chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

move piped to single db away from cockroachdb

Browse source
This commit is contained in:
chaos 2023-09-21 16:59:51 +01:00
parent 90f450d7d9
commit dd3790c14d
No known key found for this signature in database
29 changed files with 237 additions and 710 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
data/piped/pipedClusterConfig.nix
View file

@ -1,31 +0,0 @@
let
internalWireGuard = import ../wireguard/chaosInternalWireGuard.nix;
ports = import ./pipedClusterPorts.nix;
in rec {
inherit ports;
hosts = {
# map of hostname to config for cluster node
"piped-fi" = rec {
ip = "${internalWireGuard.hosts.hetzner-arm.ip}";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-arm
joinString = "${ip}:${toString ports.cockroachDB}";
advertiseAddr = joinString;
resticName = "piped-finland";
resticBucket = "Piped-Finland";
baseDomain = "piped-fi.owo.monster";
};
"piped-uk" = rec {
ip = "${internalWireGuard.hosts.raspberry.ip}";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry
joinString = "${ip}:${toString ports.cockroachDB}";
advertiseAddr = joinString;
resticName = "piped-uk";
resticBucket = "Piped-UK";
baseDomain = "piped-uk.owo.monster";
};
};
}

8
data/piped/pipedClusterPorts.nix
View file

@ -1,8 +0,0 @@
{
internalPipedBackend = 3012;
internalPipedProxy = 3013;
cockroachDB = 26257;
cockroachDB_HTTP = 3014;
cockroachDB_HAProxy = 26258;
}

5
home/apps/firefox.nix
View file

@ -106,10 +106,7 @@ in {
# browser toolbar and UI # browser toolbar and UI
# may need updating when extensions change # may need updating when extensions change
"browser.toolbars.bookmarks.visibility" = "always"; "browser.toolbars.bookmarks.visibility" = "always";
"layout.css.devPixelsPerPx" = "layout.css.devPixelsPerPx" = "1.4";
if nixosConfig.networking.hostName == "lappy-t495"
then "1.4"
else "1.8";
"browser.uiCustomization.state" = builtins.toJSON { "browser.uiCustomization.state" = builtins.toJSON {
currentVersion = 18; currentVersion = 18;
dirtyAreaCache = [ dirtyAreaCache = [

41
hosts/hetzner-arm/containers/piped-db/default.nix Normal file
View file

@ -0,0 +1,41 @@
{
self,
hostPath,
tree,
inputs,
config,
pkgs,
lib,
...
}: let
inherit (lib.modules) mkForce;
in {
containers.piped-db = {
autoStart = true;
privateNetwork = false;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree; [
presets.nixos.containerBase
./secrets.nix
./profiles/postgres.nix
./profiles/restic.nix
];
networking.firewall.enable = mkForce false;
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
}

21
hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix Normal file
View file

@ -0,0 +1,21 @@
{self, ...}: let
wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
wireguardHosts = wireguardData.hosts;
in {
services.postgresql = {
enable = true;
port = 5434;
enableTCPIP = true;
ensureUsers = [
{
name = "piped";
ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
}
];
ensureDatabases = ["piped"];
authentication = ''
host piped piped ${wireguardHosts."raspberry".ip}/32 trust
host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust
'';
};
}

55
hosts/hetzner-arm/containers/piped-db/profiles/restic.nix Normal file
View file

@ -0,0 +1,55 @@
{
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
backupPrepareCommand = "${
(pkgs.writeShellScriptBin "backupPrepareCommand" ''
systemctl start postgresqlBackup-piped --wait
'')
}/bin/backupPrepareCommand";
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-piped" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.piped = {
user = "root";
paths = [
"/var/backup/postgresql"
];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Piped";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = [
"--keep-last 5"
];
timerConfig = {
OnBootSec = "1m";
OnCalendar = "daily";
};
inherit backupPrepareCommand;
};
services.postgresqlBackup = {
enable = true;
backupAll = false;
pgdumpOptions = "-p ${toString config.services.postgresql.port}";
databases = ["piped"];
compression = "zstd";
};
}

