Compare commits


16 commits

36 changed files with 268 additions and 43 deletions


@ -2,9 +2,9 @@
with lib; with lib;
{ {
options.out.injectNixosConfig = mkOption { options.out = mkOption {
description = "NixOS configuration to inject into the given host."; description = "Output functions.";
type = with types; functionTo raw; type = with types; lazyAttrsOf (functionTo raw);
default = const []; default = const [];
}; };
} }
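Review bot: `default = const [];` was not updated together with the type: `out` is now `lazyAttrsOf (functionTo raw)`, so its default must be an attribute set, and a function value would fail the module type check the moment no module defines `config.out`. The mismatch is masked only because the cluster module always sets `config.out`; change the default to `default = {};`. The description `Output functions.` could also state the consumer-facing contract, e.g. `description = "Functions exposed to consumers of the cluster evaluation (e.g. injectNixosConfig = hostName: [ modules ]).";`, assuming that is the intended shape.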


@ -39,7 +39,11 @@ in
default = {}; default = {};
}; };
config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (getHostConfigurations hostName) config.services)) ++ [ config.out = {
introspectionModule injectNixosConfigForServices = services: hostName: (lib.flatten (lib.mapAttrsToList (getHostConfigurations hostName) (lib.getAttrs services config.services))) ++ [
]; introspectionModule
];
injectNixosConfig = config.out.injectNixosConfigForServices (lib.attrNames config.services);
};
} }
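Review bot: `lib.getAttrs services config.services` aborts evaluation with a generic attribute-missing error whenever a name in `services` is not a defined service, which is exactly what a typo in a caller's fixed list (such as the one the simulacrum check passes) would produce. If fail-fast is intended, name the offender first, e.g. `assert lib.all (s: builtins.hasAttr s config.services) services;` placed before the `lib.flatten` call; if unknown names should instead be ignored, use `lib.filterAttrs (n: _: lib.elem n services) config.services`. `getHostConfigurations` and `introspectionModule` are defined outside the hunk, so their behaviour on an unknown service is not visible here.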


@ -1,5 +1,10 @@
{ depot, ... }: { depot, ... }:
{ {
services.bitwarden = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
} }


@ -1,6 +1,11 @@
{ depot, ... }: { depot, ... }:
{ {
services.fbi = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records = let dns.records = let
fbiAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; fbiAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
in { in {


@ -0,0 +1,22 @@
{ config, ... }:
{
services.frangiclave = {
nodes = {
server = [ "VEGAS" "grail" "prophet" ];
cluster = config.services.frangiclave.nodes.server;
agent = []; # all nodes, for vault-agent, secret templates, etc.
};
meshLinks = {
server.link.protocol = "http";
cluster.link.protocol = "http";
};
nixos = {
server = [
./server.nix
];
cluster = [];
agent = [];
};
};
}


@ -0,0 +1,23 @@
{ cluster, config, depot, ... }:
let
apiLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-server;
clusterLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-cluster;
in
{
services.vault = {
enable = true;
package = depot.packages.openbao;
address = apiLink.tuple;
extraConfig = /*hcl*/ ''
api_addr = "${apiLink.url}"
cluster_addr = "${clusterLink.url}"
'';
storageBackend = "raft";
storageConfig = /*hcl*/ ''
node_id = "x${builtins.hashString "sha256" "frangiclave-node-${config.networking.hostName}"}"
'';
};
}
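Review bot: The OpenBao listener is configured without `tlsCertFile`/`tlsKeyFile`, and the cluster definition declares both `meshLinks` with `protocol = "http"`, so `api_addr`/`cluster_addr` advertise plaintext endpoints and API traffic (including tokens) between nodes is unencrypted at this layer. That is acceptable only if the host link is carried over the encrypted mesh overlay, which this file does not show; state the assumption next to `extraConfig`, e.g. `# plaintext listener: relies on the host link being an encrypted mesh overlay, never a public address`. The `node_id` derived from a sha256 of the hostname is deterministic, which is fine for raft, but a comment saying it must stay stable across rebuilds would help the next editor.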


@ -1,5 +1,10 @@
{ depot, ... }: { depot, ... }:
{ {
services.gitlab = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
} }


@ -1,5 +1,10 @@
{ depot, ... }: { depot, ... }:
{ {
services.reflex = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records.reflex.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; dns.records.reflex.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
} }


@ -1,6 +1,11 @@
{ depot, ... }: { depot, ... }:
{ {
services.soda = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
monitoring.blackbox.targets.soda-machine = { monitoring.blackbox.targets.soda-machine = {
address = "soda.int.${depot.lib.meta.domain}:22"; address = "soda.int.${depot.lib.meta.domain}:22";
module = "sshConnect"; module = "sshConnect";


@ -0,0 +1,26 @@
{ depot, ... }:
{
containers.soda = {
path = depot.nixosConfigurations.soda.config.system.build.toplevel;
privateNetwork = true;
hostBridge = "vmdefault";
localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
autoStart = true;
bindMounts.sodaDir = {
hostPath = "/srv/storage/www/soda";
mountPoint = "/soda";
isReadOnly = false;
};
};
systemd.services."container@soda".after = [ "libvirtd.service" "sys-devices-virtual-net-vmdefault.device" ];
networking.nat.forwardPorts = [
{
sourcePort = 52222;
destination = "${depot.hours.soda.interfaces.primary.addr}:22";
proto = "tcp";
}
];
}


@ -1,6 +1,11 @@
{ depot, ... }: { depot, ... }:
{ {
services.sso = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records = let dns.records = let
ssoAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; ssoAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
in { in {


@ -3,10 +3,6 @@ let
inherit (config.reflection) interfaces; inherit (config.reflection) interfaces;
in in
{ {
imports = [
./port-forward.nix
];
networking.nat = { networking.nat = {
enable = true; enable = true;
externalInterface = interfaces.primary.link; externalInterface = interfaces.primary.link;


@ -1,11 +0,0 @@
{ depot, ... }:
{
networking.nat.forwardPorts = [
{
sourcePort = 52222;
destination = "${depot.hours.soda.interfaces.primary.addr}:22";
proto = "tcp";
}
];
}


@ -16,15 +16,10 @@
# Services # Services
./services/backbone-routing ./services/backbone-routing
./services/bitwarden
./services/cdn-shield ./services/cdn-shield
./services/fbi
./services/gitlab
./services/jokes ./services/jokes
./services/mail ./services/mail
./services/minecraft ./services/minecraft
./services/reflex
./services/sso
./services/websites ./services/websites
./services/wireguard-server ./services/wireguard-server
depot.nixosModules.hyprspace depot.nixosModules.hyprspace
@ -90,18 +85,4 @@
system.stateVersion = "21.05"; system.stateVersion = "21.05";
services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.PasswordAuthentication = false;
containers.soda = {
path = depot.nixosConfigurations.soda.config.system.build.toplevel;
privateNetwork = true;
hostBridge = "vmdefault";
localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
autoStart = true;
bindMounts.sodaDir = {
hostPath = "/srv/storage/www/soda";
mountPoint = "/soda";
isReadOnly = false;
};
};
systemd.services."container@soda".after = [ "libvirtd.service" "sys-devices-virtual-net-vmdefault.device" ];
} }


@ -1,4 +1,4 @@
{ config, lib, self, ... }: { config, lib, self, extendModules, ... }:
let let
timeMachine = { timeMachine = {
@ -7,6 +7,7 @@ let
in in
{ {
debug = lib.warn "debug mode is enabled" true;
perSystem = { filters, pkgs, self', system, ... }: { perSystem = { filters, pkgs, self', system, ... }: {
checks = lib.mkIf (system == "x86_64-linux") { checks = lib.mkIf (system == "x86_64-linux") {
ascensions = pkgs.callPackage ./ascensions.nix { ascensions = pkgs.callPackage ./ascensions.nix {
@ -49,6 +50,10 @@ in
searxng = pkgs.callPackage ./searxng.nix { searxng = pkgs.callPackage ./searxng.nix {
inherit (self'.packages) searxng; inherit (self'.packages) searxng;
}; };
simulacrum = pkgs.callPackage ./simulacrum.nix {
inherit config extendModules;
};
}; };
}; };
} }
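Review bot: `debug = lib.warn "debug mode is enabled" true;` is committed at the top level of the flake module, so every evaluation prints the warning, and if this is flake-parts' `debug` option the full module configuration and options are published as an additional flake output. It reads like a local troubleshooting toggle that slipped into the commit; drop the line, or make it opt-in with `debug = lib.mkDefault false;` and set it from an uncommitted local module. The `simulacrum` check receiving `inherit config extendModules;` is unaffected by this flag.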


@ -0,0 +1,12 @@
{ config, lib, ... }:
{
systemd.tmpfiles.settings."00-testing-external-storage-underlays" = lib.mapAttrs' (name: cfg: {
name = cfg.mountpoint;
value.d = {
user = toString cfg.uid;
group = toString cfg.gid;
mode = "0700";
};
}) config.services.external-storage.underlays;
}
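Review bot: The module has no comment saying that it is a test stand-in: it creates each underlay's mountpoint as a plain 0700 directory via tmpfiles instead of mounting any storage, which a reader would not guess from the file name. A header such as `# Test substitute for external-storage: create underlay mountpoints as local directories (no real mounts inside the VM).` would make that explicit. It also assumes every entry of `config.services.external-storage.underlays` has `mountpoint`, `uid` and `gid` set; presumably the real module's option declarations enforce that, but a note to that effect would save the next reader a lookup.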


@ -0,0 +1,119 @@
{ testers, config, extendModules, lib, system }:
let
lift = config;
snakeoil = {
ssh = {
public = lib.fileContents ./snakeoil/ssh/snakeoil-key.pub;
private = ./snakeoil/ssh/snakeoil-key;
};
wireguard = {
public = lib.genAttrs nodes (node: lib.fileContents ./snakeoil/wireguard/public-key-${toString digits.${node}});
private = lib.genAttrs nodes (node: ./snakeoil/wireguard/private-key-${toString digits.${node}});
};
};
nodes = lib.attrNames config.gods.fromLight;
digits = lib.attrsets.listToAttrs (lib.zipListsWith lib.nameValuePair nodes (lib.range 1 255));
depot' = extendModules {
modules = [
({ config, ... }: {
gods.fromLight = lib.mapAttrs (name: cfg: {
interfaces.primary = {
link = lib.mkForce "vprimary";
};
ssh.id.publicKey = lib.mkForce snakeoil.ssh.public;
}) lift.gods.fromLight;
cluster = lib.mkForce (lift.cluster.extendModules {
specialArgs.depot = config;
modules = [
{
hostLinks = lib.genAttrs nodes (node: {
mesh.extra = lib.mkForce (lift.cluster.config.hostLinks.${node}.mesh.extra // {
pubKey = snakeoil.wireguard.public.${node};
});
});
}
];
});
})
];
};
specialArgs = depot'.config.lib.summon system lib.id;
in
testers.runNixOSTest {
name = "simulacrum";
node = { inherit specialArgs; };
nodes = lib.genAttrs nodes (node: let
hour = depot'.config.hours.${node};
in {
imports = [
specialArgs.depot.hours.${node}.nixos
./modules/nixos/age-dummy-secrets
./modules/nixos/external-storage.nix
] ++ depot'.config.cluster.config.out.injectNixosConfigForServices [ "consul" "certificates" "nginx" "wireguard" "frangiclave" ] node;
boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
networking = {
interfaces = {
${hour.interfaces.primary.link} = {
useDHCP = lib.mkForce false;
virtual = true;
ipv4.addresses = lib.mkForce [
{
address = hour.interfaces.primary.addr;
prefixLength = 32;
}
];
};
eth1.ipv4.routes = lib.pipe nodes [
(lib.filter (n: n != node))
(map (n: let
hour = depot'.config.hours.${n};
in {
address = hour.interfaces.primary.addrPublic;
prefixLength = 32;
via = "192.168.1.${toString digits.${n}}";
}))
];
};
firewall.extraCommands = lib.mkAfter (lib.optionalString (hour.interfaces.primary.isNat) ''
# self-nat
iptables -t nat -A PREROUTING -d ${hour.interfaces.primary.addrPublic} -j DNAT --to-destination ${hour.interfaces.primary.addr}
iptables -t nat -A POSTROUTING -s ${hour.interfaces.primary.addr} -j SNAT --to-source ${hour.interfaces.primary.addrPublic}
'');
};
systemd.services = {
hyprspace.enable = false;
cachix-agent.enable = false;
};
environment.etc = {
"ssh/ssh_host_ed25519_key" = {
source = snakeoil.ssh.private;
mode = "0400";
};
"dummy-secrets/cluster-wireguard-meshPrivateKey".source = lib.mkForce snakeoil.wireguard.private.${node};
"dummy-secrets/grafana-agent-blackbox-secret-monitoring".text = lib.mkForce ''
SECRET_MONITORING_BLACKBOX_TARGET_1_NAME=example-external-service
SECRET_MONITORING_BLACKBOX_TARGET_1_MODULE=http2xx
SECRET_MONITORING_BLACKBOX_TARGET_1_ADDRESS=http://127.0.0.1:1
'';
"dummy-secrets/garageRpcSecret".text = lib.mkForce "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
};
virtualisation = {
cores = 2;
memorySize = 4096;
};
});
testScript = ''
grail.succeed("false")
'';
}
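Review bot: `testScript` is `grail.succeed("false")`, which raises on any non-zero exit, so this check fails unconditionally and `nix flake check` on x86_64-linux cannot pass with this commit unless a failing scaffold is intentional. A minimal script that still exercises the injected services would be `start_all()` followed by `grail.wait_for_unit("multi-user.target")`, with further `wait_for_unit` calls for the services named in the `injectNixosConfigForServices` list. The committed SSH host key and WireGuard keys are test fixtures copied out of the world-readable store, so the `mode = "0400"` on the host key is cosmetic; a one-line comment at `snakeoil = {` stating that these keys are public and must never be used outside the VM test would prevent accidental reuse. Note also that `digits` maps nodes onto `192.168.1.1`–`192.168.1.255`, so a 255th node would be routed via the broadcast address; `lib.range 1 254` avoids that edge.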


@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAOx03X+LtW0aN8ejdN4IJgDPrTZgVwe7WbXhhBvqVwgwAAAJAS78fWEu/H
1gAAAAtzc2gtZWQyNTUxOQAAACAOx03X+LtW0aN8ejdN4IJgDPrTZgVwe7WbXhhBvqVwgw
AAAEAUtGOZZIZdzGP6g85JuXBjDtciNQ9bLHNxSN5Gbwvb2Q7HTdf4u1bRo3x6N03ggmAM
+tNmBXB7tZteGEG+pXCDAAAACW1heEBUSVRBTgECAwQ=
-----END OPENSSH PRIVATE KEY-----


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7HTdf4u1bRo3x6N03ggmAM+tNmBXB7tZteGEG+pXCD


@ -0,0 +1 @@
YHzP8rBP6qiXs6ZdnvHop9KnCYRADIEejwZzAzvj8m4=


@ -0,0 +1 @@
uD7X5E6N9d0sN+xPr/bWnehSa3bAok741GO7Z4I+Z3I=


@ -0,0 +1 @@
YLl+hkWaCWx/5PpWs3cQ+bKqYdJef/qZ+FMTsM9ammM=


@ -0,0 +1 @@
MNvWpMluuzQvPyGTp7jtyPSyz6n9lIly/WX1gW2NAHg=


@ -0,0 +1 @@
QHyIJ3HoKGGFN28qOrQP4UyoQMP5bM7Idn2MzayKzEM=


@ -0,0 +1 @@
TESTtbFybW5YREwtd18a1A4StS4YAIUS5/M1Lv0jHjA=


@ -0,0 +1 @@
TEsTh7bthkaDh9A1CpqDi/F121ao5lRZqIJznLH8mB4=


@ -0,0 +1 @@
tEST6afFmVN18o+EiWNFx+ax3MJwdQIeNfJSGEpffXw=


@ -0,0 +1 @@
tEsT6s7VtM5C20eJBaq6UlQydAha8ATlmrTRe9T5jnM=


@ -0,0 +1 @@
TEstYyb5IoqSL53HbSQwMhTaR16sxcWcMmXIBPd+1gE=


@ -3,7 +3,7 @@
packages.stop-using-nix-env = let packages.stop-using-nix-env = let
site = with pkgs; stdenvNoCC.mkDerivation rec { site = with pkgs; stdenvNoCC.mkDerivation rec {
pname = "stop-using-nix-env"; pname = "stop-using-nix-env";
version = "1.2.0"; version = "1.2.1";
src = ./src; src = ./src;
buildCommand = '' buildCommand = ''
install -Dm644 $src/* -t $out/share/www/${pname} install -Dm644 $src/* -t $out/share/www/${pname}


@ -218,7 +218,7 @@
Do you often run into a situation where you need a particular command Do you often run into a situation where you need a particular command
for a one-off thing, but don't feel like it should reside on your system for a one-off thing, but don't feel like it should reside on your system
at all times? at all times?
<a href="https://nixos.org/guides/ad-hoc-developer-environments.html">Ephemeral shells</a> <a href="https://nix.dev/tutorials/first-steps/ad-hoc-shell-environments.html">Ephemeral shells</a>
allow you to <i>gain temporary access</i> to a command and after you exit allow you to <i>gain temporary access</i> to a command and after you exit
out of the shell, it's as if the package was never installed. out of the shell, it's as if the package was never installed.
If you're using Flakes, If you're using Flakes,