piped-proxy on raspberry

chaos 2023-09-14 19:44:27 +01:00
parent ed7e0c4db5
commit d69991819a
27 changed files with 208 additions and 21 deletions


@ -23,6 +23,7 @@
raspberry = {
ip = "10.69.42.5";
public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
endpoint = "raspberry.servers.genderfucked.monster:51820";
};
};
}


@ -202,11 +202,11 @@
]
},
"locked": {
"lastModified": 1694550850,
"narHash": "sha256-lN3W5WhbxLrsp2lgGh4fk2th5RkhQIMFd4WCNAlYvs8=",
"lastModified": 1694714112,
"narHash": "sha256-x2CgsEvWIf4ETx4puLqmHrPthesNXW30OMYg4pVJARg=",
"owner": "ChaotiCryptidz",
"repo": "piped-flake",
"rev": "6ef001f2a840fe3fefbcda619126659ba9cc1981",
"rev": "c5ad01eac79809686d9685671e77a6dac4e17ddf",
"type": "gitlab"
},
"original": {


@ -4,7 +4,7 @@ in {
programs.ssh.enable = true;
programs.ssh.matchBlocks =
lib.mkMerge
((lib.forEach ["hetzner-vm" "vault" "vault-decrypt"] (hostname: {
((lib.forEach ["hetzner-vm" "vault" "raspberry" "vault-decrypt"] (hostname: {
"${hostname}" = {
user = "root";
hostname = "${hostname}.servers.genderfucked.monster";


@ -5,6 +5,8 @@
config,
...
}: let
internal_wireguard = import ../../../../data/chaos_wireguard_internal.nix {};
container-addresses = import ../../data/container-addresses.nix {};
hostIP = container-addresses.host;
containerIP = container-addresses.containers.piped;
@ -104,8 +106,12 @@ in {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
extraConfig = config.services.piped.proxyNginxExtraConfig;
proxyPass = "http://${internal_wireguard.hosts.raspberry.ip}";
extraConfig = ''
proxy_set_header Host $host;
'';
#proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
#extraConfig = config.services.piped.proxyNginxExtraConfig;
};
};
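Review bot: The new `extraConfig` at L68–70 forwards only `Host`, whereas the value it replaces came from the piped module (`config.services.piped.proxyNginxExtraConfig`), so any directives that module set for the proxy vhost (buffering, timeouts, body-size limits) are silently dropped on the hetzner hop — confirm the module's extraConfig contains nothing this side still needs, or keep it alongside the header: `extraConfig = config.services.piped.proxyNginxExtraConfig + "proxy_set_header Host $host;";`. Without `X-Forwarded-For`/`X-Real-IP` the nginx and piped-proxy on the raspberry see every client as the hetzner WireGuard address, so any per-client logging or limiting on that hop is lost; if that is intended, say so in a comment. The commented-out lines at L71–72, L91–93 and L157–160 are dead code that a one-line comment such as `# proxy is served from the raspberry over the internal WireGuard link; see disableProxy in piped.nix` would replace more readably. The enclosing `virtualHosts` definition starts outside the hunk.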


@ -8,6 +8,8 @@ in {
backendDomain = "backend.piped.owo.monster";
proxyDomain = "proxy.piped.owo.monster";
disableProxy = true; # Currently using proxy via raspberry in UK
nginxForceSSL = false;
nginxEnableACME = false;
@ -31,7 +33,7 @@ in {
config.services.nginx.virtualHosts."${piped_config.backendDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-backend.sock;";
};
config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
};
#config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
# extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
#};
}


@ -41,10 +41,11 @@ in {
modules.nixos.rclone-sync
modules.nixos.secrets
./secrets.nix
users.root
]
++ (with hosts.hetzner-vm.containers.storage; [
profiles.secrets
profiles.auto-secrets
profiles.rclone-configs
profiles.rclone-serve


@ -12,8 +12,10 @@
profiles.base
profiles.sshd
profiles.nginx
profiles.nginx-firewall
profiles.nix-gc
profiles.kernels.latest
profiles.cross.arm64
./networking.nix
./hardware.nix


@ -33,6 +33,8 @@ in {
publicKey = "${data.hosts.raspberry.public}";
presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
allowedIPs = ["${data.hosts.raspberry.ip}/32"];
endpoint = "${data.hosts.raspberry.endpoint}";
persistentKeepalive = 25;
}
];
};


@ -10,6 +10,7 @@
presets.nixos.encrypted-usb
profiles.cross.arm64
profiles.remote-builders
hosts.lappy-t495.profiles.wireguard


@ -0,0 +1,2 @@
{...}: {
}


@ -37,8 +37,8 @@ in {
systemd.tmpfiles.rules = ["d ${external_drive_data.mountpoint} - root root"];
# services.udev.extraRules = ''
# ACTION=="add", ENV{PARTNAME}=="${external_drive_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
# ACTION=="remove", ENV{PARTNAME}=="${external_drive_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
# '';
#services.udev.extraRules = ''
# ACTION=="add", ENV{PARTLABEL}=="${external_drive_data.encrypted_label}", ENV{SYSTEMD_WANTS}="mount-external-drive.service"
# ACTION=="remove", ENV{PARTLABEL}=="${external_drive_data.encrypted_label}", ENV{SYSTEMD_WANTS}="unmount-external-drive.service"
#'';
}


@ -0,0 +1,25 @@
{
config,
pkgs,
...
}: {
config.services.piped = {
enable = true;
# Takes too much time to compile otherwise, idm extra bandwidth
proxyPackage =
(pkgs.piped-proxy.override {
withAVIF = false;
withWebP = false;
})
.overrideAttrs {
pname = "piped-proxy-debug";
doCheck = false;
buildType = "debug";
};
proxyDomain = "proxy.piped.owo.monster";
disableBackend = true;
disableFrontend = true;
};
}
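Review bot: `doCheck = false` together with `buildType = "debug"` at L180–182 ships an untested, unoptimised binary for the internet-facing proxy, and the comment at L173 only motivates the AVIF/WebP override, not the debug build. For a `buildRustPackage` derivation `buildType = "debug"` disables optimisation, which matters for a video proxy on a Raspberry Pi, so the trade-off and the exit condition should be recorded, e.g. `# TODO: debug build with tests skipped only to keep compile time down on the Pi; restore the release build and doCheck once builds come from hetzner-vm (remote-builders / cross.arm64)`. Since hetzner-vm gains `profiles.cross.arm64` in this same commit, that path may already be usable — worth confirming before merging the debug build.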


@ -5,6 +5,7 @@
persistentKeepalive = 15;
in {
networking.firewall.trustedInterfaces = ["wg0"];
networking.firewall.allowedUDPPorts = [51820];
networking.wg-quick.interfaces = {
wg0 = {
address = ["${data.hosts.raspberry.ip}/32"];


@ -15,6 +15,8 @@ in {
profiles.base
profiles.sshd
profiles.nginx
profiles.nginx-firewall
profiles.connectivity.network_manager
profiles.connectivity.bluetooth
@ -27,6 +29,9 @@ in {
]
++ (with hosts.raspberry.profiles; [
external-drive
wireguard
piped-proxy
auto-storage-backups
]);
environment.systemPackages = [


@ -0,0 +1,17 @@
[StorageBox-Remote]
type = webdav
vendor = other
host = u323231.your-storagebox.de
url = https://u323231.your-storagebox.de
user = u323231
pass = STORAGEBOX_PASSWORD
[StorageBox-Hasher]
type = hasher
remote = StorageBox-Remote:
hashes = sha1,md5
max_age = off
[StorageBox]
type = alias
remote = StorageBox-Hasher:


@ -1,6 +1,22 @@
{...}: {
{pkgs, ...}: {
services.secrets = {
enable = true;
packages = with pkgs; [rclone];
extraFunctions = ''
simple_get_obscure() {
rclone obscure "$(simple_get "$@")"
}
'';
requiredVaultPaths = [
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
"private-public-keys/data/wireguard/chaos-internal/raspberry"
"passwords/data/wifi/parentals-home"
"api-keys/data/hetzner/storagebox"
];
secrets = {
# Used for fetching the encryption drive's key at runtime
# can be revoked in case of hardware theft
@ -31,6 +47,25 @@
'';
};
rclone_config = {
fetchScript = ''
TMP_DIR="$(mktemp -d)"
cp ${./rclone_config.template} "$TMP_DIR/template"
pushd "$TMP_DIR" >/dev/null
STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password)
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" ./template
cp ./template "$secretFile"
popd >/dev/null
rm -rf "$TMP_DIR"
'';
};
# for internal wireguard VPN
wg_priv = {
fetchScript = ''
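Review bot: The `sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/"` at L270 splices the obscured password into a sed expression, so a `/`, `&` or `\` in the value would break or alter the substitution; rclone's obscure output is base64 (URL-safe, as far as I recall) so it should be clean today, but the script never checks that the placeholder was replaced, and a failed match would leave the literal `STORAGEBOX_PASSWORD` from the template in the rclone config. Using a different delimiter and verifying the result — `sed -i "s|STORAGEBOX_PASSWORD|$STORAGEBOX_PASSWORD|" ./template` then `grep -q STORAGEBOX_PASSWORD ./template && { echo "placeholder not replaced" >&2; exit 1; }` — would catch that. The temp directory from `mktemp -d` is only removed on the happy path at L273; `trap 'rm -rf "$TMP_DIR"' EXIT` right after creating it also cleans up when `simple_get_obscure` fails. The `secrets` attrset starts in the first hunk and continues past the end of this one.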


@ -34,6 +34,8 @@ in {
publicKey = "${data.hosts.raspberry.public}";
presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
allowedIPs = ["${data.hosts.raspberry.ip}/32"];
endpoint = "${data.hosts.raspberry.endpoint}";
persistentKeepalive = 25;
}
];
};


@ -6,6 +6,7 @@
profiles.sshd
profiles.nix-gc
profiles.nginx
profiles.nginx-firewall
profiles.kernels.latest
hosts.vault.profiles.wireguard


@ -19,6 +19,7 @@ in
system: let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [
(import ./overlay)
];
@ -26,6 +27,10 @@ in
in
lib.foldl' lib.recursiveUpdate {} [
{
# we expose nixpkgs.${system} so that we can nix run/build stuff
# from nixpkgs from flake's input versions
nixpkgs = pkgs;
formatter = pkgs.alejandra;
devShell = pkgs.mkShell {
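Review bot: `config.allowUnfree = true;` at L308 lifts the unfree check for every host built from this flake, and nothing in the hunk says which package needed it; a comment naming it (`# allowUnfree: needed for <PACKAGE — fill in>`) or an `allowUnfreePredicate` limited to that package keeps the exception auditable. The `nixpkgs = pkgs;` output at L318 is a non-standard flake output; if the aim is `nix run`/`nix build` against the flake's pinned nixpkgs, `legacyPackages.${system}` is the attribute those commands resolve, so consider exposing it there as well (hedged — the per-system wrapping is outside the hunk). The enclosing `lib.foldl'` expression continues past the hunk.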


@ -0,0 +1,4 @@
{...}: {
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
}
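Review bot: `networking.firewall.allowedUDPPorts = [80 443]` at L327 opens two UDP ports nginx will not listen on unless HTTP/3 (`quic`) is configured for the vhosts; nothing in this commit enables that, and UDP 80 has no HTTP use at all. Either drop the line or narrow it to `networking.firewall.allowedUDPPorts = [443]; # HTTP/3 only — requires quic on the vhosts`. A short header comment stating that this profile is imported by every nginx host (hetzner-vm, vault and raspberry in this commit) would also help.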


@ -0,0 +1,48 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkIf;
current_machine_hostname = config.networking.hostName;
usb_ssh_key_file = "/usb/ssh-keys/chaos.priv";
ssh_key_file =
if
builtins.elem current_machine_hostname [
"lappy-t495"
"tablet"
]
then usb_ssh_key_file
else throw "host isn't configured for remote-builders";
builderDefaults = {
sshUser = "root";
sshKey = ssh_key_file;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
mandatoryFeatures = [];
};
in {
nix.buildMachines = [
(mkIf (current_machine_hostname != "hetzner-vm") (builderDefaults
// {
hostName = "hetzner-vm.servers.genderfucked.monster";
systems = ["x86_64-linux" "aarch64-linux"];
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU1JdDJBQnF3SGhNano5cjZhdHY0WHVYNTh4RVdlU3RrbVhVd3ZNVkd2NHcgcm9vdEBuaXhvcwo=";
maxJobs = 3;
speedFactor = 2;
}))
(mkIf (current_machine_hostname != "vault") (builderDefaults
// {
hostName = "vault.servers.genderfucked.monster";
systems = ["x86_64-linux"];
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU16L1dyaG81MTFGdzhXN3FsU0NUY1V4cWh4TGlBQkJXbFNNNFRNNzJ5RWQgcm9vdEBuaXhvcwo=";
maxJobs = 2;
speedFactor = 1;
}))
];
nix.distributedBuilds = true;
nix.extraOptions = "builders-use-substitutes = true";
}
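Review bot: The new profile has no header comment, and the `throw` at L348 means importing it on any host other than lappy-t495 or tablet fails at evaluation time — a deliberate guard, but one a reader has to reconstruct. A header such as `# Remote builders for the portable hosts: builds run as root over SSH with the key from the encrypted USB, so import only where /usb is mounted; builder host keys are pinned via publicHostKey.` would capture that. If the USB is not mounted, Nix cannot reach the builders and (presumably, by default) falls back to building locally, which for the `aarch64-linux` entry at L360 will fail on an x86 laptop unless emulation is set up — worth a note. The builder FQDNs at L359/L367 are hard-coded while the ssh profile (L49) derives `${hostname}.servers.genderfucked.monster`; reusing that pattern keeps the two in step.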


@ -1,14 +1,14 @@
#!/usr/bin/env bash
set -ex
set -e
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
REPO_ROOT="${SCRIPT_DIR}/.."
cd $REPO_ROOT
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
HOSTNAME=$(hostname)
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
[ "${HOSTNAME}" != "hetzner-vm" ] && deploy -s ".#hetzner-vm" -- $@
[ "${HOSTNAME}" != "vault" ] && deploy -s ".#vault" -- $@
[ "${HOSTNAME}" != "raspberry" ] && nixos-rebuild --flake .#raspberry --target-host root@192.168.0.203 $@
[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh $@
[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh $@
[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh $@
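Review bot: The new invocations at L394–396 pass `$@` unquoted, so an argument containing whitespace is re-split before it reaches the per-host script; use `"$@"`. The same applies to `cd $SCRIPT_DIR` at L387 and, in the new scripts, to the `cd $SCRIPT_DIR` and `nixos-rebuild ... $@` lines (hetzner-vm.sh L406/L408, raspberry.sh L416/L418, vault.sh L428/L430). With `set -e` the `[ ... ] && cmd` lines are safe mid-script, but when this runs on raspberry the final test is false and the script exits 1; ending with `exit 0` or using `if` blocks avoids the spurious failure. Dropping `-x` at L383 also removes the trace output that showed which host was being deployed — consider `echo "deploying to <host>"` in the per-host scripts instead.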

9
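--- a/scripts/deploy/hetzner-vm.sh
+++ b/scripts/deploy/hetzner-vm.sh
+#!/usr/bin/env bash
+set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+cd $(git rev-parse --show-toplevel)
+nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s $@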


@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -e
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#raspberry --target-host raspberry -s $@

9
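--- a/scripts/deploy/vault.sh
+++ b/scripts/deploy/vault.sh
+#!/usr/bin/env bash
+set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+cd $(git rev-parse --show-toplevel)
+nixos-rebuild switch --flake .#vault --target-host vault -s $@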
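Review bot: `scripts/deploy/vault.sh` is added as a `Normal file` (L421) while `scripts/deploy/hetzner-vm.sh` is an `Executable file` (L399), yet deploy.sh runs both directly via `./scripts/deploy/vault.sh` at L395; without the execute bit that call fails with permission denied. Either `chmod +x` the file (and check raspberry.sh, whose mode is not shown here) or invoke it as `bash ./scripts/deploy/vault.sh "$@"`. The three scripts are identical apart from the host name, so a single `scripts/deploy/host.sh <host>` taking the host as its first argument would keep them from drifting.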