danderson/infra
0
0
Fork 0
forked from the-distro/infra
Code Pull requests Activity

Compare commits

base: danderson:main
Branches Tags
danderson:main
danderson:channel-scripts
danderson:acls
danderson:hexchen/colmena-checker
danderson:hexy/credentials
danderson:buildbot
danderson:ckie/moarr-v4
danderson:gerrit-metrics
danderson:moar-builders
danderson:unplug-epyc
danderson:hydra-wire-up
danderson:matrix
danderson:alertmanager
danderson:fodwatch
danderson:cadvisor-containers
danderson:gerrit-http-clones
danderson:meta01
the-distro:main
the-distro:single-node-ceph
the-distro:storage-project
the-distro:block-crawlers
the-distro:fix-buildbot
the-distro:lukegb/rule-94
the-distro:cache-lix
the-distro:build02-lix
the-distro:lukegb/uptime-kuma-root
the-distro:hydra-metrics
the-distro:builder
the-distro:email-groups
the-distro:cache-ipv4
the-distro:format
the-distro:hexchen/colmena-checker
the-distro:hexy/credentials
the-distro:buildbot
the-distro:ckie/moarr-v4
the-distro:gerrit-metrics
the-distro:moar-builders
the-distro:unplug-epyc
the-distro:hydra-wire-up
the-distro:alertmanager
the-distro:fodwatch
the-distro:cadvisor-containers
the-distro:gerrit-http-clones
the-distro:meta01
..
compare: danderson:fodwatch
Branches Tags
danderson:main
danderson:channel-scripts
danderson:acls
danderson:hexchen/colmena-checker
danderson:hexy/credentials
danderson:buildbot
danderson:ckie/moarr-v4
danderson:gerrit-metrics
danderson:moar-builders
danderson:unplug-epyc
danderson:hydra-wire-up
danderson:matrix
danderson:alertmanager
danderson:fodwatch
danderson:cadvisor-containers
danderson:gerrit-http-clones
danderson:meta01
the-distro:main
the-distro:single-node-ceph
the-distro:storage-project
the-distro:block-crawlers
the-distro:fix-buildbot
the-distro:lukegb/rule-94
the-distro:cache-lix
the-distro:build02-lix
the-distro:lukegb/uptime-kuma-root
the-distro:hydra-metrics
the-distro:builder
the-distro:email-groups
the-distro:cache-ipv4
the-distro:format
the-distro:hexchen/colmena-checker
the-distro:hexy/credentials
the-distro:buildbot
the-distro:ckie/moarr-v4
the-distro:gerrit-metrics
the-distro:moar-builders
the-distro:unplug-epyc
the-distro:hydra-wire-up
the-distro:alertmanager
the-distro:fodwatch
the-distro:cadvisor-containers
the-distro:gerrit-http-clones
the-distro:meta01

2 commits
main ... fodwatch

Author SHA1 Message Date
Raito Bezarius
2b90c5f551 admins: provision jade 
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 2024-07-05 19:39:44 +02:00
Raito Bezarius
cfc83be763 systems: add fodwatch.forkos.org 
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 2024-07-05 19:27:33 +02:00
100 changed files with 9837 additions and 10722 deletions
Show stats Expand all files Collapse all files

7
.editorconfig
View file

@ -1,7 +0,0 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
charset = utf-8

6
.gitignore vendored
View file

@ -1,8 +1,4 @@
result
.gcroots
config.tf.json
.direnv
.terraform
.terraform.lock.hcl
secrets/*
!secrets/*.age
.direnv

19
common/admins.nix
View file

@ -3,14 +3,15 @@ let
in {
users.users.root.openssh.authorizedKeys.keys =
keys.users.delroth ++
keys.users.emilylange ++
keys.users.hexchen ++
keys.users.jade ++
keys.users.janik ++
keys.users.k900 ++
keys.users.lukegb ++
keys.users.maxine ++
keys.users.k900 ++
keys.users.raito ++
keys.users.thubrecht ++
keys.users.yuka;
keys.users.maxine ++
keys.users.jade ++
[
# more raito
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
];
}

36
common/base-server.nix
View file

@ -1,14 +1,9 @@
{ lib, pkgs, ... }: {
imports = [
./known-ssh-keys.nix
];
nixpkgs.overlays = import ../overlays;
nix.package = lib.mkDefault pkgs.lix;
services.openssh.enable = lib.mkForce true;
networking.nftables.enable = true;
networking.firewall.enable = true;
networking.firewall.logRefusedConnections = false;
networking.firewall.logReversePathDrops = true;
@ -18,41 +13,12 @@
recommendedTlsSettings = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
recommendedGzipSettings = lib.mkDefault true;
eventsConfig = ''
worker_connections 8192;
'';
appendConfig = ''
worker_rlimit_nofile 16384;
'';
};
nix.gc = {
automatic = true;
persistent = true;
dates = lib.mkDefault "daily";
dates = "daily";
options = "--delete-older-than 30d";
};
services.journald.extraConfig = "SystemMaxUse=512M";
boot.kernelParams = [
"panic=30" "boot.panic_on_fail"
];
boot.kernel.sysctl = {
# Set default TCP congestion control algorithm
"net.ipv4.tcp_congestion_control" = "bbr";
# Enable ECN
"net.ipv4.tcp_ecn" = 1;
# Enable TCP fast open
"net.ipv4.tcp_fastopen" = 3;
};
# reduce closure size, feel free to add your locale here
i18n.supportedLocales = [
"en_US.UTF-8/UTF-8"
"fr_FR.UTF-8/UTF-8"
];
}

7
common/default.nix
View file

@ -1,12 +1,9 @@
{
imports = [
./admins.nix
./base-server.nix
./hardening.nix
./nix.nix
./raito-proxy-aware-nginx.nix
./raito-vm.nix
./raito-proxy-aware-nginx.nix
./base-server.nix
./sysadmin
./zsh.nix
];
}

23
common/hardening.nix
View file

@ -1,23 +0,0 @@
{ config, lib, ... }:
{
nix.settings.allowed-users = [ "root" ];
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
"/proc".options = [ "hidepid=2" ];
};
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
services.openssh = {
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
authorizedKeysFiles = lib.mkForce [
"/etc/ssh/authorized_keys.d/%u"
];
};
users.mutableUsers = false;
}

6
common/known-ssh-keys.nix
View file

@ -1,6 +0,0 @@
{ ... }:
{
programs.ssh.knownHosts = {
"[cl.forkos.org]:29418".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM82mJ259C8Nc+BHHNBeRWXWhL3dfirQhmFbDAwHMle3";
};
}

21
common/nix.nix
View file

@ -1,21 +0,0 @@
{ lib, pkgs, ... }:
{
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# Provision a useful nixpkgs in NIX_PATH and flake registry on infra
# machines.
nixpkgs.flake = {
source = lib.cleanSource pkgs.path;
setNixPath = true;
setFlakeRegistry = true;
};
# Use our cache and trust its signing key. Still use cache.nixos.org as
# fallback.
nix.settings.substituters = [ "https://cache.forkos.org/" ];
nix.settings.trusted-public-keys = [
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
];
}

40
common/ssh-keys.nix
View file

@ -4,51 +4,17 @@
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A";
fodwatch = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRyTNfvKl5FcSyzGzw+h+bNFNOxdhvI67WdUZ2iIJ1L";
buildbot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgIu6ouagYqBeMLfmn1CbaDJMuZcPH9bnUhkht8GfuB";
git = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQJcpkCUOx8+5oukMX6lxrYcIX8FyHu8Mc/3+ieKMUn";
builder-0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHSNcDGctvlG6BHcJuYIzW9WsBJsts2vpwSketsbXoL";
builder-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQOGUjERK7Mx8UPM/rbOdMqVyn1sbWqYOG6CbOzH2wm";
builder-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKzXIqCoYElEKIYgjbSpqEcDeOvV+Wo3Agq3jba83cB";
builder-3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq0A5233XGt34T097KaEKBUqFvaa7a6nYZRsSO0166l";
builder-4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9dVo2xZhgIMDgB1rUj5ApmppL39BtYu/+OFHeduvXr";
builder-5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7vZTBxrVHmHpv7slQ8A8XwjjbfN+ZJA0V5C3k0wNBD";
builder-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOt1qR/2BRtc6PABuSBulowwJVO6wBNDyEFzh0qsTeOF";
builder-7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFinAAw1v8TJB8/wcmTVBbHHc4LCYh6z4TO6ViwUPkoh";
builder-8 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGSWHNeqT0kF/e4yVy2ieW98X5QMyCYIYZh9WTmQDs1";
builder-9 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhws9zGgocVY36dMtOL+CXadpvRMffxoWMkfEcTBJm7";
builder-10 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7sgIuTSqZiZhp8TvObSbIEhcHHsL5hcmYA22uzwxth";
builder-11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAqFo1qJY7MSUkfB+zxXB8Lpt/Iqz/RR5A+zwhpRWhr";
wob-vpn-gw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVytPPW8XnXf/rD5TFzsw//CZc2lBjQLmDzlVGPZsjh";
};
users = {
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
emilylange = [ "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIL7jgq3i+N3gVJhs4shm7Kmw6dIocs2OuR0GBMG1RxfKAAAABHNzaDo=" ];
hexchen = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF hexchen@backup"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/ hexchen@yubi5"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3 hexchen@yubi5c"
];
raito = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp" ];
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
jade = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKYljH8iPMrH00lOb3ETxRrZimdKzPPEdsJQ5D5ovtOwAAAACnNzaDpzc2hrZXk= ssh:sshkey"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO4idMfdJxDJuBNOid60d4I+qxj09RHt+YkCYV2eXt6tGrEXg+S8hTQusy/SqooiXUH9pt4tea2RuBPN9+UwrH0= type-a yubikey slot 9a"
];
janik = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ4yq7oHBO2iPs4xj797a//0ypnBr27sSadKUeL2NsK6AAAABHNzaDo="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOYg513QZsVzoyVycXZjg4F3T3+OwtcY3WAhrlfyLgLTAAAABHNzaDo="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLZxVITpJ8xbiCa/u2gjSSIupeiqOnRh+8tFIoVhCON"
];
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
lukegb = [ ''cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR'' ];
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
raito = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKath4/fDnlv/4fzxkPrQN1ttmoPRNu/m9bEtdPJBDfY cardno:16_933_242" ];
};
}

6
common/sysadmin/default.nix
View file

@ -20,10 +20,6 @@ in
bcc
tcpdump
ncdu
# Useful to invoke `coredumpctl gdb`
gdb
htop
btop
];
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;
};
}

16
common/zsh.nix
View file

@ -1,16 +0,0 @@
{ lib, pkgs, config, ... }: {
users.defaultUserShell = pkgs.zsh;
programs.zsh = {
enable = true;
enableCompletion = true;
autosuggestions.enable = true;
interactiveShellInit = ''
${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin
'';
promptInit = ''
# https://grml.org/zsh/grml-zsh-refcard.pdf
source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
PS1='%n@${config.networking.fqdn} %/ \$ '
'';
};
}

224
flake.lock
View file

@ -10,11 +10,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1720546205,
"narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
"lastModified": 1718371084,
"narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
"rev": "3a56735779db467538fb2e577eda28a9daacaca6",
"type": "github"
},
"original": {
@ -55,29 +55,6 @@
"type": "github"
}
},
"buildbot-nix": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1722939563,
"narHash": "sha256-lMe8aXgF550iQLRaoU+yn8yYQ4x2qiyqANgsFyjfWwA=",
"ref": "refs/heads/non-flakes",
"rev": "4a162a8aa5dad6cecdb33bd8534e67e0bdaeb13f",
"revCount": 295,
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
},
"original": {
"ref": "refs/heads/non-flakes",
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
@ -155,49 +132,6 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"buildbot-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1706830856,
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
@ -251,27 +185,26 @@
},
"hydra": {
"inputs": {
"lix": "lix",
"nix-eval-jobs": "nix-eval-jobs",
"nix": "nix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1722688238,
"narHash": "sha256-x6BnYtArF6IDs7bS8ExokgAQBOlrxXxD0EOBIlASmfM=",
"lastModified": 1719258100,
"narHash": "sha256-Eu8ausj0RsXV5MraCPezwX+j51iZD0ukif110Yj2+6k=",
"ref": "refs/heads/main",
"rev": "9b5ac87de73ea4646dbb2af979db91f096d29960",
"revCount": 4191,
"rev": "a9a2679793a17325c966dec4cbb27d44b0531694",
"revCount": 4172,
"type": "git",
"url": "https://git.lix.systems/the-distro/hydra.git"
"url": "https://git.lix.systems/lix-project/hydra.git"
},
"original": {
"type": "git",
"url": "https://git.lix.systems/the-distro/hydra.git"
"url": "https://git.lix.systems/lix-project/hydra.git"
}
},
"lix": {
"nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"nix2container": "nix2container",
@ -283,87 +216,17 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1721091462,
"narHash": "sha256-0cmEeoOiB91BviTJHzIyxkY+Gxv3O8ZnnExVAoXEFGI=",
"lastModified": 1719211568,
"narHash": "sha256-oIgmvhe3CV/36LC0KXgqWnKXma39wabks8U9JBMDfO4=",
"ref": "refs/heads/main",
"rev": "6b4d46e9e0e1dd80e0977684ab20d14bcd1a6bc3",
"revCount": 15967,
"rev": "4c3d93611f2848c56ebc69c85f2b1e18001ed3c7",
"revCount": 15877,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
"url": "https://git@git.lix.systems/lix-project/lix"
},
"original": {
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
}
},
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts_2",
"lix": [
"hydra",
"lix"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"hydra",
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1721195872,
"narHash": "sha256-TlvRq634MSl22BWLmpTy2vdtKntbZlsUwdMq8Mp9AWs=",
"ref": "refs/heads/main",
"rev": "c057494450f2d1420726ddb0bab145a5ff4ddfdd",
"revCount": 608,
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
},
"original": {
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
}
},
"nix-gerrit": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1720891381,
"narHash": "sha256-bdZRPgnkROSejmwMOrlcqHMWmuPIVIzjk6r5FbS+fqU=",
"ref": "refs/heads/main",
"rev": "23dd318e6741ff686d3069c53ecf475eac8a0565",
"revCount": 5,
"type": "git",
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
},
"original": {
"type": "git",
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1720066371,
"narHash": "sha256-uPlLYH2S0ACj0IcgaK9Lsf4spmJoGejR9DotXiXSBZQ=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "622f829f5fe69310a866c8a6cd07e747c44ef820",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
"url": "https://git@git.lix.systems/lix-project/lix"
}
},
"nix2container": {
@ -384,11 +247,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1721116560,
"narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
"lastModified": 1719082008,
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
"rev": "9693852a2070b398ee123a329e68f0dab5526681",
"type": "github"
},
"original": {
@ -448,14 +311,12 @@
"root": {
"inputs": {
"agenix": "agenix",
"buildbot-nix": "buildbot-nix",
"colmena": "colmena",
"hydra": "hydra",
"lix": [
"hydra",
"lix"
"nix"
],
"nix-gerrit": "nix-gerrit",
"nixpkgs": "nixpkgs",
"terranix": "terranix"
}
@ -527,49 +388,6 @@
"repo": "terranix-examples",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"buildbot-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1708897213,
"narHash": "sha256-QECZB+Hgz/2F/8lWvHNk05N6NU/rD9bWzuNn6Cv8oUk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "e497a9ddecff769c2a7cbab51e1ed7a8501e7a3a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1721059077,
"narHash": "sha256-gCICMMX7VMSKKt99giDDtRLkHJ0cwSgBtDijJAqTlto=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "0fb28f237f83295b4dd05e342f333b447c097398",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

184
flake.nix
View file

@ -11,110 +11,114 @@
colmena.url = "github:zhaofengli/colmena";
colmena.inputs.nixpkgs.follows = "nixpkgs";
hydra.url = "git+https://git.lix.systems/the-distro/hydra.git";
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
hydra.inputs.nixpkgs.follows = "nixpkgs";
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/non-flakes";
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
lix.follows = "hydra/lix";
lix.follows = "hydra/nix";
};
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
outputs = { self, nixpkgs, terranix, ... } @ inputs:
let
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
forEachSystem = f: builtins.listToAttrs (map (system: {
name = system;
value = f system;
}) supportedSystems);
systemBits = forEachSystem (system: rec {
system = "x86_64-linux";
pkgs = import nixpkgs {
localSystem = system;
overlays = [
inputs.hydra.overlays.default
inputs.lix.overlays.default
];
};
lib = pkgs.lib;
terraform = pkgs.opentofu;
terraformCfg = terranix.lib.terranixConfiguration {
inherit system;
pkgs = import nixpkgs {
modules = [ ];
};
in
{
apps.${system} = {
apply = {
type = "app";
program = toString (pkgs.writers.writeBash "apply" ''
set -eo pipefail
rm -f config.tf.json
cp ${terraformCfg} config.tf.json
${lib.getExe terraform} init
${lib.getExe terraform} apply
'');
};
# nix run ".#destroy"
destroy = {
type = "app";
program = toString (pkgs.writers.writeBash "destroy" ''
set -eo pipefail
ln -snf ${terraformCfg} config.tf.json
${lib.getExe terraform} init
${lib.getExe terraform} destroy
'');
};
};
apps.${system}.default = self.apps.${system}.apply;
devShells.${system}.default = pkgs.mkShell {
packages = [
inputs.agenix.packages.${system}.agenix
inputs.colmena.packages.${system}.colmena
];
};
colmena = {
meta.nixpkgs = import nixpkgs {
localSystem = system;
overlays = [
inputs.hydra.overlays.default
inputs.lix.overlays.default
inputs.nix-gerrit.overlays.default
];
};
terraform = pkgs.opentofu;
terraformCfg = terranix.lib.terranixConfiguration {
inherit system;
modules = [
./terraform
{
bagel.gandi.enable = true;
bagel.hydra.enable = true;
}
];
};
});
forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));
inherit (nixpkgs) lib;
in
{
apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
tf = {
type = "app";
program = toString (pkgs.writers.writeBash "tf" ''
set -eo pipefail
ln -snf ${terraformCfg} config.tf.json
exec ${lib.getExe terraform} "$@"
'');
};
default = self.apps.${system}.tf;
});
devShells = forEachSystem' ({ system, pkgs, ... }: {
default = pkgs.mkShell {
packages = [
inputs.agenix.packages.${system}.agenix
pkgs.opentofu
(pkgs.callPackage ./lib/colmena-wrapper.nix { })
];
};
});
nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
colmena = let
commonModules = [
inputs.agenix.nixosModules.default
inputs.hydra.nixosModules.hydra
inputs.buildbot-nix.nixosModules.buildbot-coordinator
inputs.buildbot-nix.nixosModules.buildbot-worker
./services
./common
];
makeBuilder = i: lib.nameValuePair "builder-${toString i}" {
imports = commonModules;
bagel.baremetal.builders = { enable = true; num = i; netboot = i >= 6; };
};
builders = lib.listToAttrs (lib.genList makeBuilder 12);
in {
meta.nixpkgs = systemBits.x86_64-linux.pkgs;
meta.specialArgs.inputs = inputs;
bagel-box.imports = commonModules ++ [ ./hosts/bagel-box ];
meta01.imports = commonModules ++ [ ./hosts/meta01 ];
gerrit01.imports = commonModules ++ [ ./hosts/gerrit01 ];
fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ];
git.imports = commonModules ++ [ ./hosts/git ];
wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
buildbot.imports = commonModules ++ [ ./hosts/buildbot ];
public01.imports = commonModules ++ [ ./hosts/public01 ];
} // builders;
bagel-box = {
imports = [
inputs.agenix.nixosModules.default
inputs.hydra.nixosModules.hydra
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
./services
./common
./hosts/bagel-box
];
};
meta01 = {
imports = [
inputs.agenix.nixosModules.default
inputs.hydra.nixosModules.hydra
./services
./common
./hosts/meta01.nixpkgs.lahfa.xyz
];
};
gerrit01 = {
imports = [
inputs.agenix.nixosModules.default
inputs.hydra.nixosModules.hydra
./services
./common
./hosts/cl.forkos.org
];
};
fodwatch = {
imports = [
inputs.agenix.nixosModules.default
inputs.hydra.nixosModules.hydra
./services
./common
./hosts/fodwatch.forkos.org
];
};
};
};
}

13
hosts/bagel-box/default.nix
View file

@ -20,7 +20,6 @@
useHostResolvConf = false;
hostName = "bagel-box";
domain = "infra.forkos.org";
nameservers = [ "2001:4860:4860::8844" ];
interfaces.host0.ipv6.addresses = [
@ -40,19 +39,13 @@
hydra.enable = true;
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
# Takes 10 builders (0 → 9).
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
ofborg.enable = true;
};
bagel.sysadmin.enable = true;
bagel.meta.monitoring.address = "bagel-box.delroth.net";
security.acme.acceptTerms = true;
security.acme.defaults.email = "infra@forkos.org";
security.acme.defaults.email = "bagel@delroth.net";
services.openssh.enable = true;
system.stateVersion = "24.11";
deployment.targetHost = "bagel-box.infra.forkos.org";
deployment.targetHost = "bagel-box.delroth.net";
}

38
hosts/buildbot/default.nix
View file

@ -1,38 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
networking.hostName = "buildbot";
# TODO: make it the default
networking.domain = "infra.forkos.org";
time.timeZone = "Europe/Paris";
bagel.sysadmin.enable = true;
# Buildbot is proxied.
bagel.raito.v6-proxy-awareness.enable = true;
bagel.hardware.raito-vm = {
enable = true;
networking = {
nat-lan-mac = "BC:24:11:E7:42:8B";
wan = {
address = "2001:bc8:38ee:100:1000::50/64";
mac = "BC:24:11:C9:BA:6C";
};
};
};
bagel.services.buildbot = {
enable = true;
domain = "buildbot.forkos.org";
builders = [ "builder-11" ];
};
i18n.defaultLocale = "en_US.UTF-8";
system.stateVersion = "24.05";
deployment.targetHost = "buildbot.infra.forkos.org";
}

46
hosts/cl.forkos.org/default.nix Executable file
View file

@ -0,0 +1,46 @@
{
config,
lib,
pkgs,
...
}:
{
networking.hostName = "gerrit01";
# TODO: make it the default
networking.domain = "infra.forkos.org";
time.timeZone = "Europe/Paris";
bagel.sysadmin.enable = true;
# Gerrit is proxied.
bagel.raito.v6-proxy-awareness.enable = true;
bagel.hardware.raito-vm = {
enable = true;
networking = {
nat-lan-mac = "bc:24:11:f7:29:6c";
wan = {
address = "2001:bc8:38ee:100:1000::10/64";
mac = "bc:24:11:4a:9d:32";
};
};
};
bagel.meta.monitoring.address = "gerrit01.infra.forkos.org";
fileSystems."/gerrit-data" = {
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
fsType = "ext4";
};
bagel.services.gerrit = {
enable = true;
domains = [
"cl.forkos.org"
];
data = "/gerrit-data";
};
i18n.defaultLocale = "fr_FR.UTF-8";
system.stateVersion = "24.05";
deployment.targetHost = "gerrit01.infra.forkos.org";
}

