Compare commits
No commits in common. "main" and "flake-update-2024-03-18" have entirely different histories.
main
...
flake-upda
11
.gitea/workflows/checks.yaml
Normal file
11
.gitea/workflows/checks.yaml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
name: checks
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
push:
|
||||||
|
branches: main
|
||||||
|
jobs:
|
||||||
|
test:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- run: nix run --refresh github:Mic92/nix-fast-build -- --no-nom --eval-workers 10
|
17
LICENSE.md
17
LICENSE.md
|
@ -1,18 +1,7 @@
|
||||||
Copyright 2023 Clan contributers
|
Copyright 2023 Clan contributers
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||||
this software and associated documentation files (the "Software"), to deal in
|
|
||||||
the Software without restriction, including without limitation the rights to
|
|
||||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
|
||||||
the Software, and to permit persons to whom the Software is furnished to do so,
|
|
||||||
subject to the following conditions:
|
|
||||||
|
|
||||||
The above copyright notice and this permission notice shall be included in all
|
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||||
copies or substantial portions of the Software.
|
|
||||||
|
|
||||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
|
||||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
|
||||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
|
||||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
||||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
||||||
|
|
11
README.md
11
README.md
|
@ -4,10 +4,8 @@ This repository contains nixos modules and terraform code that powers clan.lol.
|
||||||
The website and git hosting is currently on [hetzner](https://www.hetzner.com/).
|
The website and git hosting is currently on [hetzner](https://www.hetzner.com/).
|
||||||
|
|
||||||
## Servers
|
## Servers
|
||||||
|
|
||||||
- web01:
|
- web01:
|
||||||
- Instance type:
|
- Instance type: [ex101](https://www.hetzner.com/de/dedicated-rootserver/ex101)
|
||||||
[ex101](https://www.hetzner.com/de/dedicated-rootserver/ex101)
|
|
||||||
- CPU: Intel Core i9-13900 (24 cores / 32 threads)
|
- CPU: Intel Core i9-13900 (24 cores / 32 threads)
|
||||||
- RAM: 64GB DDR5
|
- RAM: 64GB DDR5
|
||||||
- Drives: 2 x 1.92 TB NVME
|
- Drives: 2 x 1.92 TB NVME
|
||||||
|
@ -25,10 +23,3 @@ $ ./tf.sh apply
|
||||||
$ cd ./targets/web01
|
$ cd ./targets/web01
|
||||||
$ ./tf.sh apply
|
$ ./tf.sh apply
|
||||||
```
|
```
|
||||||
|
|
||||||
## To add a new project to CI
|
|
||||||
|
|
||||||
1. Add the 'buildbot-clan' topic to the repository using the "Manage topics"
|
|
||||||
button below the project description
|
|
||||||
2. Go to https://buildbot.clan.lol/#/builders/2 and press "Update projects"
|
|
||||||
after you have logged in.
|
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
{
|
{
|
||||||
perSystem =
|
perSystem =
|
||||||
{ inputs', pkgs, ... }:
|
{ inputs'
|
||||||
|
, pkgs
|
||||||
|
, lib
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
let
|
let
|
||||||
convert2Tofu =
|
convert2Tofu = provider: provider.override (prev: {
|
||||||
provider:
|
homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [ "registry.opentofu.org" ] prev.homepage;
|
||||||
provider.override (prev: {
|
});
|
||||||
homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [
|
|
||||||
"registry.opentofu.org"
|
|
||||||
] prev.homepage;
|
|
||||||
});
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
devShells.default = pkgs.mkShellNoCC {
|
devShells.default = pkgs.mkShellNoCC {
|
||||||
|
@ -18,18 +18,17 @@
|
||||||
|
|
||||||
inputs'.clan-core.packages.clan-cli
|
inputs'.clan-core.packages.clan-cli
|
||||||
|
|
||||||
(pkgs.opentofu.withPlugins (
|
(pkgs.opentofu.withPlugins (p: builtins.map convert2Tofu [
|
||||||
p:
|
p.hetznerdns
|
||||||
builtins.map convert2Tofu [
|
p.hcloud
|
||||||
p.hetznerdns
|
p.null
|
||||||
p.hcloud
|
p.external
|
||||||
p.null
|
p.local
|
||||||
p.external
|
]))
|
||||||
p.local
|
];
|
||||||
]
|
inputsFrom = [
|
||||||
))
|
inputs'.clan-core.devShells.default
|
||||||
];
|
];
|
||||||
inputsFrom = [ inputs'.clan-core.devShells.default ];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
225
flake.lock
225
flake.lock
|
@ -1,47 +1,5 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"blobs": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1604995301,
|
|
||||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
|
||||||
"owner": "simple-nixos-mailserver",
|
|
||||||
"repo": "blobs",
|
|
||||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
|
||||||
"type": "gitlab"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "simple-nixos-mailserver",
|
|
||||||
"repo": "blobs",
|
|
||||||
"type": "gitlab"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"buildbot-nix": {
|
|
||||||
"inputs": {
|
|
||||||
"flake-parts": [
|
|
||||||
"flake-parts"
|
|
||||||
],
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"treefmt-nix": [
|
|
||||||
"treefmt-nix"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1719797756,
|
|
||||||
"narHash": "sha256-TGZthxgxLdT8boadFm6+MK7HZlIxN1u1V+x3hu+Fd8I=",
|
|
||||||
"owner": "Mic92",
|
|
||||||
"repo": "buildbot-nix",
|
|
||||||
"rev": "0b56574a5c823097771487d1bac952c3549fe9fb",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "Mic92",
|
|
||||||
"repo": "buildbot-nix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"clan-core": {
|
"clan-core": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
|
@ -49,25 +7,28 @@
|
||||||
"flake-parts"
|
"flake-parts"
|
||||||
],
|
],
|
||||||
"nixos-generators": "nixos-generators",
|
"nixos-generators": "nixos-generators",
|
||||||
"nixos-images": "nixos-images",
|
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"sops-nix": "sops-nix",
|
"sops-nix": [
|
||||||
|
"sops-nix"
|
||||||
|
],
|
||||||
"treefmt-nix": [
|
"treefmt-nix": [
|
||||||
"treefmt-nix"
|
"treefmt-nix"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1720172904,
|
"lastModified": 1710710604,
|
||||||
"narHash": "sha256-TjJPIUYyoXZGNuBi0nooyr3nm8yyKeZQy6PLjXPFTSE=",
|
"narHash": "sha256-RN00CBLQf1eDWnlSi7Dig/h3SLJKN39EsBuPeNvZM4g=",
|
||||||
"rev": "fb38516a867c1aa62eb9cc14aaf7903b13e1ae83",
|
"ref": "refs/heads/main",
|
||||||
"type": "tarball",
|
"rev": "4a5b9cf0f47d60ab36afa40c4a6a76e268000943",
|
||||||
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/fb38516a867c1aa62eb9cc14aaf7903b13e1ae83.tar.gz"
|
"revCount": 2284,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.clan.lol/clan/clan-core"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "git",
|
||||||
"url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"
|
"url": "https://git.clan.lol/clan/clan-core"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"disko": {
|
"disko": {
|
||||||
|
@ -78,11 +39,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1718846788,
|
"lastModified": 1710169806,
|
||||||
"narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=",
|
"narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e",
|
"rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -91,18 +52,23 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-compat": {
|
"disko_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1696426674,
|
"lastModified": 1710427903,
|
||||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
"narHash": "sha256-sV0Q5ndvfjK9JfCg/QM/HX/fcittohvtq8dD62isxdM=",
|
||||||
"owner": "edolstra",
|
"owner": "nix-community",
|
||||||
"repo": "flake-compat",
|
"repo": "disko",
|
||||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
"rev": "21d89b333ca300bef82c928c856d48b94a9f997c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "edolstra",
|
"owner": "nix-community",
|
||||||
"repo": "flake-compat",
|
"repo": "disko",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -113,11 +79,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719994518,
|
"lastModified": 1709336216,
|
||||||
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
|
"narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
|
"rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -126,41 +92,35 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-utils": {
|
"nixlib": {
|
||||||
"inputs": {
|
|
||||||
"systems": "systems"
|
|
||||||
},
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1710146030,
|
"lastModified": 1709426687,
|
||||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
"narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=",
|
||||||
"owner": "numtide",
|
"owner": "nix-community",
|
||||||
"repo": "flake-utils",
|
"repo": "nixpkgs.lib",
|
||||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
"rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "numtide",
|
"owner": "nix-community",
|
||||||
"repo": "flake-utils",
|
"repo": "nixpkgs.lib",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixos-generators": {
|
"nixos-generators": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixlib": [
|
"nixlib": "nixlib",
|
||||||
"clan-core",
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"clan-core",
|
"clan-core",
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1718025593,
|
"lastModified": 1710164763,
|
||||||
"narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
|
"narHash": "sha256-6p7yebSjzrL8qK4Q0gx2RnsxaudGUQcgkSxFG/J265Y=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nixos-generators",
|
"repo": "nixos-generators",
|
||||||
"rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
|
"rev": "1d9c8cd24eba7942955f92fdcefba5a6a7543bc6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -169,62 +129,13 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixos-images": {
|
|
||||||
"inputs": {
|
|
||||||
"nixos-stable": [
|
|
||||||
"clan-core"
|
|
||||||
],
|
|
||||||
"nixos-unstable": [
|
|
||||||
"clan-core",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1718845599,
|
|
||||||
"narHash": "sha256-HbQ0iKohKJC5grC95HNjLxGPdgsc/BJgoENDYNbzkLo=",
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nixos-images",
|
|
||||||
"rev": "c1e6a5f7b08f1c9993de1cfc5f15f838bf783b88",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "nixos-images",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixos-mailserver": {
|
|
||||||
"inputs": {
|
|
||||||
"blobs": "blobs",
|
|
||||||
"flake-compat": [
|
|
||||||
"flake-compat"
|
|
||||||
],
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"nixpkgs-24_05": []
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1718697807,
|
|
||||||
"narHash": "sha256-Enla61WFisytTYbWygPynEbu8vozjeGc6Obkj2GRj7o=",
|
|
||||||
"owner": "simple-nixos-mailserver",
|
|
||||||
"repo": "nixos-mailserver",
|
|
||||||
"rev": "290a995de5c3d3f08468fa548f0d55ab2efc7b6b",
|
|
||||||
"type": "gitlab"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "simple-nixos-mailserver",
|
|
||||||
"repo": "nixos-mailserver",
|
|
||||||
"type": "gitlab"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719931832,
|
"lastModified": 1710669607,
|
||||||
"narHash": "sha256-0LD+KePCKKEb4CcPsTBOwf019wDtZJanjoKm1S8q3Do=",
|
"narHash": "sha256-kNj0Ka1/rkQRcigYTa1c5B6IcFuxDgM3s9jYuKUhxyM=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "0aeab749216e4c073cece5d34bc01b79e717c3e0",
|
"rev": "6af7e814afb3b62171eee1edc31989ee61528d25",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -236,13 +147,11 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"buildbot-nix": "buildbot-nix",
|
|
||||||
"clan-core": "clan-core",
|
"clan-core": "clan-core",
|
||||||
"flake-compat": "flake-compat",
|
"disko": "disko_2",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
"flake-utils": "flake-utils",
|
|
||||||
"nixos-mailserver": "nixos-mailserver",
|
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"srvos": "srvos",
|
"srvos": "srvos",
|
||||||
"treefmt-nix": "treefmt-nix"
|
"treefmt-nix": "treefmt-nix"
|
||||||
}
|
}
|
||||||
|
@ -250,19 +159,16 @@
|
||||||
"sops-nix": {
|
"sops-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"clan-core",
|
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"nixpkgs-stable": [
|
"nixpkgs-stable": []
|
||||||
"clan-core"
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719111739,
|
"lastModified": 1710644594,
|
||||||
"narHash": "sha256-kr2QzRrplzlCP87ddayCZQS+dhGW98kw2zy7+jUXtF4=",
|
"narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "5e2e9421e9ed2b918be0a441c4535cfa45e04811",
|
"rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -278,11 +184,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719965291,
|
"lastModified": 1710664522,
|
||||||
"narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=",
|
"narHash": "sha256-Y2z6Q7V3vjCKTAsn65VNeWoHfr9XE7W9cM7wjq0Yu5w=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "srvos",
|
"repo": "srvos",
|
||||||
"rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74",
|
"rev": "83eef007bb039bd5dfd7262a0746d02791ef4b6b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -291,21 +197,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"systems": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"treefmt-nix": {
|
"treefmt-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -313,11 +204,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719887753,
|
"lastModified": 1710278050,
|
||||||
"narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
|
"narHash": "sha256-Oc6BP7soXqb8itlHI8UKkdf3V9GeJpa1S39SR5+HJys=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "treefmt-nix",
|
"repo": "treefmt-nix",
|
||||||
"rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
|
"rev": "35791f76524086ab4b785a33e4abbedfda64bd22",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
133
flake.nix
133
flake.nix
|
@ -1,108 +1,69 @@
|
||||||
{
|
{
|
||||||
description = "Dependencies to deploy a clan";
|
description = "Dependencies to deploy a clan";
|
||||||
|
|
||||||
#nixConfig = {
|
nixConfig = {
|
||||||
# extra-substituters = [ "https://cache.clan.lol" ];
|
extra-substituters = [ "https://cache.clan.lol" ];
|
||||||
# extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
||||||
#};
|
};
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
|
||||||
flake-compat.url = "github:edolstra/flake-compat";
|
|
||||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||||
treefmt-nix.url = "github:numtide/treefmt-nix";
|
treefmt-nix.url = "github:numtide/treefmt-nix";
|
||||||
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
nixos-mailserver = {
|
disko.url = "github:nix-community/disko";
|
||||||
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
disko.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
inputs.nixpkgs-24_05.follows = "";
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
inputs.flake-compat.follows = "flake-compat";
|
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
sops-nix.inputs.nixpkgs-stable.follows = "";
|
||||||
|
|
||||||
srvos.url = "github:numtide/srvos";
|
srvos.url = "github:numtide/srvos";
|
||||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
|
clan-core.url = "git+https://git.clan.lol/clan/clan-core";
|
||||||
clan-core.inputs.flake-parts.follows = "flake-parts";
|
clan-core.inputs.flake-parts.follows = "flake-parts";
|
||||||
clan-core.inputs.nixpkgs.follows = "nixpkgs";
|
clan-core.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
clan-core.inputs.treefmt-nix.follows = "treefmt-nix";
|
clan-core.inputs.treefmt-nix.follows = "treefmt-nix";
|
||||||
|
clan-core.inputs.sops-nix.follows = "sops-nix";
|
||||||
buildbot-nix.url = "github:Mic92/buildbot-nix";
|
|
||||||
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
buildbot-nix.inputs.flake-parts.follows = "flake-parts";
|
|
||||||
buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs =
|
outputs = inputs@{ flake-parts, ... }:
|
||||||
inputs@{ flake-parts, ... }:
|
flake-parts.lib.mkFlake { inherit inputs; } ({ self, ... }: {
|
||||||
flake-parts.lib.mkFlake { inherit inputs; } (
|
systems = [
|
||||||
{ self, ... }:
|
"x86_64-linux"
|
||||||
{
|
"aarch64-linux"
|
||||||
systems = [
|
];
|
||||||
"x86_64-linux"
|
imports = [
|
||||||
"aarch64-linux"
|
inputs.treefmt-nix.flakeModule
|
||||||
];
|
./devShells/flake-module.nix
|
||||||
imports = [
|
./targets/flake-module.nix
|
||||||
inputs.treefmt-nix.flakeModule
|
./modules/flake-module.nix
|
||||||
./devShells/flake-module.nix
|
./pkgs/flake-module.nix
|
||||||
./targets/flake-module.nix
|
];
|
||||||
./modules/flake-module.nix
|
perSystem = ({ lib, self', system, ... }: {
|
||||||
./pkgs/flake-module.nix
|
treefmt = {
|
||||||
];
|
projectRootFile = ".git/config";
|
||||||
perSystem = (
|
programs.hclfmt.enable = true;
|
||||||
{
|
programs.nixpkgs-fmt.enable = true;
|
||||||
lib,
|
settings.formatter.nixpkgs-fmt.excludes = [
|
||||||
self',
|
# generated files
|
||||||
system,
|
"node-env.nix"
|
||||||
pkgs,
|
"node-packages.nix"
|
||||||
...
|
"composition.nix"
|
||||||
}:
|
];
|
||||||
{
|
};
|
||||||
treefmt = {
|
checks =
|
||||||
package = pkgs.treefmt.overrideAttrs (_old: {
|
let
|
||||||
# https://github.com/numtide/treefmt/pull/325
|
nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
|
||||||
patches = [ ./treefmt-config.patch ];
|
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
|
||||||
});
|
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
|
||||||
projectRootFile = ".git/config";
|
homeConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (self'.legacyPackages.homeConfigurations or { });
|
||||||
programs.terraform.enable = true;
|
in
|
||||||
programs.shellcheck.enable = true;
|
nixosMachines // packages // devShells // homeConfigurations;
|
||||||
|
});
|
||||||
programs.deno.enable = true;
|
});
|
||||||
settings.global.excludes = [
|
|
||||||
# generated files
|
|
||||||
"sops/*"
|
|
||||||
"terraform.tfstate"
|
|
||||||
"*.tfvars.sops.json"
|
|
||||||
"*nixos-vars.json"
|
|
||||||
"secrets.yaml"
|
|
||||||
];
|
|
||||||
|
|
||||||
programs.nixfmt-rfc-style.enable = true;
|
|
||||||
settings.formatter.nixfmt-rfc-style.excludes = [
|
|
||||||
# generated files
|
|
||||||
"node-env.nix"
|
|
||||||
"node-packages.nix"
|
|
||||||
"composition.nix"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
checks =
|
|
||||||
let
|
|
||||||
nixosMachines = lib.mapAttrs' (
|
|
||||||
name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
|
|
||||||
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
|
|
||||||
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
|
|
||||||
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
|
|
||||||
homeConfigurations = lib.mapAttrs' (
|
|
||||||
name: config: lib.nameValuePair "home-manager-${name}" config.activation-script
|
|
||||||
) (self'.legacyPackages.homeConfigurations or { });
|
|
||||||
in
|
|
||||||
nixosMachines // packages // devShells // homeConfigurations;
|
|
||||||
}
|
|
||||||
);
|
|
||||||
}
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS2PvT2e04pqbt1EFFN2y1za9nNmr8rcfnXq9kG5RS2 nixbld@turingmachine
|
|
|
@ -41,18 +41,7 @@ in
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" ];
|
||||||
shell = "/run/current-system/sw/bin/zsh";
|
shell = "/run/current-system/sw/bin/zsh";
|
||||||
uid = 1004;
|
uid = 1004;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [ admins.kenji admins.kenji-remote ];
|
||||||
admins.kenji
|
|
||||||
admins.kenji-remote
|
|
||||||
];
|
|
||||||
};
|
|
||||||
johannes = {
|
|
||||||
isNormalUser = true;
|
|
||||||
home = "/home/johannes";
|
|
||||||
extraGroups = [ "wheel" ];
|
|
||||||
shell = "/run/current-system/sw/bin/zsh";
|
|
||||||
uid = 1005;
|
|
||||||
openssh.authorizedKeys.keys = [ admins.johannes ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
root.openssh.authorizedKeys.keys = builtins.attrValues admins;
|
root.openssh.authorizedKeys.keys = builtins.attrValues admins;
|
||||||
|
|
|
@ -1,57 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
{
|
|
||||||
services.buildbot-nix.master = {
|
|
||||||
enable = true;
|
|
||||||
# Domain name under which the buildbot frontend is reachable
|
|
||||||
domain = "buildbot.clan.lol";
|
|
||||||
# The workers file configures credentials for the buildbot workers to connect to the master.
|
|
||||||
# "name" is the configured worker name in services.buildbot-nix.worker.name of a worker
|
|
||||||
# (defaults to the hostname of the machine)
|
|
||||||
# "pass" is the password for the worker configured in `services.buildbot-nix.worker.workerPasswordFile`
|
|
||||||
# "cores" is the number of cpu cores the worker has.
|
|
||||||
# The number must match as otherwise potentially not enought buildbot-workers are created.
|
|
||||||
workersFile = config.sops.secrets.buildbot-workers-file.path;
|
|
||||||
|
|
||||||
authBackend = "gitea";
|
|
||||||
|
|
||||||
admins = [
|
|
||||||
"Mic92"
|
|
||||||
"Qubasa"
|
|
||||||
"DavHau"
|
|
||||||
"kenji"
|
|
||||||
"hsjobeki"
|
|
||||||
"lassulus"
|
|
||||||
];
|
|
||||||
|
|
||||||
gitea = {
|
|
||||||
enable = true;
|
|
||||||
instanceUrl = "https://git.clan.lol";
|
|
||||||
# Redirect URIs. Please use a new line for every URI: https://buildbot.clan.lol/auth/login
|
|
||||||
oauthId = "adb3425c-490f-4558-9487-8f8940d2925b";
|
|
||||||
oauthSecretFile = config.sops.secrets.buildbot-oauth-secret-file.path;
|
|
||||||
webhookSecretFile = config.sops.secrets.buildbot-webhook-secret-file.path;
|
|
||||||
tokenFile = config.sops.secrets.buildbot-token-file.path;
|
|
||||||
topic = "buildbot-clan";
|
|
||||||
};
|
|
||||||
|
|
||||||
# optional nix-eval-jobs settings
|
|
||||||
evalWorkerCount = 10; # limit number of concurrent evaluations
|
|
||||||
evalMaxMemorySize = "4096"; # limit memory usage per evaluation
|
|
||||||
};
|
|
||||||
|
|
||||||
# Optional: Enable acme/TLS in nginx (recommended)
|
|
||||||
services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.buildbot-nix.worker = {
|
|
||||||
enable = true;
|
|
||||||
workerPasswordFile = config.sops.secrets.buildbot-worker-password-file.path;
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.secrets.buildbot-oauth-secret-file = { };
|
|
||||||
sops.secrets.buildbot-workers-file = { };
|
|
||||||
sops.secrets.buildbot-worker-password-file = { };
|
|
||||||
sops.secrets.buildbot-token-file = { };
|
|
||||||
}
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ self, inputs, ... }:
|
{ self, inputs, ... }: {
|
||||||
{
|
|
||||||
flake.nixosModules = {
|
flake.nixosModules = {
|
||||||
server.imports = [
|
server.imports = [
|
||||||
inputs.srvos.nixosModules.server
|
inputs.srvos.nixosModules.server
|
||||||
|
@ -16,21 +15,11 @@
|
||||||
./initrd-networking.nix
|
./initrd-networking.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
buildbot.imports = [
|
|
||||||
inputs.buildbot-nix.nixosModules.buildbot-master
|
|
||||||
inputs.buildbot-nix.nixosModules.buildbot-worker
|
|
||||||
./buildbot.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
web01.imports = [
|
web01.imports = [
|
||||||
self.nixosModules.server
|
self.nixosModules.server
|
||||||
self.nixosModules.buildbot
|
|
||||||
inputs.srvos.nixosModules.mixins-nginx
|
inputs.srvos.nixosModules.mixins-nginx
|
||||||
inputs.srvos.nixosModules.mixins-nix-experimental
|
inputs.srvos.nixosModules.mixins-nix-experimental
|
||||||
./matrix-bot.nix
|
|
||||||
./web01
|
./web01
|
||||||
inputs.nixos-mailserver.nixosModules.mailserver
|
|
||||||
./mailserver.nix
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,22 +1,31 @@
|
||||||
{ config, lib, ... }:
|
{ config
|
||||||
let
|
, lib
|
||||||
cfg = config.clan-infra.networking;
|
, ...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
cfg = config.clan.networking;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
clan-infra.networking.ipv4.address = lib.mkOption { type = lib.types.str; };
|
clan.networking.ipv4.address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
clan-infra.networking.ipv4.cidr = lib.mkOption {
|
clan.networking.ipv4.cidr = mkOption {
|
||||||
type = lib.types.str;
|
type = types.str;
|
||||||
default = "26";
|
default = "26";
|
||||||
};
|
};
|
||||||
|
|
||||||
clan-infra.networking.ipv4.gateway = lib.mkOption { type = lib.types.str; };
|
clan.networking.ipv4.gateway = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
clan-infra.networking.ipv6.address = lib.mkOption { type = lib.types.str; };
|
clan.networking.ipv6.address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
clan-infra.networking.ipv6.cidr = lib.mkOption {
|
clan.networking.ipv6.cidr = mkOption {
|
||||||
type = lib.types.str;
|
type = types.str;
|
||||||
default = "64";
|
default = "64";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,54 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
let
|
|
||||||
mailPassword =
|
|
||||||
{ service }:
|
|
||||||
{
|
|
||||||
secret."${service}-password" = { };
|
|
||||||
secret."${service}-password-hash" = { };
|
|
||||||
generator.path = with pkgs; [
|
|
||||||
coreutils
|
|
||||||
xkcdpass
|
|
||||||
mkpasswd
|
|
||||||
];
|
|
||||||
generator.script = ''
|
|
||||||
xkcdpass -n 4 -d - > $secrets/${service}-password
|
|
||||||
cat $secrets/${service}-password | mkpasswd -s -m bcrypt > $secrets/${service}-password-hash
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
mailserver = {
|
|
||||||
enable = true;
|
|
||||||
fqdn = "mail.clan.lol";
|
|
||||||
domains = [ "clan.lol" ];
|
|
||||||
enablePop3 = true;
|
|
||||||
certificateScheme = "acme-nginx";
|
|
||||||
# kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
|
|
||||||
localDnsResolver = false;
|
|
||||||
|
|
||||||
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
|
||||||
config.clan.core.facts.services.golem-mail.secret.golem-password-hash.path;
|
|
||||||
loginAccounts."gitea@clan.lol".hashedPasswordFile =
|
|
||||||
config.clan.core.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.unbound = {
|
|
||||||
enable = true;
|
|
||||||
settings.server = {
|
|
||||||
prefetch = "yes";
|
|
||||||
prefetch-key = true;
|
|
||||||
qname-minimisation = true;
