the-distro/infra
9
0
Fork 5
Code Issues 39 Pull requests 8 Packages Projects 1 Releases Wiki Activity

Compare commits

base: the-distro:vault
Branches Tags
the-distro:main
the-distro:ofborg
the-distro:revert-to-bash
the-distro:vault
the-distro:storage-project
the-distro:block-crawlers
the-distro:fix-buildbot
the-distro:lukegb/rule-94
the-distro:cache-lix
the-distro:build02-lix
the-distro:lukegb/uptime-kuma-root
the-distro:hydra-metrics
the-distro:builder
the-distro:email-groups
the-distro:cache-ipv4
the-distro:format
the-distro:hexchen/colmena-checker
the-distro:hexy/credentials
the-distro:buildbot
the-distro:ckie/moarr-v4
the-distro:gerrit-metrics
the-distro:moar-builders
the-distro:unplug-epyc
the-distro:hydra-wire-up
the-distro:alertmanager
the-distro:fodwatch
the-distro:cadvisor-containers
the-distro:gerrit-http-clones
the-distro:meta01
..
compare: the-distro:main
Branches Tags
the-distro:main
the-distro:ofborg
the-distro:revert-to-bash
the-distro:vault
the-distro:storage-project
the-distro:block-crawlers
the-distro:fix-buildbot
the-distro:lukegb/rule-94
the-distro:cache-lix
the-distro:build02-lix
the-distro:lukegb/uptime-kuma-root
the-distro:hydra-metrics
the-distro:builder
the-distro:email-groups
the-distro:cache-ipv4
the-distro:format
the-distro:hexchen/colmena-checker
the-distro:hexy/credentials
the-distro:buildbot
the-distro:ckie/moarr-v4
the-distro:gerrit-metrics
the-distro:moar-builders
the-distro:unplug-epyc
the-distro:hydra-wire-up
the-distro:alertmanager
the-distro:fodwatch
the-distro:cadvisor-containers
the-distro:gerrit-http-clones
the-distro:meta01

14 commits
vault ... main

Author SHA1 Message Date
Ilya K cae763e8dd ofborg: enable nginx for certs 2024-11-17 14:48:08 +03:00
Ilya K 4f1378937f Disable nixos-option, it breaks 2024-11-17 14:39:25 +03:00
Ilya K 7e3074a769 Update everything again 2024-11-17 14:39:19 +03:00
Ilya K 3182a036c0 chore: bump everything 2024-11-12 23:42:51 +03:00
Ilya K 54e8282aac fix: use promtool to verify rules, fix format 2024-11-12 23:21:30 +03:00
Ilya K 41be8dc170 fix: pin pyroscope to go 1.22 2024-11-12 23:16:46 +03:00
Ilya K b08330c42b fix: allow insecure netbox 2024-11-12 22:52:11 +03:00
Ilya K 268422f653 fix: update grapevine to build with current nixpkgs 2024-11-12 22:49:33 +03:00
Yureka 4e03cf2309 increase zram on build-coord 2024-11-04 08:48:40 +01:00
Yureka 00a5d373f3 flake.lock: Update 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e2f08f4d8b3ecb5cf5c9fd9cb2d53bb3c71807da' (2024-10-05)
  → 'github:NixOS/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d' (2024-11-02)
 2024-11-04 08:46:51 +01:00
Yureka ec93c94e7e revert default shell to bash 
zsh is unbearably slow on some machines
 2024-10-30 13:29:27 +01:00
raito f56576d644 fix: add util-linux in git-gc-preserve 
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 2024-10-28 12:07:54 +01:00
raito 1ae3d7c396 chore: move to forkos branch for buildbot 
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 2024-10-28 12:07:06 +01:00
raito cca8156e52 Revert "chore: move to faster-depinfo branch for Buildbot" 
This reverts commit 7df7eaeb9b because
there was a missing intersection in the code and this broke Buildbot
entirely by exhausting all the resources.
 2024-10-27 22:01:34 +01:00
20 changed files with 216 additions and 519 deletions
Show stats Expand all files Collapse all files

1
common/base-server.nix
View file

@ -7,6 +7,7 @@
nixpkgs.overlays = import ../overlays;
nix.package = lib.mkDefault pkgs.lix;
system.tools.nixos-option.enable = false;
services.openssh.enable = lib.mkForce true;
networking.nftables.enable = true;

