fix: raise Parrhesia sync read pool

Live mixed-provider supertest runs showed control-lane SYNC-PAGE handlers timing out while waiting for Parrhesia DB read connections under catch-up load. Set larger Parrhesia main/read pool sizes in the Tribes service environment so sync-page queries can proceed concurrently during node joins.

.guix-authorizations

@@ -5,4 +5,6 @@
  (version 0)
 
  (("6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3"
-   (name "steffen"))))
+   (name "steffen"))  ("F29B A6DA 96E5 EC29 FDDE D994 8F4F 75B3 B19D 4784"
+   (name "tribes-supertest-dev"))
+))

.supertest-dev-sync.json

@@ -0,0 +1,7 @@
+{
+   "mode" : "tree-sync",
+   "previous_dev_commit" : "593745da5e4135abc63956442e853dd2643e46ae",
+   "source_branch" : "origin/master",
+   "source_commit" : "54f23bc863ebef8173faf2aaf21801050e09fb53",
+   "synced_at" : "2026-06-09T07:43:46Z"
+}

manifests/sources.scm

@@ -1,54 +0,0 @@
-;;; Manifest of upstream source origins for every package defined by the
-;;; tribes channel.  Consumed by Cuirass's `manifests' build type as a
-;;; network-bound canary: fast-fails when an upstream URL or commit ref
-;;; becomes unreachable, without depending on any actual package build.
-
-(define-module (manifests sources)
-  #:use-module (gnu packages)
-  #:use-module (guix discovery)
-  #:use-module (guix packages)
-  #:use-module (guix profiles)
-  #:use-module (ice-9 match)
-  #:use-module (ice-9 vlist)
-  #:use-module (srfi srfi-1)
-  #:use-module (srfi srfi-26)
-  #:export (sources-manifest))
-
-(define (channel-module-path prefix)
-  (delete-duplicates
-   (filter-map (lambda (dir)
-                 (let ((path (string-append dir "/" prefix)))
-                   (and (file-exists? path) (cons dir prefix))))
-               %load-path)
-   equal?))
-
-(define (channel-packages)
-  (fold-packages cons '()
-                 (append (all-modules (channel-module-path "tribes/packages"))
-                         (all-modules (channel-module-path "nbde/packages")))))
-
-(define (upstream-origin source)
-  (origin (inherit source) (snippet #f) (patches '())))
-
-(define (channel-origins)
-  (let loop ((packages (channel-packages))
-             (origins '())
-             (visited vlist-null))
-    (match packages
-      ((head . tail)
-       (let ((new (remove (cut vhash-assq <> visited)
-                          (package-direct-sources head))))
-         (loop tail (append new origins)
-               (fold (cut vhash-consq <> #t <>)
-                     visited new))))
-      (() origins))))
-
-(define sources-manifest
-  (manifest (map (lambda (origin)
-                   (manifest-entry
-                    (name (or (origin-actual-file-name origin) "origin"))
-                    (version "0")
-                    (item (upstream-origin origin))))
-                 (channel-origins))))
-
-sources-manifest

manifests/substitutes/base.scm

@@ -0,0 +1,49 @@
+(define-module (manifests substitutes base)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages elixir)
+  #:use-module (gnu packages erlang)
+  #:use-module (guix profiles)
+  #:use-module (nbde packages crypto)
+  #:use-module (tribes packages terminals)
+  #:export (base-manifest))
+
+(define %base-specifications
+  '("bash-minimal"
+    "coreutils"
+    "diffutils"
+    "findutils"
+    "gawk"
+    "grep"
+    "gzip"
+    "inetutils"
+    "iproute2"
+    "less"
+    "nss-certs"
+    "openssh"
+    "postgresql"
+    "procps"
+    "rsync"
+    "sed"
+    "tar"
+    "which"
+    "xz"
+    "cryptsetup"
+    "dosfstools"
+    "e2fsprogs"
+    "gptfdisk"
+    "kmod"
+    "parted"
+    "util-linux"))
+
+(define base-manifest
+  (packages->manifest
+   (append (map specification->package %base-specifications)
+           (list clevis
+                 tang
+                 luksmeta
+                 erlang
+                 elixir
+                 elixir-hex
+                 ghostty-terminfo))))
+
+base-manifest

