fix(chat): correct .well-known URLs (#15)

By default, conduit assumes your .well-known URLs are the same as your
base URL (for us auxolotl.org). Unfortunately, although we want our
accounts to be @foo:auxolotl.org, our server is actually at
matrix.auxolotl.org, which broke some clients such as commet

Correcting these .well-known URLs allows clients to connect again

Reviewed-on: #15
Co-authored-by: Skyler Grey <sky@a.starrysky.fyi>
Co-committed-by: Skyler Grey <sky@a.starrysky.fyi>

.reuse/dep5

@@ -1,10 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Auxolotl Infrastructure
-Upstream-Contact: Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>
-Source: https://auxolotl.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...

LICENSES/MIT.txt

@@ -1,9 +0,0 @@
-MIT License
-
-Copyright (c) <year> <copyright holders>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

REUSE.toml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: CC0-1.0
+
+version = 1
+
+SPDX-PackageName = "Auxolotl Infrastructure"
+SPDX-PackageSupplier = "Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>"
+SPDX-PackageDownloadLocation = "https://auxolotl.org"
+
+[[annotations]]
+path = "secrets/generated/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "secrets/rekeyed/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "**/*.age"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"

flake.nix

@@ -6,11 +6,17 @@
   description = "Auxolotl infrastructure.";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
     snowfall-lib = {
-      url = "github:snowfallorg/lib/dev";
+      url = "github:snowfallorg/lib";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    agenix.url = "github:ryantm/agenix";
+
+    agenix-rekey = {
+      url = "github:oddlama/agenix-rekey";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -19,12 +25,23 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    buildbot-nix.url = "git+https://git.auxolotl.org/auxolotl/buildbot-nix.git";
+    # Do not override nixpkgs in buildbot-nix (see https://github.com/nix-community/buildbot-nix)
+
+    clicks = {
+      url = "git+https://git.clicks.codes/Infra/NixFiles.git";
+      inputs = {
+        deploy-rs.follows = "deploy-rs";
+        nixpkgs.follows = "nixpkgs";
+        snowfall-lib.follows = "snowfall-lib";
+        unstable.follows = "unstable";
+      };
+    };
+
     deploy-rs = {
       url = "github:serokell/deploy-rs";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-
-    buildbot-nix.url = "github:Mic92/buildbot-nix";
   };
 
   outputs = inputs: let
@@ -39,21 +56,34 @@
     };
   in
     lib.mkFlake {
-      overlays = with inputs; [
-        auxolotl-website.overlays.default
+      overlays = [
+        inputs.auxolotl-website.overlays.default
+        inputs.agenix-rekey.overlays.default
       ];
 
+      systems.modules.nixos = [
+        inputs.agenix.nixosModules.default
+        inputs.agenix-rekey.nixosModules.default
+        inputs.buildbot-nix.nixosModules.buildbot-master
+        inputs.buildbot-nix.nixosModules.buildbot-worker
+      ] ++ (lib.attrsets.attrValues inputs.clicks.nixosModules);
+
       deploy = lib.mkDeploy {
         inherit (inputs) self;
         overrides = {
           axol.hostname = "137.184.177.239";
           baxter.hostname = "209.38.149.197";
+					codex.hostname = "64.23.153.98";
         };
       };
 
-      systems.modules.nixos = [
-        inputs.buildbot-nix.nixosModules.buildbot-master
-      ];
+      agenix-rekey = inputs.agenix-rekey.configure {
+        userFlake = inputs.self // { outPath = lib.pipe "" [
+          lib.snowfall.fs.get-snowfall-file
+          (lib.strings.removeSuffix "/")
+        ]; };
+        nodes = inputs.self.nixosConfigurations;
+      };
 
       checks =
         builtins.mapAttrs

modules/nixos/auxolotl/security/secrets/default.nix

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  age.rekey = {
+    masterIdentities = [
+      "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+      "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+      "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+    ];
+    storageMode = "local";
+    generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}";
+    localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}";
+  };
+}