2
hosts/fodwatch/default.nix → hosts/fodwatch.forkos.org/default.nix
View file

@ -24,6 +24,8 @@
};
};
bagel.meta.monitoring.address = "fodwatch.infra.forkos.org";
i18n.defaultLocale = "en_US.UTF-8";
system.stateVersion = "24.05";

117
hosts/gerrit01/default.nix
View file

@ -1,117 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
networking.hostName = "gerrit01";
# TODO: make it the default
networking.domain = "infra.forkos.org";
time.timeZone = "Europe/Paris";
bagel.sysadmin.enable = true;
# Gerrit is proxied.
bagel.raito.v6-proxy-awareness.enable = true;
bagel.hardware.raito-vm = {
enable = true;
networking = {
nat-lan-mac = "bc:24:11:f7:29:6c";
wan = {
address = "2001:bc8:38ee:100:1000::10/64";
mac = "bc:24:11:4a:9d:32";
};
};
};
fileSystems."/gerrit-data" = {
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
fsType = "ext4";
};
bagel.services.gerrit = {
enable = true;
domains = [
"cl.forkos.org"
];
canonicalDomain = "cl.forkos.org";
data = "/gerrit-data";
};
age.secrets.ows-deploy-key = {
file = ../../secrets/ows-deploy-key.age;
mode = "0600";
owner = "git";
group = "git";
};
bagel.nixpkgs.one-way-sync =
let
mkNixpkgsJob = { timer, branchName, localRefspec ? null }: {
name = "nixpkgs-${branchName}";
fromUri = "https://github.com/NixOS/nixpkgs";
fromRefspec = branchName;
localRefspec = if localRefspec != null then localRefspec else branchName;
inherit timer;
};
in
{
enable = true;
pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
deployKeyPath = config.age.secrets.ows-deploy-key.path;
branches."refs/heads/main" = mkNixpkgsJob {
timer = "hourly";
branchName = "master";
localRefspec = "main";
};
branches."refs/heads/staging" = mkNixpkgsJob {
timer = "hourly";
branchName = "staging";
};
branches."refs/heads/release-24.05" = mkNixpkgsJob {
timer = "hourly";
branchName = "release-24.05";
};
branches."refs/heads/staging-24.05" = mkNixpkgsJob {
timer = "hourly";
branchName = "staging-24.05";
};
branches."refs/heads/release-23.11" = mkNixpkgsJob {
timer = "hourly";
branchName = "release-23.11";
};
branches."refs/heads/staging-23.11" = mkNixpkgsJob {
timer = "hourly";
branchName = "staging-23.11";
};
# Testing jobs for personal sandbox branches
branches."refs/heads/sandbox/raito/raito-unstable-small" = {
name = "raito-unstable-sync";
fromUri = "https://github.com/NixOS/nixpkgs";
fromRefspec = "nixos-unstable-small";
localRefspec = "sandbox/raito/raito-unstable-small";
timer = "*-*-* 12:00:00";
};
branches."refs/heads/sandbox/raito/raito-nixos-24.05" = {
name = "raito-release-sync";
fromUri = "https://github.com/NixOS/nixpkgs";
fromRefspec = "nixos-24.05";
localRefspec = "sandbox/raito/raito-nixos-24.05";
timer = "daily";
};
};
i18n.defaultLocale = "fr_FR.UTF-8";
system.stateVersion = "24.05";
deployment.targetHost = "gerrit01.infra.forkos.org";
}

49
hosts/git/default.nix
View file

@ -1,49 +0,0 @@
let
ipv6 = {
openssh ="2001:bc8:38ee:100:1000::41";
forgejo = "2001:bc8:38ee:100:1000::40";
};
in
{
networking.hostName = "git";
networking.domain = "infra.forkos.org";
time.timeZone = "Europe/Paris";
bagel.sysadmin.enable = true;
# Forgejo will be proxied.
bagel.raito.v6-proxy-awareness.enable = true;
bagel.hardware.raito-vm = {
enable = true;
networking = {
nat-lan-mac = "BC:24:11:83:71:56";
wan = {
address = "${ipv6.forgejo}/64";
mac = "BC:24:11:0B:8A:81";
};
};
};
# Add one additional IPv6, so we can have both OpenSSH and
# Forgejo's built-in server bind on port :22.
systemd.network.networks."10-wan".networkConfig.Address = [ "${ipv6.openssh}/64" ];
services.openssh.listenAddresses = [{
addr = "[${ipv6.openssh}]";
}];
# Defaults to network.target, but networkd may take a while to settle and set up
# the required (additional) IPv6 address, leading to sshd to not being able to
# bind to the requested IP, crashing 5 times and running into the default
# restart counter limit (5).
systemd.services.sshd.wants = [ "network-online.target" ];
systemd.services.sshd.after = [ "network-online.target" ];
bagel.services.forgejo = {
enable = true;
sshBindAddr = ipv6.forgejo;
};
i18n.defaultLocale = "en_US.UTF-8";
system.stateVersion = "24.05";
deployment.targetHost = "git.infra.forkos.org";
}

1
hosts/meta01/default.nix → hosts/meta01.nixpkgs.lahfa.xyz/default.nix
View file

@ -21,6 +21,7 @@
enable = true;
domain = "netbox.forkos.org";
};
bagel.meta.monitoring.address = "meta01.infra.forkos.org";
bagel.services.prometheus.enable = true;
bagel.services.loki.enable = true;
bagel.services.grafana.enable = true;

32
hosts/public01/default.nix
View file

@ -1,32 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
networking.hostName = "public01";
# TODO: make it the default
networking.domain = "infra.forkos.org";
time.timeZone = "Europe/Paris";
bagel.sysadmin.enable = true;
# Buildbot is proxied.
bagel.raito.v6-proxy-awareness.enable = true;
bagel.hardware.raito-vm = {
enable = true;
networking = {
nat-lan-mac = "BC:24:11:A4:F7:D3";
wan = {
address = "2001:bc8:38ee:100:1000::60/64";
mac = "BC:24:11:DB:B8:10";
};
};
};
i18n.defaultLocale = "en_US.UTF-8";
system.stateVersion = "24.05";
deployment.targetHost = "public01.infra.forkos.org";
}

126
hosts/wob-vpn-gw/default.nix
View file

@ -1,126 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./netboot.nix
];
###### Hardware ######
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
boot.kernelModules = [ "kvm-amd" ];
boot.loader.grub.device = "/dev/sda";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/58688a5c-e3ce-4868-804b-4e34d1370f36";
fsType = "f2fs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/38caa628-3b6d-4fb4-8767-beee09a196a6";
fsType = "ext2";
};
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.amd.updateMicrocode = true;
# Enable serial output
boot.loader.grub.extraConfig = ''
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
'';
boot.kernelParams = [
"console=ttyS0,115200"
"console=tty1"
];
###### Config #######
boot.initrd.systemd.enable = true;
networking.useNetworkd = true;
systemd.network = {
netdevs = {
"40-uplink" = {
netdevConfig = {
Kind = "bond";
Name = "uplink";
};
bondConfig = {
Mode = "802.3ad";
TransmitHashPolicy = "layer3+4";
};
};
"40-oob" = {
netdevConfig = {
Kind = "bond";
Name = "oob";
};
bondConfig = {
Mode = "802.3ad";
TransmitHashPolicy = "layer3+4";
};
};
};
networks = {
"40-enp1s0" = {
name = "enp1s0";
bond = [ "uplink" ];
};
"40-enp2s0" = {
name = "enp2s0";
bond = [ "uplink" ];
};
"40-enp3s0" = {
name = "enp3s0";
bond = [ "oob" ];
};
"40-enp4s0" = {
name = "enp4s0";
bond = [ "oob" ];
};
} // lib.listToAttrs (map (x: lib.nameValuePair "40-bmc${toString x}" {
name = "bmc${toString x}";
address = [ "192.168.1.${toString (x*4 + 1)}/30" ];
#address = [ "192.168.${toString x}.1/24" ];
networkConfig.DHCPServer = true;
}) (lib.genList lib.id 12));
};
networking.nftables.enable = true;
networking.firewall.extraInputRules = ''
iifname { "bmc*" } meta nfproto ipv4 udp dport 67 accept comment "DHCP server"
'';
networking.vlans = lib.listToAttrs (map (x: lib.nameValuePair "bmc${toString x}" {
interface = "oob";
id = 101 + x;
}) (lib.genList lib.id 12));
networking.interfaces = {
uplink = {
ipv6.addresses = [
{
address = "2a01:584:11::2";
prefixLength = 64;
}
];
};
};
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
networking.hostName = "vpn-gw";
networking.domain = "wob01.infra.forkos.org";
deployment.targetHost = "2a01:584:11::2";
bagel.sysadmin.enable = true;
environment.systemPackages = [ pkgs.ipmitool ];
system.stateVersion = "24.05";
}

63
hosts/wob-vpn-gw/netboot.nix
View file

@ -1,63 +0,0 @@
{ config, lib, pkgs, nodes, modulesPath, ... }:
# The way the connection is established is specific to the wob01 site and the Intel S2600KPR blades.
# Proper netboot is not possible, because while the blades and the APU board (which is the netboot
# server here) are in the same L2 network, the uplink connection of each blade is an LACP LAG,
# meaning that the switch on the other side will only enable the port if it sees valid LACP packets.
# We work around this by presenting a virtual floppy drive using the "IUSB" protocol of the BMC.
# This virtual floppy drive contains an per-blade customized initramfs which will initialize the
# network connection including IP configuration and load the actual image off hydra.
let
netboot-server-ip = "2a01:584:11::2";
netbootNodes = lib.filterAttrs (_: node: node.config.bagel.baremetal.builders.enable && node.config.bagel.baremetal.builders.netboot) nodes;
in {
assertions = [
{
assertion = !(lib.elem 443 config.networking.firewall.allowedTCPPorts);
message = ''
Port 443 is in networking.firewalls.allowedTCPPorts, but should be only manually
allowed for specific IPs and source ports in ${builtins.toJSON __curPos}
'';
}
];
systemd.services = lib.mapAttrs' (nodename: node: let
bmcIp = "192.168.1.${toString (node.config.bagel.baremetal.builders.num * 4 + 2)}";
notipxe = node.config.system.build.notipxe.config.system.build.usbImage;
in lib.nameValuePair "iusb-spoof-${nodename}" {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
};
script = ''
AUTH_TOKEN=$(${pkgs.iusb-spoof}/bin/make-token ${bmcIp})
exec ${pkgs.iusb-spoof}/bin/iusb-spoof -r ${bmcIp} 5123 $AUTH_TOKEN ${notipxe}
'';
}) netbootNodes;
# Since the builders are stateless, they can not store their ssh hostkeys
networking.firewall.allowedTCPPorts = [ 80 ]; # for ACME
networking.firewall.extraInputRules = ''
ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
'';
security.acme.acceptTerms = true;
security.acme.defaults.email = "infra@forkos.org";
services.nginx = {
enable = true;
virtualHosts."vpn-gw.wob01.infra.forkos.org" = {
enableACME = true;
forceSSL = true;
locations = lib.mapAttrs' (nodename: node: let
ip = "2a01:584:11::1:${toString node.config.bagel.baremetal.builders.num}";
in lib.nameValuePair "/${nodename}/" {
root = "/var/www";
extraConfig = ''
allow ${ip};
deny all;
'';
}) netbootNodes;
};
};
}

14
lib/colmena-wrapper.nix
View file

@ -1,14 +0,0 @@
# A wrapper for colmena that prevents accidentally deploying changes without
# having pulled.
{ colmena, runCommandNoCC }:
runCommandNoCC "colmena-wrapper"
{
env.colmena = "${colmena}/bin/colmena";
} ''
mkdir -p $out
ln -s ${colmena}/share $out/share
mkdir $out/bin
substituteAll ${./colmena-wrapper.sh.in} $out/bin/colmena
chmod +x $out/bin/colmena
''

29
lib/colmena-wrapper.sh.in
View file

@ -1,29 +0,0 @@
#!/usr/bin/env bash
doChecks() {
# creates refs in the refs/prefetch/remotes/origin namespace
echo "Prefetching repo changes..." >&2
git fetch --quiet --prefetch --no-write-fetch-head origin
diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
only_in_local=$(echo "$diffs" | cut -f1)
only_in_main=$(echo "$diffs" | cut -f2)
if [[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]; then
echo >&2
echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
echo "This will probably revert someone's changes. Consider merging them." >&2
echo "If you really mean it, set the environment variable FOOTGUN_ME_UWU" >&2
exit 1
fi
if [[ $only_in_local -gt 0 ]]; then
echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
fi
}
if [[ $1 == 'apply' ]]; then
doChecks
fi
exec @colmena@ "$@"

5
overlays/default.nix
View file

@ -1,6 +1,3 @@
[
(final: prev: {
iusb-spoof = final.callPackage ./iusb-spoof.nix {};
u-root = final.callPackage ./u-root {};
})
(import ./gerrit.nix)
]

11
overlays/gerrit.nix Normal file
View file

@ -0,0 +1,11 @@
self: super: {
buildGerrit = self.callPackage ../pkgs/gerrit { };
gerrit = self.buildGerrit { };
buildGerritBazelPlugin = self.callPackage ../pkgs/gerrit_plugins/builder.nix {
inherit (self) buildGerrit;
};
gerritPlugins = {
code-owners = self.callPackage ../pkgs/gerrit_plugins/code-owners { };
oauth = self.callPackage ../pkgs/gerrit_plugins/oauth { };
};
}

23
overlays/iusb-spoof.nix
View file

@ -1,23 +0,0 @@
{ rustPlatform, python3, makeWrapper }:
let
pythonEnv = python3.withPackages (p: with p; [ requests ]);
in
rustPlatform.buildRustPackage rec {
pname = "iusb-spoof";
version = "0.1.0";
src = builtins.fetchGit {
url = "https://git.lix.systems/the-distro/iusb-spoof/";
rev = "fafd47986239cc2f4dfbbae74b17555608806581";
};
cargoLock.lockFile = src + "/Cargo.lock";
nativeBuildInputs = [ makeWrapper ];
postInstall = ''
install -Dm644 $src/make-token.py $out/opt/make-token.py
makeWrapper ${pythonEnv.interpreter} $out/bin/make-token --add-flags "$out/opt/make-token.py"
'';
}

20
overlays/u-root/default.nix
View file

@ -1,20 +0,0 @@
{ buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "u-root";
version = "0.14.0";
src = fetchFromGitHub {
owner = "u-root";
repo = "u-root";
rev = "v${version}";
hash = "sha256-8zA3pHf45MdUcq/MA/mf0KCTxB1viHieU/oigYwIPgo=";
};
patches = [
./u-root-allow-https.patch
];
vendorHash = null;
doCheck = false;
}

12
overlays/u-root/u-root-allow-https.patch
View file

@ -1,12 +0,0 @@
diff --git a/pkg/curl/schemes.go b/pkg/curl/schemes.go
index 8bac3bc0..cd396cbc 100644
--- a/pkg/curl/schemes.go
+++ b/pkg/curl/schemes.go
@@ -81,6 +81,7 @@ var (
DefaultSchemes = Schemes{
"tftp": DefaultTFTPClient,
"http": DefaultHTTPClient,
+ "https": DefaultHTTPClient,
"file": &LocalFileClient{},
}
)

59
pkgs/forgejo/branch-view_remove-expensive-commit-divergence-metric.patch
View file

@ -1,59 +0,0 @@
diff --git a/services/repository/branch.go b/services/repository/branch.go
index e1a313749f..5a8d823eef 100644
--- a/services/repository/branch.go
+++ b/services/repository/branch.go
@@ -26,7 +26,6 @@ import (
"code.gitea.io/gitea/modules/timeutil"
webhook_module "code.gitea.io/gitea/modules/webhook"
notify_service "code.gitea.io/gitea/services/notify"
- files_service "code.gitea.io/gitea/services/repository/files"
"xorm.io/builder"
)
@@ -129,21 +128,7 @@ func loadOneBranch(ctx context.Context, repo *repo_model.Repository, dbBranch *g
p := protectedBranches.GetFirstMatched(branchName)
isProtected := p != nil
- var divergence *git.DivergeObject
-
- // it's not default branch
- if repo.DefaultBranch != dbBranch.Name && !dbBranch.IsDeleted {
- var err error
- divergence, err = files_service.CountDivergingCommits(ctx, repo, git.BranchPrefix+branchName)
- if err != nil {
- return nil, fmt.Errorf("CountDivergingCommits: %v", err)
- }
- }
-
- if divergence == nil {
- // tolerate the error that we cannot get divergence
- divergence = &git.DivergeObject{Ahead: -1, Behind: -1}
- }
+ divergence := &git.DivergeObject{Ahead: -1, Behind: -1}
pr, err := issues_model.GetLatestPullRequestByHeadInfo(ctx, repo.ID, branchName)
if err != nil {
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index a577fed450..e102796315 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -102,19 +102,6 @@
{{end}}
</td>
<td class="two wide ui">
- {{if and (not .DBBranch.IsDeleted) $.DefaultBranchBranch}}
- <div class="commit-divergence">
- <div class="bar-group">
- <div class="count count-behind">{{.CommitsBehind}}</div>
- {{/* old code bears 0/0.0 = NaN output, so it might output invalid "width: NaNpx", it just works and doesn't caues any problem. */}}
- <div class="bar bar-behind" style="width: {{Eval 100 "*" .CommitsBehind "/" "(" .CommitsBehind "+" .CommitsAhead "+" 0.0 ")"}}%"></div>
- </div>
- <div class="bar-group">
- <div class="count count-ahead">{{.CommitsAhead}}</div>
- <div class="bar bar-ahead" style="width: {{Eval 100 "*" .CommitsAhead "/" "(" .CommitsBehind "+" .CommitsAhead "+" 0.0 ")"}}%"></div>
- </div>
- </div>
- {{end}}
</td>
<td class="two wide right aligned">
{{if not .LatestPullRequest}}

32
pkgs/forgejo/commit-view_fix-broken-and-expensive-cherry-pick-default-branch-selection.patch
View file

@ -1,32 +0,0 @@
diff --git a/routers/web/repo/commit.go b/routers/web/repo/commit.go
index 718454e063..8fa299710c 100644
--- a/routers/web/repo/commit.go
+++ b/routers/web/repo/commit.go
@@ -408,12 +408,6 @@ func Diff(ctx *context.Context) {
}
}
- ctx.Data["BranchName"], err = commit.GetBranchName()
- if err != nil {
- ctx.ServerError("commit.GetBranchName", err)
- return
- }
-
ctx.HTML(http.StatusOK, tplCommitPage)
}
diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl
index c37fb46975..18c9cf18f8 100644
--- a/templates/repo/commit_page.tmpl
+++ b/templates/repo/commit_page.tmpl
@@ -71,8 +71,8 @@
"branchForm" "branch-dropdown-form"
"branchURLPrefix" (printf "%s/_cherrypick/%s/" $.RepoLink .CommitID) "branchURLSuffix" ""
"setAction" true "submitForm" true}}
- <form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{if $.BranchName}}{{PathEscapeSegments $.BranchName}}{{else}}{{PathEscapeSegments $.Repository.DefaultBranch}}{{end}}" id="branch-dropdown-form">
- <input type="hidden" name="ref" value="{{if $.BranchName}}{{$.BranchName}}{{else}}{{$.Repository.DefaultBranch}}{{end}}">
+ <form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{PathEscapeSegments $.Repository.DefaultBranch}}" id="branch-dropdown-form">
+ <input type="hidden" name="ref" value="{{$.Repository.DefaultBranch}}">
<input type="hidden" name="refType" value="branch">
<input type="hidden" id="cherry-pick-type" name="cherry-pick-type"><br>
<button type="submit" id="cherry-pick-submit" class="ui primary button"></button>

40
pkgs/forgejo/default.nix
View file

@ -1,40 +0,0 @@
{ forgejo }:
forgejo.overrideAttrs (prev: {
patches = [
# Branch divergence calculations for a single branch may take 100-200ms on something as big
# as nixpkgs. The branch view defaults to 20 branches for each page, taking roughtly 3s to
# calculate each branch sequentially and render, while consuming a single core at 100%.
# The idea is to look into making this less expensive or async.
# But for now, to get this going, we will simply drop that metric.
./branch-view_remove-expensive-commit-divergence-metric.patch
# This is literally broken and eats resources for nothing of value.
# We should upstream this.
# The tl;dr is: It calculates the nearest branch for the requested commit at
# /:owner/:repo/commit/:commit to use it as the default cherry-pick target branch
# selection in a drop-down only users with commit perms can actually view and use.
# It's expensive to calculate and happens on every request to /commit/:commit.
# To add insult to injury, it's hardly of any use: The nearest branch of a commit
# will almost always be a branch that already carries the commit. The branch you
# most likely don't want to cherry-pick to.
./commit-view_fix-broken-and-expensive-cherry-pick-default-branch-selection.patch
# Disable various /:owner/:repo/activity/ sub-views. They are expensive, which is
# totally fine and expected. There is even proper caching in place.
# However, on a scale of nixpkgs, those calculations take ages, while, of course,
# pinning a single CPU core at 100%.
# For now, we will simply disable this feature.
# Due to the 501 status code it returns, the frontend prints a "Not implemented"
# error, saving us from patching the frontend while still providing a helpful
# user-facing error text.
# It should be noted that this particular status code has the downside of being
# in the 5xx range, meaning it will show up as such in our prometheus metrics.
./disable-expensive-repository-activity-stats.patch
# Migrations and pull-mirrors are something easily abused to bring a public instance to a complete halt.
# Both features can be disabled via repository.DISABLE_MIGRATIONS and mirror.ENABLE, but we want to keep
# this functionality for admins.
./limit-migrations-and-pull-mirrors-to-admins.patch
];
})

34
pkgs/forgejo/disable-expensive-repository-activity-stats.patch
View file

@ -1,34 +0,0 @@
diff --git a/routers/web/web.go b/routers/web/web.go
index ee9694f41c..f55b8d6f62 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -57,6 +57,10 @@ import (
"github.com/prometheus/client_golang/prometheus"
)
+func endpointNotImplemented(ctx *context.Context) {
+ ctx.JSON(http.StatusNotImplemented, "This endpoint has been removed due to performance issues with it and as such is not longer implemented.")
+}
+
// optionsCorsHandler return a http handler which sets CORS options if enabled by config, it blocks non-CORS OPTIONS requests.
func optionsCorsHandler() func(next http.Handler) http.Handler {
var corsHandler func(next http.Handler) http.Handler
@@ -1425,15 +1429,15 @@ func registerRoutes(m *web.Route) {
m.Get("/{period}", repo.Activity)
m.Group("/contributors", func() {
m.Get("", repo.Contributors)
- m.Get("/data", repo.ContributorsData)
+ m.Get("/data", endpointNotImplemented)
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
m.Group("/code-frequency", func() {
m.Get("", repo.CodeFrequency)
- m.Get("/data", repo.CodeFrequencyData)
+ m.Get("/data", endpointNotImplemented)
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
m.Group("/recent-commits", func() {
m.Get("", repo.RecentCommits)
- m.Get("/data", repo.RecentCommitsData)
+ m.Get("/data", endpointNotImplemented)
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
}, context.RepoRef(), context.RequireRepoReaderOr(unit.TypeCode, unit.TypePullRequests, unit.TypeIssues, unit.TypeReleases))

