Compare commits
No commits in common. "main" and "ckie/moarr-v4" have entirely different histories.
main
...
ckie/moarr
194 changed files with 951 additions and 12199 deletions
11
.envrc
11
.envrc
|
@ -1,11 +1,2 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
# the shebang is ignored, but nice for editors
|
|
||||||
|
|
||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
if type -P lorri &>/dev/null; then
|
use flake
|
||||||
eval "$(lorri direnv --flake .)"
|
|
||||||
else
|
|
||||||
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
|
|
||||||
use flake
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -4,5 +4,3 @@ config.tf.json
|
||||||
.direnv
|
.direnv
|
||||||
.terraform
|
.terraform
|
||||||
.terraform.lock.hcl
|
.terraform.lock.hcl
|
||||||
secrets/*
|
|
||||||
!secrets/*.age
|
|
||||||
|
|
33
README.md
33
README.md
|
@ -1,32 +1 @@
|
||||||
# Infrastructure for the donut shaped thing that is absolutely not a donut.
|
Infrastructure for the donut shaped thing that is absolutely not a donut.
|
||||||
|
|
||||||
## Quick start
|
|
||||||
|
|
||||||
### Build the infrastructure
|
|
||||||
|
|
||||||
```
|
|
||||||
$ colmena build --on @localboot
|
|
||||||
```
|
|
||||||
|
|
||||||
Notice that `@localboot` is load-bearing as we have some machines that _cannot be_ deployed with vanilla Colmena. Fixing this is welcome.
|
|
||||||
|
|
||||||
### Recommended deploy process
|
|
||||||
|
|
||||||
```
|
|
||||||
$ colmena apply dry-activate $machine # Verify that the nvd log is reasonable.
|
|
||||||
$ colmena apply $machine
|
|
||||||
```
|
|
||||||
|
|
||||||
### Recommended upgrade process
|
|
||||||
|
|
||||||
```
|
|
||||||
$ nix flake update
|
|
||||||
$ colmena apply dry-activate --on @localboot # Verify that the nvd log is reasonable. Run it twice to get only NVD logs shown.
|
|
||||||
$ colmena apply --on @localboot
|
|
||||||
```
|
|
||||||
|
|
||||||
## Troubleshooting
|
|
||||||
|
|
||||||
### I failed to deploy `gerrit01`
|
|
||||||
|
|
||||||
Our Gerrit source build is known to have some hiccups sometimes, we are always interested in build logs, feel free to attach information in a new issue so we can make it more reliable.
|
|
||||||
|
|
|
@ -1,47 +1,13 @@
|
||||||
{ lib, ... }:
|
|
||||||
let
|
let
|
||||||
inherit (lib) genAttrs;
|
keys = import ./ssh-keys.nix;
|
||||||
in
|
in {
|
||||||
# Note: to add somefew in this list.
|
users.users.root.openssh.authorizedKeys.keys =
|
||||||
# Ensure their SSH key is already in common/ssh-keys.nix with
|
keys.users.delroth ++
|
||||||
# the same username for here, so that the keys is automatically added.
|
keys.users.k900 ++
|
||||||
{
|
keys.users.raito ++
|
||||||
bagel.groups = {
|
keys.users.maxine ++
|
||||||
floral-infra.members = [
|
keys.users.jade ++
|
||||||
"delroth"
|
keys.users.janik ++
|
||||||
"emilylange"
|
keys.users.lukegb ++
|
||||||
"hexchen"
|
keys.users.yuka;
|
||||||
"jade"
|
|
||||||
"janik"
|
|
||||||
"k900"
|
|
||||||
"maxine"
|
|
||||||
"raito"
|
|
||||||
"thubrecht"
|
|
||||||
"winter"
|
|
||||||
"yuka"
|
|
||||||
"ckie"
|
|
||||||
];
|
|
||||||
|
|
||||||
lix-infra.members = [
|
|
||||||
"raito"
|
|
||||||
"hexchen"
|
|
||||||
"jade"
|
|
||||||
"pennae"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
bagel.users = genAttrs [
|
|
||||||
"delroth"
|
|
||||||
"emilylange"
|
|
||||||
"hexchen"
|
|
||||||
"jade"
|
|
||||||
"janik"
|
|
||||||
"k900"
|
|
||||||
"maxine"
|
|
||||||
"raito"
|
|
||||||
"thubrecht"
|
|
||||||
"winter"
|
|
||||||
"yuka"
|
|
||||||
"ckie"
|
|
||||||
"pennae"
|
|
||||||
] (name: {});
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,13 +1,7 @@
|
||||||
{ lib, pkgs, ... }: {
|
{ lib, pkgs, ... }: {
|
||||||
imports = [
|
|
||||||
./known-ssh-keys.nix
|
|
||||||
./cgroups.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
nixpkgs.overlays = import ../overlays;
|
nixpkgs.overlays = import ../overlays;
|
||||||
|
|
||||||
nix.package = lib.mkDefault pkgs.lix;
|
nix.package = lib.mkDefault pkgs.lix;
|
||||||
system.tools.nixos-option.enable = false;
|
|
||||||
services.openssh.enable = lib.mkForce true;
|
services.openssh.enable = lib.mkForce true;
|
||||||
|
|
||||||
networking.nftables.enable = true;
|
networking.nftables.enable = true;
|
||||||
|
@ -31,8 +25,8 @@
|
||||||
nix.gc = {
|
nix.gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
persistent = true;
|
persistent = true;
|
||||||
dates = lib.mkDefault "daily";
|
dates = "daily";
|
||||||
options = lib.mkDefault "--delete-older-than 30d";
|
options = "--delete-older-than 30d";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.journald.extraConfig = "SystemMaxUse=512M";
|
services.journald.extraConfig = "SystemMaxUse=512M";
|
||||||
|
@ -57,19 +51,4 @@
|
||||||
"en_US.UTF-8/UTF-8"
|
"en_US.UTF-8/UTF-8"
|
||||||
"fr_FR.UTF-8/UTF-8"
|
"fr_FR.UTF-8/UTF-8"
|
||||||
];
|
];
|
||||||
|
|
||||||
time.timeZone = "UTC";
|
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
security.acme.defaults.email = "infra@forkos.org";
|
|
||||||
|
|
||||||
# Enable system diffs.
|
|
||||||
system.activationScripts.system-diff = {
|
|
||||||
supportsDryActivation = true; # safe: only outputs to stdout
|
|
||||||
text = ''
|
|
||||||
if [ -e /run/current-system ]; then
|
|
||||||
PATH=$PATH:${pkgs.nix}/bin ${pkgs.nvd}/bin/nvd diff /run/current-system $systemConfig
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,83 +0,0 @@
|
||||||
# Relatively inspired by fbtax2:
|
|
||||||
# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
|
|
||||||
#
|
|
||||||
# See also the Chris Down talk at LISA'21:
|
|
||||||
# https://www.usenix.org/conference/lisa21/presentation/down
|
|
||||||
{ ... }:
|
|
||||||
let
|
|
||||||
systemCriticalSliceConfig = {
|
|
||||||
ManagedOOMMemoryPressure = "kill";
|
|
||||||
|
|
||||||
# guarantee availability of memory
|
|
||||||
MemoryMin = "192M";
|
|
||||||
# default 100
|
|
||||||
IOWeight = 1000;
|
|
||||||
# default 100
|
|
||||||
CPUWeight = 1000;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
systemd.oomd = {
|
|
||||||
enable = true;
|
|
||||||
# why not, we have cgroups at user level now so it'll just kill the
|
|
||||||
# terminal
|
|
||||||
enableRootSlice = true;
|
|
||||||
enableSystemSlice = true;
|
|
||||||
enableUserSlices = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.enableCgroupAccounting = true;
|
|
||||||
|
|
||||||
systemd.services.nix-daemon = {
|
|
||||||
serviceConfig = {
|
|
||||||
# FIXME: how do i deprioritize this for memory
|
|
||||||
CPUWeight = 10;
|
|
||||||
IOWeight = 10;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.slices.hostcritical = {
|
|
||||||
description = "Ensures that services to keep the system alive remain alive";
|
|
||||||
|
|
||||||
unitConfig = {
|
|
||||||
# required to avoid a dependency cycle on systemd-oomd. systemd will
|
|
||||||
# actually guess this right but we should fix it anyway.
|
|
||||||
DefaultDependencies = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
sliceConfig = systemCriticalSliceConfig;
|
|
||||||
};
|
|
||||||
|
|
||||||
# make root logins higher priority for resources
|
|
||||||
systemd.slices."user-0" = {
|
|
||||||
sliceConfig = systemCriticalSliceConfig;
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
systemd.slices.system = {
|
|
||||||
sliceConfig = {
|
|
||||||
ManagedOOMMemoryPressure = "kill";
|
|
||||||
ManagedOOMMemoryPressureLimit = "50%";
|
|
||||||
|
|
||||||
IOWeight = 100;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.sshd = {
|
|
||||||
serviceConfig = {
|
|
||||||
Slice = "hostcritical.slice";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.systemd-oomd = {
|
|
||||||
serviceConfig = {
|
|
||||||
Slice = "hostcritical.slice";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.systemd-journald = {
|
|
||||||
serviceConfig = {
|
|
||||||
Slice = "hostcritical.slice";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,32 +0,0 @@
|
||||||
# Taken from https://github.com/NixOS/infra/blob/master/channels.nix
|
|
||||||
{
|
|
||||||
# "Channel name" = {
|
|
||||||
# # This should be the <value> part of
|
|
||||||
# # https://hydra.forkos.org/job/<value>/latest-finished
|
|
||||||
# job = "project/jobset/jobname";
|
|
||||||
#
|
|
||||||
# # When adding a new version, determine if it needs to be tagged as a
|
|
||||||
# # variant -- for example:
|
|
||||||
# # nixos-xx.xx => primary
|
|
||||||
# # nixos-xx.xx-small => small
|
|
||||||
# # nixos-xx.xx-darwin => darwin
|
|
||||||
# # nixos-xx.xx-aarch64 => aarch64
|
|
||||||
# variant = "primary";
|
|
||||||
#
|
|
||||||
# # Channel Status:
|
|
||||||
# # '*-unstable' channels are always "rolling"
|
|
||||||
# # Otherwise a release generally progresses through the following phases:
|
|
||||||
# #
|
|
||||||
# # - Directly after branch off => "beta"
|
|
||||||
# # - Once the channel is released => "stable"
|
|
||||||
# # - Once the next channel is released => "deprecated"
|
|
||||||
# # - N months after the next channel is released => "unmaintained"
|
|
||||||
# # (check the release notes for when this should happen)
|
|
||||||
# status = "beta";
|
|
||||||
# };
|
|
||||||
"forkos-unstable" = {
|
|
||||||
job = "forkos/nixos-main/tested";
|
|
||||||
variant = "primary";
|
|
||||||
status = "rolling";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,15 +1,11 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./admins.nix
|
./admins.nix
|
||||||
./server-acl.nix
|
|
||||||
./base-server.nix
|
./base-server.nix
|
||||||
./hardening.nix
|
./hardening.nix
|
||||||
./nix.nix
|
./nix.nix
|
||||||
./raito-proxy-aware-nginx.nix
|
./raito-proxy-aware-nginx.nix
|
||||||
|
./raito-vm.nix
|
||||||
./sysadmin
|
./sysadmin
|
||||||
./hardware
|
|
||||||
./zsh.nix
|
|
||||||
./secrets.nix
|
|
||||||
./pki.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
{ ... }: {
|
|
||||||
imports = [
|
|
||||||
./raito-vm.nix
|
|
||||||
./oracle-vm.nix
|
|
||||||
./hetzner.nix
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,76 +0,0 @@
|
||||||
|
|
||||||
{ lib, config, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.bagel.hardware.hetzner;
|
|
||||||
inherit (lib) mkEnableOption mkIf mkOption types;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.bagel.hardware.hetzner = {
|
|
||||||
enable = mkEnableOption "Hetzner's hardware defaults";
|
|
||||||
|
|
||||||
platformType = mkOption {
|
|
||||||
# Only VMs are supported.
|
|
||||||
type = types.enum [ "virtual-machine" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
system = mkOption {
|
|
||||||
# Only the aarch64-linux VM Hetzner is supported.
|
|
||||||
type = types.enum [ "aarch64-linux" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wan = {
|
|
||||||
mac = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "MAC address of the WAN interface in the Hetzner machine";
|
|
||||||
};
|
|
||||||
address = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
description = "List of static addresses attached to the WAN interface";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
# A bunch of stuff is virtio.
|
|
||||||
boot.initrd.availableKernelModules = [
|
|
||||||
"xhci_pci"
|
|
||||||
"usbhid"
|
|
||||||
"sr_mod"
|
|
||||||
"virtio_gpu"
|
|
||||||
"virtio_scsi"
|
|
||||||
"virtio_rng"
|
|
||||||
"virtio_pci"
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
networking.useDHCP = lib.mkDefault false;
|
|
||||||
|
|
||||||
# Stolen from the netplan provided by aarch64 Ubuntu images.
|
|
||||||
systemd.network.enable = true;
|
|
||||||
systemd.network.links."10-wan" = {
|
|
||||||
linkConfig.Name = "wan";
|
|
||||||
matchConfig.MACAddress = cfg.networking.mac;
|
|
||||||
};
|
|
||||||
systemd.network.networks."10-wan" = {
|
|
||||||
matchConfig.Name = "wan";
|
|
||||||
networkingConfig.Address = cfg.networking.address;
|
|
||||||
linkConfig.RequiredForOnline = true;
|
|
||||||
DHCP = "ipv4";
|
|
||||||
routes = [
|
|
||||||
{
|
|
||||||
routeConfig = {
|
|
||||||
Destination = "::/0";
|
|
||||||
GatewayOnLink = true;
|
|
||||||
Gateway = "fe80::1";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
dhcpV4Config = {
|
|
||||||
RouteMetric = 100;
|
|
||||||
UseMTU = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,52 +0,0 @@
|
||||||
|
|
||||||
{ lib, config, modulesPath, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.bagel.hardware.oracle-vm;
|
|
||||||
inherit (lib) mkEnableOption mkIf mkOption types;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.bagel.hardware.oracle-vm = {
|
|
||||||
enable = mkEnableOption "Oracle's VM hardware defaults";
|
|
||||||
|
|
||||||
system = mkOption {
|
|
||||||
# Only the free Oracle VMs are supported.
|
|
||||||
type = types.enum [ "aarch64-linux" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Imports a bunch of virtio modules.
|
|
||||||
imports = [
|
|
||||||
"${modulesPath}/profiles/qemu-guest.nix"
|
|
||||||
];
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
boot.initrd.systemd.enable = true;
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [
|
|
||||||
"xhci_pci" "virtio_pci" "usbhid" "sr_mod"
|
|
||||||
];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = cfg.system;
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault false;
|
|
||||||
# Examples:
|
|
||||||
# 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
|
|
||||||
# link/ether 02:00:17:00:91:6e brd ff:ff:ff:ff:ff:ff
|
|
||||||
# inet 10.0.0.94/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s3
|
|
||||||
# valid_lft 44162sec preferred_lft 33362sec
|
|
||||||
# inet6 fe80::17ff:fe00:916e/64 scope link
|
|
||||||
# valid_lft forever preferred_lft forever
|
|
||||||
# [root@build02-aarch64-lahfa:~]# ip r
|
|
||||||
# default via 10.0.0.1 dev enp0s3 proto dhcp src 10.0.0.94 metric 1002 mtu 9000
|
|
||||||
networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
programs.ssh.knownHosts = {
|
|
||||||
"[cl.forkos.org]:29418".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM82mJ259C8Nc+BHHNBeRWXWhL3dfirQhmFbDAwHMle3";
|
|
||||||
"[gerrit.lix.systems]:2022".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICC/S6Z56uhv7zBMutkV0nU8eDuRcl3trykGWBch4L/l";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
# Use our cache and trust its signing key. Still use cache.nixos.org as
|
# Use our cache and trust its signing key. Still use cache.nixos.org as
|
||||||
# fallback.
|
# fallback.
|
||||||
nix.settings.substituters = [ "https://cache.forkos.org/" ];
|
nix.settings.substituters = [ "https://bagel-cache.s3-web.delroth.net/" ];
|
||||||
nix.settings.trusted-public-keys = [
|
nix.settings.trusted-public-keys = [
|
||||||
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
|
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,27 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.bagel.pki;
|
|
||||||
inherit (lib) mkOption types;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.bagel.pki = {
|
|
||||||
rootPath = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "floral_systems/v1/infra/v1";
|
|
||||||
example = "floral_systems/v2/infra/v1";
|
|
||||||
description = "Root mountpoint for PKI issuing in the Vault cluster";
|
|
||||||
};
|
|
||||||
cacertFile = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
# Trust our infrastructure CA chain certificate.
|
|
||||||
default = ../pki/cacerts/infra.crt;
|
|
||||||
description = "CA certificate file to put in our trust store";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
|
||||||
security.pki.certificateFiles = [
|
|
||||||
cfg.cacertFile
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,10 +1,9 @@
|
||||||
# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
|
# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
let
|
||||||
inherit (lib) mkEnableOption mkIf concatStringsSep;
|
inherit (lib) mkEnableOption mkIf;
|
||||||
cfg = config.bagel.raito.v6-proxy-awareness;
|
cfg = config.bagel.raito.v6-proxy-awareness;
|
||||||
# outside of raito infra inside of raito infra
|
allowedUpstream = "2001:bc8:38ee:99::1/128";
|
||||||
allowedUpstreams = [ "2001:bc8:38ee::1/128" "2001:bc8:38ee:99::1/128" ];
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
|
options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
|
||||||
|
@ -21,8 +20,8 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
appendHttpConfig = ''
|
appendHttpConfig = ''
|
||||||
# Kurisu nodes
|
# Kurisu node
|
||||||
${concatStringsSep "\n" (map (up: "set_real_ip_from ${up};") allowedUpstreams)}
|
set_real_ip_from ${allowedUpstream};
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -30,7 +29,7 @@ in
|
||||||
# Move to nftables if firewall is enabled.
|
# Move to nftables if firewall is enabled.
|
||||||
networking.nftables.enable = true;
|
networking.nftables.enable = true;
|
||||||
networking.firewall.extraInputRules = ''
|
networking.firewall.extraInputRules = ''
|
||||||
${concatStringsSep "\n" (map (up: "ip6 saddr ${up} tcp dport 444 accept") allowedUpstreams)}
|
ip6 saddr ${allowedUpstream} tcp dport 444 accept
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ lib, config, ... }:
|
{ lib, config, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.bagel.hardware.raito-vm;
|
cfg = config.bagel.hardware.raito-vm;
|
||||||
inherit (lib) mkEnableOption mkIf mkOption types split toIntBase10;
|
inherit (lib) mkEnableOption mkIf mkOption types;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.bagel.hardware.raito-vm = {
|
options.bagel.hardware.raito-vm = {
|
||||||
|
@ -30,6 +30,8 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.qemuGuest.enable = true;
|
services.qemuGuest.enable = true;
|
||||||
systemd.network.enable = true;
|
systemd.network.enable = true;
|
||||||
|
security.acme.defaults.email = "bagel-acme@lahfa.xyz";
|
||||||
|
security.acme.acceptTerms = true;
|
||||||
networking.useDHCP = lib.mkDefault false;
|
networking.useDHCP = lib.mkDefault false;
|
||||||
|
|
||||||
systemd.network.networks."10-nat-lan" = {
|
systemd.network.networks."10-nat-lan" = {
|
||||||
|
@ -54,17 +56,6 @@ in
|
||||||
linkConfig.Name = "wan";
|
linkConfig.Name = "wan";
|
||||||
};
|
};
|
||||||
|
|
||||||
bagel.infra.self.wan =
|
|
||||||
let
|
|
||||||
parts = split "/" cfg.networking.wan.address;
|
|
||||||
address = builtins.elemAt parts 0;
|
|
||||||
prefixLength = toIntBase10 (builtins.elemAt 1 parts);
|
|
||||||
in
|
|
||||||
{
|
|
||||||
family = "inet6";
|
|
||||||
inherit address prefixLength;
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
boot.initrd.kernelModules = [
|
boot.initrd.kernelModules = [
|
|
@ -1,22 +0,0 @@
|
||||||
## This is a simple secret abstraction with multi-tenancy awareness.
|
|
||||||
{ config, lib, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.bagel.secrets;
|
|
||||||
inherit (lib) mkOption types genAttrs;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.bagel.secrets = {
|
|
||||||
tenant = mkOption {
|
|
||||||
type = types.enum [ "lix" "floral" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
files = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config.age.secrets = genAttrs cfg.files (secretFile: {
|
|
||||||
file = ../secrets/${cfg.tenant}/${secretFile}.age;
|
|
||||||
});
|
|
||||||
}
|
|
|
@ -1,69 +0,0 @@
|
||||||
{ lib, config, ... }:
|
|
||||||
let
|
|
||||||
keys = import ./ssh-keys.nix;
|
|
||||||
inherit (lib) mkOption types length concatMap listToAttrs catAttrs attrValues;
|
|
||||||
cfgAdmins = config.bagel.admins;
|
|
||||||
cfgGroups = config.bagel.groups;
|
|
||||||
cfgUsers = config.bagel.users;
|
|
||||||
|
|
||||||
userOpts = { name, ... }: {
|
|
||||||
options = {
|
|
||||||
sshKeys = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
description = "List of SSH keys associated to this user, defaults to `ssh-keys.nix` entries.";
|
|
||||||
default = keys.users.${name} or [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
groupOpts = { name, ... }: {
|
|
||||||
options = {
|
|
||||||
members = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
description = "List of users member of this group";
|
|
||||||
example = [ "raito" ];
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# There might be duplicate in that list. We will turn it into an attribute set.