manifests/substitutes/installer.scm

@@ -0,0 +1,48 @@
+(define-module (manifests substitutes installer)
+  #:use-module (gnu packages)
+  #:use-module (guix profiles)
+  #:use-module (nbde packages crypto)
+  #:export (installer-manifest))
+
+(define %installer-specifications
+  '("bash-minimal"
+    "coreutils"
+    "diffutils"
+    "findutils"
+    "gawk"
+    "git-minimal"
+    "grep"
+    "gzip"
+    "guix"
+    "inetutils"
+    "iproute2"
+    "kexec-tools"
+    "less"
+    "curl"
+    "nss-certs"
+    "procps"
+    "rsync"
+    "sed"
+    "tar"
+    "which"
+    "zstd"
+    "xz"
+    "console-setup"
+    "cryptsetup"
+    "dosfstools"
+    "grub-efi"
+    "grub-pc"
+    "mdadm"
+    "e2fsprogs"
+    "gptfdisk"
+    "kmod"
+    "parted"
+    "util-linux"))
+
+(define installer-manifest
+  (packages->manifest
+   (append (map specification->package %installer-specifications)
+           (list clevis
+                 luksmeta))))
+
+installer-manifest

manifests/substitutes/tribes-node.scm

@@ -0,0 +1,60 @@
+(define-module (manifests substitutes tribes-node)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages elixir)
+  #:use-module (gnu packages erlang)
+  #:use-module (gnu packages monitoring)
+  #:use-module (guix profiles)
+  #:use-module (tribes packages monitoring)
+  #:use-module (tribes packages source)
+  #:use-module (tribes packages terminals)
+  #:use-module (tribes packages web)
+  #:use-module (tribes plugins registry)
+  #:export (tribes-node-manifest
+            make-tribes-node-manifest))
+
+(define %tribes-node-specifications
+  '("nss-certs"
+    "openssh"
+    "postgresql"
+    "rsync"
+    "ripgrep"
+    "fd"
+    "tmux"
+    "neovim"
+    "btop"))
+
+(define (getenv/default name default)
+  (or (getenv name) default))
+
+(define (tribes-node-package)
+  (let ((source-directory (getenv "TRIBES_SOURCE_DIRECTORY")))
+    (if source-directory
+        (local-tribes-package
+         source-directory
+         #:version (getenv/default "TRIBES_RELEASE_VERSION" "dev")
+         #:mix-deps-sha256 (getenv "TRIBES_MIX_DEPS_SHA256")
+         #:raw-mix-deps-sha256 (getenv "TRIBES_RAW_MIX_DEPS_SHA256")
+         #:npm-deps-sha256 (getenv "TRIBES_NPM_DEPS_SHA256"))
+        tribes-package)))
+
+(define (make-tribes-node-manifest)
+  (packages->manifest
+   (append
+    (map specification->package %tribes-node-specifications)
+    (list erlang
+          elixir
+          elixir-hex
+          ghostty-terminfo
+          haproxy
+          vinyl
+          lego
+          prometheus-node-exporter
+          victoriametrics
+          vinyl-exporter
+          (tribes-node-package))
+    (guix-tribes-plugin-substitute-packages))))
+
+(define tribes-node-manifest
+  (make-tribes-node-manifest))
+
+tribes-node-manifest

nbde/system/build-host-kexec-installer.scm

@@ -55,10 +55,7 @@
          util-linux)))
 
