalize to new architectures
|
||||
# - generalize to new features
|
||||
baremetalBuilders = lib.concatStringsSep "\n"
|
||||
(map (n: let
|
||||
assignments = (import ../baremetal-builder/assignments.nix).${n} or {
|
||||
inherit (nodes.${n}.config.nix.settings) max-jobs;
|
||||
supported-features = [ "big-parallel" "kvm" "nixos-test" ];
|
||||
required-features = [];
|
||||
};
|
||||
in mkBaremetalBuilder {
|
||||
parallelBuilds = assignments.max-jobs;
|
||||
supportedFeatures = assignments.supported-features;
|
||||
requiredFeatures = assignments.required-features;
|
||||
publicHostKey = ssh-keys.machines.${n};
|
||||
host = nodes.${n}.config.networking.fqdn;
|
||||
}) cfg.builders);
|
||||
in {
|
||||
options.bagel.services.hydra = with lib; {
|
||||
enable = mkEnableOption "Hydra coordinator";
|
||||
|
@ -17,11 +54,24 @@ in {
|
|||
type = types.str;
|
||||
description = "DBI connection string for the Hydra postgres database";
|
||||
};
|
||||
|
||||
builders = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = "List of builders to configure for Hydra";
|
||||
example = [ "builder-0" "builder-1" ];
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# TODO: we should assert or warn that the builders
|
||||
# does indeed have our public SSH key and are *builders*
|
||||
# as a simple evaluation preflight check.
|
||||
|
||||
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
|
||||
|
||||
age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
|
||||
age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
|
||||
|
||||
age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
|
||||
age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
|
||||
|
||||
|
@ -33,7 +83,16 @@ in {
|
|||
# XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
|
||||
#
|
||||
# Can be removed once this is added to some common config template.
|
||||
nix.settings.trusted-users = [ "root" "@wheel" ];
|
||||
nix.settings.trusted-users = [ "root" "hydra" "hydra-www" "@wheel" ];
|
||||
|
||||
# Because Hydra can't fetch flake inputs otherwise... also yes, this
|
||||
# prefix-based matching is absurdly bad.
|
||||
nix.settings.allowed-uris = [
|
||||
"github:"
|
||||
"https://github.com/"
|
||||
"https://git.lix.systems/"
|
||||
"https://git@git.lix.systems/"
|
||||
];
|
||||
|
||||
services.hydra-dev = {
|
||||
enable = true;
|
||||
|
@ -42,18 +101,20 @@ in {
|
|||
port = port;
|
||||
dbi = cfg.dbi;
|
||||
|
||||
hydraURL = "https://hydra.bagel.delroth.net";
|
||||
hydraURL = "https://hydra.forkos.org";
|
||||
useSubstitutes = false;
|
||||
|
||||
notificationSender = "bagel@delroth.net";
|
||||
notificationSender = "hydra@forkos.org";
|
||||
|
||||
# XXX: hydra overlay sets pkgs.hydra, but hydra's nixos module uses
|
||||
# pkgs.hydra_unstable...
|
||||
package = pkgs.hydra;
|
||||
|
||||
buildMachinesFiles = [
|
||||
(pkgs.writeText "hydra-builders.conf" ''
|
||||
ssh://bagel-builder@epyc.infra.newtype.fr i686-linux,x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9YVDlJbml0MU1oS3Q0cmpCQU5McTB0MGJQd3cvV1FaOTZ1QjRBRURybWwgcm9vdEBuaXhvcwo=
|
||||
(pkgs.runCommandNoCC "hydra-builders.conf" {} ''
|
||||
cat >$out <<EOF
|
||||
${baremetalBuilders}
|
||||
EOF
|
||||
'')
|
||||
];
|
||||
|
||||
|
@ -62,7 +123,7 @@ in {
|
|||
endpoint = "s3.delroth.net";
|
||||
region = "garage";
|
||||
|
||||
#secret-key = "TODO";
|
||||
secret-key = config.age.secrets.hydra-signing-priv.path;
|
||||
|
||||
compression = "zstd";
|
||||
log-compression = "br";
|
||||
|
@ -77,7 +138,7 @@ in {
|
|||
|
||||
upload_logs_to_binary_cache = true
|
||||
|
||||
evaluator_workers = 4
|
||||
evaluator_workers = 16
|
||||
evaluator_max_memory_size = 4096
|
||||
max_concurrent_evals = 1
|
||||
|
||||
|
@ -88,8 +149,11 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
|
||||
config.age.secrets.hydra-s3-credentials.path;
|
||||
systemd.services.hydra-queue-runner = {
|
||||
# FIXME: should probably be set in the upstream Hydra module?
|
||||
wants = [ "network-online.target" ];
|
||||
serviceConfig.EnvironmentFile = config.age.secrets.hydra-s3-credentials.path;
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
@ -108,7 +172,7 @@ in {
|
|||
worker_processes auto;
|
||||
'';
|
||||
|
||||
virtualHosts."hydra.bagel.delroth.net" = {
|
||||
virtualHosts."hydra.forkos.org" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
|
|
129
services/monitoring/agent.nix
Normal file
129
services/monitoring/agent.nix
Normal file
|
@ -0,0 +1,129 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.monitoring.grafana-agent;
|
||||
inherit (lib) mkEnableOption mkOption mkIf types;
|
||||
passwordAsCredential = "\${CREDENTIALS_DIRECTORY}/password";
|
||||
in
|
||||
{
|
||||
options.bagel.monitoring.grafana-agent = {
|
||||
enable = (mkEnableOption "Grafana Agent") // { default = true; };
|
||||
|
||||
exporters = mkOption {
|
||||
description = ''
|
||||
Set of additional exporters to scrape.