|
|
||||||
allowedMembers = listToAttrs (
|
|
||||||
map (member: {
|
|
||||||
name = member;
|
|
||||||
value = cfgUsers.${member};
|
|
||||||
}) (concatMap (allowedGroup: cfgGroups.${allowedGroup}.members) cfgAdmins.allowedGroups));
|
|
||||||
|
|
||||||
rootKeys = concatMap ({ sshKeys, ... }: sshKeys) (attrValues allowedMembers);
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.bagel.users = mkOption {
|
|
||||||
type = types.attrsOf (types.submodule userOpts);
|
|
||||||
description = "User configuration for server ACLs";
|
|
||||||
};
|
|
||||||
|
|
||||||
options.bagel.groups = mkOption {
|
|
||||||
type = types.attrsOf (types.submodule groupOpts);
|
|
||||||
description = "Group configuration for server ACLs";
|
|
||||||
};
|
|
||||||
|
|
||||||
options.bagel.admins = {
|
|
||||||
allowedGroups = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ "catch-all" ];
|
|
||||||
description = "List of groups which are allowed to admin this machine.";
|
|
||||||
example = [ "lix" "build-infra" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
|
||||||
assertions = [
|
|
||||||
{ assertion = length config.users.users.root.openssh.authorizedKeys.keys > 0;
|
|
||||||
# TODO: you can add printing of `concatStringsSep ", " cfg.allowedGroups` to diagnose
|
|
||||||
# which are the allowed groups and existing admins.
|
|
||||||
message = "root@${config.networking.fqdnOrHostName} has no SSH key attached, this machine will lose its access if you deploy it successfully! Set a valid `bagel.admins.allowedGroups` or ensure you have at least one administrator of the relevant group registered";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = rootKeys;
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,47 +1,34 @@
|
||||||
{
|
{
|
||||||
machines = {
|
machines = {
|
||||||
# Floral
|
|
||||||
bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsO4bNqY04uG13Pg3ubHfRDssTphDLzZ4YUniE5/p+M";
|
bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsO4bNqY04uG13Pg3ubHfRDssTphDLzZ4YUniE5/p+M";
|
||||||
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
|
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
|
||||||
public01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBy8G8rfLA6E9i+t5kjVafxU1c2NXATXKxoXTH4Kgtm";
|
|
||||||
gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A";
|
gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A";
|
||||||
fodwatch = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRyTNfvKl5FcSyzGzw+h+bNFNOxdhvI67WdUZ2iIJ1L";
|
fodwatch = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRyTNfvKl5FcSyzGzw+h+bNFNOxdhvI67WdUZ2iIJ1L";
|
||||||
buildbot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgIu6ouagYqBeMLfmn1CbaDJMuZcPH9bnUhkht8GfuB";
|
builder-0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHSNcDGctvlG6BHcJuYIzW9WsBJsts2vpwSketsbXoL";
|
||||||
git = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQJcpkCUOx8+5oukMX6lxrYcIX8FyHu8Mc/3+ieKMUn";
|
builder-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQOGUjERK7Mx8UPM/rbOdMqVyn1sbWqYOG6CbOzH2wm";
|
||||||
bm-0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHSNcDGctvlG6BHcJuYIzW9WsBJsts2vpwSketsbXoL";
|
builder-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKzXIqCoYElEKIYgjbSpqEcDeOvV+Wo3Agq3jba83cB";
|
||||||
bm-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQOGUjERK7Mx8UPM/rbOdMqVyn1sbWqYOG6CbOzH2wm";
|
builder-3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq0A5233XGt34T097KaEKBUqFvaa7a6nYZRsSO0166l";
|
||||||
bm-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKzXIqCoYElEKIYgjbSpqEcDeOvV+Wo3Agq3jba83cB";
|
builder-4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9dVo2xZhgIMDgB1rUj5ApmppL39BtYu/+OFHeduvXr";
|
||||||
bm-3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq0A5233XGt34T097KaEKBUqFvaa7a6nYZRsSO0166l";
|
builder-5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7vZTBxrVHmHpv7slQ8A8XwjjbfN+ZJA0V5C3k0wNBD";
|
||||||
bm-4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9dVo2xZhgIMDgB1rUj5ApmppL39BtYu/+OFHeduvXr";
|
builder-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOt1qR/2BRtc6PABuSBulowwJVO6wBNDyEFzh0qsTeOF";
|
||||||
bm-5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7vZTBxrVHmHpv7slQ8A8XwjjbfN+ZJA0V5C3k0wNBD";
|
builder-7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFinAAw1v8TJB8/wcmTVBbHHc4LCYh6z4TO6ViwUPkoh";
|
||||||
bm-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOt1qR/2BRtc6PABuSBulowwJVO6wBNDyEFzh0qsTeOF";
|
builder-8 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGSWHNeqT0kF/e4yVy2ieW98X5QMyCYIYZh9WTmQDs1";
|
||||||
bm-7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFinAAw1v8TJB8/wcmTVBbHHc4LCYh6z4TO6ViwUPkoh";
|
builder-9 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhws9zGgocVY36dMtOL+CXadpvRMffxoWMkfEcTBJm7";
|
||||||
bm-8 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGSWHNeqT0kF/e4yVy2ieW98X5QMyCYIYZh9WTmQDs1";
|
builder-10 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7sgIuTSqZiZhp8TvObSbIEhcHHsL5hcmYA22uzwxth";
|
||||||
bm-9 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhws9zGgocVY36dMtOL+CXadpvRMffxoWMkfEcTBJm7";
|
builder-11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAqFo1qJY7MSUkfB+zxXB8Lpt/Iqz/RR5A+zwhpRWhr";
|
||||||
bm-10 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7sgIuTSqZiZhp8TvObSbIEhcHHsL5hcmYA22uzwxth";
|
|
||||||
# bm-11 actually?
|
|
||||||
build-coord = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpAEJP7F+XtJBpQP1jTzwXwQgJrFxwEJjPf/rnCXkJA";
|
|
||||||
wob-vpn-gw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVytPPW8XnXf/rD5TFzsw//CZc2lBjQLmDzlVGPZsjh";
|
wob-vpn-gw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVytPPW8XnXf/rD5TFzsw//CZc2lBjQLmDzlVGPZsjh";
|
||||||
|
|
||||||
# Lix
|
|
||||||
build01-aarch64-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICC69NZD/zhIB/wUb5odg46bss5g8hH2fDl22bk4qeSW";
|
|
||||||
build02-aarch64-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdJE375pe58RJbhKwXRp3D//+SJ3ssiVZrLsM9CLHn0";
|
|
||||||
build01-aarch64-darwin-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVf1uO0lv5UBti/naW/+amqLxvWZg+StXk9aM+lJ7e4";
|
|
||||||
|
|
||||||
buildbot-lix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoVSh35UqNQZ6ZZ1c6CzqERC40ovQ/KDXz8pC7nNlkR";
|
|
||||||
|
|
||||||
# Raito infrastructure
|
|
||||||
epyc-newtype-fr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOXT9Init1MhKt4rjBANLq0t0bPww/WQZ96uB4AEDrml";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
||||||
emilylange = [ "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIL7jgq3i+N3gVJhs4shm7Kmw6dIocs2OuR0GBMG1RxfKAAAABHNzaDo=" ];
|
raito = [
|
||||||
hexchen = [
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF hexchen@backup"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/ hexchen@yubi5"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3 hexchen@yubi5c"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||||
];
|
];
|
||||||
|
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
|
||||||
|
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
|
||||||
jade = [
|
jade = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa"
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKYljH8iPMrH00lOb3ETxRrZimdKzPPEdsJQ5D5ovtOwAAAACnNzaDpzc2hrZXk= ssh:sshkey"
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKYljH8iPMrH00lOb3ETxRrZimdKzPPEdsJQ5D5ovtOwAAAACnNzaDpzc2hrZXk= ssh:sshkey"
|
||||||
|
@ -52,22 +39,7 @@
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOYg513QZsVzoyVycXZjg4F3T3+OwtcY3WAhrlfyLgLTAAAABHNzaDo="
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOYg513QZsVzoyVycXZjg4F3T3+OwtcY3WAhrlfyLgLTAAAABHNzaDo="
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLZxVITpJ8xbiCa/u2gjSSIupeiqOnRh+8tFIoVhCON"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLZxVITpJ8xbiCa/u2gjSSIupeiqOnRh+8tFIoVhCON"
|
||||||
];
|
];
|
||||||
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
|
|
||||||
lukegb = [ ''cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR'' ];
|
lukegb = [ ''cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR'' ];
|
||||||
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
|
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKath4/fDnlv/4fzxkPrQN1ttmoPRNu/m9bEtdPJBDfY cardno:16_933_242" ];
|
||||||
raito = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
|
||||||
];
|
|
||||||
thubrecht = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" ];
|
|
||||||
yuka = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzUmOJuuAYn/3ODyw3WKjz7SnKjMq4iHE+mEpwVVmw yureka" ];
|
|
||||||
winter = [ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" ];
|
|
||||||
ckie = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3uTwzSSMAPg84fwbNp2cq9+BdLFeA1VzDGth4zCAbz https://mei.puppycat.house" ];
|
|
||||||
pennae = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wf5/IbyFpdziWfwxkQqxOf3r1L9pYn6xQBEKFwmMY"
|
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo="
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,11 +13,7 @@ in
|
||||||
tmux
|
tmux
|
||||||
rsync
|
rsync
|
||||||
fd
|
fd
|
||||||
eza
|
|
||||||
grc
|
|
||||||
ripgrep
|
ripgrep
|
||||||
delta
|
|
||||||
tshark
|
|
||||||
pv
|
pv
|
||||||
kitty.terminfo
|
kitty.terminfo
|
||||||
config.boot.kernelPackages.perf
|
config.boot.kernelPackages.perf
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
{ lib, pkgs, config, ... }: {
|
|
||||||
programs.zsh = {
|
|
||||||
enable = true;
|
|
||||||
enableCompletion = true;
|
|
||||||
autosuggestions.enable = true;
|
|
||||||
interactiveShellInit = ''
|
|
||||||
${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin
|
|
||||||
'';
|
|
||||||
promptInit = ''
|
|
||||||
# https://grml.org/zsh/grml-zsh-refcard.pdf
|
|
||||||
source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
|
|
||||||
PS1='%n@${config.networking.fqdn} %/ \$ '
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,43 +0,0 @@
|
||||||
{ gerrit-dashboard, stdenv, symlinkJoin, jsonnet, fetchFromGitHub, lib, ... }:
|
|
||||||
let
|
|
||||||
inherit (lib) concatMapStringsSep;
|
|
||||||
datasource-id = "mimir";
|
|
||||||
in
|
|
||||||
rec {
|
|
||||||
grafonnet = fetchFromGitHub {
|
|
||||||
owner = "grafana";
|
|
||||||
repo = "grafonnet-lib";
|
|
||||||
# TODO: figure out how to read the jsonnet lockfile
|
|
||||||
# and propagate this a bit cleverly.
|
|
||||||
rev = "a1d61cce1da59c71409b99b5c7568511fec661ea";
|
|
||||||
hash = "sha256-fs5JZJbcL6sQXBjYhp5eeRtjTFw0J1O/BcwBC8Vm9EM=";
|
|
||||||
};
|
|
||||||
buildJsonnetDashboards = dashboardSrc: targets: stdenv.mkDerivation {
|
|
||||||
name = "jsonnet-grafana-dashboards";
|
|
||||||
src = dashboardSrc;
|
|
||||||
buildInputs = [ jsonnet ];
|
|
||||||
buildPhase = ''
|
|
||||||
runHook preBuild
|
|
||||||
mkdir -p $out
|
|
||||||
${concatMapStringsSep "\n" (target: "jsonnet -J ${grafonnet} --ext-str datasource=${datasource-id} --ext-code publish=true $src/${target} > $out/${baseNameOf target}.json") targets}
|
|
||||||
runHook postBuild
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
allDashboards = symlinkJoin {
|
|
||||||
name = "all-jsonnet-dashboards";
|
|
||||||
paths = [
|
|
||||||
(buildJsonnetDashboards gerrit-dashboard [
|
|
||||||
"dashboards/gerrit/caches/gerrit-caches.jsonnet"
|
|
||||||
"dashboards/gerrit/fetch-clone/gerrit-fetch-clone.jsonnet"
|
|
||||||
"dashboards/gerrit/fetch-clone/gerrit-phases.jsonnet"
|
|
||||||
"dashboards/gerrit/healthcheck/gerrit-healthcheck.jsonnet"
|
|
||||||
"dashboards/gerrit/latency/gerrit-push-latency.jsonnet"
|
|
||||||
"dashboards/gerrit/latency/gerrit-ui-actions-latency.jsonnet"
|
|
||||||
"dashboards/gerrit/overview/gerrit-overview.jsonnet"
|
|
||||||
"dashboards/gerrit/process/gerrit-process.jsonnet"
|
|
||||||
"dashboards/gerrit/queues/gerrit-queues.jsonnet"
|
|
||||||
])
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
13
default.nix
13
default.nix
|
@ -1,13 +0,0 @@
|
||||||
(import
|
|
||||||
(
|
|
||||||
let
|
|
||||||
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
|
|
||||||
inherit (lock.nodes.flake-compat.locked) narHash rev url;
|
|
||||||
in
|
|
||||||
builtins.fetchTarball {
|
|
||||||
url = "${url}/archive/${rev}.tar.gz";
|
|
||||||
sha256 = narHash;
|
|
||||||
}
|
|
||||||
)
|
|
||||||
{ src = ./.; }
|
|
||||||
).defaultNix
|
|
742
flake.lock
742
flake.lock
|
@ -10,11 +10,11 @@
|
||||||
"systems": "systems"
|
"systems": "systems"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723293904,
|
"lastModified": 1720546205,
|
||||||
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
|
"narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
|
||||||
"owner": "ryantm",
|
"owner": "ryantm",
|
||||||
"repo": "agenix",
|
"repo": "agenix",
|
||||||
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
|
"rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -23,40 +23,14 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"attic": {
|
|
||||||
"inputs": {
|
|
||||||
"crane": "crane",
|
|
||||||
"flake-compat": [
|
|
||||||
"flake-compat"
|
|
||||||
],
|
|
||||||
"flake-parts": "flake-parts_2",
|
|
||||||
"nix-github-actions": "nix-github-actions_2",
|
|
||||||
"nixpkgs": "nixpkgs",
|
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731270564,
|
|
||||||
"narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
|
|
||||||
"owner": "zhaofengli",
|
|
||||||
"repo": "attic",
|
|
||||||
"rev": "47752427561f1c34debb16728a210d378f0ece36",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "zhaofengli",
|
|
||||||
"ref": "main",
|
|
||||||
"repo": "attic",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"bats-assert": {
|
"bats-assert": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1692829535,
|
"lastModified": 1636059754,
|
||||||
"narHash": "sha256-oDqhUQ6Xg7a3xx537SWLGRzqP3oKKeyY4UYGCdz9z/Y=",
|
"narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
|
||||||
"owner": "bats-core",
|
"owner": "bats-core",
|
||||||
"repo": "bats-assert",
|
"repo": "bats-assert",
|
||||||
"rev": "e2d855bc78619ee15b0c702b5c30fb074101159f",
|
"rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -68,11 +42,11 @@
|
||||||
"bats-support": {
|
"bats-support": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1693050811,
|
"lastModified": 1548869839,
|
||||||
"narHash": "sha256-PxJaH16+QrsfZqtkWVt5K6TwJB5gjIXnbGo+MB84WIU=",
|
"narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
|
||||||
"owner": "bats-core",
|
"owner": "bats-core",
|
||||||
"repo": "bats-support",
|
"repo": "bats-support",
|
||||||
"rev": "9bf10e876dd6b624fe44423f0b35e064225f7556",
|
"rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -81,67 +55,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"buildbot-nix": {
|
|
||||||
"inputs": {
|
|
||||||
"flake-parts": "flake-parts",
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"treefmt-nix": "treefmt-nix"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1730064416,
|
|
||||||
"narHash": "sha256-Opbtu9hKijGkEx+GYbSu3MJms3lFxZmAGTFyckguWMM=",
|
|
||||||
"ref": "refs/heads/forkos",
|
|
||||||
"rev": "79137b14f3cb376204f739f44b05aebfc288ca89",
|
|
||||||
"revCount": 310,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"ref": "refs/heads/forkos",
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"channel-scripts": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1734197525,
|
|
||||||
"narHash": "sha256-rb/+iJBNsfXnz+PJSdlsCViodtEHrgfz/Fixq2NXUFI=",
|
|
||||||
"ref": "refs/heads/main",
|
|
||||||
"rev": "6e4ae567a3f872bdb90a62d588bb5cc4b3596258",
|
|
||||||
"revCount": 265,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/channel-scripts.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/channel-scripts.git"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"colmena": {
|
"colmena": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": [
|
"flake-compat": "flake-compat",
|
||||||
"flake-compat"
|
|
||||||
],
|
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
"nix-github-actions": "nix-github-actions",
|
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"stable": "stable"
|
"stable": "stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1731527002,
|
"lastModified": 1711386353,
|
||||||
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
|
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
|
||||||
"owner": "zhaofengli",
|
"owner": "zhaofengli",
|
||||||
"repo": "colmena",
|
"repo": "colmena",
|
||||||
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
|
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -150,44 +78,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"crane": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"grapevine",
|
|
||||||
"attic",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1722960479,
|
|
||||||
"narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
|
|
||||||
"owner": "ipetkov",
|
|
||||||
"repo": "crane",
|
|
||||||
"rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "ipetkov",
|
|
||||||
"repo": "crane",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"crane_2": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731098351,
|
|
||||||
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
|
|
||||||
"owner": "ipetkov",
|
|
||||||
"repo": "crane",
|
|
||||||
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "ipetkov",
|
|
||||||
"ref": "master",
|
|
||||||
"repo": "crane",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"darwin": {
|
"darwin": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -210,127 +100,38 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fenix": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"grapevine",
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"rust-analyzer-src": "rust-analyzer-src"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731738660,
|
|
||||||
"narHash": "sha256-tIXhc9lX1b030v812yVJanSR37OnpTb/OY5rU3TbShA=",
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "fenix",
|
|
||||||
"rev": "e10ba121773f754a30d31b6163919a3e404a434f",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-community",
|
|
||||||
"ref": "main",
|
|
||||||
"repo": "fenix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1732603366,
|
"lastModified": 1650374568,
|
||||||
"narHash": "sha256-I1Z54H96iLmNjBtoAR8nONsj9HpagNvVZawOxn75nP0=",
|
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
|
||||||
"ref": "refs/heads/main",
|
"owner": "edolstra",
|
||||||
"rev": "fe7f6ec62b50e6225406a0a4b339496530a019f8",
|
"repo": "flake-compat",
|
||||||
"revCount": 68,
|
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/lix-project/flake-compat"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/lix-project/flake-compat"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"flake-parts": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs-lib": [
|
|
||||||
"buildbot-nix",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1706830856,
|
|
||||||
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
|
|
||||||
"owner": "hercules-ci",
|
|
||||||
"repo": "flake-parts",
|
|
||||||
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
|
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "hercules-ci",
|
"owner": "edolstra",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-compat",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-parts_2": {
|
"flake-compat_2": {
|
||||||
"inputs": {
|
"flake": false,
|
||||||
"nixpkgs-lib": [
|
|
||||||
"grapevine",
|
|
||||||
"attic",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1722555600,
|
"lastModified": 1696426674,
|
||||||
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
"owner": "hercules-ci",
|
"owner": "edolstra",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-compat",
|
||||||
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "hercules-ci",
|
"owner": "edolstra",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-compat",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-parts_3": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs-lib": [
|
|
||||||
"hydra",
|
|
||||||
"nix-eval-jobs",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1730504689,
|
|
||||||
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
|
||||||
"owner": "hercules-ci",
|
|
||||||
"repo": "flake-parts",
|
|
||||||
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "hercules-ci",
|
|
||||||
"repo": "flake-parts",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"flake-parts_4": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs-lib": "nixpkgs-lib"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1727826117,
|
|
||||||
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
|
|
||||||
"owner": "hercules-ci",
|
|
||||||
"repo": "flake-parts",
|
|
||||||
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"id": "flake-parts",
|
|
||||||
"type": "indirect"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1659877975,
|
"lastModified": 1659877975,
|
||||||
|
@ -347,72 +148,20 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-utils_2": {
|
"flake-utils_2": {
|
||||||
"inputs": {
|
|
||||||
"systems": "systems_2"
|
|
||||||
},
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1731533236,
|
"lastModified": 1634851050,
|
||||||
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
|
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
|
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"ref": "main",
|
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"gerrit-dashboard": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1724509518,
|
|
||||||
"narHash": "sha256-fwYXZVddxfzrlDa3QnFCwHqrbEX+3PrWy0QOlbO+8jk=",
|
|
||||||
"ref": "refs/heads/master",
|
|
||||||
"rev": "e544abac81c581558d68abb2a8dd583049073939",
|
|
||||||
"revCount": 75,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/gerrit-monitoring.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/gerrit-monitoring.git"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"grapevine": {
|
|
||||||
"inputs": {
|
|
||||||
"attic": "attic",
|
|
||||||
"crane": "crane_2",
|
|
||||||
"fenix": "fenix",
|
|
||||||
"flake-compat": [
|
|
||||||
"flake-compat"
|
|
||||||
],
|
|
||||||
"flake-utils": "flake-utils_2",
|
|
||||||
"nix-filter": "nix-filter",
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"rocksdb": "rocksdb",
|
|
||||||
"rust-manifest": "rust-manifest"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"host": "gitlab.computer.surgery",
|
|
||||||
"lastModified": 1734138037,
|
|
||||||
"narHash": "sha256-pN/nJ9tR6ewnpVUUzcF+Z9L/0R0WmtBVePJOqx9rzTk=",
|
|
||||||
"owner": "matrix",
|
|
||||||
"repo": "grapevine-fork",
|
|
||||||
"rev": "8537c0e8ac3eb388500587b035008e5f98204a4b",
|
|
||||||
"type": "gitlab"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"host": "gitlab.computer.surgery",
|
|
||||||
"owner": "matrix",
|
|
||||||
"repo": "grapevine-fork",
|
|
||||||
"type": "gitlab"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"home-manager": {
|
"home-manager": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -436,18 +185,17 @@
|
||||||
},
|
},
|
||||||
"hydra": {
|
"hydra": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"lix": "lix",
|
"nix": "nix",
|
||||||
"nix-eval-jobs": "nix-eval-jobs",
|
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1733503045,
|
"lastModified": 1720843955,
|
||||||
"narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
|
"narHash": "sha256-GpkZ7OorcArMaFVZMPHkXHKQVJAWjMSCaPmS8hw0PB0=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
|
"rev": "fb9e29d4d0f2f591cd1d706fd3b7334af7d34b84",
|
||||||
"revCount": 4230,
|
"revCount": 4174,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/hydra.git"
|
"url": "https://git.lix.systems/lix-project/hydra.git"
|
||||||
},
|
},
|
||||||
|
@ -456,11 +204,9 @@
|
||||||
"url": "https://git.lix.systems/lix-project/hydra.git"
|
"url": "https://git.lix.systems/lix-project/hydra.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"lix": {
|
"nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": [
|
"flake-compat": "flake-compat_2",