13
common/hardware/raito-vm.nix
View file

@ -1,7 +1,7 @@
{ lib, config, ... }:
let
cfg = config.bagel.hardware.raito-vm;
inherit (lib) mkEnableOption mkIf mkOption types split toIntBase10;
inherit (lib) mkEnableOption mkIf mkOption types;
in
{
options.bagel.hardware.raito-vm = {
@ -54,17 +54,6 @@ in
linkConfig.Name = "wan";
};
bagel.infra.self.wan =
let
parts = split "/" cfg.networking.wan.address;
address = builtins.elemAt parts 0;
prefixLength = toIntBase10 (builtins.elemAt 1 parts);
in
{
family = "inet6";
inherit address prefixLength;
};
boot.loader.systemd-boot.enable = true;
boot.initrd.kernelModules = [

1
common/zsh.nix
View file

@ -1,5 +1,4 @@
{ lib, pkgs, config, ... }: {
users.defaultUserShell = pkgs.zsh;
programs.zsh = {
enable = true;
enableCompletion = true;

302
flake.lock
View file

@ -27,16 +27,17 @@
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"flake-parts": "flake-parts_2",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1711742460,
"narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
"lastModified": 1730257295,
"narHash": "sha256-OQl+aAsKiyygvpzck1u0sZf/R4T9zM903CgNDFmmzA8=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
"rev": "48c8b395bfbc6b76c7eae74df6c74351255a095c",
"type": "github"
},
"original": {
@ -49,11 +50,11 @@
"bats-assert": {
"flake": false,
"locked": {
"lastModified": 1636059754,
"narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
"lastModified": 1692829535,
"narHash": "sha256-oDqhUQ6Xg7a3xx537SWLGRzqP3oKKeyY4UYGCdz9z/Y=",
"owner": "bats-core",
"repo": "bats-assert",
"rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
"rev": "e2d855bc78619ee15b0c702b5c30fb074101159f",
"type": "github"
},
"original": {
@ -65,11 +66,11 @@
"bats-support": {
"flake": false,
"locked": {
"lastModified": 1548869839,
"narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
"lastModified": 1693050811,
"narHash": "sha256-PxJaH16+QrsfZqtkWVt5K6TwJB5gjIXnbGo+MB84WIU=",
"owner": "bats-core",
"repo": "bats-support",
"rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
"rev": "9bf10e876dd6b624fe44423f0b35e064225f7556",
"type": "github"
},
"original": {
@ -87,16 +88,16 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1730050514,
"narHash": "sha256-QvzyEJQiFyj3ZjJmN0PlbhJjhYgvMjinhz1mwKbXeJs=",
"ref": "refs/heads/faster-depinfo",
"rev": "ab0767beddb020f17bbee2965232c0e941a037db",
"revCount": 304,
"lastModified": 1730064416,
"narHash": "sha256-Opbtu9hKijGkEx+GYbSu3MJms3lFxZmAGTFyckguWMM=",
"ref": "refs/heads/forkos",
"rev": "79137b14f3cb376204f739f44b05aebfc288ca89",
"revCount": 310,
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
},
"original": {
"ref": "refs/heads/faster-depinfo",
"ref": "refs/heads/forkos",
"type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git"
}
@ -125,17 +126,18 @@
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1711386353,
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
"lastModified": 1731527002,
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
"type": "github"
},
"original": {
@ -153,11 +155,11 @@
]
},
"locked": {
"lastModified": 1702918879,
"narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
"lastModified": 1722960479,
"narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
"rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
"type": "github"
},
"original": {
@ -167,18 +169,12 @@
}
},
"crane_2": {
"inputs": {
"nixpkgs": [
"grapevine",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716569590,
"narHash": "sha256-5eDbq8TuXFGGO3mqJFzhUbt5zHVTf5zilQoyW5jnJwo=",
"lastModified": 1730060262,
"narHash": "sha256-RMgSVkZ9H03sxC+Vh4jxtLTCzSjPq18UWpiM0gq6shQ=",
"owner": "ipetkov",
"repo": "crane",
"rev": "109987da061a1bf452f435f1653c47511587d919",
"rev": "498d9f122c413ee1154e8131ace5a35a80d8fa76",
"type": "github"
},
"original": {
@ -219,11 +215,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1716359173,
"narHash": "sha256-pYcjP6Gy7i6jPWrjiWAVV0BCQp+DdmGaI/k65lBb/kM=",
"lastModified": 1730442928,
"narHash": "sha256-U1DWb5c3EfkA7pqx5V1H4AWRA+EaE6UJ0lIRvK1RxgM=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b6fc5035b28e36a98370d0eac44f4ef3fd323df6",
"rev": "87b4d20f896c99018dde4702a9c6157b516f2a76",
"type": "github"
},
"original": {
@ -252,11 +248,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -320,6 +316,28 @@
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"grapevine",
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"hydra",
@ -341,6 +359,23 @@
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
@ -357,30 +392,15 @@
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
@ -390,21 +410,6 @@
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gerrit-dashboard": {
"flake": false,