|
||||
|
||||
The attribute name will be used as `job_name`
|
||||
internally, which ends up exported as `job` label
|
||||
on all metrics of that exporter.
|
||||
'';
|
||||
type = types.attrsOf (types.submodule ({ config, name, ... }: {
|
||||
options.port = mkOption {
|
||||
description = "Exporter port";
|
||||
type = types.int;
|
||||
};
|
||||
options.bearerTokenFile = mkOption {
|
||||
description = "File containing a bearer token";
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
};
|
||||
|
||||
options.scrapeConfig = mkOption {
|
||||
description = "Prometheus scrape config";
|
||||
type = types.attrs;
|
||||
};
|
||||
config.scrapeConfig = lib.mkMerge [{
|
||||
job_name = name;
|
||||
static_configs = [
|
||||
{ targets = [ "localhost:${toString config.port}" ]; }
|
||||
];
|
||||
} (lib.mkIf (config.bearerTokenFile != null) {
|
||||
authorization.credentials_file = "\${CREDENTIALS_DIRECTORY}/${name}-bearer-token";
|
||||
})];
|
||||
|
||||
options.secrets = mkOption {
|
||||
description = "Secrets required for scrape config";
|
||||
type = types.attrs;
|
||||
internal = true;
|
||||
default = {};
|
||||
};
|
||||
config.secrets = lib.mkIf (config.bearerTokenFile != null) {
|
||||
"${name}-bearer-token" = config.bearerTokenFile;
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets.grafana-agent-password.file = ../../secrets/metrics-push-password.age;
|
||||
|
||||
services.grafana-agent = {
|
||||
enable = true;
|
||||
credentials = lib.mkMerge ([{ password = config.age.secrets.grafana-agent-password.path; }] ++
|
||||
lib.mapAttrsToList (name: value: value.secrets) config.bagel.monitoring.grafana-agent.exporters);
|
||||
settings = {
|
||||
metrics = {
|
||||
global.remote_write = [
|
||||
{
|
||||
url = "https://mimir.forkos.org/api/v1/push";
|
||||
basic_auth = {
|
||||
username = "promtail";
|
||||
password_file = passwordAsCredential;
|
||||
};
|
||||
}
|
||||
];
|
||||
global.external_labels.hostname = config.networking.hostName;
|
||||
configs = [
|
||||
{
|
||||
name = config.networking.hostName;
|
||||
scrape_configs = lib.mapAttrsToList (name: value: value.scrapeConfig) config.bagel.monitoring.grafana-agent.exporters;
|
||||
}
|
||||
];
|
||||
};
|
||||
logs = {
|
||||
global.clients = [
|
||||
{
|
||||
url = "https://loki.forkos.org/loki/api/v1/push";
|
||||
basic_auth = {
|
||||
username = "promtail";
|
||||
password_file = passwordAsCredential;
|
||||
};
|
||||
}
|
||||
];
|
||||
configs = [
|
||||
{
|
||||
name = "journald";
|
||||
scrape_configs = [
|
||||
{
|
||||
job_name = "system";
|
||||
journal = {
|
||||
max_age = "12h";
|
||||
labels = {
|
||||
job = "systemd-journal";
|
||||
host = config.networking.hostName;
|
||||
};
|
||||
};
|
||||
relabel_configs = [
|
||||
{
|
||||
source_labels = [ "__journal__systemd_unit" ];
|
||||
target_label = "unit";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
positions_directory = "\${STATE_DIRECTORY}/positions";
|
||||
};
|
||||
integrations.node_exporter.enable_collectors = [
|
||||
"processes"
|
||||
"systemd"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -2,6 +2,6 @@
|
|||
imports = [
|
||||
./exporters
|
||||
./lgtm
|
||||
./promtail.nix
|
||||
./agent.nix
|
||||
];
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.monitoring.exporters.baseline;
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
in
|
||||
{
|
||||
options.bagel.monitoring.exporters.baseline.enable = (mkEnableOption "Standard set of exporters") // { default = true; };
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.prometheus.exporters.node = {
|
||||
enable = true;
|
||||
enabledCollectors = [
|
||||
"processes"
|
||||
"systemd"
|
||||
];
|
||||
port = 9101;
|
||||
};
|
||||
|
||||
services.cadvisor = {
|
||||
enable = true;
|
||||
port = 9102;
|
||||
listenAddress = "0.0.0.0";
|
||||
};
|
||||
|
||||
bagel.meta.monitoring.exporters = [
|
||||
{ port = 9101; }
|
||||
{ port = 9102; }
|
||||
];
|
||||
};
|
||||
}
|
22
services/monitoring/exporters/cadvisor.nix
Normal file
22
services/monitoring/exporters/cadvisor.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.monitoring.exporters.cadvisor;
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
in
|
||||
{
|
||||
options.bagel.monitoring.exporters.cadvisor.enable = (mkEnableOption "Standard cAdvisor") // { default = !config.boot.isContainer; };
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.cadvisor = {
|
||||
enable = true;
|
||||
port = 9102;
|
||||
listenAddress = "0.0.0.0";
|
||||
};
|
||||
|
||||
bagel.monitoring.grafana-agent.exporters.cadvisor.port = 9102;
|
||||
};
|
||||
}
|
|
@ -1,36 +1,7 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) mkOption types;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./baseline.nix
|
||||
./cadvisor.nix
|
||||
./nginx.nix
|
||||
./postgres.nix
|
||||
];
|
||||
|
||||
options.bagel = {
|
||||
meta.monitoring = {
|
||||
address = mkOption {
|
||||
description = "Node's public address";
|
||||
type = types.str;
|
||||
};
|
||||
exporters = mkOption {
|
||||
description = "List of all exporters to scrape";
|
||||
type = types.listOf (types.submodule {
|
||||
options.port = mkOption {
|
||||
description = "Exporter port";
