move piped to single db away from cockroachdb
This commit is contained in:
parent
90f450d7d9
commit
dd3790c14d
|
@ -1,31 +0,0 @@
|
|||
let
|
||||
internalWireGuard = import ../wireguard/chaosInternalWireGuard.nix;
|
||||
ports = import ./pipedClusterPorts.nix;
|
||||
in rec {
|
||||
inherit ports;
|
||||
|
||||
hosts = {
|
||||
# map of hostname to config for cluster node
|
||||
"piped-fi" = rec {
|
||||
ip = "${internalWireGuard.hosts.hetzner-arm.ip}";
|
||||
|
||||
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-arm
|
||||
joinString = "${ip}:${toString ports.cockroachDB}";
|
||||
advertiseAddr = joinString;
|
||||
|
||||
resticName = "piped-finland";
|
||||
resticBucket = "Piped-Finland";
|
||||
baseDomain = "piped-fi.owo.monster";
|
||||
};
|
||||
|
||||
"piped-uk" = rec {
|
||||
ip = "${internalWireGuard.hosts.raspberry.ip}";
|
||||
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry
|
||||
joinString = "${ip}:${toString ports.cockroachDB}";
|
||||
advertiseAddr = joinString;
|
||||
resticName = "piped-uk";
|
||||
resticBucket = "Piped-UK";
|
||||
baseDomain = "piped-uk.owo.monster";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,8 +0,0 @@
|
|||
{
|
||||
internalPipedBackend = 3012;
|
||||
internalPipedProxy = 3013;
|
||||
|
||||
cockroachDB = 26257;
|
||||
cockroachDB_HTTP = 3014;
|
||||
cockroachDB_HAProxy = 26258;
|
||||
}
|
|
@ -106,10 +106,7 @@ in {
|
|||
# browser toolbar and UI
|
||||
# may need updating when extensions change
|
||||
"browser.toolbars.bookmarks.visibility" = "always";
|
||||
"layout.css.devPixelsPerPx" =
|
||||
if nixosConfig.networking.hostName == "lappy-t495"
|
||||
then "1.4"
|
||||
else "1.8";
|
||||
"layout.css.devPixelsPerPx" = "1.4";
|
||||
"browser.uiCustomization.state" = builtins.toJSON {
|
||||
currentVersion = 18;
|
||||
dirtyAreaCache = [
|
||||
|
|
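--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/default.nix
@@ -0,0 +1,41 @@
+{
+self,
+hostPath,
+tree,
+inputs,
+config,
+pkgs,
+lib,
+...
+}: let
+inherit (lib.modules) mkForce;
+in {
+containers.piped-db = {
+autoStart = true;
+privateNetwork = false;
+
+specialArgs = {
+inherit inputs;
+inherit tree;
+inherit self;
+inherit hostPath;
+};
+
+config = {...}: {
+nixpkgs.pkgs = pkgs;
+
+imports = with tree; [
+presets.nixos.containerBase
+./secrets.nix
+
+./profiles/postgres.nix
+./profiles/restic.nix
+];
+
+networking.firewall.enable = mkForce false;
+
+home-manager.users.root.home.stateVersion = "23.05";
+system.stateVersion = "23.05";
+};
+};
+}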
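--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix
@@ -0,0 +1,21 @@
+{self, ...}: let
+wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
+wireguardHosts = wireguardData.hosts;
+in {
+services.postgresql = {
+enable = true;
+port = 5434;
+enableTCPIP = true;
+ensureUsers = [
+{
+name = "piped";
+ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
+}
+];
+ensureDatabases = ["piped"];
+authentication = ''
+host piped piped ${wireguardHosts."raspberry".ip}/32 trust
+host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust
+'';
+};
+}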
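Review bot: The `authentication` block trusts any client presenting one of the two WireGuard peer addresses (`host piped piped …/32 trust`) with no password, while `enableTCPIP = true` without a `settings.listen_addresses` leaves PostgreSQL bound to every interface; because the piped-db container runs with `privateNetwork = false` and `networking.firewall.enable = mkForce false` (piped-db/default.nix in this commit), port 5434 is reachable on all host interfaces and a `trust` login then depends entirely on the host firewall and on source-address filtering being correct. Bind the listener to the tunnel address only, `settings.listen_addresses = wireguardHosts."hetzner-arm".ip;` (wrapped in `lib.mkForce` if the module's own `listen_addresses` definition is not a `mkDefault`), and prefer `scram-sha-256` with a role password delivered through the secrets module — the piped backend already takes a `passwordFile`, and this commit switches it off with `usePassword = false` in the pipedNode preset. The `/32` entries remain useful as a second layer on top of that. `ensurePermissions` has been replaced by `ensureDBOwnership` in newer nixpkgs; check which one the pinned nixpkgs provides.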
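--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/profiles/restic.nix
@@ -0,0 +1,55 @@
+{
+pkgs,
+config,
+...
+}: let
+secrets = config.services.secrets.secrets;
+
+backupPrepareCommand = "${
+(pkgs.writeShellScriptBin "backupPrepareCommand" ''
+systemctl start postgresqlBackup-piped --wait
+'')
+}/bin/backupPrepareCommand";
+in {
+environment.systemPackages = with pkgs; [
+restic
+(pkgs.writeShellScriptBin "restic-piped" ''
+env \
+RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+$(cat ${secrets.restic_env.path}) \
+${pkgs.restic}/bin/restic $@
+'')
+];
+
+services.restic.backups.piped = {
+user = "root";
+paths = [
+"/var/backup/postgresql"
+];
+
+# repository is overrided in environmentFile to contain auth
+# make sure to keep up to date when changing repository
+repository = "rest:https://storage-restic.owo.monster/Piped";
+passwordFile = "${secrets.restic_password.path}";
+environmentFile = "${secrets.restic_env.path}";
+
+pruneOpts = [
+"--keep-last 5"
+];
+
+timerConfig = {
+OnBootSec = "1m";
+OnCalendar = "daily";
+};
+
+inherit backupPrepareCommand;
+};
+
+services.postgresqlBackup = {
+enable = true;
+backupAll = false;
+pgdumpOptions = "-p ${toString config.services.postgresql.port}";
+databases = ["piped"];
+compression = "zstd";
+};
+}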
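Review bot: In the `restic-piped` wrapper, `$(cat ${secrets.restic_env.path})` is expanded unquoted into the argument list of `env`, so the `RESTIC_REPOSITORY=rest:https://USER:PASSWORD@…` line that `restic_env` holds (see secrets.nix in this commit) becomes a process argument readable by every local user through the process list for as long as restic runs, and `$@` without quotes re-splits any argument containing spaces. Exporting the file into the environment before `exec`-ing restic keeps the credentials out of argv, and `"$@"` preserves the caller's arguments; the rewrite below replaces only the script body of that `writeShellScriptBin`. The comment above `repository` should read `# repository is overridden in environmentFile to contain auth`.
```nix
    (pkgs.writeShellScriptBin "restic-piped" ''
      set -a
      . ${secrets.restic_env.path}
      set +a
      RESTIC_PASSWORD_FILE=${secrets.restic_password.path} exec ${pkgs.restic}/bin/restic "$@"
    '')
```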
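--- /dev/null
+++ b/hosts/hetzner-arm/containers/piped-db/secrets.nix
@@ -0,0 +1,38 @@
+{...}: {
+services.secrets = {
+enable = true;
+
+vaultLogin = {
+enable = true;
+loginUsername = "hetzner-arm-container-piped-db";
+};
+
+autoSecrets = {
+enable = true;
+};
+
+requiredVaultPaths = [
+"api-keys/data/storage/restic/Piped"
+"private-public-keys/data/restic/Piped"
+];
+
+secrets = {
+vault_password = {
+manual = true;
+};
+
+restic_password = {
+fetchScript = ''
+simple_get "/private-public-keys/restic/Piped" .password > "$secretFile"
+'';
+};
+restic_env = {
+fetchScript = ''
+RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username)
+RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password)
+echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
+'';
+};
+};
+};
+}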
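Review bot: The `restic_env` fetchScript embeds `$RESTIC_USERNAME` and `$RESTIC_PASSWORD` in the repository URL without percent-encoding, so a credential containing `@`, `/`, `:` or `#` yields a malformed URL, and a credential containing a shell- or systemd-special character is parsed differently by the `EnvironmentFile` reader and by the `restic-piped` wrapper that reads the same file. Percent-encoding the two values before the `echo` fixes both at once, since the encoded alphabet contains no such characters (jq's `@uri` filter is the smallest change if the `simple_get` helper is jq-based, as its `.username` argument suggests; I cannot see the helper here). Neither `restic_password` nor `restic_env` sets `user`/`group`/`permissions`, unlike the per-node certificate secrets this commit deletes (`permissions = "600"`); the backup runs as root so that works, but confirm the module's default mode is not wider than needed, since the `restic-piped` wrapper is installed for every user via `environment.systemPackages`.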
|
@ -10,13 +10,14 @@
|
|||
}: let
|
||||
inherit (lib.modules) mkForce;
|
||||
|
||||
containerName = "piped-fi";
|
||||
pipedName = "piped-fi";
|
||||
containerName = pipedName;
|
||||
|
||||
pipedSocketForComponent = (
|
||||
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
|
||||
);
|
||||
in {
|
||||
containers.piped-fi = {
|
||||
containers.${containerName} = {
|
||||
autoStart = true;
|
||||
privateNetwork = false;
|
||||
|
||||
|
@ -32,17 +33,7 @@ in {
|
|||
|
||||
imports = with tree; [
|
||||
presets.nixos.containerBase
|
||||
|
||||
profiles.nginx
|
||||
profiles.firewallAllow.httpCommon
|
||||
|
||||
profiles.pipedCluster
|
||||
|
||||
./secrets.nix
|
||||
];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/cockroachdb-certs - root root"
|
||||
presets.nixos.pipedNode
|
||||
];
|
||||
|
||||
networking.firewall.enable = mkForce false;
|
||||
|
@ -52,7 +43,7 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."piped-fi.owo.monster" = {
|
||||
services.nginx.virtualHosts."${pipedName}.owo.monster" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
@ -60,7 +51,7 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."backend.piped-fi.owo.monster" = {
|
||||
services.nginx.virtualHosts."backend.${pipedName}.owo.monster" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
@ -68,7 +59,7 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = {
|
||||
services.nginx.virtualHosts."proxy.${pipedName}.owo.monster" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
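Review bot: After this change the piped-fi container's default.nix and the piped-uk container's default.nix (the later section starting `containerName = "piped-uk"`) differ only in the `pipedName` literal, since the per-node cockroachdb certificate and tmpfiles wiring that justified two copies is removed here. Consider lifting the body into one function in the shared tree, e.g. `mkPipedContainer = pipedName: {...}`, so each file reduces to the name and the nginx virtualHost and socket-path wiring live in a single place. The enclosing attribute set continues outside the shown hunks.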
|
|
@ -1,75 +0,0 @@
|
|||
{...}: {
|
||||
services.secrets = {
|
||||
enable = true;
|
||||
|
||||
vaultLogin = {
|
||||
enable = true;
|
||||
loginUsername = "hetzner-arm-container-piped-fi";
|
||||
};
|
||||
|
||||
autoSecrets = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
requiredVaultPaths = [
|
||||
"api-keys/data/storage/restic/Piped-Finland"
|
||||
|
||||
"private-public-keys/data/piped-cockroachdb-ca/nodes/piped-fi"
|
||||
|
||||
"private-public-keys/data/restic/Piped-Finland"
|
||||
];
|
||||
|
||||
secrets = {
|
||||
vault_password = {
|
||||
manual = true;
|
||||
};
|
||||
|
||||
restic_password = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/restic/Piped-Finland" .password > "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
restic_env = {
|
||||
fetchScript = ''
|
||||
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
|
||||
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
|
||||
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped-Finland" > "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
cockroachdb_ca_certificate = {
|
||||
user = "cockroachdb";
|
||||
group = "cockroachdb";
|
||||
permissions = "600";
|
||||
path = "/var/lib/cockroachdb-certs/ca.crt";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .ca_certificate \
|
||||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
cockroachdb_node_certificate = {
|
||||
user = "cockroachdb";
|
||||
group = "cockroachdb";
|
||||
permissions = "600";
|
||||
path = "/var/lib/cockroachdb-certs/node.crt";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_certificate \
|
||||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
cockroachdb_node_key = {
|
||||
user = "cockroachdb";
|
||||
group = "cockroachdb";
|
||||
permissions = "600";
|
||||
path = "/var/lib/cockroachdb-certs/node.key";
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/piped-fi" .node_key \
|
||||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -7,9 +7,8 @@
|
|||
rclone_serve_restic_vault = 4211;
|
||||
rclone_serve_restic_social = 4212;
|
||||
rclone_serve_restic_quassel = 4213;
|
||||
rclone_serve_restic_piped_finland = 4214;
|
||||
rclone_serve_restic_piped_uk = 4215;
|
||||
rclone_serve_restic_mail = 4216;
|
||||
rclone_serve_restic_piped = 4214;
|
||||
rclone_serve_restic_mail = 4215;
|
||||
|
||||
rclone_serve_http_music = 4220;
|
||||
rclone_serve_http_public = 4221;
|
||||
|
|
|
@ -95,8 +95,7 @@ in {
|
|||
"/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}";
|
||||
"/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}";
|
||||
"/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
|
||||
"/Piped-Finland/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_finland}";
|
||||
"/Piped-UK/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_uk}";
|
||||
"/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
|
||||
"/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
|
||||
};
|
||||
extraConfig = ''
|
||||
|
|
|
@ -117,23 +117,13 @@ in {
|
|||
];
|
||||
}
|
||||
{
|
||||
id = "restic-piped-finland";
|
||||
remote = "StorageBox:Backups/Restic/Piped-Finland";
|
||||
id = "restic-piped";
|
||||
remote = "StorageBox:Backups/Restic/Piped";
|
||||
type = "restic";
|
||||
extraArgs = [
|
||||
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_finland}"
|
||||
"--htpasswd=${secrets.restic_piped_finland_htpasswd.path}"
|
||||
"--baseurl=/Piped-Finland/"
|
||||
];
|
||||
}
|
||||
{
|
||||
id = "restic-piped-uk";
|
||||
remote = "StorageBox:Backups/Restic/Piped-UK";
|
||||
type = "restic";
|
||||
extraArgs = [
|
||||
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_uk}"
|
||||
"--htpasswd=${secrets.restic_piped_uk_htpasswd.path}"
|
||||
"--baseurl=/Piped-UK/"
|
||||
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}"
|
||||
"--htpasswd=${secrets.restic_piped_htpasswd.path}"
|
||||
"--baseurl=/Piped/"
|
||||
];
|
||||
}
|
||||
{
|
||||
|
|
|
@ -28,8 +28,7 @@
|
|||
"api-keys/data/storage/restic/Vault"
|
||||
"api-keys/data/storage/restic/Social"
|
||||
"api-keys/data/storage/restic/Quassel"
|
||||
"api-keys/data/storage/restic/Piped-Finland"
|
||||
"api-keys/data/storage/restic/Piped-UK"
|
||||
"api-keys/data/storage/restic/Piped"
|
||||
"api-keys/data/storage/restic/Mail"
|
||||
|
||||
"api-keys/data/storage/webdav/main"
|
||||
|
@ -66,11 +65,11 @@
|
|||
}
|
||||
|
||||
simple_get_replace_crypt() {
|
||||
password=$(simple_get "$1" .password | replace_slash_for_sed)
|
||||
salt=$(simple_get "$1" .salt | replace_slash_for_sed)
|
||||
password=$(simple_get_obscure "$1" .password)
|
||||
salt=$(simple_get_obscure "$1" .salt)
|
||||
|
||||
replace_password=''${2}_ACCOUNT
|
||||
replace_salt=''${2}_KEY
|
||||
replace_password=''${2}_PASSWORD
|
||||
replace_salt=''${2}_SALT
|
||||
|
||||
sed -i "s/$replace_password/$password/" "$3"
|
||||
sed -i "s/$replace_salt/$salt/" "$3"
|
||||
|
@ -118,22 +117,12 @@
|
|||
'';
|
||||
};
|
||||
|
||||
restic_piped_finland_htpasswd = {
|
||||
restic_piped_htpasswd = {
|
||||
user = "storage";
|
||||
group = "storage";
|
||||
fetchScript = ''
|
||||
username=$(simple_get "/api-keys/storage/restic/Piped-Finland" .username)
|
||||
password=$(simple_get "/api-keys/storage/restic/Piped-Finland" .password)
|
||||
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
|
||||
'';
|
||||
};
|
||||
|
||||
restic_piped_uk_htpasswd = {
|
||||
user = "storage";
|
||||
group = "storage";
|
||||
fetchScript = ''
|
||||
username=$(simple_get "/api-keys/storage/restic/Piped-UK" .username)
|
||||
password=$(simple_get "/api-keys/storage/restic/Piped-UK" .password)
|
||||
username=$(simple_get "/api-keys/storage/restic/Piped" .username)
|
||||
password=$(simple_get "/api-keys/storage/restic/Piped" .password)
|
||||
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
|
||||
'';
|
||||
};
|
||||
|
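Review bot: In `simple_get_replace_crypt` the `password` and `salt` values from `simple_get_obscure` are spliced unescaped into the `sed -i "s/$replace_password/$password/"` replacement on the context lines just below the hunk, and this commit removes the `replace_slash_for_sed` step that previously guarded them; if the obscured output can ever contain `/`, `&` or `\`, the substitution breaks or replaces the wrong text. A delimiter that cannot occur in the value, `sed -i "s|$replace_password|$password|" "$3"` and likewise for `$replace_salt`, or keeping an escaping helper, makes this robust independent of the obscure format; `simple_get_obscure` is not visible here, so confirm which alphabet it emits. The placeholder rename (`_ACCOUNT`/`_KEY` to `_PASSWORD`/`_SALT`) is also unrelated to the commit's subject and would be easier to audit as its own commit.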
|
|
@ -24,6 +24,7 @@ in {
|
|||
"storage"
|
||||
"music"
|
||||
"quassel"
|
||||
"piped-db"
|
||||
"piped-fi"
|
||||
"mail"
|
||||
] (name: ./containers + "/${name}"))
|
||||
|
|
|
@ -36,7 +36,6 @@
|
|||
tree.modules.nixos.rclone-serve
|
||||
tree.modules.nixos.rclone-sync
|
||||
tree.modules.nixos.secrets
|
||||
tree.modules.nixos.cockroachdb-bin
|
||||
];
|
||||
|
||||
nixosUnstableSystem = nixpkgs-unstable.lib.nixosSystem;
|
||||
|
|
|
@ -10,13 +10,14 @@
|
|||
}: let
|
||||
inherit (lib.modules) mkForce;
|
||||
|
||||
containerName = "piped-uk";
|
||||
pipedName = "piped-uk";
|
||||
containerName = pipedName;
|
||||
|
||||
pipedSocketForComponent = (
|
||||
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
|
||||
);
|
||||
in {
|
||||
containers.piped-uk = {
|
||||
containers.${containerName} = {
|
||||
autoStart = true;
|
||||
privateNetwork = false;
|
||||
|
||||
|
@ -32,17 +33,7 @@ in {
|
|||
|
||||
imports = with tree; [
|
||||
presets.nixos.containerBase
|
||||
|
||||
profiles.nginx
|
||||
profiles.firewallAllow.httpCommon
|
||||
|
||||
profiles.pipedCluster
|
||||
|
||||
./secrets.nix
|
||||
];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/cockroachdb-certs - root root"
|
||||
presets.nixos.pipedNode
|
||||
];
|
||||
|
||||
networking.firewall.enable = mkForce false;
|
||||
|
@ -52,7 +43,7 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."piped-uk.owo.monster" = {
|
||||
services.nginx.virtualHosts."${pipedName}.owo.monster" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
@ -60,7 +51,7 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."backend.piped-uk.owo.monster" = {
|
||||
services.nginx.virtualHosts."backend.${pipedName}.owo.monster" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
@ -68,7 +59,7 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."proxy.piped-uk.owo.monster" = {
|
||||
services.nginx.virtualHosts."proxy.${pipedName}.owo.monster" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
{...}: {
|
||||
services.secrets = {
|
||||
enable = true;
|
||||
|
||||
vaultLogin = {
|
||||
enable = true;
|
||||
loginUsername = "raspberry-container-piped-uk";
|
||||
};
|
||||
|
||||
autoSecrets = {
|
||||
enable = true;
|
||||
affectedSystemdServices = ["cockroachdb"];
|
||||
};
|
||||
|
||||
requiredVaultPaths = [
|
||||
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
|
||||
];
|
||||
|
||||
secrets = {
|
||||
vault_password = {
|
||||
manual = true;
|
||||
};
|
||||
|
||||
cockroachdb_ca_certificate = {
|
||||
user = "cockroachdb";
|
||||
group = "cockroachdb";
|
||||
permissions = "600";
|
||||
path = "/var/lib/cockroachdb-certs/ca.crt";
|
||||
fetchScript = ''
|
||||
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
|
||||
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
|
||||
fi
|
||||
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
|
||||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
cockroachdb_node_certificate = {
|
||||
user = "cockroachdb";
|
||||
group = "cockroachdb";
|
||||
permissions = "600";
|
||||
path = "/var/lib/cockroachdb-certs/node.crt";
|
||||
fetchScript = ''
|
||||
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
|
||||
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
|
||||
fi
|
||||
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
|
||||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
cockroachdb_node_key = {
|
||||
user = "cockroachdb";
|
||||
group = "cockroachdb";
|
||||
permissions = "600";
|
||||
path = "/var/lib/cockroachdb-certs/node.key";
|
||||
fetchScript = ''
|
||||
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
|
||||
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
|
||||
fi
|
||||
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
|
||||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -15,8 +15,8 @@
|
|||
};
|
||||
|
||||
requiredVaultPaths = [
|
||||
"/private-public-keys/data/ssh/root@vault"
|
||||
"/private-public-keys/data/ssh/root@vault-decrypt"
|
||||
"private-public-keys/data/ssh/root@vault"
|
||||
"private-public-keys/data/ssh/root@vault-decrypt"
|
||||
|
||||
"private-public-keys/data/restic/Vault"
|
||||
|
||||
|
|
|
@ -1,248 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.services.cockroachdb-bin;
|
||||
crdb = cfg.package;
|
||||
|
||||
escapeSystemdExecArg = arg: let
|
||||
s =
|
||||
if builtins.isPath arg
|
||||
then "${arg}"
|
||||
else if builtins.isString arg
|
||||
then arg
|
||||
else if builtins.isInt arg || builtins.isFloat arg
|
||||
then toString arg
|
||||
else throw "escapeSystemdExecArg only allows strings, paths and numbers";
|
||||
in
|
||||
lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s);
|
||||
|
||||
# Quotes a list of arguments into a single string for use in a Exec*
|
||||
# line.
|
||||
escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg;
|
||||
|
||||
startupCommand =
|
||||
escapeSystemdExecArgs
|
||||
([
|
||||
# Basic startup
|
||||
"${crdb}/bin/cockroach"
|
||||
(
|
||||
if (cfg.join != null)
|
||||
then "start"
|
||||
else "start-single-node"
|
||||
)
|
||||
"--logtostderr"
|
||||
"--store=/var/lib/cockroachdb"
|
||||
|
||||
# WebUI settings
|
||||
"--http-addr=${cfg.http.address}:${toString cfg.http.port}"
|
||||
|
||||
# Cluster listen address
|
||||
"--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
|
||||
|
||||
# Cache and memory settings.
|
||||
"--cache=${cfg.cache}"
|
||||
"--max-sql-memory=${cfg.maxSqlMemory}"
|
||||
|
||||
# Certificate/security settings.
|
||||
(
|
||||
if cfg.insecure
|
||||
then "--insecure"
|
||||
else "--certs-dir=${cfg.certsDir}"
|
||||
)
|
||||
]
|
||||
++ lib.optional (cfg.join != null) "--join=${cfg.join}"
|
||||
++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
|
||||
++ cfg.extraArgs);
|
||||
|
||||
addressOption = descr: defaultPort: {
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
description = lib.mdDoc "Address to bind to for ${descr}";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = defaultPort;
|
||||
description = lib.mdDoc "Port to bind to for ${descr}";
|
||||
};
|
||||
};
|
||||
in {
|
||||
options = {
|
||||
services.cockroachdb-bin = {
|
||||
enable = mkEnableOption (lib.mdDoc "CockroachDB Server");
|
||||
|
||||
listen = addressOption "intra-cluster communication" 26257;
|
||||
|
||||
http = addressOption "http-based Admin UI" 8080;
|
||||
|
||||
locality = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = lib.mdDoc ''
|
||||
An ordered, comma-separated list of key-value pairs that describe the
|
||||
topography of the machine. Topography might include country,
|
||||
datacenter or rack designations. Data is automatically replicated to
|
||||
maximize diversities of each tier. The order of tiers is used to
|
||||
determine the priority of the diversity, so the more inclusive
|
||||
localities like country should come before less inclusive localities
|
||||
like datacenter. The tiers and order must be the same on all nodes.
|
||||
Including more tiers is better than including fewer. For example:
|
||||
|
||||
```
|
||||
country=us,region=us-west,datacenter=us-west-1b,rack=12
|
||||
country=ca,region=ca-east,datacenter=ca-east-2,rack=4
|
||||
|
||||
planet=earth,province=manitoba,colo=secondary,power=3
|
||||
```
|
||||
'';
|
||||
};
|
||||
|
||||
join = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = lib.mdDoc "The addresses for connecting the node to a cluster.";
|
||||
};
|
||||
|
||||
insecure = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = lib.mdDoc "Run in insecure mode.";
|
||||
};
|
||||
|
||||
certsDir = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = lib.mdDoc "The path to the certificate directory.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "cockroachdb";
|
||||
description = lib.mdDoc "User account under which CockroachDB runs";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "cockroachdb";
|
||||
description = lib.mdDoc "User account under which CockroachDB runs";
|
||||
};
|
||||
|
||||
openPorts = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = lib.mdDoc "Open firewall ports for cluster communication by default";
|
||||
};
|
||||
|
||||
cache = mkOption {
|
||||
type = types.str;
|
||||
default = "25%";
|
||||
description = lib.mdDoc ''
|
||||
The total size for caches.
|
||||
|
||||
This can be a percentage, expressed with a fraction sign or as a
|
||||
decimal-point number, or any bytes-based unit. For example,
|
||||
`"25%"`, `"0.25"` both represent
|
||||
25% of the available system memory. The values
|
||||
`"1000000000"` and `"1GB"` both
|
||||
represent 1 gigabyte of memory.
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
maxSqlMemory = mkOption {
|
||||
type = types.str;
|
||||
default = "25%";
|
||||
description = lib.mdDoc ''
|
||||
The maximum in-memory storage capacity available to store temporary
|
||||
data for SQL queries.
|
||||
|
||||
This can be a percentage, expressed with a fraction sign or as a
|
||||
decimal-point number, or any bytes-based unit. For example,
|
||||
`"25%"`, `"0.25"` both represent
|
||||
25% of the available system memory. The values
|
||||
`"1000000000"` and `"1GB"` both
|
||||
represent 1 gigabyte of memory.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.cockroachdb-bin;
|
||||
defaultText = literalExpression "pkgs.cockroachdb-bin";
|
||||
description = lib.mdDoc ''
|
||||
The CockroachDB derivation to use for running the service.
|
||||
'';
|
||||
};
|
||||
|
||||
extraArgs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = ["--advertise-addr" "[fe80::f6f2:::]"];
|
||||
description = lib.mdDoc ''
|
||||
Extra CLI arguments passed to {command}`cockroach start`.
|
||||
For the full list of supported arguments, check <https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags>
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf config.services.cockroachdb-bin.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !cfg.insecure -> cfg.certsDir != null;
|
||||
message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)";
|
||||
}
|
||||
];
|
||||
|
||||
environment.systemPackages = [crdb];
|
||||
|
||||
users.users = optionalAttrs (cfg.user == "cockroachdb") {
|
||||
cockroachdb = {
|
||||
description = "CockroachDB Server User";
|
||||
uid = config.ids.uids.cockroachdb;
|
||||
group = cfg.group;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = optionalAttrs (cfg.group == "cockroachdb") {
|
||||
cockroachdb.gid = config.ids.gids.cockroachdb;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts =
|
||||
lib.optionals cfg.openPorts
|
||||
[cfg.http.port cfg.listen.port];
|
||||
|
||||
systemd.services.cockroachdb = {
|
||||
description = "CockroachDB Server";
|
||||
documentation = ["man:cockroach(1)" "https://www.cockroachlabs.com"];
|
||||
|
||||
after = ["network.target" "time-sync.target"];
|
||||
requires = ["time-sync.target"];
|
||||
wantedBy = ["multi-user.target"];
|
||||
|
||||
unitConfig.RequiresMountsFor = "/var/lib/cockroachdb";
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = startupCommand;
|
||||
Type = "notify";
|
||||
User = cfg.user;
|
||||
StateDirectory = "cockroachdb";
|
||||
StateDirectoryMode = "0700";
|
||||
|
||||
Restart = "always";
|
||||
|
||||
# A conservative-ish timeout is alright here, because for Type=notify
|
||||
# cockroach will send systemd pings during startup to keep it alive
|
||||
TimeoutStopSec = 60;
|
||||
RestartSec = 10;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [thoughtpolice];
|
||||
}
|
|
@ -66,7 +66,6 @@ in
|
|||
inherit (pkgs) comic-code comic-sans;
|
||||
inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
|
||||
inherit (pkgs) gotosocial;
|
||||
inherit (pkgs) cockroachdb;
|
||||
inherit (pkgs) piped-backend piped-frontend piped-proxy;
|
||||
inherit (pkgs) kitty-terminfo;
|
||||
};
|
||||
|
@ -141,7 +140,7 @@ in
|
|||
# All machines/containers with secrets.nix
|
||||
machines = rec {
|
||||
"hetzner-arm" = {
|
||||
containers = ["storage" "music" "quassel" "social" "mail" "piped-fi"];
|
||||
containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi"];
|
||||
sshAddress = "hetzner-arm.servers.genderfucked.monster";
|
||||
};
|
||||
"vault" = {
|
||||
|
|
|
@ -1,48 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
stdenv,
|
||||
autoPatchelfHook,
|
||||
fetchzip,
|
||||
}:
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "cockroachdb-bin";
|
||||
version = "23.1.9";
|
||||
|
||||
src = let
|
||||
inherit (stdenv.hostPlatform) system;
|
||||
selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
|
||||
suffix = selectSystem {
|
||||
x86_64-linux = "linux-amd64";
|
||||
aarch64-linux = "linux-arm64";
|
||||
};
|
||||
sha256 = selectSystem {
|
||||
x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU=";
|
||||
aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s=";
|
||||
};
|
||||
in
|
||||
fetchzip {
|
||||
url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz";
|
||||
inherit sha256;
|
||||
};
|
||||
|
||||
dontConfigure = true;
|
||||
dontBuild = true;
|
||||
dontStrip = stdenv.isDarwin;
|
||||
|
||||
nativeBuildInputs = [autoPatchelfHook];
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
install -D cockroach $out/bin/cockroach
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://www.cockroachlabs.com";
|
||||
description = "A scalable, survivable, strongly-consistent SQL database";
|
||||
license = licenses.bsl11;
|
||||
mainProgram = "cockroach";
|
||||
sourceProvenance = with sourceTypes; [binaryNativeCode];
|
||||
platforms = ["x86_64-linux" "aarch64-linux"];
|
||||
};
|
||||
}
|
|
@ -13,9 +13,6 @@ final: prev: rec {
|
|||
cp -r ${./kitty-terminfo}/* $out/share
|
||||
'';
|
||||
|
||||
cockroachdb-bin = final.callPackage ./cockroachdb-bin {};
|
||||
cockroachdb = cockroachdb-bin;
|
||||
|
||||
gotosocial = prev.gotosocial.overrideAttrs (_old: let
|
||||
owner = "superseriousbusiness";
|
||||
repo = "gotosocial";
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
modules.nixos.rclone-serve
|
||||
modules.nixos.rclone-sync
|
||||
modules.nixos.secrets
|
||||
modules.nixos.cockroachdb-bin
|
||||
])
|
||||
++ [
|
||||
# Default modules which are usually included in nixos.nix
|
||||
|
|
|
@ -1,17 +1,44 @@
|
|||
{
|
||||
self,
|
||||
config,
|
||||
tree,
|
||||
...
|
||||
}: let
|
||||
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
|
||||
inherit (clusterConfig) hosts ports;
|
||||
inherit (builtins) attrNames elem;
|
||||
|
||||
currentHostName = config.networking.hostName;
|
||||
currentHostConfig = hosts.${currentHostName};
|
||||
wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
|
||||
wireguardHosts = wireguardData.hosts;
|
||||
|
||||
baseDomain = currentHostConfig.baseDomain;
|
||||
hostName = config.networking.hostName;
|
||||
|
||||
defaultPorts = {
|
||||
internalPipedBackend = 3012;
|
||||
internalPipedProxy = 3013;
|
||||
|
||||
internalNginxPort = 8199;
|
||||
};
|
||||
|
||||
hostConfigs = {
|
||||
"piped-fi" = {
|
||||
baseDomain = "piped-fi.owo.monster";
|
||||
ports = defaultPorts;
|
||||
};
|
||||
"piped-uk" = {
|
||||
baseDomain = "piped-uk.owo.monster";
|
||||
ports = defaultPorts;
|
||||
};
|
||||
};
|
||||
|
||||
hostConfig =
|
||||
if elem hostName (attrNames hostConfigs)
|
||||
then hostConfigs.${hostName}
|
||||
else throw "host isn't configured for piped node";
|
||||
|
||||
inherit (hostConfig) baseDomain ports;
|
||||
in {
|
||||
systemd.coredump.enable = true;
|
||||
imports = with tree; [
|
||||
profiles.nginx
|
||||
];
|
||||
|
||||
services.piped = {
|
||||
enable = true;
|
||||
|
@ -42,10 +69,9 @@ in {
|
|||
disablePostgresDB = true;
|
||||
name = "piped";
|
||||
username = "piped";
|
||||
passwordFile = builtins.toFile "password-file" "piped";
|
||||
host = "127.0.0.1";
|
||||
port = ports.cockroachDB;
|
||||
dialect = "org.hibernate.dialect.CockroachDialect";
|
||||
usePassword = false;
|
||||
host = "${wireguardHosts."hetzner-arm".ip}";
|
||||
port = 5434;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -70,42 +96,28 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
systemd.services.piped-backend = {
|
||||
after = ["network.target" "cockroachdb.service" "haproxy.service"];
|
||||
wants = ["network.target" "cockroachdb.service" "haproxy.service"];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = let
|
||||
componentPath = component: "/var/sockets/piped-${component}.sock";
|
||||
in {
|
||||
"${baseDomain}" = {
|
||||
listen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8091;
|
||||
port = ports.internalNginxPort;
|
||||
}
|
||||
];
|
||||
in {
|
||||
"${baseDomain}" = {
|
||||
inherit listen;
|
||||
extraConfig = "listen unix:${componentPath "frontend"};";
|
||||
};
|
||||
|
||||
"backend.${baseDomain}" = {
|
||||
inherit listen;
|
||||
extraConfig = "listen unix:${componentPath "backend"};";
|
||||
listen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8092;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
"proxy.${baseDomain}" = {
|
||||
inherit listen;
|
||||
extraConfig = "listen unix:${componentPath "proxy"};";
|
||||
listen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8093;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
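Review bot: `usePassword = false` together with `host = "${wireguardHosts."hetzner-arm".ip}"` and `port = 5434` in the `services.piped` database block makes the backend connect to the new database unauthenticated, so the only access control left is the WireGuard peer set plus whatever client authentication the database host applies, neither of which is visible in this file. The unchanged `passwordFile = builtins.toFile "password-file" "piped";` a few lines above is now dead configuration (and a literal credential in the world-readable Nix store), so either drop it or keep password auth and point it at a secret kept outside the store. If passwordless access is intended, record the assumption next to the setting: `# no DB password: reachable only over the internal WireGuard link; the database side must bind to its WireGuard address and limit client access to this peer`. Note also that the same commit deletes the restic module that backed up the CockroachDB data directories, and no replacement backup for the new database's state is visible on this page. The `services.piped` block is opened in the first hunk and closed in the second; the third hunk only consolidates the nginx `listen` entries.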
|
|
@ -27,6 +27,8 @@
|
|||
'';
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.default_qdisc" = "fq";
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
"fs.inotify.max_user_watches" = 1024 * 64 * 16;
|
||||
};
|
||||
|
||||
|
|
|
@ -1,37 +0,0 @@
|
|||
{
|
||||
self,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
inherit (lib.lists) filter;
|
||||
inherit (builtins) attrNames;
|
||||
|
||||
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
|
||||
inherit (clusterConfig) hosts ports;
|
||||
|
||||
currentHostName = config.networking.hostName;
|
||||
|
||||
joinString = lib.concatStringsSep "," (
|
||||
map
|
||||
(hostName: hosts.${hostName}.joinString)
|
||||
(filter (hostName: hostName != currentHostName) (attrNames hosts))
|
||||
);
|
||||
in {
|
||||
systemd.services.haproxy.wantedBy = ["piped-backend.service"];
|
||||
|
||||
services.cockroachdb-bin = {
|
||||
enable = true;
|
||||
certsDir = "/var/lib/cockroachdb-certs";
|
||||
join = joinString;
|
||||
extraArgs = ["--advertise-addr=${hosts.${currentHostName}.advertiseAddr}"];
|
||||
listen = {
|
||||
port = ports.cockroachDB;
|
||||
address = "0.0.0.0";
|
||||
};
|
||||
http = {
|
||||
address = "0.0.0.0";
|
||||
port = ports.cockroachDB_HTTP;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,36 +0,0 @@
|
|||
{self, ...}: let
|
||||
inherit (builtins) concatStringsSep attrNames;
|
||||
|
||||
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
|
||||
inherit (clusterConfig) hosts ports;
|
||||
in {
|
||||
systemd.services.haproxy.wantedBy = ["piped-backend.service"];
|
||||
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
global
|
||||
maxconn 4096
|
||||
|
||||
defaults
|
||||
mode tcp
|
||||
retries 5
|
||||
timeout connect 5s
|
||||
timeout client 10m
|
||||
timeout server 10m
|
||||
option clitcpka
|
||||
|
||||
listen psql
|
||||
bind :${toString ports.cockroachDB_HAProxy}
|
||||
mode tcp
|
||||
balance roundrobin
|
||||
option httpchk GET /health?ready=1
|
||||
${concatStringsSep "\n" (
|
||||
map (serverConfig: " " + serverConfig)
|
||||
(map (
|
||||
hostName: "server ${hostName} ${hosts.${hostName}.advertiseAddr} check port ${toString ports.cockroachDB_HTTP}"
|
||||
) (attrNames hosts))
|
||||
)}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,44 +0,0 @@
|
|||
{
|
||||
self,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
secrets = config.services.secrets.secrets;
|
||||
|
||||
clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
|
||||
|
||||
currentHostConfig = clusterConfig.hosts.${config.networking.hostName};
|
||||
inherit (currentHostConfig) resticName resticBucket;
|
||||
in {
|
||||
environment.systemPackages = with pkgs; [
|
||||
restic
|
||||
(pkgs.writeShellScriptBin "restic-${resticName}" ''
|
||||
env \
|
||||
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
|
||||
$(cat ${secrets.restic_env.path}) \
|
||||
${pkgs.restic}/bin/restic $@
|
||||
'')
|
||||
];
|
||||
|
||||
services.restic.backups.${resticName} = {
|
||||
user = "root";
|
||||
paths = [
|
||||
"/var/lib/cockroachdb"
|
||||
"/var/lib/cockroachdb-certs"
|
||||
];
|
||||
|
||||
repository = "rest:https://storage-restic.owo.monster/${resticBucket}";
|
||||
passwordFile = "${secrets.restic_password.path}";
|
||||
environmentFile = "${secrets.restic_env.path}";
|
||||
|
||||
pruneOpts = [
|
||||
"--keep-last 5"
|
||||
];
|
||||
|
||||
timerConfig = {
|
||||
OnBootSec = "1m";
|
||||
OnCalendar = "daily";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
/nix/store/026j6nzg6hyllkkvzjnqnarxwrc32nsa-bash-5.2-p15-man
|