forked from Deuxfleurs/nixcfg
Compare commits
4 commits
main
...
feat/im-tl
Author | SHA1 | Date | |
---|---|---|---|
3e93d19347 | |||
df7301e97a | |||
672c398315 | |||
abce598e6c |
58 changed files with 8907 additions and 6779 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -4,3 +4,4 @@ secrets/*
|
|||
cluster/*/secrets/*
|
||||
!cluster/*/secrets/*.sample
|
||||
|
||||
bugs/
|
||||
|
|
|
@ -87,10 +87,7 @@ EOH
|
|||
service {
|
||||
name = "tricot-http"
|
||||
port = "http_port"
|
||||
tags = [
|
||||
"(diplonat (tcp_port 80))",
|
||||
"${meta.site}"
|
||||
]
|
||||
tags = [ "(diplonat (tcp_port 80))", "${meta.site}" ]
|
||||
address_mode = "host"
|
||||
}
|
||||
|
||||
|
@ -100,12 +97,9 @@ EOH
|
|||
tags = [
|
||||
"(diplonat (tcp_port 443))",
|
||||
"${meta.site}",
|
||||
"d53-aaaa ${meta.site}.site.deuxfleurs.fr",
|
||||
"d53-a global.site.deuxfleurs.fr",
|
||||
"d53-aaaa global.site.deuxfleurs.fr",
|
||||
"d53-a ${meta.site}.site.deuxfleurs.fr",
|
||||
"d53-aaaa ${meta.site}.site.deuxfleurs.fr",
|
||||
"d53-a v4.${meta.site}.site.deuxfleurs.fr",
|
||||
"d53-aaaa v6.${meta.site}.site.deuxfleurs.fr",
|
||||
]
|
||||
address_mode = "host"
|
||||
}
|
||||
|
|
|
@ -1,56 +1,29 @@
|
|||
# CryptPad for NixOS with Deuxfleurs flavour
|
||||
## Build
|
||||
|
||||
## Building
|
||||
Cryptpad being not NixOS native, an upgrade must be done in 4 steps:
|
||||
1. Bump the cryptpad version in `common.nix`
|
||||
2. Rebuild the Nix lock files for the dependencies
|
||||
3. Build the package for Nix
|
||||
4. Create a container from the Nix package
|
||||
|
||||
The `default.nix` file follows the nixpkgs `callPackage` convention for fetching dependencies, so you need to either:
|
||||
To bump the nix version, set the desired tag in `common.nix` in the `cryptpadVersion` entry.
|
||||
Set the corresponding commit in the `cryptadCommit` field, its goal would be to detect unwanted update of the tag.
|
||||
|
||||
- Run `nix-build --expr '{ ... }@args: (import <nixpkgs> {}).callPackage ./default.nix args'`
|
||||
- Do the `callPackage from a higher-level directory importing your package`
|
||||
To rebuild the lock files (they are stored in the `nix.lock` folder):
|
||||
|
||||
### Docker
|
||||
|
||||
The `docker.nix` derives into a Docker image you can load simply by running:
|
||||
|
||||
```shell
|
||||
docker load -i $(nix-build docker.nix)
|
||||
```
|
||||
nix-shell --run "update_lock"
|
||||
```
|
||||
|
||||
You can then test the built Docker image using the provided `docker-compose.yml` and `config.js` files, which are
|
||||
configured to render the instance accessible at `http://localhost:3000` with data stored into the `_data` folder.
|
||||
To build cryptpad:
|
||||
|
||||
|
||||
### Deuxfleurs flavour
|
||||
The `deuxfleurs.nix` file derives into two derivations: The CryptPad derivation itself and a Docker image,
|
||||
which can be choose by passing the `-A [name]` flags to `nix-build`
|
||||
|
||||
For example, to build and load the Deuxfleurs-flavoured CryptPad Docker image, you run:
|
||||
|
||||
```shell
|
||||
docker load -i $(nix-build deuxfleurs.nix -A docker)
|
||||
```
|
||||
nix-build
|
||||
```
|
||||
|
||||
## OnlyOffice integration
|
||||
Apart for `deuxfleurs.nix`, both `default.nix` and `docker.nix` files build CryptPad with a copy of OnlyOffice pre-built and
|
||||
used by CryptPad, which can result to large Docker image (~2.6GiB)
|
||||
Create the container:
|
||||
|
||||
This behaviour is configurable by passing the `--arg withOnlyOffice false` flag to `nix-build` when building them.
|
||||
|
||||
## Updating the Deuxfleurs pinned nixpkgs
|
||||
The pinned sources files are generated with the [niv](https://github.com/nmattia/niv) tool.
|
||||
|
||||
To update the pinned nixpkgs, you simply run the following command:
|
||||
|
||||
```shell
|
||||
niv update
|
||||
```
|
||||
|
||||
To modify the pinned nixpkgs, you can use the `niv modify` command, for example, to move to nixpkgs-unstable:
|
||||
|
||||
```shell
|
||||
niv modify nixpkgs -b nixos-unstable
|
||||
docker load < $(nix-build docker.nix)
|
||||
docker push superboum/cryptpad:???
|
||||
```
|
||||
|
||||
## Quirks
|
||||
|
||||
- The CryptPad `package-lock.json` is included here because the upstream-provided one appeared to be desync'ed, so a
|
||||
manual lockfile generation was needed
|
||||
|
|
22
cluster/prod/app/cryptpad/build/common.nix
Normal file
22
cluster/prod/app/cryptpad/build/common.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
rec {
|
||||
cryptpadVersion = "4.14.1+2";
|
||||
cryptpadCommit = "18c371bb5bda068a5d962dd7c4f0726320eea5e9";
|
||||
|
||||
pkgsSrc = fetchTarball {
|
||||
# Latest commit on https://github.com/NixOS/nixpkgs/tree/nixos-21.11
|
||||
# As of 2022-04-15
|
||||
url ="https://github.com/NixOS/nixpkgs/archive/2f06b87f64bc06229e05045853e0876666e1b023.tar.gz";
|
||||
sha256 = "sha256:1d7zg96xw4qsqh7c89pgha9wkq3rbi9as3k3d88jlxy2z0ns0cy2";
|
||||
};
|
||||
cryptpadSrc = builtins.fetchGit {
|
||||
url = "https://github.com/superboum/cryptpad";
|
||||
ref = "refs/tags/${cryptpadVersion}";
|
||||
rev = cryptpadCommit;
|
||||
};
|
||||
bower2nixSrc = builtins.fetchGit {
|
||||
url = "https://github.com/superboum/bower2nix";
|
||||
ref = "new";
|
||||
rev = "618ab3e206325c63fe4526ae842a1f6c792b0e27";
|
||||
};
|
||||
nodejs = "nodejs-slim-16_x";
|
||||
}
|
|
@ -1,118 +1,77 @@
|
|||
{ lib
|
||||
, stdenvNoCC
|
||||
let
|
||||
common = import ./common.nix;
|
||||
pkgs = import common.pkgsSrc {};
|
||||
nodejs = pkgs.${common.nodejs};
|
||||
|
||||
, buildNpmPackage
|
||||
, fetchFromGitHub
|
||||
bower = (pkgs.buildBowerComponents {
|
||||
name = "cryptpad-${common.cryptpadVersion}-bower";
|
||||
generated = ./nix.lock/bower.nix;
|
||||
src = common.cryptpadSrc;
|
||||
}).overrideAttrs (old: {
|
||||
bowerPackages = old.bowerPackages.override (old_: {
|
||||
# add missing dependencies:
|
||||
# Those dependencies are EOL and they are not installed by buildBowerComponents,
|
||||
# but they are required, otherwise the resolver crashes.
|
||||
# * add the second jquery ~2.1.0 entry
|
||||
# * add the second bootstrap ~3.1.1 entry
|
||||
paths = old_.paths ++ [
|
||||
(pkgs.fetchbower "jquery" "2.1.0" "~2.1.0" "02kwvz93vzpv10qnp7s0dz3al0jh77awwrizb6wadsvgifxssnlr")
|
||||
(pkgs.fetchbower "bootstrap" "3.1.1" "~3.1.1" "06bhjwa8p7mzbpr3jkgydd804z1nwrkdql66h7jkfml99psv9811")
|
||||
];
|
||||
});
|
||||
});
|
||||
|
||||
, nodejs
|
||||
npm = import ./nix.lock/npm.nix {
|
||||
inherit pkgs;
|
||||
};
|
||||
|
||||
, withOnlyOffice ? true
|
||||
}: let
|
||||
onlyOfficeVersions = {
|
||||
v1 = {
|
||||
rev = "4f370bebe96e3a0d4054df87412ee5b2c6ed8aaa";
|
||||
hash = "sha256-TE/99qOx4wT2s0op9wi+SHwqTPYq/H+a9Uus9Zj4iSY=";
|
||||
};
|
||||
v2b = {
|
||||
rev = "d9da72fda95daf93b90ffa345757c47eb5b919dd";
|
||||
hash = "sha256-SiRDRc2vnLwCVnvtk+C8PKw7IeuSzHBaJmZHogRe3hQ=";
|
||||
};
|
||||
v4 = {
|
||||
rev = "6ebc6938b6841440ffad2efc1e23f1dc1ceda964";
|
||||
hash = "sha256-eto1+8Tk/s3kbUCpbUh8qCS8EOq700FYG1/KiHyynaA=";
|
||||
};
|
||||
v5 = {
|
||||
rev = "88a356f08ded2f0f4620bda66951caf1d7f02c21";
|
||||
hash = "sha256-8j1rlAyHlKx6oAs2pIhjPKcGhJFj6ZzahOcgenyeOCc=";
|
||||
};
|
||||
v6 = {
|
||||
rev = "abd8a309f6dd37289f950cd8cea40df4492d8a15";
|
||||
hash = "sha256-BZdExj2q/bqUD3k9uluOot2dlrWKA+vpad49EdgXKww=";
|
||||
};
|
||||
v7 = {
|
||||
rev = "9d8b914a81f0f9e5d0bc3f0fc631adf4b6d480e7";
|
||||
hash = "sha256-M+rPJ/Xo2olhqB5ViynGRaesMLLfG/1ltUoLnepMPnM=";
|
||||
};
|
||||
};
|
||||
mkOnlyOffice = {
|
||||
pname, version
|
||||
}: stdenvNoCC.mkDerivation (final: {
|
||||
pname = "${pname}-onlyoffice";
|
||||
inherit version;
|
||||
in
|
||||
pkgs.stdenv.mkDerivation {
|
||||
name = "cryptpad-${common.cryptpadVersion}";
|
||||
src = common.cryptpadSrc;
|
||||
|
||||
srcs = lib.mapAttrsToList (version: { rev, hash ? lib.fakeHash }: fetchFromGitHub {
|
||||
name = "${final.pname}-${version}-source";
|
||||
owner = "cryptpad";
|
||||
repo = "onlyoffice-builds";
|
||||
inherit rev hash;
|
||||
}) onlyOfficeVersions;
|
||||
buildPhase = ''
|
||||
cp -r ${npm.nodeDependencies}/lib/node_modules node_modules
|
||||
chmod +w -R node_modules
|
||||
|
||||
dontBuild = true;
|
||||
# clear executable files inside the node_modules folder to reduce dependencies
|
||||
# and attack surface
|
||||
find node_modules -type f ! -path 'node_modules/gar/*' -executable -print | tee >(xargs -n 20 rm)
|
||||
|
||||
sourceRoot = ".";
|
||||
# Remove only office that IS BIG
|
||||
# COMMENTED as it is not as easy as planned.
|
||||
# rm -rf www/common/onlyoffice
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
${lib.concatLines (map
|
||||
(version: "cp -Tr ${final.pname}-${version}-source $out/${version}")
|
||||
(builtins.attrNames onlyOfficeVersions)
|
||||
)}
|
||||
mkdir -p $out/{bin,opt}
|
||||
|
||||
out_cryptpad=$out/opt/
|
||||
|
||||
# copy the source code
|
||||
cp -r .bowerrc bower.json package.json package-lock.json customize.dist lib server.js www $out_cryptpad
|
||||
|
||||
# mount node_modules
|
||||
cp -r node_modules $out_cryptpad/node_modules
|
||||
|
||||
# patch
|
||||
substituteInPlace $out_cryptpad/lib/workers/index.js --replace "lib/workers/db-worker" "$out_cryptpad/lib/workers/db-worker"
|
||||
|
||||
# mount bower, based on the .bowerrc file at the git repo root
|
||||
cp -r ${bower}/bower_components $out_cryptpad/www/
|
||||
|
||||
# cryptpad is bugged with absolute path, this is a workaround to use absolute path as relative path
|
||||
ln -s / $out_cryptpad/root
|
||||
|
||||
# start script, cryptpad is lost if its working directory is not its source directory
|
||||
cat > $out/bin/cryptpad <<EOF
|
||||
#!${pkgs.stdenv.shell}
|
||||
cd $out_cryptpad
|
||||
exec ${nodejs}/bin/node server.js
|
||||
EOF
|
||||
|
||||
chmod +x $out/bin/cryptpad
|
||||
'';
|
||||
});
|
||||
in buildNpmPackage rec {
|
||||
pname = "cryptpad";
|
||||
version = "2024.3.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "cryptpad";
|
||||
repo = "cryptpad";
|
||||
rev = version;
|
||||
hash = "sha256-VUW6KvoSatk1/hlzklMQYlSNVH/tdbH+yU4ONUQ0JSQ=";
|
||||
};
|
||||
|
||||
npmDepsHash = "sha256-tvTkoxxioPuNoe8KIuXSP7QQbvcpxMnygsMmzKBQIY0=";
|
||||
|
||||
inherit nodejs;
|
||||
|
||||
onlyOffice = lib.optional withOnlyOffice (mkOnlyOffice {
|
||||
inherit pname version;
|
||||
});
|
||||
|
||||
makeCacheWritable = true;
|
||||
dontFixup = true;
|
||||
|
||||
postPatch = ''
|
||||
cp -T ${./package-lock.json} package-lock.json
|
||||
'';
|
||||
|
||||
preBuild = ''
|
||||
npm run install:components
|
||||
'' + lib.optionalString withOnlyOffice ''
|
||||
ln -s $onlyOffice www/common/onlyoffice/dist
|
||||
'';
|
||||
|
||||
postBuild = ''
|
||||
rm -rf customize
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir -p $out
|
||||
cp -R . $out/
|
||||
|
||||
substituteInPlace $out/lib/workers/index.js \
|
||||
--replace-warn "lib/workers/db-worker" "$out/lib/workers/db-worker"
|
||||
|
||||
makeWrapper ${lib.getExe nodejs} $out/bin/cryptpad-server \
|
||||
--chdir $out \
|
||||
--add-flags server.js
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = {
|
||||
homepage = "https://cryptpad.org";
|
||||
mainProgram = "cryptpad-server";
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
{ name ? "deuxfleurs/cryptpad"
|
||||
, tag ? "nix-latest"
|
||||
}: let
|
||||
sources = import ./nix/sources.nix;
|
||||
pkgs = import sources.nixpkgs {};
|
||||
in rec {
|
||||
cryptpad = pkgs.callPackage ./default.nix {};
|
||||
docker = pkgs.callPackage ./docker.nix {
|
||||
inherit name tag;
|
||||
inherit cryptpad;
|
||||
};
|
||||
}
|
|
@ -1,27 +1,11 @@
|
|||
{ pkgs ? import <nixpkgs> {}
|
||||
|
||||
, name ? "cryptpad"
|
||||
, tag ? "nix-latest"
|
||||
|
||||
, withOnlyOffice ? true
|
||||
|
||||
, cryptpad ? pkgs.callPackage ./default.nix { inherit withOnlyOffice; }
|
||||
}: let
|
||||
cryptpad' = cryptpad.overrideAttrs {
|
||||
postInstall = ''
|
||||
ln -sf /cryptpad/customize $out/customize
|
||||
'';
|
||||
};
|
||||
in pkgs.dockerTools.buildImage {
|
||||
inherit name tag;
|
||||
|
||||
let
|
||||
common = import ./common.nix;
|
||||
pkgs = import common.pkgsSrc {};
|
||||
app = import ./default.nix;
|
||||
in
|
||||
pkgs.dockerTools.buildLayeredImage {
|
||||
name = "superboum/cryptpad";
|
||||
config = {
|
||||
Cmd = [
|
||||
(pkgs.lib.getExe cryptpad')
|
||||
];
|
||||
|
||||
Volumes = {
|
||||
"/cryptpad/customize" = {};
|
||||
Cmd = [ "${app}/bin/cryptpad" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
57
cluster/prod/app/cryptpad/build/nix.lock/bower.json
Normal file
57
cluster/prod/app/cryptpad/build/nix.lock/bower.json
Normal file
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"name": "cryptpad",
|
||||
"version": "0.1.0",
|
||||
"authors": [
|
||||
"Caleb James DeLisle <cjd@cjdns.fr>"
|
||||
],
|
||||
"description": "realtime collaborative visual editor with zero knowlege server",
|
||||
"main": "www/index.html",
|
||||
"moduleType": [
|
||||
"node"
|
||||
],
|
||||
"license": "AGPLv3",
|
||||
"ignore": [
|
||||
"**/.*",
|
||||
"node_modules",
|
||||
"bower_components",
|
||||
"test",
|
||||
"tests"
|
||||
],
|
||||
"dependencies": {
|
||||
"jquery": "3.6.0",
|
||||
"tweetnacl": "0.12.2",
|
||||
"components-font-awesome": "^4.6.3",
|
||||
"ckeditor": "4.14.0",
|
||||
"codemirror": "^5.19.0",
|
||||
"requirejs": "2.3.5",
|
||||
"marked": "1.1.0",
|
||||
"rangy": "rangy-release#~1.3.0",
|
||||
"json.sortify": "~2.1.0",
|
||||
"hyperjson": "~1.4.0",
|
||||
"chainpad-crypto": "^0.2.0",
|
||||
"chainpad-listmap": "^1.0.0",
|
||||
"chainpad": "^5.2.0",
|
||||
"file-saver": "1.3.1",
|
||||
"alertifyjs": "1.0.11",
|
||||
"scrypt-async": "1.2.0",
|
||||
"require-css": "0.1.10",
|
||||
"bootstrap": "^v4.0.0",
|
||||
"diff-dom": "2.1.1",
|
||||
"nthen": "0.1.7",
|
||||
"open-sans-fontface": "^1.4.2",
|
||||
"bootstrap-tokenfield": "0.12.1",
|
||||
"localforage": "^1.5.2",
|
||||
"html2canvas": "^0.4.1",
|
||||
"croppie": "^2.5.0",
|
||||
"sortablejs": "^1.6.0",
|
||||
"saferphore": "^0.0.1",
|
||||
"jszip": "3.7.1",
|
||||
"requirejs-plugins": "^1.0.3",
|
||||
"dragula.js": "3.7.2",
|
||||
"MathJax": "3.0.5"
|
||||
},
|
||||
"resolutions": {
|
||||
"bootstrap": "^v4.0.0",
|
||||
"jquery": "3.6.0"
|
||||
}
|
||||
}
|
37
cluster/prod/app/cryptpad/build/nix.lock/bower.nix
Normal file
37
cluster/prod/app/cryptpad/build/nix.lock/bower.nix
Normal file
|
@ -0,0 +1,37 @@
|
|||
