diff --git a/.envrc b/.envrc new file mode 100644 index 00000000..3d4ddbc9 --- /dev/null +++ b/.envrc @@ -0,0 +1,5 @@ +if ! has nix_direnv_version || ! nix_direnv_version 3.0.4; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.4/direnvrc" "sha256-DzlYZ33mWF/Gs8DDeyjr8mnVmQGx7ASYqA5WlxwvBG4=" +fi + +use flake diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 00000000..07a08ee5 --- /dev/null +++ b/.github/workflows/pr.yml @@ -0,0 +1,19 @@ +on: + pull_request: + push: + branches: [develop] + +jobs: + lints: + name: Build + runs-on: ubuntu-22.04 + permissions: + id-token: "write" + contents: "read" + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: DeterminateSystems/flake-checker-action@main + # - name: Run `nix build` + # run: nix build . diff --git a/.gitignore b/.gitignore index 2842cda8..37757e17 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ result* .decrypted~keys.yaml .storage +.direnv diff --git a/.sops.yaml b/.sops.yaml index 32806fe3..f99cc2c4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,7 +6,7 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &jost-s D299483493EAE6B2B3D892B6D33548FA55FF167F - - &dweb-reverse-proxy age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - &dweb-reverse-proxy age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx - &linux-builder-01 age1kxkr407jz77ljrhgsfwfmv2yvqjprc6unvx389xp2f48xj8r0vqq2wew5r creation_rules: @@ -30,7 +30,7 @@ creation_rules: key_groups: - pgp: - *steveej - - *jost-s + # - *jost-s age: - *dweb-reverse-proxy - path_regex: ^secrets/nomad/admin/.+$ diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 00000000..1149e003 --- /dev/null +++ b/.vscode/settings.json 
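Review bot: The three `DeterminateSystems/*-action@main` steps in `.github/workflows/pr.yml` are pinned to a mutable branch while the job requests `id-token: "write"`, so whoever can move that branch decides what runs with the OIDC token this job may mint; pin each step to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: DeterminateSystems/nix-installer-action@<commit-sha placeholder> # <tag placeholder>`, and treat `actions/checkout@v4` the same way. Separately, the job id is `lints` but its display name is `Build`, and the only build step is the commented-out `nix build .`; either drop the `Build` name or re-enable the step so the check does what its name claims.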
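Review bot: Rotating the `dweb-reverse-proxy` age recipient in the `keys:` hunk and commenting `*jost-s` out of the key group in the `creation_rules` hunk only changes how future encryptions are addressed; every existing file matched by those rules stays encrypted to the previous recipient set until `sops updatekeys` is run on it, so the new host key cannot decrypt them yet and the removed recipients still can. That re-encryption does not appear in this diff (the secrets files may be elsewhere in the commit, which I cannot see). If the old age key was replaced because it may have been exposed rather than because the host was rebuilt, the secret values themselves also need rotating, since the earlier ciphertexts remain in git history.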
@@ -0,0 +1,6 @@ +{ + "nixEnvSelector.nixFile": "${workspaceRoot}/flake.nix", + "[nix]": { + "editor.defaultFormatter": "kamadorueda.alejandra" + }, +} diff --git a/flake.lock b/flake.lock index 125633e5..510d52a7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -22,6 +22,114 @@ "type": "github" } }, + "cargo-chef": { + "flake": false, + "locked": { + "lastModified": 1695999026, + "narHash": "sha256-UtLoZd7YBRSF9uXStfC3geEFqSqZXFh1rLHaP8hre0Y=", + "owner": "LukeMathWalker", + "repo": "cargo-chef", + "rev": "6e96ae5cd023b718ae40d608981e50a6e7d7facf", + "type": "github" + }, + "original": { + "owner": "LukeMathWalker", + "ref": "main", + "repo": "cargo-chef", + "type": "github" + } + }, + "cargo-rdme": { + "flake": false, + "locked": { + "lastModified": 1675118998, + "narHash": "sha256-lrYWqu3h88fr8gG3Yo5GbFGYaq5/1Os7UtM+Af0Bg4k=", + "owner": "orium", + "repo": "cargo-rdme", + "rev": "f9dbb6bccc078f4869f45ae270a2890ac9a75877", + "type": "github" + }, + "original": { + "owner": "orium", + "ref": "v1.1.0", + "repo": "cargo-rdme", + "type": "github" + } + }, + "coturn": { + "flake": false, + "locked": { + "lastModified": 1711026554, + "narHash": "sha256-fvxj4G7GmkyuS67QiFcEX8+UlxvjtyfAbilfE9cin5Q=", + "owner": "steveej-forks", + "repo": "coturn", + "rev": "fed3efd2c4447e5e5966eed5cc32a43d768172ad", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "debug-cli-login", + "repo": "coturn", + "type": "github" + } + }, + "crane": { + "inputs": { + "nixpkgs": [ + "nixpkgs-23-11" + ] + }, + "locked": { + "lastModified": 1710003968, + "narHash": "sha256-g8+K+mLiNG5uch35Oy9oDQBAmGSkCcqrd0Jjme7xiG0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "10484f86201bb94bd61ecc5335b1496794fedb78", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "holochain", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707363936, + "narHash": "sha256-QbqyvGFYt84QNOQLOOTWplZZkzkyDhYrAl/N/9H0vFM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "9107434eda6991e9388ad87b815dafa337446d16", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crate2nix": { + 
"flake": false, + "locked": { + "lastModified": 1706909251, + "narHash": "sha256-T7G9Uhh77P0kKri/u+Mwa/4YnXwdPsJSwYCiJCCW+fs=", + "owner": "kolloch", + "repo": "crate2nix", + "rev": "15656bb6cb15f55ee3344bf4362e6489feb93db6", + "type": "github" + }, + "original": { + "owner": "kolloch", + "repo": "crate2nix", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -54,11 +162,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1678184100, - "narHash": "sha256-6R0LmBiS2E6CApdqqFpY2IBXDAg2RQ2JHBkJOLMxXsY=", + "lastModified": 1710144971, + "narHash": "sha256-CjTOdoBvT/4AQncTL20SDHyJNgsXZjtGbz62yDIUYnM=", "owner": "cachix", "repo": "devenv", - "rev": "b9e0ace80abd0ca5631ab5df7d6562ba9d8af50c", + "rev": "6c0bad0045f1e1802f769f7890f6a59504825f4d", "type": "github" }, "original": { @@ -74,11 +182,11 @@ ] }, "locked": { - "lastModified": 1686545384, - "narHash": "sha256-XniReOaWLjubBAXk6Wx2Ny6/b9Xdsx3viLhhs7ycuWw=", + "lastModified": 1710724748, + "narHash": "sha256-aXlifKr6Brg0SBUBgRNEBaZf3JLUeGhM9BX2gam+vvo=", "owner": "nix-community", "repo": "disko", - "rev": "55eea2030a42845102334eb29f054f0c6604a32c", + "rev": "c09c3a9639690f94ddff44c3dd25c85602e5aeb2", "type": "github" }, "original": { @@ -109,6 +217,22 @@ "type": "github" } }, + "empty": { + "flake": false, + "locked": { + "lastModified": 1683792623, + "narHash": "sha256-pQpattmS9VmO3ZIQUFn66az8GSmB4IvYhTTCFn6SUmo=", + "owner": "steveej", + "repo": "empty", + "rev": "8e328e450e4cd32e072eba9e99fe92cf2a1ef5cf", + "type": "github" + }, + "original": { + "owner": "steveej", + "repo": "empty", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
@@ -125,6 +249,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -143,6 +283,23 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nixos-anywhere", @@ -164,12 +321,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { @@ -180,7 +340,25 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems" + "systems": "systems_2" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" }, "locked": { "lastModified": 1692799911, 
@@ -206,11 +384,11 @@ ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", "type": "github" }, "original": { 
@@ -236,6 +414,94 @@ "type": "github" } }, + "holochain": { + "inputs": { + "cargo-chef": "cargo-chef", + "cargo-rdme": "cargo-rdme", + "crane": "crane_2", + "crate2nix": "crate2nix", + "empty": "empty", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "holochain": [ + "holochain", + "empty" + ], + "lair": [ + "holochain", + "empty" + ], + "launcher": [ + "holochain", + "empty" + ], + "nix-filter": "nix-filter", + "nixpkgs": "nixpkgs_3", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "repo-git": "repo-git", + "rust-overlay": "rust-overlay", + "scaffolding": [ + "holochain", + "empty" + ], + "versions": [ + "holochain-versions" + ] + }, + "locked": { + "lastModified": 1710743393, + "narHash": "sha256-xhkOYQotgVNiCAVeBRem8V0b1Csi0p/yZY6XvvzePvU=", + "owner": "holochain", + "repo": "holochain", + "rev": "2a4773ca6985cd08a57f6aafb54565bb988ca6bc", + "type": "github" + }, + "original": { + "owner": "holochain", + "repo": "holochain", + "type": "github" + } + }, + "holochain-versions": { + "inputs": { + "holochain": "holochain_2", + "lair": "lair", + "launcher": "launcher", + "scaffolding": "scaffolding" + }, + "locked": { + "dir": "versions/weekly", + "lastModified": 1710743393, + "narHash": "sha256-xhkOYQotgVNiCAVeBRem8V0b1Csi0p/yZY6XvvzePvU=", + "owner": "holochain", + "repo": "holochain", + "rev": "2a4773ca6985cd08a57f6aafb54565bb988ca6bc", + "type": "github" + }, + "original": { + "dir": "versions/weekly", + "owner": "holochain", + "repo": "holochain", + "type": "github" + } + }, + "holochain_2": { + "flake": false, + "locked": { + "lastModified": 1710291013, + "narHash": "sha256-etoY8oXg3PXFMeZgkixxsKJjH1Uauua366y2TN8+fms=", + "owner": "holochain", + "repo": "holochain", + "rev": "15516823c6f5e0ec7f032e614d804b2376fe0867", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "holochain-0.3.0-beta-dev.40", + "repo": "holochain", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -305,14 +571,60 @@ "url": "https://github.com/ThetaSinner.keys" } }, + "keys_zippy": { + "flake": false, + "locked": { + "narHash": "sha256-0OoNLGRMmWmezTJGQdbQno6BCYHnuuuUKVfY48chkOw=", + "type": "file", + "url": "https://github.com/zippy.keys" + }, + "original": { + "type": "file", + "url": "https://github.com/zippy.keys" + } + }, + "lair": { + "flake": false, + "locked": { + "lastModified": 1709335027, + "narHash": "sha256-rKMhh7TLuR1lqze2YFWZCGYKZQoB4dZxjpX3sb7r7Jk=", + "owner": "holochain", + "repo": "lair", + "rev": "826be915efc839d1d1b8a2156b158999b8de8d5b", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "lair_keystore-v0.4.4", + "repo": "lair", + "type": "github" + } + }, + "launcher": { + "flake": false, + "locked": { + "lastModified": 1706294585, + "narHash": "sha256-92Qc6hBMFfHo3w1m1+EpNAAV+7whpkgRHiGqNiXaMCg=", + "owner": "holochain", + "repo": "launcher", + "rev": "51a45a7141abc98a861b34b288b384f50f359485", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "holochain-weekly", + "repo": "launcher", + "type": "github" + } + }, "lowdown-src": { "flake": false, "locked": { - "lastModified": 1633514407, - "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", + "lastModified": 1700431489, + "narHash": "sha256-YB0ksW9HFRVr0WbtBcF4KSN44r02+ArD1Voipw8rU/8=", "owner": "kristapsdz", "repo": "lowdown", - "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", + "rev": "1200b9f4ceceb5795ccc0a02a2105310f0819222", "type": "github" }, "original": { @@ -323,7 +635,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] 
@@ -367,6 +679,21 @@ "type": "github" } }, + "nix-filter": { + "locked": { + "lastModified": 1705332318, + "narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "3449dc925982ad46246cfc36469baf66e1b64f17", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nixos-2305": { "locked": { "lastModified": 1686478675, @@ -386,7 +713,7 @@ "nixos-anywhere": { "inputs": { "disko": "disko_2", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "nixos-2305": "nixos-2305", "nixos-images": "nixos-images", "nixpkgs": [ @@ -449,6 +776,22 @@ "type": "github" } }, + "nixpkgs-23-11": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-lib": { "locked": { "dir": "lib", @@ -467,6 +810,24 @@ "type": "github" } }, + "nixpkgs-lib_2": { + "locked": { + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-regression": { "locked": { "lastModified": 1643052045, 
@@ -485,16 +846,16 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1673800717, - "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=", + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -581,18 +942,17 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1695975771, - "narHash": "sha256-+AGkCM+ZHal3gk6AjOo+vnUMv0I9Kqmas01v2ldEIpQ=", - "owner": "nixos", + "lastModified": 1710631334, + "narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "c710fc3c3e41e7b7e02dc40885f55aa341461678", + "rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a", "type": "github" }, "original": { - "owner": "nixos", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" } }, "pre-commit-hooks": { 
@@ -612,11 +972,27 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1677160285, - "narHash": "sha256-tBzpCjMP+P3Y3nKLYvdBkXBg3KvTMo3gvi8tLQaqXVY=", + "lastModified": 1708018599, + "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "flake": false, + "locked": { + "lastModified": 1707297608, + "narHash": "sha256-ADjo/5VySGlvtCW3qR+vdFF4xM9kJFlRDqcC9ZGI8EA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "2bd861ab81469428d9c823ef72c4bb08372dd2c4", + "rev": "0db2e67ee49910adfa13010e7f012149660af7f0", "type": "github" }, "original": { 
@@ -625,25 +1001,85 @@ "type": "github" } }, + "repo-git": { + "flake": false, + "locked": { + "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=", + "type": "file", + "url": "file:/dev/null" + }, + "original": { + "type": "file", + "url": "file:/dev/null" + } + }, "root": { "inputs": { "cachix_for_watch_store": "cachix_for_watch_store", + "coturn": "coturn", + "crane": "crane", "darwin": "darwin", "disko": "disko", "flake-parts": "flake-parts", + "holochain": "holochain", + "holochain-versions": "holochain-versions", "home-manager": "home-manager", "keys_artbrock": "keys_artbrock", "keys_jost-s": "keys_jost-s", "keys_steveej": "keys_steveej", "keys_thetasinner": "keys_thetasinner", + "keys_zippy": "keys_zippy", "microvm": "microvm", "nixos-anywhere": "nixos-anywhere", - "nixpkgs": "nixpkgs_3", + "nixpkgs": [ + "nixpkgs-23-11" + ], + "nixpkgs-23-11": "nixpkgs-23-11", "nixpkgsGithubActionRunners": "nixpkgsGithubActionRunners", "nixpkgsMaster": "nixpkgsMaster", "nixpkgsUnstable": "nixpkgsUnstable", "sops-nix": "sops-nix", - "srvos": "srvos" + "srvos": "srvos", + "tx5": "tx5" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "holochain", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710727870, + "narHash": "sha256-Ulsx+t4SnRmjMJx4eF2Li+3rBGYhZp0XNShVjIheCfg=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a1b17cacfa7a6ed18f553a195a047f4e73e95da9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "scaffolding": { + "flake": false, + "locked": { + "lastModified": 1708377063, + "narHash": "sha256-5+iEjwMO/sTe1h9JVrfn77GjliIRVJQFS2yvI3KTsL8=", + "owner": "holochain", + "repo": "scaffolding", + "rev": "c41f01d2ff19fe58b6632860d85f88a96e16fd65", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "holochain-weekly", + "repo": "scaffolding", + "type": "github" } }, "sops-nix": { 
@@ -674,11 +1110,11 @@ ] }, "locked": { - "lastModified": 1686528292, - "narHash": "sha256-RWSI4qsx2NTPZa7e27DKLEAYOjtyGADSJ1sPB1j4yQA=", + "lastModified": 1710722976, + "narHash": "sha256-tAQvMzQ3pB4O7C0WJqvewlywEpJQRTdu2om5bgKV3L8=", "owner": "numtide", "repo": "srvos", - "rev": "5db34b8c369dad476406ef8ac6382fd019bd07a3", + "rev": "6f5c52bcd3b9e7c0e88907a75d284d11b609a36c", "type": "github" }, "original": { @@ -702,6 +1138,36 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -722,6 +1188,23 @@ "repo": "treefmt-nix", "type": "github" } + }, + "tx5": { + "flake": false, + "locked": { + "lastModified": 1707175829, + "narHash": "sha256-Lkry9eEUk6aXe7aQ824YwkG2Ra44GPapIznGR2Ao/PA=", + "owner": "holochain", + "repo": "tx5", + "rev": "d5fa9096eae2156618c701e87b7c40770faa123c", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "tx5-signal-srv-v0.0.7-alpha", + "repo": "tx5", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 9526a6f6..70799c88 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,7 +2,8 @@ description = "The new, performant, and simplified version of Holochain on Rust (sometimes called Holochain RSM for Refactored State Model) "; inputs = { - nixpkgs = {url = "github:nixos/nixpkgs/release-23.05";}; + nixpkgs.follows = "nixpkgs-23-11"; + nixpkgs-23-11 = {url = "github:nixos/nixpkgs/nixos-23.11";}; nixpkgsGithubActionRunners = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsUnstable = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsMaster = {url = "github:nixos/nixpkgs/master";}; @@ -32,6 +33,11 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + crane = { + url = "github:ipetkov/crane"; + inputs.nixpkgs.follows = "nixpkgs-23-11"; + }; + keys_steveej = { url = "https://github.com/steveej.keys"; flake = false; @@ -46,7 +52,7 @@ # url = "https://github.com/maackle.keys"; # flake = false; # }; - + # hash mismatch 20230821 # keys_neonphog = { # url = "https://github.com/neonphog.keys"; @@ -63,17 +69,30 @@ flake = false; }; - # NAR mismatch as of 2023/07/21 - # keys_zippy = { - # url = "https://github.com/zippy.keys"; - # flake = false; - # }; + keys_zippy = { + url = "https://github.com/zippy.keys"; + flake = false; + }; keys_artbrock = { url = "https://github.com/artbrock.keys"; flake = false; }; - cachix_for_watch_store.url = github:cachix/cachix/v1.5; + cachix_for_watch_store.url = "github:cachix/cachix/v1.5"; + + tx5.url = "github:holochain/tx5/tx5-signal-srv-v0.0.7-alpha"; + tx5.flake = false; + + holochain-versions.url = "github:holochain/holochain?dir=versions/weekly"; + holochain = { + url = "github:holochain/holochain"; + inputs.versions.follows = "holochain-versions"; + }; + + coturn = { + flake = false; + url = "github:steveej-forks/coturn/debug-cli-login"; + }; }; outputs = inputs @ { 
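Review bot: `coturn` is taken from `github:steveej-forks/coturn/debug-cli-login`, a branch of a personal fork, and it is the source the new turn-server overlay builds the TURN daemon from; the lock file fixes it to a revision, so the build is reproducible, but nothing in `flake.nix` records why the fork is needed or when it can be dropped. A comment at the input, `# fork of coturn/coturn: <reason placeholder>; return to nixpkgs' coturn once <upstream change placeholder> lands`, would give the next maintainer a path back to an upstream-maintained build of an internet-facing service. `holochain.url = "github:holochain/holochain"` likewise tracks the default branch with no `ref`, unlike `tx5`, which names a tag; if a specific release is intended, say so in the URL.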
@@ -155,7 +174,9 @@ }; packages = { - nomad = inputs'.nixpkgsMaster.legacyPackages.nomad_1_6; + nomad = inputs'.nixpkgs.legacyPackages.nomad_1_6; + + nixos-anywhere = inputs'.nixos-anywhere.packages.default; }; }; flake = { diff --git a/modules/flake-parts/_template.nix b/modules/flake-parts/_template.nix index a0742dbd..297557d1 100644 --- a/modules/flake-parts/_template.nix +++ b/modules/flake-parts/_template.nix @@ -1,16 +1,9 @@ { # System independent arguments. - self, - lib, - inputs, ... }: { perSystem = { # Arguments specific to the `perSystem` context. - config, - self', - inputs', - pkgs, ... }: { # system specific outputs like, apps, checks, packages diff --git a/modules/flake-parts/darwinConfigurations.macos-01/default.nix b/modules/flake-parts/darwinConfigurations.macos-01/default.nix index c6910a17..1c5f2f9d 100644 --- a/modules/flake-parts/darwinConfigurations.macos-01/default.nix +++ b/modules/flake-parts/darwinConfigurations.macos-01/default.nix @@ -1,8 +1,6 @@ { - self, lib, inputs, - config, ... }: let system = "aarch64-darwin"; diff --git a/modules/flake-parts/darwinConfigurations.macos-02/default.nix b/modules/flake-parts/darwinConfigurations.macos-02/default.nix index 6f3ebef1..e454dcc4 100644 --- a/modules/flake-parts/darwinConfigurations.macos-02/default.nix +++ b/modules/flake-parts/darwinConfigurations.macos-02/default.nix @@ -1,8 +1,6 @@ { - self, lib, inputs, - config, ... }: let system = "x86_64-darwin"; diff --git a/modules/flake-parts/darwinConfigurations.macos-03/default.nix b/modules/flake-parts/darwinConfigurations.macos-03/default.nix index b33d4802..2e355d0a 100644 --- a/modules/flake-parts/darwinConfigurations.macos-03/default.nix +++ b/modules/flake-parts/darwinConfigurations.macos-03/default.nix @@ -1,8 +1,6 @@ { - self, lib, inputs, - config, ... }: let system = "aarch64-darwin"; 
diff --git a/modules/flake-parts/darwinConfigurations.macos-04/default.nix b/modules/flake-parts/darwinConfigurations.macos-04/default.nix index 2ed7651d..9adde8c1 100644 --- a/modules/flake-parts/darwinConfigurations.macos-04/default.nix +++ b/modules/flake-parts/darwinConfigurations.macos-04/default.nix @@ -1,8 +1,6 @@ { - self, lib, inputs, - config, ... }: let system = "aarch64-darwin"; diff --git a/modules/flake-parts/darwinConfigurations.macos-05/default.nix b/modules/flake-parts/darwinConfigurations.macos-05/default.nix index 73e69583..60e97fe7 100644 --- a/modules/flake-parts/darwinConfigurations.macos-05/default.nix +++ b/modules/flake-parts/darwinConfigurations.macos-05/default.nix @@ -1,8 +1,6 @@ { - self, lib, inputs, - config, ... }: let system = "aarch64-darwin"; diff --git a/modules/flake-parts/darwinConfigurations.macos-06/default.nix b/modules/flake-parts/darwinConfigurations.macos-06/default.nix index 6b9a31b4..301155d5 100644 --- a/modules/flake-parts/darwinConfigurations.macos-06/default.nix +++ b/modules/flake-parts/darwinConfigurations.macos-06/default.nix @@ -1,8 +1,6 @@ { - self, lib, inputs, - config, ... }: let system = "x86_64-darwin"; diff --git a/modules/flake-parts/formatter.nix b/modules/flake-parts/formatter.nix index abfc0c09..905eb44a 100644 --- a/modules/flake-parts/formatter.nix +++ b/modules/flake-parts/formatter.nix @@ -1,15 +1,5 @@ -{ - self, - lib, - ... -}: { - perSystem = { - config, - self', - inputs', - pkgs, - ... - }: { +{...}: { + perSystem = {pkgs, ...}: { # define formatter used by `nix fmt` formatter = pkgs.alejandra; }; diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix new file mode 100644 index 00000000..a31da6bb --- /dev/null +++ b/modules/flake-parts/holochain-turn-server.nix 
@@ -0,0 +1,186 @@ +{ + # System independent arguments. + self, + lib, + ... +}: { + flake = { + # system independent outputs like nixosModules, nixosConfigurations, etc. + + # nixosConfigurations.example-host = ... + overlays.coturn = _final: previous: { + coturn = previous.coturn.overrideAttrs ( + _super: { + src = self.inputs.coturn; + # coturn for NixOS needs to be built without libev_ok, otherwise acme-redirect won't work + LIBEV_OK = "0"; + meta.platforms = lib.platforms.linux; + } + ); + }; + + nixosModules.holochain-turn-server = { + config, + lib, + ... + }: let + cfg = config.services.holochain-turn-server; + in { + options.services.holochain-turn-server = { + enable = lib.mkEnableOption "holochain turn server"; + url = lib.mkOption { + description = "publicly visible url for the turn server"; + type = lib.types.str; + }; + turn-cert-dir = lib.mkOption { + description = "directory where fullchain.pem and key.pem are expected to exist"; + type = lib.types.str; + default = config.security.acme.certs.${cfg.url}.directory; + }; + address = lib.mkOption { + description = "address coturn should listen on"; + type = lib.types.str; + }; + + nginx-http-port = lib.mkOption { + description = "port for nginx to listen on for answering ACME challenges"; + type = lib.types.int; + # skipping 81 because it's the default coturn alternative http port + default = 82; + }; + + coturn-min-port = lib.mkOption { + description = "lower port for coturn's range"; + type = lib.types.int; + default = 20000; + }; + + coturn-max-port = lib.mkOption { + description = "upper port for coturn's range"; + type = lib.types.int; + default = 65535; # which is default but here listing explicitly + }; + + verbose = lib.mkEnableOption "verbose logging"; + + acme-redirect = lib.mkOption { + description = "value passed to acme-redirect configuration option"; + type = lib.types.str; + default = "http://acme-${cfg.url}/.well-known/acme-challenge/"; + }; + + username = lib.mkOption { + description = 
"user for establishing turn connections to coturn"; + type = lib.types.str; + default = "test"; + }; + + credential = lib.mkOption { + description = "credential for establishing turn connections to coturn"; + type = lib.types.str; + default = "test"; + }; + + extraCoturnAttrs = lib.mkOption { + description = "extra attributes assigned to services.coturn"; + type = lib.types.attrs; + default = {}; + }; + }; + + config = lib.mkIf cfg.enable { + nixpkgs.overlays = [self.overlays.coturn]; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + 9641 # prometheus + + cfg.nginx-http-port + ]; + networking.firewall.allowedUDPPorts = [ + 80 + 443 + 9641 # prometheus + ]; + networking.firewall.allowedUDPPortRanges = [ + { + from = cfg.coturn-min-port; + to = cfg.coturn-max-port; + } + ]; + + services.coturn = + { + enable = true; + listening-port = 80; + tls-listening-port = 443; + listening-ips = [cfg.address]; + lt-cred-mech = true; # Use long-term credential mechanism. + realm = cfg.url; + cert = "${cfg.turn-cert-dir}/fullchain.pem"; + pkey = "${cfg.turn-cert-dir}/key.pem"; + no-cli = false; + min-port = cfg.coturn-min-port; + max-port = cfg.coturn-max-port; + extraConfig = + '' + no-software-attribute + no-multicast-peers + no-tlsv1 + no-tlsv1_1 + user=${cfg.username}:${cfg.credential} + prometheus + '' + + lib.strings.optionalString cfg.verbose '' + verbose + '' + + lib.strings.optionalString (cfg.acme-redirect != null) '' + acme-redirect=${cfg.acme-redirect} + ''; + } + // cfg.extraCoturnAttrs; + + systemd.services.coturn.serviceConfig = { + LimitNOFILESoft = 10000; + }; + + # Add turnserver user to nginx group, because turnserver needs to have access to TLS certs from /var/lib/acme/ + users.groups.nginx.members = ["turnserver"]; + + services.nginx = { + enable = true; + + # the sole purpose of nginx here is TLS certificate renewal from letsencrypt + # coturn redirects ACME, i.e. 
HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' + # to acme-turn.holo.host, which is intercepted by a reverse-proxy and redirected to port ${cfg.nginx-http-port} on this host + virtualHosts."${cfg.url}" = { + listen = [ + { + addr = "${cfg.address}"; + port = cfg.nginx-http-port; + ssl = false; + } + ]; + enableACME = true; + serverName = cfg.url; + }; + }; + + security.acme = { + acceptTerms = true; + defaults = { + email = "acme@holo.host"; + }; + + # after certificate renewal by acme coturn.service needs to reload this new cert, too + # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 + certs."${cfg.url}".reloadServices = ["coturn"]; + + # staging server has higher retry limits. uncomment the following when debugging ACME challenges. + # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + }; + }; + }; +} diff --git a/modules/flake-parts/microvms.nix-cache/configuration.nix b/modules/flake-parts/microvms.nix-cache/configuration.nix index 8a29e5fb..947ce41e 100644 --- a/modules/flake-parts/microvms.nix-cache/configuration.nix +++ b/modules/flake-parts/microvms.nix-cache/configuration.nix @@ -1,8 +1,6 @@ { name, self, - config, - lib, pkgs, ... }: let diff --git a/modules/flake-parts/microvms.nix-cache/default.nix b/modules/flake-parts/microvms.nix-cache/default.nix index 8c2c576a..a40a71ec 100644 --- a/modules/flake-parts/microvms.nix-cache/default.nix +++ b/modules/flake-parts/microvms.nix-cache/default.nix @@ -13,12 +13,7 @@ in { # Include the microvm module inputs.microvm.nixosModules.microvm # Add more modules here - ({ - config, - lib, - pkgs, - ... - }: { + ({config, ...}: { microvm.mem = 1024 * 8; microvm.vcpu = 4; diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix index 2b385aff..1064e71f 100644 
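Review bot: `username` and `credential` both default to `"test"` and are interpolated into `extraConfig` as `user=${cfg.username}:${cfg.credential}`, so a host that enables `services.holochain-turn-server` without overriding them runs a relay with a guessable long-term credential, and whatever value is chosen ends up in the world-readable Nix store because it is part of the generated config. Consider removing the defaults so evaluation fails when they are unset, and keeping the secret out of the store — either the upstream module's `services.coturn.static-auth-secret-file` (a different auth mechanism, so the client side would change too) or a file managed by the sops-nix input the flake already has. The firewall also opens `9641` on both TCP and UDP to every source; coturn's `prometheus` exporter is an HTTP endpoint, so the UDP entry is dead and the TCP one exposes metrics without authentication unless something outside this file restricts it. Finally, `acme-redirect` is `lib.types.str` with a default, so `cfg.acme-redirect != null` can never be false; `type = lib.types.nullOr lib.types.str;` would make the opt-out that check implies actually reachable.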
--- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix @@ -7,7 +7,6 @@ ... }: let ipv4 = "5.78.43.185"; - ipv6Prefix = "2a01:4ff:1f0:872a"; fqdn2domain = "infra.holochain.org"; in { imports = [ @@ -37,36 +36,31 @@ in { "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" ]; - boot.loader.grub = { - efiSupport = false; - device = "/dev/sda"; - }; - # boot.loader.systemd-boot.enable = true; - # boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_latest; - - systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6Prefix}::1/64"; + boot.loader.systemd-boot.enable = false; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = false; disko.devices.disk.sda = { device = "/dev/sda"; type = "disk"; content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "0"; - end = "1M"; - part-type = "primary"; - flags = ["bios_grub"]; - } - { - name = "root"; - start = "1M"; - end = "100%"; - part-type = "primary"; - bootable = true; + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; content = { type = "btrfs"; extraArgs = ["-f"]; # Override existing partition @@ -77,15 +71,16 @@ in { }; "/nix" = { mountOptions = ["noatime"]; + mountpoint = "/nix"; }; }; }; - } - ]; + }; + }; }; }; - system.stateVersion = "23.05"; + system.stateVersion = "23.11"; ### ZeroTier services.zerotierone = { @@ -94,6 +89,7 @@ in { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" + "nomad" ]; sops.secrets.zerotieroneNetworks = { 
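Review bot: `system.stateVersion` moves from `"23.05"` to `"23.11"` in the same hunk that closes the new GPT/ESP disko layout; that bump is only correct if the host is reinstalled from scratch with this layout (which the disko change suggests, but the hunk does not say), because on an in-place upgrade `stateVersion` must keep the value the system was first installed with so on-disk stateful defaults do not change underneath it. If a reinstall is intended, a one-line comment such as `# host reinstalled via nixos-anywhere with the GPT layout above` would record that for the next reader. The enclosing attribute set starts and ends outside the hunk.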
@@ -152,6 +148,7 @@ in { ### BIND and ACME + # FIXME: changes to the bind zone require a manual `systemctl restart bind` system.activationScripts.bind-zones.text = '' mkdir -p /etc/bind/zones chown named:named /etc/bind/zones @@ -186,6 +183,10 @@ in { amsterdam2023.events.${fqdn2domain}. A 10.1.3.187 sj-bm-hostkey0.dev.${fqdn2domain}. A 185.130.224.33 + + turn.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.address} + signal.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.tx5-signal-server.address} + bootstrap.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.kitsune-bootstrap.address} ''; }; @@ -306,6 +307,12 @@ in { # reverse_proxy https://holochain-ci.cachix.org ''; }; + + "acme-turn.${fqdn2domain}:80" = { + extraConfig = '' + reverse_proxy http://turn.${fqdn2domain}:${builtins.toString self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.nginx-http-port} + ''; + }; }; sops.secrets.global-server-nomad-key = { @@ -316,7 +323,7 @@ in { services.nomad = { enable = true; - package = self.packages.${pkgs.system}.nomad; + package = pkgs.nomad_1_6; enableDocker = false; dropPrivileges = false; diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/default.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/default.nix index dd1f2d86..a961336c 100644 --- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/default.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/default.nix @@ -1,5 +1,4 @@ { - config, self, lib, inputs, diff --git a/modules/flake-parts/nixosConfigurations.linux-builder-01/configuration.nix b/modules/flake-parts/nixosConfigurations.linux-builder-01/configuration.nix index 5496cfcd..bb24ca66 100644 --- a/modules/flake-parts/nixosConfigurations.linux-builder-01/configuration.nix 
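Review bot: The FIXME added under `### BIND and ACME` names a gap that the records added in the next hunk (`turn.`, `signal.` and `bootstrap.` A records derived from `self.nixosConfigurations.turn-infra-holochain-org`) make more likely to bite, because the zone text now changes whenever the turn host's addresses change rather than only when this file is edited. Rather than a manual restart, tie the unit to the zone content: `systemd.services.bind.restartTriggers = [config.system.activationScripts.bind-zones.text];` (this assumes the unit is `bind`, as the FIXME's `systemctl restart bind` suggests). Whether the SOA serial is bumped on change is not visible in the hunk; if it is hand-maintained, secondaries will not pick up the new records until it is. The activation script body continues outside the hunk.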
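Review bot: The new caddy site `"acme-turn.${fqdn2domain}:80"` proxies every plain-HTTP request on that name to the turn host's `nginx-http-port`, although the turn module's comment visible earlier on this page says only `^/.well-known/acme-challenge/(.*)` is meant to be intercepted; restricting the matcher keeps that port from being reachable for arbitrary requests through this host: `reverse_proxy /.well-known/acme-challenge/* http://turn.${fqdn2domain}:${builtins.toString self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.nginx-http-port}`. That same comment names `acme-turn.holo.host` while this entry answers for `acme-turn.infra.holochain.org`; whether the coturn-side redirect really targets this name is not visible here and is worth checking before the next certificate renewal. The `virtualHosts` set this entry belongs to starts outside the hunk.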
+++ b/modules/flake-parts/nixosConfigurations.linux-builder-01/configuration.nix @@ -1,6 +1,5 @@ { config, - lib, inputs, self, pkgs, diff --git a/modules/flake-parts/nixosConfigurations.linux-builder-01/default.nix b/modules/flake-parts/nixosConfigurations.linux-builder-01/default.nix index 19c37035..a6e80dec 100644 --- a/modules/flake-parts/nixosConfigurations.linux-builder-01/default.nix +++ b/modules/flake-parts/nixosConfigurations.linux-builder-01/default.nix @@ -1,5 +1,4 @@ { - config, self, lib, inputs, diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md new file mode 100644 index 00000000..3a6923c5 --- /dev/null +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md @@ -0,0 +1,7 @@ +This machine is of type CCX23 + +# Installation + +``` +nix run github:numtide/nixos-anywhere -- --flake .\#nixosConfigurations.turn-infra-holochain-org root@turn.infra.holochain.org +``` diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix new file mode 100644 index 00000000..5c184948 --- /dev/null +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix 
@@ -0,0 +1,148 @@
+{
+ config,
+ inputs,
+ self,
+ pkgs,
+ ...
+}: let
+
+ turnIpv4 = "37.27.24.128";
+ turnFqdn = "turn.infra.holochain.org";
+
+ signalIpv4 = "95.217.30.224";
+ signalFqdn = "signal.infra.holochain.org";
+
+ bootstrapIpv4 = "95.216.179.59";
+ bootstrapFqdn = "bootstrap.infra.holochain.org";
+in {
+ imports = [
+ inputs.disko.nixosModules.disko
+ inputs.srvos.nixosModules.server
+ inputs.srvos.nixosModules.mixins-terminfo
+ inputs.srvos.nixosModules.hardware-hetzner-cloud
+
+ inputs.sops-nix.nixosModules.sops
+
+ self.nixosModules.holo-users
+ ../../nixos/shared.nix
+ ../../nixos/shared-nix-settings.nix
+
+ self.nixosModules.holochain-turn-server
+ self.nixosModules.tx5-signal-server
+ self.nixosModules.kitsune-bootstrap
+ ];
+
+ networking.hostName = "turn-infra-holochain-org"; # Define your hostname.
+
+ hostName = turnIpv4;
+
+ nix.settings.max-jobs = 8;
+
+ nix.settings.substituters = [
+ "https://holochain-ci.cachix.org"
+ ];
+
+ nix.settings.trusted-public-keys = [
+ "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
+ ];
+
+ boot.loader.grub.enable = false;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.kernelPackages = pkgs.linuxPackages;
+
+ # FIXME: is there a better way to do this?
+ environment.etc."systemd/network/10-cloud-init-eth0.network.d/00-floating-ips.conf".text = ''
+ [Network]
+ Address = ${signalIpv4}/32
+ Address = ${bootstrapIpv4}/32
+ '';
+
+ disko.devices.disk.sda = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "1G";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = ["noatime"];
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "23.05";
+
+ services.holochain-turn-server = {
+ enable = true;
+ url = turnFqdn;
+ address = turnIpv4;
+ username = "test";
+ credential = "test";
+ verbose = false;
+ extraCoturnAttrs = {
+ cli-ip = "127.0.0.1";
+ cli-password = "$5$4c2b9a49c5e013ae$14f901c5f36d4c8d5cf0c7383ecb0f26b052134293152bd1191412641a20ddf5";
+ };
+ };
+
+ services.tx5-signal-server = {
+ enable = true;
+ address = signalIpv4;
+ port = 8443;
+ tls-port = 443;
+ url = signalFqdn;
+ iceServers = [
+ {
+ urls = [
+ "stun:${config.services.holochain-turn-server.url}:80"
+ ];
+ }
+ {
+ urls = [
+ "turn:${config.services.holochain-turn-server.url}:80"
+ "turn:${config.services.holochain-turn-server.url}:80?transport=tcp"
+ "turns:${config.services.holochain-turn-server.url}:443?transport=tcp"
+ ];
+
+ inherit
+ (config.services.holochain-turn-server)
+ username
+ credential
+ ;
+ }
+ ];
+ };
+
+ services.kitsune-bootstrap = {
+ enable = true;
+ address = bootstrapIpv4;
+ port = 8444;
+ tls-port = 443;
+ url = bootstrapFqdn;
+ };
+}
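Review bot: `username = "test"; credential = "test";` under `services.holochain-turn-server` are static TURN credentials committed in clear and, through `iceServers`, handed to every client of the signal server, so anyone who can reach `turn.infra.holochain.org` can relay traffic through it. If an open relay is intended, a comment on these two lines should say so; otherwise the credential belongs in a sops-nix secret (the host already imports `inputs.sops-nix.nixosModules.sops`), and coturn's `use-auth-secret`/`static-auth-secret` mechanism is the usual way to let the signal server hand out short-lived credentials instead of a shared password — whether `holochain-turn-server` exposes that beyond `extraCoturnAttrs` is not visible here. The hashed `cli-password` is lower risk because `cli-ip` is loopback, but it still lands world-readable in the Nix store, so the underlying password should not be reused elsewhere. The `00-floating-ips.conf` drop-in is written as a raw file; its FIXME is fair, since an IP typo there will only surface at network start rather than at eval.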
diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix new file mode 100644 index 00000000..b2243723 --- /dev/null +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix @@ -0,0 +1,12 @@ +{ + self, + lib, + inputs, + ... +}: { + flake.nixosConfigurations.turn-infra-holochain-org = inputs.nixpkgs.lib.nixosSystem { + modules = [./configuration.nix]; + system = "x86_64-linux"; + specialArgs = self.specialArgs; + }; +} diff --git a/modules/flake-parts/nixosModules.holo-users.nix b/modules/flake-parts/nixosModules.holo-users.nix index 4490f0a9..c5164208 100644 --- a/modules/flake-parts/nixosModules.holo-users.nix +++ b/modules/flake-parts/nixosModules.holo-users.nix @@ -4,8 +4,13 @@ ... }: { flake.nixosModules.holo-users = { - users.users.root.openssh.authorizedKeys.keyFiles = - lib.attrValues - (lib.filterAttrs (name: _: lib.hasPrefix "keys_" name) inputs); + users.users.root.openssh.authorizedKeys = { + keyFiles = + lib.attrValues + (lib.filterAttrs (name: _: lib.hasPrefix "keys_" name) inputs); + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHujII5RAwfEXNBYxKhWv2Wx/oHeHUTc8CACZ3M5W3p neonphog@gmail.com" + ]; + }; }; } diff --git a/modules/flake-parts/packages.nix b/modules/flake-parts/packages.default.nix similarity index 73% rename from modules/flake-parts/packages.nix rename to modules/flake-parts/packages.default.nix index da2fd2be..bdc7084d 100644 --- a/modules/flake-parts/packages.nix +++ b/modules/flake-parts/packages.default.nix 
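Review bot: The new `keys` entry in `flake.nixosModules.holo-users` puts a root SSH public key inline in the module, whereas every other root key arrives through the `keys_*` flake inputs that `keyFiles` collects, so this one key bypasses the single place where root access is granted and revoked. Adding it as another `keys_<name>` input (the `lib.hasPrefix "keys_"` filter picks it up automatically) keeps the list of root principals in one auditable spot and avoids the two mechanisms drifting apart. If the inline form is deliberate, a comment on the `keys = [` line explaining why would help the next reader.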
@@ -1,27 +1,18 @@ { # System independent arguments. - self, - lib, - inputs, ... }: { perSystem = { # Arguments specific to the `perSystem` context. - config, - self', - inputs', pkgs, ... }: { # system specific outputs like, apps, checks, packages packages = { - reverse-proxy-nix-cache = let - - in pkgs.writeShellScriptBin "reverse-proxy-nix-cache" '' + reverse-proxy-nix-cache = pkgs.writeShellScriptBin "reverse-proxy-nix-cache" '' sudo ${pkgs.caddy}/bin/caddy reverse-proxy --from :80 --to :5000 ''; - }; }; flake = { diff --git a/modules/flake-parts/packages.holochain-tx5.nix b/modules/flake-parts/packages.holochain-tx5.nix new file mode 100644 index 00000000..1f04146c --- /dev/null +++ b/modules/flake-parts/packages.holochain-tx5.nix @@ -0,0 +1,49 @@ +{ + # System independent arguments. + lib, + inputs, + ... +}: { + perSystem = { + # Arguments specific to the `perSystem` context. + self', + pkgs, + ... + }: { + # system specific outputs like, apps, checks, packages + + packages = let + system = pkgs.system; + craneLib = inputs.crane.lib.${system}; + cranePkgs = inputs.crane.inputs.nixpkgs.legacyPackages.${system}; + + tx5Args = { + pname = "tx5"; + src = inputs.tx5; + version = inputs.tx5.rev; + cargoExtraArgs = "--examples --bins"; + nativeBuildInputs = [ + cranePkgs.perl + cranePkgs.pkg-config + cranePkgs.go + ]; + + doCheck = false; + }; + tx5Deps = lib.makeOverridable craneLib.buildDepsOnly tx5Args; + in { + tx5 = lib.makeOverridable craneLib.buildPackage (tx5Args // { + cargoArtifacts = tx5Deps; + }); + + tx5-signal-srv = self'.packages.tx5.override { + cargoExtraArgs = "--bin tx5-signal-srv"; + }; + }; + }; + flake = { + # system independent outputs like nixosModules, nixosConfigurations, etc. + + # nixosConfigurations.example-host = ... + }; +} diff --git a/modules/nixos/cachix-watch.nix b/modules/nixos/cachix-watch.nix index e86dd640..281adabd 100644 --- a/modules/nixos/cachix-watch.nix +++ b/modules/nixos/cachix-watch.nix 
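Review bot: `doCheck = false;` in `tx5Args` skips the crate's test suite for a binary (`tx5-signal-srv`) that will run as an internet-facing service; if the tests are skipped for build-time reasons, a comment next to it should say which ones so they can be re-enabled, e.g. `doCheck = false; # tests need network access — re-enable when sandboxed alternatives exist` (constructed wording, adjust to the real reason). The native build inputs `perl`, `pkg-config` and `go` come from `cranePkgs`, crane's own nixpkgs pin, while the rest of this flake builds against `pkgs`; using `pkgs.perl`, `pkgs.pkg-config` and `pkgs.go` keeps a single nixpkgs revision in the closure unless the split is intentional, in which case it deserves a comment on the `cranePkgs` line.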
@@ -1,8 +1,6 @@ { inputs, pkgs, - config, - lib, magicPaths, ... }: { diff --git a/modules/nixos/github-runner-multi-arch.nix b/modules/nixos/github-runner-multi-arch.nix index 79d8b655..d853b06a 100644 --- a/modules/nixos/github-runner-multi-arch.nix +++ b/modules/nixos/github-runner-multi-arch.nix @@ -2,7 +2,6 @@ self, config, lib, - magicPaths, pkgs, ... }: let diff --git a/modules/nixos/holo-deploy.nix b/modules/nixos/holo-deploy.nix index 6f4aa617..1bce3c67 100644 --- a/modules/nixos/holo-deploy.nix +++ b/modules/nixos/holo-deploy.nix @@ -1,8 +1,4 @@ -{ - config, - lib, - ... -}: { +{lib, ...}: { options = { deployUser = lib.mkOption { type = lib.types.str; diff --git a/modules/nixos/kitsune-bootstrap.nix b/modules/nixos/kitsune-bootstrap.nix new file mode 100644 index 00000000..9b06429c --- /dev/null +++ b/modules/nixos/kitsune-bootstrap.nix 
@@ -0,0 +1,92 @@
+{
+ self,
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.kitsune-bootstrap;
+in {
+ options.services.kitsune-bootstrap = {
+ enable = lib.mkEnableOption "kitsune-bootstrap";
+
+ package = lib.mkOption {
+ default = self.inputs.holochain.packages.${pkgs.system}.holochain;
+ type = lib.types.package;
+ };
+
+ address = lib.mkOption {
+ description = "address to bind";
+ type = lib.types.str;
+ };
+
+ tls-port = lib.mkOption {
+ description = "port to bind for incoming TLS connections";
+ type = lib.types.int;
+ };
+
+ url = lib.mkOption {
+ description = "url for incoming TLS connections to the bootstrap server";
+ type = lib.types.str;
+ };
+
+ port = lib.mkOption {
+ description = "port to bind";
+ type = lib.types.int;
+ };
+ };
+
+ config = lib.mkIf (cfg.enable) {
+ systemd.services.kitsune-bootstrap = {
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ environment = {
+ TMPDIR = "%T";
+ };
+
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = "${cfg.package}/bin/kitsune-bootstrap -i 127.0.0.1:${builtins.toString cfg.port}";
+ Restart = "always";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.url}" = {
+ serverName = cfg.url;
+ enableACME = true;
+ addSSL = true;
+
+ listen = [
+ {
+ addr = "${cfg.address}";
+ port = 80;
+ ssl = false;
+ }
+
+ {
+ addr = "${cfg.address}";
+ port = cfg.tls-port;
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@holo.host";
+ };
+
+ # staging server has higher retry limits. uncomment the following when debugging ACME challenges.
+ # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+ };
+}
diff --git a/modules/nixos/macos-remote-builder.nix b/modules/nixos/macos-remote-builder.nix
index d64f8e20..530596b1 100644
--- a/modules/nixos/macos-remote-builder.nix
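Review bot: `addSSL = true` on `virtualHosts."${cfg.url}"` serves `locations."/"` — the proxy to the bootstrap service — over plain HTTP on port 80 as well as over TLS, so a client can be downgraded to cleartext; `forceSSL = true` keeps the port-80 listener for ACME challenges only (as far as I recall NixOS still serves `/.well-known/acme-challenge` from the redirect block), which is what `enableACME` needs. `port` and `tls-port` should be `lib.types.port` rather than `lib.types.int` so out-of-range values fail at eval instead of at bind time. The unit already uses `DynamicUser = true`, which is good; `ProtectSystem = "strict";` and `ProtectHome = true;` in `serviceConfig` are cheap additions for a process that only needs `TMPDIR` and a loopback socket.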
+++ b/modules/nixos/macos-remote-builder.nix @@ -1,5 +1,4 @@ { - config, lib, pkgs, ... diff --git a/modules/nixos/macos.nix b/modules/nixos/macos.nix index 863c545f..b49af85b 100644 --- a/modules/nixos/macos.nix +++ b/modules/nixos/macos.nix @@ -1,7 +1,6 @@ { inputs, config, - pkgs, lib, ... }: { diff --git a/modules/nixos/nix-build-distributor.nix b/modules/nixos/nix-build-distributor.nix index fa3e6dde..5682807c 100644 --- a/modules/nixos/nix-build-distributor.nix +++ b/modules/nixos/nix-build-distributor.nix @@ -20,7 +20,7 @@ speedFactor = 1; supportedFeatures = config.nix.settings.experimental-features; } - + # macos-02 # - intel CPU { @@ -46,7 +46,6 @@ supportedFeatures = config.nix.settings.experimental-features; } - # macos-04 # - m1 cpu # - system integrity protection disabled diff --git a/modules/nixos/shared-darwin.nix b/modules/nixos/shared-darwin.nix index 103e2553..cd2b2172 100644 --- a/modules/nixos/shared-darwin.nix +++ b/modules/nixos/shared-darwin.nix @@ -1,5 +1,10 @@ -{ config, lib, pkgs, ...}: let - cleanup0sizeDrvs = (import ./shared-linux.nix { inherit config pkgs; }).systemd.services.nix-gc.preStart; +{ + config, + lib, + pkgs, + ... +}: let + cleanup0sizeDrvs = (import ./shared-linux.nix {inherit config pkgs;}).systemd.services.nix-gc.preStart; in { launchd.daemons.nix-gc.command = lib.mkForce (pkgs.writeShellScript "nix-gc" '' ${cleanup0sizeDrvs} diff --git a/modules/nixos/shared-linux.nix b/modules/nixos/shared-linux.nix index cf0e3f63..7474e29d 100644 --- a/modules/nixos/shared-linux.nix +++ b/modules/nixos/shared-linux.nix @@ -1,4 +1,8 @@ -{ config, pkgs, ... }: { +{ + config, + pkgs, + ... +}: { systemd.services.nix-gc.preStart = '' # if the machine runs low on disk space it's possible for derivation files to be created but never get content which results in derivations that can't be removed by the gc. this is a workaround which finds and deletes those problem derivations. echo Removing 0-size derivations if any exist... 
diff --git a/modules/nixos/shared-nix-settings.nix b/modules/nixos/shared-nix-settings.nix index 93008eac..a1f04a1c 100644 --- a/modules/nixos/shared-nix-settings.nix +++ b/modules/nixos/shared-nix-settings.nix @@ -1,5 +1,4 @@ { - config, pkgs, lib, ... diff --git a/modules/nixos/shared.nix b/modules/nixos/shared.nix index 93d39e6f..1f331d23 100644 --- a/modules/nixos/shared.nix +++ b/modules/nixos/shared.nix @@ -2,22 +2,21 @@ config, pkgs, lib, - system, ... -}: let -in { +}: { # Nix configuration shared between all hosts - imports = [ - ./holo-deploy.nix - ] - # TODO: figure out why this results in infinite recursion - # ++ pkgs.stdenv.isLinux [ - # ./shared-linux.nix - # ] - ; + imports = + [ + ./holo-deploy.nix + ] + # TODO: figure out why this results in infinite recursion + # ++ pkgs.stdenv.isLinux [ + # ./shared-linux.nix + # ] + ; - nix.package = lib.mkDefault pkgs.nixVersions.nix_2_17; + nix.package = lib.mkDefault pkgs.nixVersions.nix_2_18; nix.settings.extra-platforms = lib.mkIf pkgs.stdenv.isDarwin ["x86_64-darwin" "aarch64-darwin"]; @@ -88,4 +87,4 @@ in { else if config.deployUser == "root" then "/root" else "/home/${config.deployUser}"; -} +} diff --git a/modules/nixos/tx5-signal-server.nix b/modules/nixos/tx5-signal-server.nix new file mode 100644 index 00000000..b098d3fd --- /dev/null +++ b/modules/nixos/tx5-signal-server.nix 
@@ -0,0 +1,119 @@
+{
+ self,
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.tx5-signal-server;
+in {
+ options.services.tx5-signal-server = {
+ enable = lib.mkEnableOption "tx5-signal-server";
+
+ package = lib.mkOption {
+ default = self.packages.${pkgs.system}.tx5-signal-srv;
+ type = lib.types.package;
+ };
+
+ address = lib.mkOption {
+ description = "address to bind";
+ type = lib.types.str;
+ };
+
+ tls-port = lib.mkOption {
+ description = "port to bind for incoming TLS connections";
+ type = lib.types.int;
+ };
+
+ url = lib.mkOption {
+ description = "url for incoming TLS connections to the signal server";
+ type = lib.types.str;
+ };
+
+ port = lib.mkOption {
+ description = "port to bind";
+ type = lib.types.int;
+ };
+
+ iceServers = lib.mkOption {
+ description = "webrtc configuration to broadcast";
+ type = lib.types.listOf lib.types.attrs;
+ default = [];
+ };
+
+ demo = lib.mkEnableOption "enable demo broadcasting as a stand-in for bootstrapping";
+
+ configTextFile = lib.mkOption {
+ default = builtins.toFile "tx5.config.json" (builtins.toJSON {
+ port = cfg.port;
+ iceServers.iceServers = cfg.iceServers;
+ demo = cfg.demo;
+ });
+ };
+ };
+
+ config = lib.mkIf (cfg.enable) {
+ systemd.services.tx5-signal-server = {
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ environment = {
+ TMPDIR = "%T";
+ CONFIG_PATH = "%T/config.json";
+ };
+
+ serviceConfig = {
+ DynamicUser = true;
+ PrivateTmp = true;
+ ExecStartPre = pkgs.writeShellScript "tx5-start-pre" ''
+ set -xue
+ export PATH=${lib.makeBinPath [pkgs.coreutils]}
+
+ cp ${cfg.configTextFile} $CONFIG_PATH
+ chmod 0400 $CONFIG_PATH
+ '';
+
+ ExecStart = "${cfg.package}/bin/tx5-signal-srv --config $CONFIG_PATH";
+ Restart = "always";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.url}" = {
+ serverName = cfg.url;
+ enableACME = true;
+ addSSL = true;
+
+ listen = [
+ {
+ addr = "${cfg.address}";
+ port = 80;
+ ssl = false;
+ }
+
+ {
+ addr = "${cfg.address}";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@holo.host";
+ };
+
+ # staging server has higher retry limits. uncomment the following when debugging ACME challenges.
+ # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+ };
+}
diff --git a/secrets/dweb-reverse-tls-proxy/zerotier.txt b/secrets/dweb-reverse-tls-proxy/zerotier.txt
index a4894c1b..7f7f1c42 100644
--- a/secrets/dweb-reverse-tls-proxy/zerotier.txt
+++ b/secrets/dweb-reverse-tls-proxy/zerotier.txt
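Review bot: The `tls-port` option is declared but never read — the second nginx `listen` entry hardcodes `port = 443;` (the sibling kitsune-bootstrap module uses `cfg.tls-port` there), so setting `tls-port` to anything else silently does nothing; it should be `port = cfg.tls-port;`. `configTextFile` defaults to `builtins.toFile`, which places the rendered JSON — including the TURN `username`/`credential` carried in `iceServers` — in the world-readable Nix store, so the `chmod 0400 $CONFIG_PATH` in `tx5-start-pre` only protects the copy; if that credential is meant to stay private, render the file at service start from a sops-managed secret instead, and if it is public by design say so in the option description. `configTextFile` also lacks a `type` (`lib.types.path`), and `mkEnableOption "enable demo ..."` renders as "Whether to enable enable demo ...", so the leading "enable" should go. Using `lib.types.port` for `port` and `tls-port` would reject out-of-range values at eval.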
@@ -7,16 +7,16 @@ "hc_vault": null, "age": [ { - "recipient": "age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTjFjNTlkUVhWQmFKM09W\nYzBNZSthTjNYaFNpVFpMNkdlNXlSVFBsM0RJCmx2QjdSUWwrYWhtMkpDMWVTYkdG\nNjBsekJKaUZhNWxxRmxqRnV1R2tQdzgKLS0tIDhXWDE5TE1sWmhZNGRGcG01VUxz\nLzhUMjlFS3Z6emx3b0w4VzR4UXphRU0KXPniYzhIWYkA4xr6b5qWNNk0F5ibQ/cC\nnhgluE8xDVniSWLKEvpfzszktXpffTMolG/+f/nwEUsuNenxC3z8NA==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZUJLYm1wdDVKZ1dGVXph\nNFozSjFDOE1icHBCZVhvZ0NrTE90Wm52MmdnCjJVcG1UMkNiQThoK1ZodmdaNDFx\nNTlZSWhZckhHamJQM29tY3VpREhHcTQKLS0tIEh3MkhxUW5yRm1ZSzUzQTB6ZjZy\nWDB1RWRwNGVXSEpqVUFGZDc5dDdsY3cKcGr7HgAaYM1+I69tlGKS4tBQj3bHiEf1\nsUa9nw3widX8q4zBbFlectvsSDRdtjhyEZc7dCVc4V72vcpeMKqjiA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-07-03T08:11:48Z", "mac": "ENC[AES256_GCM,data:AtEx+5gllwE1Ip8en9038k2HgbuQ0H+bIi+5rwevJ0EEFJyELvCEgAdX0RDd95VRb/KOR1j4txM+WUHH182HireiPIfpYb7AccycpsH8HzVU7JaeWAr+bDTpcFIqwEEstxP7vVljnPijtFcblL/e+hNwJ8ItyjLLbO94SY8vOTI=,iv:mspxursskO7W7f/Glp952HaFBw1iRqg2+TVh65Dl8Wg=,tag:+R/mSggcQL/pRTcVnHaJBQ==,type:str]", "pgp": [ { - "created_at": "2023-07-03T08:11:07Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/c6xy74E+xTqQqLDafK3rilVholh13M2sRWqxvv2gRQy3\nifuTT0Y3FFBFHqihrbMJ+5vo6DFTuKukP6fi6kkCsRJGm6M1sqAHwdWUcZRvLQuT\nopU/lvrTAz/ctwl9uZPLnvtZK434d0kCSzyBKPQSBbzxOovfOnHQcKe4y/0fgqV5\nTjodIWutNSQMVtlILgdGX9juGpvqcY2tYoHcqsdXQSdMln0XdwntFtPaj67Bw5pt\nAJs/UCDDZUujfzMsYopk/UyIymtnjMfeVvmhgOyuLDRc9BSJ5D2gyD2J1fjfKyqm\nhPj3sN+tyq9gDkvIDmAs1cuba6hslggn3TAe40Fq/dJRAZt5OR4fExedq1JfSo9x\n0oNqzVoCNczTx9zgdD+LSLMokefBwVs9GdS4Als1M2UJmlQlOrOXDr2VwvFVGmzz\nXjA8Ts/1n3FPs8gzRvEIVVJ2\n=kDBU\n-----END PGP MESSAGE-----", + "created_at": 
"2024-03-18T21:19:06Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/c1rh18OwFLY8fMAjBeAbxPts+AULrDiW+eh7NX6PIRkM\n2dlg+q+G+gLy6v8bvhLSCJ46cI5MgQ2uNFnCRLHlT2S2/MJ/zwdIgdOs5b6UheT3\nONATOwX6GkGIaXJvtDGjHyPlg/zM+67E2HktyB8A6jYErpP54MHIceDefVxJYuSr\nUqwlDDEAIIgUJEHSinUxeUSnmfI7otLIa+wOffeU6/T0Jm7qVTRgcsvHNE64Qogz\nh6swBUln5Y6PbgLjspwd0HA7Nb963E6f/v5zn9bRa6st9Ui0Rpuxrrl6258pfKQi\n4Im/eMOTIzIgP14KD2U1PxZ9IYsRd8GF3mjHEMVSPdJRAbfnUYluxpZUvgnaJivi\nu2ZXezHyzpPED44cL5mEgASQnHpgKLTC9w6w07mob4h0t1hT0HIf4xP92NQecYts\nobWpUae3I7x7gb4EPqa/JXO7\n=7vqi\n-----END PGP MESSAGE-----", "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" } ], diff --git a/secrets/nomad/admin/keys.yaml b/secrets/nomad/admin/keys.yaml index 0f9c9a71..24e04498 100644 --- a/secrets/nomad/admin/keys.yaml +++ b/secrets/nomad/admin/keys.yaml 
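Review bot: Rotating the age recipient from `age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw` to `age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx` re-encrypts only the sops data key, not the zerotier key itself, so the payload stays recoverable from git history by anyone holding the old age private key; if the old key is considered compromised rather than merely retired, the underlying secret needs rotating too. The same applies to the four `secrets/nomad/*/keys.yaml` hunks below (admin, cli, client, servers), which additionally drop the PGP recipient `D299483493EAE6B2B3D892B6D33548FA55FF167F` — removal from the recipient list does not revoke that key's access to earlier revisions. `lastmodified` being unchanged is expected for a `sops updatekeys` run, but a line in the commit message saying the payloads were not changed would save readers from checking.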
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS05VQURLMW4xRXNhdytY - RXBrUzBzc2JPRktHcEhuY1FTdW5KOUloUkVNClk5VUZVU2lYem5zRCt6bjhXNnJD - QlptdHJxY0VNaGpUUzRZMlVmemN5QzAKLS0tIFpQejFRSGZvY0U1NytZRVhTZTUw - RFBkY3o3TDFpeUxHb2wzSlJ3OWF0NTAK75H/uh2bvFCR01kSWvXNhwep8dk9hGxF - oF6h9cGlEyDEm67LqEjj93Q7SMXIxQk7gbiHgUwuDtUKhsAnoQ1/Bw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTGV2dTQrVkFxUmNPelFr + Ums3UEFNVDl1OHJLcVYwTXJMaTRrbEJiREZBCk0xajVYaStaTHZwSDZsU00vMVFJ + c3NPVmdBcVhTcTVQRldad0lmV1NTQ0kKLS0tIHA4dkw3T0x5TzYxSVMzMlc5b1FL + MlpTQ3MzL29UTU1aM0VMR3NHTTBJODAKDYpsGHSJ5VdyFTVyW88cEH5a1LhM6klU + C4jHUPQSIeVev4T+zySdtozGNb+TEWLuhjJT6RwPILI814PL6OHhKA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-04T14:26:28Z" mac: ENC[AES256_GCM,data:fpzYyKWzwLs9sbRV04h2xyVw+4oZDewzf0C2WNt5RB+/ffy3dUrQotQJ8OHaVS4KboXHeJCT73ZRcVJcCFTs6smSPJXJLxsMkMbEarIlNTVFFp4OGplR62Ynr1/rivB7GlM8wyE51yKByHRQkecKI9ihI3eFdM4y3pkBCTdmrm0=,iv:TSW1Rlhem02fTrCB9CJCtml21Z/uEBAZEa30gzbGuxY=,tag:CraHtqFZbNKbBkAE6cvRMQ==,type:str] pgp: - - created_at: "2023-08-25T15:45:31Z" + - created_at: "2024-03-18T21:27:01Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAw26WQIPkyE6wg3FRYwZ7leT90W4XZEnl5jNRZ1oYLTbc - KHQ8kUZL9fU6HTkya43CGMkyGN0KB3cyhsrJKu9Peewh6DWD+mJ7dYALdPYfdxFq - AvuBEAQURcO4VO7pnE+4E8jM9OHffmepXJf+W4xqM/9cliMdTlb4V0ZPP5Se6Oec - u9eSXHrrvnY4DIbIozKduIhbrUBM7wbFnNy1QRmIfnn/Q/D8oLaHs2YuDzciEHd6 - OvgBExUMzA86yIqM4ru3q3hiPAzpuDuDGHqkc3SskKz9XYcaAt+zC4VgCz6X7VQ7 - aKOKCfh463+sKoL+5q4CEXKfI/Gf9fQ3G+oBj7Yr1tJRAQyQ+dBD0QguiKv8B98g - jJp1hteCfF01mfCuasdHDY2zs0Yecd0Rb9e+mHU7I5pvL9xBDVrkK1FVyeg2sXZ9 - GA/rZwRRdx5CMDckeXo3zJtf - =r901 + wcBMA0SHG/zF3227AQgAi1JSuHVKZZPqO+BNS+n25uIYZQZDznr8NIDz24UW066s + 
PhLm8IWpWLREiF6u410dn3zDCxQQ5kYqv+49nl/m4GMqif/BwueHhcATJlRZq9ll + wcIE5VkoyLKNFpAYW23oSEyfJ8cuakvmkzNXLw+sbljFWwUju9VKHz6Z55jBJalh + fWshg+yagzXKN6nOVGYDojJc/goaHUem2Iy9bD9SZGYPpDwV+/n9xk5wYV3FXeHj + 4bGlgO8e5AzRts8BzBD8DyB7Ioed3rvo3uREmfRvJoJI3mlldH2EhInQbzBlASOs + F3aOwhnSx/N4+UGryEh3BUuao1aF/d6psFBndPRCJNJRAYU8S3HT01mrOgk52Mww + pLaeCU1E0g9NHkW/PruJcitvhZW4i/JzH8Qq+G1iUUJ3EdfnzxeQawZtOB1rPwlj + 0MrRvz4Ext4O//6Px3mDK0Ja + =WarA -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:45:31Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdAIm/+Cl5RQI0xRuOgtShgzZloeoiXDOTt0iofpUgNvzEw - GeShL4fYDvFDlA+ouquFQYesNh5FTdinpQtbITnj7GJNqfeOrlJ2LLnp68tar1JW - 1GgBCQIQ8cnLVC7+m3Wh8HaJ0pb/Ik+DutczbP4LlzSi+dv70mV6SVzTbN4NJOVF - Ja9dz46TgjuwrEoOaK2Vm9vJ4MjPm1xT3+mIwR/vaH9ZmDbvhlmd437NPgLRhAlL - zM2KPqYgdUS+Yw== - =KT32 - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/nomad/cli/keys.yaml b/secrets/nomad/cli/keys.yaml index d81c538b..bdb5cc53 100644 --- a/secrets/nomad/cli/keys.yaml +++ b/secrets/nomad/cli/keys.yaml 
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcFpIRFhmOHJ1MndjKzRr - V29iRzdZUzJudFRwSWpNRHI0S1paekxpNURVCnlQaWQxWVI1eFJRTmIwN3BPdG9n - d21HTXUvMEJuancxUkZQd3RDK3JpbEUKLS0tIGNpZk1mc202RmJyczlJV0J6bUtK - SFpJQi9BTVBZblVZVGZVL0pYaVBoMEkKHlmAX4ELfCBssPnS30o0ZmJ8KBr/BlYy - 1b9J/6mhhaNm5MIkGURa/DCzGRzQtqkBIITgjHt/oW4N3/y6MWclmw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSG1YZHAvOU5kQmR4aklh + a0FPdHdaOTljMlBBNGtiWHo4Vmd1T0llVzBvCm8ybGl5VzhnM0QrNW1ZS0tqdG9s + Z2E3ZU9MUHFJWFlIN1ZsazhCTnVoWkUKLS0tIE9HTktCY3hEcm05QUVSQTlFSWQ5 + ajVOa3REbmpEZHNjbkFQa0NIS05sV1UKmB6F8oW9w2tC+EaWoYCnLkHIfqL1idk6 + jtce1k+htxaQhXe78wEugGMRONb++QDqIz+bNjLe8HZrEJZ79yIm3g== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-05T09:14:30Z" mac: ENC[AES256_GCM,data:xASypo/4Hfyz4118WUKcork3KtbOhsYR1haK4BfncedCxjNfAf9F+D1gfpUD/TRhT3tf6ZTelHc8l9T/FXnK/Ur0IGoIubS7NMOHPQncB1WpOCusiHIlIHqOAqlEhNrzT/8Kct2HEXe8yGs/WgWHuzEkEfRupnME3dml0FJnZXw=,iv:HTYK/ayED0LRZH2Gp53YsfpeXdgYG8PwKZ6H0ddCcLA=,tag:1UniA+s1b5QsRHSnLBIOCQ==,type:str] pgp: - - created_at: "2023-08-25T15:45:40Z" + - created_at: "2024-03-18T21:27:03Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/UFCxQRWBNErI5JgyVKQfUOtkv3OuEVO+PLdkFTJp3GiE - zB7LD1rlGLHDUOUbgmnm9Qd8ivJE59aG0VBgsLgexLt0RzFWa47xNr51uE74+Tj6 - gVDIY8Oyiyhl2fC7CRQm/8+XCdjANIdVFKwL2qlbOTN9vr+0eK+v8/b67MPDp9TI - 5ZVLzSW73N93z4U4mNLF21bA+snNx3SaQjRrInCi6myEob5dPQBp929fOEKUv6db - FJXiGAF6noDXBJ+EWZ3756TM42I26tVxMduCauPJD6WFFVLtWzS/SgOqSPvnWx6u - NQNqX5HpAPD4GB1D4ppuLcbdDtqsbKCDUIktfo2jmtJRAdlMEVgZ9yN81F5Zk8uv - ueEwhsDgCsxeBnZU5RjhytKSpa5iiMEg4NmzFDk9XJmhgLWZ+J3TNc9z8wIwoqT4 - YNgdrq42Owgy0sbIXcS6L/RN - =8hWj + wcBMA0SHG/zF3227AQf/aNPG9i/s+tcVEu6jJ6y5vCM8qC7T5JfL1i3ITMzJxPSP + 
Y86F42DdojMp6Rxkz7JvIwgyo7apmg3um/NlKZ5BYi5wicv7vmj46D9YJmuB6W2v + 8QJy/dezwmFQPyvbKwfUjRbCc3U5mWhhROmWQiWNJ1l74Hpfac84BOIPvLEWlkJf + ZmvUmrAM/K9YxXoQiYVZn+HPHsCVFR/sMgSAR+Qfgobg+IiQp+EED/WuC4G2jS8V + CCfEKFNXbzc37F7CpZyHuW3ePZpcGMemU8YphDYJ+/tcw5ch0o+pcFr2araLsSL3 + Cmvo2loPsKO2xBJTyJQR7LVTkafPRjMzoI5L5r5ncNJRAYUtwvAVeofohoB8YCms + HwDZLE0wwpSDBOj1E169xIzGgwg/wy5UtlP95YDxg8WkVN3kjkxVF/dnFBg1uaCw + vyvDTvaG5KOdCEnEXtiB5Ccr + =t67I -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:45:40Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdA+IsuAJ7huWhxDbYW+oL9XE5Az4a/zQRTdiOGNBbB7Ecw - OVHbT1wfrYLOD6FuT82EE/yA4bBZj6MS564xaYgiUwXDXqfGVYSasMhHfxlttKEP - 1GYBCQIQj+tjnK+BsvlB7OMfl5nH0X5p51B0ADD+aupLWfrNTCbqQBFQ0r7MIO/x - b2a+yA4nMFRG0NIXTxCliNrPpnc5yWjc6zVEfEco8w45lhaqk8wuxtlCxJF83cKU - 3eEzq0wBCBE= - =mkAF - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/nomad/client/keys.yaml b/secrets/nomad/client/keys.yaml index e1de4173..51642e9e 100644 --- a/secrets/nomad/client/keys.yaml +++ b/secrets/nomad/client/keys.yaml 
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWlJVGVQV2s0ZE1zdXY0 - M29XT0tIblcrdUlCZVA3ejNaaTZ5R0JTZmhBCmZwWkZyOHBjdzVVbUo1ZlIya1NY - bitqdlUwSmorbGgvQVRvRldWTkZVbTQKLS0tIHhDbjVmRk0yb2NBZExWT1pCOEtu - SzF6R3ZQM1RneTBXVGYyTGdBcXdzZTAKF8qtOi7Mc1RevZr8AtetYANvo5ygJWrk - /7Q+gkWuyr7NSyz6ffDwshKNmtSCn5I2Nx9ROhSSILDOroou2g8rrQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1U0MybVJqdzZxSG1TSHQ0 + RVpWbk8wUXlORXhya1duQUNwSThhUXFjcmg0CjErODhFMjNEaDl1V09hb254U05o + WnpFNVNpdWd1UFA3emFITHNjd0JrVTAKLS0tIGprYjN0K3hHcWd5dGpsbmNpVGxk + aEhRYlVHQnNpUGs3cExYRjNheURKZEEKuONf6KQptwKPfpjoq6NE6pql7hRTmBEa + jWlskL212zPKy4jwBTILVxpSECYgWuyGmpUCVhgduXP8HPOtjUuEVA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-12T09:25:18Z" mac: ENC[AES256_GCM,data:tQR1UYHFm8YnjcXqGLJaPz6X5SaTrlQ913KjS6waFz/LUEYzGfmAjqjJEH+/xRupS2daNxvTrpmNk5j8QTMFlDSUaKgse3dqQucL7dpJ6dE8PSGolXayswDw54kb8yNXi1u6JRg3v/5lyVrj2zajAmyFkYeila9TrwlZVwh8drA=,iv:cJ/561WeaYcW7Zrv50c79JPlWaY7iGQxlEr/17+tqh0=,tag:sH8gnl69GjJbe7eAbPbuwQ==,type:str] pgp: - - created_at: "2023-08-25T15:45:50Z" + - created_at: "2024-03-18T21:27:04Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAoB3+cVl1AAFrw7e3JiGLdIzblWKYvoghItm/Mm1twSkh - jftBnrBGGz9a77ksgopxthkuMMguErZNt5pqJezsnSL/96TtAS4oKfWJVpZJwHG6 - 2UFwSReaB2PFLiKQ3c1A+ol4TrbyvHlqsDS78YdRYCorpoEuqHvh732/mIKiDvcd - wTSZ8k8ICB/BD86kORRkIB1WCBIX1VRt68c+e/9T/jZsw6M3555xNL5T5V/LoZfI - fT/j8GufMtjb9Lk1kHiMwBHB1CbMPUUfKe2VsZ3wWpNChsb0mzuVRnIq/fuyqPyf - 6q+wm/sEnDcbBk+xqN7HFonFPLhTIkjtPs3P3IaFoNJRAWuBudDhcwITlo1L+bxM - tikD6BWSBu5GYmnCEPBV3VV49svgkph5gEbphlwuvfD+P4sOaTQAirmwkhHmcU2/ - FOFFT7DdhTMjR1/2lCyIoc70 - =auhV + wcBMA0SHG/zF3227AQf+Oq7+G/LBsGNtyOmLWuDUv5mLQ4IjiOWO02w6/AgmKzAs + 
6nKLwSY2v56pezR8TaDO7U2GtSLhqJihcM9zaHpBtfEc6tKQ9jJEh8RLiT6MWuPv + vjQ8BljqMJ4Y3DzoOuO2h4/Y0F9XuNgaiSoicf4Vs4F8NYjuBmnxdilhO1199jfx + oUu1s38yDEtfgHSLtjDrxrT975jrnqFeaTh2t+qClHZ23fRYi5bqVw6TxizJL0Ma + eAXAW/Ujj6MeBe2dLB3icj5lj+nbedO6AM6e4lM3JkMWY9z8eke+XetRQqyZYY/0 + C9M4PZ5NAB295ldPjOAZzY9PtWoWQB/C7wOkXgWm69JRAdHZSre0jWRGsq5oMe1P + 9ROIcCh5DEnYuHhlFk4Hssk+ZNniC3z/0+lF+z8A0/OusMkUcCSDGCG3XO0loCPN + eGtY2qA3xRFEOabr/cfGLSUQ + =lC6i -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:45:50Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdA++vE1v1/meAAwe5Gt3MTCVej3L0EJB9P6bNll9Klfgkw - JjGDMmvx2QsN8AXQenfMOV1cgfNkl/0NW9SMjJ6erVKOfH2g/Q7/+7v7vRNuuAUL - 1GgBCQIQ+2eZ5nBwgg6cOPvXmfah4tuLJkrgT1XzlS1fVpFd+j+N4AeDiIiTActr - mjqaOsZ5wHOahA85tamMaAReyuoHahNw9OhaSS2F7Agyqm0MI5fLphWU0q6o2GWT - 2tHKfNAnB98BxQ== - =PFeI - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/nomad/servers/keys.yaml b/secrets/nomad/servers/keys.yaml index 5b3a28b7..e39fcd5a 100644 --- a/secrets/nomad/servers/keys.yaml +++ b/secrets/nomad/servers/keys.yaml 
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY1JiZUNJTkw0RkI1eko1 - UWgrcFo4ZVZTcG40SlUyZThzUlhYb2d6SGhNCnJKZDJNNURrbXhucDEzU0JXRXYr - TFJFWXJ2Y0MxK1FMNzRzblROY0taeHcKLS0tIDF1cExxNnQxTWFIR0VqSk1xMVpD - VXI1ODdEdER5cnpDeWNYVHZrTTJJMkEKkVHdmI84OnyM/tktrzPNJuaD72kv28wZ - AxRoAnFXCui6S1No7WHrWw12XfD+6VHBlV0TRKtdfFiPRmq9vNxsMw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QkFMRDE2MEFTRXJLc0lT + Nkd5YmpIbzl5dCsvSEZmczZIcVljYzV5WkVzCk1UUGE1c2JRWFhQZVRQQ0prYk5m + NVA3TFJuRXRxMUZheVdMMmp1RWt4NU0KLS0tIHFmb05CNERHVGRlZ2pvVCtNeE9v + Q1A3OFFLbm5XekhOaWdHR0xGanBLU1EKDzNqlIBK+Si1DfvgbmQlJh/ubumYYEAx + xzVaulVhfq6TWgkcpS6zwFLcNS1qzeDNLKwmd2RlJ8iQpgafdiGHSw== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-05T09:59:44Z" mac: ENC[AES256_GCM,data:qKRGsoInfFTGoJj59ecQV8bwakcwBLK20rBmqRlNuNGr/KeBGSf4d1gbBiJf5Uk5VJZuZJGyhpGvFlzeB20vhwVvMHEUl6g4nr+sft2ZskXWfM02+4pq2dA2T4lQOhix2Hmr8vLqbdoKMcxT73CwsLBxduAJ1DIOG+Q617LFGa4=,iv:C6D2tNlbmgfSuIJeZZSRygT/pWWPw95LNAGN9oBljdE=,tag:/chzfo0NBAlgkGJTvSqYGg==,type:str] pgp: - - created_at: "2023-08-25T15:46:00Z" + - created_at: "2024-03-18T21:27:06Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAiBEp4aHe2uj66b2zuwmgdRoOg9AA7nWT+Ti7VlJjT81w - sgn1AMY4RE+4DK1AiB6xSl+G3TLFfmjnxc3EeqF/7xjgD8hrR6S2ZJLD88o0iv2k - jjD1ZJMIWjJy+IJig9L+mpF/EPv4LfdhPvsbL1f8NsuNqBl72tE82hnCMtvyAEoA - P2w6uFZr0Hfz+MlJ8RAd+JOfadT4n8W+XJ38e2xtOhnFgPIlJY/jrw9MyiEyTPJd - 6RhuwcF2bKrkqsAwVYg6Jz9EEYnsIab52IxhoTOPfdx4Nh5SorGUWf7Ns1qvRIoI - r6uPmxm6Dg+jTR1eHB7EHz91hkO4Bg0pVlWF/u71ItJRAc2+9SfDsV9ru4TenYkp - e2hj5xVDrubrxFSos9PEEqYNwEDV7EovXjRiypdfDG0cungZHonegvfGdxUmeeMZ - hfdMv7emuTP2rs44TvRP6h13 - =eXie + wcBMA0SHG/zF3227AQf/cLdA/l1SnxJO9lnmd15lQUjHndRH721N2hWAFTVFndin + 
6nq71PYZwfdubyZ6npVjzZzCwI0Jrh0A2Tn4lYXoEGVFDEg/Z5DU9FXwxHQaF4IV + 50y1FEybvR+5FHNQHtyor2pQ+56E2bNte06/peAnDh2PxZpdJsmMmSZ8+15CeOxA + UcUc00rWjPuHJE+CJtwKZ+C5LE3ypFehsF6s1ZQqlK/hd+MI0ROdfm+tloAAZ2fV + 04Ie4IP2gfjw/4ie5vDQT99AolKycL5goRzAyOEmvPLJRhl0TRR3mlZ9vJsgnJm7 + aibcPB8q8vzluCxHpQY+e1ccqlPoeP6xVXBOtOOCjtJRARXFF0tK/+il4bAyhOwa + Cfit7jodFmo1QSTQo5DJXs7SrmV7Sm8sj40HEiuTqy0H64L31PCJV42Ttcm9/iHI + rKw+PYINnmufCDVk5j5P/8Bp + =uIWo -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:46:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdA5MszuLu+UQoL9MkQM5v6ZragVM+6tBAouLSSNM4utQAw - 5MQTqinhIN4dvSGcgujdZDAVbyGti/R85sqIEN+kAdFe+/uoFJFFysbfeLiHceqY - 1GgBCQIQGBBEuUSORHT6JaBBoz5xBteoWUip+BKCQ+DJQbYAXy0FfVlGFONRzEmn - Xvr25EvhqhMZdHqvoealgrXzRdHM5w/dLZLcGKvI46g0H+ppYoPROjfQ728j0Nk/ - xm9ff+tbSzekLw== - =S2xM - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3
