From 2388e80dd923ed3c9f5b6e3aeacb3c62698b55d1 Mon Sep 17 00:00:00 2001
From: emily
Date: Mon, 4 Nov 2024 21:19:57 +0100
Subject: [PATCH] florp.social: add dedicated host
---
 .sops.yaml | 3 +-
 config/common/default.nix | 8 +-
 config/hosts/crime/configuration.nix | 6 +-
 config/hosts/emilia/configuration.nix | 6 +-
 config/hosts/florp/configuration.nix | 41 +++++
 config/hosts/girldick/configuration.nix | 1 -
 config/hosts/seras/configuration.nix | 6 +-
 config/hosts/web-dus/configuration.nix | 3 +-
 config/services/akkoma/default.nix | 210 +++++++++++++-----------
 config/services/nginx.nix | 1 +
 flake.lock | 8 +-
 modules/nginx/default.nix | 16 +-
 pkgs/akkoma-fe-domi/default.nix | 13 +-
 pkgs/overlay.nix | 6 +-
 pkgs/update-nixfiles/update-nixfiles.sh | 20 ++-
 secrets/services/akkoma.yaml | 24 +--
 16 files changed, 226 insertions(+), 146 deletions(-)
 create mode 100644 config/hosts/florp/configuration.nix
diff --git a/.sops.yaml b/.sops.yaml
index 6078d69..fc9da64 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
 - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
 - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
+ - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
 creation_rules:
 - path_regex: secrets/services/dns-knot.yaml
 key_groups:
@@ -57,4 +58,4 @@ creation_rules:
 - pgp:
 - *emily
 age:
- - *seras
+ - *florp
diff --git a/config/common/default.nix b/config/common/default.nix
index f5266a5..1b33d66 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -1,6 +1,6 @@
-{ config, inputs, lib, pkgs, ... }:
-
- with lib; {
+{ config, inputs, lib, pkgs, ... }: let
+ inherit (lib) mkDefault;
+in {
 imports = [
 ./kernel.nix
 ./networking.nix
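Review bot: Swapping `*seras` for `*florp` in the akkoma.yaml creation rule re-keys the file for the new host but does not revoke what the old recipient could read: the previous ciphertext stays in git history and seras' age key can still decrypt it, and `lastmodified` in secrets/services/akkoma.yaml is unchanged in this patch, which suggests the mailer password and DeepL key themselves were not rotated. If those credentials are meant to move with the service, rotate them at the providers after this lands. A one-line comment above the rule, `# akkoma now runs on florp; seras no longer needs this file`, would also stop the recipient list from looking like a leftover.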
@@ -105,6 +105,6 @@ with lib; {
 services.fprintd.enable = config.kyouma.machine-type.graphical;
- system.stateVersion = "23.11";
+ system.stateVersion = mkDefault "23.11";
 time.timeZone = mkDefault "CET";
 }
diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix
index fcceeca..f3e45ce 100644
--- a/config/hosts/crime/configuration.nix
+++ b/config/hosts/crime/configuration.nix
@@ -7,11 +7,7 @@
 ../../services/nginx.nix
 ./nginx.nix
 ];
- networking = {
- hostName = "crime";
- firewall.allowedTCPPorts = [ 80 443 ];
- firewall.allowedUDPPorts = [ 443 ];
- };
+ networking.hostName = "crime";
 systemd.network.networks."98-eth-default" = {
 address = [
 "2a0f:be01:0:100::1337/128"
diff --git a/config/hosts/emilia/configuration.nix b/config/hosts/emilia/configuration.nix
index f4bceb0..cad1e2c 100644
--- a/config/hosts/emilia/configuration.nix
+++ b/config/hosts/emilia/configuration.nix
@@ -17,10 +17,8 @@
 kyouma.machine-type.physical = true;
 kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
- networking = {
- firewall.allowedTCPPorts = [ 80 443 ];
- hostName = "emilia";
- };
+ networking.hostName = "emilia";
+
 systemd.network.networks."98-eth-default" = {
 matchConfig.MACAddress = "04:d4:c4:39:73:f6";
 addresses = [
diff --git a/config/hosts/florp/configuration.nix b/config/hosts/florp/configuration.nix
new file mode 100644
index 0000000..4a7e62f
--- /dev/null
+++ b/config/hosts/florp/configuration.nix
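Review bot: Dropping `firewall.allowedTCPPorts = [ 80 443 ]` from the crime host makes the open ports depend entirely on the host importing config/services/nginx.nix, which is visible for crime, seras and florp but not for emilia, girldick and web-dus (their import lists lie outside their hunks), so confirm each of those still pulls in that module or they lose 80/443 on the next rebuild. The same hunk also removes crime's `firewall.allowedUDPPorts = [ 443 ]`; nginx.nix already carries the UDP 443 line, so that part is consistent. web-dus keeps `firewall.allowedTCPPorts = [ 11019 ]` locally, which merges with the module's list; a short comment there, `# 80/443 come from services/nginx.nix`, would stop the next reader from re-adding them.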
@@ -0,0 +1,41 @@
+{ lib, ... }: {
+ imports = [
+ ../../common
+ ../../profiles/headless.nix
+ ../../profiles/kartoffel.nix
+ ../../profiles/lxc.nix
+ ../../services/akkoma
+ ../../services/nginx.nix
+ ];
+ networking = {
+ hostName = "florp";
+ domain = lib.mkForce "social";
+ };
+ kyouma.nginx.defaultForbidden = "florp.social";
+ systemd.network.networks."98-eth-default" = {
+ address = [
+ "2a0f:be01:0:100::171/128"
+ ];
+ };
+
+ services.postgresql.settings = {
+ max_connections = 30;
+ shared_buffers = "4GB";
+ effective_cache_size = "12GB";
+ maintenance_work_mem = "1GB";
+ checkpoint_completion_target = 0.9;
+ wal_buffers = "16MB";
+ default_statistics_target = 100;
+ random_page_cost = 1.1;
+ effective_io_concurrency = 200;
+ work_mem = "34952kB";
+ huge_pages = "try";
+ min_wal_size = "2GB";
+ max_wal_size = "8GB";
+ max_worker_processes = 16;
+ max_parallel_workers_per_gather = 4;
+ max_parallel_workers = 16;
+ max_parallel_maintenance_workers = 4;
+ };
+ system.stateVersion = "24.11";
+}
diff --git a/config/hosts/girldick/configuration.nix b/config/hosts/girldick/configuration.nix
index bc69ddc..35c9211 100644
--- a/config/hosts/girldick/configuration.nix
+++ b/config/hosts/girldick/configuration.nix
@@ -11,7 +11,6 @@
 domain = lib.mkForce "girldick.gay";
 hostName = "staging";
 nftables.enable = lib.mkForce false;
- firewall.allowedTCPPorts = [ 80 443 ];
 };
 systemd.network.networks."98-eth-default" = {
 address = [
diff --git a/config/hosts/seras/configuration.nix b/config/hosts/seras/configuration.nix
index 34b2ee8..368b4b0 100644
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
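Review bot: The `services.postgresql.settings` block in the new florp host hard-codes absolute sizes (`shared_buffers = "4GB"`, `effective_cache_size = "12GB"`, `work_mem = "34952kB"`, `max_worker_processes = 16`) without recording the container allocation they were derived from, so nobody can later check them against the LXC's real memory and CPU limits. Add a header comment with the actual figures, e.g. `# tuned for <RAM>/<cores> assigned to this LXC; rescale if the allocation changes`. `huge_pages = "try"` falls back to normal pages without an error when the container cannot map them, so whether huge pages are actually in use should be verified once on the running host rather than assumed from this file.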
@@ -5,17 +5,13 @@
 ../../profiles/headless.nix
 ../../profiles/kartoffel.nix
 ../../profiles/lxc.nix
- ../../services/akkoma
 ../../services/nginx.nix
 ../../services/hydra
 ../../services/update-nixfiles.nix
 ];
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
- networking = {
- hostName = "seras";
- firewall.allowedTCPPorts = [ 80 443 ];
- };
+ networking.hostName = "seras";
 systemd.network.networks."98-eth-default" = {
 address = [
 "2a0f:be01:0:100::169/128"
diff --git a/config/hosts/web-dus/configuration.nix b/config/hosts/web-dus/configuration.nix
index 5f2d701..1eb8172 100644
--- a/config/hosts/web-dus/configuration.nix
+++ b/config/hosts/web-dus/configuration.nix
@@ -11,8 +11,7 @@
 networking = {
 hostName = "web-dus";
 nftables.enable = lib.mkForce false;
- firewall.allowedTCPPorts = [ 80 443 11019 ];
- firewall.allowedUDPPorts = [ 443 ];
+ firewall.allowedTCPPorts = [ 11019 ];
 };
 systemd.network.networks."98-eth-default" = {
 address = [
diff --git a/config/services/akkoma/default.nix b/config/services/akkoma/default.nix
index a2ad317..4baebfe 100644
--- a/config/services/akkoma/default.nix
+++ b/config/services/akkoma/default.nix
@@ -1,34 +1,28 @@
-{ config, inputs, pkgs, ... }: {
- sops.secrets."services/akkoma/mailerPassword" = {
+{ config, inputs, lib, pkgs, ... }: {
+ sops.secrets."services/akkoma/mailerPassword" = {
 sopsFile = ../../../secrets/services/akkoma.yaml;
 };
 sops.secrets."services/akkoma/deepl" = {
 sopsFile = ../../../secrets/services/akkoma.yaml;
 };
+
 services.akkoma = {
 enable = true;
 extraPackages = with pkgs; [ exiftool ffmpeg-headless imagemagick ];
 extraStatic."emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
- extraStatic."static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON {
- pleroma-dark = "/static/themes/pleroma-dark.json";
- pleroma-light = "/static/themes/pleroma-light.json";
- pleroma-amoled = [ "Pleroma Dark AMOLED" "#000000" "#111111" "#b0b0b1" "#d8a070" "#aa0000" "#0fa00f" "#0095ff" "#d59500"];
- classic-dark = [ "Classic Dark" "#161c20" "#282e32" "#b9b9b9" "#baaa9c" "#d31014" "#0fa00f" "#0095ff" "#ffa500" ];
- bird = [ "Bird" "#f8fafd" "#e6ecf0" "#14171a" "#0084b8" "#e0245e" "#17bf63" "#1b95e0" "#fab81e"];
- ir-black = [ "Ir Black" "#000000" "#242422" "#b5b3aa" "#ff6c60" "#FF6C60" "#A8FF60" "#96CBFE" "#FFFFB6" ];
- monokai = [ "Monokai" "#272822" "#383830" "#f8f8f2" "#f92672" "#F92672" "#a6e22e" "#66d9ef" "#f4bf75" ];
+ extraStatic."emoji/florp" = pkgs.runCommandNoCC "florp" {
+ src = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
+ } ''
+ mkdir $out
+ cp $src $out/florp.png
+ '';
- redmond-xx = "/static/themes/redmond-xx.json";
- redmond-xx-se = "/static/themes/redmond-xx-se.json";
- redmond-xxi = "/static/themes/redmond-xxi.json";
- breezy-dark = "/static/themes/breezy-dark.json";
- breezy-light = "/static/themes/breezy-light.json";
- paper = "/static/themes/paper.json";
- thekanata = "/static/themes/thekanata.json";
- ihatebeingalive = "/static/themes/ihatebeingalive.json";
- elly-mod = "/static/themes/elly-mod.json";
- });
+ extraStatic."static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON (
builtins.fromJSON (builtins.readFile "${pkgs.akkoma-fe-domi}/static/styles.json") // {
+ elly-mod = "/static/themes/elly-mod.json";
+ }
+ ));
 extraStatic."static/themes/elly-mod.json" = pkgs.writeText "elly-mod.json" (builtins.readFile ./elly-mod.json);
@@ -38,23 +32,7 @@
 extraStatic."images/sylvia-ritter-15012323.avif" =
 inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper;
- extraStatic."favicon.png" = let
- rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
- in pkgs.stdenvNoCC.mkDerivation {
- name = "favicon.png";
-
- src = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
- hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
- };
-
- nativeBuildInputs = with pkgs; [ librsvg ];
-
- dontUnpack = true;
- installPhase = ''
- rsvg-convert -o $out -w 96 -h 96 $src
- '';
- };
+ extraStatic."favicon.png" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
 frontends = {
 primary = {
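Review bot: `builtins.readFile "${pkgs.akkoma-fe-domi}/static/styles.json"` in the new `extraStatic."static/styles.json"` reads a derivation output during evaluation, i.e. import-from-derivation: evaluating this host now requires akkoma-fe-domi to be built first, which slows every evaluation (including the Hydra jobset this repo relies on) and fails outright wherever `allow-import-from-derivation` is off. If that cost is accepted, say so on the line, `# IFD: builds akkoma-fe-domi at eval time so the theme list cannot drift from the frontend`; otherwise merge the two JSON documents inside a small derivation (jq or a runCommand) and reference the result as a path, which keeps evaluation pure. The first added line of this block also lost its `+` marker in the page rendering; that is a transcription artefact, not a problem in the patch.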
@@ -70,13 +48,31 @@
 };
 };
 services.akkoma.config = let
- inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap;
+ inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkTuple;
+
+ mapAttrsToListOfTuple = attr: lib.mapAttrsToList (name: value: mkTuple [ name value ]) attr;
+
+ mkMapOfPredefinedKeys = set: let
+ string = value: "\"${(lib.escape [ "\\" "#" "\"" ]) value}\"";
+
+ toElixir = value:
+ if value == null then "nil" else
+ if lib.isString value then string value else
+ if builtins.isBool value then lib.boolToString value else
+ if lib.isInt value || lib.isFloat value then toString value else
+ abort "Not a elixir value ${value}";
+
+ entries = attrs: lib.concatStringsSep ", " (lib.mapAttrsToList (name: value:
+ "${toElixir name}: ${toElixir value}"
+ ) attrs);
+ in mkRaw "%{${entries set}}";
+
 in {
 ":pleroma" = {
 ":instance" = {
 name = "florp.social";
 email = "contact@florp.social";
- notify_email = "akkoma@florp.social";
+ notify_email = "noreply@florp.social";
 description = "Likes are now florps. The timeline goes sideways.";
 instance_thumbnail = "/instance/thumbnail.avif";
 limit = 69420;
@@ -90,19 +86,22 @@
 registration_reason_length = 2048;
 account_approval_required = true;
 account_activation_required = true;
- federation = false;
+ federating = true;
 federation_incoming_replies_max_depth = 1024;
+ federation_reachability_timeout_days = 14;
+ allow_relay = true;
 max_pinned_statuses = 10;
+ max_report_comment_size = 2048;
 safe_dm_mentions = true;
 remote_post_retention_days = 365;
 user_bio_length = 8192;
 user_name_length = 64;
- max_account_fields = 8;
 cleanup_attachments = true;
 local_bubble = [
 "solitary.social"
 "donotsta.re"
 "chaos.social"
+ "girldick.gay"
 ];
 };
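Review bot: In `toElixir`, the fallback `abort "Not a elixir value ${value}"` interpolates the offending value into the message, but the only values that reach this branch are the ones that are not a string, bool, number or null (lists, attribute sets, functions), and `${...}` cannot coerce those, so the abort fails with a generic coercion error instead of the intended diagnostic. Use `abort "Not an elixir value of type ${builtins.typeOf value}"` so the message survives. `string` escapes `\`, `#` and `"`, which neutralises `#{}` interpolation in the emitted Elixir, but newlines and other control characters pass through; that is fine for the hard-coded config literals used here and deserves a comment on the binding, `# values are trusted config literals, not user input`.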
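Review bot: `federating = true` replaces `federation = false`, and as far as I can tell `federating` is the key Akkoma actually reads under `:instance`, which would mean the old line was silently ignored and the instance has been federating all along rather than being switched on by this commit; the commit message does not say which it is. A comment on the new line, `# was misspelled "federation" before and never took effect — confirm`, would record that for whoever audits the federation history, and if it really was off until now the MRF reject list below should be treated as untested against live traffic. This hunk's enclosing `":instance"` set starts in the previous hunk.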
@@ -110,11 +109,13 @@
 "Pleroma.Web.Endpoint".url.host = "florp.social";
+ "Pleroma.Web.Metadata.Providers.Theme".theme_color = "#070F1C";
+
 "Pleroma.Emails.Mailer" = {
 enabled = true;
 adapter = mkRaw "Swoosh.Adapters.SMTP";
 relay = "mail.kyouma.net";
- username = "akkoma@florp.social";
+ username = "noreply@florp.social";
 password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
 port = 465;
 ssl = true;
@@ -146,37 +147,42 @@
 "Pleroma.Upload.Filter.AnonymizeFilename"
 ];
- ":mrf" = {
- transparency = true;
- policies = map mkRaw [
- "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
- "Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
- ];
- };
+ ":mrf".policies = map mkRaw [
+ "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
+ "Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
+ "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy"
+ ];
 ":mrf_simple" = {
- reject = mkMap {
- "bae.st" = "harassment";
- "brighteon.social" = "incompatible";
- "detroitriotcity.com" = "incompatible";
- "freeatlantis.com" = "incompatible";
- "freespeechextremist.com" = "incompatible";
- "gab.com" = "incompatible";
- "gleasonator.com" = "incompatible";
- "kitsunemimi.club" = "incompatible";
- "poa.st" = "incompatible";
- "seal.cafe" = "harassment";
- "social.quodverum.com" = "incompatible";
- "spinster.xyz" = "incompatible";
- "truthsocial.co.in" = "incompatible";
- "varishangout.net" = "incompatible";
-
- "activitypub-troll.cf" = "security";
- "misskey-forkbomb.cf" = "security";
- "repl.co" = "security";
+ reject = mapAttrsToListOfTuple {
+ "bae.st" = "transphobia / queerphobia";
+ "brighteon.social" = "transphobia, pro trump";
+ "detroitriotcity.com" = "transphobia / queerphobia";
+ "freeatlantis.com" = "harassment";
+ "freespeechextremist.com" = "N/A";
+ "gab.com" = "N/A";
+ "gleasonator.com" = "transphobia";
+ "kitsunemimi.club" = "transphobia";
+ "kiwifarms.*" = "N/A";
+ "poa.st" = "queerphobia / racism / nazis";
+ "seal.cafe" = "transphobia";
+ "social.quodverum.com" = "N/A";
+ "spinster.xyz" = "transphobia";
+ "truthsocial.co.in" = "N/A";
+ "varishangout.net" = "transphobia";
+ "activitypub-troll.cf" = "N/A";
+ "misskey-forkbomb.cf" = "N/A";
+ "repl.co" = "N/A";
+ "rape.pet" = "CP";
+ "childlove.space" = "CP";
+ "pedo.school" = "CP";
+ "loli.church" = "transphobia";
+ "usasa.ky" = "spam";
+ "tickler.cc" = "spam";
+ "shitposter.club" = "transphobia";
 };
- followers_only = mkMap {
+ followers_only =
mapAttrsToListOfTuple {
 "bitcoinhackers.org" = "annoying";
 };
 };
@@ -184,8 +190,9 @@
 ":mrf_object_age".threshold = 180 * 24 * 3600;
 ":frontend_configurations" = {
- pleroma_fe = mkMap {
+ pleroma_fe = mkMapOfPredefinedKeys {
 background = "/images/sylvia-ritter-15012323.avif";
+ nsfwCensorImage = "/static/blurhash-overlay.png";
 collapseMessageWithSubject = true;
 streaming = true;
 webPushNotifications = true;
@@ -204,9 +211,10 @@
 };
 ":restrict_unauthenticated" = {
- timelines = mkMap {
+ timelines = mkMapOfPredefinedKeys {
 local = false;
- federated = true;
+ federated = false;
+ bubble = true;
 };
 };
@@ -227,21 +235,44 @@
 ":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
 };
+ services.postgresql.enable = true;
 services.postgresql.extraPlugins = [
- pkgs.postgresql15Packages.rum
+ pkgs.postgresql16Packages.rum
 ];
 services.nginx = {
 clientMaxBodySize = "256m";
 commonHttpConfig = ''
 proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
+ proxy_cache_path /var/cache/nginx/akkoma-media-cache
 levels= keys_zone=akkoma_media_cache:32m max_size=32g inactive=1y use_temp_path=off;
 access_log off;
 '';
 };
- kyouma.nginx.virtualHosts = {
+ kyouma.nginx.virtualHosts = let
+ proxyCache = ''
+ proxy_cache akkoma_media_cache;
+
+ # Cache objects in slices of 1 MiB
+ slice 1m;
+ proxy_cache_key $host$uri$is_args$args$slice_range;
+ proxy_set_header Range $slice_range;
+
+ # Decouple proxy and upstream responses
+ proxy_buffering on;
+ proxy_cache_lock on;
+ proxy_ignore_client_abort on;
+
+ # Default cache times for various responses
+ proxy_cache_valid 200 1y;
+ proxy_cache_valid 206 301 304 1h;
+
+ # Allow serving of stale items
+ proxy_cache_use_stale error timeout invalid_header updating;
+ '';
+ in {
 "florp.social" = {
+ serverAliases = map (x: "${x}.florp.social") [ "a" "b" "c" ];
 locations."/" = {
 proxyPass = "http://unix:/run/akkoma/socket";
 proxyWebsockets = true;
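Review bot: Collapsing the `":mrf"` set to `":mrf".policies` drops the explicit `transparency = true;`; Akkoma's upstream default for that setting is, as far as I recall, also true, so behaviour probably does not change, but the rewritten reject list now carries free-text reasons such as `"transphobia, pro trump"` and `"CP"` that transparency publishes in nodeinfo to anyone, so the decision to publish should stay visible here instead of resting on a default. Keep `":mrf".transparency = true;` beside the policies line (or set it false with a comment if the reasons are not meant to be public). `"kiwifarms.*"` is not the documented `*.example` prefix wildcard; as far as I can tell SimplePolicy builds an unescaped regex from each entry, so this one happens to match any host whose name starts with `kiwifarms`, which is broader than the list's other entries and worth a comment, `# suffix wildcard: relies on unescaped regex matching, confirm on upgrade`.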
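Review bot: `federated = false` under `":restrict_unauthenticated".timelines` lifts the login requirement for the federated timeline (the old value `true` restricted it), while the new `bubble = true` restricts the bubble timeline, so logged-out visitors can now browse the whole known network but not the curated bubble subset of it. If the intent was the reverse — open local and bubble, keep federated behind login — the two booleans are swapped and should read `federated = true; bubble = false;`. If it is deliberate, a comment such as `# federated TL is intentionally public` will keep the next reader from "fixing" it.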
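Review bot: `services.postgresql.extraPlugins = [ pkgs.postgresql16Packages.rum ]` pins the extension to the 16 package set while `services.postgresql.package` is left to the NixOS default, which is picked from `system.stateVersion` (24.11 on florp, but common/default.nix now makes the base 23.11 overridable); any host with a different stateVersion, or a future default bump, would load a rum built for the wrong major version. Pin the server next to the plugin: `services.postgresql.package = pkgs.postgresql_16;`. The alias list `map (x: "${x}.florp.social") [ "a" "b" "c" ]` on `serverAliases` is repeated verbatim in the ACME `extraDomainNames` in the next hunk; hoist it into a module-level `let` binding so the vhost and the certificate cannot drift apart.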
@@ -254,7 +285,9 @@
 useACMEHost = "florp.social";
 locations."/" = {
 proxyPass = "http://unix:/run/akkoma/socket";
- extraConfig = "rewrite ^(?!/media)(.*)$ /media$1;";
+ extraConfig = ''
+ rewrite ^(?!/media)(.*)$ /media$1;
+ '' + proxyCache;
 };
 };
@@ -264,27 +297,12 @@
 proxyPass = "http://unix:/run/akkoma/socket";
 extraConfig = ''
 rewrite ^(?!/proxy)(.*)$ /proxy$1;
- proxy_cache akkoma_media_cache;
-
- # Cache objects in slices of 1 MiB
- slice 1m;
- proxy_cache_key $host$uri$is_args$args$slice_range;
- proxy_set_header Range $slice_range;
-
- # Decouple proxy and upstream responses
- proxy_buffering on;
- proxy_cache_lock on;
- proxy_ignore_client_abort on;
-
- # Default cache times for various responses
- proxy_cache_valid 200 1y;
- proxy_cache_valid 206 301 304 1h;
-
- # Allow serving of stale items
- proxy_cache_use_stale error timeout invalid_header updating;
- '';
+ '' + proxyCache;
 };
 };
 };
- security.acme.certs."florp.social".extraDomainNames = [ "cache.florp.social" "media.florp.social" ];
+ security.acme.certs."florp.social".extraDomainNames = [
+ "cache.florp.social"
+ "media.florp.social"
+ ] ++ map (x: "${x}.florp.social") [ "a" "b" "c" ];
 }
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index f76663f..b27fa24 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -11,6 +11,7 @@ in {
 email = "noc@kyouma.net";
 };
 };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 networking.firewall.allowedUDPPorts = [ 443 ];
 services.nginx = {
 enable = true;
diff --git a/flake.lock b/flake.lock
index fe32570..faec4a2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -437,11 +437,11 @@
 ]
 },
 "locked": {
- "lastModified": 1730469723,
- "narHash": "sha256-5U2aVAXbzd26f0r4+1fo0F4KTqY5h3z2fV0uDJ9YsMQ=",
+ "lastModified": 1730825511,
+ "narHash": "sha256-Ywc4Y+4VobocyxcVhHlJ5Q5h1fOdsJNlAlWlrkqC8U0=",
 "ref": "refs/heads/main",
- "rev": "16f4a9c871b5417b9ed17e7666c1b266dd8de464",
- "revCount": 1,
+ "rev": "81bde12357d59215e7d67c7f55c2eb3d54c47689",
+ "revCount": 2,
 "type": "git",
 "url": "https://woof.rip/florp/branding.git"
 },
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index 644a2c7..b9d827c 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -3,11 +3,11 @@
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "same-origin" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
 '';
 createHost = vhostName: vhostCfg: {
 extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
@@ -42,9 +42,13 @@ in {
 builtins.mapAttrs (createHost) cfg.virtualHosts) // lib.optionalAttrs (cfg.defaultForbidden != null) {
 "redirect" = {
+ quic = true;
+ http3 = true;
+ # reuseport has to be specified on the quic listener
+ # when using worker_processes auto;
+ reuseport = true;
 default = true;
 forceSSL = true;
- reuseport = true;
 useACMEHost = cfg.defaultForbidden;
 extraConfig = ''
 return 403;
diff --git a/pkgs/akkoma-fe-domi/default.nix b/pkgs/akkoma-fe-domi/default.nix
index 1ffd048..77aca4f 100644
--- a/pkgs/akkoma-fe-domi/default.nix
+++ b/pkgs/akkoma-fe-domi/default.nix
@@ -22,7 +22,18 @@ in {
 postPatch = ''
 # Build scripts assume to be used within a Git repository checkout
 substituteInPlace src/modules/instance.js \
- --replace-fail "widenTimeline: true" 'widenTimeline: "50%"'
+ --replace-fail "widenTimeline: true" 'widenTimeline: "50%"'
+
+ substituteInPlace src/modules/config.js \
+ --replace-fail "streaming: false" "streaming: true" \
+ --replace-fail "useStreamingApi: false" "useStreamingApi: true" \
+ --replace-fail "webPushNotifications: false" "webPushNotifications: true" \
+ --replace-fail "postLanguage: undefined" 'postLanguage: "en"'
+
+ substituteInPlace src/i18n/en.json \
+ --replace-fail "meow" "florp" \
+ --replace-fail "Meow" "Florp"
+
 sed -E -i '/^let commitHash =/,/;$/clet commitHash = "${builtins.substring 0 7 src.rev}";' \
 build/webpack.prod.conf.js
 '';
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 72ef525..8934f1c 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -6,5 +6,9 @@ final: prev: {
 librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
 librespeed-go = final.callPackage ./librespeed-go/default.nix {};
 akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
- nginxQuic = prev.nginxQuic.override { withSlice = true; };
+ nginxQuic = prev.nginxQuic.override {
+ withSlice = true;
+ # Use zlib because zlib-ng uses larger buffers then nginx preallocates.
+ zlib = final.zlib;
+ };
 }
diff --git a/pkgs/update-nixfiles/update-nixfiles.sh b/pkgs/update-nixfiles/update-nixfiles.sh
index dc7721f..f2c8169 100644
--- a/pkgs/update-nixfiles/update-nixfiles.sh
+++ b/pkgs/update-nixfiles/update-nixfiles.sh
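Review bot: The pre-existing comment `# Build scripts assume to be used within a Git repository checkout` describes the `sed` that rewrites `commitHash` in build/webpack.prod.conf.js, but after this hunk three unrelated `substituteInPlace` blocks sit between the comment and that `sed`, so it now reads as if it explained the widenTimeline tweak. Move it directly above the `sed -E -i` line and give the new blocks their own one-liners, e.g. `# Flip client defaults that the instance config cannot override` above the config.js block and `# Instance branding: rename the cat noises in the English locale` above the en.json block. The `"meow"`/`"Meow"` replacement is a plain substring rewrite over the whole locale file, so any unrelated string containing those letters changes too; probably harmless, but worth saying in the comment.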
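Review bot: The comment on the new `zlib = final.zlib;` override reads `larger buffers then nginx preallocates`; it should be `than`, and naming the symptom would help whoever is tempted to drop the override later, e.g. `# zlib-ng needs larger deflate buffers than nginx preallocates for gzip, which shows up as "gzip filter failed to use preallocated memory" alerts; stay on classic zlib`. That alert string is what the gzip filter logs in that situation and is the thing an operator would grep for.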
@@ -6,6 +6,7 @@ BRANCH="update-inputs-$(date +%Y-%m-%d-%H-%M)"
 HYDRA_URL="https://hydra.kyouma.net"
 JOBSET_URL="${HYDRA_URL}/jobset/nixfiles/update-inputs"
 ROOT="$(mktemp -d)"
+START_TIME="$(date +%s)"
 gitin () {
 git -C "${ROOT}/nixfiles" "$@"
@@ -21,20 +22,31 @@ merge_theirs () {
 }
 test_build () {
+ local last_error
 local build_jobs
+
 build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")"
 for build in ${build_jobs}; do
 local build_status
+
 while true; do
 local build_finished
 build_finished="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".finished")"
 [[ ${build_finished} == 1 ]] && break
 sleep 5
 done
+
 build_status="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".buildstatus")"
- [[ $build_status != 0 ]] && echo "Build ${build} failed" && exit 1
+ [[ $build_status != 0 ]] &&
+ echo "Build ${build} failed" &&
+ exit 1
 echo "Build ${build} was successful"
 done
+
+ last_error="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}" | jq -r ".errortime")"
+ [[ $last_error -gt $START_TIME ]] &&
+ echo "Evaluation error encountered at $(date +%Y-%m-%d-%H:%M:%S --date="@${last_error}")" &&
+ exit 1
 }
 wait_for_hydra () {
@@ -42,9 +54,9 @@ wait_for_hydra () {
 local hydra_rev
 local counter
 counter=0
- git_rev="$(git -C "${ROOT}/nixfiles" rev-parse update-inputs)"
+ git_rev="$(git -C "${1}/nixfiles" rev-parse update-inputs)"
 while true; do
- hydra_rev="$(curl -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
+ hydra_rev="$(curl -s -L -H "Accept: application/json" "${2}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
 if [[ "${git_rev}" == "${hydra_rev}" ]]; then
 echo "Hydra got new commit"
 break
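Review bot: `[[ $last_error -gt $START_TIME ]]` in test_build assumes `.errortime` is numeric, but for a jobset that has never had an evaluation error `jq -r` prints `null`, and inside `[[ ]]` the operand of `-gt` is evaluated arithmetically, so `null` is read as a variable name that expands to 0 (or aborts with "unbound variable" if the script runs under `set -u`) and the check passes for the wrong reason. Guard the value first: `[[ $last_error != null && $last_error -gt $START_TIME ]] &&`. An empty `last_error` (curl failing inside the pipeline, which `--fail` does not turn into a script exit unless pipefail is set, and I cannot see the top of the file) evaluates to 0 the same way, so the guard should also reject the empty string.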
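Review bot: `wait_for_hydra` now takes its checkout root and jobset URL from `${1}` and `${2}` but never checks that they were supplied; called without arguments, as the old call site `bash -c wait_for_hydra` did, `git -C "/nixfiles"` and `curl ".../latest-eval"` run against nonsense locations and the loop spins until the 4h timeout instead of failing fast. Declare them at the top of the function with a hard failure on absence, `local root="${1:?checkout root}" jobset_url="${2:?jobset url}"`, and use those names in the two lines this hunk changes. The function's opening line and the rest of its loop lie outside the hunk.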
@@ -87,7 +99,7 @@ gitin push origin update-inputs
 echo "Waiting for hydra to get new commit"
 export -f wait_for_hydra
-timeout 4h bash -c wait_for_hydra
+timeout 4h bash -c "wait_for_hydra ${ROOT} ${JOBSET_URL}"
 echo "Testing if all build jobs completed successfully"
 test_build
diff --git a/secrets/services/akkoma.yaml b/secrets/services/akkoma.yaml
index fc7bb2f..f76c6b6 100644
--- a/secrets/services/akkoma.yaml
+++ b/secrets/services/akkoma.yaml
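Review bot: `bash -c "wait_for_hydra ${ROOT} ${JOBSET_URL}"` expands both variables into the command string before the child shell parses it, so any whitespace or glob character in `ROOT` (a `mktemp -d` path today, but `TMPDIR` is caller-controlled) is re-split by the child. Pass them as positional parameters instead: `timeout 4h bash -c 'wait_for_hydra "$1" "$2"' _ "${ROOT}" "${JOBSET_URL}"`. Alternatively `export ROOT JOBSET_URL` next to the existing `export -f wait_for_hydra` and drop the parameters entirely, which would also let the function keep its original signature.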
@@ -8,27 +8,27 @@ sops:
 azure_kv: []
 hc_vault: []
 age:
- - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ - recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTi9Ha0tQRGE2L3BzclpW
- NnduRVVRUnhkV1pEOXllZTA0bnN0NENESlM4Ck9jSTcxcjJIdThvUk9IM1FCOGNv
- V1FNV2ZHbHlTaWNBL0VvSGxhSzlWSDgKLS0tIEFoWEozY0VSWVA0cVp5dkI4NHNH
- RVQ3aDd0c1RDNWd2eGxiNURGRXVXS2sKTT4LpWSIb9hjrcdUWOhieUeUHop0pwoA
- OfOv3y3dp7tYc5HRREN5jkVx29jb2lrml0ycu9ek58S8+bolfzN8yQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
+ V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
+ bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
+ VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
+ /Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2024-10-31T16:57:58Z"
 mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
 pgp:
- - created_at: "2024-10-31T16:40:38Z"
+ - created_at: "2024-11-04T20:52:58Z"
 enc: |-
 -----BEGIN PGP MESSAGE-----
- hF4D1GtNSlou/HkSAQdAmS/QDuU40+HtiMoCa9byz80b6lGMd6cvqxYShifFxUgw
- Bn34D6HB6z3nQxWanlOCkA2ud8GBUhEFlLjsQf29apfWuWxKpNv37Olou1/vGvNm
- 0l4BIzFesU+aoIUi+Fp0GbJ1+ObzRvGZq1IULChsDgbbvDnHah7yvN5wKYwj6x7f
- ZhPpm40+FLea1najiN6igUD6oUy8TSYnCgPODef4FeI0ZwFqF5MaucY8CNuWsugS
- =1vZk
+ hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
+ 90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
+ 0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
+ t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
+ =Q9iO
 -----END PGP MESSAGE-----
 fp:
B04F01A7A98A13020C39B4A68AB7B773A214ACE5
 unencrypted_suffix: _unencrypted