# Generated by bower2nix v3.3.0 (https://github.com/rvl/bower2nix)
|
||||
{ fetchbower, buildEnv }:
|
||||
buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
|
||||
(fetchbower "jquery" "3.6.0" "3.6.0" "1wx5n605x6ga483hba43gxjncgzk8yvxc3h0jlwgpjd0h54y9v6l")
|
||||
(fetchbower "tweetnacl" "0.12.2" "0.12.2" "1lfzbfrdaly3zyzbcp1p53yhxlrx56k8x04q924kg7l52gblm65g")
|
||||
(fetchbower "components-font-awesome" "4.7.0" "^4.6.3" "1w27im6ayjrbgjqa0i49ml5d3wy4ld40h9b29hz9myv77bpx4lg1")
|
||||
(fetchbower "ckeditor" "4.14.0" "4.14.0" "0lw9q0k8c0jlxvf35vrccab9c3c8rgpc6x66czj9si8yy2lyliyp")
|
||||
(fetchbower "codemirror" "5.65.3" "^5.19.0" "0z6pd0q0cy0k0dkplx4f3cmmjqbiixv6wqlzbz5j8dnsxr5hhgzh")
|
||||
(fetchbower "requirejs" "2.3.5" "2.3.5" "05lyvgz914h2w08r24rk0vkk3yxmqrvlg7j3i5av9ffkg9lpzsli")
|
||||
(fetchbower "marked" "1.1.0" "1.1.0" "1sdgqw9iki9c1pfm4c5h6c956mchbip2jywjrcmrlb75k53flsjz")
|
||||
(fetchbower "rangy" "rangy-release#1.3.0" "rangy-release#~1.3.0" "13x3wci003p8jyv2ncir0k23bxckx99b3555r0zvgmlwycg7w0zv")
|
||||
(fetchbower "json.sortify" "2.1.0" "~2.1.0" "1rz9xz0gnm4ak31n10vhslqsw8fw493gjylwj8xsy3bxqq1ygpnh")
|
||||
(fetchbower "hyperjson" "1.4.0" "~1.4.0" "1n68ls3x4lyhg1yy8i4q3xkgh5xqpyakf45sny4x91mkr68x4bd9")
|
||||
(fetchbower "chainpad-crypto" "0.2.7" "^0.2.0" "16j0gjj1v8dckqpsg38229qs4dammz7vx8ywsik6f0brzf4py65a")
|
||||
(fetchbower "chainpad-listmap" "1.0.1" "^1.0.0" "0s2v27hhraifb1yjw5fka4a922zmgsdngsaq1nfd48gbs8gd2rrd")
|
||||
(fetchbower "chainpad" "5.2.4" "^5.2.0" "1f4nap0r8w50qpmjdfhhjhpz5xcl0n4zaxxnav1qaxi5j6dyg8h6")
|
||||
(fetchbower "file-saver" "1.3.1" "1.3.1" "065nzkvdiicxnw06z1sjz1sbp9nyis8z839hv6ng1fk25dc5kvkg")
|
||||
(fetchbower "alertifyjs" "1.0.11" "1.0.11" "0v7323bzq90k35shm3h6azj4wd9la3kbi1va1pw4qyvndkwma69l")
|
||||
(fetchbower "scrypt-async" "1.2.0" "1.2.0" "0d076ax708p9b8hcmk4f82j925nlnm0hmp0ni45ql37g7iirfpyv")
|
||||
(fetchbower "require-css" "0.1.10" "0.1.10" "106gz9i76v71q9zx2pnqkkj342m630lvssnw54023a0ljc0gqcwq")
|
||||
(fetchbower "bootstrap" "4.6.1" "^v4.0.0" "0g8zy1fl396lawgjvfhlpcl38zxsgybhnzi8b6b4m9nccvmpxv83")
|
||||
(fetchbower "diff-dom" "2.1.1" "2.1.1" "0bp8c80g11hhlkvl3lhrqc39jvqiiyqvrgk1nsn35ps01ava07z9")
|
||||
(fetchbower "nthen" "0.1.7" "0.1.7" "03yap5ildigaw4rwxmxs37pcwhq415iham8w39zd56ka98gpfxa5")
|
||||
(fetchbower "open-sans-fontface" "1.4.2" "^1.4.2" "0ksav1fcq640fmdz49ra4prwsrrfj35y2p4shx1jh1j7zxd044nf")
|
||||
(fetchbower "bootstrap-tokenfield" "0.12.1" "0.12.1" "1dh791s6ih8bf9ihck9n39h68c273jb3lg4mqk94bvqraz45fvwx")
|
||||
(fetchbower "localforage" "1.10.0" "^1.5.2" "019rh006v2w5x63mgk78qhw59kf8czbkwdvfngmac8fs6gz88lc8")
|
||||
(fetchbower "html2canvas" "0.4.1" "^0.4.1" "0yg7y90nav068q0i5afc2c221zkddpf28hi0hwc46cawx4180c69")
|
||||
(fetchbower "croppie" "2.6.5" "^2.5.0" "1j1v5620zi13ad42r358i4ay891abwn6nz357484kgq2bgjj6ccx")
|
||||
(fetchbower "sortablejs" "1.15.0" "^1.6.0" "1wk1097jrxbp2c4ghcppqd3h2gnq5b01qkf9426mc08zgszlvjr7")
|
||||
(fetchbower "saferphore" "0.0.1" "^0.0.1" "1wfr9wpbm3lswmvy2p0247ydb108h4qh5s286py89k871qh6jwdi")
|
||||
(fetchbower "jszip" "3.7.1" "3.7.1" "0f14bak7vylxizi6pvj3znjc2cx922avbv7lslklvic85x0318lf")
|
||||
(fetchbower "requirejs-plugins" "1.0.3" "^1.0.3" "00s3sdz1ykygx5shldwhhhybwgw7c99vkqd94i5i5x0gl97ifxf5")
|
||||
(fetchbower "dragula.js" "3.7.2" "3.7.2" "0dbkmrl8bcxiplprmmp9fj96ri5nahb2ql8cc7zwawncv0drvlh0")
|
||||
(fetchbower "MathJax" "3.0.5" "3.0.5" "087a9av15qj43m8pr3b9g59ncmydhmg40m6dfzsac62ykianh2a0")
|
||||
(fetchbower "chainpad-netflux" "1.0.0" "^1.0.0" "08rpc73x1vyvd6zkb7w0m1smzjhq3b7cwb30nlmg93x873zjlsl6")
|
||||
(fetchbower "netflux-websocket" "1.0.0" "^1.0.0" "10hgc5ra3ll7qc2r8aal6p03gx6dgz06l2b54lh995pvf901wzi6")
|
||||
]; }
|
588
cluster/prod/app/cryptpad/build/nix.lock/node-env.nix
Normal file
588
cluster/prod/app/cryptpad/build/nix.lock/node-env.nix
Normal file
|
@ -0,0 +1,588 @@
|
|||
# This file originates from node2nix
|
||||
|
||||
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
|
||||
|
||||
let
|
||||
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
|
||||
utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
|
||||
|
||||
python = if nodejs ? python then nodejs.python else python2;
|
||||
|
||||
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
|
||||
tarWrapper = runCommand "tarWrapper" {} ''
|
||||
mkdir -p $out/bin
|
||||
|
||||
cat > $out/bin/tar <<EOF
|
||||
#! ${stdenv.shell} -e
|
||||
$(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
|
||||
EOF
|
||||
|
||||
chmod +x $out/bin/tar
|
||||
'';
|
||||
|
||||
# Function that generates a TGZ file from a NPM project
|
||||
buildNodeSourceDist =
|
||||
{ name, version, src, ... }:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "node-tarball-${name}-${version}";
|
||||
inherit src;
|
||||
buildInputs = [ nodejs ];
|
||||
buildPhase = ''
|
||||
export HOME=$TMPDIR
|
||||
tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
|
||||
'';
|
||||
installPhase = ''
|
||||
mkdir -p $out/tarballs
|
||||
mv $tgzFile $out/tarballs
|
||||
mkdir -p $out/nix-support
|
||||
echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
|
||||
'';
|
||||
};
|
||||
|
||||
# Common shell logic
|
||||
installPackage = writeShellScript "install-package" ''
|
||||
installPackage() {
|
||||
local packageName=$1 src=$2
|
||||
|
||||
local strippedName
|
||||
|
||||
local DIR=$PWD
|
||||
cd $TMPDIR
|
||||
|
||||
unpackFile $src
|
||||
|
||||
# Make the base dir in which the target dependency resides first
|
||||
mkdir -p "$(dirname "$DIR/$packageName")"
|
||||
|
||||
if [ -f "$src" ]
|
||||
then
|
||||
# Figure out what directory has been unpacked
|
||||
packageDir="$(find . -maxdepth 1 -type d | tail -1)"
|
||||
|
||||
# Restore write permissions to make building work
|
||||
find "$packageDir" -type d -exec chmod u+x {} \;
|
||||
chmod -R u+w "$packageDir"
|
||||
|
||||
# Move the extracted tarball into the output folder
|
||||
mv "$packageDir" "$DIR/$packageName"
|
||||
elif [ -d "$src" ]
|
||||
then
|
||||
# Get a stripped name (without hash) of the source directory.
|
||||
# On old nixpkgs it's already set internally.
|
||||
if [ -z "$strippedName" ]
|
||||
then
|
||||
strippedName="$(stripHash $src)"
|
||||
fi
|
||||
|
||||
# Restore write permissions to make building work
|
||||
chmod -R u+w "$strippedName"
|
||||
|
||||
# Move the extracted directory into the output folder
|
||||
mv "$strippedName" "$DIR/$packageName"
|
||||
fi
|
||||
|
||||
# Change to the package directory to install dependencies
|
||||
cd "$DIR/$packageName"
|
||||
}
|
||||
'';
|
||||
|
||||
# Bundle the dependencies of the package
|
||||
#
|
||||
# Only include dependencies if they don't exist. They may also be bundled in the package.
|
||||
includeDependencies = {dependencies}:
|
||||
lib.optionalString (dependencies != []) (
|
||||
''
|
||||
mkdir -p node_modules
|
||||
cd node_modules
|
||||
''
|
||||
+ (lib.concatMapStrings (dependency:
|
||||
''
|
||||
if [ ! -e "${dependency.name}" ]; then
|
||||
${composePackage dependency}
|
||||
fi
|
||||
''
|
||||
) dependencies)
|
||||
+ ''
|
||||
cd ..
|
||||
''
|
||||
);
|
||||
|
||||
# Recursively composes the dependencies of a package
|
||||
composePackage = { name, packageName, src, dependencies ? [], ... }@args:
|
||||
builtins.addErrorContext "while evaluating node package '${packageName}'" ''
|
||||
installPackage "${packageName}" "${src}"
|
||||
${includeDependencies { inherit dependencies; }}
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
'';
|
||||
|
||||
pinpointDependencies = {dependencies, production}:
|
||||
let
|
||||
pinpointDependenciesFromPackageJSON = writeTextFile {
|
||||
name = "pinpointDependencies.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
function resolveDependencyVersion(location, name) {
|
||||
if(location == process.env['NIX_STORE']) {
|
||||
return null;
|
||||
} else {
|
||||
var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
|
||||
|
||||
if(fs.existsSync(dependencyPackageJSON)) {
|
||||
var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
|
||||
|
||||
if(dependencyPackageObj.name == name) {
|
||||
return dependencyPackageObj.version;
|
||||
}
|
||||
} else {
|
||||
return resolveDependencyVersion(path.resolve(location, ".."), name);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function replaceDependencies(dependencies) {
|
||||
if(typeof dependencies == "object" && dependencies !== null) {
|
||||
for(var dependency in dependencies) {
|
||||
var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
|
||||
|
||||
if(resolvedVersion === null) {
|
||||
process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
|
||||
} else {
|
||||
dependencies[dependency] = resolvedVersion;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* Read the package.json configuration */
|
||||
var packageObj = JSON.parse(fs.readFileSync('./package.json'));
|
||||
|
||||
/* Pinpoint all dependencies */
|
||||
replaceDependencies(packageObj.dependencies);
|
||||
if(process.argv[2] == "development") {
|
||||
replaceDependencies(packageObj.devDependencies);
|
||||
}
|
||||
replaceDependencies(packageObj.optionalDependencies);
|
||||
|
||||
/* Write the fixed package.json file */
|
||||
fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
|
||||
'';
|
||||
};
|
||||
in
|
||||
''
|
||||
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
|
||||
|
||||
${lib.optionalString (dependencies != [])
|
||||
''
|
||||
if [ -d node_modules ]
|
||||
then
|
||||
cd node_modules
|
||||
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
|
||||
cd ..
|
||||
fi
|
||||
''}
|
||||
'';
|
||||
|
||||
# Recursively traverses all dependencies of a package and pinpoints all
|
||||
# dependencies in the package.json file to the versions that are actually
|
||||
# being used.
|
||||
|
||||
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
|
||||
''
|
||||
if [ -d "${packageName}" ]
|
||||
then
|
||||
cd "${packageName}"
|
||||
${pinpointDependencies { inherit dependencies production; }}
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
fi
|
||||
'';
|
||||
|
||||
# Extract the Node.js source code which is used to compile packages with
|
||||
# native bindings
|
||||
nodeSources = runCommand "node-sources" {} ''
|
||||
tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
|
||||
mv node-* $out
|
||||
'';
|
||||
|
||||
# Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
|
||||
addIntegrityFieldsScript = writeTextFile {
|
||||
name = "addintegrityfields.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
function augmentDependencies(baseDir, dependencies) {
|
||||
for(var dependencyName in dependencies) {
|
||||
var dependency = dependencies[dependencyName];
|
||||
|
||||
// Open package.json and augment metadata fields
|
||||
var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
|
||||
var packageJSONPath = path.join(packageJSONDir, "package.json");
|
||||
|
||||
if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
|
||||
console.log("Adding metadata fields to: "+packageJSONPath);
|
||||
var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
|
||||
|
||||
if(dependency.integrity) {
|
||||
packageObj["_integrity"] = dependency.integrity;
|
||||
} else {
|
||||
packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
|
||||
}
|
||||
|
||||
if(dependency.resolved) {
|
||||
packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
|
||||
} else {
|
||||
packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
|
||||
}
|
||||
|
||||
if(dependency.from !== undefined) { // Adopt from property if one has been provided
|
||||
packageObj["_from"] = dependency.from;
|
||||
}
|
||||
|
||||
fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
|
||||
}
|
||||
|
||||
// Augment transitive dependencies
|
||||
if(dependency.dependencies !== undefined) {
|
||||
augmentDependencies(packageJSONDir, dependency.dependencies);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if(fs.existsSync("./package-lock.json")) {
|
||||
var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
|
||||
|
||||
if(![1, 2].includes(packageLock.lockfileVersion)) {
|
||||
process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if(packageLock.dependencies !== undefined) {
|
||||
augmentDependencies(".", packageLock.dependencies);
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
|
||||
reconstructPackageLock = writeTextFile {
|
||||
name = "addintegrityfields.js";
|
||||
text = ''
|
||||
var fs = require('fs');
|
||||
var path = require('path');
|
||||
|
||||
var packageObj = JSON.parse(fs.readFileSync("package.json"));
|
||||
|
||||
var lockObj = {
|
||||
name: packageObj.name,
|
||||
version: packageObj.version,
|
||||
lockfileVersion: 1,
|
||||
requires: true,
|
||||
dependencies: {}
|
||||
};
|
||||
|
||||
function augmentPackageJSON(filePath, dependencies) {
|
||||
var packageJSON = path.join(filePath, "package.json");
|
||||
if(fs.existsSync(packageJSON)) {
|
||||
var packageObj = JSON.parse(fs.readFileSync(packageJSON));
|
||||
dependencies[packageObj.name] = {
|
||||
version: packageObj.version,
|
||||
integrity: "sha1-000000000000000000000000000=",
|
||||
dependencies: {}
|
||||
};
|
||||
processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
|
||||
}
|
||||
}
|
||||
|
||||
function processDependencies(dir, dependencies) {
|
||||
if(fs.existsSync(dir)) {
|
||||
var files = fs.readdirSync(dir);
|
||||
|
||||
files.forEach(function(entry) {
|
||||
var filePath = path.join(dir, entry);
|
||||
var stats = fs.statSync(filePath);
|
||||
|
||||
if(stats.isDirectory()) {
|
||||
if(entry.substr(0, 1) == "@") {
|
||||
// When we encounter a namespace folder, augment all packages belonging to the scope
|
||||
var pkgFiles = fs.readdirSync(filePath);
|
||||
|
||||
pkgFiles.forEach(function(entry) {
|
||||
if(stats.isDirectory()) {
|
||||
var pkgFilePath = path.join(filePath, entry);
|
||||
augmentPackageJSON(pkgFilePath, dependencies);
|
||||
}
|
||||
});
|
||||
} else {
|
||||
augmentPackageJSON(filePath, dependencies);
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
processDependencies("node_modules", lockObj.dependencies);
|
||||
|
||||
fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
|
||||
'';
|
||||
};
|
||||
|
||||
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
|
||||
let
|
||||
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
|
||||
in
|
||||
''
|
||||
# Pinpoint the versions of all dependencies to the ones that are actually being used
|
||||
echo "pinpointing versions of dependencies..."