 (define %build-host-kexec-initrd-modules
-  '(;; Common block/storage basics.
-    "ahci"
-    "ata_piix"
-    "cdrom"
+  '("ahci"
     "dm-crypt"
     "fat"
     "loop"
@@ -67,19 +64,13 @@
     "nvme"
     "overlay"
     "sd_mod"
-    "sr_mod"
     "squashfs"
     "vfat"
-
-    ;; KVM/QEMU and common emulated or non-virtio NICs.
     "virtio_blk"
     "virtio_console"
     "virtio_net"
     "virtio_pci"
-    "virtio_scsi"
-    "e1000"
-    "e1000e"
-    "r8169"))
+    "virtio_scsi"))
 
 (define build-host-kexec-installer-os
   (operating-system
@@ -92,11 +83,10 @@
     (initrd-modules %build-host-kexec-initrd-modules)
     (initrd kexec-installer-initrd)
     (kernel-arguments
-     '("console=tty0"
-       "console=ttyS0,115200n8"
+     '("console=ttyS0,115200n8"
        "net.ifnames=0"
        "panic=30"
-       "loglevel=6"))
+       "loglevel=4"))
     (bootloader
      (bootloader-configuration
       (bootloader grub-bootloader)

pins/base-channels.sexp

@@ -1,10 +1,10 @@
 (list (channel
         (name 'guix)
         (url "https://git.teralink.net/tribes/guix-fork.git")
-        (branch "feature/substitute-read-timeout")
-        ;; guix-fork feature/substitute-read-timeout
+        (branch "refactor/substituter-trace-framing")
+        ;; guix-fork refactor/substituter-trace-framing
         (commit
-          "4574af27f27c7a5d2dc4d4823ef4518a392dc973")
+          "8514f9c1a98468c044e8b5f65e4a90d097a63a47")
         (introduction
           (make-channel-introduction
             "093f27dde01cdbda68f2ec4b81e5a34ae180aab9"

pins/legion-channels.sexp

@@ -2,10 +2,10 @@
   (channel
     (name 'guix)
     (url "https://git.teralink.net/tribes/guix-fork.git")
-    (branch "feature/substitute-read-timeout")
-    ;; guix-fork feature/substitute-read-timeout
+    (branch "refactor/substituter-trace-framing")
+    ;; guix-fork refactor/substituter-trace-framing
     (commit
-      "4574af27f27c7a5d2dc4d4823ef4518a392dc973")
+      "8514f9c1a98468c044e8b5f65e4a90d097a63a47")
     (introduction
       (make-channel-introduction
         "093f27dde01cdbda68f2ec4b81e5a34ae180aab9"

scripts/build-kexec-image

@@ -109,7 +109,6 @@ load_guix_env
 require_tool guix
 require_tool guile
 require_tool mksquashfs
-require_tool cpio
 require_file "$channels" "channels file"
 require_file "$script_dir/kexec-run" "kexec runner"
 require_file "$root_dir/examples/build-host-kexec-installer.scm" "system file"

scripts/update-base-channels-pin

@@ -7,11 +7,11 @@ base_output="${NBDE_BASE_CHANNELS_OUTPUT:-$root_dir/pins/base-channels.sexp}"
 legion_output="${NBDE_LEGION_CHANNELS_OUTPUT:-$root_dir/pins/legion-channels.sexp}"
 
 fork_url="https://git.teralink.net/tribes/guix-fork.git"
-fork_branch="feature/substitute-read-timeout"
+fork_branch="refactor/substituter-trace-framing"
 fork_introduction_commit="093f27dde01cdbda68f2ec4b81e5a34ae180aab9"
 fork_introduction_signer="6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3"
 fork_checkout="$root_dir/../guix-fork"
-fork_comment="guix-fork feature/substitute-read-timeout"
+fork_comment="guix-fork refactor/substituter-trace-framing"
 
 official_url="https://git.teralink.net/tribes/guix.git"
 official_branch="master"