|
||||
type = types.int;
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config.networking.firewall.allowedTCPPorts = map (e: e.port) config.bagel.meta.monitoring.exporters;
|
||||
}
|
|
@ -30,8 +30,6 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
bagel.meta.monitoring.exporters = [
|
||||
{ port = 9103; }
|
||||
];
|
||||
bagel.monitoring.grafana-agent.exporters.nginxlog.port = 9103;
|
||||
};
|
||||
}
|
|
@ -24,8 +24,6 @@ in
|
|||
|
||||
services.postgresql.settings.shared_preload_libraries = "pg_stat_statements";
|
||||
|
||||
bagel.meta.monitoring.exporters = [
|
||||
{ port = 9104; }
|
||||
];
|
||||
bagel.monitoring.grafana-agent.exporters.postgres.port = 9104;
|
||||
};
|
||||
}
|
5
services/monitoring/lgtm/alerts/demo.yaml
Normal file
5
services/monitoring/lgtm/alerts/demo.yaml
Normal file
|
@ -0,0 +1,5 @@
|
|||
groups:
|
||||
- name: Demo alerts
|
||||
rules:
|
||||
- alert: Demo alert
|
||||
expr: 1
|
|
@ -26,7 +26,6 @@
|
|||
"fiscalYearStartMonth": 0,
|
||||
"gnetId": 15947,
|
||||
"graphTooltip": 0,
|
||||
"id": 4,
|
||||
"links": [],
|
||||
"liveNow": false,
|
||||
"panels": [
|
||||
|
@ -93,7 +92,7 @@
|
|||
},
|
||||
"editorMode": "code",
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^2..\",instance=\"$host\"}[1m])) / sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) * 100",
|
||||
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^2..\",hostname=\"$hostname\"}[1m])) / sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) * 100",
|
||||
"hide": false,
|
||||
"interval": "",
|
||||
"legendFormat": "2** status codes",
|
||||
|
@ -106,7 +105,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^4..\",instance=\"$host\"}[1m])) / sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) * 100",
|
||||
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^4..\",hostname=\"$hostname\"}[1m])) / sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) * 100",
|
||||
"interval": "",
|
||||
"legendFormat": "4** status codes",
|
||||
"refId": "A"
|
||||
|
@ -117,7 +116,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^5..\",instance=\"$host\"}[1m])) / sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) * 100",
|
||||
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^5..\",hostname=\"$hostname\"}[1m])) / sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) * 100",
|
||||
"hide": false,
|
||||
"interval": "",
|
||||
"legendFormat": "5** status codes",
|
||||
|
@ -216,7 +215,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_time_seconds_count{instance=\"$host\"}[1m])) ",
|
||||
"expr": "sum(rate(nginx_http_response_time_seconds_count{hostname=\"$hostname\"}[1m])) ",
|
||||
"format": "time_series",
|
||||
"interval": "",
|
||||
"intervalFactor": 1,
|
||||
|
@ -316,7 +315,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_size_bytes{instance=\"$host\"}[5m])) ",
|
||||
"expr": "sum(rate(nginx_http_response_size_bytes{hostname=\"$hostname\"}[5m])) ",
|
||||
"format": "time_series",
|
||||
"interval": "",
|
||||
"intervalFactor": 1,
|
||||
|
@ -414,7 +413,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_time_seconds_sum{instance=\"$host\"}[5m])) / sum(rate(nginx_http_response_time_seconds_count{instance=\"$host\"}[5m])) ",
|
||||
"expr": "sum(rate(nginx_http_response_time_seconds_sum{hostname=\"$hostname\"}[5m])) / sum(rate(nginx_http_response_time_seconds_count{hostname=\"$hostname\"}[5m])) ",
|
||||
"format": "time_series",
|
||||
"interval": "",
|
||||
"intervalFactor": 1,
|
||||
|
@ -513,7 +512,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) by (status)",
|
||||
"expr": "sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) by (status)",
|
||||
"format": "time_series",
|
||||
"interval": "",
|
||||
"intervalFactor": 1,
|
||||
|
@ -612,7 +611,7 @@
|
|||
"uid": "mimir"
|
||||
},
|
||||
"exemplar": true,
|
||||
"expr": "nginx_http_response_time_seconds{quantile=\"0.9\",method=\"GET\",status=~\"2[0-9]*\",instance=~\"$host\"}",
|
||||
"expr": "nginx_http_response_time_seconds{quantile=\"0.9\",method=\"GET\",status=~\"2[0-9]*\",hostname=~\"$hostname\"}",
|
||||
"format": "time_series",
|
||||
"interval": "",
|
||||
"intervalFactor": 1,
|
||||
|
@ -631,25 +630,25 @@
|
|||
"list": [
|
||||
{
|
||||
"current": {
|
||||
"isNone": true,
|
||||
"selected": false,
|
||||
"text": "None",
|
||||
"value": ""
|
||||
"selected": true,
|
||||
"text": "bagel-box",
|
||||
"value": "bagel-box"
|
||||
},
|
||||
"datasource": {
|
||||
"type": "prometheus",
|
||||
"uid": "mimir"
|
||||
},
|
||||
"definition": "label_values(nginx_http_response_count_total,instance)",
|
||||
"definition": "label_values(nginx_http_response_count_total,hostname)",
|
||||
"hide": 0,
|
||||
"includeAll": false,
|
||||
"label": "Host:",
|
||||
"multi": false,
|
||||
"name": "host",
|
||||
"name": "hostname",
|
||||
"options": [],
|
||||
"query": {
|
||||
"query": "label_values(nginx_http_response_count_total,instance)",
|
||||
"refId": "StandardVariableQuery"
|
||||
"qryType": 1,
|
||||
"query": "label_values(nginx_http_response_count_total,hostname)",
|
||||
"refId": "PrometheusVariableQueryEditor-VariableQuery"
|
||||
},
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