"locked": {
@ -427,20 +432,21 @@
"crane": "crane_2",
"fenix": "fenix",
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_2",
"nix-filter": "nix-filter",
"nixpkgs": [
"nixpkgs"
],
"rocksdb": "rocksdb",
"rust-manifest": "rust-manifest"
},
"locked": {
"host": "gitlab.computer.surgery",
"lastModified": 1727994504,
"narHash": "sha256-FC6M1KKX58HbU9LG+cG6EJRr02J9lE/o0iiDi6m1gv8=",
"lastModified": 1731820516,
"narHash": "sha256-BJiFq5meQMwOLhVS9/m2HCZoNUIN5u5weJXr94dkIRU=",
"owner": "matrix",
"repo": "grapevine-fork",
"rev": "5a490a4397f0c6a36dab1cb631dadc67a849deab",
"rev": "887e59cf03efb70bfa68b56dda32c411ba6cd5fa",
"type": "gitlab"
},
"original": {
@ -520,12 +526,12 @@
},
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts_2",
"flake-parts": "flake-parts_3",
"lix": [
"hydra",
"lix"
],
"nix-github-actions": "nix-github-actions",
"nix-github-actions": "nix-github-actions_3",
"nixpkgs": [
"hydra",
"nixpkgs"
@ -548,11 +554,11 @@
},
"nix-filter": {
"locked": {
"lastModified": 1710156097,
"narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
"lastModified": 1730207686,
"narHash": "sha256-SCHiL+1f7q9TAnxpasriP6fMarWE5H43t25F5/9e28I=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3342559a24e85fc164b295c3444e8a139924675b",
"rev": "776e68c1d014c3adde193a18db9d738458cd2ba4",
"type": "github"
},
"original": {
@ -583,6 +589,49 @@
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"grapevine",
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_3": {
"inputs": {
"nixpkgs": [
"hydra",
@ -622,11 +671,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1711401922,
"narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=",
"lastModified": 1726042813,
"narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "07262b18b97000d16a4bdb003418bd2fb067a932",
"rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
"type": "github"
},
"original": {
@ -636,6 +685,18 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
@ -654,32 +715,32 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1711460390,
"narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
"lastModified": 1724316499,
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728093190,
"narHash": "sha256-CAZF2NRuHmqTtRTNAruWpHA43Gg2UvuCNEIzabP0l6M=",
"lastModified": 1731676054,
"narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e2f08f4d8b3ecb5cf5c9fd9cb2d53bb3c71807da",
"rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -700,6 +761,23 @@
"type": "github"
}
},
"rocksdb": {
"flake": false,
"locked": {
"lastModified": 1730475155,
"narHash": "sha256-u5uuShM2SxHc9/zL4UU56IhCcR/ZQbzde0LgOYS44bM=",
"owner": "facebook",
"repo": "rocksdb",
"rev": "3c27a3dde0993210c5cc30d99717093f7537916f",
"type": "github"
},
"original": {
"owner": "facebook",
"ref": "v9.7.4",
"repo": "rocksdb",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@ -722,11 +800,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1716107283,
"narHash": "sha256-NJgrwLiLGHDrCia5AeIvZUHUY7xYGVryee0/9D3Ir1I=",
"lastModified": 1730386175,
"narHash": "sha256-0Uq+/B8eu7pw8B8pxuGdFYKjcVLwNMcHfDxU9sXh7rg=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "21ec8f523812b88418b2bfc64240c62b3dd967bd",
"rev": "0ba893e1a00d92557ac91efb771d72eee36ca687",
"type": "github"
},
"original": {
@ -750,16 +828,16 @@
},
"stable": {
"locked": {
"lastModified": 1696039360,
"narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=",
"lastModified": 1730883749,
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "32dcb45f66c0487e92db8303a798ebc548cadedc",
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
@ -810,22 +888,38 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": {
"inputs": {
"bats-assert": "bats-assert",
"bats-support": "bats-support",
"flake-utils": "flake-utils_4",
"flake-parts": "flake-parts_4",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_3",
"terranix-examples": "terranix-examples"
},
"locked": {
"lastModified": 1695406838,
"narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
"lastModified": 1728959489,
"narHash": "sha256-1Pu2j5xsBTuoyga08ZVf+rKp3FOMmJh/0fXen/idOrA=",
"owner": "terranix",
"repo": "terranix",
"rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
"rev": "7734e2ee6a1472807a33ce1e7da794bed2aaf91c",
"type": "github"
},
"original": {
@ -836,11 +930,11 @@
},
"terranix-examples": {
"locked": {
"lastModified": 1636300201,
"narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
"lastModified": 1637156952,
"narHash": "sha256-KqvXIe1yiKOEP9BRYqNQN+LOWPCsWojh0WjEgv5jfEI=",
"owner": "terranix",
"repo": "terranix-examples",
"rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
"rev": "921680efb8af0f332d8ad73718d53907f9483e24",
"type": "github"
},
"original": {