|
||||
source $pinpointDependenciesScriptPath
|
||||
|
||||
# Patch the shebangs of the bundled modules to prevent them from
|
||||
# calling executables outside the Nix store as much as possible
|
||||
patchShebangs .
|
||||
|
||||
# Deploy the Node.js package by running npm install. Since the
|
||||
# dependencies have been provided already by ourselves, it should not
|
||||
# attempt to install them again, which is good, because we want to make
|
||||
# it Nix's responsibility. If it needs to install any dependencies
|
||||
# anyway (e.g. because the dependency parameters are
|
||||
# incomplete/incorrect), it fails.
|
||||
#
|
||||
# The other responsibilities of NPM are kept -- version checks, build
|
||||
# steps, postprocessing etc.
|
||||
|
||||
export HOME=$TMPDIR
|
||||
cd "${packageName}"
|
||||
runHook preRebuild
|
||||
|
||||
${lib.optionalString bypassCache ''
|
||||
${lib.optionalString reconstructLock ''
|
||||
if [ -f package-lock.json ]
|
||||
then
|
||||
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
|
||||
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
|
||||
rm package-lock.json
|
||||
else
|
||||
echo "No package-lock.json file found, reconstructing..."
|
||||
fi
|
||||
|
||||
node ${reconstructPackageLock}
|
||||
''}
|
||||
|
||||
node ${addIntegrityFieldsScript}
|
||||
''}
|
||||
|
||||
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
|
||||
|
||||
if [ "''${dontNpmInstall-}" != "1" ]
|
||||
then
|
||||
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
|
||||
rm -f npm-shrinkwrap.json
|
||||
|
||||
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
|
||||
fi
|
||||
'';
|
||||
|
||||
# Builds and composes an NPM package including all its dependencies
|
||||
buildNodePackage =
|
||||
{ name
|
||||
, packageName
|
||||
, version
|
||||
, dependencies ? []
|
||||
, buildInputs ? []
|
||||
, production ? true
|
||||
, npmFlags ? ""
|
||||
, dontNpmInstall ? false
|
||||
, bypassCache ? false
|
||||
, reconstructLock ? false
|
||||
, preRebuild ? ""
|
||||
, dontStrip ? true
|
||||
, unpackPhase ? "true"
|
||||
, buildPhase ? "true"
|
||||
, meta ? {}
|
||||
, ... }@args:
|
||||
|
||||
let
|
||||
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
|
||||
in
|
||||
stdenv.mkDerivation ({
|
||||
name = "${name}-${version}";
|
||||
buildInputs = [ tarWrapper python nodejs ]
|
||||
++ lib.optional (stdenv.isLinux) utillinux
|
||||
++ lib.optional (stdenv.isDarwin) libtool
|
||||
++ buildInputs;
|
||||
|
||||
inherit nodejs;
|
||||
|
||||
inherit dontStrip; # Stripping may fail a build for some package deployments
|
||||
inherit dontNpmInstall preRebuild unpackPhase buildPhase;
|
||||
|
||||
compositionScript = composePackage args;
|
||||
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
|
||||
|
||||
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
|
||||
|
||||
installPhase = ''
|
||||
source ${installPackage}
|
||||
|
||||
# Create and enter a root node_modules/ folder
|
||||
mkdir -p $out/lib/node_modules
|
||||
cd $out/lib/node_modules
|
||||
|
||||
# Compose the package and all its dependencies
|
||||
source $compositionScriptPath
|
||||
|
||||
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
|
||||
|
||||
# Create symlink to the deployed executable folder, if applicable
|
||||
if [ -d "$out/lib/node_modules/.bin" ]
|
||||
then
|
||||
ln -s $out/lib/node_modules/.bin $out/bin
|
||||
fi
|
||||
|
||||
# Create symlinks to the deployed manual page folders, if applicable
|
||||
if [ -d "$out/lib/node_modules/${packageName}/man" ]
|
||||
then
|
||||
mkdir -p $out/share
|
||||
for dir in "$out/lib/node_modules/${packageName}/man/"*
|
||||
do
|
||||
mkdir -p $out/share/man/$(basename "$dir")
|
||||
for page in "$dir"/*
|
||||
do
|
||||
ln -s $page $out/share/man/$(basename "$dir")
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
# Run post install hook, if provided
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = {
|
||||
# default to Node.js' platforms
|
||||
platforms = nodejs.meta.platforms;
|
||||
} // meta;
|
||||
} // extraArgs);
|
||||
|
||||
# Builds a node environment (a node_modules folder and a set of binaries)
|
||||
buildNodeDependencies =
|
||||
{ name
|
||||
, packageName
|
||||
, version
|
||||
, src
|
||||
, dependencies ? []
|
||||
, buildInputs ? []
|
||||
, production ? true
|
||||
, npmFlags ? ""
|
||||
, dontNpmInstall ? false
|
||||
, bypassCache ? false
|
||||
, reconstructLock ? false
|
||||
, dontStrip ? true
|
||||
, unpackPhase ? "true"
|
||||
, buildPhase ? "true"
|
||||
, ... }@args:
|
||||
|
||||
let
|
||||
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
|
||||
in
|
||||
stdenv.mkDerivation ({
|
||||
name = "node-dependencies-${name}-${version}";
|
||||
|
||||
buildInputs = [ tarWrapper python nodejs ]
|
||||
++ lib.optional (stdenv.isLinux) utillinux
|
||||
++ lib.optional (stdenv.isDarwin) libtool
|
||||
++ buildInputs;
|
||||
|
||||
inherit dontStrip; # Stripping may fail a build for some package deployments
|
||||
inherit dontNpmInstall unpackPhase buildPhase;
|
||||
|
||||
includeScript = includeDependencies { inherit dependencies; };
|
||||
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
|
||||
|
||||
passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
|
||||
|
||||
installPhase = ''
|
||||
source ${installPackage}
|
||||
|
||||
mkdir -p $out/${packageName}
|
||||
cd $out/${packageName}
|
||||
|
||||
source $includeScriptPath
|
||||
|
||||
# Create fake package.json to make the npm commands work properly
|
||||
cp ${src}/package.json .
|
||||
chmod 644 package.json
|
||||
${lib.optionalString bypassCache ''
|
||||
if [ -f ${src}/package-lock.json ]
|
||||
then
|
||||
cp ${src}/package-lock.json .
|
||||
fi
|
||||
''}
|
||||
|
||||
# Go to the parent folder to make sure that all packages are pinpointed
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
|
||||
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
|
||||
|
||||
# Expose the executables that were installed
|
||||
cd ..
|
||||
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
|
||||
|
||||
mv ${packageName} lib
|
||||
ln -s $out/lib/node_modules/.bin $out/bin
|
||||
'';
|
||||
} // extraArgs);
|
||||
|
||||
# Builds a development shell
|
||||
buildNodeShell =
|
||||
{ name
|
||||
, packageName
|
||||
, version
|
||||
, src
|
||||
, dependencies ? []
|
||||
, buildInputs ? []
|
||||
, production ? true
|
||||
, npmFlags ? ""
|
||||
, dontNpmInstall ? false
|
||||
, bypassCache ? false
|
||||
, reconstructLock ? false
|
||||
, dontStrip ? true
|
||||
, unpackPhase ? "true"
|
||||
, buildPhase ? "true"
|
||||
, ... }@args:
|
||||
|
||||
let
|
||||
nodeDependencies = buildNodeDependencies args;
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
name = "node-shell-${name}-${version}";
|
||||
|
||||
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
|
||||
buildCommand = ''
|
||||
mkdir -p $out/bin
|
||||
cat > $out/bin/shell <<EOF
|
||||
#! ${stdenv.shell} -e
|
||||
$shellHook
|
||||
exec ${stdenv.shell}
|
||||
EOF
|
||||
chmod +x $out/bin/shell
|
||||
'';
|
||||
|
||||
# Provide the dependencies in a development shell through the NODE_PATH environment variable
|
||||
inherit nodeDependencies;
|
||||
shellHook = lib.optionalString (dependencies != []) ''
|
||||
export NODE_PATH=${nodeDependencies}/lib/node_modules
|
||||
export PATH="${nodeDependencies}/bin:$PATH"
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
|
||||
buildNodePackage = lib.makeOverridable buildNodePackage;
|
||||
buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
|
||||
buildNodeShell = lib.makeOverridable buildNodeShell;
|
||||
}
|
756
cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix
Normal file
756
cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix
Normal file
|
@ -0,0 +1,756 @@
|
|||
# This file has been generated by node2nix 1.9.0. Do not edit!
|
||||
|
||||
{nodeEnv, fetchurl, fetchgit, nix-gitignore, stdenv, lib, globalBuildInputs ? []}:
|
||||
|
||||
let
|
||||
sources = {
|
||||
"@mcrowe/minibloom-0.2.0" = {
|
||||
name = "_at_mcrowe_slash_minibloom";
|
||||
packageName = "@mcrowe/minibloom";
|
||||
version = "0.2.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/@mcrowe/minibloom/-/minibloom-0.2.0.tgz";
|
||||
sha1 = "1bed96aec18388198da37443899b2c3ff5948053";
|
||||
};
|
||||
};
|
||||
"accepts-1.3.8" = {
|
||||
name = "accepts";
|
||||
packageName = "accepts";
|
||||
version = "1.3.8";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz";
|
||||
sha512 = "PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==";
|
||||
};
|
||||
};
|
||||
"array-flatten-1.1.1" = {
|
||||
name = "array-flatten";
|
||||
packageName = "array-flatten";
|
||||
version = "1.1.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz";
|
||||
sha1 = "9a5f699051b1e7073328f2a008968b64ea2955d2";
|
||||
};
|
||||
};
|
||||
"async-limiter-1.0.1" = {
|
||||
name = "async-limiter";
|
||||
packageName = "async-limiter";
|
||||
version = "1.0.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.1.tgz";
|
||||
sha512 = "csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==";
|
||||
};
|
||||
};
|
||||
"body-parser-1.18.3" = {
|
||||
name = "body-parser";
|
||||
packageName = "body-parser";
|
||||
version = "1.18.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz";
|
||||
sha1 = "5b292198ffdd553b3a0f20ded0592b956955c8b4";
|
||||
};
|
||||
};
|
||||
"bytes-3.0.0" = {
|
||||
name = "bytes";
|
||||
packageName = "bytes";
|
||||
version = "3.0.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/bytes/-/bytes-3.0.0.tgz";
|
||||
sha1 = "d32815404d689699f85a4ea4fa8755dd13a96048";
|
||||
};
|
||||
};
|
||||
"chainpad-crypto-0.2.7" = {
|
||||
name = "chainpad-crypto";
|
||||
packageName = "chainpad-crypto";
|
||||
version = "0.2.7";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/chainpad-crypto/-/chainpad-crypto-0.2.7.tgz";
|
||||
sha512 = "H2FfFmMwWw4i8XeGVjKUNEmgOnJohlAvc5IpnVnHqCDm6axntpZ15rv9hV70uhzDrmFhlAPW8MoY4roe5PhUyA==";
|
||||
};
|
||||
};
|
||||
"chainpad-server-5.1.0" = {
|
||||
name = "chainpad-server";
|
||||
packageName = "chainpad-server";
|
||||
version = "5.1.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/chainpad-server/-/chainpad-server-5.1.0.tgz";
|
||||
sha512 = "BdjgOOLTXXo1EjQ7lURDe7oqsqfQISNvwhILfp3K3diY2K1hxpPLbjYzOSgxNOTADeOAff0xnInR5eUCESVWaQ==";
|
||||
};
|
||||
};
|
||||
"content-disposition-0.5.2" = {
|
||||
name = "content-disposition";
|
||||
packageName = "content-disposition";
|
||||
version = "0.5.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz";
|
||||
sha1 = "0cf68bb9ddf5f2be7961c3a85178cb85dba78cb4";
|
||||
};
|
||||
};
|
||||
"content-type-1.0.4" = {
|
||||
name = "content-type";
|
||||
packageName = "content-type";
|
||||
version = "1.0.4";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz";
|
||||
sha512 = "hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==";
|
||||
};
|
||||
};
|
||||
"cookie-0.3.1" = {
|
||||
name = "cookie";
|
||||
packageName = "cookie";
|
||||
version = "0.3.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz";
|
||||
sha1 = "e7e0a1f9ef43b4c8ba925c5c5a96e806d16873bb";
|
||||
};
|
||||
};
|
||||
"cookie-signature-1.0.6" = {
|
||||
name = "cookie-signature";
|
||||
packageName = "cookie-signature";
|
||||
version = "1.0.6";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz";
|
||||
sha1 = "e303a882b342cc3ee8ca513a79999734dab3ae2c";
|
||||
};
|
||||
};
|
||||
"debug-2.6.9" = {
|
||||
name = "debug";
|
||||
packageName = "debug";
|
||||
version = "2.6.9";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz";
|
||||
sha512 = "bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==";
|
||||
};
|
||||
};
|
||||
"depd-1.1.2" = {
|
||||
name = "depd";
|
||||
packageName = "depd";
|
||||
version = "1.1.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz";
|
||||
sha1 = "9bcd52e14c097763e749b274c4346ed2e560b5a9";
|
||||
};
|
||||
};
|
||||
"destroy-1.0.4" = {
|
||||
name = "destroy";
|
||||
packageName = "destroy";
|
||||
version = "1.0.4";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz";
|
||||
sha1 = "978857442c44749e4206613e37946205826abd80";
|
||||
};
|
||||
};
|
||||
"ee-first-1.1.1" = {
|
||||
name = "ee-first";
|
||||
packageName = "ee-first";
|
||||
version = "1.1.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz";
|
||||
sha1 = "590c61156b0ae2f4f0255732a158b266bc56b21d";
|
||||
};
|
||||
};
|
||||
"encodeurl-1.0.2" = {
|
||||
name = "encodeurl";
|
||||
packageName = "encodeurl";
|
||||
version = "1.0.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz";
|
||||
sha1 = "ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59";
|
||||
};
|
||||
};
|
||||
"escape-html-1.0.3" = {
|
||||
name = "escape-html";
|
||||
packageName = "escape-html";
|
||||
version = "1.0.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz";
|
||||
sha1 = "0258eae4d3d0c0974de1c169188ef0051d1d1988";
|
||||
};
|
||||
};
|
||||
"etag-1.8.1" = {
|
||||
name = "etag";
|
||||
packageName = "etag";
|
||||
version = "1.8.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz";
|
||||
sha1 = "41ae2eeb65efa62268aebfea83ac7d79299b0887";
|
||||
};
|
||||
};
|
||||
"express-4.16.4" = {
|
||||
name = "express";
|
||||
packageName = "express";
|
||||
version = "4.16.4";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/express/-/express-4.16.4.tgz";
|
||||
sha512 = "j12Uuyb4FMrd/qQAm6uCHAkPtO8FDTRJZBDd5D2KOL2eLaz1yUNdUB/NOIyq0iU4q4cFarsUCrnFDPBcnksuOg==";
|
||||
};
|
||||
};
|
||||
"finalhandler-1.1.1" = {
|
||||
name = "finalhandler";
|
||||
packageName = "finalhandler";
|
||||
version = "1.1.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.1.tgz";
|
||||
sha512 = "Y1GUDo39ez4aHAw7MysnUD5JzYX+WaIj8I57kO3aEPT1fFRL4sr7mjei97FgnwhAyyzRYmQZaTHb2+9uZ1dPtg==";
|
||||
};
|
||||
};
|
||||
"forwarded-0.2.0" = {
|
||||
name = "forwarded";
|
||||
packageName = "forwarded";
|
||||
version = "0.2.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz";
|
||||
sha512 = "buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==";
|
||||
};
|
||||
};
|
||||
"fresh-0.5.2" = {
|
||||
name = "fresh";
|
||||
packageName = "fresh";
|
||||
version = "0.5.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz";
|
||||
sha1 = "3d8cadd90d976569fa835ab1f8e4b23a105605a7";
|
||||
};
|
||||
};
|
||||
"fs-extra-7.0.1" = {
|
||||
name = "fs-extra";
|
||||
packageName = "fs-extra";
|
||||
version = "7.0.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/fs-extra/-/fs-extra-7.0.1.tgz";
