Compare commits
342 commits
cadvisor-c
...
main
7
.editorconfig
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
root = true
|
||||||
|
|
||||||
|
[*]
|
||||||
|
end_of_line = lf
|
||||||
|
insert_final_newline = true
|
||||||
|
trim_trailing_whitespace = true
|
||||||
|
charset = utf-8
|
9
.envrc
|
@ -1,2 +1,11 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# the shebang is ignored, but nice for editors
|
||||||
|
|
||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
|
if type -P lorri &>/dev/null; then
|
||||||
|
eval "$(lorri direnv --flake .)"
|
||||||
|
else
|
||||||
|
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
|
||||||
use flake
|
use flake
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
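Review bot: The message echoed in the else branch says lorri could not be found but not that evaluation carries on with `use flake`, so a reader may take it for an error. Say that the plain flake loader is used instead. The added shebang plus its "ignored" comment could also be dropped, since the existing `# shellcheck shell=bash` directive already tells editors and linters the dialect.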
4
.gitignore
vendored
|
@ -2,3 +2,7 @@ result
|
||||||
.gcroots
|
.gcroots
|
||||||
config.tf.json
|
config.tf.json
|
||||||
.direnv
|
.direnv
|
||||||
|
.terraform
|
||||||
|
.terraform.lock.hcl
|
||||||
|
secrets/*
|
||||||
|
!secrets/*.age
|
||||||
|
|
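Review bot: The new `secrets/*` rule also ignores subdirectories of secrets/, and `!secrets/*.age` only re-includes .age files sitting directly in secrets/. common/secrets.nix in this same change reads `../secrets/${cfg.tenant}/${secretFile}.age`, one level deeper, and git does not re-include a file whose parent directory is excluded, so new tenant secrets would need `git add -f`. Suggest re-including the directories and matching at that depth, for example `!secrets/*/`, `secrets/*/*`, `!secrets/*/*.age`.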
33
README.md
|
@ -1 +1,32 @@
|
||||||
Infrastructure for the donut shaped thing that is absolutely not a donut.
|
# Infrastructure for the donut shaped thing that is absolutely not a donut.
|
||||||
|
|
||||||
|
## Quick start
|
||||||
|
|
||||||
|
### Build the infrastructure
|
||||||
|
|
||||||
|
```
|
||||||
|
$ colmena build --on @localboot
|
||||||
|
```
|
||||||
|
|
||||||
|
Notice that `@localboot` is load-bearing as we have some machines that _cannot be_ deployed with vanilla Colmena. Fixing this is welcome.
|
||||||
|
|
||||||
|
### Recommended deploy process
|
||||||
|
|
||||||
|
```
|
||||||
|
$ colmena apply dry-activate $machine # Verify that the nvd log is reasonable.
|
||||||
|
$ colmena apply $machine
|
||||||
|
```
|
||||||
|
|
||||||
|
### Recommended upgrade process
|
||||||
|
|
||||||
|
```
|
||||||
|
$ nix flake update
|
||||||
|
$ colmena apply dry-activate --on @localboot # Verify that the nvd log is reasonable. Run it twice to get only NVD logs shown.
|
||||||
|
$ colmena apply --on @localboot
|
||||||
|
```
|
||||||
|
|
||||||
|
## Troubleshooting
|
||||||
|
|
||||||
|
### I failed to deploy `gerrit01`
|
||||||
|
|
||||||
|
Our Gerrit source build is known to have some hiccups sometimes, we are always interested in build logs, feel free to attach information in a new issue so we can make it more reliable.
|
||||||
|
|
|
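Review bot: In the "Recommended deploy process" block both commands pass `$machine` as a bare argument, while the build and upgrade blocks select nodes with `--on @localboot`. Use `--on $machine` in both lines so the three recipes are consistent and the machine name is not read as the goal. The dry-activate comment there could also carry the "run it twice" hint that the upgrade block has.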
@ -1,16 +1,47 @@
|
||||||
|
{ lib, ... }:
|
||||||
let
|
let
|
||||||
keys = import ./ssh-keys.nix;
|
inherit (lib) genAttrs;
|
||||||
in {
|
in
|
||||||
users.users.root.openssh.authorizedKeys.keys =
|
# Note: to add somefew in this list.
|
||||||
keys.users.delroth ++
|
# Ensure their SSH key is already in common/ssh-keys.nix with
|
||||||
keys.users.k900 ++
|
# the same username for here, so that the keys is automatically added.
|
||||||
keys.users.raito ++
|
{
|
||||||
keys.users.maxine ++
|
bagel.groups = {
|
||||||
[
|
floral-infra.members = [
|
||||||
# more raito
|
"delroth"
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
"emilylange"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
"hexchen"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
"jade"
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
|
"janik"
|
||||||
|
"k900"
|
||||||
|
"maxine"
|
||||||
|
"raito"
|
||||||
|
"thubrecht"
|
||||||
|
"winter"
|
||||||
|
"yuka"
|
||||||
|
"ckie"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
lix-infra.members = [
|
||||||
|
"raito"
|
||||||
|
"hexchen"
|
||||||
|
"jade"
|
||||||
|
"pennae"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
bagel.users = genAttrs [
|
||||||
|
"delroth"
|
||||||
|
"emilylange"
|
||||||
|
"hexchen"
|
||||||
|
"jade"
|
||||||
|
"janik"
|
||||||
|
"k900"
|
||||||
|
"maxine"
|
||||||
|
"raito"
|
||||||
|
"thubrecht"
|
||||||
|
"winter"
|
||||||
|
"yuka"
|
||||||
|
"ckie"
|
||||||
|
"pennae"
|
||||||
|
] (name: {});
|
||||||
}
|
}
|
||||||
|
|
|
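Review bot: The username list is written out twice, once in `floral-infra.members` and again in the `genAttrs` call for `bagel.users`, and server-acl.nix looks members up with `cfgUsers.${member}`, so a name added to a group but forgotten in the second list breaks evaluation. Bind the list once in the `let` and derive `bagel.users` from the union of the group members. The removed block also carried four literal keys under `# more raito`; confirm they are present in ssh-keys.nix, and fix the comment wording ("somefew", "the keys is").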
@ -1,9 +1,16 @@
|
||||||
{ lib, pkgs, ... }: {
|
{ lib, pkgs, ... }: {
|
||||||
|
imports = [
|
||||||
|
./known-ssh-keys.nix
|
||||||
|
./cgroups.nix
|
||||||
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = import ../overlays;
|
nixpkgs.overlays = import ../overlays;
|
||||||
|
|
||||||
nix.package = lib.mkDefault pkgs.lix;
|
nix.package = lib.mkDefault pkgs.lix;
|
||||||
|
system.tools.nixos-option.enable = false;
|
||||||
services.openssh.enable = lib.mkForce true;
|
services.openssh.enable = lib.mkForce true;
|
||||||
|
|
||||||
|
networking.nftables.enable = true;
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
networking.firewall.logRefusedConnections = false;
|
networking.firewall.logRefusedConnections = false;
|
||||||
networking.firewall.logReversePathDrops = true;
|
networking.firewall.logReversePathDrops = true;
|
||||||
|
@ -13,12 +20,56 @@
|
||||||
recommendedTlsSettings = lib.mkDefault true;
|
recommendedTlsSettings = lib.mkDefault true;
|
||||||
recommendedProxySettings = lib.mkDefault true;
|
recommendedProxySettings = lib.mkDefault true;
|
||||||
recommendedGzipSettings = lib.mkDefault true;
|
recommendedGzipSettings = lib.mkDefault true;
|
||||||
|
eventsConfig = ''
|
||||||
|
worker_connections 8192;
|
||||||
|
'';
|
||||||
|
appendConfig = ''
|
||||||
|
worker_rlimit_nofile 16384;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.gc = {
|
nix.gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
persistent = true;
|
persistent = true;
|
||||||
dates = "daily";
|
dates = lib.mkDefault "daily";
|
||||||
options = "--delete-older-than 30d";
|
options = lib.mkDefault "--delete-older-than 30d";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.journald.extraConfig = "SystemMaxUse=512M";
|
||||||
|
|
||||||
|
boot.kernelParams = [
|
||||||
|
"panic=30" "boot.panic_on_fail"
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
# Set default TCP congestion control algorithm
|
||||||
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
|
|
||||||
|
# Enable ECN
|
||||||
|
"net.ipv4.tcp_ecn" = 1;
|
||||||
|
|
||||||
|
# Enable TCP fast open
|
||||||
|
"net.ipv4.tcp_fastopen" = 3;
|
||||||
|
};
|
||||||
|
|
||||||
|
# reduce closure size, feel free to add your locale here
|
||||||
|
i18n.supportedLocales = [
|
||||||
|
"en_US.UTF-8/UTF-8"
|
||||||
|
"fr_FR.UTF-8/UTF-8"
|
||||||
|
];
|
||||||
|
|
||||||
|
time.timeZone = "UTC";
|
||||||
|
|
||||||
|
security.acme.acceptTerms = true;
|
||||||
|
security.acme.defaults.email = "infra@forkos.org";
|
||||||
|
|
||||||
|
# Enable system diffs.
|
||||||
|
system.activationScripts.system-diff = {
|
||||||
|
supportsDryActivation = true; # safe: only outputs to stdout
|
||||||
|
text = ''
|
||||||
|
if [ -e /run/current-system ]; then
|
||||||
|
PATH=$PATH:${pkgs.nix}/bin ${pkgs.nvd}/bin/nvd diff /run/current-system $systemConfig
|
||||||
|
fi
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
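Review bot: The `system-diff` activation script puts `${pkgs.nix}/bin` on PATH, although this module sets `nix.package = lib.mkDefault pkgs.lix`, so every host pulls a second Nix implementation into its closure just for nvd. Take `config` in the module arguments and use `${config.nix.package}/bin`, and quote `"$systemConfig"`. The `security.acme.defaults.email` and sysctl additions would be easier to review as separate commits from the diff script.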
83
common/cgroups.nix
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
# Relatively inspired by fbtax2:
|
||||||
|
# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
|
||||||
|
#
|
||||||
|
# See also the Chris Down talk at LISA'21:
|
||||||
|
# https://www.usenix.org/conference/lisa21/presentation/down
|
||||||
|
{ ... }:
|
||||||
|
let
|
||||||
|
systemCriticalSliceConfig = {
|
||||||
|
ManagedOOMMemoryPressure = "kill";
|
||||||
|
|
||||||
|
# guarantee availability of memory
|
||||||
|
MemoryMin = "192M";
|
||||||
|
# default 100
|
||||||
|
IOWeight = 1000;
|
||||||
|
# default 100
|
||||||
|
CPUWeight = 1000;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
systemd.oomd = {
|
||||||
|
enable = true;
|
||||||
|
# why not, we have cgroups at user level now so it'll just kill the
|
||||||
|
# terminal
|
||||||
|
enableRootSlice = true;
|
||||||
|
enableSystemSlice = true;
|
||||||
|
enableUserSlices = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.enableCgroupAccounting = true;
|
||||||
|
|
||||||
|
systemd.services.nix-daemon = {
|
||||||
|
serviceConfig = {
|
||||||
|
# FIXME: how do i deprioritize this for memory
|
||||||
|
CPUWeight = 10;
|
||||||
|
IOWeight = 10;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.slices.hostcritical = {
|
||||||
|
description = "Ensures that services to keep the system alive remain alive";
|
||||||
|
|
||||||
|
unitConfig = {
|
||||||
|
# required to avoid a dependency cycle on systemd-oomd. systemd will
|
||||||
|
# actually guess this right but we should fix it anyway.
|
||||||
|
DefaultDependencies = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
sliceConfig = systemCriticalSliceConfig;
|
||||||
|
};
|
||||||
|
|
||||||
|
# make root logins higher priority for resources
|
||||||
|
systemd.slices."user-0" = {
|
||||||
|
sliceConfig = systemCriticalSliceConfig;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
systemd.slices.system = {
|
||||||
|
sliceConfig = {
|
||||||
|
ManagedOOMMemoryPressure = "kill";
|
||||||
|
ManagedOOMMemoryPressureLimit = "50%";
|
||||||
|
|
||||||
|
IOWeight = 100;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.sshd = {
|
||||||
|
serviceConfig = {
|
||||||
|
Slice = "hostcritical.slice";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.systemd-oomd = {
|
||||||
|
serviceConfig = {
|
||||||
|
Slice = "hostcritical.slice";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.systemd-journald = {
|
||||||
|
serviceConfig = {
|
||||||
|
Slice = "hostcritical.slice";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
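Review bot: `systemCriticalSliceConfig` sets `ManagedOOMMemoryPressure = "kill"` and is applied to `hostcritical` and `user-0`, so systemd-oomd is told to act on the very slice that holds sshd, journald and oomd itself, which reads as the opposite of the slice description. Leave that key out of the critical config (keep `MemoryMin` and the weights) and keep "kill" only on `system`. The FIXME on nix-daemon should either be resolved, for example with a `MemoryHigh` bound, or turned into a tracked issue.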
32
common/channels.nix
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
# Taken from https://github.com/NixOS/infra/blob/master/channels.nix
|
||||||
|
{
|
||||||
|
# "Channel name" = {
|
||||||
|
# # This should be the <value> part of
|
||||||
|
# # https://hydra.forkos.org/job/<value>/latest-finished
|
||||||
|
# job = "project/jobset/jobname";
|
||||||
|
#
|
||||||
|
# # When adding a new version, determine if it needs to be tagged as a
|
||||||
|
# # variant -- for example:
|
||||||
|
# # nixos-xx.xx => primary
|
||||||
|
# # nixos-xx.xx-small => small
|
||||||
|
# # nixos-xx.xx-darwin => darwin
|
||||||
|
# # nixos-xx.xx-aarch64 => aarch64
|
||||||
|
# variant = "primary";
|
||||||
|
#
|
||||||
|
# # Channel Status:
|
||||||
|
# # '*-unstable' channels are always "rolling"
|
||||||
|
# # Otherwise a release generally progresses through the following phases:
|
||||||
|
# #
|
||||||
|
# # - Directly after branch off => "beta"
|
||||||
|
# # - Once the channel is released => "stable"
|
||||||
|
# # - Once the next channel is released => "deprecated"
|
||||||
|
# # - N months after the next channel is released => "unmaintained"
|
||||||
|
# # (check the release notes for when this should happen)
|
||||||
|
# status = "beta";
|
||||||
|
# };
|
||||||
|
"forkos-unstable" = {
|
||||||
|
job = "forkos/nixos-main/tested";
|
||||||
|
variant = "primary";
|
||||||
|
status = "rolling";
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,9 +1,14 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./admins.nix
|
./admins.nix
|
||||||
./raito-vm.nix
|
./server-acl.nix
|
||||||
./raito-proxy-aware-nginx.nix
|
|
||||||
./base-server.nix
|
./base-server.nix
|
||||||
|
./hardening.nix
|
||||||
|
./nix.nix
|
||||||
|
./raito-proxy-aware-nginx.nix
|
||||||
./sysadmin
|
./sysadmin
|
||||||
|
./hardware
|
||||||
|
./zsh.nix
|
||||||
|
./secrets.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
23
common/hardening.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
nix.settings.allowed-users = [ "root" ];
|
||||||
|
|
||||||
|
boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
|
||||||
|
"/proc".options = [ "hidepid=2" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
settings.PasswordAuthentication = false;
|
||||||
|
settings.KbdInteractiveAuthentication = false;
|
||||||
|
|
||||||
|
# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
|
||||||
|
authorizedKeysFiles = lib.mkForce [
|
||||||
|
"/etc/ssh/authorized_keys.d/%u"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.mutableUsers = false;
|
||||||
|
}
|
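Review bot: The `hidepid=2` mount option is wrapped in `lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable)` with no comment, so the hardening silently disappears on any host that turns on polkit or rtkit. Add a comment stating why those two are incompatible, and consider emitting a warning when the condition is false so it is visible which machines run without it. It would also help to set `settings.PermitRootLogin` explicitly next to the other sshd settings, since root keys are the access path this change builds.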
7
common/hardware/default.nix
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
{ ... }: {
|
||||||
|
imports = [
|
||||||
|
./raito-vm.nix
|
||||||
|
./oracle-vm.nix
|
||||||
|
./hetzner.nix
|
||||||
|
];
|
||||||
|
}
|
76
common/hardware/hetzner.nix
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
|
||||||
|
{ lib, config, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.bagel.hardware.hetzner;
|
||||||
|
inherit (lib) mkEnableOption mkIf mkOption types;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.hardware.hetzner = {
|
||||||
|
enable = mkEnableOption "Hetzner's hardware defaults";
|
||||||
|
|
||||||
|
platformType = mkOption {
|
||||||
|
# Only VMs are supported.
|
||||||
|
type = types.enum [ "virtual-machine" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
system = mkOption {
|
||||||
|
# Only the aarch64-linux VM Hetzner is supported.
|
||||||
|
type = types.enum [ "aarch64-linux" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.wan = {
|
||||||
|
mac = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "MAC address of the WAN interface in the Hetzner machine";
|
||||||
|
};
|
||||||
|
address = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = "List of static addresses attached to the WAN interface";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
# A bunch of stuff is virtio.
|
||||||
|
boot.initrd.availableKernelModules = [
|
||||||
|
"xhci_pci"
|
||||||
|
"usbhid"
|
||||||
|
"sr_mod"
|
||||||
|
"virtio_gpu"
|
||||||
|
"virtio_scsi"
|
||||||
|
"virtio_rng"
|
||||||
|
"virtio_pci"
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
networking.useDHCP = lib.mkDefault false;
|
||||||
|
|
||||||
|
# Stolen from the netplan provided by aarch64 Ubuntu images.
|
||||||
|
systemd.network.enable = true;
|
||||||
|
systemd.network.links."10-wan" = {
|
||||||
|
linkConfig.Name = "wan";
|
||||||
|
matchConfig.MACAddress = cfg.networking.mac;
|
||||||
|
};
|
||||||
|
systemd.network.networks."10-wan" = {
|
||||||
|
matchConfig.Name = "wan";
|
||||||
|
networkingConfig.Address = cfg.networking.address;
|
||||||
|
linkConfig.RequiredForOnline = true;
|
||||||
|
DHCP = "ipv4";
|
||||||
|
routes = [
|
||||||
|
{
|
||||||
|
routeConfig = {
|
||||||
|
Destination = "::/0";
|
||||||
|
GatewayOnLink = true;
|
||||||
|
Gateway = "fe80::1";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
dhcpV4Config = {
|
||||||
|
RouteMetric = 100;
|
||||||
|
UseMTU = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
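Review bot: The options are declared under `networking.wan` (`mac`, `address`), but the config block reads `cfg.networking.mac` and `cfg.networking.address`, which do not exist, so enabling the module fails at evaluation. Read `cfg.networking.wan.mac` and `cfg.networking.wan.address`. In the same block `networkingConfig.Address` looks like a typo for `networkConfig.Address`, and `platformType` and `system` are declared without a description and never used (oracle-vm.nix sets `nixpkgs.hostPlatform = cfg.system`).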
52
common/hardware/oracle-vm.nix
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
|
||||||
|
{ lib, config, modulesPath, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.bagel.hardware.oracle-vm;
|
||||||
|
inherit (lib) mkEnableOption mkIf mkOption types;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.hardware.oracle-vm = {
|
||||||
|
enable = mkEnableOption "Oracle's VM hardware defaults";
|
||||||
|
|
||||||
|
system = mkOption {
|
||||||
|
# Only the free Oracle VMs are supported.
|
||||||
|
type = types.enum [ "aarch64-linux" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Imports a bunch of virtio modules.
|
||||||
|
imports = [
|
||||||
|
"${modulesPath}/profiles/qemu-guest.nix"
|
||||||
|
];
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
boot.initrd.systemd.enable = true;
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [
|
||||||
|
"xhci_pci" "virtio_pci" "usbhid" "sr_mod"
|
||||||
|
];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = cfg.system;
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault false;
|
||||||
|
# Examples:
|
||||||
|
# 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
|
||||||
|
# link/ether 02:00:17:00:91:6e brd ff:ff:ff:ff:ff:ff
|
||||||
|
# inet 10.0.0.94/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s3
|
||||||
|
# valid_lft 44162sec preferred_lft 33362sec
|
||||||
|
# inet6 fe80::17ff:fe00:916e/64 scope link
|
||||||
|
# valid_lft forever preferred_lft forever
|
||||||
|
# [root@build02-aarch64-lahfa:~]# ip r
|
||||||
|
# default via 10.0.0.1 dev enp0s3 proto dhcp src 10.0.0.94 metric 1002 mtu 9000
|
||||||
|
networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
|
||||||
|
};
|
||||||
|
}
|
|
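Review bot: The `imports` of `${modulesPath}/profiles/qemu-guest.nix` sits outside `mkIf cfg.enable`, and common/hardware/default.nix imports this file for everyone, so every machine gets the QEMU guest profile whether or not `bagel.hardware.oracle-vm.enable` is set. List the needed initrd modules inside the `config` block instead (the list is partly there already), or document that the profile is intentionally global. The DHCP comment is generator text with a pasted `ip` output; a one-line note that enp0s3 gets its address over DHCP would do.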
@ -30,8 +30,6 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.qemuGuest.enable = true;
|
services.qemuGuest.enable = true;
|
||||||
systemd.network.enable = true;
|
systemd.network.enable = true;
|
||||||
security.acme.defaults.email = "bagel-acme@lahfa.xyz";
|
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
networking.useDHCP = lib.mkDefault false;
|
networking.useDHCP = lib.mkDefault false;
|
||||||
|
|
||||||
systemd.network.networks."10-nat-lan" = {
|
systemd.network.networks."10-nat-lan" = {
|
7
common/known-ssh-keys.nix
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
programs.ssh.knownHosts = {
|
||||||
|
"[cl.forkos.org]:29418".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM82mJ259C8Nc+BHHNBeRWXWhL3dfirQhmFbDAwHMle3";
|
||||||
|
"[gerrit.lix.systems]:2022".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICC/S6Z56uhv7zBMutkV0nU8eDuRcl3trykGWBch4L/l";
|
||||||
|
};
|
||||||
|
}
|
21
common/nix.nix
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
{ lib, pkgs, ... }:
|
||||||
|
{
|
||||||
|
nix.extraOptions = ''
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Provision a useful nixpkgs in NIX_PATH and flake registry on infra
|
||||||
|
# machines.
|
||||||
|
nixpkgs.flake = {
|
||||||
|
source = lib.cleanSource pkgs.path;
|
||||||
|
setNixPath = true;
|
||||||
|
setFlakeRegistry = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Use our cache and trust its signing key. Still use cache.nixos.org as
|
||||||
|
# fallback.
|
||||||
|
nix.settings.substituters = [ "https://cache.forkos.org/" ];
|
||||||
|
nix.settings.trusted-public-keys = [
|
||||||
|
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
|
||||||
|
];
|
||||||
|
}
|
|
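Review bot: `experimental-features` is set through the free-form `nix.extraOptions` string while the rest of the file uses `nix.settings`. Prefer `nix.settings.experimental-features = [ "nix-command" "flakes" ];` so the value merges with what other modules set. The cache comment promises cache.nixos.org as a fallback but the list only names cache.forkos.org; say in the comment where the fallback comes from.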
@ -1,9 +1,10 @@
|
||||||
# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
|
# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
let
|
||||||
inherit (lib) mkEnableOption mkIf;
|
inherit (lib) mkEnableOption mkIf concatStringsSep;
|
||||||
cfg = config.bagel.raito.v6-proxy-awareness;
|
cfg = config.bagel.raito.v6-proxy-awareness;
|
||||||
allowedUpstream = "2001:bc8:38ee:99::1/128";
|
# outside of raito infra inside of raito infra
|
||||||
|
allowedUpstreams = [ "2001:bc8:38ee::1/128" "2001:bc8:38ee:99::1/128" ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
|
options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
|
||||||
|
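Review bot: The comment above `allowedUpstreams` labels the two addresses by column position ("outside of raito infra", "inside of raito infra"), which breaks as soon as the line is reformatted or a third entry is added. Put one address per line with its own trailing comment. Since each entry becomes both a trusted `set_real_ip_from` source and a firewall allow on port 444, the commit message should also say why the second address is needed.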
@ -20,8 +21,8 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
appendHttpConfig = ''
|
appendHttpConfig = ''
|
||||||
# Kurisu node
|
# Kurisu nodes
|
||||||
set_real_ip_from ${allowedUpstream};
|
${concatStringsSep "\n" (map (up: "set_real_ip_from ${up};") allowedUpstreams)}
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -29,7 +30,7 @@ in
|
||||||
# Move to nftables if firewall is enabled.
|
# Move to nftables if firewall is enabled.
|
||||||
networking.nftables.enable = true;
|
networking.nftables.enable = true;
|
||||||
networking.firewall.extraInputRules = ''
|
networking.firewall.extraInputRules = ''
|
||||||
ip6 saddr ${allowedUpstream} tcp dport 444 accept
|
${concatStringsSep "\n" (map (up: "ip6 saddr ${up} tcp dport 444 accept") allowedUpstreams)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
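Review bot: The generated `extraInputRules` emits one `ip6 saddr ... tcp dport 444 accept` line per upstream; an anonymous set, `ip6 saddr { a, b } tcp dport 444 accept`, keeps it to a single rule as the list grows. The `networking.nftables.enable = true;` context line here now duplicates the same setting added to the common server module in this change and can be dropped together with its comment.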
22
common/secrets.nix
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
## This is a simple secret abstraction with multi-tenancy awareness.
|
||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.bagel.secrets;
|
||||||
|
inherit (lib) mkOption types genAttrs;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.secrets = {
|
||||||
|
tenant = mkOption {
|
||||||
|
type = types.enum [ "lix" "floral" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
files = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config.age.secrets = genAttrs cfg.files (secretFile: {
|
||||||
|
file = ../secrets/${cfg.tenant}/${secretFile}.age;
|
||||||
|
});
|
||||||
|
}
|
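Review bot: Neither `tenant` nor `files` has a `description`, and `tenant` has no default, so a host that lists `files` without setting it gets a bare "option used but not defined" error. Add descriptions (what a tenant is, that entries are file names without the `.age` suffix) and an `example`. Entries of `files` are spliced into the path `../secrets/${cfg.tenant}/${secretFile}.age` unchecked; a `types.strMatching` pattern that excludes `/` would keep them inside the tenant directory.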
69
common/server-acl.nix
Normal file
|
@ -0,0 +1,69 @@
|
||||||
|
{ lib, config, ... }:
|
||||||
|
let
|
||||||
|
keys = import ./ssh-keys.nix;
|
||||||
|
inherit (lib) mkOption types length concatMap listToAttrs catAttrs attrValues;
|
||||||
|
cfgAdmins = config.bagel.admins;
|
||||||
|
cfgGroups = config.bagel.groups;
|
||||||
|
cfgUsers = config.bagel.users;
|
||||||
|
|
||||||
|
userOpts = { name, ... }: {
|
||||||
|
options = {
|
||||||
|
sshKeys = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = "List of SSH keys associated to this user, defaults to `ssh-keys.nix` entries.";
|
||||||
|
default = keys.users.${name} or [ ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
groupOpts = { name, ... }: {
|
||||||
|
options = {
|
||||||
|
members = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = "List of users member of this group";
|
||||||
|
example = [ "raito" ];
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# There might be duplicate in that list. We will turn it into an attribute set.
|
||||||
|
allowedMembers = listToAttrs (
|
||||||
|
map (member: {
|
||||||
|
name = member;
|
||||||
|
value = cfgUsers.${member};
|
||||||
|
}) (concatMap (allowedGroup: cfgGroups.${allowedGroup}.members) cfgAdmins.allowedGroups));
|
||||||
|
|
||||||
|
rootKeys = concatMap ({ sshKeys, ... }: sshKeys) (attrValues allowedMembers);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.users = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule userOpts);
|
||||||
|
description = "User configuration for server ACLs";
|
||||||
|
};
|
||||||
|
|
||||||
|
options.bagel.groups = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule groupOpts);
|
||||||
|
description = "Group configuration for server ACLs";
|
||||||
|
};
|
||||||
|
|
||||||
|
options.bagel.admins = {
|
||||||
|
allowedGroups = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ "catch-all" ];
|
||||||
|
description = "List of groups which are allowed to admin this machine.";
|
||||||
|
example = [ "lix" "build-infra" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
assertions = [
|
||||||
|
{ assertion = length config.users.users.root.openssh.authorizedKeys.keys > 0;
|
||||||
|
# TODO: you can add printing of `concatStringsSep ", " cfg.allowedGroups` to diagnose
|
||||||
|
# which are the allowed groups and existing admins.
|
||||||
|
message = "root@${config.networking.fqdnOrHostName} has no SSH key attached, this machine will lose its access if you deploy it successfully! Set a valid `bagel.admins.allowedGroups` or ensure you have at least one administrator of the relevant group registered";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = rootKeys;
|
||||||
|
};
|
||||||
|
}
|
|
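Review bot: In `userOpts`, `default = keys.users.${name} or [ ];` gives a user whose name is missing from ssh-keys.nix, or misspelled against it, an empty key list without any error, and the only assertion checks that root ends up with at least one key overall, so that user is dropped silently as long as someone else in the group has a key. An assertion that every member of an allowed group has a non-empty `sshKeys` would catch it. Likewise `cfgGroups.${allowedGroup}` and `cfgUsers.${member}` abort with a raw missing-attribute error when a group or user is not declared, which includes the default `[ "catch-all" ]` on a host that never defines that group; a message naming the offending group would help. The TODO refers to `cfg.allowedGroups`, but the binding in this file is `cfgAdmins`.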
@ -1,14 +1,72 @@
|
||||||
{
|
{
|
||||||
machines = {
|
machines = {
|
||||||
|
# Floral
|
||||||
bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsO4bNqY04uG13Pg3ubHfRDssTphDLzZ4YUniE5/p+M";
|
bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsO4bNqY04uG13Pg3ubHfRDssTphDLzZ4YUniE5/p+M";
|
||||||
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
|
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
|
||||||
|
public01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBy8G8rfLA6E9i+t5kjVafxU1c2NXATXKxoXTH4Kgtm";
|
||||||
gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A";
|
gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A";
|
||||||
|
fodwatch = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRyTNfvKl5FcSyzGzw+h+bNFNOxdhvI67WdUZ2iIJ1L";
|
||||||
|
buildbot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgIu6ouagYqBeMLfmn1CbaDJMuZcPH9bnUhkht8GfuB";
|
||||||
|
git = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQJcpkCUOx8+5oukMX6lxrYcIX8FyHu8Mc/3+ieKMUn";
|
||||||
|
build-coord = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpAEJP7F+XtJBpQP1jTzwXwQgJrFxwEJjPf/rnCXkJA";
|
||||||
|
builder-0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHSNcDGctvlG6BHcJuYIzW9WsBJsts2vpwSketsbXoL";
|
||||||
|
builder-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQOGUjERK7Mx8UPM/rbOdMqVyn1sbWqYOG6CbOzH2wm";
|
||||||
|
builder-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKzXIqCoYElEKIYgjbSpqEcDeOvV+Wo3Agq3jba83cB";
|
||||||
|
builder-3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq0A5233XGt34T097KaEKBUqFvaa7a6nYZRsSO0166l";
|
||||||
|
builder-4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9dVo2xZhgIMDgB1rUj5ApmppL39BtYu/+OFHeduvXr";
|
||||||
|
builder-5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7vZTBxrVHmHpv7slQ8A8XwjjbfN+ZJA0V5C3k0wNBD";
|
||||||
|
builder-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOt1qR/2BRtc6PABuSBulowwJVO6wBNDyEFzh0qsTeOF";
|
||||||
|
builder-7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFinAAw1v8TJB8/wcmTVBbHHc4LCYh6z4TO6ViwUPkoh";
|
||||||
|
builder-8 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGSWHNeqT0kF/e4yVy2ieW98X5QMyCYIYZh9WTmQDs1";
|
||||||
|
builder-9 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhws9zGgocVY36dMtOL+CXadpvRMffxoWMkfEcTBJm7";
|
||||||
|
builder-10 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7sgIuTSqZiZhp8TvObSbIEhcHHsL5hcmYA22uzwxth";
|
||||||
|
wob-vpn-gw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVytPPW8XnXf/rD5TFzsw//CZc2lBjQLmDzlVGPZsjh";
|
||||||
|
|
||||||
|
# Lix
|
||||||
|
build01-aarch64-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICC69NZD/zhIB/wUb5odg46bss5g8hH2fDl22bk4qeSW";
|
||||||
|
build02-aarch64-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdJE375pe58RJbhKwXRp3D//+SJ3ssiVZrLsM9CLHn0";
|
||||||
|
build01-aarch64-darwin-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVf1uO0lv5UBti/naW/+amqLxvWZg+StXk9aM+lJ7e4";
|
||||||
|
|
||||||
|
buildbot-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoVSh35UqNQZ6ZZ1c6CzqERC40ovQ/KDXz8pC7nNlkR";
|
||||||
|
|
||||||
|
# Raito infrastructure
|
||||||
|
epyc-newtype-fr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOXT9Init1MhKt4rjBANLq0t0bPww/WQZ96uB4AEDrml";
|
||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
||||||
raito = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp" ];
|
emilylange = [ "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIL7jgq3i+N3gVJhs4shm7Kmw6dIocs2OuR0GBMG1RxfKAAAABHNzaDo=" ];
|
||||||
|
hexchen = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF hexchen@backup"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/ hexchen@yubi5"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3 hexchen@yubi5c"
|
||||||
|
];
|
||||||
|
jade = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa"
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKYljH8iPMrH00lOb3ETxRrZimdKzPPEdsJQ5D5ovtOwAAAACnNzaDpzc2hrZXk= ssh:sshkey"
|
||||||
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO4idMfdJxDJuBNOid60d4I+qxj09RHt+YkCYV2eXt6tGrEXg+S8hTQusy/SqooiXUH9pt4tea2RuBPN9+UwrH0= type-a yubikey slot 9a"
|
||||||
|
];
|
||||||
|
janik = [
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ4yq7oHBO2iPs4xj797a//0ypnBr27sSadKUeL2NsK6AAAABHNzaDo="
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOYg513QZsVzoyVycXZjg4F3T3+OwtcY3WAhrlfyLgLTAAAABHNzaDo="
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLZxVITpJ8xbiCa/u2gjSSIupeiqOnRh+8tFIoVhCON"
|
||||||
|
];
|
||||||
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
|
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
|
||||||
|
lukegb = [ ''cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR'' ];
|
||||||
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
|
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
|
||||||
|
raito = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||||
|
];
|
||||||
|
thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
|
||||||
|
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxQ3NYBi8v1f/vhxLKDcA6upmX0pctRDbnK6SER5OUR yureka" ];
|
||||||
|
winter = [ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" ];
|
||||||
|
ckie = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3uTwzSSMAPg84fwbNp2cq9+BdLFeA1VzDGth4zCAbz https://mei.puppycat.house" ];
|
||||||
|
pennae = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wf5/IbyFpdziWfwxkQqxOf3r1L9pYn6xQBEKFwmMY"
|
||||||
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo="
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
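Review bot: The `emilylange` entry carries `no-touch-required` on an `sk-ssh-ed25519@openssh.com` key, which tells sshd to accept signatures from that security key without the user-presence check; these `users` lists are what server-acl.nix in this same change reads as `keys.users` to build root's `authorizedKeys`, so please confirm that is intended or drop the option. The `lukegb` entry is a `cert-authority` line, so who can log in under it is decided by whatever that CA signs for principal `lukegb`, outside this repository; a short comment on how those certificates are issued and expired would make that reviewable.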
@ -13,13 +13,21 @@ in
|
||||||
tmux
|
tmux
|
||||||
rsync
|
rsync
|
||||||
fd
|
fd
|
||||||
|
eza
|
||||||
|
grc
|
||||||
ripgrep
|
ripgrep
|
||||||
|
delta
|
||||||
|
tshark
|
||||||
pv
|
pv
|
||||||
kitty.terminfo
|
kitty.terminfo
|
||||||
config.boot.kernelPackages.perf
|
config.boot.kernelPackages.perf
|
||||||
bcc
|
bcc
|
||||||
tcpdump
|
tcpdump
|
||||||
ncdu
|
ncdu
|
||||||
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;
|
# Useful to invoke `coredumpctl gdb`
|
||||||
|
gdb
|
||||||
|
htop
|
||||||
|
btop
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
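Review bot: The old closing line `] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;` is replaced by a plain `];`, so pwru is no longer installed anywhere, and nothing in the hunk says whether that is deliberate. If it is not, keep the conditional after the new entries. The hunk also adds `tshark` and `gdb` next to the existing `tcpdump` for every host that imports this list; consider whether capture and debugging tools belong in the base set or in an opt-in one.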
15
common/zsh.nix
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
{ lib, pkgs, config, ... }: {
|
||||||
|
programs.zsh = {
|
||||||
|
enable = true;
|
||||||
|
enableCompletion = true;
|
||||||
|
autosuggestions.enable = true;
|
||||||
|
interactiveShellInit = ''
|
||||||
|
${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin
|
||||||
|
'';
|
||||||
|
promptInit = ''
|
||||||
|
# https://grml.org/zsh/grml-zsh-refcard.pdf
|
||||||
|
source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
|
||||||
|
PS1='%n@${config.networking.fqdn} %/ \$ '
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
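Review bot: `PS1` interpolates `config.networking.fqdn`, which fails evaluation on a host without `networking.domain` set; server-acl.nix in this change uses `config.networking.fqdnOrHostName` for the same purpose, and using it here would keep the module usable on such hosts. Since these prompts will often be root shells, zsh's `%#` would also be a better final character than a fixed `$`, as it shows `#` when the shell is privileged.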
43
dashboards/default.nix
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
{ gerrit-dashboard, stdenv, symlinkJoin, jsonnet, fetchFromGitHub, lib, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) concatMapStringsSep;
|
||||||
|
datasource-id = "mimir";
|
||||||
|
in
|
||||||
|
rec {
|
||||||
|
grafonnet = fetchFromGitHub {
|
||||||
|
owner = "grafana";
|
||||||
|
repo = "grafonnet-lib";
|
||||||
|
# TODO: figure out how to read the jsonnet lockfile
|
||||||
|
# and propagate this a bit cleverly.
|
||||||
|
rev = "a1d61cce1da59c71409b99b5c7568511fec661ea";
|
||||||
|
hash = "sha256-fs5JZJbcL6sQXBjYhp5eeRtjTFw0J1O/BcwBC8Vm9EM=";
|
||||||
|
};
|
||||||
|
buildJsonnetDashboards = dashboardSrc: targets: stdenv.mkDerivation {
|
||||||
|
name = "jsonnet-grafana-dashboards";
|
||||||
|
src = dashboardSrc;
|
||||||
|
buildInputs = [ jsonnet ];
|
||||||
|
buildPhase = ''
|
||||||
|
runHook preBuild
|
||||||
|
mkdir -p $out
|
||||||
|
${concatMapStringsSep "\n" (target: "jsonnet -J ${grafonnet} --ext-str datasource=${datasource-id} --ext-code publish=true $src/${target} > $out/${baseNameOf target}.json") targets}
|
||||||
|
runHook postBuild
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
allDashboards = symlinkJoin {
|
||||||
|
name = "all-jsonnet-dashboards";
|
||||||
|
paths = [
|
||||||
|
(buildJsonnetDashboards gerrit-dashboard [
|
||||||
|
"dashboards/gerrit/caches/gerrit-caches.jsonnet"
|
||||||
|
"dashboards/gerrit/fetch-clone/gerrit-fetch-clone.jsonnet"
|
||||||
|
"dashboards/gerrit/fetch-clone/gerrit-phases.jsonnet"
|
||||||
|
"dashboards/gerrit/healthcheck/gerrit-healthcheck.jsonnet"
|
||||||
|
"dashboards/gerrit/latency/gerrit-push-latency.jsonnet"
|
||||||
|
"dashboards/gerrit/latency/gerrit-ui-actions-latency.jsonnet"
|
||||||
|
"dashboards/gerrit/overview/gerrit-overview.jsonnet"
|
||||||
|
"dashboards/gerrit/process/gerrit-process.jsonnet"
|
||||||
|
"dashboards/gerrit/queues/gerrit-queues.jsonnet"
|
||||||
|
])
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
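Review bot: In `buildPhase`, each output is named `${baseNameOf target}.json`, so the files come out as `gerrit-caches.jsonnet.json`, and two targets with the same base name in different directories would overwrite each other without an error. Strip the suffix with `lib.removeSuffix ".jsonnet"` and consider keeping part of the directory in the output name. `$out` and `$src/${target}` are also unquoted in the generated shell line.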
711
flake.lock
|
@ -10,11 +10,11 @@
|
||||||
"systems": "systems"
|
"systems": "systems"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1718371084,
|
"lastModified": 1723293904,
|
||||||
"narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
|
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
|
||||||
"owner": "ryantm",
|
"owner": "ryantm",
|
||||||
"repo": "agenix",
|
"repo": "agenix",
|
||||||
"rev": "3a56735779db467538fb2e577eda28a9daacaca6",
|
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -23,14 +23,38 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"attic": {
|
||||||
|
"inputs": {
|
||||||
|
"crane": "crane",
|
||||||
|
"flake-compat": "flake-compat_2",
|
||||||
|
"flake-parts": "flake-parts_2",
|
||||||
|
"nix-github-actions": "nix-github-actions_2",
|
||||||
|
"nixpkgs": "nixpkgs",
|
||||||
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730257295,
|
||||||
|
"narHash": "sha256-OQl+aAsKiyygvpzck1u0sZf/R4T9zM903CgNDFmmzA8=",
|
||||||
|
"owner": "zhaofengli",
|
||||||
|
"repo": "attic",
|
||||||
|
"rev": "48c8b395bfbc6b76c7eae74df6c74351255a095c",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "zhaofengli",
|
||||||
|
"ref": "main",
|
||||||
|
"repo": "attic",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"bats-assert": {
|
"bats-assert": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1636059754,
|
"lastModified": 1692829535,
|
||||||
"narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
|
"narHash": "sha256-oDqhUQ6Xg7a3xx537SWLGRzqP3oKKeyY4UYGCdz9z/Y=",
|
||||||
"owner": "bats-core",
|
"owner": "bats-core",
|
||||||
"repo": "bats-assert",
|
"repo": "bats-assert",
|
||||||
"rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
|
"rev": "e2d855bc78619ee15b0c702b5c30fb074101159f",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -42,11 +66,11 @@
|
||||||
"bats-support": {
|
"bats-support": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1548869839,
|
"lastModified": 1693050811,
|
||||||
"narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
|
"narHash": "sha256-PxJaH16+QrsfZqtkWVt5K6TwJB5gjIXnbGo+MB84WIU=",
|
||||||
"owner": "bats-core",
|
"owner": "bats-core",
|
||||||
"repo": "bats-support",
|
"repo": "bats-support",
|
||||||
"rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
|
"rev": "9bf10e876dd6b624fe44423f0b35e064225f7556",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -55,21 +79,65 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"buildbot-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-parts": "flake-parts",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"treefmt-nix": "treefmt-nix"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730064416,
|
||||||
|
"narHash": "sha256-Opbtu9hKijGkEx+GYbSu3MJms3lFxZmAGTFyckguWMM=",
|
||||||
|
"ref": "refs/heads/forkos",
|
||||||
|
"rev": "79137b14f3cb376204f739f44b05aebfc288ca89",
|
||||||
|
"revCount": 310,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"ref": "refs/heads/forkos",
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"channel-scripts": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1725128016,
|
||||||
|
"narHash": "sha256-4TvaXELsl+1OcGNgqB/5HVXVxBvdIQkhJsY4FyiDcNU=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "23b6c38ed7e11417bf624f6e4fb6cde0d2be6400",
|
||||||
|
"revCount": 261,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/channel-scripts.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/channel-scripts.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
"colmena": {
|
"colmena": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
|
"nix-github-actions": "nix-github-actions",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"stable": "stable"
|
"stable": "stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1711386353,
|
"lastModified": 1731527002,
|
||||||
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
|
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
|
||||||
"owner": "zhaofengli",
|
"owner": "zhaofengli",
|
||||||
"repo": "colmena",
|
"repo": "colmena",
|
||||||
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
|
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -78,6 +146,44 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"crane": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"grapevine",
|
||||||
|
"attic",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1722960479,
|
||||||
|
"narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
|
||||||
|
"owner": "ipetkov",
|
||||||
|
"repo": "crane",
|
||||||
|
"rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ipetkov",
|
||||||
|
"repo": "crane",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"crane_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730060262,
|
||||||
|
"narHash": "sha256-RMgSVkZ9H03sxC+Vh4jxtLTCzSjPq18UWpiM0gq6shQ=",
|
||||||
|
"owner": "ipetkov",
|
||||||
|
"repo": "crane",
|
||||||
|
"rev": "498d9f122c413ee1154e8131ace5a35a80d8fa76",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ipetkov",
|
||||||
|
"ref": "master",
|
||||||
|
"repo": "crane",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"darwin": {
|
"darwin": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -100,6 +206,29 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"fenix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"grapevine",
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"rust-analyzer-src": "rust-analyzer-src"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730442928,
|
||||||
|
"narHash": "sha256-U1DWb5c3EfkA7pqx5V1H4AWRA+EaE6UJ0lIRvK1RxgM=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "fenix",
|
||||||
|
"rev": "87b4d20f896c99018dde4702a9c6157b516f2a76",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"ref": "main",
|
||||||
|
"repo": "fenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -132,6 +261,121 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"flake-compat_3": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696426674,
|
||||||
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"ref": "master",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-compat_4": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696426674,
|
||||||
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-parts": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": [
|
||||||
|
"buildbot-nix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1706830856,
|
||||||
|
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-parts_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": [
|
||||||
|
"grapevine",
|
||||||
|
"attic",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1722555600,
|
||||||
|
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-parts_3": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": [
|
||||||
|
"hydra",
|
||||||
|
"nix-eval-jobs",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1722555600,
|
||||||
|
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-parts_4": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727826117,
|
||||||
|
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "flake-parts",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1659877975,
|
"lastModified": 1659877975,
|
||||||
|
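Review bot: `flake-compat_3` and `flake-compat_4` lock the same rev (`0f9255e01c2351cc7d116c072cb317785dd33b33`), as do `flake-parts_2` and `flake-parts_3` (`8471fe90ad337a8074e957b69ca4d0089218391d`). Adding `follows` for these inputs in flake.nix would collapse the duplicates and leave fewer pinned sources to audit on each lock update.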
@ -148,20 +392,70 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-utils_2": {
|
"flake-utils_2": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems_2"
|
||||||
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1634851050,
|
"lastModified": 1726560853,
|
||||||
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
|
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
|
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
|
"ref": "main",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"gerrit-dashboard": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1724509518,
|
||||||
|
"narHash": "sha256-fwYXZVddxfzrlDa3QnFCwHqrbEX+3PrWy0QOlbO+8jk=",
|
||||||
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "e544abac81c581558d68abb2a8dd583049073939",
|
||||||
|
"revCount": 75,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/gerrit-monitoring.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/gerrit-monitoring.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"grapevine": {
|
||||||
|
"inputs": {
|
||||||
|
"attic": "attic",
|
||||||
|
"crane": "crane_2",
|
||||||
|
"fenix": "fenix",
|
||||||
|
"flake-compat": "flake-compat_3",
|
||||||
|
"flake-utils": "flake-utils_2",
|
||||||
|
"nix-filter": "nix-filter",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"rocksdb": "rocksdb",
|
||||||
|
"rust-manifest": "rust-manifest"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"host": "gitlab.computer.surgery",
|
||||||
|
"lastModified": 1731820516,
|
||||||
|
"narHash": "sha256-BJiFq5meQMwOLhVS9/m2HCZoNUIN5u5weJXr94dkIRU=",
|
||||||
|
"owner": "matrix",
|
||||||
|
"repo": "grapevine-fork",
|
||||||
|
"rev": "887e59cf03efb70bfa68b56dda32c411ba6cd5fa",
|
||||||
|
"type": "gitlab"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"host": "gitlab.computer.surgery",
|
||||||
|
"owner": "matrix",
|
||||||
|
"repo": "grapevine-fork",
|
||||||
|
"type": "gitlab"
|
||||||
|
}
|
||||||
|
},
|
||||||
"home-manager": {
|
"home-manager": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -185,17 +479,18 @@
|
||||||
},
|
},
|
||||||
"hydra": {
|
"hydra": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nix": "nix",
|
"lix": "lix",
|
||||||
|
"nix-eval-jobs": "nix-eval-jobs",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719258100,
|
"lastModified": 1728321752,
|
||||||
"narHash": "sha256-Eu8ausj0RsXV5MraCPezwX+j51iZD0ukif110Yj2+6k=",
|
"narHash": "sha256-GbBAoBF7ZObz0IP+g0LZKxMafpMvNKjTEu9haiZbV54=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "a9a2679793a17325c966dec4cbb27d44b0531694",
|
"rev": "ee1234c15cdcb427dbd4828e0add09d02cd606c9",
|
||||||
"revCount": 4172,
|
"revCount": 4220,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/hydra.git"
|
"url": "https://git.lix.systems/lix-project/hydra.git"
|
||||||
},
|
},
|
||||||
|
@ -204,9 +499,9 @@
|
||||||
"url": "https://git.lix.systems/lix-project/hydra.git"
|
"url": "https://git.lix.systems/lix-project/hydra.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nix": {
|
"lix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_2",
|
"flake-compat": "flake-compat_4",
|
||||||
"nix2container": "nix2container",
|
"nix2container": "nix2container",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"hydra",
|
"hydra",
|
||||||
|
@ -216,27 +511,156 @@
|
||||||
"pre-commit-hooks": "pre-commit-hooks"
|
"pre-commit-hooks": "pre-commit-hooks"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719211568,
|
"lastModified": 1728163191,
|
||||||
"narHash": "sha256-oIgmvhe3CV/36LC0KXgqWnKXma39wabks8U9JBMDfO4=",
|
"narHash": "sha256-SW0IEBsPN1EysqzvfDT+8Kimtzy03O1BxQQm7ZB6fRY=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "4c3d93611f2848c56ebc69c85f2b1e18001ed3c7",
|
"rev": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6",
|
||||||
"revCount": 15877,
|
"revCount": 16323,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git@git.lix.systems/lix-project/lix"
|
"url": "https://git.lix.systems/lix-project/lix"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git@git.lix.systems/lix-project/lix"
|
"url": "https://git.lix.systems/lix-project/lix"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-eval-jobs": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-parts": "flake-parts_3",
|
||||||
|
"lix": [
|
||||||
|
"hydra",
|
||||||
|
"lix"
|
||||||
|
],
|
||||||
|
"nix-github-actions": "nix-github-actions_3",
|
||||||
|
"nixpkgs": [
|
||||||
|
"hydra",
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"treefmt-nix": "treefmt-nix_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1723579251,
|
||||||
|
"narHash": "sha256-xnHtfw0gRhV+2S9U7hQwvp2klTy1Iv7FlMMO0/WiMVc=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "42a160bce2fd9ffebc3809746bc80cc7208f9b08",
|
||||||
|
"revCount": 609,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-filter": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730207686,
|
||||||
|
"narHash": "sha256-SCHiL+1f7q9TAnxpasriP6fMarWE5H43t25F5/9e28I=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "nix-filter",
|
||||||
|
"rev": "776e68c1d014c3adde193a18db9d738458cd2ba4",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"ref": "main",
|
||||||
|
"repo": "nix-filter",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-gerrit": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1720891381,
|
||||||
|
"narHash": "sha256-bdZRPgnkROSejmwMOrlcqHMWmuPIVIzjk6r5FbS+fqU=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "23dd318e6741ff686d3069c53ecf475eac8a0565",
|
||||||
|
"revCount": 5,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-github-actions": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"colmena",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1729742964,
|
||||||
|
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-github-actions_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"grapevine",
|
||||||
|
"attic",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1729742964,
|
||||||
|
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-github-actions_3": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"hydra",
|
||||||
|
"nix-eval-jobs",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1720066371,
|
||||||
|
"narHash": "sha256-uPlLYH2S0ACj0IcgaK9Lsf4spmJoGejR9DotXiXSBZQ=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"rev": "622f829f5fe69310a866c8a6cd07e747c44ef820",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nix2container": {
|
"nix2container": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1712990762,
|
"lastModified": 1720642556,
|
||||||
"narHash": "sha256-hO9W3w7NcnYeX8u8cleHiSpK2YJo7ecarFTUlbybl7k=",
|
"narHash": "sha256-qsnqk13UmREKmRT7c8hEnz26X3GFFyIQrqx4EaRc1Is=",
|
||||||
"owner": "nlewo",
|
"owner": "nlewo",
|
||||||
"repo": "nix2container",
|
"repo": "nix2container",
|
||||||
"rev": "20aad300c925639d5d6cbe30013c8357ce9f2a2e",
|
"rev": "3853e5caf9ad24103b13aa6e0e8bcebb47649fe4",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
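Review bot: `nix-github-actions` and `nix-github-actions_2` in this hunk lock the same source twice (rev `e04df33f62cdcf93d73e9a04142464753a16db67`, identical `narHash`), and `nix-github-actions_3` pins a third copy at `622f829f5fe69310a866c8a6cd07e747c44ef820`. Judging by their `nixpkgs` follows paths they arrive through `colmena`, `grapevine`/`attic` and `hydra`/`nix-eval-jobs`. flake.lock is generated, so the change belongs in flake.nix: pointing these transitive inputs at one node with `follows` would leave a single pin to audit instead of three.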
@ -247,11 +671,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719082008,
|
"lastModified": 1726042813,
|
||||||
"narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=",
|
"narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "9693852a2070b398ee123a329e68f0dab5526681",
|
"rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -261,6 +685,18 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-lib": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727825735,
|
||||||
|
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs-regression": {
|
"nixpkgs-regression": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1643052045,
|
"lastModified": 1643052045,
|
||||||
|
@ -277,17 +713,34 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1636823747,
|
"lastModified": 1724316499,
|
||||||
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
|
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
|
||||||
"owner": "nixos",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93",
|
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nixos",
|
"owner": "NixOS",
|
||||||
|
"ref": "nixos-24.05",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1731676054,
|
||||||
|
"narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixos-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -295,11 +748,11 @@
|
||||||
"pre-commit-hooks": {
|
"pre-commit-hooks": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1712055707,
|
"lastModified": 1721042469,
|
||||||
"narHash": "sha256-4XLvuSIDZJGS17xEwSrNuJLL7UjDYKGJSbK1WWX2AK8=",
|
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "git-hooks.nix",
|
"repo": "git-hooks.nix",
|
||||||
"rev": "e35aed5fda3cc79f88ed7f1795021e559582093a",
|
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -308,35 +761,103 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"rocksdb": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730475155,
|
||||||
|
"narHash": "sha256-u5uuShM2SxHc9/zL4UU56IhCcR/ZQbzde0LgOYS44bM=",
|
||||||
|
"owner": "facebook",
|
||||||
|
"repo": "rocksdb",
|
||||||
|
"rev": "3c27a3dde0993210c5cc30d99717093f7537916f",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "facebook",
|
||||||
|
"ref": "v9.7.4",
|
||||||
|
"repo": "rocksdb",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
"agenix": "agenix",
|
||||||
|
"buildbot-nix": "buildbot-nix",
|
||||||
|
"channel-scripts": "channel-scripts",
|
||||||
"colmena": "colmena",
|
"colmena": "colmena",
|
||||||
|
"gerrit-dashboard": "gerrit-dashboard",
|
||||||
|
"grapevine": "grapevine",
|
||||||
"hydra": "hydra",
|
"hydra": "hydra",
|
||||||
"lix": [
|
"lix": [
|
||||||
"hydra",
|
"hydra",
|
||||||
"nix"
|
"lix"
|
||||||
],
|
],
|
||||||
"nixpkgs": "nixpkgs",
|
"nix-gerrit": "nix-gerrit",
|
||||||
|
"nixpkgs": "nixpkgs_2",
|
||||||
|
"stateless-uptime-kuma": "stateless-uptime-kuma",
|
||||||
"terranix": "terranix"
|
"terranix": "terranix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"rust-analyzer-src": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730386175,
|
||||||
|
"narHash": "sha256-0Uq+/B8eu7pw8B8pxuGdFYKjcVLwNMcHfDxU9sXh7rg=",
|
||||||
|
"owner": "rust-lang",
|
||||||
|
"repo": "rust-analyzer",
|
||||||
|
"rev": "0ba893e1a00d92557ac91efb771d72eee36ca687",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "rust-lang",
|
||||||
|
"ref": "nightly",
|
||||||
|
"repo": "rust-analyzer",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"rust-manifest": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"narHash": "sha256-tB9BZB6nRHDk5ELIVlGYlIjViLKBjQl52nC1avhcCwA=",
|
||||||
|
"type": "file",
|
||||||
|
"url": "https://static.rust-lang.org/dist/channel-rust-1.81.0.toml"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "file",
|
||||||
|
"url": "https://static.rust-lang.org/dist/channel-rust-1.81.0.toml"
|
||||||
|
}
|
||||||
|
},
|
||||||
"stable": {
|
"stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1696039360,
|
"lastModified": 1730883749,
|
||||||
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
|
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
|
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-23.05",
|
"ref": "nixos-24.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"stateless-uptime-kuma": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1728243069,
|
||||||
|
"narHash": "sha256-l9fgwesnmFxasCaYUCD7L9bGGJXytLuwtx3CZMgpwJg=",
|
||||||
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "880f444ff7862d6127b051cf1a993ad1585b1652",
|
||||||
|
"revCount": 25,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git"
|
||||||
|
}
|
||||||
|
},
|
||||||
"systems": {
|
"systems": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681028828,
|
"lastModified": 1681028828,
|
||||||
|
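Review bot: in the `root` node, `"nixpkgs"` now resolves to `nixpkgs_2`, so the separately locked `nixpkgs`, `nixpkgs-stable` and `stable` nodes are each held by some input that does not follow the root nixpkgs. `nixpkgs-stable` and `stable` both track `nixos-24.05` yet lock different revs (`797f7dc4...` and `dba41493...`). Please check which inputs own these nodes and add `inputs.nixpkgs.follows = "nixpkgs"` in flake.nix where that is intended, so that one nixpkgs bump covers everything that gets deployed.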
@ -352,20 +873,53 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"systems_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"systems_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"terranix": {
|
"terranix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"bats-assert": "bats-assert",
|
"bats-assert": "bats-assert",
|
||||||
"bats-support": "bats-support",
|
"bats-support": "bats-support",
|
||||||
"flake-utils": "flake-utils_2",
|
"flake-parts": "flake-parts_4",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"systems": "systems_3",
|
||||||
"terranix-examples": "terranix-examples"
|
"terranix-examples": "terranix-examples"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1695406838,
|
"lastModified": 1728959489,
|
||||||
"narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
|
"narHash": "sha256-1Pu2j5xsBTuoyga08ZVf+rKp3FOMmJh/0fXen/idOrA=",
|
||||||
"owner": "terranix",
|
"owner": "terranix",
|
||||||
"repo": "terranix",
|
"repo": "terranix",
|
||||||
"rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
|
"rev": "7734e2ee6a1472807a33ce1e7da794bed2aaf91c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -376,11 +930,11 @@
|
||||||
},
|
},
|
||||||
"terranix-examples": {
|
"terranix-examples": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1636300201,
|
"lastModified": 1637156952,
|
||||||
"narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
|
"narHash": "sha256-KqvXIe1yiKOEP9BRYqNQN+LOWPCsWojh0WjEgv5jfEI=",
|
||||||
"owner": "terranix",
|
"owner": "terranix",
|
||||||
"repo": "terranix-examples",
|
"repo": "terranix-examples",
|
||||||
"rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
|
"rev": "921680efb8af0f332d8ad73718d53907f9483e24",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -388,6 +942,49 @@
|
||||||
"repo": "terranix-examples",
|
"repo": "terranix-examples",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"treefmt-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"buildbot-nix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1708897213,
|
||||||
|
"narHash": "sha256-QECZB+Hgz/2F/8lWvHNk05N6NU/rD9bWzuNn6Cv8oUk=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"rev": "e497a9ddecff769c2a7cbab51e1ed7a8501e7a3a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"treefmt-nix_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"hydra",
|
||||||
|
"nix-eval-jobs",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1723454642,
|
||||||
|
"narHash": "sha256-S0Gvsenh0II7EAaoc9158ZB4vYyuycvMGKGxIbERNAM=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"rev": "349de7bc435bdff37785c2466f054ed1766173be",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
220
flake.nix
|
@ -2,8 +2,10 @@
|
||||||
description = "Bagel cooking infrastructure";
|
description = "Bagel cooking infrastructure";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
terranix.url = "github:terranix/terranix";
|
terranix.url = "github:terranix/terranix";
|
||||||
|
terranix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
agenix.url = "github:ryantm/agenix";
|
agenix.url = "github:ryantm/agenix";
|
||||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
@ -14,100 +16,192 @@
|
||||||
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
|
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
|
||||||
hydra.inputs.nixpkgs.follows = "nixpkgs";
|
hydra.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
lix.follows = "hydra/nix";
|
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
|
||||||
|
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
|
||||||
|
gerrit-dashboard.flake = false;
|
||||||
|
|
||||||
|
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/forkos";
|
||||||
|
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";
|
||||||
|
channel-scripts.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
stateless-uptime-kuma.url = "git+https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git";
|
||||||
|
stateless-uptime-kuma.flake = false;
|
||||||
|
|
||||||
|
lix.follows = "hydra/lix";
|
||||||
|
|
||||||
|
grapevine = {
|
||||||
|
type = "gitlab";
|
||||||
|
host = "gitlab.computer.surgery";
|
||||||
|
owner = "matrix";
|
||||||
|
repo = "grapevine-fork";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, terranix, ... } @ inputs:
|
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
|
||||||
|
forEachSystem = f: builtins.listToAttrs (map (system: {
|
||||||
|
name = system;
|
||||||
|
value = f system;
|
||||||
|
}) supportedSystems);
|
||||||
|
systemBits = forEachSystem (system: rec {
|
||||||
|
inherit system;
|
||||||
pkgs = import nixpkgs {
|
pkgs = import nixpkgs {
|
||||||
localSystem = system;
|
localSystem = system;
|
||||||
overlays = [
|
overlays = [
|
||||||
inputs.hydra.overlays.default
|
inputs.hydra.overlays.default
|
||||||
inputs.lix.overlays.default
|
inputs.lix.overlays.default
|
||||||
|
inputs.nix-gerrit.overlays.default
|
||||||
|
inputs.channel-scripts.overlays.default
|
||||||
|
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
lib = pkgs.lib;
|
|
||||||
terraform = pkgs.opentofu;
|
terraform = pkgs.opentofu;
|
||||||
terraformCfg = terranix.lib.terranixConfiguration {
|
terraformCfg = terranix.lib.terranixConfiguration {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = [ ];
|
modules = [
|
||||||
|
./terraform
|
||||||
|
{
|
||||||
|
bagel.dnsimple.enable = true;
|
||||||
|
bagel.hydra.enable = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
});
|
||||||
|
forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));
|
||||||
|
inherit (nixpkgs) lib;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
apps.${system} = {
|
apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
|
||||||
apply = {
|
tf = {
|
||||||
type = "app";
|
type = "app";
|
||||||
program = toString (pkgs.writers.writeBash "apply" ''
|
program = toString (pkgs.writers.writeBash "tf" ''
|
||||||
set -eo pipefail
|
|
||||||
rm -f config.tf.json
|
|
||||||
cp ${terraformCfg} config.tf.json
|
|
||||||
${lib.getExe terraform} init
|
|
||||||
${lib.getExe terraform} apply
|
|
||||||
'');
|
|
||||||
};
|
|
||||||
# nix run ".#destroy"
|
|
||||||
destroy = {
|
|
||||||
type = "app";
|
|
||||||
program = toString (pkgs.writers.writeBash "destroy" ''
|
|
||||||
set -eo pipefail
|
set -eo pipefail
|
||||||
ln -snf ${terraformCfg} config.tf.json
|
ln -snf ${terraformCfg} config.tf.json
|
||||||
${lib.getExe terraform} init
|
exec ${lib.getExe terraform} "$@"
|
||||||
${lib.getExe terraform} destroy
|
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
};
|
|
||||||
apps.${system}.default = self.apps.${system}.apply;
|
|
||||||
|
|
||||||
devShells.${system}.default = pkgs.mkShell {
|
default = self.apps.${system}.tf;
|
||||||
|
});
|
||||||
|
|
||||||
|
devShells = forEachSystem' ({ system, pkgs, ... }: {
|
||||||
|
default = pkgs.mkShell {
|
||||||
packages = [
|
packages = [
|
||||||
inputs.agenix.packages.${system}.agenix
|
inputs.agenix.packages.${system}.agenix
|
||||||
inputs.colmena.packages.${system}.colmena
|
|
||||||
|
pkgs.opentofu
|
||||||
|
|
||||||
|
(pkgs.callPackage ./lib/colmena-wrapper.nix { })
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
|
||||||
|
|
||||||
|
colmena = let
|
||||||
|
commonModules = [
|
||||||
|
inputs.agenix.nixosModules.default
|
||||||
|
inputs.hydra.nixosModules.hydra
|
||||||
|
inputs.buildbot-nix.nixosModules.buildbot-coordinator
|
||||||
|
inputs.buildbot-nix.nixosModules.buildbot-worker
|
||||||
|
|
||||||
|
./services
|
||||||
|
./common
|
||||||
|
];
|
||||||
|
|
||||||
|
floralInfraModules = commonModules ++ [
|
||||||
|
({ config, lib, ... }: {
|
||||||
|
# This means that anyone with @floral-infra permissions
|
||||||
|
# can ssh on root of every machines handled here.
|
||||||
|
bagel.admins.allowedGroups = [
|
||||||
|
"floral-infra"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Tag all machines which have local boot as local bootables.
|
||||||
|
deployment.tags = lib.mkMerge [
|
||||||
|
[ "floral" ]
|
||||||
|
(lib.mkIf (config.bagel.baremetal.builders.enable -> !config.bagel.baremetal.builders.netboot)
|
||||||
|
[ "localboot" ]
|
||||||
|
)
|
||||||
|
];
|
||||||
|
|
||||||
|
bagel.monitoring.grafana-agent.tenant = "floral";
|
||||||
|
bagel.secrets.tenant = "floral";
|
||||||
|
bagel.builders.extra-build-capacity.provider.tenant = "floral";
|
||||||
|
bagel.services.buildbot.tenant = "floral";
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
|
# These are Floral baremetal builders.
|
||||||
|
makeBuilder = i:
|
||||||
|
let
|
||||||
|
enableNetboot = i >= 6;
|
||||||
|
in
|
||||||
|
lib.nameValuePair "builder-${toString i}" {
|
||||||
|
imports = floralInfraModules;
|
||||||
|
bagel.baremetal.builders = { enable = true; num = i; netboot = enableNetboot; };
|
||||||
|
};
|
||||||
|
|
||||||
colmena = {
|
lixInfraModules = commonModules ++ [
|
||||||
meta.nixpkgs = import nixpkgs {
|
{
|
||||||
localSystem = system;
|
# This means that anyone with @lix-infra permissions
|
||||||
overlays = [
|
# can ssh on root of every machines handled here.
|
||||||
inputs.hydra.overlays.default
|
bagel.admins.allowedGroups = [
|
||||||
inputs.lix.overlays.default
|
"lix-infra"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Tag all machines which have local boot as local bootables.
|
||||||
|
# Lix has no netbootable machine.
|
||||||
|
deployment.tags = [ "localboot" "lix" ];
|
||||||
|
|
||||||
|
bagel.monitoring.grafana-agent.tenant = "lix";
|
||||||
|
bagel.secrets.tenant = "lix";
|
||||||
|
bagel.builders.extra-build-capacity.provider = {
|
||||||
|
tenant = "lix";
|
||||||
|
buildfarmPublicKeys = [
|
||||||
|
# buildbot.lix.systems SSH key
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu4cEqZzAI/1vZjSQkTJ4ijIg9nuloOuSKUrnkJIOFn"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
bagel.services.buildbot.tenant = "lix";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
builders = lib.listToAttrs (lib.genList makeBuilder 11);
|
||||||
|
in {
|
||||||
|
meta.nixpkgs = systemBits.x86_64-linux.pkgs;
|
||||||
|
# Add any non-x86_64 native systems here.
|
||||||
|
# Cross compilation is not supported yet.
|
||||||
|
meta.nodeNixpkgs =
|
||||||
|
let
|
||||||
|
aarch64-systems = systems: lib.genAttrs systems (system: systemBits.aarch64-linux.pkgs);
|
||||||
|
in
|
||||||
|
aarch64-systems [
|
||||||
|
"build01-aarch64-lix"
|
||||||
|
];
|
||||||
meta.specialArgs.inputs = inputs;
|
meta.specialArgs.inputs = inputs;
|
||||||
|
|
||||||
bagel-box = {
|
bagel-box.imports = floralInfraModules ++ [ ./hosts/bagel-box ];
|
||||||
imports = [
|
meta01.imports = floralInfraModules ++ [ ./hosts/meta01 ];
|
||||||
inputs.agenix.nixosModules.default
|
gerrit01.imports = floralInfraModules ++ [ ./hosts/gerrit01 ];
|
||||||
inputs.hydra.nixosModules.hydra
|
fodwatch.imports = floralInfraModules ++ [ ./hosts/fodwatch ];
|
||||||
|
git.imports = floralInfraModules ++ [ ./hosts/git ];
|
||||||
|
wob-vpn-gw.imports = floralInfraModules ++ [ ./hosts/wob-vpn-gw ];
|
||||||
|
buildbot.imports = floralInfraModules ++ [ ./hosts/buildbot ];
|
||||||
|
public01.imports = floralInfraModules ++ [ ./hosts/public01 ];
|
||||||
|
build-coord.imports = floralInfraModules ++ [ ./hosts/build-coord ];
|
||||||
|
|
||||||
./services
|
build01-aarch64-lix.imports = lixInfraModules ++ [ ./hosts/build01-aarch64-lix ];
|
||||||
./common
|
buildbot-lix.imports = lixInfraModules ++ [ ./hosts/buildbot-lix ];
|
||||||
./hosts/bagel-box
|
} // builders;
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
meta01 = {
|
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
|
||||||
imports = [
|
buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
|
||||||
inputs.agenix.nixosModules.default
|
|
||||||
inputs.hydra.nixosModules.hydra
|
|
||||||
|
|
||||||
./services
|
|
||||||
./common
|
|
||||||
./hosts/meta01.nixpkgs.lahfa.xyz
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
gerrit01 = {
|
|
||||||
imports = [
|
|
||||||
inputs.agenix.nixosModules.default
|
|
||||||
inputs.hydra.nixosModules.hydra
|
|
||||||
|
|
||||||
./services
|
|
||||||
./common
|
|
||||||
./hosts/cl.forkos.org
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
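Review bot: in the `colmena` block, tenant separation rests on five independent settings repeated in `floralInfraModules` and `lixInfraModules`: `bagel.admins.allowedGroups` plus the `tenant` values for grafana-agent, secrets, extra-build-capacity and buildbot. `allowedGroups` is the one that grants root SSH, and nothing ties it to the other four, so a later edit can move a host's admin group without moving its secrets tenant, or the reverse. Suggest one per-tenant option from which the other settings derive, and an assertion that every node ends up with exactly one tenant.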
@ -20,6 +20,7 @@
|
||||||
useHostResolvConf = false;
|
useHostResolvConf = false;
|
||||||
|
|
||||||
hostName = "bagel-box";
|
hostName = "bagel-box";
|
||||||
|
domain = "infra.forkos.org";
|
||||||
nameservers = [ "2001:4860:4860::8844" ];
|
nameservers = [ "2001:4860:4860::8844" ];
|
||||||
|
|
||||||
interfaces.host0.ipv6.addresses = [
|
interfaces.host0.ipv6.addresses = [
|
||||||
|
@ -36,16 +37,13 @@
|
||||||
|
|
||||||
bagel.services = {
|
bagel.services = {
|
||||||
postgres.enable = true;
|
postgres.enable = true;
|
||||||
|
ofborg.enable = true;
|
||||||
hydra.enable = true;
|
|
||||||
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
|
|
||||||
};
|
};
|
||||||
bagel.meta.monitoring.address = "bagel-box.delroth.net";
|
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
bagel.sysadmin.enable = true;
|
||||||
security.acme.defaults.email = "bagel@delroth.net";
|
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
|
||||||
deployment.targetHost = "bagel-box.delroth.net";
|
system.stateVersion = "24.11";
|
||||||
|
deployment.targetHost = "bagel-box.infra.forkos.org";
|
||||||
}
|
}
|
||||||
|
|
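Review bot: `system.stateVersion = "24.11";` is added here to `bagel-box`, a host that already exists on the left side of this diff, while the hosts created new in this range use `"24.05"`. stateVersion should record the release the machine was first installed with, not the current one. This host also has `postgres.enable = true`, and stateful services pick version-dependent defaults from this value, so please confirm 24.11 is the real install release before deploying.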
23
hosts/build-coord/default.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
{
|
||||||
|
imports = [ ./hardware.nix ];
|
||||||
|
|
||||||
|
networking.hostName = "build-coord";
|
||||||
|
networking.domain = "wob01.infra.forkos.org";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
|
||||||
|
bagel.services = {
|
||||||
|
hydra.enable = true;
|
||||||
|
# Takes 10 builders (0 → 9).
|
||||||
|
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
|
||||||
|
};
|
||||||
|
|
||||||
|
bagel.monitoring.exporters.hydra.enable = true;
|
||||||
|
|
||||||
|
# Hydra is proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "build-coord.wob01.infra.forkos.org";
|
||||||
|
}
|
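Review bot: `hydra.builders` takes `builder-0` to `builder-9` (`lib.genList ... 10`), but flake.nix in this same range creates eleven nodes with `lib.genList makeBuilder 11`, so `builder-10` is deployed and never handed to Hydra. If it is reserved for another consumer, say so in the comment; otherwise derive this list from the same count so the two cannot drift.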
87
hosts/build-coord/hardware.nix
Normal file
|
@ -0,0 +1,87 @@
|
||||||
|
{
|
||||||
|
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
boot.initrd.systemd.enable = true;
|
||||||
|
|
||||||
|
boot.initrd.services.lvm.enable = true;
|
||||||
|
|
||||||
|
boot.kernelParams = [
|
||||||
|
"console=tty1"
|
||||||
|
"console=ttyS0,115200"
|
||||||
|
];
|
||||||
|
|
||||||
|
fileSystems = {
|
||||||
|
"/" = {
|
||||||
|
device = "/dev/disk/by-label/root";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
"/boot" = {
|
||||||
|
device = "/dev/disk/by-label/BOOT";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [
|
||||||
|
{
|
||||||
|
device = "/swapfile";
|
||||||
|
size = 20 * 1024; # 50GiB
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
zramSwap = {
|
||||||
|
enable = true;
|
||||||
|
memoryPercent = 100;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.useNetworkd = true;
|
||||||
|
|
||||||
|
systemd.network = {
|
||||||
|
netdevs = {
|
||||||
|
"40-uplink" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Kind = "bond";
|
||||||
|
Name = "uplink";
|
||||||
|
};
|
||||||
|
bondConfig = {
|
||||||
|
Mode = "802.3ad";
|
||||||
|
TransmitHashPolicy = "layer3+4";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
networks = {
|
||||||
|
"40-eno1" = {
|
||||||
|
name = "eno1";
|
||||||
|
bond = [ "uplink" ];
|
||||||
|
};
|
||||||
|
"40-eno2" = {
|
||||||
|
name = "eno2";
|
||||||
|
bond = [ "uplink" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
networking.interfaces.uplink.ipv6.addresses = [
|
||||||
|
{ address = "2a01:584:11::1:11"; prefixLength = 64; }
|
||||||
|
];
|
||||||
|
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
|
||||||
|
|
||||||
|
services.coredns = {
|
||||||
|
enable = true;
|
||||||
|
config = ''
|
||||||
|
. {
|
||||||
|
bind lo
|
||||||
|
forward . 2001:4860:4860::6464
|
||||||
|
template ANY A { rcode NOERROR }
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
services.resolved.enable = false;
|
||||||
|
networking.resolvconf.useLocalResolver = true;
|
||||||
|
}
|
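Review bot: in `swapDevices`, `size = 20 * 1024; # 50GiB` contradicts itself. `size` is given in MiB, so this creates a 20 GiB swapfile while the comment says 50GiB. Please fix whichever of the two is wrong.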
27
hosts/build01-aarch64-lix/default.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{ ... }: {
|
||||||
|
networking.hostName = "build01";
|
||||||
|
networking.domain = "aarch64.lix.systems";
|
||||||
|
|
||||||
|
# Those free sweet VMs.
|
||||||
|
bagel.hardware.oracle-vm = {
|
||||||
|
enable = true;
|
||||||
|
system = "aarch64-linux";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/a333323c-99f0-4258-8f68-496858d56f71";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/3E74-C937";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
bagel.builders.extra-build-capacity.provider.enable = true;
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "build01.aarch64.lix.systems";
|
||||||
|
}
|
71
hosts/buildbot-lix/default.nix
Normal file
|
@ -0,0 +1,71 @@
|
||||||
|
# Configuration for a virtual machine in Raito's micro-DC basement.
|
||||||
|
# 32 vCPU (2014 grade Xeon though)
|
||||||
|
# 32GB RAM
|
||||||
|
# 30GB SSD
|
||||||
|
# 500GB HDD
|
||||||
|
# All specifications can be upgraded to a certain extent, just ask Raito.
|
||||||
|
# Hosts the coordinator for Buildbot.
|
||||||
|
#
|
||||||
|
# vim: et:ts=2:sw=2:
|
||||||
|
#
|
||||||
|
{ lib, modulesPath, ... }: {
|
||||||
|
networking.hostName = "buildbot";
|
||||||
|
networking.domain = "lix.systems";
|
||||||
|
|
||||||
|
zramSwap.enable = true;
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# Buildbot is proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "BC:24:11:75:62:42";
|
||||||
|
wan = {
|
||||||
|
mac = "BC:24:11:B2:5F:2E";
|
||||||
|
address = "2001:bc8:38ee:100::200/56";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
|
bagel.services.buildbot = {
|
||||||
|
enable = true;
|
||||||
|
domain = "buildbot.lix.systems";
|
||||||
|
gerrit =
|
||||||
|
{
|
||||||
|
domain = "gerrit.lix.systems";
|
||||||
|
port = 2022;
|
||||||
|
username = "buildbot";
|
||||||
|
};
|
||||||
|
cors.allowedOrigins = [
|
||||||
|
"https://*.lix.systems"
|
||||||
|
];
|
||||||
|
projects = [
|
||||||
|
"lix"
|
||||||
|
"lix-installer"
|
||||||
|
];
|
||||||
|
buildSystems = [
|
||||||
|
"x86_64-linux"
|
||||||
|
"aarch64-linux"
|
||||||
|
"aarch64-darwin"
|
||||||
|
# Too slow.
|
||||||
|
/* "x86_64-darwin" */
|
||||||
|
];
|
||||||
|
# Lix is not allowed to use yet Floral's x86_64 builders for now.
|
||||||
|
builders = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# This machine does not use /nix from btrfs, and instead uses a store on a bigger disk.
|
||||||
|
fileSystems."/nix" =
|
||||||
|
lib.mkForce
|
||||||
|
{ device = "/dev/disk/by-uuid/1815ca49-d0b0-4b99-8aec-0d790498ba6f";
|
||||||
|
fsType = "xfs";
|
||||||
|
neededForBoot = true;
|
||||||
|
options = [ "relatime" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "buildbot.lix.systems";
|
||||||
|
}
|
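Review bot: `cors.allowedOrigins = [ "https://*.lix.systems" ]` in the `bagel.services.buildbot` block accepts every host under lix.systems as a CORS origin for the Buildbot coordinator. List the origins that actually need cross-origin access instead of the wildcard. Separately, `buildSystems` names three systems while `builders = [ ]`, so a comment saying where those builds run would help, and `modulesPath` in the argument set is unused.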
54
hosts/buildbot/default.nix
Executable file
|
@ -0,0 +1,54 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
nodes,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
networking.hostName = "buildbot";
|
||||||
|
# TODO: make it the default
|
||||||
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# Buildbot is proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "BC:24:11:E7:42:8B";
|
||||||
|
wan = {
|
||||||
|
address = "2001:bc8:38ee:100:1000::50/64";
|
||||||
|
mac = "BC:24:11:C9:BA:6C";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
bagel.services.buildbot = {
|
||||||
|
enable = true;
|
||||||
|
domain = "buildbot.forkos.org";
|
||||||
|
gerrit =
|
||||||
|
let
|
||||||
|
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
domain = cfgGerrit.canonicalDomain;
|
||||||
|
port = cfgGerrit.port;
|
||||||
|
username = "buildbot";
|
||||||
|
};
|
||||||
|
cors.allowedOrigins = [
|
||||||
|
"https://*.forkos.org"
|
||||||
|
];
|
||||||
|
projects = [
|
||||||
|
"buildbot-test"
|
||||||
|
"nixpkgs"
|
||||||
|
"infra"
|
||||||
|
];
|
||||||
|
builders = [ "builder-9" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "buildbot.infra.forkos.org";
|
||||||
|
}
|
|
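Review bot: `cors.allowedOrigins = [ "https://*.forkos.org" ]` admits every host under forkos.org as a CORS origin, and on this page alone that zone carries `status`, `news`, `cache`, `hydra` and `cl`. Name the origins that need cross-origin access to Buildbot instead. The file is also added with the executable bit set (`Executable file`), which a Nix module does not need, and `config`, `lib` and `pkgs` are unused in the argument set.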
@ -1,46 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
networking.hostName = "gerrit01";
|
|
||||||
# TODO: make it the default
|
|
||||||
networking.domain = "infra.forkos.org";
|
|
||||||
|
|
||||||
time.timeZone = "Europe/Paris";
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
|
||||||
# Gerrit is proxied.
|
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
|
||||||
bagel.hardware.raito-vm = {
|
|
||||||
enable = true;
|
|
||||||
networking = {
|
|
||||||
nat-lan-mac = "bc:24:11:f7:29:6c";
|
|
||||||
wan = {
|
|
||||||
address = "2001:bc8:38ee:100:1000::10/64";
|
|
||||||
mac = "bc:24:11:4a:9d:32";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
bagel.meta.monitoring.address = "gerrit01.infra.forkos.org";
|
|
||||||
|
|
||||||
fileSystems."/gerrit-data" = {
|
|
||||||
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
bagel.services.gerrit = {
|
|
||||||
enable = true;
|
|
||||||
domains = [
|
|
||||||
"cl.forkos.org"
|
|
||||||
];
|
|
||||||
data = "/gerrit-data";
|
|
||||||
};
|
|
||||||
|
|
||||||
i18n.defaultLocale = "fr_FR.UTF-8";
|
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "gerrit01.infra.forkos.org";
|
|
||||||
}
|
|
29
hosts/fodwatch/default.nix
Executable file
|
@ -0,0 +1,29 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
networking.hostName = "fodwatch";
|
||||||
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# Fodwatch will be proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "BC:24:11:F2:17:F8";
|
||||||
|
wan = {
|
||||||
|
address = "2001:bc8:38ee:100:1000::30/64";
|
||||||
|
mac = "BC:24:11:69:74:D0";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "fodwatch.infra.forkos.org";
|
||||||
|
}
|
151
hosts/gerrit01/default.nix
Executable file
|
@ -0,0 +1,151 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
networking.hostName = "gerrit01";
|
||||||
|
# TODO: make it the default
|
||||||
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# Gerrit is proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "bc:24:11:f7:29:6c";
|
||||||
|
wan = {
|
||||||
|
address = "2001:bc8:38ee:100:1000::10/64";
|
||||||
|
mac = "bc:24:11:4a:9d:32";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Block all these crawlers!!
|
||||||
|
bagel.services.nginx.crawler-blocker.enable = true;
|
||||||
|
|
||||||
|
fileSystems."/gerrit-data" = {
|
||||||
|
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
bagel.services.gerrit = {
|
||||||
|
enable = true;
|
||||||
|
pyroscope.enable = true;
|
||||||
|
domains = [
|
||||||
|
"cl.forkos.org"
|
||||||
|
];
|
||||||
|
canonicalDomain = "cl.forkos.org";
|
||||||
|
data = "/gerrit-data";
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets.ows-deploy-key = {
|
||||||
|
file = ../../secrets/floral/ows-deploy-key.age;
|
||||||
|
mode = "0600";
|
||||||
|
owner = "git";
|
||||||
|
group = "git";
|
||||||
|
};
|
||||||
|
bagel.nixpkgs.one-way-sync =
|
||||||
|
let
|
||||||
|
mkNixpkgsJob = { timer, fromRefspec, localRefspec ? fromRefspec }: {
|
||||||
|
fromUri = "https://github.com/NixOS/nixpkgs";
|
||||||
|
inherit fromRefspec localRefspec timer;
|
||||||
|
};
|
||||||
|
mkLocalJob = { timer, fromRefspec, localRefspec }: {
|
||||||
|
fromUri = "https://cl.forkos.org/nixpkgs";
|
||||||
|
inherit fromRefspec localRefspec timer;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
|
||||||
|
deployKeyPath = config.age.secrets.ows-deploy-key.path;
|
||||||
|
|
||||||
|
# Sync main -> staging-next -> staging
|
||||||
|
branches."main-to-staging-next" = mkLocalJob {
|
||||||
|
timer = "00/8:20:00"; # every 8 hours, 20 minutes past the full hour
|
||||||
|
fromRefspec = "main";
|
||||||
|
localRefspec = "staging-next";
|
||||||
|
};
|
||||||
|
branches."staging-next-to-staging" = mkLocalJob {
|
||||||
|
timer = "00/8:40:00"; # every 8 hours, 40 minutes past the full hour
|
||||||
|
fromRefspec = "staging-next";
|
||||||
|
localRefspec = "staging";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Sync nixpkgs -> fork
|
||||||
|
branches."nixpkgs-master" = mkNixpkgsJob {
|
||||||
|
timer = "hourly";
|
||||||
|
fromRefspec = "master";
|
||||||
|
localRefspec = "main";
|
||||||
|
};
|
||||||
|
|
||||||
|
branches."nixpkgs-staging" = mkNixpkgsJob {
|
||||||
|
timer = "hourly";
|
||||||
|
fromRefspec = "staging";
|
||||||
|
};
|
||||||
|
|
||||||
|
branches."nixpkgs-release-24.05" = mkNixpkgsJob {
|
||||||
|
timer = "hourly";
|
||||||
|
fromRefspec = "release-24.05";
|
||||||
|
};
|
||||||
|
|
||||||
|
branches."nixpkgs-staging-24.05" = mkNixpkgsJob {
|
||||||
|
timer = "hourly";
|
||||||
|
fromRefspec = "staging-24.05";
|
||||||
|
};
|
||||||
|
|
||||||
|
branches."nixpkgs-release-23.11" = mkNixpkgsJob {
|
||||||
|
timer = "hourly";
|
||||||
|
fromRefspec = "release-23.11";
|
||||||
|
};
|
||||||
|
|
||||||
|
branches."nixpkgs-staging-23.11" = mkNixpkgsJob {
|
||||||
|
timer = "hourly";
|
||||||
|
fromRefspec = "staging-23.11";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Testing jobs for personal sandbox branches
|
||||||
|
branches."raito-unstable-sync" = {
|
||||||
|
fromUri = "https://github.com/NixOS/nixpkgs";
|
||||||
|
fromRefspec = "nixos-unstable-small";
|
||||||
|
localRefspec = "sandbox/raito/raito-unstable-small";
|
||||||
|
timer = "*-*-* 12:00:00";
|
||||||
|
};
|
||||||
|
|
||||||
|
branches."raito-release-sync" = {
|
||||||
|
fromUri = "https://github.com/NixOS/nixpkgs";
|
||||||
|
fromRefspec = "nixos-24.05";
|
||||||
|
localRefspec = "sandbox/raito/raito-nixos-24.05";
|
||||||
|
timer = "daily";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets.s3-channel-staging-keys.file = ../../secrets/floral/s3-channel-staging-keys.age;
|
||||||
|
bagel.nixpkgs.channel-scripts = {
|
||||||
|
enable = true;
|
||||||
|
otlp.enable = true;
|
||||||
|
nixpkgsUrl = "https://cl.forkos.org/nixpkgs.git";
|
||||||
|
hydraUrl = "https://hydra.forkos.org";
|
||||||
|
binaryCacheUrl = "https://cache.forkos.org";
|
||||||
|
baseUriForGitRevisions = "https://cl.forkos.org/plugins/gitiles/nixpkgs/+";
|
||||||
|
s3 = {
|
||||||
|
release = "bagel-channel-scripts-test";
|
||||||
|
channel = "bagel-channel-scripts-test";
|
||||||
|
};
|
||||||
|
releaseBucketCredentialsFile = config.age.secrets.s3-channel-staging-keys.path;
|
||||||
|
deployKeyFile = config.age.secrets.priv-ssh-key.path;
|
||||||
|
extraArgs = [
|
||||||
|
"--bypass-preflight-checks"
|
||||||
|
];
|
||||||
|
channels = import ../../common/channels.nix;
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "gerrit01.infra.forkos.org";
|
||||||
|
}
|
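Review bot: `deployKeyFile = config.age.secrets.priv-ssh-key.path;` in `bagel.nixpkgs.channel-scripts` refers to an `age.secrets.priv-ssh-key` that this file never declares (only `ows-deploy-key` and `s3-channel-staging-keys` are defined here). Declare it next to the other two with an explicit `owner` and `mode`, or add a comment naming the module that provides it. `s3-channel-staging-keys` is declared without `owner` or `mode`, unlike `ows-deploy-key`, so say which user the channel-scripts service reads it as. `extraArgs = [ "--bypass-preflight-checks" ]` needs a comment on why the checks are skipped and when the flag goes away.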
47
hosts/git/default.nix
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
let
|
||||||
|
ipv6 = {
|
||||||
|
openssh ="2001:bc8:38ee:100:1000::41";
|
||||||
|
forgejo = "2001:bc8:38ee:100:1000::40";
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
networking.hostName = "git";
|
||||||
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# Forgejo will be proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "BC:24:11:83:71:56";
|
||||||
|
wan = {
|
||||||
|
address = "${ipv6.forgejo}/64";
|
||||||
|
mac = "BC:24:11:0B:8A:81";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Add one additional IPv6, so we can have both OpenSSH and
|
||||||
|
# Forgejo's built-in server bind on port :22.
|
||||||
|
systemd.network.networks."10-wan".networkConfig.Address = [ "${ipv6.openssh}/64" ];
|
||||||
|
services.openssh.listenAddresses = [{
|
||||||
|
addr = "[${ipv6.openssh}]";
|
||||||
|
}];
|
||||||
|
# Defaults to network.target, but networkd may take a while to settle and set up
|
||||||
|
# the required (additional) IPv6 address, leading to sshd to not being able to
|
||||||
|
# bind to the requested IP, crashing 5 times and running into the default
|
||||||
|
# restart counter limit (5).
|
||||||
|
systemd.services.sshd.wants = [ "network-online.target" ];
|
||||||
|
systemd.services.sshd.after = [ "network-online.target" ];
|
||||||
|
|
||||||
|
bagel.services.forgejo = {
|
||||||
|
enable = true;
|
||||||
|
sshBindAddr = ipv6.forgejo;
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "git.infra.forkos.org";
|
||||||
|
}
|
|
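Review bot: `deployment.targetHost = "git.infra.forkos.org"` is a hostname, while sshd is restricted by `services.openssh.listenAddresses` to `ipv6.openssh` (`::41`) and the WAN address given to Forgejo is `ipv6.forgejo` (`::40`). If that name resolves to `::40`, deploys and admin logins reach Forgejo's built-in SSH server on port 22 instead of OpenSSH. Either set `targetHost` from `ipv6.openssh` or add a comment stating which address the DNS record must point at. Minor: `openssh ="2001:...` is missing the space after `=`.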
@ -2,8 +2,6 @@
|
||||||
networking.hostName = "meta01";
|
networking.hostName = "meta01";
|
||||||
networking.domain = "infra.forkos.org";
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
time.timeZone = "Europe/Paris";
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
bagel.sysadmin.enable = true;
|
||||||
# netbox is proxied.
|
# netbox is proxied.
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
@ -21,10 +19,18 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "netbox.forkos.org";
|
domain = "netbox.forkos.org";
|
||||||
};
|
};
|
||||||
bagel.meta.monitoring.address = "meta01.infra.forkos.org";
|
|
||||||
bagel.services.prometheus.enable = true;
|
bagel.services.prometheus.enable = true;
|
||||||
bagel.services.loki.enable = true;
|
bagel.services.loki.enable = true;
|
||||||
bagel.services.grafana.enable = true;
|
bagel.services.grafana.enable = true;
|
||||||
|
bagel.services.grapevine.enable = true;
|
||||||
|
bagel.services.pyroscope.enable = true;
|
||||||
|
bagel.services.tempo.enable = true;
|
||||||
|
bagel.services.hookshot = {
|
||||||
|
enable = true;
|
||||||
|
admins = [
|
||||||
|
"@k900:0upti.me"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
i18n.defaultLocale = "fr_FR.UTF-8";
|
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||||
|
|
50
hosts/public01/default.nix
Executable file
|
@ -0,0 +1,50 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
networking.hostName = "public01";
|
||||||
|
# TODO: make it the default
|
||||||
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
bagel.status = {
|
||||||
|
enable = true;
|
||||||
|
domain = "status.forkos.org";
|
||||||
|
};
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# Newsletter is proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.newsletter = {
|
||||||
|
enable = true;
|
||||||
|
domain = "news.forkos.org";
|
||||||
|
};
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "BC:24:11:A4:F7:D3";
|
||||||
|
wan = {
|
||||||
|
address = "2001:bc8:38ee:100:1000::60/64";
|
||||||
|
mac = "BC:24:11:DB:B8:10";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
bagel.services.s3-revproxy = {
|
||||||
|
enable = true;
|
||||||
|
domain = "forkos.org";
|
||||||
|
s3.apiUrl = "s3.delroth.net";
|
||||||
|
targets = {
|
||||||
|
channels = "bagel-channels";
|
||||||
|
releases = "bagel-releases";
|
||||||
|
channel-scripts-test = "bagel-channel-scripts-test";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "public01.infra.forkos.org";
|
||||||
|
}
|
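Review bot: in `bagel.services.s3-revproxy.targets`, `channel-scripts-test = "bagel-channel-scripts-test"` sits in the same set as `channels` and `releases` under `domain = "forkos.org"`. If every target is served publicly, is exposing the test bucket intended? A comment saying so, or dropping the entry until it is needed, would settle it. `s3.apiUrl = "s3.delroth.net"` also deserves a one-line comment on who operates that endpoint.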
126
hosts/wob-vpn-gw/default.nix
Normal file
|
@ -0,0 +1,126 @@
|
||||||
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./netboot.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
###### Hardware ######
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
|
||||||
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
|
|
||||||
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/58688a5c-e3ce-4868-804b-4e34d1370f36";
|
||||||
|
fsType = "f2fs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/38caa628-3b6d-4fb4-8767-beee09a196a6";
|
||||||
|
fsType = "ext2";
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = "x86_64-linux";
|
||||||
|
|
||||||
|
hardware.cpu.amd.updateMicrocode = true;
|
||||||
|
|
||||||
|
# Enable serial output
|
||||||
|
boot.loader.grub.extraConfig = ''
|
||||||
|
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
|
||||||
|
terminal_input serial
|
||||||
|
terminal_output serial
|
||||||
|
'';
|
||||||
|
boot.kernelParams = [
|
||||||
|
"console=ttyS0,115200"
|
||||||
|
"console=tty1"
|
||||||
|
];
|
||||||
|
|
||||||
|
###### Config #######
|
||||||
|
|
||||||
|
boot.initrd.systemd.enable = true;
|
||||||
|
|
||||||
|
networking.useNetworkd = true;
|
||||||
|
|
||||||
|
systemd.network = {
|
||||||
|
netdevs = {
|
||||||
|
"40-uplink" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Kind = "bond";
|
||||||
|
Name = "uplink";
|
||||||
|
};
|
||||||
|
bondConfig = {
|
||||||
|
Mode = "802.3ad";
|
||||||
|
TransmitHashPolicy = "layer3+4";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"40-oob" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Kind = "bond";
|
||||||
|
Name = "oob";
|
||||||
|
};
|
||||||
|
bondConfig = {
|
||||||
|
Mode = "802.3ad";
|
||||||
|
TransmitHashPolicy = "layer3+4";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
networks = {
|
||||||
|
"40-enp1s0" = {
|
||||||
|
name = "enp1s0";
|
||||||
|
bond = [ "uplink" ];
|
||||||
|
};
|
||||||
|
"40-enp2s0" = {
|
||||||
|
name = "enp2s0";
|
||||||
|
bond = [ "uplink" ];
|
||||||
|
};
|
||||||
|
"40-enp3s0" = {
|
||||||
|
name = "enp3s0";
|
||||||
|
bond = [ "oob" ];
|
||||||
|
};
|
||||||
|
"40-enp4s0" = {
|
||||||
|
name = "enp4s0";
|
||||||
|
bond = [ "oob" ];
|
||||||
|
};
|
||||||
|
} // lib.listToAttrs (map (x: lib.nameValuePair "40-bmc${toString x}" {
|
||||||
|
name = "bmc${toString x}";
|
||||||
|
address = [ "192.168.1.${toString (x*4 + 1)}/30" ];
|
||||||
|
#address = [ "192.168.${toString x}.1/24" ];
|
||||||
|
networkConfig.DHCPServer = true;
|
||||||
|
}) (lib.genList lib.id 12));
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.nftables.enable = true;
|
||||||
|
networking.firewall.extraInputRules = ''
|
||||||
|
iifname { "bmc*" } meta nfproto ipv4 udp dport 67 accept comment "DHCP server"
|
||||||
|
'';
|
||||||
|
|
||||||
|
networking.vlans = lib.listToAttrs (map (x: lib.nameValuePair "bmc${toString x}" {
|
||||||
|
interface = "oob";
|
||||||
|
id = 101 + x;
|
||||||
|
}) (lib.genList lib.id 12));
|
||||||
|
|
||||||
|
networking.interfaces = {
|
||||||
|
uplink = {
|
||||||
|
ipv6.addresses = [
|
||||||
|
{
|
||||||
|
address = "2a01:584:11::2";
|
||||||
|
prefixLength = 64;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
|
||||||
|
|
||||||
|
networking.hostName = "vpn-gw";
|
||||||
|
networking.domain = "wob01.infra.forkos.org";
|
||||||
|
|
||||||
|
deployment.targetHost = "2a01:584:11::2";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
|
||||||
|
environment.systemPackages = [ pkgs.ipmitool ];
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
}
|
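Review bot: the BMC addressing in `systemd.network.networks` (`192.168.1.${toString (x*4 + 1)}/30`, VLAN `101 + x`) depends on `lib.genList lib.id 12`, which appears twice in this file, and is mirrored by `num * 4 + 2` in netboot.nix with no comment tying them together. Put the count and the /30 layout in one `let` binding with a comment, and drop the commented-out `#address` line. `boot.loader.grub.device = "/dev/sda"` is the only device here not referenced by a stable identifier.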
61
hosts/wob-vpn-gw/netboot.nix
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
{ config, lib, pkgs, nodes, modulesPath, ... }:
|
||||||
|
|
||||||
|
# The way the connection is established is specific to the wob01 site and the Intel S2600KPR blades.
|
||||||
|
# Proper netboot is not possible, because while the blades and the APU board (which is the netboot
|
||||||
|
# server here) are in the same L2 network, the uplink connection of each blade is an LACP LAG,
|
||||||
|
# meaning that the switch on the other side will only enable the port if it sees valid LACP packets.
|
||||||
|
# We work around this by presenting a virtual floppy drive using the "IUSB" protocol of the BMC.
|
||||||
|
# This virtual floppy drive contains an per-blade customized initramfs which will initialize the
|
||||||
|
# network connection including IP configuration and load the actual image off hydra.
|
||||||
|
|
||||||
|
let
|
||||||
|
netboot-server-ip = "2a01:584:11::2";
|
||||||
|
netbootNodes = lib.filterAttrs (_: node: node.config.bagel.baremetal.builders.enable && node.config.bagel.baremetal.builders.netboot) nodes;
|
||||||
|
in {
|
||||||
|
|
||||||
|
assertions = [
|
||||||
|
{
|
||||||
|
assertion = !(lib.elem 443 config.networking.firewall.allowedTCPPorts);
|
||||||
|
message = ''
|
||||||
|
Port 443 is in networking.firewalls.allowedTCPPorts, but should be only manually
|
||||||
|
allowed for specific IPs and source ports in ${builtins.toJSON __curPos}
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.services = lib.mapAttrs' (nodename: node: let
|
||||||
|
bmcIp = "192.168.1.${toString (node.config.bagel.baremetal.builders.num * 4 + 2)}";
|
||||||
|
notipxe = node.config.system.build.notipxe.config.system.build.usbImage;
|
||||||
|
in lib.nameValuePair "iusb-spoof-${nodename}" {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "always";
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
|
AUTH_TOKEN=$(${pkgs.iusb-spoof}/bin/make-token ${bmcIp})
|
||||||
|
exec ${pkgs.iusb-spoof}/bin/iusb-spoof -r ${bmcIp} 5123 $AUTH_TOKEN ${notipxe}
|
||||||
|
'';
|
||||||
|
}) netbootNodes;
|
||||||
|
|
||||||
|
# Since the builders are stateless, they can not store their ssh hostkeys
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 ]; # for ACME
|
||||||
|
networking.firewall.extraInputRules = ''
|
||||||
|
ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
|
||||||
|
'';
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts."vpn-gw.wob01.infra.forkos.org" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations = lib.mapAttrs' (nodename: node: let
|
||||||
|
ip = "2a01:584:11::1:${toString node.config.bagel.baremetal.builders.num}";
|
||||||
|
in lib.nameValuePair "/${nodename}/" {
|
||||||
|
root = "/var/www";
|
||||||
|
extraConfig = ''
|
||||||
|
allow ${ip};
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
}) netbootNodes;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
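Review bot: access to the per-node `locations` rests entirely on network position, namely the nftables rule `ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;` plus nginx `allow ${ip}; deny all;`. State that trust assumption in a comment, and finish the comment `# Since the builders are stateless, they can not store their ssh hostkeys`, which stops before saying what is served from `/var/www`. The assertion message names `networking.firewalls.allowedTCPPorts` where the option is `networking.firewall.allowedTCPPorts`, and `$AUTH_TOKEN` in the `iusb-spoof-${nodename}` script is unquoted.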
14
lib/colmena-wrapper.nix
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
# A wrapper for colmena that prevents accidentally deploying changes without
|
||||||
|
# having pulled.
|
||||||
|
{ colmena, runCommandNoCC }:
|
||||||
|
runCommandNoCC "colmena-wrapper"
|
||||||
|
{
|
||||||
|
env.colmena = "${colmena}/bin/colmena";
|
||||||
|
} ''
|
||||||
|
mkdir -p $out
|
||||||
|
ln -s ${colmena}/share $out/share
|
||||||
|
mkdir $out/bin
|
||||||
|
|
||||||
|
substituteAll ${./colmena-wrapper.sh.in} $out/bin/colmena
|
||||||
|
chmod +x $out/bin/colmena
|
||||||
|
''
|
29
lib/colmena-wrapper.sh.in
Executable file
|
@ -0,0 +1,29 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
doChecks() {
|
||||||
|
# creates refs in the refs/prefetch/remotes/origin namespace
|
||||||
|
echo "Prefetching repo changes..." >&2
|
||||||
|
git fetch --quiet --prefetch --no-write-fetch-head origin
|
||||||
|
|
||||||
|
diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
|
||||||
|
only_in_local=$(echo "$diffs" | cut -f1)
|
||||||
|
only_in_main=$(echo "$diffs" | cut -f2)
|
||||||
|
|
||||||
|
if [[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]; then
|
||||||
|
echo >&2
|
||||||
|
echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
|
||||||
|
echo "This will probably revert someone's changes. Consider merging them." >&2
|
||||||
|
echo "If you really mean it, set the environment variable FOOTGUN_ME_UWU" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $only_in_local -gt 0 ]]; then
|
||||||
|
echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
if [[ $1 == 'apply' ]]; then
|
||||||
|
doChecks
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec @colmena@ "$@"
|
|
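Review bot: `[[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]` in `doChecks` expands the variable before `-v` sees it, so the test asks whether a variable named after its value is set, and the override only takes effect when that value happens to be the name of a set variable. Use `! -v FOOTGUN_ME_UWU`. The check also fails open: if `git fetch` or `git rev-list` fails, `diffs` is empty, `$only_in_main` evaluates as 0 and the deploy proceeds, so test their exit status and abort. `$1 == 'apply'` misses invocations where an option precedes the subcommand.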
@ -1,3 +1,9 @@
|
||||||
[
|
[
|
||||||
(import ./gerrit.nix)
|
(final: prev: {
|
||||||
|
iusb-spoof = final.callPackage ./iusb-spoof.nix {};
|
||||||
|
u-root = final.callPackage ./u-root {};
|
||||||
|
pyroscope = final.callPackage ./pyroscope {};
|
||||||
|
s3-revproxy = final.callPackage ./s3-revproxy {};
|
||||||
|
git-gc-preserve = final.callPackage ./git-gc-preserve {};
|
||||||
|
})
|
||||||
]
|
]
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
self: super: {
|
|
||||||
buildGerrit = self.callPackage ../pkgs/gerrit { };
|
|
||||||
gerrit = self.buildGerrit { };
|
|
||||||
buildGerritBazelPlugin = self.callPackage ../pkgs/gerrit_plugins/builder.nix {
|
|
||||||
inherit (self) buildGerrit;
|
|
||||||
};
|
|
||||||
gerritPlugins = {
|
|
||||||
code-owners = self.callPackage ../pkgs/gerrit_plugins/code-owners { };
|
|
||||||
oauth = self.callPackage ../pkgs/gerrit_plugins/oauth { };
|
|
||||||
};
|
|
||||||
}
|
|
9
overlays/git-gc-preserve/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{ writeShellApplication, git, nettools }:
|
||||||
|
|
||||||
|
writeShellApplication {
|
||||||
|
name = "git-gc-preserve";
|
||||||
|
|
||||||
|
runtimeInputs = [ git nettools ];
|
||||||
|
|
||||||
|
text = (builtins.readFile ./script.sh);
|
||||||
|
}
|
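Review bot: `runtimeInputs = [ git nettools ]` does not cover everything `script.sh` calls: `lock()` uses `flock`, and `prune_preserved` uses `find` and `wc`. Add `util-linux`, `findutils` and `coreutils` so the script does not depend on the caller's PATH. `writeShellApplication` also turns on `nounset`, which the script's `set +o errexit` does not undo, and `lock()` expands `$USER`, so the script aborts when the caller's environment does not set it.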
132
overlays/git-gc-preserve/script.sh
Normal file
|
@ -0,0 +1,132 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set +o errexit
|
||||||
|
# Copyright (C) 2022 The Android Open Source Project
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
usage() { # exit code
|
||||||
|
cat <<-EOF
|
||||||
|
NAME
|
||||||
|
git-gc-preserve - Run git gc and preserve old packs to avoid races for JGit
|
||||||
|
SYNOPSIS
|
||||||
|
git gc-preserve
|
||||||
|
DESCRIPTION
|
||||||
|
Runs git gc and can preserve old packs to avoid races with concurrently
|
||||||
|
executed commands in JGit.
|
||||||
|
This command uses custom git config options to configure if preserved packs
|
||||||
|
from the last run of git gc should be pruned and if packs should be preserved.
|
||||||
|
This is similar to the implementation in JGit [1] which is used by
|
||||||
|
JGit to avoid errors [2] in such situations.
|
||||||
|
The command prevents concurrent runs of the command on the same repository
|
||||||
|
by acquiring an exclusive file lock on the file
|
||||||
|
"\$repopath/gc-preserve.pid"
|
||||||
|
If it cannot acquire the lock it fails immediately with exit code 3.
|
||||||
|
Failure Exit Codes
|
||||||
|
1: General failure
|
||||||
|
2: Couldn't determine repository path. If the current working directory
|
||||||
|
is outside of the working tree of the git repository use git option
|
||||||
|
--git-dir to pass the root path of the repository.
|
||||||
|
E.g.
|
||||||
|
$ git --git-dir ~/git/foo gc-preserve
|
||||||
|
3: Another process already runs $0 on the same repository
|
||||||
|
[1] https://git.eclipse.org/r/c/jgit/jgit/+/87969
|
||||||
|
[2] https://git.eclipse.org/r/c/jgit/jgit/+/122288
|
||||||
|
CONFIGURATION
|
||||||
|
"pack.prunepreserved": if set to "true" preserved packs from the last gc run
|
||||||
|
are pruned before current packs are preserved.
|
||||||
|
"pack.preserveoldpacks": if set to "true" current packs will be hard linked
|
||||||
|
to objects/pack/preserved before git gc is executed. JGit will
|
||||||
|
fallback to the preserved packs in this directory in case it comes
|
||||||
|
across missing objects which might be caused by a concurrent run of
|
||||||
|
git gc.
|
||||||
|
EOF
|
||||||
|
exit "$1"
|
||||||
|
}
|
||||||
|
# acquire file lock, unlock when the script exits
|
||||||
|
lock() { # repo
|
||||||
|
readonly LOCKFILE="$1/gc-preserve.pid"
|
||||||
|
test -f "$LOCKFILE" || touch "$LOCKFILE"
|
||||||
|
exec 9> "$LOCKFILE"
|
||||||
|
if flock -nx 9; then
|
||||||
|
echo -n "$$ $USER@$(hostname)" >&9
|
||||||
|
trap unlock EXIT
|
||||||
|
else
|
||||||
|
echo "$0 is already running"
|
||||||
|
exit 3
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
unlock() {
|
||||||
|
# only delete if the file descriptor 9 is open
|
||||||
|
if { : >&9 ; } &> /dev/null; then
|
||||||
|
rm -f "$LOCKFILE"
|
||||||
|
fi
|
||||||
|
# close the file handle to release file lock
|
||||||
|
exec 9>&-
|
||||||
|
}
|
||||||
|
# prune preserved packs if pack.prunepreserved == true
|
||||||
|
prune_preserved() { # repo
|
||||||
|
configured=$(git --git-dir="$1" config --get pack.prunepreserved)
|
||||||
|
if [ "$configured" != "true" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
local preserved=$1/objects/pack/preserved
|
||||||
|
if [ -d "$preserved" ]; then
|
||||||
|
printf "Pruning old preserved packs: "
|
||||||
|
count=$(find "$preserved" -name "*.old-pack" | wc -l)
|
||||||
|
rm -rf "$preserved"
|
||||||
|
echo "$count, done."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
# preserve packs if pack.preserveoldpacks == true
|
||||||
|
preserve_packs() { # repo
|
||||||
|
configured=$(git --git-dir="$1" config --get pack.preserveoldpacks)
|
||||||
|
if [ "$configured" != "true" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
local packdir=$1/objects/pack
|
||||||
|
pushd "$packdir" >/dev/null || exit 1
|
||||||
|
mkdir -p preserved
|
||||||
|
printf "Preserving packs: "
|
||||||
|
count=0
|
||||||
|
for file in pack-*{.pack,.idx} ; do
|
||||||
|
ln -f "$file" preserved/"$(get_preserved_packfile_name "$file")"
|
||||||
|
if [[ "$file" == pack-*.pack ]]; then
|
||||||
|
((count++))
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo "$count, done."
|
||||||
|
popd >/dev/null || exit 1
|
||||||
|
}
|
||||||
|
# pack-0...2.pack to pack-0...2.old-pack
|
||||||
|
# pack-0...2.idx to pack-0...2.old-idx
|
||||||
|
get_preserved_packfile_name() { # packfile > preserved_packfile
|
||||||
|
local old=${1/%\.pack/.old-pack}
|
||||||
|
old=${old/%\.idx/.old-idx}
|
||||||
|
echo "$old"
|
||||||
|
}
|
||||||
|
# main
|
||||||
|
while [ $# -gt 0 ] ; do
|
||||||
|
case "$1" in
|
||||||
|
-u|-h) usage 0 ;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
args=$(git rev-parse --sq-quote "$@")
|
||||||
|
repopath=$(git rev-parse --git-dir)
|
||||||
|
if [ -z "$repopath" ]; then
|
||||||
|
usage 2
|
||||||
|
fi
|
||||||
|
lock "$repopath"
|
||||||
|
prune_preserved "$repopath"
|
||||||
|
preserve_packs "$repopath"
|
||||||
|
git gc ${args:+"$args"} || { EXIT_CODE="$?"; echo "git gc failed"; exit "$EXIT_CODE"; }
|
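Review bot: the `# main` loop shifts away every argument before `args=$(git rev-parse --sq-quote "$@")` runs, so `args` is always empty and options given to `git gc-preserve` never reach `git gc`. Collect the non-help arguments inside the loop, or build `args` before it. In `lock()`, `exec 9> "$LOCKFILE"` truncates the file before `flock` is attempted, so a process that loses the race wipes the PID the holder wrote. Open with `9>>` and truncate only once the lock is held.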
23
overlays/iusb-spoof.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{ rustPlatform, python3, makeWrapper }:
|
||||||
|
let
|
||||||
|
pythonEnv = python3.withPackages (p: with p; [ requests ]);
|
||||||
|
in
|
||||||
|
|
||||||
|
rustPlatform.buildRustPackage rec {
|
||||||
|
pname = "iusb-spoof";
|
||||||
|
version = "0.1.0";
|
||||||
|
|
||||||
|
src = builtins.fetchGit {
|
||||||
|
url = "https://git.lix.systems/the-distro/iusb-spoof/";
|
||||||
|
rev = "fafd47986239cc2f4dfbbae74b17555608806581";
|
||||||
|
};
|
||||||
|
|
||||||
|
cargoLock.lockFile = src + "/Cargo.lock";
|
||||||
|
|
||||||
|
nativeBuildInputs = [ makeWrapper ];
|
||||||
|
|
||||||
|
postInstall = ''
|
||||||
|
install -Dm644 $src/make-token.py $out/opt/make-token.py
|
||||||
|
makeWrapper ${pythonEnv.interpreter} $out/bin/make-token --add-flags "$out/opt/make-token.py"
|
||||||
|
'';
|
||||||
|
}
|
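Review bot: `src` is fetched with `builtins.fetchGit` given only `url` and `rev`, so the fetch happens at evaluation time and the only integrity pin is the SHA-1 commit id; there is no content hash like the `hash = "sha256-..."` on the `fetchFromGitHub` sources elsewhere in this change. Both `Cargo.lock` and the installed `make-token.py` come out of that tree, so consider a fetcher that takes a `hash`, or add a comment saying why the builtin is needed here.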
43
overlays/pyroscope/default.nix
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
{ lib
|
||||||
|
, buildGo122Module
|
||||||
|
, fetchFromGitHub
|
||||||
|
}:
|
||||||
|
|
||||||
|
# FIXME: update, remove this pin
|
||||||
|
buildGo122Module rec {
|
||||||
|
pname = "pyroscope";
|
||||||
|
version = "1.7.1";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "grafana";
|
||||||
|
repo = "pyroscope";
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-iMP67J0Q8Cgo52iImMzAM3PEkk6uLF7r6v9TyXZVaIE=";
|
||||||
|
};
|
||||||
|
|
||||||
|
env.GOWORK = "off";
|
||||||
|
|
||||||
|
vendorHash = "sha256-ggntpnU9s2rpkv6S0LnZNexrdkBsdsUrGPc93SVrK4M=";
|
||||||
|
|
||||||
|
subPackages = [ "cmd/profilecli" "cmd/pyroscope" ];
|
||||||
|
|
||||||
|
ldflags = [
|
||||||
|
"-extldflags"
|
||||||
|
"-static"
|
||||||
|
"-s"
|
||||||
|
"-w"
|
||||||
|
"-X=github.com/grafana/pyroscope/pkg/util/build.Branch=${src.rev}"
|
||||||
|
"-X=github.com/grafana/pyroscope/pkg/util/build.Version=${version}"
|
||||||
|
"-X=github.com/grafana/pyroscope/pkg/util/build.Revision=${src.rev}"
|
||||||
|
"-X=github.com/grafana/pyroscope/pkg/util/build.BuildDate=1970-01-01T00:00:00Z"
|
||||||
|
];
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "Continuous profiling platform";
|
||||||
|
homepage = "https://github.com/grafana/pyroscope";
|
||||||
|
changelog = "https://github.com/grafana/pyroscope/blob/${src.rev}/CHANGELOG.md";
|
||||||
|
license = licenses.agpl3Only;
|
||||||
|
maintainers = with maintainers; [ raitobezarius ];
|
||||||
|
mainProgram = "pyroscope";
|
||||||
|
};
|
||||||
|
}
|
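Review bot: The `# FIXME: update, remove this pin` comment above `buildGo122Module` does not say what is pinned or why (the Go 1.22 builder, `version = "1.7.1"`, or both), nor what has to happen before the pin can go. Add the reason and a tracking reference next to the FIXME so the pin does not outlive its cause and the package is not skipped when upstream releases fixes.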
39
overlays/s3-revproxy/default.nix
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
# Originally written by Jade Lovelace for Lix.
|
||||||
|
{ lib, buildGoModule, fetchFromGitHub }:
|
||||||
|
buildGoModule rec {
|
||||||
|
pname = "s3-revproxy";
|
||||||
|
version = "4.15.0";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "oxyno-zeta";
|
||||||
|
repo = "s3-proxy";
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-q0cfAo8Uz7wtKljmSDaJ320bjg2yXydvvxubAsMKzbc=";
|
||||||
|
};
|
||||||
|
|
||||||
|
vendorHash = "sha256-dOwNQtTfOCQcjgNBV/FeWdwbW9xi1OK5YD7PBPPDKOQ=";
|
||||||
|
|
||||||
|
ldflags = [
|
||||||
|
"-X github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/version.Version=${version}"
|
||||||
|
"-X github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/version.Metadata="
|
||||||
|
];
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
# Refer to the included templates in the package instead of cwd-relative
|
||||||
|
sed -i "s#Path = \"templates/#Path = \"$out/share/s3-revproxy/templates/#" pkg/s3-proxy/config/config.go
|
||||||
|
'';
|
||||||
|
|
||||||
|
postInstall = ''
|
||||||
|
mkdir -p $out/share/s3-revproxy
|
||||||
|
cp -r templates/ $out/share/s3-revproxy/templates
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = {
|
||||||
|
description = "S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)";
|
||||||
|
homepage = "https://oxyno-zeta.github.io/s3-proxy";
|
||||||
|
# hm, not having a maintainers entry is kind of inconvenient
|
||||||
|
maintainers = [ ];
|
||||||
|
licenses = lib.licenses.asl20;
|
||||||
|
mainProgram = "s3-proxy";
|
||||||
|
};
|
||||||
|
}
|
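Review bot: In `meta`, `licenses = lib.licenses.asl20;` uses the wrong attribute name; nixpkgs reads `meta.license`, so the package ends up with no licence metadata. Also, in `postPatch` the `sed -i` rewrite of `pkg/s3-proxy/config/config.go` succeeds even when the pattern no longer matches, which after an upstream bump would leave the binary resolving `templates/` relative to its working directory again; `substituteInPlace` with `--replace-fail` turns that into a build failure instead.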
20
overlays/u-root/default.nix
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
{ buildGoModule, fetchFromGitHub }:
|
||||||
|
|
||||||
|
buildGoModule rec {
|
||||||
|
pname = "u-root";
|
||||||
|
version = "0.14.0";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "u-root";
|
||||||
|
repo = "u-root";
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-8zA3pHf45MdUcq/MA/mf0KCTxB1viHieU/oigYwIPgo=";
|
||||||
|
};
|
||||||
|
|
||||||
|
patches = [
|
||||||
|
./u-root-allow-https.patch
|
||||||
|
];
|
||||||
|
|
||||||
|
vendorHash = null;
|
||||||
|
doCheck = false;
|
||||||
|
}
|
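Review bot: `doCheck = false;` has no comment explaining why the test suite is skipped. Since this derivation also applies `./u-root-allow-https.patch` to `pkg/curl`, a line naming the tests that fail in the build sandbox would make it clear that the patched code path is not simply going untested.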
12
overlays/u-root/u-root-allow-https.patch
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
diff --git a/pkg/curl/schemes.go b/pkg/curl/schemes.go
|
||||||
|
index 8bac3bc0..cd396cbc 100644
|
||||||
|
--- a/pkg/curl/schemes.go
|
||||||
|
+++ b/pkg/curl/schemes.go
|
||||||
|
@@ -81,6 +81,7 @@ var (
|
||||||
|
DefaultSchemes = Schemes{
|
||||||
|
"tftp": DefaultTFTPClient,
|
||||||
|
"http": DefaultHTTPClient,
|
||||||
|
+ "https": DefaultHTTPClient,
|
||||||
|
"file": &LocalFileClient{},
|
||||||
|
}
|
||||||
|
)
|
|
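Review bot: The added `"https": DefaultHTTPClient,` entry in `DefaultSchemes` reuses the client registered for plain `http`, and nothing in this hunk shows how that client is configured. The patch has no description, so please record there that certificate verification is enabled for this client and that the image built from this package carries the CA roots it needs, and say whether this is a local deviation or is meant to go upstream.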
@ -0,0 +1,59 @@
|
||||||
|
diff --git a/services/repository/branch.go b/services/repository/branch.go
|
||||||
|
index e1a313749f..5a8d823eef 100644
|
||||||
|
--- a/services/repository/branch.go
|
||||||
|
+++ b/services/repository/branch.go
|
||||||
|
@@ -26,7 +26,6 @@ import (
|
||||||
|
"code.gitea.io/gitea/modules/timeutil"
|
||||||
|
webhook_module "code.gitea.io/gitea/modules/webhook"
|
||||||
|
notify_service "code.gitea.io/gitea/services/notify"
|
||||||
|
- files_service "code.gitea.io/gitea/services/repository/files"
|
||||||
|
|
||||||
|
"xorm.io/builder"
|
||||||
|
)
|
||||||
|
@@ -129,21 +128,7 @@ func loadOneBranch(ctx context.Context, repo *repo_model.Repository, dbBranch *g
|
||||||
|
p := protectedBranches.GetFirstMatched(branchName)
|
||||||
|
isProtected := p != nil
|
||||||
|
|
||||||
|
- var divergence *git.DivergeObject
|
||||||
|
-
|
||||||
|
- // it's not default branch
|
||||||
|
- if repo.DefaultBranch != dbBranch.Name && !dbBranch.IsDeleted {
|
||||||
|
- var err error
|
||||||
|
- divergence, err = files_service.CountDivergingCommits(ctx, repo, git.BranchPrefix+branchName)
|
||||||
|
- if err != nil {
|
||||||
|
- return nil, fmt.Errorf("CountDivergingCommits: %v", err)
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if divergence == nil {
|
||||||
|
- // tolerate the error that we cannot get divergence
|
||||||
|
- divergence = &git.DivergeObject{Ahead: -1, Behind: -1}
|
||||||
|
- }
|
||||||
|
+ divergence := &git.DivergeObject{Ahead: -1, Behind: -1}
|
||||||
|
|
||||||
|
pr, err := issues_model.GetLatestPullRequestByHeadInfo(ctx, repo.ID, branchName)
|
||||||
|
if err != nil {
|
||||||
|
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
|
||||||
|
index a577fed450..e102796315 100644
|
||||||
|
--- a/templates/repo/branch/list.tmpl
|
||||||
|
+++ b/templates/repo/branch/list.tmpl
|
||||||
|
@@ -102,19 +102,6 @@
|
||||||
|
{{end}}
|
||||||
|
</td>
|
||||||
|
<td class="two wide ui">
|
||||||
|
- {{if and (not .DBBranch.IsDeleted) $.DefaultBranchBranch}}
|
||||||
|
- <div class="commit-divergence">
|
||||||
|
- <div class="bar-group">
|
||||||
|
- <div class="count count-behind">{{.CommitsBehind}}</div>
|
||||||
|
- {{/* old code bears 0/0.0 = NaN output, so it might output invalid "width: NaNpx", it just works and doesn't caues any problem. */}}
|
||||||
|
- <div class="bar bar-behind" style="width: {{Eval 100 "*" .CommitsBehind "/" "(" .CommitsBehind "+" .CommitsAhead "+" 0.0 ")"}}%"></div>
|
||||||
|
- </div>
|
||||||
|
- <div class="bar-group">
|
||||||
|
- <div class="count count-ahead">{{.CommitsAhead}}</div>
|
||||||
|
- <div class="bar bar-ahead" style="width: {{Eval 100 "*" .CommitsAhead "/" "(" .CommitsBehind "+" .CommitsAhead "+" 0.0 ")"}}%"></div>
|
||||||
|
- </div>
|
||||||
|
- </div>
|
||||||
|
- {{end}}
|
||||||
|
</td>
|
||||||
|
<td class="two wide right aligned">
|
||||||
|
{{if not .LatestPullRequest}}
|
|
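Review bot: In `loadOneBranch`, the added `divergence := &git.DivergeObject{Ahead: -1, Behind: -1}` turns what used to be the error-tolerance sentinel into the only value, with no comment on the line; the reason is recorded only in pkgs/forgejo/default.nix. Add a short comment at the assignment and check that nothing else reading a branch's divergence treats -1 as a real count. The template hunk also leaves an empty `<td class="two wide ui">` cell behind, so verify the table still lines up with its header.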
@ -0,0 +1,32 @@
|
||||||
|
diff --git a/routers/web/repo/commit.go b/routers/web/repo/commit.go
|
||||||
|
index 718454e063..8fa299710c 100644
|
||||||
|
--- a/routers/web/repo/commit.go
|
||||||
|
+++ b/routers/web/repo/commit.go
|
||||||
|
@@ -408,12 +408,6 @@ func Diff(ctx *context.Context) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ctx.Data["BranchName"], err = commit.GetBranchName()
|
||||||
|
- if err != nil {
|
||||||
|
- ctx.ServerError("commit.GetBranchName", err)
|
||||||
|
- return
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
ctx.HTML(http.StatusOK, tplCommitPage)
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl
|
||||||
|
index c37fb46975..18c9cf18f8 100644
|
||||||
|
--- a/templates/repo/commit_page.tmpl
|
||||||
|
+++ b/templates/repo/commit_page.tmpl
|
||||||
|
@@ -71,8 +71,8 @@
|
||||||
|
"branchForm" "branch-dropdown-form"
|
||||||
|
"branchURLPrefix" (printf "%s/_cherrypick/%s/" $.RepoLink .CommitID) "branchURLSuffix" ""
|
||||||
|
"setAction" true "submitForm" true}}
|
||||||
|
- <form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{if $.BranchName}}{{PathEscapeSegments $.BranchName}}{{else}}{{PathEscapeSegments $.Repository.DefaultBranch}}{{end}}" id="branch-dropdown-form">
|
||||||
|
- <input type="hidden" name="ref" value="{{if $.BranchName}}{{$.BranchName}}{{else}}{{$.Repository.DefaultBranch}}{{end}}">
|
||||||
|
+ <form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{PathEscapeSegments $.Repository.DefaultBranch}}" id="branch-dropdown-form">
|
||||||
|
+ <input type="hidden" name="ref" value="{{$.Repository.DefaultBranch}}">
|
||||||
|
<input type="hidden" name="refType" value="branch">
|
||||||
|
<input type="hidden" id="cherry-pick-type" name="cherry-pick-type"><br>
|
||||||
|
<button type="submit" id="cherry-pick-submit" class="ui primary button"></button>
|
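Review bot: `ctx.Data["BranchName"]` is no longer set in `Diff`, but the template hunk only updates the two lines of the cherry-pick form. Check the rest of templates/repo/commit_page.tmpl, and any template it includes, for other `$.BranchName` uses, since those would now render empty without an error. A one-line comment in `Diff` saying the lookup was dropped for cost reasons would also help whoever rebases this patch.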
40
pkgs/forgejo/default.nix
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{ forgejo-lts }:
|
||||||
|
|
||||||
|
forgejo-lts.overrideAttrs (prev: {
|
||||||
|
patches = [
|
||||||
|
# Branch divergence calculations for a single branch may take 100-200ms on something as big
|
||||||
|
# as nixpkgs. The branch view defaults to 20 branches for each page, taking roughtly 3s to
|
||||||
|
# calculate each branch sequentially and render, while consuming a single core at 100%.
|
||||||
|
# The idea is to look into making this less expensive or async.
|
||||||
|
# But for now, to get this going, we will simply drop that metric.
|
||||||
|
./branch-view_remove-expensive-commit-divergence-metric.patch
|
||||||
|
|
||||||
|
# This is literally broken and eats resources for nothing of value.
|
||||||
|
# We should upstream this.
|
||||||
|
# The tl;dr is: It calculates the nearest branch for the requested commit at
|
||||||
|
# /:owner/:repo/commit/:commit to use it as the default cherry-pick target branch
|
||||||
|
# selection in a drop-down only users with commit perms can actually view and use.
|
||||||
|
# It's expensive to calculate and happens on every request to /commit/:commit.
|
||||||
|
# To add insult to injury, it's hardly of any use: The nearest branch of a commit
|
||||||
|
# will almost always be a branch that already carries the commit. The branch you
|
||||||
|
# most likely don't want to cherry-pick to.
|
||||||
|
./commit-view_fix-broken-and-expensive-cherry-pick-default-branch-selection.patch
|
||||||
|
|
||||||
|
# Disable various /:owner/:repo/activity/ sub-views. They are expensive, which is
|
||||||
|
# totally fine and expected. There is even proper caching in place.
|
||||||
|
# However, on a scale of nixpkgs, those calculations take ages, while, of course,
|
||||||
|
# pinning a single CPU core at 100%.
|
||||||
|
# For now, we will simply disable this feature.
|
||||||
|
# Due to the 501 status code it returns, the frontend prints a "Not implemented"
|
||||||
|
# error, saving us from patching the frontend while still providing a helpful
|
||||||
|
# user-facing error text.
|
||||||
|
# It should be noted that this particular status code has the downside of being
|
||||||
|
# in the 5xx range, meaning it will show up as such in our prometheus metrics.
|
||||||
|
./disable-expensive-repository-activity-stats.patch
|
||||||
|
|
||||||
|
# Migrations and pull-mirrors are something easily abused to bring a public instance to a complete halt.
|
||||||
|
# Both features can be disabled via repository.DISABLE_MIGRATIONS and mirror.ENABLE, but we want to keep
|
||||||
|
# this functionality for admins.
|
||||||
|
./limit-migrations-and-pull-mirrors-to-admins.patch
|
||||||
|
];
|
||||||
|
})
|
|
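Review bot: `patches = [ ... ]` inside `overrideAttrs (prev: { ... })` replaces whatever patch list `forgejo-lts` already carries, and `prev` is never used. Unless dropping the base package's patches is intended, write `patches = (prev.patches or [ ]) ++ [ ... ];` so fixes shipped with the base package, security ones included, still apply.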
@ -0,0 +1,34 @@
|
||||||
|
diff --git a/routers/web/web.go b/routers/web/web.go
|
||||||
|
index ee9694f41c..f55b8d6f62 100644
|
||||||
|
--- a/routers/web/web.go
|
||||||
|
+++ b/routers/web/web.go
|
||||||
|
@@ -57,6 +57,10 @@ import (
|
||||||
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
|
)
|
||||||
|
|
||||||
|
+func endpointNotImplemented(ctx *context.Context) {
|
||||||
|
+ ctx.JSON(http.StatusNotImplemented, "This endpoint has been removed due to performance issues with it and as such is not longer implemented.")
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
// optionsCorsHandler return a http handler which sets CORS options if enabled by config, it blocks non-CORS OPTIONS requests.
|
||||||
|
func optionsCorsHandler() func(next http.Handler) http.Handler {
|
||||||
|
var corsHandler func(next http.Handler) http.Handler
|
||||||
|
@@ -1425,15 +1429,15 @@ func registerRoutes(m *web.Route) {
|
||||||
|
m.Get("/{period}", repo.Activity)
|
||||||
|
m.Group("/contributors", func() {
|
||||||
|
m.Get("", repo.Contributors)
|
||||||
|
- m.Get("/data", repo.ContributorsData)
|
||||||
|
+ m.Get("/data", endpointNotImplemented)
|
||||||
|
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
|
||||||
|
m.Group("/code-frequency", func() {
|
||||||
|
m.Get("", repo.CodeFrequency)
|
||||||
|
- m.Get("/data", repo.CodeFrequencyData)
|
||||||
|
+ m.Get("/data", endpointNotImplemented)
|
||||||
|
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
|
||||||
|
m.Group("/recent-commits", func() {
|
||||||
|
m.Get("", repo.RecentCommits)
|
||||||
|
- m.Get("/data", repo.RecentCommitsData)
|
||||||
|
+ m.Get("/data", endpointNotImplemented)
|
||||||
|
}, repo.MustBeNotEmpty, context.RequireRepoReaderOr(unit.TypeCode))
|
||||||
|
}, context.RepoRef(), context.RequireRepoReaderOr(unit.TypeCode, unit.TypePullRequests, unit.TypeIssues, unit.TypeReleases))
|
||||||
|
|
|
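Review bot: The message in `endpointNotImplemented` reads "is not longer implemented"; it should be "is no longer implemented", and since the string is user-facing it is worth fixing in the patch. Note also that the three page routes (`repo.Contributors`, `repo.CodeFrequency`, `repo.RecentCommits`) stay registered, so every visit to those views still issues a `/data` request that returns 501; if that 5xx volume gets in the way of alerting, the handler name gives a convenient label to exclude.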
@ -0,0 +1,53 @@
|
||||||
|
diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go
|
||||||
|
index 2caaa130e8..455e89e93e 100644
|
||||||
|
--- a/routers/api/v1/repo/migrate.go
|
||||||
|
+++ b/routers/api/v1/repo/migrate.go
|
||||||
|
@@ -12,7 +12,6 @@ import (
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/models"
|
||||||
|
"code.gitea.io/gitea/models/db"
|
||||||
|
- "code.gitea.io/gitea/models/organization"
|
||||||
|
"code.gitea.io/gitea/models/perm"
|
||||||
|
access_model "code.gitea.io/gitea/models/perm/access"
|
||||||
|
repo_model "code.gitea.io/gitea/models/repo"
|
||||||
|
@@ -86,22 +85,7 @@ func Migrate(ctx *context.APIContext) {
|
||||||
|
}
|
||||||
|
|
||||||
|
if !ctx.Doer.IsAdmin {
|
||||||
|
- if !repoOwner.IsOrganization() && ctx.Doer.ID != repoOwner.ID {
|
||||||
|
- ctx.Error(http.StatusForbidden, "", "Given user is not an organization.")
|
||||||
|
- return
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if repoOwner.IsOrganization() {
|
||||||
|
- // Check ownership of organization.
|
||||||
|
- isOwner, err := organization.OrgFromUser(repoOwner).IsOwnedBy(ctx, ctx.Doer.ID)
|
||||||
|
- if err != nil {
|
||||||
|
- ctx.Error(http.StatusInternalServerError, "IsOwnedBy", err)
|
||||||
|
- return
|
||||||
|
- } else if !isOwner {
|
||||||
|
- ctx.Error(http.StatusForbidden, "", "Given user is not owner of organization.")
|
||||||
|
- return
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ ctx.Error(http.StatusForbidden, "", "You need to be administrator of this Forgejo instance to be able to create mirrors.")
|
||||||
|
}
|
||||||
|
|
||||||
|
remoteAddr, err := forms.ParseRemoteAddr(form.CloneAddr, form.AuthUsername, form.AuthPassword)
|
||||||
|
diff --git a/routers/web/repo/migrate.go b/routers/web/repo/migrate.go
|
||||||
|
index 97b0c425ea..554a470eab 100644
|
||||||
|
--- a/routers/web/repo/migrate.go
|
||||||
|
+++ b/routers/web/repo/migrate.go
|
||||||
|
@@ -150,6 +150,12 @@ func handleMigrateRemoteAddrError(ctx *context.Context, err error, tpl base.TplN
|
||||||
|
// MigratePost response for migrating from external git repository
|
||||||
|
func MigratePost(ctx *context.Context) {
|
||||||
|
form := web.GetForm(ctx).(*forms.MigrateRepoForm)
|
||||||
|
+
|
||||||
|
+ if !ctx.Doer.IsAdmin {
|
||||||
|
+ ctx.Error(http.StatusForbidden, "MigratePost: you need to be site administrator to use migrations and mirrors")
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if setting.Repository.DisableMigrations {
|
||||||
|
ctx.Error(http.StatusForbidden, "MigratePost: the site administrator has disabled migrations")
|
||||||
|
return
|
|
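Review bot: In `Migrate` (routers/api/v1/repo/migrate.go), the added `ctx.Error(http.StatusForbidden, ...)` inside `if !ctx.Doer.IsAdmin {` is not followed by `return`, unlike every branch it replaces, so after writing the 403 the handler falls through to `forms.ParseRemoteAddr` and the rest of the migration path. Add `return` after the `ctx.Error` call, as the `MigratePost` hunk in routers/web/repo/migrate.go already does. The API message also mentions only mirrors although this endpoint handles migrations as well.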
@ -1,37 +0,0 @@
|
||||||
From 084e4f92fb58f7cd85303ba602fb3c40133c8fcc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Luke Granger-Brown <git@lukegb.com>
|
|
||||||
Date: Thu, 2 Jul 2020 23:02:32 +0100
|
|
||||||
Subject: [PATCH 1/3] Syntax highlight nix
|
|
||||||
|
|
||||||
---
|
|
||||||
.../app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts | 1 +
|
|
||||||
resources/com/google/gerrit/server/mime/mime-types.properties | 1 +
|
|
||||||
2 files changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
|
||||||
index a9f88bdd81..385249f280 100644
|
|
||||||
--- a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
|
||||||
+++ b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
|
||||||
@@ -93,6 +93,7 @@ const LANGUAGE_MAP = new Map<string, string>([
|
|
||||||
['text/x-vhdl', 'vhdl'],
|
|
||||||
['text/x-yaml', 'yaml'],
|
|
||||||
['text/vbscript', 'vbscript'],
|
|
||||||
+ ['text/x-nix', 'nix'],
|
|
||||||
]);
|
|
||||||
|
|
||||||
const CLASS_PREFIX = 'gr-diff gr-syntax gr-syntax-';
|
|
||||||
diff --git a/resources/com/google/gerrit/server/mime/mime-types.properties b/resources/com/google/gerrit/server/mime/mime-types.properties
|
|
||||||
index 2f9561ba2e..739818ec05 100644
|
|
||||||
--- a/resources/com/google/gerrit/server/mime/mime-types.properties
|
|
||||||
+++ b/resources/com/google/gerrit/server/mime/mime-types.properties
|
|
||||||
@@ -149,6 +149,7 @@ mscin = text/x-mscgen
|
|
||||||
msgenny = text/x-msgenny
|
|
||||||
nb = text/x-mathematica
|
|
||||||
nginx.conf = text/x-nginx-conf
|
|
||||||
+nix = text/x-nix
|
|
||||||
nsh = text/x-nsis
|
|
||||||
nsi = text/x-nsis
|
|
||||||
nt = text/n-triples
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
|
@ -1,37 +0,0 @@
|
||||||
From aedf8ac8fa5113843bcd83ff85e2d9f3bffdb16c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Luke Granger-Brown <git@lukegb.com>
|
|
||||||
Date: Thu, 2 Jul 2020 23:02:43 +0100
|
|
||||||
Subject: [PATCH 2/3] Syntax highlight rules.pl
|
|
||||||
|
|
||||||
---
|
|
||||||
.../app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts | 1 +
|
|
||||||
resources/com/google/gerrit/server/mime/mime-types.properties | 1 +
|
|
||||||
2 files changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
|
||||||
index 385249f280..7cb3068494 100644
|
|
||||||
--- a/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
|
||||||
+++ b/polygerrit-ui/app/embed/diff/gr-syntax-layer/gr-syntax-layer-worker.ts
|
|
||||||
@@ -68,6 +68,7 @@ const LANGUAGE_MAP = new Map<string, string>([
|
|
||||||
['text/x-perl', 'perl'],
|
|
||||||
['text/x-pgsql', 'pgsql'], // postgresql
|
|
||||||
['text/x-php', 'php'],
|
|
||||||
+ ['text/x-prolog', 'prolog'],
|
|
||||||
['text/x-properties', 'properties'],
|
|
||||||
['text/x-protobuf', 'protobuf'],
|
|
||||||
['text/x-puppet', 'puppet'],
|
|
||||||
diff --git a/resources/com/google/gerrit/server/mime/mime-types.properties b/resources/com/google/gerrit/server/mime/mime-types.properties
|
|
||||||
index 739818ec05..58eb727bf9 100644
|
|
||||||
--- a/resources/com/google/gerrit/server/mime/mime-types.properties
|
|
||||||
+++ b/resources/com/google/gerrit/server/mime/mime-types.properties
|
|
||||||
@@ -200,6 +200,7 @@ rq = application/sparql-query
|
|
||||||
rs = text/x-rustsrc
|
|
||||||
rss = application/xml
|
|
||||||
rst = text/x-rst
|
|
||||||
+rules.pl = text/x-prolog
|
|
||||||
README.md = text/x-gfm
|
|
||||||
s = text/x-gas
|
|
||||||
sas = text/x-sas
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
|
@ -1,215 +0,0 @@
|
||||||
From f49c50ca9a84ca374b7bd91c171bbea0457f2c7a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Luke Granger-Brown <git@lukegb.com>
|
|
||||||
Date: Thu, 2 Jul 2020 23:03:02 +0100
|
|
||||||
Subject: [PATCH 3/3] Add titles to CLs over HTTP
|
|
||||||
|
|
||||||
---
|
|
||||||
.../gerrit/httpd/raw/IndexHtmlUtil.java | 13 +++-
|
|
||||||
.../google/gerrit/httpd/raw/IndexServlet.java | 8 ++-
|
|
||||||
.../google/gerrit/httpd/raw/StaticModule.java | 5 +-
|
|
||||||
.../gerrit/httpd/raw/TitleComputer.java | 67 +++++++++++++++++++
|
|
||||||
.../gerrit/httpd/raw/PolyGerritIndexHtml.soy | 4 +-
|
|
||||||
5 files changed, 89 insertions(+), 8 deletions(-)
|
|
||||||
create mode 100644 java/com/google/gerrit/httpd/raw/TitleComputer.java
|
|
||||||
|
|
||||||
diff --git a/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java b/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
|
|
||||||
index 72bfe40c3b..439bd73b44 100644
|
|
||||||
--- a/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
|
|
||||||
+++ b/java/com/google/gerrit/httpd/raw/IndexHtmlUtil.java
|
|
||||||
@@ -41,6 +41,7 @@ import java.util.Collections;
|
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.HashSet;
|
|
||||||
import java.util.Map;
|
|
||||||
+import java.util.Optional;
|
|
||||||
import java.util.Set;
|
|
||||||
import java.util.function.Function;
|
|
||||||
|
|
||||||
@@ -62,13 +63,14 @@ public class IndexHtmlUtil {
|
|
||||||
String faviconPath,
|
|
||||||
Map<String, String[]> urlParameterMap,
|
|
||||||
Function<String, SanitizedContent> urlInScriptTagOrdainer,
|
|
||||||
- String requestedURL)
|
|
||||||
+ String requestedURL,
|
|
||||||
+ TitleComputer titleComputer)
|
|
||||||
throws URISyntaxException, RestApiException {
|
|
||||||
ImmutableMap.Builder<String, Object> data = ImmutableMap.builder();
|
|
||||||
data.putAll(
|
|
||||||
staticTemplateData(
|
|
||||||
canonicalURL, cdnPath, faviconPath, urlParameterMap, urlInScriptTagOrdainer))
|
|
||||||
- .putAll(dynamicTemplateData(gerritApi, requestedURL));
|
|
||||||
+ .putAll(dynamicTemplateData(gerritApi, requestedURL, titleComputer));
|
|
||||||
Set<String> enabledExperiments = new HashSet<>();
|
|
||||||
enabledExperiments.addAll(experimentFeatures.getEnabledExperimentFeatures());
|
|
||||||
// Add all experiments enabled through url
|
|
||||||
@@ -81,7 +83,8 @@ public class IndexHtmlUtil {
|
|
||||||
|
|
||||||
/** Returns dynamic parameters of {@code index.html}. */
|
|
||||||
public static ImmutableMap<String, Object> dynamicTemplateData(
|
|
||||||
- GerritApi gerritApi, String requestedURL) throws RestApiException, URISyntaxException {
|
|
||||||
+ GerritApi gerritApi, String requestedURL, TitleComputer titleComputer)
|
|
||||||
+ throws RestApiException, URISyntaxException {
|
|
||||||
ImmutableMap.Builder<String, Object> data = ImmutableMap.builder();
|
|
||||||
Map<String, SanitizedContent> initialData = new HashMap<>();
|
|
||||||
Server serverApi = gerritApi.config().server();
|
|
||||||
@@ -129,6 +132,10 @@ public class IndexHtmlUtil {
|
|
||||||
}
|
|
||||||
|
|
||||||
data.put("gerritInitialData", initialData);
|
|
||||||
+
|
|
||||||
+ Optional<String> title = titleComputer.computeTitle(requestedURL);
|
|
||||||
+ title.ifPresent(s -> data.put("title", s));
|
|
||||||
+
|
|
||||||
return data.build();
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/java/com/google/gerrit/httpd/raw/IndexServlet.java b/java/com/google/gerrit/httpd/raw/IndexServlet.java
|
|
||||||
index fcb821e5ae..e1464b992b 100644
|
|
||||||
--- a/java/com/google/gerrit/httpd/raw/IndexServlet.java
|
|
||||||
+++ b/java/com/google/gerrit/httpd/raw/IndexServlet.java
|
|
||||||
@@ -48,13 +48,15 @@ public class IndexServlet extends HttpServlet {
|
|
||||||
private final ExperimentFeatures experimentFeatures;
|
|
||||||
private final SoySauce soySauce;
|
|
||||||
private final Function<String, SanitizedContent> urlOrdainer;
|
|
||||||
+ private TitleComputer titleComputer;
|
|
||||||
|
|
||||||
IndexServlet(
|
|
||||||
@Nullable String canonicalUrl,
|
|
||||||
@Nullable String cdnPath,
|
|
||||||
@Nullable String faviconPath,
|
|
||||||
GerritApi gerritApi,
|
|
||||||
- ExperimentFeatures experimentFeatures) {
|
|
||||||
+ ExperimentFeatures experimentFeatures,
|
|
||||||
+ TitleComputer titleComputer) {
|
|
||||||
this.canonicalUrl = canonicalUrl;
|
|
||||||
this.cdnPath = cdnPath;
|
|
||||||
this.faviconPath = faviconPath;
|
|
||||||
@@ -69,6 +71,7 @@ public class IndexServlet extends HttpServlet {
|
|
||||||
(s) ->
|
|
||||||
UnsafeSanitizedContentOrdainer.ordainAsSafe(
|
|
||||||
s, SanitizedContent.ContentKind.TRUSTED_RESOURCE_URI);
|
|
||||||
+ this.titleComputer = titleComputer;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
@@ -86,7 +89,8 @@ public class IndexServlet extends HttpServlet {
|
|
||||||
faviconPath,
|
|
||||||
parameterMap,
|
|
||||||
urlOrdainer,
|
|
||||||
- getRequestUrl(req));
|
|
||||||
+ getRequestUrl(req),
|
|
||||||
+ titleComputer);
|
|
||||||
renderer = soySauce.renderTemplate("com.google.gerrit.httpd.raw.Index").setData(templateData);
|
|
||||||
} catch (URISyntaxException | RestApiException e) {
|
|
||||||
throw new IOException(e);
|
|
||||||
diff --git a/java/com/google/gerrit/httpd/raw/StaticModule.java b/java/com/google/gerrit/httpd/raw/StaticModule.java
|
|
||||||
index 15dcf42e0e..9f56bf33ce 100644
|
|
||||||
--- a/java/com/google/gerrit/httpd/raw/StaticModule.java
|
|
||||||
+++ b/java/com/google/gerrit/httpd/raw/StaticModule.java
|
|
||||||
@@ -241,10 +241,11 @@ public class StaticModule extends ServletModule {
|
|
||||||
@CanonicalWebUrl @Nullable String canonicalUrl,
|
|
||||||
@GerritServerConfig Config cfg,
|
|
||||||
GerritApi gerritApi,
|
|
||||||
- ExperimentFeatures experimentFeatures) {
|
|
||||||
+ ExperimentFeatures experimentFeatures,
|
|
||||||
+ TitleComputer titleComputer) {
|
|
||||||
String cdnPath = options.devCdn().orElse(cfg.getString("gerrit", null, "cdnPath"));
|
|
||||||
String faviconPath = cfg.getString("gerrit", null, "faviconPath");
|
|
||||||
- return new IndexServlet(canonicalUrl, cdnPath, faviconPath, gerritApi, experimentFeatures);
|
|
||||||
+ return new IndexServlet(canonicalUrl, cdnPath, faviconPath, gerritApi, experimentFeatures, titleComputer);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Provides
|
|
||||||
diff --git a/java/com/google/gerrit/httpd/raw/TitleComputer.java b/java/com/google/gerrit/httpd/raw/TitleComputer.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..8fd2053ad0
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/java/com/google/gerrit/httpd/raw/TitleComputer.java
|
|
||||||
@@ -0,0 +1,67 @@
|
|
||||||
+package com.google.gerrit.httpd.raw;
|
|
||||||
+
|
|
||||||
+import com.google.common.flogger.FluentLogger;
|
|
||||||
+import com.google.gerrit.entities.Change;
|
|
||||||
+import com.google.gerrit.extensions.restapi.ResourceConflictException;
|
|
||||||
+import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
|
|
||||||
+import com.google.gerrit.server.change.ChangeResource;
|
|
||||||
+import com.google.gerrit.server.permissions.PermissionBackendException;
|
|
||||||
+import com.google.gerrit.server.restapi.change.ChangesCollection;
|
|
||||||
+import com.google.inject.Inject;
|
|
||||||
+import com.google.inject.Provider;
|
|
||||||
+import com.google.inject.Singleton;
|
|
||||||
+
|
|
||||||
+import java.net.MalformedURLException;
|
|
||||||
+import java.net.URL;
|
|
||||||
+import java.util.Optional;
|
|
||||||
+import java.util.regex.Matcher;
|
|
||||||
+import java.util.regex.Pattern;
|
|
||||||
+
|
|
||||||
+@Singleton
|
|
||||||
+public class TitleComputer {
|
|
||||||
+ private static final FluentLogger logger = FluentLogger.forEnclosingClass();
|
|
||||||
+
|
|
||||||
+ @Inject
|
|
||||||
+ public TitleComputer(Provider<ChangesCollection> changes) {
|
|
||||||
+ this.changes = changes;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public Optional<String> computeTitle(String requestedURI) {
|
|
||||||
+ URL url = null;
|
|
||||||
+ try {
|
|
||||||
+ url = new URL(requestedURI);
|
|
||||||
+ } catch (MalformedURLException e) {
|
|
||||||
+ logger.atWarning().log("Failed to turn %s into a URL.", requestedURI);
|
|
||||||
+ return Optional.empty();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Try to turn this into a change.
|
|
||||||
+ Optional<Change.Id> changeId = tryExtractChange(url.getPath());
|
|
||||||
+ if (changeId.isPresent()) {
|
|
||||||
+ return titleFromChangeId(changeId.get());
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return Optional.empty();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static final Pattern extractChangeIdRegex = Pattern.compile("^/(?:c/.*/\\+/)?(?<changeId>[0-9]+)(?:/[0-9]+)?(?:/.*)?$");
|
|
||||||
+ private final Provider<ChangesCollection> changes;
|
|
||||||
+
|
|
||||||
+ private Optional<Change.Id> tryExtractChange(String path) {
|
|
||||||
+ Matcher m = extractChangeIdRegex.matcher(path);
|
|
||||||
+ if (!m.matches()) {
|
|
||||||
+ return Optional.empty();
|
|
||||||
+ }
|
|
||||||
+ return Change.Id.tryParse(m.group("changeId"));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private Optional<String> titleFromChangeId(Change.Id changeId) {
|
|
||||||
+ ChangesCollection changesCollection = changes.get();
|
|
||||||
+ try {
|
|
||||||
+ ChangeResource changeResource = changesCollection.parse(changeId);
|
|
||||||
+ return Optional.of(changeResource.getChange().getSubject());
|
|
||||||
+ } catch (ResourceConflictException | ResourceNotFoundException | PermissionBackendException e) {
|
|
||||||
+ return Optional.empty();
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
|
|
||||||
index dbfef44dfe..347ee75aab 100644
|
|
||||||
--- a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
|
|
||||||
+++ b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
|
|
||||||
@@ -33,10 +33,12 @@
|
|
||||||
{@param? defaultDashboardHex: ?}
|
|
||||||
{@param? dashboardQuery: ?}
|
|
||||||
{@param? userIsAuthenticated: ?}
|
|
||||||
+ {@param? title: ?}
|
|
||||||
<!DOCTYPE html>{\n}
|
|
||||||
<html lang="en">{\n}
|
|
||||||
<meta charset="utf-8">{\n}
|
|
||||||
- <meta name="description" content="Gerrit Code Review">{\n}
|
|
||||||
+ {if $title}<title>{$title} · Gerrit Code Review</title>{\n}{/if}
|
|
||||||
+ <meta name="description" content="{if $title}{$title} · {/if}Gerrit Code Review">{\n}
|
|
||||||
<meta name="referrer" content="never">{\n}
|
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">{\n}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
|
@ -1,152 +0,0 @@
|
||||||
{ buildFHSUserEnv, writeShellScriptBin, buildBazelPackage, fetchgit, unzip }:
|
|
||||||
{ name ? "gerrit-${version}", version ? "3.9.1", src ? (fetchgit {
|
|
||||||
url = "https://gerrit.googlesource.com/gerrit";
|
|
||||||
rev = "620a819cbf3c64fff7a66798822775ad42c91d8e";
|
|
||||||
branchName = "v${version}";
|
|
||||||
sha256 = "sha256:1mdxbgnx3mpxand4wq96ic38bb4yh45q271h40jrk7dk23sgmz02";
|
|
||||||
fetchSubmodules = true;
|
|
||||||
}), bazelTargets ? [ "release" "api-skip-javadoc" ]
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
bazelRunScript = writeShellScriptBin "bazel-run" ''
|
|
||||||
yarn config set cache-folder "$bazelOut/external/yarn_cache"
|
|
||||||
export HOME="$bazelOut/external/home"
|
|
||||||
mkdir -p "$bazelOut/external/home"
|
|
||||||
exec /bin/bazel "$@"
|
|
||||||
'';
|
|
||||||
bazelTop = buildFHSUserEnv {
|
|
||||||
name = "bazel";
|
|
||||||
targetPkgs = pkgs: [
|
|
||||||
(pkgs.bazel_5.override { enableNixHacks = true; })
|
|
||||||
pkgs.jdk17_headless
|
|
||||||
pkgs.zlib
|
|
||||||
pkgs.python3
|
|
||||||
pkgs.curl
|
|
||||||
pkgs.nodejs
|
|
||||||
pkgs.yarn
|
|
||||||
pkgs.git
|
|
||||||
bazelRunScript
|
|
||||||
];
|
|
||||||
runScript = "/bin/bazel-run";
|
|
||||||
};
|
|
||||||
bazel = bazelTop // { override = x: bazelTop; };
|
|
||||||
in
|
|
||||||
buildBazelPackage {
|
|
||||||
inherit name version src;
|
|
||||||
|
|
||||||
patches = [
|
|
||||||
./0001-Syntax-highlight-nix.patch
|
|
||||||
./0002-Syntax-highlight-rules.pl.patch
|
|
||||||
./0003-Add-titles-to-CLs-over-HTTP.patch
|
|
||||||
];
|
|
||||||
|
|
||||||
inherit bazel bazelTargets;
|
|
||||||
|
|
||||||
bazelFlags = [
|
|
||||||
"--repository_cache="
|
|
||||||
"--disk_cache="
|
|
||||||
];
|
|
||||||
|
|
||||||
removeRulesCC = false;
|
|
||||||
fetchConfigured = true;
|
|
||||||
|
|
||||||
fetchAttrs = {
|
|
||||||
sha256 = "sha256-rsYQR6/RO5NM3/fnB3lEmbz876B59QWxWpE3M/Z4rK4=";
|
|
||||||
preBuild = ''
|
|
||||||
rm .bazelversion
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
runHook preInstall
|
|
||||||
|
|
||||||
# Remove all built in external workspaces, Bazel will recreate them when building
|
|
||||||
rm -rf $bazelOut/external/{bazel_tools,\@bazel_tools.marker}
|
|
||||||
rm -rf $bazelOut/external/{embedded_jdk,\@embedded_jdk.marker}
|
|
||||||
rm -rf $bazelOut/external/{local_config_cc,\@local_config_cc.marker}
|
|
||||||
rm -rf $bazelOut/external/{local_*,\@local_*.marker}
|
|
||||||
|
|
||||||
# Clear markers
|
|
||||||
find $bazelOut/external -name '@*\.marker' -exec sh -c 'echo > {}' \;
|
|
||||||
|
|
||||||
# Remove all vcs files
|
|
||||||
rm -rf $(find $bazelOut/external -type d -name .git)
|
|
||||||
rm -rf $(find $bazelOut/external -type d -name .svn)
|
|
||||||
rm -rf $(find $bazelOut/external -type d -name .hg)
|
|
||||||
|
|
||||||
# Removing top-level symlinks along with their markers.
|
|
||||||
# This is needed because they sometimes point to temporary paths (?).
|
|
||||||
# For example, in Tensorflow-gpu build:
|
|
||||||
#sha256:06bmzbcb9717s4b016kcbn8nr9pgaz04i8bnzg7ybkbdwpl8vxvv"; platforms -> NIX_BUILD_TOP/tmp/install/35282f5123611afa742331368e9ae529/_embedded_binaries/platforms
|
|
||||||
find $bazelOut/external -maxdepth 1 -type l | while read symlink; do
|
|
||||||
name="$(basename "$symlink")"
|
|
||||||
rm -rf "$symlink" "$bazelOut/external/@$name.marker"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Patching symlinks to remove build directory reference
|
|
||||||
find $bazelOut/external -type l | while read symlink; do
|
|
||||||
new_target="$(readlink "$symlink" | sed "s,$NIX_BUILD_TOP,NIX_BUILD_TOP,")"
|
|
||||||
rm "$symlink"
|
|
||||||
ln -sf "$new_target" "$symlink"
|
|
||||||
done
|
|
||||||
|
|
||||||
echo '${bazel.name}' > $bazelOut/external/.nix-bazel-version
|
|
||||||
|
|
||||||
# Gerrit fixups:
|
|
||||||
# Normalize permissions on .yarn-{tarball,metadata} files
|
|
||||||
test -d $bazelOut/external/yarn_cache && find $bazelOut/external/yarn_cache \( -name .yarn-tarball.tgz -or -name .yarn-metadata.json \) -exec chmod 644 {} +
|
|
||||||
|
|
||||||
mkdir $bazelOut/_bits/
|
|
||||||
find . -name node_modules -prune -print | while read d; do
|
|
||||||
echo "$d" "$(dirname $d)"
|
|
||||||
mkdir -p $bazelOut/_bits/$(dirname $d)
|
|
||||||
cp -R "$d" "$bazelOut/_bits/$(dirname $d)/node_modules"
|
|
||||||
done
|
|
||||||
|
|
||||||
(cd $bazelOut/ && tar czf $out --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner external/ _bits/)
|
|
||||||
|
|
||||||
runHook postInstall
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
buildAttrs = {
|
|
||||||
preConfigure = ''
|
|
||||||
rm .bazelversion
|
|
||||||
|
|
||||||
[ "$(ls -A $bazelOut/_bits)" ] && cp -R $bazelOut/_bits/* ./ || true
|
|
||||||
'';
|
|
||||||
postPatch = ''
|
|
||||||
# Disable all errorprone checks, since we might be using a different version.
|
|
||||||
sed -i \
|
|
||||||
-e '/-Xep:/d' \
|
|
||||||
-e '/-XepExcludedPaths:/a "-XepDisableAllChecks",' \
|
|
||||||
tools/BUILD
|
|
||||||
'';
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p "$out"/webapps/ "$out"/share/api/
|
|
||||||
cp bazel-bin/release.war "$out"/webapps/gerrit-${version}.war
|
|
||||||
unzip bazel-bin/api-skip-javadoc.zip -d "$out"/share/api
|
|
||||||
'';
|
|
||||||
|
|
||||||
nativeBuildInputs = [
|
|
||||||
unzip
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
passthru = {
|
|
||||||
# A list of plugins that are part of the gerrit.war file.
|
|
||||||
# Use `java -jar gerrit.war ls | grep -Po '(?<=plugins/)[^.]+' | sed -e 's,^,",' -e 's,$,",' | sort` to generate that list.
|
|
||||||
plugins = [
|
|
||||||
"codemirror-editor"
|
|
||||||
"commit-message-length-validator"
|
|
||||||
"delete-project"
|
|
||||||
"download-commands"
|
|
||||||
"gitiles"
|
|
||||||
"hooks"
|
|
||||||
"plugin-manager"
|
|
||||||
"replication"
|
|
||||||
"reviewnotes"
|
|
||||||
"singleusergroup"
|
|
||||||
"webhooks"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,97 +0,0 @@
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"archive/zip"
|
|
||||||
"flag"
|
|
||||||
"fmt"
|
|
||||||
"io"
|
|
||||||
"log"
|
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
"sort"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
exclude = flag.String("exclude", "", "comma-separated list of filenames to exclude (in any directory)")
|
|
||||||
)
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
flag.Usage = func() {
|
|
||||||
fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s [zip file] [directory]:\n", os.Args[0])
|
|
||||||
flag.PrintDefaults()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func listToMap(ss []string) map[string]bool {
|
|
||||||
m := make(map[string]bool)
|
|
||||||
for _, s := range ss {
|
|
||||||
m[s] = true
|
|
||||||
}
|
|
||||||
return m
|
|
||||||
}
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
flag.Parse()
|
|
||||||
if flag.NArg() != 2 {
|
|
||||||
flag.Usage()
|
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
|
|
||||||
outPath := flag.Arg(0)
|
|
||||||
dirPath := flag.Arg(1)
|
|
||||||
|
|
||||||
excludeFiles := listToMap(strings.Split(*exclude, ","))
|
|
||||||
|
|
||||||
// Aggregate all files first.
|
|
||||||
var files []string
|
|
||||||
filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if info.IsDir() {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
if excludeFiles[info.Name()] {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
files = append(files, path)
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
|
|
||||||
// Create zip
|
|
||||||
outW, err := os.Create(outPath)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Create(%q): %v", outPath, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
zipW := zip.NewWriter(outW)
|
|
||||||
|
|
||||||
// Output files in alphabetical order
|
|
||||||
sort.Strings(files)
|
|
||||||
for _, f := range files {
|
|
||||||
fw, err := zipW.CreateHeader(&zip.FileHeader{
|
|
||||||
Name: f,
|
|
||||||
Method: zip.Store,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("creating %q in zip: %v", f, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
ff, err := os.Open(f)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("opening %q: %v", f, err)
|
|
||||||
}
|
|
||||||
if _, err := io.Copy(fw, ff); err != nil {
|
|
||||||
log.Fatalf("copying %q to zip: %v", f, err)
|
|
||||||
}
|
|
||||||
ff.Close()
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := zipW.Close(); err != nil {
|
|
||||||
log.Fatalf("writing ZIP central directory: %v", err)
|
|
||||||
}
|
|
||||||
if err := outW.Close(); err != nil {
|
|
||||||
log.Fatalf("closing ZIP file: %v", err)
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,36 +0,0 @@
|
||||||
{ buildGerrit, gerrit, runCommandLocal, lib }:
|
|
||||||
{ name
|
|
||||||
, src
|
|
||||||
, depsOutputHash
|
|
||||||
, overlayPluginCmd ? ''
|
|
||||||
cp -R "${src}" "$out/plugins/${name}"
|
|
||||||
''
|
|
||||||
, postPatch ? ""
|
|
||||||
, patches ? [ ]
|
|
||||||
}: (buildGerrit {
|
|
||||||
name = "${name}.jar";
|
|
||||||
|
|
||||||
src = runCommandLocal "${name}-src" { } ''
|
|
||||||
cp -R "${gerrit.src}" "$out"
|
|
||||||
chmod +w "$out/plugins"
|
|
||||||
${overlayPluginCmd}
|
|
||||||
'';
|
|
||||||
|
|
||||||
bazelTargets = [ "//plugins/${name}" ];
|
|
||||||
}).overrideAttrs (super: {
|
|
||||||
deps = super.deps.overrideAttrs (superDeps: {
|
|
||||||
outputHash = depsOutputHash;
|
|
||||||
});
|
|
||||||
installPhase = ''
|
|
||||||
cp "bazel-bin/plugins/${name}/${name}.jar" "$out"
|
|
||||||
'';
|
|
||||||
postPatch = ''
|
|
||||||
${super.postPatch or ""}
|
|
||||||
pushd "plugins/${name}"
|
|
||||||
${lib.concatMapStringsSep "\n" (patch: ''
|
|
||||||
patch -p1 < ${patch}
|
|
||||||
'') patches}
|
|
||||||
popd
|
|
||||||
${postPatch}
|
|
||||||
'';
|
|
||||||
})
|
|
|
@ -1,14 +0,0 @@
|
||||||
{ fetchgit, buildGerritBazelPlugin, lib }:
|
|
||||||
|
|
||||||
buildGerritBazelPlugin {
|
|
||||||
name = "code-owners";
|
|
||||||
depsOutputHash = "sha256-Ee2n7R/vi91drR+dNYB0QnGiiqcmz9/pynHhV9yDxdE=";
|
|
||||||
src = fetchgit {
|
|
||||||
url = "https://gerrit.googlesource.com/plugins/code-owners";
|
|
||||||
rev = "e654ae5bda2085bce9a99942bec440e004a114f3";
|
|
||||||
sha256 = "sha256:14d3x3iqskgw16pvyaa0swh252agj84p9pzlf24l8lgx9d7y4biz";
|
|
||||||
};
|
|
||||||
patches = [
|
|
||||||
./using-usernames.patch
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,472 +0,0 @@
|
||||||
commit 29ace6c38ac513f7ec56ca425230d5712c081043
|
|
||||||
Author: Luke Granger-Brown <git@lukegb.com>
|
|
||||||
Date: Wed Sep 21 03:15:38 2022 +0100
|
|
||||||
|
|
||||||
Add support for usernames and groups
|
|
||||||
|
|
||||||
Change-Id: I3ba8527f66216d08e555a6ac4451fe0d1e090de5
|
|
||||||
|
|
||||||
diff --git a/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java b/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
|
|
||||||
index 70009591..6dc596c9 100644
|
|
||||||
--- a/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
|
|
||||||
+++ b/java/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolver.java
|
|
||||||
@@ -17,6 +17,8 @@ package com.google.gerrit.plugins.codeowners.backend;
|
|
||||||
import static com.google.common.base.Preconditions.checkState;
|
|
||||||
import static com.google.common.collect.ImmutableMap.toImmutableMap;
|
|
||||||
import static com.google.common.collect.ImmutableSet.toImmutableSet;
|
|
||||||
+import static com.google.common.collect.ImmutableSetMultimap.flatteningToImmutableSetMultimap;
|
|
||||||
+import static com.google.common.collect.ImmutableSetMultimap.toImmutableSetMultimap;
|
|
||||||
import static com.google.gerrit.plugins.codeowners.backend.CodeOwnersInternalServerErrorException.newInternalServerError;
|
|
||||||
import static java.util.Objects.requireNonNull;
|
|
||||||
|
|
||||||
@@ -25,6 +27,7 @@ import com.google.common.collect.ImmutableList;
|
|
||||||
import com.google.common.collect.ImmutableMap;
|
|
||||||
import com.google.common.collect.ImmutableMultimap;
|
|
||||||
import com.google.common.collect.ImmutableSet;
|
|
||||||
+import com.google.common.collect.ImmutableSetMultimap;
|
|
||||||
import com.google.common.collect.Iterables;
|
|
||||||
import com.google.common.collect.Streams;
|
|
||||||
import com.google.common.flogger.FluentLogger;
|
|
||||||
@@ -33,17 +36,24 @@ import com.google.gerrit.entities.Project;
|
|
||||||
import com.google.gerrit.metrics.Timer0;
|
|
||||||
import com.google.gerrit.plugins.codeowners.backend.config.CodeOwnersPluginConfiguration;
|
|
||||||
import com.google.gerrit.plugins.codeowners.metrics.CodeOwnerMetrics;
|
|
||||||
+import com.google.gerrit.server.AnonymousUser;
|
|
||||||
import com.google.gerrit.server.CurrentUser;
|
|
||||||
import com.google.gerrit.server.IdentifiedUser;
|
|
||||||
import com.google.gerrit.server.account.AccountCache;
|
|
||||||
import com.google.gerrit.server.account.AccountControl;
|
|
||||||
import com.google.gerrit.server.account.AccountState;
|
|
||||||
+import com.google.gerrit.server.account.GroupBackend;
|
|
||||||
+import com.google.gerrit.server.account.GroupBackends;
|
|
||||||
+import com.google.gerrit.server.account.InternalGroupBackend;
|
|
||||||
import com.google.gerrit.server.account.externalids.ExternalId;
|
|
||||||
import com.google.gerrit.server.account.externalids.ExternalIdCache;
|
|
||||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
|
||||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
|
||||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
|
||||||
+import com.google.gerrit.server.util.RequestContext;
|
|
||||||
+import com.google.gerrit.server.util.ThreadLocalRequestContext;
|
|
||||||
import com.google.inject.Inject;
|
|
||||||
+import com.google.inject.OutOfScopeException;
|
|
||||||
import com.google.inject.Provider;
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.nio.file.Path;
|
|
||||||
@@ -102,6 +112,8 @@ public class CodeOwnerResolver {
|
|
||||||
|
|
||||||
@VisibleForTesting public static final String ALL_USERS_WILDCARD = "*";
|
|
||||||
|
|
||||||
+ public static final String GROUP_PREFIX = "group:";
|
|
||||||
+
|
|
||||||
private final CodeOwnersPluginConfiguration codeOwnersPluginConfiguration;
|
|
||||||
private final PermissionBackend permissionBackend;
|
|
||||||
private final Provider<CurrentUser> currentUser;
|
|
||||||
@@ -112,6 +124,8 @@ public class CodeOwnerResolver {
|
|
||||||
private final CodeOwnerMetrics codeOwnerMetrics;
|
|
||||||
private final UnresolvedImportFormatter unresolvedImportFormatter;
|
|
||||||
private final TransientCodeOwnerCache transientCodeOwnerCache;
|
|
||||||
+ private final InternalGroupBackend groupBackend;
|
|
||||||
+ private final ThreadLocalRequestContext context;
|
|
||||||
|
|
||||||
// Enforce visibility by default.
|
|
||||||
private boolean enforceVisibility = true;
|
|
||||||
@@ -132,7 +146,9 @@ public class CodeOwnerResolver {
|
|
||||||
PathCodeOwners.Factory pathCodeOwnersFactory,
|
|
||||||
CodeOwnerMetrics codeOwnerMetrics,
|
|
||||||
UnresolvedImportFormatter unresolvedImportFormatter,
|
|
||||||
- TransientCodeOwnerCache transientCodeOwnerCache) {
|
|
||||||
+ TransientCodeOwnerCache transientCodeOwnerCache,
|
|
||||||
+ InternalGroupBackend groupBackend,
|
|
||||||
+ ThreadLocalRequestContext context) {
|
|
||||||
this.codeOwnersPluginConfiguration = codeOwnersPluginConfiguration;
|
|
||||||
this.permissionBackend = permissionBackend;
|
|
||||||
this.currentUser = currentUser;
|
|
||||||
@@ -143,6 +159,8 @@ public class CodeOwnerResolver {
|
|
||||||
this.codeOwnerMetrics = codeOwnerMetrics;
|
|
||||||
this.unresolvedImportFormatter = unresolvedImportFormatter;
|
|
||||||
this.transientCodeOwnerCache = transientCodeOwnerCache;
|
|
||||||
+ this.groupBackend = groupBackend;
|
|
||||||
+ this.context = context;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -361,6 +379,12 @@ public class CodeOwnerResolver {
|
|
||||||
"cannot resolve code owner email %s: no account with this email exists",
|
|
||||||
CodeOwnerResolver.ALL_USERS_WILDCARD));
|
|
||||||
}
|
|
||||||
+ if (codeOwnerReference.email().startsWith(GROUP_PREFIX)) {
|
|
||||||
+ return OptionalResultWithMessages.createEmpty(
|
|
||||||
+ String.format(
|
|
||||||
+ "cannot resolve code owner email %s: this is a group",
|
|
||||||
+ codeOwnerReference.email()));
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ImmutableList.Builder<String> messageBuilder = ImmutableList.builder();
|
|
||||||
AtomicBoolean ownedByAllUsers = new AtomicBoolean(false);
|
|
||||||
@@ -405,9 +429,53 @@ public class CodeOwnerResolver {
|
|
||||||
ImmutableMultimap<CodeOwnerReference, CodeOwnerAnnotation> annotations) {
|
|
||||||
requireNonNull(codeOwnerReferences, "codeOwnerReferences");
|
|
||||||
|
|
||||||
+ ImmutableSet<String> groupsToResolve =
|
|
||||||
+ codeOwnerReferences.stream()
|
|
||||||
+ .map(CodeOwnerReference::email)
|
|
||||||
+ .filter(ref -> ref.startsWith(GROUP_PREFIX))
|
|
||||||
+ .map(ref -> ref.substring(GROUP_PREFIX.length()))
|
|
||||||
+ .collect(toImmutableSet());
|
|
||||||
+
|
|
||||||
+ // When we call GroupBackends.findExactSuggestion we need to ensure that we
|
|
||||||
+ // have a user in context. This is because the suggestion backend is
|
|
||||||
+ // likely to want to try to check that we can actually see the group it's
|
|
||||||
+ // returning (which we also check for explicitly, because I have trust
|
|
||||||
+ // issues).
|
|
||||||
+ RequestContext oldCtx = context.getContext();
|
|
||||||
+ // Check if we have a user in the context at all...
|
|
||||||
+ try {
|
|
||||||
+ oldCtx.getUser();
|
|
||||||
+ } catch (OutOfScopeException | NullPointerException e) {
|
|
||||||
+ // Nope.
|
|
||||||
+ RequestContext newCtx = () -> {
|
|
||||||
+ return new AnonymousUser();
|
|
||||||
+ };
|
|
||||||
+ context.setContext(newCtx);
|
|
||||||
+ }
|
|
||||||
+ ImmutableSetMultimap<String, CodeOwner> resolvedGroups = null;
|
|
||||||
+ try {
|
|
||||||
+ resolvedGroups =
|
|
||||||
+ groupsToResolve.stream()
|
|
||||||
+ .map(groupName -> GroupBackends.findExactSuggestion(groupBackend, groupName))
|
|
||||||
+ .filter(groupRef -> groupRef != null)
|
|
||||||
+ .filter(groupRef -> groupBackend.isVisibleToAll(groupRef.getUUID()))
|
|
||||||
+ .map(groupRef -> groupBackend.get(groupRef.getUUID()))
|
|
||||||
+ .collect(flatteningToImmutableSetMultimap(
|
|
||||||
+ groupRef -> GROUP_PREFIX + groupRef.getName(),
|
|
||||||
+ groupRef -> accountCache
|
|
||||||
+ .get(ImmutableSet.copyOf(groupRef.getMembers()))
|
|
||||||
+ .values().stream()
|
|
||||||
+ .map(accountState -> CodeOwner.create(accountState.account().id()))));
|
|
||||||
+ } finally {
|
|
||||||
+ context.setContext(oldCtx);
|
|
||||||
+ }
|
|
||||||
+ ImmutableSetMultimap<CodeOwner, String> usersToGroups =
|
|
||||||
+ resolvedGroups.inverse();
|
|
||||||
+
|
|
||||||
ImmutableSet<String> emailsToResolve =
|
|
||||||
codeOwnerReferences.stream()
|
|
||||||
.map(CodeOwnerReference::email)
|
|
||||||
+ .filter(ref -> !ref.startsWith(GROUP_PREFIX))
|
|
||||||
.filter(filterOutAllUsersWildCard(ownedByAllUsers))
|
|
||||||
.collect(toImmutableSet());
|
|
||||||
|
|
||||||
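Review bot: in the new group-expansion block, members go straight from `accountCache.get(...)` to `CodeOwner.create(accountState.account().id())`, and the only check applied is `groupBackend.isVisibleToAll(...)` on the group itself. Nothing visible in this hunk applies per-account visibility or active-account filtering to those members, although the class declares "Enforce visibility by default". Suggest passing group members through the same filter as resolved emails, or documenting why group membership is exempt. Separately, `oldCtx.getUser()` is called without a null check and NullPointerException is caught as control flow; an explicit `oldCtx == null` test would be clearer and would not mask an unrelated NPE thrown from getUser().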
@@ -442,7 +510,8 @@ public class CodeOwnerResolver {
|
|
||||||
ImmutableMap<String, CodeOwner> codeOwnersByEmail =
|
|
||||||
accountsByEmail.map(mapToCodeOwner()).collect(toImmutableMap(Pair::key, Pair::value));
|
|
||||||
|
|
||||||
- if (codeOwnersByEmail.keySet().size() < emailsToResolve.size()) {
|
|
||||||
+ if (codeOwnersByEmail.keySet().size() < emailsToResolve.size() ||
|
|
||||||
+ resolvedGroups.keySet().size() < groupsToResolve.size()) {
|
|
||||||
hasUnresolvedCodeOwners.set(true);
|
|
||||||
}
|
|
||||||
|
|
||||||
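Review bot: the added condition `resolvedGroups.keySet().size() < groupsToResolve.size()` reports an existing, visible group with no members as unresolved, because a key whose value stream is empty never appears in the multimap built with flatteningToImmutableSetMultimap. Suggest recording which group names resolved to a group separately from the expanded member multimap and comparing groupsToResolve against that set, so that "group not found or not visible" and "group is empty" are not conflated.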
@@ -456,7 +525,9 @@ public class CodeOwnerResolver {
|
|
||||||
cachedCodeOwnersByEmail.entrySet().stream()
|
|
||||||
.filter(e -> e.getValue().isPresent())
|
|
||||||
.map(e -> Pair.of(e.getKey(), e.getValue().get()));
|
|
||||||
- Streams.concat(newlyResolvedCodeOwnersStream, cachedCodeOwnersStream)
|
|
||||||
+ Stream<Pair<String, CodeOwner>> resolvedGroupsCodeOwnersStream =
|
|
||||||
+ resolvedGroups.entries().stream().map(e -> Pair.of(e.getKey(), e.getValue()));
|
|
||||||
+ Streams.concat(Streams.concat(newlyResolvedCodeOwnersStream, cachedCodeOwnersStream), resolvedGroupsCodeOwnersStream)
|
|
||||||
.forEach(
|
|
||||||
p -> {
|
|
||||||
ImmutableSet.Builder<CodeOwnerAnnotation> annotationBuilder = ImmutableSet.builder();
|
|
||||||
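Review bot: style point on the `Streams.concat(Streams.concat(...), resolvedGroupsCodeOwnersStream)` line: Guava's Streams.concat is varargs, so all three streams can be passed to one call. Also note that pairs coming from resolvedGroups are keyed by `group:<name>` rather than by an email, so anything in the following forEach that treats `p.key()` as an email should be checked against that.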
@@ -467,6 +538,12 @@ public class CodeOwnerResolver {
|
|
||||||
annotationBuilder.addAll(
|
|
||||||
annotations.get(CodeOwnerReference.create(ALL_USERS_WILDCARD)));
|
|
||||||
|
|
||||||
+ // annotations for the groups this user is in apply as well
|
|
||||||
+ for (String group : usersToGroups.get(p.value())) {
|
|
||||||
+ annotationBuilder.addAll(
|
|
||||||
+ annotations.get(CodeOwnerReference.create(group)));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!codeOwnersWithAnnotations.containsKey(p.value())) {
|
|
||||||
codeOwnersWithAnnotations.put(p.value(), new HashSet<>());
|
|
||||||
}
|
|
||||||
@@ -570,7 +647,7 @@ public class CodeOwnerResolver {
|
|
||||||
}
|
|
||||||
|
|
||||||
messages.add(String.format("email %s has no domain", email));
|
|
||||||
- return false;
|
|
||||||
+ return true; // TVL: we allow domain-less strings which are treated as usernames.
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
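Review bot: `return true` here makes every string without a domain pass the allowed-domain check, so a configured domain allowlist no longer constrains domain-less owner references, while the message added on the line above still reads "email %s has no domain" as if it were a rejection. Suggest handling usernames before this check is reached so the allowlist logic stays unchanged, and emitting a message that states the reference was accepted as a username.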
@@ -585,11 +662,29 @@ public class CodeOwnerResolver {
|
|
||||||
*/
|
|
||||||
private ImmutableMap<String, Collection<ExternalId>> lookupExternalIds(
|
|
||||||
ImmutableList.Builder<String> messages, ImmutableSet<String> emails) {
|
|
||||||
+ String[] actualEmails = emails.stream()
|
|
||||||
+ .filter(email -> email.contains("@"))
|
|
||||||
+ .toArray(String[]::new);
|
|
||||||
+ ImmutableSet<String> usernames = emails.stream()
|
|
||||||
+ .filter(email -> !email.contains("@"))
|
|
||||||
+ .collect(ImmutableSet.toImmutableSet());
|
|
||||||
try {
|
|
||||||
- ImmutableMap<String, Collection<ExternalId>> extIdsByEmail =
|
|
||||||
- externalIdCache.byEmails(emails.toArray(new String[0])).asMap();
|
|
||||||
+ ImmutableMap<String, Collection<ExternalId>> extIds =
|
|
||||||
+ new ImmutableMap.Builder<String, Collection<ExternalId>>()
|
|
||||||
+ .putAll(externalIdCache.byEmails(actualEmails).asMap())
|
|
||||||
+ .putAll(externalIdCache.allByAccount().entries().stream()
|
|
||||||
+ .map(entry -> entry.getValue())
|
|
||||||
+ .filter(externalId ->
|
|
||||||
+ externalId.key().scheme() != null &&
|
|
||||||
+ externalId.key().isScheme(ExternalId.SCHEME_USERNAME) &&
|
|
||||||
+ usernames.contains(externalId.key().id()))
|
|
||||||
+ .collect(toImmutableSetMultimap(
|
|
||||||
+ externalId -> externalId.key().id(),
|
|
||||||
+ externalId -> externalId))
|
|
||||||
+ .asMap())
|
|
||||||
+ .build();
|
|
||||||
emails.stream()
|
|
||||||
- .filter(email -> !extIdsByEmail.containsKey(email))
|
|
||||||
+ .filter(email -> !extIds.containsKey(email))
|
|
||||||
.forEach(
|
|
||||||
email -> {
|
|
||||||
transientCodeOwnerCache.cacheNonResolvable(email);
|
|
||||||
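Review bot: the username lookup in lookupExternalIds walks `externalIdCache.allByAccount().entries()` and filters in memory, so every call is linear in the number of external IDs on the server, whereas the email path uses `byEmails(actualEmails)`. Suggest skipping the scan when `usernames` is empty and, if the cache offers a lookup by external ID key, using that instead of the full scan. The unresolved message in the following lines also still says "no account with this email exists" when the reference was a username.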
@@ -598,7 +693,7 @@ public class CodeOwnerResolver {
|
|
||||||
"cannot resolve code owner email %s: no account with this email exists",
|
|
||||||
email));
|
|
||||||
});
|
|
||||||
- return extIdsByEmail;
|
|
||||||
+ return extIds;
|
|
||||||
} catch (IOException e) {
|
|
||||||
throw newInternalServerError(
|
|
||||||
String.format("cannot resolve code owner emails: %s", emails), e);
|
|
||||||
@@ -815,6 +910,15 @@ public class CodeOwnerResolver {
|
|
||||||
user != null ? user.getLoggableName() : currentUser.get().getLoggableName()));
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
+ if (!email.contains("@")) {
|
|
||||||
+ // the email is the username of the account, or a group, or something else.
|
|
||||||
+ messages.add(
|
|
||||||
+ String.format(
|
|
||||||
+ "account %s is visible to user %s",
|
|
||||||
+ accountState.account().id(),
|
|
||||||
+ user != null ? user.getLoggableName() : currentUser.get().getLoggableName()));
|
|
||||||
+ return true;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (user != null) {
|
|
||||||
if (user.hasEmailAddress(email)) {
|
|
||||||
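Review bot: the new `if (!email.contains("@"))` branch returns true and records "account %s is visible to user %s" without performing any visibility check, so for a username reference the account is reported as visible to whichever user is calling. Suggest running the same account-visibility check that the remaining branches of this method lead to instead of short-circuiting. If usernames are deliberately treated as public on this instance, say so in the comment and change the message so the debug output does not claim a check was made.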
diff --git a/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java b/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
|
|
||||||
index 5f350998..7977ba55 100644
|
|
||||||
--- a/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
|
|
||||||
+++ b/java/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParser.java
|
|
||||||
@@ -149,7 +149,8 @@ public class FindOwnersCodeOwnerConfigParser implements CodeOwnerConfigParser {
|
|
||||||
private static final String EOL = "[\\s]*(#.*)?$"; // end-of-line
|
|
||||||
private static final String GLOB = "[^\\s,=]+"; // a file glob
|
|
||||||
|
|
||||||
- private static final String EMAIL_OR_STAR = "([^\\s<>@,]+@[^\\s<>@#,]+|\\*)";
|
|
||||||
+ // Also allows usernames, and group:$GROUP_NAME.
|
|
||||||
+ private static final String EMAIL_OR_STAR = "([^\\s<>@,]+@[^\\s<>@#,]+?|\\*|[a-zA-Z0-9_\\-]+|group:[a-zA-Z0-9_\\-]+)";
|
|
||||||
private static final String EMAIL_LIST =
|
|
||||||
"(" + EMAIL_OR_STAR + "(" + COMMA + EMAIL_OR_STAR + ")*)";
|
|
||||||
|
|
||||||
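Review bot: the group alternative `group:[a-zA-Z0-9_\\-]+` only matches names made of letters, digits, `_` and `-`, so a group whose name contains a space or a dot cannot be referenced from an owners file, and the comment above does not mention that restriction. Suggest documenting the allowed character set next to EMAIL_OR_STAR, or widening it deliberately. The domain part of the email alternative also changed from `+` to the lazy `+?` without explanation; a short comment on why that is needed would help the next reader.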
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
|
|
||||||
index 7ec92959..59cf7e05 100644
|
|
||||||
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
|
|
||||||
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/AbstractFileBasedCodeOwnerBackendTest.java
|
|
||||||
@@ -424,7 +424,7 @@ public abstract class AbstractFileBasedCodeOwnerBackendTest extends AbstractCode
|
|
||||||
.commit()
|
|
||||||
.parent(head)
|
|
||||||
.message("Add invalid test code owner config")
|
|
||||||
- .add(JgitPath.of(codeOwnerConfigKey.filePath(getFileName())).get(), "INVALID"));
|
|
||||||
+ .add(JgitPath.of(codeOwnerConfigKey.filePath(getFileName())).get(), "INVALID!"));
|
|
||||||
}
|
|
||||||
|
|
||||||
// Try to update the code owner config.
|
|
||||||
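Review bot: having to change this fixture from "INVALID" to "INVALID!" shows that any bare word is now a syntactically valid owner line, so a typo or stray token in an owners file parses as a username instead of being rejected when the config is uploaded. Suggest adding a parser test that states this behaviour explicitly, and consider having validation flag bare words that do not resolve to an account.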
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
|
|
||||||
index 6171aca9..37699012 100644
|
|
||||||
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
|
|
||||||
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/CodeOwnerResolverTest.java
|
|
||||||
@@ -24,8 +24,10 @@ import com.google.gerrit.acceptance.TestAccount;
|
|
||||||
import com.google.gerrit.acceptance.TestMetricMaker;
|
|
||||||
import com.google.gerrit.acceptance.config.GerritConfig;
|
|
||||||
import com.google.gerrit.acceptance.testsuite.account.AccountOperations;
|
|
||||||
+import com.google.gerrit.acceptance.testsuite.group.GroupOperations;
|
|
||||||
import com.google.gerrit.acceptance.testsuite.request.RequestScopeOperations;
|
|
||||||
import com.google.gerrit.entities.Account;
|
|
||||||
+import com.google.gerrit.entities.AccountGroup;
|
|
||||||
import com.google.gerrit.plugins.codeowners.acceptance.AbstractCodeOwnersTest;
|
|
||||||
import com.google.gerrit.server.ServerInitiated;
|
|
||||||
import com.google.gerrit.server.account.AccountsUpdate;
|
|
||||||
@@ -51,6 +53,7 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
|
||||||
@Inject private RequestScopeOperations requestScopeOperations;
|
|
||||||
@Inject @ServerInitiated private Provider<AccountsUpdate> accountsUpdate;
|
|
||||||
@Inject private AccountOperations accountOperations;
|
|
||||||
+ @Inject private GroupOperations groupOperations;
|
|
||||||
@Inject private ExternalIdNotes.Factory externalIdNotesFactory;
|
|
||||||
@Inject private TestMetricMaker testMetricMaker;
|
|
||||||
@Inject private ExternalIdFactory externalIdFactory;
|
|
||||||
@@ -112,6 +115,18 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
|
||||||
.contains(String.format("account %s is visible to user %s", admin.id(), admin.username()));
|
|
||||||
}
|
|
||||||
|
|
||||||
+ @Test
|
|
||||||
+ public void resolveCodeOwnerReferenceForUsername() throws Exception {
|
|
||||||
+ OptionalResultWithMessages<CodeOwner> result =
|
|
||||||
+ codeOwnerResolverProvider
|
|
||||||
+ .get()
|
|
||||||
+ .resolveWithMessages(CodeOwnerReference.create(admin.username()));
|
|
||||||
+ assertThat(result.get()).hasAccountIdThat().isEqualTo(admin.id());
|
|
||||||
+ assertThat(result)
|
|
||||||
+ .hasMessagesThat()
|
|
||||||
+ .contains(String.format("account %s is visible to user %s", admin.id(), admin.username()));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
@Test
|
|
||||||
public void cannotResolveCodeOwnerReferenceForStarAsEmail() throws Exception {
|
|
||||||
OptionalResultWithMessages<CodeOwner> result =
|
|
||||||
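Review bot: resolveCodeOwnerReferenceForUsername only resolves `admin.username()` and asserts visibility to that same admin, which passes whether or not any visibility check runs for usernames. Suggest adding a case where the caller is a different user who cannot see the account, and a case with a username that does not exist, so the expected behaviour of the domain-less path is fixed by tests.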
@@ -127,6 +142,18 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
|
||||||
CodeOwnerResolver.ALL_USERS_WILDCARD));
|
|
||||||
}
|
|
||||||
|
|
||||||
+ @Test
|
|
||||||
+ public void cannotResolveCodeOwnerReferenceForGroup() throws Exception {
|
|
||||||
+ OptionalResultWithMessages<CodeOwner> result =
|
|
||||||
+ codeOwnerResolverProvider
|
|
||||||
+ .get()
|
|
||||||
+ .resolveWithMessages(CodeOwnerReference.create("group:Administrators"));
|
|
||||||
+ assertThat(result).isEmpty();
|
|
||||||
+ assertThat(result)
|
|
||||||
+ .hasMessagesThat()
|
|
||||||
+ .contains("cannot resolve code owner email group:Administrators: this is a group");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
@Test
|
|
||||||
public void resolveCodeOwnerReferenceForAmbiguousEmailIfOtherAccountIsInactive()
|
|
||||||
throws Exception {
|
|
||||||
@@ -397,6 +424,64 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
|
||||||
assertThat(result.hasUnresolvedCodeOwners()).isFalse();
|
|
||||||
}
|
|
||||||
|
|
||||||
+ @Test
|
|
||||||
+ public void resolvePathCodeOwnersWhenNonVisibleGroupIsUsed() throws Exception {
|
|
||||||
+ CodeOwnerConfig codeOwnerConfig =
|
|
||||||
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
|
|
||||||
+ .addCodeOwnerSet(
|
|
||||||
+ CodeOwnerSet.createWithoutPathExpressions("group:Administrators"))
|
|
||||||
+ .build();
|
|
||||||
+
|
|
||||||
+ CodeOwnerResolverResult result =
|
|
||||||
+ codeOwnerResolverProvider
|
|
||||||
+ .get()
|
|
||||||
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
|
|
||||||
+ assertThat(result.codeOwnersAccountIds()).isEmpty();
|
|
||||||
+ assertThat(result.ownedByAllUsers()).isFalse();
|
|
||||||
+ assertThat(result.hasUnresolvedCodeOwners()).isTrue();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test
|
|
||||||
+ public void resolvePathCodeOwnersWhenVisibleGroupIsUsed() throws Exception {
|
|
||||||
+ AccountGroup.UUID createdGroupUUID = groupOperations
|
|
||||||
+ .newGroup()
|
|
||||||
+ .name("VisibleGroup")
|
|
||||||
+ .visibleToAll(true)
|
|
||||||
+ .addMember(admin.id())
|
|
||||||
+ .create();
|
|
||||||
+
|
|
||||||
+ CodeOwnerConfig codeOwnerConfig =
|
|
||||||
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
|
|
||||||
+ .addCodeOwnerSet(
|
|
||||||
+ CodeOwnerSet.createWithoutPathExpressions("group:VisibleGroup"))
|
|
||||||
+ .build();
|
|
||||||
+
|
|
||||||
+ CodeOwnerResolverResult result =
|
|
||||||
+ codeOwnerResolverProvider
|
|
||||||
+ .get()
|
|
||||||
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
|
|
||||||
+ assertThat(result.codeOwnersAccountIds()).containsExactly(admin.id());
|
|
||||||
+ assertThat(result.ownedByAllUsers()).isFalse();
|
|
||||||
+ assertThat(result.hasUnresolvedCodeOwners()).isFalse();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test
|
|
||||||
+ public void resolvePathCodeOwnersWhenUsernameIsUsed() throws Exception {
|
|
||||||
+ CodeOwnerConfig codeOwnerConfig =
|
|
||||||
+ CodeOwnerConfig.builder(CodeOwnerConfig.Key.create(project, "master", "/"), TEST_REVISION)
|
|
||||||
+ .addCodeOwnerSet(
|
|
||||||
+ CodeOwnerSet.createWithoutPathExpressions(admin.username()))
|
|
||||||
+ .build();
|
|
||||||
+
|
|
||||||
+ CodeOwnerResolverResult result =
|
|
||||||
+ codeOwnerResolverProvider
|
|
||||||
+ .get()
|
|
||||||
+ .resolvePathCodeOwners(codeOwnerConfig, Paths.get("/README.md"));
|
|
||||||
+ assertThat(result.codeOwnersAccountIds()).containsExactly(admin.id());
|
|
||||||
+ assertThat(result.ownedByAllUsers()).isFalse();
|
|
||||||
+ assertThat(result.hasUnresolvedCodeOwners()).isFalse();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
@Test
|
|
||||||
public void resolvePathCodeOwnersNonResolvableCodeOwnersAreFilteredOut() throws Exception {
|
|
||||||
CodeOwnerConfig codeOwnerConfig =
|
|
||||||
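Review bot: The group cases in this hunk leave the visibility boundary under-specified. resolvePathCodeOwnersWhenVisibleGroupIsUsed creates its group with `.visibleToAll(true)` and one direct member, while the case before it relies on `group:Administrators` to produce `hasUnresolvedCodeOwners()` true. Add a case that builds a group through groupOperations with `.visibleToAll(false)` and a member, and assert that `codeOwnersAccountIds()` stays empty, so the result is pinned to group visibility rather than to one particular group and membership of a hidden group cannot leak through owner resolution unnoticed.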
@@ -655,7 +740,7 @@ public class CodeOwnerResolverTest extends AbstractCodeOwnersTest {
|
|
||||||
"domain example.com of email foo@example.org@example.com is allowed");
|
|
||||||
assertIsEmailDomainAllowed(
|
|
||||||
"foo@example.org", false, "domain example.org of email foo@example.org is not allowed");
|
|
||||||
- assertIsEmailDomainAllowed("foo", false, "email foo has no domain");
|
|
||||||
+ assertIsEmailDomainAllowed("foo", true, "email foo has no domain");
|
|
||||||
assertIsEmailDomainAllowed(
|
|
||||||
"foo@example.com@example.org",
|
|
||||||
false,
|
|
||||||
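Review bot: The changed assertion `assertIsEmailDomainAllowed("foo", true, "email foo has no domain")` turns the allowed-email-domain check from fail-closed to fail-open for any identifier without a domain. If this is what lets usernames through, say so in a comment and update the expected reason string, which still reads like a rejection. A further case showing that a domainless string matching no username ends up unresolved, rather than being treated as an allowed owner, would make the intended boundary explicit.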
diff --git a/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java b/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
|
|
||||||
index 260e635e..7aab99d0 100644
|
|
||||||
--- a/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
|
|
||||||
+++ b/javatests/com/google/gerrit/plugins/codeowners/backend/findowners/FindOwnersCodeOwnerConfigParserTest.java
|
|
||||||
@@ -158,16 +158,42 @@ public class FindOwnersCodeOwnerConfigParserTest extends AbstractCodeOwnerConfig
|
|
||||||
codeOwnerConfigParser.parse(
|
|
||||||
TEST_REVISION,
|
|
||||||
CodeOwnerConfig.Key.create(project, "master", "/"),
|
|
||||||
- getCodeOwnerConfig(EMAIL_1, "INVALID", "NOT_AN_EMAIL", EMAIL_2)));
|
|
||||||
+ getCodeOwnerConfig(EMAIL_1, "INVALID!", "NOT!AN_EMAIL", EMAIL_2)));
|
|
||||||
assertThat(exception.getFullMessage(FindOwnersBackend.CODE_OWNER_CONFIG_FILE_NAME))
|
|
||||||
.isEqualTo(
|
|
||||||
String.format(
|
|
||||||
"invalid code owner config file '/OWNERS' (project = %s, branch = master):\n"
|
|
||||||
- + " invalid line: INVALID\n"
|
|
||||||
- + " invalid line: NOT_AN_EMAIL",
|
|
||||||
+ + " invalid line: INVALID!\n"
|
|
||||||
+ + " invalid line: NOT!AN_EMAIL",
|
|
||||||
project));
|
|
||||||
}
|
|
||||||
|
|
||||||
+ @Test
|
|
||||||
+ public void codeOwnerConfigWithUsernames() throws Exception {
|
|
||||||
+ assertParseAndFormat(
|
|
||||||
+ getCodeOwnerConfig(EMAIL_1, "USERNAME", EMAIL_2),
|
|
||||||
+ codeOwnerConfig ->
|
|
||||||
+ assertThat(codeOwnerConfig)
|
|
||||||
+ .hasCodeOwnerSetsThat()
|
|
||||||
+ .onlyElement()
|
|
||||||
+ .hasCodeOwnersEmailsThat()
|
|
||||||
+ .containsExactly(EMAIL_1, "USERNAME", EMAIL_2),
|
|
||||||
+ getCodeOwnerConfig(EMAIL_1, "USERNAME", EMAIL_2));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test
|
|
||||||
+ public void codeOwnerConfigWithGroups() throws Exception {
|
|
||||||
+ assertParseAndFormat(
|
|
||||||
+ getCodeOwnerConfig(EMAIL_1, "group:tvl-employees", EMAIL_2),
|
|
||||||
+ codeOwnerConfig ->
|
|
||||||
+ assertThat(codeOwnerConfig)
|
|
||||||
+ .hasCodeOwnerSetsThat()
|
|
||||||
+ .onlyElement()
|
|
||||||
+ .hasCodeOwnersEmailsThat()
|
|
||||||
+ .containsExactly(EMAIL_1, "group:tvl-employees", EMAIL_2),
|
|
||||||
+ getCodeOwnerConfig(EMAIL_1, "group:tvl-employees", EMAIL_2));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
@Test
|
|
||||||
public void codeOwnerConfigWithComment() throws Exception {
|
|
||||||
assertParseAndFormat(
|
|
|
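Review bot: Changing the invalid lines to `INVALID!` and `NOT!AN_EMAIL` shows that a bare word is now a valid OWNERS entry, so a mistyped email (the old `NOT_AN_EMAIL` case) no longer fails parsing and will only surface later as an unresolved owner. Add cases that document where the new grammar stops, for example `group:` with an empty name. Also note that codeOwnerConfigWithUsernames and codeOwnerConfigWithGroups still assert through `hasCodeOwnersEmailsThat()`, so usernames and group references are stored in the email field; a comment or a renamed accessor would make that intentional.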
@ -1,16 +0,0 @@
|
||||||
{ buildGerritBazelPlugin, fetchgit }:
|
|
||||||
|
|
||||||
buildGerritBazelPlugin rec {
|
|
||||||
name = "oauth";
|
|
||||||
depsOutputHash = "sha256-4/+E0BwkA+rYYCy7y3G9xF86DJj+CFzPZUNXC5HN5wc=";
|
|
||||||
src = fetchgit {
|
|
||||||
url = "https://gerrit.googlesource.com/plugins/oauth";
|
|
||||||
rev = "b27cf3ea820eec2ddd22d217fc839261692ccdb0";
|
|
||||||
sha256 = "1m654ibgzprrhcl0wpzqrmq8drpgx6rzlw0ha16l1fi2zv5idkk2";
|
|
||||||
};
|
|
||||||
overlayPluginCmd = ''
|
|
||||||
chmod +w "$out" "$out/plugins/external_plugin_deps.bzl"
|
|
||||||
cp -R "${src}" "$out/plugins/${name}"
|
|
||||||
cp "${src}/external_plugin_deps.bzl" "$out/plugins/external_plugin_deps.bzl"
|
|
||||||
'';
|
|
||||||
}
|
|
70
secrets.nix
|
@ -1,24 +1,76 @@
|
||||||
let
|
let
|
||||||
keys = import common/ssh-keys.nix;
|
keys = import common/ssh-keys.nix;
|
||||||
|
|
||||||
commonKeys = keys.users.delroth;
|
commonKeys = {
|
||||||
|
# WARNING: `keys.users.*` are *lists*, so you need concatenate them, don't put them into lists!
|
||||||
|
# Otherwise, agenix will be confused!
|
||||||
|
global = keys.users.raito;
|
||||||
|
lix = keys.users.hexchen ++ keys.users.jade;
|
||||||
|
floral = keys.users.delroth;
|
||||||
|
};
|
||||||
|
|
||||||
secrets = with keys; {
|
secrets = with keys; {
|
||||||
hydra-s3-credentials = [ machines.bagel-box ];
|
floral = {
|
||||||
hydra-ssh-key-priv = [ machines.bagel-box ];
|
hydra-postgres-key = [ machines.build-coord ];
|
||||||
|
hydra-s3-credentials = [ machines.build-coord ];
|
||||||
|
hydra-signing-priv = [ machines.build-coord ];
|
||||||
|
hydra-ssh-key-priv = [ machines.build-coord ];
|
||||||
|
|
||||||
netbox-environment = [ machines.meta01 ];
|
netbox-environment = [ machines.meta01 ];
|
||||||
mimir-environment = [ machines.meta01 ];
|
mimir-environment = [ machines.meta01 ];
|
||||||
|
mimir-webhook-url = [ machines.meta01 ];
|
||||||
grafana-oauth-secret = [ machines.meta01 ];
|
grafana-oauth-secret = [ machines.meta01 ];
|
||||||
loki-environment = [ machines.meta01 ];
|
loki-environment = [ machines.meta01 ];
|
||||||
|
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
|
||||||
|
pyroscope-secrets = [ machines.meta01 ];
|
||||||
|
tempo-environment = [ machines.meta01 ];
|
||||||
|
|
||||||
|
buildbot-worker-password = [ machines.buildbot ];
|
||||||
|
buildbot-oauth-secret = [ machines.buildbot ];
|
||||||
|
buildbot-workers = [ machines.buildbot ];
|
||||||
|
# Private SSH key to Gerrit
|
||||||
|
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
||||||
|
buildbot-service-key = [ machines.buildbot ];
|
||||||
|
# Signing key for Buildbot's specific cache
|
||||||
|
buildbot-signing-key = [ machines.buildbot ];
|
||||||
|
buildbot-remote-builder-key = [ machines.buildbot ];
|
||||||
|
|
||||||
# These are the same password, but nginx wants it in htpasswd format
|
# These are the same password, but nginx wants it in htpasswd format
|
||||||
loki-htpasswd = [ machines.meta01 ];
|
metrics-push-htpasswd = [ machines.meta01 ];
|
||||||
promtail-password = builtins.attrValues machines;
|
# Yes, even Lix machines are included in this monitoring infrastructure.
|
||||||
|
metrics-push-password = builtins.attrValues machines;
|
||||||
|
|
||||||
|
ows-deploy-key = [ machines.gerrit01 ];
|
||||||
|
s3-channel-staging-keys = [ machines.gerrit01 ];
|
||||||
|
s3-channel-keys = [ machines.gerrit01 ];
|
||||||
|
|
||||||
|
postgres-ca-priv = [ machines.bagel-box ];
|
||||||
|
postgres-tls-priv = [ machines.bagel-box ];
|
||||||
|
|
||||||
|
newsletter-secrets = [ machines.public01 ];
|
||||||
|
s3-revproxy-api-keys = [ machines.public01 ];
|
||||||
|
stateless-uptime-kuma-password = [ machines.public01 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
lix = {
|
||||||
|
buildbot-worker-password = [ machines.buildbot-lix ];
|
||||||
|
buildbot-oauth-secret = [ machines.buildbot-lix ];
|
||||||
|
buildbot-workers = [ machines.buildbot-lix ];
|
||||||
|
# Private SSH key to Gerrit
|
||||||
|
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
||||||
|
buildbot-service-key = [ machines.buildbot-lix ];
|
||||||
|
# Signing key for Buildbot's specific cache
|
||||||
|
buildbot-signing-key = [ machines.buildbot-lix ];
|
||||||
|
buildbot-remote-builder-key = [ machines.buildbot-lix ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
mkSecretListFor = tenant:
|
||||||
|
map (secretName: {
|
||||||
|
name = "secrets/${tenant}/${secretName}.age";
|
||||||
|
value.publicKeys = secrets.${tenant}."${secretName}" ++ commonKeys.global ++ commonKeys.${tenant};
|
||||||
|
}) (builtins.attrNames secrets.${tenant});
|
||||||
in
|
in
|
||||||
builtins.listToAttrs (
|
builtins.listToAttrs (
|
||||||
map (secretName: {
|
(mkSecretListFor "floral") ++ (mkSecretListFor "lix")
|
||||||
name = "secrets/${secretName}.age";
|
|
||||||
value.publicKeys = secrets."${secretName}" ++ commonKeys;
|
|
||||||
}) (builtins.attrNames secrets)
|
|
||||||
)
|
)
|
||||||
|
|
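Review bot: Under both tenants the comment above buildbot-service-key quotes the same ssh-ed25519 public key. Either the lix comment was copied without being updated, or both Buildbot instances hold one Gerrit SSH identity, in which case the per-tenant recipient split done by mkSecretListFor does not isolate that credential; please confirm, and give each tenant its own key if it is shared. Separately, `postgres-ca-priv` and `postgres-tls-priv` are both readable by machines.bagel-box, so a compromise of that host yields the CA key as well as the server key; consider encrypting the CA key to the admin keys only if the host does not need to sign at runtime.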
20
secrets/floral/buildbot-oauth-secret.age
Normal file
BIN
secrets/floral/buildbot-remote-builder-key.age
Normal file
Binary file not shown.
BIN
secrets/floral/buildbot-service-key.age
Normal file
Binary file not shown.
BIN
secrets/floral/buildbot-signing-key.age
Normal file
Binary file not shown.
20
secrets/floral/buildbot-worker-password.age
Normal file
BIN
secrets/floral/buildbot-workers.age
Normal file
Binary file not shown.
BIN
secrets/floral/gerrit-prometheus-bearer-token.age
Normal file
Binary file not shown.
20
secrets/floral/grafana-oauth-secret.age
Normal file
BIN
secrets/floral/hydra-postgres-key.age
Normal file
Binary file not shown.
20
secrets/floral/hydra-s3-credentials.age
Normal file
20
secrets/floral/hydra-signing-priv.age
Normal file
22
secrets/floral/hydra-ssh-key-priv.age
Normal file
20
secrets/floral/loki-environment.age
Normal file
BIN
secrets/floral/metrics-push-htpasswd.age
Normal file
Binary file not shown.
68
secrets/floral/metrics-push-password.age
Normal file
BIN
secrets/floral/mimir-environment.age
Normal file
Binary file not shown.
20
secrets/floral/mimir-webhook-url.age
Normal file
BIN
secrets/floral/netbox-environment.age
Normal file
Binary file not shown.
21
secrets/floral/newsletter-secrets.age
Normal file
BIN
secrets/floral/ows-deploy-key.age
Normal file
Binary file not shown.
BIN
secrets/floral/postgres-ca-priv.age
Normal file
Binary file not shown.
BIN
secrets/floral/postgres-tls-priv.age
Normal file
Binary file not shown.
BIN
secrets/floral/pyroscope-secrets.age
Normal file
Binary file not shown.
BIN
secrets/floral/s3-channel-keys.age
Normal file
Binary file not shown.
BIN
secrets/floral/s3-channel-staging-keys.age
Normal file
Binary file not shown.
BIN
secrets/floral/s3-revproxy-api-keys.age
Normal file
Binary file not shown.
20
secrets/floral/stateless-uptime-kuma-password.age
Normal file
20
secrets/floral/tempo-environment.age
Normal file
|
@ -1,7 +0,0 @@
Binary file not shown.
Binary file not shown.
7
secrets/lix/buildbot-oauth-secret.age
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 Ao+7Wg q7oRHUUlAvD8OUbpPT7d6eLMPWU0YS/verYTDE5BCkY
|
||||||
|
/87/1uqOvRYeqel9IjnFmGyF9SXUQD8MTgfcj91b/Fs
|
||||||
|
--- ulIeB91NJ7z/64h9BCLSD9/RW/zwv3m1Zo2ovNuInv8
|
||||||
|
Îœç}³Óš#épÇ o>ä·*vµ÷ÄåŽs?[¦º´L
|
||||||
|
<EFBFBD>þz™rý‰?R±Ñó7<Ê
|
||||||
|
æi!€{X„¾òÓ
|
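Review bot: This file carries a single recipient stanza (`-> ssh-ed25519 Ao+7Wg`), and secrets/lix/buildbot-signing-key.age further down is the same, although mkSecretListFor in secrets.nix appends commonKeys.global and commonKeys.lix to the recipients of every lix secret. As committed, the admin keys cannot decrypt or rotate these two secrets; rekey them against the current secrets.nix (agenix --rekey) before merging.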
BIN
secrets/lix/buildbot-remote-builder-key.age
Normal file
Binary file not shown.
BIN
secrets/lix/buildbot-service-key.age
Normal file
Binary file not shown.
6
secrets/lix/buildbot-signing-key.age
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 Ao+7Wg EMpfs0EpWwaIKAoUBfEkyAHLIwi6JnGG6RvUWM5LjnU
|
||||||
|
LKiwUBNc791U/GVRNlRPZE/TEMJjcFFrLruFJhiyiOI
|
||||||
|
--- 0khp8u+4vHgGyQqP05m473Eo09eyOUZLI5+EK4olzoc
|
||||||
|
N3(
|
||||||
|
ª•ûxRq°<71>f<EFBFBD>Ó;ͼ3¬~RˆÓC^ñ+fœš1”®˜xˆ÷ÅëñSØ—hâ
£ÖË°GˆÓn–YIûµ:7¾!°u×Hþy/‰Øð‰™.¯¤á^¹lC™ôUÈËþ5cž:]ÿNž&'MÎè¶É-˜–ÆHF¦D0‘ cjô ‹Ð~
|
Some files were not shown because too many files have changed in this diff.