chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

more work on piped stuff

Browse source
This commit is contained in:
chaos 2023-09-19 17:53:44 +01:00
parent 20e2cdfdc2
commit b4f9cc52e6
No known key found for this signature in database
23 changed files with 414 additions and 334 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
data/pipedClusterConfig.nix Normal file
View file

@ -0,0 +1,35 @@
let
internalWireGuard = import ./chaosInternalWireGuard.nix;
ports = import ./pipedClusterPorts.nix;
in rec {
inherit ports;
hosts = {
# map of hostname to config for cluster node
"piped-fi" = rec {
ip = "${internalWireGuard.hosts.hetzner-vm.ip}";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm
joinString = "${ip}:${toString ports.cockroachDB}";
advertiseAddr = joinString;
resticBucket = "Piped-Finland";
vaultUserName = "hetzner-vm-container-piped-fi";
baseDomain = "piped-fi.owo.monster";
};
"piped-uk" = rec {
ip = "${internalWireGuard.hosts.raspberry.ip}";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry
joinString = "${ip}:${toString ports.cockroachDB}";
advertiseAddr = joinString;
vaultUserName = "rapsberry-container-piped-uk";
baseDomain = "piped-uk.owo.monster";
};
};
}

8
data/pipedClusterPorts.nix Normal file
View file

@ -0,0 +1,8 @@
{
internalPipedBackend = 3012;
internalPipedProxy = 3013;
cockroachDB = 26257;
cockroachDB_HTTP = 3014;
cockroachDB_HAProxy = 26258;
}

15
flake.lock
View file

@ -176,17 +176,16 @@
] ]
}, },
"locked": { "locked": {
"dirtyRev": "1729b90a2e81b95f0158720816b174532a9b1f2b-dirty",
"dirtyShortRev": "1729b90-dirty",
"lastModified": 1694730023, "lastModified": 1694730023,
"narHash": "sha256-/J7ZPye0T1idRgvpa7oHJnON3rzIniv4tXiMP2sj3tk=", "narHash": "sha256-luuXpoTIfcvruZfNF3KsIs5rxbZKHuoJPRiI2kMrAYE=",
"owner": "ChaotiCryptidz", "type": "git",
"repo": "piped-flake", "url": "file:/home/chaos/Projects/piped-flake"
"rev": "1729b90a2e81b95f0158720816b174532a9b1f2b",
"type": "gitlab"
}, },
"original": { "original": {
"owner": "ChaotiCryptidz", "type": "git",
"repo": "piped-flake", "url": "file:/home/chaos/Projects/piped-flake"
"type": "gitlab"
} }
}, },
"root": { "root": {

3
flake.nix
View file

@ -41,7 +41,8 @@
gitlab_artifacts_sync.inputs.utils.follows = "flake-utils"; gitlab_artifacts_sync.inputs.utils.follows = "flake-utils";
gitlab_artifacts_sync.inputs.flake-compat.follows = "flake-compat"; gitlab_artifacts_sync.inputs.flake-compat.follows = "flake-compat";
piped-flake.url = "gitlab:ChaotiCryptidz/piped-flake"; #piped-flake.url = "gitlab:ChaotiCryptidz/piped-flake";
piped-flake.url = "git+file:/home/chaos/Projects/piped-flake";
piped-flake.inputs.nixpkgs.follows = "nixpkgs-unstable"; piped-flake.inputs.nixpkgs.follows = "nixpkgs-unstable";
piped-flake.inputs.utils.follows = "flake-utils"; piped-flake.inputs.utils.follows = "flake-utils";
piped-flake.inputs.flake-compat.follows = "flake-compat"; piped-flake.inputs.flake-compat.follows = "flake-compat";

0
home/home-folders.nix → home/homeFolders.nix
View file

2
home/manual-backup-apps.nix → home/manualBackupApps.nix
View file

@ -5,7 +5,7 @@
} @ file_inputs: let } @ file_inputs: let
# Requires secrets.{gitlab_archiver_token, restic_music_env} # Requires secrets.{gitlab_archiver_token, restic_music_env}
# expected to be in default locations # expected to be in default locations
# Incase home.apps.manual-backup-apps is running in container which passes secrets in from host # Incase home.apps.manualBackupApps is running in container which passes secrets in from host
secrets = secrets =
if file_inputs ? "hostSecrets" if file_inputs ? "hostSecrets"
then file_inputs.hostSecrets then file_inputs.hostSecrets

