staging: updates

cluster/staging/app/im/deploy/im-nix.hcl

@@ -33,7 +33,7 @@ job "im" {
           ]
         command = "litestream"
         args = [
-          "restore", "-v", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db"
+          "restore", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db"
         ]
         bind = {
           "../alloc/data" = "/ephemeral",
@@ -55,6 +55,7 @@ job "im" {
     task "synapse" {
       driver = "nix2"
       config {
+        nixpkgs = "github:nixos/nixpkgs/nixos-23.11"
         packages = [
           "#cacert",
           "#bash",

cluster/staging/cluster.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... } @ args:
+{ config, pkgs, lib, ... } @ args:
 
 {
   deuxfleurs.clusterName = "staging";
@@ -98,6 +98,9 @@
 
   ## ===== EXPERIMENTAL SECTION FOR STAGING CLUSTER =====
 
+  # Test nomad 1.6
+  services.nomad.package = lib.mkForce pkgs.nomad_1_6;
+
   # We're doing lots of experiments so GC periodically is usefull.
   nix.gc.automatic = true;
 
@@ -118,7 +121,7 @@
             {
               config = [
                 {
-                  default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
+                  default_nixpkgs = "github:nixos/nixpkgs/nixos-23.11";
                 }
               ];
             }
@@ -133,38 +136,5 @@
       nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
       nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
     })
-    ## ---- Nix mutual cache ----
-    # Let nodes in a same site/zone copy from each other's Nix stores
-    # Note that nodes will only copy from one another packages that are
-    # signed by one of the trusted public keys, i.e. packages comming
-    # from cache.nixos.org and nix.web.deuxfleurs.fr.
-    # This is good as it kind of mitigates supply-chain attacks where
-    # one node's cache would become poisonned, although arguably when
-    # an attacker has gained root access on one node, it can easily
-    # become root on all the others through Nomad. Downsides include
-    # missed opportunities for not rebuilding stuff between machines
-    # (e.g. derivations that are built in the process of doing
-    # nixos-rebuild), and warnings appearing in the logs whenever such
-    # an opportunity was not taken due to missing signatures.
-    ({ pkgs, config, ... }:
-      let substituter_port = 1728;
-      in
-      {
-        services.nix-serve = {
-          enable = true;
-          port = substituter_port;
-          openFirewall = false;
-          bindAddress = "0.0.0.0";
-          #package = pkgs.haskellPackages.nix-serve-ng;
-          #package = pkgs.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_12; };
-        };
-        nix.settings.substituters = map
-            ({ address, ... }: "http://${address}:${builtins.toString substituter_port}")
-            (builtins.attrValues (pkgs.lib.filterAttrs
-              (hostname: { siteName, ...}:
-                (hostname != config.deuxfleurs.hostName
-                && siteName == config.deuxfleurs.siteName))
-              config.deuxfleurs.clusterNodes));
-      })
   ];
 }

cluster/staging/known_hosts

@@ -13,3 +13,6 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
 2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
 carcajou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
 caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
+df-pw5.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH
+origan.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
+piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co

nix/nomad-driver-nix2.nix

@@ -7,10 +7,10 @@ pkgs.buildGoModule rec {
 
   src = builtins.fetchGit {
     url = "https://git.deuxfleurs.fr/Deuxfleurs/nomad-driver-nix2";
-    rev = "59aba7607507193587be7c24229dc71066e3ae87";
+    rev = "98871a2d786f2627f1699d0ae49e7d6d3792f469";
   };
 
-  vendorSha256 = "sha256-EQdTxVOBRYQjg7kAB+pFJYcNwk0zlsjjJxM+EO/cK84=";
+  vendorHash = "sha256-EQdTxVOBRYQjg7kAB+pFJYcNwk0zlsjjJxM+EO/cK84=";
 
   postInstall = ''
     mv $out/bin/nomad-driver-nix2 $out/bin/nix2

tlsproxy

@@ -38,10 +38,10 @@ pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
 pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
 pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
 
-socat -dd tcp-listen:4646,reuseaddr,fork,bind=localhost openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
+socat -dd tcp-listen:4646,reuseaddr,fork,bind=127.0.0.1 openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
 child1=$!
 
-socat -dd tcp-listen:8500,reuseaddr,fork,bind=localhost openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
+socat -dd tcp-listen:8500,reuseaddr,fork,bind=127.0.0.1 openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
 child2=$!
 
 wait "$child1"

upgrade_nixos

@@ -1,7 +1,7 @@
 #!/usr/bin/env ./sshtool
 
 if [ "$CLUSTER" = "staging" ]; then
-	cmd nix-channel --add https://nixos.org/channels/nixos-23.05 nixos
+	cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
 else
 	cmd nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
 fi