|
@ -692,6 +691,6 @@
|
|||
"timezone": "",
|
||||
"title": "NGINX Log Metrics [M]",
|
||||
"uid": "JfOTY2Pnk",
|
||||
"version": 4,
|
||||
"version": 1,
|
||||
"weekStart": ""
|
||||
}
|
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -2,6 +2,6 @@
|
|||
imports = [
|
||||
./grafana.nix
|
||||
./loki.nix
|
||||
./prometheus.nix
|
||||
./mimir.nix
|
||||
];
|
||||
}
|
|
@ -36,6 +36,12 @@ in
|
|||
host = "/run/postgresql";
|
||||
};
|
||||
|
||||
"auth.anonymous" = {
|
||||
enabled = true;
|
||||
org_name = "Main Org.";
|
||||
org_role = "Viewer";
|
||||
};
|
||||
|
||||
"auth.generic_oauth" = {
|
||||
enabled = true;
|
||||
|
||||
|
@ -92,6 +98,7 @@ in
|
|||
uid = "mimir";
|
||||
access = "proxy";
|
||||
url = "http://127.0.0.1:9009/prometheus";
|
||||
isDefault = true;
|
||||
}
|
||||
{
|
||||
name = "Loki";
|
||||
|
@ -100,6 +107,17 @@ in
|
|||
access = "proxy";
|
||||
url = "http://127.0.0.1:9090/";
|
||||
}
|
||||
{
|
||||
name = "Mimir Alertmanager";
|
||||
type = "alertmanager";
|
||||
uid = "mimir-alertmanager";
|
||||
access = "proxy";
|
||||
url = "http://127.0.0.1:9009/";
|
||||
jsonData = {
|
||||
handleGrafanaManagedAlerts = true;
|
||||
implementation = "mimir";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
@ -129,5 +147,7 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
bagel.monitoring.grafana-agent.exporters.grafana.port = 2342;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,8 +12,8 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets = {
|
||||
loki-htpasswd = {
|
||||
file = ../../../secrets/loki-htpasswd.age;
|
||||
metrics-push-htpasswd = {
|
||||
file = ../../../secrets/metrics-push-htpasswd.age;
|
||||
owner = "nginx";
|
||||
};
|
||||
loki-environment.file = ../../../secrets/loki-environment.age;
|
||||
|
@ -88,13 +88,22 @@ in
|
|||
|
||||
systemd.services.loki.serviceConfig.EnvironmentFile = [ config.age.secrets.loki-environment.path ];
|
||||
|
||||
services.nginx.virtualHosts."loki.forkos.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/loki/api/v1/push" = {
|
||||
proxyPass = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}";
|
||||
basicAuthFile = config.age.secrets.loki-htpasswd.path;
|
||||
services.nginx = {
|
||||
upstreams.loki = {
|
||||
servers."127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = {};
|
||||
extraConfig = "keepalive 16;";
|
||||
};
|
||||
|
||||
virtualHosts."loki.forkos.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/loki/api/v1/push" = {
|
||||
proxyPass = "http://loki";
|
||||
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
bagel.monitoring.grafana-agent.exporters.loki.port = 9090;
|
||||
};
|
||||
}
|
||||
|
|
115
services/monitoring/lgtm/mimir.nix
Normal file
115
services/monitoring/lgtm/mimir.nix
Normal file
|
@ -0,0 +1,115 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.services.prometheus;
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
|
||||
mimirPort = config.services.mimir.configuration.server.http_listen_port;
|
||||
in
|
||||
{
|
||||
options.bagel.services.prometheus.enable = mkEnableOption "Prometheus scraper";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets = {
|
||||
metrics-push-htpasswd = {
|
||||
file = ../../../secrets/metrics-push-htpasswd.age;
|
||||
owner = "nginx";
|
||||
};
|
||||
mimir-environment.file = ../../../secrets/mimir-environment.age;
|
||||
};
|
||||
|
||||
services.mimir = {
|
||||
enable = true;
|
||||
extraFlags = ["--config.expand-env=true"];
|
||||
configuration = {
|
||||
target = "all,alertmanager";
|
||||
|
||||
multitenancy_enabled = false;
|
||||
|
||||
common.storage = {
|
||||
backend = "s3";
|
||||
s3 = {
|
||||
endpoint = "s3.delroth.net";
|
||||
bucket_name = "bagel-mimir";
|
||||
secret_access_key = "\${S3_KEY}"; # This is a secret injected via an environment variable
|
||||
access_key_id = "\${S3_KEY_ID}";
|
||||
};
|
||||
};
|
||||
|
||||
server = {
|
||||
http_listen_port = 9009;
|
||||
grpc_server_max_recv_msg_size = 104857600;
|
||||
grpc_server_max_send_msg_size = 104857600;
|
||||
grpc_server_max_concurrent_streams = 1000;
|
||||
};
|
||||
|
||||
ingester.ring.replication_factor = 1;
|
||||
|
||||
distributor.instance_limits.max_ingestion_rate = 0; # unlimited
|
||||
limits = {
|
||||
ingestion_rate = 1000000; # can't set to unlimited :(
|
||||
out_of_order_time_window = "12h";
|
||||
max_global_series_per_user = 0; # unlimited
|
||||
};
|
||||
|
||||
blocks_storage.backend = "s3";
|
||||
ruler_storage = {
|
||||
backend = "local";
|
||||
local.directory = pkgs.runCommand "mimir-rules" {} ''
|
||||
mkdir -p $out
|
||||
ln -s ${./alerts} $out/anonymous
|
||||
'';
|
||||
};
|
||||
|
||||
alertmanager = {
|
||||
sharding_ring.replication_factor = 1;
|
||||
fallback_config_file = pkgs.writers.writeYAML "alertmanager.yaml" {
|
||||
route = {
|
||||
group_by = ["alertname"];
|
||||
receiver = "matrix";
|
||||
};
|
||||
receivers = [
|
||||
{
|
||||
name = "matrix";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
alertmanager_storage.backend = "filesystem";
|
||||
|
||||
ruler.alertmanager_url = "http://localhost:${toString mimirPort}/alertmanager";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.mimir = {