38
hosts/hetzner-arm/containers/piped-db/secrets.nix Normal file
View file

@ -0,0 +1,38 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-piped-db";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Piped"
"private-public-keys/data/restic/Piped"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Piped" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
'';
};
};
};
}

23
hosts/hetzner-arm/containers/piped-fi/default.nix
View file

@ -10,13 +10,14 @@
}: let }: let
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
containerName = "piped-fi"; pipedName = "piped-fi";
containerName = pipedName;
pipedSocketForComponent = ( pipedSocketForComponent = (
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
); );
in { in {
containers.piped-fi = { containers.${containerName} = {
autoStart = true; autoStart = true;
privateNetwork = false; privateNetwork = false;
@ -32,17 +33,7 @@ in {
imports = with tree; [ imports = with tree; [
presets.nixos.containerBase presets.nixos.containerBase
presets.nixos.pipedNode
profiles.nginx
profiles.firewallAllow.httpCommon
profiles.pipedCluster
./secrets.nix
];
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
]; ];
networking.firewall.enable = mkForce false; networking.firewall.enable = mkForce false;
@ -52,7 +43,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."piped-fi.owo.monster" = { services.nginx.virtualHosts."${pipedName}.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -60,7 +51,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."backend.piped-fi.owo.monster" = { services.nginx.virtualHosts."backend.${pipedName}.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -68,7 +59,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = { services.nginx.virtualHosts."proxy.${pipedName}.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {

75
hosts/hetzner-arm/containers/piped-fi/secrets.nix
View file

@ -1,75 +0,0 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-piped-fi";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Piped-Finland"
"private-public-keys/data/piped-cockroachdb-ca/nodes/piped-fi"
"private-public-keys/data/restic/Piped-Finland"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
'';
};
cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
cockroachdb_node_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_certificate \
| base64 -d > "$secretFile"
'';
};
cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_key \
| base64 -d > "$secretFile"
'';
};
};
};
}

5
hosts/hetzner-arm/containers/storage/data/ports.nix
View file

@ -7,9 +7,8 @@
rclone_serve_restic_vault = 4211; rclone_serve_restic_vault = 4211;
rclone_serve_restic_social = 4212; rclone_serve_restic_social = 4212;
rclone_serve_restic_quassel = 4213; rclone_serve_restic_quassel = 4213;
rclone_serve_restic_piped_finland = 4214; rclone_serve_restic_piped = 4214;
rclone_serve_restic_piped_uk = 4215; rclone_serve_restic_mail = 4215;
rclone_serve_restic_mail = 4216;
rclone_serve_http_music = 4220; rclone_serve_http_music = 4220;
rclone_serve_http_public = 4221; rclone_serve_http_public = 4221;

3
hosts/hetzner-arm/containers/storage/default.nix
View file

@ -95,8 +95,7 @@ in {
"/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}"; "/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}";
"/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}"; "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}";
"/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}"; "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
"/Piped-Finland/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_finland}"; "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
"/Piped-UK/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_uk}";
"/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
}; };
extraConfig = '' extraConfig = ''

20
hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
View file

@ -117,23 +117,13 @@ in {
]; ];
} }
{ {
id = "restic-piped-finland"; id = "restic-piped";
remote = "StorageBox:Backups/Restic/Piped-Finland"; remote = "StorageBox:Backups/Restic/Piped";
type = "restic"; type = "restic";
extraArgs = [ extraArgs = [
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_finland}" "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}"
"--htpasswd=${secrets.restic_piped_finland_htpasswd.path}" "--htpasswd=${secrets.restic_piped_htpasswd.path}"
"--baseurl=/Piped-Finland/" "--baseurl=/Piped/"
];
}
{
id = "restic-piped-uk";
remote = "StorageBox:Backups/Restic/Piped-UK";
type = "restic";
extraArgs = [
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_uk}"
"--htpasswd=${secrets.restic_piped_uk_htpasswd.path}"
"--baseurl=/Piped-UK/"
]; ];
} }
{ {

