Diffstat (limited to 'ops')
29 files changed, 209 insertions, 159 deletions
diff --git a/ops/dns/default.nix b/ops/dns/default.nix index 136a4c58dca7..ad6e136f2756 100644 --- a/ops/dns/default.nix +++ b/ops/dns/default.nix @@ -2,11 +2,12 @@ { depot, pkgs, ... }: let - checkZone = zone: file: pkgs.runCommandNoCC "${zone}-check" {} '' + checkZone = zone: file: pkgs.runCommandNoCC "${zone}-check" { } '' ${pkgs.bind}/bin/named-checkzone -i local ${zone} ${file} | tee $out ''; -in depot.nix.readTree.drvTargets { +in +depot.nix.readTree.drvTargets { nixery-dev = checkZone "nixery.dev" ./nixery.dev.zone; tvl-fyi = checkZone "tvl.fyi" ./tvl.fyi.zone; tvl-su = checkZone "tvl.su" ./tvl.su.zone; diff --git a/ops/glesys/default.nix b/ops/glesys/default.nix index f4c0478c5d89..2dfb505fb423 100644 --- a/ops/glesys/default.nix +++ b/ops/glesys/default.nix @@ -2,7 +2,7 @@ depot.nix.readTree.drvTargets { # Provide a Terraform wrapper with the right provider installed. - terraform = pkgs.terraform.withPlugins(_: [ + terraform = pkgs.terraform.withPlugins (_: [ depot.third_party.terraform-provider-glesys ]); } diff --git a/ops/journaldriver/default.nix b/ops/journaldriver/default.nix index d2413e74cc92..a06a858fa12a 100644 --- a/ops/journaldriver/default.nix +++ b/ops/journaldriver/default.nix @@ -4,6 +4,8 @@ depot.third_party.naersk.buildPackage { src = ./.; buildInputs = with pkgs; [ - pkgconfig openssl systemd.dev + pkgconfig + openssl + systemd.dev ]; } diff --git a/ops/keycloak/default.nix b/ops/keycloak/default.nix index 96f0c40e5e2a..5757debd1a39 100644 --- a/ops/keycloak/default.nix +++ b/ops/keycloak/default.nix @@ -2,7 +2,7 @@ depot.nix.readTree.drvTargets { # Provide a Terraform wrapper with the right provider installed. - terraform = pkgs.terraform.withPlugins(p: [ + terraform = pkgs.terraform.withPlugins (p: [ p.keycloak ]); } diff --git a/ops/kontemplate/release.nix b/ops/kontemplate/release.nix index 8a04109526cf..6a3dbd5efe87 100644 --- a/ops/kontemplate/release.nix +++ b/ops/kontemplate/release.nix 
@@ -10,13 +10,17 @@ # This file is the Nix derivation used to build release binaries for # several different architectures and operating systems. -let pkgs = import ((import <nixpkgs> {}).fetchFromGitHub { - owner = "NixOS"; - repo = "nixpkgs-channels"; - rev = "541d9cce8af7a490fb9085305939569567cb58e6"; - sha256 = "0jgz72hhzkd5vyq5v69vpljjlnf0lqaz7fh327bvb3cvmwbfxrja"; -}) {}; -in with pkgs; buildGoPackage rec { +let + pkgs = import + ((import <nixpkgs> { }).fetchFromGitHub { + owner = "NixOS"; + repo = "nixpkgs-channels"; + rev = "541d9cce8af7a490fb9085305939569567cb58e6"; + sha256 = "0jgz72hhzkd5vyq5v69vpljjlnf0lqaz7fh327bvb3cvmwbfxrja"; + }) + { }; +in +with pkgs; buildGoPackage rec { name = "kontemplate-${version}"; version = "canon"; src = ./.; @@ -29,8 +33,8 @@ in with pkgs; buildGoPackage rec { # reason for setting the 'allowGoReference' flag. dontStrip = true; # Linker configuration handles stripping allowGoReference = true; - CGO_ENABLED="0"; - GOCACHE="off"; + CGO_ENABLED = "0"; + GOCACHE = "off"; # Configure release builds via the "build-matrix" script: buildInputs = [ git ]; diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index a6a5a763177a..0aa61fda80cf 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -4,7 +4,8 @@ let inherit (builtins) listToAttrs; inherit (lib) range; -in { +in +{ imports = [ "${depot.path}/ops/modules/atward.nix" "${depot.path}/ops/modules/clbot.nix" @@ -55,7 +56,13 @@ in { initrd = { availableKernelModules = [ - "igb" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sr_mod" + "igb" + "xhci_pci" + "nvme" + "ahci" + "usbhid" + "usb_storage" + "sr_mod" ]; # Enable SSH in the initrd so that we can enter disk encryption @@ -189,7 +196,7 @@ in { ++ lukegb.keys.all ++ [ grfn.keys.whitby ] ++ sterni.keys.all - ; + ; }; }; 