|
||||||
"flake-compat"
|
|
||||||
],
|
|
||||||
"nix2container": "nix2container",
|
"nix2container": "nix2container",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"hydra",
|
"hydra",
|
||||||
|
@ -470,77 +216,17 @@
|
||||||
"pre-commit-hooks": "pre-commit-hooks"
|
"pre-commit-hooks": "pre-commit-hooks"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1732112222,
|
"lastModified": 1720733512,
|
||||||
"narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
|
"narHash": "sha256-vq9CLDvqSSvH4L7YhDa0ihTOrAry4jntKiuoNb5n98M=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
|
"rev": "4b109ec1a8fc4550150f56f0f46f2f41d844bda8",
|
||||||
"revCount": 16513,
|
"revCount": 15950,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/lix"
|
"url": "https://git@git.lix.systems/lix-project/lix"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/lix"
|
"url": "https://git@git.lix.systems/lix-project/lix"
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix-eval-jobs": {
|
|
||||||
"inputs": {
|
|
||||||
"flake-parts": "flake-parts_3",
|
|
||||||
"lix": [
|
|
||||||
"hydra",
|
|
||||||
"lix"
|
|
||||||
],
|
|
||||||
"nix-github-actions": "nix-github-actions_3",
|
|
||||||
"nixpkgs": [
|
|
||||||
"hydra",
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"treefmt-nix": "treefmt-nix_2"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1732351635,
|
|
||||||
"narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
|
|
||||||
"ref": "refs/heads/main",
|
|
||||||
"rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
|
|
||||||
"revCount": 617,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix-filter": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731533336,
|
|
||||||
"narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "nix-filter",
|
|
||||||
"rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "numtide",
|
|
||||||
"ref": "main",
|
|
||||||
"repo": "nix-filter",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix-forgejo": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1734980732,
|
|
||||||
"narHash": "sha256-ToN/RwdfzvjAIL9n5HqLBOkupLn4emFvt6I7b5vN/+I=",
|
|
||||||
"ref": "refs/heads/main",
|
|
||||||
"rev": "404b26d8d40f36cf3953bbaa2ff602cdb8ca6acd",
|
|
||||||
"revCount": 4,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/nix-forgejo.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/nix-forgejo.git"
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nix-gerrit": {
|
"nix-gerrit": {
|
||||||
|
@ -550,11 +236,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1734192622,
|
"lastModified": 1720891381,
|
||||||
"narHash": "sha256-AkT4QHHneyWBL9UDhvrmPnQUOfN9ETP295y6TtuW6rU=",
|
"narHash": "sha256-bdZRPgnkROSejmwMOrlcqHMWmuPIVIzjk6r5FbS+fqU=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "c011f670b335b52150af5c75f21e987d166ecec2",
|
"rev": "23dd318e6741ff686d3069c53ecf475eac8a0565",
|
||||||
"revCount": 8,
|
"revCount": 5,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
||||||
},
|
},
|
||||||
|
@ -563,79 +249,14 @@
|
||||||
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
"url": "https://git.lix.systems/the-distro/nix-gerrit.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nix-github-actions": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"colmena",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1729742964,
|
|
||||||
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nix-github-actions",
|
|
||||||
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nix-github-actions",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix-github-actions_2": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"grapevine",
|
|
||||||
"attic",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1729742964,
|
|
||||||
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nix-github-actions",
|
|
||||||
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nix-github-actions",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix-github-actions_3": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"hydra",
|
|
||||||
"nix-eval-jobs",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731952509,
|
|
||||||
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nix-github-actions",
|
|
||||||
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nix-github-actions",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix2container": {
|
"nix2container": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724996935,
|
"lastModified": 1712990762,
|
||||||
"narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
|
"narHash": "sha256-hO9W3w7NcnYeX8u8cleHiSpK2YJo7ecarFTUlbybl7k=",
|
||||||
"owner": "nlewo",
|
"owner": "nlewo",
|
||||||
"repo": "nix2container",
|
"repo": "nix2container",
|
||||||
"rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
|
"rev": "20aad300c925639d5d6cbe30013c8357ce9f2a2e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -646,11 +267,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726042813,
|
"lastModified": 1720750130,
|
||||||
"narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
|
"narHash": "sha256-y2wc7CdK0vVSIbx7MdVoZzuMcUoLvZXm+pQf2RIr1OU=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
|
"rev": "6794d064edc69918bb0fc0e0eda33ece324be17a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -660,18 +281,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-lib": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1727825735,
|
|
||||||
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
|
|
||||||
"type": "tarball",
|
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "tarball",
|
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs-regression": {
|
"nixpkgs-regression": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1643052045,
|
"lastModified": 1643052045,
|
||||||
|
@ -688,63 +297,29 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1724316499,
|
|
||||||
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
|
|
||||||
"owner": "NixOS",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "NixOS",
|
|
||||||
"ref": "nixos-24.05",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1733940404,
|
"lastModified": 1636823747,
|
||||||
"narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
|
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
|
||||||
"owner": "NixOS",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
|
"rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "nixos",
|
||||||
"ref": "nixos-unstable",
|
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"ofborg": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1735939688,
|
|
||||||
"narHash": "sha256-UHHK0LTU4VbWTN4UW1DrxGe2n1WQKrUyWKnGMH2pCG0=",
|
|
||||||
"ref": "refs/heads/vcs-generalization",
|
|
||||||
"rev": "b23794207d211bddfc9792fdbd8af21977dd770b",
|
|
||||||
"revCount": 1511,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/ofborg.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"ref": "refs/heads/vcs-generalization",
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/ofborg.git"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"pre-commit-hooks": {
|
"pre-commit-hooks": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726745158,
|
"lastModified": 1712055707,
|
||||||
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
|
"narHash": "sha256-4XLvuSIDZJGS17xEwSrNuJLL7UjDYKGJSbK1WWX2AK8=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "git-hooks.nix",
|
"repo": "git-hooks.nix",
|
||||||
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
|
"rev": "e35aed5fda3cc79f88ed7f1795021e559582093a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -753,123 +328,36 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"rocksdb": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1730475155,
|
|
||||||
"narHash": "sha256-u5uuShM2SxHc9/zL4UU56IhCcR/ZQbzde0LgOYS44bM=",
|
|
||||||
"owner": "facebook",
|
|
||||||
"repo": "rocksdb",
|
|
||||||
"rev": "3c27a3dde0993210c5cc30d99717093f7537916f",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "facebook",
|
|
||||||
"ref": "v9.7.4",
|
|
||||||
"repo": "rocksdb",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
"agenix": "agenix",
|
||||||
"buildbot-nix": "buildbot-nix",
|
|
||||||
"channel-scripts": "channel-scripts",
|
|
||||||
"colmena": "colmena",
|
"colmena": "colmena",
|
||||||
"flake-compat": "flake-compat",
|
|
||||||
"gerrit-dashboard": "gerrit-dashboard",
|
|
||||||
"grapevine": "grapevine",
|
|
||||||
"hydra": "hydra",
|
"hydra": "hydra",
|
||||||
"lix": [
|
"lix": [
|
||||||
"hydra",
|
"hydra",
|
||||||
"lix"
|
"nix"
|
||||||
],
|
],
|
||||||
"nix-forgejo": "nix-forgejo",
|
|
||||||
"nix-gerrit": "nix-gerrit",
|
"nix-gerrit": "nix-gerrit",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs",
|
||||||
"ofborg": "ofborg",
|
|
||||||
"stateless-uptime-kuma": "stateless-uptime-kuma",
|
|
||||||
"systemd-openbao": "systemd-openbao",
|
|
||||||
"terranix": "terranix"
|
"terranix": "terranix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"rust-analyzer-src": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1731693936,
|
|
||||||
"narHash": "sha256-uHUUS1WPyW6ohp5Bt3dAZczUlQ22vOn7YZF8vaPKIEw=",
|
|
||||||
"owner": "rust-lang",
|
|
||||||
"repo": "rust-analyzer",
|
|
||||||
"rev": "1b90e979aeee8d1db7fe14603a00834052505497",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "rust-lang",
|
|
||||||
"ref": "nightly",
|
|
||||||
"repo": "rust-analyzer",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"rust-manifest": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"narHash": "sha256-tB9BZB6nRHDk5ELIVlGYlIjViLKBjQl52nC1avhcCwA=",
|
|
||||||
"type": "file",
|
|
||||||
"url": "https://static.rust-lang.org/dist/channel-rust-1.81.0.toml"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "file",
|
|
||||||
"url": "https://static.rust-lang.org/dist/channel-rust-1.81.0.toml"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"stable": {
|
"stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1730883749,
|
"lastModified": 1696039360,
|
||||||
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
|
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
|
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-24.05",
|
"ref": "nixos-23.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"stateless-uptime-kuma": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1728243069,
|
|
||||||
"narHash": "sha256-l9fgwesnmFxasCaYUCD7L9bGGJXytLuwtx3CZMgpwJg=",
|
|
||||||
"ref": "refs/heads/master",
|
|
||||||
"rev": "880f444ff7862d6127b051cf1a993ad1585b1652",
|
|
||||||
"revCount": 25,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"systemd-openbao": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1735694158,
|
|
||||||
"narHash": "sha256-n8cyDX5qitjTNFQ2+nUeOpqSkXREir9p2bSqOZZ5sLs=",
|
|
||||||
"ref": "refs/heads/main",
|
|
||||||
"rev": "2479c46b0fa892c4fdcd3e315f0cdfe096b5e71a",
|
|
||||||
"revCount": 160,
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/systemd-openbao.git"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "https://git.lix.systems/the-distro/systemd-openbao.git"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"systems": {
|
"systems": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681028828,
|
"lastModified": 1681028828,
|
||||||
|
@ -885,53 +373,20 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"systems_2": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"systems_3": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"terranix": {
|
"terranix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"bats-assert": "bats-assert",
|
"bats-assert": "bats-assert",
|
||||||
"bats-support": "bats-support",
|
"bats-support": "bats-support",
|
||||||
"flake-parts": "flake-parts_4",
|
"flake-utils": "flake-utils_2",
|
||||||
"nixpkgs": [
|
"nixpkgs": "nixpkgs_2",
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"systems": "systems_3",
|
|
||||||
"terranix-examples": "terranix-examples"
|
"terranix-examples": "terranix-examples"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1728959489,
|
"lastModified": 1695406838,
|
||||||
"narHash": "sha256-1Pu2j5xsBTuoyga08ZVf+rKp3FOMmJh/0fXen/idOrA=",
|
"narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
|
||||||
"owner": "terranix",
|
"owner": "terranix",
|
||||||
"repo": "terranix",
|
"repo": "terranix",
|
||||||
"rev": "7734e2ee6a1472807a33ce1e7da794bed2aaf91c",
|
"rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -942,11 +397,11 @@
|
||||||
},
|
},
|
||||||
"terranix-examples": {
|
"terranix-examples": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1637156952,
|
"lastModified": 1636300201,
|
||||||
"narHash": "sha256-KqvXIe1yiKOEP9BRYqNQN+LOWPCsWojh0WjEgv5jfEI=",
|
"narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
|
||||||
"owner": "terranix",
|
"owner": "terranix",
|
||||||
"repo": "terranix-examples",
|
"repo": "terranix-examples",
|
||||||
"rev": "921680efb8af0f332d8ad73718d53907f9483e24",
|
"rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -954,49 +409,6 @@
|
||||||
"repo": "terranix-examples",
|
"repo": "terranix-examples",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"treefmt-nix": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"buildbot-nix",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1708897213,
|
|
||||||
"narHash": "sha256-QECZB+Hgz/2F/8lWvHNk05N6NU/rD9bWzuNn6Cv8oUk=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "treefmt-nix",
|
|
||||||
"rev": "e497a9ddecff769c2a7cbab51e1ed7a8501e7a3a",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "treefmt-nix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"treefmt-nix_2": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"hydra",
|
|
||||||
"nix-eval-jobs",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1732292307,
|
|
||||||
"narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "treefmt-nix",
|
|
||||||
"rev": "705df92694af7093dfbb27109ce16d828a79155f",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "treefmt-nix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
332
flake.nix
332
flake.nix
|
@ -2,120 +2,50 @@
|
||||||
description = "Bagel cooking infrastructure";
|
description = "Bagel cooking infrastructure";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||||
|
|
||||||
terranix.url = "github:terranix/terranix";
|
terranix.url = "github:terranix/terranix";
|
||||||
terranix.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
|
|
||||||
agenix.url = "github:ryantm/agenix";
|
agenix.url = "github:ryantm/agenix";
|
||||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
colmena.url = "github:zhaofengli/colmena";
|
colmena.url = "github:zhaofengli/colmena";
|
||||||
colmena.inputs = {
|
colmena.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
nixpkgs.follows = "nixpkgs";
|
|
||||||
flake-compat.follows = "flake-compat";
|
|
||||||
};
|
|
||||||
|
|
||||||
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
|
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
|
||||||
hydra.inputs = {
|
hydra.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
nixpkgs.follows = "nixpkgs";
|
|
||||||
lix.inputs.flake-compat.follows = "flake-compat";
|
|
||||||
};
|
|
||||||
|
|
||||||
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
|
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
|
||||||
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
|
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
nix-forgejo.url = "git+https://git.lix.systems/the-distro/nix-forgejo.git";
|
lix.follows = "hydra/nix";
|
||||||
nix-forgejo.flake = false;
|
|
||||||
|
|
||||||
# This revision contains mTLS support.
|
|
||||||
ofborg.url = "git+https://git.lix.systems/the-distro/ofborg.git?ref=refs/heads/vcs-generalization";
|
|
||||||
ofborg.flake = false;
|
|
||||||
|
|
||||||
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
|
|
||||||
gerrit-dashboard.flake = false;
|
|
||||||
|
|
||||||
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/forkos";
|
|
||||||
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
|
|
||||||
channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";
|
|
||||||
channel-scripts.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
channel-scripts.inputs.crane.inputs.attic.inputs.flake-compat.follows = "flake-compat";
|
|
||||||
|
|
||||||
systemd-openbao.url = "git+https://git.lix.systems/the-distro/systemd-openbao.git";
|
|
||||||
systemd-openbao.flake = false;
|
|
||||||
|
|
||||||
stateless-uptime-kuma.url = "git+https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git";
|
|
||||||
stateless-uptime-kuma.flake = false;
|
|
||||||
|
|
||||||
flake-compat = {
|
|
||||||
url = "git+https://git.lix.systems/lix-project/flake-compat";
|
|
||||||
flake = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
lix.follows = "hydra/lix";
|
|
||||||
|
|
||||||
grapevine = {
|
|
||||||
type = "gitlab";
|
|
||||||
host = "gitlab.computer.surgery";
|
|
||||||
owner = "matrix";
|
|
||||||
repo = "grapevine-fork";
|
|
||||||
inputs = {
|
|
||||||
nixpkgs.follows = "nixpkgs";
|
|
||||||
flake-compat.follows = "flake-compat";
|
|
||||||
attic.inputs.flake-compat.follows = "flake-compat";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, terranix, colmena, ofborg, ... } @ inputs:
|
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
|
||||||
let
|
let
|
||||||
supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
|
system = "x86_64-linux";
|
||||||
forEachSystem = f: builtins.listToAttrs (map (system: {
|
pkgs = import nixpkgs {
|
||||||
name = system;
|
localSystem = system;
|
||||||
value = f system;
|
overlays = [
|
||||||
}) supportedSystems);
|
inputs.hydra.overlays.default
|
||||||
systemBits = forEachSystem (system: rec {
|
inputs.lix.overlays.default
|
||||||
|
inputs.nix-gerrit.overlays.default
|
||||||
|
];
|
||||||
|
};
|
||||||
|
lib = pkgs.lib;
|
||||||
|
terraform = pkgs.opentofu;
|
||||||
|
terraformCfg = terranix.lib.terranixConfiguration {
|
||||||
inherit system;
|
inherit system;
|
||||||
pkgs = import nixpkgs {
|
modules = [
|
||||||
localSystem = system;
|
./terraform
|
||||||
overlays = [
|
{
|
||||||
inputs.hydra.overlays.default
|
bagel.gandi.enable = true;
|
||||||
inputs.lix.overlays.default
|
bagel.hydra.enable = true;
|
||||||
inputs.nix-gerrit.overlays.default
|
}
|
||||||
inputs.channel-scripts.overlays.default
|
];
|
||||||
(import inputs.ofborg {
|
};
|
||||||
pkgs = import nixpkgs { localSystem = system; };
|
|
||||||
}).overlay
|
|
||||||
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
|
||||||
(self: super: {
|
|
||||||
openbao = super.callPackage ./services/vault/package.nix { };
|
|
||||||
})
|
|
||||||
];
|
|
||||||
};
|
|
||||||
terraform = pkgs.opentofu;
|
|
||||||
terraformCfg = terranix.lib.terranixConfiguration {
|
|
||||||
inherit system;
|
|
||||||
extraArgs = {
|
|
||||||
inherit (self) nixosConfigurations;
|
|
||||||
};
|
|
||||||
modules = [
|
|
||||||
./terraform
|
|
||||||
{
|
|
||||||
bagel.dnsimple.enable = true;
|
|
||||||
bagel.hydra.enable = true;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
});
|
|
||||||
forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));
|
|
||||||
inherit (nixpkgs) lib;
|
|
||||||
# ForkOS' library functions.
|
|
||||||
flib = import ./lib { inherit (nixpkgs) lib; };
|
|
||||||
inherit (flib) singleton;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
|
apps.${system} = {
|
||||||
tf = {
|
tf = {
|
||||||
type = "app";
|
type = "app";
|
||||||
program = toString (pkgs.writers.writeBash "tf" ''
|
program = toString (pkgs.writers.writeBash "tf" ''
|
||||||
|
@ -126,210 +56,52 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
default = self.apps.${system}.tf;
|
default = self.apps.${system}.tf;
|
||||||
});
|
};
|
||||||
|
|
||||||
devShells = forEachSystem' ({ system, pkgs, ... }: {
|
devShells.${system}.default = pkgs.mkShell {
|
||||||
default = pkgs.mkShell {
|
packages = [
|
||||||
packages = [
|
inputs.agenix.packages.${system}.agenix
|
||||||
inputs.agenix.packages.${system}.agenix
|
|
||||||
|
|
||||||
pkgs.opentofu
|
pkgs.colmena
|
||||||
pkgs.openbao
|
pkgs.opentofu
|
||||||
|
];
|
||||||
(pkgs.callPackage ./lib/colmena-wrapper.nix { })
|
};
|
||||||
];
|
|
||||||
|
|
||||||
BAO_ADDR = "https://vault.forkos.org";
|
|
||||||
};
|
|
||||||
});
|
|
||||||
|
|
||||||
nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
|
nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
|
||||||
terraformConfiguration = forEachSystem' ({ terraformCfg, ... }: terraformCfg);
|
|
||||||
|
|
||||||
colmena = let
|
colmena = let
|
||||||
systemd-openbao = import inputs.systemd-openbao { };
|
|
||||||
commonModules = [
|
commonModules = [
|
||||||
inputs.agenix.nixosModules.default
|
inputs.agenix.nixosModules.default
|
||||||
inputs.hydra.nixosModules.hydra
|
inputs.hydra.nixosModules.hydra
|
||||||
systemd-openbao.nixosModules.openbaoAgent
|
|
||||||
systemd-openbao.nixosModules.systemdOpenBaod
|
|
||||||
systemd-openbao.nixosModules.openbaoSecrets
|
|
||||||
inputs.buildbot-nix.nixosModules.buildbot-coordinator
|
|
||||||
inputs.buildbot-nix.nixosModules.buildbot-worker
|
|
||||||
|
|
||||||
./services
|
./services
|
||||||
./common
|
./common
|
||||||
];
|
];
|
||||||
|
|
||||||
floralInfraModules = commonModules ++ [
|
makeBuilder = i: lib.nameValuePair "builder-${toString i}" {
|
||||||
({ config, lib, ... }: {
|
imports = commonModules;
|
||||||
# This means that anyone with @floral-infra permissions
|
bagel.baremetal.builders = { enable = true; num = i; };
|
||||||
# can ssh on root of every machines handled here.
|
|
||||||
bagel.admins.allowedGroups = [
|
|
||||||
"floral-infra"
|
|
||||||
];
|
|
||||||
|
|
||||||
# Tag all machines which have local boot as local bootables.
|
|
||||||
deployment.tags = lib.mkMerge [
|
|
||||||
[ "floral" ]
|
|
||||||
# All nodes that can be local booted, including baremetal nodes.
|
|
||||||
(lib.mkIf (config.bagel.baremetal.enable -> !config.bagel.baremetal.netboot)
|
|
||||||
[ "localboot" ]
|
|
||||||
)
|
|
||||||
# Only baremetal nodes that can be local booted.
|
|
||||||
(lib.mkIf (config.bagel.baremetal.enable && !config.bagel.baremetal.netboot)
|
|
||||||
[ "bm-localboot" ]
|
|
||||||
)
|
|
||||||
];
|
|
||||||
|
|
||||||
bagel.monitoring.grafana-agent.tenant = "floral";
|
|
||||||
bagel.secrets.tenant = "floral";
|
|
||||||
bagel.builders.extra-build-capacity.provider.tenant = "floral";
|
|
||||||
bagel.services.buildbot.tenant = "floral";
|
|
||||||
})
|
|
||||||
];
|
|
||||||
|
|
||||||
# These are Floral baremetal builders.
|
|
||||||
makeColoBaremetal = i:
|
|
||||||
let
|
|
||||||
enableNetboot = i >= 6;
|
|
||||||
in
|
|
||||||
# bm for baremetal.
|
|
||||||
lib.nameValuePair "bm-${toString i}" {
|
|
||||||
imports = floralInfraModules;
|
|
||||||
bagel.baremetal = { enable = true; num = i; netboot = enableNetboot; };
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Given the data of:
|
builders = lib.listToAttrs (lib.genList makeBuilder 12);
|
||||||
# - a selector function to filter NixOS nodes
|
|
||||||
# - a module factory function to extend a NixOS configuration
|
|
||||||
# this will return a function that will take a set of nodes and project it to the filtered
|
|
||||||
# nodes augmented with the module factory function.
|
|
||||||
# Composing twice the projector should have no effect.
|
|
||||||
# `mkSystem :: { renumberedIndex: int, node: NixOS configuration } → NixOS configuration`
|
|
||||||
mkProjector = { selector, mkSystem }: nodes:
|
|
||||||
let
|
|
||||||
# Select all the nodes using the selector.
|
|
||||||
selectedNodes = lib.filterAttrs (_: node: selector node.bagel.baremetal.num) nodes;
|
|
||||||
in
|
|
||||||
# Re-map selected nodes and renumber them in some iteration order
|
|
||||||
# and apply the module extension function.
|
|
||||||
flib.renumber
|
|
||||||
# Indexing function
|
|
||||||
(node: node.bagel.baremetal.num)
|
|
||||||
# Renumbering function
|
|
||||||
(renumberedIndex: node: mkSystem { inherit renumberedIndex node; })
|
|
||||||
selectedNodes;
