DGNum/infrastructure
9
5
Fork 3
Code Issues 31 Pull requests 30 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:snmp-pdu
DGNum:fix-nimbolus
DGNum:lon/proxmox-nixos
DGNum:lon/nixos-unstable
DGNum:lon/nixos-25.05
DGNum:lon/nixos-24.11
DGNum:lon/disko
DGNum:ntfy-monitoring
DGNum:disko-remove
DGNum:declarative-buckets
DGNum:nixos-25.05
DGNum:vault01-isp
DGNum:lix-diff
DGNum:zulip
DGNum:netbird-relay
DGNum:demarches01
DGNum:hackdays-ap
DGNum:raito/zulip
DGNum:staging-cas
DGNum:mattermost
DGNum:feature/hackdays01
DGNum:by-name
DGNum:www-eleves
DGNum:audit
DGNum:testing02
DGNum:openwrt-exporter
DGNum:ban_git_scrappers
DGNum:meta-isp
DGNum:mdebray/ap-dev
DGNum:ap-poc-v01
DGNum:hypervisor
DGNum:victoria-metrics
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:hackdays2025
DGNum:poc-v1.0
..
compare: DGNum:testing02
Branches Tags
DGNum:snmp-pdu
DGNum:fix-nimbolus
DGNum:main
DGNum:lon/proxmox-nixos
DGNum:lon/nixos-unstable
DGNum:lon/nixos-25.05
DGNum:lon/nixos-24.11
DGNum:lon/disko
DGNum:ntfy-monitoring
DGNum:disko-remove
DGNum:declarative-buckets
DGNum:nixos-25.05
DGNum:vault01-isp
DGNum:lix-diff
DGNum:zulip
DGNum:netbird-relay
DGNum:demarches01
DGNum:hackdays-ap
DGNum:raito/zulip
DGNum:staging-cas
DGNum:mattermost
DGNum:feature/hackdays01
DGNum:by-name
DGNum:www-eleves
DGNum:audit
DGNum:testing02
DGNum:openwrt-exporter
DGNum:ban_git_scrappers
DGNum:meta-isp
DGNum:mdebray/ap-dev
DGNum:ap-poc-v01
DGNum:hypervisor
DGNum:victoria-metrics
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:hackdays2025
DGNum:poc-v1.0

1 commit
main ... testing02

Author SHA1 Message Date
sinavir
0609732735
feat(testing02): Init testing vm
Some checks failed
Check meta / check_meta (push) Failing after 15s
Details
Check workflows / check_workflows (push) Successful in 19s
Details
Check meta / check_dns (pull_request) Failing after 15s
Details
Check meta / check_meta (pull_request) Failing after 16s
Details
Run pre-commit on all files / pre-commit (push) Failing after 30s
Details
Check workflows / check_workflows (pull_request) Successful in 18s
Details
Build all the nodes / ap01 (pull_request) Failing after 35s
Details
Build all the nodes / bridge01 (pull_request) Failing after 55s
Details
Build all the nodes / build01 (pull_request) Failing after 56s
Details
Build all the nodes / cof02 (pull_request) Failing after 1m1s
Details
Build all the nodes / netaccess01 (pull_request) Failing after 20s
Details
Build all the nodes / netcore00 (pull_request) Failing after 21s
Details
Build all the nodes / netcore01 (pull_request) Failing after 21s
Details
Build all the nodes / netcore02 (pull_request) Failing after 20s
Details
Build all the nodes / geo01 (pull_request) Failing after 53s
Details
Build all the nodes / geo02 (pull_request) Failing after 53s
Details
Build all the nodes / hypervisor01 (pull_request) Failing after 53s
Details
Build all the nodes / hypervisor03 (pull_request) Failing after 49s
Details
Build all the nodes / hypervisor02 (pull_request) Failing after 54s
Details
Build all the nodes / compute01 (pull_request) Failing after 1m17s
Details
Build all the nodes / testing02 (pull_request) Failing after 40s
Details
Build the shell / build-shell (pull_request) Failing after 24s
Details
Run pre-commit on all files / pre-commit (pull_request) Failing after 30s
Details
Build all the nodes / storage01 (pull_request) Failing after 55s
Details
Build all the nodes / rescue01 (pull_request) Failing after 1m1s
Details
Build all the nodes / tower01 (pull_request) Failing after 54s
Details
Build all the nodes / vault01 (pull_request) Failing after 59s
Details
Build all the nodes / web02 (pull_request) Failing after 56s
Details
Build all the nodes / web03 (pull_request) Failing after 59s
Details
Build all the nodes / web01 (pull_request) Failing after 1m16s
Details
2025-04-22 18:57:56 +02:00
298 changed files with 10877 additions and 7754 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.forgejo/workflows/check-meta.yaml
View file

@ -2,13 +2,13 @@
# This file was automatically generated with nix-actions.
jobs:
check_dns:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options

6
.forgejo/workflows/check-workflows.yaml
View file

@ -2,12 +2,12 @@
# This file was automatically generated with nix-actions.
jobs:
check_workflows:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: "nix-shell -A check-workflows --run 'set -o pipefail\nset -o nounset\n
set -o errexit\n[ $(git status --porcelain | wc -l) -eq 0 ]'"
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:

456
.forgejo/workflows/eval-nodes.yaml
View file

@ -1,506 +1,248 @@
###
# This file was automatically generated with nix-actions.
jobs:
Jaccess01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: Jaccess01
NIX_SHOW_STATS: 1
name: Eval Jaccess01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build Jaccess01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache Jaccess01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
Jaccess04:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: Jaccess04
NIX_SHOW_STATS: 1
name: Eval Jaccess04
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build Jaccess04
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache Jaccess04
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
ap01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: ap01
NIX_SHOW_STATS: 1
name: Eval ap01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build ap01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache ap01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache ap01
run: nix-shell -A eval-nodes --run cache-node
bridge01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
NIX_SHOW_STATS: 1
name: Eval bridge01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build bridge01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache bridge01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
build01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: build01
NIX_SHOW_STATS: 1
name: Eval build01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build build01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache build01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache build01
run: nix-shell -A eval-nodes --run cache-node
cof02:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: cof02
NIX_SHOW_STATS: 1
name: Eval cof02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build cof02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache cof02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache cof02
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
NIX_SHOW_STATS: 1
name: Eval compute01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build compute01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache compute01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
NIX_SHOW_STATS: 1
name: Eval geo01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build geo01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache geo01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
NIX_SHOW_STATS: 1
name: Eval geo02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build geo02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache geo02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
hypervisor01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
NIX_SHOW_STATS: 1
name: Eval hypervisor01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build hypervisor01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache hypervisor01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
hypervisor02:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
NIX_SHOW_STATS: 1
name: Eval hypervisor02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build hypervisor02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache hypervisor02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
hypervisor03:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
NIX_SHOW_STATS: 1
name: Eval hypervisor03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build hypervisor03
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache hypervisor03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
iso:
runs-on: nix-infra
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netaccess01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: iso
NIX_SHOW_STATS: 1
name: Eval iso
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build iso
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
BUILD_NODE: netaccess01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache iso
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
krz01:
runs-on: nix-infra
name: Build and cache netaccess01
run: nix-shell -A eval-nodes --run cache-node
netcore00:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: krz01
NIX_SHOW_STATS: 1
name: Eval krz01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build krz01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
BUILD_NODE: netcore00
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache krz01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
lab-router01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: lab-router01
NIX_SHOW_STATS: 1
name: Eval lab-router01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build lab-router01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache lab-router01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache netcore00
run: nix-shell -A eval-nodes --run cache-node
netcore01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore01
NIX_SHOW_STATS: 1
name: Eval netcore01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build netcore01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache netcore01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache netcore01
run: nix-shell -A eval-nodes --run cache-node
netcore02:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore02
NIX_SHOW_STATS: 1
name: Eval netcore02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build netcore02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache netcore02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache netcore02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
NIX_SHOW_STATS: 1
name: Eval rescue01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build rescue01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache rescue01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
NIX_SHOW_STATS: 1
name: Eval storage01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build storage01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache storage01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
testing02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: testing02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache testing02
run: nix-shell -A eval-nodes --run cache-node
tower01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: tower01
NIX_SHOW_STATS: 1
name: Eval tower01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build tower01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache tower01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache tower01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
NIX_SHOW_STATS: 1
name: Eval vault01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build vault01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache vault01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
NIX_SHOW_STATS: 1
name: Eval web01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build web01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache web01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
NIX_SHOW_STATS: 1
name: Eval web02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build web02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache web02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
NIX_SHOW_STATS: 1
name: Eval web03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build web03
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache web03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
zulip01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: zulip01
NIX_SHOW_STATS: 1
name: Eval zulip01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build zulip01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache zulip01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:

7
.forgejo/workflows/eval-shell.yaml
View file

@ -2,16 +2,15 @@
# This file was automatically generated with nix-actions.
jobs:
build-shell:
runs-on: nix-infra
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache shell
run: "nix-shell -A eval-shell --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nnix-build-and-cache -A devShell'"
run: nix-shell -A eval-shell --run 'nix-build-and-cache -A devShell'
name: Build the shell
on:
pull_request:

21
.forgejo/workflows/lon-update.yaml
View file

@ -1,21 +0,0 @@
###
# This file was automatically generated with nix-actions.
jobs:
update:
runs-on: nix
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
LON_LABELS: bot
LON_LIST_COMMITS: true
LON_TOKEN: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
LON_USER_EMAIL: admins+lon-bot@dgnum.eu
LON_USER_NAME: DGNum [bot]
run: "nix-shell -A lon-update --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nlon bot forgejo'"
name: Update dependencies
on:
schedule:
- cron: 55 12 * * *

952
.forgejo/workflows/npins-update.yaml Normal file
View file

@ -0,0 +1,952 @@
###
# This file was automatically generated with nix-actions.
env:
GIT_AUTHOR_EMAIL: chores@mail.hubrecht.ovh
GIT_AUTHOR_NAME: HT Chores
GIT_COMMITTER_EMAIL: chores@mail.hubrecht.ovh
GIT_COMMITTER_NAME: HT Chores
jobs:
agenix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/agenix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update agenix'
GIT_UPDATE_BRANCH: npins-updates/agenix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update agenix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
arkheon:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/arkheon
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update arkheon'
GIT_UPDATE_BRANCH: npins-updates/arkheon
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update arkheon'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
cas-eleves:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/cas-eleves
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update cas-eleves'
GIT_UPDATE_BRANCH: npins-updates/cas-eleves
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update cas-eleves'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
cgroup-exporter:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update cgroup-exporter'
GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update cgroup-exporter'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
colmena:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/colmena
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update colmena'
GIT_UPDATE_BRANCH: npins-updates/colmena
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update colmena'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
dgsi:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/dgsi
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update dgsi'
GIT_UPDATE_BRANCH: npins-updates/dgsi
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update dgsi'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
disko:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/disko
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update disko'
GIT_UPDATE_BRANCH: npins-updates/disko
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update disko'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
dns_nix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/dns.nix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update dns.nix'
GIT_UPDATE_BRANCH: npins-updates/dns.nix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update dns.nix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
git-hooks:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/git-hooks
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update git-hooks'
GIT_UPDATE_BRANCH: npins-updates/git-hooks
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update git-hooks'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
kadenios:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kadenios
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kadenios'
GIT_UPDATE_BRANCH: npins-updates/kadenios
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update kadenios'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
kahulm:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kahulm
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kahulm'
GIT_UPDATE_BRANCH: npins-updates/kahulm
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update kahulm'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
kat-pkgs:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kat-pkgs'
GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update kat-pkgs'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
liminix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/liminix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update liminix'
GIT_UPDATE_BRANCH: npins-updates/liminix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update liminix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
linkal:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/linkal
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update linkal'
GIT_UPDATE_BRANCH: npins-updates/linkal
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update linkal'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
lix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/lix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update lix'
GIT_UPDATE_BRANCH: npins-updates/lix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update lix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
lix-module:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/lix-module
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update lix-module'
GIT_UPDATE_BRANCH: npins-updates/lix-module
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update lix-module'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
lon:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/lon
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update lon'
GIT_UPDATE_BRANCH: npins-updates/lon
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update lon'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
metis:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/metis
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update metis'
GIT_UPDATE_BRANCH: npins-updates/metis
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update metis'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
microvm_nix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/microvm.nix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update microvm.nix'
GIT_UPDATE_BRANCH: npins-updates/microvm.nix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update microvm.nix'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nix-actions:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-actions
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-actions'
GIT_UPDATE_BRANCH: npins-updates/nix-actions
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-actions'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nix-modules:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-modules
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-modules'
GIT_UPDATE_BRANCH: npins-updates/nix-modules
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-modules'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nix-pkgs:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-pkgs'
GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-pkgs'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
nix-reuse:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-reuse
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-reuse'
GIT_UPDATE_BRANCH: npins-updates/nix-reuse
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-reuse'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
nixos-24_05:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-24.05'
GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-24.05'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nixos-24_11:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-24.11'
GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-24.11'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nixos-generators:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-generators
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-generators'
GIT_UPDATE_BRANCH: npins-updates/nixos-generators
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-generators'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nixos-unstable:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-unstable'
GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-unstable'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
signal-irc-bridge:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update signal-irc-bridge'
GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update signal-irc-bridge'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
stateless-uptime-kuma:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update stateless-uptime-kuma'
GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update stateless-uptime-kuma'\n\n
# FIXME: ???????????\n# HACK: this correct the behavior of the following test\n\
# for some un-understandable reason\ngit help > /dev/null\nif [ ! -z
\"$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
wp4nix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/wp4nix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update wp4nix'
GIT_UPDATE_BRANCH: npins-updates/wp4nix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update wp4nix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
name: Update dependencies
on:
schedule:
- cron: 15 12 * * *

8
.forgejo/workflows/pre-commit.yaml
View file

@ -6,11 +6,11 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Check stage pre-commit
run: "nix-shell -A pre-commit --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npre-commit run --all-files --hook-stage pre-commit --show-diff-on-failure'"
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-commit --show-diff-on-failure'
- name: Check stage pre-push
run: "nix-shell -A pre-commit --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'"
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push

8
.gitattributes vendored
View file

@ -1,8 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
/.forgejo/workflows/*.yaml linguist-generated
/LICENSES/* linguist-vendored
/REUSE.toml linguist-generated
lon.lock linguist-generated

22
REUSE.toml
View file

@ -2,7 +2,7 @@ version = 1
[[annotations]]
SPDX-FileCopyrightText = "NONE"
SPDX-License-Identifier = "CC0-1.0"
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "**/lon.lock", "**/lon.nix", "patches/nixpkgs/403844.patch", "patches/colmena/0001-*", "pkgs/by-name/docuseal/rubyEnv/*", "pkgs/by-name/docuseal/deps.json", "pkgs/by-name/docuseal/yarn.lock"]
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "pkgs/by-name/docuseal/rubyEnv/*", "pkgs/by-name/docuseal/deps.json", "pkgs/by-name/docuseal/yarn.lock"]
precedence = "closest"
[[annotations]]
@ -14,19 +14,19 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/vault01/k-radius/packages/03-set-log-level.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/lix/02-fetchGit-locked.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2024 Maurice Debray <maurice.debray@dgnum.eu>"]
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch", "patches/nixpkgs/07-25.05-kanidm-groups-module.patch", "patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch"]
path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch"]
precedence = "closest"
[[annotations]]
@ -38,7 +38,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch", "patches/nixpkgs/06-netbird-dashboard.patch"]
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch"]
precedence = "closest"
[[annotations]]
@ -47,18 +47,18 @@ SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/krz01/ollama/all-nvcc-arch.patch", "machines/nixos/krz01/ollama/K80-support.patch", "machines/nixos/krz01/ollama/disable-git.patch", "machines/nixos/krz01/ollama/no-weird-microarch.patch", "machines/nixos/krz01/whisper/all-nvcc-arch.patch", "machines/nixos/krz01/whisper/no-weird-microarch.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "MIT"
path = "lib/colmena/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
SPDX-License-Identifier = "EUPL-1.2"
path = "**/npins/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [forgejo](https://codeberg.org/forgejo/forgejo) contributors"
SPDX-License-Identifier = "GPL-3.0-or-later"

2
bootstrap.nix
View file

@ -5,7 +5,7 @@
# SPDX-License-Identifier: EUPL-1.2
let
unpatchedSources = import ./lon.nix;
unpatchedSources = import ./npins;
pkgs = import unpatchedSources.nixos-unstable { overlays = [ ]; };

58
default.nix
View file

@ -11,10 +11,7 @@ in
sources ? bootstrap.sources,
pkgs ? import sources.nixos-unstable {
overlays = [
(self: super: {
lib = super.lib.extend bootstrap.overlays.lib;
lon = self.callPackage (sources.lon + "/nix/packages/lon.nix") { };
})
(_: super: { lib = super.lib.extend bootstrap.overlays.lib; })
];
},
}:
@ -40,6 +37,7 @@ let
stages = [ "pre-push" ];
settings.ignore = [
"**/lon.nix"
"**/npins"
];
};
@ -77,14 +75,6 @@ let
"REUSE.toml"
"shell.nix"
"**/lon.lock"
"**/lon.nix"
"patches/nixpkgs/403844.patch"
# Commit revert
"patches/colmena/0001-*"
# Docuseal
"pkgs/by-name/docuseal/rubyEnv/*"
"pkgs/by-name/docuseal/deps.json"
@ -102,7 +92,6 @@ let
"modules/nixos/dgn-backups/keys/*"
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file"
"modules/nixos/dgn-records/__arkheon-token_file"
"modules/nixos/dgn-s3/garage-*_file"
];
@ -117,11 +106,10 @@ let
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch"
"machines/nixos/vault01/k-radius/packages/03-set-log-level.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"machines/nixos/testing02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/lix/02-fetchGit-locked.patch"
"patches/nixpkgs/01-pretalx-environment-file.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
@ -133,8 +121,6 @@ let
path = [
"patches/nixpkgs/07-kanidm-groups-module.patch"
"patches/nixpkgs/08-kanidm-groups-pkgs.patch"
"patches/nixpkgs/07-25.05-kanidm-groups-module.patch"
"patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch"
];
copyright = [
"2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
@ -153,8 +139,6 @@ let
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
"patches/nixpkgs/02-action-validator.patch"
"machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"
"patches/nixpkgs/06-netbird-dashboard.patch"
];
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
}
@ -167,17 +151,6 @@ let
"2025 Lubin Bailly <lubin.bailly@dgnum.eu>"
];
}
{
path = [
"machines/nixos/krz01/ollama/all-nvcc-arch.patch"
"machines/nixos/krz01/ollama/K80-support.patch"
"machines/nixos/krz01/ollama/disable-git.patch"
"machines/nixos/krz01/ollama/no-weird-microarch.patch"
"machines/nixos/krz01/whisper/all-nvcc-arch.patch"
"machines/nixos/krz01/whisper/no-weird-microarch.patch"
];
copyright = "2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>";
}
# colmena wrapper
{
@ -185,6 +158,13 @@ let
license = "MIT";
}
# npins generated files
{
path = "**/npins/*";
license = "EUPL-1.2";
copyright = "The [npins](https://github.com/andir/npins) contributors";
}
# images
{
path = "machines/nixos/compute01/extranix/static-data/images/forgejo.png";
@ -230,16 +210,18 @@ in
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/nixos/storage01/snix-cache/cache-settings.nix {
inherit (pkgs) lib;
};
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages =
[
pkgs.lon
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
# SSO testing
pkgs.kanidm
@ -250,6 +232,7 @@ in
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
]
++ git-checks.enabledPackages
++ (builtins.attrValues scripts);
@ -268,12 +251,9 @@ in
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [
scripts.instantiate-node
scripts.push-to-cache
];
eval-nodes.packages = [ scripts.cache-node ];
eval-shell.packages = [ scripts.nix-build-and-cache ];
lon-update.packages = [ pkgs.lon ];
npins-shell.packages = [ pkgs.npins ];
};
};
}

