refactor: collapse edge certificates to one cert

Remove split IP/DNS certificate generation and keep mixed challenge mode on a single edge certificate containing all configured subjects.

Update the system node tests to assert one lego certificate and one HAProxy certificate path.

.guix-authorizations

@@ -5,6 +5,4 @@
  (version 0)
 
  (("6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3"
-   (name "steffen"))  ("F29B A6DA 96E5 EC29 FDDE D994 8F4F 75B3 B19D 4784"
+   (name "steffen"))))
-   (name "tribes-supertest-dev"))
-))

.supertest-dev-sync.json

@@ -1,7 +0,0 @@
-{
-   "mode" : "tree-sync",
-   "previous_dev_commit" : "593745da5e4135abc63956442e853dd2643e46ae",
-   "source_branch" : "origin/master",
-   "source_commit" : "54f23bc863ebef8173faf2aaf21801050e09fb53",
-   "synced_at" : "2026-06-09T07:43:46Z"
-}

examples/legion-host-config.json

@@ -34,8 +34,8 @@
   "edge": {
     "certificateName": "node1-example-invalid",
     "certificateSubjects": ["node1.example.invalid"],
-    "certificateEmail": "ops@example.invalid",
     "certificateProfile": "shortlived",
+    "certificateChallengeMode": "http",
     "renewDays": 4,
     "httpPort": 80,
     "httpsPort": 443,

manifests/sources.scm

@@ -0,0 +1,54 @@
+;;; Manifest of upstream source origins for every package defined by the
+;;; tribes channel.  Consumed by Cuirass's `manifests' build type as a
+;;; network-bound canary: fast-fails when an upstream URL or commit ref
+;;; becomes unreachable, without depending on any actual package build.
+
+(define-module (manifests sources)
+  #:use-module (gnu packages)
+  #:use-module (guix discovery)
+  #:use-module (guix packages)
+  #:use-module (guix profiles)
+  #:use-module (ice-9 match)
+  #:use-module (ice-9 vlist)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26)
+  #:export (sources-manifest))
+
+(define (channel-module-path prefix)
+  (delete-duplicates
+   (filter-map (lambda (dir)
+                 (let ((path (string-append dir "/" prefix)))
+                   (and (file-exists? path) (cons dir prefix))))
+               %load-path)
+   equal?))
+
+(define (channel-packages)
+  (fold-packages cons '()
+                 (append (all-modules (channel-module-path "tribes/packages"))
+                         (all-modules (channel-module-path "nbde/packages")))))
+
+(define (upstream-origin source)
+  (origin (inherit source) (snippet #f) (patches '())))
+
+(define (channel-origins)
+  (let loop ((packages (channel-packages))
+             (origins '())
+             (visited vlist-null))
+    (match packages
+      ((head . tail)
+       (let ((new (remove (cut vhash-assq <> visited)
+                          (package-direct-sources head))))
+         (loop tail (append new origins)
+               (fold (cut vhash-consq <> #t <>)
+                     visited new))))
+      (() origins))))
+
+(define sources-manifest
+  (manifest (map (lambda (origin)
+                   (manifest-entry
+                    (name (or (origin-actual-file-name origin) "origin"))
+                    (version "0")
+                    (item (upstream-origin origin))))
+                 (channel-origins))))
+
+sources-manifest

manifests/substitutes/base.scm

@@ -1,49 +0,0 @@
-(define-module (manifests substitutes base)
-  #:use-module (gnu packages)
-  #:use-module (gnu packages elixir)
-  #:use-module (gnu packages erlang)
-  #:use-module (guix profiles)
-  #:use-module (nbde packages crypto)
-  #:use-module (tribes packages terminals)
-  #:export (base-manifest))
-
-(define %base-specifications
-  '("bash-minimal"
-    "coreutils"
-    "diffutils"
-    "findutils"
-    "gawk"
-    "grep"
-    "gzip"
-    "inetutils"
-    "iproute2"
-    "less"
-    "nss-certs"
-    "openssh"
-    "postgresql"
-    "procps"
-    "rsync"
-    "sed"
-    "tar"
-    "which"
-    "xz"
-    "cryptsetup"
-    "dosfstools"
-    "e2fsprogs"
-    "gptfdisk"
-    "kmod"
-    "parted"
-    "util-linux"))
-
-(define base-manifest
-  (packages->manifest
-   (append (map specification->package %base-specifications)
-           (list clevis
-                 tang
-                 luksmeta
-                 erlang
-                 elixir
-                 elixir-hex
-                 ghostty-terminfo))))
-
-base-manifest

manifests/substitutes/installer.scm

@@ -1,48 +0,0 @@
-(define-module (manifests substitutes installer)
-  #:use-module (gnu packages)
-  #:use-module (guix profiles)
-  #:use-module (nbde packages crypto)
-  #:export (installer-manifest))
-
-(define %installer-specifications
-  '("bash-minimal"
-    "coreutils"
-    "diffutils"
-    "findutils"
-    "gawk"
-    "git-minimal"
-    "grep"
-    "gzip"
-    "guix"
-    "inetutils"
-    "iproute2"
-    "kexec-tools"
-    "less"
-    "curl"
-    "nss-certs"
-    "procps"
-    "rsync"
-    "sed"
-    "tar"
-    "which"
-    "zstd"
-    "xz"
-    "console-setup"
-    "cryptsetup"
-    "dosfstools"
-    "grub-efi"
-    "grub-pc"
-    "mdadm"
-    "e2fsprogs"
-    "gptfdisk"
-    "kmod"
-    "parted"
-    "util-linux"))
-
-(define installer-manifest
-  (packages->manifest
-   (append (map specification->package %installer-specifications)
-           (list clevis
-                 luksmeta))))
-
-installer-manifest

manifests/substitutes/tribes-node.scm

@@ -1,60 +0,0 @@
-(define-module (manifests substitutes tribes-node)
-  #:use-module (gnu packages)
-  #:use-module (gnu packages elixir)
-  #:use-module (gnu packages erlang)
-  #:use-module (gnu packages monitoring)
-  #:use-module (guix profiles)
-  #:use-module (tribes packages monitoring)
-  #:use-module (tribes packages source)
-  #:use-module (tribes packages terminals)
-  #:use-module (tribes packages web)
-  #:use-module (tribes plugins registry)
-  #:export (tribes-node-manifest
-            make-tribes-node-manifest))
-
-(define %tribes-node-specifications
-  '("nss-certs"
-    "openssh"
-    "postgresql"
-    "rsync"
-    "ripgrep"
-    "fd"
-    "tmux"
-    "neovim"
-    "btop"))
-
-(define (getenv/default name default)
-  (or (getenv name) default))
-
-(define (tribes-node-package)
-  (let ((source-directory (getenv "TRIBES_SOURCE_DIRECTORY")))
-    (if source-directory
-        (local-tribes-package
-         source-directory
-         #:version (getenv/default "TRIBES_RELEASE_VERSION" "dev")
-         #:mix-deps-sha256 (getenv "TRIBES_MIX_DEPS_SHA256")
-         #:raw-mix-deps-sha256 (getenv "TRIBES_RAW_MIX_DEPS_SHA256")
-         #:npm-deps-sha256 (getenv "TRIBES_NPM_DEPS_SHA256"))
-        tribes-package)))
-
-(define (make-tribes-node-manifest)
-  (packages->manifest
-   (append
-    (map specification->package %tribes-node-specifications)
-    (list erlang
-          elixir
-          elixir-hex
-          ghostty-terminfo
-          haproxy
-          vinyl
-          lego
-          prometheus-node-exporter
-          victoriametrics
-          vinyl-exporter
-          (tribes-node-package))
-    (guix-tribes-plugin-substitute-packages))))
-
-(define tribes-node-manifest
-  (make-tribes-node-manifest))
-
-tribes-node-manifest

nbde/system/build-host-kexec-installer.scm

@@ -55,7 +55,10 @@
          util-linux)))
 
 (define %build-host-kexec-initrd-modules
-  '("ahci"
+  '(;; Common block/storage basics.
+    "ahci"
+    "ata_piix"
+    "cdrom"
     "dm-crypt"
     "fat"
     "loop"
@@ -64,13 +67,19 @@
     "nvme"
     "overlay"
     "sd_mod"
+    "sr_mod"
     "squashfs"
     "vfat"
+
+    ;; KVM/QEMU and common emulated or non-virtio NICs.
     "virtio_blk"
     "virtio_console"
     "virtio_net"
     "virtio_pci"
-    "virtio_scsi"))
+    "virtio_scsi"
+    "e1000"
+    "e1000e"
+    "r8169"))
 
 (define build-host-kexec-installer-os
   (operating-system
@@ -84,9 +93,10 @@
     (initrd kexec-installer-initrd)
     (kernel-arguments
      '("console=ttyS0,115200n8"
+       "console=tty0"
        "net.ifnames=0"
        "panic=30"
-       "loglevel=4"))
+       "loglevel=6"))
     (bootloader
      (bootloader-configuration
       (bootloader grub-bootloader)

nbde/system/build-host.scm

@@ -28,8 +28,9 @@
                                            (locale "en_US.UTF-8")
                                            (kernel tribes-linux)
                                            (kernel-arguments
-                                            (list "console=tty0"
+                                            (list "console=ttyS0,115200n8"
-                                                  "console=ttyS0,115200n8"))
+                                                  "console=tty0"
+                                                  "net.ifnames=0"))
                                            (initrd
                                             (lambda (file-systems . rest)
                                               (apply base-initrd

nbde/system/installed-base.scm

@@ -48,8 +48,9 @@
                                           (locale "en_US.UTF-8")
                                           (kernel tribes-linux)
                                           (kernel-arguments
-                                           (list "console=tty0"
+                                           (list "console=ttyS0,115200n8"
-                                                 "console=ttyS0,115200n8"))
+                                                 "console=tty0"
+                                                 "net.ifnames=0"))
                                           (initrd-modules
                                            (append %nbde-initrd-modules
                                                    %base-initrd-modules))
@@ -72,7 +73,9 @@ runtime-discovered boot and filesystem values from the installer."
      (append
      extra-services
       (list (boot-store-staging-service)
-            (service dhcpcd-service-type)
+            (service dhcpcd-service-type
+                     (dhcpcd-configuration
+                      (interfaces (list interface))))
             (service elogind-service-type)
             (service agetty-service-type
                      (agetty-configuration

pins/base-channels.sexp

@@ -1,10 +1,10 @@
 (list (channel
         (name 'guix)
         (url "https://git.teralink.net/tribes/guix-fork.git")
-        (branch "refactor/substituter-trace-framing")
+        (branch "feature/substitute-read-timeout")
-        ;; guix-fork refactor/substituter-trace-framing
+        ;; guix-fork feature/substitute-read-timeout
         (commit
-          "8514f9c1a98468c044e8b5f65e4a90d097a63a47")
+          "4574af27f27c7a5d2dc4d4823ef4518a392dc973")
         (introduction
           (make-channel-introduction
             "093f27dde01cdbda68f2ec4b81e5a34ae180aab9"

pins/legion-channels.sexp

@@ -2,10 +2,10 @@
   (channel
     (name 'guix)
     (url "https://git.teralink.net/tribes/guix-fork.git")
-    (branch "refactor/substituter-trace-framing")
+    (branch "feature/substitute-read-timeout")
-    ;; guix-fork refactor/substituter-trace-framing
+    ;; guix-fork feature/substitute-read-timeout
     (commit
-      "8514f9c1a98468c044e8b5f65e4a90d097a63a47")
+      "4574af27f27c7a5d2dc4d4823ef4518a392dc973")
     (introduction
       (make-channel-introduction
         "093f27dde01cdbda68f2ec4b81e5a34ae180aab9"

scripts/build-kexec-image

@@ -109,6 +109,7 @@ load_guix_env
 require_tool guix
 require_tool guile
 require_tool mksquashfs
+require_tool cpio
 require_file "$channels" "channels file"
 require_file "$script_dir/kexec-run" "kexec runner"
 require_file "$root_dir/examples/build-host-kexec-installer.scm" "system file"

scripts/update-base-channels-pin

@@ -7,11 +7,11 @@ base_output="${NBDE_BASE_CHANNELS_OUTPUT:-$root_dir/pins/base-channels.sexp}"
 legion_output="${NBDE_LEGION_CHANNELS_OUTPUT:-$root_dir/pins/legion-channels.sexp}"
 
 fork_url="https://git.teralink.net/tribes/guix-fork.git"
-fork_branch="refactor/substituter-trace-framing"
+fork_branch="feature/substitute-read-timeout"
 fork_introduction_commit="093f27dde01cdbda68f2ec4b81e5a34ae180aab9"
 fork_introduction_signer="6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3"
 fork_checkout="$root_dir/../guix-fork"
-fork_comment="guix-fork refactor/substituter-trace-framing"
+fork_comment="guix-fork feature/substitute-read-timeout"
 
 official_url="https://git.teralink.net/tribes/guix.git"
 official_branch="master"

scripts/update-plugin-pin

@@ -16,13 +16,19 @@ Usage: update-plugin-pin [options] plugin [rev]
 
 Pin a Tribes external plugin and refresh fixed-output hashes.
 
-PLUGIN is the plugin slug. REV defaults to "master" resolved from the
+PLUGIN is the canonical plugin slug or, for older plugin layouts, the source
-plugin checkout. The plugin manifest.json is the source of truth for plugin
+repository basename. REV defaults to "master" resolved from the plugin checkout.
-id, slug, version, provides, and requires metadata. By default the script expects
+The plugin manifest.json is the source of truth for plugin id, slug, version,
-the plugin checkout at ../tribes-plugin-$PLUGIN and the Guix plugin file at
+provides, and requires metadata. By default the script expects the plugin
-tribes/plugins/$PLUGIN.scm relative to the guix-tribes checkout.
+checkout at ../tribes-plugin-$PLUGIN and the Guix plugin file at
+tribes/plugins/$PLUGIN.scm relative to the guix-tribes checkout. If those do not
+exist and PLUGIN starts with tribe-one-, it also tries the unprefixed source
+basename. Use --plugin-source-name when the source repository and Guix file
+basename differ from the canonical slug.
 
 Options:
+  --plugin-source-name NAME
+                       Source repository, Guix file, package, and Scheme symbol basename
   --plugin-repo PATH   Local plugin git checkout
   --plugin-file PATH   Guix plugin definition file to update
   --tribes-repo PATH   Local Tribes git checkout used for the host plugin API
@@ -133,6 +139,7 @@ my %opts;
 
 GetOptionsFromArray(
     \@argv,
+    'plugin-source-name=s' => \$opts{plugin_source_name},
     'plugin-repo=s' => \$opts{plugin_repo},
     'plugin-file=s' => \$opts{plugin_file},
     'tribes-repo=s' => \$opts{tribes_repo},
@@ -168,16 +175,37 @@ my $default_tribes_repo = abs_path(File::Spec->catdir($default_guix_repo, '..',
 
 my $guix_repo = $opts{guix_repo} ? abs_path($opts{guix_repo}) : $default_guix_repo;
 my $tribes_repo = $opts{tribes_repo} ? abs_path($opts{tribes_repo}) : $default_tribes_repo;
+
+sub default_plugin_source_name {
+    my ($plugin, $guix_repo) = @_;
+    my @candidates = ($plugin);
+
+    if ($plugin =~ /^tribe-one-(.+)$/) {
+        push @candidates, $1;
+    }
+
+    for my $candidate (@candidates) {
+        my $repo = File::Spec->catdir($guix_repo, '..', "tribes-plugin-$candidate");
+        my $file = File::Spec->catfile($guix_repo, 'tribes', 'plugins', "$candidate.scm");
+        return $candidate if -d File::Spec->catdir($repo, '.git') && -f $file;
+    }
+
+    return $plugin;
+}
+
+my $plugin_source_name = $opts{plugin_source_name} // default_plugin_source_name($plugin, $guix_repo);
+$plugin_source_name =~ /^[A-Za-z0-9._+-]+$/ or fail("Invalid plugin source name: $plugin_source_name");
+
 my $plugin_repo =
   $opts{plugin_repo}
   ? abs_path($opts{plugin_repo})
-  : abs_path(File::Spec->catdir($guix_repo, '..', "tribes-plugin-$plugin"));
+  : abs_path(File::Spec->catdir($guix_repo, '..', "tribes-plugin-$plugin_source_name"));
 my $plugin_file =
   $opts{plugin_file}
   ? abs_path($opts{plugin_file})
-  : File::Spec->catfile($guix_repo, 'tribes', 'plugins', "$plugin.scm");
+  : File::Spec->catfile($guix_repo, 'tribes', 'plugins', "$plugin_source_name.scm");
 my $source_file = File::Spec->catfile($guix_repo, 'tribes', 'packages', 'source.scm');
-my $plugin_package_name = "tribes-plugin-$plugin";
+my $plugin_package_name = "tribes-plugin-$plugin_source_name";
 
 -d File::Spec->catdir($plugin_repo, '.git') or fail("Plugin repo not found: $plugin_repo");
 -d File::Spec->catdir($tribes_repo, '.git') or fail("Tribes repo not found: $tribes_repo");
@@ -253,7 +281,14 @@ my $version = $manifest->{version};
 my $provides_joined = join("\037", @{ $manifest->{provides} });
 my $requires_joined = join("\037", @{ $manifest->{requires} });
 
-$plugin_slug eq $plugin or fail("Plugin manifest slug mismatch: expected $plugin, got $plugin_slug");
+if ($plugin_slug ne $plugin) {
+    if (!defined($opts{plugin_source_name}) && $plugin eq $plugin_source_name) {
+        print STDERR "Plugin argument '$plugin' matched source name; using manifest slug '$plugin_slug'.\n";
+        $plugin = $plugin_slug;
+    } else {
+        fail("Plugin manifest slug mismatch: expected $plugin, got $plugin_slug");
+    }
+}
 
 my ($plugin_source_for_scheme, $tribes_source_for_scheme, $guix_load_path);
 my $source_hash;
@@ -348,7 +383,7 @@ my $dummy_hash = '0' x 52;
 
 my $text = read_file($plugin_file);
 my @candidates;
-for my $candidate ($plugin, ($plugin =~ tr/_/-/r)) {
+for my $candidate ($plugin_source_name, ($plugin_source_name =~ tr/_/-/r)) {
     push @candidates, $candidate unless grep { $_ eq $candidate } @candidates;
 }
 
@@ -502,6 +537,7 @@ write_file($plugin_file, $text);
 
 print "Updated $plugin_file\n";
 print "plugin: $plugin\n";
+print "plugin source name: $plugin_source_name\n" if $plugin_source_name ne $plugin;
 print "plugin id: $plugin_id\n";
 print "commit: $commit\n";
 print "host tribes commit: $host_commit\n";

scripts/update-tribes-and-plugin-pins

@@ -2,10 +2,10 @@
 
 set -eu
 
-# External plugin pins to refresh. Each name maps to ../tribes-plugin-$name
+# External plugin pins to refresh. Each entry is canonical-slug:source-name.
-# and tribes/plugins/$name.scm unless update-plugin-pin is called with
+# The source name maps to ../tribes-plugin-$source_name and
-# different defaults in the future.
+# tribes/plugins/$source_name.scm.
-plugins="sender aether supertest kobold trust"
+plugins="tribe-one-sender:sender tribe-one-aether:aether tribe-one-supertest:supertest tribe-one-kobold:kobold tribe-one-trust:trust"
 
 usage() {
   cat <<'EOF'
@@ -86,11 +86,15 @@ fi
   --tribes-repo "$tribes_repo" \
   $build_host_args
 
-for plugin in $plugins; do
+for plugin_entry in $plugins; do
+  plugin=${plugin_entry%%:*}
+  plugin_source_name=${plugin_entry#*:}
+
   # shellcheck disable=SC2086
   "$update_plugin_pin" \
     --guix-repo "$guix_repo" \
     --tribes-repo "$tribes_repo" \
+    --plugin-source-name "$plugin_source_name" \
     $build_host_args \
     "$plugin"
 done
@@ -99,8 +103,9 @@ if [ "$commit_after" = true ]; then
   git -C "$guix_repo" add -- \
     tribes/packages/source.scm
 
-  for plugin in $plugins; do
+  for plugin_entry in $plugins; do
-    git -C "$guix_repo" add -- "tribes/plugins/$plugin.scm"
+    plugin_source_name=${plugin_entry#*:}
+    git -C "$guix_repo" add -- "tribes/plugins/$plugin_source_name.scm"
   done
 
   if git -C "$guix_repo" diff --cached --quiet; then

supertest-dev-B19D4784.key

@@ -1,11 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mDMEafMY7xYJKwYBBAHaRw8BAQdAX7Cs0UPcvEpHOwmTDkjNBfeH6/FH6sqKZbRi
-sd3oBCy0U1RyaWJlcyBTdXBlcnRlc3QgRGV2IChBSSBsb2NhbCBkZXZlbG9wbWVu
-dCBrZXkpIDx0cmliZXMtc3VwZXJ0ZXN0LWRldkB0ZXJhbGluay5uZXQ+iJYEExYK
-AD4WIQTym6baluXsKf3e2ZSPT3WzsZ1HhAUCafMY7wIbAwUJAeEzgAULCQgHAgYV
-CgkICwIEFgIDAQIeAQIXgAAKCRCPT3WzsZ1HhMp8AP4gGrPkBoGLKMyubISESFpH
-fnqYUGDGucIoLRvtbl+ULQD/SlC9u/Ek9WSYvsskd0jD09lc2TxBnubl8yRi3bTM
-sA8=
-=JA7U
------END PGP PUBLIC KEY BLOCK-----

tests/tribes-ci-substitutes.scm

@@ -58,7 +58,7 @@
     (operating-system-host-name kobold-edge-operating-system))
 
   (test-equal "kobold target includes trust provider"
-    '("trust" "kobold")
+    '("tribe-one-trust" "tribe-one-kobold")
     (target-plugin-names kobold-edge-operating-system))
 
   (test-equal "sender target has expected host name"

tests/tribes-deploy-executor.scm

@@ -1,5 +1,6 @@
 (define-module (tests tribes-deploy-executor)
   #:use-module (srfi srfi-64)
+  #:use-module (tests support)
   #:use-module (tribes deploy executor)
   #:use-module (tribes deploy plan)
   #:use-module (tribes packages plugins)
@@ -25,7 +26,7 @@
 (define valid-target
   `(("trusted_signers" . (,valid-signer))
     ("channels" . (,valid-channel))
-    ("plugins" . ((("plugin_name" . "aether")
+    ("plugins" . ((("plugin_name" . "tribe-one-aether")
                    ("channel_id" . "guix-tribes")
                    ("enabled" . #t))))))
 
@@ -43,16 +44,16 @@
        ("action" . "apply"))))
 
   (test-equal "deployment request plugins preserve names"
-    '("aether")
+    '("tribe-one-aether")
     (deployment-request-plugins
      '(("schemaVersion" . "1")
        ("action" . "apply")
-       ("plugins" . ("aether")))))
+       ("plugins" . ("tribe-one-aether")))))
 
   (test-equal "host config plugins are updated in tribes block"
     '(("schemaVersion" . "1")
       ("tribes" . (("host" . "example.com")
-                   ("plugins" . ("aether"))
+                   ("plugins" . ("tribe-one-aether"))
                    ("disabledPlugins" . ())))
       ("edge" . (("certificateName" . "tribes"))))
     (host-config-with-plugins
@@ -60,12 +61,12 @@
        ("tribes" . (("host" . "example.com")
                     ("plugins" . ())))
        ("edge" . (("certificateName" . "tribes"))))
-     '("aether")))
+     '("tribe-one-aether")))
 
   (test-equal "system target plugin names include installed plugins"
-    '("aether" "disabled")
+    '("disabled" "tribe-one-aether")
     (system-target-plugin-names
-     '(("plugins" . ((("plugin_name" . "aether")
+     '(("plugins" . ((("plugin_name" . "tribe-one-aether")
                       ("enabled" . #t))
                      (("plugin_name" . "disabled")
                       ("enabled" . #f)))))))
@@ -73,7 +74,7 @@
   (test-equal "system target disabled plugin names include disabled plugins"
     '("disabled")
     (system-target-disabled-plugin-names
-     '(("plugins" . ((("plugin_name" . "aether")
+     '(("plugins" . ((("plugin_name" . "tribe-one-aether")
                       ("enabled" . #t))
                      (("plugin_name" . "disabled")
                       ("enabled" . #f)))))))
@@ -101,7 +102,7 @@
     guix-tribes-runtime-missing-capabilities)
 
   (test-equal "resolve-target emits channel-aware plugin package refs"
-    '("aether")
+    '("tribe-one-aether")
     (let* ((plan (resolve-target valid-target))
            (hash-value (json-ref plan "plan_hash"))
            (resolved-plugins
@@ -119,7 +120,7 @@
       (plan-plugins plan)))
 
   (test-equal "resolve-target accepts spaced introduction fingerprints"
-    '("sender")
+    '("tribe-one-sender")
     (let* ((spaced-channel
             `(("id" . "guix-tribes")
               ("channel_id" . "guix-tribes")
@@ -134,29 +135,29 @@
             (resolve-target
              `(("trusted_signers" . (,valid-signer))
                ("channels" . (,spaced-channel))
-               ("plugins" . ((("plugin_name" . "sender")
+               ("plugins" . ((("plugin_name" . "tribe-one-sender")
                               ("channel_id" . "guix-tribes")
                               ("enabled" . #t))))))))
       (plan-plugins plan)))
 
   (test-equal "resolve-target satisfies org.tribe-one.caps.ui@1 from built-in Tribes UI"
-    '("sender")
+    '("tribe-one-sender")
     (let ((plan
            (resolve-target
             `(("trusted_signers" . (,valid-signer))
               ("channels" . (,valid-channel))
-              ("plugins" . ((("plugin_name" . "sender")
+              ("plugins" . ((("plugin_name" . "tribe-one-sender")
                              ("channel_id" . "guix-tribes")
                              ("enabled" . #t))))))))
       (plan-plugins plan)))
 
   (test-equal "resolve-target keeps disabled plugins installed but runtime-disabled"
-    '(("aether") ("aether"))
+    '(("tribe-one-aether") ("tribe-one-aether"))
     (let ((plan
            (resolve-target
             `(("trusted_signers" . (,valid-signer))
               ("channels" . (,valid-channel))
-              ("plugins" . ((("plugin_name" . "aether")
+              ("plugins" . ((("plugin_name" . "tribe-one-aether")
                              ("channel_id" . "guix-tribes")
                              ("enabled" . #f))))))))
       (list (plan-plugins plan) (plan-disabled-plugins plan))))
@@ -167,8 +168,8 @@
      (resolve-target
       `(("trusted_signers" . (,valid-signer))
         ("channels" . (,valid-channel))
-        ("plugins" . ((("plugin_name" . "aether") ("enabled" . #t))
+        ("plugins" . ((("plugin_name" . "tribe-one-aether") ("enabled" . #t))
-                       (("plugin_name" . "aether") ("enabled" . #t))))))))
+                       (("plugin_name" . "tribe-one-aether") ("enabled" . #t))))))))
 
   (test-equal "resolve-target rejects unknown plugins"
     "manifest_invalid"
@@ -193,8 +194,10 @@
                         ("allowed_signer_ids" . ("signer-1"))
                         ("introduction" . (("commit" . "intro123")
                                            ("fingerprint" . "0123456789ABCDEF0123456789ABCDEF01234567"))))))
-        ("plugins" . ((("plugin_name" . "aether")
+        ("plugins" . ((("plugin_name" . "tribe-one-aether")
                        ("channel_id" . "guix-tribes")
                        ("enabled" . #t))))))))
 
   (test-end "tribes-deploy-executor"))
+
+(run-tests-when-script "tests/tribes-deploy-executor.scm" run-tests)

tests/tribes-deploy-operations.scm

@@ -19,16 +19,16 @@
 
 (define plan-a
   '(("plan_hash" . "plan-a")
-    ("resolved_plugins" . ((("name" . "aether"))))))
+    ("resolved_plugins" . ((("name" . "tribe-one-aether"))))))
 
 (define plan-b
   '(("plan_hash" . "plan-b")
-    ("resolved_plugins" . ((("name" . "aether"))))))
+    ("resolved_plugins" . ((("name" . "tribe-one-aether"))))))
 
 (define plan-without-channel-delta
   '(("plan_hash" . "plan-without-channel-delta")
     ("resolved_channels" . #())
-    ("resolved_plugins" . ((("name" . "supertest"))))))
+    ("resolved_plugins" . ((("name" . "tribe-one-supertest"))))))
 
 (define plan-with-channel-pin
   '(("plan_hash" . "plan-with-channel-pin")
@@ -38,7 +38,7 @@
                                ("branch" . "master")
                                ("commit" . "abc123")
                                ("position" . 10))))
-    ("resolved_plugins" . ((("name" . "supertest"))))))
+    ("resolved_plugins" . ((("name" . "tribe-one-supertest"))))))
 (define plan-with-branch-channel
   '(("plan_hash" . "plan-with-branch-channel")
     ("resolved_channels" . #((("channel_id" . "guix-tribes")
@@ -47,7 +47,7 @@
                                ("branch" . "master")
                                ("commit" . #f)
                                ("position" . 10))))
-    ("resolved_plugins" . ((("name" . "supertest"))))))
+    ("resolved_plugins" . ((("name" . "tribe-one-supertest"))))))
 
 (define (delete-if-present path)
   (when (false-if-exception (lstat path))
@@ -516,8 +516,8 @@
   (call-with-values
       (lambda ()
         (resolve-deployment
-         '(("plugins" . ((("plugin_name" . "aether") ("enabled" . #t))
+         '(("plugins" . ((("plugin_name" . "tribe-one-aether") ("enabled" . #t))
-                          (("plugin_name" . "aether") ("enabled" . #t)))))))
+                          (("plugin_name" . "tribe-one-aether") ("enabled" . #t)))))))
     (lambda (status payload)
       (test-equal "resolve-deployment returns 409 for explicit resolver errors"
         409 status)

tests/tribes-system-node.scm

@@ -1,5 +1,7 @@
 (define-module (tests tribes-system-node)
+  #:use-module (gnu packages databases)
   #:use-module (gnu services)
+  #:use-module (gnu services databases)
   #:use-module (gnu services monitoring)
   #:use-module (gnu services shepherd)
   #:use-module (guix gexp)
@@ -8,6 +10,7 @@
   #:use-module (srfi srfi-13)
   #:use-module (srfi srfi-64)
   #:use-module (tests support)
+  #:use-module (tribes config host)
   #:use-module (tribes plugins sender)
   #:use-module (tribes services chrony)
   #:use-module (tribes services haproxy)
@@ -21,6 +24,7 @@
   #:export (run-tests))
 
 (define node-module (resolve-module '(tribes system node)))
+(define lego-module (resolve-module '(tribes services lego)))
 (define chrony-module (resolve-module '(tribes services chrony)))
 (define haproxy-module (resolve-module '(tribes services haproxy)))
 (define logging-module (resolve-module '(tribes services logging)))
@@ -29,6 +33,7 @@
 (define edge-cache-vcl-text (module-ref node-module 'edge-cache-vcl-text))
 (define edge-cache-vcl (module-ref node-module 'edge-cache-vcl))
 (define edge-services (module-ref node-module 'edge-services))
+(define lego-common-arguments (module-ref lego-module 'lego-common-arguments))
 (define chrony-shepherd-services
   (module-ref chrony-module 'chrony-shepherd-services))
 (define haproxy-config-file (module-ref haproxy-module 'haproxy-config-file))
@@ -62,6 +67,9 @@
       (contains? vcl ".connect_timeout = 1s;"))
     (test-assert "edge cache backend uses bounded first-byte timeout"
       (contains? vcl ".first_byte_timeout = 5s;"))
+    (test-assert "edge cache gives admin API requests longer backend timeouts"
+      (contains? vcl
+                 "sub vcl_backend_fetch {\n  if (bereq.url ~ \"^/api/admin/\") {\n    set bereq.connect_timeout = 1s;\n    set bereq.first_byte_timeout = 35s;\n    set bereq.between_bytes_timeout = 35s;"))
     (test-assert "edge cache retries only GET/HEAD 5xx backend responses"
       (contains? vcl
                  "if ((bereq.method == \"GET\" || bereq.method == \"HEAD\") &&\n      beresp.status >= 500 && beresp.status <= 599 &&\n      bereq.retries < 5)"))
@@ -87,6 +95,10 @@
                   (tribes (tribes-configuration
                            (host "example.invalid")))))
          (services (tribes-node-services config))
+         (postgresql-service
+          (find (lambda (service)
+                  (eq? (service-kind service) postgresql-service-type))
+                services))
          (chrony-service
           (find (lambda (service)
                   (eq? (service-kind service) chrony-service-type))
@@ -106,6 +118,9 @@
                 services)))
     (test-assert "node profile includes nftables for sync partition tests"
       network-tools-service)
+    (test-eq "node uses PostgreSQL 17"
+      postgresql-17
+      (postgresql-configuration-postgresql (service-value postgresql-service)))
     (test-assert "node includes Chrony service"
       chrony-service)
     (test-assert "node includes Prometheus node exporter service"
@@ -250,8 +265,7 @@
   (let* ((config (tribes-node-configuration
                   (tribes (tribes-configuration
                            (host "example.invalid")))
-                  (edge (tribes-edge-configuration
+                  (edge (tribes-edge-configuration))))
-                         (certificate-email "ops@example.invalid")))))
          (services (edge-services config))
          (vinyl-service (find (lambda (service)
                                 (eq? (service-kind service) vinyl-service-type))
@@ -312,9 +326,104 @@
       (and lego-config
            (lego-certificate-configuration-requirement
             (car (lego-configuration-certificates lego-config)))))
+    (test-equal "edge certificate omits ACME email by default"
+      #f
+      (and lego-config
+           (lego-certificate-configuration-email
+            (car (lego-configuration-certificates lego-config)))))
     (test-assert "edge uses haproxy for TLS termination"
       haproxy-service))
 
+  (let* ((certificate (lego-certificate-configuration
+                       (name "tribes")
+                       (subjects '("203.0.113.10" "node1.example.com"))
+                       (listen-http "127.0.0.1:8080")
+                       (dns-provider "ovh")))
+         (args (lego-common-arguments certificate)))
+    (test-assert "lego mixed challenge includes HTTP validation"
+      (member "--http" args))
+    (test-assert "lego mixed challenge includes DNS provider"
+      (and (member "--dns" args)
+           (member "ovh" args)))
+    (test-assert "lego mixed challenge disables CN for IP identifiers"
+      (member "--disable-cn" args)))
+
+  (let* ((config (tribes-node-configuration
+                  (tribes (tribes-configuration
+                           (host "example.com")))
+                  (edge (tribes-edge-configuration
+                         (certificate-name "tribes")
+                         (certificate-subjects
+                          '("203.0.113.10" "node1.example.com" "example.com"))
+                         (certificate-challenge-mode "mixed")
+                         (certificate-dns-provider "ovh")
+                         (certificate-environment-variables
+                          '("OVH_ENDPOINT=ovh-eu"))))))
+         (services (edge-services config))
+         (lego-service (find (lambda (service)
+                               (eq? (service-kind service) lego-service-type))
+                             services))
+         (haproxy-service (find (lambda (service)
+                                  (eq? (service-kind service) haproxy-service-type))
+                                services))
+         (certificates (and lego-service
+                            (lego-configuration-certificates
+                             (service-value lego-service))))
+         (haproxy-config (and haproxy-service
+                              (service-value haproxy-service)))
+         (haproxy-text (and haproxy-config
+                            (plain-file-content
+                             (haproxy-config-file haproxy-config)))))
+    (test-equal "mixed edge certificate creates one certificate"
+      '("tribes")
+      (map lego-certificate-configuration-name certificates))
+    (test-equal "mixed edge certificate keeps all subjects on one cert"
+      '("203.0.113.10" "node1.example.com" "example.com")
+      (lego-certificate-configuration-subjects (car certificates)))
+    (test-equal "mixed edge cert carries DNS provider"
+      "ovh"
+      (lego-certificate-configuration-dns-provider (car certificates)))
+    (test-equal "mixed edge cert carries provider environment"
+      '("OVH_ENDPOINT=ovh-eu")
+      (lego-certificate-configuration-environment-variables (car certificates)))
+    (test-equal "mixed edge passes one cert to haproxy"
+      '("/var/lib/lego/tribes/full.pem")
+      (haproxy-configuration-pem-files haproxy-config))
+    (test-assert "mixed edge renders one bind with one cert"
+      (contains? haproxy-text
+                 "bind 0.0.0.0:443 ssl crt /var/lib/lego/tribes/full.pem alpn h2,http/1.1")))
+
+  (let* ((host-config
+          (json-scm->tribes-host-configuration
+           '(("schemaVersion" . "1")
+             ("tribes" . (("workingDirectory" . "/var/lib/tribes")
+                           ("serviceUser" . "tribes")
+                           ("serviceGroup" . "tribes")
+                           ("host" . "example.com")
+                           ("listenAddress" . "127.0.0.1")
+                           ("listenPort" . 4000)
+                           ("scheme" . "https")
+                           ("port" . 443)
+                           ("syncHost" . "127.0.0.1")
+                           ("syncPort" . 4848)
+                           ("syncBindAddress" . "127.0.0.1")))
+             ("edge" . (("certificateName" . "tribes")
+                         ("certificateSubjects" . ("203.0.113.10" "example.com"))
+                         ("certificateChallengeMode" . "mixed")
+                         ("certificateDnsProvider" . "ovh")
+                         ("certificateEnvironmentVariables" .
+                          ("OVH_ENDPOINT=ovh-eu")))))))
+         (edge (tribes-host-configuration-edge host-config)))
+    (test-equal "host config parses certificate challenge mode"
+      "mixed"
+      (tribes-edge-configuration-certificate-challenge-mode edge))
+    (test-equal "host config parses certificate DNS provider"
+      "ovh"
+      (tribes-edge-configuration-certificate-dns-provider edge))
+    (test-equal "host config parses certificate environment variables"
+      '("OVH_ENDPOINT=ovh-eu")
+      (tribes-edge-configuration-certificate-environment-variables edge)))
+
   (let* ((config (haproxy-configuration
                   (backend "127.0.0.1:6081")
                   (frontends '("0.0.0.0:443" "[::]:443 v6only"))
@@ -332,6 +441,8 @@
       (not (contains? text "limited-quic")))
     (test-assert "haproxy logs to syslog-ng"
       (contains? text "log /dev/log local0"))
+    (test-assert "haproxy preserves privileged bind capability for QUIC"
+      (contains? text "setcap cap_net_bind_service"))
     (test-assert "haproxy binds configured certificate"
       (contains? text
                  "bind 0.0.0.0:443 ssl crt /var/lib/lego/tribes/full.pem alpn h2,http/1.1"))

tribes/ci/artifacts-master.scm

@@ -3,26 +3,25 @@
   #:use-module (srfi srfi-1)
   #:export (cuirass-jobs))
 
+;; Publishable artifacts: the debug Docker image and the Sender runtime pack.
+;; Node operating-system closures and bootloader files are warmed by the
+;; dedicated (tribes ci artifacts-substitutes) jobset instead.
 (define (cuirass-jobs store arguments)
   (let ((tribes-commit (arguments->channel-commit arguments 'tribes)))
     (append-map
      (lambda (system)
-       (append
+       (list (artifact-job store
-        (list (artifact-job store
+                           "tribes-debug-docker"
-                            "tribes-debug-docker"
+                           (lambda ()
-                            (lambda ()
+                             (tribes-debug-docker-image
-                              (tribes-debug-docker-image
+                              #:image-tag
-                               #:image-tag
+                              (if tribes-commit
-                               (if tribes-commit
+                                  (string-append "tribes-guix-debug:"
-                                   (string-append "tribes-guix-debug:"
+                                                 tribes-commit)
-                                                  tribes-commit)
+                                  "tribes-guix-debug:latest")))
-                                   "tribes-guix-debug:latest")))
+                           system)
-                            system)
+             (artifact-job store
-              (artifact-job store
+                           "tribes-sender-runtime"
-                            "tribes-sender-runtime"
+                           tribes-sender-runtime-pack
-                            tribes-sender-runtime-pack
+                           system)))
-                            system))
-        (substitute-manifest-jobs store system)
-        (substitute-system-jobs store system)
-        (substitute-file-jobs store system)))
      (arguments->systems arguments))))

tribes/ci/artifacts-substitutes.scm

@@ -0,0 +1,21 @@
+(define-module (tribes ci artifacts-substitutes)
+  #:use-module (tribes ci artifacts)
+  #:use-module (srfi srfi-1)
+  #:export (cuirass-jobs))
+
+;; Warm the substitute mirror with the closures of the real Tribes node
+;; operating-systems and their bootloader files, so deployed nodes pull every
+;; required store path from guix.tribe-one.org during `guix system
+;; init'/reconfigure without depending on upstream availability.  This is the
+;; authoritative substitute set: it is computed from the very operating-systems
+;; nodes materialize, so it cannot drift the way the hand-curated
+;; manifests/substitutes/*.scm package lists did, and it transitively covers
+;; everything the node closure contains -- including the operator toolkit now
+;; carried in the node system profile and the upstream dependencies pulled in
+;; while building the closure.
+(define (cuirass-jobs store arguments)
+  (append-map
+   (lambda (system)
+     (append (substitute-system-jobs store system)
+             (substitute-file-jobs store system)))
+   (arguments->systems arguments)))

tribes/ci/artifacts.scm

@@ -9,6 +9,7 @@
   #:use-module (gnu packages nss)
   #:use-module (gnu system)
   #:use-module (guix build-system gnu)
+  #:use-module (guix channels)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (guix monads)
@@ -17,9 +18,6 @@
   #:use-module (guix scripts pack)
   #:use-module (guix store)
   #:use-module (ice-9 match)
-  #:use-module (manifests substitutes base)
-  #:use-module (manifests substitutes installer)
-  #:use-module (manifests substitutes tribes-node)
   #:use-module (nbde system build-host-kexec-installer)
   #:use-module (srfi srfi-1)
   #:use-module (tribes ci substitutes)
@@ -33,7 +31,7 @@
             artifact-job
             arguments->systems
             arguments->channel-commit
-            substitute-manifest-jobs
+            substitute-channel-profile-jobs
             substitute-system-jobs
             substitute-file-jobs))
 
@@ -173,7 +171,8 @@
                             (file-exists? path))
                    (copy-recursively path
                                      (string-append squashfs-root "/"
-                                                    (basename path)))))
+                                                    (basename path))
+                                     #:keep-mtime? #t)))
                (delete-duplicates
                 (append (list system boot-path)
                         (read-lines "system-graph"))))
@@ -249,10 +248,55 @@
     (repository
      (repository-field 'commit repository))))
 
-(define %substitute-manifest-targets
+(define (arguments->channels arguments)
-  `((base . ,base-manifest)
+  (filter-map sexp->channel (or (assoc-ref arguments 'channels) '())))
-    (installer . ,installer-manifest)
+
-    (tribes-node . ,tribes-node-manifest)))
+(define (canonical-time-machine-channel channel)
+  ;; Cuirass passes channel sexps whose URLs point at its pre-fetched
+  ;; /gnu/store checkouts and whose introductions were dropped when Cuirass
+  ;; created channel instances from those checkouts.  That is correct for
+  ;; evaluating custom jobs inside Cuirass, but it does not match the profile
+  ;; computed by `guix time-machine -C channels.scm` on Legion installers,
+  ;; where the channel URLs and introductions come from the public channel
+  ;; file.  Reconstruct those canonical fields while preserving the evaluated
+  ;; commits.
+  (let* ((channel-name* (channel-name channel))
+         (canonical-url (match channel-name*
+                          ('guix "https://git.teralink.net/tribes/guix-fork.git")
+                          ('tribes "https://git.teralink.net/tribes/guix-tribes.git")
+                          (_ (channel-url channel))))
+         (canonical-introduction
+          (or (channel-introduction channel)
+              (match channel-name*
+                ('guix
+                 (make-channel-introduction
+                  "093f27dde01cdbda68f2ec4b81e5a34ae180aab9"
+                  (openpgp-fingerprint
+                   "6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3")))
+                ('tribes
+                 (make-channel-introduction
+                  "607c69a5c1662acca07ad72c3e18646c73500856"
+                  (openpgp-fingerprint
+                   "6688 9153 C51C 4613 A493  A525 2F0D FD14 EF99 DAC3")))
+                (_ #f)))))
+    ((@@ (guix channels) make-channel)
+     channel-name*
+     canonical-url
+     (channel-branch channel)
+     (channel-commit channel)
+     canonical-introduction
+     #f)))
+
+(define (substitute-channel-profile-jobs store arguments system)
+  (let ((channels (map canonical-time-machine-channel
+                       (arguments->channels arguments))))
+    (if (null? channels)
+        '()
+        (list (artifact-job store
+                            "substitute-channel-profile"
+                            (lambda ()
+                              (latest-channel-derivation channels))
+                            system)))))
 
 (define %substitute-file-targets
   `((bios-bootloader-configuration . ,bios-bootloader-configuration)
@@ -260,12 +304,6 @@
     (efi-bootloader-configuration . ,efi-bootloader-configuration)
     (efi-bootloader-configuration-installer . ,efi-bootloader-configuration-installer)))
 
-(define (manifest-profile manifest)
-  (profile
-   (content manifest)
-   (hooks %default-profile-hooks)
-   (locales? #t)))
-
 (define (artifact-job store name proc system)
   (let ((drv (parameterize ((%current-system system)
                             (%graft? #f))
@@ -279,17 +317,6 @@
                      #:max-silent-time 3600
                      #:timeout 72000)))
 
-(define (substitute-manifest-jobs store system)
-  (map (match-lambda
-         ((name . manifest)
-          (artifact-job store
-                        (string-append "substitute-manifest-"
-                                       (symbol->string name))
-                        (lambda ()
-                          (lower-object (manifest-profile manifest)))
-                        system)))
-       %substitute-manifest-targets))
-
 (define (substitute-system-jobs store system)
   (map (match-lambda
          ((name . os)

tribes/ci/channel.scm

@@ -0,0 +1,12 @@
+(define-module (tribes ci channel)
+  #:use-module (srfi srfi-1)
+  #:use-module (tribes ci artifacts)
+  #:export (cuirass-jobs))
+
+;; Cheap canary spec: emit only the channel-instance derivation, so a
+;; "tribes modules compile and the checkout is reachable" signal is
+;; independent of any package or system build.
+(define (cuirass-jobs store arguments)
+  (append-map (lambda (system)
+                (substitute-channel-profile-jobs store arguments system))
+              (arguments->systems arguments)))

tribes/ci/fixtures/root-authorized_keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITestLegionSharedBuilder legion@example.invalid

tribes/ci/substitutes.scm

@@ -15,11 +15,13 @@
   #:use-module (nbde system initrd)
   #:use-module (nbde system mapped-devices)
   #:use-module (tribes config host)
+  #:use-module (tribes config system-facts)
   #:use-module (tribes packages plugins)
   #:use-module (tribes packages source)
   #:use-module (tribes plugins registry)
   #:use-module (tribes services tribes)
   #:use-module (tribes system installer)
+  #:use-module (tribes system materialize)
   #:use-module (tribes system node)
   #:export (phase1-operating-system
             base-edge-operating-system
@@ -142,7 +144,6 @@
     (tribes-edge-configuration
      (certificate-name "node1-example-invalid")
      (certificate-subjects '("node1.example.invalid"))
-     (certificate-email "ops@example.invalid")
      (certificate-profile "shortlived")
      (renew-days 4)
      (http-port 80)
@@ -153,6 +154,25 @@
      (cache-port 6081)
      (cache-storage '("malloc,256M"))))))
 
+(define (ci-authorized-keys-file-name)
+  (or (search-path %load-path "tribes/ci/fixtures/root-authorized_keys")
+      (error "failed to locate CI authorized_keys fixture")))
+(define %ci-system-facts
+  (tribes-system-facts
+   (host-name "tribes-ci-base-edge")
+   (interface "eth0")
+   (boot-mode "bios")
+   (bootloader-targets (list "/dev/sda"))
+   (boot-partition-uuid "11111111-2222-3333-4444-555555555555")
+   (boot-partition-file-system-type "ext4")
+   (root-luks-uuid "66666666-7777-8888-9999-aaaaaaaaaaaa")
+   (root-mapper-name "cryptroot")
+   (root-file-system-type "ext4")
+   (authorized-keys-file (ci-authorized-keys-file-name))
+   (local-boot-key-file "/boot/nbde/local-boot.key")
+   (tang-port 7654)
+   (initrd-network-timeout-seconds 20)
+   (enable-bbr? #t)))
 (define* (ci-operating-system name plugins
                               #:key
                               (bootloader
@@ -170,6 +190,10 @@
    #:interface "eth0"
    #:authorized-keys-file %ci-authorized-keys-file
    #:extra-services %ci-nbde-services))
+(define (ci-materialized-operating-system plugins)
+  (tribes-host-configuration+system-facts->operating-system
+   (ci-host-configuration plugins)
+   %ci-system-facts))
 
 (define* (bootloader-ci-operating-system name bootloader file-systems)
   (operating-system
@@ -228,24 +252,24 @@
   (ci-operating-system "tribes-ci-phase1" '()))
 
 (define base-edge-operating-system
-  (ci-operating-system "tribes-ci-base-edge" '()))
+  (ci-materialized-operating-system '()))
 
 (define aether-edge-operating-system
   (ci-operating-system "tribes-ci-aether-edge"
-                       (list (plugin-by-name "aether"))))
+                       (list (plugin-by-name "tribe-one-aether"))))
 
 (define kobold-edge-operating-system
   (ci-operating-system "tribes-ci-kobold-edge"
-                       (list (plugin-by-name "trust")
+                       (list (plugin-by-name "tribe-one-trust")
-                             (plugin-by-name "kobold"))))
+                             (plugin-by-name "tribe-one-kobold"))))
 
 (define sender-edge-operating-system
   (ci-operating-system "tribes-ci-sender-edge"
-                       (list (plugin-by-name "sender"))))
+                       (list (plugin-by-name "tribe-one-sender"))))
 
 (define supertest-edge-operating-system
   (ci-operating-system "tribes-ci-supertest-edge"
-                       (list (plugin-by-name "supertest"))))
+                       (list (plugin-by-name "tribe-one-supertest"))))
 
 (define %substitute-operating-system-targets
   `((phase1 . ,phase1-operating-system)

tribes/config/host.scm

@@ -173,11 +173,17 @@
        (certificate-subjects
         (optional-string-list edge-json "certificateSubjects"
                               (tribes-edge-configuration-certificate-subjects edge-defaults)))
-       (certificate-email
-        (required-string edge-json "certificateEmail"))
        (certificate-profile
         (optional-string edge-json "certificateProfile"
                          (tribes-edge-configuration-certificate-profile edge-defaults)))
+       (certificate-challenge-mode
+        (optional-string edge-json "certificateChallengeMode"
+                         (tribes-edge-configuration-certificate-challenge-mode edge-defaults)))
+       (certificate-dns-provider
+        (json-string-ref edge-json "certificateDnsProvider"))
+       (certificate-environment-variables
+        (optional-string-list edge-json "certificateEnvironmentVariables"
+                              (tribes-edge-configuration-certificate-environment-variables edge-defaults)))
        (renew-days
         (optional-integer edge-json "renewDays"
                           (tribes-edge-configuration-renew-days edge-defaults)))

tribes/packages/kernel.scm

@@ -33,9 +33,10 @@
     "CONFIG_X86_USER_SHADOW_STACK=y"))
 
 (define %tribes-linux-disabled-options
-  '(;; Headless/text-console targets: keep VGA/framebuffer consoles, but drop
+  '(;; Keep DRM/KMS enabled so the installer has a local console on generic
-    ;; DRM/KMS GPU drivers and display acceleration stacks.
+    ;; virtual and real hardware.  This costs roughly 15 MiB in the kexec image
-    "DRM"
+    ;; compared to disabling DRM wholesale, but preserves Proxmox/QEMU VGA and
+    ;; common real-hardware GPU/BMC consoles.
 
     ;; No audio output/input stack on Tribes server deployments.
     "SOUND"

tribes/packages/mix.scm

@@ -8,12 +8,11 @@
   #:use-module (gnu packages bash)
   #:use-module (gnu packages base)
   #:use-module (gnu packages compression)
-  #:use-module (gnu packages elixir)
-  #:use-module (gnu packages erlang)
   #:use-module (gnu packages node)
   #:use-module (gnu packages certs)
   #:use-module (gnu packages nss)
   #:use-module (gnu packages version-control)
+  #:use-module (tribes packages otp)
   #:export (fetch-mix-deps
             fetch-npm-deps
             mix-release-package))
@@ -44,14 +43,14 @@ SOURCE according to mix.lock."
            (string-append work "/ca-certificates.crt"))
          (define hex-lib-dir
            (string-append
-            #$(file-append elixir-hex "/lib/elixir/1.19")
+            #$(file-append elixir-hex-otp28 "/lib/elixir/1.19")
             ":"
-            #$(file-append elixir-hex "/lib/elixir/1.18")))
+            #$(file-append elixir-hex-otp28 "/lib/elixir/1.18")))
          (define path
            (string-join
-            (list #$(file-append elixir "/bin")
+            (list #$(file-append elixir-otp28 "/bin")
-                  #$(file-append elixir-hex "/bin")
+                  #$(file-append elixir-hex-otp28 "/bin")
-                  #$(file-append rebar3 "/bin")
+                  #$(file-append rebar3-otp28 "/bin")
                   #$(file-append bash-minimal "/bin")
                   #$(file-append coreutils "/bin")
                   #$(file-append findutils "/bin")
@@ -82,7 +81,7 @@ SOURCE according to mix.lock."
          (setenv "MIX_ENV" #$mix-env)
          (setenv "MIX_TARGET" #$mix-target)
          (setenv "MIX_OS_CONCURRENCY_LOCK" "0")
-         (setenv "MIX_REBAR3" #$(file-append rebar3 "/bin/rebar3"))
+         (setenv "MIX_REBAR3" #$(file-append rebar3-otp28 "/bin/rebar3"))
          (setenv "REBAR_GLOBAL_CONFIG_DIR" (string-append work "/rebar3"))
          (setenv "REBAR_CACHE_DIR" (string-append work "/rebar3.cache"))
          (setenv "LANG" "C.UTF-8")
@@ -280,16 +279,16 @@ MIX-FOD-DEPS as a pre-fetched dependency tree."
                 (string-append work "/ca-certificates.crt"))
               (define hex-lib-dir
                 (string-append
-                 #$(file-append elixir-hex "/lib/elixir/1.19")
+                 #$(file-append elixir-hex-otp28 "/lib/elixir/1.19")
                  ":"
-                 #$(file-append elixir-hex "/lib/elixir/1.18")))
+                 #$(file-append elixir-hex-otp28 "/lib/elixir/1.18")))
               (define aclocal-path
                 (string-join (list #$@aclocal-dirs) ":"))
               (define path
                 (string-join
-                 (list #$(file-append elixir "/bin")
+                 (list #$(file-append elixir-otp28 "/bin")
-                       #$(file-append elixir-hex "/bin")
+                       #$(file-append elixir-hex-otp28 "/bin")
-                       #$(file-append rebar3 "/bin")
+                       #$(file-append rebar3-otp28 "/bin")
                        #$(file-append bash-minimal "/bin")
                        #$(file-append coreutils "/bin")
                        #$(file-append findutils "/bin")
@@ -330,8 +329,8 @@ MIX-FOD-DEPS as a pre-fetched dependency tree."
               (setenv "MIX_OS_CONCURRENCY_LOCK" "0")
               (setenv "MIX_OS_DEPS_COMPILE_PARTITION_COUNT" "6")
               (setenv "HEX_OFFLINE" "1")
-              (setenv "MIX_REBAR" #$(file-append rebar3 "/bin/rebar3"))
+              (setenv "MIX_REBAR" #$(file-append rebar3-otp28 "/bin/rebar3"))
-              (setenv "MIX_REBAR3" #$(file-append rebar3 "/bin/rebar3"))
+              (setenv "MIX_REBAR3" #$(file-append rebar3-otp28 "/bin/rebar3"))
               (setenv "REBAR_GLOBAL_CONFIG_DIR" (string-append work "/rebar3"))
               (setenv "REBAR_CACHE_DIR" (string-append work "/rebar3.cache"))
               (setenv "SHELL" #$(file-append bash-minimal "/bin/sh"))
@@ -386,9 +385,9 @@ MIX-FOD-DEPS as a pre-fetched dependency tree."
               findutils
               git-minimal
               nss-certs
-              rebar3
+              rebar3-otp28
-              elixir
+              elixir-otp28
-              elixir-hex)
+              elixir-hex-otp28)
         native-inputs))
       (inputs inputs)
       (arguments package-arguments)

tribes/packages/otp.scm

@@ -0,0 +1,97 @@
+(define-module (tribes packages otp)
+  #:use-module (guix base32)
+  #:use-module (guix download)
+  #:use-module (guix git-download)
+  #:use-module (guix packages)
+  #:use-module (guix utils)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages elixir)
+  #:use-module (gnu packages erlang)
+  #:use-module (gnu packages perl)
+  #:export (erlang-28
+            rebar3-otp28
+            elixir-otp28
+            elixir-hex-otp28))
+
+(define-public erlang-28
+  (package
+    (inherit erlang)
+    (name "erlang-28")
+    (version "28.5.0.2")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/erlang/otp")
+             (commit (string-append "OTP-" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "0far6szk9h85njn7vwpg4pp9zkxrbyak0w7cr8iymg90s693c34q"))
+       (patches (search-patches "erlang-man-path.patch"))))
+    (arguments
+     (substitute-keyword-arguments (package-arguments erlang)
+       ((#:configure-flags flags)
+        `(append
+          (map (lambda (flag)
+                 (if (string=? flag "--enable-wx")
+                     "--without-wx"
+                     flag))
+               ,flags)
+          ;; OTP does not automatically skip applications that depend on wx.
+          '("--without-debugger"
+            "--without-observer"
+            "--without-et"
+            "--without-reltool")))
+       ((#:phases phases)
+        `(modify-phases ,phases
+           ;; OTP 28.5.0.2 no longer creates this directory during the first
+           ;; pass, but the inherited second-pass clean target still rmdirs it.
+           (add-after 'copy-modified-compiler
+                      'create-erl-interface-erts-clean-dir
+             (lambda _
+               (mkdir-p "lib/erl_interface/src/erts")))))))
+    (inputs
+     (modify-inputs (package-inputs erlang)
+       (delete "wxwidgets")))
+    (propagated-inputs '())
+    (native-inputs
+     `(("perl" ,perl)
+       ("erlang-manpages"
+        ,(origin
+           (method url-fetch)
+           (uri (string-append
+                 "https://github.com/erlang/otp/releases/download"
+                 "/OTP-" version "/otp_doc_man_" version ".tar.gz"))
+           (sha256
+            (base32
+             "02k1dvjfqq4pml8p789spkpj99szsiqqbzhd8kmb9dx30g565mzy"))))))))
+
+(define-public rebar3-otp28
+  (package
+    (inherit rebar3)
+    (name "rebar3-otp28")
+    (native-inputs
+     (modify-inputs (package-native-inputs rebar3)
+       (replace "erlang" erlang-28)))))
+
+(define-public elixir-otp28
+  (package
+    (inherit elixir)
+    (name "elixir-otp28")
+    (arguments
+     (substitute-keyword-arguments (package-arguments elixir)
+       ((#:tests? _ #f)
+        #f)))
+    (inputs
+     (modify-inputs (package-inputs elixir)
+       (replace "erlang" erlang-28)
+       (replace "rebar3" rebar3-otp28)))))
+
+(define-public elixir-hex-otp28
+  (package
+    (inherit elixir-hex)
+    (name "elixir-hex-otp28")
+    (inputs
+     (modify-inputs (package-inputs elixir-hex)
+       (replace "elixir" elixir-otp28)))))

tribes/packages/source.scm

@@ -54,7 +54,7 @@
   "https://git.teralink.net/tribes/tribes.git")
 
 (define %tribes-commit
-  "408c39553e4258dd75409eebfa0ffa4380591be0")
+  "b2fa84f34299a0a2a966d239826adba6b56e2dc3")
 
 (define %tribes-revision "1")
 
@@ -62,7 +62,7 @@
   (git-version "0.2.0" %tribes-revision %tribes-commit))
 
 (define %tribes-source-sha256
-  "16xn3vs6py74z4wrclwapzh18frrp5i663clvwid4l4kmivz833y")
+  "0v4dl4rx0l2rvwvklfhaxvzf8xdgqmpv5lmhv2dvivql3yk91awi")
 
 (define %tribes-upstream-source
   (origin

tribes/packages/web.scm

@@ -79,6 +79,7 @@ QUIC support.")
       #:make-flags
       #~(list "LUA_LIB_NAME=lua"
               "TARGET=linux-glibc"
+              "USE_LINUX_CAP=1"
               "USE_LUA=1"
               "USE_OPENSSL_AWSLC=1"
               "USE_PCRE2=1"

tribes/plugins/aether.scm

@@ -16,7 +16,7 @@
   %aether-home-page)
 
 (define %aether-commit
-  "80101b7e78808cea9151f1827777edea5c08ba1f")
+  "995160f95e31efe4d026662885d4b016f144ce9a")
 
 (define %aether-revision "1")
 
@@ -24,7 +24,7 @@
   (git-version "0.2.0" %aether-revision %aether-commit))
 
 (define %aether-source-sha256
-  "0shylw4s75djanqm7h82j8advjg96im6n4wr6fz6kwbj5hs8aq4b")
+  "1jp52q70z1djiglm03b81zh7zgn87gbf207xwih24h6a0zddsmgs")
 
 (define %aether-mix-deps-sha256
   "1pk1qv8skbgzi0wg59zj9aiyxx2hxl2k6ngxqqbwvj7wsbiz95bb")
@@ -68,7 +68,7 @@
    "External Tribes plugin artifact for Aether, packaged as a Guix-managed
 plugin directory."
    #:plugin-id "org.tribe-one.plugins.aether"
-   #:plugin-slug "aether"
+   #:plugin-slug "tribe-one-aether"
    #:display-name "Aether"
    #:provides '("org.tribe-one.caps.social@1" "org.tribe-one.caps.chat@1")
    #:requires '("org.tribe-one.caps.ui@1")
@@ -104,7 +104,7 @@ artifact."
    "External Tribes plugin artifact for Aether, packaged as a Guix-managed
 plugin directory."
    #:plugin-id "org.tribe-one.plugins.aether"
-   #:plugin-slug "aether"
+   #:plugin-slug "tribe-one-aether"
    #:display-name "Aether"
    #:provides '("org.tribe-one.caps.social@1" "org.tribe-one.caps.chat@1")
    #:requires '("org.tribe-one.caps.ui@1")

tribes/plugins/built-ins.scm

@@ -27,7 +27,7 @@
 (define guix-tribes-built-in-plugin-definitions
   (list
    (tribes-plugin-definition
-    (name "tribes_ui")
+    (name "tribe-one-tribes-ui")
     (package-name "tribes")
     (version "0.1.0")
     (synopsis "Default Tribes UI capability provider")

tribes/plugins/kobold.scm

@@ -16,7 +16,7 @@
   %kobold-home-page)
 
 (define %kobold-commit
-  "74b6c44e4dcfbeaf02f77620b5675f11781ad1eb")
+  "4658b762411f014b531d4acc5aaea05463dbfca3")
 
 (define %kobold-revision "1")
 
@@ -24,7 +24,7 @@
   (git-version "0.1.0" %kobold-revision %kobold-commit))
 
 (define %kobold-source-sha256
-  "1xxysbslh1fa57873n4669mi874byv861w934mz9g3zszr120ijn")
+  "0qrssm32apandr2m4fsh56v6ay7b31630k7g033f17fwxlrlbq34")
 
 (define %kobold-mix-deps-sha256
   "1pk1qv8skbgzi0wg59zj9aiyxx2hxl2k6ngxqqbwvj7wsbiz95bb")
@@ -68,7 +68,7 @@
    "External Tribes plugin artifact for Kobold distributed datasets,
 packaged as a Guix-managed plugin directory."
    #:plugin-id "org.tribe-one.plugins.kobold"
-   #:plugin-slug "kobold"
+   #:plugin-slug "tribe-one-kobold"
    #:display-name "Kobold"
    #:provides '("org.tribes.kobold.dataset@1")
    #:requires '("org.tribe-one.caps.ui@1" "org.tribes.alliance.trust@1")
@@ -103,7 +103,7 @@ packaged as a Guix-managed plugin directory."
    "External Tribes plugin artifact for Kobold distributed datasets,
 packaged as a Guix-managed plugin directory."
    #:plugin-id "org.tribe-one.plugins.kobold"
-   #:plugin-slug "kobold"
+   #:plugin-slug "tribe-one-kobold"
    #:display-name "Kobold"
    #:provides '("org.tribes.kobold.dataset@1")
    #:requires '("org.tribe-one.caps.ui@1" "org.tribes.alliance.trust@1")

tribes/plugins/sender.scm

@@ -17,7 +17,7 @@
   %sender-home-page)
 
 (define %sender-commit
-  "ee7d0ac29fb583e1c5f75001984622c2ba7e56b1")
+  "cdbfef7cd300c581b74b7aa61e7c35fb52e7ccff")
 
 (define %sender-revision "1")
 
@@ -25,7 +25,7 @@
   (git-version "0.1.0" %sender-revision %sender-commit))
 
 (define %sender-source-sha256
-  "1bbgi20j99ym9yiv78w3j590wpf400bdkfiqf9s1ra31dgfzzq4v")
+  "1nbybxiyihqv0avjkrl4x1k0iz5cyljcs38zvb6kln474v6qz0ly")
 
 (define %sender-mix-deps-sha256
   "08mdy38247dqni8f84y09m8vz6hvjakvc4ml28x1jxqvq53s4nq3")
@@ -72,7 +72,7 @@
    "External Tribes plugin artifact for RTMP ingest and HLS streaming,
 packaged as a Guix-managed plugin directory."
    #:plugin-id "org.tribe-one.plugins.sender"
-   #:plugin-slug "sender"
+   #:plugin-slug "tribe-one-sender"
    #:display-name "Sender"
    #:provides '("org.tribe-one.caps.sender@1")
    #:requires '("org.tribe-one.caps.ui@1")
@@ -112,7 +112,7 @@ artifact."
    "External Tribes plugin artifact for RTMP ingest and HLS streaming,
 packaged as a Guix-managed plugin directory."
    #:plugin-id "org.tribe-one.plugins.sender"
-   #:plugin-slug "sender"
+   #:plugin-slug "tribe-one-sender"
    #:display-name "Sender"
    #:provides '("org.tribe-one.caps.sender@1")
    #:requires '("org.tribe-one.caps.ui@1")

tribes/plugins/supertest.scm

@@ -16,7 +16,7 @@
   %supertest-home-page)
 
 (define %supertest-commit
-  "afc38412c4362ea2e5b1fe9fe08f1cffe60edf34")
+  "982243e64a132c4ae082234e775fa9f0e98b8eb4")
 
 (define %supertest-revision "1")
 
@@ -24,7 +24,7 @@
   (git-version "0.1.1" %supertest-revision %supertest-commit))
 
 (define %supertest-source-sha256
-  "1si0bis5k47j22cv7cbbah86ilrxvrbncld4isvyb17zan7ig0q6")
+  "0mk4ph2ibnqvcca55n9dnlmfg6abm9p8bz3wsq8913crk55hw2qa")
 
 (define %supertest-mix-deps-sha256
   "1pk1qv8skbgzi0wg59zj9aiyxx2hxl2k6ngxqqbwvj7wsbiz95bb")
@@ -65,7 +65,7 @@
    #:description
    "External Tribes plugin artifact used by live rollout and sync tests."
    #:plugin-id "org.tribe-one.plugins.supertest"
-   #:plugin-slug "supertest"
+   #:plugin-slug "tribe-one-supertest"
    #:display-name "Supertest"
    #:provides '()
    #:requires '()
@@ -95,7 +95,7 @@
    #:description
    "External Tribes plugin artifact used by live rollout and sync tests."
    #:plugin-id "org.tribe-one.plugins.supertest"
-   #:plugin-slug "supertest"
+   #:plugin-slug "tribe-one-supertest"
    #:display-name "Supertest"
    #:provides '()
    #:requires '()

tribes/plugins/trust.scm

@@ -16,7 +16,7 @@
   %trust-home-page)
 
 (define %trust-commit
-  "f08af20cd5cd2dbbb50e4472bf1a5d8ed1b73c21")
+  "157106aa66ecd7ce5f7f5a8a90c30a1f22e2fe74")
 
 (define %trust-revision "1")
 
@@ -24,7 +24,7 @@
   (git-version "0.1.0" %trust-revision %trust-commit))
 
 (define %trust-source-sha256
-  "1zsg57mr3bjxrxvim77z2as1jqr8a3anfp0jgqz0ycz6rzai58dp")
+  "0k1gzpd5f5q3mczmxw0rwx7zwqxkspzk0zfpm1a130fd4dqc9y5z")
 
 (define %trust-mix-deps-sha256
   "1pk1qv8skbgzi0wg59zj9aiyxx2hxl2k6ngxqqbwvj7wsbiz95bb")
@@ -67,7 +67,7 @@
    #:description
    "External Tribes plugin artifact for tribe-to-tribe trust, alliance, and federation provider behavior."
    #:plugin-id "org.tribe-one.plugins.trust"
-   #:plugin-slug "trust"
+   #:plugin-slug "tribe-one-trust"
    #:display-name "Trust"
    #:provides '("org.tribes.alliance.trust@1" "org.tribes.federation.provider@1" "org.tribes.access.trust_provider@1")
    #:requires '("org.tribe-one.caps.ui@1")
@@ -101,7 +101,7 @@
    #:description
    "External Tribes plugin artifact for tribe-to-tribe trust, alliance, and federation provider behavior."
    #:plugin-id "org.tribe-one.plugins.trust"
-   #:plugin-slug "trust"
+   #:plugin-slug "tribe-one-trust"
    #:display-name "Trust"
    #:provides '("org.tribes.alliance.trust@1" "org.tribes.federation.provider@1" "org.tribes.access.trust_provider@1")
    #:requires '("org.tribe-one.caps.ui@1")

tribes/services/haproxy.scm

@@ -83,6 +83,19 @@
 (define (haproxy-lines lines)
   (string-concatenate (map haproxy-indent lines)))
 
+(define (haproxy-crt-arguments pem-files)
+  (string-join
+   (append-map (lambda (pem-file)
+                 (list "crt" pem-file))
+               pem-files)
+   " "))
+
+(define (haproxy-tls-bind-line frontend pem-files alpn)
+  (string-append "bind " frontend
+                 " ssl "
+                 (haproxy-crt-arguments pem-files)
+                 " alpn " alpn))
+
 (define (haproxy-http-frontend http-frontends acme-backend)
   (if (null? http-frontends)
       ""
@@ -119,6 +132,7 @@
        (haproxy-lines
         (append
          (list "log /dev/log local0"
+               "setcap cap_net_bind_service"
                (string-append "user " user)
                (string-append "group " group)
                "maxconn 32768"
@@ -144,24 +158,15 @@
        "frontend tribes_tls\n"
        (haproxy-lines
         (append
-         (append-map
+         (if (null? pem-files)
-          (lambda (frontend)
+             '()
-            (map
+             (append
-             (lambda (pem-file)
+              (map (lambda (frontend)
-               (string-append "bind " frontend
+                     (haproxy-tls-bind-line frontend pem-files "h2,http/1.1"))
-                              " ssl crt " pem-file
+                   frontends)
-                              " alpn h2,http/1.1"))
+              (map (lambda (frontend)
-             pem-files))
+                     (haproxy-tls-bind-line frontend pem-files "h3"))
-          frontends)
+                   quic-frontends)))
-         (append-map
-          (lambda (frontend)
-            (map
-             (lambda (pem-file)
-               (string-append "bind " frontend
-                              " ssl crt " pem-file
-                              " alpn h3"))
-             pem-files))
-          quic-frontends)
          '("http-response set-header alt-svc 'h3=\":443\"; ma=86400'")
          '("default_backend tribes_edge_cache")
          extra-frontend))

tribes/services/lego.scm

@@ -22,6 +22,8 @@
             lego-certificate-configuration-profile
             lego-certificate-configuration-listen-http
             lego-certificate-configuration-webroot
+            lego-certificate-configuration-dns-provider
+            lego-certificate-configuration-environment-variables
             lego-certificate-configuration-key-type
             lego-certificate-configuration-acme-enabled?
             lego-certificate-configuration-renew-days
@@ -29,6 +31,7 @@
             lego-certificate-configuration-reload-services
             lego-certificate-directory
             lego-certificate-full-pem
+            subject-is-ip?
             lego-configuration
             lego-configuration?
             lego-configuration-package
@@ -52,6 +55,10 @@
                (default #f))
   (webroot lego-certificate-configuration-webroot
            (default #f))
+  (dns-provider lego-certificate-configuration-dns-provider
+                (default #f))
+  (environment-variables lego-certificate-configuration-environment-variables
+                         (default '()))
   (key-type lego-certificate-configuration-key-type
             (default "ec384"))
   (acme-enabled? lego-certificate-configuration-acme-enabled?
@@ -106,6 +113,7 @@
 (define (lego-common-arguments certificate)
   (let ((listen-http (lego-certificate-configuration-listen-http certificate))
         (webroot (lego-certificate-configuration-webroot certificate))
+        (dns-provider (lego-certificate-configuration-dns-provider certificate))
         (subjects (lego-certificate-configuration-subjects certificate))
         (email (lego-certificate-configuration-email certificate))
         (server (lego-certificate-configuration-server certificate))
@@ -122,10 +130,16 @@
                 (lego-certificate-configuration-name certificate))
          '())
      (cond
+      ((and listen-http dns-provider)
+       (list "--http" "--http.port" listen-http "--dns" dns-provider))
+      ((and webroot dns-provider)
+       (list "--http" "--http.webroot" webroot "--dns" dns-provider))
       (listen-http
        (list "--http" "--http.port" listen-http))
       (webroot
        (list "--http" "--http.webroot" webroot))
+      (dns-provider
+       (list "--dns" dns-provider))
       (else
        (list "--http")))
      (if server
@@ -196,6 +210,8 @@
          (key-output (string-append state-dir "/key.pem"))
          (full-pem (string-append state-dir "/full.pem"))
          (last-run-log (lego-certificate-last-run-log certificate))
+         (environment-variables
+          (lego-certificate-configuration-environment-variables certificate))
          (run-arguments
           (append (lego-common-arguments certificate)
                   (list "run")
@@ -238,6 +254,15 @@
                    (new (file-contents #$certificate-file)))
                (not (equal? old new))))
 
+           (define (apply-environment! variables)
+             (for-each
+              (lambda (variable)
+                (let ((separator (string-index variable #\=)))
+                  (when separator
+                    (setenv (substring variable 0 separator)
+                            (substring variable (+ separator 1))))))
+              variables))
+
            (define (run-lego lego args)
              (let* ((log-port (open-output-file #$last-run-log))
                     (port (apply open-pipe* OPEN_READ
@@ -264,6 +289,7 @@
                    (run-lego lego args))))
 
            (mkdir-p #$state-dir)
+           (apply-environment! '#$environment-variables)
 
            (let ((lego #$(file-append
                           (lego-configuration-package config)

tribes/system/installer.scm

@@ -24,7 +24,7 @@ Tribes service using an explicit host configuration record."
   (let* ((node-config
           (tribes-node-configuration
            (postgresql (postgresql-configuration
-                        (postgresql postgresql)))
+                        (postgresql postgresql-17)))
            (tribes (tribes-host-configuration-tribes host-configuration))
            (edge (tribes-host-configuration-edge host-configuration))
            (enable-bbr? enable-bbr?))))

tribes/system/node.scm

@@ -1,4 +1,5 @@
 (define-module (tribes system node)
+  #:use-module (gnu packages)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages monitoring)
@@ -23,8 +24,10 @@
             tribes-edge-configuration?
             tribes-edge-configuration-certificate-name
             tribes-edge-configuration-certificate-subjects
-            tribes-edge-configuration-certificate-email
             tribes-edge-configuration-certificate-profile
+            tribes-edge-configuration-certificate-challenge-mode
+            tribes-edge-configuration-certificate-dns-provider
+            tribes-edge-configuration-certificate-environment-variables
             tribes-edge-configuration-renew-days
             tribes-edge-configuration-http-port
             tribes-edge-configuration-https-port
@@ -48,10 +51,15 @@
                     (default "tribes"))
   (certificate-subjects tribes-edge-configuration-certificate-subjects
                         (default '()))
-  (certificate-email tribes-edge-configuration-certificate-email
-                     (default #f))
   (certificate-profile tribes-edge-configuration-certificate-profile
                        (default "shortlived"))
+  (certificate-challenge-mode tribes-edge-configuration-certificate-challenge-mode
+                              (default "http"))
+  (certificate-dns-provider tribes-edge-configuration-certificate-dns-provider
+                            (default #f))
+  (certificate-environment-variables
+   tribes-edge-configuration-certificate-environment-variables
+   (default '()))
   (renew-days tribes-edge-configuration-renew-days
               (default 4))
   (http-port tribes-edge-configuration-http-port
@@ -74,7 +82,12 @@
   tribes-node-configuration?
   (postgresql tribes-node-configuration-postgresql
               (default (postgresql-configuration
-                        (postgresql postgresql))))
+                        (postgresql postgresql-17)
+                        (config-file
+                         (postgresql-config-file
+                          (extra-config
+                           '(("log_min_duration_statement" 1000)
+                             ("log_line_prefix" "%m [%p] user=%u db=%d app=%a client=%h "))))))))
   (tribes tribes-node-configuration-tribes
           (default (tribes-configuration)))
   (edge tribes-node-configuration-edge
@@ -95,28 +108,65 @@
         (list (tribes-configuration-host tribes))
         subjects)))
 
-(define (edge-certificate-config edge tribes)
+(define (edge-certificate-http-listen edge)
+  (format #f "~a:~a"
+          (tribes-edge-configuration-challenge-address edge)
+          (tribes-edge-configuration-challenge-port edge)))
+
+(define (edge-lego-certificate edge name subjects listen-http dns-provider self-signed-only?)
+  (lego-certificate-configuration
+   (name name)
+   (subjects subjects)
+   (profile
+    (and (not self-signed-only?)
+         (tribes-edge-configuration-certificate-profile edge)))
+   (listen-http listen-http)
+   (dns-provider dns-provider)
+   (environment-variables
+    (tribes-edge-configuration-certificate-environment-variables edge))
+   (acme-enabled? (not self-signed-only?))
+   (renew-days (tribes-edge-configuration-renew-days edge))
+   (requirement '(haproxy))
+   (reload-services '(haproxy))))
+
+(define (edge-certificate-configs edge tribes)
   (let* ((subjects (edge-certificate-subjects edge tribes))
-         (email (tribes-edge-configuration-certificate-email edge))
+         (name (tribes-edge-configuration-certificate-name edge))
+         (mode (tribes-edge-configuration-certificate-challenge-mode edge))
+         (dns-provider (tribes-edge-configuration-certificate-dns-provider edge))
          (certificate-profile
           (tribes-edge-configuration-certificate-profile edge))
-         (self-signed-only? (string=? certificate-profile "self-signed")))
+         (self-signed-only? (string=? certificate-profile "self-signed"))
-    (unless email
+         (http-listen (edge-certificate-http-listen edge))
-      (error "edge certificate email is required"
+         (ip-subjects (filter subject-is-ip? subjects))
-             (tribes-edge-configuration-certificate-name edge)))
+         (dns-subjects (filter (lambda (subject)
-    (lego-certificate-configuration
+                                 (not (subject-is-ip? subject)))
-     (name (tribes-edge-configuration-certificate-name edge))
+                               subjects)))
-     (subjects subjects)
+    (cond
-     (email email)
+     ((string=? mode "http")
-     (profile (and (not self-signed-only?) certificate-profile))
+      (list (edge-lego-certificate edge name subjects http-listen #f
-     (listen-http
+                                   self-signed-only?)))
-      (format #f "~a:~a"
+     ((string=? mode "dns")
-              (tribes-edge-configuration-challenge-address edge)
+      (when (and (not self-signed-only?) (null? dns-subjects))
-              (tribes-edge-configuration-challenge-port edge)))
+        (error "DNS certificate challenge mode requires at least one DNS subject"))
-     (acme-enabled? (not self-signed-only?))
+      (when (and (not self-signed-only?) (not (null? ip-subjects)))
-     (renew-days (tribes-edge-configuration-renew-days edge))
+        (error "DNS certificate challenge mode cannot validate IP subjects"))
-     (requirement '(haproxy))
+      (when (and (not self-signed-only?) (not dns-provider))
-     (reload-services '(haproxy)))))
+        (error "DNS certificate challenge mode requires certificateDnsProvider"))
+      (list (edge-lego-certificate edge name subjects #f dns-provider
+                                   self-signed-only?)))
+     ((string=? mode "mixed")
+      (when (and (not self-signed-only?) (not dns-provider))
+        (error "mixed certificate challenge mode requires certificateDnsProvider"))
+      (when (and (not self-signed-only?) (or (null? ip-subjects) (null? dns-subjects)))
+        (error "mixed certificate challenge mode requires IP and DNS subjects"))
+      (list (edge-lego-certificate edge name subjects http-listen dns-provider
+                                   self-signed-only?)))
+     (else
+      (error "unsupported certificate challenge mode" mode)))))
+
+(define (edge-certificate-config edge tribes)
+  (car (edge-certificate-configs edge tribes)))
 
 (define (edge-cache-vcl-text edge tribes)
   (string-append
@@ -163,6 +213,13 @@
    "  }\n\n"
    "  return (pass);\n"
    "}\n\n"
+   "sub vcl_backend_fetch {\n"
+   "  if (bereq.url ~ \"^/api/admin/\") {\n"
+   "    set bereq.connect_timeout = 1s;\n"
+   "    set bereq.first_byte_timeout = 35s;\n"
+   "    set bereq.between_bytes_timeout = 35s;\n"
+   "  }\n"
+   "}\n\n"
    "sub vcl_backend_response {\n"
    "  if ((bereq.method == \"GET\" || bereq.method == \"HEAD\") &&\n"
    "      beresp.status >= 500 && beresp.status <= 599 &&\n"
@@ -205,14 +262,14 @@
 (define (edge-services config)
   (let* ((tribes (tribes-node-configuration-tribes config))
          (edge (tribes-node-configuration-edge config))
-         (certificate (edge-certificate-config edge tribes))
+         (certificates (edge-certificate-configs edge tribes))
          (cache-port (tribes-edge-configuration-cache-port edge))
          (http-port (tribes-edge-configuration-http-port edge))
          (https-port (tribes-edge-configuration-https-port edge)))
     (list
      (service lego-service-type
               (lego-configuration
-               (certificates (list certificate))))
+               (certificates certificates)))
      (service vinyl-service-type
               (list
                (vinyl-configuration
@@ -246,7 +303,15 @@
                 (format #f "~a:~a"
                         (tribes-edge-configuration-challenge-address edge)
                         (tribes-edge-configuration-challenge-port edge)))
-               (pem-files (list (lego-certificate-full-pem certificate))))))))
+               (pem-files (map lego-certificate-full-pem certificates)))))))
+
+;; Interactive toolkit installed into every node's system profile.  These are
+;; vanilla upstream packages an operator reaches for over SSH; shipping them in
+;; the system closure means they are both present on the node and served by our
+;; substitute mirror, instead of forcing a fallback to bordeaux/ci on first use.
+(define %tribes-node-operator-tools
+  (map specification->package
+       '("ripgrep" "fd" "tmux" "neovim" "btop")))
 
 (define (tribes-node-bbr-services config)
   (if (tribes-node-configuration-enable-bbr? config)
@@ -280,6 +345,9 @@
       (simple-service 'tribes-node-network-tools
                       profile-service-type
                       (list nftables))
+      (simple-service 'tribes-node-operator-tools
+                      profile-service-type
+                      %tribes-node-operator-tools)
       (service prometheus-node-exporter-service-type
                (prometheus-node-exporter-configuration
                 (package prometheus-node-exporter)