4
flake.nix
View file

@ -2,7 +2,7 @@
description = "Bagel cooking infrastructure";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
terranix.url = "github:terranix/terranix";
terranix.inputs.nixpkgs.follows = "nixpkgs";
@ -22,7 +22,7 @@
gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
gerrit-dashboard.flake = false;
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/faster-depinfo";
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/forkos";
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";

8
hosts/build-coord/hardware.nix
View file

@ -38,7 +38,7 @@
zramSwap = {
enable = true;
memoryPercent = 25;
memoryPercent = 100;
};
networking.useNetworkd = true;
@ -72,12 +72,6 @@
];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
bagel.infra.self.wan = {
family = "inet6";
address = "2a01:584:11::1:11";
prefixLength = 64;
};
services.coredns = {
enable = true;
config = ''

5
overlays/pyroscope/default.nix
View file

@ -1,9 +1,10 @@
{ lib
, buildGoModule
, buildGo122Module
, fetchFromGitHub
}:
buildGoModule rec {
# FIXME: update, remove this pin
buildGo122Module rec {
pname = "pyroscope";
version = "1.7.1";

5
services/baremetal-builder/default.nix
View file

@ -135,11 +135,6 @@ in
{ address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
bagel.infra.self.wan = {
family = "inet6";
address = "2a01:584:11::1:${toString cfg.num}";
prefixLength = 64;
};
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
deployment.tags = [ "builders" ];

2
services/default.nix
View file

@ -7,7 +7,6 @@
./matrix
./monitoring
./uptime-kuma
./self
./netbox
./ofborg
./postgres
@ -16,7 +15,6 @@
./buildbot
./newsletter
./s3-revproxy
./vault
./extra-builders
];
}

1
services/gerrit/git-gc-preserve.nix
View file

@ -57,6 +57,7 @@ in
name = "git-gc-preserve-${name}";
value = {
description = "Git-GC-Preserve Service - ${name}";
path = [ pkgs.util-linux ];
serviceConfig = {
WorkingDirectory = gcConfig.repoPath;
Type = "oneshot";

1
services/monitoring/lgtm/alerts/forkos.yaml
View file

@ -1,4 +1,3 @@
namespace: forkos
groups:
- name: ForkOS automation
rules:

1
services/monitoring/lgtm/alerts/postgres.yml
View file

@ -1,4 +1,3 @@
namespace: postgres
groups:
- name: PostgreSQL
rules:

1
services/monitoring/lgtm/alerts/resources.yaml
View file

@ -1,4 +1,3 @@
namespace: resources
groups:
- name: Host & hardware
rules:

7
services/monitoring/lgtm/mimir.nix
View file

@ -12,14 +12,11 @@ let
alerts = pkgs.runCommand "mimir-alerts-checked" {
src = ./alerts;
nativeBuildInputs = with pkgs; [ mimir ];
nativeBuildInputs = with pkgs; [ prometheus.cli ];
} ''
promtool check rules $src/*
mkdir $out
cp -R $src $out/anonymous/
chmod -R +w $out
mimirtool rules check --rule-dirs=$out/anonymous
mimirtool rules lint --rule-dirs=$out/anonymous
diff -r $src $out/anonymous
'';
in
{

3
services/netbox/default.nix
View file

@ -20,6 +20,9 @@ in
};
config = mkIf cfg.enable {
# FIXME: why
nixpkgs.config.permittedInsecurePackages = [ pkgs.netbox_3_7.name ];
age.secrets.netbox-environment.file = ../../secrets/floral/netbox-environment.age;
services = {
netbox = {

4
services/ofborg/default.nix
View file

@ -26,10 +26,12 @@ in {
webroot = "/var/lib/acme/.challenges";
group = "rabbitmq";
};
services.nginx.enable = true;
services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
"/var/lib/acme/.challenges";
systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
networking.firewall.allowedTCPPorts = [ amqpPort ];
networking.firewall.allowedTCPPorts = [ 80 443 amqpPort ];
};
}

21
services/self/default.nix
View file

@ -1,21 +0,0 @@
# This is a data-only module for other modules consumption.
{ lib, ... }:
let
inherit (lib) mkOption types;
in
{
options.bagel.infra.self = {
wan = {
family = mkOption {
type = types.enum [ "inet" "inet6" ];
default = "inet6";
};
address = mkOption {
type = types.str;
};
prefixLength = mkOption {
type = types.int;
};
};
};
}

65
services/vault/default.nix
View file

@ -1,65 +0,0 @@
{ config, lib, ... }:
let
cfg = config.bagel.infra.vault;
inherit (lib) mkEnableOption mkOption mkIf concatStringsSep types;
mkPeerNode = fqdn: ''
retry_join {
leader_api_addr = "https://${fqdn}"
leader_tls_servername = "${fqdn}"
}
'';
wanAddress = if config.bagel.infra.self.wan.family == "inet6" then "[${config.bagel.infra.self.wan.address}]" else "${config.bagel.infra.self.wan.address}";
in
{
options.bagel.infra.vault = {
enable = mkEnableOption "the OpenBao (Vault fork) service";
peers = mkOption {
type = types.listOf types.str;
description = "List of FQDN that are peers of this service";
};
};
imports = [
./module.nix
];
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
# NGINX HTTP API access
80
443
# mTLS backed cluster port
8201
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."${config.networking.fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8200";
};
};
};
services.openbao = {
enable = true;
storageBackend = "raft";
listenerExtraConfig = ''
cluster_address = "${wanAddress}:8201"
'';
storageConfig = ''
node_id = "${config.networking.fqdn}"
# Other nodes of the cluster.
${concatStringsSep "\n" (map mkPeerNode cfg.peers)}
'';
extraConfig = ''
cluster_addr = "http://${config.networking.fqdn}:8201"
api_addr = "https://${config.networking.fqdn}"
'';
};
};
}

237
services/vault/module.nix
View file

@ -1,237 +0,0 @@
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.services.openbao;
opt = options.services.openbao;
configFile = pkgs.writeText "openbao.hcl" ''
# vault in dev mode will refuse to start if its configuration sets listener
${lib.optionalString (!cfg.dev) ''
listener "tcp" {
address = "${cfg.address}"
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
tls_disable = "true"
'' else ''
tls_cert_file = "${cfg.tlsCertFile}"
tls_key_file = "${cfg.tlsKeyFile}"
''}
${cfg.listenerExtraConfig}
}
''}
storage "${cfg.storageBackend}" {
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
}
${optionalString (cfg.telemetryConfig != "") ''
telemetry {
${cfg.telemetryConfig}
}
''}
${cfg.extraConfig}
'';
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
configOptions = escapeShellArgs
(lib.optional cfg.dev "-dev" ++
lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
++ (concatMap (p: ["-config" p]) allConfigPaths));
in
{
options = {
services.openbao = {
enable = mkEnableOption "OpenBao daemon";
package = mkPackageOption pkgs "openbao" { };
dev = mkOption {
type = types.bool;
default = false;
description = ''
In this mode, the Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
'';
};
devRootTokenID = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Initial root token. This only applies when {option}`services.vault.dev` is true
'';
};
address = mkOption {
type = types.str;
default = "127.0.0.1:8200";
description = "The name of the ip interface to listen to";
};
tlsCertFile = mkOption {
type = types.nullOr types.str;
default = null;
example = "/path/to/your/cert.pem";
description = "TLS certificate file. TLS will be disabled unless this option is set";
};
tlsKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
example = "/path/to/your/key.pem";
description = "TLS private key file. TLS will be disabled unless this option is set";
};
listenerExtraConfig = mkOption {
type = types.lines;
default = ''
tls_min_version = "tls12"
'';
description = "Extra text appended to the listener section.";
};
storageBackend = mkOption {
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
default = "inmem";
description = "The name of the type of storage backend";
};
storagePath = mkOption {
type = types.nullOr types.path;
default = if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null;
defaultText = literalExpression ''
if config.${opt.storageBackend} == "file" || cfg.storageBackend == "raft"
then "/var/lib/vault"
else null
'';
description = "Data directory for file backend";
};
storageConfig = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
HCL configuration to insert in the storageBackend section.
Confidential values should not be specified here because this option's
value is written to the Nix store, which is publicly readable.
Provide credentials and such in a separate file using
[](#opt-services.vault.extraSettingsPaths).
'';
};
telemetryConfig = mkOption {
type = types.lines;
default = "";
description = "Telemetry configuration";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Extra text appended to {file}`vault.hcl`.";
};
extraSettingsPaths = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Configuration files to load besides the immutable one defined by the NixOS module.
This can be used to avoid putting credentials in the Nix store, which can be read by any user.
Each path can point to a JSON- or HCL-formatted file, or a directory
to be scanned for files with `.hcl` or
`.json` extensions.
To upload the confidential file with NixOps, use for example:
```
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
text = ${"''"}
storage "postgresql" {
connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
}
${"''"};
user = "vault";
};
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
services.vault.storageBackend = "postgresql";
users.users.vault.extraGroups = ["keys"];
```
'';
};
};
};
config = mkIf cfg.enable {
nixpkgs.overlays = [ (self: super: {
openbao = super.callPackage ./package.nix { };
}) ];
environment.systemPackages = [
pkgs.openbao
];
assertions = [
{
assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);
message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';
}
{
assertion = (
(cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) &&
(cfg.storagePath != null -> (cfg.storageBackend == "file" || cfg.storageBackend == "raft"))
);
message = ''You must set services.vault.storagePath only when using the "file" or "raft" backend'';
}
];
users.users.openbao = {
name = "openbao";
group = "openbao";
uid = config.ids.uids.vault;
description = "OpenBao daemon user";
};
users.groups.openbao.gid = config.ids.gids.vault;
systemd.tmpfiles.rules = optional (cfg.storagePath != null)
"d '${cfg.storagePath}' 0700 openbao openbao - -";
systemd.services.openbao = {
description = "OpenBao server daemon";
wantedBy = ["multi-user.target"];
after = [ "network.target" ]
++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
startLimitIntervalSec = 60;
startLimitBurst = 3;
serviceConfig = {
User = "openbao";
Group = "openbao";
ExecStart = "${lib.getExe cfg.package} server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
StateDirectory = "vault";
# In `dev` mode vault will put its token here
Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = "read-only";
AmbientCapabilities = "cap_ipc_lock";
NoNewPrivileges = true;
LimitCORE = 0;
KillSignal = "SIGINT";
TimeoutStopSec = "30s";
Restart = "on-failure";
};
unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
};
};
}

51
services/vault/package.nix
View file

@ -1,51 +0,0 @@
{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
, makeWrapper
, gawk
, glibc
}:
buildGoModule rec {
pname = "openbao";
version = "2.0.2";
src = fetchFromGitHub {
owner = "openbao";
repo = "openbao";
rev = "v${version}";
hash = "sha256-7Dqrw00wjI/VCahY1+ANBMq9nPUQlb94HiBB3CKyhSQ=";
};
vendorHash = "sha256-qojDPhdCqnYCAFo5sc9mWyQxvHc/p/a1LYdW7MbOO5w=";
subPackages = [ "." ];
nativeBuildInputs = [ installShellFiles makeWrapper ];
tags = [ "openbao" ];
ldflags = [
"-s" "-w"
"-X github.com/openbao/openbao/sdk/version.GitCommit=${src.rev}"
"-X github.com/openbao/openbao/sdk/version.Version=${version}"
"-X github.com/openbao/openbao/sdk/version.VersionPrerelease="
];
postInstall = ''
echo "complete -C $out/bin/openbao openbao" > openbao.bash
installShellCompletion openbao.bash
'' + lib.optionalString stdenv.isLinux ''
wrapProgram $out/bin/openbao \
--prefix PATH ${lib.makeBinPath [ gawk glibc ]}
'';
# passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
meta = with lib; {
homepage = "https://openbao.org/";
description = "Tool for managing secrets";
changelog = "https://github.com/openbao/openbao/blob/v${version}/CHANGELOG.md";
license = licenses.mpl20;
mainProgram = "openbao";
maintainers = with maintainers; [ raitobezarius ];
};
}