|
||||
sha512 = "YJDaCJZEnBmcbw13fvdAM9AwNOJwOzrE4pqMqBq5nFiEqXUqHwlK4B+3pUw6JNvfSPtX05xFHtYy/1ni01eGCw==";
|
||||
};
|
||||
};
|
||||
"gar-1.0.4" = {
|
||||
name = "gar";
|
||||
packageName = "gar";
|
||||
version = "1.0.4";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/gar/-/gar-1.0.4.tgz";
|
||||
sha512 = "w4n9cPWyP7aHxKxYHFQMegj7WIAsL/YX/C4Bs5Rr8s1H9M1rNtRWRsw+ovYMkXDQ5S4ZbYHsHAPmevPjPgw44w==";
|
||||
};
|
||||
};
|
||||
"get-folder-size-2.0.1" = {
|
||||
name = "get-folder-size";
|
||||
packageName = "get-folder-size";
|
||||
version = "2.0.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/get-folder-size/-/get-folder-size-2.0.1.tgz";
|
||||
sha512 = "+CEb+GDCM7tkOS2wdMKTn9vU7DgnKUTuDlehkNJKNSovdCOVxs14OfKCk4cvSaR3za4gj+OBdl9opPN9xrJ0zA==";
|
||||
};
|
||||
};
|
||||
"graceful-fs-4.2.10" = {
|
||||
name = "graceful-fs";
|
||||
packageName = "graceful-fs";
|
||||
version = "4.2.10";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz";
|
||||
sha512 = "9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==";
|
||||
};
|
||||
};
|
||||
"http-errors-1.6.3" = {
|
||||
name = "http-errors";
|
||||
packageName = "http-errors";
|
||||
version = "1.6.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/http-errors/-/http-errors-1.6.3.tgz";
|
||||
sha1 = "8b55680bb4be283a0b5bf4ea2e38580be1d9320d";
|
||||
};
|
||||
};
|
||||
"iconv-lite-0.4.23" = {
|
||||
name = "iconv-lite";
|
||||
packageName = "iconv-lite";
|
||||
version = "0.4.23";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.23.tgz";
|
||||
sha512 = "neyTUVFtahjf0mB3dZT77u+8O0QB89jFdnBkd5P1JgYPbPaia3gXXOVL2fq8VyU2gMMD7SaN7QukTB/pmXYvDA==";
|
||||
};
|
||||
};
|
||||
"inherits-2.0.3" = {
|
||||
name = "inherits";
|
||||
packageName = "inherits";
|
||||
version = "2.0.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz";
|
||||
sha1 = "633c2c83e3da42a502f52466022480f4208261de";
|
||||
};
|
||||
};
|
||||
"ipaddr.js-1.9.1" = {
|
||||
name = "ipaddr.js";
|
||||
packageName = "ipaddr.js";
|
||||
version = "1.9.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz";
|
||||
sha512 = "0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==";
|
||||
};
|
||||
};
|
||||
"jsonfile-4.0.0" = {
|
||||
name = "jsonfile";
|
||||
packageName = "jsonfile";
|
||||
version = "4.0.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/jsonfile/-/jsonfile-4.0.0.tgz";
|
||||
sha1 = "8771aae0799b64076b76640fca058f9c10e33ecb";
|
||||
};
|
||||
};
|
||||
"lex-1.7.9" = {
|
||||
name = "lex";
|
||||
packageName = "lex";
|
||||
version = "1.7.9";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/lex/-/lex-1.7.9.tgz";
|
||||
sha1 = "5d5636ccef574348362938b79a47f0eed8ed0d43";
|
||||
};
|
||||
};
|
||||
"looper-3.0.0" = {
|
||||
name = "looper";
|
||||
packageName = "looper";
|
||||
version = "3.0.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/looper/-/looper-3.0.0.tgz";
|
||||
sha1 = "2efa54c3b1cbaba9b94aee2e5914b0be57fbb749";
|
||||
};
|
||||
};
|
||||
"media-typer-0.3.0" = {
|
||||
name = "media-typer";
|
||||
packageName = "media-typer";
|
||||
version = "0.3.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz";
|
||||
sha1 = "8710d7af0aa626f8fffa1ce00168545263255748";
|
||||
};
|
||||
};
|
||||
"merge-descriptors-1.0.1" = {
|
||||
name = "merge-descriptors";
|
||||
packageName = "merge-descriptors";
|
||||
version = "1.0.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz";
|
||||
sha1 = "b00aaa556dd8b44568150ec9d1b953f3f90cbb61";
|
||||
};
|
||||
};
|
||||
"methods-1.1.2" = {
|
||||
name = "methods";
|
||||
packageName = "methods";
|
||||
version = "1.1.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz";
|
||||
sha1 = "5529a4d67654134edcc5266656835b0f851afcee";
|
||||
};
|
||||
};
|
||||
"mime-1.4.1" = {
|
||||
name = "mime";
|
||||
packageName = "mime";
|
||||
version = "1.4.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/mime/-/mime-1.4.1.tgz";
|
||||
sha512 = "KI1+qOZu5DcW6wayYHSzR/tXKCDC5Om4s1z2QJjDULzLcmf3DvzS7oluY4HCTrc+9FiKmWUgeNLg7W3uIQvxtQ==";
|
||||
};
|
||||
};
|
||||
"mime-db-1.52.0" = {
|
||||
name = "mime-db";
|
||||
packageName = "mime-db";
|
||||
version = "1.52.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz";
|
||||
sha512 = "sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==";
|
||||
};
|
||||
};
|
||||
"mime-types-2.1.35" = {
|
||||
name = "mime-types";
|
||||
packageName = "mime-types";
|
||||
version = "2.1.35";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz";
|
||||
sha512 = "ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==";
|
||||
};
|
||||
};
|
||||
"ms-2.0.0" = {
|
||||
name = "ms";
|
||||
packageName = "ms";
|
||||
version = "2.0.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz";
|
||||
sha1 = "5608aeadfc00be6c2901df5f9861788de0d597c8";
|
||||
};
|
||||
};
|
||||
"negotiator-0.6.3" = {
|
||||
name = "negotiator";
|
||||
packageName = "negotiator";
|
||||
version = "0.6.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz";
|
||||
sha512 = "+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==";
|
||||
};
|
||||
};
|
||||
"netflux-websocket-0.1.21" = {
|
||||
name = "netflux-websocket";
|
||||
packageName = "netflux-websocket";
|
||||
version = "0.1.21";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/netflux-websocket/-/netflux-websocket-0.1.21.tgz";
|
||||
sha512 = "Zjl5lefg8urC0a0T7YCPGiUgRsISZBsTZl1STylmQz8Bq4ohcZ8cP3r6VoCpeVcvJ1Y/e3ZCXPxndWlNP9Jfug==";
|
||||
};
|
||||
};
|
||||
"nthen-0.1.8" = {
|
||||
name = "nthen";
|
||||
packageName = "nthen";
|
||||
version = "0.1.8";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/nthen/-/nthen-0.1.8.tgz";
|
||||
sha512 = "Oh2CwIbhj+wUT94lQV7LKmmgw3UYAGGd8oLIqp6btQN3Bz3PuWp4BuvtUo35H3rqDknjPfKx5P6mt7v+aJNjcw==";
|
||||
};
|
||||
};
|
||||
"on-finished-2.3.0" = {
|
||||
name = "on-finished";
|
||||
packageName = "on-finished";
|
||||
version = "2.3.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz";
|
||||
sha1 = "20f1336481b083cd75337992a16971aa2d906947";
|
||||
};
|
||||
};
|
||||
"parseurl-1.3.3" = {
|
||||
name = "parseurl";
|
||||
packageName = "parseurl";
|
||||
version = "1.3.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz";
|
||||
sha512 = "CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==";
|
||||
};
|
||||
};
|
||||
"path-to-regexp-0.1.7" = {
|
||||
name = "path-to-regexp";
|
||||
packageName = "path-to-regexp";
|
||||
version = "0.1.7";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz";
|
||||
sha1 = "df604178005f522f15eb4490e7247a1bfaa67f8c";
|
||||
};
|
||||
};
|
||||
"proxy-addr-2.0.7" = {
|
||||
name = "proxy-addr";
|
||||
packageName = "proxy-addr";
|
||||
version = "2.0.7";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz";
|
||||
sha512 = "llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==";
|
||||
};
|
||||
};
|
||||
"pull-stream-3.6.14" = {
|
||||
name = "pull-stream";
|
||||
packageName = "pull-stream";
|
||||
version = "3.6.14";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/pull-stream/-/pull-stream-3.6.14.tgz";
|
||||
sha512 = "KIqdvpqHHaTUA2mCYcLG1ibEbu/LCKoJZsBWyv9lSYtPkJPBq8m3Hxa103xHi6D2thj5YXa0TqK3L3GUkwgnew==";
|
||||
};
|
||||
};
|
||||
"qs-6.5.2" = {
|
||||
name = "qs";
|
||||
packageName = "qs";
|
||||
version = "6.5.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz";
|
||||
sha512 = "N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==";
|
||||
};
|
||||
};
|
||||
"range-parser-1.2.1" = {
|
||||
name = "range-parser";
|
||||
packageName = "range-parser";
|
||||
version = "1.2.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz";
|
||||
sha512 = "Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==";
|
||||
};
|
||||
};
|
||||
"raw-body-2.3.3" = {
|
||||
name = "raw-body";
|
||||
packageName = "raw-body";
|
||||
version = "2.3.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/raw-body/-/raw-body-2.3.3.tgz";
|
||||
sha512 = "9esiElv1BrZoI3rCDuOuKCBRbuApGGaDPQfjSflGxdy4oyzqghxu6klEkkVIvBje+FF0BX9coEv8KqW6X/7njw==";
|
||||
};
|
||||
};
|
||||
"safe-buffer-5.1.2" = {
|
||||
name = "safe-buffer";
|
||||
packageName = "safe-buffer";
|
||||
version = "5.1.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz";
|
||||
sha512 = "Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==";
|
||||
};
|
||||
};
|
||||
"safer-buffer-2.1.2" = {
|
||||
name = "safer-buffer";
|
||||
packageName = "safer-buffer";
|
||||
version = "2.1.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz";
|
||||
sha512 = "YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==";
|
||||
};
|
||||
};
|
||||
"saferphore-0.0.1" = {
|
||||
name = "saferphore";
|
||||
packageName = "saferphore";
|
||||
version = "0.0.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/saferphore/-/saferphore-0.0.1.tgz";
|
||||
sha1 = "cc962eda4e2b2452e6437fd32dcfb6f69ef2ea63";
|
||||
};
|
||||
};
|
||||
"send-0.16.2" = {
|
||||
name = "send";
|
||||
packageName = "send";
|
||||
version = "0.16.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/send/-/send-0.16.2.tgz";
|
||||
sha512 = "E64YFPUssFHEFBvpbbjr44NCLtI1AohxQ8ZSiJjQLskAdKuriYEP6VyGEsRDH8ScozGpkaX1BGvhanqCwkcEZw==";
|
||||
};
|
||||
};
|
||||
"serve-static-1.13.2" = {
|
||||
name = "serve-static";
|
||||
packageName = "serve-static";
|
||||
version = "1.13.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/serve-static/-/serve-static-1.13.2.tgz";
|
||||
sha512 = "p/tdJrO4U387R9oMjb1oj7qSMaMfmOyd4j9hOFoxZe2baQszgHcSWjuya/CiT5kgZZKRudHNOA0pYXOl8rQ5nw==";
|
||||
};
|
||||
};
|
||||
"setprototypeof-1.1.0" = {
|
||||
name = "setprototypeof";
|
||||
packageName = "setprototypeof";
|
||||
version = "1.1.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz";
|
||||
sha512 = "BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==";
|
||||
};
|
||||
};
|
||||
"sortify-1.0.4" = {
|
||||
name = "sortify";
|
||||
packageName = "sortify";
|
||||
version = "1.0.4";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/sortify/-/sortify-1.0.4.tgz";
|
||||
sha1 = "f0178687c83231be8a34fc0ec5462ea957b60284";
|
||||
};
|
||||
};
|
||||
"statuses-1.4.0" = {
|
||||
name = "statuses";
|
||||
packageName = "statuses";
|
||||
version = "1.4.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz";
|
||||
sha512 = "zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==";
|
||||
};
|
||||
};
|
||||
"stream-to-pull-stream-1.7.3" = {
|
||||
name = "stream-to-pull-stream";
|
||||
packageName = "stream-to-pull-stream";
|
||||
version = "1.7.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/stream-to-pull-stream/-/stream-to-pull-stream-1.7.3.tgz";
|
||||
sha512 = "6sNyqJpr5dIOQdgNy/xcDWwDuzAsAwVzhzrWlAPAQ7Lkjx/rv0wgvxEyKwTq6FmNd5rjTrELt/CLmaSw7crMGg==";
|
||||
};
|
||||
};
|
||||
"tiny-each-async-2.0.3" = {
|
||||
name = "tiny-each-async";
|
||||
packageName = "tiny-each-async";
|
||||
version = "2.0.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/tiny-each-async/-/tiny-each-async-2.0.3.tgz";
|
||||
sha1 = "8ebbbfd6d6295f1370003fbb37162afe5a0a51d1";
|
||||
};
|
||||
};
|
||||
"tweetnacl-0.12.2" = {
|
||||
name = "tweetnacl";
|
||||
packageName = "tweetnacl";
|
||||
version = "0.12.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.12.2.tgz";
|
||||
sha1 = "bd59f890507856fb0a1136acc3a8b44547e29ddb";
|
||||
};
|
||||
};
|
||||
"type-is-1.6.18" = {
|
||||
name = "type-is";
|
||||
packageName = "type-is";
|
||||
version = "1.6.18";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz";
|
||||
sha512 = "TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==";
|
||||
};
|
||||
};
|
||||
"ulimit-0.0.2" = {
|
||||
name = "ulimit";
|
||||
packageName = "ulimit";
|
||||
version = "0.0.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/ulimit/-/ulimit-0.0.2.tgz";
|
||||
sha1 = "2b51f9dc8381ae4102636cec5eb338c2630588a0";
|
||||
};
|
||||
};
|
||||
"ultron-1.1.1" = {
|
||||
name = "ultron";
|
||||
packageName = "ultron";
|
||||
version = "1.1.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/ultron/-/ultron-1.1.1.tgz";
|
||||
sha512 = "UIEXBNeYmKptWH6z8ZnqTeS8fV74zG0/eRU9VGkpzz+LIJNs8W/zM/L+7ctCkRrgbNnnR0xxw4bKOr0cW0N0Og==";
|
||||
};
|
||||
};
|
||||
"universalify-0.1.2" = {
|
||||
name = "universalify";
|
||||
packageName = "universalify";
|
||||
version = "0.1.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz";
|
||||
sha512 = "rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==";
|
||||
};
|
||||
};
|
||||
"unpipe-1.0.0" = {
|
||||
name = "unpipe";
|
||||
packageName = "unpipe";
|
||||
version = "1.0.0";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz";
|
||||
sha1 = "b2bf4ee8514aae6165b4817829d21b2ef49904ec";
|
||||
};
|
||||
};
|
||||
"utils-merge-1.0.1" = {
|
||||
name = "utils-merge";
|
||||
packageName = "utils-merge";
|
||||
version = "1.0.1";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz";
|
||||
sha1 = "9f95710f50a267947b2ccc124741c1028427e713";
|
||||
};
|
||||
};
|
||||
"vary-1.1.2" = {
|
||||
name = "vary";
|
||||
packageName = "vary";
|
||||
version = "1.1.2";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz";
|
||||
sha1 = "2299f02c6ded30d4a5961b0b9f74524a18f634fc";
|
||||
};
|
||||
};
|
||||
"ws-3.3.3" = {
|
||||
name = "ws";
|
||||
packageName = "ws";
|
||||
version = "3.3.3";
|
||||
src = fetchurl {
|
||||
url = "https://registry.npmjs.org/ws/-/ws-3.3.3.tgz";
|
||||
sha512 = "nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==";
|
||||
};
|
||||
};
|
||||
};
|
||||
args = {
|
||||
name = "cryptpad";
|
||||
packageName = "cryptpad";
|
||||
version = "4.14.1";
|
||||
src = ./.;
|
||||
dependencies = [
|
||||
sources."@mcrowe/minibloom-0.2.0"
|
||||
sources."accepts-1.3.8"
|
||||
sources."array-flatten-1.1.1"
|
||||
sources."async-limiter-1.0.1"
|
||||
sources."body-parser-1.18.3"
|
||||
sources."bytes-3.0.0"
|
||||
sources."chainpad-crypto-0.2.7"
|
||||
sources."chainpad-server-5.1.0"
|
||||
sources."content-disposition-0.5.2"
|
||||
sources."content-type-1.0.4"
|
||||
sources."cookie-0.3.1"
|
||||
sources."cookie-signature-1.0.6"
|
||||
sources."debug-2.6.9"
|
||||
sources."depd-1.1.2"
|
||||
sources."destroy-1.0.4"
|
||||
sources."ee-first-1.1.1"
|
||||
sources."encodeurl-1.0.2"
|
||||
sources."escape-html-1.0.3"
|
||||
sources."etag-1.8.1"
|
||||
sources."express-4.16.4"
|
||||
sources."finalhandler-1.1.1"
|
||||
sources."forwarded-0.2.0"
|
||||
sources."fresh-0.5.2"
|
||||
sources."fs-extra-7.0.1"
|
||||
sources."gar-1.0.4"
|
||||
sources."get-folder-size-2.0.1"
|
||||
sources."graceful-fs-4.2.10"
|
||||
sources."http-errors-1.6.3"
|
||||
sources."iconv-lite-0.4.23"