27
hosts/hetzner-arm/containers/storage/secrets.nix
View file

@ -28,8 +28,7 @@
"api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Vault"
"api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Social"
"api-keys/data/storage/restic/Quassel" "api-keys/data/storage/restic/Quassel"
"api-keys/data/storage/restic/Piped-Finland" "api-keys/data/storage/restic/Piped"
"api-keys/data/storage/restic/Piped-UK"
"api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Mail"
"api-keys/data/storage/webdav/main" "api-keys/data/storage/webdav/main"
@ -66,11 +65,11 @@
} }
simple_get_replace_crypt() { simple_get_replace_crypt() {
password=$(simple_get "$1" .password | replace_slash_for_sed) password=$(simple_get_obscure "$1" .password)
salt=$(simple_get "$1" .salt | replace_slash_for_sed) salt=$(simple_get_obscure "$1" .salt)
replace_password=''${2}_ACCOUNT replace_password=''${2}_PASSWORD
replace_salt=''${2}_KEY replace_salt=''${2}_SALT
sed -i "s/$replace_password/$password/" "$3" sed -i "s/$replace_password/$password/" "$3"
sed -i "s/$replace_salt/$salt/" "$3" sed -i "s/$replace_salt/$salt/" "$3"
@ -118,22 +117,12 @@
''; '';
}; };
restic_piped_finland_htpasswd = { restic_piped_htpasswd = {
user = "storage"; user = "storage";
group = "storage"; group = "storage";
fetchScript = '' fetchScript = ''
username=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username) username=$(simple_get "/api-keys/storage/restic/Piped" .username)
password=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password) password=$(simple_get "/api-keys/storage/restic/Piped" .password)
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
'';
};
restic_piped_uk_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
username=$(simple_get "/api-keys/storage/restic/Piped-UK" .username)
password=$(simple_get "/api-keys/storage/restic/Piped-UK" .password)
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
''; '';
}; };

1
hosts/hetzner-arm/hetzner-arm.nix
View file

@ -24,6 +24,7 @@ in {
"storage" "storage"
"music" "music"
"quassel" "quassel"
"piped-db"
"piped-fi" "piped-fi"
"mail" "mail"
] (name: ./containers + "/${name}")) ] (name: ./containers + "/${name}"))

1
hosts/nixos.nix
View file

@ -36,7 +36,6 @@
tree.modules.nixos.rclone-serve tree.modules.nixos.rclone-serve
tree.modules.nixos.rclone-sync tree.modules.nixos.rclone-sync
tree.modules.nixos.secrets tree.modules.nixos.secrets
tree.modules.nixos.cockroachdb-bin
]; ];
nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem; nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem;

23
hosts/raspberry/containers/piped-uk/default.nix
View file

@ -10,13 +10,14 @@
}: let }: let
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
containerName = "piped-uk"; pipedName = "piped-uk";
containerName = pipedName;
pipedSocketForComponent = ( pipedSocketForComponent = (
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
); );
in { in {
containers.piped-uk = { containers.${containerName} = {
autoStart = true; autoStart = true;
privateNetwork = false; privateNetwork = false;
@ -32,17 +33,7 @@ in {
imports = with tree; [ imports = with tree; [
presets.nixos.containerBase presets.nixos.containerBase
presets.nixos.pipedNode
profiles.nginx
profiles.firewallAllow.httpCommon
profiles.pipedCluster
./secrets.nix
];
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
]; ];
networking.firewall.enable = mkForce false; networking.firewall.enable = mkForce false;
@ -52,7 +43,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."piped-uk.owo.monster" = { services.nginx.virtualHosts."${pipedName}.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -60,7 +51,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."backend.piped-uk.owo.monster" = { services.nginx.virtualHosts."backend.${pipedName}.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -68,7 +59,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."proxy.piped-uk.owo.monster" = { services.nginx.virtualHosts."proxy.${pipedName}.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {

65
hosts/raspberry/containers/piped-uk/secrets.nix
View file

@ -1,65 +0,0 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "raspberry-container-piped-uk";
};
autoSecrets = {
enable = true;
affectedSystemdServices = ["cockroachdb"];
};
requiredVaultPaths = [
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
];
secrets = {
vault_password = {
manual = true;
};
cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
cockroachdb_node_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
| base64 -d > "$secretFile"
'';
};
cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
| base64 -d > "$secretFile"
'';
};
};
};
}

4
hosts/vault/secrets.nix
View file

@ -15,8 +15,8 @@
}; };
requiredVaultPaths = [ requiredVaultPaths = [
"/private-public-keys/data/ssh/root@vault" "private-public-keys/data/ssh/root@vault"
"/private-public-keys/data/ssh/root@vault-decrypt" "private-public-keys/data/ssh/root@vault-decrypt"
"private-public-keys/data/restic/Vault" "private-public-keys/data/restic/Vault"

248
modules/nixos/cockroachdb-bin.nix
View file

@ -1,248 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.cockroachdb-bin;
crdb = cfg.package;
escapeSystemdExecArg = arg: let
s =
if builtins.isPath arg
then "${arg}"
else if builtins.isString arg
then arg
else if builtins.isInt arg || builtins.isFloat arg
then toString arg
else throw "escapeSystemdExecArg only allows strings, paths and numbers";
in
lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s);
# Quotes a list of arguments into a single string for use in a Exec*
# line.
escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg;
startupCommand =
escapeSystemdExecArgs
([
# Basic startup
"${crdb}/bin/cockroach"
(
if (cfg.join != null)
then "start"
else "start-single-node"
)
"--logtostderr"
"--store=/var/lib/cockroachdb"
# WebUI settings
"--http-addr=${cfg.http.address}:${toString cfg.http.port}"
# Cluster listen address
"--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
# Cache and memory settings.
"--cache=${cfg.cache}"
"--max-sql-memory=${cfg.maxSqlMemory}"
# Certificate/security settings.
(
if cfg.insecure
then "--insecure"
else "--certs-dir=${cfg.certsDir}"
)
]
++ lib.optional (cfg.join != null) "--join=${cfg.join}"
++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
++ cfg.extraArgs);
addressOption = descr: defaultPort: {
address = mkOption {
type = types.str;
default = "localhost";
description = lib.mdDoc "Address to bind to for ${descr}";
};
port = mkOption {
type = types.port;
default = defaultPort;
description = lib.mdDoc "Port to bind to for ${descr}";
};
};
in {
options = {
services.cockroachdb-bin = {
enable = mkEnableOption (lib.mdDoc "CockroachDB Server");
listen = addressOption "intra-cluster communication" 26257;
http = addressOption "http-based Admin UI" 8080;
locality = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
An ordered, comma-separated list of key-value pairs that describe the
topography of the machine. Topography might include country,
datacenter or rack designations. Data is automatically replicated to
maximize diversities of each tier. The order of tiers is used to
determine the priority of the diversity, so the more inclusive
localities like country should come before less inclusive localities
like datacenter. The tiers and order must be the same on all nodes.
Including more tiers is better than including fewer. For example:
```
country=us,region=us-west,datacenter=us-west-1b,rack=12
country=ca,region=ca-east,datacenter=ca-east-2,rack=4
planet=earth,province=manitoba,colo=secondary,power=3
```
'';
};
join = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc "The addresses for connecting the node to a cluster.";
};
insecure = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Run in insecure mode.";
};
certsDir = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mdDoc "The path to the certificate directory.";
};
user = mkOption {
type = types.str;
default = "cockroachdb";
description = lib.mdDoc "User account under which CockroachDB runs";
};
group = mkOption {
type = types.str;
default = "cockroachdb";
description = lib.mdDoc "User account under which CockroachDB runs";
};
openPorts = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Open firewall ports for cluster communication by default";
};
cache = mkOption {
type = types.str;
default = "25%";
description = lib.mdDoc ''
The total size for caches.
This can be a percentage, expressed with a fraction sign or as a
decimal-point number, or any bytes-based unit. For example,
`"25%"`, `"0.25"` both represent
25% of the available system memory. The values
`"1000000000"` and `"1GB"` both
represent 1 gigabyte of memory.
'';
};
maxSqlMemory = mkOption {
type = types.str;
default = "25%";
description = lib.mdDoc ''
The maximum in-memory storage capacity available to store temporary
data for SQL queries.
This can be a percentage, expressed with a fraction sign or as a
decimal-point number, or any bytes-based unit. For example,
`"25%"`, `"0.25"` both represent
25% of the available system memory. The values
`"1000000000"` and `"1GB"` both
represent 1 gigabyte of memory.
'';
};
package = mkOption {
type = types.package;
default = pkgs.cockroachdb-bin;
defaultText = literalExpression "pkgs.cockroachdb-bin";
description = lib.mdDoc ''
The CockroachDB derivation to use for running the service.
'';
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
example = ["--advertise-addr" "[fe80::f6f2:::]"];
description = lib.mdDoc ''
Extra CLI arguments passed to {command}`cockroach start`.
For the full list of supported arguments, check <https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags>
'';
};
};
};
config = mkIf config.services.cockroachdb-bin.enable {
assertions = [
{
assertion = !cfg.insecure -> cfg.certsDir != null;
message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)";
}
];
environment.systemPackages = [crdb];
users.users = optionalAttrs (cfg.user == "cockroachdb") {
cockroachdb = {
description = "CockroachDB Server User";
uid = config.ids.uids.cockroachdb;
group = cfg.group;
};
};
users.groups = optionalAttrs (cfg.group == "cockroachdb") {
cockroachdb.gid = config.ids.gids.cockroachdb;
};
networking.firewall.allowedTCPPorts =
lib.optionals cfg.openPorts
[cfg.http.port cfg.listen.port];
systemd.services.cockroachdb = {
description = "CockroachDB Server";
documentation = ["man:cockroach(1)" "https://www.cockroachlabs.com"];
after = ["network.target" "time-sync.target"];
requires = ["time-sync.target"];
wantedBy = ["multi-user.target"];
unitConfig.RequiresMountsFor = "/var/lib/cockroachdb";
serviceConfig = {
ExecStart = startupCommand;
Type = "notify";
User = cfg.user;
StateDirectory = "cockroachdb";
StateDirectoryMode = "0700";
Restart = "always";
# A conservative-ish timeout is alright here, because for Type=notify
# cockroach will send systemd pings during startup to keep it alive
TimeoutStopSec = 60;
RestartSec = 10;
};
};
};
meta.maintainers = with lib.maintainers; [thoughtpolice];
}

3
outputs.nix
View file

@ -66,7 +66,6 @@ in
inherit (pkgs) comic-code comic-sans; inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive; inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
inherit (pkgs) gotosocial; inherit (pkgs) gotosocial;
inherit (pkgs) cockroachdb;
inherit (pkgs) piped-backend piped-frontend piped-proxy; inherit (pkgs) piped-backend piped-frontend piped-proxy;
inherit (pkgs) kitty-terminfo; inherit (pkgs) kitty-terminfo;
}; };
@ -141,7 +140,7 @@ in
# All machines/containers with secrets.nix # All machines/containers with secrets.nix
machines = rec { machines = rec {
"hetzner-arm" = { "hetzner-arm" = {
containers = ["storage" "music" "quassel" "social" "mail" "piped-fi"]; containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi"];
sshAddress = "hetzner-arm.servers.genderfucked.monster"; sshAddress = "hetzner-arm.servers.genderfucked.monster";
}; };
"vault" = { "vault" = {

48
overlay/cockroachdb-bin/default.nix
View file

@ -1,48 +0,0 @@
{
lib,
stdenv,
autoPatchelfHook,
fetchzip,
}:
stdenv.mkDerivation rec {
pname = "cockroachdb-bin";
version = "23.1.9";
src = let
inherit (stdenv.hostPlatform) system;
selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
suffix = selectSystem {
x86_64-linux = "linux-amd64";
aarch64-linux = "linux-arm64";
};
sha256 = selectSystem {
x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU=";
aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s=";
};
in
fetchzip {
url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz";
inherit sha256;
};
dontConfigure = true;
dontBuild = true;
dontStrip = stdenv.isDarwin;
nativeBuildInputs = [autoPatchelfHook];
installPhase = ''
runHook preInstall
install -D cockroach $out/bin/cockroach
runHook postInstall
'';
meta = with lib; {
homepage = "https://www.cockroachlabs.com";
description = "A scalable, survivable, strongly-consistent SQL database";
license = licenses.bsl11;
mainProgram = "cockroach";
sourceProvenance = with sourceTypes; [binaryNativeCode];
platforms = ["x86_64-linux" "aarch64-linux"];
};
}

3
overlay/default.nix
View file

@ -13,9 +13,6 @@ final: prev: rec {
cp -r ${./kitty-terminfo}/* $out/share cp -r ${./kitty-terminfo}/* $out/share
''; '';
cockroachdb-bin = final.callPackage ./cockroachdb-bin {};
cockroachdb = cockroachdb-bin;
gotosocial = prev.gotosocial.overrideAttrs (_old: let gotosocial = prev.gotosocial.overrideAttrs (_old: let
owner = "superseriousbusiness"; owner = "superseriousbusiness";
repo = "gotosocial"; repo = "gotosocial";

1
presets/nixos/containerBase.nix
View file

@ -11,7 +11,6 @@
modules.nixos.rclone-serve modules.nixos.rclone-serve
modules.nixos.rclone-sync modules.nixos.rclone-sync
modules.nixos.secrets modules.nixos.secrets
modules.nixos.cockroachdb-bin
]) ])
++ [ ++ [
# Default modules which are usually included in nixos.nix # Default modules which are usually included in nixos.nix

78
profiles/pipedCluster/piped.nix → presets/nixos/pipedNode.nix
View file

@ -1,17 +1,44 @@
{ {
self, self,
config, config,
tree,
... ...
}: let }: let
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; inherit (builtins) attrNames elem;
inherit (clusterConfig) hosts ports;
currentHostName = config.networking.hostName; wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
currentHostConfig = hosts.${currentHostName}; wireguardHosts = wireguardData.hosts;
baseDomain = currentHostConfig.baseDomain; hostName = config.networking.hostName;
defaultPorts = {
internalPipedBackend = 3012;
internalPipedProxy = 3013;
internalNginxPort = 8199;
};
hostConfigs = {
"piped-fi" = {
baseDomain = "piped-fi.owo.monster";
ports = defaultPorts;
};
"piped-uk" = {
baseDomain = "piped-uk.owo.monster";
ports = defaultPorts;
};
};
hostConfig =
if elem hostName (attrNames hostConfigs)
then hostConfigs.${hostName}
else throw "host isn't configured for piped node";
inherit (hostConfig) baseDomain ports;
in { in {
systemd.coredump.enable = true; imports = with tree; [
profiles.nginx
];
services.piped = { services.piped = {
enable = true; enable = true;
@ -42,10 +69,9 @@ in {
disablePostgresDB = true; disablePostgresDB = true;
name = "piped"; name = "piped";
username = "piped"; username = "piped";
passwordFile = builtins.toFile "password-file" "piped"; usePassword = false;
host = "127.0.0.1"; host = "${wireguardHosts."hetzner-arm".ip}";
port = ports.cockroachDB; port = 5434;
dialect = "org.hibernate.dialect.CockroachDialect";
}; };
}; };
@ -70,42 +96,28 @@ in {
]; ];
}; };
systemd.services.piped-backend = {
after = ["network.target" "cockroachdb.service" "haproxy.service"];
wants = ["network.target" "cockroachdb.service" "haproxy.service"];
};
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
componentPath = component: "/var/sockets/piped-${component}.sock"; componentPath = component: "/var/sockets/piped-${component}.sock";
listen = [
{
addr = "127.0.0.1";
port = ports.internalNginxPort;
}
];
in { in {
"${baseDomain}" = { "${baseDomain}" = {
listen = [ inherit listen;
{
addr = "127.0.0.1";
port = 8091;
}
];
extraConfig = "listen unix:${componentPath "frontend"};"; extraConfig = "listen unix:${componentPath "frontend"};";
}; };
"backend.${baseDomain}" = { "backend.${baseDomain}" = {
inherit listen;
extraConfig = "listen unix:${componentPath "backend"};"; extraConfig = "listen unix:${componentPath "backend"};";
listen = [
{
addr = "127.0.0.1";
port = 8092;
}
];
}; };
"proxy.${baseDomain}" = { "proxy.${baseDomain}" = {
inherit listen;
extraConfig = "listen unix:${componentPath "proxy"};"; extraConfig = "listen unix:${componentPath "proxy"};";
listen = [
{
addr = "127.0.0.1";
port = 8093;
}
];
}; };
}; };
} }

2
presets/nixos/serverBase.nix
View file

@ -27,6 +27,8 @@
''; '';
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
"fs.inotify.max_user_watches" = 1024 * 64 * 16; "fs.inotify.max_user_watches" = 1024 * 64 * 16;
}; };

37
profiles/pipedCluster/cockroachDB.nix
View file

@ -1,37 +0,0 @@
{
self,
config,
lib,
...
}: let
inherit (lib.lists) filter;
inherit (builtins) attrNames;
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports;
currentHostName = config.networking.hostName;
joinString = lib.concatStringsSep "," (
map
(hostName: hosts.${hostName}.joinString)
(filter (hostName: hostName != currentHostName) (attrNames hosts))
);
in {
systemd.services.haproxy.wantedBy = ["piped-backend.service"];
services.cockroachdb-bin = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = joinString;
extraArgs = ["--advertise-addr=${hosts.${currentHostName}.advertiseAddr}"];
listen = {
port = ports.cockroachDB;
address = "0.0.0.0";
};
http = {
address = "0.0.0.0";
port = ports.cockroachDB_HTTP;
};
};
}

36
profiles/pipedCluster/haproxy.nix
View file

@ -1,36 +0,0 @@
{self, ...}: let
inherit (builtins) concatStringsSep attrNames;
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports;
in {
systemd.services.haproxy.wantedBy = ["piped-backend.service"];
services.haproxy = {
enable = true;
config = ''
global
maxconn 4096
defaults
mode tcp
retries 5
timeout connect 5s
timeout client 10m
timeout server 10m
option clitcpka
listen psql
bind :${toString ports.cockroachDB_HAProxy}
mode tcp
balance roundrobin
option httpchk GET /health?ready=1
${concatStringsSep "\n" (
map (serverConfig: " " + serverConfig)
(map (
hostName: "server ${hostName} ${hosts.${hostName}.advertiseAddr} check port ${toString ports.cockroachDB_HTTP}"
) (attrNames hosts))
)}
'';
};
}

44
profiles/pipedCluster/restic.nix
View file

@ -1,44 +0,0 @@
{
self,
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
currentHostConfig = clusterConfig.hosts.${config.networking.hostName};
inherit (currentHostConfig) resticName resticBucket;
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-${resticName}" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.${resticName} = {
user = "root";
paths = [
"/var/lib/cockroachdb"
"/var/lib/cockroachdb-certs"
];
repository = "rest:https://storage-restic.owo.monster/${resticBucket}";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = [
"--keep-last 5"
];
timerConfig = {
OnBootSec = "1m";
OnCalendar = "daily";
};
};
}

1
result-man
View file

@ -1 +0,0 @@
/nix/store/026j6nzg6hyllkkvzjnqnarxwrc32nsa-bash-5.2-p15-man