treewide: massive refactor
parent
8b96787bc2
commit
ae48e4807a
96 changed files with 373 additions and 424 deletions
|
@ -1,4 +1,4 @@
|
|||
{ lib, depot, hostName }:
|
||||
{ lib, depot }:
|
||||
|
||||
lib.evalModules {
|
||||
specialArgs = {
|
||||
|
@ -7,12 +7,10 @@ lib.evalModules {
|
|||
modules = [
|
||||
# Arbitrary variables to reference across multiple services
|
||||
./lib/vars
|
||||
{ vars = { inherit hostName; }; }
|
||||
|
||||
# Cluster-level port-magic
|
||||
../modules/port-magic
|
||||
|
||||
../tools/inject.nix
|
||||
./lib/services.nix
|
||||
./lib/inject-nixos-config.nix
|
||||
./lib/port-magic-multi.nix
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
hostName:
|
||||
{ depot, lib, ... }:
|
||||
|
||||
let
|
||||
cluster = import ./. { inherit lib depot hostName; };
|
||||
in
|
||||
|
||||
{
|
||||
_module.args.cluster = {
|
||||
inherit (cluster.config) vars;
|
||||
inherit (cluster.config.vars) hosts;
|
||||
inherit (cluster) config;
|
||||
};
|
||||
imports = cluster.config.out.injectedNixosConfig;
|
||||
}
|
|
@ -1,10 +1,10 @@
|
|||
{ lib, ... }:
|
||||
{ config, lib, ... }:
|
||||
with lib;
|
||||
|
||||
{
|
||||
options.out.injectedNixosConfig = mkOption {
|
||||
description = "NixOS configuration modules to inject into the host.";
|
||||
type = with types; listOf anything;
|
||||
default = {};
|
||||
options.out.injectNixosConfig = mkOption {
|
||||
description = "NixOS configuration to inject into the given host.";
|
||||
type = with types; functionTo raw;
|
||||
default = const [];
|
||||
};
|
||||
}
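Review bot: `options.out.injectNixosConfig` is declared as `functionTo raw`, so the list the function returns is never checked and `default = const []` is the only hint of its shape; services.nix in this commit always produces a list of modules here (`... ++ [ introspectionModule ]`), so `type = with types; functionTo (listOf deferredModule);` would state that contract and let the module system report a bad element at its definition site. If some injected value can legitimately be something other than a module, `functionTo (listOf raw)` still documents that a list is expected. The description could also say what the argument is, e.g. `description = "Given a host name, the list of NixOS modules to inject into that host.";`.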
|
||||
|
|
|
@ -1,11 +1,8 @@
|
|||
vars:
|
||||
{ config, lib, ... }:
|
||||
with lib;
|
||||
|
||||
let
|
||||
notSelf = x: x != vars.hostName;
|
||||
|
||||
filterGroup = builtins.filter notSelf;
|
||||
filterGroup = group: hostName: builtins.filter (x: x != hostName) group;
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -26,7 +23,7 @@ in
|
|||
};
|
||||
otherNodes = mkOption {
|
||||
description = "Other nodes in the group.";
|
||||
type = with types; attrsOf (listOf str);
|
||||
type = with types; attrsOf (functionTo (listOf str));
|
||||
default = [];
|
||||
};
|
||||
nixos = mkOption {
|
||||
|
@ -35,5 +32,5 @@ in
|
|||
default = {};
|
||||
};
|
||||
};
|
||||
config.otherNodes = builtins.mapAttrs (_: filterGroup) config.nodes;
|
||||
config.otherNodes = builtins.mapAttrs (const filterGroup) config.nodes;
|
||||
}
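Review bot: `otherNodes` is now typed `attrsOf (functionTo (listOf str))` but keeps `default = [];`, a list where an attribute set is expected; this goes unnoticed only because `config.otherNodes = builtins.mapAttrs (const filterGroup) config.nodes;` always supplies a higher-priority definition, so the default is discarded before type-checking. `default = {};` keeps the declaration honest should that definition ever be removed or made conditional. Since the type change is the substance of this hunk, the description could also state the new calling convention: `description = "Per node group, a function from a host name to the other nodes of that group.";`.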
|
||||
|
|
|
@ -2,18 +2,25 @@
|
|||
with lib;
|
||||
|
||||
let
|
||||
getHostConfigurations = svcConfig: hostName:
|
||||
getHostConfigurations = hostName: svcConfig:
|
||||
lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
|
||||
(lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
|
||||
|
||||
getServiceConfigurations = svcConfig: getHostConfigurations svcConfig config.vars.hostName;
|
||||
|
||||
introspectionModule._module.args.cluster = {
|
||||
inherit (config) vars;
|
||||
inherit config;
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
options.services = mkOption {
|
||||
description = "Cluster services.";
|
||||
type = with types; attrsOf (submodule (import ./service-module.nix config.vars));
|
||||
type = with types; attrsOf (submodule ./service-module.nix);
|
||||
default = {};
|
||||
};
|
||||
config.out.injectedNixosConfig = lib.flatten (lib.mapAttrsToList (_: getServiceConfigurations) config.services);
|
||||
|
||||
config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (_: getHostConfigurations hostName) config.services)) ++ [
|
||||
introspectionModule
|
||||
];
|
||||
}
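Review bot: `introspectionModule` exposes `cluster = { inherit (config) vars; inherit config; }`, while the injector this commit deletes also exported `hosts` (`inherit (cluster.config.vars) hosts;`); any NixOS module still reading `cluster.hosts` would now fail to evaluate with a missing-attribute error. If that attribute is still consumed, add `inherit (config.vars) hosts;` to the set; otherwise a one-line comment noting the intentional removal saves the next reader the search. `getHostConfigurations` also indexes `svcConfig.nixos.${groupName}` for every group containing the host, so a group listed in `nodes` without a matching `nixos` entry aborts evaluation instead of contributing nothing — presumably intended, but worth a comment if so.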
|
||||
|
|
11
cluster/part.nix
Normal file
11
cluster/part.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
{ depot, lib, ... }:
|
||||
|
||||
{
|
||||
options.cluster = lib.mkOption {
|
||||
type = lib.types.raw;
|
||||
};
|
||||
|
||||
config.cluster = import ./. {
|
||||
inherit depot lib;
|
||||
};
|
||||
}
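Review bot: `options.cluster` carries no `description`, and because `config.cluster` is always set from `import ./. { inherit depot lib; }` the option is effectively computed, yet a `mkForce` definition elsewhere would silently replace it. Declaring `readOnly = true;` turns such an override into an evaluation error, and `description = "The evaluated cluster configuration, i.e. the result of importing ./. with depot and lib.";` tells consumers what they are getting.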
|
|
@ -1,5 +1,5 @@
|
|||
{ config, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, depot, ... }:
|
||||
with depot.lib.nginx;
|
||||
let
|
||||
addrSplit' = builtins.split ":" config.services.minio.listenAddress;
|
||||
addrSplit = builtins.filter builtins.isString addrSplit';
|
||||
|
@ -27,7 +27,7 @@ in
|
|||
services.nginx.appendHttpConfig = ''
|
||||
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
|
||||
'';
|
||||
services.nginx.virtualHosts."cache.${tools.meta.domain}" = vhosts.basic // {
|
||||
services.nginx.virtualHosts."cache.${depot.lib.meta.domain}" = vhosts.basic // {
|
||||
locations = {
|
||||
"= /".return = "302 /404";
|
||||
"/" = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, depot, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
|
||||
let
|
||||
mkNarServe = NAR_CACHE_URL: PORT: {
|
||||
|
@ -17,6 +17,6 @@
|
|||
nar-serve-nixos-org.protocol = "http";
|
||||
};
|
||||
|
||||
systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.links.nar-serve-self.portStr;
|
||||
systemd.services.nar-serve-self = mkNarServe "https://cache.${depot.lib.meta.domain}" config.links.nar-serve-self.portStr;
|
||||
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, depot, lib, tools, ... }:
|
||||
{ config, depot, lib, ... }:
|
||||
|
||||
let
|
||||
dataDir = "/srv/storage/private/attic";
|
||||
|
@ -52,7 +52,7 @@ in
|
|||
ReadWritePaths = [ dataDir ];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."cache-api.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.atticServer.url // {
|
||||
services.nginx.virtualHosts."cache-api.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.atticServer.url // {
|
||||
extraConfig = ''
|
||||
client_max_body_size 4G;
|
||||
'';
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, lib, pkgs, tools, ... }:
|
||||
{ config, lib, pkgs, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
extraGroups = [ "nginx" ]
|
||||
++ lib.optional config.services.kanidm.enableServer "kanidm";
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, cluster, lib, tools, ... }:
|
||||
{ config, cluster, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (config.networking) hostName;
|
||||
inherit (cluster.config) hostLinks;
|
||||
cfg = cluster.config.services.consul;
|
||||
|
@ -21,7 +21,7 @@ in
|
|||
node_name = config.networking.hostName;
|
||||
bind_addr = hl.ipv4;
|
||||
ports.serf_lan = hl.port;
|
||||
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) cfg.otherNodes.agent;
|
||||
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);
|
||||
};
|
||||
};
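Review bot: In `retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);` the lambda parameter `hostName` shadows the file-level `inherit (config.networking) hostName;` that the argument on the same line relies on; the result is correct because the argument is evaluated outside the lambda, but the line reads as if the node iterates over itself. Renaming the parameter removes the double meaning: `retry_join = map (node: hostLinks.${node}.consul.tuple) (cfg.otherNodes.agent hostName);`. This also matches the dns-authoritative and dns-resolver hunks in this commit, which already use `node` for the iterated element.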
|
||||
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
{ config, cluster, depot, lib, tools, ... }:
|
||||
{ config, cluster, depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (depot.reflection) hyprspace;
|
||||
frontendDomain = "consul-remote.internal.${domain}";
|
||||
in
|
||||
|
||||
{
|
||||
services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
|
||||
services.nginx.virtualHosts.${frontendDomain} = depot.lib.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
|
||||
listenAddresses = lib.singleton hyprspace.addr;
|
||||
enableACME = false;
|
||||
useACMEHost = "internal.${domain}";
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ cluster, config, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, lib, pkgs, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (config.links) pdnsAdmin;
|
||||
inherit (cluster.config) vars;
|
||||
|
||||
|
@ -96,7 +96,7 @@ in {
|
|||
};
|
||||
|
||||
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
|
||||
(tools.nginx.vhosts.proxy pdnsAdmin.url)
|
||||
(depot.lib.nginx.vhosts.proxy pdnsAdmin.url)
|
||||
# backend sends really big headers for some reason
|
||||
# increase buffer size accordingly
|
||||
{
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
{ cluster, config, depot, lib, tools, ... }:
|
||||
{ cluster, config, depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (depot.reflection) interfaces;
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (config.networking) hostName;
|
||||
|
||||
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
|
||||
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; master ++ slave) [
|
||||
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; (master hostName) ++ (slave hostName)) [
|
||||
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
|
||||
(lib.concatStringsSep " ")
|
||||
];
|
||||
|
|
|
@ -1,15 +1,14 @@
|
|||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (depot.reflection) interfaces hyprspace;
|
||||
inherit (tools.meta) domain;
|
||||
inherit (config.links) localRecursor;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (config.networking) hostName;
|
||||
|
||||
link = cluster.config.hostLinks.${hostName}.dnsResolver;
|
||||
backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;
|
||||
|
||||
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns) [
|
||||
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
|
||||
(map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
|
||||
(lib.concatStringsSep " ")
|
||||
];
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (depot.config) hours;
|
||||
inherit (depot) hours;
|
||||
cfg = config.services.dns;
|
||||
in
|
||||
{
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, depot, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (tools.nginx) vhosts;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (depot.lib.nginx) vhosts;
|
||||
inherit (config.age) secrets;
|
||||
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, tools, ... }:
|
||||
{ config, lib, depot, ... }:
|
||||
|
||||
{
|
||||
services.hercules-ci-multi-agent = {
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
{ config, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
|
||||
{
|
||||
links = {
|
||||
idm = {
|
||||
ipv4 = "idm.${tools.meta.domain}";
|
||||
ipv4 = "idm.${depot.lib.meta.domain}";
|
||||
port = 443;
|
||||
protocol = "https";
|
||||
};
|
||||
ldap = {
|
||||
hostname = "idm-ldap.internal.${tools.meta.domain}";
|
||||
hostname = "idm-ldap.internal.${depot.lib.meta.domain}";
|
||||
ipv4 = config.vars.mesh.VEGAS.meshIp;
|
||||
port = 636;
|
||||
protocol = "ldaps";
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ cluster, config, lib, tools, ... }:
|
||||
{ cluster, config, lib, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
frontendLink = cluster.config.links.idm;
|
||||
|
||||
|
@ -38,7 +38,7 @@ in
|
|||
|
||||
systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
|
||||
|
||||
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) {
|
||||
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy backendLink.url) {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_ssl_name idm-backend.internal.${domain};
|
||||
proxy_ssl_trusted_certificate ${certDir}/chain.pem;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{ config, depot, lib, pkgs, tools, ... }:
|
||||
{ config, depot, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (tools.nginx) vhosts;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (depot.lib.nginx) vhosts;
|
||||
cfg = config.services.ipfs-cluster;
|
||||
ipfsCfg = config.services.ipfs;
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, depot, lib, tools, ... }:
|
||||
{ config, depot, lib, ... }:
|
||||
|
||||
{
|
||||
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let
|
||||
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: depot.lib.summon name ({ depot, ... }: let
|
||||
host = depot.reflection;
|
||||
intf = host.interfaces.primary;
|
||||
self = config.hostLinks.${name}.ipfs;
|
||||
|
@ -20,7 +20,7 @@
|
|||
];
|
||||
};
|
||||
};
|
||||
});
|
||||
}));
|
||||
services.ipfs = {
|
||||
nodes = {
|
||||
node = [ "VEGAS" "prophet" ];
|
||||
|
@ -46,7 +46,7 @@
|
|||
};
|
||||
|
||||
monitoring.blackbox.targets.ipfs-gateway = {
|
||||
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${tools.meta.domain}/";
|
||||
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${depot.lib.meta.domain}/";
|
||||
module = "https2xx";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, depot, lib, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, depot, lib, ... }:
|
||||
with depot.lib.nginx;
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
gw = config.links.ipfsGateway;
|
||||
cfg = config.services.ipfs;
|
||||
metrics = config.links.ipfsMetrics;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, depot, lib, pkgs, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
cfg = config.services.ipfs;
|
||||
apiAddress = "/unix/run/ipfs/ipfs-api.sock";
|
||||
ipfsApi = pkgs.writeTextDir "api" apiAddress;
|
||||
|
@ -41,7 +41,7 @@ in
|
|||
extraFlags = [ "--migrate" ];
|
||||
extraConfig = {
|
||||
Bootstrap = [
|
||||
"/ip4/${depot.config.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
|
||||
"/ip4/${depot.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
|
||||
"/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
|
||||
"/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
|
||||
"/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"
|
||||
|
@ -62,7 +62,7 @@ in
|
|||
ID = extra.peerId;
|
||||
Addrs = extra.multiaddrs;
|
||||
})
|
||||
cluster.config.services.ipfs.otherNodes.node;
|
||||
(cluster.config.services.ipfs.otherNodes.node config.networking.hostName);
|
||||
Gateway = {
|
||||
Writable = false;
|
||||
APICommands = [];
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, depot, ... }:
|
||||
with depot.lib.nginx;
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
cfg = config.services.ipfs;
|
||||
gw = config.links.ipfsGateway;
|
||||
in
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{ config, depot, lib, tools, ... }:
|
||||
{ config, depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (depot.config) hours;
|
||||
inherit (depot) hours;
|
||||
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
subDomains = {
|
||||
VEGAS = "eu1";
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
{ cluster, config, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, lib, pkgs, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) adminEmail;
|
||||
inherit (depot.lib.meta) adminEmail;
|
||||
inherit (cluster) vars;
|
||||
inherit (config.networking) hostName;
|
||||
|
||||
linkGlobalSecure = cluster.config.links.ircSecure;
|
||||
link = cluster.config.hostLinks.${vars.hostName}.irc;
|
||||
linkSecure = cluster.config.hostLinks.${vars.hostName}.ircSecure;
|
||||
otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
|
||||
link = cluster.config.hostLinks.${hostName}.irc;
|
||||
linkSecure = cluster.config.hostLinks.${hostName}.ircSecure;
|
||||
otherServers = map mkServer (cluster.config.services.irc.otherNodes.host hostName);
|
||||
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
|
||||
opers = map mkOper vars.ircOpers;
|
||||
|
||||
|
@ -41,7 +42,7 @@ in {
|
|||
config = ''
|
||||
[Global]
|
||||
Name = ${serverName}
|
||||
Info = Private Void IRC - ${vars.hostName}
|
||||
Info = Private Void IRC - ${hostName}
|
||||
Network = PrivateVoidIRC
|
||||
AdminInfo1 = Private Void Administrators
|
||||
AdminInfo2 = Contact for help
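Review bot: `otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;` writes each rendered peer block into the Nix store, which every local user can read and which may be pushed to binary caches; if `mkServer` (defined outside this hunk) renders server-link passwords into those blocks, the secret leaves the protected secret path. Worth confirming and, if it does, either provisioning the peer stanzas through `config.age.secrets`, which this tree already uses for other material, or adding a comment stating that the blocks contain no secrets. The `let` block continues outside the hunk.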
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
in
|
||||
{
|
||||
age.secrets = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
{
|
||||
age.secrets = {
|
||||
coturn-static-auth = {
|
||||
|
@ -11,7 +11,7 @@
|
|||
services.coturn = {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
realm = tools.meta.domain;
|
||||
realm = depot.lib.meta.domain;
|
||||
|
||||
no-tcp-relay = true;
|
||||
min-port = 64000;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
services.matrix = {
|
||||
|
@ -13,7 +13,7 @@
|
|||
};
|
||||
|
||||
monitoring.blackbox.targets.matrix = {
|
||||
address = "https://matrix.${tools.meta.domain}/_matrix/federation/v1/version";
|
||||
address = "https://matrix.${depot.lib.meta.domain}/_matrix/federation/v1/version";
|
||||
module = "https2xx";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, pkgs, tools, ... }:
|
||||
{ config, pkgs, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
|
||||
"m.server" = "matrix.${domain}:443";
|
||||
});
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ cluster, config, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, lib, pkgs, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
|
||||
|
@ -121,8 +121,8 @@ in {
|
|||
]) ++ [ dbConfigOut ];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = tools.nginx.mappers.mapSubdomains {
|
||||
matrix = tools.nginx.vhosts.basic // {
|
||||
services.nginx.virtualHosts = depot.lib.nginx.mappers.mapSubdomains {
|
||||
matrix = depot.lib.nginx.vhosts.basic // {
|
||||
locations."/".return = "204";
|
||||
locations."/_matrix" = {
|
||||
proxyPass = "http://127.0.0.1:8008";
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ depot, lib, pkgs, tools, ... }:
|
||||
{ depot, lib, pkgs, ... }:
|
||||
let
|
||||
inherit (tools.nginx) domain vhosts;
|
||||
inherit (depot.lib.nginx) domain vhosts;
|
||||
inherit (depot.packages) cinny;
|
||||
in
|
||||
{
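Review bot: `inherit (depot.lib.nginx) domain vhosts;` takes `domain` from the nginx helper set, whereas every other file in this commit reads it from `depot.lib.meta` (e.g. `inherit (depot.lib.meta) domain;`); this only evaluates if `depot.lib.nginx` re-exports `domain`, which the hunk does not show. Splitting it into `inherit (depot.lib.meta) domain;` and `inherit (depot.lib.nginx) vhosts;` follows the convention used elsewhere and removes the dependency on that re-export.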
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
services.meet = {
|
||||
|
@ -7,7 +7,7 @@
|
|||
};
|
||||
|
||||
monitoring.blackbox.targets.jitsi-videobridge = {
|
||||
address = "meet.${tools.meta.domain}:7777";
|
||||
address = "meet.${depot.lib.meta.domain}:7777";
|
||||
module = "tcpConnect";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, depot, tools, ... }:
|
||||
{ config, lib, depot, ... }:
|
||||
let
|
||||
inherit (config) links;
|
||||
|
||||
|
@ -11,7 +11,7 @@ in
|
|||
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "meet.${tools.meta.domain}";
|
||||
hostName = "meet.${depot.lib.meta.domain}";
|
||||
nginx.enable = true;
|
||||
jicofo.enable = true;
|
||||
videobridge.enable = true;
|
||||
|
@ -38,7 +38,7 @@ in
|
|||
publicAddress = interfaces.primary.addrPublic;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."meet.${tools.meta.domain}" = {
|
||||
services.nginx.virtualHosts."meet.${depot.lib.meta.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."=/images/watermark.svg" = {
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{ config, cluster, lib, tools, ... }:
|
||||
{ cluster, config, lib, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) flip pipe mapAttrsToList range recursiveUpdate substring;
|
||||
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (cluster.config) vars;
|
||||
|
||||
mapTargets = mapAttrsToList (name: value: value // { name = "default/${name}"; });
|
||||
|
@ -19,7 +19,7 @@ let
|
|||
})
|
||||
]) (range 1 1);
|
||||
|
||||
probeId = pipe "blackbox-probe-${domain}-${vars.hostName}" [
|
||||
probeId = pipe "blackbox-probe-${domain}-${config.networking.hostName}" [
|
||||
(builtins.hashString "md5")
|
||||
(substring 0 8)
|
||||
];
|
||||
|
@ -39,7 +39,7 @@ in
|
|||
{
|
||||
services.grafana-agent.settings.integrations.blackbox = {
|
||||
enabled = true;
|
||||
instance = vars.hostName;
|
||||
instance = config.networking.hostName;
|
||||
scrape_interval = "600s";
|
||||
relabel_configs = [
|
||||
(relabel "__param_module" "module")
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ cluster, lib, ... }:
|
||||
{ cluster, config, lib, ... }:
|
||||
let
|
||||
inherit (lib) singleton;
|
||||
|
||||
|
@ -17,7 +17,7 @@ in {
|
|||
};
|
||||
integrations.node_exporter = {
|
||||
enabled = true;
|
||||
instance = cluster.config.vars.hostName;
|
||||
instance = config.networking.hostName;
|
||||
enable_collectors = [
|
||||
"systemd"
|
||||
];
|
||||
|
@ -32,7 +32,7 @@ in {
|
|||
job_name = "journal";
|
||||
journal = {
|
||||
max_age = "12h";
|
||||
labels.host = cluster.config.vars.hostName;
|
||||
labels.host = config.networking.hostName;
|
||||
};
|
||||
relabel_configs = [
|
||||
(relabel "__journal__systemd_unit" "systemd_unit")
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, depot, lib, pkgs, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
inherit (cluster.config.links) loki-ingest prometheus-ingest;
|
||||
|
||||
|
@ -97,7 +97,7 @@ in
|
|||
services.nginx = {
|
||||
upstreams.grafana-ha.servers = lib.mapAttrs' (_: links: lib.nameValuePair links.grafana.tuple {}) (lib.getAttrs (svc.nodes.grafana) hostLinks);
|
||||
|
||||
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://grafana-ha") {
|
||||
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy "http://grafana-ha") {
|
||||
locations."/".proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
services.nextcloud = {
|
||||
|
@ -7,7 +7,7 @@
|
|||
};
|
||||
|
||||
monitoring.blackbox.targets.nextcloud = {
|
||||
address = "https://storage.${tools.meta.domain}/status.php";
|
||||
address = "https://storage.${depot.lib.meta.domain}/status.php";
|
||||
module = "nextcloudStatus";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ cluster, config, lib, pkgs, tools, ... }:
|
||||
{ cluster, config, lib, pkgs, depot, ... }:
|
||||
let
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
in
|
||||
|
@ -22,7 +22,7 @@ in
|
|||
enableBrokenCiphersForSSE = false;
|
||||
enable = true;
|
||||
https = true;
|
||||
hostName = "storage.${tools.meta.domain}";
|
||||
hostName = "storage.${depot.lib.meta.domain}";
|
||||
home = "/srv/storage/www-app/nextcloud";
|
||||
maxUploadSize = "4G";
|
||||
enableImagemagick = true;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) adminEmail;
|
||||
inherit (depot.lib.meta) adminEmail;
|
||||
in {
|
||||
security.acme.defaults.email = adminEmail;
|
||||
security.acme.acceptTerms = true;
|
||||
|
@ -24,15 +24,6 @@ in {
|
|||
access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki;
|
||||
'';
|
||||
};
|
||||
services.phpfpm.pools.www = {
|
||||
inherit (config.services.nginx) user group;
|
||||
settings = {
|
||||
pm = "ondemand";
|
||||
"pm.max_children" = 16;
|
||||
"listen.owner" = config.services.nginx.user;
|
||||
"listen.group" = config.services.nginx.group;
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
systemd.services.nginx.after = [ "network-online.target" ];
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
services.object-storage = {
|
||||
|
@ -7,7 +7,7 @@
|
|||
};
|
||||
|
||||
monitoring.blackbox.targets.object-storage = {
|
||||
address = "https://object-storage.${tools.meta.domain}/minio/health/live";
|
||||
address = "https://object-storage.${depot.lib.meta.domain}/minio/health/live";
|
||||
module = "https2xx";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{ config, lib, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, lib, depot, ... }:
|
||||
with depot.lib.nginx;
|
||||
let
|
||||
inherit (config) links;
|
||||
|
||||
|
|
|
@ -12,9 +12,9 @@ in
|
|||
services.grafana-agent = {
|
||||
settings.integrations.postgres_exporter = {
|
||||
enabled = true;
|
||||
instance = vars.hostName;
|
||||
instance = config.networking.hostName;
|
||||
data_source_names = [
|
||||
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp vars.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
|
||||
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp config.networking.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
|
||||
];
|
||||
autodiscover_databases = true;
|
||||
};
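Review bot: The data source URL ends in `sslmode=disable`, and the change only swaps the host expression to `getMeshIp config.networking.hostName`, so the exporter keeps a plaintext connection to what appears to be this node's own mesh address; that is defensible for on-host traffic, but nothing at the site records the assumption. A comment such as `# sslmode=disable: the exporter connects to this node's own mesh IP, so the connection stays on-host; re-enable TLS if this ever targets a remote node` would protect it from a later edit that points the URL elsewhere. The password is left as `${PG_METRICS_DB_PASSWORD}` for the agent to expand at runtime, which keeps it out of the store.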
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
let
|
||||
inherit (cluster.config) vars;
|
||||
inherit (config.networking) hostName;
|
||||
|
||||
getMeshIp = name: vars.mesh.${name}.meshIp;
|
||||
|
||||
|
@ -32,7 +33,7 @@ in
|
|||
];
|
||||
services.patroni = {
|
||||
enable = true;
|
||||
name = vars.hostName;
|
||||
name = hostName;
|
||||
postgresqlPackage = pg;
|
||||
postgresqlDataDir ="${baseDir}/${pg.psqlSchema}";
|
||||
postgresqlPort = cluster.config.links.patroni-pg-internal.port;
|
||||
|
@ -40,8 +41,8 @@ in
|
|||
scope = "poseidon";
|
||||
namespace = "/patroni";
|
||||
|
||||
nodeIp = getMeshIp vars.hostName;
|
||||
otherNodesIps = map getMeshIp cluster.config.services.patroni.otherNodes.worker;
|
||||
nodeIp = getMeshIp hostName;
|
||||
otherNodesIps = map getMeshIp (cluster.config.services.patroni.otherNodes.worker hostName);
|
||||
raft = false;
|
||||
softwareWatchdog = true;
|
||||
settings = {
|
||||
|
@ -68,7 +69,7 @@ in
|
|||
superuser.username = "postgres";
|
||||
};
|
||||
parameters = {
|
||||
listen_addresses = getMeshIp vars.hostName;
|
||||
listen_addresses = getMeshIp hostName;
|
||||
wal_level = "replica";
|
||||
hot_standby_feedback = "on";
|
||||
unix_socket_directories = "/tmp";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
services.search = {
|
||||
|
@ -7,7 +7,7 @@
|
|||
};
|
||||
|
||||
monitoring.blackbox.targets.search = {
|
||||
address = "https://search.${tools.meta.domain}/healthz";
|
||||
address = "https://search.${depot.lib.meta.domain}/healthz";
|
||||
module = "https2xx";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, depot, lib, tools, ... }:
|
||||
{ config, depot, lib, ... }:
|
||||
let
|
||||
inherit (config) links;
|
||||
in
|
||||
|
@ -56,7 +56,7 @@ in
|
|||
disable-logging = true;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."search.${tools.meta.domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy links.searxng.url) {
|
||||
services.nginx.virtualHosts."search.${depot.lib.meta.domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy links.searxng.url) {
|
||||
extraConfig = "access_log off;";
|
||||
};
|
||||
systemd.services.uwsgi.after = [ "wireguard-wgmv.service" "network-addresses-wgmv.service" ];
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
monitoring.blackbox.targets.soda-machine = {
|
||||
address = "soda.int.${tools.meta.domain}:22";
|
||||
address = "soda.int.${depot.lib.meta.domain}:22";
|
||||
module = "sshConnect";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,19 +1,19 @@
|
|||
{ config, depot, lib, pkgs, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, depot, lib, pkgs, ... }:
|
||||
with depot.lib.nginx;
|
||||
{
|
||||
# TODO: not a whole lot to configure, maybe add some autoconfig stuff
|
||||
services.jellyfin = {
|
||||
enable = true;
|
||||
package = depot.packages.jellyfin;
|
||||
};
|
||||
services.nginx.virtualHosts."warehouse.${tools.meta.domain}" = lib.mkMerge [
|
||||
services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}" = lib.mkMerge [
|
||||
(vhosts.proxy "http://127.0.0.1:8096")
|
||||
{
|
||||
locations."/".extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
locations."/socket" = {
|
||||
inherit (config.services.nginx.virtualHosts."warehouse.${tools.meta.domain}".locations."/") proxyPass;
|
||||
inherit (config.services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}".locations."/") proxyPass;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
# TODO: video cache
|
||||
|
|
|
@ -1,14 +1,7 @@
|
|||
{ depot, lib, tools, ... }:
|
||||
{ depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
|
||||
importWebsites = expr: import expr {
|
||||
tools = tools.nginx;
|
||||
inherit (depot) packages;
|
||||
};
|
||||
|
||||
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
acmeUseDNS = name: conf: {
|
||||
name = conf.useACMEHost or conf.serverName or name;
|
||||
|
@ -24,7 +17,16 @@ in
|
|||
{
|
||||
services.websites = {
|
||||
nodes.host = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
|
||||
nixos.host = {
|
||||
nixos.host = { config, depot, ... }: let
|
||||
|
||||
importWebsites = expr: import expr {
|
||||
tools = depot.lib.nginx;
|
||||
inherit (depot) packages;
|
||||
};
|
||||
|
||||
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
||||
|
||||
in {
|
||||
services.nginx.virtualHosts = websites;
|
||||
security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
|
||||
consul.services.nginx = {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, depot, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (depot.config) hours;
|
||||
inherit (depot) hours;
|
||||
|
||||
meshNet = rec {
|
||||
netAddr = "10.1.1.0";
|
||||
|
|
|
@ -30,7 +30,7 @@ in
|
|||
ips = [ "${link.extra.meshIp}/24" ];
|
||||
listenPort = link.port;
|
||||
privateKeyFile = config.age.secrets.wireguard-key-core.path;
|
||||
peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh;
|
||||
peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
./packages/part.nix
|
||||
./jobs/part.nix
|
||||
./lib/part.nix
|
||||
./cluster/part.nix
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, lib, tools, ... }:
|
||||
{ config, lib, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
||||
cfg = config.services.oauth2_proxy;
|
||||
in
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{ config, lib, tools, ... }:
|
||||
{ config, lib, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
apiAddr = "api.${domain}";
|
||||
proxyTarget = config.links.api.url;
|
||||
proxy = tools.nginx.vhosts.proxy proxyTarget;
|
||||
proxy = depot.lib.nginx.vhosts.proxy proxyTarget;
|
||||
in
|
||||
{
|
||||
# n8n uses "Sustainable Use License"
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
networking.nat.forwardPorts = [
|
||||
{
|
||||
sourcePort = 52222;
|
||||
destination = "${depot.config.hours.soda.interfaces.primary.addr}:22";
|
||||
destination = "${depot.hours.soda.interfaces.primary.addr}:22";
|
||||
proto = "tcp";
|
||||
}
|
||||
];
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{ config, lib, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, lib, depot, ... }:
|
||||
with depot.lib.nginx;
|
||||
{
|
||||
links.bitwarden.protocol = "http";
|
||||
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
{ config, lib, toolsets, ... }:
|
||||
{ depot, lib, ... }:
|
||||
|
||||
let
|
||||
tools = toolsets.nginx {
|
||||
inherit lib config;
|
||||
domain = "cdn-shield.privatevoid.net";
|
||||
};
|
||||
tools = (depot.lib.override {
|
||||
meta.domain = lib.mkForce "cdn-shield.privatevoid.net";
|
||||
}).nginx;
|
||||
in
|
||||
{
|
||||
services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; });
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{ config, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ config, depot, ... }:
|
||||
with depot.lib.nginx;
|
||||
{
|
||||
links = {
|
||||
ombi.protocol = "http";
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ cluster, config, lib, tools, ... }:
|
||||
{ cluster, config, lib, depot, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain adminEmail;
|
||||
inherit (depot.lib.meta) domain adminEmail;
|
||||
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
|
||||
|
@ -106,5 +106,5 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
}
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
{ tools, ... }:
|
||||
with tools.nginx.mappers;
|
||||
with tools.nginx.vhosts;
|
||||
{ depot, ... }:
|
||||
with depot.lib.nginx.mappers;
|
||||
with depot.lib.nginx.vhosts;
|
||||
{
|
||||
services.nginx.virtualHosts = mapSubdomains {
|
||||
"bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist";
|
||||
"get" = simplePHP "/srv/storage/www/dietldb";
|
||||
"rzentrale" = static "/srv/storage/www/rzentrale";
|
||||
"wunschnachricht" = static "/srv/storage/www/wunschnachricht";
|
||||
};
|
||||
|
|
|
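Review bot: `simplePHP` at the `"get"` entry is no longer defined after this commit: the old `tools/nginx.nix` that provided it is deleted here and the new `lib/nginx.nix` added in the same commit has no `simplePHP`, so under `with depot.lib.nginx.vhosts;` this becomes an undefined-variable error at evaluation (unless some module outside this diff supplies it). The old helper needed the NixOS `config` to find `config.services.phpfpm.pools.www.socket`, which the flake-level `depot.lib` cannot see, so a replacement will have to take the socket from the caller, e.g. `"get" = simplePHP config.services.phpfpm.pools.www.socket "/srv/storage/www/dietldb";` with `config` added to the module header. Either that, or drop the `get` vhost deliberately and say so in the commit message.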
@ -1,4 +1,4 @@
|
|||
{ tools, ... }:
|
||||
{ depot, ... }:
|
||||
{
|
||||
imports = [
|
||||
./imap.nix
|
||||
|
@ -6,12 +6,12 @@
|
|||
./postfix.nix
|
||||
./saslauthd.nix
|
||||
];
|
||||
services.nginx.virtualHosts."mail.${tools.meta.domain}" = {
|
||||
services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
|
||||
enableACME = true;
|
||||
locations."/".return = "204";
|
||||
};
|
||||
security.acme.certs."mail.${tools.meta.domain}".extraDomainNames = map
|
||||
(x: "${x}.${tools.meta.domain}") [
|
||||
security.acme.certs."mail.${depot.lib.meta.domain}".extraDomainNames = map
|
||||
(x: "${x}.${depot.lib.meta.domain}") [
|
||||
"mx"
|
||||
"imap"
|
||||
"smtp"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, pkgs, tools, ... }:
|
||||
{ config, pkgs, depot, ... }:
|
||||
let
|
||||
inherit (tools.identity) ldap;
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.identity) ldap;
|
||||
inherit (depot.lib.meta) domain;
|
||||
|
||||
postfixCfg = config.services.postfix;
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ lib, tools, ... }:
|
||||
{ lib, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
in
|
||||
{
|
||||
services.opendkim = {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, depot, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
certDir = config.security.acme.certs."mail.${domain}".directory;
|
||||
|
||||
receivePolicy = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ];
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ pkgs, tools, ... }:
|
||||
{ pkgs, depot, ... }:
|
||||
let
|
||||
inherit (tools.identity) ldap;
|
||||
inherit (depot.lib.identity) ldap;
|
||||
in
|
||||
{
|
||||
services.saslauthd = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, depot, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
|
||||
{
|
||||
links.nixIpfs.protocol = "http";
|
||||
|
@ -17,11 +17,11 @@
|
|||
IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress;
|
||||
NIX_CACHES = toString [
|
||||
"https://cache.nixos.org"
|
||||
"https://cache.${tools.meta.domain}"
|
||||
"https://cache.${depot.lib.meta.domain}"
|
||||
"https://max.cachix.org"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."reflex.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.nixIpfs.url;
|
||||
services.nginx.virtualHosts."reflex.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.nixIpfs.url;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ cluster, config, depot, lib, tools, ... }:
|
||||
with tools.nginx;
|
||||
{ cluster, config, depot, lib, ... }:
|
||||
with depot.lib.nginx;
|
||||
let
|
||||
login = "login.${tools.meta.domain}";
|
||||
login = "login.${depot.lib.meta.domain}";
|
||||
kc = config.links.keycloak;
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
in
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{ tools, ... }:
|
||||
with tools.nginx.vhosts;
|
||||
{ depot, ... }:
|
||||
with depot.lib.nginx.vhosts;
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
inherit (depot.lib.meta) domain;
|
||||
front = "ident.${domain}";
|
||||
back = tools.identity.ldap.server.hostname;
|
||||
back = depot.lib.identity.ldap.server.hostname;
|
||||
in
|
||||
{
|
||||
services.nginx.virtualHosts."${front}" = basic // {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, tools, ... }:
|
||||
{ config, pkgs, depot, ... }:
|
||||
|
||||
{
|
||||
services.vault = {
|
||||
|
@ -8,5 +8,5 @@
|
|||
extraConfig = "ui = true";
|
||||
package = pkgs.vault-bin;
|
||||
};
|
||||
services.nginx.virtualHosts."vault.${tools.meta.domain}" = tools.nginx.vhosts.proxy "http://${config.services.vault.address}";
|
||||
services.nginx.virtualHosts."vault.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy "http://${config.services.vault.address}";
|
||||
}
|
||||
|
|
|
@ -1,14 +1,12 @@
|
|||
{ depot, tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
let
|
||||
importWebsites = expr: import expr {
|
||||
tools = tools.nginx;
|
||||
tools = depot.lib.nginx;
|
||||
inherit (depot) packages;
|
||||
};
|
||||
|
||||
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
||||
|
||||
extraWebsites = importWebsites ./extra-sites.nix;
|
||||
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
||||
in {
|
||||
services.nginx.virtualHosts = websites // extraWebsites;
|
||||
services.nginx.virtualHosts = websites;
|
||||
}
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
{ tools, ... }:
|
||||
with tools.vhosts;
|
||||
let
|
||||
noSSL = { enableACME = false; forceSSL = false; };
|
||||
in
|
||||
{
|
||||
"ky.rip" = simplePHP "/srv/storage/www/ky.rip" // noSSL;
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ config, depot, tools, ... }:
|
||||
{ config, depot, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
|
@ -43,7 +43,7 @@
|
|||
|
||||
|
||||
networking.hostName = "VEGAS";
|
||||
networking.domain = "backbone.${tools.meta.domain}";
|
||||
networking.domain = "backbone.${depot.lib.meta.domain}";
|
||||
|
||||
time.timeZone = "Europe/Helsinki";
|
||||
|
||||
|
@ -94,7 +94,7 @@
|
|||
path = depot.nixosConfigurations.soda.config.system.build.toplevel;
|
||||
privateNetwork = true;
|
||||
hostBridge = "vmdefault";
|
||||
localAddress = "${depot.config.hours.soda.interfaces.primary.addr}/24";
|
||||
localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
|
||||
autoStart = true;
|
||||
bindMounts.sodaDir = {
|
||||
hostPath = "/srv/storage/www/soda";
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.hostName = "checkmate";
|
||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
||||
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||
|
||||
time.timeZone = "Europe/Zurich";
|
||||
|
||||
|
|
|
@ -1,23 +1,13 @@
|
|||
{ config, inputs, lib, self, withSystem, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) const mapAttrs nixosSystem;
|
||||
inherit (lib) mapAttrs nixosSystem;
|
||||
inherit (config) gods;
|
||||
|
||||
mkSpecialArgs = system: hostName: withSystem system ({ inputs', self', ... }: {
|
||||
depot = self // self' // {
|
||||
inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
|
||||
inherit config;
|
||||
# peer into the Watchman's Glass
|
||||
reflection = config.hours.${hostName};
|
||||
};
|
||||
toolsets = import ../tools;
|
||||
});
|
||||
|
||||
mkNixOS = name: host: nixosSystem {
|
||||
specialArgs = mkSpecialArgs host.system name;
|
||||
specialArgs = config.lib.summon name lib.id;
|
||||
inherit (host) system;
|
||||
modules = [ host.nixos ../tools/inject.nix (import ../cluster/inject.nix name) ];
|
||||
modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;
|
||||
};
|
||||
in {
|
||||
flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
|
||||
|
|
|
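Review bot: `config.cluster.config.out.injectNixosConfig name` is spliced in with `++`, so an injector that returns anything but a list fails with a type error here, far from the module that set it; tightening the option's type to `functionTo (listOf deferredModule)` (or at least `functionTo (listOf raw)`) would report it at the option instead. `specialArgs` now carries the whole flake-parts `config` through `summon`, so any NixOS module that forces a `depot.<attr>` pulls flake-level evaluation into the host's; a comment that `config.cluster` must not depend on `flake.nixosConfigurations` (or the fixpoint recurses) is worth having. A one-line doc comment above `mkNixOS`, e.g. `# Build one host: specialArgs come from lib.summon, modules from host.nixos plus whatever the cluster injects for this host`, would help since `summon` lives in another file.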
@ -19,7 +19,7 @@
|
|||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.hostName = "prophet";
|
||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
||||
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||
|
||||
time.timeZone = "Europe/Zurich";
|
||||
|
||||
|
|
|
@ -14,9 +14,9 @@
|
|||
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
|
||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
||||
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||
|
||||
networking.resolvconf.extraConfig = "local_nameservers='${depot.config.hours.VEGAS.interfaces.vstub.addr}'";
|
||||
networking.resolvconf.extraConfig = "local_nameservers='${depot.hours.VEGAS.interfaces.vstub.addr}'";
|
||||
|
||||
networking.hostName = "soda";
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.hostName = "thunderskin";
|
||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
||||
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||
|
||||
time.timeZone = "Europe/Zurich";
|
||||
|
||||
|
|
18
lib/hours.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
{ config, inputs, lib, self, withSystem, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) const mapAttrs;
|
||||
in
|
||||
|
||||
{
|
||||
lib.summon = name: f: let
|
||||
lift = config;
|
||||
hour = config.hours.${name};
|
||||
in withSystem hour.system ({ config, inputs', self', ... }: f {
|
||||
depot = self // self' // lift // config // {
|
||||
inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
|
||||
# peer into the Watchman's Glass
|
||||
reflection = hour;
|
||||
};
|
||||
});
|
||||
}
|
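Review bot: the inner `name` in `mapAttrs (name: const (...))` shadows the `name` parameter of `summon` (the host name) inside the `depot` attrset; harmless today but easy to trip over, so rename it, e.g. `inputs = mapAttrs (inputName: const (inputs.${inputName} // inputs'.${inputName})) inputs;`. The chain `self // self' // lift // config` resolves any attribute present in more than one of those sets silently in favour of the later one, which matters for names like `lib`, `_module` or `packages`; a comment above the line such as `# precedence, lowest first: flake outputs, per-system outputs, top-level config, per-system config` would make the intent checkable. `lift` exists only to keep the top-level `config` reachable once the `withSystem` callback rebinds `config`; say so in a comment.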
37
lib/identity.nix
Normal file
|
@ -0,0 +1,37 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
lib = { config, ... }: with config.identity; {
|
||||
identity = {
|
||||
|
||||
inherit (config.meta) domain;
|
||||
|
||||
autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
|
||||
|
||||
ldap = {
|
||||
server = with ldap.server; {
|
||||
# TODO: unhardcode everything here
|
||||
protocol = "ldaps";
|
||||
hostname = "authsys.virtual-machines.${domain}";
|
||||
port = 636;
|
||||
url = "${protocol}://${connectionString}";
|
||||
connectionString = "${hostname}:${builtins.toString port}";
|
||||
};
|
||||
accounts = with ldap.accounts; {
|
||||
domainComponents = ldap.lib.convertDomain domain;
|
||||
uidAttribute = "uid";
|
||||
uidFilter = "(${uidAttribute}=%u)";
|
||||
userSearchBase = "cn=users,cn=accounts,${domainComponents}";
|
||||
};
|
||||
lib = {
|
||||
convertDomain = domain: with builtins; lib.pipe domain [
|
||||
(split "\\.")
|
||||
(filter isString)
|
||||
(map (x: "dc=${x}"))
|
||||
(concatStringsSep ",")
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
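Review bot: `uidFilter = "(${uidAttribute}=%u)"` is an LDAP filter template whose `%u` is expanded by whichever consumer uses it, so the file should state that the consumer owns escaping: `# %u is expanded by the consumer (saslauthd, etc.); it must escape filter metacharacters per RFC 4515 or this is a filter-injection point`. `autoDomain` derives a hostname label with MD5, which is fine for a non-secret label, but a `# naming only, not a security boundary` comment would stop someone reusing it where collision resistance matters. The `# TODO: unhardcode everything here` survives the move, and `ldap.server.hostname` in particular stays fixed while `domain` can now be swapped through `lib.override`, so the two can drift apart.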
8
lib/meta.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
lib = { config, ... }: with config.meta; {
|
||||
meta = {
|
||||
domain = "privatevoid.net";
|
||||
adminEmail = "admins@${domain}";
|
||||
};
|
||||
};
|
||||
}
|
50
lib/nginx.nix
Normal file
|
@ -0,0 +1,50 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
lib = { config, ... }: with config.nginx; {
|
||||
nginx = {
|
||||
inherit (config.meta) domain;
|
||||
|
||||
mappers = {
|
||||
|
||||
mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
|
||||
|
||||
};
|
||||
|
||||
vhosts = with vhosts; {
|
||||
|
||||
basic = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
redirect = target: basic // {
|
||||
locations."/".return = "301 ${target}";
|
||||
};
|
||||
|
||||
proxy = target: basic // {
|
||||
locations."/".proxyPass = target;
|
||||
};
|
||||
|
||||
static = root: basic // {
|
||||
inherit root;
|
||||
};
|
||||
|
||||
indexedStatic = root: (static root) // {
|
||||
extraConfig = "autoindex on;";
|
||||
};
|
||||
|
||||
proxyGhost = scheme: target: basic // {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass ${scheme}://${target};
|
||||
proxy_set_header Host ${target};
|
||||
proxy_set_header Referer ${scheme}://${target};
|
||||
proxy_cookie_domain ${target} domain.invalid;
|
||||
proxy_set_header Cookie "";
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
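Review bot: the move drops `simplePHP`, which at least one vhost file in this commit (`"get" = simplePHP ...`) still calls, so either that caller breaks or the helper needs re-adding; it cannot come back verbatim because this lib has no NixOS `config` to read the php-fpm socket from, so take the socket as a parameter instead. While re-adding it, note the old location key `"~ \.php$"` is a Nix string in which `\.` is just `.`, handing nginx the regex `~ .php$` that matches any character before `php`; write `\\.` so the dot is literal. A short header comment saying these helpers are plain attrsets meant to be merged with `//` and deliberately carry no NixOS `config` would explain the constraint.
```nix
vhosts = with vhosts; {
  # … unchanged: basic / redirect / proxy / static / indexedStatic …

  # PHP vhost; takes the php-fpm socket explicitly because this lib has no NixOS `config`
  simplePHP = fpmSocket: root: (static root) // {
    locations."~ \\.php$".extraConfig = ''
      fastcgi_pass unix:${fpmSocket};
      fastcgi_index index.php;
    '';
  };

  # … unchanged: proxyGhost …
};
```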
22
lib/part.nix
|
@ -1,5 +1,27 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./time-travel.nix
|
||||
./hours.nix
|
||||
./meta.nix
|
||||
./nginx.nix
|
||||
./identity.nix
|
||||
];
|
||||
|
||||
options.lib = lib.mkOption {
|
||||
default = {};
|
||||
type = with lib.types; submodule ({ extendModules, ... }: {
|
||||
freeformType = let
|
||||
t = either (lazyAttrsOf t) raw;
|
||||
in t;
|
||||
config.override = conf: let
|
||||
overridden = extendModules {
|
||||
modules = [ conf ];
|
||||
};
|
||||
in overridden.config;
|
||||
});
|
||||
};
|
||||
|
||||
config._module.args.depot = config;
|
||||
}
|
||||
|
|
|
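Review bot: `config._module.args.depot = config;` gives flake-parts modules a `depot` that is the bare top-level config, while `lib.summon` hands NixOS modules a `depot` that also merges flake outputs and per-system outputs, so one name has two shapes depending on where a module is evaluated; a comment here, e.g. `# NOTE: at flake level depot is only the top-level config; NixOS hosts get the merged set from lib.summon`, would stop someone expecting `depot.packages` to resolve in both places. `override` re-evaluates the whole `lib` submodule with `conf` applied, so a caller wanting one sub-tree (as cdn-shield's `.nginx` does) still gets every derived attribute, and values set unconditionally need `mkForce` to be replaced; document both. The recursive `freeformType` `either (lazyAttrsOf t) raw` deserves a one-liner: `# arbitrarily nested attrsets of anything; leaves are not type-checked`.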
@ -1,18 +1,3 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
_module.args = { inherit timeTravel; };
|
||||
perSystem = { system, ... }: {
|
||||
_module.args.timeTravel' = rev: let
|
||||
flake = timeTravel rev;
|
||||
flake' = config.perInput system flake;
|
||||
in flake' // {
|
||||
inputs = lib.mapAttrs (_: input: config.perInput system input) flake.inputs;
|
||||
};
|
||||
};
|
||||
lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
|
||||
}
|
||||
|
|
|
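Review bot: `lib.timeTravel` passes `rev` straight into `builtins.getFlake "github:privatevoid-net/depot/${rev}"`, so a branch or tag name is accepted as readily as a commit hash and the result is whatever GitHub serves at evaluation time rather than a pinned tree; for a helper meant to reach a past state of this repo that is a reproducibility and supply-chain hole. Guard it, e.g. `lib.timeTravel = rev: assert builtins.match "[0-9a-f]{40}" rev != null; builtins.getFlake "github:privatevoid-net/depot/${rev}";`, so only a full commit hash evaluates (an unlocked ref would also need `--impure`). The per-system `timeTravel'` variant disappears with this commit, so any caller of it outside the diff will now fail and is worth a grep.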
@ -1,6 +1,6 @@
|
|||
{ config, depot, lib, tools, ... }:
|
||||
{ config, depot, lib, ... }:
|
||||
let
|
||||
orgDomain = tools.meta.domain;
|
||||
orgDomain = depot.lib.meta.domain;
|
||||
host = depot.reflection;
|
||||
in {
|
||||
networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}";
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
let
|
||||
inherit (config.networking) hostName;
|
||||
inherit (depot.packages) hyprspace;
|
||||
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.config.hours;
|
||||
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.hours;
|
||||
peersFormatted = builtins.mapAttrs (_: x: {
|
||||
inherit (x.hyprspace) id;
|
||||
routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ depot, tools, ... }:
|
||||
{ depot, ... }:
|
||||
|
||||
{
|
||||
nix = {
|
||||
|
@ -6,7 +6,7 @@
|
|||
|
||||
settings = {
|
||||
trusted-users = [ "root" "@wheel" "@admins" ];
|
||||
substituters = [ "https://cache.${tools.meta.domain}" ];
|
||||
substituters = [ "https://cache.${depot.lib.meta.domain}" ];
|
||||
trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
|
||||
};
|
||||
|
||||
|
@ -14,7 +14,7 @@
|
|||
experimental-features = nix-command flakes cgroups
|
||||
use-cgroups = true
|
||||
builders-use-substitutes = true
|
||||
flake-registry = https://git.${tools.meta.domain}/private-void/registry/-/raw/master/registry.json
|
||||
flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
|
||||
|
||||
# For Hercules CI agent
|
||||
narinfo-cache-negative-ttl = 0
|
||||
|
|
|
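Review bot: `substituters` now derives its URL from `depot.lib.meta.domain` while `trusted-public-keys` keeps the literal `cache.privatevoid.net:...` name; that is correct, because the key name must match the signing key the cache uses rather than its URL, but nothing says so and a future `lib.override` of the domain will look inconsistent. Add `# key name is the cache's signing-key name, not its hostname; it must match what the cache signs with` above the line. `trusted-users = [ "root" "@wheel" "@admins" ]` is unchanged context, but since this file is being touched: members of those groups can import unsigned store paths and set their own substituters, i.e. they are root-equivalent to the daemon, and a comment to that effect would help whoever next widens the list.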
@ -1,6 +1,6 @@
|
|||
{ depot, lib, ... }:
|
||||
let
|
||||
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.config.hours;
|
||||
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.hours;
|
||||
idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
|
||||
configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;
|
||||
|
||||
|
|
|
@ -1,17 +1,11 @@
|
|||
{ lib, self, ... }:
|
||||
{ config, self, ... }:
|
||||
|
||||
{
|
||||
perSystem = { filters, pkgs, self', ... }: let
|
||||
fakeCluster = import ../../cluster {
|
||||
inherit lib;
|
||||
hostName = throw "not available in test environment";
|
||||
depot = throw "not available in test environment";
|
||||
};
|
||||
in {
|
||||
perSystem = { filters, pkgs, self', ... }: {
|
||||
checks = filters.doFilter filters.checks {
|
||||
jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix {
|
||||
inherit (self'.packages) jellyfin;
|
||||
inherit fakeCluster;
|
||||
inherit (config) cluster;
|
||||
};
|
||||
|
||||
keycloak = pkgs.callPackage ./keycloak-custom-jre.nix {
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
{ nixosTest, fakeCluster, jellyfin }:
|
||||
{ nixosTest, cluster, jellyfin }:
|
||||
|
||||
nixosTest {
|
||||
name = "jellyfin-stateless";
|
||||
nodes = {
|
||||
machine = {
|
||||
imports = fakeCluster.config.services.warehouse.nixos.host;
|
||||
imports = cluster.config.services.warehouse.nixos.host;
|
||||
|
||||
_module.args.depot.packages.jellyfin = jellyfin;
|
||||
};
|
||||
|
|
|
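Review bot: the test node now imports the real cluster's `services.warehouse.nixos.host` but provides only `_module.args.depot.packages.jellyfin`; that module receives `depot` as a module argument, so every other attribute it reads (`depot.lib.*`, other packages) is absent and evaluation fails at the first such access, unless the warehouse module touches nothing but `depot.packages.jellyfin`, which the diff does not show. Safer is to pass the full set in and override only the package: `_module.args.depot = depot // { packages = depot.packages // { inherit jellyfin; }; };` with `depot` added to the `callPackage` arguments in tests/part.nix. The old `fakeCluster` used `throw` for `depot`, so this dependency was hidden rather than absent.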
@ -1,10 +0,0 @@
|
|||
let toolsets = {
|
||||
meta = import ./meta.nix;
|
||||
|
||||
identity = import ./identity.nix { inherit toolsets; };
|
||||
networks = import ./networks.nix { inherit toolsets; };
|
||||
nginx = import ./nginx.nix { inherit toolsets; };
|
||||
};
|
||||
in toolsets // {
|
||||
all = args: (builtins.mapAttrs (_: x: x args) toolsets) // { inherit (toolsets) meta; };
|
||||
}
|
|
@ -1,40 +0,0 @@
|
|||
# internal interface
|
||||
{ toolsets }:
|
||||
# external interface
|
||||
{ lib ? null, domain ? toolsets.meta.domain, ... }:
|
||||
let
|
||||
tools = (self: {
|
||||
|
||||
inherit domain;
|
||||
|
||||
autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
|
||||
|
||||
ldap = {
|
||||
server = with self.ldap.server; {
|
||||
# TODO: unhardcode everything here
|
||||
protocol = "ldaps";
|
||||
hostname = "authsys.virtual-machines.${domain}";
|
||||
port = 636;
|
||||
url = "${protocol}://${connectionString}";
|
||||
connectionString = "${hostname}:${builtins.toString port}";
|
||||
};
|
||||
accounts = with self.ldap.accounts; {
|
||||
domainComponents = self.ldap.lib.convertDomain domain;
|
||||
uidAttribute = "uid";
|
||||
uidFilter = "(${uidAttribute}=%u)";
|
||||
userSearchBase = "cn=users,cn=accounts,${domainComponents}";
|
||||
};
|
||||
lib = {
|
||||
convertDomain = domain: with builtins; lib.pipe domain [
|
||||
(split "\\.")
|
||||
(filter isString)
|
||||
(map (x: "dc=${x}"))
|
||||
(concatStringsSep ",")
|
||||
];
|
||||
};
|
||||
};
|
||||
dns.master.addr = "10.10.0.11";
|
||||
kerberos.kdc = "authsys.virtual-machines.${domain}";
|
||||
|
||||
}) tools;
|
||||
in tools
|
|
@ -1,4 +0,0 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
{
|
||||
_module.args.tools = (import ./.).all { inherit pkgs lib config; };
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
rec {
|
||||
domain = "privatevoid.net";
|
||||
adminEmail = "admins@${domain}";
|
||||
}
|
|
@ -1,20 +0,0 @@
|
|||
# internal interface
|
||||
{ toolsets }:
|
||||
# external interface
|
||||
{ lib ? null, ... }:
|
||||
let
|
||||
tools = (self: {
|
||||
|
||||
all = {};
|
||||
|
||||
ipv4.all = {};
|
||||
|
||||
ipv4.internal = {
|
||||
addr = "10.0.0.0/8";
|
||||
vpn = {
|
||||
addr = "10.100.0.0/16";
|
||||
};
|
||||
};
|
||||
|
||||
}) tools;
|
||||
in tools
|
|
@ -1,58 +0,0 @@
|
|||
# internal interface
|
||||
{ toolsets }:
|
||||
# external interface
|
||||
{ config ? null, lib ? null, domain ? toolsets.meta.domain, ... }:
|
||||
let
|
||||
tools = (self: {
|
||||
|
||||
inherit domain;
|
||||
|
||||
mappers = {
|
||||
|
||||
mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
|
||||
|
||||
};
|
||||
|
||||
vhosts = with self.vhosts; {
|
||||
|
||||
basic = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
redirect = target: basic // {
|
||||
locations."/".return = "301 ${target}";
|
||||
};
|
||||
|
||||
proxy = target: basic // {
|
||||
locations."/".proxyPass = target;
|
||||
};
|
||||
|
||||
static = root: basic // {
|
||||
inherit root;
|
||||
};
|
||||
|
||||
indexedStatic = root: (static root) // {
|
||||
extraConfig = "autoindex on;";
|
||||
};
|
||||
|
||||
simplePHP = root: (static root) // {
|
||||
locations."~ \.php$".extraConfig = ''
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.www.socket};
|
||||
fastcgi_index index.php;
|
||||
'';
|
||||
};
|
||||
|
||||
proxyGhost = scheme: target: basic // {
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass ${scheme}://${target};
|
||||
proxy_set_header Host ${target};
|
||||
proxy_set_header Referer ${scheme}://${target};
|
||||
proxy_cookie_domain ${target} domain.invalid;
|
||||
proxy_set_header Cookie "";
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
}) tools;
|
||||
in tools
|