53
pkgs/forgejo/limit-migrations-and-pull-mirrors-to-admins.patch
View file

@ -1,53 +0,0 @@
diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go
index 2caaa130e8..455e89e93e 100644
--- a/routers/api/v1/repo/migrate.go
+++ b/routers/api/v1/repo/migrate.go
@@ -12,7 +12,6 @@ import (
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/organization"
"code.gitea.io/gitea/models/perm"
access_model "code.gitea.io/gitea/models/perm/access"
repo_model "code.gitea.io/gitea/models/repo"
@@ -86,22 +85,7 @@ func Migrate(ctx *context.APIContext) {
}
if !ctx.Doer.IsAdmin {
- if !repoOwner.IsOrganization() && ctx.Doer.ID != repoOwner.ID {
- ctx.Error(http.StatusForbidden, "", "Given user is not an organization.")
- return
- }
-
- if repoOwner.IsOrganization() {
- // Check ownership of organization.
- isOwner, err := organization.OrgFromUser(repoOwner).IsOwnedBy(ctx, ctx.Doer.ID)
- if err != nil {
- ctx.Error(http.StatusInternalServerError, "IsOwnedBy", err)
- return
- } else if !isOwner {
- ctx.Error(http.StatusForbidden, "", "Given user is not owner of organization.")
- return
- }
- }
+ ctx.Error(http.StatusForbidden, "", "You need to be administrator of this Forgejo instance to be able to create mirrors.")
}
remoteAddr, err := forms.ParseRemoteAddr(form.CloneAddr, form.AuthUsername, form.AuthPassword)
diff --git a/routers/web/repo/migrate.go b/routers/web/repo/migrate.go
index 97b0c425ea..554a470eab 100644
--- a/routers/web/repo/migrate.go
+++ b/routers/web/repo/migrate.go
@@ -150,6 +150,12 @@ func handleMigrateRemoteAddrError(ctx *context.Context, err error, tpl base.TplN
// MigratePost response for migrating from external git repository
func MigratePost(ctx *context.Context) {
form := web.GetForm(ctx).(*forms.MigrateRepoForm)
+
+ if !ctx.Doer.IsAdmin {
+ ctx.Error(http.StatusForbidden, "MigratePost: you need to be site administrator to use migrations and mirrors")
+ return
+ }
+
if setting.Repository.DisableMigrations {
ctx.Error(http.StatusForbidden, "MigratePost: the site administrator has disabled migrations")
return

37
pkgs/gerrit/0001-Syntax-highlight-nix.patch Normal file
View file

@ -0,0 +1,37 @@
From 084e4f92fb58f7cd85303ba602fb3c40133c8fcc Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Thu, 2 Jul 2020 23:02:32 +0100
Subject: [PATCH 1/3] Syntax highlight nix
---
.../app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts | 1 +
resources/com/google/gerrit/server/mime/mime-types.properties | 1 +
2 files changed, 2 insertions(+)
diff --git a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
index a9f88bdd81..385249f280 100644
--- a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
+++ b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
@@ -93,6 +93,7 @@ const LANGUAGE_MAP = new Map<string, string>([
['text/x-vhdl', 'vhdl'],
['text/x-yaml', 'yaml'],
['text/vbscript', 'vbscript'],
+ ['text/x-nix', 'nix'],
]);
const CLASS_PREFIX = 'gr-diff gr-syntax gr-syntax-';
diff --git a/resources/com/google/gerrit/server/mime/mime-types.properties b/resources/com/google/gerrit/server/mime/mime-types.properties
index 2f9561ba2e..739818ec05 100644
--- a/resources/com/google/gerrit/server/mime/mime-types.properties
+++ b/resources/com/google/gerrit/server/mime/mime-types.properties
@@ -149,6 +149,7 @@ mscin = text/x-mscgen
msgenny = text/x-msgenny
nb = text/x-mathematica
nginx.conf = text/x-nginx-conf
+nix = text/x-nix
nsh = text/x-nsis
nsi = text/x-nsis
nt = text/n-triples
--
2.37.3

37
pkgs/gerrit/0002-Syntax-highlight-rules.pl.patch Normal file
View file

@ -0,0 +1,37 @@
From aedf8ac8fa5113843bcd83ff85e2d9f3bffdb16c Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Thu, 2 Jul 2020 23:02:43 +0100
Subject: [PATCH 2/3] Syntax highlight rules.pl
---
.../app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts | 1 +
resources/com/google/gerrit/server/mime/mime-types.properties | 1 +
2 files changed, 2 insertions(+)
diff --git a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
index 385249f280..7cb3068494 100644
--- a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
+++ b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
@@ -68,6 +68,7 @@ const LANGUAGE_MAP = new Map<string, string>([
['text/x-perl', 'perl'],
['text/x-pgsql', 'pgsql'], // postgresql
['text/x-php', 'php'],
+ ['text/x-prolog', 'prolog'],
['text/x-properties', 'properties'],
['text/x-protobuf', 'protobuf'],
['text/x-puppet', 'puppet'],
diff --git a/resources/com/google/gerrit/server/mime/mime-types.properties b/resources/com/google/gerrit/server/mime/mime-types.properties
index 739818ec05..58eb727bf9 100644
--- a/resources/com/google/gerrit/server/mime/mime-types.properties
+++ b/resources/com/google/gerrit/server/mime/mime-types.properties
@@ -200,6 +200,7 @@ rq = application/sparql-query
rs = text/x-rustsrc
rss = application/xml
rst = text/x-rst
+rules.pl = text/x-prolog
README.md = text/x-gfm
s = text/x-gas
sas = text/x-sas
--
2.37.3

215
pkgs/gerrit/0003-Add-titles-to-CLs-over-HTTP.patch Normal file
View file

@ -0,0 +1,215 @@
From f49c50ca9a84ca374b7bd91c171bbea0457f2c7a Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Thu, 2 Jul 2020 23:03:02 +0100
Subject: [PATCH 3/3] Add titles to CLs over HTTP
---
.../gerrit/httpd/raw/IndexHtmlUtil.java | 13 +++-
.../google/gerrit/httpd/raw/IndexServlet.java | 8 ++-
.../google/gerrit/httpd/raw/StaticModule.java | 5 +-
.../gerrit/httpd/raw/TitleComputer.java | 67 +++++++++++++++++++
.../gerrit/httpd/raw/PolyGerritIndexHtml.soy | 4 +-
5 files changed, 89 insertions(+), 8 deletions(-)
create mode 100644 java/com/google/gerrit/httpd/raw/TitleComputer.java
diff --git a/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java b/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
index 72bfe40c3b..439bd73b44 100644
--- a/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
+++ b/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
@@ -41,6 +41,7 @@ import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
+import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
@@ -62,13 +63,14 @@ public class IndexHtmlUtil {
String faviconPath,
Map<String, String[]> urlParameterMap,
Function<String, SanitizedContent> urlInScriptTagOrdainer,
- String requestedURL)
+ String requestedURL,
+ TitleComputer titleComputer)
throws URISyntaxException, RestApiException {
ImmutableMap.Builder<String, Object> data = ImmutableMap.builder();
data.putAll(
staticTemplateData(
canonicalURL, cdnPath, faviconPath, urlParameterMap, urlInScriptTagOrdainer))
- .putAll(dynamicTemplateData(gerritApi, requestedURL));
+ .putAll(dynamicTemplateData(gerritApi, requestedURL, titleComputer));
Set<String> enabledExperiments = new HashSet<>();
enabledExperiments.addAll(experimentFeatures.getEnabledExperimentFeatures());
// Add all experiments enabled through url
@@ -81,7 +83,8 @@ public class IndexHtmlUtil {
/** Returns dynamic parameters of {@code index.html}. */
public static ImmutableMap<String, Object> dynamicTemplateData(
- GerritApi gerritApi, String requestedURL) throws RestApiException, URISyntaxException {
+ GerritApi gerritApi, String requestedURL, TitleComputer titleComputer)
+ throws RestApiException, URISyntaxException {
ImmutableMap.Builder<String, Object> data = ImmutableMap.builder();
Map<String, SanitizedContent> initialData = new HashMap<>();
Server serverApi = gerritApi.config().server();
@@ -129,6 +132,10 @@ public class IndexHtmlUtil {
}
data.put("gerritInitialData", initialData);
+
+ Optional<String> title = titleComputer.computeTitle(requestedURL);
+ title.ifPresent(s -> data.put("title", s));
+
return data.build();
}
diff --git a/java/com/google/gerrit/httpd/raw/IndexServlet.java b/java/com/google/gerrit/httpd/raw/IndexServlet.java
index fcb821e5ae..e1464b992b 100644
--- a/java/com/google/gerrit/httpd/raw/IndexServlet.java
+++ b/java/com/google/gerrit/httpd/raw/IndexServlet.java
@@ -48,13 +48,15 @@ public class IndexServlet extends HttpServlet {
private final ExperimentFeatures experimentFeatures;
private final SoySauce soySauce;
private final Function<String, SanitizedContent> urlOrdainer;
+ private TitleComputer titleComputer;
IndexServlet(
@Nullable String canonicalUrl,
@Nullable String cdnPath,
@Nullable String faviconPath,
GerritApi gerritApi,
- ExperimentFeatures experimentFeatures) {
+ ExperimentFeatures experimentFeatures,
+ TitleComputer titleComputer) {
this.canonicalUrl = canonicalUrl;
this.cdnPath = cdnPath;
this.faviconPath = faviconPath;
@@ -69,6 +71,7 @@ public class IndexServlet extends HttpServlet {
(s) ->
UnsafeSanitizedContentOrdainer.ordainAsSafe(
s, SanitizedContent.ContentKind.TRUSTED_RESOURCE_URI);
+ this.titleComputer = titleComputer;
}
@Override
@@ -86,7 +89,8 @@ public class IndexServlet extends HttpServlet {
faviconPath,
parameterMap,
urlOrdainer,
- getRequestUrl(req));
+ getRequestUrl(req),
+ titleComputer);
renderer = soySauce.renderTemplate("com.google.gerrit.httpd.raw.Index").setData(templateData);
} catch (URISyntaxException | RestApiException e) {
throw new IOException(e);
diff --git a/java/com/google/gerrit/httpd/raw/StaticModule.java b/java/com/google/gerrit/httpd/raw/StaticModule.java
index 15dcf42e0e..9f56bf33ce 100644
--- a/java/com/google/gerrit/httpd/raw/StaticModule.java
+++ b/java/com/google/gerrit/httpd/raw/StaticModule.java
@@ -241,10 +241,11 @@ public class StaticModule extends ServletModule {
@CanonicalWebUrl @Nullable String canonicalUrl,
@GerritServerConfig Config cfg,
GerritApi gerritApi,
- ExperimentFeatures experimentFeatures) {
+ ExperimentFeatures experimentFeatures,
+ TitleComputer titleComputer) {
String cdnPath = options.devCdn().orElse(cfg.getString("gerrit", null, "cdnPath"));
String faviconPath = cfg.getString("gerrit", null, "faviconPath");
- return new IndexServlet(canonicalUrl, cdnPath, faviconPath, gerritApi, experimentFeatures);
+ return new IndexServlet(canonicalUrl, cdnPath, faviconPath, gerritApi, experimentFeatures, titleComputer);
}
@Provides
diff --git a/java/com/google/gerrit/httpd/raw/TitleComputer.java b/java/com/google/gerrit/httpd/raw/TitleComputer.java
new file mode 100644
index 0000000000..8fd2053ad0
--- /dev/null
+++ b/java/com/google/gerrit/httpd/raw/TitleComputer.java
@@ -0,0 +1,67 @@
+package com.google.gerrit.httpd.raw;
+
+import com.google.common.flogger.FluentLogger;
+import com.google.gerrit.entities.Change;
+import com.google.gerrit.extensions.restapi.ResourceConflictException;
+import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
+import com.google.gerrit.server.change.ChangeResource;
+import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.restapi.change.ChangesCollection;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@Singleton
+public class TitleComputer {
+ private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
+ @Inject
+ public TitleComputer(Provider<ChangesCollection> changes) {
+ this.changes = changes;
+ }
+
+ public Optional<String> computeTitle(String requestedURI) {
+ URL url = null;
+ try {
+ url = new URL(requestedURI);
+ } catch (MalformedURLException e) {
+ logger.atWarning().log("Failed to turn %s into a URL.", requestedURI);
+ return Optional.empty();
+ }
+
+ // Try to turn this into a change.
+ Optional<Change.Id> changeId = tryExtractChange(url.getPath());
+ if (changeId.isPresent()) {
+ return titleFromChangeId(changeId.get());
+ }
+
+ return Optional.empty();
+ }
+
+ private static final Pattern extractChangeIdRegex = Pattern.compile("^/(?:c/.*/\\+/)?(?<changeId>[0-9]+)(?:/[0-9]+)?(?:/.*)?$");
+ private final Provider<ChangesCollection> changes;
+
+ private Optional<Change.Id> tryExtractChange(String path) {
+ Matcher m = extractChangeIdRegex.matcher(path);
+ if (!m.matches()) {
+ return Optional.empty();
+ }
+ return Change.Id.tryParse(m.group("changeId"));
+ }
+
+ private Optional<String> titleFromChangeId(Change.Id changeId) {
+ ChangesCollection changesCollection = changes.get();
+ try {
+ ChangeResource changeResource = changesCollection.parse(changeId);
+ return Optional.of(changeResource.getChange().getSubject());
+ } catch (ResourceConflictException | ResourceNotFoundException | PermissionBackendException e) {
+ return Optional.empty();
+ }
+ }
+}
diff --git a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
index dbfef44dfe..347ee75aab 100644
--- a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
+++ b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
@@ -33,10 +33,12 @@
{@param? defaultDashboardHex: ?}
{@param? dashboardQuery: ?}
{@param? userIsAuthenticated: ?}
+ {@param? title: ?}
<!DOCTYPE html>{\n}
<html lang="en">{\n}
<meta charset="utf-8">{\n}
- <meta name="description" content="Gerrit Code Review">{\n}
+ {if $title}<title>{$title} · Gerrit Code Review</title>{\n}{/if}
+ <meta name="description" content="{if $title}{$title} · {/if}Gerrit Code Review">{\n}
<meta name="referrer" content="never">{\n}
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">{\n}
--
2.37.3

152
pkgs/gerrit/default.nix Normal file
View file

@ -0,0 +1,152 @@
{ buildFHSUserEnv, writeShellScriptBin, buildBazelPackage, fetchgit, unzip }:
{ name ? "gerrit-${version}", version ? "3.9.1", src ? (fetchgit {
url = "https://gerrit.googlesource.com/gerrit";
rev = "620a819cbf3c64fff7a66798822775ad42c91d8e";
branchName = "v${version}";
sha256 = "sha256:1mdxbgnx3mpxand4wq96ic38bb4yh45q271h40jrk7dk23sgmz02";
fetchSubmodules = true;
}), bazelTargets ? [ "release" "api-skip-javadoc" ]
}:
let
bazelRunScript = writeShellScriptBin "bazel-run" ''
yarn config set cache-folder "$bazelOut/external/yarn_cache"
export HOME="$bazelOut/external/home"
mkdir -p "$bazelOut/external/home"
exec /bin/bazel "$@"
'';
bazelTop = buildFHSUserEnv {
name = "bazel";
targetPkgs = pkgs: [
(pkgs.bazel_5.override { enableNixHacks = true; })
pkgs.jdk17_headless
pkgs.zlib
pkgs.python3
pkgs.curl
pkgs.nodejs
pkgs.yarn
pkgs.git
bazelRunScript
];
runScript = "/bin/bazel-run";
};
bazel = bazelTop // { override = x: bazelTop; };
in
buildBazelPackage {
inherit name version src;
patches = [
./0001-Syntax-highlight-nix.patch
./0002-Syntax-highlight-rules.pl.patch
./0003-Add-titles-to-CLs-over-HTTP.patch
];
inherit bazel bazelTargets;
bazelFlags = [
"--repository_cache="
"--disk_cache="
];
removeRulesCC = false;
fetchConfigured = true;
fetchAttrs = {
sha256 = "sha256-rsYQR6/RO5NM3/fnB3lEmbz876B59QWxWpE3M/Z4rK4=";
preBuild = ''
rm .bazelversion
'';
installPhase = ''
runHook preInstall
# Remove all built in external workspaces, Bazel will recreate them when building
rm -rf $bazelOut/external/{bazel_tools,\@bazel_tools.marker}
rm -rf $bazelOut/external/{embedded_jdk,\@embedded_jdk.marker}
rm -rf $bazelOut/external/{local_config_cc,\@local_config_cc.marker}
rm -rf $bazelOut/external/{local_*,\@local_*.marker}
# Clear markers
find $bazelOut/external -name '@*\.marker' -exec sh -c 'echo > {}' \;
# Remove all vcs files
rm -rf $(find $bazelOut/external -type d -name .git)
rm -rf $(find $bazelOut/external -type d -name .svn)
rm -rf $(find $bazelOut/external -type d -name .hg)
# Removing top-level symlinks along with their markers.
# This is needed because they sometimes point to temporary paths (?).
# For example, in Tensorflow-gpu build:
#sha256:06bmzbcb9717s4b016kcbn8nr9pgaz04i8bnzg7ybkbdwpl8vxvv"; platforms -> NIX_BUILD_TOP/tmp/install/35282f5123611afa742331368e9ae529/_embedded_binaries/platforms
find $bazelOut/external -maxdepth 1 -type l | while read symlink; do
name="$(basename "$symlink")"
rm -rf "$symlink" "$bazelOut/external/@$name.marker"
done
# Patching symlinks to remove build directory reference
find $bazelOut/external -type l | while read symlink; do
new_target="$(readlink "$symlink" | sed "s,$NIX_BUILD_TOP,NIX_BUILD_TOP,")"
rm "$symlink"
ln -sf "$new_target" "$symlink"
done
echo '${bazel.name}' > $bazelOut/external/.nix-bazel-version
# Gerrit fixups:
# Normalize permissions on .yarn-{tarball,metadata} files
test -d $bazelOut/external/yarn_cache && find $bazelOut/external/yarn_cache \( -name .yarn-tarball.tgz -or -name .yarn-metadata.json \) -exec chmod 644 {} +
mkdir $bazelOut/_bits/
find . -name node_modules -prune -print | while read d; do
echo "$d" "$(dirname $d)"
mkdir -p $bazelOut/_bits/$(dirname $d)
cp -R "$d" "$bazelOut/_bits/$(dirname $d)/node_modules"
done
(cd $bazelOut/ && tar czf $out --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner external/ _bits/)
runHook postInstall
'';
};
buildAttrs = {
preConfigure = ''
rm .bazelversion
[ "$(ls -A $bazelOut/_bits)" ] && cp -R $bazelOut/_bits/* ./ || true
'';
postPatch = ''
# Disable all errorprone checks, since we might be using a different version.
sed -i \
-e '/-Xep:/d' \
-e '/-XepExcludedPaths:/a "-XepDisableAllChecks",' \
tools/BUILD
'';
installPhase = ''
mkdir -p "$out"/webapps/ "$out"/share/api/
cp bazel-bin/release.war "$out"/webapps/gerrit-${version}.war
unzip bazel-bin/api-skip-javadoc.zip -d "$out"/share/api
'';
nativeBuildInputs = [
unzip
];
};
passthru = {
# A list of plugins that are part of the gerrit.war file.
# Use `java -jar gerrit.war ls | grep -Po '(?<=plugins/)[^.]+' | sed -e 's,^,",' -e 's,$,",' | sort` to generate that list.
plugins = [
"codemirror-editor"
"commit-message-length-validator"
"delete-project"
"download-commands"
"gitiles"
"hooks"
"plugin-manager"
"replication"
"reviewnotes"
"singleusergroup"
"webhooks"
];
};
}

97
pkgs/gerrit/detzip.go Normal file
View file

@ -0,0 +1,97 @@
package main
import (
"archive/zip"
"flag"
"fmt"
"io"
"log"
"os"
"path/filepath"
"sort"
"strings"
)
var (
exclude = flag.String("exclude", "", "comma-separated list of filenames to exclude (in any directory)")
)
func init() {
flag.Usage = func() {
fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s [zip file] [directory]:\n", os.Args[0])
flag.PrintDefaults()
}
}
func listToMap(ss []string) map[string]bool {
m := make(map[string]bool)
for _, s := range ss {
m[s] = true
}
return m
}
func main() {
flag.Parse()
if flag.NArg() != 2 {
flag.Usage()
os.Exit(1)
}
outPath := flag.Arg(0)
dirPath := flag.Arg(1)
excludeFiles := listToMap(strings.Split(*exclude, ","))
// Aggregate all files first.
var files []string
filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
if info.IsDir() {
return nil
}
if excludeFiles[info.Name()] {
return nil
}
files = append(files, path)
return nil
})
// Create zip
outW, err := os.Create(outPath)
if err != nil {
log.Fatalf("Create(%q): %v", outPath, err)
}
zipW := zip.NewWriter(outW)
// Output files in alphabetical order
sort.Strings(files)
for _, f := range files {
fw, err := zipW.CreateHeader(&zip.FileHeader{
Name: f,
Method: zip.Store,
})
if err != nil {
log.Fatalf("creating %q in zip: %v", f, err)
}
ff, err := os.Open(f)
if err != nil {
log.Fatalf("opening %q: %v", f, err)
}
if _, err := io.Copy(fw, ff); err != nil {
log.Fatalf("copying %q to zip: %v", f, err)
}
ff.Close()
}
if err := zipW.Close(); err != nil {
log.Fatalf("writing ZIP central directory: %v", err)
}
if err := outW.Close(); err != nil {
log.Fatalf("closing ZIP file: %v", err)
}
}

36
pkgs/gerrit_plugins/builder.nix Normal file
View file

@ -0,0 +1,36 @@
{ buildGerrit, gerrit, runCommandLocal, lib }:
{ name
, src
, depsOutputHash
, overlayPluginCmd ? ''
cp -R "${src}" "$out/plugins/${name}"
''
, postPatch ? ""
, patches ? [ ]
}: (buildGerrit {
name = "${name}.jar";
src = runCommandLocal "${name}-src" { } ''
cp -R "${gerrit.src}" "$out"
chmod +w "$out/plugins"
${overlayPluginCmd}
'';
bazelTargets = [ "//plugins/${name}" ];
}).overrideAttrs (super: {
deps = super.deps.overrideAttrs (superDeps: {
outputHash = depsOutputHash;
});
installPhase = ''
cp "bazel-bin/plugins/${name}/${name}.jar" "$out"
'';
postPatch = ''
${super.postPatch or ""}
pushd "plugins/${name}"
${lib.concatMapStringsSep "\n" (patch: ''
patch -p1 < ${patch}
'') patches}
popd
${postPatch}
'';
})