16
hive.nix
View file

@ -43,7 +43,7 @@ let
mkNixpkgsConfig =
system:
{
nixos = _: { config.allowUnfree = true; }; # TODO: add nix-pkgs overlay here
nixos = _: { }; # TODO: add nix-pkgs overlay here
zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { };
}
@ -191,11 +191,9 @@ in
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
# Set NIX_PATH to the patched version of nixpkgs
environment.etc.nixpkgs.source = builtins.storePath sourcePkgs.path;
nix.nixPath = [ "nixpkgs=/etc/nixpkgs" ];
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${builtins.storePath sourcePkgs.path}" ];
optimise.automatic = true;
gc = {
@ -204,7 +202,13 @@ in
options = "--delete-older-than 7d";
};
settings = (import ./. { pkgs = sourcePkgs; }).mkCacheSettings [ "infra" ];
settings =
{
substituters = [ "https://tvix-store.dgnum.eu/infra" ];
}
// (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
caches = [ "infra" ];
});
};
# Allow unfree packages

9
iso/build-iso.sh Normal file
View file

@ -0,0 +1,9 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

42
iso/configuration.nix Normal file
View file

@ -0,0 +1,42 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
let
dgn-keys = import ../keys.nix;
dgn-members = (import ../meta lib).config.organization.groups.root;
in
{
imports = [ ./dgn-install ];
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
kernelPackages = pkgs.linuxPackages_latest;
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = [
"exfat"
"zfs"
"bcachefs"
];
swraid.enable = lib.mkForce false;
};
console.keyMap = "fr";
services = {
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
}

7
iso/dgn-install/README.md Normal file
View file

@ -0,0 +1,7 @@
<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Script pour installer automatiquement NixOS sur les machines de la DGNum

24
iso/dgn-install/default.nix Normal file
View file

@ -0,0 +1,24 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let
installScript = pkgs.writeShellApplication {
name = "dgn-install";
runtimeInputs = with pkgs; [
coreutils
gnused
nixos-install-tools
zfs
];
text = builtins.readFile ./dgn-install.sh;
};
in
{
environment.systemPackages = [ installScript ];
}

153
iso/dgn-install/dgn-install.sh Normal file
View file

@ -0,0 +1,153 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
bootDevice=
rootDevice=
domain="par01.infra.dgnum.eu"
hostname="dgn0x"
hasZFS=
while [ "$#" -gt 0 ]; do
i="$1"
shift 1
case "$i" in
--root)
rootDevice="$1"
shift 1
;;
--boot)
bootDevice="$1"
shift 1
;;
--swap)
swapDevice="$1"
shift 1
;;
--domain)
domain="$1"
shift 1
;;
--hostname)
hostname="$1"
shift 1
;;
--with-zfs)
hasZFS="1"
;;
*)
echo "$0: unknown option \`$i'"
exit 1
;;
esac
done
if [ -z "$bootDevice" ]; then
echo "Missing boot partition"
exit 1
fi
if [ -z "$rootDevice" ]; then
echo "Missing root partition"
exit 1
fi
# Mount the partitions to where they should be
mount "$rootDevice" /mnt
mkdir /mnt/boot
mount "$bootDevice" /mnt/boot
if [ -n "$swapDevice" ]; then
swapon "$swapDevice"
fi
# Generate configration
nixos-generate-config --root /mnt
NIX="/mnt/etc/nixos/"
# Setup our own files
mv $NIX/configuration.nix $NIX/base-configuration.nix
cat <<EOF > $NIX/dgnum-server.nix
{ ... }: {
services.nscd.enableNsncd = false;
programs.bash.promptInit = ''
# Provide a nice prompt if the terminal supports it.
if [ "\$TERM" != "dumb" ] || [ -n "\$INSIDE_EMACS" ]; then
PROMPT_COLOR="1;31m"
((UID)) && PROMPT_COLOR="1;32m"
if [ -n "\$INSIDE_EMACS" ] || [ "\$TERM" = "eterm" ] || [ "\$TERM" = "eterm-color" ]; then
# Emacs term mode doesn't support xterm title escape sequence (\e]0;)
PS1="\n\[\033[\$PROMPT_COLOR\][\u@\$(hostname -f):\w]\\\$\[\033[0m\] "
else
PS1="\n\[\033[\$PROMPT_COLOR\][\[\e]0;\u@\H: \w\a\]\u@\$(hostname -f):\w]\\\$\[\033[0m\] "
fi
if test "\$TERM" = "xterm"; then
PS1="\[\033]2;\$(hostname -f):\u:\w\007\]\$PS1"
fi
fi
'';
}
EOF
cat <<EOF > $NIX/configuration.nix
{ pkgs, ... }: {
imports = [
./base-configuration.nix
./dgnum-server.nix
$(if [ -n "$hasZFS" ]; then echo './zfs.nix'; fi)
];
boot.tmp.cleanOnBoot = true;
console.keyMap = "fr";
time.timeZone = "Europe/Paris";
environment.systemPackages = with pkgs; [
vim
wget
kitty.terminfo
];
networking = {
hostName = "$hostname";
domain = "$domain";
};
# Activate SSH and set the keys
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [ ./rootKeys ];
}
EOF
if [ -n "$hasZFS" ]; then
cat <<EOF > $NIX/zfs.nix
{ ... }: {
boot = {
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = false;
zfs.extraPools = [
$(zpool list -Ho name | sed 's/^/"/;s/$/"/')
];
};
networking.hostId = "$(head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //')";
}
EOF
fi
# Copy the keys
cp /etc/ssh/authorized_keys.d/root $NIX/rootKeys
# Perform the installation
nixos-install

13
iso/nixpkgs.nix Normal file
View file

@ -0,0 +1,13 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";
in
(import nixpkgs { }).srcOnly {
name = "nixpkgs-for-iso";
src = nixpkgs;
}

15
lib/keys/default.nix
View file

@ -14,16 +14,12 @@ in
rec {
_memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
_ageKeys = builtins.mapAttrs (_: v: v.ageSshKeys) meta.organization.members;
_builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
_nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
# Get keys of the users
getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
# Get age-keys of the users
getAgeKeys = name: builtins.concatLists (builtins.map (getAttr _ageKeys) name);
# Get builder keys of the users
getBuilderKeys = getAttr _builderKeys;
@ -33,25 +29,22 @@ rec {
# List of keys for the root group
rootKeys = getMemberKeys meta.organization.groups.root;
# List of keys for the root group (for age encryption and decryption)
rootAgeKeys = getAgeKeys meta.organization.groups.root;
# All admins for a node
getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
# All keys needed for secret encryption
getSecretKeys = node: lib.unique (getAgeKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
getSecretKeys = node: lib.unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
# List of keys for all machines wide secrets
machineKeys = rootAgeKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
mkSecrets = nodes: setDefault { publicKeys = lib.unique (builtins.concatMap getSecretKeys nodes); };
mkRootSecrets = setDefault { publicKeys = lib.unique rootAgeKeys; };
mkRootSecrets = setDefault { publicKeys = lib.unique rootKeys; };
machineKeysBySystem =
system:
rootAgeKeys
rootKeys
++ (getNodeKeys (
builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
));

141
lib/netconf-junos/access.nix
View file

@ -1,141 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatImapStringsSep
concatMapAttrsStringSep
concatMapStrings
mkOption
;
inherit (lib.types)
attrsOf
ints
listOf
str
submodule
;
in
{
options = {
access.address-assignment.pool = mkOption {
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = {
family.inet = {
network = mkOption {
type = str;
description = ''
Network where this pool is located.
'';
};
ranges = mkOption {
type = listOf (submodule {
options = {
low = mkOption {
type = str;
description = ''
Lowest IP of this range.
'';
};
high = mkOption {
type = str;
description = ''
Highest IP of this range.
'';
};
};
});
description = ''
IP ranges in this pool.
'';
};
dhcp-attributes = {
maximum-lease-time = mkOption {
type = ints.unsigned;
description = ''
Maximum lease time for leases in this pool.
'';
};
name-server = mkOption {
type = listOf str;
default = [ ];
description = ''
DNS servers to propose.
'';
};
router = mkOption {
type = listOf str;
default = [ ];
description = ''
Router IP for default route.
'';
};
};
};
xml = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.xml =
let
inet-cfg = config.family.inet;
in
''
<pool>
<name>${name}</name>
<family>
<inet>
<network>${inet-cfg.network}</network>
${concatImapStringsSep "\n" (
idx:
{ low, high }:
''
<range>
<name>${name}-${toString idx}</name>
<low>${low}</low>
<high>${high}</high>
</range>
''
) inet-cfg.ranges}
<dhcp-attributes>
<maximum-lease-time>${toString inet-cfg.dhcp-attributes.maximum-lease-time}</maximum-lease-time>
${concatMapStrings (
dns: "<name-server><name>${dns}</name></name-server>"
) inet-cfg.dhcp-attributes.name-server}
${concatMapStrings (
router: "<router><name>${router}</name></router>"
) inet-cfg.dhcp-attributes.router}
</dhcp-attributes>
</inet>
</family>
</pool>
'';
}
)
);
default = { };
description = ''
Address pools for DHCP configuration.
'';
};
netconf.xmls.access = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.access = ''
<access operation="replace">
<address-assignment>
${concatMapAttrsStringSep "\n" (_: pool: pool.xml) config.access.address-assignment.pool}
</address-assignment>
</access>
'';
}

6
lib/netconf-junos/default.nix
View file

@ -34,14 +34,11 @@ let
in
{
imports = [
./access.nix
./interfaces.nix
./poe.nix
./protocols.nix
./system.nix
./vlans.nix
./routing-options.nix
./snmp.nix
];
options = {
@ -101,9 +98,6 @@ in
${protocols}
${vlans}
${poe}
${access}
${routing-options}
${snmp}
</configuration>
'';
rpc = pkgs.writeText "${name}.rpc" ''

25
lib/netconf-junos/interfaces.nix
View file

@ -25,7 +25,6 @@ let
interface =
{ name, config, ... }:
let
intf_cfg = config;
unit =
{ name, config, ... }:
{
@ -34,13 +33,6 @@ let
default = true;
example = false;
};
description = mkOption {
type = str;
default = intf_cfg.description + "." + name;
description = ''
Descriptive name of this interface unit.
'';
};
family = {
ethernet-switching = {
enable = mkEnableOption "the ethernet switching on this logical interface";
@ -105,17 +97,17 @@ let
</ethernet-switching>
'';
addr4 = map (addr: "<address><name>${addr}</name></address>") config.family.inet.addresses;
addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
inet = optionalString config.family.inet.enable ''
<inet>
${builtins.concatStringsSep "" addr4}
<address>${builtins.concatStringsSep "" addr4}</address>
</inet>
'';
addr6 = map (addr: "<address><name>${addr}</name></address>") config.family.inet6.addresses;
addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
inet6 = optionalString config.family.inet6.enable ''
<inet6>
${builtins.concatStringsSep "" addr6}
<address>${builtins.concatStringsSep "" addr6}</address>
</inet6>
'';
in
@ -123,7 +115,6 @@ let
<unit>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
${optionalString config.enable "<description>${config.description}</description>"}
<family>
${eth}${inet}${inet6}
</family>
@ -140,13 +131,6 @@ let
Configuration of the logical interfaces on this physical interface.
'';
};
description = mkOption {
type = str;
default = name;
description = ''
Descriptive name of this interface.
'';
};
xml = mkOption {
type = str;
visible = false;
@ -160,7 +144,6 @@ let
''
<interface>
<name>${name}</name>
${optionalString config.enable "<description>${config.description}</description>"}
${optionalString (!config.enable) "<disable/>"}
${builtins.concatStringsSep "" units}
</interface>

59
lib/netconf-junos/routing-options.nix
View file

@ -1,59 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatMapStringsSep
mkOption
;
inherit (lib.types)
str
listOf
submodule
;
in
{
options = {
routing-options.static.route = mkOption {
type = listOf (submodule {
options = {
destination = mkOption {
type = str;
description = ''
Destination network.
'';
};
next-hop = mkOption {
type = str;
description = ''
Gateway for this network.
'';
};
};
});
default = [ ];
description = ''
Static routes.
'';
};
netconf.xmls.routing-options = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.netconf.xmls.routing-options = ''
<routing-options operation="replace">
<static>
${concatMapStringsSep "\n" (route: ''
<route>
<name>${route.destination}</name>
<next-hop>${route.next-hop}</next-hop>
</route>
'') config.routing-options.static.route}
</static>
</routing-options>
'';
}

80
lib/netconf-junos/snmp.nix
View file

@ -1,80 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, config, ... }:
let
inherit (lib)
concatMapAttrsStringSep
mkOption
optionalString
;
inherit (lib.types)
attrsOf
bool
enum
str
submodule
;
in
{
options = {
snmp = {
filter-interfaces.all-internal-interfaces = mkOption {
type = bool;
default = false;
description = ''
Whether to filter internal interfaces.
'';
};
community = mkOption {
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = {
authorization = mkOption {
type = enum [
"read-only"
"read-write"
];
description = ''
Authorization type.
'';
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml = ''
<community>
<name>${name}</name>
<authorization>${config.authorization}</authorization>
</community>
'';
}
)
);
default = { };
description = ''
Communities for SNMPv2 access.
'';
};
};
netconf.xmls.snmp = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.snmp = ''
<snmp operation="replace">
<filter-interfaces>
${optionalString config.snmp.filter-interfaces.all-internal-interfaces "<all-internal-interfaces/>"}
</filter-interfaces>
${concatMapAttrsStringSep "" (_: comm: comm.xml) config.snmp.community}
</snmp>
'';
}

33
lib/netconf-junos/system.nix
View file

@ -6,25 +6,20 @@
let
inherit (lib)
concatMapAttrsStringSep
concatMapStrings
concatStrings
concatStringsSep
filter
hasPrefix
length
mkOption
optionalString
splitString
;
inherit (lib.types)
attrsOf
enum
listOf
port
str
submodule
;
in
@ -60,20 +55,6 @@ in
description = "Port to use for netconf.";
default = 830;
};
dhcp-local-server.group = mkOption {
type = attrsOf (submodule {
options.interfaces = mkOption {
type = listOf str;
description = ''
Interfaces managed by this group.
'';
};
});
default = { };
description = ''
Groups of configuration for DHCP server.
'';
};
};
};
netconf.xmls.system = mkOption {
@ -94,19 +75,6 @@ in
ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
filter (hasPrefix "ssh-ed25519 ") ssh-keys
);
dhcp-local = optionalString (config.system.services.dhcp-local-server.group != { }) ''
<dhcp-local-server>
${concatMapAttrsStringSep "\n" (name: cfg: ''
<group>
<name>${name}</name>
<interface>
${concatMapStrings (intf: "<name>${intf}</name>") cfg.interfaces}
</interface>
</group>
'') config.system.services.dhcp-local-server.group}
</dhcp-local-server>
'';
in
''
<system>
@ -121,7 +89,6 @@ in
<ssh><port>${toString config.system.services.netconf.port}</port></ssh>
<rfc-compliant/><yang-compliant/>
</netconf>
${dhcp-local}
</services>
</system>
'';

28
lib/nix-patches/default.nix
View file

@ -71,31 +71,15 @@ rec {
src,
name,
patches ? mkPatches name,
prePatch ? null,
postPatch ? null,
...
}@args:
if patches == [ ] && prePatch == null && postPatch == null then
}:
if patches == [ ] then
src
else
pkgs.stdenvNoCC.mkDerivation (
args
// {
name = "${name}-patched";
pkgs.applyPatches {
inherit patches src;
inherit patches prePatch postPatch;
preferLocalBuild = true;
allowSubstitutes = true;
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
installPhase = "cp -R . $out";
}
);
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};

