tixie/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

Compare commits

base: tixie:main
Branches Tags
tixie:main
tixie:update-woodpecker-2.4.0
tixie:telemetry-update
tixie:jitsi
tixie:feat/im-tls-proxy
tixie:simplify-network-config
tixie:plume-s3
tixie:wgautomesh-service-v2
tixie:refactor
Deuxfleurs:main
Deuxfleurs:armael-cryptpad-admin
Deuxfleurs:fix_ports_conflicts
Deuxfleurs:debug-cryptpad-update
Deuxfleurs:telemetry-update
Deuxfleurs:jitsi
Deuxfleurs:feat/im-tls-proxy
Deuxfleurs:simplify-network-config
Deuxfleurs:plume-s3
Deuxfleurs:wgautomesh-service-v2
Deuxfleurs:refactor
..
compare: tixie:feat/im-tls-proxy
Branches Tags
tixie:update-woodpecker-2.4.0
tixie:main
tixie:telemetry-update
tixie:jitsi
tixie:feat/im-tls-proxy
tixie:simplify-network-config
tixie:plume-s3
tixie:wgautomesh-service-v2
tixie:refactor
Deuxfleurs:main
Deuxfleurs:armael-cryptpad-admin
Deuxfleurs:fix_ports_conflicts
Deuxfleurs:debug-cryptpad-update
Deuxfleurs:telemetry-update
Deuxfleurs:jitsi
Deuxfleurs:feat/im-tls-proxy
Deuxfleurs:simplify-network-config
Deuxfleurs:plume-s3
Deuxfleurs:wgautomesh-service-v2
Deuxfleurs:refactor

4 commits
main ... feat/im-tl

Author SHA1 Message Date
ADRN
3e93d19347 the android bridge to android7 works, but Element does not. Solution is to use FluffyChat that embarks its own crypto. We will not merge 2024-01-22 20:24:46 +01:00
ADRN
df7301e97a im-android7 avant lancement 2024-01-22 18:31:09 +01:00
ADRN
672c398315 Merge branch 'main' into feat/im-tls-proxy 2024-01-22 18:00:49 +01:00
ADRN
abce598e6c WIP: im.deuxfleurs.fr porte de service pour Android 7. TODO : mettre le certificat dans Consul et tester. Testeeeeeer. 2024-01-13 17:58:33 +01:00
58 changed files with 8907 additions and 6779 deletions
Show stats Expand all files Collapse all files

1
.gitignore vendored
View file

@ -4,3 +4,4 @@ secrets/*
cluster/*/secrets/*
!cluster/*/secrets/*.sample
bugs/

10
cluster/prod/app/core/deploy/tricot.hcl
View file

@ -87,10 +87,7 @@ EOH
service {
name = "tricot-http"
port = "http_port"
tags = [
"(diplonat (tcp_port 80))",
"${meta.site}"
]
tags = [ "(diplonat (tcp_port 80))", "${meta.site}" ]
address_mode = "host"
}
@ -100,12 +97,9 @@ EOH
tags = [
"(diplonat (tcp_port 443))",
"${meta.site}",
"d53-aaaa ${meta.site}.site.deuxfleurs.fr",
"d53-a global.site.deuxfleurs.fr",
"d53-aaaa global.site.deuxfleurs.fr",
"d53-a ${meta.site}.site.deuxfleurs.fr",
"d53-aaaa ${meta.site}.site.deuxfleurs.fr",
"d53-a v4.${meta.site}.site.deuxfleurs.fr",
"d53-aaaa v6.${meta.site}.site.deuxfleurs.fr",
]
address_mode = "host"
}

61
cluster/prod/app/cryptpad/build/README.md
View file

@ -1,56 +1,29 @@
# CryptPad for NixOS with Deuxfleurs flavour
## Build
## Building
Cryptpad being not NixOS native, an upgrade must be done in 4 steps:
1. Bump the cryptpad version in `common.nix`
2. Rebuild the Nix lock files for the dependencies
3. Build the package for Nix
4. Create a container from the Nix package
The `default.nix` file follows the nixpkgs `callPackage` convention for fetching dependencies, so you need to either:
To bump the nix version, set the desired tag in `common.nix` in the `cryptpadVersion` entry.
Set the corresponding commit in the `cryptadCommit` field, its goal would be to detect unwanted update of the tag.
- Run `nix-build --expr '{ ... }@args: (import <nixpkgs> {}).callPackage ./default.nix args'`
- Do the `callPackage from a higher-level directory importing your package`
To rebuild the lock files (they are stored in the `nix.lock` folder):
### Docker
The `docker.nix` derives into a Docker image you can load simply by running:
```shell
docker load -i $(nix-build docker.nix)
```
nix-shell --run "update_lock"
```
You can then test the built Docker image using the provided `docker-compose.yml` and `config.js` files, which are
configured to render the instance accessible at `http://localhost:3000` with data stored into the `_data` folder.
To build cryptpad:
### Deuxfleurs flavour
The `deuxfleurs.nix` file derives into two derivations: The CryptPad derivation itself and a Docker image,
which can be choose by passing the `-A [name]` flags to `nix-build`
For example, to build and load the Deuxfleurs-flavoured CryptPad Docker image, you run:
```shell
docker load -i $(nix-build deuxfleurs.nix -A docker)
```
nix-build
```
## OnlyOffice integration
Apart for `deuxfleurs.nix`, both `default.nix` and `docker.nix` files build CryptPad with a copy of OnlyOffice pre-built and
used by CryptPad, which can result to large Docker image (~2.6GiB)
Create the container:
This behaviour is configurable by passing the `--arg withOnlyOffice false` flag to `nix-build` when building them.
## Updating the Deuxfleurs pinned nixpkgs
The pinned sources files are generated with the [niv](https://github.com/nmattia/niv) tool.
To update the pinned nixpkgs, you simply run the following command:
```shell
niv update
```
To modify the pinned nixpkgs, you can use the `niv modify` command, for example, to move to nixpkgs-unstable:
```shell
niv modify nixpkgs -b nixos-unstable
docker load < $(nix-build docker.nix)
docker push superboum/cryptpad:???
```
## Quirks
- The CryptPad `package-lock.json` is included here because the upstream-provided one appeared to be desync'ed, so a
manual lockfile generation was needed

22
cluster/prod/app/cryptpad/build/common.nix Normal file
View file

@ -0,0 +1,22 @@
rec {
cryptpadVersion = "4.14.1+2";
cryptpadCommit = "18c371bb5bda068a5d962dd7c4f0726320eea5e9";
pkgsSrc = fetchTarball {
# Latest commit on https://github.com/NixOS/nixpkgs/tree/nixos-21.11
# As of 2022-04-15
url ="https://github.com/NixOS/nixpkgs/archive/2f06b87f64bc06229e05045853e0876666e1b023.tar.gz";
sha256 = "sha256:1d7zg96xw4qsqh7c89pgha9wkq3rbi9as3k3d88jlxy2z0ns0cy2";
};
cryptpadSrc = builtins.fetchGit {
url = "https://github.com/superboum/cryptpad";
ref = "refs/tags/${cryptpadVersion}";
rev = cryptpadCommit;
};
bower2nixSrc = builtins.fetchGit {
url = "https://github.com/superboum/bower2nix";
ref = "new";
rev = "618ab3e206325c63fe4526ae842a1f6c792b0e27";
};
nodejs = "nodejs-slim-16_x";
}

171
cluster/prod/app/cryptpad/build/default.nix
View file

@ -1,118 +1,77 @@
{ lib
, stdenvNoCC
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
nodejs = pkgs.${common.nodejs};
, buildNpmPackage
, fetchFromGitHub
bower = (pkgs.buildBowerComponents {
name = "cryptpad-${common.cryptpadVersion}-bower";
generated = ./nix.lock/bower.nix;
src = common.cryptpadSrc;
}).overrideAttrs (old: {
bowerPackages = old.bowerPackages.override (old_: {
# add missing dependencies:
# Those dependencies are EOL and they are not installed by buildBowerComponents,
# but they are required, otherwise the resolver crashes.
# * add the second jquery ~2.1.0 entry
# * add the second bootstrap ~3.1.1 entry
paths = old_.paths ++ [
(pkgs.fetchbower "jquery" "2.1.0" "~2.1.0" "02kwvz93vzpv10qnp7s0dz3al0jh77awwrizb6wadsvgifxssnlr")
(pkgs.fetchbower "bootstrap" "3.1.1" "~3.1.1" "06bhjwa8p7mzbpr3jkgydd804z1nwrkdql66h7jkfml99psv9811")
];
});
});
, nodejs
npm = import ./nix.lock/npm.nix {
inherit pkgs;
};
, withOnlyOffice ? true
}: let
onlyOfficeVersions = {
v1 = {
rev = "4f370bebe96e3a0d4054df87412ee5b2c6ed8aaa";
hash = "sha256-TE/99qOx4wT2s0op9wi+SHwqTPYq/H+a9Uus9Zj4iSY=";
};
v2b = {
rev = "d9da72fda95daf93b90ffa345757c47eb5b919dd";
hash = "sha256-SiRDRc2vnLwCVnvtk+C8PKw7IeuSzHBaJmZHogRe3hQ=";
};
v4 = {
rev = "6ebc6938b6841440ffad2efc1e23f1dc1ceda964";
hash = "sha256-eto1+8Tk/s3kbUCpbUh8qCS8EOq700FYG1/KiHyynaA=";
};
v5 = {
rev = "88a356f08ded2f0f4620bda66951caf1d7f02c21";
hash = "sha256-8j1rlAyHlKx6oAs2pIhjPKcGhJFj6ZzahOcgenyeOCc=";
};
v6 = {
rev = "abd8a309f6dd37289f950cd8cea40df4492d8a15";
hash = "sha256-BZdExj2q/bqUD3k9uluOot2dlrWKA+vpad49EdgXKww=";
};
v7 = {
rev = "9d8b914a81f0f9e5d0bc3f0fc631adf4b6d480e7";
hash = "sha256-M+rPJ/Xo2olhqB5ViynGRaesMLLfG/1ltUoLnepMPnM=";
};
};
mkOnlyOffice = {
pname, version
}: stdenvNoCC.mkDerivation (final: {
pname = "${pname}-onlyoffice";
inherit version;
in
pkgs.stdenv.mkDerivation {
name = "cryptpad-${common.cryptpadVersion}";
src = common.cryptpadSrc;
srcs = lib.mapAttrsToList (version: { rev, hash ? lib.fakeHash }: fetchFromGitHub {
name = "${final.pname}-${version}-source";
owner = "cryptpad";
repo = "onlyoffice-builds";
inherit rev hash;
}) onlyOfficeVersions;
buildPhase = ''
cp -r ${npm.nodeDependencies}/lib/node_modules node_modules
chmod +w -R node_modules
dontBuild = true;
# clear executable files inside the node_modules folder to reduce dependencies
# and attack surface
find node_modules -type f ! -path 'node_modules/gar/*' -executable -print | tee >(xargs -n 20 rm)
sourceRoot = ".";
# Remove only office that IS BIG
# COMMENTED as it is not as easy as planned.
# rm -rf www/common/onlyoffice
'';
installPhase = ''
mkdir -p $out
${lib.concatLines (map
(version: "cp -Tr ${final.pname}-${version}-source $out/${version}")
(builtins.attrNames onlyOfficeVersions)
)}
mkdir -p $out/{bin,opt}
out_cryptpad=$out/opt/
# copy the source code
cp -r .bowerrc bower.json package.json package-lock.json customize.dist lib server.js www $out_cryptpad
# mount node_modules
cp -r node_modules $out_cryptpad/node_modules
# patch
substituteInPlace $out_cryptpad/lib/workers/index.js --replace "lib/workers/db-worker" "$out_cryptpad/lib/workers/db-worker"
# mount bower, based on the .bowerrc file at the git repo root
cp -r ${bower}/bower_components $out_cryptpad/www/
# cryptpad is bugged with absolute path, this is a workaround to use absolute path as relative path
ln -s / $out_cryptpad/root
# start script, cryptpad is lost if its working directory is not its source directory
cat > $out/bin/cryptpad <<EOF
#!${pkgs.stdenv.shell}
cd $out_cryptpad
exec ${nodejs}/bin/node server.js
EOF
chmod +x $out/bin/cryptpad
'';
});
in buildNpmPackage rec {
pname = "cryptpad";
version = "2024.3.0";
src = fetchFromGitHub {
owner = "cryptpad";
repo = "cryptpad";
rev = version;
hash = "sha256-VUW6KvoSatk1/hlzklMQYlSNVH/tdbH+yU4ONUQ0JSQ=";
};
npmDepsHash = "sha256-tvTkoxxioPuNoe8KIuXSP7QQbvcpxMnygsMmzKBQIY0=";
inherit nodejs;
onlyOffice = lib.optional withOnlyOffice (mkOnlyOffice {
inherit pname version;
});
makeCacheWritable = true;
dontFixup = true;
postPatch = ''
cp -T ${./package-lock.json} package-lock.json
'';
preBuild = ''
npm run install:components
'' + lib.optionalString withOnlyOffice ''
ln -s $onlyOffice www/common/onlyoffice/dist
'';
postBuild = ''
rm -rf customize
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -R . $out/
substituteInPlace $out/lib/workers/index.js \
--replace-warn "lib/workers/db-worker" "$out/lib/workers/db-worker"
makeWrapper ${lib.getExe nodejs} $out/bin/cryptpad-server \
--chdir $out \
--add-flags server.js
runHook postInstall
'';
meta = {
homepage = "https://cryptpad.org";
mainProgram = "cryptpad-server";
};
}