|
||||
# Mimir tries to determine its own IP address for gossip purposes,
|
||||
# even when it's the only instance, and fails if it can't find one.
|
||||
# Avoid that by ensuring it starts after the network is set up.
|
||||
wants = [ "network-online.target" ];
|
||||
after = ["network-online.target"];
|
||||
serviceConfig.EnvironmentFile = [ config.age.secrets.mimir-environment.path ];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
upstreams.mimir = {
|
||||
servers."127.0.0.1:${toString mimirPort}" = {};
|
||||
extraConfig = "keepalive 16;";
|
||||
};
|
||||
|
||||
virtualHosts."mimir.forkos.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/api/v1/push" = {
|
||||
proxyPass = "http://mimir";
|
||||
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
bagel.monitoring.grafana-agent.exporters.mimir.port = 9009;
|
||||
};
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodes,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.services.prometheus;
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
|
||||
forEachMachine = fn: map fn (builtins.attrValues nodes);
|
||||
|
||||
allMetas = forEachMachine (machine: {
|
||||
name = machine.config.networking.hostName;
|
||||
address = machine.config.bagel.meta.monitoring.address or null;
|
||||
exporters = machine.config.bagel.meta.monitoring.exporters or [];
|
||||
});
|
||||
|
||||
scrapableMetas = builtins.filter (m: m.address != null && m.exporters != []) allMetas;
|
||||
|
||||
toJobConfig = m: {
|
||||
job_name = m.name;
|
||||
static_configs = [
|
||||
{ targets = map (e: m.address + ":" + (toString e.port)) m.exporters; }
|
||||
];
|
||||
};
|
||||
|
||||
jobConfigs = map toJobConfig scrapableMetas;
|
||||
in
|
||||
{
|
||||
options.bagel.services.prometheus.enable = mkEnableOption "Prometheus scraper";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets.mimir-environment.file = ../../../secrets/mimir-environment.age;
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
enableAgentMode = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
port = 9001;
|
||||
globalConfig.scrape_interval = "15s";
|
||||
scrapeConfigs = jobConfigs;
|
||||
remoteWrite = [
|
||||
{ url = "http://localhost:9009/api/v1/push"; }
|
||||
];
|
||||
};
|
||||
|
||||
services.mimir = {
|
||||
enable = true;
|
||||
extraFlags = ["--config.expand-env=true"];
|
||||
configuration = {
|
||||
multitenancy_enabled = false;
|
||||
|
||||
common.storage = {
|
||||
backend = "s3";
|
||||
s3 = {
|
||||
endpoint = "s3.delroth.net";
|
||||
bucket_name = "bagel-mimir";
|
||||
secret_access_key = "\${S3_KEY}"; # This is a secret injected via an environment variable
|
||||
access_key_id = "\${S3_KEY_ID}";
|
||||
};
|
||||
};
|
||||
|
||||
server = {
|
||||
http_listen_port = 9009;
|
||||
grpc_server_max_recv_msg_size = 104857600;
|
||||
grpc_server_max_send_msg_size = 104857600;
|
||||
grpc_server_max_concurrent_streams = 1000;
|
||||
};
|
||||
|
||||
ingester.ring.replication_factor = 1;
|
||||
|
||||
blocks_storage.backend = "s3";
|
||||
ruler_storage = {
|
||||
backend = "local";
|
||||
local.directory = ./alerts;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.mimir.serviceConfig.EnvironmentFile = [ config.age.secrets.mimir-environment.path ];
|
||||
};
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.bagel.monitoring.promtail;
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
in
|
||||
{
|
||||
options.bagel.monitoring.promtail.enable = (mkEnableOption "Promtail log export") // { default = true; };
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
age.secrets.promtail-password = {
|
||||
file = ../../secrets/promtail-password.age;
|
||||
owner = "promtail";
|
||||
};
|
||||
|
||||
services.promtail = {
|
||||
enable = true;
|
||||
configuration = {
|
||||
server.disable = true;
|
||||
clients = [
|
||||
{
|
||||
url = "https://loki.forkos.org/loki/api/v1/push";
|
||||
basic_auth = {
|
||||
username = "promtail";
|
||||
password_file = config.age.secrets.promtail-password.path;
|
||||
};
|
||||
}
|
||||
];
|
||||
scrape_configs = [
|
||||
{
|
||||
job_name = "system";
|
||||
journal = {
|
||||
max_age = "12h";
|
||||
labels = {
|
||||
job = "systemd-journal";
|
||||
host = config.networking.hostName;
|
||||
};
|
||||
};
|
||||
relabel_configs = [
|
||||
{
|
||||
source_labels = [ "__journal__systemd_unit" ];
|
||||
target_label = "unit";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -29,7 +29,7 @@ in
|
|||
listenAddress = "127.0.0.1";
|
||||
settings = {
|
||||
ALLOWED_HOSTS = [ cfg.domain ];
|
||||
# REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
|
||||
REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
|
||||
};
|
||||
|
||||
extraConfig = lib.mkForce ''
|
||||
|
@ -37,9 +37,9 @@ in
|
|||
|
||||
SECRET_KEY = env["SECRET_KEY"]
|
||||
|
||||
# SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
|
||||
# SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
|
||||
# SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
|
||||
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
|
||||
SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
|
||||
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
35
services/ofborg/default.nix
Normal file
35
services/ofborg/default.nix
Normal file
|
@ -0,0 +1,35 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.bagel.services.ofborg;
|
||||
|
||||
amqpHost = "amqp.forkos.org";
|
||||
amqpPort = 5671;
|
||||
in {
|
||||
options.bagel.services.ofborg = with lib; {
|
||||
enable = mkEnableOption "ofborg coordinator";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.rabbitmq = {
|
||||
enable = true;
|
||||
configItems = {
|
||||
"listeners.tcp" = "none";
|
||||
"listeners.ssl.default" = builtins.toString amqpPort;
|
||||
|
||||
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
|
||||
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
|
||||
};
|
||||
};
|
||||
|
||||
security.acme.certs.${amqpHost} = {
|
||||
webroot = "/var/lib/acme/.challenges";
|
||||
group = "rabbitmq";
|
||||
};
|
||||
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
|
||||
"/var/lib/acme/.challenges";
|
||||
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ amqpPort ];
|
||||
};
|
||||
}
|
7
terraform/common.nix
Normal file
7
terraform/common.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
# Until we get some kind of KMS operational, store secrets in the state file.
|
||||
terraform.required_providers.secret = {
|
||||
version = "~> 1.2.1";
|
||||
source = "numtide/secret";
|
||||
};
|
||||
}
|
8
terraform/default.nix
Normal file
8
terraform/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
imports = [
|
||||
./common.nix
|
||||
./gandi.nix
|
||||
./hydra.nix
|
||||
./state.nix
|
||||
];
|
||||
}
|
94
terraform/gandi.nix
Normal file
94
terraform/gandi.nix
Normal file
|
@ -0,0 +1,94 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (lib) mkEnableOption mkIf tf genList;
|
||||
cfg = config.bagel.gandi;
|
||||
in
|
||||
{
|
||||
options.bagel.gandi = {
|
||||
enable = mkEnableOption "the Gandi DNS configuration";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
terraform.required_providers.gandi = {
|
||||
version = "~> 2.3.0";
|
||||
source = "go-gandi/gandi";
|
||||
};
|
||||
|
||||
resource.secret_resource.gandi_pat.lifecycle.prevent_destroy = true;
|
||||
|
||||
provider.gandi = {
|
||||
personal_access_token = tf.ref "resource.secret_resource.gandi_pat.value";
|
||||
};
|
||||
|
||||
resource.gandi_livedns_domain.forkos_org = {
|
||||
name = "forkos.org";
|
||||
};
|
||||
|
||||
resource.gandi_livedns_record = let
|
||||
record = name: ttl: type: values: {
|
||||
inherit name ttl type values;
|
||||
};
|
||||
|
||||
proxyRecords = name: ttl: type: values: [
|
||||
# kurisu.lahfa.xyz running a sniproxy:
|
||||
(record name ttl "A" ["163.172.69.160"])
|
||||
(record name ttl type values)
|
||||
];
|
||||
|
||||
# Creates a extra *.p record pointing to the sniproxy
|
||||
dualProxyRecords = name: ttl: type: values: lib.flatten [
|
||||
(record name ttl type values)
|
||||
(proxyRecords "${name}.p" ttl type values)
|
||||
];
|
||||
|
||||
# TODO: make less fragile and have actual unique and stable names
|
||||
canonicalName = record: let
|
||||
name = builtins.replaceStrings ["." "@"] ["_" "_root_"] record.name;
|
||||
in
|
||||
"forkos_org_${record.type}_${name}";
|
||||
|
||||
forkosRecords = records:
|
||||
builtins.listToAttrs (map (record: {
|
||||
name = canonicalName record;
|
||||
value = record // {
|
||||
zone = tf.ref "resource.gandi_livedns_domain.forkos_org.id";
|
||||
};
|
||||
}) (lib.flatten records));
|
||||
|
||||
in forkosRecords ([
|
||||
# (record "@" 3600 "A" ["163.172.69.160"])
|
||||
(record "@" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
|
||||
|
||||
(dualProxyRecords "bagel-box.infra" 3600 "AAAA" ["2001:bc8:38ee:100:100::1"])
|
||||
(dualProxyRecords "gerrit01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
|
||||
(dualProxyRecords "meta01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
|
||||
(dualProxyRecords "fodwatch.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
|
||||
# git.infra.forkos.org exposes opensshd
|
||||
(dualProxyRecords "git.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::41"])