315
lon.lock
View file

@ -1,315 +0,0 @@
{
"version": "1",
"sources": {
"agenix": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "ryantm",
"repo": "agenix",
"branch": "main",
"revision": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"url": "https://github.com/ryantm/agenix/archive/531beac616433bac6f9e2a19feb8e99a22a66baf.tar.gz",
"hash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA="
},
"arkheon": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "RaitoBezarius",
"repo": "arkheon",
"branch": "main",
"revision": "3eea876b29217d01cf2ef03ea9fdd8779d28ad04",
"url": "https://github.com/RaitoBezarius/arkheon/archive/3eea876b29217d01cf2ef03ea9fdd8779d28ad04.tar.gz",
"hash": "sha256-+R6MhTXuSzNeGQiL4DQwlP5yNhmnhbf7pQWPUWgcZSM="
},
"cas-eleves": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "bdbb2a6c772144813bd75316080f5fecd2c5cc9e",
"url": "https://git.dgnum.eu/DGNum/cas-eleves.git",
"hash": "sha256-kQDO331t2YsrDoVGHzftU6Y96VXfWNzgI7QmeBNCGTA=",
"lastModified": 1736030096,
"submodules": false
},
"cgroup-exporter": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "arianvp",
"repo": "cgroup-exporter",
"branch": "main",
"revision": "97b83d6d495b3cb6f959a4368fd93ac342d23706",
"url": "https://github.com/arianvp/cgroup-exporter/archive/97b83d6d495b3cb6f959a4368fd93ac342d23706.tar.gz",
"hash": "sha256-MP45mdfhZ3MjpL0sJolZ0GkY3Le8QoUDqS+loPtxu2I="
},
"colmena": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "b5135dc8af1d7637b337cc2632990400221da577",
"url": "https://git.dgnum.eu/DGNum/colmena",
"hash": "sha256-7gg+K3PEYlN0sGPgDlmnM8zgDDIV505gNcwjFN61Qvk=",
"lastModified": 1746392348,
"submodules": false
},
"dgsi": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "fbf6385e65400802a3f9f75f7cd91d5c01373d1b",
"url": "https://git.dgnum.eu/DGNum/dgsi.git",
"hash": "sha256-aOUI69wbMm9+KVWwcMw5TgVnk3DfjOzE4OEyYTD8XPU=",
"lastModified": 1748894673,
"submodules": false
},
"disko": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "nix-community",
"repo": "disko",
"branch": "master",
"revision": "dfa4d1b9c39c0342ef133795127a3af14598017a",
"url": "https://github.com/nix-community/disko/archive/dfa4d1b9c39c0342ef133795127a3af14598017a.tar.gz",
"hash": "sha256-CqmqU5FRg5AadtIkxwu8ulDSOSoIisUMZRLlcED3Q5w="
},
"dns.nix": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "nix-community",
"repo": "dns.nix",
"branch": "master",
"revision": "96e548ae8bd44883afc5bddb9dacd0502542276d",
"url": "https://github.com/nix-community/dns.nix/archive/96e548ae8bd44883afc5bddb9dacd0502542276d.tar.gz",
"hash": "sha256-qTbv8Pm9WWF63M5Fj0Od9E54/lsbMSQUBHw/s30eFok="
},
"git-hooks": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "cachix",
"repo": "git-hooks.nix",
"branch": "master",
"revision": "623c56286de5a3193aa38891a6991b28f9bab056",
"url": "https://github.com/cachix/git-hooks.nix/archive/623c56286de5a3193aa38891a6991b28f9bab056.tar.gz",
"hash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4="
},
"kadenios": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "4fd9e3a2117f54c4184b02fd3aef31626fcad149",
"url": "https://git.dgnum.eu/DGNum/kadenios.git",
"hash": "sha256-32alJ/9M+Vaa+zSzmoMgB1+f2h4GYP3OiJ8odRMeCdw=",
"lastModified": 1720702967,
"submodules": false
},
"kat-pkgs": {
"type": "Git",
"fetchType": "git",
"branch": "master",
"revision": "3838db6ebbfe5ad9f904ce553543c1c301b67274",
"url": "https://git.dgnum.eu/lbailly/kat-pkgs",
"hash": "sha256-ifgYL9gJ1XKEL45WdFqGM17r5ZUkLnTuV2tGk+ie80I=",
"lastModified": 1750258895,
"submodules": false
},
"liminix": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "1322de1ee0cdb19fead79e12ab279ee0b575019a",
"url": "https://git.dgnum.eu/DGNum/liminix",
"hash": "sha256-k5QjFRwKK8Hw7bl6XwOHiwr7hmTtBMdOUWieNKM10x4=",
"lastModified": 1733703952,
"submodules": false
},
"linkal": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "JulienMalka",
"repo": "Linkal",
"branch": "main",
"revision": "085630bf369b68d2264baca020efc94c877d78e6",
"url": "https://github.com/JulienMalka/Linkal/archive/085630bf369b68d2264baca020efc94c877d78e6.tar.gz",
"hash": "sha256-nQ22VdXMO6M+rIsrPYHGmt7Zi7VWt9BeuF7WM+U2glQ="
},
"lix": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "20fed838a622e48128827278db91312f580f9214",
"url": "https://git.lix.systems/lix-project/lix.git",
"hash": "sha256-Swcajzm+JPDd32kKXdg25im9CeATuY8qji9EPVU2rVo=",
"lastModified": 1750232556,
"submodules": false
},
"lix-module": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "3c23c6ae2aecc1f76ae7993efe1a78b5316f0700",
"url": "https://git.lix.systems/lix-project/nixos-module.git",
"hash": "sha256-7EICjbmG6lApWKhFtwvZovdcdORY1CEe6/K7JwtpYfs=",
"lastModified": 1747667424,
"submodules": false
},
"lon": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "nikstur",
"repo": "lon",
"branch": "main",
"revision": "c44e33ce55eed38a06fde43e69512380c4065441",
"url": "https://github.com/nikstur/lon/archive/c44e33ce55eed38a06fde43e69512380c4065441.tar.gz",
"hash": "sha256-bxu83mbdfAeDZYOnjZQYyjTs5WgZS8o6Q2irlzgbYs0="
},
"metis": {
"type": "Git",
"fetchType": "git",
"branch": "master",
"revision": "f8898110f4aa32c5384af605e727bfea9b0bd2de",
"url": "https://git.dgnum.eu/DGNum/metis",
"hash": "sha256-WrQCoe8h848nkQQfZnshsOdoY2NP5gAsl24hXpzDnR8=",
"lastModified": 1737730724,
"submodules": false
},
"microvm.nix": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "RaitoBezarius",
"repo": "microvm.nix",
"branch": "main",
"revision": "49899c9a4fdf75320785e79709bf1608c34caeb8",
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
"hash": "sha256-nn/kta8Od0T2k5+xQj+S2PNqOmxsDdHNaIv8eNtX5ms="
},
"nix-actions": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "06847b3256df402da0475dccb290832ec92a9f8c",
"url": "https://git.dgnum.eu/DGNum/nix-actions.git",
"hash": "sha256-2xOZdKiUfcriQFKG37vY96dgCJLndhLa7cGacq8+SA8=",
"lastModified": 1746294989,
"submodules": false
},
"nix-modules": {
"type": "Git",
"fetchType": "git",
"branch": "dgnum",
"revision": "fd4ba193ea3eda529ac27b43b206e9e3618b1975",
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules",
"hash": "sha256-O/lMCM0qKkd+TBV43Fp9uG3aEbDSc2lI3a5TetNYs0w=",
"lastModified": 1749739595,
"submodules": false
},
"nix-pkgs": {
"type": "Git",
"fetchType": "git",
"branch": "dgnum",
"revision": "7a0e2e660b26ddd67bb8132beb6b13e3a69003a4",
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs",
"hash": "sha256-1uzLfSTvB8UXN9zbzQr2cQXjARIXw1cBwPK6mA9GoXc=",
"lastModified": 1745005124,
"submodules": false
},
"nix-reuse": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "45633dc6a0512cbbb010bc615b5d1b6e46e57597",
"url": "https://git.dgnum.eu/DGNum/nix-reuse",
"hash": "sha256-xr63AvDLp+RS0F7qwuOoWNENuepPbpuHLe4VPS85XBQ=",
"lastModified": 1737547777,
"submodules": false
},
"nixos-24.05": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "NixOS",
"repo": "nixpkgs",
"branch": "nixos-24.05",
"revision": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"url": "https://github.com/NixOS/nixpkgs/archive/b134951a4c9f3c995fd7be05f3243f8ecd65d798.tar.gz",
"hash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8="
},
"nixos-24.11": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "NixOS",
"repo": "nixpkgs",
"branch": "nixos-24.11",
"revision": "bf3287dac860",
"url": "https://github.com/NixOS/nixpkgs/archive/bf3287dac860.tar.gz",
"hash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA="
},
"nixos-25.05": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "NixOS",
"repo": "nixpkgs",
"branch": "nixos-25.05",
"revision": "88331c17ba434359491e8d5889cce872464052c2",
"url": "https://github.com/NixOS/nixpkgs/archive/88331c17ba434359491e8d5889cce872464052c2.tar.gz",
"hash": "sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc="
},
"nixos-unstable": {
"type": "GitHub",
"fetchType": "tarball",
"owner": "NixOS",
"repo": "nixpkgs",
"branch": "nixos-unstable",
"revision": "3e3afe5174c561dee0df6f2c2b2236990146329f",
"url": "https://github.com/NixOS/nixpkgs/archive/3e3afe5174c561dee0df6f2c2b2236990146329f.tar.gz",
"hash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU="
},
"proxmox-nixos": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "91c96a414e14835b84adbf775f793739a5851fab",
"url": "https://github.com/SaumonNet/proxmox-nixos.git",
"hash": "sha256-YYbR1o5qTPUxpaVhkJcOGjghNGbIBQmivXAgNTFDxqU=",
"lastModified": 1743764738,
"submodules": false
},
"signal-irc-bridge": {
"type": "Git",
"fetchType": "git",
"branch": "master",
"revision": "52a370b29ff2edbec63e192e782b934823263ef2",
"url": "https://git.dgnum.eu/mdebray/signal-irc-bridge",
"hash": "sha256-sR8v7bheOigZ08VAv/AX9wFNmMZQEUqEwX3V9wW68tc=",
"lastModified": 1744031004,
"submodules": false
},
"snix-cache": {
"type": "Git",
"fetchType": "git",
"branch": "main",
"revision": "f3d0a3146c64f8fe6bdb208b75cc680c96f524e1",
"url": "https://git.dgnum.eu/DGNum/snix-cache.git",
"hash": "sha256-D6NRGdsIwvXf9MxTR1gFreefBKM3giFh8ggTM6wsh8o=",
"lastModified": 1750061908,
"submodules": false
},
"stateless-uptime-kuma": {
"type": "Git",
"fetchType": "git",
"branch": "master",
"revision": "d378d1ce00c676fa22ef0808cf73f3e1c34e0191",
"url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma",
"hash": "sha256-Dq0Kk6inCrxsxRfpYJVDZ45pMW/OZ3AAecmgF+yIZQI=",
"lastModified": 1734436346,
"submodules": false
},
"wp4nix": {
"type": "Git",
"fetchType": "git",
"branch": "master",
"revision": "2fc9a0734168cab536e3129efa6397d6cd3ac89f",
"url": "https://git.helsinki.tools//helsinki-systems/wp4nix",
"hash": "sha256-abwqAZGsWuWqfxou8XlqedBvXsUw1/xanSgljLCJxdM=",
"lastModified": 1743397420,
"submodules": false
}
}
}

53
lon.nix
View file

@ -1,53 +0,0 @@
# Generated by lon. Do not modify!
let
lock = builtins.fromJSON (builtins.readFile ./lon.lock);
# Override with a path defined in an environment variable. If no variable is
# set, the original path is used.
overrideFromEnv =
name: path:
let
replacement = builtins.getEnv "LON_OVERRIDE_${name}";
in
if replacement == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 replacement == "/" then
/. + replacement
else
/. + builtins.getEnv "PWD" + "/${replacement}";
fetchSource =
args@{ fetchType, ... }:
if fetchType == "git" then
builtins.fetchGit (
{
url = args.url;
ref = args.branch;
rev = args.revision;
narHash = args.hash;
submodules = args.submodules;
}
// (
if args ? lastModified then
{
inherit (args) lastModified;
shallow = true;
}
else
{ }
)
)
else if fetchType == "tarball" then
builtins.fetchTarball {
url = args.url;
sha256 = args.hash;
}
else
builtins.throw "Unsupported source type ${fetchType}";
in
builtins.mapAttrs (name: args: overrideFromEnv name (fetchSource args)) lock.sources

93
machines/netconf/Jaccess01.nix
View file

@ -1,93 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs mod;
inherit (lib.extra) genFuse;
in
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
AP = [
# H1-00
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
# H1-01
"ge-0/0/6"
"ge-0/0/7"
"ge-0/0/8"
"ge-0/0/9"
"ge-0/0/10"
"ge-0/0/11"
# H1-02
"ge-0/0/12"
"ge-0/0/13"
"ge-0/0/14"
"ge-0/0/15"
"ge-0/0/16"
"ge-0/0/17"
];
admin-ip = "fd26:baf9:d250:8000::1001/64";
};
dgn-interfaces = {
# oob
"ge-0/0/42".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) (
{
"xe-0/1/0" = "netcore01";
"xe-0/1/1" = "Jaccess04";
"ge-0/1/3" = "uplink-cri";
"ge-0/0/42" = "oob";
"ge-0/0/47" = "psu";
}
// genFuse (i: {
"ge-0/0/${toString i}" = "AP_H1_${toString (i / 6)}_${toString (mod i 6 + 1)}";
}) 18
);
snmp.community."public".authorization = "read-only";
}

19
machines/netconf/Jaccess04.nix → machines/netconf/netaccess01.nix
View file

@ -2,11 +2,6 @@
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs mod;
inherit (lib.extra) genFuse;
in
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
@ -31,18 +26,4 @@ in
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) (
{
"xe-0/1/0" = "Jaccess01";
}
// genFuse (i: {
"ge-0/0/${toString i}" = "AP_H2_${toString (i / 2)}_${toString (mod i 2 + 1)}";
}) 6
);
snmp.community."public".authorization = "read-only";
}

28
machines/netconf/netcore00.nix Normal file
View file

@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware = {
model = "EX4400-24X";
extensions = [ "EX4400-EM-4Y" ];
};
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::1010/64";
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
"xe-0/0/23".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.2.3/24" ];
};
}

92
machines/netconf/netcore01.nix
View file

@ -2,69 +2,51 @@
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs;
in
{
dgn-hardware = {
model = "EX4400-24X";
extensions = [ "EX4400-EM-4Y" ];
};
dgn-hardware.model = "EX4100-F-48P";
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::1010/64";
core-links = [
"xe-0/0/0"
"xe-0/0/3"
"xe-0/0/22"
"xe-0/0/21"
];
admin-ip = "fd26:baf9:d250:8000::100f/64";
};
dgn-profiles = {
"hypervisor" = {
interfaces = [
"ge-0/0/1"
"ge-0/0/3"
"ge-0/0/5"
"ge-0/0/7"
"ge-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
"idrac" = {
interfaces = [
"ge-0/0/0"
"ge-0/0/2"
"ge-0/0/4"
"ge-0/0/6"
"ge-0/0/8"
# PDU and PSU
"ge-0/0/46"
"ge-0/0/47"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
};
};
dgn-interfaces = {
"ge-0/0/23".ethernet-switching = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
vlans = [ "all" ];
};
"xe-0/0/0".ethernet-switching.vlans = [ "uplink-cri" ];
"xe-0/0/21".ethernet-switching.vlans = [ "all" ];
"xe-0/0/22".ethernet-switching.vlans = [ "all" ];
# debug management
"me0".inet.addresses = [ "192.168.2.3/24" ];
"me0".inet.addresses = [ "192.168.2.2/24" ];
};
dgn-profiles."hypervisor" = {
interfaces = [
"xe-0/0/4"
"xe-0/0/5"
"xe-0/0/6"
"xe-0/0/7"
"xe-0/0/8"
"xe-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) {
"xe-0/0/0" = "Jaccess01";
"xe-0/0/3" = "Jaccess04";
"xe-0/0/21" = "vault01";
"xe-0/0/22" = "netcore02";
"ge-0/0/23" = "uplink-cri";
"xe-0/0/4" = "random02";
"xe-0/0/5" = "random03";
"xe-0/0/6" = "hypervisor01";
"xe-0/0/7" = "hypervisor02";
"xe-0/0/8" = "hypervisor03";
"xe-0/0/9" = "build01";
};
snmp.community."public".authorization = "read-only";
}

134
machines/netconf/netcore02.nix
View file

@ -1,87 +1,77 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs;
in
{
dgn-hardware.model = "EX4100-F-48P";
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::100f/64";
};
dgn-profiles = {
"hypervisor" = {
interfaces = [
"ge-0/0/1"
"ge-0/0/3"
"ge-0/0/5"
"ge-0/0/7"
"ge-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
"idrac" = {
interfaces = [
"ge-0/0/0"
"ge-0/0/2"
"ge-0/0/4"
"ge-0/0/6"
"ge-0/0/8"
"ge-0/0/10"
"ge-0/0/12"
"ge-0/0/14"
# PDU and PSU
"ge-0/0/45"
"ge-0/0/46"
"ge-0/0/47"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
};
AP = [
# H1-00
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
# H1-01
"ge-0/0/6"
"ge-0/0/7"
"ge-0/0/8"
"ge-0/0/9"
"ge-0/0/10"
"ge-0/0/11"
# H1-02
"ge-0/0/12"
"ge-0/0/13"
"ge-0/0/14"
"ge-0/0/15"
"ge-0/0/16"
"ge-0/0/17"
];
admin-ip = "fd26:baf9:d250:8000::1001/64";
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
# oob
"ge-0/0/42".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# netcore01 (Potos)
"xe-0/1/2".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"all"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# debug management
"me0".inet.addresses = [ "192.168.2.2/24" ];
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) {
"xe-0/2/0" = "netcore01";
"ge-0/0/0" = "hypervisor01_idrac";
"ge-0/0/2" = "hypervisor02_idrac";
"ge-0/0/4" = "hypervisor03_idrac";
"ge-0/0/6" = "build01_idrac";
"ge-0/0/8" = "random01_idrac";
"ge-0/0/10" = "random02_idrac";
"ge-0/0/12" = "random03_idrac";
"ge-0/0/14" = "vault01_idrac";
"ge-0/0/1" = "hypervisor01";
"ge-0/0/3" = "hypervisor02";
"ge-0/0/5" = "hypervisor03";
"ge-0/0/7" = "build01";
"ge-0/0/9" = "random03";
"ge-0/0/47" = "psu";
"ge-0/0/46" = "psu_pdu";
"ge-0/0/45" = "pdu_32A";
};
snmp.community."public".authorization = "read-only";
}

1
machines/nixos/bridge01/_configuration.nix
View file

@ -16,7 +16,6 @@ lib.extra.mkConfig {
extraConfig = {
services.netbird.enable = true;
dgn-monitoring.enable = false;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};

3
machines/nixos/build01/_configuration.nix
View file

@ -11,12 +11,11 @@ lib.extra.mkConfig {
enabledServices = [
"nix-builder"
"forgejo-multiuser-runner"
];
extraConfig = {
dgn-forgejo-runners = {
nbRunners = 32;
nbRunners = 16;
dataDirectory = "/data";
};