12
cluster/prod/app/cryptpad/build/deuxfleurs.nix
View file

@ -1,12 +0,0 @@
{ name ? "deuxfleurs/cryptpad"
, tag ? "nix-latest"
}: let
sources = import ./nix/sources.nix;
pkgs = import sources.nixpkgs {};
in rec {
cryptpad = pkgs.callPackage ./default.nix {};
docker = pkgs.callPackage ./docker.nix {
inherit name tag;
inherit cryptpad;
};
}

32
cluster/prod/app/cryptpad/build/docker.nix
View file

@ -1,27 +1,11 @@
{ pkgs ? import <nixpkgs> {}
, name ? "cryptpad"
, tag ? "nix-latest"
, withOnlyOffice ? true
, cryptpad ? pkgs.callPackage ./default.nix { inherit withOnlyOffice; }
}: let
cryptpad' = cryptpad.overrideAttrs {
postInstall = ''
ln -sf /cryptpad/customize $out/customize
'';
};
in pkgs.dockerTools.buildImage {
inherit name tag;
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
app = import ./default.nix;
in
pkgs.dockerTools.buildLayeredImage {
name = "superboum/cryptpad";
config = {
Cmd = [
(pkgs.lib.getExe cryptpad')
];
Volumes = {
"/cryptpad/customize" = {};
};
Cmd = [ "${app}/bin/cryptpad" ];
};
}

57
cluster/prod/app/cryptpad/build/nix.lock/bower.json Normal file
View file

@ -0,0 +1,57 @@
{
"name": "cryptpad",
"version": "0.1.0",
"authors": [
"Caleb James DeLisle <cjd@cjdns.fr>"
],
"description": "realtime collaborative visual editor with zero knowlege server",
"main": "www/index.html",
"moduleType": [
"node"
],
"license": "AGPLv3",
"ignore": [
"**/.*",
"node_modules",
"bower_components",
"test",
"tests"
],
"dependencies": {
"jquery": "3.6.0",
"tweetnacl": "0.12.2",
"components-font-awesome": "^4.6.3",
"ckeditor": "4.14.0",
"codemirror": "^5.19.0",
"requirejs": "2.3.5",
"marked": "1.1.0",
"rangy": "rangy-release#~1.3.0",
"json.sortify": "~2.1.0",
"hyperjson": "~1.4.0",
"chainpad-crypto": "^0.2.0",
"chainpad-listmap": "^1.0.0",
"chainpad": "^5.2.0",
"file-saver": "1.3.1",
"alertifyjs": "1.0.11",
"scrypt-async": "1.2.0",
"require-css": "0.1.10",
"bootstrap": "^v4.0.0",
"diff-dom": "2.1.1",
"nthen": "0.1.7",
"open-sans-fontface": "^1.4.2",
"bootstrap-tokenfield": "0.12.1",
"localforage": "^1.5.2",
"html2canvas": "^0.4.1",
"croppie": "^2.5.0",
"sortablejs": "^1.6.0",
"saferphore": "^0.0.1",
"jszip": "3.7.1",
"requirejs-plugins": "^1.0.3",
"dragula.js": "3.7.2",
"MathJax": "3.0.5"
},
"resolutions": {
"bootstrap": "^v4.0.0",
"jquery": "3.6.0"
}
}

37
cluster/prod/app/cryptpad/build/nix.lock/bower.nix Normal file
View file

@ -0,0 +1,37 @@
# Generated by bower2nix v3.3.0 (https://github.com/rvl/bower2nix)
{ fetchbower, buildEnv }:
buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
(fetchbower "jquery" "3.6.0" "3.6.0" "1wx5n605x6ga483hba43gxjncgzk8yvxc3h0jlwgpjd0h54y9v6l")
(fetchbower "tweetnacl" "0.12.2" "0.12.2" "1lfzbfrdaly3zyzbcp1p53yhxlrx56k8x04q924kg7l52gblm65g")
(fetchbower "components-font-awesome" "4.7.0" "^4.6.3" "1w27im6ayjrbgjqa0i49ml5d3wy4ld40h9b29hz9myv77bpx4lg1")
(fetchbower "ckeditor" "4.14.0" "4.14.0" "0lw9q0k8c0jlxvf35vrccab9c3c8rgpc6x66czj9si8yy2lyliyp")
(fetchbower "codemirror" "5.65.3" "^5.19.0" "0z6pd0q0cy0k0dkplx4f3cmmjqbiixv6wqlzbz5j8dnsxr5hhgzh")
(fetchbower "requirejs" "2.3.5" "2.3.5" "05lyvgz914h2w08r24rk0vkk3yxmqrvlg7j3i5av9ffkg9lpzsli")
(fetchbower "marked" "1.1.0" "1.1.0" "1sdgqw9iki9c1pfm4c5h6c956mchbip2jywjrcmrlb75k53flsjz")
(fetchbower "rangy" "rangy-release#1.3.0" "rangy-release#~1.3.0" "13x3wci003p8jyv2ncir0k23bxckx99b3555r0zvgmlwycg7w0zv")
(fetchbower "json.sortify" "2.1.0" "~2.1.0" "1rz9xz0gnm4ak31n10vhslqsw8fw493gjylwj8xsy3bxqq1ygpnh")
(fetchbower "hyperjson" "1.4.0" "~1.4.0" "1n68ls3x4lyhg1yy8i4q3xkgh5xqpyakf45sny4x91mkr68x4bd9")
(fetchbower "chainpad-crypto" "0.2.7" "^0.2.0" "16j0gjj1v8dckqpsg38229qs4dammz7vx8ywsik6f0brzf4py65a")
(fetchbower "chainpad-listmap" "1.0.1" "^1.0.0" "0s2v27hhraifb1yjw5fka4a922zmgsdngsaq1nfd48gbs8gd2rrd")
(fetchbower "chainpad" "5.2.4" "^5.2.0" "1f4nap0r8w50qpmjdfhhjhpz5xcl0n4zaxxnav1qaxi5j6dyg8h6")
(fetchbower "file-saver" "1.3.1" "1.3.1" "065nzkvdiicxnw06z1sjz1sbp9nyis8z839hv6ng1fk25dc5kvkg")
(fetchbower "alertifyjs" "1.0.11" "1.0.11" "0v7323bzq90k35shm3h6azj4wd9la3kbi1va1pw4qyvndkwma69l")
(fetchbower "scrypt-async" "1.2.0" "1.2.0" "0d076ax708p9b8hcmk4f82j925nlnm0hmp0ni45ql37g7iirfpyv")
(fetchbower "require-css" "0.1.10" "0.1.10" "106gz9i76v71q9zx2pnqkkj342m630lvssnw54023a0ljc0gqcwq")
(fetchbower "bootstrap" "4.6.1" "^v4.0.0" "0g8zy1fl396lawgjvfhlpcl38zxsgybhnzi8b6b4m9nccvmpxv83")
(fetchbower "diff-dom" "2.1.1" "2.1.1" "0bp8c80g11hhlkvl3lhrqc39jvqiiyqvrgk1nsn35ps01ava07z9")
(fetchbower "nthen" "0.1.7" "0.1.7" "03yap5ildigaw4rwxmxs37pcwhq415iham8w39zd56ka98gpfxa5")
(fetchbower "open-sans-fontface" "1.4.2" "^1.4.2" "0ksav1fcq640fmdz49ra4prwsrrfj35y2p4shx1jh1j7zxd044nf")
(fetchbower "bootstrap-tokenfield" "0.12.1" "0.12.1" "1dh791s6ih8bf9ihck9n39h68c273jb3lg4mqk94bvqraz45fvwx")
(fetchbower "localforage" "1.10.0" "^1.5.2" "019rh006v2w5x63mgk78qhw59kf8czbkwdvfngmac8fs6gz88lc8")
(fetchbower "html2canvas" "0.4.1" "^0.4.1" "0yg7y90nav068q0i5afc2c221zkddpf28hi0hwc46cawx4180c69")
(fetchbower "croppie" "2.6.5" "^2.5.0" "1j1v5620zi13ad42r358i4ay891abwn6nz357484kgq2bgjj6ccx")
(fetchbower "sortablejs" "1.15.0" "^1.6.0" "1wk1097jrxbp2c4ghcppqd3h2gnq5b01qkf9426mc08zgszlvjr7")
(fetchbower "saferphore" "0.0.1" "^0.0.1" "1wfr9wpbm3lswmvy2p0247ydb108h4qh5s286py89k871qh6jwdi")
(fetchbower "jszip" "3.7.1" "3.7.1" "0f14bak7vylxizi6pvj3znjc2cx922avbv7lslklvic85x0318lf")
(fetchbower "requirejs-plugins" "1.0.3" "^1.0.3" "00s3sdz1ykygx5shldwhhhybwgw7c99vkqd94i5i5x0gl97ifxf5")
(fetchbower "dragula.js" "3.7.2" "3.7.2" "0dbkmrl8bcxiplprmmp9fj96ri5nahb2ql8cc7zwawncv0drvlh0")
(fetchbower "MathJax" "3.0.5" "3.0.5" "087a9av15qj43m8pr3b9g59ncmydhmg40m6dfzsac62ykianh2a0")
(fetchbower "chainpad-netflux" "1.0.0" "^1.0.0" "08rpc73x1vyvd6zkb7w0m1smzjhq3b7cwb30nlmg93x873zjlsl6")
(fetchbower "netflux-websocket" "1.0.0" "^1.0.0" "10hgc5ra3ll7qc2r8aal6p03gx6dgz06l2b54lh995pvf901wzi6")
]; }

