cef88ec598
...
464a726664
464a726664 |
6 changed files with 3 additions and 197 deletions
|
@ -1,7 +1,7 @@
|
||||||
let
|
let
|
||||||
keys = import ./ssh-keys.nix;
|
keys = import ./ssh-keys.nix;
|
||||||
in {
|
in {
|
||||||
users.users.root.openssh.authorizedKeys.keys =
|
users.users.root.openssh.authorizedKeys.keys =
|
||||||
keys.users.delroth ++
|
keys.users.delroth ++
|
||||||
keys.users.emilylange ++
|
keys.users.emilylange ++
|
||||||
keys.users.hexchen ++
|
keys.users.hexchen ++
|
||||||
|
@ -12,6 +12,5 @@ in {
|
||||||
keys.users.maxine ++
|
keys.users.maxine ++
|
||||||
keys.users.raito ++
|
keys.users.raito ++
|
||||||
keys.users.thubrecht ++
|
keys.users.thubrecht ++
|
||||||
keys.users.yuka ++
|
keys.users.yuka;
|
||||||
keys.users.winter;
|
|
||||||
}
|
}
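Review bot: Removing `keys.users.winter` from `users.users.root.openssh.authorizedKeys.keys` only revokes that root key on a host once the host's configuration is actually redeployed, and this same commit shows netboot machines whose `deployment.targetHost` is `invalid.example.com` and that are "only updated by applying wob-vpn-gw and rebooting" — until that reboot the removed key still authorizes root login there. If this is an access revocation rather than a cleanup, the deploy-and-reboot step should be recorded in the commit message and the key confirmed absent from any other consumer of `keys.users.*` outside this file (not visible here). The `let … in { … }` expression this list belongs to starts in the earlier hunk above.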
|
||||||
|
|
|
@ -51,6 +51,5 @@
|
||||||
];
|
];
|
||||||
thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
|
thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
|
||||||
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKath4/fDnlv/4fzxkPrQN1ttmoPRNu/m9bEtdPJBDfY cardno:16_933_242" ];
|
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKath4/fDnlv/4fzxkPrQN1ttmoPRNu/m9bEtdPJBDfY cardno:16_933_242" ];
|
||||||
winter = [ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@ in
|
||||||
|
|
||||||
# machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting
|
# machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting
|
||||||
deployment.targetHost = "invalid.example.com";
|
deployment.targetHost = "invalid.example.com";
|
||||||
# fixes initrd eval assertion error, and allows `colmena build` to succeed
|
# fixes initrd eval warning, and allows `colmena build` to succed
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
device = "none";
|
device = "none";
|
||||||
fsType = "tmpfs";
|
fsType = "tmpfs";
|
||||||
|
|
|
@ -41,7 +41,6 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
./www.nix
|
./www.nix
|
||||||
./one-way-sync.nix
|
./one-way-sync.nix
|
||||||
./git-gc-preserve.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
@ -319,13 +318,6 @@ in
|
||||||
environment.REVWALK_USE_PRIORITY_QUEUE = "true";
|
environment.REVWALK_USE_PRIORITY_QUEUE = "true";
|
||||||
};
|
};
|
||||||
|
|
||||||
bagel.services.git-gc-preserve = {
|
|
||||||
nixpkgs = {
|
|
||||||
enable = true;
|
|
||||||
repoPath = "/var/lib/gerrit/git/nixpkgs.git";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/gerrit-prometheus-bearer-token.age;
|
age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/gerrit-prometheus-bearer-token.age;
|
||||||
bagel.monitoring.grafana-agent.exporters.gerrit = {
|
bagel.monitoring.grafana-agent.exporters.gerrit = {
|
||||||
port = 4778; # grrt
|
port = 4778; # grrt
|
||||||
|
|
|
@ -1,86 +0,0 @@
|
||||||
{ lib, utils, config, pkgs, ... }: let
|
|
||||||
inherit (lib) mkOption mkEnableOption types;
|
|
||||||
cfg = config.bagel.services.git-gc-preserve;
|
|
||||||
enabledServices = lib.filterAttrs (_: gcConfig: gcConfig.enable) cfg;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.bagel.services.git-gc-preserve = mkOption {
|
|
||||||
default = { };
|
|
||||||
description = "Repositories that should be garbage collected";
|
|
||||||
type = types.attrsOf (types.submodule {
|
|
||||||
options = {
|
|
||||||
enable = mkEnableOption "git-gc-preserve";
|
|
||||||
user = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "git";
|
|
||||||
description = "The user which will run the garbage collection script";
|
|
||||||
example = "forgejo";
|
|
||||||
};
|
|
||||||
group = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "git";
|
|
||||||
description = "The group which will run the garbage collection script";
|
|
||||||
example = "forgejo";
|
|
||||||
};
|
|
||||||
repoPath = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
description = "The path to the git repository that should be garbage collected";
|
|
||||||
example = "/var/lib/gerrit/git/nixpkgs";
|
|
||||||
};
|
|
||||||
timeoutSec = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "1h";
|
|
||||||
description = "Garbage collection Systemd unit timeout";
|
|
||||||
example = "infinity";
|
|
||||||
};
|
|
||||||
timerConfig = mkOption {
|
|
||||||
type = types.attrsOf utils.systemdUtils.unitOptions.unitOption;
|
|
||||||
default = {
|
|
||||||
OnCalendar = "daily";
|
|
||||||
};
|
|
||||||
description = ''
|
|
||||||
When to run the git-gc-preserve. See {manpage}`systemd.timer(5)` for details.
|
|
||||||
'';
|
|
||||||
example = {
|
|
||||||
OnCalendar = "00:05";
|
|
||||||
RandomizedDelaySec = "5h";
|
|
||||||
Persistent = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
config = {
|
|
||||||
systemd.services =
|
|
||||||
let
|
|
||||||
mkGCService = name: gcConfig: {
|
|
||||||
name = "git-gc-preserve-${name}";
|
|
||||||
value = {
|
|
||||||
description = "Git-GC-Preserve Service - ${name}";
|
|
||||||
serviceConfig = {
|
|
||||||
WorkingDirectory = gcConfig.repoPath;
|
|
||||||
Type = "oneshot";
|
|
||||||
User = gcConfig.user;
|
|
||||||
Group = gcConfig.group;
|
|
||||||
ExecStart = lib.getExe pkgs.git-gc-preserve;
|
|
||||||
TimeoutSec = gcConfig.timeoutSec;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mkServices = lib.mapAttrs' mkGCService;
|
|
||||||
in
|
|
||||||
mkServices enabledServices;
|
|
||||||
|
|
||||||
systemd.timers = let
|
|
||||||
mkGCTimer = name: gcConfig: {
|
|
||||||
name = "git-gc-preserve-${name}";
|
|
||||||
value = {
|
|
||||||
wantedBy = [ "timers.target" ];
|
|
||||||
after = [ "multi-user.target" ];
|
|
||||||
timerConfig = gcConfig.timerConfig;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mkTimer = lib.mapAttrs' mkGCTimer;
|
|
||||||
in mkTimer enabledServices;
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -45,103 +45,5 @@ in
|
||||||
resource.dnsimple_zone.vzfdfp_de = {
|
resource.dnsimple_zone.vzfdfp_de = {
|
||||||
name = "vzfdfp.de";
|
name = "vzfdfp.de";
|
||||||
};
|
};
|
||||||
|
|
||||||
resource.dnsimple_zone_record = let
|
|
||||||
# https://registry.terraform.io/providers/dnsimple/dnsimple/latest/docs/resources/zone_record
|
|
||||||
canonicalName = zoneName: record: let
|
|
||||||
# TODO: make less fragile and have actual unique and stable names
|
|
||||||
normalize = builtins.replaceStrings ["." "@"] ["_" "_root_"];
|
|
||||||
zone = normalize zoneName;
|
|
||||||
name = normalize record.name;
|
|
||||||
in "${zone}_${record.type}_${name}";
|
|
||||||
|
|
||||||
record = name: ttl: type: value: {
|
|
||||||
inherit name ttl type value;
|
|
||||||
};
|
|
||||||
|
|
||||||
proxyRecords = name: ttl: type: value: [
|
|
||||||
# kurisu.lahfa.xyz running a sniproxy:
|
|
||||||
(record name ttl "A" "163.172.69.160")
|
|
||||||
(record name ttl type value)
|
|
||||||
];
|
|
||||||
|
|
||||||
# Creates a extra *.p record pointing to the sniproxy
|
|
||||||
dualProxyRecords = name: ttl: type: value: lib.flatten [
|
|
||||||
(record name ttl type value)
|
|
||||||
(proxyRecords "${name}.p" ttl type value)
|
|
||||||
];
|
|
||||||
|
|
||||||
domain = zoneName: records:
|
|
||||||
builtins.listToAttrs (map (record: {
|
|
||||||
name = canonicalName zoneName record;
|
|
||||||
value = record // {
|
|
||||||
zone_name = zoneName;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
) (lib.flatten records));
|
|
||||||
zones = domains: lib.zipAttrs (lib.mapAttrsToList (zoneName: records: domain zoneName records) domains);
|
|
||||||
in zones {
|
|
||||||
"forkos.org" = ([
|
|
||||||
# (record "@" 300 "A" "163.172.69.160")
|
|
||||||
(record "@" 300 "AAAA" "2001:bc8:38ee:100:1000::20")
|
|
||||||
|
|
||||||
(dualProxyRecords "bagel-box.infra" 300 "AAAA" "2001:bc8:38ee:100:100::1")
|
|
||||||
(dualProxyRecords "gerrit01.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::10")
|
|
||||||
(dualProxyRecords "meta01.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::20")
|
|
||||||
(dualProxyRecords "fodwatch.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::30")
|
|
||||||
# git.infra.forkos.org exposes opensshd
|
|
||||||
(dualProxyRecords "git.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::41")
|
|
||||||
# git.p.forkos.org exposes forgejo ssh server.
|
|
||||||
(proxyRecords "git.p" 300 "AAAA" "2001:bc8:38ee:100:1000::40")
|
|
||||||
(dualProxyRecords "buildbot.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::50")
|
|
||||||
(dualProxyRecords "public01.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::60")
|
|
||||||
|
|
||||||
(record "cl" 300 "CNAME" "gerrit01.infra.p.forkos.org")
|
|
||||||
(record "fodwatch" 300 "CNAME" "fodwatch.infra.p.forkos.org")
|
|
||||||
# git.p.forkos.org is the proxy variant of the Forgejo server.
|
|
||||||
(record "git" 300 "CNAME" "git.p.forkos.org")
|
|
||||||
(record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "amqp" 300 "CNAME" "bagel-box.infra.p.forkos.org")
|
|
||||||
(record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
|
|
||||||
(record "loki" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "mimir" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "pyroscope" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "tempo" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "matrix" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "alerts" 300 "CNAME" "meta01.infra.p.forkos.org")
|
|
||||||
(record "buildbot" 300 "CNAME" "buildbot.infra.p.forkos.org")
|
|
||||||
(record "b" 300 "CNAME" "public01.infra.p.forkos.org")
|
|
||||||
(record "postgres" 300 "CNAME" "bagel-box.infra.p.forkos.org")
|
|
||||||
(record "news" 3600 "CNAME" "public01.infra.p.forkos.org")
|
|
||||||
|
|
||||||
# S3 in delroth's basement
|
|
||||||
(record "cache" 300 "AAAA" "2a02:168:6426::12") # smol.delroth.net
|
|
||||||
(record "cache" 300 "A" "195.39.247.161") # sni proxy
|
|
||||||
|
|
||||||
(record "vpn-gw.wob01.infra" 300 "AAAA" "2a01:584:11::2")
|
|
||||||
|
|
||||||
(dualProxyRecords "build-coord.wob01.infra" 300 "AAAA" "2a01:584:11::1:11")
|
|
||||||
# TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
|
|
||||||
]
|
|
||||||
++ (map (index: record "builder-${toString index}.wob01.infra" 300 "AAAA" "2a01:584:11::1:${toString index}") (genList lib.id 11))
|
|
||||||
++ (
|
|
||||||
let
|
|
||||||
# FIXME: figure out a way to poke `config.services.s3-revproxy` and
|
|
||||||
# automate the DNS part away?
|
|
||||||
buckets = [
|
|
||||||
"channels"
|
|
||||||
"releases"
|
|
||||||
"channel-scripts-test"
|
|
||||||
];
|
|
||||||
in
|
|
||||||
map (bucket: record "${bucket}" 300 "CNAME" "public01.infra.p.forkos.org") buckets
|
|
||||||
));
|
|
||||||
"flowery.systems" = [
|
|
||||||
(record "" 300 "ALIAS" "news.forkos.org")
|
|
||||||
];
|
|
||||||
"vzfdfp.de" = [
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|