2022-02-05 18:13:57 +02:00
18 changed files with 307 additions and 204 deletions
--- a/flake.nix
+++ b/flake.nix
@ -26,59 +26,70 @@
  };
  outputs = { self, nixpkgs, home-manager, ... }@inputs:
    let
-      inherit (nixpkgs) lib;
+      systems = [ "x86_64-linux" "aarch64-linux" ];
-      system = "x86_64-linux";
+
-      pkgs = import nixpkgs {
+      forSystems = nixpkgs.lib.genAttrs systems;
      nixpkgsFor = system: import nixpkgs {
        inherit system;
      };
-      deploy-rs-lib = inputs.deploy-rs.lib.${system};
+      inherit (nixpkgs) lib;
      agenixModule = inputs.agenix.nixosModules.age;
      aspect = import ./modules inputs;
      hosts = import ./hosts;
      nixosHosts' = lib.filterAttrs (_: host: host ? nixos) hosts;
      nixosHosts = lib.attrNames nixosHosts';
      meta = import ./tools/meta.nix;
      specialArgs = {
        inherit inputs hosts aspect;
        toolsets = import ./tools;
      };
-      mkNixOS' = lib: name: lib.nixosSystem {
+      mkNixOS' = lib: name: let host = hosts.${name}; in lib.nixosSystem {
        inherit system;
        inherit specialArgs;
-        modules = [ hosts."${name}".nixos ./tools/inject.nix ];
+        system = "${host.arch}-linux";
        modules = [ host.nixos ./tools/inject.nix ];
      };
      mkNixOS = mkNixOS' lib;  
    in {
      nixosModules = aspect.modules;
      nixosConfigurations = lib.genAttrs [
        "VEGAS"
      ] mkNixOS;
-      deploy.nodes = with deploy-rs-lib; {
+      mkDeploy = name: let
-        VEGAS = {
+        host = hosts.${name};
-          hostname = "vegas.backbone.privatevoid.net";
+        subdomain = host.enterprise.subdomain or "services";
        deploy-rs = inputs.deploy-rs.lib."${host.arch}-linux";
      in {
        hostname = "${lib.toLower name}.${subdomain}.${meta.domain}";
        profiles.system = {
          user = "root";
          sshUser = "deploy";
-            path = activate.nixos self.nixosConfigurations.VEGAS;
+          path = deploy-rs.activate.nixos self.nixosConfigurations.${name};
          };
        };
      };
-      packages.${system} = import ./packages {
+      mkDeployments = hosts: overrides: lib.genAttrs hosts
-        inherit pkgs inputs;
+        (host: mkDeploy host // (overrides.${host} or {}) );
      };
-      apps.${system} = {
+    in {
      nixosModules = aspect.modules;
      nixosConfigurations = lib.genAttrs nixosHosts mkNixOS;
      deploy.nodes = mkDeployments nixosHosts {};
      packages = forSystems (system: import ./packages {
        inherit inputs;
        pkgs = nixpkgsFor system;
      });
      apps = forSystems (system: {
        dream2nix = inputs.dream2nix.defaultApp.${system};
-      };
+      });
      defaultApp.${system} = {
        type = "app";
        program = self.packages.${system}.flake-installer.outPath;
      };
      hydraJobs = {
-        systems.${system} = lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nixosConfigurations;
+        systems = lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nixosConfigurations;
        packages = self.packages;
      };
    };
--- a/hosts/VEGAS/default.nix
+++ b/hosts/VEGAS/default.nix
@ -25,5 +25,6 @@ tools: {
    subdomain = "backbone";
  };
  arch = "x86_64";
  nixos = import ./system.nix;
 }
--- a/hosts/VEGAS/services/ipfs/default.nix
+++ b/hosts/VEGAS/services/ipfs/default.nix
@ -1,75 +1,14 @@
-{ config, lib, pkgs, tools, ... }:
+{ aspect, config, lib, pkgs, tools, ... }:
 with tools.nginx;
 let
  inherit (tools.meta) domain;
  cfg = config.services.ipfs;
  apiAddress = "/unix/run/ipfs/ipfs-api.sock";
  ipfsApi = pkgs.writeTextDir "api" apiAddress;
  gwPort = config.portsStr.ipfsGateway;
 in
 {
-  reservePortsFor = [ "ipfsGateway" ];
+  imports = [
-
+    aspect.modules.ipfs
  networking.firewall = {
    allowedTCPPorts = [ 4001 ];
    allowedUDPPorts = [ 4001 ];
  };
  services.ipfs = {
    enable = true;
    startWhenNeeded = false;
    autoMount = true;
    inherit apiAddress;
    gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
    dataDir = "/srv/storage/ipfs/repo";
    localDiscovery = false;
    extraConfig = {
      Bootstrap = [
        "/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