|
|
||||||
|
|
||||||
# Current map:
|
|
||||||
# builders: [4, 10].
|
|
||||||
# storage: [5]
|
|
||||||
# build-coord: [11].
|
|
||||||
|
|
||||||
# Set of projectors that will take a generic baremetal node
|
|
||||||
# and reconfigure it for a specific role.
|
|
||||||
projectors = {
|
|
||||||
storage = {
|
|
||||||
# Selectors are just fancy functions that can filter based on the index information.
|
|
||||||
# It is possible to construct a range filter to express a collection of intervals,
|
|
||||||
# e.g. select 0→4 & 6→8 & 12→15.
|
|
||||||
|
|
||||||
# For now, we will only use pointwise as we have very few machines.
|
|
||||||
selector = flib.mkPointwiseFilter [ 5 ];
|
|
||||||
mkSystem = { renumberedIndex, node }:
|
|
||||||
{
|
|
||||||
imports = [ node ];
|
|
||||||
bagel.baremetal.storage = {
|
|
||||||
enable = true;
|
|
||||||
num = renumberedIndex;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
builders = {
|
|
||||||
selector = flib.mkPointwiseFilter [ 4 10 ];
|
|
||||||
mkSystem = { renumberedIndex, node }: {
|
|
||||||
imports = [ node ];
|
|
||||||
bagel.baremetal.builders = {
|
|
||||||
enable = true;
|
|
||||||
num = renumberedIndex;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
project = role: mkProjector projectors.${role};
|
|
||||||
|
|
||||||
lixInfraModules = commonModules ++ [
|
|
||||||
{
|
|
||||||
# This means that anyone with @lix-infra permissions
|
|
||||||
# can ssh on root of every machines handled here.
|
|
||||||
bagel.admins.allowedGroups = [
|
|
||||||
"lix-infra"
|
|
||||||
];
|
|
||||||
|
|
||||||
# Tag all machines which have local boot as local bootables.
|
|
||||||
# Lix has no netbootable machine.
|
|
||||||
deployment.tags = [ "localboot" "lix" ];
|
|
||||||
|
|
||||||
bagel.monitoring.grafana-agent.tenant = "lix";
|
|
||||||
bagel.secrets.tenant = "lix";
|
|
||||||
bagel.builders.extra-build-capacity.provider = {
|
|
||||||
tenant = "lix";
|
|
||||||
buildfarmPublicKeys = [
|
|
||||||
# buildbot.lix.systems SSH key
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu4cEqZzAI/1vZjSQkTJ4ijIg9nuloOuSKUrnkJIOFn"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
bagel.services.buildbot.tenant = "lix";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
baremetalNodes =
|
|
||||||
let
|
|
||||||
# We consider all possible baremetal systems and we filter out a subset that is activated.
|
|
||||||
# To configure the set of used machines, configure the `setXYZ` role setter selectors.
|
|
||||||
allNodes = lib.listToAttrs (lib.genList makeColoBaremetal 11);
|
|
||||||
perRoles = {
|
|
||||||
# Project in the sense of linear algebra projectors.
|
|
||||||
# We are projecting allNodes on the set of storage nodes.
|
|
||||||
# (remember, a projector is a linear function such that p^2 = p).
|
|
||||||
storageNodes = project "storage" allNodes;
|
|
||||||
builderNodes = project "builders" allNodes;
|
|
||||||
# buildCoordinatorNodes = setBuildCoordinators allNodes;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
# TODO: compute what are the offender nodes and their simultaneous roles.
|
|
||||||
assert (lib.assertMsg (flib.isValidPartition perRoles) "A baremetal node is simultaneously storage, builder and build coordinator, please review the ranges.");
|
|
||||||
# Merge all roles together into one big attribute set of nodes.
|
|
||||||
flib.chainAttrs perRoles;
|
|
||||||
|
|
||||||
in {
|
in {
|
||||||
meta.nixpkgs = systemBits.x86_64-linux.pkgs;
|
meta.nixpkgs = import nixpkgs {
|
||||||
# Add any non-x86_64 native systems here.
|
localSystem = system;
|
||||||
# Cross compilation is not supported yet.
|
overlays = [
|
||||||
meta.nodeNixpkgs =
|
inputs.hydra.overlays.default
|
||||||
let
|
inputs.lix.overlays.default
|
||||||
aarch64-systems = systems: lib.genAttrs systems (system: systemBits.aarch64-linux.pkgs);
|
inputs.nix-gerrit.overlays.default
|
||||||
in
|
|
||||||
aarch64-systems [
|
|
||||||
"build01-aarch64-lix"
|
|
||||||
];
|
];
|
||||||
|
};
|
||||||
meta.specialArgs.inputs = inputs;
|
meta.specialArgs.inputs = inputs;
|
||||||
|
|
||||||
bagel-box.imports = floralInfraModules ++ [ ./hosts/bagel-box ];
|
bagel-box.imports = commonModules ++ [ ./hosts/bagel-box ];
|
||||||
meta01.imports = floralInfraModules ++ [ ./hosts/meta01 ];
|
meta01.imports = commonModules ++ [ ./hosts/meta01 ];
|
||||||
gerrit01.imports = floralInfraModules ++ [ ./hosts/gerrit01 ];
|
gerrit01.imports = commonModules ++ [ ./hosts/gerrit01 ];
|
||||||
fodwatch.imports = floralInfraModules ++ [ ./hosts/fodwatch ];
|
fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ];
|
||||||
git.imports = floralInfraModules ++ [ ./hosts/git ];
|
wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
|
||||||
wob-vpn-gw.imports = floralInfraModules ++ [ ./hosts/wob-vpn-gw ];
|
} // builders;
|
||||||
buildbot.imports = floralInfraModules ++ [ ./hosts/buildbot ];
|
|
||||||
public01.imports = floralInfraModules ++ [ ./hosts/public01 ];
|
|
||||||
build-coord.imports = floralInfraModules ++ [ ./hosts/build-coord ];
|
|
||||||
|
|
||||||
build01-aarch64-lix.imports = lixInfraModules ++ [ ./hosts/build01-aarch64-lix ];
|
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.toplevel) self.nixosConfigurations;
|
||||||
buildbot-lix.imports = lixInfraModules ++ [ ./hosts/buildbot-lix ];
|
|
||||||
} // baremetalNodes;
|
|
||||||
|
|
||||||
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
|
|
||||||
buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,7 +20,6 @@
|
||||||
useHostResolvConf = false;
|
useHostResolvConf = false;
|
||||||
|
|
||||||
hostName = "bagel-box";
|
hostName = "bagel-box";
|
||||||
domain = "infra.forkos.org";
|
|
||||||
nameservers = [ "2001:4860:4860::8844" ];
|
nameservers = [ "2001:4860:4860::8844" ];
|
||||||
|
|
||||||
interfaces.host0.ipv6.addresses = [
|
interfaces.host0.ipv6.addresses = [
|
||||||
|
@ -37,36 +36,21 @@
|
||||||
|
|
||||||
bagel.services = {
|
bagel.services = {
|
||||||
postgres.enable = true;
|
postgres.enable = true;
|
||||||
ofborg = {
|
|
||||||
rabbitmq.enable = true;
|
|
||||||
pastebin.enable = true;
|
|
||||||
# TODO: statcheck.enable = true;
|
|
||||||
|
|
||||||
mass-rebuilder.enable = true;
|
hydra.enable = true;
|
||||||
# TODO: enable once ready.
|
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
|
||||||
builder.enable = false;
|
# Takes 4 builders (0 → 3).
|
||||||
|
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 4;
|
||||||
|
|
||||||
gerrit-event-streamer.enable = true;
|
ofborg.enable = true;
|
||||||
gerrit-generic-vcs-filter.enable = true;
|
|
||||||
|
|
||||||
# FIXME: plug into our prometheus stack.
|
|
||||||
stats.enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
secrets-agent = {
|
|
||||||
enable = true;
|
|
||||||
methods.token = {
|
|
||||||
enable = true;
|
|
||||||
tenancy = "floral";
|
|
||||||
identifier = "bagel-box";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
bagel.sysadmin.enable = true;
|
||||||
|
|
||||||
|
security.acme.acceptTerms = true;
|
||||||
|
security.acme.defaults.email = "infra@forkos.org";
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
|
||||||
system.stateVersion = "24.11";
|
|
||||||
deployment.targetHost = "bagel-box.infra.forkos.org";
|
deployment.targetHost = "bagel-box.infra.forkos.org";
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
{ lib, ... }:
|
|
||||||
{
|
|
||||||
imports = [ ./hardware.nix ];
|
|
||||||
|
|
||||||
networking.hostName = "build-coord";
|
|
||||||
networking.domain = "wob01.infra.forkos.org";
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
|
||||||
|
|
||||||
bagel.services = {
|
|
||||||
hydra.enable = true;
|
|
||||||
# TODO: use the roles to avoid setting up builders which are not… builders!
|
|
||||||
hydra.builders = map (i: "bm-${builtins.toString i}") [4 10];
|
|
||||||
|
|
||||||
# Arguably, the build-coordinator is the most sensitive piece of our own infrastructure.
|
|
||||||
# Henceforth, it can run as well another sensitive piece of the system: the Vault.
|
|
||||||
vault = {
|
|
||||||
enable = true;
|
|
||||||
domain = "vault.forkos.org";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
bagel.monitoring.exporters.hydra.enable = true;
|
|
||||||
|
|
||||||
# Hydra is proxied.
|
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "build-coord.wob01.infra.forkos.org";
|
|
||||||
}
|
|
|
@ -1,93 +0,0 @@
|
||||||
{
|
|
||||||
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
|
|
||||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = "x86_64-linux";
|
|
||||||
hardware.cpu.intel.updateMicrocode = true;
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
boot.initrd.systemd.enable = true;
|
|
||||||
|
|
||||||
boot.initrd.services.lvm.enable = true;
|
|
||||||
|
|
||||||
boot.kernelParams = [
|
|
||||||
"console=tty1"
|
|
||||||
"console=ttyS0,115200"
|
|
||||||
];
|
|
||||||
|
|
||||||
fileSystems = {
|
|
||||||
"/" = {
|
|
||||||
device = "/dev/disk/by-label/root";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
"/boot" = {
|
|
||||||
device = "/dev/disk/by-label/BOOT";
|
|
||||||
fsType = "vfat";
|
|
||||||
options = [ "fmask=0022" "dmask=0022" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [
|
|
||||||
{
|
|
||||||
device = "/swapfile";
|
|
||||||
size = 20 * 1024; # 50GiB
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
zramSwap = {
|
|
||||||
enable = true;
|
|
||||||
memoryPercent = 100;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.useNetworkd = true;
|
|
||||||
|
|
||||||
systemd.network = {
|
|
||||||
netdevs = {
|
|
||||||
"40-uplink" = {
|
|
||||||
netdevConfig = {
|
|
||||||
Kind = "bond";
|
|
||||||
Name = "uplink";
|
|
||||||
};
|
|
||||||
bondConfig = {
|
|
||||||
Mode = "802.3ad";
|
|
||||||
TransmitHashPolicy = "layer3+4";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networks = {
|
|
||||||
"40-eno1" = {
|
|
||||||
name = "eno1";
|
|
||||||
bond = [ "uplink" ];
|
|
||||||
};
|
|
||||||
"40-eno2" = {
|
|
||||||
name = "eno2";
|
|
||||||
bond = [ "uplink" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networking.interfaces.uplink.ipv6.addresses = [
|
|
||||||
{ address = "2a01:584:11::1:11"; prefixLength = 64; }
|
|
||||||
];
|
|
||||||
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
|
|
||||||
|
|
||||||
bagel.infra.self.wan = {
|
|
||||||
family = "inet6";
|
|
||||||
address = "2a01:584:11::1:11";
|
|
||||||
prefixLength = 64;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.coredns = {
|
|
||||||
enable = true;
|
|
||||||
config = ''
|
|
||||||
. {
|
|
||||||
bind lo
|
|
||||||
forward . 2001:4860:4860::6464
|
|
||||||
template ANY A { rcode NOERROR }
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
services.resolved.enable = false;
|
|
||||||
networking.resolvconf.useLocalResolver = true;
|
|
||||||
}
|
|
|
@ -1,27 +0,0 @@
|
||||||
{ ... }: {
|
|
||||||
networking.hostName = "build01";
|
|
||||||
networking.domain = "aarch64.lix.systems";
|
|
||||||
|
|
||||||
# Those free sweet VMs.
|
|
||||||
bagel.hardware.oracle-vm = {
|
|
||||||
enable = true;
|
|
||||||
system = "aarch64-linux";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/disk/by-uuid/a333323c-99f0-4258-8f68-496858d56f71";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/3E74-C937";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
bagel.builders.extra-build-capacity.provider.enable = true;
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "build01.aarch64.lix.systems";
|
|
||||||
}
|
|
|
@ -1,71 +0,0 @@
|
||||||
# Configuration for a virtual machine in Raito's micro-DC basement.
|
|
||||||
# 32 vCPU (2014 grade Xeon though)
|
|
||||||
# 32GB RAM
|
|
||||||
# 30GB SSD
|
|
||||||
# 500GB HDD
|
|
||||||
# All specifications can be upgraded to a certain extent, just ask Raito.
|
|
||||||
# Hosts the coordinator for Buildbot.
|
|
||||||
#
|
|
||||||
# vim: et:ts=2:sw=2:
|
|
||||||
#
|
|
||||||
{ lib, modulesPath, ... }: {
|
|
||||||
networking.hostName = "buildbot";
|
|
||||||
networking.domain = "lix.systems";
|
|
||||||
|
|
||||||
zramSwap.enable = true;
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
|
||||||
# Buildbot is proxied.
|
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
|
||||||
bagel.hardware.raito-vm = {
|
|
||||||
enable = true;
|
|
||||||
networking = {
|
|
||||||
nat-lan-mac = "BC:24:11:75:62:42";
|
|
||||||
wan = {
|
|
||||||
mac = "BC:24:11:B2:5F:2E";
|
|
||||||
address = "2001:bc8:38ee:100::200/56";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
|
|
||||||
bagel.services.buildbot = {
|
|
||||||
enable = true;
|
|
||||||
domain = "buildbot.lix.systems";
|
|
||||||
gerrit =
|
|
||||||
{
|
|
||||||
domain = "gerrit.lix.systems";
|
|
||||||
port = 2022;
|
|
||||||
username = "buildbot";
|
|
||||||
};
|
|
||||||
cors.allowedOrigins = [
|
|
||||||
"https://*.lix.systems"
|
|
||||||
];
|
|
||||||
projects = [
|
|
||||||
"lix"
|
|
||||||
"lix-installer"
|
|
||||||
];
|
|
||||||
buildSystems = [
|
|
||||||
"x86_64-linux"
|
|
||||||
"aarch64-linux"
|
|
||||||
"aarch64-darwin"
|
|
||||||
# Too slow.
|
|
||||||
/* "x86_64-darwin" */
|
|
||||||
];
|
|
||||||
# Lix is not allowed to use yet Floral's x86_64 builders for now.
|
|
||||||
builders = [ ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# This machine does not use /nix from btrfs, and instead uses a store on a bigger disk.
|
|
||||||
fileSystems."/nix" =
|
|
||||||
lib.mkForce
|
|
||||||
{ device = "/dev/disk/by-uuid/1815ca49-d0b0-4b99-8aec-0d790498ba6f";
|
|
||||||
fsType = "xfs";
|
|
||||||
neededForBoot = true;
|
|
||||||
options = [ "relatime" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "buildbot.lix.systems";
|
|
||||||
}
|
|
|
@ -1,54 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
nodes,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
networking.hostName = "buildbot";
|
|
||||||
# TODO: make it the default
|
|
||||||
networking.domain = "infra.forkos.org";
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
|
||||||
# Buildbot is proxied.
|
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
|
||||||
bagel.hardware.raito-vm = {
|
|
||||||
enable = true;
|
|
||||||
networking = {
|
|
||||||
nat-lan-mac = "BC:24:11:E7:42:8B";
|
|
||||||
wan = {
|
|
||||||
address = "2001:bc8:38ee:100:1000::50/64";
|
|
||||||
mac = "BC:24:11:C9:BA:6C";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
bagel.services.buildbot = {
|
|
||||||
enable = true;
|
|
||||||
domain = "buildbot.forkos.org";
|
|
||||||
gerrit =
|
|
||||||
let
|
|
||||||
cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
domain = cfgGerrit.canonicalDomain;
|
|
||||||
port = cfgGerrit.port;
|
|
||||||
username = "buildbot";
|
|
||||||
};
|
|
||||||
cors.allowedOrigins = [
|
|
||||||
"https://*.forkos.org"
|
|
||||||
];
|
|
||||||
projects = [
|
|
||||||
"buildbot-test"
|
|
||||||
"nixpkgs"
|
|
||||||
"infra"
|
|
||||||
];
|
|
||||||
builders = [ "builder-4" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "buildbot.infra.forkos.org";
|
|
||||||
}
|
|
|
@ -8,6 +8,8 @@
|
||||||
networking.hostName = "fodwatch";
|
networking.hostName = "fodwatch";
|
||||||
networking.domain = "infra.forkos.org";
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
bagel.sysadmin.enable = true;
|
||||||
# Fodwatch will be proxied.
|
# Fodwatch will be proxied.
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
|
|
@ -9,6 +9,8 @@
|
||||||
# TODO: make it the default
|
# TODO: make it the default
|
||||||
networking.domain = "infra.forkos.org";
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
bagel.sysadmin.enable = true;
|
||||||
# Gerrit is proxied.
|
# Gerrit is proxied.
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
@ -23,9 +25,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Block all these crawlers!!
|
|
||||||
bagel.services.nginx.crawler-blocker.enable = true;
|
|
||||||
|
|
||||||
fileSystems."/gerrit-data" = {
|
fileSystems."/gerrit-data" = {
|
||||||
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
device = "/dev/disk/by-uuid/d1062305-0dea-4740-9a27-b6b1691862a4";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
|
@ -33,104 +32,12 @@
|
||||||
|
|
||||||
bagel.services.gerrit = {
|
bagel.services.gerrit = {
|
||||||
enable = true;
|
enable = true;
|
||||||
pyroscope.enable = true;
|
|
||||||
domains = [
|
domains = [
|
||||||
"cl.forkos.org"
|
"cl.forkos.org"
|
||||||
];
|
];
|
||||||
canonicalDomain = "cl.forkos.org";
|
|
||||||
data = "/gerrit-data";
|
data = "/gerrit-data";
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.ows-deploy-key = {
|
|
||||||
file = ../../secrets/floral/ows-deploy-key.age;
|
|
||||||
mode = "0600";
|
|
||||||
owner = "git";
|
|
||||||
group = "git";
|
|
||||||
};
|
|
||||||
bagel.nixpkgs.one-way-sync =
|
|
||||||
let
|
|
||||||
mkNixpkgsJob = { timer, fromRefspec, localRefspec ? fromRefspec }: {
|
|
||||||
fromUri = "https://github.com/NixOS/nixpkgs";
|
|
||||||
inherit fromRefspec localRefspec timer;
|
|
||||||
};
|
|
||||||
mkLocalJob = { timer, fromRefspec, localRefspec }: {
|
|
||||||
fromUri = "https://cl.forkos.org/nixpkgs";
|
|
||||||
inherit fromRefspec localRefspec timer;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
stateDirectory = "/gerrit-data/ows";
|
|
||||||
|
|
||||||
pushUrl = "ssh://ows_bot@cl.forkos.org:29418/nixpkgs";
|
|
||||||
deployKeyPath = config.age.secrets.ows-deploy-key.path;
|
|
||||||
|
|
||||||
# Sync main -> staging-next -> staging
|
|
||||||
branches."main-to-staging-next" = mkLocalJob {
|
|
||||||
timer = "00/8:20:00"; # every 8 hours, 20 minutes past the full hour
|
|
||||||
fromRefspec = "main";
|
|
||||||
localRefspec = "staging-next";
|
|
||||||
};
|
|
||||||
branches."staging-next-to-staging" = mkLocalJob {
|
|
||||||
timer = "00/8:40:00"; # every 8 hours, 40 minutes past the full hour
|
|
||||||
fromRefspec = "staging-next";
|
|
||||||
localRefspec = "staging";
|
|
||||||
};
|
|
||||||
|
|
||||||
# Sync nixpkgs -> fork
|
|
||||||
branches."nixpkgs-master" = mkNixpkgsJob {
|
|
||||||
timer = "hourly";
|
|
||||||
fromRefspec = "master";
|
|
||||||
localRefspec = "main";
|
|
||||||
};
|
|
||||||
|
|
||||||
branches."nixpkgs-staging" = mkNixpkgsJob {
|
|
||||||
timer = "hourly";
|
|
||||||
fromRefspec = "staging";
|
|
||||||
};
|
|
||||||
|
|
||||||
branches."nixpkgs-release-24.05" = mkNixpkgsJob {
|
|
||||||
timer = "hourly";
|
|
||||||
fromRefspec = "release-24.05";
|
|
||||||
};
|
|
||||||
|
|
||||||
branches."nixpkgs-staging-24.05" = mkNixpkgsJob {
|
|
||||||
timer = "hourly";
|
|
||||||
fromRefspec = "staging-24.05";
|
|
||||||
};
|
|
||||||
|
|
||||||
branches."nixpkgs-release-23.11" = mkNixpkgsJob {
|
|
||||||
timer = "hourly";
|
|
||||||
fromRefspec = "release-23.11";
|
|
||||||
};
|
|
||||||
|
|
||||||
branches."nixpkgs-staging-23.11" = mkNixpkgsJob {
|
|
||||||
timer = "hourly";
|
|
||||||
fromRefspec = "staging-23.11";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
age.secrets.s3-channel-staging-keys.file = ../../secrets/floral/s3-channel-staging-keys.age;
|
|
||||||
bagel.nixpkgs.channel-scripts = {
|
|
||||||
enable = true;
|
|
||||||
otlp.enable = true;
|
|
||||||
nixpkgsUrl = "https://cl.forkos.org/nixpkgs.git";
|
|
||||||
hydraUrl = "https://hydra.forkos.org";
|
|
||||||
binaryCacheUrl = "https://cache.forkos.org";
|
|
||||||
baseUriForGitRevisions = "https://cl.forkos.org/plugins/gitiles/nixpkgs/+";
|
|
||||||
s3 = {
|
|
||||||
release = "bagel-channel-scripts-test";
|
|
||||||
channel = "bagel-channel-scripts-test";
|
|
||||||
};
|
|
||||||
releaseBucketCredentialsFile = config.age.secrets.s3-channel-staging-keys.path;
|
|
||||||
deployKeyFile = config.age.secrets.priv-ssh-key.path;
|
|
||||||
extraArgs = [
|
|
||||||
"--bypass-preflight-checks"
|
|
||||||
];
|
|
||||||
channels = import ../../common/channels.nix;
|
|
||||||
};
|
|
||||||
|
|
||||||
i18n.defaultLocale = "fr_FR.UTF-8";
|
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
|
|
|
@ -1,47 +0,0 @@
|
||||||
let
|
|
||||||
ipv6 = {
|
|
||||||
openssh ="2001:bc8:38ee:100:1000::41";
|
|
||||||
forgejo = "2001:bc8:38ee:100:1000::40";
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
networking.hostName = "git";
|
|
||||||
networking.domain = "infra.forkos.org";
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
|
||||||
# Forgejo will be proxied.
|
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
|
||||||
bagel.hardware.raito-vm = {
|
|
||||||
enable = true;
|
|
||||||
networking = {
|
|
||||||
nat-lan-mac = "BC:24:11:83:71:56";
|
|
||||||
wan = {
|
|
||||||
address = "${ipv6.forgejo}/64";
|
|
||||||
mac = "BC:24:11:0B:8A:81";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Add one additional IPv6, so we can have both OpenSSH and
|
|
||||||
# Forgejo's built-in server bind on port :22.
|
|
||||||
systemd.network.networks."10-wan".networkConfig.Address = [ "${ipv6.openssh}/64" ];
|
|
||||||
services.openssh.listenAddresses = [{
|
|
||||||
addr = "[${ipv6.openssh}]";
|
|
||||||
}];
|
|
||||||
# Defaults to network.target, but networkd may take a while to settle and set up
|
|
||||||
# the required (additional) IPv6 address, leading to sshd to not being able to
|
|
||||||
# bind to the requested IP, crashing 5 times and running into the default
|
|
||||||
# restart counter limit (5).
|
|
||||||
systemd.services.sshd.wants = [ "network-online.target" ];
|
|
||||||
systemd.services.sshd.after = [ "network-online.target" ];
|
|
||||||
|
|
||||||
bagel.services.forgejo = {
|
|
||||||
enable = true;
|
|
||||||
sshBindAddr = ipv6.forgejo;
|
|
||||||
};
|
|
||||||
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "git.infra.forkos.org";
|
|
||||||
}
|
|
|
@ -2,6 +2,8 @@
|
||||||
networking.hostName = "meta01";
|
networking.hostName = "meta01";
|
||||||
networking.domain = "infra.forkos.org";
|
networking.domain = "infra.forkos.org";
|
||||||
|
|
||||||
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
bagel.sysadmin.enable = true;