supertest-dev-B19D4784.key

@@ -0,0 +1,11 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEafMY7xYJKwYBBAHaRw8BAQdAX7Cs0UPcvEpHOwmTDkjNBfeH6/FH6sqKZbRi
+sd3oBCy0U1RyaWJlcyBTdXBlcnRlc3QgRGV2IChBSSBsb2NhbCBkZXZlbG9wbWVu
+dCBrZXkpIDx0cmliZXMtc3VwZXJ0ZXN0LWRldkB0ZXJhbGluay5uZXQ+iJYEExYK
+AD4WIQTym6baluXsKf3e2ZSPT3WzsZ1HhAUCafMY7wIbAwUJAeEzgAULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRCPT3WzsZ1HhMp8AP4gGrPkBoGLKMyubISESFpH
+fnqYUGDGucIoLRvtbl+ULQD/SlC9u/Ek9WSYvsskd0jD09lc2TxBnubl8yRi3bTM
+sA8=
+=JA7U
+-----END PGP PUBLIC KEY BLOCK-----

tests/tribes-system-node.scm

@@ -332,8 +332,6 @@
       (not (contains? text "limited-quic")))
     (test-assert "haproxy logs to syslog-ng"
       (contains? text "log /dev/log local0"))
-    (test-assert "haproxy preserves privileged bind capability for QUIC"
-      (contains? text "setcap cap_net_bind_service"))
     (test-assert "haproxy binds configured certificate"
       (contains? text
                  "bind 0.0.0.0:443 ssl crt /var/lib/lego/tribes/full.pem alpn h2,http/1.1"))

tribes/ci/artifacts-master.scm

@@ -3,25 +3,26 @@
   #:use-module (srfi srfi-1)
   #:export (cuirass-jobs))
 
-;; Publishable artifacts: the debug Docker image and the Sender runtime pack.
-;; Node operating-system closures and bootloader files are warmed by the
-;; dedicated (tribes ci artifacts-substitutes) jobset instead.
 (define (cuirass-jobs store arguments)
   (let ((tribes-commit (arguments->channel-commit arguments 'tribes)))
     (append-map
      (lambda (system)
-       (list (artifact-job store
-                           "tribes-debug-docker"
-                           (lambda ()
-                             (tribes-debug-docker-image
-                              #:image-tag
-                              (if tribes-commit
-                                  (string-append "tribes-guix-debug:"
-                                                 tribes-commit)
-                                  "tribes-guix-debug:latest")))
-                           system)
-             (artifact-job store
-                           "tribes-sender-runtime"
-                           tribes-sender-runtime-pack
-                           system)))
+       (append
+        (list (artifact-job store
+                            "tribes-debug-docker"
+                            (lambda ()
+                              (tribes-debug-docker-image
+                               #:image-tag
+                               (if tribes-commit
+                                   (string-append "tribes-guix-debug:"
+                                                  tribes-commit)
+                                   "tribes-guix-debug:latest")))
+                            system)
+              (artifact-job store
+                            "tribes-sender-runtime"
+                            tribes-sender-runtime-pack
+                            system))
+        (substitute-manifest-jobs store system)
+        (substitute-system-jobs store system)
+        (substitute-file-jobs store system)))
      (arguments->systems arguments))))

tribes/ci/artifacts-substitutes.scm

@@ -1,21 +0,0 @@
-(define-module (tribes ci artifacts-substitutes)
-  #:use-module (tribes ci artifacts)
-  #:use-module (srfi srfi-1)
-  #:export (cuirass-jobs))
-
-;; Warm the substitute mirror with the closures of the real Tribes node
-;; operating-systems and their bootloader files, so deployed nodes pull every
-;; required store path from guix.tribe-one.org during `guix system
-;; init'/reconfigure without depending on upstream availability.  This is the
-;; authoritative substitute set: it is computed from the very operating-systems
-;; nodes materialize, so it cannot drift the way the hand-curated
-;; manifests/substitutes/*.scm package lists did, and it transitively covers
-;; everything the node closure contains -- including the operator toolkit now
-;; carried in the node system profile and the upstream dependencies pulled in
-;; while building the closure.
-(define (cuirass-jobs store arguments)
-  (append-map
-   (lambda (system)
-     (append (substitute-system-jobs store system)
-             (substitute-file-jobs store system)))
-   (arguments->systems arguments)))