|
||||
# git.p.forkos.org exposes forgejo ssh server.
|
||||
(proxyRecords "git.p" 3600 "AAAA" ["2001:bc8:38ee:100:1000::40"])
|
||||
(dualProxyRecords "buildbot.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::50"])
|
||||
(dualProxyRecords "public01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::60"])
|
||||
|
||||
(record "cl" 3600 "CNAME" ["gerrit01.infra.p"])
|
||||
(record "fodwatch" 3600 "CNAME" ["fodwatch.infra.p"])
|
||||
# git.p.forkos.org is the proxy variant of the Forgejo server.
|
||||
(record "git" 3600 "CNAME" ["git.p"])
|
||||
(record "netbox" 3600 "CNAME" ["meta01.infra.p"])
|
||||
(record "amqp" 3600 "CNAME" ["bagel-box.infra.p"])
|
||||
(record "grafana" 3600 "CNAME" ["meta01.infra.p"])
|
||||
(record "hydra" 3600 "CNAME" ["bagel-box.infra.p"])
|
||||
(record "loki" 3600 "CNAME" ["meta01.infra.p"])
|
||||
(record "mimir" 3600 "CNAME" ["meta01.infra.p"])
|
||||
(record "matrix" 3600 "CNAME" ["meta01.infra.p"])
|
||||
(record "buildbot" 3600 "CNAME" ["buildbot.infra.p"])
|
||||
(record "b" 3600 "CNAME" ["public01.infra.p"])
|
||||
|
||||
# S3 in delroth's basement
|
||||
(record "cache" 3600 "CNAME" ["smol.delroth.net."])
|
||||
|
||||
(record "vpn-gw.wob01.infra" 3600 "AAAA" [ "2a01:584:11::2" ])
|
||||
# TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
|
||||
] ++ map (index: record "builder-${toString index}.wob01.infra" 3600 "AAAA" [ "2a01:584:11::1:${toString index}" ]) (genList lib.id 12));
|
||||
};
|
||||
}
|
328
terraform/hydra.nix
Normal file
328
terraform/hydra.nix
Normal file
|
@ -0,0 +1,328 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (lib) mkEnableOption mkIf types mkOption tf;
|
||||
cfg = config.bagel.hydra;
|
||||
in
|
||||
{
|
||||
options.bagel.hydra = {
|
||||
enable = mkEnableOption "the Hydra jobsets";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
terraform.required_providers.hydra = {
|
||||
version = "~> 0.1";
|
||||
source = "DeterminateSystems/hydra";
|
||||
};
|
||||
|
||||
resource.secret_resource.hydra_password.lifecycle.prevent_destroy = true;
|
||||
|
||||
provider.hydra = {
|
||||
host = "https://hydra.forkos.org";
|
||||
username = "terraform";
|
||||
password = tf.ref "resource.secret_resource.hydra_password.value";
|
||||
};
|
||||
|
||||
resource.hydra_project.forkos = {
|
||||
name = "forkos";
|
||||
display_name = "ForkOS";
|
||||
description = "ForkOS packages collection";
|
||||
homepage = "https://cl.forkos.org";
|
||||
owner = "terraform";
|
||||
enabled = true;
|
||||
visible = true;
|
||||
};
|
||||
|
||||
resource.hydra_jobset.k900-experiments = {
|
||||
project = config.resource.hydra_project.forkos.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "nixpkgs-experiments";
|
||||
type = "legacy";
|
||||
description = "experiments branch to test things for K900";
|
||||
|
||||
nix_expression = {
|
||||
file = "nixos/release.nix";
|
||||
input = "nixpkgs";
|
||||
};
|
||||
|
||||
check_interval = 0;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 3;
|
||||
|
||||
email_notifications = false;
|
||||
|
||||
input = [
|
||||
{
|
||||
name = "nixpkgs";
|
||||
type = "git";
|
||||
value = "https://github.com/nixos/nixpkgs 03ff49192b044786362c8c94d8501eac5c6eada4";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "officialRelease";
|
||||
type = "boolean";
|
||||
value = false;
|
||||
}
|
||||
{
|
||||
name = "supportedSystems";
|
||||
type = "nix";
|
||||
value = ''[ "x86_64-linux" ]'';
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
resource.hydra_jobset.raito-nixos-rolling-small = {
|
||||
project = config.resource.hydra_project.forkos.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "raito-nixos-rolling-small";
|
||||
type = "legacy";
|
||||
description = "master branch for raito-nixos";
|
||||
|
||||
nix_expression = {
|
||||
file = "pkgs/top-level/release.nix";
|
||||
input = "nixpkgs";
|
||||
};
|
||||
|
||||
check_interval = 0;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 3;
|
||||
|
||||
email_notifications = false;
|
||||
|
||||
input = [
|
||||
{
|
||||
name = "nixpkgs";
|
||||
type = "git";
|
||||
value = "https://cl.forkos.org/nixpkgs";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "officialRelease";
|
||||
type = "boolean";
|
||||
value = "false";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "supportedSystems";
|
||||
type = "nix";
|
||||
value = ''[ "x86_64-linux" ]'';
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
resource.hydra_jobset.delroth-nixpkgs-staging-small = {
|
||||
project = config.resource.hydra_project.forkos.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "delroth-nixpkgs-staging-small";
|
||||
type = "legacy";
|
||||
description = "small eval of nixpkgs staging for testing";
|
||||
|
||||
nix_expression = {
|
||||
file = "pkgs/top-level/release-small.nix";
|
||||
input = "nixpkgs";
|
||||
};
|
||||
|
||||
check_interval = 0;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 3;
|
||||
|
||||
email_notifications = false;
|
||||
|
||||
input = [
|
||||
{
|
||||
name = "nixpkgs";
|
||||
type = "git";
|
||||
value = "https://github.com/nixos/nixpkgs staging";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "officialRelease";
|
||||
type = "boolean";
|
||||
value = "false";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "supportedSystems";
|
||||
type = "nix";
|
||||
