Massive Refactor #95

Merged
max merged 1 commit from refactor into master 2023-09-03 02:21:16 +03:00
96 changed files with 373 additions and 424 deletions


@ -1,4 +1,4 @@
{ lib, depot, hostName }:
{ lib, depot }:
lib.evalModules {
specialArgs = {
@ -7,12 +7,10 @@ lib.evalModules {
modules = [
# Arbitrary variables to reference across multiple services
./lib/vars
{ vars = { inherit hostName; }; }
# Cluster-level port-magic
../modules/port-magic
../tools/inject.nix
./lib/services.nix
./lib/inject-nixos-config.nix
./lib/port-magic-multi.nix
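Review bot: With `hostName` dropped from the cluster's arguments and the `{ vars = { inherit hostName; }; }` module removed, the cluster is evaluated once for all hosts, so any remaining read of `config.vars.hostName` inside a cluster-level module has nothing to resolve to; the `./lib/vars` option module that presumably declares it is not in this diff. The host-side replacements elsewhere in this PR use `config.networking.hostName`, which is the right direction, but a comment on the `modules` list, `# cluster config is host-agnostic; per-host data comes from the injected NixOS config`, would make the new contract explicit. The enclosing `lib.evalModules` call continues outside the hunks shown.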


@ -1,15 +0,0 @@
hostName:
{ depot, lib, ... }:
let
cluster = import ./. { inherit lib depot hostName; };
in
{
_module.args.cluster = {
inherit (cluster.config) vars;
inherit (cluster.config.vars) hosts;
inherit (cluster) config;
};
imports = cluster.config.out.injectedNixosConfig;
}


@ -1,10 +1,10 @@
{ lib, ... }:
{ config, lib, ... }:
with lib;
{
options.out.injectedNixosConfig = mkOption {
description = "NixOS configuration modules to inject into the host.";
type = with types; listOf anything;
default = {};
options.out.injectNixosConfig = mkOption {
description = "NixOS configuration to inject into the given host.";
type = with types; functionTo raw;
default = const [];
};
}


@ -1,11 +1,8 @@
vars:
{ config, lib, ... }:
with lib;
let
notSelf = x: x != vars.hostName;
filterGroup = builtins.filter notSelf;
filterGroup = group: hostName: builtins.filter (x: x != hostName) group;
in
{
@ -26,7 +23,7 @@ in
};
otherNodes = mkOption {
description = "Other nodes in the group.";
type = with types; attrsOf (listOf str);
type = with types; attrsOf (functionTo (listOf str));
default = [];
};
nixos = mkOption {
@ -35,5 +32,5 @@ in
default = {};
};
};
config.otherNodes = builtins.mapAttrs (_: filterGroup) config.nodes;
config.otherNodes = builtins.mapAttrs (const filterGroup) config.nodes;
}
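Review bot: `default = []` on `otherNodes` does not match the rewritten type: the option is now `attrsOf (functionTo (listOf str))`, but the default is a list, so any evaluation that reaches the default instead of the `config.otherNodes` assignment fails the type check; `default = {};` is the consistent value. The mismatch predates this change, but since the type is being rewritten here this is the natural place to fix it. The option set enclosing these hunks starts and ends outside the visible lines.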


@ -2,18 +2,25 @@
with lib;
let
getHostConfigurations = svcConfig: hostName:
getHostConfigurations = hostName: svcConfig:
lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
(lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
getServiceConfigurations = svcConfig: getHostConfigurations svcConfig config.vars.hostName;
introspectionModule._module.args.cluster = {
inherit (config) vars;
inherit config;
};
in
{
options.services = mkOption {
description = "Cluster services.";
type = with types; attrsOf (submodule (import ./service-module.nix config.vars));
type = with types; attrsOf (submodule ./service-module.nix);
default = {};
};
config.out.injectedNixosConfig = lib.flatten (lib.mapAttrsToList (_: getServiceConfigurations) config.services);
config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (_: getHostConfigurations hostName) config.services)) ++ [
introspectionModule
];
}
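Review bot: The replacement for the deleted `cluster/inject.nix` drops the `hosts` shortcut: `introspectionModule` exposes `cluster.vars` and `cluster.config`, whereas the removed module also set `cluster.hosts` from `cluster.config.vars.hosts`. No reader of `cluster.hosts` appears in this PR, but any host module that still uses it will fail at evaluation; either add `inherit (config.vars) hosts;` to the introspection args or confirm no reader remains. A one-line comment on the definition, `# injected into every host's NixOS config as the cluster module argument`, would also record why this module is appended to `injectNixosConfig`.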

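--- /dev/null
+++ b/cluster/part.nix
@@ -0,0 +1,11 @@
+{ depot, lib, ... }:
+{
+options.cluster = lib.mkOption {
+type = lib.types.raw;
+};
+config.cluster = import ./. {
+inherit depot lib;
+};
+}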


@ -1,5 +1,5 @@
{ config, tools, ... }:
with tools.nginx;
{ config, depot, ... }:
with depot.lib.nginx;
let
addrSplit' = builtins.split ":" config.services.minio.listenAddress;
addrSplit = builtins.filter builtins.isString addrSplit';
@ -27,7 +27,7 @@ in
services.nginx.appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
'';
services.nginx.virtualHosts."cache.${tools.meta.domain}" = vhosts.basic // {
services.nginx.virtualHosts."cache.${depot.lib.meta.domain}" = vhosts.basic // {
locations = {
"= /".return = "302 /404";
"/" = {


@ -1,4 +1,4 @@
{ config, depot, tools, ... }:
{ config, depot, ... }:
let
mkNarServe = NAR_CACHE_URL: PORT: {
@ -17,6 +17,6 @@
nar-serve-nixos-org.protocol = "http";
};
systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.links.nar-serve-self.portStr;
systemd.services.nar-serve-self = mkNarServe "https://cache.${depot.lib.meta.domain}" config.links.nar-serve-self.portStr;
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
}


@ -1,4 +1,4 @@
{ config, depot, lib, tools, ... }:
{ config, depot, lib, ... }:
let
dataDir = "/srv/storage/private/attic";
@ -52,7 +52,7 @@ in
ReadWritePaths = [ dataDir ];
};
services.nginx.virtualHosts."cache-api.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.atticServer.url // {
services.nginx.virtualHosts."cache-api.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.atticServer.url // {
extraConfig = ''
client_max_body_size 4G;
'';


@ -1,7 +1,7 @@
{ config, lib, pkgs, tools, ... }:
{ config, lib, pkgs, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
extraGroups = [ "nginx" ]
++ lib.optional config.services.kanidm.enableServer "kanidm";


@ -1,7 +1,7 @@
{ config, cluster, lib, tools, ... }:
{ config, cluster, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (config.networking) hostName;
inherit (cluster.config) hostLinks;
cfg = cluster.config.services.consul;
@ -21,7 +21,7 @@ in
node_name = config.networking.hostName;
bind_addr = hl.ipv4;
ports.serf_lan = hl.port;
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) cfg.otherNodes.agent;
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);
};
};


@ -1,13 +1,13 @@
{ config, cluster, depot, lib, tools, ... }:
{ config, cluster, depot, lib, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (depot.reflection) hyprspace;
frontendDomain = "consul-remote.internal.${domain}";
in
{
services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
services.nginx.virtualHosts.${frontendDomain} = depot.lib.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
listenAddresses = lib.singleton hyprspace.addr;
enableACME = false;
useACMEHost = "internal.${domain}";


@ -1,7 +1,7 @@
{ cluster, config, lib, pkgs, tools, ... }:
{ cluster, config, lib, pkgs, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (config.links) pdnsAdmin;
inherit (cluster.config) vars;
@ -96,7 +96,7 @@ in {
};
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
(tools.nginx.vhosts.proxy pdnsAdmin.url)
(depot.lib.nginx.vhosts.proxy pdnsAdmin.url)
# backend sends really big headers for some reason
# increase buffer size accordingly
{


@ -1,14 +1,14 @@
{ cluster, config, depot, lib, tools, ... }:
{ cluster, config, depot, lib, ... }:
let
inherit (depot.reflection) interfaces;
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (config.networking) hostName;
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
patroni = cluster.config.links.patroni-pg-access;
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; master ++ slave) [
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; (master hostName) ++ (slave hostName)) [
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
(lib.concatStringsSep " ")
];


@ -1,15 +1,14 @@
{ cluster, config, depot, lib, pkgs, tools, ... }:
{ cluster, config, depot, lib, ... }:
let
inherit (depot.reflection) interfaces hyprspace;
inherit (tools.meta) domain;
inherit (config.links) localRecursor;
inherit (depot.lib.meta) domain;
inherit (config.networking) hostName;
link = cluster.config.hostLinks.${hostName}.dnsResolver;
backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns) [
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
(map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
(lib.concatStringsSep " ")
];


@ -1,7 +1,7 @@
{ config, depot, lib, ... }:
let
inherit (depot.config) hours;
inherit (depot) hours;
cfg = config.services.dns;
in
{


@ -1,8 +1,8 @@
{ cluster, config, depot, lib, pkgs, tools, ... }:
{ cluster, config, depot, lib, pkgs, ... }:
let
inherit (tools.meta) domain;
inherit (tools.nginx) vhosts;
inherit (depot.lib.meta) domain;
inherit (depot.lib.nginx) vhosts;
inherit (config.age) secrets;
patroni = cluster.config.links.patroni-pg-access;


@ -1,4 +1,4 @@
{ config, lib, tools, ... }:
{ config, lib, depot, ... }:
{
services.hercules-ci-multi-agent = {


@ -1,14 +1,14 @@
{ config, tools, ... }:
{ config, depot, ... }:
{
links = {
idm = {
ipv4 = "idm.${tools.meta.domain}";
ipv4 = "idm.${depot.lib.meta.domain}";
port = 443;
protocol = "https";
};
ldap = {
hostname = "idm-ldap.internal.${tools.meta.domain}";
hostname = "idm-ldap.internal.${depot.lib.meta.domain}";
ipv4 = config.vars.mesh.VEGAS.meshIp;
port = 636;
protocol = "ldaps";


@ -1,7 +1,7 @@
{ cluster, config, lib, tools, ... }:
{ cluster, config, lib, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
frontendLink = cluster.config.links.idm;
@ -38,7 +38,7 @@ in
systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) {
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy backendLink.url) {
locations."/".extraConfig = ''
proxy_ssl_name idm-backend.internal.${domain};
proxy_ssl_trusted_certificate ${certDir}/chain.pem;


@ -1,8 +1,8 @@
{ config, depot, lib, pkgs, tools, ... }:
{ config, depot, lib, pkgs, ... }:
let
inherit (tools.meta) domain;
inherit (tools.nginx) vhosts;
inherit (depot.lib.meta) domain;
inherit (depot.lib.nginx) vhosts;
cfg = config.services.ipfs-cluster;
ipfsCfg = config.services.ipfs;


@ -1,7 +1,7 @@
{ config, depot, lib, tools, ... }:
{ config, depot, lib, ... }:
{
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: depot.lib.summon name ({ depot, ... }: let
host = depot.reflection;
intf = host.interfaces.primary;
self = config.hostLinks.${name}.ipfs;
@ -20,7 +20,7 @@
];
};
};
});
}));
services.ipfs = {
nodes = {
node = [ "VEGAS" "prophet" ];
@ -46,7 +46,7 @@
};
monitoring.blackbox.targets.ipfs-gateway = {
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${tools.meta.domain}/";
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${depot.lib.meta.domain}/";
module = "https2xx";
};
}


@ -1,7 +1,7 @@
{ config, depot, lib, tools, ... }:
with tools.nginx;
{ config, depot, lib, ... }:
with depot.lib.nginx;
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
gw = config.links.ipfsGateway;
cfg = config.services.ipfs;
metrics = config.links.ipfsMetrics;


@ -1,6 +1,6 @@
{ cluster, config, depot, lib, pkgs, tools, ... }:
{ cluster, config, depot, lib, pkgs, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
cfg = config.services.ipfs;
apiAddress = "/unix/run/ipfs/ipfs-api.sock";
ipfsApi = pkgs.writeTextDir "api" apiAddress;
@ -41,7 +41,7 @@ in
extraFlags = [ "--migrate" ];
extraConfig = {
Bootstrap = [
"/ip4/${depot.config.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
"/ip4/${depot.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
"/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
"/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
"/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"
@ -62,7 +62,7 @@ in
ID = extra.peerId;
Addrs = extra.multiaddrs;
})
cluster.config.services.ipfs.otherNodes.node;
(cluster.config.services.ipfs.otherNodes.node config.networking.hostName);
Gateway = {
Writable = false;
APICommands = [];


@ -1,7 +1,7 @@
{ config, tools, ... }:
with tools.nginx;
{ config, depot, ... }:
with depot.lib.nginx;
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
cfg = config.services.ipfs;
gw = config.links.ipfsGateway;
in


@ -1,9 +1,9 @@
{ config, depot, lib, tools, ... }:
{ config, depot, lib, ... }:
let
inherit (depot.config) hours;
inherit (depot) hours;
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
subDomains = {
VEGAS = "eu1";


@ -1,13 +1,14 @@
{ cluster, config, lib, pkgs, tools, ... }:
{ cluster, config, lib, pkgs, depot, ... }:
let
inherit (tools.meta) adminEmail;
inherit (depot.lib.meta) adminEmail;
inherit (cluster) vars;
inherit (config.networking) hostName;
linkGlobalSecure = cluster.config.links.ircSecure;
link = cluster.config.hostLinks.${vars.hostName}.irc;
linkSecure = cluster.config.hostLinks.${vars.hostName}.ircSecure;
otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
link = cluster.config.hostLinks.${hostName}.irc;
linkSecure = cluster.config.hostLinks.${hostName}.ircSecure;
otherServers = map mkServer (cluster.config.services.irc.otherNodes.host hostName);
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
opers = map mkOper vars.ircOpers;
@ -41,7 +42,7 @@ in {
config = ''
[Global]
Name = ${serverName}
Info = Private Void IRC - ${vars.hostName}
Info = Private Void IRC - ${hostName}
Network = PrivateVoidIRC
AdminInfo1 = Private Void Administrators
AdminInfo2 = Contact for help


@ -1,6 +1,6 @@
{ config, tools, ... }:
{ config, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
in
{
age.secrets = {


@ -1,4 +1,4 @@
{ config, tools, ... }:
{ config, depot, ... }:
{
age.secrets = {
coturn-static-auth = {
@ -11,7 +11,7 @@
services.coturn = {
enable = true;
no-cli = true;
realm = tools.meta.domain;
realm = depot.lib.meta.domain;
no-tcp-relay = true;
min-port = 64000;


@ -1,4 +1,4 @@
{ tools, ... }:
{ depot, ... }:
{
services.matrix = {
@ -13,7 +13,7 @@
};
monitoring.blackbox.targets.matrix = {
address = "https://matrix.${tools.meta.domain}/_matrix/federation/v1/version";
address = "https://matrix.${depot.lib.meta.domain}/_matrix/federation/v1/version";
module = "https2xx";
};
}


@ -1,6 +1,6 @@
{ config, pkgs, tools, ... }:
{ config, pkgs, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
"m.server" = "matrix.${domain}:443";
});


@ -1,6 +1,6 @@
{ cluster, config, lib, pkgs, tools, ... }:
{ cluster, config, lib, pkgs, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
patroni = cluster.config.links.patroni-pg-access;
@ -121,8 +121,8 @@ in {
]) ++ [ dbConfigOut ];
};
services.nginx.virtualHosts = tools.nginx.mappers.mapSubdomains {
matrix = tools.nginx.vhosts.basic // {
services.nginx.virtualHosts = depot.lib.nginx.mappers.mapSubdomains {
matrix = depot.lib.nginx.vhosts.basic // {
locations."/".return = "204";
locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008";


@ -1,6 +1,6 @@
{ depot, lib, pkgs, tools, ... }:
{ depot, lib, pkgs, ... }:
let
inherit (tools.nginx) domain vhosts;
inherit (depot.lib.nginx) domain vhosts;
inherit (depot.packages) cinny;
in
{


@ -1,4 +1,4 @@
{ tools, ... }:
{ depot, ... }:
{
services.meet = {
@ -7,7 +7,7 @@
};
monitoring.blackbox.targets.jitsi-videobridge = {
address = "meet.${tools.meta.domain}:7777";
address = "meet.${depot.lib.meta.domain}:7777";
module = "tcpConnect";
};
}


@ -1,4 +1,4 @@
{ config, lib, depot, tools, ... }:
{ config, lib, depot, ... }:
let
inherit (config) links;
@ -11,7 +11,7 @@ in
services.jitsi-meet = {
enable = true;
hostName = "meet.${tools.meta.domain}";
hostName = "meet.${depot.lib.meta.domain}";
nginx.enable = true;
jicofo.enable = true;
videobridge.enable = true;
@ -38,7 +38,7 @@ in
publicAddress = interfaces.primary.addrPublic;
};
};
services.nginx.virtualHosts."meet.${tools.meta.domain}" = {
services.nginx.virtualHosts."meet.${depot.lib.meta.domain}" = {
enableACME = true;
forceSSL = true;
locations."=/images/watermark.svg" = {


@ -1,9 +1,9 @@
{ config, cluster, lib, tools, ... }:
{ cluster, config, lib, depot, ... }:
let
inherit (lib) flip pipe mapAttrsToList range recursiveUpdate substring;
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (cluster.config) vars;
mapTargets = mapAttrsToList (name: value: value // { name = "default/${name}"; });
@ -19,7 +19,7 @@ let
})
]) (range 1 1);
probeId = pipe "blackbox-probe-${domain}-${vars.hostName}" [
probeId = pipe "blackbox-probe-${domain}-${config.networking.hostName}" [
(builtins.hashString "md5")
(substring 0 8)
];
@ -39,7 +39,7 @@ in
{
services.grafana-agent.settings.integrations.blackbox = {
enabled = true;
instance = vars.hostName;
instance = config.networking.hostName;
scrape_interval = "600s";
relabel_configs = [
(relabel "__param_module" "module")


@ -1,4 +1,4 @@
{ cluster, lib, ... }:
{ cluster, config, lib, ... }:
let
inherit (lib) singleton;
@ -17,7 +17,7 @@ in {
};
integrations.node_exporter = {
enabled = true;
instance = cluster.config.vars.hostName;
instance = config.networking.hostName;
enable_collectors = [
"systemd"
];
@ -32,7 +32,7 @@ in {
job_name = "journal";
journal = {
max_age = "12h";
labels.host = cluster.config.vars.hostName;
labels.host = config.networking.hostName;
};
relabel_configs = [
(relabel "__journal__systemd_unit" "systemd_unit")


@ -1,6 +1,6 @@
{ cluster, config, depot, lib, pkgs, tools, ... }:
{ cluster, config, depot, lib, pkgs, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
inherit (cluster.config.links) loki-ingest prometheus-ingest;
@ -97,7 +97,7 @@ in
services.nginx = {
upstreams.grafana-ha.servers = lib.mapAttrs' (_: links: lib.nameValuePair links.grafana.tuple {}) (lib.getAttrs (svc.nodes.grafana) hostLinks);
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://grafana-ha") {
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy "http://grafana-ha") {
locations."/".proxyWebsockets = true;
};
};


@ -1,4 +1,4 @@
{ tools, ... }:
{ depot, ... }:
{
services.nextcloud = {
@ -7,7 +7,7 @@
};
monitoring.blackbox.targets.nextcloud = {
address = "https://storage.${tools.meta.domain}/status.php";
address = "https://storage.${depot.lib.meta.domain}/status.php";
module = "nextcloudStatus";
};
}


@ -1,4 +1,4 @@
{ cluster, config, lib, pkgs, tools, ... }:
{ cluster, config, lib, pkgs, depot, ... }:
let
patroni = cluster.config.links.patroni-pg-access;
in
@ -22,7 +22,7 @@ in
enableBrokenCiphersForSSE = false;
enable = true;
https = true;
hostName = "storage.${tools.meta.domain}";
hostName = "storage.${depot.lib.meta.domain}";
home = "/srv/storage/www-app/nextcloud";
maxUploadSize = "4G";
enableImagemagick = true;


@ -1,7 +1,7 @@
{ config, tools, ... }:
{ depot, ... }:
let
inherit (tools.meta) adminEmail;
inherit (depot.lib.meta) adminEmail;
in {
security.acme.defaults.email = adminEmail;
security.acme.acceptTerms = true;
@ -24,15 +24,6 @@ in {
access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki;
'';
};
services.phpfpm.pools.www = {
inherit (config.services.nginx) user group;
settings = {
pm = "ondemand";
"pm.max_children" = 16;
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.after = [ "network-online.target" ];
}
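Review bot: Removing `services.phpfpm.pools.www` here appears to outrun its last user: the deleted `extra-sites.nix` was one `simplePHP` site, but the `"get" = simplePHP "/srv/storage/www/dietldb"` vhost in the other websites file of this PR is unchanged context, and if `depot.lib.nginx.vhosts.simplePHP` still proxies to the `www` pool's socket that site will now answer with backend errors. Either keep the pool while a `simplePHP` vhost remains, or retire the remaining PHP vhost in the same change so the two stay consistent. The `in {` attribute set enclosing this hunk starts outside it.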


@ -1,4 +1,4 @@
{ tools, ... }:
{ depot, ... }:
{
services.object-storage = {
@ -7,7 +7,7 @@
};
monitoring.blackbox.targets.object-storage = {
address = "https://object-storage.${tools.meta.domain}/minio/health/live";
address = "https://object-storage.${depot.lib.meta.domain}/minio/health/live";
module = "https2xx";
};
}


@ -1,5 +1,5 @@
{ config, lib, tools, ... }:
with tools.nginx;
{ config, lib, depot, ... }:
with depot.lib.nginx;
let
inherit (config) links;


@ -12,9 +12,9 @@ in
services.grafana-agent = {
settings.integrations.postgres_exporter = {
enabled = true;
instance = vars.hostName;
instance = config.networking.hostName;
data_source_names = [
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp vars.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp config.networking.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
];
autodiscover_databases = true;
};


@ -2,6 +2,7 @@
let
inherit (cluster.config) vars;
inherit (config.networking) hostName;
getMeshIp = name: vars.mesh.${name}.meshIp;
@ -32,7 +33,7 @@ in
];
services.patroni = {
enable = true;
name = vars.hostName;
name = hostName;
postgresqlPackage = pg;
postgresqlDataDir ="${baseDir}/${pg.psqlSchema}";
postgresqlPort = cluster.config.links.patroni-pg-internal.port;
@ -40,8 +41,8 @@ in
scope = "poseidon";
namespace = "/patroni";
nodeIp = getMeshIp vars.hostName;
otherNodesIps = map getMeshIp cluster.config.services.patroni.otherNodes.worker;
nodeIp = getMeshIp hostName;
otherNodesIps = map getMeshIp (cluster.config.services.patroni.otherNodes.worker hostName);
raft = false;
softwareWatchdog = true;
settings = {
@ -68,7 +69,7 @@ in
superuser.username = "postgres";
};
parameters = {
listen_addresses = getMeshIp vars.hostName;
listen_addresses = getMeshIp hostName;
wal_level = "replica";
hot_standby_feedback = "on";
unix_socket_directories = "/tmp";


@ -1,4 +1,4 @@
{ tools, ... }:
{ depot, ... }:
{
services.search = {
@ -7,7 +7,7 @@
};
monitoring.blackbox.targets.search = {
address = "https://search.${tools.meta.domain}/healthz";
address = "https://search.${depot.lib.meta.domain}/healthz";
module = "https2xx";
};
}


@ -1,4 +1,4 @@
{ config, depot, lib, tools, ... }:
{ config, depot, lib, ... }:
let
inherit (config) links;
in
@ -56,7 +56,7 @@ in
disable-logging = true;
};
};
services.nginx.virtualHosts."search.${tools.meta.domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy links.searxng.url) {
services.nginx.virtualHosts."search.${depot.lib.meta.domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy links.searxng.url) {
extraConfig = "access_log off;";
};
systemd.services.uwsgi.after = [ "wireguard-wgmv.service" "network-addresses-wgmv.service" ];


@ -1,8 +1,8 @@
{ tools, ... }:
{ depot, ... }:
{
monitoring.blackbox.targets.soda-machine = {
address = "soda.int.${tools.meta.domain}:22";
address = "soda.int.${depot.lib.meta.domain}:22";
module = "sshConnect";
};
}


@ -1,19 +1,19 @@
{ config, depot, lib, pkgs, tools, ... }:
with tools.nginx;
{ config, depot, lib, pkgs, ... }:
with depot.lib.nginx;
{
# TODO: not a whole lot to configure, maybe add some autoconfig stuff
services.jellyfin = {
enable = true;
package = depot.packages.jellyfin;
};
services.nginx.virtualHosts."warehouse.${tools.meta.domain}" = lib.mkMerge [
services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}" = lib.mkMerge [
(vhosts.proxy "http://127.0.0.1:8096")
{
locations."/".extraConfig = ''
proxy_buffering off;
'';
locations."/socket" = {
inherit (config.services.nginx.virtualHosts."warehouse.${tools.meta.domain}".locations."/") proxyPass;
inherit (config.services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}".locations."/") proxyPass;
proxyWebsockets = true;
};
# TODO: video cache


@ -1,14 +1,7 @@
{ depot, lib, tools, ... }:
{ depot, lib, ... }:
let
inherit (tools.meta) domain;
importWebsites = expr: import expr {
tools = tools.nginx;
inherit (depot) packages;
};
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
inherit (depot.lib.meta) domain;
acmeUseDNS = name: conf: {
name = conf.useACMEHost or conf.serverName or name;
@ -24,7 +17,16 @@ in
{
services.websites = {
nodes.host = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
nixos.host = {
nixos.host = { config, depot, ... }: let
importWebsites = expr: import expr {
tools = depot.lib.nginx;
inherit (depot) packages;
};
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
in {
services.nginx.virtualHosts = websites;
security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
consul.services.nginx = {


@ -1,7 +1,7 @@
{ config, depot, lib, ... }:
let
inherit (depot.config) hours;
inherit (depot) hours;
meshNet = rec {
netAddr = "10.1.1.0";


@ -30,7 +30,7 @@ in
ips = [ "${link.extra.meshIp}/24" ];
listenPort = link.port;
privateKeyFile = config.age.secrets.wireguard-key-core.path;
peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh;
peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
};
};
};


@ -19,6 +19,7 @@
./packages/part.nix
./jobs/part.nix
./lib/part.nix
./cluster/part.nix
];
};


@ -1,6 +1,6 @@
{ config, lib, tools, ... }:
{ config, lib, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
cfg = config.services.oauth2_proxy;
in


@ -1,9 +1,9 @@
{ config, lib, tools, ... }:
{ config, lib, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
apiAddr = "api.${domain}";
proxyTarget = config.links.api.url;
proxy = tools.nginx.vhosts.proxy proxyTarget;
proxy = depot.lib.nginx.vhosts.proxy proxyTarget;
in
{
# n8n uses "Sustainable Use License"


@ -4,7 +4,7 @@
networking.nat.forwardPorts = [
{
sourcePort = 52222;
destination = "${depot.config.hours.soda.interfaces.primary.addr}:22";
destination = "${depot.hours.soda.interfaces.primary.addr}:22";
proto = "tcp";
}
];


@ -1,5 +1,5 @@
{ config, lib, tools, ... }:
with tools.nginx;
{ config, lib, depot, ... }:
with depot.lib.nginx;
{
links.bitwarden.protocol = "http";


@ -1,10 +1,9 @@
{ config, lib, toolsets, ... }:
{ depot, lib, ... }:
let
tools = toolsets.nginx {
inherit lib config;
domain = "cdn-shield.privatevoid.net";
};
tools = (depot.lib.override {
meta.domain = lib.mkForce "cdn-shield.privatevoid.net";
}).nginx;
in
{
services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; });


@ -1,5 +1,5 @@
{ config, tools, ... }:
with tools.nginx;
{ config, depot, ... }:
with depot.lib.nginx;
{
links = {
ombi.protocol = "http";


@ -1,7 +1,7 @@
{ cluster, config, lib, tools, ... }:
{ cluster, config, lib, depot, ... }:
let
inherit (tools.meta) domain adminEmail;
inherit (depot.lib.meta) domain adminEmail;
patroni = cluster.config.links.patroni-pg-access;
@ -106,5 +106,5 @@ in
};
};
services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}


@ -1,10 +1,9 @@
{ tools, ... }:
with tools.nginx.mappers;
with tools.nginx.vhosts;
{ depot, ... }:
with depot.lib.nginx.mappers;
with depot.lib.nginx.vhosts;
{
services.nginx.virtualHosts = mapSubdomains {
"bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist";
"get" = simplePHP "/srv/storage/www/dietldb";
"rzentrale" = static "/srv/storage/www/rzentrale";
"wunschnachricht" = static "/srv/storage/www/wunschnachricht";
};


@ -1,4 +1,4 @@
{ tools, ... }:
{ depot, ... }:
{
imports = [
./imap.nix
@ -6,12 +6,12 @@
./postfix.nix
./saslauthd.nix
];
services.nginx.virtualHosts."mail.${tools.meta.domain}" = {
services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
enableACME = true;
locations."/".return = "204";
};
security.acme.certs."mail.${tools.meta.domain}".extraDomainNames = map
(x: "${x}.${tools.meta.domain}") [
security.acme.certs."mail.${depot.lib.meta.domain}".extraDomainNames = map
(x: "${x}.${depot.lib.meta.domain}") [
"mx"
"imap"
"smtp"


@ -1,7 +1,7 @@
{ config, pkgs, tools, ... }:
{ config, pkgs, depot, ... }:
let
inherit (tools.identity) ldap;
inherit (tools.meta) domain;
inherit (depot.lib.identity) ldap;
inherit (depot.lib.meta) domain;
postfixCfg = config.services.postfix;


@ -1,6 +1,6 @@
{ lib, tools, ... }:
{ lib, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
in
{
services.opendkim = {


@ -1,6 +1,6 @@
{ config, depot, tools, ... }:
{ config, depot, ... }:
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
certDir = config.security.acme.certs."mail.${domain}".directory;
receivePolicy = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ];


@ -1,6 +1,6 @@
{ pkgs, tools, ... }:
{ pkgs, depot, ... }:
let
inherit (tools.identity) ldap;
inherit (depot.lib.identity) ldap;
in
{
services.saslauthd = {


@ -1,4 +1,4 @@
{ config, depot, tools, ... }:
{ config, depot, ... }:
{
links.nixIpfs.protocol = "http";
@ -17,11 +17,11 @@
IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress;
NIX_CACHES = toString [
"https://cache.nixos.org"
"https://cache.${tools.meta.domain}"
"https://cache.${depot.lib.meta.domain}"
"https://max.cachix.org"
];
};
};
services.nginx.virtualHosts."reflex.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.nixIpfs.url;
services.nginx.virtualHosts."reflex.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.nixIpfs.url;
}


@ -1,7 +1,7 @@
{ cluster, config, depot, lib, tools, ... }:
with tools.nginx;
{ cluster, config, depot, lib, ... }:
with depot.lib.nginx;
let
login = "login.${tools.meta.domain}";
login = "login.${depot.lib.meta.domain}";
kc = config.links.keycloak;
patroni = cluster.config.links.patroni-pg-access;
in


@ -1,9 +1,9 @@
{ tools, ... }:
with tools.nginx.vhosts;
{ depot, ... }:
with depot.lib.nginx.vhosts;
let
inherit (tools.meta) domain;
inherit (depot.lib.meta) domain;
front = "ident.${domain}";
back = tools.identity.ldap.server.hostname;
back = depot.lib.identity.ldap.server.hostname;
in
{
services.nginx.virtualHosts."${front}" = basic // {


@ -1,4 +1,4 @@
{ config, pkgs, tools, ... }:
{ config, pkgs, depot, ... }:
{
services.vault = {
@ -8,5 +8,5 @@
extraConfig = "ui = true";
package = pkgs.vault-bin;
};
services.nginx.virtualHosts."vault.${tools.meta.domain}" = tools.nginx.vhosts.proxy "http://${config.services.vault.address}";
services.nginx.virtualHosts."vault.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy "http://${config.services.vault.address}";
}


@ -1,14 +1,12 @@
{ depot, tools, ... }:
{ depot, ... }:
let
importWebsites = expr: import expr {
tools = tools.nginx;
tools = depot.lib.nginx;
inherit (depot) packages;
};
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
extraWebsites = importWebsites ./extra-sites.nix;
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
in {
services.nginx.virtualHosts = websites // extraWebsites;
services.nginx.virtualHosts = websites;
}


@ -1,8 +0,0 @@
{ tools, ... }:
with tools.vhosts;
let
noSSL = { enableACME = false; forceSSL = false; };
in
{
"ky.rip" = simplePHP "/srv/storage/www/ky.rip" // noSSL;
}


@ -1,4 +1,4 @@
{ config, depot, tools, ... }:
{ config, depot, ... }:
{
imports =
@ -43,7 +43,7 @@
networking.hostName = "VEGAS";
networking.domain = "backbone.${tools.meta.domain}";
networking.domain = "backbone.${depot.lib.meta.domain}";
time.timeZone = "Europe/Helsinki";
@ -94,7 +94,7 @@
path = depot.nixosConfigurations.soda.config.system.build.toplevel;
privateNetwork = true;
hostBridge = "vmdefault";
localAddress = "${depot.config.hours.soda.interfaces.primary.addr}/24";
localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
autoStart = true;
bindMounts.sodaDir = {
hostPath = "/srv/storage/www/soda";


@ -17,7 +17,7 @@
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "checkmate";
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
time.timeZone = "Europe/Zurich";


@ -1,23 +1,13 @@
{ config, inputs, lib, self, withSystem, ... }:
{ config, lib, ... }:
let
inherit (lib) const mapAttrs nixosSystem;
inherit (lib) mapAttrs nixosSystem;
inherit (config) gods;
mkSpecialArgs = system: hostName: withSystem system ({ inputs', self', ... }: {
depot = self // self' // {
inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
inherit config;
# peer into the Watchman's Glass
reflection = config.hours.${hostName};
};
toolsets = import ../tools;
});
mkNixOS = name: host: nixosSystem {
specialArgs = mkSpecialArgs host.system name;
specialArgs = config.lib.summon name lib.id;
inherit (host) system;
modules = [ host.nixos ../tools/inject.nix (import ../cluster/inject.nix name) ];
modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;
};
in {
flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
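Review bot: `modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;` assumes the injected value is always a list; if the option's type does not pin that, a function that returns a single module fails here with a list-concatenation error instead of a type error at the option. Either write `modules = [ host.nixos ] ++ lib.toList (config.cluster.config.out.injectNixosConfig name);` or tighten the option to `functionTo (listOf deferredModule)` where it is declared. `specialArgs = config.lib.summon name lib.id;` also deserves a one-line comment, since `summon` is a continuation-passing helper and `lib.id` just returns the attrset it builds, e.g. `# summon takes a continuation; lib.id hands back the { depot = …; } it constructs`. The closing brace of the `in {` block is not visible in the hunk.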


@ -19,7 +19,7 @@
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "prophet";
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
time.timeZone = "Europe/Zurich";


@ -14,9 +14,9 @@
networking.interfaces.eth0.useDHCP = true;
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
networking.resolvconf.extraConfig = "local_nameservers='${depot.config.hours.VEGAS.interfaces.vstub.addr}'";
networking.resolvconf.extraConfig = "local_nameservers='${depot.hours.VEGAS.interfaces.vstub.addr}'";
networking.hostName = "soda";


@ -17,7 +17,7 @@
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "thunderskin";
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
time.timeZone = "Europe/Zurich";

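--- /dev/null
+++ b/lib/hours.nix
@@ -0,0 +1,18 @@
+{ config, inputs, lib, self, withSystem, ... }:
+let
+inherit (lib) const mapAttrs;
+in
+{
+lib.summon = name: f: let
+lift = config;
+hour = config.hours.${name};
+in withSystem hour.system ({ config, inputs', self', ... }: f {
+depot = self // self' // lift // config // {
+inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
+# peer into the Watchman's Glass
+reflection = hour;
+};
+});
+}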
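Review bot: In `inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;` the lambda parameter `name` shadows the host-name parameter of `lib.summon = name: f:` declared a few lines above; it is harmless because `const` discards it, but it reads as if the host name were being reused, so rename it, e.g. `inputs = mapAttrs (inputName: const (inputs.${inputName} // inputs'.${inputName})) inputs;`. The merge `self // self' // lift // config // { … }` gives the per-system `config` precedence over the flake-level `lift` on any shared attribute name, and `lift` is not an obvious name for the outer config; a comment such as `# lift = flake-level config captured before withSystem rebinds config; later operands win on name clashes` would make both explicit. Since every host's `specialArgs` now appears to receive the whole flake-level config through `depot`, it is worth stating in the description whether that widening of what module code can reach is intended.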

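--- /dev/null
+++ b/lib/identity.nix
@@ -0,0 +1,37 @@
+{ lib, ... }:
+{
+lib = { config, ... }: with config.identity; {
+identity = {
+inherit (config.meta) domain;
+autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
+ldap = {
+server = with ldap.server; {
+# TODO: unhardcode everything here
+protocol = "ldaps";
+hostname = "authsys.virtual-machines.${domain}";
+port = 636;
+url = "${protocol}://${connectionString}";
+connectionString = "${hostname}:${builtins.toString port}";
+};
+accounts = with ldap.accounts; {
+domainComponents = ldap.lib.convertDomain domain;
+uidAttribute = "uid";
+uidFilter = "(${uidAttribute}=%u)";
+userSearchBase = "cn=users,cn=accounts,${domainComponents}";
+};
+lib = {
+convertDomain = domain: with builtins; lib.pipe domain [
+(split "\\.")
+(filter isString)
+(map (x: "dc=${x}"))
+(concatStringsSep ",")
+];
+};
+};
+};
+};
+}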
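Review bot: `convertDomain` relies on a non-obvious property of `builtins.split`: it returns a list alternating string segments and match lists, so `filter isString` is what discards the separator matches; a comment on that line, e.g. `# split yields [ str [match] str … ]; keep only the string segments`, would spare the next reader a trip to the manual. The outer `lib = { config, ... }: with config.identity; { … }` also deserves a header comment explaining that `config` here is the lib submodule itself, so `config.meta` and the `with config.identity` self-references resolve lazily against sibling entries. The `# TODO: unhardcode everything here` is carried over from the deleted toolset unchanged; if this refactor is the moment to wire `ldap.server` to options, say so, otherwise the TODO could name what is still expected to move.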

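--- /dev/null
+++ b/lib/meta.nix
@@ -0,0 +1,8 @@
+{
+lib = { config, ... }: with config.meta; {
+meta = {
+domain = "privatevoid.net";
+adminEmail = "admins@${domain}";
+};
+};
+}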

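--- /dev/null
+++ b/lib/nginx.nix
@@ -0,0 +1,50 @@
+{ lib, ... }:
+{
+lib = { config, ... }: with config.nginx; {
+nginx = {
+inherit (config.meta) domain;
+mappers = {
+mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
+};
+vhosts = with vhosts; {
+basic = {
+forceSSL = true;
+enableACME = true;
+};
+redirect = target: basic // {
+locations."/".return = "301 ${target}";
+};
+proxy = target: basic // {
+locations."/".proxyPass = target;
+};
+static = root: basic // {
+inherit root;
+};
+indexedStatic = root: (static root) // {
+extraConfig = "autoindex on;";
+};
+proxyGhost = scheme: target: basic // {
+locations."/".extraConfig = ''
+proxy_pass ${scheme}://${target};
+proxy_set_header Host ${target};
+proxy_set_header Referer ${scheme}://${target};
+proxy_cookie_domain ${target} domain.invalid;
+proxy_set_header Cookie "";
+'';
+};
+};
+};
+};
+}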
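Review bot: `proxyGhost` strips the client cookie (`proxy_set_header Cookie "";`) and rewrites the upstream's cookie domain to `domain.invalid`, which looks like deliberate isolation of the upstream's session state from the proxying host but is not explained anywhere; a short comment above it, e.g. `# ghost proxy: present the upstream as if visited directly, never forward client cookies or accept upstream ones`, would stop someone "fixing" it later. `vhosts = with vhosts; { … }` and the enclosing `with config.nginx` both rely on the lib submodule's lazy self-reference (`basic` and `static` are looked up through `config.nginx.vhosts`), so one header comment on that pattern would cover both and also explain why `domain` comes from `config.meta` rather than a parameter.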


@ -1,5 +1,27 @@
{ config, lib, ... }:
{
imports = [
./time-travel.nix
./hours.nix
./meta.nix
./nginx.nix
./identity.nix
];
options.lib = lib.mkOption {
default = {};
type = with lib.types; submodule ({ extendModules, ... }: {
freeformType = let
t = either (lazyAttrsOf t) raw;
in t;
config.override = conf: let
overridden = extendModules {
modules = [ conf ];
};
in overridden.config;
});
};
config._module.args.depot = config;
}
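Review bot: `config.override = conf: …` inside the freeform `lib` submodule means any module that sets `lib.override` for its own purposes will collide with this helper, and neither that reservation nor the recursive `freeformType` (`either (lazyAttrsOf t) raw`) nor the `extendModules`-based re-evaluation is documented; a header comment such as `# depot.lib: freeform, lazily-typed attribute tree; lib.override conf re-evaluates it with extra modules (override is reserved)` would cover all three. `config._module.args.depot = config;` exposes the entire flake-parts config as `depot` to every module; if that is the intended public surface, say so in a comment, because it is easy to read as an accident of the refactor.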


@ -1,18 +1,3 @@
{ config, lib, ... }:
let
timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
in
{
_module.args = { inherit timeTravel; };
perSystem = { system, ... }: {
_module.args.timeTravel' = rev: let
flake = timeTravel rev;
flake' = config.perInput system flake;
in flake' // {
inputs = lib.mapAttrs (_: input: config.perInput system input) flake.inputs;
};
};
lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
}
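Review bot: `lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";` accepts any ref, so a caller passing a branch or tag name gets whatever that ref points to at evaluation time rather than a pinned revision; document the contract, e.g. `# rev must be a full commit hash; branch or tag names make the evaluation non-reproducible`, or enforce it with an assertion on the string's length and character set. The per-system `timeTravel'` variant (the `config.perInput` wrapper) is removed without a replacement visible in this hunk; if any caller used it, it needs migrating, and the description should mention that both `_module.args.timeTravel` and `timeTravel'` are gone.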


@ -1,6 +1,6 @@
{ config, depot, lib, tools, ... }:
{ config, depot, lib, ... }:
let
orgDomain = tools.meta.domain;
orgDomain = depot.lib.meta.domain;
host = depot.reflection;
in {
networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}";


@ -2,7 +2,7 @@
let
inherit (config.networking) hostName;
inherit (depot.packages) hyprspace;
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.config.hours;
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.hours;
peersFormatted = builtins.mapAttrs (_: x: {
inherit (x.hyprspace) id;
routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);


@ -1,4 +1,4 @@
{ depot, tools, ... }:
{ depot, ... }:
{
nix = {
@ -6,7 +6,7 @@
settings = {
trusted-users = [ "root" "@wheel" "@admins" ];
substituters = [ "https://cache.${tools.meta.domain}" ];
substituters = [ "https://cache.${depot.lib.meta.domain}" ];
trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
};
@ -14,7 +14,7 @@
experimental-features = nix-command flakes cgroups
use-cgroups = true
builders-use-substitutes = true
flake-registry = https://git.${tools.meta.domain}/private-void/registry/-/raw/master/registry.json
flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
# For Hercules CI agent
narinfo-cache-negative-ttl = 0


@ -1,6 +1,6 @@
{ depot, lib, ... }:
let
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.config.hours;
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.hours;
idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;


@ -1,17 +1,11 @@
{ lib, self, ... }:
{ config, self, ... }:
{
perSystem = { filters, pkgs, self', ... }: let
fakeCluster = import ../../cluster {
inherit lib;
hostName = throw "not available in test environment";
depot = throw "not available in test environment";
};
in {
perSystem = { filters, pkgs, self', ... }: {
checks = filters.doFilter filters.checks {
jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix {
inherit (self'.packages) jellyfin;
inherit fakeCluster;
inherit (config) cluster;
};
keycloak = pkgs.callPackage ./keycloak-custom-jre.nix {


@ -1,10 +1,10 @@
{ nixosTest, fakeCluster, jellyfin }:
{ nixosTest, cluster, jellyfin }:
nixosTest {
name = "jellyfin-stateless";
nodes = {
machine = {
imports = fakeCluster.config.services.warehouse.nixos.host;
imports = cluster.config.services.warehouse.nixos.host;
_module.args.depot.packages.jellyfin = jellyfin;
};
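Review bot: `imports = cluster.config.services.warehouse.nixos.host;` now takes the host configuration from the shared cluster evaluation, whereas the previous `fakeCluster` (built with `depot = throw "not available in test environment"`) guaranteed that the service's NixOS modules could not reach into depot; that isolation property is no longer checked by this test. If the warehouse host config now carries its own `_module.args.depot`, the `_module.args.depot.packages.jellyfin = jellyfin;` override on the next line may no longer replace a throwing stub but conflict with or be merged into an existing value, so the check is worth running once before merge. A comment stating that the test intentionally uses the real cluster evaluation would make the change of intent explicit. The `nixosTest {` argument set continues beyond the hunk.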


@ -1,10 +0,0 @@
let toolsets = {
meta = import ./meta.nix;
identity = import ./identity.nix { inherit toolsets; };
networks = import ./networks.nix { inherit toolsets; };
nginx = import ./nginx.nix { inherit toolsets; };
};
in toolsets // {
all = args: (builtins.mapAttrs (_: x: x args) toolsets) // { inherit (toolsets) meta; };
}


@ -1,40 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ lib ? null, domain ? toolsets.meta.domain, ... }:
let
tools = (self: {
inherit domain;
autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
ldap = {
server = with self.ldap.server; {
# TODO: unhardcode everything here
protocol = "ldaps";
hostname = "authsys.virtual-machines.${domain}";
port = 636;
url = "${protocol}://${connectionString}";
connectionString = "${hostname}:${builtins.toString port}";
};
accounts = with self.ldap.accounts; {
domainComponents = self.ldap.lib.convertDomain domain;
uidAttribute = "uid";
uidFilter = "(${uidAttribute}=%u)";
userSearchBase = "cn=users,cn=accounts,${domainComponents}";
};
lib = {
convertDomain = domain: with builtins; lib.pipe domain [
(split "\\.")
(filter isString)
(map (x: "dc=${x}"))
(concatStringsSep ",")
];
};
};
dns.master.addr = "10.10.0.11";
kerberos.kdc = "authsys.virtual-machines.${domain}";
}) tools;
in tools


@ -1,4 +0,0 @@
{ pkgs, lib, config, ... }:
{
_module.args.tools = (import ./.).all { inherit pkgs lib config; };
}


@ -1,4 +0,0 @@
rec {
domain = "privatevoid.net";
adminEmail = "admins@${domain}";
}


@ -1,20 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ lib ? null, ... }:
let
tools = (self: {
all = {};
ipv4.all = {};
ipv4.internal = {
addr = "10.0.0.0/8";
vpn = {
addr = "10.100.0.0/16";
};
};
}) tools;
in tools


@ -1,58 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ config ? null, lib ? null, domain ? toolsets.meta.domain, ... }:
let
tools = (self: {
inherit domain;
mappers = {
mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
};
vhosts = with self.vhosts; {
basic = {
forceSSL = true;
enableACME = true;
};
redirect = target: basic // {
locations."/".return = "301 ${target}";
};
proxy = target: basic // {
locations."/".proxyPass = target;
};
static = root: basic // {
inherit root;
};
indexedStatic = root: (static root) // {
extraConfig = "autoindex on;";
};
simplePHP = root: (static root) // {
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.www.socket};
fastcgi_index index.php;
'';
};
proxyGhost = scheme: target: basic // {
locations."/".extraConfig = ''
proxy_pass ${scheme}://${target};
proxy_set_header Host ${target};
proxy_set_header Referer ${scheme}://${target};
proxy_cookie_domain ${target} domain.invalid;
proxy_set_header Cookie "";
'';
};
};
}) tools;
in tools