79
hosts/hetzner-vm/containers/piped-fi/default.nix Normal file
View file

@ -0,0 +1,79 @@
{
self,
hostPath,
tree,
inputs,
config,
pkgs,
...
}: let
containerName = "piped-fi";
containerConfig = config.containers.${containerName}.config;
pipedSocketForComponent = (
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
);
in {
containers.piped-fi = {
autoStart = true;
privateNetwork = false;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
profiles.nginx
profiles.firewallAllow.httpCommon
profiles.pipedCluster
./secrets.nix
]
++ (with hosts.hetzner-vm.containers.piped-fi.profiles; [
restic
]);
# For Shared Secrets
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
services.nginx.virtualHosts."piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "frontend"}";
};
};
services.nginx.virtualHosts."backend.piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "backend"}";
};
};
services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
};
};
}

14
hosts/hetzner-vm/containers/piped/profiles/restic.nix → hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix
View file

@ -1,16 +1,16 @@
{ {
pkgs, pkgs,
hostSecrets, config,
... ...
}: let }: let
secrets = hostSecrets; secrets = config.services.secrets.secrets;
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic
(pkgs.writeShellScriptBin "restic-piped-finland" '' (pkgs.writeShellScriptBin "restic-piped-finland" ''
env \ env \
RESTIC_PASSWORD_FILE=${secrets.piped_finland_restic_password.path} \ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.piped_finland_restic_env.path}) \ $(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@ ${pkgs.restic}/bin/restic $@
'') '')
]; ];
@ -22,11 +22,9 @@ in {
"/var/lib/cockroachdb-certs" "/var/lib/cockroachdb-certs"
]; ];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Piped-Finland"; repository = "rest:https://storage-restic.owo.monster/Piped-Finland";
passwordFile = "${secrets.piped_finland_restic_password.path}"; passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.piped_finland_restic_env.path}"; environmentFile = "${secrets.restic_env.path}";
pruneOpts = [ pruneOpts = [
"--keep-last 5" "--keep-last 5"

75
hosts/hetzner-vm/containers/piped-fi/secrets.nix Normal file
View file

@ -0,0 +1,75 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-vm-container-piped-fi";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Piped-Finland"
"private-public-keys/data/piped-cockroachdb-ca/nodes/piped-fi"
"private-public-keys/data/restic/Piped-Finland"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
'';
};
cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
cockroachdb_node_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_certificate \
| base64 -d > "$secretFile"
'';
};
cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_key \
| base64 -d > "$secretFile"
'';
};
};
};
}

7
hosts/hetzner-vm/containers/piped/data/ports.nix
View file

@ -1,7 +0,0 @@
{
internal-piped-backend = 3012;
internal-piped-proxy = 3013;
cockroachdb = 26257;
cockroachdb-http = 3014;
}

124
hosts/hetzner-vm/containers/piped/default.nix
View file

@ -1,124 +0,0 @@
{
self,
hostPath,
tree,
lib,
inputs,
config,
pkgs,
...
}: let
containerAddresses = import "${hostPath}/data/containerAddresses.nix";
hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.${containerName};
containerName = "piped";
containerConfig = config.containers.${containerName}.config;
containerLib = import "${self}/lib/containerLib.nix" {
inherit lib;
};
# Using secrets from Host
secrets = config.services.secrets.secrets;
secretsList = [
"piped_finland_restic_env"
"piped_finland_restic_password"
{
name = "piped_cockroachdb_ca_certificate";
path = "/var/lib/cockroachdb-certs/ca.crt";
}
{
name = "piped_cockroachdb_node_certificate";
path = "/var/lib/cockroachdb-certs/node.crt";
}
{
name = "piped_cockroachdb_node_key";
path = "/var/lib/cockroachdb-certs/node.key";
}
];
pipedSocketForComponent = (
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
);
in {
containers.piped = {
autoStart = true;
privateNetwork = false;
hostAddress = hostIP;
localAddress = containerIP;
bindMounts = containerLib.genBindHostsForSecrets secrets secretsList;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
hostSecrets = secrets;
};
config = {config, ...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
profiles.nginx
profiles.firewallAllow.httpCommon
]
++ (with hosts.hetzner-vm.containers.piped.profiles; [
piped
restic
cockroachDB
]);
# For Shared Secrets
systemd.tmpfiles.rules = [
"d ${config.services.secrets.secretsDir} - root root"
];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
# Create this directory outside the container so the bind mounts work
systemd.tmpfiles.rules = [
"d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root"
];
users.users."cockroachdb-piped" = {
uid = containerConfig.users.users.cockroachdb.uid;
group = "cockroachdb-piped";
};
users.groups."cockroachdb-piped" = {
gid = containerConfig.users.groups.cockroachdb.gid;
};
services.nginx.virtualHosts."piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "frontend"}";
};
};
services.nginx.virtualHosts."backend.piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "backend"}";
};
};
services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
extraConfig = config.services.piped.proxyNginxExtraConfig;
};
};
}

