diff --git a/common/base-server.nix b/common/base-server.nix index 57d6eab..c3f0251 100644 --- a/common/base-server.nix +++ b/common/base-server.nix @@ -1,4 +1,8 @@ { lib, pkgs, ... }: { + imports = [ + ./known-ssh-keys.nix + ]; + nixpkgs.overlays = import ../overlays; nix.package = lib.mkDefault pkgs.lix; @@ -25,7 +29,7 @@ nix.gc = { automatic = true; persistent = true; - dates = "daily"; + dates = lib.mkDefault "daily"; options = "--delete-older-than 30d"; }; diff --git a/common/known-ssh-keys.nix b/common/known-ssh-keys.nix new file mode 100644 index 0000000..9fca84d --- /dev/null +++ b/common/known-ssh-keys.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + programs.ssh.knownHosts = { + "[cl.forkos.org]:29418".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM82mJ259C8Nc+BHHNBeRWXWhL3dfirQhmFbDAwHMle3"; + }; +} diff --git a/common/ssh-keys.nix b/common/ssh-keys.nix index eb1afb8..7d06233 100644 --- a/common/ssh-keys.nix +++ b/common/ssh-keys.nix @@ -4,6 +4,7 @@ meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT"; gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+eSZu+u9sCynrMlsmFzQHLIELQAuVg0Cs1pBvwb4+A"; fodwatch = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRyTNfvKl5FcSyzGzw+h+bNFNOxdhvI67WdUZ2iIJ1L"; + buildbot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgIu6ouagYqBeMLfmn1CbaDJMuZcPH9bnUhkht8GfuB"; git = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQJcpkCUOx8+5oukMX6lxrYcIX8FyHu8Mc/3+ieKMUn"; builder-0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHSNcDGctvlG6BHcJuYIzW9WsBJsts2vpwSketsbXoL"; builder-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQOGUjERK7Mx8UPM/rbOdMqVyn1sbWqYOG6CbOzH2wm"; diff --git a/flake.lock b/flake.lock index 066cd89..38d1859 100644 --- a/flake.lock +++ b/flake.lock 
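Review bot: The new entry in common/known-ssh-keys.nix has no comment saying what `[cl.forkos.org]:29418` is, and its key differs from the `gerrit01` key in common/ssh-keys.nix, which a reader may take for a copy-paste mistake. Presumably port 29418 is Gerrit's embedded SSH server, which carries its own host key independent of the machine's OpenSSH host key; I would record that above the entry: `# Gerrit's embedded sshd on cl.forkos.org; its host key is separate from gerrit01's OpenSSH key in ssh-keys.nix.`. Because base-server.nix now imports this file on every host, a Gerrit host-key rotation must update this entry at the same time or every machine fails closed on the mismatch.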
@@ -55,6 +55,29 @@ "type": "github" } }, + "buildbot-nix": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1721229951, + "narHash": "sha256-RO7jlz2T0h9l7Hmij6Iy3qdYps33wDuAoBMQ21ROvyw=", + "ref": "refs/heads/refactor", + "rev": "8286c1028b2a69ee72680dc06d26bd80665ce02a", + "revCount": 262, + "type": "git", + "url": "https://git.lix.systems/lix-project/buildbot-nix.git" + }, + "original": { + "ref": "refs/heads/refactor", + "type": "git", + "url": "https://git.lix.systems/lix-project/buildbot-nix.git" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -133,6 +156,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "hydra", @@ -254,7 +298,7 @@ }, "nix-eval-jobs": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "lix": [ "hydra", "lix" @@ -264,7 +308,7 @@ "hydra", "nixpkgs" ], - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1721195872, @@ -404,6 +448,7 @@ "root": { "inputs": { "agenix": "agenix", + "buildbot-nix": "buildbot-nix", "colmena": "colmena", "hydra": "hydra", "lix": [ 
@@ -484,6 +529,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708897213, + "narHash": "sha256-QECZB+Hgz/2F/8lWvHNk05N6NU/rD9bWzuNn6Cv8oUk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "e497a9ddecff769c2a7cbab51e1ed7a8501e7a3a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "hydra", diff --git a/flake.nix b/flake.nix index 1a929e8..a5a662a 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,9 @@ nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git"; nix-gerrit.inputs.nixpkgs.follows = "nixpkgs"; + buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/refactor"; + buildbot-nix.inputs.nixpkgs.follows = "nixpkgs"; + lix.follows = "hydra/lix"; }; @@ -73,6 +76,8 @@ commonModules = [ inputs.agenix.nixosModules.default inputs.hydra.nixosModules.hydra + inputs.buildbot-nix.nixosModules.buildbot-coordinator + inputs.buildbot-nix.nixosModules.buildbot-worker ./services ./common @@ -101,6 +106,7 @@ fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ]; git.imports = commonModules ++ [ ./hosts/git ]; wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ]; + buildbot.imports = commonModules ++ [ ./hosts/buildbot ]; } // builders; hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.toplevel) self.nixosConfigurations; diff --git a/hosts/buildbot/default.nix b/hosts/buildbot/default.nix new file mode 100755 index 0000000..5748069 --- /dev/null +++ b/hosts/buildbot/default.nix 
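Review bot: The `buildbot-nix.url` line in flake.nix tracks a moving branch (`?ref=refs/heads/refactor`) rather than a tag or fixed revision; flake.lock pins rev 8286c10 so builds stay reproducible, but each `nix flake update` will take whatever that branch holds at the time. A comment next to the input recording why the refactor branch is needed and when it can move back to a stable ref would help, e.g. `# Temporarily tracks the refactor branch; pin to a tagged rev once it lands upstream.`. The lock also gains `flake-parts_2` and `treefmt-nix_2` duplicates, apparently because only `nixpkgs` is made to follow and there are no root-level inputs of those names to follow, which looks acceptable but is worth knowing when reading the lock.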
@@ -0,0 +1,38 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + networking.hostName = "buildbot"; + # TODO: make it the default + networking.domain = "infra.forkos.org"; + + time.timeZone = "Europe/Paris"; + + bagel.sysadmin.enable = true; + # Buildbot is proxied. + bagel.raito.v6-proxy-awareness.enable = true; + bagel.hardware.raito-vm = { + enable = true; + networking = { + nat-lan-mac = "BC:24:11:E7:42:8B"; + wan = { + address = "2001:bc8:38ee:100:1000::50/64"; + mac = "BC:24:11:C9:BA:6C"; + }; + }; + }; + + bagel.services.buildbot = { + enable = true; + domain = "buildbot.forkos.org"; + builders = [ "builder-3" ]; + }; + + i18n.defaultLocale = "en_US.UTF-8"; + + system.stateVersion = "24.05"; + deployment.targetHost = "buildbot.infra.forkos.org"; +} diff --git a/hosts/gerrit01/default.nix b/hosts/gerrit01/default.nix index a0f9f85..49e93ae 100755 --- a/hosts/gerrit01/default.nix +++ b/hosts/gerrit01/default.nix @@ -35,6 +35,7 @@ domains = [ "cl.forkos.org" ]; + canonicalDomain = "cl.forkos.org"; data = "/gerrit-data"; }; diff --git a/secrets.nix b/secrets.nix index e4b3446..badeab9 100644 --- a/secrets.nix +++ b/secrets.nix @@ -13,6 +13,16 @@ let loki-environment = [ machines.meta01 ]; gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ]; + buildbot-worker-password = [ machines.buildbot ]; + buildbot-oauth-secret = [ machines.buildbot ]; + buildbot-workers = [ machines.buildbot ]; + # Private SSH key to Gerrit + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos + buildbot-service-key = [ machines.buildbot ]; + # Signing key for Buildbot's specific cache + buildbot-signing-key = [ machines.buildbot ]; + buildbot-remote-builder-key = [ machines.buildbot ]; + # These are the same password, but nginx wants it in htpasswd format metrics-push-htpasswd = [ machines.meta01 ]; metrics-push-password = builtins.attrValues machines; 
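Review bot: `deployment.targetHost = "buildbot.infra.forkos.org"` in hosts/buildbot/default.nix restates `networking.hostName` and `networking.domain` by hand, so the three can drift; `deployment.targetHost = config.networking.fqdn;` keeps them tied, and the module already takes `config` as an argument. The file is added with mode 100755, which a Nix module does not need. In the secrets.nix hunk, `buildbot-workers` is declared for the buildbot host but I do not see a matching `secrets/buildbot-workers.age` among the files this diff adds; if that is not just truncation of the listing, evaluation on that host fails on the missing path.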
diff --git a/secrets/buildbot-oauth-secret.age b/secrets/buildbot-oauth-secret.age new file mode 100644 index 0000000..f9525da --- /dev/null +++ b/secrets/buildbot-oauth-secret.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 87T2Ig g15A5EWi9IhaxPFS6SD6YYm/aFnC0Dum7zK8/ZUtW0s +791D6C8mAy2dhDAlqRQ+q41FlQTJX2WfZQPjuwetP2A +-> ssh-ed25519 K3b7BA cJY9qIFVmucmMJLTFffkRCNYeudZl+8Yrm5SkxQ4eSI +97nXyKffZGoGJ6252UKUEJHiFgdk8XUkAAkXy2PLepM +-> ssh-ed25519 +qVung HMBSUjfmaFLVx64epj0djkqNMe3CdKN1fxAVuu+Dtmg +AxT62n2p/pP9WZmmuHClSKKgXhr4FjEQpEs0HfdNGfw +-> ssh-rsa krWCLQ +N0Duz2bONcCUZ76QhPsCJ4BHHWqzFdZLqFdl+6GeW+tgIp2Nb4la8eNfgzYGSwTy +53bRePNMIBTkChXFYt/4fUdqaiiVYg25swMeVLQBJnjJkcAks0Gf44FXLIaoPr1M +56rtixpSX31WDKwHbUF/40G6Xut8KNlI8BdwiOl9ibgnuEf4mYQbwFbRQbLMK5IK +Rf/7SEmAqqfY/HG1RqqgCs4kEpvFTKqEEDpgjOoyS2tyKN2351jya91YzotLja4I +sLoMg/G3UNtxfdaCgK7TP4IxV9blkVMDPAbyR622VbS0sEa7uJGzb86jDDsZXaKX +9iWK9n4hMKZDv9gBbhTIWg +-> ssh-ed25519 /vwQcQ hMkCrUcLGxdZMYgi1D1Kr5qUdGNfza2UTvRJKiHObgM +7Lz70zSMPk/tsU1CZGOk/BPA7NSSnSJgFbG5TjyOXvA +-> ssh-ed25519 0R97PA OQjDTknVmrYVclcqlT31YjZx+3a/0GxfjuVQFmPJ7UQ +KMGTMfO/mO5EAYacyz1hmHnQgzunRqkDeglhbGVNWe4 +--- ScDZvSiVSjNXm8TSoLSAM+KpcFORnCXiemYbCBcz2jQ +h}EʜUᢌkg[C"Nju5 CXGtTOm \ No newline at end of file diff --git a/secrets/buildbot-remote-builder-key.age b/secrets/buildbot-remote-builder-key.age new file mode 100644 index 0000000..f3bc083 Binary files /dev/null and b/secrets/buildbot-remote-builder-key.age differ diff --git a/secrets/buildbot-service-key.age b/secrets/buildbot-service-key.age new file mode 100644 index 0000000..bcdb7ce Binary files /dev/null and b/secrets/buildbot-service-key.age differ diff --git a/secrets/buildbot-signing-key.age b/secrets/buildbot-signing-key.age new file mode 100644 index 0000000..143eb53 Binary files /dev/null and b/secrets/buildbot-signing-key.age differ diff --git a/secrets/buildbot-worker-password.age b/secrets/buildbot-worker-password.age new file mode 100644 index 0000000..382ac61 
--- /dev/null +++ b/secrets/buildbot-worker-password.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 87T2Ig df+IMqWM/HNjaY74zibFQIdUdC3K7uQlm3U9R9NUtFY +hPSbCuWvqy/7FEj7YScYztyt5GVx4Y7tgGuKKkSKoRg +-> ssh-ed25519 K3b7BA xN8wzUKHqjOb/tqA+EI+0H0MSQRihRfydchwVqYWAVU +maLMpZe8orvTT6Av+YkhT8FcG4dc7bzDgOW339nSw1g +-> ssh-ed25519 +qVung oM1uphTbjI54t4U9jNd1zORqpjBG17MwDf2eNDmOlkg +oUHVuQt2SHIwtV82pgnKJ7g2jcVBAHWOzPK46otoh34 +-> ssh-rsa krWCLQ +eYspf5hUKdFQl1RxPaNTj0viAPd+kzp8Xbwn+q6fSITMacmyTY5J8FckLx2YXDxy +Qm/OsEK0ZOvxnHMrL0oAJjKSy/MamE+9heT3QO+LUN30QxbOIOqHMrl3waadWZdx +ZGOWK+r+dKGYNsxFv+t1Y/4DBKKzlXFWhJ0aL7nMOqq9+Ca+UZuE41j7eWGGPPLy +fuW/iOVVxQ+EEeCDpatQSrFPKaeWCCVP9oIDFtE4dsKxubMa4EpUoag0UvEIW182 +UGS8BvMqYgx+obqJDkhXXBK9apmJS2ojcfdtCbNOCV9Ett72Nm/iY5NjLprFMLde +8wWGA6s3hBOP39lq0eiSxw +-> ssh-ed25519 /vwQcQ 3zLcLDaDVhIn2knezexYM5Fqu/O9wwORnJIhsXHqgj0 +HchGikQMgkDj0qQgtDdsdKokV+nMjdv6t0uVISeU7Q8 +-> ssh-ed25519 0R97PA 6lm6B6B3dzSdhdcf5rjyTu+7cCtWRxVpWeapJX3nbQo +x/w4dEfFyxPi4lbNEqgjEblPVfQyj+q1JjeQHiVFhDw +--- oo5BK1pG+43amUg803Uv511RNtdQ/PDwlXUrV/AbOAA +Uq[f7뼨FYmLS?ℶ ssh-ed25519 2D+APA Vh/FrR9oyO8V1pEMQkmGbHCePB6RU+dPm+Z4bgKenEg -2G5eLlYe8IS7fsEBorFljUwQZ9sEk/FEr25S4p5hWLk --> ssh-ed25519 j2r2qQ 9+NX0Guhux9QlAxx2MtSZH0OZpDk1CQZ4Blu1P9fpgQ -PDUoAjBaIdKQAvRblvc0QEtrvp5MpE8HsCwKWwAn0uE --> ssh-ed25519 K3b7BA wuOc6LGnjsC4Rb9D9QX3YVgMqWPvBK27Q0vqADLpsk8 -wRnoNzkyaU9SGlOtpqY2pAeIwD9lGWKrqNn3D3W7U6Y --> ssh-ed25519 +qVung biXtZHmjJmsazEmp1iIGUqmuV1YP94bzrMjoZTmGPjg -GDN4WZGTIP6b2nmjyhikHeOrZi9YEtiPOyaJLzUl138 +-> ssh-ed25519 2D+APA jiLDQ8JlYhaivXQQhjEfZrGWn7o6Wd2OMrLorEVSPns +qRzHYcBhtGSm4RW7C4oW+VWSzHiDXkCN6bGeej2Gcpo +-> ssh-ed25519 j2r2qQ OcnIHB/vJoKuvhsT9dx1B+5lXguARtB9wSquW2KBB3M +pgzC2KOFi3Yj1gCPemVK3a9Grv2SkwZ6AI1EFdh4hoc +-> ssh-ed25519 K3b7BA ibHY8wN3rNit1mO2dJZ44rwLylMaR39a7Oz3CGV561o +4ElWORF/4lVEz33CJiuFG4rwUSIIOyi2L/W7Td7MX5M +-> ssh-ed25519 +qVung q4DDHS3M24kke2NCcpHEaUbUgoQB6QwnmDiwmdIOuBw +Yfa6v23oezdDICE8I0UaVCShKlx9lN3DnBnSb63LU64 -> ssh-rsa krWCLQ 
-UkNySvhS5o6v6/7xGvn43hgD5y2D91oH4pjU3Oa83CW6ha80dnE+JkSTpTdz7Og0 -vtZJuisNpcH254zTt8OAUpWN/tVXlD34RyV1xo1eHEWgUzKactrhlACpSbzYBdVJ -8cUj7jiE+qjIOtrU2sHWo09NKpf0J2YEPwajuBy1/fPrivlgXAzdAAnP4gll02x1 -Et8lUn6HVfYDGtrDo/PUUdgcGudVeCOJbvvrKYkuqe8vsNYgnFHM8dkTJmObL8dz -zp4MEuIQ3WrrXActSnTs+QAGIFSskOIr1DQlJRYzQcYtd8wkfx9a+6oxBECZyDAZ -T4yso7ctflKlr6OqpJYzeA --> ssh-ed25519 /vwQcQ +jsCn0OlVpuyVA0XSvD3ZCDRTBq29UV9qsDvE4XaGk0 -p2qblImpl+G0pefJ0T/GjanIc7+bNuA0wRB4mUuFGXM --> ssh-ed25519 0R97PA /bE6+eVlzeJKOOMqz4QjFdsu+5XDv9L8cZ94cPZ5WQk -Xco24ijeQnaT7jcsfXLQPzGr1FE/zy9+qVoQ20DLP+Q ---- NDqgX11cTXR48vD9YmAIYx+og0n1OQj+bbkKwqv2BeE -\w9̒7cؚ%}|k?$9l &=vܹ!P3b퀩 \ No newline at end of file +gLBHP4Z8EBW1y7Yf9sfWMU+/fJ4WWp+NGRR7ebO5GwUeYobDYm/eYQ7rD3Q9k0rF +kU51GYBaO7m5gLqc2Tq4+YjE2/EXDvjqkDSoyNrjQaaGTLqzvPYlCvKWyROjqJjX +UwzPbQx5XVIKNgpsR9e6/hoJiJbDpavM+HQo+1zwoKAg5FvZZkE5UnIiSjuAxMgR ++tmrhBfHEYkpbCCrXVE0jLCup8gPIci1PyXWkdhJy+HyHVkbYowGwNawNobNr1cF +dJ5IU8P/DSSqZ1qWSl6ju7JKjzXU2Xq87/g7wJyrKGpe37pJmPIT86nCJTut+AK9 +iFED/y/p5NCtohyhztosgA +-> ssh-ed25519 /vwQcQ rzEjV56G+USMdpWklrGQSHuzG8d+S0zWhhwrmuyTyiA +y+uMRG8NdAD0H4ipRN+sJPn1P0CGs4bk+U4qtetP3O0 +-> ssh-ed25519 0R97PA ULWdDUjDg9oTEOqzCKUJl8yN+qwwmlSi1PFwRvr7aWM +YWaE+STxKfQzxYMtP/cA20q0atXLdsjeA5nJyl2f8iI +--- Avs8hTgLwcBy8hyYWjR/Jbs5YaKozv2oBmGs51ckquA +Wܐd`@ӵ35bY%AZ=Ki76,w,1kRAĂFu \ No newline at end of file diff --git a/secrets/grafana-oauth-secret.age b/secrets/grafana-oauth-secret.age index 28213bc..c389cf6 100644 --- a/secrets/grafana-oauth-secret.age +++ b/secrets/grafana-oauth-secret.age 
@@ -1,20 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 j2r2qQ qI/dlkHZYcNkCVgZbxpw5Ps2anl8pofaFPi4p6kOHAo -KWL+H9at/p/AfCjfO8+SgMhn97F+DqLO2ymYUOHkWjQ --> ssh-ed25519 K3b7BA URYQ0jFY5yHS+dodR1RqodNWrrXkMnzTp5OCSv1gbWI -bnyrPvWnzDRNh4mI5HBPkNl3NSZE1ycMK3LLExMEYbo --> ssh-ed25519 +qVung z8e56tCZ4TLkrX7BfH+5RrGxGoT3q9V1FB/ySsH3tg4 -jIpEEVF8jCp/ks5eYXh3O7+TLidvzYsnBRFd3LkgLXw +-> ssh-ed25519 j2r2qQ JSveX4zYEjb4jJH4eg4oXA6r3oc0jBx8NgjhN9JrjlQ +1ZIr/XFClbwJHn0ppJnolpb4QlgZOA8JX5OjjY4x6pU +-> ssh-ed25519 K3b7BA sXUjuZFK0PL/KndxRCJCM5Kg8OmVseRZNWG8mL1alRc +U9MMgDtqtmsS1W5i04Pa/b4JBTSjK6FffZxgYI3phtg +-> ssh-ed25519 +qVung FNSElbiw0frYcsO0xoyPQgRGqAe/aVX21dTB6yk+GQg +zHT/xU+yfXYSBO2HLwoHrGf5ns6BDVb8MlhVVQCBlOc -> ssh-rsa krWCLQ -XG8KKBT/hEvB+c1RDGUrDR4HrfAertfOIzQTquMQ+Z3Nde3Ybxf8W+rWGQDErbq4 -VlvC/wVVnGnqgE/tJMQP41sCMKSH61MPyiNZC63g4RW9e2H9YQfWWrnuBh668G+3 -3sE0FSdIAB+UlI2jlbMiG60QaT6zV0XyOrugLX/G2R+D4aXYIVvMtcwYq2oIHy58 -1DE5llUZHGsQ8APXZle7ZGyO48ELOQkVn8ozPlPFhvz2y9srgBZvNL/wadjvLstv -2vBTBoRk8HnTLOiybAnGtOfK6kWUMdfSYMvhu0IM8UBSoxwxOHTfIttKDu2ZMB8g -c/RnKbV2z0PBdXVrYuijPg --> ssh-ed25519 /vwQcQ qinzScNz0IFoHUaCeGXne6ddllQ0dA/TJr5Z/nbfvTQ -0YpTZ2Z2WwN0sJ1CIV8voPS298u9uHbRQMlV0GMrvFI --> ssh-ed25519 0R97PA en5iGTQoH0/QJKl38HNe4xun/FxVBIun7Z23mBW+4XE -Sjshx8hLyP4iY40y/Fehc0wZTBH0d1Lu+auX8L5n28s ---- i5+vCeWbFTRR2YbIX4lwbEORRhaI5NkCwqaMEJqrPEs -\FRiXa,.orhE0=$ǂuGa/oifxӚ?gCi \ No newline at end of file +ye0mLiYeyvlp4EZX7mZ3F7B9V9JSeoiCodzccS+5qIEd6gr+RTHSnKYqwf/nwf8F +qKLwbxWjpmkIzBWeswy8AJ8159aucGEmB+3/tTSwd+QlRkru4Z/7jtfU64KQttgt +vaRfc9J/85AJJ2V6Sw/xG8SgxyLBbp/XIN2+tmb0g3kAWiuLcrLk3H/MsfmxDVXg +RQjugP5K2+fEZc77dHQTrMI58K9TrSw1zYA1ee8J/fl9IJ7J77qi5UgizY+YfX8T +SmR9DeYUe+hKgCB2k/KgAxp4WOQNgUOFBTsE5FW+kQQpfGx5aqR6vCYU+CPsA3Zb +FwV0l+g4FUVy+xAtqaGSAQ +-> ssh-ed25519 /vwQcQ fbnK1jYiUwUsgD8sSTboJCBfcuwJXKNCaJaWYuIfmVk +Uj2+uBABMTxq1MBsiHXgkdFMOpIN7gfxoJVKOQff1Pw +-> ssh-ed25519 0R97PA yYOb6AYAFWvm7W2KYT5v9zznkF4Di/vatH48Xgx0x2E +yUm+MKj9496BkdX2FpLyhML7budUyqT1hL9hpghxSnI +--- 
ogCPBrmdbeDorj3t5BL05ge6VngXBpUEDW4qaaKIa0U +%lD]Ϫ?(E/Wu穉T[}$S^[:]he0XUpq`0A \ No newline at end of file diff --git a/secrets/hydra-s3-credentials.age b/secrets/hydra-s3-credentials.age index 9fb3d81..804f088 100644 Binary files a/secrets/hydra-s3-credentials.age and b/secrets/hydra-s3-credentials.age differ diff --git a/secrets/hydra-signing-priv.age b/secrets/hydra-signing-priv.age index 23cd618..3e6ca1a 100644 Binary files a/secrets/hydra-signing-priv.age and b/secrets/hydra-signing-priv.age differ diff --git a/secrets/hydra-ssh-key-priv.age b/secrets/hydra-ssh-key-priv.age index e4ae755..20deb4b 100644 Binary files a/secrets/hydra-ssh-key-priv.age and b/secrets/hydra-ssh-key-priv.age differ diff --git a/secrets/loki-environment.age b/secrets/loki-environment.age index 4d2a214..c58d72d 100644 --- a/secrets/loki-environment.age +++ b/secrets/loki-environment.age 
@@ -1,20 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 j2r2qQ JzVKQt25f18L96aJWsJtFAR4mvMVCgYMKu/xtJ1BeDw -vj+HpNQCNNxDRA+7HgjiD0XlGG/Yy+tk8KmszMkxdag --> ssh-ed25519 K3b7BA judlH57lGOGmaTEG19gYiORJT9uXiAlxZrP+ISTHDT4 -MS7e24A6rEMUtUUl8DlYXPy9NhqAq4buOWT0iYKvbSY --> ssh-ed25519 +qVung vglRR5LYFZw8v6zRhybGPBctwDgYoskbpGYiLNW9qxM -VdjQTykQSVWubGimCHiekQX7EQdgOB3PYsRHiFnpPkg +-> ssh-ed25519 j2r2qQ 6qyr94uky6B36UOY0jd5NXgF2rJ3RWBUzZ32c5iOTmY +fjlI3fjYjwyNQBs4K4pq/5c7oBkf5XUXoGlBOBpmPu4 +-> ssh-ed25519 K3b7BA N9VYT/ZslG07KldzO8sPE5TiYYwxJqpYU87ED4PuBXw +P1s9L57prPqM4fjcYHv+g0rgP/NvFr13CgCxthVHZ4c +-> ssh-ed25519 +qVung Ry8uUFsmYmP+Urw46lhAsCc3S+QiWu1mn8J3rIy+KFQ +iB7xAfdpHwOzAnLvosJb+F50QKsOYWr7CHC3srsS6ME -> ssh-rsa krWCLQ -hLYT6U+dUVuicVO8hSw4KcfkM9bay4JR3TEWGlmmIxcQ67LNggzuyRvV6U2yfucg -Xyxezdd9LArf8z1eV/y3iwsY0PvK9qwtgpgH/NxaF7djhTA8+c3c3a6w4sqdHn0m -/RZU+eKSFeDWII7fn6o7JxzITFhF1FYH6PJYA2cb3PvbPw/JSja8EVZ7192ShqGW -22TThbZmmKoOPbmDxmQIygZTxqyaXkoFOnTWqqTzOfNtBOBFXT+cIFh3ctGWLw79 -u7O5c2dmpXoE0bdndQ7GUSPrgRzOYHQ5hLg8WtC56EYjE11Bxj88fktzw4hZTbYQ -jrS8Pa68UPhUmSfutlpd4A --> ssh-ed25519 /vwQcQ MqdVxRlS+EMA3f6B0D6m2ylvCE7WVq1av/CvsNVAB24 -KX8RJ1bzUUhsYW6qN06FTzis5i13IIoIpUb5FkW9wkw --> ssh-ed25519 0R97PA RHUvc9XQIxOW0GCyt0vRxPHyVXlpqM9gaUps4q/Grx8 -bxgFxtbtbvDi9knzasdR7u33Mb7x7LcBzqEB/g4Oc4A ---- Z175YCdbPBBSItxomyXPSo6xILLV4GT4gpA4Oxz9qgo -EVށӦxYq846&֑!Zmd.46ȷ/=܈'hM_j >6R&uE^8c;ě:Q1)1L_~,KB7 \ No newline at end of file +w0xIVFtUghdAO7SxZD10rBMtdQESEvYUEKxnWzLh0cjcRhaVT/BXSZQsKV2Rupoo +nDL5uy0k+tPXm0HroZ6VkZ0fH/lOpeUR69ZvJmClKql3Fnf1385+5BvT719cbbaq +yll49gx0+ms/oB9jS3SPwbOg+UJgnkZCeu9138h3MG7yWNtVuA9l5hsJioVvOVlS +Z5EXbjdQR9xYjSwR+b8MYZ97ej5fXpuULEopbx2wXt84u1e67vTETqflitR7lrzy +A6F65g35aagPJZGHzfrKVToy3pfXm9ky/30DolWLD0DpG7G6o/8afy8O4yBAGlv3 +ZLTaUbrdILSz2ff1Njx4Nw +-> ssh-ed25519 /vwQcQ YqqmX/f4whOk97kCgSPo6oj/274eYlBWtS+OahAAQ34 +hoCbhupzSTx+wNIorzYGHyGvU/L8unKEyD7Bqq23YP0 +-> ssh-ed25519 0R97PA 17SDtfT9GzAsIsQB24AmYXpW8v4+LEakup+tdFroHTk 
+HIvBhAGA2GMVWFBP3OTFEn+XpPFBJDOJDK3SQ94mNKM +--- CD1QrxYGAhhy+l7U5kOXn1shCwz8pYJNuGRugPxmzJw +Y N Ϗx rR^z[腕az +ɿϞu0cc;y& {xA]Q_:̱UoiDl(wKi,j.oFy̰$}Y@1șYu *ŏ0 \ No newline at end of file diff --git a/secrets/metrics-push-htpasswd.age b/secrets/metrics-push-htpasswd.age index 9892486..9347cff 100644 --- a/secrets/metrics-push-htpasswd.age +++ b/secrets/metrics-push-htpasswd.age 
@@ -1,20 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 j2r2qQ n1lfxDP73nfF/CYtE4gpUH6YgjAQbx/2TTuyfFUBiHQ -LGzudpjsYA92pM0UpUT9CWZD+e+rzGFP4ndxPE0MByo --> ssh-ed25519 K3b7BA NRnnKaOtdtIjkRdam5vAA9Yj1RUJRReugWKRglWAoQ4 -Xprx5TSU1rNH7NMl0X07K1KexCVXMEu7BFxbiPwxvBY --> ssh-ed25519 +qVung qZsGi4JqgpHrjlg2VdY+OhXb0BzYTytBBqY3jNsrSgU -GgvQG5iMd6XTZRCC3EBBvqF7nhkqAJmxdIkCFRV46Ok +-> ssh-ed25519 j2r2qQ sIYTVOTWNToDSNa4qiIaSoac7zka54g/opQ70q1SAA8 +2Z1mlCWxjakHqRbArU2BkT7B/Dx0XKH7kCnBa+OYI+s +-> ssh-ed25519 K3b7BA PGyd27M/Hmk6qpRf8bcI4QWrS0vrPgjiZzaXvKQkJDQ +ixrciiNR/th0FM9MxVx/omHdI61EmAhTA465SjxECF8 +-> ssh-ed25519 +qVung Q7k74fDLKwCdzobz0b6ByS2LrhMOIC58Ofto0gpBLFE +p4CIje+sO/nOaO1lzAY9n2HYLUKxEvKDbxeR6dOyM00 -> ssh-rsa krWCLQ -EkmY8uc79xWfKjlIozS4Yigorz9IdK8T8VjMnVcJN6+rhoRctQNVCj4JgogY4wa0 -V3ObjoRPZgVU3qPmkPgIKVa2Mvf6MrCMwvvE4j2Yyy6lmQEwFdvk4s2c6AD6T8Bf -rktRYqOcFavuDr348e0ZzKniFTRcPMcY49mqBR/mWIfSEtLxBgpFUCn6f40PLndT -3dse7kgRBlrKbzmf6JIsITHejqwDRq2bZqHWAmZhb6+ske7oDicAt90FDoDbrwvd -YwXPRDCxgATlNz8n/xFUxd35X+zEftUUtANSGtihIE4LcdsO7IOwv/FCjdEn/3YW -ZtQjphnxgDsY61PEFCMnYg --> ssh-ed25519 /vwQcQ DKQuo5jVunUFTCbOxVV57Xl6q+DDOVDWXdon/lZlLi0 -doN6en8IK4Ju0uATp+IZAhYl1tvdnfyxHziSobb1ER4 --> ssh-ed25519 0R97PA I1GECXSPagJ5kD7CeVA21TQmpMEgLeaiB7XYEomUl2U -d0kO+4SkAPC/ois39SZafEhTqvmDpCZbWTUU1aUZ47o ---- 555iE+C2kDLIdAJ5KARyKcBQZSDRWASuzcNiKZ9IbRI -eceV&g6=6!CC^zէ(Ӂ!BB| 'R_a UtI3 \ No newline at end of file +ezrZTitn0/BRD0K7e2K53qz9AZCa0aHlzFSuyzqyVJLdAZUxBUnfBwmGuJgKTa4Q +fWsXBs+L65hkcL6/VKS7oSGGyoEHmoPFKbb08B6FKLHt9V1td5xbHIoTYbvSavUA +g3wpTUa4eG3ivcu96VjyyBKTAc7LN7h7dSMbvvP5tpWT5vL+WstCdFf7zzUL9HBS +yI8dzEbCQIgAAaHj90MREgIIgIB27Dn1PvkEBGYky5ybBRa3DXVyqnX0dDtsXWpK +ipRPDV7HC1+x2TlqQjD5ED737r/AP573IXbnRLSEWnGDjtd/JWQmfOO3JACoRjU6 +qfb5SSDT9QriuWSow7CDhQ +-> ssh-ed25519 /vwQcQ duuo3BGe4Q1MHMljgzmtpzvtiOvAHqKu2HS9SBxLuhE +GCwccbE5lX5uPIri/7Vn6hzpfL7ouJBFU14bKjl6yTM +-> ssh-ed25519 0R97PA WIFf8tbMlmNrNFF5tRcL+mOJ40SvIdppAtItWtxzCk8 +miU7Z4poEVMZCeAEef1VS0jouCDxGro2xLEE3hnRJEQ 
+--- Iaff5rxl9r1qEnlpkOpGyBGtAvGMLyBlJQ45iInuAnw +cIC«27 ړnZM`{7`¨V@yzŞ)YDXo ~<Pٛ5Tpx +R \ No newline at end of file diff --git a/secrets/metrics-push-password.age b/secrets/metrics-push-password.age index 27be01f..5815275 100644 --- a/secrets/metrics-push-password.age +++ b/secrets/metrics-push-password.age 
@@ -1,52 +1,57 @@ age-encryption.org/v1 --> ssh-ed25519 +HUDfA FOqd+I9DzoloOMK2InPz8yAGsk+ZgMKy0n542DmF5ig -sui4rdOQcvjL6H9rPSbSAyIggaSbsIVrontrkFpPPC0 --> ssh-ed25519 wIR2ZA V4KPrGw2NKeOBWpjsRbhUJ/eLR8/hvExNMpcBvC7gCY -Zjc+HtALqZbp+L8tUUgaFe9LR4NKptpFq/L7xhTItXM --> ssh-ed25519 oGiV/Q kJS4DAPBTOgADY7LCZnIfORMM1RJez/5XGoKDfErHjM -LN3XE7qM2SHqQwb+JjIq5tMvt77NI4+YOxYnZh82udA --> ssh-ed25519 gO3aog gJFIrngWZp4ypA2IZwr+c0JkWgUu9VN5AzoyyhozlDE -lezfokY1lgABSKNO+Fr+tTlIjC3gzc4Bw2YlGLy+WvI --> ssh-ed25519 r/iJSw VzO6pblztwci/TMfha+dOc6Vg4DC/1oSNEt0aFaCYRE -Mf0LjSjWJA2lMt1M1z+tGJ+9NVMxd8J5CSMvaLK8zB4 --> ssh-ed25519 N/+Clw uNBuYGWU+LLY856o15jLkJNk6pu42FnX55CoE98/ukA -zh+sZ0nskVPUKd3Ajg1FHng7caKhkEHiRFcm8c53siw --> ssh-ed25519 CtkSZw YP79uyNelg7+nbeois1vu64anUC0lhUhIie6EqUz2i0 -rb9zte3dN0+uwjyJLGaUfeEQcVtMerKEOVAocLGXUYs --> ssh-ed25519 keg2lg +g5uYkOOyQABVmL+9t08aaMklNEbBO2j6vqKyrwYrhA -U4FzATeou9spmYchqHPR/WR79Y+ILWpwhLwxjYQd7d4 --> ssh-ed25519 H885DA tAx+W9kfJkvERw9KPKZInC0s44QqQIu71MPUosasHy4 -5ks2qkZfkMLK4meVHTfWpR8qCeU3vKdPiWVRTyD6OhI --> ssh-ed25519 Rq7K4Q xwSlrqIh+rZFv6w1iDcPyD0nEmESlmHleUHsVPrG2Bg -OgrWCBqb7SAtQQSUnTQ1l9JRyDGS2DgzKRRbMCtKK7g --> ssh-ed25519 vvyRpw wQB8wg6bGvb68pvEp+7khrNpZTUxSVzLIfubbYsX+34 -KZ2/Vnxg7Gpazc26lYddjNnMxpoteb5ysuTZUg00ZvE --> ssh-ed25519 aSEktQ KdKSZuVH/v+gkZkL07YdUJ5vvH2+mcUR4x+mXHylhys -MRGd8l+0X6XVq1KpLqYqUZD/4EkOKz3mpHsdQepc6kc --> ssh-ed25519 cD6JxA FesXIZs/X+fWefYjP0sfkwz6bYLxOkuIzQppwZYXNTU -hg+ZTdCGuQ66FIc+NZI023Aunnhz+Ds5cFKUwNj+MGU --> ssh-ed25519 1qYEfw HRQdZ4u1UWpzwIF/0lbJ1NVDQ+/Rl913jk+BwLM0KCE -CHlDCaov7TWme5YMBiV6Tby0IReB8pER/RbDkpI3TWM --> ssh-ed25519 2D+APA BTVVWo3G0tZj/hUMH5cwByYf3LjAg2RNVMhYrkXxXjQ -iKghO+M6xpp95xVrmydz9GJJIOK5JrIsoL+CSFD77uM --> ssh-ed25519 j2r2qQ RC/2vV5yr1af4iyeouQwIBK/r8b4nD51WwxgbuMEgG0 -L+uqV7eeCNqnMTqCNmvLPZFNTdmlYu/i7+3NVwmpIxA --> ssh-ed25519 C/bBAQ KO1owoeb7pbuXtDS+f/TziotgffL0Eg6qnjJ9W8Yp2c -af4IhSiXlMPiNuM473dIeWQqNbRgb3ciHyoa6buolyU --> ssh-ed25519 K3b7BA 
h4mC/hZ10ToaaYDRyBOyPpcvA28sY5FPCQPuaTTRIws -VG4QtmEOnubhhjV3CS49aYOyVl/Dq+ryxfZENgFJZTo --> ssh-ed25519 +qVung 6gs9DdduYx2twVsFED7HJnGFfKZynUctQIO4F3MXfj8 -gMmU2tXwR9K8Nb5gMKPbTexE58FOAK6QlVYzGvaX3hw +-> ssh-ed25519 +HUDfA SrjyocQ2U/mcmsVX3bhTDPiNfnRepZ+J//d4JkVrQ0w +MELfJrKcLlC3rWKHdMZKZyXB0ztzmZUjWUcT8ibP8vE +-> ssh-ed25519 87T2Ig IN9MMxRNzgKHBmGwidVWIvq2xpNVkbioWjG0lf+B5zM +sXIXfrTak7E8isigDDnrzvjJli5ma5f9fOJnWCdDRpU +-> ssh-ed25519 wIR2ZA 4DD/V3Xq1B2t8Zb11MnvtSZ3Oq5Glvka93g313dVSyU +TrQiCJGOtitCCfNy0PdaRaPnk2mYCEPKtnOtdAzGolg +-> ssh-ed25519 oGiV/Q W67zxBlGYg3PhUbwBiGE2vVoIl455R+4g3EClZKwulI +2sldkyyBUGxhXRCoa/vW5LrxbI0TqerOeOqrTtzY3Mo +-> ssh-ed25519 gO3aog YVF4hdjNYxOPE8v95BENIb6khsu0+tztaPNNCsXoWDE +LLX/uofYt5/HQ7q5L35UK2t05rOlhCDnC4SIJx0bNtM +-> ssh-ed25519 r/iJSw RMwg0xLCOVA+wc08f67kkUVIgy6W3Ypd3jRkRHFA+l4 +KR5RElZHGzzLU9hjr3Qg3NwudDxMtHqcf2t6xjDMz+U +-> ssh-ed25519 N/+Clw BBYMWbIT8dXcD7SU+LrIuFeM+2RodGF2rW1ubx/W9mU +yANEUWhFtNkx3VArOTTW+rREcxwzkN47CD2kK6JsMns +-> ssh-ed25519 CtkSZw wy5ZfWI6tqN3OZDqRZvb6lhj8Pt+GrP3YryqhjH0ugo +OtY/WsGkJJghGGAh4cfZOxkg/WcYJ4w2gu4Hu9VHntc +-> ssh-ed25519 keg2lg lzE0HqDHBwDyuc5m5T9YSxxTgEk4mOQWY3l7a1+QKD0 +cn07YAocsIrSeWo1ZGyFzq3un8kdpEuS6zYpKs7G/iI +-> ssh-ed25519 H885DA eZJW1T2VPMhDs/ygauDFdd1Md3D830ysel1yUZkZoSI +wpq1+ndzQWUUN2yYMKnEZrOcgCuqKIrDjaeX+XpkQgk +-> ssh-ed25519 Rq7K4Q CQ+Y2k5F8Q79GF5PQh8qDmxWgrKcqJHjAodVBqKqQkc +SkcUl6dFoBQmPOOjTEopgcn5vzLH2oHICymAAS7nsAQ +-> ssh-ed25519 vvyRpw nW2eCEqQ6uCT9RgIJyCSpP4JHwQtKDSiBBp1wdVFtTE +DQcHIBTNqvFVYV1fXbGhu0pCwa++knjLpCVFC3npaS0 +-> ssh-ed25519 aSEktQ 7SEG8F8UyH0gR9uT+mFfBIXsAIUFnNd2bZgyJ8C/gVQ +JTlr5eIhpepOoCxi54nrG7Wjxq9CXZYkb33kd2urdak +-> ssh-ed25519 cD6JxA QKVkY0MS3LeJf+YfwJT2yysuseg8tSAEGHOBgHFsVkc +IpAAWCWxHNg1MOBjG+JNXcTE/xNrDW8+5Cz/hNWVYvU +-> ssh-ed25519 1qYEfw pA2G6CxFosIcXsBnTUfN1wsPs3Ue5aMzo7wameAacXM +av7xGnRkh57JtgF37QtaF//eYS/pHqznHY4DJewRp5s +-> ssh-ed25519 2D+APA SOSVjgiiugDWg9HeFIlaLa+mo3q8AHhntl1tHEB6QUQ +QINZr847DASGM32Si6t1mHH6fCkKnq/sa1+3IXhaSlE +-> 
ssh-ed25519 eTSU6g NuV8gm/Ijo6BpZptiYua2bnYNoxuHcOtce9zGNyi0yo +E4zAIpZN5eTWJanPEwS7B6RfnnMRLDaOj+5l5L4GdCk +-> ssh-ed25519 j2r2qQ PpKKKAJikQKWAaYvDhIoiPeTkWtE1chw8lCpZ4O+LHs +4kR0ZNRMt0fljaOu3UgqVrUFnc6v916IyKdYkvz/zfA +-> ssh-ed25519 C/bBAQ m7XsRBwlHgWXifCif/8H9TcSqs0so5hha2T4tCq6qn4 +QltQrR6Y3Im4xo8DtpzN5kMsHNfkpG0FE6Y2GnkrH5Y +-> ssh-ed25519 K3b7BA x91SNkgN6NSlw2FZnliA+c6zoTYyeuZh2iT+Rl+qtT4 +nKU6GcX4WLTRncStiW6BS7iK7zlCVhn55FPjRNniqSc +-> ssh-ed25519 +qVung opSEU5VaLZcm4GhcKlNtG/Ut0jU6oTYQuqvnDkuSGT4 +ny6Wfsi/PIj5A9q/fwL3vwnkft/yH6fqlPIXo0cklfY -> ssh-rsa krWCLQ -vjNcmgDmmaNUSXIUgKf1digOgbohvyKkYSUalTOskvPo+9NRZbp0IJ7DoYLRrSBB -DobCBM078iKOvIGGJCIbMS86/z/7lz6SSPcbfM1EG+hknVJLZaj+K3PYYSX6QTUC -6rWSC+yg0gKehAhnYO3q+8mnismk7SERdyCZDNtPwHOhTAt6NZ6e+33VFxnbJPTz -IvoNU/RTUhV+XuKbtosm55PqDkOuTM27jesZ0/SARYL+gVgaltacqt4kzbEMOP/W -tv2kU6f1eNaX71c57DGI7rfcvLrPRAjTxUhsuKJPGQeaHtfiWz832gUMIJOEjoo0 -mvrAfyoykJRbPGNFl5pMmg --> ssh-ed25519 /vwQcQ gpPktkJ57USbj7kn1qbeUQDbHHSCuzWM5OcmNooBMi8 -6JPXUJYQ1IjRVv90r1EJx3EUMDPmU9X1FK6j/6vT5hE --> ssh-ed25519 0R97PA vzT774La7rcOMz7/KYjSUsY+D6V5bi5j3ghdDBLBoAU -HAXfMmFuj3YJGCBR1U0btPlr9MdIBYnwT1ufbHaAxVk ---- /0DCLjy0dwjRGPnkNk/a9fZ1ox9+LVkwh9Y5jiyA8x4 -1KB|\STi/ h9}%\Ÿ,"gZʚw05Rm' \ No newline at end of file +p5Y5fVwyG2s7m9ClsgbcVz/fSF2lJvbXxuN8O4b6sp+QiABmSGs0R3pZuf1v9xBr +Jc0JWhl4vvvb9F9WUbJR50hIpdWo6iX4vrz3TnSvPFmnpUpRfe+a29ZJhp0vCA4a +HVaOJGlnGZ5BdSkvPslGVCPu684OmO/veL5G1H7xmN6yg2b3n7SaGF7A4+rpVqgI +6GZiFpnM6LpyKyoTyXRL0ghzjhwggQCCnBaN7GIUhvPacPdilAJWmnagQzx8aZpT +LRe1WAeKH2Lbar4UNeot3MzWkZxUXyyWszTMe1ca94N3jY7MG8adzX3guMykP5qA +eya7UOphIwkQKlVB3N5bfQ +-> ssh-ed25519 /vwQcQ xQFghc3LzwG82u+h80e3NdfbCh85OKdai32pwvS3uzs +MdUPg9BHvPX85jWnV7evkNekPrzoJuT8FP0l/mhfZDk +-> ssh-ed25519 0R97PA 8cDQRKrujysaUiD5OxdrpmWn7ZZCJ9SNbLYtWuTSmXg +HFa/6WbK4aMK3cKEMEycyiclTu8jOcCMcr1R7Ebh73c +--- wZAdkwtibHAVLCqtfmZ54ZtPwDPogkRwfKREBR2xOeY +[ȹkR\ubГR +q૑Hbe{Y gmsƬ[-p \ No newline at end of file 
diff --git a/secrets/mimir-environment.age b/secrets/mimir-environment.age index a7a14ad..c5787cf 100644 Binary files a/secrets/mimir-environment.age and b/secrets/mimir-environment.age differ diff --git a/secrets/netbox-environment.age b/secrets/netbox-environment.age index 11e7c18..19317d6 100644 Binary files a/secrets/netbox-environment.age and b/secrets/netbox-environment.age differ diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix index af661fa..5ae0820 100644 --- a/services/baremetal-builder/default.nix +++ b/services/baremetal-builder/default.nix @@ -28,7 +28,19 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx" ]; }; - nix.settings.trusted-users = [ "builder" ]; + + users.users.buildbot = { + isSystemUser = true; + group = "nogroup"; + home = "/var/empty"; + shell = "/bin/sh"; + openssh.authorizedKeys.keys = [ + # Do not hardcode Buildbot's public key, selectively + # add the keys of the coordinators that require us. + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod" + ]; + }; + nix.settings.trusted-users = [ "builder" "buildbot" ]; nixpkgs.hostPlatform = "x86_64-linux"; diff --git a/services/buildbot/default.nix b/services/buildbot/default.nix new file mode 100644 index 0000000..5b3187f --- /dev/null +++ b/services/buildbot/default.nix 
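Review bot: The `buildbot` user is added to `nix.settings.trusted-users` in services/baremetal-builder/default.nix without a comment explaining the grant; a trusted user can push unsigned store paths to the builder and override daemon settings, so the reason deserves a line, e.g. `# trusted so the Buildbot coordinator can push unsigned build inputs over ssh-ng`. The comment above the authorized key also reads as the opposite of what the code does: it says not to hardcode Buildbot's key and then hardcodes one literal; rewording it to `# Authorized keys of the coordinators allowed to use this builder; list each explicitly instead of importing from ssh-keys.nix.` would match. `shell = "/bin/sh"` on a system user is presumably needed so ssh can start the remote nix daemon; saying so in a comment would stop someone later tightening it to nologin and breaking remote builds.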
@@ -0,0 +1,137 @@
+ {
+ nodes,
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ let
+ cfg = config.bagel.services.buildbot;
+ cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;
+ ssh-keys = import ../../common/ssh-keys.nix;
+ inherit (lib) mkEnableOption mkOption mkIf types;
+ in
+ {
+ options.bagel.services.buildbot = {
+ enable = mkEnableOption "Buildbot";
+ domain = mkOption {
+ type = types.str;
+ };
+
+ builders = mkOption {
+ type = types.listOf types.str;
+ description = "List of builders to configure for Buildbot";
+ example = [ "builder-2" "builder-3" ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ age.secrets.buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
+ age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
+ age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
+ age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
+ age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
+ age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age;
+
+ services.nginx.virtualHosts.${cfg.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ add_header Access-Control-Allow-Credentials 'true' always;
+ add_header Access-Control-Allow-Origin 'https://cl.forkos.org' always;
+ '';
+ };
+
+ services.buildbot-nix.worker = {
+ enable = true;
+ workerPasswordFile = config.age.secrets.buildbot-worker-password.path;
+ # All credits to eldritch horrors for this beauty.
+ workerArchitectures =
+ {
+ # nix-eval-jobs runs under a lock, error reports do not (but are cheap)
+ other = 8;
+ } // (
+ lib.filterAttrs
+ (n: v: lib.elem n config.services.buildbot-nix.coordinator.buildSystems)
+ (lib.zipAttrsWith
+ (_: lib.foldl' lib.add 0)
+ (lib.concatMap
+ (m: map (s: { ${s} = m.maxJobs; }) m.systems)
+ config.nix.buildMachines))
+ );
+ };
+
+ services.buildbot-nix.coordinator = {
+ enable = true;
+
+ inherit (cfg) domain;
+
+ oauth2 = {
+ name = "Lix";
+ clientId = "forkos-buildbot";
+ clientSecretFile = config.age.secrets.buildbot-oauth-secret.path;
+ resourceEndpoint = "https://identity.lix.systems";
+ authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+ tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+ };
+
+ workersFile = config.age.secrets.buildbot-workers.path;
+
+ allowedOrigins = [
+ "*.forkos.org"
+ ];
+
+ buildSystems = [
+ "x86_64-linux"
+ ];
+
+ gerrit = {
+ domain = cfgGerrit.canonicalDomain;
+ # Manually managed account…
+ # TODO: https://git.lix.systems/the-distro/infra/issues/69
+ username = "buildbot";
+ port = cfgGerrit.port;
+ privateKeyFile = config.age.secrets.buildbot-service-key.path;
+ projects = [
+ "buildbot-test"
+ "nixpkgs"
+ "infra"
+ ];
+ };
+
+ evalWorkerCount = 6;
+ evalMaxMemorySize = "4096";
+
+ signingKeyFile = config.age.secrets.buildbot-signing-key.path;
+ };
+
+ nix.distributedBuilds = true;
+ nix.buildMachines = map (n: {
+ hostName = nodes.${n}.config.networking.fqdn;
+ protocol = "ssh-ng";
+ # Follows Hydra.
+ maxJobs = 8;
+ sshKey = config.age.secrets.buildbot-remote-builder-key.path;
+ sshUser = "buildbot";
+ systems = [ "x86_64-linux" ];
+ supportedFeatures = nodes.${n}.config.nix.settings.system-features;
+ # TODO: fix it, see the Hydra file about it.
+ # IFD already exist in NixOS, so it's fine, I guess.
+ publicHostKey = builtins.readFile (pkgs.runCommandLocal "in-the-right-form" {
+ buildInputs = [
+ pkgs.coreutils
+ ];
+ } ''
+ echo -n '${ssh-keys.machines.${n}}' | base64 -w0 > $out
+ '');
+ }
+ ) cfg.builders;
+
+ nix.settings.keep-derivations = true;
+ nix.gc = {
+ automatic = true;
+ dates = "hourly";
+ };
+ };
+ }
diff --git a/services/default.nix b/services/default.nix
index 0599eb5..27dacfd 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -8,5 +8,6 @@
 ./postgres
 ./forgejo
 ./baremetal-builder
+ ./buildbot
 ];
 }
diff --git a/services/gerrit/checks.js b/services/gerrit/checks.js
new file mode 100644
index 0000000..dd6a814
--- /dev/null
+++ b/services/gerrit/checks.js
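Review bot: The CORS header in `extraConfig` hardcodes `'https://cl.forkos.org'` while the same module reads the Gerrit host from `cfgGerrit.canonicalDomain` a few lines later; `add_header Access-Control-Allow-Origin 'https://${cfgGerrit.canonicalDomain}' always;` keeps the credentialed origin tied to the Gerrit instance that actually embeds checks.js instead of a second copy of the name. nginx `add_header` lines placed in `extraConfig` sit at server level and are not inherited by any `location` that declares its own `add_header`; if the buildbot-nix module defines such locations, both headers silently vanish from the API responses the plugin calls with `credentials: 'include'`, so this is worth checking with a real request rather than assumed. `age.secrets.buildbot-workers.file` points at `../../secrets/buildbot-workers.age`, which I do not see added anywhere in this diff; if it is genuinely absent, evaluation fails on that path. The `publicHostKey` value is import-from-derivation as the TODO says, and it also makes every evaluation depend on `pkgs.coreutils`; a comment stating that the value is just the base64 of the builder's key from ssh-keys.nix would let a later reader replace the derivation with a pure encoding confidently.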
@@ -0,0 +1,113 @@
+/* Inspired from the Lix setup.
+ * Original-Author: puckipedia
+ */
+Gerrit.install((plugin) => {
+ // TODO: can we just use `plugin.serverInfo().plugin` and control the settings over there.
+ const configuration = {
+ baseUri: @BASE_URI@,
+ supportedProjects: @SUPPORTED_PROJECTS@,
+ };
+
+ function makeBuildbotUri(suffix) {
+ return `${configuration.baseUri}/${suffix}`;
+ }
+
+ let builders = [];
+ let fetchBuilders = async () => {
+ if (builders.length > 0) return;
+ let data = await (await fetch(makeBuildbotUri(`api/v2/builders`), { credentials: 'include' })).json();
+ builders = data.builders;
+ };
+
+
+ let checksProvider;
+ checksProvider = {
+ async fetch({ repo, patchsetSha, changeNumber, patchsetNumber }, runBefore = false) {
+ if (!configuration.supportedProjects.includes(repo)) {
+ return { responseCode: 'OK' };
+ }
+
+ let num = changeNumber.toString(10);
+
+ let branch = `refs/changes/${num.substr(-2)}/${num}/${patchsetNumber}`;
+
+ let changeFetch = await fetch(makeBuildbotUri(`api/v2/changes?limit=1&order=-changeid&revision=${patchsetSha}&branch=${branch}`), { credentials: 'include' });
+ if (changeFetch.status == 400) {
+ if ((await changeFetch.json()).error === 'invalid origin' && !runBefore) {
+ return await checksProvider.fetch({ repo, patchsetSha, changeNumber, patchsetNumber }, true);
+ }
+
+ return { responseCode: 'OK' };
+ } else if (changeFetch.status === 403) {
+ return { responseCode: 'NOT_LOGGED_IN', loginCallback() {
+ window.open(configuration.baseUri);
+ } };
+ }
+
+ let changes = await changeFetch.json();
+ if (changes.meta.total === 0) {
+ return { responseCode: 'OK' };
+ }
+
+ let { changeid } = changes.changes[0];
+ let { builds } = await (await fetch(makeBuildbotUri(`api/v2/changes/${changeid}/builds?property=owners&property=workername`), { credentials: 'include' })).json();
+ await fetchBuilders();
+ let links = [];
+ let runs = [];
+ for (let build of builds) {
+ let name = `unknown builder
${build.builderid}`;
+ for (let builder of builders) {
+ if (builder.builderid === build.builderid) {
+ name = builder.name;
+ break;
+ }
+ }
+
+ if (name === `${repo}/nix-eval`) {
+ links.push({
+ url: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
+ primary: true,
+ icon: 'external',
+ });
+ }
+
+ let checkrun = {
+ attempt: build.buildrequestid,
+ // FIXME: generalize this accordingly once auto-discovery is available.
+ checkName: name.replace(/^hydraJobs\./, ''),
+ externalId: build.buildrequestid.toString(),
+ status: build.complete ? 'COMPLETED' : (typeof build.started_at !== 'number' ? 'SCHEDULED' : 'RUNNING'),
+ checkLink: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
+ labelName: 'Verified',
+ results: [],
+ links: [{
+ url: makeBuildbotUri(`#/builders/${build.builderid}/builds/${build.number}`),
+ primary: true,
+ icon: 'external',
+ }],
+ };
+
+ if (build.started_at !== null) {
+ checkrun.startedTimestamp = new Date(build.started_at * 1000);
+ }
+
+ if (build.complete_at !== null) {
+ checkrun.finishedTimestamp = new Date(build.complete_at * 1000);
+ }
+
+ if (build.results !== null) {
+ checkrun.results = [{
+ category: build.results < 2 ? 'SUCCESS' : 'ERROR',
+ summary: build.state_string,
+ }];
+ }
+
+ runs.push(checkrun);
+ }
+
+ return { responseCode: 'OK', runs, links };
+ }
+ };
+
+ plugin.checks().register(checksProvider);
+});
diff --git a/services/gerrit/default.nix b/services/gerrit/default.nix
index 5b4f8c5..61e7ca8 100644
--- a/services/gerrit/default.nix
+++ b/services/gerrit/default.nix
@@ -3,7 +3,7 @@
 { pkgs, config, lib, ... }:
 let
- inherit (lib) mkEnableOption mkIf mkOption types;
+ inherit (lib) mkEnableOption mkIf mkOption types head;
 cfgGerrit = config.services.gerrit;
 cfg = config.bagel.services.gerrit;
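Review bot: The `api/v2/changes` request in `checksProvider.fetch` interpolates `patchsetSha` and `branch` into the query string unencoded and then handles only status 400 and 403, so any other non-2xx answer (401, a 5xx, or an HTML error page from the reverse proxy) reaches `changes.meta.total` and throws a TypeError inside the checks UI instead of yielding a clean result. Encode both values with `encodeURIComponent` and guard before parsing, e.g. `if (!changeFetch.ok) { return { responseCode: 'ERROR', errorMessage: `buildbot returned ${changeFetch.status}` }; }` — as far as I recall Gerrit's checks API accepts an ERROR response code with a message, but confirm against the plugin API version in use; the `builds` and `builders` fetches have the same gap. Because every request is sent with `credentials: 'include'`, the plugin also depends on Buildbot's CORS allow-list covering the Gerrit origin (the `invalid origin` 400 branch suggests this already bites in practice), which is worth stating in the header comment: `// All requests are credentialed cross-origin calls; Buildbot's allowedOrigins must include this Gerrit's canonical domain.` Note too that `started_at` is tested with `typeof … !== 'number'` for the status but with `!== null` for the timestamp, so an `undefined` value would produce an Invalid Date — use one form for both.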
@@ -16,11 +16,22 @@ in
 type = types.listOf types.str;
 description = "List of domains that Gerrit will answer to";
 };
+ canonicalDomain = mkOption {
+ type = types.str;
+ description = "Canonical domain for this Gerrit instance";
+ default = head cfg.domains;
+ };
 data = mkOption {
 type = types.path;
 default = "/var/lib/gerrit";
 description = "Root of data directory for the Gerrit";
 };
+ port = mkOption {
+ type = types.port;
+ default = 29418;
+ readOnly = true;
+ description = "Port for the Gerrit SSH server";
+ };
 };
 imports = [
@@ -28,7 +39,7 @@ in
 ];
 config = mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = [ 29418 ];
+ networking.firewall.allowedTCPPorts = [ cfg.port ];
 environment.systemPackages = [ jdk ];
@@ -58,9 +69,24 @@ in
 "webhooks"
 ];
- plugins = with pkgs.gerritPlugins; [
+ plugins = with pkgs.gerritPlugins; [
 oauth
 metrics-reporter-prometheus
+ # Buildbot checks plugin (writeText because services.gerrit.plugins expects packages)
+ (pkgs.runCommand "checks.js" {
+ BASE_URI = builtins.toJSON "https://buildbot.forkos.org";
+ SUPPORTED_PROJECTS = builtins.toJSON [
+ "infra"
+ "nixpkgs"
+ "buildbot-test"
+ ];
+ }
+ ''
+ echo "configuring buildbot checks plugin for $BASE_URI with $SUPPORTED_PROJECTS project list"
+ substitute ${./checks.js} $out \
+ --replace-fail "@BASE_URI@" "$BASE_URI" \
+ --replace-fail "@SUPPORTED_PROJECTS@" "$SUPPORTED_PROJECTS"
+ '')
 ];
 package = pkgs.gerrit;
@@ -115,7 +141,7 @@ in
 # Other settings
 log.jsonLogging = true;
 log.textLogging = false;
- sshd.advertisedAddress = "cl.forkos.org:29418";
+ sshd.advertisedAddress = "${cfg.canonicalDomain}:${toString cfg.port}";
 cache.web_sessions.maxAge = "3 months";
 plugins.allowRemoteAdmin = false;
 change.enableAttentionSet = true;
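Review bot: In the plugins hunk `BASE_URI` hard-codes `https://buildbot.forkos.org` and `SUPPORTED_PROJECTS` re-lists `infra`/`nixpkgs`/`buildbot-test` by hand, while the rest of this commit replaces the hard-coded `cl.forkos.org` with `cfg.canonicalDomain` and the Buildbot module already carries the same project list under `gerrit.projects`; the two lists will drift, and because the plugin returns an empty OK result for any repo not in its list, a project added on the Buildbot side but not here silently shows no checks. Derive both from the Buildbot module instead — if its options are exposed under `bagel.services.buildbot` (only `cfg.domain` and `cfg.builders` are visible here, so confirm the path), `BASE_URI = builtins.toJSON "https://${config.bagel.services.buildbot.domain}";` and `SUPPORTED_PROJECTS = builtins.toJSON config.services.buildbot-nix.coordinator.gerrit.projects;`. The comment on the new entry is also stale, it says `writeText` but the code uses `runCommand`; suggested wording: `# Buildbot checks plugin; built with runCommand because services.gerrit.plugins expects packages. Both substituted values must stay JSON-encoded (builtins.toJSON) since they are spliced into checks.js as JS literals.`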
@@ -130,7 +156,7 @@ in
 # Configures gerrit for being reverse-proxied by nginx as per
 # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
 gerrit = {
- canonicalWebUrl = "https://cl.forkos.org";
+ canonicalWebUrl = "https://${cfg.canonicalDomain}";
 docUrl = "/Documentation";
 defaultBranch = "refs/heads/main";
 };
@@ -147,7 +173,7 @@ in
 # Auto-link other CLs
 commentlink.gerrit = {
 match = "cl/(\\d+)";
- link = "https://cl.forkos.org/$1";
+ link = "https://${cfg.canonicalDomain}/$1";
 };
 # Configures integration with Keycloak, which then integrates with a