|
||||||
# netbox is proxied.
|
# netbox is proxied.
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
@ -22,15 +24,6 @@
|
||||||
bagel.services.prometheus.enable = true;
|
bagel.services.prometheus.enable = true;
|
||||||
bagel.services.loki.enable = true;
|
bagel.services.loki.enable = true;
|
||||||
bagel.services.grafana.enable = true;
|
bagel.services.grafana.enable = true;
|
||||||
bagel.services.grapevine.enable = true;
|
|
||||||
bagel.services.pyroscope.enable = true;
|
|
||||||
bagel.services.tempo.enable = true;
|
|
||||||
bagel.services.hookshot = {
|
|
||||||
enable = true;
|
|
||||||
admins = [
|
|
||||||
"@k900:0upti.me"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
i18n.defaultLocale = "fr_FR.UTF-8";
|
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||||
|
|
||||||
|
|
|
@ -1,50 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
networking.hostName = "public01";
|
|
||||||
# TODO: make it the default
|
|
||||||
networking.domain = "infra.forkos.org";
|
|
||||||
|
|
||||||
bagel.status = {
|
|
||||||
enable = true;
|
|
||||||
domain = "status.forkos.org";
|
|
||||||
};
|
|
||||||
|
|
||||||
bagel.sysadmin.enable = true;
|
|
||||||
# Newsletter is proxied.
|
|
||||||
bagel.raito.v6-proxy-awareness.enable = true;
|
|
||||||
bagel.newsletter = {
|
|
||||||
enable = true;
|
|
||||||
domain = "news.forkos.org";
|
|
||||||
};
|
|
||||||
bagel.hardware.raito-vm = {
|
|
||||||
enable = true;
|
|
||||||
networking = {
|
|
||||||
nat-lan-mac = "BC:24:11:A4:F7:D3";
|
|
||||||
wan = {
|
|
||||||
address = "2001:bc8:38ee:100:1000::60/64";
|
|
||||||
mac = "BC:24:11:DB:B8:10";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
bagel.services.s3-revproxy = {
|
|
||||||
enable = true;
|
|
||||||
domain = "forkos.org";
|
|
||||||
s3.apiUrl = "s3.delroth.net";
|
|
||||||
targets = {
|
|
||||||
channels = "bagel-channels";
|
|
||||||
releases = "bagel-releases";
|
|
||||||
channel-scripts-test = "bagel-channel-scripts-test";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
deployment.targetHost = "public01.infra.forkos.org";
|
|
||||||
}
|
|
|
@ -1,10 +1,6 @@
|
||||||
{ pkgs, lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
|
||||||
./netboot.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
###### Hardware ######
|
###### Hardware ######
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
|
||||||
boot.kernelModules = [ "kvm-amd" ];
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
{ config, lib, pkgs, nodes, modulesPath, ... }:
|
|
||||||
|
|
||||||
# The way the connection is established is specific to the wob01 site and the Intel S2600KPR blades.
|
|
||||||
# Proper netboot is not possible, because while the blades and the APU board (which is the netboot
|
|
||||||
# server here) are in the same L2 network, the uplink connection of each blade is an LACP LAG,
|
|
||||||
# meaning that the switch on the other side will only enable the port if it sees valid LACP packets.
|
|
||||||
# We work around this by presenting a virtual floppy drive using the "IUSB" protocol of the BMC.
|
|
||||||
# This virtual floppy drive contains an per-blade customized initramfs which will initialize the
|
|
||||||
# network connection including IP configuration and load the actual image off hydra.
|
|
||||||
|
|
||||||
let
|
|
||||||
netboot-server-ip = "2a01:584:11::2";
|
|
||||||
netbootNodes = lib.filterAttrs (_: node: node.config.bagel.baremetal.builders.enable && node.config.bagel.baremetal.builders.netboot) nodes;
|
|
||||||
in {
|
|
||||||
|
|
||||||
assertions = [
|
|
||||||
{
|
|
||||||
assertion = !(lib.elem 443 config.networking.firewall.allowedTCPPorts);
|
|
||||||
message = ''
|
|
||||||
Port 443 is in networking.firewalls.allowedTCPPorts, but should be only manually
|
|
||||||
allowed for specific IPs and source ports in ${builtins.toJSON __curPos}
|
|
||||||
'';
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
systemd.services = lib.mapAttrs' (nodename: node: let
|
|
||||||
bmcIp = "192.168.1.${toString (node.config.bagel.baremetal.builders.num * 4 + 2)}";
|
|
||||||
notipxe = node.config.system.build.notipxe.config.system.build.usbImage;
|
|
||||||
in lib.nameValuePair "iusb-spoof-${nodename}" {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
serviceConfig = {
|
|
||||||
Restart = "always";
|
|
||||||
};
|
|
||||||
script = ''
|
|
||||||
AUTH_TOKEN=$(${pkgs.iusb-spoof}/bin/make-token ${bmcIp})
|
|
||||||
exec ${pkgs.iusb-spoof}/bin/iusb-spoof -r ${bmcIp} 5123 $AUTH_TOKEN ${notipxe}
|
|
||||||
'';
|
|
||||||
}) netbootNodes;
|
|
||||||
|
|
||||||
# Since the builders are stateless, they can not store their ssh hostkeys
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ]; # for ACME
|
|
||||||
networking.firewall.extraInputRules = ''
|
|
||||||
ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
|
|
||||||
'';
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
virtualHosts."vpn-gw.wob01.infra.forkos.org" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations = lib.mapAttrs' (nodename: node: let
|
|
||||||
ip = "2a01:584:11::1:${toString node.config.bagel.baremetal.builders.num}";
|
|
||||||
in lib.nameValuePair "/${nodename}/" {
|
|
||||||
root = "/var/www";
|
|
||||||
extraConfig = ''
|
|
||||||
allow ${ip};
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
}) netbootNodes;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,14 +0,0 @@
|
||||||
# A wrapper for colmena that prevents accidentally deploying changes without
|
|
||||||
# having pulled.
|
|
||||||
{ colmena, runCommandNoCC }:
|
|
||||||
runCommandNoCC "colmena-wrapper"
|
|
||||||
{
|
|
||||||
env.colmena = "${colmena}/bin/colmena";
|
|
||||||
} ''
|
|
||||||
mkdir -p $out
|
|
||||||
ln -s ${colmena}/share $out/share
|
|
||||||
mkdir $out/bin
|
|
||||||
|
|
||||||
substituteAll ${./colmena-wrapper.sh.in} $out/bin/colmena
|
|
||||||
chmod +x $out/bin/colmena
|
|
||||||
''
|
|
|
@ -1,29 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
doChecks() {
|
|
||||||
# creates refs in the refs/prefetch/remotes/origin namespace
|
|
||||||
echo "Prefetching repo changes..." >&2
|
|
||||||
git fetch --quiet --prefetch --no-write-fetch-head origin
|
|
||||||
|
|
||||||
diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
|
|
||||||
only_in_local=$(echo "$diffs" | cut -f1)
|
|
||||||
only_in_main=$(echo "$diffs" | cut -f2)
|
|
||||||
|
|
||||||
if [[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]; then
|
|
||||||
echo >&2
|
|
||||||
echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
|
|
||||||
echo "This will probably revert someone's changes. Consider merging them." >&2
|
|
||||||
echo "If you really mean it, set the environment variable FOOTGUN_ME_UWU" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $only_in_local -gt 0 ]]; then
|
|
||||||
echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
if [[ $1 == 'apply' ]]; then
|
|
||||||
doChecks
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec @colmena@ "$@"
|
|
|
@ -1,65 +0,0 @@
|
||||||
# Some useful utilities to do things that depends on the nixpkgs library.
|
|
||||||
{ lib }:
|
|
||||||
let
|
|
||||||
inherit (lib) listToAttrs zipListsWith nameValuePair length range foldl any mapAttrs;
|
|
||||||
in
|
|
||||||
rec {
|
|
||||||
closedOpenInterval = a: b: { start = a; end = b; };
|
|
||||||
interval = a: b: closedOpenInterval a b;
|
|
||||||
singleton = x: interval x (x + 1);
|
|
||||||
|
|
||||||
inRange = i: range: i >= range.start && i < range.end;
|
|
||||||
|
|
||||||
# Build a selector function that will filters point-by-point any index in xs.
|
|
||||||
# e.g. if you want to select specific indexes you can just use that.
|
|
||||||
# If you want to select contiguous interval of indexes, you are better served by
|
|
||||||
# `mkIntervalFilter`.
|
|
||||||
mkPointwiseFilter = xs: index: any (allowedIndex: index == allowedIndex) xs;
|
|
||||||
|
|
||||||
# Build a selector function that will filters interval-by-interval any index in intervals.
|
|
||||||
# It will check if the given index is present in any of the passed intervals according
|
|
||||||
# to `inRange`.
|
|
||||||
mkIntervalFilter = intervals: index: any (allowedRange: inRange index allowedRange) intervals;
|
|
||||||
|
|
||||||
# Build an attribute set map from values to indexes.
|
|
||||||
# e.g. reversedEnumerate [ "a" "b" ] == { "a" = 0; "b" = 1; }.
|
|
||||||
reversedEnumerate = list: listToAttrs
|
|
||||||
(zipListsWith
|
|
||||||
(index: value: nameValuePair value index)
|
|
||||||
(range 0 (length list - 1))
|
|
||||||
list);
|
|
||||||
|
|
||||||
# Collect a list of attribute sets into an attribute set.
|
|
||||||
# Merge order depends on attrValues iteration order and foldl.
|
|
||||||
chainAttrs = attrs: foldl (a: b: a // b) { } (builtins.attrValues attrs);
|
|
||||||
|
|
||||||
# Given an attribute set of an attribute set of items, does it describe a valid partition of some global set?
|
|
||||||
# This does not check for completeness.
|
|
||||||
# idFunction :: Attrs K V → List Identifier
|
|
||||||
isValidPartition = attrs:
|
|
||||||
let
|
|
||||||
values = builtins.attrValues attrs;
|
|
||||||
in
|
|
||||||
# TODO(performance?): this is the simple dumb idea.
|
|
||||||
# A better idea would use n(n - 1)/2 iterations over values to exploit symmetry of item equality.
|
|
||||||
# To do so, a strategy could be to consider all shifted toplevel identifiers lists and zip them.
|
|
||||||
# There's sum_k(n - k) such lists, and therefore: n(n - 1)/2 lists.
|
|
||||||
# For every list, we need to perform list intersection which is supposedly in O(n log n) in the size of the nodes identifiers.
|
|
||||||
# So, if we have N subsets in the partition and each subset has at most K items, we end up doing something like (K log K) * N(N - 1)/2
|
|
||||||
# In practice, K should be the biggest and N is quite small.
|
|
||||||
lib.all (subset:
|
|
||||||
lib.all (anotherSubset:
|
|
||||||
subset != anotherSubset -> lib.intersectAttrs subset anotherSubset == {}
|
|
||||||
) values
|
|
||||||
) values;
|
|
||||||
|
|
||||||
# Renumber an attribute set of items.
|
|
||||||
# For each item in the attribute set, we replace its value by a call to the renumbering function
|
|
||||||
# where we pass renumberedIndex and value.
|
|
||||||
# It's a form of imap for attribute sets.
|
|
||||||
renumber = indexFn: renumberingFn: attrs:
|
|
||||||
let
|
|
||||||
indexes = reversedEnumerate (map (n: toString (indexFn n)) (builtins.attrValues attrs));
|
|
||||||
in
|
|
||||||
mapAttrs (name: value: renumberingFn indexes.${toString (indexFn value)} value) attrs;
|
|
||||||
}
|
|
|
@ -1,9 +1 @@
|
||||||
[
|
[]
|
||||||
(final: prev: {
|
|
||||||
iusb-spoof = final.callPackage ./iusb-spoof.nix {};
|
|
||||||
u-root = final.callPackage ./u-root {};
|
|
||||||
pyroscope = final.callPackage ./pyroscope {};
|
|
||||||
s3-revproxy = final.callPackage ./s3-revproxy {};
|
|
||||||
git-gc-preserve = final.callPackage ./git-gc-preserve {};
|
|
||||||
})
|
|
||||||
]
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
{ writeShellApplication, git, nettools }:
|
|
||||||
|
|
||||||
writeShellApplication {
|
|
||||||
name = "git-gc-preserve";
|
|
||||||
|
|
||||||
runtimeInputs = [ git nettools ];
|
|
||||||
|
|
||||||
text = (builtins.readFile ./script.sh);
|
|
||||||
}
|
|
|
@ -1,132 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
set +o errexit
|
|
||||||
# Copyright (C) 2022 The Android Open Source Project
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
usage() { # exit code
|
|
||||||
cat <<-EOF
|
|
||||||
NAME
|
|
||||||
git-gc-preserve - Run git gc and preserve old packs to avoid races for JGit
|
|
||||||
SYNOPSIS
|
|
||||||
git gc-preserve
|
|
||||||
DESCRIPTION
|
|
||||||
Runs git gc and can preserve old packs to avoid races with concurrently
|
|
||||||
executed commands in JGit.
|
|
||||||
This command uses custom git config options to configure if preserved packs
|
|
||||||
from the last run of git gc should be pruned and if packs should be preserved.
|
|
||||||
This is similar to the implementation in JGit [1] which is used by
|
|
||||||
JGit to avoid errors [2] in such situations.
|
|
||||||
The command prevents concurrent runs of the command on the same repository
|
|
||||||
by acquiring an exclusive file lock on the file
|
|
||||||
"\$repopath/gc-preserve.pid"
|
|
||||||
If it cannot acquire the lock it fails immediately with exit code 3.
|
|
||||||
Failure Exit Codes
|
|
||||||
1: General failure
|
|
||||||
2: Couldn't determine repository path. If the current working directory
|
|
||||||
is outside of the working tree of the git repository use git option
|
|
||||||
--git-dir to pass the root path of the repository.
|
|
||||||
E.g.
|
|
||||||
$ git --git-dir ~/git/foo gc-preserve
|
|
||||||
3: Another process already runs $0 on the same repository
|
|
||||||
[1] https://git.eclipse.org/r/c/jgit/jgit/+/87969
|
|
||||||
[2] https://git.eclipse.org/r/c/jgit/jgit/+/122288
|
|
||||||
CONFIGURATION
|
|
||||||
"pack.prunepreserved": if set to "true" preserved packs from the last gc run
|
|
||||||
are pruned before current packs are preserved.
|
|
||||||
"pack.preserveoldpacks": if set to "true" current packs will be hard linked
|
|
||||||
to objects/pack/preserved before git gc is executed. JGit will
|
|
||||||
fallback to the preserved packs in this directory in case it comes
|
|
||||||
across missing objects which might be caused by a concurrent run of
|
|
||||||
git gc.
|
|
||||||
EOF
|
|
||||||
exit "$1"
|
|
||||||
}
|
|
||||||
# acquire file lock, unlock when the script exits
|
|
||||||
lock() { # repo
|
|
||||||
readonly LOCKFILE="$1/gc-preserve.pid"
|
|
||||||
test -f "$LOCKFILE" || touch "$LOCKFILE"
|
|
||||||
exec 9> "$LOCKFILE"
|
|
||||||
if flock -nx 9; then
|
|
||||||
echo -n "$$ $USER@$(hostname)" >&9
|
|
||||||
trap unlock EXIT
|
|
||||||
else
|
|
||||||
echo "$0 is already running"
|
|
||||||
exit 3
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
unlock() {
|
|
||||||
# only delete if the file descriptor 9 is open
|
|
||||||
if { : >&9 ; } &> /dev/null; then
|
|
||||||
rm -f "$LOCKFILE"
|
|
||||||
fi
|
|
||||||
# close the file handle to release file lock
|
|
||||||
exec 9>&-
|
|
||||||
}
|
|
||||||
# prune preserved packs if pack.prunepreserved == true
|
|
||||||
prune_preserved() { # repo
|
|
||||||
configured=$(git --git-dir="$1" config --get pack.prunepreserved)
|
|
||||||
if [ "$configured" != "true" ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
local preserved=$1/objects/pack/preserved
|
|
||||||
if [ -d "$preserved" ]; then
|
|
||||||
printf "Pruning old preserved packs: "
|
|
||||||
count=$(find "$preserved" -name "*.old-pack" | wc -l)
|
|
||||||
rm -rf "$preserved"
|
|
||||||
echo "$count, done."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
# preserve packs if pack.preserveoldpacks == true
|
|
||||||
preserve_packs() { # repo
|
|
||||||
configured=$(git --git-dir="$1" config --get pack.preserveoldpacks)
|
|
||||||
if [ "$configured" != "true" ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
local packdir=$1/objects/pack
|
|
||||||
pushd "$packdir" >/dev/null || exit 1
|
|
||||||
mkdir -p preserved
|
|
||||||
printf "Preserving packs: "
|
|
||||||
count=0
|
|
||||||
for file in pack-*{.pack,.idx} ; do
|
|
||||||
ln -f "$file" preserved/"$(get_preserved_packfile_name "$file")"
|
|
||||||
if [[ "$file" == pack-*.pack ]]; then
|
|
||||||
((count++))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
echo "$count, done."
|
|
||||||
popd >/dev/null || exit 1
|
|
||||||
}
|
|
||||||
# pack-0...2.pack to pack-0...2.old-pack
|
|
||||||
# pack-0...2.idx to pack-0...2.old-idx
|
|
||||||
get_preserved_packfile_name() { # packfile > preserved_packfile
|
|
||||||
local old=${1/%\.pack/.old-pack}
|
|
||||||
old=${old/%\.idx/.old-idx}
|
|
||||||
echo "$old"
|
|
||||||
}
|
|
||||||
# main
|
|
||||||
while [ $# -gt 0 ] ; do
|
|
||||||
case "$1" in
|
|
||||||
-u|-h) usage 0 ;;
|
|
||||||
esac
|
|
||||||
shift
|
|
||||||
done
|
|
||||||
args=$(git rev-parse --sq-quote "$@")
|
|
||||||
repopath=$(git rev-parse --git-dir)
|
|
||||||
if [ -z "$repopath" ]; then
|
|
||||||
usage 2
|
|
||||||
fi
|
|
||||||
lock "$repopath"
|
|
||||||
prune_preserved "$repopath"
|
|
||||||
preserve_packs "$repopath"
|
|
||||||
git gc ${args:+"$args"} || { EXIT_CODE="$?"; echo "git gc failed"; exit "$EXIT_CODE"; }
|
|
|
@ -1,23 +0,0 @@
|
||||||
{ rustPlatform, python3, makeWrapper }:
|
|
||||||
let
|
|
||||||
pythonEnv = python3.withPackages (p: with p; [ requests ]);
|
|
||||||
in
|
|
||||||
|
|
||||||
rustPlatform.buildRustPackage rec {
|
|
||||||
pname = "iusb-spoof";
|
|
||||||
version = "0.1.0";
|
|
||||||
|
|
||||||
src = builtins.fetchGit {
|
|
||||||
url = "https://git.lix.systems/the-distro/iusb-spoof/";
|
|
||||||
rev = "fafd47986239cc2f4dfbbae74b17555608806581";
|
|
||||||
};
|
|
||||||
|
|
||||||
cargoLock.lockFile = src + "/Cargo.lock";
|
|
||||||
|
|
||||||
nativeBuildInputs = [ makeWrapper ];
|
|
||||||
|
|
||||||
postInstall = ''
|
|
||||||
install -Dm644 $src/make-token.py $out/opt/make-token.py
|
|
||||||
makeWrapper ${pythonEnv.interpreter} $out/bin/make-token --add-flags "$out/opt/make-token.py"
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -1,43 +0,0 @@
|
||||||
{ lib
|
|
||||||
, buildGo122Module
|
|
||||||
, fetchFromGitHub
|
|
||||||
}:
|
|
||||||
|
|
||||||
# FIXME: update, remove this pin
|
|
||||||
buildGo122Module rec {
|
|
||||||
pname = "pyroscope";
|
|
||||||
version = "1.7.1";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "grafana";
|
|
||||||
repo = "pyroscope";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-iMP67J0Q8Cgo52iImMzAM3PEkk6uLF7r6v9TyXZVaIE=";
|
|
||||||
};
|
|
||||||
|
|
||||||
env.GOWORK = "off";
|
|
||||||
|
|
||||||
vendorHash = "sha256-ggntpnU9s2rpkv6S0LnZNexrdkBsdsUrGPc93SVrK4M=";
|
|
||||||
|
|
||||||
subPackages = [ "cmd/profilecli" "cmd/pyroscope" ];
|
|
||||||
|
|
||||||
ldflags = [
|
|
||||||
"-extldflags"
|
|
||||||
"-static"
|
|
||||||
"-s"
|
|
||||||
"-w"
|
|
||||||
"-X=github.com/grafana/pyroscope/pkg/util/build.Branch=${src.rev}"
|
|
||||||
"-X=github.com/grafana/pyroscope/pkg/util/build.Version=${version}"
|
|
||||||
"-X=github.com/grafana/pyroscope/pkg/util/build.Revision=${src.rev}"
|
|
||||||
"-X=github.com/grafana/pyroscope/pkg/util/build.BuildDate=1970-01-01T00:00:00Z"
|
|
||||||
];
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "Continuous profiling platform";
|
|
||||||
homepage = "https://github.com/grafana/pyroscope";
|
|
||||||
changelog = "https://github.com/grafana/pyroscope/blob/${src.rev}/CHANGELOG.md";
|
|
||||||
license = licenses.agpl3Only;
|
|
||||||
maintainers = with maintainers; [ raitobezarius ];
|
|
||||||
mainProgram = "pyroscope";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,39 +0,0 @@
|
||||||
# Originally written by Jade Lovelace for Lix.
|
|
||||||
{ lib, buildGoModule, fetchFromGitHub }:
|
|
||||||
buildGoModule rec {
|
|
||||||
pname = "s3-revproxy";
|
|
||||||
version = "4.15.0";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "oxyno-zeta";
|
|
||||||
repo = "s3-proxy";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-q0cfAo8Uz7wtKljmSDaJ320bjg2yXydvvxubAsMKzbc=";
|
|
||||||
};
|
|
||||||
|
|
||||||
vendorHash = "sha256-dOwNQtTfOCQcjgNBV/FeWdwbW9xi1OK5YD7PBPPDKOQ=";
|
|
||||||
|
|
||||||
ldflags = [
|
|
||||||
"-X github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/version.Version=${version}"
|
|
||||||
"-X github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/version.Metadata="
|
|
||||||
];
|
|
||||||
|
|
||||||
postPatch = ''
|
|
||||||
# Refer to the included templates in the package instead of cwd-relative
|
|
||||||
sed -i "s#Path = \"templates/#Path = \"$out/share/s3-revproxy/templates/#" pkg/s3-proxy/config/config.go
|
|
||||||
'';
|
|
||||||
|
|
||||||
postInstall = ''
|
|
||||||
mkdir -p $out/share/s3-revproxy
|
|
||||||
cp -r templates/ $out/share/s3-revproxy/templates
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = {
|
|
||||||
description = "S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)";
|
|
||||||
homepage = "https://oxyno-zeta.github.io/s3-proxy";
|
|
||||||
# hm, not having a maintainers entry is kind of inconvenient
|
|
||||||
maintainers = [ ];
|
|
||||||
licenses = lib.licenses.asl20;
|
|
||||||
mainProgram = "s3-proxy";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,20 +0,0 @@
|
||||||
{ buildGoModule, fetchFromGitHub }:
|
|
||||||
|
|
||||||
buildGoModule rec {
|
|
||||||
pname = "u-root";
|
|
||||||
version = "0.14.0";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "u-root";
|
|
||||||
repo = "u-root";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-8zA3pHf45MdUcq/MA/mf0KCTxB1viHieU/oigYwIPgo=";
|
|
||||||
};
|
|
||||||
|
|
||||||
patches = [
|
|
||||||
./u-root-allow-https.patch
|
|
||||||
];
|
|
||||||
|
|
||||||
vendorHash = null;
|
|
||||||
doCheck = false;
|
|
||||||
}
|
|
|
@ -1,12 +0,0 @@
|
||||||
diff --git a/pkg/curl/schemes.go b/pkg/curl/schemes.go
|
|
||||||
index 8bac3bc0..cd396cbc 100644
|
|
||||||
--- a/pkg/curl/schemes.go
|
|
||||||
+++ b/pkg/curl/schemes.go
|
|
||||||
@@ -81,6 +81,7 @@ var (
|
|
||||||
DefaultSchemes = Schemes{
|
|
||||||
"tftp": DefaultTFTPClient,
|
|
||||||
"http": DefaultHTTPClient,
|
|
||||||
+ "https": DefaultHTTPClient,
|
|
||||||
"file": &LocalFileClient{},
|
|
||||||
}
|
|
||||||
)
|
|
|
@ -1 +0,0 @@
|
||||||
use nix
|
|
|
@ -1,5 +0,0 @@
|
||||||
# PKI management
|
|
||||||
|
|
||||||
This is our expressions to generate and manage our PKI in the project.
