Compare commits
No commits in common. "main" and "flake-update-2024-04-22" have entirely different histories.
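--- /dev/null
+++ b/.gitea/workflows/checks.yaml
@@ -0,0 +1,11 @@
+name: checks
+on:
+pull_request:
+push:
+branches: main
+jobs:
+test:
+runs-on: nix
+steps:
+- uses: actions/checkout@v3
+- run: nix run --refresh github:Mic92/nix-fast-build -- --no-nom --eval-workers 10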
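Review bot: The job runs unpinned third-party code on every run: `actions/checkout@v3` is a floating tag and `nix run --refresh github:Mic92/nix-fast-build` fetches whatever the upstream default branch currently is, with `--refresh` deliberately bypassing the local cache, so the pipeline is neither reproducible nor insulated from an upstream compromise. Pinning both to a commit — `uses: actions/checkout@<full-commit-sha>` and `github:Mic92/nix-fast-build/<rev>` — or adding nix-fast-build as a flake input so flake.lock pins it would address this. Because the workflow also fires on `pull_request` and runs on a self-hosted `nix` runner, the PR contents decide what gets evaluated and built on that machine; worth confirming who can open PRs that trigger it. `branches: main` is usually written in the list form, `branches: [ main ]`; worth checking the runner accepts the scalar.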
@ -23,8 +23,3 @@ $ ./tf.sh apply
|
|||
$ cd ./targets/web01
|
||||
$ ./tf.sh apply
|
||||
```
|
||||
|
||||
## To add a new project to CI
|
||||
|
||||
1. Add the 'buildbot-clan' topic to the repository using the "Manage topics" button below the project description
|
||||
2. Go to https://buildbot.clan.lol/#/builders/2 and press "Update projects" after you have logged in.
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
{
|
||||
perSystem =
|
||||
{ inputs', pkgs, ... }:
|
||||
{ inputs'
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
convert2Tofu =
|
||||
provider:
|
||||
provider.override (prev: {
|
||||
homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [
|
||||
"registry.opentofu.org"
|
||||
] prev.homepage;
|
||||
});
|
||||
convert2Tofu = provider: provider.override (prev: {
|
||||
homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [ "registry.opentofu.org" ] prev.homepage;
|
||||
});
|
||||
in
|
||||
{
|
||||
devShells.default = pkgs.mkShellNoCC {
|
||||
|
@ -18,18 +18,17 @@
|
|||
|
||||
inputs'.clan-core.packages.clan-cli
|
||||
|
||||
(pkgs.opentofu.withPlugins (
|
||||
p:
|
||||
builtins.map convert2Tofu [
|
||||
p.hetznerdns
|
||||
p.hcloud
|
||||
p.null
|
||||
p.external
|
||||
p.local
|
||||
]
|
||||
))
|
||||
(pkgs.opentofu.withPlugins (p: builtins.map convert2Tofu [
|
||||
p.hetznerdns
|
||||
p.hcloud
|
||||
p.null
|
||||
p.external
|
||||
p.local
|
||||
]))
|
||||
];
|
||||
inputsFrom = [
|
||||
inputs'.clan-core.devShells.default
|
||||
];
|
||||
inputsFrom = [ inputs'.clan-core.devShells.default ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
244
flake.lock
244
flake.lock
|
@ -1,47 +1,5 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"buildbot-nix": {
|
||||
"inputs": {
|
||||
"flake-parts": [
|
||||
"flake-parts"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"treefmt-nix": [
|
||||
"treefmt-nix"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718502800,
|
||||
"narHash": "sha256-Arnuj2v9HCrmV9ZU5fln/MoKhQfICO6o9ia8xQ386CY=",
|
||||
"owner": "Mic92",
|
||||
"repo": "buildbot-nix",
|
||||
"rev": "c3b59dac3ee3b4c1dd9cabb2f850e2d8bcfaf417",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "buildbot-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"clan-core": {
|
||||
"inputs": {
|
||||
"disko": "disko",
|
||||
|
@ -49,25 +7,29 @@
|
|||
"flake-parts"
|
||||
],
|
||||
"nixos-generators": "nixos-generators",
|
||||
"nixos-images": "nixos-images",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"sops-nix": "sops-nix",
|
||||
"sops-nix": [
|
||||
"sops-nix"
|
||||
],
|
||||
"treefmt-nix": [
|
||||
"treefmt-nix"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718900431,
|
||||
"narHash": "sha256-iEpESD8Hywek3lkGgvTjG5C25UTaAAjnqX9R0lIvhSI=",
|
||||
"rev": "b3123b150ff7a287d36efd1cce29bd4d1e7e4d86",
|
||||
"type": "tarball",
|
||||
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/b3123b150ff7a287d36efd1cce29bd4d1e7e4d86.tar.gz"
|
||||
"lastModified": 1712910239,
|
||||
"narHash": "sha256-0Iu86fs3QqmDTEBZ2kJFYeNQc59L0ncW22CnJItDIuE=",
|
||||
"ref": "synapse",
|
||||
"rev": "e22501799b2409b9c1db340a25acadc5ff730e4c",
|
||||
"revCount": 2473,
|
||||
"type": "git",
|
||||
"url": "https://git.clan.lol/clan/clan-core"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"
|
||||
"ref": "synapse",
|
||||
"type": "git",
|
||||
"url": "https://git.clan.lol/clan/clan-core"
|
||||
}
|
||||
},
|
||||
"disko": {
|
||||
|
@ -78,11 +40,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717915259,
|
||||
"narHash": "sha256-VsGPboaleIlPELHY5cNTrXK4jHVmgUra8uC6h7KVC5c=",
|
||||
"lastModified": 1712356478,
|
||||
"narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "1bbdb06f14e2621290b250e631cf3d8948e4d19b",
|
||||
"rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -91,18 +53,23 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"disko_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"lastModified": 1713406758,
|
||||
"narHash": "sha256-kwZvhmx+hSZvjzemKxsAqzEqWmXZS47VVwQhNrINORQ=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "1efd500e9805a9efbce401ed5999006d397b9f11",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
|
@ -113,11 +80,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717285511,
|
||||
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
|
||||
"lastModified": 1712014858,
|
||||
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
|
||||
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -126,31 +93,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixlib": {
|
||||
"locked": {
|
||||
"lastModified": 1712450863,
|
||||
"narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
|
||||
"lastModified": 1711846064,
|
||||
"narHash": "sha256-cqfX0QJNEnge3a77VnytM0Q6QZZ0DziFXt6tSCV8ZSc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
|
||||
"rev": "90b1a963ff84dc532db92f678296ff2499a60a87",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -168,11 +117,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716210724,
|
||||
"narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
|
||||
"lastModified": 1712191720,
|
||||
"narHash": "sha256-xXtSSnVHURHsxLQO30dzCKW5NJVGV/umdQPmFjPFMVA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
|
||||
"rev": "0c15e76bed5432d7775a22e8d22059511f59d23a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -181,65 +130,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-images": {
|
||||
"inputs": {
|
||||
"nixos-stable": [
|
||||
"clan-core"
|
||||
],
|
||||
"nixos-unstable": [
|
||||
"clan-core",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717770332,
|
||||
"narHash": "sha256-NQmFHj0hTCUgnMAsaNTu6sNTRyo0rFQEe+/lVgV5yxU=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-images",
|
||||
"rev": "72771bd35f4e19e32d6f652528483b5e07fc317b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-images",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": [
|
||||
"flake-compat"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-24_05": "nixpkgs-24_05",
|
||||
"utils": [
|
||||
"flake-utils"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718084203,
|
||||
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1718396522,
|
||||
"narHash": "sha256-C0re6ZtCqC1ndL7ib7vOqmgwvZDhOhJ1W0wQgX1tTIo=",
|
||||
"lastModified": 1713687659,
|
||||
"narHash": "sha256-Yd8KuOBpZ0Slau/NxFhMPJI0gBxeax0vq/FD0rqKwuQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3e6b9369165397184774a4b7c5e8e5e46531b53f",
|
||||
"rev": "f2d7a289c5a5ece8521dd082b81ac7e4a57c2c5c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -249,30 +146,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-24_05": {
|
||||
"locked": {
|
||||
"lastModified": 1717144377,
|
||||
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-24.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"buildbot-nix": "buildbot-nix",
|
||||
"clan-core": "clan-core",
|
||||
"flake-compat": "flake-compat",
|
||||
"disko": "disko_2",
|
||||
"flake-parts": "flake-parts",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixos-mailserver": "nixos-mailserver",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix",
|
||||
"srvos": "srvos",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
}
|
||||
|
@ -280,19 +160,16 @@
|
|||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"clan-core",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"clan-core"
|
||||
]
|
||||
"nixpkgs-stable": []
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717902109,
|
||||
"narHash": "sha256-OQTjaEZcByyVmHwJlKp/8SE9ikC4w+mFd3X0jJs6wiA=",
|
||||
"lastModified": 1713668495,
|
||||
"narHash": "sha256-4BvlfPfyUmB1U0r/oOF6jGEW/pG59c5yv6PJwgucTNM=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "f0922ad001829b400f0160ba85b47d252fa3d925",
|
||||
"rev": "09f1bc8ba3277c0f052f7887ec92721501541938",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -308,11 +185,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718585173,
|
||||
"narHash": "sha256-G5DB6D3p8ucyGfmWt3JmiWcVW55DeuUoiT230wQ9Am4=",
|
||||
"lastModified": 1713533513,
|
||||
"narHash": "sha256-nv5GmWaGryyZU8ihQIYLZWasqaXTZKGTjsypG0TRw9Q=",
|
||||
"owner": "numtide",
|
||||
"repo": "srvos",
|
||||
"rev": "c607ffef7c234d88f37ed12d75b2c48de3f4b3fe",
|
||||
"rev": "d8945920cb8e98dc737d1fc2d42607f5916c34cf",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -321,21 +198,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -343,11 +205,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718522839,
|
||||
"narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
|
||||
"lastModified": 1711963903,
|
||||
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
|
||||
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
108
flake.nix
108
flake.nix
|
@ -8,84 +8,62 @@
|
|||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
flake-compat.url = "github:edolstra/flake-compat";
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||
treefmt-nix.url = "github:numtide/treefmt-nix";
|
||||
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
nixos-mailserver = {
|
||||
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.utils.follows = "flake-utils";
|
||||
inputs.flake-compat.follows = "flake-compat";
|
||||
};
|
||||
disko.url = "github:nix-community/disko";
|
||||
disko.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
sops-nix.inputs.nixpkgs-stable.follows = "";
|
||||
|
||||
srvos.url = "github:numtide/srvos";
|
||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
|
||||
clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse";
|
||||
clan-core.inputs.flake-parts.follows = "flake-parts";
|
||||
clan-core.inputs.nixpkgs.follows = "nixpkgs";
|
||||
clan-core.inputs.treefmt-nix.follows = "treefmt-nix";
|
||||
|
||||
buildbot-nix.url = "github:Mic92/buildbot-nix";
|
||||
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
buildbot-nix.inputs.flake-parts.follows = "flake-parts";
|
||||
buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix";
|
||||
clan-core.inputs.sops-nix.follows = "sops-nix";
|
||||
};
|
||||
|
||||
outputs =
|
||||
inputs@{ flake-parts, ... }:
|
||||
flake-parts.lib.mkFlake { inherit inputs; } (
|
||||
{ self, ... }:
|
||||
{
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
];
|
||||
imports = [
|
||||
inputs.treefmt-nix.flakeModule
|
||||
./devShells/flake-module.nix
|
||||
./targets/flake-module.nix
|
||||
./modules/flake-module.nix
|
||||
./pkgs/flake-module.nix
|
||||
];
|
||||
perSystem = (
|
||||
{
|
||||
lib,
|
||||
self',
|
||||
system,
|
||||
...
|
||||
}:
|
||||
{
|
||||
treefmt = {
|
||||
projectRootFile = ".git/config";
|
||||
programs.hclfmt.enable = true;
|
||||
programs.nixfmt-rfc-style.enable = true;
|
||||
settings.formatter.nixfmt-rfc-style.excludes = [
|
||||
# generated files
|
||||
"node-env.nix"
|
||||
"node-packages.nix"
|
||||
"composition.nix"
|
||||
];
|
||||
};
|
||||
checks =
|
||||
let
|
||||
nixosMachines = lib.mapAttrs' (
|
||||
name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
|
||||
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
|
||||
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
|
||||
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
|
||||
homeConfigurations = lib.mapAttrs' (
|
||||
name: config: lib.nameValuePair "home-manager-${name}" config.activation-script
|
||||
) (self'.legacyPackages.homeConfigurations or { });
|
||||
in
|
||||
nixosMachines // packages // devShells // homeConfigurations;
|
||||
}
|
||||
);
|
||||
}
|
||||
);
|
||||
outputs = inputs@{ flake-parts, ... }:
|
||||
flake-parts.lib.mkFlake { inherit inputs; } ({ self, ... }: {
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
];
|
||||
imports = [
|
||||
inputs.treefmt-nix.flakeModule
|
||||
./devShells/flake-module.nix
|
||||
./targets/flake-module.nix
|
||||
./modules/flake-module.nix
|
||||
./pkgs/flake-module.nix
|
||||
];
|
||||
perSystem = ({ lib, self', system, ... }: {
|
||||
treefmt = {
|
||||
projectRootFile = ".git/config";
|
||||
programs.hclfmt.enable = true;
|
||||
programs.nixpkgs-fmt.enable = true;
|
||||
settings.formatter.nixpkgs-fmt.excludes = [
|
||||
# generated files
|
||||
"node-env.nix"
|
||||
"node-packages.nix"
|
||||
"composition.nix"
|
||||
];
|
||||
};
|
||||
checks =
|
||||
let
|
||||
nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
|
||||
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
|
||||
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
|
||||
homeConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (self'.legacyPackages.homeConfigurations or { });
|
||||
in
|
||||
nixosMachines // packages // devShells // homeConfigurations;
|
||||
});
|
||||
});
|
||||
}
|
||||
|
|
|
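Review bot: `clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse";` tracks a feature branch without any comment on why, so the next `nix flake update` follows whatever `synapse` points to at that moment; a one-line comment above it such as `# tracks the synapse branch until <reason or issue placeholder>` would make the intent reviewable. The flake.lock in this same compare ends up with two disko nodes (`disko` and `disko_2`, with root wired to `disko_2`), which suggests a `clan-core.inputs.disko.follows = "disko";` line is missing next to the other `clan-core.inputs.*.follows` entries — that is inferred from the lock file rather than from this hunk, so please verify. The enclosing top-level attribute set opens before this hunk.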
@ -1 +0,0 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS2PvT2e04pqbt1EFFN2y1za9nNmr8rcfnXq9kG5RS2 nixbld@turingmachine
|
|
@ -41,10 +41,7 @@ in
|
|||
extraGroups = [ "wheel" ];
|
||||
shell = "/run/current-system/sw/bin/zsh";
|
||||
uid = 1004;
|
||||
openssh.authorizedKeys.keys = [
|
||||
admins.kenji
|
||||
admins.kenji-remote
|
||||
];
|
||||
openssh.authorizedKeys.keys = [ admins.kenji admins.kenji-remote ];
|
||||
};
|
||||
johannes = {
|
||||
isNormalUser = true;
|
||||
|
|
|
@ -1,57 +0,0 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
services.buildbot-nix.master = {
|
||||
enable = true;
|
||||
# Domain name under which the buildbot frontend is reachable
|
||||
domain = "buildbot.clan.lol";
|
||||
# The workers file configures credentials for the buildbot workers to connect to the master.
|
||||
# "name" is the configured worker name in services.buildbot-nix.worker.name of a worker
|
||||
# (defaults to the hostname of the machine)
|
||||
# "pass" is the password for the worker configured in `services.buildbot-nix.worker.workerPasswordFile`
|
||||
# "cores" is the number of cpu cores the worker has.
|
||||
# The number must match as otherwise potentially not enought buildbot-workers are created.
|
||||
workersFile = config.sops.secrets.buildbot-workers-file.path;
|
||||
|
||||
authBackend = "gitea";
|
||||
|
||||
admins = [
|
||||
"Mic92"
|
||||
"Qubasa"
|
||||
"DavHau"
|
||||
"kenji"
|
||||
"hsjobeki"
|
||||
"lassulus"
|
||||
];
|
||||
|
||||
gitea = {
|
||||
enable = true;
|
||||
instanceUrl = "https://git.clan.lol";
|
||||
# Redirect URIs. Please use a new line for every URI: https://buildbot.clan.lol/auth/login
|
||||
oauthId = "adb3425c-490f-4558-9487-8f8940d2925b";
|
||||
oauthSecretFile = config.sops.secrets.buildbot-oauth-secret-file.path;
|
||||
webhookSecretFile = config.sops.secrets.buildbot-webhook-secret-file.path;
|
||||
tokenFile = config.sops.secrets.buildbot-token-file.path;
|
||||
topic = "buildbot-clan";
|
||||
};
|
||||
|
||||
# optional nix-eval-jobs settings
|
||||
evalWorkerCount = 10; # limit number of concurrent evaluations
|
||||
evalMaxMemorySize = "4096"; # limit memory usage per evaluation
|
||||
};
|
||||
|
||||
# Optional: Enable acme/TLS in nginx (recommended)
|
||||
services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
services.buildbot-nix.worker = {
|
||||
enable = true;
|
||||
workerPasswordFile = config.sops.secrets.buildbot-worker-password-file.path;
|
||||
};
|
||||
|
||||
sops.secrets.buildbot-oauth-secret-file = { };
|
||||
sops.secrets.buildbot-workers-file = { };
|
||||
sops.secrets.buildbot-worker-password-file = { };
|
||||
sops.secrets.buildbot-token-file = { };
|
||||
}
|
|
@ -1,5 +1,4 @@
|
|||
{ self, inputs, ... }:
|
||||
{
|
||||
{ self, inputs, ... }: {
|
||||
flake.nixosModules = {
|
||||
server.imports = [
|
||||
inputs.srvos.nixosModules.server
|
||||
|
@ -16,20 +15,11 @@
|
|||
./initrd-networking.nix
|
||||
];
|
||||
|
||||
buildbot.imports = [
|
||||
inputs.buildbot-nix.nixosModules.buildbot-master
|
||||
inputs.buildbot-nix.nixosModules.buildbot-worker
|
||||
./buildbot.nix
|
||||
];
|
||||
|
||||
web01.imports = [
|
||||
self.nixosModules.server
|
||||
self.nixosModules.buildbot
|
||||
inputs.srvos.nixosModules.mixins-nginx
|
||||
inputs.srvos.nixosModules.mixins-nix-experimental
|
||||
./web01
|
||||
inputs.nixos-mailserver.nixosModules.mailserver
|
||||
./mailserver.nix
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,22 +1,31 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
{ config
|
||||
, lib
|
||||
, ...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.clan.networking;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
clan.networking.ipv4.address = lib.mkOption { type = lib.types.str; };
|
||||
clan.networking.ipv4.address = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
clan.networking.ipv4.cidr = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
clan.networking.ipv4.cidr = mkOption {
|
||||
type = types.str;
|
||||
default = "26";
|
||||
};
|
||||
|
||||
clan.networking.ipv4.gateway = lib.mkOption { type = lib.types.str; };
|
||||
clan.networking.ipv4.gateway = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
clan.networking.ipv6.address = lib.mkOption { type = lib.types.str; };
|
||||
clan.networking.ipv6.address = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
clan.networking.ipv6.cidr = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
clan.networking.ipv6.cidr = mkOption {
|
||||
type = types.str;
|
||||
default = "64";
|
||||
};
|
||||
};
|
||||
|
|
|
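Review bot: `with lib; let` at the top of the module pulls every lib attribute into scope unqualified, so `mkOption` and `types.str` below can no longer be traced by eye and can be shadowed by later bindings; the explicit `lib.mkOption { type = lib.types.str; }` form keeps the references unambiguous, and if the `with` is kept a short comment on why would help. None of the five options carries a `description`, which is what `nixos-option` and generated docs show; something like `description = "IPv4 address of this machine, without prefix length";` on each (adjusted per option) would be worth adding. The module body continues past the end of the hunk.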
@ -1,54 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
mailPassword =
|
||||
{ service }:
|
||||
{
|
||||
secret."${service}-password" = { };
|
||||
secret."${service}-password-hash" = { };
|
||||
generator.path = with pkgs; [
|
||||
coreutils
|
||||
xkcdpass
|
||||
mkpasswd
|
||||
];
|
||||
generator.script = ''
|
||||
xkcdpass -n 4 -d - > $secrets/${service}-password
|
||||
cat $secrets/${service}-password | mkpasswd -s -m bcrypt > $secrets/${service}-password-hash
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.clan.lol";
|
||||
domains = [ "clan.lol" ];
|
||||
enablePop3 = true;
|
||||
certificateScheme = "acme-nginx";
|
||||
# kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
|
||||
localDnsResolver = false;
|
||||
|
||||
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
||||
config.clan.core.facts.services.golem-mail.secret.golem-password-hash.path;
|
||||
loginAccounts."gitea@clan.lol".hashedPasswordFile =
|
||||
config.clan.core.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
||||
};
|
||||
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
settings.server = {
|
||||
prefetch = "yes";
|
||||
prefetch-key = true;
|
||||
qname-minimisation = true;
|
||||
# Too many broken dnssec setups even at big companies such as amazon.
|
||||
# Breaks my email setup. Better rely on tls for security.
|
||||
val-permissive-mode = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
# use local unbound as dns resolver
|
||||
networking.nameservers = [ "127.0.0.1" ];
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
clan.core.facts.services.golem-mail = mailPassword { service = "golem"; };
|
||||
clan.core.facts.services.gitea-mail = mailPassword { service = "gitea"; };
|
||||
}
|
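--- /dev/null
+++ b/modules/single-disk.nix
@@ -0,0 +1,45 @@
+{ self, ... }:
+let
+partitions = {
+grub = {
+name = "grub";
+size = "1M";
+type = "ef02";
+};
+esp = {
+name = "ESP";
+type = "EF00";
+size = "500M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+name = "root";
+size = "100%";
+content = {
+type = "filesystem";
+# We use xfs because it has support for compression and has a quite good performance for databases
+format = "xfs";
+mountpoint = "/";
+};
+};
+};
+in
+{
+imports = [
+self.inputs.disko.nixosModules.disko
+];
+disko.devices = {
+disk.sda = {
+type = "disk";
+device = "/dev/sda";
+content = {
+type = "gpt";
+inherit partitions;
+};
+};
+};
+}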
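Review bot: `device = "/dev/sda";` hard-codes a kernel-enumerated name that can change between boots or when a disk is added, which is risky for a disko layout that repartitions the target; a `/dev/disk/by-id/<stable-id-placeholder>` path, or a module option for the device, would be safer. The comment `# We use xfs because it has support for compression ...` does not hold as far as I can tell — XFS has no transparent compression (btrfs and zfs do) — so either the rationale or the filesystem choice should be corrected. The partition type codes mix case (`ef02` vs `EF00`); harmless, but worth normalizing.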
@ -1,21 +1,26 @@
|
|||
{ config, self, ... }:
|
||||
{
|
||||
imports = [ self.inputs.clan-core.clanModules.borgbackup ];
|
||||
|
||||
{ config, ... }: {
|
||||
# 100GB storagebox is under the nix-community hetzner account
|
||||
clan.borgbackup.destinations.${config.networking.hostName} = {
|
||||
repo = "u366395@u366395.your-storagebox.de:/./borgbackup";
|
||||
rsh = "ssh -oPort=23 -i ${config.clan.core.facts.services.borgbackup.secret."borgbackup.ssh".path}";
|
||||
};
|
||||
|
||||
clan.core.state.system.folders = [
|
||||
"/home"
|
||||
"/etc"
|
||||
"/var"
|
||||
"/root"
|
||||
systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
|
||||
"/var/log/telegraf"
|
||||
];
|
||||
|
||||
services.borgbackup.jobs.${config.networking.hostName} = {
|
||||
# Run this from the hetzner network:
|
||||
# ssh-keyscan -p 23 u359378.your-storagebox.de
|
||||
programs.ssh.knownHosts = {
|
||||
storagebox-ecdsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
||||
storagebox-ecdsa.publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
|
||||
|
||||
storagebox-rsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
||||
storagebox-rsa.publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
|
||||
};
|
||||
|
||||
services.borgbackup.jobs.clan-lol = {
|
||||
paths = [
|
||||
"/home"
|
||||
"/var"
|
||||
"/root"
|
||||
];
|
||||
exclude = [
|
||||
"*.pyc"
|
||||
"/home/*/.direnv"
|
||||
|
@ -36,20 +41,32 @@
|
|||
"/var/tmp"
|
||||
"/var/log"
|
||||
];
|
||||
# $ ssh-keygen -y -f /run/secrets/hetzner-borgbackup-ssh > /tmp/hetzner-borgbackup-ssh.pub
|
||||
# $ cat /tmp/hetzner-borgbackup-ssh.pub | ssh -p23 u366395@u366395.your-storagebox.de install-ssh-key
|
||||
repo = "u366395@u366395.your-storagebox.de:/./borgbackup";
|
||||
|
||||
# Disaster recovery:
|
||||
# get the backup passphrase and ssh key from the sops and store them in /tmp
|
||||
# $ export BORG_PASSCOMMAND='cat /tmp/hetzner-borgbackup-passphrase'
|
||||
# $ export BORG_REPO='u359378@u359378.your-storagebox.de:/./borgbackup'
|
||||
# $ export BORG_RSH='ssh -oPort=23 -i /tmp/hetzner-borgbackup-ssh'
|
||||
# $ export BORG_RSH='ssh -oPort=23 -i /tmp/hetzner-borgbackup-ssh'
|
||||
# $ borg list
|
||||
# web01-clan-lol-2023-07-21T14:12:22 Fri, 2023-07-21 14:12:27 [539b1037669ffd0d3f50020f439bbe2881b7234910e405eafc333125383351bc]
|
||||
# $ borg mount u359378@u359378.your-storagebox.de:/./borgbackup::web01-clan-lol-2023-07-21T14:12:22 /tmp/backup
|
||||
doInit = true;
|
||||
encryption = {
|
||||
mode = "repokey-blake2";
|
||||
# $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
|
||||
passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
|
||||
};
|
||||
compression = "auto,zstd";
|
||||
startAt = "daily";
|
||||
|
||||
# Also enable ssh support in the storagebox web interface.
|
||||
# By default the storage box is only accessible from the hetzner network.
|
||||
# $ clan facts generate
|
||||
# $ clan facts list web01 | jq .borgbackup.ssh.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
|
||||
# $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
|
||||
# $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
|
||||
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
|
||||
preHook = ''
|
||||
set -x
|
||||
'';
|
||||
|
@ -59,19 +76,12 @@
|
|||
task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services."borgbackup-job-${config.networking.hostName}".serviceConfig.ReadWritePaths = [
|
||||
"/var/log/telegraf"
|
||||
];
|
||||
|
||||
# Run this from the hetzner network:
|
||||
# ssh-keyscan -p 23 u359378.your-storagebox.de
|
||||
programs.ssh.knownHosts = {
|
||||
storagebox-ecdsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
||||
storagebox-ecdsa.publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
|
||||
|
||||
storagebox-rsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
|
||||
storagebox-rsa.publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
|
||||
prune.keep = {
|
||||
within = "1d"; # Keep all archives from the last day
|
||||
daily = 7;
|
||||
weekly = 4;
|
||||
monthly = 0;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
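Review bot: The host-key pins and the repository host disagree: the job sets `repo = "u366395@u366395.your-storagebox.de:/./borgbackup";` while both `programs.ssh.knownHosts` entries are for `[u359378.your-storagebox.de]:23`, and the comments are split the same way (`install-ssh-key` is run against u366395 in one comment and u359378 in another, and the recovery `BORG_REPO` uses u359378). knownHosts entries are matched by host name, so a connection to u366395 finds no pinned key even if the two boxes present the same one; the `hostNames` should name `[u366395.your-storagebox.de]:23` with the key captured via the `ssh-keyscan` step already described, and the comments updated to one account. `preHook = '' set -x '';` echoes every hook command into the journal; fine while debugging, but consider removing it once the job is stable so the logs stay minimal.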
@ -1,18 +1,10 @@
|
|||
{
|
||||
config,
|
||||
self,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
{ config, self, pkgs, ... }: {
|
||||
# service to for automatic merge bot
|
||||
systemd.services.clan-merge = {
|
||||
description = "Merge clan.lol PRs automatically";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
environment = {
|
||||
GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
|
||||
};
|
||||
environment = { GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE"; };
|
||||
serviceConfig = {
|
||||
LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ];
|
||||
Restart = "on-failure";
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{ self, ... }:
|
||||
{
|
||||
{ self, ... }: {
|
||||
imports = [
|
||||
./borgbackup.nix
|
||||
./clan-merge.nix
|
||||
|
@ -9,7 +8,7 @@
|
|||
./homepage.nix
|
||||
./postfix.nix
|
||||
./jobs.nix
|
||||
./matrix-synapse.nix
|
||||
#./matrix-synapse.nix
|
||||
../dev.nix
|
||||
self.inputs.clan-core.clanModules.zt-tcp-relay
|
||||
];
|
||||
|
|
|
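Review bot: `#./matrix-synapse.nix` leaves a commented-out import with no explanation of why the service is disabled or when it is meant to return; a short `# disabled: <reason placeholder>` note on that line, or removing it outright since git history keeps it, would make the intent clear to the next reader. The imports list continues outside the hunk.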
@ -1,26 +1,8 @@
|
|||
{
|
||||
config,
|
||||
self,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{ config, self, pkgs, lib, ... }:
|
||||
let
|
||||
storeDeps = pkgs.runCommand "store-deps" { } ''
|
||||
mkdir -p $out/bin
|
||||
for dir in ${
|
||||
toString [
|
||||
pkgs.coreutils
|
||||
pkgs.findutils
|
||||
pkgs.gnugrep
|
||||
pkgs.gawk
|
||||
pkgs.git
|
||||
pkgs.nix
|
||||
pkgs.bash
|
||||
pkgs.jq
|
||||
pkgs.nodejs
|
||||
]
|
||||
}; do
|
||||
for dir in ${toString [ pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do
|
||||
for bin in "$dir"/bin/*; do
|
||||
ln -s "$bin" "$out/bin/$(basename "$bin")"
|
||||
done
|
||||
|
@ -32,95 +14,87 @@ let
|
|||
'';
|
||||
numInstances = 2;
|
||||
in
|
||||
lib.mkMerge [
|
||||
lib.mkMerge [{
|
||||
# everything here has no dependencies on the store
|
||||
systemd.services.gitea-runner-nix-image = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "podman.service" ];
|
||||
requires = [ "podman.service" ];
|
||||
path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
|
||||
# we also include etc here because the cleanup job also wants the nixuser to be present
|
||||
script = ''
|
||||
set -eux -o pipefail
|
||||
mkdir -p etc/nix
|
||||
|
||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||
touch etc/passwd etc/group
|
||||
groupid=$(cut -d: -f3 < <(getent group nixuser))
|
||||
userid=$(cut -d: -f3 < <(getent passwd nixuser))
|
||||
groupadd --prefix $(pwd) --gid "$groupid" nixuser
|
||||
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
|
||||
|
||||
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||
accept-flake-config = true
|
||||
experimental-features = nix-command flakes
|
||||
NIX_CONFIG
|
||||
|
||||
cat <<NSSWITCH > etc/nsswitch.conf
|
||||
passwd: files mymachines systemd
|
||||
group: files mymachines systemd
|
||||
shadow: files
|
||||
|
||||
hosts: files mymachines dns myhostname
|
||||
networks: files
|
||||
|
||||
ethers: files
|
||||
services: files
|
||||
protocols: files
|
||||
rpc: files
|
||||
NSSWITCH
|
||||
|
||||
# list the content as it will be imported into the container
|
||||
tar -cv . | tar -tvf -
|
||||
tar -cv . | podman import - gitea-runner-nix
|
||||
'';
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "gitea-runner-nix-image";
|
||||
WorkingDirectory = "/run/gitea-runner-nix-image";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nixuser = {
|
||||
group = "nixuser";
|
||||
description = "Used for running nix ci jobs";
|
||||
home = "/var/empty";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nixuser = { };
|
||||
}
|
||||
{
|
||||
# everything here has no dependencies on the store
|
||||
systemd.services.gitea-runner-nix-image = {
|
||||
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances) (name: {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "podman.service" ];
|
||||
requires = [ "podman.service" ];
|
||||
path = [
|
||||
config.virtualisation.podman.package
|
||||
pkgs.gnutar
|
||||
pkgs.shadow
|
||||
pkgs.getent
|
||||
];
|
||||
# we also include etc here because the cleanup job also wants the nixuser to be present
|
||||
after = [ "gitea.service" ];
|
||||
environment = {
|
||||
GITEA_CUSTOM = "/var/lib/gitea/custom";
|
||||
GITEA_WORK_DIR = "/var/lib/gitea";
|
||||
};
|
||||
script = ''
|
||||
set -eux -o pipefail
|
||||
mkdir -p etc/nix
|
||||
|
||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||
touch etc/passwd etc/group
|
||||
groupid=$(cut -d: -f3 < <(getent group nixuser))
|
||||
userid=$(cut -d: -f3 < <(getent passwd nixuser))
|
||||
groupadd --prefix $(pwd) --gid "$groupid" nixuser
|
||||
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
|
||||
|
||||
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||
accept-flake-config = true
|
||||
experimental-features = nix-command flakes
|
||||
NIX_CONFIG
|
||||
|
||||
cat <<NSSWITCH > etc/nsswitch.conf
|
||||
passwd: files mymachines systemd
|
||||
group: files mymachines systemd
|
||||
shadow: files
|
||||
|
||||
hosts: files mymachines dns myhostname
|
||||
networks: files
|
||||
|
||||
ethers: files
|
||||
services: files
|
||||
protocols: files
|
||||
rpc: files
|
||||
NSSWITCH
|
||||
|
||||
# list the content as it will be imported into the container
|
||||
tar -cv . | tar -tvf -
|
||||
tar -cv . | podman import - gitea-runner-nix
|
||||
set -euo pipefail
|
||||
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
||||
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
|
||||
'';
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "gitea-runner-nix-image";
|
||||
WorkingDirectory = "/run/gitea-runner-nix-image";
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
StateDirectory = "gitea-registration";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nixuser = {
|
||||
group = "nixuser";
|
||||
description = "Used for running nix ci jobs";
|
||||
home = "/var/empty";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nixuser = { };
|
||||
}
|
||||
{
|
||||
systemd.services =
|
||||
lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances)
|
||||
(name: {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "gitea.service" ];
|
||||
environment = {
|
||||
GITEA_CUSTOM = "/var/lib/gitea/custom";
|
||||
GITEA_WORK_DIR = "/var/lib/gitea";
|
||||
};
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
||||
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
|
||||
'';
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
||||
serviceConfig = {
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
StateDirectory = "gitea-registration";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
});
|
||||
});
|
||||
|
||||
# Format of the token file:
|
||||
virtualisation = {
|
||||
|
@ -137,119 +111,106 @@ lib.mkMerge [
|
|||
|
||||
virtualisation.containers.containersConf.settings = {
|
||||
# podman seems to not work with systemd-resolved
|
||||
containers.dns_servers = [
|
||||
"8.8.8.8"
|
||||
"8.8.4.4"
|
||||
];
|
||||
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
|
||||
};
|
||||
}
|
||||
{
|
||||
systemd.services =
|
||||
lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances)
|
||||
(name: {
|
||||
after = [
|
||||
"${name}-token.service"
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
requires = [
|
||||
"${name}-token.service"
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: {
|
||||
after = [
|
||||
"${name}-token.service"
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
requires = [
|
||||
"${name}-token.service"
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
|
||||
# TODO: systemd confinment
|
||||
serviceConfig = {
|
||||
# Hardening (may overlap with DynamicUser=)
|
||||
# The following options are only for optimizing output of systemd-analyze
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||
DeviceAllow = "";
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0066";
|
||||
ProtectProc = "invisible";
|
||||
SystemCallFilter = [
|
||||
"~@clock"
|
||||
"~@cpu-emulation"
|
||||
"~@module"
|
||||
"~@mount"
|
||||
"~@obsolete"
|
||||
"~@raw-io"
|
||||
"~@reboot"
|
||||
"~@swap"
|
||||
# needed by go?
|
||||
#"~@resources"
|
||||
"~@privileged"
|
||||
"~capset"
|
||||
"~setdomainname"
|
||||
"~sethostname"
|
||||
];
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
"AF_NETLINK"
|
||||
];
|
||||
# TODO: systemd confinment
|
||||
serviceConfig = {
|
||||
# Hardening (may overlap with DynamicUser=)
|
||||
# The following options are only for optimizing output of systemd-analyze
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||
DeviceAllow = "";
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0066";
|
||||
ProtectProc = "invisible";
|
||||
SystemCallFilter = [
|
||||
"~@clock"
|
||||
"~@cpu-emulation"
|
||||
"~@module"
|
||||
"~@mount"
|
||||
"~@obsolete"
|
||||
"~@raw-io"
|
||||
"~@reboot"
|
||||
"~@swap"
|
||||
# needed by go?
|
||||
#"~@resources"
|
||||
"~@privileged"
|
||||
"~capset"
|
||||
"~setdomainname"
|
||||
"~sethostname"
|
||||
];
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
|
||||
|
||||
# Needs network access
|
||||
PrivateNetwork = false;
|
||||
# Cannot be true due to Node
|
||||
MemoryDenyWriteExecute = false;
|
||||
# Needs network access
|
||||
PrivateNetwork = false;
|
||||
# Cannot be true due to Node
|
||||
MemoryDenyWriteExecute = false;
|
||||
|
||||
# The more restrictive "pid" option makes `nix` commands in CI emit
|
||||
# "GC Warning: Couldn't read /proc/stat"
|
||||
# You may want to set this to "pid" if not using `nix` commands
|
||||
ProcSubset = "all";
|
||||
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
|
||||
# ASLR (address space layout randomization) which requires the
|
||||
# `personality` syscall
|
||||
# You may want to set this to `true` if not using coverage tooling on
|
||||
# compiled code
|
||||
LockPersonality = false;
|
||||
# The more restrictive "pid" option makes `nix` commands in CI emit
|
||||
# "GC Warning: Couldn't read /proc/stat"
|
||||
# You may want to set this to "pid" if not using `nix` commands
|
||||
ProcSubset = "all";
|
||||
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
|
||||
# ASLR (address space layout randomization) which requires the
|
||||
# `personality` syscall
|
||||
# You may want to set this to `true` if not using coverage tooling on
|
||||
# compiled code
|
||||
LockPersonality = false;
|
||||
|
||||
# Note that this has some interactions with the User setting; so you may
|
||||
# want to consult the systemd docs if using both.
|
||||
DynamicUser = true;
|
||||
};
|
||||
});
|
||||
# Note that this has some interactions with the User setting; so you may
|
||||
# want to consult the systemd docs if using both.
|
||||
DynamicUser = true;
|
||||
};
|
||||
});
|
||||
|
||||
services.gitea-actions-runner.instances =
|
||||
lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
|
||||
(name: {
|
||||
enable = true;
|
||||
name = "nix-runner";
|
||||
# take the git root url from the gitea config
|
||||
# only possible if you've also configured your gitea though the same nix config
|
||||
# otherwise you need to set it manually
|
||||
url = config.services.gitea.settings.server.ROOT_URL;
|
||||
# use your favourite nix secret manager to get a path for this
|
||||
tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token";
|
||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
||||
settings = {
|
||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
||||
# the default network that also respects our dns server settings
|
||||
container.network = "host";
|
||||
container.valid_volumes = [
|
||||
"/nix"
|
||||
"${storeDeps}/bin"
|
||||
"${storeDeps}/etc/ssl"
|
||||
];
|
||||
};
|
||||
});
|
||||
}
|
||||
]
|
||||
services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: {
|
||||
enable = true;
|
||||
name = "nix-runner";
|
||||
# take the git root url from the gitea config
|
||||
# only possible if you've also configured your gitea though the same nix config
|
||||
# otherwise you need to set it manually
|
||||
url = config.services.gitea.settings.server.ROOT_URL;
|
||||
# use your favourite nix secret manager to get a path for this
|
||||
tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token";
|
||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
||||
settings = {
|
||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
||||
# the default network that also respects our dns server settings
|
||||
container.network = "host";
|
||||
container.valid_volumes = [
|
||||
"/nix"
|
||||
"${storeDeps}/bin"
|
||||
"${storeDeps}/etc/ssl"
|
||||
];
|
||||
};
|
||||
});
|
||||
}]
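Review bot: In the token-generating units, `echo "TOKEN=$token" > /var/lib/gitea-registration/${name}` creates the registration token file with the unit's default umask, so it comes out world-readable inside a `StateDirectory` that is world-listable by default; adding `UMask = "0077";` to that unit's `serviceConfig` (next to `StateDirectory = "gitea-registration";`) keeps it private to the `gitea` user. Whether the runner instances can still read it then depends on how `services.gitea-actions-runner` consumes `tokenFile` — if the file is loaded as a systemd credential it is read as root and a 0600 mode works, but confirm against the module before tightening. Separately, the `container.options` string in the runner instances passes `--device /dev/kvm` and then `--device=/dev/kvm` again; one of the two can be dropped. The `lib.mkMerge [` list that wraps all of this opens in an earlier hunk of the same file.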
|
||||
|
|
|
@ -1,29 +1,18 @@
|
|||
{
|
||||
pkgs,
|
||||
lib,
|
||||
self,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
{ config, pkgs, lib, publog, self, ... }:
|
||||
|
||||
let
|
||||
# make the logs for this host "public" so that they show up in e.g. metrics
|
||||
publog =
|
||||
vhost:
|
||||
lib.attrsets.unionOfDisjoint vhost {
|
||||
extraConfig =
|
||||
(vhost.extraConfig or "")
|
||||
+ ''
|
||||
access_log /var/log/nginx/public.log vcombined;
|
||||
'';
|
||||
};
|
||||
publog = vhost: lib.attrsets.unionOfDisjoint vhost {
|
||||
extraConfig = (vhost.extraConfig or "") + ''
|
||||
access_log /var/log/nginx/public.log vcombined;
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
imports = [
|
||||
./postgresql.nix
|
||||
./actions-runner.nix
|
||||
./installer.nix
|
||||
];
|
||||
|
||||
services.gitea = {
|
||||
|
@ -37,17 +26,11 @@ in
|
|||
package = self.packages.${pkgs.hostPlatform.system}.gitea;
|
||||
|
||||
settings.actions.ENABLED = true;
|
||||
|
||||
mailerPasswordFile = config.clan.core.facts.services.gitea-mail.secret.gitea-password.path;
|
||||
|
||||
settings.mailer = {
|
||||
ENABLED = true;
|
||||
FROM = "gitea@clan.lol";
|
||||
USER = "gitea@clan.lol";
|
||||
SMTP_ADDR = "mail.clan.lol";
|
||||
SMTP_PORT = "587";
|
||||
HOST = "localhost:25";
|
||||
};
|
||||
|
||||
settings.log.LEVEL = "Error";
|
||||
settings.service.DISABLE_REGISTRATION = false;
|
||||
settings.metrics.ENABLED = true;
|
||||
|
@ -59,17 +42,16 @@ in
|
|||
DOMAIN = "git.clan.lol";
|
||||
LANDING_PAGE = "explore";
|
||||
};
|
||||
settings.session.PROVIDER = "db";
|
||||
settings.session.COOKIE_SECURE = true;
|
||||
};
|
||||
|
||||
sops.secrets.web01-gitea-password.owner = config.systemd.services.gitea.serviceConfig.User;
|
||||
|
||||
services.nginx.virtualHosts."git.clan.lol" = publog {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
# The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance.
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://localhost:3002;
|
||||
add_header Content-Security-Policy "frame-ancestors 'self' https://pad.lassul.us";
|
||||
'';
|
||||
};
|
||||
}
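Review bot: `{ config, pkgs, lib, publog, self, ... }:` declares `publog` as a module argument, but the `let` block immediately below rebinds `publog = vhost: ...`, so the argument is shadowed and never read; evaluation still succeeds because the unused argument is never forced, but the header now claims a dependency the module does not have. Dropping it, `{ config, pkgs, lib, self, ... }:`, matches the argument set the other side of the comparison uses and leaves the `let`-bound helper that `services.nginx.virtualHosts."git.clan.lol" = publog {` relies on. The rendered page does not show which side carries the five-argument header, so this applies to whichever side keeps it.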
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
{
|
||||
# http forward from https://clan.lol/sh to https://git.clan.lol/clan/clan-core/raw/branch/main/pkgs/gui-installer/gui-installer.sh
|
||||
services.nginx.virtualHosts."clan.lol" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/install.sh".extraConfig = ''
|
||||
proxy_pass http://localhost:3002/clan/clan-core/raw/branch/main/pkgs/gui-installer/gui-installer.sh;
|
||||
'';
|
||||
locations."/install-dev.sh".extraConfig = ''
|
||||
proxy_pass http://localhost:3002/clan/clan-core/raw/branch/install-dev/pkgs/gui-installer/gui-installer.sh;
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,5 +1,4 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
{ pkgs, ... }: {
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.package = pkgs.postgresql_14;
|
||||
services.postgresql.settings = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, ... }:
|
||||
{ stdenv, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
domain = "metrics.clan.lol";
|
||||
|
@ -38,13 +38,14 @@ in
|
|||
"d ${pub_goaccess} 0755 goaccess nginx -"
|
||||
];
|
||||
|
||||
|
||||
# --browsers-file=/etc/goaccess/browsers.list
|
||||
# https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list
|
||||
systemd.services.goaccess = {
|
||||
description = "GoAccess server monitoring";
|
||||
preStart = ''
|
||||
rm -f ${pub_goaccess}/index.html
|
||||
'';
|
||||
rm -f ${pub_goaccess}/index.html
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "goaccess";
|
||||
Group = "nginx";
|
||||
|
@ -82,11 +83,7 @@ in
|
|||
ProtectSystem = "strict";
|
||||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
|
||||
ReadOnlyPaths = "/";
|
||||
ReadWritePaths = [
|
||||
"/proc/self"
|
||||
"${pub_goaccess}"
|
||||
"${priv_goaccess}"
|
||||
];
|
||||
ReadWritePaths = [ "/proc/self" "${pub_goaccess}" "${priv_goaccess}" ];
|
||||
PrivateDevices = "yes";
|
||||
ProtectKernelModules = "yes";
|
||||
ProtectKernelTunables = "yes";
|
||||
|
@ -95,6 +92,7 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
|
|
|
@ -1,18 +1,17 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
{ config, pkgs, ... }: {
|
||||
services.harmonia.enable = true;
|
||||
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
|
||||
services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path;
|
||||
|
||||
services.nginx = {
|
||||
package = pkgs.nginxStable.override { modules = [ pkgs.nginxModules.zstd ]; };
|
||||
package = pkgs.nginxStable.override {
|
||||
modules = [ pkgs.nginxModules.zstd ];
|
||||
};
|
||||
};
|
||||
|
||||
# trust our own cache
|
||||
nix.settings.trusted-substituters = [ "https://cache.clan.lol" ];
|
||||
nix.settings.trusted-public-keys = [
|
||||
"cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28="
|
||||
];
|
||||
nix.settings.trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
||||
|
||||
services.nginx.virtualHosts."cache.clan.lol" = {
|
||||
forceSSL = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, ... }:
|
||||
{ config, lib, pkgs, self, ... }:
|
||||
|
||||
{
|
||||
security.acme.defaults.email = "admins@clan.lol";
|
||||
|
@ -6,11 +6,12 @@
|
|||
|
||||
# www user to push website artifacts via ssh
|
||||
users.users.www = {
|
||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
||||
# ssh-homepage-key
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci"
|
||||
];
|
||||
openssh.authorizedKeys.keys =
|
||||
config.users.users.root.openssh.authorizedKeys.keys
|
||||
++ [
|
||||
# ssh-homepage-key
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
|
||||
];
|
||||
isSystemUser = true;
|
||||
shell = "/run/current-system/sw/bin/bash";
|
||||
group = "www";
|
||||
|
@ -18,7 +19,9 @@
|
|||
users.groups.www = { };
|
||||
|
||||
# ensure /var/www can be accessed by nginx and www user
|
||||
systemd.tmpfiles.rules = [ "d /var/www 0755 www nginx" ];
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/www 0755 www nginx"
|
||||
];
|
||||
|
||||
services.nginx = {
|
||||
|
||||
|
@ -32,45 +35,13 @@
|
|||
source_charset utf-8;
|
||||
'';
|
||||
|
||||
# Make sure to expire the cache after 1 hour
|
||||
locations."/".extraConfig = ''
|
||||
set $cors "false";
|
||||
|
||||
# Allow cross-origin requests from docs.clan.lol
|
||||
if ($http_origin = "https://docs.clan.lol") {
|
||||
set $cors "true";
|
||||
}
|
||||
|
||||
# Allow cross-origin requests from localhost IPs with port 8000
|
||||
if ($http_origin = "http://localhost:8000") {
|
||||
set $cors "true";
|
||||
}
|
||||
|
||||
if ($http_origin = "http://127.0.0.1:8000") {
|
||||
set $cors "true";
|
||||
}
|
||||
|
||||
if ($http_origin = "http://[::1]:8000") {
|
||||
set $cors "true";
|
||||
}
|
||||
|
||||
if ($cors = "true") {
|
||||
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
|
||||
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
|
||||
}
|
||||
|
||||
if ($cors = "true") {
|
||||
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
|
||||
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
|
||||
}
|
||||
add_header Cache-Control "public, max-age=3600";
|
||||
'';
|
||||
locations."^~ /docs".extraConfig = ''
|
||||
rewrite ^/docs(.*)$ https://docs.clan.lol permanent;
|
||||
'';
|
||||
locations."^~ /blog".extraConfig = ''
|
||||
rewrite ^/blog(.*)$ https://docs.clan.lol/blog permanent;
|
||||
'';
|
||||
locations."/thaigersprint".return = "307 https://pad.lassul.us/s/clan-thaigersprint";
|
||||
};
|
||||
|
||||
|
@ -84,9 +55,9 @@
|
|||
source_charset utf-8;
|
||||
'';
|
||||
|
||||
# Make sure to expire the cache after 12 hour
|
||||
# Make sure to expire the cache after 1 hour
|
||||
locations."/".extraConfig = ''
|
||||
add_header Cache-Control "public, max-age=43200";
|
||||
add_header Cache-Control "public, max-age=3600";
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -1,10 +1,4 @@
|
|||
{
|
||||
config,
|
||||
self,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{ config, self, pkgs, lib, ... }:
|
||||
let
|
||||
configForJob = name: {
|
||||
systemd.timers.${name} = {
|
||||
|
@ -52,11 +46,9 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
config = lib.mkMerge (
|
||||
map configForJob [
|
||||
"job-flake-update-clan-core"
|
||||
"job-flake-update-clan-homepage"
|
||||
"job-flake-update-clan-infra"
|
||||
]
|
||||
);
|
||||
config = lib.mkMerge (map configForJob [
|
||||
"job-flake-update-clan-core"
|
||||
"job-flake-update-clan-homepage"
|
||||
"job-flake-update-clan-infra"
|
||||
]);
|
||||
}
|
||||
|
|
|
@ -1,11 +1,6 @@
|
|||
{ self, ... }:
|
||||
{
|
||||
imports = [ self.inputs.clan-core.clanModules.matrix-synapse ];
|
||||
clan.matrix-synapse.enable = true;
|
||||
clan.matrix-synapse.domain = "clan.lol";
|
||||
|
||||
clan.matrix-synapse.users.admin = {
|
||||
admin = true;
|
||||
};
|
||||
clan.matrix-synapse.users.monitoring = { };
|
||||
clan.matrix-synapse.users.clan-bot = { };
|
||||
}
|
||||
|
|
|
@ -1,41 +1,40 @@
|
|||
{ }
|
||||
{ config, ... }:
|
||||
|
||||
#{ config, ... }:
|
||||
#let
|
||||
# domain = "clan.lol";
|
||||
#in
|
||||
#{
|
||||
# services.opendkim.enable = true;
|
||||
# services.opendkim.domains = domain;
|
||||
# services.opendkim.selector = "v1";
|
||||
# services.opendkim.user = config.services.postfix.user;
|
||||
# services.opendkim.group = config.services.postfix.group;
|
||||
#
|
||||
# # postfix configuration for sending emails only
|
||||
# services.postfix = {
|
||||
# enable = true;
|
||||
# hostname = "mail.${domain}";
|
||||
# inherit domain;
|
||||
#
|
||||
# config = {
|
||||
# smtp_tls_note_starttls_offer = "yes";
|
||||
#
|
||||
# smtp_dns_support_level = "dnssec";
|
||||
# smtp_tls_security_level = "dane";
|
||||
#
|
||||
# tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
||||
#
|
||||
# smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
||||
# mydestination = "localhost.$mydomain, localhost, $myhostname";
|
||||
# myorigin = "$mydomain";
|
||||
#
|
||||
# milter_default_action = "accept";
|
||||
# milter_protocol = "6";
|
||||
# smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
# non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
#
|
||||
# inet_interfaces = "loopback-only";
|
||||
# inet_protocols = "all";
|
||||
# };
|
||||
# };
|
||||
#}
|
||||
let
|
||||
domain = "clan.lol";
|
||||
in
|
||||
{
|
||||
services.opendkim.enable = true;
|
||||
services.opendkim.domains = domain;
|
||||
services.opendkim.selector = "v1";
|
||||
services.opendkim.user = config.services.postfix.user;
|
||||
services.opendkim.group = config.services.postfix.group;
|
||||
|
||||
# postfix configuration for sending emails only
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
hostname = "mail.${domain}";
|
||||
inherit domain;
|
||||
|
||||
config = {
|
||||
smtp_tls_note_starttls_offer = "yes";
|
||||
|
||||
smtp_dns_support_level = "dnssec";
|
||||
smtp_tls_security_level = "dane";
|
||||
|
||||
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
||||
|
||||
smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
||||
mydestination = "localhost.$mydomain, localhost, $myhostname";
|
||||
myorigin = "$mydomain";
|
||||
|
||||
milter_default_action = "accept";
|
||||
milter_protocol = "6";
|
||||
smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
|
||||
inet_interfaces = "loopback-only";
|
||||
inet_protocols = "all";
|
||||
};
|
||||
};
|
||||
}
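Review bot: `tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";` narrows the cipher grade that governs opportunistic outbound TLS: `smtp_tls_security_level = "dane";` falls back to opportunistic (`may`) delivery for destinations without TLSA records, and a peer that offers none of the listed suites fails the handshake, after which Postfix may retry in cleartext, so the restriction can lower the share of encrypted deliveries rather than raise it. Postfix's own guidance is to leave the cipher grade alone for opportunistic TLS and constrain ciphers only where TLS is mandatory; if the narrow list is deliberate, a comment saying why (and noting that AES-256 and ChaCha20 suites are excluded) would help the next reader. The full module is active only on one side of the comparison; the other side has it commented out and evaluates to `{ }`.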
|
||||
|
|
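--- /dev/null
+++ b/modules/xfs-lvm-crypto-raid.nix
@@ -0,0 +1,83 @@
+{ self, lib, ... }:
+
+let
+disk = index: {
+type = "disk";
+device = "/dev/nvme${toString index}n1";
+content = {
+type = "gpt";
+partitions =
+# systemd only wants to have one /boot partition
+# should we rsync?
+(lib.optionalAttrs (index == 0) {
+boot = {
+type = "EF00";
+size = "1G";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+}) // {
+root = {
+size = "100%";
+content = {
+type = "luks";
+name = "crypted${toString index}";
+keyFile = "/tmp/secret.key";
+content = {
+type = "lvm_pv";
+vg = "pool";
+};
+};
+};
+};
+};
+};
+in
+{
+imports = [
+self.inputs.disko.nixosModules.disko
+];
+
+boot.initrd.kernelModules = [
+"xhci_pci"
+"ahci"
+"sd_mod"
+"nvme"
+"dm-raid"
+"dm-integrity"
+];
+
+disko.devices = {
+disk = {
+nvme0n1 = disk 0;
+nvme1n1 = disk 1;
+};
+
+lvm_vg = {
+pool = {
+type = "lvm_vg";
+lvs = {
+root = {
+size = "95%FREE";
+lvm_type = "raid1";
+extraArgs = [
+"--raidintegrity"
+"y"
+];
+content = {
+type = "filesystem";
+format = "xfs";
+mountpoint = "/";
+mountOptions = [
+"defaults"
+];
+};
+};
+};
+};
+};
+};
+}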
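Review bot: `keyFile = "/tmp/secret.key";` points both LUKS containers at a key in a world-writable temporary directory without saying who creates it, with what mode, or when it is removed; disko reads it when formatting, and depending on the disko version the same path may also end up referenced for unlocking, which would make the installed system depend on a file under `/tmp`. A comment on that line should fix the contract, e.g. `# install-time LUKS key: provision with mode 0600 right before running disko and delete it afterwards; confirm that disko does not also write this path into the generated crypttab`. The `boot` partition comment already flags the single-ESP limitation, so only the key-file handling is undocumented.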
@ -1,3 +1,4 @@
|
|||
{ self, ... }:
|
||||
let
|
||||
mirrorBoot = idx: {
|
||||
type = "disk";
|
||||
|
@ -26,6 +27,10 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
self.inputs.disko.nixosModules.disko
|
||||
];
|
||||
|
||||
networking.hostId = "8425e349";
|
||||
|
||||
boot.initrd.postDeviceCommands = ''
|
||||
|
@ -40,14 +45,8 @@ in
|
|||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
mirroredBoots = [
|
||||
{
|
||||
path = "/boot0";
|
||||
devices = [ "nodev" ];
|
||||
}
|
||||
{
|
||||
path = "/boot1";
|
||||
devices = [ "nodev" ];
|
||||
}
|
||||
{ path = "/boot0"; devices = [ "nodev" ]; }
|
||||
{ path = "/boot1"; devices = [ "nodev" ]; }
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
@ -1,19 +1,10 @@
|
|||
{
|
||||
bash,
|
||||
coreutils,
|
||||
git,
|
||||
tea,
|
||||
openssh,
|
||||
writePureShellScriptBin,
|
||||
{ bash
|
||||
, coreutils
|
||||
, git
|
||||
, tea
|
||||
, openssh
|
||||
, writePureShellScriptBin
|
||||
}:
|
||||
writePureShellScriptBin "action-create-pr"
|
||||
[
|
||||
bash
|
||||
coreutils
|
||||
git
|
||||
tea
|
||||
openssh
|
||||
]
|
||||
''
|
||||
bash ${./script.sh} "$@"
|
||||
''
|
||||
writePureShellScriptBin "action-create-pr" [ bash coreutils git tea openssh ] ''
|
||||
bash ${./script.sh} "$@"
|
||||
''
|
||||
|
|
|
@ -1,15 +1,8 @@
|
|||
{
|
||||
bash,
|
||||
coreutils,
|
||||
tea,
|
||||
writePureShellScriptBin,
|
||||
{ bash
|
||||
, coreutils
|
||||
, tea
|
||||
, writePureShellScriptBin
|
||||
}:
|
||||
writePureShellScriptBin "action-ensure-tea-login"
|
||||
[
|
||||
bash
|
||||
coreutils
|
||||
tea
|
||||
]
|
||||
''
|
||||
bash ${./script.sh}
|
||||
''
|
||||
writePureShellScriptBin "action-ensure-tea-login" [ bash coreutils tea ] ''
|
||||
bash ${./script.sh}
|
||||
''
|
||||
|
|
|
@ -8,5 +8,5 @@ fi
|
|||
GITEA_TOKEN="${GITEA_TOKEN:-"$(cat "$GITEA_TOKEN_FILE")"}"
|
||||
|
||||
tea login add \
|
||||
--token "$GITEA_TOKEN" \
|
||||
--url "$GITEA_URL"
|
||||
--token $GITEA_TOKEN \
|
||||
--url $GITEA_URL
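Review bot: `--token $GITEA_TOKEN \` and `--url $GITEA_URL` expand the variables unquoted, so a token or URL containing whitespace or glob characters is split or expanded before `tea` sees it; the quoted form on the other side of the comparison, `--token "$GITEA_TOKEN" \` / `--url "$GITEA_URL"`, is the one to keep. The rendered page does not show which side is which, but by print order the unquoted pair looks like the new side. Independently of quoting, passing the token as a command-line argument makes it visible to other local users through the process list for the duration of the call; if `tea login add` accepts the token from an environment variable or stdin, that route avoids the exposure — confirm against the tea version in use.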
|
||||
|
|
|
@ -1,23 +1,20 @@
|
|||
{
|
||||
bash,
|
||||
coreutils,
|
||||
git,
|
||||
openssh,
|
||||
action-ensure-tea-login,
|
||||
action-create-pr,
|
||||
action-flake-update,
|
||||
writePureShellScriptBin,
|
||||
{ bash
|
||||
, coreutils
|
||||
, git
|
||||
, openssh
|
||||
, action-ensure-tea-login
|
||||
, action-create-pr
|
||||
, action-flake-update
|
||||
, writePureShellScriptBin
|
||||
}:
|
||||
writePureShellScriptBin "action-flake-update-pr-clan"
|
||||
[
|
||||
bash
|
||||
coreutils
|
||||
git
|
||||
openssh
|
||||
action-ensure-tea-login
|
||||
action-create-pr
|
||||
action-flake-update
|
||||
]
|
||||
''
|
||||
bash ${./script.sh}
|
||||
''
|
||||
writePureShellScriptBin "action-flake-update-pr-clan" [
|
||||
bash
|
||||
coreutils
|
||||
git
|
||||
openssh
|
||||
action-ensure-tea-login
|
||||
action-create-pr
|
||||
action-flake-update
|
||||
] ''
|
||||
bash ${./script.sh}
|
||||
''
|
||||
|
|
|
@ -5,10 +5,8 @@ set -euo pipefail
|
|||
export KEEP_VARS="GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GITEA_URL GITEA_USER PR_TITLE REMOTE_BRANCH REPO_DIR${KEEP_VARS:+ $KEEP_VARS}"
|
||||
|
||||
# configure variables for actions
|
||||
PR_TITLE="Automatic flake update - $(date --iso-8601=minutes)"
|
||||
export PR_TITLE
|
||||
REMOTE_BRANCH="flake-update-$(date --iso-8601)"
|
||||
export REMOTE_BRANCH
|
||||
export PR_TITLE="Automatic flake update - $(date --iso-8601=minutes)"
|
||||
export REMOTE_BRANCH="flake-update-$(date --iso-8601)"
|
||||
export REPO_DIR=$TMPDIR/repo
|
||||
export GIT_AUTHOR_NAME="Clan Merge Bot"
|
||||
export GIT_AUTHOR_EMAIL="clan-bot@git.clan.lol"
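Review bot: `export PR_TITLE="Automatic flake update - $(date --iso-8601=minutes)"` and `export REMOTE_BRANCH="flake-update-$(date --iso-8601)"` fold the command substitution into the `export`, so the exit status the shell sees is that of `export`, not of `date`; under the `set -euo pipefail` shown in the hunk header a failing substitution no longer aborts the script (ShellCheck SC2155). The main side's two-step form (assign first, then `export PR_TITLE`) is the one that keeps the `-e` check, so keep that form or write `PR_TITLE=...; export PR_TITLE`. The script continues outside the hunk.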
|
||||
|
|
|
@ -1,17 +1,9 @@
|
|||
{
|
||||
bash,
|
||||
coreutils,
|
||||
git,
|
||||
nix,
|
||||
writePureShellScriptBin,
|
||||
{ bash
|
||||
, coreutils
|
||||
, git
|
||||
, nix
|
||||
, writePureShellScriptBin
|
||||
}:
|
||||
writePureShellScriptBin "action-flake-update"
|
||||
[
|
||||
bash
|
||||
coreutils
|
||||
git
|
||||
nix
|
||||
]
|
||||
''
|
||||
bash ${./script.sh}
|
||||
''
|
||||
writePureShellScriptBin "action-flake-update" [ bash coreutils git nix ] ''
|
||||
bash ${./script.sh}
|
||||
''
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import argparse
|
||||
import json
|
||||
import urllib.error
|
||||
import urllib.request
|
||||
import urllib.error
|
||||
from os import environ
|
||||
from typing import Optional
|
||||
|
||||
|
@ -38,7 +38,6 @@ def is_ci_green(pr: dict) -> bool:
|
|||
return False
|
||||
return True
|
||||
|
||||
|
||||
def is_org_member(user: str, token: str) -> bool:
|
||||
url = "https://git.clan.lol/api/v1/orgs/clan/members/" + user + f"?token={token}"
|
||||
try:
|
||||
|
@ -51,6 +50,7 @@ def is_org_member(user: str, token: str) -> bool:
|
|||
raise
|
||||
|
||||
|
||||
|
||||
def merge_allowed(pr: dict, bot_name: str, token: str) -> bool:
|
||||
assignees = pr["assignees"] if pr["assignees"] else []
|
||||
if (
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{
|
||||
pkgs ? import <nixpkgs> { },
|
||||
lib ? pkgs.lib,
|
||||
python3 ? pkgs.python3,
|
||||
ruff ? pkgs.ruff,
|
||||
runCommand ? pkgs.runCommand,
|
||||
{ pkgs ? import <nixpkgs> { }
|
||||
, lib ? pkgs.lib
|
||||
, python3 ? pkgs.python3
|
||||
, ruff ? pkgs.ruff
|
||||
, runCommand ? pkgs.runCommand
|
||||
,
|
||||
}:
|
||||
let
|
||||
pyproject = builtins.fromTOML (builtins.readFile ./pyproject.toml);
|
||||
|
@ -32,11 +32,13 @@ let
|
|||
package = python3.pkgs.buildPythonPackage {
|
||||
inherit name src;
|
||||
format = "pyproject";
|
||||
nativeBuildInputs = [ python3.pkgs.setuptools ];
|
||||
propagatedBuildInputs = dependencies ++ [ ];
|
||||
passthru.tests = {
|
||||
inherit check;
|
||||
};
|
||||
nativeBuildInputs = [
|
||||
python3.pkgs.setuptools
|
||||
];
|
||||
propagatedBuildInputs =
|
||||
dependencies
|
||||
++ [ ];
|
||||
passthru.tests = { inherit check; };
|
||||
passthru.devDependencies = devDependencies;
|
||||
};
|
||||
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
perSystem =
|
||||
{ pkgs, ... }:
|
||||
perSystem = { pkgs, ... }:
|
||||
let
|
||||
package = pkgs.callPackage ./default.nix { inherit pkgs; };
|
||||
in
|
||||
|
|
|
@ -1,11 +1,16 @@
|
|||
{
|
||||
pkgs ? import <nixpkgs> { },
|
||||
}:
|
||||
{ pkgs ? import <nixpkgs> { } }:
|
||||
let
|
||||
inherit (pkgs) lib python3;
|
||||
package = import ./default.nix { inherit lib pkgs python3; };
|
||||
package = import ./default.nix {
|
||||
inherit lib pkgs python3;
|
||||
};
|
||||
pythonWithDeps = python3.withPackages (
|
||||
ps: package.propagatedBuildInputs ++ package.devDependencies ++ [ ps.pip ]
|
||||
ps:
|
||||
package.propagatedBuildInputs
|
||||
++ package.devDependencies
|
||||
++ [
|
||||
ps.pip
|
||||
]
|
||||
);
|
||||
checkScript = pkgs.writeScriptBin "check" ''
|
||||
nix build -f . tests -L "$@"
|
||||
|
|
|
@ -112,6 +112,4 @@ def test_list_prs_to_merge(monkeypatch: pytest.MonkeyPatch) -> None:
|
|||
assignees=[dict(login=bot_name)],
|
||||
),
|
||||
]
|
||||
assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [
|
||||
prs[0]
|
||||
]
|
||||
assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [prs[0]]
|
||||
|
|
|
@ -1,37 +1,33 @@
|
|||
{
|
||||
imports = [ ./clan-merge/flake-module.nix ];
|
||||
perSystem =
|
||||
{ pkgs, config, ... }:
|
||||
{
|
||||
packages =
|
||||
let
|
||||
writers = pkgs.callPackage ./writers.nix { };
|
||||
in
|
||||
{
|
||||
gitea = pkgs.callPackage ./gitea { };
|
||||
imports = [
|
||||
./clan-merge/flake-module.nix
|
||||
];
|
||||
perSystem = { pkgs, config, ... }: {
|
||||
packages =
|
||||
let
|
||||
writers = pkgs.callPackage ./writers.nix { };
|
||||
in
|
||||
{
|
||||
inherit (pkgs.callPackage ./renovate { }) renovate;
|
||||
gitea = pkgs.callPackage ./gitea { };
|
||||
|
||||
action-create-pr = pkgs.callPackage ./action-create-pr {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
};
|
||||
action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
};
|
||||
action-flake-update = pkgs.callPackage ./action-flake-update {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
};
|
||||
action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
|
||||
};
|
||||
inherit
|
||||
(pkgs.callPackages ./job-flake-updates {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
inherit (config.packages) action-flake-update-pr-clan;
|
||||
})
|
||||
job-flake-update-clan-core
|
||||
job-flake-update-clan-homepage
|
||||
job-flake-update-clan-infra
|
||||
;
|
||||
action-create-pr = pkgs.callPackage ./action-create-pr {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
};
|
||||
};
|
||||
action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
};
|
||||
action-flake-update = pkgs.callPackage ./action-flake-update {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
};
|
||||
action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
|
||||
};
|
||||
inherit (pkgs.callPackages ./job-flake-updates {
|
||||
inherit (writers) writePureShellScriptBin;
|
||||
inherit (config.packages) action-flake-update-pr-clan;
|
||||
}) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,120 +0,0 @@
|
|||
From dd2ccf4ff923757b81088e27e362e3fdb222c9d3 Mon Sep 17 00:00:00 2001
|
||||
From: Jade Lovelace <software@lfcode.ca>
|
||||
Date: Tue, 28 May 2024 16:36:25 +0200
|
||||
Subject: [PATCH] Add an immutable tarball link to archive download headers for
|
||||
Nix
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This allows `nix flake metadata` and nix in general to lock a *branch*
|
||||
tarball link in a manner that causes it to fetch the correct commit even
|
||||
if the branch is updated with a newer version.
|
||||
|
||||
For further context, Nix flakes are a feature that, among other things,
|
||||
allows for "inputs" that are "github:someuser/somerepo",
|
||||
"https://some-tarball-service/some-tarball.tar.gz",
|
||||
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
|
||||
tarballs of git-based inputs to their builds rather than using git to
|
||||
fetch them, saving significant download time.
|
||||
|
||||
There is presently no gitea or forgejo specific fetcher in Nix, and we
|
||||
don't particularly wish to have one. Ideally (as a developer on a Nix
|
||||
implementation myself) we could just use the generic tarball fetcher and
|
||||
not add specific forgejo support, but to do so, we need additional
|
||||
metadata to know which commit a given *branch* tarball represents, which
|
||||
is the purpose of the Link header added here.
|
||||
|
||||
The result of this patch is that a Nix user can specify `inputs.something.url =
|
||||
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
|
||||
and get a link to some concrete tarball for the actual commit in the
|
||||
lock file, then when they run `nix flake update` in the future, they
|
||||
will get the latest commit in that branch.
|
||||
|
||||
Example of it working locally:
|
||||
|
||||
» nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
|
||||
Resolved URL: http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
|
||||
Locked URL: http://localhost:3000/api/v1/repos/jade/cats/archive/804ede182b6b66469b23ea4d21eece52766b7a06.tar.gz?dir=configs
|
||||
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
|
||||
Description: Computers with the nixos
|
||||
Path: /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
|
||||
Revision: 804ede182b6b66469b23ea4d21eece52766b7a06
|
||||
Last modified: 2024-05-02 00:48:32
|
||||
|
||||
For details on the header value, see:
|
||||
https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
||||
|
||||
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
|
||||
---
|
||||
routers/api/v1/repo/file.go | 6 ++++++
|
||||
routers/web/repo/repo.go | 6 ++++++
|
||||
tests/integration/api_repo_archive_test.go | 11 +++++++++++
|
||||
3 files changed, 23 insertions(+)
|
||||
|
||||
diff --git a/routers/api/v1/repo/file.go b/routers/api/v1/repo/file.go
|
||||
index 156033f58a..b7ad63af08 100644
|
||||
--- a/routers/api/v1/repo/file.go
|
||||
+++ b/routers/api/v1/repo/file.go
|
||||
@@ -319,6 +319,12 @@ func archiveDownload(ctx *context.APIContext) {
|
||||
func download(ctx *context.APIContext, archiveName string, archiver *repo_model.RepoArchiver) {
|
||||
downloadName := ctx.Repo.Repository.Name + "-" + archiveName
|
||||
|
||||
+ // Add nix format link header so tarballs lock correctly:
|
||||
+ // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
||||
+ ctx.Resp.Header().Add("Link", fmt.Sprintf("<%s/archive/%s.tar.gz?rev=%s>; rel=\"immutable\"",
|
||||
+ ctx.Repo.Repository.APIURL(),
|
||||
+ archiver.CommitID, archiver.CommitID))
|
||||
+
|
||||
rPath := archiver.RelativePath()
|
||||
if setting.RepoArchive.Storage.MinioConfig.ServeDirect {
|
||||
// If we have a signed url (S3, object storage), redirect to this directly.
|
||||
diff --git a/routers/web/repo/repo.go b/routers/web/repo/repo.go
|
||||
index 71c582b5f9..bb6349658f 100644
|
||||
--- a/routers/web/repo/repo.go
|
||||
+++ b/routers/web/repo/repo.go
|
||||
@@ -484,6 +484,12 @@ func Download(ctx *context.Context) {
|
||||
func download(ctx *context.Context, archiveName string, archiver *repo_model.RepoArchiver) {
|
||||
downloadName := ctx.Repo.Repository.Name + "-" + archiveName
|
||||
|
||||
+ // Add nix format link header so tarballs lock correctly:
|
||||
+ // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
||||
+ ctx.Resp.Header().Add("Link", fmt.Sprintf("<%s/archive/%s.tar.gz?rev=%s>; rel=\"immutable\"",
|
||||
+ ctx.Repo.Repository.APIURL(),
|
||||
+ archiver.CommitID, archiver.CommitID))
|
||||
+
|
||||
rPath := archiver.RelativePath()
|
||||
if setting.RepoArchive.Storage.MinioConfig.ServeDirect {
|
||||
// If we have a signed url (S3, object storage), redirect to this directly.
|
||||
diff --git a/tests/integration/api_repo_archive_test.go b/tests/integration/api_repo_archive_test.go
|
||||
index 57d3abfe84..340ff03961 100644
|
||||
--- a/tests/integration/api_repo_archive_test.go
|
||||
+++ b/tests/integration/api_repo_archive_test.go
|
||||
@@ -8,6 +8,7 @@
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
+ "regexp"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
@@ -39,6 +40,16 @@ func TestAPIDownloadArchive(t *testing.T) {
|
||||
assert.NoError(t, err)
|
||||
assert.Len(t, bs, 266)
|
||||
|
||||
+ // Must return a link to a commit ID as the "immutable" archive link
|
||||
+ linkHeaderRe := regexp.MustCompile(`<(?P<url>https?://.*/api/v1/repos/user2/repo1/archive/[a-f0-9]+\.tar\.gz.*)>; rel="immutable"`)
|
||||
+ m := linkHeaderRe.FindStringSubmatch(resp.Header().Get("Link"))
|
||||
+ assert.NotEmpty(t, m[1])
|
||||
+ resp = MakeRequest(t, NewRequest(t, "GET", m[1]).AddTokenAuth(token), http.StatusOK)
|
||||
+ bs2, err := io.ReadAll(resp.Body)
|
||||
+ assert.NoError(t, err)
|
||||
+ // The locked URL should give the same bytes as the non-locked one
|
||||
+ assert.EqualValues(t, bs, bs2)
|
||||
+
|
||||
link, _ = url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/archive/master.bundle", user2.Name, repo.Name))
|
||||
resp = MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(token), http.StatusOK)
|
||||
bs, err = io.ReadAll(resp.Body)
|
||||
--
|
||||
2.44.1
|
||||
|
|
@ -21,7 +21,7 @@ index 007e790b8..a8f3ba7dc 100644
|
|||
|
||||
ctx.Data["PageIsSignUp"] = true
|
||||
|
||||
+ if !strings.Contains(strings.ToLower(form.Notabot), "clan") {
|
||||
+ if strings.ToLower(form.Notabot) != "clan" {
|
||||
+ ctx.Error(http.StatusForbidden)
|
||||
+ return
|
||||
+ }
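Review bot: `if strings.ToLower(form.Notabot) != "clan" {` on the branch side requires a byte-exact answer after lowercasing, so a value with leading or trailing whitespace is rejected with a bare `ctx.Error(http.StatusForbidden)` and no hint to the user about what went wrong. If an exact keyword is intended, normalise before comparing: `if strings.ToLower(strings.TrimSpace(form.Notabot)) != "clan" {`. The handler this patch edits starts and ends outside the hunk.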
|
||||
|
|
|
@ -3,6 +3,5 @@
|
|||
gitea.overrideAttrs (old: {
|
||||
patches = old.patches ++ [
|
||||
./0001-add-bot-check.patch
|
||||
./0001-Add-an-immutable-tarball-link-to-archive-download-he.patch
|
||||
];
|
||||
})
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
{ action-flake-update-pr-clan, writePureShellScriptBin }:
|
||||
{ action-flake-update-pr-clan
|
||||
, writePureShellScriptBin
|
||||
}:
|
||||
let
|
||||
job-flake-update =
|
||||
repo:
|
||||
writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
|
||||
export REPO="gitea@git.clan.lol:clan/${repo}.git"
|
||||
export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
|
||||
job-flake-update = repo: writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
|
||||
export REPO="gitea@git.clan.lol:clan/${repo}.git"
|
||||
export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
|
||||
|
||||
action-flake-update-pr-clan
|
||||
'';
|
||||
action-flake-update-pr-clan
|
||||
'';
|
||||
in
|
||||
{
|
||||
job-flake-update-clan-core = job-flake-update "clan-core";
|
||||
|
|
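--- a/pkgs/renovate/composition.nix
+++ b/pkgs/renovate/composition.nix
@@ -0,0 +1,17 @@
+# This file has been generated by node2nix 1.11.1. Do not edit!
+
+{pkgs ? import <nixpkgs> {
+inherit system;
+}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs_18"}:
+
+let
+nodeEnv = import ./node-env.nix {
+inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
+inherit pkgs nodejs;
+libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
+};
+in
+import ./node-packages.nix {
+inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
+inherit nodeEnv;
+}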
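--- a/pkgs/renovate/default.nix
+++ b/pkgs/renovate/default.nix
@@ -0,0 +1,8 @@
+{ pkgs, system, nodejs-18_x, makeWrapper }:
+let
+nodePackages = import ./composition.nix {
+inherit pkgs system;
+nodejs = nodejs-18_x;
+};
+in
+nodePackages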
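Review bot: `makeWrapper` is declared in the argument set of pkgs/renovate/default.nix but never referenced in the body, so `pkgs.callPackage` resolves a dependency the file does not use; trim the signature to `{ pkgs, system, nodejs-18_x }:`. The file otherwise only forwards `pkgs`, `system` and `nodejs-18_x` to `./composition.nix` and returns the resulting attribute set unchanged.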
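--- a/pkgs/renovate/generate.sh
+++ b/pkgs/renovate/generate.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p nodePackages.node2nix
+
+rm -f node-env.nix
+node2nix -18 -i node-packages.json -o node-packages.nix -c composition.nix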
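Review bot: `rm -f node-env.nix` and the `node2nix ... -o node-packages.nix -c composition.nix` call in generate.sh use paths relative to the current working directory rather than to the script's own location, so invoked from anywhere but pkgs/renovate it would remove and write files in whatever directory the caller happens to be in. The script also sets no error handling, so a failed node2nix run would still exit 0. Add `set -euo pipefail` and `cd "$(dirname "$0")"` after the two nix-shell shebang lines.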
689
pkgs/renovate/node-env.nix
Normal file
|
@ -0,0 +1,689 @@
|
|||
# This file originates from node2nix
|
||||
|
||||
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
|
||||
|
||||
let
|
||||
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
|
||||
utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
|
||||
|
||||
python = if nodejs ? python then nodejs.python else python2;
|
||||
|
||||
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
|
||||
tarWrapper = runCommand "tarWrapper" {} ''
|
||||
mkdir -p $out/bin
|
||||
|
||||
cat > $out/bin/tar <<EOF
|
||||
#! ${stdenv.shell} -e
|
||||
$(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
|
||||
EOF
|
||||
|
||||
chmod +x $out/bin/tar
|
||||
'';
|
||||
|
||||
# Function that generates a TGZ file from a NPM project
|
||||
buildNodeSourceDist =
|
||||
{ name, version, src, ... }:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "node-tarball-${name}-${version}";
|
||||
inherit src;
|
||||
buildInputs = [ nodejs ];
|
||||
buildPhase = ''
|
||||
export HOME=$TMPDIR
|
||||
tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
|
||||
'';
|
||||
installPhase = ''
|
||||
mkdir -p $out/tarballs
|
||||
mv $tgzFile $out/tarballs
|
||||
mkdir -p $out/nix-support
|
||||
echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
|
||||
'';
|
||||
};
|
||||
|
||||
# Common shell logic
|
||||
installPackage = writeShellScript "install-package" ''
|
||||
installPackage() {
|
||||
local packageName=$1 src=$2
|
||||
|
||||
local strippedName
|
||||
|
||||
local DIR=$PWD
|
||||
cd $TMPDIR
|
||||
|
||||
unpackFile $src
|
||||
|
||||
# Make the base dir in which the target dependency resides first
|
||||
mkdir -p "$(dirname "$DIR/$packageName")"
|
||||
|
||||
if [ -f "$src" ]
|
||||
then
|
||||
# Figure out what directory has been unpacked
|
||||
packageDir="$(find . -maxdepth 1 -type d | tail -1)"
|
||||
|
||||
# Restore write permissions to make building work
|
||||
find "$packageDir" -type d -exec chmod u+x {} \;
|
||||
chmod -R u+w "$packageDir"
|
||||
|
||||
# Move the extracted tarball into the output folder
|
||||
mv "$packageDir" "$DIR/$packageName"
|
||||
elif [ -d "$src" ]
|
||||
then
|
||||
# Get a stripped name (without hash) of the source directory.
|
||||
# On old nixpkgs it's already set internally.
|
||||
if [ -z "$strippedName" ]
|
||||
then
|
||||
strippedName="$(stripHash $src)"
|
||||
fi
|
||||
|
||||
# Restore write permissions to make building work
|
||||
chmod -R u+w "$strippedName"
|
||||
|
||||
# Move the extracted directory into the output folder
|
||||
mv "$strippedName" "$DIR/$packageName"
|
||||
fi
|
||||
|
||||
# Change to the package directory to install dependencies
|
||||
cd "$DIR/$packageName"
|
||||
}
|
||||
'';
|
||||
|
||||
# Bundle the dependencies of the package
|
||||
#
|
||||
# Only include dependencies if they don't exist. They may also be bundled in the package.
|
||||
includeDependencies = {dependencies}:
|
||||
lib.optionalString (dependencies != []) (
|
||||
''
|
||||
mkdir -p node_modules
|
||||
cd node_modules
|
||||
''
|
||||
+ (lib.concatMapStrings (dependency:
|
||||
''
|
||||
if [ ! -e "${dependency.packageName}" ]; then
|
||||
${composePackage dependency}
|
||||
fi
|
||||
''
|
||||
) dependencies)
|
||||
+ ''
|
||||
cd ..
|
||||
''
|
||||
);
|
||||
|
||||
# Recursively composes the dependencies of a package
|
||||
composePackage = { name, packageName, src, dependencies ? [], ... }@args:
|
||||
builtins.addErrorContext "while evaluating node package '${packageName}'" ''
|
||||
installPackage "${packageName}" "${src}"
|
||||
${includeDependencies { inherit dependencies; }}
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
'';
|
||||
|
||||
pinpointDependencies = {dependencies, production}:
|
||||
let
|
||||
pinpointDependenciesFromPackageJSON = writeTextFile {
|
||||
name = "pinpointDependencies.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
function resolveDependencyVersion(location, name) {
|
||||
if(location == process.env['NIX_STORE']) {
|
||||
return null;
|
||||
} else {
|
||||
var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
|
||||
|
||||
if(fs.existsSync(dependencyPackageJSON)) {
|
||||
var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
|
||||
|
||||
if(dependencyPackageObj.name == name) {
|
||||
return dependencyPackageObj.version;
|
||||
}
|
||||
} else {
|
||||
return resolveDependencyVersion(path.resolve(location, ".."), name);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function replaceDependencies(dependencies) {
|
||||
if(typeof dependencies == "object" && dependencies !== null) {
|
||||
for(var dependency in dependencies) {
|
||||
var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
|
||||
|
||||
if(resolvedVersion === null) {
|
||||
process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
|
||||
} else {
|
||||
dependencies[dependency] = resolvedVersion;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* Read the package.json configuration */
|
||||
var packageObj = JSON.parse(fs.readFileSync('./package.json'));
|
||||
|
||||
/* Pinpoint all dependencies */
|
||||
replaceDependencies(packageObj.dependencies);
|
||||
if(process.argv[2] == "development") {
|
||||
replaceDependencies(packageObj.devDependencies);
|
||||
}
|
||||
else {
|
||||
packageObj.devDependencies = {};
|
||||
}
|
||||
replaceDependencies(packageObj.optionalDependencies);
|
||||
replaceDependencies(packageObj.peerDependencies);
|
||||
|
||||
/* Write the fixed package.json file */
|
||||
fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
|
||||
'';
|
||||
};
|
||||
in
|
||||
''
|
||||
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
|
||||
|
||||
${lib.optionalString (dependencies != [])
|
||||
''
|
||||
if [ -d node_modules ]
|
||||
then
|
||||
cd node_modules
|
||||
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
|
||||
cd ..
|
||||
fi
|
||||
''}
|
||||
'';
|
||||
|
||||
# Recursively traverses all dependencies of a package and pinpoints all
|
||||
# dependencies in the package.json file to the versions that are actually
|
||||
# being used.
|
||||
|
||||
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
|
||||
''
|
||||
if [ -d "${packageName}" ]
|
||||
then
|
||||
cd "${packageName}"
|
||||
${pinpointDependencies { inherit dependencies production; }}
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
fi
|
||||
'';
|
||||
|
||||
# Extract the Node.js source code which is used to compile packages with
|
||||
# native bindings
|
||||
nodeSources = runCommand "node-sources" {} ''
|
||||
tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
|
||||
mv node-* $out
|
||||
'';
|
||||
|
||||
# Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
|
||||
addIntegrityFieldsScript = writeTextFile {
|
||||
name = "addintegrityfields.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
function augmentDependencies(baseDir, dependencies) {
|
||||
for(var dependencyName in dependencies) {
|
||||
var dependency = dependencies[dependencyName];
|
||||
|
||||
// Open package.json and augment metadata fields
|
||||
var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
|
||||
var packageJSONPath = path.join(packageJSONDir, "package.json");
|
||||
|
||||
if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
|
||||
console.log("Adding metadata fields to: "+packageJSONPath);
|
||||
var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
|
||||
|
||||
if(dependency.integrity) {
|
||||
packageObj["_integrity"] = dependency.integrity;
|
||||
} else {
|
||||
packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
|
||||
}
|
||||
|
||||
if(dependency.resolved) {
|
||||
packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
|
||||
} else {
|
||||
packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
|
||||
}
|
||||
|
||||
if(dependency.from !== undefined) { // Adopt from property if one has been provided
|
||||
packageObj["_from"] = dependency.from;
|
||||
}
|
||||
|
||||
fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
|
||||
}
|
||||
|
||||
// Augment transitive dependencies
|
||||
if(dependency.dependencies !== undefined) {
|
||||
augmentDependencies(packageJSONDir, dependency.dependencies);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if(fs.existsSync("./package-lock.json")) {
|
||||
var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
|
||||
|
||||
if(![1, 2].includes(packageLock.lockfileVersion)) {
|
||||
process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if(packageLock.dependencies !== undefined) {
|
||||
augmentDependencies(".", packageLock.dependencies);
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
|
||||
reconstructPackageLock = writeTextFile {
|
||||
name = "reconstructpackagelock.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
var packageObj = JSON.parse(fs.readFileSync("package.json"));
|
||||
|
||||
var lockObj = {
|
||||
name: packageObj.name,
|
||||
version: packageObj.version,
|
||||
lockfileVersion: 2,
|
||||
requires: true,
|
||||
packages: {
|
||||
"": {
|
||||
name: packageObj.name,
|
||||
version: packageObj.version,
|
||||
license: packageObj.license,
|
||||
bin: packageObj.bin,
|
||||
dependencies: packageObj.dependencies,
|
||||
engines: packageObj.engines,
|
||||
optionalDependencies: packageObj.optionalDependencies
|
||||
}
|
||||
},
|
||||
dependencies: {}
|
||||
};
|
||||
|
||||
function augmentPackageJSON(filePath, packages, dependencies) {
|
||||
var packageJSON = path.join(filePath, "package.json");
|
||||
if(fs.existsSync(packageJSON)) {
|
||||
var packageObj = JSON.parse(fs.readFileSync(packageJSON));
|
||||
packages[filePath] = {
|
||||
version: packageObj.version,
|
||||
integrity: "sha1-000000000000000000000000000=",
|
||||
dependencies: packageObj.dependencies,
|
||||
engines: packageObj.engines,
|
||||
optionalDependencies: packageObj.optionalDependencies
|
||||
};
|
||||
dependencies[packageObj.name] = {
|
||||
version: packageObj.version,
|
||||
integrity: "sha1-000000000000000000000000000=",
|
||||
dependencies: {}
|
||||
};
|
||||
processDependencies(path.join(filePath, "node_modules"), packages, dependencies[packageObj.name].dependencies);
|
||||
}
|
||||
}
|
||||
|
||||
function processDependencies(dir, packages, dependencies) {
|
||||
if(fs.existsSync(dir)) {
|
||||
var files = fs.readdirSync(dir);
|
||||
|
||||
files.forEach(function(entry) {
|
||||
var filePath = path.join(dir, entry);
|
||||
var stats = fs.statSync(filePath);
|
||||
|
||||
if(stats.isDirectory()) {
|
||||
if(entry.substr(0, 1) == "@") {
|
||||
// When we encounter a namespace folder, augment all packages belonging to the scope
|
||||
var pkgFiles = fs.readdirSync(filePath);
|
||||
|
||||
pkgFiles.forEach(function(entry) {
|
||||
if(stats.isDirectory()) {
|
||||
var pkgFilePath = path.join(filePath, entry);
|
||||
augmentPackageJSON(pkgFilePath, packages, dependencies);
|
||||
}
|
||||
});
|
||||
} else {
|
||||
augmentPackageJSON(filePath, packages, dependencies);
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
processDependencies("node_modules", lockObj.packages, lockObj.dependencies);
|
||||
|
||||
fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
|
||||
'';
|
||||
};
|
||||
|
||||
# Script that links bins defined in package.json to the node_modules bin directory
|
||||
# NPM does not do this for top-level packages itself anymore as of v7
|
||||
linkBinsScript = writeTextFile {
|
||||
name = "linkbins.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
var packageObj = JSON.parse(fs.readFileSync("package.json"));
|
||||
|
||||
var nodeModules = Array(packageObj.name.split("/").length).fill("..").join(path.sep);
|
||||
|
||||
if(packageObj.bin !== undefined) {
|
||||
fs.mkdirSync(path.join(nodeModules, ".bin"))
|
||||
|
||||
if(typeof packageObj.bin == "object") {
|
||||
Object.keys(packageObj.bin).forEach(function(exe) {
|
||||
if(fs.existsSync(packageObj.bin[exe])) {
|
||||
console.log("linking bin '" + exe + "'");
|
||||
fs.symlinkSync(
|
||||
path.join("..", packageObj.name, packageObj.bin[exe]),
|
||||
path.join(nodeModules, ".bin", exe)
|
||||
);
|
||||
}
|
||||
else {
|
||||
console.log("skipping non-existent bin '" + exe + "'");
|
||||
}
|
||||
})
|
||||
}
|
||||
else {
|
||||
if(fs.existsSync(packageObj.bin)) {
|
||||
console.log("linking bin '" + packageObj.bin + "'");
|
||||
fs.symlinkSync(
|
||||
path.join("..", packageObj.name, packageObj.bin),
|
||||
path.join(nodeModules, ".bin", packageObj.name.split("/").pop())
|
||||
);
|
||||
}
|
||||
else {
|
||||
console.log("skipping non-existent bin '" + packageObj.bin + "'");
|
||||
}
|
||||
}
|
||||
}
|
||||
else if(packageObj.directories !== undefined && packageObj.directories.bin !== undefined) {
|
||||
fs.mkdirSync(path.join(nodeModules, ".bin"))
|
||||
|
||||
fs.readdirSync(packageObj.directories.bin).forEach(function(exe) {
|
||||
if(fs.existsSync(path.join(packageObj.directories.bin, exe))) {
|
||||
console.log("linking bin '" + exe + "'");
|
||||
fs.symlinkSync(
|
||||
path.join("..", packageObj.name, packageObj.directories.bin, exe),
|
||||
path.join(nodeModules, ".bin", exe)
|
||||
);
|
||||
}
|
||||
else {
|
||||
console.log("skipping non-existent bin '" + exe + "'");
|
||||
}
|
||||
})
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
|
||||
let
|
||||
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
|
||||
in
|
||||
''
|
||||
# Pinpoint the versions of all dependencies to the ones that are actually being used
|
||||
echo "pinpointing versions of dependencies..."
|
||||
source $pinpointDependenciesScriptPath
|
||||
|
||||
# Patch the shebangs of the bundled modules to prevent them from
|
||||
# calling executables outside the Nix store as much as possible
|
||||
patchShebangs .
|
||||
|
||||
# Deploy the Node.js package by running npm install. Since the
|
||||
# dependencies have been provided already by ourselves, it should not
|
||||
# attempt to install them again, which is good, because we want to make
|
||||
# it Nix's responsibility. If it needs to install any dependencies
|
||||
# anyway (e.g. because the dependency parameters are
|
||||
# incomplete/incorrect), it fails.
|
||||
#
|
||||
# The other responsibilities of NPM are kept -- version checks, build
|
||||
# steps, postprocessing etc.
|
||||
|
||||
export HOME=$TMPDIR
|
||||
cd "${packageName}"
|
||||
runHook preRebuild
|
||||
|
||||
${lib.optionalString bypassCache ''
|
||||
${lib.optionalString reconstructLock ''
|
||||
if [ -f package-lock.json ]
|
||||
then
|
||||
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
|
||||
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
|
||||
rm package-lock.json
|
||||
else
|
||||
echo "No package-lock.json file found, reconstructing..."
|
||||
fi
|
||||
|
||||
node ${reconstructPackageLock}
|
||||
''}
|
||||
|
||||
node ${addIntegrityFieldsScript}
|
||||
''}
|
||||
|
||||
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
|
||||
|
||||
runHook postRebuild
|
||||
|
||||
if [ "''${dontNpmInstall-}" != "1" ]
|
||||
then
|
||||
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
|
||||
rm -f npm-shrinkwrap.json
|
||||
|
||||
npm ${forceOfflineFlag} --nodedir=${nodeSources} --no-bin-links --ignore-scripts ${npmFlags} ${lib.optionalString production "--production"} install
|
||||
fi
|
||||
|
||||
# Link executables defined in package.json
|
||||
node ${linkBinsScript}
|
||||
'';
|
||||
|
||||
# Builds and composes an NPM package including all its dependencies
|
||||
buildNodePackage =
|
||||
{ name
|
||||
, packageName
|
||||
, version ? null
|
||||
, dependencies ? []
|
||||
, buildInputs ? []
|
||||
, production ? true
|
||||
, npmFlags ? ""
|
||||
, dontNpmInstall ? false
|
||||
, bypassCache ? false
|
||||
, reconstructLock ? false
|
||||
, preRebuild ? ""
|
||||
, dontStrip ? true
|
||||
, unpackPhase ? "true"
|
||||
, buildPhase ? "true"
|
||||
, meta ? {}
|
||||
, ... }@args:
|
||||
|
||||
let
|
||||
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
|
||||
in
|
||||
stdenv.mkDerivation ({
|
||||
name = "${name}${if version == null then "" else "-${version}"}";
|
||||
buildInputs = [ tarWrapper python nodejs ]
|
||||
++ lib.optional (stdenv.isLinux) utillinux
|
||||
++ lib.optional (stdenv.isDarwin) libtool
|
||||
++ buildInputs;
|
||||
|
||||
inherit nodejs;
|
||||
|
||||
inherit dontStrip; # Stripping may fail a build for some package deployments
|
||||
inherit dontNpmInstall preRebuild unpackPhase buildPhase;
|
||||
|
||||
compositionScript = composePackage args;
|
||||
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
|
||||
|
||||
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
|
||||
|
||||
installPhase = ''
|
||||
source ${installPackage}
|
||||
|
||||
# Create and enter a root node_modules/ folder
|
||||
mkdir -p $out/lib/node_modules
|
||||
cd $out/lib/node_modules
|
||||
|
||||
# Compose the package and all its dependencies
|
||||
source $compositionScriptPath
|
||||
|
||||
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
|
||||
|
||||
# Create symlink to the deployed executable folder, if applicable
|
||||
if [ -d "$out/lib/node_modules/.bin" ]
|
||||
then
|
||||
ln -s $out/lib/node_modules/.bin $out/bin
|
||||
|
||||
# Fixup all executables
|
||||
ls $out/bin/* | while read i
|
||||
do
|
||||
file="$(readlink -f "$i")"
|
||||
chmod u+rwx "$file"
|
||||
if isScript "$file"
|
||||
then
|
||||
sed -i 's/\r$//' "$file" # convert crlf to lf
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Create symlinks to the deployed manual page folders, if applicable
|
||||
if [ -d "$out/lib/node_modules/${packageName}/man" ]
|
||||
then
|
||||
mkdir -p $out/share
|
||||
for dir in "$out/lib/node_modules/${packageName}/man/"*
|
||||
do
|
||||
mkdir -p $out/share/man/$(basename "$dir")
|
||||
for page in "$dir"/*
|
||||
do
|
||||
ln -s $page $out/share/man/$(basename "$dir")
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
# Run post install hook, if provided
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = {
|
||||
# default to Node.js' platforms
|
||||
platforms = nodejs.meta.platforms;
|
||||
} // meta;
|
||||
} // extraArgs);
|
||||
|
||||
# Builds a node environment (a node_modules folder and a set of binaries)
|
||||
buildNodeDependencies =
|
||||
{ name
|
||||
, packageName
|
||||
, version ? null
|
||||
, src
|
||||
, dependencies ? []
|
||||
, buildInputs ? []
|
||||
, production ? true
|
||||
, npmFlags ? ""
|
||||
, dontNpmInstall ? false
|
||||
, bypassCache ? false
|
||||
, reconstructLock ? false
|
||||
, dontStrip ? true
|
||||
, unpackPhase ? "true"
|
||||
, buildPhase ? "true"
|
||||
, ... }@args:
|
||||
|
||||
let
|
||||
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
|
||||
in
|
||||
stdenv.mkDerivation ({
|
||||
name = "node-dependencies-${name}${if version == null then "" else "-${version}"}";
|
||||
|
||||
buildInputs = [ tarWrapper python nodejs ]
|
||||
++ lib.optional (stdenv.isLinux) utillinux
|
||||
++ lib.optional (stdenv.isDarwin) libtool
|
||||
++ buildInputs;
|
||||
|
||||
inherit dontStrip; # Stripping may fail a build for some package deployments
|
||||
inherit dontNpmInstall unpackPhase buildPhase;
|
||||
|
||||
includeScript = includeDependencies { inherit dependencies; };
|
||||
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
|
||||
|
||||
passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
|
||||
|
||||
installPhase = ''
|
||||
source ${installPackage}
|
||||
|
||||
mkdir -p $out/${packageName}
|
||||
cd $out/${packageName}
|
||||
|
||||
source $includeScriptPath
|
||||
|
||||
# Create fake package.json to make the npm commands work properly
|
||||
cp ${src}/package.json .
|
||||
chmod 644 package.json
|
||||
${lib.optionalString bypassCache ''
|
||||
if [ -f ${src}/package-lock.json ]
|
||||
then
|
||||
cp ${src}/package-lock.json .
|
||||
chmod 644 package-lock.json
|
||||
fi
|
||||
''}
|
||||
|
||||
# Go to the parent folder to make sure that all packages are pinpointed
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
|
||||
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
|
||||
|
||||
# Expose the executables that were installed
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
|
||||
mv ${packageName} lib
|
||||
ln -s $out/lib/node_modules/.bin $out/bin
|
||||
'';
|
||||
} // extraArgs);
|
||||
|
||||
# Builds a development shell
|
||||
buildNodeShell =
|
||||
{ name
|
||||
, packageName
|
||||
, version ? null
|
||||
, src
|
||||
, dependencies ? []
|
||||
, buildInputs ? []
|
||||
, production ? true
|
||||
, npmFlags ? ""
|
||||
, dontNpmInstall ? false
|
||||
, bypassCache ? false
|
||||
, reconstructLock ? false
|
||||
, dontStrip ? true
|
||||
, unpackPhase ? "true"
|
||||
, buildPhase ? "true"
|
||||
, ... }@args:
|
||||
|
||||
let
|
||||
nodeDependencies = buildNodeDependencies args;
|
||||
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "unpackPhase" "buildPhase" ];
|
||||
in
|
||||
stdenv.mkDerivation ({
|
||||
name = "node-shell-${name}${if version == null then "" else "-${version}"}";
|
||||
|
||||
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
|
||||
buildCommand = ''
|
||||
mkdir -p $out/bin
|
||||
cat > $out/bin/shell <<EOF
|
||||
#! ${stdenv.shell} -e
|
||||
$shellHook
|
||||
exec ${stdenv.shell}
|
||||
EOF
|
||||
chmod +x $out/bin/shell
|
||||
'';
|
||||
|
||||
# Provide the dependencies in a development shell through the NODE_PATH environment variable
|
||||
inherit nodeDependencies;
|
||||
shellHook = lib.optionalString (dependencies != []) ''
|
||||
export NODE_PATH=${nodeDependencies}/lib/node_modules
|
||||
export PATH="${nodeDependencies}/bin:$PATH"
|
||||
'';
|
||||
} // extraArgs);
|
||||
in
|
||||
{
|
||||
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
|
||||
buildNodePackage = lib.makeOverridable buildNodePackage;
|
||||
buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
|
||||
buildNodeShell = lib.makeOverridable buildNodeShell;
|
||||
}
|
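--- /dev/null
+++ b/pkgs/renovate/node-packages.json
@@ -0,0 +1,3 @@
+[
+"renovate"
+]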
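Review bot: The new node-packages.json lists `"renovate"` with no version constraint, so every node2nix regeneration resolves whatever the npm registry currently publishes, and the only place the concrete version and hashes end up fixed is the generated node-packages.nix (8361 lines, suppressed in this view), where an upstream release would land as a bulk diff that is hard to review. node2nix also accepts the object form, so pinning the entry to a reviewed release, e.g. `{ "renovate": "<reviewed version>" }`, keeps the update deliberate and gives the regenerated lock a known target to diff against. This is a supply-chain hygiene point about how the tool is driven rather than a defect in the three lines themselves.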
8361
pkgs/renovate/node-packages.nix
Normal file
File diff suppressed because it is too large
|
@ -1,13 +1,12 @@
|
|||
{
|
||||
lib,
|
||||
bash,
|
||||
coreutils,
|
||||
gawk,
|
||||
path,
|
||||
# nixpkgs path
|
||||
writeScript,
|
||||
writeScriptBin,
|
||||
...
|
||||
{ lib
|
||||
, bash
|
||||
, coreutils
|
||||
, gawk
|
||||
, path
|
||||
, # nixpkgs path
|
||||
writeScript
|
||||
, writeScriptBin
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
# Create a script that runs in a `pure` environment, in the sense that:
|
||||
|
@ -19,12 +18,12 @@ let
|
|||
# - all environment variables are unset, except:
|
||||
# - the ones listed in `keepVars` defined in ./default.nix
|
||||
# - the ones listed via the `KEEP_VARS` variable
|
||||
writePureShellScript = PATH: script: writeScript "script.sh" (mkScript PATH script);
|
||||
writePureShellScript = PATH: script:
|
||||
writeScript "script.sh" (mkScript PATH script);
|
||||
|
||||
# Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc.
|
||||
# See {option}`writers.writePureShellScript`
|
||||
writePureShellScriptBin =
|
||||
binName: PATH: script:
|
||||
writePureShellScriptBin = binName: PATH: script:
|
||||
writeScriptBin binName (mkScript PATH script);
|
||||
|
||||
mkScript = PATH: scriptText: ''
|
||||
|
@ -92,5 +91,8 @@ let
|
|||
'';
|
||||
in
|
||||
{
|
||||
inherit writePureShellScript writePureShellScriptBin;
|
||||
inherit
|
||||
writePureShellScript
|
||||
writePureShellScriptBin
|
||||
;
|
||||
}
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:58ptmutnKoe4R6IE053eEm1gtgY1evYQM+WJtMRTuNm9Z1lE40Q8VJ4gDZ8xkc2ZWssizEgB0Iw=,iv:pNEUemTqKU4joMU9mJI4yYrLGfoHsD10G7BFbqsbSVA=,tag:oJfePGGn/OXJT7l1cugnkQ==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeVpORHNpdk1TZURNQlVE\nRFRtb0ZMODZ5WXdPOHoyVm42TUxnWVJRTGhrCmdOcndyTHlTMUdKYlJnajF0bXRj\ndDNYTmNNanpUbWF4NDJIdlNVQVpZS0EKLS0tIHRCYlpNMHVIMklQbkc2d3Vaenpl\ncysrK3FnSFpTdTVsQUhWTVRmb2h1eFkKmhJdVLu1zb+lEIlDHeoeExaiRQW075mY\nw6dM9dSW1BXTQmKT9q3WsAfF1SDafhSvBpphXTKBI58vrtFNFxJquQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2h2VEErMmRpMndBY3hN\nMlJVM3ZJTHJSQWppQ2wzV0V2T2xiS3BUSXdjCk9WaS9RL3pzSUJCakh4ZkIvQXk0\nV3VweE4yNDZZUHViZHZ3clNHMDB4UEUKLS0tIHkrMXpib2pneHl0a1kyM2VreGty\nMzNQMnJVaXRCT2ZneCtSNlFwREFza0UK2QUqLP6MfsJD1zsI5w/Oq/t87L3k4z/6\nxCe5ZTSBJcksV9v3E20jmFBcJHN/7Yrvp/FeQZRTUr8J9xY5DTBPHQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-04-30T11:28:18Z",
|
||||
"mac": "ENC[AES256_GCM,data:umJSHZSWw/EYeinv2QCsJjq7t+awSj4LY8dthXWrX5nLPEzuzGpQrGfAGNle15SudfpZ0XpzeoiFrK6LqeQUr6BwlyWRjuwZjBD0Eo/RG5zvv0lEcQ666KWVlq8v7lP1rNuXIXGSef4ZN/Oqel0HAJW4d05YedwShD6/99HyLhw=,iv:VusNFfl5MRjv1Vrbkcw9auY4DxW9tkMvEJ4KPDEpk18=,tag:0yESnJbjneyG5PQagcsSOQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:wAUAcK0gtlCSCuXUMp6w/MBnn+J407iObssBVFjR7I1VUe9enghf4/Q=,iv:nbcgGyOCt8iO1FLPnV4aakLugr6/7fj/DB75KwqC93I=,tag:1D6B38fKIpQFdxobQ89mrg==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTa29QelppdVhheGR0YytK\nR1NWNTU1MUt0WHY1cDBqN2YwRURzN1lEVEhjCmpvK0tmNEZReWpKVGlkUWREakpa\nYnJYbGRUcGJHdGVnYmhKTktVckpKR00KLS0tIDZicFZERnlNckEwTUFaTk11bWsw\nb3hjblFvTWwrZXJLNFp2SkhuN0c5aXMKkYTrgforNlHLf14TLkV2G2qEE87u4dSC\niiywv7ltnotTiAgG2RgQwkmHubpFaEhVyhRskNmVjQI8gZ74AxmC+w==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUzlmMFdySGE0UjJlWEFZ\nL3lNbWpHYUNNTDRHTUE1bVNvMnkzOUZzOEc4CjUrYUNnLzNxQXlJWGJvY2RyU0w1\nWlFpTVFybXdEUVB4cHZIUWFja0poSXMKLS0tIFErMEk3dS9qcWhUUGVnZE41VE0w\nQlBpUCtlQkR2RzlKSjNKMHpHd2xaMUEKe5DRJeyGqMeGWzzWXrdhzLmriXs6BDMq\nA8s4AApF8ojwZdZ7K7k8lslof/kxuFhD7KLhrOJmSgvfRZ8a8vcz7w==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-05-01T09:44:51Z",
|
||||
"mac": "ENC[AES256_GCM,data:Bofuu/7Mk1qbsFUE5HTeX9daEQg2NDby0ev/Q96fiLKwcg0rpIFk84NxwPKB/hLGAiUoHEegnzrCFCcAmGPaVQtr/W6dEKsdeVH3R3UBTekEwkXGAnKvrmcS7Vbd/bzvcSA+NuuO93laAgeU/HjMOmkwZwR8GN1LkxGfinVCGhM=,iv:mqMoCB5welSRzSzaIgi9P+Y60n+/ZrB0LlR8Mx2bIRM=,tag:Ytvv38xMoXzHow4qheRLQA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:Bzc+7/1WPH1P9L9B/fzhtD4PAtsvplXU7SKVyC2o,iv:aLq+EZ1twpHa47nvcIv0M1SIb+IzzIa0lYiu92/GMwI=,tag:+zXRw99x/E2R5MZqIXgz/g==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WlBpTXlhZHBsM2VsVFAw\nUlY3S2l4R3hDZmJoM2lJd0lkNXY5YUNiRVJzClc1b0NxYndEYkZUMy9TS1BmdDBO\nTks3Q2llL1Jkc2NIeWV1QWVpdVdZYVkKLS0tIFovMEtBbU1hTURHZDNzZ0drUndY\nYVU2YTJxVENXdkFTRTdVT0FWa3RoU0EKqZ1XST0fbbagViwG8xtAjjts9AA/Hn0m\nIO5mpZNYNUzf+l0Zi/AjtAnaRrpZowV0gcskfcj3LX30CbwwySH3qA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMjBoZHpBN0JBZVFlUnd2\nWVpYMXNaOVQ2eExuWlBWYWppL2ltYXBnRWlRClRReUcrT2RYck1XQlFINGUyVFNn\nNGdiSkQzUERaTXNEaUJycHBXZ1pXelUKLS0tIDUxMzl1MzBDdmpXRnphUkdhRzRz\nUm9UbWhjUFA4M0JxLyt4d1pMMFJEbUUKwiJziQs5qqTc6Tlm55wHobu5PKGpsoRm\ndKTjasrcUEFWu0cNAxdGXvOUipT8hPazvLl3Ajdo8KYXwP7/LVaTuQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-04-30T12:50:37Z",
|
||||
"mac": "ENC[AES256_GCM,data:vOuXOCzTFrS4M8ZKWc8wVdccTfcqiFjtuRAAPToLOVk1AlY97cT0SIMCNOniSmChYIHIx1rvPqmc16BWYZr0AhYpw8a0XH2XrpCo3M3oLJ8UMiwvn5R2FdU3P9Q+feDpWL5KPy3ii/OuoQBCAovywSs3fhi/dQZfjIQHVs5bqvs=,iv:F7egkb6zDIKYAxRJwRYChR1dboeHGgqS85Er23YT2es=,tag:0UurFP2e0vFw0RbkjnizcA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:rbKMhNQwkuMFJCQHXiwxyEpQLqLsLqBeE6o=,iv:Fo8SoR9wPV0e7r42zpuELHcr0r5YwWpAWhVZJy3rt4Q=,tag:sGHXyai6d5VLMotE1P33Fg==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQnNiN0FXZ0Nkek5DVElW\ncUc4MmNBa0pHOUFsclp6ekZUMWdBVnNjSVJVCkdlME5sWC9rSGhUdjhRSDY3S3Jt\nQjBWLzRIbDNvWVg0eDNITnBnNHlVcGsKLS0tIFFWVms4SmZjSmE3RGZSbnVCYnJH\nUFdZRm1aSkVWZkRLdmlEQkVpa1lQNDAKBomS4CHmrfwiF5UTzVZZsCFqZ2wyCyQE\ndzFQe0ysLekbRTw1FfHnz/vJYsOV1Hk5PqTEFdTFNrYO+I6Rh/0ZIw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TmVtbXl4R3QxOGZ0VmJG\nMlJWMFJGTDIvS0M1cVFmNjFXMkdCR3RDaENZClFac0Zxc0gwUkpHYkdVZWg0NUhs\nRk9va2ZQVFlXVG1VZE10Z3ZuS2NheUUKLS0tIHRhNHlWQ21JNkNnN094LzVwb0tJ\nMUQ3T1Vycm1yQ1l0d0tNdytFcFhoVDQKVaGaWAOXwHWm+FqxILcPlZ+7eDSeNftZ\nZFAP3ANmPMkl311Ucl8kub0a9bY9RhU0ZZn1WGgJD/qL/EAtmudFSA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-04-30T14:56:43Z",
|
||||
"mac": "ENC[AES256_GCM,data:sH/X2WLD3OCJ4Z20s+Mqnoe/xDZzfp0DL0w8HhBshbRu0NtTbQ6MyPwZ7ar3Gl6wBVBVXDfHTX5x2/6Vs/C59NIJCKjeDrkuRWLL1qd1kF9Iqf5CyBjv3Pv/bZVGRkFSQ4IG5SZDRrGyz5+FZEGUbxvYOzZWW6gDrBWsyNn62rM=,iv:ITVFQJEqhqO3w/7m4+tH2d76FI4mghNRd+Em7yZ3QiQ=,tag:kq/rD8MUuWorSDKWGKQQnA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:5IICNx79F7NM4LzU8dWgnmkqn/6zgx/m9swqHsCo6wrqV0C+OCC9lWsBGbQ7sGDZHP9OPo4xXijzgBPelceb6Tb2CrwDo3Ud0UCMNA==,iv:wUMUI6gqaR1it4CaT+qbJfSIKDAXuLIPrfGDpwr+TwY=,tag:pIPF878PCJc/HcOfTEoA/w==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNWZRUnJpY1pLZ2RKY2Vu\neXNQUXdzTUNEbkZyTFFRWVVFRDhCQzdjWGlBCnEvbXlzKzBwQ3c4T0R6RFR3bTRz\nTXcyNEYzMGhoOE5KV0pDTXVBcVRiVjAKLS0tIDBHWTByK0NmRlZLZmxudk1XMFFP\nSU1YLzN0WElPbWk0TTlOMlE5azcrQzQKDBP5mZGRgR9W8jN5nC0SifqR/x5poMOy\nUPsAQx8JVarvbAAXn2btTkjkUCG0ATdIxPDeJenocMzLX8kFOZsV4g==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNXpBU0x6QkhwYWpMVVJh\nTlllS2pkbWNwa01HZjNwNHhNemFlbVNSZUVnCmUrM3lpL0FtdjVwanN6YWJFMjZU\nOUV5ZVIydUFrYWxKNDJiMGVOc0VaSWMKLS0tIGhocjg2RkFDV1IyM0Viamg1QVRX\nNDFTN1M1clB3NHZqV2NrcFBmOURkc0kKmrFWs9yEJ7gyWdyH15HepzYt0d9jkx2w\nqVqYfLx79GHmrZVyzM+10wHrkjP+LJBorcz6QR68JMgagcAbPxi6nQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-05-01T10:05:01Z",
|
||||
"mac": "ENC[AES256_GCM,data:evJedhmyh4E8jHr4YZzaexzoeWok3imHUBBNwKNXwxip0X/BpWdBV8E0+uVMIxhg5PMI58VzRVVrSlcuda2yLBT94+iHWPXIedbk0RxYMhyw21oR53OAgN5/CM5SjfvBB58tr9r1X+kdB6kaCEbH2nVUfsax+A27AGh9m0IcQtc=,iv:Q4PLC3dml+RcSTYf74k5bnoikJX0wwM1pLaiWayOfnM=,tag:eWY312KepmAHiUMFuvhLsQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:WW0RmSs3k81jSgYLt8dHEiJOxlncPWl3QWvRtmNgtIxvup7h,iv:nw7SP15EVWfS78dJE37msnxAZ/goYb7rGqAKNzhXFP4=,tag:yxVyGUMFczq8cGuU4V/FzA==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiM0FBVkhPc2luMjlpSW1R\nN0NlUU9ZQkxIOVAwa3hlMVg3bFluTjRlRUdRCmMxSkMvZjg2ckUyUThhSC9VOW1H\nZExFY2owcHQ5NzJtUW5pbDFjd2oyaEUKLS0tIG1Fd25acHdYWEdlQkMxajhRQXNw\nTGxJUDdPMlRrQ0t3SkVSaWdZZXJGT0EK7WfQ+6jVzOBToqO9wJby/qaF6kM00hMh\n+Y4A08X/ItLzyfCc5LQ97GQ2VlwXK5+HoD7jNnn//3xeH6YC1VBdkg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNlpOQ1QydEJuM3pCbEpK\nSDUzVlppNkFnSDJLSU1ITEdWWCtaUEE0THcwCmljSUl0amx2OTBVZXBPMFNGbjJP\nakNQcWlad1R3cDZYWWZpQkJkQmEvUEEKLS0tIFpJOU1GUnNaTnlaL25GRkdxZnhs\nUEhIVEpNWjNOV2FTSmVnRkVCWm90MDgKMvz6QdPRoYb2bPjS9oSOVA5gTfwrgn4q\nIyboQIMV3oAaAs9LSUcUMBvERzQ31JXnHRzrnqtdiNX0NLbIrN47yg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-06T16:09:34Z",
|
||||
"mac": "ENC[AES256_GCM,data:7iKDT5577mLLeNyi46JHa4AUumqbQm65V3DXqNdNyLWccpIcML8n7jgFNxuK9gTqV2LM6bG18qS1orBJtPdawKnvxJwUaFb3Mo06C2+LVnWG4fT6MV+5eF8y6SM3IngT9BPk7IhTTGWe8lGJ6HTlg+9/f4/cq5NSKfeRgTkDEcE=,iv:T8wjeq2D1J8krhWeQJbVCOPY5sr05z/wMJqvr9onQK8=,tag:XgDTOTa2zv4NiBFN0b3rqA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:ybX1/Uc+LqfgUoZQqCURgPfsTyzlsO+Xn7z8/0H9v5kyfJYX7PI1VlXVFBgR3Xh+2iuTF+v98PQyYeJOYLk3NTWggZayQQ4ivt0DLdhgG+DRFbeN8GMiqV5NWNhnL2tgLBu9DZViBSpgcbg9aHfI2cagboJnCSqyS2w1i/anvKaEgKa5YucrS4jywVxhBbvON6Oa2v8Hb0f/R8Ldl9HSqMM6o3pQEaYOsTNieNy63h9C4ERP/jIhKSajggpeHENdnuQC7Kavz54faL9xaz0jwRHb1fd+IGTM7fxqbyB5702nKEGytDwKzH0fh6q1HJNHbhWeWyCmGFKOkqywaQjcpJsczP2FIwkZmoui0juTEluNk1KzugP0gxtsuwjUiJlZeJxtZEgsnifLPpHyCaN99jzPjhd1TknT7MWZMVJT/R14bdD+QdwvR8rHK8IMctMGrNsqu3+Crdwu3WSfDH9jEM1zAZQNvLUT13azRABz1rpJvNFnvhDTBwDbUJlLpIQcPOPtVKO0IQeM5EUnCr+oCfBrP/To3mqo82s3,iv:jbY6WK0BcyLlU3Sbo7qNOHfCGU4TjUqTiww546Tyq20=,tag:VklHST51z5XI9+UiASBO9g==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlenFrWW45UXcyd3pwaTE0\nY3ROWWFPdzIwK1JuU2h2NCsyanF1VzhoM1NjCndscHZpTUNmcWc0TDd4V2xHM0lh\ndVNZQW1jMGFNeDdxbDhwdFB1Z3AwdVUKLS0tIGNmbVNMRUZGb1lPcnlrdkhnZ3JX\nM2szRHVydldGN3haV2lhZlFMeUgzcU0KDDwWVSjsua4DKXlqqk2Ns2e1zkzJK2Y2\n8+r8bXkBLJyXqQCQteXBrc5U+0n1KfHVkkvPmuBI3BmcAiVVmr/RxQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdHEyT3U0TzJQUW9wM2Z3\nYVdTYmRSeUwrZy9iNTVpcmZJMnhOeHlGRGp3CnVYbk15NWxadk9waFdJVFBKa0Vx\nYUtkYWZuYmhabk1xREtDdzFGdUcyaW8KLS0tIGYxcDVuQXZwdk1rVHJOOHljTmVl\nMXNXTHdSam12djE3Z0UyU2dSZDcrRGcKaQnrYuUpSTjOYYHH0EsqnTLHkU5Md4Ro\nUpeJX1GmAoIAUGruB/8jPbMaDQQXbjNLDCCalStlbqMgbgz/Ty4ukQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-06T16:09:35Z",
|
||||
"mac": "ENC[AES256_GCM,data:2RptHkE/k4JfqdybmnI3sbeEDaaD4bUtEPLuBcpltZjR5EHFYLsEB1Woxlzj2rLqq+8Wr6kWZtsG3uJSxsColUbazJd1CoVJxHpm6tAnM47Mv1YG5PdLwqpwJWji4AI5lAer4ZMfuGDpNbrwvbO3qB8R55r5SYay4b4Yc49wQXA=,iv:ESimFSybysRrgEj+27ECUi6kIklv1IunWVclTjX7C5g=,tag:LONP+cUm5NVcBvgVStZnwQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:zCWFFE6+923po+i6g+ehKgC3FdAEhbmFDTbc6VZIXdBqNO7qvC8K1Q34aZVzQ3HaE6l/p5V7Ax0U0xRypQ==,iv:NJhOMcGg55fznrpM6bSqNvr/lOYAsUUVtfK8eJRs0Iw=,tag:6jadN151/70a7BBXsqMClg==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcHNaTjJlejlJYy90eGFT\nVTloRFV3OVV4enI1OENaeGVpcXpCV0dUenlBCkdONUE3eXhlY1JMRko5Q0VJVFN6\nMkdSR1krYjlJRyswOExRSW9UeUI2czAKLS0tIEJWRDZwRWp1U3V4S0NLOXJDS0ZZ\ncXRFNGxnNXZHNHpvOUpVcTYvM3RoNU0KPgJoJ/22jyUtqGeXfO+DInB3zIwrB+OP\ncjw6Dt7mPYT/OUG6Cq12D6+xMYCm+r4jswtkvWaPhnzGcIOcqMJHwg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa1IvdklYcENvUzlwdnNi\nbnlidGVvMzZLRS9EU1RzZ0VzMUtvOGRGR25zCklqVTA4T2FIR3l2MER2RjRsbkZH\nRWlxUkYyUjIwSzl5SWJHblMvclZwOGsKLS0tICtaYW83M3lXakJsMFNEc0FjYWdC\nU3ZDUEplYk1tOFRiUUpXTVA0NTUyaHMKdtR+rqRz+Jjf4BfCd5B7ygRLYKTDDRJk\nq0eSNG+i+Xjz/kLWsMpmO4Cevhp0SPyLZV2g2CiDo5vXZQ5Qiy8pSQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-10T09:11:22Z",
|
||||
"mac": "ENC[AES256_GCM,data:D+NLO8U8mXc4wzQC1OHoba5t+i92P3ZeZy7M8nPhBvnWFznhWBmHRLTI55c8+Q3tkNJI0rBt43+XjC7X1ij36eSza/8O6dh5+jM4UkvFBBJG8ZTPSqakISmPBN1k80qm6G15ELgRrJc0+DNAuuZVuBAwVNUFmaZNx6FmX/G4nRU=,iv:RlhgqQoXAeNFTLRJubVzFJq0wbZwZOeAyZs2nD7IHfg=,tag:6zgWakwYjf93qyMwKlSG9g==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:bcYm9Jx6NS5T2085GmeUJJeLdD1ZtGSfMtXNWcNkeL7F,iv:jR8k0EMO20ZiBXmb1ddJS5x0c95y9vEPvMig0Y0iXBg=,tag:wZBLbCe8ucQSIGrNOjN1jg==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVWx6TzM4MEpmZ3ExczZo\nNS9kU1Z5NEl1aDdwSzUwSy93anlPQXdOVVVNClBqMENEWUhLVml6dkRZaVk4OU1V\nNjBNV0p2MjFLMDI1c3paOUU0Zndsd28KLS0tIEJZVFA4akVLMzVSanJMcWwweCtE\nZ2h2NE1mdWJNd1VWZDFyT0tvTmlrV0kKfsW5qG12wP+hI/ZCcZNsjv5ububSITLp\n4SzzyeTzpDrGlu/h52szD0VYnB0w3/fF2Ar/lvBYN0y9MXXYUQGdRA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdmZUaThzQzQ0em9reXJM\nTkNNRlhKRWoxR3dVTXc0TEdXV2pNQytXK3lrCkk1Z1g2d2R6V002d2lXNWtFMmo5\nT2tiTGpyRTE4WXk4c0hYOGdFejBITWsKLS0tIFdib0UzL2dNbXRjZHFYOEVGSWVU\nTDlNN0xSQWgzdFVhV21SSE9JNkM0OGcK2icnV6pvh7PMVp5r51b+Ukgl95XiiTHG\nDjj3M24jEh9UX2bYraGyRNnLh3piQe7Jim3/ZAHSOzl105GulapU5g==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-10T09:11:20Z",
|
||||
"mac": "ENC[AES256_GCM,data:Ie9j/N4dB6qKtpzPrQROPbsGQCfzYL8dhtptOB0XQw+mh19vpcvWyzLqYOorM1eBKrUWYob6ZHe27KXxN+9RtPe+KFABlFAQRENfPBVPi9Y7/XxMiMQ2gL6JQkvN47Aou/jWhPIOeuCXuEqr4VEOa0F6jPLmS9aPPc95MV/cHxo=,iv:/R67c5rBG3nIm6iAJedPdXL8R+b1RGez/ejzBDW4tf4=,tag:2A9njvLHsAzda+kh8PYj5w==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:U1NXeka1c0Fe55r8D6lAQiujSHbOW6zLjZ85dmtk02q9Szcjj79A6v/jFezqjbQjTtBvBs7tn39/MhQ6CQ==,iv:WPd7Jl4qldLztNUfErlF0dlMo4fe96aJUpiJk0GJePM=,tag:ruIMTtbVOYE7Y4XXhoBSww==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWHlzTzYwckQwU2VKSDhW\nQmdQdWRSOFgrYk1ZamtDK3JPdkQvcFhrUWhjCjVWbWJYZFUyWnloM1Bram1Rbm1Q\nclZ4NExNOTVCZURFRVhqbGpvNEh5WG8KLS0tIFFkT1ZEOUoxS2NlcFZ0NTFjQmp6\ncUNHOFM1ZWJFaVk4SzJQUzMzbXFXTlEKDUDq9ErdYGm0KYWoXaG8/mVRuW/Sy7hW\nUIzOJ4gdPfB8BxGN5y/Nb0dX+lHN/M4qebcW9KXXPI6Pa3Y6aXCP8g==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMThwK1FPZUdaNnFmZnJm\nZmx6cWs4QTlwVEd2UFBhdHpIYWdZNW5BMEE0Cjg3bTMxbTFWSGF0UG0rTktrdHpG\ncFBvNDJnY1hWbmxKUUhpRHVpRndhMVEKLS0tIE9BemM0ck5MQWw0YTBRUHpIVjI1\nQTI1c1B3T0FOdkc5MVZZSEhzUFNiNncKuTDwqvXvUcXSX0q8aqlKHr4YewKuL82v\nf/6Mow2JDODVJXtdG36ZBUGQWfCcrSDHVrZjlcoTGyxiHXYh49Y8hQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-10T09:11:23Z",
|
||||
"mac": "ENC[AES256_GCM,data:ELrw2J+ar72JSJVWN2qJl3SvmtZUIDaeannl75UJN1Z/HZ70F6HDfasu8gtfRraAc5uKuBviyKm83eElwXELV5ZHz5IMkEvFNYOJsAp65YBzfEZuAMoPMFsBYE9U0MTJeYuN62/j13X8Lyld2JPDyPy6INgozFr5XgWfLgkHfrA=,iv:W51r68thFudKRgl9yaSClSG9ByRMfDzFETIWAycBNHw=,tag:8oRyvy53Cvn1u7UH4DuhMA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:Nx5x4US7N7vKqAhnn2NFwsBiuh9tnAWCBrc6pbNCDQ==,iv:ijhwJFzxggDFPdXVPwKKG0vI8HA8m21xkdFUhHIvCBk=,tag:p1QbTFm/TTyUaGI1s73MIQ==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dDF3ZEVtTVlyMTRLQ2c2\nOTB6WUxvMXdJZ2xrMnlFOElpYmlEMnorb0NrCkN5MzFmMG9GbTc2N0pvbGtTZFdp\nNjI2YmlodlhSaXMyTENjMG44UkxxYUEKLS0tIEhPZEJhWGozdVBMVWM1QkV5cDAx\nYWRBL3VGU0RFY29HVWtTVjJQZVpIdnMKAftERIDtOMw8k3fbMo+KZJ4JYc5UyL3S\n+16m0hWK1BCXkeL2XFGujkzmrGXJF1bxFXCegdH4fnW2+IMESZZO6w==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WmJobW8xTU40RUYyYlVj\nclk4UndKRTBMSDNFSmc4RGx1OGJyd0poTFNjClhQV3BQdlVEeU8rME5OUUtlTmYr\nTzZhR2srYnlzL3l5NUZlVmhFV3BOcXcKLS0tIFVMUm5tTVBXckRsVHVsc0ZrSzB1\nWE02MVJZNWtYc201ZDBrc1d2SUptcW8KPSqT5mBQymSksUv3j1y6vgnMuwQKbiXW\nCtzVtF05hv2Z21L+XIV3LOpJ98GGUoJu2uq7qjKIM4CYX+Jj/GS9Nw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-10T09:11:22Z",
|
||||
"mac": "ENC[AES256_GCM,data:6EeQBxukfz2iNypbkasgDSqb8vMiRaORrA8OvYP5+YNUUguF+jCmSpOUHOM6d2KMF6vGSPLiG15e5IxW7x0QIotMf91Bj46FquzT8PS1hcPTe4WIcg/FHAlLNYqQUgZ9ZlojekkYqs13P8NvFW9pY+MSeYMRQFQLrXvaakcYDHs=,iv:xXALlG13aSaiKiAFUAE/8cZnjh5DaKlinKemoM5tl9E=,tag:x3xVmQwufZav5Yhwxp8cUw==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:vef3eK79BP0R8KS3Ycal0HOfcVTZkB9whZIqjpmgQw==,iv:3i37rWIn5kh6jWQqGFRu0yxyT1Bfa99espOT1DpYB/E=,tag:u90TEhOKTQ8Y8iPvnToeXA==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1K2tkSUE0d0UzYi9XSVdi\nWE5BMVBSTFdLRXJkbk5FaEVvZTUwVjBGT3pRCnVOY3oyK0xIcm4zeXpSb2lzdUZ6\nWDJyUDBDdTdVSmJsYzlBL01qNGtBaW8KLS0tIFoybmZ4cXpZWnhjM2JsMDhNdFVH\nNHhRZTUveDhvRHFGNjhUL0hjNmV2TU0KU9pt2aRKN77uQW5Mq6l/g21YEpokW8Rn\nH0jmBc+n9pPkphojl7VUhm52aBMsUxU94Chko3oHUnTWJXjaS36LAw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBER0c3VCtzb29MUVVvU3p1\naXJXS01uT2NrcmNIT1RyOGJFazA3bFlTNnpvCjVzWmtieVR4ZUV1cWhaR3p3bVNP\ncXp4aWlrZE85cjFRY3RzcThJTlE3SkUKLS0tIGc5UWRINkhhV3lKMjBqYlJDUE5O\ncTY4V05qaGxWM1RYWjFKTXdiM0ZPc00K5nIxr2jMrBdtXJIWjwORM2jXjk7Xcvxu\nIc2KKoOOaQwo7SpAdf/GQm8BoHh2TJcUevfpM0GDII/DyMenhPf1pw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-11T13:38:24Z",
|
||||
"mac": "ENC[AES256_GCM,data:B2gQaMJIFpJuKpPPdaa6Gw0K9DN4FcoEOybSkA+2kMAqMv5cTPVnG7HV/XY21bQKvmGkAvKa6PhouIp46QyajTmUrUlAGrZrt9W1tBwctJlsHiY7O6she6S02NPpKn9CWurh5XIz8NxcZVcMEwWhc3wQdld47puubUOgHpmfqFU=,iv:Bi3CL4Zb9EZoEmA0e3Qg0B6Kwhc5pvlFlioCcX8Fnco=,tag:gk7VaDhZlbfnv8Xrx6mypA==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:S8Y5p8O9KmheK4fRzoSF5/LqanJ0CxkuMEIqPFfhkFbCaXbjRw==,iv:xVlBzGfAqLDk01UI7oXnR7ukjnKMIn9/avxI/KkLWtg=,tag:sn4N8dXipo63YLT9I40s3g==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRmxjY0FWTFBpc3BLK1JB\nMGhrVFJzTHVsNGlzR1FyS0JsSzQxMnpSRWtRCkU3bEhidFd0RTVZTzVXemJCTjhV\nSk4ydHJscUd6cExyK3ZmNnowMkR2OVkKLS0tIFBKZnFvaGx1cStNWU9leUk4Ymd3\nM0FFN1ZRYmZJUU8wQ1lKVlI5bzN1TVUKSTK4MflBBEq4a8RnBMEtKGzrKxjZi9wv\nguglBCGX6tvWVkzGmZWWIT9oSimb4pEPlJKH553WBf4aiF5n+kYwsA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1zwte859d9nvg6wy5dugjkf38dqe8w8qkt2as7xcc5pw3285833xs797uan",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMEpEL1dkM214NmRzdVpw\naUhxSms1ZlZOS0dhdTlVbmkvdFN3MCtFZ3lvCkRYeTFJUHErSFFyK2YvTHdwR3h6\nRVZqNVdkWUh0R09VRDNIVnRNa2FhdFkKLS0tIGxzb3BaQy9vMTZhdjVlVUQ0SEhP\nMHRTWHgxNE1HSVhXM091RVVJUjVmRHMKZD7U1cUvHzvB/rdXRPUAjakxwqrpthUB\nZkLNaY7ws5KNF8dwU72vElPPdz2CWDdIz563u3XV1ZioTkuepgdZyA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-26T12:20:42Z",
|
||||
"mac": "ENC[AES256_GCM,data:SdZInMlmS/fDQDpxuZUTjWwhjJqzPSJ7UN+fY5vsTdXJ+BRLKxZUpMlahXt85PZukfxE2XxjsnDV+tft80qxSv66HzwSnxsecfrxR9OMwGlG4SEdO0NJe2HFWwcSsXJUlGdkefVhUS5HL97Jr/NN69QTX1Ay/NoOoEdW6R6hb+w=,iv:uc9nlVAbScdxOtvERSiQ0SNfSJ6WK95B37MuL30FY2A=,tag:Swkkc/dQflO7MuTZXvm99w==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/qubasa
|
|
@ -1 +0,0 @@
|
|||
../../../machines/web01
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:ruKBCJYW1Q4ivCQ0uXNyI4QpmHF/kux9OtjKFwt6pC2hV2U=,iv:ZYqvNEhGfJxBEs37fX3Rg7KK9M1PKsTFfZEDd1yEbZk=,tag:37uDB6G4vcwYPzmDxJA5/Q==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eXhOZVNMYkhVbkhrMnEy\nVm5zd0JDVHpwSzVDQ1gwK1NEa2MyU0VaRVdZClJPdGdlYXUwNDZPb2xEUWJkdGNJ\nS1d1TXFvRWQzdVM0VGY2NHRhZ2dSTTAKLS0tIEt6SmUyRlE3V0dUSFFqbnV0SGp4\nbnU1bXdhMHF4TktaNE1nd2R2U0FLRkUKjp8Gq7zy34Z7NR0qn/GNVG2G0CSQPKvA\nQG0fbZQfpCySnz7O3GG0iA9Zz77aj1OvKE4iXnmejmEg0OO9gHEAoA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYzAzUm5HTVRNcFFnUENM\nKzlCZno4SlBDcHVkUDNYRXY1cTVQVVRTWmlVCmJMb3QzRm91dkcvMDVvSDFOS3VB\nSUtRSVRrK3BlVjIwU1hBek5FdkxtM28KLS0tIFUzOUNtRmFMV1ZIWjVkbGF5cmM2\nL2NZWVFuNzFIOC9HeWUrRHByWEJzTlkK8GKi6bY4DEWhSnESt+pe2nAm+Omkh/p5\nJkXX0dJIGxuu9VuOUcVIE9m5WmWPKRDS0BinMPZuGSgFYqzn0kV90Q==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-06-11T13:38:26Z",
|
||||
"mac": "ENC[AES256_GCM,data:caOsb2taskbJC8iB9+J+lVHCQGDYt/XZiOo1cKSdhtrkQJ/BJOinZOY6cBGCzv57ewBg6FT9XIEQAqcYzChs910gGFklVAlmwo8BEMFdhg/VTg/qDbBC3AmTGuOepVbFRbsA714UiHuAmbt+pfpe3+wAh9oEEpNRmLc9x8MhNTo=,iv:kKtI4yF7gqm1pXQKIifhJX0+Ugk5FdXNjW39t9cnTf4=,tag:2FTptmViYqx/e0yjOfSndQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
../../../users/joerg
|
|
@ -1,14 +1,16 @@
|
|||
{ self, inputs, ... }:
|
||||
{
|
||||
flake = inputs.clan-core.lib.buildClan {
|
||||
meta.name = "infra";
|
||||
clanName = "infra";
|
||||
directory = self;
|
||||
# Make flake available in modules
|
||||
specialArgs.self = {
|
||||
inherit (self) inputs nixosModules packages;
|
||||
specialArgs = {
|
||||
self = {
|
||||
inherit (self) inputs nixosModules packages;
|
||||
};
|
||||
};
|
||||
machines = {
|
||||
web01 = {
|
||||
web01 = { modulesPath, ... }: {
|
||||
imports = [ (./web01/configuration.nix) ];
|
||||
};
|
||||
};
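Review bot: `web01 = { modulesPath, ... }: {` binds `modulesPath` but the body only sets `imports`, so if that second printed form is the new side the parameter is dead and the plain attribute set `web01 = { imports = [ ./web01/configuration.nix ]; };` says the same thing without an unused binding. `specialArgs = { self = { … }; }` and `specialArgs.self = { … }` are equivalent Nix attribute syntax, so that part of the change is cosmetic; the `# Make flake available in modules` comment would be more useful placed directly above the `specialArgs` line it explains. The `flake = …` attribute set opened in this hunk is closed outside it.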
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p coreutils sops openssh
|
||||
|
||||
# shellcheck disable=SC1008,SC1128
|
||||
|
||||
set -euox pipefail
|
||||
|
||||
HOST="clan.lol"
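Review bot: `set -euox pipefail` turns on xtrace in a script whose nix-shell line pulls in sops and openssh, so every expanded command line — including any decrypted value that is ever passed as an argument or interpolated into an ssh invocation — is echoed to stderr and lands in terminal scrollback or CI logs. Unless the tracing is deliberate, `set -euo pipefail` with xtrace made opt-in, `if [[ -n "${DEBUG:-}" ]]; then set -x; fi`, keeps the same failure semantics without that leak path. The same line appears in the later hunk that begins `#!nix-shell -i bash -p coreutils sops openssh nix` and checks `${HOST:-}`. The part of the script that shows what sops is actually invoked on continues outside this hunk.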
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p nix jq bash rsync
|
||||
|
||||
# shellcheck disable=SC1008,SC1128
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
clan machines update web01
|
||||
|
|
|
@ -10,7 +10,6 @@ ssh_host_rsa_key.pub: ENC[AES256_GCM,data:Gqk5+cDBsYg84d5Y5vowhnPyGncW3bycpeZAsu
|
|||
harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
|
||||
matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
|
||||
registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
|
||||
gitea-buildbot-user: ENC[AES256_GCM,data:GsSP6YMfFoaYslLwceRh9OU6lNYUWQnpTi6Fazyxz/NF8bpy3wbYe+I8P1OlE50rpQ==,iv:ZFnFwXBXZc8c3Q60ZnG7WgcLXQNV9iUhjQxfu3w1lh0=,tag:6WlZkgwA4YY1C3VOEAx4Ww==,type:str]
|
||||
gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
|
||||
merge-bot-gitea-token: ENC[AES256_GCM,data:ULHcaNSYJwMVeeEq4bSiRcVRuUkE9fFUV0AkWW1wM0yHQtD+dmo1GcQ=,iv:dujDWGZ+seoVN8Eez1w3tUuMpGeOHtNLMaa+f2hOpAo=,tag:WoDTsZegC6rrbh7ygWSk+A==,type:str]
|
||||
clan-bot-gitea-token: ENC[AES256_GCM,data:J+8AuAT50Xh4lKUWmigZQ/QBfNuaNKJDVuPj6jAOx06XZDwLEFtE8R8=,iv:8OGDcHbGfv6SOxe6+UBU7rTNgzYJYNJtUysSLao6H50=,tag:LxzSogjPBlxIrPcsgRU2Zw==,type:str]
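Review bot: One of the seven entries between `harmonia-key` and `clan-bot-gitea-token` is dropped on the new side (the hunk shrinks from 7 to 6 lines; the rendered gutter does not show which), but removing an entry from a sops file only stops future decryption of that ciphertext — it stays in git history and remains readable by every age recipient listed in the file, so the credential behind it should be rotated at its issuer (presumably Gitea for the `*-gitea-token` and `gitea-actions-runner` entries) rather than only deleted here. The same consideration applies to the whole-file secret removals earlier in this compare, if those are real deletions rather than files that simply do not exist on the other branch. The second hunk of this file moves `version` from 3.8.1 to 3.7.3 and `lastmodified` back to 2023-07-28, which suggests the new side is the older revision of the file; worth confirming that direction is intended before merging.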
|
||||
|
@ -57,8 +56,8 @@ sops:
|
|||
TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo
|
||||
Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-01T09:44:24Z"
|
||||
mac: ENC[AES256_GCM,data:jH1w5Xk9aAHQreykHiG9PMfljaWO5tm0rIWx1avLntbGVs7Ov1kIuAQ1U8otLMmjI3vA1QXGRMTJFoODqNEMxpBvER60dPPtkwkgnSYE1v9C88PFp3xBDeryrh4aLE9PKxZcY9kf9f7anZ8p1+FL7iYo25pDygD+bHvT/y+qM1k=,iv:L0oI5D5jq4n0x5KsveotGc91+M+Y7EVO6UIzLFfgW98=,tag:vTekW9SRjkdJkIJqcoXa5Q==,type:str]
|
||||
lastmodified: "2023-07-28T09:00:40Z"
|
||||
mac: ENC[AES256_GCM,data:EJGv76KzHaWG80CZy4/1n9JmDl1JafIR4mfNl4uWJeeZqvJm3D47WbXXKeOVnMGuSvElqxnLELpXG+aSxkbxBxc7fGDTwXPlnSb6N81OP4lZ9NfA0VvXo3dQY5vjunGUVhkK+eyVDeE/pIaO/EpIeUiCNug+OzpM5AjNU5KQXYc=,iv:upGfihotn1k1v2QbSapRv1O6aynNRnKW0mqDxJ4JIQg=,tag:ZJTQlwBvRSaV4CK3V2hoRA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
version: 3.7.3
|
||||
|
|
|
@ -1,32 +1,33 @@
|
|||
locals {
|
||||
hostnames = [
|
||||
"@",
|
||||
"git",
|
||||
"mail",
|
||||
"cache",
|
||||
"matrix",
|
||||
"www",
|
||||
"docs",
|
||||
"metrics"
|
||||
]
|
||||
}
|
||||
|
||||
resource "hetznerdns_zone" "server" {
|
||||
name = var.dns_zone
|
||||
ttl = 3600
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "root_a" {
|
||||
resource "hetznerdns_record" "server_a" {
|
||||
for_each = toset(local.hostnames)
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "@"
|
||||
name = each.value
|
||||
type = "A"
|
||||
value = var.ipv4_address
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "root_aaaa" {
|
||||
resource "hetznerdns_record" "server_aaaa" {
|
||||
for_each = toset(local.hostnames)
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "@"
|
||||
type = "AAAA"
|
||||
value = var.ipv6_address
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "wildcard_a" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "*"
|
||||
type = "A"
|
||||
value = var.ipv4_address
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "wildcard_aaaa" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "*"
|
||||
name = each.value
|
||||
type = "AAAA"
|
||||
value = var.ipv6_address
|
||||
}
|
||||
|
@ -41,10 +42,10 @@ resource "hetznerdns_record" "spf" {
|
|||
|
||||
resource "hetznerdns_record" "dkim" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "mail._domainkey"
|
||||
name = "v1._hostnamekey"
|
||||
type = "TXT"
|
||||
# take from `systemctl status opendkim`
|
||||
value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdw2gyAg5TW2/OO2u8sbzlI6vfLkPycr4ufpfFQVvpd31hb6ctvpWXlzVHUDi9KyaWRydB7cAmYvPuZ7KFi1XPzQ213vy0S0AEbnXOJsTyT5FR8cmiuHPhiWGSMrSlB/l78kG6xK6A1x2lWCm2r7z/dzkLyCgAqI79YaUTcYO0eQIDAQAB\""
|
||||
value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpQeJirqh8VFGHRQBemqF5CeicC/5qHJn3vqKkVIOQNqkgp7IE+EZDg+MXoxMQZEJ0RbO0JpZZgYpOf3jf8o5w56WbE4dbpbi+9112R57k5w41R16Q0EUjf7MbrLJqcF6mtf+3bPklF9ngdcWhgN024YfhR9SlebCOapCVYqVt8QIDAQAB\""
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "adsp" {
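Review bot: If `name = "v1._hostnamekey"` is the new side of the `dkim` record (the second of the two printed `name` lines), verifiers will never find the key: DKIM public keys are looked up at `<selector>._domainkey.<domain>` (RFC 6376), so the record must stay under `_domainkey`, e.g. `name = "v1._domainkey"`, with the selector matching what opendkim is configured to sign with. Both printed `p=` values begin with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, the DER prefix of a 1024-bit RSA public key; RFC 8301 recommends 2048-bit DKIM signing keys, so a key rotation to 2048 bits is worth scheduling alongside this change. The comment above `value` could also name the opendkim configuration the selector is taken from, so the DNS label and the signer cannot drift apart again.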
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p coreutils sops openssh nix
|
||||
|
||||
# shellcheck disable=SC1008,SC1128
|
||||
set -euox pipefail
|
||||
|
||||
if [[ -z "${HOST:-}" ]]; then
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
# shellcheck disable=SC1091
|
||||
|
||||
set -eu
|
||||
|
||||
installNix() {
|
||||
|
|