20
hosts/hetzner-vm/containers/piped/profiles/cockroachDB.nix
View file

@ -1,20 +0,0 @@
{self, ...}: let
internalWireGuard = import "${self}/data/chaosInternalWireGuard.nix";
ports = import ../data/ports.nix;
in {
services.cockroachdb-bin = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = "localhost:${toString ports.cockroachdb},${internalWireGuard.hosts.raspberry.ip}:26257";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry
extraArgs = ["--advertise-addr=${internalWireGuard.hosts.hetzner-vm.ip}:26257"];
listen = {
port = ports.cockroachdb;
address = "0.0.0.0";
};
http = {
address = "0.0.0.0";
port = ports.cockroachdb-http;
};
};
}

77
hosts/hetzner-vm/containers/piped/profiles/piped.nix
View file

@ -1,77 +0,0 @@
{config, ...}: let
ports = import ../data/ports.nix;
pipedConfig = config.services.piped;
in {
services.piped = {
enable = true;
frontendDomain = "piped-fi.owo.monster";
backendDomain = "backend.piped-fi.owo.monster";
proxyDomain = "proxy.piped-fi.owo.monster";
disableRegistrations = true;
# TODO: change these creds to be read from file before opening DB to firewall
postgresDBName = "piped";
postgresDBUsername = "piped";
postgresDBPassword = "piped";
postgresDBHost = "127.0.0.1";
postgresDBPort = 26257;
databaseDialect = "org.hibernate.dialect.CockroachDialect";
disablePostgresDB = true;
nginxForceSSL = false;
nginxEnableACME = false;
# Do not set proxyNginxExtraConfig here as needs be set in outside of container
internalBackendPort = ports.internal-piped-backend;
internalProxyPort = ports.internal-piped-proxy;
};
systemd.tmpfiles.rules = [
"d /var/sockets - nginx nginx"
];
systemd.services.nginx = {
serviceConfig.ReadWritePaths = [
"/var/sockets"
];
};
systemd.services.piped-backend = {
after = ["cockroachdb.service"];
wants = ["cockroachdb.service"];
};
services.nginx.virtualHosts = let
componentPath = component: "/var/sockets/piped-${component}.sock";
in {
"${pipedConfig.frontendDomain}" = {
listen = [
{
addr = "127.0.0.1";
port = 8091;
}
];
extraConfig = "listen unix:${componentPath "frontend"};";
};
"${pipedConfig.backendDomain}" = {
extraConfig = "listen unix:${componentPath "backend"};";
listen = [
{
addr = "127.0.0.1";
port = 8092;
}
];
};
"${pipedConfig.proxyDomain}" = {
extraConfig = "listen unix:${componentPath "proxy"};";
listen = [
{
addr = "127.0.0.1";
port = 8093;
}
];
};
};
}

2
hosts/hetzner-vm/hetzner-vm.nix
View file

@ -24,7 +24,7 @@ in {
"storage" "storage"
"music" "music"
"quassel" "quassel"
"piped" "piped-fi"
"mail" "mail"
] (name: ./containers + "/${name}")) ] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-vm.profiles; [ ++ (with hosts.hetzner-vm.profiles; [