|
||||
sources."inherits-2.0.3"
|
||||
sources."ipaddr.js-1.9.1"
|
||||
sources."jsonfile-4.0.0"
|
||||
sources."lex-1.7.9"
|
||||
sources."looper-3.0.0"
|
||||
sources."media-typer-0.3.0"
|
||||
sources."merge-descriptors-1.0.1"
|
||||
sources."methods-1.1.2"
|
||||
sources."mime-db-1.52.0"
|
||||
sources."mime-types-2.1.35"
|
||||
sources."ms-2.0.0"
|
||||
sources."negotiator-0.6.3"
|
||||
sources."netflux-websocket-0.1.21"
|
||||
sources."nthen-0.1.8"
|
||||
sources."on-finished-2.3.0"
|
||||
sources."parseurl-1.3.3"
|
||||
sources."path-to-regexp-0.1.7"
|
||||
sources."proxy-addr-2.0.7"
|
||||
sources."pull-stream-3.6.14"
|
||||
sources."qs-6.5.2"
|
||||
sources."range-parser-1.2.1"
|
||||
sources."raw-body-2.3.3"
|
||||
sources."safe-buffer-5.1.2"
|
||||
sources."safer-buffer-2.1.2"
|
||||
sources."saferphore-0.0.1"
|
||||
(sources."send-0.16.2" // {
|
||||
dependencies = [
|
||||
sources."mime-1.4.1"
|
||||
];
|
||||
})
|
||||
sources."serve-static-1.13.2"
|
||||
sources."setprototypeof-1.1.0"
|
||||
sources."sortify-1.0.4"
|
||||
sources."statuses-1.4.0"
|
||||
sources."stream-to-pull-stream-1.7.3"
|
||||
sources."tiny-each-async-2.0.3"
|
||||
sources."tweetnacl-0.12.2"
|
||||
sources."type-is-1.6.18"
|
||||
sources."ulimit-0.0.2"
|
||||
sources."ultron-1.1.1"
|
||||
sources."universalify-0.1.2"
|
||||
sources."unpipe-1.0.0"
|
||||
sources."utils-merge-1.0.1"
|
||||
sources."vary-1.1.2"
|
||||
sources."ws-3.3.3"
|
||||
];
|
||||
buildInputs = globalBuildInputs;
|
||||
meta = {
|
||||
description = "realtime collaborative visual editor with zero knowlege server";
|
||||
license = "AGPL-3.0+";
|
||||
};
|
||||
production = true;
|
||||
bypassCache = true;
|
||||
reconstructLock = false;
|
||||
};
|
||||
in
|
||||
{
|
||||
args = args;
|
||||
sources = sources;
|
||||
tarball = nodeEnv.buildNodeSourceDist args;
|
||||
package = nodeEnv.buildNodePackage args;
|
||||
shell = nodeEnv.buildNodeShell args;
|
||||
nodeDependencies = nodeEnv.buildNodeDependencies (lib.overrideExisting args {
|
||||
src = stdenv.mkDerivation {
|
||||
name = args.name + "-package-json";
|
||||
src = nix-gitignore.gitignoreSourcePure [
|
||||
"*"
|
||||
"!package.json"
|
||||
"!package-lock.json"
|
||||
] args.src;
|
||||
dontBuild = true;
|
||||
installPhase = "mkdir -p $out; cp -r ./* $out;";
|
||||
};
|
||||
});
|
||||
}
|
17
cluster/prod/app/cryptpad/build/nix.lock/npm.nix
Normal file
17
cluster/prod/app/cryptpad/build/nix.lock/npm.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
# This file has been generated by node2nix 1.9.0. Do not edit!
|
||||
|
||||
{pkgs ? import <nixpkgs> {
|
||||
inherit system;
|
||||
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
|
||||
|
||||
let
|
||||
nodeEnv = import ./node-env.nix {
|
||||
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
|
||||
inherit pkgs nodejs;
|
||||
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
|
||||
};
|
||||
in
|
||||
import ./node-packages.nix {
|
||||
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
|
||||
inherit nodeEnv;
|
||||
}
|
6618
cluster/prod/app/cryptpad/build/nix.lock/package-lock.json
generated
Normal file
6618
cluster/prod/app/cryptpad/build/nix.lock/package-lock.json
generated
Normal file
File diff suppressed because it is too large
Load diff
55
cluster/prod/app/cryptpad/build/nix.lock/package.json
Normal file
55
cluster/prod/app/cryptpad/build/nix.lock/package.json
Normal file
|
@ -0,0 +1,55 @@
|
|||
{
|
||||
"name": "cryptpad",
|
||||
"description": "realtime collaborative visual editor with zero knowlege server",
|
||||
"version": "4.14.1",
|
||||
"license": "AGPL-3.0+",
|
||||
"repository": {
|
||||
"type": "git",
|
||||
"url": "git+https://github.com/xwiki-labs/cryptpad.git"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/cryptpad"
|
||||
},
|
||||
"dependencies": {
|
||||
"@mcrowe/minibloom": "^0.2.0",
|
||||
"chainpad-crypto": "^0.2.5",
|
||||
"chainpad-server": "^5.1.0",
|
||||
"express": "~4.16.0",
|
||||
"fs-extra": "^7.0.0",
|
||||
"get-folder-size": "^2.0.1",
|
||||
"netflux-websocket": "^0.1.20",
|
||||
"nthen": "0.1.8",
|
||||
"pull-stream": "^3.6.1",
|
||||
"saferphore": "0.0.1",
|
||||
"sortify": "^1.0.4",
|
||||
"stream-to-pull-stream": "^1.7.2",
|
||||
"tweetnacl": "~0.12.2",
|
||||
"ulimit": "0.0.2",
|
||||
"ws": "^3.3.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"jshint": "^2.13.4",
|
||||
"less": "3.7.1",
|
||||
"lesshint": "6.3.7",
|
||||
"selenium-webdriver": "^3.6.0"
|
||||
},
|
||||
"scripts": {
|
||||
"start": "node server.js",
|
||||
"dev": "DEV=1 node server.js",
|
||||
"fresh": "FRESH=1 node server.js",
|
||||
"offline": "FRESH=1 OFFLINE=1 node server.js",
|
||||
"offlinedev": "DEV=1 OFFLINE=1 node server.js",
|
||||
"package": "PACKAGE=1 node server.js",
|
||||
"lint": "jshint --config .jshintrc --exclude-path .jshintignore . && ./node_modules/lesshint/bin/lesshint -c ./.lesshintrc ./customize.dist/src/less2/",
|
||||
"lint:js": "jshint --config .jshintrc --exclude-path .jshintignore .",
|
||||
"lint:server": "jshint --config .jshintrc lib",
|
||||
"lint:less": "./node_modules/lesshint/bin/lesshint -c ./.lesshintrc ./customize.dist/src/less2/",
|
||||
"lint:translations": "node ./scripts/translations/lint-translations.js",
|
||||
"unused-translations": "node ./scripts/translations/unused-translations.js",
|
||||
"test": "node scripts/TestSelenium.js",
|
||||
"test-rpc": "cd scripts/tests && node test-rpc",
|
||||
"template": "cd customize.dist/src && for page in ../index.html ../privacy.html ../terms.html ../contact.html ../what-is-cryptpad.html ../features.html ../../www/login/index.html ../../www/register/index.html ../../www/user/index.html;do echo $page; cp template.html $page; done;",
|
||||
"evict-inactive": "node scripts/evict-inactive.js"
|
||||
}
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
{
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-23.11",
|
||||
"description": "Nix Packages collection",
|
||||
"homepage": null,
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
|
||||
"sha256": "0yqbwqbripb1bbhlwjfbqmg9qb0lai2fc0k1vfh674d6rrc8igwv",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/53a2c32bc66f5ae41a28d7a9a49d321172af621e.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
}
|
||||
}
|
|
@ -1,198 +0,0 @@
|
|||
# This file has been generated by Niv.
|
||||
|
||||
let
|
||||
|
||||
#
|
||||
# The fetchers. fetch_<type> fetches specs of type <type>.
|
||||
#
|
||||
|
||||
fetch_file = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
|
||||
else
|
||||
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
|
||||
|
||||
fetch_tarball = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
|
||||
|
||||
fetch_git = name: spec:
|
||||
let
|
||||
ref =
|
||||
spec.ref or (
|
||||
if spec ? branch then "refs/heads/${spec.branch}" else
|
||||
if spec ? tag then "refs/tags/${spec.tag}" else
|
||||
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
|
||||
);
|
||||
submodules = spec.submodules or false;
|
||||
submoduleArg =
|
||||
let
|
||||
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
|
||||
emptyArgWithWarning =
|
||||
if submodules
|
||||
then
|
||||
builtins.trace
|
||||
(
|
||||
"The niv input \"${name}\" uses submodules "
|
||||
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
|
||||
+ "does not support them"
|
||||
)
|
||||
{ }
|
||||
else { };
|
||||
in
|
||||
if nixSupportsSubmodules
|
||||
then { inherit submodules; }
|
||||
else emptyArgWithWarning;
|
||||
in
|
||||
builtins.fetchGit
|
||||
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
|
||||
|
||||
fetch_local = spec: spec.path;
|
||||
|
||||
fetch_builtin-tarball = name: throw
|
||||
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=tarball -a builtin=true'';
|
||||
|
||||
fetch_builtin-url = name: throw
|
||||
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=file -a builtin=true'';
|
||||
|
||||
#
|
||||
# Various helpers
|
||||
#
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
|
||||
sanitizeName = name:
|
||||
(
|
||||
concatMapStrings (s: if builtins.isList s then "-" else s)
|
||||
(
|
||||
builtins.split "[^[:alnum:]+._?=-]+"
|
||||
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
|
||||
)
|
||||
);
|
||||
|
||||
# The set of packages used when specs are fetched using non-builtins.
|
||||
mkPkgs = sources: system:
|
||||
let
|
||||
sourcesNixpkgs =
|
||||
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
|
||||
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
|
||||
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
|
||||
in
|
||||
if builtins.hasAttr "nixpkgs" sources
|
||||
then sourcesNixpkgs
|
||||
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
|
||||
import <nixpkgs> { }
|
||||
else
|
||||
abort
|
||||
''
|
||||
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
|
||||
add a package called "nixpkgs" to your sources.json.
|
||||
'';
|
||||
|
||||
# The actual fetching function.
|
||||
fetch = pkgs: name: spec:
|
||||
|
||||
if ! builtins.hasAttr "type" spec then
|
||||
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
|
||||
else if spec.type == "file" then fetch_file pkgs name spec
|
||||
else if spec.type == "tarball" then fetch_tarball pkgs name spec
|
||||
else if spec.type == "git" then fetch_git name spec
|
||||
else if spec.type == "local" then fetch_local spec
|
||||
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
|
||||
else if spec.type == "builtin-url" then fetch_builtin-url name
|
||||
else
|
||||
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
|
||||
|
||||
# If the environment variable NIV_OVERRIDE_${name} is set, then use
|
||||
# the path directly as opposed to the fetched source.
|
||||
replace = name: drv:
|
||||
let
|
||||
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
|
||||
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
|
||||
in
|
||||
if ersatz == "" then drv else
|
||||
# this turns the string into an actual Nix path (for both absolute and
|
||||
# relative paths)
|
||||
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
|
||||
|
||||
# Ports of functions for older nix versions
|
||||
|
||||
# a Nix version of mapAttrs if the built-in doesn't exist
|
||||
mapAttrs = builtins.mapAttrs or (
|
||||
f: set: with builtins;
|
||||
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
|
||||
);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
|
||||
range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
|
||||
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
|
||||
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
|
||||
concatMapStrings = f: list: concatStrings (map f list);
|
||||
concatStrings = builtins.concatStringsSep "";
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
|
||||
optionalAttrs = cond: as: if cond then as else { };
|
||||
|
||||
# fetchTarball version that is compatible between all the versions of Nix
|
||||
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchTarball;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
|
||||
else
|
||||
fetchTarball attrs;
|
||||
|
||||
# fetchurl version that is compatible between all the versions of Nix
|
||||
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchurl;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
|
||||
else
|
||||
fetchurl attrs;
|
||||
|
||||
# Create the final "sources" from the config
|
||||
mkSources = config:
|
||||
mapAttrs
|
||||
(
|
||||
name: spec:
|
||||
if builtins.hasAttr "outPath" spec
|
||||
then
|
||||
abort
|
||||
"The values in sources.json should not have an 'outPath' attribute"
|
||||
else
|
||||
spec // { outPath = replace name (fetch config.pkgs name spec); }
|
||||
)
|
||||
config.sources;
|
||||
|
||||
# The "config" used by the fetchers
|
||||
mkConfig =
|
||||
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
|
||||
, sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
|
||||
, system ? builtins.currentSystem
|
||||
, pkgs ? mkPkgs sources system
|
||||
}: {
|
||||
# The sources, i.e. the attribute set of spec name to spec
|
||||
inherit sources;
|
||||
|
||||
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
|
||||
inherit pkgs;
|
||||
};
|
||||
|
||||
in
|
||||
mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }
|
6000
cluster/prod/app/cryptpad/build/package-lock.json
generated
6000
cluster/prod/app/cryptpad/build/package-lock.json
generated
File diff suppressed because it is too large
Load diff
31
cluster/prod/app/cryptpad/build/shell.nix
Normal file
31
cluster/prod/app/cryptpad/build/shell.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
let
|
||||
common = import ./common.nix;
|
||||
pkgs = import common.pkgsSrc {};
|
||||
|
||||
bower2nixRepo = (import common.bower2nixSrc {
|
||||
inherit pkgs;
|
||||
});
|
||||
bower2nix = bower2nixRepo // {
|
||||
package = bower2nixRepo.package.override {
|
||||
postInstall = "tsc";
|
||||
};
|
||||
};
|
||||
in
|
||||
pkgs.mkShell {
|
||||
nativeBuildInputs = [
|
||||
bower2nix.package
|
||||
pkgs.nodePackages.node2nix
|
||||
];
|
||||
|
||||
shellHook = ''
|
||||
function update_lock {
|
||||
set -exuo pipefail
|
||||
mkdir -p nix.lock
|
||||
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/package.json -O nix.lock/package.json
|
||||
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/package-lock.json -O nix.lock/package-lock.json
|
||||
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/bower.json -O nix.lock/bower.json
|
||||
${bower2nix.package}/bin/bower2nix nix.lock/bower.json nix.lock/bower.nix
|
||||
${pkgs.nodePackages.node2nix}/bin/node2nix --input nix.lock/package.json --lock nix.lock/package-lock.json --composition nix.lock/npm.nix --node-env nix.lock/node-env.nix --output nix.lock/node-packages.nix
|
||||
}
|
||||
'';
|
||||
}
|
|
@ -114,9 +114,7 @@ module.exports = {
|
|||
adminKeys: [
|
||||
"[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
|
||||
"[adrn@pad.deuxfleurs.fr/PxDpkPwd-jDJWkfWdAzFX7wtnLpnPlBeYZ4MmoEYS6E=]",
|
||||
"[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]",
|
||||
"[trinity-1686a@pad.deuxfleurs.fr/Pu6Ef03jEsAGBbZI6IOdKd6+5pORD5N51QIYt4-Ys1c=]",
|
||||
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]"
|
||||
"[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]"
|
||||
],
|
||||
|
||||
/* =====================
|
||||
|
@ -190,7 +188,7 @@ module.exports = {
|
|||
* Specify a directory where files should be stored.
|
||||
* It will be created automatically if it does not already exist.