modules/nixos/auxolotl/services/buildbot/default.nix

@@ -1,65 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}: let
-  cfg = config.auxolotl.services.buildbot;
-in {
-  options.auxolotl.services.buildbot = {
-    enable = lib.mkEnableOption "Matrix chat";
-
-    domain = lib.mkOption {
-      type = lib.types.str;
-      description = "Buildbot domain";
-    };
-
-    admins = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      description = "List of usernames to give admin permissions to. This allows them to reload the project list.";
-      default = [ ];
-    };
-
-    gitea = {
-      url = lib.mkOption {
-        type = lib.types.str;
-        description = "URL of the gitea instance to connect to.";
-      };
-      oauthId = lib.mkOption {
-        type = lib.types.str;
-        description = "Oauth ID for the login buttons.";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.buildbot-nix.master = {
-      enable = true;
-
-      domain = cfg.domain;
-      admins = cfg.admins;
-
-      authBackend = "gitea";
-
-      gitea = {
-        tokenFile = /.;
-        webhookSecretFile = /.;
-
-        instanceUrl = cfg.giteaUrl;
-      };
-    };
-
-    services.nginx = {
-      enable = true;
-
-      virtualHosts."${cfg.domain}" = {
-        forceSSL = true;
-        enableACME = true;
-      };
-    };
-  };
-}

modules/nixos/auxolotl/services/chat/default.nix

@@ -77,6 +77,10 @@ in {
         global = {
           server_name = cfg.domain;
           allow_registration = false;
+          well_known = {
+            server = "matrix.auxolotl.org:443";
+            client = "https://matrix.auxolotl.org";
+          };
         };
       };
     };

modules/nixos/auxolotl/services/ci/master/default.nix

@@ -0,0 +1,112 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: let
+  cfg = config.auxolotl.services.ci.master;
+in {
+  options.auxolotl.services.ci.master = {
+    enable = lib.mkEnableOption "Enable the buildbot-nix master on this server";
+
+    forgeUrl = lib.mkOption {
+      type = lib.types.str;
+      default = "https://${config.auxolotl.services.forge.subdomain}.${config.auxolotl.services.forge.domain}";
+      description = "The url your gitea/forgejo forge is hosted at";
+    };
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = "auxolotl.org";
+      description = "The domain name for the website.";
+    };
+
+    subdomain = lib.mkOption {
+      type = lib.types.str;
+      default = "builds";
+      description = "The subdomain for the website.";
+    };
+
+    oauth = {
+      clientId = lib.mkOption {
+        type = lib.types.str;
+        description = "The client ID for your gitea/forgejo app";
+      };
+      clientSecretFile = lib.mkOption {
+        type = lib.types.str;
+        description = "A file containing the client secret for your gitea/forgejo app, readable by the 'buildbot' user";
+      };
+    };
+
+    tokenFile = lib.mkOption {
+      type = lib.types.str;
+      description = "A file containing the personal access token for your gitea/forgejo user. You should probably make a new 'ci' user for this purpose, although this is not strictly required";
+    };
+
+    webhookSecretFile = lib.mkOption {
+      type = lib.types.str;
+      description = "A file containing the secret for your gitea/forgejo triggering webhooks";
+    };
+
+    databasePasswordFile = lib.mkOption {
+      type = lib.types.str;
+      description = "A file containing the password for the buildbot postgres user";
+    };
+
+    workersFile = lib.mkOption {
+      type = lib.types.str;
+      description = "A file containing a list of workers, passwords, etc. as JSON. See https://github.com/nix-community/buildbot-nix/blob/5bdbb7609689989a79f7d6e6e59c4b7985634230/examples/master.nix#L13 for an example";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.buildbot-nix.master = {
+      enable = true;
+
+      authBackend = "gitea"; # Forgejo and gitea are similar enough to ...
+
+      gitea = {
+        inherit (cfg) tokenFile webhookSecretFile;
+
+        instanceUrl = cfg.forgeUrl;
+
+        oauthId = cfg.oauth.clientId;
+        oauthSecretFile = cfg.oauth.clientSecretFile;
+
+        topic = null;
+      };
+
+      admins = [
+        "jakehamilton"
+        "isabelroses"
+        "minion"
+
+        "AxelSilverdew"
+        "coded"
+        "srd424"
+      ];
+      # Admins is currently Steering+Infrastructure committees
+      # We should consider how best to proceed with this...
+
+      workersFile = cfg.workersFile;
+      buildSystems = [ pkgs.hostPlatform.system ];
+
+      domain = "${cfg.subdomain}.${cfg.domain}";
+      useHTTPS = true;
+
+      buildbotNixpkgs = pkgs;
+
+      outputsPath = "/var/lib/buildbot/outputs";
+    };
+
+    services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+    };
+  };
+}