|
|
||||||
# Too many broken dnssec setups even at big companies such as amazon.
|
|
||||||
# Breaks my email setup. Better rely on tls for security.
|
|
||||||
val-permissive-mode = "yes";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# use local unbound as dns resolver
|
|
||||||
networking.nameservers = [ "127.0.0.1" ];
|
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
|
|
||||||
clan.core.facts.services.golem-mail = mailPassword { service = "golem"; };
|
|
||||||
clan.core.facts.services.gitea-mail = mailPassword { service = "gitea"; };
|
|
||||||
}
|
|
|
@ -1,49 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
self,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
let
|
|
||||||
name = "matrix-bot";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
users.groups.matrix-bot-user = { };
|
|
||||||
users.users.matrix-bot-user = {
|
|
||||||
group = "matrix-bot-user";
|
|
||||||
isSystemUser = true;
|
|
||||||
description = "User for matrix-bot service";
|
|
||||||
home = "/var/lib/matrix-bot";
|
|
||||||
createHome = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.${name} = {
|
|
||||||
path = [ self.packages.${pkgs.system}.matrix-bot ];
|
|
||||||
description = "Matrix bot for changelog and reviews";
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
environment = {
|
|
||||||
MATRIX_PASSWORD_FILE = "%d/MATRIX_PASSWORD_FILE";
|
|
||||||
OPENAI_API_KEY_FILE = "%d/OPENAI_API_KEY_FILE";
|
|
||||||
HOME = "/var/lib/${name}";
|
|
||||||
};
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
LoadCredential = [
|
|
||||||
"MATRIX_PASSWORD_FILE:${config.sops.secrets.web01-matrix-password-clan-bot.path}"
|
|
||||||
"OPENAI_API_KEY_FILE:${config.sops.secrets.qubasas-openai-api-key.path}"
|
|
||||||
];
|
|
||||||
User = "matrix-bot-user";
|
|
||||||
Group = "matrix-bot-user";
|
|
||||||
WorkingDirectory = "/var/lib/${name}";
|
|
||||||
RuntimeDirectory = "/var/lib/${name}";
|
|
||||||
};
|
|
||||||
|
|
||||||
script = ''
|
|
||||||
set -euxo pipefail
|
|
||||||
|
|
||||||
mbot --changelog-room "!FdCwyKsRlfooNYKYzx:matrix.org" --review-room "!tmSRJlbsVXFUKAddiM:gchq.icu"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
45
modules/single-disk.nix
Normal file
45
modules/single-disk.nix
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
{ self, ... }:
|
||||||
|
let
|
||||||
|
partitions = {
|
||||||
|
grub = {
|
||||||
|
name = "grub";
|
||||||
|
size = "1M";
|
||||||
|
type = "ef02";
|
||||||
|
};
|
||||||
|
esp = {
|
||||||
|
name = "ESP";
|
||||||
|
type = "EF00";
|
||||||
|
size = "500M";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
root = {
|
||||||
|
name = "root";
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
# We use xfs because it has support for compression and has a quite good performance for databases
|
||||||
|
format = "xfs";
|
||||||
|
mountpoint = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
self.inputs.disko.nixosModules.disko
|
||||||
|
];
|
||||||
|
disko.devices = {
|
||||||
|
disk.sda = {
|
||||||
|
type = "disk";
|
||||||
|
device = "/dev/sda";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
inherit partitions;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,21 +1,26 @@
|
||||||
{ config, self, ... }:
|
{ config, ... }: {
|
||||||
{
|
|
||||||
imports = [ self.inputs.clan-core.clanModules.borgbackup ];
|
|
||||||
|
|
||||||
# 100GB storagebox is under the nix-community hetzner account
|
# 100GB storagebox is under the nix-community hetzner account
|
||||||
clan.borgbackup.destinations.${config.networking.hostName} = {
|
|
||||||
repo = "u366395@u366395.your-storagebox.de:/./borgbackup";
|
|
||||||
rsh = "ssh -oPort=23 -i ${config.clan.core.facts.services.borgbackup.secret."borgbackup.ssh".path}";
|
|
||||||
};
|
|
||||||
|
|
||||||
clan.core.state.system.folders = [
|
systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
|
||||||
"/home"
|
"/var/log/telegraf"
|
||||||
"/etc"
|
|
||||||
"/var"
|
|
||||||
"/root"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
services.borgbackup.jobs.${config.networking.hostName} = {
|
# Run this from the hetzner network:
|
||||||
|
# ssh-keyscan -p 23 u359378.your-storagebox.de
|
||||||
|
programs.ssh.knownHosts = {
|
||||||
|
storagebox-ecdsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
||||||
|
storagebox-ecdsa.publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
|
||||||
|
|
||||||
|
storagebox-rsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
||||||
|
storagebox-rsa.publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.borgbackup.jobs.clan-lol = {
|
||||||
|
paths = [
|
||||||
|
"/home"
|
||||||
|
"/var"
|
||||||
|
"/root"
|
||||||
|
];
|
||||||
exclude = [
|
exclude = [
|
||||||
"*.pyc"
|
"*.pyc"
|
||||||
"/home/*/.direnv"
|
"/home/*/.direnv"
|
||||||
|
@ -36,20 +41,32 @@
|
||||||
"/var/tmp"
|
"/var/tmp"
|
||||||
"/var/log"
|
"/var/log"
|
||||||
];
|
];
|
||||||
|
# $ ssh-keygen -y -f /run/secrets/hetzner-borgbackup-ssh > /tmp/hetzner-borgbackup-ssh.pub
|
||||||
|
# $ cat /tmp/hetzner-borgbackup-ssh.pub | ssh -p23 u366395@u366395.your-storagebox.de install-ssh-key
|
||||||
|
repo = "u366395@u366395.your-storagebox.de:/./borgbackup";
|
||||||
|
|
||||||
# Disaster recovery:
|
# Disaster recovery:
|
||||||
# get the backup passphrase and ssh key from the sops and store them in /tmp
|
# get the backup passphrase and ssh key from the sops and store them in /tmp
|
||||||
# $ export BORG_PASSCOMMAND='cat /tmp/hetzner-borgbackup-passphrase'
|
# $ export BORG_PASSCOMMAND='cat /tmp/hetzner-borgbackup-passphrase'
|
||||||
# $ export BORG_REPO='u359378@u359378.your-storagebox.de:/./borgbackup'
|
# $ export BORG_REPO='u359378@u359378.your-storagebox.de:/./borgbackup'
|
||||||
# $ export BORG_RSH='ssh -oPort=23 -i /tmp/hetzner-borgbackup-ssh'
|
# $ export BORG_RSH='ssh -oPort=23 -i /tmp/hetzner-borgbackup-ssh'
|
||||||
# $ borg list
|
# $ borg list
|
||||||
# web01-clan-lol-2023-07-21T14:12:22 Fri, 2023-07-21 14:12:27 [539b1037669ffd0d3f50020f439bbe2881b7234910e405eafc333125383351bc]
|
# web01-clan-lol-2023-07-21T14:12:22 Fri, 2023-07-21 14:12:27 [539b1037669ffd0d3f50020f439bbe2881b7234910e405eafc333125383351bc]
|
||||||
# $ borg mount u359378@u359378.your-storagebox.de:/./borgbackup::web01-clan-lol-2023-07-21T14:12:22 /tmp/backup
|
# $ borg mount u359378@u359378.your-storagebox.de:/./borgbackup::web01-clan-lol-2023-07-21T14:12:22 /tmp/backup
|
||||||
|
doInit = true;
|
||||||
|
encryption = {
|
||||||
|
mode = "repokey-blake2";
|
||||||
|
# $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
|
||||||
|
passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
|
||||||
|
};
|
||||||
|
compression = "auto,zstd";
|
||||||
|
startAt = "daily";
|
||||||
|
|
||||||
# Also enable ssh support in the storagebox web interface.
|
# Also enable ssh support in the storagebox web interface.
|
||||||
# By default the storage box is only accessible from the hetzner network.
|
# By default the storage box is only accessible from the hetzner network.
|
||||||
# $ clan facts generate
|
# $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
|
||||||
# $ clan facts list web01 | jq .borgbackup.ssh.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
|
# $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
|
||||||
|
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
|
||||||
preHook = ''
|
preHook = ''
|
||||||
set -x
|
set -x
|
||||||
'';
|
'';
|
||||||
|
@ -59,19 +76,12 @@
|
||||||
task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
|
task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
|
||||||
EOF
|
EOF
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."borgbackup-job-${config.networking.hostName}".serviceConfig.ReadWritePaths = [
|
prune.keep = {
|
||||||
"/var/log/telegraf"
|
within = "1d"; # Keep all archives from the last day
|
||||||
];
|
daily = 7;
|
||||||
|
weekly = 4;
|
||||||
# Run this from the hetzner network:
|
monthly = 0;
|
||||||
# ssh-keyscan -p 23 u359378.your-storagebox.de
|
};
|
||||||
programs.ssh.knownHosts = {
|
|
||||||
storagebox-ecdsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
|
||||||
storagebox-ecdsa.publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
|
|
||||||
|
|
||||||
storagebox-rsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
|
||||||
storagebox-rsa.publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,18 +1,10 @@
|
||||||
{
|
{ config, self, pkgs, ... }: {
|
||||||
config,
|
|
||||||
self,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
# service to for automatic merge bot
|
# service to for automatic merge bot
|
||||||
systemd.services.clan-merge = {
|
systemd.services.clan-merge = {
|
||||||
description = "Merge clan.lol PRs automatically";
|
description = "Merge clan.lol PRs automatically";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
environment = {
|
environment = { GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE"; };
|
||||||
GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ];
|
LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ];
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
|
|
|
@ -1,15 +1,13 @@
|
||||||
{ self, ... }:
|
{ self, ... }: {
|
||||||
{
|
|
||||||
imports = [
|
imports = [
|
||||||
./borgbackup.nix
|
./borgbackup.nix
|
||||||
./clan-merge.nix
|
./clan-merge.nix
|
||||||
|
./dendrite.nix
|
||||||
./gitea
|
./gitea
|
||||||
./goaccess.nix
|
|
||||||
./harmonia.nix
|
./harmonia.nix
|
||||||
./homepage.nix
|
./homepage.nix
|
||||||
./postfix.nix
|
./postfix.nix
|
||||||
./jobs.nix
|
./jobs.nix
|
||||||
./matrix-synapse.nix
|
|
||||||
../dev.nix
|
../dev.nix
|
||||||
self.inputs.clan-core.clanModules.zt-tcp-relay
|
self.inputs.clan-core.clanModules.zt-tcp-relay
|
||||||
];
|
];
|
||||||
|
|
147
modules/web01/dendrite.nix
Normal file
147
modules/web01/dendrite.nix
Normal file
|
@ -0,0 +1,147 @@
|
||||||
|
{ config
|
||||||
|
, pkgs
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
database = {
|
||||||
|
connection_string = "postgres:///dendrite?host=/run/postgresql";
|
||||||
|
max_open_conns = 100;
|
||||||
|
max_idle_conns = 5;
|
||||||
|
conn_max_lifetime = -1;
|
||||||
|
};
|
||||||
|
inherit (config.services.dendrite.settings.global) server_name;
|
||||||
|
domain = "clan.lol";
|
||||||
|
nginx-vhost = "matrix.${domain}";
|
||||||
|
element-web =
|
||||||
|
pkgs.runCommand "element-web-with-config"
|
||||||
|
{
|
||||||
|
nativeBuildInputs = [ pkgs.buildPackages.jq ];
|
||||||
|
} ''
|
||||||
|
cp -r ${pkgs.element-web} $out
|
||||||
|
chmod -R u+w $out
|
||||||
|
jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
|
||||||
|
> $out/config.json < ${pkgs.element-web}/config.json
|
||||||
|
ln -s $out/config.json $out/config.${nginx-vhost}.json
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.dendrite = {
|
||||||
|
enable = true;
|
||||||
|
httpPort = 8043;
|
||||||
|
# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
|
||||||
|
|
||||||
|
# To create a user:
|
||||||
|
# $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
|
||||||
|
# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
|
||||||
|
# $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
|
||||||
|
environmentFile = config.sops.secrets.registration-secret.path;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
sync_api.search = {
|
||||||
|
enabled = true;
|
||||||
|
index_path = "/var/lib/dendrite/searchindex";
|
||||||
|
};
|
||||||
|
global = {
|
||||||
|
server_name = domain;
|
||||||
|
# `private_key` has the type `path`
|
||||||
|
# prefix a `/` to make `path` happy
|
||||||
|
private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
|
||||||
|
trusted_third_party_id_servers = [
|
||||||
|
"matrix.org"
|
||||||
|
"vector.im"
|
||||||
|
];
|
||||||
|
metrics.enabled = true;
|
||||||
|
};
|
||||||
|
logging = [
|
||||||
|
{
|
||||||
|
type = "std";
|
||||||
|
level = "warn";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
app_service_api = {
|
||||||
|
inherit database;
|
||||||
|
config_files = [ ];
|
||||||
|
};
|
||||||
|
client_api = {
|
||||||
|
registration_disabled = true;
|
||||||
|
rate_limiting.enabled = false;
|
||||||
|
registration_shared_secret = ''''${REGISTRATION_SHARED_SECRET}'';
|
||||||
|
};
|
||||||
|
media_api = {
|
||||||
|
inherit database;
|
||||||
|
dynamic_thumbnails = true;
|
||||||
|
};
|
||||||
|
room_server = {
|
||||||
|
inherit database;
|
||||||
|
};
|
||||||
|
push_server = {
|
||||||
|
inherit database;
|
||||||
|
};
|
||||||
|
relay_api = {
|
||||||
|
inherit database;
|
||||||
|
};
|
||||||
|
mscs = {
|
||||||
|
inherit database;
|
||||||
|
mscs = [ "msc2836" "msc2946" ];
|
||||||
|
};
|
||||||
|
sync_api = {
|
||||||
|
inherit database;
|
||||||
|
real_ip_header = "X-Real-IP";
|
||||||
|
};
|
||||||
|
key_server = {
|
||||||
|
inherit database;
|
||||||
|
};
|
||||||
|
federation_api = {
|
||||||
|
inherit database;
|
||||||
|
key_perspectives = [
|
||||||
|
{
|
||||||
|
server_name = "matrix.org";
|
||||||
|
keys = [
|
||||||
|
{
|
||||||
|
key_id = "ed25519:auto";
|
||||||
|
public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
key_id = "ed25519:a_RXGa";
|
||||||
|
public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
prefer_direct_fetch = false;
|
||||||
|
};
|
||||||
|
user_api = {
|
||||||
|
account_database = database;
|
||||||
|
device_database = database;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.dendrite.serviceConfig.LoadCredential = [
|
||||||
|
# $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
|
||||||
|
"matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.services.dendrite.after = [ "postgresql.service" ];
|
||||||
|
services.postgresql = {
|
||||||
|
ensureDatabases = [ "dendrite" ];
|
||||||
|
ensureUsers = [{
|
||||||
|
name = "dendrite";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${nginx-vhost} = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_read_timeout 600;
|
||||||
|
'';
|
||||||
|
locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
|
||||||
|
# for remote admin access
|
||||||
|
locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
|
||||||
|
locations."/".root = element-web;
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,26 +1,8 @@
|
||||||
{
|
{ config, self, pkgs, lib, ... }:
|
||||||
config,
|
|
||||||
self,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
storeDeps = pkgs.runCommand "store-deps" { } ''
|
storeDeps = pkgs.runCommand "store-deps" { } ''
|
||||||
mkdir -p $out/bin
|
mkdir -p $out/bin
|
||||||
for dir in ${
|
for dir in ${toString [ pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do
|
||||||
toString [
|
|
||||||
pkgs.coreutils
|
|
||||||
pkgs.findutils
|
|
||||||
pkgs.gnugrep
|
|
||||||
pkgs.gawk
|
|
||||||
pkgs.git
|
|
||||||
pkgs.nix
|
|
||||||
pkgs.bash
|
|
||||||
pkgs.jq
|
|
||||||
pkgs.nodejs
|
|
||||||
]
|
|
||||||
}; do
|
|
||||||
for bin in "$dir"/bin/*; do
|
for bin in "$dir"/bin/*; do
|
||||||
ln -s "$bin" "$out/bin/$(basename "$bin")"
|
ln -s "$bin" "$out/bin/$(basename "$bin")"
|
||||||
done
|
done
|
||||||
|
@ -32,95 +14,87 @@ let
|
||||||
'';
|
'';
|
||||||
numInstances = 2;
|
numInstances = 2;
|
||||||
in
|
in
|
||||||
lib.mkMerge [
|
lib.mkMerge [{
|
||||||
|
# everything here has no dependencies on the store
|
||||||
|
systemd.services.gitea-runner-nix-image = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "podman.service" ];
|
||||||
|
requires = [ "podman.service" ];
|
||||||
|
path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
|
||||||
|
# we also include etc here because the cleanup job also wants the nixuser to be present
|
||||||
|
script = ''
|
||||||
|
set -eux -o pipefail
|
||||||
|
mkdir -p etc/nix
|
||||||
|
|
||||||
|
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||||
|
touch etc/passwd etc/group
|
||||||
|
groupid=$(cut -d: -f3 < <(getent group nixuser))
|
||||||
|
userid=$(cut -d: -f3 < <(getent passwd nixuser))
|
||||||
|
groupadd --prefix $(pwd) --gid "$groupid" nixuser
|
||||||
|
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
||||||
|
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
|
||||||
|
|
||||||
|
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||||
|
accept-flake-config = true
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
NIX_CONFIG
|
||||||
|
|
||||||
|
cat <<NSSWITCH > etc/nsswitch.conf
|
||||||
|
passwd: files mymachines systemd
|
||||||
|
group: files mymachines systemd
|
||||||
|
shadow: files
|
||||||
|
|
||||||
|
hosts: files mymachines dns myhostname
|
||||||
|
networks: files
|
||||||
|
|
||||||
|
ethers: files
|
||||||
|
services: files
|
||||||
|
protocols: files
|
||||||
|
rpc: files
|
||||||
|
NSSWITCH
|
||||||
|
|
||||||
|
# list the content as it will be imported into the container
|
||||||
|
tar -cv . | tar -tvf -
|
||||||
|
tar -cv . | podman import - gitea-runner-nix
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
RuntimeDirectory = "gitea-runner-nix-image";
|
||||||
|
WorkingDirectory = "/run/gitea-runner-nix-image";
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.nixuser = {
|
||||||
|
group = "nixuser";
|
||||||
|
description = "Used for running nix ci jobs";
|
||||||
|
home = "/var/empty";
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.nixuser = { };
|
||||||
|
}
|
||||||
{
|
{
|
||||||
# everything here has no dependencies on the store
|
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances) (name: {
|
||||||
systemd.services.gitea-runner-nix-image = {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "podman.service" ];
|
after = [ "gitea.service" ];
|
||||||
requires = [ "podman.service" ];
|
environment = {
|
||||||
path = [
|
GITEA_CUSTOM = "/var/lib/gitea/custom";
|
||||||
config.virtualisation.podman.package
|
GITEA_WORK_DIR = "/var/lib/gitea";
|
||||||
pkgs.gnutar
|
};
|
||||||
pkgs.shadow
|
|
||||||
pkgs.getent
|
|
||||||
];
|
|
||||||
# we also include etc here because the cleanup job also wants the nixuser to be present
|
|
||||||
script = ''
|
script = ''
|
||||||
set -eux -o pipefail
|
set -euo pipefail
|
||||||
mkdir -p etc/nix
|
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
||||||
|
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
|
||||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
|
||||||
touch etc/passwd etc/group
|
|
||||||
groupid=$(cut -d: -f3 < <(getent group nixuser))
|
|
||||||
userid=$(cut -d: -f3 < <(getent passwd nixuser))
|
|
||||||
groupadd --prefix $(pwd) --gid "$groupid" nixuser
|
|
||||||
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
|
||||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
|
|
||||||
|
|
||||||
cat <<NIX_CONFIG > etc/nix/nix.conf
|
|
||||||
accept-flake-config = true
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
NIX_CONFIG
|
|
||||||
|
|
||||||
cat <<NSSWITCH > etc/nsswitch.conf
|
|
||||||
passwd: files mymachines systemd
|
|
||||||
group: files mymachines systemd
|
|
||||||
shadow: files
|
|
||||||
|
|
||||||
hosts: files mymachines dns myhostname
|
|
||||||
networks: files
|
|
||||||
|
|
||||||
ethers: files
|
|
||||||
services: files
|
|
||||||
protocols: files
|
|
||||||
rpc: files
|
|
||||||
NSSWITCH
|
|
||||||
|
|
||||||
# list the content as it will be imported into the container
|
|
||||||
tar -cv . | tar -tvf -
|
|
||||||
tar -cv . | podman import - gitea-runner-nix
|
|
||||||
'';
|
'';
|
||||||
|
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
RuntimeDirectory = "gitea-runner-nix-image";
|
User = "gitea";
|
||||||
WorkingDirectory = "/run/gitea-runner-nix-image";
|
Group = "gitea";
|
||||||
|
StateDirectory = "gitea-registration";
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
};
|
};
|
||||||
};
|
});
|
||||||
|
|
||||||
users.users.nixuser = {
|
|
||||||
group = "nixuser";
|
|
||||||
description = "Used for running nix ci jobs";
|
|
||||||
home = "/var/empty";
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
users.groups.nixuser = { };
|
|
||||||
}
|
|
||||||
{
|
|
||||||
systemd.services =
|
|
||||||
lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances)
|
|
||||||
(name: {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "gitea.service" ];
|
|
||||||
environment = {
|
|
||||||
GITEA_CUSTOM = "/var/lib/gitea/custom";
|
|
||||||
GITEA_WORK_DIR = "/var/lib/gitea";
|
|
||||||
};
|
|
||||||
script = ''
|
|
||||||
set -euo pipefail
|
|
||||||
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
|
||||||
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
|
|
||||||
'';
|
|
||||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
|
||||||
serviceConfig = {
|
|
||||||
User = "gitea";
|
|
||||||
Group = "gitea";
|
|
||||||
StateDirectory = "gitea-registration";
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
};
|
|
||||||
});
|
|
||||||
|
|
||||||
# Format of the token file:
|
# Format of the token file:
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
|
@ -137,119 +111,106 @@ lib.mkMerge [
|
||||||
|
|
||||||
virtualisation.containers.containersConf.settings = {
|
virtualisation.containers.containersConf.settings = {
|
||||||
# podman seems to not work with systemd-resolved
|
# podman seems to not work with systemd-resolved
|
||||||
containers.dns_servers = [
|
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
|
||||||
"8.8.8.8"
|
|
||||||
"8.8.4.4"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
systemd.services =
|
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: {
|
||||||
lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances)
|
after = [
|
||||||
(name: {
|
"${name}-token.service"
|
||||||
after = [
|
"gitea-runner-nix-image.service"
|
||||||
"${name}-token.service"
|
];
|
||||||
"gitea-runner-nix-image.service"
|
requires = [
|
||||||
];
|
"${name}-token.service"
|
||||||
requires = [
|
"gitea-runner-nix-image.service"
|
||||||
"${name}-token.service"
|
];
|
||||||
"gitea-runner-nix-image.service"
|
|
||||||
];
|
|
||||||
|
|
||||||
# TODO: systemd confinment
|
# TODO: systemd confinment
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
# Hardening (may overlap with DynamicUser=)
|
# Hardening (may overlap with DynamicUser=)
|
||||||
# The following options are only for optimizing output of systemd-analyze
|
# The following options are only for optimizing output of systemd-analyze
|
||||||
AmbientCapabilities = "";
|
AmbientCapabilities = "";
|
||||||
CapabilityBoundingSet = "";
|
CapabilityBoundingSet = "";
|
||||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||||
DeviceAllow = "";
|
DeviceAllow = "";
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateMounts = true;
|
PrivateMounts = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
PrivateUsers = true;
|
PrivateUsers = true;
|
||||||
ProtectClock = true;
|
ProtectClock = true;
|
||||||
ProtectControlGroups = true;
|
ProtectControlGroups = true;
|
||||||
ProtectHome = true;
|
ProtectHome = true;
|
||||||
ProtectHostname = true;
|
ProtectHostname = true;
|
||||||
ProtectKernelLogs = true;
|
ProtectKernelLogs = true;
|
||||||
ProtectKernelModules = true;
|
ProtectKernelModules = true;
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
ProtectSystem = "strict";
|
ProtectSystem = "strict";
|
||||||
RemoveIPC = true;
|
RemoveIPC = true;
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
UMask = "0066";
|
UMask = "0066";
|
||||||
ProtectProc = "invisible";
|
ProtectProc = "invisible";
|
||||||
SystemCallFilter = [
|
SystemCallFilter = [
|
||||||
"~@clock"
|
"~@clock"
|
||||||
"~@cpu-emulation"
|
"~@cpu-emulation"
|
||||||
"~@module"
|
"~@module"
|
||||||
"~@mount"
|
"~@mount"
|
||||||
"~@obsolete"
|
"~@obsolete"
|
||||||
"~@raw-io"
|
"~@raw-io"
|
||||||
"~@reboot"
|
"~@reboot"
|
||||||
"~@swap"
|
"~@swap"
|
||||||
# needed by go?
|
# needed by go?
|
||||||
#"~@resources"
|
#"~@resources"
|
||||||
"~@privileged"
|
"~@privileged"
|
||||||
"~capset"
|
"~capset"
|
||||||
"~setdomainname"
|
"~setdomainname"
|
||||||
"~sethostname"
|
"~sethostname"
|
||||||
];
|
];
|
||||||
RestrictAddressFamilies = [
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
|
||||||
"AF_INET"
|
|
||||||
"AF_INET6"
|
|
||||||
"AF_UNIX"
|
|
||||||
"AF_NETLINK"
|
|
||||||
];
|
|
||||||
|
|
||||||
# Needs network access
|
# Needs network access
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
# Cannot be true due to Node
|
# Cannot be true due to Node
|
||||||
MemoryDenyWriteExecute = false;
|
MemoryDenyWriteExecute = false;
|
||||||
|
|
||||||
# The more restrictive "pid" option makes `nix` commands in CI emit
|
# The more restrictive "pid" option makes `nix` commands in CI emit
|
||||||
# "GC Warning: Couldn't read /proc/stat"
|
# "GC Warning: Couldn't read /proc/stat"
|
||||||
# You may want to set this to "pid" if not using `nix` commands
|
# You may want to set this to "pid" if not using `nix` commands
|
||||||
ProcSubset = "all";
|
ProcSubset = "all";
|
||||||
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
|
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
|
||||||
# ASLR (address space layout randomization) which requires the
|
# ASLR (address space layout randomization) which requires the
|
||||||
# `personality` syscall
|
# `personality` syscall
|
||||||
# You may want to set this to `true` if not using coverage tooling on
|
# You may want to set this to `true` if not using coverage tooling on
|
||||||
# compiled code
|
# compiled code
|
||||||
LockPersonality = false;
|
LockPersonality = false;