|
|
||||||
|
|
||||||
We are using NitroHSMs for the offline storage and OpenBao server for the online operations.
|
|
|
@ -1,17 +0,0 @@
|
||||||
# CA certificate chains
|
|
||||||
|
|
||||||
## `ca.crt`
|
|
||||||
|
|
||||||
The root CA.
|
|
||||||
|
|
||||||
## `ica1.crt`
|
|
||||||
|
|
||||||
The chain from ICA1 to root CA.
|
|
||||||
|
|
||||||
## `ica2.crt`
|
|
||||||
|
|
||||||
The chain from ICA2 to root CA (ICA2 → ICA1 → root CA), this is what you want to usually use to trust our PKI, assuming you send any intermediate CAs.
|
|
||||||
|
|
||||||
## `infra.crt`
|
|
||||||
|
|
||||||
The chain from the infra CA to root CA (infra → ICA2 → ICA1 → root CA), this is what you want to trust for the infrastructure.
|
|
|
@ -1,19 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
|
|
||||||
ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
|
|
||||||
WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
|
|
||||||
wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
|
|
||||||
N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
|
|
||||||
kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
|
|
||||||
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
|
|
||||||
hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
|
|
||||||
I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
|
|
||||||
Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,36 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICrzCCAhKgAwIBAgIUUfC3HiC4wWFjkavirLxjTpVrxkcwCgYIKoZIzj0EAwIw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzExNjQ0MjJaFw0yNTAxMzAxNjQ0MjJaMIGZ
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0
|
|
||||||
ZSBDQTEgdjEgMCowBQYDK2VwAyEA/SgktXV6oQ4Bk5X9P0uAtX08g4hgdyYY/q+z
|
|
||||||
0C+D9OujYzBhMB0GA1UdDgQWBBRqxA1IFDZW0IULtTmjs6HdHnmL+zAfBgNVHSME
|
|
||||||
GDAWgBRlFXmiKsRTP5Jn0wTWH+rGMisrgTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
|
|
||||||
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBigAwgYYCQDgp6p7TvWOZmaC0WZHnVCeU
|
|
||||||
AVJ1qSKjHRqnLUHAIBoPTvsEm1ActVcOYOyq5VxS7StirkULn7qWKzr2l67k5MYC
|
|
||||||
QgG5sSKwP7vn+2B+/yNkBQTbHKyNZAQOg+tvPTwrmzmBzak3J1b2d4+qSkq9JEnZ
|
|
||||||
uCAwXV3uHmNPlK4jgr4SHxwYKg==
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
|
|
||||||
ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
|
|
||||||
WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
|
|
||||||
wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
|
|
||||||
N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
|
|
||||||
kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
|
|
||||||
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
|
|
||||||
hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
|
|
||||||
I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
|
|
||||||
Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,51 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICXTCCAg+gAwIBAgIUcLJmuRVLSn7NRVKOJnLIcIjAKy0wBQYDK2VwMIGZMQsw
|
|
||||||
CQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQx
|
|
||||||
FzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVt
|
|
||||||
cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0ZSBD
|
|
||||||
QTEgdjEgMB4XDTI0MTIzMTE2NTA0OVoXDTI1MTIzMTE2NTExOVowgZoxCzAJBgNV
|
|
||||||
BAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEjAQBgNVBAcTCURhcm1zdGFkdDEXMBUG
|
|
||||||
A1UEChMORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsTJEZsb3JhbCBTeXN0ZW1zIENl
|
|
||||||
cnRpZmljYXRlIEF1dGhvcml0eTEeMBwGA1UEAxMVSW50ZXJtZWRpYXRlIENBMiB2
|
|
||||||
MS4xMCowBQYDK2VwAyEAlMaf5T/o39ZZmieNszDxjsVP06xb3IIV7ds+01g2pQij
|
|
||||||
ZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW
|
|
||||||
BBS8G8fUlv8s+7AvikDnIS4j8bp7HjAfBgNVHSMEGDAWgBRqxA1IFDZW0IULtTmj
|
|
||||||
s6HdHnmL+zAFBgMrZXADQQDBLEUMedqJhNtRqEOY2NHsRdqhA5kvzDuYk+hUyCaQ
|
|
||||||
VhLbW5+EfQL7vLkv8VihN7jlaRl+ngsfRBLK0LA4YJkB
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICrzCCAhKgAwIBAgIUUfC3HiC4wWFjkavirLxjTpVrxkcwCgYIKoZIzj0EAwIw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzExNjQ0MjJaFw0yNTAxMzAxNjQ0MjJaMIGZ
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0
|
|
||||||
ZSBDQTEgdjEgMCowBQYDK2VwAyEA/SgktXV6oQ4Bk5X9P0uAtX08g4hgdyYY/q+z
|
|
||||||
0C+D9OujYzBhMB0GA1UdDgQWBBRqxA1IFDZW0IULtTmjs6HdHnmL+zAfBgNVHSME
|
|
||||||
GDAWgBRlFXmiKsRTP5Jn0wTWH+rGMisrgTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
|
|
||||||
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBigAwgYYCQDgp6p7TvWOZmaC0WZHnVCeU
|
|
||||||
AVJ1qSKjHRqnLUHAIBoPTvsEm1ActVcOYOyq5VxS7StirkULn7qWKzr2l67k5MYC
|
|
||||||
QgG5sSKwP7vn+2B+/yNkBQTbHKyNZAQOg+tvPTwrmzmBzak3J1b2d4+qSkq9JEnZ
|
|
||||||
uCAwXV3uHmNPlK4jgr4SHxwYKg==
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
|
|
||||||
ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
|
|
||||||
WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
|
|
||||||
wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
|
|
||||||
N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
|
|
||||||
kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
|
|
||||||
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
|
|
||||||
hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
|
|
||||||
I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
|
|
||||||
Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,66 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICbDCCAh6gAwIBAgIUfzoqAP1fiwDncDYJjtLvHQcjobQwBQYDK2VwMIGaMQsw
|
|
||||||
CQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQx
|
|
||||||
FzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVt
|
|
||||||
cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHjAcBgNVBAMTFUludGVybWVkaWF0ZSBD
|
|
||||||
QTIgdjEuMTAeFw0yNTAxMDEwMTA3NDVaFw0yNjAxMDEwMTA4MTVaMIGoMQswCQYD
|
|
||||||
VQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQxFzAV
|
|
||||||
BgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVtcyBD
|
|
||||||
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxLDAqBgNVBAMTI0ludGVybWVkaWF0ZSBJbmZy
|
|
||||||
YXN0cnVjdHVyZSBDQSB2MS4xMCowBQYDK2VwAyEAgE4pxQEoZ1nhYtBUoamCkJEZ
|
|
||||||
VjnYABTm8iWSe4UPtdOjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
|
|
||||||
AQH/AgEAMB0GA1UdDgQWBBQyAkN71b8P9RTIIS8c8zpxmFpGaTAfBgNVHSMEGDAW
|
|
||||||
gBS8G8fUlv8s+7AvikDnIS4j8bp7HjAFBgMrZXADQQC1mhYcFCc34g3Yu7I32Un1
|
|
||||||
Ux60AnboO8eG+C8hGktxvBZNoGJ9uYjoyp+LwiAEa1NBLavPnOFFGATmCcCbGekA
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICXTCCAg+gAwIBAgIUcLJmuRVLSn7NRVKOJnLIcIjAKy0wBQYDK2VwMIGZMQsw
|
|
||||||
CQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3RhZHQx
|
|
||||||
FzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lzdGVt
|
|
||||||
cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0ZSBD
|
|
||||||
QTEgdjEgMB4XDTI0MTIzMTE2NTA0OVoXDTI1MTIzMTE2NTExOVowgZoxCzAJBgNV
|
|
||||||
BAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEjAQBgNVBAcTCURhcm1zdGFkdDEXMBUG
|
|
||||||
A1UEChMORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsTJEZsb3JhbCBTeXN0ZW1zIENl
|
|
||||||
cnRpZmljYXRlIEF1dGhvcml0eTEeMBwGA1UEAxMVSW50ZXJtZWRpYXRlIENBMiB2
|
|
||||||
MS4xMCowBQYDK2VwAyEAlMaf5T/o39ZZmieNszDxjsVP06xb3IIV7ds+01g2pQij
|
|
||||||
ZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQW
|
|
||||||
BBS8G8fUlv8s+7AvikDnIS4j8bp7HjAfBgNVHSMEGDAWgBRqxA1IFDZW0IULtTmj
|
|
||||||
s6HdHnmL+zAFBgMrZXADQQDBLEUMedqJhNtRqEOY2NHsRdqhA5kvzDuYk+hUyCaQ
|
|
||||||
VhLbW5+EfQL7vLkv8VihN7jlaRl+ngsfRBLK0LA4YJkB
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICrzCCAhKgAwIBAgIUUfC3HiC4wWFjkavirLxjTpVrxkcwCgYIKoZIzj0EAwIw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzExNjQ0MjJaFw0yNTAxMzAxNjQ0MjJaMIGZ
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0
|
|
||||||
ZSBDQTEgdjEgMCowBQYDK2VwAyEA/SgktXV6oQ4Bk5X9P0uAtX08g4hgdyYY/q+z
|
|
||||||
0C+D9OujYzBhMB0GA1UdDgQWBBRqxA1IFDZW0IULtTmjs6HdHnmL+zAfBgNVHSME
|
|
||||||
GDAWgBRlFXmiKsRTP5Jn0wTWH+rGMisrgTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
|
|
||||||
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBigAwgYYCQDgp6p7TvWOZmaC0WZHnVCeU
|
|
||||||
AVJ1qSKjHRqnLUHAIBoPTvsEm1ActVcOYOyq5VxS7StirkULn7qWKzr2l67k5MYC
|
|
||||||
QgG5sSKwP7vn+2B+/yNkBQTbHKyNZAQOg+tvPTwrmzmBzak3J1b2d4+qSkq9JEnZ
|
|
||||||
uCAwXV3uHmNPlK4jgr4SHxwYKg==
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
|
|
||||||
gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
|
|
||||||
dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
|
|
||||||
eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
|
|
||||||
c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
|
|
||||||
MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
|
|
||||||
ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
|
|
||||||
dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
|
|
||||||
ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
|
|
||||||
WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
|
|
||||||
wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
|
|
||||||
N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
|
|
||||||
kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
|
|
||||||
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
|
|
||||||
hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
|
|
||||||
I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
|
|
||||||
Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,8 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE REQUEST-----
|
|
||||||
MIIBGjCBzQIBADCBmTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjESMBAG
|
|
||||||
A1UEBxMJRGFybXN0YWR0MRcwFQYDVQQKEw5GbG9yYWwgU3lzdGVtczEtMCsGA1UE
|
|
||||||
CxMkRmxvcmFsIFN5c3RlbXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR0wGwYDVQQD
|
|
||||||
ExRJbnRlcm1lZGlhdGUgQ0ExIHYxIDAqMAUGAytlcAMhAP0oJLV1eqEOAZOV/T9L
|
|
||||||
gLV9PIOIYHcmGP6vs9Avg/TroAAwBQYDK2VwA0EATxwhMrur5dneuko3+Atpwt7V
|
|
||||||
HIW1LrZKqbyo0DPVhs5mcQ9BXKFX1N+zhReR8Et/tx3ZIJ+OtjZslBQ71JESCA==
|
|
||||||
-----END CERTIFICATE REQUEST-----
|
|
|
@ -1,3 +0,0 @@
|
||||||
# A trace of our CSRs files
|
|
||||||
|
|
||||||
This is a collection of the CSRs we built for our needs.
|
|
|
@ -1,23 +0,0 @@
|
||||||
{ flake ? import ../., nixpkgs ? flake.inputs.nixpkgs, pkgs ? import nixpkgs { } }:
|
|
||||||
{
|
|
||||||
shell = pkgs.mkShell {
|
|
||||||
buildInputs = [
|
|
||||||
pkgs.openssl
|
|
||||||
];
|
|
||||||
|
|
||||||
OPENSSL_CONF = pkgs.writeText "openssl-pkcs11.conf" ''
|
|
||||||
openssl_conf = openssl_def
|
|
||||||
|
|
||||||
[openssl_def]
|
|
||||||
engines = engine_section
|
|
||||||
|
|
||||||
[engine_section]
|
|
||||||
pkcs11 = pkcs11_section
|
|
||||||
|
|
||||||
[pkcs11_section]
|
|
||||||
engine_id = pkcs11
|
|
||||||
dynamic_path = ${pkgs.libp11}/lib/engines/libpkcs11.so
|
|
||||||
MODULE_PATH = ${pkgs.opensc}/lib/opensc-pkcs11.so
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
# OpenSSL policies for extensions and CAs
|
|
|
@ -1,56 +0,0 @@
|
||||||
[ ca ]
|
|
||||||
# `man ca`
|
|
||||||
default_ca = CA_default
|
|
||||||
|
|
||||||
[ CA_default ]
|
|
||||||
# Directory and file locations.
|
|
||||||
dir = .
|
|
||||||
certs = $dir/certs
|
|
||||||
crl_dir = $dir/crl
|
|
||||||
new_certs_dir = $dir/newcerts
|
|
||||||
database = $dir/index.txt
|
|
||||||
serial = $dir/serial
|
|
||||||
|
|
||||||
# SHA-1 is deprecated, so use SHA-2 instead.
|
|
||||||
default_md = sha512
|
|
||||||
|
|
||||||
name_opt = ca_default
|
|
||||||
cert_opt = ca_default
|
|
||||||
default_days = 375
|
|
||||||
preserve = no
|
|
||||||
policy = policy_strict
|
|
||||||
|
|
||||||
[ policy_strict ]
|
|
||||||
# The root CA should only sign intermediate certificates that match.
|
|
||||||
# See the POLICY FORMAT section of `man ca`.
|
|
||||||
countryName = match
|
|
||||||
stateOrProvinceName = match
|
|
||||||
organizationName = match
|
|
||||||
organizationalUnitName = optional
|
|
||||||
commonName = supplied
|
|
||||||
emailAddress = optional
|
|
||||||
|
|
||||||
[ req ]
|
|
||||||
# Options for the `req` tool (`man req`).
|
|
||||||
default_bits = 4096
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
string_mask = utf8only
|
|
||||||
prompt = no
|
|
||||||
|
|
||||||
# SHA-1 is deprecated, so use SHA-2 instead.
|
|
||||||
default_md = sha512
|
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
|
||||||
C = DE
|
|
||||||
ST = Hessen
|
|
||||||
L = Darmstadt
|
|
||||||
O = Floral Systems
|
|
||||||
OU = Floral Systems Certificate Authority
|
|
||||||
CN = Floral Systems Root CA
|
|
||||||
|
|
||||||
[ v3_ca ]
|
|
||||||
# Extensions for a typical CA (`man x509v3_config`).
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
authorityKeyIdentifier = keyid:always,issuer
|
|
||||||
basicConstraints = critical, CA:true
|
|
||||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
|
|
@ -1,6 +0,0 @@
|
||||||
[ v3_intermediate_ca ]
|
|
||||||
# Extensions for a typical intermediate CA (`man x509v3_config`).
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
authorityKeyIdentifier = keyid:always,issuer
|
|
||||||
basicConstraints = critical, CA:true
|
|
||||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
|
|
@ -1,2 +0,0 @@
|
||||||
(import ./. { }).shell
|
|
||||||
|
|
85
secrets.nix
85
secrets.nix
|
@ -1,80 +1,25 @@
|
||||||
let
|
let
|
||||||
keys = import common/ssh-keys.nix;
|
keys = import common/ssh-keys.nix;
|
||||||
|
|
||||||
commonKeys = {
|
commonKeys = keys.users.delroth ++ keys.users.raito;
|
||||||
# WARNING: `keys.users.*` are *lists*, so you need concatenate them, don't put them into lists!
|
|
||||||
# Otherwise, agenix will be confused!
|
|
||||||
global = keys.users.raito;
|
|
||||||
lix = keys.users.hexchen ++ keys.users.jade;
|
|
||||||
floral = keys.users.delroth;
|
|
||||||
};
|
|
||||||
|
|
||||||
secrets = with keys; {
|
secrets = with keys; {
|
||||||
floral = {
|
hydra-s3-credentials = [ machines.bagel-box ];
|
||||||
hydra-postgres-key = [ machines.build-coord ];
|
hydra-signing-priv = [ machines.bagel-box ];
|
||||||
hydra-s3-credentials = [ machines.build-coord ];
|
hydra-ssh-key-priv = [ machines.bagel-box ];
|
||||||
hydra-signing-priv = [ machines.build-coord ];
|
netbox-environment = [ machines.meta01 ];
|
||||||
hydra-ssh-key-priv = [ machines.build-coord ];
|
mimir-environment = [ machines.meta01 ];
|
||||||
|
grafana-oauth-secret = [ machines.meta01 ];
|
||||||
|
loki-environment = [ machines.meta01 ];
|
||||||
|
|
||||||
netbox-environment = [ machines.meta01 ];
|
# These are the same password, but nginx wants it in htpasswd format
|
||||||
mimir-environment = [ machines.meta01 ];
|
metrics-push-htpasswd = [ machines.meta01 ];
|
||||||
mimir-webhook-url = [ machines.meta01 ];
|
metrics-push-password = builtins.attrValues machines;
|
||||||
grafana-oauth-secret = [ machines.meta01 ];
|
|
||||||
loki-environment = [ machines.meta01 ];
|
|
||||||
gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
|
|
||||||
pyroscope-secrets = [ machines.meta01 ];
|
|
||||||
tempo-environment = [ machines.meta01 ];
|
|
||||||
|
|
||||||
buildbot-worker-password = [ machines.buildbot ];
|
|
||||||
buildbot-oauth-secret = [ machines.buildbot ];
|
|
||||||
buildbot-workers = [ machines.buildbot ];
|
|
||||||
# Private SSH key to Gerrit
|
|
||||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
|
||||||
buildbot-service-key = [ machines.buildbot ];
|
|
||||||
# Signing key for Buildbot's specific cache
|
|
||||||
buildbot-signing-key = [ machines.buildbot ];
|
|
||||||
buildbot-remote-builder-key = [ machines.buildbot ];
|
|
||||||
|
|
||||||
# These are the same password, but nginx wants it in htpasswd format
|
|
||||||
metrics-push-htpasswd = [ machines.meta01 ];