modules/nixos/auxolotl/services/ci/worker/default.nix

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: let
+  cfg = config.auxolotl.services.ci.worker;
+in {
+  options.auxolotl.services.ci.worker = {
+    enable = lib.mkEnableOption "Enable a buildbot-nix worker on this server";
+
+    masterUrl = lib.mkOption {
+      type = lib.types.str;
+      description = "The master url for the buildbot worker";
+      default = if config.auxolotl.services.ci.master.enable
+        then "tcp:host=localhost:port=9989"
+        else throw "auxolotl.services.ci.worker: You must either set a master URL or run a master on this server";
+    };
+
+    workerPasswordFile = lib.mkOption {
+      type = lib.types.str;
+      description = "A file containing the password for this worker";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.buildbot-nix.worker = {
+      enable = true;
+
+      buildbotNixpkgs = pkgs;
+
+      inherit (cfg) masterUrl workerPasswordFile;
+    };
+  };
+}

modules/nixos/auxolotl/services/forge/default.nix

@@ -38,7 +38,7 @@ in {
 
       lfs.enable = true;
 
-      secrets.mailer.PASSWD = "/var/lib/secrets/forgejo-smtp-password";
+			mailerPasswordFile = "/var/lib/secrets/forgejo-smtp-password";
 
       database = {
         type = "postgres";

overlays/buildbot/default.nix

@@ -0,0 +1,4 @@
+{ channels, ... }:
+final: prev: {
+  inherit (channels.unstable) buildbot;
+}

secrets/generated/axol/clicks.services.headscale.database_password_path.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg AotC1OcKc0ti5K6mtsUMYAqbatTWQDKp/2FrnOlzkjdO
+0rQChKMRXxIcSYDstypsXuielQrocv4BA5A1sl13OI4
+-> piv-p256 Hpt/+Q ApUzYGw2STuEvWzD9ApOVYZt6chkddNNUqMdFrHVLfob
+fuEK2OPd+RZ6NyTGDkT9XDqKoRM3PKIH+7uXT2vloeQ
+-> piv-p256 zfskmQ A6tQg5bZLRhR6P7Ch1OYGB+8epuYWVgY8NHVt2/duCX4
+UZ/siP1+Ee5fOucjCuy9OdJdYr2+HA4UElUJKfR/Z+w
+-> :98mk-F1-grease . NZ)[K^Y dH
+lNVgE+LU+g
+--- jnqRYlJ+O2Gyyq3F+Bg6wbeWnr+BrvnyS7yZJSBVdMA
+¾2<ž½úG<7F>²öw;Á•–¨É2}æAmw˜Y6ºa©5TÖÉd<EÍ„Ñ×0Î9]µÍpŒ}„ÄçÆ7.À¤™¤Ë¨. ‹äé\FN¢)@µ

