diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml index b86e01ea..54c0fadd 100644 --- a/.github/workflows/update.yaml +++ b/.github/workflows/update.yaml @@ -15,7 +15,7 @@ jobs: nix_path: nixpkgs=channel:nixos-unstable extra_nix_config: | access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs/ https://hydra.chir.rs/ + substituters = https://cache.nixos.org/ https://cache.chir.rs/ https://hydra.chir.rs/ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= chir-rs:/iTDNHmQw1HklELHTBAVDFVAFaJ3ACGu3eezVUtplKc= experimental-features = nix-command flakes - name: update flake lock diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix index 7855a851..effb1a9a 100644 --- a/config/instance-20221213-1915.nix +++ b/config/instance-20221213-1915.nix @@ -15,7 +15,6 @@ ./services/named-submissive.nix ./services/shitalloverme.nix ./users/remote-build.nix - ./services/atticd.nix ./services/minecraft.nix ./services/postgres.nix ./services/nextcloud.nix diff --git a/config/nas.nix b/config/nas.nix index 5fa1cee4..f47f864a 100644 --- a/config/nas.nix +++ b/config/nas.nix @@ -119,7 +119,7 @@ ]; hardware.enableRedistributableFirmware = true; nix.settings.substituters = lib.mkForce [ - "https://attic.chir.rs/chir-rs/" + "https://cache.chir.rs/" "https://cache.nixos.org/" "https://beam.attic.rs/riscv" "https://cache.ztier.in" diff --git a/config/nix.nix b/config/nix.nix index e3cf1220..7e3af727 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -3,7 +3,6 @@ lib, config, system, - attic, ... }: { imports = [ @@ -17,7 +16,7 @@ require-sigs = true; builders-use-substitutes = true; substituters = [ - "https://attic.chir.rs/chir-rs/" + "https://cache.chir.rs/" "https://hydra.int.chir.rs" ]; trusted-public-keys = [ 
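Review bot: The `trusted-public-keys` context line in the update.yaml hunk is unchanged, although the cache behind `https://cache.chir.rs/` is now written by Hydra's `store_uri` and signed with `services/hydra/cache-key` rather than by Attic. If the `chir-rs:` entry was the Attic cache's signing key (not determinable from this diff), it is now a trusted key with no cache behind it and should be removed. Conversely, the public half of the Hydra cache key has to be in this list, or paths from the new cache will be rejected under `require-sigs = true`. The same check applies to the substituter hunks in config/nas.nix and config/nix.nix, whose key lists lie outside the hunks.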
diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix index f7414ec6..2628d0e8 100644 --- a/config/nixos-8gb-fsn1-1.nix +++ b/config/nixos-8gb-fsn1-1.nix @@ -31,7 +31,6 @@ ./services/rspamd.nix ./wireguard/public-server.nix ./services/shitalloverme.nix - ./services/atticd.nix ./services/wordpress.nix ./services/initrd-ssh.nix ./services/chir-rs.nix diff --git a/config/services/atticd.nix b/config/services/atticd.nix deleted file mode 100644 index 65d7c67c..00000000 --- a/config/services/atticd.nix +++ /dev/null @@ -1,62 +0,0 @@ -{ - attic, - config, - lib, - nix-packages, - system, - pkgs, - ... -}: { - imports = [attic.nixosModules.atticd]; - services.atticd = { - enable = true; - package = attic.packages.${system}.attic-server; - credentialsFile = config.sops.secrets."services/attic".path; - settings = { - listen = "[::1]:57448"; - allowed-hosts = ["attic.chir.rs"]; - api-endpoint = "https://attic.chir.rs/"; - database = lib.mkForce {}; - storage = { - type = "s3"; - region = "us-east-1"; - bucket = "attic-chir-rs"; - endpoint = "https://ams1.vultrobjects.com/"; - }; - compression = { - type = "zstd"; - level = 12; - }; - chunking = { - nar-size-threshold = 131072; - min-size = 65536; - avg-size = 131072; - max-size = 262144; - }; - garbage-collection.default-retention-period = "3 months"; - }; - }; - sops.secrets."services/attic" = {}; - services.postgresql.ensureDatabases = [ - "attic" - ]; - services.postgresql.ensureUsers = [ - { - name = "attic"; - ensurePermissions = { - "DATABASE attic" = "ALL PRIVILEGES"; - }; - } - ]; - services.caddy.virtualHosts."attic.chir.rs" = { - useACMEHost = "chir.rs"; - logFormat = lib.mkForce ""; - extraConfig = '' - import baseConfig - - reverse_proxy http://[::1]:57448 { - trusted_proxies private_ranges - } - ''; - }; -} diff --git a/config/services/hydra.nix b/config/services/hydra.nix index 76727130..48b0e66d 100644 --- a/config/services/hydra.nix +++ b/config/services/hydra.nix 
@@ -1,6 +1,5 @@ { system, - attic, lib, config, pkgs, @@ -77,6 +76,7 @@ in { binary_cache_secret_key_file = ${config.sops.secrets."services/hydra/cache-key".path} + store_uri = s3://cache-chir-rs?scheme=https&endpoint=ams1.vultrobjects.com&secret-key=${config.sops.secrets."services/hydra/cache-key".path}&multipart-upload=true&compression=zstd&compression-level=15 timeout = 3600 @@ -115,7 +115,7 @@ in { sops.secrets."services/hydra/aws_credentials" = { owner = "hydra-queue-runner"; path = "/var/lib/hydra/queue-runner/.aws/credentials"; - restartUnits = ["hydra-notify.service"]; + restartUnits = ["hydra-notify.service" "hydra-queue-runner.service"]; }; systemd.services.update-hydra-hosts = { description = "Update hydra hosts"; 
@@ -152,38 +152,25 @@ in { chown -Rv hydra-queue-runner /var/lib/hydra/queue-runner ln -svf ${sshConfig} /var/lib/hydra/queue-runner/.ssh/config ''; - sops.secrets."attic/config.toml" = { - owner = "hydra-queue-runner"; - key = "attic/config.toml"; - path = "/var/lib/hydra/queue-runner/.config/attic/config.toml"; - }; - - systemd.services."upload-hydra-results" = { - description = "Upload hydra build results"; + systemd.services.clean-s3-cache = let + clean-cache = pkgs.callPackage ../../packages/clean-s3-cache.nix {}; + in { + enable = true; + description = "Clean up S3 cache"; serviceConfig = { - Type = "oneshot"; + ExecStart = "${clean-cache}/bin/clean-s3-cache.py"; User = "hydra-queue-runner"; Group = "hydra"; }; - script = '' - set -ex - if [ -e /var/lib/hydra/queue-runner/uploading ]; then - cat /var/lib/hydra/queue-runner/uploading | xargs ${attic.packages.${system}.attic-client}/bin/attic push chir-rs - rm /var/lib/hydra/queue-runner/uploading - fi - mv /var/lib/hydra/queue-runner/upload-queue /var/lib/hydra/queue-runner/uploading - cat /var/lib/hydra/queue-runner/uploading | xargs ${attic.packages.${system}.attic-client}/bin/attic push chir-rs - rm /var/lib/hydra/queue-runner/uploading - ''; }; - systemd.timers.upload-hydra-results = { + systemd.timers.clean-s3-cache = { enable = true; - description = "Upload hydra build results"; - requires = ["upload-hydra-results.service"]; + description = "Clean up S3 cache"; + requires = ["clean-s3-cache.service"]; wantedBy = ["multi-user.target"]; timerConfig = { OnBootSec = 300; - OnUnitActiveSec = 300; + OnUnitActiveSec = 604800; }; }; } diff --git a/config/services/nextcloud.nix b/config/services/nextcloud.nix index 3358d115..aac05f84 100644 --- a/config/services/nextcloud.nix +++ b/config/services/nextcloud.nix @@ -65,7 +65,7 @@ { name = "nextcloud"; ensurePermissions = { - "DATABASE attic" = "ALL PRIVILEGES"; + "DATABASE nextcloud" = "ALL PRIVILEGES"; }; } ]; 
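Review bot: The timer still carries `requires = ["clean-s3-cache.service"]`, so whenever `clean-s3-cache.timer` is started (at boot, or on an activation that restarts it) systemd starts the service at once instead of waiting for `OnBootSec`. That was harmless for the upload job, but this unit deletes cache objects, so I would drop the `requires` line and let the timer trigger the service by its matching name. The service also runs as `hydra-queue-runner`, which means the S3 key in `services/hydra/aws_credentials` that Hydra uploads with must also be permitted to delete; a dedicated user with its own delete-scoped key would keep the two roles apart, if the object store supports per-key policies. The `in {` attribute set this hunk belongs to starts outside the hunk.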
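Review bot: Correcting the grant to `"DATABASE nextcloud"` does not take back the old one: per the NixOS option documentation `ensureUsers` never removes permissions, so on hosts where the previous config was applied the `nextcloud` role keeps `ALL PRIVILEGES` on the `attic` database. The `attic` database and role created by the deleted config/services/atticd.nix are likewise left in place. A one-off `REVOKE ALL PRIVILEGES ON DATABASE attic FROM nextcloud;` (or dropping the database and role once Attic is retired) should accompany this deploy.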
diff --git a/flake.lock b/flake.lock index 368413e2..fef191ea 100644 --- a/flake.lock +++ b/flake.lock @@ -1,41 +1,6 @@ { "nodes": { "attic": { - "inputs": { - "cargo2nix": [ - "cargo2nix" - ], - "crane": [ - "crane" - ], - "flake-compat": [ - "flake-compat" - ], - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": [ - "rust-overlay" - ] - }, - "locked": { - "lastModified": 1694160842, - "narHash": "sha256-KqzSSagAay+qBhXlDGHc05dpio9PZ/ZFVmQcuJum/qU=", - "owner": "DarkKirb", - "repo": "attic", - "rev": "9460d742caf366a1f999936dacd4d6e9274d956b", - "type": "github" - }, - "original": { - "owner": "DarkKirb", - "repo": "attic", - "type": "github" - } - }, - "attic_2": { "inputs": { "crane": [ "nixos-config-for-netboot", @@ -70,36 +35,6 @@ } }, "cargo2nix": { - "inputs": { - "flake-compat": [ - "flake-compat" - ], - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": [ - "rust-overlay" - ] - }, - "locked": { - "lastModified": 1691655399, - "narHash": "sha256-hVfFMu27OMaUPxpyovnxYNrzDYFCbQaFu+XCAIPeoAk=", - "owner": "DarkKirb", - "repo": "cargo2nix", - "rev": "1a37221e07295f7d5a8842717e94229af72f1c20", - "type": "github" - }, - "original": { - "owner": "DarkKirb", - "ref": "release-0.11.0", - "repo": "cargo2nix", - "type": "github" - } - }, - "cargo2nix_2": { "inputs": { "flake-compat": "flake-compat_3", "flake-utils": [ 
@@ -244,35 +179,6 @@ } }, "crane": { - "inputs": { - "flake-compat": [ - "flake-compat" - ], - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": [ - "rust-overlay" - ] - }, - "locked": { - "lastModified": 1674934931, - "narHash": "sha256-TmGfRDBK7EkR0VY8Jr0WU4WdyzZxiXDGVGUzIXPFXRI=", - "owner": "DarkKirb", - "repo": "crane", - "rev": "42c3f329daa267857c6bc6d21c9eec468e97e2d7", - "type": "github" - }, - "original": { - "owner": "DarkKirb", - "repo": "crane", - "type": "github" - } - }, - "crane_2": { "inputs": { "flake-compat": "flake-compat_4", "flake-utils": [ @@ -1154,11 +1060,11 @@ }, "nixos-config-for-netboot": { "inputs": { - "attic": "attic_2", - "cargo2nix": "cargo2nix_2", + "attic": "attic", + "cargo2nix": "cargo2nix", "chir-rs": "chir-rs_2", "colorpickle": "colorpickle", - "crane": "crane_2", + "crane": "crane", "dns": "dns_2", "emanote": "emanote", "flake-parts": "flake-parts_2", @@ -1368,10 +1274,7 @@ }, "root": { "inputs": { - "attic": "attic", - "cargo2nix": "cargo2nix", "chir-rs": "chir-rs", - "crane": "crane", "dns": "dns", "firefox": "firefox", "flake-compat": "flake-compat", @@ -1388,7 +1291,6 @@ "nixos-hardware": "nixos-hardware_2", "nixpkgs": "nixpkgs_4", "nur": "nur_2", - "rust-overlay": "rust-overlay_2", "sops-nix": "sops-nix_2", "systems": "systems_2", "treefmt-nix": "treefmt-nix_2" @@ -1419,29 +1321,6 @@ "type": "github" } }, - "rust-overlay_2": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1698891127, - "narHash": "sha256-HuhQGsvBX1CdD+wvyK7J8aANYxvABhkPsiY97aT4+/w=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "6bc508466396bc6e24a7e4236ece9cb95b72582e", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "sops-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 6da3b28e..41302138 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,22 +4,6 @@ rec { # Use NixOS unstable inputs = { # Sorted by name - attic = { - url = "github:DarkKirb/attic"; - inputs.cargo2nix.follows = "cargo2nix"; - inputs.crane.follows = "crane"; - inputs.flake-compat.follows = "flake-compat"; - inputs.flake-utils.follows = "flake-utils"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.rust-overlay.follows = "rust-overlay"; - }; - cargo2nix = { - url = "github:DarkKirb/cargo2nix/release-0.11.0"; - inputs.flake-compat.follows = "flake-compat"; - inputs.flake-utils.follows = "flake-utils"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.rust-overlay.follows = "rust-overlay"; - }; chir-rs = { url = "github:DarkKirb/chir.rs"; inputs.flake-parts.follows = "flake-parts"; @@ -29,13 +13,6 @@ rec { inputs.systems.follows = "systems"; inputs.treefmt-nix.follows = "treefmt-nix"; }; - crane = { - url = "github:DarkKirb/crane"; - inputs.flake-compat.follows = "flake-compat"; - inputs.flake-utils.follows = "flake-utils"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.rust-overlay.follows = "rust-overlay"; - }; dns = { url = "github:DarkKirb/dns.nix"; inputs.flake-utils.follows = "flake-utils"; @@ -94,11 +71,6 @@ rec { nixos-hardware.url = "github:NixOS/nixos-hardware"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nur.url = "github:nix-community/NUR"; - rust-overlay = { - url = "github:oxalica/rust-overlay"; - inputs.flake-utils.follows = "flake-utils"; - inputs.nixpkgs.follows = "nixpkgs"; - }; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/overlays/riscv.nix b/overlays/riscv.nix index 8c13fa32..15f117d7 100644 --- a/overlays/riscv.nix +++ b/overlays/riscv.nix @@ -9,7 +9,6 @@ args: self: prev: let in { pandoc = self.writeScriptBin "pandoc" "true"; inherit (pkgsX86) nix; - inherit (args.attic.packages.x86_64-linux) attic-client; bind = prev.bind.overrideAttrs (_: { doCheck = false; doInstallCheck = false; 
diff --git a/packages/clean-s3-cache.nix b/packages/clean-s3-cache.nix
new file mode 100644
index 00000000..0e75611d
--- /dev/null
+++ b/packages/clean-s3-cache.nix
@@ -0,0 +1,17 @@
+{
+ writeTextFile,
+ python3,
+ python3Packages,
+}: let
+ environment = python3.buildEnv.override {
+ extraLibs = with python3Packages; [
+ boto3
+ ];
+ };
+in
+ writeTextFile {
+ name = "clean-s3-cache.py";
+ executable = true;
+ destination = "/bin/clean-s3-cache.py";
+ text = builtins.replaceStrings ["#SHEBANG#"] ["${environment}/bin/python"] (builtins.readFile ./clean-s3-cache.py);
+ }
diff --git a/packages/clean-s3-cache.py b/packages/clean-s3-cache.py
new file mode 100644
index 00000000..e62c965c
--- /dev/null
+++ b/packages/clean-s3-cache.py
@@ -0,0 +1,180 @@ +#!#SHEBANG# +import asyncio +from concurrent.futures import ThreadPoolExecutor +import functools +from typing import Any, AsyncIterable, Awaitable, Callable, Optional, TypeVar, cast +from os import path, listdir +import json + +import boto3 +from botocore.response import StreamingBody + +ENDPOINT_URL: str = "https://ams1.vultrobjects.comk" +BUCKET_NAME: str = "cache-chir-rs" + +executor: ThreadPoolExecutor = ThreadPoolExecutor() + +F = TypeVar('F', bound=Callable[..., Any]) +T = TypeVar('T') + + +def with_backoff( + f: Callable[..., Awaitable[T]]) -> Callable[..., Awaitable[T]]: + + async def with_backoff_wrapper(*args: Any, **kwargs: Any) -> T: + last_delay = 2 + while True: + try: + return await f(*args, **kwargs) + except Exception as e: + print(f"{e}") + if last_delay >= 120: + raise + await asyncio.sleep(last_delay) + last_delay *= last_delay + + return with_backoff_wrapper + + +def aio(f: Callable[..., T]) -> Callable[..., Awaitable[T]]: + + async def aio_wrapper(*args: Any, **kwargs: Any) -> T: + f_bound: Callable[[], T] = functools.partial(f, *args, **kwargs) + loop: asyncio.AbstractEventLoop = asyncio.get_running_loop() + return await loop.run_in_executor(executor, f_bound) + + return aio_wrapper + + +@aio +def exists_locally(store_path: str) -> bool: + return path.exists(store_path) + + +class NarInfo(object): + + def __init__(self, narinfo: str) -> None: + self.compression = "bzip2" + for narinfo_line in narinfo.splitlines(): + key, value = narinfo_line.split(": ", 1) + if key == "StorePath": + self.store_path = value + elif key == "URL": + self.url = value + elif key == "Compression": + self.compression = value + elif key == "FileHash": + self.file_hash = value + elif key == "FileSize": + self.file_size = int(value) + elif key == "NarHash": + self.nar_hash = value + elif key == "NarSize": + self.nar_size = int(value) + elif key == "References": + self.references = value.split() + elif key == "Deriver": + self.deriver = value + elif 
key == "System": + self.system = value + elif key == "Sig": + self.sig = value + elif key == "CA": + self.ca = value + + async def exists_locally(self) -> bool: + return await exists_locally(self.store_path) + + +s3 = boto3.client("s3", endpoint_url=ENDPOINT_URL) + + +@with_backoff +@aio +def get_object(Key: str) -> str: + obj = s3.get_object(Bucket=BUCKET_NAME, Key=Key) + if "Body" not in obj: + raise Exception("No Body") + if isinstance(obj["Body"], StreamingBody): + return obj["Body"].read().decode("utf-8") + raise Exception("Not StreamingBody") + + +async def list_cache_objects() -> AsyncIterable[str]: + + @with_backoff + @aio + def list_objects_v2(ContinuationToken: Optional[str]) -> dict[str, Any]: + if ContinuationToken != None: + return s3.list_objects_v2(Bucket=BUCKET_NAME, + ContinuationToken=ContinuationToken) + else: + return s3.list_objects_v2(Bucket=BUCKET_NAME) + + cont_token = None + while True: + objs = await list_objects_v2(cont_token) + if "Contents" not in objs: + raise Exception("No Contents") + if isinstance(objs["Contents"], list): + for obj in cast(list[Any], objs["Contents"]): + if not isinstance(obj, dict): + raise Exception("Not dict") + obj = cast(dict[str, Any], obj) + yield obj["Key"] + + if "NextContinuationToken" not in objs: + break + cont_token = objs["NextContinuationToken"] + + +@with_backoff +@aio +def delete_object(key: str) -> None: + s3.delete_object(Bucket=BUCKET_NAME, Key=key) + + +def get_store_hashes() -> set[str]: + hashes = set() + for obj in listdir("/nix/store"): + hashes.add(obj.split("-")[0]) + return hashes + + +async def main() -> None: + store_hashes = get_store_hashes() + nars_to_delete = set() + nars_to_keep = set() + async for obj_key in list_cache_objects(): + if obj_key.endswith(".narinfo"): + # check if we have the hash locally + narinfo = await get_object(obj_key) + narinfo = NarInfo(narinfo) + if not await narinfo.exists_locally(): + print(f"Found unused NAR for {narinfo.store_path}") + await 
delete_object(obj_key) + nars_to_delete.add(narinfo.url) + else: + nars_to_keep.add(narinfo.url) + if obj_key.startswith("realisations/"): + realisation = await get_object(obj_key) + realisation = json.loads(realisation) + if not isinstance(realisation, dict): + continue + if "outPath" not in realisation: + continue + if not await exists_locally("/nix/store/" + + realisation["outPath"]): + print(f"Found unused realisation for {realisation['outPath']}") + await delete_object(obj_key) + if obj_key.startswith("nar/"): + nars_to_delete.add(obj_key) + for nar in nars_to_delete: + if nar in nars_to_keep: + continue + print(f"Deleting unused NAR {nar}") + await delete_object(nar) + + +if __name__ == "__main__": + asyncio.get_event_loop().run_until_complete(main()) diff --git a/scripts/post-build-hook b/scripts/post-build-hook deleted file mode 100755 index 477036c9..00000000 --- a/scripts/post-build-hook +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash -set -euf -export IFS=' ' -export XDG_CONFIG_HOME=/home/runner/.config -until /nix/var/nix/profiles/default/bin/nix run 'github:DarkKirb/nix-packages#attic-client' -- push chir-rs $OUT_PATHS; do - sleep 5 - echo "Retrying..." -done diff --git a/secrets/instance-20221213-1915.yaml b/secrets/instance-20221213-1915.yaml index 48ec5b61..244d1f75 100644 --- a/secrets/instance-20221213-1915.yaml +++ b/secrets/instance-20221213-1915.yaml 
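Review bot: `ENDPOINT_URL` is `"https://ams1.vultrobjects.comk"`, which does not match the `ams1.vultrobjects.com` endpoint used by `store_uri` in config/services/hydra.nix, so the cleaner would address its signed S3 requests to a different hostname; it should read `ENDPOINT_URL: str = "https://ams1.vultrobjects.com"`. In `main()` every `nar/` key is queued for deletion and spared only when a `.narinfo` seen in the same listing pass references it, so a NAR that Hydra uploads while the pass is running can be deleted and leave a narinfo pointing at a missing file; yielding `LastModified` from `list_objects_v2` and skipping objects younger than a grace period would close that window. `NarInfo.__init__` raises on any line without `": "` and leaves `store_path`/`url` unset when the field is absent, which aborts the whole run from `main()`; a narinfo that fails to parse should be logged and skipped, never deleted. Two smaller points: `store_hashes` is computed but never read, and `last_delay *= last_delay` squares the delay (2, 4, 16 s, then raise) where `last_delay *= 2` looks intended.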
@@ -15,7 +15,6 @@ services: private_key: ENC[AES256_GCM,data:E2BWj1/dBHJ47NhqUkEAbbkI3nPWmNM5XoD5ZBu40lBv9xvPxP9SCbLQdFMcxNY/Xew91OZL8NvlNxk=,iv:X6V0YFmkWA6C5j7REFijZt8/gNfB2wHT6U8/iSjLAFA=,tag:DF3ZyQlYLUXBxmnfqoNYnw==,type:str] ipfs: access_grant: ENC[AES256_GCM,data:WFWKgRf4VG0fViy9hSvRclwxQxICoV94eOpaVjGv6HJ/SeHLF2FaXG9PPNvU35JsNrWQhovYK33QPqE9IV6rgoo7xtH7FYlr91YYJ6a/x4SQnkIu5aUYIpsTk+I97T/5gfLJZK2Sr05lrnCBth5F2eu+ITILt8AUizrqLLW+KWpeCkzz6G8pJGwnOqp/CIDkTCybgnzM0piF4F0lVukAjnrUhYGR3szi8zpy6ZSQHFvXgz37DfEaTgcJlt/tx/xozkSor+KweXHDA71d1nugQ1p7DhLdP4rpm7PrdfZmwc56p2OkK15jdDPeOTBpOWvFt+wdPKR4PMfwYFHO5adE8ZNkdBafICtrdEV552qkTZ4LDYqY9qCi0tKU3TbuArxKoMPshoiaeqEuP2itPsZonqYVv9CXeOLSlA==,iv:NU4rJgOTg6SPOCiYvOqQH0w9i3aJR8IvfNcm+eykoVI=,tag:/LRTOtGRd/Y9QJlK0X1jvA==,type:str] - attic: ENC[AES256_GCM,data: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,iv:eh5t4CENtUt5wkdIRQkwMCDcraBi6xHeIe/h8bDl1SY=,tag:2YAJMlBdI0DcK93F9m/QYg==,type:str] ssh: host-key: ENC[AES256_GCM,data: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,iv:mnW23zPiSDoluMjQJEUFHDkVO6IT/4+RgAlaKuie3Qw=,tag:F+KOH/MkjrF1wYCR9OzFkQ==,type:str] nextcloud: 
@@ -52,8 +51,8 @@ sops: bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-28T18:49:48Z" - mac: ENC[AES256_GCM,data:aFZwrPUeO+6iDeJMSQRbzlQvtpSgINVped/ZSucbVrijTvKzetUtO1URZl6WreZxE/NSqAuJr5oOWOsAVmQHuARhbsqfVXLykc/m+L6a9e4mQbiTjAVZh9AmZNnrunIv5rpn1BVZSjYa31UQC/VWnuqsCCmeyQEfEu14sUVrH/U=,iv:jp5k+qmNwMAt29/kRACkhPwl3ISFvJjbHupsCVDyhZM=,tag:0ISIGuQ7BO63Mh6O+Wqvow==,type:str] + lastmodified: "2023-11-03T13:29:07Z" + mac: ENC[AES256_GCM,data:cHdS1omrtgqyOECJtcuekU90i7zVeiyJIYLr7FZ88G2dRSn3UGhu8vFE3m/7M7kt5we9UU4lY158FOqF0BL9Sei61eOY8qCT7KiqX5jhKf1a6zAdzBG2rgipmG0dTopKthm+CtwX8FLF9tRnumUlQgMqUGymtgf3vcbrWwbkhsU=,iv:+qX3eWASW+MHReZbyr+W/yZfmGgW1k/7wCFVe/EH6AU=,tag:yH7nSk/xYCuVVHnB9nnm8A==,type:str] pgp: - created_at: "2022-12-14T15:34:13Z" enc: | @@ -67,4 +66,4 @@ sops: -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted - version: 3.8.0 + version: 3.8.1 diff --git a/secrets/nas.yaml b/secrets/nas.yaml index b20545c6..601854c0 100644 --- a/secrets/nas.yaml +++ b/secrets/nas.yaml 
@@ -8,7 +8,7 @@ services: cache-key: ENC[AES256_GCM,data:359HiOnMunY5vQowyl79OOYX7ELs1jGkyCMjvuUXUaVnPWu/Nui5UM51O4VKD6+cLvVKyy5QXJxxOVfPO5DHL7gb+rlcbcusdBs8iCLaqlxD7yHqDE6FsncFSB7OqqUKNw==,iv:/NBm6p/vpurdhFzrN7HA9Tu13g6FbWREbKh4yNPryB4=,tag:xTs/KwTOgAQwaukU8+ek0A==,type:str] gitea_token: ENC[AES256_GCM,data:v0Ej8841I1F/dK5ZplRzZlvngpueMQKspM5USzX9VkOEmpCs2NA3+Q==,iv:fZisAuyqk7ATFx6qHYkScUeS8SsikjiPzVovZjGnUYM=,tag:7+O+Sn7unPDy88a6T70Jmg==,type:str] github_token: ENC[AES256_GCM,data:AWMeX+P8YHGpSuH+5KqvE9zNxkEPKGvdRaQjNysO4/XE4csGjCvmjA==,iv:MCRtws/SM7lWS2/2pp5tbeX7+I5h4LVd9bJp//ln9hs=,tag:LMEGWFAaOqH0fqfNgc87AQ==,type:str] - aws_credentials: ENC[AES256_GCM,data:yxJU6d6BMi+LHUPimMkgr5h6accGXQXxFu9A0swdwKII/Xfo4ALAw4J4aEhpnNuK8JwmzuuDdTDGnilzuEATeaANa2cNXps6AWw8Hem8idw585xTcU1YBEOdbBSs/mKK6S+Da1OU5jC1atrCCWY7cg==,iv:tAEGsniZ7N/jBp7btLlD1pNcF4NvEmpO6zXji1H29t8=,tag:lmAB3QMfaT3ljDmr+8IBHA==,type:str] + aws_credentials: ENC[AES256_GCM,data:TqfAEFfDEIicrI/qNEpHYI/cXw5OZ4z31eq05WTIQWxuyD01UfduuJeHlPNuzp7+cGVSExBUccNvVpwz7ivESoMLqiP459GfXert/SZi56fMZdOsfFxbl5x/ks71bamj5/qIXxQW0hqSOG8TwQNIMNQgAcA=,iv:HDXc7F+3WXnIfRL8rYxMnQPlfNLMYJAjKKjWVzIhNQ0=,tag:u+D+/YY+60TAEmhHMGoUwg==,type:str] hostapd: ENC[AES256_GCM,data:KCOOPShBt6gs8TK0Ns6Kzw==,iv:haG+7w893r9w9XySav8n2MWIAOi8eehy61rQudpdjGU=,tag:yupv4fTLiOgTU7SKoAR3og==,type:str] rspamd: dkim: 
@@ -30,8 +30,6 @@ email: password: root: ENC[AES256_GCM,data:edK/dud41KmbX6v8Mxn1vVcaCwG0x4YhGjqLTw3oAigmwixTovz+4yUDrkjTQLb3/eMClqQJnjcJsRBv4chSu+UuNorKIsPM0IX9mkTmVH2soGmdPB21HXOXmisGu33oOyhyojbvlaWlFw==,iv:GiXRuhJVPgkAAp7OYufzXtHusnSPOfAP0ztdAtn14GE=,tag:nIOus2VvzE6d+r/aJOLCBw==,type:str] darkkirb: ENC[AES256_GCM,data:vmI8B7PWeoKTwOywaGmJmD9gWb09eDcmchx241XrfNvT9QseuSElDTb3OajHornt/OFBPh7EtNi/y1BHF1+DZq0i1tmhYuJy24BLuCPH9VpCb5s5xZZCVtOC6w3qUGqIlLQHYN0Fp1Ap5A==,iv:KkcLQDJSDqeFr3gDByb66MOx8/PbpKpvM9Ym+KMB3jc=,tag:wLLOU4RhWnS+DDSOQLrLHA==,type:str] -attic: - config.toml: ENC[AES256_GCM,data:060O5ICRHpkfTIdrkrLjlJSFKh7HCcMuETkRwf8zSaPQO7NTYnX6nQjd0mYcWZvBPQF3l8cVovja19nKMQAUGTzkBxkpvfylG+UMAfxEpuwTzypyzBwLXQOZPXqdXoEKPu0ghx1nojF08CLALDMlM8J/I7KrlofmSWGO+7142EAhrf1ov5IFmfHBn1vJvfa9aSVKnYDXmMpimO8zxc876YiBiHPe9srTpAlyOu/aOiev0fRmZfWGt7X7/lBap1AcDZFvoe/8Hs0Nb1GSE4ZW9WLPBMFigGK10fCgmlk8rTkaXTNCdZ/yJ24lugganFwssET6HBS/nmDLLMjPkZ0n+6U+JdDcRtXQXq9nwFG9TpMvX9i9K1z24F1/maQ2qUS0OB/YQ/pADLJt/xYfuzfB70FHpN2YYn2Lcmup3xKvbfAL9BFJCA==,iv:3wCOLgoqKoycuitBrQCccRRYulfrhI0a5K8vARU2MM4=,tag:/Zggqm+3CCcUwyc9ubhqcA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -47,8 +45,8 @@ sops: WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5 2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-02T17:25:38Z" - mac: ENC[AES256_GCM,data:iu4NhBQHLTuGAG70rSedcI2cwwDZpzLu18cIxO9JaVRWVanDoYTDXd9sDC7H8oBOmLnypYpXc4kOMCwsY9475W+Yi3HxHWlkcWAPWxAsJL5nIkC7Q9CwrwSCpwtsPyebsLzl299lYPjsNsLpQ6ft/GWnwAn5ISIkKV91k9hduz0=,iv:IB8YVkok7NrX2ayu2iQcwzsP/Tl+WXxjfvQ/1DkRUlk=,tag:z2tlvGWpEbXFrCmuKwUdbA==,type:str] + lastmodified: "2023-11-03T13:33:44Z" + mac: ENC[AES256_GCM,data:CUi7/JEP6LerZ1SKYt4nEJQNbLs6iLK4U758qFXCpLkHBX2DA7wpu2HQ98SXkfQYHNOmoH/2LhCd+Am+UixnzmTZPXol7zntO3zSrjLQh208Cpp7lYO+sDFLOJqijjth1n6c4dri5yaXJwHLQn/iLZR0Ktespl38RotWnaQ597A=,iv:K6nhBEpagZSrTVfFiS1iGC/K691yxrdFP/sqoMZvWO0=,tag:7N10AC167RoG2qKUH11g5g==,type:str] pgp: - created_at: "2022-04-24T10:34:20Z" enc: | @@ -62,4 +60,4 @@ sops: -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml index f89ead56..4a746447 100644 --- a/secrets/nixos-8gb-fsn1-1.yaml +++ b/secrets/nixos-8gb-fsn1-1.yaml @@ -11,7 +11,6 @@ services: chir-rs: database-password: ENC[AES256_GCM,data:6c8Ey39Lh/MoCJakEGpNFyueH+RAs//HXPKExrsiXiU=,iv:YmajjfpoaTHlbv5VhCk36jgfDetCKOTMqrmMGzXvitc=,tag:eQq7P92TR0txNk161gUUKA==,type:str] signup-secret: ENC[AES256_GCM,data:rLpC7HdhTSkDNeRau5iOvicDxeHJC9R3aRIVe65xysQ=,iv:Pm/+ZXWJCtN4Bq87hPaXco78C/cwD7cdCJmApDpS6iA=,tag:NL4T35lL+xauva72f8C+EQ==,type:str] - attic: ENC[AES256_GCM,data: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,iv:K7zh3b9i9qBTCb6UUIwrFZl3K+td0vafUw/R2JAmckE=,tag:a44Skw4jhlkOfkkkSy5ltA==,type:str] rspamd: dkim: darkkirb.de: ENC[AES256_GCM,data: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,iv:LhtgzfLhkBUsZcEF5oBrUQJLeMkdSN97H9rp8fRdG2g=,tag:vTyG6L9n9LwNe94UNkLyhA==,type:str] 
@@ -86,8 +85,8 @@ sops: UDRmejBFNTVxeTF6aVFta09OS25uNXcKizOsV9EUukinCAwvpZVrk9x0aXTKQckd gGfdCEU0HZXhZg+ikDFzy52+vPo8+gInjscXiXr/gGn6dJoctLqQXA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-29T12:29:47Z" - mac: ENC[AES256_GCM,data:Rap4mZqwBEGJ3rOuMV7yGmRoERedw5hUEOF/jm34qQGIqXnkuQ0TgEK0lXEo+2W1UY0xZYlN/CPz7oej4Tl4iRL3JhVngMotSuV6gNTt5PE67fac2WOlQFQrJynZV9eD4IZahb4aOSO+Vw04RoIFgOZmle5af8vkXVflJmEJhXU=,iv:ovBe3BhEDX3V9X6kQaplYbnoGMseIuDMfX+O+keSgRc=,tag:06V+VODklrJA3VUT+Q1b4A==,type:str] + lastmodified: "2023-11-03T13:29:28Z" + mac: ENC[AES256_GCM,data:r1peL6D9MIP2UAuQzaX+Tj0wnVZq8ompReOuwMtVEM8yRi5tmF4X5brHOHFURyyPk8AuPVM+Bc3mMw5zoshn/eAFredhAMegA86H0HVri34mxoY8wkVeWWHTqi7QtnudeZMlXn+SPjgsC+d6WYvHEYmI7/VS1XV3cNtVaCmWqd4=,iv:2lQqsryjhMnA7sH1DPRBBYYWrxZeO9QBzRLuob/U0r0=,tag:bsVJh6FH64FoP7GWKpanDA==,type:str] pgp: - created_at: "2023-02-18T08:54:32Z" enc: | @@ -101,4 +100,4 @@ sops: -----END PGP MESSAGE----- fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD unencrypted_suffix: _unencrypted - version: 3.8.0 + version: 3.8.1 diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix index 3bfae0bf..9a8da461 100644 --- a/zones/chir.rs.nix +++ b/zones/chir.rs.nix @@ -144,7 +144,7 @@ with dns.lib.combinators; let SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 39; + serial = 40; }; NS = [ "ns1.chir.rs." @@ -239,7 +239,7 @@ with dns.lib.combinators; let akko = createZone {}; peertube = createZone {}; mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."]; - attic = createFullZone {}; + attic.CNAME = ["cache-chir-rs.b-cdn.net."]; cloud = createZone oracleBase; lotte.CNAME = ["lotte-chir-rs.b-cdn.net."]; lotte-nocdn = createZone {};
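Review bot: In the zones/chir.rs.nix hunk the CDN record is added under the existing `attic` name, while every substituter changed in this commit points at `https://cache.chir.rs/`. Unless a `cache` record exists elsewhere in this zone (not visible in the hunk), the new URL will not resolve, and `attic.chir.rs` now serves the bucket through the CDN instead. If a rename was intended, a line such as `cache.CNAME = ["cache-chir-rs.b-cdn.net."];` is what I would expect here, with the `attic` record removed once no client references it.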