|
||||||
|
|
||||||
# Note that this has some interactions with the User setting; so you may
|
# Note that this has some interactions with the User setting; so you may
|
||||||
# want to consult the systemd docs if using both.
|
# want to consult the systemd docs if using both.
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|
||||||
services.gitea-actions-runner.instances =
|
services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: {
|
||||||
lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
|
enable = true;
|
||||||
(name: {
|
name = "nix-runner";
|
||||||
enable = true;
|
# take the git root url from the gitea config
|
||||||
name = "nix-runner";
|
# only possible if you've also configured your gitea though the same nix config
|
||||||
# take the git root url from the gitea config
|
# otherwise you need to set it manually
|
||||||
# only possible if you've also configured your gitea though the same nix config
|
url = config.services.gitea.settings.server.ROOT_URL;
|
||||||
# otherwise you need to set it manually
|
# use your favourite nix secret manager to get a path for this
|
||||||
url = config.services.gitea.settings.server.ROOT_URL;
|
tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token";
|
||||||
# use your favourite nix secret manager to get a path for this
|
labels = [ "nix:docker://gitea-runner-nix" ];
|
||||||
tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token";
|
settings = {
|
||||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
||||||
settings = {
|
# the default network that also respects our dns server settings
|
||||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
container.network = "host";
|
||||||
# the default network that also respects our dns server settings
|
container.valid_volumes = [
|
||||||
container.network = "host";
|
"/nix"
|
||||||
container.valid_volumes = [
|
"${storeDeps}/bin"
|
||||||
"/nix"
|
"${storeDeps}/etc/ssl"
|
||||||
"${storeDeps}/bin"
|
];
|
||||||
"${storeDeps}/etc/ssl"
|
};
|
||||||
];
|
});
|
||||||
};
|
}]
|
||||||
});
|
|
||||||
}
|
|
||||||
]
|
|
||||||
|
|
|
@ -1,29 +1,8 @@
|
||||||
{
|
{ pkgs, self, ... }: {
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
self,
|
|
||||||
config,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
let
|
|
||||||
# make the logs for this host "public" so that they show up in e.g. metrics
|
|
||||||
publog =
|
|
||||||
vhost:
|
|
||||||
lib.attrsets.unionOfDisjoint vhost {
|
|
||||||
extraConfig =
|
|
||||||
(vhost.extraConfig or "")
|
|
||||||
+ ''
|
|
||||||
access_log /var/log/nginx/public.log vcombined;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
./postgresql.nix
|
./postgresql.nix
|
||||||
./actions-runner.nix
|
./actions-runner.nix
|
||||||
./installer.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
|
@ -33,21 +12,14 @@ in
|
||||||
host = "/run/postgresql";
|
host = "/run/postgresql";
|
||||||
port = 5432;
|
port = 5432;
|
||||||
};
|
};
|
||||||
lfs.enable = true;
|
|
||||||
package = self.packages.${pkgs.hostPlatform.system}.gitea;
|
package = self.packages.${pkgs.hostPlatform.system}.gitea;
|
||||||
|
|
||||||
settings.actions.ENABLED = true;
|
settings.actions.ENABLED = true;
|
||||||
|
|
||||||
mailerPasswordFile = config.clan.core.facts.services.gitea-mail.secret.gitea-password.path;
|
|
||||||
|
|
||||||
settings.mailer = {
|
settings.mailer = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
FROM = "gitea@clan.lol";
|
FROM = "gitea@clan.lol";
|
||||||
USER = "gitea@clan.lol";
|
HOST = "localhost:25";
|
||||||
SMTP_ADDR = "mail.clan.lol";
|
|
||||||
SMTP_PORT = "587";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
settings.log.LEVEL = "Error";
|
settings.log.LEVEL = "Error";
|
||||||
settings.service.DISABLE_REGISTRATION = false;
|
settings.service.DISABLE_REGISTRATION = false;
|
||||||
settings.metrics.ENABLED = true;
|
settings.metrics.ENABLED = true;
|
||||||
|
@ -59,17 +31,15 @@ in
|
||||||
DOMAIN = "git.clan.lol";
|
DOMAIN = "git.clan.lol";
|
||||||
LANDING_PAGE = "explore";
|
LANDING_PAGE = "explore";
|
||||||
};
|
};
|
||||||
settings.session.PROVIDER = "db";
|
|
||||||
settings.session.COOKIE_SECURE = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets.web01-gitea-password.owner = config.systemd.services.gitea.serviceConfig.User;
|
services.nginx.virtualHosts."git.clan.lol" = {
|
||||||
|
|
||||||
services.nginx.virtualHosts."git.clan.lol" = publog {
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
# The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance.
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_pass http://localhost:3002;
|
proxy_pass http://localhost:3002;
|
||||||
|
add_header Content-Security-Policy "frame-ancestors 'self' https://pad.lassul.us";
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
{
|
|
||||||
# http forward from https://clan.lol/sh to https://git.clan.lol/clan/clan-core/raw/branch/main/pkgs/gui-installer/gui-installer.sh
|
|
||||||
services.nginx.virtualHosts."clan.lol" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/install.sh".extraConfig = ''
|
|
||||||
proxy_pass http://localhost:3002/clan/clan-core/raw/branch/main/pkgs/gui-installer/gui-installer.sh;
|
|
||||||
'';
|
|
||||||
locations."/install-dev.sh".extraConfig = ''
|
|
||||||
proxy_pass http://localhost:3002/clan/clan-core/raw/branch/install-dev/pkgs/gui-installer/gui-installer.sh;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }: {
|
||||||
{
|
|
||||||
services.postgresql.enable = true;
|
services.postgresql.enable = true;
|
||||||
services.postgresql.package = pkgs.postgresql_14;
|
services.postgresql.package = pkgs.postgresql_14;
|
||||||
services.postgresql.settings = {
|
services.postgresql.settings = {
|
||||||
|
|
|
@ -1,114 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
domain = "metrics.clan.lol";
|
|
||||||
priv_goaccess = "/var/lib/goaccess";
|
|
||||||
pub_goaccess = "/var/www/goaccess";
|
|
||||||
|
|
||||||
user-agent-list = pkgs.writeText "browsers.list" ''
|
|
||||||
# List of browsers and their categories
|
|
||||||
# e.g., WORD delimited by tab(s) \t TYPE
|
|
||||||
# TYPE can be any type and it's not limited to the ones below.
|
|
||||||
matrix Matrix-Preview
|
|
||||||
slack Slack
|
|
||||||
github-actions-checkout GitHubActions
|
|
||||||
git Git
|
|
||||||
connect-go Go
|
|
||||||
Go-http-client Go
|
|
||||||
curl Curl
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
users.users.goaccess = {
|
|
||||||
isSystemUser = true;
|
|
||||||
group = "nginx";
|
|
||||||
createHome = true;
|
|
||||||
home = "${pub_goaccess}";
|
|
||||||
homeMode = "0774";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.commonHttpConfig = ''
|
|
||||||
log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
|
|
||||||
access_log /var/log/nginx/private.log vcombined;
|
|
||||||
'';
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d ${priv_goaccess} 0755 goaccess nginx -"
|
|
||||||
"d ${priv_goaccess}/db 0755 goaccess nginx -"
|
|
||||||
"d ${pub_goaccess} 0755 goaccess nginx -"
|
|
||||||
];
|
|
||||||
|
|
||||||
# --browsers-file=/etc/goaccess/browsers.list
|
|
||||||
# https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list
|
|
||||||
systemd.services.goaccess = {
|
|
||||||
description = "GoAccess server monitoring";
|
|
||||||
preStart = ''
|
|
||||||
rm -f ${pub_goaccess}/index.html
|
|
||||||
'';
|
|
||||||
serviceConfig = {
|
|
||||||
User = "goaccess";
|
|
||||||
Group = "nginx";
|
|
||||||
ExecStart = ''
|
|
||||||
${pkgs.goaccess}/bin/goaccess \
|
|
||||||
-f /var/log/nginx/public.log \
|
|
||||||
--log-format=VCOMBINED \
|
|
||||||
--ignore-crawlers \
|
|
||||||
--browsers-file=${user-agent-list} \
|
|
||||||
--real-time-html \
|
|
||||||
--all-static-files \
|
|
||||||
--html-refresh=30 \
|
|
||||||
--persist \
|
|
||||||
--restore \
|
|
||||||
--db-path=${priv_goaccess}/db \
|
|
||||||
--no-query-string \
|
|
||||||
--unknowns-log=${priv_goaccess}/unknowns.log \
|
|
||||||
--invalid-requests=${priv_goaccess}/invalid-requests.log \
|
|
||||||
--anonymize-ip \
|
|
||||||
--ignore-panel=HOSTS \
|
|
||||||
--ws-url=wss://${domain}:443/ws \
|
|
||||||
--port=7890 \
|
|
||||||
-o "${pub_goaccess}/index.html"
|
|
||||||
'';
|
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
|
||||||
Type = "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "10s";
|
|
||||||
|
|
||||||
# hardening
|
|
||||||
WorkingDirectory = "${pub_goaccess}";
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
PrivateTmp = true;
|
|
||||||
ProtectHome = "read-only";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
|
|
||||||
ReadOnlyPaths = "/";
|
|
||||||
ReadWritePaths = [
|
|
||||||
"/proc/self"
|
|
||||||
"${pub_goaccess}"
|
|
||||||
"${priv_goaccess}"
|
|
||||||
];
|
|
||||||
PrivateDevices = "yes";
|
|
||||||
ProtectKernelModules = "yes";
|
|
||||||
ProtectKernelTunables = "yes";
|
|
||||||
};
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
|
||||||
addSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
root = "${pub_goaccess}";
|
|
||||||
|
|
||||||
locations."/ws" = {
|
|
||||||
proxyPass = "http://127.0.0.1:7890";
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_read_timeout 7d;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,18 +1,17 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }: {
|
||||||
{
|
|
||||||
services.harmonia.enable = true;
|
services.harmonia.enable = true;
|
||||||
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
|
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
|
||||||
services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path;
|
services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path;
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
package = pkgs.nginxStable.override { modules = [ pkgs.nginxModules.zstd ]; };
|
package = pkgs.nginxStable.override {
|
||||||
|
modules = [ pkgs.nginxModules.zstd ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# trust our own cache
|
# trust our own cache
|
||||||
nix.settings.trusted-substituters = [ "https://cache.clan.lol" ];
|
nix.settings.trusted-substituters = [ "https://cache.clan.lol" ];
|
||||||
nix.settings.trusted-public-keys = [
|
nix.settings.trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
||||||
"cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28="
|
|
||||||
];
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."cache.clan.lol" = {
|
services.nginx.virtualHosts."cache.clan.lol" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
|
@ -1,16 +1,15 @@
|
||||||
{ config, ... }:
|
{ config, pkgs, self, ... }: {
|
||||||
|
|
||||||
{
|
|
||||||
security.acme.defaults.email = "admins@clan.lol";
|
security.acme.defaults.email = "admins@clan.lol";
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
# www user to push website artifacts via ssh
|
# www user to push website artifacts via ssh
|
||||||
users.users.www = {
|
users.users.www = {
|
||||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
openssh.authorizedKeys.keys =
|
||||||
# ssh-homepage-key
|
config.users.users.root.openssh.authorizedKeys.keys
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
|
++ [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci"
|
# ssh-homepage-key
|
||||||
];
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
|
||||||
|
];
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
shell = "/run/current-system/sw/bin/bash";
|
shell = "/run/current-system/sw/bin/bash";
|
||||||
group = "www";
|
group = "www";
|
||||||
|
@ -18,78 +17,23 @@
|
||||||
users.groups.www = { };
|
users.groups.www = { };
|
||||||
|
|
||||||
# ensure /var/www can be accessed by nginx and www user
|
# ensure /var/www can be accessed by nginx and www user
|
||||||
systemd.tmpfiles.rules = [ "d /var/www 0755 www nginx" ];
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/www 0755 www nginx"
|
||||||
|
];
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
|
|
||||||
virtualHosts."clan.lol" = {
|
virtualHosts."clan.lol" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
# to be deployed via rsync
|
# to be deployed via rsync
|
||||||
root = "/var/www/clan.lol";
|
root = "/var/www";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
charset utf-8;
|
charset utf-8;
|
||||||
source_charset utf-8;
|
source_charset utf-8;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations."/".extraConfig = ''
|
|
||||||
set $cors "false";
|
|
||||||
|
|
||||||
# Allow cross-origin requests from docs.clan.lol
|
|
||||||
if ($http_origin = "https://docs.clan.lol") {
|
|
||||||
set $cors "true";
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow cross-origin requests from localhost IPs with port 8000
|
|
||||||
if ($http_origin = "http://localhost:8000") {
|
|
||||||
set $cors "true";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($http_origin = "http://127.0.0.1:8000") {
|
|
||||||
set $cors "true";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($http_origin = "http://[::1]:8000") {
|
|
||||||
set $cors "true";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($cors = "true") {
|
|
||||||
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($cors = "true") {
|
|
||||||
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
locations."^~ /docs".extraConfig = ''
|
|
||||||
rewrite ^/docs(.*)$ https://docs.clan.lol permanent;
|
|
||||||
'';
|
|
||||||
locations."^~ /blog".extraConfig = ''
|
|
||||||
rewrite ^/blog(.*)$ https://docs.clan.lol/blog permanent;
|
|
||||||
'';
|
|
||||||
locations."/thaigersprint".return = "307 https://pad.lassul.us/s/clan-thaigersprint";
|
locations."/thaigersprint".return = "307 https://pad.lassul.us/s/clan-thaigersprint";
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualHosts."docs.clan.lol" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
# to be deployed via rsync
|
|
||||||
root = "/var/www/docs.clan.lol";
|
|
||||||
extraConfig = ''
|
|
||||||
charset utf-8;
|
|
||||||
source_charset utf-8;
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Make sure to expire the cache after 12 hour
|
|
||||||
locations."/".extraConfig = ''
|
|
||||||
add_header Cache-Control "public, max-age=43200";
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualHosts."www.clan.lol" = {
|
virtualHosts."www.clan.lol" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
|
|
@ -1,10 +1,4 @@
|
||||||
{
|
{ config, self, pkgs, lib, ... }:
|
||||||
config,
|
|
||||||
self,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
configForJob = name: {
|
configForJob = name: {
|
||||||
systemd.timers.${name} = {
|
systemd.timers.${name} = {
|
||||||
|
@ -15,13 +9,13 @@ let
|
||||||
Persistent = true;
|
Persistent = true;
|
||||||
OnCalendar = "weekly";
|
OnCalendar = "weekly";
|
||||||
};
|
};
|
||||||
after = [ "network.target" ];
|
after = [ "network-online.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# service to for automatic merge bot
|
# service to for automatic merge bot
|
||||||
systemd.services.${name} = {
|
systemd.services.${name} = {
|
||||||
description = "Automatically update flake inputs for clan-repos";
|
description = "Automatically update flake inputs for clan-repos";
|
||||||
after = [ "network.target" ];
|
after = [ "network-online.target" ];
|
||||||
environment = {
|
environment = {
|
||||||
# secrets
|
# secrets
|
||||||
GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
|
GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
|
||||||
|
@ -52,11 +46,9 @@ let
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkMerge (
|
config = lib.mkMerge (map configForJob [
|
||||||
map configForJob [
|
"job-flake-update-clan-core"
|
||||||
"job-flake-update-clan-core"
|
"job-flake-update-clan-homepage"
|
||||||
"job-flake-update-clan-homepage"
|
"job-flake-update-clan-infra"
|
||||||
"job-flake-update-clan-infra"
|
]);
|
||||||
]
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
{ self, ... }:
|
|
||||||
{
|
|
||||||
imports = [ self.inputs.clan-core.clanModules.matrix-synapse ];
|
|
||||||
clan.matrix-synapse.domain = "clan.lol";
|
|
||||||
|
|
||||||
clan.matrix-synapse.users.admin = {
|
|
||||||
admin = true;
|
|
||||||
};
|
|
||||||
clan.matrix-synapse.users.monitoring = { };
|
|
||||||
clan.matrix-synapse.users.clan-bot = { };
|
|
||||||
|
|
||||||
# Rate limiting settings
|
|
||||||
# we need to up this to be able to support matrix bots
|
|
||||||
services.matrix-synapse.settings = {
|
|
||||||
rc_login = {
|
|
||||||
address = {
|
|
||||||
per_second = 20;
|
|
||||||
burst_count = 200;
|
|
||||||
};
|
|
||||||
account = {
|
|
||||||
per_second = 20;
|
|
||||||
burst_count = 200;
|
|
||||||
};
|
|
||||||
failed_attempts = {
|
|
||||||
per_second = 3;
|
|
||||||
burst_count = 15;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,41 +1,40 @@
|
||||||
{ }
|
{ config, ... }:
|
||||||
|
|
||||||
#{ config, ... }:
|
let
|
||||||
#let
|
domain = "clan.lol";
|
||||||
# domain = "clan.lol";
|
in
|
||||||
#in
|
{
|
||||||
#{
|
services.opendkim.enable = true;
|
||||||
# services.opendkim.enable = true;
|
services.opendkim.domains = domain;
|
||||||
# services.opendkim.domains = domain;
|
services.opendkim.selector = "v1";
|
||||||
# services.opendkim.selector = "v1";
|
services.opendkim.user = config.services.postfix.user;
|
||||||
# services.opendkim.user = config.services.postfix.user;
|
services.opendkim.group = config.services.postfix.group;
|
||||||
# services.opendkim.group = config.services.postfix.group;
|
|
||||||
#
|
# postfix configuration for sending emails only
|
||||||
# # postfix configuration for sending emails only
|
services.postfix = {
|
||||||
# services.postfix = {
|
enable = true;
|
||||||
# enable = true;
|
hostname = "mail.${domain}";
|
||||||
# hostname = "mail.${domain}";
|
inherit domain;
|
||||||
# inherit domain;
|
|
||||||
#
|
config = {
|
||||||
# config = {
|
smtp_tls_note_starttls_offer = "yes";
|
||||||
# smtp_tls_note_starttls_offer = "yes";
|
|
||||||
#
|
smtp_dns_support_level = "dnssec";
|
||||||
# smtp_dns_support_level = "dnssec";
|
smtp_tls_security_level = "dane";
|
||||||
# smtp_tls_security_level = "dane";
|
|
||||||
#
|
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
||||||
# tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
|
||||||
#
|
smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
||||||
# smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
mydestination = "localhost.$mydomain, localhost, $myhostname";
|
||||||
# mydestination = "localhost.$mydomain, localhost, $myhostname";
|
myorigin = "$mydomain";
|
||||||
# myorigin = "$mydomain";
|
|
||||||
#
|
milter_default_action = "accept";
|
||||||
# milter_default_action = "accept";
|
milter_protocol = "6";
|
||||||
# milter_protocol = "6";
|
smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||||
# smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||||
# non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
|
||||||
#
|
inet_interfaces = "loopback-only";
|
||||||
# inet_interfaces = "loopback-only";
|
inet_protocols = "all";
|
||||||
# inet_protocols = "all";
|
};
|
||||||
# };
|
};
|
||||||
# };
|
}
|
||||||
#}
|
|
||||||
|
|
83
modules/xfs-lvm-crypto-raid.nix
Normal file
83
modules/xfs-lvm-crypto-raid.nix
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
{ self, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
disk = index: {
|
||||||
|
type = "disk";
|
||||||
|
device = "/dev/nvme${toString index}n1";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions =
|
||||||
|
# systemd only wants to have one /boot partition
|
||||||
|
# should we rsync?
|
||||||
|
(lib.optionalAttrs (index == 0) {
|
||||||
|
boot = {
|
||||||
|
type = "EF00";
|
||||||
|
size = "1G";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}) // {
|
||||||
|
root = {
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "luks";
|
||||||
|
name = "crypted${toString index}";
|
||||||
|
keyFile = "/tmp/secret.key";
|
||||||
|
content = {
|
||||||
|
type = "lvm_pv";
|
||||||
|
vg = "pool";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
self.inputs.disko.nixosModules.disko
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.kernelModules = [
|
||||||
|
"xhci_pci"
|
||||||
|
"ahci"
|
||||||
|
"sd_mod"
|
||||||
|
"nvme"
|
||||||
|
"dm-raid"
|
||||||
|
"dm-integrity"
|
||||||
|
];
|
||||||
|
|
||||||
|
disko.devices = {
|
||||||
|
disk = {
|
||||||
|
nvme0n1 = disk 0;
|
||||||
|
nvme1n1 = disk 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
lvm_vg = {
|
||||||
|
pool = {
|
||||||
|
type = "lvm_vg";
|
||||||
|
lvs = {
|
||||||
|
root = {
|
||||||
|
size = "95%FREE";
|
||||||
|
lvm_type = "raid1";
|
||||||
|
extraArgs = [
|
||||||
|
"--raidintegrity"
|
||||||
|
"y"
|
||||||
|
];
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "xfs";
|
||||||
|
mountpoint = "/";
|
||||||
|
mountOptions = [
|
||||||
|
"defaults"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,3 +1,4 @@
|
||||||
|
{ self, ... }:
|
||||||
let
|
let
|
||||||
mirrorBoot = idx: {
|
mirrorBoot = idx: {
|
||||||
type = "disk";
|
type = "disk";
|
||||||
|
@ -26,6 +27,10 @@ let
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
imports = [
|
||||||
|
self.inputs.disko.nixosModules.disko
|
||||||
|
];
|
||||||
|
|
||||||
networking.hostId = "8425e349";
|
networking.hostId = "8425e349";
|
||||||
|
|
||||||
boot.initrd.postDeviceCommands = ''
|
boot.initrd.postDeviceCommands = ''
|
||||||
|
@ -40,14 +45,8 @@ in
|
||||||
efiSupport = true;
|
efiSupport = true;
|
||||||
efiInstallAsRemovable = true;
|
efiInstallAsRemovable = true;
|
||||||
mirroredBoots = [
|
mirroredBoots = [
|
||||||
{
|
{ path = "/boot0"; devices = [ "nodev" ]; }
|
||||||
path = "/boot0";
|
{ path = "/boot1"; devices = [ "nodev" ]; }
|
||||||
devices = [ "nodev" ];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
path = "/boot1";
|
|
||||||
devices = [ "nodev" ];
|
|
||||||
}
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,19 +1,10 @@
|
||||||
{
|
{ bash
|
||||||
bash,
|
, coreutils
|
||||||
coreutils,
|
, git
|
||||||
git,
|
, tea
|
||||||
tea,
|
, openssh
|
||||||
openssh,
|
, writePureShellScriptBin
|
||||||
writePureShellScriptBin,
|
|
||||||
}:
|
}:
|
||||||
writePureShellScriptBin "action-create-pr"
|
writePureShellScriptBin "action-create-pr" [ bash coreutils git tea openssh ] ''
|
||||||
[
|
bash ${./script.sh} "$@"
|
||||||
bash
|
''
|
||||||
coreutils
|
|
||||||
git
|
|
||||||
tea
|
|
||||||
openssh
|
|
||||||
]
|
|
||||||
''
|
|
||||||
bash ${./script.sh} "$@"
|
|
||||||
''
|
|
||||||
|
|
|
@ -1,15 +1,8 @@
|
||||||
{
|
{ bash
|
||||||
bash,
|
, coreutils
|
||||||
coreutils,
|
, tea
|
||||||
tea,
|
, writePureShellScriptBin
|
||||||
writePureShellScriptBin,
|
|
||||||
}:
|
}:
|
||||||
writePureShellScriptBin "action-ensure-tea-login"
|
writePureShellScriptBin "action-ensure-tea-login" [ bash coreutils tea ] ''
|
||||||
[
|
bash ${./script.sh}
|
||||||
bash
|
''
|
||||||
coreutils
|
|
||||||
tea
|
|
||||||
]
|
|
||||||
''
|
|
||||||
bash ${./script.sh}
|
|
||||||
''
|
|
||||||
|
|
|
@ -8,5 +8,5 @@ fi
|
||||||
GITEA_TOKEN="${GITEA_TOKEN:-"$(cat "$GITEA_TOKEN_FILE")"}"
|
GITEA_TOKEN="${GITEA_TOKEN:-"$(cat "$GITEA_TOKEN_FILE")"}"
|
||||||
|
|
||||||
tea login add \
|
tea login add \
|
||||||
--token "$GITEA_TOKEN" \
|
--token $GITEA_TOKEN \
|
||||||
--url "$GITEA_URL"
|
--url $GITEA_URL
|
||||||
|
|
|
@ -1,23 +1,20 @@
|
||||||
{
|
{ bash
|
||||||
bash,
|
, coreutils
|
||||||
coreutils,
|
, git
|
||||||
git,
|
, openssh
|
||||||
openssh,
|
, action-ensure-tea-login
|
||||||
action-ensure-tea-login,
|
, action-create-pr
|
||||||
action-create-pr,
|
, action-flake-update
|
||||||
action-flake-update,
|
, writePureShellScriptBin
|
||||||
writePureShellScriptBin,
|
|
||||||
}:
|
}:
|
||||||
writePureShellScriptBin "action-flake-update-pr-clan"
|
writePureShellScriptBin "action-flake-update-pr-clan" [
|
||||||
[
|
bash
|
||||||
bash
|
coreutils
|
||||||
coreutils
|
git
|
||||||
git
|
openssh
|
||||||
openssh
|
action-ensure-tea-login
|
||||||
action-ensure-tea-login
|
action-create-pr
|
||||||
action-create-pr
|
action-flake-update
|
||||||
action-flake-update
|
] ''
|
||||||
]
|
bash ${./script.sh}
|
||||||
''
|
''
|
||||||
bash ${./script.sh}
|
|
||||||
''
|
|
||||||
|
|
|
@ -5,10 +5,8 @@ set -euo pipefail
|
||||||
export KEEP_VARS="GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GITEA_URL GITEA_USER PR_TITLE REMOTE_BRANCH REPO_DIR${KEEP_VARS:+ $KEEP_VARS}"
|
export KEEP_VARS="GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GITEA_URL GITEA_USER PR_TITLE REMOTE_BRANCH REPO_DIR${KEEP_VARS:+ $KEEP_VARS}"
|
||||||
|
|
||||||
# configure variables for actions
|
# configure variables for actions
|
||||||
today=$(date --iso-8601)
|
export PR_TITLE="Automatic flake update - $(date --iso-8601=minutes)"
|
||||||
today_minutes=$(date --iso-8601=minutes)
|
export REMOTE_BRANCH="flake-update-$(date --iso-8601)"
|
||||||
export PR_TITLE="Automatic flake update - ${today_minutes}"
|
|
||||||
export REMOTE_BRANCH="flake-update-${today}"
|
|
||||||
export REPO_DIR=$TMPDIR/repo
|
export REPO_DIR=$TMPDIR/repo
|
||||||
export GIT_AUTHOR_NAME="Clan Merge Bot"
|
export GIT_AUTHOR_NAME="Clan Merge Bot"
|
||||||
export GIT_AUTHOR_EMAIL="clan-bot@git.clan.lol"
|
export GIT_AUTHOR_EMAIL="clan-bot@git.clan.lol"
|
||||||
|
|
|
@ -1,17 +1,9 @@
|
||||||
{
|
{ bash
|
||||||
bash,
|
, coreutils
|
||||||
coreutils,
|
, git
|
||||||
git,
|
, nix
|
||||||
nix,
|
, writePureShellScriptBin
|
||||||
writePureShellScriptBin,
|
|
||||||
}:
|
}:
|
||||||
writePureShellScriptBin "action-flake-update"
|
writePureShellScriptBin "action-flake-update" [ bash coreutils git nix ] ''
|
||||||
[
|
bash ${./script.sh}
|
||||||
bash
|
''
|
||||||
coreutils
|
|
||||||
git
|
|
||||||
nix
|
|
||||||
]
|
|
||||||
''
|
|
||||||
bash ${./script.sh}
|
|
||||||
''
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
import argparse
|
import argparse
|
||||||
import json
|
import json
|
||||||
import urllib.error
|
|
||||||
import urllib.request
|
import urllib.request
|
||||||
|
import urllib.error
|
||||||
from os import environ
|
from os import environ
|
||||||
from typing import Optional
|
from typing import Optional
|
||||||
|
|
||||||
|
@ -38,7 +38,6 @@ def is_ci_green(pr: dict) -> bool:
|
||||||
return False
|
return False
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
def is_org_member(user: str, token: str) -> bool:
|
def is_org_member(user: str, token: str) -> bool:
|
||||||
url = "https://git.clan.lol/api/v1/orgs/clan/members/" + user + f"?token={token}"
|
url = "https://git.clan.lol/api/v1/orgs/clan/members/" + user + f"?token={token}"
|
||||||
try:
|
try:
|
||||||
|
@ -51,6 +50,7 @@ def is_org_member(user: str, token: str) -> bool:
|
||||||
raise
|
raise
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
def merge_allowed(pr: dict, bot_name: str, token: str) -> bool:
|
def merge_allowed(pr: dict, bot_name: str, token: str) -> bool:
|
||||||
assignees = pr["assignees"] if pr["assignees"] else []
|
assignees = pr["assignees"] if pr["assignees"] else []
|
||||||
if (
|
if (
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{
|
{ pkgs ? import <nixpkgs> { }
|
||||||
pkgs ? import <nixpkgs> { },
|
, lib ? pkgs.lib
|
||||||
lib ? pkgs.lib,
|
, python3 ? pkgs.python3
|
||||||
python3 ? pkgs.python3,
|
, ruff ? pkgs.ruff
|
||||||
ruff ? pkgs.ruff,
|
, runCommand ? pkgs.runCommand
|
||||||
runCommand ? pkgs.runCommand,
|
,
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
pyproject = builtins.fromTOML (builtins.readFile ./pyproject.toml);
|
pyproject = builtins.fromTOML (builtins.readFile ./pyproject.toml);
|
||||||
|
@ -32,11 +32,13 @@ let
|
||||||
package = python3.pkgs.buildPythonPackage {
|
package = python3.pkgs.buildPythonPackage {
|
||||||
inherit name src;
|
inherit name src;
|
||||||
format = "pyproject";
|
format = "pyproject";
|
||||||
nativeBuildInputs = [ python3.pkgs.setuptools ];
|
nativeBuildInputs = [
|
||||||
propagatedBuildInputs = dependencies ++ [ ];
|
python3.pkgs.setuptools
|
||||||
passthru.tests = {
|
];
|
||||||
inherit check;
|
propagatedBuildInputs =
|
||||||
};
|
dependencies
|
||||||
|
++ [ ];
|
||||||
|
passthru.tests = { inherit check; };
|
||||||
passthru.devDependencies = devDependencies;
|
passthru.devDependencies = devDependencies;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
{
|
{
|
||||||
perSystem =
|
perSystem = { pkgs, ... }:
|
||||||
{ pkgs, ... }:
|
|
||||||
let
|
let
|
||||||
package = pkgs.callPackage ./default.nix { inherit pkgs; };
|
package = pkgs.callPackage ./default.nix { inherit pkgs; };
|
||||||
in
|
in
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
{
|
{ pkgs ? import <nixpkgs> { } }:
|
||||||
pkgs ? import <nixpkgs> { },
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
inherit (pkgs) lib python3;
|
inherit (pkgs) lib python3;
|
||||||
package = import ./default.nix { inherit lib pkgs python3; };
|
package = import ./default.nix {
|
||||||
|
inherit lib pkgs python3;
|
||||||
|
};
|
||||||
pythonWithDeps = python3.withPackages (
|
pythonWithDeps = python3.withPackages (
|
||||||
ps: package.propagatedBuildInputs ++ package.devDependencies ++ [ ps.pip ]
|
ps:
|
||||||
|
package.propagatedBuildInputs
|
||||||
|
++ package.devDependencies
|
||||||
|
++ [
|
||||||
|
ps.pip
|
||||||
|
]
|
||||||
);
|
);
|
||||||
checkScript = pkgs.writeScriptBin "check" ''
|
checkScript = pkgs.writeScriptBin "check" ''
|
||||||
nix build -f . tests -L "$@"
|
nix build -f . tests -L "$@"
|
||||||
|
|
|
@ -112,6 +112,4 @@ def test_list_prs_to_merge(monkeypatch: pytest.MonkeyPatch) -> None:
|
||||||
assignees=[dict(login=bot_name)],
|
assignees=[dict(login=bot_name)],
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [
|
assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [prs[0]]
|
||||||
prs[0]
|
|
||||||
]
|
|
||||||
|
|
|
@ -1,40 +1,33 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./clan-merge/flake-module.nix
|
./clan-merge/flake-module.nix
|
||||||
./matrix-bot/flake-module.nix
|
|
||||||
];
|
];
|
||||||
perSystem =
|
perSystem = { pkgs, config, ... }: {
|
||||||
{ pkgs, config, ... }:
|
packages =
|
||||||
{
|
let
|
||||||
packages =
|
writers = pkgs.callPackage ./writers.nix { };
|
||||||
let
|
in
|
||||||
writers = pkgs.callPackage ./writers.nix { };
|
{
|
||||||
in
|
inherit (pkgs.callPackage ./renovate { }) renovate;
|
||||||
{
|
gitea = pkgs.callPackage ./gitea { };
|
||||||
gitea = pkgs.callPackage ./gitea { };
|
|
||||||
|
|
||||||
action-create-pr = pkgs.callPackage ./action-create-pr {
|
action-create-pr = pkgs.callPackage ./action-create-pr {
|
||||||
inherit (writers) writePureShellScriptBin;
|
inherit (writers) writePureShellScriptBin;
|
||||||
};
|
|
||||||
action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
|
|
||||||
inherit (writers) writePureShellScriptBin;
|
|
||||||
};
|
|
||||||
action-flake-update = pkgs.callPackage ./action-flake-update {
|
|
||||||
inherit (writers) writePureShellScriptBin;
|
|
||||||
};
|
|
||||||
action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
|
|
||||||
inherit (writers) writePureShellScriptBin;
|
|
||||||
inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
|
|
||||||
};
|
|
||||||
inherit
|
|
||||||
(pkgs.callPackages ./job-flake-updates {
|
|
||||||
inherit (writers) writePureShellScriptBin;
|
|
||||||
inherit (config.packages) action-flake-update-pr-clan;
|
|
||||||
})
|
|
||||||
job-flake-update-clan-core
|
|
||||||
job-flake-update-clan-homepage
|
|
||||||
job-flake-update-clan-infra
|
|
||||||
;
|
|
||||||
};
|
};
|
||||||
};
|
action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
|
||||||
|
inherit (writers) writePureShellScriptBin;
|
||||||
|
};
|
||||||
|
action-flake-update = pkgs.callPackage ./action-flake-update {
|
||||||
|
inherit (writers) writePureShellScriptBin;
|
||||||
|
};
|
||||||
|
action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
|
||||||
|
inherit (writers) writePureShellScriptBin;
|
||||||
|
inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
|
||||||
|
};
|
||||||
|
inherit (pkgs.callPackages ./job-flake-updates {
|
||||||
|
inherit (writers) writePureShellScriptBin;
|
||||||
|
inherit (config.packages) action-flake-update-pr-clan;
|
||||||
|
}) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,120 +0,0 @@
|
||||||
From dd2ccf4ff923757b81088e27e362e3fdb222c9d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jade Lovelace <software@lfcode.ca>
|
|
||||||
Date: Tue, 28 May 2024 16:36:25 +0200
|
|
||||||
Subject: [PATCH] Add an immutable tarball link to archive download headers for
|
|
||||||
Nix
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This allows `nix flake metadata` and nix in general to lock a *branch*
|
|
||||||
tarball link in a manner that causes it to fetch the correct commit even
|
|
||||||
if the branch is updated with a newer version.
|
|
||||||
|
|
||||||
For further context, Nix flakes are a feature that, among other things,
|
|
||||||
allows for "inputs" that are "github:someuser/somerepo",
|
|
||||||
"https://some-tarball-service/some-tarball.tar.gz",
|
|
||||||
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
|
|
||||||
tarballs of git-based inputs to their builds rather than using git to
|
|
||||||
fetch them, saving significant download time.
|
|
||||||
|
|
||||||
There is presently no gitea or forgejo specific fetcher in Nix, and we
|
|
||||||
don't particularly wish to have one. Ideally (as a developer on a Nix
|
|
||||||
implementation myself) we could just use the generic tarball fetcher and
|
|
||||||
not add specific forgejo support, but to do so, we need additional
|
|
||||||
metadata to know which commit a given *branch* tarball represents, which
|
|
||||||
is the purpose of the Link header added here.
|
|
||||||
|
|
||||||
The result of this patch is that a Nix user can specify `inputs.something.url =
|
|
||||||
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
|
|
||||||
and get a link to some concrete tarball for the actual commit in the
|
|
||||||
lock file, then when they run `nix flake update` in the future, they
|
|
||||||
will get the latest commit in that branch.
|
|
||||||
|
|
||||||
Example of it working locally:
|
|
||||||
|
|
||||||
» nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
|
|
||||||
Resolved URL: http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
|
|
||||||
Locked URL: http://localhost:3000/api/v1/repos/jade/cats/archive/804ede182b6b66469b23ea4d21eece52766b7a06.tar.gz?dir=configs
|
|
||||||
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
|
|
||||||
Description: Computers with the nixos
|
|
||||||
Path: /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
|
|
||||||
Revision: 804ede182b6b66469b23ea4d21eece52766b7a06
|
|
||||||
Last modified: 2024-05-02 00:48:32
|
|
||||||
|
|
||||||
For details on the header value, see:
|
|
||||||
https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
|
||||||
|
|
||||||
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
|
|
||||||
---
|
|
||||||
routers/api/v1/repo/file.go | 6 ++++++
|
|
||||||
routers/web/repo/repo.go | 6 ++++++
|
|
||||||
tests/integration/api_repo_archive_test.go | 11 +++++++++++
|
|
||||||
3 files changed, 23 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/routers/api/v1/repo/file.go b/routers/api/v1/repo/file.go
|
|
||||||
index 156033f58a..b7ad63af08 100644
|
|
||||||
--- a/routers/api/v1/repo/file.go
|
|
||||||
+++ b/routers/api/v1/repo/file.go
|
|
||||||
@@ -319,6 +319,12 @@ func archiveDownload(ctx *context.APIContext) {
|
|
||||||
func download(ctx *context.APIContext, archiveName string, archiver *repo_model.RepoArchiver) {
|
|
||||||
downloadName := ctx.Repo.Repository.Name + "-" + archiveName
|
|
||||||
|
|
||||||
+ // Add nix format link header so tarballs lock correctly:
|
|
||||||
+ // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
|
||||||
+ ctx.Resp.Header().Add("Link", fmt.Sprintf("<%s/archive/%s.tar.gz?rev=%s>; rel=\"immutable\"",
|
|
||||||
+ ctx.Repo.Repository.APIURL(),
|
|
||||||
+ archiver.CommitID, archiver.CommitID))
|
|
||||||
+
|
|
||||||
rPath := archiver.RelativePath()
|
|
||||||
if setting.RepoArchive.Storage.MinioConfig.ServeDirect {
|
|
||||||
// If we have a signed url (S3, object storage), redirect to this directly.
|
|
||||||
diff --git a/routers/web/repo/repo.go b/routers/web/repo/repo.go
|
|
||||||
index 71c582b5f9..bb6349658f 100644
|
|
||||||
--- a/routers/web/repo/repo.go
|
|
||||||
+++ b/routers/web/repo/repo.go
|
|
||||||
@@ -484,6 +484,12 @@ func Download(ctx *context.Context) {
|
|
||||||
func download(ctx *context.Context, archiveName string, archiver *repo_model.RepoArchiver) {
|
|
||||||
downloadName := ctx.Repo.Repository.Name + "-" + archiveName
|
|
||||||
|
|
||||||
+ // Add nix format link header so tarballs lock correctly:
|
|
||||||
+ // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
|
||||||
+ ctx.Resp.Header().Add("Link", fmt.Sprintf("<%s/archive/%s.tar.gz?rev=%s>; rel=\"immutable\"",
|
|
||||||
+ ctx.Repo.Repository.APIURL(),
|
|
||||||
+ archiver.CommitID, archiver.CommitID))
|
|
||||||
+
|
|
||||||
rPath := archiver.RelativePath()
|
|
||||||
if setting.RepoArchive.Storage.MinioConfig.ServeDirect {
|
|
||||||
// If we have a signed url (S3, object storage), redirect to this directly.