secrets/generated/baxter/services.ci.master.webhookSecretFile.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg A70wMCisOjVzR3ug4BLjnWaiySAkBRDLS80G5F+HgP90
+5eo4VyKyOpO3s1ab5tYWrPJLp2NDoNfOLssPJz1X6sM
+-> piv-p256 Hpt/+Q Ap55RMoW+ydJ/CWdY4f+dT3m+e6iKe+OJlE3ORgH5jl/
+XjwSs/jqumcvnOsfKM97NbjuKelP7bxz87fXqDajmto
+-> piv-p256 zfskmQ A6uIgMEgAQONVDgcpqh935TcbNVHPdGR+a8y2fsY0dw4
+0eByad5OHK5Gap5Eq+jA5j1cWHS8q6cKvR9VKD5gXg4
+-> LOt-grease %/=M
+fgFp1gevlSUjaT26jP0yiRZNh3H9IlhZtJDt61WublxpuNhISVSNSqXat86tXjOZ
+iEd+
+--- 8HghOj3gAYLyGa2/z7ep5TbdSmrzhi7Bv333id6/XRY
+µÕOåš:¤&-<2D>ý‘3ºÜõsÔQsDµFª<¥§è¹Ùá‘ØÑÌ…fDXb.TxdR	ùú3Y¯Bó«æqs¤<73>¸Æ"‹NÛlÕÙš

secrets/keys/minion/collabora-yubikey.pub

@@ -0,0 +1,7 @@
+#       Serial: 20652804, Slot: 1
+#         Name: MINION_COLLABORA_YUBIKEY
+#      Created: Sun, 21 Jul 2024 12:55:44 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ

secrets/keys/minion/collabora-yubikey.pub.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only

secrets/keys/minion/iyubikey.pub

@@ -0,0 +1,7 @@
+#       Serial: 24039462, Slot: 1
+#         Name: MINION_iYUBIKEY
+#      Created: Sun, 21 Jul 2024 12:57:17 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA

secrets/keys/minion/iyubikey.pub.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only

secrets/keys/minion/tiny-yubikey.pub

@@ -0,0 +1,7 @@
+#       Serial: 23751432, Slot: 1
+#         Name: MINION_TINY_YUBIKEY
+#      Created: Sun, 21 Jul 2024 12:49:01 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0

secrets/keys/minion/tiny-yubikey.pub.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only

secrets/rekeyed/axol/1ee57cb56c17a905d8f6d68eb574db79-02cace87552ceb629ab03cd084eeae6761008fddebed6b75f9a013d122a25030.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 JMblKQ /KeQPyNmEYg1qHq5M4z3aQ7Jt4dwozMQMhmb1wzdDDw
+kS77B2HAZxnhMzcD9bTkcyhGiRrkzEv6+UDcE0lonJU
+-> BVh{PUl}-grease K D$G T_Ov7Cb
+vmCUTiAi81FTpapoJgHlCO9e6ZXzUW5QfuclIZbG2gqoL6XKSvED84gdZeIeZ3TA
+tSFu/4eADDeqoGKiFQSt/Ji+qy2XDmIVJh400QwcUsjZasRXMquGPn6jDxo
+--- +5WuWL/wQ0EH3xpoQ3f5mLiHZNsXO8wGpsNBh+PfTkA
+ËA©åߘõTfl—àæ×±×ÆZôdW4‰ÝN–æ÷¤$[P#¡Z‚ÜÔÜ<18>×þƒÃ’æ£A¥ÙFÃr•bïd<C3AF>-`,@ÕµóÈÐäÕ

secrets/rekeyed/axol/c8d99c55c1546d3c2295c1e91c6db9e6-6d7837d2fe4c729d0aee7dabf3958b9dc8070761e8e3a0425d8e4dcbbe86325d.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 JMblKQ K3PuGxokm5IVyWvKINebQ78IludSXmPQ6TszMlJ+y2Y
+gSIZJVDNkGEwKqMoqnVWQnZlCtquX8OiY+zokAE3qCs
+-> y`qQqQ*-grease K-
+uoC/
+--- psxc2ttdWjZPh1yijDIrFPs4Mc7naugmqC58dH2UKD4
+4¥S0íRî)x´¬Úb’Ú‘ð¤hì˜W±Záö•·?‚U|ì÷é!qéK¶Œ±ÙŽsö³Û	Ÿßù·^‰]‡ºå)ïªð1§Á®A‚˜>Ù

secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Z9MeFA 5MtkO2R8f6CVXX4c2n3BOiAMzExUSwfm4u+TQIHamEg
+i3SUH1s0UYAUhfZmCkrBw7BN5NTTtQIwGl0ITQht0XM
+-> [[E3wgE-grease xW^ t/4SAoK@
+8dSbS93buyIBRyWFPg
+--- 4ySt+P89sGFFAdDieoRwozA/Hsq+FqA2wWNcMwQ3a74
+ÒTT—UV©+E{ºY…D—LêåM_Ä.ç˜P<CB9C>$y“^<5E>ømOä¦çÍšSÈ(÷S;¯T—úgN<67>ù’®Õí(ìóNÃ	aTšQò

secrets/rekeyed/baxter/5b9aeed25aabf9b5f06ec083278ad21c-02cace87552ceb629ab03cd084eeae6761008fddebed6b75f9a013d122a25030.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 Z9MeFA 2SrMV2OMZdsZPSaxzxfgQF2ukrzRme+Vt4eAcT7dkAs
+QpHJD8cT6DMR1FP1ft57hRCYjZW6aw16cEv61mBqADg
+-> v.`66g}-grease CAkD Ap<g
+BQxsewykSzbTiU+pZmYdy4b0E2I225h0XVUFQ3mMMxHKTznsJhdon86DByrlPIK5
+S6W2AJ/wMHauk8EzHBTWsTiZnvmAk04OpLjxlgfl
+--- xQos1NCssn+gCQMs3fdLeOxgOeLRvsYZlCW9cYRsGFs
+/7}¨rÈÏÞÈ …ŠÄûk(-–N(®ßˆÄÿPfún†¸E›<45>3fLídɆ{Az‚B³ÒÿyS
F³­Œ”8X¹©¨Ty´Ó8
¾9°Puèá

secrets/rekeyed/baxter/611a4946b7c2a4de9aa8f6175cf92d7f-services.ci.master.webhookSecretFile.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Z9MeFA 3AdBBzRTHv35vrflVzH1z/8YV5SJykizTzOtKOgucRI
+eU/l9cWEF9ix2fK8YqqlHuBdJdISERVVZAdRnAXfKFA
+-> Cf*79d-grease
+Mft5A1hDcFzr+nA1uE6kNLlN26I
+--- HkABm597GfKIRwYRHvYV6tCoFeiNN3tAEEgnctlGCo8
+x‹Û^qû©Äcµ73^À—ÃåјNüZHh?½8G²ÜüëöÓ”T½¿«w]y¢£,ªQ³8<C2B3>‚·»<02>ÑHö·ˆÿx¿VG+³Oÿ$y´

secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Z9MeFA EOHfjGuxu4lGCf1BVX4yI6GEULyMjqgijUjozsNxCnk
+9cT0bTKNP73guNnwSmDVn+gSZwnF4Wweq4DlvHdWUkA
+-> )|AUL?-grease +&*1J$ uR@9HO ,nfE ULx2MW"l
+7Z3ZhFGj/dlmd6s1W2AESyALUeslyMrLiVN6X+Uo8w
+--- 2i6p/11kcpcMhZUItUPfqCUp+9ykJq+T4mGg1oYw7gE
+ê‰ë$¶<>Ìw•ã4ØŽ—úrºâõÝÈ}(1h®u‘‡‹e€ÂàÈ&‹æøf³à>í¯Ø4À›0G»\DºÁ.„ú%°âë<Ç&dKØ\·

shells/default/default.nix

@@ -6,10 +6,12 @@
   mkShell,
   reuse,
   deploy-rs,
+  agenix-rekey,
 }:
 mkShell {
   packages = [
     reuse # Used to provide licenses & copyright attribution
     deploy-rs # Used to deploy to our servers
+    agenix-rekey # Used to manage secrets
   ];
 }

systems/x86_64-linux/axol/default.nix

@@ -6,13 +6,17 @@
 # 137.184.177.239
 {
   pkgs,
+  lib,
   modulesPath,
+  config,
   ...
 }: {
   imports = [
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
   ];
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX";
+
   boot.loader.grub.enable = true;
 
   virtualisation.digitalOcean.rebuildFromUserData = false;
@@ -47,5 +51,29 @@
     };
   };
 
