diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix
index c551789b..9f86fff7 100644
--- a/config/instance-20221213-1915.nix
+++ b/config/instance-20221213-1915.nix
@@ -28,6 +28,7 @@
 ./services/heisenbridge.nix
 ./services/uptime-kuma.nix
 ./services/matrix-sliding-sync.nix
+ ./services/chir-rs.nix
 ];
 
 boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix
index 2f17ff89..f7414ec6 100644
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
@@ -34,6 +34,7 @@
 ./services/atticd.nix
 ./services/wordpress.nix
 ./services/initrd-ssh.nix
+ ./services/chir-rs.nix
 ];
 
 boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
diff --git a/config/services/chir-rs.dhall b/config/services/chir-rs.dhall
new file mode 100644
index 00000000..b1cf41fd
--- /dev/null
+++ b/config/services/chir-rs.dhall
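Review bot: `./services/chir-rs.nix` is now imported by both hosts (this hunk and the `config/nixos-8gb-fsn1-1.nix` hunk below), yet the module it pulls in hard-codes the database host `nixos-8gb-fsn1-1.int.chir.rs`, the Caddy virtual host `lotte-test.chir.rs` and `services.postgresql.ensureDatabases`, none of which are conditional on the host. On instance-20221213-1915 this presumably starts a second chir-rs that authenticates to the fsn1 PostgreSQL over the network with the `chir_rs` password, which only works if that server listens on the internal interface and its `pg_hba` admits the role remotely, and it defines an ACME-backed vhost on a machine the name may not resolve to. If one instance per host with a local database is intended, build the host part of the connection string from `config.networking.hostName` (already used for `nodeName`) or expose it as a module option instead of fixing it in the module.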
@@ -0,0 +1,63 @@
+λ ( secretsFile
+ : { staticDir : Text, connectionString : Text, signUpKey : Text
+ , nodeName : Text }
+ ) →
+ let SqliteConfig =
+ { Type =
+ { filename : Text
+ , walEnabled : Optional Bool
+ , fkEnabled : Optional Bool
+ , extraPragmas : Optional (List Text)
+ }
+ , default =
+ { walEnabled = None Bool
+ , fkEnabled = None Bool
+ , extraPragmas = None (List Text)
+ }
+ }
+
+ let PostgresConfig =
+ { Type =
+ { connectionString : Text
+ , poolStripes : Natural
+ , poolIdleTimeout : Natural
+ }
+ , default = { poolStripes = 0, poolIdleTimeout = 300 }
+ }
+
+ let LogLevel =
+ { Type =
+ < LogLevelDebug
+ | LogLevelInfo
+ | LogLevelWarn
+ | LogLevelError
+ | LogLevelOther : Text
+ >
+ }
+
+ let Config =
+ { Type =
+ { listenPort : Natural
+ , database : PostgresConfig.Type
+ , databasePoolSize : Natural
+ , staticDir : Text
+ , logLevel : LogLevel.Type
+ , nodeName : Text
+ , signUpKey : Text
+ , rpId : Text
+ }
+ , default =
+ { databasePoolSize = 10
+ , staticDir = "./static"
+ , logLevel = LogLevel.Type.LogLevelInfo
+ }
+ }
+
+ in Config::{
+ , listenPort = 62936
+ , database = PostgresConfig::{ connectionString }
+ , logLevel = LogLevel.Type.LogLevelInfo
+ , signUpKey
+ , rpId = "lotte-test.chir.rs"
+ , staticDir
+ }
diff --git a/config/services/chir-rs.nix b/config/services/chir-rs.nix
new file mode 100644
index 00000000..3d336e18
--- /dev/null
+++ b/config/services/chir-rs.nix
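Review bot: The closing `Config::{ … }` uses `connectionString`, `signUpKey` and `staticDir` as bare names (record puns), but the lambda binds its argument as `secretsFile` and Dhall does not destructure record parameters, so these names are unbound and the file will not type-check; `Config.Type` also requires `nodeName`, which has no entry in `Config.default` and is never set, so the record completion fails even once the names are qualified. Reference the fields through `secretsFile` and add `nodeName`, as below. Separately, `listenPort = 62936` does not match the `reverse_proxy http://[::1]:57448` target in `config/services/chir-rs.nix` in this same commit, so the proxy would reach a closed port; either align the two constants or pass the port in from the Nix side with the other values. `SqliteConfig` is defined but never used and can be dropped.
```dhall
-- … unchanged: SqliteConfig, PostgresConfig, LogLevel and Config type definitions …
in  Config::{
    , listenPort = 62936
    , database = PostgresConfig::{ connectionString = secretsFile.connectionString }
    , logLevel = LogLevel.Type.LogLevelInfo
    , signUpKey = secretsFile.signUpKey
    , rpId = "lotte-test.chir.rs"
    , staticDir = secretsFile.staticDir
    , nodeName = secretsFile.nodeName
    }
```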
@@ -0,0 +1,90 @@
+{ lib, pkgs, config, chir-rs, system, ... }:
+let staticDir = pkgs.stdenvNoCC.mkDerivation {
+ name = "static";
+ buildPhase = "true";
+ src = pkgs.emptyDirectory;
+ installPhase = ''
+ mkdir $out
+ for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
+ ln -sv $f $out
+ done
+ ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
+ '';
+};
+auxCfg = pkgs.writeText "config.dhall" ''
+${./chir-rs.dhall}
+{
+ staticDir = "${staticDir}",
+ connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ @nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
+ signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
+ nodeName = "${config.networking.hostName}"
+}
+'';
+in
+{
+ systemd.services.chir-rs = {
+ enable = true;
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ serviceConfig = {
+ Restart = "always";
+ PrivateTmp = true;
+ WorkingDirectory = "/tmp";
+ User = "chir-rs";
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ ExeStart = ''
+ ${chir-rs.packages.${system}.chir-rs} ${auxCfg}
+ '';
+ };
+ };
+ sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
+ sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
+ services.postgresql.ensureDatabases = [
+ "chir_rs"
+ ];
+ services.postgresql.ensureUsers = [
+ {
+ name = "chir_rs";
+ ensurePermissions = {
+ "DATABASE chir_rs" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ services.caddy.virtualHosts."lotte-test.chir.rs" = {
+ useACMEHost = "chir.rs";
+ logFormat = lib.mkForce "";
+ extraConfig = ''
+ import baseConfig
+
+ reverse_proxy http://[::1]:57448 {
+ trusted_proxies private_ranges
+ }
+ '';
+ };
+ users.users.chir-rs = {
+ description = "Chir.rs domain server";
+ isSystemUser = true;
+ group = "chir-rs";
+ };
+ users.groups.chir-rs = {};
+}
\ No newline at end of file
diff --git a/extra/switch-to-configuration.pl b/extra/switch-to-configuration.pl
deleted file mode 100644
index 9c65fc2a..00000000
--- a/extra/switch-to-configuration.pl
+++ /dev/null
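Review bot: `ExeStart` in `serviceConfig` is a typo for `ExecStart`; NixOS copies the key into the unit verbatim, systemd ignores the unknown key, and a service with no `ExecStart=` is refused, so nothing in this unit ever runs despite the hardening block. Write `ExecStart = "${chir-rs.packages.${system}.chir-rs}/bin/chir-rs ${auxCfg}";` (the `/bin/chir-rs` suffix assumes the flake output is a package directory rather than the executable itself; adjust to match). In `auxCfg` the connection string continues with `++ @nixos-8gb-fsn1-1.int.chir.rs/chir_rs"`, which lacks the opening quote and is a Dhall parse error unless it was lost in rendering; it should read `++ "@nixos-8gb-fsn1-1.int.chir.rs/chir_rs"`. Both secrets are spliced into the config verbatim via `as Text`, so a trailing newline in the sops-managed value lands inside the URL and the sign-up key; a comment next to the `sops.secrets` lines such as `# values are imported into Dhall as-is: store them without a trailing newline`, or trimming in the application, avoids a confusing failure, and the URL carries no TLS parameter even though the hard-coded host suggests the database is reached over the network. `logFormat = lib.mkForce ""` appears meant to silence this vhost's access log; whatever the Caddy module renders for an empty format, keep a request-level log for this service and mask fields there rather than dropping it, and consider adding `SystemCallFilter = ["@system-service"];` to the otherwise thorough sandbox settings.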
@@ -1,956 +0,0 @@ -#! @perl@/bin/perl - -# Issue #166838 uncovered a situation in which a configuration not suitable -# for the target architecture caused a cryptic error message instead of -# a clean failure. Due to this mismatch, the perl interpreter in the shebang -# line wasn't able to be executed, causing this script to be misinterpreted -# as a shell script. -# -# Let's detect this situation to give a more meaningful error -# message. The following two lines are carefully written to be both valid Perl -# and Bash. -printf "Perl script erroneously interpreted as shell script,\ndoes target platform match nixpkgs.crossSystem platform?\n" && exit 1 - if 0; - -use strict; -use warnings; -use Config::IniFiles; -use File::Path qw(make_path); -use File::Basename; -use File::Slurp qw(read_file write_file edit_file); -use JSON::PP; -use IPC::Cmd; -use Sys::Syslog qw(:standard :macros); -use Cwd qw(abs_path); - -## no critic(ControlStructures::ProhibitDeepNests) -## no critic(ErrorHandling::RequireCarping) -## no critic(CodeLayout::ProhibitParensWithBuiltins) -## no critic(Variables::ProhibitPunctuationVars, Variables::RequireLocalizedPunctuationVars) -## no critic(InputOutput::RequireCheckedSyscalls, InputOutput::RequireBracedFileHandleWithPrint, InputOutput::RequireBriefOpen) -## no critic(ValuesAndExpressions::ProhibitNoisyQuotes, ValuesAndExpressions::ProhibitMagicNumbers, ValuesAndExpressions::ProhibitEmptyQuotes, ValuesAndExpressions::ProhibitInterpolationOfLiterals) -## no critic(RegularExpressions::ProhibitEscapedMetacharacters) - -# System closure path to switch to -my $out = "@out@"; -# Path to the directory containing systemd tools of the old system -my $cur_systemd = abs_path("/run/current-system/sw/bin"); -# Path to the systemd store path of the new system -my $new_systemd = "@systemd@"; - -# To be robust against interruption, record what units need to be started etc. 
-# We read these files again every time this script starts to make sure we continue -# where the old (interrupted) script left off. -my $start_list_file = "/run/nixos/start-list"; -my $restart_list_file = "/run/nixos/restart-list"; -my $reload_list_file = "/run/nixos/reload-list"; - -# Parse restart/reload requests by the activation script. -# Activation scripts may write newline-separated units to the restart -# file and switch-to-configuration will handle them. While -# `stopIfChanged = true` is ignored, switch-to-configuration will -# handle `restartIfChanged = false` and `reloadIfChanged = true`. -# This is the same as specifying a restart trigger in the NixOS module. -# -# The reload file asks the script to reload a unit. This is the same as -# specifying a reload trigger in the NixOS module and can be ignored if -# the unit is restarted in this activation. -my $restart_by_activation_file = "/run/nixos/activation-restart-list"; -my $reload_by_activation_file = "/run/nixos/activation-reload-list"; -my $dry_restart_by_activation_file = "/run/nixos/dry-activation-restart-list"; -my $dry_reload_by_activation_file = "/run/nixos/dry-activation-reload-list"; - -# The action that is to be performed (like switch, boot, test, dry-activate) -# Also exposed via environment variable from now on -my $action = shift(@ARGV); -$ENV{NIXOS_ACTION} = $action; - -# Expose the locale archive as an environment variable for systemctl and the activation script -if ("@localeArchive@" ne "") { - $ENV{LOCALE_ARCHIVE} = "@localeArchive@"; -} - -if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) { - print STDERR <<"EOF"; -Usage: $0 [switch|boot|test] - -switch: make the configuration the boot default and activate now -boot: make the configuration the boot default -test: activate the configuration, but don\'t make it the boot default -dry-activate: show what would be done if this configuration were activated -EOF - exit(1); 
-} - -# This is a NixOS installation if it has /etc/NIXOS or a proper -# /etc/os-release. -if (!-f "/etc/NIXOS" && (read_file("/etc/os-release", err_mode => "quiet") // "") !~ /^ID="?nixos"?/msx) { - die("This is not a NixOS installation!\n"); -} - -make_path("/run/nixos", { mode => oct(755) }); -openlog("nixos", "", LOG_USER); - -# Install or update the bootloader. -if ($action eq "switch") { - chomp(my $install_boot_loader = <<'EOFBOOTLOADER'); -@installBootLoader@ -EOFBOOTLOADER - system("$install_boot_loader $out") == 0 or exit 1; -} - -# Just in case the new configuration hangs the system, do a sync now. -if (($ENV{"NIXOS_NO_SYNC"} // "") ne "1") { - system("@coreutils@/bin/sync", "-f", "/nix/store"); -} - -if ($action eq "boot") { - exit(0); -} - -# Check if we can activate the new configuration. -my $cur_init_interface_version = read_file("/run/current-system/init-interface-version", err_mode => "quiet") // ""; -my $new_init_interface_version = read_file("$out/init-interface-version"); - -if ($new_init_interface_version ne $cur_init_interface_version) { - print STDERR <<'EOF'; -Warning: the new NixOS configuration has an ‘init’ that is -incompatible with the current configuration. The new configuration -won't take effect until you reboot the system. -EOF - exit(100); -} - -# Ignore SIGHUP so that we're not killed if we're running on (say) -# virtual console 1 and we restart the "tty1" unit. 
-$SIG{PIPE} = "IGNORE"; - -# Replacement for Net::DBus that calls busctl of the current systemd, parses -# it's json output and returns the response using only core modules to reduce -# dependencies on perlPackages in baseSystem -sub busctl_call_systemd1_mgr { - my (@args) = @_; - my $cmd = [ - "$cur_systemd/busctl", "--json=short", "call", "org.freedesktop.systemd1", - "/org/freedesktop/systemd1", "org.freedesktop.systemd1.Manager", - @args - ]; - - my ($ok, $err, undef, $stdout) = IPC::Cmd::run(command => $cmd); - die $err unless $ok; - - my $res = decode_json(join "", @$stdout); - return $res; -} - -# Asks the currently running systemd instance via dbus which units are active. -# Returns a hash where the key is the name of each unit and the value a hash -# of load, state, substate. -sub get_active_units { - my $units = busctl_call_systemd1_mgr("ListUnitsByPatterns", "asas", 0, 0)->{data}->[0]; - my $res = {}; - for my $item (@{$units}) { - my ($id, $description, $load_state, $active_state, $sub_state, - $following, $unit_path, $job_id, $job_type, $job_path) = @{$item}; - if ($following ne "") { - next; - } - if ($job_id == 0 and $active_state eq "inactive") { - next; - } - $res->{$id} = { load => $load_state, state => $active_state, substate => $sub_state }; - } - return $res; -} - -# Asks the currently running systemd instance whether a unit is currently active. -# Takes the name of the unit as an argument and returns a bool whether the unit is active or not. -sub unit_is_active { - my ($unit_name) = @_; - my $units = busctl_call_systemd1_mgr("ListUnitsByNames", "as", 1, $unit_name)->{data}->[0]; - if (scalar(@{$units}) == 0) { - return 0; - } - my $active_state = $units->[0]->[3]; - return $active_state eq "active" || $active_state eq "activating"; -} - -# Parse a fstab file, given its path. -# Returns a tuple of filesystems and swaps. 
-# -# Filesystems is a hash of mountpoint and { device, fsType, options } -# Swaps is a hash of device and { options } -sub parse_fstab { - my ($filename) = @_; - my ($fss, $swaps); - foreach my $line (read_file($filename, err_mode => "quiet")) { - chomp($line); - $line =~ s/^\s*\#.*//msx; - if ($line =~ /^\s*$/msx) { - next; - } - my @xs = split(/\s+/msx, $line); - if ($xs[2] eq "swap") { - $swaps->{$xs[0]} = { options => $xs[3] // "" }; - } else { - $fss->{$xs[1]} = { device => $xs[0], fsType => $xs[2], options => $xs[3] // "" }; - } - } - return ($fss, $swaps); -} - -# This subroutine takes a single ini file that specified systemd configuration -# like unit configuration and parses it into a hash where the keys are the sections -# of the unit file and the values are hashes themselves. These hashes have the unit file -# keys as their keys (left side of =) and an array of all values that were set as their -# values. If a value is empty (for example `ExecStart=`), then all current definitions are -# removed. -# -# Instead of returning the hash, this subroutine takes a hashref to return the data in. This -# allows calling the subroutine multiple times with the same hash to parse override files. 
-sub parse_systemd_ini { - my ($unit_contents, $path) = @_; - # Tie the ini file to a hash for easier access - tie(my %file_contents, "Config::IniFiles", (-file => $path, -allowempty => 1, -allowcontinue => 1)); ## no critic(Miscellanea::ProhibitTies) - - # Copy over all sections - foreach my $section_name (keys(%file_contents)) { - if ($section_name eq "Install") { - # Skip the [Install] section because it has no relevant keys for us - next; - } - # Copy over all keys - foreach my $ini_key (keys(%{$file_contents{$section_name}})) { - # Ensure the value is an array so it's easier to work with - my $ini_value = $file_contents{$section_name}{$ini_key}; - my @ini_values; - if (ref($ini_value) eq "ARRAY") { - @ini_values = @{$ini_value}; - } else { - @ini_values = $ini_value; - } - # Go over all values - for my $ini_value (@ini_values) { - # If a value is empty, it's an override that tells us to clean the value - if ($ini_value eq "") { - delete $unit_contents->{$section_name}->{$ini_key}; - next; - } - push(@{$unit_contents->{$section_name}->{$ini_key}}, $ini_value); - } - } - } - return; -} - -# This subroutine takes the path to a systemd configuration file (like a unit configuration), -# parses it, and returns a hash that contains the contents. The contents of this hash are -# explained in the `parse_systemd_ini` subroutine. Neither the sections nor the keys inside -# the sections are consistently sorted. -# -# If a directory with the same basename ending in .d exists next to the unit file, it will be -# assumed to contain override files which will be parsed as well and handled properly. 
-sub parse_unit { - my ($unit_path) = @_; - - # Parse the main unit and all overrides - my %unit_data; - # Replace \ with \\ so glob() still works with units that have a \ in them - # Valid characters in unit names are ASCII letters, digits, ":", "-", "_", ".", and "\" - $unit_path =~ s/\\/\\\\/gmsx; - foreach (glob("${unit_path}{,.d/*.conf}")) { - parse_systemd_ini(\%unit_data, "$_") - } - return %unit_data; -} - -# Checks whether a specified boolean in a systemd unit is true -# or false, with a default that is applied when the value is not set. -sub parse_systemd_bool { - my ($unit_config, $section_name, $bool_name, $default) = @_; - - my @values = @{$unit_config->{$section_name}{$bool_name} // []}; - # Return default if value is not set - if ((scalar(@values) < 1) || (not defined($values[-1]))) { - return $default; - } - # If value is defined multiple times, use the last definition - my $last_value = $values[-1]; - # These are valid values as of systemd.syntax(7) - return $last_value eq "1" || $last_value eq "yes" || $last_value eq "true" || $last_value eq "on"; -} - -# Writes a unit name into a given file to be more resilient against -# crashes of the script. Does nothing when the action is dry-activate. -sub record_unit { - my ($fn, $unit) = @_; - if ($action ne "dry-activate") { - write_file($fn, { append => 1 }, "$unit\n"); - } - return; -} - -# The opposite of record_unit, removes a unit name from a file -sub unrecord_unit { - my ($fn, $unit) = @_; - if ($action ne "dry-activate") { - edit_file(sub { s/^$unit\n//msx }, $fn); - } - return; -} - -# Compare the contents of two unit files and return whether the unit -# needs to be restarted or reloaded. If the units differ, the service -# is restarted unless the only difference is `X-Reload-Triggers` in the -# `Unit` section. If this is the only modification, the unit is reloaded -# instead of restarted. 
-# Returns: -# - 0 if the units are equal -# - 1 if the units are different and a restart action is required -# - 2 if the units are different and a reload action is required -sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity) - my ($cur_unit, $new_unit) = @_; - my $ret = 0; - # Keys to ignore in the [Unit] section - my %unit_section_ignores = map { $_ => 1 } qw( - X-Reload-Triggers - Description Documentation - OnFailure OnSuccess OnFailureJobMode - IgnoreOnIsolate StopWhenUnneeded - RefuseManualStart RefuseManualStop - AllowIsolate CollectMode - SourcePath - ); - - my $comp_array = sub { - my ($a, $b) = @_; - return join("\0", @{$a}) eq join("\0", @{$b}); - }; - - # Comparison hash for the sections - my %section_cmp = map { $_ => 1 } keys(%{$new_unit}); - # Iterate over the sections - foreach my $section_name (keys(%{$cur_unit})) { - # Missing section in the new unit? - if (not exists($section_cmp{$section_name})) { - # If the [Unit] section was removed, make sure that only keys - # were in it that are ignored - if ($section_name eq "Unit") { - foreach my $ini_key (keys(%{$cur_unit->{"Unit"}})) { - if (not defined($unit_section_ignores{$ini_key})) { - return 1; - } - } - next; # check the next section - } else { - return 1; - } - if ($section_name eq "Unit" and %{$cur_unit->{"Unit"}} == 1 and defined(%{$cur_unit->{"Unit"}}{"X-Reload-Triggers"})) { - # If a new [Unit] section was removed that only contained X-Reload-Triggers, - # do nothing. - next; - } else { - return 1; - } - } - delete $section_cmp{$section_name}; - # Comparison hash for the section contents - my %ini_cmp = map { $_ => 1 } keys(%{$new_unit->{$section_name}}); - # Iterate over the keys of the section - foreach my $ini_key (keys(%{$cur_unit->{$section_name}})) { - delete $ini_cmp{$ini_key}; - my @cur_value = @{$cur_unit->{$section_name}{$ini_key}}; - # If the key is missing in the new unit, they are different... - if (not $new_unit->{$section_name}{$ini_key}) { - # ... 
unless the key that is now missing is one of the ignored keys - if ($section_name eq "Unit" and defined($unit_section_ignores{$ini_key})) { - next; - } - return 1; - } - my @new_value = @{$new_unit->{$section_name}{$ini_key}}; - # If the contents are different, the units are different - if (not $comp_array->(\@cur_value, \@new_value)) { - # Check if only the reload triggers changed or one of the ignored keys - if ($section_name eq "Unit") { - if ($ini_key eq "X-Reload-Triggers") { - $ret = 2; - next; - } elsif (defined($unit_section_ignores{$ini_key})) { - next; - } - } - return 1; - } - } - # A key was introduced that was missing in the previous unit - if (%ini_cmp) { - if ($section_name eq "Unit") { - foreach my $ini_key (keys(%ini_cmp)) { - if ($ini_key eq "X-Reload-Triggers") { - $ret = 2; - } elsif (defined($unit_section_ignores{$ini_key})) { - next; - } else { - return 1; - } - } - } else { - return 1; - } - }; - } - # A section was introduced that was missing in the previous unit - if (%section_cmp) { - if (%section_cmp == 1 and defined($section_cmp{"Unit"})) { - foreach my $ini_key (keys(%{$new_unit->{"Unit"}})) { - if (not defined($unit_section_ignores{$ini_key})) { - return 1; - } elsif ($ini_key eq "X-Reload-Triggers") { - $ret = 2; - } - } - } else { - return 1; - } - } - - return $ret; -} - -# Called when a unit exists in both the old systemd and the new system and the units -# differ. This figures out of what units are to be stopped, restarted, reloaded, started, and skipped. -sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutines::ProhibitExcessComplexity) - my ($unit, $base_name, $new_unit_file, $new_unit_info, $active_cur, $units_to_stop, $units_to_start, $units_to_reload, $units_to_restart, $units_to_skip) = @_; - - if ($unit eq "sysinit.target" || $unit eq "basic.target" || $unit eq "multi-user.target" || $unit eq "graphical.target" || $unit =~ /\.path$/msx || $unit =~ /\.slice$/msx) { - # Do nothing. 
These cannot be restarted directly. - - # Slices and Paths don't have to be restarted since - # properties (resource limits and inotify watches) - # seem to get applied on daemon-reload. - } elsif ($unit =~ /\.mount$/msx) { - # Reload the changed mount unit to force a remount. - # FIXME: only reload when Options= changed, restart otherwise - $units_to_reload->{$unit} = 1; - record_unit($reload_list_file, $unit); - } elsif ($unit =~ /\.socket$/msx) { - # FIXME: do something? - # Attempt to fix this: https://github.com/NixOS/nixpkgs/pull/141192 - # Revert of the attempt: https://github.com/NixOS/nixpkgs/pull/147609 - # More details: https://github.com/NixOS/nixpkgs/issues/74899#issuecomment-981142430 - } else { - my %new_unit_info = $new_unit_info ? %{$new_unit_info} : parse_unit($new_unit_file); - if (parse_systemd_bool(\%new_unit_info, "Service", "X-ReloadIfChanged", 0) and not $units_to_restart->{$unit} and not $units_to_stop->{$unit}) { - $units_to_reload->{$unit} = 1; - record_unit($reload_list_file, $unit); - } - elsif (!parse_systemd_bool(\%new_unit_info, "Service", "X-RestartIfChanged", 1) || parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStop", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0)) { - $units_to_skip->{$unit} = 1; - } else { - # It doesn't make sense to stop and start non-services because - # they can't have ExecStop= - if (!parse_systemd_bool(\%new_unit_info, "Service", "X-StopIfChanged", 1) || $unit !~ /\.service$/msx) { - # This unit should be restarted instead of - # stopped and started. - $units_to_restart->{$unit} = 1; - record_unit($restart_list_file, $unit); - # Remove from units to reload so we don't restart and reload - if ($units_to_reload->{$unit}) { - delete $units_to_reload->{$unit}; - unrecord_unit($reload_list_file, $unit); - } - } else { - # If this unit is socket-activated, then stop the - # socket unit(s) as well, and restart the - # socket(s) instead of the service. 
- my $socket_activated = 0; - if ($unit =~ /\.service$/msx) { - my @sockets = split(/\s+/msx, join(" ", @{$new_unit_info{Service}{Sockets} // []})); - if (scalar(@sockets) == 0) { - @sockets = ("$base_name.socket"); - } - foreach my $socket (@sockets) { - if (defined($active_cur->{$socket})) { - # We can now be sure this is a socket-activate unit - - $units_to_stop->{$socket} = 1; - # Only restart sockets that actually - # exist in new configuration: - if (-e "$out/etc/systemd/system/$socket") { - $units_to_start->{$socket} = 1; - if ($units_to_start eq $units_to_restart) { - record_unit($restart_list_file, $socket); - } else { - record_unit($start_list_file, $socket); - } - $socket_activated = 1; - } - # Remove from units to reload so we don't restart and reload - if ($units_to_reload->{$unit}) { - delete $units_to_reload->{$unit}; - unrecord_unit($reload_list_file, $unit); - } - } - } - } - - # If the unit is not socket-activated, record - # that this unit needs to be started below. - # We write this to a file to ensure that the - # service gets restarted if we're interrupted. - if (!$socket_activated) { - $units_to_start->{$unit} = 1; - if ($units_to_start eq $units_to_restart) { - record_unit($restart_list_file, $unit); - } else { - record_unit($start_list_file, $unit); - } - } - - $units_to_stop->{$unit} = 1; - # Remove from units to reload so we don't restart and reload - if ($units_to_reload->{$unit}) { - delete $units_to_reload->{$unit}; - unrecord_unit($reload_list_file, $unit); - } - } - } - } - return; -} - -# Figure out what units need to be stopped, started, restarted or reloaded. 
-my (%units_to_stop, %units_to_skip, %units_to_start, %units_to_restart, %units_to_reload); - -my %units_to_filter; # units not shown - -%units_to_start = map { $_ => 1 } - split(/\n/msx, read_file($start_list_file, err_mode => "quiet") // ""); - -%units_to_restart = map { $_ => 1 } - split(/\n/msx, read_file($restart_list_file, err_mode => "quiet") // ""); - -%units_to_reload = map { $_ => 1 } - split(/\n/msx, read_file($reload_list_file, err_mode => "quiet") // ""); - -my $active_cur = get_active_units(); -while (my ($unit, $state) = each(%{$active_cur})) { - my $base_unit = $unit; - - my $cur_unit_file = "/etc/systemd/system/$base_unit"; - my $new_unit_file = "$out/etc/systemd/system/$base_unit"; - - # Detect template instances. - if (!-e $cur_unit_file && !-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) { - $base_unit = "$1\@.$2"; - $cur_unit_file = "/etc/systemd/system/$base_unit"; - $new_unit_file = "$out/etc/systemd/system/$base_unit"; - } - - my $base_name = $base_unit; - $base_name =~ s/\.[[:lower:]]*$//msx; - - if (-e $cur_unit_file && ($state->{state} eq "active" || $state->{state} eq "activating")) { - if (! -e $new_unit_file || abs_path($new_unit_file) eq "/dev/null") { - my %cur_unit_info = parse_unit($cur_unit_file); - if (parse_systemd_bool(\%cur_unit_info, "Unit", "X-StopOnRemoval", 1)) { - $units_to_stop{$unit} = 1; - } - } - - elsif ($unit =~ /\.target$/msx) { - my %new_unit_info = parse_unit($new_unit_file); - - # Cause all active target units to be restarted below. - # This should start most changed units we stop here as - # well as any new dependencies (including new mounts and - # swap devices). FIXME: the suspend target is sometimes - # active after the system has resumed, which probably - # should not be the case. Just ignore it. 
- if ($unit ne "suspend.target" && $unit ne "hibernate.target" && $unit ne "hybrid-sleep.target") { - if (!(parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0))) { - $units_to_start{$unit} = 1; - record_unit($start_list_file, $unit); - # Don't spam the user with target units that always get started. - $units_to_filter{$unit} = 1; - } - } - - # Stop targets that have X-StopOnReconfiguration set. - # This is necessary to respect dependency orderings - # involving targets: if unit X starts after target Y and - # target Y starts after unit Z, then if X and Z have both - # changed, then X should be restarted after Z. However, - # if target Y is in the "active" state, X and Z will be - # restarted at the same time because X's dependency on Y - # is already satisfied. Thus, we need to stop Y first. - # Stopping a target generally has no effect on other units - # (unless there is a PartOf dependency), so this is just a - # bookkeeping thing to get systemd to do the right thing. - if (parse_systemd_bool(\%new_unit_info, "Unit", "X-StopOnReconfiguration", 0)) { - $units_to_stop{$unit} = 1; - } - } - - else { - my %cur_unit_info = parse_unit($cur_unit_file); - my %new_unit_info = parse_unit($new_unit_file); - my $diff = compare_units(\%cur_unit_info, \%new_unit_info); - if ($diff == 1) { - handle_modified_unit($unit, $base_name, $new_unit_file, \%new_unit_info, $active_cur, \%units_to_stop, \%units_to_start, \%units_to_reload, \%units_to_restart, \%units_to_skip); - } elsif ($diff == 2 and not $units_to_restart{$unit}) { - $units_to_reload{$unit} = 1; - record_unit($reload_list_file, $unit); - } - } - } -} - -# Converts a path to the name of a systemd mount unit that would be responsible -# for mounting this path. -sub path_to_unit_name { - my ($path) = @_; - # Use current version of systemctl binary before daemon is reexeced. 
- open(my $cmd, "-|", "$cur_systemd/systemd-escape", "--suffix=mount", "-p", $path) - or die "Unable to escape $path!\n"; - my $escaped = do { local $/ = undef; <$cmd> }; - chomp($escaped); - close($cmd) or die("Unable to close systemd-escape pipe"); - return $escaped; -} - -# Compare the previous and new fstab to figure out which filesystems -# need a remount or need to be unmounted. New filesystems are mounted -# automatically by starting local-fs.target. FIXME: might be nicer if -# we generated units for all mounts; then we could unify this with the -# unit checking code above. -my ($cur_fss, $cur_swaps) = parse_fstab("/etc/fstab"); -my ($new_fss, $new_swaps) = parse_fstab("$out/etc/fstab"); -foreach my $mount_point (keys(%{$cur_fss})) { - my $cur = $cur_fss->{$mount_point}; - my $new = $new_fss->{$mount_point}; - my $unit = path_to_unit_name($mount_point); - if (!defined($new)) { - # Filesystem entry disappeared, so unmount it. - $units_to_stop{$unit} = 1; - } elsif ($cur->{fsType} ne $new->{fsType} || $cur->{device} ne $new->{device}) { - # Filesystem type or device changed, so unmount and mount it. - $units_to_stop{$unit} = 1; - $units_to_start{$unit} = 1; - record_unit($start_list_file, $unit); - } elsif ($cur->{options} ne $new->{options}) { - # Mount options changes, so remount it. - $units_to_reload{$unit} = 1; - record_unit($reload_list_file, $unit); - } -} - -# Also handles swap devices. -foreach my $device (keys(%{$cur_swaps})) { - my $cur = $cur_swaps->{$device}; - my $new = $new_swaps->{$device}; - if (!defined($new)) { - # Swap entry disappeared, so turn it off. Can't use - # "systemctl stop" here because systemd has lots of alias - # units that prevent a stop from actually calling - # "swapoff". - if ($action ne "dry-activate") { - print STDERR "would stop swap device: $device\n"; - } else { - print STDERR "stopping swap device: $device\n"; - system("@utillinux@/sbin/swapoff", $device); - } - } - # FIXME: update swap options (i.e. its priority). 
-} - - -# Should we have systemd re-exec itself? -my $cur_pid1_path = abs_path("/proc/1/exe") // "/unknown"; -my $cur_systemd_system_config = abs_path("/etc/systemd/system.conf") // "/unknown"; -my $new_pid1_path = abs_path("$new_systemd/lib/systemd/systemd") or die; -my $new_systemd_system_config = abs_path("$out/etc/systemd/system.conf") // "/unknown"; - -my $restart_systemd = $cur_pid1_path ne $new_pid1_path; -if ($cur_systemd_system_config ne $new_systemd_system_config) { - $restart_systemd = 1; -} - -# Takes an array of unit names and returns an array with the same elements, -# except all units that are also in the global variable `unitsToFilter`. -sub filter_units { - my ($units) = @_; - my @res; - foreach my $unit (sort(keys(%{$units}))) { - if (!defined($units_to_filter{$unit})) { - push(@res, $unit); - } - } - return @res; -} - -my @units_to_stop_filtered = filter_units(\%units_to_stop); - - -# Show dry-run actions. -if ($action eq "dry-activate") { - if (scalar(@units_to_stop_filtered) > 0) { - print STDERR "would stop the following units: ", join(", ", @units_to_stop_filtered), "\n"; - } - if (scalar(keys(%units_to_skip)) > 0) { - print STDERR "would NOT stop the following changed units: ", join(", ", sort(keys(%units_to_skip))), "\n"; - } - - print STDERR "would activate the configuration...\n"; - system("$out/dry-activate", "$out"); - - # Handle the activation script requesting the restart or reload of a unit. - foreach (split(/\n/msx, read_file($dry_restart_by_activation_file, err_mode => "quiet") // "")) { - my $unit = $_; - my $base_unit = $unit; - my $new_unit_file = "$out/etc/systemd/system/$base_unit"; - - # Detect template instances. 
- if (!-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) { - $base_unit = "$1\@.$2"; - $new_unit_file = "$out/etc/systemd/system/$base_unit"; - } - - my $base_name = $base_unit; - $base_name =~ s/\.[[:lower:]]*$//msx; - - # Start units if they were not active previously - if (not defined($active_cur->{$unit})) { - $units_to_start{$unit} = 1; - next; - } - - handle_modified_unit($unit, $base_name, $new_unit_file, undef, $active_cur, \%units_to_restart, \%units_to_restart, \%units_to_reload, \%units_to_restart, \%units_to_skip); - } - unlink($dry_restart_by_activation_file); - - foreach (split(/\n/msx, read_file($dry_reload_by_activation_file, err_mode => "quiet") // "")) { - my $unit = $_; - - if (defined($active_cur->{$unit}) and not $units_to_restart{$unit} and not $units_to_stop{$unit}) { - $units_to_reload{$unit} = 1; - record_unit($reload_list_file, $unit); - } - } - unlink($dry_reload_by_activation_file); - - if ($restart_systemd) { - print STDERR "would restart systemd\n"; - } - if (scalar(keys(%units_to_reload)) > 0) { - print STDERR "would reload the following units: ", join(", ", sort(keys(%units_to_reload))), "\n"; - } - if (scalar(keys(%units_to_restart)) > 0) { - print STDERR "would restart the following units: ", join(", ", sort(keys(%units_to_restart))), "\n"; - } - my @units_to_start_filtered = filter_units(\%units_to_start); - if (scalar(@units_to_start_filtered)) { - print STDERR "would start the following units: ", join(", ", @units_to_start_filtered), "\n"; - } - exit 0; -} - - -syslog(LOG_NOTICE, "switching to system configuration $out"); - -if (scalar(keys(%units_to_stop)) > 0) { - if (scalar(@units_to_stop_filtered)) { - print STDERR "stopping the following units: ", join(", ", @units_to_stop_filtered), "\n"; - } - # Use current version of systemctl binary before daemon is reexeced. 
- system("$cur_systemd/systemctl", "stop", "--", sort(keys(%units_to_stop))); -} - -if (scalar(keys(%units_to_skip)) > 0) { - print STDERR "NOT restarting the following changed units: ", join(", ", sort(keys(%units_to_skip))), "\n"; -} - -# Activate the new configuration (i.e., update /etc, make accounts, -# and so on). -my $res = 0; -print STDERR "activating the configuration...\n"; -system("$out/activate", "$out") == 0 or $res = 2; - -# Handle the activation script requesting the restart or reload of a unit. -foreach (split(/\n/msx, read_file($restart_by_activation_file, err_mode => "quiet") // "")) { - my $unit = $_; - my $base_unit = $unit; - my $new_unit_file = "$out/etc/systemd/system/$base_unit"; - - # Detect template instances. - if (!-e $new_unit_file && $unit =~ /^(.*)@[^\.]*\.(.*)$/msx) { - $base_unit = "$1\@.$2"; - $new_unit_file = "$out/etc/systemd/system/$base_unit"; - } - - my $base_name = $base_unit; - $base_name =~ s/\.[[:lower:]]*$//msx; - - # Start units if they were not active previously - if (not defined($active_cur->{$unit})) { - $units_to_start{$unit} = 1; - record_unit($start_list_file, $unit); - next; - } - - handle_modified_unit($unit, $base_name, $new_unit_file, undef, $active_cur, \%units_to_restart, \%units_to_restart, \%units_to_reload, \%units_to_restart, \%units_to_skip); -} -# We can remove the file now because it has been propagated to the other restart/reload files -unlink($restart_by_activation_file); - -foreach (split(/\n/msx, read_file($reload_by_activation_file, err_mode => "quiet") // "")) { - my $unit = $_; - - if (defined($active_cur->{$unit}) and not $units_to_restart{$unit} and not $units_to_stop{$unit}) { - $units_to_reload{$unit} = 1; - record_unit($reload_list_file, $unit); - } -} -# We can remove the file now because it has been propagated to the other reload file -unlink($reload_by_activation_file); - -# Restart systemd if necessary. 
Note that this is done using the -# current version of systemd, just in case the new one has trouble -# communicating with the running pid 1. -if ($restart_systemd) { - print STDERR "restarting systemd...\n"; - system("$cur_systemd/systemctl", "daemon-reexec") == 0 or $res = 2; -} - -# Forget about previously failed services. -system("$new_systemd/bin/systemctl", "reset-failed"); - -# Make systemd reload its units. -system("$new_systemd/bin/systemctl", "daemon-reload") == 0 or $res = 3; - -# Reload user units -open(my $list_active_users, "-|", "$new_systemd/bin/loginctl", "list-users", "--no-legend") || die("Unable to call loginctl"); -while (my $f = <$list_active_users>) { - if ($f !~ /^\s*(?\d+)\s+(?\S+)/msx) { - next; - } - my ($uid, $name) = ($+{uid}, $+{user}); - print STDERR "reloading user units for $name...\n"; - - system("@su@", "-s", "@shell@", "-l", $name, "-c", - "export XDG_RUNTIME_DIR=/run/user/$uid; " . - "$cur_systemd/systemctl --user daemon-reexec; " . - "$new_systemd/bin/systemctl --user start nixos-activation.service"); -} - -close($list_active_users) || die("Unable to close the file handle to loginctl"); - -# Set the new tmpfiles -print STDERR "setting up tmpfiles\n"; -system("$new_systemd/bin/systemd-tmpfiles", "--create", "--remove", "--exclude-prefix=/dev") == 0 or $res = 3; - -# Before reloading we need to ensure that the units are still active. They may have been -# deactivated because one of their requirements got stopped. If they are inactive -# but should have been reloaded, the user probably expects them to be started. 
-if (scalar(keys(%units_to_reload)) > 0) { - for my $unit (keys(%units_to_reload)) { - if (!unit_is_active($unit)) { - # Figure out if we need to start the unit - my %unit_info = parse_unit("$out/etc/systemd/system/$unit"); - if (!(parse_systemd_bool(\%unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%unit_info, "Unit", "X-OnlyManualStart", 0))) { - $units_to_start{$unit} = 1; - record_unit($start_list_file, $unit); - } - # Don't reload the unit, reloading would fail - delete %units_to_reload{$unit}; - unrecord_unit($reload_list_file, $unit); - } - } -} -# Reload units that need it. This includes remounting changed mount -# units. -if (scalar(keys(%units_to_reload)) > 0) { - print STDERR "reloading the following units: ", join(", ", sort(keys(%units_to_reload))), "\n"; - system("$new_systemd/bin/systemctl", "reload", "--", sort(keys(%units_to_reload))) == 0 or $res = 4; - unlink($reload_list_file); -} - -# Restart changed services (those that have to be restarted rather -# than stopped and started). -if (scalar(keys(%units_to_restart)) > 0) { - print STDERR "restarting the following units: ", join(", ", sort(keys(%units_to_restart))), "\n"; - system("$new_systemd/bin/systemctl", "restart", "--", sort(keys(%units_to_restart))) == 0 or $res = 4; - unlink($restart_list_file); -} - -# Start all active targets, as well as changed units we stopped above. -# The latter is necessary because some may not be dependencies of the -# targets (i.e., they were manually started). FIXME: detect units -# that are symlinks to other units. We shouldn't start both at the -# same time because we'll get a "Failed to add path to set" error from -# systemd. 
-my @units_to_start_filtered = filter_units(\%units_to_start); -if (scalar(@units_to_start_filtered)) { - print STDERR "starting the following units: ", join(", ", @units_to_start_filtered), "\n" -} -system("$new_systemd/bin/systemctl", "start", "--", sort(keys(%units_to_start))) == 0 or $res = 4; -unlink($start_list_file); - - -# Print failed and new units. -my (@failed, @new); -my $active_new = get_active_units(); -while (my ($unit, $state) = each(%{$active_new})) { - if ($state->{state} eq "failed") { - push(@failed, $unit); - next; - } - - if ($state->{substate} eq "auto-restart") { - # A unit in auto-restart substate is a failure *if* it previously failed to start - open(my $main_status_fd, "-|", "$new_systemd/bin/systemctl", "show", "--value", "--property=ExecMainStatus", $unit) || die("Unable to call 'systemctl show'"); - my $main_status = do { local $/ = undef; <$main_status_fd> }; - close($main_status_fd) || die("Unable to close 'systemctl show' fd"); - chomp($main_status); - - if ($main_status ne "0") { - push(@failed, $unit); - next; - } - } - - # Ignore scopes since they are not managed by this script but rather - # created and managed by third-party services via the systemd dbus API. - # This only lists units that are not failed (including ones that are in auto-restart but have not failed previously) - if ($state->{state} ne "failed" && !defined($active_cur->{$unit}) && $unit !~ /\.scope$/msx) { - push(@new, $unit); - } -} - -if (scalar(@new) > 0) { - print STDERR "the following new units were started: ", join(", ", sort(@new)), "\n" -} - -if (scalar(@failed) > 0) { - my @failed_sorted = sort(@failed); - print STDERR "warning: the following units failed: ", join(", ", @failed_sorted), "\n\n"; - system("$new_systemd/bin/systemctl status --no-pager --full '" . join("' '", @failed_sorted) . "' >&2"); - $res = 4; -} - -# Install or update the bootloader. 
-if ($action eq "switch") { - chomp(my $install_boot_loader = <<'EOFBOOTLOADER'); -@installBootLoader@ -EOFBOOTLOADER - system("$install_boot_loader $out") == 0 or exit 1; -} - -if ($res == 0) { - syslog(LOG_NOTICE, "finished switching to system configuration $out"); -} else { - syslog(LOG_ERR, "switching to system configuration $out failed (status $res)"); -} - -exit($res); diff --git a/flake.lock b/flake.lock index 5429a620..8b14a294 100644 --- a/flake.lock +++ b/flake.lock @@ -140,6 +140,33 @@ } }, "chir-rs": { + "inputs": { + "flake-parts": "flake-parts", + "haskell-flake": "haskell-flake", + "nix-packages": [ + "nix-packages" + ], + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1695651960, + "narHash": "sha256-Szm1jq0rindDRQbnSzKmKsIzyvTCt3H1LXMucQUT12g=", + "owner": "DarkKirb", + "repo": "chir.rs", + "rev": "8d0d60c36cd969642a9f3a4a3ec0e867ad27c329", + "type": "github" + }, + "original": { + "owner": "DarkKirb", + "repo": "chir.rs", + "type": "github" + } + }, + "chir-rs_2": { "inputs": { "cargo2nix": [ "nixos-config-for-netboot", @@ -370,8 +397,8 @@ "nixos-config-for-netboot", "nixpkgs" ], - "systems": "systems", - "treefmt-nix": "treefmt-nix" + "systems": "systems_2", + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1687282304, @@ -516,6 +543,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1693611461, + "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixos-config-for-netboot", 
@@ -649,6 +694,21 @@ } }, "haskell-flake": { + "locked": { + "lastModified": 1694478711, + "narHash": "sha256-zW/saV4diypxwP56b8l93Nw8fR7tXLbOFku2I+xYCxU=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "ddc704f3f62d3d3569ced794b534e8fd065c379c", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "haskell-flake", + "type": "github" + } + }, + "haskell-flake_2": { "locked": { "lastModified": 1687547380, "narHash": "sha256-AHetxX1xCf87UcyExP3oJF5MDD7uVTsKD0SPGr9KEo8=", @@ -670,11 +730,11 @@ ] }, "locked": { - "lastModified": 1695509808, - "narHash": "sha256-rW6kfjLLYDB9xGJwoFkSNzcmLJCcN7VcD+YnDPbEM2c=", + "lastModified": 1695550077, + "narHash": "sha256-xoxR/iY69/3lTnnZDP6gf3J46DUKPcf+Y1jH03tfZXE=", "owner": "nix-community", "repo": "home-manager", - "rev": "2d27bdcd640759a5fb1b48125fee7280adad95f7", + "rev": "a88df2fb101778bfd98a17556b3a2618c6c66091", "type": "github" }, "original": { @@ -951,11 +1011,11 @@ ] }, "locked": { - "lastModified": 1695493039, - "narHash": "sha256-jyCiRfLhTnMHso3/1NA+UsGnzT5xI9JiGNjf2tOtCAQ=", + "lastModified": 1695656636, + "narHash": "sha256-aWNsycaRcfb+74tkAk/nr/NGHFIc/CPHCv+YGR/tSQc=", "ref": "main", - "rev": "d0014b42307dc3a8ffe7d1af6321063de6a8638a", - "revCount": 1012, + "rev": "7308061928ea56fbb9bc03892d1da01624a7e5e4", + "revCount": 1014, "type": "git", "url": "https://git.chir.rs/darkkirb/nix-packages.git" }, @@ -1024,14 +1084,14 @@ "inputs": { "attic": "attic_2", "cargo2nix": "cargo2nix_2", - "chir-rs": "chir-rs", + "chir-rs": "chir-rs_2", "colorpickle": "colorpickle", "crane": "crane_2", "dns": "dns_2", "emanote": "emanote", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "flake-utils": "flake-utils_3", - "haskell-flake": "haskell-flake", + "haskell-flake": "haskell-flake_2", "home-manager": "home-manager_2", "hosts-list": "hosts-list", "naersk": "naersk", 
@@ -1080,11 +1140,11 @@ }, "nixos-hardware_2": { "locked": { - "lastModified": 1695109627, - "narHash": "sha256-4rpyoVzmunIG6xWA/EonnSSqC69bDBzciFi6SjBze/0=", + "lastModified": 1695541019, + "narHash": "sha256-rs++zfk41K9ArWkDAlmBDlGlKO8qeRIRzdjo+9SmNFI=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "cb4dc98f776ddb6af165e6f06b2902efe31ca67a", + "rev": "61283b30d11f27d5b76439d43f20d0c0c8ff5296", "type": "github" }, "original": { @@ -1125,6 +1185,24 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1693471703, + "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-regression": { "locked": { "lastModified": 1643052045, @@ -1190,11 +1268,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1695521010, - "narHash": "sha256-2raGKYu7U7nqBKUBPzZbnRAEraRstM4CHPN4GZHXtJM=", + "lastModified": 1695656499, + "narHash": "sha256-kWq5qv257//eVjzQrE99DLQkcJxxHTNjUiXMJzLcdvc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "397b1733f45dc601e82ab9e13d5d427167fc284e", + "rev": "12d9af932f7eec42d826c0395515dab2d0cd8f27", "type": "github" }, "original": { @@ -1220,11 +1298,11 @@ }, "nur_2": { "locked": { - "lastModified": 1695528336, - "narHash": "sha256-HHQVzXsDNbl23qzPX+AuZwh3NlsCXs695wgNpW39FzQ=", + "lastModified": 1695656745, + "narHash": "sha256-GdivHNuf8HxrWkUbojHH3q7vgaG3T7KoVJ/SJ9IUD5Q=", "owner": "nix-community", "repo": "NUR", - "rev": "640b5ce3d9b40b5d589f8d36a00b1dda78ef4396", + "rev": "f8ad482a1c42596b3491914e8cba8fa0d08471d1", "type": "github" }, "original": { @@ -1237,6 +1315,7 @@ "inputs": { "attic": "attic", "cargo2nix": "cargo2nix", + "chir-rs": "chir-rs", "crane": "crane", "dns": "dns", "flake-utils": "flake-utils_2", 
@@ -1286,11 +1365,11 @@ ] }, "locked": { - "lastModified": 1695521529, - "narHash": "sha256-iTQGb6DNZPOg1C6DG4daXFKFiuUffl2rZ5YKzi0LK+4=", + "lastModified": 1695607919, + "narHash": "sha256-PU6yIbHXdm3W8bBlhO6aL+VIjK5UQCRnOvCqa1lYQ6M=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "164b96162f83ae3be6a9f5577053e0d53e5f4e6a", + "rev": "014e0035c262e5506f904829e6b925ee3cfdb55e", "type": "github" }, "original": { @@ -1362,6 +1441,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tomlplusplus": { "flake": false, "locked": { @@ -1379,6 +1473,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "chir-rs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1695290086, + "narHash": "sha256-ol6licpIAzc9oMsEai/9YZhgSMcrnlnD/3ulMLGNKL0=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "e951529be2e7c669487de78f5aef8597bbae5fca", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "nixos-config-for-netboot", diff --git a/flake.nix b/flake.nix index 4085b28f..3bd142dc 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,11 @@ rec { inputs.nixpkgs.follows = "nixpkgs"; inputs.rust-overlay.follows = "rust-overlay"; }; + chir-rs = { + url = "github:DarkKirb/chir.rs"; + inputs.nix-packages.follows = "nix-packages"; + inputs.nixpkgs.follows = "nixpkgs"; + }; crane = { url = "github:DarkKirb/crane"; inputs.flake-utils.follows = "flake-utils"; diff --git a/secrets/instance-20221213-1915.yaml b/secrets/instance-20221213-1915.yaml index be95174f..ceedd70a 100644 --- a/secrets/instance-20221213-1915.yaml 
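Review bot: The new `chir-rs` input is declared without a `ref` or `rev`, so the only thing fixing which revision of github:DarkKirb/chir.rs lands in both hosts' closures is the lock entry (rev 8d0d60c… in the flake.lock hunk), and any `nix flake update` will silently move it to the repository's default branch head. Judging by the secrets added in this commit, the input builds a service that holds a database password and a signup secret, so consider pinning a release ref in the url, e.g. `url = "github:DarkKirb/chir.rs/<tag-or-branch>";`, or at least reviewing the upstream diff whenever the lock is bumped. Note also that only `nixpkgs` and `nix-packages` are overridden with `follows`; the lock hunk shows the input carrying its own `flake-parts`, `haskell-flake`, `systems` and `treefmt-nix` pins, which become a second copy of each dependency to track if the root flake ever declares them itself.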
+++ b/secrets/instance-20221213-1915.yaml @@ -8,6 +8,9 @@ security: restic: password: ENC[AES256_GCM,data:80XNExfwBIG3aVNQBc8T2fdN9oA=,iv:JM/HU7vhx28VA9EppxpFc3xRVcAt+kp3JwTuHmFpL78=,tag:pC73+XCsFGTdA+MbTihD7Q==,type:str] services: + chir-rs: + database-password: ENC[AES256_GCM,data:selw9JIny9dNpuMVUlLg50YC4Tqbm2I+/3EEZsDbO0I=,iv:VKmdFvQJsI0KiZNZVLSZjVLGl85Xp/P47/YrfBeUPh8=,tag:NCjXDA9JosqIYFC3sFiIPg==,type:str] + signup-secret: ENC[AES256_GCM,data:PV4Iau9Wkvmixn8Tirvxy/fuPk94PjkovQlKyF2OqwI=,iv:UtqUFewEthfrGW2xo5rtz3lrnD7LXk1C+msPWGe3f30=,tag:9fuV1SIBK+uOoeIG3K5UhQ==,type:str] synapse: private_key: ENC[AES256_GCM,data:E2BWj1/dBHJ47NhqUkEAbbkI3nPWmNM5XoD5ZBu40lBv9xvPxP9SCbLQdFMcxNY/Xew91OZL8NvlNxk=,iv:X6V0YFmkWA6C5j7REFijZt8/gNfB2wHT6U8/iSjLAFA=,tag:DF3ZyQlYLUXBxmnfqoNYnw==,type:str] ipfs: @@ -52,8 +55,8 @@ sops: bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-09T12:17:28Z" - mac: ENC[AES256_GCM,data:kPWrigNRRYYbt7WT+oRIM4aZBBqscNoyXn8NNOY9npYBNbg5acRfhUWM/q/1FAyCQh0puJK1vqzlp8oJ3H3BWZTh+6SkNPMWVfuktObQBXK3wgt33g2euZyKp8nsp/kUYMVpcC1QJhvkAr34PJ6qDa97q18QwAIiY5cmtdAq+Ao=,iv:OriDQd+j0p4x49j8OMgI/zoDMTnJhlAyQRv9vsLyqGo=,tag:Ed0RcMGI7CeYtIkyZ2bZ8g==,type:str] + lastmodified: "2023-09-25T18:36:20Z" + mac: ENC[AES256_GCM,data:Ot8GWCq9Jz7Gd8CwRkdOGlpQgXHbwkP1Y7c2NozmOg8rrTjF6xpZtrYL45n+wNvEREKCbhhbspGW0EcXdCh2IJWN0Dq4prVyq0/+NSnqbOsh6YYtoGgaMb0lyOgecVyHkxRKTNKIXDKsyrjKSbumql1Q3G9Aa7u1ZFFsEhV8paQ=,iv:RtQbJF33dhX8VLvdktKTohAYRYy8T9VqRblSPomGD4s=,tag:ckDVTlKrbWdehcfJxeh1qQ==,type:str] pgp: - created_at: "2022-12-14T15:34:13Z" enc: | @@ -67,4 +70,4 @@ sops: -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.0 diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml index 354a3827..4dbe3f59 100644 --- a/secrets/nixos-8gb-fsn1-1.yaml 
+++ b/secrets/nixos-8gb-fsn1-1.yaml @@ -8,6 +8,9 @@ security: restic: password: ENC[AES256_GCM,data:e1wb7as2uEel8ee99B3C0M+8BxU=,iv:laNw6z7GQAHxo8FIqYlVY7dHdwZlBWre3HIZ+ns7mmk=,tag:9qSMkvMtfPdL46iiyCp8Pw==,type:str] services: + chir-rs: + database-password: ENC[AES256_GCM,data:6c8Ey39Lh/MoCJakEGpNFyueH+RAs//HXPKExrsiXiU=,iv:YmajjfpoaTHlbv5VhCk36jgfDetCKOTMqrmMGzXvitc=,tag:eQq7P92TR0txNk161gUUKA==,type:str] + signup-secret: ENC[AES256_GCM,data:rLpC7HdhTSkDNeRau5iOvicDxeHJC9R3aRIVe65xysQ=,iv:Pm/+ZXWJCtN4Bq87hPaXco78C/cwD7cdCJmApDpS6iA=,tag:NL4T35lL+xauva72f8C+EQ==,type:str] attic: ENC[AES256_GCM,data:DeVHavVIxhy74rywh6kD8dcZsUO+klUtv5iWJYcAxHKHidM40c8lpk0wb/ZixyOzV+ivDy0qCtN7vObseYUZRSChVe/ceE84WoULdQTHbLVkRE3hpxOSzL9d4AJH7mHyAZj+HXNtihtdFn8+0xSSyqpZQD9ic+jECbTHh+rTggQ5i9eBz5U+upbZXDAJi5KQNGJ1icbFwViJd8D0+dap/+9PnfcCi6syoUfJmDjxPrQItysX2xtjkf/sxHyK57XXXtYMNGjNmnJNyLWA136Foe0FNPgWGYms93gkKv6s6s4pZ7uVeax+zUtj0nnYAsF1qu1TBfGDAxuXqevqnuPX8mtFtfxxrcRT4Yw3SSuTb+qhFv7khgEJvpaZFfUweANwsiApvoWfoJViLNaT0Fa8jJG1OU8hX2gbnR2Bf0QZPfmdzxTtI+XvEBaFP3XCk04Xce+Mz2ZVjp+8MEk3uzqX0DNaFWjy6OZeo+VoEvmWOu2u2rk=,iv:lfkaR4d4cHvU7LMS1hrzrn6WovgOYflz8CmKM3c1rI0=,tag:vB8jIVYBv+JCo4mXt5/bfQ==,type:str] rspamd: dkim: 
@@ -23,10 +26,6 @@ services: access-key-id: ENC[AES256_GCM,data:KIyoS9W5I5JfQDXLpTCaNxTg8w2N1AvNzA==,iv:r4tBoR9KWmPMZwh+kh7ZEP4KE2hWse6OeOXyhOlZ2W8=,tag:D1qYI2IGgsLjNArDcilsbQ==,type:str] secret-access-key: ENC[AES256_GCM,data:Z/7k4oG4Nz5z1xlF3gN9L+6tEHAG/JFauZ4VRQMxxA==,iv:SbFadBqgL+lCvqYJx7hiMTdvTSw+LoKmq9BvHkaId28=,tag:fvfae3Lc8mmsR67KTLqS8Q==,type:str] matrix-token: ENC[AES256_GCM,data:pY+qeZY087urzwoYmA6lKc7j4HzsXswG6bkS7uSxFHXhRcoClTB2,iv:9+8uM07QeYBDWZFthMn2NqBBvIYrbkCuXzvieA6eGMQ=,tag:/kXekfgLG+iJZD6Dz7sQOQ==,type:str] - chir.rs: ENC[AES256_GCM,data:TQVbJF0UuztDiofhjzlMVIsIkdTAmzRfq2Fb7H6fZsMS9mHubkn0JzObz+FFTa9KjV3FPa0+LEpF9CsFeNVwd0jRmvFaCGxEdMU7O5LaF22zzGFAZHTeJhexkuipwbF9skFuzJndMLTiR7e8kvg+lT2Mto3w5KdQTWZOgw4OfZAmmRZOajTt44GERR1LS6PI+o6ufD+dDEskKLBO07HPwv9Ch5hERV4XIZALTQ+ovCFm3Dh3Yb4o3bN840U5wo9EgF9isDNvHDZI3aVyk59JT++FYR/5iDi4GqKlWiLGZ1x40aD7lBuQo5UgS9BrHJrDJKcao9vC6nvOwKoRhD1pk4TY3haBIpMmfCkCmlb1ATDuENPkzVjoLvM44bUTKxecXzGWJMz6Eb+F1YoGAt885yLTissqjUxkuVSjnskeTHRNu4O4iF87Fh5TeUTrTEYiF5n7hTLgttyWOOpPIxzmqWL6KcCC09IZHLgIrA==,iv:kZ8K4wG/Abv6RRZpKHl6BgmQJPSq6eOKDPSWmcu+000=,tag:AFEnAz4cQ5BPzyMQaH6dSg==,type:str] - chir-rs: - auth: - password: ENC[AES256_GCM,data:oBeyAHCCYeg/QsyxtB0tUmvzd5kfglY7wp56kdav5SYbwTxLdOCXegJouqPIR7Sm6viz2INDXsHlZW20Hkkkhw==,iv:8UmczITg+HY0inR+4FUh9RG4vJO/MspY+hBXRY3UNm8=,tag:4N7nZSKsEblVluTA/19OHA==,type:str] hydra: gitea_token: ENC[AES256_GCM,data:NkEXwLbofK2QnWrUuxY5QvUkYPWzY7Brsgl9FvV5Me0J5mWuHUc0Dg==,iv:UhA4JUKV/+D5lOTAx3fC+rsr61lYQJRioSyKQ3s1e0Y=,tag:E/HB2S90o7dLmeWBLsOP9w==,type:str] gitea: ENC[AES256_GCM,data:4lwnfAuAn8qa+3oNKaFkOX8rQINvYW2/p+5Cd1c3FQ==,iv:KeW/72JZ9Ar5KIzH87S5LBd6RjHGK6O3SwVibCJ1mn8=,tag:Fapbl3LmJ+H5TjZTapFIQQ==,type:str] 
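Review bot: Dropping the old `chir.rs` and `chir-rs.auth.password` entries from this file only removes them from the configuration; it does not rotate whatever credentials they encoded, and the ciphertext remains in git history, decryptable by every age/PGP recipient of this file. If those values were live (presumably the previous deployment's auth password), rotate or revoke them at the issuing side as part of this change rather than relying on the deletion. It would also help to state in the commit message that the new `chir-rs.database-password` and `signup-secret` keys supersede them, so the rename stays traceable.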
@@ -87,8 +86,8 @@ sops: UDRmejBFNTVxeTF6aVFta09OS25uNXcKizOsV9EUukinCAwvpZVrk9x0aXTKQckd gGfdCEU0HZXhZg+ikDFzy52+vPo8+gInjscXiXr/gGn6dJoctLqQXA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-21T15:38:17Z" - mac: ENC[AES256_GCM,data:VaHp7F++bzk6inHOZLXQ0rqZ8BESf2uSspKV/IjJDPl+R5rwzmILfXNnscJenHXmtsouRUGoNLo3u+4DH95Ow/WdHiR76vMv4z6pCLQBrLwYg0UQi8w6WqksTSf33AnCow8A1p12AKG3hFzKMijR7G7TivQJSTMsXTy+1/fOtPY=,iv:WWLvVPpZTNP9twcOnNl974UMPkObzNYqM4cfBEQZldk=,tag:9q+PcIf1TMTq9OdG45F/pA==,type:str] + lastmodified: "2023-09-25T18:46:12Z" + mac: ENC[AES256_GCM,data:JqSBMSazTsiRolQGZnf3ho8HIACQtdVeXDEz3inMEIBShVocrEiHt5il7OJ3X1sg/g99LRnnng5TxSuaYZUcWFAo+bHKGLEZdxN26ysyxkNvrKyfc1A57tPOVNInmGKdO3VuEUzH2G4qNLLNd2VTuObpvLw6KWq6AIa6GBQJYvI=,iv:25nBfbeGYKk5IVRzsBpCW8zM9uHDkhnXxDa915z0+wU=,tag:RO/iwEUH/m9BxWtWKyI7JQ==,type:str] pgp: - created_at: "2023-02-18T08:54:32Z" enc: | @@ -102,4 +101,4 @@ sops: -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.0 diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix index 7b0f083d..3bfae0bf 100644 --- a/zones/chir.rs.nix +++ b/zones/chir.rs.nix @@ -144,7 +144,7 @@ with dns.lib.combinators; let SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 38; + serial = 39; }; NS = [ "ns1.chir.rs." @@ -247,6 +247,7 @@ with dns.lib.combinators; let ipfs.CNAME = ["ipfs-chir-rs.b-cdn.net."]; status = createZone oracleBase; sliding-sync = createZone oracleBase; + lotte-test = createFullZone {}; int = delegateTo [