43
machines/nixos/build01/forgejo-multiuser-runner.nix
View file

@ -1,43 +0,0 @@
# SPDX-FileCopyrightText: 2025 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
name,
pkgs,
config,
...
}:
{
services.forgejo-multiuser-nix-runners = {
enable = true;
url = "https://git.dgnum.eu";
storePath = "/data/multiuser-nix";
tokenFile = config.age.secrets."forgejo_runners-global_token_file".path;
names = [
"on-${name}"
"nix"
];
dependencies = [
pkgs.tea
];
containerOptions = [ "--cpus=4" ];
nbRunners = 8;
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
};
}

1
machines/nixos/build01/nix-builder.nix
View file

@ -69,6 +69,7 @@
# "ca-derivations" this feature is really extremely broken.
"cgroups"
"fetch-closure"
"impure-derivations"
];
};
};

32
machines/nixos/build01/secrets/forgejo_runners-global_token_file
View file

@ -1,32 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA A67hxqtqvgjo/K7M6yYAG+DqiIx6QC6PGt+XLdwjyGQ
HuUHQDImcLdeEDutnERgT+0WG1xtHrqwM1MjB5KKxhk
-> ssh-ed25519 QlRB9Q qNRX5fLCeisyjSaRHYedx2ee85frxewveOku4jTD11g
HY1CPvUkXsmWCfR+0tsQ4qrjq5T15fWEHXn9ILqrrxo
-> ssh-ed25519 r+nK/Q 284BFNS9XEsNELgX44RltCAnkQuhkyYHCtyMI1sQnns
Qs6jDsr/ormGxD43/UOZ3aO948kCvRbG72hspjBwRzM
-> ssh-rsa krWCLQ
NlJSQxRyqJXITcWm7NIUaPagqZvLM9Ay2Fw1HYHwNN9P3eq4R8WMgPzHu0og+bPd
bi5Wnk3bFmDqWRx7w9NArTj8lE5mUH2yRzSwOCYmRhDy1tjEkdtI6+qWd0n5m8rS
3KQB4QLZolDCT6RCDRkBQHWsUcyme6aZJenZFhHdo4I+TwNWWUsY0wf+IHrfvZLv
RNiCqbsxPOCuW7z8KKNwhD3hS2knD3QgzaALniJnNYRoCXdTc3PolBGZnxQekG2D
4UXC2XSrLkwd3VOeamxETUCK6m52VsJv5Sergy7EL5nk1IYpbiarkLITT7ZLCVTO
+g3xzzoMeU6nn7PLklbkgQ
-> ssh-ed25519 /vwQcQ uyKb5o5/xDdi7F7nFWM4RraLU2//WsaK5x4JAjT2HVM
H9VRibUJm1i4K6DAKHMEa/5/Dj0fErr93iCYQ8yVqbQ
-> ssh-ed25519 0R97PA 7R6BPGR5EBuE6k+M/K6waLYTW56wmLf2csWWfmcCyCM
wrkT3QDYw1Vn+9qQIR8Qjfn6XNiTRYv320CICxGEG5I
-> ssh-ed25519 JGx7Ng SRJbJweqtei2AdixOUoXd1JVc3awP2ihRIy1xqMHqTg
nwKIJ2dnhYAA7C+P/O5mYAXAqAtsi0fA7JjOAGdhMVo
-> ssh-ed25519 bUjjig ZzRKxapAKVYKvt9lLwn/qwoqx/60kXJJi9qNzeMia3Y
Iw0t7zo9dDFc3FARFs/qw0YPE7F1oGfdym7EICQ7v6I
-> ssh-ed25519 oRtTqQ no8OojhPehX+a7XnzV2/WkZDbt3NwTxun6ADHljvAiw
DdIt7obJwHO0Pn6T5SXuK/RaNP2Am3+RzMbi4WlY6QE
-> ssh-ed25519 IxxZqA bwLUeDES85yed9na9UAD1JxWLbI81f4ZCXKpYs/QElA
vaJCrZ3lEEEvlVTCxQSR345E9l79WTkaB5+P42QSwgg
-> \s?<-grease ;<G {MvjGn= \|v|k
IFFdH9unA7Y/mVfwQTyX8S+94zXHIs7EyiC9eT14KvnjJQX7czZWzY2Kzh7DQU9y
8gUwz/0XFvWSLqx+FQN0jGo+hJ5Y
--- 03OgKiJDCRFuWvt9dFfLd+8oL+ROoeWjujV5ft1yqPc
p@Y„¥ H»¥i ` ÓbQ¨ÐHˆôréd<C3A9>%t4´öªÐÑtKSúµ*,ë+n<01>é
tÌJ`3HÇ(cØúztjªé­¸Šàÿ—Æ^

31
machines/nixos/build01/secrets/forgejo_runners-token_file Normal file
View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
-> ssh-rsa krWCLQ
X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
ejR3mZyP5SU2+Pr6navc0w
-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
-> Tqc#'yq%-grease b
X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
8TkORCQQUYZIlNqu2Psfbi0
--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
“˜?l÷6r] úfBžo<ŸŒ9lj5M+Ší7íNõϹäô% Ñ.èœELĘâÂÒw§¾snÑáã¬nšN -×Ø̯pñûëËŠÓ

2
machines/nixos/build01/secrets/secrets.nix
View file

@ -5,5 +5,5 @@
(import ../../../../keys.nix).mkSecrets
[ "build01" ]
[
"forgejo_runners-global_token_file"
"forgejo_runners-token_file"
]

BIN
machines/nixos/cof02/secrets/webhook-gestiocof_token
View file

Binary file not shown.

2
machines/nixos/compute01/_configuration.nix
View file

@ -28,9 +28,7 @@ lib.extra.mkConfig {
"mastodon"
# "netbox"
"nextcloud"
"nimbolus"
"ollama-proxy"
"opengist"
"outline"
"plausible"
"postgresql"

2
machines/nixos/compute01/arkheon.nix
View file

@ -5,7 +5,7 @@
{ config, sources, ... }:
{
nixpkgs.overlays = [ (import (sources.arkheon + "/overlay.nix")) ];
nixpkgs.overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
services.arkheon = {
enable = true;

1
machines/nixos/compute01/dgsi/default.nix
View file

@ -40,7 +40,6 @@ let
ps.django-compressor
ps.django-htmx
ps.django-import-export
ps.django-sesame
ps.djangorestframework
ps.drf-spectacular
ps.gunicorn

6
machines/nixos/compute01/grafana/plugins.nix
View file

@ -16,10 +16,4 @@ builtins.map pkgs.grafanaPlugins.grafanaPlugin [
version = "0.13.1";
zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
}
{
pname = "knightss27-weathermap-panel";
version = "0.4.3";
zipHash = "sha256-N0jhFKYEgU8dZCJ1txcYg0rr17+FkGJjXjwyq2TSa74=";
}
]

66
machines/nixos/compute01/kanidm/default.nix
View file

@ -81,7 +81,8 @@ in
) meta.organization.members;
groups =
{
(lib.extra.genFuse (id: { "vlan_${builtins.toString (4094 - id)}".memberless = true; }) 850)
// {
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
grp-ext_cri.memberless = true;
}
@ -162,23 +163,6 @@ in
];
};
dgn_openbao = {
displayName = "OpenBao [Vault]";
originLanding = "https://vault.dgnum.eu";
originUrl = [ "https://vault.dgnum.eu/ui/vault/auth/kanidm/oidc/callback" ];
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
claimMaps.vault_group.valuesByGroup = {
grp_root = [ "admin" ];
};
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
@ -193,9 +177,6 @@ in
];
};
###
# NOTE: The following clients are currently used for experimental services
dgn_docs = {
displayName = "SuiteNumérique Docs [Docs]";
originUrl = "https://docs.lab.dgnum.eu/api/v1.0/callback/";
@ -209,49 +190,6 @@ in
"email"
];
};
dgn_drive = {
displayName = "SuiteNumérique Drive [Drive]";
originUrl = "https://drive.lab.dgnum.eu/api/v1.0/callback/";
originLanding = "https://drive.lab.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_visio = {
displayName = "SuiteNumérique Visio [Visio]";
originUrl = "https://visio.lab.dgnum.eu/api/v1.0/callback/";
originLanding = "https://visio.lab.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_zulip = {
displayName = "Zulip [Chat]";
originUrl = "https://zulip.dgnum.eu/complete/oidc/";
originLanding = "https://zulip.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
enableLegacyCrypto = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};

14
machines/nixos/compute01/librenms/default.nix
View file

@ -23,19 +23,7 @@ in
hostname = host;
settings = {
auth.socialite = {
configs.kanidm = {
listener = "\\SocialiteProviders\\Kanidm\\KanidmExtendSocialite";
client_id = "$KANIDM_CLIENT_ID";
client_secret = "$KANIDM_CLIENT_SECRET";
redirect = "$KANIDM_REDIRECT_URI";
base_url = "$KANIDM_BASE_URL";
};
default_role = "normal";
register = true;
};
};
settings = { };
database = {
createLocally = true;

8
machines/nixos/compute01/librenms/kanidm.patch
View file

@ -80,11 +80,3 @@ index 3d89a1530..a00c5f307 100644
{
"name": "socialiteproviders/manager",
"version": "v4.6.0",
index 3d89a1530..a00c5f307 100644
--- a/app/Providers/EventServiceProvider.php
+++ b/app/Providers/EventServiceProvider.php
@@ -33,3 +33,4 @@
\SocialiteProviders\Manager\SocialiteWasCalled::class => [
+ \SocialiteProviders\Kanidm\KanidmExtendSocialite::class.'@handle',
\App\Listeners\SocialiteWasCalledListener::class,
],

43
machines/nixos/compute01/nimbolus/default.nix
View file

@ -1,43 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
sources,
config,
...
}:
let
host = "nimbolus.dgnum.eu";
port = 9008;
in
{
imports = [ ./module.nix ];
services.nimbolus-tf = {
enable = true;
package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
settings = {
LISTEN_ADDR = "127.0.0.1:${toString port}";
STORAGE_BACKEND = "s3";
STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
STORAGE_S3_USE_SSL = "true";
STORAGE_S3_BUCKET = "nimbolus-dgnum";
STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
# TODO: configure openBAO
# AUTH_BASIC_ENABLED = "false";
# AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
};
credentials = {
KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path;
STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
};
};
dgn-web.simpleProxies.nimbolus = {
inherit host port;
};
}

104
machines/nixos/compute01/nimbolus/module.nix
View file

@ -1,104 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
config,
sources,
pkgs,
...
}:
let
inherit (lib)
getExe
mapAttrsToList
mkEnableOption
mkIf
mkPackageOption
mkOption
;
inherit (lib.types)
attrsOf
path
str
;
cfg = config.services.nimbolus-tf;
in
{
options.services.nimbolus-tf = {
enable = mkEnableOption "the nimbolus terraform http backend";
package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
pkgsText = "kat-pkgs";
};
user = mkOption {
type = str;
description = ''
User used by the nimbolus server.
'';
default = "nimbolus";
};
group = mkOption {
type = str;
description = ''
Group used by the nimbolus server.
'';
default = "nimbolus";
};
settings = mkOption {
type = attrsOf str;
default = { };
description = ''
Environment variables for nimbolus configuration.
'';
};
credentials = mkOption {
type = attrsOf path;
default = { };
description = ''
Files to pass by systemd LoadCredentials.
'';
};
};
config = mkIf cfg.enable {
systemd.services.nimbolus-tf = {
description = "Nimbolus terraform http backend";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = getExe cfg.package;
Environment =
mapAttrsToList (name: value: "${name}=${value}") cfg.settings
++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;
StateDirectory = "nimbolus-tf";
StateDirectoryMode = "0700";
WorkingDirectory = "/var/lib/nimbolus-tf";
# Hardening
DynamicUser = true;
CapabilityBoundingSet = "";
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
RestrictNamespaces = true;
ProtectHostname = true;
LockPersonality = true;
RestrictRealtime = true;
ProtectHome = true;
ProtectProc = "noaccess";
ProcSubset = "pid";
PrivateUsers = true;
UMask = "0077";
ProtectKernelTunables = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
};
};
};
}

30
machines/nixos/compute01/opengist.nix
View file

@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, nixpkgs, ... }:
let
host = "gist.dgnum.eu";
in
{
services.opengist = {
enable = true;
inherit host;
package = nixpkgs.nixos.unstable.opengist;
environmentFile = config.age.secrets."opengist-environment_file".path;
settings = {
gitea.url = "https://git.dgnum.eu";
};
};
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
};
}

BIN
machines/nixos/compute01/secrets/arkheon-env_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/bupstash-put_key
View file

Binary file not shown.

54
machines/nixos/compute01/secrets/dgsi-email_host_password_file
View file

@ -1,30 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA tGZqtjbTD1qsg0gM8pKs7Pc2I8wrfAaBe45tu7trX1E
/+2NjiX51xPl+q5+IhUriM+fD5gRzMYIPjbm3z1gv+8
-> ssh-ed25519 QlRB9Q kS4pcE8k5Z//N95EcAZYxX1f91d+7KxSmbrpONm4WFY
8sCu9NRSNSUKOYAIryDOI9qWh9iaUZbhn5vJdOGZphY
-> ssh-ed25519 r+nK/Q G0frNwJpYV8m6QXx0HGU/rVWgmuI4xuDjcDX3VGAUX0
gLxMYuSFJhX9oFN6N+K+GOjR1aYaTwZVI+wAk4Dyu/I
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
SMnZJ86PT3tQDotPNIRaIFoZm3WEVMSwnjXy+43aYSmgyJ+Ze1lrTS0A3DuTuchE
gudJZd3D2yVt0pz8JNB33VdYRPWsoV6suDZNPR6Fh3fq/NFRJxR9kbZn/vk9DjZz
Di8ABcIq7qptihnHLpx8wD6RYLntWbH67sX5zLvnpm/XfWSvr9UKrEjC38LpiFvs
os2YSrzBjmO+fbhiz+5N9QK05d28KNin4BC3qL6NU1nxRdHNKCrE9SwaUUNOsupU
uRat1ta7WYQk+rFafZDfWdL7FJV/seaceGi8R3OALN31Dl1o29nPXVbBxDy5nyUH
T5fL+2zF5mxRCXPd4lj9pw
-> ssh-ed25519 /vwQcQ bjAFc5XUfuTbUvqfdx+Fz/3qhU0r/ZW1lM6iV8Uzjjs
uVZuj6Ix7M9IERBb4huLLYDCgAhd5RcZdbXjDlBxl2U
-> ssh-ed25519 0R97PA Q4ZA2/RiUoMcTxxhKicuxuuAgJXtlRaR227oX/aVjTQ
Uvsccc9AOi/t7AQlsWfDf5MpdXUIaQSmQ6QApNj+i3U
-> ssh-ed25519 JGx7Ng zBDLF90R+Ql+k5ACi2RL0DGFhvKlJ5NcOgFx28ueFAk
G3QkhLg4cZV33iUPfF9VfeDcKuZET+DyQDXd5b6/3GY
-> ssh-ed25519 bUjjig XbMlc8uxnDTpxpeZwD2qqT5j4IVb1s8GB834/N+R2F4
R03sibMeLcO3zyzRONcHBnxvvOClf8x2+HBe6Xz7i00
-> ssh-ed25519 tDqJRg 13DgW1He97SFAgMCVaGDNbhYw9OMg2/+GFwqEVPo9CE
Geij5hDqUNNiTJXw8TnN4+qZkS/TgUNifDYgeeBgFX0
-> 7"g?*xa-grease TqZr .ajDT
D6cnUIX7jakOr21bdS3eL09/9FfnfF0CWV/zDli9fyAhTZlMyTsuI2o/DfEVRhTK
7V63izWxQdEypcDMSA
--- JBlPDVll9EvqwgCAyTXV8d39eRI4uBaK0BVQ+rzHnfI
'ú˜<CB9C>Þ_¨Lã<4C>pà%]YÂ#³Üž¡ZóÁY„ŒßE
êøyí"®Â…3ˆ«Sõ<C3B5>-ë†ßJ˜LF±|
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
<EFBFBD><20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ

BIN
machines/nixos/compute01/secrets/dgsi-kanidm_auth_token_file
View file

Binary file not shown.

56
machines/nixos/compute01/secrets/dgsi-kanidm_secret_file
View file

@ -1,30 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA T4jUAfEbqZeKVCtMSGVRlr074BIVq+jlR/G13tpnXgo
ZXiD747nT+G3dtcKWNM1kMHR1uJ1eQh4/iawCp8i4e4
-> ssh-ed25519 QlRB9Q wz2UG5T+/lXYr93YyzqthxZVJMfjU1eJ61MU1Z1tYzk
Mfs4qTlcTUpyP9S0EstsO6bax6i3vdO7eAG09FBBl1k
-> ssh-ed25519 r+nK/Q 10h6nUBmiEWzadgT6UvvDGNKmYZzz/Cb7xcK/W8y6kY
C3/SXK0SvKCbhMYmYdsibjqesFK3xmd2Fn4IVQocULY
-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
-> ssh-rsa krWCLQ
UXpnd8X/EY6dn3u2I48gi1cd4cT//B3d5+AANbpjdL2+RfzUIgHjUNN1RraJTknq
N8badBFKBVVgMr1FnrUgmdd68O/AwNRPKiNYLD/ZfBJFgk1Kzrphjnq7gHUvHAMx
o2Vzc/nyksUG9XXSR3iC/Q4Oi0CCfRsk3oLP6hSyvk5PO3VkXsvoieNq2flmUTjf
HvWr0fynSpbuTQfSS65ekbf0Mxu2zbXJoIsS8VQnTAhyX0A2lri/iRPHOTFX/HrO
5M0o1XCt53IaIlAi9A57SMrSv2IFfexn1EKnsepEEoAjVtbnFJfqHJtpxPY68Ncp
B+vA+13TQHg2K6gJv+DKZQ
-> ssh-ed25519 /vwQcQ kgjPpgPK/gx8/NuSjUX7gcfmwXCrLH4yQeQCuRe9L3Y
ZTDBFoLO2/6yWtrvZMS/AL7koshruGI4XKAWREoxfM0
-> ssh-ed25519 0R97PA DvbbzsFUmA08ayCOIdXkB7X/52TBUfpgSPuycvegViU
Fg/GHq+1CsD7oswn8TCPnaFF8ArROtw0TDh7+6ue4Yc
-> ssh-ed25519 JGx7Ng 4PBlsox0MtUtFmHpLYqARYo9LWRKN5aLhvHKaw3aIE0
mXY6Yotc+6WyNJ+Vc6uFoUnTafEG3/rCMZ1k0bpGkoc
-> ssh-ed25519 bUjjig cTdkNYGkx8b8h7F9TcALgvRC1bOR0WFkJqQIvH/+1gU
EgOjW0JoiDe1yeeByQOJk7l/GtcGfJ3exrOhQ+RHaXY
-> ssh-ed25519 tDqJRg d+WxI9mSebWT0aIty/RbjFQOz1ttwF1nYuIV2qtukjw
Ey6biSaNfbQeM5Fyuar3WKZ3AVi5m5RHG7z9r05zuMI
-> ?PD-grease
lEhRWqLBMAvExk90mKDuCPFOcL1hgvuok6E6EqYZL5twYL7jjL76ARb4WlSX043h
iwyb6TgyD+CXMC/VCHao9Ht8+GOUaSu2wgMuWHqSr5O2/ic1XWJqPzOg5owVI9jS
zAk
--- u4nEfCXmy/DFbXvJiYG+KWte5F+7NX8F02YYYcZJkGc
ãŸfh‡S,%'Pþt§ËÊb<C38A>€Ñ/bc4“ÂÒœWÐ&”%â˲¿rcöhQ+1î-2Ä0·”:ÉŒT:7ß~<7E>励Î<>ÍœÿÁ
QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
cS3kE9LfNst2zBKHBGBOHQ
-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
-> l$R6Y:c1-grease
MY0HS+ErZAtAhg
--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H˜Èî¼¼2'k4Ž¥zÿqȦì'ÍNò!{@qxÎ,ƒ+iTû

BIN
machines/nixos/compute01/secrets/dgsi-secret_key_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/dgsi-x509_cert_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/dgsi-x509_key_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/ds-fr-secret_file
View file

Binary file not shown.

