diff --git a/hosts/VEGAS/services/ipfs/default.nix b/hosts/VEGAS/services/ipfs/default.nix index edac3b6..f12097a 100644 --- a/hosts/VEGAS/services/ipfs/default.nix +++ b/hosts/VEGAS/services/ipfs/default.nix @@ -71,6 +71,22 @@ in postStart = "chmod 660 /run/ipfs/ipfs-api.sock"; }; + systemd.slices.remotefshost.sliceConfig = { + IOWeight = 5; + IOReadIOPSMax = [ + "/dev/sda 100" + "/dev/sdb 100" + ]; + IOWriteIOPSMax = [ + "/dev/sda 100" + "/dev/sdb 100" + ]; + IODviceLatencyTargetSec = [ + "/dev/sda 500ms" + "/dev/sdb 500ms" + ]; + }; + environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}"; environment.shellAliases = { diff --git a/hosts/VEGAS/services/sips/default.nix b/hosts/VEGAS/services/sips/default.nix new file mode 100644 index 0000000..949034a --- /dev/null +++ b/hosts/VEGAS/services/sips/default.nix 
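Review bot: `IODviceLatencyTargetSec` in the new `remotefshost` slice is misspelled; the systemd directive is `IODeviceLatencyTargetSec=`, and systemd ignores unknown keys with a logged warning instead of failing the unit, so the 500ms latency targets silently never apply while the IOPS caps do. Change the key to `IODeviceLatencyTargetSec = [`. I don't believe NixOS validates `sliceConfig` key names at evaluation time, so nothing short of reading the journal would catch this. Since the slice exists to stop the remote-filesystem workload from starving the host disks, it is worth confirming after deploy with `systemctl show remotefshost.slice -p IOReadIOPSMax -p IOWriteIOPSMax -p IODeviceLatencyTargetSec` that every value landed.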
@@ -0,0 +1,76 @@
+{ config, inputs, pkgs, tools, ... }:
+let
+ host = tools.identity.autoDomain "sips";
+
+ inherit (inputs.self.packages.${pkgs.system}) sips;
+
+ connStringNet = "host=127.0.0.1 sslmode=disable dbname=sips user=sips";
+ connString = "host=/var/run/postgresql dbname=sips user=sips";
+
+ sipsctl = pkgs.runCommandNoCC "sipsctl-with-env" {
+ nativeBuildInputs = [ pkgs.makeWrapper ];
+ } ''
+ makeWrapper ${sips}/bin/sipsctl $out/bin/sipsctl \
+ --set PGPASSFILE ${config.age.secrets.sips-db-credentials.path} \
+ --add-flags '--dbdriver postgres --db "${connStringNet}"'
+
+ ln -s ${sips}/share $out/share
+ '';
+in
+{
+ age.secrets.sips-db-credentials = {
+ file = ../../../../secrets/sips-db-credentials.age;
+ mode = "0400";
+ };
+
+ reservePortsFor = [ "sips" "sipsInternal" "sipsIpfsApiProxy" ];
+
+ systemd.services.sips = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ requires = [ "sips-ipfs-api-proxy.service" ];
+ serviceConfig = {
+ ExecStart = "${sips}/bin/sips --dbdriver postgres --db \"${connString}\" --addr 127.0.0.1:${config.portsStr.sipsInternal} --api http://127.0.0.1:${config.portsStr.sipsIpfsApiProxy} --apitimeout 604800s";
+ PrivateNetwork = true;
+ DynamicUser = true;
+ };
+ environment.PGPASSFILE = config.age.secrets.sips-db-credentials.path;
+ };
+
+ systemd.services.sips-ipfs-api-proxy = {
+ after = [ "network.target" "sips.service" ];
+ bindsTo = [ "sips.service" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.socat}/bin/socat tcp4-listen:${config.portsStr.sipsIpfsApiProxy},fork,reuseaddr,bind=127.0.0.1 unix-connect:/run/ipfs/ipfs-api.sock";
+ PrivateNetwork = true;
+ DynamicUser = true;
+ SupplementaryGroups = "ipfs";
+ };
+ unitConfig.JoinsNamespaceOf = "sips.service";
+ };
+
+ systemd.services.sips-proxy = {
+ after = [ "network.target" "sips.service" ];
+ bindsTo = [ "sips.service" ];
+ requires = [ "sips-proxy.socket" ];
+ serviceConfig = {
+ ExecStart = 
"${config.systemd.package}/lib/systemd/systemd-socket-proxyd 127.0.0.1:${config.portsStr.sipsInternal}";
+ PrivateNetwork = true;
+ DynamicUser = true;
+ SupplementaryGroups = "ipfs";
+ };
+ unitConfig.JoinsNamespaceOf = "sips.service";
+ };
+
+ systemd.sockets.sips-proxy = {
+ wantedBy = [ "sockets.target" ];
+ after = [ "network.target" ];
+ socketConfig = {
+ ListenStream = "127.0.0.1:${config.portsStr.sips}";
+ };
+ };
+
+ environment.systemPackages = [ sipsctl ];
+
+ services.nginx.virtualHosts.${host} = tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.sips}";
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 664689b..1da1d25 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -36,6 +36,7 @@
 ./services/nix/nar-serve.nix
 ./services/object-storage
 ./services/openvpn
+ ./services/sips
 ./services/sso
 ./services/vault
 ./services/warehouse
diff --git a/packages/packages.nix b/packages/packages.nix
index db24227..d8ab905 100644
--- a/packages/packages.nix
+++ b/packages/packages.nix
@@ -27,4 +27,6 @@ in
 minio-console = pkgs.callPackage ./servers/minio-console { };
 privatevoid-smart-card-ca-bundle = pkgs.callPackage ./data/privatevoid-smart-card-certificate-authority-bundle.nix { };
+
+ sips = pkgs.callPackage ./servers/sips { };
 }
diff --git a/packages/servers/sips/default.nix b/packages/servers/sips/default.nix
new file mode 100644
index 0000000..0ba8021
--- /dev/null
+++ b/packages/servers/sips/default.nix
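Review bot: `systemd.services.sips` runs under `DynamicUser = true` yet points `PGPASSFILE` at the agenix secret, which this hunk declares with `mode = "0400"` and no `owner` (agenix defaults that to root), so the transient `sips` user cannot open the file; libpq quietly skips a pgpass file it cannot open, which means the service either depends on peer/trust auth over the `/var/run/postgresql` socket (not visible here) or fails to authenticate. If the password is needed, hand it over through systemd credentials instead of loosening the file: `serviceConfig.LoadCredential = "pgpass:${config.age.secrets.sips-db-credentials.path}";` with `environment.PGPASSFILE = "/run/credentials/sips.service/pgpass";`, which installs a copy readable only by the service's own user. The `sipsctl` wrapper reads the same root-only file, so only root can run it; if that is intended, say so in a comment next to `mode`. Separately, `SupplementaryGroups = "ipfs"` is copied onto `sips-proxy`, which only forwards TCP to the internal port and never touches `/run/ipfs/ipfs-api.sock`; drop it there so the proxy stays least-privilege.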
@@ -0,0 +1,34 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+ pname = "sips";
+ version = "0.3.0";
+
+ src = fetchFromGitHub {
+ owner = "DeedleFake";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "0v5g4zz7j6150yk7k3svh3ffgr0ghzp5yl01bpq99i0lkpliidpx";
+ };
+
+ vendorSha256 = "sha256-JZ8wtfu+jLikTKjYt+1Zt05jNVahEyRU/ciK2n+AACc=";
+
+ subPackages = [ "cmd/sips" "cmd/sipsctl" ];
+
+ # HACK: this can't cross-compile
+ postInstall = ''
+ mkdir -p $out/share/bash-completion/completions $out/share/zsh/site-functions
+ $out/bin/sipsctl completion bash > $out/share/bash-completion/completions/sipsctl
+ $out/bin/sipsctl completion zsh > $out/share/zsh/site-functions/_sipsctl
+ '';
+
+ meta = with lib; {
+ description = "A Simple IPFS Pinning Service";
+ homepage = "https://github.com/DeedleFake/sips";
+ license = licenses.mit;
+ maintainers = with maintainers; [ ];
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8375dd0..f423eac 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,6 +21,7 @@ in with hosts;
 "nextcloud-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "postfix-ldap-mailboxes.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "sips-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "synapse-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
diff --git a/secrets/sips-db-credentials.age b/secrets/sips-db-credentials.age
new file mode 100644
index 0000000..93bd028
--- /dev/null
+++ b/secrets/sips-db-credentials.age
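Review bot: The `postInstall` hook in `packages/servers/sips/default.nix` runs the freshly built `$out/bin/sipsctl` unconditionally, which the `# HACK` comment already admits breaks cross-compilation; rather than leaving the derivation unbuildable for host ≠ build, guard it by adding `, stdenv` to the argument set and writing `postInstall = lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform) ''`. The hand-made completion directories could also become `installShellCompletion --cmd sipsctl --bash <($out/bin/sipsctl completion bash) --zsh <($out/bin/sipsctl completion zsh)` with `installShellFiles` in `nativeBuildInputs`. On the supply-chain side the shape is right: the source is pinned by content hash and the Go dependencies by `vendorSha256`, so a moved `v${version}` tag would fail the build rather than silently change what gets deployed.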
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A E/9/zbcPJ/7RcvpQDdiH3964S2458+gfe4y58gljdRM +EkmMt7j+MRT4+StvnCbmyyFudWsGHN72Vq+sW3BMG3k +-> ssh-ed25519 5/zT0w 2hwtQ2r3Yt92hnBdHS6dlxxWEMhc/a+Xs6GFjOer9xQ +IADvMgdOEj9lVpEyPYQf4VHzbAqa5jf1xHCxu3tX0Os +-> ssh-ed25519 d3WGuA SH5ARarHt6Z6ieKm42ECfJps0ZQZpEnbIcJzWZhGr1Q +fjQQJJUkQf8fv7CihShd51ChXse9GBmoY/q186M7FBE +-> /a.-grease +w3y137fgLnhJLYkLo2uSwwIIevdM+G7A9ewrChPDFEmoahoOYPoNfPb6Lo4XBMEv +OSVsc+9B5cO95zQ2hOncu7LlsDUcdCHa8rLJFVaGLwfqXi79EnCsdrucUK+nnNCe + +--- mpr2ZFj40sPB65FCmlwUSWhRNU0TWSkNvyCh4HQN/e4 +H1 8y@;a]'gRy/7& >Ld'tYN|e _o5㼘+`[f3OPgwZfTT}yhs3 \ No newline at end of file diff --git a/tools/identity.nix b/tools/identity.nix index 1557b50..04cc0b8 100644 --- a/tools/identity.nix +++ b/tools/identity.nix @@ -7,6 +7,8 @@ let inherit domain; + autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}"; + ldap = { server = with self.ldap.server; { # TODO: unhardcode everything here
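Review bot: `autoDomain` in the `tools/identity.nix` hunk derives a public hostname from `md5(name)`, which only obscures the service name; anyone who knows the convention (this repository reveals it) can compute `md5("sips")` to find the vhost, and once a publicly trusted certificate is issued for it the name is published in Certificate Transparency logs regardless. That is acceptable as a naming scheme but must not be mistaken for access control, so document it above the binding: `# Obscures the service name only; never rely on this for access control.` If the intent is just a stable unique label, a truncated `builtins.hashString "sha256" name` would avoid MD5 questions in future reviews without changing the security posture. The enclosing `let` block starts and ends outside the hunk.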