|
||||
*/
|
||||
filePath: '/mnt/datastore/',
|
||||
filePath: './root/mnt/datastore/',
|
||||
|
||||
/* CryptPad offers the ability to archive data for a configurable period
|
||||
* before deleting it, allowing a means of recovering data in the event
|
||||
|
@ -199,36 +197,36 @@ module.exports = {
|
|||
* To set the location of this archive directory to a custom value, change
|
||||
* the path below:
|
||||
*/
|
||||
archivePath: '/mnt/data/archive',
|
||||
archivePath: './root/mnt/data/archive',
|
||||
|
||||
/* CryptPad allows logged in users to request that particular documents be
|
||||
* stored by the server indefinitely. This is called 'pinning'.
|
||||
* Pin requests are stored in a pin-store. The location of this store is
|
||||
* defined here.
|
||||
*/
|
||||
pinPath: '/mnt/data/pins',
|
||||
pinPath: './root/mnt/data/pins',
|
||||
|
||||
/* if you would like the list of scheduled tasks to be stored in
|
||||
a custom location, change the path below:
|
||||
*/
|
||||
taskPath: '/mnt/data/tasks',
|
||||
taskPath: './root/mnt/data/tasks',
|
||||
|
||||
/* if you would like users' authenticated blocks to be stored in
|
||||
a custom location, change the path below:
|
||||
*/
|
||||
blockPath: '/mnt/block',
|
||||
blockPath: './root/mnt/block',
|
||||
|
||||
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
|
||||
* are stored in a 'blob-store'. Set its location here.
|
||||
*/
|
||||
blobPath: '/mnt/blob',
|
||||
blobPath: './root/mnt/blob',
|
||||
|
||||
/* CryptPad stores incomplete blobs in a 'staging' area until they are
|
||||
* fully uploaded. Set its location here.
|
||||
*/
|
||||
blobStagingPath: '/mnt/data/blobstage',
|
||||
blobStagingPath: './root/mnt/data/blobstage',
|
||||
|
||||
decreePath: '/mnt/data/decrees',
|
||||
decreePath: './root/mnt/data/decrees',
|
||||
|
||||
/* CryptPad supports logging events directly to the disk in a 'logs' directory
|
||||
* Set its location here, or set it to false (or nothing) if you'd rather not log
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
job "cryptpad" {
|
||||
datacenters = ["scorpio"]
|
||||
datacenters = ["neptune"]
|
||||
type = "service"
|
||||
|
||||
group "cryptpad" {
|
||||
|
@ -22,20 +22,20 @@ job "cryptpad" {
|
|||
constraint {
|
||||
attribute = "${attr.unique.hostname}"
|
||||
operator = "="
|
||||
value = "abricot"
|
||||
value = "concombre"
|
||||
}
|
||||
|
||||
config {
|
||||
image = "kokakiwi/cryptpad:2024.3.0"
|
||||
image = "superboum/cryptpad:0p3s44hjh4s1x55kbwkmywmwmx4wfyb8"
|
||||
ports = [ "http" ]
|
||||
|
||||
volumes = [
|
||||
"/mnt/ssd/cryptpad:/mnt",
|
||||
"secrets/config.js:/cryptpad/config.js",
|
||||
"secrets/config.js:/etc/cryptpad/config.js",
|
||||
]
|
||||
}
|
||||
env {
|
||||
CRYPTPAD_CONFIG = "/cryptpad/config.js"
|
||||
CRYPTPAD_CONFIG = "/etc/cryptpad/config.js"
|
||||
}
|
||||
|
||||
template {
|
||||
|
@ -63,8 +63,6 @@ job "cryptpad" {
|
|||
"tricot pad-sandbox.deuxfleurs.fr",
|
||||
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
|
||||
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
|
||||
"d53-cname pad.deuxfleurs.fr",
|
||||
"d53-cname pad-sandbox.deuxfleurs.fr",
|
||||
]
|
||||
check {
|
||||
type = "http"
|
||||
|
|
10
cluster/prod/app/drone-ci/config/litestream.yml
Normal file
10
cluster/prod/app/drone-ci/config/litestream.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
dbs:
|
||||
- path: /ephemeral/drone.db
|
||||
replicas:
|
||||
- url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
|
||||
region: garage
|
||||
endpoint: https://garage.deuxfleurs.fr
|
||||
access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
|
||||
secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
|
||||
force-path-style: true
|
||||
sync-interval: 60s
|
138
cluster/prod/app/drone-ci/deploy/server.hcl
Normal file
138
cluster/prod/app/drone-ci/deploy/server.hcl
Normal file
|
@ -0,0 +1,138 @@
|
|||
job "drone-ci" {
|
||||
datacenters = ["neptune", "scorpio"]
|
||||
type = "service"
|
||||
|
||||
group "server" {
|
||||
count = 1
|
||||
|
||||
network {
|
||||
port "web_port" {
|
||||
to = 80
|
||||
}
|
||||
}
|
||||
|
||||
task "restore-db" {
|
||||
lifecycle {
|
||||
hook = "prestart"
|
||||
sidecar = false
|
||||
}
|
||||
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "litestream/litestream:0.3.9"
|
||||
args = [
|
||||
"restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
|
||||
]
|
||||
volumes = [
|
||||
"../alloc/data:/ephemeral",
|
||||
"secrets/litestream.yml:/etc/litestream.yml"
|
||||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data = file("../config/litestream.yml")
|
||||
destination = "secrets/litestream.yml"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 200
|
||||
cpu = 100
|
||||
}
|
||||
}
|
||||
|
||||
task "drone_server" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "drone/drone:2.14.0"
|
||||
ports = [ "web_port" ]
|
||||
|
||||
volumes = [
|
||||
"../alloc/data:/ephemeral",
|
||||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
|
||||
DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
|
||||
DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
|
||||
DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
|
||||
DRONE_SERVER_HOST=drone.deuxfleurs.fr
|
||||
DRONE_SERVER_PROTO=https
|
||||
DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
|
||||
DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
|
||||
AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
|
||||
AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
|
||||
AWS_DEFAULT_REGION=garage
|
||||
AWS_REGION=garage
|
||||
DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
|
||||
DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
|
||||
DRONE_S3_PATH_STYLE=true
|
||||
DRONE_DATABASE_DRIVER=sqlite3
|
||||
DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
|
||||
DRONE_USER_CREATE=username:lx-admin,admin:true
|
||||
DRONE_REGISTRATION_CLOSED=true
|
||||
DRONE_LOGS_DEBUG=true
|
||||
DRONE_LOGS_TRACE=true
|
||||
EOH
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 100
|
||||
memory = 200
|
||||
}
|
||||
|
||||
service {
|
||||
name = "drone"
|
||||
tags = [
|
||||
"drone",
|
||||
"tricot drone.deuxfleurs.fr",
|
||||
"d53-cname drone.deuxfleurs.fr",
|
||||
]
|
||||
port = "web_port"
|
||||
address_mode = "host"
|
||||
check {
|
||||
type = "http"
|
||||
protocol = "http"
|
||||
port = "web_port"
|
||||
path = "/"
|
||||
interval = "60s"
|
||||
timeout = "5s"
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "600s"
|
||||
ignore_warnings = false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
task "replicate-db" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "litestream/litestream:0.3.9"
|
||||
entrypoint = [ "/bin/sh" ]
|
||||
args = [
|
||||
"-c",
|
||||
"echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
|
||||
]
|
||||
volumes = [
|
||||
"../alloc/data:/ephemeral",
|
||||
"secrets/litestream.yml:/etc/litestream.yml"
|
||||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data = file("../config/litestream.yml")
|
||||
destination = "secrets/litestream.yml"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 200
|
||||
cpu = 100
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
69
cluster/prod/app/drone-ci/integration/README.md
Normal file
69
cluster/prod/app/drone-ci/integration/README.md
Normal file
|
@ -0,0 +1,69 @@
|
|||
## Install Debian
|
||||
|
||||
We recommend Debian Bullseye
|
||||
|
||||
## Install Docker CE from docker.io
|
||||
|
||||
Do not use the docker engine shipped by Debian
|
||||
|
||||
Doc:
|
||||
|
||||
- https://docs.docker.com/engine/install/debian/
|
||||
- https://docs.docker.com/compose/install/
|
||||
|
||||
On a fresh install, as root:
|
||||
|
||||
```bash
|
||||
apt-get remove -y docker docker-engine docker.io containerd runc
|
||||
apt-get update
|
||||
apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update
|
||||
apt-get install -y docker-ce docker-ce-cli containerd.io
|
||||
|
||||
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
|
||||
chmod +x /usr/local/bin/docker-compose
|
||||
```
|
||||
|
||||
## Install the runner
|
||||
|
||||
*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
|
||||
|
||||
|
||||
```bash
|
||||
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
|
||||
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
|
||||
|
||||
# Edit the docker-compose.yml to adapt its variables to your needs,
|
||||
# especially the capacitiy value and its name.
|
||||
COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
|
||||
```
|
||||
|
||||
That's all folks.
|
||||
|
||||
## Check if a given job is built by your runner
|
||||
|
||||
```bash
|
||||
export URL=https://drone.deuxfleurs.fr
|
||||
export REPO=Deuxfleurs/garage
|
||||
export BUILD=1312
|
||||
curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
|
||||
| jq -c '[.stages[] | { name: .name, machine: .machine }]'
|
||||
```
|
||||
|
||||
It will give you the following result:
|
||||
|
||||
```json
|
||||
[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
|
||||
```
|
||||
|
||||
## Random note
|
||||
|
||||
*This part might be deprecated!*
|
||||
|
||||
This setup is done mainly to allow nix builds with some cache.
|
||||
To use the cache in Drone, you must set your repository as trusted.
|
||||
The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
|
||||
the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.
|
||||
|
54
cluster/prod/app/drone-ci/integration/docker-compose.yml
Normal file
54
cluster/prod/app/drone-ci/integration/docker-compose.yml
Normal file
|
@ -0,0 +1,54 @@
|
|||
version: '3.4'
|
||||
services:
|
||||
nix-daemon:
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
restart: always
|
||||
command: nix-daemon
|
||||
privileged: true
|
||||
volumes:
|
||||
- "nix:/nix"
|
||||
- "./nix.conf:/etc/nix/nix.conf:ro"
|
||||
|
||||
drone-runner:
|
||||
image: drone/drone-runner-docker:1.8.2
|
||||
restart: always
|
||||
environment:
|
||||
- DRONE_RPC_PROTO=https
|
||||
- DRONE_RPC_HOST=drone.deuxfleurs.fr
|
||||
- DRONE_RPC_SECRET=${DRONE_SECRET}
|
||||
- DRONE_RUNNER_CAPACITY=3
|
||||
- DRONE_DEBUG=true
|
||||
- DRONE_LOGS_TRACE=true
|
||||
- DRONE_RPC_DUMP_HTTP=true
|
||||
- DRONE_RPC_DUMP_HTTP_BODY=true
|
||||
- DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
|
||||
- DRONE_RUNNER_LABELS=nix-daemon:1
|
||||
# we should put "nix:/nix:ro but it is not supported by
|
||||
# drone-runner-docker because the dependency envconfig does
|
||||
# not support having two colons (:) in the same stanza.
|
||||
# Without the RO flag (or using docker userns), build isolation
|
||||
# is broken.
|
||||
# https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
|
||||
# https://github.com/kelseyhightower/envconfig/pull/153
|
||||
#
|
||||
# A workaround for isolation is to configure docker with a userns,
|
||||
# so even if the folder is writable to root, it is not to any non
|
||||
# privileged docker daemon ran by drone!
|
||||
- DRONE_RUNNER_VOLUMES=drone_nix:/nix
|
||||
- DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
|
||||
ports:
|
||||
- "3000:3000/tcp"
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
|
||||
drone-gc:
|
||||
image: drone/gc:latest
|
||||
restart: always
|
||||
environment:
|
||||
- GC_DEBUG=true
|
||||
- GC_CACHE=10gb
|
||||
- GC_INTERVAL=10m
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
volumes:
|
||||
nix:
|
48
cluster/prod/app/drone-ci/secrets.toml
Normal file
48
cluster/prod/app/drone-ci/secrets.toml
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Drone's secrets
|
||||
|
||||
[secrets."drone-ci/rpc_secret"]
|
||||
type = 'command'
|
||||
command = 'openssl rand -hex 16'
|
||||
# don't rotate, it would break all runners
|
||||
|
||||
[secrets."drone-ci/cookie_secret"]
|
||||
type = 'command'
|
||||
rotate = true
|
||||
command = 'openssl rand -hex 16'
|
||||
|
||||
[secrets."drone-ci/db_enc_secret"]
|
||||
type = 'command'
|
||||
command = 'openssl rand -hex 16'
|
||||
# don't rotate, it is used to encrypt data which we would lose if we change this
|
||||
|
||||
|
||||
# Oauth config for gitea
|
||||
|
||||
[secrets."drone-ci/oauth_client_secret"]
|
||||
type = 'user'
|
||||
description = 'OAuth client secret (for gitea)'
|
||||
|
||||
[secrets."drone-ci/oauth_client_id"]
|
||||
type = 'user'
|
||||
description = 'OAuth client ID (on Gitea)'
|
||||
|
||||
|
||||
# S3 config for Git LFS storage
|
||||
|
||||
[secrets."drone-ci/s3_db_bucket"]
|
||||
type = 'constant'
|
||||
value = 'drone-db'
|
||||
|
||||
[secrets."drone-ci/s3_sk"]
|
||||
type = 'user'
|
||||
description = 'S3 (garage) secret key for Drone'
|
||||
|
||||
[secrets."drone-ci/s3_ak"]
|
||||
type = 'user'
|
||||
description = 'S3 (garage) access key for Drone'
|
||||
|
||||
[secrets."drone-ci/s3_storage_bucket"]
|
||||
type = 'constant'
|
||||
value = 'drone-storage'
|
||||
|
||||
|
|
@ -5,5 +5,3 @@
|
|||
*@pointecouteau.com smtp._domainkey.deuxfleurs.fr
|
||||
*@maycausesideeffects.com smtp._domainkey.deuxfleurs.fr
|
||||
*@e-x-t-r-a-c-t.me smtp._domainkey.deuxfleurs.fr
|
||||
*@courderec.re smtp._domainkey.deuxfleurs.fr
|
||||
*@trinity.fr.eu.org smtp._domainkey.deuxfleurs.fr
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
job "email-android7" {
|
||||
datacenters = ["neptune", "bespin"]
|
||||
datacenters = ["neptune"]
|
||||
type = "service"
|
||||
priority = 100
|
||||
|
||||
|
|
|
@ -6,8 +6,6 @@ db_engine = "lmdb"
|
|||
|
||||
replication_mode = "3"
|
||||
|
||||
metadata_auto_snapshot_interval = "24h"
|
||||
|
||||
# IPv6 config using the ipv6 address statically defined in Nomad's node metadata
|
||||
# make sure to put back double { and } if re-enabling this
|
||||
#rpc_bind_addr = "[{ env "meta.public_ipv6" }]:3901"
|
||||
|
|
|
@ -26,7 +26,7 @@ job "garage" {
|
|||
task "server" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "dxflrs/garage:v1.0.0-rc1"
|
||||
image = "dxflrs/garage:v0.9.0"
|
||||
command = "/garage"
|
||||
args = [ "server" ]
|
||||
network_mode = "host"
|
||||
|
|
|
@ -368,8 +368,7 @@ var config = {
|
|||
|
||||
// Message to show the users. Example: 'The service will be down for
|
||||
// maintenance at 01:00 AM GMT,
|
||||
// Does only support plaintext. No line skip.