53
machines/nixos/compute01/secrets/grafana-oauth_client_secret_file
View file

@ -1,29 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA hVL1kmwXRLbZ/Ah9zhIoGMjk0c1SyPqknF0CU1Awy3I
s1Ft31J46IF2rgE5AgIN+ztDPF6hXRaIiZDlx0N3vuM
-> ssh-ed25519 QlRB9Q jUE1ZWEo3cn879tne+yqgaqp6BAE4NKK0mG5MHBaDgU
3e9jYZOh6v/y7BGqAR7pNdYDrWITS182YKaXFFZfFBs
-> ssh-ed25519 r+nK/Q gYSBl8PnNl/nXV6ruo4tBOkjCeQ57v9exdpaH8ufHxs
CI1SrDgpgDTpJie7jqJqqlpSomae6sq9hhKFKafd1ZU
-> ssh-ed25519 jIXfPA jjStc+COqzn2fkEU5y9p+h3KPL7ip0Sk7wwdjGME5Ag
2eYwXQs/IbgzeEP1vFy9OLOhPVnyq4cki7voHSXKomQ
-> ssh-ed25519 QlRB9Q rqJ1GzzA5IMgZoQD/u35k/qVr1GEbicWGCpDwzbSoRQ
cqGLtH53VWP5Z21pjllWRGRO2PkMSOQftF/WHAldW0Q
-> ssh-ed25519 r+nK/Q oPY6OIrUHYr3NSOes0KGNBjZJse4bNso3nGoKfqdOgw
8CJeNP6AdhUTWFTiYpswsottSI1C25RGOMaxHsnAeNc
-> ssh-rsa krWCLQ
pd3lb1ueDnhsVQITwty2nEp1yd58cIBTJFqRBMrx/QXnPePLZS/UC4BtLs4OClp0
Oo/d2w7jOw8q+YoBoT0h+bZ9ZZutW8GYAy5nhk6rfa6GC0evXomspRD8ESmH1AHP
38dNJeWDlvlhCObOGKRk5T5RwPUJbpxHjNcL/68kWR/iNBhGKWugrAVIu5WiocG4
/XJObZCSPq/T5MfJevhNtrDpimc812nJMTmnZwqa1rPZopLhRNEQ/3Tku8qmcCyC
IYdLjCuwLktWIQOONgTAT/W9zSdyEcnsfUKSJ8cwHeIovYes7fH0cIHLjqdY3JgD
aHd2PDp7qA6GgxDvpCWs3w
-> ssh-ed25519 /vwQcQ zWeNuyYKQSCrHjEHSfF54KBUefGhzSNKFdqzvTdROgc
JAxfrVcMbUfzOcBy6w54zlLBNy6E1e5bg5OUgWgAgMc
-> ssh-ed25519 0R97PA zS6ZNYbG/lmIPFZgokWXU9GMgACuiFkVm6C6GPxY7Fs
3mbNUNcn9qXUJYt2HhV2L2CqH3EuiZXaIb9eqH8RH54
-> ssh-ed25519 JGx7Ng htz84hxZ/FkYzcVN4v4ySg1t/VqkLup4AAFqsPFGvXY
Sc8vJheYh0bLEQDlMU6WAcII7wU1D864MnBmzyvQ3es
-> ssh-ed25519 bUjjig UlQJU1rm7lg8o1hhrYMbcyo8dEEsNhXg9eAXZbGFixo
lp0um7Xxv09TsqyyyLw3iY2tmnINsEQ8kkFX5dDXZIU
-> ssh-ed25519 tDqJRg lzEqYdxHRkuMHd/P0tib3rKhr6TaQ5JPJY22EPIrBB0
L53HwWFDF222/7sFvuSl8TH2LxgZ41dA1AeM9UKrpn4
-> }A-grease ][ gL'GE ZG]7lT!
I+0a5Pw26lub3Bq53vHmhPcApnt4
--- KxVdzLGIyPjOzg4l0mL4kRvOEWux/sv0h86j37ut3qA
<EFBFBD>?‡ñ‰3˜ÞJ†h$×z,G -úߢ£ŠlÒ¿yœ…U<73>d ú,fÑì4ƒnd» ÷EÞÔj
=É@klxtxÊMÿ^âÖÒ
BseveWlNY2C1A37CKs6rUBmJWDeYwr4JE6fGtjtvJG6oVaanIQqpAA0PkML1IG1V
tTimA7j4L8RT01UmHdpcWQUdR2ZjGBznFCfT46yW2/W/uCxrtHdRJKFur8ZZVfqg
3NNHTe87liDf9L1izNAhcMOWlSWXsDbj/xUYw07yopXoH9lA9bmbDytZp5oxrN5v
JLlWjfoiKu92RAUxobfqra2TUFM98ljAX0U2jv+Vadyz2HiDV0WRl3rsymlDNyQp
rWZRfNKmM4VVrBTB6raatgfdYaj9m3xN9x6xyTfz1Jw1etClrnvdTJOyROxR10B8
qJ10Vvy1cu1Yt3aTzmBSpQ
-> ssh-ed25519 /vwQcQ lBUUIhJo1cwZJAD8yEkPEjc3Wm5laQ4+oL47g0UUzDI
oDMv1BAaAuoWL/lWb08l7sfz7Hjt7syFGxKlJ90IWx4
-> ssh-ed25519 0R97PA oJ/bnbgfrfnozCOWyhPGrdhDD1N2VFVOhN56py0Lvic
3MFXDBDOASpUqg9ZkBCQDc7oCaJSyc77cEHYZ41O8Fk
-> ssh-ed25519 JGx7Ng lnd0RjCT6leBvk4uLXYWt+BeqstIycHYtWkbEhUqPjI
i9IVIwDe80nRV8jk3YLqyqDXzatC0PwGM6yMmZT8DeA
-> ssh-ed25519 bUjjig MFRe8FP5AQPHAUfLr3VLNAqEnnYI8wThQbFunl8fuj0
U5//sg3BRjSvp4NbH9RqD9vugee3cEnNDRuKLaf506I
-> ssh-ed25519 tDqJRg txHQKcCUKCAxc0/ZYL1IqeXfbjlGz74ccKZ7kj2bVSw
4YzZQw7PyPGBoWw6GuBsdQo3p3f+XEbOdpGCXfOeHic
-> IOpsGs-grease
JFzNAbIaA7nJkfBBACoJDaQsVCo5TmArRwHtu5W91+YxSoyj22D0
--- K4Uw4L8YfGsdUQfdxwm1zxkABRBBjORNIDoHv+sjosI
,Â!!§øäç›?K¬Õ§!ò%™ô B¨åö¦*vßc?â:;ð ãÎ{?.½EØ,þ˜;%Ä0iq^tl¨l=±Ž6.xvü\<5C>

49
machines/nixos/compute01/secrets/grafana-smtp_password_file
View file

@ -1,29 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA IbtRuAG6Kzbhc2PlWpK5yyFbp+LIB9rjKg00utc/IGE
bR9pkoSt0Q5thWv5UVZLvdrLuc8UD6g+JcHw6QNDX6k
-> ssh-ed25519 QlRB9Q 3+tLWqpcnA1OVn/W1JSN4PwOYzQ5/YC6AiUvcMrkaxY
nYfnHE51S3ca6reUl2YUlSFKzm0U5NqzagOjaY5uMk0
-> ssh-ed25519 r+nK/Q sohcJr874WLIOna9rom1De34ny5f2HM+hJg06+WwE04
ipl4w1lrAWdqJaNyCDLEc3Z1NPwXcPWbsKyHu7tW7fY
-> ssh-ed25519 tDqJRg 81QjxFKkN+8VVGbQIAuM45veIGdQemg8CUTdPoH2QGs
YotUqCNICfvb/Flf3RHZRLJ93foKpAFB3AOjkol+EIc
-> ssh-ed25519 jIXfPA Kb01OMjnns0qo3LztzEnTShUs2aH0DZzDGDiE3WcqiA
aqdKE5MHxzCCGoIuZSOPIVSSQi75pifkQq+HptU33i0
-> ssh-ed25519 QlRB9Q eo5FA1T5eYatUmM41+RZc0y7ZlHembU+7YduHKUsFnA
tlDL2I+GFsqxiYFZKYNv/F48DnlsmqNLkB6hDbiTFhA
-> ssh-ed25519 r+nK/Q 6Zt+yfT1jAEjO53BR8Buk2nQomxRoFJgYpBRgP3CmR8
hQ8fsGpSWJI7NIpHLCVspMtsicxaiWwigXDzk20pRfE
-> ssh-rsa krWCLQ
K8m41McFMzwXxUfIPpYvsCx8I3ZBPuQMYA4zD/q/1Vq/ZUNHFVsBzHoGjViTGOdd
fN+amhHPZXwNleTeFKeENZzXn93qbas5FSjX0JoDYWGWGqCN43frnXOhtLYC9AfO
rxRblnG0VDqy+XxTRaoDU5OfPUjdsNIGjV194V8J84E2bDZy/zhivw9Fcjw7xDVN
Lvz/Dn0yjgbQmVQ1K84KxgHEb5RU1Yarzr9yej5hiuuz12mYDLMF84rfuT+xf0OU
KgF3RC8HDzImAsHeMV5DiweOHMRA8+P7luRZKJ221wLFY92LeMUV49WjuBbsFx8l
6AJtxBh8bnbITlgx3sGC0g
-> ssh-ed25519 /vwQcQ jD9GfjVQxYgv9Dda40z0NU4d9pdT+NkZAgk9kc+EI0U
aCsoQBaft5xXDcI1MQilkzjqPBmW78Io1FUHnMrn+2o
-> ssh-ed25519 0R97PA USEH3luo1q/Pw4272tR4a/xKNm3zrR6GwVbukYZvcCI
9QVpTEEF4PvKpEL3zuDdPvqJiBwnmrZfD7rvftXRRE0
-> ssh-ed25519 JGx7Ng CIyEuPUwiOkbY7M2zWKXDqh96ZcZyyis++HwoGRmBSY
QsOf9f58FxoQOppX3WwDZD6ryCpdLcSoGlsaNiWDUZA
-> ssh-ed25519 bUjjig VWzeMwqnOt1dvFD835q7Hy478FJsbSUvH9Fe6gyq61k
T4A80ss42lQdiGyFW5Ev+yMG8eEsiFIl4fsad8FkF88
-> ssh-ed25519 tDqJRg X8WVBOawfF0JSOa3XUmzUywhA0XftcTZft54vtlMBjU
jB9xbAYENwUgZ0AhhRIpnw4F31IzV9AmBJJqHxmkRV0
-> (p[Ai-grease
wz3ew3pJtFtkYj6zaPn+yHNkrVaIJF+p/eA+nizdt3Fex/mfzbbahJjAJRyyFNS8
i3kLwsEE9f1RfHDxYDmcN1YP8dEzwYGsYRgcQx7PgRIPQ4c
--- QA7YR9j4p37On+xI+dMXSwsY+TU+0UXU1Nv/7pj1uNo
Šüã'Htt$ c6éÿЧ~RT¸AÃ}ÂYü™'õQ.JÈçSÌø¾ <0A>²g÷YN WßžöÐÓÔk
FK1ozQkZ73MkzBzhLmcVAdNMvL+UzxCSVc26in+GRnZdDOEW0HnvYSxjnCkRfFZ5
l8Eo69JFVufJgKQ+Yx5xE3hfvZCEp7ih5ZmcD7rleLDGLeW4pIvamiUd/YGvGpw0
G2ZNHHATDviTlK344rc29mx/Dk01bSoAiiQJ+PiLa+bD1Uv/sXuyimm/wos3PeZV
7lcwu/Ug0k2RzhntYYjZML0fgdHlCMEiBRFqMaGAI2snTOnOtfcMb+0z0eeEUVrx
O9wCOwxj4GYr8tYQNujF6QUPF/sEOGXKlMCoK4OExjhfNL2Rrf1QTF1rlgOTsToP
sS8wCH/Gg7UQUb7LqmyA1g
-> ssh-ed25519 /vwQcQ dFeVQpXMkVKV3XLnoaSfIr092hEflFaqj5oH5VJlRVI
eM+EvVHPUblmDpIwLNE7CpU8RHYT/6v11gqliRFrT90
-> ssh-ed25519 0R97PA 1VraTBHXimUuyTRmMFzXcBFGZ+GWDS0eX08RMpRfqFo
24uyDJC0PugE8qsZRVHsUv4EQ89fm5dB6J18Dv7d3NM
-> ssh-ed25519 JGx7Ng j2v9R9ki2tPgFww+oaKAWtarDDUSQXSWLszaGqRi6SU
Xy0bFe+yrcuTMrBqbtmnlF6X6bkxXaQqwrtabTlsXPc
--- p9c3bc4gDKhcJkmiCIR9RJvTxywuPVeenqvgCuJgw6M
ágTÁôÃeÔˆ/<2F>Ë|hg*ý4DY¥íÿØä\Å”$œg᯿*°¶|uþB²gš?õ<19><:;Ýç@J$[dô'

51
machines/nixos/compute01/secrets/hedgedoc-environment_file
View file

@ -1,28 +1,27 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA iD1mAZkrCOQkMaTUnYt4ROPDOZJYv0tCrH44ssNT81U
6HFV/nz9SVcSvCNvAqQ3VvP6vdKvRSvx7hqRDJ5hHKs
-> ssh-ed25519 QlRB9Q Hig+u6pvVSx3EEc6Ai3XLRs82ca5YuN1INg0vjDDTg4
PrEEXiGZ3f4MMly+bd6olHIMVGYEaojpNHlEcz7sUEI
-> ssh-ed25519 r+nK/Q YomH+woMPRoJTJgI3o1W79QrC1kkbicatIfdlr/IVQk
J8xx70gdxATeV4MzIWbC6pDAVJTYrtz1V0NTlw3wiRM
-> ssh-ed25519 tDqJRg KxI9SGnIHimjqNshpstOhMsH2FzpAZLNWHdzQ/pj5U0
1v+gVfblcSVA2vFcDShVW0iZ/tqMmedi/DELzCkhK08
-> ssh-ed25519 jIXfPA XHM6n4X/vKSw5zvHp9DV/ZWBAvbX7x0fMrCI3LuAEE0
0D4QO7C3A4JaXLlpUJPyn+lK9SB8KdgZIGD0Hsa27fQ
-> ssh-ed25519 QlRB9Q ttXkEpXp6RzjsgxvFJYDrKgyLj9sUMi25R1b9LVP3W0
qcOYZBdWifOzBdsZeYaJRsrPc1GGGmMZh3++eLWMDr4
-> ssh-ed25519 r+nK/Q M8nhPdL5EzyY+0FY4Ztq7cMnNmGaROocFKQD4Mt1o1Q
Gx04awJFu42AoV72PIh+wrvoXVPs1/toTSoxWzimJgI
-> ssh-rsa krWCLQ
BMNFaL9ZpdUhxPNm6QbW3Wqkrq2qVc8s5KZd31if3+XcASIndl5DNXxaFInlgsqL
P0nTn6pomQJ0L5cIFLbA8CiDTvjTkJH40SvpvqXwCe5/zWy1vH39OatUnTNpY9X1
Cu/L7WmRcvkFlhBlXs/mvhTrc8x9Sj+sBm5fqmn31/f/ToML8glYq7leC5JIMZbJ
7ifYoSw1j5LGwv/UjlsV7hfuo8op96EDMkSVWzsz5itUHaTrY5bMW5CtcYh6o6AE
KxqgJ2swnAB2tJHeNi8cJFy9zy/A4HZPXXnrAr8dU5FVvcKT7CntBdUrh9W5J5Dz
Vaw9epfpAPjrn9IQwQOI0Q
-> ssh-ed25519 /vwQcQ fEb7dbuNcnVm7haAJqUKeoc4FEIyvJNDI1cIIFWSNU4
jeGQfLGKQb7OpAzg7FFHwX+jz//Pg9H/o09PUq48A7E
-> ssh-ed25519 0R97PA X4Huf5+34+xLaOOvKlnSUQ0TT6pZMb8pIgYt4e5EWmQ
92/Xas3RArB2B3+790UiG42SDr48/2RpT66T1UmM7b8
-> ssh-ed25519 JGx7Ng +6VCrsrUfbiUfQAhALnYo6mZ+VF7Zp4Pv9x1t2qzqwk
6U9aMrFT/dHxlDXNgRCsYVGZABKCimqbHkU/Y1CZPkU
-> ssh-ed25519 bUjjig dmwpLQ6bn2ZtrUPuf+Ui1ytvOHkpd7QO/NP4sxd830o
FMNq+D0c95tjmJwivIdQDcXv71WgOA/H0rLlqrr0NAk
-> ssh-ed25519 tDqJRg voyLa5+Mm2wOw1+OLL6k/80YXhUi3rUXUZWKpLM4/G8
WAIFaHu/jBkzxZEwrBjPxvwdtaAXV8C0PRAMpOvEh0E
-> #UO8?K~-grease EWE~ wY% s
d8YvbyhQWgl6oLbJbrL3E8iqbGOflxDuXPWAYaS6Tl7+inC7myd6PRNZ
--- HKcqC1+H/F0pa8wgtcUo5V9y58uyPF0liPTmueD6L5s
ˆe.æ7¢c@°ÞcWêhó}É—,r¯mï˜ñô<C3B1><C3B4>I`/Â^IaåS#È ø_~<7E>ñkÉç hmâ6ÞÔ[¾Û” zÔhXRA»ûÛc$ZO_ƒÏ‰-»JO×+@ƹ<C386>¯¸a`BH¢ wHpÙpL¯
Nw0fA8ph/Hofg4FbI6Tn3DWZXKty94CATWoGzjQD0sITszOarq5jAMxZl2BEw4Pz
RYvp65UIJC4zA7N7I7BBmtSbk1ztx1GGAjQZFMcyPYkoZJpagrDdgZMhR04KiNRN
81yG0nPHFlhIOByu+mK2NlvSty0q2bfEbinEUKz3gYqqQVxpg0sVTK79m+w9Fyq1
1U/6wP3UzOcwZ3Kx7ZWcnb+2RL+d70XFJEjYt59k8n8qfQuU4+3Lcol2CmbP7S+Z
S80Jvb2oRfLHB/0asuoo2tQ4SahW3K/1EcnQh3yOruIRDInm3CENDOprffqNcj7D
UndedK+2AzN3r/Dbr4aerw
-> ssh-ed25519 /vwQcQ oCD3GfzWpw+LE7bZGBYXLS289GLpTVcqWcnPukkgW3g
p3Tvvo8wb9Lv8rWZvh0BWbPvxYa1CYIGqqR5D14KBzY
-> ssh-ed25519 0R97PA 0H8OwGLeauHpSQvJ0yXJiIHxCl5aEJOXwe/HCRN3Q1w
/9son3mlGKOzSFQRDG2S/3abKrAnIxHho8EhgAQe8gc
-> ssh-ed25519 JGx7Ng DNtqL7Qj0/MU9WibUUFb2y/MpXbNrE6iMaJuCJQjREA
mqOEERErLEarNAzg453NIiWOfHd/ohDartg5+Ud3C7I
-> >Qzgp+-grease Tbc'Py} $ck/
TVvQj9iSMPaXM91Z74ylxesYetcaGAZyRQ5lRnUTE3Rd8G4hcnXNxzeD3/4GM+zY
s8ptyOVEqYQQJyvGg/58wu0
--- vhTC+XJU8C8U6FYqGPDv92pkSF54qNqqcIbZJtykFG8
ÑÜýH²Ra&·CçÃÍ»)¼\'ÿå#OäJÏuˆ_·]½ÓÍnmSXô<58>Ár&u^ãecŸ_?ÙUyì_åJ^—}¿¶!3ÙYüУ7Ò|èâêˆè€¥ÎíØyÊÄŽúÅÁ¿rn[[w¦x