tribes/ci/artifacts.scm

@@ -9,7 +9,6 @@
   #:use-module (gnu packages nss)
   #:use-module (gnu system)
   #:use-module (guix build-system gnu)
-  #:use-module (guix channels)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (guix monads)
@@ -18,6 +17,9 @@
   #:use-module (guix scripts pack)
   #:use-module (guix store)
   #:use-module (ice-9 match)
+  #:use-module (manifests substitutes base)
+  #:use-module (manifests substitutes installer)
+  #:use-module (manifests substitutes tribes-node)
   #:use-module (nbde system build-host-kexec-installer)
   #:use-module (srfi srfi-1)
   #:use-module (tribes ci substitutes)
@@ -31,7 +33,7 @@
             artifact-job
             arguments->systems
             arguments->channel-commit
-            substitute-channel-profile-jobs
+            substitute-manifest-jobs
             substitute-system-jobs
             substitute-file-jobs))
 
@@ -171,8 +173,7 @@
                             (file-exists? path))
                    (copy-recursively path
                                      (string-append squashfs-root "/"
-                                                    (basename path))
-                                     #:keep-mtime? #t)))
+                                                    (basename path)))))
                (delete-duplicates
                 (append (list system boot-path)
                         (read-lines "system-graph"))))
@@ -248,55 +249,10 @@
     (repository
      (repository-field 'commit repository))))
 
-(define (arguments->channels arguments)
-  (filter-map sexp->channel (or (assoc-ref arguments 'channels) '())))
-
-(define (canonical-time-machine-channel channel)
-  ;; Cuirass passes channel sexps whose URLs point at its pre-fetched
-  ;; /gnu/store checkouts and whose introductions were dropped when Cuirass
-  ;; created channel instances from those checkouts.  That is correct for
-  ;; evaluating custom jobs inside Cuirass, but it does not match the profile
-  ;; computed by `guix time-machine -C channels.scm` on Legion installers,
-  ;; where the channel URLs and introductions come from the public channel
-  ;; file.  Reconstruct those canonical fields while preserving the evaluated
-  ;; commits.
-  (let* ((channel-name* (channel-name channel))
-         (canonical-url (match channel-name*
-                          ('guix "https://git.teralink.net/tribes/guix-fork.git")
-                          ('tribes "https://git.teralink.net/tribes/guix-tribes.git")
-                          (_ (channel-url channel))))
-         (canonical-introduction
-          (or (channel-introduction channel)
-              (match channel-name*
-                ('guix
-                 (make-channel-introduction
-                  "093f27dde01cdbda68f2ec4b81e5a34ae180aab9"
-                  (openpgp-fingerprint
-                   "6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3")))
-                ('tribes
-                 (make-channel-introduction
-                  "607c69a5c1662acca07ad72c3e18646c73500856"
-                  (openpgp-fingerprint
-                   "6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3")))
-                (_ #f)))))
-    ((@@ (guix channels) make-channel)
-     channel-name*
-     canonical-url
-     (channel-branch channel)
-     (channel-commit channel)
-     canonical-introduction
-     #f)))
-
-(define (substitute-channel-profile-jobs store arguments system)
-  (let ((channels (map canonical-time-machine-channel
-                       (arguments->channels arguments))))
-    (if (null? channels)
-        '()
-        (list (artifact-job store
-                            "substitute-channel-profile"
-                            (lambda ()
-                              (latest-channel-derivation channels))
-                            system)))))
+(define %substitute-manifest-targets
+  `((base . ,base-manifest)
+    (installer . ,installer-manifest)
+    (tribes-node . ,tribes-node-manifest)))
 
 (define %substitute-file-targets
   `((bios-bootloader-configuration . ,bios-bootloader-configuration)
@@ -304,6 +260,12 @@
     (efi-bootloader-configuration . ,efi-bootloader-configuration)
     (efi-bootloader-configuration-installer . ,efi-bootloader-configuration-installer)))
 