|
||||
// noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
|
||||
// noticeMessage: '',
|
||||
|
||||
// Enables calendar integration, depends on googleApiApplicationClientID
|
||||
// and microsoftApiApplicationClientID
|
||||
|
|
|
@ -37,12 +37,6 @@ http {
|
|||
access_log /dev/stdout;
|
||||
server_names_hash_bucket_size 64;
|
||||
|
||||
# Log real IPs
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
real_ip_header X-Forwarded-For;
|
||||
|
||||
# inspired by https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/master/web/rootfs/defaults/meet.conf
|
||||
server {
|
||||
#listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
|
||||
|
@ -91,16 +85,7 @@ http {
|
|||
# tcp_nodelay on;
|
||||
#}
|
||||
|
||||
|
||||
location ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch" {
|
||||
return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
|
||||
}
|
||||
|
||||
location = /http-bind {
|
||||
if ($args ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch") {
|
||||
return 403 'forbidden';
|
||||
}
|
||||
|
||||
# We add CORS to use a different frontend which is useful for load testing as we do not want to advertise too much our URL
|
||||
add_header 'Access-Control-Allow-Headers' 'content-type';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';
|
||||
|
|
|
@ -112,11 +112,6 @@ EOF
|
|||
]
|
||||
}
|
||||
|
||||
logs {
|
||||
max_files = 25
|
||||
max_file_size = 10
|
||||
}
|
||||
|
||||
template {
|
||||
data = file("../config/config.js")
|
||||
destination = "secrets/config.js"
|
||||
|
|
73
cluster/prod/app/matrix/deploy/im-android7.hcl
Normal file
73
cluster/prod/app/matrix/deploy/im-android7.hcl
Normal file
|
@ -0,0 +1,73 @@
|
|||
// Fichier de configuration pour exposer le service Matrix
|
||||
// avec une version TLS compatible avec Android 7
|
||||
// Voir https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/src/branch/main/cluster/prod/app/email/integration
|
||||
|
||||
|
||||
|
||||
job "im-android7" {
|
||||
datacenters = ["scorpio", "neptune"]
|
||||
type = "service"
|
||||
priority = 100
|
||||
|
||||
group "rsa-ecc-proxy" {
|
||||
network {
|
||||
port "api_port" { static = 18008 }
|
||||
// port "web_port" { to = 8043 }
|
||||
}
|
||||
|
||||
task "api-proxy" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "alpine/socat:1.8.0.0"
|
||||
readonly_rootfs = true
|
||||
ports = [ "api_port" ]
|
||||
network_mode = "host"
|
||||
args = [
|
||||
"openssl-listen:18008,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
|
||||
"tcp:synapse.service.prod.consul:8008",
|
||||
]
|
||||
volumes = [
|
||||
"secrets/certs:/var/secrets"
|
||||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/chat/tls-tls-proxy/rsa.crt\" }}"
|
||||
destination = "secrets/certs/rsa.crt"
|
||||
}
|
||||
template {
|
||||
data = "{{ key \"secrets/chat/tls-tls-proxy/rsa.key\" }}"
|
||||
destination = "secrets/certs/rsa.key"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
memory = 50
|
||||
}
|
||||
|
||||
service {
|
||||
name = "im-android7"
|
||||
port = "api_port"
|
||||
address_mode = "host"
|
||||
tags = [
|
||||
"rsa-ecc-proxy",
|
||||
"(diplonat (tcp_port 18008))",
|
||||
"d53-a im-android7.deuxfleurs.fr",
|
||||
# ipv6 is commented for now as socat does not listen on ipv6 now
|
||||
# "d53-aaaa im-android7.deuxfleurs.fr"
|
||||
]
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "api_port"
|
||||
interval = "60s"
|
||||
timeout = "5s"
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "90s"
|
||||
ignore_warnings = false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -19,7 +19,7 @@ job "telemetry-service" {
|
|||
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "litestream/litestream:0.3.13"
|
||||
image = "litestream/litestream:0.3.9"
|
||||
args = [
|
||||
"restore", "-config", "/etc/litestream.yml", "/ephemeral/grafana.db"
|
||||
]
|
||||
|
@ -45,7 +45,7 @@ job "telemetry-service" {
|
|||
task "grafana" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "grafana/grafana:10.3.4"
|
||||
image = "grafana/grafana:10.0.3"
|
||||
network_mode = "host"
|
||||
ports = [ "grafana" ]
|
||||
volumes = [
|
||||
|
@ -108,7 +108,7 @@ EOH
|
|||
task "replicate-db" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "litestream/litestream:0.3.13"
|
||||
image = "litestream/litestream:0.3.7"
|
||||
args = [
|
||||
"replicate", "-config", "/etc/litestream.yml"
|
||||
]
|
||||
|
|
|
@ -70,8 +70,7 @@ job "telemetry-storage" {
|
|||
}
|
||||
|
||||
resources {
|
||||
memory = 1500
|
||||
memory_max = 4000
|
||||
memory = 1000
|
||||
cpu = 1000
|
||||
}
|
||||
|
||||
|
|
|
@ -1,159 +0,0 @@
|
|||
job "woodpecker-ci" {
|
||||
datacenters = ["neptune", "scorpio"]
|
||||
type = "service"
|
||||
|
||||
group "server" {
|
||||
count = 1
|
||||
|
||||
network {
|
||||
port "web_port" {
|
||||
static = 14080
|
||||
to = 14080
|
||||
}
|
||||
port "grpc_port" {
|
||||
static = 14090
|
||||
to = 14090
|
||||
}
|
||||
port "grpc_tls_port" {
|
||||
static = 14453
|
||||
to = 14453
|
||||
}
|
||||
}
|
||||
|
||||
task "server" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "woodpeckerci/woodpecker-server:v2.3.0"
|
||||
ports = [ "web_port", "grpc_port" ]
|
||||
network_mode = "host"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
WOODPECKER_OPEN=true
|
||||
WOODPECKER_ORGS=Deuxfleurs
|
||||
WOODPECKER_ADMIN=lx
|
||||
|
||||
WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
|
||||
WOODPECKER_AGENT_SECRET={{ key "secrets/woodpecker-ci/agent_secret" }}
|
||||
|
||||
# secret encryption is broken in woodpecker currently
|
||||
# WOODPECKER_ENCRYPTION_KEY={{ key "secrets/woodpecker-ci/secrets_encryption_key" }}
|
||||
|
||||
WOODPECKER_SERVER_ADDR=[::]:14080
|
||||
WOODPECKER_GRPC_ADDR=[::]:14090
|
||||
# WOODPECKER_GRPC_SECRET={{ key "secrets/woodpecker-ci/grpc_secret" }}
|
||||
|
||||
WOODPECKER_DATABASE_DRIVER=postgres
|
||||
WOODPECKER_DATABASE_DATASOURCE=postgres://woodpecker:{{ key "secrets/woodpecker-ci/db_password" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/woodpecker?sslmode=disable
|
||||
|
||||
WOODPECKER_GITEA=true
|
||||
WOODPECKER_GITEA_URL=https://git.deuxfleurs.fr
|
||||
WOODPECKER_GITEA_CLIENT={{ key "secrets/woodpecker-ci/oauth_client_id" }}
|
||||
WOODPECKER_GITEA_SECRET={{ key "secrets/woodpecker-ci/oauth_client_secret" }}
|
||||
|
||||
WOODPECKER_LOG_LEVEL=debug
|
||||
WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
|
||||
EOH
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 100
|
||||
memory = 200
|
||||
}
|
||||
|
||||
service {
|
||||
name = "woodpecker"
|
||||
tags = [
|
||||
"woodpecker",
|
||||
"tricot woodpecker.deuxfleurs.fr",
|
||||
"d53-cname woodpecker.deuxfleurs.fr",
|
||||
]
|
||||
port = "web_port"
|
||||
address_mode = "host"
|
||||
/*
|
||||
check {
|
||||
type = "http"
|
||||
protocol = "http"
|
||||
port = "web_port"
|
||||
path = "/"
|
||||
interval = "60s"
|
||||
timeout = "5s"
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "600s"
|
||||
ignore_warnings = false
|
||||
}
|
||||
}
|
||||
*/
|
||||
}
|
||||
service {
|
||||
name = "woodpecker-grpc"
|
||||
tags = [
|
||||
"woodpecker-grpc",
|
||||
]
|
||||
port = "grpc_port"
|
||||
address_mode = "host"
|
||||
}
|
||||
}
|
||||
|
||||
task "grpc_tls" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "nginx:1.25.3"
|
||||
ports = [ "grpc_tls_port" ]
|
||||
volumes = [
|
||||
"secrets/ssl/certs:/etc/ssl/certs",
|
||||
"secrets/ssl/private:/etc/ssl/private",
|
||||
"secrets/conf/:/etc/nginx/",
|
||||
]
|
||||
network_mode = "host"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
events {}
|
||||
http {
|
||||
server {
|
||||
listen 0.0.0.0:14453 ssl;
|
||||
listen [::]:14453 ssl;
|
||||
http2 on;
|
||||
server_name woodpecker.deuxfleurs.fr;
|
||||
|
||||
ssl_certificate "/etc/ssl/certs/woodpecker.cert";
|
||||
ssl_certificate_key "/etc/ssl/certs/woodpecker.key";
|
||||
|
||||
location / {
|
||||
grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
|
||||
}
|
||||
}
|
||||
}
|
||||
EOH
|
||||
destination = "secrets/conf/nginx.conf"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
|
||||
destination = "secrets/ssl/certs/woodpecker.key"
|
||||
}
|
||||
template {
|
||||
data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
|
||||
destination = "secrets/ssl/certs/woodpecker.cert"
|
||||
}
|
||||
|
||||
service {
|
||||
name = "woodpecker-grpc-tls"
|
||||
tags = [
|
||||
"woodpecker-grpc-tls",
|
||||
"d53-a woodpecker-grpc.deuxfleurs.fr",
|
||||
"d53-aaaa woodpecker-grpc.deuxfleurs.fr",
|
||||
"(diplonat (tcp_port 14453))"
|
||||
]
|
||||
port = "grpc_tls_port"
|
||||
address_mode = "host"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,54 +0,0 @@
|
|||
## Install Debian
|
||||
|
||||
We recommend Debian Bullseye
|
||||
|
||||
## Install Docker CE from docker.io
|
||||
|
||||
Do not use the docker engine shipped by Debian
|
||||
|
||||
Doc:
|
||||
|
||||
- https://docs.docker.com/engine/install/debian/
|
||||
- https://docs.docker.com/compose/install/
|
||||
|
||||
On a fresh install, as root:
|
||||
|
||||
```bash
|
||||
# Remove all pre-existing packages
|
||||
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do apt-get remove $pkg; done
|
||||
|
||||
# Add Docker's official GPG key:
|
||||
apt-get update
|
||||
apt-get install ca-certificates curl
|
||||
install -m 0755 -d /etc/apt/keyrings
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
|
||||
chmod a+r /etc/apt/keyrings/docker.asc
|
||||
|
||||
# Add the repository to Apt sources:
|
||||
echo \
|
||||
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
|
||||
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
|
||||
tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||
apt-get update
|
||||
|
||||
# Install Docker
|
||||
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||
```
|
||||
|
||||
## Install the runner
|
||||
|
||||
```bash
|
||||
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/woodpecker-ci/integration/nix.conf
|
||||
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/woodpecker-ci/integration/docker-compose.yml
|
||||
```
|
||||
|
||||
Create a new Agent for your runner in the Woodpecker admin, and copy the agent secret value.
|
||||
|
||||
Edit `docker-compose.yml` and insert your agent secret as the value for WOODPECKER_AGENT_SECRET.
|
||||
Update other values including hostname and max workflows for your runner.
|
||||
|
||||
```bash
|
||||
COMPOSE_PROJECT_NAME=woodpecker docker-compose up -d
|
||||
```
|
||||
|
||||
That's all folks.
|
|
@ -1,33 +0,0 @@
|
|||
version: '3.4'
|
||||
services:
|
||||
nix-daemon:
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
restart: always
|
||||
command: nix-daemon
|
||||
privileged: true
|
||||
volumes:
|
||||
- "nix:/nix"
|
||||
- "./nix.conf:/etc/nix/nix.conf:ro"
|
||||
|
||||
woodpecker-runner:
|
||||
image: woodpeckerci/woodpecker-agent:v2.3.0
|
||||
restart: always
|
||||
environment:
|
||||
# -- change these for each agent
|
||||
- WOODPECKER_HOSTNAME=i_forgot_to_change_my_runner_name
|
||||
- WOODPECKER_AGENT_SECRET=xxxx
|
||||
- WOODPECKER_MAX_WORKFLOWS=4
|
||||
# -- if not using COMPOSE_PROJECT_NAME=woodpecker, change name of volume to mount
|
||||
- WOODPECKER_BACKEND_DOCKER_VOLUMES=woodpecker_nix:/nix:ro
|
||||
# -- should not need change
|
||||
- WOODPECKER_SERVER=woodpecker-grpc.deuxfleurs.fr:14453
|
||||
- WOODPECKER_HEALTHCHECK=false
|
||||
- WOODPECKER_GRPC_SECURE=true
|
||||
- WOODPECKER_LOG_LEVEL=info
|
||||
- WOODPECKER_DEBUG_PRETTY=true
|
||||
- WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
|
||||
volumes:
|
||||
nix:
|
|
@ -11,21 +11,20 @@
|
|||
siteName = "neptune";
|
||||
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
|
||||
address = "10.83.1.1";
|
||||
endpoint = "82.67.87.112:33731";
|
||||
endpoint = "77.207.15.215:33731";
|
||||
};
|
||||
"courgette" = {
|
||||
siteName = "neptune";
|
||||
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
|
||||
address = "10.83.1.2";
|
||||
endpoint = "82.67.87.112:33732";
|
||||
endpoint = "77.207.15.215:33732";
|
||||
};
|
||||
"celeri" = {
|
||||
siteName = "neptune";
|
||||
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
|
||||
address = "10.83.1.3";
|
||||
endpoint = "82.67.87.112:33733";
|
||||
endpoint = "77.207.15.215:33733";
|
||||
};
|
||||
/*
|
||||
"dahlia" = {
|
||||
siteName = "orion";
|
||||
publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
|
||||
|
@ -44,24 +43,23 @@
|
|||
address = "10.83.2.3";
|
||||
endpoint = "82.66.80.201:33733";
|
||||
};
|
||||
*/
|
||||
"df-ykl" = {
|
||||
siteName = "bespin";
|
||||
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
|
||||
address = "10.83.3.1";
|
||||
endpoint = "109.136.139.78:33731";
|
||||
endpoint = "109.136.55.235:33731";
|
||||
};
|
||||
"df-ymf" = {
|
||||
siteName = "bespin";
|
||||
publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
|
||||
address = "10.83.3.2";
|
||||
endpoint = "109.136.139.78:33732";
|
||||
endpoint = "109.136.55.235:33732";
|
||||
};
|
||||
"df-ymk" = {
|
||||
siteName = "bespin";
|
||||
publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
|
||||
address = "10.83.3.3";
|
||||
endpoint = "109.136.139.78:33733";
|
||||
endpoint = "109.136.55.235:33733";
|
||||
};
|
||||
"abricot" = {
|
||||
siteName = "scorpio";
|
||||
|
@ -77,10 +75,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Pin Nomad version
|
||||
services.nomad.package = pkgs.nomad_1_6;
|
||||
nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
|
||||
|
||||
# Bootstrap IPs for Consul cluster,
|
||||
# these are IPs on the Wireguard overlay
|
||||
services.consul.extraConfig.retry_join = [
|
||||
|
@ -124,19 +118,6 @@
|
|||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
|
||||
];
|
||||
armael = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
|
||||
];
|
||||
marion = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzOhSTEOudBWCHi5wHc6MP0xjJJhuIDZEcx+hP6kz9N"
|
||||
];
|
||||
darkgallium = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJX0A2P59or83EKhh32o8XumGz0ToTEsoq89hMbMtr7h"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB540H9kn+Ocs4Wjc1Y3f3OkHFYEqc5IM/FiCyoVVoh3"
|
||||
];
|
||||
kokakiwi = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
|
||||
];
|
||||
};
|
||||
|
||||
# For Garage external communication
|
||||
|
|
|
@ -26,19 +26,73 @@ curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: app
|
|||
{
|
||||
"Datacenter": "prod",
|
||||
"Node": "spoutnik",
|
||||
"Address": "192.168.1.51",
|
||||
"Address": "192.168.1.60",
|
||||
"NodeMeta": {
|
||||
"site": "scorpio",
|
||||
"cname_target": "scorpio.site.deuxfleurs.fr."
|
||||
},
|
||||
"Service": {
|
||||
"Service": "adrien-nginx",
|
||||
"Tags": [
|
||||
"tricot-https *.luxeylab.net",
|
||||
"tricot-https *.zinz.dev"
|
||||
],
|
||||
"Address": "192.168.1.51",
|
||||
"Tags": ["tricot-https *.luxeylab.net"],
|
||||
"Address": "192.168.1.60",
|
||||
"Port": 443
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
# Orsay (neptune): Alex's personnal stuff
|
||||
|
||||
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
|
||||
{
|
||||
"Datacenter": "prod",
|
||||
"Node": "lindy",
|
||||
"Address": "192.168.1.184",
|
||||
"NodeMeta": {
|
||||
"site": "neptune",
|
||||
"cname_target": "neptune.site.deuxfleurs.fr."
|
||||
},
|
||||
"Service": {
|
||||
"Service": "lx-apimdev",
|
||||
"Tags": ["tricot apimdev.adnab.me"],
|
||||
"Address": "192.168.1.184",
|
||||
"Port": 8910
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
|
||||
{
|
||||
"Datacenter": "prod",
|
||||
"Node": "lindy",
|
||||
"Address": "192.168.1.184",
|
||||
"NodeMeta": {
|
||||
"site": "neptune",
|
||||
"cname_target": "neptune.site.deuxfleurs.fr."
|
||||
},
|
||||
"Service": {
|
||||
"Service": "lx-apimtest",
|
||||
"Tags": ["tricot apimtest.adnab.me"],
|
||||
"Address": "192.168.1.184",
|
||||
"Port": 8920
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
|
||||
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
|
||||
{
|
||||
"Datacenter": "prod",
|
||||
"Node": "www.isomorphis.me",
|
||||
"Address": "192.168.1.24",
|
||||
"NodeMeta": {
|
||||
"site": "neptune",
|
||||
"cname_target": "neptune.site.deuxfleurs.fr."