|
|
||||||
diff --git a/tests/integration/api_repo_archive_test.go b/tests/integration/api_repo_archive_test.go
|
|
||||||
index 57d3abfe84..340ff03961 100644
|
|
||||||
--- a/tests/integration/api_repo_archive_test.go
|
|
||||||
+++ b/tests/integration/api_repo_archive_test.go
|
|
||||||
@@ -8,6 +8,7 @@
|
|
||||||
"io"
|
|
||||||
"net/http"
|
|
||||||
"net/url"
|
|
||||||
+ "regexp"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
auth_model "code.gitea.io/gitea/models/auth"
|
|
||||||
@@ -39,6 +40,16 @@ func TestAPIDownloadArchive(t *testing.T) {
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.Len(t, bs, 266)
|
|
||||||
|
|
||||||
+ // Must return a link to a commit ID as the "immutable" archive link
|
|
||||||
+ linkHeaderRe := regexp.MustCompile(`<(?P<url>https?://.*/api/v1/repos/user2/repo1/archive/[a-f0-9]+\.tar\.gz.*)>; rel="immutable"`)
|
|
||||||
+ m := linkHeaderRe.FindStringSubmatch(resp.Header().Get("Link"))
|
|
||||||
+ assert.NotEmpty(t, m[1])
|
|
||||||
+ resp = MakeRequest(t, NewRequest(t, "GET", m[1]).AddTokenAuth(token), http.StatusOK)
|
|
||||||
+ bs2, err := io.ReadAll(resp.Body)
|
|
||||||
+ assert.NoError(t, err)
|
|
||||||
+ // The locked URL should give the same bytes as the non-locked one
|
|
||||||
+ assert.EqualValues(t, bs, bs2)
|
|
||||||
+
|
|
||||||
link, _ = url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/archive/master.bundle", user2.Name, repo.Name))
|
|
||||||
resp = MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(token), http.StatusOK)
|
|
||||||
bs, err = io.ReadAll(resp.Body)
|
|
||||||
--
|
|
||||||
2.44.1
|
|
||||||
|
|
|
@ -21,7 +21,7 @@ index 007e790b8..a8f3ba7dc 100644
|
||||||
|
|
||||||
ctx.Data["PageIsSignUp"] = true
|
ctx.Data["PageIsSignUp"] = true
|
||||||
|
|
||||||
+ if !strings.Contains(strings.ToLower(form.Notabot), "clan") {
|
+ if strings.ToLower(form.Notabot) != "clan" {
|
||||||
+ ctx.Error(http.StatusForbidden)
|
+ ctx.Error(http.StatusForbidden)
|
||||||
+ return
|
+ return
|
||||||
+ }
|
+ }
|
||||||
|
|
|
@ -3,6 +3,5 @@
|
||||||
gitea.overrideAttrs (old: {
|
gitea.overrideAttrs (old: {
|
||||||
patches = old.patches ++ [
|
patches = old.patches ++ [
|
||||||
./0001-add-bot-check.patch
|
./0001-add-bot-check.patch
|
||||||
./0001-Add-an-immutable-tarball-link-to-archive-download-he.patch
|
|
||||||
];
|
];
|
||||||
})
|
})
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
{ action-flake-update-pr-clan, writePureShellScriptBin }:
|
{ action-flake-update-pr-clan
|
||||||
|
, writePureShellScriptBin
|
||||||
|
}:
|
||||||
let
|
let
|
||||||
job-flake-update =
|
job-flake-update = repo: writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
|
||||||
repo:
|
export REPO="gitea@git.clan.lol:clan/${repo}.git"
|
||||||
writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
|
export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
|
||||||
export REPO="gitea@git.clan.lol:clan/${repo}.git"
|
|
||||||
export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
|
|
||||||
|
|
||||||
action-flake-update-pr-clan
|
action-flake-update-pr-clan
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
job-flake-update-clan-core = job-flake-update "clan-core";
|
job-flake-update-clan-core = job-flake-update "clan-core";
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
source_up
|
|
||||||
|
|
||||||
watch_file flake-module.nix shell.nix default.nix
|
|
||||||
|
|
||||||
# Because we depend on nixpkgs sources, uploading to builders takes a long time
|
|
||||||
use flake .#matrix-bot --builders ''
|
|
3
pkgs/matrix-bot/.gitignore
vendored
3
pkgs/matrix-bot/.gitignore
vendored
|
@ -1,3 +0,0 @@
|
||||||
*.json
|
|
||||||
**/data
|
|
||||||
**/__pycache__
|
|
|
@ -1,13 +0,0 @@
|
||||||
#!/usr/bin/env python3
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
|
|
||||||
sys.path.insert(
|
|
||||||
0, os.path.join(os.path.dirname(os.path.dirname(os.path.realpath(__file__))))
|
|
||||||
)
|
|
||||||
|
|
||||||
from matrix_bot import main # NOQA
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
||||||
|
|
|
@ -1,42 +0,0 @@
|
||||||
{
|
|
||||||
python3,
|
|
||||||
setuptools,
|
|
||||||
matrix-nio,
|
|
||||||
aiofiles,
|
|
||||||
aiohttp,
|
|
||||||
markdown2,
|
|
||||||
git,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
let
|
|
||||||
|
|
||||||
pythonDependencies = [
|
|
||||||
matrix-nio
|
|
||||||
aiofiles
|
|
||||||
aiohttp
|
|
||||||
markdown2
|
|
||||||
];
|
|
||||||
|
|
||||||
runtimeDependencies = [ git ];
|
|
||||||
|
|
||||||
testDependencies = pythonDependencies ++ runtimeDependencies ++ [ ];
|
|
||||||
in
|
|
||||||
python3.pkgs.buildPythonApplication {
|
|
||||||
name = "matrix-bot";
|
|
||||||
src = ./.;
|
|
||||||
format = "pyproject";
|
|
||||||
|
|
||||||
nativeBuildInputs = [ setuptools ];
|
|
||||||
|
|
||||||
propagatedBuildInputs = pythonDependencies ++ runtimeDependencies;
|
|
||||||
|
|
||||||
passthru.testDependencies = testDependencies;
|
|
||||||
|
|
||||||
# Clean up after the package to avoid leaking python packages into a devshell
|
|
||||||
postFixup = ''
|
|
||||||
rm $out/nix-support/propagated-build-inputs
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta.mainProgram = "matrix-bot";
|
|
||||||
}
|
|
|
@ -1,14 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
perSystem =
|
|
||||||
{ self', pkgs, ... }:
|
|
||||||
{
|
|
||||||
|
|
||||||
devShells.matrix-bot = pkgs.callPackage ./shell.nix { inherit (self'.packages) matrix-bot; };
|
|
||||||
packages = {
|
|
||||||
matrix-bot = pkgs.python3.pkgs.callPackage ./default.nix { };
|
|
||||||
};
|
|
||||||
|
|
||||||
checks = { };
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,169 +0,0 @@
|
||||||
import argparse
|
|
||||||
import asyncio
|
|
||||||
import logging
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
from os import environ
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
from matrix_bot.custom_logger import setup_logging
|
|
||||||
from matrix_bot.gitea import GiteaData
|
|
||||||
from matrix_bot.main import bot_main
|
|
||||||
from matrix_bot.matrix import MatrixData
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
curr_dir = Path(__file__).parent
|
|
||||||
data_dir = Path(os.getcwd()) / "data"
|
|
||||||
|
|
||||||
|
|
||||||
def create_parser(prog: str | None = None) -> argparse.ArgumentParser:
|
|
||||||
parser = argparse.ArgumentParser(
|
|
||||||
prog=prog,
|
|
||||||
description="A gitea bot for matrix",
|
|
||||||
formatter_class=argparse.RawTextHelpFormatter,
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--debug",
|
|
||||||
help="Enable debug logging",
|
|
||||||
action="store_true",
|
|
||||||
default=False,
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--server",
|
|
||||||
help="The matrix server to connect to",
|
|
||||||
default="https://matrix.clan.lol",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--user",
|
|
||||||
help="The matrix user to connect as",
|
|
||||||
default="@clan-bot:clan.lol",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--avatar",
|
|
||||||
help="The path to the image to use as the avatar",
|
|
||||||
default=curr_dir / "avatar.png",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--repo-owner",
|
|
||||||
help="The owner of gitea the repository",
|
|
||||||
default="clan",
|
|
||||||
)
|
|
||||||
parser.add_argument(
|
|
||||||
"--repo-name",
|
|
||||||
help="The name of the repository",
|
|
||||||
default="clan-core",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--changelog-room",
|
|
||||||
help="The matrix room to join for the changelog bot",
|
|
||||||
default="#bot-test:gchq.icu",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--review-room",
|
|
||||||
help="The matrix room to join for the review bot",
|
|
||||||
default="#bot-test:gchq.icu",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--changelog-frequency",
|
|
||||||
help="The frequency to check for changelog updates in days",
|
|
||||||
default=7,
|
|
||||||
type=int,
|
|
||||||
)
|
|
||||||
|
|
||||||
def valid_weekday(value: str) -> str:
|
|
||||||
days = [
|
|
||||||
"Monday",
|
|
||||||
"Tuesday",
|
|
||||||
"Wednesday",
|
|
||||||
"Thursday",
|
|
||||||
"Friday",
|
|
||||||
"Saturday",
|
|
||||||
"Sunday",
|
|
||||||
]
|
|
||||||
if value not in days:
|
|
||||||
raise argparse.ArgumentTypeError(
|
|
||||||
f"{value} is not a valid weekday. Choose from {', '.join(days)}"
|
|
||||||
)
|
|
||||||
return value
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--publish-day",
|
|
||||||
help="The day of the week to publish the changelog. Ignored if changelog-frequency is less than 7 days.",
|
|
||||||
default="Wednesday",
|
|
||||||
type=valid_weekday,
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--gitea-url",
|
|
||||||
help="The gitea url to connect to",
|
|
||||||
default="https://git.clan.lol",
|
|
||||||
)
|
|
||||||
|
|
||||||
parser.add_argument(
|
|
||||||
"--data-dir",
|
|
||||||
help="The directory to store data",
|
|
||||||
default=data_dir,
|
|
||||||
type=Path,
|
|
||||||
)
|
|
||||||
|
|
||||||
return parser
|
|
||||||
|
|
||||||
|
|
||||||
def matrix_password() -> str:
|
|
||||||
matrix_password = environ.get("MATRIX_PASSWORD")
|
|
||||||
if matrix_password is not None:
|
|
||||||
return matrix_password
|
|
||||||
matrix_password_file = environ.get("MATRIX_PASSWORD_FILE", default=None)
|
|
||||||
if matrix_password_file is None:
|
|
||||||
raise Exception("MATRIX_PASSWORD_FILE environment variable is not set")
|
|
||||||
with open(matrix_password_file) as f:
|
|
||||||
return f.read().strip()
|
|
||||||
|
|
||||||
|
|
||||||
def main() -> None:
|
|
||||||
parser = create_parser()
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
if args.debug:
|
|
||||||
setup_logging(logging.DEBUG, root_log_name=__name__.split(".")[0])
|
|
||||||
log.debug("Debug log activated")
|
|
||||||
else:
|
|
||||||
setup_logging(logging.INFO, root_log_name=__name__.split(".")[0])
|
|
||||||
|
|
||||||
matrix = MatrixData(
|
|
||||||
server=args.server,
|
|
||||||
user=args.user,
|
|
||||||
avatar=args.avatar,
|
|
||||||
changelog_room=args.changelog_room,
|
|
||||||
changelog_frequency=args.changelog_frequency,
|
|
||||||
publish_day=args.publish_day,
|
|
||||||
review_room=args.review_room,
|
|
||||||
password=matrix_password(),
|
|
||||||
)
|
|
||||||
|
|
||||||
gitea = GiteaData(
|
|
||||||
url=args.gitea_url,
|
|
||||||
owner=args.repo_owner,
|
|
||||||
repo=args.repo_name,
|
|
||||||
access_token=os.getenv("GITEA_ACCESS_TOKEN"),
|
|
||||||
)
|
|
||||||
|
|
||||||
args.data_dir.mkdir(parents=True, exist_ok=True)
|
|
||||||
|
|
||||||
try:
|
|
||||||
asyncio.run(bot_main(matrix, gitea, args.data_dir))
|
|
||||||
except KeyboardInterrupt:
|
|
||||||
print("User Interrupt", file=sys.stderr)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
|
@ -1,4 +0,0 @@
|
||||||
from . import main
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
Binary file not shown.
Before Width: | Height: | Size: 105 KiB |
|
@ -1,214 +0,0 @@
|
||||||
import asyncio
|
|
||||||
import datetime
|
|
||||||
import json
|
|
||||||
import logging
|
|
||||||
import shlex
|
|
||||||
import subprocess
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
import aiohttp
|
|
||||||
from nio import (
|
|
||||||
AsyncClient,
|
|
||||||
JoinResponse,
|
|
||||||
)
|
|
||||||
|
|
||||||
from matrix_bot.gitea import (
|
|
||||||
GiteaData,
|
|
||||||
)
|
|
||||||
|
|
||||||
from .locked_open import read_locked_file, write_locked_file
|
|
||||||
from .matrix import MatrixData, send_message
|
|
||||||
from .openai import create_jsonl_data, upload_and_process_file
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
def last_ndays_to_today(ndays: int) -> (str, str):
|
|
||||||
# Get today's date
|
|
||||||
today = datetime.datetime.now()
|
|
||||||
|
|
||||||
# Calculate the date one week ago
|
|
||||||
last_week = today - datetime.timedelta(days=ndays)
|
|
||||||
|
|
||||||
# Format both dates to "YYYY-MM-DD"
|
|
||||||
todate = today.strftime("%Y-%m-%d")
|
|
||||||
fromdate = last_week.strftime("%Y-%m-%d")
|
|
||||||
|
|
||||||
return (fromdate, todate)
|
|
||||||
|
|
||||||
|
|
||||||
def write_file_with_date_prefix(
|
|
||||||
content: str, directory: Path, *, ndays: int, suffix: str
|
|
||||||
) -> Path:
|
|
||||||
"""
|
|
||||||
Write content to a file with the current date as filename prefix.
|
|
||||||
|
|
||||||
:param content: The content to write to the file.
|
|
||||||
:param directory: The directory where the file will be saved.
|
|
||||||
:return: The path to the created file.
|
|
||||||
"""
|
|
||||||
# Ensure the directory exists
|
|
||||||
directory.mkdir(parents=True, exist_ok=True)
|
|
||||||
|
|
||||||
# Get the current date
|
|
||||||
fromdate, todate = last_ndays_to_today(ndays)
|
|
||||||
|
|
||||||
# Create the filename
|
|
||||||
filename = f"{fromdate}__{todate}_{suffix}.txt"
|
|
||||||
file_path = directory / filename
|
|
||||||
|
|
||||||
# Write the content to the file
|
|
||||||
with open(file_path, "w") as file:
|
|
||||||
file.write(content)
|
|
||||||
|
|
||||||
return file_path
|
|
||||||
|
|
||||||
|
|
||||||
async def git_pull(repo_path: Path) -> None:
|
|
||||||
cmd = ["git", "pull"]
|
|
||||||
log.debug(f"Running command: {shlex.join(cmd)}")
|
|
||||||
process = await asyncio.create_subprocess_exec(
|
|
||||||
*cmd,
|
|
||||||
cwd=str(repo_path),
|
|
||||||
)
|
|
||||||
await process.wait()
|
|
||||||
|
|
||||||
|
|
||||||
async def git_log(repo_path: str, ndays: int) -> str:
|
|
||||||
cmd = [
|
|
||||||
"git",
|
|
||||||
"log",
|
|
||||||
f"--since={ndays} days ago",
|
|
||||||
"--pretty=format:%h - %an, %ar : %s",
|
|
||||||
"--stat",
|
|
||||||
"--patch",
|
|
||||||
]
|
|
||||||
log.debug(f"Running command: {shlex.join(cmd)}")
|
|
||||||
process = await asyncio.create_subprocess_exec(
|
|
||||||
*cmd,
|
|
||||||
cwd=repo_path,
|
|
||||||
stdout=asyncio.subprocess.PIPE,
|
|
||||||
stderr=asyncio.subprocess.PIPE,
|
|
||||||
)
|
|
||||||
stdout, stderr = await process.communicate()
|
|
||||||
|
|
||||||
if process.returncode != 0:
|
|
||||||
raise Exception(
|
|
||||||
f"Command '{' '.join(cmd)}' failed with exit code {process.returncode}"
|
|
||||||
)
|
|
||||||
|
|
||||||
return stdout.decode()
|
|
||||||
|
|
||||||
|
|
||||||
async def changelog_bot(
|
|
||||||
client: AsyncClient,
|
|
||||||
http: aiohttp.ClientSession,
|
|
||||||
matrix: MatrixData,
|
|
||||||
gitea: GiteaData,
|
|
||||||
data_dir: Path,
|
|
||||||
) -> None:
|
|
||||||
last_run_path = data_dir / "last_changelog_run.json"
|
|
||||||
last_run = read_locked_file(last_run_path)
|
|
||||||
|
|
||||||
if last_run == {}:
|
|
||||||
fromdate, todate = last_ndays_to_today(matrix.changelog_frequency)
|
|
||||||
last_run = {
|
|
||||||
"fromdate": fromdate,
|
|
||||||
"todate": todate,
|
|
||||||
"ndays": matrix.changelog_frequency,
|
|
||||||
}
|
|
||||||
log.debug(f"First run. Setting last_run to {last_run}")
|
|
||||||
today = datetime.datetime.now()
|
|
||||||
today_weekday = today.strftime("%A")
|
|
||||||
if today_weekday != matrix.publish_day:
|
|
||||||
log.debug(f"Changelog not due yet. Due on {matrix.publish_day}")
|
|
||||||
return
|
|
||||||
else:
|
|
||||||
last_date = datetime.datetime.strptime(last_run["todate"], "%Y-%m-%d")
|
|
||||||
today = datetime.datetime.now()
|
|
||||||
today_weekday = today.strftime("%A")
|
|
||||||
delta = datetime.timedelta(days=matrix.changelog_frequency)
|
|
||||||
if today - last_date <= delta:
|
|
||||||
log.debug(f"Changelog not due yet. Due in {delta.days} days")
|
|
||||||
return
|
|
||||||
elif today_weekday != matrix.publish_day:
|
|
||||||
log.debug(f"Changelog not due yet. Due on {matrix.publish_day}")
|
|
||||||
return
|
|
||||||
|
|
||||||
# If you made a new room and haven't joined as that user, you can use
|
|
||||||
room: JoinResponse = await client.join(matrix.changelog_room)
|
|
||||||
|
|
||||||
if not room.transport_response.ok:
|
|
||||||
log.error("This can happen if the room doesn't exist or the bot isn't invited")
|
|
||||||
raise Exception(f"Failed to join room {room}")
|
|
||||||
|
|
||||||
repo_path = data_dir / gitea.repo
|
|
||||||
|
|
||||||
if not repo_path.exists():
|
|
||||||
cmd = [
|
|
||||||
"git",
|
|
||||||
"clone",
|
|
||||||
f"{gitea.url}/{gitea.owner}/{gitea.repo}.git",
|
|
||||||
gitea.repo,
|
|
||||||
]
|
|
||||||
subprocess.run(cmd, cwd=data_dir, check=True)
|
|
||||||
|
|
||||||
# git pull
|
|
||||||
await git_pull(repo_path)
|
|
||||||
|
|
||||||
# git log
|
|
||||||
diff = await git_log(repo_path, matrix.changelog_frequency)
|
|
||||||
|
|
||||||
fromdate, todate = last_ndays_to_today(matrix.changelog_frequency)
|
|
||||||
log.info(f"Generating changelog from {fromdate} to {todate}")
|
|
||||||
|
|
||||||
system_prompt = f"""
|
|
||||||
Create a concise changelog for the {matrix.changelog_frequency}.
|
|
||||||
Follow these guidelines:
|
|
||||||
|
|
||||||
- The header should include the date range from {fromdate} to {todate}
|
|
||||||
- Use present tense
|
|
||||||
- Keep the summary brief
|
|
||||||
- Follow commit message format: "scope: message (#number)"
|
|
||||||
- Link pull requests as: '{gitea.url}/{gitea.owner}/{gitea.repo}/pulls/<number>'
|
|
||||||
- Use markdown links to make the pull request number clickable
|
|
||||||
- Mention each scope and pull request number only once
|
|
||||||
- Have these headers in the changelog if applicable:
|
|
||||||
- New Features
|
|
||||||
- Documentation
|
|
||||||
- Refactoring
|
|
||||||
- Bug Fixes
|
|
||||||
- Other Changes
|
|
||||||
|
|
||||||
Changelog:
|
|
||||||
---
|
|
||||||
"""
|
|
||||||
|
|
||||||
# Step 1: Create the JSONL file
|
|
||||||
jsonl_data = await create_jsonl_data(user_prompt=diff, system_prompt=system_prompt)
|
|
||||||
|
|
||||||
# Step 2: Upload the JSONL file and process it
|
|
||||||
results = await upload_and_process_file(session=http, jsonl_data=jsonl_data)
|
|
||||||
|
|
||||||
# Write the results to a file in the changelogs directory
|
|
||||||
result_file = write_file_with_date_prefix(
|
|
||||||
json.dumps(results, indent=4),
|
|
||||||
data_dir / "changelogs",
|
|
||||||
ndays=matrix.changelog_frequency,
|
|
||||||
suffix="result",
|
|
||||||
)
|
|
||||||
log.info(f"LLM result written to: {result_file}")
|
|
||||||
|
|
||||||
# Join responses together
|
|
||||||
all_changelogs = []
|
|
||||||
for result in results:
|
|
||||||
choices = result["response"]["body"]["choices"]
|
|
||||||
changelog = "\n".join(choice["message"]["content"] for choice in choices)
|
|
||||||
all_changelogs.append(changelog)
|
|
||||||
full_changelog = "\n\n".join(all_changelogs)
|
|
||||||
|
|
||||||
# Write the last run to the file
|
|
||||||
write_locked_file(last_run_path, last_run)
|
|
||||||
log.info(f"Changelog generated:\n{full_changelog}")
|
|
||||||
|
|
||||||
await send_message(client, room, full_changelog)
|
|
|
@ -1,97 +0,0 @@
|
||||||
import inspect
|
|
||||||
import logging
|
|
||||||
from collections.abc import Callable
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Any
|
|
||||||
|
|
||||||
grey = "\x1b[38;20m"
|
|
||||||
yellow = "\x1b[33;20m"
|
|
||||||
red = "\x1b[31;20m"
|
|
||||||
bold_red = "\x1b[31;1m"
|
|
||||||
green = "\u001b[32m"
|
|
||||||
blue = "\u001b[34m"
|
|
||||||
|
|
||||||
|
|
||||||
def get_formatter(color: str) -> Callable[[logging.LogRecord, bool], logging.Formatter]:
|
|
||||||
def myformatter(
|
|
||||||
record: logging.LogRecord, with_location: bool
|
|
||||||
) -> logging.Formatter:
|
|
||||||
reset = "\x1b[0m"
|
|
||||||
|
|
||||||
try:
|
|
||||||
filepath = Path(record.pathname).resolve()
|
|
||||||
filepath = Path("~", filepath.relative_to(Path.home()))
|
|
||||||
except Exception:
|
|
||||||
filepath = Path(record.pathname)
|
|
||||||
|
|
||||||
if not with_location:
|
|
||||||
return logging.Formatter(f"{color}%(levelname)s{reset}: %(message)s")
|
|
||||||
|
|
||||||
return logging.Formatter(
|
|
||||||
f"{color}%(levelname)s{reset}: %(message)s\nLocation: {filepath}:%(lineno)d::%(funcName)s\n"
|
|
||||||
)
|
|
||||||
|
|
||||||
return myformatter
|
|
||||||
|
|
||||||
|
|
||||||
FORMATTER = {
|
|
||||||
logging.DEBUG: get_formatter(blue),
|
|
||||||
logging.INFO: get_formatter(green),
|
|
||||||
logging.WARNING: get_formatter(yellow),
|
|
||||||
logging.ERROR: get_formatter(red),
|
|
||||||
logging.CRITICAL: get_formatter(bold_red),
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
class CustomFormatter(logging.Formatter):
|
|
||||||
def __init__(self, log_locations: bool) -> None:
|
|
||||||
super().__init__()
|
|
||||||
self.log_locations = log_locations
|
|
||||||
|
|
||||||
def format(self, record: logging.LogRecord) -> str:
|
|
||||||
return FORMATTER[record.levelno](record, self.log_locations).format(record)
|
|
||||||
|
|
||||||
|
|
||||||
class ThreadFormatter(logging.Formatter):
|
|
||||||
def format(self, record: logging.LogRecord) -> str:
|
|
||||||
return FORMATTER[record.levelno](record, False).format(record)
|
|
||||||
|
|
||||||
|
|
||||||
def get_caller() -> str:
|
|
||||||
frame = inspect.currentframe()
|
|
||||||
if frame is None:
|
|
||||||
return "unknown"
|
|
||||||
caller_frame = frame.f_back
|
|
||||||
if caller_frame is None:
|
|
||||||
return "unknown"
|
|
||||||
caller_frame = caller_frame.f_back
|
|
||||||
if caller_frame is None:
|
|
||||||
return "unknown"
|
|
||||||
frame_info = inspect.getframeinfo(caller_frame)
|
|
||||||
|
|
||||||
try:
|
|
||||||
filepath = Path(frame_info.filename).resolve()
|
|
||||||
filepath = Path("~", filepath.relative_to(Path.home()))
|
|
||||||
except Exception:
|
|
||||||
filepath = Path(frame_info.filename)
|
|
||||||
|
|
||||||
ret = f"{filepath}:{frame_info.lineno}::{frame_info.function}"
|
|
||||||
return ret
|
|
||||||
|
|
||||||
|
|
||||||
def setup_logging(level: Any, root_log_name: str = __name__.split(".")[0]) -> None:
|
|
||||||
# Get the root logger and set its level
|
|
||||||
main_logger = logging.getLogger(root_log_name)
|
|
||||||
main_logger.setLevel(level)
|
|
||||||
|
|
||||||
# Create and add the default handler
|
|
||||||
default_handler = logging.StreamHandler()
|
|
||||||
|
|
||||||
# Create and add your custom handler
|
|
||||||
default_handler.setLevel(level)
|
|
||||||
default_handler.setFormatter(CustomFormatter(str(level) == str(logging.DEBUG)))
|
|
||||||
main_logger.addHandler(default_handler)
|
|
||||||
|
|
||||||
# Set logging level for other modules used by this module
|
|
||||||
logging.getLogger("asyncio").setLevel(logging.INFO)
|
|
||||||
logging.getLogger("httpx").setLevel(level=logging.WARNING)
|
|
|
@ -1,88 +0,0 @@
|
||||||
import logging
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
from dataclasses import dataclass
|
|
||||||
from enum import Enum
|
|
||||||
|
|
||||||
import aiohttp
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
|
||||||
class GiteaData:
|
|
||||||
url: str
|
|
||||||
owner: str
|
|
||||||
repo: str
|
|
||||||
access_token: str | None = None
|
|
||||||
|
|
||||||
|
|
||||||
def endpoint_url(gitea: GiteaData, endpoint: str) -> str:
|
|
||||||
return f"{gitea.url}/api/v1/repos/{gitea.owner}/{gitea.repo}/{endpoint}"
|
|
||||||
|
|
||||||
|
|
||||||
async def fetch_repo_labels(
|
|
||||||
gitea: GiteaData,
|
|
||||||
session: aiohttp.ClientSession,
|
|
||||||
) -> list[dict]:
|
|
||||||
"""
|
|
||||||
Fetch labels from a Gitea repository.
|
|
||||||
|
|
||||||
Returns:
|
|
||||||
list: List of labels in the repository.
|
|
||||||
"""
|
|
||||||
url = endpoint_url(gitea, "labels")
|
|
||||||
headers = {"Accept": "application/vnd.github.v3+json"}
|
|
||||||
if gitea.access_token:
|
|
||||||
headers["Authorization"] = f"token {gitea.access_token}"
|
|
||||||
|
|
||||||
async with session.get(url, headers=headers) as response:
|
|
||||||
if response.status == 200:
|
|
||||||
labels = await response.json()
|
|
||||||
return labels
|
|
||||||
else:
|
|
||||||
# You may want to handle different statuses differently
|
|
||||||
raise Exception(
|
|
||||||
f"Failed to fetch labels: {response.status}, {await response.text()}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class PullState(Enum):
|
|
||||||
OPEN = "open"
|
|
||||||
CLOSED = "closed"
|
|
||||||
ALL = "all"
|
|
||||||
|
|
||||||
|
|
||||||
async def fetch_pull_requests(
|
|
||||||
gitea: GiteaData,
|
|
||||||
session: aiohttp.ClientSession,
|
|
||||||
*,
|
|
||||||
limit: int,
|
|
||||||
state: PullState,
|
|
||||||
label_ids: list[int] = [],
|
|
||||||
) -> list[dict]:
|
|
||||||
"""
|
|
||||||
Fetch pull requests from a Gitea repository.
|
|
||||||
|
|
||||||
Returns:
|
|
||||||
list: List of pull requests.
|
|
||||||
"""
|
|
||||||
# You can use the same pattern as fetch_repo_labels
|
|
||||||
url = endpoint_url(gitea, "pulls")
|
|
||||||
params = {
|
|
||||||
"state": state.value,
|
|
||||||
"sort": "recentupdate",
|
|
||||||
"limit": limit,
|
|
||||||
"labels": label_ids,
|
|
||||||
}
|
|
||||||
headers = {"accept": "application/json"}
|
|
||||||
|
|
||||||
async with session.get(url, params=params, headers=headers) as response:
|
|
||||||
if response.status == 200:
|
|
||||||
labels = await response.json()
|
|
||||||
return labels
|
|
||||||
else:
|
|
||||||
# You may want to handle different statuses differently
|
|
||||||
raise Exception(
|
|
||||||
f"Failed to fetch labels: {response.status}, {await response.text()}"
|
|
||||||
)
|
|
|
@ -1,31 +0,0 @@
|
||||||
import fcntl
|
|
||||||
import json
|
|
||||||
from collections.abc import Generator
|
|
||||||
from contextlib import contextmanager
|
|
||||||
from pathlib import Path
|
|
||||||
from typing import Any
|
|
||||||
|
|
||||||
|
|
||||||
@contextmanager
|
|
||||||
def locked_open(filename: str | Path, mode: str = "r") -> Generator:
|
|
||||||
"""
|
|
||||||
This is a context manager that provides an advisory write lock on the file specified by `filename` when entering the context, and releases the lock when leaving the context. The lock is acquired using the `fcntl` module's `LOCK_EX` flag, which applies an exclusive write lock to the file.