+(define (manifest-profile manifest)
+  (profile
+   (content manifest)
+   (hooks %default-profile-hooks)
+   (locales? #t)))
+
 (define (artifact-job store name proc system)
   (let ((drv (parameterize ((%current-system system)
                             (%graft? #f))
@@ -317,6 +279,17 @@
                      #:max-silent-time 3600
                      #:timeout 72000)))
 
+(define (substitute-manifest-jobs store system)
+  (map (match-lambda
+         ((name . manifest)
+          (artifact-job store
+                        (string-append "substitute-manifest-"
+                                       (symbol->string name))
+                        (lambda ()
+                          (lower-object (manifest-profile manifest)))
+                        system)))
+       %substitute-manifest-targets))
+
 (define (substitute-system-jobs store system)
   (map (match-lambda
          ((name . os)

tribes/ci/channel.scm

@@ -1,12 +0,0 @@
-(define-module (tribes ci channel)
-  #:use-module (srfi srfi-1)
-  #:use-module (tribes ci artifacts)
-  #:export (cuirass-jobs))
-
-;; Cheap canary spec: emit only the channel-instance derivation, so a
-;; "tribes modules compile and the checkout is reachable" signal is
-;; independent of any package or system build.
-(define (cuirass-jobs store arguments)
-  (append-map (lambda (system)
-                (substitute-channel-profile-jobs store arguments system))
-              (arguments->systems arguments)))

tribes/ci/fixtures/root-authorized_keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITestLegionSharedBuilder legion@example.invalid

tribes/ci/substitutes.scm

@@ -15,13 +15,11 @@
   #:use-module (nbde system initrd)
   #:use-module (nbde system mapped-devices)
   #:use-module (tribes config host)
-  #:use-module (tribes config system-facts)
   #:use-module (tribes packages plugins)
   #:use-module (tribes packages source)
   #:use-module (tribes plugins registry)
   #:use-module (tribes services tribes)
   #:use-module (tribes system installer)
-  #:use-module (tribes system materialize)
   #:use-module (tribes system node)
   #:export (phase1-operating-system
             base-edge-operating-system
@@ -155,25 +153,6 @@
      (cache-port 6081)
      (cache-storage '("malloc,256M"))))))
 
-(define (ci-authorized-keys-file-name)
-  (or (search-path %load-path "tribes/ci/fixtures/root-authorized_keys")
-      (error "failed to locate CI authorized_keys fixture")))
-(define %ci-system-facts
-  (tribes-system-facts
-   (host-name "tribes-ci-base-edge")
-   (interface "eth0")
-   (boot-mode "bios")
-   (bootloader-targets (list "/dev/sda"))
-   (boot-partition-uuid "11111111-2222-3333-4444-555555555555")
-   (boot-partition-file-system-type "ext4")
-   (root-luks-uuid "66666666-7777-8888-9999-aaaaaaaaaaaa")
-   (root-mapper-name "cryptroot")
-   (root-file-system-type "ext4")
-   (authorized-keys-file (ci-authorized-keys-file-name))
-   (local-boot-key-file "/boot/nbde/local-boot.key")
-   (tang-port 7654)
-   (initrd-network-timeout-seconds 20)
-   (enable-bbr? #t)))
 (define* (ci-operating-system name plugins
                               #:key
                               (bootloader
@@ -191,10 +170,6 @@
    #:interface "eth0"
    #:authorized-keys-file %ci-authorized-keys-file
    #:extra-services %ci-nbde-services))
-(define (ci-materialized-operating-system plugins)
-  (tribes-host-configuration+system-facts->operating-system
-   (ci-host-configuration plugins)
-   %ci-system-facts))
 
 (define* (bootloader-ci-operating-system name bootloader file-systems)
   (operating-system
@@ -253,7 +228,7 @@
   (ci-operating-system "tribes-ci-phase1" '()))
 
 (define base-edge-operating-system
-  (ci-materialized-operating-system '()))
+  (ci-operating-system "tribes-ci-base-edge" '()))
 
 (define aether-edge-operating-system
   (ci-operating-system "tribes-ci-aether-edge"

tribes/packages/kernel.scm

@@ -33,10 +33,9 @@
     "CONFIG_X86_USER_SHADOW_STACK=y"))
 