        "/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
  ];
      API.HTTPHeaders = {
        Access-Control-Allow-Origin = [
          "https://ipfs.admin.${domain}"
          "http://127.0.0.1:5001"
        ];
        Access-Control-Allow-Methods = [ "PUT" "POST" ];
      };
      Gateway = {
        Writable = false;
        APICommands = [];
        HTTPHeaders = {
          Access-Control-Allow-Headers = [
            "X-Requested-With"
            "Range"
            "User-Agent"
          ];
          Access-Control-Allow-Methods = [
            "GET"
          ];
          Access-Control-Allow-Origin = [
            "*"
          ];
        };
      };
    };
  };
  systemd.sockets = {
    ipfs-api.enable = false;
    ipfs-gateway.enable = false;
  };
  systemd.tmpfiles.rules = [ "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -" ];
  systemd.services.ipfs = {
    environment.LIBP2P_FORCE_PNET = "1";
    serviceConfig.Slice = "remotefshost.slice";
    postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
  };
  systemd.slices.remotefshost.sliceConfig = {
    IOWeight = 5;
@ -87,12 +26,6 @@ in
    ];
  };
  environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
  environment.shellAliases = {
    ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
  };
  users.users.nginx.extraGroups = [ cfg.group ];
  services.nginx.virtualHosts = {
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -27,7 +27,6 @@
      ./services/hyprspace
      ./services/ipfs
      ./services/jokes
      ./services/meet
      ./services/nextcloud
      ./services/nfs
      ./services/mail
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -4,6 +4,7 @@ in with tools.dns; {
  # NixOS machines
  VEGAS = import ./VEGAS tools;
  prophet = import ./prophet tools;
  # Non-NixOS machine metadata
  AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in {
--- a/hosts/prophet/default.nix
+++ b/hosts/prophet/default.nix
@ -0,0 +1,26 @@
 tools: {
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZ4FyGi69MksEn+UJZ87vw1APqiZmPNlEYIr0CbEoGv";
    hostNames = subResolve "prophet" "node";
  };
  interfaces = {
    primary = {
      addr = "10.0.0.92";
      addrPublic = "152.67.76.138";
      link = "enp0s3";
    };
  };
 #  hypr = {
 #    id = "";
 #    addr = "10.100.3.9";
 #  };
  enterprise = {
    subdomain = "node";
  };
  arch = "aarch64";
  nixos = import ./system.nix;
 }
--- a/hosts/prophet/hardware-configuration.nix
+++ b/hosts/prophet/hardware-configuration.nix
@ -0,0 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/68a66c53-17c1-402f-b0e0-5f9c3c1628a4";
      fsType = "xfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/A368-4D28";
      fsType = "vfat";
    };
 }
--- a/hosts/prophet/modules/nginx/default.nix
+++ b/hosts/prophet/modules/nginx/default.nix
@ -0,0 +1,39 @@
 { lib, config, tools, ... }:
 let
  inherit (tools.meta) domain adminEmail;
 in
  with tools.nginx.vhosts;
  with tools.nginx.mappers;
 {
  security.acme.email = adminEmail;
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    proxyResolveWhileRunning = false;
    resolver = {
      addresses = [ "127.0.0.1" ];
      valid = "30s";
    };
    appendHttpConfig = ''
      server_names_hash_bucket_size 128;
      proxy_headers_hash_max_size 4096;
      proxy_headers_hash_bucket_size 128;
    '';
  };
  services.phpfpm.pools.www = {
    inherit (config.services.nginx) user group;
    settings = {
      pm = "ondemand";
      "pm.max_children" = 16;
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  systemd.services.nginx.after = [ "network-online.target" ];
 }
--- a/hosts/prophet/services/meet/default.nix
+++ b/hosts/prophet/services/meet/default.nix
@ -1,4 +1,10 @@
-{ lib, tools, ... }:
+{ config, lib, hosts, tools, ... }:
 let
  host = hosts.${config.networking.hostName};
  inherit (host) interfaces;
  isNAT = interfaces.primary ? addrPublic;
 in
 {
  services.jitsi-meet = {
    enable = true;
@ -24,4 +30,11 @@
    };
  });
  boot.kernel.sysctl."net.core.rmem_max" = lib.mkForce 10485760;
  environment.etc."jitsi/videobridge/sip-communicator.properties" = lib.optionalAttrs isNAT {
    text = ''