49
machines/nixos/compute01/secrets/librenms-database_password_file
View file

@ -1,29 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA UxfxSZSNMeVYMYCahDmlrf3mdMpyFzcj+81nBBCECgk
lYiIx4BvqqB1CfM/Y+Y1LRZBDzGkRKdfa0HLfPCzQUE
-> ssh-ed25519 QlRB9Q I13TmGvHd/x40ML386PyWmdd/ub3Q69MqPi1GzEwgVI
8ym5O+kh3JBJ91vizO8jODFN9M2OAUIOijmI5QKzguQ
-> ssh-ed25519 r+nK/Q RPDuBopRVTVPKRqZgEh2XfchP9XCPjzhuW+hu2LCbBk
BYZJvcH3BQGh9CSkvREz1JzyksVN8TSuilW2ww2kXho
-> ssh-ed25519 tDqJRg F6kru2M2ZD++ylqZ5oRwHa+zz/vO+y0ixCB7oNGt3no
jzeyn2DIiRMS6pUyAxOFmsawWhXCPWJxAE73HNpfjMI
-> ssh-ed25519 jIXfPA lH3MYyh0uy32pAwTWeMRM1X8ThIGccfH4CGUNeO/ezY
R4D0dxxPsgrC63gTTae4uLJ8J5Kf4ZetIn4Yx4RVo+0
-> ssh-ed25519 QlRB9Q tOTcm1/j5R7lq6jWTXS/WuQBWps2pmI0i+tzwqvvQkQ
n/+GFXwdAwVvPv6wEOBRwDzQBG8vKooCWIUPBRsxE/c
-> ssh-ed25519 r+nK/Q ZTzwGvZEnw578JC8ROqVaG2ejCpHSkbhuLZLu8sxMWk
0pWfDKzeLPpUd2+RdkXOvMhQaAXK7AHgOMOkPcjQP9E
-> ssh-rsa krWCLQ
jFEaahbYnGF9WTvaW5FmBIrhNwt/ZiaQv04VZHQnOhJRCmJViExZl2+yCqHlK4nF
X5qbe51FwJX1VyF4x74tVdTb3PR1hx1JdncEXUdr2/8DSsddAGTowQl2RA8GBpd4
K2YiRjMPTvShmfXZUncqR8UOB97FIOMMMjXZmDN+T2D4xZ522g7mvPLq/a9T9iB6
cvcwu4PVvTTO+oM7hWj3KYM1aMtRlNscgPaJSvZ5f3MOAEo4qdDlERC473jc/0ez
yRNz1B4AjO4YWWXmLgPrh2n+kCkv4ZI5nUHgO8kCNuHLD8bX5eeQCn1fx6F2bWuE
f5c9CI4X69z0HQDZWVSwcw
-> ssh-ed25519 /vwQcQ 9iCDJiFcwJ/2GZ1fP0BiUUDfSb8ByldRGMUMNxp1gTE
khKANSZ8UIF9jCm32Y2Pn0e04Qr42eKPfTOPTQdnKEs
-> ssh-ed25519 0R97PA qacag6Tw7RwyACjvRUQU25252nDQxDxepGuUg4e82QY
UAYVIwprsmpC7GYPZNlLAKjLQkbZ1DmXy5fdGyL3az4
-> ssh-ed25519 JGx7Ng Q6GFfKxfoI4rD1smg3NwD9Q8IqP9dFCmhBIcompCW2c
B+S+wCC7oe8CXH1/7n45U2XssrzB1xHYuJX0BPQa4tY
-> ssh-ed25519 bUjjig ZIXCFGNK5HSrVCzXw+d89RtmVYkricFsN4ITXhZYnAI
AryndaatuETXTDqFO+PgjU6X9N56DgfhTtZA660I9zI
-> ssh-ed25519 tDqJRg YyWweqs0fGEtC/t/lW2Mf8uSby7lg/p00tz51qchz2o
8bVaNX8O4+GOTvj+DVINnbQdLo0Os5nVwYygobJqLbI
-> .-grease
+TO+CNhkq/HSoBucxW7tIR6mZW6vKF/Zb1zhIBB8juSR0Tu8yw0JArAmWR5dJIRH
fDlE8JfUaY67j/KXN3ZhNvtVxzzmpK1HBG8Oii8brlVCSR6dDSLxqCHXQJo
--- 0CxvM54IJkhoH/NGTqvbcnwBi7k9txCFSFyoEk15eeM
D<EFBFBD>À/¡öl,_öÌ(4 §{÷,^ò§ƒYª'ŠâB†«U»M±à‡^¤î2ßy‰n{Ü£ëßË
RIkTbc41aHXyybIJw3mMww5b46pb5rhjEvV8w+cU4vb7xaPt9fYTxPQa8eUZ28md
dwp11I2XQ/ujt/ECzXcgXboOVvd1GVgjNzJQhgXVJ96AC9Q/Jh8VXLW0/gxNvVjA
L54RWgQUo7EuFcFfxQksfblXIo4lNrDwu+5R/YkWs9NRMAgTDJYL13s4oUKykQ1F
SmZ0wJc+h42xH/+RZtq4Y65twbLkMzfM6BcwX+veR+AEI1FOtaACUmShePFyHdqT
uMdr6u9mxdS3zvB3WYLkVGpOSgkiFlsE7M7gXz8qFMMcd2aDs/Kb3oZ+nijRM9s1
HUt9MzwAPRUHN/egcmQ0QQ
-> ssh-ed25519 /vwQcQ EvwZHCvEyMoMAupu0K3a8HJq22L+v9w4Slvf40mpaz4
1n9tK86NsSv63llpifEEovq6MJSCbvaPX0SK7sxh1TA
-> ssh-ed25519 0R97PA r8hpgykfbDR5sUbHFyWqELUQ87k1oQrACo3iHqwmWFg
56Yg1iRQKxa57+eAekHj8faRX/FbSrtmII79HlJjoxs
-> ssh-ed25519 JGx7Ng ELVGzyFAxq1tUzmMGp8TMD1nk24KHTpGf0QhVw7MWm0
3FfQf6psLRkz2j80CUHS3DKcPhQ3ObK0VZ+ZW3x0YxY
--- a9E7zbh0zWgapnThLpfI6nlQU8feDbz3WX/52I5zi0E
&vcGô•ÈÛŒ• ëÚ}cH· êl/¾n°×%Þ‹ä¥Â †ÍÌ‚ÀŽ-¦eqkà³÷Ã<C3B7>

BIN
machines/nixos/compute01/secrets/librenms-environment_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/mastodon-extra_env_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/mastodon-smtp-password
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/netbox-environment_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/nextcloud-adminpass_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/nextcloud-s3_secret_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/nimbolus-kms_key
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/nimbolus-s3_secret
View file

Binary file not shown.

29
machines/nixos/compute01/secrets/opengist-environment_file
View file

@ -1,29 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA JNfsFoJGXnmO/7kJzoSCpnlrFTLUmfAdPzRTbQ38y0g
/H7K+ul5RDrcHkyLBtRyfJ8H6GejhPHBPcjr57p2dR8
-> ssh-ed25519 QlRB9Q kar7CorawTph0DXfvXHwqmb6HtCxuypWAgl2a56280w
YLkCnrC50mYWYEnfFnFXH9mkuOMkeK0E/oxZgX9ywbU
-> ssh-ed25519 r+nK/Q 6oTzheNd4Om0tRSFbdDMrZFTRcr4bRHuVgbiNDDkAgc
W/n/tUksbKq1EIiyVMf88PaWLSXGoK+HKwdTGn3Wk2M
-> ssh-rsa krWCLQ
Kb9dDyCKWBhdGbWbLYJJIUZfhD2Dj4Owr1XBxdU980mf8d+zzWI38TiqTrhsx4qH
9HLxC2SwPRC9hXthRtg6LvZKqBP+IJx5DlnhUTgURPEaMVItrrLcQ7cSOR3TGMaX
ogG5QIhqdRqmADLnekqILyow4DIzfOy8iFS8fLSCNNt8/tUdxSAtCr8h2zt+P9gk
Ttj/5Fx0n6CgXJbu0MUZwfZMNQ+IKINYCxHzEoItE6cny6fq4A0NUDZDo1LfAJrH
VL5vxBJuiCWs5TFTpj+VSA+/eVpPUk+FVWoeMUiUjC+igKuQ97FqvxuDOOXlPqLr
JlgacRM430CbkBuH0A6QlQ
-> ssh-ed25519 /vwQcQ UiTOVK+xYcXKBg5150GOAxaQNPt6mxY+DJa6UIQhu18
lquX1OrjzFIL2O1jR52Cgru97xTekTLxJMagznFtCeM
-> ssh-ed25519 0R97PA +08nkAVK/MKWBHtZLWn+Sv/CMYpbtY/rfKrnX5Xw+n0
ZOWpBWHknZJXu3iiCVvpF6yMKJIwE8DmLUi64g5LchI
-> ssh-ed25519 JGx7Ng LglIUnEGGqTv7ETmHK1QB6yFXGxPW2kQvxNJEATJxCA
+npYbiJwSyfYds6ZsbslH3Im78ioJ2zFT/BMJBZ8BtE
-> ssh-ed25519 bUjjig sxUMZhXfRLo2x3lvDEF+rkI2tnlFPO/RxDdnf1Fok10
GdFTIJgohQ2mmB7POnIuIIZDYXBLGTIUwyyN24aDwaU
-> ssh-ed25519 tDqJRg 9FTN1AHlFiKNQ8my3VdFxrE4KihTDfwpZb76MjUUKBk
gT/JYoPyeC2oAuKimC4CW4YxpmiRrpH7ieijWa7cJKU
-> IHL}*`]-grease tS ORa&TnK9 GwCJ} &iN7g?p$
aK0AN/FCvNkuJZc8F2Jo2ofuV4uW4fP1a+Yr9YNi1Q
--- 841/vFrnGSHrpybkCbmcAxagGsWWiZwif6smwKMdXJg
sag#ØŒ9F¢<46>¾ŽîV++ÞÈ…L¢~mi8è%ûP¼ãcõWZCØh¦[=!ŸÍ£àhZ#<>ì=ÔLÜúTzèPþŽY·ªà<C2AA>ÔXÊCÍ
b½ÌØ¥² o—,Ö\®¼eDtkàÁµTö¹Ç{«˜#°Ùà<06>ZƤ]ÜoñãÞÉa%å§ÐsŽÅÉDŠ­[Thº±8(û<

BIN
machines/nixos/compute01/secrets/outline-oidc_client_secret_file
View file

Binary file not shown.

52
machines/nixos/compute01/secrets/outline-smtp_password_file
View file

@ -1,30 +1,26 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA m+7IUJ4dBN0RuDWyhEgrevr+QfBHnVNidBbNomKxdCQ
9GJKz/o1h7y9xt0KQ8tj7mlI/+Qgn9/kFqeeGeon9AA
-> ssh-ed25519 QlRB9Q 1P8zYu+/zzpnBFzGnu4k9VduwyBeJZP6PPWAouoZrUA
PBG9A/Q2Yy4rTADreGPMKsdWZ9JxjctYP2iAvp+SNCE
-> ssh-ed25519 r+nK/Q c4iQr3ULHFOlHqFhkCD/dvSspasdcuj0Z257Qc6UfmY
j0M1F7Y/EvgEVWbqMAtIjwPLjxMlsytWpeiOSRI8QF4
-> ssh-ed25519 tDqJRg eFczeKxbba1gwn822mWYUNmZNnNeEfXTRkGCyDaiklo
S/f2Wcr/Rvu4RA6dfhTsRPJwSD7IQRJh31C0tA1o2gM
-> ssh-ed25519 jIXfPA SoTCqUmBludbO2xiowGA2lYUopGx7VU+yOn//6IAYEg
IguizihadnsOJSEVa9OVOL7jvrtI0hJkqm5WZMsWz/g
-> ssh-ed25519 QlRB9Q jRUO7iTPtVXKVOdIQcyZmfvgK4ULrHH8C5tb4dkoVk8
ZbXBjPeT9BcFpCw1YIVHsEqOKm4f640M8OJcD4xi760
-> ssh-ed25519 r+nK/Q faReoyDFkhSROsdiYn9IsZMszVu1sOrG7/QlwtJOAho
ov3T4AI7PzldeWYXSRDegq3qTGaZJb2JM3JsErKc4g0
-> ssh-rsa krWCLQ
fctsXVJdNP3wfkytxlPn1aEWbzLDR35ISenzmicBTflQTfliJ0IPMnv2aUGmPE15
VcFzr+liJ6ge1ddW3ZOCpUmMvhQDXO9mdUiaKFgQTSyl2CWL3/AQYYl41Dlmiwx7
+FMzeevEeVUs1yfC4wXJAPRyvQBehLjZqZDvg7bkR+exOuSvVikALP/MhDiUJDE+
70N/IpmsHbIifSHaDieriezb+Kf1CLMdtwNffj5Kgw8vfipwCVtQ3nIrZ2zXVwmg
ecrkSnJ/lHuW7CTUV7g7Lc6ysTzBubuOjIyeVcN3a2h6qQRZTJsAN33MrKuztSzW
uTBU1ivGuwIrO5v+CMEoUQ
-> ssh-ed25519 /vwQcQ KMVTlO/RdFN3MNFCDBpk81l4YuDNX8bBdBP5w85JbxQ
Alr1uvSJnNtPHHS9MipjIHtuUiUK4bNizvkD9szTePY
-> ssh-ed25519 0R97PA qu5XxGKeF34jdxRfHKdnwuPDx2CmjYdooOG4gf4jhjs
zsHGQK+7s6rO6PN1yB+wtzInmWa/M7YHUGD69tBjbcQ
-> ssh-ed25519 JGx7Ng cRwSmWzmgUvyZ/QNhYsQwhDvaX4nuUYrqeRjYR9K0j0
RGWuwAMbINkrR4CcMFClzC1sgUuGbCbh5TNSRm0D15U
-> ssh-ed25519 bUjjig 9hsGezuEc/q0FypRZ5kvRnyb3xGB7jbaVnqhkcSRJAc
BciRCrTYxjI0QZEGDhRBMj9FjRLmYO3VumyQiWu5GKo
-> ssh-ed25519 tDqJRg 4Q71C0eGhScf005rYTnBEEuyl+Vh7q3XGN3yqCNuJ2A
yEloKnOfqOKlovtk2apimIiR/JbbsW9Ksqf0gwHR0YA
-> ;\-grease
nujkR3icemqny/EtOa/HOTvLbCZ9fnoayA
--- fV/odcPBnF/idvxov4zLldgxIxNMF8bU8vVlMmeDh74
Eú<E28098>9P+õL[„â½™µ -Z}ë·D³
2§jìä Œìði0=¶ŽÞé]Ž
ŠƸJ<C2B8>DÐF±@Ö¬
ZUTsm0W0l+Ucod66o5UIMgr+7HNbv/8BX6aFhgwb29+1A7XhDmKR4zykYclg/SWG
eWUZNuKpPU0RjIKM6Ijn5f7imr3U8UX2yq06oUQ+IZoljP94Q7h7JqdBVlI3SHjm
7rd4qPJM3eFZAPtv0RgHHEfmjADI5j9pJY/g0ucRkuU2RsqhSJxkU7K5dIUd4r/Z
/rGpBlwryvtKFiOHpQGuusr6pLWHYXDRHd3yLk5m5VKgkUIpygelakIhXQ7RdSw/
Wn403eOEz0ZWKy9b0dk7s1nqBE9BLwW4WKxCYG2aegVWJeRjZSkeKjpXyO67+Gbl
L9Y9Soj4/Pl0LtMIKeUrXw
-> ssh-ed25519 /vwQcQ aXCrEhFaCpkWXDH7dIc75U/Zp4kasXH08vFvMPJIuxw
jR8h3NxfAd4oKZ0zrKsRCbssNsc7WoVvJ+FV6v0AnwU
-> ssh-ed25519 0R97PA XK0SqZtwHnW4QzFfym/Ts70SZ/voM3Vcy4hIJfcodUE
cTt80+v1IAIRbZckgSSBhYO4pWVaSP2fGQw5GWx+wS8
-> ssh-ed25519 JGx7Ng 5+miQtKCui673QvWbRRywF68KeCjeEZreT/l8+rXsW8
wEkDUJfpd5mPKrZLnq0Bvkrd86OFBQ86FWwqAR39yTM
-> /S9.@;7-grease TX< 1MD:2 "M2 G
OA
--- 2SAsxu0cZ8MqKKGWhQBA+2q5BimvFI4xrlZTjKY7/8Y
 ˆ9¸"™ÿfc ŸÉVBÓÌÆ­BAè«6r¹‰$ú¤ËàãNèuôÙ­ù¦êÈ6šêü²|,ñ‹¢`Æq

BIN
machines/nixos/compute01/secrets/outline-storage_secret_key_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/plausible-admin_user_password_file
View file

Binary file not shown.