588
cluster/prod/app/cryptpad/build/nix.lock/node-env.nix Normal file
View file

@ -0,0 +1,588 @@
# This file originates from node2nix
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
let
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
python = if nodejs ? python then nodejs.python else python2;
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
tarWrapper = runCommand "tarWrapper" {} ''
mkdir -p $out/bin
cat > $out/bin/tar <<EOF
#! ${stdenv.shell} -e
$(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
EOF
chmod +x $out/bin/tar
'';
# Function that generates a TGZ file from a NPM project
buildNodeSourceDist =
{ name, version, src, ... }:
stdenv.mkDerivation {
name = "node-tarball-${name}-${version}";
inherit src;
buildInputs = [ nodejs ];
buildPhase = ''
export HOME=$TMPDIR
tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
'';
installPhase = ''
mkdir -p $out/tarballs
mv $tgzFile $out/tarballs
mkdir -p $out/nix-support
echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
'';
};
# Common shell logic
installPackage = writeShellScript "install-package" ''
installPackage() {
local packageName=$1 src=$2
local strippedName
local DIR=$PWD
cd $TMPDIR
unpackFile $src
# Make the base dir in which the target dependency resides first
mkdir -p "$(dirname "$DIR/$packageName")"
if [ -f "$src" ]
then
# Figure out what directory has been unpacked
packageDir="$(find . -maxdepth 1 -type d | tail -1)"
# Restore write permissions to make building work
find "$packageDir" -type d -exec chmod u+x {} \;
chmod -R u+w "$packageDir"
# Move the extracted tarball into the output folder
mv "$packageDir" "$DIR/$packageName"
elif [ -d "$src" ]
then
# Get a stripped name (without hash) of the source directory.
# On old nixpkgs it's already set internally.
if [ -z "$strippedName" ]
then
strippedName="$(stripHash $src)"
fi
# Restore write permissions to make building work
chmod -R u+w "$strippedName"
# Move the extracted directory into the output folder
mv "$strippedName" "$DIR/$packageName"
fi
# Change to the package directory to install dependencies
cd "$DIR/$packageName"
}
'';
# Bundle the dependencies of the package
#
# Only include dependencies if they don't exist. They may also be bundled in the package.
includeDependencies = {dependencies}:
lib.optionalString (dependencies != []) (
''
mkdir -p node_modules
cd node_modules
''
+ (lib.concatMapStrings (dependency:
''
if [ ! -e "${dependency.name}" ]; then
${composePackage dependency}
fi
''
) dependencies)
+ ''
cd ..
''
);
# Recursively composes the dependencies of a package
composePackage = { name, packageName, src, dependencies ? [], ... }@args:
builtins.addErrorContext "while evaluating node package '${packageName}'" ''
installPackage "${packageName}" "${src}"
${includeDependencies { inherit dependencies; }}
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
'';
pinpointDependencies = {dependencies, production}:
let
pinpointDependenciesFromPackageJSON = writeTextFile {
name = "pinpointDependencies.js";
text = ''
var fs = require('fs');
var path = require('path');
function resolveDependencyVersion(location, name) {
if(location == process.env['NIX_STORE']) {
return null;
} else {
var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
if(fs.existsSync(dependencyPackageJSON)) {
var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
if(dependencyPackageObj.name == name) {
return dependencyPackageObj.version;
}
} else {
return resolveDependencyVersion(path.resolve(location, ".."), name);
}
}
}
function replaceDependencies(dependencies) {
if(typeof dependencies == "object" && dependencies !== null) {
for(var dependency in dependencies) {
var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
if(resolvedVersion === null) {
process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
} else {
dependencies[dependency] = resolvedVersion;
}
}
}
}
/* Read the package.json configuration */
var packageObj = JSON.parse(fs.readFileSync('./package.json'));
/* Pinpoint all dependencies */
replaceDependencies(packageObj.dependencies);
if(process.argv[2] == "development") {
replaceDependencies(packageObj.devDependencies);
}
replaceDependencies(packageObj.optionalDependencies);
/* Write the fixed package.json file */
fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
'';
};
in
''
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
${lib.optionalString (dependencies != [])
''
if [ -d node_modules ]
then
cd node_modules
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
cd ..
fi
''}
'';
# Recursively traverses all dependencies of a package and pinpoints all
# dependencies in the package.json file to the versions that are actually
# being used.
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
''
if [ -d "${packageName}" ]
then
cd "${packageName}"
${pinpointDependencies { inherit dependencies production; }}
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
fi
'';
# Extract the Node.js source code which is used to compile packages with
# native bindings
nodeSources = runCommand "node-sources" {} ''
tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
mv node-* $out
'';
# Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
addIntegrityFieldsScript = writeTextFile {
name = "addintegrityfields.js";
text = ''
var fs = require('fs');
var path = require('path');
function augmentDependencies(baseDir, dependencies) {
for(var dependencyName in dependencies) {
var dependency = dependencies[dependencyName];
// Open package.json and augment metadata fields
var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
var packageJSONPath = path.join(packageJSONDir, "package.json");
if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
console.log("Adding metadata fields to: "+packageJSONPath);
var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
if(dependency.integrity) {
packageObj["_integrity"] = dependency.integrity;
} else {
packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
}
if(dependency.resolved) {
packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
} else {
packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
}
if(dependency.from !== undefined) { // Adopt from property if one has been provided
packageObj["_from"] = dependency.from;
}
fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
}
// Augment transitive dependencies
if(dependency.dependencies !== undefined) {
augmentDependencies(packageJSONDir, dependency.dependencies);
}
}
}
if(fs.existsSync("./package-lock.json")) {
var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
if(![1, 2].includes(packageLock.lockfileVersion)) {
process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
process.exit(1);
}
if(packageLock.dependencies !== undefined) {
augmentDependencies(".", packageLock.dependencies);
}
}
'';
};
# Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
reconstructPackageLock = writeTextFile {
name = "addintegrityfields.js";
text = ''
var fs = require('fs');
var path = require('path');
var packageObj = JSON.parse(fs.readFileSync("package.json"));
var lockObj = {
name: packageObj.name,
version: packageObj.version,
lockfileVersion: 1,
requires: true,
dependencies: {}
};
function augmentPackageJSON(filePath, dependencies) {
var packageJSON = path.join(filePath, "package.json");
if(fs.existsSync(packageJSON)) {
var packageObj = JSON.parse(fs.readFileSync(packageJSON));
dependencies[packageObj.name] = {
version: packageObj.version,
integrity: "sha1-000000000000000000000000000=",
dependencies: {}
};
processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
}
}
function processDependencies(dir, dependencies) {
if(fs.existsSync(dir)) {
var files = fs.readdirSync(dir);
files.forEach(function(entry) {
var filePath = path.join(dir, entry);
var stats = fs.statSync(filePath);
if(stats.isDirectory()) {
if(entry.substr(0, 1) == "@") {
// When we encounter a namespace folder, augment all packages belonging to the scope
var pkgFiles = fs.readdirSync(filePath);
pkgFiles.forEach(function(entry) {
if(stats.isDirectory()) {
var pkgFilePath = path.join(filePath, entry);
augmentPackageJSON(pkgFilePath, dependencies);
}
});
} else {
augmentPackageJSON(filePath, dependencies);
}
}
});
}
}
processDependencies("node_modules", lockObj.dependencies);
fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
'';
};
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
let
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
in
''
# Pinpoint the versions of all dependencies to the ones that are actually being used
echo "pinpointing versions of dependencies..."
source $pinpointDependenciesScriptPath
# Patch the shebangs of the bundled modules to prevent them from
# calling executables outside the Nix store as much as possible
patchShebangs .
# Deploy the Node.js package by running npm install. Since the
# dependencies have been provided already by ourselves, it should not
# attempt to install them again, which is good, because we want to make
# it Nix's responsibility. If it needs to install any dependencies
# anyway (e.g. because the dependency parameters are
# incomplete/incorrect), it fails.
#
# The other responsibilities of NPM are kept -- version checks, build
# steps, postprocessing etc.
export HOME=$TMPDIR
cd "${packageName}"
runHook preRebuild
${lib.optionalString bypassCache ''
${lib.optionalString reconstructLock ''
if [ -f package-lock.json ]
then
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
rm package-lock.json
else
echo "No package-lock.json file found, reconstructing..."
fi
node ${reconstructPackageLock}
''}
node ${addIntegrityFieldsScript}
''}
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
if [ "''${dontNpmInstall-}" != "1" ]
then
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
fi
'';
# Builds and composes an NPM package including all its dependencies
buildNodePackage =
{ name
, packageName
, version
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, preRebuild ? ""
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, meta ? {}
, ... }@args:
let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
in
stdenv.mkDerivation ({
name = "${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
++ lib.optional (stdenv.isLinux) utillinux
++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit nodejs;
inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall preRebuild unpackPhase buildPhase;
compositionScript = composePackage args;
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
installPhase = ''
source ${installPackage}
# Create and enter a root node_modules/ folder
mkdir -p $out/lib/node_modules
cd $out/lib/node_modules
# Compose the package and all its dependencies
source $compositionScriptPath
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
# Create symlink to the deployed executable folder, if applicable
if [ -d "$out/lib/node_modules/.bin" ]
then
ln -s $out/lib/node_modules/.bin $out/bin
fi
# Create symlinks to the deployed manual page folders, if applicable
if [ -d "$out/lib/node_modules/${packageName}/man" ]
then
mkdir -p $out/share
for dir in "$out/lib/node_modules/${packageName}/man/"*
do
mkdir -p $out/share/man/$(basename "$dir")
for page in "$dir"/*
do
ln -s $page $out/share/man/$(basename "$dir")
done
done
fi
# Run post install hook, if provided
runHook postInstall
'';
meta = {
# default to Node.js' platforms
platforms = nodejs.meta.platforms;
} // meta;
} // extraArgs);
# Builds a node environment (a node_modules folder and a set of binaries)
buildNodeDependencies =
{ name
, packageName
, version
, src
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
in
stdenv.mkDerivation ({
name = "node-dependencies-${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
++ lib.optional (stdenv.isLinux) utillinux
++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall unpackPhase buildPhase;
includeScript = includeDependencies { inherit dependencies; };
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
installPhase = ''
source ${installPackage}
mkdir -p $out/${packageName}
cd $out/${packageName}
source $includeScriptPath
# Create fake package.json to make the npm commands work properly
cp ${src}/package.json .
chmod 644 package.json
${lib.optionalString bypassCache ''
if [ -f ${src}/package-lock.json ]
then
cp ${src}/package-lock.json .
fi
''}
# Go to the parent folder to make sure that all packages are pinpointed
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
# Expose the executables that were installed
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
mv ${packageName} lib
ln -s $out/lib/node_modules/.bin $out/bin
'';
} // extraArgs);
# Builds a development shell
buildNodeShell =
{ name
, packageName
, version
, src
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let
nodeDependencies = buildNodeDependencies args;
in
stdenv.mkDerivation {
name = "node-shell-${name}-${version}";
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
buildCommand = ''
mkdir -p $out/bin
cat > $out/bin/shell <<EOF
#! ${stdenv.shell} -e
$shellHook
exec ${stdenv.shell}
EOF
chmod +x $out/bin/shell
'';
# Provide the dependencies in a development shell through the NODE_PATH environment variable
inherit nodeDependencies;
shellHook = lib.optionalString (dependencies != []) ''
export NODE_PATH=${nodeDependencies}/lib/node_modules
export PATH="${nodeDependencies}/bin:$PATH"
'';
};
in
{
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
buildNodePackage = lib.makeOverridable buildNodePackage;
buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
buildNodeShell = lib.makeOverridable buildNodeShell;
}

756
cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix Normal file
View file