+  clicks.services.headscale = {
+    enable = true;
+    domain = "vpn.auxolotl.org";
+    database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;
+  };
+
+  clicks.networking.tailscale = {
+    enable = true;
+    server = "vpn.auxolotl.org";
+    authKeyFile = config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
+  };
+
+  age.secrets."clicks.services.headscale.database_password_path" = {
+    generator.script = "alnum";
+    group = "headscale";
+    mode = "0440"; # Needed to allow headscale group to read
+    unstableName = true; # Clicks option to base the name on a hash of the contents ... helps with autorestarting services
+  };
+
+  age.secrets."clicks.networking.tailscale.authKeyFile" = {
+    rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
+    unstableName = true;
+  };
+
   system.stateVersion = "23.11";
 }

systems/x86_64-linux/baxter/default.nix

@@ -7,12 +7,15 @@
 {
   pkgs,
   modulesPath,
+  config,
   ...
 }: {
   imports = [
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
   ];
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
+
   boot.loader.grub.enable = true;
 
   virtualisation.digitalOcean.rebuildFromUserData = false;
@@ -43,8 +46,60 @@
     services = {
       ssh.enable = true;
       forge.enable = true;
+
+      ci = {
+        master = {
+          enable = true;
+
+          tokenFile = config.age.secrets."services.ci.master.tokenFile".path;
+          webhookSecretFile = config.age.secrets."services.ci.master.webhookSecretFile".path;
+          oauth = {
+            clientId = "76e70591-79a6-4a2f-8319-317f46800519";
+            clientSecretFile = config.age.secrets."services.ci.master.oauth.clientSecretFile".path;
+          };
+
+          workersFile = config.age.secrets."services.ci.master.workersFile.json".path;
+        };
+        worker = {
+          enable = true;
+          workerPasswordFile = config.age.secrets."services.ci.worker.workerPasswordFile".path;
+        };
+      };
     };
   };
 
+  clicks.networking.tailscale = {
+    enable = true;
+    server = "vpn.auxolotl.org";
+    authKeyFile = config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
+  };
+
+  age.secrets."clicks.networking.tailscale.authKeyFile" = {
+    rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
+    unstableName = true;
+  };
+
+  age.secrets."services.ci.master.tokenFile" = {
+    rekeyFile = ./services.ci.master.tokenFile.age;
+    group = "buildbot";
+  };
+  age.secrets."services.ci.master.webhookSecretFile" = {
+    generator.script = "alnum";
+    group = "buildbot";
+  };
+  age.secrets."services.ci.master.oauth.clientSecretFile" = {
+    rekeyFile = ./services.ci.master.oauth.clientSecretFile.age;
+    group = "buildbot";
+  };
+  age.secrets."services.ci.master.workersFile.json" = {
+    rekeyFile = ./services.ci.master.workersFile.json.age;
+    group = "buildbot";
+  };
+
+  age.secrets."services.ci.worker.workerPasswordFile" = {
+    generator.script = "alnum";
+    group = "buildbot";
+  };
+
   system.stateVersion = "23.11";
 }

systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg A+D0j6/XAOWgbzbOKKNX3IaA0RCZSYG1lWXNL7ErYKjh
+p3kgqbWj5T0D1pbStNRjHpKPbv4sMvrHXDpBk5Ym8LE
+-> piv-p256 Hpt/+Q AgIoOHkn/1EJRoaMHTVR2nO2ub1F2UoRjYaJIpmvXzty
+tGfVG9kUG94wZSwwkFEcJK6ehvaHHUVa1eJBXjyQnW4
+-> piv-p256 zfskmQ AhG7AZlLuJ2JwfojMJIZKAjGlgUgssK2JlsBjcAkdehP
+Yr8a6Cx7S08KBYkbTYoPHAROllXvGsMkS1lKv+3cP4I
+-> D^7VNXi7-grease C !pw j
+nIH+2iyF2LotQqzFroxVIgeFVnvMjYhsO27Egb7UU/zavBgrY2Grc30v3AptjT2j
+I4q23DfwVcU5OYXq4HYHnC4zwKI
+--- XOlDFARRpwZ/ew4vOTsDt5dkAfTNNfmVKfVB+2fGwHE
+à£ì.a-.=<3D>Ô	cÂ9ò:éP¸<12>ˆ7d96œ 1	b<>;2ÿ4f××!ŽnCFùŽÉjÒJ–m‡×«rˆöwëÛtµ<74>%áðëFþ{QÖI¾ ½