|
|
||||||
"""
|
|
||||||
with open(filename, mode) as fd:
|
|
||||||
fcntl.flock(fd, fcntl.LOCK_EX)
|
|
||||||
yield fd
|
|
||||||
fcntl.flock(fd, fcntl.LOCK_UN)
|
|
||||||
|
|
||||||
|
|
||||||
def write_locked_file(path: Path, data: dict[str, Any]) -> None:
|
|
||||||
with locked_open(path, "w+") as f:
|
|
||||||
f.write(json.dumps(data, indent=4))
|
|
||||||
|
|
||||||
|
|
||||||
def read_locked_file(path: Path) -> dict[str, Any]:
|
|
||||||
if not path.exists():
|
|
||||||
return {}
|
|
||||||
with locked_open(path, "r") as f:
|
|
||||||
content: str = f.read()
|
|
||||||
parsed: dict[str, Any] = json.loads(content)
|
|
||||||
return parsed
|
|
|
@ -1,54 +0,0 @@
|
||||||
import asyncio
|
|
||||||
import logging
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
import aiohttp
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
from nio import AsyncClient, ClientConfig, ProfileGetAvatarResponse, RoomMessageText
|
|
||||||
|
|
||||||
from .changelog_bot import changelog_bot
|
|
||||||
from .gitea import GiteaData
|
|
||||||
from .matrix import MatrixData, set_avatar, upload_image
|
|
||||||
from .review_bot import message_callback, review_requested_bot
|
|
||||||
|
|
||||||
|
|
||||||
async def bot_main(
|
|
||||||
matrix: MatrixData,
|
|
||||||
gitea: GiteaData,
|
|
||||||
data_dir: Path,
|
|
||||||
) -> None:
|
|
||||||
# Setup client configuration to handle encryption
|
|
||||||
client_config = ClientConfig(
|
|
||||||
encryption_enabled=False,
|
|
||||||
)
|
|
||||||
|
|
||||||
log.info(f"Connecting to {matrix.server} as {matrix.user}")
|
|
||||||
client = AsyncClient(matrix.server, matrix.user, config=client_config)
|
|
||||||
client.add_event_callback(message_callback, RoomMessageText)
|
|
||||||
|
|
||||||
result = await client.login(matrix.password)
|
|
||||||
if not result.transport_response.ok:
|
|
||||||
log.critical(f"Failed to login: {result}")
|
|
||||||
exit(1)
|
|
||||||
log.info(f"Logged in as {result}")
|
|
||||||
|
|
||||||
avatar: ProfileGetAvatarResponse = await client.get_avatar()
|
|
||||||
if not avatar.avatar_url:
|
|
||||||
mxc_url = await upload_image(client, matrix.avatar)
|
|
||||||
log.info(f"Uploaded avatar to {mxc_url}")
|
|
||||||
await set_avatar(client, mxc_url)
|
|
||||||
else:
|
|
||||||
log.info(f"Bot already has an avatar {avatar.avatar_url}")
|
|
||||||
|
|
||||||
try:
|
|
||||||
async with aiohttp.ClientSession() as session:
|
|
||||||
while True:
|
|
||||||
await changelog_bot(client, session, matrix, gitea, data_dir)
|
|
||||||
await review_requested_bot(client, session, matrix, gitea, data_dir)
|
|
||||||
await asyncio.sleep(60 * 5)
|
|
||||||
except Exception as e:
|
|
||||||
log.exception(e)
|
|
||||||
finally:
|
|
||||||
await client.close()
|
|
|
@ -1,88 +0,0 @@
|
||||||
import logging
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
from dataclasses import dataclass
|
|
||||||
|
|
||||||
from markdown2 import markdown
|
|
||||||
from nio import (
|
|
||||||
AsyncClient,
|
|
||||||
JoinedMembersResponse,
|
|
||||||
JoinResponse,
|
|
||||||
ProfileSetAvatarResponse,
|
|
||||||
RoomMember,
|
|
||||||
RoomSendResponse,
|
|
||||||
UploadResponse,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
async def upload_image(client: AsyncClient, image_path: str) -> str:
|
|
||||||
with open(image_path, "rb") as image_file:
|
|
||||||
response: UploadResponse
|
|
||||||
response, _ = await client.upload(image_file, content_type="image/png")
|
|
||||||
if not response.transport_response.ok:
|
|
||||||
raise Exception(f"Failed to upload image {response}")
|
|
||||||
return response.content_uri # This is the MXC URL
|
|
||||||
|
|
||||||
|
|
||||||
async def set_avatar(client: AsyncClient, mxc_url: str) -> None:
|
|
||||||
response: ProfileSetAvatarResponse
|
|
||||||
response = await client.set_avatar(mxc_url)
|
|
||||||
if not response.transport_response.ok:
|
|
||||||
raise Exception(f"Failed to set avatar {response}")
|
|
||||||
|
|
||||||
|
|
||||||
async def get_room_members(client: AsyncClient, room: JoinResponse) -> list[RoomMember]:
|
|
||||||
users: JoinedMembersResponse = await client.joined_members(room.room_id)
|
|
||||||
|
|
||||||
if not users.transport_response.ok:
|
|
||||||
raise Exception(f"Failed to get users {users}")
|
|
||||||
return users.members
|
|
||||||
|
|
||||||
|
|
||||||
async def send_message(
|
|
||||||
client: AsyncClient,
|
|
||||||
room: JoinResponse,
|
|
||||||
message: str,
|
|
||||||
user_ids: list[str] | None = None,
|
|
||||||
) -> None:
|
|
||||||
"""
|
|
||||||
Send a message in a Matrix room, optionally mentioning users.
|
|
||||||
"""
|
|
||||||
|
|
||||||
# If user_ids are provided, format the message to mention them
|
|
||||||
formatted_message = markdown(message)
|
|
||||||
if user_ids:
|
|
||||||
mention_list = ", ".join(
|
|
||||||
[
|
|
||||||
f"<a href='https://matrix.to/#/{user_id}'>{user_id}</a>"
|
|
||||||
for user_id in user_ids
|
|
||||||
]
|
|
||||||
)
|
|
||||||
formatted_message = f"{mention_list}: {formatted_message}"
|
|
||||||
|
|
||||||
content = {
|
|
||||||
"msgtype": "m.text" if user_ids else "m.notice",
|
|
||||||
"format": "org.matrix.custom.html",
|
|
||||||
"body": message,
|
|
||||||
"formatted_body": formatted_message,
|
|
||||||
}
|
|
||||||
|
|
||||||
res: RoomSendResponse = await client.room_send(
|
|
||||||
room_id=room.room_id, message_type="m.room.message", content=content
|
|
||||||
)
|
|
||||||
|
|
||||||
if not res.transport_response.ok:
|
|
||||||
raise Exception(f"Failed to send message {res}")
|
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
|
||||||
class MatrixData:
|
|
||||||
server: str
|
|
||||||
user: str
|
|
||||||
avatar: Path
|
|
||||||
password: str
|
|
||||||
changelog_room: str
|
|
||||||
review_room: str
|
|
||||||
changelog_frequency: int
|
|
||||||
publish_day: str
|
|
|
@ -1,129 +0,0 @@
|
||||||
import asyncio
|
|
||||||
import json
|
|
||||||
import logging
|
|
||||||
from os import environ
|
|
||||||
|
|
||||||
import aiohttp
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
# The URL to which the request is sent
|
|
||||||
url: str = "https://api.openai.com/v1/chat/completions"
|
|
||||||
|
|
||||||
|
|
||||||
def api_key() -> str:
|
|
||||||
openapi_key = environ.get("OPENAI_API_KEY")
|
|
||||||
if openapi_key is not None:
|
|
||||||
return openapi_key
|
|
||||||
|
|
||||||
openai_key_file = environ.get("OPENAI_API_KEY_FILE", default=None)
|
|
||||||
if openai_key_file is None:
|
|
||||||
raise Exception("OPENAI_API_KEY_FILE environment variable is not set")
|
|
||||||
with open(openai_key_file) as f:
|
|
||||||
return f.read().strip()
|
|
||||||
|
|
||||||
|
|
||||||
from typing import Any
|
|
||||||
|
|
||||||
|
|
||||||
async def create_jsonl_data(
|
|
||||||
*,
|
|
||||||
user_prompt: str,
|
|
||||||
system_prompt: str,
|
|
||||||
model: str = "gpt-4o",
|
|
||||||
max_tokens: int = 1000,
|
|
||||||
) -> bytes:
|
|
||||||
summary_request = {
|
|
||||||
"custom_id": "request-1",
|
|
||||||
"method": "POST",
|
|
||||||
"url": "/v1/chat/completions",
|
|
||||||
"body": {
|
|
||||||
"model": model,
|
|
||||||
"messages": [
|
|
||||||
{"role": "system", "content": system_prompt},
|
|
||||||
{"role": "user", "content": user_prompt},
|
|
||||||
],
|
|
||||||
"max_tokens": max_tokens,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
return json.dumps(summary_request).encode("utf-8")
|
|
||||||
|
|
||||||
|
|
||||||
async def upload_and_process_file(
|
|
||||||
*, session: aiohttp.ClientSession, jsonl_data: bytes, api_key: str = api_key()
|
|
||||||
) -> dict[str, Any]:
|
|
||||||
"""
|
|
||||||
Upload a JSONL file to OpenAI's Batch API and process it asynchronously.
|
|
||||||
"""
|
|
||||||
|
|
||||||
upload_url = "https://api.openai.com/v1/files"
|
|
||||||
headers = {
|
|
||||||
"Authorization": f"Bearer {api_key}",
|
|
||||||
}
|
|
||||||
data = aiohttp.FormData()
|
|
||||||
data.add_field(
|
|
||||||
"file", jsonl_data, filename="changelog.jsonl", content_type="application/jsonl"
|
|
||||||
)
|
|
||||||
data.add_field("purpose", "batch")
|
|
||||||
|
|
||||||
async with session.post(upload_url, headers=headers, data=data) as response:
|
|
||||||
if response.status != 200:
|
|
||||||
raise Exception(f"File upload failed with status code {response.status}")
|
|
||||||
upload_response = await response.json()
|
|
||||||
file_id = upload_response.get("id")
|
|
||||||
|
|
||||||
if not file_id:
|
|
||||||
raise Exception("File ID not returned from upload")
|
|
||||||
|
|
||||||
# Step 2: Create a batch using the uploaded file ID
|
|
||||||
batch_url = "https://api.openai.com/v1/batches"
|
|
||||||
batch_data = {
|
|
||||||
"input_file_id": file_id,
|
|
||||||
"endpoint": "/v1/chat/completions",
|
|
||||||
"completion_window": "24h",
|
|
||||||
}
|
|
||||||
|
|
||||||
async with session.post(batch_url, headers=headers, json=batch_data) as response:
|
|
||||||
if response.status != 200:
|
|
||||||
raise Exception(f"Batch creation failed with status code {response.status}")
|
|
||||||
batch_response = await response.json()
|
|
||||||
batch_id = batch_response.get("id")
|
|
||||||
|
|
||||||
if not batch_id:
|
|
||||||
raise Exception("Batch ID not returned from creation")
|
|
||||||
|
|
||||||
# Step 3: Check the status of the batch until completion
|
|
||||||
status_url = f"https://api.openai.com/v1/batches/{batch_id}"
|
|
||||||
|
|
||||||
while True:
|
|
||||||
async with session.get(status_url, headers=headers) as response:
|
|
||||||
if response.status != 200:
|
|
||||||
raise Exception(
|
|
||||||
f"Failed to check batch status with status code {response.status}"
|
|
||||||
)
|
|
||||||
status_response = await response.json()
|
|
||||||
status = status_response.get("status")
|
|
||||||
if status in ["completed", "failed", "expired"]:
|
|
||||||
break
|
|
||||||
await asyncio.sleep(10) # Wait before checking again
|
|
||||||
|
|
||||||
if status != "completed":
|
|
||||||
raise Exception(f"Batch processing failed with status: {status}")
|
|
||||||
|
|
||||||
# Step 4: Retrieve the results
|
|
||||||
output_file_id = status_response.get("output_file_id")
|
|
||||||
output_url = f"https://api.openai.com/v1/files/{output_file_id}/content"
|
|
||||||
|
|
||||||
async with session.get(output_url, headers=headers) as response:
|
|
||||||
if response.status != 200:
|
|
||||||
raise Exception(
|
|
||||||
f"Failed to retrieve batch results with status code {response.status}"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Read content as text
|
|
||||||
content = await response.text()
|
|
||||||
|
|
||||||
# Parse the content as JSONL
|
|
||||||
results = [json.loads(line) for line in content.splitlines()]
|
|
||||||
return results
|
|
|
@ -1,90 +0,0 @@
|
||||||
import logging
|
|
||||||
|
|
||||||
log = logging.getLogger(__name__)
|
|
||||||
import datetime
|
|
||||||
import time
|
|
||||||
from pathlib import Path
|
|
||||||
|
|
||||||
import aiohttp
|
|
||||||
from nio import (
|
|
||||||
AsyncClient,
|
|
||||||
JoinResponse,
|
|
||||||
MatrixRoom,
|
|
||||||
RoomMessageText,
|
|
||||||
)
|
|
||||||
|
|
||||||
from matrix_bot.gitea import (
|
|
||||||
GiteaData,
|
|
||||||
PullState,
|
|
||||||
fetch_pull_requests,
|
|
||||||
)
|
|
||||||
|
|
||||||
from .locked_open import read_locked_file, write_locked_file
|
|
||||||
from .matrix import MatrixData, get_room_members, send_message
|
|
||||||
|
|
||||||
|
|
||||||
async def message_callback(room: MatrixRoom, event: RoomMessageText) -> None:
|
|
||||||
log.debug(
|
|
||||||
f"Message received in room {room.display_name}\n"
|
|
||||||
f"{room.user_name(event.sender)} | {event.body}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
async def review_requested_bot(
|
|
||||||
client: AsyncClient,
|
|
||||||
http: aiohttp.ClientSession,
|
|
||||||
matrix: MatrixData,
|
|
||||||
gitea: GiteaData,
|
|
||||||
data_dir: Path,
|
|
||||||
) -> None:
|
|
||||||
# If you made a new room and haven't joined as that user, you can use
|
|
||||||
room: JoinResponse = await client.join(matrix.review_room)
|
|
||||||
|
|
||||||
if not room.transport_response.ok:
|
|
||||||
log.error("This can happen if the room doesn't exist or the bot isn't invited")
|
|
||||||
raise Exception(f"Failed to join room {room}")
|
|
||||||
|
|
||||||
# Get the members of the room
|
|
||||||
users = await get_room_members(client, room)
|
|
||||||
|
|
||||||
# Fetch the pull requests
|
|
||||||
tstart = time.time()
|
|
||||||
pulls = await fetch_pull_requests(gitea, http, limit=50, state=PullState.ALL)
|
|
||||||
|
|
||||||
# Read the last updated pull request
|
|
||||||
ping_hist_path = data_dir / "last_review_run.json"
|
|
||||||
ping_hist = read_locked_file(ping_hist_path)
|
|
||||||
|
|
||||||
# Check if the pull request is mergeable and needs review
|
|
||||||
# and if the pull request is newer than the last updated pull request
|
|
||||||
for pull in pulls:
|
|
||||||
requested_reviewers = pull["requested_reviewers"]
|
|
||||||
pid = str(pull["id"])
|
|
||||||
if requested_reviewers and pull["mergeable"]:
|
|
||||||
last_time_updated = ping_hist.get(pid, {}).get(
|
|
||||||
"updated_at", datetime.datetime.min.isoformat()
|
|
||||||
)
|
|
||||||
if ping_hist == {} or pull["updated_at"] > last_time_updated:
|
|
||||||
ping_hist[pid] = pull
|
|
||||||
else:
|
|
||||||
continue
|
|
||||||
|
|
||||||
# Check if the requested reviewers are in the room
|
|
||||||
requested_reviewers = [r["login"].lower() for r in requested_reviewers]
|
|
||||||
ping_users = []
|
|
||||||
for user in users:
|
|
||||||
if user.display_name.lower() in requested_reviewers:
|
|
||||||
ping_users.append(user.user_id)
|
|
||||||
|
|
||||||
# Send a message to the room and mention the users
|
|
||||||
log.info(f"Pull request {pull['title']} needs review")
|
|
||||||
message = f"Review Requested:\n[{pull['title']}]({pull['html_url']})"
|
|
||||||
await send_message(client, room, message, user_ids=ping_users)
|
|
||||||
|
|
||||||
# Write the new last updated pull request
|
|
||||||
write_locked_file(ping_hist_path, ping_hist)
|
|
||||||
|
|
||||||
# Time taken
|
|
||||||
tend = time.time()
|
|
||||||
tdiff = round(tend - tstart)
|
|
||||||
log.debug(f"Time taken: {tdiff}s")
|
|
|
@ -1,59 +0,0 @@
|
||||||
[build-system]
|
|
||||||
requires = ["setuptools"]
|
|
||||||
build-backend = "setuptools.build_meta"
|
|
||||||
|
|
||||||
[project]
|
|
||||||
name = "matrix-bot"
|
|
||||||
description = "matrix bot for release messages from git commits"
|
|
||||||
dynamic = ["version"]
|
|
||||||
scripts = { mbot = "matrix_bot:main" }
|
|
||||||
license = {text = "MIT"}
|
|
||||||
|
|
||||||
[project.urls]
|
|
||||||
Homepage = "https://clan.lol/"
|
|
||||||
Documentation = "https://docs.clan.lol/"
|
|
||||||
Repository = "https://git.clan.lol/clan/clan-core"
|
|
||||||
|
|
||||||
[tool.setuptools.packages.find]
|
|
||||||
exclude = ["result"]
|
|
||||||
|
|
||||||
[tool.setuptools.package-data]
|
|
||||||
matrix_bot = ["py.typed"]
|
|
||||||
|
|
||||||
[tool.pytest.ini_options]
|
|
||||||
testpaths = "tests"
|
|
||||||
faulthandler_timeout = 60
|
|
||||||
log_level = "DEBUG"
|
|
||||||
log_format = "%(levelname)s: %(message)s\n %(pathname)s:%(lineno)d::%(funcName)s"
|
|
||||||
addopts = "--cov . --cov-report term --cov-report html:.reports/html --no-cov-on-fail --durations 5 --color=yes --new-first" # Add --pdb for debugging
|
|
||||||
norecursedirs = "tests/helpers"
|
|
||||||
markers = ["impure", "with_core"]
|
|
||||||
|
|
||||||
[tool.mypy]
|
|
||||||
python_version = "3.11"
|
|
||||||
warn_redundant_casts = true
|
|
||||||
disallow_untyped_calls = true
|
|
||||||
disallow_untyped_defs = true
|
|
||||||
no_implicit_optional = true
|
|
||||||
|
|
||||||
[[tool.mypy.overrides]]
|
|
||||||
module = "argcomplete.*"
|
|
||||||
ignore_missing_imports = true
|
|
||||||
|
|
||||||
[[tool.mypy.overrides]]
|
|
||||||
module = "ipdb.*"
|
|
||||||
ignore_missing_imports = true
|
|
||||||
|
|
||||||
[[tool.mypy.overrides]]
|
|
||||||
module = "pytest.*"
|
|
||||||
ignore_missing_imports = true
|
|
||||||
|
|
||||||
[[tool.mypy.overrides]]
|
|
||||||
module = "setuptools.*"
|
|
||||||
ignore_missing_imports = true
|
|
||||||
|
|
||||||
[tool.ruff]
|
|
||||||
target-version = "py311"
|
|
||||||
line-length = 88
|
|
||||||
lint.select = [ "E", "F", "I", "U", "N", "RUF", "ANN", "A" ]
|
|
||||||
lint.ignore = ["E501", "E402", "E731", "ANN101", "ANN401", "A003"]
|
|
|
@ -1,30 +0,0 @@
|
||||||
{
|
|
||||||
matrix-bot,
|
|
||||||
mkShell,
|
|
||||||
ruff,
|
|
||||||
python3,
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
devshellTestDeps =
|
|
||||||
matrix-bot.passthru.testDependencies
|
|
||||||
++ (with python3.pkgs; [
|
|
||||||
rope
|
|
||||||
setuptools
|
|
||||||
wheel
|
|
||||||
ipdb
|
|
||||||
pip
|
|
||||||
]);
|
|
||||||
in
|
|
||||||
mkShell {
|
|
||||||
buildInputs = [ ruff ] ++ devshellTestDeps;
|
|
||||||
|
|
||||||
PYTHONBREAKPOINT = "ipdb.set_trace";
|
|
||||||
|
|
||||||
shellHook = ''
|
|
||||||
export GIT_ROOT="$(git rev-parse --show-toplevel)"
|
|
||||||
export PKG_ROOT="$GIT_ROOT/pkgs/matrix-bot"
|
|
||||||
|
|
||||||
# Add clan command to PATH
|
|
||||||
export PATH="$PKG_ROOT/bin":"$PATH"
|
|
||||||
'';
|
|
||||||
}
|
|
17
pkgs/renovate/composition.nix
Normal file
17
pkgs/renovate/composition.nix
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# This file has been generated by node2nix 1.11.1. Do not edit!
|
||||||
|
|
||||||
|
{pkgs ? import <nixpkgs> {
|
||||||
|
inherit system;
|
||||||
|
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs_18"}:
|
||||||
|
|
||||||
|
let
|
||||||
|
nodeEnv = import ./node-env.nix {
|
||||||
|
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
|
||||||
|
inherit pkgs nodejs;
|
||||||
|
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
import ./node-packages.nix {
|
||||||
|
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
|
||||||
|
inherit nodeEnv;
|
||||||
|
}
|
8
pkgs/renovate/default.nix
Normal file
8
pkgs/renovate/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{ pkgs, system, nodejs-18_x, makeWrapper }:
|
||||||
|
let
|
||||||
|
nodePackages = import ./composition.nix {
|
||||||
|
inherit pkgs system;
|
||||||
|
nodejs = nodejs-18_x;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
nodePackages
|
5
pkgs/renovate/generate.sh
Executable file
5
pkgs/renovate/generate.sh
Executable file
|
@ -0,0 +1,5 @@
|
||||||
|
#!/usr/bin/env nix-shell
|
||||||
|
#! nix-shell -i bash -p nodePackages.node2nix
|
||||||
|
|
||||||
|
rm -f node-env.nix
|
||||||
|
node2nix -18 -i node-packages.json -o node-packages.nix -c composition.nix
|
689
pkgs/renovate/node-env.nix
Normal file
689
pkgs/renovate/node-env.nix
Normal file
|
@ -0,0 +1,689 @@
|
||||||
|
# This file originates from node2nix
|
||||||
|
|
||||||
|
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
|
||||||
|
|
||||||
|
let
|
||||||
|
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
|
||||||
|
utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
|
||||||
|
|
||||||
|
python = if nodejs ? python then nodejs.python else python2;
|
||||||
|
|
||||||
|
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
|
||||||
|
tarWrapper = runCommand "tarWrapper" {} ''
|
||||||
|
mkdir -p $out/bin
|
||||||
|
|
||||||
|
cat > $out/bin/tar <<EOF
|
||||||
|
#! ${stdenv.shell} -e
|
||||||
|
$(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod +x $out/bin/tar
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Function that generates a TGZ file from a NPM project
|
||||||
|
buildNodeSourceDist =
|
||||||
|
{ name, version, src, ... }:
|
||||||
|
|
||||||
|
stdenv.mkDerivation {
|
||||||
|
name = "node-tarball-${name}-${version}";
|
||||||
|
inherit src;
|
||||||
|
buildInputs = [ nodejs ];
|
||||||
|
buildPhase = ''
|
||||||
|
export HOME=$TMPDIR
|
||||||
|
tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
|
||||||
|
'';
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/tarballs
|
||||||
|
mv $tgzFile $out/tarballs
|
||||||
|
mkdir -p $out/nix-support
|
||||||
|
echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Common shell logic
|
||||||
|
installPackage = writeShellScript "install-package" ''
|
||||||
|
installPackage() {
|
||||||
|
local packageName=$1 src=$2
|
||||||
|
|
||||||
|
local strippedName
|
||||||
|
|
||||||
|
local DIR=$PWD
|
||||||
|
cd $TMPDIR
|
||||||
|
|
||||||
|
unpackFile $src
|
||||||
|
|
||||||
|
# Make the base dir in which the target dependency resides first
|
||||||
|
mkdir -p "$(dirname "$DIR/$packageName")"
|
||||||
|
|
||||||
|
if [ -f "$src" ]
|
||||||
|
then
|
||||||
|
# Figure out what directory has been unpacked
|
||||||
|
packageDir="$(find . -maxdepth 1 -type d | tail -1)"
|
||||||
|
|
||||||
|
# Restore write permissions to make building work
|
||||||
|
find "$packageDir" -type d -exec chmod u+x {} \;
|
||||||
|
chmod -R u+w "$packageDir"
|
||||||
|
|
||||||
|
# Move the extracted tarball into the output folder
|
||||||
|
mv "$packageDir" "$DIR/$packageName"
|
||||||
|
elif [ -d "$src" ]
|
||||||
|
then
|
||||||
|
# Get a stripped name (without hash) of the source directory.
|
||||||
|
# On old nixpkgs it's already set internally.
|
||||||
|
if [ -z "$strippedName" ]
|
||||||
|
then
|
||||||
|
strippedName="$(stripHash $src)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Restore write permissions to make building work
|
||||||
|
chmod -R u+w "$strippedName"
|
||||||
|
|
||||||
|
# Move the extracted directory into the output folder
|
||||||
|
mv "$strippedName" "$DIR/$packageName"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Change to the package directory to install dependencies
|
||||||
|
cd "$DIR/$packageName"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Bundle the dependencies of the package
|
||||||
|
#
|
||||||
|
# Only include dependencies if they don't exist. They may also be bundled in the package.
|
||||||
|
includeDependencies = {dependencies}:
|
||||||
|
lib.optionalString (dependencies != []) (
|
||||||
|
''
|
||||||
|
mkdir -p node_modules
|
||||||
|
cd node_modules
|
||||||
|
''
|
||||||
|
+ (lib.concatMapStrings (dependency:
|
||||||
|
''
|
||||||
|
if [ ! -e "${dependency.packageName}" ]; then
|
||||||
|
${composePackage dependency}
|
||||||
|
fi
|
||||||
|
''
|
||||||
|
) dependencies)
|
||||||
|
+ ''
|
||||||
|
cd ..
