cluster/services/ipfs: switch to ways

Max Headroom 2024-07-04 18:30:38 +02:00
parent ac047b189d
commit e2397ac946
4 changed files with 40 additions and 63 deletions


@ -29,6 +29,10 @@
io-tweaks = [ "VEGAS" ]; io-tweaks = [ "VEGAS" ];
remote-api = [ "VEGAS" ]; remote-api = [ "VEGAS" ];
}; };
meshLinks.gateway = {
name = "ipfsGateway";
link.protocol = "http";
};
nixos = { nixos = {
node = [ node = [
./node.nix ./node.nix
@ -51,18 +55,37 @@
}; };
dns.records = { dns.records = {
p2p.consulService = "ipfs-gateway";
pin.consulService = "ipfs-gateway";
"ipfs.admin".target = map "ipfs.admin".target = map
(node: depot.hours.${node}.interfaces.primary.addrPublic) (node: depot.hours.${node}.interfaces.primary.addrPublic)
config.services.ipfs.nodes.remote-api; config.services.ipfs.nodes.remote-api;
"^[^_].+\\.ipfs" = { pin.consulService = "ipfs-gateway";
};
ways = {
p2p = {
consulService = "ipfs-gateway"; consulService = "ipfs-gateway";
rewrite.type = "regex"; extras.locations."/routing" = {
extraConfig = ''
add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *;
'';
};
}; };
"^[^_].+\\.ipns" = { ipfs = {
consulService = "ipfs-gateway"; consulService = "ipfs-gateway";
rewrite.type = "regex"; wildcard = true;
extras.extraConfig = ''
add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *;
'';
};
ipns = {
consulService = "ipfs-gateway";
wildcard = true;
extras.extraConfig = ''
add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *;
'';
}; };
}; };
} }
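Review bot: The new `ways.p2p` entry has no equivalent of the `locations."/".return = "204";` that the removed `p2p.${domain}` vhost in the gateway module carried, so if a way proxies `/` to its `consulService` by default (not visible here), the `p2p` hostname now exposes the whole gateway at its root rather than only `/routing`. If ways accepts it, restoring the restriction would be `extras.locations."/".return = "204";` next to the `/routing` block; otherwise a comment stating that the root is intentionally proxied would help the next reader. The `add_header` lines for `X-Content-Type-Options` and `Access-Control-Allow-Origin *` are carried over unchanged from the old vhosts, so that is not new exposure, but a one-line comment such as `# permissive CORS is intentional: content is isolated per subdomain` would document why they are acceptable. The `^[^_]` prefix exclusion of the old regex records is not obviously preserved by `wildcard = true`; worth confirming that underscore-prefixed names are still kept out of the gateway. Both hunks sit inside a larger attrset that starts before the first hunk.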


@ -1,8 +1,7 @@
{ config, depot, lib, ... }: { cluster, config, depot, lib, ... }:
with depot.lib.nginx;
let let
inherit (depot.lib.meta) domain; inherit (depot.lib.meta) domain;
gw = config.links.ipfsGateway; gw = cluster.config.hostLinks.${config.networking.hostName}.ipfsGateway;
cfg = config.services.ipfs; cfg = config.services.ipfs;
metrics = config.links.ipfsMetrics; metrics = config.links.ipfsMetrics;
in in
@ -34,42 +33,6 @@ in
locations."/".return = "204"; locations."/".return = "204";
locations."${metrics.path}".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; locations."${metrics.path}".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:";
}; };
"p2p.${domain}" = vhosts.basic // {
locations."/".return = "204";
locations."/routing" = {
proxyPass = gw.url;
extraConfig = ''
add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *;
'';
};
};
};
security.acme.certs."ipfs.${domain}" = {
domain = "*.ipfs.${domain}";
extraDomainNames = [ "*.ipns.${domain}" ];
dnsProvider = "exec";
group = "nginx";
};
security.acme.certs."p2p.${domain}" = {
dnsProvider = "exec";
webroot = lib.mkForce null;
};
services.nginx.virtualHosts."ipfs.${domain}" = vhosts.basic // {
serverName = "~^(.+)\.(ip[fn]s)\.${domain}$";
enableACME = false;
useACMEHost = "ipfs.${domain}";
locations = {
"/" = {
proxyPass = gw.url;
extraConfig = ''
add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *;
'';
};
};
}; };
services.ipfs.extraConfig.Gateway.PublicGateways = { services.ipfs.extraConfig.Gateway.PublicGateways = {
@ -88,20 +51,11 @@ in
consul.services.ipfs-gateway = { consul.services.ipfs-gateway = {
mode = "external"; mode = "external";
unit = "ipfs"; unit = "ipfs";
definition = rec { definition = {
name = "ipfs-gateway"; name = "ipfs-gateway";
address = depot.reflection.interfaces.primary.addrPublic; address = gw.ipv4;
port = 443; port = gw.port;
checks = [ checks = [
rec {
name = "Frontend";
id = "service:ipfs-gateway:frontend";
interval = "60s";
http = "https://${address}/";
tls_server_name = "bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${domain}"; # empty directory
header.Host = lib.singleton tls_server_name;
method = "HEAD";
}
{ {
name = "IPFS Node"; name = "IPFS Node";
id = "service:ipfs-gateway:ipfs"; id = "service:ipfs-gateway:ipfs";
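Review bot: `address = gw.ipv4; port = gw.port;` switches the advertised `ipfs-gateway` service from the public address on 443 to the mesh link, which the first section declares with `link.protocol = "http"`, so traffic from the ways frontends to the gateway now crosses the mesh in plaintext HTTP and the dropped `Frontend` check was the only check that exercised TLS end to end. Presumably TLS termination and its health checking now live in the ways layer, but nothing in this hunk says so. Suggest documenting the assumption on the `address` line: `# mesh link, plain HTTP: TLS is terminated by the ways frontends; confidentiality relies on meshNet transport`. The remaining `IPFS Node` check continues past the end of the hunk.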


@ -4,7 +4,7 @@ let
cfg = config.services.ipfs; cfg = config.services.ipfs;
apiAddress = "/unix/run/ipfs/ipfs-api.sock"; apiAddress = "/unix/run/ipfs/ipfs-api.sock";
ipfsApi = pkgs.writeTextDir "api" apiAddress; ipfsApi = pkgs.writeTextDir "api" apiAddress;
gw = config.links.ipfsGateway; gw = cluster.config.hostLinks.${config.networking.hostName}.ipfsGateway;
ipfsPort = 110; ipfsPort = 110;
nameservers = lib.unique config.networking.nameservers; nameservers = lib.unique config.networking.nameservers;
in in
@ -13,8 +13,6 @@ in
depot.nixosModules.ipfs depot.nixosModules.ipfs
]; ];
links.ipfsGateway.protocol = "http";
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ ipfsPort 4001 ]; allowedTCPPorts = [ ipfsPort 4001 ];
allowedUDPPorts = [ ipfsPort 4001 ]; allowedUDPPorts = [ ipfsPort 4001 ];
@ -157,7 +155,9 @@ in
"fc00::/7" "fc00::/7"
"fe80::/10" "fe80::/10"
]; ];
IPAddressAllow = nameservers; IPAddressAllow = nameservers ++ [
cluster.config.vars.meshNet.cidr
];
}; };
postStart = "chmod 660 /run/ipfs/ipfs-api.sock"; postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
}; };
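Review bot: `IPAddressAllow = nameservers ++ [ cluster.config.vars.meshNet.cidr ];` admits the whole mesh network, and since systemd's IPAddressAllow/IPAddressDeny filter applies to every socket of the unit in both directions, the ipfs daemon may now also initiate connections to every mesh host rather than only accept gateway requests from the frontends. If the frontend hosts' mesh addresses are enumerable from the cluster config, listing those instead of the CIDR would keep the sandbox as tight as before. If the full CIDR is deliberate, a comment such as `# whole meshNet: gateway requests arrive from the ways frontends over the mesh` would record that. The `systemd` service attrset enclosing this hunk starts before it.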


@ -1,9 +1,9 @@
{ config, depot, ... }: { cluster, config, depot, ... }:
with depot.lib.nginx; with depot.lib.nginx;
let let
inherit (depot.lib.meta) domain; inherit (depot.lib.meta) domain;
cfg = config.services.ipfs; cfg = config.services.ipfs;
gw = config.links.ipfsGateway; gw = cluster.config.hostLinks.${config.networking.hostName}.ipfsGateway;
in in
{ {
users.users.nginx.extraGroups = [ cfg.group ]; users.users.nginx.extraGroups = [ cfg.group ];