From 699283c0bab810a9058f875a88c8adb69103228f Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 3 Feb 2022 20:36:14 +0100
Subject: [PATCH] modules: extract IPFS module

---
 hosts/VEGAS/services/ipfs/default.nix | 75 ++--------------------
 modules/default.nix | 2 +-
 modules/ipfs-lain/default.nix | 22 -------
 modules/ipfs/default.nix | 90 +++++++++++++++++++++++++++
 secrets/ipfs-swarm-key.age | 13 ++++
 secrets/secrets.nix | 3 +-
 6 files changed, 110 insertions(+), 95 deletions(-)
 delete mode 100644 modules/ipfs-lain/default.nix
 create mode 100644 modules/ipfs/default.nix
 create mode 100644 secrets/ipfs-swarm-key.age

diff --git a/hosts/VEGAS/services/ipfs/default.nix b/hosts/VEGAS/services/ipfs/default.nix
index f12097a..62aef9c 100644
--- a/hosts/VEGAS/services/ipfs/default.nix
+++ b/hosts/VEGAS/services/ipfs/default.nix
@@ -1,75 +1,14 @@
-{ config, lib, pkgs, tools, ... }:
+{ aspect, config, lib, pkgs, tools, ... }:
 with tools.nginx;
 let
   inherit (tools.meta) domain;
   cfg = config.services.ipfs;
-  apiAddress = "/unix/run/ipfs/ipfs-api.sock";
-  ipfsApi = pkgs.writeTextDir "api" apiAddress;
   gwPort = config.portsStr.ipfsGateway;
 in
 {
-  reservePortsFor = [ "ipfsGateway" ];
-
-  networking.firewall = {
-    allowedTCPPorts = [ 4001 ];
-    allowedUDPPorts = [ 4001 ];
-  };
-
-  services.ipfs = {
-    enable = true;
-    startWhenNeeded = false;
-    autoMount = true;
-
-    inherit apiAddress;
-    gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
-    dataDir = "/srv/storage/ipfs/repo";
-    localDiscovery = false;
-
-    extraConfig = {
-      Bootstrap = [
-        "/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
-        "/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
-      ];
-      API.HTTPHeaders = {
-        Access-Control-Allow-Origin = [
-          "https://ipfs.admin.${domain}"
-          "http://127.0.0.1:5001"
-        ];
-        Access-Control-Allow-Methods = [ "PUT" "POST" ];
-      };
-      Gateway = {
-        Writable = false;
-        APICommands = [];
-        HTTPHeaders = {
-          Access-Control-Allow-Headers = [
-            "X-Requested-With"
-            "Range"
-            "User-Agent"
-          ];
-          Access-Control-Allow-Methods = [
-            "GET"
-          ];
-          Access-Control-Allow-Origin = [
-            "*"
-          ];
-        };
-      };
-    };
-  };
-
-  systemd.sockets = {
-    ipfs-api.enable = false;
-    ipfs-gateway.enable = false;
-  };
-
-  systemd.tmpfiles.rules = [ "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -" ];
-
-
-  systemd.services.ipfs = {
-    environment.LIBP2P_FORCE_PNET = "1";
-    serviceConfig.Slice = "remotefshost.slice";
-    postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
-  };
+  imports = [
+    aspect.modules.ipfs
+  ];
 
   systemd.slices.remotefshost.sliceConfig = {
     IOWeight = 5;
@@ -87,12 +26,6 @@ in
     ];
   };
 
-  environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
-
-  environment.shellAliases = {
-    ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
-  };
-
   users.users.nginx.extraGroups = [ cfg.group ];
 
   services.nginx.virtualHosts = {
diff --git a/modules/default.nix b/modules/default.nix
index f2f07c2..b98c04d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -7,7 +7,7 @@ let
   enterprise = import ./enterprise;
   fail2ban = import ./fail2ban;
   hydra = import ./hydra;
-  ipfs-lain = import ./ipfs-lain;
+  ipfs = import ./ipfs;
   nix-builder = import ./nix-builder;
   nix-config = import ./nix-config;
   nix-config-server = import ./nix-config/server.nix;
diff --git a/modules/ipfs-lain/default.nix b/modules/ipfs-lain/default.nix
deleted file mode 100644
index 1c7bb2e..0000000
--- a/modules/ipfs-lain/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.ipfs = {
-    enable = true;
-    extraConfig = {
-      Bootstrap = [
-        "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
-        "/ip4/34.75.66.204/tcp/4001/p2p/QmUDwdaJthQkxgoHN1QQFvj4jR12A2nGQMXxYJEqtPMsYJ"
-        "/ip4/35.233.49.84/tcp/4001/p2p/QmTuZN9VtqiVWjcqTkRAUnRWYurwFbC6j9E2gvnMs5XEFy"
-      ];
-    };
-  };
-
-  systemd.services.ipfs.environment.LIBP2P_FORCE_PNET = "1";
-
-  environment.shellAliases = {
-    ipfs =
-      "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs";
-    f =
-      "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs files";
-  };
-}
diff --git a/modules/ipfs/default.nix b/modules/ipfs/default.nix
new file mode 100644
index 0000000..c779b1a
--- /dev/null
+++ b/modules/ipfs/default.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, tools, ... }:
+let
+  inherit (tools.meta) domain;
+  cfg = config.services.ipfs;
+  apiAddress = "/unix/run/ipfs/ipfs-api.sock";
+  ipfsApi = pkgs.writeTextDir "api" apiAddress;
+  gwPort = config.portsStr.ipfsGateway;
+in
+{
+  age.secrets.ipfs-swarm-key = {
+    file = ../../secrets/ipfs-swarm-key.age;
+    mode = "0400";
+    owner = cfg.user;
+    inherit (cfg) group;
+  };
+
+  reservePortsFor = [ "ipfsGateway" ];
+
+  networking.firewall = {
+    allowedTCPPorts = [ 4001 ];
+    allowedUDPPorts = [ 4001 ];
+  };
+
+  services.ipfs = {
+    enable = true;
+    startWhenNeeded = false;
+    autoMount = true;
+
+    inherit apiAddress;
+    gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
+    dataDir = "/srv/storage/ipfs/repo";
+    localDiscovery = false;
+
+    extraConfig = {
+      Bootstrap = [
+        "/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
+        "/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
+        "/ip4/77.54.95.19/tcp/12104/p2p/12D3KooWC1RZxLvAeEFNTZWk1FWc1sZZ3yemF4FNNRYa3X854KJ8"
+        "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
+      ];
+      API.HTTPHeaders = {
+        Access-Control-Allow-Origin = [
+          "https://ipfs.admin.${domain}"
+          "http://127.0.0.1:5001"
+        ];
+        Access-Control-Allow-Methods = [ "PUT" "POST" ];
+      };
+      Gateway = {
+        Writable = false;
+        APICommands = [];
+        HTTPHeaders = {
+          Access-Control-Allow-Headers = [
+            "X-Requested-With"
+            "Range"
+            "User-Agent"
+          ];
+          Access-Control-Allow-Methods = [
+            "GET"
+          ];
+          Access-Control-Allow-Origin = [
+            "*"
+          ];
+        };
+      };
+    };
+  };
+
+  systemd.sockets = {
+    ipfs-api.enable = false;
+    ipfs-gateway.enable = false;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -"
+    "L+ '${cfg.dataDir}/swarm.key' - - - - ${config.age.secrets.ipfs-swarm-key.path}"
+  ];
+
+
+  systemd.services.ipfs = {
+    environment.LIBP2P_FORCE_PNET = "1";
+    serviceConfig.Slice = "remotefshost.slice";
+    postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
+  };
+
+  environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
+
+  environment.shellAliases = {
+    ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
+  };
+}
diff --git a/secrets/ipfs-swarm-key.age b/secrets/ipfs-swarm-key.age
new file mode 100644
index 0000000..03e0cd5
--- /dev/null
+++ b/secrets/ipfs-swarm-key.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A M3tf8OUR0EYa4UQDTd0U1gHJDrGKNjRbnGBePHA3nH0
+6FftIih0/S8jNv94bRiJPb4V+P7jOtGHQFZbGcj2cqE
+-> ssh-ed25519 5/zT0w o4eVLMXyfImHYXmnPo7qDQyDOcB4s85gPMr8IAuvVE4
+bY7L3YihZytZ1XrYbHPxR1FRGNA8W5qsYKNIkwmF2r0
+-> ssh-ed25519 d3WGuA iFH+ntVIDTmMUzgLLrNFHyPhSvTPsLcjNH+QTR4yfDk
+Q54Nwc6fwPan62XX70WkG5mrmRlhE/rcHfyV8xMim3E
+-> ssh-ed25519 6YMlxg tbaiMLpardsaNZOlCF7FAmKOlqZfIM6cVvOxQQjn2kU
+gmu1AVuMzENxbs73dxRFWjxSCUeFjb4bMdgyYaikSOs
+-> Wdm-grease
+8TLtQ/rdFCG5Yo3nYsAuPjPD0+HZwPO02rnPdlczJkDYPNmepWgt01Wf3VdbYko
+--- r4yb3tN9yWRCAxraKDJohDTA0BRvpxQN86Qr+M64jic
+‚kí ps–ꊛü]ìÕ
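Review bot: `serviceConfig.Slice = "remotefshost.slice"` and `dataDir = "/srv/storage/ipfs/repo"` in the new module are VEGAS-specific values now living in shared code, while the `systemd.slices.remotefshost` definition stays in the host file (visible as context at the end of that file's first hunk); another host importing `aspect.modules.ipfs` would presumably get an implicitly created slice without the host's IOWeight and a repo path under /srv/storage it may not have, so both look like candidates for module options with the current values as defaults. The private-network wiring is split across two far-apart lines and deserves a comment on the `environment.LIBP2P_FORCE_PNET` line, e.g. `# LIBP2P_FORCE_PNET=1 makes the daemon refuse to start without swarm.key; the tmpfiles L+ rule above links it from the agenix secret (mode 0400, owned by cfg.user)`. The `L+` symlink is written by systemd-tmpfiles, which runs before agenix decrypts the secret during activation; a dangling symlink is accepted at that point, but the rule presumably relies on `${cfg.dataDir}` already existing when it is processed — worth confirming on a first boot of a fresh host. Since the firewall opening of 4001/tcp+udp now applies to every importing host, a one-line comment above `networking.firewall` stating that this is the libp2p swarm port and that peers lacking the swarm key are rejected by PNET would make that exposure intentional rather than incidental.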