@ -0,0 +1,756 @@
# This file has been generated by node2nix 1.9.0. Do not edit!
{nodeEnv, fetchurl, fetchgit, nix-gitignore, stdenv, lib, globalBuildInputs ? []}:
let
sources = {
"@mcrowe/minibloom-0.2.0" = {
name = "_at_mcrowe_slash_minibloom";
packageName = "@mcrowe/minibloom";
version = "0.2.0";
src = fetchurl {
url = "https://registry.npmjs.org/@mcrowe/minibloom/-/minibloom-0.2.0.tgz";
sha1 = "1bed96aec18388198da37443899b2c3ff5948053";
};
};
"accepts-1.3.8" = {
name = "accepts";
packageName = "accepts";
version = "1.3.8";
src = fetchurl {
url = "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz";
sha512 = "PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==";
};
};
"array-flatten-1.1.1" = {
name = "array-flatten";
packageName = "array-flatten";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz";
sha1 = "9a5f699051b1e7073328f2a008968b64ea2955d2";
};
};
"async-limiter-1.0.1" = {
name = "async-limiter";
packageName = "async-limiter";
version = "1.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.1.tgz";
sha512 = "csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==";
};
};
"body-parser-1.18.3" = {
name = "body-parser";
packageName = "body-parser";
version = "1.18.3";
src = fetchurl {
url = "https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz";
sha1 = "5b292198ffdd553b3a0f20ded0592b956955c8b4";
};
};
"bytes-3.0.0" = {
name = "bytes";
packageName = "bytes";
version = "3.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/bytes/-/bytes-3.0.0.tgz";
sha1 = "d32815404d689699f85a4ea4fa8755dd13a96048";
};
};
"chainpad-crypto-0.2.7" = {
name = "chainpad-crypto";
packageName = "chainpad-crypto";
version = "0.2.7";
src = fetchurl {
url = "https://registry.npmjs.org/chainpad-crypto/-/chainpad-crypto-0.2.7.tgz";
sha512 = "H2FfFmMwWw4i8XeGVjKUNEmgOnJohlAvc5IpnVnHqCDm6axntpZ15rv9hV70uhzDrmFhlAPW8MoY4roe5PhUyA==";
};
};
"chainpad-server-5.1.0" = {
name = "chainpad-server";
packageName = "chainpad-server";
version = "5.1.0";
src = fetchurl {
url = "https://registry.npmjs.org/chainpad-server/-/chainpad-server-5.1.0.tgz";
sha512 = "BdjgOOLTXXo1EjQ7lURDe7oqsqfQISNvwhILfp3K3diY2K1hxpPLbjYzOSgxNOTADeOAff0xnInR5eUCESVWaQ==";
};
};
"content-disposition-0.5.2" = {
name = "content-disposition";
packageName = "content-disposition";
version = "0.5.2";
src = fetchurl {
url = "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz";
sha1 = "0cf68bb9ddf5f2be7961c3a85178cb85dba78cb4";
};
};
"content-type-1.0.4" = {
name = "content-type";
packageName = "content-type";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz";
sha512 = "hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==";
};
};
"cookie-0.3.1" = {
name = "cookie";
packageName = "cookie";
version = "0.3.1";
src = fetchurl {
url = "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz";
sha1 = "e7e0a1f9ef43b4c8ba925c5c5a96e806d16873bb";
};
};
"cookie-signature-1.0.6" = {
name = "cookie-signature";
packageName = "cookie-signature";
version = "1.0.6";
src = fetchurl {
url = "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz";
sha1 = "e303a882b342cc3ee8ca513a79999734dab3ae2c";
};
};
"debug-2.6.9" = {
name = "debug";
packageName = "debug";
version = "2.6.9";
src = fetchurl {
url = "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz";
sha512 = "bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==";
};
};
"depd-1.1.2" = {
name = "depd";
packageName = "depd";
version = "1.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz";
sha1 = "9bcd52e14c097763e749b274c4346ed2e560b5a9";
};
};
"destroy-1.0.4" = {
name = "destroy";
packageName = "destroy";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz";
sha1 = "978857442c44749e4206613e37946205826abd80";
};
};
"ee-first-1.1.1" = {
name = "ee-first";
packageName = "ee-first";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz";
sha1 = "590c61156b0ae2f4f0255732a158b266bc56b21d";
};
};
"encodeurl-1.0.2" = {
name = "encodeurl";
packageName = "encodeurl";
version = "1.0.2";
src = fetchurl {
url = "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz";
sha1 = "ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59";
};
};
"escape-html-1.0.3" = {
name = "escape-html";
packageName = "escape-html";
version = "1.0.3";
src = fetchurl {
url = "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz";
sha1 = "0258eae4d3d0c0974de1c169188ef0051d1d1988";
};
};
"etag-1.8.1" = {
name = "etag";
packageName = "etag";
version = "1.8.1";
src = fetchurl {
url = "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz";
sha1 = "41ae2eeb65efa62268aebfea83ac7d79299b0887";
};
};
"express-4.16.4" = {
name = "express";
packageName = "express";
version = "4.16.4";
src = fetchurl {
url = "https://registry.npmjs.org/express/-/express-4.16.4.tgz";
sha512 = "j12Uuyb4FMrd/qQAm6uCHAkPtO8FDTRJZBDd5D2KOL2eLaz1yUNdUB/NOIyq0iU4q4cFarsUCrnFDPBcnksuOg==";
};
};
"finalhandler-1.1.1" = {
name = "finalhandler";
packageName = "finalhandler";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.1.tgz";
sha512 = "Y1GUDo39ez4aHAw7MysnUD5JzYX+WaIj8I57kO3aEPT1fFRL4sr7mjei97FgnwhAyyzRYmQZaTHb2+9uZ1dPtg==";
};
};
"forwarded-0.2.0" = {
name = "forwarded";
packageName = "forwarded";
version = "0.2.0";
src = fetchurl {
url = "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz";
sha512 = "buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==";
};
};
"fresh-0.5.2" = {
name = "fresh";
packageName = "fresh";
version = "0.5.2";
src = fetchurl {
url = "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz";
sha1 = "3d8cadd90d976569fa835ab1f8e4b23a105605a7";
};
};
"fs-extra-7.0.1" = {
name = "fs-extra";
packageName = "fs-extra";
version = "7.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/fs-extra/-/fs-extra-7.0.1.tgz";
sha512 = "YJDaCJZEnBmcbw13fvdAM9AwNOJwOzrE4pqMqBq5nFiEqXUqHwlK4B+3pUw6JNvfSPtX05xFHtYy/1ni01eGCw==";
};
};
"gar-1.0.4" = {
name = "gar";
packageName = "gar";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/gar/-/gar-1.0.4.tgz";
sha512 = "w4n9cPWyP7aHxKxYHFQMegj7WIAsL/YX/C4Bs5Rr8s1H9M1rNtRWRsw+ovYMkXDQ5S4ZbYHsHAPmevPjPgw44w==";
};
};
"get-folder-size-2.0.1" = {
name = "get-folder-size";
packageName = "get-folder-size";
version = "2.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/get-folder-size/-/get-folder-size-2.0.1.tgz";
sha512 = "+CEb+GDCM7tkOS2wdMKTn9vU7DgnKUTuDlehkNJKNSovdCOVxs14OfKCk4cvSaR3za4gj+OBdl9opPN9xrJ0zA==";
};
};
"graceful-fs-4.2.10" = {
name = "graceful-fs";
packageName = "graceful-fs";
version = "4.2.10";
src = fetchurl {
url = "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz";
sha512 = "9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==";
};
};
"http-errors-1.6.3" = {
name = "http-errors";
packageName = "http-errors";
version = "1.6.3";
src = fetchurl {
url = "https://registry.npmjs.org/http-errors/-/http-errors-1.6.3.tgz";
sha1 = "8b55680bb4be283a0b5bf4ea2e38580be1d9320d";
};
};
"iconv-lite-0.4.23" = {
name = "iconv-lite";
packageName = "iconv-lite";
version = "0.4.23";
src = fetchurl {
url = "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.23.tgz";
sha512 = "neyTUVFtahjf0mB3dZT77u+8O0QB89jFdnBkd5P1JgYPbPaia3gXXOVL2fq8VyU2gMMD7SaN7QukTB/pmXYvDA==";
};
};
"inherits-2.0.3" = {
name = "inherits";
packageName = "inherits";
version = "2.0.3";
src = fetchurl {
url = "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz";
sha1 = "633c2c83e3da42a502f52466022480f4208261de";
};
};
"ipaddr.js-1.9.1" = {
name = "ipaddr.js";
packageName = "ipaddr.js";
version = "1.9.1";
src = fetchurl {
url = "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz";
sha512 = "0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==";
};
};
"jsonfile-4.0.0" = {
name = "jsonfile";
packageName = "jsonfile";
version = "4.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/jsonfile/-/jsonfile-4.0.0.tgz";
sha1 = "8771aae0799b64076b76640fca058f9c10e33ecb";
};
};
"lex-1.7.9" = {
name = "lex";
packageName = "lex";
version = "1.7.9";
src = fetchurl {
url = "https://registry.npmjs.org/lex/-/lex-1.7.9.tgz";
sha1 = "5d5636ccef574348362938b79a47f0eed8ed0d43";
};
};
"looper-3.0.0" = {
name = "looper";
packageName = "looper";
version = "3.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/looper/-/looper-3.0.0.tgz";
sha1 = "2efa54c3b1cbaba9b94aee2e5914b0be57fbb749";
};
};
"media-typer-0.3.0" = {
name = "media-typer";
packageName = "media-typer";
version = "0.3.0";
src = fetchurl {
url = "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz";
sha1 = "8710d7af0aa626f8fffa1ce00168545263255748";
};
};
"merge-descriptors-1.0.1" = {
name = "merge-descriptors";
packageName = "merge-descriptors";
version = "1.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz";
sha1 = "b00aaa556dd8b44568150ec9d1b953f3f90cbb61";
};
};
"methods-1.1.2" = {
name = "methods";
packageName = "methods";
version = "1.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz";
sha1 = "5529a4d67654134edcc5266656835b0f851afcee";
};
};
"mime-1.4.1" = {
name = "mime";
packageName = "mime";
version = "1.4.1";
src = fetchurl {
url = "https://registry.npmjs.org/mime/-/mime-1.4.1.tgz";
sha512 = "KI1+qOZu5DcW6wayYHSzR/tXKCDC5Om4s1z2QJjDULzLcmf3DvzS7oluY4HCTrc+9FiKmWUgeNLg7W3uIQvxtQ==";
};
};
"mime-db-1.52.0" = {
name = "mime-db";
packageName = "mime-db";
version = "1.52.0";
src = fetchurl {
url = "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz";
sha512 = "sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==";
};
};
"mime-types-2.1.35" = {
name = "mime-types";
packageName = "mime-types";
version = "2.1.35";
src = fetchurl {
url = "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz";
sha512 = "ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==";
};
};
"ms-2.0.0" = {
name = "ms";
packageName = "ms";
version = "2.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz";
sha1 = "5608aeadfc00be6c2901df5f9861788de0d597c8";
};
};
"negotiator-0.6.3" = {
name = "negotiator";
packageName = "negotiator";
version = "0.6.3";
src = fetchurl {
url = "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz";
sha512 = "+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==";
};
};
"netflux-websocket-0.1.21" = {
name = "netflux-websocket";
packageName = "netflux-websocket";
version = "0.1.21";
src = fetchurl {
url = "https://registry.npmjs.org/netflux-websocket/-/netflux-websocket-0.1.21.tgz";
sha512 = "Zjl5lefg8urC0a0T7YCPGiUgRsISZBsTZl1STylmQz8Bq4ohcZ8cP3r6VoCpeVcvJ1Y/e3ZCXPxndWlNP9Jfug==";
};
};
"nthen-0.1.8" = {
name = "nthen";
packageName = "nthen";
version = "0.1.8";
src = fetchurl {
url = "https://registry.npmjs.org/nthen/-/nthen-0.1.8.tgz";
sha512 = "Oh2CwIbhj+wUT94lQV7LKmmgw3UYAGGd8oLIqp6btQN3Bz3PuWp4BuvtUo35H3rqDknjPfKx5P6mt7v+aJNjcw==";
};
};
"on-finished-2.3.0" = {
name = "on-finished";
packageName = "on-finished";
version = "2.3.0";
src = fetchurl {
url = "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz";
sha1 = "20f1336481b083cd75337992a16971aa2d906947";
};
};
"parseurl-1.3.3" = {
name = "parseurl";
packageName = "parseurl";
version = "1.3.3";
src = fetchurl {
url = "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz";
sha512 = "CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==";
};
};
"path-to-regexp-0.1.7" = {
name = "path-to-regexp";
packageName = "path-to-regexp";
version = "0.1.7";
src = fetchurl {
url = "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz";
sha1 = "df604178005f522f15eb4490e7247a1bfaa67f8c";
};
};
"proxy-addr-2.0.7" = {
name = "proxy-addr";
packageName = "proxy-addr";
version = "2.0.7";
src = fetchurl {
url = "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz";
sha512 = "llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==";
};
};
"pull-stream-3.6.14" = {
name = "pull-stream";
packageName = "pull-stream";
version = "3.6.14";
src = fetchurl {
url = "https://registry.npmjs.org/pull-stream/-/pull-stream-3.6.14.tgz";
sha512 = "KIqdvpqHHaTUA2mCYcLG1ibEbu/LCKoJZsBWyv9lSYtPkJPBq8m3Hxa103xHi6D2thj5YXa0TqK3L3GUkwgnew==";
};
};
"qs-6.5.2" = {
name = "qs";
packageName = "qs";
version = "6.5.2";
src = fetchurl {
url = "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz";
sha512 = "N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==";
};
};
"range-parser-1.2.1" = {
name = "range-parser";
packageName = "range-parser";
version = "1.2.1";
src = fetchurl {
url = "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz";
sha512 = "Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==";
};
};
"raw-body-2.3.3" = {
name = "raw-body";
packageName = "raw-body";
version = "2.3.3";
src = fetchurl {
url = "https://registry.npmjs.org/raw-body/-/raw-body-2.3.3.tgz";
sha512 = "9esiElv1BrZoI3rCDuOuKCBRbuApGGaDPQfjSflGxdy4oyzqghxu6klEkkVIvBje+FF0BX9coEv8KqW6X/7njw==";
};
};
"safe-buffer-5.1.2" = {
name = "safe-buffer";
packageName = "safe-buffer";
version = "5.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz";
sha512 = "Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==";
};
};
"safer-buffer-2.1.2" = {
name = "safer-buffer";
packageName = "safer-buffer";
version = "2.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz";
sha512 = "YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==";
};
};
"saferphore-0.0.1" = {
name = "saferphore";
packageName = "saferphore";
version = "0.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/saferphore/-/saferphore-0.0.1.tgz";
sha1 = "cc962eda4e2b2452e6437fd32dcfb6f69ef2ea63";
};
};
"send-0.16.2" = {
name = "send";
packageName = "send";
version = "0.16.2";
src = fetchurl {
url = "https://registry.npmjs.org/send/-/send-0.16.2.tgz";
sha512 = "E64YFPUssFHEFBvpbbjr44NCLtI1AohxQ8ZSiJjQLskAdKuriYEP6VyGEsRDH8ScozGpkaX1BGvhanqCwkcEZw==";
};
};
"serve-static-1.13.2" = {
name = "serve-static";
packageName = "serve-static";
version = "1.13.2";
src = fetchurl {
url = "https://registry.npmjs.org/serve-static/-/serve-static-1.13.2.tgz";
sha512 = "p/tdJrO4U387R9oMjb1oj7qSMaMfmOyd4j9hOFoxZe2baQszgHcSWjuya/CiT5kgZZKRudHNOA0pYXOl8rQ5nw==";
};
};
"setprototypeof-1.1.0" = {
name = "setprototypeof";
packageName = "setprototypeof";
version = "1.1.0";
src = fetchurl {
url = "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz";
sha512 = "BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==";
};
};
"sortify-1.0.4" = {
name = "sortify";
packageName = "sortify";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/sortify/-/sortify-1.0.4.tgz";
sha1 = "f0178687c83231be8a34fc0ec5462ea957b60284";
};
};
"statuses-1.4.0" = {
name = "statuses";
packageName = "statuses";
version = "1.4.0";
src = fetchurl {
url = "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz";
sha512 = "zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==";
};
};
"stream-to-pull-stream-1.7.3" = {
name = "stream-to-pull-stream";
packageName = "stream-to-pull-stream";
version = "1.7.3";
src = fetchurl {
url = "https://registry.npmjs.org/stream-to-pull-stream/-/stream-to-pull-stream-1.7.3.tgz";
sha512 = "6sNyqJpr5dIOQdgNy/xcDWwDuzAsAwVzhzrWlAPAQ7Lkjx/rv0wgvxEyKwTq6FmNd5rjTrELt/CLmaSw7crMGg==";
};
};
"tiny-each-async-2.0.3" = {
name = "tiny-each-async";
packageName = "tiny-each-async";
version = "2.0.3";
src = fetchurl {
url = "https://registry.npmjs.org/tiny-each-async/-/tiny-each-async-2.0.3.tgz";
sha1 = "8ebbbfd6d6295f1370003fbb37162afe5a0a51d1";
};
};
"tweetnacl-0.12.2" = {
name = "tweetnacl";
packageName = "tweetnacl";
version = "0.12.2";
src = fetchurl {
url = "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.12.2.tgz";
sha1 = "bd59f890507856fb0a1136acc3a8b44547e29ddb";
};
};
"type-is-1.6.18" = {
name = "type-is";
packageName = "type-is";
version = "1.6.18";
src = fetchurl {
url = "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz";
sha512 = "TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==";
};
};
"ulimit-0.0.2" = {
name = "ulimit";
packageName = "ulimit";
version = "0.0.2";
src = fetchurl {
url = "https://registry.npmjs.org/ulimit/-/ulimit-0.0.2.tgz";
sha1 = "2b51f9dc8381ae4102636cec5eb338c2630588a0";
};
};
"ultron-1.1.1" = {
name = "ultron";
packageName = "ultron";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/ultron/-/ultron-1.1.1.tgz";
sha512 = "UIEXBNeYmKptWH6z8ZnqTeS8fV74zG0/eRU9VGkpzz+LIJNs8W/zM/L+7ctCkRrgbNnnR0xxw4bKOr0cW0N0Og==";
};
};
"universalify-0.1.2" = {
name = "universalify";
packageName = "universalify";
version = "0.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz";
sha512 = "rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==";
};
};
"unpipe-1.0.0" = {
name = "unpipe";
packageName = "unpipe";
version = "1.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz";
sha1 = "b2bf4ee8514aae6165b4817829d21b2ef49904ec";
};
};
"utils-merge-1.0.1" = {
name = "utils-merge";
packageName = "utils-merge";
version = "1.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz";
sha1 = "9f95710f50a267947b2ccc124741c1028427e713";
};
};
"vary-1.1.2" = {
name = "vary";
packageName = "vary";
version = "1.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz";
sha1 = "2299f02c6ded30d4a5961b0b9f74524a18f634fc";
};
};
"ws-3.3.3" = {
name = "ws";
packageName = "ws";
version = "3.3.3";
src = fetchurl {
url = "https://registry.npmjs.org/ws/-/ws-3.3.3.tgz";
sha512 = "nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==";
};
};
};
args = {
name = "cryptpad";
packageName = "cryptpad";
version = "4.14.1";
src = ./.;
dependencies = [
sources."@mcrowe/minibloom-0.2.0"
sources."accepts-1.3.8"
sources."array-flatten-1.1.1"
sources."async-limiter-1.0.1"
sources."body-parser-1.18.3"
sources."bytes-3.0.0"
sources."chainpad-crypto-0.2.7"
sources."chainpad-server-5.1.0"
sources."content-disposition-0.5.2"
sources."content-type-1.0.4"
sources."cookie-0.3.1"
sources."cookie-signature-1.0.6"
sources."debug-2.6.9"
sources."depd-1.1.2"
sources."destroy-1.0.4"
sources."ee-first-1.1.1"
sources."encodeurl-1.0.2"
sources."escape-html-1.0.3"
sources."etag-1.8.1"
sources."express-4.16.4"
sources."finalhandler-1.1.1"
sources."forwarded-0.2.0"
sources."fresh-0.5.2"
sources."fs-extra-7.0.1"
sources."gar-1.0.4"
sources."get-folder-size-2.0.1"
sources."graceful-fs-4.2.10"
sources."http-errors-1.6.3"
sources."iconv-lite-0.4.23"
sources."inherits-2.0.3"
sources."ipaddr.js-1.9.1"
sources."jsonfile-4.0.0"
sources."lex-1.7.9"
sources."looper-3.0.0"
sources."media-typer-0.3.0"
sources."merge-descriptors-1.0.1"
sources."methods-1.1.2"
sources."mime-db-1.52.0"
sources."mime-types-2.1.35"
sources."ms-2.0.0"
sources."negotiator-0.6.3"
sources."netflux-websocket-0.1.21"
sources."nthen-0.1.8"
sources."on-finished-2.3.0"
sources."parseurl-1.3.3"
sources."path-to-regexp-0.1.7"
sources."proxy-addr-2.0.7"
sources."pull-stream-3.6.14"
sources."qs-6.5.2"
sources."range-parser-1.2.1"
sources."raw-body-2.3.3"
sources."safe-buffer-5.1.2"
sources."safer-buffer-2.1.2"
sources."saferphore-0.0.1"
(sources."send-0.16.2" // {
dependencies = [
sources."mime-1.4.1"
];
})
sources."serve-static-1.13.2"
sources."setprototypeof-1.1.0"
sources."sortify-1.0.4"
sources."statuses-1.4.0"
sources."stream-to-pull-stream-1.7.3"
sources."tiny-each-async-2.0.3"
sources."tweetnacl-0.12.2"
sources."type-is-1.6.18"
sources."ulimit-0.0.2"
sources."ultron-1.1.1"
sources."universalify-0.1.2"
sources."unpipe-1.0.0"
sources."utils-merge-1.0.1"
sources."vary-1.1.2"
sources."ws-3.3.3"
];
buildInputs = globalBuildInputs;
meta = {
description = "realtime collaborative visual editor with zero knowlege server";
license = "AGPL-3.0+";
};
production = true;
bypassCache = true;
reconstructLock = false;
};
in
{
args = args;
sources = sources;
tarball = nodeEnv.buildNodeSourceDist args;
package = nodeEnv.buildNodePackage args;
shell = nodeEnv.buildNodeShell args;
nodeDependencies = nodeEnv.buildNodeDependencies (lib.overrideExisting args {
src = stdenv.mkDerivation {
name = args.name + "-package-json";
src = nix-gitignore.gitignoreSourcePure [
"*"
"!package.json"
"!package-lock.json"
] args.src;
dontBuild = true;
installPhase = "mkdir -p $out; cp -r ./* $out;";
};
});
}