|
||||
},
|
||||
"Service": {
|
||||
"Service": "isomorphis.me-web",
|
||||
"Tags": ["tricot *.isomorphis.me"],
|
||||
"Address": "192.168.1.24",
|
||||
"Port": 5000
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
{
|
||||
deuxfleurs.siteName = "neptune";
|
||||
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
|
||||
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
|
||||
deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr.";
|
||||
deuxfleurs.publicIPv4 = "77.207.15.215";
|
||||
}
|
||||
|
|
|
@ -26,8 +26,8 @@ job "garage-staging" {
|
|||
packages = [
|
||||
"#bash", # so that we can enter a shell inside container
|
||||
"#coreutils",
|
||||
# garage v1.0.0-rc1 as of 2024-03-28
|
||||
"git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=next-0.10&rev=afad62939e071621666ca7255f7164f92c4475bb"
|
||||
# garage v0.9.1-rc
|
||||
"git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=main&rev=9cfeea389a1274d4d3c1f4b7072b0c056af410ef",
|
||||
]
|
||||
command = "garage"
|
||||
args = [ "server" ]
|
||||
|
@ -38,7 +38,7 @@ job "garage-staging" {
|
|||
}
|
||||
|
||||
env = {
|
||||
RUST_LOG = "garage=info,garage_api=debug",
|
||||
RUST_LOG = "garage=debug",
|
||||
}
|
||||
|
||||
# files currently owned by root, we don't want to chown everything
|
||||
|
|
|
@ -33,7 +33,7 @@ job "im" {
|
|||
]
|
||||
command = "litestream"
|
||||
args = [
|
||||
"restore", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db"
|
||||
"restore", "-v", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db"
|
||||
]
|
||||
bind = {
|
||||
"../alloc/data" = "/ephemeral",
|
||||
|
@ -55,7 +55,6 @@ job "im" {
|
|||
task "synapse" {
|
||||
driver = "nix2"
|
||||
config {
|
||||
nixpkgs = "github:nixos/nixpkgs/nixos-23.11"
|
||||
packages = [
|
||||
"#cacert",
|
||||
"#bash",
|
||||
|
|
|
@ -14,7 +14,7 @@ job "telemetry-service" {
|
|||
constraint {
|
||||
attribute = "${attr.unique.hostname}"
|
||||
operator = "set_contains_any"
|
||||
value = "df-pw5,origan"
|
||||
value = "carcajou,origan"
|
||||
}
|
||||
|
||||
task "prometheus" {
|
||||
|
@ -39,7 +39,7 @@ job "telemetry-service" {
|
|||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
||||
data = "{{ key \"secrets/consul/consul.crt\" }}"
|
||||
destination = "etc/prom/consul.crt"
|
||||
}
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, ... } @ args:
|
||||
{ config, pkgs, ... } @ args:
|
||||
|
||||
{
|
||||
deuxfleurs.clusterName = "staging";
|
||||
|
@ -7,6 +7,12 @@
|
|||
deuxfleurs.clusterPrefix = "10.14.0.0/16";
|
||||
|
||||
deuxfleurs.clusterNodes = {
|
||||
"carcajou" = {
|
||||
siteName = "neptune";
|
||||
publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
|
||||
address = "10.14.1.2";
|
||||
endpoint = "77.207.15.215:33722";
|
||||
};
|
||||
"caribou" = {
|
||||
siteName = "neptune";
|
||||
publicKey = "lABn/axzD1jkFulX8c+K3B3CbKXORlIMDDoe8sQVxhs=";
|
||||
|
@ -70,6 +76,9 @@
|
|||
baptiste = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnGkJZZrHIUp9q0DXmVLLuhCIe7Vu1J3j6dJ1z1BglqX7yOLdFQ6LhHXx65aND/KCOM1815tJSnaAyKWEj9qJ31RVUoRl42yBn54DvQumamJUaXAHqJrXhjwxfUkF9B73ZSUzHGADlQnxcBkmrjC5FkrpC/s4xr0o7/GIBkBdtZhX9YpxBfpH6wEcCruTOlm92E3HvvjpBb/wHsoxL1f2czvWe69021gqWEYRFjqtBwP36NYZnGOJZ0RrlP3wUrGCSHxOKW+2Su+tM6g07KPJn5l1wNJiOcyBQ0/Sv7ptCJ9+rTQNeVBMoXshaucYP/bKJbqH7dONrYDgz59C4+Kax"
|
||||
];
|
||||
armael = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
|
||||
];
|
||||
aeddis = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoFf9fMYwLOpmiXKgn4Rs99YCj94SU1V0gwGXR5N4Md"
|
||||
];
|
||||
|
@ -82,16 +91,6 @@
|
|||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
|
||||
];
|
||||
armael = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
|
||||
];
|
||||
marion = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzOhSTEOudBWCHi5wHc6MP0xjJJhuIDZEcx+hP6kz9N"
|
||||
];
|
||||
darkgallium = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJX0A2P59or83EKhh32o8XumGz0ToTEsoq89hMbMtr7h"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB540H9kn+Ocs4Wjc1Y3f3OkHFYEqc5IM/FiCyoVVoh3"
|
||||
];
|
||||
};
|
||||
|
||||
# For Garage ipv6 communication
|
||||
|
@ -99,16 +98,13 @@
|
|||
|
||||
## ===== EXPERIMENTAL SECTION FOR STAGING CLUSTER =====
|
||||
|
||||
# Test nomad 1.6
|
||||
services.nomad.package = pkgs.nomad_1_6;
|
||||
nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
|
||||
|
||||
# We're doing lots of experiments so GC periodically is usefull.
|
||||
nix.gc.automatic = true;
|
||||
|
||||
imports = [
|
||||
## ---- Nix Nomad jobs using nomad-driver-nix2 ----
|
||||
({ pkgs, ... }: {
|
||||
services.nomad.dropPrivileges = false;
|
||||
services.nomad.extraSettingsPlugins = [
|
||||
(import ./nomad-driver-nix2.nix { inherit pkgs; })
|
||||
];
|
||||
|
@ -122,7 +118,7 @@
|
|||
{
|
||||
config = [
|
||||
{
|
||||
default_nixpkgs = "github:nixos/nixpkgs/nixos-23.11";
|
||||
default_nixpkgs = "github:nixos/nixpkgs/nixos-22.11";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@ -137,5 +133,38 @@
|
|||
nix.settings.substituters = [ "https://nix.web.deuxfleurs.fr" ];
|
||||
nix.settings.trusted-public-keys = [ "nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=" ];
|
||||
})
|
||||
## ---- Nix mutual cache ----
|
||||
# Let nodes in a same site/zone copy from each other's Nix stores
|
||||
# Note that nodes will only copy from one another packages that are
|
||||
# signed by one of the trusted public keys, i.e. packages comming
|
||||
# from cache.nixos.org and nix.web.deuxfleurs.fr.
|
||||
# This is good as it kind of mitigates supply-chain attacks where
|
||||
# one node's cache would become poisonned, although arguably when
|
||||
# an attacker has gained root access on one node, it can easily
|
||||
# become root on all the others through Nomad. Downsides include
|
||||
# missed opportunities for not rebuilding stuff between machines
|
||||
# (e.g. derivations that are built in the process of doing
|
||||
# nixos-rebuild), and warnings appearing in the logs whenever such
|
||||
# an opportunity was not taken due to missing signatures.
|
||||
({ pkgs, config, ... }:
|
||||
let substituter_port = 1728;
|
||||
in
|
||||
{
|
||||
services.nix-serve = {
|
||||
enable = true;
|
||||
port = substituter_port;
|
||||
openFirewall = false;
|
||||
bindAddress = "0.0.0.0";
|
||||
#package = pkgs.haskellPackages.nix-serve-ng;
|
||||
#package = pkgs.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_12; };
|
||||
};
|
||||
nix.settings.substituters = map
|
||||
({ address, ... }: "http://${address}:${builtins.toString substituter_port}")
|
||||
(builtins.attrValues (pkgs.lib.filterAttrs
|
||||
(hostname: { siteName, ...}:
|
||||
(hostname != config.deuxfleurs.hostName
|
||||
&& siteName == config.deuxfleurs.siteName))
|
||||
config.deuxfleurs.clusterNodes));
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
|
@ -11,7 +11,5 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
|
|||
10.14.3.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
|
||||
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
|
||||
2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
|
||||
piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
|
||||
df-pw5.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH
|
||||
origan.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
|
||||
carcajou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
|
||||
caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
|
||||
|
|
27
cluster/staging/node/carcajou.nix
Normal file
27
cluster/staging/node/carcajou.nix
Normal file
|
@ -0,0 +1,27 @@
|
|||
# Configuration file local to this node
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./remote-unlock.nix
|
||||
];
|
||||
|
||||
deuxfleurs.remoteUnlock = {
|
||||
networkInterface = "eno1";
|
||||
staticIP = "192.168.1.22/24";
|
||||
defaultGateway = "192.168.1.1";
|
||||
};
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.timeout = 20;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
deuxfleurs.hostName = "carcajou";
|
||||
deuxfleurs.staticIPv6.address = "2001:910:1204:1::22";
|
||||
deuxfleurs.isRaftServer = true;
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
|
1
cluster/staging/node/carcajou.site.nix
Symbolic link
1
cluster/staging/node/carcajou.site.nix
Symbolic link
|
@ -0,0 +1 @@
|
|||
../site/neptune.nix
|
|
@ -10,7 +10,6 @@
|
|||
|
||||
deuxfleurs.hostName = "caribou";
|
||||
deuxfleurs.staticIPv6.address = "2001:910:1204:1::23";
|
||||
deuxfleurs.isRaftServer = true;
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
|
||||
|
|
|
@ -4,15 +4,18 @@ Host caribou
|
|||
#HostName caribou.machine.deuxfleurs.fr
|
||||
HostName caribou.machine.staging.deuxfleurs.org
|
||||
|
||||
Host carcajou
|
||||
#HostName carcajou.machine.deuxfleurs.fr
|
||||
HostName carcajou.machine.staging.deuxfleurs.org
|
||||
|
||||
Host origan
|
||||
#HostName origan.df.trinity.fr.eu.org
|
||||
HostName origan.machine.staging.deuxfleurs.org
|
||||
|
||||
Host piranha
|
||||
HostName %h.machine.staging.deuxfleurs.org
|
||||
#HostName piranha.polyno.me
|
||||
#OR
|
||||
#ProxyJump caribou.machine.deuxfleurs.fr
|
||||
#ProxyJump carcajou.machine.deuxfleurs.fr
|
||||
#HostName 10.14.3.1
|
||||
HostName piranha.machine.staging.deuxfleurs.org
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
copy nix/configuration.nix /etc/nixos/configuration.nix
|
||||
copy nix/deuxfleurs.nix /etc/nixos/deuxfleurs.nix
|
||||
copy nix/remote-unlock.nix /etc/nixos/remote-unlock.nix
|
||||
copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
|
||||
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
|
||||
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
|
||||
|
|
10
deploy_pki
10
deploy_pki
|
@ -19,7 +19,10 @@ cmd ln -sf /var/lib/consul/pki/consul$YEAR.key /var/lib/consul/pki/consul.key
|
|||
cmd ln -sf /var/lib/consul/pki/consul$YEAR-client.crt /var/lib/consul/pki/consul-client.crt
|
||||
cmd ln -sf /var/lib/consul/pki/consul$YEAR-client.key /var/lib/consul/pki/consul-client.key
|
||||
|
||||
cmd systemctl reload consul
|
||||
if [ ! "$CLUSTER" = "prod" ]; then
|
||||
cmd systemctl restart consul
|
||||
cmd sleep 10
|
||||
fi
|
||||
|
||||
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
|
||||
nomad$YEAR-client.crt nomad$YEAR-client.key \
|
||||
|
@ -27,6 +30,7 @@ for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
|
|||
do
|
||||
if pass $PKI/$file >/dev/null; then
|
||||
write_pass $PKI/$file /var/lib/nomad/pki/$file
|
||||
cmd "chown \$(stat -c %u /var/lib/private/nomad/) /var/lib/nomad/pki/$file"
|
||||
fi
|
||||
done
|
||||
|
||||
|
@ -38,7 +42,9 @@ cmd ln -sf /var/lib/nomad/pki/consul$YEAR.crt /var/lib/nomad/pki/consul.crt
|
|||
cmd ln -sf /var/lib/nomad/pki/consul$YEAR-client.crt /var/lib/nomad/pki/consul-client.crt
|
||||
cmd ln -sf /var/lib/nomad/pki/consul$YEAR-client.key /var/lib/nomad/pki/consul-client.key
|
||||
|
||||
cmd systemctl reload nomad
|
||||
if [ ! "$CLUSTER" = "prod" ]; then
|
||||
cmd systemctl restart nomad
|
||||
fi
|
||||
|
||||
set_env CONSUL_HTTP_ADDR=https://localhost:8501
|
||||
set_env CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
|
||||
|
|
|
@ -330,8 +330,8 @@ in
|
|||
};
|
||||
|
||||
services.nomad.enable = true;
|
||||
services.nomad.dropPrivileges = false; # required starting with Nomad 1.5, otherwise Docker is not detected
|
||||
systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
|
||||
services.nomad.package = pkgs.nomad_1_4;
|
||||
services.nomad.extraPackages = [
|
||||
pkgs.glibc
|
||||
pkgs.zstd
|
||||
|
|
|
@ -7,10 +7,10 @@ pkgs.buildGoModule rec {
|
|||
|
||||
src = builtins.fetchGit {
|
||||
url = "https://git.deuxfleurs.fr/Deuxfleurs/nomad-driver-nix2";
|
||||
rev = "98871a2d786f2627f1699d0ae49e7d6d3792f469";
|
||||
rev = "59aba7607507193587be7c24229dc71066e3ae87";
|
||||
};
|
||||
|
||||
vendorHash = "sha256-EQdTxVOBRYQjg7kAB+pFJYcNwk0zlsjjJxM+EO/cK84=";
|
||||
vendorSha256 = "sha256-EQdTxVOBRYQjg7kAB+pFJYcNwk0zlsjjJxM+EO/cK84=";
|
||||
|
||||
postInstall = ''
|
||||
mv $out/bin/nomad-driver-nix2 $out/bin/nix2
|
||||
|
|
45
nix/remote-unlock.nix
Normal file
45
nix/remote-unlock.nix
Normal file
|
@ -0,0 +1,45 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
|
||||
let
|
||||
cfg = config.deuxfleurs.remoteUnlock;
|
||||
in
|
||||
with builtins;
|
||||
with pkgs.lib;
|
||||
{
|
||||
options.deuxfleurs.remoteUnlock = {
|
||||
networkInterface = mkOption {
|
||||
description = "Network interface to configure with static IP";
|
||||
type = types.str;
|
||||
};
|
||||
staticIP = mkOption {
|
||||
description = "IP address (with prefix length) of this node on the local network interface";
|
||||
type = types.str;
|
||||
};
|
||||
defaultGateway = mkOption {
|
||||
description = "IP address of default gateway";
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
boot.initrd.availableKernelModules = [ "pps_core" "ptp" "e1000e" ];
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.network.ssh = {
|
||||
enable = true;
|
||||
port = 222;
|
||||
authorizedKeys = concatLists (mapAttrsToList (name: user: user) config.deuxfleurs.adminAccounts);
|
||||
hostKeys = [ "/var/lib/deuxfleurs/remote-unlock/ssh_host_ed25519_key" ];
|
||||
};
|
||||
boot.initrd.network.postCommands = ''
|
||||
ip addr add ${cfg.staticIP} dev ${cfg.networkInterface}
|
||||
ip link set dev ${cfg.networkInterface} up
|
||||
ip route add default via ${cfg.defaultGateway} dev ${cfg.networkInterface}
|
||||
ip a
|
||||
ip route
|
||||
ping -c 4 ${cfg.defaultGateway}
|
||||
echo 'echo run cryptsetup-askpass to unlock drives' >> /root/.profile
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
7
tlsproxy
7
tlsproxy
|
@ -17,7 +17,8 @@ PREFIX="deuxfleurs/cluster/$CLUSTER"
|
|||
|
||||
# Do actual stuff
|
||||
|
||||
YEAR=$(date +%Y)
|
||||
#YEAR=$(date +%Y)
|
||||
YEAR=2023
|
||||
|
||||
CERTDIR=$(mktemp -d)
|
||||
|
||||
|
@ -37,10 +38,10 @@ pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
|
|||
pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
|
||||
pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
|
||||
|
||||
socat -dd tcp-listen:4646,reuseaddr,fork,bind=127.0.0.1 openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
|
||||
socat -dd tcp-listen:4646,reuseaddr,fork,bind=localhost openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
|
||||
child1=$!
|
||||
|
||||
socat -dd tcp-listen:8500,reuseaddr,fork,bind=127.0.0.1 openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
|
||||
socat -dd tcp-listen:8500,reuseaddr,fork,bind=localhost openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
|
||||
child2=$!
|
||||
|
||||
wait "$child1"
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
#!/usr/bin/env ./sshtool
|
||||
|
||||
if [ "$CLUSTER" = "staging" ]; then
|
||||
cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
|
||||
cmd nix-channel --add https://nixos.org/channels/nixos-23.05 nixos
|
||||
else
|
||||
cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
|
||||
cmd nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
|
||||
fi
|
||||
|
||||
cmd nix-channel --update
|
||||
|
|
Loading…
Reference in a new issue