 (define %tribes-linux-disabled-options
-  '(;; Keep DRM/KMS enabled so the installer has a local console on generic
-    ;; virtual and real hardware.  This costs roughly 15 MiB in the kexec image
-    ;; compared to disabling DRM wholesale, but preserves Proxmox/QEMU VGA and
-    ;; common real-hardware GPU/BMC consoles.
+  '(;; Headless/text-console targets: keep VGA/framebuffer consoles, but drop
+    ;; DRM/KMS GPU drivers and display acceleration stacks.
+    "DRM"
 
     ;; No audio output/input stack on Tribes server deployments.
     "SOUND"

tribes/packages/source.scm

@@ -54,7 +54,7 @@
   "https://git.teralink.net/tribes/tribes.git")
 
 (define %tribes-commit
-  "f096578ec153342b29abfc5e900a82aefa378cb7")
+  "408c39553e4258dd75409eebfa0ffa4380591be0")
 
 (define %tribes-revision "1")
 
@@ -62,7 +62,7 @@
   (git-version "0.2.0" %tribes-revision %tribes-commit))
 
 (define %tribes-source-sha256
-  "0hcrf3b8ddp6a65si92slr3vrnvib855h4pyccgrsk10q34qapas")
+  "16xn3vs6py74z4wrclwapzh18frrp5i663clvwid4l4kmivz833y")
 
 (define %tribes-upstream-source
   (origin

tribes/packages/web.scm

@@ -79,7 +79,6 @@ QUIC support.")
       #:make-flags
       #~(list "LUA_LIB_NAME=lua"
               "TARGET=linux-glibc"
-              "USE_LINUX_CAP=1"
               "USE_LUA=1"
               "USE_OPENSSL_AWSLC=1"
               "USE_PCRE2=1"

tribes/services/haproxy.scm

@@ -119,7 +119,6 @@
        (haproxy-lines
         (append
          (list "log /dev/log local0"
-               "setcap cap_net_bind_service"
                (string-append "user " user)
                (string-append "group " group)
                "maxconn 32768"

tribes/system/node.scm

@@ -1,5 +1,4 @@
 (define-module (tribes system node)
-  #:use-module (gnu packages)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages monitoring)
@@ -75,12 +74,7 @@
   tribes-node-configuration?
   (postgresql tribes-node-configuration-postgresql
               (default (postgresql-configuration
-                        (postgresql postgresql)
-                        (config-file
-                         (postgresql-config-file
-                          (extra-config
-                           '(("log_min_duration_statement" 1000)
-                             ("log_line_prefix" "%m [%p] user=%u db=%d app=%a client=%h "))))))))
+                        (postgresql postgresql))))
   (tribes tribes-node-configuration-tribes
           (default (tribes-configuration)))
   (edge tribes-node-configuration-edge
@@ -254,14 +248,6 @@
                         (tribes-edge-configuration-challenge-port edge)))
                (pem-files (list (lego-certificate-full-pem certificate))))))))
 
-;; Interactive toolkit installed into every node's system profile.  These are
-;; vanilla upstream packages an operator reaches for over SSH; shipping them in
-;; the system closure means they are both present on the node and served by our
-;; substitute mirror, instead of forcing a fallback to bordeaux/ci on first use.
-(define %tribes-node-operator-tools
-  (map specification->package
-       '("ripgrep" "fd" "tmux" "neovim" "btop")))
-
 (define (tribes-node-bbr-services config)
   (if (tribes-node-configuration-enable-bbr? config)
       (list
@@ -294,9 +280,6 @@
       (simple-service 'tribes-node-network-tools
                       profile-service-type
                       (list nftables))
-      (simple-service 'tribes-node-operator-tools
-                      profile-service-type
-                      %tribes-node-operator-tools)
       (service prometheus-node-exporter-service-type
                (prometheus-node-exporter-configuration
                 (package prometheus-node-exporter)