|
|
||||||
# Yes, even Lix machines are included in this monitoring infrastructure.
|
|
||||||
metrics-push-password = builtins.attrValues machines;
|
|
||||||
|
|
||||||
ows-deploy-key = [ machines.gerrit01 ];
|
|
||||||
s3-channel-staging-keys = [ machines.gerrit01 ];
|
|
||||||
s3-channel-keys = [ machines.gerrit01 ];
|
|
||||||
|
|
||||||
postgres-ca-priv = [ machines.bagel-box ];
|
|
||||||
postgres-tls-priv = [ machines.bagel-box ];
|
|
||||||
rabbitmq-password = [ machines.bagel-box ];
|
|
||||||
gerrit-event-listener-ssh-key = [ machines.bagel-box ];
|
|
||||||
|
|
||||||
newsletter-secrets = [ machines.public01 ];
|
|
||||||
s3-revproxy-api-keys = [ machines.public01 ];
|
|
||||||
stateless-uptime-kuma-password = [ machines.public01 ];
|
|
||||||
|
|
||||||
openbao-auth-token-bagel-box = [ machines.bagel-box ];
|
|
||||||
};
|
|
||||||
|
|
||||||
lix = {
|
|
||||||
buildbot-worker-password = [ machines.buildbot-lix ];
|
|
||||||
buildbot-oauth-secret = [ machines.buildbot-lix ];
|
|
||||||
buildbot-workers = [ machines.buildbot-lix ];
|
|
||||||
# Private SSH key to Gerrit
|
|
||||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
|
|
||||||
buildbot-service-key = [ machines.buildbot-lix ];
|
|
||||||
# Signing key for Buildbot's specific cache
|
|
||||||
buildbot-signing-key = [ machines.buildbot-lix ];
|
|
||||||
buildbot-remote-builder-key = [ machines.buildbot-lix ];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
mkSecretListFor = tenant:
|
|
||||||
map (secretName: {
|
|
||||||
name = "secrets/${tenant}/${secretName}.age";
|
|
||||||
value.publicKeys = secrets.${tenant}."${secretName}" ++ commonKeys.global ++ commonKeys.${tenant};
|
|
||||||
}) (builtins.attrNames secrets.${tenant});
|
|
||||||
in
|
in
|
||||||
builtins.listToAttrs (
|
builtins.listToAttrs (
|
||||||
(mkSecretListFor "floral") ++ (mkSecretListFor "lix")
|
map (secretName: {
|
||||||
|
name = "secrets/${secretName}.age";
|
||||||
|
value.publicKeys = secrets."${secretName}" ++ commonKeys;
|
||||||
|
}) (builtins.attrNames secrets)
|
||||||
)
|
)
|
||||||
|
|
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 87T2Ig tzPD1x6XKuDfgJ8jkQnwW/ALp2pkANCeNoO8xdUqq30
|
|
||||||
QSsuO6Dwc8QJuY92gXRnWB5aJ2SU9X2uFh01GmLVaQE
|
|
||||||
-> ssh-ed25519 K3b7BA 9G9Uw1xY8hq//xphNWrPn5y7vG2o8/kwkC8cJGuf/mI
|
|
||||||
Ip0019OUaFq2ZDFI3i77hdsp9IqFV2qqYIB/TnDSXgo
|
|
||||||
-> ssh-ed25519 +qVung dx22ef+x9X5mr73L8NUzxYQa640M2XViELjJcpgF3go
|
|
||||||
CXyit7pk8SPNHBgULlMQUAasGAn4C36zcwOBDI46nU4
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
NlGh0hM10NOuek7MbrFo0iul0kQQtDFmZIhgpyqaATMdCDRBXJOyhASHU5N0zDDJ
|
|
||||||
MLaJUV0l2o1ghBF9RhSKdoUPVEn8Cce/nfQepYzMlfc4UG3qWXwabwR6EtqqCZCJ
|
|
||||||
jAEWZ8taTKDmzoXwuygCW+bRBuoMMrcfzu7V90N+mQpZWtOScatb6E7d5VRqjlar
|
|
||||||
st1ZQu5ccghufyQSUmOC7GpojOyutX5EvbMGn84X4ouZRHRX/8fTgaqicV+aeAIb
|
|
||||||
QyXisOrO6C+Jle5qfxzMSe8c/TCyF2574kD6F1BQ9Kpkinn8v7OWcIXtkNmZ5hzK
|
|
||||||
vs0Bej8yZVsoBkj1vWAM0A
|
|
||||||
-> ssh-ed25519 /vwQcQ n+hr1cV1zRs1S86YnA+0oRB8SCaPKtkoMNe15ZsVVwM
|
|
||||||
fdFtUqno07ik6FpW5zMImIjd8wM8dMgwU+RqjeT2PiI
|
|
||||||
-> ssh-ed25519 0R97PA ddPILw57gkuKvAqlmpa+MnV/LSEdyQzQaAarCUqQ1xE
|
|
||||||
ozK5a6uXZDc17OrX0OZun9hmZwP3H3rYQiNuKnukqsg
|
|
||||||
--- f7yGgKQpCPj64Ps0HfMcToYircGH5SPqMzVZrUMB8ZI
|
|
||||||
føv[iY\ÅšMP,¯Ùh°Èxb—Ðÿ«J<C2AB>*ºË"”+¬ÒA0T˜?KmˆPÈË2¹'2±‚µ³Ø=¯êÚÏŸj”
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 87T2Ig p8lEB5da4fIfLH/HKBsghzq5mvQLB69UB4+uAi3DGCw
|
|
||||||
NeZ3jPTUKa7MiqjrFPrYuP4VneytQPdBNqf+omPZJYM
|
|
||||||
-> ssh-ed25519 K3b7BA uP2K1hU7uLmiHXmmoUdsB7CHQq61ZkEAjG/aK863RDw
|
|
||||||
0chTczEMXASdYiwqNxDQ+vMXXhjOf64oIQ2ULZmQI8Y
|
|
||||||
-> ssh-ed25519 +qVung jUgEqz3+ypL7mwJ1R7lfeOMhkon/aRrNSJUJT3X7vmU
|
|
||||||
pgOiwrp9JiA20yw9bsxi8eiQ9/23CYXKRBGF1pea9eI
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
snCHrLHzkjimwIxKO90IjnHwOArlozO9kd/aCdZZnYNgh/QG3rUSceSn9yTHbtMV
|
|
||||||
izv0SU51LrRU+JyE+a524AxKhyPBvGDig20j7hMy5fVxZqeunztqtlha5gaYYaQg
|
|
||||||
Tbfs9tDP+pCIgzMVNqYf6EJ4MK7qjNf9DE5I490Eta5YZxAi/3To3BmZmIYtCz6l
|
|
||||||
1kNRiSmWCbZqE25keFgPCgRMFXAFK9W6NmL+HamqCUhjPoJg/Gd4sf39EONT0PYg
|
|
||||||
7BpCOAnwwfECHPxpM3qv0h2kJXTb4DZ715cFReSVyQe5fvKv8hoWhl/S+++pEYT8
|
|
||||||
u/LKBx/o7e3Kd7cm2RGnBw
|
|
||||||
-> ssh-ed25519 /vwQcQ 4+IQPRsMMHmuSGL7T7IbRkTTuL+TTqgdQp5FSbyt8Dw
|
|
||||||
KOI0LKQ0oA5XtxaW7wftlEJB0BGVnx41HUJMG92SRUA
|
|
||||||
-> ssh-ed25519 0R97PA l1aWUEv8nLEtYnpY1gjTJqk5UYm51NDqOjYmL83rZ10
|
|
||||||
B7qDZwCpolkIajqCXeOepwmF6ciJfKvr+AN7VouMUvA
|
|
||||||
--- lz/IMMPxBpD3Bzuv9Wl23+swBQHlblhlAO/ZXAgN0hU
|
|
||||||
µoÍüÌ<EFBFBD>²-‚Īr °eó|Í?ït
èìÎZ<C38E>¬sÒì!ŸƒÁ<>@Ï'–ìèz6UöÎgJøÑOµ–s13<31>š‹8<î’%-·Ô‡Eÿ}–Šdm9¿å¢Óoæ
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 j2r2qQ vwcaLpvGJ9swXnV8idDwi9jdRPSj38As9p2QFkIJ1Xc
|
|
||||||
FLnZeblHDQQcWjFm1iaghbvuFgOG3miwtkRE5sz1+X0
|
|
||||||
-> ssh-ed25519 K3b7BA 9VRe2rBwg3G9lxxfxL/yLob2NZmLJTBMxzx0Ew8VwmY
|
|
||||||
/I2W80UykNvll5o98OPeMpIsddOel9B7uQlio0X3gcs
|
|
||||||
-> ssh-ed25519 +qVung VsqKzMD85aps4PIx2zqae2Dj7YWibiaKYb5z7ws8ggM
|
|
||||||
Y9dRd/hOz8h4avlutBQ1YZgHIAf/AuTr5WaByKlFbLE
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
gjyaUFrIIbZnFTGVw4XEZzkTIP/+qXV6/q0W8Wb4EtqQXDRISFT+bwxQU/S2p5hf
|
|
||||||
7+JGcn4BZg6puOJ5BBABWtpn6gcX5OFfga5azIdioF/R19XByT+0SK5njw8g1VPS
|
|
||||||
R7o8kQt2yvKWayoq9Cis5XRg+4KANkwOQaNTO8AdiCwgq9nc0Cd9avk8QhaFoR74
|
|
||||||
D5cf8jPsufp744rQqwhWDoG533LS1WUUuYZqRmtp2Vz+r583RhSscaNyA7ddr7o6
|
|
||||||
e9ZQJyL5bKiN8qe3Xm76lLypf/wg7+aGn8HHnO6GA65g+VYfjLMODEqCN/+uDJtB
|
|
||||||
g8v2wzKIGYlZiV1hEjH8nw
|
|
||||||
-> ssh-ed25519 /vwQcQ 4pU5JGK5vpZbFgq01a9YY8VmSJvPSHPSZD50TLJwKHc
|
|
||||||
L46UA/p+bNSR8cLmL8G7VpmAcZ+sy5AROc4yj2ABOWg
|
|
||||||
-> ssh-ed25519 0R97PA Tk00kYLhsEy1HJcmKLgaLWTdNP8XV/cdKHMLzyK6glk
|
|
||||||
kwyQZr/h6MutROJmjVfPWGcf9xN5Uc5w5mVyuKcK64g
|
|
||||||
--- E0vVtBqbjNkZY0/1dFJ53uVAR7IGPO+OMmXkpJcKmlw
|
|
||||||
{ÐQê%è‹õY•B,isr¥1‘<31>|¼yLÕ'7?¶iŠM…¶MU]×ê/d2¸I1u¶2hZjHåh&¥
|
|
Binary file not shown.
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 +uvEmw Kuduppyhz98frjlV96R/WcmPdaWmHbNKZhQs76GGTx8
|
|
||||||
7zpedlPflGOi6FqkpswAJflx77yde7M2XlTw/8mz2tU
|
|
||||||
-> ssh-ed25519 K3b7BA TPNmUK38+TR58MpsgxIe91bY6E1j9HecIFn0AKdat20
|
|
||||||
MjXh06xd3mkPcK+iEonx+itsHvEGHSknzO6Sgh5WdZ4
|
|
||||||
-> ssh-ed25519 +qVung KereHQ3Kl0f7O0xzl2s4Yu4KX7OOA17R7p/w8uRx/AQ
|
|
||||||
3aOqUoBCDurkh5jT2fq5MDPQKIDISQdXBhF+qeRppnA
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
TVlmM2LYR339Aglo2D4j/Itr0E+mg7UEaV9n+sUYyit0phWS1zMI2YMc78Xbmn73
|
|
||||||
6U0VYi/3hpesD6/8uA5sywuueOMntlL32aECz/DJPC71feMjvHTxiJpqnFw6DQYJ
|
|
||||||
FvERtvJ2U7QiStv6UeS1vOucP1/om0Qj4smTXBWYsDglTSLx56/bghCsM21RNZZb
|
|
||||||
yd8JE5CEdtCHduj+uRHbnEYsnGYM7R/Gw9XAuajFLw6BxqEtHi5xOivQ2P0Tm+Bc
|
|
||||||
SVHW48iF8S3q1tx5QU7oIMZcCobOeHb6w+C1GHiSeJy3R8hWkEwfNxCCc0rSItKd
|
|
||||||
edqO4YPz/zT2DWoUx+n0Og
|
|
||||||
-> ssh-ed25519 /vwQcQ TLa0Xty2LlqBiP9Lk0lC+S/BoVT+VbRhY3qPHIGf20E
|
|
||||||
3mzqkwT8dvP11GAVJiVIc+MiN/pLP2b6KbC+1F86tg8
|
|
||||||
-> ssh-ed25519 0R97PA pbGz7e6nU4M4cpJRmmxWxUV3O2rWytIP18M7OpMpa04
|
|
||||||
doSBv72rqS5gNusMjKw8KwzXHbzoLlFUSdLqp/f5aRM
|
|
||||||
--- beE6zNg+kY7jke/79FGZoNTq7Wbe3eqNWvLD3igQJdg
|
|
||||||
bÓÿ¾ ¾ÿÔáïØÉmÿŠ$Ÿ–‡¸’Ý={6
eÿ¨SIîumT8”äÿÁ{òo<C3B2>Ë3Ý&¾12¡p¶ œZ÷³4zx¡8B˜¤a@â(_Þ7(‚Ñ^tµä±Á‘<C381>g“Ùà4Ö*&Á`*øäNšB÷$ÉÆ ò£§m<C2A7>"ÓtD$Î5‡ku˜eÎ+X@LJüç£h2ü£Þ*H¥ ÂåaÚ¢
|
|
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 +uvEmw TNYFQxSUv5yMmlTWoIxCOlv6UR+RA50cb5aJbo0yEE0
|
|
||||||
Yw3sTPqYf7A33RI87CqoPWe2gh0FuvdBGGKqHV55Atc
|
|
||||||
-> ssh-ed25519 K3b7BA vMlHenY6jSIfnxQD6xh09cwwV+YVBkLuSMHcyKD+dCk
|
|
||||||
heXkAEqRawBlHqcr6ldmhWmk7qPtGLMDFC3QT79vdMM
|
|
||||||
-> ssh-ed25519 +qVung fgimLW5X0z4Eh2u3fIr5bgR5/c1SKam9CKW/2mqtTik
|
|
||||||
8VKJJr+FRE0j5YvjfdMXugNA4UwUebKrkeAe+9LYBnQ
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
sa3fA4GglovY8H6jimpTvQPW/axun8WADPlIXzpX/Zeshkzem+pQoQqptzDlnmH8
|
|
||||||
8AngqXgFYrmHgNNAylavgcrxbjNrtlJU24ldF1YIubz7VsU1678F27LCd9B0c2dn
|
|
||||||
X+0CccH19lM8Q+zVI2Wrq9R83MEP/5uOOc+eXXnvNSGqfKgZ2OplG/HUllFS13j6
|
|
||||||
uiQy5zwJJKkII7KUThcGteux7NONoLeUqRE8CW2uSeY9fXBWKgxeENKgiT7PEAAo
|
|
||||||
nvwWa+GatEYf6eUz8Lph8lETorgP+7JS2VQRAkmhDbjQLTYzfFmiJGE/mzyobslf
|
|
||||||
ZEq6Oj5UNgnzdWmK5ZYKPg
|
|
||||||
-> ssh-ed25519 /vwQcQ 9EG/cydlzlLd6cFed7DzmwzubzJUXvD9mX3WKDyFD1s
|
|
||||||
3Emj+tVZmnsC/YZdChvyaxeObbBsri347vZl0ff9kH4
|
|
||||||
-> ssh-ed25519 0R97PA kcIYyWKxpJmjcrel+YodZQiR2zGPqfjzMyJXsz2XOzM
|
|
||||||
SUlgGGs2BVRzTHT/ULNo1AiN5SY1BETFtJRY6LDr4JI
|
|
||||||
--- l87sO6IuwSeCeQ8ktvYFI0xr4Utcl8KfpAV7WePc1y4
|
|
||||||
÷ÚÖ~÷J3¦Œ§Í‘1íÇè²ù<º?%×ý<0E>›Á‡ÉÒ\—\Ï7\»Ú¨åU-&W'd”{իɼ½u "Û#Ž}¯õ…x–ìšz¥®Nj„!éfUqDG‘<é<7F>Ñca<63>‚'´+ ¸Ï±]Pó»ö€DÕ¸’´þ<C2B4>£¼ŽÿÂçÌ\¦<>
|
|
|
@ -1,22 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 +uvEmw BoYFUISKrlypCBQW/fA9UNRSnxQ93FkQupWUWAeOd3c
|
|
||||||
wQH9gNk8TtjOgrwYwCuedPBbmftd7JhJk53ga2qo2iE
|
|
||||||
-> ssh-ed25519 K3b7BA vyQIsvbNrHI0Mui5UdLz2mWcYvnTQBupWiAfEP5NfXk
|
|
||||||
WeHg0PyfuaSJVzuiBPa1Tanj4NdqHvnZFWhXhIgbWc0
|
|
||||||
-> ssh-ed25519 +qVung LneEmMhBqJxN0bgM7/Z+jJ8U8MJmCgE2EghBmDJ/aT4
|
|
||||||
nd3B7afUNX1ZLCjHdoJ8+tabXmi38lQkLlhthYjIplI
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
krJRF4AvwfEFro4uiLIBB2RQTwO9COSyAqkjOi6jgLzJFMaU62EZrgfSYu24a6zs
|
|
||||||
JyAHQ5k78uh3EhhbSzu6U65fComCbRAo+NiN2BJU7jb28y64suJbezJ+LE4P35CX
|
|
||||||
biVgycaSc+OCrb1F6e6QOREi7+YjK3VrI4ZVCu93hSQNNRi/U5bbigQXt7NwcSIJ
|
|
||||||
bY93sset4wg9Zwjk7tFg1bHiyOK3ZvYYQGlMjUxiWGl4Qch1fpL2CJNR32mZybps
|
|
||||||
GZc7x69E8EhoHvdI0u1AXwS2raLhyRBPxFzu0r7nPlSi17TnLnU3Ux3BkVEDa6bh
|
|
||||||
eVHqAB4dudNCC4wOY/ZE+Q
|
|
||||||
-> ssh-ed25519 /vwQcQ scOp+aVA3TfY269EzQ6E4YX0uAu7qVVVIDmBvFGaYk8
|
|
||||||
AYqW8+A7oxH/0m8OUReWxto1xWcnOnZOkX45ejuFJiM
|
|
||||||
-> ssh-ed25519 0R97PA YqfHMAAiMcH/efJ0K5URDJkdLqlJIlQ+pSnuGUOJzjI
|
|
||||||
v6BujlFcBF71SzvlZzA+tWku/A8bZzLkRfHtoCdbCO4
|
|
||||||
--- PeORL3PTxYsxaY6GliSm1dRAH+hxf1n5LNeRYDq+poM
|
|
||||||
I«Ñ_÷l꺓CqyƹÚ@‹Ýç¾Wï;äù¹¨<ñÛ5ÅF¼·Ee7þ11=ø‰øQ<‚pmƒ¬ì¼^²<>òŸµÉÑÃÙƒ¨[†GÞ½÷$j†©<E280A0>±¨m’±‡I×ñí¶\«•ÉO§ëÇBdÜÛ< O›ª$ª„5£ãÒ¼âá‰õw˜REŽ3Y×ë!Ïd4ŒBFõ‡>ªŠÈ˜\EKËhæg‹ôÙ^f;ˆ1>tk ™‹£{ª»ÓMð³ D§š³87®\uÄ,íSá›ÕIinÀ:ø¢z"“Æ<1E>-XBñíÀ<C3AD>‰u<E280B0>jš
C5Õ‘Ðï,Âg“*\]ÒO†îÇye5ïQîÄ!‰$þ.‹†+ù¦²¶zÀF¨ÑŠ^¨·SµµL<11>äÍB+óÓ¼ËR“Hxö6ÿåʉ1f<31>=jú8›¾!o¿@‚Rzrü5p´(#‰w|Gd×¼O@>²0ã{$ËhE‹°Ä<C2B0>ÕûS
ê_¦æš^#›Oÿžò– 2c¹ŽŸ#G<>ž'º?e9yÂ)ô
ªÅ–Ì~ÑÓ¤
|
|
||||||
Ì’tl##„»I³>o½Å³°)ˆóu
|
|
||||||
†
|
|
|
@ -1,20 +0,0 @@
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
||||||
<EFBFBD>
|
|
Binary file not shown.