@@ -205,7 +212,8 @@ in { age.secrets = let secretFile = name: depot.ops.secrets."${name}.age"; - in { + in + { clbot.file = secretFile "clbot"; gerrit-queue.file = secretFile "gerrit-queue"; grafana.file = secretFile "grafana"; @@ -509,15 +517,16 @@ in { job_name = "node"; scrape_interval = "5s"; static_configs = [{ - targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }]; - } { - job_name = "nginx"; - scrape_interval = "5s"; - static_configs = [{ - targets = ["localhost:${toString config.services.prometheus.exporters.nginx.port}"]; + } + { + job_name = "nginx"; + scrape_interval = "5s"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; }]; - }]; }; services.grafana = { 
@@ -526,58 +535,62 @@ in { domain = "status.tvl.su"; rootUrl = "https://status.tvl.su"; analytics.reporting.enable = false; - extraOptions = let - options = { - auth = { - generic_oauth = { - enabled = true; - client_id = "grafana"; - scopes = "openid profile email"; - name = "TVL"; - email_attribute_path = "mail"; - login_attribute_path = "sub"; - name_attribute_path = "displayName"; - auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth"; - token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token"; - api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo"; - - # Give lukegb, grfn, tazjin "Admin" rights. - role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'"; - - # Allow creating new Grafana accounts from OAuth accounts. - allow_sign_up = true; - }; - - anonymous = { - enabled = true; - org_name = "The Virus Lounge"; - org_role = "Viewer"; + extraOptions = + let + options = { + auth = { + generic_oauth = { + enabled = true; + client_id = "grafana"; + scopes = "openid profile email"; + name = "TVL"; + email_attribute_path = "mail"; + login_attribute_path = "sub"; + name_attribute_path = "displayName"; + auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth"; + token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token"; + api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo"; + + # Give lukegb, grfn, tazjin "Admin" rights. + role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'"; + + # Allow creating new Grafana accounts from OAuth accounts. 
+ allow_sign_up = true; + }; + + anonymous = { + enabled = true; + org_name = "The Virus Lounge"; + org_role = "Viewer"; + }; + + basic.enabled = false; + oauth_auto_login = true; + disable_login_form = true; }; - - basic.enabled = false; - oauth_auto_login = true; - disable_login_form = true; }; - }; - inherit (builtins) typeOf replaceStrings listToAttrs concatLists; - inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep; - - # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED. - encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw)); - - # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "". - optionToString = value: - if (typeOf value) == "bool" then - if value then "true" else "false" - else builtins.toString value; - - # Turn an nested options attrset into a flat listToAttrs-compatible list. - encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value: - if (typeOf value) == "set" - then encodeOptions (prefix ++ [name]) value - else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ] - ) inp); - in listToAttrs (encodeOptions [] options); + inherit (builtins) typeOf replaceStrings listToAttrs concatLists; + inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep; + + # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED. + encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw)); + + # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "". + optionToString = value: + if (typeOf value) == "bool" then + if value then "true" else "false" + else builtins.toString value; + + # Turn an nested options attrset into a flat listToAttrs-compatible list. 