17
cluster/prod/app/cryptpad/build/nix.lock/npm.nix Normal file
View file

@ -0,0 +1,17 @@
# This file has been generated by node2nix 1.9.0. Do not edit!
{pkgs ? import <nixpkgs> {
inherit system;
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
let
nodeEnv = import ./node-env.nix {
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
inherit pkgs nodejs;
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
};
in
import ./node-packages.nix {
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
inherit nodeEnv;
}

6618
cluster/prod/app/cryptpad/build/nix.lock/package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

55
cluster/prod/app/cryptpad/build/nix.lock/package.json Normal file
View file

@ -0,0 +1,55 @@
{
"name": "cryptpad",
"description": "realtime collaborative visual editor with zero knowlege server",
"version": "4.14.1",
"license": "AGPL-3.0+",
"repository": {
"type": "git",
"url": "git+https://github.com/xwiki-labs/cryptpad.git"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/cryptpad"
},
"dependencies": {
"@mcrowe/minibloom": "^0.2.0",
"chainpad-crypto": "^0.2.5",
"chainpad-server": "^5.1.0",
"express": "~4.16.0",
"fs-extra": "^7.0.0",
"get-folder-size": "^2.0.1",
"netflux-websocket": "^0.1.20",
"nthen": "0.1.8",
"pull-stream": "^3.6.1",
"saferphore": "0.0.1",
"sortify": "^1.0.4",
"stream-to-pull-stream": "^1.7.2",
"tweetnacl": "~0.12.2",
"ulimit": "0.0.2",
"ws": "^3.3.1"
},
"devDependencies": {
"jshint": "^2.13.4",
"less": "3.7.1",
"lesshint": "6.3.7",
"selenium-webdriver": "^3.6.0"
},
"scripts": {
"start": "node server.js",
"dev": "DEV=1 node server.js",
"fresh": "FRESH=1 node server.js",
"offline": "FRESH=1 OFFLINE=1 node server.js",
"offlinedev": "DEV=1 OFFLINE=1 node server.js",
"package": "PACKAGE=1 node server.js",
"lint": "jshint --config .jshintrc --exclude-path .jshintignore . && ./node_modules/lesshint/bin/lesshint -c ./.lesshintrc ./customize.dist/src/less2/",
"lint:js": "jshint --config .jshintrc --exclude-path .jshintignore .",
"lint:server": "jshint --config .jshintrc lib",
"lint:less": "./node_modules/lesshint/bin/lesshint -c ./.lesshintrc ./customize.dist/src/less2/",
"lint:translations": "node ./scripts/translations/lint-translations.js",
"unused-translations": "node ./scripts/translations/unused-translations.js",
"test": "node scripts/TestSelenium.js",
"test-rpc": "cd scripts/tests && node test-rpc",
"template": "cd customize.dist/src && for page in ../index.html ../privacy.html ../terms.html ../contact.html ../what-is-cryptpad.html ../features.html ../../www/login/index.html ../../www/register/index.html ../../www/user/index.html;do echo $page; cp template.html $page; done;",
"evict-inactive": "node scripts/evict-inactive.js"
}
}

14
cluster/prod/app/cryptpad/build/nix/sources.json
View file

@ -1,14 +0,0 @@
{
"nixpkgs": {
"branch": "nixos-23.11",
"description": "Nix Packages collection",
"homepage": null,
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
"sha256": "0yqbwqbripb1bbhlwjfbqmg9qb0lai2fc0k1vfh674d6rrc8igwv",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/53a2c32bc66f5ae41a28d7a9a49d321172af621e.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}

198
cluster/prod/app/cryptpad/build/nix/sources.nix
View file

@ -1,198 +0,0 @@
# This file has been generated by Niv.
let
#
# The fetchers. fetch_<type> fetches specs of type <type>.
#
fetch_file = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
else
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
fetch_tarball = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
else
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
fetch_git = name: spec:
let
ref =
spec.ref or (
if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
);
submodules = spec.submodules or false;
submoduleArg =
let
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
emptyArgWithWarning =
if submodules
then
builtins.trace
(
"The niv input \"${name}\" uses submodules "
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ "does not support them"
)
{ }
else { };
in
if nixSupportsSubmodules
then { inherit submodules; }
else emptyArgWithWarning;
in
builtins.fetchGit
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
fetch_local = spec: spec.path;
fetch_builtin-tarball = name: throw
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=tarball -a builtin=true'';
fetch_builtin-url = name: throw
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=file -a builtin=true'';
#
# Various helpers
#
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
sanitizeName = name:
(
concatMapStrings (s: if builtins.isList s then "-" else s)
(
builtins.split "[^[:alnum:]+._?=-]+"
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
)
);
# The set of packages used when specs are fetched using non-builtins.
mkPkgs = sources: system:
let
sourcesNixpkgs =
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in
if builtins.hasAttr "nixpkgs" sources
then sourcesNixpkgs
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
import <nixpkgs> { }
else
abort
''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
# The actual fetching function.
fetch = pkgs: name: spec:
if ! builtins.hasAttr "type" spec then
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file" then fetch_file pkgs name spec
else if spec.type == "tarball" then fetch_tarball pkgs name spec
else if spec.type == "git" then fetch_git name spec
else if spec.type == "local" then fetch_local spec
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
else if spec.type == "builtin-url" then fetch_builtin-url name
else
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
# If the environment variable NIV_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
replace = name: drv:
let
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in
if ersatz == "" then drv else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions
# a Nix version of mapAttrs if the built-in doesn't exist
mapAttrs = builtins.mapAttrs or (
f: set: with builtins;
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as: if cond then as else { };
# fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12" then
fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
else
fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchurl;
in
if lessThan nixVersion "1.12" then
fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
else
fetchurl attrs;
# Create the final "sources" from the config
mkSources = config:
mapAttrs
(
name: spec:
if builtins.hasAttr "outPath" spec
then
abort
"The values in sources.json should not have an 'outPath' attribute"
else
spec // { outPath = replace name (fetch config.pkgs name spec); }
)
config.sources;
# The "config" used by the fetchers
mkConfig =
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
, sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
, system ? builtins.currentSystem
, pkgs ? mkPkgs sources system
}: {
# The sources, i.e. the attribute set of spec name to spec
inherit sources;
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
inherit pkgs;
};
in
mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }

6000
cluster/prod/app/cryptpad/build/package-lock.json generated
View file

File diff suppressed because it is too large Load diff

31
cluster/prod/app/cryptpad/build/shell.nix Normal file
View file

@ -0,0 +1,31 @@
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
bower2nixRepo = (import common.bower2nixSrc {
inherit pkgs;
});
bower2nix = bower2nixRepo // {
package = bower2nixRepo.package.override {
postInstall = "tsc";
};
};
in
pkgs.mkShell {
nativeBuildInputs = [
bower2nix.package
pkgs.nodePackages.node2nix
];
shellHook = ''
function update_lock {
set -exuo pipefail
mkdir -p nix.lock
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/package.json -O nix.lock/package.json
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/package-lock.json -O nix.lock/package-lock.json
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/bower.json -O nix.lock/bower.json
${bower2nix.package}/bin/bower2nix nix.lock/bower.json nix.lock/bower.nix
${pkgs.nodePackages.node2nix}/bin/node2nix --input nix.lock/package.json --lock nix.lock/package-lock.json --composition nix.lock/npm.nix --node-env nix.lock/node-env.nix --output nix.lock/node-packages.nix
}
'';
}

20
cluster/prod/app/cryptpad/config/config.js
View file

@ -114,9 +114,7 @@ module.exports = {
adminKeys: [
"[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
"[adrn@pad.deuxfleurs.fr/PxDpkPwd-jDJWkfWdAzFX7wtnLpnPlBeYZ4MmoEYS6E=]",
"[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]",
"[trinity-1686a@pad.deuxfleurs.fr/Pu6Ef03jEsAGBbZI6IOdKd6+5pORD5N51QIYt4-Ys1c=]",
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]"
"[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]"
],
/* =====================
@ -190,7 +188,7 @@ module.exports = {
* Specify a directory where files should be stored.
* It will be created automatically if it does not already exist.
*/
filePath: '/mnt/datastore/',
filePath: './root/mnt/datastore/',
/* CryptPad offers the ability to archive data for a configurable period
* before deleting it, allowing a means of recovering data in the event
@ -199,36 +197,36 @@ module.exports = {
* To set the location of this archive directory to a custom value, change
* the path below:
*/
archivePath: '/mnt/data/archive',
archivePath: './root/mnt/data/archive',
/* CryptPad allows logged in users to request that particular documents be
* stored by the server indefinitely. This is called 'pinning'.
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
pinPath: '/mnt/data/pins',
pinPath: './root/mnt/data/pins',
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
taskPath: '/mnt/data/tasks',
taskPath: './root/mnt/data/tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: '/mnt/block',
blockPath: './root/mnt/block',
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here.
*/
blobPath: '/mnt/blob',
blobPath: './root/mnt/blob',
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
blobStagingPath: '/mnt/data/blobstage',
blobStagingPath: './root/mnt/data/blobstage',
decreePath: '/mnt/data/decrees',
decreePath: './root/mnt/data/decrees',
/* CryptPad supports logging events directly to the disk in a 'logs' directory
* Set its location here, or set it to false (or nothing) if you'd rather not log

12
cluster/prod/app/cryptpad/deploy/cryptpad.hcl
View file

@ -1,5 +1,5 @@
job "cryptpad" {
datacenters = ["scorpio"]
datacenters = ["neptune"]
type = "service"
group "cryptpad" {
@ -22,20 +22,20 @@ job "cryptpad" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "abricot"
value = "concombre"
}
config {
image = "kokakiwi/cryptpad:2024.3.0"
image = "superboum/cryptpad:0p3s44hjh4s1x55kbwkmywmwmx4wfyb8"
ports = [ "http" ]
volumes = [
"/mnt/ssd/cryptpad:/mnt",
"secrets/config.js:/cryptpad/config.js",
"secrets/config.js:/etc/cryptpad/config.js",
]
}
env {
CRYPTPAD_CONFIG = "/cryptpad/config.js"
CRYPTPAD_CONFIG = "/etc/cryptpad/config.js"
}
template {
@ -63,8 +63,6 @@ job "cryptpad" {
"tricot pad-sandbox.deuxfleurs.fr",
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
"d53-cname pad.deuxfleurs.fr",
"d53-cname pad-sandbox.deuxfleurs.fr",
]
check {
type = "http"

10
cluster/prod/app/drone-ci/config/litestream.yml Normal file
View file

@ -0,0 +1,10 @@
dbs:
- path: /ephemeral/drone.db
replicas:
- url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
region: garage
endpoint: https://garage.deuxfleurs.fr
access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
force-path-style: true
sync-interval: 60s

138
cluster/prod/app/drone-ci/deploy/server.hcl Normal file
View file

@ -0,0 +1,138 @@
job "drone-ci" {
datacenters = ["neptune", "scorpio"]
type = "service"
group "server" {
count = 1
network {
port "web_port" {
to = 80
}
}
task "restore-db" {
lifecycle {
hook = "prestart"
sidecar = false
}
driver = "docker"
config {
image = "litestream/litestream:0.3.9"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
]
volumes = [
"../alloc/data:/ephemeral",
"secrets/litestream.yml:/etc/litestream.yml"
]
}
template {
data = file("../config/litestream.yml")
destination = "secrets/litestream.yml"
}
resources {
memory = 200
cpu = 100
}
}
task "drone_server" {
driver = "docker"
config {
image = "drone/drone:2.14.0"
ports = [ "web_port" ]
volumes = [
"../alloc/data:/ephemeral",
]
}
template {
data = <<EOH
DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
DRONE_SERVER_HOST=drone.deuxfleurs.fr
DRONE_SERVER_PROTO=https
DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
AWS_DEFAULT_REGION=garage
AWS_REGION=garage
DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
DRONE_S3_PATH_STYLE=true
DRONE_DATABASE_DRIVER=sqlite3
DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
DRONE_USER_CREATE=username:lx-admin,admin:true
DRONE_REGISTRATION_CLOSED=true
DRONE_LOGS_DEBUG=true
DRONE_LOGS_TRACE=true
EOH
destination = "secrets/env"
env = true
}
resources {
cpu = 100
memory = 200
}
service {
name = "drone"
tags = [
"drone",
"tricot drone.deuxfleurs.fr",
"d53-cname drone.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "http"
protocol = "http"
port = "web_port"
path = "/"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "600s"
ignore_warnings = false
}
}
}
}
task "replicate-db" {
driver = "docker"
config {
image = "litestream/litestream:0.3.9"
entrypoint = [ "/bin/sh" ]
args = [
"-c",
"echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
]
volumes = [
"../alloc/data:/ephemeral",
"secrets/litestream.yml:/etc/litestream.yml"
]
}
template {
data = file("../config/litestream.yml")
destination = "secrets/litestream.yml"
}
resources {
memory = 200
cpu = 100
}
}
}
}

