diff --git a/flake.lock b/flake.lock index dbe83a8..3430941 100644 --- a/flake.lock +++ b/flake.lock @@ -11,11 +11,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1750173260, - "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", "owner": "ryantm", "repo": "agenix", - "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1754254562, - "narHash": "sha256-vwu354kJ2fjK1StYmsi/M2vGQ2s72m+t9pIPHImt1Xw=", + "lastModified": 1755272288, + "narHash": "sha256-ypTPb2eKcOBbOoyvPV0j4ZOXs4kayo73/2KI456QnE0=", "owner": "zhaofengli", "repo": "colmena", - "rev": "5e0fbc4dbc50b3a38ecdbcb8d0a5bbe12e3f9a72", + "rev": "5bf4ce6a24adba74a5184f4a9bef01d545a09473", "type": "github" }, "original": { @@ -86,11 +86,11 @@ ] }, "locked": { - "lastModified": 1752287590, - "narHash": "sha256-U1IqFnxlgCRrPaeT5IGCdH0j9CNLPFcI/fRAidi0aDQ=", + "lastModified": 1755272288, + "narHash": "sha256-ypTPb2eKcOBbOoyvPV0j4ZOXs4kayo73/2KI456QnE0=", "owner": "zhaofengli", "repo": "colmena", - "rev": "d2beb694d54db653399b8597c0f6e15e20b26405", + "rev": "5bf4ce6a24adba74a5184f4a9bef01d545a09473", "type": "github" }, "original": { @@ -172,11 +172,11 @@ ] }, "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "lastModified": 1756115622, + "narHash": "sha256-iv8xVtmLMNLWFcDM/HcAPLRGONyTRpzL9NS09RnryRM=", "owner": "nix-community", "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "rev": "bafad29f89e83b2d861b493aa23034ea16595560", "type": "github" }, "original": { 
@@ -193,11 +193,11 @@ ] }, "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "lastModified": 1755519972, + "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=", "owner": "nix-community", "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d", "type": "github" }, "original": { @@ -282,11 +282,11 @@ ] }, "locked": { - "lastModified": 1753121425, - "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -343,11 +343,11 @@ ] }, "locked": { - "lastModified": 1751124935, - "narHash": "sha256-gotAUzJTcWYpYyBArSkHKy2s43dRpxzl37Z4Mj9KxIg=", + "lastModified": 1753799916, + "narHash": "sha256-QNkPU+ByNofb7E5GbOKfzQz7vY+nnE0dwYlQaImxMTc=", "ref": "refs/heads/main", - "rev": "9148db40606ad1b2adadbf6c9e2616f433bffbe8", - "revCount": 44, + "rev": "352ce894e881973c9ad304ecfb974856a0e3a9eb", + "revCount": 49, "type": "git", "url": "https://cyberchaos.dev/e1mo/freescout-nix-flake.git" }, @@ -439,11 +439,11 @@ ] }, "locked": { - "lastModified": 1752787887, - "narHash": "sha256-XmoecWRUvUX8jf0U0cGyP4AfLHb0D2D4Ec69jqwrWVI=", + "lastModified": 1755188769, + "narHash": "sha256-KjrSIln4H7q/9FgiwI77Zjq0vPubvLP49JgZ3j91Ivw=", "owner": "NixOS", "repo": "hydra", - "rev": "b812bb5017cac055fa56ffeac5440b6365830d67", + "rev": "0d2a030661fb1a6ba3f5cb83c627a72b562ebe74", "type": "github" }, "original": { 
@@ -476,16 +476,17 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1754411894, - "narHash": "sha256-uu3qm8HiIVTqnVf7pVNJ0zcgd9VjqYYXoECsP+SeqTI=", - "owner": "NixOS", - "repo": "infra", - "rev": "c2b4f367acbb611618925deedb37ccc562b6108a", + "lastModified": 1756668538, + "narHash": "sha256-eaiB1TDX/t7XR2JTaJ4ELtlx+cnmJ+EmPbDWg7lPung=", + "owner": "helsinki-systems", + "repo": "nixos-infra", + "rev": "f8ab439fe622c2bbf26f5ac08a34916da0630e7b", "type": "github" }, "original": { - "owner": "NixOS", - "repo": "infra", + "owner": "helsinki-systems", + "ref": "upd/fixups_staging", + "repo": "nixos-infra", "type": "github" } }, @@ -573,11 +574,11 @@ ] }, "locked": { - "lastModified": 1753109189, - "narHash": "sha256-9cPf5/ccalQ+yh9ak20M0TcLlkPArXud+SbAN/wVunM=", + "lastModified": 1754994796, + "narHash": "sha256-lVjSZIUG/rdp5WexoV6yJFhvWXujz7Yu0rBVOczts/0=", "owner": "NixOS", "repo": "nixos-channel-scripts", - "rev": "1be66ddc5f4745507a672cd0a6dbd7fae44cd608", + "rev": "9551229d7efc6a7351349169803aea9a47478ad4", "type": "github" }, "original": { @@ -588,11 +589,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754292888, - "narHash": "sha256-1ziydHSiDuSnaiPzCQh1mRFBsM2d2yRX9I+5OPGEmIE=", + "lastModified": 1756469547, + "narHash": "sha256-YvtD2E7MYsQ3r7K9K2G7nCslCKMPShoSEAtbjHLtH0k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ce01daebf8489ba97bd1609d185ea276efdeb121", + "rev": "41d292bfc37309790f70f4c120b79280ce40af16", "type": "github" }, "original": { @@ -604,11 +605,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1754214453, - "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=", + "lastModified": 1756542300, + "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376", + "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", "type": "github" }, "original": { 
@@ -625,11 +626,11 @@ ] }, "locked": { - "lastModified": 1753208420, - "narHash": "sha256-ydYVkz4wplz1NWEK3QRItlUQuL3jF5Seub+r43nRm2g=", + "lastModified": 1756668341, + "narHash": "sha256-nm1Ae0YVXUaofvi3eflxIHxyJODbZ1AQ6kQa0lPiIbU=", "owner": "NixOS", "repo": "ofborg", - "rev": "c390cd1c5f207667609b613811c3b0cc5775b599", + "rev": "a09cd0b68ec6a687b25fdaf985c65d0d1a896da1", "type": "github" }, "original": { @@ -706,11 +707,11 @@ ] }, "locked": { - "lastModified": 1747965231, - "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=", + "lastModified": 1755110674, + "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "53007af63fade28853408370c4c600a63dd97f41", + "rev": "f5936247dbdb8501221978562ab0b302dd75456c", "type": "gitlab" }, "original": { @@ -728,11 +729,11 @@ ] }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { @@ -748,11 +749,11 @@ ] }, "locked": { - "lastModified": 1754328224, - "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { 
@@ -769,11 +770,11 @@ ] }, "locked": { - "lastModified": 1753319211, - "narHash": "sha256-WR9rKJhFjX5FJbqNWCg8dwQsJWUuCNgff63DpuKL39c=", + "lastModified": 1755770475, + "narHash": "sha256-piB4s87GvBJkzWLbzOMyX4adjMBmTMxzMu0SNT/b8hU=", "owner": "numtide", "repo": "srvos", - "rev": "6a29375c7b8e9bb477233f66cd6609583741dadc", + "rev": "bebcf12b45df0b7d6f422ebd5da06f92b52169a8", "type": "github" }, "original": { @@ -789,11 +790,11 @@ ] }, "locked": { - "lastModified": 1754273897, - "narHash": "sha256-l7epHqAcg8Qktu8vO2ZfjSH1wcai01XQOKQA9ADHIk4=", + "lastModified": 1756506247, + "narHash": "sha256-TUIjIFQXo3ZW5dcofvqGY6FlgttaV/WfEai39gmA4p8=", "owner": "numtide", "repo": "srvos", - "rev": "8e7d3c690975ee6790926bdfd1258016c967d163", + "rev": "a0e1c32a3c44c68b53a6adb2576a6cd749c01eb6", "type": "github" }, "original": { @@ -855,11 +856,11 @@ ] }, "locked": { - "lastModified": 1753439394, - "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=", + "lastModified": 1755934250, + "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf", + "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 56969de..b737be9 100644 --- a/flake.nix +++ b/flake.nix @@ -33,7 +33,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; infra = { - url = "github:NixOS/infra"; + url = "github:helsinki-systems/nixos-infra/upd/fixups_staging"; inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-unstable.follows = "nixpkgs-unstable"; diff --git a/macs/ca/client-nixos-foundation-macstadium-44911104.crt b/macs/ca/client-nixos-foundation-macstadium-44911104.crt new file mode 100644 index 0000000..3f42402 --- /dev/null +++ b/macs/ca/client-nixos-foundation-macstadium-44911104.crt 
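Review bot: The `infra` input in flake.nix now tracks a branch of a fork, `github:helsinki-systems/nixos-infra/upd/fixups_staging`, and this commit takes three things from it: the builder package (`${inputs.infra}/non-critical-infra/packages/hydra-queue-runner` in macs/module/hydra-queue-builder.nix), the module imported in the build01 and build02 `default.nix` hunks, and the mTLS trust anchor `serverRootCaCertPath` in macs/queue-builder.nix and build01. flake.lock pins the `rev`, so the current build is fixed, but the next `nix flake update` follows whatever that branch then points to, including a changed `ca.crt`. I would add a comment on the `url` line such as `# TEMPORARY: fork branch for the staging queue-builder rollout; return to github:NixOS/infra once merged`. If the CA file can live in this repository, reference it by relative path rather than through the input. The `infra` attribute set continues outside the hunk.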
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7kwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMTA0MCowBQYDK2VwAyEAwg81We0emvtttglMSqZALqqHPQGkpM3j21+z +ikmyM/6jQjBAMB0GA1UdDgQWBBS5ahdd+XKK/AI8jN7fdXWo6oYn0zAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQAG5KMpDZ9Od7v42Qcx +jpmEu9sSUB0XMzN0XYkIwIgRDK7jEmG1CbX19Vco1eBiA+MW+JFCmJP7JBM1lHx3 ++BwO +-----END CERTIFICATE----- diff --git a/macs/ca/client-nixos-foundation-macstadium-44911207.crt b/macs/ca/client-nixos-foundation-macstadium-44911207.crt new file mode 100644 index 0000000..76f2f98 --- /dev/null +++ b/macs/ca/client-nixos-foundation-macstadium-44911207.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7gwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMjA3MCowBQYDK2VwAyEAeyeFq3u3hksc07IGBITcq0/go+iD4+DriPSb +yAq+/nyjQjBAMB0GA1UdDgQWBBS/UHOeRtG8+xozoDTcYxcMpVYjzzAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQCFQNs1ZiKpnY60MdFn +H7NaQ7Jis0n665CjKWFKIEFdr2C+UZovnzSZYfl9UqxGjb3udfUK/6Z4Rqbf6cGH +SRAP +-----END CERTIFICATE----- diff --git a/macs/ca/client-nixos-foundation-macstadium-44911305.crt b/macs/ca/client-nixos-foundation-macstadium-44911305.crt new file mode 100644 index 0000000..8d22085 --- /dev/null +++ b/macs/ca/client-nixos-foundation-macstadium-44911305.crt 
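Review bot: The client certificates added under macs/ca/ appear to be issued for roughly fifty years: the validity fields in the base64 body decode to 2025-08-31 through 2075-08-19, and the two `client.crt` files for build01 and build02 carry a similar range. Nothing in this commit shows a revocation path; the module's `mtls` options take only a root CA, a client certificate, a key and a domain name. A leaked builder key could then presumably only be invalidated by replacing the CA, which is worth confirming on the queue-runner side. If that is the intended model, a short README in `macs/ca/` recording the issuing CA, how a certificate is re-issued and how a host's certificate is retired would make it explicit.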
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7UwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMzA1MCowBQYDK2VwAyEAQ6HvVxrDKl8JIAli/QNz8Ot4zcR9biiQOcQI +mZLgekGjQjBAMB0GA1UdDgQWBBTTHQ/eJCYE8KTgVfhRq0RQThpONDAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQDuIgw6XDf2Bpg2dFGz +0GvVRlIDbv6paOdZDKhPqKuZIvXgYK6xtXJyYkODtPgkLjTkIufyX79o7zwtJATP +oAwH +-----END CERTIFICATE----- diff --git a/macs/ca/client-nixos-foundation-macstadium-44911362.crt b/macs/ca/client-nixos-foundation-macstadium-44911362.crt new file mode 100644 index 0000000..4d45150 --- /dev/null +++ b/macs/ca/client-nixos-foundation-macstadium-44911362.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7YwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExMzYyMCowBQYDK2VwAyEA70JtJD1NetW22ggjqF6LY8plCNn4jpMJm1Aa +I0JoImOjQjBAMB0GA1UdDgQWBBQEVVeckjstcg3RWqa7G884FbpnvzAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQBcdGmZ0e69HfUN8E/1 +sQfFeaqwzX5jc3RhHnjViLP4OUcqWnYeqAT+ELwaucOdkMp47SgJIaUn12FEG+i/ +oC4C +-----END CERTIFICATE----- diff --git a/macs/ca/client-nixos-foundation-macstadium-44911507.crt b/macs/ca/client-nixos-foundation-macstadium-44911507.crt new file mode 100644 index 0000000..34eb629 --- /dev/null +++ b/macs/ca/client-nixos-foundation-macstadium-44911507.crt 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAWGgAwIBAgIUW+L+r4Nl4TaYFRdwkVjhMNk2K7cwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDgzMTE0MTA0OVoYDzIwNzUwODE5MTQxMDQ5 +WjBmMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExQTA/BgNVBAMM +OGh5ZHJhLXF1ZXVlLWJ1aWxkZXItbml4b3MtZm91bmRhdGlvbi1tYWNzdGFkaXVt +LTQ0OTExNTA3MCowBQYDK2VwAyEAy7uGuWSpwuj249gR5+4Z0U9fFcQNQYXB8cGM +SaNAK7mjQjBAMB0GA1UdDgQWBBQQPGitG4ehKYgnAVlV3yO7DlglZjAfBgNVHSME +GDAWgBTTBAboHFMq1jCXLC7IPRpWv/WviDAFBgMrZXADQQAitINnRMRBXE/eAl5Y +04zfMZKBo1Q81v7j4KtrylRfo/qWyotdm/9erqqoIqwyRjoGn2Sr7eKNvs7oo8Hx +3t0M +-----END CERTIFICATE----- diff --git a/macs/module/hydra-queue-builder.nix b/macs/module/hydra-queue-builder.nix new file mode 100644 index 0000000..f3c0135 --- /dev/null +++ b/macs/module/hydra-queue-builder.nix 
@@ -0,0 +1,248 @@ +{ + config, + pkgs, + lib, + inputs, + ... +}: +let + cfg = config.services.hydra-queue-builder-v2; + user = config.users.users.hydra-queue-builder; +in +{ + options = { + services.hydra-queue-builder-v2 = { + enable = lib.mkEnableOption "QueueBuilder"; + + queueRunnerAddr = lib.mkOption { + description = "Queue Runner address to the grpc server"; + type = lib.types.singleLineStr; + }; + + pingInterval = lib.mkOption { + description = "Interval in which pings are send to the runner"; + type = lib.types.ints.positive; + default = 10; + }; + + speedFactor = lib.mkOption { + description = "Additional Speed factor for this machine"; + type = lib.types.oneOf [ + lib.types.ints.positive + lib.types.float + ]; + default = 1; + }; + + maxJobs = lib.mkOption { + description = "Maximum allowed of jobs. This only is used if the queue runner uses this metrics for determining free machines."; + type = lib.types.ints.positive; + default = 4; + }; + + tmpAvailThreshold = lib.mkOption { + description = "Threshold in percent for /tmp before jobs are no longer scheduled on the machine"; + type = lib.types.float; + default = 10.0; + }; + + storeAvailThreshold = lib.mkOption { + description = "Threshold in percent for /nix/store before jobs are no longer scheduled on the machine"; + type = lib.types.float; + default = 10.0; + }; + + load1Threshold = lib.mkOption { + description = "Maximum Load1 threshold before we stop scheduling jobs on that node. 
Only used if PSI is not available."; + type = lib.types.float; + default = 8.0; + }; + + cpuPsiThreshold = lib.mkOption { + description = "Maximum CPU PSI in the last 10s before we stop scheduling jobs on that node"; + type = lib.types.float; + default = 75.0; + }; + + memPsiThreshold = lib.mkOption { + description = "Maximum Memory PSI in the last 10s before we stop scheduling jobs on that node"; + type = lib.types.float; + default = 80.0; + }; + + ioPsiThreshold = lib.mkOption { + description = "Maximum IO PSI in the last 10s before we stop scheduling jobs on that node. If null then this pressure check is disabled."; + type = lib.types.nullOr lib.types.float; + default = null; + }; + + systems = lib.mkOption { + description = "List of supported systems. If none are passed, system and extra-platforms are read from nix."; + type = lib.types.listOf lib.types.singleLineStr; + default = [ ]; + }; + + supportedFeatures = lib.mkOption { + description = "Pass supported features to the builder. 
If none are passed, system features will be used."; + type = lib.types.listOf lib.types.singleLineStr; + default = [ ]; + }; + + mandatoryFeatures = lib.mkOption { + description = "Pass mandatory features to the builder."; + type = lib.types.listOf lib.types.singleLineStr; + default = [ ]; + }; + + useSubstitutes = lib.mkOption { + description = "Use substitution for paths"; + type = lib.types.bool; + default = true; + }; + + mtls = lib.mkOption { + description = "mtls options"; + default = null; + type = lib.types.nullOr ( + lib.types.submodule { + options = { + serverRootCaCertPath = lib.mkOption { + description = "Server root ca certificate path"; + type = lib.types.path; + }; + clientCertPath = lib.mkOption { + description = "Client certificate path"; + type = lib.types.path; + }; + clientKeyPath = lib.mkOption { + description = "Client key path"; + type = lib.types.path; + }; + domainName = lib.mkOption { + description = "Domain name for mtls"; + type = lib.types.singleLineStr; + }; + }; + } + ); + }; + + package = lib.mkOption { + type = lib.types.package; + default = + (pkgs.recurseIntoAttrs ( + pkgs.callPackage "${inputs.infra}/non-critical-infra/packages/hydra-queue-runner" { } + )).builder; + }; + + logFile = lib.mkOption { + type = lib.types.path; + default = "/var/log/hydra-queue-builder.log"; + description = "The logfile to use for the hydra-queue-builder service."; + }; + }; + }; + + config = lib.mkIf cfg.enable { + launchd.daemons.hydra-queue-builder-v2 = { + script = '' + exec ${ + lib.escapeShellArgs ( + [ + "${cfg.package}/bin/builder" + "--gateway-endpoint" + cfg.queueRunnerAddr + "--ping-interval" + cfg.pingInterval + "--speed-factor" + cfg.speedFactor + "--max-jobs" + cfg.maxJobs + "--tmp-avail-threshold" + cfg.tmpAvailThreshold + "--store-avail-threshold" + cfg.storeAvailThreshold + "--load1-threshold" + cfg.load1Threshold + "--cpu-psi-threshold" + cfg.cpuPsiThreshold + "--mem-psi-threshold" + cfg.memPsiThreshold + ] + ++ lib.optionals 
(cfg.ioPsiThreshold != null) [ + "--io-psi-threshold" + cfg.ioPsiThreshold + ] + ++ (builtins.concatMap (v: [ + "--systems" + v + ]) cfg.systems) + ++ (builtins.concatMap (v: [ + "--supported-features" + v + ]) cfg.supportedFeatures) + ++ (builtins.concatMap (v: [ + "--mandatory-features" + v + ]) cfg.mandatoryFeatures) + ++ lib.optionals (cfg.useSubstitutes != null) [ + "--use-substitutes" + ] + ++ lib.optionals (cfg.mtls != null) [ + "--server-root-ca-cert-path" + cfg.mtls.serverRootCaCertPath + "--client-cert-path" + cfg.mtls.clientCertPath + "--client-key-path" + cfg.mtls.clientKeyPath + "--domain-name" + cfg.mtls.domainName + ] + ) + } + ''; + + environment = { + RUST_BACKTRACE = "1"; + NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + }; + + serviceConfig = { + KeepAlive = true; + StandardErrorPath = cfg.logFile; + StandardOutPath = cfg.logFile; + + GroupName = "hydra"; + UserName = "hydra-queue-builder"; + WorkingDirectory = user.home; + }; + }; + users = { + users.hydra-queue-builder = { + uid = lib.mkDefault 535; + gid = lib.mkDefault config.users.groups.hydra.gid; + home = lib.mkDefault "/var/lib/hydra-queue-builder"; + shell = "/bin/bash"; + description = "hydra-queue-builder service user"; + }; + knownUsers = [ "hydra-queue-builder" ]; + groups.hydra = { + gid = lib.mkDefault 535; + description = "Nix group for hydra-queue-builder service"; + }; + knownGroups = [ "hydra" ]; + }; + + # FIXME: create logfiles automatically if defined. + system.activationScripts.preActivation.text = '' + mkdir -p '${user.home}' + touch '${cfg.logFile}' + chown ${toString user.uid}:${toString user.gid} '${user.home}' '${cfg.logFile}' + + # create gcroots + mkdir -p /nix/var/nix/gcroots/per-user/hydra-queue-builder + chown ${toString user.uid}:${toString user.gid} /nix/var/nix/gcroots/per-user/hydra-queue-builder + chmod 0755 /nix/var/nix/gcroots/per-user/hydra-queue-builder + ''; + }; +} 
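Review bot: `lib.optionals (cfg.useSubstitutes != null) [ "--use-substitutes" ]` always passes the flag, because `useSubstitutes` is declared as `lib.types.bool` with default `true` and can never be null. Setting the option to `false` therefore has no effect and the builder keeps substituting paths. The guard should be `++ lib.optionals cfg.useSubstitutes [ "--use-substitutes" ]`. Separately, the service account gets `shell = "/bin/bash"` although the visible code only uses it to run the launchd daemon; a non-login shell would be tighter if nothing else depends on it.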
diff --git a/macs/ofborg-common.nix b/macs/ofborg-common.nix index 275fff3..b34ec9b 100644 --- a/macs/ofborg-common.nix +++ b/macs/ofborg-common.nix @@ -6,7 +6,10 @@ ... }: { - imports = [ ./ofborg.nix ]; + imports = [ + ./ofborg.nix + ./queue-builder.nix + ]; environment.systemPackages = [ config.nix.package diff --git a/macs/ofborg.nix b/macs/ofborg.nix index ac4715e..aef4ba5 100644 --- a/macs/ofborg.nix +++ b/macs/ofborg.nix @@ -6,7 +6,9 @@ }: { - imports = [ ../non-critical-infra/modules/ofborg/ofborg-config.nix ]; + imports = [ + ../non-critical-infra/modules/ofborg/ofborg-config.nix + ]; services.ofborg = { enable = true; diff --git a/macs/queue-builder.nix b/macs/queue-builder.nix new file mode 100644 index 0000000..5061fa4 --- /dev/null +++ b/macs/queue-builder.nix @@ -0,0 +1,28 @@ +{ + config, + inputs, + ... +}: + +{ + imports = [ + ./module/hydra-queue-builder.nix + ]; + + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = ./ca/client-${config.networking.hostName}.crt; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; + }; + + sops.secrets."queue-runner-client.key" = { + owner = "hydra-queue-builder"; + sopsFile = ./secrets/${config.networking.hostName}.yml; + }; +} diff --git a/macs/secrets/nixos-foundation-macstadium-44911104.yml b/macs/secrets/nixos-foundation-macstadium-44911104.yml index 49e7af0..d7db763 100644 --- a/macs/secrets/nixos-foundation-macstadium-44911104.yml +++ b/macs/secrets/nixos-foundation-macstadium-44911104.yml 
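Review bot: In macs/queue-builder.nix the endpoint host is written twice, in `queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"` and again in `mtls.domainName`, and the same pair is repeated in the build01 `default.nix` hunk. If one is edited without the other, the name presumably used for TLS verification no longer matches the address being dialled. Binding it once, e.g. `let queueRunnerHost = "queue-runner.staging-hydra.nixos.org"; in`, and deriving both values from it avoids that drift. A one-line comment stating that these builders attach to the staging queue runner would also help the next reader.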
@@ -1,10 +1,7 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:TNzUCf83Bu6FxoXLbjWjcKGvPPJePRY6IGcPNfRKMPGcyShRyZC3Tw+fGfPXZCZjK08=,iv:mII0yPL75KlZ+t8+pCCE70pKVufXYO8C7ExGNLd0qfY=,tag:x0NLpX6KNBEjZzxumTs2QQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:gpDEcEtSZARUHnv1cuH8NrmWOAMuxN/oTS5gxXBNUg4Y5RRttGnpu7SxTQtim5aD/yYDiw7W9gdQujSWNMTbqRPv4iwWwDjMecObPGbkRRd1vhSG3or2VItvahzvU3H7pl8B9UfOz8rYNz/4psV7OXD6yRksD/E=,iv:aWQG160Du+YMSstFibT1LlR/ttP4xZznDYhjNKGPnqY=,tag:OSvpvrXz3np8SuNmSWTIrw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age14gkxeqaehj2m38sesnc6fyd4c3hqjt7tqjz6q7lrult3uaahxcysdxt67n enc: | @@ -60,8 +57,7 @@ sops: UHh5aTJxejFIand6aVZwdHVxL2R6KzgKUO9lByaF3qwAK5V9gVEFOiTfTS14dYVt VqE2s5GjDI9hRCDeeDdzjdL3y4AYKlobk9JQmL5cD4IngtL0DkoAVg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-22T21:57:28Z" - mac: ENC[AES256_GCM,data:Mbw8Eng6FlAxh+XSszfpXmiQDWAhImOYhfWBUuismZ1P6cGdBqigMkxwzoA94D6XQ41UwHR/b3qszYBPSsBuLTTCqskqqCK/+rrEEQUhilGGRAwAl3Ogr5k2SuciNnwb3f+JjCY6JoHOQAeFMCvmTWXXVGTm2lz1loXBFVzmZ/8=,iv:K0b3VHthGz4tJEXjPq/Qn93tCXNaI7YBGRO1PSMaa6c=,tag:Hp1WlrplPDU5MFn/1i2sRA==,type:str] - pgp: [] + lastmodified: "2025-08-31T15:04:36Z" + mac: ENC[AES256_GCM,data:TjaB9/dPyn475bNxqLjm0UBNYPG7/iIJOWK1UUJF/jQun1jSw5faMSiaLhlfexHF1gal+WCUGcFUyslXX90kAB+GD4G0YWdze7tmjTZCtMers+Xw/WWQ7OKzFsZIj3Z8HCvVOlYCqlGRZ7/cZkjC2N7vT1M6CXuH2S7U8MDhBn4=,iv:u+VjOO4ketXDMku6HCVW2VphWRF4XsHoTRfaHVmt6F0=,tag:N95UaNh7a88aU5cnl1tdDQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/macs/secrets/nixos-foundation-macstadium-44911207.yml b/macs/secrets/nixos-foundation-macstadium-44911207.yml index d82cac6..b86beb0 100644 --- a/macs/secrets/nixos-foundation-macstadium-44911207.yml +++ b/macs/secrets/nixos-foundation-macstadium-44911207.yml 
@@ -1,10 +1,7 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:tK1jDNt1X3f/o9bJ0iFHLtxQa5z6V77ohmhnd82BDlpRZva2Y65vHuvSL9bRmVnGUvI=,iv:rHvNCmujJd3WK6mwx1heRBFgnLlokCvtOPD/BESUxkA=,tag:AWjfYJcLBiT5v8T7C2edPg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:B17aFR6BGeJaZXhmZr8WhKeu6VEbWTiKs+ZprwlJZkH2w9y6Ve5c4liLwpe9E0J1ELyhL0o3AnnTIo/42d9KpD9Cb+k4y6XAzj8UyPvQlMxN5+3ZKjpdkhEj/jFH3z/OXBgh7fEvrbjeNsAR67MCr7U8j02cPIo=,iv:fKx1Y4H/SCZQIW0bLP3gwHVx/ae1kPgZgUXtfMgNdT0=,tag:0Zlc1qHr7aUECHp9lK/vEw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1f6u77gvh94fk5fdh53lp04nk87cvjmwy2q3hjdlhd83mhlp0jg0s7rupux enc: | @@ -60,8 +57,7 @@ sops: VnRRT1ZHeHVZOCtBb0p4MkNXQjhzbWMK+WLYiDuhpOHTpHFjmdMGipmxtiTh/6ls lzC8CEN2682xNxYkAVnyqLHKFR5lEDHpDoDwvNk0jTn8Fj3d4odCZw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-22T21:53:51Z" - mac: ENC[AES256_GCM,data:cSbRGOtKKZ1k0AgRMbhupn0Pgl1joGZ/qKUqTvM4pqux07GAGKLol/OMCLHjq+lfM4W5HI37gBamX2Fa+e+ULOaacVPteEgWY4f4C1jedr+SCSRR1yUVstL1sIlqfP5+bNb3s/Z8oO23Ra0xrSerL+/nOxwn5JL9/+50t7J1fOA=,iv:DBWiAwB4OKSHwXrdEHPlwYPdG3eibog2RIF9hm8htSQ=,tag:zVzVkTtUBJIHwJ6aIyPN3w==,type:str] - pgp: [] + lastmodified: "2025-08-31T15:04:59Z" + mac: ENC[AES256_GCM,data:yE2/xv0LltDZBaD2gI3I+L09cG8/czVgXGDdDZt12dAzzsMsY3CKlss/3K4zD/G1p2Afdp85ZNzxbbUvcpShT35L/XWAviLrP6PqV1YYAromFb03G4nBpOyOlpXWmjPP7JBo2oGK1yg5hjMwomLd7vb2OaBtXQ0EZ2X+i4vmC68=,iv:YTiZDnLON9nS63vGYj3w+Dsw4CCsd/C31B9A/EhQeTc=,tag:zGZ997oabhCg0PqRa+J9WA==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/macs/secrets/nixos-foundation-macstadium-44911305.yml b/macs/secrets/nixos-foundation-macstadium-44911305.yml index c4dff9d..5c94ebf 100644 --- a/macs/secrets/nixos-foundation-macstadium-44911305.yml +++ b/macs/secrets/nixos-foundation-macstadium-44911305.yml 
@@ -1,10 +1,7 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:LopQz4a7gvobT1l6DvWmyCK1oOzBeYUbZobS5akNAwCsR+TtpkyskNwXUHryyPB92ag=,iv:dFxyhuDgQg7JWtpIIAc0PthhCzEfgY/D3HAzS0l9euA=,tag:mJOAr44Ax1TdA3t/gTzyhQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:SzIMMeauP8SjTXYob9WL+ARUMZh89luhlt5vQoyrQwqoCPUV7Nw+9t7uRxBuDmGAPWxCw/rt0faYRc+6GdqKDIuK+hiiGcjGTWFiakxCSS0jcewtDv+iaxr7ZqJVtmiz788yZvg+3DQ1jPZUTBmxd+Hl2scfb8k=,iv:tFRD6oP4x54WqDazJTC7TeG87MDXwvJtutqoj4IE9LM=,tag:k2ICj2TdWbZ6gT93vAjOTA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1x608lllmu7gdfjnn6c8mvmmguft5f22fu7g38wv3ckmzqy2usq0q5u2ekx enc: | @@ -60,8 +57,7 @@ sops: c0gwRXk0Yk5zZUk2aDNaVjJQaXZXYlEKB/82tEb40KykfgZ58gux0CMtxRbz4hst Av6Jx/hjpl7HLKrlz7x9M868iZMWvIYBb/O0CecS3X/P4p+l8rzyow== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-22T21:19:41Z" - mac: ENC[AES256_GCM,data:W6X1YAqoh8YbI9dUe0TT4Vs7l/aDHcpvlIP1/EqdIqrPCk5yU6bBiWNJVbV63ZqPORDj6x32Kf7J9DG4uHj6qUjNQ/BcVdXZWOoQQPapkrMBwKkLLDuoXFyLBFQgDRvcdwgfDzEEeGr1SER4uB7rKWPhosldkYMLsKiezGOHYo4=,iv:ciojoKvJtopku/NUWnJ7oA4dpxZw/MTWBk/Recfrkog=,tag:v5+8RgFpxIAZLjIJFGcTbA==,type:str] - pgp: [] + lastmodified: "2025-08-31T15:05:41Z" + mac: ENC[AES256_GCM,data:NfkyYoZXDQKrPLKEn9cD3wydkoW7DA4i9QE+9/SaUuiR2hHYip9pS1LXxgpzIr2EL3WPR61NdcEMc4+p1IDykbsmh+MqkwuOf4bgwboJJKtlk7R+/bH5OTLVrM8jUcgwW94z/63whRKvqZV4lf6tSWEouzt8YB3ukWAMKUx9DqQ=,iv:g8iPucegVJ2aYOZkYHDvh7OExJ8Vwdveq7v1TNUf4tk=,tag:t1qy7CvUAPkfF3ZOXpRs7Q==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/macs/secrets/nixos-foundation-macstadium-44911362.yml b/macs/secrets/nixos-foundation-macstadium-44911362.yml index b10fe4f..b5e8af4 100644 --- a/macs/secrets/nixos-foundation-macstadium-44911362.yml +++ b/macs/secrets/nixos-foundation-macstadium-44911362.yml 
@@ -1,10 +1,7 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:YvpvZfSJcVx1iPBi6am3QXAeW70D4DSkHO/kf+eOpK9o+9dSjUg/FGcxc36Z7uV4AFo=,iv:tgFmPSvnB7Z4l1Mllef1G8Fiy02FacvtWLdh5CmTyfY=,tag:Llvp+9x2l+G/PT15AE/WWA==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:nlR533Docz60HEU0ooGtK3pwcEevnhDUmsRR5TJvd8lMPvCS733B++UptjsFOD3qWXt1HRJJBzscJHwIfwfXDmXPv3XCY3QG83g6dfKMhMF1QyqBYuKKmMBUkhua53GJqYRcogdhj5Uc4cbC2L3qSyXBG3NAuqE=,iv:K+SgPkL1QiFvmB4eMR01x/zjM6U5zyDncntdZbhAJnI=,tag:3XDV6eYkl8GOPaIIXeyG9Q==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1d0u5ukkwsf47x4jv6uklcc4j3ljnmyz879syya2qneagz0t42cqqyf09dt enc: | @@ -60,8 +57,7 @@ sops: ZHNtUVovMzZMdTFHeXphUnhCME56VHMKIfn3CmtPWcawLneAxooUXPfvFe8M6avH 93pyl50ghHLZrbipjLAu7G2wtUTlFuiMY0vG8+jRQJHgq7FkHtdalQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-22T21:32:33Z" - mac: ENC[AES256_GCM,data:GTMKMUGIgUvgbHEKAtFSVkycF7Nt3yLGuSEwWn3liMs0hxOX3Iyeq+Fq5HuYvCVy65xBTc/PwzvC4rd2rqWPg3ohWMY59IVDDWAUml8XSvhA5PEmFfHTyUVKYOIdJEeQnFiDu8bG/d2g1kylcwfvTtIz8Bmi45Ojic2VUX0+cmw=,iv:q51XOa+oo86fOqzRx/rOnwbUnWJlwD9ovBzRoTXy7Ng=,tag:t7eYTDh3jIpFQvsz4mkr0Q==,type:str] - pgp: [] + lastmodified: "2025-08-31T15:06:03Z" + mac: ENC[AES256_GCM,data:G/a4GqIpj4zKdH/zDik4hr3LIDtJwJTK8HafONRItAZoETo0gy7bqBymOKn3eaWaJW2PP81dQnv6liDQh5GUuo51Th2K3dWrfORwL3IldLebZO4MNhDufnld3uFJyvSm/JOvV2shfH7SAN0Z4BNeoerwAndsvatcHLY2ce1C9js=,iv:pSJhRWllJCqx7nOBpDbMKut8XEnwYWo1l8yUFUvbI54=,tag:/fq1krHM2ip0LFvfHG4v0A==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/macs/secrets/nixos-foundation-macstadium-44911507.yml b/macs/secrets/nixos-foundation-macstadium-44911507.yml index 93bf31d..72c2e1a 100644 --- a/macs/secrets/nixos-foundation-macstadium-44911507.yml +++ b/macs/secrets/nixos-foundation-macstadium-44911507.yml 
@@ -1,10 +1,7 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:YmvZ+UwoKtY81wrzr0oSoRGFVDcWqp8WkSApWd5n5/mQr7vGLQA0ZvpGsf1G+nNzE+g=,iv:ebCwaYy120OPQ5zXLxVLk4vD5+wiSfB0G7TT24822YY=,tag:ACldOsS2mterk/5a7ThuoQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:EhZa2bSybMbMCPGGoFeBSvVREyMQTE8odlHgjl0lxxjYgFBmLjhlsmYfv2/q68Mv+oxww5Cv2czL78B7OIX9fJShJwCuGvSnOzMYeSrr0P/8Afh/whUP44IdeXgMasHrD9v2KDSgeUTMQ1oo9663GkLTkblMJ5o=,iv:lSSCNiY7hc2Dh+LUxaGQTWOkxXIvPBAMV3k95lXvCjo=,tag:/7Zp5Bw6Ld2CB7jvUlUixg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1s0m24l3s29jr345uxk5j8zq7kd4sln3rvf0pdtd6afum3smtxsyqtjra0z enc: | @@ -60,8 +57,7 @@ sops: WmJIL21zMU1qazVPc09OREN3b2JRU1EK6ioB1V81JncWBbO+pkqWSKYMJTxn8ykV 7mAX6NxFxlxrbQmlp4wz8HESNvkUIKGKuU3Dd8FegP4VUze9IoPVfw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-22T21:45:02Z" - mac: ENC[AES256_GCM,data:tR95e0eYcor7kmeWrATG4DS9soYzLPf1q0ZDCbyVPpiswwrrMtvn2uFZldAxRkUqH9FYOUVqbN85O+3jyfq/fwOGXjQr6IitBaeqOcEuLLt35+u2GGNb/rbVPpXxDcy9+RBOyDNTXk5JFKN9aR74WSuBEm/38sr8mFlfE9+pT18=,iv:m5lbOVWLbit4OmAHGy05cP5cyUd6x8ON6oSAylMxKdc=,tag:Sy2EQEKzbUYjufzBv3gXwA==,type:str] - pgp: [] + lastmodified: "2025-08-31T15:06:26Z" + mac: ENC[AES256_GCM,data:Ed4lAjLxiAx8Qqoy4XfXJdtl8ypjCucipaDYgdnwaAd7dZEh3n8ba6Nktgqkkk8N++rO72K3zGZlFCKtc/oHK/oiUMnTG47KEJ47XcbrEspijGB0uu4n1YgRbiKGhgOTqgHzwcGym8Reg3/jYk83Wq3KTTDJWjiW7rJf2TzYmr8=,iv:FB43RPLaNhi6f8gk6amlKbsVe9S1NUoVy1j53lidQEE=,tag:9NVRbzFeqpA5sOpWr+0foA==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/non-critical-infra/hosts/build01.ofborg.org/client.crt b/non-critical-infra/hosts/build01.ofborg.org/client.crt new file mode 100644 index 0000000..50921c1 --- /dev/null +++ b/non-critical-infra/hosts/build01.ofborg.org/client.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZAwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDEwKjAFBgMrZXADIQCj +6blZljlur8EmgUA9yNjQrGkg647jacmiy+kn1znGT6NCMEAwHQYDVR0OBBYEFH6t +LjEVdWyQWzR49xirHn9QoNUlMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBAJy33gi4Azqa0Y3hEdvkg+bHn+SsEWOSlls/cy0Lfl6l+qGn +Jd9+vtequq1aXWqzXE3g0r4vjqzQDg8GJE1j5wo= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build01.ofborg.org/default.nix b/non-critical-infra/hosts/build01.ofborg.org/default.nix index bb18813..3d59609 100644 --- a/non-critical-infra/hosts/build01.ofborg.org/default.nix +++ b/non-critical-infra/hosts/build01.ofborg.org/default.nix @@ -1,7 +1,9 @@ +{ inputs, config, ... }: { imports = [ ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -40,14 +42,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.build01.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/build02.ofborg.org/client.crt b/non-critical-infra/hosts/build02.ofborg.org/client.crt new file mode 100644 index 0000000..37fafc4 --- /dev/null +++ b/non-critical-infra/hosts/build02.ofborg.org/client.crt 
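Review bot: The `services.hydra-queue-builder-v2` block and the `"queue-runner-client.key"` secret added here are repeated verbatim in the default.nix hunks for build02–05 and eval02–04, with only the `sopsFile` path differing. `serverRootCaCertPath` and `domainName` appear to be what the builder uses to authenticate the queue runner, so eight hand-maintained copies make it easy for one host to drift to a different CA or name. All of these hosts already import `../../modules/ofborg/builder.nix`; setting `enable`, `queueRunnerAddr`, `maxJobs`, `serverRootCaCertPath` and `domainName` once there (or in a small shared module) and leaving only `clientCertPath` and `sopsFile` per host would keep the trust settings in one place. The enclosing module attrset starts outside this hunk.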
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZEwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDIwKjAFBgMrZXADIQAL +Cdl+ZbvuX8OUBj5MIMfL7120fT1NxFk6C4DydQ7Qt6NCMEAwHQYDVR0OBBYEFGAH +xmXkYN9IDgVaHjA/oEj2921hMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBACmGjy4gHWTiahHy2P/hPQ661vfob9nkBQ+CEG1FSaK3ImpQ +yPVG+BJiu2oT50EO3EzdsV2tUk9VAhcYNA2YXAg= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build02.ofborg.org/default.nix b/non-critical-infra/hosts/build02.ofborg.org/default.nix index da7752d..67f83ef 100644 --- a/non-critical-infra/hosts/build02.ofborg.org/default.nix +++ b/non-critical-infra/hosts/build02.ofborg.org/default.nix @@ -1,7 +1,9 @@ +{ inputs, config, ... }: { imports = [ ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -38,16 +40,35 @@ memoryPercent = 25; }; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; + }; + system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; - }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.build02.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/build03.ofborg.org/client.crt b/non-critical-infra/hosts/build03.ofborg.org/client.crt new file mode 100644 index 0000000..6bc2e7d --- /dev/null +++ b/non-critical-infra/hosts/build03.ofborg.org/client.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZIwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDMwKjAFBgMrZXADIQC8 +UiCK9YGsTI+144EzVlCjuwz0wBUyOwjg1b2lnQCdZ6NCMEAwHQYDVR0OBBYEFEDA +dN0ht/zFU5Y7KER4xxTAeZdrMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBAHDszlrrBBg8Q5tHeynkDLY+Cvh0gOAaUmyoMkfhlPNxKNLH ++8NVKKkDoVLreYcLrKxEg+36KIBU/Z3uxfIAew0= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build03.ofborg.org/default.nix b/non-critical-infra/hosts/build03.ofborg.org/default.nix index 2ccd91f..9e5441e 100644 --- a/non-critical-infra/hosts/build03.ofborg.org/default.nix +++ b/non-critical-infra/hosts/build03.ofborg.org/default.nix @@ -1,7 +1,9 @@ +{ inputs, config, ... }: { imports = [ ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -40,14 +42,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.build03.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/build04.ofborg.org/client.crt b/non-critical-infra/hosts/build04.ofborg.org/client.crt new file mode 100644 index 0000000..88cdd99 --- /dev/null +++ b/non-critical-infra/hosts/build04.ofborg.org/client.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZMwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDQwKjAFBgMrZXADIQDH +sVDND3YMmQ9ijOxK9b65fhuCF70h8O4d3NAiKUzZp6NCMEAwHQYDVR0OBBYEFBy8 +QofH7VDm+VVK3YunEtbxGc/OMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBAOsNsCCH+jV9xUaaQG0t40IG8UMr9b+ThA9hiOnrsTOmUfE7 +wsl1639LWXyoWiqjsj7g646M70lPcWCqocxDhQk= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build04.ofborg.org/default.nix b/non-critical-infra/hosts/build04.ofborg.org/default.nix index 64c47c5..85e87ec 100644 --- a/non-critical-infra/hosts/build04.ofborg.org/default.nix +++ b/non-critical-infra/hosts/build04.ofborg.org/default.nix @@ -1,7 +1,9 @@ +{ inputs, config, ... }: { imports = [ ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -40,14 +42,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.build04.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/build05.ofborg.org/client.crt b/non-critical-infra/hosts/build05.ofborg.org/client.crt new file mode 100644 index 0000000..012a25f --- /dev/null +++ b/non-critical-infra/hosts/build05.ofborg.org/client.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUugAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscZQwBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBQMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKzApBgNVBAMM +Imh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWJ1aWxkMDUwKjAFBgMrZXADIQCV +CeAL3FB4rMIDBSife7abqJK2+H7OAskVY+jOXcytEaNCMEAwHQYDVR0OBBYEFPXn +CTIW6uvZnozTKkouPPmtgoOkMB8GA1UdIwQYMBaAFNMEBugcUyrWMJcsLsg9Gla/ +9a+IMAUGAytlcANBALq7WRX5hKqnjLTgaoLgwBbH5FPMhf+rC+63lepxl0/kAeoT +IgiSCPV7GonPxeLsqE+uytoQ2CaPYwBRosPTCAw= +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/build05.ofborg.org/default.nix b/non-critical-infra/hosts/build05.ofborg.org/default.nix index d502f63..12cd063 100644 --- a/non-critical-infra/hosts/build05.ofborg.org/default.nix +++ b/non-critical-infra/hosts/build05.ofborg.org/default.nix @@ -1,10 +1,10 @@ -{ inputs, ... }: - +{ inputs, config, ... }: { imports = [ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -43,14 +43,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.build05.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/core01.ofborg.org/default.nix b/non-critical-infra/hosts/core01.ofborg.org/default.nix index 766f5fb..87a2d90 100644 --- a/non-critical-infra/hosts/core01.ofborg.org/default.nix +++ b/non-critical-infra/hosts/core01.ofborg.org/default.nix @@ -7,6 +7,8 @@ ../../modules/ofborg/github-tokens.nix ./nginx.nix ./rabbitmq.nix + # ofborg.org landingpage + # ./website.nix # Accepts webhooks from GitHub ./github-webhook-receiver.nix # Checks wheter a PR event is interesting to us 
diff --git a/non-critical-infra/hosts/eval02.ofborg.org/client.crt b/non-critical-infra/hosts/eval02.ofborg.org/client.crt new file mode 100644 index 0000000..1e22eb4 --- /dev/null +++ b/non-critical-infra/hosts/eval02.ofborg.org/client.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmDCCAUqgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscY0wBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBPMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKjAoBgNVBAMM +IWh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWV2YWwwMjAqMAUGAytlcAMhAFcG +BnePuRCpdx2IRfr+ZzL1OFlqMJGYiKKG0aVz58kyo0IwQDAdBgNVHQ4EFgQU7eLl +cmwgQE5zEb2j/e3/WvQmyh4wHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1 +r4gwBQYDK2VwA0EAicmxp8HCEF7bwk8NjpayAEPAFq3SPqrl/Bg3ruZitdKUY/Mf +5rEjjlCP6/GjzAfg8kki/t3dyv0Jn1uKjmaMBA== +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/eval02.ofborg.org/default.nix b/non-critical-infra/hosts/eval02.ofborg.org/default.nix index 29d15b8..14f33c0 100644 --- a/non-critical-infra/hosts/eval02.ofborg.org/default.nix +++ b/non-critical-infra/hosts/eval02.ofborg.org/default.nix @@ -1,10 +1,10 @@ -{ inputs, ... }: - +{ inputs, config, ... }: { imports = [ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -43,14 +43,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.eval02.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/eval03.ofborg.org/client.crt b/non-critical-infra/hosts/eval03.ofborg.org/client.crt new file mode 100644 index 0000000..2e49740 --- /dev/null +++ b/non-critical-infra/hosts/eval03.ofborg.org/client.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmDCCAUqgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscY4wBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBPMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKjAoBgNVBAMM +IWh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWV2YWwwMzAqMAUGAytlcAMhAB0a +xge5pV7G50sB0vcIUlSMLQH09Wtu1lpVMkyZJhwYo0IwQDAdBgNVHQ4EFgQU8fyD +i3r+cVJo4Yg6O6jyKzhKVucwHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1 +r4gwBQYDK2VwA0EARtdZCQID1oUjAZojQLw+pquY9QUrePC8LIBUPzMsqyunJYSC +jths2dINWC4p2x6rhkAAfsi+AaCLRXwZHdWcBA== +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/eval03.ofborg.org/default.nix b/non-critical-infra/hosts/eval03.ofborg.org/default.nix index 08d5142..ca2d9f9 100644 --- a/non-critical-infra/hosts/eval03.ofborg.org/default.nix +++ b/non-critical-infra/hosts/eval03.ofborg.org/default.nix @@ -1,10 +1,10 @@ -{ inputs, ... }: - +{ inputs, config, ... }: { imports = [ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm ../../modules/ofborg/builder.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -43,14 +43,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.eval03.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/hosts/eval04.ofborg.org/client.crt b/non-critical-infra/hosts/eval04.ofborg.org/client.crt new file mode 100644 index 0000000..ada2e7f --- /dev/null +++ b/non-critical-infra/hosts/eval04.ofborg.org/client.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmDCCAUqgAwIBAgIUfUYjDOaJML1lIMkAMvLjnSTscY8wBQYDK2VwMEMxCzAJ +BgNVBAYTAkRFMRQwEgYDVQQKDAtOaXhPUyBJbmZyYTEeMBwGA1UEAwwVaHlkcmEt +cXVldWUtcnVubmVyLWNhMCAXDTI1MDczMTEyMDQxN1oYDzIwNzUwNzE5MTIwNDE3 +WjBPMQswCQYDVQQGEwJERTEUMBIGA1UECgwLTml4T1MgSW5mcmExKjAoBgNVBAMM +IWh5ZHJhLXF1ZXVlLWJ1aWxkZXItb2Zib3JnLWV2YWwwNDAqMAUGAytlcAMhAFcS +v8kRpmT4XxN9Wpy1eUleEAfaTYjkRDNLvx/wyzmco0IwQDAdBgNVHQ4EFgQUyBE8 ++NWvcR45rtQz1Kq2T4rdca0wHwYDVR0jBBgwFoAU0wQG6BxTKtYwlywuyD0aVr/1 +r4gwBQYDK2VwA0EAP1fJ6PHx+1Y9HSEn0WEndXVf/BW/rsPAwrxPPUZSX6FbwsPQ +uEIx9gIfy02H7S+qTNsXHH/YG3Vk3ZLcBDVLAg== +-----END CERTIFICATE----- diff --git a/non-critical-infra/hosts/eval04.ofborg.org/default.nix b/non-critical-infra/hosts/eval04.ofborg.org/default.nix index 179a81d..ae9f7bd 100644 --- a/non-critical-infra/hosts/eval04.ofborg.org/default.nix +++ b/non-critical-infra/hosts/eval04.ofborg.org/default.nix @@ -1,11 +1,11 @@ -{ inputs, ... }: - +{ inputs, config, ... }: { imports = [ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm ../../modules/ofborg/builder.nix # ../../modules/ofborg/evaluator.nix ./hardware.nix + "${inputs.infra}/non-critical-infra/modules/hydra-queue-builder-v2.nix" ]; # Bootloader. 
@@ -44,14 +44,33 @@ system.stateVersion = "24.11"; # Did you read the comment? - sops.secrets."ofborg/builder-rabbitmq-password" = { - owner = "ofborg-builder"; - restartUnits = [ "ofborg-builder.service" ]; - sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml; + services.hydra-queue-builder-v2 = { + enable = true; + queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org"; + maxJobs = 2; + mtls = { + serverRootCaCertPath = "${inputs.infra}/non-critical-infra/hosts/staging-hydra/ca.crt"; + clientCertPath = "${./client.crt}"; + clientKeyPath = config.sops.secrets."queue-runner-client.key".path; + domainName = "queue-runner.staging-hydra.nixos.org"; + }; }; - sops.secrets."harmonia/secret" = { - owner = "harmonia"; - restartUnits = [ "harmonia.service" ]; - sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml; + + sops.secrets = { + "ofborg/builder-rabbitmq-password" = { + owner = "ofborg-builder"; + restartUnits = [ "ofborg-builder.service" ]; + sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml; + }; + "harmonia/secret" = { + owner = "harmonia"; + restartUnits = [ "harmonia.service" ]; + sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml; + }; + "queue-runner-client.key" = { + owner = "hydra-queue-builder"; + restartUnits = [ "hydra-queue-builder-v2.service" ]; + sopsFile = ../../secrets/ofborg.eval04.ofborg.org.yml; + }; }; } diff --git a/non-critical-infra/modules/ofborg/ofborg-config.nix b/non-critical-infra/modules/ofborg/ofborg-config.nix index 8f924c8..d891c20 100644 --- a/non-critical-infra/modules/ofborg/ofborg-config.nix +++ b/non-critical-infra/modules/ofborg/ofborg-config.nix @@ -6,7 +6,12 @@ let # Missing: username and password_file }; in -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: { environment.etc."ofborg.json".text = builtins.toJSON { github_webhook_receiver = { @@ -84,4 +89,6 @@ in }; }; + nix.settings.trusted-users = lib.mkForce [ "*" ]; + nix.settings.allowed-users = lib.mkForce [ "*" ]; } 
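Review bot: `nix.settings.trusted-users = lib.mkForce [ "*" ];` in the last ofborg-config.nix hunk makes every local account a trusted Nix user, which lets any of them override daemon settings such as substituters and signature checking and is effectively root-equivalent on the host. `lib.mkForce` also overrides any narrower list set by other modules, so the change cannot be tightened per host without another force. If the aim is to let the builder services use the daemon, name those accounts instead, e.g. `nix.settings.trusted-users = [ "root" "ofborg-builder" "hydra-queue-builder" ];` (names taken from the `owner` fields in the host hunks; confirm which of them actually need trust). The forced `allowed-users = [ "*" ]` matches Nix's default and is only needed if another module restricts it; a comment saying which one would help. The module body starts outside this hunk.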
diff --git a/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml index ed3ed9f..f24db18 100644 --- a/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.build01.ofborg.org.yml @@ -2,11 +2,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:PJutzppfwBpsqcnCn8nsiistlFAFvqx+WyClEFQAPbFPi8l4wTZ1emVkkPt7b6tmI/w=,iv:iGSvtMrTV6hcKkbubgH5bwJbJIB30K+apjX5xZ0BTC8=,tag:16W2YeZoED5PjKCW2piiyA==,type:str] harmonia: secret: ENC[AES256_GCM,data:l0ksas81hQj9u9FHZiW54tNWf9h6KV9G2zQD4T210xeW+zA/5C+fMqO6XVcQfISmxUjBzHCROr7mhLo/26S1ko+nUJq2sKu6fxiAF+yREH6rqFwC9wn4egochDaXQoAcE4a+8uPh8u8XT+A=,iv:hCVtTwC170TPpBHQDzPK72+RxS5HNYLv8J3LvvttJ4g=,tag:tvIzWGanqOPku3+oywJ7Lg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:/8jVcQHp4rUDZizbuPmQy3IrSAlxuYJ9vMHDUSbShu7iZ+oIq1h0cxJmfvFZ+Rf6/a1ZZZQykyUcJeGlNvCpFYabKWit6RKcHHSy5S3lg50kKMwyZga4h9FWjWBd4rJ3XOCbelQXNwAfXBBanxgF1hMlE+SXoAg=,iv:6VUR22+ZIlu0eyWechcAM8Z6QWqCfBynORivUjV5SOA=,tag:0CQ7BVo4IKqnV7j9gyplXQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1ulnex45wt7fpj92jy9c5del3ccz6mmnqptrsva24k8m7qsez9pcsdu3eae enc: | 
@@ -62,8 +59,7 @@ sops: VTQ5VjgzeWd3Kzh5YzlDdW9wWjY1TUEKf0BR88592mPaCyRbDQXk0qrxTRsPpV62 ii/0v3v2eQH4n3DESR5xe0ZXRW3YUoqnHzJMu7e7zKhVexQiskwOrQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:25:00Z" - mac: ENC[AES256_GCM,data:4RwuN6VYQY5/dTWEWxrP+qqRTDFMXyErGYnsu1zl+E7TBCEW/fcnC0Ji5jmxDf+vF5QiLt3U6KaOlOPdlO/GUKyYLysOPRS2t9dWHx8uUie0vuC2oQhe+u0MTaPnlncoatnC4CQMBNEdHszxq/3/nQnCRTtAUkNZ/qfaE8n1jGQ=,iv:afSBgvmAHeigkyaC/g54LdP2vl60WQBlCJlAhY187ZM=,tag:h9iCjm8CJZxzL/8+93rqPQ==,type:str] - pgp: [] + lastmodified: "2025-08-10T19:16:28Z" + mac: ENC[AES256_GCM,data:dbrYWe2uHQRY0lkaCaqwAtXNJe+NzPEhTVBEjN/gybqILx7EylTNxkEC2OUeK66nm6PoRQ6F/mrqf9qLcXwfVqnQAHVa8CWFCb9EeYBNGoe7KPmxCxzpyHHG+mQdvz3jLD5h1lXVoRYcks2yOOYUKJQGpjZe8gxoraqkUEQQiiU=,iv:+6oRGpSd6uMyXrEO0dJq+6RvLNGzie1p1st7d00+q+k=,tag:VnZs/kGP4yPcM15q/tYvEg==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml index b44c183..afe0dbe 100644 --- a/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.build02.ofborg.org.yml 
@@ -2,11 +2,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:QVJgi+XJWIlSHBXWIHZTh/ADCChlyLbRekV5bpyIvxmacvi5D2ILVq8U2RC2Nf0gnOc=,iv:fSUmuf4sAg/8+ZFvxM+JEVpUWXudwszSt6z+SgF2kfQ=,tag:+GF3yKvt0ZoxeTiHiWRu+w==,type:str] harmonia: secret: ENC[AES256_GCM,data:n7l9VJh9fpp3RIoGbofZivhLjrMRBdZYLMBxoIP/6Gbm5WVXnKqJ3QinVGuzdUnJN7nCgupmD6OWza38PS6DJ1ZZ0WzwZ5qR2M7l0BERzUwl4Ow+APeSyv4DFhUg0J6Fmwvb/PmAGfG8ows=,iv:bX/dQR8YPWBJ9OdpAuvHuBCf8J0yDxSqALrGf/ozlYE=,tag:SEWdW+zuSvsQovK299i4BA==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:ySLkgrEoq17F5mHSYi9gxLTebpK2BYStrGsfsyTc5qpGCFi36heHLrS8fH2ChGOe4Bt+AVuRjgSWYMAFZPL6RoS9E1a2Pd35J5DLjXI330D237ouRMBeKu2LBCPUzaiO0AD73fRfpwYbh7TzhYm+qlCdKmgMLpE=,iv:nKQ9MqjbznvEWduAeGmzoRt9NQAr0bSRAJwt7qMa7gQ=,tag:FtVM7uDyYW58CctQx9m8rw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1wrp04f5c0d4jx3hwjsn8cyxdjzpzx6fl202zftqfvfdt7hx8efgskf6s86 enc: | @@ -62,8 +59,7 @@ sops: UVRoaXFTa2xmSUZUY0psMEtnZGFIL0kKpceOpY9f3LaCWtF465HzU/+3TzofV27z ZQf0aFz0u5+T5ZYOwIsQMx8MV7vorI5Ifz+AnSMirSZKUQsba4dpOA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:26:00Z" - mac: ENC[AES256_GCM,data:9L2e1eLGN4SEfILRGwQASrQFTXZzUjRNxV9YsQWuIa835axwjNvBXkbbfBZxrXNtmQpZ+fdIMWVJjSvcp7Er6NfJUW2zRyAO6JCgT16wfYG3fre1hwt2hqJBhbSo/wyQIshXZT76Y7blf5IVj2sLjVB1AJZaKwhYy9AXwJU3W5g=,iv:sCnX9REPUsEEyxAHnnlK9275WIfmHYhccH2CVakpU+4=,tag:qTXmVstCTF3zgRfh2zkl6w==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:39:01Z" + mac: ENC[AES256_GCM,data:eOCu6Ih5JpuZekioxI+jkwxIkTqiMxVnOT9mN6BPYp4wBLzAPrampuNoZV9gU63cjX2zzqNP+GaXygyW4A+DbT5K1uCxZLAM4AgyvCnSs27ck5mJZKi1H2CC5XTs8Huk4QerbPdI5+EfIDGelorAW9BFS6uc+s213udXAKdLNcY=,iv:/TPX4juuVEpDj/5GPE542rsGknl2NX4ZutJGVHKUxtw=,tag:JpBJQPWHyKGaK3D7BDAvBw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 
diff --git a/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml index e3118b3..2d1f96c 100644 --- a/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.build03.ofborg.org.yml @@ -2,11 +2,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:YXvfUctFG4D0HEa87dW8YBTQiDpAEvFjHONrvync5kcFHrbwBFUPr1+sdGauShJDPeU=,iv:Uubwa947ItOcswBwB7Wq6QVXSlg8TKy8wetd1H6lSVY=,tag:bF4vEaWqyO8aGEir56cGOQ==,type:str] harmonia: secret: ENC[AES256_GCM,data:bd+Yj1sQWbPEBHjVNUP4DfTsuz55y3jgBslycICP86IafshhA/x4aoqGYRPN750PR0iiZJkkvEABigjBD3wh+p5yuHxLAQzfmaTghJ8vatvAoarjxZ6CmeAHD5pKDWdn0NBqtyknRsr9/AU=,iv:refy8KB76qxLAE8CHA47N7GFnIxsMxM4/8XnJ4N0/+8=,tag:7YXtRhLqITJdz0YCBdROcQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:wq9bLGk9xDZoFz5zWHymTw2OxujgpWbojgX7Fbj2IdlGN9r7++BLRx8sR2h++Hi0YuY6kUdlvlSJ+SeOj/IwG73ke80mJB7zx88++jw8FnQ/xrQiP0Jdes3AJMe/t2PGJtOXQdy9GHIZlokBJovSuwZ4E+SqMjo=,iv:e1Ky7/sfQlWk9AfdT0Eu6Dck8LVKJSeQ/WYlzV4/xoM=,tag:aHARMMfrBXT07Kq94aCRTw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1n0yrvl2v397kztuhf00cdvrhf26c9uegwz6day8z9pyqj3zff4sq6ha0lm enc: | 
@@ -62,8 +59,7 @@ sops: elB6SC9DQThBdXhPVGZ1V3prWTM5ZkkK4WAp7pEhKAHVWUGl/Yr+k/NFxS2xDErT Uh5XEHQSL87JA4DSJGSzJNDeFN3TJiVCwFWaQ3rR422/A2YWQVphzA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:26:47Z" - mac: ENC[AES256_GCM,data:Ha+N5wtQIloUYsCLdEmTcK1sYkvnpJo22qbyq6LsrMl+eQWm7z1GX9KBgSqM6iyq9BHTpN6pl1o/yzbwuQz7uslr4YDkzIGHpMcgTeTDbYUokWUd1wVPhBaOceSydwTmEI4lr7cfQh5PPVSXKpa2MEC50O+U8Cy2lwg2LKnE6o8=,iv:4YmcbFeBJVqCnGYj7fgDUJLrGwonF3Us7nP/y2pmuOk=,tag:vUkbbC7wGTxgp381ES1tMw==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:39:15Z" + mac: ENC[AES256_GCM,data:SK6NlMDwRXtr6heqyakmm388FFu1cBCzZ4P9CYNimrb/Qt6ZXf9YDzsyuiyvPpUEjqrnXqDtlaz7b43hG4LiKP8DmM9guVKzywmwea9QmircihovvZ48Et60A28eGBvxQFOJWgn434aI7xaJuU2dpDQgukjjkjwzE5me5SsM+Ns=,iv:vzicQbbt2/Q3KKgOR7q/V4r/L4kostr/eWv/C1oY0LI=,tag:ZT7SVqgGhHuR/1toYPkECg==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml index 6d88591..efa0f22 100644 --- a/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.build04.ofborg.org.yml 
@@ -2,11 +2,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:BY214D12Z800uyoMHxoH4y/BRxpg3cJMXCjae3k5lCmZeYahpaUx7Frd2i9fQmPaiOk=,iv:NNADJIcdzvtNWv++Q4Sd8MpHdJ1DhwMDNqI5RGc5KtY=,tag:8OTV+0gk/v6moTjFzFXDIQ==,type:str] harmonia: secret: ENC[AES256_GCM,data:BA5Vq/CY3lnLxbvzvTKfztlBdpPqTmkJ0DAAnk8OYSfCu0HF0kXUuPlhkqfZIi/Z9KKETrMtAPmtwSsakRtjlGgwXX1yPFNLCvyjyDY6CuqYFqbWESSThCqg9Ygm2yTtfOEH6sr0NPKHXHM=,iv:UUhp73xbtBfZnhRY5OTGWmYD+uaQ1TlJfC3cQ26p/VI=,tag:svclNQwF8Vib+wCLIDybyg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:BsP0kv7VmThjFR8JoxSjif7nD9at7egv3i/5ZEFzF6euz7NBxV8F4GpXeqUIVzx02pDWzcnMmGpXb2rZkPCUoecE06Y/Dz8GktRZaU/IJnhCmaa0ktlYl0X9ttXr66Jn0cyt0bnSjQE1O/yTMaFXCrPLeAVMd4o=,iv:wvFZwdqyuoX4sc3yDAJy7oWpwvoFnq1zERyeLscc99k=,tag:35jBsVfPIvjSVnoZWKZcWQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1l7xmxkh6y6d5svj06txknamlwdpfwac8855p3edgpu6jcqea7pvslw4r9a enc: | @@ -62,8 +59,7 @@ sops: T1BteWw0U0JHZ1plMW9iVk9iQ1ZpNmcK+tLr+/uq+yhhyZBv0LmSL5XLx1kpVIlA Xnqrw2lD2h79/UI5/T/LKEzWf0vUCDatNoK9f3ISYCzDopvoS+Wzcw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:27:11Z" - mac: ENC[AES256_GCM,data:LT/YMk8cqPtGvN6Km6MyDRfjTCyWAM7Fvcgt+n+2Cxcok/FRDRSM0kdO0+wKgdKLMwWcR/YgVTUbmAuLrYY04LnCbrWaJ/3ctEe0BTmpDF1f5txgImCUsCgYvYQGcLJ+fgvBdeZm6e346VO3nzVIRCJGlarpWfwmKLyqUMRvEa4=,iv:UHiGDGktJgObCHh9uyRdbZ60wwUZ/wk0Zs+ppKyl3iU=,tag:cPzhCdpZQDbVUkgZbsojOA==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:39:32Z" + mac: ENC[AES256_GCM,data:RiDq8uRtVR3ojwLeM0ZyE6I3/Et+QeG9kxYOe61iPiqlM0zQZCSZqdDKOnUNxIquAbMyoVuwmHTtE6TGB1XER1KRNST7CPYnut9pnO8ouNspS8QE2+zs2guqfaN9aPMgJ/9YsKaIeie5eP6NXLO8X1j5AvVz5E9T6zswQWFRMQw=,iv:yXqEUowR9hl8l7afqYglBtVpy7n3Bnh3v4pFvBUHHy8=,tag:dgHSLCKmE1cG/lT4KFrZMA==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 
diff --git a/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml b/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml index 0cc08ff..dc4c37f 100644 --- a/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.build05.ofborg.org.yml @@ -2,11 +2,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:6C7gffgkLc1e8rg3s9nDOPsY3/tjA6V9N8bVIOhas9UyTMB+phWQtTeoSrnb03qEjis=,iv:zZoiq7hMzADohBx9MzqBMiEiH17GvGNAlqZy9uGn7zY=,tag:6h7kpX51Pa/JWQvyYPt7hw==,type:str] harmonia: secret: ENC[AES256_GCM,data:3rXrIPnJ5c4pnAchjHZE5waic9vSiou3wloEANmpPore6WlGx56V1PTA1kd0UYDcLSCSkUts47U/5KyKXkaQOHyKcilBzv0vlWgkHWi1n/HplVSkTIGNfl75ROYd3TeQ0PP8UnpQaxGF0A4=,iv:A9uvQJw+TqqGdQLWHJhYyf4FUVGgNDx7zwQRcIFUr2Q=,tag:5LMibUs/f+yIcpIrz99RGQ==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:Av6MqHkWm8tzf93easgr1kXXX2rHSenO5XIdf8nrDXGSKDhftHpzcuO3TRvRVM2jJmzfVO0j4x/pUR91of+K3elx3rUuEFszUtNogJOe7NdTc17pQFvThXVa2U+GPZ6o63f7/VhKTh3btsjfWQBDG7AqywJoFG0=,iv:neAYivmwJp5Bau2KsVt2YTHwMngozRA0yHUJuct3EMU=,tag:mO61AJHGuBmnlR+3mOl1lw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1mduqldqpqp33u2wwh685cwwkpj2ak36z67dtrq2tcskgqkultvps7w9q7u enc: | 
@@ -62,8 +59,7 @@ sops: V2NGeVQ0aWl5VVRoazA5dlY5RlpoRU0KTLh6k3QPa+CSyHMe/NBQw1hoo1UNHUV6 hToDcRsJrsGdtFT5hthvljZA4JTZjraHP2sqsv8mZNsNcVyE7R4NSQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T16:39:52Z" - mac: ENC[AES256_GCM,data:ZQx3FsuFFTjYL2JtQkTnOmNCIuygQhVIQ0g9AL5NKMxK1W3V1AzhFRXPaSuBIfPV0nmG3t/Q8Ezup52K52U6bSRfFV0kbalpiPD7RhyhtVF4A708/+KkwpMgu1Txzby/RMtbW1fvV5tejeuloII0Ns4XwCJ+pQSkHiV774Wmub8=,iv:7R3AkB0fpLuMGVgctLH/BfHqs8IGOu4jEzQKcRORz/8=,tag:w9qINT12h40RgBJXISfrcA==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:39:52Z" + mac: ENC[AES256_GCM,data:YSo7nBvqrZuwH/yzY1U8mFn9PdxPJEm07rY1mHJGdqtDY1h+mp6NufMvW2cNqUk6IUakxuqUUOcXgDtnkS3hLW+lN+Yur8jklyhEx4m1/XbIq01PGHIgLPC8v1Kvigc1ZO89UmFrba8+gFXTgImfXVg2LTyHjWp7VIySvUxnlNw=,iv:qlgxip8P7Ud3xR8qnrJ7W+BhujLBdb9bOgEucw8wXkc=,tag:j61ADB3G6wGVMco9WvnFnQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml index 6a0c1b8..19abd35 100644 --- a/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.eval02.ofborg.org.yml 
@@ -3,11 +3,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:Mn6LTtIYUCaTc51eeRhssjqiRubD3oQxZa0KMA8ZbHJaIFJekiqfTUZA/G5LdT4nJNo=,iv:yyThReELLfPmOqsb7A8bIeRK6u1VwWWhhE82ypqoggc=,tag:C2XU/r8HKsJfHjP70J/SPw==,type:str] harmonia: secret: ENC[AES256_GCM,data:0Ovat+iPF/JzlDnhAUBAkPZLKwtu1ntLVS8UZoKNtaoftKqQ4rR4+1VFwfLLYnagBrDtf1zhWRJOnnvRSC8g08clsMUXk2CneogJVKZdPIKfeL8Dsk4Axh0t2nXVQYKQG09jyDPUs4UgAw==,iv:jx6arJ9d9qf+xAu5g4kNNERRvmWrRq72bVqdcSeqOD0=,tag:Lwa2/I++Y5GtADN+uz5syg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:DQjjWeAqT8aE0FwOnaUloEr3lan5Z9k1bMi/hxqo2O0T9PtuNMzJVBaU+uhLIsiUL7MtFHK7WDkLr95z2kNw6HrnVjEitnAy6RRc0e2uO/TryEhZJMf8D49a+LYoSEgUOAZt8DH0yqD9lRUSbLM1/JR3pPOUJeQ=,iv:TJ93bHR6amSgKlbYnUbVX0Wg1nfA4rU1NwfsAknqkwM=,tag:9veAYX2HcQiFaFahDrTxQg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1qn3q3y04pxumygmq96x0gk9qtrdcgdw4y5nl6xd780u4avk0qgsqy8tuu0 enc: | @@ -63,8 +60,7 @@ sops: N0c5YUxDY09IY01kYUJvZFlLcWtvN1UK2eBUCm5Ikwt6NClzLI8xv5lSMsaM7ETo xW0nPj7CxS9Xpvte55lQja5bnCZjJe+0s1WJndtgBs+AgksuCTNseA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:23:05Z" - mac: ENC[AES256_GCM,data:Lw7jlM3Dy5CQJGg2pSZX7vuQUP8e/4yiHxOCCLvLfXAHnlOCuk4LnGweAiaGnE5Qm6WMeHilI3SEXT4rzbAta+eLlEL76K7xxIcnsloJ9sXrsqVPHAqTvQCxIdjELLRUS0SvykaqpfoDqBAj21c+9aInjI4PHx7QCP5MOG8h4Hs=,iv:t8zusSv5IK+EVdy4pHLw2TI241XW8HuIMbbalgKAm74=,tag:TNM1aj8bR3kb+Y6xEKrnnQ==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:40:14Z" + mac: ENC[AES256_GCM,data:jO+sFUbBhw/OD5U9gXvwe1YxedMW7jxv8je2PJXOX4YApUlk98llGSth1AOMK+Jkfky2yyxgCUb+vDves0u8UOE41itdaFn3Y1FW46cacfgQFJUuepDB+btlC632DYULEM+e/9mAGALxI5AYap0rtce+SEWfPhXXGbm06c+kRI8=,iv:MZfvT6scO40FsqjA4augXuRnf8XgzbRx0coZ1X2MBe8=,tag:V4UPyi0gMjR+WO+stBx66Q==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 
diff --git a/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml index 679640c..7cd40a5 100644 --- a/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.eval03.ofborg.org.yml @@ -3,11 +3,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:5sFff+ugVDLRiwHsXqp0evM9JT2P0I/0twqVEQ2HZo95wo+38Gavlx7tHfIEZC58+QY=,iv:maBiRtPM2/fv84kJIdkbh3sPrgadDPfFBlBCh0Lu7l0=,tag:0gvoarCDYB+Kb/mXIi1ifw==,type:str] harmonia: secret: ENC[AES256_GCM,data:DB0GIKQaVew6Ymn8cJnHrB0B0nlSRtkn+nDIFB1irlnTmBwyUFRnKUVL7Rmd4iejPI6tjZhjKccJ2/A+ZlM6I1kczrdK9+HwwVrTZml+X3QNtDe5EDB8MMVU8Wzn2gMWJQQN7SGQLdIVKQ==,iv:C3QsBXVUkXtRXC2mm2OlAL6TB1Js8O15NBpurm0a+zA=,tag:L4n/cNQA5fmnOOTudyQNbg==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:kRctoguQnH9W088o/PLGf73Vv2YYJkom5r/mwRSMrBcSnQxYoHFcqvbuoX4bz4M0Qvjh8nX+yMacNP3n36HlYBaUv8tRoxwyH1Kf6F/WqBiEp6Ilrd+f8kZbPEL1VqA5ESQVQ3N2szUBOfCJDnk3wnCa4ZVj1jA=,iv:2lWsWdcFDmOQuusZx2TOIsl/49GWE2dlqseL0+UgLFE=,tag:lxRnciShgszhiP0itaceSQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1yssfznyq8rljcpfthpulnvfls0l5t36fpqxkk5taxcwpkqhv9gcqrvvwh7 enc: | 
@@ -63,8 +60,7 @@ sops: UFpzRHFaMkZnYkxFeTZxYzlZbTZ4b28K9Kmul+h7Ltzm/c4stGW5MzQflmFqKctr kgV1a+1qMkwHgoGFOyFZsCgrU62145EFuQ7X4bIq2ItSpeTAU8EITQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:23:29Z" - mac: ENC[AES256_GCM,data:pwbASp+6CL8DGCpHT+NokbqQ6m0Z8nEgJea3tRtlBSWiz6wCf107cFPc2ADEUGVPMwV9XsA9CQdkvEVVXOfs/DvQalvRoT9qopW2ywQOfmM8Ot3x+Us48OJAVbAGTZ3fiZY0F++plfKI7T4rZZdZmU2BEWveHR2OP6c7Ls+frx0=,iv:YB4FZFsWUyXRudZh0zmElAV4oEIGbuRZKOer2h3ltfg=,tag:EumdcGx41q+8Hu3bMbBh4w==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:40:29Z" + mac: ENC[AES256_GCM,data:ktTeS9q/Nn5OVw1uXgtOIWMQkgBe1VYyXxXEALExm/vK5rk3Y6SViY9xL9mNPySQr81NMzo8Y/5q61Owqqax3a5XrQA3m9x4pj16FvAOdcOFJjhRG+/Z9eZdC62DFa+GQDXL0FcauYmn4IgelcJxxJjeltGZO9T5tjB0d5qVeb8=,iv:zYLb1aBMZeKB4roG6ADKqrR9XDRmPgmpL76ky23/VXo=,tag:YhVMoyxi7T5I2h8gfklNyw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml b/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml index 3f929fe..1f3e056 100644 --- a/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml +++ b/non-critical-infra/secrets/ofborg.eval04.ofborg.org.yml 
@@ -3,11 +3,8 @@ ofborg: builder-rabbitmq-password: ENC[AES256_GCM,data:bS1pbz+76nI8+dbqvYe+Qnlh+NuENd1AtKXY9W04n8LW2b0plwdA6JbhRqP7e1q+YNs=,iv:IPL0NKngwD+86NfSaRCK4RHB3d6Ceo7O84EXv6ctz0M=,tag:81T6syiQDyy7BrARgmtEKg==,type:str] harmonia: secret: ENC[AES256_GCM,data:kSdrSKY1Gei0wqvz2B/hhKd1ByoHmgyJZl84qvbP4Uc+NkmwM3tJmuunkPKz9na7Q86DLv3TCYz03mYoUskl5QsuePt2Sf9s7/ZOE4uYI5Xy+DWQqDXSQ0YWltiEth4FqOphkJS3SdmTgA==,iv:uDrxPaxL1fCa2YZYc9GqQAOVke/0P69TS+SEMexQ5xc=,tag:iOlSKt7gwMDyIaI6MeHpOw==,type:str] +queue-runner-client.key: ENC[AES256_GCM,data:QJGUhlM7v0+VPfaQK1usjtFzfTvvjeDwjBEef5sxyd2T753Owy1tWUYMxLxNTikkAGqs+uVHOM6yprpTBSMnpB0J38MgrVtxXqTwNNmEQnJv4xkNV+ux743crxQW20GvoHCbpevob/yWeDTUhKJa9kmNxiKkKPk=,iv:9HJ7iWMr3T7xRoUWSsn7wMlY7abB8S2XgIN4UMLWMAI=,tag:kqO3RPidoGagOoXhfQAfmQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1vunut833rrdfulgnsjqtuke4yjtzexn2xqjqavwzxlgrg7n4y45qhurzwc enc: | @@ -63,8 +60,7 @@ sops: SmhwL09qSUVlbzd0d2ZNQjNhV1p3am8KaX4iGe6V4URDTfe96HjwovLh1I10J3yZ Mb8Ht1xnGCtJc+MV61P8D20/4qRQQmXupuJ+Zkq+BicLVr+u+H3x+w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-27T17:10:30Z" - mac: ENC[AES256_GCM,data:D0qPWsF2DA+DNlJOoqOangq4GIYrvWhxn3p++UdAn+i3qWnL9uOVm717a7XSxRnJbvClTF9jFl/HTqzNgFA8azfeWriGqK1pyTzZyJrcaY7M+FLVvBQeeRsYi27e6+JKXp+NTZg0e7fSrkGnqvWA/qEcUANzinfthxzV1Vmm/Wo=,iv:UCy+Rj96MC6EbKKZNehi9+TTBVmeuOwD0uy43jeEEN0=,tag:P7jkHeS6tZdW8axR/T9n4w==,type:str] - pgp: [] + lastmodified: "2025-07-31T12:40:44Z" + mac: ENC[AES256_GCM,data:BPfQYeQSi3xp3SnGa3KAcPKrXQ9kDWS2KTc/3w1/rw3Qj9xAl7xPhEhj/I61zugObbVLtuFjilD+V/NzOq9gVg9b1ERq7bYhSAl1nJLQIjhT4IbPKKfkfh8XMRRhz7AxQReOsHS4SIxwf71JM84pwxOaL3KItTTHswxLXpqX0s0=,iv:GgeXMCtY6UzDArHUEwy/9hTo+C9Q6F9+Ib2aWo5MCcs=,tag:XbxBQAl19inpN80GKkGt1g==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2