treewide: massive refactor

This commit is contained in:
Max Headroom 2023-08-31 00:55:45 +02:00
parent 8b96787bc2
commit ae48e4807a
96 changed files with 373 additions and 424 deletions


@ -1,4 +1,4 @@
{ lib, depot, hostName }: { lib, depot }:
lib.evalModules { lib.evalModules {
specialArgs = { specialArgs = {
@ -7,12 +7,10 @@ lib.evalModules {
modules = [ modules = [
# Arbitrary variables to reference across multiple services # Arbitrary variables to reference across multiple services
./lib/vars ./lib/vars
{ vars = { inherit hostName; }; }
# Cluster-level port-magic # Cluster-level port-magic
../modules/port-magic ../modules/port-magic
../tools/inject.nix
./lib/services.nix ./lib/services.nix
./lib/inject-nixos-config.nix ./lib/inject-nixos-config.nix
./lib/port-magic-multi.nix ./lib/port-magic-multi.nix


@ -1,15 +0,0 @@
hostName:
{ depot, lib, ... }:
let
cluster = import ./. { inherit lib depot hostName; };
in
{
_module.args.cluster = {
inherit (cluster.config) vars;
inherit (cluster.config.vars) hosts;
inherit (cluster) config;
};
imports = cluster.config.out.injectedNixosConfig;
}


@ -1,10 +1,10 @@
{ lib, ... }: { config, lib, ... }:
with lib; with lib;
{ {
options.out.injectedNixosConfig = mkOption { options.out.injectNixosConfig = mkOption {
description = "NixOS configuration modules to inject into the host."; description = "NixOS configuration to inject into the given host.";
type = with types; listOf anything; type = with types; functionTo raw;
default = {}; default = const [];
}; };
} }
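Review bot: The new option `out.injectNixosConfig` is typed `functionTo raw` but its description still reads like a plain value and does not say what the function's argument is; a reader of `nixos-option` output cannot tell that it must be called with a host name. Suggest `description = "Function from a host name to the list of NixOS modules to inject into that host.";` so the contract matches `default = const [];` and the call site in services.nix.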


@ -1,11 +1,8 @@
vars:
{ config, lib, ... }: { config, lib, ... }:
with lib; with lib;
let let
notSelf = x: x != vars.hostName; filterGroup = group: hostName: builtins.filter (x: x != hostName) group;
filterGroup = builtins.filter notSelf;
in in
{ {
@ -26,7 +23,7 @@ in
}; };
otherNodes = mkOption { otherNodes = mkOption {
description = "Other nodes in the group."; description = "Other nodes in the group.";
type = with types; attrsOf (listOf str); type = with types; attrsOf (functionTo (listOf str));
default = []; default = [];
}; };
nixos = mkOption { nixos = mkOption {
@ -35,5 +32,5 @@ in
default = {}; default = {};
}; };
}; };
config.otherNodes = builtins.mapAttrs (_: filterGroup) config.nodes; config.otherNodes = builtins.mapAttrs (const filterGroup) config.nodes;
} }
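Review bot: `otherNodes` keeps `default = [];` while its type is now `attrsOf (functionTo (listOf str))`, so the default is not even an attribute set; it is masked only because `config.otherNodes` is always assigned below. Suggest `default = {};` so the option stays well-typed if that assignment is ever removed or made conditional. The description should also reflect the new shape, e.g. `description = "Other nodes in each group, as a function from a host name to the nodes other than it.";`. `filterGroup` now takes the host name as its second argument, which is what makes `mapAttrs (const filterGroup)` yield a per-group function.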


@ -2,18 +2,25 @@
with lib; with lib;
let let
getHostConfigurations = svcConfig: hostName: getHostConfigurations = hostName: svcConfig:
lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName}) lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
(lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes); (lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
getServiceConfigurations = svcConfig: getHostConfigurations svcConfig config.vars.hostName;
introspectionModule._module.args.cluster = {
inherit (config) vars;
inherit config;
};
in in
{ {
options.services = mkOption { options.services = mkOption {
description = "Cluster services."; description = "Cluster services.";
type = with types; attrsOf (submodule (import ./service-module.nix config.vars)); type = with types; attrsOf (submodule ./service-module.nix);
default = {}; default = {};
}; };
config.out.injectedNixosConfig = lib.flatten (lib.mapAttrsToList (_: getServiceConfigurations) config.services);
config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (_: getHostConfigurations hostName) config.services)) ++ [
introspectionModule
];
} }
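Review bot: The deleted inject.nix exposed `hosts` on the `cluster` module argument (`inherit (cluster.config.vars) hosts;`), but `introspectionModule` only provides `vars` and `config`, so any host module still reading `cluster.hosts` will now fail to evaluate. If that attribute is meant to stay available, add `inherit (config.vars) hosts;` to the `_module.args.cluster` set next to `inherit (config) vars;`; if it was dropped on purpose, the commit description should say so since this is a behavioural change inside a rename-heavy commit. The argument order of `getHostConfigurations` was swapped to `hostName: svcConfig:` and the call site in `injectNixosConfig` matches it.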

11
cluster/part.nix Normal file

@ -0,0 +1,11 @@
{ depot, lib, ... }:
{
options.cluster = lib.mkOption {
type = lib.types.raw;
};
config.cluster = import ./. {
inherit depot lib;
};
}
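Review bot: `options.cluster` is declared with `type = lib.types.raw` and no description, so it is opaque to documentation tooling and nothing says it is always populated by `config.cluster` below rather than by users. Suggest adding `description = "The evaluated cluster configuration (see cluster/default.nix); set here, not meant to be overridden.";` inside the `mkOption` call. The `raw` type means no merging is performed, so any second definition of `cluster` elsewhere would be a hard conflict rather than a merge.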


@ -1,5 +1,5 @@
{ config, tools, ... }: { config, depot, ... }:
with tools.nginx; with depot.lib.nginx;
let let
addrSplit' = builtins.split ":" config.services.minio.listenAddress; addrSplit' = builtins.split ":" config.services.minio.listenAddress;
addrSplit = builtins.filter builtins.isString addrSplit'; addrSplit = builtins.filter builtins.isString addrSplit';
@ -27,7 +27,7 @@ in
services.nginx.appendHttpConfig = '' services.nginx.appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off; proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
''; '';
services.nginx.virtualHosts."cache.${tools.meta.domain}" = vhosts.basic // { services.nginx.virtualHosts."cache.${depot.lib.meta.domain}" = vhosts.basic // {
locations = { locations = {
"= /".return = "302 /404"; "= /".return = "302 /404";
"/" = { "/" = {


@ -1,4 +1,4 @@
{ config, depot, tools, ... }: { config, depot, ... }:
let let
mkNarServe = NAR_CACHE_URL: PORT: { mkNarServe = NAR_CACHE_URL: PORT: {
@ -17,6 +17,6 @@
nar-serve-nixos-org.protocol = "http"; nar-serve-nixos-org.protocol = "http";
}; };
systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.links.nar-serve-self.portStr; systemd.services.nar-serve-self = mkNarServe "https://cache.${depot.lib.meta.domain}" config.links.nar-serve-self.portStr;
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr; systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
} }


@ -1,4 +1,4 @@
{ config, depot, lib, tools, ... }: { config, depot, lib, ... }:
let let
dataDir = "/srv/storage/private/attic"; dataDir = "/srv/storage/private/attic";
@ -52,7 +52,7 @@ in
ReadWritePaths = [ dataDir ]; ReadWritePaths = [ dataDir ];
}; };
services.nginx.virtualHosts."cache-api.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.atticServer.url // { services.nginx.virtualHosts."cache-api.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.atticServer.url // {
extraConfig = '' extraConfig = ''
client_max_body_size 4G; client_max_body_size 4G;
''; '';


@ -1,7 +1,7 @@
{ config, lib, pkgs, tools, ... }: { config, lib, pkgs, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
extraGroups = [ "nginx" ] extraGroups = [ "nginx" ]
++ lib.optional config.services.kanidm.enableServer "kanidm"; ++ lib.optional config.services.kanidm.enableServer "kanidm";


@ -1,7 +1,7 @@
{ config, cluster, lib, tools, ... }: { config, cluster, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (config.networking) hostName; inherit (config.networking) hostName;
inherit (cluster.config) hostLinks; inherit (cluster.config) hostLinks;
cfg = cluster.config.services.consul; cfg = cluster.config.services.consul;
@ -21,7 +21,7 @@ in
node_name = config.networking.hostName; node_name = config.networking.hostName;
bind_addr = hl.ipv4; bind_addr = hl.ipv4;
ports.serf_lan = hl.port; ports.serf_lan = hl.port;
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) cfg.otherNodes.agent; retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);
}; };
}; };


@ -1,13 +1,13 @@
{ config, cluster, depot, lib, tools, ... }: { config, cluster, depot, lib, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (depot.reflection) hyprspace; inherit (depot.reflection) hyprspace;
frontendDomain = "consul-remote.internal.${domain}"; frontendDomain = "consul-remote.internal.${domain}";
in in
{ {
services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // { services.nginx.virtualHosts.${frontendDomain} = depot.lib.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
listenAddresses = lib.singleton hyprspace.addr; listenAddresses = lib.singleton hyprspace.addr;
enableACME = false; enableACME = false;
useACMEHost = "internal.${domain}"; useACMEHost = "internal.${domain}";


@ -1,7 +1,7 @@
{ cluster, config, lib, pkgs, tools, ... }: { cluster, config, lib, pkgs, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (config.links) pdnsAdmin; inherit (config.links) pdnsAdmin;
inherit (cluster.config) vars; inherit (cluster.config) vars;
@ -96,7 +96,7 @@ in {
}; };
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
(tools.nginx.vhosts.proxy pdnsAdmin.url) (depot.lib.nginx.vhosts.proxy pdnsAdmin.url)
# backend sends really big headers for some reason # backend sends really big headers for some reason
# increase buffer size accordingly # increase buffer size accordingly
{ {


@ -1,14 +1,14 @@
{ cluster, config, depot, lib, tools, ... }: { cluster, config, depot, lib, ... }:
let let
inherit (depot.reflection) interfaces; inherit (depot.reflection) interfaces;
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (config.networking) hostName; inherit (config.networking) hostName;
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative; link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; master ++ slave) [ otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; (master hostName) ++ (slave hostName)) [
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)) (map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
(lib.concatStringsSep " ") (lib.concatStringsSep " ")
]; ];


@ -1,15 +1,14 @@
{ cluster, config, depot, lib, pkgs, tools, ... }: { cluster, config, depot, lib, ... }:
let let
inherit (depot.reflection) interfaces hyprspace; inherit (depot.reflection) interfaces hyprspace;
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (config.links) localRecursor;
inherit (config.networking) hostName; inherit (config.networking) hostName;
link = cluster.config.hostLinks.${hostName}.dnsResolver; link = cluster.config.hostLinks.${hostName}.dnsResolver;
backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend; backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns) [ otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
(map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple)) (map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
(lib.concatStringsSep " ") (lib.concatStringsSep " ")
]; ];


@ -1,7 +1,7 @@
{ config, depot, lib, ... }: { config, depot, lib, ... }:
let let
inherit (depot.config) hours; inherit (depot) hours;
cfg = config.services.dns; cfg = config.services.dns;
in in
{ {


@ -1,8 +1,8 @@
{ cluster, config, depot, lib, pkgs, tools, ... }: { cluster, config, depot, lib, pkgs, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (tools.nginx) vhosts; inherit (depot.lib.nginx) vhosts;
inherit (config.age) secrets; inherit (config.age) secrets;
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;


@ -1,4 +1,4 @@
{ config, lib, tools, ... }: { config, lib, depot, ... }:
{ {
services.hercules-ci-multi-agent = { services.hercules-ci-multi-agent = {


@ -1,14 +1,14 @@
{ config, tools, ... }: { config, depot, ... }:
{ {
links = { links = {
idm = { idm = {
ipv4 = "idm.${tools.meta.domain}"; ipv4 = "idm.${depot.lib.meta.domain}";
port = 443; port = 443;
protocol = "https"; protocol = "https";
}; };
ldap = { ldap = {
hostname = "idm-ldap.internal.${tools.meta.domain}"; hostname = "idm-ldap.internal.${depot.lib.meta.domain}";
ipv4 = config.vars.mesh.VEGAS.meshIp; ipv4 = config.vars.mesh.VEGAS.meshIp;
port = 636; port = 636;
protocol = "ldaps"; protocol = "ldaps";


@ -1,7 +1,7 @@
{ cluster, config, lib, tools, ... }: { cluster, config, lib, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
frontendLink = cluster.config.links.idm; frontendLink = cluster.config.links.idm;
@ -38,7 +38,7 @@ in
systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ]; systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) { services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy backendLink.url) {
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_ssl_name idm-backend.internal.${domain}; proxy_ssl_name idm-backend.internal.${domain};
proxy_ssl_trusted_certificate ${certDir}/chain.pem; proxy_ssl_trusted_certificate ${certDir}/chain.pem;


@ -1,8 +1,8 @@
{ config, depot, lib, pkgs, tools, ... }: { config, depot, lib, pkgs, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (tools.nginx) vhosts; inherit (depot.lib.nginx) vhosts;
cfg = config.services.ipfs-cluster; cfg = config.services.ipfs-cluster;
ipfsCfg = config.services.ipfs; ipfsCfg = config.services.ipfs;


@ -1,7 +1,7 @@
{ config, depot, lib, tools, ... }: { config, depot, lib, ... }:
{ {
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: depot.lib.summon name ({ depot, ... }: let
host = depot.reflection; host = depot.reflection;
intf = host.interfaces.primary; intf = host.interfaces.primary;
self = config.hostLinks.${name}.ipfs; self = config.hostLinks.${name}.ipfs;
@ -20,7 +20,7 @@
]; ];
}; };
}; };
}); }));
services.ipfs = { services.ipfs = {
nodes = { nodes = {
node = [ "VEGAS" "prophet" ]; node = [ "VEGAS" "prophet" ];
@ -46,7 +46,7 @@
}; };
monitoring.blackbox.targets.ipfs-gateway = { monitoring.blackbox.targets.ipfs-gateway = {
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${tools.meta.domain}/"; address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${depot.lib.meta.domain}/";
module = "https2xx"; module = "https2xx";
}; };
} }


@ -1,7 +1,7 @@
{ config, depot, lib, tools, ... }: { config, depot, lib, ... }:
with tools.nginx; with depot.lib.nginx;
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
gw = config.links.ipfsGateway; gw = config.links.ipfsGateway;
cfg = config.services.ipfs; cfg = config.services.ipfs;
metrics = config.links.ipfsMetrics; metrics = config.links.ipfsMetrics;


@ -1,6 +1,6 @@
{ cluster, config, depot, lib, pkgs, tools, ... }: { cluster, config, depot, lib, pkgs, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
cfg = config.services.ipfs; cfg = config.services.ipfs;
apiAddress = "/unix/run/ipfs/ipfs-api.sock"; apiAddress = "/unix/run/ipfs/ipfs-api.sock";
ipfsApi = pkgs.writeTextDir "api" apiAddress; ipfsApi = pkgs.writeTextDir "api" apiAddress;
@ -41,7 +41,7 @@ in
extraFlags = [ "--migrate" ]; extraFlags = [ "--migrate" ];
extraConfig = { extraConfig = {
Bootstrap = [ Bootstrap = [
"/ip4/${depot.config.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo" "/ip4/${depot.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
"/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa" "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
"/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb" "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
"/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN" "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"
@ -62,7 +62,7 @@ in
ID = extra.peerId; ID = extra.peerId;
Addrs = extra.multiaddrs; Addrs = extra.multiaddrs;
}) })
cluster.config.services.ipfs.otherNodes.node; (cluster.config.services.ipfs.otherNodes.node config.networking.hostName);
Gateway = { Gateway = {
Writable = false; Writable = false;
APICommands = []; APICommands = [];


@ -1,7 +1,7 @@
{ config, tools, ... }: { config, depot, ... }:
with tools.nginx; with depot.lib.nginx;
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
cfg = config.services.ipfs; cfg = config.services.ipfs;
gw = config.links.ipfsGateway; gw = config.links.ipfsGateway;
in in


@ -1,9 +1,9 @@
{ config, depot, lib, tools, ... }: { config, depot, lib, ... }:
let let
inherit (depot.config) hours; inherit (depot) hours;
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
subDomains = { subDomains = {
VEGAS = "eu1"; VEGAS = "eu1";


@ -1,13 +1,14 @@
{ cluster, config, lib, pkgs, tools, ... }: { cluster, config, lib, pkgs, depot, ... }:
let let
inherit (tools.meta) adminEmail; inherit (depot.lib.meta) adminEmail;
inherit (cluster) vars; inherit (cluster) vars;
inherit (config.networking) hostName;
linkGlobalSecure = cluster.config.links.ircSecure; linkGlobalSecure = cluster.config.links.ircSecure;
link = cluster.config.hostLinks.${vars.hostName}.irc; link = cluster.config.hostLinks.${hostName}.irc;
linkSecure = cluster.config.hostLinks.${vars.hostName}.ircSecure; linkSecure = cluster.config.hostLinks.${hostName}.ircSecure;
otherServers = map mkServer cluster.config.services.irc.otherNodes.host; otherServers = map mkServer (cluster.config.services.irc.otherNodes.host hostName);
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers; otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
opers = map mkOper vars.ircOpers; opers = map mkOper vars.ircOpers;
@ -41,7 +42,7 @@ in {
config = '' config = ''
[Global] [Global]
Name = ${serverName} Name = ${serverName}
Info = Private Void IRC - ${vars.hostName} Info = Private Void IRC - ${hostName}
Network = PrivateVoidIRC Network = PrivateVoidIRC
AdminInfo1 = Private Void Administrators AdminInfo1 = Private Void Administrators
AdminInfo2 = Contact for help AdminInfo2 = Contact for help


@ -1,6 +1,6 @@
{ config, tools, ... }: { config, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
in in
{ {
age.secrets = { age.secrets = {


@ -1,4 +1,4 @@
{ config, tools, ... }: { config, depot, ... }:
{ {
age.secrets = { age.secrets = {
coturn-static-auth = { coturn-static-auth = {
@ -11,7 +11,7 @@
services.coturn = { services.coturn = {
enable = true; enable = true;
no-cli = true; no-cli = true;
realm = tools.meta.domain; realm = depot.lib.meta.domain;
no-tcp-relay = true; no-tcp-relay = true;
min-port = 64000; min-port = 64000;


@ -1,4 +1,4 @@
{ tools, ... }: { depot, ... }:
{ {
services.matrix = { services.matrix = {
@ -13,7 +13,7 @@
}; };
monitoring.blackbox.targets.matrix = { monitoring.blackbox.targets.matrix = {
address = "https://matrix.${tools.meta.domain}/_matrix/federation/v1/version"; address = "https://matrix.${depot.lib.meta.domain}/_matrix/federation/v1/version";
module = "https2xx"; module = "https2xx";
}; };
} }


@ -1,6 +1,6 @@
{ config, pkgs, tools, ... }: { config, pkgs, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON { federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
"m.server" = "matrix.${domain}:443"; "m.server" = "matrix.${domain}:443";
}); });


@ -1,6 +1,6 @@
{ cluster, config, lib, pkgs, tools, ... }: { cluster, config, lib, pkgs, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;
@ -121,8 +121,8 @@ in {
]) ++ [ dbConfigOut ]; ]) ++ [ dbConfigOut ];
}; };
services.nginx.virtualHosts = tools.nginx.mappers.mapSubdomains { services.nginx.virtualHosts = depot.lib.nginx.mappers.mapSubdomains {
matrix = tools.nginx.vhosts.basic // { matrix = depot.lib.nginx.vhosts.basic // {
locations."/".return = "204"; locations."/".return = "204";
locations."/_matrix" = { locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008"; proxyPass = "http://127.0.0.1:8008";


@ -1,6 +1,6 @@
{ depot, lib, pkgs, tools, ... }: { depot, lib, pkgs, ... }:
let let
inherit (tools.nginx) domain vhosts; inherit (depot.lib.nginx) domain vhosts;
inherit (depot.packages) cinny; inherit (depot.packages) cinny;
in in
{ {


@ -1,4 +1,4 @@
{ tools, ... }: { depot, ... }:
{ {
services.meet = { services.meet = {
@ -7,7 +7,7 @@
}; };
monitoring.blackbox.targets.jitsi-videobridge = { monitoring.blackbox.targets.jitsi-videobridge = {
address = "meet.${tools.meta.domain}:7777"; address = "meet.${depot.lib.meta.domain}:7777";
module = "tcpConnect"; module = "tcpConnect";
}; };
} }


@ -1,4 +1,4 @@
{ config, lib, depot, tools, ... }: { config, lib, depot, ... }:
let let
inherit (config) links; inherit (config) links;
@ -11,7 +11,7 @@ in
services.jitsi-meet = { services.jitsi-meet = {
enable = true; enable = true;
hostName = "meet.${tools.meta.domain}"; hostName = "meet.${depot.lib.meta.domain}";
nginx.enable = true; nginx.enable = true;
jicofo.enable = true; jicofo.enable = true;
videobridge.enable = true; videobridge.enable = true;
@ -38,7 +38,7 @@ in
publicAddress = interfaces.primary.addrPublic; publicAddress = interfaces.primary.addrPublic;
}; };
}; };
services.nginx.virtualHosts."meet.${tools.meta.domain}" = { services.nginx.virtualHosts."meet.${depot.lib.meta.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."=/images/watermark.svg" = { locations."=/images/watermark.svg" = {


@ -1,9 +1,9 @@
{ config, cluster, lib, tools, ... }: { cluster, config, lib, depot, ... }:
let let
inherit (lib) flip pipe mapAttrsToList range recursiveUpdate substring; inherit (lib) flip pipe mapAttrsToList range recursiveUpdate substring;
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (cluster.config) vars; inherit (cluster.config) vars;
mapTargets = mapAttrsToList (name: value: value // { name = "default/${name}"; }); mapTargets = mapAttrsToList (name: value: value // { name = "default/${name}"; });
@ -19,7 +19,7 @@ let
}) })
]) (range 1 1); ]) (range 1 1);
probeId = pipe "blackbox-probe-${domain}-${vars.hostName}" [ probeId = pipe "blackbox-probe-${domain}-${config.networking.hostName}" [
(builtins.hashString "md5") (builtins.hashString "md5")
(substring 0 8) (substring 0 8)
]; ];
@ -39,7 +39,7 @@ in
{ {
services.grafana-agent.settings.integrations.blackbox = { services.grafana-agent.settings.integrations.blackbox = {
enabled = true; enabled = true;
instance = vars.hostName; instance = config.networking.hostName;
scrape_interval = "600s"; scrape_interval = "600s";
relabel_configs = [ relabel_configs = [
(relabel "__param_module" "module") (relabel "__param_module" "module")


@ -1,4 +1,4 @@
{ cluster, lib, ... }: { cluster, config, lib, ... }:
let let
inherit (lib) singleton; inherit (lib) singleton;
@ -17,7 +17,7 @@ in {
}; };
integrations.node_exporter = { integrations.node_exporter = {
enabled = true; enabled = true;
instance = cluster.config.vars.hostName; instance = config.networking.hostName;
enable_collectors = [ enable_collectors = [
"systemd" "systemd"
]; ];
@ -32,7 +32,7 @@ in {
job_name = "journal"; job_name = "journal";
journal = { journal = {
max_age = "12h"; max_age = "12h";
labels.host = cluster.config.vars.hostName; labels.host = config.networking.hostName;
}; };
relabel_configs = [ relabel_configs = [
(relabel "__journal__systemd_unit" "systemd_unit") (relabel "__journal__systemd_unit" "systemd_unit")


@ -1,6 +1,6 @@
{ cluster, config, depot, lib, pkgs, tools, ... }: { cluster, config, depot, lib, pkgs, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
inherit (cluster.config.links) loki-ingest prometheus-ingest; inherit (cluster.config.links) loki-ingest prometheus-ingest;
@ -97,7 +97,7 @@ in
services.nginx = { services.nginx = {
upstreams.grafana-ha.servers = lib.mapAttrs' (_: links: lib.nameValuePair links.grafana.tuple {}) (lib.getAttrs (svc.nodes.grafana) hostLinks); upstreams.grafana-ha.servers = lib.mapAttrs' (_: links: lib.nameValuePair links.grafana.tuple {}) (lib.getAttrs (svc.nodes.grafana) hostLinks);
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://grafana-ha") { virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy "http://grafana-ha") {
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}; };
}; };


@ -1,4 +1,4 @@
{ tools, ... }: { depot, ... }:
{ {
services.nextcloud = { services.nextcloud = {
@ -7,7 +7,7 @@
}; };
monitoring.blackbox.targets.nextcloud = { monitoring.blackbox.targets.nextcloud = {
address = "https://storage.${tools.meta.domain}/status.php"; address = "https://storage.${depot.lib.meta.domain}/status.php";
module = "nextcloudStatus"; module = "nextcloudStatus";
}; };
} }


@ -1,4 +1,4 @@
{ cluster, config, lib, pkgs, tools, ... }: { cluster, config, lib, pkgs, depot, ... }:
let let
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;
in in
@ -22,7 +22,7 @@ in
enableBrokenCiphersForSSE = false; enableBrokenCiphersForSSE = false;
enable = true; enable = true;
https = true; https = true;
hostName = "storage.${tools.meta.domain}"; hostName = "storage.${depot.lib.meta.domain}";
home = "/srv/storage/www-app/nextcloud"; home = "/srv/storage/www-app/nextcloud";
maxUploadSize = "4G"; maxUploadSize = "4G";
enableImagemagick = true; enableImagemagick = true;


@ -1,7 +1,7 @@
{ config, tools, ... }: { depot, ... }:
let let
inherit (tools.meta) adminEmail; inherit (depot.lib.meta) adminEmail;
in { in {
security.acme.defaults.email = adminEmail; security.acme.defaults.email = adminEmail;
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -24,15 +24,6 @@ in {
access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki; access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki;
''; '';
}; };
services.phpfpm.pools.www = {
inherit (config.services.nginx) user group;
settings = {
pm = "ondemand";
"pm.max_children" = 16;
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.after = [ "network-online.target" ]; systemd.services.nginx.after = [ "network-online.target" ];
} }
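Review bot: The second hunk deletes the whole `services.phpfpm.pools.www` pool, which is a functional change rather than the `tools` → `depot.lib` rename the rest of this section performs, and the commit message does not mention it. If any nginx vhost still references that pool's socket (via `config.services.phpfpm.pools.www.socket` or a hard-coded path), PHP requests will start failing at runtime without an evaluation error, so it is worth confirming no consumer remains and calling the removal out in the description. Dropping `config` from the module arguments is consistent with the pool being gone, since it was the only user of `config.services.nginx` here.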


@ -1,4 +1,4 @@
{ tools, ... }: { depot, ... }:
{ {
services.object-storage = { services.object-storage = {
@ -7,7 +7,7 @@
}; };
monitoring.blackbox.targets.object-storage = { monitoring.blackbox.targets.object-storage = {
address = "https://object-storage.${tools.meta.domain}/minio/health/live"; address = "https://object-storage.${depot.lib.meta.domain}/minio/health/live";
module = "https2xx"; module = "https2xx";
}; };
} }


@ -1,5 +1,5 @@
{ config, lib, tools, ... }: { config, lib, depot, ... }:
with tools.nginx; with depot.lib.nginx;
let let
inherit (config) links; inherit (config) links;


@ -12,9 +12,9 @@ in
services.grafana-agent = { services.grafana-agent = {
settings.integrations.postgres_exporter = { settings.integrations.postgres_exporter = {
enabled = true; enabled = true;
instance = vars.hostName; instance = config.networking.hostName;
data_source_names = [ data_source_names = [
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp vars.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable" "postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp config.networking.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
]; ];
autodiscover_databases = true; autodiscover_databases = true;
}; };


@ -2,6 +2,7 @@
let let
inherit (cluster.config) vars; inherit (cluster.config) vars;
inherit (config.networking) hostName;
getMeshIp = name: vars.mesh.${name}.meshIp; getMeshIp = name: vars.mesh.${name}.meshIp;
@ -32,7 +33,7 @@ in
]; ];
services.patroni = { services.patroni = {
enable = true; enable = true;
name = vars.hostName; name = hostName;
postgresqlPackage = pg; postgresqlPackage = pg;
postgresqlDataDir ="${baseDir}/${pg.psqlSchema}"; postgresqlDataDir ="${baseDir}/${pg.psqlSchema}";
postgresqlPort = cluster.config.links.patroni-pg-internal.port; postgresqlPort = cluster.config.links.patroni-pg-internal.port;
@ -40,8 +41,8 @@ in
scope = "poseidon"; scope = "poseidon";
namespace = "/patroni"; namespace = "/patroni";
nodeIp = getMeshIp vars.hostName; nodeIp = getMeshIp hostName;
otherNodesIps = map getMeshIp cluster.config.services.patroni.otherNodes.worker; otherNodesIps = map getMeshIp (cluster.config.services.patroni.otherNodes.worker hostName);
raft = false; raft = false;
softwareWatchdog = true; softwareWatchdog = true;
settings = { settings = {
@ -68,7 +69,7 @@ in
superuser.username = "postgres"; superuser.username = "postgres";
}; };
parameters = { parameters = {
listen_addresses = getMeshIp vars.hostName; listen_addresses = getMeshIp hostName;
wal_level = "replica"; wal_level = "replica";
hot_standby_feedback = "on"; hot_standby_feedback = "on";
unix_socket_directories = "/tmp"; unix_socket_directories = "/tmp";


@ -1,4 +1,4 @@
{ tools, ... }: { depot, ... }:
{ {
services.search = { services.search = {
@ -7,7 +7,7 @@
}; };
monitoring.blackbox.targets.search = { monitoring.blackbox.targets.search = {
address = "https://search.${tools.meta.domain}/healthz"; address = "https://search.${depot.lib.meta.domain}/healthz";
module = "https2xx"; module = "https2xx";
}; };
} }


@ -1,4 +1,4 @@
{ config, depot, lib, tools, ... }: { config, depot, lib, ... }:
let let
inherit (config) links; inherit (config) links;
in in
@ -56,7 +56,7 @@ in
disable-logging = true; disable-logging = true;
}; };
}; };
services.nginx.virtualHosts."search.${tools.meta.domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy links.searxng.url) { services.nginx.virtualHosts."search.${depot.lib.meta.domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy links.searxng.url) {
extraConfig = "access_log off;"; extraConfig = "access_log off;";
}; };
systemd.services.uwsgi.after = [ "wireguard-wgmv.service" "network-addresses-wgmv.service" ]; systemd.services.uwsgi.after = [ "wireguard-wgmv.service" "network-addresses-wgmv.service" ];


@ -1,8 +1,8 @@
{ tools, ... }: { depot, ... }:
{ {
monitoring.blackbox.targets.soda-machine = { monitoring.blackbox.targets.soda-machine = {
address = "soda.int.${tools.meta.domain}:22"; address = "soda.int.${depot.lib.meta.domain}:22";
module = "sshConnect"; module = "sshConnect";
}; };
} }


@ -1,19 +1,19 @@
{ config, depot, lib, pkgs, tools, ... }: { config, depot, lib, pkgs, ... }:
with tools.nginx; with depot.lib.nginx;
{ {
# TODO: not a whole lot to configure, maybe add some autoconfig stuff # TODO: not a whole lot to configure, maybe add some autoconfig stuff
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
package = depot.packages.jellyfin; package = depot.packages.jellyfin;
}; };
services.nginx.virtualHosts."warehouse.${tools.meta.domain}" = lib.mkMerge [ services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}" = lib.mkMerge [
(vhosts.proxy "http://127.0.0.1:8096") (vhosts.proxy "http://127.0.0.1:8096")
{ {
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_buffering off; proxy_buffering off;
''; '';
locations."/socket" = { locations."/socket" = {
inherit (config.services.nginx.virtualHosts."warehouse.${tools.meta.domain}".locations."/") proxyPass; inherit (config.services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}".locations."/") proxyPass;
proxyWebsockets = true; proxyWebsockets = true;
}; };
# TODO: video cache # TODO: video cache


@ -1,14 +1,7 @@
{ depot, lib, tools, ... }: { depot, lib, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
importWebsites = expr: import expr {
tools = tools.nginx;
inherit (depot) packages;
};
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
acmeUseDNS = name: conf: { acmeUseDNS = name: conf: {
name = conf.useACMEHost or conf.serverName or name; name = conf.useACMEHost or conf.serverName or name;
@ -24,7 +17,16 @@ in
{ {
services.websites = { services.websites = {
nodes.host = [ "checkmate" "thunderskin" "VEGAS" "prophet" ]; nodes.host = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
nixos.host = { nixos.host = { config, depot, ... }: let
importWebsites = expr: import expr {
tools = depot.lib.nginx;
inherit (depot) packages;
};
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
in {
services.nginx.virtualHosts = websites; services.nginx.virtualHosts = websites;
security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites); security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
consul.services.nginx = { consul.services.nginx = {


@ -1,7 +1,7 @@
{ config, depot, lib, ... }: { config, depot, lib, ... }:
let let
inherit (depot.config) hours; inherit (depot) hours;
meshNet = rec { meshNet = rec {
netAddr = "10.1.1.0"; netAddr = "10.1.1.0";


@ -30,7 +30,7 @@ in
ips = [ "${link.extra.meshIp}/24" ]; ips = [ "${link.extra.meshIp}/24" ];
listenPort = link.port; listenPort = link.port;
privateKeyFile = config.age.secrets.wireguard-key-core.path; privateKeyFile = config.age.secrets.wireguard-key-core.path;
peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh; peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
}; };
}; };
}; };
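Review bot: The new `peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName)` only excludes this node if `hostName` matches a mesh group entry byte-for-byte: the filter behind `otherNodes` is a plain `x != hostName`, so a name that is not in the group (a typo, or a `networking.hostName` whose case differs from the cluster node name, e.g. `VEGAS`) silently returns the whole group, this node's own public key included, instead of failing. `hostName` is bound outside this hunk and the enclosing interface definition starts before it, so I cannot see where the name comes from. An eval-time guard next to the assignment would make the failure loud, e.g. `assert lib.elem hostName cluster.config.services.wireguard.nodes.mesh;` (assuming the group is declared under `nodes.mesh` like the `nodes.host` groups elsewhere in this commit).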


@ -19,6 +19,7 @@
./packages/part.nix ./packages/part.nix
./jobs/part.nix ./jobs/part.nix
./lib/part.nix ./lib/part.nix
./cluster/part.nix
]; ];
}; };


@ -1,6 +1,6 @@
{ config, lib, tools, ... }: { config, lib, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}"; login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
cfg = config.services.oauth2_proxy; cfg = config.services.oauth2_proxy;
in in


@ -1,9 +1,9 @@
{ config, lib, tools, ... }: { config, lib, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
apiAddr = "api.${domain}"; apiAddr = "api.${domain}";
proxyTarget = config.links.api.url; proxyTarget = config.links.api.url;
proxy = tools.nginx.vhosts.proxy proxyTarget; proxy = depot.lib.nginx.vhosts.proxy proxyTarget;
in in
{ {
# n8n uses "Sustainable Use License" # n8n uses "Sustainable Use License"


@ -4,7 +4,7 @@
networking.nat.forwardPorts = [ networking.nat.forwardPorts = [
{ {
sourcePort = 52222; sourcePort = 52222;
destination = "${depot.config.hours.soda.interfaces.primary.addr}:22"; destination = "${depot.hours.soda.interfaces.primary.addr}:22";
proto = "tcp"; proto = "tcp";
} }
]; ];


@ -1,5 +1,5 @@
{ config, lib, tools, ... }: { config, lib, depot, ... }:
with tools.nginx; with depot.lib.nginx;
{ {
links.bitwarden.protocol = "http"; links.bitwarden.protocol = "http";


@ -1,10 +1,9 @@
{ config, lib, toolsets, ... }: { depot, lib, ... }:
let let
tools = toolsets.nginx { tools = (depot.lib.override {
inherit lib config; meta.domain = lib.mkForce "cdn-shield.privatevoid.net";
domain = "cdn-shield.privatevoid.net"; }).nginx;
};
in in
{ {
services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; }); services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; });
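Review bot: `depot.lib.override { meta.domain = lib.mkForce "cdn-shield.privatevoid.net"; }` re-evaluates the whole `lib` module set, not just the nginx helpers: `identity` derives `domain`, `ldap.server.hostname` and `autoDomain` from `config.meta.domain`, and `meta.adminEmail` becomes `admins@cdn-shield.privatevoid.net` in the overridden result. Taking only `.nginx` keeps that contained, but nothing records the intent; a comment such as `# override the domain for the nginx helpers only; never read identity/meta from this overridden lib` would stop a later edit from widening it. Note also that `config` was dropped from the module arguments while `shields.nix` still receives `tools` only; if it used the removed `simplePHP` helper (which read `config.services.phpfpm`) it now fails at evaluation, which is presumably intended since every other `simplePHP` user is removed in this commit.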


@ -1,5 +1,5 @@
{ config, tools, ... }: { config, depot, ... }:
with tools.nginx; with depot.lib.nginx;
{ {
links = { links = {
ombi.protocol = "http"; ombi.protocol = "http";


@ -1,7 +1,7 @@
{ cluster, config, lib, tools, ... }: { cluster, config, lib, depot, ... }:
let let
inherit (tools.meta) domain adminEmail; inherit (depot.lib.meta) domain adminEmail;
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;
@ -106,5 +106,5 @@ in
}; };
}; };
services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket"; services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
} }


@ -1,10 +1,9 @@
{ tools, ... }: { depot, ... }:
with tools.nginx.mappers; with depot.lib.nginx.mappers;
with tools.nginx.vhosts; with depot.lib.nginx.vhosts;
{ {
services.nginx.virtualHosts = mapSubdomains { services.nginx.virtualHosts = mapSubdomains {
"bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist"; "bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist";
"get" = simplePHP "/srv/storage/www/dietldb";
"rzentrale" = static "/srv/storage/www/rzentrale"; "rzentrale" = static "/srv/storage/www/rzentrale";
"wunschnachricht" = static "/srv/storage/www/wunschnachricht"; "wunschnachricht" = static "/srv/storage/www/wunschnachricht";
}; };


@ -1,4 +1,4 @@
{ tools, ... }: { depot, ... }:
{ {
imports = [ imports = [
./imap.nix ./imap.nix
@ -6,12 +6,12 @@
./postfix.nix ./postfix.nix
./saslauthd.nix ./saslauthd.nix
]; ];
services.nginx.virtualHosts."mail.${tools.meta.domain}" = { services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
enableACME = true; enableACME = true;
locations."/".return = "204"; locations."/".return = "204";
}; };
security.acme.certs."mail.${tools.meta.domain}".extraDomainNames = map security.acme.certs."mail.${depot.lib.meta.domain}".extraDomainNames = map
(x: "${x}.${tools.meta.domain}") [ (x: "${x}.${depot.lib.meta.domain}") [
"mx" "mx"
"imap" "imap"
"smtp" "smtp"


@ -1,7 +1,7 @@
{ config, pkgs, tools, ... }: { config, pkgs, depot, ... }:
let let
inherit (tools.identity) ldap; inherit (depot.lib.identity) ldap;
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
postfixCfg = config.services.postfix; postfixCfg = config.services.postfix;


@ -1,6 +1,6 @@
{ lib, tools, ... }: { lib, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
in in
{ {
services.opendkim = { services.opendkim = {


@ -1,6 +1,6 @@
{ config, depot, tools, ... }: { config, depot, ... }:
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
certDir = config.security.acme.certs."mail.${domain}".directory; certDir = config.security.acme.certs."mail.${domain}".directory;
receivePolicy = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ]; receivePolicy = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ];


@ -1,6 +1,6 @@
{ pkgs, tools, ... }: { pkgs, depot, ... }:
let let
inherit (tools.identity) ldap; inherit (depot.lib.identity) ldap;
in in
{ {
services.saslauthd = { services.saslauthd = {


@ -1,4 +1,4 @@
{ config, depot, tools, ... }: { config, depot, ... }:
{ {
links.nixIpfs.protocol = "http"; links.nixIpfs.protocol = "http";
@ -17,11 +17,11 @@
IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress; IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress;
NIX_CACHES = toString [ NIX_CACHES = toString [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://cache.${tools.meta.domain}" "https://cache.${depot.lib.meta.domain}"
"https://max.cachix.org" "https://max.cachix.org"
]; ];
}; };
}; };
services.nginx.virtualHosts."reflex.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.nixIpfs.url; services.nginx.virtualHosts."reflex.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.nixIpfs.url;
} }


@ -1,7 +1,7 @@
{ cluster, config, depot, lib, tools, ... }: { cluster, config, depot, lib, ... }:
with tools.nginx; with depot.lib.nginx;
let let
login = "login.${tools.meta.domain}"; login = "login.${depot.lib.meta.domain}";
kc = config.links.keycloak; kc = config.links.keycloak;
patroni = cluster.config.links.patroni-pg-access; patroni = cluster.config.links.patroni-pg-access;
in in


@ -1,9 +1,9 @@
{ tools, ... }: { depot, ... }:
with tools.nginx.vhosts; with depot.lib.nginx.vhosts;
let let
inherit (tools.meta) domain; inherit (depot.lib.meta) domain;
front = "ident.${domain}"; front = "ident.${domain}";
back = tools.identity.ldap.server.hostname; back = depot.lib.identity.ldap.server.hostname;
in in
{ {
services.nginx.virtualHosts."${front}" = basic // { services.nginx.virtualHosts."${front}" = basic // {


@ -1,4 +1,4 @@
{ config, pkgs, tools, ... }: { config, pkgs, depot, ... }:
{ {
services.vault = { services.vault = {
@ -8,5 +8,5 @@
extraConfig = "ui = true"; extraConfig = "ui = true";
package = pkgs.vault-bin; package = pkgs.vault-bin;
}; };
services.nginx.virtualHosts."vault.${tools.meta.domain}" = tools.nginx.vhosts.proxy "http://${config.services.vault.address}"; services.nginx.virtualHosts."vault.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy "http://${config.services.vault.address}";
} }


@ -1,14 +1,12 @@
{ depot, tools, ... }: { depot, ... }:
let let
importWebsites = expr: import expr { importWebsites = expr: import expr {
tools = tools.nginx; tools = depot.lib.nginx;
inherit (depot) packages; inherit (depot) packages;
}; };
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix); websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
extraWebsites = importWebsites ./extra-sites.nix;
in { in {
services.nginx.virtualHosts = websites // extraWebsites; services.nginx.virtualHosts = websites;
} }


@ -1,8 +0,0 @@
{ tools, ... }:
with tools.vhosts;
let
noSSL = { enableACME = false; forceSSL = false; };
in
{
"ky.rip" = simplePHP "/srv/storage/www/ky.rip" // noSSL;
}


@ -1,4 +1,4 @@
{ config, depot, tools, ... }: { config, depot, ... }:
{ {
imports = imports =
@ -43,7 +43,7 @@
networking.hostName = "VEGAS"; networking.hostName = "VEGAS";
networking.domain = "backbone.${tools.meta.domain}"; networking.domain = "backbone.${depot.lib.meta.domain}";
time.timeZone = "Europe/Helsinki"; time.timeZone = "Europe/Helsinki";
@ -94,7 +94,7 @@
path = depot.nixosConfigurations.soda.config.system.build.toplevel; path = depot.nixosConfigurations.soda.config.system.build.toplevel;
privateNetwork = true; privateNetwork = true;
hostBridge = "vmdefault"; hostBridge = "vmdefault";
localAddress = "${depot.config.hours.soda.interfaces.primary.addr}/24"; localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
autoStart = true; autoStart = true;
bindMounts.sodaDir = { bindMounts.sodaDir = {
hostPath = "/srv/storage/www/soda"; hostPath = "/srv/storage/www/soda";


@ -17,7 +17,7 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "checkmate"; networking.hostName = "checkmate";
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ]; networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
time.timeZone = "Europe/Zurich"; time.timeZone = "Europe/Zurich";


@ -1,23 +1,13 @@
{ config, inputs, lib, self, withSystem, ... }: { config, lib, ... }:
let let
inherit (lib) const mapAttrs nixosSystem; inherit (lib) mapAttrs nixosSystem;
inherit (config) gods; inherit (config) gods;
mkSpecialArgs = system: hostName: withSystem system ({ inputs', self', ... }: {
depot = self // self' // {
inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
inherit config;
# peer into the Watchman's Glass
reflection = config.hours.${hostName};
};
toolsets = import ../tools;
});
mkNixOS = name: host: nixosSystem { mkNixOS = name: host: nixosSystem {
specialArgs = mkSpecialArgs host.system name; specialArgs = config.lib.summon name lib.id;
inherit (host) system; inherit (host) system;
modules = [ host.nixos ../tools/inject.nix (import ../cluster/inject.nix name) ]; modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;
}; };
in { in {
flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh); flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);


@ -19,7 +19,7 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "prophet"; networking.hostName = "prophet";
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ]; networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
time.timeZone = "Europe/Zurich"; time.timeZone = "Europe/Zurich";


@ -14,9 +14,9 @@
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ]; networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
networking.resolvconf.extraConfig = "local_nameservers='${depot.config.hours.VEGAS.interfaces.vstub.addr}'"; networking.resolvconf.extraConfig = "local_nameservers='${depot.hours.VEGAS.interfaces.vstub.addr}'";
networking.hostName = "soda"; networking.hostName = "soda";


@ -17,7 +17,7 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "thunderskin"; networking.hostName = "thunderskin";
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ]; networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
time.timeZone = "Europe/Zurich"; time.timeZone = "Europe/Zurich";

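--- /dev/null
+++ b/lib/hours.nix
@@ -0,0 +1,18 @@
+{ config, inputs, lib, self, withSystem, ... }:
+let
+  inherit (lib) const mapAttrs;
+in
+{
+  lib.summon = name: f: let
+    lift = config;
+    hour = config.hours.${name};
+  in withSystem hour.system ({ config, inputs', self', ... }: f {
+    depot = self // self' // lift // config // {
+      inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
+      # peer into the Watchman's Glass
+      reflection = hour;
+    };
+  });
+}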
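Review bot: In `depot = self // self' // lift // config // { ... }` the right-most operand wins on every key collision, so flake outputs (`self`, `self'`) are silently shadowed by flake-parts options of the same name: `lift` is the top-level flake-parts config and `config` inside the `withSystem` callback is the perSystem config, so `depot.packages`/`depot.checks` resolve to perSystem option values and `depot.lib` to the `lib` option rather than to any `self.lib` output, if one exists. That is probably intended, but it is easy to misread because `config` on the `withSystem` line is a different object from the `config` captured as `lift` two lines above. Suggest `# precedence: perSystem config > flake-parts config (lift) > self' > self; later operands shadow earlier ones` on the merge line and `# this \`config\` is the perSystem config; the flake-level config is \`lift\`` on the `withSystem` line.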

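--- /dev/null
+++ b/lib/identity.nix
@@ -0,0 +1,37 @@
+{ lib, ... }:
+{
+  lib = { config, ... }: with config.identity; {
+    identity = {
+      inherit (config.meta) domain;
+      autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
+      ldap = {
+        server = with ldap.server; {
+          # TODO: unhardcode everything here
+          protocol = "ldaps";
+          hostname = "authsys.virtual-machines.${domain}";
+          port = 636;
+          url = "${protocol}://${connectionString}";
+          connectionString = "${hostname}:${builtins.toString port}";
+        };
+        accounts = with ldap.accounts; {
+          domainComponents = ldap.lib.convertDomain domain;
+          uidAttribute = "uid";
+          uidFilter = "(${uidAttribute}=%u)";
+          userSearchBase = "cn=users,cn=accounts,${domainComponents}";
+        };
+        lib = {
+          convertDomain = domain: with builtins; lib.pipe domain [
+            (split "\\.")
+            (filter isString)
+            (map (x: "dc=${x}"))
+            (concatStringsSep ",")
+          ];
+        };
+      };
+    };
+  };
+}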
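Review bot: Compared with the `tools/identity.nix` it replaces, this module drops `dns.master.addr = "10.10.0.11";` and `kerberos.kdc = "authsys.virtual-machines.${domain}";`, so any consumer still reading `depot.lib.identity.kerberos.kdc` or `.dns.master.addr` fails at evaluation; if the omission is deliberate, a one-line comment saying so would save the next reader a search. Separately, `autoDomain` hashes the name with MD5 only to derive a deterministic subdomain, which is fine as a naming scheme but is not collision resistant and must not be relied on to keep two names from sharing a vhost or certificate; `# MD5 gives a stable, DNS-safe label only; not a security boundary` next to it would make that explicit. The `uidFilter` still carries a raw `%u` placeholder, so escaping of the user-supplied value remains the consuming service's responsibility, as before.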

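--- /dev/null
+++ b/lib/meta.nix
@@ -0,0 +1,8 @@
+{
+  lib = { config, ... }: with config.meta; {
+    meta = {
+      domain = "privatevoid.net";
+      adminEmail = "admins@${domain}";
+    };
+  };
+}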
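Review bot: `domain` is defined at normal priority, so anyone overriding it through `depot.lib.override` must use `lib.mkForce` (as the cdn-shield module in this commit does); a plain `meta.domain = "...";` in an override module produces a conflicting-definitions error instead. Either record that here, `# override via depot.lib.override { meta.domain = lib.mkForce "..."; }`, or give the file a `{ lib, ... }:` header and declare `domain = lib.mkDefault "privatevoid.net";` so overrides work without force. `adminEmail` resolves `domain` through `with config.meta`, i.e. it follows whatever the final merged domain is; that is the right behaviour and worth one comment so nobody "simplifies" it to a literal.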

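--- /dev/null
+++ b/lib/nginx.nix
@@ -0,0 +1,50 @@
+{ lib, ... }:
+{
+  lib = { config, ... }: with config.nginx; {
+    nginx = {
+      inherit (config.meta) domain;
+      mappers = {
+        mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
+      };
+      vhosts = with vhosts; {
+        basic = {
+          forceSSL = true;
+          enableACME = true;
+        };
+        redirect = target: basic // {
+          locations."/".return = "301 ${target}";
+        };
+        proxy = target: basic // {
+          locations."/".proxyPass = target;
+        };
+        static = root: basic // {
+          inherit root;
+        };
+        indexedStatic = root: (static root) // {
+          extraConfig = "autoindex on;";
+        };
+        proxyGhost = scheme: target: basic // {
+          locations."/".extraConfig = ''
+            proxy_pass ${scheme}://${target};
+            proxy_set_header Host ${target};
+            proxy_set_header Referer ${scheme}://${target};
+            proxy_cookie_domain ${target} domain.invalid;
+            proxy_set_header Cookie "";
+          '';
+        };
+      };
+    };
+  };
+}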
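Review bot: `proxyGhost` is the one security-relevant helper here and carries no explanation: it rewrites `Host`/`Referer` to the upstream name, moves any upstream `Set-Cookie` domain to `domain.invalid` and blanks the client `Cookie` header, so a third-party origin neither sees our users' cookies nor gets to set cookies on our domain. A header comment stating that, e.g. `# Proxy a third-party origin while isolating cookies in both directions; do not drop the Cookie/proxy_cookie_domain lines`, protects the `proxy_set_header Cookie "";` line from a well-meaning "fix". `indexedStatic` turns on `autoindex on;`, i.e. public directory listings, which deserves `# intentionally exposes directory listings` so the exposure is visibly deliberate. The `simplePHP` helper from the old `tools/nginx.nix` was not carried over, which matches the removal of its callers elsewhere in this commit.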


@ -1,5 +1,27 @@
{ config, lib, ... }:
{ {
imports = [ imports = [
./time-travel.nix ./time-travel.nix
./hours.nix
./meta.nix
./nginx.nix
./identity.nix
]; ];
options.lib = lib.mkOption {
default = {};
type = with lib.types; submodule ({ extendModules, ... }: {
freeformType = let
t = either (lazyAttrsOf t) raw;
in t;
config.override = conf: let
overridden = extendModules {
modules = [ conf ];
};
in overridden.config;
});
};
config._module.args.depot = config;
} }
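Review bot: `config._module.args.depot = config;` binds `depot` for flake-parts modules to the bare flake-parts config, while `lib.summon` hands NixOS modules a differently shaped `depot` (`self // self' // lift // config // {...}`) under the same name; both expose `hours`, `lib` and `cluster`, but only the NixOS-side one has `packages`, `inputs` and `reflection`, so a module moved between the two contexts breaks in non-obvious ways. A comment here, `# flake-parts-level depot: the plain flake-parts config; NixOS modules get the per-host merged variant from lib.summon`, documents the split. On the freeform type, `either (lazyAttrsOf t) raw` is what lets `lib.nginx`/`lib.identity` refer back to `config.meta`, but `raw` leaves merge by single definition only, so two modules setting the same leaf (e.g. `lib.meta.domain`) conflict unless one uses `mkForce`; a note beside the type would explain why `override` callers need it.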


@ -1,18 +1,3 @@
{ config, lib, ... }:
let
timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
in
{ {
_module.args = { inherit timeTravel; }; lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
perSystem = { system, ... }: {
_module.args.timeTravel' = rev: let
flake = timeTravel rev;
flake' = config.perInput system flake;
in flake' // {
inputs = lib.mapAttrs (_: input: config.perInput system input) flake.inputs;
};
};
} }
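Review bot: `lib.timeTravel` passes `rev` straight into `builtins.getFlake "github:privatevoid-net/depot/${rev}"` without constraining it, so a branch or tag name instead of a commit hash yields an unlocked, moving reference and whatever is pushed to that branch later is what gets evaluated. Pure evaluation rejects unlocked refs, but under `--impure` this becomes a silent supply-chain hole. Make the contract explicit: `lib.timeTravel = rev: assert builtins.match "[0-9a-f]{40}" rev != null; builtins.getFlake "github:privatevoid-net/depot/${rev}";`. The `timeTravel'` helper that resolved perSystem inputs is dropped in this commit, so any remaining caller of it fails at evaluation.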


@ -1,6 +1,6 @@
{ config, depot, lib, tools, ... }: { config, depot, lib, ... }:
let let
orgDomain = tools.meta.domain; orgDomain = depot.lib.meta.domain;
host = depot.reflection; host = depot.reflection;
in { in {
networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}"; networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}";


@ -2,7 +2,7 @@
let let
inherit (config.networking) hostName; inherit (config.networking) hostName;
inherit (depot.packages) hyprspace; inherit (depot.packages) hyprspace;
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.config.hours; hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.hours;
peersFormatted = builtins.mapAttrs (_: x: { peersFormatted = builtins.mapAttrs (_: x: {
inherit (x.hyprspace) id; inherit (x.hyprspace) id;
routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]); routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);


@ -1,4 +1,4 @@
{ depot, tools, ... }: { depot, ... }:
{ {
nix = { nix = {
@ -6,7 +6,7 @@
settings = { settings = {
trusted-users = [ "root" "@wheel" "@admins" ]; trusted-users = [ "root" "@wheel" "@admins" ];
substituters = [ "https://cache.${tools.meta.domain}" ]; substituters = [ "https://cache.${depot.lib.meta.domain}" ];
trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ]; trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
}; };
@ -14,7 +14,7 @@
experimental-features = nix-command flakes cgroups experimental-features = nix-command flakes cgroups
use-cgroups = true use-cgroups = true
builders-use-substitutes = true builders-use-substitutes = true
flake-registry = https://git.${tools.meta.domain}/private-void/registry/-/raw/master/registry.json flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
# For Hercules CI agent # For Hercules CI agent
narinfo-cache-negative-ttl = 0 narinfo-cache-negative-ttl = 0


@ -1,6 +1,6 @@
{ depot, lib, ... }: { depot, lib, ... }:
let let
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.config.hours; filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.hours;
idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered; idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered; configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;


@ -1,17 +1,11 @@
{ lib, self, ... }: { config, self, ... }:
{ {
perSystem = { filters, pkgs, self', ... }: let perSystem = { filters, pkgs, self', ... }: {
fakeCluster = import ../../cluster {
inherit lib;
hostName = throw "not available in test environment";
depot = throw "not available in test environment";
};
in {
checks = filters.doFilter filters.checks { checks = filters.doFilter filters.checks {
jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix { jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix {
inherit (self'.packages) jellyfin; inherit (self'.packages) jellyfin;
inherit fakeCluster; inherit (config) cluster;
}; };
keycloak = pkgs.callPackage ./keycloak-custom-jre.nix { keycloak = pkgs.callPackage ./keycloak-custom-jre.nix {


@ -1,10 +1,10 @@
{ nixosTest, fakeCluster, jellyfin }: { nixosTest, cluster, jellyfin }:
nixosTest { nixosTest {
name = "jellyfin-stateless"; name = "jellyfin-stateless";
nodes = { nodes = {
machine = { machine = {
imports = fakeCluster.config.services.warehouse.nixos.host; imports = cluster.config.services.warehouse.nixos.host;
_module.args.depot.packages.jellyfin = jellyfin; _module.args.depot.packages.jellyfin = jellyfin;
}; };
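Review bot: The node still receives only `_module.args.depot.packages.jellyfin = jellyfin;`, but the warehouse module it imports via `cluster.config.services.warehouse.nixos.host` now reads `depot.lib.nginx` and `depot.lib.meta.domain` where it previously used the separately injected `tools`; unless another module in that list defines `depot.lib`, evaluation stops on a missing `lib` attribute before the VM boots. If so, thread the real library through: take `depot` as a function argument, supply it from `part.nix` with `depot = config;` (whose `lib` option is the one the modules expect), and set `_module.args.depot = { inherit (depot) lib; packages.jellyfin = jellyfin; };`. The rest of the test (the script and any further nodes) lies outside this hunk.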


@ -1,10 +0,0 @@
let toolsets = {
meta = import ./meta.nix;
identity = import ./identity.nix { inherit toolsets; };
networks = import ./networks.nix { inherit toolsets; };
nginx = import ./nginx.nix { inherit toolsets; };
};
in toolsets // {
all = args: (builtins.mapAttrs (_: x: x args) toolsets) // { inherit (toolsets) meta; };
}


@ -1,40 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ lib ? null, domain ? toolsets.meta.domain, ... }:
let
tools = (self: {
inherit domain;
autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
ldap = {
server = with self.ldap.server; {
# TODO: unhardcode everything here
protocol = "ldaps";
hostname = "authsys.virtual-machines.${domain}";
port = 636;
url = "${protocol}://${connectionString}";
connectionString = "${hostname}:${builtins.toString port}";
};
accounts = with self.ldap.accounts; {
domainComponents = self.ldap.lib.convertDomain domain;
uidAttribute = "uid";
uidFilter = "(${uidAttribute}=%u)";
userSearchBase = "cn=users,cn=accounts,${domainComponents}";
};
lib = {
convertDomain = domain: with builtins; lib.pipe domain [
(split "\\.")
(filter isString)
(map (x: "dc=${x}"))
(concatStringsSep ",")
];
};
};
dns.master.addr = "10.10.0.11";
kerberos.kdc = "authsys.virtual-machines.${domain}";
}) tools;
in tools


@ -1,4 +0,0 @@
{ pkgs, lib, config, ... }:
{
_module.args.tools = (import ./.).all { inherit pkgs lib config; };
}


@ -1,4 +0,0 @@
rec {
domain = "privatevoid.net";
adminEmail = "admins@${domain}";
}


@ -1,20 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ lib ? null, ... }:
let
tools = (self: {
all = {};
ipv4.all = {};
ipv4.internal = {
addr = "10.0.0.0/8";
vpn = {
addr = "10.100.0.0/16";
};
};
}) tools;
in tools


@ -1,58 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ config ? null, lib ? null, domain ? toolsets.meta.domain, ... }:
let
tools = (self: {
inherit domain;
mappers = {
mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
};
vhosts = with self.vhosts; {
basic = {
forceSSL = true;
enableACME = true;
};
redirect = target: basic // {
locations."/".return = "301 ${target}";
};
proxy = target: basic // {
locations."/".proxyPass = target;
};
static = root: basic // {
inherit root;
};
indexedStatic = root: (static root) // {
extraConfig = "autoindex on;";
};
simplePHP = root: (static root) // {
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.www.socket};
fastcgi_index index.php;
'';
};
proxyGhost = scheme: target: basic // {
locations."/".extraConfig = ''
proxy_pass ${scheme}://${target};
proxy_set_header Host ${target};
proxy_set_header Referer ${scheme}://${target};
proxy_cookie_domain ${target} domain.invalid;
proxy_set_header Cookie "";
'';
};
};
}) tools;
in tools