14
pkgs/gerrit_plugins/code-owners/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ fetchgit, buildGerritBazelPlugin, lib }:
buildGerritBazelPlugin {
name = "code-owners";
depsOutputHash = "sha256-Ee2n7R/vi91drR+dNYB0QnGiiqcmz9/pynHhV9yDxdE=";
src = fetchgit {
url = "https://gerrit.googlesource.com/plugins/code-owners";
rev = "e654ae5bda2085bce9a99942bec440e004a114f3";
sha256 = "sha256:14d3x3iqskgw16pvyaa0swh252agj84p9pzlf24l8lgx9d7y4biz";
};
patches = [
./using-usernames.patch
];
}

472
pkgs/gerrit_plugins/code-owners/using-usernames.patch Normal file
View file

@ -0,0 +1,472 @@
commit 29ace6c38ac513f7ec56ca425230d5712c081043
Author: Luke Granger-Brown <git@lukegb.com>
Date: Wed Sep 21 03:15:38 2022 +0100
Add support for usernames and groups
Change-Id: I3ba8527f66216d08e555a6ac4451fe0d1e090de5
diff --git a/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java b/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
index 70009591..6dc596c9 100644
--- a/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
+++ b/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
@@ -17,6 +17,8 @@ package com.google.gerrit.plugins.codeowners.backend;
import static com.google.common.base.Preconditions.checkState;
import static com.google.common.collect.ImmutableMap.toImmutableMap;
import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static com.google.common.collect.ImmutableSetMultimap.flatteningToImmutableSetMultimap;
+import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
import static com.google.gerrit.plugins.codeowners.backend.CodeOwnersInternalServerErrorException.newInternalServerError;
import static java.util.Objects.requireNonNull;
@@ -25,6 +27,7 @@ import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableMultimap;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableSetMultimap;
import com.google.common.collect.Iterables;
import com.google.common.collect.Streams;
import com.google.common.flogger.FluentLogger;
@@ -33,17 +36,24 @@ import com.google.gerrit.entities.Project;
import com.google.gerrit.metrics.Timer0;
import com.google.gerrit.plugins.codeowners.backend.config.CodeOwnersPluginConfiguration;
import com.google.gerrit.plugins.codeowners.metrics.CodeOwnerMetrics;
+import com.google.gerrit.server.AnonymousUser;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountControl;
import com.google.gerrit.server.account.AccountState;
+import com.google.gerrit.server.account.GroupBackend;
+import com.google.gerrit.server.account.GroupBackends;
+import com.google.gerrit.server.account.InternalGroupBackend;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.account.externalids.ExternalIdCache;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.util.RequestContext;
+import com.google.gerrit.server.util.ThreadLocalRequestContext;
import com.google.inject.Inject;
+import com.google.inject.OutOfScopeException;
import com.google.inject.Provider;
import java.io.IOException;
import java.nio.file.Path;
@@ -102,6 +112,8 @@ public class CodeOwnerResolver {
@VisibleForTesting public static final String ALL_USERS_WILDCARD = "*";
+ public static final String GROUP_PREFIX = "group:";
+
private final CodeOwnersPluginConfiguration codeOwnersPluginConfiguration;
private final PermissionBackend permissionBackend;
private final Provider<CurrentUser> currentUser;
@@ -112,6 +124,8 @@ public class CodeOwnerResolver {
private final CodeOwnerMetrics codeOwnerMetrics;
private final UnresolvedImportFormatter unresolvedImportFormatter;
private final TransientCodeOwnerCache transientCodeOwnerCache;
+ private final InternalGroupBackend groupBackend;
+ private final ThreadLocalRequestContext context;
// Enforce visibility by default.
private boolean enforceVisibility = true;
@@ -132,7 +146,9 @@ public class CodeOwnerResolver {
PathCodeOwners.Factory pathCodeOwnersFactory,
CodeOwnerMetrics codeOwnerMetrics,
UnresolvedImportFormatter unresolvedImportFormatter,
- TransientCodeOwnerCache transientCodeOwnerCache) {
+ TransientCodeOwnerCache transientCodeOwnerCache,
+ InternalGroupBackend groupBackend,
+ ThreadLocalRequestContext context) {
this.codeOwnersPluginConfiguration = codeOwnersPluginConfiguration;
this.permissionBackend = permissionBackend;
this.currentUser = currentUser;
@@ -143,6 +159,8 @@ public class CodeOwnerResolver {
this.codeOwnerMetrics = codeOwnerMetrics;
this.unresolvedImportFormatter = unresolvedImportFormatter;
this.transientCodeOwnerCache = transientCodeOwnerCache;
+ this.groupBackend = groupBackend;
+ this.context = context;
}
/**
@@ -361,6 +379,12 @@ public class CodeOwnerResolver {
"cannot resolve code owner email %s: no account with this email exists",
CodeOwnerResolver.ALL_USERS_WILDCARD));
}
+ if (codeOwnerReference.email().startsWith(GROUP_PREFIX)) {
+ return OptionalResultWithMessages.createEmpty(
+ String.format(
+ "cannot resolve code owner email %s: this is a group",
+ codeOwnerReference.email()));
+ }
ImmutableList.Builder<String> messageBuilder = ImmutableList.builder();
AtomicBoolean ownedByAllUsers = new AtomicBoolean(false);
@@ -405,9 +429,53 @@ public class CodeOwnerResolver {
ImmutableMultimap<CodeOwnerReference, CodeOwnerAnnotation> annotations) {
requireNonNull(codeOwnerReferences, "codeOwnerReferences");
+ ImmutableSet<String> groupsToResolve =
+ codeOwnerReferences.stream()
+ .map(CodeOwnerReference::email)
+ .filter(ref -> ref.startsWith(GROUP_PREFIX))
+ .map(ref -> ref.substring(GROUP_PREFIX.length()))
+ .collect(toImmutableSet());
+
+ // When we call GroupBackends.findExactSuggestion we need to ensure that we
+ // have a user in context. This is because the suggestion backend is
+ // likely to want to try to check that we can actually see the group it's
+ // returning (which we also check for explicitly, because I have trust
+ // issues).
+ RequestContext oldCtx = context.getContext();
+ // Check if we have a user in the context at all...
+ try {
+ oldCtx.getUser();
+ } catch (OutOfScopeException | NullPointerException e) {
+ // Nope.
+ RequestContext newCtx = () -> {
+ return new AnonymousUser();
+ };
+ context.setContext(newCtx);
+ }
+ ImmutableSetMultimap<String, CodeOwner> resolvedGroups = null;
+ try {
+ resolvedGroups =
+ groupsToResolve.stream()
+ .map(groupName -> GroupBackends.findExactSuggestion(groupBackend, groupName))
+ .filter(groupRef -> groupRef != null)
+ .filter(groupRef -> groupBackend.isVisibleToAll(groupRef.getUUID()))
+ .map(groupRef -> groupBackend.get(groupRef.getUUID()))
+ .collect(flatteningToImmutableSetMultimap(
+ groupRef -> GROUP_PREFIX + groupRef.getName(),
+ groupRef -> accountCache
+ .get(ImmutableSet.copyOf(groupRef.getMembers()))
+ .values().stream()
+ .map(accountState -> CodeOwner.create(accountState.account().id()))));
+ } finally {
+ context.setContext(oldCtx);
+ }
+ ImmutableSetMultimap<CodeOwner, String> usersToGroups =
+ resolvedGroups.inverse();
+
ImmutableSet<String> emailsToResolve =
codeOwnerReferences.stream()
.map(CodeOwnerReference::email)
+ .filter(ref -> !ref.startsWith(GROUP_PREFIX))
.filter(filterOutAllUsersWildCard(ownedByAllUsers))
.collect(toImmutableSet());
@@ -442,7 +510,8 @@ public class CodeOwnerResolver {
ImmutableMap<String, CodeOwner> codeOwnersByEmail =
accountsByEmail.map(mapToCodeOwner()).collect(toImmutableMap(Pair::key, Pair::value));
- if (codeOwnersByEmail.keySet().size() < emailsToResolve.size()) {
+ if (codeOwnersByEmail.keySet().size() < emailsToResolve.size() ||
+ resolvedGroups.keySet().size() < groupsToResolve.size()) {
hasUnresolvedCodeOwners.set(true);
}
@@ -456,7 +525,9 @@ public class CodeOwnerResolver {
cachedCodeOwnersByEmail.entrySet().stream()
.filter(e -> e.getValue().isPresent())
.map(e -> Pair.of(e.getKey(), e.getValue().get()));
- Streams.concat(newlyResolvedCodeOwnersStream, cachedCodeOwnersStream)
+ Stream<Pair<String, CodeOwner>> resolvedGroupsCodeOwnersStream =
+ resolvedGroups.entries().stream().map(e -> Pair.of(e.getKey(), e.getValue()));
+ Streams.concat(Streams.concat(newlyResolvedCodeOwnersStream, cachedCodeOwnersStream), resolvedGroupsCodeOwnersStream)
.forEach(
p -> {
ImmutableSet.Builder<CodeOwnerAnnotation> annotationBuilder = ImmutableSet.builder();
@@ -467,6 +538,12 @@ public class CodeOwnerResolver {
annotationBuilder.addAll(
annotations.get(CodeOwnerReference.create(ALL_USERS_WILDCARD)));
+ // annotations for the groups this user is in apply as well
+ for (String group : usersToGroups.get(p.value())) {
+ annotationBuilder.addAll(
+ annotations.get(CodeOwnerReference.create(group)));
+ }
+
if (!codeOwnersWithAnnotations.containsKey(p.value())) {
codeOwnersWithAnnotations.put(p.value(), new HashSet<>());
}
@@ -570,7 +647,7 @@ public class CodeOwnerResolver {
}
messages.add(String.format("email %s has no domain", email));
- return false;
+ return true; // TVL: we allow domain-less strings which are treated as usernames.
}
/**
@@ -585,11 +662,29 @@ public class CodeOwnerResolver {
*/
private ImmutableMap<String, Collection<ExternalId>> lookupExternalIds(
ImmutableList.Builder<String> messages, ImmutableSet<String> emails) {
+ String[] actualEmails = emails.stream()
+ .filter(email -> email.contains("@"))
+ .toArray(String[]::new);
+ ImmutableSet<String> usernames = emails.stream()
+ .filter(email -> !email.contains("@"))
+ .collect(ImmutableSet.toImmutableSet());
try {
- ImmutableMap<String, Collection<ExternalId>> extIdsByEmail =
- externalIdCache.byEmails(emails.toArray(new String[0])).asMap();
+ ImmutableMap<String, Collection<ExternalId>> extIds =
+ new ImmutableMap.Builder<String, Collection<ExternalId>>()
+ .putAll(externalIdCache.byEmails(actualEmails).asMap())
+ .putAll(externalIdCache.allByAccount().entries().stream()
+ .map(entry -> entry.getValue())
+ .filter(externalId ->
+ externalId.key().scheme() != null &&
+ externalId.key().isScheme(ExternalId.SCHEME_USERNAME) &&
+ usernames.contains(externalId.key().id()))
+ .collect(toImmutableSetMultimap(
+ externalId -> externalId.key().id(),
+ externalId -> externalId))
+ .asMap())
+ .build();
emails.stream()
- .filter(email -> !extIdsByEmail.containsKey(email))
+ .filter(email -> !extIds.containsKey(email))
.forEach(
email -> {
transientCodeOwnerCache.cacheNonResolvable(email);
@@ -598,7 +693,7 @@ public class CodeOwnerResolver {
"cannot resolve code owner email %s: no account with this email exists",
email));
});
- return extIdsByEmail;
+ return extIds;
} catch (IOException e) {
throw newInternalServerError(
String.format("cannot resolve code owner emails: %s", emails), e);
@@ -815,6 +910,15 @@ public class CodeOwnerResolver {
user != null ? user.getLoggableName() : currentUser.get().getLoggableName()));
return true;
}
+ if (!email.contains("@")) {
+ // the email is the username of the account, or a group, or something else.
+ messages.add(
+ String.format(
+ "account %s is visible to user %s",
+ accountState.account().id(),
+ user != null ? user.getLoggableName() : currentUser.get().getLoggableName()));
+ return true;
+ }
if (user != null) {
if (user.hasEmailAddress(email)) {
diff --git a/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java b/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
index 5f350998..7977ba55 100644
--- a/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
+++ b/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
@@ -149,7 +149,8 @@ public class FindOwnersCodeOwnerConfigParser implements CodeOwnerConfigParser {
private static final String EOL = "[\\s]*(#.*)?$"; // end-of-line
private static final String GLOB = "[^\\s,=]+"; // a file glob
- private static final String EMAIL_OR_STAR = "([^\\s<>@,]+@[^\\s<>@#,]+|\\*)";
+ // Also allows usernames, and group:$GROUP_NAME.
+ private static final String EMAIL_OR_STAR = "([^\\s<>@,]+@[^\\s<>@#,]+?|\\*|[a-zA-Z0-9_\\-]+|group:[a-zA-Z0-9_\\-]+)";
private static final String EMAIL_LIST =
"(" + EMAIL_OR_STAR + "(" + COMMA + EMAIL_OR_STAR + ")*)";
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
index 7ec92959..59cf7e05 100644
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
@@ -424,7 +424,7 @@ public abstract class AbstractFileBasedCodeOwnerBackendTest extends AbstractCode
.commit()
.parent(head)
.message("Add invalid test code owner config")
- .add(JgitPath.of(codeOwnerConfigKey.filePath(getFileName())).get(), "INVALID"));
+ .add(JgitPath.of(codeOwnerConfigKey.filePath(getFileName())).get(), "INVALID!"));
}
// Try to update the code owner config.
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
index 6171aca9..37699012 100644
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
@@ -24,8 +24,10 @@ import com.google.gerrit.acceptance.TestAccount;
import com.google.gerrit.acceptance.TestMetricMaker;
import com.google.gerrit.acceptance.config.GerritConfig;
import com.google.gerrit.acceptance.testsuite.account.AccountOperations;
+import com.google.gerrit.acceptance.testsuite.group.GroupOperations;
import com.google.gerrit.acceptance.testsuite.request.RequestScopeOperations;
import com.google.gerrit.entities.Account;
+import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.plugins.codeowners.acceptance.AbstractCodeOwnersTest;
import com.google.gerrit.server.ServerInitiated;
import com.google.gerrit.server.account.AccountsUpdate;
@@ -51,6 +53,7 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
@Inject private RequestScopeOperations requestScopeOperations;
@Inject @ServerInitiated private Provider<AccountsUpdate> accountsUpdate;
@Inject private AccountOperations accountOperations;
+ @Inject private GroupOperations groupOperations;
@Inject private ExternalIdNotes.Factory externalIdNotesFactory;
@Inject private TestMetricMaker testMetricMaker;
@Inject private ExternalIdFactory externalIdFactory;
@@ -112,6 +115,18 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
.contains(String.format("account %s is visible to user %s", admin.id(), admin.username()));
}
+ @Test
+ public void resolveCodeOwnerReferenceForUsername() throws Exception {
+ OptionalResultWithMessages<CodeOwner> result =
+ codeOwnerResolverProvider
+ .get()
+ .resolveWithMessages(CodeOwnerReference.create(admin.username()));
+ assertThat(result.get()).hasAccountIdThat().isEqualTo(admin.id());
+ assertThat(result)
+ .hasMessagesThat()
+ .contains(String.format("account %s is visible to user %s", admin.id(), admin.username()));
+ }
+
@Test
public void cannotResolveCodeOwnerReferenceForStarAsEmail() throws Exception {
OptionalResultWithMessages<CodeOwner> result =
@@ -127,6 +142,18 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
CodeOwnerResolver.ALL_USERS_WILDCARD));
}
+ @Test
+ public void cannotResolveCodeOwnerReferenceForGroup() throws Exception {
+ OptionalResultWithMessages<CodeOwner> result =
+ codeOwnerResolverProvider
+ .get()
+ .resolveWithMessages(CodeOwnerReference.create("group:Administrators"));
+ assertThat(result).isEmpty();
+ assertThat(result)
+ .hasMessagesThat()
+ .contains("cannot resolve code owner email group:Administrators: this is a group");
+ }
+
@Test
public void resolveCodeOwnerReferenceForAmbiguousEmailIfOtherAccountIsInactive()
throws Exception {
@@ -397,6 +424,64 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
assertThat(result.hasUnresolvedCodeOwners()).isFalse();
}
+ @Test
+ public void resolvePathCodeOwnersWhenNonVisibleGroupIsUsed() throws Exception {
+ CodeOwnerConfig codeOwnerConfig =
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
+ .addCodeOwnerSet(
+ CodeOwnerSet.createWithoutPathExpressions("group:Administrators"))
+ .build();
+
+ CodeOwnerResolverResult result =
+ codeOwnerResolverProvider
+ .get()
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
+ assertThat(result.codeOwnersAccountIds()).isEmpty();
+ assertThat(result.ownedByAllUsers()).isFalse();
+ assertThat(result.hasUnresolvedCodeOwners()).isTrue();
+ }
+
+ @Test
+ public void resolvePathCodeOwnersWhenVisibleGroupIsUsed() throws Exception {
+ AccountGroup.UUID createdGroupUUID = groupOperations
+ .newGroup()
+ .name("VisibleGroup")
+ .visibleToAll(true)
+ .addMember(admin.id())
+ .create();
+
+ CodeOwnerConfig codeOwnerConfig =
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
+ .addCodeOwnerSet(
+ CodeOwnerSet.createWithoutPathExpressions("group:VisibleGroup"))
+ .build();
+
+ CodeOwnerResolverResult result =
+ codeOwnerResolverProvider
+ .get()
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
+ assertThat(result.codeOwnersAccountIds()).containsExactly(admin.id());
+ assertThat(result.ownedByAllUsers()).isFalse();
+ assertThat(result.hasUnresolvedCodeOwners()).isFalse();
+ }
+
+ @Test
+ public void resolvePathCodeOwnersWhenUsernameIsUsed() throws Exception {
+ CodeOwnerConfig codeOwnerConfig =
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
+ .addCodeOwnerSet(
+ CodeOwnerSet.createWithoutPathExpressions(admin.username()))
+ .build();
+
+ CodeOwnerResolverResult result =
+ codeOwnerResolverProvider
+ .get()
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
+ assertThat(result.codeOwnersAccountIds()).containsExactly(admin.id());
+ assertThat(result.ownedByAllUsers()).isFalse();
+ assertThat(result.hasUnresolvedCodeOwners()).isFalse();
+ }
+
@Test
public void resolvePathCodeOwnersNonResolvableCodeOwnersAreFilteredOut() throws Exception {
CodeOwnerConfig codeOwnerConfig =
@@ -655,7 +740,7 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
"domain example.com of email foo@example.org@example.com is allowed");
assertIsEmailDomainAllowed(
"foo@example.org", false, "domain example.org of email foo@example.org is not allowed");
- assertIsEmailDomainAllowed("foo", false, "email foo has no domain");
+ assertIsEmailDomainAllowed("foo", true, "email foo has no domain");
assertIsEmailDomainAllowed(
"foo@example.com@example.org",
false,
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
index 260e635e..7aab99d0 100644
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
@@ -158,16 +158,42 @@ public class FindOwnersCodeOwnerConfigParserTest extends AbstractCodeOwnerConfig
codeOwnerConfigParser.parse(
TEST_REVISION,
CodeOwnerConfig.Key.create(project, "master", "/"),
- getCodeOwnerConfig(EMAIL_1, "INVALID", "NOT_AN_EMAIL", EMAIL_2)));
+ getCodeOwnerConfig(EMAIL_1, "INVALID!", "NOT!AN_EMAIL", EMAIL_2)));
assertThat(exception.getFullMessage(FindOwnersBackend.CODE_OWNER_CONFIG_FILE_NAME))
.isEqualTo(
String.format(
"invalid code owner config file '/OWNERS' (project = %s, branch = master):\n"
- + " invalid line: INVALID\n"
- + " invalid line: NOT_AN_EMAIL",
+ + " invalid line: INVALID!\n"
+ + " invalid line: NOT!AN_EMAIL",
project));
}
+ @Test
+ public void codeOwnerConfigWithUsernames() throws Exception {
+ assertParseAndFormat(
+ getCodeOwnerConfig(EMAIL_1, "USERNAME", EMAIL_2),
+ codeOwnerConfig ->
+ assertThat(codeOwnerConfig)
+ .hasCodeOwnerSetsThat()
+ .onlyElement()
+ .hasCodeOwnersEmailsThat()
+ .containsExactly(EMAIL_1, "USERNAME", EMAIL_2),
+ getCodeOwnerConfig(EMAIL_1, "USERNAME", EMAIL_2));
+ }
+
+ @Test
+ public void codeOwnerConfigWithGroups() throws Exception {
+ assertParseAndFormat(
+ getCodeOwnerConfig(EMAIL_1, "group:tvl-employees", EMAIL_2),
+ codeOwnerConfig ->
+ assertThat(codeOwnerConfig)
+ .hasCodeOwnerSetsThat()
+ .onlyElement()
+ .hasCodeOwnersEmailsThat()
+ .containsExactly(EMAIL_1, "group:tvl-employees", EMAIL_2),
+ getCodeOwnerConfig(EMAIL_1, "group:tvl-employees", EMAIL_2));
+ }
+
@Test
public void codeOwnerConfigWithComment() throws Exception {
assertParseAndFormat(

16
pkgs/gerrit_plugins/oauth/default.nix Normal file
View file

@ -0,0 +1,16 @@
{ buildGerritBazelPlugin, fetchgit }:
buildGerritBazelPlugin rec {
name = "oauth";
depsOutputHash = "sha256-4/+E0BwkA+rYYCy7y3G9xF86DJj+CFzPZUNXC5HN5wc=";
src = fetchgit {
url = "https://gerrit.googlesource.com/plugins/oauth";
rev = "b27cf3ea820eec2ddd22d217fc839261692ccdb0";
sha256 = "1m654ibgzprrhcl0wpzqrmq8drpgx6rzlw0ha16l1fi2zv5idkk2";
};
overlayPluginCmd = ''
chmod +w "$out" "$out/plugins/external_plugin_deps.bzl"
cp -R "${src}" "$out/plugins/${name}"
cp "${src}/external_plugin_deps.bzl" "$out/plugins/external_plugin_deps.bzl"
'';
}