52
machines/nixos/compute01/secrets/plausible-secret_key_base_file
View file

@ -1,28 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA EOVZYftVuD70yv1my+OilSk73L5LDx5GmnLbXwSo7m4
aUyR6YbR6knEj66g1l0+KD/URqWtFASub3KBGr1XlDE
-> ssh-ed25519 QlRB9Q lVNHcF0G8yNHBxBBVlcOAWNzbTF5Ip4nAncJ6mJWLDI
BcQaJeqYikVGaavCoR9K9V6OxRhqLKQA/JHFYW78jC4
-> ssh-ed25519 r+nK/Q N8y74TfnwHRAHZOWO144Pj2IS7/aRa5zLt5C+qP5AGs
YFrLMMplp+PFsyp2W4HhIhGuGqIaCPY5ecQqSiaeGR4
-> ssh-ed25519 jIXfPA T6TOJOuejaoxw3zdeLzGm0CrSkDCCIRenL7wMGnDtlU
dubdAXhc32S6BszHddOcMA6aStZLOvc+36s3nZsYFMU
-> ssh-ed25519 QlRB9Q akzRDbZzo0LwoS1cOwE/tYdz7M+6bhgI81d37d1GtBw
KsGqFhkjlcJNquMi2+1TfQDBy9qguwh5ED9KBg4Y2hU
-> ssh-ed25519 r+nK/Q bL6A9O6UnjjyY+iLvbQSvSTjXX38FLsNjaSngoQXHxY
YZ7Y11inKpzA2m6lro9XXX2qkW6FmkeFGZ3Ak6X+U2w
-> ssh-rsa krWCLQ
Jr74uZrVBfkqJt1+/T+mGFGSsDrvyhgkXklZ7NFX1vsh1OcetvSafLfueDuWj7w7
eBr1nsKo5Rt6s+8BaxdqpYH5XpCXSQps8S3EcB2H/U7Y7usQiy7blWNWDqSAiSvB
MjNHzWDsvPN9JvNtwp6NdtesvECg1loY/6Fk26c4vn0uE27rB2Y1u/F0H7ohodL4
ov/+b9wFdE9M5xmrkZ8e+k2/uc9YDDwNt4VbJLarCyxV0ED/2DkipXaYKJV+k3NS
ULMMgM+513v9gNoxlbwNLQN82wlkThb96qg64kHjgA9NjyX5Wo4Te/y3kpHVbcLW
WcSK1Rv7H27nGW3NH8naCw
-> ssh-ed25519 /vwQcQ LLKEBncoFW3em96FAhuA7iJd/IfYj/WXLO2GANRfp3k
Zk9WiA2ZOX0V4pYbTtAAGFC9SjQtc9BkNspdU1tEVfQ
-> ssh-ed25519 0R97PA W1yoJ1pg3wuH0UAvS3VcuEOK6gsPJH+4z5EUfKyhbCo
94pLXBDNmMoPYNvUctrUcHAu0C0Z5SRe8WiF0ihtTCk
-> ssh-ed25519 JGx7Ng mFFUlwmm7UE91FwzsxHCp0OQ53a3bWc9aGanNBlAhUk
mk//w82SA360u0dSI9W2Ylf2W9f3vVW8l0RmA6Xj8NM
-> ssh-ed25519 bUjjig gCoU2BLr6TnP3cojeuSSDkElkVZkb1ezu0jppLTndys
yhe+JiBsunv4uajmr/tJaz1GZGyoa7pz1MV+0X6UbgE
-> ssh-ed25519 tDqJRg zFmLdQp6rsupEZ20O0BOYWGHPs8wwumd0gjrNtqujzk
PL+dxP6kRYN51FWs4PGEa/uaIuWiUQZClJHMmt1T7Cg
-> =-grease
i1Woi7X4wMM8RzRWBpWNHfNx/QMHjIn0QfHqhYHR
--- HWXDdoo6BlN0ESmWD3eX1NlVJ67U9mtdIIuI2J4NqlU
'þ^9d$ÿÛ²šÂâÌT::µP°ÁN9>»’&˜gI?Kpæ=¦<>LÝ@þ§#m¢Óµ\czέ åÛšÄ76pÈË2ž6gÍLýÆeˆ>_=e<>ܱ€Š!0l ×p„‹¹ìÂè‚›ª.Tæmé¼]…Ü2K᪰Ñ6 éÑ”*¶^ï¬ÐuP…Ï©XKÀIÁÚ±Çã•2 §Ç«
dZVUqAyqrP3KHZlpu70IBU8U3I9IP71RzjbiF1rp4rOdz4iQ9ik88ai+hXVuadcN
DMl/7pIkVky6EL8JxFXTQhLivJUpO3NcN3iAS+CLKC+0EFVc03sLyCjn8IExO85r
Lec37ICk9n4LUNEA91A2h4C8U9TbDxCt7MLrIKcQtfFcd+4U1o9g3n19xo9PK1Ho
mcqTbUVgW1nOLxsEeCp5zsCQ+/8tFLcnK08yUB0RlWK+PDFZkk8u8Q2SYZjnaeEp
cwOhUnm/1a15IbW2oGCrVaEd/ymnLDJc6S7vXGpFDWHmOzvJ4Av9KZlGFYaWCjbV
7bGIgWkiQ7iJvTxzu0ZEqw
-> ssh-ed25519 /vwQcQ /DR3Kox7XkbdYQH7SyIc9atjwwe7Ah7hH/63RlzDd0g
k/199lCIfxR7l4ETJMEr1Ch1Zx8v3M5zn0b8mg6ip2k
-> ssh-ed25519 0R97PA H1PS+SlW5FNOf15eO6MKJ/nnVJQkfFMub0IzTS4PhDo
77zwCD0tbrLu4J0vS0RxPK3YZucFV1VYkUVoMTHjf2o
-> ssh-ed25519 JGx7Ng 2WIYPKkWXplInR8v1q22ygs7uYNfIzETeiCt5+MKQQQ
9Gsyr30kaNhxn+fUCBicvoA+hHiWpUf0d0pxRZauhMY
-> ssh-ed25519 5SY7Kg QTnBfvkMcnXpGITtaHr+mRZGogI1kTUqO4byfyMZhGE
89A/PPHVPeBQvTxCeXH8ITVDMkcsYUMbwatyw8NQ04E
-> ssh-ed25519 p/Mg4Q n6hQLuUv3QOMADJF0zpcALYqVUVi5tZHmKGmVZA0IVQ
ZXa+3y33kyo4vQxcEa2XTMIwjH2HE+bAKZw993PgROk
-> ssh-ed25519 tDqJRg Hf1KIZjUTTaHo18P1vWxaSehyKTFElBOovrCN0uJFCc
H8qGw8vIqp4bNiyon2uvTkrrd8lIYnMWnIfzS+w4QRQ
--- QOKOfU20JY1Sj+K20UUxgtPZ7JxKuZ1GtK+OKBZ1Zhg
Íúâ?º}àæ2æŽýiÐM}6BÖw#b2Ï´žËŠ¹ÍÊžvu´¿,Ö'.ŒWÔ”øIPýã'ixYÍ€*·šKoÎtXI#Àß6b`„1pʬòÍœˆ×"§lâSf(ˆ`UöëÄê6 kT°Á'µÎÔM@ÈÖå„hŸï®{WYŸØÝÏÂ<SN;UŒœ ݨÿ

53
machines/nixos/compute01/secrets/plausible-smtp_password_file
View file

@ -1,29 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA XhAEh11QDiM3M4FrmGRWQfZ7QTDGxj2WJcQoPOZvM1E
mnLpfpQcGlibT7WVC2SpXAZ4KxcYVE8S+whSTQZDhzs
-> ssh-ed25519 QlRB9Q QswuylxPSCSybIAy/doptgKWEmPMedcnp+1LaH329n8
RceXX0jIt+0KXU75zZuMkCkaA9b/KTrvf9LILAQWHHY
-> ssh-ed25519 r+nK/Q iFxmQUSeJkromKKFvjde07KIOG8eOmGVP6YgN602NTE
iJVUrre3LUvjG2vgaVSVZmJpsKIkUmZLWo/5OIqyJQs
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
iyiYHhzX+nKu9ApnEOE0Fyv3cxrBA+ZOfZtTSC1EbrzDRazJC7esZJdSGA3xwOrr
bRM1XsH9Dz14UHzYvWa1+1Hgk7cRleCyyuQK9CWwwOdjgj9Pu1WZDP2uQMRwluqg
szcp7T9bs3To/VPKb4+LQogFJow7WimuaZTGD6nzdk5cXE1WzlliO+IkMuFarsTb
9tujTpZILaUPabBdISruO3TGhhcPgzjoaqQ6SctxZ4glhveTRflgh3GFZemNu3cy
qJ8TQTd0ABeqZcvfLFPgV/gwtBLGbhnvtRQgRjEk2oqtMMqqcc7+McqMADpZO0f3
PZNnI+BkK2OceUSqXNp//Q
-> ssh-ed25519 /vwQcQ AsdJmfSAYkOyLBOwjiZrNkbTEKFwXxtx8XG0fXlvuQ0
jRwybc/W3SnxCKz5154UlVm6KKRMOFrgoFCaXF5l8XM
-> ssh-ed25519 0R97PA YsbMsIf5kO75ynZShbvS+cdlvJSLCgftiK94q+coUQk
eD6CO1vZgooCs0jE32oHKwpSwAWpWbs9s0IDeWoFcL8
-> ssh-ed25519 JGx7Ng bYI+efKqagiy+xgeG6w18Owut87uBeAWl7LPXgy8JVw
wTA++TjtI/HoY33izhb6K0qX4u6yttBgNcil9qryZUQ
-> ssh-ed25519 bUjjig JpltlB+JYkwinCfLaup1Rg/UxdGQ89ID4Bqjim3FhWM
zEMf5OXJNJFSjZi//OSV30n6fqpXX68REkYC0AJxtYA
-> ssh-ed25519 tDqJRg c3UAeqswuj71pt2Ht/Vn0BMfer+lCnFOXtKZbajUQT8
hSBh2GXP41qmBnEbbaKHmZfdn6PO9uElqYNuEuggBGE
-> ./d$7H-grease -" ;;{` '.8^F
Pks74A2eaVZQVZDxh51A0Cwz9Y58hpkiptwKylJ0SYivcpMJmvme1O/r/6z1kjOI
4DMQlok4STM3WTdqBA
--- BuDNyL5ZSZs5/Wb+jegngQb1QNDUmVeBuhx+442pH+Y
Y¸§ˆÜ*9³Ä>?Ý#+;J ƒºßê^ö4A¤ÈHÚ<17>;èS£ <20> ( Óy<C393>4~¬Ý.uŽ7€ì`
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
<EFBFBD><20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ

BIN
machines/nixos/compute01/secrets/pretalx-environment_file
View file

Binary file not shown.

56
machines/nixos/compute01/secrets/pretix-environment_file
View file

@ -1,30 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA M6uCziCGRhZHlKbrbhyAv175SZJ3oCwX1PIEquRWE0E
h9BS2jSMJJ739wKSz/YatGUWRFOOQdBGCa3VcmT0Fko
-> ssh-ed25519 QlRB9Q ytMHvdiu/ZU0R8nM1izot9kD7uLa56Y0fyOiLCfe0Ho
QHLISn1oDMg7Dq5qlQjhwST6ciwDo1iOCta0mE5L9xQ
-> ssh-ed25519 r+nK/Q duIWFOVxnYkyXYYa5fauMUR1FdjlkMXi8jAiU/K5bE4
38P4xHWMl8uJoVpr2NkfUHd+R/327rMK2dz7VXw9qOk
-> ssh-ed25519 jIXfPA Rns+GrvYIYGr2bkT5PGqRYgVjiDYx5bZePFwX5n84z8
+vmlrK5mS00BLpJukWoHHDvJVOuHS/dfWSfPRqiiK2A
-> ssh-ed25519 QlRB9Q RKtrm6jKvSbOSBU8Lnd6Saui6yXHMuSgNcoYgGpwPEE
cU1kLd9jZ2qaeKcQEVaxxra2le1MwGMZNuDQBui76CU
-> ssh-ed25519 r+nK/Q J3IwXYXujMKTIDTW+zoP3kTlxd+WRWwrHo/uvH7y6Tg
YimrLo0a6W2baGbCx6WIw7PBnI/cBioMtiZhU4dcT8k
-> ssh-rsa krWCLQ
azfMGiaZ/Fvh9ZKgfffzyEGlztw0BRWhM6X3m7vS8Vdb3dOyP4iSZKjGp82qavBx
olUu91n2CWlamDLLpKoAMF/tjjHMhK4I4X84vH8EPfoMggEt7w7FGh9gsf7NN8tC
9VdM5jiyohjt0cLU7j7aGTdSte7/TXpFl6fYkTHXgGpz1SSV+rxNrJ1jTugNdOy6
MJ33b9INLKJs7+ljPBN1txISqx/3DhNIMawcjSViMejMptxblI7ioousjN5S8SnY
H0OkqHlJCe9NTlwDeq2ldDnQXDCJnYpSE0fqbGY5A6p4kshD3rXxkjpNZutIoDfF
ExPoNGRDeKKwZ84ST7u9oQ
-> ssh-ed25519 /vwQcQ h2D7MDnrE52/et0/4ARz1FxZQ3Y4NcLZrjPTgc5E11w
9qXQzsV53Kn3DyYDI6XiFW5mnowCPNS6iieCYeEjO8c
-> ssh-ed25519 0R97PA bCXJMH6YSbHrCdtOyH0XoA7I4886QH7bJXCIM8vNAk8
p1CETI8M7lYoWPp1BttBYBBXyHsoyagfLGaEN11s86U
-> ssh-ed25519 JGx7Ng etwzLxUSOQdjoKGjsawZq3Je0drvrH+WRSZPWNlYHGw
3YYRgg1jcI++htKyFVkJb9cH04lkkSn7J4UN04jZihs
-> ssh-ed25519 bUjjig +WXvDcMDWN4KvkSe8xpv/5mk0VPQjERgCQKWEwEHvF0
taOwFd5/wx37OLLy9FwRIFYb409dpSWmzywzlKjzo9w
-> ssh-ed25519 tDqJRg +HzRSWduekBBc1ac0UMxx4yHYBHssIX2hYuD/tb4pHs
hor3dPvdrlVNT6LPOVttEC2eXDxgOPPqKJ8Yo6F5TFo
-> ]-grease c`BSJvdo i o&G&}
EmC+MYqkj7faPtq2XVTjrKmiVn6nNqfnUsY/+Dsqu95jVOxWxCrFNYYK64lsKlCZ
X7wkeHiOc1mdKzzWZYrtYhO4Qw
--- v04H0ACxBtFLZLbc4goC6uFrYG5nt9j95t32g8QXOHI
>?ÚT;€9M
jwÕêÈßœJODŒ.¸P$˲qšCÍ?îôÜ„ó¼À^•|Ït¯Ç¥QTœRÐA¢ÊúƸ¦³ܱ<C39C>c®HóË_wÍÏ
sX+yb3LCSr+PpOx/VHB6RCnlT2iARoPdoTlNhtz8DYGKY/UTNtqGtgHd0rV9cefh
MHdBlpjUnxpPkCuP2EwIEMTqyjGbPoq/AdpxklXNquMxWyeYD7Pe5ABbEx4vpAgH
+d3A+X3sJXV+lGqPtwIbRBBMCSYxffrS68V5DYfUWNG0rAF7xknfTE4IFNgg1yzR
4LJRpI/j77wlOn/8cH8jGtBrKtRPTq1z6a8MLU36bmBEpmS3EGMvOrfGrMnenhFr
vt6WEsEcHON5C57WyvfEV/qeLhkzaRBOcq3LnYGN4qc0EqVvWCLRqTHeMMJEWhK3
n6qGjzhE5n1FMPoxox83ig
-> ssh-ed25519 /vwQcQ brE7F9GWBMVcmBJskPLZYp2tD80LAWvQFWGxw5asvC0
aOsMTgH17u16P2oUzrIgvv3d70uYkMjAqBJDmmUYPq8
-> ssh-ed25519 0R97PA Ni0DxmzYhSN/mwgKs8AFNwcEMLGDBH2R7mxwyGqyRxg
EmtSYAQ7wwYWqNLu8CmOhEhZq09UvPE8mTL9xRlXq0A
-> ssh-ed25519 JGx7Ng 0iDIiH3slqmumi41n1xKDlxH4UG3TvN+apOZCBCC2B0
4uejPMfD2Qg9P9DPXr6kk06SdYIREc9/w5tId9ZkmjI
-> ssh-ed25519 bUjjig v0d0b2QdvJhiIlrYMRtfjvCWERTXyGIYmmocNTzFFBg
B+o4ZPftYBmc5CxdTqHSjIzyx5X6lCJ88M+XRj5ddrA
-> ssh-ed25519 tDqJRg I67xye4YEG7fRzMeSqmyY7g99YwBFG4TyIiABHnEd3k
Cj95yZeQZwGLFNnw4gK5pzS7Rvr/v0sIfNHoj/FWerU
-> 84t6-grease X|
ylGgBiG/KYc0vDvMho+lPMBe+2kZZ3DvlF5JHgtMRUAMy9ugXbwDYu5qq7GyPL38
aBw8Jx13iIRkJA9CisyygX7l2P5sOdaa/IE5fTABjL6EGkLbP1uI0OFTH9Dd1tYy
ww
--- qbaLv0BDEw2uSR1ccqH5HOinQSQeynDl0IFU9VwD3Ag
º?Ž’¸l¬BÛ†øï—iI ]å4x5¯¶ÎhMÜÍsÒ×Dz¹{ÍpTÅ}G‡U ¡ Cù]ÛQh~¯ªŒãf¯¾ˆËoQí<51>Gƒ¡“jÛ(j®

BIN
machines/nixos/compute01/secrets/satosa-env_file
View file

Binary file not shown.

