
No commits in common. "main" and "block-crawlers" have entirely different histories.

40 changed files with 606 additions and 1382 deletions

.envrc

@ -1,11 +1,2 @@
#!/usr/bin/env bash
# the shebang is ignored, but nice for editors
# shellcheck shell=bash
if type -P lorri &>/dev/null; then
eval "$(lorri direnv --flake .)"
else
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
use flake
fi


@ -26,7 +26,6 @@ in
"raito"
"hexchen"
"jade"
"pennae"
];
};
bagel.users = genAttrs [
@ -42,6 +41,5 @@ in
"winter"
"yuka"
"ckie"
"pennae"
] (name: {});
}


@ -7,7 +7,6 @@
nixpkgs.overlays = import ../overlays;
nix.package = lib.mkDefault pkgs.lix;
system.tools.nixos-option.enable = false;
services.openssh.enable = lib.mkForce true;
networking.nftables.enable = true;


@ -1,7 +1,7 @@
{ lib, config, ... }:
let
cfg = config.bagel.hardware.raito-vm;
inherit (lib) mkEnableOption mkIf mkOption types split toIntBase10;
inherit (lib) mkEnableOption mkIf mkOption types;
in
{
options.bagel.hardware.raito-vm = {
@ -54,17 +54,6 @@ in
linkConfig.Name = "wan";
};
bagel.infra.self.wan =
let
parts = split "/" cfg.networking.wan.address;
address = builtins.elemAt parts 0;
prefixLength = toIntBase10 (builtins.elemAt 1 parts);
in
{
family = "inet6";
inherit address prefixLength;
};
boot.loader.systemd-boot.enable = true;
boot.initrd.kernelModules = [


@ -64,9 +64,5 @@
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxQ3NYBi8v1f/vhxLKDcA6upmX0pctRDbnK6SER5OUR yureka" ];
winter = [ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" ];
ckie = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3uTwzSSMAPg84fwbNp2cq9+BdLFeA1VzDGth4zCAbz https://mei.puppycat.house" ];
pennae = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wf5/IbyFpdziWfwxkQqxOf3r1L9pYn6xQBEKFwmMY"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo="
];
};
}


@ -1,4 +1,5 @@
{ lib, pkgs, config, ... }: {
users.defaultUserShell = pkgs.zsh;
programs.zsh = {
enable = true;
enableCompletion = true;


@ -27,17 +27,16 @@
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"nix-github-actions": "nix-github-actions_2",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731270564,
"narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
"lastModified": 1711742460,
"narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "47752427561f1c34debb16728a210d378f0ece36",
"rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
"type": "github"
},
"original": {
@ -50,11 +49,11 @@
"bats-assert": {
"flake": false,
"locked": {
"lastModified": 1692829535,
"narHash": "sha256-oDqhUQ6Xg7a3xx537SWLGRzqP3oKKeyY4UYGCdz9z/Y=",
"lastModified": 1636059754,
"narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
"owner": "bats-core",
"repo": "bats-assert",
"rev": "e2d855bc78619ee15b0c702b5c30fb074101159f",
"rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
"type": "github"
},
"original": {
@ -66,11 +65,11 @@
"bats-support": {
"flake": false,
"locked": {
"lastModified": 1693050811,
"narHash": "sha256-PxJaH16+QrsfZqtkWVt5K6TwJB5gjIXnbGo+MB84WIU=",
"lastModified": 1548869839,
"narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
"owner": "bats-core",
"repo": "bats-support",
"rev": "9bf10e876dd6b624fe44423f0b35e064225f7556",
"rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
"type": "github"
},
"original": {
@ -88,16 +87,16 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1730064416,
"narHash": "sha256-Opbtu9hKijGkEx+GYbSu3MJms3lFxZmAGTFyckguWMM=",
"ref": "refs/heads/forkos",
"rev": "79137b14f3cb376204f739f44b05aebfc288ca89",
"revCount": 310,
"lastModified": 1728837991,
"narHash": "sha256-+jXVHPmX9eUtH2JhMKye0Tm2KMQTmD8FlHHfbcaXMOI=",
"ref": "refs/heads/bring-back-old-gerrit-reporting",
"rev": "879e9cdcdf2d7e6566ee512d015acc4d23f35517",
"revCount": 302,
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
},
"original": {
"ref": "refs/heads/forkos",
"ref": "refs/heads/bring-back-old-gerrit-reporting",
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
}
@ -109,11 +108,11 @@
]
},
"locked": {
"lastModified": 1734197525,
"narHash": "sha256-rb/+iJBNsfXnz+PJSdlsCViodtEHrgfz/Fixq2NXUFI=",
"lastModified": 1725128016,
"narHash": "sha256-4TvaXELsl+1OcGNgqB/5HVXVxBvdIQkhJsY4FyiDcNU=",
"ref": "refs/heads/main",
"rev": "6e4ae567a3f872bdb90a62d588bb5cc4b3596258",
"revCount": 265,
"rev": "23b6c38ed7e11417bf624f6e4fb6cde0d2be6400",
"revCount": 261,
"type": "git",
"url": "https://git.lix.systems/the-distro/channel-scripts.git"
},
@ -126,18 +125,17 @@
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1731527002,
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
"lastModified": 1711386353,
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
"type": "github"
},
"original": {
@ -155,11 +153,11 @@
]
},
"locked": {
"lastModified": 1722960479,
"narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
"lastModified": 1702918879,
"narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
"owner": "ipetkov",
"repo": "crane",
"rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
"rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
"type": "github"
},
"original": {
@ -169,12 +167,18 @@
}
},
"crane_2": {
"inputs": {
"nixpkgs": [
"grapevine",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"lastModified": 1716569590,
"narHash": "sha256-5eDbq8TuXFGGO3mqJFzhUbt5zHVTf5zilQoyW5jnJwo=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"rev": "109987da061a1bf452f435f1653c47511587d919",
"type": "github"
},
"original": {
@ -215,11 +219,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1731738660,
"narHash": "sha256-tIXhc9lX1b030v812yVJanSR37OnpTb/OY5rU3TbShA=",
"lastModified": 1716359173,
"narHash": "sha256-pYcjP6Gy7i6jPWrjiWAVV0BCQp+DdmGaI/k65lBb/kM=",
"owner": "nix-community",
"repo": "fenix",
"rev": "e10ba121773f754a30d31b6163919a3e404a434f",
"rev": "b6fc5035b28e36a98370d0eac44f4ef3fd323df6",
"type": "github"
},
"original": {
@ -248,11 +252,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -318,8 +322,8 @@
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"grapevine",
"attic",
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
@ -337,45 +341,6 @@
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
@ -392,15 +357,30 @@
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -410,6 +390,21 @@
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gerrit-dashboard": {
"flake": false,
"locked": {
@ -432,21 +427,20 @@
"crane": "crane_2",
"fenix": "fenix",
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"nix-filter": "nix-filter",
"nixpkgs": [
"nixpkgs"
],
"rocksdb": "rocksdb",
"rust-manifest": "rust-manifest"
},
"locked": {
"host": "gitlab.computer.surgery",
"lastModified": 1734138037,
"narHash": "sha256-pN/nJ9tR6ewnpVUUzcF+Z9L/0R0WmtBVePJOqx9rzTk=",
"lastModified": 1727994504,
"narHash": "sha256-FC6M1KKX58HbU9LG+cG6EJRr02J9lE/o0iiDi6m1gv8=",
"owner": "matrix",
"repo": "grapevine-fork",
"rev": "8537c0e8ac3eb388500587b035008e5f98204a4b",
"rev": "5a490a4397f0c6a36dab1cb631dadc67a849deab",
"type": "gitlab"
},
"original": {
@ -486,11 +480,11 @@
]
},
"locked": {
"lastModified": 1733503045,
"narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
"lastModified": 1728321752,
"narHash": "sha256-GbBAoBF7ZObz0IP+g0LZKxMafpMvNKjTEu9haiZbV54=",
"ref": "refs/heads/main",
"rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
"revCount": 4230,
"rev": "ee1234c15cdcb427dbd4828e0add09d02cd606c9",
"revCount": 4220,
"type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git"
},
@ -511,11 +505,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1732112222,
"narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
"lastModified": 1728163191,
"narHash": "sha256-SW0IEBsPN1EysqzvfDT+8Kimtzy03O1BxQQm7ZB6fRY=",
"ref": "refs/heads/main",
"rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
"revCount": 16513,
"rev": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6",
"revCount": 16323,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
},
@ -526,12 +520,12 @@
},
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts_3",
"flake-parts": "flake-parts_2",
"lix": [
"hydra",
"lix"
],
"nix-github-actions": "nix-github-actions_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"hydra",
"nixpkgs"
@ -539,11 +533,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1732351635,
"narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
"lastModified": 1723579251,
"narHash": "sha256-xnHtfw0gRhV+2S9U7hQwvp2klTy1Iv7FlMMO0/WiMVc=",
"ref": "refs/heads/main",
"rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
"revCount": 617,
"rev": "42a160bce2fd9ffebc3809746bc80cc7208f9b08",
"revCount": 609,
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
},
@ -554,11 +548,11 @@
},
"nix-filter": {
"locked": {
"lastModified": 1731533336,
"narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
"lastModified": 1710156097,
"narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
"rev": "3342559a24e85fc164b295c3444e8a139924675b",
"type": "github"
},
"original": {
@ -575,64 +569,20 @@
]
},
"locked": {
"lastModified": 1734192622,
"narHash": "sha256-AkT4QHHneyWBL9UDhvrmPnQUOfN9ETP295y6TtuW6rU=",
"ref": "refs/heads/bump-minor-3_10",
"rev": "c011f670b335b52150af5c75f21e987d166ecec2",
"revCount": 8,
"lastModified": 1720891381,
"narHash": "sha256-bdZRPgnkROSejmwMOrlcqHMWmuPIVIzjk6r5FbS+fqU=",
"ref": "refs/heads/main",
"rev": "23dd318e6741ff686d3069c53ecf475eac8a0565",
"revCount": 5,
"type": "git",
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
},
"original": {
"ref": "refs/heads/bump-minor-3_10",
"type": "git",
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"grapevine",
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_3": {
"inputs": {
"nixpkgs": [
"hydra",
@ -641,11 +591,11 @@
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"lastModified": 1720066371,
"narHash": "sha256-uPlLYH2S0ACj0IcgaK9Lsf4spmJoGejR9DotXiXSBZQ=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"rev": "622f829f5fe69310a866c8a6cd07e747c44ef820",
"type": "github"
},
"original": {
@ -657,11 +607,11 @@
"nix2container": {
"flake": false,
"locked": {
"lastModified": 1724996935,
"narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
"lastModified": 1720642556,
"narHash": "sha256-qsnqk13UmREKmRT7c8hEnz26X3GFFyIQrqx4EaRc1Is=",
"owner": "nlewo",
"repo": "nix2container",
"rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
"rev": "3853e5caf9ad24103b13aa6e0e8bcebb47649fe4",
"type": "github"
},
"original": {
@ -672,11 +622,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1726042813,
"narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
"lastModified": 1711401922,
"narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
"rev": "07262b18b97000d16a4bdb003418bd2fb067a932",
"type": "github"
},
"original": {
@ -686,18 +636,6 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
@ -716,61 +654,44 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1724316499,
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
"lastModified": 1711460390,
"narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
"rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733940404,
"narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
"lastModified": 1728093190,
"narHash": "sha256-CAZF2NRuHmqTtRTNAruWpHA43Gg2UvuCNEIzabP0l6M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
"rev": "e2f08f4d8b3ecb5cf5c9fd9cb2d53bb3c71807da",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"ofborg": {
"flake": false,
"locked": {
"lastModified": 1734308727,
"narHash": "sha256-/bJhMZQ5VSblvgqAR9hSLwdm5pxenn/UMY8pDDVSquI=",
"ref": "refs/heads/vcs-generalization",
"rev": "7bcc8fa584c66f317923337658974c0525e5779f",
"revCount": 1495,
"type": "git",
"url": "https://git.lix.systems/the-distro/ofborg.git"
},
"original": {
"ref": "refs/heads/vcs-generalization",
"type": "git",
"url": "https://git.lix.systems/the-distro/ofborg.git"
}
},
"pre-commit-hooks": {
"flake": false,
"locked": {
"lastModified": 1726745158,
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"type": "github"
},
"original": {
@ -779,23 +700,6 @@
"type": "github"
}
},
"rocksdb": {
"flake": false,
"locked": {
"lastModified": 1730475155,
"narHash": "sha256-u5uuShM2SxHc9/zL4UU56IhCcR/ZQbzde0LgOYS44bM=",
"owner": "facebook",
"repo": "rocksdb",
"rev": "3c27a3dde0993210c5cc30d99717093f7537916f",
"type": "github"
},
"original": {
"owner": "facebook",
"ref": "v9.7.4",
"repo": "rocksdb",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@ -811,7 +715,6 @@
],
"nix-gerrit": "nix-gerrit",
"nixpkgs": "nixpkgs_2",
"ofborg": "ofborg",
"stateless-uptime-kuma": "stateless-uptime-kuma",
"terranix": "terranix"
}
@ -819,11 +722,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1731693936,
"narHash": "sha256-uHUUS1WPyW6ohp5Bt3dAZczUlQ22vOn7YZF8vaPKIEw=",
"lastModified": 1716107283,
"narHash": "sha256-NJgrwLiLGHDrCia5AeIvZUHUY7xYGVryee0/9D3Ir1I=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "1b90e979aeee8d1db7fe14603a00834052505497",
"rev": "21ec8f523812b88418b2bfc64240c62b3dd967bd",
"type": "github"
},
"original": {
@ -847,16 +750,16 @@
},
"stable": {
"locked": {
"lastModified": 1730883749,
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
"lastModified": 1696039360,
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
@ -907,38 +810,22 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": {
"inputs": {
"bats-assert": "bats-assert",
"bats-support": "bats-support",
"flake-parts": "flake-parts_4",
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_3",
"terranix-examples": "terranix-examples"
},
"locked": {
"lastModified": 1728959489,
"narHash": "sha256-1Pu2j5xsBTuoyga08ZVf+rKp3FOMmJh/0fXen/idOrA=",
"lastModified": 1695406838,
"narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
"owner": "terranix",
"repo": "terranix",
"rev": "7734e2ee6a1472807a33ce1e7da794bed2aaf91c",
"rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
"type": "github"
},
"original": {
@ -949,11 +836,11 @@
},
"terranix-examples": {
"locked": {
"lastModified": 1637156952,
"narHash": "sha256-KqvXIe1yiKOEP9BRYqNQN+LOWPCsWojh0WjEgv5jfEI=",
"lastModified": 1636300201,
"narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
"owner": "terranix",
"repo": "terranix-examples",
"rev": "921680efb8af0f332d8ad73718d53907f9483e24",
"rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
"type": "github"
},
"original": {
@ -992,11 +879,11 @@
]
},
"locked": {
"lastModified": 1732292307,
"narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
"lastModified": 1723454642,
"narHash": "sha256-S0Gvsenh0II7EAaoc9158ZB4vYyuycvMGKGxIbERNAM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "705df92694af7093dfbb27109ce16d828a79155f",
"rev": "349de7bc435bdff37785c2466f054ed1766173be",
"type": "github"
},
"original": {


@ -2,7 +2,7 @@
description = "Bagel cooking infrastructure";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
terranix.url = "github:terranix/terranix";
terranix.inputs.nixpkgs.follows = "nixpkgs";
@ -16,16 +16,13 @@
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
hydra.inputs.nixpkgs.follows = "nixpkgs";
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git?ref=refs/heads/bump-minor-3_10";
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
ofborg.url = "git+https://git.lix.systems/the-distro/ofborg.git?ref=refs/heads/vcs-generalization";
ofborg.flake = false;
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
gerrit-dashboard.flake = false;
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/forkos";
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/bring-back-old-gerrit-reporting";
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";
@ -45,7 +42,7 @@
};
};
outputs = { self, nixpkgs, terranix, colmena, ofborg, ... } @ inputs:
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
let
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
forEachSystem = f: builtins.listToAttrs (map (system: {
@ -61,9 +58,6 @@
inputs.lix.overlays.default
inputs.nix-gerrit.overlays.default
inputs.channel-scripts.overlays.default
(import inputs.ofborg {
pkgs = import nixpkgs { localSystem = system; };
}).overlay
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
];
};
@ -179,7 +173,7 @@
}
];
builders = lib.listToAttrs (map makeBuilder [4 5 10 11]);
builders = lib.listToAttrs (lib.genList makeBuilder 11);
in {
meta.nixpkgs = systemBits.x86_64-linux.pkgs;
# Add any non-x86_64 native systems here.
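Review bot: `nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"` tracks the channel that only requires the package jobset to build, whereas `nixos-unstable` additionally waits for the NixOS test suite to pass, so for a NixOS deployment the latter is the safer pin. In the same file `nix-gerrit.url` drops its `?ref=` and will now follow that repository's default branch, which makes lock updates less predictable; if that is intended, a short comment saying so would help. `builders = lib.listToAttrs (lib.genList makeBuilder 11)` produces builder-0 through builder-10, which matches the eleven entries in the extra-builders list elsewhere in this compare. The `outputs` function continues outside the hunk.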


@ -37,21 +37,7 @@
bagel.services = {
postgres.enable = true;
ofborg = {
rabbitmq.enable = true;
pastebin.enable = true;
# TODO: statcheck.enable = true;
mass-rebuilder.enable = true;
# TODO: enable once ready.
builder.enable = false;
gerrit-event-streamer.enable = true;
gerrit-generic-vcs-filter.enable = true;
# FIXME: plug into our prometheus stack.
stats.enable = true;
};
ofborg.enable = true;
};
bagel.sysadmin.enable = true;
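Review bot: `ofborg.enable = true;` collapses the per-component switches into the module defaults, and the one that matters most — whether the ofborg builder, which builds submitted changes, is started — is no longer stated in this file. The other side of the compare kept `builder.enable = false;` with a note that it was not ready; if this branch's module exposes the same option, keep `ofborg.builder.enable = false;` explicit here so a default change cannot silently turn it on. Whether the module on this branch has that option is not visible in the hunk, so confirm before adding the line. The enclosing `bagel.services` attrset starts before the hunk.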


@ -9,14 +9,8 @@
bagel.services = {
hydra.enable = true;
hydra.builders = map (i: "builder-${builtins.toString i}") [4 5 10];
# Arguably, the build-coordinator is the most sensitive piece of our own infrastructure.
# Henceforth, it can run as well another sensitive piece of the system: the Vault.
vault = {
enable = true;
domain = "vault.forkos.org";
};
# Takes 10 builders (0 → 9).
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
};
bagel.monitoring.exporters.hydra.enable = true;
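Review bot: `hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;` hands builders 0–9 to Hydra, while the buildbot section of this compare sets `builders = [ "builder-9" ];` and the extra-builders section marks builders 8–9 as big-parallel only with `required-features = [ "big-parallel" ];`. If the buildbot entry becomes a Nix remote-builder machine, builder-9 is then both shared with Hydra and restricted to derivations that require big-parallel, so ordinary buildbot builds would never be dispatched to it; builder-10, which that list says is unused by Hydra and has no required features, looks like the intended pick — confirm. The literal `10` and the comment `# Takes 10 builders (0 → 9).` also duplicate a count defined in extra-builders; deriving it from one place would prevent drift. This note covers the hydra, buildbot and extra-builders sections; the enclosing `bagel.services` attrset starts before the hunk.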


@ -38,7 +38,7 @@
zramSwap = {
enable = true;
memoryPercent = 100;
memoryPercent = 25;
};
networking.useNetworkd = true;
@ -72,12 +72,6 @@
];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
bagel.infra.self.wan = {
family = "inet6";
address = "2a01:584:11::1:11";
prefixLength = 64;
};
services.coredns = {
enable = true;
config = ''


@ -44,7 +44,7 @@
"nixpkgs"
"infra"
];
builders = [ "builder-4" ];
builders = [ "builder-9" ];
};
i18n.defaultLocale = "en_US.UTF-8";


@ -61,8 +61,6 @@
{
enable = true;
stateDirectory = "/gerrit-data/ows";
pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
deployKeyPath = config.age.secrets.ows-deploy-key.path;
@ -109,6 +107,21 @@
timer = "hourly";
fromRefspec = "staging-23.11";
};
# Testing jobs for personal sandbox branches
branches."raito-unstable-sync" = {
fromUri = "https://github.com/NixOS/nixpkgs";
fromRefspec = "nixos-unstable-small";
localRefspec = "sandbox/raito/raito-unstable-small";
timer = "*-*-* 12:00:00";
};
branches."raito-release-sync" = {
fromUri = "https://github.com/NixOS/nixpkgs";
fromRefspec = "nixos-24.05";
localRefspec = "sandbox/raito/raito-nixos-24.05";
timer = "daily";
};
};
age.secrets.s3-channel-staging-keys.file = ../../secrets/floral/s3-channel-staging-keys.age;


@ -1,10 +1,9 @@
{ lib
, buildGo122Module
, buildGoModule
, fetchFromGitHub
}:
# FIXME: update, remove this pin
buildGo122Module rec {
buildGoModule rec {
pname = "pyroscope";
version = "1.7.1";


@ -46,8 +46,6 @@ let
postgres-ca-priv = [ machines.bagel-box ];
postgres-tls-priv = [ machines.bagel-box ];
rabbitmq-password = [ machines.bagel-box ];
gerrit-event-listener-ssh-key = [ machines.bagel-box ];
newsletter-secrets = [ machines.public01 ];
s3-revproxy-api-keys = [ machines.public01 ];



@ -3,18 +3,27 @@
let
genBuilders = { offset ? 0, count, f }: builtins.genList (x: rec { name = "builder-${toString (offset + x)}"; value = f name; }) count;
in builtins.listToAttrs (
genBuilders { offset = 4; count = 2; f = name: {
# The first 8 builders are general purpose hydra builders
genBuilders { count = 8; f = name: {
cores = 8;
max-jobs = 8;
supported-features = [ "kvm" "nixos-test" ];
required-features = [ ];
}; }
++
# This builder is exclusively for big-parallel
genBuilders { offset = 10; count = 1; f = name: {
# The last 2 builders are exclusively for big-parallel
genBuilders { offset = 8; count = 2; f = name: {
cores = 20;
max-jobs = 1;
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
required-features = [ "big-parallel" ];
}; }
++
# These are not currently used for hydra
genBuilders { offset = 10; count = 1; f = name: {
cores = 8;
max-jobs = 8;
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
required-features = [ ];
}; }
)
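Review bot: `genBuilders` has no header comment, while each call site now carries one; a reader has to reconstruct from the `builtins.genList` call that it emits `count` name/value pairs named `builder-<offset + x>` and that `f` receives that name. A comment above the `let`, such as `# genBuilders { offset ? 0, count, f }: attrs "builder-<offset+x>" -> f name, for x in 0..count-1`, would make the three ranges (0–7, 8–9, 10) checkable at a glance. The comment `# These are not currently used for hydra` on builder-10 is a claim about a consumer outside this file — the hydra section of this compare does stop at builder-9, so it holds today — and would be more robust as `# builder-10 is kept outside hydra's range (see the hydra service config)`. All three `f = name: { … }` bodies ignore `name`; if nothing else uses it, say so in the header comment.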


@ -135,11 +135,6 @@ in
{ address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
bagel.infra.self.wan = {
family = "inet6";
address = "2a01:584:11::1:${toString cfg.num}";
prefixLength = 64;
};
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
deployment.tags = [ "builders" ];


@ -194,32 +194,6 @@ in
RestartSteps = 10;
};
services.postgresql.settings = {
# DB Version: 15
# OS Type: linux
# DB Type: web
# Total Memory (RAM): 64 GB
# CPUs num: 16
# Connections num: 100
# Data Storage: ssd
max_connections = 100;
shared_buffers = "16GB";
effective_cache_size = "48GB";
maintenance_work_mem = "2GB";
checkpoint_completion_target = 0.9;
wal_buffers = "16MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 200;
work_mem = "41943kB";
huge_pages = "try";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 16;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 16;
max_parallel_maintenance_workers = 4;
};
nix.settings.keep-derivations = true;
nix.gc = {


@ -152,9 +152,7 @@ in
hydra_uri = cfg.hydraUrl;
binary_cache_uri = cfg.binaryCacheUrl;
base_git_uri_for_revision = cfg.baseUriForGitRevisions;
# TODO: this leaks information about where channel-scripts are hosted.
# Cleanup this later with a proper module option.
repo_dir = "/gerrit-data/channel-scripts/nixpkgs";
nixpkgs_dir = "/var/lib/channel-scripts/nixpkgs";
s3_release_bucket_name = cfg.s3.release;
s3_channel_bucket_name = cfg.s3.channel;
};
@ -179,24 +177,6 @@ in
};
script = "true";
};
"cleanup-failed-streaming-prefixes" = {
description = "Cleanup all failed streaming prefixes on the channel bucket (channel-scripts)";
conflicts = map (service: "${service.name}.service") updateJobs;
after = [ "networking.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = false;
User = "channel-scripts";
DynamicUser = true;
StateDirectory = "channel-scripts";
EnvironmentFile = [
cfg.releaseBucketCredentialsFile
];
Environment = cfg.extraEnvironment;
LoadCredential = [ "password:${config.age.secrets.alloy-push-password.path}" ];
ExecStart = "${cfg.package}/bin/mirror-forkos -c ${configFile} ${concatStringsSep " " cfg.extraArgs} cleanup-streamed-prefixes";
};
};
};
systemd.timers."update-all-channels" = {
@ -208,14 +188,5 @@ in
AccuracySec = 300;
};
};
systemd.timers."cleanup-failed-streaming-prefixes" = {
description = "Cleanup failed streaming prefixes for channel-scripts";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
};
};
};
}
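Review bot: `nixpkgs_dir = "/var/lib/channel-scripts/nixpkgs";` hardcodes the checkout path into the generated config, and the key name differs from the `repo_dir` used on the other side, so it must match what the `mirror-forkos` binary shipped in `cfg.package` actually reads — a mismatch would only surface at runtime. Exposing the path as a module option (a `nixpkgsDir`-style option with this value as its default; name to be chosen) keeps the path and the unit's state directory in one place and lets a deployment with a separate data volume override it. With the `cleanup-failed-streaming-prefixes` service and timer gone, `update-all-channels` is the only remaining timer here; if failed streaming prefixes are still produced, nothing prunes them from the channel bucket any more. The first hunk's enclosing attrset starts before it.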


@ -7,7 +7,6 @@
./matrix
./monitoring
./uptime-kuma
./self
./netbox
./ofborg
./postgres
@ -16,7 +15,6 @@
./buildbot
./newsletter
./s3-revproxy
./vault
./extra-builders
];
}


@ -129,9 +129,7 @@ in
serverId = "9e5216ad-038d-4d74-a4e8-716515834a94";
builtinPlugins = [
# Disable gitiles as it generates too much traffic.
# Prefer git.forkos.org.
# "gitiles"
"gitiles"
"codemirror-editor"
"reviewnotes"
"download-commands"


@ -57,7 +57,6 @@ in
name = "git-gc-preserve-${name}";
value = {
description = "Git-GC-Preserve Service - ${name}";
path = [ pkgs.util-linux ];
serviceConfig = {
WorkingDirectory = gcConfig.repoPath;
Type = "oneshot";


@ -71,12 +71,6 @@ in
description = "Working directory for the service";
};
stateDirectory = mkOption {
type = types.str;
default = "/var/lib/onewaysync";
description = "State directory where the copies of nixpkgs are stored";
};
pushUrl = mkOption {
type = types.str;
example = "ssh://...";
@ -125,10 +119,6 @@ in
};
config = mkIf cfg.enable {
fileSystems."/var/lib/onewaysync" = mkIf (cfg.stateDirectory != "/var/lib/onewaysync") {
device = cfg.stateDirectory;
options = [ "bind" ];
};
systemd.timers = mapAttrs' (name: value: {
name = "ows-${name}";
value = mkSyncTimer name value;


@ -32,11 +32,6 @@ in
];
server_name = "forkos.org";
database.backend = "rocksdb";
server_discovery = {
server.authority = "matrix.forkos.org:443";
client.base_url = "https://matrix.forkos.org";
};
};
};
@ -53,7 +48,18 @@ in
"forkos.org" = {
forceSSL = true;
enableACME = true;
locations."/.well-known/matrix".proxyPass = "http://grapevine";
locations = {
"= /.well-known/matrix/server".extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.server": "matrix.forkos.org:443"}';
'';
"= /.well-known/matrix/client".extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.homeserver": {"base_url": "https://matrix.forkos.org/"}, "m.identity_server": {"base_url": "https://matrix.org/"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.forkos.org"}}';
'';
};
};
};
};
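Review bot: In both `= /.well-known/matrix/…` locations, `add_header Content-Type application/json;` does not replace the Content-Type nginx attaches to a `return 200 '…'` body (that one comes from `default_type`), so the response can carry two Content-Type headers and a client that honours the first may not treat the body as JSON. Use `default_type application/json;` inside each location in place of the `add_header Content-Type` line. `Access-Control-Allow-Origin *` is what the Matrix well-known endpoints require, so that header is fine; the two JSON bodies hardcode `matrix.forkos.org`, which now lives in nginx as well as in the homeserver settings, so a shared `let` binding would avoid the two drifting apart. The enclosing `virtualHosts` attrset starts before the hunk.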


@ -23,9 +23,6 @@ in
};
services.postgresql.settings.shared_preload_libraries = "pg_stat_statements";
systemd.services.postgresql.postStart = lib.mkAfter ''
${config.services.postgresql.package}/bin/psql -U postgres -c "CREATE EXTENSION IF NOT EXISTS pg_stat_statements;";
'';
bagel.monitoring.grafana-agent.exporters.postgres.port = 9104;
};


@ -1,3 +1,4 @@
namespace: forkos
groups:
- name: ForkOS automation
rules:


@ -1,3 +1,4 @@
namespace: postgres
groups:
- name: PostgreSQL
rules:


@ -1,3 +1,4 @@
namespace: resources
groups:
- name: Host & hardware
rules:



@ -20,6 +20,7 @@
"fiscalYearStartMonth": 0,
"gnetId": 9628,
"graphTooltip": 0,
"id": 27,
"links": [],
"liveNow": false,
"panels": [
@ -100,7 +101,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"mean"
@ -112,14 +112,14 @@
"textMode": "name",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_static{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_static{hostname=\"$hostname\"}",
"format": "time_series",
"instant": true,
"intervalFactor": 1,
@ -182,7 +182,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"mean"
@ -194,14 +193,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_postmaster_start_time_seconds{tenant=\"$tenant\",hostname=\"$hostname\"} * 1000",
"expr": "pg_postmaster_start_time_seconds{hostname=\"$hostname\"} * 1000",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "",
@ -262,7 +261,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -274,14 +272,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "SUM(pg_stat_database_tup_fetched{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"})",
"expr": "SUM(pg_stat_database_tup_fetched{datname=~\"$datname\", hostname=~\"$hostname\"})",
"format": "time_series",
"intervalFactor": 2,
"refId": "A",
@ -342,7 +340,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -354,14 +351,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "SUM(pg_stat_database_tup_inserted{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"})",
"expr": "SUM(pg_stat_database_tup_inserted{datname=~\"$datname\", hostname=~\"$hostname\"})",
"format": "time_series",
"intervalFactor": 2,
"refId": "A",
@ -422,7 +419,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -434,14 +430,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "SUM(pg_stat_database_tup_updated{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"})",
"expr": "SUM(pg_stat_database_tup_updated{datname=~\"$datname\", hostname=~\"$hostname\"})",
"format": "time_series",
"intervalFactor": 2,
"refId": "A",
@ -502,7 +498,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"mean"
@ -514,14 +509,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_max_connections{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_max_connections{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -607,7 +602,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -619,14 +613,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_shared_buffers_bytes{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_shared_buffers_bytes{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -686,7 +680,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -698,14 +691,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_effective_cache_size_bytes{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_effective_cache_size_bytes{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -765,7 +758,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -777,14 +769,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_maintenance_work_mem_bytes{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_maintenance_work_mem_bytes{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -844,7 +836,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -856,14 +847,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_work_mem_bytes{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_work_mem_bytes{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "",
@ -925,7 +916,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -937,14 +927,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_max_wal_size_bytes{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_max_wal_size_bytes{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -1004,7 +994,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -1016,14 +1005,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_random_page_cost{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_random_page_cost{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -1083,7 +1072,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -1095,7 +1083,7 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
@ -1162,7 +1150,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"mean"
@ -1174,14 +1161,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_max_worker_processes{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_max_worker_processes{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -1241,7 +1228,6 @@
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"percentChangeColorMode": "standard",
"reduceOptions": {
"calcs": [
"lastNotNull"
@ -1253,14 +1239,14 @@
"textMode": "auto",
"wideLayout": true
},
"pluginVersion": "11.2.1",
"pluginVersion": "11.0.0",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_settings_max_parallel_workers{tenant=\"$tenant\",hostname=\"$hostname\"}",
"expr": "pg_settings_max_parallel_workers{hostname=\"$hostname\"}",
"format": "time_series",
"intervalFactor": 1,
"refId": "A"
@ -1312,7 +1298,6 @@
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "points",
"fillOpacity": 10,
"gradientMode": "none",
@ -1387,7 +1372,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_activity_count{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\", state=\"active\"} !=0",
"expr": "pg_stat_activity_count{datname=~\"$datname\", hostname=~\"$hostname\", state=\"active\"} !=0",
"format": "time_series",
"interval": "",
"intervalFactor": 2,
@ -1416,7 +1401,6 @@
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
@ -1490,7 +1474,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_database_xact_commit{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"expr": "irate(pg_stat_database_xact_commit{hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{datname}} commits",
@ -1501,7 +1485,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_database_xact_rollback{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"expr": "irate(pg_stat_database_xact_rollback{hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{datname}} rollbacks",
@ -1528,7 +1512,6 @@
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
@ -1602,7 +1585,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_database_tup_updated{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"} != 0",
"expr": "pg_stat_database_tup_updated{datname=~\"$datname\", hostname=~\"$hostname\"} != 0",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}}",
@ -1630,7 +1613,6 @@
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
@ -1704,7 +1686,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_database_tup_fetched{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"} != 0",
"expr": "pg_stat_database_tup_fetched{datname=~\"$datname\", hostname=~\"$hostname\"} != 0",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}}",
@ -1732,7 +1714,6 @@
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
@ -1806,7 +1787,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_database_tup_inserted{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"} != 0",
"expr": "pg_stat_database_tup_inserted{datname=~\"$datname\", hostname=~\"$hostname\"} != 0",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}}",
@ -1834,7 +1815,6 @@
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
@ -1910,7 +1890,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_locks_count{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\", mode=~\"$mode\"} != 0",
"expr": "pg_locks_count{datname=~\"$datname\", hostname=~\"$hostname\", mode=~\"$mode\"} != 0",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}},{{mode}}",
@ -1968,7 +1948,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2010,7 +1991,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_database_tup_returned{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"} != 0",
"expr": "pg_stat_database_tup_returned{datname=~\"$datname\", hostname=~\"$hostname\"} != 0",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}}",
@ -2069,7 +2050,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2110,7 +2092,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_activity_count{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\", state=~\"idle|idle in transaction|idle in transaction (aborted)\"}",
"expr": "pg_stat_activity_count{datname=~\"$datname\", hostname=~\"$hostname\", state=~\"idle|idle in transaction|idle in transaction (aborted)\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}}, s: {{state}}",
@ -2168,7 +2150,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2210,7 +2193,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_database_tup_deleted{datname=~\"$datname\", tenant=\"$tenant\",hostname=~\"$hostname\"} != 0",
"expr": "pg_stat_database_tup_deleted{datname=~\"$datname\", hostname=~\"$hostname\"} != 0",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{datname}}",
@ -2269,7 +2252,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2310,7 +2294,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "pg_stat_database_blks_hit{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"} / (pg_stat_database_blks_read{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"} + pg_stat_database_blks_hit{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"})",
"expr": "pg_stat_database_blks_hit{hostname=\"$hostname\", datname=~\"$datname\"} / (pg_stat_database_blks_read{hostname=\"$hostname\", datname=~\"$datname\"} + pg_stat_database_blks_hit{hostname=\"$hostname\", datname=~\"$datname\"})",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{ datname }}",
@ -2367,7 +2351,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2410,7 +2395,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_buffers_backend{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_buffers_backend{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "buffers_backend",
@ -2421,7 +2406,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_buffers_alloc{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_buffers_alloc{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "buffers_alloc",
@ -2432,7 +2417,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_buffers_backend_fsync{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "backend_fsync",
@ -2443,7 +2428,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_buffers_checkpoint{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "buffers_checkpoint",
@ -2454,7 +2439,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_buffers_clean{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_buffers_clean{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "buffers_clean",
@ -2512,7 +2497,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2554,7 +2540,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_database_conflicts{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"expr": "irate(pg_stat_database_conflicts{hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{datname}} conflicts",
@ -2565,7 +2551,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_database_deadlocks{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"expr": "irate(pg_stat_database_deadlocks{hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{datname}} deadlocks",
@ -2624,7 +2610,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2666,7 +2653,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_database_temp_bytes{tenant=\"$tenant\",hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"expr": "irate(pg_stat_database_temp_bytes{hostname=\"$hostname\", datname=~\"$datname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{datname}}",
@ -2723,7 +2710,8 @@
"mode": "absolute",
"steps": [
{
"color": "green"
"color": "green",
"value": null
},
{
"color": "red",
@ -2766,7 +2754,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_checkpoint_write_time{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "write_time - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk.",
@ -2777,7 +2765,7 @@
"type": "prometheus",
"uid": "mimir"
},
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{tenant=\"$tenant\",hostname=\"$hostname\"}[5m])",
"expr": "irate(pg_stat_bgwriter_checkpoint_sync_time{hostname=\"$hostname\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "sync_time - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk.",
@ -2878,32 +2866,8 @@
{
"current": {
"selected": false,
"text": "fake",
"value": "fake"
},
"definition": "label_values(tenant)",
"hide": 0,
"includeAll": true,
"label": "Tenant",
"multi": true,
"name": "tenant",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(tenant)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
},
{
"current": {
"selected": true,
"text": "buildbot",
"value": "buildbot"
"text": "bagel-box",
"value": "bagel-box"
},
"datasource": {
"type": "prometheus",
@ -2998,6 +2962,7 @@
"from": "now-6h",
"to": "now"
},
"timeRangeUpdatedDuringEditOrView": false,
"timepicker": {
"refresh_intervals": [
"5s",
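Review bot: Dropping the `tenant="$tenant"` matcher from every query (first at L1324) together with the `tenant` template variable block (L1988-L2011) means each panel now selects series by `hostname` alone; if the Mimir datasource ever exposes more than one tenant's series under the same `hostname`, the stat panels will sum or pick across tenants without any visual hint. The new side also carries `"id": 27` at L1299, which is an instance-local dashboard id; a dashboard provisioned from the repository should carry `"id": null` so it cannot collide with an existing dashboard on import. Both points are inferred from the JSON alone — if this dashboard is only ever loaded into a single-tenant Mimir the first is moot, but the second is worth fixing regardless.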


@ -12,11 +12,14 @@ let
alerts = pkgs.runCommand "mimir-alerts-checked" {
src = ./alerts;
nativeBuildInputs = with pkgs; [ prometheus.cli ];
nativeBuildInputs = with pkgs; [ mimir ];
} ''
promtool check rules $src/*
mkdir $out
cp -R $src $out/anonymous/
chmod -R +w $out
mimirtool rules check --rule-dirs=$out/anonymous
mimirtool rules lint --rule-dirs=$out/anonymous
diff -r $src $out/anonymous
'';
in
{
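Review bot: The `chmod -R +w $out` at L2042 and the trailing `diff -r $src $out/anonymous` at L2045 only make sense because `mimirtool rules lint` rewrites rule files in place, and nothing in the derivation says so — a later reader is likely to drop the `diff` as redundant and silently lose the formatting check. Add a comment before the lint step, e.g. `# mimirtool rules lint reformats files in place; the diff against $src below fails the build if any rule file was not already in canonical form.` Since `mimirtool rules check` on L2043 and the lint on L2044 both run against the writable copy, it may also be worth noting that `check` is deliberately run before `lint` so it validates the files as committed.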


@ -20,9 +20,6 @@ in
};
config = mkIf cfg.enable {
# FIXME: why
nixpkgs.config.permittedInsecurePackages = [ pkgs.netbox_3_7.name ];
age.secrets.netbox-environment.file = ../../secrets/floral/netbox-environment.age;
services = {
netbox = {


@ -1,109 +1,22 @@
{ pkgs, config, lib, ... }:
{ config, lib, ... }:
let
inherit (lib) mkIf mkMerge optional hasAttr;
cfg = config.bagel.services.ofborg;
amqpHost = "amqp.forkos.org";
amqpPort = 5671;
generators = pkgs.formats.json { };
configFile = generators.generate "ofborg-config.json" config.bagel.services.ofborg.settings;
mkOfborgWorker = binaryName: extra: extra // {
wantedBy = [ "multi-user.target" ];
description = "ofborg CI service - ${binaryName} worker";
after = [ "rabbitmq.service" ];
serviceConfig = {
DynamicUser = true;
ExecStart = "${cfg.package}/bin/${binaryName} ${configFile}";
# TODO: more hardening.
StateDirectory = "ofborg";
LogsDirectory = "ofborg";
RuntimeDirectory = "ofborg";
WorkingDirectory = "/var/lib/ofborg";
LoadCredential =
optional (hasAttr "rabbitmq-password" config.age.secrets) "rabbitmq-password:${config.age.secrets.rabbitmq-password.path}"
++ optional (hasAttr "gerrit-event-listener-ssh-key" config.age.secrets) "gerrit-ssh-key:${config.age.secrets.gerrit-event-listener-ssh-key.path}";
Environment = [
"XDG_STATE_HOME=/run/ofborg"
];
};
};
in {
options.bagel.services.ofborg = with lib; {
rabbitmq.enable = mkEnableOption "ofborg AMQP queue";
builder.enable = mkEnableOption "ofborg builder worker";
pastebin.enable = mkEnableOption "ofborg pastebin service";
statcheck-worker.enable = mkEnableOption "ofborg status & checks worker";
mass-rebuilder.enable = mkEnableOption "ofborg evaluator worker for mass rebuilds jobs";
stats.enable = mkEnableOption "ofborg prometheus worker";
gerrit-event-streamer.enable = mkEnableOption "ofborg's Gerrit event streamer";
gerrit-generic-vcs-filter.enable = mkEnableOption "ofborg's Gerrit event transformer to generic VCS events";
package = mkPackageOption pkgs "ofborg" { };
settings = mkOption {
type = generators.type;
};
enable = mkEnableOption "ofborg coordinator";
};
config = mkMerge [
{
# TODO: move this to global.
bagel.services.ofborg.settings = {
rabbitmq = {
ssl = true;
host = "amqp.forkos.org";
virtualhost = "/";
username = "ofborg";
password_file = "$CREDENTIALS_DIRECTORY/rabbitmq-password";
};
feedback.full_logs = lib.mkDefault true;
log_storage.path = lib.mkDefault "/var/log/ofborg";
runner = {
identity = config.networking.fqdn;
repos = lib.mkDefault [
"nixpkgs"
"ofborg"
];
disable_trusted_users = true;
};
checkout.root = lib.mkDefault "/var/lib/ofborg/checkouts";
nix = {
system = "x86_64-linux";
remote = "daemon";
build_timeout_seconds = 3600;
initial_heap_size = "4g";
};
pastebin = {
root = "$STATE_DIRECTORY/pastebins";
db = "$STATE_DIRECTORY/db.json";
};
statcheck = {
db = "$STATE_DIRECTORY/db.sqlite";
};
# We use Gerrit.
vcs = "Gerrit";
gerrit = {
instance_uri = "cl.forkos.org";
username = "ofborg-event-listener";
ssh_private_key_file = "$CREDENTIALS_DIRECTORY/gerrit-ssh-key";
ssh_port = 29418;
};
};
}
(mkIf cfg.rabbitmq.enable {
age.secrets.rabbitmq-password.file = ../../secrets/floral/rabbitmq-password.age;
services.nginx.enable = true;
config = lib.mkIf cfg.enable {
services.rabbitmq = {
enable = true;
configItems = {
"listeners.tcp" = "none";
"listeners.ssl.default" = builtins.toString amqpPort;
"ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
"ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
};
@ -118,34 +31,5 @@ in {
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
networking.firewall.allowedTCPPorts = [ amqpPort ];
})
(mkIf cfg.pastebin.enable {
systemd.services.ofborg-pastebin = mkOfborgWorker "pastebin-worker" { };
})
(mkIf cfg.statcheck-worker.enable {
systemd.services.ofborg-statcheck-worker = mkOfborgWorker "statcheck-worker" { };
})
(mkIf cfg.gerrit-event-streamer.enable {
age.secrets.gerrit-event-listener-ssh-key.file = ../../secrets/floral/gerrit-event-listener-ssh-key.age;
systemd.services.ofborg-gerrit-event-streamer = mkOfborgWorker "gerrit-event-streamer" {
path = [ pkgs.openssh ];
};
})
(mkIf cfg.gerrit-generic-vcs-filter.enable {
systemd.services.ofborg-gerrit-generic-vcs-filter = mkOfborgWorker "gerrit-generic-vcs-filter" { };
})
(mkIf cfg.mass-rebuilder.enable {
systemd.services.ofborg-mass-rebuilder = mkOfborgWorker "mass-rebuilder" { };
})
(mkIf cfg.builder.enable {
systemd.services.ofborg-builder = mkOfborgWorker "builder" { };
})
(mkIf cfg.stats.enable {
systemd.services.ofborg-stats = mkOfborgWorker "stats" { };
})
];
# systemd.services.ofborg-log-message-collector = {};
# systemd.services.ofborg-evaluation-filter = {};
# systemd.services.ofborg-vcs-comment-filter = {};
# systemd.services.ofborg-vcs-comment-poster = {};
}
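Review bot: Removing `pkgs` from the module arguments at L2065 leaves the options block at L2094-L2108 — which the hunk presents as shared context and which calls `mkPackageOption pkgs "ofborg" { }` and references `generators.type` — without `pkgs` or `generators` in scope, so the new side would fail at evaluation if those options are in fact retained; either keep `pkgs` in the signature or trim the options to what the remaining rabbitmq-only `config` actually reads. Separately, the TLS key handed to RabbitMQ at L2164 lives in the ACME certificate directory, which NixOS by default makes readable only by the certificate's owner and group; unless `security.acme.certs.${amqpHost}.group` (or the rabbitmq user's supplementary groups) is set elsewhere, the broker cannot read `key.pem` and the SSL listener will not come up. Neither the options block nor the ACME certificate declaration is fully visible in this hunk, so both points need confirming against the rest of the file.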


@ -1,21 +0,0 @@
# This is a data-only module for other modules consumption.
{ lib, ... }:
let
inherit (lib) mkOption types;
in
{
options.bagel.infra.self = {
wan = {
family = mkOption {
type = types.enum [ "inet" "inet6" ];
default = "inet6";
};
address = mkOption {
type = types.str;
};
prefixLength = mkOption {
type = types.int;
};
};
};
}


@ -1,72 +0,0 @@
{ config, lib, ... }:
let
cfg = config.bagel.services.vault;
inherit (lib) mkEnableOption mkOption mkIf concatStringsSep types;
mkPeerNode = fqdn: ''
retry_join {
leader_api_addr = "https://${fqdn}"
leader_tls_servername = "${fqdn}"
}
'';
wanAddress = if config.bagel.infra.self.wan.family == "inet6" then "[${config.bagel.infra.self.wan.address}]" else "${config.bagel.infra.self.wan.address}";
in
{
options.bagel.services.vault = {
enable = mkEnableOption "the OpenBao (Vault fork) service";
domain = mkOption {
type = types.str;
default = config.networking.fqdn;
defaultText = "config.networking.fqdn";
example = "vault.infra.forkos.org";
};
peers = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of FQDN that are peers of this service";
};
};
imports = [
./module.nix
];
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
# NGINX HTTP API access
80
443
# mTLS backed cluster port
8201
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."${cfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8200";
};
};
};
services.openbao = {
enable = true;
storageBackend = "raft";
listenerExtraConfig = ''
cluster_address = "${wanAddress}:8201"
'';
storageConfig = ''
node_id = "${config.networking.fqdn}"
# Other nodes of the cluster.
${concatStringsSep "\n" (map mkPeerNode cfg.peers)}
'';
extraConfig = ''
cluster_addr = "http://${config.networking.fqdn}:8201"
api_addr = "https://${config.networking.fqdn}"
'';
};
};
}


@ -1,237 +0,0 @@
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.services.openbao;
opt = options.services.openbao;
configFile = pkgs.writeText "openbao.hcl" ''
# vault in dev mode will refuse to start if its configuration sets listener
${lib.optionalString (!cfg.dev) ''
listener "tcp" {
address = "${cfg.address}"
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
tls_disable = "true"
'' else ''
tls_cert_file = "${cfg.tlsCertFile}"
tls_key_file = "${cfg.tlsKeyFile}"
''}
${cfg.listenerExtraConfig}
}
''}
storage "${cfg.storageBackend}" {
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
}
${optionalString (cfg.telemetryConfig != "") ''
telemetry {
${cfg.telemetryConfig}
}
''}
${cfg.extraConfig}
'';
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
configOptions = escapeShellArgs
(lib.optional cfg.dev "-dev" ++
lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
++ (concatMap (p: ["-config" p]) allConfigPaths));
in
{
options = {
services.openbao = {
enable = mkEnableOption "OpenBao daemon";
package = mkPackageOption pkgs "openbao" { };
dev = mkOption {
type = types.bool;
default = false;
description = ''
In this mode, the Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
'';
};
devRootTokenID = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Initial root token. This only applies when {option}`services.vault.dev` is true
'';
};
address = mkOption {
type = types.str;
default = "127.0.0.1:8200";
description = "The name of the ip interface to listen to";
};
tlsCertFile = mkOption {
type = types.nullOr types.str;
default = null;
example = "/path/to/your/cert.pem";
description = "TLS certificate file. TLS will be disabled unless this option is set";
};
tlsKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
example = "/path/to/your/key.pem";
description = "TLS private key file. TLS will be disabled unless this option is set";
};
listenerExtraConfig = mkOption {
type = types.lines;
default = ''
tls_min_version = "tls12"
'';
description = "Extra text appended to the listener section.";
};
storageBackend = mkOption {
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
default = "inmem";
description = "The name of the type of storage backend";
};
storagePath = mkOption {
type = types.nullOr types.path;
default = if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null;
defaultText = literalExpression ''
if config.${opt.storageBackend} == "file" || cfg.storageBackend == "raft"
then "/var/lib/vault"
else null
'';
description = "Data directory for file backend";
};
storageConfig = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
HCL configuration to insert in the storageBackend section.
Confidential values should not be specified here because this option's
value is written to the Nix store, which is publicly readable.
Provide credentials and such in a separate file using
[](#opt-services.vault.extraSettingsPaths).
'';
};
telemetryConfig = mkOption {
type = types.lines;
default = "";
description = "Telemetry configuration";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Extra text appended to {file}`vault.hcl`.";
};
extraSettingsPaths = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Configuration files to load besides the immutable one defined by the NixOS module.
This can be used to avoid putting credentials in the Nix store, which can be read by any user.
Each path can point to a JSON- or HCL-formatted file, or a directory
to be scanned for files with `.hcl` or
`.json` extensions.
To upload the confidential file with NixOps, use for example:
```
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
text = ${"''"}
storage "postgresql" {
connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
}
${"''"};
user = "vault";
};
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
services.vault.storageBackend = "postgresql";
users.users.vault.extraGroups = ["keys"];
```
'';
};
};
};
config = mkIf cfg.enable {
nixpkgs.overlays = [ (self: super: {
openbao = super.callPackage ./package.nix { };
}) ];
environment.systemPackages = [
pkgs.openbao
];
assertions = [
{
assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);
message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';
}
{
assertion = (
(cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) &&
(cfg.storagePath != null -> (cfg.storageBackend == "file" || cfg.storageBackend == "raft"))
);
message = ''You must set services.vault.storagePath only when using the "file" or "raft" backend'';
}
];
users.users.openbao = {
name = "openbao";
group = "openbao";
uid = config.ids.uids.vault;
description = "OpenBao daemon user";
};
users.groups.openbao.gid = config.ids.gids.vault;
systemd.tmpfiles.rules = optional (cfg.storagePath != null)
"d '${cfg.storagePath}' 0700 openbao openbao - -";
systemd.services.openbao = {
description = "OpenBao server daemon";
wantedBy = ["multi-user.target"];
after = [ "network.target" ]
++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
startLimitIntervalSec = 60;
startLimitBurst = 3;
serviceConfig = {
User = "openbao";
Group = "openbao";
ExecStart = "${lib.getExe cfg.package} server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
StateDirectory = "vault";
# In `dev` mode vault will put its token here
Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = "read-only";
AmbientCapabilities = "cap_ipc_lock";
NoNewPrivileges = true;
LimitCORE = 0;
KillSignal = "SIGINT";
TimeoutStopSec = "30s";
Restart = "on-failure";
};
unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
};
};
}


@ -1,51 +0,0 @@
{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
, makeWrapper
, gawk
, glibc
}:
buildGoModule rec {
pname = "openbao";
version = "2.1.0";
src = fetchFromGitHub {
owner = "openbao";
repo = "openbao";
rev = "v${version}";
hash = "sha256-QzUNb4T9uau9bWZX6ulUDyfdInGd86iClBAG72C+7mo=";
};
vendorHash = "sha256-ghy1gjo/bXoT+m8CGbWN4IXk4ywACR586UQf9F/azF8=";
subPackages = [ "." ];
nativeBuildInputs = [ installShellFiles makeWrapper ];
tags = [ "openbao" ];
ldflags = [
"-s" "-w"
"-X github.com/openbao/openbao/sdk/version.GitCommit=${src.rev}"
"-X github.com/openbao/openbao/sdk/version.Version=${version}"
"-X github.com/openbao/openbao/sdk/version.VersionPrerelease="
];
postInstall = ''
echo "complete -C $out/bin/openbao openbao" > openbao.bash
installShellCompletion openbao.bash
'' + lib.optionalString stdenv.isLinux ''
wrapProgram $out/bin/openbao \
--prefix PATH ${lib.makeBinPath [ gawk glibc ]}
'';
# passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
meta = with lib; {
homepage = "https://openbao.org/";
description = "Tool for managing secrets";
changelog = "https://github.com/openbao/openbao/blob/v${version}/CHANGELOG.md";
license = licenses.mpl20;
mainProgram = "openbao";
maintainers = with maintainers; [ raitobezarius ];
};
}


@ -101,11 +101,9 @@ in
# git.p.forkos.org is the proxy variant of the Forgejo server.
(record "git" 300 "CNAME" "git.p.forkos.org")
(record "netbox" 300 "CNAME" "meta01.infra.p.forkos.org")
# It's not a public service, so no IPv4 for it.
(record "amqp" 300 "CNAME" "bagel-box.infra.forkos.org")
(record "amqp" 300 "CNAME" "bagel-box.infra.p.forkos.org")
(record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
(record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
(record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
(record "loki" 300 "CNAME" "meta01.infra.p.forkos.org")
(record "mimir" 300 "CNAME" "meta01.infra.p.forkos.org")
(record "pyroscope" 300 "CNAME" "meta01.infra.p.forkos.org")
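Review bot: The surviving `amqp` record loses its only explanatory comment: of the two `amqp` CNAME lines exactly one is on the new side, and the `# It's not a public service, so no IPv4 for it.` line is removed either way, so nothing now says whether AMQP is meant to be reached through the `.p.` host (which the first context line describes as the proxy variant used for Forgejo) or only from inside the infrastructure. AMQP is a raw-TCP protocol rather than HTTP, so if the `.p.` name really is the proxy it is worth confirming that the proxy forwards that port before anything relies on the record, and if it is instead just a non-public, IPv6-only name a comment should say so. Suggest keeping a one-line rationale above whichever `amqp` line remains, e.g. `# internal only; not exposed through the public proxy and no IPv4` adjusted to the actual intent. The `vault` CNAME removal is consistent with the openbao package and module being dropped elsewhere in this comparison, but the record list continues outside this hunk, so check that no remaining record or consumer still expects `vault` to resolve.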