diff --git a/data/piped/pipedClusterConfig.nix b/data/piped/pipedClusterConfig.nix deleted file mode 100644 index 43278e1..0000000 --- a/data/piped/pipedClusterConfig.nix +++ /dev/null @@ -1,31 +0,0 @@ -let - internalWireGuard = import ../wireguard/chaosInternalWireGuard.nix; - ports = import ./pipedClusterPorts.nix; -in rec { - inherit ports; - - hosts = { - # map of hostname to config for cluster node - "piped-fi" = rec { - ip = "${internalWireGuard.hosts.hetzner-arm.ip}"; - - # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-arm - joinString = "${ip}:${toString ports.cockroachDB}"; - advertiseAddr = joinString; - - resticName = "piped-finland"; - resticBucket = "Piped-Finland"; - baseDomain = "piped-fi.owo.monster"; - }; - - "piped-uk" = rec { - ip = "${internalWireGuard.hosts.raspberry.ip}"; - # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry - joinString = "${ip}:${toString ports.cockroachDB}"; - advertiseAddr = joinString; - resticName = "piped-uk"; - resticBucket = "Piped-UK"; - baseDomain = "piped-uk.owo.monster"; - }; - }; -} diff --git a/data/piped/pipedClusterPorts.nix b/data/piped/pipedClusterPorts.nix deleted file mode 100644 index 552ce8b..0000000 --- a/data/piped/pipedClusterPorts.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - internalPipedBackend = 3012; - internalPipedProxy = 3013; - - cockroachDB = 26257; - cockroachDB_HTTP = 3014; - cockroachDB_HAProxy = 26258; -} diff --git a/home/apps/firefox.nix b/home/apps/firefox.nix index fb86da3..401b2f9 100644 --- a/home/apps/firefox.nix +++ b/home/apps/firefox.nix @@ -106,10 +106,7 @@ in { # browser toolbar and UI # may need updating when extensions change "browser.toolbars.bookmarks.visibility" = "always"; - "layout.css.devPixelsPerPx" = - if nixosConfig.networking.hostName == "lappy-t495" - then "1.4" - else "1.8"; + "layout.css.devPixelsPerPx" = "1.4"; "browser.uiCustomization.state" = builtins.toJSON { currentVersion = 18; dirtyAreaCache = [ 
diff --git a/hosts/hetzner-arm/containers/piped-db/default.nix b/hosts/hetzner-arm/containers/piped-db/default.nix
new file mode 100644
index 0000000..aba2bf2
--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/default.nix
@@ -0,0 +1,41 @@
+{
+ self,
+ hostPath,
+ tree,
+ inputs,
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkForce;
+in {
+ containers.piped-db = {
+ autoStart = true;
+ privateNetwork = false;
+
+ specialArgs = {
+ inherit inputs;
+ inherit tree;
+ inherit self;
+ inherit hostPath;
+ };
+
+ config = {...}: {
+ nixpkgs.pkgs = pkgs;
+
+ imports = with tree; [
+ presets.nixos.containerBase
+ ./secrets.nix
+
+ ./profiles/postgres.nix
+ ./profiles/restic.nix
+ ];
+
+ networking.firewall.enable = mkForce false;
+
+ home-manager.users.root.home.stateVersion = "23.05";
+ system.stateVersion = "23.05";
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix b/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix
new file mode 100644
index 0000000..9928665
--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix
@@ -0,0 +1,21 @@
+{self, ...}: let
+ wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
+ wireguardHosts = wireguardData.hosts;
+in {
+ services.postgresql = {
+ enable = true;
+ port = 5434;
+ enableTCPIP = true;
+ ensureUsers = [
+ {
+ name = "piped";
+ ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
+ }
+ ];
+ ensureDatabases = ["piped"];
+ authentication = ''
+ host piped piped ${wireguardHosts."raspberry".ip}/32 trust
+ host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust
+ '';
+ };
+}
diff --git a/hosts/hetzner-arm/containers/piped-db/profiles/restic.nix b/hosts/hetzner-arm/containers/piped-db/profiles/restic.nix
new file mode 100644
index 0000000..75e1a14
--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/profiles/restic.nix
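Review bot: The two `host piped piped … trust` rules in `authentication` let any client reaching port 5434 from the listed WireGuard addresses log in as `piped` with no credential at all, and since this container runs with `privateNetwork = false` and `networking.firewall.enable = mkForce false`, any process on hetzner-arm itself (including the piped-fi container, which shares the host's network namespace the same way) will likely present the trusted hetzner-arm address. Consider `scram-sha-256` with a password provisioned through services.secrets, keeping `trust` only for `local` connections, or at least `hostssl` so the rule also requires TLS on the wire. The rules are appended after the NixOS defaults, so loopback connections still need a password while WireGuard-sourced ones do not; a comment stating that asymmetry would help the next reader. `ensurePermissions` is deprecated in nixpkgs releases newer than the 23.05 stateVersion used here, in favour of `ensureDBOwnership`, so this may need adjusting when nixpkgs is bumped.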
@@ -0,0 +1,55 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ secrets = config.services.secrets.secrets;
+
+ backupPrepareCommand = "${
+ (pkgs.writeShellScriptBin "backupPrepareCommand" ''
+ systemctl start postgresqlBackup-piped --wait
+ '')
+ }/bin/backupPrepareCommand";
+in {
+ environment.systemPackages = with pkgs; [
+ restic
+ (pkgs.writeShellScriptBin "restic-piped" ''
+ env \
+ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+ $(cat ${secrets.restic_env.path}) \
+ ${pkgs.restic}/bin/restic $@
+ '')
+ ];
+
+ services.restic.backups.piped = {
+ user = "root";
+ paths = [
+ "/var/backup/postgresql"
+ ];
+
+ # repository is overrided in environmentFile to contain auth
+ # make sure to keep up to date when changing repository
+ repository = "rest:https://storage-restic.owo.monster/Piped";
+ passwordFile = "${secrets.restic_password.path}";
+ environmentFile = "${secrets.restic_env.path}";
+
+ pruneOpts = [
+ "--keep-last 5"
+ ];
+
+ timerConfig = {
+ OnBootSec = "1m";
+ OnCalendar = "daily";
+ };
+
+ inherit backupPrepareCommand;
+ };
+
+ services.postgresqlBackup = {
+ enable = true;
+ backupAll = false;
+ pgdumpOptions = "-p ${toString config.services.postgresql.port}";
+ databases = ["piped"];
+ compression = "zstd";
+ };
+}
diff --git a/hosts/hetzner-arm/containers/piped-db/secrets.nix b/hosts/hetzner-arm/containers/piped-db/secrets.nix
new file mode 100644
index 0000000..f82baf5
--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/secrets.nix
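Review bot: The `restic-piped` wrapper expands `$(cat ${secrets.restic_env.path})` into the argument list of `env`, so the `RESTIC_REPOSITORY=rest:https://user:password@…` line that secrets.nix writes becomes part of the `env` command line and is readable by every local user through `ps` or `/proc/*/cmdline` for as long as restic runs. The unquoted `$@` also re-splits any argument containing whitespace. Sourcing the file into the shell's environment keeps the credential out of argv and `exec` avoids the extra process; the systemd service itself is unaffected because it loads `environmentFile` via EnvironmentFile. The same wrapper pattern existed in the deleted profiles/pipedCluster/restic.nix, so this is carried over rather than new, but the rewrite is the natural place to fix it.

```nix
(pkgs.writeShellScriptBin "restic-piped" ''
  set -a
  . ${secrets.restic_env.path}
  set +a
  export RESTIC_PASSWORD_FILE=${secrets.restic_password.path}
  exec ${pkgs.restic}/bin/restic "$@"
'')
```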
@@ -0,0 +1,38 @@ +{...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-arm-container-piped-db"; + }; + + autoSecrets = { + enable = true; + }; + + requiredVaultPaths = [ + "api-keys/data/storage/restic/Piped" + "private-public-keys/data/restic/Piped" + ]; + + secrets = { + vault_password = { + manual = true; + }; + + restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Piped" .password > "$secretFile" + ''; + }; + restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/hetzner-arm/containers/piped-fi/default.nix b/hosts/hetzner-arm/containers/piped-fi/default.nix index 5012311..de15690 100644 --- a/hosts/hetzner-arm/containers/piped-fi/default.nix +++ b/hosts/hetzner-arm/containers/piped-fi/default.nix @@ -10,13 +10,14 @@ }: let inherit (lib.modules) mkForce; - containerName = "piped-fi"; + pipedName = "piped-fi"; + containerName = pipedName; pipedSocketForComponent = ( component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" ); in { - containers.piped-fi = { + containers.${containerName} = { autoStart = true; privateNetwork = false; @@ -32,17 +33,7 @@ in { imports = with tree; [ presets.nixos.containerBase - - profiles.nginx - profiles.firewallAllow.httpCommon - - profiles.pipedCluster - - ./secrets.nix - ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/cockroachdb-certs - root root" + presets.nixos.pipedNode ]; networking.firewall.enable = mkForce false; @@ -52,7 +43,7 @@ in { }; }; - services.nginx.virtualHosts."piped-fi.owo.monster" = { + services.nginx.virtualHosts."${pipedName}.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { 
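Review bot: `restic_env` embeds the REST username and password in the `RESTIC_REPOSITORY` URL, which means the credential travels wherever that URL is printed, logged or passed around (the wrapper in profiles/restic.nix, error output, shell history of anyone copying it), and neither value is URL-encoded, so a password containing `@`, `/`, `:` or `#` would produce a URL restic cannot parse. restic reads `RESTIC_REST_USERNAME` and `RESTIC_REST_PASSWORD` from the environment (added in restic 0.16; worth checking the pinned version), which would let `repository` in profiles/restic.nix stay the canonical credential-free URL and make its "keep up to date" comment unnecessary: `echo "RESTIC_REST_USERNAME=$RESTIC_USERNAME" > "$secretFile"` followed by `echo "RESTIC_REST_PASSWORD=$RESTIC_PASSWORD" >> "$secretFile"`. If the URL form is kept, a `# credentials live in the URL; keep in sync with profiles/restic.nix repository` comment on the echo line would at least tie the two files together.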
@@ -60,7 +51,7 @@ in { }; }; - services.nginx.virtualHosts."backend.piped-fi.owo.monster" = { + services.nginx.virtualHosts."backend.${pipedName}.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { @@ -68,7 +59,7 @@ in { }; }; - services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = { + services.nginx.virtualHosts."proxy.${pipedName}.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/hosts/hetzner-arm/containers/piped-fi/secrets.nix b/hosts/hetzner-arm/containers/piped-fi/secrets.nix deleted file mode 100644 index 2f58c76..0000000 --- a/hosts/hetzner-arm/containers/piped-fi/secrets.nix +++ /dev/null 
@@ -1,75 +0,0 @@
-{...}: {
- services.secrets = {
- enable = true;
-
- vaultLogin = {
- enable = true;
- loginUsername = "hetzner-arm-container-piped-fi";
- };
-
- autoSecrets = {
- enable = true;
- };
-
- requiredVaultPaths = [
- "api-keys/data/storage/restic/Piped-Finland"
-
- "private-public-keys/data/piped-cockroachdb-ca/nodes/piped-fi"
-
- "private-public-keys/data/restic/Piped-Finland"
- ];
-
- secrets = {
- vault_password = {
- manual = true;
- };
-
- restic_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
- '';
- };
-
- restic_env = {
- fetchScript = ''
- RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
- RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
- echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
- '';
- };
-
- cockroachdb_ca_certificate = {
- user = "cockroachdb";
- group = "cockroachdb";
- permissions = "600";
- path = "/var/lib/cockroachdb-certs/ca.crt";
- fetchScript = ''
- simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .ca_certificate \
- | base64 -d > "$secretFile"
- '';
- };
-
- cockroachdb_node_certificate = {
- user = "cockroachdb";
- group = "cockroachdb";
- permissions = "600";
- path = "/var/lib/cockroachdb-certs/node.crt";
- fetchScript = ''
- simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_certificate \
- | base64 -d > "$secretFile"
- '';
- };
-
- cockroachdb_node_key = {
- user = "cockroachdb";
- group = "cockroachdb";
- permissions = "600";
- path = "/var/lib/cockroachdb-certs/node.key";
- fetchScript = ''
- simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_key \
- | base64 -d > "$secretFile"
- '';
- };
- };
- };
-}
diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix index 11328af..febd1fb 100644 --- a/hosts/hetzner-arm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix @@ -7,9 +7,8 @@ rclone_serve_restic_vault = 4211; rclone_serve_restic_social = 4212; rclone_serve_restic_quassel = 4213; - rclone_serve_restic_piped_finland = 4214; - rclone_serve_restic_piped_uk = 4215; - rclone_serve_restic_mail = 4216; + rclone_serve_restic_piped = 4214; + rclone_serve_restic_mail = 4215; rclone_serve_http_music = 4220; rclone_serve_http_public = 4221; diff --git a/hosts/hetzner-arm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix index 1907591..ca1a57e 100644 --- a/hosts/hetzner-arm/containers/storage/default.nix +++ b/hosts/hetzner-arm/containers/storage/default.nix @@ -95,8 +95,7 @@ in { "/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}"; "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}"; "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}"; - "/Piped-Finland/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_finland}"; - "/Piped-UK/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_uk}"; + "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}"; }; extraConfig = '' diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix index 2ad69c8..7bff24b 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix 
@@ -117,23 +117,13 @@ in { ]; } { - id = "restic-piped-finland"; - remote = "StorageBox:Backups/Restic/Piped-Finland"; + id = "restic-piped"; + remote = "StorageBox:Backups/Restic/Piped"; type = "restic"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_finland}" - "--htpasswd=${secrets.restic_piped_finland_htpasswd.path}" - "--baseurl=/Piped-Finland/" - ]; - } - { - id = "restic-piped-uk"; - remote = "StorageBox:Backups/Restic/Piped-UK"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_uk}" - "--htpasswd=${secrets.restic_piped_uk_htpasswd.path}" - "--baseurl=/Piped-UK/" + "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}" + "--htpasswd=${secrets.restic_piped_htpasswd.path}" + "--baseurl=/Piped/" ]; } { diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix index 75d4b27..072c441 100644 --- a/hosts/hetzner-arm/containers/storage/secrets.nix +++ b/hosts/hetzner-arm/containers/storage/secrets.nix @@ -28,8 +28,7 @@ "api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Quassel" - "api-keys/data/storage/restic/Piped-Finland" - "api-keys/data/storage/restic/Piped-UK" + "api-keys/data/storage/restic/Piped" "api-keys/data/storage/restic/Mail" "api-keys/data/storage/webdav/main" @@ -66,11 +65,11 @@ } simple_get_replace_crypt() { - password=$(simple_get "$1" .password | replace_slash_for_sed) - salt=$(simple_get "$1" .salt | replace_slash_for_sed) + password=$(simple_get_obscure "$1" .password) + salt=$(simple_get_obscure "$1" .salt) - replace_password=''${2}_ACCOUNT - replace_salt=''${2}_KEY + replace_password=''${2}_PASSWORD + replace_salt=''${2}_SALT sed -i "s/$replace_password/$password/" "$3" sed -i "s/$replace_salt/$salt/" "$3" 
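Review bot: In `simple_get_replace_crypt` the `replace_slash_for_sed` escaping is dropped while the values are still spliced into `sed -i "s/…/$password/"`, so correctness now rests on `simple_get_obscure` never returning `/`, `&` or `\`; its definition is outside the hunk. If it wraps rclone's `obscure` (URL-safe base64 without padding) the output is limited to `A–Z a–z 0–9 - _` and this is safe, but that is an implicit contract worth recording, e.g. `# obscured values are URL-safe base64, so no sed escaping is needed` above the two assignments. The renamed placeholders `''${2}_PASSWORD` and `''${2}_SALT` must also match whatever template file is passed as `$3`, which this diff does not show; if a template still contains `_ACCOUNT`/`_KEY` the substitution silently does nothing and the literal placeholder ends up in the rclone config.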
@@ -118,22 +117,12 @@ ''; }; - restic_piped_finland_htpasswd = { + restic_piped_htpasswd = { user = "storage"; group = "storage"; fetchScript = '' - username=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username) - password=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password) - htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null - ''; - }; - - restic_piped_uk_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - username=$(simple_get "/api-keys/storage/restic/Piped-UK" .username) - password=$(simple_get "/api-keys/storage/restic/Piped-UK" .password) + username=$(simple_get "/api-keys/storage/restic/Piped" .username) + password=$(simple_get "/api-keys/storage/restic/Piped" .password) htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null ''; }; diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix index 1771883..a1f6db3 100644 --- a/hosts/hetzner-arm/hetzner-arm.nix +++ b/hosts/hetzner-arm/hetzner-arm.nix @@ -24,6 +24,7 @@ in { "storage" "music" "quassel" + "piped-db" "piped-fi" "mail" ] (name: ./containers + "/${name}")) diff --git a/hosts/nixos.nix b/hosts/nixos.nix index 3a915c8..81c3735 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -36,7 +36,6 @@ tree.modules.nixos.rclone-serve tree.modules.nixos.rclone-sync tree.modules.nixos.secrets - tree.modules.nixos.cockroachdb-bin ]; nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem; diff --git a/hosts/raspberry/containers/piped-uk/default.nix b/hosts/raspberry/containers/piped-uk/default.nix index 838fb5e..db6213c 100644 --- a/hosts/raspberry/containers/piped-uk/default.nix +++ b/hosts/raspberry/containers/piped-uk/default.nix 
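Review bot: The rewritten `restic_piped_htpasswd` fetchScript still hands the password to `htpasswd -b` on its command line, where it is visible in the process list for the duration of the call, and the `2>/dev/null` hides any failure so an empty or malformed file would go unnoticed until rclone starts rejecting logins. `htpasswd -i` reads the password from stdin instead: `printf '%s' "$password" | htpasswd -ic "$secretFile" "$username"`. The `-b` invocation and the stderr redirect are context lines carried over from the two entries this hunk merges, so this predates the change, but the merge is a good moment to fix it.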
@@ -10,13 +10,14 @@ }: let inherit (lib.modules) mkForce; - containerName = "piped-uk"; + pipedName = "piped-uk"; + containerName = pipedName; pipedSocketForComponent = ( component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" ); in { - containers.piped-uk = { + containers.${containerName} = { autoStart = true; privateNetwork = false; @@ -32,17 +33,7 @@ in { imports = with tree; [ presets.nixos.containerBase - - profiles.nginx - profiles.firewallAllow.httpCommon - - profiles.pipedCluster - - ./secrets.nix - ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/cockroachdb-certs - root root" + presets.nixos.pipedNode ]; networking.firewall.enable = mkForce false; @@ -52,7 +43,7 @@ in { }; }; - services.nginx.virtualHosts."piped-uk.owo.monster" = { + services.nginx.virtualHosts."${pipedName}.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { @@ -60,7 +51,7 @@ in { }; }; - services.nginx.virtualHosts."backend.piped-uk.owo.monster" = { + services.nginx.virtualHosts."backend.${pipedName}.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { @@ -68,7 +59,7 @@ in { }; }; - services.nginx.virtualHosts."proxy.piped-uk.owo.monster" = { + services.nginx.virtualHosts."proxy.${pipedName}.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/hosts/raspberry/containers/piped-uk/secrets.nix b/hosts/raspberry/containers/piped-uk/secrets.nix deleted file mode 100644 index 10dd61b..0000000 --- a/hosts/raspberry/containers/piped-uk/secrets.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{...}: { - services.secrets = { - enable = true; - - vaultLogin = { - enable = true; - loginUsername = "raspberry-container-piped-uk"; - }; - - autoSecrets = { - enable = true; - affectedSystemdServices = ["cockroachdb"]; - }; - - requiredVaultPaths = [ - "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry" - ]; - - secrets = { - vault_password = { - manual = true; - }; - - cockroachdb_ca_certificate = { - user = "cockroachdb"; - group = "cockroachdb"; - permissions = "600"; - path = "/var/lib/cockroachdb-certs/ca.crt"; - fetchScript = '' - if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then - mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" - fi - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \ - | base64 -d > "$secretFile" - ''; - }; - cockroachdb_node_certificate = { - user = "cockroachdb"; - group = "cockroachdb"; - permissions = "600"; - path = "/var/lib/cockroachdb-certs/node.crt"; - fetchScript = '' - if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then - mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" - fi - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \ - | base64 -d > "$secretFile" - ''; - }; - cockroachdb_node_key = { - user = "cockroachdb"; - group = "cockroachdb"; - permissions = "600"; - path = "/var/lib/cockroachdb-certs/node.key"; - fetchScript = '' - if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then - mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" - fi - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \ - | base64 -d > "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 3b4f43b..69b8c08 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix 
@@ -15,8 +15,8 @@ }; requiredVaultPaths = [ - "/private-public-keys/data/ssh/root@vault" - "/private-public-keys/data/ssh/root@vault-decrypt" + "private-public-keys/data/ssh/root@vault" + "private-public-keys/data/ssh/root@vault-decrypt" "private-public-keys/data/restic/Vault" diff --git a/modules/nixos/cockroachdb-bin.nix b/modules/nixos/cockroachdb-bin.nix deleted file mode 100644 index 39b1906..0000000 --- a/modules/nixos/cockroachdb-bin.nix +++ /dev/null 
@@ -1,248 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.services.cockroachdb-bin; - crdb = cfg.package; - - escapeSystemdExecArg = arg: let - s = - if builtins.isPath arg - then "${arg}" - else if builtins.isString arg - then arg - else if builtins.isInt arg || builtins.isFloat arg - then toString arg - else throw "escapeSystemdExecArg only allows strings, paths and numbers"; - in - lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s); - - # Quotes a list of arguments into a single string for use in a Exec* - # line. - escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg; - - startupCommand = - escapeSystemdExecArgs - ([ - # Basic startup - "${crdb}/bin/cockroach" - ( - if (cfg.join != null) - then "start" - else "start-single-node" - ) - "--logtostderr" - "--store=/var/lib/cockroachdb" - - # WebUI settings - "--http-addr=${cfg.http.address}:${toString cfg.http.port}" - - # Cluster listen address - "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}" - - # Cache and memory settings. - "--cache=${cfg.cache}" - "--max-sql-memory=${cfg.maxSqlMemory}" - - # Certificate/security settings. 
- ( - if cfg.insecure - then "--insecure" - else "--certs-dir=${cfg.certsDir}" - ) - ] - ++ lib.optional (cfg.join != null) "--join=${cfg.join}" - ++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}" - ++ cfg.extraArgs); - - addressOption = descr: defaultPort: { - address = mkOption { - type = types.str; - default = "localhost"; - description = lib.mdDoc "Address to bind to for ${descr}"; - }; - - port = mkOption { - type = types.port; - default = defaultPort; - description = lib.mdDoc "Port to bind to for ${descr}"; - }; - }; -in { - options = { - services.cockroachdb-bin = { - enable = mkEnableOption (lib.mdDoc "CockroachDB Server"); - - listen = addressOption "intra-cluster communication" 26257; - - http = addressOption "http-based Admin UI" 8080; - - locality = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - An ordered, comma-separated list of key-value pairs that describe the - topography of the machine. Topography might include country, - datacenter or rack designations. Data is automatically replicated to - maximize diversities of each tier. The order of tiers is used to - determine the priority of the diversity, so the more inclusive - localities like country should come before less inclusive localities - like datacenter. The tiers and order must be the same on all nodes. - Including more tiers is better than including fewer. 
For example: - - ``` - country=us,region=us-west,datacenter=us-west-1b,rack=12 - country=ca,region=ca-east,datacenter=ca-east-2,rack=4 - - planet=earth,province=manitoba,colo=secondary,power=3 - ``` - ''; - }; - - join = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc "The addresses for connecting the node to a cluster."; - }; - - insecure = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Run in insecure mode."; - }; - - certsDir = mkOption { - type = types.nullOr types.path; - default = null; - description = lib.mdDoc "The path to the certificate directory."; - }; - - user = mkOption { - type = types.str; - default = "cockroachdb"; - description = lib.mdDoc "User account under which CockroachDB runs"; - }; - - group = mkOption { - type = types.str; - default = "cockroachdb"; - description = lib.mdDoc "User account under which CockroachDB runs"; - }; - - openPorts = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Open firewall ports for cluster communication by default"; - }; - - cache = mkOption { - type = types.str; - default = "25%"; - description = lib.mdDoc '' - The total size for caches. - - This can be a percentage, expressed with a fraction sign or as a - decimal-point number, or any bytes-based unit. For example, - `"25%"`, `"0.25"` both represent - 25% of the available system memory. The values - `"1000000000"` and `"1GB"` both - represent 1 gigabyte of memory. - - ''; - }; - - maxSqlMemory = mkOption { - type = types.str; - default = "25%"; - description = lib.mdDoc '' - The maximum in-memory storage capacity available to store temporary - data for SQL queries. - - This can be a percentage, expressed with a fraction sign or as a - decimal-point number, or any bytes-based unit. For example, - `"25%"`, `"0.25"` both represent - 25% of the available system memory. The values - `"1000000000"` and `"1GB"` both - represent 1 gigabyte of memory. 
- ''; - }; - - package = mkOption { - type = types.package; - default = pkgs.cockroachdb-bin; - defaultText = literalExpression "pkgs.cockroachdb-bin"; - description = lib.mdDoc '' - The CockroachDB derivation to use for running the service. - ''; - }; - - extraArgs = mkOption { - type = types.listOf types.str; - default = []; - example = ["--advertise-addr" "[fe80::f6f2:::]"]; - description = lib.mdDoc '' - Extra CLI arguments passed to {command}`cockroach start`. - For the full list of supported arguments, check - ''; - }; - }; - }; - - config = mkIf config.services.cockroachdb-bin.enable { - assertions = [ - { - assertion = !cfg.insecure -> cfg.certsDir != null; - message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)"; - } - ]; - - environment.systemPackages = [crdb]; - - users.users = optionalAttrs (cfg.user == "cockroachdb") { - cockroachdb = { - description = "CockroachDB Server User"; - uid = config.ids.uids.cockroachdb; - group = cfg.group; - }; - }; - - users.groups = optionalAttrs (cfg.group == "cockroachdb") { - cockroachdb.gid = config.ids.gids.cockroachdb; - }; - - networking.firewall.allowedTCPPorts = - lib.optionals cfg.openPorts - [cfg.http.port cfg.listen.port]; - - systemd.services.cockroachdb = { - description = "CockroachDB Server"; - documentation = ["man:cockroach(1)" "https://www.cockroachlabs.com"]; - - after = ["network.target" "time-sync.target"]; - requires = ["time-sync.target"]; - wantedBy = ["multi-user.target"]; - - unitConfig.RequiresMountsFor = "/var/lib/cockroachdb"; - - serviceConfig = { - ExecStart = startupCommand; - Type = "notify"; - User = cfg.user; - StateDirectory = "cockroachdb"; - StateDirectoryMode = "0700"; - - Restart = "always"; - - # A conservative-ish timeout is alright here, because for Type=notify - # cockroach will send systemd pings during startup to keep it alive - TimeoutStopSec = 60; - RestartSec = 10; - }; - }; - }; - - meta.maintainers = with 
lib.maintainers; [thoughtpolice]; -} diff --git a/outputs.nix b/outputs.nix index d08e89e..d78d0d7 100644 --- a/outputs.nix +++ b/outputs.nix @@ -66,7 +66,6 @@ in inherit (pkgs) comic-code comic-sans; inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive; inherit (pkgs) gotosocial; - inherit (pkgs) cockroachdb; inherit (pkgs) piped-backend piped-frontend piped-proxy; inherit (pkgs) kitty-terminfo; }; @@ -141,7 +140,7 @@ in # All machines/containers with secrets.nix machines = rec { "hetzner-arm" = { - containers = ["storage" "music" "quassel" "social" "mail" "piped-fi"]; + containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi"]; sshAddress = "hetzner-arm.servers.genderfucked.monster"; }; "vault" = { diff --git a/overlay/cockroachdb-bin/default.nix b/overlay/cockroachdb-bin/default.nix deleted file mode 100644 index 9e87104..0000000 --- a/overlay/cockroachdb-bin/default.nix +++ /dev/null 
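Review bot: The comment above `machines` says it lists containers with a secrets.nix, and the new `containers` list adds `piped-db` but keeps `piped-fi`, whose hosts/hetzner-arm/containers/piped-fi/secrets.nix is deleted by this same commit and whose `./secrets.nix` import is removed from its default.nix. Either `piped-fi` should come out of the list, or the comment no longer describes what the list is for and whatever consumes it may now try to provision secrets for a container that has none. The raspberry entry, where piped-uk's secrets.nix is likewise deleted, is outside this hunk and should be checked for the same thing.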
@@ -1,48 +0,0 @@ -{ - lib, - stdenv, - autoPatchelfHook, - fetchzip, -}: -stdenv.mkDerivation rec { - pname = "cockroachdb-bin"; - version = "23.1.9"; - - src = let - inherit (stdenv.hostPlatform) system; - selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}"); - suffix = selectSystem { - x86_64-linux = "linux-amd64"; - aarch64-linux = "linux-arm64"; - }; - sha256 = selectSystem { - x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU="; - aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s="; - }; - in - fetchzip { - url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz"; - inherit sha256; - }; - - dontConfigure = true; - dontBuild = true; - dontStrip = stdenv.isDarwin; - - nativeBuildInputs = [autoPatchelfHook]; - - installPhase = '' - runHook preInstall - install -D cockroach $out/bin/cockroach - runHook postInstall - ''; - - meta = with lib; { - homepage = "https://www.cockroachlabs.com"; - description = "A scalable, survivable, strongly-consistent SQL database"; - license = licenses.bsl11; - mainProgram = "cockroach"; - sourceProvenance = with sourceTypes; [binaryNativeCode]; - platforms = ["x86_64-linux" "aarch64-linux"]; - }; -} diff --git a/overlay/default.nix b/overlay/default.nix index b987129..64c78da 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -13,9 +13,6 @@ final: prev: rec { cp -r ${./kitty-terminfo}/* $out/share ''; - cockroachdb-bin = final.callPackage ./cockroachdb-bin {}; - cockroachdb = cockroachdb-bin; - gotosocial = prev.gotosocial.overrideAttrs (_old: let owner = "superseriousbusiness"; repo = "gotosocial"; diff --git a/presets/nixos/containerBase.nix b/presets/nixos/containerBase.nix index 08f1b5a..34ce7f4 100644 --- a/presets/nixos/containerBase.nix +++ b/presets/nixos/containerBase.nix 
@@ -11,7 +11,6 @@ modules.nixos.rclone-serve modules.nixos.rclone-sync modules.nixos.secrets - modules.nixos.cockroachdb-bin ]) ++ [ # Default modules which are usually included in nixos.nix diff --git a/profiles/pipedCluster/piped.nix b/presets/nixos/pipedNode.nix similarity index 56% rename from profiles/pipedCluster/piped.nix rename to presets/nixos/pipedNode.nix index aded9e8..a81e2c1 100644 --- a/profiles/pipedCluster/piped.nix +++ b/presets/nixos/pipedNode.nix @@ -1,17 +1,44 @@ { self, config, + tree, ... }: let - clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; - inherit (clusterConfig) hosts ports; + inherit (builtins) attrNames elem; - currentHostName = config.networking.hostName; - currentHostConfig = hosts.${currentHostName}; + wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix"; + wireguardHosts = wireguardData.hosts; - baseDomain = currentHostConfig.baseDomain; + hostName = config.networking.hostName; + + defaultPorts = { + internalPipedBackend = 3012; + internalPipedProxy = 3013; + + internalNginxPort = 8199; + }; + + hostConfigs = { + "piped-fi" = { + baseDomain = "piped-fi.owo.monster"; + ports = defaultPorts; + }; + "piped-uk" = { + baseDomain = "piped-uk.owo.monster"; + ports = defaultPorts; + }; + }; + + hostConfig = + if elem hostName (attrNames hostConfigs) + then hostConfigs.${hostName} + else throw "host isn't configured for piped node"; + + inherit (hostConfig) baseDomain ports; in { - systemd.coredump.enable = true; + imports = with tree; [ + profiles.nginx + ]; services.piped = { enable = true; @@ -42,10 +69,9 @@ in { disablePostgresDB = true; name = "piped"; username = "piped"; - passwordFile = builtins.toFile "password-file" "piped"; - host = "127.0.0.1"; - port = ports.cockroachDB; - dialect = "org.hibernate.dialect.CockroachDialect"; + usePassword = false; + host = "${wireguardHosts."hetzner-arm".ip}"; + port = 5434; }; }; 
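Review bot: `port = 5434;` and `usePassword = false;` under `services.piped.database` hard-code the contract with hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix (which sets `port = 5434` and `trust` rules for these two WireGuard addresses) in two unrelated files, so a change on either side breaks the other without any evaluation error; this commit deletes data/piped/pipedClusterPorts.nix, which was the shared place for exactly this kind of value. Keeping one data file for the PostgreSQL port, and a shared secret if password auth is adopted on the database side, would restore that coupling in one place. Failing that, a comment such as `# no password: piped-db's pg_hba trusts the WireGuard addresses of piped-fi and piped-uk, see hetzner-arm/containers/piped-db/profiles/postgres.nix` on `usePassword` documents the dependency. The `imports` here only pull in `profiles.nginx`, while the per-container default.nix files in this commit drop `profiles.firewallAllow.httpCommon`; with the container firewall forced off that was probably a no-op, but it is worth confirming nothing else relied on it.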
@@ -70,42 +96,28 @@ in { ]; }; - systemd.services.piped-backend = { - after = ["network.target" "cockroachdb.service" "haproxy.service"]; - wants = ["network.target" "cockroachdb.service" "haproxy.service"]; - }; - services.nginx.virtualHosts = let componentPath = component: "/var/sockets/piped-${component}.sock"; + listen = [ + { + addr = "127.0.0.1"; + port = ports.internalNginxPort; + } + ]; in { "${baseDomain}" = { - listen = [ - { - addr = "127.0.0.1"; - port = 8091; - } - ]; + inherit listen; extraConfig = "listen unix:${componentPath "frontend"};"; }; "backend.${baseDomain}" = { + inherit listen; extraConfig = "listen unix:${componentPath "backend"};"; - listen = [ - { - addr = "127.0.0.1"; - port = 8092; - } - ]; }; "proxy.${baseDomain}" = { + inherit listen; extraConfig = "listen unix:${componentPath "proxy"};"; - listen = [ - { - addr = "127.0.0.1"; - port = 8093; - } - ]; }; }; } diff --git a/presets/nixos/serverBase.nix b/presets/nixos/serverBase.nix index f0b90ec..3448348 100644 --- a/presets/nixos/serverBase.nix +++ b/presets/nixos/serverBase.nix @@ -27,6 +27,8 @@ ''; boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; "fs.inotify.max_user_watches" = 1024 * 64 * 16; }; diff --git a/profiles/pipedCluster/cockroachDB.nix b/profiles/pipedCluster/cockroachDB.nix deleted file mode 100644 index 0c518bb..0000000 --- a/profiles/pipedCluster/cockroachDB.nix +++ /dev/null 
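Review bot: Removing the `systemd.services.piped-backend` `after`/`wants` block leaves the backend with no ordering at all, at the same time as its database moves to another host reached over WireGuard; on a cold boot the backend can start before the tunnel is up and fail its first connection, which only matters if the unit does not retry. `systemd.services.piped-backend = { after = ["network-online.target"]; wants = ["network-online.target"]; };` keeps the minimal ordering (the WireGuard unit name is not visible here). The three virtual hosts now share one `listen` on `127.0.0.1:${ports.internalNginxPort}` and are distinguished by `server_name` alone, which is fine, but the first one becomes the default server for that port, so anything that previously hit 8091–8093 directly needs updating.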
@@ -1,37 +0,0 @@ -{ - self, - config, - lib, - ... -}: let - inherit (lib.lists) filter; - inherit (builtins) attrNames; - - clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; - inherit (clusterConfig) hosts ports; - - currentHostName = config.networking.hostName; - - joinString = lib.concatStringsSep "," ( - map - (hostName: hosts.${hostName}.joinString) - (filter (hostName: hostName != currentHostName) (attrNames hosts)) - ); -in { - systemd.services.haproxy.wantedBy = ["piped-backend.service"]; - - services.cockroachdb-bin = { - enable = true; - certsDir = "/var/lib/cockroachdb-certs"; - join = joinString; - extraArgs = ["--advertise-addr=${hosts.${currentHostName}.advertiseAddr}"]; - listen = { - port = ports.cockroachDB; - address = "0.0.0.0"; - }; - http = { - address = "0.0.0.0"; - port = ports.cockroachDB_HTTP; - }; - }; -} diff --git a/profiles/pipedCluster/haproxy.nix b/profiles/pipedCluster/haproxy.nix deleted file mode 100644 index 4ec55d6..0000000 --- a/profiles/pipedCluster/haproxy.nix +++ /dev/null @@ -1,36 +0,0 @@ -{self, ...}: let - inherit (builtins) concatStringsSep attrNames; - - clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; - inherit (clusterConfig) hosts ports; -in { - systemd.services.haproxy.wantedBy = ["piped-backend.service"]; - - services.haproxy = { - enable = true; - config = '' - global - maxconn 4096 - - defaults - mode tcp - retries 5 - timeout connect 5s - timeout client 10m - timeout server 10m - option clitcpka - - listen psql - bind :${toString ports.cockroachDB_HAProxy} - mode tcp - balance roundrobin - option httpchk GET /health?ready=1 - ${concatStringsSep "\n" ( - map (serverConfig: " " + serverConfig) - (map ( - hostName: "server ${hostName} ${hosts.${hostName}.advertiseAddr} check port ${toString ports.cockroachDB_HTTP}" - ) (attrNames hosts)) - )} - ''; - }; -} 
diff --git a/profiles/pipedCluster/restic.nix b/profiles/pipedCluster/restic.nix
deleted file mode 100644
index 60e409c..0000000
--- a/profiles/pipedCluster/restic.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- self,
- pkgs,
- config,
- ...
-}: let
- secrets = config.services.secrets.secrets;
-
- clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
-
- currentHostConfig = clusterConfig.hosts.${config.networking.hostName};
- inherit (currentHostConfig) resticName resticBucket;
-in {
- environment.systemPackages = with pkgs; [
- restic
- (pkgs.writeShellScriptBin "restic-${resticName}" ''
- env \
- RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
- $(cat ${secrets.restic_env.path}) \
- ${pkgs.restic}/bin/restic $@
- '')
- ];
-
- services.restic.backups.${resticName} = {
- user = "root";
- paths = [
- "/var/lib/cockroachdb"
- "/var/lib/cockroachdb-certs"
- ];
-
- repository = "rest:https://storage-restic.owo.monster/${resticBucket}";
- passwordFile = "${secrets.restic_password.path}";
- environmentFile = "${secrets.restic_env.path}";
-
- pruneOpts = [
- "--keep-last 5"
- ];
-
- timerConfig = {
- OnBootSec = "1m";
- OnCalendar = "daily";
- };
- };
-}
diff --git a/result-man b/result-man
deleted file mode 120000
index 304314d..0000000
--- a/result-man
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/026j6nzg6hyllkkvzjnqnarxwrc32nsa-bash-5.2-p15-man
\ No newline at end of file