systems/x86_64-linux/baxter/services.ci.master.tokenFile.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg Ags6YIwJfw361Tg6pfdxGUZDDegofZk+xIPWpEbSps02
+oSq4ycmqQjeYrnBDAb1PyK8KnWySOyukcvhS8OXW82A
+-> piv-p256 Hpt/+Q AgvQ2nuF4CELPs7L9OJEeoXk2TpPLNWkQ8TYrZIyJiZ3
+KFkj1om15tbZVCM1zmG7/zjhJSGwRDSP5wfB+9HuBP4
+-> piv-p256 zfskmQ A551KXlyYGw0E4X3VUSnyPEdXdEIcQBoLFbf4yoc2pEF
+JEheQDNOFweKrO8AfKyS2acuzpN77g/qwdHJzWXzUew
+-> 6U;sLGZs-grease 6
+Ug2KSn6pQ5KWyTb7A3l/dN3G8C9v3QlJp4PXzw
+--- 8jZf5hxeOQO2fk9vafkEkpAlHEXKO/EZIrP0YkLkI+4
+ãÏ(K¦wÂk`Þ<>.Qv{q
<©¿á|rÉDàIoÏ®nZQšÌl§<6C>Ìjû#ü46lZ"ŠÉÁ¨ž®UF2ŒY²!ÁÄÎ

systems/x86_64-linux/codex/default.nix

@@ -0,0 +1,104 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# codex
+# 64.23.153.98
+{ pkgs
+, modulesPath
+, config
+, lib
+, ...
+}: {
+  imports = [
+    (modulesPath + "/virtualisation/digital-ocean-config.nix")
+  ];
+
+  boot.loader.grub.enable = true;
+
+  virtualisation.digitalOcean.rebuildFromUserData = false;
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  environment.systemPackages = with pkgs; [
+    neovim
+  ];
+
+  auxolotl = {
+    nix.enable = true;
+
+    users.infra.enable = true;
+
+    security = {
+      doas.enable = true;
+
+      acme = {
+        enable = true;
+        email = "jake.hamilton@hey.com";
+      };
+    };
+
+    services = {
+      ssh.enable = true;
+    };
+  };
+
+  services = {
+    # Discourse 3.2.5 is intended to be used with PostgreSQL 13. If the Discourse package
+    # is updated, you may want to remove this line.
+    postgresql.package = pkgs.postgresql_13;
+
+    discourse = {
+      enable = true;
+      hostname = "forum.auxolotl.org";
+
+      admin = {
+        # We only want to create the admin account on the initial deployment. Now that one
+        # exists, we can skip this step.
+        skipCreate = true;
+
+        email = "jake.hamilton@hey.com";
+        username = "admin";
+        fullName = "Administrator";
+        passwordFile = "/var/lib/secrets/discourse-admin-password";
+      };
+
+      mail = {
+        # TODO: @minion needs to add an age secret here :)
+      };
+
+      plugins = with config.services.discourse.package.plugins; [
+        discourse-canned-replies
+        discourse-checklist
+        discourse-assign
+        discourse-voting
+        discourse-spoiler-alert
+        discourse-solved
+      ];
+    };
+
+    nginx = {
+      enable = true;
+
+      virtualHosts = {
+        "aux.computer" = {
+          enableACME = true;
+          forceSSL = true;
+          globalRedirect = "auxolotl.org";
+          redirectCode = 308;
+        };
+        "forum.aux.computer" = {
+          enableACME = true;
+          forceSSL = true;
+          globalRedirect = "forum.auxolotl.org";
+          redirectCode = 308;
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "23.11";
+}