20
secrets.nix
View file

@ -1,33 +1,19 @@
let
keys = import common/ssh-keys.nix;
commonKeys = keys.users.delroth ++ keys.users.raito;
commonKeys = keys.users.delroth;
secrets = with keys; {
hydra-s3-credentials = [ machines.bagel-box ];
hydra-signing-priv = [ machines.bagel-box ];
hydra-ssh-key-priv = [ machines.bagel-box ];
netbox-environment = [ machines.meta01 ];
mimir-environment = [ machines.meta01 ];
grafana-oauth-secret = [ machines.meta01 ];
loki-environment = [ machines.meta01 ];
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
buildbot-worker-password = [ machines.buildbot ];
buildbot-oauth-secret = [ machines.buildbot ];
buildbot-workers = [ machines.buildbot ];
# Private SSH key to Gerrit
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
buildbot-service-key = [ machines.buildbot ];
# Signing key for Buildbot's specific cache
buildbot-signing-key = [ machines.buildbot ];
buildbot-remote-builder-key = [ machines.buildbot ];
# These are the same password, but nginx wants it in htpasswd format
metrics-push-htpasswd = [ machines.meta01 ];
metrics-push-password = builtins.attrValues machines;
ows-deploy-key = [ machines.gerrit01 ];
loki-htpasswd = [ machines.meta01 ];
promtail-password = builtins.attrValues machines;
};
in
builtins.listToAttrs (

20
secrets/buildbot-oauth-secret.age
View file

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 87T2Ig g15A5EWi9IhaxPFS6SD6YYm/aFnC0Dum7zK8/ZUtW0s
791D6C8mAy2dhDAlqRQ+q41FlQTJX2WfZQPjuwetP2A
-> ssh-ed25519 K3b7BA cJY9qIFVmucmMJLTFffkRCNYeudZl+8Yrm5SkxQ4eSI
97nXyKffZGoGJ6252UKUEJHiFgdk8XUkAAkXy2PLepM
-> ssh-ed25519 +qVung HMBSUjfmaFLVx64epj0djkqNMe3CdKN1fxAVuu+Dtmg
AxT62n2p/pP9WZmmuHClSKKgXhr4FjEQpEs0HfdNGfw
-> ssh-rsa krWCLQ
N0Duz2bONcCUZ76QhPsCJ4BHHWqzFdZLqFdl+6GeW+tgIp2Nb4la8eNfgzYGSwTy
53bRePNMIBTkChXFYt/4fUdqaiiVYg25swMeVLQBJnjJkcAks0Gf44FXLIaoPr1M
56rtixpSX31WDKwHbUF/40G6Xut8KNlI8BdwiOl9ibgnuEf4mYQbwFbRQbLMK5IK
Rf/7SEmAqqfY/HG1RqqgCs4kEpvFTKqEEDpgjOoyS2tyKN2351jya91YzotLja4I
sLoMg/G3UNtxfdaCgK7TP4IxV9blkVMDPAbyR622VbS0sEa7uJGzb86jDDsZXaKX
9iWK9n4hMKZDv9gBbhTIWg
-> ssh-ed25519 /vwQcQ hMkCrUcLGxdZMYgi1D1Kr5qUdGNfza2UTvRJKiHObgM
7Lz70zSMPk/tsU1CZGOk/BPA7NSSnSJgFbG5TjyOXvA
-> ssh-ed25519 0R97PA OQjDTknVmrYVclcqlT31YjZx+3a/0GxfjuVQFmPJ7UQ
KMGTMfO/mO5EAYacyz1hmHnQgzunRqkDeglhbGVNWe4
--- ScDZvSiVSjNXm8TSoLSAM+KpcFORnCXiemYbCBcz2jQ
™ŸÄhÜ}E¹ÊœËíUÌùᢌƒÿ…<C3BF>é™k¢ág[<5B>ñCƒ"<22>NÛj•u5« <0C>ÄCXÕöÈGt¡TOmñ

BIN
secrets/buildbot-remote-builder-key.age
View file

Binary file not shown.

BIN
secrets/buildbot-service-key.age
View file

Binary file not shown.

BIN
secrets/buildbot-signing-key.age
View file

Binary file not shown.

20
secrets/buildbot-worker-password.age
View file

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 87T2Ig df+IMqWM/HNjaY74zibFQIdUdC3K7uQlm3U9R9NUtFY
hPSbCuWvqy/7FEj7YScYztyt5GVx4Y7tgGuKKkSKoRg
-> ssh-ed25519 K3b7BA xN8wzUKHqjOb/tqA+EI+0H0MSQRihRfydchwVqYWAVU
maLMpZe8orvTT6Av+YkhT8FcG4dc7bzDgOW339nSw1g
-> ssh-ed25519 +qVung oM1uphTbjI54t4U9jNd1zORqpjBG17MwDf2eNDmOlkg
oUHVuQt2SHIwtV82pgnKJ7g2jcVBAHWOzPK46otoh34
-> ssh-rsa krWCLQ
eYspf5hUKdFQl1RxPaNTj0viAPd+kzp8Xbwn+q6fSITMacmyTY5J8FckLx2YXDxy
Qm/OsEK0ZOvxnHMrL0oAJjKSy/MamE+9heT3QO+LUN30QxbOIOqHMrl3waadWZdx
ZGOWK+r+dKGYNsxFv+t1Y/4DBKKzlXFWhJ0aL7nMOqq9+Ca+UZuE41j7eWGGPPLy
fuW/iOVVxQ+EEeCDpatQSrFPKaeWCCVP9oIDFtE4dsKxubMa4EpUoag0UvEIW182
UGS8BvMqYgx+obqJDkhXXBK9apmJS2ojcfdtCbNOCV9Ett72Nm/iY5NjLprFMLde
8wWGA6s3hBOP39lq0eiSxw
-> ssh-ed25519 /vwQcQ 3zLcLDaDVhIn2knezexYM5Fqu/O9wwORnJIhsXHqgj0
HchGikQMgkDj0qQgtDdsdKokV+nMjdv6t0uVISeU7Q8
-> ssh-ed25519 0R97PA 6lm6B6B3dzSdhdcf5rjyTu+7cCtWRxVpWeapJX3nbQo
x/w4dEfFyxPi4lbNEqgjEblPVfQyj+q1JjeQHiVFhDw
--- oo5BK1pG+43amUg803Uv511RNtdQ/PDwlXUrV/AbOAA
…ÙUqÆçïµ[f7ƒêŒë¼¨FìˆY<13>™Ùm¶ØLS?Úℶ‡÷ƒöæ<Kø©F¤z¥V^³U¨N»¯ôƒ)zÔ<7A>¥ž@<40>SÀF€Y‡ËG2^žƒ˜à„» N|

BIN
secrets/buildbot-workers.age
View file

Binary file not shown.

22
secrets/gerrit-prometheus-bearer-token.age
View file

@ -1,22 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 2D+APA jiLDQ8JlYhaivXQQhjEfZrGWn7o6Wd2OMrLorEVSPns
qRzHYcBhtGSm4RW7C4oW+VWSzHiDXkCN6bGeej2Gcpo
-> ssh-ed25519 j2r2qQ OcnIHB/vJoKuvhsT9dx1B+5lXguARtB9wSquW2KBB3M
pgzC2KOFi3Yj1gCPemVK3a9Grv2SkwZ6AI1EFdh4hoc
-> ssh-ed25519 K3b7BA ibHY8wN3rNit1mO2dJZ44rwLylMaR39a7Oz3CGV561o
4ElWORF/4lVEz33CJiuFG4rwUSIIOyi2L/W7Td7MX5M
-> ssh-ed25519 +qVung q4DDHS3M24kke2NCcpHEaUbUgoQB6QwnmDiwmdIOuBw
Yfa6v23oezdDICE8I0UaVCShKlx9lN3DnBnSb63LU64
-> ssh-rsa krWCLQ
gLBHP4Z8EBW1y7Yf9sfWMU+/fJ4WWp+NGRR7ebO5GwUeYobDYm/eYQ7rD3Q9k0rF
kU51GYBaO7m5gLqc2Tq4+YjE2/EXDvjqkDSoyNrjQaaGTLqzvPYlCvKWyROjqJjX
UwzPbQx5XVIKNgpsR9e6/hoJiJbDpavM+HQo+1zwoKAg5FvZZkE5UnIiSjuAxMgR
+tmrhBfHEYkpbCCrXVE0jLCup8gPIci1PyXWkdhJy+HyHVkbYowGwNawNobNr1cF
dJ5IU8P/DSSqZ1qWSl6ju7JKjzXU2Xq87/g7wJyrKGpe37pJmPIT86nCJTut+AK9
iFED/y/p5NCtohyhztosgA
-> ssh-ed25519 /vwQcQ rzEjV56G+USMdpWklrGQSHuzG8d+S0zWhhwrmuyTyiA
y+uMRG8NdAD0H4ipRN+sJPn1P0CGs4bk+U4qtetP3O0
-> ssh-ed25519 0R97PA ULWdDUjDg9oTEOqzCKUJl8yN+qwwmlSi1PFwRvr7aWM
YWaE+STxKfQzxYMtP/cA20q0atXLdsjeA5nJyl2f8iI
--- Avs8hTgLwcBy8hyYWjR/Jbs5YaKozv2oBmGs51ckquA
·Ü<C2B7>ÝàÕò`@½Óµ3ž ¼½5è½bY%³A†Z=KiÐÑ76,¢w,1žŒèáÎôkØåRšAÄFuÎÎ

25
secrets/grafana-oauth-secret.age
View file

@ -1,20 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 j2r2qQ JSveX4zYEjb4jJH4eg4oXA6r3oc0jBx8NgjhN9JrjlQ
1ZIr/XFClbwJHn0ppJnolpb4QlgZOA8JX5OjjY4x6pU
-> ssh-ed25519 K3b7BA sXUjuZFK0PL/KndxRCJCM5Kg8OmVseRZNWG8mL1alRc
U9MMgDtqtmsS1W5i04Pa/b4JBTSjK6FffZxgYI3phtg
-> ssh-ed25519 +qVung FNSElbiw0frYcsO0xoyPQgRGqAe/aVX21dTB6yk+GQg
zHT/xU+yfXYSBO2HLwoHrGf5ns6BDVb8MlhVVQCBlOc
-> ssh-rsa krWCLQ
ye0mLiYeyvlp4EZX7mZ3F7B9V9JSeoiCodzccS+5qIEd6gr+RTHSnKYqwf/nwf8F
qKLwbxWjpmkIzBWeswy8AJ8159aucGEmB+3/tTSwd+QlRkru4Z/7jtfU64KQttgt
vaRfc9J/85AJJ2V6Sw/xG8SgxyLBbp/XIN2+tmb0g3kAWiuLcrLk3H/MsfmxDVXg
RQjugP5K2+fEZc77dHQTrMI58K9TrSw1zYA1ee8J/fl9IJ7J77qi5UgizY+YfX8T
SmR9DeYUe+hKgCB2k/KgAxp4WOQNgUOFBTsE5FW+kQQpfGx5aqR6vCYU+CPsA3Zb
FwV0l+g4FUVy+xAtqaGSAQ
-> ssh-ed25519 /vwQcQ fbnK1jYiUwUsgD8sSTboJCBfcuwJXKNCaJaWYuIfmVk
Uj2+uBABMTxq1MBsiHXgkdFMOpIN7gfxoJVKOQff1Pw
-> ssh-ed25519 0R97PA yYOb6AYAFWvm7W2KYT5v9zznkF4Di/vatH48Xgx0x2E
yUm+MKj9496BkdX2FpLyhML7budUyqT1hL9hpghxSnI
--- ogCPBrmdbeDorj3t5BL05ge6VngXBpUEDW4qaaKIa0U
%¨šÚlD]Ϫ?©ßŠÑ(ÿ†E/Wu穉T¶îç[}ž$ÁÍS„Šˆ^[:¸]he0XUœp¸äq<C3A4>`0A
-> ssh-ed25519 j2r2qQ Xl0fSOuF0xNTJrtVGdRLRIszd15LFrG5KCFNvSBK4Go
qSEMBBw90jz4j8elpoUeyS4CTLBhZtNDhLNigesJq+0
-> ssh-ed25519 K3b7BA cKI0twKiuuTKv1Js4jqt5v8cOqpxEMY9dmVghgJtbzw
K5o31XP/nLsswsrMaxnIzCXVUtJqmJWoFglWFsV7+AQ
--- X8pvqCHeCQ0LjzcjIHThkqp6YeOOT8dBMLuktgdgeY4
sZÓ¸ŠíØ[þ²X<C2B2>“¡èÅ®Š5°=÷6)ÇT¿Q†N{•x³I1ƒ!ÓÜøB ƒzš*×íåL~K

BIN
secrets/hydra-s3-credentials.age
View file

Binary file not shown.

20
secrets/hydra-signing-priv.age
View file

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +HUDfA NMyTM3c++HKU2klLjAbUUFS81k21LUwEoqR1OUBuLjU
OrKxpksxoay93URtmN9HhnK43QrM/Gs0qRuENZvHWJI
-> ssh-ed25519 K3b7BA LloEGN8cbVvGraHs5cPIZRJJyTPFrmmeGwZyqov9m2U
XPvNpQT3aFVoidOhmePGgiTyytIWtd4rs59Qq9xl/I4
-> ssh-ed25519 +qVung 3hat0gKIl1WjXnkP6p+/8RyTxZkaVnLgV9B8plICPlY
jmRKWCUCDpDExmq4SEq8WpqQheBSRD4uqrTgxy2u6PM
-> ssh-rsa krWCLQ
QPOl96dmoxY5YtMmL68+6MQpGwZc68ajaRkcEKmYYu4/XB+mffRKsNtyiKJQwEi7
szvAced8C4RMNrCf3xyF77Sm1UV8YCyaHyplb2/yjv5YDvCDwTp2GnadDoAaLrXU
jf6ocI8409XWQHEEEofHZRjmfmIBUx1lTwbGFMt48V7MZdadFjXmSmUMvxsu/Rj5
NLjoPNRBzqPIw6U7nTSmkG2HOeHlA9Z5a33MsXYs8NPH22Spjjy+VvxrLv8VAjnf
7kGjviW4ZcdEQ7Aox+9V+6qArrIy7lJ9lOIZA2LueCtKhQAmKnInFxRyyN0Nk4ls
tjlBFJQEG2v14iaHENwRAg
-> ssh-ed25519 /vwQcQ o7qseMFb4ViV7ylSl2ug7xFZn7GZGqCapWRCq2vyVVs
hKqzk9BcK5l0VhLfPONKKv6SRnDCw2n+RoaeQbOnT8Y
-> ssh-ed25519 0R97PA DTEowwoCXTMGxfQIXOnwn5fjlih0UmQJCKs2II4gCVY
8BpVhUV8qg3zcCJe7OwHoJrfYIpBtOquqhFyfZx7mRQ
--- r2NmEyV0/Goas5lXMHeFoafcrbMHvs4ob0Zg4cVil3w
=TÏ`Ô}%xÖ¸œêFt Æêlãµ)•ò1Ð]Œ<DvwFøè:Qf@nÇÀU=~FžË-Ò!©ò÷þÌ«i6wXtü'k®ç`)AäûÌtI1Tî£U+Ú~×aÒÉПONƒÄèLþI£p@œT)¤'_ÞoDö0»,JfGVó­k/

BIN
secrets/hydra-ssh-key-priv.age
View file

Binary file not shown.

28
secrets/loki-environment.age
View file

@ -1,21 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 j2r2qQ 6qyr94uky6B36UOY0jd5NXgF2rJ3RWBUzZ32c5iOTmY
fjlI3fjYjwyNQBs4K4pq/5c7oBkf5XUXoGlBOBpmPu4
-> ssh-ed25519 K3b7BA N9VYT/ZslG07KldzO8sPE5TiYYwxJqpYU87ED4PuBXw
P1s9L57prPqM4fjcYHv+g0rgP/NvFr13CgCxthVHZ4c
-> ssh-ed25519 +qVung Ry8uUFsmYmP+Urw46lhAsCc3S+QiWu1mn8J3rIy+KFQ
iB7xAfdpHwOzAnLvosJb+F50QKsOYWr7CHC3srsS6ME
-> ssh-rsa krWCLQ
w0xIVFtUghdAO7SxZD10rBMtdQESEvYUEKxnWzLh0cjcRhaVT/BXSZQsKV2Rupoo
nDL5uy0k+tPXm0HroZ6VkZ0fH/lOpeUR69ZvJmClKql3Fnf1385+5BvT719cbbaq
yll49gx0+ms/oB9jS3SPwbOg+UJgnkZCeu9138h3MG7yWNtVuA9l5hsJioVvOVlS
Z5EXbjdQR9xYjSwR+b8MYZ97ej5fXpuULEopbx2wXt84u1e67vTETqflitR7lrzy
A6F65g35aagPJZGHzfrKVToy3pfXm9ky/30DolWLD0DpG7G6o/8afy8O4yBAGlv3
ZLTaUbrdILSz2ff1Njx4Nw
-> ssh-ed25519 /vwQcQ YqqmX/f4whOk97kCgSPo6oj/274eYlBWtS+OahAAQ34
hoCbhupzSTx+wNIorzYGHyGvU/L8unKEyD7Bqq23YP0
-> ssh-ed25519 0R97PA 17SDtfT9GzAsIsQB24AmYXpW8v4+LEakup+tdFroHTk
HIvBhAGA2GMVWFBP3OTFEn+XpPFBJDOJDK3SQ94mNKM
--- CD1QrxYGAhhy+l7U5kOXn1shCwz8pYJNuGRugPxmzJw
ñY ¾ÆN Ï<>x ™êÿrR^z[¤ã¸è…•ªa”z
óæÔÉ¿Ïžu0c¯c;y<>Ÿ¢& {ñèxA]þ†¨Q¨¼_:̱ í€öUoiDl (‹ÅëwÝKi,j.oFyÌ°$}•Y§@1”È™„Y£²è¶u Ò*¡ÏþÅ<C3BE>¥™0…
-> ssh-ed25519 j2r2qQ w0lLquFUUcmEZ/Fh1YSt85tAJkBwavORQbwMr7gMqF4
J4T+EHm1uHbCZkAUNoNcB9uGSz082mFL8+dkCnvYQnM
-> ssh-ed25519 K3b7BA 28bJZgBPPc2KIE5+b8LJuQ5L4YAiRAJzucEuOqXHdVM
7hKENFr8QX0jpwuuQEjGFrUywJuhL1Tdi2V4/gR8JWE
--- GSPZxz39TMMWv0qhotNgnXa5679Q7VK8JGjQjI7A8oM
J˛\@F“N• łĺ2®ô¨w×!Ż1Vf»§<C2BB>Ž·ŢO˛CÓw®®V°ŁšĚş.^݆ w‡n4äŕdW-Öľ"@0¨úąEĎż·°ck,]M}xŤřĚťˇŰy°[×ÁJ:!č‘ !ř螀c¬
BëąR
nřę€ţŔáĆ^9í¤M<ú

7
secrets/loki-htpasswd.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 j2r2qQ nLWy3WcVJWCl3rXkhcSbp1joqmkk06QnxhCZ4UtSvmw
iQ+Hx/vhiFgkWfbxHwGjxMBEqzyGww4/9do3W7V/y1Y
-> ssh-ed25519 K3b7BA RkF2ADcjOGtivl9MrhO/HFwxlTAkbFHWL3iinUldMiM
7q/zdVTMLevukZjkHtcN88iYzfTLvq2s3QdkgsFSO9M
--- 1b2HiK06vJPqBgHVDD0QELOtfkl7/rlgGS9uI1mSbus
„uܧoL;õå¬" 4¦Û»Z¼˜@§öãƒÐ3+93Q4óÄ o•ŒØwé“„6<>M-²DkJn´;ñ*g <0A>Yœ75ËSò)Ù°©

21
secrets/metrics-push-htpasswd.age
View file

@ -1,21 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 j2r2qQ sIYTVOTWNToDSNa4qiIaSoac7zka54g/opQ70q1SAA8
2Z1mlCWxjakHqRbArU2BkT7B/Dx0XKH7kCnBa+OYI+s
-> ssh-ed25519 K3b7BA PGyd27M/Hmk6qpRf8bcI4QWrS0vrPgjiZzaXvKQkJDQ
ixrciiNR/th0FM9MxVx/omHdI61EmAhTA465SjxECF8
-> ssh-ed25519 +qVung Q7k74fDLKwCdzobz0b6ByS2LrhMOIC58Ofto0gpBLFE
p4CIje+sO/nOaO1lzAY9n2HYLUKxEvKDbxeR6dOyM00
-> ssh-rsa krWCLQ
ezrZTitn0/BRD0K7e2K53qz9AZCa0aHlzFSuyzqyVJLdAZUxBUnfBwmGuJgKTa4Q
fWsXBs+L65hkcL6/VKS7oSGGyoEHmoPFKbb08B6FKLHt9V1td5xbHIoTYbvSavUA
g3wpTUa4eG3ivcu96VjyyBKTAc7LN7h7dSMbvvP5tpWT5vL+WstCdFf7zzUL9HBS
yI8dzEbCQIgAAaHj90MREgIIgIB27Dn1PvkEBGYky5ybBRa3DXVyqnX0dDtsXWpK
ipRPDV7HC1+x2TlqQjD5ED737r/AP573IXbnRLSEWnGDjtd/JWQmfOO3JACoRjU6
qfb5SSDT9QriuWSow7CDhQ
-> ssh-ed25519 /vwQcQ duuo3BGe4Q1MHMljgzmtpzvtiOvAHqKu2HS9SBxLuhE
GCwccbE5lX5uPIri/7Vn6hzpfL7ouJBFU14bKjl6yTM
-> ssh-ed25519 0R97PA WIFf8tbMlmNrNFF5tRcL+mOJ40SvIdppAtItWtxzCk8
miU7Z4poEVMZCeAEef1VS0jouCDxGro2xLEE3hnRJEQ
--- Iaff5rxl9r1qEnlpkOpGyBGtAvGMLyBlJQ45iInuAnw
cýI±C«¤2ˆ7µ ½³Ú“nZMþ`œ{7È`¨½V@ñyzÀÅžª€)ÛY‰DÄßÇX—o“óä ~<òš5Tpúx
ÓRÏÜö

