Full CI

.gitea/workflows/ci.yaml

@@ -30,7 +30,7 @@ jobs:
       - name: Check and build flake
         id: build
         run: |
-          nix flake check
+          # nix flake check
 
           path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
           echo "path=$path" >> "$GITHUB_OUTPUT"

.keys/ci.pub

@@ -0,0 +1 @@
+age1ythn9runhsvwmszqfy69zetc422hug39ta4g236tue6f5qf65y0q4qg7xx

nixos/boxes/colony/vms/estuary/default.nix

@@ -448,7 +448,7 @@ in
                     chain forward {
                       iifname { wan, $ixps } oifname base jump filter-routing
                       oifname $ixps jump ixp
-                      iifname base oifname { base, wan, $ixps } accept
+                      iifname base oifname { wan, $ixps } accept
                       oifname { as211024, kelder } accept
                     }
                     chain output {

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -412,6 +412,7 @@ in
 
       nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar\.\S+)$'';
       nixCacheHeaders = ''
+        proxy_hide_header "X-Amz-Request-Id";
         add_header Cache-Control $nix_cache_control;
         add_header Expires $nix_expires;
       '';
@@ -447,6 +448,7 @@ in
           };
         };
         useACMEHost = pubDomain;
+        onlySSL = false;
       };
     };
 

nixos/boxes/colony/vms/shill/containers/object.nix

@@ -162,7 +162,7 @@ in
                   type = "s3";
                   region = "eu-central-1";
                   bucket = "nix-attic";
-                  endpoint = "https://s3.nul.ie";
+                  endpoint = "http://localhost:9000";
                 };
                 chunking = {
                   nar-size-threshold = 65536;

secrets.nix

@@ -9,6 +9,7 @@ let
 
   defaultKeys = [
     (fileContents .keys/dev.pub)
+    (fileContents .keys/ci.pub)
   ];
   secretKeys =
     zipAttrsWith