|
||||||
|
''
|
||||||
|
);
|
||||||
|
|
||||||
|
# Recursively composes the dependencies of a package
|
||||||
|
composePackage = { name, packageName, src, dependencies ? [], ... }@args:
|
||||||
|
builtins.addErrorContext "while evaluating node package '${packageName}'" ''
|
||||||
|
installPackage "${packageName}" "${src}"
|
||||||
|
${includeDependencies { inherit dependencies; }}
|
||||||
|
cd ..
|
||||||
|
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||||
|
'';
|
||||||
|
|
||||||
|
pinpointDependencies = {dependencies, production}:
|
||||||
|
let
|
||||||
|
pinpointDependenciesFromPackageJSON = writeTextFile {
|
||||||
|
name = "pinpointDependencies.js";
|
||||||
|
text = ''
|
||||||
|
var fs = require('fs');
|
||||||
|
var path = require('path');
|
||||||
|
|
||||||
|
function resolveDependencyVersion(location, name) {
|
||||||
|
if(location == process.env['NIX_STORE']) {
|
||||||
|
return null;
|
||||||
|
} else {
|
||||||
|
var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
|
||||||
|
|
||||||
|
if(fs.existsSync(dependencyPackageJSON)) {
|
||||||
|
var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
|
||||||
|
|
||||||
|
if(dependencyPackageObj.name == name) {
|
||||||
|
return dependencyPackageObj.version;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return resolveDependencyVersion(path.resolve(location, ".."), name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function replaceDependencies(dependencies) {
|
||||||
|
if(typeof dependencies == "object" && dependencies !== null) {
|
||||||
|
for(var dependency in dependencies) {
|
||||||
|
var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
|
||||||
|
|
||||||
|
if(resolvedVersion === null) {
|
||||||
|
process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
|
||||||
|
} else {
|
||||||
|
dependencies[dependency] = resolvedVersion;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Read the package.json configuration */
|
||||||
|
var packageObj = JSON.parse(fs.readFileSync('./package.json'));
|
||||||
|
|
||||||
|
/* Pinpoint all dependencies */
|
||||||
|
replaceDependencies(packageObj.dependencies);
|
||||||
|
if(process.argv[2] == "development") {
|
||||||
|
replaceDependencies(packageObj.devDependencies);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
packageObj.devDependencies = {};
|
||||||
|
}
|
||||||
|
replaceDependencies(packageObj.optionalDependencies);
|
||||||
|
replaceDependencies(packageObj.peerDependencies);
|
||||||
|
|
||||||
|
/* Write the fixed package.json file */
|
||||||
|
fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
''
|
||||||
|
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
|
||||||
|
|
||||||
|
${lib.optionalString (dependencies != [])
|
||||||
|
''
|
||||||
|
if [ -d node_modules ]
|
||||||
|
then
|
||||||
|
cd node_modules
|
||||||
|
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
|
||||||
|
cd ..
|
||||||
|
fi
|
||||||
|
''}
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Recursively traverses all dependencies of a package and pinpoints all
|
||||||
|
# dependencies in the package.json file to the versions that are actually
|
||||||
|
# being used.
|
||||||
|
|
||||||
|
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
|
||||||
|
''
|
||||||
|
if [ -d "${packageName}" ]
|
||||||
|
then
|
||||||
|
cd "${packageName}"
|
||||||
|
${pinpointDependencies { inherit dependencies production; }}
|
||||||
|
cd ..
|
||||||
|
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Extract the Node.js source code which is used to compile packages with
|
||||||
|
# native bindings
|
||||||
|
nodeSources = runCommand "node-sources" {} ''
|
||||||
|
tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
|
||||||
|
mv node-* $out
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
|
||||||
|
addIntegrityFieldsScript = writeTextFile {
|
||||||
|
name = "addintegrityfields.js";
|
||||||
|
text = ''
|
||||||
|
var fs = require('fs');
|
||||||
|
var path = require('path');
|
||||||
|
|
||||||
|
function augmentDependencies(baseDir, dependencies) {
|
||||||
|
for(var dependencyName in dependencies) {
|
||||||
|
var dependency = dependencies[dependencyName];
|
||||||
|
|
||||||
|
// Open package.json and augment metadata fields
|
||||||
|
var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
|
||||||
|
var packageJSONPath = path.join(packageJSONDir, "package.json");
|
||||||
|
|
||||||
|
if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
|
||||||
|
console.log("Adding metadata fields to: "+packageJSONPath);
|
||||||
|
var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
|
||||||
|
|
||||||
|
if(dependency.integrity) {
|
||||||
|
packageObj["_integrity"] = dependency.integrity;
|
||||||
|
} else {
|
||||||
|
packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
|
||||||
|
}
|
||||||
|
|
||||||
|
if(dependency.resolved) {
|
||||||
|
packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
|
||||||
|
} else {
|
||||||
|
packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
|
||||||
|
}
|
||||||
|
|
||||||
|
if(dependency.from !== undefined) { // Adopt from property if one has been provided
|
||||||
|
packageObj["_from"] = dependency.from;
|
||||||
|
}
|
||||||
|
|
||||||
|
fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
|
||||||
|
}
|
||||||
|
|
||||||
|
// Augment transitive dependencies
|
||||||
|
if(dependency.dependencies !== undefined) {
|
||||||
|
augmentDependencies(packageJSONDir, dependency.dependencies);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(fs.existsSync("./package-lock.json")) {
|
||||||
|
var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
|
||||||
|
|
||||||
|
if(![1, 2].includes(packageLock.lockfileVersion)) {
|
||||||
|
process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(packageLock.dependencies !== undefined) {
|
||||||
|
augmentDependencies(".", packageLock.dependencies);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
|
||||||
|
reconstructPackageLock = writeTextFile {
|
||||||
|
name = "reconstructpackagelock.js";
|
||||||
|
text = ''
|
||||||
|
var fs = require('fs');
|
||||||
|
var path = require('path');
|
||||||
|
|
||||||
|
var packageObj = JSON.parse(fs.readFileSync("package.json"));
|
||||||
|
|
||||||
|
var lockObj = {
|
||||||
|
name: packageObj.name,
|
||||||
|
version: packageObj.version,
|
||||||
|
lockfileVersion: 2,
|
||||||
|
requires: true,
|
||||||
|
packages: {
|
||||||
|
"": {
|
||||||
|
name: packageObj.name,
|
||||||
|
version: packageObj.version,
|
||||||
|
license: packageObj.license,
|
||||||
|
bin: packageObj.bin,
|
||||||
|
dependencies: packageObj.dependencies,
|
||||||
|
engines: packageObj.engines,
|
||||||
|
optionalDependencies: packageObj.optionalDependencies
|
||||||
|
}
|
||||||
|
},
|
||||||
|
dependencies: {}
|
||||||
|
};
|
||||||
|
|
||||||
|
function augmentPackageJSON(filePath, packages, dependencies) {
|
||||||
|
var packageJSON = path.join(filePath, "package.json");
|
||||||
|
if(fs.existsSync(packageJSON)) {
|
||||||
|
var packageObj = JSON.parse(fs.readFileSync(packageJSON));
|
||||||
|
packages[filePath] = {
|
||||||
|
version: packageObj.version,
|
||||||
|
integrity: "sha1-000000000000000000000000000=",
|
||||||
|
dependencies: packageObj.dependencies,
|
||||||
|
engines: packageObj.engines,
|
||||||
|
optionalDependencies: packageObj.optionalDependencies
|
||||||
|
};
|
||||||
|
dependencies[packageObj.name] = {
|
||||||
|
version: packageObj.version,
|
||||||
|
integrity: "sha1-000000000000000000000000000=",
|
||||||
|
dependencies: {}
|
||||||
|
};
|
||||||
|
processDependencies(path.join(filePath, "node_modules"), packages, dependencies[packageObj.name].dependencies);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function processDependencies(dir, packages, dependencies) {
|
||||||
|
if(fs.existsSync(dir)) {
|
||||||
|
var files = fs.readdirSync(dir);
|
||||||
|
|
||||||
|
files.forEach(function(entry) {
|
||||||
|
var filePath = path.join(dir, entry);
|
||||||
|
var stats = fs.statSync(filePath);
|
||||||
|
|
||||||
|
if(stats.isDirectory()) {
|
||||||
|
if(entry.substr(0, 1) == "@") {
|
||||||
|
// When we encounter a namespace folder, augment all packages belonging to the scope
|
||||||
|
var pkgFiles = fs.readdirSync(filePath);
|
||||||
|
|
||||||
|
pkgFiles.forEach(function(entry) {
|
||||||
|
if(stats.isDirectory()) {
|
||||||
|
var pkgFilePath = path.join(filePath, entry);
|
||||||
|
augmentPackageJSON(pkgFilePath, packages, dependencies);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
augmentPackageJSON(filePath, packages, dependencies);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
processDependencies("node_modules", lockObj.packages, lockObj.dependencies);
|
||||||
|
|
||||||
|
fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Script that links bins defined in package.json to the node_modules bin directory
|
||||||
|
# NPM does not do this for top-level packages itself anymore as of v7
|
||||||
|
linkBinsScript = writeTextFile {
|
||||||
|
name = "linkbins.js";
|
||||||
|
text = ''
|
||||||
|
var fs = require('fs');
|
||||||
|
var path = require('path');
|
||||||
|
|
||||||
|
var packageObj = JSON.parse(fs.readFileSync("package.json"));
|
||||||
|
|
||||||
|
var nodeModules = Array(packageObj.name.split("/").length).fill("..").join(path.sep);
|
||||||
|
|
||||||
|
if(packageObj.bin !== undefined) {
|
||||||
|
fs.mkdirSync(path.join(nodeModules, ".bin"))
|
||||||
|
|
||||||
|
if(typeof packageObj.bin == "object") {
|
||||||
|
Object.keys(packageObj.bin).forEach(function(exe) {
|
||||||
|
if(fs.existsSync(packageObj.bin[exe])) {
|
||||||
|
console.log("linking bin '" + exe + "'");
|
||||||
|
fs.symlinkSync(
|
||||||
|
path.join("..", packageObj.name, packageObj.bin[exe]),
|
||||||
|
path.join(nodeModules, ".bin", exe)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
console.log("skipping non-existent bin '" + exe + "'");
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if(fs.existsSync(packageObj.bin)) {
|
||||||
|
console.log("linking bin '" + packageObj.bin + "'");
|
||||||
|
fs.symlinkSync(
|
||||||
|
path.join("..", packageObj.name, packageObj.bin),
|
||||||
|
path.join(nodeModules, ".bin", packageObj.name.split("/").pop())
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
console.log("skipping non-existent bin '" + packageObj.bin + "'");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if(packageObj.directories !== undefined && packageObj.directories.bin !== undefined) {
|
||||||
|
fs.mkdirSync(path.join(nodeModules, ".bin"))
|
||||||
|
|
||||||
|
fs.readdirSync(packageObj.directories.bin).forEach(function(exe) {
|
||||||
|
if(fs.existsSync(path.join(packageObj.directories.bin, exe))) {
|
||||||
|
console.log("linking bin '" + exe + "'");
|
||||||
|
fs.symlinkSync(
|
||||||
|
path.join("..", packageObj.name, packageObj.directories.bin, exe),
|
||||||
|
path.join(nodeModules, ".bin", exe)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
console.log("skipping non-existent bin '" + exe + "'");
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
|
||||||
|
let
|
||||||
|
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
|
||||||
|
in
|
||||||
|
''
|
||||||
|
# Pinpoint the versions of all dependencies to the ones that are actually being used
|
||||||
|
echo "pinpointing versions of dependencies..."
|
||||||
|
source $pinpointDependenciesScriptPath
|
||||||
|
|
||||||
|
# Patch the shebangs of the bundled modules to prevent them from
|
||||||
|
# calling executables outside the Nix store as much as possible
|
||||||
|
patchShebangs .
|
||||||
|
|
||||||
|
# Deploy the Node.js package by running npm install. Since the
|
||||||
|
# dependencies have been provided already by ourselves, it should not
|
||||||
|
# attempt to install them again, which is good, because we want to make
|
||||||
|
# it Nix's responsibility. If it needs to install any dependencies
|
||||||
|
# anyway (e.g. because the dependency parameters are
|
||||||
|
# incomplete/incorrect), it fails.
|
||||||
|
#
|
||||||
|
# The other responsibilities of NPM are kept -- version checks, build
|
||||||
|
# steps, postprocessing etc.
|
||||||
|
|
||||||
|
export HOME=$TMPDIR
|
||||||
|
cd "${packageName}"
|
||||||
|
runHook preRebuild
|
||||||
|
|
||||||
|
${lib.optionalString bypassCache ''
|
||||||
|
${lib.optionalString reconstructLock ''
|
||||||
|
if [ -f package-lock.json ]
|
||||||
|
then
|
||||||
|
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
|
||||||
|
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
|
||||||
|
rm package-lock.json
|
||||||
|
else
|
||||||
|
echo "No package-lock.json file found, reconstructing..."
|
||||||
|
fi
|
||||||
|
|
||||||
|
node ${reconstructPackageLock}
|
||||||
|
''}
|
||||||
|
|
||||||
|
node ${addIntegrityFieldsScript}
|
||||||
|
''}
|
||||||
|
|
||||||
|
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
|
||||||
|
|
||||||
|
runHook postRebuild
|
||||||
|
|
||||||
|
if [ "''${dontNpmInstall-}" != "1" ]
|
||||||
|
then
|
||||||
|
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
|
||||||
|
rm -f npm-shrinkwrap.json
|
||||||
|
|
||||||
|
npm ${forceOfflineFlag} --nodedir=${nodeSources} --no-bin-links --ignore-scripts ${npmFlags} ${lib.optionalString production "--production"} install
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Link executables defined in package.json
|
||||||
|
node ${linkBinsScript}
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Builds and composes an NPM package including all its dependencies
|
||||||
|
buildNodePackage =
|
||||||
|
{ name
|
||||||
|
, packageName
|
||||||
|
, version ? null
|
||||||
|
, dependencies ? []
|
||||||
|
, buildInputs ? []
|
||||||
|
, production ? true
|
||||||
|
, npmFlags ? ""
|
||||||
|
, dontNpmInstall ? false
|
||||||
|
, bypassCache ? false
|
||||||
|
, reconstructLock ? false
|
||||||
|
, preRebuild ? ""
|
||||||
|
, dontStrip ? true
|
||||||
|
, unpackPhase ? "true"
|
||||||
|
, buildPhase ? "true"
|
||||||
|
, meta ? {}
|
||||||
|
, ... }@args:
|
||||||
|
|
||||||
|
let
|
||||||
|
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
|
||||||
|
in
|
||||||
|
stdenv.mkDerivation ({
|
||||||
|
name = "${name}${if version == null then "" else "-${version}"}";
|
||||||
|
buildInputs = [ tarWrapper python nodejs ]
|
||||||
|
++ lib.optional (stdenv.isLinux) utillinux
|
||||||
|
++ lib.optional (stdenv.isDarwin) libtool
|
||||||
|
++ buildInputs;
|
||||||
|
|
||||||
|
inherit nodejs;
|
||||||
|
|
||||||
|
inherit dontStrip; # Stripping may fail a build for some package deployments
|
||||||
|
inherit dontNpmInstall preRebuild unpackPhase buildPhase;
|
||||||
|
|
||||||
|
compositionScript = composePackage args;
|
||||||
|
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
|
||||||
|
|
||||||
|
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
source ${installPackage}
|
||||||
|
|
||||||
|
# Create and enter a root node_modules/ folder
|
||||||
|
mkdir -p $out/lib/node_modules
|
||||||
|
cd $out/lib/node_modules
|
||||||
|
|
||||||
|
# Compose the package and all its dependencies
|
||||||
|
source $compositionScriptPath
|
||||||
|
|
||||||
|
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
|
||||||
|
|
||||||
|
# Create symlink to the deployed executable folder, if applicable
|
||||||
|
if [ -d "$out/lib/node_modules/.bin" ]
|
||||||
|
then
|
||||||
|
ln -s $out/lib/node_modules/.bin $out/bin
|
||||||
|
|
||||||
|
# Fixup all executables
|
||||||
|
ls $out/bin/* | while read i
|
||||||
|
do
|
||||||
|
file="$(readlink -f "$i")"
|
||||||
|
chmod u+rwx "$file"
|
||||||
|
if isScript "$file"
|
||||||
|
then
|
||||||
|
sed -i 's/\r$//' "$file" # convert crlf to lf
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create symlinks to the deployed manual page folders, if applicable
|
||||||
|
if [ -d "$out/lib/node_modules/${packageName}/man" ]
|
||||||
|
then
|
||||||
|
mkdir -p $out/share
|
||||||
|
for dir in "$out/lib/node_modules/${packageName}/man/"*
|
||||||
|
do
|
||||||
|
mkdir -p $out/share/man/$(basename "$dir")
|
||||||
|
for page in "$dir"/*
|
||||||
|
do
|
||||||
|
ln -s $page $out/share/man/$(basename "$dir")
|
||||||
|
done
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Run post install hook, if provided
|
||||||
|
runHook postInstall
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = {
|
||||||
|
# default to Node.js' platforms
|
||||||
|
platforms = nodejs.meta.platforms;
|
||||||
|
} // meta;
|
||||||
|
} // extraArgs);
|
||||||
|
|
||||||
|
# Builds a node environment (a node_modules folder and a set of binaries)
|
||||||
|
buildNodeDependencies =
|
||||||
|
{ name
|
||||||
|
, packageName
|
||||||
|
, version ? null
|
||||||
|
, src
|
||||||
|
, dependencies ? []
|
||||||
|
, buildInputs ? []
|
||||||
|
, production ? true
|
||||||
|
, npmFlags ? ""
|
||||||
|
, dontNpmInstall ? false
|
||||||
|
, bypassCache ? false
|
||||||
|
, reconstructLock ? false
|
||||||
|
, dontStrip ? true
|
||||||
|
, unpackPhase ? "true"
|
||||||
|
, buildPhase ? "true"
|
||||||
|
, ... }@args:
|
||||||
|
|
||||||
|
let
|
||||||
|
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
|
||||||
|
in
|
||||||
|
stdenv.mkDerivation ({
|
||||||
|
name = "node-dependencies-${name}${if version == null then "" else "-${version}"}";
|
||||||
|
|
||||||
|
buildInputs = [ tarWrapper python nodejs ]
|
||||||
|
++ lib.optional (stdenv.isLinux) utillinux
|
||||||
|
++ lib.optional (stdenv.isDarwin) libtool
|
||||||
|
++ buildInputs;
|
||||||
|
|
||||||
|
inherit dontStrip; # Stripping may fail a build for some package deployments
|
||||||
|
inherit dontNpmInstall unpackPhase buildPhase;
|
||||||
|
|
||||||
|
includeScript = includeDependencies { inherit dependencies; };
|
||||||
|
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
|
||||||
|
|
||||||
|
passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
source ${installPackage}
|
||||||
|
|
||||||
|
mkdir -p $out/${packageName}
|
||||||
|
cd $out/${packageName}
|
||||||
|
|
||||||
|
source $includeScriptPath
|
||||||
|
|
||||||
|
# Create fake package.json to make the npm commands work properly
|
||||||
|
cp ${src}/package.json .
|
||||||
|
chmod 644 package.json
|
||||||
|
${lib.optionalString bypassCache ''
|
||||||
|
if [ -f ${src}/package-lock.json ]
|
||||||
|
then
|
||||||
|
cp ${src}/package-lock.json .
|
||||||
|
chmod 644 package-lock.json
|
||||||
|
fi
|
||||||
|
''}
|
||||||
|
|
||||||
|
# Go to the parent folder to make sure that all packages are pinpointed
|
||||||
|
cd ..
|
||||||
|
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||||
|
|
||||||
|
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
|
||||||
|
|
||||||
|
# Expose the executables that were installed
|
||||||
|
cd ..
|
||||||
|
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||||
|
|
||||||
|
mv ${packageName} lib
|
||||||
|
ln -s $out/lib/node_modules/.bin $out/bin
|
||||||
|
'';
|
||||||
|
} // extraArgs);
|
||||||
|
|
||||||
|
# Builds a development shell
|
||||||
|
buildNodeShell =
|
||||||
|
{ name
|
||||||
|
, packageName
|
||||||
|
, version ? null
|
||||||
|
, src
|
||||||
|
, dependencies ? []
|
||||||
|
, buildInputs ? []
|
||||||
|
, production ? true
|
||||||
|
, npmFlags ? ""
|
||||||
|
, dontNpmInstall ? false
|
||||||
|
, bypassCache ? false
|
||||||
|
, reconstructLock ? false
|
||||||
|
, dontStrip ? true
|
||||||
|
, unpackPhase ? "true"
|
||||||
|
, buildPhase ? "true"
|
||||||
|
, ... }@args:
|
||||||
|
|
||||||
|
let
|
||||||
|
nodeDependencies = buildNodeDependencies args;
|
||||||
|
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "unpackPhase" "buildPhase" ];
|
||||||
|
in
|
||||||
|
stdenv.mkDerivation ({
|
||||||
|
name = "node-shell-${name}${if version == null then "" else "-${version}"}";
|
||||||
|
|
||||||
|
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
|
||||||
|
buildCommand = ''
|
||||||
|
mkdir -p $out/bin
|
||||||
|
cat > $out/bin/shell <<EOF
|
||||||
|
#! ${stdenv.shell} -e
|
||||||
|
$shellHook
|
||||||
|
exec ${stdenv.shell}
|
||||||
|
EOF
|
||||||
|
chmod +x $out/bin/shell
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Provide the dependencies in a development shell through the NODE_PATH environment variable
|
||||||
|
inherit nodeDependencies;
|
||||||
|
shellHook = lib.optionalString (dependencies != []) ''
|
||||||
|
export NODE_PATH=${nodeDependencies}/lib/node_modules
|
||||||
|
export PATH="${nodeDependencies}/bin:$PATH"
|
||||||
|
'';
|
||||||
|
} // extraArgs);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
|
||||||
|
buildNodePackage = lib.makeOverridable buildNodePackage;
|
||||||
|
buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
|
||||||
|
buildNodeShell = lib.makeOverridable buildNodeShell;
|
||||||
|
}
|
3
pkgs/renovate/node-packages.json
Normal file
3
pkgs/renovate/node-packages.json
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
[
|
||||||
|
"renovate"
|
||||||
|
]
|
8361
pkgs/renovate/node-packages.nix
Normal file
8361
pkgs/renovate/node-packages.nix
Normal file
File diff suppressed because it is too large
Load Diff
|
@ -1,13 +1,12 @@
|
||||||
{
|
{ lib
|
||||||
lib,
|
, bash
|
||||||
bash,
|
, coreutils
|
||||||
coreutils,
|
, gawk
|
||||||
gawk,
|
, path
|
||||||
path,
|
, # nixpkgs path
|
||||||
# nixpkgs path
|
writeScript
|
||||||
writeScript,
|
, writeScriptBin
|
||||||
writeScriptBin,
|
, ...
|
||||||
...
|
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
# Create a script that runs in a `pure` environment, in the sense that:
|
# Create a script that runs in a `pure` environment, in the sense that:
|
||||||
|
@ -19,12 +18,12 @@ let
|
||||||
# - all environment variables are unset, except:
|
# - all environment variables are unset, except:
|
||||||
# - the ones listed in `keepVars` defined in ./default.nix
|
# - the ones listed in `keepVars` defined in ./default.nix
|
||||||
# - the ones listed via the `KEEP_VARS` variable
|
# - the ones listed via the `KEEP_VARS` variable
|
||||||
writePureShellScript = PATH: script: writeScript "script.sh" (mkScript PATH script);
|
writePureShellScript = PATH: script:
|
||||||
|
writeScript "script.sh" (mkScript PATH script);
|
||||||
|
|
||||||
# Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc.