69
cluster/prod/app/drone-ci/integration/README.md Normal file
View file

@ -0,0 +1,69 @@
## Install Debian
We recommend Debian Bullseye
## Install Docker CE from docker.io
Do not use the docker engine shipped by Debian
Doc:
- https://docs.docker.com/engine/install/debian/
- https://docs.docker.com/compose/install/
On a fresh install, as root:
```bash
apt-get remove -y docker docker-engine docker.io containerd runc
apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```
## Install the runner
*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
```bash
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
# Edit the docker-compose.yml to adapt its variables to your needs,
# especially the capacitiy value and its name.
COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
```
That's all folks.
## Check if a given job is built by your runner
```bash
export URL=https://drone.deuxfleurs.fr
export REPO=Deuxfleurs/garage
export BUILD=1312
curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
| jq -c '[.stages[] | { name: .name, machine: .machine }]'
```
It will give you the following result:
```json
[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
```
## Random note
*This part might be deprecated!*
This setup is done mainly to allow nix builds with some cache.
To use the cache in Drone, you must set your repository as trusted.
The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.

54
cluster/prod/app/drone-ci/integration/docker-compose.yml Normal file
View file

@ -0,0 +1,54 @@
version: '3.4'
services:
nix-daemon:
image: nixpkgs/nix:nixos-22.05
restart: always
command: nix-daemon
privileged: true
volumes:
- "nix:/nix"
- "./nix.conf:/etc/nix/nix.conf:ro"
drone-runner:
image: drone/drone-runner-docker:1.8.2
restart: always
environment:
- DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET}
- DRONE_RUNNER_CAPACITY=3
- DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true
- DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
- DRONE_RUNNER_LABELS=nix-daemon:1
# we should put "nix:/nix:ro but it is not supported by
# drone-runner-docker because the dependency envconfig does
# not support having two colons (:) in the same stanza.
# Without the RO flag (or using docker userns), build isolation
# is broken.
# https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
# https://github.com/kelseyhightower/envconfig/pull/153
#
# A workaround for isolation is to configure docker with a userns,
# so even if the folder is writable to root, it is not to any non
# privileged docker daemon ran by drone!
- DRONE_RUNNER_VOLUMES=drone_nix:/nix
- DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
ports:
- "3000:3000/tcp"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
drone-gc:
image: drone/gc:latest
restart: always
environment:
- GC_DEBUG=true
- GC_CACHE=10gb
- GC_INTERVAL=10m
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
volumes:
nix:

0
cluster/prod/app/woodpecker-ci/integration/nix.conf → cluster/prod/app/drone-ci/integration/nix.conf
View file

48
cluster/prod/app/drone-ci/secrets.toml Normal file
View file

@ -0,0 +1,48 @@
# Drone's secrets
[secrets."drone-ci/rpc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it would break all runners
[secrets."drone-ci/cookie_secret"]
type = 'command'
rotate = true
command = 'openssl rand -hex 16'
[secrets."drone-ci/db_enc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it is used to encrypt data which we would lose if we change this
# Oauth config for gitea
[secrets."drone-ci/oauth_client_secret"]
type = 'user'
description = 'OAuth client secret (for gitea)'
[secrets."drone-ci/oauth_client_id"]
type = 'user'
description = 'OAuth client ID (on Gitea)'
# S3 config for Git LFS storage
[secrets."drone-ci/s3_db_bucket"]
type = 'constant'
value = 'drone-db'
[secrets."drone-ci/s3_sk"]
type = 'user'
description = 'S3 (garage) secret key for Drone'
[secrets."drone-ci/s3_ak"]
type = 'user'
description = 'S3 (garage) access key for Drone'
[secrets."drone-ci/s3_storage_bucket"]
type = 'constant'
value = 'drone-storage'

2
cluster/prod/app/email/config/dkim/signingtable
View file

@ -5,5 +5,3 @@
*@pointecouteau.com smtp._domainkey.deuxfleurs.fr
*@maycausesideeffects.com smtp._domainkey.deuxfleurs.fr
*@e-x-t-r-a-c-t.me smtp._domainkey.deuxfleurs.fr
*@courderec.re smtp._domainkey.deuxfleurs.fr
*@trinity.fr.eu.org smtp._domainkey.deuxfleurs.fr

2
cluster/prod/app/email/deploy/email-android7.hcl
View file

@ -1,5 +1,5 @@
job "email-android7" {
datacenters = ["neptune", "bespin"]
datacenters = ["neptune"]
type = "service"
priority = 100

2
cluster/prod/app/garage/config/garage.toml
View file

@ -6,8 +6,6 @@ db_engine = "lmdb"
replication_mode = "3"
metadata_auto_snapshot_interval = "24h"
# IPv6 config using the ipv6 address statically defined in Nomad's node metadata
# make sure to put back double { and } if re-enabling this
#rpc_bind_addr = "[{ env "meta.public_ipv6" }]:3901"

2
cluster/prod/app/garage/deploy/garage.hcl
View file

@ -26,7 +26,7 @@ job "garage" {
task "server" {
driver = "docker"
config {
image = "dxflrs/garage:v1.0.0-rc1"
image = "dxflrs/garage:v0.9.0"
command = "/garage"
args = [ "server" ]
network_mode = "host"

3
cluster/prod/app/jitsi/config/config.js
View file

@ -368,8 +368,7 @@ var config = {
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// Does only support plaintext. No line skip.
// noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID

15
cluster/prod/app/jitsi/config/nginx.conf
View file

@ -37,12 +37,6 @@ http {
access_log /dev/stdout;
server_names_hash_bucket_size 64;
# Log real IPs
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
# inspired by https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/master/web/rootfs/defaults/meet.conf
server {
#listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
@ -91,16 +85,7 @@ http {
# tcp_nodelay on;
#}
location ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch" {
return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
}
location = /http-bind {
if ($args ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch") {
return 403 'forbidden';
}
# We add CORS to use a different frontend which is useful for load testing as we do not want to advertise too much our URL
add_header 'Access-Control-Allow-Headers' 'content-type';
add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';

5
cluster/prod/app/jitsi/deploy/jitsi.hcl
View file

@ -112,11 +112,6 @@ EOF
]
}
logs {
max_files = 25
max_file_size = 10
}
template {
data = file("../config/config.js")
destination = "secrets/config.js"

73
cluster/prod/app/matrix/deploy/im-android7.hcl Normal file
View file

@ -0,0 +1,73 @@
// Fichier de configuration pour exposer le service Matrix
// avec une version TLS compatible avec Android 7
// Voir https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/src/branch/main/cluster/prod/app/email/integration
job "im-android7" {
datacenters = ["scorpio", "neptune"]
type = "service"
priority = 100
group "rsa-ecc-proxy" {
network {
port "api_port" { static = 18008 }
// port "web_port" { to = 8043 }
}
task "api-proxy" {
driver = "docker"
config {
image = "alpine/socat:1.8.0.0"
readonly_rootfs = true
ports = [ "api_port" ]
network_mode = "host"
args = [
"openssl-listen:18008,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
"tcp:synapse.service.prod.consul:8008",
]
volumes = [
"secrets/certs:/var/secrets"
]
}
template {
data = "{{ key \"secrets/chat/tls-tls-proxy/rsa.crt\" }}"
destination = "secrets/certs/rsa.crt"
}
template {
data = "{{ key \"secrets/chat/tls-tls-proxy/rsa.key\" }}"
destination = "secrets/certs/rsa.key"
}
resources {
cpu = 50
memory = 50
}
service {
name = "im-android7"
port = "api_port"
address_mode = "host"
tags = [
"rsa-ecc-proxy",
"(diplonat (tcp_port 18008))",
"d53-a im-android7.deuxfleurs.fr",
# ipv6 is commented for now as socat does not listen on ipv6 now
# "d53-aaaa im-android7.deuxfleurs.fr"
]
check {
type = "tcp"
port = "api_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

6
cluster/prod/app/telemetry/deploy/telemetry-service.hcl
View file

@ -19,7 +19,7 @@ job "telemetry-service" {
driver = "docker"
config {
image = "litestream/litestream:0.3.13"
image = "litestream/litestream:0.3.9"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/grafana.db"
]
@ -45,7 +45,7 @@ job "telemetry-service" {
task "grafana" {
driver = "docker"
config {
image = "grafana/grafana:10.3.4"
image = "grafana/grafana:10.0.3"
network_mode = "host"
ports = [ "grafana" ]
volumes = [
@ -108,7 +108,7 @@ EOH
task "replicate-db" {
driver = "docker"
config {
image = "litestream/litestream:0.3.13"
image = "litestream/litestream:0.3.7"
args = [
"replicate", "-config", "/etc/litestream.yml"
]

3
cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
View file

@ -70,8 +70,7 @@ job "telemetry-storage" {
}
resources {
memory = 1500
memory_max = 4000
memory = 1000
cpu = 1000
}

159
cluster/prod/app/woodpecker-ci/deploy/server.hcl
View file

@ -1,159 +0,0 @@
job "woodpecker-ci" {
datacenters = ["neptune", "scorpio"]
type = "service"
group "server" {
count = 1
network {
port "web_port" {
static = 14080
to = 14080
}
port "grpc_port" {
static = 14090
to = 14090
}
port "grpc_tls_port" {
static = 14453
to = 14453
}
}
task "server" {
driver = "docker"
config {
image = "woodpeckerci/woodpecker-server:v2.3.0"
ports = [ "web_port", "grpc_port" ]
network_mode = "host"
}
template {
data = <<EOH
WOODPECKER_OPEN=true
WOODPECKER_ORGS=Deuxfleurs
WOODPECKER_ADMIN=lx
WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
WOODPECKER_AGENT_SECRET={{ key "secrets/woodpecker-ci/agent_secret" }}
# secret encryption is broken in woodpecker currently
# WOODPECKER_ENCRYPTION_KEY={{ key "secrets/woodpecker-ci/secrets_encryption_key" }}
WOODPECKER_SERVER_ADDR=[::]:14080
WOODPECKER_GRPC_ADDR=[::]:14090
# WOODPECKER_GRPC_SECRET={{ key "secrets/woodpecker-ci/grpc_secret" }}
WOODPECKER_DATABASE_DRIVER=postgres
WOODPECKER_DATABASE_DATASOURCE=postgres://woodpecker:{{ key "secrets/woodpecker-ci/db_password" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/woodpecker?sslmode=disable
WOODPECKER_GITEA=true
WOODPECKER_GITEA_URL=https://git.deuxfleurs.fr
WOODPECKER_GITEA_CLIENT={{ key "secrets/woodpecker-ci/oauth_client_id" }}
WOODPECKER_GITEA_SECRET={{ key "secrets/woodpecker-ci/oauth_client_secret" }}
WOODPECKER_LOG_LEVEL=debug
WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
EOH
destination = "secrets/env"
env = true
}
resources {
cpu = 100
memory = 200
}
service {
name = "woodpecker"
tags = [
"woodpecker",
"tricot woodpecker.deuxfleurs.fr",
"d53-cname woodpecker.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
/*
check {
type = "http"
protocol = "http"
port = "web_port"
path = "/"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "600s"
ignore_warnings = false
}
}
*/
}
service {
name = "woodpecker-grpc"
tags = [
"woodpecker-grpc",
]
port = "grpc_port"
address_mode = "host"
}
}
task "grpc_tls" {
driver = "docker"
config {
image = "nginx:1.25.3"
ports = [ "grpc_tls_port" ]
volumes = [
"secrets/ssl/certs:/etc/ssl/certs",
"secrets/ssl/private:/etc/ssl/private",
"secrets/conf/:/etc/nginx/",
]
network_mode = "host"
}
template {
data = <<EOH
events {}
http {
server {
listen 0.0.0.0:14453 ssl;
listen [::]:14453 ssl;
http2 on;
server_name woodpecker.deuxfleurs.fr;
ssl_certificate "/etc/ssl/certs/woodpecker.cert";
ssl_certificate_key "/etc/ssl/certs/woodpecker.key";
location / {
grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
}
}
}
EOH
destination = "secrets/conf/nginx.conf"
}
template {
data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.key"
}
template {
data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.cert"
}
service {
name = "woodpecker-grpc-tls"
tags = [
"woodpecker-grpc-tls",
"d53-a woodpecker-grpc.deuxfleurs.fr",
"d53-aaaa woodpecker-grpc.deuxfleurs.fr",
"(diplonat (tcp_port 14453))"
]
port = "grpc_tls_port"
address_mode = "host"
}
}
}
}

54
cluster/prod/app/woodpecker-ci/integration/README.md
View file

@ -1,54 +0,0 @@
## Install Debian
We recommend Debian Bullseye
## Install Docker CE from docker.io
Do not use the docker engine shipped by Debian
Doc:
- https://docs.docker.com/engine/install/debian/
- https://docs.docker.com/compose/install/
On a fresh install, as root:
```bash
# Remove all pre-existing packages
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do apt-get remove $pkg; done
# Add Docker's official GPG key:
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
# Install Docker
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
## Install the runner
```bash
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/woodpecker-ci/integration/nix.conf
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/woodpecker-ci/integration/docker-compose.yml
```
Create a new Agent for your runner in the Woodpecker admin, and copy the agent secret value.
Edit `docker-compose.yml` and insert your agent secret as the value for WOODPECKER_AGENT_SECRET.
Update other values including hostname and max workflows for your runner.
```bash
COMPOSE_PROJECT_NAME=woodpecker docker-compose up -d
```
That's all folks.

33
cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
View file

@ -1,33 +0,0 @@
version: '3.4'
services:
nix-daemon:
image: nixpkgs/nix:nixos-22.05
restart: always
command: nix-daemon
privileged: true
volumes:
- "nix:/nix"
- "./nix.conf:/etc/nix/nix.conf:ro"
woodpecker-runner:
image: woodpeckerci/woodpecker-agent:v2.3.0
restart: always
environment:
# -- change these for each agent
- WOODPECKER_HOSTNAME=i_forgot_to_change_my_runner_name
- WOODPECKER_AGENT_SECRET=xxxx
- WOODPECKER_MAX_WORKFLOWS=4
# -- if not using COMPOSE_PROJECT_NAME=woodpecker, change name of volume to mount
- WOODPECKER_BACKEND_DOCKER_VOLUMES=woodpecker_nix:/nix:ro
# -- should not need change
- WOODPECKER_SERVER=woodpecker-grpc.deuxfleurs.fr:14453
- WOODPECKER_HEALTHCHECK=false
- WOODPECKER_GRPC_SECURE=true
- WOODPECKER_LOG_LEVEL=info
- WOODPECKER_DEBUG_PRETTY=true
- WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
volumes:
nix:

31
cluster/prod/cluster.nix
View file

@ -11,21 +11,20 @@
siteName = "neptune";
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
address = "10.83.1.1";
endpoint = "82.67.87.112:33731";
endpoint = "77.207.15.215:33731";
};
"courgette" = {
siteName = "neptune";
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
address = "10.83.1.2";
endpoint = "82.67.87.112:33732";
endpoint = "77.207.15.215:33732";
};
"celeri" = {
siteName = "neptune";
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
address = "10.83.1.3";
endpoint = "82.67.87.112:33733";
endpoint = "77.207.15.215:33733";
};
/*
"dahlia" = {
siteName = "orion";
publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
@ -44,24 +43,23 @@
address = "10.83.2.3";
endpoint = "82.66.80.201:33733";
};
*/
"df-ykl" = {
siteName = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
address = "10.83.3.1";
endpoint = "109.136.139.78:33731";
endpoint = "109.136.55.235:33731";
};
"df-ymf" = {
siteName = "bespin";
publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
address = "10.83.3.2";
endpoint = "109.136.139.78:33732";
endpoint = "109.136.55.235:33732";
};
"df-ymk" = {
siteName = "bespin";
publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
address = "10.83.3.3";
endpoint = "109.136.139.78:33733";
endpoint = "109.136.55.235:33733";
};
"abricot" = {
siteName = "scorpio";
@ -77,10 +75,6 @@
};
};
# Pin Nomad version
services.nomad.package = pkgs.nomad_1_6;
nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
# Bootstrap IPs for Consul cluster,
# these are IPs on the Wireguard overlay
services.consul.extraConfig.retry_join = [
@ -124,19 +118,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
];
armael = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
];
marion = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzOhSTEOudBWCHi5wHc6MP0xjJJhuIDZEcx+hP6kz9N"
];
darkgallium = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJX0A2P59or83EKhh32o8XumGz0ToTEsoq89hMbMtr7h"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB540H9kn+Ocs4Wjc1Y3f3OkHFYEqc5IM/FiCyoVVoh3"
];
kokakiwi = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
];
};
# For Garage external communication

66
cluster/prod/register_external_services.sh
View file

@ -26,19 +26,73 @@ curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: app
{
"Datacenter": "prod",
"Node": "spoutnik",
"Address": "192.168.1.51",
"Address": "192.168.1.60",
"NodeMeta": {
"site": "scorpio",
"cname_target": "scorpio.site.deuxfleurs.fr."
},
"Service": {
"Service": "adrien-nginx",
"Tags": [
"tricot-https *.luxeylab.net",
"tricot-https *.zinz.dev"
],
"Address": "192.168.1.51",
"Tags": ["tricot-https *.luxeylab.net"],
"Address": "192.168.1.60",
"Port": 443
}
}
EOF
# Orsay (neptune): Alex's personnal stuff
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
{
"Datacenter": "prod",
"Node": "lindy",
"Address": "192.168.1.184",
"NodeMeta": {
"site": "neptune",
"cname_target": "neptune.site.deuxfleurs.fr."
},
"Service": {
"Service": "lx-apimdev",
"Tags": ["tricot apimdev.adnab.me"],
"Address": "192.168.1.184",
"Port": 8910
}
}
EOF
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
{
"Datacenter": "prod",
"Node": "lindy",
"Address": "192.168.1.184",
"NodeMeta": {
"site": "neptune",
"cname_target": "neptune.site.deuxfleurs.fr."
},
"Service": {
"Service": "lx-apimtest",
"Tags": ["tricot apimtest.adnab.me"],
"Address": "192.168.1.184",
"Port": 8920
}
}
EOF
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
{
"Datacenter": "prod",
"Node": "www.isomorphis.me",
"Address": "192.168.1.24",
"NodeMeta": {
"site": "neptune",
"cname_target": "neptune.site.deuxfleurs.fr."
},
"Service": {
"Service": "isomorphis.me-web",
"Tags": ["tricot *.isomorphis.me"],
"Address": "192.168.1.24",
"Port": 5000
}
}
EOF

