From e4384e10e94bc01507834568f2dfb4bd8255311f Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 10 Dec 2021 09:55:47 +0100
Subject: pkgs.generate-krebs-intermediate-ca: set vailidy to 1y

---
 krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'krebs')

diff --git a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
index 8cec5432..5055a78a 100644
--- a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
+++ b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
@@ -23,6 +23,7 @@ pkgs.writers.writeDashBin "generate-intermediate-ca" ''
 
   ${pkgs.step-cli}/bin/step certificate create "Krebs ACME CA" intermediate_ca.crt intermediate_ca.key \
     --template "$TMPDIR/intermediate.tpl" \
+    --not-after 8760h \
     --ca "$TMPDIR/krebs/ca.crt" \
     --ca-key "$TMPDIR/krebs/ca.key" \
     --no-password --insecure
-- 
cgit v1.2.3


From 6d3ea779b6d6114120bd5d2510ca5870c3012e0c Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 10 Dec 2021 09:56:02 +0100
Subject: rotate krebsAcmeCA.crt

---
 krebs/6assets/krebsAcmeCA.crt | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

(limited to 'krebs')

diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt
index 54729e25..1cd5aed0 100644
--- a/krebs/6assets/krebsAcmeCA.crt
+++ b/krebs/6assets/krebsAcmeCA.crt
@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICWzCCAcSgAwIBAgIQVavHn7XtM7NJ8bnph6hGoTANBgkqhkiG9w0BAQsFADCB
+MIICWTCCAcKgAwIBAgIQbAfVX2J0VIzhEYSPVAB4SzANBgkqhkiG9w0BAQsFADCB
 gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
 YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
-hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMDgxNTU5
-MDRaFw0yMTEyMDkxNTU5MDRaMBoxGDAWBgNVBAMTD0tyZWJzIEFDTUUgQ0EgMTBZ
-MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDOK4g3pJPhOErk49zQgpNKE1cAyoeLp
-PqWXkHZVLIVg8CBzPyCYiHS8RtaJ1kwWxwo5OTypCDOLxf1isR5HgZOjgYAwfjAO
-BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUv758
-A4RPewsRtgjdB6AE1tn632swHwYDVR0jBBgwFoAUinqtNfqwMKe8gF8M5cGQaNxB
-lS8wGAYDVR0eAQH/BA4wDKAKMAOCAXIwA4IBdzANBgkqhkiG9w0BAQsFAAOBgQAT
-ewOSGWGTCWcJFGSxgnt8/WspMERq1hL1PikwwVMp7wzJmbHcbA0Es4fcrE5Xf8vQ
-dGenlvyQjkQNahbsyGBoja7bpWpnw9qofLQkns1AZWp7q7GBqyKm30keM/E/stjH
-YkgY4QaxlIL+6N0f4nKL3RSf6GQ1hWJOHf+RrboaMw==
+hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMTAwODQ5
+MDZaFw0yMjEyMTAwODQ5MDZaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAATL8dNO7ajNe60Km7wHrG06tCUj5kQKWsrQ
+Ay7KX8zO+RwQpYhd/i4bqpeGkGWh8uHLZ+164FlZaLgHO10DRja5o4GAMH4wDgYD
+VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFMt9yJED
+mPRhXsrNZ0x+GtzjdnTLMB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
+MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEANo/2
+teIuEsniwxVdqu+ukjqOXHIkBK7F91+G7BuDjBlx2U96v1MwsmT4D9upajERnOOD
+tLx990Sj4t3avRTpytt+qLeIMIxt62YksUXVjDWndqaDcEUat5ZVEQsZ0ZmjOHrA
+BaB65eU0xhJWKAZdk55GqHEFz3Ym4rx7WUaomzk=
 -----END CERTIFICATE-----
-- 
cgit v1.2.3


From 9841e402e2692a6eb37d5a5b89a53474168af590 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 10 Dec 2021 10:13:49 +0100
Subject: wiki.r: listen on localhost, fix http redirect

---
 krebs/2configs/wiki.nix | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'krebs')

diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index e7faca1f..aa694826 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -29,6 +29,7 @@ in
 {
   services.gollum = {
     enable = true;
+    address = "::";
     extraConfig = ''
       Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
         system('${pushCgit}')
@@ -45,12 +46,13 @@ in
     virtualHosts."wiki.r" = {
       enableACME = true;
       addSSL = true;
-      locations."/".extraConfig = ''
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_set_header Host $host;
-        proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
-      '';
+      locations."/" = {
+        proxyPass = "http://[::]:${toString config.services.gollum.port}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
     };
   };
 
-- 
cgit v1.2.3


From 6b59b7972a901dcbb3cb5c1aeac4616a5a94ba7b Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 10 Dec 2021 18:09:44 +0100
Subject: wiki: listen gollum on localhost only

---
 krebs/2configs/wiki.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'krebs')

diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index aa694826..40d946f7 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -29,7 +29,7 @@ in
 {
   services.gollum = {
     enable = true;
-    address = "::";
+    address = "::1";
     extraConfig = ''
       Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
         system('${pushCgit}')
@@ -47,7 +47,7 @@ in
       enableACME = true;
       addSSL = true;
       locations."/" = {
-        proxyPass = "http://[::]:${toString config.services.gollum.port}";
+        proxyPass = "http://[::1]:${toString config.services.gollum.port}";
         proxyWebsockets = true;
         extraConfig = ''
           proxy_set_header Host $host;
-- 
cgit v1.2.3


From f2533d88924feb48834a07c4dc1e82cd21acd025 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 11 Dec 2021 12:00:36 +0100
Subject: ci: add gcroots for successful builds

---
 krebs/3modules/ci.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'krebs')

diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index bb941a1f..822dbab6 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -108,8 +108,21 @@ let
                     # create a ShellCommand for each stage and add them to the build
                     stages = self.extract_stages(self.observer.getStdout())
                     self.build.addStepsAfterCurrentStep([
-                        steps.ShellCommand(name=stage, command=[stages[stage]])
-                        for stage in stages
+                        steps.ShellCommand(
+                          name=stage,
+                          env=dict(
+                            build_name = stage,
+                            build_script = stages[stage],
+                          ),
+                          command="${pkgs.writeDash "build.sh" ''
+                            set -xefu
+                            profile=${shell.escape profileRoot}/$build_name
+                            result=$("$build_script")
+                            if [ -n "$result" ]; then
+                              ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+                            fi
+                          ''}",
+                        ) for stage in stages
                     ])
 
                 return result
-- 
cgit v1.2.3