|
# Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc.
|
||||||
# See {option}`writers.writePureShellScript`
|
# See {option}`writers.writePureShellScript`
|
||||||
writePureShellScriptBin =
|
writePureShellScriptBin = binName: PATH: script:
|
||||||
binName: PATH: script:
|
|
||||||
writeScriptBin binName (mkScript PATH script);
|
writeScriptBin binName (mkScript PATH script);
|
||||||
|
|
||||||
mkScript = PATH: scriptText: ''
|
mkScript = PATH: scriptText: ''
|
||||||
|
@ -92,5 +91,8 @@ let
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
inherit writePureShellScript writePureShellScriptBin;
|
inherit
|
||||||
|
writePureShellScript
|
||||||
|
writePureShellScriptBin
|
||||||
|
;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:58ptmutnKoe4R6IE053eEm1gtgY1evYQM+WJtMRTuNm9Z1lE40Q8VJ4gDZ8xkc2ZWssizEgB0Iw=,iv:pNEUemTqKU4joMU9mJI4yYrLGfoHsD10G7BFbqsbSVA=,tag:oJfePGGn/OXJT7l1cugnkQ==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeVpORHNpdk1TZURNQlVE\nRFRtb0ZMODZ5WXdPOHoyVm42TUxnWVJRTGhrCmdOcndyTHlTMUdKYlJnajF0bXRj\ndDNYTmNNanpUbWF4NDJIdlNVQVpZS0EKLS0tIHRCYlpNMHVIMklQbkc2d3Vaenpl\ncysrK3FnSFpTdTVsQUhWTVRmb2h1eFkKmhJdVLu1zb+lEIlDHeoeExaiRQW075mY\nw6dM9dSW1BXTQmKT9q3WsAfF1SDafhSvBpphXTKBI58vrtFNFxJquQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2h2VEErMmRpMndBY3hN\nMlJVM3ZJTHJSQWppQ2wzV0V2T2xiS3BUSXdjCk9WaS9RL3pzSUJCakh4ZkIvQXk0\nV3VweE4yNDZZUHViZHZ3clNHMDB4UEUKLS0tIHkrMXpib2pneHl0a1kyM2VreGty\nMzNQMnJVaXRCT2ZneCtSNlFwREFza0UK2QUqLP6MfsJD1zsI5w/Oq/t87L3k4z/6\nxCe5ZTSBJcksV9v3E20jmFBcJHN/7Yrvp/FeQZRTUr8J9xY5DTBPHQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-04-30T11:28:18Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:umJSHZSWw/EYeinv2QCsJjq7t+awSj4LY8dthXWrX5nLPEzuzGpQrGfAGNle15SudfpZ0XpzeoiFrK6LqeQUr6BwlyWRjuwZjBD0Eo/RG5zvv0lEcQ666KWVlq8v7lP1rNuXIXGSef4ZN/Oqel0HAJW4d05YedwShD6/99HyLhw=,iv:VusNFfl5MRjv1Vrbkcw9auY4DxW9tkMvEJ4KPDEpk18=,tag:0yESnJbjneyG5PQagcsSOQ==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:wAUAcK0gtlCSCuXUMp6w/MBnn+J407iObssBVFjR7I1VUe9enghf4/Q=,iv:nbcgGyOCt8iO1FLPnV4aakLugr6/7fj/DB75KwqC93I=,tag:1D6B38fKIpQFdxobQ89mrg==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTa29QelppdVhheGR0YytK\nR1NWNTU1MUt0WHY1cDBqN2YwRURzN1lEVEhjCmpvK0tmNEZReWpKVGlkUWREakpa\nYnJYbGRUcGJHdGVnYmhKTktVckpKR00KLS0tIDZicFZERnlNckEwTUFaTk11bWsw\nb3hjblFvTWwrZXJLNFp2SkhuN0c5aXMKkYTrgforNlHLf14TLkV2G2qEE87u4dSC\niiywv7ltnotTiAgG2RgQwkmHubpFaEhVyhRskNmVjQI8gZ74AxmC+w==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUzlmMFdySGE0UjJlWEFZ\nL3lNbWpHYUNNTDRHTUE1bVNvMnkzOUZzOEc4CjUrYUNnLzNxQXlJWGJvY2RyU0w1\nWlFpTVFybXdEUVB4cHZIUWFja0poSXMKLS0tIFErMEk3dS9qcWhUUGVnZE41VE0w\nQlBpUCtlQkR2RzlKSjNKMHpHd2xaMUEKe5DRJeyGqMeGWzzWXrdhzLmriXs6BDMq\nA8s4AApF8ojwZdZ7K7k8lslof/kxuFhD7KLhrOJmSgvfRZ8a8vcz7w==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-05-01T09:44:51Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:Bofuu/7Mk1qbsFUE5HTeX9daEQg2NDby0ev/Q96fiLKwcg0rpIFk84NxwPKB/hLGAiUoHEegnzrCFCcAmGPaVQtr/W6dEKsdeVH3R3UBTekEwkXGAnKvrmcS7Vbd/bzvcSA+NuuO93laAgeU/HjMOmkwZwR8GN1LkxGfinVCGhM=,iv:mqMoCB5welSRzSzaIgi9P+Y60n+/ZrB0LlR8Mx2bIRM=,tag:Ytvv38xMoXzHow4qheRLQA==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:Bzc+7/1WPH1P9L9B/fzhtD4PAtsvplXU7SKVyC2o,iv:aLq+EZ1twpHa47nvcIv0M1SIb+IzzIa0lYiu92/GMwI=,tag:+zXRw99x/E2R5MZqIXgz/g==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WlBpTXlhZHBsM2VsVFAw\nUlY3S2l4R3hDZmJoM2lJd0lkNXY5YUNiRVJzClc1b0NxYndEYkZUMy9TS1BmdDBO\nTks3Q2llL1Jkc2NIeWV1QWVpdVdZYVkKLS0tIFovMEtBbU1hTURHZDNzZ0drUndY\nYVU2YTJxVENXdkFTRTdVT0FWa3RoU0EKqZ1XST0fbbagViwG8xtAjjts9AA/Hn0m\nIO5mpZNYNUzf+l0Zi/AjtAnaRrpZowV0gcskfcj3LX30CbwwySH3qA==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMjBoZHpBN0JBZVFlUnd2\nWVpYMXNaOVQ2eExuWlBWYWppL2ltYXBnRWlRClRReUcrT2RYck1XQlFINGUyVFNn\nNGdiSkQzUERaTXNEaUJycHBXZ1pXelUKLS0tIDUxMzl1MzBDdmpXRnphUkdhRzRz\nUm9UbWhjUFA4M0JxLyt4d1pMMFJEbUUKwiJziQs5qqTc6Tlm55wHobu5PKGpsoRm\ndKTjasrcUEFWu0cNAxdGXvOUipT8hPazvLl3Ajdo8KYXwP7/LVaTuQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-04-30T12:50:37Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:vOuXOCzTFrS4M8ZKWc8wVdccTfcqiFjtuRAAPToLOVk1AlY97cT0SIMCNOniSmChYIHIx1rvPqmc16BWYZr0AhYpw8a0XH2XrpCo3M3oLJ8UMiwvn5R2FdU3P9Q+feDpWL5KPy3ii/OuoQBCAovywSs3fhi/dQZfjIQHVs5bqvs=,iv:F7egkb6zDIKYAxRJwRYChR1dboeHGgqS85Er23YT2es=,tag:0UurFP2e0vFw0RbkjnizcA==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:rbKMhNQwkuMFJCQHXiwxyEpQLqLsLqBeE6o=,iv:Fo8SoR9wPV0e7r42zpuELHcr0r5YwWpAWhVZJy3rt4Q=,tag:sGHXyai6d5VLMotE1P33Fg==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQnNiN0FXZ0Nkek5DVElW\ncUc4MmNBa0pHOUFsclp6ekZUMWdBVnNjSVJVCkdlME5sWC9rSGhUdjhRSDY3S3Jt\nQjBWLzRIbDNvWVg0eDNITnBnNHlVcGsKLS0tIFFWVms4SmZjSmE3RGZSbnVCYnJH\nUFdZRm1aSkVWZkRLdmlEQkVpa1lQNDAKBomS4CHmrfwiF5UTzVZZsCFqZ2wyCyQE\ndzFQe0ysLekbRTw1FfHnz/vJYsOV1Hk5PqTEFdTFNrYO+I6Rh/0ZIw==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TmVtbXl4R3QxOGZ0VmJG\nMlJWMFJGTDIvS0M1cVFmNjFXMkdCR3RDaENZClFac0Zxc0gwUkpHYkdVZWg0NUhs\nRk9va2ZQVFlXVG1VZE10Z3ZuS2NheUUKLS0tIHRhNHlWQ21JNkNnN094LzVwb0tJ\nMUQ3T1Vycm1yQ1l0d0tNdytFcFhoVDQKVaGaWAOXwHWm+FqxILcPlZ+7eDSeNftZ\nZFAP3ANmPMkl311Ucl8kub0a9bY9RhU0ZZn1WGgJD/qL/EAtmudFSA==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-04-30T14:56:43Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:sH/X2WLD3OCJ4Z20s+Mqnoe/xDZzfp0DL0w8HhBshbRu0NtTbQ6MyPwZ7ar3Gl6wBVBVXDfHTX5x2/6Vs/C59NIJCKjeDrkuRWLL1qd1kF9Iqf5CyBjv3Pv/bZVGRkFSQ4IG5SZDRrGyz5+FZEGUbxvYOzZWW6gDrBWsyNn62rM=,iv:ITVFQJEqhqO3w/7m4+tH2d76FI4mghNRd+Em7yZ3QiQ=,tag:kq/rD8MUuWorSDKWGKQQnA==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:5IICNx79F7NM4LzU8dWgnmkqn/6zgx/m9swqHsCo6wrqV0C+OCC9lWsBGbQ7sGDZHP9OPo4xXijzgBPelceb6Tb2CrwDo3Ud0UCMNA==,iv:wUMUI6gqaR1it4CaT+qbJfSIKDAXuLIPrfGDpwr+TwY=,tag:pIPF878PCJc/HcOfTEoA/w==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNWZRUnJpY1pLZ2RKY2Vu\neXNQUXdzTUNEbkZyTFFRWVVFRDhCQzdjWGlBCnEvbXlzKzBwQ3c4T0R6RFR3bTRz\nTXcyNEYzMGhoOE5KV0pDTXVBcVRiVjAKLS0tIDBHWTByK0NmRlZLZmxudk1XMFFP\nSU1YLzN0WElPbWk0TTlOMlE5azcrQzQKDBP5mZGRgR9W8jN5nC0SifqR/x5poMOy\nUPsAQx8JVarvbAAXn2btTkjkUCG0ATdIxPDeJenocMzLX8kFOZsV4g==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNXpBU0x6QkhwYWpMVVJh\nTlllS2pkbWNwa01HZjNwNHhNemFlbVNSZUVnCmUrM3lpL0FtdjVwanN6YWJFMjZU\nOUV5ZVIydUFrYWxKNDJiMGVOc0VaSWMKLS0tIGhocjg2RkFDV1IyM0Viamg1QVRX\nNDFTN1M1clB3NHZqV2NrcFBmOURkc0kKmrFWs9yEJ7gyWdyH15HepzYt0d9jkx2w\nqVqYfLx79GHmrZVyzM+10wHrkjP+LJBorcz6QR68JMgagcAbPxi6nQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-05-01T10:05:01Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:evJedhmyh4E8jHr4YZzaexzoeWok3imHUBBNwKNXwxip0X/BpWdBV8E0+uVMIxhg5PMI58VzRVVrSlcuda2yLBT94+iHWPXIedbk0RxYMhyw21oR53OAgN5/CM5SjfvBB58tr9r1X+kdB6kaCEbH2nVUfsax+A27AGh9m0IcQtc=,iv:Q4PLC3dml+RcSTYf74k5bnoikJX0wwM1pLaiWayOfnM=,tag:eWY312KepmAHiUMFuvhLsQ==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:iJTjs8bG2GLGnGp/Hf4Egtorrk87rkgh9Yn+gPuWAJ61wIAtN3g9SU3vyYpvRrIqHVUyLObGbrWYi3Ol07M=,iv:YTOctq9aw4tc9xwoOO4UbR2cYPHV0ZmuE1FRWn13sgk=,tag:zU3HFqxwZcn/9S02bj3/fA==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa1FIbWt2aHduZVBlcGpq\nOUsybTRmR1I4M1JZY3A4ZUFpZEN3dlZCTkZRCmdVajFUcDMyeEdJMThVZElJdmlJ\naEhvSk9sYThXdkxoaXVLem15dlJMcm8KLS0tIEJsdFY4L0M3Q2cwdzFOdy9LN0k3\nOEdCM09PUWlZbE91U2ZYNmVHeU43bUUKC+z+6XZCiVfwGQQCAHoB+WGE5Mm3qJZq\nuyD5r3Ra6MAvvwIhnqbwadRoxVH1HcdIB6hJsNREE/x6YNLxi3T7nw==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age1zwte859d9nvg6wy5dugjkf38dqe8w8qkt2as7xcc5pw3285833xs797uan",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOHBub0J3U2FuOFNuS2xl\nRkExYVEvcmowWDlyUGlpYko3N1dIcmN5dmxJCkRtRm9qVVNQK3FQcTB1U3g3OHhS\ncU9XaHUxNWVlL2tpblpZUHF1UWt4am8KLS0tIGJOZkJ4eDJ6WWx1d2R1VG1qODZS\ncHhXMVhEUHdLZjIvNUYxRmduZkpjaU0KqZKUb9KYpSvwxaJRAbYhkuOdnzsU3p9Q\nU2WO5TIwS762yNqWTzyYdxb9YxvTOatW7uWTorRXZu1yqCTMTuq+1Q==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-07-03T09:47:40Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:dpdmkhedaqivzIlxhoWb+u77JmfWRo94iWDolAa9UKvnjBo1QE5sHbqWasCH81wjO0wPBPRUqnj9JQ7kG9AFp24Fad+gAp74Gwx5M/PSx1dsd6xkcxt6PJ8sFXGb0H3lYduCaNfDGgsJTVoDcbk8rgYzjo5+mxs2pqrrn10t4iU=,iv:MGMIq2rF4+hr89/dppi2JDVbpAShscYTMM9viHPepIY=,tag:Dj9B6qvAkmiUmgRvZ6B94Q==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/qubasa
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:WW0RmSs3k81jSgYLt8dHEiJOxlncPWl3QWvRtmNgtIxvup7h,iv:nw7SP15EVWfS78dJE37msnxAZ/goYb7rGqAKNzhXFP4=,tag:yxVyGUMFczq8cGuU4V/FzA==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiM0FBVkhPc2luMjlpSW1R\nN0NlUU9ZQkxIOVAwa3hlMVg3bFluTjRlRUdRCmMxSkMvZjg2ckUyUThhSC9VOW1H\nZExFY2owcHQ5NzJtUW5pbDFjd2oyaEUKLS0tIG1Fd25acHdYWEdlQkMxajhRQXNw\nTGxJUDdPMlRrQ0t3SkVSaWdZZXJGT0EK7WfQ+6jVzOBToqO9wJby/qaF6kM00hMh\n+Y4A08X/ItLzyfCc5LQ97GQ2VlwXK5+HoD7jNnn//3xeH6YC1VBdkg==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNlpOQ1QydEJuM3pCbEpK\nSDUzVlppNkFnSDJLSU1ITEdWWCtaUEE0THcwCmljSUl0amx2OTBVZXBPMFNGbjJP\nakNQcWlad1R3cDZYWWZpQkJkQmEvUEEKLS0tIFpJOU1GUnNaTnlaL25GRkdxZnhs\nUEhIVEpNWjNOV2FTSmVnRkVCWm90MDgKMvz6QdPRoYb2bPjS9oSOVA5gTfwrgn4q\nIyboQIMV3oAaAs9LSUcUMBvERzQ31JXnHRzrnqtdiNX0NLbIrN47yg==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-06-06T16:09:34Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:7iKDT5577mLLeNyi46JHa4AUumqbQm65V3DXqNdNyLWccpIcML8n7jgFNxuK9gTqV2LM6bG18qS1orBJtPdawKnvxJwUaFb3Mo06C2+LVnWG4fT6MV+5eF8y6SM3IngT9BPk7IhTTGWe8lGJ6HTlg+9/f4/cq5NSKfeRgTkDEcE=,iv:T8wjeq2D1J8krhWeQJbVCOPY5sr05z/wMJqvr9onQK8=,tag:XgDTOTa2zv4NiBFN0b3rqA==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:ybX1/Uc+LqfgUoZQqCURgPfsTyzlsO+Xn7z8/0H9v5kyfJYX7PI1VlXVFBgR3Xh+2iuTF+v98PQyYeJOYLk3NTWggZayQQ4ivt0DLdhgG+DRFbeN8GMiqV5NWNhnL2tgLBu9DZViBSpgcbg9aHfI2cagboJnCSqyS2w1i/anvKaEgKa5YucrS4jywVxhBbvON6Oa2v8Hb0f/R8Ldl9HSqMM6o3pQEaYOsTNieNy63h9C4ERP/jIhKSajggpeHENdnuQC7Kavz54faL9xaz0jwRHb1fd+IGTM7fxqbyB5702nKEGytDwKzH0fh6q1HJNHbhWeWyCmGFKOkqywaQjcpJsczP2FIwkZmoui0juTEluNk1KzugP0gxtsuwjUiJlZeJxtZEgsnifLPpHyCaN99jzPjhd1TknT7MWZMVJT/R14bdD+QdwvR8rHK8IMctMGrNsqu3+Crdwu3WSfDH9jEM1zAZQNvLUT13azRABz1rpJvNFnvhDTBwDbUJlLpIQcPOPtVKO0IQeM5EUnCr+oCfBrP/To3mqo82s3,iv:jbY6WK0BcyLlU3Sbo7qNOHfCGU4TjUqTiww546Tyq20=,tag:VklHST51z5XI9+UiASBO9g==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlenFrWW45UXcyd3pwaTE0\nY3ROWWFPdzIwK1JuU2h2NCsyanF1VzhoM1NjCndscHZpTUNmcWc0TDd4V2xHM0lh\ndVNZQW1jMGFNeDdxbDhwdFB1Z3AwdVUKLS0tIGNmbVNMRUZGb1lPcnlrdkhnZ3JX\nM2szRHVydldGN3haV2lhZlFMeUgzcU0KDDwWVSjsua4DKXlqqk2Ns2e1zkzJK2Y2\n8+r8bXkBLJyXqQCQteXBrc5U+0n1KfHVkkvPmuBI3BmcAiVVmr/RxQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdHEyT3U0TzJQUW9wM2Z3\nYVdTYmRSeUwrZy9iNTVpcmZJMnhOeHlGRGp3CnVYbk15NWxadk9waFdJVFBKa0Vx\nYUtkYWZuYmhabk1xREtDdzFGdUcyaW8KLS0tIGYxcDVuQXZwdk1rVHJOOHljTmVl\nMXNXTHdSam12djE3Z0UyU2dSZDcrRGcKaQnrYuUpSTjOYYHH0EsqnTLHkU5Md4Ro\nUpeJX1GmAoIAUGruB/8jPbMaDQQXbjNLDCCalStlbqMgbgz/Ty4ukQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-06-06T16:09:35Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:2RptHkE/k4JfqdybmnI3sbeEDaaD4bUtEPLuBcpltZjR5EHFYLsEB1Woxlzj2rLqq+8Wr6kWZtsG3uJSxsColUbazJd1CoVJxHpm6tAnM47Mv1YG5PdLwqpwJWji4AI5lAer4ZMfuGDpNbrwvbO3qB8R55r5SYay4b4Yc49wQXA=,iv:ESimFSybysRrgEj+27ECUi6kIklv1IunWVclTjX7C5g=,tag:LONP+cUm5NVcBvgVStZnwQ==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:zCWFFE6+923po+i6g+ehKgC3FdAEhbmFDTbc6VZIXdBqNO7qvC8K1Q34aZVzQ3HaE6l/p5V7Ax0U0xRypQ==,iv:NJhOMcGg55fznrpM6bSqNvr/lOYAsUUVtfK8eJRs0Iw=,tag:6jadN151/70a7BBXsqMClg==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcHNaTjJlejlJYy90eGFT\nVTloRFV3OVV4enI1OENaeGVpcXpCV0dUenlBCkdONUE3eXhlY1JMRko5Q0VJVFN6\nMkdSR1krYjlJRyswOExRSW9UeUI2czAKLS0tIEJWRDZwRWp1U3V4S0NLOXJDS0ZZ\ncXRFNGxnNXZHNHpvOUpVcTYvM3RoNU0KPgJoJ/22jyUtqGeXfO+DInB3zIwrB+OP\ncjw6Dt7mPYT/OUG6Cq12D6+xMYCm+r4jswtkvWaPhnzGcIOcqMJHwg==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa1IvdklYcENvUzlwdnNi\nbnlidGVvMzZLRS9EU1RzZ0VzMUtvOGRGR25zCklqVTA4T2FIR3l2MER2RjRsbkZH\nRWlxUkYyUjIwSzl5SWJHblMvclZwOGsKLS0tICtaYW83M3lXakJsMFNEc0FjYWdC\nU3ZDUEplYk1tOFRiUUpXTVA0NTUyaHMKdtR+rqRz+Jjf4BfCd5B7ygRLYKTDDRJk\nq0eSNG+i+Xjz/kLWsMpmO4Cevhp0SPyLZV2g2CiDo5vXZQ5Qiy8pSQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-06-10T09:11:22Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:D+NLO8U8mXc4wzQC1OHoba5t+i92P3ZeZy7M8nPhBvnWFznhWBmHRLTI55c8+Q3tkNJI0rBt43+XjC7X1ij36eSza/8O6dh5+jM4UkvFBBJG8ZTPSqakISmPBN1k80qm6G15ELgRrJc0+DNAuuZVuBAwVNUFmaZNx6FmX/G4nRU=,iv:RlhgqQoXAeNFTLRJubVzFJq0wbZwZOeAyZs2nD7IHfg=,tag:6zgWakwYjf93qyMwKlSG9g==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1 +0,0 @@
|
||||||
../../../users/joerg
|
|
|
@ -1 +0,0 @@
|
||||||
../../../machines/web01
|
|
|
@ -1,24 +0,0 @@
|
||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:bcYm9Jx6NS5T2085GmeUJJeLdD1ZtGSfMtXNWcNkeL7F,iv:jR8k0EMO20ZiBXmb1ddJS5x0c95y9vEPvMig0Y0iXBg=,tag:wZBLbCe8ucQSIGrNOjN1jg==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVWx6TzM4MEpmZ3ExczZo\nNS9kU1Z5NEl1aDdwSzUwSy93anlPQXdOVVVNClBqMENEWUhLVml6dkRZaVk4OU1V\nNjBNV0p2MjFLMDI1c3paOUU0Zndsd28KLS0tIEJZVFA4akVLMzVSanJMcWwweCtE\nZ2h2NE1mdWJNd1VWZDFyT0tvTmlrV0kKfsW5qG12wP+hI/ZCcZNsjv5ububSITLp\n4SzzyeTzpDrGlu/h52szD0VYnB0w3/fF2Ar/lvBYN0y9MXXYUQGdRA==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdmZUaThzQzQ0em9reXJM\nTkNNRlhKRWoxR3dVTXc0TEdXV2pNQytXK3lrCkk1Z1g2d2R6V002d2lXNWtFMmo5\nT2tiTGpyRTE4WXk4c0hYOGdFejBITWsKLS0tIFdib0UzL2dNbXRjZHFYOEVGSWVU\nTDlNN0xSQWgzdFVhV21SSE9JNkM0OGcK2icnV6pvh7PMVp5r51b+Ukgl95XiiTHG\nDjj3M24jEh9UX2bYraGyRNnLh3piQe7Jim3/ZAHSOzl105GulapU5g==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2024-06-10T09:11:20Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:Ie9j/N4dB6qKtpzPrQROPbsGQCfzYL8dhtptOB0XQw+mh19vpcvWyzLqYOorM1eBKrUWYob6ZHe27KXxN+9RtPe+KFABlFAQRENfPBVPi9Y7/XxMiMQ2gL6JQkvN47Aou/jWhPIOeuCXuEqr4VEOa0F6jPLmS9aPPc95MV/cHxo=,iv:/R67c5rBG3nIm6iAJedPdXL8R+b1RGez/ejzBDW4tf4=,tag:2A9njvLHsAzda+kh8PYj5w==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.8.1"
|
|
||||||
}
|
|
||||||
}
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user