74
hosts/hetzner-vm/secrets.nix
View file

@ -1,15 +1,4 @@
{ {pkgs, ...}: {
pkgs,
lib,
config,
...
}: let
inherit (lib.lists) forEach;
inherit (lib.modules) mkMerge;
users = ["root" "dovecot2" "gitlab_artifacts_sync" "mpd" "nginx"];
groups = users;
in {
services.secrets = { services.secrets = {
enable = true; enable = true;
@ -25,7 +14,7 @@ in {
"container@music" "container@music"
"container@social" "container@social"
"container@quassel" "container@quassel"
"container@piped" "container@piped-fi"
]; ];
}; };
@ -34,20 +23,6 @@ in {
apacheHttpd apacheHttpd
]; ];
uidMap = let
getUID = name: config.users.users.${name}.uid;
in
mkMerge (forEach users (user: {
"${user}" = getUID user;
}));
gidMap = let
getGID = name: config.users.groups.${name}.gid;
in
mkMerge (forEach groups (group: {
"${group}" = getGID group;
}));
requiredVaultPaths = [ requiredVaultPaths = [
"api-keys/data/mpd" "api-keys/data/mpd"
"api-keys/data/music-stream" "api-keys/data/music-stream"
@ -57,7 +32,6 @@ in {
"api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Mail"
"api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Social"
"api-keys/data/storage/restic/Quassel" "api-keys/data/storage/restic/Quassel"
"api-keys/data/storage/restic/Piped-Finland"
"api-keys/data/chaos_mail/system" "api-keys/data/chaos_mail/system"
"api-keys/data/chaos_mail/gotosocial" "api-keys/data/chaos_mail/gotosocial"
@ -66,12 +40,9 @@ in {
"passwords/data/slskd" "passwords/data/slskd"
"passwords/data/mail" "passwords/data/mail"
"private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
"private-public-keys/data/restic/Mail" "private-public-keys/data/restic/Mail"
"private-public-keys/data/restic/Social" "private-public-keys/data/restic/Social"
"private-public-keys/data/restic/Quassel" "private-public-keys/data/restic/Quassel"
"private-public-keys/data/restic/Piped-Finland"
"infra/data/private-mail-aliases" "infra/data/private-mail-aliases"
]; ];
@ -195,47 +166,6 @@ in {
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile" echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile"
''; '';
}; };
# Container: piped
piped_finland_restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
'';
};
piped_finland_restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
'';
};
piped_cockroachdb_ca_certificate = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_certificate = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_key \
| base64 -d > "$secretFile"
'';
};
}; };
}; };
} }

4
hosts/lappy-t495/lappy-t495.nix
View file

@ -24,8 +24,8 @@
imports = with tree; [ imports = with tree; [
home.base home.base
home.dev.all home.dev.all
home.home-folders home.homeFolders
home.manual-backup-apps home.manualBackupApps
home.programming.editors.vscode home.programming.editors.vscode
home.programming.languages.rust home.programming.languages.rust

4
hosts/lappy-t495/secrets.nix
View file

@ -14,7 +14,7 @@
''; '';
}; };
# Required for home.apps.manual-backup-apps # Required for home.apps.manualBackupApps
gitlab_archiver_token = { gitlab_archiver_token = {
user = "chaos"; user = "chaos";
group = "users"; group = "users";
@ -24,7 +24,7 @@
''; '';
}; };
# Required for home.apps.manual-backup-apps # Required for home.apps.manualBackupApps
restic_music_env = { restic_music_env = {
user = "chaos"; user = "chaos";
group = "users"; group = "users";

6
hosts/raspberry/profiles/piped.nix
View file

@ -1,8 +1,4 @@
{ {pkgs, ...}: {
config,
pkgs,
...
}: {
services.piped = { services.piped = {
enable = true; enable = true;

2
outputs.nix
View file

@ -124,7 +124,7 @@ in
# All machines/containers with secrets.nix # All machines/containers with secrets.nix
machines = { machines = {
"hetzner-vm" = { "hetzner-vm" = {
containers = ["storage"]; containers = ["storage" "piped-fi"];
sshAddress = "hetzner-vm.servers.genderfucked.monster"; sshAddress = "hetzner-vm.servers.genderfucked.monster";
}; };
"vault" = { "vault" = {

40
profiles/pipedCluster/cockroachDB.nix Normal file
View file

@ -0,0 +1,40 @@
{
self,
config,
lib,
...
}: let
inherit (lib.lists) filter;
inherit (builtins) attrNames;
clusterConfig = import "${self}/data/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports;
currentHostName = config.networking.hostName;
joinString = lib.concatStringsSep "," ([
"localhost:${toString ports.cockroachDB}"
]
++ (
map
(hostName: hosts.${hostName}.joinString)
(filter (hostName: hostName != currentHostName) (attrNames hosts))
));
in {
systemd.services.haproxy.wantedBy = ["piped-backend.service"];
services.cockroachdb-bin = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = joinString;
extraArgs = ["--advertise-addr=${hosts.${currentHostName}.advertiseAddr}"];
listen = {
port = ports.cockroachDB;
address = "0.0.0.0";
};
http = {
address = "0.0.0.0";
port = ports.cockroachDB_HTTP;
};
};
}

36
profiles/pipedCluster/haproxy.nix Normal file
View file

@ -0,0 +1,36 @@
{self, ...}: let
inherit (builtins) concatStringsSep attrNames;
clusterConfig = import "${self}/data/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports;
in {
systemd.services.haproxy.wantedBy = ["piped-backend.service"];
services.haproxy = {
enable = true;
config = ''
global
maxconn 4096
defaults
mode tcp
retries 5
timeout connect 5s
timeout client 10m
timeout server 10m
option clitcpka
listen psql
bind :${toString ports.cockroachDB_HAProxy}
mode tcp
balance roundrobin
option httpchk GET /health?ready=1
${concatStringsSep "\n" (
map (serverConfig: " " + serverConfig)
(map (
hostName: "server ${hostName} ${hosts.${hostName}.advertiseAddr} check port ${toString ports.cockroachDB_HTTP}"
) (attrNames hosts))
)}
'';
};
}

111
profiles/pipedCluster/piped.nix Normal file
View file

@ -0,0 +1,111 @@
{
self,
config,
...
}: let
clusterConfig = import "${self}/data/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports;
currentHostName = config.networking.hostName;
currentHostConfig = hosts.${currentHostName};
baseDomain = currentHostConfig.baseDomain;
in {
systemd.coredump.enable = true;
services.piped = {
enable = true;
frontend = {
domain = "${baseDomain}";
nginx = {
forceSSL = false;
enableACME = false;
};
};
backend = {
domain = "backend.${baseDomain}";
internalPort = ports.internalPipedBackend;
nginx = {
forceSSL = false;
enableACME = false;
};
settings = {
disableRegistrations = true;
};
database = {
disablePostgresDB = true;
name = "piped";
username = "piped";
passwordFile = builtins.toFile "password-file" "piped";
host = "127.0.0.1";
port = ports.cockroachDB;
dialect = "org.hibernate.dialect.CockroachDialect";
};
};
proxy = {
domain = "proxy.${baseDomain}";
internalPort = ports.internalPipedProxy;
nginx = {
forceSSL = false;
enableACME = false;
};
};
};
systemd.tmpfiles.rules = [
"d /var/sockets - nginx nginx"
];
systemd.services.nginx = {
serviceConfig.ReadWritePaths = [
"/var/sockets"
];
};
systemd.services.piped-backend = {
after = ["network.target" "cockroachdb.service" "haproxy.service"];
wants = ["network.target" "cockroachdb.service" "haproxy.service"];
};
services.nginx.virtualHosts = let
componentPath = component: "/var/sockets/piped-${component}.sock";
in {
"${baseDomain}" = {
listen = [
{
addr = "127.0.0.1";
port = 8091;
}
];
extraConfig = "listen unix:${componentPath "frontend"};";
};
"backend.${baseDomain}" = {
extraConfig = "listen unix:${componentPath "backend"};";
listen = [
{
addr = "127.0.0.1";
port = 8092;
}
];
};
"proxy.${baseDomain}" = {
extraConfig = "listen unix:${componentPath "proxy"};";
listen = [
{
addr = "127.0.0.1";
port = 8093;
}
];
};
};
}

10
profiles/usbAutoMount.nix
View file

@ -1,20 +1,20 @@
{pkgs, ...}: let {pkgs, ...}: let
encryptedUSB = import ../data/encryptedUSB.nix; encryptedUSB = import ../data/encryptedUSB.nix;
enc_usb_mount = pkgs.writeShellScriptBin "enc_usb_mount" '' encUSBMount = pkgs.writeShellScriptBin "enc_usb_mount" ''
set -x set -x
${enc_usb_unmount}/bin/enc_usb_unmount ${encUSBMount}/bin/enc_usb_unmount
cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${encryptedUSB.encryptedPath} ${encryptedUSB.mapperName} - cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${encryptedUSB.encryptedPath} ${encryptedUSB.mapperName} -
mount ${encryptedUSB.mapperPath} -o rw ${encryptedUSB.mountpoint} mount ${encryptedUSB.mapperPath} -o rw ${encryptedUSB.mountpoint}
''; '';
enc_usb_unmount = pkgs.writeShellScriptBin "enc_usb_unmount" '' encUSBUnmount = pkgs.writeShellScriptBin "enc_usb_unmount" ''
set -x set -x
umount -flR ${encryptedUSB.mountpoint} || true umount -flR ${encryptedUSB.mountpoint} || true
cryptsetup close ${encryptedUSB.mapperName} || true cryptsetup close ${encryptedUSB.mapperName} || true
''; '';
in { in {
environment.systemPackages = [enc_usb_mount enc_usb_unmount]; environment.systemPackages = [encUSBMount encUSBUnmount];
systemd.tmpfiles.rules = ["d ${encryptedUSB.mountpoint} - chaos root"]; systemd.tmpfiles.rules = ["d ${encryptedUSB.mountpoint} - chaos root"];
@ -22,7 +22,7 @@ in {
path = [pkgs.util-linux pkgs.cryptsetup]; path = [pkgs.util-linux pkgs.cryptsetup];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
script = '' script = ''
${enc_usb_mount}/bin/enc_usb_mount ${encUSBMount}/bin/enc_usb_mount
''; '';
}; };