diff --git a/.sops.yaml b/.sops.yaml
index 1e82b33f..87c30cf0 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -20,7 +20,7 @@ keys:
 - &build3 age1q7c2wlrpj0dvthdg7v9j4jmee0kzda8ggtp4nq8jay9u4catee3sn9pa0w
 - &hetzarm age1ppunea05ue028qezt9rvhp59dgcskkleetyjpqtxzea7vtp4ppfqh7ltuy
 - &ghaf-log age15kk5q4u68pfsy5auzah6klsdk6p50jnkr986u7vpzfrnj30pz4ssq7wnud
- - &ghaf-coverity age172azvwv5vne79mqfhvdvk9j95gn5v04uk9t3fjdfe5p7dv7kucvqpygxkx
+ - &ghaf-coverity age1z825k99myjmfcml86pujcmtj96psvj8c3m08me8kkq03tkpwy9xql4jt9y
 - &ghaf-webserver age1f643hcr8xvzm6fha93xhn6dw552tfd6zvu7eulxk7vedgt09d9ysljsayq
 - &ghaf-proxy age1sv50w7ydcqxxng4nfpvretqhusfkjewtrzpu4006z685xgplha2sa9tv9v
@@ -74,6 +74,7 @@ creation_rules:
 - age:
 - *ghaf-coverity
 - *jrautiola
+ - *fayad
 - path_regex: hosts/ghaf-proxy/secrets.yaml$
 key_groups:
 - age:
diff --git a/hosts/ghaf-coverity/configuration.nix b/hosts/ghaf-coverity/configuration.nix
index 5e83ca6f..fc8aaa2c 100644
--- a/hosts/ghaf-coverity/configuration.nix
+++ b/hosts/ghaf-coverity/configuration.nix
@@ -5,8 +5,12 @@
 inputs,
 modulesPath,
 lib,
+ pkgs,
 ...
 }:
+let
+ coverity = pkgs.callPackage ../../pkgs/coverity/default.nix { };
+in
 {
 sops.defaultSopsFile = ./secrets.yaml;
@@ -30,6 +34,14 @@
 nixpkgs.hostPlatform = "x86_64-linux";
 hardware.enableRedistributableFirmware = true;
+ environment.systemPackages = with pkgs; [
+ coverity
+ emacs
+ meson
+ ninja
+ gcc
+ nix-index
+ ];
 networking = {
 hostName = "ghaf-coverity";
diff --git a/hosts/ghaf-coverity/disk-config.nix b/hosts/ghaf-coverity/disk-config.nix
index ae0e640d..ca155780 100644
--- a/hosts/ghaf-coverity/disk-config.nix
+++ b/hosts/ghaf-coverity/disk-config.nix
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 {
 disko.devices.disk.os = {
- device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_52101387";
+ device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_53714277";
 type = "disk";
 content = {
 type = "gpt";
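Review bot: Swapping the `&ghaf-coverity` recipient under `keys:` only changes who can decrypt future revisions; every earlier revision of `hosts/ghaf-coverity/secrets.yaml` in git history stays decryptable with the old host key. If the old host is being retired, its key material should be destroyed, and any secret value carried over unchanged should be regenerated rather than just re-encrypted; the diff does not show whether `ssh_host_ed25519_key` holds a new value. A short comment beside the anchor recording why the key changed, for example `# replaced when the host was re-provisioned`, would help the next audit.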
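Review bot: Adding `*fayad` to the key group for the ghaf-coverity secrets in `creation_rules:` gives that personal key read access to everything in the file, including the host's SSH private key, so the grant should be deliberate and removed again if it is only needed for bring-up. The `&fayad` anchor itself is defined outside this hunk; confirm it exists under `keys:`, since an alias without an anchor makes the file fail to parse.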
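Review bot: In `environment.systemPackages = with pkgs; [ coverity ... ]` the name `coverity` resolves to the `let` binding added at the top of the file, not to anything in `pkgs`, only because lexical bindings take precedence over `with`; that is easy to misread. A comment such as `# coverity: local package from ../../pkgs/coverity, not from nixpkgs` above the entry would make it explicit. The package is marked `licenses.unfree`, so this host also needs an unfree allowance that the hunk does not show. The attribute set continues outside the hunk.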
diff --git a/hosts/ghaf-coverity/secrets.yaml b/hosts/ghaf-coverity/secrets.yaml
index 0493200d..dbdfdba7 100644
--- a/hosts/ghaf-coverity/secrets.yaml
+++ b/hosts/ghaf-coverity/secrets.yaml
@@ -1,30 +1,39 @@ -ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:pw443wskOHT5z8jS0wV+D4FgqVkhESa4TQqjKB1LjT8=,tag:L+ntfxoM8WLmwbI8OVo8jw==,type:str] +ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:dlg6VLNBUgD7I9dsalaDkZSwaacPDkd8GraM/xBPTow=,tag:/7V8JCGBmForB2KUz+Aw9w==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age172azvwv5vne79mqfhvdvk9j95gn5v04uk9t3fjdfe5p7dv7kucvqpygxkx + - recipient: age1z825k99myjmfcml86pujcmtj96psvj8c3m08me8kkq03tkpwy9xql4jt9y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY0Rxa0hJTXBpaGhQME9w - SzZTdHlrVFFaeVhDTUxzYjB1VHIxNUhLSWdnCkxxY2Jpd0cvTWFTOFJCQkZQNHFu - K3RwY3dDKy9DL3g2TWIxT1BVYlhPalUKLS0tIFhNd3Rpc3BKRVdSSnJiTHFKTkFm - UXB3eVI2cUNacm4xWnltc2pxTFFIalkK4LMlFdwqjggE05rPQdxMfpDP0ezCWsQI - wbR72DGVQcr901mmpIryE3qY6ACkBLF8r5pJOtIa2PxYXcnOFkPfYQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUEZGNExLdURCcnpKT05y + OVFpNml0YjV3bUpPQ2V6SVIvajZDOWxSNURjClBDNlJ1VmtyY0ZmZ2hpb3ZxbGNI + M0NqL2pkNjFVMXdzbnZSNVlvZXZLUUUKLS0tIENzV2hhWGdQemRrbVpaZUwydzhq + SFh1OVpXWFRxc3VLZTdHU2xKVFN0cFEKwHfcKV8xp8D5qHyo3KeAQ9wUiQjUqokX + u6MKaIvEVgQ9tp0sQnR8vtxscp5v1/ioHmwJaSs3r74Yn+YHgakZFA== -----END AGE ENCRYPTED FILE----- - recipient: age1hszrldafdz09hzze4lgq58r0r66p4sjftn6q8z6h0leer77jhf4qd9vu9v enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUXdBeWVzYXB5NE1EN01P - aWhVSVhlUFpPRGEwMWdrUkd5UlBNYklqUEd3ClBTVWRER1pkRFpzOC9nTlkwUGNz - b2pvdG5oZnVzMDdlcUp0ZCtLbXJ0Y2sKLS0tIDMrKzY2MWI4QVlsUWxzd1ZwNFdw - U1p2c2FVRVk1Tlh5bjR2bWxhUnVTQkEKmAtSSrPdSBVQB5tMIQvgljqxb9Hd8WV8 - c//R9nH5xcwIUqU9V0XDRqtF/g4zTEbw/NvnUcFy36qko4DBxl05+A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLb1l6OTRMcGwvZXJ5WDhG + aEhHZHoxeGdsMktpSDRVb2F6d0o4RisvTVRNCldJSXltRzNHNkV1YnlhZnNLRmU2 + YzRhalEvT0VmTURZOEFNalBxeFc0UHcKLS0tIGNTV3FvL3ZabCtxcGhxLzhIVzRO + 
NngrallCbTZNdW85NVJwQXN1V1hIaTgK9LV8OaTBCchuxyNz/1Qux9mw1u3PP+mI + lhvgIaIaiUa7TSNDjrPdj0dx3miWWWQb49ku6r9zKr1IogQzyW6aAw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-11T11:38:32Z" - mac: ENC[AES256_GCM,data:r/7H97Vxzom8vK3DMp+BaVASCoDefCY4JOVyTYAI8jIfOpPGkFm1sB4LgmcYM+u2aqqxyD5z3J9Ytg812gzuRK03BXhm3rVLbg7DonagBdkbEZvw2vXF8qrplvRJFOYsHRSIa3Gyqiyz0J9542SzdMnIJ0yRVcy902rQS9AeMfg=,iv:Ab+AGKlTESd48qXxiPFWcmM4s2RCqhjjIFdETCYt0bw=,tag:tqzzvzKWACkS6MRvexLe6Q==,type:str] + - recipient: age18t3gss4l6l629rd8s93eh3ctycu9vjnsftehy38c8tstu2gqycxs64t4sw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMTF4QW9KQkp3bDJiSUcw + eDZBVDNEVmI5cTh3VytlUXdWcUw0bHFFNmc0Ckx0M01WSHlGMW1SOGV2VGx4VDhN + Ulk0cGxTMFRGZEUydU5WNkdWYVJwbTAKLS0tIGpYVG45R3FwYzZqeWhSbVdiaExR + NFVtTVo1bVVaTVArOEIxczcreDlvNWsKKejdCZQu8gTgOxg6SeAhc7Z32FDF2PnA + 6v+weMlyfHLKpCYLf6XJ+kx+tTynQZ6LE24aXQYqeGqnOlE35sATOw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-23T12:43:55Z" + mac: ENC[AES256_GCM,data:lJ9e/flUsu6QWTLw629+IFz05xGIK2RZc3lZYcHovz/yTTXrToWWF3SeObcQdroZk73v62sT3V5BCSLAxkyk7RRqhCO+cXdwpAVN2loDwY1xc8wCNBGw63vK1sEQQEji05ze0ftpr45Qhreor+2edPrYPzRrGyt08TeX6HnoX/Y=,iv:iheHyL5AA+m8TgM+5hdNm6wbUh+NPAkCntdQpxjFpi8=,tag:rvaULYObpUkDccDdRgx9Iw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nix/deployments.nix b/nix/deployments.nix index c262845d..4ff83753 100644 --- a/nix/deployments.nix +++ b/nix/deployments.nix 
@@ -22,7 +22,7 @@ let
 testagent-dev = mkDeployment "x86_64-linux" "testagent-dev" "172.18.16.33";
 testagent-release = mkDeployment "x86_64-linux" "testagent-release" "172.18.16.32";
 ghaf-log = mkDeployment "x86_64-linux" "ghaf-log" "95.217.177.197";
- ghaf-coverity = mkDeployment "x86_64-linux" "ghaf-coverity" "37.27.204.82";
+ ghaf-coverity = mkDeployment "x86_64-linux" "ghaf-coverity" "135.181.103.32";
 ghaf-proxy = mkDeployment "x86_64-linux" "ghaf-proxy" "95.216.200.85";
 ghaf-webserver = mkDeployment "x86_64-linux" "ghaf-webserver" "37.27.204.82";
 };
diff --git a/pkgs/coverity/default.nix b/pkgs/coverity/default.nix
new file mode 100644
index 00000000..f3267b61
--- /dev/null
+++ b/pkgs/coverity/default.nix
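Review bot: The address of `ghaf-coverity` is hard-coded twice, here in `mkDeployment` and in the `TargetHost` entry of `tasks.py`, and the two have to be edited together by hand; a drift would send a deployment or a secrets push to the wrong machine. A comment on this line such as `# keep in sync with TargetHost "ghaf-coverity" in tasks.py` (and the mirror comment there) would at least flag the coupling. The context also shows `ghaf-webserver` still on `37.27.204.82`, the address `ghaf-coverity` had before this change, so it is worth confirming that value is the intended one. The `let` block starts and ends outside the hunk.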
@@ -0,0 +1,68 @@
+# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ stdenv,
+ lib,
+ autoPatchelfHook,
+ fetchurl,
+ curl,
+ systemd,
+ zlib,
+ xorg,
+ alsaLib,
+ libxcrypt-legacy,
+ ...
+}:
+stdenv.mkDerivation {
+ pname = "coverity";
+ version = "2411.6";
+
+ src = fetchurl {
+ url = "https://archive.ssrcdevops.tii.ae/ghaf/cov-analysis.tar.gz";
+ hash = "sha256-Y6DvakNzl+FVZjPq+X/R0RQ9SMzyztZlA/yD0slPG7M=";
+ };
+
+ nativeBuildInputs = [ autoPatchelfHook ];
+ buildInputs = [
+ # libudev
+ (lib.getLib systemd)
+ # libstdc++.so libgcc_s.so
+ stdenv.cc.cc.lib
+ # libcurl.so.4
+ curl
+ # libz.so.1
+ zlib
+ # libXext.so.6
+ xorg.libXext
+ # libX11.so.6
+ xorg.libX11
+ # libXrender.so.1
+ xorg.libXrender
+ # libXtst.so.6
+ xorg.libXtst
+ # libXi.so.6
+ xorg.libXi
+ # libasound2.so.2
+ alsaLib
+ # libcrypt.so.1
+ libxcrypt-legacy
+ ];
+
+ # Unpack the CLI tools.
+ installPhase = ''
+ mkdir -p $out/bin
+ cp -r * $out
+ '';
+
+ meta = with lib; {
+ description = "Coverity Scan Tools";
+ longDescription = ''
+ Coverity tools for code analysis
+ '';
+ homepage = "https://coverity.com";
+ platforms = [ "x86_64-linux" ];
+ license = licenses.unfree;
+ maintainers = with maintainers; [ TII ];
+ mainProgram = "coverity";
+ };
+}
diff --git a/tasks.py b/tasks.py
index 97faf748..d723b6ff 100644
--- a/tasks.py
+++ b/tasks.py
@@ -117,7 +117,7 @@ class TargetHost:
 secretspath="hosts/ghaf-log/secrets.yaml",
 ),
 "ghaf-coverity": TargetHost(
- hostname="37.27.204.82",
+ hostname="135.181.103.32",
 nixosconfig="ghaf-coverity",
 secretspath="hosts/ghaf-coverity/secrets.yaml",
 ),
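Review bot: `src` fetches an unversioned `cov-analysis.tar.gz` while `version` says `2411.6`; the `hash` pins integrity, but nothing ties the archive to that version and a re-upload under the same name breaks the build, so the file name on the archive host should carry the version. `installPhase` replaces the default without `runHook preInstall` / `runHook postInstall`, which are worth adding as its first and last lines. `mainProgram = "coverity"` is not backed by anything visible, since the phase only creates `$out/bin` and copies the archive contents into `$out`; confirm the tarball really ships a `bin/coverity`. `alsaLib` is, as far as I know, a deprecated alias of `alsa-lib` in nixpkgs, so the argument and the `buildInputs` entry are safer spelled `alsa-lib`.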