+ encodeOptions = prefix: inp: concatLists (mapAttrsToList + (name: value: + if (typeOf value) == "set" + then encodeOptions (prefix ++ [ name ]) value + else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ] + ) + inp); + in + listToAttrs (encodeOptions [ ] options); provision = { enable = true; @@ -623,8 +636,8 @@ in { security.sudo.extraRules = [ { - groups = ["wheel"]; - commands = [{ command = "ALL"; options = ["NOPASSWD"]; }]; + groups = [ "wheel" ]; + commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }]; } ]; @@ -705,7 +718,7 @@ in { }; # Set up a user & group for git shenanigans - groups.git = {}; + groups.git = { }; users.git = { group = "git"; isSystemUser = true; diff --git a/ops/modules/atward.nix b/ops/modules/atward.nix index 354f9ebdd3cb..f345a08e3131 100644 --- a/ops/modules/atward.nix +++ b/ops/modules/atward.nix @@ -3,7 +3,8 @@ let cfg = config.services.depot.atward; description = "atward - (attempt to) cleverly route queries"; -in { +in +{ options.services.depot.atward = { enable = lib.mkEnableOption description; diff --git a/ops/modules/auto-deploy.nix b/ops/modules/auto-deploy.nix index 83a8273562f6..c504906b2b94 100644 --- a/ops/modules/auto-deploy.nix +++ b/ops/modules/auto-deploy.nix @@ -45,7 +45,8 @@ let # NixOS in $STATE_DIRECTORY (cd / && ${rebuild-system}/bin/rebuild-system) ''; -in { +in +{ options.services.depot.auto-deploy = { enable = lib.mkEnableOption description; diff --git a/ops/modules/automatic-gc.nix b/ops/modules/automatic-gc.nix index 634785721024..ad53a63f7f16 100644 --- a/ops/modules/automatic-gc.nix +++ b/ops/modules/automatic-gc.nix @@ -29,7 +29,8 @@ let echo "Skipping GC, enough space available" fi ''; -in { +in +{ options.services.depot.automatic-gc = { enable = lib.mkEnableOption description; diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix index ef4c2ab23795..958d321f81ad 100644 --- a/ops/modules/clbot.nix +++ b/ops/modules/clbot.nix 
@@ -21,7 +21,7 @@ let (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"") flags)); # Escapes a unit name for use in systemd - systemdEscape = name: removeSuffix "\n" (readFile (runCommandNoCC "unit-name" {} '' + systemdEscape = name: removeSuffix "\n" (readFile (runCommandNoCC "unit-name" { } '' ${pkgs.systemd}/bin/systemd-escape '${name}' >> $out '')); @@ -42,7 +42,8 @@ let }; }; }; -in { +in +{ options.services.depot.clbot = { enable = mkEnableOption description; @@ -68,7 +69,7 @@ in { # (notably the SSH private key) readable by this user outside of # the module. users = { - groups.clbot = {}; + groups.clbot = { }; users.clbot = { group = "clbot"; diff --git a/ops/modules/default.nix b/ops/modules/default.nix index 8bdfecdf41b0..d747e8e1319a 100644 --- a/ops/modules/default.nix +++ b/ops/modules/default.nix @@ -1,2 +1,2 @@ # Make readTree happy at this level. -_: {} +_: { } diff --git a/ops/modules/gerrit-queue.nix b/ops/modules/gerrit-queue.nix index a4b073f8560b..66d584cc3361 100644 --- a/ops/modules/gerrit-queue.nix +++ b/ops/modules/gerrit-queue.nix @@ -8,7 +8,8 @@ let inherit default; type = lib.types.str; }; -in { +in +{ options.services.depot.gerrit-queue = { enable = lib.mkEnableOption description; gerritUrl = mkStringOption "https://cl.tvl.fyi"; diff --git a/ops/modules/git-serving.nix b/ops/modules/git-serving.nix index 6b8bef29b15a..49af01a0fd3e 100644 --- a/ops/modules/git-serving.nix +++ b/ops/modules/git-serving.nix @@ -12,7 +12,8 @@ let cfg = config.services.depot.git-serving; -in { +in +{ options.services.depot.git-serving = with lib; { enable = mkEnableOption "Enable cgit & josh configuration"; diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix index deb0b4ecaf34..05a783fd6614 100644 --- a/ops/modules/irccat.nix +++ b/ops/modules/irccat.nix @@ -27,7 +27,8 @@ let exec ${depot.third_party.irccat}/bin/irccat ''; -in { +in +{ options.services.depot.irccat = { enable = lib.mkEnableOption description; 