3
machines/nixos/compute01/secrets/secrets.nix
View file

@ -25,9 +25,6 @@
"netbox-environment_file"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"nimbolus-kms_key"
"nimbolus-s3_secret"
"opengist-environment_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"

BIN
machines/nixos/compute01/secrets/signal-irc-bridge-config
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/telegraf-environment_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/vaultwarden-environment_file
View file

Binary file not shown.

BIN
machines/nixos/compute01/secrets/zammad-secret_key_base_file
View file

Binary file not shown.

2
machines/nixos/compute01/signal-irc-bridge.nix
View file

@ -9,7 +9,7 @@
...
}:
{
imports = [ (import (sources.signal-irc-bridge + "/module.nix")) ];
imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
services.signal-irc-bridge = {
enable = true;

139
machines/nixos/iso/README.md
View file

@ -1,139 +0,0 @@
<!--
SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# ISO Installation
Once the iso is booted, there are several steps to take:
## Partition the disk
## Mount the partions
```bash
mount $rootDevice /mnt
mkdir /mnt/boot
mount $bootDevice /mnt/boot
swapon $swapDevice
nixos-generate-config --root /mnt
```
## Setup the base configuration
```bash
export NIX="/mnt/etc/nixos/"
mv $NIX/configuration.nix $NIX/base-configuration.nix
```
Edit a new file `configuration.nix` with the following contents:
```nix
{ pkgs, ... }:
{
imports = [ ./base-configuration.nix ];
boot = {
tmp.cleanOnBoot = true;
};
console.keyMap = "fr";
time.timeZone = "Europe/Paris";
environment.systemPackages = with pkgs; [
neovim
wget
kitty.terminfo
];
# Activate SSH and set the keys
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [ ./rootKeys ];
}
```
### ZFS setup
If ZFS is to be installed (e.g. for large servers), add to the configuration:
```nix
boot = {
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = false;
zfs.extraPools = [
...
];
};
networking.hostId = ...;
```
Where the list of pools to include is obtained with:
```bash
zpool list -Ho name | sed 's/^/"/;s/$/"/'
```
and the host id with:
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
## Setup the network configuration
Add the network configuration:
```nix
networking = {
hostName = "${name}";
domain = "${site}.infra.dgnum.eu";
useNetworkd = true;
};
systemd.network.networks = {
"10-${interface}" = {
name = ${interface};
address = [ "${address}/${prefix}" ];
routes = [ { Gateway = "..." ; GatewayOnLink = true; } ];
dns = [ ... ];
};
};
```
If the default DNS are accessible, set them to:
```nix
[
"1.1.1.1#cloudflare-dns.com"
"8.8.8.8#dns.google"
"1.0.0.1#cloudflare-dns.com"
"8.8.4.4#dns.google"
]
```
Otherwise (in Jourdan especially), set them to the local DNS.
## Copy the ssh keys
```bash
cp /etc/ssh/authorized_keys.d/root $NIX/rootKeys
```
## Perform the installation
```bash
nixos-install
```

59
machines/nixos/iso/_configuration.nix
View file

@ -1,59 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
modulesPath,
lib,
...
}:
let
inherit (lib) mkForce;
in
{
imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
];
isoImage.squashfsCompression = ''zstd -Xcompression-level 1'';
age-secrets.sources = mkForce [ ];
dgn-records.enable = false;
dgn-monitoring.enable = false;
dgn-notify.enable = false;
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = {
exfat = true;
zfs = true;
};
swraid.enable = mkForce false;
};
networking = {
networkmanager.enable = true;
wireless.enable = false;
};
console.keyMap = "fr";
environment.systemPackages = with pkgs; [
perl
git
];
programs.zsh.enable = true;
services = {
openssh.enable = true;
qemuGuest.enable = true;
getty.autologinUser = mkForce "root";
};
}

45
machines/nixos/krz01/_configuration.nix
View file

@ -1,45 +0,0 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
];
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
# Machine learning API machine
"microvm-ml01"
"microvm-router01"
"nvidia-tesla-k80"
"ollama"
"whisper"
"proxmox"
"networking"
];
extraConfig = {
microvm = {
host.enable = true;
};
dgn-hardware = {
useZfs = true;
zfsPools = [
"dpool"
"ppool0"
];
};
# We are going to use CUDA here.
nixpkgs.config.cudaSupport = true;
hardware.graphics.enable = true;
services.netbird.enable = true;
networking.firewall.trustedInterfaces = [ "wt0" ];
};
root = ./.;
}

50
machines/nixos/krz01/_hardware-configuration.nix
View file

@ -1,50 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
fsType = "ext4";
};
boot.initrd.luks.devices."mainfs" = {
device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
keyFileSize = 1;
keyFile = "/dev/zero";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/280C-8844";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

27
machines/nixos/krz01/microvm-ml01.nix
View file

@ -1,27 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_: {
microvm.autostart = [ "ml01" ];
microvm.vms.ml01 = {
config = {
networking.hostName = "ml01";
system.stateVersion = "24.11";
microvm = {
hypervisor = "cloud-hypervisor";
vcpu = 4;
mem = 4096;
balloonMem = 2048;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
};
}

21
machines/nixos/krz01/microvm-router01.nix
View file

@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_: {
microvm.autostart = [ "router01" ];
microvm.vms.router01 = {
config = {
networking.hostName = "router01";
system.stateVersion = "24.11";
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
}

54
machines/nixos/krz01/networking.nix
View file

@ -1,54 +0,0 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
systemd.network = {
networks = {
"10-eno1" = {
matchConfig.Name = [ "eno1" ];
networkConfig = {
Bridge = "vmbr0";
};
};
"50-vmbr0" = {
matchConfig.Name = "vmbr0";
linkConfig.RequiredForOnline = "routable";
};
"50-vmbr1" = {
matchConfig.Name = "vmbr1";
linkConfig.RequiredForOnline = "routable";
bridgeVLANs = [
{
VLAN = [
"2510" # NAT
"2501" # Managment
"2520" # MW DMZ
"2530" # HE DMZ
];
}
];
};
};
netdevs = {
"50-vmbr0" = {
netdevConfig = {
Name = "vmbr0";
Kind = "bridge";
};
};
"50-vmbr1" = {
netdevConfig = {
Name = "vmbr1";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = true;
};
};
};
};
}

12
machines/nixos/krz01/nvidia-tesla-k80.nix
View file

@ -1,12 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{
nixpkgs.config.nvidia.acceptLicense = true;
# Tesla K80 is not supported by the latest driver.
hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
# Don't ask.
services.xserver.videoDrivers = [ "nvidia" ];
}

247
machines/nixos/krz01/ollama.nix
View file

@ -1,247 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
buildGoModule,
fetchFromGitHub,
buildEnv,
linkFarm,
overrideCC,
makeWrapper,
stdenv,
addDriverRunpath,
nix-update-script,
cmake,
gcc11,
clblast,
libdrm,
rocmPackages,
cudaPackages,
darwin,
autoAddDriverRunpath,
extraLibraries ? [ ],
nixosTests,
testers,
ollama,
ollama-rocm,
ollama-cuda,
config,
# one of `[ null false "rocm" "cuda" ]`
acceleration ? null,
}:
assert builtins.elem acceleration [
null
false
"rocm"
"cuda"
];
let
pname = "ollama";
version = "2024-09-10-cc35";
src = fetchFromGitHub {
owner = "aliotard";
repo = "ollama";
rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
fetchSubmodules = true;
};
vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
"both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
"but they are mutually exclusive; falling back to cpu"
]) (!(config.rocmSupport && config.cudaSupport));
shouldEnable =
mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
rocmRequested = shouldEnable "rocm" config.rocmSupport;
cudaRequested = shouldEnable "cuda" config.cudaSupport;
enableRocm = rocmRequested && stdenv.isLinux;
enableCuda = cudaRequested && stdenv.isLinux;
rocmLibs = [
rocmPackages.clr
rocmPackages.hipblas
rocmPackages.rocblas
rocmPackages.rocsolver
rocmPackages.rocsparse
rocmPackages.rocm-device-libs
rocmPackages.rocm-smi
];
rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
rocmPath = buildEnv {
name = "rocm-path";
paths = rocmLibs ++ [ rocmClang ];
};
cudaLibs = [
cudaPackages.cuda_cudart
cudaPackages.libcublas
cudaPackages.cuda_cccl
];
cudaToolkit = buildEnv {
name = "cuda-merged";
paths = map lib.getLib cudaLibs ++ [
(lib.getOutput "static" cudaPackages.cuda_cudart)
(lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
];
};
metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
Accelerate
Metal
MetalKit
MetalPerformanceShaders
];
wrapperOptions =
[
# ollama embeds llama-cpp binaries which actually run the ai models
# these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
# LD_LIBRARY_PATH is temporarily required to use the gpu
# until these llama-cpp binaries can have their runpath patched
"--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
]
++ lib.optionals enableRocm [
"--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
"--set-default HIP_PATH '${rocmPath}'"
]
++ lib.optionals enableCuda [
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
];
wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
goBuild =
if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
inherit (lib) licenses platforms maintainers;
in
goBuild {
inherit
pname
version
src
vendorHash
;
env =
lib.optionalAttrs enableRocm {
ROCM_PATH = rocmPath;
CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
}
// lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
// {
CMAKE_CUDA_ARCHITECTURES = "35;37";
};
nativeBuildInputs =
[ cmake ]
++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
++ lib.optionals (enableRocm || enableCuda) [
makeWrapper
autoAddDriverRunpath
]
++ lib.optionals stdenv.isDarwin metalFrameworks;
buildInputs =
lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
++ lib.optionals enableCuda cudaLibs
++ lib.optionals stdenv.isDarwin metalFrameworks;
patches = [
# disable uses of `git` in the `go generate` script
# ollama's build script assumes the source is a git repo, but nix removes the git directory
# this also disables necessary patches contained in `ollama/llm/patches/`
# those patches are applied in `postPatch`
./disable-git.patch
];
postPatch = ''
# replace inaccurate version number with actual release version
substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
# apply ollama's patches to `llama.cpp` submodule
for diff in llm/patches/*; do
patch -p1 -d llm/llama.cpp < $diff
done
'';
overrideModAttrs = _: _: {
# don't run llama.cpp build in the module fetch phase
preBuild = "";
};
preBuild = ''
# disable uses of `git`, since nix removes the git directory
export OLLAMA_SKIP_PATCHING=true
# build llama.cpp libraries for ollama
go generate ./...
'';
postFixup =
''
# the app doesn't appear functional at the moment, so hide it
mv "$out/bin/app" "$out/bin/.ollama-app"
''
+ lib.optionalString (enableRocm || enableCuda) ''
# expose runtime libraries necessary to use the gpu
wrapProgram "$out/bin/ollama" ${wrapperArgs}
'';
ldflags = [
"-s"
"-w"
"-X=github.com/ollama/ollama/version.Version=${version}"
"-X=github.com/ollama/ollama/server.mode=release"
"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
];
passthru = {
tests =
{
inherit ollama;
version = testers.testVersion {
inherit version;
package = ollama;
};
}
// lib.optionalAttrs stdenv.isLinux {
inherit ollama-rocm ollama-cuda;
service = nixosTests.ollama;
service-cuda = nixosTests.ollama-cuda;
service-rocm = nixosTests.ollama-rocm;
};
updateScript = nix-update-script { };
};
meta = {
description =
"Get up and running with large language models locally"
+ lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
+ lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
homepage = "https://github.com/ollama/ollama";
changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
license = licenses.mit;
platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
mainProgram = "ollama";
maintainers = with maintainers; [
abysssol
dit7ya
elohmeier
roydubnium
];
};
}

179
machines/nixos/krz01/ollama/K80-support.patch
View file

@ -1,179 +0,0 @@
From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Tue, 8 Oct 2024 18:27:41 +0200
Subject: [PATCH] K80 support
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
docs/development.md | 6 +++-
docs/gpu.md | 1 +
gpu/amd_linux.go | 6 +++-
gpu/gpu.go | 63 ++++++++++++++++++++++++++++++++++++-----
scripts/build_docker.sh | 2 +-
scripts/build_linux.sh | 2 +-
6 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/docs/development.md b/docs/development.md
index 2f7b9ecf..9da35931 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
or installation approach uses unusual paths, you can specify the location by
specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
-a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
+a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
+
+To support GPUs older than Compute Capability 5.0, you will need to use an older version of
+the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11). When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`. To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
+
Then generate dependencies:
diff --git a/docs/gpu.md b/docs/gpu.md
index a6b559f0..66627611 100644
--- a/docs/gpu.md
+++ b/docs/gpu.md
@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
| 5.0 | GeForce GTX | `GTX 750 Ti` `GTX 750` `NVS 810` |
| | Quadro | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M` |
+For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
### GPU Selection
diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
index 6b08ac2e..768fb97a 100644
--- a/gpu/amd_linux.go
+++ b/gpu/amd_linux.go
@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
return []GpuInfo{}
}
- if int(major) < RocmComputeMin {
+ minVer, err := strconv.Atoi(RocmComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
+ }
+ if int(major) < minVer {
slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
continue
}
diff --git a/gpu/gpu.go b/gpu/gpu.go
index 781e23df..60d68c33 100644
--- a/gpu/gpu.go
+++ b/gpu/gpu.go
@@ -16,6 +16,7 @@ import (
"os"
"path/filepath"
"runtime"
+ "strconv"
"strings"
"sync"
"unsafe"
@@ -38,9 +39,11 @@ const (
var gpuMutex sync.Mutex
// With our current CUDA compile flags, older than 5.0 will not work properly
-var CudaComputeMin = [2]C.int{5, 0}
+// (string values used to allow ldflags overrides at build time)
+var CudaComputeMajorMin = "5"
+var CudaComputeMinorMin = "0"
-var RocmComputeMin = 9
+var RocmComputeMajorMin = "9"
// TODO find a better way to detect iGPU instead of minimum memory
const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
var memInfo C.mem_info_t
resp := []GpuInfo{}
- // NVIDIA first
- for i := 0; i < gpuHandles.deviceCount; i++ {
- // TODO once we support CPU compilation variants of GPU libraries refine this...
- if cpuVariant == "" && runtime.GOARCH == "amd64" {
- continue
+ // Load ALL libraries
+ cHandles = initCudaHandles()
+ minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
+ }
+ minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
+ }
+
+ // NVIDIA
+ for i := range cHandles.deviceCount {
+ if cHandles.cudart != nil || cHandles.nvcuda != nil {
+ gpuInfo := CudaGPUInfo{
+ GpuInfo: GpuInfo{
+ Library: "cuda",
+ },
+ index: i,
+ }
+ var driverMajor int
+ var driverMinor int
+ if cHandles.cudart != nil {
+ C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
+ } else {
+ C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
+ driverMajor = int(cHandles.nvcuda.driver_major)
+ driverMinor = int(cHandles.nvcuda.driver_minor)
+ }
+ if memInfo.err != nil {
+ slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
+ C.free(unsafe.Pointer(memInfo.err))
+ continue
+ }
+
+ if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
+ slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
+ continue
+ }
+ gpuInfo.TotalMemory = uint64(memInfo.total)
+ gpuInfo.FreeMemory = uint64(memInfo.free)
+ gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
+ gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
+ gpuInfo.MinimumMemory = cudaMinimumMemory
+ gpuInfo.DependencyPath = depPath
+ gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
+ gpuInfo.DriverMajor = driverMajor
+ gpuInfo.DriverMinor = driverMinor
+
+ // TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
+ cudaGPUs = append(cudaGPUs, gpuInfo)
}
gpuInfo := GpuInfo{
Library: "cuda",
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index e91c56ed..c03bc25f 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
# We use 2 different image repositories to handle combining architecture images into multiarch manifest
# (The ROCm image is x86 only and is not a multiarch manifest)
diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
index 27c4ff1f..e7e6d0dd 100755
--- a/scripts/build_linux.sh
+++ b/scripts/build_linux.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
--
2.46.0

26
machines/nixos/krz01/ollama/all-nvcc-arch.patch
View file

@ -1,26 +0,0 @@
From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:37:08 +0200
Subject: [PATCH] fix: sm_37 for nvcc
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2ccb750..70dfd9b 100644
--- a/Makefile
+++ b/Makefile
@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
ifdef CUDA_DOCKER_ARCH
MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
else ifndef CUDA_POWER_ARCH
- MK_NVCCFLAGS += -arch=native
+ MK_NVCCFLAGS += -arch=sm_37
endif # CUDA_DOCKER_ARCH
ifdef GGML_CUDA_FORCE_DMMV
--
2.46.0

25
machines/nixos/krz01/ollama/default.nix
View file

@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
meta,
name,
nixpkgs,
...
}:
{
services = {
ollama = {
enable = true;
host = meta.network.${name}.netbirdIp;
package = pkgs.callPackage ./package.nix {
# HACK: Our GPU is not supported by cuda >= 12.0, and nixos-25.05 dropped cuda < 12.0
cudaPackages = nixpkgs.nixos."24.11".cudaPackages_11;
# We need to thread our nvidia x11 driver for CUDA.
extraLibraries = [ config.hardware.nvidia.package ];
};
};
};
}

Some files were not shown because too many files have changed in this diff Show more