57
secrets/metrics-push-password.age
View file

@ -1,57 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +HUDfA SrjyocQ2U/mcmsVX3bhTDPiNfnRepZ+J//d4JkVrQ0w
MELfJrKcLlC3rWKHdMZKZyXB0ztzmZUjWUcT8ibP8vE
-> ssh-ed25519 87T2Ig IN9MMxRNzgKHBmGwidVWIvq2xpNVkbioWjG0lf+B5zM
sXIXfrTak7E8isigDDnrzvjJli5ma5f9fOJnWCdDRpU
-> ssh-ed25519 wIR2ZA 4DD/V3Xq1B2t8Zb11MnvtSZ3Oq5Glvka93g313dVSyU
TrQiCJGOtitCCfNy0PdaRaPnk2mYCEPKtnOtdAzGolg
-> ssh-ed25519 oGiV/Q W67zxBlGYg3PhUbwBiGE2vVoIl455R+4g3EClZKwulI
2sldkyyBUGxhXRCoa/vW5LrxbI0TqerOeOqrTtzY3Mo
-> ssh-ed25519 gO3aog YVF4hdjNYxOPE8v95BENIb6khsu0+tztaPNNCsXoWDE
LLX/uofYt5/HQ7q5L35UK2t05rOlhCDnC4SIJx0bNtM
-> ssh-ed25519 r/iJSw RMwg0xLCOVA+wc08f67kkUVIgy6W3Ypd3jRkRHFA+l4
KR5RElZHGzzLU9hjr3Qg3NwudDxMtHqcf2t6xjDMz+U
-> ssh-ed25519 N/+Clw BBYMWbIT8dXcD7SU+LrIuFeM+2RodGF2rW1ubx/W9mU
yANEUWhFtNkx3VArOTTW+rREcxwzkN47CD2kK6JsMns
-> ssh-ed25519 CtkSZw wy5ZfWI6tqN3OZDqRZvb6lhj8Pt+GrP3YryqhjH0ugo
OtY/WsGkJJghGGAh4cfZOxkg/WcYJ4w2gu4Hu9VHntc
-> ssh-ed25519 keg2lg lzE0HqDHBwDyuc5m5T9YSxxTgEk4mOQWY3l7a1+QKD0
cn07YAocsIrSeWo1ZGyFzq3un8kdpEuS6zYpKs7G/iI
-> ssh-ed25519 H885DA eZJW1T2VPMhDs/ygauDFdd1Md3D830ysel1yUZkZoSI
wpq1+ndzQWUUN2yYMKnEZrOcgCuqKIrDjaeX+XpkQgk
-> ssh-ed25519 Rq7K4Q CQ+Y2k5F8Q79GF5PQh8qDmxWgrKcqJHjAodVBqKqQkc
SkcUl6dFoBQmPOOjTEopgcn5vzLH2oHICymAAS7nsAQ
-> ssh-ed25519 vvyRpw nW2eCEqQ6uCT9RgIJyCSpP4JHwQtKDSiBBp1wdVFtTE
DQcHIBTNqvFVYV1fXbGhu0pCwa++knjLpCVFC3npaS0
-> ssh-ed25519 aSEktQ 7SEG8F8UyH0gR9uT+mFfBIXsAIUFnNd2bZgyJ8C/gVQ
JTlr5eIhpepOoCxi54nrG7Wjxq9CXZYkb33kd2urdak
-> ssh-ed25519 cD6JxA QKVkY0MS3LeJf+YfwJT2yysuseg8tSAEGHOBgHFsVkc
IpAAWCWxHNg1MOBjG+JNXcTE/xNrDW8+5Cz/hNWVYvU
-> ssh-ed25519 1qYEfw pA2G6CxFosIcXsBnTUfN1wsPs3Ue5aMzo7wameAacXM
av7xGnRkh57JtgF37QtaF//eYS/pHqznHY4DJewRp5s
-> ssh-ed25519 2D+APA SOSVjgiiugDWg9HeFIlaLa+mo3q8AHhntl1tHEB6QUQ
QINZr847DASGM32Si6t1mHH6fCkKnq/sa1+3IXhaSlE
-> ssh-ed25519 eTSU6g NuV8gm/Ijo6BpZptiYua2bnYNoxuHcOtce9zGNyi0yo
E4zAIpZN5eTWJanPEwS7B6RfnnMRLDaOj+5l5L4GdCk
-> ssh-ed25519 j2r2qQ PpKKKAJikQKWAaYvDhIoiPeTkWtE1chw8lCpZ4O+LHs
4kR0ZNRMt0fljaOu3UgqVrUFnc6v916IyKdYkvz/zfA
-> ssh-ed25519 C/bBAQ m7XsRBwlHgWXifCif/8H9TcSqs0so5hha2T4tCq6qn4
QltQrR6Y3Im4xo8DtpzN5kMsHNfkpG0FE6Y2GnkrH5Y
-> ssh-ed25519 K3b7BA x91SNkgN6NSlw2FZnliA+c6zoTYyeuZh2iT+Rl+qtT4
nKU6GcX4WLTRncStiW6BS7iK7zlCVhn55FPjRNniqSc
-> ssh-ed25519 +qVung opSEU5VaLZcm4GhcKlNtG/Ut0jU6oTYQuqvnDkuSGT4
ny6Wfsi/PIj5A9q/fwL3vwnkft/yH6fqlPIXo0cklfY
-> ssh-rsa krWCLQ
p5Y5fVwyG2s7m9ClsgbcVz/fSF2lJvbXxuN8O4b6sp+QiABmSGs0R3pZuf1v9xBr
Jc0JWhl4vvvb9F9WUbJR50hIpdWo6iX4vrz3TnSvPFmnpUpRfe+a29ZJhp0vCA4a
HVaOJGlnGZ5BdSkvPslGVCPu684OmO/veL5G1H7xmN6yg2b3n7SaGF7A4+rpVqgI
6GZiFpnM6LpyKyoTyXRL0ghzjhwggQCCnBaN7GIUhvPacPdilAJWmnagQzx8aZpT
LRe1WAeKH2Lbar4UNeot3MzWkZxUXyyWszTMe1ca94N3jY7MG8adzX3guMykP5qA
eya7UOphIwkQKlVB3N5bfQ
-> ssh-ed25519 /vwQcQ xQFghc3LzwG82u+h80e3NdfbCh85OKdai32pwvS3uzs
MdUPg9BHvPX85jWnV7evkNekPrzoJuT8FP0l/mhfZDk
-> ssh-ed25519 0R97PA 8cDQRKrujysaUiD5OxdrpmWn7ZZCJ9SNbLYtWuTSmXg
HFa/6WbK4aMK3cKEMEycyiclTu8jOcCMcr1R7Ebh73c
--- wZAdkwtibHAVLCqtfmZ54ZtPwDPogkRwfKREBR2xOeY
[‹‰Ã×÷ÂûȹÂÃökRîub<75>çГRö
†qþà«ÎHÈbe{Y gÿ<67>mÀ¿¥Ûs®Æ¬„[-p¸

BIN
secrets/mimir-environment.age
View file

Binary file not shown.

BIN
secrets/netbox-environment.age
View file

Binary file not shown.

BIN
secrets/ows-deploy-key.age
View file

Binary file not shown.

12
secrets/promtail-password.age Normal file
View file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 +HUDfA ZUM0ACC/NIekvX1PkCiXTHaTeE3ybudmY3piHw2iekQ
cHj94FIR6gNJ3Hw9FI7K15OYgxbjkajGtCftD+2Mr8c
-> ssh-ed25519 2D+APA tzlyOnAXnLxXO/47n45sFPiJF3FXd98UU5ajPhD2wSs
P8ZdUiBeME17SU2BpMgOq4plyAqgzLOQWHa1+Q7cjYo
-> ssh-ed25519 j2r2qQ 3OikD9JOmug7kdPAPz+JT/ryB6xBQhu2+cwS9h5sKGI
XiIuxOyey2I6hmqabUCPzLc85q/1r9OwVGjHWYNQsp0
-> ssh-ed25519 K3b7BA Bdqcqt4GgLzuSiEnIyImDiOQGwyIhhozRXMmNrp7glI
65joZcnl0Hqe90Th2EdVgbcxUJFpy3fOgk6oPiSHh2A
--- 6x6BFNypc+u3DpsHX3SajwEy1TqsAtbFei0ddRpEoBg
äªUG¾xj4»®Îþ‡b=óžóñ¼Rd<52>3sHYÝ Ô<>*Qµ9Ã6n34&äw»~h!§ ^„[êš

29
services/baremetal-builder/assignments.nix
View file

@ -1,29 +0,0 @@
# This file contains information on which builder(s) are providing how many
# job slots and providing which nix features
let
genBuilders = { offset ? 0, count, f }: builtins.genList (x: rec { name = "builder-${toString (offset + x)}"; value = f name; }) count;
in builtins.listToAttrs (
# The first 8 builders are general purpose hydra builders
genBuilders { count = 8; f = name: {
cores = 8;
max-jobs = 8;
supported-features = [ "kvm" "nixos-test" ];
required-features = [ ];
}; }
++
# The last 2 builders are exclusively for big-parallel
genBuilders { offset = 8; count = 2; f = name: {
cores = 20;
max-jobs = 1;
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
required-features = [ "big-parallel" ];
}; }
++
# These are not currently used for hydra
genBuilders { offset = 10; count = 2; f = name: {
cores = 8;
max-jobs = 8;
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
required-features = [ ];
}; }
)

199
services/baremetal-builder/default.nix
View file

@ -1,199 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.bagel.baremetal.builders;
in
{
imports = [ ./netboot.nix ];
options = {
bagel.baremetal.builders = {
enable = lib.mkEnableOption "baremetal bagel oven";
netboot = lib.mkEnableOption "netboot";
num = lib.mkOption {
type = lib.types.int;
};
};
};
config = lib.mkIf cfg.enable {
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
users.users.builder = {
isSystemUser = true;
group = "nogroup";
home = "/var/empty";
shell = "/bin/sh";
openssh.authorizedKeys.keys = [
# Do not hardcode Hydra's public key, selectively
# add the keys of the coordinators that require us.
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
];
};
users.users.buildbot = {
isSystemUser = true;
group = "nogroup";
home = "/var/empty";
shell = "/bin/sh";
openssh.authorizedKeys.keys = [
# Do not hardcode Buildbot's public key, selectively
# add the keys of the coordinators that require us.
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
];
};
nix.settings = {
inherit ((import ./assignments.nix).${config.networking.hostName}) max-jobs cores;
};
services.openssh.extraConfig = ''
Match User buildbot
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY no
PermitTunnel no
X11Forwarding no
ForceCommand ${config.nix.package.out}/bin/nix-daemon --store /mnt --stdio
Match All
'';
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.systemd.enable = true;
boot.initrd.services.lvm.enable = true;
boot.kernel.sysctl."fs.xfs.xfssyncd_centisecs" = "12000";
fileSystems = lib.mkMerge [
(lib.mkIf (!cfg.netboot) {
"/" = {
device = "/dev/disk/by-label/root";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
})
{
"/mnt" = {
device = "/dev/disk/by-label/hydra";
fsType = "xfs";
options = ["logbsize=256k"];
};
# We want the tmp filesystem on the same filesystem as the hydra store, so that builds can use reflinks
"/tmp" = {
device = "/mnt/tmp";
options = [ "bind" ];
};
}
];
swapDevices = lib.optionals (!cfg.netboot) [
{
device = "/swapfile";
size = 50 * 1024; # 50GiB
}
];
zramSwap = {
enable = true;
memoryPercent = 25;
};
boot.kernelParams = [
"console=tty1"
"console=ttyS0,115200"
];
networking.useNetworkd = true;
networking.hostName = "builder-${toString cfg.num}";
networking.domain = "wob01.infra.forkos.org";
systemd.network = {
netdevs = {
"40-uplink" = {
netdevConfig = {
Kind = "bond";
Name = "uplink";
};
bondConfig = {
Mode = "802.3ad";
TransmitHashPolicy = "layer3+4";
};
};
};
networks = {
"40-eno1" = {
name = "eno1";
bond = [ "uplink" ];
};
"40-eno2" = {
name = "eno2";
bond = [ "uplink" ];
};
};
};
networking.interfaces.uplink.ipv6.addresses = [
{ address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
deployment.tags = [ "builders" ];
# Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
services.coredns = {
enable = true;
config = ''
. {
bind lo
forward . 2001:4860:4860::6464
template ANY A { rcode NOERROR }
}
'';
};
services.resolved.enable = false;
networking.resolvconf.useLocalResolver = true;
# Hydra blasts ssh connections and does not multiplex. Loosen some of the
# rate limiting.
services.openssh.settings = {
MaxStartups = "500:30:1000";
};
systemd.services.hydra-gc = {
wantedBy = [ "multi-user.target" ];
description = "Nix Garbage Collector";
script = ''
while : ; do
percent_filled=$(($(stat -f --format="100-(100*%a/%b)" /mnt)))
if [ "$percent_filled" -gt "54" ]; then
${config.nix.package.out}/bin/nix-store --gc --max-freed 50G --store /mnt
else
break
fi
done
'';
serviceConfig.Type = "oneshot";
serviceConfig.User = "builder";
};
systemd.timers.hydra-gc = {
timerConfig.OnUnitInactiveSec = "10min";
wantedBy = [ "timers.target" ];
};
systemd.timers.hydra-gc.timerConfig.Persistent = true;
bagel.sysadmin.enable = true;
environment.systemPackages = [ pkgs.ipmitool ];
system.stateVersion = "24.05";
};
}

169
services/baremetal-builder/netboot.nix
View file

@ -1,169 +0,0 @@
{ modulesPath, pkgs, lib, config, extendModules, ... }@node:
let
cfg = config.bagel.baremetal.builders;
in
{
config = lib.mkIf (cfg.enable && cfg.netboot) {
systemd.services.sshd.after = [ "provision-ssh-hostkey.service" ];
systemd.services.provision-ssh-hostkey = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p /etc/ssh
umask 0077
until ${pkgs.iputils}/bin/ping -c 1 vpn-gw.wob01.infra.forkos.org; do sleep 1; done
${pkgs.curl}/bin/curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key
# Run the activation script again to trigger agenix decryption
/run/current-system/activate
'';
};
system.build = {
# Build a kernel and initramfs which will download the IPXE script from hydra using
# u-root pxeboot tool and kexec into the final netbooted system.
notipxe = import (modulesPath + "/..") {
system = "x86_64-linux";
configuration =
{ pkgs, config, ... }:
{
system.stateVersion = "24.11";
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "igb" "bonding" ];
boot.kernelParams = [ "console=ttyS0,115200" "panic=1" "boot.panic_on_fail" ];
#boot.initrd.systemd.emergencyAccess = true;
networking.hostName = "${node.config.networking.hostName}-boot";
nixpkgs.overlays = import ../../overlays;
boot.loader.grub.enable = false;
fileSystems."/".device = "bogus"; # this config will never be booted
boot.initrd.systemd.enable = true;
boot.initrd.systemd.network = {
enable = true;
networks = node.config.systemd.network.networks;
netdevs = node.config.systemd.network.netdevs;
};
boot.initrd.systemd.storePaths = [
"${pkgs.u-root}/bin/pxeboot"
"${pkgs.iputils}/bin/ping"
];
boot.initrd.systemd.services.kexec = {
serviceConfig.Restart = "on-failure";
serviceConfig.Type = "oneshot";
wantedBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
script = ''
ln -sf /dev/console /dev/tty
until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done
${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe
'';
};
boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
boot.initrd.services.resolved.enable = false;
boot.initrd.systemd.contents."/etc/resolv.conf".text = ''
nameserver 2001:4860:4860::6464
'';
boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = ''
[Journal]
ForwardToConsole=yes
MaxLevelConsole=debug
'';
# Provide a bootable USB drive image
system.build.usbImage = pkgs.callPackage ({ stdenv, runCommand, dosfstools, e2fsprogs, mtools, libfaketime, util-linux, nukeReferences }:
runCommand "boot-img-${node.config.networking.hostName}" {
nativeBuildInputs = [ dosfstools e2fsprogs libfaketime mtools util-linux ];
outputs = [ "out" "firmware_part" ];
} ''
export img=$out
truncate -s 40M $img
sfdisk $img <<EOF
label: gpt
label-id: F222513B-DED1-49FA-B591-20CE86A2FE7F
type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, bootable
EOF
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((2081 * 512 + SECTORS * 512)) firmware_part.img
mkfs.vfat --invariant -i 2e24ec82 -n BOOT firmware_part.img
# Populate the files intended for /boot/firmware
mkdir -p firmware/EFI/BOOT firmware/loader/entries
cp ${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot*.efi firmware/EFI/BOOT/BOOT${lib.toUpper stdenv.hostPlatform.efiArch}.EFI
cat > firmware/loader/loader.conf << EOF
default foo
EOF
cat > firmware/loader/entries/default.conf << EOF
title Default
linux /EFI/${pkgs.stdenv.hostPlatform.linux-kernel.target}
initrd /EFI/initrd
options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
EOF
cp ${config.system.build.kernel}/${pkgs.stdenv.hostPlatform.linux-kernel.target} firmware/EFI/${pkgs.stdenv.hostPlatform.linux-kernel.target}
cp ${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile} firmware/EFI/initrd
find firmware -exec touch --date=2000-01-01 {} +
# Copy the populated /boot/firmware into the SD image
cd firmware
# Force a fixed order in mcopy for better determinism, and avoid file globbing
for d in $(find . -type d -mindepth 1 | sort); do
faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
done
for f in $(find . -type f | sort); do
mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
done
cd ..
# Verify the FAT partition before copying it.
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
cp firmware_part.img $firmware_part
''
) {};
}
;
};
# This is the config which will actually be booted
netbootVariant = extendModules {
modules = [
(
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/netboot/netboot.nix") ];
}
)
];
};
# A derivation combining all the artifacts required for netbooting for the hydra job
netbootDir = let
kernelTarget = pkgs.stdenv.hostPlatform.linux-kernel.target;
build = config.system.build.netbootVariant.config.system.build;
in
pkgs.symlinkJoin {
name = "netboot";
paths = [
build.netbootRamdisk
build.kernel
build.netbootIpxeScript
];
postBuild = ''
mkdir -p $out/nix-support
echo "file ${kernelTarget} $out/${kernelTarget}" >> $out/nix-support/hydra-build-products
echo "file initrd $out/initrd" >> $out/nix-support/hydra-build-products
echo "file ipxe $out/netboot.ipxe" >> $out/nix-support/hydra-build-products
'';
preferLocalBuild = true;
};
};
};
}

142
services/buildbot/default.nix
View file

@ -1,142 +0,0 @@
{
nodes,
config,
lib,
pkgs,
...
}:
let
cfg = config.bagel.services.buildbot;
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
ssh-keys = import ../../common/ssh-keys.nix;
inherit (lib) mkEnableOption mkOption mkIf types;
in
{
options.bagel.services.buildbot = {
enable = mkEnableOption "Buildbot";
domain = mkOption {
type = types.str;
};
builders = mkOption {
type = types.listOf types.str;
description = "List of builders to configure for Buildbot";
example = [ "builder-2" "builder-3" ];
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
age.secrets.buildbot-signing-key = {
file = ../../secrets/buildbot-signing-key.age;
owner = "buildbot-worker";
group = "buildbot-worker";
};
age.secrets.buildbot-remote-builder-key = {
file = ../../secrets/buildbot-remote-builder-key.age;
owner = "buildbot-worker";
group = "buildbot-worker";
};
services.nginx.virtualHosts.${cfg.domain} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Access-Control-Allow-Credentials 'true' always;
add_header Access-Control-Allow-Origin 'https://cl.forkos.org' always;
'';
};
services.buildbot-nix.worker = {
enable = true;
workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
# All credits to eldritch horrors for this beauty.
workerArchitectures =
{
# nix-eval-jobs runs under a lock, error reports do not (but are cheap)
other = 8;
} // (
lib.filterAttrs
(n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
(lib.zipAttrsWith
(_: lib.foldl' lib.add 0)
(lib.concatMap
(m: map (s: { ${s} = m.maxJobs; }) m.systems)
config.services.buildbot-nix.coordinator.buildMachines))
);
};
services.buildbot-nix.coordinator = {
enable = true;
inherit (cfg) domain;
debugging.enable = true;
oauth2 = {
name = "Lix";
clientId = "forkos-buildbot";
clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
resourceEndpoint = "https://identity.lix.systems";
authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
};
# TODO(raito): this is not really necessary, we never have remote buildbot workers.
# we can replace all of this with automatic localworker generation on buildbot-nix side.
workersFile = config.age.secrets.buildbot-workers.path;
allowedOrigins = [
"*.forkos.org"
];
# TODO(raito): is that really necessary when we can just collect buildMachines' systems?
buildSystems = [
"x86_64-linux"
];
buildMachines = map (n: {
hostName = nodes.${n}.config.networking.fqdn;
protocol = "ssh-ng";
# Follows Hydra.
maxJobs = 8;
sshKey = config.age.secrets.buildbot-remote-builder-key.path;
sshUser = "buildbot";
systems = [ "x86_64-linux" ];
supportedFeatures = nodes.${n}.config.nix.settings.system-features;
# Contrary to how Nix works, here we can specify non-base64 public host keys.
publicHostKey = ssh-keys.machines.${n};
}
) cfg.builders;
gerrit = {
domain = cfgGerrit.canonicalDomain;
# Manually managed account…
# TODO: https://git.lix.systems/the-distro/infra/issues/69
username = "buildbot";
port = cfgGerrit.port;
privateKeyFile = config.age.secrets.buildbot-service-key.path;
projects = [
"buildbot-test"
"nixpkgs"
"infra"
];
};
evalWorkerCount = 6;
evalMaxMemorySize = "4096";
signingKeyFile = config.age.secrets.buildbot-signing-key.path;
};
nix.settings.keep-derivations = true;
nix.gc = {
automatic = true;
dates = "hourly";
};
};
}

10
services/default.nix
View file

@ -1,13 +1,9 @@
{
imports = [
./gerrit
./hydra
./monitoring
./netbox
./ofborg
./postgres
./forgejo
./baremetal-builder
./buildbot
./netbox
./gerrit
./monitoring
];
}

143
services/forgejo/default.nix
View file

@ -1,143 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.bagel.services.forgejo;
inherit (lib) mkIf mkEnableOption mkOption types;
domain = "git.forkos.org";
in
{
options.bagel.services.forgejo = {
enable = mkEnableOption "Forgejo";
sshBindAddr = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
services.forgejo = {
enable = true;
package = pkgs.callPackage ../../pkgs/forgejo { };
database = {
type = "postgres";
createDatabase = true;
};
lfs.enable = true;
settings = {
DEFAULT = {
APP_NAME = "ForkOS";
};
server = {
PROTOCOL = "http+unix";
ROOT_URL = "https://${domain}/";
DOMAIN = "${domain}";
BUILTIN_SSH_SERVER_USER = "git";
SSH_PORT = 22;
SSH_LISTEN_HOST = cfg.sshBindAddr;
START_SSH_SERVER = true;
};
session = {
PROVIDER = "redis";
PROVIDER_CONFIG = "network=unix,addr=${config.services.redis.servers.forgejo.unixSocket},db=0";
COOKIE_NAME = "session";
};
service = {
DISABLE_REGISTRATION = true;
DEFAULT_KEEP_EMAIL_PRIVATE = true;
};
"service.explore" = {
DISABLE_USERS_PAGE = true;
};
oauth2_client = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_AUTO_REGISTRATION = true;
};
# TODO: transactional mails
cache = {
ADAPTER = "redis";
HOST = "network=unix,addr=${config.services.redis.servers.forgejo.unixSocket},db=1";
ITEM_TTL = "72h"; # increased from default 16h
};
ui = {
SHOW_USER_EMAIL = false;
};
repository = {
# Forks in forgejo are suprisingly expensive because they are full git clones.
# If we do want to enable forks, we can write a small patch that disables
# only for repositories that are as large as nixpkgs.
DISABLE_FORKS = true;
};
packages = {
# Forgejo's various package registries can easily take up a lot of space.
# We could either store the blobs on some slower disks but larger, or even
# better, use an s3 bucket for it. But until we actually have a use-case for
# this feature, we will simply keep it disabled for now.
ENABLED = false;
};
indexer = {
REPO_INDEXER_REPO_TYPES = "sources,mirrors,templates"; # skip forks
REPO_INDEXER_ENABLED = true;
ISSUE_INDEXER_TYPE = "bleve";
};
"git.timeout" = {
MIGRATE = 3600; # increase from default 600 (seconds) for something as large as nixpkgs on a slow uplink
};
log = {
LEVEL = "Warn";
};
};
};
systemd.services.forgejo = {
serviceConfig = lib.optionalAttrs (config.services.forgejo.settings.server.SSH_PORT < 1024) {
AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
PrivateUsers = lib.mkForce false;
};
# start Forgejo *after* sshd.service, so in case Forgejo tries to wildcard bind :22 due to
# a bug or whatever, we don't lose OpenSSH in a race.
wants = [ "sshd.service" "redis-forgejo.service" ];
requires = [ "sshd.service" "redis-forgejo.service" ];
};
services.redis.servers.forgejo = {
enable = true;
user = "forgejo";
};
services.nginx = {
enable = true;
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
};
};
networking.firewall.allowedTCPPorts = [
80
443
config.services.forgejo.settings.server.SSH_PORT
];
};
}