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix index 6638f30b3f9f..509500c9139d 100644 --- a/ops/modules/monorepo-gerrit.nix +++ b/ops/modules/monorepo-gerrit.nix @@ -9,12 +9,13 @@ let exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@" ''; - gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" {} '' + gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" { } '' mkdir -p $out ln -s ${besadiiWithConfig "change-merged"} $out/change-merged ln -s ${besadiiWithConfig "patchset-created"} $out/patchset-created ''; -in { +in +{ services.gerrit = { enable = true; listenAddress = "[::]:4778"; # 4778 - grrt diff --git a/ops/modules/nixery.nix b/ops/modules/nixery.nix index 60d151045756..33f196372dbb 100644 --- a/ops/modules/nixery.nix +++ b/ops/modules/nixery.nix @@ -6,7 +6,8 @@ let cfg = config.services.depot.nixery; description = "Nixery - container images on-demand"; storagePath = "/var/lib/nixery/${pkgs.nixpkgsCommits.unstable}"; -in { +in +{ options.services.depot.nixery = { enable = lib.mkEnableOption description; diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix index 07ba8861e745..423f9010c5d2 100644 --- a/ops/modules/oauth2_proxy.nix +++ b/ops/modules/oauth2_proxy.nix @@ -19,7 +19,8 @@ let reverse_proxy = true set_xauthrequest = true ''; -in { +in +{ options.services.depot.oauth2_proxy = { enable = lib.mkEnableOption description; diff --git a/ops/modules/owothia.nix b/ops/modules/owothia.nix index b2a77cddc2dd..d11fdd26ecbc 100644 --- a/ops/modules/owothia.nix +++ b/ops/modules/owothia.nix @@ -4,7 +4,8 @@ let cfg = config.services.depot.owothia; description = "owothia - i'm a service owo"; -in { +in +{ options.services.depot.owothia = { enable = lib.mkEnableOption description; diff --git a/ops/modules/panettone.nix b/ops/modules/panettone.nix index 11e934ec2e8d..d57e53e75442 100644 --- a/ops/modules/panettone.nix +++ b/ops/modules/panettone.nix 
@@ -2,7 +2,8 @@ let cfg = config.services.depot.panettone; -in { +in +{ options.services.depot.panettone = with lib; { enable = mkEnableOption "Panettone issue tracker"; @@ -62,23 +63,26 @@ in { assertion = cfg.dbHost != "localhost" || config.services.postgresql.enable; message = "Panettone requires a postgresql database"; - } { - assertion = - cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP; - message = "Panettone can only connect to the postgresql database over TCP"; - } { - assertion = - cfg.dbHost != "localhost" || (lib.any - (user: user.name == cfg.dbUser) - config.services.postgresql.ensureUsers); - message = "Panettone requires a database user"; - } { - assertion = - cfg.dbHost != "localhost" || (lib.any - (db: db == cfg.dbName) - config.services.postgresql.ensureDatabases); - message = "Panettone requires a database"; - }]; + } + { + assertion = + cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP; + message = "Panettone can only connect to the postgresql database over TCP"; + } + { + assertion = + cfg.dbHost != "localhost" || (lib.any + (user: user.name == cfg.dbUser) + config.services.postgresql.ensureUsers); + message = "Panettone requires a database