|
@ -1,68 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 +HUDfA d5f2ESneC0wsoc9rwTjNfNXMBjCbjAQ7euthH2Buq1E
|
|
||||||
5CynaQ8zhDRBvcmifhCsiDtllztCVAqs8rU36DOxgPw
|
|
||||||
-> ssh-ed25519 +uvEmw EtYRis2LP0jv1W8mx8vFYNzkgi8OoqnA8cM2huS6NBk
|
|
||||||
ll1csFIO+hVYk+I0uSVJmlDKj9aTWvf4kaYI5LJcm7w
|
|
||||||
-> ssh-ed25519 DMaM1w ex4QJN8CG99J15i+yvqGEiEZn9OlGIC+cmLHL4u8ZEI
|
|
||||||
VXnOv4CGK68q5t6hUV3oKAtxGZ+4FVbrmE1yMn16A0Q
|
|
||||||
-> ssh-ed25519 sixKXw drXN6+q1y7L7ZU4chTfHfelu5GcTdff+i/UMFV0+3RQ
|
|
||||||
+8jmgnMh2OpQ3vhAuyQYWslfx7KO84a8KsCpoRD3Yl8
|
|
||||||
-> ssh-ed25519 aHbF7w Af7NgjZ/Nvh5FHrX2VlF5riTIhJ+fdxTo6OR+8PcNwA
|
|
||||||
ktKpm/HnOnw2Ym7xee3N1rneEX7+/xDhcp71N1NNHAA
|
|
||||||
-> ssh-ed25519 87T2Ig 8mEUxJ/5NUvV+qQCDQH2Tm6Ryr5hf4xgsQlqXGf03Fw
|
|
||||||
EavMcnsg/3EYBLQEBHX+0oTDKq5ZL4vj+mZntPM8UMU
|
|
||||||
-> ssh-ed25519 Ao+7Wg UphWbatIaa+R1oZbfHazFhrawf0vax/3ZZS7YuX03Hs
|
|
||||||
dwBbwoV0jpjiKr+nj+CRfUDgDl7ISpsCintVAzHnIFQ
|
|
||||||
-> ssh-ed25519 wIR2ZA ZM58Nq7eJX9JVeYkoJf+mw8hxhYGoTx042ow1u3mJkw
|
|
||||||
UtEaf7e4xsPO0ISlIF9LF+GcwTBqw4AXdMO4MASfgLQ
|
|
||||||
-> ssh-ed25519 oGiV/Q G5KX/Eox+9md0yFRUZvGIsio2gWM17soHsL6H6zEX2g
|
|
||||||
vI8jPjBAoFF0xhvRRLPzCMSiQOQ0fKuRb3CYVu3KUUo
|
|
||||||
-> ssh-ed25519 gO3aog p9nZtjzoA0zJM+7Y6R16mpdub3dhu67yOYTUNKRytgI
|
|
||||||
YL9vAp1+CK7jgmXkB47ufZMz+/swngkdUvEGR1zFZwc
|
|
||||||
-> ssh-ed25519 N/+Clw 6LzFdtNsWewuJK2r97ZXJbRazvK3raN78UGanR/zWVU
|
|
||||||
WT0y+sfDP3ffVwRcbYw51ArFR3OzXnoyi9IXwZZKEL8
|
|
||||||
-> ssh-ed25519 CtkSZw CV0jQ5dIbgFtMxGK1X9b1qJOKmske8VgIPW5NW9mAwc
|
|
||||||
clv7P3de61nZmXrvbOgL7Llw8ZqBMm2WFqgpznDwKv8
|
|
||||||
-> ssh-ed25519 keg2lg 3Nk40ByQj8RThj4QDY2BdAkw55mXAJprXQRGjQqGvz0
|
|
||||||
f8OFszJ8p90crFd+awEE12CNd7b22zgpH2XRKmH/Hf0
|
|
||||||
-> ssh-ed25519 H885DA GDiJYH+gaC++TSqfoPDOTFcsCZRhEl0EeTeab7tgcWU
|
|
||||||
kMILmwNMnMS7rgC3kKsAksu4Txn5owPU2y09h4aHKY8
|
|
||||||
-> ssh-ed25519 Rq7K4Q VCNxGtCSCD2OYSWWwl0+yf189xV3QwRiwo80h4NPTkE
|
|
||||||
hHkgYHLbISdl/RRdlInp9ub854M9ZKFSXpLgKW2YkmQ
|
|
||||||
-> ssh-ed25519 vvyRpw XSCCrqEOtvzQRssI0U1DHirKoPgbOUKJxNKnioHhT2Y
|
|
||||||
HGey1j0Kxae5Qs0aw6eqFziQGiRmNA+lEwbRdf5hhbM
|
|
||||||
-> ssh-ed25519 aSEktQ mXY70Lgl76J4O5dPdDcIqmJ40EinigDuZrUghpGOq2I
|
|
||||||
U2qeVFxGCYCEFWU+7vHc5Mu9EuzScowrjnwUyoqPj5U
|
|
||||||
-> ssh-ed25519 cD6JxA at89poimBZyeeM8CQrxDxN0yCNDT2k04++py1fFycj8
|
|
||||||
cQV/K5zc5x/oYnJ4N0MX3sTboT4G4ZNvVUVdHuJRzbA
|
|
||||||
-> ssh-ed25519 ec6XRQ spJtb/xy4k4dmwKz8R2CPhC1WcuNV/rnDT978GkjHHk
|
|
||||||
KrGEVGts/AhzbRNreqQ/CVanXL3l/9oMWxnpBLj23qU
|
|
||||||
-> ssh-ed25519 1qYEfw KRkTYlvvnsCIExKQNmCyU7YxnGZsiI03kzecXNpLzUQ
|
|
||||||
h2YagV7BzlsF7banzwXbOudTdlFzT7LC8PvtxAsX36U
|
|
||||||
-> ssh-ed25519 2D+APA 4hdYlOnNIT9Q6tyKwXzy+u66Ti2EJopK43Sipebd0As
|
|
||||||
tuesc9/QcEu4q9bTFJ5zJr0qvgLcmpn4at4cYtHrtbE
|
|
||||||
-> ssh-ed25519 eTSU6g i1qT6PtepHXnoLCqDbhk86QG+SR9luQaw34a34gy5mw
|
|
||||||
YE9VBAT5SLW2ECHRU+dMg9na6OQNVRVGuhY8vOdmE/Q
|
|
||||||
-> ssh-ed25519 j2r2qQ TTTbSB/8UIDmmI3C9+u24PYZNfjl9jGADKHNWIwLfGE
|
|
||||||
SNDforwii/GFp82TpyOcVIVrZWCe2QQKrjzPA6XA7Jc
|
|
||||||
-> ssh-ed25519 CyxfgQ P5EiJ54v65Sz1gHuI0s170Z7c1WjcZLlb7NYigElfVs
|
|
||||||
iYJUGpoE9LBIlv+O1navSSsy3EJ8tusXXX+/QAQvjNI
|
|
||||||
-> ssh-ed25519 C/bBAQ hlBDpQRkcVCr3B6TCrBjxauhUX6Ndpm0s6x8W4hU6gM
|
|
||||||
OFG3EuGJkSoEEXhbJ/Tp2DBdnBcs+hzxjNRdvcOSpQs
|
|
||||||
-> ssh-ed25519 +qVung cGEGpO8NJfpj9ixAH9lhYkPKPDdQWryVxSOhMGQdnWM
|
|
||||||
+MycbIEab3P/AOS9i/YmPBDXB76hp3xUcWI4VMihV2w
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
Zv3dPYERlX1MaVaJTBDwIcjt1yLmu4Z7MovPgjGg01p+XsdBXeepTyOl+gRBwGgo
|
|
||||||
AW5CIuaChYxtSNJ6nOgSaUpqzILycUF1xE1jROe3MIX2MZ4KGD1qoqcHbiCAng+a
|
|
||||||
RqYrwAKnNea9FQMVfhYZBkRoYE6ne1R+0G6BoFM/okz24pAAFPBx+sMMhfTkt0uV
|
|
||||||
kHVx0dgRw1pxa7Na98WH/7E0zp9VuBvVHGXfk1rfW/UQlbIO5RP3nldFoa6OmOWS
|
|
||||||
JZ022UvjyC1re0KCurka4y+qmaiRKnTBmpIXxJFMwNCAQ8O8SeAQ3DHKHmXNMOIL
|
|
||||||
ZVICtRRk0uX36AVU8DWDog
|
|
||||||
-> ssh-ed25519 /vwQcQ kF8+hsA+0Msjd3q0SL52cae5RDqx4ls5kPKnc3UZyms
|
|
||||||
Q33kIKJL3Vjxu7LQ5l4M3tlEuj+OW4uGh1x+JxthW8A
|
|
||||||
-> ssh-ed25519 0R97PA gWBH71l6w9upTE0DwqOMSvWXc5VyJiKFAQLaSpWQ43E
|
|
||||||
IrOrvzEa0bABw6UOpP8pM8WhuRNMaWJ2khljJIKwOS8
|
|
||||||
-> ssh-ed25519 K3b7BA oS14iav9pSioLecMkOanJz89OJygLugvrnnTs5pKzz8
|
|
||||||
akupMSiqXussXJyHwFm/f0imKALjowJVqd8/LFcC/58
|
|
||||||
--- bCJXTEDaKg4FF2dQp2zFMU4Zm0zACekCuDvthcAyncM
|
|
||||||
&Ÿ€Waïãà›BD R(¯¥Ñ”ufj<>úVÁ8nÆ>‚ß›øëæðZúâ{Idƒ„©,³*„%Ç“È‚z«
|
|
Binary file not shown.
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 j2r2qQ uYhcMpOER5j/SWUX1mNvkOU9Rumr0CgVBuGv9EHGpFY
|
|
||||||
6kAgrwjgB7C1cMd410EpUegcxxGRcNOwCMJPXppepvE
|
|
||||||
-> ssh-ed25519 K3b7BA 57GDNt5nwxgzCV5bnMPEPUeyZNG1U+zajCIjeoHjLAE
|
|
||||||
rFCbfodjXHZ0aVLtW6xtoh6e/VH/HwFdFzjnQ2QEEXQ
|
|
||||||
-> ssh-ed25519 +qVung DnLKAJPnUDpZ2+wXDZWpxwZkvv8oDyu3xxObTMT9W1I
|
|
||||||
vh59DYoQLpiro5eBjwgNH2YHRsGY/i6TB7zPfQicOEU
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
ekvGooB5sCmAniHU7hlk+iCkYMQ7Rw2SJx8tp4FnpfAWJbRMH8CpTFYFiDvlHfFy
|
|
||||||
Ce1OpkNkkipzBge0OCrfn6Y5iVz2CZHYHf8Ul5ueHwmb5fS7seT3yMoWhhSw/zE/
|
|
||||||
G3snrBORT9S9+KTRnVnKiy+O3CaMZY+q41RR35Fs3mmVc/of2ILc/Jj3a3t+uBTX
|
|
||||||
axkOMU6z6R6i3Ps5SbwJTaB9q2kMPvZFOO9Nmku1wohjetz64wvm+fDx0XVRPe4A
|
|
||||||
jDQRPKAMIZK68SYHk/9azmlBtJSJnvxcxyj3IaU9MBskUCldWi8CQ9jQ+1XAIuHX
|
|
||||||
0Etcsx7MhzBpuhx2xZ+dyg
|
|
||||||
-> ssh-ed25519 /vwQcQ uW41w2RAtfMaOm1wJktMcbVporqKgdGA5SY03OcPmlM
|
|
||||||
WgL8DWPU735Ysowq0HtvbrT6Tc3XEpwws3AycqpBgtM
|
|
||||||
-> ssh-ed25519 0R97PA 59AFQx8ngDwQUdmfOeOFUARQQqaAdLA5WH67Wsld4yM
|
|
||||||
o6jSWtlidZssWsJsI8xAaASi8p1sirLJFJwizzPXIBM
|
|
||||||
--- scUnldbU89ICZYlniDbGEqeUF7QUoO1kcZLl8abyttk
|
|
||||||
öR{p@IµþOlKKõŒ§!<01>œWÎÅœ[R<-A‚ÐbÔ<¯·÷0õÐu¹øµñU’gBÏF~µ«=ÊõeQò}î4Ø:ô²¢5ƯŠtaØ™û”<C3BB>æ·<C3A6>§°x±Më?Ew0<77>8.
|
|
Binary file not shown.
|
@ -1,21 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 CyxfgQ fWH/o2+Uf0i/JFIuVjCnkhDIfYndtL8EeDcxSxhKVH8
|
|
||||||
ShSPmdwnxzDuUe/kCx8e61JJAoHMwguNydn+5OIGuAg
|
|
||||||
-> ssh-ed25519 K3b7BA p+wXAGvPqTX63dlZNCTIq3F4QFMWEJH1R+Ex4SJ5UTk
|
|
||||||
1sFqFqnUM8YvZy7BEBArg3eLxCCsLXq2jNI7XLKq/Ww
|
|
||||||
-> ssh-ed25519 +qVung rcpgzVQ1PmoNF2i0K0nAknzZwPXICBggzqhIZwO+8xY
|
|
||||||
9rjsTwLm5u1GOJmnJYriXXAY1unG7y+WJ4G2ltxX34U
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
seXsQjs62kxn/agyKda2l19PI4xzDl1gM7rEnaEBV8UNLOPNxh41HTnP2etgDXSc
|
|
||||||
4eyS3ntHXIOHmN4+JBn+Q/wuhzMGQmAcoFWbjqVVPOrpPYjgCG7q/iUD8kULxLB9
|
|
||||||
UpF0gLsg1TnvrkTwlpxr8rP/PM+ZgyQAA84S96j9TW0coyTUoH/ZX1wWGtS4aalm
|
|
||||||
aTrOMZGScZu7onTg+tYvR+aBKlFL28h08I5nqbA39srnCNuU68+OUhLgLUfiTscl
|
|
||||||
umwNh/C4BP2Tmc6gxQiY8o3tGqGBssGH5+WqKzbK151vJjq80RKAS1HCaSSfmxkP
|
|
||||||
vWkXWN3NQkJyqCBpuPYilg
|
|
||||||
-> ssh-ed25519 /vwQcQ eUH0B+cCoUubIKbG+bA25kRj0TnZabB6t8jVK04NrFs
|
|
||||||
ovkI0C4W5CJXMZIZdpaTtQNc+TGkQ3Yq87Dei3BMUsA
|
|
||||||
-> ssh-ed25519 0R97PA u/I45pxH3Bnja/Jw/6IukINRuC0e1IKu8UVygVgIomc
|
|
||||||
xyHuiHf1/nJirnhXbGHJnextGQa95tDo/RPRRnDCkIg
|
|
||||||
--- LGqO4Bsa8bofD1W5YrQp75SlGLNg1XaFZ0rPUuvLPTo
|
|
||||||
Êçã ‹ÜmlW£{@I3…*¹ŒÇ™@ÞªL7Wª
¤ÝŒY
|
|
||||||
n
õö~Tb\V‘•ÜvPÙpPôïoÌS"ôm/Ûµ/bÝp’Äžêq¸£¦šeDj6–ÆþTì)
|
|
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 +HUDfA h3M3Sv+URNI4Bwyhtp4T/ongaF+PcccBItQySrm9LF4
|
|
||||||
/N9DjQhFHXEWsi8+LMmE8fgAJqoc4kLIP9MNmQIAyPo
|
|
||||||
-> ssh-ed25519 +qVung lqAB+w68iIV5xb6XJW4XgSVlS6bKs+t3VIHV+pMqcTk
|
|
||||||
QY+zLs7HlyhuVQLFjZUGUznRb4f18WMGt29yNNeoZAQ
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
q90GbYnwXNyhuKo2b1fqr0t9KHVaX/5nLCTq9nm775/aE08ANAoqDZz1mx45BV3x
|
|
||||||
o/YolJQK3KTUhfnBk84WpkbhbXQHsJ/3po5Tm5X4lLC1u65vE3NYUHAWzTvMHRl8
|
|
||||||
761t/DArIOdKOF0a5aSJVc6Ctzkkrtr89JbHDQU7/1iGmVJEdyFMuqwCqCcxgEFc
|
|
||||||
KSZ8X7A8u5kO+GBwzHjoW0PB79Y7zQSXl2+HeLBosg7hsgr0UvR4FCkQTNPh4BMb
|
|
||||||
2Zd5vzXtpGCCHEwlHYLTwC4df0ZxRbGkIgOWMwLW+vXg0vLpp6JK1UAvtnEAmXHI
|
|
||||||
pznGdso3v7jVZWoNVYj4VQ
|
|
||||||
-> ssh-ed25519 /vwQcQ vhf0oc9AHXuZFS9gycHJBPqDanBu6ccj8Sdj2twBRHo
|
|
||||||
S2+UTHgbdqYT6mqPMOzxUOoRdQbcy24iFyzZlZS+cVc
|
|
||||||
-> ssh-ed25519 0R97PA Zdd0zeYNf54auL18VNZXFG7Pnt1dBTxy8Jd0BH0E0Cs
|
|
||||||
XmAcUAlJw2oqt3npQ7TlUFHKkf02lhGbo4ZQF266GNg
|
|
||||||
-> ssh-ed25519 K3b7BA 3Nk8bfaks1xLHzD6fKVKApVON3PZHlphDnojrOESnl4
|
|
||||||
Y6qrz0f0qdvkjj7wmmfC5NtYUWnmbW2Q2Eu/eGrXFHM
|
|
||||||
--- 3sa/7w1kNij8+Q0pzBWZVclsbJRM/PF03j36bbYFEZw
|
|
||||||
Ïpª;ìÏhí¹Ãý™MÀœmŸ9d
j–@7¸U
Ÿ¸?#N9¯•ðB_™èõˆ‚l±Vµy<>*
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 CyxfgQ D2o8bUccO13DKF4COLBQ9mJbACsE2XsRa5S+N71WnTk
|
|
||||||
ZaldT7HhQxbxf2ptIwdMYkC60eGtzihc7uwcAkq7s00
|
|
||||||
-> ssh-ed25519 K3b7BA AiUCG5CnNyv1DPu+iEwEgW9GqZ8zgpgxKJTAp350ADc
|
|
||||||
cUVaDv7F1haQIF11/UhhDAR5DrfJlPttGfDjkv+z9vY
|
|
||||||
-> ssh-ed25519 +qVung 1JXeXyea+2Pcwoln/NLRiR8IPPIiB3gaFCP4imyv4DA
|
|
||||||
JWmAY6ZnyU46KxzhRrQigGmUPba9lJDDyRQ2GjQShqc
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
ciLu/+cXfQrB1ms8oTv+xi4eADyL4j0qwnY/6TE0wAXkQHuNXDmpF6ccWZoS2DqN
|
|
||||||
NcnGXL6+WyWxmwlyBEq/rsBPvi1g0M6Md7Z4gXn2UvjJ+S7WyA8QEwkxoTDkJS7x
|
|
||||||
k/NvtunmggVsWVK4Xdi5DKRw+f32qr/8GysDhIPrTt43iReBKNbyuYWmC5Ec85ep
|
|
||||||
JU4JzCNZjJ07kixS5Y9BhaJbpEr47lCXE/KtJUvm3VAxS9IwfUn7KHHdFWynbExi
|
|
||||||
F898j3zOR/kgYmeA0oTiexRD3Y2LCvjXIHQZ3MobbZ/PBrjWxe78Sw2vy2t5JLtB
|
|
||||||
gFG0K8M1z8DT6a8TtvXEgg
|
|
||||||
-> ssh-ed25519 /vwQcQ kUM21TO9iSa8oVXMlNxR7Kc+8TV4C/uTzyQ+t3xnARA
|
|
||||||
oXt+egWWONsKT48H4vZ2CPdy3Zfb2QeQVe9l7dDyO/w
|
|
||||||
-> ssh-ed25519 0R97PA e/piqf2RD5QgPaQs6jsJdzJgfZR9n1JDIWpbvLZErSs
|
|
||||||
UTJH8POFdZ4+N9WkLoNESl1pvcVD0MS1qn7AdS/mg34
|
|
||||||
--- 9aYEP0eHDKMacIf09h+OJqIYw+N99+FrW/x/do8Lbo4
|
|
||||||
$ ÖëWÛ\zú—¾=s/à@.Ç,?ƒW6n^ù#–i!§Ã–ï¶1]±Nvù±Ž'Ï¥¹6?‚'mµpPÒqýŸº
|
|
|
@ -1,20 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 j2r2qQ kbi4mciOrjd7/X86xfmkDaMZhvZakoSJ6qjqLF3ljkE
|
|
||||||
Q2BsgMLJ8AmjhnggRi+wkICj18NCA2HW1t8clemReUw
|
|
||||||
-> ssh-ed25519 K3b7BA wNGmX9S9bJgd2JDte9QoNDfyycgmq4JMu2bc5nyYYik
|
|
||||||
uUiutxAI3nI0M51W97aPRVE/l4dV2PEjph8eWOMLHIE
|
|
||||||
-> ssh-ed25519 +qVung raYJ5vwMP9JopSdfa+ofkLY/gc0zcW4wTNBFTca+MXw
|
|
||||||
sa/rWGSYrI4y6rn4JSboldWKUGvx6HbtsYo78AFOkBo
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
FLq8NwkiGw2gXptVVY393f0p9hFom57xHWPxtAlzOcRT8gvWu/uwgV+0raOcOcJa
|
|
||||||
xxr5Sib+2D3UnUhprVPmH5Os9bI2seFAiej1MVVWLqvMtQHLFwnrzZTyZpxsXpQq
|
|
||||||
5qQhNEADuQc4uD/ELVjGHKt6nF1Cl/GbgNLIOF/ITZ0pm1O1MjtT6MYJhQJhc6sb
|
|
||||||
sno/wQyTXjj7rC06nyLX/rgOWrJSOeaz9eVp0A8k8/I0TXu/vRCW9gqWtv2m8sbh
|
|
||||||
1uUHIm0l8f3z+zrL6OlZnpMFw4jpiiGoCYKPzD17I0onDYIjtdVS5iO9BsckxV/a
|
|
||||||
wQWbyONUwbGCfeNSVAzZbg
|
|
||||||
-> ssh-ed25519 /vwQcQ jwf7fwy4wKz7q761DNu8SyFHGgFlwq4P/Pn44Nido3E
|
|
||||||
1q/jvt/vtD4ziY3eCDqk1XwMPpNUd80POTV2VVsumCE
|
|
||||||
-> ssh-ed25519 0R97PA XeuziQ+wsoh0KSHXk5Qkl1kQOsAu1Ax1zTg13+XWd3M
|
|
||||||
B1KHKm3tx/EsnE6hY+w7ya1ilhYiUs9AbwARHNkJi90
|
|
||||||
--- JgQA6gCYZu8xcbXEl9VypccEIBO6uAJIdhBefr4doRQ
|
|
||||||
V3ZðõÚ<EFBFBD>ç-·Ý.ê«sòÀ³3 ÎiS‰a5#¿Ð{åÔÈ®Dý˜YêNèãëù«ýoL+ÔÝ#–M<sws P»¢+í¢Ó‰ïBDoÊξÆÏuFí”Ç^Â¥•<C2A5>—ÝG@ÍM×ÛãÐØìq¦ºG^Qb s<;ÂÒnC+ÖÊxª_Úì]S<16>Ð
|
|
20
secrets/grafana-oauth-secret.age
Normal file
20
secrets/grafana-oauth-secret.age
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 j2r2qQ qI/dlkHZYcNkCVgZbxpw5Ps2anl8pofaFPi4p6kOHAo
|
||||||
|
KWL+H9at/p/AfCjfO8+SgMhn97F+DqLO2ymYUOHkWjQ
|
||||||
|
-> ssh-ed25519 K3b7BA URYQ0jFY5yHS+dodR1RqodNWrrXkMnzTp5OCSv1gbWI
|
||||||
|
bnyrPvWnzDRNh4mI5HBPkNl3NSZE1ycMK3LLExMEYbo
|
||||||
|
-> ssh-ed25519 +qVung z8e56tCZ4TLkrX7BfH+5RrGxGoT3q9V1FB/ySsH3tg4
|
||||||
|
jIpEEVF8jCp/ks5eYXh3O7+TLidvzYsnBRFd3LkgLXw
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
XG8KKBT/hEvB+c1RDGUrDR4HrfAertfOIzQTquMQ+Z3Nde3Ybxf8W+rWGQDErbq4
|
||||||
|
VlvC/wVVnGnqgE/tJMQP41sCMKSH61MPyiNZC63g4RW9e2H9YQfWWrnuBh668G+3
|
||||||
|
3sE0FSdIAB+UlI2jlbMiG60QaT6zV0XyOrugLX/G2R+D4aXYIVvMtcwYq2oIHy58
|
||||||
|
1DE5llUZHGsQ8APXZle7ZGyO48ELOQkVn8ozPlPFhvz2y9srgBZvNL/wadjvLstv
|
||||||
|
2vBTBoRk8HnTLOiybAnGtOfK6kWUMdfSYMvhu0IM8UBSoxwxOHTfIttKDu2ZMB8g
|
||||||
|
c/RnKbV2z0PBdXVrYuijPg
|
||||||
|
-> ssh-ed25519 /vwQcQ qinzScNz0IFoHUaCeGXne6ddllQ0dA/TJr5Z/nbfvTQ
|
||||||
|
0YpTZ2Z2WwN0sJ1CIV8voPS298u9uHbRQMlV0GMrvFI
|
||||||
|
-> ssh-ed25519 0R97PA en5iGTQoH0/QJKl38HNe4xun/FxVBIun7Z23mBW+4XE
|
||||||
|
Sjshx8hLyP4iY40y/Fehc0wZTBH0d1Lu+auX8L5n28s
|
||||||
|
--- i5+vCeWbFTRR2YbIX4lwbEORRhaI5NkCwqaMEJqrPEs
|
||||||
|
ÿ\ìƒF·Ri±ñXa,.øÝoªâr›çhE0=$Ç‚uGa/oÑÑÆÂiíf¥•x¦Óš?Ðg¹CiÉ
|
BIN
secrets/hydra-s3-credentials.age
Normal file
BIN
secrets/hydra-s3-credentials.age
Normal file
Binary file not shown.
BIN
secrets/hydra-signing-priv.age
Normal file
BIN
secrets/hydra-signing-priv.age
Normal file
Binary file not shown.
BIN
secrets/hydra-ssh-key-priv.age
Normal file
BIN
secrets/hydra-ssh-key-priv.age
Normal file
Binary file not shown.
|
@ -1,7 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 Ao+7Wg q7oRHUUlAvD8OUbpPT7d6eLMPWU0YS/verYTDE5BCkY
|
|
||||||
/87/1uqOvRYeqel9IjnFmGyF9SXUQD8MTgfcj91b/Fs
|
|
||||||
--- ulIeB91NJ7z/64h9BCLSD9/RW/zwv3m1Zo2ovNuInv8
|
|
||||||
Îœç}³Óš#épÇ o>ä·*vµ÷ÄåŽs?[¦º´L
|
|
||||||
<EFBFBD>þz™rý‰?R±Ñó7<Ê
|
|
||||||
æi!€{X„¾òÓ
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue