From b4f9cc52e6ccde8e139151542c2188d27abe8381 Mon Sep 17 00:00:00 2001 
From: chaos Date: Tue, 19 Sep 2023 17:53:44 +0100 Subject: [PATCH] more work on piped stuff --- data/pipedClusterConfig.nix | 35 +++++ data/pipedClusterPorts.nix | 8 ++ flake.lock | 15 +-- flake.nix | 3 +- home/{home-folders.nix => homeFolders.nix} | 0 ...l-backup-apps.nix => manualBackupApps.nix} | 2 +- .../containers/piped-fi/default.nix | 79 +++++++++++ .../{piped => piped-fi}/profiles/restic.nix | 14 +- .../containers/piped-fi/secrets.nix | 75 +++++++++++ .../containers/piped/data/ports.nix | 7 - hosts/hetzner-vm/containers/piped/default.nix | 124 ------------------ .../containers/piped/profiles/cockroachDB.nix | 20 --- .../containers/piped/profiles/piped.nix | 77 ----------- hosts/hetzner-vm/hetzner-vm.nix | 2 +- hosts/hetzner-vm/secrets.nix | 74 +---------- hosts/lappy-t495/lappy-t495.nix | 4 +- hosts/lappy-t495/secrets.nix | 4 +- hosts/raspberry/profiles/piped.nix | 6 +- outputs.nix | 2 +- profiles/pipedCluster/cockroachDB.nix | 40 ++++++ profiles/pipedCluster/haproxy.nix | 36 +++++ profiles/pipedCluster/piped.nix | 111 ++++++++++++++++ profiles/usbAutoMount.nix | 10 +- 23 files changed, 414 insertions(+), 334 deletions(-) create mode 100644 data/pipedClusterConfig.nix create mode 100644 data/pipedClusterPorts.nix rename home/{home-folders.nix => homeFolders.nix} (100%) rename home/{manual-backup-apps.nix => manualBackupApps.nix} (83%) create mode 100644 hosts/hetzner-vm/containers/piped-fi/default.nix rename hosts/hetzner-vm/containers/{piped => piped-fi}/profiles/restic.nix (56%) create mode 100644 hosts/hetzner-vm/containers/piped-fi/secrets.nix delete mode 100644 hosts/hetzner-vm/containers/piped/data/ports.nix delete mode 100644 hosts/hetzner-vm/containers/piped/default.nix delete mode 100644 hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix delete mode 100644 hosts/hetzner-vm/containers/piped/profiles/piped.nix create mode 100644 profiles/pipedCluster/cockroachDB.nix create mode 100644 profiles/pipedCluster/haproxy.nix create mode 100644 
profiles/pipedCluster/piped.nix
diff --git a/data/pipedClusterConfig.nix b/data/pipedClusterConfig.nix
new file mode 100644
index 0000000..282bb6a
--- /dev/null
+++ b/data/pipedClusterConfig.nix
@@ -0,0 +1,35 @@
+let
+ internalWireGuard = import ./chaosInternalWireGuard.nix;
+ ports = import ./pipedClusterPorts.nix;
+in rec {
+ inherit ports;
+
+ hosts = {
+ # map of hostname to config for cluster node
+ "piped-fi" = rec {
+ ip = "${internalWireGuard.hosts.hetzner-vm.ip}";
+
+ # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm
+ joinString = "${ip}:${toString ports.cockroachDB}";
+ advertiseAddr = joinString;
+
+ resticBucket = "Piped-Finland";
+
+ vaultUserName = "hetzner-vm-container-piped-fi";
+
+ baseDomain = "piped-fi.owo.monster";
+ };
+
+ "piped-uk" = rec {
+ ip = "${internalWireGuard.hosts.raspberry.ip}";
+
+ # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry
+ joinString = "${ip}:${toString ports.cockroachDB}";
+ advertiseAddr = joinString;
+
+ vaultUserName = "rapsberry-container-piped-uk";
+
+ baseDomain = "piped-uk.owo.monster";
+ };
+ };
+}
diff --git a/data/pipedClusterPorts.nix b/data/pipedClusterPorts.nix
new file mode 100644
index 0000000..552ce8b
--- /dev/null
+++ b/data/pipedClusterPorts.nix
@@ -0,0 +1,8 @@
+{
+ internalPipedBackend = 3012;
+ internalPipedProxy = 3013;
+
+ cockroachDB = 26257;
+ cockroachDB_HTTP = 3014;
+ cockroachDB_HAProxy = 26258;
+}
diff --git a/flake.lock b/flake.lock
index a48b41d..755064e 100644
--- a/flake.lock
+++ b/flake.lock
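Review bot: `vaultUserName = "rapsberry-container-piped-uk"` looks misspelled next to `hetzner-vm-container-piped-fi` and the `raspberry` host the entry draws its IP from; unless the Vault user really was created under that name, the uk node's login fails closed and the cluster never forms. The `piped-uk` entry also has no `resticBucket`, so any profile that reads `hosts.${currentHostName}.resticBucket` throws on that node — add it or document the key as optional. Since profiles/pipedCluster/*.nix index this map with `config.networking.hostName`, a comment on `hosts` such as `# keys must equal networking.hostName of the container that imports profiles.pipedCluster` would make that coupling explicit.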
@@ -176,17 +176,16 @@ ] }, "locked": { + "dirtyRev": "1729b90a2e81b95f0158720816b174532a9b1f2b-dirty", + "dirtyShortRev": "1729b90-dirty", "lastModified": 1694730023, - "narHash": "sha256-/J7ZPye0T1idRgvpa7oHJnON3rzIniv4tXiMP2sj3tk=", - "owner": "ChaotiCryptidz", - "repo": "piped-flake", - "rev": "1729b90a2e81b95f0158720816b174532a9b1f2b", - "type": "gitlab" + "narHash": "sha256-luuXpoTIfcvruZfNF3KsIs5rxbZKHuoJPRiI2kMrAYE=", + "type": "git", + "url": "file:/home/chaos/Projects/piped-flake" }, "original": { - "owner": "ChaotiCryptidz", - "repo": "piped-flake", - "type": "gitlab" + "type": "git", + "url": "file:/home/chaos/Projects/piped-flake" } }, "root": { diff --git a/flake.nix b/flake.nix index 5444688..15cd0ca 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,8 @@ gitlab_artifacts_sync.inputs.utils.follows = "flake-utils"; gitlab_artifacts_sync.inputs.flake-compat.follows = "flake-compat"; - piped-flake.url = "gitlab:ChaotiCryptidz/piped-flake"; + #piped-flake.url = "gitlab:ChaotiCryptidz/piped-flake"; + piped-flake.url = "git+file:/home/chaos/Projects/piped-flake"; piped-flake.inputs.nixpkgs.follows = "nixpkgs-unstable"; piped-flake.inputs.utils.follows = "flake-utils"; piped-flake.inputs.flake-compat.follows = "flake-compat"; diff --git a/home/home-folders.nix b/home/homeFolders.nix similarity index 100% rename from home/home-folders.nix rename to home/homeFolders.nix diff --git a/home/manual-backup-apps.nix b/home/manualBackupApps.nix similarity index 83% rename from home/manual-backup-apps.nix rename to home/manualBackupApps.nix index ec1f604..d061baf 100644 --- a/home/manual-backup-apps.nix +++ b/home/manualBackupApps.nix 
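Review bot: `piped-flake.url = "git+file:/home/chaos/Projects/piped-flake"` pins a deployed input to an uncommitted local checkout (the lock now records `1729b90…-dirty`), so the build is not reproducible on any other machine and cannot be traced back to a reviewable commit of piped-flake. If this is a stop-gap while piped-flake changes land, keep the gitlab URL in flake.nix and test with `--override-input piped-flake path:/home/chaos/Projects/piped-flake` instead of committing the swap; at minimum annotate it `# TEMPORARY: restore gitlab:ChaotiCryptidz/piped-flake before deploying`.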
@@ -5,7 +5,7 @@ } @ file_inputs: let # Requires secrets.{gitlab_archiver_token, restic_music_env} # expected to be in default locations - # Incase home.apps.manual-backup-apps is running in container which passes secrets in from host + # Incase home.apps.manualBackupApps is running in container which passes secrets in from host secrets = if file_inputs ? "hostSecrets" then file_inputs.hostSecrets diff --git a/hosts/hetzner-vm/containers/piped-fi/default.nix b/hosts/hetzner-vm/containers/piped-fi/default.nix new file mode 100644 index 0000000..3bda899 --- /dev/null +++ b/hosts/hetzner-vm/containers/piped-fi/default.nix 
@@ -0,0 +1,79 @@ +{ + self, + hostPath, + tree, + inputs, + config, + pkgs, + ... +}: let + containerName = "piped-fi"; + containerConfig = config.containers.${containerName}.config; + + pipedSocketForComponent = ( + component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" + ); +in { + containers.piped-fi = { + autoStart = true; + privateNetwork = false; + + specialArgs = { + inherit inputs; + inherit tree; + inherit self; + inherit hostPath; + }; + + config = {...}: { + nixpkgs.pkgs = pkgs; + + imports = with tree; + [ + presets.nixos.containerBase + + profiles.nginx + profiles.firewallAllow.httpCommon + + profiles.pipedCluster + + ./secrets.nix + ] + ++ (with hosts.hetzner-vm.containers.piped-fi.profiles; [ + restic + ]); + + # For Shared Secrets + systemd.tmpfiles.rules = [ + "d /var/lib/cockroachdb-certs - root root" + ]; + + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; + }; + }; + + services.nginx.virtualHosts."piped-fi.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:${pipedSocketForComponent "frontend"}"; + }; + }; + + services.nginx.virtualHosts."backend.piped-fi.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:${pipedSocketForComponent "backend"}"; + }; + }; + + services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:${pipedSocketForComponent "proxy"}"; + }; + }; +} diff --git a/hosts/hetzner-vm/containers/piped/profiles/restic.nix b/hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix similarity index 56% rename from hosts/hetzner-vm/containers/piped/profiles/restic.nix rename to hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix index bdc8fb8..b656711 100644 --- a/hosts/hetzner-vm/containers/piped/profiles/restic.nix 
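Review bot: The `proxy.piped-fi.owo.monster` vhost no longer sets `extraConfig = config.services.piped.proxyNginxExtraConfig;`, which the removed containers/piped/default.nix applied on the host because TLS terminates there rather than in the container; if the new piped-flake still exposes proxy-specific nginx directives they need to be re-added here, otherwise a comment saying the new module emits them itself would stop the next reader from chasing it. `containerConfig` is bound and never used. With `privateNetwork = false` the container shares the host network namespace, so every `0.0.0.0` bind inside profiles.pipedCluster lands on the VM's public interface unless host firewall rules close it; a comment next to `privateNetwork = false` recording that reliance on the host firewall would be worth having.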
+++ b/hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix @@ -1,16 +1,16 @@ { pkgs, - hostSecrets, + config, ... }: let - secrets = hostSecrets; + secrets = config.services.secrets.secrets; in { environment.systemPackages = with pkgs; [ restic (pkgs.writeShellScriptBin "restic-piped-finland" '' env \ - RESTIC_PASSWORD_FILE=${secrets.piped_finland_restic_password.path} \ - $(cat ${secrets.piped_finland_restic_env.path}) \ + RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ + $(cat ${secrets.restic_env.path}) \ ${pkgs.restic}/bin/restic $@ '') ]; @@ -22,11 +22,9 @@ in { "/var/lib/cockroachdb-certs" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository repository = "rest:https://storage-restic.owo.monster/Piped-Finland"; - passwordFile = "${secrets.piped_finland_restic_password.path}"; - environmentFile = "${secrets.piped_finland_restic_env.path}"; + passwordFile = "${secrets.restic_password.path}"; + environmentFile = "${secrets.restic_env.path}"; pruneOpts = [ "--keep-last 5" diff --git a/hosts/hetzner-vm/containers/piped-fi/secrets.nix b/hosts/hetzner-vm/containers/piped-fi/secrets.nix new file mode 100644 index 0000000..25dd676 --- /dev/null +++ b/hosts/hetzner-vm/containers/piped-fi/secrets.nix 
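Review bot: `$(cat ${secrets.restic_env.path})` expands the env file into `env`'s argument list, so `RESTIC_REPOSITORY=rest:https://<user>:<password>@…` ends up on the process command line and is readable by every local user via `ps`/`/proc/*/cmdline` for the life of the restic run. Source the file and exec instead: `set -a; . ${secrets.restic_env.path}; set +a` followed by `RESTIC_PASSWORD_FILE=${secrets.restic_password.path} exec ${pkgs.restic}/bin/restic "$@"` (quoting `"$@"` also fixes argument splitting). The hunk also drops the comment that `repository` is overridden by the environment file; keep a one-liner like `# RESTIC_REPOSITORY in environmentFile (with credentials) overrides this; keep both in sync`, since the two copies can now drift silently.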
@@ -0,0 +1,75 @@ +{...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-vm-container-piped-fi"; + }; + + autoSecrets = { + enable = true; + }; + + requiredVaultPaths = [ + "api-keys/data/storage/restic/Piped-Finland" + + "private-public-keys/data/piped-cockroachdb-ca/nodes/piped-fi" + + "private-public-keys/data/restic/Piped-Finland" + ]; + + secrets = { + vault_password = { + manual = true; + }; + + restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile" + ''; + }; + + restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile" + ''; + }; + + cockroachdb_ca_certificate = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/ca.crt"; + fetchScript = '' + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .ca_certificate \ + | base64 -d > "$secretFile" + ''; + }; + + cockroachdb_node_certificate = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/node.crt"; + fetchScript = '' + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_certificate \ + | base64 -d > "$secretFile" + ''; + }; + + cockroachdb_node_key = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/node.key"; + fetchScript = '' + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_key \ + | base64 -d > "$secretFile" + ''; + }; + }; + }; +} 
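Review bot: `restic_env` builds `RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@…` without percent-encoding, so a generated password containing `@`, `/`, `:`, `#` or `%` yields a malformed or mis-routed repository URL and restic fails to open the repo, silently breaking backups. Percent-encode both values before interpolation, or — if the deployed restic is recent enough to honour them — emit `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD` alongside a credential-free `RESTIC_REPOSITORY` so the secret never sits inside a URL. `restic_env` and `restic_password` also set no `user`/`group`/`permissions` while the cockroachdb entries do; if the module's default is anything wider than root 0600, make it explicit here.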
diff --git a/hosts/hetzner-vm/containers/piped/data/ports.nix b/hosts/hetzner-vm/containers/piped/data/ports.nix deleted file mode 100644 index 64a13df..0000000 --- a/hosts/hetzner-vm/containers/piped/data/ports.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - internal-piped-backend = 3012; - internal-piped-proxy = 3013; - - cockroachdb = 26257; - cockroachdb-http = 3014; -} diff --git a/hosts/hetzner-vm/containers/piped/default.nix b/hosts/hetzner-vm/containers/piped/default.nix deleted file mode 100644 index de3fb8f..0000000 --- a/hosts/hetzner-vm/containers/piped/default.nix +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - self, - hostPath, - tree, - lib, - inputs, - config, - pkgs, - ... -}: let - containerAddresses = import "${hostPath}/data/containerAddresses.nix"; - - hostIP = containerAddresses.host; - containerIP = containerAddresses.containers.${containerName}; - - containerName = "piped"; - containerConfig = config.containers.${containerName}.config; - - containerLib = import "${self}/lib/containerLib.nix" { - inherit lib; - }; - - # Using secrets from Host - secrets = config.services.secrets.secrets; - secretsList = [ - "piped_finland_restic_env" - "piped_finland_restic_password" - { - name = "piped_cockroachdb_ca_certificate"; - path = "/var/lib/cockroachdb-certs/ca.crt"; - } - { - name = "piped_cockroachdb_node_certificate"; - path = "/var/lib/cockroachdb-certs/node.crt"; - } - { - name = "piped_cockroachdb_node_key"; - path = "/var/lib/cockroachdb-certs/node.key"; - } - ]; - - pipedSocketForComponent = ( - component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" - ); -in { - containers.piped = { - autoStart = true; - privateNetwork = false; - hostAddress = hostIP; - localAddress = containerIP; - bindMounts = containerLib.genBindHostsForSecrets secrets secretsList; - - specialArgs = { - inherit inputs; - inherit tree; - inherit self; - inherit hostPath; - hostSecrets = secrets; - }; - - config = {config, ...}: { - nixpkgs.pkgs = pkgs; - - imports = with tree; - [ - presets.nixos.containerBase - - profiles.nginx - profiles.firewallAllow.httpCommon - ] - ++ (with hosts.hetzner-vm.containers.piped.profiles; [ - piped - restic - cockroachDB - ]); - - # For Shared Secrets - systemd.tmpfiles.rules = [ - "d ${config.services.secrets.secretsDir} - root root" - ]; - - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; - }; - }; - - # Create this directory outside the container so the bind mounts work - systemd.tmpfiles.rules = [ - "d 
/var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root" - ]; - - users.users."cockroachdb-piped" = { - uid = containerConfig.users.users.cockroachdb.uid; - group = "cockroachdb-piped"; - }; - users.groups."cockroachdb-piped" = { - gid = containerConfig.users.groups.cockroachdb.gid; - }; - - services.nginx.virtualHosts."piped-fi.owo.monster" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://unix:${pipedSocketForComponent "frontend"}"; - }; - }; - - services.nginx.virtualHosts."backend.piped-fi.owo.monster" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://unix:${pipedSocketForComponent "backend"}"; - }; - }; - - services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://unix:${pipedSocketForComponent "proxy"}"; - extraConfig = config.services.piped.proxyNginxExtraConfig; - }; - }; -} diff --git a/hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix b/hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix deleted file mode 100644 index 7206392..0000000 --- a/hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix +++ /dev/null @@ -1,20 +0,0 @@ -{self, ...}: let - internalWireGuard = import "${self}/data/chaosInternalWireGuard.nix"; - ports = import ../data/ports.nix; -in { - services.cockroachdb-bin = { - enable = true; - certsDir = "/var/lib/cockroachdb-certs"; - join = "localhost:${toString ports.cockroachdb},${internalWireGuard.hosts.raspberry.ip}:26257"; - # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry - extraArgs = ["--advertise-addr=${internalWireGuard.hosts.hetzner-vm.ip}:26257"]; - listen = { - port = ports.cockroachdb; - address = "0.0.0.0"; - }; - http = { - address = "0.0.0.0"; - port = ports.cockroachdb-http; - }; - }; -} 
diff --git a/hosts/hetzner-vm/containers/piped/profiles/piped.nix b/hosts/hetzner-vm/containers/piped/profiles/piped.nix deleted file mode 100644 index bb0ec13..0000000 --- a/hosts/hetzner-vm/containers/piped/profiles/piped.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{config, ...}: let - ports = import ../data/ports.nix; - pipedConfig = config.services.piped; -in { - services.piped = { - enable = true; - frontendDomain = "piped-fi.owo.monster"; - backendDomain = "backend.piped-fi.owo.monster"; - proxyDomain = "proxy.piped-fi.owo.monster"; - - disableRegistrations = true; - - # TODO: change these creds to be read from file before opening DB to firewall - postgresDBName = "piped"; - postgresDBUsername = "piped"; - postgresDBPassword = "piped"; - postgresDBHost = "127.0.0.1"; - postgresDBPort = 26257; - databaseDialect = "org.hibernate.dialect.CockroachDialect"; - disablePostgresDB = true; - - nginxForceSSL = false; - nginxEnableACME = false; - - # Do not set proxyNginxExtraConfig here as needs be set in outside of container - - internalBackendPort = ports.internal-piped-backend; - internalProxyPort = ports.internal-piped-proxy; - }; - - systemd.tmpfiles.rules = [ - "d /var/sockets - nginx nginx" - ]; - - systemd.services.nginx = { - serviceConfig.ReadWritePaths = [ - "/var/sockets" - ]; - }; - - systemd.services.piped-backend = { - after = ["cockroachdb.service"]; - wants = ["cockroachdb.service"]; - }; - - services.nginx.virtualHosts = let - componentPath = component: "/var/sockets/piped-${component}.sock"; - in { - "${pipedConfig.frontendDomain}" = { - listen = [ - { - addr = "127.0.0.1"; - port = 8091; - } - ]; - extraConfig = "listen unix:${componentPath "frontend"};"; - }; - "${pipedConfig.backendDomain}" = { - extraConfig = "listen unix:${componentPath "backend"};"; - listen = [ - { - addr = "127.0.0.1"; - port = 8092; - } - ]; - }; - "${pipedConfig.proxyDomain}" = { - extraConfig = "listen unix:${componentPath "proxy"};"; - listen = [ - { - addr = "127.0.0.1"; - port = 8093; - } - ]; - }; - }; -} diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix index 5611017..07b039b 100644 --- a/hosts/hetzner-vm/hetzner-vm.nix +++ b/hosts/hetzner-vm/hetzner-vm.nix 
@@ -24,7 +24,7 @@ in { "storage" "music" "quassel" - "piped" + "piped-fi" "mail" ] (name: ./containers + "/${name}")) ++ (with hosts.hetzner-vm.profiles; [ diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix index 99837fa..7f14ecb 100644 --- a/hosts/hetzner-vm/secrets.nix +++ b/hosts/hetzner-vm/secrets.nix @@ -1,15 +1,4 @@ -{ - pkgs, - lib, - config, - ... -}: let - inherit (lib.lists) forEach; - inherit (lib.modules) mkMerge; - - users = ["root" "dovecot2" "gitlab_artifacts_sync" "mpd" "nginx"]; - groups = users; -in { +{pkgs, ...}: { services.secrets = { enable = true; @@ -25,7 +14,7 @@ in { "container@music" "container@social" "container@quassel" - "container@piped" + "container@piped-fi" ]; }; @@ -34,20 +23,6 @@ in { apacheHttpd ]; - uidMap = let - getUID = name: config.users.users.${name}.uid; - in - mkMerge (forEach users (user: { - "${user}" = getUID user; - })); - - gidMap = let - getGID = name: config.users.groups.${name}.gid; - in - mkMerge (forEach groups (group: { - "${group}" = getGID group; - })); - requiredVaultPaths = [ "api-keys/data/mpd" "api-keys/data/music-stream" @@ -57,7 +32,6 @@ in { "api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Quassel" - "api-keys/data/storage/restic/Piped-Finland" "api-keys/data/chaos_mail/system" "api-keys/data/chaos_mail/gotosocial" @@ -66,12 +40,9 @@ in { "passwords/data/slskd" "passwords/data/mail" - "private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm" - "private-public-keys/data/restic/Mail" "private-public-keys/data/restic/Social" "private-public-keys/data/restic/Quassel" - "private-public-keys/data/restic/Piped-Finland" "infra/data/private-mail-aliases" ]; 
@@ -195,47 +166,6 @@ in { echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile" ''; }; - - # Container: piped - piped_finland_restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile" - ''; - }; - piped_finland_restic_env = { - fetchScript = '' - RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username) - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password) - echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile" - ''; - }; - piped_cockroachdb_ca_certificate = { - user = "cockroachdb-piped"; - group = "cockroachdb-piped"; - permissions = "600"; - fetchScript = '' - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .ca_certificate \ - | base64 -d > "$secretFile" - ''; - }; - piped_cockroachdb_node_certificate = { - user = "cockroachdb-piped"; - group = "cockroachdb-piped"; - permissions = "600"; - fetchScript = '' - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_certificate \ - | base64 -d > "$secretFile" - ''; - }; - piped_cockroachdb_node_key = { - user = "cockroachdb-piped"; - group = "cockroachdb-piped"; - permissions = "600"; - fetchScript = '' - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_key \ - | base64 -d > "$secretFile" - ''; - }; }; }; } diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix index 30f694a..3cdfdf4 100644 --- a/hosts/lappy-t495/lappy-t495.nix +++ b/hosts/lappy-t495/lappy-t495.nix @@ -24,8 +24,8 @@ imports = with tree; [ home.base home.dev.all - home.home-folders - home.manual-backup-apps + home.homeFolders + home.manualBackupApps home.programming.editors.vscode home.programming.languages.rust 
diff --git a/hosts/lappy-t495/secrets.nix b/hosts/lappy-t495/secrets.nix index 0bf491e..a5d3ec6 100644 --- a/hosts/lappy-t495/secrets.nix +++ b/hosts/lappy-t495/secrets.nix @@ -14,7 +14,7 @@ ''; }; - # Required for home.apps.manual-backup-apps + # Required for home.apps.manualBackupApps gitlab_archiver_token = { user = "chaos"; group = "users"; @@ -24,7 +24,7 @@ ''; }; - # Required for home.apps.manual-backup-apps + # Required for home.apps.manualBackupApps restic_music_env = { user = "chaos"; group = "users"; diff --git a/hosts/raspberry/profiles/piped.nix b/hosts/raspberry/profiles/piped.nix index 3ac216d..260bbb5 100644 --- a/hosts/raspberry/profiles/piped.nix +++ b/hosts/raspberry/profiles/piped.nix @@ -1,8 +1,4 @@ -{ - config, - pkgs, - ... -}: { +{pkgs, ...}: { services.piped = { enable = true; diff --git a/outputs.nix b/outputs.nix index b221272..c5a47ea 100644 --- a/outputs.nix +++ b/outputs.nix @@ -124,7 +124,7 @@ in # All machines/containers with secrets.nix machines = { "hetzner-vm" = { - containers = ["storage"]; + containers = ["storage" "piped-fi"]; sshAddress = "hetzner-vm.servers.genderfucked.monster"; }; "vault" = { diff --git a/profiles/pipedCluster/cockroachDB.nix b/profiles/pipedCluster/cockroachDB.nix new file mode 100644 index 0000000..38a4d06 --- /dev/null +++ b/profiles/pipedCluster/cockroachDB.nix 
@@ -0,0 +1,40 @@
+{
+ self,
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.lists) filter;
+ inherit (builtins) attrNames;
+
+ clusterConfig = import "${self}/data/pipedClusterConfig.nix";
+ inherit (clusterConfig) hosts ports;
+
+ currentHostName = config.networking.hostName;
+
+ joinString = lib.concatStringsSep "," ([
+ "localhost:${toString ports.cockroachDB}"
+ ]
+ ++ (
+ map
+ (hostName: hosts.${hostName}.joinString)
+ (filter (hostName: hostName != currentHostName) (attrNames hosts))
+ ));
+in {
+ systemd.services.haproxy.wantedBy = ["piped-backend.service"];
+
+ services.cockroachdb-bin = {
+ enable = true;
+ certsDir = "/var/lib/cockroachdb-certs";
+ join = joinString;
+ extraArgs = ["--advertise-addr=${hosts.${currentHostName}.advertiseAddr}"];
+ listen = {
+ port = ports.cockroachDB;
+ address = "0.0.0.0";
+ };
+ http = {
+ address = "0.0.0.0";
+ port = ports.cockroachDB_HTTP;
+ };
+ };
+}
diff --git a/profiles/pipedCluster/haproxy.nix b/profiles/pipedCluster/haproxy.nix
new file mode 100644
index 0000000..8e613a5
--- /dev/null
+++ b/profiles/pipedCluster/haproxy.nix
@@ -0,0 +1,36 @@
+{self, ...}: let
+ inherit (builtins) concatStringsSep attrNames;
+
+ clusterConfig = import "${self}/data/pipedClusterConfig.nix";
+ inherit (clusterConfig) hosts ports;
+in {
+ systemd.services.haproxy.wantedBy = ["piped-backend.service"];
+
+ services.haproxy = {
+ enable = true;
+ config = ''
+ global
+ maxconn 4096
+
+ defaults
+ mode tcp
+ retries 5
+ timeout connect 5s
+ timeout client 10m
+ timeout server 10m
+ option clitcpka
+
+ listen psql
+ bind :${toString ports.cockroachDB_HAProxy}
+ mode tcp
+ balance roundrobin
+ option httpchk GET /health?ready=1
+ ${concatStringsSep "\n" (
+ map (serverConfig: " " + serverConfig)
+ (map (
+ hostName: "server ${hostName} ${hosts.${hostName}.advertiseAddr} check port ${toString ports.cockroachDB_HTTP}"
+ ) (attrNames hosts))
+ )}
+ '';
+ };
+}
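Review bot: `listen.address = "0.0.0.0"` and `http.address = "0.0.0.0"` expose the SQL port and the admin UI on every interface, which on piped-fi (`privateNetwork = false`) includes the VM's public address unless the host firewall closes 26257/3014 — nothing in this profile restricts them, and the profile is now shared by every cluster node. Peers and `advertiseAddr` are WireGuard addresses, so `http.address = "127.0.0.1"` (the tunnelling comments in pipedClusterConfig.nix already assume a loopback admin port) plus either an explicit firewall rule limiting the SQL port to the WireGuard interface or `listen.address = hosts.${currentHostName}.ip` (which would also require dropping the `localhost:` entry from `joinString` and pointing piped at the same address) would match the intended trust boundary. `systemd.services.haproxy.wantedBy = ["piped-backend.service"]` is also set in haproxy.nix and reads as misplaced in the cockroachdb profile.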
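Review bot: `bind :${toString ports.cockroachDB_HAProxy}` listens on all interfaces although the only intended client is the local piped backend; `bind 127.0.0.1:${toString ports.cockroachDB_HAProxy}` keeps this unauthenticated TCP path into the cluster off the shared host network. The nodes run with `certsDir`, so their admin port is presumably HTTPS, and a plain `option httpchk GET /health?ready=1` may then only see an HTTP→HTTPS redirect — which HAProxy counts as healthy — rather than the readiness status; confirm on the stats page and, if so, add `check-ssl ca-file /var/lib/cockroachdb-certs/ca.crt verify required` to the generated server lines. Note that haproxy would then need read access to that file, which secrets.nix currently installs as 0600 cockroachdb:cockroachdb.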
diff --git a/profiles/pipedCluster/piped.nix b/profiles/pipedCluster/piped.nix new file mode 100644 index 0000000..0177584 --- /dev/null +++ b/profiles/pipedCluster/piped.nix 
@@ -0,0 +1,111 @@ +{ + self, + config, + ... +}: let + clusterConfig = import "${self}/data/pipedClusterConfig.nix"; + inherit (clusterConfig) hosts ports; + + currentHostName = config.networking.hostName; + currentHostConfig = hosts.${currentHostName}; + + baseDomain = currentHostConfig.baseDomain; +in { + systemd.coredump.enable = true; + + services.piped = { + enable = true; + + frontend = { + domain = "${baseDomain}"; + + nginx = { + forceSSL = false; + enableACME = false; + }; + }; + + backend = { + domain = "backend.${baseDomain}"; + internalPort = ports.internalPipedBackend; + + nginx = { + forceSSL = false; + enableACME = false; + }; + + settings = { + disableRegistrations = true; + }; + + database = { + disablePostgresDB = true; + name = "piped"; + username = "piped"; + passwordFile = builtins.toFile "password-file" "piped"; + host = "127.0.0.1"; + port = ports.cockroachDB; + dialect = "org.hibernate.dialect.CockroachDialect"; + }; + }; + + proxy = { + domain = "proxy.${baseDomain}"; + internalPort = ports.internalPipedProxy; + + nginx = { + forceSSL = false; + enableACME = false; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "d /var/sockets - nginx nginx" + ]; + + systemd.services.nginx = { + serviceConfig.ReadWritePaths = [ + "/var/sockets" + ]; + }; + + systemd.services.piped-backend = { + after = ["network.target" "cockroachdb.service" "haproxy.service"]; + wants = ["network.target" "cockroachdb.service" "haproxy.service"]; + }; + + services.nginx.virtualHosts = let + componentPath = component: "/var/sockets/piped-${component}.sock"; + in { + "${baseDomain}" = { + listen = [ + { + addr = "127.0.0.1"; + port = 8091; + } + ]; + extraConfig = "listen unix:${componentPath "frontend"};"; + }; + + "backend.${baseDomain}" = { + extraConfig = "listen unix:${componentPath "backend"};"; + listen = [ + { + addr = "127.0.0.1"; + port = 8092; + } + ]; + }; + + "proxy.${baseDomain}" = { + extraConfig = "listen unix:${componentPath "proxy"};"; + listen = [ + { + 
addr = "127.0.0.1"; + port = 8093; + } + ]; + }; + }; +} diff --git a/profiles/usbAutoMount.nix b/profiles/usbAutoMount.nix index ede9287..6f524bb 100644 --- a/profiles/usbAutoMount.nix +++ b/profiles/usbAutoMount.nix @@ -1,20 +1,20 @@ {pkgs, ...}: let encryptedUSB = import ../data/encryptedUSB.nix; - enc_usb_mount = pkgs.writeShellScriptBin "enc_usb_mount" '' + encUSBMount = pkgs.writeShellScriptBin "enc_usb_mount" '' set -x - ${enc_usb_unmount}/bin/enc_usb_unmount + ${encUSBMount}/bin/enc_usb_unmount cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${encryptedUSB.encryptedPath} ${encryptedUSB.mapperName} - mount ${encryptedUSB.mapperPath} -o rw ${encryptedUSB.mountpoint} ''; - enc_usb_unmount = pkgs.writeShellScriptBin "enc_usb_unmount" '' + encUSBUnmount = pkgs.writeShellScriptBin "enc_usb_unmount" '' set -x umount -flR ${encryptedUSB.mountpoint} || true cryptsetup close ${encryptedUSB.mapperName} || true ''; in { - environment.systemPackages = [enc_usb_mount enc_usb_unmount]; + environment.systemPackages = [encUSBMount encUSBUnmount]; systemd.tmpfiles.rules = ["d ${encryptedUSB.mountpoint} - chaos root"]; @@ -22,7 +22,7 @@ in { path = [pkgs.util-linux pkgs.cryptsetup]; wantedBy = ["multi-user.target"]; script = '' - ${enc_usb_mount}/bin/enc_usb_mount + ${encUSBMount}/bin/enc_usb_mount ''; };
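Review bot: `passwordFile = builtins.toFile "password-file" "piped"` puts the database password `piped` into the world-readable /nix/store, and the `# TODO: change these creds to be read from file before opening DB to firewall` from the removed piped profile is gone while the node now listens on `0.0.0.0`; read it from the container's secrets module instead (`config.services.secrets.secrets.<name>.path`, as restic.nix does) and keep the TODO until a real credential is provisioned. `database.port = ports.cockroachDB` still connects to the local node directly, so the new `haproxy.service` in `after`/`wants` changes nothing — point `port` at `ports.cockroachDB_HAProxy` (and `host` at the address it binds) if failover is the goal, or drop the dependency. `systemd.coredump.enable = true` will also capture backend memory, credentials included, into `/var/lib/systemd/coredump`; if it is for debugging, mark it `# DEBUG: disable once the cluster is stable`.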
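Review bot: The rename introduced a self-reference: `${encUSBMount}/bin/enc_usb_unmount` inside `encUSBMount` makes the derivation's script depend on its own output path, which Nix rejects with an infinite-recursion error at evaluation, and even if it evaluated the mount package contains no `bin/enc_usb_unmount`. The removed line referenced the unmount script, so it should read `${encUSBUnmount}/bin/enc_usb_unmount`.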