user"; + } + { + assertion = + cfg.dbHost != "localhost" || (lib.any + (db: db == cfg.dbName) + config.services.postgresql.ensureDatabases); + message = "Panettone requires a database"; + }]; systemd.services.panettone = { wantedBy = [ "multi-user.target" ]; diff --git a/ops/modules/paroxysm.nix b/ops/modules/paroxysm.nix index cd9cd3866e47..070e7623db09 100644 --- a/ops/modules/paroxysm.nix +++ b/ops/modules/paroxysm.nix @@ -3,7 +3,8 @@ let cfg = config.services.depot.paroxysm; description = "TVL's majestic IRC bot"; -in { +in +{ options.services.depot.paroxysm.enable = lib.mkEnableOption description; config = lib.mkIf cfg.enable { diff --git a/ops/modules/quassel.nix b/ops/modules/quassel.nix index 9c8692629a2a..4a0b64ffc100 100644 --- a/ops/modules/quassel.nix 
+++ b/ops/modules/quassel.nix @@ -8,7 +8,8 @@ let enableDaemon = true; withKDE = false; }; -in { +in +{ options.services.depot.quassel = with lib; { enable = mkEnableOption "Quassel IRC daemon"; @@ -70,7 +71,7 @@ in { group = "quassel"; }; - groups.quassel = {}; + groups.quassel = { }; }; }; } diff --git a/ops/modules/restic.nix b/ops/modules/restic.nix index 1aacf68973e3..869539603578 100644 --- a/ops/modules/restic.nix +++ b/ops/modules/restic.nix @@ -14,7 +14,8 @@ let inherit default; type = lib.types.str; }; -in { +in +{ options.services.depot.restic = { enable = lib.mkEnableOption description; bucketEndpoint = mkStringOption "objects.dc-sto1.glesys.net"; diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix index 106593fe39d1..cfb185ecd107 100644 --- a/ops/modules/smtprelay.nix +++ b/ops/modules/smtprelay.nix @@ -27,8 +27,9 @@ let prepareArgs = args: concatStringsSep " " (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"") - (args // overrideArgs))); -in { + (args // overrideArgs))); +in +{ options.services.depot.smtprelay = { enable = mkEnableOption description; diff --git a/ops/modules/sourcegraph.nix b/ops/modules/sourcegraph.nix index a72cd75d477d..5311b42dd1db 100644 --- a/ops/modules/sourcegraph.nix +++ b/ops/modules/sourcegraph.nix @@ -4,7 +4,8 @@ let cfg = config.services.depot.sourcegraph; -in { +in +{ options.services.depot.sourcegraph = with lib; { enable = mkEnableOption "SourceGraph code search engine"; @@ -51,7 +52,8 @@ in { # Sourcegraph needs a higher nofile limit, it logs warnings # otherwise (unclear whether it actually affects the service). extraOptions = [ - "--ulimit" "nofile=10000:10000" + "--ulimit" + "nofile=10000:10000" ]; }; }; diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix index aaeb5a0f7554..a6e7372a250a 100644 --- a/ops/modules/tvl-buildkite.nix +++ b/ops/modules/tvl-buildkite.nix 
@@ -13,7 +13,7 @@ let # All Buildkite hooks are actually besadii, but it's being invoked # with different names. - buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" {} '' + buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" { } '' mkdir -p $out/bin ln -s ${besadiiWithConfig "post-command"} $out/bin/post-command ''; @@ -22,7 +22,8 @@ let echo 'username=buildkite' echo "password=$(jq -r '.gerritPassword' /run/agenix/buildkite-besadii-config)" ''; -in { +in +{ options.services.depot.buildkite = { enable = lib.mkEnableOption description; agentCount = lib.mkOption { 