value = ''[ "x86_64-linux" ]'';
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
resource.hydra_project.infra = {
|
||||
name = "infra";
|
||||
display_name = "ForkOS Infra";
|
||||
description = "ForkOS infra repository";
|
||||
homepage = "https://git.lix.system/the-distro/infra";
|
||||
owner = "terraform";
|
||||
enabled = true;
|
||||
visible = true;
|
||||
};
|
||||
|
||||
resource.hydra_jobset.infra_main = {
|
||||
project = config.resource.hydra_project.infra.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "main";
|
||||
type = "flake";
|
||||
description = "main branch for the infra repo";
|
||||
|
||||
flake_uri = "git+https://git.lix.systems/the-distro/infra";
|
||||
|
||||
check_interval = 600;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 5;
|
||||
|
||||
email_notifications = false;
|
||||
};
|
||||
|
||||
resource.hydra_project.hydra = {
|
||||
name = "hydra";
|
||||
display_name = "ForkOS Hydra";
|
||||
description = "ForkOS hydra fork";
|
||||
homepage = "https://git.lix.system/lix-project/hydra";
|
||||
owner = "terraform";
|
||||
enabled = true;
|
||||
visible = true;
|
||||
};
|
||||
|
||||
resource.hydra_jobset.hydra_main = {
|
||||
project = config.resource.hydra_project.hydra.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "main";
|
||||
type = "flake";
|
||||
description = "main branch for the hydra repo";
|
||||
|
||||
flake_uri = "git+https://git.lix.systems/lix-project/hydra";
|
||||
|
||||
check_interval = 600;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 5;
|
||||
|
||||
email_notifications = false;
|
||||
};
|
||||
|
||||
resource.hydra_jobset.nixos-staging-next-small = {
|
||||
project = config.resource.hydra_project.forkos.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "nixos-staging-next-small";
|
||||
type = "legacy";
|
||||
description = "nixos jobset for the staging-next branch";
|
||||
|
||||
nix_expression = {
|
||||
file = "nixos/release-small.nix";
|
||||
input = "nixpkgs";
|
||||
};
|
||||
|
||||
check_interval = 0;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 3;
|
||||
|
||||
email_notifications = false;
|
||||
|
||||
input = [
|
||||
{
|
||||
name = "nixpkgs";
|
||||
type = "git";
|
||||
value = "https://cl.forkos.org/nixpkgs staging-next";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "officialRelease";
|
||||
type = "boolean";
|
||||
value = "false";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "supportedSystems";
|
||||
type = "nix";
|
||||
value = ''[ "x86_64-linux" ]'';
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
resource.hydra_jobset.nixpkgs-staging-next = {
|
||||
project = config.resource.hydra_project.forkos.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "nixpkgs-staging-next";
|
||||
type = "legacy";
|
||||
description = "nixpkgs jobset for the staging-next branch";
|
||||
|
||||
nix_expression = {
|
||||
file = "pkgs/top-level/release.nix";
|
||||
input = "nixpkgs";
|
||||
};
|
||||
|
||||
check_interval = 0;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 3;
|
||||
|
||||
email_notifications = false;
|
||||
|
||||
input = [
|
||||
{
|
||||
name = "nixpkgs";
|
||||
type = "git";
|
||||
value = "https://cl.forkos.org/nixpkgs staging-next";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "officialRelease";
|
||||
type = "boolean";
|
||||
value = "false";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "supportedSystems";
|
||||
type = "nix";
|
||||
value = ''[ "x86_64-linux" ]'';
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
resource.hydra_jobset.nixos-main = {
|
||||
project = config.resource.hydra_project.forkos.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "nixos-main";
|
||||
type = "legacy";
|
||||
description = "nixos jobset for the main branch";
|
||||
|
||||
nix_expression = {
|
||||
file = "nixos/release-combined.nix";
|
||||
input = "nixpkgs";
|
||||
};
|
||||
|
||||
check_interval = 0;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 3;
|
||||
|
||||
email_notifications = false;
|
||||
|
||||
input = [
|
||||
{
|
||||
name = "nixpkgs";
|
||||
type = "git";
|
||||
value = "https://cl.forkos.org/nixpkgs main";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "officialRelease";
|
||||
type = "boolean";
|
||||
value = "false";
|
||||
notify_committers = false;
|
||||
}
|
||||
{
|
||||
name = "supportedSystems";
|
||||
type = "nix";
|
||||
value = ''[ "x86_64-linux" ]'';
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
21
terraform/state.nix
Normal file
21
terraform/state.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{
|
||||
# We use terraform.backend.s3 directly instead of the type-checked Terranix
|
||||
# backend.s3 options. The latter does not support setting arbitrary s3
|
||||
# endpoints.
|
||||
#
|
||||
# Note: currently requires the user to provide AWS_ACCESS_KEY_ID as well as
|
||||
# AWS_SECRET_ACCESS_KEY in their environment variables.
|
||||
|
||||
terraform.backend.s3 = {
|
||||
endpoints.s3 = "s3.delroth.net";
|
||||
region = "garage";
|
||||
bucket = "bagel-terraform-state";
|
||||
key = "state";
|
||||
|
||||
# It's just a dump Garage server, don't try to be smart.
|
||||
skip_credentials_validation = true;
|
||||
skip_region_validation = true;
|
||||
skip_requesting_account_id = true;
|
||||
skip_metadata_api_check = true;
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue