modules: extract IPFS module
parent
8f69b14f66
commit
699283c0ba
6 changed files with 110 additions and 95 deletions
|
@ -1,75 +1,14 @@
|
||||||
{ config, lib, pkgs, tools, ... }:
|
{ aspect, config, lib, pkgs, tools, ... }:
|
||||||
with tools.nginx;
|
with tools.nginx;
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (tools.meta) domain;
|
||||||
cfg = config.services.ipfs;
|
cfg = config.services.ipfs;
|
||||||
apiAddress = "/unix/run/ipfs/ipfs-api.sock";
|
|
||||||
ipfsApi = pkgs.writeTextDir "api" apiAddress;
|
|
||||||
gwPort = config.portsStr.ipfsGateway;
|
gwPort = config.portsStr.ipfsGateway;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
reservePortsFor = [ "ipfsGateway" ];
|
imports = [
|
||||||
|
aspect.modules.ipfs
|
||||||
networking.firewall = {
|
|
||||||
allowedTCPPorts = [ 4001 ];
|
|
||||||
allowedUDPPorts = [ 4001 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.ipfs = {
|
|
||||||
enable = true;
|
|
||||||
startWhenNeeded = false;
|
|
||||||
autoMount = true;
|
|
||||||
|
|
||||||
inherit apiAddress;
|
|
||||||
gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
|
|
||||||
dataDir = "/srv/storage/ipfs/repo";
|
|
||||||
localDiscovery = false;
|
|
||||||
|
|
||||||
extraConfig = {
|
|
||||||
Bootstrap = [
|
|
||||||
"/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
|
|
||||||
"/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
|
|
||||||
];
|
];
|
||||||
API.HTTPHeaders = {
|
|
||||||
Access-Control-Allow-Origin = [
|
|
||||||
"https://ipfs.admin.${domain}"
|
|
||||||
"http://127.0.0.1:5001"
|
|
||||||
];
|
|
||||||
Access-Control-Allow-Methods = [ "PUT" "POST" ];
|
|
||||||
};
|
|
||||||
Gateway = {
|
|
||||||
Writable = false;
|
|
||||||
APICommands = [];
|
|
||||||
HTTPHeaders = {
|
|
||||||
Access-Control-Allow-Headers = [
|
|
||||||
"X-Requested-With"
|
|
||||||
"Range"
|
|
||||||
"User-Agent"
|
|
||||||
];
|
|
||||||
Access-Control-Allow-Methods = [
|
|
||||||
"GET"
|
|
||||||
];
|
|
||||||
Access-Control-Allow-Origin = [
|
|
||||||
"*"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.sockets = {
|
|
||||||
ipfs-api.enable = false;
|
|
||||||
ipfs-gateway.enable = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [ "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -" ];
|
|
||||||
|
|
||||||
|
|
||||||
systemd.services.ipfs = {
|
|
||||||
environment.LIBP2P_FORCE_PNET = "1";
|
|
||||||
serviceConfig.Slice = "remotefshost.slice";
|
|
||||||
postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.slices.remotefshost.sliceConfig = {
|
systemd.slices.remotefshost.sliceConfig = {
|
||||||
IOWeight = 5;
|
IOWeight = 5;
|
||||||
|
@ -87,12 +26,6 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
|
|
||||||
|
|
||||||
environment.shellAliases = {
|
|
||||||
ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.nginx.extraGroups = [ cfg.group ];
|
users.users.nginx.extraGroups = [ cfg.group ];
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
|
|
|
@ -7,7 +7,7 @@ let
|
||||||
enterprise = import ./enterprise;
|
enterprise = import ./enterprise;
|
||||||
fail2ban = import ./fail2ban;
|
fail2ban = import ./fail2ban;
|
||||||
hydra = import ./hydra;
|
hydra = import ./hydra;
|
||||||
ipfs-lain = import ./ipfs-lain;
|
ipfs = import ./ipfs;
|
||||||
nix-builder = import ./nix-builder;
|
nix-builder = import ./nix-builder;
|
||||||
nix-config = import ./nix-config;
|
nix-config = import ./nix-config;
|
||||||
nix-config-server = import ./nix-config/server.nix;
|
nix-config-server = import ./nix-config/server.nix;
|
||||||
|
|
|
@ -1,22 +0,0 @@
|
||||||
{ pkgs, config, ... }:
|
|
||||||
{
|
|
||||||
services.ipfs = {
|
|
||||||
enable = true;
|
|
||||||
extraConfig = {
|
|
||||||
Bootstrap = [
|
|
||||||
"/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
|
|
||||||
"/ip4/34.75.66.204/tcp/4001/p2p/QmUDwdaJthQkxgoHN1QQFvj4jR12A2nGQMXxYJEqtPMsYJ"
|
|
||||||
"/ip4/35.233.49.84/tcp/4001/p2p/QmTuZN9VtqiVWjcqTkRAUnRWYurwFbC6j9E2gvnMs5XEFy"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.ipfs.environment.LIBP2P_FORCE_PNET = "1";
|
|
||||||
|
|
||||||
environment.shellAliases = {
|
|
||||||
ipfs =
|
|
||||||
"doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs";
|
|
||||||
f =
|
|
||||||
"doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs files";
|
|
||||||
};
|
|
||||||
}
|
|
90
modules/ipfs/default.nix
Normal file
90
modules/ipfs/default.nix
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
{ config, lib, pkgs, tools, ... }:
|
||||||
|
let
|
||||||
|
inherit (tools.meta) domain;
|
||||||
|
cfg = config.services.ipfs;
|
||||||
|
apiAddress = "/unix/run/ipfs/ipfs-api.sock";
|
||||||
|
ipfsApi = pkgs.writeTextDir "api" apiAddress;
|
||||||
|
gwPort = config.portsStr.ipfsGateway;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
age.secrets.ipfs-swarm-key = {
|
||||||
|
file = ../../secrets/ipfs-swarm-key.age;
|
||||||
|
mode = "0400";
|
||||||
|
owner = cfg.user;
|
||||||
|
inherit (cfg) group;
|
||||||
|
};
|
||||||
|
|
||||||
|
reservePortsFor = [ "ipfsGateway" ];
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [ 4001 ];
|
||||||
|
allowedUDPPorts = [ 4001 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.ipfs = {
|
||||||
|
enable = true;
|
||||||
|
startWhenNeeded = false;
|
||||||
|
autoMount = true;
|
||||||
|
|
||||||
|
inherit apiAddress;
|
||||||
|
gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
|
||||||
|
dataDir = "/srv/storage/ipfs/repo";
|
||||||
|
localDiscovery = false;
|
||||||
|
|
||||||
|
extraConfig = {
|
||||||
|
Bootstrap = [
|
||||||
|
"/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
|
||||||
|
"/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
|
||||||
|
"/ip4/77.54.95.19/tcp/12104/p2p/12D3KooWC1RZxLvAeEFNTZWk1FWc1sZZ3yemF4FNNRYa3X854KJ8"
|
||||||
|
"/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
|
||||||
|
];
|
||||||
|
API.HTTPHeaders = {
|
||||||
|
Access-Control-Allow-Origin = [
|
||||||
|
"https://ipfs.admin.${domain}"
|
||||||
|
"http://127.0.0.1:5001"
|
||||||
|
];
|
||||||
|
Access-Control-Allow-Methods = [ "PUT" "POST" ];
|
||||||
|
};
|
||||||
|
Gateway = {
|
||||||
|
Writable = false;
|
||||||
|
APICommands = [];
|
||||||
|
HTTPHeaders = {
|
||||||
|
Access-Control-Allow-Headers = [
|
||||||
|
"X-Requested-With"
|
||||||
|
"Range"
|
||||||
|
"User-Agent"
|
||||||
|
];
|
||||||
|
Access-Control-Allow-Methods = [
|
||||||
|
"GET"
|
||||||
|
];
|
||||||
|
Access-Control-Allow-Origin = [
|
||||||
|
"*"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.sockets = {
|
||||||
|
ipfs-api.enable = false;
|
||||||
|
ipfs-gateway.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"L+ '${cfg.dataDir}/swarm.key' - - - - ${config.age.secrets.ipfs-swarm-key.path}"
|
||||||
|
];
|
||||||
|
|
||||||
|
|
||||||
|
systemd.services.ipfs = {
|
||||||
|
environment.LIBP2P_FORCE_PNET = "1";
|
||||||
|
serviceConfig.Slice = "remotefshost.slice";
|
||||||
|
postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
|
||||||
|
|
||||||
|
environment.shellAliases = {
|
||||||
|
ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
|
||||||
|
};
|
||||||
|
}
|
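Review bot: The `postStart = "chmod 660 /run/ipfs/ipfs-api.sock"` line makes the Kubo RPC socket group-writable, and no API authorization is configured in this file, so every member of `cfg.group` gets the full RPC API (add, pin, config) rather than just the gateway; the host file in this commit keeps `users.users.nginx.extraGroups = [ cfg.group ]`, which puts nginx in that set. Because the module now applies to every host that imports it, I would state this next to the chmod, for example `# group members get full RPC API access; keep cfg.group limited to the reverse proxy`. Separately, `"http://127.0.0.1:5001"` in `API.HTTPHeaders.Access-Control-Allow-Origin` looks like a leftover from a TCP API listener, since `apiAddress` is a unix socket here; if nothing relies on it (a local port forward, perhaps), dropping it narrows the CORS allow-list to the admin origin.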
13
secrets/ipfs-swarm-key.age
Normal file
13
secrets/ipfs-swarm-key.age
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NO562A M3tf8OUR0EYa4UQDTd0U1gHJDrGKNjRbnGBePHA3nH0
|
||||||
|
6FftIih0/S8jNv94bRiJPb4V+P7jOtGHQFZbGcj2cqE
|
||||||
|
-> ssh-ed25519 5/zT0w o4eVLMXyfImHYXmnPo7qDQyDOcB4s85gPMr8IAuvVE4
|
||||||
|
bY7L3YihZytZ1XrYbHPxR1FRGNA8W5qsYKNIkwmF2r0
|
||||||
|
-> ssh-ed25519 d3WGuA iFH+ntVIDTmMUzgLLrNFHyPhSvTPsLcjNH+QTR4yfDk
|
||||||
|
Q54Nwc6fwPan62XX70WkG5mrmRlhE/rcHfyV8xMim3E
|
||||||
|
-> ssh-ed25519 6YMlxg tbaiMLpardsaNZOlCF7FAmKOlqZfIM6cVvOxQQjn2kU
|
||||||
|
gmu1AVuMzENxbs73dxRFWjxSCUeFjb4bMdgyYaikSOs
|
||||||
|
-> Wdm-grease
|
||||||
|
8TLtQ/rdFCG5Yo3nYsAuPjPD0+HZwPO02rnPdlczJkDYPNmepWgt01Wf3VdbYko
|
||||||
|
--- r4yb3tN9yWRCAxraKDJohDTA0BRvpxQN86Qr+M64jic
|
||||||
|
‚kí ps–ꊛü]ìÕ<R;QµI¯Vª¼Qó&–»ìCLX3ïE<>Ú©‹3|MC‡¾ÊVJî’ÆN¯9ŸÎ[<5B>çÖamæ!…F·;i…ªÚ$²‹;ÂÛs9øð€¼_A©•û ÿ•E<E280A2>é½³¤„Á?³eò\eNÉkÀ›
|
|
@ -19,6 +19,7 @@ in with hosts;
|
||||||
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"ipfs-swarm-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
|
||||||
"keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"minio-console-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"minio-console-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
@ -32,6 +33,6 @@ in with hosts;
|
||||||
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
|
||||||
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
}
|
}
|
||||||
|
|
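Review bot: The recipient list on the added `"ipfs-swarm-key.age"` line names only `VEGAS` and `prophet`, while `modules/ipfs/default.nix` declares `age.secrets.ipfs-swarm-key` for any host that imports it and sets `LIBP2P_FORCE_PNET = "1"`. A host that imports the module without being listed here cannot decrypt the key, and the daemon would then presumably refuse to start rather than join the public network, which is the safe failure but is not obvious from either file. A comment above the line would help, for example `# recipients must cover every host importing modules/ipfs; rekey after changing this list`. The same key is shared by all listed hosts, so removing a host from the list should go together with rotating the swarm key, not only re-encrypting it.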