@@ -33,39 +34,43 @@ in { config = lib.mkIf cfg.enable { # Run the Buildkite agents using the default upstream module. - services.buildkite-agents = builtins.listToAttrs (map (n: rec { - name = "whitby-${toString n}"; - value = { - inherit name; - enable = true; - tokenPath = "/run/agenix/buildkite-agent-token"; - hooks.post-command = "${buildkiteHooks}/bin/post-command"; + services.buildkite-agents = builtins.listToAttrs (map + (n: rec { + name = "whitby-${toString n}"; + value = { + inherit name; + enable = true; + tokenPath = "/run/agenix/buildkite-agent-token"; + hooks.post-command = "${buildkiteHooks}/bin/post-command"; - runtimePackages = with pkgs; [ - bash - coreutils - credentialHelper - curl - git - gnutar - gzip - jq - nix - ]; - }; - }) agents); + runtimePackages = with pkgs; [ + bash + coreutils + credentialHelper + curl + git + gnutar + gzip + jq + nix + ]; + }; + }) + agents); # Set up a group for all Buildkite agent users users = { - groups.buildkite-agents = {}; - users = builtins.listToAttrs (map (n: rec { - name = "buildkite-agent-whitby-${toString n}"; - value = { - isSystemUser = true; - group = lib.mkForce "buildkite-agents"; - extraGroups = [ name "docker" ]; - }; - }) agents); + groups.buildkite-agents = { }; + users = builtins.listToAttrs (map + (n: rec { + name = "buildkite-agent-whitby-${toString n}"; + value = { + isSystemUser = true; + group = lib.mkForce "buildkite-agents"; + extraGroups = [ name "docker" ]; + }; + }) + agents); }; }; } diff --git a/ops/modules/tvl-slapd/default.nix b/ops/modules/tvl-slapd/default.nix index dbcf139338ea..d0d6616e224b 100644 --- a/ops/modules/tvl-slapd/default.nix +++ b/ops/modules/tvl-slapd/default.nix @@ -26,7 +26,8 @@ let inherit (depot.ops) users; -in { +in +{ services.openldap = { enable = true; 
@@ -48,7 +49,7 @@ in { "cn=schema".includes = map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif") - [ "core" "cosine" "inetorgperson" "nis" ]; + [ "core" "cosine" "inetorgperson" "nis" ]; }; # Contents are immutable at runtime, and adding user accounts etc. diff --git a/ops/pipelines/depot.nix b/ops/pipelines/depot.nix index b6941ba38aa7..6d9e625e04be 100644 --- a/ops/pipelines/depot.nix +++ b/ops/pipelines/depot.nix @@ -16,9 +16,10 @@ let drvTargets = depot.ci.targets; additionalSteps = [ protoCheck ]; - parentTargetMap = if (externalArgs ? parentTargetMap) + parentTargetMap = + if (externalArgs ? parentTargetMap) then builtins.fromJSON (builtins.readFile externalArgs.parentTargetMap) - else {}; + else { }; postBuildSteps = [ # After successful builds, create a gcroot for builds on canon. @@ -40,7 +41,8 @@ let }; drvmap = depot.nix.buildkite.mkDrvmap depot.ci.targets; -in pkgs.runCommandNoCC "depot-pipeline" {} '' +in +pkgs.runCommandNoCC "depot-pipeline" { } '' mkdir $out cp -r ${pipeline}/* $out cp ${drvmap} $out/drvmap.json diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix index 4e40112b9610..c99130835f15 100644 --- a/ops/secrets/mkSecrets.nix +++ b/ops/secrets/mkSecrets.nix @@ -22,6 +22,6 @@ in defun [ path (attrs agenixSecret) (attrs any) ] (path: secrets: - depot.nix.readTree.drvTargets - # Import each secret into the Nix store - (builtins.mapAttrs (name: _: "${path}/${name}") secrets)) + depot.nix.readTree.drvTargets + # Import each secret into the Nix store + (builtins.mapAttrs (name: _: "${path}/${name}") secrets)) diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 52b79e444a7c..2c08bb1aee5d 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix 
@@ -15,7 +15,8 @@ let whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I"; default.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ]; -in { +in +{ "besadii.age" = default; "buildkite-agent-token.age" = default; "buildkite-graphql-token.age" = default; |