From a8d6acf0bbafc4919ead9962ef3404db8ea42225 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 13 Apr 2026 09:25:42 +0200 Subject: [PATCH 1/2] ofborg: merge ofborg-infrastructure into this repo The ofborg machines were maintained in a separate NixOS/ofborg-infrastructure repo that already consumed this one as a flake input for shared modules and ssh-keys. Keeping two repos in lockstep created drift and double-locking, so fold the ofborg NixOS hosts (core01, eval01-04, build01-05) into non-critical-infra and the five MacStadium darwin builders into macs/. References to inputs.infra are rewritten to local relative paths now that the indirection is gone. The ofborg and ofborg-viewer flakes become direct inputs so the ofborg builders and core services keep evaluating unchanged. The ofborg hosts are registered in colmena alongside the existing non-critical machines so a single hive covers everything. The hydra builders on these hosts now use inputs.hydra-staging (NixOS/hydra) instead of the helsinki-systems/hydra-queue-runner fork (incorporating NixOS/ofborg-infrastructure#18), so client and server are built from the same tree. The duplicated per-host services.queue-builder-dev / sops blocks are factored into non-critical-infra/modules/hydra/builder.nix. Secrets are copied verbatim with their sops creation rules and host age keys merged into the existing .sops.yaml files; cole-h's ssh and age keys are dropped while at it. CI gains per-architecture ofborg jobs that build all hosts of one arch in a single nix-fast-build run via a new ciSystems flake output, since the fleet shares almost its entire closure and splitting per host would rebuild it repeatedly. 
--- .github/workflows/ci.yml | 54 ++++++++ checks/flake-module.nix | 37 +++++- flake.lock | 38 ++++++ flake.nix | 11 ++ macs/.sops.yaml | 58 +++++++++ macs/flake-module.nix | 57 ++++++++- macs/mac-exec | 6 + macs/mac-update | 6 + ...t-nixos-foundation-macstadium-44911104.crt | 12 ++ ...t-nixos-foundation-macstadium-44911207.crt | 12 ++ ...t-nixos-foundation-macstadium-44911305.crt | 12 ++ ...t-nixos-foundation-macstadium-44911362.crt | 12 ++ ...t-nixos-foundation-macstadium-44911507.crt | 12 ++ macs/ofborg-common.nix | 79 ++++++++++++ macs/ofborg-queue-builder.nix | 28 +++++ macs/ofborg.nix | 29 +++++ macs/profiles/ofborg-m1.nix | 8 ++ macs/profiles/ofborg-x86_64.nix | 8 ++ .../nixos-foundation-macstadium-44911104.yml | 63 ++++++++++ .../nixos-foundation-macstadium-44911207.yml | 63 ++++++++++ .../nixos-foundation-macstadium-44911305.yml | 63 ++++++++++ .../nixos-foundation-macstadium-44911362.yml | 63 ++++++++++ .../nixos-foundation-macstadium-44911507.yml | 63 ++++++++++ non-critical-infra/.sops.yaml | 118 ++++++++++++++++++ non-critical-infra/flake-module.nix | 12 ++ .../hosts/build01.ofborg.org/client.crt | 11 ++ .../hosts/build01.ofborg.org/default.nix | 54 ++++++++ .../hosts/build01.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/build01.ofborg.org/hardware.nix | 9 ++ .../hosts/build02.ofborg.org/client.crt | 11 ++ .../hosts/build02.ofborg.org/default.nix | 54 ++++++++ .../hosts/build02.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/build02.ofborg.org/hardware.nix | 9 ++ .../hosts/build03.ofborg.org/client.crt | 11 ++ .../hosts/build03.ofborg.org/default.nix | 54 ++++++++ .../hosts/build03.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/build03.ofborg.org/hardware.nix | 9 ++ .../hosts/build04.ofborg.org/client.crt | 11 ++ .../hosts/build04.ofborg.org/default.nix | 54 ++++++++ .../hosts/build04.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/build04.ofborg.org/hardware.nix | 9 ++ .../hosts/build05.ofborg.org/client.crt | 11 ++ 
.../hosts/build05.ofborg.org/default.nix | 56 +++++++++ .../hosts/build05.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/build05.ofborg.org/hardware.nix | 18 +++ .../hosts/core01.ofborg.org/default.nix | 55 ++++++++ .../hosts/core01.ofborg.org/disko.nix | 68 ++++++++++ .../core01.ofborg.org/evaluation-filter.nix | 67 ++++++++++ .../github-comment-filter.nix | 69 ++++++++++ .../github-comment-poster.nix | 69 ++++++++++ .../github-webhook-receiver.nix | 80 ++++++++++++ .../log-message-collector.nix | 69 ++++++++++ .../hosts/core01.ofborg.org/log-viewer.nix | 102 +++++++++++++++ .../hosts/core01.ofborg.org/nginx.nix | 13 ++ .../hosts/core01.ofborg.org/rabbitmq.nix | 71 +++++++++++ .../hosts/eval01.ofborg.org/default.nix | 44 +++++++ .../hosts/eval01.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/eval01.ofborg.org/hardware.nix | 18 +++ .../hosts/eval02.ofborg.org/client.crt | 11 ++ .../hosts/eval02.ofborg.org/default.nix | 56 +++++++++ .../hosts/eval02.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/eval02.ofborg.org/hardware.nix | 18 +++ .../hosts/eval03.ofborg.org/client.crt | 11 ++ .../hosts/eval03.ofborg.org/default.nix | 56 +++++++++ .../hosts/eval03.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/eval03.ofborg.org/hardware.nix | 18 +++ .../hosts/eval04.ofborg.org/client.crt | 11 ++ .../hosts/eval04.ofborg.org/default.nix | 57 +++++++++ .../hosts/eval04.ofborg.org/disko.nix | 64 ++++++++++ .../hosts/eval04.ofborg.org/hardware.nix | 18 +++ non-critical-infra/modules/hydra/builder.nix | 37 ++++++ non-critical-infra/modules/ofborg/builder.nix | 92 ++++++++++++++ non-critical-infra/modules/ofborg/common.nix | 33 +++++ .../modules/ofborg/evaluator.nix | 91 ++++++++++++++ .../modules/ofborg/github-tokens.nix | 16 +++ .../modules/ofborg/harmonia.nix | 71 +++++++++++ .../modules/ofborg/ofborg-config.nix | 94 ++++++++++++++ .../secrets/github-tokens.ofborg.org.yml | 104 +++++++++++++++ .../secrets/ofborg.build01.ofborg.org.yml | 65 ++++++++++ 
.../secrets/ofborg.build02.ofborg.org.yml | 65 ++++++++++ .../secrets/ofborg.build03.ofborg.org.yml | 65 ++++++++++ .../secrets/ofborg.build04.ofborg.org.yml | 65 ++++++++++ .../secrets/ofborg.build05.ofborg.org.yml | 65 ++++++++++ .../secrets/ofborg.core01.ofborg.org.yml | 72 +++++++++++ .../secrets/ofborg.eval01.ofborg.org.yml | 67 ++++++++++ .../secrets/ofborg.eval02.ofborg.org.yml | 66 ++++++++++ .../secrets/ofborg.eval03.ofborg.org.yml | 66 ++++++++++ .../secrets/ofborg.eval04.ofborg.org.yml | 66 ++++++++++ 88 files changed, 4060 insertions(+), 2 deletions(-) create mode 100644 macs/.sops.yaml create mode 100644 macs/ofborg-ca/client-nixos-foundation-macstadium-44911104.crt create mode 100644 macs/ofborg-ca/client-nixos-foundation-macstadium-44911207.crt create mode 100644 macs/ofborg-ca/client-nixos-foundation-macstadium-44911305.crt create mode 100644 macs/ofborg-ca/client-nixos-foundation-macstadium-44911362.crt create mode 100644 macs/ofborg-ca/client-nixos-foundation-macstadium-44911507.crt create mode 100644 macs/ofborg-common.nix create mode 100644 macs/ofborg-queue-builder.nix create mode 100644 macs/ofborg.nix create mode 100644 macs/profiles/ofborg-m1.nix create mode 100644 macs/profiles/ofborg-x86_64.nix create mode 100644 macs/secrets/nixos-foundation-macstadium-44911104.yml create mode 100644 macs/secrets/nixos-foundation-macstadium-44911207.yml create mode 100644 macs/secrets/nixos-foundation-macstadium-44911305.yml create mode 100644 macs/secrets/nixos-foundation-macstadium-44911362.yml create mode 100644 macs/secrets/nixos-foundation-macstadium-44911507.yml create mode 100644 non-critical-infra/hosts/build01.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/build01.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/build01.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/build01.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/build02.ofborg.org/client.crt create mode 100644 
non-critical-infra/hosts/build02.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/build02.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/build02.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/build03.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/build03.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/build03.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/build03.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/build04.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/build04.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/build04.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/build04.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/build05.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/build05.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/build05.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/build05.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/evaluation-filter.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/github-comment-filter.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/github-comment-poster.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/github-webhook-receiver.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/log-message-collector.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/log-viewer.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/nginx.nix create mode 100644 non-critical-infra/hosts/core01.ofborg.org/rabbitmq.nix create mode 100644 non-critical-infra/hosts/eval01.ofborg.org/default.nix create mode 100644 
non-critical-infra/hosts/eval01.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/eval01.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/eval02.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/eval02.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/eval02.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/eval02.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/eval03.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/eval03.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/eval03.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/eval03.ofborg.org/hardware.nix create mode 100644 non-critical-infra/hosts/eval04.ofborg.org/client.crt create mode 100644 non-critical-infra/hosts/eval04.ofborg.org/default.nix create mode 100644 non-critical-infra/hosts/eval04.ofborg.org/disko.nix create mode 100644 non-critical-infra/hosts/eval04.ofborg.org/hardware.nix create mode 100644 non-critical-infra/modules/hydra/builder.nix create mode 100644 non-critical-infra/modules/ofborg/builder.nix create mode 100644 non-critical-infra/modules/ofborg/common.nix create mode 100644 non-critical-infra/modules/ofborg/evaluator.nix create mode 100644 non-critical-infra/modules/ofborg/github-tokens.nix create mode 100644 non-critical-infra/modules/ofborg/harmonia.nix create mode 100644 non-critical-infra/modules/ofborg/ofborg-config.nix create mode 100644 non-critical-infra/secrets/github-tokens.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.build01.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.build02.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.build03.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.build04.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.build05.ofborg.org.yml create mode 100644 
non-critical-infra/secrets/ofborg.core01.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.eval01.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml create mode 100644 non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a42afa9..b7446cc2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -75,6 +75,60 @@ jobs:
 name: nixos-infra-dev
 authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
 - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel'
+ # ofborg machines share most of their closure, so build all of one arch in a
+ # single job to reuse the store between them.
+ nixos-ofborg-x86_64:
+ name: NixOS ofborg (x86_64)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+ - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+ with:
+ name: nixos-infra-dev
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-x86_64-linux'
+ nixos-ofborg-aarch64:
+ name: NixOS ofborg (aarch64)
+ runs-on: ubuntu-22.04-arm
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+ - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+ with:
+ name: nixos-infra-dev
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-aarch64-linux'
+ nix-darwin-ofborg:
+ name: nix-darwin ofborg (aarch64)
+ runs-on: macos-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+ - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+ with:
+ name: nixos-infra-dev
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ - run: nix run --inputs-from . 
nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-aarch64-darwin'
+ nix-darwin-ofborg-x86_64:
+ name: nix-darwin ofborg (x86_64)
+ runs-on: macos-15-intel
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
+ - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
+ with:
+ name: nixos-infra-dev
+ authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.ofborg-x86_64-darwin'
 nix-darwin:
 runs-on: macos-latest
 strategy:
diff --git a/checks/flake-module.nix b/checks/flake-module.nix
index bc09ad43..f0cbd8ae 100644
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
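Review bot: The four jobs `nixos-ofborg-x86_64`, `nixos-ofborg-aarch64`, `nix-darwin-ofborg` and `nix-darwin-ofborg-x86_64` differ only in their name, `runs-on` and the `.#ciSystems.<group>` attribute, so the three SHA-pinned action steps are copied four more times and every future action bump has to touch five places. The surrounding jobs already use `strategy.matrix` (the `nix-darwin` job's `strategy:` is visible as trailing context), so one job with an `include:` list of group/runner pairs keeps the same builds and the pins in one place. `fail-fast: false` preserves the current behaviour that one architecture failing does not cancel the others.
```yaml
  nixos-ofborg:
    name: ofborg (${{ matrix.target }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - { target: ofborg-x86_64-linux, os: ubuntu-latest }
          - { target: ofborg-aarch64-linux, os: ubuntu-22.04-arm }
          - { target: ofborg-aarch64-darwin, os: macos-latest }
          - { target: ofborg-x86_64-darwin, os: macos-15-intel }
    steps:
      # … unchanged: checkout, install-nix-action and cachix-action steps …
      - run: nix run --inputs-from . nixpkgs#nix-fast-build -- --skip-cached --no-nom --flake '.#ciSystems.${{ matrix.target }}'
```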
@@ -1,5 +1,40 @@
-{ ... }:
+{ self, lib, ... }:
 {
+ # Group machine toplevels by architecture so CI can build all hosts of one
+ # arch in a single nix-fast-build invocation (the ofborg fleet in particular
+ # shares almost its entire closure). Hosts are listed explicitly to avoid
+ # forcing evaluation of every configuration just to learn its system.
+ flake.ciSystems =
+ let
+ nixos = names: lib.genAttrs names (n: self.nixosConfigurations.${n}.config.system.build.toplevel);
+ darwin = names: lib.genAttrs names (n: self.darwinConfigurations.${n}.config.system.build.toplevel);
+ in
+ {
+ ofborg-x86_64-linux = nixos [
+ "core01.ofborg.org"
+ "build01.ofborg.org"
+ "build02.ofborg.org"
+ "build03.ofborg.org"
+ "build04.ofborg.org"
+ ];
+ ofborg-aarch64-linux = nixos [
+ "eval01.ofborg.org"
+ "eval02.ofborg.org"
+ "eval03.ofborg.org"
+ "eval04.ofborg.org"
+ "build05.ofborg.org"
+ ];
+ ofborg-aarch64-darwin = darwin [
+ "nixos-foundation-macstadium-44911207"
+ "nixos-foundation-macstadium-44911104"
+ ];
+ ofborg-x86_64-darwin = darwin [
+ "nixos-foundation-macstadium-44911305"
+ "nixos-foundation-macstadium-44911362"
+ "nixos-foundation-macstadium-44911507"
+ ];
+ };
+
 perSystem =
 { self', lib, ... }:
 {
diff --git a/flake.lock b/flake.lock
index f070d7d7..4eaceb4e 100644
--- a/flake.lock
+++ b/flake.lock
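Review bot: `flake.ciSystems` names the ten ofborg NixOS hosts by hand, so a host added to `nixosConfigurations` later is silently left out of CI and a renamed one only fails once the build job tries to evaluate it. The comment says the list is explicit to avoid evaluating every configuration, but `lib.attrNames self.nixosConfigurations` only touches the attribute set's keys, not the configurations, so the list can be checked cheaply against the `*.ofborg.org` names with an `assert lib.assertMsg` (assuming that naming convention holds for all ofborg hosts); the darwin groups could be checked the same way against the `nixos-foundation-macstadium-*` names. Separately, the new `{ self, lib, ... }:` header means the unchanged `perSystem = { self', lib, ... }:` below now shadows the module-level `lib`, which is harmless but worth a glance.
```nix
  flake.ciSystems =
    let
      # … unchanged: nixos / darwin helpers …
      linuxX86 = [ "core01.ofborg.org" "build01.ofborg.org" "build02.ofborg.org" "build03.ofborg.org" "build04.ofborg.org" ];
      linuxAarch64 = [ "eval01.ofborg.org" "eval02.ofborg.org" "eval03.ofborg.org" "eval04.ofborg.org" "build05.ofborg.org" ];
      # attrNames only needs the set's keys, so no host configuration is evaluated here.
      ofborgHosts = lib.filter (lib.hasSuffix ".ofborg.org") (lib.attrNames self.nixosConfigurations);
      inSync = lib.naturalSort (linuxX86 ++ linuxAarch64) == lib.naturalSort ofborgHosts;
    in
    assert lib.assertMsg inSync "checks/flake-module.nix: ofborg host list is out of sync with nixosConfigurations";
    {
      ofborg-x86_64-linux = nixos linuxX86;
      ofborg-aarch64-linux = nixos linuxAarch64;
      # … unchanged: darwin groups …
    };
```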
@@ -506,6 +506,42 @@ "type": "github" } }, + "ofborg": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1775142351, + "narHash": "sha256-HdnxJRJnPvlE4jqkivzd+zKVlsew4prfOz4cAkpkwyc=", + "owner": "NixOS", + "repo": "ofborg", + "rev": "f5c1e00707d3ebd232d114b2732783d36a9dc17f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "ofborg", + "type": "github" + } + }, + "ofborg-viewer": { + "flake": false, + "locked": { + "lastModified": 1736528671, + "narHash": "sha256-g4BK1MP8LPBEesMdRavl6eqJcKPIQg6FWs4XSbzObq4=", + "owner": "NixOS", + "repo": "ofborg-viewer", + "rev": "bb4ad97f2bd431e113698fce3a4a988f5d713019", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "ofborg-viewer", + "type": "github" + } + }, "rfc39": { "inputs": { "nixpkgs": [ @@ -543,6 +579,8 @@ "nixpkgs": "nixpkgs", "nixpkgs-swh": "nixpkgs-swh", "nixpkgs-unstable": "nixpkgs-unstable", + "ofborg": "ofborg", + "ofborg-viewer": "ofborg-viewer", "rfc39": "rfc39", "simple-nixos-mailserver": "simple-nixos-mailserver", "sops-nix": "sops-nix", diff --git a/flake.nix b/flake.nix index 4859d8e7..eb8a6278 100644 --- a/flake.nix +++ b/flake.nix @@ -106,6 +106,17 @@ url = "github:nix-community/nixpkgs-swh"; inputs.nixpkgs.follows = "nixpkgs"; }; + + ofborg = { + url = "github:NixOS/ofborg"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + ofborg-viewer = { + url = "github:NixOS/ofborg-viewer"; + flake = false; + }; + }; outputs = inputs@{ flake-parts, ... }: diff --git a/macs/.sops.yaml b/macs/.sops.yaml new file mode 100644 index 00000000..f87a0ba7 --- /dev/null +++ b/macs/.sops.yaml 
@@ -0,0 +1,58 @@
+keys:
+ - &hexa age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x
+ - &simon age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua
+ - &dasJ age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz
+ - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &mic92-mac age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h
+ - &nixos-foundation-macstadium-44911305-ofborg-org age1x608lllmu7gdfjnn6c8mvmmguft5f22fu7g38wv3ckmzqy2usq0q5u2ekx
+ - &nixos-foundation-macstadium-44911362-ofborg-org age1d0u5ukkwsf47x4jv6uklcc4j3ljnmyz879syya2qneagz0t42cqqyf09dt
+ - &nixos-foundation-macstadium-44911507-ofborg-org age1s0m24l3s29jr345uxk5j8zq7kd4sln3rvf0pdtd6afum3smtxsyqtjra0z
+ - &nixos-foundation-macstadium-44911207-ofborg-org age1f6u77gvh94fk5fdh53lp04nk87cvjmwy2q3hjdlhd83mhlp0jg0s7rupux
+ - &nixos-foundation-macstadium-44911104-ofborg-org age14gkxeqaehj2m38sesnc6fyd4c3hqjt7tqjz6q7lrult3uaahxcysdxt67n
+
+creation_rules:
+ - path_regex: secrets/nixos-foundation-macstadium-44911305.yml
+ key_groups:
+ - age:
+ - *nixos-foundation-macstadium-44911305-ofborg-org
+ - *hexa
+ - *simon
+ - *dasJ
+ - *mic92
+ - *mic92-mac
+ - path_regex: secrets/nixos-foundation-macstadium-44911362.yml
+ key_groups:
+ - age:
+ - *nixos-foundation-macstadium-44911362-ofborg-org
+ - *hexa
+ - *simon
+ - *dasJ
+ - *mic92
+ - *mic92-mac
+ - path_regex: secrets/nixos-foundation-macstadium-44911507.yml
+ key_groups:
+ - age:
+ - *nixos-foundation-macstadium-44911507-ofborg-org
+ - *hexa
+ - *simon
+ - *dasJ
+ - *mic92
+ - *mic92-mac
+ - path_regex: secrets/nixos-foundation-macstadium-44911207.yml
+ key_groups:
+ - age:
+ - *nixos-foundation-macstadium-44911207-ofborg-org
+ - *hexa
+ - *simon
+ - *dasJ
+ - *mic92
+ - *mic92-mac
+ - path_regex: secrets/nixos-foundation-macstadium-44911104.yml
+ key_groups:
+ - age:
+ - *nixos-foundation-macstadium-44911104-ofborg-org
+ - *hexa
+ - *simon
+ - *dasJ
+ - *mic92
+ - *mic92-mac
diff --git a/macs/flake-module.nix b/macs/flake-module.nix
index 6ac2ac34..bb9acdda 100644
--- a/macs/flake-module.nix
+++ b/macs/flake-module.nix
@@ -34,5 +34,60 @@
 # M2 8C, 24G, 1TB (Oakhost)
 eager-heisenberg = mkNixDarwin "eager-heisenberg" ./profiles/m2.large.nix;
 kind-lumiere = mkNixDarwin "kind-lumiere" ./profiles/m2.large.nix;
- };
+ }
+ // inputs.nixpkgs.lib.listToAttrs (
+ map
+ (cfg: {
+ name = cfg.hostname;
+ value = inputs.darwin.lib.darwinSystem {
+ system = "${cfg.system}-darwin";
+
+ specialArgs = {
+ inherit inputs;
+ };
+
+ modules = [
+ ./ofborg-common.nix
+ ./profiles/${cfg.profile or "ofborg-${cfg.system}"}.nix
+ "${inputs.sops-nix}/modules/nix-darwin"
+ { networking.hostName = cfg.hostname; }
+ ];
+ };
+ })
+ [
+ # MacStadium ofborg builders
+ {
+ hostname = "nixos-foundation-macstadium-44911305";
+ system = "x86_64";
+ ip = "208.83.1.173";
+ # 12 CPU cores, 32 GB RAM, 500 GB disk
+ }
+ {
+ hostname = "nixos-foundation-macstadium-44911362";
+ system = "x86_64";
+ ip = "208.83.1.175";
+ # 12 CPU cores, 32 GB RAM, 500 GB disk
+ }
+ {
+ hostname = "nixos-foundation-macstadium-44911507";
+ system = "x86_64";
+ ip = "208.83.1.186";
+ # 12 CPU cores, 32 GB RAM, 500 GB disk
+ }
+ {
+ hostname = "nixos-foundation-macstadium-44911207";
+ system = "aarch64";
+ profile = "ofborg-m1";
+ ip = "208.83.1.145";
+ # 8 CPU cores, 16 GB RAM, 256 GB disk
+ }
+ {
+ hostname = "nixos-foundation-macstadium-44911104";
+ system = "aarch64";
+ profile = "ofborg-m1";
+ ip = "208.83.1.181";
+ # 8 CPU cores, 16 GB RAM, 256 GB disk
+ }
+ ]
+ );
 }
diff --git a/macs/mac-exec b/macs/mac-exec
index cd827bd0..3e21643c 100755
--- a/macs/mac-exec
+++ b/macs/mac-exec
@@ -9,6 +9,12 @@ HOSTS=(
 "customer@eager-heisenberg.mac.nixos.org"
 "customer@kind-lumiere.mac.nixos.org"
 "root@norwegian-blue.mac.nixos.org"
+ # ofborg (MacStadium)
+ "root@mac01.ofborg.org"
+ "root@mac02.ofborg.org"
+ "root@mac03.ofborg.org"
+ "root@mac04.ofborg.org"
+ "root@mac05.ofborg.org"
 )
 
 PIDS=()
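Review bot: Every host entry in the new `listToAttrs` list carries an `ip` attribute, but the mapping function only reads `cfg.hostname`, `cfg.system` and `cfg.profile`, so the five addresses are dead data that nothing validates and that will drift unnoticed; either drop them or feed them into something that is deployed. The `macs/mac-exec` hunk below and the `macs/mac-update` hunk address what are presumably the same five machines as `root@mac01.ofborg.org` … `root@mac05.ofborg.org`, while the configurations are keyed `nixos-foundation-macstadium-*`, and nothing in the patch records which `mac0N` alias belongs to which MacStadium id; a comment per entry such as `# mac01.ofborg.org` (or a field the scripts could be generated from) would make the two lists checkable against each other. The existing entries above use `mkNixDarwin` whereas these call `inputs.darwin.lib.darwinSystem` directly; if `mkNixDarwin` (defined outside this hunk) differs only in its module list, reusing it would keep a single construction path.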
diff --git a/macs/mac-update b/macs/mac-update index 489e9fba..122a1cc0 100755 --- a/macs/mac-update +++ b/macs/mac-update @@ -17,5 +17,11 @@ update hetzner@sweeping-filly.mac.nixos.org update customer@eager-heisenberg.mac.nixos.org update customer@kind-lumiere.mac.nixos.org update root@norwegian-blue.mac.nixos.org +# ofborg (MacStadium) +update root@mac01.ofborg.org +update root@mac02.ofborg.org +update root@mac03.ofborg.org +update root@mac04.ofborg.org +update root@mac05.ofborg.org wait "${PIDS[@]}" diff --git a/macs/ofborg-ca/client-nixos-foundation-macstadium-44911104.crt b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911104.crt new file mode 100644 index 00000000..3f424020 --- /dev/null +++ b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911104.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7kwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMTA0MCowBQYDK2VwAyEAwg81We0emvtttglMSqZALqqHPQGkpM3j21+z +ikmyM/6jQjBAMB0GA1UdDgQWBBS5ahdd+XKK/AI8jN7fdXWo6oYn0zAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQAG5KMpDZ9Od7v42Qcx +jpmEu9sSUB0XMzN0XYkIwIgRDK7jEmG1CbX19Vco1eBiA+MW+JFCmJP7JBM1lHx3 ++BwO +-----END CERTIFICATE----- diff --git a/macs/ofborg-ca/client-nixos-foundation-macstadium-44911207.crt b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911207.crt new file mode 100644 index 00000000..76f2f983 --- /dev/null +++ b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911207.crt 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7gwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMjA3MCowBQYDK2VwAyEAeyeFq3u3hksc07IGBITcq0/go+iD4+DriPSb +yAq+/nyjQjBAMB0GA1UdDgQWBBS/UHOeRtG8+xozoDTcYxcMpVYjzzAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQCFQNs1ZiKpnY60MdFn +H7NaQ7Jis0n665CjKWFKIEFdr2C+UZovnzSZYfl9UqxGjb3udfUK/6Z4Rqbf6cGH +SRAP +-----END CERTIFICATE----- diff --git a/macs/ofborg-ca/client-nixos-foundation-macstadium-44911305.crt b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911305.crt new file mode 100644 index 00000000..8d22085e --- /dev/null +++ b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911305.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7UwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMzA1MCowBQYDK2VwAyEAQ6HvVxrDKl8JIAli/QNz8Ot4zcR9biiQOcQI +mZLgekGjQjBAMB0GA1UdDgQWBBTTHQ/eJCYE8KTgVfhRq0RQThpONDAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQDuIgw6XDf2Bpg2dFGz +0GvVRlIDbv6paOdZDKhPqKuZIvXgYK6xtXJyYkODtPgkLjTkIufyX79o7zwtJATP +oAwH +-----END CERTIFICATE----- diff --git a/macs/ofborg-ca/client-nixos-foundation-macstadium-44911362.crt b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911362.crt new file mode 100644 index 00000000..4d451509 --- /dev/null +++ b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911362.crt 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7YwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMzYyMCowBQYDK2VwAyEA70JtJD1NetW22ggjqF6LY8plCNn4jpMJm1Aa +I0JoImOjQjBAMB0GA1UdDgQWBBQEVVeckjstcg3RWqa7G884FbpnvzAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQBcdGmZ0e69HfUN8E/1 +sQfFeaqwzX5jc3RhHnjViLP4OUcqWnYeqAT+ELwaucOdkMp47SgJIaUn12FEG+i/ +oC4C +-----END CERTIFICATE----- diff --git a/macs/ofborg-ca/client-nixos-foundation-macstadium-44911507.crt b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911507.crt new file mode 100644 index 00000000..34eb6295 --- /dev/null +++ b/macs/ofborg-ca/client-nixos-foundation-macstadium-44911507.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7cwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExNTA3MCowBQYDK2VwAyEAy7uGuWSpwuj249gR5+4Z0U9fFcQNQYXB8cGM +SaNAK7mjQjBAMB0GA1UdDgQWBBQQPGitG4ehKYgnAVlV3yO7DlglZjAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQAitINnRMRBXE/eAl5Y +04zfMZKBo1Q81v7j4KtrylRfo/qWyotdm/9erqqoIqwyRjoGn2Sr7eKNvs7oo8Hx +3t0M +-----END CERTIFICATE----- diff --git a/macs/ofborg-common.nix b/macs/ofborg-common.nix new file mode 100644 index 00000000..4635df82 --- /dev/null +++ b/macs/ofborg-common.nix 
@@ -0,0 +1,79 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+ }:
+ {
+ imports = [
+ ./ofborg.nix
+ ./ofborg-queue-builder.nix
+ ];
+
+ environment.systemPackages = [
+ config.nix.package
+ pkgs.nix-top
+ ];
+
+ system.stateVersion = 5;
+ ids.gids.nixbld = 30000;
+
+ programs = {
+ zsh = {
+ enable = true;
+ enableCompletion = false;
+ };
+ bash = {
+ enable = true;
+ completion.enable = true;
+ };
+ };
+
+ nix = {
+ settings = {
+ extra-experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ max-silent-time = 7200; # 2h
+ timeout = 43200; # 12h
+ };
+ gc = {
+ automatic = true;
+ interval = {
+ # hourly at the 15th minute
+ Minute = 15;
+ };
+ # ensure up to 125G free space every hour
+ options = "--max-freed $(df -k /nix/store | awk 'NR==2 {available=$4; required=125*1024*1024; to_free=required-available; printf \"%.0d\", to_free*1024}')";
+ };
+ };
+
+ # Manage user for ofborg, this enables creating/deleting users
+ # depending on what modules are enabled.
+ users = {
+ users.ofborg.home = "/private/var/lib/ofborg";
+ users.root = {
+ # bash doesn't export /run/current-system/sw/bin to $PATH,
+ # which we need for nix-store
+ shell = "/bin/zsh";
+ # Not part of the infra team
+ openssh.authorizedKeys.keys = (import ../ssh-keys.nix).infra ++ [
+ # Not part of the infra team
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM35Bq87SBWrEcoDqrZFOXyAmV/PJrSSu3hl3TdVvo4C janne"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPK/3rYhlIzoPCsPK38PMdK1ivqPaJgUqWwRtmxdKZrO ✏️"
+ ];
+ };
+ };
+
+ system.activationScripts.postActivation.text = ''
+ printf "disabling spotlight indexing... "
+ mdutil -i off -d / &> /dev/null
+ mdutil -E / &> /dev/null
+ echo "ok"
+ '';
+
+ services.prometheus.exporters.node.enable = true;
+ # https://github.com/LnL7/nix-darwin/issues/1256
+ users.users._prometheus-node-exporter.home = lib.mkForce "/private/var/lib/prometheus-node-exporter";
+}
diff --git a/macs/ofborg-queue-builder.nix b/macs/ofborg-queue-builder.nix
new file mode 100644
index 00000000..2cd7db34
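Review bot: The `users.root.openssh.authorizedKeys.keys` list grants root login on every ofborg mac to two keys outside `ssh-keys.nix`, and the second is labelled only `✏️`, which leaves no way to tell whose key it is when it needs to be revoked; give it the owner's handle as the key comment, as the `janne` entry has. The comment `# Not part of the infra team` is also duplicated: the copy above the assignment is wrong for the `(import ../ssh-keys.nix).infra` half of the list, so keep only the copy inside the appended list. Since this file already imports `../ssh-keys.nix`, moving both keys there under a dedicated attribute (for instance an `ofborgMacs` list next to `infra`) would leave one auditable place for who can reach these builders as root, which the `root@mac0N.ofborg.org` entries in `macs/mac-exec` and `macs/mac-update` rely on.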
--- /dev/null
+++ b/macs/ofborg-queue-builder.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ inputs,
+ ...
+ }:
+
+ {
+ imports = [
+ inputs.hydra-staging.darwinModules.builder
+ ];
+
+ services.hydra-queue-builder-dev = {
+ enable = true;
+ queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
+ maxJobs = 2;
+ mtls = {
+ serverRootCaCertPath = ../non-critical-infra/hosts/staging-hydra/ca.crt;
+ clientCertPath = "${./ofborg-ca/client-${config.networking.hostName}.crt}";
+ clientKeyPath = config.sops.secrets."queue-runner-client.key".path;
+ domainName = "queue-runner.staging-hydra.nixos.org";
+ };
+ };
+
+ sops.secrets."queue-runner-client.key" = {
+ owner = "hydra-queue-builder";
+ sopsFile = ./secrets/${config.networking.hostName}.yml;
+ };
+}
diff --git a/macs/ofborg.nix b/macs/ofborg.nix
new file mode 100644
index 00000000..2e26d8ff
--- /dev/null
+++ b/macs/ofborg.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+ }:
+
+ {
+ imports = [
+ ../non-critical-infra/modules/ofborg/ofborg-config.nix
+ ];
+
+ services.ofborg = {
+ enable = true;
+ package = pkgs.ofborg;
+ configFile = "/etc/ofborg.json";
+ };
+
+ nixpkgs.overlays = [
+ (_self: super: {
+ ofborg = inputs.ofborg.packages.${super.stdenv.hostPlatform.system}.pkg;
+ })
+ ];
+
+ sops.secrets."ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg";
+ sopsFile = ./secrets/${config.networking.hostName}.yml;
+ };
+}
diff --git a/macs/profiles/ofborg-m1.nix b/macs/profiles/ofborg-m1.nix
new file mode 100644
index 00000000..4e1f273a
--- /dev/null
+++ b/macs/profiles/ofborg-m1.nix
@@ -0,0 +1,8 @@
+{
+ # 8 Cores, 16 GB RAM, 256 GB Disk
+ # split into 4 jobs with 2C/4G
+ nix.settings = {
+ cores = 2;
+ max-jobs = 4;
+ };
+}
diff --git a/macs/profiles/ofborg-x86_64.nix b/macs/profiles/ofborg-x86_64.nix
new file mode 100644
index 00000000..7259b626
--- /dev/null
+++ b/macs/profiles/ofborg-x86_64.nix
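Review bot: The `mtls` block pairs the sops-managed `queue-runner-client.key` with a per-host certificate read from `./ofborg-ca/client-<hostname>.crt`, but nothing in this module or in the `macs/ofborg-ca/` directory records who issues these certificates, how long they live, or how one is revoked; the validity fields embedded in the added `.crt` files appear to decode to a lifetime running from 2025 to 2075. A client credential that long-lived is effectively permanent, so a decommissioned or compromised builder keeps its access to `queue-runner.staging-hydra.nixos.org` until the CA operator revokes it out of band. A short comment above `mtls = {` naming the issuing CA, the intended lifetime and where the rotation/revocation procedure lives would make this reviewable, e.g. `# client certs are issued by the staging-hydra CA (see non-critical-infra/hosts/staging-hydra); rotate/revoke via <PROCEDURE-LOCATION>`. `inputs.hydra-staging` is not among the inputs added by this patch's `flake.nix` hunk, so it is presumably pre-existing; worth confirming the lock already pins it.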
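Review bot: `services.ofborg.package = pkgs.ofborg;` only resolves to the flake's build because the `nixpkgs.overlays` entry a few lines below rebinds `ofborg`, which hides where the binary comes from behind an overlay over the whole package set. Setting `package = inputs.ofborg.packages.${pkgs.stdenv.hostPlatform.system}.pkg;` and dropping the overlay states the same thing in one place; if other modules on these hosts depend on `pkgs.ofborg` being overridden, a comment on the overlay saying so would justify keeping it. `configFile = "/etc/ofborg.json"` relies on `../non-critical-infra/modules/ofborg/ofborg-config.nix` producing that file, which is outside this hunk.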
@@ -0,0 +1,8 @@
+{
+ # 12 Cores, 32GB RAM, 1 TB Disk
+ # split into 4 jobs with 3C/8G
+ nix.settings = {
+ cores = 3;
+ max-jobs = 4;
+ };
+}
diff --git a/macs/secrets/nixos-foundation-macstadium-44911104.yml b/macs/secrets/nixos-foundation-macstadium-44911104.yml
new file mode 100644
index 00000000..cd1d05bc
--- /dev/null
+++ b/macs/secrets/nixos-foundation-macstadium-44911104.yml
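Review bot: The header comment `# 12 Cores, 32GB RAM, 1 TB Disk` contradicts the host entries this same patch adds to `macs/flake-module.nix`, which describe the three x86_64 MacStadium machines as `12 CPU cores, 32 GB RAM, 500 GB disk`, so one of the two is stale. Settle on the correct figure and use it in both places, e.g. `# 12 Cores, 32 GB RAM, 500 GB Disk`, or drop the disk size here since it plays no part in the `cores`/`max-jobs` split the profile encodes.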
@@ -0,0 +1,63 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:TNzUCf83Bu6FxoXLbjWjcKGvPPJePRY6IGcPNfRKMPGcyShRyZC3Tw+fGfPXZCZjK08=,iv:mII0yPL75KlZ+t8+pCCE70pKVufXYO8C7ExGNLd0qfY=,tag:x0NLpX6KNBEjZzxumTs2QQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:gpDEcEtSZARUHnv1cuH8NrmWOAMuxN/oTS5gxXBNUg4Y5RRttGnpu7SxTQtim5aD/yYDiw7W9gdQujSWNMTbqRPv4iwWwDjMecObPGbkRRd1vhSG3or2VItvahzvU3H7pl8B9UfOz8rYNz/4psV7OXD6yRksD/E=,iv:aWQG160Du+YMSstFibT1LlR/ttP4xZznDYhjNKGPnqY=,tag:OSvpvrXz3np8SuNmSWTIrw==,type:str] +sops: + age: + - recipient: age14gkxeqaehj2m38sesnc6fyd4c3hqjt7tqjz6q7lrult3uaahxcysdxt67n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFT1FRa1p1WkxRQ1VwWCti + MS9qZHdSMTdKajNwQmhGWlhxTVFTZDNxS1RrCkl3KytxTnBzYWtCeWtCSmZ3TG1o + dThaNTRFUjNLWTFzelQ3L3R2Q29VNzQKLS0tIDM4dEZOZmxuSmVBNlVEenkzNTNh + bU5JZkNoaEY4TjE1bFhxZTB0b1NkODQKp/7Pq3nHqqywVc6KyRaNgRJYS+kvCQ+2 + g7CjJxnRrAsf9zamKbJIBFPRjqwXX48GigVnly5s/lW2+nT3Gu4m5A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4a3VpbmZiRnR5U3FSU0dO + c1VaWWNVa3VRWXBFb28zaCtrb2MxMm04N0Z3CjdYSGRGa0RHWUlhVWZXcDBvRGVn + K3Zaak43Z2tGR0FFVi9nN3BqMXpVQUEKLS0tIHBHTDdzTVRoU1VRdi9BUW1tWnRL + ZjdvNFJVTlI0VmNXK3AwMlhIc2V3a1EKdTneIVCqt0b5wfGIar+A32pqezcn+J3r + +rqhD7k5oW1gus7Fi9JI/fkLjJW1ak9S/kmOpwSNoYmC+EJrPepg8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaU5EakpaaGVCTitucDhz + enowMUhyc1EzQ0dCcUtIRU1Bclk2T25ZbkJJCjlJQS81MlEyVnM3Q0xNWlczVXRB + K05iOFdqNEc0dFdDblliRHVCbWtXZ28KLS0tIEhPR0lkeUtOMlNiMVZpcDlzcS91 + QXhGZmFPQzVrSlNwamJQUXNEWk1DOUEKpt/RBqQ/WJYtPM7/7hS0RdHtWFaCcrEP + YWkaqPePY+jK85d/+0kW3CTGSefOJ119qKgG77l/kcQGtP6OsJKm6Q== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFeU1KNVF3VUtiYWNwQWt4 + ZHFzUi9PcFRpa1dOTjllZUczaGNUaXBDdGlBCkVkUDhvTTBnSDAyWmdmUndTVlla + N0cwckwwVWE3Yys0amNCTTJUMmtBR0EKLS0tIFFUV0R3T2RDaENtalFpYWFDYm5O + cEdZbjFYUXlrWmxXcSsyRVlrcmR2d1kKYld95q8VvDPDbtAFT6d58HT/q0nSYA0Q + PRylkunDAXS+5HjPxECZNVcX85eHyr+mFI/ju6enMVLkXqH87R3WkQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WjQ1NzZEdU52OXBkK3kw + TTI4am9OS1l4SC9meWpKYmZ6RTlzQkd4Tm1VCkYvUXFDOVJzazFsejNlZ3diTXZG + ZE9VMnFkVm5SMWw0L3RSQVhjdG51Nk0KLS0tIHdRci9MS0dRcS9zTCtxSEVBdThk + UFZlcGFaVm9ITE9NQSt2RGRsN0gwdWsKZMYNlfUgZUfYxxzUkPptVM25zbGRMT/7 + SVpwY5X1oZBfD4DjnTtTt99Ld8ayje7hfBH+H20AIRbCKTh/qmj7/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNM1FaQTVMKzRhVm5yaUlP + cFhpa05vLy93dTZpakhiMGw0WWtYbjV5T2pnCjZ1NGJGd0FxQlhKOTF1bVkxMmE2 + MHlDRlpkeWdUZ0p2YXVVS1owbGdFYjQKLS0tIG5vV08rQ0xUbzVob3pibzdOOWFH + UHh5aTJxejFIand6aVZwdHVxL2R6KzgKUO9lByaF3qwAK5V9gVEFOiTfTS14dYVt + VqE2s5GjDI9hRCDeeDdzjdL3y4AYKlobk9JQmL5cD4IngtL0DkoAVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-31T15:04:36Z" + mac: ENC[AES256_GCM,data:TjaB9/dPyn475bNxqLjm0UBNYPG7/iIJOWK1UUJF/jQun1jSw5faMSiaLhlfexHF1gal+WCUGcFUyslXX90kAB+GD4G0YWdze7tmjTZCtMers+Xw/WWQ7OKzFsZIj3Z8HCvVOlYCqlGRZ7/cZkjC2N7vT1M6CXuH2S7U8MDhBn4=,iv:u+VjOO4ketXDMku6HCVW2VphWRF4XsHoTRfaHVmt6F0=,tag:N95UaNh7a88aU5cnl1tdDQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 
diff --git a/macs/secrets/nixos-foundation-macstadium-44911207.yml b/macs/secrets/nixos-foundation-macstadium-44911207.yml new file mode 100644 index 00000000..4697f828 --- /dev/null +++ b/macs/secrets/nixos-foundation-macstadium-44911207.yml 
@@ -0,0 +1,63 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:tK1jDNt1X3f/o9bJ0iFHLtxQa5z6V77ohmhnd82BDlpRZva2Y65vHuvSL9bRmVnGUvI=,iv:rHvNCmujJd3WK6mwx1heRBFgnLlokCvtOPD/BESUxkA=,tag:AWjfYJcLBiT5v8T7C2edPg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:B17aFR6BGeJaZXhmZr8WhKeu6VEbWTiKs+ZprwlJZkH2w9y6Ve5c4liLwpe9E0J1ELyhL0o3AnnTIo/42d9KpD9Cb+k4y6XAzj8UyPvQlMxN5+3ZKjpdkhEj/jFH3z/OXBgh7fEvrbjeNsAR67MCr7U8j02cPIo=,iv:fKx1Y4H/SCZQIW0bLP3gwHVx/ae1kPgZgUXtfMgNdT0=,tag:0Zlc1qHr7aUECHp9lK/vEw==,type:str] +sops: + age: + - recipient: age1f6u77gvh94fk5fdh53lp04nk87cvjmwy2q3hjdlhd83mhlp0jg0s7rupux + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRW9XMXZxZlZPbW8ya0Ix + Umt1RjFsTHdrQUx3M1YyUG1zb2pmeVRRcTFrClFNNEFVS1lrL0luUjZNaFp3VmJs + cGxyMmN1N2gyMVRwU0VmbDVqLzNNS28KLS0tIGUxeE1RQmlSMTVKY2hVUVFsbnhV + YytLL1hVTFJZZWlKaCs0a2J4RXE0N1EK5u7iNulm1XDEdbwtbtIQz71/DYiE4f1A + 0KteNJQvG61ko07U/Zoxap4Vgxrvxos3pbWy2VcAbL3r35KgBzzO3A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2aE92MXZjb3A0b0VtSG9o + WUNwcEpFYzJCdE1BQU9xSzh6Q1o2TEF1L1RVCmg0enVlOUsydGh2dXdmbkQrblZo + M1JQOFpEbGNoTXRuQ2pWaHAyQ2twUkEKLS0tIHhERUdwdUEvQXBIS2V0YThnU0di + L2lrVDBwTjhHSFljZys4cXJLMks1ZmsK7PvI+nD3dvzFzj2WdUVZWRWeaBS5nKRE + scE2HzwrvRPyfYxLgTnm0gQB24akX6B75YP1MpIZpJ+Mhao83iJpSw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3o3S01DWllwQVpJRTBV + VnFvUHc5eEdEcjlvbHZFK29PdndqaVRqb1VRCklyMWpCc0RXelNiUU9aeStqbWZj + YktienMyL2x1ZFJ1WGhGZWwvVmpTTkkKLS0tIHVrK3RkQUxPaHdNanh5Sy9XMWhO + SGxsb1RrakR1WFlZM2tXUHJwK1FVeWcKbm1qMcVGjCzVWPtoo0WUy7cfjxGK8JQm + ckNGQQVgXjaWKO15qRgcqWnmCLDckv/dwsBIuBrwwN+B0uFOaWsnKg== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQlhUZ1lIRkQrTXU4Umxq + Wi9pZmdZV1NzaXFNZGhuT08vY3dBUE1CTFNvCnloZllOZ3ViMjNOQTQvTGY0emU2 + MWpQZ1ZoZTJwZUhsSHF1TDQvSHV0R2MKLS0tIGFUMXNRMnprRmlqYm1qSVhLSExn + WDJLRzRGMHJhYUIzRGptVnlRVTJxT28KOXZoTt5hAplGcQVXcOii6kgqf6iHMrPi + wURFQPnTHZRrnqENltVG0cQufzToYyHd4rlm9ewgzES2/nBq96oB+A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2S0p6RE53UTdmVTdLbjBT + TzVicXovdmlHUFJhczFQMkFGdE1VSWpFMVJVCmx4SkJPOFNLZjFycFZWYlB5WXpy + RmhtajhJMkJidVFabGRMakl4bkEvOFkKLS0tIFRLOCtzRnRQM1FEelAyZ0xCbVN2 + SkdYT3NycktzWDU0R2xLeGVtaEhqUnMKiWA/CPYZrhrgKMtOYWS38+cBmgoPQ8o/ + 7qvXqciFPr3TCxTidPG42VViQT6SzD2ursZx02h167Z0GA6+0p0Elg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNUZKUnNWWjZva1dRR21h + TTZPVyt6cjdsbkFQbVhhNFlveHp6WTFhWHhNCkZLeXkzeFhMZWFhVFNiSm13Z0hJ + WTIwRDdWV1JnSVlQNTl3TENsZktld00KLS0tIERrTXpsTXZyQWtVam1FMUdDYWJK + VnRRT1ZHeHVZOCtBb0p4MkNXQjhzbWMK+WLYiDuhpOHTpHFjmdMGipmxtiTh/6ls + lzC8CEN2682xNxYkAVnyqLHKFR5lEDHpDoDwvNk0jTn8Fj3d4odCZw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-31T15:04:59Z" + mac: ENC[AES256_GCM,data:yE2/xv0LltDZBaD2gI3I+L09cG8/czVgXGDdDZt12dAzzsMsY3CKlss/3K4zD/G1p2Afdp85ZNzxbbUvcpShT35L/XWAviLrP6PqV1YYAromFb03G4nBpOyOlpXWmjPP7JBo2oGK1yg5hjMwomLd7vb2OaBtXQ0EZ2X+i4vmC68=,iv:YTiZDnLON9nS63vGYj3w+Dsw4CCsd/C31B9A/EhQeTc=,tag:zGZ997oabhCg0PqRa+J9WA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 
diff --git a/macs/secrets/nixos-foundation-macstadium-44911305.yml b/macs/secrets/nixos-foundation-macstadium-44911305.yml new file mode 100644 index 00000000..4b16346c --- /dev/null +++ b/macs/secrets/nixos-foundation-macstadium-44911305.yml 
@@ -0,0 +1,63 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:LopQz4a7gvobT1l6DvWmyCK1oOzBeYUbZobS5akNAwCsR+TtpkyskNwXUHryyPB92ag=,iv:dFxyhuDgQg7JWtpIIAc0PthhCzEfgY/D3HAzS0l9euA=,tag:mJOAr44Ax1TdA3t/gTzyhQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:SzIMMeauP8SjTXYob9WL+ARUMZh89luhlt5vQoyrQwqoCPUV7Nw+9t7uRxBuDmGAPWxCw/rt0faYRc+6GdqKDIuK+hiiGcjGTWFiakxCSS0jcewtDv+iaxr7ZqJVtmiz788yZvg+3DQ1jPZUTBmxd+Hl2scfb8k=,iv:tFRD6oP4x54WqDazJTC7TeG87MDXwvJtutqoj4IE9LM=,tag:k2ICj2TdWbZ6gT93vAjOTA==,type:str] +sops: + age: + - recipient: age1x608lllmu7gdfjnn6c8mvmmguft5f22fu7g38wv3ckmzqy2usq0q5u2ekx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkT01WTjNVM2RZQ2hCdm5B + djMzaTRwZjFYbUJnVnhCRTBKbXJlblM3ZkdRCnVnbXREZVExakdaZk1TaitLcU9Z + V05wcjZJRGdDSlA1WDdPbGY2RXBFY1EKLS0tIE1kbmQ3OXFZdHp0bjlEUldYTE1s + VFdQK1hoTXZDRU1TV1dkMi9mUXVqZncKe9iTJkHCmfzGen+hm8F0FHIq0OW3UyAX + eGz9UAwPDH7Y6N/gCpB0ZzMvDljQxYdM7sVtrumq7lAXEoirsqAZMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZHVMcDV0MnlyaE9VSzBk + WTBIeWZKNFpTTWltRjFYZU9KWVBUOHVRamcwCllMdWpRYVZFKzY4TUI4cWRaNW8r + TTJLai9rbUhFR3d0cEFNVHEvM3c2eEUKLS0tIExaT1NOVDhBTHlRendUNnBhU2dn + dkpzbjB3MGh1bk9qNnEwc0hhYTNKa00KQdxuzlXDnfUyw1ipjNz0rNVJ5kIbO/ya + oGebUaxTphLG4QFq3vw5N4AeXBcbUcfX3hjUKYiM7HYSBz7CyxckVw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYVVpNFNIbjZ4L0MwQUc0 + NHIxS3NvYTJLTUU4K0lxenRkaUZ0VWk1NkFBCm9wWDdOTjVMYk54dnRrbHdzUUFN + VFFZYmM1YW1CcVpwbm1uNnNYaEk4YUEKLS0tIEZQYU9iSlhLZWl1Rk80aEtCVEpR + UjRIR2ZPOGxKMzZoOVp5TXdHNExWZ3cKY6CWwoeEBLT8H7b0TVhQtxW0H9P/pKAn + OKqS4U2g+bTwQRCJ8h7b/eTdJM3lAXqxkLz/A6kBcFCKj0oZqIeiPw== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSlJKMUtaTFRqNFhkbnVD + Y3hURnJwTU5zb3cwTW5yUUdqbk1NSGlkN0M4Cml3aWFGNSt0Z01MZU9DT2RKaU04 + Ukx0MXQ1cXMyL29EaUNHZTVhRDdKM2MKLS0tIE9DRG5ZRWNXNHRCRmUwUDRVMnc0 + VFRVODRGTzRCWkl0cHgyTFArU3h3ZkkKpRRtPMl3VDgEBUDYrm9pShCEF99kPdQh + 6dS32a/FK/OP0qXaQyCLZ6JlBwutu2fy/ohyfQ6TVaskLfwidQxvyg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dnZOK2hsZDg1RGlwRkYy + ZUNKb2p0YW8ySzJ1cjBrbmVGR3ZueEdlYVZRCkhrQmxHSVBMRzdpUkZjYk14bURl + V0U3bzBsRUFiSmUwU0NFaFRBakZTR2sKLS0tIHNwVzRnZXN6VVdnMXg1Zm5jM0hU + Q0hDbmlEM1pheHNyYTlLOTNHM3A0cmMKvMQrYkuHbaZkRNuN0gJKojFn112yOWlV + ZsC7+A6jcYFJBPtO3k3Y+XeUa5WD/TuBt7Pa+oiGZ2gx1/igVPzH8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOem9jZCtSVnYweVNoWklj + dzF3RzQ1UFpXcmJYUEtwbHJEeGJsVm1kNEdBCkZaUHhqTnRnR0UwMjVCWW5WWlY4 + VzZTUjhhUlpuZUdXUGZJd1NVb3FZRzAKLS0tIFhoRkpta1hnQ0xFR1NMU1hFdmR2 + c0gwRXk0Yk5zZUk2aDNaVjJQaXZXYlEKB/82tEb40KykfgZ58gux0CMtxRbz4hst + Av6Jx/hjpl7HLKrlz7x9M868iZMWvIYBb/O0CecS3X/P4p+l8rzyow== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-31T15:05:41Z" + mac: ENC[AES256_GCM,data:NfkyYoZXDQKrPLKEn9cD3wydkoW7DA4i9QE+9/SaUuiR2hHYip9pS1LXxgpzIr2EL3WPR61NdcEMc4+p1IDykbsmh+MqkwuOf4bgwboJJKtlk7R+/bH5OTLVrM8jUcgwW94z/63whRKvqZV4lf6tSWEouzt8YB3ukWAMKUx9DqQ=,iv:g8iPucegVJ2aYOZkYHDvh7OExJ8Vwdveq7v1TNUf4tk=,tag:t1qy7CvUAPkfF3ZOXpRs7Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 
diff --git a/macs/secrets/nixos-foundation-macstadium-44911362.yml b/macs/secrets/nixos-foundation-macstadium-44911362.yml new file mode 100644 index 00000000..a1fbd02c --- /dev/null +++ b/macs/secrets/nixos-foundation-macstadium-44911362.yml 
@@ -0,0 +1,63 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:YvpvZfSJcVx1iPBi6am3QXAeW70D4DSkHO/kf+eOpK9o+9dSjUg/FGcxc36Z7uV4AFo=,iv:tgFmPSvnB7Z4l1Mllef1G8Fiy02FacvtWLdh5CmTyfY=,tag:Llvp+9x2l+G/PT15AE/WWA==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:nlR533Docz60HEU0ooGtK3pwcEevnhDUmsRR5TJvd8lMPvCS733B++UptjsFOD3qWXt1HRJJBzscJHwIfwfXDmXPv3XCY3QG83g6dfKMhMF1QyqBYuKKmMBUkhua53GJqYRcogdhj5Uc4cbC2L3qSyXBG3NAuqE=,iv:K+SgPkL1QiFvmB4eMR01x/zjM6U5zyDncntdZbhAJnI=,tag:3XDV6eYkl8GOPaIIXeyG9Q==,type:str] +sops: + age: + - recipient: age1d0u5ukkwsf47x4jv6uklcc4j3ljnmyz879syya2qneagz0t42cqqyf09dt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWGRHeFVGYUZ2YWxiYW9Z + OGpSQ2VteExwZm4wMXVvMVdMc3N6VVpUNzJRCmNNUmVqcTJhbUFrU1h4WnNOSUQ4 + dWFDRzg3NG55c0xXQk93bVlRUjdJclkKLS0tIGdvWUFTSkxCZTlJTnI0YzJEeXRF + ZUNIYXQvUGlqRWpGMHVtN0hxTHJwbEUKsXuzBa7u15cM/DrIeQ2gfXwUktovxGjB + 6V6yPZbeA5v7yA+0GG89UH67tmArh/mF0l2z/UJRZDgw7Z+Gh0RGHQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUWs4VFFIM05XM0txd0cv + YTV4RHZ3Tjl4TXptdVpyUVkvaHFjU1V5TTAwClVWclZEKytaSTJrcUhoaXBUekd1 + V2xaYUZUcmFseHNPb1ZJYXM0Q0ZkM1UKLS0tIE9tcVJkRmJLUnlybTlhK243NXB6 + Sk5QcVVaejB6TDFtV0pDVUpkRGNkMUUKF8sEATa7mRbeti4WJFXVYiiAryPSO3Gw + ViIhsYVg7M4t8/11AJZ2edJayTWaSrPwMxPWLrc3A2w7pRDtK1LoAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaHJqcmtzSEQvQTdzZFNG + b2pLSXBwa2UrRU9NZnlySmkyc0crRnVFRlRBCnl4VFNLRnIwTnJjZ2NoZkJvdXJ1 + ZGJEbitra0o4WmJaeG9aaFkzdTZIUUEKLS0tIHhMOE0vaS9IWFBvcFpKYytrVkpj + TU1LcWJIZGhKOHhjVmczTEZiREhaT28KPFIui3jqceI8SNqSGhvC4XFmsq3vbiPp + fr44yKqTaWdHBgX4wXHuyp1FYCpunCfDDw2aYfN3rSlhey3+5ky0ng== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1N1piTmhrbWVTR3RvbnZa + Q2FlRUtzM1FWZ203a2QzTk8zSEYxc05BWEE0CllQbEZTeDRnVXh3cmpPRUpIVTRM + YW9lTTV1YzFVdjg5anBxTWVObC9wbHMKLS0tIFZ3ZGhpV0ZPNG9GTDJadEpLY3Jw + b0V1NFo2ZUR5SmJyOTRHUGVON2M3dWcKa1BUdWY9/Xtvk56ZonN7X6jfZHzYwTE/ + xgtcuRPJF05vuN/n/uCKu9OtU/Lb0A5m9OaN9JQE3kdzeyHoe9Ic8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRjJSM3lWNGJXdmM3a1Ew + K004cjNocFlwQUpmTU96aWpnMDJjMEowS0RFCm1Wc0gzZVo0alJxcU9DNW5BOXdO + eFZZSzRjNHRtUGV5YytwZUVuNlVZN2cKLS0tIFhWRjk0Z0N6MG1KaVp5ZjF2a21i + V2dNWUwvYTJzcUZWMEkxZkRGMHcrZFUKCwMWyULhYFDBstatQh4CSZrZ0/4gwthW + iYOML3bf12sZf1wFfM+199XXkkFZHHYzazhVX+3578w6cz/wAt65Lg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NTh1WEZXZmtBMTdRRmxO + T0NGb3VMZHRubm5BSDNUSmY5cVA5cHRrS25rCjV5NXJ2TnZIcld2ME1lV29wMnZI + ZWlydVNZZ2t5M2VqZE1xYTlsVDQzSmcKLS0tIEJGYlFFY2F1OGc2SU55VStpVG1S + ZHNtUVovMzZMdTFHeXphUnhCME56VHMKIfn3CmtPWcawLneAxooUXPfvFe8M6avH + 93pyl50ghHLZrbipjLAu7G2wtUTlFuiMY0vG8+jRQJHgq7FkHtdalQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-31T15:06:03Z" + mac: ENC[AES256_GCM,data:G/a4GqIpj4zKdH/zDik4hr3LIDtJwJTK8HafONRItAZoETo0gy7bqBymOKn3eaWaJW2PP81dQnv6liDQh5GUuo51Th2K3dWrfORwL3IldLebZO4MNhDufnld3uFJyvSm/JOvV2shfH7SAN0Z4BNeoerwAndsvatcHLY2ce1C9js=,iv:pSJhRWllJCqx7nOBpDbMKut8XEnwYWo1l8yUFUvbI54=,tag:/fq1krHM2ip0LFvfHG4v0A==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 
diff --git a/macs/secrets/nixos-foundation-macstadium-44911507.yml b/macs/secrets/nixos-foundation-macstadium-44911507.yml new file mode 100644 index 00000000..caa80ed8 --- /dev/null +++ b/macs/secrets/nixos-foundation-macstadium-44911507.yml 
@@ -0,0 +1,63 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:YmvZ+UwoKtY81wrzr0oSoRGFVDcWqp8WkSApWd5n5/mQr7vGLQA0ZvpGsf1G+nNzE+g=,iv:ebCwaYy120OPQ5zXLxVLk4vD5+wiSfB0G7TT24822YY=,tag:ACldOsS2mterk/5a7ThuoQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:EhZa2bSybMbMCPGGoFeBSvVREyMQTE8odlHgjl0lxxjYgFBmLjhlsmYfv2/q68Mv+oxww5Cv2czL78B7OIX9fJShJwCuGvSnOzMYeSrr0P/8Afh/whUP44IdeXgMasHrD9v2KDSgeUTMQ1oo9663GkLTkblMJ5o=,iv:lSSCNiY7hc2Dh+LUxaGQTWOkxXIvPBAMV3k95lXvCjo=,tag:/7Zp5Bw6Ld2CB7jvUlUixg==,type:str] +sops: + age: + - recipient: age1s0m24l3s29jr345uxk5j8zq7kd4sln3rvf0pdtd6afum3smtxsyqtjra0z + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TTBaN2w0TDVhUHBCL1Yy + cjF3L0NTYjE0VXJGTTBVcWlMSm9mOU1wNEJRCmhNaERJL2FXZ3d6dmtpSFB5YVJu + T3A2MGd4N1B3SVE1Wmc1MHQ1cHhPZWMKLS0tIHJFNkE5U0Z3ZHJTNTZLVUtWVGpW + OUZRTlhKYzN5OGxFYWRJS29RQUdxTk0Ky8T3HuBXIYDqb4PnU3wxil2tT3a9R8zt + HEyPA/BU9ujZrvSWf9NLylCqtID5ZADvycJfm6dsJUUAs1Fq6XSy9w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZVdJSnlGZkNtV0hMYXkx + Qjc1dzVHNGRudXdmYVc2VEwvTG5SZUdncEg4ClBTWEhrNXBmbGVGMHk0T2toTHQr + UnBSUlJBei9yTGVLR1VHK2xzSVptNWcKLS0tIEFoU3JzR0I2a1ozdFRIQjYwUzVm + c1hLaTZSMGs5ZjE5L1RCdjhoNDNCUjQKG2mt7WyXwngUmA7SN9DBgJjAsOOyB4+M + OV60D/bjcYrSMRjNI0T8cZopD2N5/Mste0VtvfOk78doZICfTM0p2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcUNIOVdwa2VCTHhGeUpy + eXg0a2craDRLazB2b2VPZUFVeDhrYTZYWnlrClpUUHd4UE8rU3dEdlBRaHFrdWRi + NGszWmhOYms1Znk1bnZoNlAvMGVwMzAKLS0tIHM3RDhUS0JjaHRmNEZhaFJhM1lt + NzZJaDh0WUpJV29JZm42Q3liZzAwWTgKKKAIunuTHChBMcg76Eu2XHDOQawIVgsq + T98joVBVz2CAFMjbyYmE4uMvvA47KmUnhnlUzvaVfB28YzzuSH2elg== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbXBXMkxmaU1ISWRWamZu + d0FEaVFQc1c0NTQ3REhnMnVIeHhLK1lZSlJjCjRpeVA4Qk1qM0Zha1pMblN1NVQr + VnNKeXcrVnlENmdNTGU5bTZ4Sk1CQkEKLS0tIDdCck5jS0FaYUEreDhCaHBFenJ2 + WUxmdEZ0czlHTk1IS0ZrQ05MdjE4N2cKmVsm5M1zp7VaKAih4keKhredjAraHmYw + yjcYrr3+bLxvQhaY4JLtw39SWrpKVEouAlVl6moQyGIr6l3KPkTDdw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M01ibnk0SzdLWjUvQUFn + aERQRnJYeENrSmFVY2JCUFJqQUZIOHUwazF3Ck5aSXB4aFpna3haUUY1UGgrQzRT + b0V1Y2JPb05EblBlcDZiVHlJNDJlN2MKLS0tICtmNHlVRXdmUmIxTmMvdHIzLys0 + dzV1SzJBUkwzbVFuU0lWNHQ4ZmVRaDAK0gMG0Uz7+9QHXIestCAK/z+AQFnXGzzM + FZz4o62gWsI/DsB0c67DAQn3ghsZ1rDJa3Vge86BSgCoG61jGbEw2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMEczci9RUXNOWHUrQUVV + aXkxSW5aaHhHZzQzbWlkTE82bGRKQ0ZrdVhJCk9Xa3kraGNsM1hCeHFOcEgyVU9Z + cHk5K0FDWnhURHVLZDdSREhTZ3J3L2sKLS0tIFNwVFRneDhQNUdKNjlCRzZpV2Ey + WmJIL21zMU1qazVPc09OREN3b2JRU1EK6ioB1V81JncWBbO+pkqWSKYMJTxn8ykV + 7mAX6NxFxlxrbQmlp4wz8HESNvkUIKGKuU3Dd8FegP4VUze9IoPVfw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-31T15:06:26Z" + mac: ENC[AES256_GCM,data:Ed4lAjLxiAx8Qqoy4XfXJdtl8ypjCucipaDYgdnwaAd7dZEh3n8ba6Nktgqkkk8N++rO72K3zGZlFCKtc/oHK/oiUMnTG47KEJ47XcbrEspijGB0uu4n1YgRbiKGhgOTqgHzwcGym8Reg3/jYk83Wq3KTTDJWjiW7rJf2TzYmr8=,iv:FB43RPLaNhi6f8gk6amlKbsVe9S1NUoVy1j53lidQEE=,tag:9NVRbzFeqpA5sOpWr+0foA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml index a9f3c328..c5aab9bb 100644 --- a/non-critical-infra/.sops.yaml 
+++ b/non-critical-infra/.sops.yaml @@ -8,6 +8,19 @@ keys: - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz - &mic92-mac age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h - &Ericson2314 age1fgzf77gyah4efemnrqg4e7j0vk8fpq0uzrucepmdpsd5z7l4lgpsfq54df + # ofborg admins + - &dasJ age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + # ofborg hosts + - &core01-ofborg-org age1rrrj8tgcyp9xfxvy6zmk9487x62cgx0z68l7jretz2th6ey9nf4qh7nq7h + - &eval01-ofborg-org age16d0phf8c5wy3rfsd4pgc42mqa3aw2llfukdhgu7pzklnzjr2rvxsusz842 + - &eval02-ofborg-org age1qn3q3y04pxumygmq96x0gk9qtrdcgdw4y5nl6xd780u4avk0qgsqy8tuu0 + - &eval03-ofborg-org age1yssfznyq8rljcpfthpulnvfls0l5t36fpqxkk5taxcwpkqhv9gcqrvvwh7 + - &eval04-ofborg-org age1vunut833rrdfulgnsjqtuke4yjtzexn2xqjqavwzxlgrg7n4y45qhurzwc + - &build01-ofborg-org age1ulnex45wt7fpj92jy9c5del3ccz6mmnqptrsva24k8m7qsez9pcsdu3eae + - &build02-ofborg-org age1wrp04f5c0d4jx3hwjsn8cyxdjzpzx6fl202zftqfvfdt7hx8efgskf6s86 + - &build03-ofborg-org age1n0yrvl2v397kztuhf00cdvrhf26c9uegwz6day8z9pyqj3zff4sq6ha0lm + - &build04-ofborg-org age1l7xmxkh6y6d5svj06txknamlwdpfwac8855p3edgpu6jcqea7pvslw4r9a + - &build05-ofborg-org age1mduqldqpqp33u2wwh685cwwkpj2ak36z67dtrq2tcskgqkultvps7w9q7u creation_rules: - path_regex: secrets/[^/]+.caliban 
@@ -48,3 +61,108 @@ creation_rules: - *zimbatm - *simon - *Ericson2314 + + # ofborg + - path_regex: secrets/[^/]+.core01.ofborg.org.yml + key_groups: + - age: + - *core01-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/github-tokens.ofborg.org.yml + key_groups: + - age: + - *core01-ofborg-org + - *eval01-ofborg-org + - *eval02-ofborg-org + - *eval03-ofborg-org + - *eval04-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.eval01.ofborg.org.yml + key_groups: + - age: + - *eval01-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.eval02.ofborg.org.yml + key_groups: + - age: + - *eval02-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.eval03.ofborg.org.yml + key_groups: + - age: + - *eval03-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.eval04.ofborg.org.yml + key_groups: + - age: + - *eval04-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.build01.ofborg.org.yml + key_groups: + - age: + - *build01-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.build02.ofborg.org.yml + key_groups: + - age: + - *build02-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.build03.ofborg.org.yml + key_groups: + - age: + - *build03-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.build04.ofborg.org.yml + key_groups: + - age: + - *build04-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac + - path_regex: secrets/[^/]+.build05.ofborg.org.yml + key_groups: + - age: + - *build05-ofborg-org + - *hexa + - *simon + - *dasJ + - *mic92 + - *mic92-mac 
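Review bot: Adding these creation rules does not re-encrypt anything: the commit message says the secret files were copied verbatim and cole-h's age key dropped, so every copied `secrets/*.ofborg.org.yml` still carries whatever recipient set it had in the old repo until `sops updatekeys` is run against these rules, and if the dropped key was among those recipients its holder can still decrypt the ciphertext that now sits in this repo's history, so the material involved (RabbitMQ passwords, mTLS client keys, the GitHub tokens file) should be rotated rather than merely re-wrapped. Independently, the new `path_regex` entries use unescaped `.` and are unanchored (`secrets/[^/]+.build01.ofborg.org.yml`), so they match more than intended and the split between the per-host rules and `secrets/github-tokens.ofborg.org.yml` relies solely on rule order. Anchoring them as `secrets/[^/]+\.build01\.ofborg\.org\.yml$` (and likewise for the other hosts) keeps a future file from silently picking up the wrong key group.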
diff --git a/non-critical-infra/flake-module.nix b/non-critical-infra/flake-module.nix index 60d6db0d..aa59b3f7 100644 --- a/non-critical-infra/flake-module.nix +++ b/non-critical-infra/flake-module.nix @@ -8,6 +8,18 @@ caliban = { }; umbriel = { }; staging-hydra = { }; + + # ofborg + "core01.ofborg.org".targetHost = "138.199.148.47"; + "eval01.ofborg.org".targetHost = "95.217.15.9"; + "eval02.ofborg.org".targetHost = "95.216.209.162"; + "eval03.ofborg.org".targetHost = "37.27.189.4"; + "eval04.ofborg.org".targetHost = "95.217.18.12"; + "build01.ofborg.org".targetHost = "185.119.168.10"; + "build02.ofborg.org".targetHost = "185.119.168.11"; + "build03.ofborg.org".targetHost = "185.119.168.12"; + "build04.ofborg.org".targetHost = "185.119.168.13"; + "build05.ofborg.org".targetHost = "142.132.171.106"; }; flake = let diff --git a/non-critical-infra/hosts/build01.ofborg.org/client.crt b/non-critical-infra/hosts/build01.ofborg.org/client.crt new file mode 100644 index 00000000..50921c1f --- /dev/null +++ b/non-critical-infra/hosts/build01.ofborg.org/client.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZAwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDEwKjAFBgMrZXADIQCj +6blZljlur8EmgUA9yNjQrGkg647jacmiy+kn1znGT6NCMEAwHQYDVR0OBBYEFH6t +LjEVdWyQWzR49xirHn9QoNUlMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBAJy33gi4Azqa0Y3hEdvkg+bHn+SsEWOSlls/cy0Lfl6l+qGn +Jd9+vtequq1aXWqzXE3g0r4vjqzQDg8GJE1j5wo= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build01.ofborg.org/default.nix b/non-critical-infra/hosts/build01.ofborg.org/default.nix new file mode 100644 index 00000000..fb85510a --- /dev/null +++ b/non-critical-infra/hosts/build01.ofborg.org/default.nix 
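Review bot: The ten `targetHost` entries are bare IPv4 addresses that colmena will reach over SSH, and nothing in this diff pins their host keys; unless the operators' `known_hosts` already carries them (not visible here), the first deploy to a host trusts whatever key answers at that address. Declaring the builders' public host keys in the shared ssh-keys module via `programs.ssh.knownHosts` would make the deploy path verifiable from the repo alone. A short comment above the list, such as `# deployed over SSH as root; host keys are pinned in modules/ssh-keys`, would tell the next reader where that trust anchor lives.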
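Review bot: The client certificate added for build01 is valid from 2025-07-31 to 2075-07-19 (decoding the `MCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3` validity field), i.e. a fifty-year mTLS credential for `hydra-queue-builder-ofborg-build01` issued by `hydra-queue-runner-ca`; with that lifetime the only way to retire a lost or compromised builder key is revocation, and nothing in this patch shows the queue runner consulting a CRL or any reissue process. A one- to two-year validity with reissue through the same CA, or at least a documented revocation step in the hydra builder module, would be the usual practice. The build02 and build03 certificates later in this patch have the same validity window.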
@@ -0,0 +1,54 @@ +{ + imports = [ + ../../modules/ofborg/builder.nix + ../../modules/hydra/builder.nix + ./hardware.nix + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + + networking = { + hostName = "ofborg-build01"; + domain = "ofborg.org"; + hostId = "007f0301"; + }; + + disko.devices = import ./disko.nix; + + systemd.network.networks."10-uplink" = { + matchConfig.MACAddress = "00:23:09:4f:49:36"; + address = [ "185.119.168.10/32" ]; + routes = [ + { + Gateway = "91.224.148.0"; + GatewayOnLink = true; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQ5hBVVKK72ZX+n+BVnPocx+AG5u6ht8bM++G1lhufp liberodark@gmail.com" + ]; + + zramSwap = { + enable = true; + memoryPercent = 25; + }; + + system.stateVersion = "24.11"; # Did you read the comment? + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + }; + }; +} diff --git a/non-critical-infra/hosts/build01.ofborg.org/disko.nix b/non-critical-infra/hosts/build01.ofborg.org/disko.nix new file mode 100644 index 00000000..919c7ea6 --- /dev/null +++ b/non-critical-infra/hosts/build01.ofborg.org/disko.nix 
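Review bot: `users.users.root.openssh.authorizedKeys.keys` hard-codes one personal key (`liberodark@gmail.com`) directly as root on this host, and the same line is repeated verbatim in the build02 and build03 files below; a key that has to be removed from several host files is exactly the kind that gets left behind on offboarding. The commit message says this repo already provides shared ssh-keys modules, so this key belongs there or in `../../modules/ofborg/builder.nix`, leaving the host file with only hostname, hostId, MAC and address. The `sops.secrets` block is likewise identical across the three hosts except for the file name and could be hoisted into the same module with `sopsFile = ../../secrets/ofborg.${lib.removePrefix "ofborg-" config.networking.hostName}.ofborg.org.yml;`, which keeps the `restartUnits` wiring (correctly present here) in one place.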
@@ -0,0 +1,64 @@ +{ + disk = { + main = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; + }; + + zpool = { + zroot = { + type = "zpool"; + options = { + # smartctl --all /dev/nvme0n1 + # Logical block size: 512 bytes + ashift = "9"; + }; + rootFsOptions = { + acltype = "posixacl"; + compression = "zstd"; + mountpoint = "none"; + xattr = "sa"; + }; + datasets = { + "root" = { + type = "zfs_fs"; + mountpoint = "/"; + }; + "nix" = { + type = "zfs_fs"; + mountpoint = "/nix"; + }; + "reserved" = { + type = "zfs_fs"; + options = { + canmount = "off"; + refreservation = "1G"; + }; + }; + }; + }; + }; +} diff --git a/non-critical-infra/hosts/build01.ofborg.org/hardware.nix b/non-critical-infra/hosts/build01.ofborg.org/hardware.nix new file mode 100644 index 00000000..0b15aa0c --- /dev/null +++ b/non-critical-infra/hosts/build01.ofborg.org/hardware.nix @@ -0,0 +1,9 @@ +{ + + boot.initrd.availableKernelModules = [ + "ehci_pci" + "ahci" + ]; + boot.initrd.kernelModules = [ "nvme" ]; + boot.kernelModules = [ "kvm-intel" ]; +} diff --git a/non-critical-infra/hosts/build02.ofborg.org/client.crt b/non-critical-infra/hosts/build02.ofborg.org/client.crt new file mode 100644 index 00000000..37fafc4f --- /dev/null +++ b/non-critical-infra/hosts/build02.ofborg.org/client.crt 
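Review bot: `device = "/dev/nvme0n1"` is an enumeration-order name, and disko formats whatever sits at that path, so on a host that later gains a second NVMe the destructive path can land on the wrong disk; a `/dev/disk/by-id/...` name is the safer choice (the id is not visible here and has to be read from the machine). The identical `disko.nix` blob (index `919c7ea6`) is added for build01, build02 and build03, so one shared file under `../../modules/ofborg/` would stop the three copies drifting. `ashift = "9"` is justified by a comment quoting a 512-byte *logical* sector; if `smartctl` also reports a 4096-byte physical sector the pool should use `ashift = "12"`, and the comment should record which value was checked, e.g. `# logical 512 / physical 512 per smartctl, hence ashift 9`.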
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZEwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDIwKjAFBgMrZXADIQAL +Cdl+ZbvuX8OUBj5MIMfL7120fT1NxFk6C4DydQ7Qt6NCMEAwHQYDVR0OBBYEFGAH +xmXkYN9IDgVaHjA/oEj2921hMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBACmGjy4gHWTiahHy2P/hPQ661vfob9nkBQ+CEG1FSaK3ImpQ +yPVG+BJiu2oT50EO3EzdsV2tUk9VAhcYNA2YXAg= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build02.ofborg.org/default.nix b/non-critical-infra/hosts/build02.ofborg.org/default.nix new file mode 100644 index 00000000..bfc520b2 --- /dev/null +++ b/non-critical-infra/hosts/build02.ofborg.org/default.nix 
@@ -0,0 +1,54 @@ +{ + imports = [ + ../../modules/ofborg/builder.nix + ../../modules/hydra/builder.nix + ./hardware.nix + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + + networking = { + hostName = "ofborg-build02"; + domain = "ofborg.org"; + hostId = "007f0302"; + }; + + disko.devices = import ./disko.nix; + + systemd.network.networks."10-uplink" = { + matchConfig.MACAddress = "22:33:4d:07:51:b4"; + address = [ "185.119.168.11/32" ]; + routes = [ + { + Gateway = "91.224.148.0"; + GatewayOnLink = true; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQ5hBVVKK72ZX+n+BVnPocx+AG5u6ht8bM++G1lhufp liberodark@gmail.com" + ]; + + zramSwap = { + enable = true; + memoryPercent = 25; + }; + + system.stateVersion = "24.11"; # Did you read the comment? + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; + }; + }; +} diff --git a/non-critical-infra/hosts/build02.ofborg.org/disko.nix b/non-critical-infra/hosts/build02.ofborg.org/disko.nix new file mode 100644 index 00000000..919c7ea6 --- /dev/null +++ b/non-critical-infra/hosts/build02.ofborg.org/disko.nix 
@@ -0,0 +1,64 @@ +{ + disk = { + main = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; + }; + + zpool = { + zroot = { + type = "zpool"; + options = { + # smartctl --all /dev/nvme0n1 + # Logical block size: 512 bytes + ashift = "9"; + }; + rootFsOptions = { + acltype = "posixacl"; + compression = "zstd"; + mountpoint = "none"; + xattr = "sa"; + }; + datasets = { + "root" = { + type = "zfs_fs"; + mountpoint = "/"; + }; + "nix" = { + type = "zfs_fs"; + mountpoint = "/nix"; + }; + "reserved" = { + type = "zfs_fs"; + options = { + canmount = "off"; + refreservation = "1G"; + }; + }; + }; + }; + }; +} diff --git a/non-critical-infra/hosts/build02.ofborg.org/hardware.nix b/non-critical-infra/hosts/build02.ofborg.org/hardware.nix new file mode 100644 index 00000000..0b15aa0c --- /dev/null +++ b/non-critical-infra/hosts/build02.ofborg.org/hardware.nix @@ -0,0 +1,9 @@ +{ + + boot.initrd.availableKernelModules = [ + "ehci_pci" + "ahci" + ]; + boot.initrd.kernelModules = [ "nvme" ]; + boot.kernelModules = [ "kvm-intel" ]; +} diff --git a/non-critical-infra/hosts/build03.ofborg.org/client.crt b/non-critical-infra/hosts/build03.ofborg.org/client.crt new file mode 100644 index 00000000..6bc2e7d0 --- /dev/null +++ b/non-critical-infra/hosts/build03.ofborg.org/client.crt 
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZIwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3
+WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM
+Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDMwKjAFBgMrZXADIQC8
+UiCK9YGsTI+144EzVlCjuwz0wBUyOwjg1b2lnQCdZ6NCMEAwHQYDVR0OBBYEFEDA
+dN0ht/zFU5Y7KER4xxTAeZdrMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/
+9a+IMAUGAytlcANBAHDszlrrBBg8Q5tHeynkDLY+Cvh0gOAaUmyoMkfhlPNxKNLH
++8NVKKkDoVLreYcLrKxEg+36KIBU/Z3uxfIAew0=
+-----END CERTIFICATE-----
diff --git a/non-critical-infra/hosts/build03.ofborg.org/default.nix b/non-critical-infra/hosts/build03.ofborg.org/default.nix
new file mode 100644
index 00000000..2fd7f001
--- /dev/null
+++ b/non-critical-infra/hosts/build03.ofborg.org/default.nix
@@ -0,0 +1,54 @@
+{
+ imports = [
+ ../../modules/ofborg/builder.nix
+ ../../modules/hydra/builder.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-build03";
+ domain = "ofborg.org";
+ hostId = "007f0303";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "22:33:4d:07:51:b9";
+ address = [ "185.119.168.12/32" ];
+ routes = [
+ {
+ Gateway = "91.224.148.0";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQ5hBVVKK72ZX+n+BVnPocx+AG5u6ht8bM++G1lhufp liberodark@gmail.com"
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets = {
+ "ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg-builder";
+ restartUnits = [ "ofborg-builder.service" ];
+ sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml;
+ };
+ "harmonia/secret" = {
+ owner = "harmonia";
+ restartUnits = [ "harmonia.service" ];
+ sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/build03.ofborg.org/disko.nix b/non-critical-infra/hosts/build03.ofborg.org/disko.nix
new file mode 100644
index 00000000..919c7ea6
--- /dev/null
+++ b/non-critical-infra/hosts/build03.ofborg.org/disko.nix
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/nvme0n1
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/build03.ofborg.org/hardware.nix b/non-critical-infra/hosts/build03.ofborg.org/hardware.nix
new file mode 100644
index 00000000..0b15aa0c
--- /dev/null
+++ b/non-critical-infra/hosts/build03.ofborg.org/hardware.nix
@@ -0,0 +1,9 @@
+{
+
+ boot.initrd.availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ boot.kernelModules = [ "kvm-intel" ];
+}
diff --git a/non-critical-infra/hosts/build04.ofborg.org/client.crt b/non-critical-infra/hosts/build04.ofborg.org/client.crt
new file mode 100644
index 00000000..88cdd998
--- /dev/null
+++ b/non-critical-infra/hosts/build04.ofborg.org/client.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZMwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3
+WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM
+Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDQwKjAFBgMrZXADIQDH
+sVDND3YMmQ9ijOxK9b65fhuCF70h8O4d3NAiKUzZp6NCMEAwHQYDVR0OBBYEFBy8
+QofH7VDm+VVK3YunEtbxGc/OMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/
+9a+IMAUGAytlcANBAOsNsCCH+jV9xUaaQG0t40IG8UMr9b+ThA9hiOnrsTOmUfE7
+wsl1639LWXyoWiqjsj7g646M70lPcWCqocxDhQk=
+-----END CERTIFICATE-----
diff --git a/non-critical-infra/hosts/build04.ofborg.org/default.nix b/non-critical-infra/hosts/build04.ofborg.org/default.nix
new file mode 100644
index 00000000..337fd130
--- /dev/null
+++ b/non-critical-infra/hosts/build04.ofborg.org/default.nix
@@ -0,0 +1,54 @@
+{
+ imports = [
+ ../../modules/ofborg/builder.nix
+ ../../modules/hydra/builder.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-build04";
+ domain = "ofborg.org";
+ hostId = "007f0304";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "22:33:4d:06:4a:ad";
+ address = [ "185.119.168.13/32" ];
+ routes = [
+ {
+ Gateway = "91.224.148.0";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQ5hBVVKK72ZX+n+BVnPocx+AG5u6ht8bM++G1lhufp liberodark@gmail.com"
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets = {
+ "ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg-builder";
+ restartUnits = [ "ofborg-builder.service" ];
+ sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml;
+ };
+ "harmonia/secret" = {
+ owner = "harmonia";
+ restartUnits = [ "harmonia.service" ];
+ sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/build04.ofborg.org/disko.nix b/non-critical-infra/hosts/build04.ofborg.org/disko.nix
new file mode 100644
index 00000000..919c7ea6
--- /dev/null
+++ b/non-critical-infra/hosts/build04.ofborg.org/disko.nix
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/nvme0n1
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/build04.ofborg.org/hardware.nix b/non-critical-infra/hosts/build04.ofborg.org/hardware.nix
new file mode 100644
index 00000000..0b15aa0c
--- /dev/null
+++ b/non-critical-infra/hosts/build04.ofborg.org/hardware.nix
@@ -0,0 +1,9 @@
+{
+
+ boot.initrd.availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ boot.kernelModules = [ "kvm-intel" ];
+}
diff --git a/non-critical-infra/hosts/build05.ofborg.org/client.crt b/non-critical-infra/hosts/build05.ofborg.org/client.crt
new file mode 100644
index 00000000..012a25f4
--- /dev/null
+++ b/non-critical-infra/hosts/build05.ofborg.org/client.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZQwBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3
+WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM
+Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDUwKjAFBgMrZXADIQCV
+CeAL3FB4rMIDBSife7abqJK2+H7OAskVY+jOXcytEaNCMEAwHQYDVR0OBBYEFPXn
+CTIW6uvZnozTKkouPPmtgoOkMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/
+9a+IMAUGAytlcANBALq7WRX5hKqnjLTgaoLgwBbH5FPMhf+rC+63lepxl0/kAeoT
+IgiSCPV7GonPxeLsqE+uytoQ2CaPYwBRosPTCAw=
+-----END CERTIFICATE-----
diff --git a/non-critical-infra/hosts/build05.ofborg.org/default.nix b/non-critical-infra/hosts/build05.ofborg.org/default.nix
new file mode 100644
index 00000000..217308d7
--- /dev/null
+++ b/non-critical-infra/hosts/build05.ofborg.org/default.nix
@@ -0,0 +1,56 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/ofborg/builder.nix
+ ../../modules/hydra/builder.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-build05";
+ domain = "ofborg.org";
+ hostId = "007f0305";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "96:00:03:fd:32:fd";
+ address = [
+ "142.132.171.106/32"
+ "2a01:4f8:1c1b:6d41::/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 100;
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets = {
+ "ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg-builder";
+ restartUnits = [ "ofborg-builder.service" ];
+ sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml;
+ };
+ "harmonia/secret" = {
+ owner = "harmonia";
+ restartUnits = [ "harmonia.service" ];
+ sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/build05.ofborg.org/disko.nix b/non-critical-infra/hosts/build05.ofborg.org/disko.nix
new file mode 100644
index 00000000..a8694d1c
--- /dev/null
+++ b/non-critical-infra/hosts/build05.ofborg.org/disko.nix
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/build05.ofborg.org/hardware.nix b/non-critical-infra/hosts/build05.ofborg.org/hardware.nix
new file mode 100644
index 00000000..5bc4812b
--- /dev/null
+++ b/non-critical-infra/hosts/build05.ofborg.org/hardware.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+{
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "virtio_gpu" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/default.nix b/non-critical-infra/hosts/core01.ofborg.org/default.nix
new file mode 100644
index 00000000..87a2d900
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/default.nix
@@ -0,0 +1,55 @@
+{ inputs, ... }:
+
+{
+ imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-cloud
+ ../../modules/ofborg/common.nix
+ ../../modules/ofborg/github-tokens.nix
+ ./nginx.nix
+ ./rabbitmq.nix
+ # ofborg.org landingpage
+ # ./website.nix
+ # Accepts webhooks from GitHub
+ ./github-webhook-receiver.nix
+ # Checks wheter a PR event is interesting to us
+ ./evaluation-filter.nix
+ # Handles incoming comments
+ ./github-comment-filter.nix
+ # Receives logs from builders
+ ./log-message-collector.nix
+ # Posts to GitHub
+ ./github-comment-poster.nix
+ # LogApi and LogViewer
+ ./log-viewer.nix
+ ];
+ # TODO backups
+
+ # Bootloader.
+ boot.loader.grub.enable = true;
+
+ networking = {
+ hostName = "ofborg-core01";
+ domain = "ofborg.org";
+ hostId = "007f0101";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "96:00:03:ea:fa:62";
+ address = [
+ "138.199.148.47/32"
+ "2a01:4f8:c012:cda4::1/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/disko.nix b/non-critical-infra/hosts/core01.ofborg.org/disko.nix
new file mode 100644
index 00000000..1f0b9892
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/disko.nix
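Review bot: `# TODO backups` is left in the host that carries the RabbitMQ state and the collected build logs, with nothing tracking it; either reference the issue it waits on in the comment (`# TODO backups, see <issue-link>`) or drop the line so it does not read as handled elsewhere. The commented-out `# ./website.nix` import deserves a word on whether the file exists and why it is disabled, since a dangling reference in an imports list is easy to resurrect by mistake. Minor: `# Checks wheter a PR event is interesting to us` should read `whether`.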
@@ -0,0 +1,68 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ grub = {
+ size = "1M";
+ type = "EF02";
+ };
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/evaluation-filter.nix b/non-critical-infra/hosts/core01.ofborg.org/evaluation-filter.nix
new file mode 100644
index 00000000..ee9218dc
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/evaluation-filter.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.ofborg-evaluation-filter = {
+ description = "ofBorg Evaluation Filter";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/evaluation-filter /etc/ofborg.json";
+ User = "ofborg-evaluation-filter";
+ Group = "ofborg-evaluation-filter";
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users.users.ofborg-evaluation-filter = {
+ isSystemUser = true;
+ group = "ofborg-evaluation-filter";
+ description = "ofBorg evaluation filter system user";
+ };
+ users.groups.ofborg-evaluation-filter = { };
+
+ sops.secrets = {
+ "ofborg/evaluation-filter-rabbitmq-password" = {
+ owner = "ofborg-evaluation-filter";
+ restartUnits = [ "ofborg-evaluation-filter.service" ];
+ sopsFile = ../../secrets/ofborg.core01.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/github-comment-filter.nix b/non-critical-infra/hosts/core01.ofborg.org/github-comment-filter.nix
new file mode 100644
index 00000000..9903b5f4
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/github-comment-filter.nix
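Review bot: The hardened `serviceConfig` block from `# Filesystem stuff` through `SystemCallFilter = "@system-service"`, trailing comments included, is copied verbatim into evaluation-filter, github-comment-filter, github-comment-poster, github-webhook-receiver, log-message-collector and log-viewer (the latter hunks in this series); a single attrset in ../../modules/ofborg/common.nix merged per service with `//` would keep the six units in step when one directive is tightened or relaxed. Two things the shared version should say out loud: `unitConfig.StartLimitIntervalSec = 0` together with `Restart = "always"` means a unit that fails at startup is retried every 5 s indefinitely, which is presumably wanted for these queue consumers but deserves a one-line comment; and no `RestrictAddressFamilies` is set, so the units keep every socket family although they appear to need only AF_INET/AF_INET6 plus AF_UNIX for name resolution — confirm against what the binaries actually open before adding it.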
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.ofborg-github-comment-filter = {
+ description = "ofBorg GitHub comment filter";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/github-comment-filter /etc/ofborg.json";
+ User = "ofborg-github-comment-filter";
+ Group = "ofborg-github-comment-filter";
+ SupplementaryGroups = [ "ofborg-github-oauth-secret" ];
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users.users.ofborg-github-comment-filter = {
+ isSystemUser = true;
+ group = "ofborg-github-comment-filter";
+ description = "ofBorg GitHub comment filter system user";
+ };
+ users.groups.ofborg-github-comment-filter = { };
+
+ sops.secrets = {
+ "ofborg/github-comment-filter-rabbitmq-password" = {
+ owner = "ofborg-github-comment-filter";
+ restartUnits = [ "ofborg-github-comment-filter.service" ];
+ sopsFile = ../../secrets/ofborg.core01.ofborg.org.yml;
+ };
+ "ofborg/github-oauth-secret".restartUnits = [ "ofborg-github-comment-filter.service" ];
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/github-comment-poster.nix b/non-critical-infra/hosts/core01.ofborg.org/github-comment-poster.nix
new file mode 100644
index 00000000..076f319c
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/github-comment-poster.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.ofborg-github-comment-poster = {
+ description = "ofBorg GitHub comment poster";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/github-comment-poster /etc/ofborg.json";
+ User = "ofborg-github-comment-poster";
+ Group = "ofborg-github-comment-poster";
+ SupplementaryGroups = [ "ofborg-github-app-key" ];
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users.users.ofborg-github-comment-poster = {
+ isSystemUser = true;
+ group = "ofborg-github-comment-poster";
+ description = "ofBorg GitHub comment poster system user";
+ };
+ users.groups.ofborg-github-comment-poster = { };
+
+ sops.secrets = {
+ "ofborg/github-comment-poster-rabbitmq-password" = {
+ owner = "ofborg-github-comment-poster";
+ restartUnits = [ "ofborg-github-comment-poster.service" ];
+ sopsFile = ../../secrets/ofborg.core01.ofborg.org.yml;
+ };
+ "ofborg/github-app-key".restartUnits = [ "ofborg-github-comment-poster.service" ];
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/github-webhook-receiver.nix b/non-critical-infra/hosts/core01.ofborg.org/github-webhook-receiver.nix
new file mode 100644
index 00000000..c84980e7
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/github-webhook-receiver.nix
@@ -0,0 +1,80 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.ofborg-github-webhook-receiver = {
+ description = "ofBorg Webhook Receiver";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/github-webhook-receiver /etc/ofborg.json";
+ User = "ofborg-github-webhook-receiver";
+ Group = "ofborg-github-webhook-receiver";
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ services.nginx.virtualHosts."gh-webhook.ofborg.org" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/".proxyPass = "http://[::1]:9899/";
+ };
+
+ users.users.ofborg-github-webhook-receiver = {
+ isSystemUser = true;
+ group = "ofborg-github-webhook-receiver";
+ description = "ofBorg Github webhook receiver system user";
+ };
+ users.groups.ofborg-github-webhook-receiver = { };
+
+ sops.secrets = {
+ "ofborg/github-webhook-secret" = {
+ owner = "ofborg-github-webhook-receiver";
+ restartUnits = [ "ofborg-github-webhook-receiver.service" ];
+ sopsFile = ../../secrets/ofborg.core01.ofborg.org.yml;
+ };
+
+ "ofborg/github-webhook-rabbitmq-password" = {
+ owner = "ofborg-github-webhook-receiver";
+ restartUnits = [ "ofborg-github-webhook-receiver.service" ];
+ sopsFile = ../../secrets/ofborg.core01.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/log-message-collector.nix b/non-critical-infra/hosts/core01.ofborg.org/log-message-collector.nix
new file mode 100644
index 00000000..8c19c8d4
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/log-message-collector.nix
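Review bot: The `gh-webhook.ofborg.org` vhost proxies every path under `/` to port 9899, and that port is a bare literal here which has to agree with whatever the receiver reads from /etc/ofborg.json, configured outside this hunk. A comment such as `# must match the webhook listener port in ofborg.json (../../modules/ofborg/common.nix)` ties the two together for the next person who moves either one. Nothing in the vhost limits methods or request size, so the HMAC check behind `ofborg/github-webhook-secret` is the only access control on this public endpoint; that is the normal design for GitHub webhooks, but it is worth stating in a comment on the vhost so nobody later relaxes it thinking nginx does the filtering.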
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.ofborg-log-message-collector = {
+ description = "ofBorg log message collector";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0027";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/log-message-collector /etc/ofborg.json";
+ User = "ofborg-logs";
+ Group = "ofborg-logs";
+
+ LogsDirectory = "ofborg";
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users.users.ofborg-logs = {
+ isSystemUser = true;
+ group = "ofborg-logs";
+ description = "ofBorg logs user";
+ };
+ users.groups.ofborg-logs = { };
+
+ sops.secrets = {
+ "ofborg/log-message-collector-rabbitmq-password" = {
+ owner = "ofborg-logs";
+ restartUnits = [ "ofborg-log-message-collector.service" ];
+ sopsFile = ../../secrets/ofborg.core01.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/log-viewer.nix b/non-critical-infra/hosts/core01.ofborg.org/log-viewer.nix
new file mode 100644
index 00000000..fc7bf526
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/log-viewer.nix
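Review bot: `LogsDirectory = "ofborg"` with `UMask = "0027"` is what lets the `ofborg-logs` group (logapi and nginx in the log-viewer hunk) read /var/log/ofborg, and a one-line comment saying so next to `UMask` would explain why this unit alone departs from the `0077` the sibling units use. No retention is visible for that directory anywhere in this series: builder logs accumulate until someone deletes them, and the same tree is served publicly. If retention lives elsewhere (a tmpfiles age rule, or the collector itself), point to it from a comment on `LogsDirectory`; otherwise a `systemd.tmpfiles` age rule scoped to /var/log/ofborg is the usual fix.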
@@ -0,0 +1,102 @@
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}:
+let
+ logviewer = import "${inputs.ofborg-viewer}/release.nix" { inherit pkgs; };
+in
+{
+ systemd.services.ofborg-logapi = {
+ description = "ofBorg log api";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/logapi /etc/ofborg.json";
+ User = "ofborg-logapi";
+ Group = "ofborg-logapi";
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users = {
+ users.ofborg-logapi = {
+ isSystemUser = true;
+ group = "ofborg-logapi";
+ description = "ofBorg Log Api";
+ extraGroups = [ "ofborg-logs" ];
+ };
+ groups.ofborg-logapi = { };
+ users.nginx.extraGroups = [ "ofborg-logs" ];
+ };
+
+ services.nginx.virtualHosts."logs.ofborg.org" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "${logviewer}/website";
+
+ locations = {
+ "/logfile/" = {
+ alias = "/var/log/ofborg/";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Request-Method "GET";
+ add_header Content-Security-Policy "default-src 'none'; sandbox;";
+ add_header Content-Type "text/plain; charset=utf-8";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options "deny";
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+ };
+
+ "/logs/" = {
+ proxyPass = "http://[::1]:9898";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Request-Method "GET";
+ add_header Content-Security-Policy "default-src 'none'; sandbox;";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+ };
+ };
+ };
+}
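Review bot: `add_header Access-Control-Request-Method "GET"` in both the `/logfile/` and `/logs/` locations emits a request-side CORS header on the response, where it means nothing; the response header is `Access-Control-Allow-Methods`, so the line should read `add_header Access-Control-Allow-Methods "GET";` (or be dropped, since simple GET requests need no preflight answer). Note also that nginx only inherits `add_header` from the server level when a location sets none of its own, so whatever ../../modules/nginx.nix adds server-wide (HSTS, for instance) is silently dropped inside these two locations — either repeat those headers here or leave a comment that says the override is deliberate. `X-XSS-Protection "1; mode=block"` is a legacy header that modern guidance sets to `0` or omits; the CSP `sandbox` directive already does the real work.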
diff --git a/non-critical-infra/hosts/core01.ofborg.org/nginx.nix b/non-critical-infra/hosts/core01.ofborg.org/nginx.nix
new file mode 100644
index 00000000..ce7e7790
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/nginx.nix
@@ -0,0 +1,13 @@
+{
+ imports = [
+ ../../modules/nginx.nix
+ ];
+
+ services.nginx.virtualHosts."core01.ofborg.org" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."= /metrics/node".proxyPass = "http://[::1]:9100/metrics";
+ locations."= /metrics/rabbitmq".proxyPass = "http://[::1]:15692/metrics";
+ };
+}
diff --git a/non-critical-infra/hosts/core01.ofborg.org/rabbitmq.nix b/non-critical-infra/hosts/core01.ofborg.org/rabbitmq.nix
new file mode 100644
index 00000000..5d16c418
--- /dev/null
+++ b/non-critical-infra/hosts/core01.ofborg.org/rabbitmq.nix
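Review bot: The `= /metrics/node` and `= /metrics/rabbitmq` locations expose node-exporter and RabbitMQ metrics on the public `core01.ofborg.org` vhost with no access control visible in this file; unless ../../modules/nginx.nix restricts them, anyone can read host and queue statistics for the core server. If the scraper has a fixed source address, `extraConfig = "allow <scraper-address>; deny all;"` on both locations is the smallest fix; otherwise a comment naming where the restriction is applied would save the next reviewer the same question.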
@@ -0,0 +1,71 @@
+{ config, ... }:
+
+{
+ services.rabbitmq = {
+ enable = true;
+ plugins = [
+ "rabbitmq_shovel"
+ "rabbitmq_shovel_management"
+ # https://www.rabbitmq.com/docs/prometheus#overview-prometheus
+ "rabbitmq_prometheus"
+ # https://www.rabbitmq.com/docs/management
+ "rabbitmq_management"
+ # ofborg-viewer, https://www.rabbitmq.com/docs/web-stomp
+ "rabbitmq_web_stomp"
+ ];
+ configItems = {
+ # Consumer
+ "consumer_timeout" = "28800000"; # 8h
+
+ # TLS
+ "listeners.tcp" = "none";
+ "listeners.ssl.default" = "5671";
+ "ssl_options.cacertfile" = "${
+ config.security.acme.certs."messages.ofborg.org".directory
+ }/chain.pem";
+ "ssl_options.certfile" = "${config.security.acme.certs."messages.ofborg.org".directory}/cert.pem";
+ "ssl_options.keyfile" = "${config.security.acme.certs."messages.ofborg.org".directory}/key.pem";
+ "ssl_options.versions.1" = "tlsv1.3";
+
+ # Auth
+ "auth_mechanisms.1" = "PLAIN";
+ "auth_mechanisms.2" = "AMQPLAIN";
+ "anonymous_login_user" = "none";
+
+ # Web interface
+ "management.tcp.ip" = "::1";
+ "management.tcp.port" = "15672";
+
+ # Prometheus
+ "cluster_name" = "messages.ofborg.org";
+ "prometheus.tcp.ip" = "::1";
+
+ # STOMP for ofborg-viewer
+ "web_stomp.ssl.ip" = "::";
+ "web_stomp.ssl.port" = "15673";
+ "web_stomp.ssl.cacertfile" = "${
+ config.security.acme.certs."messages.ofborg.org".directory
+ }/chain.pem";
+ "web_stomp.ssl.certfile" = "${config.security.acme.certs."messages.ofborg.org".directory}/cert.pem";
+ "web_stomp.ssl.keyfile" = "${config.security.acme.certs."messages.ofborg.org".directory}/key.pem";
+ };
+ };
+
+ # No need to reload RabbitMQ, this happens automatically every couple minutes
+ security.acme.certs."messages.ofborg.org" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ group = "rabbitmq";
+ };
+
+ systemd.services.rabbitmq = {
+ stopIfChanged = false;
+ requires = [ "acme-messages.ofborg.org.service" ];
+ # https://github.com/rabbitmq/rabbitmq-server-release/issues/51
+
+ serviceConfig.SuccessExitStatus = "69";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 5671
+ 15673
+ ];
+}
diff --git a/non-critical-infra/hosts/eval01.ofborg.org/default.nix b/non-critical-infra/hosts/eval01.ofborg.org/default.nix
new file mode 100644
index 00000000..09672610
--- /dev/null
+++ b/non-critical-infra/hosts/eval01.ofborg.org/default.nix
@@ -0,0 +1,44 @@
+{ inputs, ... }:
+
+{
+ imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/ofborg/evaluator.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-eval01";
+ domain = "ofborg.org";
+ hostId = "007f0201";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "96:00:03:f4:25:ec";
+ address = [
+ "95.217.15.9/32"
+ "2a01:4f9:c012:cf00::1/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets."ofborg/mass-rebuilder-rabbitmq-password" = {
+ owner = "ofborg-mass-rebuilder";
+ restartUnits = [ "ofborg-mass-rebuilder.service" ];
+ sopsFile = ../../secrets/ofborg.eval01.ofborg.org.yml;
+ };
+}
diff --git a/non-critical-infra/hosts/eval01.ofborg.org/disko.nix b/non-critical-infra/hosts/eval01.ofborg.org/disko.nix
new file mode 100644
index 00000000..a8694d1c
--- /dev/null
+++ b/non-critical-infra/hosts/eval01.ofborg.org/disko.nix
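Review bot: The web-STOMP listener bound on `"web_stomp.ssl.ip" = "::"` is not pinned to TLS 1.3 the way the AMQP listener is with `"ssl_options.versions.1" = "tlsv1.3"`; `web_stomp.ssl.*` is a separate option set in RabbitMQ, so it presumably falls back to the Erlang defaults. Both listeners share the same certificate and both are internet-facing (5671 and 15673 are opened at the end of the file), so add `"web_stomp.ssl.versions.1" = "tlsv1.3";` next to the other `web_stomp.ssl.*` entries, assuming the ofborg-viewer's browser clients all negotiate 1.3. The `PLAIN`/`AMQPLAIN` mechanisms are only acceptable because `"listeners.tcp" = "none"` forces every client through TLS; a comment recording that dependency, e.g. `# PLAIN is safe only because listeners.tcp is "none"`, would stop a later change from re-enabling the plaintext listener without noticing.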
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval01.ofborg.org/hardware.nix b/non-critical-infra/hosts/eval01.ofborg.org/hardware.nix
new file mode 100644
index 00000000..5bc4812b
--- /dev/null
+++ b/non-critical-infra/hosts/eval01.ofborg.org/hardware.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+{
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "virtio_gpu" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/non-critical-infra/hosts/eval02.ofborg.org/client.crt b/non-critical-infra/hosts/eval02.ofborg.org/client.crt
new file mode 100644
index 00000000..1e22eb43
--- /dev/null
+++ b/non-critical-infra/hosts/eval02.ofborg.org/client.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmDCCAUqgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscY0wBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3
+WjBPMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKjAoBgNVBAMM
+IWh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWV2YWwwMjAqMAUGAytlcAMhAFcG
+BnePuRCpdx2IRfr+ZzL1OFlqMJGYiKKG0aVz58kyo0IwQDAdBgNVHQ4EFgQU7eLl
+cmwgQE5zEb2j/e3/WvQmyh4wHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1
+r4gwBQYDK2VwA0EAicmxp8HCEF7bwk8NjpayAEPAFq3SPqrl/Bg3ruZitdKUY/Mf
+5rEjjlCP6/GjzAfg8kki/t3dyv0Jn1uKjmaMBA==
+-----END CERTIFICATE-----
diff --git a/non-critical-infra/hosts/eval02.ofborg.org/default.nix b/non-critical-infra/hosts/eval02.ofborg.org/default.nix
new file mode 100644
index 00000000..525d5efb
--- /dev/null
+++ b/non-critical-infra/hosts/eval02.ofborg.org/default.nix
@@ -0,0 +1,56 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/ofborg/builder.nix
+ ../../modules/hydra/builder.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-eval02";
+ domain = "ofborg.org";
+ hostId = "007f0202";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "96:00:03:f4:25:ee";
+ address = [
+ "95.216.209.162/32"
+ "2a01:4f9:c012:17c6::1/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 100;
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets = {
+ "ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg-builder";
+ restartUnits = [ "ofborg-builder.service" ];
+ sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml;
+ };
+ "harmonia/secret" = {
+ owner = "harmonia";
+ restartUnits = [ "harmonia.service" ];
+ sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval02.ofborg.org/disko.nix b/non-critical-infra/hosts/eval02.ofborg.org/disko.nix
new file mode 100644
index 00000000..a8694d1c
--- /dev/null
+++ b/non-critical-infra/hosts/eval02.ofborg.org/disko.nix
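Review bot: The `sops.secrets` block for `ofborg/builder-rabbitmq-password` and `harmonia/secret` is repeated verbatim in eval02, eval03 and eval04 (and presumably the build0x hosts), differing only in the host name inside `sopsFile`, while the commit already factors the equivalent hydra secret into `modules/hydra/builder.nix` through a hostname→file map. Moving these two declarations into `modules/ofborg/builder.nix` and `modules/ofborg/harmonia.nix` with `sopsFile = ../../secrets/ofborg.${nodePath}.yml;` would keep owner, restart wiring and the consuming service in one place, and would let `harmonia.nix` use `config.sops.secrets."harmonia/secret".path` instead of a hard-coded `/run/secrets/...` string. This is a style point only; the per-host copies are consistent with each other as written.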
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval02.ofborg.org/hardware.nix b/non-critical-infra/hosts/eval02.ofborg.org/hardware.nix
new file mode 100644
index 00000000..5bc4812b
--- /dev/null
+++ b/non-critical-infra/hosts/eval02.ofborg.org/hardware.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+{
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "virtio_gpu" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/non-critical-infra/hosts/eval03.ofborg.org/client.crt b/non-critical-infra/hosts/eval03.ofborg.org/client.crt
new file mode 100644
index 00000000..2e497401
--- /dev/null
+++ b/non-critical-infra/hosts/eval03.ofborg.org/client.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmDCCAUqgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscY4wBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3
+WjBPMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKjAoBgNVBAMM
+IWh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWV2YWwwMzAqMAUGAytlcAMhAB0a
+xge5pV7G50sB0vcIUlSMLQH09Wtu1lpVMkyZJhwYo0IwQDAdBgNVHQ4EFgQU8fyD
+i3r+cVJo4Yg6O6jyKzhKVucwHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1
+r4gwBQYDK2VwA0EARtdZCQID1oUjAZojQLw+pquY9QUrePC8LIBUPzMsqyunJYSC
+jths2dINWC4p2x6rhkAAfsi+AaCLRXwZHdWcBA==
+-----END CERTIFICATE-----
diff --git a/non-critical-infra/hosts/eval03.ofborg.org/default.nix b/non-critical-infra/hosts/eval03.ofborg.org/default.nix
new file mode 100644
index 00000000..bdb0deb5
--- /dev/null
+++ b/non-critical-infra/hosts/eval03.ofborg.org/default.nix
@@ -0,0 +1,56 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/ofborg/builder.nix
+ ../../modules/hydra/builder.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-eval03";
+ domain = "ofborg.org";
+ hostId = "007f0203";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "96:00:03:f4:25:ed";
+ address = [
+ "37.27.189.4/32"
+ "2a01:4f9:c012:e37b::1/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 100;
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets = {
+ "ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg-builder";
+ restartUnits = [ "ofborg-builder.service" ];
+ sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml;
+ };
+ "harmonia/secret" = {
+ owner = "harmonia";
+ restartUnits = [ "harmonia.service" ];
+ sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval03.ofborg.org/disko.nix b/non-critical-infra/hosts/eval03.ofborg.org/disko.nix
new file mode 100644
index 00000000..a8694d1c
--- /dev/null
+++ b/non-critical-infra/hosts/eval03.ofborg.org/disko.nix
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval03.ofborg.org/hardware.nix b/non-critical-infra/hosts/eval03.ofborg.org/hardware.nix
new file mode 100644
index 00000000..5bc4812b
--- /dev/null
+++ b/non-critical-infra/hosts/eval03.ofborg.org/hardware.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+{
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "virtio_gpu" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/client.crt b/non-critical-infra/hosts/eval04.ofborg.org/client.crt
new file mode 100644
index 00000000..ada2e7f7
--- /dev/null
+++ b/non-critical-infra/hosts/eval04.ofborg.org/client.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmDCCAUqgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscY8wBQYDK2VwMEMxCzAJ
+BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt
+cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3
+WjBPMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKjAoBgNVBAMM
+IWh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWV2YWwwNDAqMAUGAytlcAMhAFcS
+v8kRpmT4XxN9Wpy1eUleEAfaTYjkRDNLvx/wyzmco0IwQDAdBgNVHQ4EFgQUyBE8
++NWvcR45rtQz1Kq2T4rdca0wHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1
+r4gwBQYDK2VwA0EAP1fJ6PHx+1Y9HSEn0WEndXVf/BW/rsPAwrxPPUZSX6FbwsPQ
+uEIx9gIfy02H7S+qTNsXHH/YG3Vk3ZLcBDVLAg==
+-----END CERTIFICATE-----
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/default.nix b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
new file mode 100644
index 00000000..42449a11
--- /dev/null
+++ b/non-critical-infra/hosts/eval04.ofborg.org/default.nix
@@ -0,0 +1,57 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/ofborg/builder.nix
+ ../../modules/hydra/builder.nix
+ # ../../modules/ofborg/evaluator.nix
+ ./hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ networking = {
+ hostName = "ofborg-eval04";
+ domain = "ofborg.org";
+ hostId = "007f0204";
+ };
+
+ disko.devices = import ./disko.nix;
+
+ systemd.network.networks."10-uplink" = {
+ matchConfig.MACAddress = "96:00:03:f4:25:eb";
+ address = [
+ "95.217.18.12/32"
+ "2a01:4f9:c012:273b::/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 100;
+ };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+ sops.secrets = {
+ "ofborg/builder-rabbitmq-password" = {
+ owner = "ofborg-builder";
+ restartUnits = [ "ofborg-builder.service" ];
+ sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml;
+ };
+ "harmonia/secret" = {
+ owner = "harmonia";
+ restartUnits = [ "harmonia.service" ];
+ sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml;
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/disko.nix b/non-critical-infra/hosts/eval04.ofborg.org/disko.nix
new file mode 100644
index 00000000..a8694d1c
--- /dev/null
+++ b/non-critical-infra/hosts/eval04.ofborg.org/disko.nix
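Review bot: The IPv6 address `"2a01:4f9:c012:273b::/64"` is the all-zeros (subnet-router anycast) address of the prefix, whereas eval01–eval03 each configure `…::1/64`; unless Hetzner really assigned the zero address to this host it should be `"2a01:4f9:c012:273b::1/64"`, and if it is intentional a one-line comment should say so because it looks like a typo. The commented-out `# ../../modules/ofborg/evaluator.nix` import is likewise unexplained — either remove it or state why it is disabled on this host, since a reader may otherwise assume the evaluator role was dropped by mistake.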
@@ -0,0 +1,64 @@
+{
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool = {
+ zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/eval04.ofborg.org/hardware.nix b/non-critical-infra/hosts/eval04.ofborg.org/hardware.nix
new file mode 100644
index 00000000..5bc4812b
--- /dev/null
+++ b/non-critical-infra/hosts/eval04.ofborg.org/hardware.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+{
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ "virtio_gpu" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/non-critical-infra/modules/hydra/builder.nix b/non-critical-infra/modules/hydra/builder.nix
new file mode 100644
index 00000000..1d496680
--- /dev/null
+++ b/non-critical-infra/modules/hydra/builder.nix
@@ -0,0 +1,37 @@
+{ inputs, config, ... }:
+let
+ nodes = {
+ ofborg-eval02 = "eval02.ofborg.org";
+ ofborg-eval03 = "eval03.ofborg.org";
+ ofborg-eval04 = "eval04.ofborg.org";
+ ofborg-build01 = "build01.ofborg.org";
+ ofborg-build02 = "build02.ofborg.org";
+ ofborg-build03 = "build03.ofborg.org";
+ ofborg-build04 = "build04.ofborg.org";
+ ofborg-build05 = "build05.ofborg.org";
+ };
+ nodePath = nodes."${config.networking.hostName}";
+in
+{
+ imports = [
+ inputs.hydra-staging.nixosModules.builder
+ ];
+
+ services.hydra-queue-builder-dev = {
+ enable = true;
+ queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
+ maxJobs = 2;
+ mtls = {
+ serverRootCaCertPath = ../../hosts/staging-hydra/ca.crt;
+ clientCertPath = "${../../hosts/${nodePath}/client.crt}";
+ clientKeyPath = config.sops.secrets."queue-runner-client.key".path;
+ domainName = "queue-runner.staging-hydra.nixos.org";
+ };
+ };
+
+ sops.secrets."queue-runner-client.key" = {
+ owner = "hydra-queue-builder";
+ restartUnits = [ "hydra-queue-builder-dev.service" ];
+ sopsFile = ../../secrets/ofborg.${nodePath}.yml;
+ };
+}
diff --git a/non-critical-infra/modules/ofborg/builder.nix b/non-critical-infra/modules/ofborg/builder.nix
new file mode 100644
index 00000000..212e7bf0
--- /dev/null
+++ b/non-critical-infra/modules/ofborg/builder.nix
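Review bot: `nodePath = nodes."${config.networking.hostName}"` fails with a bare `attribute '…' missing` error if this module is ever imported on a host that is not in the map; `nodePath = nodes.${config.networking.hostName} or (throw "hydra/builder.nix: no node entry for ${config.networking.hostName}");` points the reader at the right file. The same host list also appears in `modules/ofborg/harmonia.nix` and, as raw IPs, in `modules/ofborg/builder.nix`, so three copies will drift; one shared attrset imported by all three would be cleaner. Separately, decoding the validity fields of the committed `client.crt` files suggests they run from 2025-07-31 to 2075-07-19 — a 50-year client certificate means a decommissioned builder can only be cut off by revocation on the queue-runner side, which is worth stating in a comment next to `clientCertPath` so nobody assumes expiry will handle it.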
@@ -0,0 +1,92 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./common.nix
+ ./ofborg-config.nix
+ ./harmonia.nix
+ ];
+
+ networking.extraHosts = ''
+ 95.216.209.162 eval02.ofborg.org
+ 37.27.189.4 eval03.ofborg.org
+ 95.217.18.12 eval04.ofborg.org
+
+ 185.119.168.10 build01.ofborg.org
+ 185.119.168.11 build02.ofborg.org
+ 185.119.168.12 build03.ofborg.org
+ 185.119.168.13 build04.ofborg.org
+ 142.132.171.106 build05.ofborg.org
+ '';
+
+ deployment.tags = [ "ofborg-builder" ];
+
+ systemd.services.ofborg-builder = {
+ description = "ofBorg builder";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ path = [
+ config.nix.package
+ config.programs.git.package
+ ];
+
+ environment = {
+ GIT_AUTHOR_NAME = "OfBorg";
+ GIT_COMMITTER_NAME = "OfBorg";
+ EMAIL = "ofborg@nixos.org";
+ };
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/builder /etc/ofborg.json";
+ User = "ofborg-builder";
+ Group = "ofborg-builder";
+
+ StateDirectory = [ "ofborg/checkout" ];
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users.users.ofborg-builder = {
+ isSystemUser = true;
+ group = "ofborg-builder";
+ description = "ofBorg builder system user";
+ };
+ users.groups.ofborg-builder = { };
+}
diff --git a/non-critical-infra/modules/ofborg/common.nix b/non-critical-infra/modules/ofborg/common.nix
new file mode 100644
index 00000000..b777e99a
--- /dev/null
+++ b/non-critical-infra/modules/ofborg/common.nix
@@ -0,0 +1,33 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.srvos.nixosModules.server
+ ../../../modules/common.nix
+ ../common.nix
+ ./ofborg-config.nix
+ ];
+
+ nix.gc.automatic = true;
+
+ # TODO wire up exporters
+ # TODO loki
+
+ # Not part of the infra team
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM35Bq87SBWrEcoDqrZFOXyAmV/PJrSSu3hl3TdVvo4C janne"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPK/3rYhlIzoPCsPK38PMdK1ivqPaJgUqWwRtmxdKZrO ✏️"
+ ];
+
+ nixpkgs.overlays = [
+ (_self: super: {
+ ofborg = inputs.ofborg.packages.${super.stdenv.hostPlatform.system}.pkg;
+ })
+ ];
+
+ systemd.targets.ofborg = {
+ description = "ofBorg target";
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ deployment.tags = [ "ofborg" ];
+}
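Review bot: `networking.extraHosts` pins the public IPv4 address of every fleet node by hand, making it the third copy of the fleet topology in this commit (next to the `nodes` maps in `modules/hydra/builder.nix` and `modules/ofborg/harmonia.nix`) and the one most likely to go stale when a host is re-addressed — a stale entry silently sends substituter traffic to whatever now owns that IP, and while the narinfo signatures still protect integrity, the node simply loses the cache without any error. Deriving these lines from one shared attrset that also carries the address would remove the drift; if the pinning is deliberate so that the cache works before DNS does, say so in a comment above the block. The hardening comments copied from a template, such as `# Maybe disable this for interpreters like python` on `MemoryDenyWriteExecute`, do not apply to the Rust `builder` binary and could be trimmed.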
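Review bot: The two root SSH keys added to every ofborg host are labelled only `janne` and `✏️`, and `# Not part of the infra team` does not say who holds them; root on these hosts includes eval01, where `evaluator.nix` exposes the GitHub app private key and OAuth secret via `github-tokens.nix`. Each key should name its holder and role, in the key comment or on a line above it, e.g. `# <full name>, ofborg maintainer — root for ofborg operations`, so that the access can be audited and revoked when the person's involvement ends. It is also worth considering whether these belong in the shared `ssh-keys` the commit message mentions rather than a module-local list that only this fleet sees.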
diff --git a/non-critical-infra/modules/ofborg/evaluator.nix b/non-critical-infra/modules/ofborg/evaluator.nix
new file mode 100644
index 00000000..fee5d4bc
--- /dev/null
+++ b/non-critical-infra/modules/ofborg/evaluator.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./common.nix
+ ./ofborg-config.nix
+ ./github-tokens.nix
+ ];
+
+ deployment.tags = [ "ofborg-evaluator" ];
+
+ systemd.services.ofborg-mass-rebuilder = {
+ description = "ofBorg mass rebuilder";
+
+ wantedBy = [ "ofborg.target" ];
+ bindsTo = [ "ofborg.target" ];
+ restartTriggers = [ config.environment.etc."ofborg.json".source ];
+
+ path = [
+ config.nix.package
+ config.programs.git.package
+ ];
+
+ environment = {
+ GIT_AUTHOR_NAME = "OfBorg";
+ GIT_COMMITTER_NAME = "OfBorg";
+ EMAIL = "ofborg@nixos.org";
+ };
+
+ stopIfChanged = false;
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ # Filesystem stuff
+ ProtectSystem = "strict"; # Prevent writing to most of /
+ ProtectHome = true; # Prevent accessing /home and /root
+ PrivateTmp = true; # Give an own directory under /tmp
+ PrivateDevices = true; # Deny access to most of /dev
+ ProtectKernelTunables = true; # Protect some parts of /sys
+ ProtectControlGroups = true; # Remount cgroups read-only
+ RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
+ PrivateMounts = true; # Give an own mount namespace
+ RemoveIPC = true;
+ UMask = "0077";
+
+ Restart = "always";
+ RestartSec = "5s";
+ ExecStart = "${pkgs.ofborg}/bin/mass-rebuilder /etc/ofborg.json";
+ User = "ofborg-mass-rebuilder";
+ Group = "ofborg-mass-rebuilder";
+ SupplementaryGroups = [
+ "ofborg-github-oauth-secret"
+ "ofborg-github-app-key"
+ ];
+
+ StateDirectory = [ "ofborg/checkout" ];
+
+ # Capabilities
+ CapabilityBoundingSet = ""; # Allow no capabilities at all
+ NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
+
+ # Kernel stuff
+ ProtectKernelModules = true; # Prevent loading of kernel modules
+ SystemCallArchitectures = "native"; # Usually no need to disable this
+ ProtectKernelLogs = true; # Prevent access to kernel logs
+ ProtectClock = true; # Prevent setting the RTC
+
+ # Misc
+ LockPersonality = true; # Prevent change of the personality
+ ProtectHostname = true; # Give an own UTS namespace
+ RestrictRealtime = true; # Prevent switching to RT scheduling
+ MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
+ PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ users.users.ofborg-mass-rebuilder = {
+ isSystemUser = true;
+ group = "ofborg-mass-rebuilder";
+ description = "ofBorg mass rebuilder system user";
+ };
+ users.groups.ofborg-mass-rebuilder = { };
+
+ programs.git.enable = true;
+
+ sops.secrets = {
+ "ofborg/github-oauth-secret".restartUnits = [ "ofborg-github-comment-filter.service" ];
+ "ofborg/github-app-key".restartUnits = [ "ofborg-github-comment-filter.service" ];
+ };
+}
diff --git a/non-critical-infra/modules/ofborg/github-tokens.nix b/non-critical-infra/modules/ofborg/github-tokens.nix
new file mode 100644
index 00000000..f3a2fbe9
--- /dev/null
+++ b/non-critical-infra/modules/ofborg/github-tokens.nix
@@ -0,0 +1,16 @@
+{
+ sops.secrets = {
+ "ofborg/github-oauth-secret" = {
+ mode = "0440";
+ group = "ofborg-github-oauth-secret";
+ sopsFile = ../../secrets/github-tokens.ofborg.org.yml;
+ };
+ "ofborg/github-app-key" = {
+ mode = "0440";
+ group = "ofborg-github-app-key";
+ sopsFile = ../../secrets/github-tokens.ofborg.org.yml;
+ };
+ };
+ users.groups."ofborg-github-oauth-secret" = { };
+ users.groups."ofborg-github-app-key" = { };
+}
diff --git a/non-critical-infra/modules/ofborg/harmonia.nix b/non-critical-infra/modules/ofborg/harmonia.nix
new file mode 100644
index 00000000..53d5db51
--- /dev/null
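Review bot: The `sops.secrets` entries at the end set `restartUnits = [ "ofborg-github-comment-filter.service" ]` for `ofborg/github-oauth-secret` and `ofborg/github-app-key`, but this module does not define that unit, and the service that consumes both secrets here is `ofborg-mass-rebuilder` (it joins the two secret groups via `SupplementaryGroups`). On eval01, which imports only this module, a rotated key will therefore not restart the mass-rebuilder, and sops-nix will be asked to restart a unit that does not exist; change both lines to `restartUnits = [ "ofborg-mass-rebuilder.service" ];` and add the comment-filter unit only in the module that defines it. This assumes the mass-rebuilder loads the app key at startup rather than per request — worth confirming against the ofborg source before relying on the restart.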
+++ b/non-critical-infra/modules/ofborg/harmonia.nix 
@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+let
+ nodes = {
+ ofborg-eval02 = {
+ substituter = "eval02.ofborg.org";
+ public-key = "eval02.ofborg.org:85vbhZviIv2eeC3VKK2T/X/zzgIYLYjyGw3Pi+Pqh34=";
+ };
+ ofborg-eval03 = {
+ substituter = "eval03.ofborg.org";
+ public-key = "eval03.ofborg.org:HATIHUe6QMH83dbDpnUv9VeuaNDBjeWshW2monmRK1c=";
+ };
+ ofborg-eval04 = {
+ substituter = "eval04.ofborg.org";
+ public-key = "eval04.ofborg.org:k4s/u1JWDew+dwXcuFvAAVFK2DfN6ib+73iCwX5gkBE=";
+ };
+ ofborg-build01 = {
+ substituter = "build01.ofborg.org";
+ public-key = "build01.ofborg.org:Edgo6+RgHXa8nlxuLAgh18fMhQuXGdXNcYK6yNKQaQ8=";
+ };
+ ofborg-build02 = {
+ substituter = "build02.ofborg.org";
+ public-key = "build02.ofborg.org:uw5IBpYv129c8+ltrQ288TGvmE5JqNZA+q7GW3tDaUk=";
+ };
+ ofborg-build03 = {
+ substituter = "build03.ofborg.org";
+ public-key = "build03.ofborg.org:8LFTt2s1cbzniV4MLkT30qEHPY0cK3RP+6fk03GD3lw=";
+ };
+ ofborg-build04 = {
+ substituter = "build04.ofborg.org";
+ public-key = "build04.ofborg.org:NHEGj8moimu2TiZNIA4DOb4kVhvds6Vlzr2TAwX1mUY=";
+ };
+ ofborg-build05 = {
+ substituter = "build05.ofborg.org";
+ public-key = "build05.ofborg.org:RPuXIkyo86mCmsfYqyK/STIbPE+DM9Ixcw7HUe64Ss4=";
+ };
+ };
+ ownNode = nodes."${config.networking.hostName}";
+ allOtherNodes = lib.filterAttrs (n: _: n != config.networking.hostName) nodes;
+in
+{
+ services.harmonia = {
+ enable = true;
+ signKeyPaths = [ "/run/secrets/harmonia/secret" ];
+ settings = {
+ priority = 50;
+ };
+ };
+
+ nix.settings = {
+ fallback = true;
+ extra-substituters = lib.mapAttrsToList (_: config: "http://${config.substituter}") allOtherNodes;
+ extra-trusted-public-keys = lib.mapAttrsToList (_: config: config.public-key) allOtherNodes;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ virtualHosts."${ownNode.substituter}" = {
+ locations."/".extraConfig = ''
+ proxy_pass http://127.0.0.1:5000;
+ proxy_set_header Host
$host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+ };
+}
diff --git a/non-critical-infra/modules/ofborg/ofborg-config.nix b/non-critical-infra/modules/ofborg/ofborg-config.nix
new file mode 100644
index 00000000..e442cd89
--- /dev/null
+++ b/non-critical-infra/modules/ofborg/ofborg-config.nix
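Review bot: Port 80 is opened to the whole internet for a cache whose only consumers are the other fleet nodes in `allOtherNodes` (the same hosts pinned in `modules/ofborg/builder.nix`), so the `/` location should carry an `allow` list of those addresses plus `deny all;`, or the firewall rule should be scoped to them; as written anyone can enumerate and download every store path a builder has produced. The signing key is referenced as the literal `/run/secrets/harmonia/secret`; `config.sops.secrets."harmonia/secret".path` would tie it to the per-host declaration and fail at evaluation time if a host forgets it. `recommendedTlsSettings = true` and `proxy_redirect http:// https://;` do nothing on a plain-HTTP vhost and read as leftovers, and since the transfer is plaintext the integrity of what peers pull rests solely on the narinfo signatures checked against `extra-trusted-public-keys` — worth a one-line comment above `extra-substituters` so nobody later "fixes" the scheme to `https://` without also provisioning certificates.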
@@ -0,0 +1,94 @@
+let
+ rabbitmq = {
+ host = "messages.ofborg.org";
+ ssl = true;
+ virtualhost = "ofborg";
+ # Missing: username and password_file
+ };
+in
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ environment.etc."ofborg.json".text = builtins.toJSON {
+ github_webhook_receiver = {
+ listen = "[::1]:9899";
+ webhook_secret_file = "/run/secrets/ofborg/github-webhook-secret";
+ rabbitmq = rabbitmq // {
+ username = "ofborg-github-webhook";
+ password_file = "/run/secrets/ofborg/github-webhook-rabbitmq-password";
+ };
+ };
+ log_api_config = {
+ listen = "[::1]:9898";
+ logs_path = "/var/log/ofborg";
+ serve_root = "https://logs.ofborg.org/logfile";
+ };
+ evaluation_filter = {
+ rabbitmq = rabbitmq // {
+ username = "ofborg-evaluation-filter";
+ password_file = "/run/secrets/ofborg/evaluation-filter-rabbitmq-password";
+ };
+ };
+ github_comment_filter = {
+ rabbitmq = rabbitmq // {
+ username = "ofborg-github-comment-filter";
+ password_file = "/run/secrets/ofborg/github-comment-filter-rabbitmq-password";
+ };
+ };
+ github_comment_poster = {
+ rabbitmq = rabbitmq // {
+ username = "ofborg-github-comment-poster";
+ password_file = "/run/secrets/ofborg/github-comment-poster-rabbitmq-password";
+ };
+ };
+ log_message_collector = {
+ rabbitmq = rabbitmq // {
+ username = "ofborg-log-message-collector";
+ password_file = "/run/secrets/ofborg/log-message-collector-rabbitmq-password";
+ };
+ logs_path = "/var/log/ofborg";
+ };
+ mass_rebuilder = {
+ rabbitmq = rabbitmq // {
+ username = "${config.networking.hostName}";
+ password_file = "/run/secrets/ofborg/mass-rebuilder-rabbitmq-password";
+ };
+ };
+ runner = {
+ identity = "ofborg-core"; # TODO what is this
+ repos = [
+ "nixos/nixpkgs"
+ "ofborg/testpkgs"
+ ];
+ disable_trusted_users = true;
+ trusted_users = [ ]; # disabled so everyone can build
+ };
+ builder = {
+ rabbitmq = rabbitmq // {
+ username = "${config.networking.hostName}";
+ password_file = "/run/secrets/ofborg/builder-rabbitmq-password";
+ };
+ };
+ github_app = {
+ app_id = 20500; # Used for submitting statuses
+ private_key = "/run/secrets/ofborg/github-app-key"; # Used for submitting statuses
+ oauth_client_id = "Iv1.24d6e782e2ccbbdf"; # For accessing the API
+ oauth_client_secret_file = "/run/secrets/ofborg/github-oauth-secret"; # For accessing the API
+ };
+
+ checkout.root = "/var/lib/ofborg/checkout";
+ nix = {
+ build_timeout_seconds = 18000;
+ initial_heap_size = "4g";
+ remote = "daemon";
+ inherit (pkgs.stdenv.hostPlatform) system;
+ };
+ };
+
+ nix.settings.trusted-users = lib.mkForce [ "*" ];
+ nix.settings.allowed-users = lib.mkForce [ "*" ];
+}
diff --git a/non-critical-infra/secrets/github-tokens.ofborg.org.yml b/non-critical-infra/secrets/github-tokens.ofborg.org.yml
new file mode 100644
index 00000000..12738ca7
--- /dev/null
+++ b/non-critical-infra/secrets/github-tokens.ofborg.org.yml
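Review bot: `nix.settings.trusted-users = lib.mkForce [ "*" ]` makes every account on the host a Nix trusted user, which is effectively root on the daemon — a trusted user can pass `--option sandbox false`, change `build-users-group`, or inject its own `substituters` and `trusted-public-keys` per build. On these hosts the blanket grant also covers `nginx`, `harmonia`, the hydra builder user and any future service account, none of which should need it, and it is unrelated to ofborg's own `trusted_users = [ ]` / `disable_trusted_users` in the `runner` block, which only governs who may trigger builds from GitHub. Limit it to the accounts that actually invoke nix with options, pres umably `[ "root" "ofborg-builder" "ofborg-mass-rebuilder" ]`, with a comment saying why they need trusted status; `allowed-users = [ "*" ]` is already the nixpkgs default, so the `mkForce` there is only needed if an imported module (srvos?) narrows it, which a comment should say. The `# TODO what is this` on `runner.identity` should be resolved or reference an issue before this lands.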
@@ -0,0 +1,104 @@ +ofborg: + github-oauth-secret: ENC[AES256_GCM,data:ljXwAT9e8Wo/5m2xWC0Ip3JxGVFZNqeVn//TnOtck8NCE0enG3Pv5w==,iv:v/sATS+/psNauwc9dkGA+kNzCyjOE0Lx2uakidmnCmw=,tag:9me+XbM1spGzvJGUYDbbDA==,type:str] + github-app-key: ENC[AES256_GCM,data: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,iv:seUxszOTK2/oct+FlKVFPseo4/CHpdp0eiLUyddmmWg=,tag:HWrNTJKz7oQY+aPRk4H55g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rrrj8tgcyp9xfxvy6zmk9487x62cgx0z68l7jretz2th6ey9nf4qh7nq7h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0QlNpd2c5MDhBcGEwQjQx + OTFXSUd1SldaNUdTc2t4Ukx2c3FncVFzZWtRCnd5a1hwekxYVjZmY0tiaEhIbWFU + cWpZUGxxcjZDVWx0L3FnaDBKaU5mdEkKLS0tIFVSUkJsdWpWeXhoYit0SGVCZC96 + Y1NZVHp6aG9PMVZYM3FSTU1vUWJWamsKma/fA+Gko375jMBmT/oOrbbnkju22SYo + Vcc4qUthuffHxlSCW5fW7Coyl9JEA3tx2lOBUk0hZO5kPkVpquS8Uw== + -----END AGE ENCRYPTED FILE----- + - recipient: age16d0phf8c5wy3rfsd4pgc42mqa3aw2llfukdhgu7pzklnzjr2rvxsusz842 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrc1NSckN4ZEsxZ0RtWUcz + czBMcDR6akRzN0pVUnc3a2dHU3RZelBXTUZZClNzWXBmYmhUMW9pbVVXYXJOdDF1 + QWJsQWE5cFQwdXp4ck42VkRud050OG8KLS0tIGVNeXdBMmxOTXp1TUhDY09sbE5r + Z0NLRXNzcWdTL0lzcEtRd21CRFd0dUEKNjzdg+qidmug1Jn/kvpaeOcSm6U3iZnP + um0wz8k3sWsAZdnzxm3jYPhjEFaRZMkEez4OGv5ZAbj6QOJ/LgVu0A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qn3q3y04pxumygmq96x0gk9qtrdcgdw4y5nl6xd780u4avk0qgsqy8tuu0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UWFycmhQRlhJNjNBZElZ + aDBBSHgrUXZIbVRCZzdiK0NkV29rZ09laWxFCnhZMFlzdFh5aTlBdkU5bFdPNDMz + REFEZ1hZdHpFNUQ0RmJrUm1aYVRjd28KLS0tIGtVY29NOGhOa0J1YVh5eWJIUDA2 + ZnhUNmhMQUdwN3UvcFU4Y0hlZDI5NWsKfmVq2vz6fg+V/VEtHBNykjs/1TO6PPql + HQL8GEWGJtATdlLkbfIiYF/I/mFr04Vm8Efk7kDPfhMAtDtah5cr9A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yssfznyq8rljcpfthpulnvfls0l5t36fpqxkk5taxcwpkqhv9gcqrvvwh7 + 
enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSENwSTJqaTNYSnZIOFlw + Ulk0TWZtaEJUUVBlWG9lUmlMQ1REMDhZcFVZCmVoTzVaNHZuUGowVnkvSEVrZXdn + b2tSemNYZjJSQTdIcHl3UDhJTEdwYjQKLS0tIDJXVDRSUlBnWXdleGROUzA1dVBD + R1NzN0ZRay8vNzhQYnJqQ3pXcUJpSFkKT2r2INWOiYqg1Z/QY3Uz8O0jqvC+zOyD + EIKCCHO1S4FdO6lmcsA0ArncL6LwStSQSb0JC4iHyhzjuRf2Jqo6jw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vunut833rrdfulgnsjqtuke4yjtzexn2xqjqavwzxlgrg7n4y45qhurzwc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTEVUeUJVNTA5dmsrcWVw + Q3R5RGF0cVYrQVJGWXBFWEs3a3lmSWEwRGpZClR6ZGJaZHJ1ZE9oQ28zZ3RRRUMx + VGY1aFNBRGNkSStuUDlDNUZZeTN6azQKLS0tIGUzWXIxQ0NranBDZHJQQVRvb2dF + QWQxbmRJSUlKSmdGaGRXTHhNRnc5OGsKKUz1rJXZpDkyVuLafUzzYurPm0SHdXF0 + u5gBoEUFK302z04UFIKu7TXKDFthNxCnh7bKLGjlmPQ9mkEoDAx5FA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVc1BzZGtHZHFKN2VYc29D + eGpkaWdXalhSdjFRT2Nhd3ZUUjMwdDNFL3ljCmZLdnh5MUI2WWFNNjRhaU14M05K + WkVpR3NjYjNwem9rYkJ4NkRvUDE3Ym8KLS0tIDZjbXV4R0hwTUUzaEtzMkV4N2NP + elMwbUFHV2RCemdWeFQzYlRnNnlBLzgKQD8sy0m0vI85vQEKcKNWkZlaOyJMoikt + XNXNkx+PT5cXIrPHcQOsbRqTM/lgepJqHsSrnWCf7HmVgaBxpLN03g== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvc0ZsY0w3Wnhwemtoa3pH + MVRuYmNoQkpJSU5oZFh6Y3R1dDl4bURwMzBrClVWOVRacndkN3c0TlVvWnpIaWdK + Z09FUVQ1bDUwcHMzaXN2YlNwQzhQVEkKLS0tIDhvVGNzOUZnNjZucXdXNE1aWkJW + SjBPS003bWh1Z2NFbDYxazlKVUF0c0UKiH+DGOBx7tSzjBelBwea7Av4oG50aV7R + CWZc5efN8naw9r0+c1QwSQKQ40a4fXaIoy66X6oLDPfBO0nApUlAag== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SVIwZlFnQ0NweGxaVW8x + WCtZVm0yOXE3VmcwdEwwWW9YR3lCZ1hCczFJCkVjSjA4SmNhTXJRTzNGMVNqY210 + NTh6bUJyODhIY2ZjT3JhRk1waHdnVE0KLS0tIHdxcDJFRzlDTVpqZlArZWVFcHFj + MHZteHZHRG52VEhraDd5akd1Ym0rN3MKaotVK+V+sgN3jYO6eRT6iklBInF17S47 + pB0epMvdUSvu0rXeNlkyrKzqKSPQDA+iwJJws7N3fsYiL91MjYrFgA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cGtQN2dZOVg1dU9GcU5h + ejFOc25HRGYyajhFMHZGQ0ZLc2hiNHV5d1FzCmlGa1lWaW9tQi9TMk1Pd3ZBMjl1 + WGV1azgwWkx2VUFEODBUOFpLeFFtYXcKLS0tIGh5RkozSEFkeVg0eVFaa1doUDV3 + K2RuMHZyUnltallXQk4xamxLQ3h2NzAKlMaEXoukMvK6O5/88nfYmCSxFm+MmSk3 + t4et95x+87Kyen5LX7z+Pj+X5MrjC0O2DDyoDQj6K7wT/hjMzarbNg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUnNnR2IvelptWW1DL3pq + V3pKMXFKZXlpdmFKMEQzN1VIanlFNjRHWW13CmxocThhTDdOQ3oxd1ZoNHpJYnpT + Z1JXUE5TZE1ZWEwvc0x4di9ORGdUWWMKLS0tIFY5Y2NLUXZwbi9uaVVvYU9DbkJE + TFpQaW0zYWVMMkExc0tlb3FxVDdTcmMK+QNN15A44FNROjzoNEdLJCc3t3s8YX3g + abliHcCZmf4PxF0Z2KTem7vfglkKZiA8kf//nmH3UADiVm2K/AY6Vg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-29T16:57:50Z" + mac: ENC[AES256_GCM,data:9eXCFgz2dK9F4yWZ/vZykAZV6B0dh2ZrtsPMcy0EfnT12JFgt6AHpkmclEhqVLS7oXshUi4mVwkQjB2ZdVVega2IePu3EmWkpxbFoJyNW+kce0d/CYZAZRjigwPS68lxXT8+q1rUvIeMAq60EnZaefTwU9+xM+x05lXsw2yxsIo=,iv:ouMLuOX1mBlJ2wcn7MPexfZs0RT/xxOWovgYQIpafxY=,tag:SHjoqoBrSdUZB/RTqdB9RQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml new file mode 100644 index 00000000..f24db18e --- /dev/null +++ b/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml 
@@ -0,0 +1,65 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:PJutzppfwBpsqcnCn8nsiistlFAFvqx+WyClEFQAPbFPi8l4wTZ1emVkkPt7b6tmI/w=,iv:iGSvtMrTV6hcKkbubgH5bwJbJIB30K+apjX5xZ0BTC8=,tag:16W2YeZoED5PjKCW2piiyA==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:l0ksas81hQj9u9FHZiW54tNWf9h6KV9G2zQD4T210xeW+zA/5C+fMqO6XVcQfISmxUjBzHCROr7mhLo/26S1ko+nUJq2sKu6fxiAF+yREH6rqFwC9wn4egochDaXQoAcE4a+8uPh8u8XT+A=,iv:hCVtTwC170TPpBHQDzPK72+RxS5HNYLv8J3LvvttJ4g=,tag:tvIzWGanqOPku3+oywJ7Lg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:/8jVcQHp4rUDZizbuPmQy3IrSAlxuYJ9vMHDUSbShu7iZ+oIq1h0cxJmfvFZ+Rf6/a1ZZZQykyUcJeGlNvCpFYabKWit6RKcHHSy5S3lg50kKMwyZga4h9FWjWBd4rJ3XOCbelQXNwAfXBBanxgF1hMlE+SXoAg=,iv:6VUR22+ZIlu0eyWechcAM8Z6QWqCfBynORivUjV5SOA=,tag:0CQ7BVo4IKqnV7j9gyplXQ==,type:str] +sops: + age: + - recipient: age1ulnex45wt7fpj92jy9c5del3ccz6mmnqptrsva24k8m7qsez9pcsdu3eae + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaDJ3K3RobDN2bU5lNTJK + RTd3WVFmQUpGVFFYb3dMeDdJVE1DOVp6NW5NCnZEZ2lqald3TVVuZWJhZ1I1Mi9E + bkNaaU56K2xLYmdEVWRQRWEvTUFWU2cKLS0tIE5oeHFaTFJKTitJVk1XTndIeUFl + cmxhbDlBSVRJeFlDM3BpbnZDbElSYTgKruwJAwrNYk52IQCwWgOTUIFN3NPDTP0k + jd7TvMStgqBKU2jz5IBHkzKjgpEY4vjqwTnj5Fw9ArRJ6mIzctFDlA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWXRCcVg0bVBJQm93U3My + Z0V1bXM5YUo2b3dDMVNZajB5alByS0EySmlJCmxEVjdZY3BZbnlyNVRZWXFZTjM3 + MnlJNEw1Q3FMZFF1YmRpd3UxN0g3U1kKLS0tIHB0a1IxT08weFg0UHZkWmJMMWkw + Smp3a2EwcDVXWnROZkE0SU5tZmdGRlkKKkbWDY1iJLrxnZx9VBHQKZ31SdDsA80n + ikiuB935RLiT0qk52BnkGmakXGyiEMS1SjP1+OtHIbpFw3Y2Y4Iarw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeXU0YjA0djBxZ0c2R3h6 + 
ckdWS1pqSnUzUjhNZ0QwcWZYUDM1aCtmQ24wCkhNemhIb1dNUmtZdUc3QnZ2S3RY + eE5VN0xhVEVYNUUxY2JCSFBHT1lnMm8KLS0tIFcxV01NRk8zRFU4MFJQZ2xOc0N2 + Ym85YkdOWUxkS1NhZE9mUFFSbThtTjQKTtu108ofDN0wv5wucmUn7xYNA/dd2rWi + NG62pg5S39oi6V+JdXddV8WJ4Cr261zQA67s5/4U6mCGr2+5iC7npw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBla21sWFR1VEtUTnU0Szls + ZmNGcmJyZTdDak9Wd25Kam1jckE2ejZ3aGg0Ckxuc2N3eXlKSDZkQUt6ZXUwMDM1 + S0txYk5yNXZGdjRtVEhxWnVINVg1MEUKLS0tIGVVWU9kRVFVYm5vZ05HNzU1a01W + N2svOGQ2NWV5cFd2MlkzQ1dEZFJCVjgKsYDLsz8EUWKt4tU6ecc9qhEd6CghRmke + GLoMfLXmC1UkxoJq2/1ZoUbWaM1nLTHXcd0jRvqY2PtFgOzixs+5dQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Z1ZQczFRRUdKUjR0Q3FC + SGVPb0lkNWMvQkVJNVoreVVJT1AwVzhaMFVBCm9FUlFselU3TDBBQTMzcHdlZFQ3 + d0RiWklleC9ZeUcrY0NBeHRUWHZOZFkKLS0tIFlFMkdKZDkwN1hNS2xQNEd2NWF1 + anpIWThNaG5rNEw2bVNrTGxTVjc3aWcK5uq2oy5WdJ1Hv8ah+3AUULVrSOcz/NgS + QrIbuzvbjJqH7TOsTd0OUPz0liYkWoZTvt4jORdxRRRnYaqr02pZmw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTGJwbjRpR2ppanRFekdq + T09yYm5FR0hWeThCV1pLOXNJZnljWE1aeFhJCnZudkZhMG1sMzhXYUwzQW1NL3Fq + cHdkc2g1STNrMStOM1BTS2pBSlpadnMKLS0tIGVhc1NyWlFnaVBRM1ZrT3N6MkRG + VTQ5VjgzeWd3Kzh5YzlDdW9wWjY1TUEKf0BR88592mPaCyRbDQXk0qrxTRsPpV62 + ii/0v3v2eQH4n3DESR5xe0ZXRW3YUoqnHzJMu7e7zKhVexQiskwOrQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-10T19:16:28Z" + mac: 
ENC[AES256_GCM,data:dbrYWe2uHQRY0lkaCaqwAtXNJe+NzPEhTVBEjN/gybqILx7EylTNxkEC2OUeK66nm6PoRQ6F/mrqf9qLcXwfVqnQAHVa8CWFCb9EeYBNGoe7KPmxCxzpyHHG+mQdvz3jLD5h1lXVoRYcks2yOOYUKJQGpjZe8gxoraqkUEQQiiU=,iv:+6oRGpSd6uMyXrEO0dJq+6RvLNGzie1p1st7d00+q+k=,tag:VnZs/kGP4yPcM15q/tYvEg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml
new file mode 100644
index 00000000..afe0dbe7
--- /dev/null
+++ b/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml
@@ -0,0 +1,65 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:QVJgi+XJWIlSHBXWIHZTh/ADCChlyLbRekV5bpyIvxmacvi5D2ILVq8U2RC2Nf0gnOc=,iv:fSUmuf4sAg/8+ZFvxM+JEVpUWXudwszSt6z+SgF2kfQ=,tag:+GF3yKvt0ZoxeTiHiWRu+w==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:n7l9VJh9fpp3RIoGbofZivhLjrMRBdZYLMBxoIP/6Gbm5WVXnKqJ3QinVGuzdUnJN7nCgupmD6OWza38PS6DJ1ZZ0WzwZ5qR2M7l0BERzUwl4Ow+APeSyv4DFhUg0J6Fmwvb/PmAGfG8ows=,iv:bX/dQR8YPWBJ9OdpAuvHuBCf8J0yDxSqALrGf/ozlYE=,tag:SEWdW+zuSvsQovK299i4BA==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:ySLkgrEoq17F5mHSYi9gxLTebpK2BYStrGsfsyTc5qpGCFi36heHLrS8fH2ChGOe4Bt+AVuRjgSWYMAFZPL6RoS9E1a2Pd35J5DLjXI330D237ouRMBeKu2LBCPUzaiO0AD73fRfpwYbh7TzhYm+qlCdKmgMLpE=,iv:nKQ9MqjbznvEWduAeGmzoRt9NQAr0bSRAJwt7qMa7gQ=,tag:FtVM7uDyYW58CctQx9m8rw==,type:str] +sops: + age: + - recipient: age1wrp04f5c0d4jx3hwjsn8cyxdjzpzx6fl202zftqfvfdt7hx8efgskf6s86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTHUwU1pFSGZCT3ZpMXdJ + bk93bDhZSmVRbDBibXAwZGl1SFVveXNER1RnCnNwQURGUUZsVDdEZ1d4VjVPMk00 + NWNJaWZGSWMrczA3VzNJNWFFMFBWQm8KLS0tIHFvN2l5QXR1K3NvK2xUV1JYTTFn + bmY4TEgvMndzamZyWnc5QWFDcFd6NGMKu3UzG5HGJ+kQtOfOxaPVyZnxfQaIU/41 + KB9X1NBPXyJzkRIdM8p0wm1Wmv8tXMjn/vg43zzR5yjEaCgg1amhqA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY1VveWpqbWxHUWRtdGE1 + Nk5DMXNkWU0yUzY5YmVpbVNmVXJpRHBSaDBnCkFhR2s4ZmlHcGRHS2J4VHNXQ2pB + UTY4dE5leEVydWdNZnJTV2xsNmh5Y3cKLS0tIFVlV2tCdnY1VTFQQkdKYzdyakVu + TWJRdU1zcWQ1dTlpR3crZjJRZkFzZTgKTIF6ZjO+Ur1df08YadOzLIKbuGurx76I + jc3rbvK2yzWhrcDltC/kGHrXe8ZJp8kILXIDaE3WQgQ+EV7DMNqcDQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dEhaUnhxZWZlcmU5dmRh + 
NDJBWENjS215aUVJTytqTi9KVGR6Z3BpY1FJCjc5ZmpjZFZRQkVON29NTGk5N25T + ZEJkQnhodUJJM0ZIRUI2TjRwdk1XMG8KLS0tIHUxSkd0KzF3L1R0Wnp2MUJIeEND + WlZ6N2xIZ0t1UGp2NHlOYkpPYnlTTWMKkCBa5YRHnmXNpGS71jBzbEZIQq6yeHct + m7/kKz3cBN7857ClbJeKQRcZkS0gjR174hb7nwz+gBn6LUe6hTuYaA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZTUrT2FVcm9ITG1QYSts + OWcreGJuRG5lRGIwb2NOTWM0QS9CNlJPcjBNCm5WeFNtT01OeE1GOStmV0xXSVNC + OUpDeGxOdnREWmQyOHVoZVoyeW1WU1kKLS0tIHBNcE1uRWNvUGloejQwTmo4WGVs + a20va1pka0xPK0VSdDgxVWloRU1QTXcKFpVCaJRWcJLXxnKDWj4S9zM2h6KVN1Vz + cWWc+LSkVuwMgPS9KQRudsTVPC93AKzc3qM7CMpo0yIRv/2wukhFDA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYVhkQXpTS3N5bm9rN2RM + cEhCQzlYNktXOUcreTkwbnVuV3kwbUNIWERFCktUZ0VQZG8rMk9qUXhycnd1OXM0 + MTNqck04MUtCVTNiR3k1TGR6N3YyMHMKLS0tIG5ZSkR1VUdpdjFBeFE1M3VaeFFS + YksrN3QvOFNESGJLUDFwUDRqVFpXOVEKZB/pdEmjGY3nJF+sd2Z733pFx9Cymq2/ + u8xa2ofgybrfLM3UgWZXQJZbZHkmn9huUD2uo8cLL/hOY6+247DYeg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtVG9JZ0c1SFVLaURYQ0dX + YWwxcGx2WFhRc29YY0E4TWlsNkZ2TjlHZ1ZrClpNKzVYTkVkZituQlQ2d3lnMXRx + UjI0NDNuSnBRVnBkQUM2Qm54NlAwalkKLS0tIEdDcGFaVUlJRHJ1OVZRcHFvRWdW + UVRoaXFTa2xmSUZUY0psMEtnZGFIL0kKpceOpY9f3LaCWtF465HzU/+3TzofV27z + ZQf0aFz0u5+T5ZYOwIsQMx8MV7vorI5Ifz+AnSMirSZKUQsba4dpOA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:39:01Z" + mac: 
ENC[AES256_GCM,data:eOCu6Ih5JpuZekioxI+jkwxIkTqiMxVnOT9mN6BPYp4wBLzAPrampuNoZV9gU63cjX2zzqNP+GaXygyW4A+DbT5K1uCxZLAM4AgyvCnSs27ck5mJZKi1H2CC5XTs8Huk4QerbPdI5+EfIDGelorAW9BFS6uc+s213udXAKdLNcY=,iv:/TPX4juuVEpDj/5GPE542rsGknl2NX4ZutJGVHKUxtw=,tag:JpBJQPWHyKGaK3D7BDAvBw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml
new file mode 100644
index 00000000..2d1f96c6
--- /dev/null
+++ b/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml
@@ -0,0 +1,65 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:YXvfUctFG4D0HEa87dW8YBTQiDpAEvFjHONrvync5kcFHrbwBFUPr1+sdGauShJDPeU=,iv:Uubwa947ItOcswBwB7Wq6QVXSlg8TKy8wetd1H6lSVY=,tag:bF4vEaWqyO8aGEir56cGOQ==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:bd+Yj1sQWbPEBHjVNUP4DfTsuz55y3jgBslycICP86IafshhA/x4aoqGYRPN750PR0iiZJkkvEABigjBD3wh+p5yuHxLAQzfmaTghJ8vatvAoarjxZ6CmeAHD5pKDWdn0NBqtyknRsr9/AU=,iv:refy8KB76qxLAE8CHA47N7GFnIxsMxM4/8XnJ4N0/+8=,tag:7YXtRhLqITJdz0YCBdROcQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:wq9bLGk9xDZoFz5zWHymTw2OxujgpWbojgX7Fbj2IdlGN9r7++BLRx8sR2h++Hi0YuY6kUdlvlSJ+SeOj/IwG73ke80mJB7zx88++jw8FnQ/xrQiP0Jdes3AJMe/t2PGJtOXQdy9GHIZlokBJovSuwZ4E+SqMjo=,iv:e1Ky7/sfQlWk9AfdT0Eu6Dck8LVKJSeQ/WYlzV4/xoM=,tag:aHARMMfrBXT07Kq94aCRTw==,type:str] +sops: + age: + - recipient: age1n0yrvl2v397kztuhf00cdvrhf26c9uegwz6day8z9pyqj3zff4sq6ha0lm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SUJsTXY4TjRIT2R2VWhY + VmJQVW5Oc1ZBd3grdE5EWGNETURaNFFUYXdvCnZaemtwYno2VUxuRVhTZFFYdTdm + c0VOY28zYXNPT3ZsZk55ZFFSMXp5L1UKLS0tIExOa3ZoR0ZaTk5vUTA4cTF3VXAz + TXBzaUJkT1ROWHBrekVaZTZOMk9hMUEKYfhdyoFIlSUhXUNQ9x48WQlN2/EGrFmU + 73w+WKGkANoEg/728DsKYYkRmeAQh7D28fdsG1ssXz4QXI9cgbd/DQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeUJwa2VLNEVMRjRQWUhY + cDl3ZUlkNHg4Z2hYMmM1UmRDVHNuVGZFMG13Ckloc2w0VHJTNDVXOHBSYVd3d1Jp + bzhVRXlKTHR3c0puQlpQQWpIWHJieFkKLS0tIHNidloybkRCcVdzYk12V3lSVEZE + aTNoY29NeDBPbzdRU00wU2hVNm54R28KzZBQ/CEPKfZ6GOtIDAjDP6C3pSGKkrTm + NODg2Ewtfr6ssL40A/ocAO3lBODQgjTRXXo35g5/Zb1fRnTgrV9yvg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eDhFbVlvSkNVUHU5WGtr + 
Mmt5V214R1dFaHd1KzNQL25zRkxZS2RPaEh3CnZieTdnSGUyMWxjUVVDZGRRWmZa + eGFuNk15VGpwYzhCd2pnRkR0QlgvckkKLS0tIGMrMDhTbTRqRGFXbGNBYUVTNDVy + UHNzRnFsYVlPZUY4YVpTVmNEcmRwQm8KdgrgnU3IF59nx9u74fkQnjqfgCVG8PKE + IVdqwYBGVjU472cGTlY+ALQINkjE99bJZUkwTs0dM9NZ0tyYPU72dQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTV0hYWDQ1R3FWNFE5bUhZ + a0luTGVrSW1uRnRqM3I0SUtOY3RWVHM4ajJBCnZLcEZXMUg5NFRJSENlSm1uazNY + aTZSVitrMTNGZ1lpNzdKbWs5SzU5ZlEKLS0tIEkxR21wdlBiTWVVc3NtM3ZnQXFy + bVBJbXowQTIyYTBDRlp5d3VJWWFOZ28KoIsbDW2qf4jUVmv7dOgynZvbEtrBHptg + 8YnWWBIqpD1GfHgaQ5igtXvCgelVMK6D3vnxztO92uZzU2b3Bm+8VA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcGxHUHI4cHZJbnpYeXpO + T0RjeUtKYmsyakl4WHgvYXV4dURpRS9BS25ZCmZBSkhWSDlkOCtqclNpWDFZRmZT + YmpxOUxRTThYYWpwVG1TcllPTmNGL28KLS0tIDBBWC9LMSsvT1hKVmk3Vk5ZM1ZZ + d1VIWFBNRGhrQTBnUnJTY0V0NXpLV2MKd2O4NTuuxnlIFJfYAu4W+KIckrsLRkHr + hXg+VlQa341UFPkmd4Ruj1yLI+fFSCRsobFll7exhIZm8qziiG95Og== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByakhyc2ZSQ296RFZScDFX + aTFCcmxhQVpKc0ZvVHBWdVRRczFmMHl0SEZFCkJYTEowcXM2OUd2UGNENkZNUTA0 + NmFNTXlOTm94amxJL2FzaDRNRnhlcjAKLS0tIDI3ZmVsMkVYSnNWRmZpZU1RVmJx + elB6SC9DQThBdXhPVGZ1V3prWTM5ZkkK4WAp7pEhKAHVWUGl/Yr+k/NFxS2xDErT + Uh5XEHQSL87JA4DSJGSzJNDeFN3TJiVCwFWaQ3rR422/A2YWQVphzA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:39:15Z" + mac: 
ENC[AES256_GCM,data:SK6NlMDwRXtr6heqyakmm388FFu1cBCzZ4P9CYNimrb/Qt6ZXf9YDzsyuiyvPpUEjqrnXqDtlaz7b43hG4LiKP8DmM9guVKzywmwea9QmircihovvZ48Et60A28eGBvxQFOJWgn434aI7xaJuU2dpDQgukjjkjwzE5me5SsM+Ns=,iv:vzicQbbt2/Q3KKgOR7q/V4r/L4kostr/eWv/C1oY0LI=,tag:ZT7SVqgGhHuR/1toYPkECg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml
new file mode 100644
index 00000000..efa0f228
--- /dev/null
+++ b/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml
@@ -0,0 +1,65 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:BY214D12Z800uyoMHxoH4y/BRxpg3cJMXCjae3k5lCmZeYahpaUx7Frd2i9fQmPaiOk=,iv:NNADJIcdzvtNWv++Q4Sd8MpHdJ1DhwMDNqI5RGc5KtY=,tag:8OTV+0gk/v6moTjFzFXDIQ==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:BA5Vq/CY3lnLxbvzvTKfztlBdpPqTmkJ0DAAnk8OYSfCu0HF0kXUuPlhkqfZIi/Z9KKETrMtAPmtwSsakRtjlGgwXX1yPFNLCvyjyDY6CuqYFqbWESSThCqg9Ygm2yTtfOEH6sr0NPKHXHM=,iv:UUhp73xbtBfZnhRY5OTGWmYD+uaQ1TlJfC3cQ26p/VI=,tag:svclNQwF8Vib+wCLIDybyg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:BsP0kv7VmThjFR8JoxSjif7nD9at7egv3i/5ZEFzF6euz7NBxV8F4GpXeqUIVzx02pDWzcnMmGpXb2rZkPCUoecE06Y/Dz8GktRZaU/IJnhCmaa0ktlYl0X9ttXr66Jn0cyt0bnSjQE1O/yTMaFXCrPLeAVMd4o=,iv:wvFZwdqyuoX4sc3yDAJy7oWpwvoFnq1zERyeLscc99k=,tag:35jBsVfPIvjSVnoZWKZcWQ==,type:str] +sops: + age: + - recipient: age1l7xmxkh6y6d5svj06txknamlwdpfwac8855p3edgpu6jcqea7pvslw4r9a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VmtPY0V6QUNFSHFzSUM0 + NTBpaHc3T21CR2dnL3ROanNpOUlaeVoyR1hVCnJHVnlxUkg1aXRJQjFQK0VlUEtG + MC8rZDdsek82S1pTcjQyRXR4UTZrMG8KLS0tIHdZOGVxcHA0MHMwN2tSRHZFN0ta + WHZGRDJaUG93QjBiWUFzK25Cc29LVHcKkA8SQeH6spdyLye1Mnsei+z75zOrzSs/ + F0Ndz7JSbO9Tg1TmMk7ttQJ8BGC7A0Yi44GNCALjxV8m1Vs62/wNTQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzNEtQelM4WjgwSkpESGVv + VmpmSzVCV2gwN3AyalllN2xCaklXdk41TmxBCmdqNmlZWmJkc25RVC94dGpXK0w1 + V2dhSjFZSUFGdzM2QXFjVHA1VHFwbGcKLS0tIGdHMDUxRVQ4NWlNcHRIbzdEdW5U + NnE4QlNtazlqeXdHZ3dHcFdNRUFBOVkKWlZU6HYIJayk1YUH+9MLwVRxpissLBUr + qy7HdzTdWm6JH9P+L7p92THJ230HZYx7c6Zd0Xo6bFe9sLtdZndk/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVdGWkJ5N0l3UXZBZ0k5 + 
Ump4Y3AvZXJrSktqR2o2MUVGMGQ1TkcySGtVCk9WSTVqZVRoT2w2NHlVNTJZcWxj + a2V5L2NxR3Q5S2wwR2NZcVZoYUhLN1UKLS0tIDVCMkkzUDJJY016elNQVkdPVXFi + bi9ObFgwVjFqeW85RXdEdCtTd2tOU2MK+ZI77YveRdA6//gLPneQQNPFsE2uWXcS + WtIKzMAm9VDtJnKL8oSzkFdAZ2Pvn8ouJySH/Uk5zPP7jDrYJueeTg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZ2xLMDFRa0p1eTM1ZXUz + aUxuWnl2RUZTR3ZtUWNrazRubzJuVjRNMlJFCm1kT056ZkVjbFFMaWJPWkxYY0RH + UjNUQVRnWXBxY25JOHRwd3NQd2ZyUW8KLS0tIFkxd2xmMW9yd3RKdlJLZ1RRL2tO + anFWVkZYQlRZS3pDclkzSko1MnVKNFEKkkC/vtOhX0mM6NAILDAYlXIKKDP3XxQJ + VDleil6XqULQyFzvCbHwdAiakjZhDigtiwbX21pnILr2eX/+mg95YQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VUQ0MS9TcjBKcXVySWNh + Slc0d0hqSmZOL0ZnZVhoOEExakVxazljV2d3CnRHM3I1anUvajBTODJpbTBuNCtp + SmoyNEVZSll0cUQ4ZURhU2lLWXFJN2cKLS0tIFFYRDQ3WEdNTjk4djNkQUh1QjRo + eFpUV0xVVlhGaHhVUmh3REpXaDg5bFkKdsJkLKA/B2ydQH374zOfPQZ0LqkwNKZV + njHmW1+Rvb7Rh5GvNSM6K67hxzIw7tdI9pisWozbIwDQoi/I5csE7w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZTBnd2NkTlNXMkF2c0Q3 + YXpCQ0RyYXFua0tJbDhQQ3JqOGt4UVQ0cGpJCmJkbFNBQzhJcjBaQlI0ajJqdTJJ + WkRnMFd4Q0hzeVEzUUVxRkFJQWNaa2cKLS0tIGxBUVQwc0xKVXVyOGtXSVJ5eGFU + T1BteWw0U0JHZ1plMW9iVk9iQ1ZpNmcK+tLr+/uq+yhhyZBv0LmSL5XLx1kpVIlA + Xnqrw2lD2h79/UI5/T/LKEzWf0vUCDatNoK9f3ISYCzDopvoS+Wzcw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:39:32Z" + mac: 
ENC[AES256_GCM,data:RiDq8uRtVR3ojwLeM0ZyE6I3/Et+QeG9kxYOe61iPiqlM0zQZCSZqdDKOnUNxIquAbMyoVuwmHTtE6TGB1XER1KRNST7CPYnut9pnO8ouNspS8QE2+zs2guqfaN9aPMgJ/9YsKaIeie5eP6NXLO8X1j5AvVz5E9T6zswQWFRMQw=,iv:yXqEUowR9hl8l7afqYglBtVpy7n3Bnh3v4pFvBUHHy8=,tag:dgHSLCKmE1cG/lT4KFrZMA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml
new file mode 100644
index 00000000..dc4c37f1
--- /dev/null
+++ b/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml
@@ -0,0 +1,65 @@ +ofborg: + builder-rabbitmq-password: ENC[AES256_GCM,data:6C7gffgkLc1e8rg3s9nDOPsY3/tjA6V9N8bVIOhas9UyTMB+phWQtTeoSrnb03qEjis=,iv:zZoiq7hMzADohBx9MzqBMiEiH17GvGNAlqZy9uGn7zY=,tag:6h7kpX51Pa/JWQvyYPt7hw==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:3rXrIPnJ5c4pnAchjHZE5waic9vSiou3wloEANmpPore6WlGx56V1PTA1kd0UYDcLSCSkUts47U/5KyKXkaQOHyKcilBzv0vlWgkHWi1n/HplVSkTIGNfl75ROYd3TeQ0PP8UnpQaxGF0A4=,iv:A9uvQJw+TqqGdQLWHJhYyf4FUVGgNDx7zwQRcIFUr2Q=,tag:5LMibUs/f+yIcpIrz99RGQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:Av6MqHkWm8tzf93easgr1kXXX2rHSenO5XIdf8nrDXGSKDhftHpzcuO3TRvRVM2jJmzfVO0j4x/pUR91of+K3elx3rUuEFszUtNogJOe7NdTc17pQFvThXVa2U+GPZ6o63f7/VhKTh3btsjfWQBDG7AqywJoFG0=,iv:neAYivmwJp5Bau2KsVt2YTHwMngozRA0yHUJuct3EMU=,tag:mO61AJHGuBmnlR+3mOl1lw==,type:str] +sops: + age: + - recipient: age1mduqldqpqp33u2wwh685cwwkpj2ak36z67dtrq2tcskgqkultvps7w9q7u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZE8xZy95YXRnZE5EUXFY + R1Z0dTVmQmlrdmtYdjJjNFFFcVY3VFJ1Y2d3CkVoSVdWbmE0VmdZeVFLazk5SzVi + TkVhZUJMNnBNT2t2a1ZVSUlISUVHVzQKLS0tIEdKeThjdTBmSTBVeWlLdm1rWXNJ + UkRuRXo3Tm0rTWxzMmdVQzdsd2FtdzAKjDcgrjcFeISLyNdmRLJagkf7Afn237eZ + ENwFKVXOjtXF3HN4fiUqO6dCZyl8D3g7X0B1VVgA3FlvY2/ucmUitA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQ0FNYVlCUkJBdUx5VDJF + TWlYOWVNQ3IvNDFEajljZjNWaVFza0xnQUZnCll2KzdHdlhqZVVKTzRTdmZHa0pv + YnRLS212ZDdrdVJWaUZicnF4VE14a0UKLS0tIDF3aFRYK0NpT091SGpsajlyZ1JY + Unk5dGZXNURicFlNNjZaaFpZNVF2WW8KKZALYweB4jsRuFOhzM0v2Ls+WuxvbwHt + EZT3JggbPSe728PybUv2l4F49Rqmh9DVndFvGRlnNoGHb02rBARvhA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VlRRZGVCU3NBM2hQOVZw + 
cHF4NUNxT3ZvUjhYcnZDMDdTSXBHNGV0ZlFVCnhaRUYrNklnL3kyTWNyMFp5aFZv + R3FsMmVhMURwRGQ1eFhJZUpQYXVKTlkKLS0tIDg5OWdaVnRmNzZBbTNLYVFXZ1E4 + SHRYYmZIUDJIbnlyKzBxdUJ5ZzNLSFEKrlGODX4fv/CjGplGuutSwLJmjl6y4fBo + DyZykN4mZhxQy4P8GshUEX1+vTffcO48S2c1w4XPTfiFHcNVRhYgLw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUkxQUGhzczhDNzBVWUgy + UDJScFRvVWptNVBxb0FlNWJ5akczZXl4RkFvClFzL1ZhSnpySlEzZTBvOFpHL2pQ + YjJLNGJvaXg5K0tZaUpSay9QeFhCNkkKLS0tIDc2dUlGcXNZTnJMcEw5MUg5UWhq + VjFkVGhrODgrQWZWTWhOTS9MbEJLRmMKoHak92bGtBkyoYDNqYPXzPczk7ltNOmt + DCSCx9Cgq0gmNDryMl8DXZdEiN334nOXu/HB1RiUHoQIjJnEiwul9A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSjQzZ3hwY0k0bmRuMjN4 + WWNrWVB6bTF5UGZ6M0Y0ZUtlaGhFN0ZNb2xnClpRMDhkWk1kOW5lQ3hHcFJ6K0E1 + Z2t6QVVyM0FadjBkSlAxcWFvb3FiY1kKLS0tIDhTdVlHM2RGRnMvMWxQR0RGUXVt + NjhqdEZVYkdwQUhBS1FHN0JJckowK28K19Ond+UZ0/MFHHR20kp5gAC8ov42xlgB + ZEvAd88tXfJvrbBBAySykj83wg1FYCi3GvWdFOZ5dq18V3ffKKTy0Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUnhyd25Dei9rYWZlc3Qw + bzd3cGk5S0N0NlQ3K0JvcGphT3hheW5nM3k0CkVBbU83RXlyZWwvME9yZ2wyUktI + RmRQYmhrWHZ4UzhBUTFkSnVTYS9WWWMKLS0tIHU1L2VIbEQvNDlaWk82ai8zRnov + V2NGeVQ0aWl5VVRoazA5dlY5RlpoRU0KTLh6k3QPa+CSyHMe/NBQw1hoo1UNHUV6 + hToDcRsJrsGdtFT5hthvljZA4JTZjraHP2sqsv8mZNsNcVyE7R4NSQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:39:52Z" + mac: 
ENC[AES256_GCM,data:YSo7nBvqrZuwH/yzY1U8mFn9PdxPJEm07rY1mHJGdqtDY1h+mp6NufMvW2cNqUk6IUakxuqUUOcXgDtnkS3hLW+lN+Yur8jklyhEx4m1/XbIq01PGHIgLPC8v1Kvigc1ZO89UmFrba8+gFXTgImfXVg2LTyHjWp7VIySvUxnlNw=,iv:qlgxip8P7Ud3xR8qnrJ7W+BhujLBdb9bOgEucw8wXkc=,tag:j61ADB3G6wGVMco9WvnFnQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/non-critical-infra/secrets/ofborg.core01.ofborg.org.yml b/non-critical-infra/secrets/ofborg.core01.ofborg.org.yml
new file mode 100644
index 00000000..928ac4b8
--- /dev/null
+++ b/non-critical-infra/secrets/ofborg.core01.ofborg.org.yml
@@ -0,0 +1,72 @@ +ofborg: + github-webhook-secret: ENC[AES256_GCM,data:9yLN867F6kJHHQcrDGw/TC/tUQage4t0Uhnu+BMjj/qqaA/BULCUu73U1R+Llb8BdkAG6Pd9sLEcTsoz5kfSug==,iv:lFVdhOI9a08Q06dRxOqS2YDbYudIxqkalNeS+qwall0=,tag:VVTzGj4Rvul6z7Z8c+zS7g==,type:str] + github-webhook-rabbitmq-password: ENC[AES256_GCM,data:UYJ1Cy0gJ+n5HLgnxmm6ggZg8GlBGWGOUoYC1eB8FWBbo3UtVoq0syXQSFNQl9w84+E=,iv:C94Ma14s6CFKlogrIMc+JYTDBjhzAqCscPqonXrMsdM=,tag:hzBD63/qBye5belOmE/vcg==,type:str] + evaluation-filter-rabbitmq-password: ENC[AES256_GCM,data:HCpnksWNrl+7gmGv24sC/Hew6GbM/xzZpKYdNE/zmQ+rwvfZVvVncromEbTW7ksyZ6Y=,iv:PDDf+U5xmTvKx4+5NY1gc+J9rIuepXRPvf/7Zd+yBG4=,tag:g+7UA6Q8W70Tx/qepMXPUQ==,type:str] + github-comment-filter-rabbitmq-password: ENC[AES256_GCM,data:EL3y07go0UP2nHpvSmDkF9DcdyoBFe3XOE8HxQ5xb611Hs5owGFfCOEmHxNRfkNUNN4=,iv:Q054FgRtiFuCwQgm4+npi7AkdO9k1Is3snd8QFXgKXI=,tag:eMTsLRLaVmZsvGbVaurjow==,type:str] + github-comment-poster-rabbitmq-password: ENC[AES256_GCM,data:dYm6yZ94yX4RMWSZdHzC7/8NNLN/u9Yyr0y8WtnySy2bkdvOfxtXgPnafeCt4hUrdXg=,iv:xu27b9YM4Z3apmVoolq8wYy5bi2Ip5ScrNMXi6pFnNs=,tag:qdaYYHV8f7PLb+xXgfdxVA==,type:str] + log-message-collector-rabbitmq-password: ENC[AES256_GCM,data:HZaFkL/coGffcROPb0Np/zyIwVSEjmoQmAteV8fx1SBmVSLGsSWmkwitvRHNKDXZu8o=,iv:ICOwj8kYiEbrkldIE54DmVHdglpwR0W6Bqvh9GKroJY=,tag:/DOrZzK62S6Ut95uJjtf6A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rrrj8tgcyp9xfxvy6zmk9487x62cgx0z68l7jretz2th6ey9nf4qh7nq7h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOXF5RThxTGFFNHh2Q00r + cGcwVHY2RlhDUUN4Q0Q2UUw0VjVWUWsxRXdvCnFXa3VjbmpjSnBnVW1vQTl3OHBK + ZFBSWHRMekRBL3REQXNEdmFFNEJPUUUKLS0tIE5xcG44ZEYreVpCb3YvWHovMVJh + dkdyRGtUaThBNVBKaHRQRUcyZGxja0UKVvt/NZOpa2YhhhZdig2OKOauZnY40Q+2 + VuOMUuvrW/lzHI2xNQtd5XYNM+OB9kNgcxmQltqndxZJfs4XJQge8Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED 
FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQk1YTDhxK3BsVTgwZnND + V0Mxbi9MZTdsMWQ4Q3JvNzVhRGRpZ3NIVHdrCnlkN1pLRElJNk5NZUw3Vkt5a2Zz + SGJsTzBqSnhnU3cwcU4zRTlCc3RTRDgKLS0tIGpycHVrMzBYVWZGenBnYXoxM1VI + cFo5ZTNSajJmQS9ZZi85V1FHaUplbTQK09kAVXeEVXWWWjKg9zIFNB55EN9tfD1P + CaF/rmtb9hmvdpkaFkDVY5ok9+2T2gTZqvT5FsCFypCKLZFxMA4tLA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOXZvV0hldFVzQUl5OTBn + c2pnVEhEdCt3OCt6ZWpMbksyVUM0L2hib2hzCmZSSTBEMnl2YmoxTFRFR1hEV3NI + Z2JadlM1YUpnSzRBZWRxaE9xdW42RXcKLS0tIC9ROHZhYS9SNjZ5Z2x4SCtoTDVC + VWYyWDlaWWJHQ3V2QTQ0Tkw3K05vclEK+YYPsfCnCdoO+rEVMa6SgVJb5t7JIym6 + 9n+2d82caUcopTaLTgzj8t7tzBGCceaxtRUTruIOH2EvvhLoL5RjnQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWlFvQ3dMSnpMQjM3SW9Z + SFU3NjUybUVQcXRuNlhLb2l5Nmc3UUExbFJNCkQ1amUwb25yZXo3NTE3aEJieGNC + d1JiSHQyd255VTMzZEQrRVZOZjBJKzAKLS0tIFpJTUZ6REhjVSsrMmtIcW0wL2tN + ZzhValo0eUkzSThhU21HenRvZTNwOWcKeHbXUgWbPEzNdEm6mm755v9cZReLBVwO + l9Q5UntN1RzjNTe0+6/QZDlqm1E6A7BmMPFDKV8Advdkg+auBcFgjA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdXNPcCtzT0dTalQ0NTZk + d1pNaGdaQ0dEVnpZODlRaEM3czRwZVJ0aFRvCjdTZmZvelhUcHJoRmMvYmxHNUdu + SFI4RHZOTjkyajBZd2MzU0tWVGlTZm8KLS0tIHNBZzlMS0VFcGZBRDJzcjV0V1RT + M082VE5sQWNXcHJaTUhPcFdWQ3ZjNGsKAiQDeZ2KASXqYpLs72/Ns99bZXfuC65J + EGiV23fkuCo//09nK9Ll8XFGm2CUTHrk352TBtL0v0Tz64jCUY8drA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVUhEZDkwQTBkYUhLYTRT + ZC96TUJYbTluV2V1N0s0dVd2VnZSaHIweUVBCjV6ZlZ4NERMUm1ZUlk5ZlRvY0lw + Zi9DMi9GaEV0cThSU3NUZVQ2RmV4Y1UKLS0tIG1PcmY4OEIrdXdlbnY1eDREQ1BV + VkZKL0Q2TzF4TCtlbWVjSjJFVy94ZjgK75ST+KUV3pxkoEAwmqoeGVqlnf1lhm3u + Kwno/31LOCmeivVkz+L7DD7/BlBeh7BaPyhDyD+WPnlD/jAeN6NPag== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-30T12:13:27Z" + mac: ENC[AES256_GCM,data:X+55YgOwJ1V2V11tO6JwCRa6EugXuAp1e3IqWUZHuEVz8SaeVDbU4IB4xIzXw8ug8caWs1vljtWSjXkcLpmnfA77rx5x4h3sKWjW9CM4Wrz1jtI2uTaGMlZ+xKpiPDQD1YJHjNRRPLp8QCUfUH6UC9RfaWONubiOOttfIaFbLOI=,iv:prULAefZKflT054J6i2y5QA5zLxQsnuO2YiR4wR1yho=,tag:BVo78nriAN5HmPfBdMqScA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/non-critical-infra/secrets/ofborg.eval01.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval01.ofborg.org.yml new file mode 100644 index 00000000..15b944e9 --- /dev/null +++ b/non-critical-infra/secrets/ofborg.eval01.ofborg.org.yml 
@@ -0,0 +1,67 @@ +ofborg: + mass-rebuilder-rabbitmq-password: ENC[AES256_GCM,data:vQTjY4bitWJwOxqIO6FdCcfpcsnSaK8FLYSFipAIwYIWoWK+VLpuJJJuRgcauXczVs4=,iv:8FPVs17xmeVAAcGQzN6pY7W78IaU7ynNE1a4GAZk62k=,tag:KXqp5ZBPPQHkl+M1G9+eTg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16d0phf8c5wy3rfsd4pgc42mqa3aw2llfukdhgu7pzklnzjr2rvxsusz842 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dVBNVmNpQzZDVDBKR1RB + Qm5uMjN2VFhDeThXTUEyRXZFMWJsSlZSTmtjCk5ZMGdTenp4TGhiQkRZbCsyKzI3 + STVvQktGWVhJNkFCVlJXNVJCdEJ0UkUKLS0tIHNVQWFsb0FsSnJVVDdCRGRINHVW + dmVaRGFja2c0OSt2SEtYalFpdlNYTkUKm1VelPESqM6q1uzfvxW9iNTOAt4U1tsz + 4kBh5oc2rx+hNWP7gNsS4kRkJxxTNOvu8GWltt42ItJ1o9FLCCdb5Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuLzBITFJZTHNuOGdGNHl6 + dCtFaU8xQW9YMitIM3FMODVNT3NicjF5K0dRClNkS0xId0tRaU5GdVZJcVduVUJD + U2twdjQxa0RJS3lwS3J6ekJIRVA0cEkKLS0tIGdJeXBkUnZUbk9zVTJXOFd4cVBz + M3dUUGhhZmVzSUE4eGFVY1JwRXRObU0KA08rMP65rri96BMZe5/qVQaLvFzLWfot + snuCObBwodr968tjWMv6tcotvVfBhGZ6GTTbE1iRAc5+iYENHIwoeg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOR3E5dER5aVRHVUJVWUhs + dzBBdlA2a3VBWGJiWFNBRUpxWlR3anBkbkM4CmN5VDFkRkp0d1ZQeEJKRHNrRlZQ + SVBlTkNndjErWlNzcTArNW1FNUloVGMKLS0tIHRyN1VJQVpZbTZOa2FvQTdWM3lk + RW12UVRuLzRsZTZZV055R3JkODd2SkUKnNMbhGDeAGJwFDDySVhM+jxAFtyxAI9R + ZSTBQjmY/VaZy35hwiZ7utrq9bzy5WjmYmJHkyQUEIWAmUDdoSZ3qA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNHZOQUw2ZGo5Y1Z4SU5Q + 
NjdCY1pUUkZmclBxVGkrdlN0VWVSRm04UEJRCnNYdTVrV1lWOEh0T0JSOXVqdFVJ + VmNHZlhjR3FHMGhOVkQzNTgvTDZMdmsKLS0tIDlKeTgzZ05rOFhMQWNOUGlITTdM + QjNaOGZZaG1ZZFRTNVQ1Z1MrODlhS1EKb0E+AZhS4K7X/Lh4pQaHTzfPB0uD6eB/ + aCLFDbjoraOrsMu4zZipOBwdKHJ+4DnN82Xmn40C4Ev/y3gDLyHxmw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONE92Q2hzanh5RDlvajhL + c0lwMEV6bzJZQlYxMDBBR3A5Y1ErRnJJdmkwCjR4UlFBSEoxQ2ZVQUVpWXd3L28y + dUZQU1p2Q0VmbCtmMXhjWjBwZDRHY3MKLS0tIGpMcFBGbzYwWjV1VEh4czJnRmli + WUJaWDBMelI1NVlWT3NQemZodXhMN3cKbb2yu0joqiYZswddPg5XSMvtdU+opMKz + zosvMKRMqFnG1r9eR7Di2mD6xW8T9rvNluxpkOmAo3txCwhELxfLPw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZE05K2ZkOEJLRDQzcThG + WnZPN1A4cit6VEFEV3RxQnNzMnZiQU9BajA4CmQxdnJHWEFUK1MxOGYwNzNSZzJl + UUJnMEJIS1VwSU9mRTRkbitXelNiTlUKLS0tIElYcVErZ2ppN3NUL21JYk43Y3hN + WlNtVUR0YitjWmhRZmhDUG1vNUdDRTgKw7sRQ1Ao876O5KBd7TxjyYBgYTKE7qFN + OfbIj+IRgOtsh53cuBX7exu+Amuh3+yQvaf0oyjuSDyjJpfwCwK5DA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-29T17:01:34Z" + mac: ENC[AES256_GCM,data:UlS0/7BBaHyy07Be/f44q1N/43zpeiXMCbD/uIyNhkAGTzRbPBLPMgUsfr84XQMdeNXJOiI5XN6Vxy8rXEkpz0O8xqE1TIZq/IMNTEFOasFV9Fk59hmJmOBXYaZzAEVBrIvOqJt74AT+0Y38AusUW+wczyQZt2ksVpL2vvBpqLw=,iv:iF3NoDcANH7QvfUT+8McXjIEBLSX4ApVwOExP1T7HVo=,tag:QJXvBouCzgEjPfWipbsNCQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml new file mode 100644 index 00000000..19abd356 --- /dev/null +++ b/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml 
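Review bot: The `sops.age` recipient list of this file — one host key plus the same five shared recipients that also appear in ofborg.eval02–eval04 and the preceding host file — is carried over unchanged, and `lastmodified: "2024-12-29T17:01:34Z"` (2025-07-31 for eval02–04) predates this commit, so the files were evidently copied without re-encrypting the data key. The description says cole-h's age key was dropped from .sops.yaml; if that key is among the shared recipients here, editing the creation rules alone does not revoke anything, since every recipient still listed in the file can unwrap its data key. Run `sops updatekeys` on each copied secrets file so the recipient set matches the merged .sops.yaml, and because the plaintext (the rabbitmq passwords here, plus `harmonia.secret` and `queue-runner-client.key` in eval02–04) was decryptable with the removed key, rotate those values rather than relying on the key removal. A CI check comparing each file's recipients against its creation rule would catch this drift next time. The same applies to the eval02, eval03 and eval04 hunks below.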
@@ -0,0 +1,66 @@ +ofborg: + mass-rebuilder-rabbitmq-password: ENC[AES256_GCM,data:ipEMLuirLRKHMr58Ga3gLVm/NSMhIVEdbWG1RJ4Y1rOSQWaakyzfjEIwRRrBRu5oHkQ=,iv:tH3tuqUzVintlGnwONZ9lSvQzUpDI5q644PBxBdHssI=,tag:GunGT6vvbwUK14KQ0Ed+9w==,type:str] + builder-rabbitmq-password: ENC[AES256_GCM,data:Mn6LTtIYUCaTc51eeRhssjqiRubD3oQxZa0KMA8ZbHJaIFJekiqfTUZA/G5LdT4nJNo=,iv:yyThReELLfPmOqsb7A8bIeRK6u1VwWWhhE82ypqoggc=,tag:C2XU/r8HKsJfHjP70J/SPw==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:0Ovat+iPF/JzlDnhAUBAkPZLKwtu1ntLVS8UZoKNtaoftKqQ4rR4+1VFwfLLYnagBrDtf1zhWRJOnnvRSC8g08clsMUXk2CneogJVKZdPIKfeL8Dsk4Axh0t2nXVQYKQG09jyDPUs4UgAw==,iv:jx6arJ9d9qf+xAu5g4kNNERRvmWrRq72bVqdcSeqOD0=,tag:Lwa2/I++Y5GtADN+uz5syg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:DQjjWeAqT8aE0FwOnaUloEr3lan5Z9k1bMi/hxqo2O0T9PtuNMzJVBaU+uhLIsiUL7MtFHK7WDkLr95z2kNw6HrnVjEitnAy6RRc0e2uO/TryEhZJMf8D49a+LYoSEgUOAZt8DH0yqD9lRUSbLM1/JR3pPOUJeQ=,iv:TJ93bHR6amSgKlbYnUbVX0Wg1nfA4rU1NwfsAknqkwM=,tag:9veAYX2HcQiFaFahDrTxQg==,type:str] +sops: + age: + - recipient: age1qn3q3y04pxumygmq96x0gk9qtrdcgdw4y5nl6xd780u4avk0qgsqy8tuu0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRUJnWUk2ay94WDFkYXM3 + VG5lNkhWWjVmU24yaE5pVmY4LzdxQjlOaFNzCncvNWRLYlFTamliYWx5clBOeTl0 + UlYrMVVXWkJVcVR3Vlp6V2NkcGFkZ2sKLS0tIFVJN3c2UW1PeFVTNDZDVEtZUFRS + c0VtUmF5WXY0RENFcEhwUDRFc3FMeU0Kkda4+csIM7ucD8qePFGy6eTdUJbsSmR/ + bWKnK1Sl/HJ+p5naF0IJ8JtXVKYHJYlUn9rGfJvkfS3RXBCRQhexXw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZUWdXUzRMUnJVZXd6Q3Yx + MlJDWTFsOVkxYU1kYWpyVThrdkZoZXMyNUc4CmFOZEpmT2s4clczQ0xndy9GRmZM + QVl1WkdnNU1ya0NJT0xOQktDK1ZGdmcKLS0tIEhCVGdqNEsxYkNxbHovU2pURUZ1 + QzNodlg4T1NFMGszN2Y1TXRsR2FHd00KwG8buymdfyltvDa9YuvOdU5yjgG0s2ti + 3UlK2gDcP7q4FcJo8/QP/v0QqKTuGv+0HrdhMgVw/VVdkIZ3dD3TKg== + -----END AGE ENCRYPTED FILE----- + - 
recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0b1pWSy9LSUZDbWtheTRO + cW1VU3ZUcG1POUdwbjZzd2JXVStJQWZVcmdNCllwT1p3bUhrS21BUVgyZEJrdTJ3 + U0hOVXUyWGpXdi8vSXJWeHVyUXhKaVEKLS0tIGEwL1lHQjR1WjBjeUEzT2l4TGps + QTIzanNXcmpZNEYxdjF2MVhrMktKNEUKncQUla/SmWXlkNz4LK3AMNNJLMYY5AzQ + duy9IP1dhfOBaj8u39AH/9yK1C7CGSdlpZB4nQFMAviUmcFOLkjJcw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5V1hZaTJUZHZFR2RxTmNn + TUJVbkR0OFZEM3VEWVhCNC9tZkJvSG9qSm5VCmJSckt2NlNmVlM0ZFh2eExIUEo1 + bHJFVFNVd1pYZkNDQTltcGVPQUlMSWMKLS0tIGRQL1RMRXVOQzRUbjcwcFE1cFZz + eW1FelV4akJmM3RTeDRVQ3FNZlhNWUkKLRAB/+bnexIGYwAyczY1IIDFzvji2OzW + rqOdtyGCi/99tMxtfsK3h5UFZlMVEOOosjz8n8WTC2/g/P4H5CVgrA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEa0NFQ2l2V3dpekdDUGxl + TFFZNi90M25tWTlYSnphN2FwaUFkdTNwUG5rCnBDK2laVUd0MHFGR25yc0tHUDdr + eURKRlJJcHRDcFJhUDEvVWNvSmc3SmsKLS0tIFF1ZDNvOVhOdTNQaWZtc2I3Q054 + UHN1V3owanJFVkI2VjBVUzhwYUhpNjQKW6IQ0cjfk3vxbNuZY4thgOzL630Nxf3Y + iQOT71FJA+Byj9NN2D/tapJdanilS6eVxzUJXhKkaFLRHa+D02vpAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2aGxKbXdyU0RLZlZ4eThW + QUFYQnpoeVRQaWRLQWJLcmFZbERSaUlpQVJjCjI0bVoyNGhRMHp1TlFySmlMQk8w + UVdaVW0zQWFMajZtdlphN2dZS0thcGMKLS0tIHRnWlRJQi83RWJhbTE0RzYwWGsy + N0c5YUxDY09IY01kYUJvZFlLcWtvN1UK2eBUCm5Ikwt6NClzLI8xv5lSMsaM7ETo + xW0nPj7CxS9Xpvte55lQja5bnCZjJe+0s1WJndtgBs+AgksuCTNseA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:40:14Z" + mac: 
ENC[AES256_GCM,data:jO+sFUbBhw/OD5U9gXvwe1YxedMW7jxv8je2PJXOX4YApUlk98llGSth1AOMK+Jkfky2yyxgCUb+vDves0u8UOE41itdaFn3Y1FW46cacfgQFJUuepDB+btlC632DYULEM+e/9mAGALxI5AYap0rtce+SEWfPhXXGbm06c+kRI8=,iv:MZfvT6scO40FsqjA4augXuRnf8XgzbRx0coZ1X2MBe8=,tag:V4UPyi0gMjR+WO+stBx66Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml new file mode 100644 index 00000000..7cd40a5d --- /dev/null +++ b/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml 
@@ -0,0 +1,66 @@ +ofborg: + mass-rebuilder-rabbitmq-password: ENC[AES256_GCM,data:bG3a7gAx9XhN7TM5wEvXeC7lB3ZaLz2NZU2VEjaTdTzHDtwQZl/T3gOvJR+RsO7fDJs=,iv:bTx9Bru62CCBcHvPSRIFfVG+eeSRvN1muk0p+ROqGO0=,tag:Zl/L52kl1qTd1VczlHa3TQ==,type:str] + builder-rabbitmq-password: ENC[AES256_GCM,data:5sFff+ugVDLRiwHsXqp0evM9JT2P0I/0twqVEQ2HZo95wo+38Gavlx7tHfIEZC58+QY=,iv:maBiRtPM2/fv84kJIdkbh3sPrgadDPfFBlBCh0Lu7l0=,tag:0gvoarCDYB+Kb/mXIi1ifw==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:DB0GIKQaVew6Ymn8cJnHrB0B0nlSRtkn+nDIFB1irlnTmBwyUFRnKUVL7Rmd4iejPI6tjZhjKccJ2/A+ZlM6I1kczrdK9+HwwVrTZml+X3QNtDe5EDB8MMVU8Wzn2gMWJQQN7SGQLdIVKQ==,iv:C3QsBXVUkXtRXC2mm2OlAL6TB1Js8O15NBpurm0a+zA=,tag:L4n/cNQA5fmnOOTudyQNbg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:kRctoguQnH9W088o/PLGf73Vv2YYJkom5r/mwRSMrBcSnQxYoHFcqvbuoX4bz4M0Qvjh8nX+yMacNP3n36HlYBaUv8tRoxwyH1Kf6F/WqBiEp6Ilrd+f8kZbPEL1VqA5ESQVQ3N2szUBOfCJDnk3wnCa4ZVj1jA=,iv:2lWsWdcFDmOQuusZx2TOIsl/49GWE2dlqseL0+UgLFE=,tag:lxRnciShgszhiP0itaceSQ==,type:str] +sops: + age: + - recipient: age1yssfznyq8rljcpfthpulnvfls0l5t36fpqxkk5taxcwpkqhv9gcqrvvwh7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZXR5WC9VRFNPMHRXSXRJ + ZE5yZjlMRGV2bVpzMUx3cUloN0I4TGowOFQwCnRuS3Z3aDdnV01QQUF3dFlveHRY + aUpoWXdmSk8vT2o4U1ZLS29OTUhkWm8KLS0tIGF0Uy9JQ0t3TkQxY0hyOWp4Yjd4 + NWo2N0hQSTJoRUNEYmpUZW9LUktKS1EKVl8MPhroHW4NJ7jcZo7uzwtjP3DmLqqj + zWlITjyZATB8I2OsaricBocdtxlJDNtVRHCpimxjqUpFmItbMbrzQA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZkhjeFBnVHZSdHlMRmtU + MWp5NWNEWkFrdUFFUEU5M05xNE4zYnFjL1FnCkVEZkxJOGZQUzEvazYycG95TzJl + MWVvTW1BdzJ1TStGN0JtbGl1N2o0UkUKLS0tIERJRStwR1hPaUpvL0Y0ZFlZeWJG + cC9KdEhCa0IraitrMkNUNWRVMm1JM3MKUUWWGTmpRwB6HYMb7kZ4KDH2jBUGsGuv + 8eSTpyXXYbHCgkLAJIn7J+ET8agpEg5X9bNJc/uG0dxVYRgV0hQxUw== + -----END AGE ENCRYPTED FILE----- + - 
recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVXFwdklma0F2OUkyQk5a + VGN5Zkc1SXNkcnNvL2w1L084Rm5POG83NVNJCnU3VFVHak1ZVmpmU3p0aHFQeHdL + Uk9QcmJsekcxT0wyOEtDN2JjQVBNY3MKLS0tIGhxRFQrL0ZVYnJpYURTczlPbWFD + S2w3eW5ZTHBYSEExZUk4SmtxdnJCTmcKwcxD6oLROx2Y4aCEYVL1CHV273/ts54x + mZSuD9kssOPc5GC6Wa/XIYbcGbXMlD+psveNpaNtMY/WS7lX8IwoEQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMS2IvMGwyZnRqenN4d2pF + eEMvaHR5Y1ZSWEQxcXVRMEFjVjAxaDBNQm5NClJQaUljZjRxME94SkRNMUE4OWRj + dTYycDBoTEZicjRJbFNvWStrQVZwNDAKLS0tIHUxTHZmTk94UzVjREpLRTZ2Y0lo + ME5aODB5OFM4aUpHdnlMbklSejQyMFUKly7wnZ3q6n8Mv05EkcCAj4GyLGba4kcM + IW/gg+vyuYPkoxllFb/lbkpQMs57kWQ32JgEaY0gXBaBjNNYZ7lpEQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUEpPdDJGRUJ3bjRLR0k4 + d0lKV3NJeWsxdjdSYUVuSG84ZFp6bndpNlRBCk40c0doeUEvdlhoZlgzdkFEZEtS + NmpWdExsR2FNVitLYVhBR1NubTFrTFkKLS0tIDIwSkdTQmx1STZPL1BJa05EanN3 + bnYvMGZJdnJadXk2ZkhUcXpTS1NuOGsKDh8RAx/vuN4jYQKOWySdpdhbOD399TR2 + cl+Y6dnl6UM81lSAJz1B9eKI9hn2cuDW6TrLPc5fb4kFnwlYWwro2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OEs5YkxoT0FHbEpFRjJv + SnpGZExua01Hbyt0WUZhSFV3QkVpcGVXMkFVClFMU2d4cXlSSm4zRmRIWG15L2tu + VDFjSFBGVHZxREJFaTJOY2JPVk5HQWsKLS0tIDREamUvSThrTkdRTUFrOUFrRjFB + UFpzRHFaMkZnYkxFeTZxYzlZbTZ4b28K9Kmul+h7Ltzm/c4stGW5MzQflmFqKctr + kgV1a+1qMkwHgoGFOyFZsCgrU62145EFuQ7X4bIq2ItSpeTAU8EITQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:40:29Z" + mac: 
ENC[AES256_GCM,data:ktTeS9q/Nn5OVw1uXgtOIWMQkgBe1VYyXxXEALExm/vK5rk3Y6SViY9xL9mNPySQr81NMzo8Y/5q61Owqqax3a5XrQA3m9x4pj16FvAOdcOFJjhRG+/Z9eZdC62DFa+GQDXL0FcauYmn4IgelcJxxJjeltGZO9T5tjB0d5qVeb8=,iv:zYLb1aBMZeKB4roG6ADKqrR9XDRmPgmpL76ky23/VXo=,tag:YhVMoyxi7T5I2h8gfklNyw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml new file mode 100644 index 00000000..1f3e0566 --- /dev/null +++ b/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml 
@@ -0,0 +1,66 @@ +ofborg: + mass-rebuilder-rabbitmq-password: ENC[AES256_GCM,data:VGNge1ehls864sKzDJVgpngMrey2E6Kl9Z2n0lljA5hQkHc1fMxoayJofeLiJPQI/NU=,iv:VvTb0V6vFxqhH4RHfVDqhgRWf8X/wDQtoDPGJRL8vCI=,tag:soyUaOTnwEUHrIRAzBcr8g==,type:str] + builder-rabbitmq-password: ENC[AES256_GCM,data:bS1pbz+76nI8+dbqvYe+Qnlh+NuENd1AtKXY9W04n8LW2b0plwdA6JbhRqP7e1q+YNs=,iv:IPL0NKngwD+86NfSaRCK4RHB3d6Ceo7O84EXv6ctz0M=,tag:81T6syiQDyy7BrARgmtEKg==,type:str] +harmonia: + secret: ENC[AES256_GCM,data:kSdrSKY1Gei0wqvz2B/hhKd1ByoHmgyJZl84qvbP4Uc+NkmwM3tJmuunkPKz9na7Q86DLv3TCYz03mYoUskl5QsuePt2Sf9s7/ZOE4uYI5Xy+DWQqDXSQ0YWltiEth4FqOphkJS3SdmTgA==,iv:uDrxPaxL1fCa2YZYc9GqQAOVke/0P69TS+SEMexQ5xc=,tag:iOlSKt7gwMDyIaI6MeHpOw==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:QJGUhlM7v0+VPfaQK1usjtFzfTvvjeDwjBEef5sxyd2T753Owy1tWUYMxLxNTikkAGqs+uVHOM6yprpTBSMnpB0J38MgrVtxXqTwNNmEQnJv4xkNV+ux743crxQW20GvoHCbpevob/yWeDTUhKJa9kmNxiKkKPk=,iv:9HJ7iWMr3T7xRoUWSsn7wMlY7abB8S2XgIN4UMLWMAI=,tag:kqO3RPidoGagOoXhfQAfmQ==,type:str] +sops: + age: + - recipient: age1vunut833rrdfulgnsjqtuke4yjtzexn2xqjqavwzxlgrg7n4y45qhurzwc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3YzlpajQzeEtwVEdqYkhr + bVc5UUhsZ0hWbmxWSkl4azNreVhqK0x0MWlnCmNqbEgvY0c5a20xQklSd09sMXpJ + c1kyVHNqbURIZ3F0dm13ZENXV3VleGMKLS0tIDEwQUMyK0dwNGZFOWZzdi94QUdv + c0xHNE5DSkp4cTZuakRoR0VPYUk4WWcKXFZA1mJIpkynTpgaTl2E0XJuMArkM6vB + GLzuoMqAUzludzzSF+9f6CF+o5FoAyho/Q4scpqqsPcwpMZ1UMpxkA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZlhqU2NoL3RsYVNReEg2 + ZTFqNFRmU3RxdmVTRTZtcWFNdmMzVTErZWdjCnU4Y3NURjBSdFdoTzMwYTk0RnVq + Z3l4ZGxxcTFVOWdYK3NhekJ4VHlDaEEKLS0tIHI1RWJYbnhHNkFBSUhDS0M4RUZR + OWordG56clBFWEQ4Y0ZKbEd0N0RHdW8KJLjKAyOIuK7eyBzjo1SaFxC9gN7fdRUy + u0PxzZL7+FjWCecMB3zcFabWbuPyZPTFTrbM2diiqaM7BuCPm9Fhxw== + -----END AGE ENCRYPTED FILE----- + - 
recipient: age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZDFGOUNyZmpvOXVYU2ti + S1YvOStxbFZRTjBIVzBwdUlkL2xVTWoyazJNCm5FTGE0N2J6VVdGbldqc2t3WHV6 + L251TmYxczRCcjhIcGhEQ3NCdUJnOTgKLS0tIG1HN1gybUNXUHMybEdic3lzMFRH + WmtzSmdZelE4S1pIVFZJeWJNUmdnVzQKGvbLhDiGOoAc7jMX7snlIrfNOU9VbN4D + Tn9x350Urx3P2wklqz7xIGEoEriTUScQ7+qb/9XSpORNle0w8wamzA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lz3mvem0rgfxj7uavth8du4xsw23wp5ts77m5vvclxyj5mjxfujs0jgtcz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTEtqa1JPM1ErT0owLzND + T1hGRDV6ZFBFTHQyaXVKY2FqcGRXWnpjRFVjCi9HcElDTWk1R2FZMy9UUGl3L0FV + aFhUVkEyTDFWQzQwNDBhNTBBdTdrZDgKLS0tIFRJNTQyM3ZUZmNRM05CZ29aR3Ja + dE5nRTJ4TzNzaFI4NEtscmZUTnRmaGcKCyDbriCAE4Lk9t/gnYCmM810hWkkb1VB + XXURC9kDBRksFIfx6kYtzx7o5EarGl5egSoCAHa49xqU5nL7+N7NQA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m68dw9dltvtsg8e9lf5ts2vwnn4ykraguhjr8v65s0xessk3xqeqyz5jwt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbDV4Z1NNWHhrUE02QkQ3 + RFBMT1lRWWpkb05OdjZRNkEvV1EybGhOT2hNCnlZNWtYajJlOWhJZDdERlArdzNh + U2d0UXoxWWt4bW9FRFhXNVBiK3ZmMEkKLS0tIG9iTWs0WFNpd1VjOE03NEdZR1Yy + MWpteUkveTFKbVJoVUVaRStQc0RuK0UKkMxjbNrsq2ccVBqv8lr/yJJ75/CuEso4 + V3241AS1shx31IaPh17F11mulDkUCTUpU1jnQLn+IdLqKnQMHD6aXA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nc9sh92wf62nt89k4vgyvqws2pt49cq6xqxx46jqpz4vqxsh5a4q8ltzp8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVGVQYklyQUdsVXVCR2Nw + Wnprc1Y2VTJSL3VWUURtOGY1RDRFNG1KY0ZrClpxRnl4K2w2YTl1Z3BSRnFDME1L + WWlBMG1LSGpXVXhjMlhGczdRSGpDTkkKLS0tIDgrRGJraU9lT1JwSjBMaWZKRU45 + SmhwL09qSUVlbzd0d2ZNQjNhV1p3am8KaX4iGe6V4URDTfe96HjwovLh1I10J3yZ + Mb8Ht1xnGCtJc+MV61P8D20/4qRQQmXupuJ+Zkq+BicLVr+u+H3x+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-31T12:40:44Z" + mac: 
ENC[AES256_GCM,data:BPfQYeQSi3xp3SnGa3KAcPKrXQ9kDWS2KTc/3w1/rw3Qj9xAl7xPhEhj/I61zugObbVLtuFjilD+V/NzOq9gVg9b1ERq7bYhSAl1nJLQIjhT4IbPKKfkfh8XMRRhz7AxQReOsHS4SIxwf71JM84pwxOaL3KItTTHswxLXpqX0s0=,iv:GgeXMCtY6UzDArHUEwy/9hTo+C9Q6F9+Ib2aWo5MCcs=,tag:XbxBQAl19inpN80GKkGt1g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
From 165266af99567a0675d3a24a2c1d8e7f82f4b477 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 13 Apr 2026 09:58:18 +0200
Subject: [PATCH 2/2] staging-hydra: switch to nixos-infra branch
https://github.com/NixOS/hydra/pull/1659
---
flake.lock | 7 ++++---
flake.nix | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 4eaceb4e..d335ed3c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -329,15 +329,16 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1776061551,
- "narHash": "sha256-MTLpUlUMrjy71lWZ4PEhRYqCNQVgZa7s7W9mS4y6aWA=",
+ "lastModified": 1776066647,
+ "narHash": "sha256-ENd5ZQPY224iNxSAw+5vDaV4/N4oIMdgbf4xpyay17s=",
 "owner": "NixOS",
 "repo": "hydra",
- "rev": "47252e4f6a348c01d3d61069d5f5d8ab2538f2dc",
+ "rev": "e15b6d7188b8a92cc761a0320d0d2ce2c934788d",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
+ "ref": "nixos-infra",
 "repo": "hydra",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index eb8a6278..0d215b59 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,7 +24,7 @@
 };
 hydra-staging = {
- url = "github:NixOS/hydra";
+ url = "github:NixOS/hydra/nixos-infra";
 inputs.nixpkgs.follows = "nixpkgs"; # Can be kept in sync I suppose for now.
 inputs.nix.follows = "nix";