switch away from attic #245

Merged
DarkKirb merged 1 commit from switch-away-from-attic into main 2023-11-04 18:20:07 +00:00
18 changed files with 228 additions and 271 deletions


@ -15,7 +15,7 @@ jobs:
nix_path: nixpkgs=channel:nixos-unstable
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs/ https://hydra.chir.rs/
substituters = https://cache.nixos.org/ https://cache.chir.rs/ https://hydra.chir.rs/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= chir-rs:/iTDNHmQw1HklELHTBAVDFVAFaJ3ACGu3eezVUtplKc=
experimental-features = nix-command flakes
- name: update flake lock
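Review bot: The `trusted-public-keys` line stays as it was while the substituter changes from the attic endpoint to `https://cache.chir.rs/`, and nothing visible here shows which of `nixcache:` and `chir-rs:` signs paths in the new store. If one of them was used only by the retired attic cache, it should be dropped from this line, because a key that remains trusted keeps authorising any path signed with it even after its service is gone. The same check applies to the `nix.settings` hunk that ends at `trusted-public-keys = [`, whose key list is outside the visible lines. The workflow step continues outside this hunk.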


@ -15,7 +15,6 @@
./services/named-submissive.nix
./services/shitalloverme.nix
./users/remote-build.nix
./services/atticd.nix
./services/minecraft.nix
./services/postgres.nix
./services/nextcloud.nix


@ -119,7 +119,7 @@
];
hardware.enableRedistributableFirmware = true;
nix.settings.substituters = lib.mkForce [
"https://attic.chir.rs/chir-rs/"
"https://cache.chir.rs/"
"https://cache.nixos.org/"
"https://beam.attic.rs/riscv"
"https://cache.ztier.in"


@ -3,7 +3,6 @@
lib,
config,
system,
attic,
...
}: {
imports = [
@ -17,7 +16,7 @@
require-sigs = true;
builders-use-substitutes = true;
substituters = [
"https://attic.chir.rs/chir-rs/"
"https://cache.chir.rs/"
"https://hydra.int.chir.rs"
];
trusted-public-keys = [


@ -31,7 +31,6 @@
./services/rspamd.nix
./wireguard/public-server.nix
./services/shitalloverme.nix
./services/atticd.nix
./services/wordpress.nix
./services/initrd-ssh.nix
./services/chir-rs.nix


@ -1,62 +0,0 @@
{
attic,
config,
lib,
nix-packages,
system,
pkgs,
...
}: {
imports = [attic.nixosModules.atticd];
services.atticd = {
enable = true;
package = attic.packages.${system}.attic-server;
credentialsFile = config.sops.secrets."services/attic".path;
settings = {
listen = "[::1]:57448";
allowed-hosts = ["attic.chir.rs"];
api-endpoint = "https://attic.chir.rs/";
database = lib.mkForce {};
storage = {
type = "s3";
region = "us-east-1";
bucket = "attic-chir-rs";
endpoint = "https://ams1.vultrobjects.com/";
};
compression = {
type = "zstd";
level = 12;
};
chunking = {
nar-size-threshold = 131072;
min-size = 65536;
avg-size = 131072;
max-size = 262144;
};
garbage-collection.default-retention-period = "3 months";
};
};
sops.secrets."services/attic" = {};
services.postgresql.ensureDatabases = [
"attic"
];
services.postgresql.ensureUsers = [
{
name = "attic";
ensurePermissions = {
"DATABASE attic" = "ALL PRIVILEGES";
};
}
];
services.caddy.virtualHosts."attic.chir.rs" = {
useACMEHost = "chir.rs";
logFormat = lib.mkForce "";
extraConfig = ''
import baseConfig
reverse_proxy http://[::1]:57448 {
trusted_proxies private_ranges
}
'';
};
}


@ -1,6 +1,5 @@
{
system,
attic,
lib,
config,
pkgs,
@ -77,6 +76,7 @@ in {
</prometheus>
</hydra_notify>
binary_cache_secret_key_file = ${config.sops.secrets."services/hydra/cache-key".path}
store_uri = s3://cache-chir-rs?scheme=https&endpoint=ams1.vultrobjects.com&secret-key=${config.sops.secrets."services/hydra/cache-key".path}&multipart-upload=true&compression=zstd&compression-level=15
<git-input>
timeout = 3600
</git-input>
@ -115,7 +115,7 @@ in {
sops.secrets."services/hydra/aws_credentials" = {
owner = "hydra-queue-runner";
path = "/var/lib/hydra/queue-runner/.aws/credentials";
restartUnits = ["hydra-notify.service"];
restartUnits = ["hydra-notify.service" "hydra-queue-runner.service"];
};
systemd.services.update-hydra-hosts = {
description = "Update hydra hosts";
@ -152,38 +152,25 @@ in {
chown -Rv hydra-queue-runner /var/lib/hydra/queue-runner
ln -svf ${sshConfig} /var/lib/hydra/queue-runner/.ssh/config
'';
sops.secrets."attic/config.toml" = {
owner = "hydra-queue-runner";
key = "attic/config.toml";
path = "/var/lib/hydra/queue-runner/.config/attic/config.toml";
};
systemd.services."upload-hydra-results" = {
description = "Upload hydra build results";
systemd.services.clean-s3-cache = let
clean-cache = pkgs.callPackage ../../packages/clean-s3-cache.nix {};
in {
enable = true;
description = "Clean up S3 cache";
serviceConfig = {
Type = "oneshot";
ExecStart = "${clean-cache}/bin/clean-s3-cache.py";
User = "hydra-queue-runner";
Group = "hydra";
};
script = ''
set -ex
if [ -e /var/lib/hydra/queue-runner/uploading ]; then
cat /var/lib/hydra/queue-runner/uploading | xargs ${attic.packages.${system}.attic-client}/bin/attic push chir-rs
rm /var/lib/hydra/queue-runner/uploading
fi
mv /var/lib/hydra/queue-runner/upload-queue /var/lib/hydra/queue-runner/uploading
cat /var/lib/hydra/queue-runner/uploading | xargs ${attic.packages.${system}.attic-client}/bin/attic push chir-rs
rm /var/lib/hydra/queue-runner/uploading
'';
};
systemd.timers.upload-hydra-results = {
systemd.timers.clean-s3-cache = {
enable = true;
description = "Upload hydra build results";
requires = ["upload-hydra-results.service"];
description = "Clean up S3 cache";
requires = ["clean-s3-cache.service"];
wantedBy = ["multi-user.target"];
timerConfig = {
OnBootSec = 300;
OnUnitActiveSec = 300;
OnUnitActiveSec = 604800;
};
};
}
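Review bot: `requires = ["clean-s3-cache.service"];` on the new timer makes systemd start the cleanup service whenever the timer unit itself is started, so with `wantedBy = ["multi-user.target"]` the deletion pass would run at every boot or activation as well as on the `OnBootSec`/`OnUnitActiveSec` schedule. A timer already activates the service of the same name, so the line can be dropped, and `wantedBy = ["timers.target"];` is the conventional target. Since the job deletes objects from the shared cache, presumably with the queue runner's credentials, it would also help to add a comment on the service stating that retention is decided by what exists in this host's `/nix/store`. The surrounding attribute set starts outside the hunk.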


@ -65,7 +65,7 @@
{
name = "nextcloud";
ensurePermissions = {
"DATABASE attic" = "ALL PRIVILEGES";
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
];


@ -1,41 +1,6 @@
{
"nodes": {
"attic": {
"inputs": {
"cargo2nix": [
"cargo2nix"
],
"crane": [
"crane"
],
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1694160842,
"narHash": "sha256-KqzSSagAay+qBhXlDGHc05dpio9PZ/ZFVmQcuJum/qU=",
"owner": "DarkKirb",
"repo": "attic",
"rev": "9460d742caf366a1f999936dacd4d6e9274d956b",
"type": "github"
},
"original": {
"owner": "DarkKirb",
"repo": "attic",
"type": "github"
}
},
"attic_2": {
"inputs": {
"crane": [
"nixos-config-for-netboot",
@ -70,36 +35,6 @@
}
},
"cargo2nix": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1691655399,
"narHash": "sha256-hVfFMu27OMaUPxpyovnxYNrzDYFCbQaFu+XCAIPeoAk=",
"owner": "DarkKirb",
"repo": "cargo2nix",
"rev": "1a37221e07295f7d5a8842717e94229af72f1c20",
"type": "github"
},
"original": {
"owner": "DarkKirb",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"cargo2nix_2": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": [
@ -244,35 +179,6 @@
}
},
"crane": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1674934931,
"narHash": "sha256-TmGfRDBK7EkR0VY8Jr0WU4WdyzZxiXDGVGUzIXPFXRI=",
"owner": "DarkKirb",
"repo": "crane",
"rev": "42c3f329daa267857c6bc6d21c9eec468e97e2d7",
"type": "github"
},
"original": {
"owner": "DarkKirb",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils": [
@ -1154,11 +1060,11 @@
},
"nixos-config-for-netboot": {
"inputs": {
"attic": "attic_2",
"cargo2nix": "cargo2nix_2",
"attic": "attic",
"cargo2nix": "cargo2nix",
"chir-rs": "chir-rs_2",
"colorpickle": "colorpickle",
"crane": "crane_2",
"crane": "crane",
"dns": "dns_2",
"emanote": "emanote",
"flake-parts": "flake-parts_2",
@ -1368,10 +1274,7 @@
},
"root": {
"inputs": {
"attic": "attic",
"cargo2nix": "cargo2nix",
"chir-rs": "chir-rs",
"crane": "crane",
"dns": "dns",
"firefox": "firefox",
"flake-compat": "flake-compat",
@ -1388,7 +1291,6 @@
"nixos-hardware": "nixos-hardware_2",
"nixpkgs": "nixpkgs_4",
"nur": "nur_2",
"rust-overlay": "rust-overlay_2",
"sops-nix": "sops-nix_2",
"systems": "systems_2",
"treefmt-nix": "treefmt-nix_2"
@ -1419,29 +1321,6 @@
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1698891127,
"narHash": "sha256-HuhQGsvBX1CdD+wvyK7J8aANYxvABhkPsiY97aT4+/w=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "6bc508466396bc6e24a7e4236ece9cb95b72582e",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [


@ -4,22 +4,6 @@ rec {
# Use NixOS unstable
inputs = {
# Sorted by name
attic = {
url = "github:DarkKirb/attic";
inputs.cargo2nix.follows = "cargo2nix";
inputs.crane.follows = "crane";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
inputs.rust-overlay.follows = "rust-overlay";
};
cargo2nix = {
url = "github:DarkKirb/cargo2nix/release-0.11.0";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
inputs.rust-overlay.follows = "rust-overlay";
};
chir-rs = {
url = "github:DarkKirb/chir.rs";
inputs.flake-parts.follows = "flake-parts";
@ -29,13 +13,6 @@ rec {
inputs.systems.follows = "systems";
inputs.treefmt-nix.follows = "treefmt-nix";
};
crane = {
url = "github:DarkKirb/crane";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
inputs.rust-overlay.follows = "rust-overlay";
};
dns = {
url = "github:DarkKirb/dns.nix";
inputs.flake-utils.follows = "flake-utils";
@ -94,11 +71,6 @@ rec {
nixos-hardware.url = "github:NixOS/nixos-hardware";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nur.url = "github:nix-community/NUR";
rust-overlay = {
url = "github:oxalica/rust-overlay";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";


@ -9,7 +9,6 @@ args: self: prev: let
in {
pandoc = self.writeScriptBin "pandoc" "true";
inherit (pkgsX86) nix;
inherit (args.attic.packages.x86_64-linux) attic-client;
bind = prev.bind.overrideAttrs (_: {
doCheck = false;
doInstallCheck = false;


@ -0,0 +1,17 @@
{
writeTextFile,
python3,
python3Packages,
}: let
environment = python3.buildEnv.override {
extraLibs = with python3Packages; [
boto3
];
};
in
writeTextFile {
name = "clean-s3-cache.py";
executable = true;
destination = "/bin/clean-s3-cache.py";
text = builtins.replaceStrings ["#SHEBANG#"] ["${environment}/bin/python"] (builtins.readFile ./clean-s3-cache.py);
}

180
packages/clean-s3-cache.py Normal file

@ -0,0 +1,180 @@
#!#SHEBANG#
import asyncio
from concurrent.futures import ThreadPoolExecutor
import functools
from typing import Any, AsyncIterable, Awaitable, Callable, Optional, TypeVar, cast
from os import path, listdir
import json
import boto3
from botocore.response import StreamingBody
ENDPOINT_URL: str = "https://ams1.vultrobjects.comk"
BUCKET_NAME: str = "cache-chir-rs"
executor: ThreadPoolExecutor = ThreadPoolExecutor()
F = TypeVar('F', bound=Callable[..., Any])
T = TypeVar('T')
def with_backoff(
f: Callable[..., Awaitable[T]]) -> Callable[..., Awaitable[T]]:
async def with_backoff_wrapper(*args: Any, **kwargs: Any) -> T:
last_delay = 2
while True:
try:
return await f(*args, **kwargs)
except Exception as e:
print(f"{e}")
if last_delay >= 120:
raise
await asyncio.sleep(last_delay)
last_delay *= last_delay
return with_backoff_wrapper
def aio(f: Callable[..., T]) -> Callable[..., Awaitable[T]]:
async def aio_wrapper(*args: Any, **kwargs: Any) -> T:
f_bound: Callable[[], T] = functools.partial(f, *args, **kwargs)
loop: asyncio.AbstractEventLoop = asyncio.get_running_loop()
return await loop.run_in_executor(executor, f_bound)
return aio_wrapper
@aio
def exists_locally(store_path: str) -> bool:
return path.exists(store_path)
class NarInfo(object):
def __init__(self, narinfo: str) -> None:
self.compression = "bzip2"
for narinfo_line in narinfo.splitlines():
key, value = narinfo_line.split(": ", 1)
if key == "StorePath":
self.store_path = value
elif key == "URL":
self.url = value
elif key == "Compression":
self.compression = value
elif key == "FileHash":
self.file_hash = value
elif key == "FileSize":
self.file_size = int(value)
elif key == "NarHash":
self.nar_hash = value
elif key == "NarSize":
self.nar_size = int(value)
elif key == "References":
self.references = value.split()
elif key == "Deriver":
self.deriver = value
elif key == "System":
self.system = value
elif key == "Sig":
self.sig = value
elif key == "CA":
self.ca = value
async def exists_locally(self) -> bool:
return await exists_locally(self.store_path)
s3 = boto3.client("s3", endpoint_url=ENDPOINT_URL)
@with_backoff
@aio
def get_object(Key: str) -> str:
obj = s3.get_object(Bucket=BUCKET_NAME, Key=Key)
if "Body" not in obj:
raise Exception("No Body")
if isinstance(obj["Body"], StreamingBody):
return obj["Body"].read().decode("utf-8")
raise Exception("Not StreamingBody")
async def list_cache_objects() -> AsyncIterable[str]:
@with_backoff
@aio
def list_objects_v2(ContinuationToken: Optional[str]) -> dict[str, Any]:
if ContinuationToken != None:
return s3.list_objects_v2(Bucket=BUCKET_NAME,
ContinuationToken=ContinuationToken)
else:
return s3.list_objects_v2(Bucket=BUCKET_NAME)
cont_token = None
while True:
objs = await list_objects_v2(cont_token)
if "Contents" not in objs:
raise Exception("No Contents")
if isinstance(objs["Contents"], list):
for obj in cast(list[Any], objs["Contents"]):
if not isinstance(obj, dict):
raise Exception("Not dict")
obj = cast(dict[str, Any], obj)
yield obj["Key"]
if "NextContinuationToken" not in objs:
break
cont_token = objs["NextContinuationToken"]
@with_backoff
@aio
def delete_object(key: str) -> None:
s3.delete_object(Bucket=BUCKET_NAME, Key=key)
def get_store_hashes() -> set[str]:
hashes = set()
for obj in listdir("/nix/store"):
hashes.add(obj.split("-")[0])
return hashes
async def main() -> None:
store_hashes = get_store_hashes()
nars_to_delete = set()
nars_to_keep = set()
async for obj_key in list_cache_objects():
if obj_key.endswith(".narinfo"):
# check if we have the hash locally
narinfo = await get_object(obj_key)
narinfo = NarInfo(narinfo)
if not await narinfo.exists_locally():
print(f"Found unused NAR for {narinfo.store_path}")
await delete_object(obj_key)
nars_to_delete.add(narinfo.url)
else:
nars_to_keep.add(narinfo.url)
if obj_key.startswith("realisations/"):
realisation = await get_object(obj_key)
realisation = json.loads(realisation)
if not isinstance(realisation, dict):
continue
if "outPath" not in realisation:
continue
if not await exists_locally("/nix/store/" +
realisation["outPath"]):
print(f"Found unused realisation for {realisation['outPath']}")
await delete_object(obj_key)
if obj_key.startswith("nar/"):
nars_to_delete.add(obj_key)
for nar in nars_to_delete:
if nar in nars_to_keep:
continue
print(f"Deleting unused NAR {nar}")
await delete_object(nar)
if __name__ == "__main__":
asyncio.get_event_loop().run_until_complete(main())
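Review bot: `ENDPOINT_URL` is set to `"https://ams1.vultrobjects.comk"`, while the Nix files in this change use `ams1.vultrobjects.com`; the trailing `k` looks like a typo and every S3 call would fail to resolve, so the line should read `ENDPOINT_URL: str = "https://ams1.vultrobjects.com"`. In `with_backoff`, `last_delay *= last_delay` squares the delay (2, 4, 16, 256) rather than doubling it, and the wrapper retries every exception type; `last_delay *= 2` matches the usual pattern. In `main`, every `nar/` key is queued for deletion unless a listed `.narinfo` that exists locally references it, so if a NAR is written before its narinfo, a run that overlaps a Hydra upload could remove a NAR that is about to be referenced; skipping recently modified objects or pausing the queue runner during the pass would avoid that. `get_store_hashes` is defined but not called.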


@ -1,8 +0,0 @@
#!/usr/bin/env bash
set -euf
export IFS=' '
export XDG_CONFIG_HOME=/home/runner/.config
until /nix/var/nix/profiles/default/bin/nix run 'github:DarkKirb/nix-packages#attic-client' -- push chir-rs $OUT_PATHS; do
sleep 5
echo "Retrying..."
done


@ -15,7 +15,6 @@ services:
private_key: ENC[AES256_GCM,data:E2BWj1/dBHJ47NhqUkEAbbkI3nPWmNM5XoD5ZBu40lBv9xvPxP9SCbLQdFMcxNY/Xew91OZL8NvlNxk=,iv:X6V0YFmkWA6C5j7REFijZt8/gNfB2wHT6U8/iSjLAFA=,tag:DF3ZyQlYLUXBxmnfqoNYnw==,type:str]
ipfs:
access_grant: ENC[AES256_GCM,data:WFWKgRf4VG0fViy9hSvRclwxQxICoV94eOpaVjGv6HJ/SeHLF2FaXG9PPNvU35JsNrWQhovYK33QPqE9IV6rgoo7xtH7FYlr91YYJ6a/x4SQnkIu5aUYIpsTk+I97T/5gfLJZK2Sr05lrnCBth5F2eu+ITILt8AUizrqLLW+KWpeCkzz6G8pJGwnOqp/CIDkTCybgnzM0piF4F0lVukAjnrUhYGR3szi8zpy6ZSQHFvXgz37DfEaTgcJlt/tx/xozkSor+KweXHDA71d1nugQ1p7DhLdP4rpm7PrdfZmwc56p2OkK15jdDPeOTBpOWvFt+wdPKR4PMfwYFHO5adE8ZNkdBafICtrdEV552qkTZ4LDYqY9qCi0tKU3TbuArxKoMPshoiaeqEuP2itPsZonqYVv9CXeOLSlA==,iv:NU4rJgOTg6SPOCiYvOqQH0w9i3aJR8IvfNcm+eykoVI=,tag:/LRTOtGRd/Y9QJlK0X1jvA==,type:str]
attic: ENC[AES256_GCM,data:rGWQ12Qbl4A7FYBOultw2lPQvmuH6FGF0FrOSZezLhWEaPE0HQcFZAtTRnp/mPDO2hdDWW8KQrbCYDgOvf62VO60CE7iuAy8b7VYsGyXs69fNrrKWyLkAaVR5pmMXXVq2eooqfxFh7FAtzr19BvRZO0nZndnw6SaDc1WZsJifdQG7YOXnUulKOHvbiSMaisc+QEOZJ8FmYN0524dd4fIFYWTNbf80i2SCyEudrgzPV0S+spFMQ0Cg/p2KL42ly3Lljm7yxNDYA3fEgp/8cEm91/VaHTp7YqaP+S+70JJfwpL8CdokpuG7Tp6hALwGpYiKYB+875fmGeiBF4qlTxdmC/dkMSCmxzVxNptYT3oOqpbWnB+K4W30g+dlFMyJiG1s0EIckG7tQidBo5pd/543qP2GvoN0JcQW9juxNqv51wa8TqC4GLGoz9V2GbAckxvephRtq2pcwxx/5MVrZCumGHin2hEwdCmKhsCVTXuEtFZwt+0kpSF,iv:eh5t4CENtUt5wkdIRQkwMCDcraBi6xHeIe/h8bDl1SY=,tag:2YAJMlBdI0DcK93F9m/QYg==,type:str]
ssh:
host-key: ENC[AES256_GCM,data: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,iv:mnW23zPiSDoluMjQJEUFHDkVO6IT/4+RgAlaKuie3Qw=,tag:F+KOH/MkjrF1wYCR9OzFkQ==,type:str]
nextcloud:
@ -52,8 +51,8 @@ sops:
bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-28T18:49:48Z"
mac: ENC[AES256_GCM,data:aFZwrPUeO+6iDeJMSQRbzlQvtpSgINVped/ZSucbVrijTvKzetUtO1URZl6WreZxE/NSqAuJr5oOWOsAVmQHuARhbsqfVXLykc/m+L6a9e4mQbiTjAVZh9AmZNnrunIv5rpn1BVZSjYa31UQC/VWnuqsCCmeyQEfEu14sUVrH/U=,iv:jp5k+qmNwMAt29/kRACkhPwl3ISFvJjbHupsCVDyhZM=,tag:0ISIGuQ7BO63Mh6O+Wqvow==,type:str]
lastmodified: "2023-11-03T13:29:07Z"
mac: ENC[AES256_GCM,data:cHdS1omrtgqyOECJtcuekU90i7zVeiyJIYLr7FZ88G2dRSn3UGhu8vFE3m/7M7kt5we9UU4lY158FOqF0BL9Sei61eOY8qCT7KiqX5jhKf1a6zAdzBG2rgipmG0dTopKthm+CtwX8FLF9tRnumUlQgMqUGymtgf3vcbrWwbkhsU=,iv:+qX3eWASW+MHReZbyr+W/yZfmGgW1k/7wCFVe/EH6AU=,tag:yH7nSk/xYCuVVHnB9nnm8A==,type:str]
pgp:
- created_at: "2022-12-14T15:34:13Z"
enc: |
@ -67,4 +66,4 @@ sops:
-----END PGP MESSAGE-----
fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
unencrypted_suffix: _unencrypted
version: 3.8.0
version: 3.8.1


@ -8,7 +8,7 @@ services:
cache-key: ENC[AES256_GCM,data:359HiOnMunY5vQowyl79OOYX7ELs1jGkyCMjvuUXUaVnPWu/Nui5UM51O4VKD6+cLvVKyy5QXJxxOVfPO5DHL7gb+rlcbcusdBs8iCLaqlxD7yHqDE6FsncFSB7OqqUKNw==,iv:/NBm6p/vpurdhFzrN7HA9Tu13g6FbWREbKh4yNPryB4=,tag:xTs/KwTOgAQwaukU8+ek0A==,type:str]
gitea_token: ENC[AES256_GCM,data:v0Ej8841I1F/dK5ZplRzZlvngpueMQKspM5USzX9VkOEmpCs2NA3+Q==,iv:fZisAuyqk7ATFx6qHYkScUeS8SsikjiPzVovZjGnUYM=,tag:7+O+Sn7unPDy88a6T70Jmg==,type:str]
github_token: ENC[AES256_GCM,data:AWMeX+P8YHGpSuH+5KqvE9zNxkEPKGvdRaQjNysO4/XE4csGjCvmjA==,iv:MCRtws/SM7lWS2/2pp5tbeX7+I5h4LVd9bJp//ln9hs=,tag:LMEGWFAaOqH0fqfNgc87AQ==,type:str]
aws_credentials: ENC[AES256_GCM,data:yxJU6d6BMi+LHUPimMkgr5h6accGXQXxFu9A0swdwKII/Xfo4ALAw4J4aEhpnNuK8JwmzuuDdTDGnilzuEATeaANa2cNXps6AWw8Hem8idw585xTcU1YBEOdbBSs/mKK6S+Da1OU5jC1atrCCWY7cg==,iv:tAEGsniZ7N/jBp7btLlD1pNcF4NvEmpO6zXji1H29t8=,tag:lmAB3QMfaT3ljDmr+8IBHA==,type:str]
aws_credentials: ENC[AES256_GCM,data:TqfAEFfDEIicrI/qNEpHYI/cXw5OZ4z31eq05WTIQWxuyD01UfduuJeHlPNuzp7+cGVSExBUccNvVpwz7ivESoMLqiP459GfXert/SZi56fMZdOsfFxbl5x/ks71bamj5/qIXxQW0hqSOG8TwQNIMNQgAcA=,iv:HDXc7F+3WXnIfRL8rYxMnQPlfNLMYJAjKKjWVzIhNQ0=,tag:u+D+/YY+60TAEmhHMGoUwg==,type:str]
hostapd: ENC[AES256_GCM,data:KCOOPShBt6gs8TK0Ns6Kzw==,iv:haG+7w893r9w9XySav8n2MWIAOi8eehy61rQudpdjGU=,tag:yupv4fTLiOgTU7SKoAR3og==,type:str]
rspamd:
dkim:
@ -30,8 +30,6 @@ email:
password:
root: ENC[AES256_GCM,data:edK/dud41KmbX6v8Mxn1vVcaCwG0x4YhGjqLTw3oAigmwixTovz+4yUDrkjTQLb3/eMClqQJnjcJsRBv4chSu+UuNorKIsPM0IX9mkTmVH2soGmdPB21HXOXmisGu33oOyhyojbvlaWlFw==,iv:GiXRuhJVPgkAAp7OYufzXtHusnSPOfAP0ztdAtn14GE=,tag:nIOus2VvzE6d+r/aJOLCBw==,type:str]
darkkirb: ENC[AES256_GCM,data:vmI8B7PWeoKTwOywaGmJmD9gWb09eDcmchx241XrfNvT9QseuSElDTb3OajHornt/OFBPh7EtNi/y1BHF1+DZq0i1tmhYuJy24BLuCPH9VpCb5s5xZZCVtOC6w3qUGqIlLQHYN0Fp1Ap5A==,iv:KkcLQDJSDqeFr3gDByb66MOx8/PbpKpvM9Ym+KMB3jc=,tag:wLLOU4RhWnS+DDSOQLrLHA==,type:str]
attic:
config.toml: ENC[AES256_GCM,data:060O5ICRHpkfTIdrkrLjlJSFKh7HCcMuETkRwf8zSaPQO7NTYnX6nQjd0mYcWZvBPQF3l8cVovja19nKMQAUGTzkBxkpvfylG+UMAfxEpuwTzypyzBwLXQOZPXqdXoEKPu0ghx1nojF08CLALDMlM8J/I7KrlofmSWGO+7142EAhrf1ov5IFmfHBn1vJvfa9aSVKnYDXmMpimO8zxc876YiBiHPe9srTpAlyOu/aOiev0fRmZfWGt7X7/lBap1AcDZFvoe/8Hs0Nb1GSE4ZW9WLPBMFigGK10fCgmlk8rTkaXTNCdZ/yJ24lugganFwssET6HBS/nmDLLMjPkZ0n+6U+JdDcRtXQXq9nwFG9TpMvX9i9K1z24F1/maQ2qUS0OB/YQ/pADLJt/xYfuzfB70FHpN2YYn2Lcmup3xKvbfAL9BFJCA==,iv:3wCOLgoqKoycuitBrQCccRRYulfrhI0a5K8vARU2MM4=,tag:/Zggqm+3CCcUwyc9ubhqcA==,type:str]
sops:
kms: []
gcp_kms: []
@ -47,8 +45,8 @@ sops:
WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5
2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-02T17:25:38Z"
mac: ENC[AES256_GCM,data:iu4NhBQHLTuGAG70rSedcI2cwwDZpzLu18cIxO9JaVRWVanDoYTDXd9sDC7H8oBOmLnypYpXc4kOMCwsY9475W+Yi3HxHWlkcWAPWxAsJL5nIkC7Q9CwrwSCpwtsPyebsLzl299lYPjsNsLpQ6ft/GWnwAn5ISIkKV91k9hduz0=,iv:IB8YVkok7NrX2ayu2iQcwzsP/Tl+WXxjfvQ/1DkRUlk=,tag:z2tlvGWpEbXFrCmuKwUdbA==,type:str]
lastmodified: "2023-11-03T13:33:44Z"
mac: ENC[AES256_GCM,data:CUi7/JEP6LerZ1SKYt4nEJQNbLs6iLK4U758qFXCpLkHBX2DA7wpu2HQ98SXkfQYHNOmoH/2LhCd+Am+UixnzmTZPXol7zntO3zSrjLQh208Cpp7lYO+sDFLOJqijjth1n6c4dri5yaXJwHLQn/iLZR0Ktespl38RotWnaQ597A=,iv:K6nhBEpagZSrTVfFiS1iGC/K691yxrdFP/sqoMZvWO0=,tag:7N10AC167RoG2qKUH11g5g==,type:str]
pgp:
- created_at: "2022-04-24T10:34:20Z"
enc: |
@ -62,4 +60,4 @@ sops:
-----END PGP MESSAGE-----
fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.1


@ -11,7 +11,6 @@ services:
chir-rs:
database-password: ENC[AES256_GCM,data:6c8Ey39Lh/MoCJakEGpNFyueH+RAs//HXPKExrsiXiU=,iv:YmajjfpoaTHlbv5VhCk36jgfDetCKOTMqrmMGzXvitc=,tag:eQq7P92TR0txNk161gUUKA==,type:str]
signup-secret: ENC[AES256_GCM,data:rLpC7HdhTSkDNeRau5iOvicDxeHJC9R3aRIVe65xysQ=,iv:Pm/+ZXWJCtN4Bq87hPaXco78C/cwD7cdCJmApDpS6iA=,tag:NL4T35lL+xauva72f8C+EQ==,type:str]
attic: ENC[AES256_GCM,data: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,iv:K7zh3b9i9qBTCb6UUIwrFZl3K+td0vafUw/R2JAmckE=,tag:a44Skw4jhlkOfkkkSy5ltA==,type:str]
rspamd:
dkim:
darkkirb.de: ENC[AES256_GCM,data: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,iv:LhtgzfLhkBUsZcEF5oBrUQJLeMkdSN97H9rp8fRdG2g=,tag:vTyG6L9n9LwNe94UNkLyhA==,type:str]
@ -86,8 +85,8 @@ sops:
UDRmejBFNTVxeTF6aVFta09OS25uNXcKizOsV9EUukinCAwvpZVrk9x0aXTKQckd
gGfdCEU0HZXhZg+ikDFzy52+vPo8+gInjscXiXr/gGn6dJoctLqQXA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-29T12:29:47Z"
mac: ENC[AES256_GCM,data:Rap4mZqwBEGJ3rOuMV7yGmRoERedw5hUEOF/jm34qQGIqXnkuQ0TgEK0lXEo+2W1UY0xZYlN/CPz7oej4Tl4iRL3JhVngMotSuV6gNTt5PE67fac2WOlQFQrJynZV9eD4IZahb4aOSO+Vw04RoIFgOZmle5af8vkXVflJmEJhXU=,iv:ovBe3BhEDX3V9X6kQaplYbnoGMseIuDMfX+O+keSgRc=,tag:06V+VODklrJA3VUT+Q1b4A==,type:str]
lastmodified: "2023-11-03T13:29:28Z"
mac: ENC[AES256_GCM,data:r1peL6D9MIP2UAuQzaX+Tj0wnVZq8ompReOuwMtVEM8yRi5tmF4X5brHOHFURyyPk8AuPVM+Bc3mMw5zoshn/eAFredhAMegA86H0HVri34mxoY8wkVeWWHTqi7QtnudeZMlXn+SPjgsC+d6WYvHEYmI7/VS1XV3cNtVaCmWqd4=,iv:2lQqsryjhMnA7sH1DPRBBYYWrxZeO9QBzRLuob/U0r0=,tag:bsVJh6FH64FoP7GWKpanDA==,type:str]
pgp:
- created_at: "2023-02-18T08:54:32Z"
enc: |
@ -101,4 +100,4 @@ sops:
-----END PGP MESSAGE-----
fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
unencrypted_suffix: _unencrypted
version: 3.8.0
version: 3.8.1


@ -144,7 +144,7 @@ with dns.lib.combinators; let
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 39;
serial = 40;
};
NS = [
"ns1.chir.rs."
@ -239,7 +239,7 @@ with dns.lib.combinators; let
akko = createZone {};
peertube = createZone {};
mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
attic = createFullZone {};
attic.CNAME = ["cache-chir-rs.b-cdn.net."];
cloud = createZone oracleBase;
lotte.CNAME = ["lotte-chir-rs.b-cdn.net."];
lotte-nocdn = createZone {};
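Review bot: No `cache` record appears in either hunk, although the substituter URLs changed elsewhere in this commit point at `cache.chir.rs`; it may already exist outside the visible lines, but that is worth confirming before the serial bump ships. The `attic` name is kept and repointed at `cache-chir-rs.b-cdn.net.`; if it stays only for clients that still have the old URL, a comment such as `# legacy alias for the retired attic cache, remove together with the CDN pull zone` would help, since a CNAME left pointing at a third-party zone that has been deleted can be claimed by someone else. The zone definition continues outside both hunks.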