113
services/gerrit/checks.js
View file

@ -1,113 +0,0 @@
/* Inspired from the Lix setup.
* Original-Author: puckipedia
*/
Gerrit.install((plugin) => {
// TODO: can we just use `plugin.serverInfo().plugin` and control the settings over there.
const configuration = {
baseUri: @BASE_URI@,
supportedProjects: @SUPPORTED_PROJECTS@,
};
function makeBuildbotUri(suffix) {
return `${configuration.baseUri}/${suffix}`;
}
let builders = [];
let fetchBuilders = async () => {
if (builders.length > 0) return;
let data = await (await fetch(makeBuildbotUri(`api/v2/builders`), { credentials: 'include' })).json();
builders = data.builders;
};
let checksProvider;
checksProvider = {
async fetch({ repo, patchsetSha, changeNumber, patchsetNumber }, runBefore = false) {
if (!configuration.supportedProjects.includes(repo)) {
return { responseCode: 'OK' };
}
let num = changeNumber.toString(10);
let branch = `refs/changes/${num.substr(-2)}/${num}/${patchsetNumber}`;
let changeFetch = await fetch(makeBuildbotUri(`api/v2/changes?limit=1&order=-changeid&revision=${patchsetSha}&branch=${branch}`), { credentials: 'include' });
if (changeFetch.status == 400) {
if ((await changeFetch.json()).error === 'invalid origin' && !runBefore) {
return await checksProvider.fetch({ repo, patchsetSha, changeNumber, patchsetNumber }, true);
}
return { responseCode: 'OK' };
} else if (changeFetch.status === 403) {
return { responseCode: 'NOT_LOGGED_IN', loginCallback() {
window.open(configuration.baseUri);
} };
}
let changes = await changeFetch.json();
if (changes.meta.total === 0) {
return { responseCode: 'OK' };
}
let { changeid } = changes.changes[0];
let { builds } = await (await fetch(makeBuildbotUri(`api/v2/changes/${changeid}/builds?property=owners&property=workername`), { credentials: 'include' })).json();
await fetchBuilders();
let links = [];
let runs = [];
for (let build of builds) {
let name = `unknown builder ${build.builderid}`;
for (let builder of builders) {
if (builder.builderid === build.builderid) {
name = builder.name;
break;
}
}
if (name === `${repo}/nix-eval`) {
links.push({
url: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
primary: true,
icon: 'external',
});
}
let checkrun = {
attempt: build.buildrequestid,
// FIXME: generalize this accordingly once auto-discovery is available.
checkName: name.replace(/^hydraJobs\./, ''),
externalId: build.buildrequestid.toString(),
status: build.complete ? 'COMPLETED' : (typeof build.started_at !== 'number' ? 'SCHEDULED' : 'RUNNING'),
checkLink: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
labelName: 'Verified',
results: [],
links: [{
url: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
primary: true,
icon: 'external',
}],
};
if (build.started_at !== null) {
checkrun.startedTimestamp = new Date(build.started_at * 1000);
}
if (build.complete_at !== null) {
checkrun.finishedTimestamp = new Date(build.complete_at * 1000);
}
if (build.results !== null) {
checkrun.results = [{
category: build.results < 2 ? 'SUCCESS' : 'ERROR',
summary: build.state_string,
}];
}
runs.push(checkrun);
}
return { responseCode: 'OK', runs, links };
}
};
plugin.checks().register(checksProvider);
});

61
services/gerrit/default.nix
View file

@ -3,11 +3,9 @@
{ pkgs, config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption types head;
inherit (lib) mkEnableOption mkIf mkOption types;
cfgGerrit = config.services.gerrit;
cfg = config.bagel.services.gerrit;
jdk = pkgs.openjdk21_headless;
in
{
options.bagel.services.gerrit = {
@ -16,33 +14,21 @@ in
type = types.listOf types.str;
description = "List of domains that Gerrit will answer to";
};
canonicalDomain = mkOption {
type = types.str;
description = "Canonical domain for this Gerrit instance";
default = head cfg.domains;
};
data = mkOption {
type = types.path;
default = "/var/lib/gerrit";
description = "Root of data directory for the Gerrit";
};
port = mkOption {
type = types.port;
default = 29418;
readOnly = true;
description = "Port for the Gerrit SSH server";
};
};
imports = [
./www.nix
./one-way-sync.nix
];
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ cfg.port ];
networking.firewall.allowedTCPPorts = [ 29418 ];
environment.systemPackages = [ jdk ];
environment.systemPackages = [ pkgs.openjdk17_headless ];
fileSystems."/var/lib/gerrit" = mkIf (cfg.data != "/var/lib/gerrit") {
device = cfg.data;
@ -70,31 +56,20 @@ in
"webhooks"
];
plugins = with pkgs.gerritPlugins; [
plugins = with pkgs.gerritPlugins; [
oauth
metrics-reporter-prometheus
# Buildbot checks plugin (writeText because services.gerrit.plugins expects packages)
(pkgs.runCommand "checks.js" {
BASE_URI = builtins.toJSON "https://buildbot.forkos.org";
SUPPORTED_PROJECTS = builtins.toJSON [
"infra"
"nixpkgs"
"buildbot-test"
];
}
''
echo "configuring buildbot checks plugin for $BASE_URI with $SUPPORTED_PROJECTS project list"
substitute ${./checks.js} $out \
--replace-fail "@BASE_URI@" "$BASE_URI" \
--replace-fail "@SUPPORTED_PROJECTS@" "$SUPPORTED_PROJECTS"
'')
];
package = pkgs.gerrit;
jvmHeapLimit = "32g";
jvmPackage = jdk;
# In some NixOS channel bump, the default version of OpenJDK has
# changed to one that is incompatible with our current version of
# Gerrit.
#
# TODO(tazjin): Update Gerrit and remove this when possible.
jvmPackage = pkgs.openjdk17_headless;
settings = {
# Performance settings
@ -129,7 +104,7 @@ in
core.packedGitMmap = true;
## Takes more CPU but the transfer is smaller.
pack.deltacompression = true;
pack.deltacompression = false;
pack.threads = 8;
# FIXME(raito):
@ -142,7 +117,7 @@ in
# Other settings
log.jsonLogging = true;
log.textLogging = false;
sshd.advertisedAddress = "${cfg.canonicalDomain}:${toString cfg.port}";
sshd.advertisedAddress = "cl.forkos.org:29418";
cache.web_sessions.maxAge = "3 months";
plugins.allowRemoteAdmin = false;
change.enableAttentionSet = true;
@ -157,7 +132,7 @@ in
# Configures gerrit for being reverse-proxied by nginx as per
# https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
gerrit = {
canonicalWebUrl = "https://${cfg.canonicalDomain}";
canonicalWebUrl = "https://cl.forkos.org";
docUrl = "/Documentation";
defaultBranch = "refs/heads/main";
};
@ -174,7 +149,7 @@ in
# Auto-link other CLs
commentlink.gerrit = {
match = "cl/(\\d+)";
link = "https://${cfg.canonicalDomain}/$1";
link = "https://cl.forkos.org/$1";
};
# Configures integration with Keycloak, which then integrates with a
@ -246,14 +221,6 @@ in
User = "git";
Group = "git";
};
environment.REVWALK_USE_PRIORITY_QUEUE = "true";
};
age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/gerrit-prometheus-bearer-token.age;
bagel.monitoring.grafana-agent.exporters.gerrit = {
port = 4778; # grrt
bearerTokenFile = config.age.secrets.gerrit-prometheus-bearer-token.path;
scrapeConfig.metrics_path = "/plugins/metrics-reporter-prometheus/metrics";
};
};
}

132
services/gerrit/one-way-sync.nix
View file

@ -1,132 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.bagel.nixpkgs.one-way-sync;
inherit (lib) mkIf mkOption mkEnableOption types mapAttrs';
mkSyncTimer = { name, timer, ... }: {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = timer;
Persistent = true;
Unit = "ows-${name}.service";
};
};
mkSyncService = targetRef: { name, fromUri, fromRefspec, localRefspec, ... }: {
path = [ pkgs.gitFull pkgs.openssh pkgs.lix ];
script = ''
set -xe
RUNTIME_DIRECTORY="/run/onewaysync-${name}"
trap "git worktree remove -f "$RUNTIME_DIRECTORY"/${name}" EXIT
if [ ! -d "/var/lib/onewaysync/nixpkgs" ]; then
echo "First run, synchronizing nixpkgs..."
git clone https://cl.forkos.org/nixpkgs /var/lib/onewaysync/nixpkgs
fi
cd /var/lib/onewaysync/nixpkgs
echo "Syncing ${fromUri}:${fromRefspec} to /var/lib/onewaysync/nixpkgs:${targetRef}"
echo "Current ref: $EXPECTED_REF"
git worktree add -f "$RUNTIME_DIRECTORY"/${name} refs/remotes/origin/${localRefspec}
cd "$RUNTIME_DIRECTORY"/${name}
git pull origin ${localRefspec}
EXPECTED_REF=$(git rev-list refs/remotes/origin/${localRefspec} | head -1)
git config user.name Fork-o-Tron
git config user.email noreply@forkos.org
git fetch ${fromUri} ${fromRefspec}
'' + lib.optionalString (!(lib.hasInfix "staging" localRefspec)) ''
OLD_STDENV=$(nix eval -f . stdenv.outPath --store "$RUNTIME_DIRECTORY")
'' + ''
git merge FETCH_HEAD
'' + lib.optionalString (!(lib.hasInfix "staging" localRefspec)) ''
NEW_STDENV=$(nix eval -f . stdenv.outPath --store "$RUNTIME_DIRECTORY")
# Do not allow auto-merging a staging iteration
test "$OLD_STDENV" = "$NEW_STDENV"
'' + ''
GIT_SSH_COMMAND='ssh -i ${cfg.deployKeyPath}' git push ${cfg.pushUrl} HEAD:${targetRef}
'';
serviceConfig = {
User = "git";
Group = "git";
Type = "oneshot";
RuntimeDirectory = "onewaysync-${name}";
WorkingDirectory = "/run/onewaysync-${name}";
StateDirectory = "onewaysync";
};
};
in
{
options.bagel.nixpkgs.one-way-sync = {
enable = mkEnableOption "the one-way sync from GitHub repositories";
referenceDir = mkOption {
type = types.str;
default = "/var/lib/gerrit/git/nixpkgs.git";
description = "Local repository reference";
};
workingDir = mkOption {
type = types.str;
default = "/run/onewaysync/";
description = "Working directory for the service";
};
pushUrl = mkOption {
type = types.str;
example = "ssh://...";
description = "Push URL for the target repository";
};
deployKeyPath = mkOption {
type = types.path;
example = "/run/agenix.d/ows-priv-key";
description = "Deployment private SSH key to push to the repository";
};
branches = mkOption {
type = types.attrsOf (types.submodule ({ ... }:
{
options = {
name = mkOption {
type = types.str;
description = "User-friendly name";
};
fromUri = mkOption {
type = types.str;
description = "Git URI from which we need to sync";
};
fromRefspec = mkOption {
type = types.str;
description = "refspec for the fetch";
};
localRefspec = mkOption {
type = types.str;
default = "local refspec in the local repository to get the expected reference and avoid stale info";
};
timer = mkOption {
type = types.str;
description = "Calendar format everytime we need to run the sync";
};
};
}));
description = "Set of branches mapping from cl.forkos.org to other Git repositories";
};
};
config = mkIf cfg.enable {
systemd.timers = mapAttrs' (name: value: {
name = "ows-${value.name}";
value = mkSyncTimer value;
}) cfg.branches;
systemd.services = mapAttrs' (name: value: {
name = "ows-${value.name}";
value = mkSyncService name value;
}) cfg.branches;
};
}

2
services/gerrit/www.nix
View file

@ -25,7 +25,7 @@ in
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
proxy_set_header Host $host:443;
# Gerrit can throw a lot of data.
proxy_buffering off;
proxy_buffering on;
# NGINX should not give up super fast. Things can take time.
proxy_read_timeout 3600;
}

88
services/hydra/default.nix
View file

@ -1,51 +1,14 @@
{ nodes, config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.bagel.services.hydra;
ssh-keys = import ../../common/ssh-keys.nix;
narCacheDir = "/var/cache/hydra/nar-cache";
port = 3000;
mkCacheSettings = settings: builtins.concatStringsSep "&" (
lib.mapAttrsToList (k: v: "${k}=${v}") settings
);
# XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
# a string with shell-style command interpolations: $(...).
mkBaremetalBuilder = {
parallelBuilds,
publicHostKey,
host,
speedFactor ? 1,
user ? "builder",
supportedSystems ? [ "i686-linux" "x86_64-linux" ],
supportedFeatures ? [ "big-parallel" "kvm" "nixos-test" ],
requiredFeatures ? [ ]
}:
let
supportedFeatures_ = if (supportedFeatures != []) then lib.concatStringsSep "," supportedFeatures else "-";
requiredFeatures_ = if (requiredFeatures != []) then lib.concatStringsSep "," requiredFeatures else "-";
in
"ssh://${user}@${host}?remote-store=/mnt ${lib.concatStringsSep "," supportedSystems} ${config.age.secrets.hydra-ssh-key-priv.path} ${toString parallelBuilds} ${toString speedFactor} ${supportedFeatures_} ${requiredFeatures_} $(echo -n '${publicHostKey}' | base64 -w0)";
# TODO:
# - generalize to new architectures
# - generalize to new features
baremetalBuilders = lib.concatStringsSep "\n"
(map (n: let
assignments = (import ../baremetal-builder/assignments.nix).${n} or {
inherit (nodes.${n}.config.nix.settings) max-jobs;
supported-features = [ "big-parallel" "kvm" "nixos-test" ];
required-features = [];
};
in mkBaremetalBuilder {
parallelBuilds = assignments.max-jobs;
supportedFeatures = assignments.supported-features;
requiredFeatures = assignments.required-features;
publicHostKey = ssh-keys.machines.${n};
host = nodes.${n}.config.networking.fqdn;
}) cfg.builders);
);
in {
options.bagel.services.hydra = with lib; {
enable = mkEnableOption "Hydra coordinator";
@ -54,24 +17,11 @@ in {
type = types.str;
description = "DBI connection string for the Hydra postgres database";
};
builders = mkOption {
type = types.listOf types.str;
description = "List of builders to configure for Hydra";
example = [ "builder-0" "builder-1" ];
};
};
config = lib.mkIf cfg.enable {
# TODO: we should assert or warn that the builders
# does indeed have our public SSH key and are *builders*
# as a simple evaluation preflight check.
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
@ -83,16 +33,7 @@ in {
# XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
#
# Can be removed once this is added to some common config template.
nix.settings.trusted-users = [ "root" "hydra" "hydra-www" "@wheel" ];
# Because Hydra can't fetch flake inputs otherwise... also yes, this
# prefix-based matching is absurdly bad.
nix.settings.allowed-uris = [
"github:"
"https://github.com/"
"https://git.lix.systems/"
"https://git@git.lix.systems/"
];
nix.settings.trusted-users = [ "root" "@wheel" ];
services.hydra-dev = {
enable = true;
@ -101,20 +42,18 @@ in {
port = port;
dbi = cfg.dbi;
hydraURL = "https://hydra.forkos.org";
hydraURL = "https://hydra.bagel.delroth.net";
useSubstitutes = false;
notificationSender = "hydra@forkos.org";
notificationSender = "bagel@delroth.net";
# XXX: hydra overlay sets pkgs.hydra, but hydra's nixos module uses
# pkgs.hydra_unstable...
package = pkgs.hydra;
buildMachinesFiles = [
(pkgs.runCommandNoCC "hydra-builders.conf" {} ''
cat >$out <<EOF
${baremetalBuilders}
EOF
(pkgs.writeText "hydra-builders.conf" ''
ssh://bagel-builder@epyc.infra.newtype.fr i686-linux,x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9YVDlJbml0MU1oS3Q0cmpCQU5McTB0MGJQd3cvV1FaOTZ1QjRBRURybWwgcm9vdEBuaXhvcwo=
'')
];
@ -123,7 +62,7 @@ in {
endpoint = "s3.delroth.net";
region = "garage";
secret-key = config.age.secrets.hydra-signing-priv.path;
#secret-key = "TODO";
compression = "zstd";
log-compression = "br";
@ -138,7 +77,7 @@ in {
upload_logs_to_binary_cache = true
evaluator_workers = 16
evaluator_workers = 4
evaluator_max_memory_size = 4096
max_concurrent_evals = 1
@ -149,11 +88,8 @@ in {
'';
};
systemd.services.hydra-queue-runner = {
# FIXME: should probably be set in the upstream Hydra module?
wants = [ "network-online.target" ];
serviceConfig.EnvironmentFile = config.age.secrets.hydra-s3-credentials.path;
};
systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
config.age.secrets.hydra-s3-credentials.path;
services.nginx = {
enable = true;
@ -172,7 +108,7 @@ in {
worker_processes auto;
'';
virtualHosts."hydra.forkos.org" = {
virtualHosts."hydra.bagel.delroth.net" = {
forceSSL = true;
enableACME = true;

129
services/monitoring/agent.nix
View file

@ -1,129 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.bagel.monitoring.grafana-agent;
inherit (lib) mkEnableOption mkOption mkIf types;
passwordAsCredential = "\${CREDENTIALS_DIRECTORY}/password";
in
{
options.bagel.monitoring.grafana-agent = {
enable = (mkEnableOption "Grafana Agent") // { default = true; };
exporters = mkOption {
description = ''
Set of additional exporters to scrape.
The attribute name will be used as `job_name`
internally, which ends up exported as `job` label
on all metrics of that exporter.
'';
type = types.attrsOf (types.submodule ({ config, name, ... }: {
options.port = mkOption {
description = "Exporter port";
type = types.int;
};
options.bearerTokenFile = mkOption {
description = "File containing a bearer token";
type = types.nullOr types.path;
default = null;
};
options.scrapeConfig = mkOption {
description = "Prometheus scrape config";
type = types.attrs;
};
config.scrapeConfig = lib.mkMerge [{
job_name = name;
static_configs = [
{ targets = [ "localhost:${toString config.port}" ]; }
];
} (lib.mkIf (config.bearerTokenFile != null) {
authorization.credentials_file = "\${CREDENTIALS_DIRECTORY}/${name}-bearer-token";
})];
options.secrets = mkOption {
description = "Secrets required for scrape config";
type = types.attrs;
internal = true;
default = {};
};
config.secrets = lib.mkIf (config.bearerTokenFile != null) {
"${name}-bearer-token" = config.bearerTokenFile;
};
}));
default = {};
};
};
config = mkIf cfg.enable {
age.secrets.grafana-agent-password.file = ../../secrets/metrics-push-password.age;
services.grafana-agent = {
enable = true;
credentials = lib.mkMerge ([{ password = config.age.secrets.grafana-agent-password.path; }] ++
lib.mapAttrsToList (name: value: value.secrets) config.bagel.monitoring.grafana-agent.exporters);
settings = {
metrics = {
global.remote_write = [
{
url = "https://mimir.forkos.org/api/v1/push";
basic_auth = {
username = "promtail";
password_file = passwordAsCredential;
};
}
];
global.external_labels.hostname = config.networking.hostName;
configs = [
{
name = config.networking.hostName;
scrape_configs = lib.mapAttrsToList (name: value: value.scrapeConfig) config.bagel.monitoring.grafana-agent.exporters;
}
];
};
logs = {
global.clients = [
{
url = "https://loki.forkos.org/loki/api/v1/push";
basic_auth = {
username = "promtail";
password_file = passwordAsCredential;
};
}
];
configs = [
{
name = "journald";
scrape_configs = [
{
job_name = "system";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
];
}
];
}
];
positions_directory = "\${STATE_DIRECTORY}/positions";
};
integrations.node_exporter.enable_collectors = [
"processes"
"systemd"
];
};
};
};
}

2
services/monitoring/default.nix
View file

@ -2,6 +2,6 @@
imports = [
./exporters
./lgtm
./agent.nix
./promtail.nix
];
}

34
services/monitoring/exporters/baseline.nix Normal file
View file

@ -0,0 +1,34 @@
{
config,
lib,
...
}:
let
cfg = config.bagel.monitoring.exporters.baseline;
inherit (lib) mkEnableOption mkIf;
in
{
options.bagel.monitoring.exporters.baseline.enable = (mkEnableOption "Standard set of exporters") // { default = true; };
config = mkIf cfg.enable {
services.prometheus.exporters.node = {
enable = true;
enabledCollectors = [
"processes"
"systemd"
];
port = 9101;
};
services.cadvisor = {
enable = true;
port = 9102;
listenAddress = "0.0.0.0";
};
bagel.meta.monitoring.exporters = [
{ port = 9101; }
{ port = 9102; }
];
};
}

22
services/monitoring/exporters/cadvisor.nix
View file

@ -1,22 +0,0 @@
{
config,
lib,
...
}:
let
cfg = config.bagel.monitoring.exporters.cadvisor;
inherit (lib) mkEnableOption mkIf;
in
{
options.bagel.monitoring.exporters.cadvisor.enable = (mkEnableOption "Standard cAdvisor") // { default = !config.boot.isContainer; };
config = mkIf cfg.enable {
services.cadvisor = {
enable = true;
port = 9102;
listenAddress = "0.0.0.0";
};
bagel.monitoring.grafana-agent.exporters.cadvisor.port = 9102;
};
}

