-rw-r--r--cluster/prod/app/backup/deploy/backup-daily.hcl4
-rw-r--r--cluster/prod/app/bagage/deploy/bagage.hcl2
-rw-r--r--cluster/prod/app/cms/deploy/cms.hcl2
-rw-r--r--cluster/prod/app/core/deploy/bottin.hcl2
-rw-r--r--cluster/prod/app/core/deploy/tricot.hcl2
-rw-r--r--cluster/prod/app/coturn/deploy/coturn.hcl2
-rw-r--r--cluster/prod/app/cryptpad/build/README.md20
-rw-r--r--cluster/prod/app/cryptpad/build/default.nix6
-rw-r--r--cluster/prod/app/cryptpad/build/npins/sources.json4
-rw-r--r--cluster/prod/app/cryptpad/build_docker/README.md4
-rw-r--r--cluster/prod/app/cryptpad/deploy/cryptpad.hcl6
-rw-r--r--cluster/prod/app/email/config/dkim/signingtable2
-rw-r--r--cluster/prod/app/email/deploy/email.hcl4
-rw-r--r--cluster/prod/app/garage/deploy/garage.hcl2
-rw-r--r--cluster/prod/app/guichet/deploy/guichet.hcl2
-rw-r--r--cluster/prod/app/matrix/build/docker-compose.yml13
-rw-r--r--cluster/prod/app/matrix/build/riotweb/Dockerfile2
-rw-r--r--cluster/prod/app/matrix/config/synapse/homeserver.yaml3
-rw-r--r--cluster/prod/app/matrix/deploy/im.hcl73
-rw-r--r--cluster/prod/app/plume/config/app.env2
-rw-r--r--cluster/prod/app/plume/deploy/plume.hcl60
-rw-r--r--cluster/prod/app/postgres/deploy/postgres.hcl5
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-service.hcl8
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-storage.hcl6
-rw-r--r--cluster/prod/app/telemetry/deploy/telemetry-system.hcl4
-rw-r--r--cluster/prod/app/woodpecker-ci/deploy/server.hcl16
-rw-r--r--cluster/prod/app/woodpecker-ci/integration/docker-compose.yml2
-rw-r--r--cluster/prod/cluster.nix53
-rw-r--r--cluster/prod/known_hosts1
-rw-r--r--cluster/prod/node/concombre.nix1
l---------cluster/prod/node/dahlia.site.nix1
-rw-r--r--cluster/prod/node/diplotaxis.nix14
l---------cluster/prod/node/diplotaxis.site.nix1
-rw-r--r--cluster/prod/node/doradille.nix14
l---------cluster/prod/node/doradille.site.nix1
-rw-r--r--cluster/prod/node/pamplemousse.nix1
-rw-r--r--cluster/prod/node/pasteque.nix (renamed from cluster/prod/node/dahlia.nix)7
l---------cluster/prod/node/pasteque.site.nix1
-rw-r--r--cluster/prod/site/orion.nix8
-rw-r--r--cluster/prod/ssh_config5
-rw-r--r--cluster/staging/app/core/deploy/d53.hcl22
-rw-r--r--cluster/staging/app/core/deploy/diplonat.hcl21
-rw-r--r--cluster/staging/app/core/deploy/tricot.hcl4
-rw-r--r--cluster/staging/app/cryptpad/config/application_config.js40
-rw-r--r--cluster/staging/app/cryptpad/config/config.js296
-rw-r--r--cluster/staging/app/cryptpad/deploy/cryptpad.hcl (renamed from cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl)28
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry-service.hcl158
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry-storage.hcl97
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry-system.hcl75
-rw-r--r--cluster/staging/cluster.nix9
-rw-r--r--cluster/staging/node/caribou.nix3
-rw-r--r--cluster/staging/node/df-pw5.nix3
-rw-r--r--cluster/staging/node/origan.nix3
-rw-r--r--cluster/staging/node/piranha.nix3
-rw-r--r--cluster/staging/ssh_config17
-rw-r--r--nix/configuration.nix1
-rw-r--r--nix/deuxfleurs.nix24
-rwxr-xr-xupgrade_nixos4
58 files changed, 743 insertions, 431 deletions
diff --git a/cluster/prod/app/backup/deploy/backup-daily.hcl b/cluster/prod/app/backup/deploy/backup-daily.hcl
index d9d9f2a..9650735 100644
--- a/cluster/prod/app/backup/deploy/backup-daily.hcl
+++ b/cluster/prod/app/backup/deploy/backup-daily.hcl
@@ -14,7 +14,7 @@ job "backup_daily" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "celeri"
+ value = "ananas"
}
task "main" {
@@ -152,7 +152,7 @@ EOH
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "courgette"
+ value = "abricot"
}
task "main" {
diff --git a/cluster/prod/app/bagage/deploy/bagage.hcl b/cluster/prod/app/bagage/deploy/bagage.hcl
index fbb571d..51af59e 100644
--- a/cluster/prod/app/bagage/deploy/bagage.hcl
+++ b/cluster/prod/app/bagage/deploy/bagage.hcl
@@ -1,5 +1,5 @@
job "bagage" {
- datacenters = ["scorpio", "neptune"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 90
diff --git a/cluster/prod/app/cms/deploy/cms.hcl b/cluster/prod/app/cms/deploy/cms.hcl
index 71192d2..ce1a0a3 100644
--- a/cluster/prod/app/cms/deploy/cms.hcl
+++ b/cluster/prod/app/cms/deploy/cms.hcl
@@ -1,5 +1,5 @@
job "cms" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 100
diff --git a/cluster/prod/app/core/deploy/bottin.hcl b/cluster/prod/app/core/deploy/bottin.hcl
index e21eb72..9cae97e 100644
--- a/cluster/prod/app/core/deploy/bottin.hcl
+++ b/cluster/prod/app/core/deploy/bottin.hcl
@@ -1,5 +1,5 @@
job "core-bottin" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "neptune", "scorpio", "bespin"]
type = "system"
priority = 90
diff --git a/cluster/prod/app/core/deploy/tricot.hcl b/cluster/prod/app/core/deploy/tricot.hcl
index 2131b11..f54657f 100644
--- a/cluster/prod/app/core/deploy/tricot.hcl
+++ b/cluster/prod/app/core/deploy/tricot.hcl
@@ -28,7 +28,7 @@ job "core-tricot" {
driver = "docker"
config {
- image = "armael/tricot:n6dk1b5xrdww12zf12jbcmihqs6g1brz"
+ image = "armael/tricot:40g7jpp915jkfszlczfh1yw2x6syjkxs-redir-headers"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]
diff --git a/cluster/prod/app/coturn/deploy/coturn.hcl b/cluster/prod/app/coturn/deploy/coturn.hcl
index 8923b2b..8b29d8f 100644
--- a/cluster/prod/app/coturn/deploy/coturn.hcl
+++ b/cluster/prod/app/coturn/deploy/coturn.hcl
@@ -1,5 +1,5 @@
job "coturn" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 100
diff --git a/cluster/prod/app/cryptpad/build/README.md b/cluster/prod/app/cryptpad/build/README.md
index 13c6ea2..f97fce4 100644
--- a/cluster/prod/app/cryptpad/build/README.md
+++ b/cluster/prod/app/cryptpad/build/README.md
@@ -1,6 +1,24 @@
# CryptPad for NixOS with Deuxfleurs flavour
-## Building
+## Basic Usage
+
+### Building
+
+To build and load the Docker image used in our Deuxfleurs deployment, run:
+
+``` shell
+docker load -i $(nix-build deuxfleurs.nix -A docker)
+```
+
+### Updating Cryptpad to a newer version
+
+- Check whether the cryptpad build instructions and the `install-onlyoffice.sh`
+ script has changed. If yes, then update `default.nix` accordingly.
+- In `default.nix`, update the `version` field for cryptpad
+- In `default.nix`, change the hash (any change works) of the release and `npmDepsHash` to trigger a rebuild
+- Run `nix-build deuxfleurs.nix`. This will fail because the hashes have changed, but tell you the correct hash to insert in `default.nix`.
+
+## More info
The `default.nix` file follows the nixpkgs `callPackage` convention for fetching dependencies, so you need to either:
diff --git a/cluster/prod/app/cryptpad/build/default.nix b/cluster/prod/app/cryptpad/build/default.nix
index 458253a..fffbd91 100644
--- a/cluster/prod/app/cryptpad/build/default.nix
+++ b/cluster/prod/app/cryptpad/build/default.nix
@@ -71,16 +71,16 @@
});
in buildNpmPackage rec {
pname = "cryptpad";
- version = "2024.9.0";
+ version = "2024.12.0";
src = fetchFromGitHub {
owner = "cryptpad";
repo = "cryptpad";
rev = version;
- hash = "sha256-OUtWaDVLRUbKS0apwY0aNq4MalGFv+fH9VA7LvWWYRs=";
+ hash = "sha256-oSrDajaCEc7I2AsDzKoO34ffd4OeXDwFDGm45yQDSvE=";
};
- npmDepsHash = "sha256-pK0b7q1kJja9l8ANwudbfo3jpldwuO56kuulS8X9A5s=";
+ npmDepsHash = "sha256-1EwxAe+8FOrngZx5+FEeu9uHKWZNBpsECEGrsyiZ2GU=";
inherit nodejs;
diff --git a/cluster/prod/app/cryptpad/build/npins/sources.json b/cluster/prod/app/cryptpad/build/npins/sources.json
index 3372fd0..1f513ad 100644
--- a/cluster/prod/app/cryptpad/build/npins/sources.json
+++ b/cluster/prod/app/cryptpad/build/npins/sources.json
@@ -3,8 +3,8 @@
"nixpkgs": {
"type": "Channel",
"name": "nixos-24.05",
- "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5385.1719f27dd95f/nixexprs.tar.xz",
- "hash": "0f7i315g1z8kjh10hvj2zv7y2vfqxmwvd96hwlcrr8aig6qq5gzm"
+ "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.7376.b134951a4c9f/nixexprs.tar.xz",
+ "hash": "1f8j7fh0nl4qmqlxn6lis8zf7dnckm6jri4rwmj0qm1qivhr58lv"
}
},
"version": 3
diff --git a/cluster/prod/app/cryptpad/build_docker/README.md b/cluster/prod/app/cryptpad/build_docker/README.md
new file mode 100644
index 0000000..03e11bb
--- /dev/null
+++ b/cluster/prod/app/cryptpad/build_docker/README.md
@@ -0,0 +1,4 @@
+# Dockerfile for Cryptpad
+
+This was an experiment but is not used or maintained currently.
+The docker image we use is the one build using nix; see the `build/` directory.
diff --git a/cluster/prod/app/cryptpad/deploy/cryptpad.hcl b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
index 76737a6..5e19919 100644
--- a/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
+++ b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
@@ -1,5 +1,5 @@
job "cryptpad" {
- datacenters = ["neptune"]
+ datacenters = ["scorpio"]
type = "service"
group "cryptpad" {
@@ -22,11 +22,11 @@ job "cryptpad" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "courgette"
+ value = "abricot"
}
config {
- image = "kokakiwi/cryptpad:2024.9.0"
+ image = "armael/cryptpad:2024.12.0"
ports = [ "http" ]
volumes = [
diff --git a/cluster/prod/app/email/config/dkim/signingtable b/cluster/prod/app/email/config/dkim/signingtable
index 102f6db..2c74b4d 100644
--- a/cluster/prod/app/email/config/dkim/signingtable
+++ b/cluster/prod/app/email/config/dkim/signingtable
@@ -7,3 +7,5 @@
*@e-x-t-r-a-c-t.me smtp._domainkey.deuxfleurs.fr
*@courderec.re smtp._domainkey.deuxfleurs.fr
*@trinity.fr.eu.org smtp._domainkey.deuxfleurs.fr
+*@scrutin.app smtp._domainkey.deuxfleurs.fr
+*@lalis.se smtp._domainkey.deuxfleurs.fr
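Review bot: The two new entries sign mail for scrutin.app and lalis.se with the deuxfleurs.fr key, so — assuming `smtp._domainkey.deuxfleurs.fr` maps to a key with d=deuxfleurs.fr in the key table, which is not part of this diff — the resulting DKIM signature will not be DMARC-aligned with those From: domains. If either domain publishes a DMARC policy, delivery then depends on SPF alignment alone, and a strict-alignment policy would fail outright. Either add per-domain key entries (`*@scrutin.app smtp._domainkey.scrutin.app`, with matching key-table lines and DNS records) or put a comment above the two lines recording that third-party signing under deuxfleurs.fr is intended.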
diff --git a/cluster/prod/app/email/deploy/email.hcl b/cluster/prod/app/email/deploy/email.hcl
index 287cff3..fc8f7e4 100644
--- a/cluster/prod/app/email/deploy/email.hcl
+++ b/cluster/prod/app/email/deploy/email.hcl
@@ -1,6 +1,6 @@
job "email" {
# Should not run on the same site as email-android7.hcl (port conflict in diplonat)
- datacenters = ["neptune"]
+ datacenters = ["scorpio"]
type = "service"
priority = 65
@@ -32,7 +32,7 @@ job "email" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "celeri"
+ value = "ananas"
}
config {
diff --git a/cluster/prod/app/garage/deploy/garage.hcl b/cluster/prod/app/garage/deploy/garage.hcl
index 68edc94..81a22c3 100644
--- a/cluster/prod/app/garage/deploy/garage.hcl
+++ b/cluster/prod/app/garage/deploy/garage.hcl
@@ -1,5 +1,5 @@
job "garage" {
- datacenters = [ "neptune", "bespin", "scorpio" ]
+ datacenters = ["neptune", "bespin", "scorpio", "corrin"]
type = "system"
priority = 80
diff --git a/cluster/prod/app/guichet/deploy/guichet.hcl b/cluster/prod/app/guichet/deploy/guichet.hcl
index c1476e2..aca811f 100644
--- a/cluster/prod/app/guichet/deploy/guichet.hcl
+++ b/cluster/prod/app/guichet/deploy/guichet.hcl
@@ -1,5 +1,5 @@
job "guichet" {
- datacenters = [ "neptune", "scorpio" ]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
priority = 90
diff --git a/cluster/prod/app/matrix/build/docker-compose.yml b/cluster/prod/app/matrix/build/docker-compose.yml
index b61fb39..4f2c573 100644
--- a/cluster/prod/app/matrix/build/docker-compose.yml
+++ b/cluster/prod/app/matrix/build/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.4'
services:
# Instant Messaging
riot:
@@ -6,18 +5,18 @@ services:
context: ./riotweb
args:
# https://github.com/vector-im/element-web/releases
- VERSION: v1.11.78
- image: particallydone/amd64_elementweb:v36
+ VERSION: v1.11.90
+ image: superboum/amd64_elementweb:v37
synapse:
build:
context: ./matrix-synapse
args:
- # https://github.com/matrix-org/synapse/releases
- VERSION: v1.104.0
+ # https://github.com/element-hq/synapse/releases
+ VERSION: v1.122.0
# https://github.com/matrix-org/synapse-s3-storage-provider/commits/main
# Update with the latest commit on main each time you update the synapse version
# otherwise synapse may fail to launch due to incompatibility issues
# see this issue for an example: https://github.com/matrix-org/synapse-s3-storage-provider/issues/64
- S3_VERSION: 2c46a764f700e6439afa11c00db827ddf21a9e89
- image: particallydone/amd64_synapse:v60
+ S3_VERSION: bdc46a71aa16bcbcf8ed1b157ca6756ddb0131ef
+ image: superboum/amd64_synapse:v61
diff --git a/cluster/prod/app/matrix/build/riotweb/Dockerfile b/cluster/prod/app/matrix/build/riotweb/Dockerfile
index ec4f5dd..0bb408a 100644
--- a/cluster/prod/app/matrix/build/riotweb/Dockerfile
+++ b/cluster/prod/app/matrix/build/riotweb/Dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/debian:trixie as builder
+FROM amd64/debian:trixie AS builder
ARG VERSION
WORKDIR /root
diff --git a/cluster/prod/app/matrix/config/synapse/homeserver.yaml b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
index fb223eb..41241f0 100644
--- a/cluster/prod/app/matrix/config/synapse/homeserver.yaml
+++ b/cluster/prod/app/matrix/config/synapse/homeserver.yaml
@@ -110,6 +110,7 @@ federation_rc_concurrent: 3
# Directory where uploaded images and attachments are stored.
media_store_path: "/var/lib/matrix-synapse/media"
uploads_path: "/var/lib/matrix-synapse/uploads"
+enable_authenticated_media: False
media_storage_providers:
- module: s3_storage_provider.S3StorageProviderBackend
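Review bot: `enable_authenticated_media: False` is added without a comment saying why authenticated media is being switched off; with it disabled, uploaded media stays reachable through the legacy unauthenticated media endpoints. Since docker-compose.yml in this commit moves Synapse to v1.122.0, this presumably is a deliberate opt-out of the newer default rather than an accident, but the file should say so and when it can be revisited. Suggest `# Deliberately off: clients/bridges still depend on the legacy unauthenticated media endpoints (TODO: revisit once they are migrated)` directly above the line.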
@@ -121,7 +122,7 @@ media_storage_providers:
# All of the below options are optional, for use with non-AWS S3-like
# services, or to specify access tokens here instead of some external method.
region_name: garage
- endpoint_url: https://garage.deuxfleurs.fr
+ endpoint_url: http://localhost:3900
access_key_id: {{ key "secrets/chat/synapse/s3_access_key" | trimSpace }}
secret_access_key: {{ key "secrets/chat/synapse/s3_secret_key" | trimSpace }}
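Review bot: The S3 endpoint now points at `http://localhost:3900`, so Synapse's media traffic and its SigV4-signed requests (which carry the access key id in clear) travel over plain HTTP, and the job can only work on nodes that run a local Garage listening on that port. Both assumptions hold only while im.hcl keeps `network_mode = "host"` (visible in this commit) and the matrix job is co-scheduled with the garage system job, neither of which this config file can enforce. Suggest recording them next to the line: `# plain HTTP is acceptable only because this is the node-local Garage on loopback; requires co-scheduling with the garage job`.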
diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl
index c348131..c0f3a1a 100644
--- a/cluster/prod/app/matrix/deploy/im.hcl
+++ b/cluster/prod/app/matrix/deploy/im.hcl
@@ -15,7 +15,7 @@ job "matrix" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v60"
+ image = "superboum/amd64_synapse:v61"
network_mode = "host"
readonly_rootfs = true
ports = [ "api_port" ]
@@ -101,7 +101,7 @@ job "matrix" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v60"
+ image = "superboum/amd64_synapse:v61"
readonly_rootfs = true
command = "/usr/local/bin/matrix-s3-async"
work_dir = "/tmp"
@@ -126,7 +126,7 @@ AWS_DEFAULT_REGION=garage
PG_USER={{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
PG_PASS={{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
PG_DB={{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
-PG_HOST={{ env "meta.site" }}.psql-proxy.service.2.cluster.deuxfleurs.fr
+PG_HOST={{ env "meta.site" }}.psql-proxy.service.prod.consul
PG_PORT=5432
EOH
destination = "secrets/env"
@@ -137,7 +137,7 @@ EOH
task "riotweb" {
driver = "docker"
config {
- image = "particallydone/amd64_elementweb:v36"
+ image = "superboum/amd64_elementweb:v37"
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/srv/http/config.json"
@@ -177,70 +177,5 @@ EOH
}
}
}
-
- group "syncv3" {
- count = 1
-
- network {
- port "syncv3_api" { to = 8009 }
- port "syncv3_metrics" { to = 2112 }
- }
-
- task "syncv3" {
- driver = "docker"
-
- config {
- image = "ghcr.io/matrix-org/sliding-sync:v0.99.16"
- ports = [ "syncv3_api", "syncv3_metrics" ]
- }
-
- resources {
- cpu = 1000
- memory = 500
- memory_max = 1000
- }
-
- template {
- data = <<EOH
-SYNCV3_SERVER=http://synapse.service.prod.consul:8008
-SYNCV3_DB=postgresql://{{ key "secrets/chat/syncv3/postgres_user"|trimSpace }}:{{ key "secrets/chat/syncv3/postgres_pwd"|trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul/{{ key "secrets/chat/syncv3/postgres_db"|trimSpace }}?sslmode=disable
-SYNCV3_SECRET={{ key "secrets/chat/syncv3/secret"|trimSpace }}
-SYNCV3_BINDADDR=0.0.0.0:8009
-SYNCV3_PROM=0.0.0.0:2112
-EOH
- destination = "secrets/env"
- env = true
- }
-
- service {
- name = "matrix-syncv3"
- port = "syncv3_api"
- address_mode = "host"
- tags = [
- "matrix",
- "tricot im-syncv3.deuxfleurs.fr 100",
- "tricot-add-header Access-Control-Allow-Origin *",
- "d53-cname im-syncv3.deuxfleurs.fr",
- ]
- check {
- type = "tcp"
- port = "syncv3_api"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
-
- service {
- name = "matrix-syncv3-metrics"
- port = "syncv3_metrics"
- address_mode = "host"
- }
- }
- }
}
diff --git a/cluster/prod/app/plume/config/app.env b/cluster/prod/app/plume/config/app.env
index b663d81..36000c2 100644
--- a/cluster/prod/app/plume/config/app.env
+++ b/cluster/prod/app/plume/config/app.env
@@ -28,7 +28,7 @@ MIGRATION_DIRECTORY=migrations/postgres
USE_HTTPS=0
ROCKET_ADDRESS=::
-ROCKET_PORT={{ env "NOMAD_PORT_web_port" }}
+ROCKET_PORT={{ env "NOMAD_PORT_back_port" }}
MEDIA_UPLOAD_DIRECTORY=/app/static/media
SEARCH_INDEX=/app/search_index
diff --git a/cluster/prod/app/plume/deploy/plume.hcl b/cluster/prod/app/plume/deploy/plume.hcl
index 5d10339..c759a02 100644
--- a/cluster/prod/app/plume/deploy/plume.hcl
+++ b/cluster/prod/app/plume/deploy/plume.hcl
@@ -1,12 +1,50 @@
job "plume-blog" {
- datacenters = ["scorpio", "neptune"]
+ datacenters = ["corrin", "neptune", "scorpio"]
type = "service"
group "plume" {
count = 1
network {
- port "web_port" { }
+ port "back_port" { }
+ port "cache_port" { }
+ }
+
+ task "varnish" {
+ driver = "docker"
+ config {
+ image = "varnish:7.6.1"
+ network_mode = "host"
+ ports = [ "cache_port" ]
+
+ # cache
+ mount {
+ type = "tmpfs"
+ target = "/var/lib/varnish/varnishd:exec"
+ readonly = false
+ tmpfs_options {
+ size = 2684354559 # 2.5GB in bytes
+ }
+ }
+ }
+
+ env {
+ VARNISH_SIZE = "2G"
+ VARNISH_BACKEND_HOST = "localhost"
+ VARNISH_BACKEND_PORT = "${NOMAD_PORT_back_port}"
+ VARNISH_HTTP_PORT = "${NOMAD_PORT_cache_port}"
+ }
+
+ service {
+ name = "plume-cache"
+ tags = [
+ "plume",
+ "tricot plume.deuxfleurs.fr",
+ "d53-cname plume.deuxfleurs.fr",
+ ]
+ port = "cache_port"
+ address_mode = "host"
+ }
}
task "plume" {
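Review bot: The new `varnish` task (which is complete within this hunk) has no `resources` block, so it runs under Nomad's default task memory limit while being configured with `VARNISH_SIZE = "2G"` plus a 2.5 GB tmpfs whose pages are charged to the same cgroup, which can exceed that limit and get the task OOM-killed under load. Add a block sized for the cache between `env` and `service`, as in the fence below (numbers are a starting point). Separately, no VCL is mounted, so caching relies on Varnish's built-in VCL passing requests that carry a Cookie header and not caching responses with Set-Cookie; a one-line comment in the task saying that this default policy is what keeps logged-in Plume responses out of the shared cache would help the next maintainer. Minor: `2684354559` is one byte short of the 2.5 GB the comment claims (2.5 × 1024³ = 2684354560).
```hcl
  # … unchanged: driver, config, env …
  resources {
    memory     = 2560  # review: must cover VARNISH_SIZE (2G) plus tmpfs usage; tune after observing
    memory_max = 3072
    cpu        = 100
  }
  # … unchanged: service …
```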
@@ -14,9 +52,9 @@ job "plume-blog" {
config {
image = "lxpz/plume_s3:v1"
network_mode = "host"
- ports = [ "web_port" ]
+ ports = [ "back_port" ]
command = "sh"
- args = [ "-c", "plm search init; plm search refill; plume" ]
+ args = [ "-c", "plm search init; plume" ]
}
template {
@@ -26,24 +64,22 @@ job "plume-blog" {
}
resources {
- memory = 200
- memory_max = 800
+ memory = 512
+ memory_max = 512
cpu = 100
}
service {
- name = "plume"
+ name = "plume-back"
tags = [
"plume",
- "tricot plume.deuxfleurs.fr",
- "d53-cname plume.deuxfleurs.fr",
]
- port = "web_port"
+ port = "back_port"
address_mode = "host"
check {
type = "http"
protocol = "http"
- port = "web_port"
+ port = "back_port"
path = "/"
interval = "60s"
timeout = "5s"
@@ -55,7 +91,7 @@ job "plume-blog" {
}
}
restart {
- interval = "30m"
+ interval = "20m"
attempts = 20
delay = "15s"
mode = "delay"
diff --git a/cluster/prod/app/postgres/deploy/postgres.hcl b/cluster/prod/app/postgres/deploy/postgres.hcl
index a42d57e..424a993 100644
--- a/cluster/prod/app/postgres/deploy/postgres.hcl
+++ b/cluster/prod/app/postgres/deploy/postgres.hcl
@@ -1,5 +1,5 @@
job "postgres14" {
- datacenters = ["neptune", "bespin", "scorpio"]
+ datacenters = ["neptune", "bespin", "scorpio", "corrin"]
type = "system"
priority = 90
@@ -19,8 +19,7 @@ job "postgres14" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
- value = "courgette,df-ymf,abricot"
- # old (orion) = diplotaxis
+ value = "courgette,df-ymf,abricot,pasteque"
}
restart {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
index 13efddb..0744abc 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl
@@ -1,5 +1,5 @@
job "telemetry-service" {
- datacenters = ["neptune", "scorpio"]
+ datacenters = ["corrin", "scorpio", "dathormir"]
type = "service"
group "grafana" {
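Review bot: The datacenter list on the second line spells the new site `dathormir`, while telemetry-system.hcl in the same commit adds it as `dathomir`; one of the two is a typo, and a datacenter name that matches no node silently contributes no eligible placements instead of failing. Align the two files, e.g. `datacenters = ["corrin", "scorpio", "dathomir"]` if the telemetry-system.hcl spelling is the real site name.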
@@ -45,7 +45,7 @@ job "telemetry-service" {
task "grafana" {
driver = "docker"
config {
- image = "grafana/grafana:10.3.4"
+ image = "grafana/grafana:11.4.1"
network_mode = "host"
ports = [ "grafana" ]
volumes = [
@@ -76,9 +76,9 @@ EOH
}
resources {
- memory = 100
+ memory = 200
memory_max = 400
- cpu = 500
+ cpu = 300
}
service {
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl b/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
index d87f3c6..1fe0d38 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
@@ -1,5 +1,5 @@
job "telemetry-storage" {
- datacenters = ["neptune", "bespin"]
+ datacenters = ["scorpio", "bespin"]
type = "service"
group "prometheus" {
@@ -14,13 +14,13 @@ job "telemetry-storage" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
- value = "celeri,df-ymk"
+ value = "ananas,df-ymk"
}
task "prometheus" {
driver = "docker"
config {
- image = "prom/prometheus:v2.50.1"
+ image = "prom/prometheus:v3.1.0"
network_mode = "host"
ports = [ "prometheus" ]
args = [
diff --git a/cluster/prod/app/telemetry/deploy/telemetry-system.hcl b/cluster/prod/app/telemetry/deploy/telemetry-system.hcl
index 76fad83..b80153f 100644
--- a/cluster/prod/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/prod/app/telemetry/deploy/telemetry-system.hcl
@@ -1,5 +1,5 @@
job "telemetry-system" {
- datacenters = ["neptune", "scorpio", "bespin", "corrin"]
+ datacenters = ["neptune", "scorpio", "bespin", "corrin", "dathomir"]
type = "system"
priority = "100"
@@ -12,7 +12,7 @@ job "telemetry-system" {
driver = "docker"
config {
- image = "quay.io/prometheus/node-exporter:v1.7.0"
+ image = "quay.io/prometheus/node-exporter:v1.8.1"
network_mode = "host"
volumes = [
"/:/host:ro,rslave"
diff --git a/cluster/prod/app/woodpecker-ci/deploy/server.hcl b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
index c974e3f..60806b9 100644
--- a/cluster/prod/app/woodpecker-ci/deploy/server.hcl
+++ b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
@@ -23,7 +23,7 @@ job "woodpecker-ci" {
task "server" {
driver = "docker"
config {
- image = "woodpeckerci/woodpecker-server:v2.7.1"
+ image = "woodpeckerci/woodpecker-server:v3.0.1"
ports = [ "web_port", "grpc_port" ]
network_mode = "host"
}
@@ -31,7 +31,7 @@ job "woodpecker-ci" {
template {
data = <<EOH
WOODPECKER_OPEN=true
-WOODPECKER_ORGS=Deuxfleurs
+WOODPECKER_ORGS=Deuxfleurs,distorsion
WOODPECKER_ADMIN=lx
WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
@@ -93,6 +93,10 @@ EOH
name = "woodpecker-grpc"
tags = [
"woodpecker-grpc",
+ # The tricot tag is necessary for tricot to get us a tls certificate,
+ # but it will not make the grpc endpoint work as tricot cannot
+ # proxy grpc traffic by itself.
+ "tricot woodpecker-grpc.deuxfleurs.fr",
]
port = "grpc_port"
address_mode = "host"
@@ -120,7 +124,7 @@ http {
listen 0.0.0.0:14453 ssl;
listen [::]:14453 ssl;
http2 on;
- server_name woodpecker.deuxfleurs.fr;
+ server_name woodpecker-grpc.deuxfleurs.fr;
resolver 127.0.0.1 valid=30s;
ssl_certificate "/etc/ssl/certs/woodpecker.cert";
@@ -128,6 +132,8 @@ http {
location / {
grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
+ grpc_read_timeout 1800s;
+ grpc_send_timeout 1800s;
}
}
}
@@ -136,11 +142,11 @@ EOH
}
template {
- data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
+ data = "{{ with $d := key \"tricot/certs/woodpecker-grpc.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.key"
}
template {
- data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
+ data = "{{ with $d := key \"tricot/certs/woodpecker-grpc.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.cert"
}
diff --git a/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml b/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
index 7b825df..5756b25 100644
--- a/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
+++ b/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
@@ -10,7 +10,7 @@ services:
- "./nix.conf:/etc/nix/nix.conf:ro"
woodpecker-runner:
- image: woodpeckerci/woodpecker-agent:v2.4.1
+ image: woodpeckerci/woodpecker-agent:v3.0.1
restart: always
environment:
# -- change these for each agent
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index ff4e4b5..66da48d 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -7,44 +7,6 @@
deuxfleurs.clusterPrefix = "10.83.0.0/16";
deuxfleurs.clusterNodes = {
- "concombre" = {
- siteName = "neptune";
- publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
- address = "10.83.1.1";
- endpoint = "82.67.87.112:33731";
- };
- "courgette" = {
- siteName = "neptune";
- publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
- address = "10.83.1.2";
- endpoint = "82.67.87.112:33732";
- };
- "celeri" = {
- siteName = "neptune";
- publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
- address = "10.83.1.3";
- endpoint = "82.67.87.112:33733";
- };
- /*
- "dahlia" = {
- siteName = "orion";
- publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
- address = "10.83.2.1";
- endpoint = "82.66.80.201:33731";
- };
- "diplotaxis" = {
- siteName = "orion";
- publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
- address = "10.83.2.2";
- endpoint = "82.66.80.201:33732";
- };
- "doradille" = {
- siteName = "orion";
- publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
- address = "10.83.2.3";
- endpoint = "82.66.80.201:33733";
- };
- */
"df-ykl" = {
siteName = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
@@ -105,6 +67,12 @@
address = "10.83.6.1";
endpoint = "45.81.62.36:33731";
};
+ "pasteque" = {
+ siteName = "corrin";
+ publicKey = "7vPq0z6JVxTLEebasUlR5Uu4dAFZxfddhjWtIYhCoXw=";
+ address = "10.83.6.2";
+ endpoint = "45.81.62.36:33732";
+ };
};
# Pin Nomad version
@@ -114,15 +82,13 @@
# Bootstrap IPs for Consul cluster,
# these are IPs on the Wireguard overlay
services.consul.extraConfig.retry_join = [
- "10.83.1.1" # concombre
- "10.83.2.1" # dahlia
"10.83.3.1" # df-ykl
+ "10.83.4.2" # ananas
+ "10.83.6.1" # pamplemousse
];
deuxfleurs.adminAccounts = {
lx = [
- # Keys for accessing nodes from outside
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIw+IIX8+lZX9RrHAbwi/bncLYStXpI4EmK3AUcqPY2O lx@kusanagi "
];
quentin = [
@@ -167,6 +133,9 @@
kokakiwi = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
];
+ stitch = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdT28Emp9yJqTPrxz+oDP08KZaN1kbsNyVqt9p9IMED"
+ ];
};
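Review bot: The new `stitch` key is the only entry in `deuxfleurs.adminAccounts` visible in this diff without a trailing identity comment, whereas the other keys carry one (`lx@kusanagi`, `kokakiwi@kira`); without it, the key cannot be traced to a person or device when it has to be rotated or revoked. Suggest `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdT28Emp9yJqTPrxz+oDP08KZaN1kbsNyVqt9p9IMED stitch@<device>"` with the real device name filled in.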
# For Garage external communication
diff --git a/cluster/prod/known_hosts b/cluster/prod/known_hosts
index 2bce50f..938b7b8 100644
--- a/cluster/prod/known_hosts
+++ b/cluster/prod/known_hosts
@@ -15,3 +15,4 @@ io.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvgCJ7Jew7ou1RZuaT
ortie.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqtfIPLk8a5tM6Upj7GQwlIS16nBPrZYVXE2FVlO2Yn
pamplemousse.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
2001:912:1ac0:2200::201 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
+2001:912:1ac0:2200::202 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmngRvteIMEcy9UcRX6hcSsO7Pq+gY2dfLvhcUUciEZ
diff --git a/cluster/prod/node/concombre.nix b/cluster/prod/node/concombre.nix
index 9a9e456..acd2598 100644
--- a/cluster/prod/node/concombre.nix
+++ b/cluster/prod/node/concombre.nix
@@ -11,5 +11,4 @@
deuxfleurs.hostName = "concombre";
deuxfleurs.staticIPv4.address = "192.168.1.31";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::31";
- deuxfleurs.isRaftServer = true;
}
diff --git a/cluster/prod/node/dahlia.site.nix b/cluster/prod/node/dahlia.site.nix
deleted file mode 120000
index 3af56c7..0000000
--- a/cluster/prod/node/dahlia.site.nix
+++ /dev/null
@@ -1 +0,0 @@
-../site/orion.nix \ No newline at end of file
diff --git a/cluster/prod/node/diplotaxis.nix b/cluster/prod/node/diplotaxis.nix
deleted file mode 100644
index f9c7faf..0000000
--- a/cluster/prod/node/diplotaxis.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-# Configuration file local to this node
-
-{ config, pkgs, ... }:
-
-{
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
-
- deuxfleurs.hostName = "diplotaxis";
- deuxfleurs.staticIPv4.address = "192.168.1.12";
- deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::12";
-}
diff --git a/cluster/prod/node/diplotaxis.site.nix b/cluster/prod/node/diplotaxis.site.nix
deleted file mode 120000
index 3af56c7..0000000
--- a/cluster/prod/node/diplotaxis.site.nix
+++ /dev/null
@@ -1 +0,0 @@
-../site/orion.nix \ No newline at end of file
diff --git a/cluster/prod/node/doradille.nix b/cluster/prod/node/doradille.nix
deleted file mode 100644
index a4dc691..0000000
--- a/cluster/prod/node/doradille.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-# Configuration file local to this node
-
-{ config, pkgs, ... }:
-
-{
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
-
- deuxfleurs.hostName = "doradille";
- deuxfleurs.staticIPv4.address = "192.168.1.13";
- deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::13";
-}
diff --git a/cluster/prod/node/doradille.site.nix b/cluster/prod/node/doradille.site.nix
deleted file mode 120000
index 3af56c7..0000000
--- a/cluster/prod/node/doradille.site.nix
+++ /dev/null
@@ -1 +0,0 @@
-../site/orion.nix \ No newline at end of file
diff --git a/cluster/prod/node/pamplemousse.nix b/cluster/prod/node/pamplemousse.nix
index 00ab784..61463c8 100644
--- a/cluster/prod/node/pamplemousse.nix
+++ b/cluster/prod/node/pamplemousse.nix
@@ -11,4 +11,5 @@
deuxfleurs.hostName = "pamplemousse";
deuxfleurs.staticIPv4.address = "192.168.5.201";
deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::201";
+ deuxfleurs.isRaftServer = true;
}
diff --git a/cluster/prod/node/dahlia.nix b/cluster/prod/node/pasteque.nix
index 121a34d..98cd2e6 100644
--- a/cluster/prod/node/dahlia.nix
+++ b/cluster/prod/node/pasteque.nix
@@ -5,9 +5,10 @@
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 5;
boot.loader.efi.canTouchEfiVariables = true;
- deuxfleurs.hostName = "dahlia";
- deuxfleurs.staticIPv4.address = "192.168.1.11";
- deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::11";
+ deuxfleurs.hostName = "pasteque";
+ deuxfleurs.staticIPv4.address = "192.168.5.202";
+ deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::202";
}
diff --git a/cluster/prod/node/pasteque.site.nix b/cluster/prod/node/pasteque.site.nix
new file mode 120000
index 0000000..0a97c41
--- /dev/null
+++ b/cluster/prod/node/pasteque.site.nix
@@ -0,0 +1 @@
+../site/corrin.nix \ No newline at end of file
diff --git a/cluster/prod/site/orion.nix b/cluster/prod/site/orion.nix
deleted file mode 100644
index dd8e208..0000000
--- a/cluster/prod/site/orion.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- deuxfleurs.siteName = "orion";
- deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
- deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr.";
- deuxfleurs.publicIPv4 = "82.66.80.201";
-}
diff --git a/cluster/prod/ssh_config b/cluster/prod/ssh_config
index c8abb42..f63a335 100644
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@@ -1,4 +1,6 @@
UserKnownHostsFile ./cluster/prod/known_hosts
+Host *
+ Port 110
Host concombre
HostName concombre.machine.deuxfleurs.fr
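Review bot: The new `Host *` stanza sits at the top of the file, and ssh_config takes the first value obtained for each option, so `Port 110` now wins over any `Port` set in a later per-host stanza (none is visible in this hunk, but the rest of the file is not shown). Move the wildcard block to the end of the file, after the last `Host` entry, so per-host settings keep precedence; only the two lines `Host *` / `Port 110` change position.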
@@ -47,3 +49,6 @@ Host ortie
Host pamplemousse
HostName 2001:912:1ac0:2200::201
+
+Host pasteque
+ HostName 2001:912:1ac0:2200::202
diff --git a/cluster/staging/app/core/deploy/d53.hcl b/cluster/staging/app/core/deploy/d53.hcl
index 2fb86c0..fd4a74c 100644
--- a/cluster/staging/app/core/deploy/d53.hcl
+++ b/cluster/staging/app/core/deploy/d53.hcl
@@ -7,13 +7,15 @@ job "core-d53" {
count = 1
task "d53" {
- driver = "nix2"
+ driver = "docker"
config {
- packages = [
- "git+https://git.deuxfleurs.fr/lx/D53.git?ref=diplonat-autodiscovery&rev=49d94dae1d753c1f3349be7ea9bc7e7978c0af15"
+ image = "lxpz/amd64_d53:4"
+ network_mode = "host"
+ readonly_rootfs = true
+ volumes = [
+ "secrets:/etc/d53",
]
- command = "d53"
}
resources {
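Review bot: `image = "lxpz/amd64_d53:4"` pins the DNS-updater to a mutable tag in a personal Docker Hub namespace, so a re-push of `:4` changes what runs on the cluster without any change in this repository; pin by digest, `image = "lxpz/amd64_d53@sha256:<digest-placeholder>"`, or at least record the digest in a comment beside the tag. The same applies to `lxpz/amd64_diplonat:7` in diplonat.hcl (L1019) and, to a lesser degree, to the upstream tags introduced in cryptpad.hcl, telemetry-service.hcl, telemetry-storage.hcl and telemetry-system.hcl. `readonly_rootfs = true` is a good addition; since `secrets:/etc/d53` mounts the whole task secrets directory, a comment noting that every template rendered under `secrets/` becomes visible at /etc/d53 inside the container would help the next person adding a template.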
@@ -30,25 +32,25 @@ job "core-d53" {
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
- destination = "etc/tricot/consul-ca.crt"
+ destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
- destination = "etc/tricot/consul-client.crt"
+ destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
- destination = "etc/tricot/consul-client.key"
+ destination = "secrets/consul-client.key"
}
template {
data = <<EOH
D53_CONSUL_HOST=https://localhost:8501
-D53_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
-D53_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
-D53_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
+D53_CONSUL_CA_CERT=/etc/d53/consul-ca.crt
+D53_CONSUL_CLIENT_CERT=/etc/d53/consul-client.crt
+D53_CONSUL_CLIENT_KEY=/etc/d53/consul-client.key
D53_PROVIDERS=deuxfleurs.org:gandi
D53_GANDI_API_KEY={{ key "secrets/d53/gandi_api_key" }}
D53_ALLOWED_DOMAINS=staging.deuxfleurs.org
diff --git a/cluster/staging/app/core/deploy/diplonat.hcl b/cluster/staging/app/core/deploy/diplonat.hcl
index b6a83aa..e7657ed 100644
--- a/cluster/staging/app/core/deploy/diplonat.hcl
+++ b/cluster/staging/app/core/deploy/diplonat.hcl
@@ -15,18 +15,17 @@ job "core-diplonat" {
group "diplonat" {
task "diplonat" {
- driver = "nix2"
+ driver = "docker"
config {
- packages = [
- "#iptables",
- "#bash",
- "#coreutils",
- "git+https://git.deuxfleurs.fr/Deuxfleurs/diplonat.git?ref=main&rev=843104dad73bfdebb674d3c3ec82af225c20c493"
+ image = "lxpz/amd64_diplonat:7"
+ network_mode = "host"
+ readonly_rootfs = true
+ privileged = true
+ volumes = [
+ "secrets:/etc/diplonat",
]
- command = "diplonat"
}
- user = "root"
restart {
interval = "30m"
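Review bot: `privileged = true` grants the diplonat container every capability plus host device access, whereas the removed nix2 configuration only ran iptables as root; if firewall/NAT manipulation is all the task needs, `cap_add = ["NET_ADMIN", "NET_RAW"]` together with the existing `network_mode = "host"` is the narrower grant and is worth testing before keeping `privileged`. `privileged` also only works if the Nomad docker plugin is configured with `allow_privileged = true`, which this change does not show. Either way, a one-line comment such as `# needs elevated privileges to manage iptables in the host network namespace` would record why the task is special. The enclosing task block continues outside the hunk.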
@@ -37,17 +36,17 @@ job "core-diplonat" {
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
- destination = "etc/diplonat/consul-ca.crt"
+ destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
- destination = "etc/diplonat/consul-client.crt"
+ destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
- destination = "etc/diplonat/consul-client.key"
+ destination = "secrets/consul-client.key"
}
template {
diff --git a/cluster/staging/app/core/deploy/tricot.hcl b/cluster/staging/app/core/deploy/tricot.hcl
index e7aded6..7436c70 100644
--- a/cluster/staging/app/core/deploy/tricot.hcl
+++ b/cluster/staging/app/core/deploy/tricot.hcl
@@ -24,7 +24,7 @@ job "core-tricot" {
driver = "docker"
config {
- image = "armael/tricot:n6dk1b5xrdww12zf12jbcmihqs6g1brz"
+ image = "armael/tricot:40g7jpp915jkfszlczfh1yw2x6syjkxs-redir-headers"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]
@@ -77,7 +77,7 @@ TRICOT_HTTP_BIND_ADDR=[::]:80
TRICOT_HTTPS_BIND_ADDR=[::]:443
TRICOT_METRICS_BIND_ADDR=[::]:9334
TRICOT_WARMUP_CERT_MEMORY_STORE=true
-RUST_LOG=tricot=debug
+RUST_LOG=tricot=trace
RUST_BACKTRACE=1
EOH
destination = "secrets/env"
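Review bot: `RUST_LOG=tricot=trace` together with the `-redir-headers` image tag in the first hunk reads like a debugging session that was committed; trace-level output from a TLS-terminating reverse proxy can include request headers such as Cookie and Authorization, so even in staging it is worth confirming what tricot emits at that level and returning to `RUST_LOG=tricot=debug` once the header-redirect work is validated. A comment above the line, `# temporarily trace for redir-headers testing, revert afterwards`, would make the intent explicit. The env template continues outside the hunk.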
diff --git a/cluster/staging/app/cryptpad/config/application_config.js b/cluster/staging/app/cryptpad/config/application_config.js
new file mode 100644
index 0000000..94a613d
--- /dev/null
+++ b/cluster/staging/app/cryptpad/config/application_config.js
@@ -0,0 +1,40 @@
+/*
+ * You can override the configurable values from this file.
+ * The recommended method is to make a copy of this file (/customize.dist/application_config.js)
+ in a 'customize' directory (/customize/application_config.js).
+ * If you want to check all the configurable values, you can open the internal configuration file
+ but you should not change it directly (/common/application_config_internal.js)
+*/
+define(['/common/application_config_internal.js'], function (AppConfig) {
+ // To inform users of the support ticket panel which languages your admins speak:
+ AppConfig.supportLanguages = [ 'en', 'fr' ];
+
+ /* Select the buttons displayed on the main page to create new collaborative sessions.
+ * Removing apps from the list will prevent users from accessing them. They will instead be
+ * redirected to the drive.
+ * You should never remove the drive from this list.
+ */
+ AppConfig.availablePadTypes = ['drive', 'teams', 'doc', 'presentation', 'pad', 'kanban', 'code', 'form', 'poll', 'whiteboard',
+ 'file', 'contacts', 'slide', 'convert'];
+ // disabled: sheet
+
+ /* You can display a link to your own privacy policy in the static pages footer.
+ * Since this is different for each individual or organization there is no default value.
+ * See the comments above for a description of possible configurations.
+ */
+ AppConfig.privacy = {
+ "default": "https://deuxfleurs.fr/CGU.html",
+ };
+
+ /* You can display a link to your instances's terms of service in the static pages footer.
+ * A default is included for backwards compatibility, but we recommend replacing this
+ * with your own terms.
+ *
+ * See the comments above for a description of possible configurations.
+ */
+ AppConfig.terms = {
+ "default": "https://deuxfleurs.fr/CGU.html",
+ };
+
+ return AppConfig;
+});
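Review bot: According to the comment in cryptpad.hcl (L1453) this file is not mounted into the container yet, so nothing in this commit makes it take effect; a header comment such as `// NOTE: not yet deployed — the matching template in deploy/cryptpad.hcl is commented out` would save the next reader from assuming the pad-type and footer settings are live. `AppConfig.privacy` and `AppConfig.terms` both point at the same CGU page, which is probably intended but deserves a short comment saying so.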
diff --git a/cluster/staging/app/cryptpad/config/config.js b/cluster/staging/app/cryptpad/config/config.js
new file mode 100644
index 0000000..590d4c6
--- /dev/null
+++ b/cluster/staging/app/cryptpad/config/config.js
@@ -0,0 +1,296 @@
+/* globals module */
+
+/* DISCLAIMER:
+
+ There are two recommended methods of running a CryptPad instance:
+
+ 1. Using a standalone nodejs server without HTTPS (suitable for local development)
+ 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic
+
+ We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
+ Support requests for such setups should be directed to their authors.
+
+ If you're having difficulty difficulty configuring your instance
+ we suggest that you join the project's IRC/Matrix channel.
+
+ If you don't have any difficulty configuring your instance and you'd like to
+ support us for the work that went into making it pain-free we are quite happy
+ to accept donations via our opencollective page: https://opencollective.com/cryptpad
+
+*/
+module.exports = {
+/* CryptPad is designed to serve its content over two domains.
+ * Account passwords and cryptographic content is handled on the 'main' domain,
+ * while the user interface is loaded on a 'sandbox' domain
+ * which can only access information which the main domain willingly shares.
+ *
+ * In the event of an XSS vulnerability in the UI (that's bad)
+ * this system prevents attackers from gaining access to your account (that's good).
+ *
+ * Most problems with new instances are related to this system blocking access
+ * because of incorrectly configured sandboxes. If you only see a white screen
+ * when you try to load CryptPad, this is probably the cause.
+ *
+ * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
+ *
+ */
+
+/* httpUnsafeOrigin is the URL that clients will enter to load your instance.
+ * Any other URL that somehow points to your instance is supposed to be blocked.
+ * The default provided below assumes you are loading CryptPad from a server
+ * which is running on the same machine, using port 3000.
+ *
+ * In a production instance this should be available ONLY over HTTPS
+ * using the default port for HTTPS (443) ie. https://cryptpad.fr
+ * In such a case this should be also handled by NGINX, as documented in
+ * cryptpad/docs/example.nginx.conf (see the $main_domain variable)
+ *
+ */
+ httpUnsafeOrigin: 'https://pad.staging.deuxfleurs.org',
+
+/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
+ * If you're testing or developing with CryptPad on your local machine then
+ * it is appropriate to leave this blank. The default behaviour is to serve
+ * the main domain over port 3000 and to serve the sandbox content over port 3001.
+ *
+ * This is not appropriate in a production environment where invasive networks
+ * may filter traffic going over abnormal ports.
+ * To correctly configure your production instance you must provide a URL
+ * with a different domain (a subdomain is sufficient).
+ * It will be used to load the UI in our 'sandbox' system.
+ *
+ * This value corresponds to the $sandbox_domain variable
+ * in the example nginx file.
+ *
+ * Note that in order for the sandboxing system to be effective
+ * httpSafeOrigin must be different from httpUnsafeOrigin.
+ *
+ * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
+ */
+ httpSafeOrigin: "https://pad-sandbox.staging.deuxfleurs.org",
+
+/* httpAddress specifies the address on which the nodejs server
+ * should be accessible. By default it will listen on 127.0.0.1
+ * (IPv4 localhost on most systems). If you want it to listen on
+ * all addresses, including IPv6, set this to '::'.
+ *
+ */
+ httpAddress: '::',
+
+/* httpPort specifies on which port the nodejs server should listen.
+ * By default it will serve content over port 3000, which is suitable
+ * for both local development and for use with the provided nginx example,
+ * which will proxy websocket traffic to your node server.
+ *
+ */
+ httpPort: 3000,
+
+/* httpSafePort allows you to specify an alternative port from which
+ * the node process should serve sandboxed assets. The default value is
+ * that of your httpPort + 1. You probably don't need to change this.
+ *
+ */
+ // httpSafePort: 3001,
+
+/* CryptPad will launch a child process for every core available
+ * in order to perform CPU-intensive tasks in parallel.
+ * Some host environments may have a very large number of cores available
+ * or you may want to limit how much computing power CryptPad can take.
+ * If so, set 'maxWorkers' to a positive integer.
+ */
+ // maxWorkers: 4,
+
+ /* =====================
+ * Admin
+ * ===================== */
+
+ /*
+ * CryptPad contains an administration panel. Its access is restricted to specific
+ * users using the following list.
+ * To give access to the admin panel to a user account, just add their public signing
+ * key, which can be found on the settings page for registered users.
+ * Entries should be strings separated by a comma.
+ */
+ adminKeys: [
+ "[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
+ "[adrn@pad.deuxfleurs.fr/PxDpkPwd-jDJWkfWdAzFX7wtnLpnPlBeYZ4MmoEYS6E=]",
+ "[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]",
+ "[trinity-1686a@pad.deuxfleurs.fr/Pu6Ef03jEsAGBbZI6IOdKd6+5pORD5N51QIYt4-Ys1c=]",
+ "[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
+ "[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
+ "[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
+ "[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
+ "[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
+ "[bjonglez@pad.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
+ ],
+
+ /* =====================
+ * STORAGE
+ * ===================== */
+
+ /* Pads that are not 'pinned' by any registered user can be set to expire
+ * after a configurable number of days of inactivity (default 90 days).
+ * The value can be changed or set to false to remove expiration.
+ * Expired pads can then be removed using a cron job calling the
+ * `evict-inactive.js` script with node
+ *
+ * defaults to 90 days if nothing is provided
+ */
+ //inactiveTime: 90, // days
+
+ /* CryptPad archives some data instead of deleting it outright.
+ * This archived data still takes up space and so you'll probably still want to
+ * remove these files after a brief period.
+ *
+ * cryptpad/scripts/evict-inactive.js is intended to be run daily
+ * from a crontab or similar scheduling service.
+ *
+ * The intent with this feature is to provide a safety net in case of accidental
+ * deletion. Set this value to the number of days you'd like to retain
+ * archived data before it's removed permanently.
+ *
+ * defaults to 15 days if nothing is provided
+ */
+ //archiveRetentionTime: 15,
+
+ /* It's possible to configure your instance to remove data
+ * stored on behalf of inactive accounts. Set 'accountRetentionTime'
+ * to the number of days an account can remain idle before its
+ * documents and other account data is removed.
+ *
+ * Leave this value commented out to preserve all data stored
+ * by user accounts regardless of inactivity.
+ */
+ //accountRetentionTime: 365,
+
+ /* Starting with CryptPad 3.23.0, the server automatically runs
+ * the script responsible for removing inactive data according to
+ * your configured definition of inactivity. Set this value to `true`
+ * if you prefer not to remove inactive data, or if you prefer to
+ * do so manually using `scripts/evict-inactive.js`.
+ */
+ //disableIntegratedEviction: true,
+
+
+ /* Max Upload Size (bytes)
+ * this sets the maximum size of any one file uploaded to the server.
+ * anything larger than this size will be rejected
+ * defaults to 20MB if no value is provided
+ */
+ //maxUploadSize: 20 * 1024 * 1024,
+
+ /* Users with premium accounts (those with a plan included in their customLimit)
+ * can benefit from an increased upload size limit. By default they are restricted to the same
+ * upload size as any other registered user.
+ *
+ */
+ //premiumUploadSize: 100 * 1024 * 1024,
+
+ /* =====================
+ * DATABASE VOLUMES
+ * ===================== */
+
+ /*
+ * We need this config entry, else CryptPad will try to mkdir
+ * some stuff into Nix store apparently...
+ */
+ base: '/mnt/data',
+
+ /*
+ * CryptPad stores each document in an individual file on your hard drive.
+ * Specify a directory where files should be stored.
+ * It will be created automatically if it does not already exist.
+ */
+ filePath: '/mnt/datastore/',
+
+ /* CryptPad offers the ability to archive data for a configurable period
+ * before deleting it, allowing a means of recovering data in the event
+ * that it was deleted accidentally.
+ *
+ * To set the location of this archive directory to a custom value, change
+ * the path below:
+ */
+ archivePath: '/mnt/data/archive',
+
+ /* CryptPad allows logged in users to request that particular documents be
+ * stored by the server indefinitely. This is called 'pinning'.
+ * Pin requests are stored in a pin-store. The location of this store is
+ * defined here.
+ */
+ pinPath: '/mnt/data/pins',
+
+ /* if you would like the list of scheduled tasks to be stored in
+ a custom location, change the path below:
+ */
+ taskPath: '/mnt/data/tasks',
+
+ /* if you would like users' authenticated blocks to be stored in
+ a custom location, change the path below:
+ */
+ blockPath: '/mnt/block',
+
+ /* CryptPad allows logged in users to upload encrypted files. Files/blobs
+ * are stored in a 'blob-store'. Set its location here.
+ */
+ blobPath: '/mnt/blob',
+
+ /* CryptPad stores incomplete blobs in a 'staging' area until they are
+ * fully uploaded. Set its location here.
+ */
+ blobStagingPath: '/mnt/data/blobstage',
+
+ decreePath: '/mnt/data/decrees',
+
+ /* CryptPad supports logging events directly to the disk in a 'logs' directory
+ * Set its location here, or set it to false (or nothing) if you'd rather not log
+ */
+ logPath: false,
+
+ /* =====================
+ * Debugging
+ * ===================== */
+
+ /* CryptPad can log activity to stdout
+ * This may be useful for debugging
+ */
+ logToStdout: true,
+
+ /* CryptPad can be configured to log more or less
+ * the various settings are listed below by order of importance
+ *
+ * silly, verbose, debug, feedback, info, warn, error
+ *
+ * Choose the least important level of logging you wish to see.
+ * For example, a 'silly' logLevel will display everything,
+ * while 'info' will display 'info', 'warn', and 'error' logs
+ *
+ * This will affect both logging to the console and the disk.
+ */
+ logLevel: 'silly',
+
+ /* clients can use the /settings/ app to opt out of usage feedback
+ * which informs the server of things like how much each app is being
+ * used, and whether certain clientside features are supported by
+ * the client's browser. The intent is to provide feedback to the admin
+ * such that the service can be improved. Enable this with `true`
+ * and ignore feedback with `false` or by commenting the attribute
+ *
+ * You will need to set your logLevel to include 'feedback'. Set this
+ * to false if you'd like to exclude feedback from your logs.
+ */
+ logFeedback: false,
+
+ /* CryptPad supports verbose logging
+ * (false by default)
+ */
+ verbose: true,
+
+ /* Surplus information:
+ *
+ * 'installMethod' is included in server telemetry to voluntarily
+ * indicate how many instances are using unofficial installation methods
+ * such as Docker.
+ *
+ */
+ installMethod: 'deuxfleurs.fr',
+};
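Review bot: `adminKeys` reuses the `[name@pad.deuxfleurs.fr/...]` entries of the production instance, while this instance serves `pad.staging.deuxfleurs.org`; the admin key format appears to embed the origin the account was created on, so these entries may not match any account on the staging instance — confirm, and add a comment stating where the list comes from. `logLevel: 'silly'` with `verbose: true` and `logToStdout: true` will produce a large volume of output in the allocation logs; if that is deliberate for staging, a comment `// staging: maximal logging on purpose` makes it clear, otherwise `'info'` is the usual setting. `httpAddress: '::'` binds every interface, which is only fine while the container port is reachable solely through tricot; that isolation is not visible in this change.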
diff --git a/cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl b/cluster/staging/app/cryptpad/deploy/cryptpad.hcl
index 7788273..0948798 100644
--- a/cluster/prod/app/cryptpad/deploy/cryptpad-debug.hcl
+++ b/cluster/staging/app/cryptpad/deploy/cryptpad.hcl
@@ -1,4 +1,4 @@
-job "cryptpad-debug" {
+job "cryptpad" {
datacenters = ["neptune"]
type = "service"
@@ -22,16 +22,16 @@ job "cryptpad-debug" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
- value = "courgette"
+ value = "caribou"
}
config {
- image = "armael/cryptpad:2024.9.0"
+ image = "armael/cryptpad:2024.12.0"
ports = [ "http" ]
volumes = [
- "/mnt/ssd/cryptpad-debug:/mnt",
- "secrets/config-debug.js:/cryptpad/config.js",
+ "/mnt/ssd/cryptpad:/mnt",
+ "secrets/config.js:/cryptpad/config.js",
]
}
env {
@@ -39,14 +39,14 @@ job "cryptpad-debug" {
}
template {
- data = file("../config/config-debug.js")
- destination = "secrets/config-debug.js"
+ data = file("../config/config.js")
+ destination = "secrets/config.js"
}
/* Disabled because it requires modifications to the docker image and I do not want to invest the time yet
template {
- data = file("../config/application_config-debug.js")
- destination = "secrets/config-debug.js"
+ data = file("../config/application_config.js")
+ destination = "secrets/config.js"
}
*/
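Review bot: Inside the disabled block, the renamed template still writes `destination = "secrets/config.js"` (L1458), the same path as the live config.js template just above it, so uncommenting the block would overwrite the server configuration with application_config.js; change it to `destination = "secrets/application_config.js"` and add the matching volume entry (the mount path inside the image is not shown here) so the block is correct whenever it is enabled.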
@@ -56,17 +56,17 @@ job "cryptpad-debug" {
}
service {
- name = "cryptpad-debug"
+ name = "cryptpad"
port = "http"
tags = [
- "tricot pad-debug.deuxfleurs.fr",
- "tricot pad-sandbox-debug.deuxfleurs.fr",
+ "tricot pad.staging.deuxfleurs.org",
+ "tricot pad-sandbox.staging.deuxfleurs.org",
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
"tricot-add-header Access-Control-Allow-Origin *",
"tricot-add-header Access-Control-Allow-Credentials true",
- "d53-cname pad-debug.deuxfleurs.fr",
- "d53-cname pad-sandbox-debug.deuxfleurs.fr",
+ "d53-cname pad.staging.deuxfleurs.org",
+ "d53-cname pad-sandbox.staging.deuxfleurs.org",
]
check {
type = "http"
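Review bot: The unchanged tags `Access-Control-Allow-Origin *` and `Access-Control-Allow-Credentials true` are carried over from the debug job; browsers refuse credentialed requests when the allowed origin is the wildcard, so the second header has no effect, and a wildcard CORS policy on the main origin is at odds with the main/sandbox separation config.js describes. If tricot can set a concrete origin, `tricot-add-header Access-Control-Allow-Origin https://pad-sandbox.staging.deuxfleurs.org` is the narrower setting; otherwise a comment explaining why the wildcard is required would help. The service block continues outside the hunk.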
diff --git a/cluster/staging/app/telemetry/deploy/telemetry-service.hcl b/cluster/staging/app/telemetry/deploy/telemetry-service.hcl
index 47554e2..5fcaa7a 100644
--- a/cluster/staging/app/telemetry/deploy/telemetry-service.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry-service.hcl
@@ -2,95 +2,6 @@ job "telemetry-service" {
datacenters = ["neptune", "dathomir", "corrin", "bespin"]
type = "service"
- group "prometheus" {
- count = 2
-
- network {
- port "prometheus" {
- static = 9090
- }
- }
-
- constraint {
- attribute = "${attr.unique.hostname}"
- operator = "set_contains_any"
- value = "df-pw5,origan"
- }
-
- task "prometheus" {
- driver = "nix2"
- config {
- nixpkgs = "github:nixos/nixpkgs/nixos-22.11"
- packages = [ "#prometheus", "#coreutils", "#findutils", "#bash" ]
- command = "prometheus"
- args = [
- "--config.file=/etc/prom/prometheus.yml",
- "--storage.tsdb.path=/data",
- "--storage.tsdb.retention.size=5GB",
- ]
- bind = {
- "/mnt/ssd/prometheus" = "/data"
- }
- }
-
- template {
- data = file("../config/prometheus.yml")
- destination = "etc/prom/prometheus.yml"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
- destination = "etc/prom/consul.crt"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-client.crt\" }}"
- destination = "etc/prom/consul-client.crt"
- }
-
- template {
- data = "{{ key \"secrets/consul/consul-client.key\" }}"
- destination = "etc/prom/consul-client.key"
- }
-
- template {
- data = "{{ key \"secrets/nomad/nomad-ca.crt\" }}"
- destination = "etc/prom/nomad-ca.crt"
- }
-
- template {
- data = "{{ key \"secrets/nomad/nomad-client.crt\" }}"
- destination = "etc/prom/nomad-client.crt"
- }
-
- template {
- data = "{{ key \"secrets/nomad/nomad-client.key\" }}"
- destination = "etc/prom/nomad-client.key"
- }
-
- resources {
- memory = 500
- cpu = 200
- }
-
- service {
- port = "prometheus"
- name = "prometheus"
- check {
- type = "http"
- path = "/"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-
group "grafana" {
count = 1
@@ -106,50 +17,46 @@ job "telemetry-service" {
sidecar = false
}
- driver = "nix2"
+ driver = "docker"
config {
- packages = [ "#litestream" ]
- command = "litestream"
+ image = "litestream/litestream:0.3.13"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/grafana.db"
]
- bind = {
- "../alloc/data" = "/ephemeral",
- }
+ volumes = [
+ "../alloc/data:/ephemeral",
+ "secrets/litestream.yml:/etc/litestream.yml"
+ ]
}
+ user = "472"
template {
data = file("../config/grafana-litestream.yml")
- destination = "etc/litestream.yml"
+ destination = "secrets/litestream.yml"
}
resources {
- memory = 100
- memory_max = 1000
+ memory = 50
+ memory_max = 200
cpu = 100
}
}
task "grafana" {
- driver = "nix2"
+ driver = "docker"
config {
- nixpkgs = "github:nixos/nixpkgs/nixos-22.11"
- packages = [ "#grafana" ]
- command = "grafana-server"
- args = [
- "-homepath", "/share/grafana",
- "cfg:default.paths.data=/grafana",
- "cfg:default.paths.provisioning=/grafana-provisioning"
+ image = "grafana/grafana:11.4.1"
+ network_mode = "host"
+ ports = [ "grafana" ]
+ volumes = [
+ "../alloc/data:/var/lib/grafana",
+ "secrets/prometheus.yaml:/etc/grafana/provisioning/datasources/prometheus.yaml"
]
-
- bind = {
- "../alloc/data" = "/grafana",
- }
}
template {
data = file("../config/grafana-datasource-prometheus.yaml")
- destination = "grafana-provisioning/datasources/prometheus.yaml"
+ destination = "secrets/prometheus.yaml"
}
template {
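Review bot: In the grafana task, `network_mode = "host"` makes `ports = [ "grafana" ]` a no-op as far as port mapping goes — the container listens on whatever Grafana itself is configured for — and the service hunk below (L1654–L1667) hard-codes `port = 3719`, so the listening port now lives in several places (network label, Grafana environment, service and check stanzas); keep one source, e.g. `port = "grafana"` in the service if the label is still reserved, and add a comment where 3719 is chosen. With host networking Grafana is also reachable on every host interface rather than only through tricot; if that is acceptable for staging, say so in a comment. The new docker tasks here (litestream, grafana, replicate-db) and in telemetry-storage.hcl and telemetry-system.hcl omit the `readonly_rootfs = true` that d53.hcl and diplonat.hcl set; adding it wherever the image does not need a writable root keeps the hardening consistent. The grafana task continues outside the hunk.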
@@ -163,8 +70,9 @@ GF_SECURITY_ADMIN_PASSWORD={{ key "secrets/telemetry/grafana/admin_password" }}
}
resources {
- memory = 300
- cpu = 300
+ memory = 100
+ memory_max = 400
+ cpu = 300
}
restart {
@@ -181,9 +89,12 @@ GF_SECURITY_ADMIN_PASSWORD={{ key "secrets/telemetry/grafana/admin_password" }}
"tricot grafana.staging.deuxfleurs.org",
"d53-cname grafana.staging.deuxfleurs.org",
]
- port = "grafana"
+ port = 3719
+ address_mode = "driver"
check {
type = "tcp"
+ port = 3719
+ address_mode = "driver"
interval = "60s"
timeout = "5s"
check_restart {
@@ -196,26 +107,27 @@ GF_SECURITY_ADMIN_PASSWORD={{ key "secrets/telemetry/grafana/admin_password" }}
}
task "replicate-db" {
- driver = "nix2"
+ driver = "docker"
config {
- packages = [ "#litestream" ]
- command = "litestream"
+ image = "litestream/litestream:0.3.13"
args = [
"replicate", "-config", "/etc/litestream.yml"
]
- bind = {
- "../alloc/data" = "/ephemeral",
- }
+ volumes = [
+ "../alloc/data:/ephemeral",
+ "secrets/litestream.yml:/etc/litestream.yml"
+ ]
}
+ user = "472"
template {
data = file("../config/grafana-litestream.yml")
- destination = "etc/litestream.yml"
+ destination = "secrets/litestream.yml"
}
resources {
- memory = 100
- memory_max = 500
+ memory = 50
+ memory_max = 200
cpu = 100
}
}
diff --git a/cluster/staging/app/telemetry/deploy/telemetry-storage.hcl b/cluster/staging/app/telemetry/deploy/telemetry-storage.hcl
new file mode 100644
index 0000000..fbde697
--- /dev/null
+++ b/cluster/staging/app/telemetry/deploy/telemetry-storage.hcl
@@ -0,0 +1,97 @@
+job "telemetry-storage" {
+ datacenters = ["neptune", "dathomir", "corrin", "bespin"]
+ type = "service"
+
+ group "prometheus" {
+ count = 2
+
+ network {
+ port "prometheus" {
+ static = 9090
+ }
+ }
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "set_contains_any"
+ value = "df-pw5,origan"
+ }
+
+ task "prometheus" {
+ driver = "docker"
+ config {
+ image = "prom/prometheus:v3.1.0"
+ network_mode = "host"
+ ports = [ "prometheus" ]
+ args = [
+ "--config.file=/etc/prometheus/prometheus.yml",
+ "--storage.tsdb.path=/data",
+ "--storage.tsdb.retention.size=20GB",
+ ]
+ volumes = [
+ "secrets:/etc/prometheus",
+ "/mnt/ssd/prometheus:/data"
+ ]
+ }
+
+ template {
+ data = file("../config/prometheus.yml")
+ destination = "secrets/prometheus.yml"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+ destination = "secrets/consul.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
+ data = "{{ key \"secrets/nomad/nomad-ca.crt\" }}"
+ destination = "secrets/nomad-ca.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/nomad/nomad-client.crt\" }}"
+ destination = "secrets/nomad-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/nomad/nomad-client.key\" }}"
+ destination = "secrets/nomad-client.key"
+ }
+
+ resources {
+ memory = 500
+ cpu = 200
+ }
+
+ service {
+ port = 9090
+ address_mode = "driver"
+ name = "prometheus"
+ check {
+ type = "http"
+ path = "/"
+ port = 9090
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
index a97c7b1..9cd254a 100644
--- a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
@@ -4,43 +4,46 @@ job "telemetry-system" {
priority = "100"
group "collector" {
- network {
- port "node_exporter" { static = 9100 }
- }
+ network {
+ port "node_exporter" { static = 9100 }
+ }
- task "node_exporter" {
- driver = "nix2"
+ task "node_exporter" {
+ driver = "docker"
- config {
- packages = [ "#prometheus-node-exporter" ]
- command = "node_exporter"
- args = [ "--path.rootfs=/host" ]
- bind_read_only = {
- "/" = "/host"
- }
- }
+ config {
+ image = "quay.io/prometheus/node-exporter:v1.8.1"
+ network_mode = "host"
+ volumes = [
+ "/:/host:ro,rslave"
+ ]
+ args = [ "--path.rootfs=/host" ]
+ }
- resources {
- cpu = 50
- memory = 40
- }
+ resources {
+ cpu = 50
+ memory = 40
+ }
- service {
- name = "node-exporter"
- tags = [ "telemetry" ]
- port = "node_exporter"
- check {
- type = "http"
- path = "/"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-}
+ service {
+ tags = [ "telemetry" ]
+ port = 9100
+ address_mode = "driver"
+ name = "node-exporter"
+ check {
+ type = "http"
+ path = "/"
+ port = 9100
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+ }
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index b170162..e928824 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -46,8 +46,6 @@
deuxfleurs.adminAccounts = {
lx = [
- # Keys for accessing nodes from outside
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIw+IIX8+lZX9RrHAbwi/bncLYStXpI4EmK3AUcqPY2O lx@kusanagi "
];
quentin = [
@@ -92,6 +90,9 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJX0A2P59or83EKhh32o8XumGz0ToTEsoq89hMbMtr7h"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB540H9kn+Ocs4Wjc1Y3f3OkHFYEqc5IM/FiCyoVVoh3"
];
+ stitch = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdT28Emp9yJqTPrxz+oDP08KZaN1kbsNyVqt9p9IMED"
+ ];
};
# For Garage ipv6 communication
@@ -99,8 +100,8 @@
## ===== EXPERIMENTAL SECTION FOR STAGING CLUSTER =====
- # Test nomad 1.6
- services.nomad.package = pkgs.nomad_1_6;
+ # Test nomad 1.7
+ services.nomad.package = pkgs.nomad_1_7;
nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
# We're doing lots of experiments so GC periodically is usefull.
diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix
index 487c838..9071a4c 100644
--- a/cluster/staging/node/caribou.nix
+++ b/cluster/staging/node/caribou.nix
@@ -9,8 +9,9 @@
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "caribou";
- deuxfleurs.staticIPv6.address = "2a01:e0a:2c:540::23";
+ deuxfleurs.staticIPv6.address = "2a01:e34:ec05:8a40::23";
deuxfleurs.isRaftServer = true;
+ # this denote the version at install time, do not update
system.stateVersion = "21.05";
}
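Review bot: The new comment reads `# this denote the version at install time, do not update`; grammar fix: `# this denotes the NixOS version at install time; do not update`. The same comment is added to df-pw5.nix, origan.nix and piranha.nix in this change, so fix it in all four.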
diff --git a/cluster/staging/node/df-pw5.nix b/cluster/staging/node/df-pw5.nix
index 45f392f..7192548 100644
--- a/cluster/staging/node/df-pw5.nix
+++ b/cluster/staging/node/df-pw5.nix
@@ -14,5 +14,6 @@
deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7";
deuxfleurs.isRaftServer = true;
- system.stateVersion = "22.11";
+ # this denote the version at install time, do not update
+ system.stateVersion = "24.05";
}
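Review bot: The comment added here says `do not update`, yet the same hunk changes `system.stateVersion` from "22.11" to "24.05"; stateVersion is meant to stay at the value used at installation, because bumping it changes the defaults NixOS applies to stateful services. Either these machines were reinstalled on 24.05 — in which case a comment saying so, `# reinstalled on 24.05`, removes the contradiction — or the old value should be kept. origan.nix (L1944–L1950) and piranha.nix (L1955–L1961) make the same change.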
diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix
index 2cc4791..b1800de 100644
--- a/cluster/staging/node/origan.nix
+++ b/cluster/staging/node/origan.nix
@@ -10,5 +10,6 @@
deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec";
deuxfleurs.isRaftServer = true;
- system.stateVersion = "22.11";
+ # this denote the version at install time, do not update
+ system.stateVersion = "24.05";
}
diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix
index 2dc0677..c856334 100644
--- a/cluster/staging/node/piranha.nix
+++ b/cluster/staging/node/piranha.nix
@@ -12,5 +12,6 @@
deuxfleurs.staticIPv4.address = "192.168.5.25";
deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::25";
- system.stateVersion = "22.11";
+ # this denote the version at install time, do not update
+ system.stateVersion = "24.05";
}
diff --git a/cluster/staging/ssh_config b/cluster/staging/ssh_config
index 4f38f47..dadd285 100644
--- a/cluster/staging/ssh_config
+++ b/cluster/staging/ssh_config
@@ -1,16 +1,27 @@
UserKnownHostsFile ./cluster/staging/known_hosts
+Host *
+ Port 110
+
+Host caribou_v4
+ Port 2234
+ Hostname 78.192.88.164
Host caribou
- #HostName caribou.machine.deuxfleurs.fr
HostName caribou.machine.staging.deuxfleurs.org
+Host origan_v4
+ Port 33600
+ Hostname 82.64.238.84
+
Host origan
- #HostName origan.df.trinity.fr.eu.org
HostName origan.machine.staging.deuxfleurs.org
Host piranha
HostName piranha.machine.staging.deuxfleurs.org
+Host df-pw5_v4
+ Port 112
+ Hostname bespin.site.deuxfleurs.fr
+
Host df-pw5
- #HostName df-pw5.machine.deuxfleurs.fr
HostName df-pw5.machine.staging.deuxfleurs.org
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 68751a2..4eb701b 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -77,6 +77,7 @@ SystemMaxUse=1G
# Enable the OpenSSH daemon and disable password login.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.ports = [ 110 ];
virtualisation.docker = {
enable = true;
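Review bot: The new `services.openssh.ports = [ 110 ];` is undocumented at the place it is set, while the reason (port 22 being used by forgejo) only appears in a separate file's firewall comment; a reader of configuration.nix alone cannot tell why sshd listens on the POP3 port. Extend the existing header comment to `# Enable the OpenSSH daemon on tcp/110 (port 22 is used by forgejo) and disable password login.` so the choice travels with the setting. Note also that the default `openFirewall` behaviour of the openssh module opens every port in this list, so the explicit firewall rule elsewhere may be redundant — worth confirming rather than assuming. The enclosing attribute set continues outside the hunk.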
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index f9fd068..43e8c91 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -328,12 +328,14 @@ in
rpc_hold_timeout = "70s";
};
- ca_file = "/var/lib/consul/pki/consul-ca.crt";
- cert_file = "/var/lib/consul/pki/consul.crt";
- key_file = "/var/lib/consul/pki/consul.key";
- verify_incoming = true;
- verify_outgoing = true;
- verify_server_hostname = true;
+ tls.defaults = {
+ ca_file = "/var/lib/consul/pki/consul-ca.crt";
+ cert_file = "/var/lib/consul/pki/consul.crt";
+ key_file = "/var/lib/consul/pki/consul.key";
+ verify_incoming = true;
+ verify_outgoing = true;
+ };
+ tls.internal_rpc.verify_server_hostname = true;
};
services.nomad.enable = true;
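Review bot: The move from the flat `ca_file`/`verify_*` keys to the `tls.defaults` and `tls.internal_rpc` stanza is not explained anywhere in the hunk, and the stanza layout is only accepted by newer Consul releases (the nested `tls` block was introduced with the deprecation of the flat keys, so this presumably rides on a Consul upgrade elsewhere in the commit — confirm). A short comment above `tls.defaults = {` would document the constraint and the intent: `# Consul "tls" stanza (replaces the deprecated top-level ca_file/verify_* keys); requires a Consul release that supports it`. It is also worth recording that `verify_incoming` under `defaults` now applies to every listener that does TLS, not only internal RPC, which is why `verify_server_hostname` is kept under `internal_rpc` only. The enclosing `services.consul` block starts and ends outside the hunk.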
@@ -410,8 +412,8 @@ in
enable = true;
allowedTCPPorts = [
- # Allow anyone to connect on SSH port
- (head ({ openssh.ports = [22]; } // config.services).openssh.ports)
+ # Allow anyone to connect on SSH port on tcp/110, port 22 is used by forgejo
+ (head ({ openssh.ports = [ 110 ]; } // config.services).openssh.ports)
];
allowedUDPPorts = [
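Review bot: `head` still opens only the first entry of `config.services.openssh.ports`, so if a second port is ever added to the list (for example to keep 22 reachable during the migration to 110) it will be silently left closed, and the default `{ openssh.ports = [ 110 ]; }` is only consulted when `config.services` has no `openssh` attribute at all, which is never the case once the module is loaded. Opening the whole list with `] ++ config.services.openssh.ports ++ [` or simply `allowedTCPPorts = config.services.openssh.ports;` would express the intent directly and keep the firewall in step with the sshd configuration. The updated comment should then say "SSH port(s)" rather than naming tcp/110, so it does not go stale when the list changes. The enclosing `networking.firewall` block continues outside the hunk.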
@@ -419,6 +421,12 @@ in
cfg.wireguardPort
];
+ # Don't spam logs with refused connections
+ logRefusedConnections = false;
+
+ # Use REJECT instead of DROP, to avoid timeouts (e.g. when trying to connect to the wrong SSH port)
+ rejectPackets = true;
+
# Allow specific hosts access to specific things in the cluster
extraCommands = ''
# Allow UDP packets comming from port 1900 from a local address,
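Review bot: `logRefusedConnections = false;` removes the only host-level record of connection attempts against closed ports, which is also the signal that would show scans or brute-force attempts hitting the old port 22 after the move to 110; combined with `rejectPackets = true;`, the host now answers closed ports with RST/ICMP errors, which is friendlier for operators but also tells a scanner the host is up and lets it enumerate ports faster. Both are reasonable trade-offs, but the comments only give the convenience side; record the cost so it is a deliberate choice, e.g. `# Don't spam logs with refused connections (note: this also hides port scans / probes of the old SSH port; rely on sshd/auth logs instead)` and `# Use REJECT instead of DROP, to avoid timeouts (e.g. wrong SSH port); this makes the host visibly respond to probes on closed ports`. If the log volume is the real problem, `logRefusedUnicastsOnly` (already the default) plus a rate limit on the log rule is a middle ground that keeps the signal. The enclosing `networking.firewall` block starts and ends outside the hunk.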
diff --git a/upgrade_nixos b/upgrade_nixos
index 5f0ec3a..25a2347 100755
--- a/upgrade_nixos
+++ b/upgrade_nixos
@@ -1,9 +1,9 @@
#!/usr/bin/env ./sshtool
if [ "$CLUSTER" = "staging" ]; then
- cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
+ cmd nix-channel --add https://nixos.org/channels/nixos-24.11 nixos
else
- cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
+ cmd nix-channel --add https://nixos.org/channels/nixos-24.05 nixos
fi
cmd nix-channel --update