      org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${interfaces.primary.addr}
      org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${interfaces.primary.addrPublic}
    '';
  };
 }
--- a/hosts/prophet/system.nix
+++ b/hosts/prophet/system.nix
@ -0,0 +1,44 @@
 { aspect, inputs, config, pkgs, ... }:
 {
  imports =
    [
      # Hardware
      ./hardware-configuration.nix
      ./modules/nginx
      inputs.agenix.nixosModules.age
      ./services/meet
      aspect.modules.ipfs
    ]
    ++ aspect.sets.server;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "prophet";
  time.timeZone = "Europe/Zurich";
  networking.useDHCP = false;
  networking.interfaces.enp0s3.useDHCP = true;
  i18n.defaultLocale = "en_US.UTF-8";
  users.users.opc = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
  };
  security.sudo.wheelNeedsPassword = false;
  services.openssh.enable = true;
  system.stateVersion = "21.11";
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -7,7 +7,7 @@ let
    enterprise = import ./enterprise;
    fail2ban = import ./fail2ban;
    hydra = import ./hydra;
-    ipfs-lain = import ./ipfs-lain;
+    ipfs = import ./ipfs;
    nix-builder = import ./nix-builder;
    nix-config = import ./nix-config;
    nix-config-server = import ./nix-config/server.nix;
--- a/modules/enterprise/default.nix
+++ b/modules/enterprise/default.nix
@ -16,7 +16,7 @@ in {
      rdns = false;
      forwardable = true;
      default_ccache_name = "KEYRING:persistent:%{uid}";
-      pkinit_anchors = "FILE:${inputs.self.packages.x86_64-linux.privatevoid-smart-card-ca-bundle}";
+      pkinit_anchors = "FILE:${inputs.self.packages.${pkgs.system}.privatevoid-smart-card-ca-bundle}";
    };
    realms = {
      "${orgRealm}" = rec {
--- a/modules/ipfs-lain/default.nix
+++ b/modules/ipfs-lain/default.nix
@ -1,22 +0,0 @@
 { pkgs, config, ... }:
 {
  services.ipfs = {
    enable = true;
    extraConfig = {
      Bootstrap = [
        "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
        "/ip4/34.75.66.204/tcp/4001/p2p/QmUDwdaJthQkxgoHN1QQFvj4jR12A2nGQMXxYJEqtPMsYJ"
        "/ip4/35.233.49.84/tcp/4001/p2p/QmTuZN9VtqiVWjcqTkRAUnRWYurwFbC6j9E2gvnMs5XEFy"
      ];
    };
  };
  systemd.services.ipfs.environment.LIBP2P_FORCE_PNET = "1";
  environment.shellAliases = {
    ipfs =
      "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs";
    f =
      "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs files";
  };
 }
--- a/modules/ipfs/default.nix
+++ b/modules/ipfs/default.nix
@ -0,0 +1,90 @@
 { config, lib, pkgs, tools, ... }:
 let
  inherit (tools.meta) domain;
  cfg = config.services.ipfs;
  apiAddress = "/unix/run/ipfs/ipfs-api.sock";
  ipfsApi = pkgs.writeTextDir "api" apiAddress;
  gwPort = config.portsStr.ipfsGateway;
 in
 {
  age.secrets.ipfs-swarm-key = {
    file = ../../secrets/ipfs-swarm-key.age;
    mode = "0400";
    owner = cfg.user;
    inherit (cfg) group;
  };
  reservePortsFor = [ "ipfsGateway" ];
  networking.firewall = {
    allowedTCPPorts = [ 4001 ];
    allowedUDPPorts = [ 4001 ];
  };
  services.ipfs = {
    enable = true;
    startWhenNeeded = false;
    autoMount = true;
    inherit apiAddress;
    gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
    dataDir = "/srv/storage/ipfs/repo";
    localDiscovery = false;
    extraConfig = {
      Bootstrap = [
        "/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
        "/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
        "/ip4/77.54.95.19/tcp/12104/p2p/12D3KooWC1RZxLvAeEFNTZWk1FWc1sZZ3yemF4FNNRYa3X854KJ8"
        "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
      ];
      API.HTTPHeaders = {
        Access-Control-Allow-Origin = [
          "https://ipfs.admin.${domain}"
          "http://127.0.0.1:5001"
        ];
        Access-Control-Allow-Methods = [ "PUT" "POST" ];
      };
      Gateway = {
        Writable = false;
        APICommands = [];
        HTTPHeaders = {
          Access-Control-Allow-Headers = [
            "X-Requested-With"
            "Range"
            "User-Agent"
          ];
          Access-Control-Allow-Methods = [
            "GET"
          ];
          Access-Control-Allow-Origin = [
            "*"
          ];
        };
      };
    };
  };
  systemd.sockets = {
    ipfs-api.enable = false;
    ipfs-gateway.enable = false;
  };
  systemd.tmpfiles.rules = [
    "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -"
    "L+ '${cfg.dataDir}/swarm.key' - - - - ${config.age.secrets.ipfs-swarm-key.path}"
  ];
  systemd.services.ipfs = {
    environment.LIBP2P_FORCE_PNET = "1";
    serviceConfig.Slice = "remotefshost.slice";
    postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
  };
  environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
  environment.shellAliases = {
    ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
  };
 }
--- a/modules/nix-config/default.nix
+++ b/modules/nix-config/default.nix
@ -1,71 +0,0 @@
 { pkgs, config, inputs, ... }:
 let
  builder = {
    systems = [ "x86_64-linux" "i686-linux" ];
    speedFactor = 500;
    supportedFeatures = [ "benchmark" "nixos-test" ];
    sshKey = config.age.secrets.nixBuilderKey.path;
  };
  bigBuilder = builder // {
    speedFactor = 1000;
    supportedFeatures = builder.supportedFeatures ++ [ "kvm" "big-parallel" ];
  };
 in {
  age.secrets.nixBuilderKey = {
    file = ../../secrets/builder_key.age;
    mode = "0400";
  };
  nixpkgs.overlays = [
    (self: super: {
      nixSuperUnstable = inputs.self.packages.x86_64-linux.nix-super-unstable;
    })
  ];
  nix = {
    package = pkgs.nixSuperUnstable;
    trustedUsers = [ "root" "@wheel" ];
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      warn-dirty = false
      builders-use-substitutes = true
      flake-registry = ${
        pkgs.writeText "null-registry.json" ''{"flakes":[],"version":2}''
      }
    '';
    binaryCaches = [ "https://cache.privatevoid.net" ];
    binaryCachePublicKeys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
    autoOptimiseStore = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    distributedBuilds = true;
    buildMachines = [
      (bigBuilder // {
        sshUser = "root";
        hostName = "styx.services.private.void";
        speedFactor = 2000;
        maxJobs = 2;
      })
      (bigBuilder // {
        sshUser = "nix";
        hostName = "wired.titan.find.private.void";
        maxJobs = 12;
      })
      (bigBuilder // {
        sshUser = "nixbuilder";
        hostName = "animus.com";
        speedFactor = 3000;
        maxJobs = 4;
      })
    ];
  };
 }
--- a/packages/patched-inputs.nix
+++ b/packages/patched-inputs.nix
@ -1,9 +1,9 @@
 let tools = import ./lib/tools.nix;
 in with tools;
 { inputs, pkgs, ... }: rec {
-  deploy-rs = inputs.deploy-rs.packages.x86_64-linux.deploy-rs;
+  deploy-rs = inputs.deploy-rs.packages.${pkgs.system}.deploy-rs;
-  nix-super = inputs.nix-super.defaultPackage.x86_64-linux;
+  nix-super = inputs.nix-super.defaultPackage.${pkgs.system};
-  agenix = inputs.agenix.packages.x86_64-linux.agenix.override { nix = nix-super; };
+  agenix = inputs.agenix.packages.${pkgs.system}.agenix.override { nix = nix-super; };
 }
--- a/secrets/ipfs-swarm-key.age
+++ b/secrets/ipfs-swarm-key.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-ed25519 NO562A M3tf8OUR0EYa4UQDTd0U1gHJDrGKNjRbnGBePHA3nH0
 6FftIih0/S8jNv94bRiJPb4V+P7jOtGHQFZbGcj2cqE
 -> ssh-ed25519 5/zT0w o4eVLMXyfImHYXmnPo7qDQyDOcB4s85gPMr8IAuvVE4
 bY7L3YihZytZ1XrYbHPxR1FRGNA8W5qsYKNIkwmF2r0
 -> ssh-ed25519 d3WGuA iFH+ntVIDTmMUzgLLrNFHyPhSvTPsLcjNH+QTR4yfDk
 Q54Nwc6fwPan62XX70WkG5mrmRlhE/rcHfyV8xMim3E
 -> ssh-ed25519 6YMlxg tbaiMLpardsaNZOlCF7FAmKOlqZfIM6cVvOxQQjn2kU
 gmu1AVuMzENxbs73dxRFWjxSCUeFjb4bMdgyYaikSOs
 -> Wdm-grease
 8TLtQ/rdFCG5Yo3nYsAuPjPD0+HZwPO02rnPdlczJkDYPNmepWgt01Wf3VdbYko
 --- r4yb3tN9yWRCAxraKDJohDTA0BRvpxQN86Qr+M64jic
 ‚kí	ps–êŠ›ü]ìÕ<R;QµI¯Vª¼Qó&–»ìCLX3ïE<>Ú©‹3|MC‡¾ÊVJî’ÆN¯9ŸÎ[<5B>çÖamæ!…F·;i…ªÚ$²‹;ÂÛs9øð€¼_A©•û ÿ•E<E280A2>é½³¤„Á?³eò\eNÉkÀ›
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -19,6 +19,7 @@ in with hosts;
  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "ipfs-swarm-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "minio-console-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
@ -32,6 +33,6 @@ in with hosts;
  "synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 }