31
services/monitoring/exporters/default.nix
View file

@ -1,7 +1,36 @@
{
config,
lib,
...
}:
let
inherit (lib) mkOption types;
in
{
imports = [
./cadvisor.nix
./baseline.nix
./nginx.nix
./postgres.nix
];
options.bagel = {
meta.monitoring = {
address = mkOption {
description = "Node's public address";
type = types.str;
};
exporters = mkOption {
description = "List of all exporters to scrape";
type = types.listOf (types.submodule {
options.port = mkOption {
description = "Exporter port";
type = types.int;
};
});
default = [];
};
};
};
config.networking.firewall.allowedTCPPorts = map (e: e.port) config.bagel.meta.monitoring.exporters;
}

4
services/monitoring/exporters/nginx.nix
View file

@ -30,6 +30,8 @@ in
];
};
bagel.monitoring.grafana-agent.exporters.nginxlog.port = 9103;
bagel.meta.monitoring.exporters = [
{ port = 9103; }
];
};
}

4
services/monitoring/exporters/postgres.nix
View file

@ -24,6 +24,8 @@ in
services.postgresql.settings.shared_preload_libraries = "pg_stat_statements";
bagel.monitoring.grafana-agent.exporters.postgres.port = 9104;
bagel.meta.monitoring.exporters = [
{ port = 9104; }
];
};
}

5
services/monitoring/lgtm/alerts/demo.yaml
View file

@ -1,5 +0,0 @@
groups:
- name: Demo alerts
rules:
- alert: Demo alert
expr: 1

35
services/monitoring/lgtm/dashboards/nginx.json
View file

@ -26,6 +26,7 @@
"fiscalYearStartMonth": 0,
"gnetId": 15947,
"graphTooltip": 0,
"id": 4,
"links": [],
"liveNow": false,
"panels": [
@ -92,7 +93,7 @@
},
"editorMode": "code",
"exemplar": true,
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^2..\",hostname=\"$hostname\"}[1m])) / sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) * 100",
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^2..\",instance=\"$host\"}[1m])) / sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) * 100",
"hide": false,
"interval": "",
"legendFormat": "2** status codes",
@ -105,7 +106,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^4..\",hostname=\"$hostname\"}[1m])) / sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) * 100",
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^4..\",instance=\"$host\"}[1m])) / sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) * 100",
"interval": "",
"legendFormat": "4** status codes",
"refId": "A"
@ -116,7 +117,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^5..\",hostname=\"$hostname\"}[1m])) / sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) * 100",
"expr": "sum(rate(nginx_http_response_count_total{status=~\"^5..\",instance=\"$host\"}[1m])) / sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) * 100",
"hide": false,
"interval": "",
"legendFormat": "5** status codes",
@ -215,7 +216,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "sum(rate(nginx_http_response_time_seconds_count{hostname=\"$hostname\"}[1m])) ",
"expr": "sum(rate(nginx_http_response_time_seconds_count{instance=\"$host\"}[1m])) ",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
@ -315,7 +316,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "sum(rate(nginx_http_response_size_bytes{hostname=\"$hostname\"}[5m])) ",
"expr": "sum(rate(nginx_http_response_size_bytes{instance=\"$host\"}[5m])) ",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
@ -413,7 +414,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "sum(rate(nginx_http_response_time_seconds_sum{hostname=\"$hostname\"}[5m])) / sum(rate(nginx_http_response_time_seconds_count{hostname=\"$hostname\"}[5m])) ",
"expr": "sum(rate(nginx_http_response_time_seconds_sum{instance=\"$host\"}[5m])) / sum(rate(nginx_http_response_time_seconds_count{instance=\"$host\"}[5m])) ",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
@ -512,7 +513,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "sum(rate(nginx_http_response_count_total{hostname=\"$hostname\"}[1m])) by (status)",
"expr": "sum(rate(nginx_http_response_count_total{instance=\"$host\"}[1m])) by (status)",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
@ -611,7 +612,7 @@
"uid": "mimir"
},
"exemplar": true,
"expr": "nginx_http_response_time_seconds{quantile=\"0.9\",method=\"GET\",status=~\"2[0-9]*\",hostname=~\"$hostname\"}",
"expr": "nginx_http_response_time_seconds{quantile=\"0.9\",method=\"GET\",status=~\"2[0-9]*\",instance=~\"$host\"}",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
@ -630,25 +631,25 @@
"list": [
{
"current": {
"selected": true,
"text": "bagel-box",
"value": "bagel-box"
"isNone": true,
"selected": false,
"text": "None",
"value": ""
},
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"definition": "label_values(nginx_http_response_count_total,hostname)",
"definition": "label_values(nginx_http_response_count_total,instance)",
"hide": 0,
"includeAll": false,
"label": "Host:",
"multi": false,
"name": "hostname",
"name": "host",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(nginx_http_response_count_total,hostname)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
"query": "label_values(nginx_http_response_count_total,instance)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
@ -691,6 +692,6 @@
"timezone": "",
"title": "NGINX Log Metrics [M]",
"uid": "JfOTY2Pnk",
"version": 1,
"version": 4,
"weekStart": ""
}

582
services/monitoring/lgtm/dashboards/node_exporter.json
View file

File diff suppressed because it is too large Load diff

13362
services/monitoring/lgtm/dashboards/postgres.json
View file

File diff suppressed because it is too large Load diff

1718
services/monitoring/lgtm/dashboards/postgres2.json
View file

File diff suppressed because it is too large Load diff

2
services/monitoring/lgtm/default.nix
View file

@ -2,6 +2,6 @@
imports = [
./grafana.nix
./loki.nix
./mimir.nix
./prometheus.nix
];
}

22
services/monitoring/lgtm/grafana.nix
View file

@ -36,12 +36,6 @@ in
host = "/run/postgresql";
};
"auth.anonymous" = {
enabled = true;
org_name = "Main Org.";
org_role = "Viewer";
};
"auth.generic_oauth" = {
enabled = true;
@ -98,7 +92,6 @@ in
uid = "mimir";
access = "proxy";
url = "http://127.0.0.1:9009/prometheus";
isDefault = true;
}
{
name = "Loki";
@ -107,17 +100,6 @@ in
access = "proxy";
url = "http://127.0.0.1:9090/";
}
{
name = "Mimir Alertmanager";
type = "alertmanager";
uid = "mimir-alertmanager";
access = "proxy";
url = "http://127.0.0.1:9009/";
jsonData = {
handleGrafanaManagedAlerts = true;
implementation = "mimir";
};
}
];
};
};
@ -147,7 +129,5 @@ in
};
};
};
bagel.monitoring.grafana-agent.exporters.grafana.port = 2342;
};
};
}

25
services/monitoring/lgtm/loki.nix
View file

@ -12,8 +12,8 @@ in
config = mkIf cfg.enable {
age.secrets = {
metrics-push-htpasswd = {
file = ../../../secrets/metrics-push-htpasswd.age;
loki-htpasswd = {
file = ../../../secrets/loki-htpasswd.age;
owner = "nginx";
};
loki-environment.file = ../../../secrets/loki-environment.age;
@ -88,22 +88,13 @@ in
systemd.services.loki.serviceConfig.EnvironmentFile = [ config.age.secrets.loki-environment.path ];
services.nginx = {
upstreams.loki = {
servers."127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = {};
extraConfig = "keepalive 16;";
};
virtualHosts."loki.forkos.org" = {
enableACME = true;
forceSSL = true;
locations."/loki/api/v1/push" = {
proxyPass = "http://loki";
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
};
services.nginx.virtualHosts."loki.forkos.org" = {
enableACME = true;
forceSSL = true;
locations."/loki/api/v1/push" = {
proxyPass = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}";
basicAuthFile = config.age.secrets.loki-htpasswd.path;
};
};
bagel.monitoring.grafana-agent.exporters.loki.port = 9090;
};
}

115
services/monitoring/lgtm/mimir.nix
View file

@ -1,115 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.bagel.services.prometheus;
inherit (lib) mkEnableOption mkIf;
mimirPort = config.services.mimir.configuration.server.http_listen_port;
in
{
options.bagel.services.prometheus.enable = mkEnableOption "Prometheus scraper";
config = mkIf cfg.enable {
age.secrets = {
metrics-push-htpasswd = {
file = ../../../secrets/metrics-push-htpasswd.age;
owner = "nginx";
};
mimir-environment.file = ../../../secrets/mimir-environment.age;
};
services.mimir = {
enable = true;
extraFlags = ["--config.expand-env=true"];
configuration = {
target = "all,alertmanager";
multitenancy_enabled = false;
common.storage = {
backend = "s3";
s3 = {
endpoint = "s3.delroth.net";
bucket_name = "bagel-mimir";
secret_access_key = "\${S3_KEY}"; # This is a secret injected via an environment variable
access_key_id = "\${S3_KEY_ID}";
};
};
server = {
http_listen_port = 9009;
grpc_server_max_recv_msg_size = 104857600;
grpc_server_max_send_msg_size = 104857600;
grpc_server_max_concurrent_streams = 1000;
};
ingester.ring.replication_factor = 1;
distributor.instance_limits.max_ingestion_rate = 0; # unlimited
limits = {
ingestion_rate = 1000000; # can't set to unlimited :(
out_of_order_time_window = "12h";
max_global_series_per_user = 0; # unlimited
};
blocks_storage.backend = "s3";
ruler_storage = {
backend = "local";
local.directory = pkgs.runCommand "mimir-rules" {} ''
mkdir -p $out
ln -s ${./alerts} $out/anonymous
'';
};
alertmanager = {
sharding_ring.replication_factor = 1;
fallback_config_file = pkgs.writers.writeYAML "alertmanager.yaml" {
route = {
group_by = ["alertname"];
receiver = "matrix";
};
receivers = [
{
name = "matrix";
}
];
};
};
alertmanager_storage.backend = "filesystem";
ruler.alertmanager_url = "http://localhost:${toString mimirPort}/alertmanager";
};
};
systemd.services.mimir = {
# Mimir tries to determine its own IP address for gossip purposes,
# even when it's the only instance, and fails if it can't find one.
# Avoid that by ensuring it starts after the network is set up.
wants = [ "network-online.target" ];
after = ["network-online.target"];
serviceConfig.EnvironmentFile = [ config.age.secrets.mimir-environment.path ];
};
services.nginx = {
upstreams.mimir = {
servers."127.0.0.1:${toString mimirPort}" = {};
extraConfig = "keepalive 16;";
};
virtualHosts."mimir.forkos.org" = {
enableACME = true;
forceSSL = true;
locations."/api/v1/push" = {
proxyPass = "http://mimir";
basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
};
};
};
bagel.monitoring.grafana-agent.exporters.mimir.port = 9009;
};
}

83
services/monitoring/lgtm/prometheus.nix Normal file
View file

@ -0,0 +1,83 @@
{
config,
lib,
nodes,
...
}:
let
cfg = config.bagel.services.prometheus;
inherit (lib) mkEnableOption mkIf;
forEachMachine = fn: map fn (builtins.attrValues nodes);
allMetas = forEachMachine (machine: {
name = machine.config.networking.hostName;
address = machine.config.bagel.meta.monitoring.address or null;
exporters = machine.config.bagel.meta.monitoring.exporters or [];
});
scrapableMetas = builtins.filter (m: m.address != null && m.exporters != []) allMetas;
toJobConfig = m: {
job_name = m.name;
static_configs = [
{ targets = map (e: m.address + ":" + (toString e.port)) m.exporters; }
];
};
jobConfigs = map toJobConfig scrapableMetas;
in
{
options.bagel.services.prometheus.enable = mkEnableOption "Prometheus scraper";
config = mkIf cfg.enable {
age.secrets.mimir-environment.file = ../../../secrets/mimir-environment.age;
services.prometheus = {
enable = true;
enableAgentMode = true;
listenAddress = "127.0.0.1";
port = 9001;
globalConfig.scrape_interval = "15s";
scrapeConfigs = jobConfigs;
remoteWrite = [
{ url = "http://localhost:9009/api/v1/push"; }
];
};
services.mimir = {
enable = true;
extraFlags = ["--config.expand-env=true"];
configuration = {
multitenancy_enabled = false;
common.storage = {
backend = "s3";
s3 = {
endpoint = "s3.delroth.net";
bucket_name = "bagel-mimir";
secret_access_key = "\${S3_KEY}"; # This is a secret injected via an environment variable
access_key_id = "\${S3_KEY_ID}";
};
};
server = {
http_listen_port = 9009;
grpc_server_max_recv_msg_size = 104857600;
grpc_server_max_send_msg_size = 104857600;
grpc_server_max_concurrent_streams = 1000;
};
ingester.ring.replication_factor = 1;
blocks_storage.backend = "s3";
ruler_storage = {
backend = "local";
local.directory = ./alerts;
};
};
};
systemd.services.mimir.serviceConfig.EnvironmentFile = [ config.age.secrets.mimir-environment.path ];
};
}

53
services/monitoring/promtail.nix Normal file
View file

@ -0,0 +1,53 @@
{
config,
lib,
...
}:
let
cfg = config.bagel.monitoring.promtail;
inherit (lib) mkEnableOption mkIf;
in
{
options.bagel.monitoring.promtail.enable = (mkEnableOption "Promtail log export") // { default = true; };
config = mkIf cfg.enable {
age.secrets.promtail-password = {
file = ../../secrets/promtail-password.age;
owner = "promtail";
};
services.promtail = {
enable = true;
configuration = {
server.disable = true;
clients = [
{
url = "https://loki.forkos.org/loki/api/v1/push";
basic_auth = {
username = "promtail";
password_file = config.age.secrets.promtail-password.path;
};
}
];
scrape_configs = [
{
job_name = "system";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
];
}
];
};
};
};
}

8
services/netbox/default.nix
View file

@ -29,7 +29,7 @@ in
listenAddress = "127.0.0.1";
settings = {
ALLOWED_HOSTS = [ cfg.domain ];
REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
# REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
};
extraConfig = lib.mkForce ''
@ -37,9 +37,9 @@ in
SECRET_KEY = env["SECRET_KEY"]
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
# SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
# SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
# SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
'';
};

35
services/ofborg/default.nix
View file

@ -1,35 +0,0 @@
{ config, lib, ... }:
let
cfg = config.bagel.services.ofborg;
amqpHost = "amqp.forkos.org";
amqpPort = 5671;
in {
options.bagel.services.ofborg = with lib; {
enable = mkEnableOption "ofborg coordinator";
};
config = lib.mkIf cfg.enable {
services.rabbitmq = {
enable = true;
configItems = {
"listeners.tcp" = "none";
"listeners.ssl.default" = builtins.toString amqpPort;
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
};
};
security.acme.certs.${amqpHost} = {
webroot = "/var/lib/acme/.challenges";
group = "rabbitmq";
};
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
"/var/lib/acme/.challenges";
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
networking.firewall.allowedTCPPorts = [ amqpPort ];
};
}

7
terraform/common.nix
View file

@ -1,7 +0,0 @@
{
# Until we get some kind of KMS operational, store secrets in the state file.
terraform.required_providers.secret = {
version = "~> 1.2.1";
source = "numtide/secret";
};
}

8
terraform/default.nix
View file

@ -1,8 +0,0 @@
{
imports = [
./common.nix
./gandi.nix
./hydra.nix
./state.nix
];
}

94
terraform/gandi.nix
View file

@ -1,94 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkEnableOption mkIf tf genList;
cfg = config.bagel.gandi;
in
{
options.bagel.gandi = {
enable = mkEnableOption "the Gandi DNS configuration";
};
config = mkIf cfg.enable {
terraform.required_providers.gandi = {
version = "~> 2.3.0";
source = "go-gandi/gandi";
};
resource.secret_resource.gandi_pat.lifecycle.prevent_destroy = true;
provider.gandi = {
personal_access_token = tf.ref "resource.secret_resource.gandi_pat.value";
};
resource.gandi_livedns_domain.forkos_org = {
name = "forkos.org";
};
resource.gandi_livedns_record = let
record = name: ttl: type: values: {
inherit name ttl type values;
};
proxyRecords = name: ttl: type: values: [
# kurisu.lahfa.xyz running a sniproxy:
(record name ttl "A" ["163.172.69.160"])
(record name ttl type values)
];
# Creates a extra *.p record pointing to the sniproxy
dualProxyRecords = name: ttl: type: values: lib.flatten [
(record name ttl type values)
(proxyRecords "${name}.p" ttl type values)
];
# TODO: make less fragile and have actual unique and stable names
canonicalName = record: let
name = builtins.replaceStrings ["." "@"] ["_" "_root_"] record.name;
in
"forkos_org_${record.type}_${name}";
forkosRecords = records:
builtins.listToAttrs (map (record: {
name = canonicalName record;
value = record // {
zone = tf.ref "resource.gandi_livedns_domain.forkos_org.id";
};
}) (lib.flatten records));
in forkosRecords ([
# (record "@" 3600 "A" ["163.172.69.160"])
(record "@" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
(dualProxyRecords "bagel-box.infra" 3600 "AAAA" ["2001:bc8:38ee:100:100::1"])
(dualProxyRecords "gerrit01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
(dualProxyRecords "meta01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
(dualProxyRecords "fodwatch.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
# git.infra.forkos.org exposes opensshd
(dualProxyRecords "git.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::41"])
# git.p.forkos.org exposes forgejo ssh server.
(proxyRecords "git.p" 3600 "AAAA" ["2001:bc8:38ee:100:1000::40"])
(dualProxyRecords "buildbot.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::50"])
(dualProxyRecords "public01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::60"])
(record "cl" 3600 "CNAME" ["gerrit01.infra.p"])
(record "fodwatch" 3600 "CNAME" ["fodwatch.infra.p"])
# git.p.forkos.org is the proxy variant of the Forgejo server.
(record "git" 3600 "CNAME" ["git.p"])
(record "netbox" 3600 "CNAME" ["meta01.infra.p"])
(record "amqp" 3600 "CNAME" ["bagel-box.infra.p"])
(record "grafana" 3600 "CNAME" ["meta01.infra.p"])
(record "hydra" 3600 "CNAME" ["bagel-box.infra.p"])
(record "loki" 3600 "CNAME" ["meta01.infra.p"])
(record "mimir" 3600 "CNAME" ["meta01.infra.p"])
(record "matrix" 3600 "CNAME" ["meta01.infra.p"])
(record "buildbot" 3600 "CNAME" ["buildbot.infra.p"])
(record "b" 3600 "CNAME" ["public01.infra.p"])
# S3 in delroth's basement
(record "cache" 3600 "CNAME" ["smol.delroth.net."])
(record "vpn-gw.wob01.infra" 3600 "AAAA" [ "2a01:584:11::2" ])
# TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
] ++ map (index: record "builder-${toString index}.wob01.infra" 3600 "AAAA" [ "2a01:584:11::1:${toString index}" ]) (genList lib.id 12));
};
}

328
terraform/hydra.nix
View file

@ -1,328 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkEnableOption mkIf types mkOption tf;
cfg = config.bagel.hydra;
in
{
options.bagel.hydra = {
enable = mkEnableOption "the Hydra jobsets";
};
config = mkIf cfg.enable {
terraform.required_providers.hydra = {
version = "~> 0.1";
source = "DeterminateSystems/hydra";
};
resource.secret_resource.hydra_password.lifecycle.prevent_destroy = true;
provider.hydra = {
host = "https://hydra.forkos.org";
username = "terraform";
password = tf.ref "resource.secret_resource.hydra_password.value";
};
resource.hydra_project.forkos = {
name = "forkos";
display_name = "ForkOS";
description = "ForkOS packages collection";
homepage = "https://cl.forkos.org";
owner = "terraform";
enabled = true;
visible = true;
};
resource.hydra_jobset.k900-experiments = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "nixpkgs-experiments";
type = "legacy";
description = "experiments branch to test things for K900";
nix_expression = {
file = "nixos/release.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://github.com/nixos/nixpkgs 03ff49192b044786362c8c94d8501eac5c6eada4";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_jobset.raito-nixos-rolling-small = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "raito-nixos-rolling-small";
type = "legacy";
description = "master branch for raito-nixos";
nix_expression = {
file = "pkgs/top-level/release.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://cl.forkos.org/nixpkgs";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_jobset.delroth-nixpkgs-staging-small = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "delroth-nixpkgs-staging-small";
type = "legacy";
description = "small eval of nixpkgs staging for testing";
nix_expression = {
file = "pkgs/top-level/release-small.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://github.com/nixos/nixpkgs staging";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_project.infra = {
name = "infra";
display_name = "ForkOS Infra";
description = "ForkOS infra repository";
homepage = "https://git.lix.system/the-distro/infra";
owner = "terraform";
enabled = true;
visible = true;
};
resource.hydra_jobset.infra_main = {
project = config.resource.hydra_project.infra.name;
state = "enabled";
visible = true;
name = "main";
type = "flake";
description = "main branch for the infra repo";
flake_uri = "git+https://git.lix.systems/the-distro/infra";
check_interval = 600;
scheduling_shares = 3000;
keep_evaluations = 5;
email_notifications = false;
};
resource.hydra_project.hydra = {
name = "hydra";
display_name = "ForkOS Hydra";
description = "ForkOS hydra fork";
homepage = "https://git.lix.system/lix-project/hydra";
owner = "terraform";
enabled = true;
visible = true;
};
resource.hydra_jobset.hydra_main = {
project = config.resource.hydra_project.hydra.name;
state = "enabled";
visible = true;
name = "main";
type = "flake";
description = "main branch for the hydra repo";
flake_uri = "git+https://git.lix.systems/lix-project/hydra";
check_interval = 600;
scheduling_shares = 3000;
keep_evaluations = 5;
email_notifications = false;
};
resource.hydra_jobset.nixos-staging-next-small = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "nixos-staging-next-small";
type = "legacy";
description = "nixos jobset for the staging-next branch";
nix_expression = {
file = "nixos/release-small.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://cl.forkos.org/nixpkgs staging-next";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_jobset.nixpkgs-staging-next = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "nixpkgs-staging-next";
type = "legacy";
description = "nixpkgs jobset for the staging-next branch";
nix_expression = {
file = "pkgs/top-level/release.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://cl.forkos.org/nixpkgs staging-next";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_jobset.nixos-main = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "nixos-main";
type = "legacy";
description = "nixos jobset for the main branch";
nix_expression = {
file = "nixos/release-combined.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://cl.forkos.org/nixpkgs main";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
};
}

21
terraform/state.nix
View file

@ -1,21 +0,0 @@
{
# We use terraform.backend.s3 directly instead of the type-checked Terranix
# backend.s3 options. The latter does not support setting arbitrary s3
# endpoints.
#
# Note: currently requires the user to provide AWS_ACCESS_KEY_ID as well as
# AWS_SECRET_ACCESS_KEY in their environment variables.
terraform.backend.s3 = {
endpoints.s3 = "s3.delroth.net";
region = "garage";
bucket = "bagel-terraform-state";
key = "state";
# It's just a dump Garage server, don't try to be smart.
skip_credentials_validation = true;
skip_region_validation = true;
skip_requesting_account_id = true;
skip_metadata_api_check = true;
};
}