2
cluster/prod/site/neptune.nix
View file

@ -2,7 +2,7 @@
{
deuxfleurs.siteName = "neptune";
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr.";
deuxfleurs.publicIPv4 = "77.207.15.215";
}

6
cluster/staging/app/garage/deploy/garage.hcl
View file

@ -26,8 +26,8 @@ job "garage-staging" {
packages = [
"#bash", # so that we can enter a shell inside container
"#coreutils",
# garage v1.0.0-rc1 as of 2024-03-28
"git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=next-0.10&rev=afad62939e071621666ca7255f7164f92c4475bb"
# garage v0.9.1-rc
"git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=main&rev=9cfeea389a1274d4d3c1f4b7072b0c056af410ef",
]
command = "garage"
args = [ "server" ]
@ -38,7 +38,7 @@ job "garage-staging" {
}
env = {
RUST_LOG = "garage=info,garage_api=debug",
RUST_LOG = "garage=debug",
}
# files currently owned by root, we don't want to chown everything

3
cluster/staging/app/im/deploy/im-nix.hcl
View file

@ -33,7 +33,7 @@ job "im" {
]
command = "litestream"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db"
"restore", "-v", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db"
]
bind = {
"../alloc/data" = "/ephemeral",
@ -55,7 +55,6 @@ job "im" {
task "synapse" {
driver = "nix2"
config {
nixpkgs = "github:nixos/nixpkgs/nixos-23.11"
packages = [
"#cacert",
"#bash",

4
cluster/staging/app/telemetry/deploy/telemetry-service.hcl
View file

@ -14,7 +14,7 @@ job "telemetry-service" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
value = "df-pw5,origan"
value = "carcajou,origan"
}
task "prometheus" {
@ -39,7 +39,7 @@ job "telemetry-service" {
}
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
data = "{{ key \"secrets/consul/consul.crt\" }}"
destination = "etc/prom/consul.crt"
}

61
cluster/staging/cluster.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... } @ args:
{ config, pkgs, ... } @ args:
{
deuxfleurs.clusterName = "staging";
@ -7,6 +7,12 @@
deuxfleurs.clusterPrefix = "10.14.0.0/16";
deuxfleurs.clusterNodes = {
"carcajou" = {
siteName = "neptune";
publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
address = "10.14.1.2";
endpoint = "77.207.15.215:33722";
};
"caribou" = {
siteName = "neptune";
publicKey = "lABn/axzD1jkFulX8c+K3B3CbKXORlIMDDoe8sQVxhs=";
@ -70,6 +76,9 @@
baptiste = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnGkJZZrHIUp9q0DXmVLLuhCIe7Vu1J3j6dJ1z1BglqX7yOLdFQ6LhHXx65aND/KCOM1815tJSnaAyKWEj9qJ31RVUoRl42yBn54DvQumamJUaXAHqJrXhjwxfUkF9B73ZSUzHGADlQnxcBkmrjC5FkrpC/s4xr0o7/GIBkBdtZhX9YpxBfpH6wEcCruTOlm92E3HvvjpBb/wHsoxL1f2czvWe69021gqWEYRFjqtBwP36NYZnGOJZ0RrlP3wUrGCSHxOKW+2Su+tM6g07KPJn5l1wNJiOcyBQ0/Sv7ptCJ9+rTQNeVBMoXshaucYP/bKJbqH7dONrYDgz59C4+Kax"
];
armael = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
];
aeddis = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoFf9fMYwLOpmiXKgn4Rs99YCj94SU1V0gwGXR5N4Md"
];
@ -82,16 +91,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
];
armael = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
];
marion = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzOhSTEOudBWCHi5wHc6MP0xjJJhuIDZEcx+hP6kz9N"
];
darkgallium = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJX0A2P59or83EKhh32o8XumGz0ToTEsoq89hMbMtr7h"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB540H9kn+Ocs4Wjc1Y3f3OkHFYEqc5IM/FiCyoVVoh3"
];
};
# For Garage ipv6 communication
@ -99,16 +98,13 @@
## ===== EXPERIMENTAL SECTION FOR STAGING CLUSTER =====
# Test nomad 1.6
services.nomad.package = pkgs.nomad_1_6;
nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
# We're doing lots of experiments so GC periodically is usefull.
nix.gc.automatic = true;
imports = [
## ---- Nix Nomad jobs using nomad-driver-nix2 ----
({ pkgs, ... }: {
services.nomad.dropPrivileges = false;
services.nomad.extraSettingsPlugins = [
(import ./nomad-driver-nix2.nix { inherit pkgs; })
];
@ -122,7 +118,7 @@
{
config = [
{
default_nixpkgs = "github:nixos/nixpkgs/nixos-23.11";
default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
}
];
}
@ -137,5 +133,38 @@
nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
})
## ---- Nix mutual cache ----
# Let nodes in a same site/zone copy from each other's Nix stores
# Note that nodes will only copy from one another packages that are
# signed by one of the trusted public keys, i.e. packages comming
# from cache.nixos.org and nix.web.deuxfleurs.fr.
# This is good as it kind of mitigates supply-chain attacks where
# one node's cache would become poisonned, although arguably when
# an attacker has gained root access on one node, it can easily
# become root on all the others through Nomad. Downsides include
# missed opportunities for not rebuilding stuff between machines
# (e.g. derivations that are built in the process of doing
# nixos-rebuild), and warnings appearing in the logs whenever such
# an opportunity was not taken due to missing signatures.
({ pkgs, config, ... }:
let substituter_port = 1728;
in
{
services.nix-serve = {
enable = true;
port = substituter_port;
openFirewall = false;
bindAddress = "0.0.0.0";
#package = pkgs.haskellPackages.nix-serve-ng;
#package = pkgs.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_12; };
};
nix.settings.substituters = map
({ address, ... }: "http://${address}:${builtins.toString substituter_port}")
(builtins.attrValues (pkgs.lib.filterAttrs
(hostname: { siteName, ...}:
(hostname != config.deuxfleurs.hostName
&& siteName == config.deuxfleurs.siteName))
config.deuxfleurs.clusterNodes));
})
];
}

4
cluster/staging/known_hosts
View file

@ -11,7 +11,5 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
10.14.3.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
df-pw5.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH
origan.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
carcajou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22

27
cluster/staging/node/carcajou.nix Normal file
View file

@ -0,0 +1,27 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
imports =
[
./remote-unlock.nix
];
deuxfleurs.remoteUnlock = {
networkInterface = "eno1";
staticIP = "192.168.1.22/24";
defaultGateway = "192.168.1.1";
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "carcajou";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::22";
deuxfleurs.isRaftServer = true;
system.stateVersion = "21.05";
}

1
cluster/staging/node/carcajou.site.nix Symbolic link
View file

@ -0,0 +1 @@
../site/neptune.nix

1
cluster/staging/node/caribou.nix
View file

@ -10,7 +10,6 @@
deuxfleurs.hostName = "caribou";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::23";
deuxfleurs.isRaftServer = true;
system.stateVersion = "21.05";
}

7
cluster/staging/ssh_config
View file

@ -4,15 +4,18 @@ Host caribou
#HostName caribou.machine.deuxfleurs.fr
HostName caribou.machine.staging.deuxfleurs.org
Host carcajou
#HostName carcajou.machine.deuxfleurs.fr
HostName carcajou.machine.staging.deuxfleurs.org
Host origan
#HostName origan.df.trinity.fr.eu.org
HostName origan.machine.staging.deuxfleurs.org
Host piranha
HostName %h.machine.staging.deuxfleurs.org
#HostName piranha.polyno.me
#OR
#ProxyJump caribou.machine.deuxfleurs.fr
#ProxyJump carcajou.machine.deuxfleurs.fr
#HostName 10.14.3.1
HostName piranha.machine.staging.deuxfleurs.org

1
deploy_nixos
View file

@ -2,6 +2,7 @@
copy nix/configuration.nix /etc/nixos/configuration.nix
copy nix/deuxfleurs.nix /etc/nixos/deuxfleurs.nix
copy nix/remote-unlock.nix /etc/nixos/remote-unlock.nix
copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix

10
deploy_pki
View file

@ -19,7 +19,10 @@ cmd ln -sf /var/lib/consul/pki/consul$YEAR.key /var/lib/consul/pki/consul.key
cmd ln -sf /var/lib/consul/pki/consul$YEAR-client.crt /var/lib/consul/pki/consul-client.crt
cmd ln -sf /var/lib/consul/pki/consul$YEAR-client.key /var/lib/consul/pki/consul-client.key
cmd systemctl reload consul
if [ ! "$CLUSTER" = "prod" ]; then
cmd systemctl restart consul
cmd sleep 10
fi
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
nomad$YEAR-client.crt nomad$YEAR-client.key \
@ -27,6 +30,7 @@ for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
do
if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/nomad/pki/$file
cmd "chown \$(stat -c %u /var/lib/private/nomad/) /var/lib/nomad/pki/$file"
fi
done
@ -38,7 +42,9 @@ cmd ln -sf /var/lib/nomad/pki/consul$YEAR.crt /var/lib/nomad/pki/consul.crt
cmd ln -sf /var/lib/nomad/pki/consul$YEAR-client.crt /var/lib/nomad/pki/consul-client.crt
cmd ln -sf /var/lib/nomad/pki/consul$YEAR-client.key /var/lib/nomad/pki/consul-client.key
cmd systemctl reload nomad
if [ ! "$CLUSTER" = "prod" ]; then
cmd systemctl restart nomad
fi
set_env CONSUL_HTTP_ADDR=https://localhost:8501
set_env CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt

2
nix/deuxfleurs.nix
View file

@ -330,8 +330,8 @@ in
};
services.nomad.enable = true;
services.nomad.dropPrivileges = false; # required starting with Nomad 1.5, otherwise Docker is not detected
systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
services.nomad.package = pkgs.nomad_1_4;
services.nomad.extraPackages = [
pkgs.glibc
pkgs.zstd

4
nix/nomad-driver-nix2.nix
View file

@ -7,10 +7,10 @@ pkgs.buildGoModule rec {
src = builtins.fetchGit {
url = "https://git.deuxfleurs.fr/Deuxfleurs/nomad-driver-nix2";
rev = "98871a2d786f2627f1699d0ae49e7d6d3792f469";
rev = "59aba7607507193587be7c24229dc71066e3ae87";
};
vendorHash = "sha256-EQdTxVOBRYQjg7kAB+pFJYcNwk0zlsjjJxM+EO/cK84=";
vendorSha256 = "sha256-EQdTxVOBRYQjg7kAB+pFJYcNwk0zlsjjJxM+EO/cK84=";
postInstall = ''
mv $out/bin/nomad-driver-nix2 $out/bin/nix2

45
nix/remote-unlock.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, pkgs, ... }:
let
cfg = config.deuxfleurs.remoteUnlock;
in
with builtins;
with pkgs.lib;
{
options.deuxfleurs.remoteUnlock = {
networkInterface = mkOption {
description = "Network interface to configure with static IP";
type = types.str;
};
staticIP = mkOption {
description = "IP address (with prefix length) of this node on the local network interface";
type = types.str;
};
defaultGateway = mkOption {
description = "IP address of default gateway";
type = types.str;
};
};
config = {
boot.initrd.availableKernelModules = [ "pps_core" "ptp" "e1000e" ];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 222;
authorizedKeys = concatLists (mapAttrsToList (name: user: user) config.deuxfleurs.adminAccounts);
hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ];
};
boot.initrd.network.postCommands = ''
ip addr add ${cfg.staticIP} dev ${cfg.networkInterface}
ip link set dev ${cfg.networkInterface} up
ip route add default via ${cfg.defaultGateway} dev ${cfg.networkInterface}
ip a
ip route
ping -c 4 ${cfg.defaultGateway}
echo 'echo run cryptsetup-askpass to unlock drives' >> /root/.profile
'';
};
}

7
tlsproxy
View file

@ -17,7 +17,8 @@ PREFIX="deuxfleurs/cluster/$CLUSTER"
# Do actual stuff
YEAR=$(date +%Y)
#YEAR=$(date +%Y)
YEAR=2023
CERTDIR=$(mktemp -d)
@ -37,10 +38,10 @@ pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
socat -dd tcp-listen:4646,reuseaddr,fork,bind=127.0.0.1 openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
socat -dd tcp-listen:4646,reuseaddr,fork,bind=localhost openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
child1=$!
socat -dd tcp-listen:8500,reuseaddr,fork,bind=127.0.0.1 openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
socat -dd tcp-listen:8500,reuseaddr,fork,bind=localhost openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
child2=$!
wait "$child1"

4
upgrade_nixos
View file

@ -1,9 +1,9 @@
#!/usr/bin/env ./sshtool
if [ "$CLUSTER" = "staging" ]; then
cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
cmd nix-channel --add https://nixos.org/channels/nixos-23.05 nixos
else
cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
cmd nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
fi
cmd nix-channel --update