Compare commits

142 commits
main ... main

Author SHA1 Message Date
HT Chores
7e9878c0c7 chore(npins): Update kat-pkgs 2025-06-10 13:30:32 +00:00
a2b66d75c4
chore(fai/nixos): upgrade to nixos-25.05 2025-06-09 23:26:39 +02:00
4534909d09
feat(bridge01): finally connected to vpn 2025-06-09 23:21:02 +02:00
HT Chores
e6d3f11d32 chore(npins): Update nixos-25.05 2025-06-09 23:11:34 +02:00
40f660fe76
feat(grafana/plugins): add weathermap panel 2025-06-09 17:05:06 +02:00
44a6b658a1
feat(snmp_exporter): enable snmp exporter for network monitoring
fix(snmp_exporter): increase scrape_timeout
2025-06-09 17:05:06 +02:00
0d13b5cd69
docs(netconf): descriptive naming of nearly all interfaces 2025-06-09 17:05:00 +02:00
a0596d022a
feat(netconf/junos): allow snmp management 2025-06-09 17:04:59 +02:00
4dbd5ac6b1
feat(netconf/junos): add description 2025-06-09 17:04:58 +02:00
e4697fc809
fix(librenms): allows kanidm to create accounts 2025-06-07 23:19:16 +02:00
f685e7e4ec
fix(librenms): fix kanidm login 2025-06-07 22:22:05 +02:00
2fe8b66fa2
revert(hackdays): remove all infra dedicated to hackdays 2025-06-06 10:59:42 +02:00
sinavir
4b6f200c31
fix(kanidm/zulip): disable pkce and allow legacy crypto 2025-06-05 22:19:08 +02:00
7e39b40b0d
chore(dgsi): Update 2025-06-02 22:05:00 +02:00
37741075d8
fix(dns): Make use of the modularity of meta
Define A and AAAA options in meta.addresses that can be reused later
Also define proxying in the metadata
2025-06-02 20:03:50 +02:00
sinavir
4f7d0e6fdb
feat(zulip): dns records 2025-06-02 20:03:50 +02:00
sinavir
92d8da0673
feat(zulip01): init 2025-06-02 20:03:50 +02:00
sinavir
da808fc305
feat(kanidm): add zulip 2025-06-02 20:03:50 +02:00
c358db30ff
feat(web03): Deploy vector on photos.dgnum.eu 2025-06-02 18:04:05 +02:00
81ab5ca4ac
fix(vault01/ups): ups is not connected anymore 2025-06-02 15:41:27 +02:00
e88a9ccda9
feat(hackdays): all switches GO 2025-06-02 15:41:21 +02:00
276f2f4f7d
feat(hackdays): generic switch config 2025-06-02 15:41:21 +02:00
f8c2f2f5ee
feat(hackdays): hackdays network 2025-06-02 15:41:21 +02:00
78e54b02f1
feat(netconf-junos): added required configuration for dhcp 2025-06-02 15:41:21 +02:00
1032b3225e
feat(wordpress/npr): Add a plugin 2025-05-30 16:43:31 +02:00
75ba2e4fcf
fix(netbird): Update dashboard version
The daemon and dashboard versions are supposed to be somewhat coupled,
but nixpkgs does not do it. The daemon is regularly updated but the
dashboard lags behind.
2025-05-30 14:56:02 +02:00
4bc96151b2
feat(netconf): changes in potos network
* core-links in dgn-isp module
* factorize nodes/netconf.nix
2025-05-26 14:28:58 +02:00
4bbaeee232
refactor(netconf): renamed switches
netcore00 -> netcore01
netcore01 -> netcore02
netcore02 -> Jaccess01
netaccess01 -> Jaccess04
2025-05-26 14:24:07 +02:00
db195b9c0b
fix(colmena): Revert aliases
This made colmena unnecessarily slow, we don't plan to use aliases and
it was a big bowl of slow spaghetti
2025-05-26 13:55:32 +02:00
b09a0e8b10
fix(storage01/victorialogs): bump maxConcurrentInserts to keep up with log flow 2025-05-26 00:37:09 +02:00
sinavir
5e731419f3 feat(agenix): Rekey 2025-05-25 22:22:53 +02:00
sinavir
e37ca27064 fix(dgn-forgejo-runners): Forgejo runner secret token doesn't have to be known by all machines 2025-05-25 22:22:53 +02:00
sinavir
78fbf6cc28 fixup! fix(keys): take root age keys for mkRootSecrets 2025-05-25 22:22:53 +02:00
1c1c19487e fix(keys): take root age keys for mkRootSecrets 2025-05-25 22:22:53 +02:00
e53d46108f
feat(hypervisor03): activate SFP 2025-05-25 20:53:13 +02:00
e8f4fcce60
feat(hypervisor02): activate SFP 2025-05-25 20:52:10 +02:00
c6b14fb48e
feat(hypervisor01): activate SFP 2025-05-25 20:50:44 +02:00
e96d74a726
feat(dgn-network): add metric option 2025-05-25 20:46:11 +02:00
dec93715be
feat(build01): activate SFP 2025-05-25 19:56:08 +02:00
fb5a0ae7eb
fix(patches): fix kanidm patches for 25.05 2025-05-20 16:48:45 +02:00
ee4adaf937 chore(nixos): pass cof02 to 25.05 to have build tests 2025-05-20 15:36:48 +02:00
e3cc0a6788 chore(npins): init nixos-25.05 pin 2025-05-20 15:36:48 +02:00
c65e27d74f
fix(bridge01): disable monitoring 2025-05-20 15:16:14 +02:00
sinavir
90039850de
fix: Disable dgn-notify, dgn-records and dgn-monitoring 2025-05-20 14:55:37 +02:00
sinavir
622fd05807 feat: Dedicated email for monitoring 2025-05-20 13:42:26 +02:00
0945659efd fix(journald-upload): Don't exit as soon as the network connectivity is lost 2025-05-20 11:42:50 +02:00
HT Chores
61fe15b289 chore(npins): Update colmena 2025-05-19 13:30:49 +00:00
48e6f7f739 feat(scripts): Add rekey-all 2025-05-19 10:03:12 +02:00
2e6ba17cdf chore(secrets): Rekey all secrets 2025-05-19 10:03:12 +02:00
9f642eb963 feat(meta/groups): Add catvayor to root 2025-05-19 10:03:12 +02:00
b3d6e50fd2
fix(storage01): Move the storage of victoriametrics to another disk
Victorialogs is postponed as it will be more involved
2025-05-19 09:55:30 +02:00
2c370d804e
fix(forgejo): Don't use gitea for fetching actions 2025-05-19 09:09:40 +02:00
4454192c27
fix(dns): Setup www.dgnum.eu redirection
This allows fetching the main website from both dgnum.eu and
www.dgnum.eu
2025-05-18 17:19:56 +02:00
51ec9b8764
chore(catvayor): add age ssh key 2025-05-15 23:04:47 +02:00
sinavir
742ed8c182
feat(secrets): Add a possibility to use extra keys for secret encryption 2025-05-15 23:04:47 +02:00
HT Chores
ef0efe73ef chore(npins): Update cgroup-exporter 2025-05-13 15:40:56 +02:00
HT Chores
ed9a21c1fa chore(npins): Update git-hooks 2025-05-13 13:31:15 +00:00
HT Chores
8fb86e8fa8
chore(npins): Update nixos-unstable 2025-05-12 15:32:15 +02:00
dc8b7a8808
fix(eval/deprecation): replace substituteAll by replaceVars 2025-05-12 15:32:15 +02:00
a99e9007d2
fix(patches): remove already applied patches 2025-05-12 15:32:15 +02:00
45299918c7
fix(openbao): disable upstream module 2025-05-12 15:32:14 +02:00
1ad9ef3d70
chore(workflows/npins-update): Update running date 2025-05-12 15:24:24 +02:00
e0dfac7fae
fix(shell): Use the correct npins for the update script 2025-05-12 15:21:57 +02:00
c299614b50
chore(npins): Update SRI patch 2025-05-12 10:37:55 +02:00
10f5322016 fix(lix): Make fetchGit use the narHash attribute 2025-05-11 15:54:41 +02:00
4545af8044 feat(npins): Upgrade to locked versions of git pins 2025-05-11 15:54:41 +02:00
25e94f4a6f
chore(kanidm/isp): remove vlan groups from kanidm 2025-05-09 17:11:23 +02:00
6a55299bbc
chore(nix-patches): The check on empty patches is included upstream 2025-05-06 12:37:51 +02:00
HT Chores
3521fcf61d chore(npins): Update nix-pkgs 2025-05-04 22:21:54 +02:00
b1223cf8f1
docs(git/attributes): mark some files as generated or vendored 2025-05-04 17:57:21 +02:00
106a6d74d6
fix(workflows/npins-update): make EXISTING_BRANCH always bounded 2025-05-04 15:50:58 +02:00
5dceb573b7 fix(substituters): Allow all paths from the infra cache 2025-05-04 15:20:47 +02:00
9aabdedb83
fix(vault01/radius): add configuration declaration 2025-05-04 11:45:30 +02:00
40f5fc2a55
feat(forgejo): Don't use unstable's version anymore 2025-05-03 22:32:31 +02:00
7c9f73e921
feat(vault01/radius): ask dgsi for vlan id 2025-05-03 22:06:36 +02:00
025cc2b56a
chore(workflows/npins-update): Regenerate 2025-05-03 20:51:02 +02:00
HT Chores
5091e6ba4a chore(npins): Update nixos-24.11 2025-05-03 20:39:05 +02:00
2145e20271 fix(pkgs/docuseal): Unlock ruby version 2025-05-03 20:39:05 +02:00
3e01c6aa03 fix(patches): remove already applied patches 2025-05-03 20:39:05 +02:00
10ab6314dc fix(workflows): Update nix-actions 2025-05-03 20:39:05 +02:00
fed05df362 fix(workflow): Try to not eat errors 2025-05-03 20:39:05 +02:00
e8663d88c4
fix(workflows): Remove npins and tea from the runners dependencies
This ensures we use those from the defined shells
2025-05-03 18:40:02 +02:00
c950aed3fc
chore(workflows): Update npins-update 2025-05-03 18:36:25 +02:00
e775d3049d
fix(radiusd): Disable debug output 2025-05-03 18:27:22 +02:00
b13ba3f17a
fix(k-radius): Reduce log level
In debug mode, the radius secrets were printed to the log...
2025-05-03 18:26:02 +02:00
2537b8550d chore(dgsi): Update 2025-05-03 17:24:11 +02:00
51e08a6b89
feat(crabfit): Reduce log level for sqlx queries 2025-05-03 15:28:20 +02:00
58f7f2b735
fix(web01): 48h.arts.ens.fr is on S3 2025-05-03 10:49:33 +02:00
8c965282a7
feat(compute01): Deploy opengist on gist.dgnum.eu 2025-05-01 15:07:19 +02:00
c8dde546f6
feat(dns): Allow restricting ip records to only one address
This allows simpler migrations
2025-04-29 10:33:54 +02:00
0ed5d7f1e0 fix(extranix): Build HTML description in the python script
This avoids creating one derivation per option
2025-04-28 22:18:25 +02:00
fc0ab4f677 fix(extranix): Make options description replacement fast 2025-04-28 22:18:25 +02:00
dbd2528994
fix(build01): Set a global token for multiuser runners 2025-04-28 22:17:23 +02:00
c02cd7047d
fix(scripts): Add build-iso to the shell 2025-04-28 20:43:17 +02:00
a62cfafcb4 feat(web03): change IP for a non-DHCP one 2025-04-28 13:58:46 +02:00
sinavir
9d3c6d14b8 fix(debian-runners): Use new tokens 2025-04-28 12:42:51 +02:00
sinavir
a7fe5cdd7d fix(dgn-forgejo-runners): Move secret to module 2025-04-28 12:42:51 +02:00
sinavir
8a958087f7 feat(workflows): Move workflows to dedicated runners
This also removes storage01 as a builder
2025-04-28 12:42:51 +02:00
sinavir
fc7620a338 feat(forgejo-runners): Use a multiuser nix installation 2025-04-28 12:42:51 +02:00
sinavir
e7b76d1579 feat(snix-cache): Use snix-cache module 2025-04-28 12:42:51 +02:00
sinavir
361572d013
fix(tower01): Import data zpool 2025-04-27 17:03:25 +02:00
d28d2ac5e5 revert: feat(web03): change IP for a non-DHCP one
This IP is currently reserved for other matters
2025-04-26 21:41:04 +02:00
7346f53817
feat(web03): change IP for a non-DHCP one 2025-04-25 18:01:55 +02:00
sinavir
95a5b4cf55
fix(secrets): Rekey for krz01 2025-04-25 15:14:23 +02:00
f642e2e106
fix(krz01/eval): specified stateVersion 2025-04-25 15:14:23 +02:00
95c0f9a3a1
fix(lab-router01/eval): move some Config attribute up 2025-04-25 15:14:23 +02:00
2bf11ba2e1
fix(meta): lab-router01 has no netbird 2025-04-25 15:14:23 +02:00
sinavir
f0771ff28d
feat: move back router02 and rename it lab-router01 2025-04-25 15:14:23 +02:00
sinavir
6303da3811
feat: move back krz01 2025-04-25 15:14:00 +02:00
HT Chores
fca2486e01 chore(npins): Update wp4nix 2025-04-25 15:08:18 +02:00
HT Chores
e3ddfee02c chore(npins): Update lix-module 2025-04-25 15:03:12 +02:00
HT Chores
4aa809e680 chore(npins): Update git-hooks 2025-04-25 14:47:52 +02:00
46332e793e
chore(modules/dgn-network): The web02 workaround is no longer necessary 2025-04-25 14:45:19 +02:00
ea27842782
feat(iso): Add README 2025-04-25 14:40:32 +02:00
189b1357dd
feat(iso): everyone is admin of iso 2025-04-25 10:08:43 +02:00
427cee0c3e
feat(iso): place iso inside hive 2025-04-25 10:08:43 +02:00
43abc137dc
chore(npins): remove unused pins
* lon
* nixos-generator
* kahulm
2025-04-25 10:08:43 +02:00
sinavir
0109b4703a
feat(web03/ernestophone): Pull app from master 2025-04-25 10:07:54 +02:00
1bc03e83e8
feat(workflows/eval-nodes): separate workflow in multiple stage 2025-04-25 00:30:45 +02:00
35bf5793a6
fix(modules/extranix): don't crash when having too many options 2025-04-23 15:33:34 +02:00
6b71080404
feat(kanidm): Add SuiteNumerique Visio client 2025-04-22 17:26:39 +02:00
1c7a138f1a
fix(storage01): Add back podman
We have build01 now
2025-04-21 19:08:27 +02:00
dfa46faee1
chore(storage01): Disable forgejo nix runners
We have build01 now
2025-04-21 18:56:01 +02:00
HT Chores
2c48143966 chore(npins): Update nixos-24.11 2025-04-21 17:33:54 +02:00
HT Chores
78fdf04f29 chore(npins): Update nixos-unstable 2025-04-20 18:03:45 +02:00
32b0bf7e1c fix(action-validator): patch to build & use in default 2025-04-20 18:03:45 +02:00
0c44467e0b
fix(nix): Use correct expression for list-nodes 2025-04-20 17:06:42 +02:00
bfff4108d1 feat(kanidm): Add SuiteNumerique Docs client 2025-04-20 16:54:36 +02:00
2ad9125ffc
fix(storage01/tvix-cache): fix build after force-push... 2025-04-17 14:57:46 +02:00
6d81001b85
feat(extranix): Add theme option and update 2025-04-17 12:58:44 +02:00
01d72bfa13
chore(dns): Switch rescue01 to v6 only
ipv4 seems to have difficulties right now
2025-04-16 18:03:48 +02:00
a1fc8f8cfe feat(modules/dgn-audit): init 2025-04-16 07:54:17 +02:00
bb7c377cb3 feat(modules/extranix): Simplify 2025-04-16 07:48:57 +02:00
447e4df244 feat(extranix): Add docuseal documentation 2025-04-16 07:48:57 +02:00
8f8585038d feat(bootstrap): Add the root of the repository
This avoids making ../../.. in some places
2025-04-16 07:48:57 +02:00
6ffa71c17d feat(hive): Pass bootstrap as an argument 2025-04-16 07:48:57 +02:00
ee05a030da fix(workflows/npins-update): hack! ?? 2025-04-15 12:16:54 +02:00
3748efa295
fix(keys): unique is not in extra anymore 2025-04-15 00:34:36 +02:00
9f91f73270
fix(compute01): Add nofail to dgsi mounts 2025-04-15 00:23:16 +02:00
f77e011c11
fix(docuseal): Actually import the module
Minor cleanup as well
2025-04-14 13:16:29 +02:00
41a4b98cc5
feat(compute01): Deploy docuseal on docuseal.dgnum.eu 2025-04-14 11:24:10 +02:00
ad5d108bc0
feat(pkgs): Init docuseal at 1.9.8 2025-04-14 11:22:15 +02:00
297 changed files with 20401 additions and 7964 deletions

@ -2,13 +2,13 @@
# This file was automatically generated with nix-actions.
jobs:
check_dns:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
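
Review bot: `uses: actions/checkout@v3` in both check_dns and check_meta refers to a tag, which the action's repository can move, so the code that runs on the `nix-infra` runners can change without any change in this repository. Pin the action to a full commit SHA and keep the tag as a comment next to it. Because the header says the file is generated with nix-actions, the pin belongs in the generator input so that every generated workflow picks it up.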

@ -2,12 +2,12 @@
# This file was automatically generated with nix-actions.
jobs:
check_workflows:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
run: "nix-shell -A check-workflows --run 'set -o pipefail\nset -o nounset\n
set -o errexit\n[ $(git status --porcelain | wc -l) -eq 0 ]'"
name: Check workflows
on:
pull_request:
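
Review bot: in the new `run:` of check_workflows, the test `[ $(git status --porcelain | wc -l) -eq 0 ]` fails without reporting which generated files are out of date, and the command substitution is unquoted. Capturing the output and printing it before failing, for example `out="$(git status --porcelain)"; [ -z "$out" ] || { echo "$out"; exit 1; }`, keeps the same check (untracked files included) and makes the job log show what needs to be regenerated.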

@ -1,237 +1,481 @@
###
# This file was automatically generated with nix-actions.
jobs:
Jaccess01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: Jaccess01
name: Eval Jaccess01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build Jaccess01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache Jaccess01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
Jaccess04:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: Jaccess04
name: Eval Jaccess04
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build Jaccess04
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache Jaccess04
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
ap01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: ap01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval ap01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build ap01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache ap01
run: nix-shell -A eval-nodes --run cache-node
name: Cache ap01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
bridge01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval bridge01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build bridge01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
name: Cache bridge01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
build01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: build01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval build01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build build01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache build01
run: nix-shell -A eval-nodes --run cache-node
name: Cache build01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
cof02:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: cof02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval cof02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build cof02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache cof02
run: nix-shell -A eval-nodes --run cache-node
name: Cache cof02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
compute01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval compute01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build compute01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
name: Cache compute01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
geo01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval geo01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build geo01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
name: Cache geo01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
geo02:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval geo02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build geo02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
name: Cache geo02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
hypervisor01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval hypervisor01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build hypervisor01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
name: Cache hypervisor01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
hypervisor02:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval hypervisor02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build hypervisor02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
name: Cache hypervisor02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
hypervisor03:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval hypervisor03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build hypervisor03
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netaccess01:
runs-on: nix
name: Cache hypervisor03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
iso:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netaccess01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
BUILD_NODE: iso
name: Eval iso
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build iso
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netaccess01
run: nix-shell -A eval-nodes --run cache-node
netcore00:
runs-on: nix
name: Cache iso
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
krz01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore00
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
BUILD_NODE: krz01
name: Eval krz01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build krz01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore00
run: nix-shell -A eval-nodes --run cache-node
name: Cache krz01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
lab-router01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: lab-router01
name: Eval lab-router01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build lab-router01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache lab-router01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
netcore01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval netcore01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build netcore01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore01
run: nix-shell -A eval-nodes --run cache-node
name: Cache netcore01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
netcore02:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval netcore02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build netcore02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore02
run: nix-shell -A eval-nodes --run cache-node
name: Cache netcore02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
rescue01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval rescue01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build rescue01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
name: Cache rescue01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
storage01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval storage01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build storage01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
name: Cache storage01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
tower01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: tower01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval tower01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build tower01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache tower01
run: nix-shell -A eval-nodes --run cache-node
name: Cache tower01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
vault01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval vault01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build vault01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
name: Cache vault01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
web01:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval web01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build web01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
name: Cache web01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
web02:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval web02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build web02
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
name: Cache web02
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
web03:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
name: Eval web03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build web03
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Cache web03
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
zulip01:
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: zulip01
name: Eval zulip01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
- name: Build zulip01
run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
\ >> $GITHUB_ENV\n"
- env:
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Cache zulip01
run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npush-to-cache \"$STORE_PATH\"\n'"
name: Build all the nodes
on:
pull_request:
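Review bot: The Build steps ("Build vault01", "Build web01" and the rest) are the only `run` scripts in these jobs without the `set -o pipefail`, `set -o nounset`, `set -o errexit` preamble that the Eval and Cache steps carry, so whether a failed `nix-store --realise "$DRV"` stops the job depends on the runner's default shell flags. If it does not stop, `STORE_PATH=` is written empty to `$GITHUB_ENV`, and `nounset` in the Cache step will not catch that because the variable is set. Suggest giving the Build step the same preamble and quoting the redirection target as `>> "$GITHUB_ENV"` in both the Eval and Build steps. The split itself narrows credential scope, since `STORE_PASSWORD` now reaches only the Cache step. That step still runs `nix-shell -A eval-nodes` from the pull request's checkout under `on: pull_request` with `STORE_USER: admin`, so it is worth confirming the secret is not handed to pull requests from untrusted contributors.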

@ -2,15 +2,16 @@
# This file was automatically generated with nix-actions.
jobs:
build-shell:
runs-on: nix
runs-on: nix-infra
steps:
- uses: actions/checkout@v3
- env:
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache shell
run: nix-shell -A eval-shell --run 'nix-build-and-cache -A devShell'
run: "nix-shell -A eval-shell --run 'set -o pipefail\nset -o nounset\nset -o
errexit\nnix-build-and-cache -A devShell'"
name: Build the shell
on:
pull_request:
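Review bot: "Build and cache shell" still builds and pushes in one step, so the `nix-build-and-cache -A devShell` build runs with `STORE_PASSWORD` and `STORE_USER: admin` in its environment, while the node jobs changed alongside it keep the build in a step with no store credentials and pass them only to the Cache step. Suggest the same split here. Also worth a second look: the `STORE_ENDPOINT` path changes from `infra-signing/` to `infra.signing/` together with the host rename from `tvix-store` to `snix-store`. If the dot is intended, a word in the commit message would help, since a mistyped store name would only show up at push time.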

File diff suppressed because it is too large

@ -6,11 +6,11 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Check stage pre-commit
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-commit --show-diff-on-failure'
run: "nix-shell -A pre-commit --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npre-commit run --all-files --hook-stage pre-commit --show-diff-on-failure'"
- name: Check stage pre-push
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
run: "nix-shell -A pre-commit --run 'set -o pipefail\nset -o nounset\nset -o
errexit\npre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'"
name: Run pre-commit on all files
on:
- push
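Review bot: `uses: actions/checkout@v3` in the context at the top of this hunk refers to a tag that can be moved; pinning it to a full commit hash would fix exactly which action code runs on the runner. On the changed lines, the `set -o pipefail`, `set -o nounset`, `set -o errexit` preamble has no effect for a script whose only command is `pre-commit run ...`. That is harmless if it is emitted uniformly for every step, but it should not be read as added protection for these two steps.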

.gitattributes vendored Normal file

@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
/.forgejo/workflows/*.yaml linguist-generated
/LICENSES/* linguist-vendored
/REUSE.toml linguist-generated
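Review bot: `/.forgejo/workflows/*.yaml linguist-generated` flags every workflow file as generated, and forges that honour this attribute collapse such files in diff views by default. Those files decide the runner label (`runs-on`) and which steps receive `STORE_PASSWORD`, so a collapsed diff makes it easier to miss a change there. Suggest either leaving the workflows unmarked or making sure the Nix source they are generated from gets the review instead, and saying so in a comment in this file.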

@ -1,232 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright © 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for software and other kinds of works.
The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.
Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS
0. Definitions.
“This License” refers to version 3 of the GNU General Public License.
“Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
“The Program” refers to any copyrightable work licensed under this License. Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations.
To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work.
A “covered work” means either the unmodified Program or a work based on the Program.
To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
1. Source Code.
The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.
A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”.
c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
7. Additional Terms.
“Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
11. Patents.
A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version”.
A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. “Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.


@ -1 +0,0 @@
All rights reserved.

16
REUSE.toml generated

@ -2,7 +2,7 @@ version = 1
[[annotations]]
SPDX-FileCopyrightText = "NONE"
SPDX-License-Identifier = "CC0-1.0"
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix"]
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "patches/colmena/0001-*", "pkgs/by-name/docuseal/rubyEnv/*", "pkgs/by-name/docuseal/deps.json", "pkgs/by-name/docuseal/yarn.lock"]
precedence = "closest"
[[annotations]]
@ -14,19 +14,19 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/vault01/k-radius/packages/03-set-log-level.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/lix/02-fetchGit-locked.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2024 Maurice Debray <maurice.debray@dgnum.eu>"]
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch"]
path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch", "patches/nixpkgs/07-25.05-kanidm-groups-module.patch", "patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch"]
precedence = "closest"
[[annotations]]
@ -38,7 +38,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"]
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"]
precedence = "closest"
[[annotations]]
@ -47,6 +47,12 @@ SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/krz01/ollama/all-nvcc-arch.patch", "machines/nixos/krz01/ollama/K80-support.patch", "machines/nixos/krz01/ollama/disable-git.patch", "machines/nixos/krz01/ollama/no-weird-microarch.patch", "machines/nixos/krz01/whisper/all-nvcc-arch.patch", "machines/nixos/krz01/whisper/no-weird-microarch.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "MIT"


@ -27,6 +27,8 @@ in
{
inherit overlays sources unpatchedSources;
root = ./.;
pkgs = pkgs // {
lib = pkgs.lib.extend overlays.lib;
};


@ -9,7 +9,11 @@ in
{
sources ? bootstrap.sources,
pkgs ? bootstrap.pkgs,
pkgs ? import sources.nixos-unstable {
overlays = [
(_: super: { lib = super.lib.extend bootstrap.overlays.lib; })
];
},
}:
let
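
Review bot: the new default `pkgs ? import sources.nixos-unstable { overlays = [ ... ]; }` sets `overlays` but not `config`, so nixpkgs falls back to its impure default and can pick up `~/.config/nixpkgs/config.nix` or `NIXPKGS_CONFIG` from whoever evaluates this file. Pass `config = { };` explicitly so the dev shell and the scripts evaluate the same way on every workstation and in CI.
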
@ -70,6 +74,14 @@ let
".gitignore"
"REUSE.toml"
"shell.nix"
# Commit revert
"patches/colmena/0001-*"
# Docuseal
"pkgs/by-name/docuseal/rubyEnv/*"
"pkgs/by-name/docuseal/deps.json"
"pkgs/by-name/docuseal/yarn.lock"
];
annotations = [
@ -83,6 +95,7 @@ let
"modules/nixos/dgn-backups/keys/*"
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file"
"modules/nixos/dgn-records/__arkheon-token_file"
"modules/nixos/dgn-s3/garage-*_file"
];
@ -97,9 +110,11 @@ let
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch"
"machines/nixos/vault01/k-radius/packages/03-set-log-level.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/lix/02-fetchGit-locked.patch"
"patches/nixpkgs/01-pretalx-environment-file.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
@ -111,6 +126,8 @@ let
path = [
"patches/nixpkgs/07-kanidm-groups-module.patch"
"patches/nixpkgs/08-kanidm-groups-pkgs.patch"
"patches/nixpkgs/07-25.05-kanidm-groups-module.patch"
"patches/nixpkgs/08-25.05-kanidm-groups-pkgs.patch"
];
copyright = [
"2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
@ -128,6 +145,8 @@ let
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
"patches/nixpkgs/02-action-validator.patch"
"machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"
];
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
}
@ -140,6 +159,17 @@ let
"2025 Lubin Bailly <lubin.bailly@dgnum.eu>"
];
}
{
path = [
"machines/nixos/krz01/ollama/all-nvcc-arch.patch"
"machines/nixos/krz01/ollama/K80-support.patch"
"machines/nixos/krz01/ollama/disable-git.patch"
"machines/nixos/krz01/ollama/no-weird-microarch.patch"
"machines/nixos/krz01/whisper/all-nvcc-arch.patch"
"machines/nixos/krz01/whisper/no-weird-microarch.patch"
];
copyright = "2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>";
}
# colmena wrapper
{
@ -195,22 +225,20 @@ in
{
nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes);
) (import ./meta/nodes/nixos.nix).nodes;
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
mkCacheSettings = import ./machines/nixos/storage01/snix-cache/cache-settings.nix {
inherit (pkgs) lib;
};
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages =
[
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
(pkgs.callPackage "${sources.npins}/npins.nix" { })
# SSO testing
pkgs.kanidm
@ -221,7 +249,6 @@ in
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
]
++ git-checks.enabledPackages
++ (builtins.attrValues scripts);
@ -240,9 +267,15 @@ in
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
eval-nodes.packages = [
scripts.instantiate-node
scripts.push-to-cache
];
eval-shell.packages = [ scripts.nix-build-and-cache ];
npins-shell.packages = [ pkgs.npins ];
npins-shell.packages = [
(pkgs.callPackage "${sources.npins}/npins.nix" { })
pkgs.tea
];
};
};
}


@ -43,7 +43,7 @@ let
mkNixpkgsConfig =
system:
{
nixos = _: { }; # TODO: add nix-pkgs overlay here
nixos = _: { config.allowUnfree = true; }; # TODO: add nix-pkgs overlay here
zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { };
}
@ -92,7 +92,7 @@ in
nodeNixpkgs = mapSingleFuse nodePkgs nodes;
specialArgs = {
inherit nixpkgs sources;
inherit bootstrap nixpkgs sources;
dgn-keys = import ./lib/keys {
meta = metadata;
@ -202,13 +202,7 @@ in
options = "--delete-older-than 7d";
};
settings =
{
substituters = [ "https://tvix-store.dgnum.eu/infra" ];
}
// (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
caches = [ "infra" ];
});
settings = (import ./. { pkgs = sourcePkgs; }).mkCacheSettings [ "infra" ];
};
# Allow unfree packages


@ -1,9 +0,0 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso


@ -1,42 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
let
dgn-keys = import ../keys.nix;
dgn-members = (import ../meta lib).config.organization.groups.root;
in
{
imports = [ ./dgn-install ];
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
kernelPackages = pkgs.linuxPackages_latest;
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = [
"exfat"
"zfs"
"bcachefs"
];
swraid.enable = lib.mkForce false;
};
console.keyMap = "fr";
services = {
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
}


@ -1,7 +0,0 @@
<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Script pour installer automatiquement NixOS sur les machines de la DGNum


@ -1,24 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let
installScript = pkgs.writeShellApplication {
name = "dgn-install";
runtimeInputs = with pkgs; [
coreutils
gnused
nixos-install-tools
zfs
];
text = builtins.readFile ./dgn-install.sh;
};
in
{
environment.systemPackages = [ installScript ];
}


@ -1,153 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
bootDevice=
rootDevice=
domain="par01.infra.dgnum.eu"
hostname="dgn0x"
hasZFS=
while [ "$#" -gt 0 ]; do
i="$1"
shift 1
case "$i" in
--root)
rootDevice="$1"
shift 1
;;
--boot)
bootDevice="$1"
shift 1
;;
--swap)
swapDevice="$1"
shift 1
;;
--domain)
domain="$1"
shift 1
;;
--hostname)
hostname="$1"
shift 1
;;
--with-zfs)
hasZFS="1"
;;
*)
echo "$0: unknown option \`$i'"
exit 1
;;
esac
done
if [ -z "$bootDevice" ]; then
echo "Missing boot partition"
exit 1
fi
if [ -z "$rootDevice" ]; then
echo "Missing root partition"
exit 1
fi
# Mount the partitions to where they should be
mount "$rootDevice" /mnt
mkdir /mnt/boot
mount "$bootDevice" /mnt/boot
if [ -n "$swapDevice" ]; then
swapon "$swapDevice"
fi
# Generate configration
nixos-generate-config --root /mnt
NIX="/mnt/etc/nixos/"
# Setup our own files
mv $NIX/configuration.nix $NIX/base-configuration.nix
cat <<EOF > $NIX/dgnum-server.nix
{ ... }: {
services.nscd.enableNsncd = false;
programs.bash.promptInit = ''
# Provide a nice prompt if the terminal supports it.
if [ "\$TERM" != "dumb" ] || [ -n "\$INSIDE_EMACS" ]; then
PROMPT_COLOR="1;31m"
((UID)) && PROMPT_COLOR="1;32m"
if [ -n "\$INSIDE_EMACS" ] || [ "\$TERM" = "eterm" ] || [ "\$TERM" = "eterm-color" ]; then
# Emacs term mode doesn't support xterm title escape sequence (\e]0;)
PS1="\n\[\033[\$PROMPT_COLOR\][\u@\$(hostname -f):\w]\\\$\[\033[0m\] "
else
PS1="\n\[\033[\$PROMPT_COLOR\][\[\e]0;\u@\H: \w\a\]\u@\$(hostname -f):\w]\\\$\[\033[0m\] "
fi
if test "\$TERM" = "xterm"; then
PS1="\[\033]2;\$(hostname -f):\u:\w\007\]\$PS1"
fi
fi
'';
}
EOF
cat <<EOF > $NIX/configuration.nix
{ pkgs, ... }: {
imports = [
./base-configuration.nix
./dgnum-server.nix
$(if [ -n "$hasZFS" ]; then echo './zfs.nix'; fi)
];
boot.tmp.cleanOnBoot = true;
console.keyMap = "fr";
time.timeZone = "Europe/Paris";
environment.systemPackages = with pkgs; [
vim
wget
kitty.terminfo
];
networking = {
hostName = "$hostname";
domain = "$domain";
};
# Activate SSH and set the keys
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [ ./rootKeys ];
}
EOF
if [ -n "$hasZFS" ]; then
cat <<EOF > $NIX/zfs.nix
{ ... }: {
boot = {
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = false;
zfs.extraPools = [
$(zpool list -Ho name | sed 's/^/"/;s/$/"/')
];
};
networking.hostId = "$(head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //')";
}
EOF
fi
# Copy the keys
cp /etc/ssh/authorized_keys.d/root $NIX/rootKeys
# Perform the installation
nixos-install


@ -1,13 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";
in
(import nixpkgs { }).srcOnly {
name = "nixpkgs-for-iso";
src = nixpkgs;
}


@ -7,19 +7,23 @@
{ meta, lib }:
let
inherit (lib.extra) setDefault unique;
inherit (lib.extra) setDefault;
getAttr = lib.flip builtins.getAttr;
in
rec {
_memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
_ageKeys = builtins.mapAttrs (_: v: v.ageSshKeys) meta.organization.members;
_builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
_nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
# Get keys of the users
getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
# Get age-keys of the users
getAgeKeys = name: builtins.concatLists (builtins.map (getAttr _ageKeys) name);
# Get builder keys of the users
getBuilderKeys = getAttr _builderKeys;
@ -29,22 +33,25 @@ rec {
# List of keys for the root group
rootKeys = getMemberKeys meta.organization.groups.root;
# List of keys for the root group (for age encryption and decryption)
rootAgeKeys = getAgeKeys meta.organization.groups.root;
# All admins for a node
getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
# All keys needed for secret encryption
getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
getSecretKeys = node: lib.unique (getAgeKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
# List of keys for all machines wide secrets
machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
machineKeys = rootAgeKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getSecretKeys nodes); };
mkSecrets = nodes: setDefault { publicKeys = lib.unique (builtins.concatMap getSecretKeys nodes); };
mkRootSecrets = setDefault { publicKeys = unique rootKeys; };
mkRootSecrets = setDefault { publicKeys = lib.unique rootAgeKeys; };
machineKeysBySystem =
system:
rootKeys
rootAgeKeys
++ (getNodeKeys (
builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
));
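
Review bot: missing documentation and a rekey step for the recipient change in `getSecretKeys`, `machineKeys`, `mkRootSecrets` and `machineKeysBySystem`, which now build their key lists from `ageSshKeys` instead of `sshKeys`. Nothing here states how the two sets relate, and files already encrypted keep their old recipients until they are re-encrypted. Add a comment next to `rootAgeKeys` saying which keys belong in `ageSshKeys`, rekey the existing secrets in the same series, and confirm that every member defines `ageSshKeys`, since `_ageKeys` reads `v.ageSshKeys` for all of `meta.organization.members`.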


@ -0,0 +1,141 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatImapStringsSep
concatMapAttrsStringSep
concatMapStrings
mkOption
;
inherit (lib.types)
attrsOf
ints
listOf
str
submodule
;
in
{
options = {
access.address-assignment.pool = mkOption {
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = {
family.inet = {
network = mkOption {
type = str;
description = ''
Network where this pool is located.
'';
};
ranges = mkOption {
type = listOf (submodule {
options = {
low = mkOption {
type = str;
description = ''
Lowest IP of this range.
'';
};
high = mkOption {
type = str;
description = ''
Highest IP of this range.
'';
};
};
});
description = ''
IP ranges in this pool.
'';
};
dhcp-attributes = {
maximum-lease-time = mkOption {
type = ints.unsigned;
description = ''
Maximum lease time for leases in this pool.
'';
};
name-server = mkOption {
type = listOf str;
default = [ ];
description = ''
DNS servers to propose.
'';
};
router = mkOption {
type = listOf str;
default = [ ];
description = ''
Router IP for default route.
'';
};
};
};
xml = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.xml =
let
inet-cfg = config.family.inet;
in
''
<pool>
<name>${name}</name>
<family>
<inet>
<network>${inet-cfg.network}</network>
${concatImapStringsSep "\n" (
idx:
{ low, high }:
''
<range>
<name>${name}-${toString idx}</name>
<low>${low}</low>
<high>${high}</high>
</range>
''
) inet-cfg.ranges}
<dhcp-attributes>
<maximum-lease-time>${toString inet-cfg.dhcp-attributes.maximum-lease-time}</maximum-lease-time>
${concatMapStrings (
dns: "<name-server><name>${dns}</name></name-server>"
) inet-cfg.dhcp-attributes.name-server}
${concatMapStrings (
router: "<router><name>${router}</name></router>"
) inet-cfg.dhcp-attributes.router}
</dhcp-attributes>
</inet>
</family>
</pool>
'';
}
)
);
default = { };
description = ''
Address pools for DHCP configuration.
'';
};
netconf.xmls.access = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.access = ''
<access operation="replace">
<address-assignment>
${concatMapAttrsStringSep "\n" (_: pool: pool.xml) config.access.address-assignment.pool}
</address-assignment>
</access>
'';
}
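
Review bot: `<access operation="replace">` in `config.netconf.xmls.access` replaces the device's whole `access` hierarchy, while the options in this module only model `address-assignment.pool`. Anything else configured under `access` on a switch would be removed on the next push. Move `operation="replace"` down to `<address-assignment>` so the module only owns the subtree it actually describes.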


@ -34,11 +34,14 @@ let
in
{
imports = [
./access.nix
./interfaces.nix
./poe.nix
./protocols.nix
./system.nix
./vlans.nix
./routing-options.nix
./snmp.nix
];
options = {
@ -98,6 +101,9 @@ in
${protocols}
${vlans}
${poe}
${access}
${routing-options}
${snmp}
</configuration>
'';
rpc = pkgs.writeText "${name}.rpc" ''


@ -25,6 +25,7 @@ let
interface =
{ name, config, ... }:
let
intf_cfg = config;
unit =
{ name, config, ... }:
{
@ -33,6 +34,13 @@ let
default = true;
example = false;
};
description = mkOption {
type = str;
default = intf_cfg.description + "." + name;
description = ''
Descriptive name of this interface unit.
'';
};
family = {
ethernet-switching = {
enable = mkEnableOption "the ethernet switching on this logical interface";
@ -97,17 +105,17 @@ let
</ethernet-switching>
'';
addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
addr4 = map (addr: "<address><name>${addr}</name></address>") config.family.inet.addresses;
inet = optionalString config.family.inet.enable ''
<inet>
<address>${builtins.concatStringsSep "" addr4}</address>
${builtins.concatStringsSep "" addr4}
</inet>
'';
addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
addr6 = map (addr: "<address><name>${addr}</name></address>") config.family.inet6.addresses;
inet6 = optionalString config.family.inet6.enable ''
<inet6>
<address>${builtins.concatStringsSep "" addr6}</address>
${builtins.concatStringsSep "" addr6}
</inet6>
'';
in
@ -115,6 +123,7 @@ let
<unit>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
${optionalString config.enable "<description>${config.description}</description>"}
<family>
${eth}${inet}${inet6}
</family>
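
Review bot: `${config.description}` is free text and is interpolated into `<description>` without XML escaping, so a description containing `&` or `<` produces an invalid or structurally different document. Wrap it in `lib.escapeXML` here and in the matching `<interface>` block further down; descriptions are the interpolated field most likely to carry such characters.
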
@ -131,6 +140,13 @@ let
Configuration of the logical interfaces on this physical interface.
'';
};
description = mkOption {
type = str;
default = name;
description = ''
Descriptive name of this interface.
'';
};
xml = mkOption {
type = str;
visible = false;
@ -144,6 +160,7 @@ let
''
<interface>
<name>${name}</name>
${optionalString config.enable "<description>${config.description}</description>"}
${optionalString (!config.enable) "<disable/>"}
${builtins.concatStringsSep "" units}
</interface>


@ -0,0 +1,59 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatMapStringsSep
mkOption
;
inherit (lib.types)
str
listOf
submodule
;
in
{
options = {
routing-options.static.route = mkOption {
type = listOf (submodule {
options = {
destination = mkOption {
type = str;
description = ''
Destination network.
'';
};
next-hop = mkOption {
type = str;
description = ''
Gateway for this network.
'';
};
};
});
default = [ ];
description = ''
Static routes.
'';
};
netconf.xmls.routing-options = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.netconf.xmls.routing-options = ''
<routing-options operation="replace">
<static>
${concatMapStringsSep "\n" (route: ''
<route>
<name>${route.destination}</name>
<next-hop>${route.next-hop}</next-hop>
</route>
'') config.routing-options.static.route}
</static>
</routing-options>
'';
}
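
Review bot: `config.netconf.xmls.routing-options` is rendered unconditionally and `routing-options.static.route` defaults to `[ ]`, so a device that never sets a route still receives `<routing-options operation="replace">` with an empty `<static>`, which clears whatever static routes it already has. Emit the block only when the list is non-empty, the way `dhcp-local` is guarded with `optionalString (... != { })` in the system module.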


@ -0,0 +1,80 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, config, ... }:
let
inherit (lib)
concatMapAttrsStringSep
mkOption
optionalString
;
inherit (lib.types)
attrsOf
bool
enum
str
submodule
;
in
{
options = {
snmp = {
filter-interfaces.all-internal-interfaces = mkOption {
type = bool;
default = false;
description = ''
Whether to filter internal interfaces.
'';
};
community = mkOption {
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = {
authorization = mkOption {
type = enum [
"read-only"
"read-write"
];
description = ''
Authorization type.
'';
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml = ''
<community>
<name>${name}</name>
<authorization>${config.authorization}</authorization>
</community>
'';
}
)
);
default = { };
description = ''
Communities for SNMPv2 access.
'';
};
};
netconf.xmls.snmp = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.snmp = ''
<snmp operation="replace">
<filter-interfaces>
${optionalString config.snmp.filter-interfaces.all-internal-interfaces "<all-internal-interfaces/>"}
</filter-interfaces>
${concatMapAttrsStringSep "" (_: comm: comm.xml) config.snmp.community}
</snmp>
'';
}
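
Review bot: the `community` submodule accepts `read-write` and renders only `<name>` and `<authorization>`, with no restriction on which hosts may use the community. With SNMPv2c the community name is the only credential and travels in cleartext, so any host that can reach the switch and knows the name gets that level of access. Drop `read-write` from the `enum` until it is needed, or add an option for the allowed client prefixes and render it inside `<community>`. Note also that the name is the attribute key, so it sits in plain text in the repository and in the generated XML.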


@ -6,20 +6,25 @@
let
inherit (lib)
concatMapAttrsStringSep
concatMapStrings
concatStrings
concatStringsSep
filter
hasPrefix
length
mkOption
optionalString
splitString
;
inherit (lib.types)
attrsOf
enum
listOf
port
str
submodule
;
in
@ -55,6 +60,20 @@ in
description = "Port to use for netconf.";
default = 830;
};
dhcp-local-server.group = mkOption {
type = attrsOf (submodule {
options.interfaces = mkOption {
type = listOf str;
description = ''
Interfaces managed by this group.
'';
};
});
default = { };
description = ''
Groups of configuration for DHCP server.
'';
};
};
};
netconf.xmls.system = mkOption {
@ -75,6 +94,19 @@ in
ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
filter (hasPrefix "ssh-ed25519 ") ssh-keys
);
dhcp-local = optionalString (config.system.services.dhcp-local-server.group != { }) ''
<dhcp-local-server>
${concatMapAttrsStringSep "\n" (name: cfg: ''
<group>
<name>${name}</name>
<interface>
${concatMapStrings (intf: "<name>${intf}</name>") cfg.interfaces}
</interface>
</group>
'') config.system.services.dhcp-local-server.group}
</dhcp-local-server>
'';
in
''
<system>
@ -89,6 +121,7 @@ in
<ssh><port>${toString config.system.services.netconf.port}</port></ssh>
<rfc-compliant/><yang-compliant/>
</netconf>
${dhcp-local}
</services>
</system>
'';


@ -72,14 +72,11 @@ rec {
name,
patches ? mkPatches name,
}:
if patches == [ ] then
src
else
pkgs.applyPatches {
inherit patches src;
pkgs.applyPatches {
inherit patches src;
name = "${name}-patched";
};
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};
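
Review bot: with the `if patches == [ ] then src` branch gone, every source goes through `pkgs.applyPatches` and is named `${name}-patched` even when no patch applies to it. If uniform handling is the goal, say so in a comment; otherwise the `-patched` suffix no longer tells a reader which pinned inputs were actually modified, which makes auditing the patched set harder.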


@ -0,0 +1,93 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs mod;
inherit (lib.extra) genFuse;
in
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
AP = [
# H1-00
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
# H1-01
"ge-0/0/6"
"ge-0/0/7"
"ge-0/0/8"
"ge-0/0/9"
"ge-0/0/10"
"ge-0/0/11"
# H1-02
"ge-0/0/12"
"ge-0/0/13"
"ge-0/0/14"
"ge-0/0/15"
"ge-0/0/16"
"ge-0/0/17"
];
admin-ip = "fd26:baf9:d250:8000::1001/64";
};
dgn-interfaces = {
# oob
"ge-0/0/42".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) (
{
"xe-0/1/0" = "netcore01";
"xe-0/1/1" = "Jaccess04";
"ge-0/1/3" = "uplink-cri";
"ge-0/0/42" = "oob";
"ge-0/0/47" = "psu";
}
// genFuse (i: {
"ge-0/0/${toString i}" = "AP_H1_${toString (i / 6)}_${toString (mod i 6 + 1)}";
}) 18
);
snmp.community."public".authorization = "read-only";
}
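
Review bot: `snmp.community."public".authorization = "read-only";` uses the well-known default community name, and in SNMPv2c that name is the only thing protecting read access to the device's interface and topology data. Choose a non-default name and limit queries to the monitoring host, or add a comment explaining why `public` is acceptable on this management network.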


@ -2,6 +2,11 @@
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs mod;
inherit (lib.extra) genFuse;
in
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
@ -26,4 +31,18 @@
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) (
{
"xe-0/1/0" = "Jaccess01";
}
// genFuse (i: {
"ge-0/0/${toString i}" = "AP_H2_${toString (i / 2)}_${toString (mod i 2 + 1)}";
}) 6
);
snmp.community."public".authorization = "read-only";
}
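
Review bot: the `interfaces = { "irb".unit."0".description = "Admin"; } // mapAttrs (_: description: { inherit description; }) (...)` construct and the SNMP community line are copied verbatim into each switch file in this comparison. A small helper in `lib.extra`, or a module option that takes a port-to-name attrset, would keep the per-switch files to data only and give one place to change the SNMP settings.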

View file

@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware = {
model = "EX4400-24X";
extensions = [ "EX4400-EM-4Y" ];
};
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::1010/64";
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
"xe-0/0/23".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.2.3/24" ];
};
}

View file

@ -2,51 +2,69 @@
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs;
in
{
dgn-hardware.model = "EX4100-F-48P";
dgn-hardware = {
model = "EX4400-24X";
extensions = [ "EX4400-EM-4Y" ];
};
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::100f/64";
};
dgn-profiles = {
"hypervisor" = {
interfaces = [
"ge-0/0/1"
"ge-0/0/3"
"ge-0/0/5"
"ge-0/0/7"
"ge-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
"idrac" = {
interfaces = [
"ge-0/0/0"
"ge-0/0/2"
"ge-0/0/4"
"ge-0/0/6"
"ge-0/0/8"
# PDU and PSU
"ge-0/0/46"
"ge-0/0/47"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
};
admin-ip = "fd26:baf9:d250:8000::1010/64";
core-links = [
"xe-0/0/0"
"xe-0/0/3"
"xe-0/0/22"
"xe-0/0/21"
];
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
"ge-0/0/23".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
vlans = [ "uplink-cri" ];
};
"xe-0/0/0".ethernet-switching.vlans = [ "uplink-cri" ];
"xe-0/0/21".ethernet-switching.vlans = [ "all" ];
"xe-0/0/22".ethernet-switching.vlans = [ "all" ];
# debug management
"me0".inet.addresses = [ "192.168.2.2/24" ];
"me0".inet.addresses = [ "192.168.2.3/24" ];
};
dgn-profiles."hypervisor" = {
interfaces = [
"xe-0/0/4"
"xe-0/0/5"
"xe-0/0/6"
"xe-0/0/7"
"xe-0/0/8"
"xe-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) {
"xe-0/0/0" = "Jaccess01";
"xe-0/0/3" = "Jaccess04";
"xe-0/0/21" = "vault01";
"xe-0/0/22" = "netcore02";
"ge-0/0/23" = "uplink-cri";
"xe-0/0/4" = "random02";
"xe-0/0/5" = "random03";
"xe-0/0/6" = "hypervisor01";
"xe-0/0/7" = "hypervisor02";
"xe-0/0/8" = "hypervisor03";
"xe-0/0/9" = "build01";
};
snmp.community."public".authorization = "read-only";
}
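
Review bot: `"xe-0/0/0"` is listed in `core-links` and described as `Jaccess01`, but its VLAN list is `[ "uplink-cri" ]`, the same VLAN as the `ge-0/0/23` uplink, while the other core links given an override here (`xe-0/0/21`, `xe-0/0/22`) carry `all`. If the link to Jaccess01 is meant to carry only the uplink VLAN, a comment would help; if not, this looks like a copy-paste from the uplink port. `xe-0/0/3` is in `core-links` with no VLAN override, so it is worth stating what the `core-links` default is.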

View file

@ -1,77 +1,87 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
let
inherit (lib) mapAttrs;
in
{
dgn-hardware.model = "EX2300-48P";
dgn-hardware.model = "EX4100-F-48P";
dgn-isp = {
enable = true;
AP = [
# H1-00
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
# H1-01
"ge-0/0/6"
"ge-0/0/7"
"ge-0/0/8"
"ge-0/0/9"
"ge-0/0/10"
"ge-0/0/11"
# H1-02
"ge-0/0/12"
"ge-0/0/13"
"ge-0/0/14"
"ge-0/0/15"
"ge-0/0/16"
"ge-0/0/17"
];
admin-ip = "fd26:baf9:d250:8000::1001/64";
admin-ip = "fd26:baf9:d250:8000::100f/64";
};
dgn-profiles = {
"hypervisor" = {
interfaces = [
"ge-0/0/1"
"ge-0/0/3"
"ge-0/0/5"
"ge-0/0/7"
"ge-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
"idrac" = {
interfaces = [
"ge-0/0/0"
"ge-0/0/2"
"ge-0/0/4"
"ge-0/0/6"
"ge-0/0/8"
"ge-0/0/10"
"ge-0/0/12"
"ge-0/0/14"
# PDU and PSU
"ge-0/0/45"
"ge-0/0/46"
"ge-0/0/47"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
};
};
dgn-interfaces = {
# oob
"ge-0/0/42".ethernet-switching = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# netcore01 (Potos)
"xe-0/1/2".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"all"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
"me0".inet.addresses = [ "192.168.2.2/24" ];
};
interfaces =
{
"irb".unit."0".description = "Admin";
}
// mapAttrs (_: description: { inherit description; }) {
"xe-0/2/0" = "netcore01";
"ge-0/0/0" = "hypervisor01_idrac";
"ge-0/0/2" = "hypervisor02_idrac";
"ge-0/0/4" = "hypervisor03_idrac";
"ge-0/0/6" = "build01_idrac";
"ge-0/0/8" = "random01_idrac";
"ge-0/0/10" = "random02_idrac";
"ge-0/0/12" = "random03_idrac";
"ge-0/0/14" = "vault01_idrac";
"ge-0/0/1" = "hypervisor01";
"ge-0/0/3" = "hypervisor02";
"ge-0/0/5" = "hypervisor03";
"ge-0/0/7" = "build01";
"ge-0/0/9" = "random03";
"ge-0/0/47" = "psu";
"ge-0/0/46" = "psu_pdu";
"ge-0/0/45" = "pdu_32A";
};
snmp.community."public".authorization = "read-only";
}
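
Review bot: in the description map, `"ge-0/0/9" = "random03"` sits next to `"ge-0/0/8" = "random01_idrac"`, whereas every other even/odd pair names the same host (`ge-0/0/6` and `ge-0/0/7` are both `build01`), and `random03` already has its iDRAC on `ge-0/0/12`. Please check whether port 9 should read `random01`. A wrong label here is easy to carry into monitoring dashboards and alerts.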

View file

@ -16,6 +16,7 @@ lib.extra.mkConfig {
extraConfig = {
services.netbird.enable = true;
dgn-monitoring.enable = false;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};

View file

@ -11,11 +11,12 @@ lib.extra.mkConfig {
enabledServices = [
"nix-builder"
"forgejo-multiuser-runner"
];
extraConfig = {
dgn-forgejo-runners = {
nbRunners = 16;
nbRunners = 32;
dataDirectory = "/data";
};

View file

@ -0,0 +1,43 @@
# SPDX-FileCopyrightText: 2025 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
name,
pkgs,
config,
...
}:
{
services.forgejo-multiuser-nix-runners = {
enable = true;
url = "https://git.dgnum.eu";
storePath = "/data/multiuser-nix";
tokenFile = config.age.secrets."forgejo_runners-global_token_file".path;
names = [
"on-${name}"
"nix"
];
dependencies = [
pkgs.tea
];
containerOptions = [ "--cpus=4" ];
nbRunners = 8;
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
};
}
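
Review bot: `containerOptions = [ "--cpus=4" ];` caps CPU only, so a single CI job can still exhaust memory or PIDs on the host shared by the `nbRunners = 8` runners. Consider adding `--memory` and `--pids-limit` alongside it. The secret name `forgejo_runners-global_token_file` suggests an instance-wide registration token; if so, a comment stating that these runners accept jobs from any repository on `git.dgnum.eu` would make the trust boundary explicit.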

View file

@ -0,0 +1,32 @@
age-encryption.org/v1

View file

@ -1,31 +0,0 @@
age-encryption.org/v1

View file

@ -5,5 +5,5 @@
(import ../../../../keys.nix).mkSecrets
[ "build01" ]
[
"forgejo_runners-token_file"
"forgejo_runners-global_token_file"
]

View file

@ -18,6 +18,7 @@ lib.extra.mkConfig {
# INFO: This list needs to stay sorted alphabetically
"arkheon"
"dgsi"
"docuseal"
"ds-fr"
"extranix"
"grafana"
@ -28,6 +29,7 @@ lib.extra.mkConfig {
# "netbox"
"nextcloud"
"ollama-proxy"
"opengist"
"outline"
"plausible"
"postgresql"

View file

@ -40,6 +40,7 @@ let
ps.django-compressor
ps.django-htmx
ps.django-import-export
ps.django-sesame
ps.djangorestframework
ps.drf-spectacular
ps.gunicorn
@ -208,7 +209,7 @@ in
{
where = "/run/django-apps/dgsi/archives";
what = "/var/lib/django-apps/dgsi/archives";
options = "bind";
options = "bind,nofail";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
@ -217,7 +218,7 @@ in
{
where = "/run/django-apps/dgsi/media";
what = "/var/lib/django-apps/dgsi/media";
options = "bind";
options = "bind,nofail";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
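
Review bot: with `options = "bind,nofail";` on both the archives and media mounts, a failed bind mount no longer blocks anything, and nothing visible in these hunks makes `dj-dgsi.service` require the mounts. If a mount is absent, the application would write under `/run/django-apps/dgsi/`, which does not persist across reboots. If `nofail` is only there to unblock boot, consider pairing it with `RequiresMountsFor` on the service side.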

View file

@ -0,0 +1,34 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ bootstrap, ... }:
let
host = "docuseal.dgnum.eu";
port = 2500;
in
{
imports = [ ./module.nix ];
nixpkgs.overlays = [
(self: _: {
docuseal = self.callPackage (bootstrap.root + "/pkgs/by-name/docuseal") { };
})
];
services.docuseal = {
enable = true;
inherit host port;
};
dgn-web.simpleProxies.docuseal = {
inherit host port;
};
services.extranix.modules."DGNum Infrastructure".paths = [
./module.nix
];
}

View file

@ -0,0 +1,229 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe'
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
optionalAttrs
;
inherit (lib.types)
attrsOf
bool
nullOr
oneOf
package
path
port
str
;
inherit (utils) escapeSystemdExecArgs;
cfg = config.services.docuseal;
in
{
options.services.docuseal = {
enable = mkEnableOption "docuseal, an open source DocuSign alternative";
package = mkPackageOption pkgs "docuseal" { };
host = mkOption {
type = str;
description = ''
Hostname of the web server.
'';
};
port = mkOption {
type = port;
default = 3000;
description = ''
Listening port for the web server.
'';
};
environment = mkOption {
type = attrsOf (
nullOr (oneOf [
package
path
str
])
);
description = ''
Evironment variables available to Docuseal.
'';
};
environmentFile = mkOption {
type = nullOr path;
default = null;
description = ''
Path to a file containing environment variables.
'';
};
redis = {
createLocally = mkOption {
type = bool;
default = true;
description = ''
Whether to create a local redis automatically.
'';
};
};
interactScript = mkOption {
type = package;
default = pkgs.writeShellApplication {
name = "docuseal";
runtimeInputs = [
cfg.package
config.systemd.package
pkgs.util-linux
];
text = ''
MainPID=$(systemctl show -p MainPID --value docuseal.service)
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
'';
};
description = ''
Script to run docuseal tasks.
'';
};
};
config = mkIf cfg.enable {
services = {
docuseal.environment =
{
RAILS_ENV = "production";
WORKDIR = "/var/lib/docuseal";
DATABASE_URL = "postgresql:///docuseal?host=/run/postgresql";
HOST = cfg.host;
PORT = builtins.toString cfg.port;
}
// (optionalAttrs cfg.redis.createLocally {
REDIS_URL = "unix://${config.services.redis.servers.docuseal.unixSocket}";
});
postgresql = {
enable = true;
ensureDatabases = [ "docuseal" ];
ensureUsers = [
{
name = "docuseal";
ensureDBOwnership = true;
}
];
};
redis.servers.docuseal = mkIf cfg.redis.createLocally {
enable = true;
};
};
environment.systemPackages = [ cfg.interactScript ];
systemd.services.docuseal = {
description = "Docuseal";
after = [
"network.target"
"postgresql.target"
] ++ (optional cfg.redis.createLocally "redis.service");
wantedBy = [ "multi-user.target" ];
inherit (cfg) environment;
path = [ cfg.package ];
serviceConfig =
{
CacheDirectory = "docuseal";
CacheDirectoryMode = "0700";
DynamicUser = true;
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.package "bundle")
"exec"
"puma"
"-C"
"${cfg.package}/config/puma.rb"
"--dir"
cfg.package
];
LogsDirectory = "docuseal";
LogsDirectoryMode = "0700";
StateDirectory = "docuseal";
StateDirectoryMode = "0700";
SupplementaryGroups = optional cfg.redis.createLocally "redis-docuseal";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
User = "docuseal";
UMask = "0077";
WorkingDirectory = "/var/lib/docuseal";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = cfg.port >= 1024;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
}
// optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
};
};
}
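
Review bot: `MemoryDenyWriteExecute = false;` is the one sandboxing switch turned off in an otherwise strict `serviceConfig`, with no comment saying why; if the Ruby runtime needs writable-executable memory, note that next to the line so nobody flips it or copies it blindly. `AF_NETLINK` in `RestrictAddressFamilies` would benefit from the same treatment. Minor: the `environment` option description reads `Evironment`, and `interactScript` will call `nsenter -t 0` when the service is not running, so a check on `$MainPID` would give a clearer error.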

View file

@ -4,14 +4,15 @@
{
lib,
pkgs,
meta,
bootstrap,
sources,
dgn-keys,
...
}:
let
inherit (lib.extra) mkImports;
hive-root = ../../../..;
host = "search.infra.dgnum.eu";
in
{
@ -20,18 +21,28 @@ in
enableACME = true;
forceSSL = true;
};
extranix = {
enable = true;
theme = pkgs.fetchFromGitea {
domain = "git.dgnum.eu";
owner = "DGNum";
repo = "extranix-theme";
rev = "99e14ca818fb1f664a2221e1cc8394325426b446";
hash = "sha256-mDa03Y3Lf/piBzxTyiNj/8OI2rYEW5Pn99lXVL9EQmg=";
};
modules = {
"netconf" = {
paths = mkImports hive-root [
paths = mkImports bootstrap.root [
"modules/netconf"
"modules/generic"
"lib/netconf-junos"
];
path-translations = [
{
base = hive-root;
base = bootstrap.root;
url = "https://git.dgnum.eu/DGNum/infrastructure/src/branch/main/";
}
];
@ -39,11 +50,11 @@ in
"DGNum Infrastructure" =
let
# prefer a non-patched nixpkgs
infra-nixpkgs = (import "${hive-root}/bootstrap.nix").pkgs;
infra-nixpkgs = bootstrap.pkgs;
infra-modulesPath = "${infra-nixpkgs.path}/nixos/modules/";
in
{
paths = mkImports hive-root [
paths = mkImports bootstrap.root [
"modules/generic"
"modules/nixos"
];
@ -71,7 +82,7 @@ in
};
path-translations = [
{
base = hive-root;
base = bootstrap.root;
url = "https://git.dgnum.eu/DGNum/infrastructure/src/branch/main/";
}
{
@ -85,15 +96,17 @@ in
];
};
};
static-data = ./static-data;
inherit host;
index = "DGNum Infrastructure";
settings = {
baseUrl = "https://dgnum.eu/";
title = "DGNum module documentation";
languageCode = "en-us";
params = {
release_current_stable = "DGNum-Infrastructure";
logo = "images/dgnum.png";
release_switch_title = "Category";
footer_credits_line = ''
Based on <a href="https://github.com/mipmip/home-manager-option-search">Home Manager Option Search</a>
'';
@ -102,7 +115,7 @@ in
'';
main_menu = [
{
name = ''<img src="images/forgejo.png" style="display:inline-block; height:2.5em; transform:translate(0, -0.7em)" /> Source'';
name = ''<img src="images/forgejo.png" /> Source'';
url = "https://git.dgnum.eu/DGNum/infrastructure/";
}
];

Binary file not shown.

View file

@ -16,4 +16,10 @@ builtins.map pkgs.grafanaPlugins.grafanaPlugin [
version = "0.13.1";
zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
}
{
pname = "knightss27-weathermap-panel";
version = "0.4.3";
zipHash = "sha256-N0jhFKYEgU8dZCJ1txcYg0rr17+FkGJjXjwyq2TSa74=";
}
]

View file

@ -81,8 +81,7 @@ in
) meta.organization.members;
groups =
(lib.extra.genFuse (id: { "vlan_${builtins.toString (4094 - id)}".memberless = true; }) 850)
// {
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
grp-ext_cri.memberless = true;
}
@ -176,6 +175,49 @@ in
"email"
];
};
dgn_docs = {
displayName = "SuiteNumérique Docs [Docs]";
originUrl = "https://docs.lab.dgnum.eu/api/v1.0/callback/";
originLanding = "https://docs.lab.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_visio = {
displayName = "SuiteNumérique Visio [Visio]";
originUrl = "https://visio.lab.dgnum.eu/api/v1.0/callback/";
originLanding = "https://visio.lab.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_zulip = {
displayName = "Zulip [Chat]";
originUrl = "https://zulip.dgnum.eu/complete/oidc/";
originLanding = "https://zulip.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
enableLegacyCrypto = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};
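
Review bot: all three new OAuth2 clients (`dgn_docs`, `dgn_visio`, `dgn_zulip`) set `allowInsecureClientDisablePkce = true`, and `dgn_zulip` also sets `enableLegacyCrypto = true`. Both weaken the flow compared with the provider defaults, so each should carry a comment naming the client-side limitation that forces it, so the flags can be dropped when the application catches up. The scope maps grant `openid`, `profile` and `email` to all of `grp_active`; confirm that every active member is meant to reach the two `lab` services.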

View file

@ -23,7 +23,19 @@ in
hostname = host;
settings = { };
settings = {
auth.socialite = {
configs.kanidm = {
listener = "\\SocialiteProviders\\Kanidm\\KanidmExtendSocialite";
client_id = "$KANIDM_CLIENT_ID";
client_secret = "$KANIDM_CLIENT_SECRET";
redirect = "$KANIDM_REDIRECT_URI";
base_url = "$KANIDM_BASE_URL";
};
default_role = "normal";
register = true;
};
};
database = {
createLocally = true;
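
Review bot: `register = true;` together with `default_role = "normal";` means the first login of any account Kanidm lets through creates a LibreNMS user with that role. The access decision then rests entirely on the Kanidm side, which is not visible in this hunk; a comment pointing at the scope map that gates this client would make that explicit. The `$KANIDM_*` values look like placeholders substituted at runtime; it is worth stating where the substitution happens so the client secret is known to stay out of the store.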

View file

@ -80,3 +80,11 @@ index 3d89a1530..a00c5f307 100644
{
"name": "socialiteproviders/manager",
"version": "v4.6.0",
index 3d89a1530..a00c5f307 100644
--- a/app/Providers/EventServiceProvider.php
+++ b/app/Providers/EventServiceProvider.php
@@ -33,3 +33,4 @@
\SocialiteProviders\Manager\SocialiteWasCalled::class => [
+ \SocialiteProviders\Kanidm\KanidmExtendSocialite::class.'@handle',
\App\Listeners\SocialiteWasCalledListener::class,
],

View file

@ -0,0 +1,30 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, nixpkgs, ... }:
let
host = "gist.dgnum.eu";
in
{
services.opengist = {
enable = true;
inherit host;
package = nixpkgs.nixos.unstable.opengist;
environmentFile = config.age.secrets."opengist-environment_file".path;
settings = {
gitea.url = "https://git.dgnum.eu";
};
};
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
};
}

View file

@ -1,28 +1,30 @@
age-encryption.org/v1

View file

@ -1,30 +1,30 @@
age-encryption.org/v1

View file

@ -1,28 +1,29 @@
age-encryption.org/v1

View file

@ -1,24 +1,29 @@
age-encryption.org/v1

View file

@ -1,27 +1,28 @@
age-encryption.org/v1

View file

@ -1,24 +1,29 @@
age-encryption.org/v1

View file

@ -0,0 +1,29 @@
age-encryption.org/v1

View file

@ -1,26 +1,30 @@
age-encryption.org/v1

View file

@ -1,28 +1,28 @@
age-encryption.org/v1

View file

@ -1,28 +1,29 @@
age-encryption.org/v1

View file

@ -1,30 +1,30 @@
age-encryption.org/v1

View file

@ -25,6 +25,7 @@
"netbox-environment_file"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"opengist-environment_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"

View file

@ -0,0 +1,139 @@
<!--
SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# ISO Installation
Once the iso is booted, there are several steps to take:
## Partition the disk
## Mount the partions
```bash
mount $rootDevice /mnt
mkdir /mnt/boot
mount $bootDevice /mnt/boot
swapon $swapDevice
nixos-generate-config --root /mnt
```
## Setup the base configuration
```bash
export NIX="/mnt/etc/nixos/"
mv $NIX/configuration.nix $NIX/base-configuration.nix
```
Edit a new file `configuration.nix` with the following contents:
```nix
{ pkgs, ... }:
{
imports = [ ./base-configuration.nix ];
boot = {
tmp.cleanOnBoot = true;
};
console.keyMap = "fr";
time.timeZone = "Europe/Paris";
environment.systemPackages = with pkgs; [
neovim
wget
kitty.terminfo
];
# Activate SSH and set the keys
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = [ ./rootKeys ];
}
```
### ZFS setup
If ZFS is to be installed (e.g. for large servers), add to the configuration:
```nix
boot = {
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = false;
zfs.extraPools = [
...
];
};
networking.hostId = ...;
```
Where the list of pools to include is obtained with:
```bash
zpool list -Ho name | sed 's/^/"/;s/$/"/'
```
and the host id with:
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
## Setup the network configuration
Add the network configuration:
```nix
networking = {
hostName = "${name}";
domain = "${site}.infra.dgnum.eu";
useNetworkd = true;
};
systemd.network.networks = {
"10-${interface}" = {
name = ${interface};
address = [ "${address}/${prefix}" ];
routes = [ { Gateway = "..." ; GatewayOnLink = true; } ];
dns = [ ... ];
};
};
```
If the default DNS are accessible, set them to:
```nix
[
"1.1.1.1#cloudflare-dns.com"
"8.8.8.8#dns.google"
"1.0.0.1#cloudflare-dns.com"
"8.8.4.4#dns.google"
]
```
Otherwise (in Jourdan especially), set them to the local DNS.
## Copy the ssh keys
```bash
cp /etc/ssh/authorized_keys.d/root $NIX/rootKeys
```
## Perform the installation
```bash
nixos-install
```
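
Review bot: in the network snippet, `name = ${interface};` is not valid Nix because the interpolation sits outside a string; it should read `name = "${interface}";`. The "Partition the disk" section is a heading with no steps under it, and the next heading spells "partitions" as "partions". The `1.1.1.1#cloudflare-dns.com` style entries carry a TLS server name, so the guide should say whether DNS-over-TLS is expected to be enabled on the installed host, otherwise the suffix is just noise for the reader. It would also help to state that `rootKeys` must be non-empty before `nixos-install`, since the base configuration sets `PasswordAuthentication = false` and root would otherwise have no way in over SSH.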

View file

@ -0,0 +1,59 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
modulesPath,
lib,
...
}:
let
inherit (lib) mkForce;
in
{
imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
];
isoImage.squashfsCompression = ''zstd -Xcompression-level 1'';
age-secrets.sources = mkForce [ ];
dgn-records.enable = false;
dgn-monitoring.enable = false;
dgn-notify.enable = false;
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = {
exfat = true;
zfs = true;
};
swraid.enable = mkForce false;
};
networking = {
networkmanager.enable = true;
wireless.enable = false;
};
console.keyMap = "fr";
environment.systemPackages = with pkgs; [
perl
git
];
programs.zsh.enable = true;
services = {
openssh.enable = true;
qemuGuest.enable = true;
getty.autologinUser = mkForce "root";
};
}
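
Review bot: `openssh.enable = true` and `getty.autologinUser = mkForce "root"` give this image a listening SSH daemon and a root shell on the console, but nothing in this file sets `PasswordAuthentication` or the root authorized keys. Please set them here or add a comment naming the module that does, because the install guide copies `/etc/ssh/authorized_keys.d/root` from the running ISO and silently depends on that file existing. A short comment on why the console autologin is acceptable for this image (who is expected to have console access) would also help.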

View file

@ -0,0 +1,45 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
];
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
# Machine learning API machine
"microvm-ml01"
"microvm-router01"
"nvidia-tesla-k80"
"ollama"
"whisper"
"proxmox"
"networking"
];
extraConfig = {
microvm = {
host.enable = true;
};
dgn-hardware = {
useZfs = true;
zfsPools = [
"dpool"
"ppool0"
];
};
# We are going to use CUDA here.
nixpkgs.config.cudaSupport = true;
hardware.graphics.enable = true;
services.netbird.enable = true;
networking.firewall.trustedInterfaces = [ "wt0" ];
};
root = ./.;
}
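
Review bot: `enabledServices` carries `# INFO: This list needs to stay sorted alphabetically`, yet `"whisper"`, `"proxmox"` and `"networking"` follow `"ollama"` out of order; please sort the list. Separately, `networking.firewall.trustedInterfaces = [ "wt0" ]` accepts all traffic arriving on the NetBird interface, so every service on this hypervisor is reachable by any peer on that network. If only a few ports are needed, open them per interface instead, or add a comment explaining why blanket trust is intended on a host that also runs the microVMs and Proxmox.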

View file

@ -0,0 +1,50 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
fsType = "ext4";
};
boot.initrd.luks.devices."mainfs" = {
device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
keyFileSize = 1;
keyFile = "/dev/zero";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/280C-8844";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
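
Review bot: in `boot.initrd.luks.devices."mainfs"`, `keyFile = "/dev/zero"` with `keyFileSize = 1` means the volume unlocks with a single zero byte, a key that anyone holding the disk can supply, so the LUKS layer provides no confidentiality at rest. If this is a deliberate placeholder to allow unattended boot until a real key is enrolled, say so in a comment and record how and when the slot gets replaced; otherwise point `keyFile` at a real key source. The file also lacks the SPDX header that the other new files in this change carry.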

View file

@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_: {
microvm.autostart = [ "ml01" ];
microvm.vms.ml01 = {
config = {
networking.hostName = "ml01";
system.stateVersion = "24.11";
microvm = {
hypervisor = "cloud-hypervisor";
vcpu = 4;
mem = 4096;
balloonMem = 2048;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
};
}

View file

@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_: {
microvm.autostart = [ "router01" ];
microvm.vms.router01 = {
config = {
networking.hostName = "router01";
system.stateVersion = "24.11";
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
}

View file

@ -0,0 +1,54 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
systemd.network = {
networks = {
"10-eno1" = {
matchConfig.Name = [ "eno1" ];
networkConfig = {
Bridge = "vmbr0";
};
};
"50-vmbr0" = {
matchConfig.Name = "vmbr0";
linkConfig.RequiredForOnline = "routable";
};
"50-vmbr1" = {
matchConfig.Name = "vmbr1";
linkConfig.RequiredForOnline = "routable";
bridgeVLANs = [
{
VLAN = [
"2510" # NAT
"2501" # Managment
"2520" # MW DMZ
"2530" # HE DMZ
];
}
];
};
};
netdevs = {
"50-vmbr0" = {
netdevConfig = {
Name = "vmbr0";
Kind = "bridge";
};
};
"50-vmbr1" = {
netdevConfig = {
Name = "vmbr1";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = true;
};
};
};
};
}
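
Review bot: `"50-vmbr1"` sets `linkConfig.RequiredForOnline = "routable"`, but nothing in this file assigns the bridge an address or attaches a port to it (only `eno1` is bridged, and to `vmbr0`), so it may never reach the routable state and can hold up network-online at boot. Either drop the requirement for `vmbr1` or add a comment saying where its members and addressing are configured. `vmbr0` likewise shows no address or DHCP setting here, which deserves the same comment. Minor: "Managment" in the VLAN 2501 comment should be "Management".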

View file

@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{
nixpkgs.config.nvidia.acceptLicense = true;
# Tesla K80 is not supported by the latest driver.
hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
# Don't ask.
services.xserver.videoDrivers = [ "nvidia" ];
}
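
Review bot: the `# Don't ask.` comment above `services.xserver.videoDrivers = [ "nvidia" ];` hides the reason for a line that looks wrong on a headless server and is likely to be removed by the next person cleaning up. Please replace it with the actual reason; if it is that NixOS only enables the NVIDIA kernel driver when this option lists "nvidia", say exactly that. The `nvidia_x11_legacy470` pin should also note how driver updates for this legacy branch will be followed, since the host exposes the GPU to services.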

View file

@ -0,0 +1,247 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
buildGoModule,
fetchFromGitHub,
buildEnv,
linkFarm,
overrideCC,
makeWrapper,
stdenv,
addDriverRunpath,
nix-update-script,
cmake,
gcc11,
clblast,
libdrm,
rocmPackages,
cudaPackages,
darwin,
autoAddDriverRunpath,
extraLibraries ? [ ],
nixosTests,
testers,
ollama,
ollama-rocm,
ollama-cuda,
config,
# one of `[ null false "rocm" "cuda" ]`
acceleration ? null,
}:
assert builtins.elem acceleration [
null
false
"rocm"
"cuda"
];
let
pname = "ollama";
version = "2024-09-10-cc35";
src = fetchFromGitHub {
owner = "aliotard";
repo = "ollama";
rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
fetchSubmodules = true;
};
vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
"both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
"but they are mutually exclusive; falling back to cpu"
]) (!(config.rocmSupport && config.cudaSupport));
shouldEnable =
mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
rocmRequested = shouldEnable "rocm" config.rocmSupport;
cudaRequested = shouldEnable "cuda" config.cudaSupport;
enableRocm = rocmRequested && stdenv.isLinux;
enableCuda = cudaRequested && stdenv.isLinux;
rocmLibs = [
rocmPackages.clr
rocmPackages.hipblas
rocmPackages.rocblas
rocmPackages.rocsolver
rocmPackages.rocsparse
rocmPackages.rocm-device-libs
rocmPackages.rocm-smi
];
rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
rocmPath = buildEnv {
name = "rocm-path";
paths = rocmLibs ++ [ rocmClang ];
};
cudaLibs = [
cudaPackages.cuda_cudart
cudaPackages.libcublas
cudaPackages.cuda_cccl
];
cudaToolkit = buildEnv {
name = "cuda-merged";
paths = map lib.getLib cudaLibs ++ [
(lib.getOutput "static" cudaPackages.cuda_cudart)
(lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
];
};
metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
Accelerate
Metal
MetalKit
MetalPerformanceShaders
];
wrapperOptions =
[
# ollama embeds llama-cpp binaries which actually run the ai models
# these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
# LD_LIBRARY_PATH is temporarily required to use the gpu
# until these llama-cpp binaries can have their runpath patched
"--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
]
++ lib.optionals enableRocm [
"--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
"--set-default HIP_PATH '${rocmPath}'"
]
++ lib.optionals enableCuda [
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
];
wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
goBuild =
if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
inherit (lib) licenses platforms maintainers;
in
goBuild {
inherit
pname
version
src
vendorHash
;
env =
lib.optionalAttrs enableRocm {
ROCM_PATH = rocmPath;
CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
}
// lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
// {
CMAKE_CUDA_ARCHITECTURES = "35;37";
};
nativeBuildInputs =
[ cmake ]
++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
++ lib.optionals (enableRocm || enableCuda) [
makeWrapper
autoAddDriverRunpath
]
++ lib.optionals stdenv.isDarwin metalFrameworks;
buildInputs =
lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
++ lib.optionals enableCuda cudaLibs
++ lib.optionals stdenv.isDarwin metalFrameworks;
patches = [
# disable uses of `git` in the `go generate` script
# ollama's build script assumes the source is a git repo, but nix removes the git directory
# this also disables necessary patches contained in `ollama/llm/patches/`
# those patches are applied in `postPatch`
./disable-git.patch
];
postPatch = ''
# replace inaccurate version number with actual release version
substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
# apply ollama's patches to `llama.cpp` submodule
for diff in llm/patches/*; do
patch -p1 -d llm/llama.cpp < $diff
done
'';
overrideModAttrs = _: _: {
# don't run llama.cpp build in the module fetch phase
preBuild = "";
};
preBuild = ''
# disable uses of `git`, since nix removes the git directory
export OLLAMA_SKIP_PATCHING=true
# build llama.cpp libraries for ollama
go generate ./...
'';
postFixup =
''
# the app doesn't appear functional at the moment, so hide it
mv "$out/bin/app" "$out/bin/.ollama-app"
''
+ lib.optionalString (enableRocm || enableCuda) ''
# expose runtime libraries necessary to use the gpu
wrapProgram "$out/bin/ollama" ${wrapperArgs}
'';
ldflags = [
"-s"
"-w"
"-X=github.com/ollama/ollama/version.Version=${version}"
"-X=github.com/ollama/ollama/server.mode=release"
"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
];
passthru = {
tests =
{
inherit ollama;
version = testers.testVersion {
inherit version;
package = ollama;
};
}
// lib.optionalAttrs stdenv.isLinux {
inherit ollama-rocm ollama-cuda;
service = nixosTests.ollama;
service-cuda = nixosTests.ollama-cuda;
service-rocm = nixosTests.ollama-rocm;
};
updateScript = nix-update-script { };
};
meta = {
description =
"Get up and running with large language models locally"
+ lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
+ lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
homepage = "https://github.com/ollama/ollama";
changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
license = licenses.mit;
platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
mainProgram = "ollama";
maintainers = with maintainers; [
abysssol
dit7ya
elohmeier
roydubnium
];
};
}
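Review bot: The `-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3` and `CudaComputeMinorMin=5` entries in `ldflags` are set unconditionally, so CPU-only and ROCm builds carry the lowered CUDA floor too. They also only take effect if the source contains the string variables introduced by the K80 patch: the Go linker ignores `-X` for a symbol that does not exist, so a missing patch would not fail the build, and the `patches` list visible here contains only `./disable-git.patch`. Consider gating the two flags on `enableCuda` and making the derivation fail if the K80 patch is not applied. In the `postPatch` loop, `$diff` should be quoted.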


@ -0,0 +1,179 @@
From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Tue, 8 Oct 2024 18:27:41 +0200
Subject: [PATCH] K80 support
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
docs/development.md | 6 +++-
docs/gpu.md | 1 +
gpu/amd_linux.go | 6 +++-
gpu/gpu.go | 63 ++++++++++++++++++++++++++++++++++++-----
scripts/build_docker.sh | 2 +-
scripts/build_linux.sh | 2 +-
6 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/docs/development.md b/docs/development.md
index 2f7b9ecf..9da35931 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
or installation approach uses unusual paths, you can specify the location by
specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
-a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
+a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
+
+To support GPUs older than Compute Capability 5.0, you will need to use an older version of
+the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11). When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`. To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
+
Then generate dependencies:
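Review bot: The `export GOFLAGS=...` example in the added paragraph lists only the two `gpu.CudaCompute*Min` overrides, and because the build scripts in this patch switch to `${GOFLAGS:-...}`, following it verbatim replaces the default and drops `-X=github.com/ollama/ollama/version.Version=$VERSION` and `server.mode=release` from the build. The example should carry those two flags as well. The paragraph also says "two environment variable" but gives a value only for `GOFLAGS`; an explicit `CMAKE_CUDA_ARCHITECTURES` value for the tested card would make the step reproducible.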
diff --git a/docs/gpu.md b/docs/gpu.md
index a6b559f0..66627611 100644
--- a/docs/gpu.md
+++ b/docs/gpu.md
@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
| 5.0 | GeForce GTX | `GTX 750 Ti` `GTX 750` `NVS 810` |
| | Quadro | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M` |
+For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
### GPU Selection
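Review bot: In the added line the link text reads `developer.md` while the target is `./development.md#linux-cuda-nvidia`; the text should match the file name so readers searching the docs tree find the right file.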
diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
index 6b08ac2e..768fb97a 100644
--- a/gpu/amd_linux.go
+++ b/gpu/amd_linux.go
@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
return []GpuInfo{}
}
- if int(major) < RocmComputeMin {
+ minVer, err := strconv.Atoi(RocmComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
+ }
+ if int(major) < minVer {
slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
continue
}
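Review bot: When `strconv.Atoi(RocmComputeMajorMin)` fails, the added code logs the error and carries on with `minVer` at 0, so `int(major) < minVer` is never true and the minimum-version filter is silently disabled for every device. Fall back to the previous default of 9, or skip the device, on a parse error. The conversion also sits inside the per-GPU loop (see the surrounding `continue`), so it can be done once before the loop.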
diff --git a/gpu/gpu.go b/gpu/gpu.go
index 781e23df..60d68c33 100644
--- a/gpu/gpu.go
+++ b/gpu/gpu.go
@@ -16,6 +16,7 @@ import (
"os"
"path/filepath"
"runtime"
+ "strconv"
"strings"
"sync"
"unsafe"
@@ -38,9 +39,11 @@ const (
var gpuMutex sync.Mutex
// With our current CUDA compile flags, older than 5.0 will not work properly
-var CudaComputeMin = [2]C.int{5, 0}
+// (string values used to allow ldflags overrides at build time)
+var CudaComputeMajorMin = "5"
+var CudaComputeMinorMin = "0"
-var RocmComputeMin = 9
+var RocmComputeMajorMin = "9"
// TODO find a better way to detect iGPU instead of minimum memory
const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
var memInfo C.mem_info_t
resp := []GpuInfo{}
- // NVIDIA first
- for i := 0; i < gpuHandles.deviceCount; i++ {
- // TODO once we support CPU compilation variants of GPU libraries refine this...
- if cpuVariant == "" && runtime.GOARCH == "amd64" {
- continue
+ // Load ALL libraries
+ cHandles = initCudaHandles()
+ minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
+ }
+ minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
+ }
+
+ // NVIDIA
+ for i := range cHandles.deviceCount {
+ if cHandles.cudart != nil || cHandles.nvcuda != nil {
+ gpuInfo := CudaGPUInfo{
+ GpuInfo: GpuInfo{
+ Library: "cuda",
+ },
+ index: i,
+ }
+ var driverMajor int
+ var driverMinor int
+ if cHandles.cudart != nil {
+ C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
+ } else {
+ C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
+ driverMajor = int(cHandles.nvcuda.driver_major)
+ driverMinor = int(cHandles.nvcuda.driver_minor)
+ }
+ if memInfo.err != nil {
+ slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
+ C.free(unsafe.Pointer(memInfo.err))
+ continue
+ }
+
+ if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
+ slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
+ continue
+ }
+ gpuInfo.TotalMemory = uint64(memInfo.total)
+ gpuInfo.FreeMemory = uint64(memInfo.free)
+ gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
+ gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
+ gpuInfo.MinimumMemory = cudaMinimumMemory
+ gpuInfo.DependencyPath = depPath
+ gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
+ gpuInfo.DriverMajor = driverMajor
+ gpuInfo.DriverMinor = driverMinor
+
+ // TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
+ cudaGPUs = append(cudaGPUs, gpuInfo)
}
gpuInfo := GpuInfo{
Library: "cuda",
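Review bot: Both `strconv.Atoi` calls at the top of the added block only log on failure, leaving `minMajorVer` and `minMinorVer` at 0, so a malformed `-X` value turns the "CUDA GPU is too old" check into a no-op instead of keeping the 5.0 floor; fall back to the defaults or return early. Two further points in the same hunk: `for i := range cHandles.deviceCount` ranges over an integer, which needs Go 1.22 or later, and the new `gpuInfo := CudaGPUInfo{` block is followed by the unchanged `gpuInfo := GpuInfo{` context line, so the old per-device construction appears to remain after the new one. The `cpuVariant == "" && runtime.GOARCH == "amd64"` skip is removed without a stated reason.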
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index e91c56ed..c03bc25f 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
# We use 2 different image repositories to handle combining architecture images into multiarch manifest
# (The ROCm image is x86 only and is not a multiarch manifest)
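Review bot: With `${GOFLAGS:-...}` any `GOFLAGS` already present in the caller's environment replaces the whole default, so a CI runner or shell that exports an unrelated `GOFLAGS` now produces an image without `version.Version` and `server.mode=release`, and nothing reports it. A dedicated variable for extra `-X` flags, appended to the fixed defaults, would keep the release flags non-optional. The same applies to the identical change in `scripts/build_linux.sh`.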
diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
index 27c4ff1f..e7e6d0dd 100755
--- a/scripts/build_linux.sh
+++ b/scripts/build_linux.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
--
2.46.0


@ -0,0 +1,26 @@
From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:37:08 +0200
Subject: [PATCH] fix: sm_37 for nvcc
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2ccb750..70dfd9b 100644
--- a/Makefile
+++ b/Makefile
@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
ifdef CUDA_DOCKER_ARCH
MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
else ifndef CUDA_POWER_ARCH
- MK_NVCCFLAGS += -arch=native
+ MK_NVCCFLAGS += -arch=sm_37
endif # CUDA_DOCKER_ARCH
ifdef GGML_CUDA_FORCE_DMMV
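Review bot: Replacing `-arch=native` with `-arch=sm_37` hardcodes one card generation for every build that sets neither `CUDA_DOCKER_ARCH` nor `CUDA_POWER_ARCH`. The branch just above already accepts `CUDA_DOCKER_ARCH` and adds `-Wno-deprecated-gpu-targets`, so setting `CUDA_DOCKER_ARCH=sm_37` in the build environment would select the same architecture without carrying a patch. If the patch stays, the commit message should say why `native` does not work for this build.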
--
2.46.0


@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
meta,
name,
nixpkgs,
...
}:
{
services = {
ollama = {
enable = true;
host = meta.network.${name}.netbirdIp;
package = pkgs.callPackage ./package.nix {
# HACK: Our GPU is not supported by cuda >= 12.0, and nixos-25.05 dropped cuda < 12.0
cudaPackages = nixpkgs.nixos."24.11".cudaPackages_11;
# We need to thread our nvidia x11 driver for CUDA.
extraLibraries = [ config.hardware.nvidia.package ];
};
};
};
}
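Review bot: `cudaPackages = nixpkgs.nixos."24.11".cudaPackages_11` pins the CUDA stack to an older release while the comment itself notes that nixos-25.05 dropped it, and the `HACK` comment does not say what would allow the pin to be removed or who tracks fixes for it; a link to a tracking issue would help. Separately, `host = meta.network.${name}.netbirdIp` makes the service listen on the VPN address and nothing in this file limits which peers may connect, so the access restriction should be stated here or referenced.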


@ -0,0 +1,20 @@
diff --git c/llm/generate/gen_common.sh i/llm/generate/gen_common.sh
index 3825c155..238a74a7 100644
--- c/llm/generate/gen_common.sh
+++ i/llm/generate/gen_common.sh
@@ -69,6 +69,7 @@ git_module_setup() {
}
apply_patches() {
+ return
# apply temporary patches until fix is upstream
for patch in ../patches/*.patch; do
git -c 'user.name=nobody' -c 'user.email=<>' -C ${LLAMACPP_DIR} am ${patch}
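Review bot: The bare `return` added as the first statement of `apply_patches` passes on the exit status of whatever command ran before the call, so the function can report failure without having done anything; use `return 0`. The same applies to the `return` added in `cleanup`. Since `preBuild` in the package also exports `OLLAMA_SKIP_PATCHING=true`, a comment saying which of the two mechanisms is relied on would avoid confusion.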
@@ -133,6 +134,7 @@ install() {
# Keep the local tree clean after we're done with the build
cleanup() {
+ return
(cd ${LLAMACPP_DIR}/ && git checkout CMakeLists.txt)
if [ -n "$(ls -A ../patches/*.diff)" ]; then

Some files were not shown because too many files have changed in this diff