Massive Refactor #95
96 changed files with 373 additions and 424 deletions
|
@ -1,4 +1,4 @@
|
||||||
{ lib, depot, hostName }:
|
{ lib, depot }:
|
||||||
|
|
||||||
lib.evalModules {
|
lib.evalModules {
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
|
@ -7,12 +7,10 @@ lib.evalModules {
|
||||||
modules = [
|
modules = [
|
||||||
# Arbitrary variables to reference across multiple services
|
# Arbitrary variables to reference across multiple services
|
||||||
./lib/vars
|
./lib/vars
|
||||||
{ vars = { inherit hostName; }; }
|
|
||||||
|
|
||||||
# Cluster-level port-magic
|
# Cluster-level port-magic
|
||||||
../modules/port-magic
|
../modules/port-magic
|
||||||
|
|
||||||
../tools/inject.nix
|
|
||||||
./lib/services.nix
|
./lib/services.nix
|
||||||
./lib/inject-nixos-config.nix
|
./lib/inject-nixos-config.nix
|
||||||
./lib/port-magic-multi.nix
|
./lib/port-magic-multi.nix
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
hostName:
|
|
||||||
{ depot, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
cluster = import ./. { inherit lib depot hostName; };
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
|
||||||
_module.args.cluster = {
|
|
||||||
inherit (cluster.config) vars;
|
|
||||||
inherit (cluster.config.vars) hosts;
|
|
||||||
inherit (cluster) config;
|
|
||||||
};
|
|
||||||
imports = cluster.config.out.injectedNixosConfig;
|
|
||||||
}
|
|
|
@ -1,10 +1,10 @@
|
||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
options.out.injectedNixosConfig = mkOption {
|
options.out.injectNixosConfig = mkOption {
|
||||||
description = "NixOS configuration modules to inject into the host.";
|
description = "NixOS configuration to inject into the given host.";
|
||||||
type = with types; listOf anything;
|
type = with types; functionTo raw;
|
||||||
default = {};
|
default = const [];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
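Review bot: The renamed `injectNixosConfig` option is now a function, but its description does not say what the function takes or returns, and `functionTo raw` appears to allow only a single definition (raw merges with mergeOneOption), so a second module contributing modules would be a hard conflict rather than a concatenation. I would state the contract in the description, e.g. `description = "Function from a host name to the list of NixOS modules injected into that host.";`, and, if more than one definer is ever expected, consider `functionTo (listOf raw)` so definitions merge. The `default = const [];` is consistent with a list-returning function either way.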
@ -1,11 +1,8 @@
|
||||||
vars:
|
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
notSelf = x: x != vars.hostName;
|
filterGroup = group: hostName: builtins.filter (x: x != hostName) group;
|
||||||
|
|
||||||
filterGroup = builtins.filter notSelf;
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -26,7 +23,7 @@ in
|
||||||
};
|
};
|
||||||
otherNodes = mkOption {
|
otherNodes = mkOption {
|
||||||
description = "Other nodes in the group.";
|
description = "Other nodes in the group.";
|
||||||
type = with types; attrsOf (listOf str);
|
type = with types; attrsOf (functionTo (listOf str));
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
nixos = mkOption {
|
nixos = mkOption {
|
||||||
|
@ -35,5 +32,5 @@ in
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config.otherNodes = builtins.mapAttrs (_: filterGroup) config.nodes;
|
config.otherNodes = builtins.mapAttrs (const filterGroup) config.nodes;
|
||||||
}
|
}
|
||||||
|
|
|
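Review bot: `otherNodes` is retyped to `attrsOf (functionTo (listOf str))`, but the `default = [];` right below it is still a list, which cannot satisfy `attrsOf`; it seems to be masked only because `config.otherNodes` is always defined by the `mapAttrs (const filterGroup)` line at the bottom, so the lower-priority default is never checked. Change it to `default = {};` so the declaration is self-consistent. The description should also reflect the new shape, e.g. `description = "Other nodes in the group, as a function from the current host name to the list of the other members.";`.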
@ -2,18 +2,25 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
getHostConfigurations = svcConfig: hostName:
|
getHostConfigurations = hostName: svcConfig:
|
||||||
lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
|
lib.mapAttrsToList (groupName: _: svcConfig.nixos.${groupName})
|
||||||
(lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
|
(lib.filterAttrs (_: lib.elem hostName) svcConfig.nodes);
|
||||||
|
|
||||||
getServiceConfigurations = svcConfig: getHostConfigurations svcConfig config.vars.hostName;
|
|
||||||
|
introspectionModule._module.args.cluster = {
|
||||||
|
inherit (config) vars;
|
||||||
|
inherit config;
|
||||||
|
};
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
options.services = mkOption {
|
options.services = mkOption {
|
||||||
description = "Cluster services.";
|
description = "Cluster services.";
|
||||||
type = with types; attrsOf (submodule (import ./service-module.nix config.vars));
|
type = with types; attrsOf (submodule ./service-module.nix);
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
config.out.injectedNixosConfig = lib.flatten (lib.mapAttrsToList (_: getServiceConfigurations) config.services);
|
|
||||||
|
config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (_: getHostConfigurations hostName) config.services)) ++ [
|
||||||
|
introspectionModule
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
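Review bot: The new `introspectionModule` exposes `cluster.vars` and `cluster.config` but drops the `hosts` attribute that the deleted inject.nix set with `inherit (cluster.config.vars) hosts;`, so any NixOS module still reading `cluster.hosts` rather than `cluster.vars.hosts` will fail to evaluate. Either restore it, `inherit (config.vars) hosts;`, or confirm no consumer remains. The module's argument set, where `config` comes from, is on line 1, outside this hunk.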
11
cluster/part.nix
Normal file
11
cluster/part.nix
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
{ depot, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
options.cluster = lib.mkOption {
|
||||||
|
type = lib.types.raw;
|
||||||
|
};
|
||||||
|
|
||||||
|
config.cluster = import ./. {
|
||||||
|
inherit depot lib;
|
||||||
|
};
|
||||||
|
}
|
|
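Review bot: The new `options.cluster` declaration carries no `description`, so it renders undocumented in generated option docs, and `lib.types.raw` means any second definition elsewhere is a conflict rather than a merge. Add something like `description = "The evaluated cluster configuration (import of ./default.nix); defined once here.";`, and consider `readOnly = true;` if hosts are not meant to override it.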
@ -1,5 +1,5 @@
|
||||||
{ config, tools, ... }:
|
{ config, depot, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
let
|
let
|
||||||
addrSplit' = builtins.split ":" config.services.minio.listenAddress;
|
addrSplit' = builtins.split ":" config.services.minio.listenAddress;
|
||||||
addrSplit = builtins.filter builtins.isString addrSplit';
|
addrSplit = builtins.filter builtins.isString addrSplit';
|
||||||
|
@ -27,7 +27,7 @@ in
|
||||||
services.nginx.appendHttpConfig = ''
|
services.nginx.appendHttpConfig = ''
|
||||||
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
|
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
|
||||||
'';
|
'';
|
||||||
services.nginx.virtualHosts."cache.${tools.meta.domain}" = vhosts.basic // {
|
services.nginx.virtualHosts."cache.${depot.lib.meta.domain}" = vhosts.basic // {
|
||||||
locations = {
|
locations = {
|
||||||
"= /".return = "302 /404";
|
"= /".return = "302 /404";
|
||||||
"/" = {
|
"/" = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, depot, tools, ... }:
|
{ config, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
mkNarServe = NAR_CACHE_URL: PORT: {
|
mkNarServe = NAR_CACHE_URL: PORT: {
|
||||||
|
@ -17,6 +17,6 @@
|
||||||
nar-serve-nixos-org.protocol = "http";
|
nar-serve-nixos-org.protocol = "http";
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.links.nar-serve-self.portStr;
|
systemd.services.nar-serve-self = mkNarServe "https://cache.${depot.lib.meta.domain}" config.links.nar-serve-self.portStr;
|
||||||
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
|
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, depot, lib, tools, ... }:
|
{ config, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
dataDir = "/srv/storage/private/attic";
|
dataDir = "/srv/storage/private/attic";
|
||||||
|
@ -52,7 +52,7 @@ in
|
||||||
ReadWritePaths = [ dataDir ];
|
ReadWritePaths = [ dataDir ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."cache-api.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.atticServer.url // {
|
services.nginx.virtualHosts."cache-api.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.atticServer.url // {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 4G;
|
client_max_body_size 4G;
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, lib, pkgs, tools, ... }:
|
{ config, lib, pkgs, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
extraGroups = [ "nginx" ]
|
extraGroups = [ "nginx" ]
|
||||||
++ lib.optional config.services.kanidm.enableServer "kanidm";
|
++ lib.optional config.services.kanidm.enableServer "kanidm";
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, cluster, lib, tools, ... }:
|
{ config, cluster, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (config.networking) hostName;
|
inherit (config.networking) hostName;
|
||||||
inherit (cluster.config) hostLinks;
|
inherit (cluster.config) hostLinks;
|
||||||
cfg = cluster.config.services.consul;
|
cfg = cluster.config.services.consul;
|
||||||
|
@ -21,7 +21,7 @@ in
|
||||||
node_name = config.networking.hostName;
|
node_name = config.networking.hostName;
|
||||||
bind_addr = hl.ipv4;
|
bind_addr = hl.ipv4;
|
||||||
ports.serf_lan = hl.port;
|
ports.serf_lan = hl.port;
|
||||||
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) cfg.otherNodes.agent;
|
retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
{ config, cluster, depot, lib, tools, ... }:
|
{ config, cluster, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (depot.reflection) hyprspace;
|
inherit (depot.reflection) hyprspace;
|
||||||
frontendDomain = "consul-remote.internal.${domain}";
|
frontendDomain = "consul-remote.internal.${domain}";
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
|
services.nginx.virtualHosts.${frontendDomain} = depot.lib.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
|
||||||
listenAddresses = lib.singleton hyprspace.addr;
|
listenAddresses = lib.singleton hyprspace.addr;
|
||||||
enableACME = false;
|
enableACME = false;
|
||||||
useACMEHost = "internal.${domain}";
|
useACMEHost = "internal.${domain}";
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ cluster, config, lib, pkgs, tools, ... }:
|
{ cluster, config, lib, pkgs, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (config.links) pdnsAdmin;
|
inherit (config.links) pdnsAdmin;
|
||||||
inherit (cluster.config) vars;
|
inherit (cluster.config) vars;
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
|
services.nginx.virtualHosts."dnsadmin.${domain}" = lib.recursiveUpdate
|
||||||
(tools.nginx.vhosts.proxy pdnsAdmin.url)
|
(depot.lib.nginx.vhosts.proxy pdnsAdmin.url)
|
||||||
# backend sends really big headers for some reason
|
# backend sends really big headers for some reason
|
||||||
# increase buffer size accordingly
|
# increase buffer size accordingly
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
{ cluster, config, depot, lib, tools, ... }:
|
{ cluster, config, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (depot.reflection) interfaces;
|
inherit (depot.reflection) interfaces;
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (config.networking) hostName;
|
inherit (config.networking) hostName;
|
||||||
|
|
||||||
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
|
link = cluster.config.hostLinks.${hostName}.dnsAuthoritative;
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
|
|
||||||
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; master ++ slave) [
|
otherDnsServers = lib.pipe (with cluster.config.services.dns.otherNodes; (master hostName) ++ (slave hostName)) [
|
||||||
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
|
(map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
|
||||||
(lib.concatStringsSep " ")
|
(lib.concatStringsSep " ")
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,15 +1,14 @@
|
||||||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
{ cluster, config, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (depot.reflection) interfaces hyprspace;
|
inherit (depot.reflection) interfaces hyprspace;
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (config.links) localRecursor;
|
|
||||||
inherit (config.networking) hostName;
|
inherit (config.networking) hostName;
|
||||||
|
|
||||||
link = cluster.config.hostLinks.${hostName}.dnsResolver;
|
link = cluster.config.hostLinks.${hostName}.dnsResolver;
|
||||||
backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;
|
backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;
|
||||||
|
|
||||||
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns) [
|
otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
|
||||||
(map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
|
(map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
|
||||||
(lib.concatStringsSep " ")
|
(lib.concatStringsSep " ")
|
||||||
];
|
];
|
||||||
|
|
|
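Review bot: This hunk removes the `inherit (config.links) localRecursor;` binding and drops `pkgs` from the module arguments, but the rest of the let block and the body are outside the hunk; if either name is still referenced further down, evaluation fails with an undefined-variable error. Worth confirming the remaining body was checked, or keep `inherit (config.links) localRecursor;` until its last use is gone. The let block continues past the end of this hunk.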
@ -1,7 +1,7 @@
|
||||||
{ config, depot, lib, ... }:
|
{ config, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (depot.config) hours;
|
inherit (depot) hours;
|
||||||
cfg = config.services.dns;
|
cfg = config.services.dns;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
{ cluster, config, depot, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (tools.nginx) vhosts;
|
inherit (depot.lib.nginx) vhosts;
|
||||||
inherit (config.age) secrets;
|
inherit (config.age) secrets;
|
||||||
|
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, tools, ... }:
|
{ config, lib, depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.hercules-ci-multi-agent = {
|
services.hercules-ci-multi-agent = {
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
{ config, tools, ... }:
|
{ config, depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
links = {
|
links = {
|
||||||
idm = {
|
idm = {
|
||||||
ipv4 = "idm.${tools.meta.domain}";
|
ipv4 = "idm.${depot.lib.meta.domain}";
|
||||||
port = 443;
|
port = 443;
|
||||||
protocol = "https";
|
protocol = "https";
|
||||||
};
|
};
|
||||||
ldap = {
|
ldap = {
|
||||||
hostname = "idm-ldap.internal.${tools.meta.domain}";
|
hostname = "idm-ldap.internal.${depot.lib.meta.domain}";
|
||||||
ipv4 = config.vars.mesh.VEGAS.meshIp;
|
ipv4 = config.vars.mesh.VEGAS.meshIp;
|
||||||
port = 636;
|
port = 636;
|
||||||
protocol = "ldaps";
|
protocol = "ldaps";
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ cluster, config, lib, tools, ... }:
|
{ cluster, config, lib, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
frontendLink = cluster.config.links.idm;
|
frontendLink = cluster.config.links.idm;
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ in
|
||||||
|
|
||||||
systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
|
systemd.services.kanidm.after = [ "acme-selfsigned-internal.${domain}.service" ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy backendLink.url) {
|
services.nginx.virtualHosts."idm.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy backendLink.url) {
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_ssl_name idm-backend.internal.${domain};
|
proxy_ssl_name idm-backend.internal.${domain};
|
||||||
proxy_ssl_trusted_certificate ${certDir}/chain.pem;
|
proxy_ssl_trusted_certificate ${certDir}/chain.pem;
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ config, depot, lib, pkgs, tools, ... }:
|
{ config, depot, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (tools.nginx) vhosts;
|
inherit (depot.lib.nginx) vhosts;
|
||||||
cfg = config.services.ipfs-cluster;
|
cfg = config.services.ipfs-cluster;
|
||||||
ipfsCfg = config.services.ipfs;
|
ipfsCfg = config.services.ipfs;
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, depot, lib, tools, ... }:
|
{ config, depot, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let
|
hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: depot.lib.summon name ({ depot, ... }: let
|
||||||
host = depot.reflection;
|
host = depot.reflection;
|
||||||
intf = host.interfaces.primary;
|
intf = host.interfaces.primary;
|
||||||
self = config.hostLinks.${name}.ipfs;
|
self = config.hostLinks.${name}.ipfs;
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
}));
|
||||||
services.ipfs = {
|
services.ipfs = {
|
||||||
nodes = {
|
nodes = {
|
||||||
node = [ "VEGAS" "prophet" ];
|
node = [ "VEGAS" "prophet" ];
|
||||||
|
@ -46,7 +46,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.ipfs-gateway = {
|
monitoring.blackbox.targets.ipfs-gateway = {
|
||||||
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${tools.meta.domain}/";
|
address = "https://bafybeiczsscdsbs7ffqz55asqdf3smv6klcw3gofszvwlyarci47bgf354.ipfs.${depot.lib.meta.domain}/";
|
||||||
module = "https2xx";
|
module = "https2xx";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, depot, lib, tools, ... }:
|
{ config, depot, lib, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
gw = config.links.ipfsGateway;
|
gw = config.links.ipfsGateway;
|
||||||
cfg = config.services.ipfs;
|
cfg = config.services.ipfs;
|
||||||
metrics = config.links.ipfsMetrics;
|
metrics = config.links.ipfsMetrics;
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
{ cluster, config, depot, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
cfg = config.services.ipfs;
|
cfg = config.services.ipfs;
|
||||||
apiAddress = "/unix/run/ipfs/ipfs-api.sock";
|
apiAddress = "/unix/run/ipfs/ipfs-api.sock";
|
||||||
ipfsApi = pkgs.writeTextDir "api" apiAddress;
|
ipfsApi = pkgs.writeTextDir "api" apiAddress;
|
||||||
|
@ -41,7 +41,7 @@ in
|
||||||
extraFlags = [ "--migrate" ];
|
extraFlags = [ "--migrate" ];
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
Bootstrap = [
|
Bootstrap = [
|
||||||
"/ip4/${depot.config.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
|
"/ip4/${depot.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
|
||||||
"/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
|
"/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
|
||||||
"/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
|
"/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
|
||||||
"/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"
|
"/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"
|
||||||
|
@ -62,7 +62,7 @@ in
|
||||||
ID = extra.peerId;
|
ID = extra.peerId;
|
||||||
Addrs = extra.multiaddrs;
|
Addrs = extra.multiaddrs;
|
||||||
})
|
})
|
||||||
cluster.config.services.ipfs.otherNodes.node;
|
(cluster.config.services.ipfs.otherNodes.node config.networking.hostName);
|
||||||
Gateway = {
|
Gateway = {
|
||||||
Writable = false;
|
Writable = false;
|
||||||
APICommands = [];
|
APICommands = [];
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, tools, ... }:
|
{ config, depot, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
cfg = config.services.ipfs;
|
cfg = config.services.ipfs;
|
||||||
gw = config.links.ipfsGateway;
|
gw = config.links.ipfsGateway;
|
||||||
in
|
in
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{ config, depot, lib, tools, ... }:
|
{ config, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (depot.config) hours;
|
inherit (depot) hours;
|
||||||
|
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
subDomains = {
|
subDomains = {
|
||||||
VEGAS = "eu1";
|
VEGAS = "eu1";
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
{ cluster, config, lib, pkgs, tools, ... }:
|
{ cluster, config, lib, pkgs, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) adminEmail;
|
inherit (depot.lib.meta) adminEmail;
|
||||||
inherit (cluster) vars;
|
inherit (cluster) vars;
|
||||||
|
inherit (config.networking) hostName;
|
||||||
|
|
||||||
linkGlobalSecure = cluster.config.links.ircSecure;
|
linkGlobalSecure = cluster.config.links.ircSecure;
|
||||||
link = cluster.config.hostLinks.${vars.hostName}.irc;
|
link = cluster.config.hostLinks.${hostName}.irc;
|
||||||
linkSecure = cluster.config.hostLinks.${vars.hostName}.ircSecure;
|
linkSecure = cluster.config.hostLinks.${hostName}.ircSecure;
|
||||||
otherServers = map mkServer cluster.config.services.irc.otherNodes.host;
|
otherServers = map mkServer (cluster.config.services.irc.otherNodes.host hostName);
|
||||||
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
|
otherServerFiles = map (builtins.toFile "ngircd-peer.conf") otherServers;
|
||||||
opers = map mkOper vars.ircOpers;
|
opers = map mkOper vars.ircOpers;
|
||||||
|
|
||||||
|
@ -41,7 +42,7 @@ in {
|
||||||
config = ''
|
config = ''
|
||||||
[Global]
|
[Global]
|
||||||
Name = ${serverName}
|
Name = ${serverName}
|
||||||
Info = Private Void IRC - ${vars.hostName}
|
Info = Private Void IRC - ${hostName}
|
||||||
Network = PrivateVoidIRC
|
Network = PrivateVoidIRC
|
||||||
AdminInfo1 = Private Void Administrators
|
AdminInfo1 = Private Void Administrators
|
||||||
AdminInfo2 = Contact for help
|
AdminInfo2 = Contact for help
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, tools, ... }:
|
{ config, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, tools, ... }:
|
{ config, depot, ... }:
|
||||||
{
|
{
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
coturn-static-auth = {
|
coturn-static-auth = {
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
services.coturn = {
|
services.coturn = {
|
||||||
enable = true;
|
enable = true;
|
||||||
no-cli = true;
|
no-cli = true;
|
||||||
realm = tools.meta.domain;
|
realm = depot.lib.meta.domain;
|
||||||
|
|
||||||
no-tcp-relay = true;
|
no-tcp-relay = true;
|
||||||
min-port = 64000;
|
min-port = 64000;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.matrix = {
|
services.matrix = {
|
||||||
|
@ -13,7 +13,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.matrix = {
|
monitoring.blackbox.targets.matrix = {
|
||||||
address = "https://matrix.${tools.meta.domain}/_matrix/federation/v1/version";
|
address = "https://matrix.${depot.lib.meta.domain}/_matrix/federation/v1/version";
|
||||||
module = "https2xx";
|
module = "https2xx";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, pkgs, tools, ... }:
|
{ config, pkgs, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
|
federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
|
||||||
"m.server" = "matrix.${domain}:443";
|
"m.server" = "matrix.${domain}:443";
|
||||||
});
|
});
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ cluster, config, lib, pkgs, tools, ... }:
|
{ cluster, config, lib, pkgs, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
|
|
||||||
|
@ -121,8 +121,8 @@ in {
|
||||||
]) ++ [ dbConfigOut ];
|
]) ++ [ dbConfigOut ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts = tools.nginx.mappers.mapSubdomains {
|
services.nginx.virtualHosts = depot.lib.nginx.mappers.mapSubdomains {
|
||||||
matrix = tools.nginx.vhosts.basic // {
|
matrix = depot.lib.nginx.vhosts.basic // {
|
||||||
locations."/".return = "204";
|
locations."/".return = "204";
|
||||||
locations."/_matrix" = {
|
locations."/_matrix" = {
|
||||||
proxyPass = "http://127.0.0.1:8008";
|
proxyPass = "http://127.0.0.1:8008";
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ depot, lib, pkgs, tools, ... }:
|
{ depot, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.nginx) domain vhosts;
|
inherit (depot.lib.nginx) domain vhosts;
|
||||||
inherit (depot.packages) cinny;
|
inherit (depot.packages) cinny;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.meet = {
|
services.meet = {
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.jitsi-videobridge = {
|
monitoring.blackbox.targets.jitsi-videobridge = {
|
||||||
address = "meet.${tools.meta.domain}:7777";
|
address = "meet.${depot.lib.meta.domain}:7777";
|
||||||
module = "tcpConnect";
|
module = "tcpConnect";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, depot, tools, ... }:
|
{ config, lib, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (config) links;
|
inherit (config) links;
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ in
|
||||||
|
|
||||||
services.jitsi-meet = {
|
services.jitsi-meet = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = "meet.${tools.meta.domain}";
|
hostName = "meet.${depot.lib.meta.domain}";
|
||||||
nginx.enable = true;
|
nginx.enable = true;
|
||||||
jicofo.enable = true;
|
jicofo.enable = true;
|
||||||
videobridge.enable = true;
|
videobridge.enable = true;
|
||||||
|
@ -38,7 +38,7 @@ in
|
||||||
publicAddress = interfaces.primary.addrPublic;
|
publicAddress = interfaces.primary.addrPublic;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."meet.${tools.meta.domain}" = {
|
services.nginx.virtualHosts."meet.${depot.lib.meta.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."=/images/watermark.svg" = {
|
locations."=/images/watermark.svg" = {
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{ config, cluster, lib, tools, ... }:
|
{ cluster, config, lib, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) flip pipe mapAttrsToList range recursiveUpdate substring;
|
inherit (lib) flip pipe mapAttrsToList range recursiveUpdate substring;
|
||||||
|
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
inherit (cluster.config) vars;
|
inherit (cluster.config) vars;
|
||||||
|
|
||||||
mapTargets = mapAttrsToList (name: value: value // { name = "default/${name}"; });
|
mapTargets = mapAttrsToList (name: value: value // { name = "default/${name}"; });
|
||||||
|
@ -19,7 +19,7 @@ let
|
||||||
})
|
})
|
||||||
]) (range 1 1);
|
]) (range 1 1);
|
||||||
|
|
||||||
probeId = pipe "blackbox-probe-${domain}-${vars.hostName}" [
|
probeId = pipe "blackbox-probe-${domain}-${config.networking.hostName}" [
|
||||||
(builtins.hashString "md5")
|
(builtins.hashString "md5")
|
||||||
(substring 0 8)
|
(substring 0 8)
|
||||||
];
|
];
|
||||||
|
@ -39,7 +39,7 @@ in
|
||||||
{
|
{
|
||||||
services.grafana-agent.settings.integrations.blackbox = {
|
services.grafana-agent.settings.integrations.blackbox = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
instance = vars.hostName;
|
instance = config.networking.hostName;
|
||||||
scrape_interval = "600s";
|
scrape_interval = "600s";
|
||||||
relabel_configs = [
|
relabel_configs = [
|
||||||
(relabel "__param_module" "module")
|
(relabel "__param_module" "module")
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ cluster, lib, ... }:
|
{ cluster, config, lib, ... }:
|
||||||
let
|
let
|
||||||
inherit (lib) singleton;
|
inherit (lib) singleton;
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@ in {
|
||||||
};
|
};
|
||||||
integrations.node_exporter = {
|
integrations.node_exporter = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
instance = cluster.config.vars.hostName;
|
instance = config.networking.hostName;
|
||||||
enable_collectors = [
|
enable_collectors = [
|
||||||
"systemd"
|
"systemd"
|
||||||
];
|
];
|
||||||
|
@ -32,7 +32,7 @@ in {
|
||||||
job_name = "journal";
|
job_name = "journal";
|
||||||
journal = {
|
journal = {
|
||||||
max_age = "12h";
|
max_age = "12h";
|
||||||
labels.host = cluster.config.vars.hostName;
|
labels.host = config.networking.hostName;
|
||||||
};
|
};
|
||||||
relabel_configs = [
|
relabel_configs = [
|
||||||
(relabel "__journal__systemd_unit" "systemd_unit")
|
(relabel "__journal__systemd_unit" "systemd_unit")
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ cluster, config, depot, lib, pkgs, tools, ... }:
|
{ cluster, config, depot, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
inherit (cluster.config.links) loki-ingest prometheus-ingest;
|
inherit (cluster.config.links) loki-ingest prometheus-ingest;
|
||||||
|
|
||||||
|
@ -97,7 +97,7 @@ in
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.grafana-ha.servers = lib.mapAttrs' (_: links: lib.nameValuePair links.grafana.tuple {}) (lib.getAttrs (svc.nodes.grafana) hostLinks);
|
upstreams.grafana-ha.servers = lib.mapAttrs' (_: links: lib.nameValuePair links.grafana.tuple {}) (lib.getAttrs (svc.nodes.grafana) hostLinks);
|
||||||
|
|
||||||
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://grafana-ha") {
|
virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy "http://grafana-ha") {
|
||||||
locations."/".proxyWebsockets = true;
|
locations."/".proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.nextcloud = {
|
monitoring.blackbox.targets.nextcloud = {
|
||||||
address = "https://storage.${tools.meta.domain}/status.php";
|
address = "https://storage.${depot.lib.meta.domain}/status.php";
|
||||||
module = "nextcloudStatus";
|
module = "nextcloudStatus";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ cluster, config, lib, pkgs, tools, ... }:
|
{ cluster, config, lib, pkgs, depot, ... }:
|
||||||
let
|
let
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
in
|
in
|
||||||
|
@ -22,7 +22,7 @@ in
|
||||||
enableBrokenCiphersForSSE = false;
|
enableBrokenCiphersForSSE = false;
|
||||||
enable = true;
|
enable = true;
|
||||||
https = true;
|
https = true;
|
||||||
hostName = "storage.${tools.meta.domain}";
|
hostName = "storage.${depot.lib.meta.domain}";
|
||||||
home = "/srv/storage/www-app/nextcloud";
|
home = "/srv/storage/www-app/nextcloud";
|
||||||
maxUploadSize = "4G";
|
maxUploadSize = "4G";
|
||||||
enableImagemagick = true;
|
enableImagemagick = true;
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) adminEmail;
|
inherit (depot.lib.meta) adminEmail;
|
||||||
in {
|
in {
|
||||||
security.acme.defaults.email = adminEmail;
|
security.acme.defaults.email = adminEmail;
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
@ -24,15 +24,6 @@ in {
|
||||||
access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki;
|
access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.phpfpm.pools.www = {
|
|
||||||
inherit (config.services.nginx) user group;
|
|
||||||
settings = {
|
|
||||||
pm = "ondemand";
|
|
||||||
"pm.max_children" = 16;
|
|
||||||
"listen.owner" = config.services.nginx.user;
|
|
||||||
"listen.group" = config.services.nginx.group;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
systemd.services.nginx.after = [ "network-online.target" ];
|
systemd.services.nginx.after = [ "network-online.target" ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.object-storage = {
|
services.object-storage = {
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.object-storage = {
|
monitoring.blackbox.targets.object-storage = {
|
||||||
address = "https://object-storage.${tools.meta.domain}/minio/health/live";
|
address = "https://object-storage.${depot.lib.meta.domain}/minio/health/live";
|
||||||
module = "https2xx";
|
module = "https2xx";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{ config, lib, tools, ... }:
|
{ config, lib, depot, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
let
|
let
|
||||||
inherit (config) links;
|
inherit (config) links;
|
||||||
|
|
||||||
|
|
|
@ -12,9 +12,9 @@ in
|
||||||
services.grafana-agent = {
|
services.grafana-agent = {
|
||||||
settings.integrations.postgres_exporter = {
|
settings.integrations.postgres_exporter = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
instance = vars.hostName;
|
instance = config.networking.hostName;
|
||||||
data_source_names = [
|
data_source_names = [
|
||||||
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp vars.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
|
"postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp config.networking.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
|
||||||
];
|
];
|
||||||
autodiscover_databases = true;
|
autodiscover_databases = true;
|
||||||
};
|
};
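Review bot: `instance = config.networking.hostName;` and `getMeshIp config.networking.hostName` now key the cluster's mesh table by the NixOS hostname instead of the former `vars.hostName`, so a host whose `networking.hostName` differs from its cluster key in spelling or case (the keys include mixed-case names such as "VEGAS") fails with an attribute-missing error deep inside `getMeshIp`, or binds the exporter to another node's mesh IP if the string happens to equal another key. An assertion where `getMeshIp` is defined (outside this hunk), e.g. `getMeshIp = name: assert vars.mesh ? ${name}; vars.mesh.${name}.meshIp;`, or a comment stating that `networking.hostName` must equal the host's key, would make the coupling explicit. The same applies to the patroni hunks below (`name = hostName;`, `nodeIp = getMeshIp hostName;`, `listen_addresses = getMeshIp hostName;`).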
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (cluster.config) vars;
|
inherit (cluster.config) vars;
|
||||||
|
inherit (config.networking) hostName;
|
||||||
|
|
||||||
getMeshIp = name: vars.mesh.${name}.meshIp;
|
getMeshIp = name: vars.mesh.${name}.meshIp;
|
||||||
|
|
||||||
|
@ -32,7 +33,7 @@ in
|
||||||
];
|
];
|
||||||
services.patroni = {
|
services.patroni = {
|
||||||
enable = true;
|
enable = true;
|
||||||
name = vars.hostName;
|
name = hostName;
|
||||||
postgresqlPackage = pg;
|
postgresqlPackage = pg;
|
||||||
postgresqlDataDir ="${baseDir}/${pg.psqlSchema}";
|
postgresqlDataDir ="${baseDir}/${pg.psqlSchema}";
|
||||||
postgresqlPort = cluster.config.links.patroni-pg-internal.port;
|
postgresqlPort = cluster.config.links.patroni-pg-internal.port;
|
||||||
|
@ -40,8 +41,8 @@ in
|
||||||
scope = "poseidon";
|
scope = "poseidon";
|
||||||
namespace = "/patroni";
|
namespace = "/patroni";
|
||||||
|
|
||||||
nodeIp = getMeshIp vars.hostName;
|
nodeIp = getMeshIp hostName;
|
||||||
otherNodesIps = map getMeshIp cluster.config.services.patroni.otherNodes.worker;
|
otherNodesIps = map getMeshIp (cluster.config.services.patroni.otherNodes.worker hostName);
|
||||||
raft = false;
|
raft = false;
|
||||||
softwareWatchdog = true;
|
softwareWatchdog = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -68,7 +69,7 @@ in
|
||||||
superuser.username = "postgres";
|
superuser.username = "postgres";
|
||||||
};
|
};
|
||||||
parameters = {
|
parameters = {
|
||||||
listen_addresses = getMeshIp vars.hostName;
|
listen_addresses = getMeshIp hostName;
|
||||||
wal_level = "replica";
|
wal_level = "replica";
|
||||||
hot_standby_feedback = "on";
|
hot_standby_feedback = "on";
|
||||||
unix_socket_directories = "/tmp";
|
unix_socket_directories = "/tmp";
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.search = {
|
services.search = {
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.search = {
|
monitoring.blackbox.targets.search = {
|
||||||
address = "https://search.${tools.meta.domain}/healthz";
|
address = "https://search.${depot.lib.meta.domain}/healthz";
|
||||||
module = "https2xx";
|
module = "https2xx";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, depot, lib, tools, ... }:
|
{ config, depot, lib, ... }:
|
||||||
let
|
let
|
||||||
inherit (config) links;
|
inherit (config) links;
|
||||||
in
|
in
|
||||||
|
@ -56,7 +56,7 @@ in
|
||||||
disable-logging = true;
|
disable-logging = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."search.${tools.meta.domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy links.searxng.url) {
|
services.nginx.virtualHosts."search.${depot.lib.meta.domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy links.searxng.url) {
|
||||||
extraConfig = "access_log off;";
|
extraConfig = "access_log off;";
|
||||||
};
|
};
|
||||||
systemd.services.uwsgi.after = [ "wireguard-wgmv.service" "network-addresses-wgmv.service" ];
|
systemd.services.uwsgi.after = [ "wireguard-wgmv.service" "network-addresses-wgmv.service" ];
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
monitoring.blackbox.targets.soda-machine = {
|
monitoring.blackbox.targets.soda-machine = {
|
||||||
address = "soda.int.${tools.meta.domain}:22";
|
address = "soda.int.${depot.lib.meta.domain}:22";
|
||||||
module = "sshConnect";
|
module = "sshConnect";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,19 +1,19 @@
|
||||||
{ config, depot, lib, pkgs, tools, ... }:
|
{ config, depot, lib, pkgs, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
{
|
{
|
||||||
# TODO: not a whole lot to configure, maybe add some autoconfig stuff
|
# TODO: not a whole lot to configure, maybe add some autoconfig stuff
|
||||||
services.jellyfin = {
|
services.jellyfin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = depot.packages.jellyfin;
|
package = depot.packages.jellyfin;
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."warehouse.${tools.meta.domain}" = lib.mkMerge [
|
services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}" = lib.mkMerge [
|
||||||
(vhosts.proxy "http://127.0.0.1:8096")
|
(vhosts.proxy "http://127.0.0.1:8096")
|
||||||
{
|
{
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
'';
|
'';
|
||||||
locations."/socket" = {
|
locations."/socket" = {
|
||||||
inherit (config.services.nginx.virtualHosts."warehouse.${tools.meta.domain}".locations."/") proxyPass;
|
inherit (config.services.nginx.virtualHosts."warehouse.${depot.lib.meta.domain}".locations."/") proxyPass;
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
# TODO: video cache
|
# TODO: video cache
|
||||||
|
|
|
@ -1,14 +1,7 @@
|
||||||
{ depot, lib, tools, ... }:
|
{ depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
importWebsites = expr: import expr {
|
|
||||||
tools = tools.nginx;
|
|
||||||
inherit (depot) packages;
|
|
||||||
};
|
|
||||||
|
|
||||||
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
|
||||||
|
|
||||||
acmeUseDNS = name: conf: {
|
acmeUseDNS = name: conf: {
|
||||||
name = conf.useACMEHost or conf.serverName or name;
|
name = conf.useACMEHost or conf.serverName or name;
|
||||||
|
@ -24,7 +17,16 @@ in
|
||||||
{
|
{
|
||||||
services.websites = {
|
services.websites = {
|
||||||
nodes.host = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
|
nodes.host = [ "checkmate" "thunderskin" "VEGAS" "prophet" ];
|
||||||
nixos.host = {
|
nixos.host = { config, depot, ... }: let
|
||||||
|
|
||||||
|
importWebsites = expr: import expr {
|
||||||
|
tools = depot.lib.nginx;
|
||||||
|
inherit (depot) packages;
|
||||||
|
};
|
||||||
|
|
||||||
|
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
||||||
|
|
||||||
|
in {
|
||||||
services.nginx.virtualHosts = websites;
|
services.nginx.virtualHosts = websites;
|
||||||
security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
|
security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
|
||||||
consul.services.nginx = {
|
consul.services.nginx = {
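Review bot: In `nixos.host = { config, depot, ... }: let`, `config` is bound but not used anywhere in the visible body, and the inner `depot` shadows the file-level `depot` from the first line of the file. The shadowing looks intentional — `inherit (depot) packages` needs the depot handed to the NixOS module (which, per `lib.summon`, includes the per-system outputs) rather than the cluster-level one — but nothing says so; a one-line comment such as `# depot here is the host's NixOS-level depot (has packages), not the cluster-level one` would save the next reader a detour. Drop `config` unless the rest of the module, which continues past this hunk, uses it.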
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, depot, lib, ... }:
|
{ config, depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (depot.config) hours;
|
inherit (depot) hours;
|
||||||
|
|
||||||
meshNet = rec {
|
meshNet = rec {
|
||||||
netAddr = "10.1.1.0";
|
netAddr = "10.1.1.0";
|
||||||
|
|
|
@ -30,7 +30,7 @@ in
|
||||||
ips = [ "${link.extra.meshIp}/24" ];
|
ips = [ "${link.extra.meshIp}/24" ];
|
||||||
listenPort = link.port;
|
listenPort = link.port;
|
||||||
privateKeyFile = config.age.secrets.wireguard-key-core.path;
|
privateKeyFile = config.age.secrets.wireguard-key-core.path;
|
||||||
peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh;
|
peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -19,6 +19,7 @@
|
||||||
./packages/part.nix
|
./packages/part.nix
|
||||||
./jobs/part.nix
|
./jobs/part.nix
|
||||||
./lib/part.nix
|
./lib/part.nix
|
||||||
|
./cluster/part.nix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, lib, tools, ... }:
|
{ config, lib, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
||||||
cfg = config.services.oauth2_proxy;
|
cfg = config.services.oauth2_proxy;
|
||||||
in
|
in
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{ config, lib, tools, ... }:
|
{ config, lib, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
apiAddr = "api.${domain}";
|
apiAddr = "api.${domain}";
|
||||||
proxyTarget = config.links.api.url;
|
proxyTarget = config.links.api.url;
|
||||||
proxy = tools.nginx.vhosts.proxy proxyTarget;
|
proxy = depot.lib.nginx.vhosts.proxy proxyTarget;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# n8n uses "Sustainable Use License"
|
# n8n uses "Sustainable Use License"
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
networking.nat.forwardPorts = [
|
networking.nat.forwardPorts = [
|
||||||
{
|
{
|
||||||
sourcePort = 52222;
|
sourcePort = 52222;
|
||||||
destination = "${depot.config.hours.soda.interfaces.primary.addr}:22";
|
destination = "${depot.hours.soda.interfaces.primary.addr}:22";
|
||||||
proto = "tcp";
|
proto = "tcp";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{ config, lib, tools, ... }:
|
{ config, lib, depot, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
{
|
{
|
||||||
links.bitwarden.protocol = "http";
|
links.bitwarden.protocol = "http";
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,9 @@
|
||||||
{ config, lib, toolsets, ... }:
|
{ depot, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
tools = toolsets.nginx {
|
tools = (depot.lib.override {
|
||||||
inherit lib config;
|
meta.domain = lib.mkForce "cdn-shield.privatevoid.net";
|
||||||
domain = "cdn-shield.privatevoid.net";
|
}).nginx;
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; });
|
services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; });
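Review bot: `depot.lib.override { meta.domain = lib.mkForce "cdn-shield.privatevoid.net"; }` re-evaluates the whole `depot.lib` module set just to swap one string, and the `mkForce` is load-bearing but undocumented. It is correct — `mapSubdomains` reads `domain` from `config.meta` inside lib/nginx.nix, so overriding the module is the only way to get `*.cdn-shield.privatevoid.net` vhosts, and `meta.domain` appears to be a `raw` leaf of the free-form `lib` type, which does not merge, so without `mkForce` the override would collide with the default definition. Suggest a comment above the binding: `# re-evaluate depot.lib with a different meta.domain so mapSubdomains yields cdn-shield vhosts; mkForce is needed because raw leaves do not merge`.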
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{ config, tools, ... }:
|
{ config, depot, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
{
|
{
|
||||||
links = {
|
links = {
|
||||||
ombi.protocol = "http";
|
ombi.protocol = "http";
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ cluster, config, lib, tools, ... }:
|
{ cluster, config, lib, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain adminEmail;
|
inherit (depot.lib.meta) domain adminEmail;
|
||||||
|
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
|
|
||||||
|
@ -106,5 +106,5 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,10 +1,9 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
with tools.nginx.mappers;
|
with depot.lib.nginx.mappers;
|
||||||
with tools.nginx.vhosts;
|
with depot.lib.nginx.vhosts;
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts = mapSubdomains {
|
services.nginx.virtualHosts = mapSubdomains {
|
||||||
"bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist";
|
"bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist";
|
||||||
"get" = simplePHP "/srv/storage/www/dietldb";
|
|
||||||
"rzentrale" = static "/srv/storage/www/rzentrale";
|
"rzentrale" = static "/srv/storage/www/rzentrale";
|
||||||
"wunschnachricht" = static "/srv/storage/www/wunschnachricht";
|
"wunschnachricht" = static "/srv/storage/www/wunschnachricht";
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./imap.nix
|
./imap.nix
|
||||||
|
@ -6,12 +6,12 @@
|
||||||
./postfix.nix
|
./postfix.nix
|
||||||
./saslauthd.nix
|
./saslauthd.nix
|
||||||
];
|
];
|
||||||
services.nginx.virtualHosts."mail.${tools.meta.domain}" = {
|
services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/".return = "204";
|
locations."/".return = "204";
|
||||||
};
|
};
|
||||||
security.acme.certs."mail.${tools.meta.domain}".extraDomainNames = map
|
security.acme.certs."mail.${depot.lib.meta.domain}".extraDomainNames = map
|
||||||
(x: "${x}.${tools.meta.domain}") [
|
(x: "${x}.${depot.lib.meta.domain}") [
|
||||||
"mx"
|
"mx"
|
||||||
"imap"
|
"imap"
|
||||||
"smtp"
|
"smtp"
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, pkgs, tools, ... }:
|
{ config, pkgs, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.identity) ldap;
|
inherit (depot.lib.identity) ldap;
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
|
||||||
postfixCfg = config.services.postfix;
|
postfixCfg = config.services.postfix;
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ lib, tools, ... }:
|
{ lib, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.opendkim = {
|
services.opendkim = {
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, depot, tools, ... }:
|
{ config, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
certDir = config.security.acme.certs."mail.${domain}".directory;
|
certDir = config.security.acme.certs."mail.${domain}".directory;
|
||||||
|
|
||||||
receivePolicy = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ];
|
receivePolicy = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" ];
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ pkgs, tools, ... }:
|
{ pkgs, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.identity) ldap;
|
inherit (depot.lib.identity) ldap;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.saslauthd = {
|
services.saslauthd = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, depot, tools, ... }:
|
{ config, depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
links.nixIpfs.protocol = "http";
|
links.nixIpfs.protocol = "http";
|
||||||
|
@ -17,11 +17,11 @@
|
||||||
IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress;
|
IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress;
|
||||||
NIX_CACHES = toString [
|
NIX_CACHES = toString [
|
||||||
"https://cache.nixos.org"
|
"https://cache.nixos.org"
|
||||||
"https://cache.${tools.meta.domain}"
|
"https://cache.${depot.lib.meta.domain}"
|
||||||
"https://max.cachix.org"
|
"https://max.cachix.org"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."reflex.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.nixIpfs.url;
|
services.nginx.virtualHosts."reflex.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.nixIpfs.url;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ cluster, config, depot, lib, tools, ... }:
|
{ cluster, config, depot, lib, ... }:
|
||||||
with tools.nginx;
|
with depot.lib.nginx;
|
||||||
let
|
let
|
||||||
login = "login.${tools.meta.domain}";
|
login = "login.${depot.lib.meta.domain}";
|
||||||
kc = config.links.keycloak;
|
kc = config.links.keycloak;
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
in
|
in
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{ tools, ... }:
|
{ depot, ... }:
|
||||||
with tools.nginx.vhosts;
|
with depot.lib.nginx.vhosts;
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
front = "ident.${domain}";
|
front = "ident.${domain}";
|
||||||
back = tools.identity.ldap.server.hostname;
|
back = depot.lib.identity.ldap.server.hostname;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts."${front}" = basic // {
|
services.nginx.virtualHosts."${front}" = basic // {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, tools, ... }:
|
{ config, pkgs, depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.vault = {
|
services.vault = {
|
||||||
|
@ -8,5 +8,5 @@
|
||||||
extraConfig = "ui = true";
|
extraConfig = "ui = true";
|
||||||
package = pkgs.vault-bin;
|
package = pkgs.vault-bin;
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."vault.${tools.meta.domain}" = tools.nginx.vhosts.proxy "http://${config.services.vault.address}";
|
services.nginx.virtualHosts."vault.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy "http://${config.services.vault.address}";
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,14 +1,12 @@
|
||||||
{ depot, tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
importWebsites = expr: import expr {
|
importWebsites = expr: import expr {
|
||||||
tools = tools.nginx;
|
tools = depot.lib.nginx;
|
||||||
inherit (depot) packages;
|
inherit (depot) packages;
|
||||||
};
|
};
|
||||||
|
|
||||||
websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
|
||||||
|
|
||||||
extraWebsites = importWebsites ./extra-sites.nix;
|
|
||||||
in {
|
in {
|
||||||
services.nginx.virtualHosts = websites // extraWebsites;
|
services.nginx.virtualHosts = websites;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
{ tools, ... }:
|
|
||||||
with tools.vhosts;
|
|
||||||
let
|
|
||||||
noSSL = { enableACME = false; forceSSL = false; };
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"ky.rip" = simplePHP "/srv/storage/www/ky.rip" // noSSL;
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, depot, tools, ... }:
|
{ config, depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
|
@ -43,7 +43,7 @@
|
||||||
|
|
||||||
|
|
||||||
networking.hostName = "VEGAS";
|
networking.hostName = "VEGAS";
|
||||||
networking.domain = "backbone.${tools.meta.domain}";
|
networking.domain = "backbone.${depot.lib.meta.domain}";
|
||||||
|
|
||||||
time.timeZone = "Europe/Helsinki";
|
time.timeZone = "Europe/Helsinki";
|
||||||
|
|
||||||
|
@ -94,7 +94,7 @@
|
||||||
path = depot.nixosConfigurations.soda.config.system.build.toplevel;
|
path = depot.nixosConfigurations.soda.config.system.build.toplevel;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostBridge = "vmdefault";
|
hostBridge = "vmdefault";
|
||||||
localAddress = "${depot.config.hours.soda.interfaces.primary.addr}/24";
|
localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
bindMounts.sodaDir = {
|
bindMounts.sodaDir = {
|
||||||
hostPath = "/srv/storage/www/soda";
|
hostPath = "/srv/storage/www/soda";
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
networking.hostName = "checkmate";
|
networking.hostName = "checkmate";
|
||||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||||
|
|
||||||
time.timeZone = "Europe/Zurich";
|
time.timeZone = "Europe/Zurich";
|
||||||
|
|
||||||
|
|
|
@ -1,23 +1,13 @@
|
||||||
{ config, inputs, lib, self, withSystem, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) const mapAttrs nixosSystem;
|
inherit (lib) mapAttrs nixosSystem;
|
||||||
inherit (config) gods;
|
inherit (config) gods;
|
||||||
|
|
||||||
mkSpecialArgs = system: hostName: withSystem system ({ inputs', self', ... }: {
|
|
||||||
depot = self // self' // {
|
|
||||||
inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
|
|
||||||
inherit config;
|
|
||||||
# peer into the Watchman's Glass
|
|
||||||
reflection = config.hours.${hostName};
|
|
||||||
};
|
|
||||||
toolsets = import ../tools;
|
|
||||||
});
|
|
||||||
|
|
||||||
mkNixOS = name: host: nixosSystem {
|
mkNixOS = name: host: nixosSystem {
|
||||||
specialArgs = mkSpecialArgs host.system name;
|
specialArgs = config.lib.summon name lib.id;
|
||||||
inherit (host) system;
|
inherit (host) system;
|
||||||
modules = [ host.nixos ../tools/inject.nix (import ../cluster/inject.nix name) ];
|
modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
|
flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
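Review bot: `modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;` concatenates whatever `injectNixosConfig name` returns, so a module author who returns a single module attrset instead of a list gets a bare `++` type error pointing at this file rather than an option type error at the definition site; unless the option's return type is list-typed, wrap it as `++ lib.toList (config.cluster.config.out.injectNixosConfig name)` or tighten the option type. `specialArgs = config.lib.summon name lib.id;` also deserves a comment, since what `depot` contains (and which of `self`, `self'`, top-level and per-system config wins on a name clash) is decided inside `lib.summon`, not here: `# specialArgs = { depot = ...; } as built by lib.summon; see lib/hours.nix for what depot merges`.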
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
networking.hostName = "prophet";
|
networking.hostName = "prophet";
|
||||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||||
|
|
||||||
time.timeZone = "Europe/Zurich";
|
time.timeZone = "Europe/Zurich";
|
||||||
|
|
||||||
|
|
|
@ -14,9 +14,9 @@
|
||||||
|
|
||||||
networking.interfaces.eth0.useDHCP = true;
|
networking.interfaces.eth0.useDHCP = true;
|
||||||
|
|
||||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||||
|
|
||||||
networking.resolvconf.extraConfig = "local_nameservers='${depot.config.hours.VEGAS.interfaces.vstub.addr}'";
|
networking.resolvconf.extraConfig = "local_nameservers='${depot.hours.VEGAS.interfaces.vstub.addr}'";
|
||||||
|
|
||||||
networking.hostName = "soda";
|
networking.hostName = "soda";
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
networking.hostName = "thunderskin";
|
networking.hostName = "thunderskin";
|
||||||
networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
|
networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];
|
||||||
|
|
||||||
time.timeZone = "Europe/Zurich";
|
time.timeZone = "Europe/Zurich";
|
||||||
|
|
||||||
|
|
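--- /dev/null
+++ b/lib/hours.nix
@@ -0,0 +1,18 @@
+{ config, inputs, lib, self, withSystem, ... }:
+
+let
+inherit (lib) const mapAttrs;
+in
+
+{
+lib.summon = name: f: let
+lift = config;
+hour = config.hours.${name};
+in withSystem hour.system ({ config, inputs', self', ... }: f {
+depot = self // self' // lift // config // {
+inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
+# peer into the Watchman's Glass
+reflection = hour;
+};
+});
+}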
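Review bot: `depot = self // self' // lift // config // { ... }` resolves name clashes silently — the per-system `config` wins over the top-level config (`lift`), which wins over `self'` and `self` — and attributes such as `packages` likely exist on more than one of them, so which one a host module sees is fixed by this order alone. A comment stating the precedence, e.g. `# later operands win: self < self' < top-level config < per-system config < inputs/reflection`, would make that a documented contract rather than an accident. Also, `mapAttrs (name: const (...))` shadows summon's own `name` parameter; renaming the lambda argument to `input` removes the double meaning. Since `lift` exposes the entire top-level flake-parts config to every host's NixOS evaluation, a header comment saying so is worth adding as well.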
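--- /dev/null
+++ b/lib/identity.nix
@@ -0,0 +1,37 @@
+{ lib, ... }:
+
+{
+lib = { config, ... }: with config.identity; {
+identity = {
+
+inherit (config.meta) domain;
+
+autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
+
+ldap = {
+server = with ldap.server; {
+# TODO: unhardcode everything here
+protocol = "ldaps";
+hostname = "authsys.virtual-machines.${domain}";
+port = 636;
+url = "${protocol}://${connectionString}";
+connectionString = "${hostname}:${builtins.toString port}";
+};
+accounts = with ldap.accounts; {
+domainComponents = ldap.lib.convertDomain domain;
+uidAttribute = "uid";
+uidFilter = "(${uidAttribute}=%u)";
+userSearchBase = "cn=users,cn=accounts,${domainComponents}";
+};
+lib = {
+convertDomain = domain: with builtins; lib.pipe domain [
+(split "\\.")
+(filter isString)
+(map (x: "dc=${x}"))
+(concatStringsSep ",")
+];
+};
+};
+};
+};
+}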
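Review bot: `autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";` uses MD5 only to turn an arbitrary name into a DNS-safe label, but nothing says so and a reader may assume the hash is meant to hide `name` or to be unique; suggest `# md5 only derives a DNS-safe label from name; it is not a secret, and a collision would alias two dev domains`. `uidFilter = "(${uidAttribute}=%u)"` is a template whose `%u` is filled in by the consuming service, so a note that the consumer is responsible for escaping the substituted value belongs next to it. The `# TODO: unhardcode everything here` on `ldap.server` still stands; `protocol`, `hostname` and `port` are the natural candidates to become options.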
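--- /dev/null
+++ b/lib/meta.nix
@@ -0,0 +1,8 @@
+{
+lib = { config, ... }: with config.meta; {
+meta = {
+domain = "privatevoid.net";
+adminEmail = "admins@${domain}";
+};
+};
+}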
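--- /dev/null
+++ b/lib/nginx.nix
@@ -0,0 +1,50 @@
+{ lib, ... }:
+
+{
+lib = { config, ... }: with config.nginx; {
+nginx = {
+inherit (config.meta) domain;
+
+mappers = {
+
+mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
+
+};
+
+vhosts = with vhosts; {
+
+basic = {
+forceSSL = true;
+enableACME = true;
+};
+
+redirect = target: basic // {
+locations."/".return = "301 ${target}";
+};
+
+proxy = target: basic // {
+locations."/".proxyPass = target;
+};
+
+static = root: basic // {
+inherit root;
+};
+
+indexedStatic = root: (static root) // {
+extraConfig = "autoindex on;";
+};
+
+proxyGhost = scheme: target: basic // {
+locations."/".extraConfig = ''
+proxy_pass ${scheme}://${target};
+proxy_set_header Host ${target};
+proxy_set_header Referer ${scheme}://${target};
+proxy_cookie_domain ${target} domain.invalid;
+proxy_set_header Cookie "";
+'';
+};
+};
+};
+};
+}
+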
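Review bot: `proxyGhost` rewrites `Host` and `Referer`, strips the client `Cookie` and remaps upstream cookies to `domain.invalid`, but when `scheme` is `https` the upstream TLS connection is made without SNI and without certificate verification, because the `extraConfig` sets neither `proxy_ssl_server_name on;` nor `proxy_ssl_verify on;` (both default to off in nginx) — a reader could reasonably assume the hidden upstream is authenticated. Either add `proxy_ssl_server_name on;`, `proxy_ssl_name ${target};` and `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate`, or document that the upstream is not verified. `indexedStatic` enables `autoindex on;`, which lists every file under `root`; a short comment that the listing is intentional would help.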
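--- a/lib/part.nix
+++ b/lib/part.nix
@@ -1,5 +1,27 @@
+{ config, lib, ... }:
+
 {
 imports = [
 ./time-travel.nix
+./hours.nix
+./meta.nix
+./nginx.nix
+./identity.nix
 ];
+
+options.lib = lib.mkOption {
+default = {};
+type = with lib.types; submodule ({ extendModules, ... }: {
+freeformType = let
+t = either (lazyAttrsOf t) raw;
+in t;
+config.override = conf: let
+overridden = extendModules {
+modules = [ conf ];
+};
+in overridden.config;
+});
+};
+
+config._module.args.depot = config;
 }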
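Review bot: `config._module.args.depot = config;` makes the entire flake-parts config reachable as `depot` from every module, and `config.override` re-runs `extendModules` over the whole `lib` submodule on each call; both are fine but undocumented. Suggest on `options.lib`: `# free-form library namespace: nested attrsets merge (lazyAttrsOf), leaves are raw and do not merge — override a leaf via lib.override with mkForce`, and on `config.override`: `# re-evaluate this submodule with extra modules and return the resulting config`. The recursive `t = either (lazyAttrsOf t) raw;` also deserves a word, since `raw` means leaf values are never type-checked by the module system.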
|
|
|
@ -1,18 +1,3 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
|
|
||||||
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
{
|
||||||
_module.args = { inherit timeTravel; };
|
lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
|
||||||
perSystem = { system, ... }: {
|
|
||||||
_module.args.timeTravel' = rev: let
|
|
||||||
flake = timeTravel rev;
|
|
||||||
flake' = config.perInput system flake;
|
|
||||||
in flake' // {
|
|
||||||
inputs = lib.mapAttrs (_: input: config.perInput system input) flake.inputs;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
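Review bot: `lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";` is now published on the shared `depot.lib` namespace without saying what `rev` must be: `builtins.getFlake` only accepts a locked reference under pure evaluation, so `rev` has to be a full commit hash, and a branch name would make the result depend on whatever that branch points to at evaluation time. A doc comment pins the contract: `# rev must be a full commit hash: getFlake needs a locked ref under pure eval, and an unpinned ref would make the build depend on remote state`.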
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, depot, lib, tools, ... }:
|
{ config, depot, lib, ... }:
|
||||||
let
|
let
|
||||||
orgDomain = tools.meta.domain;
|
orgDomain = depot.lib.meta.domain;
|
||||||
host = depot.reflection;
|
host = depot.reflection;
|
||||||
in {
|
in {
|
||||||
networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}";
|
networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}";
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
let
|
let
|
||||||
inherit (config.networking) hostName;
|
inherit (config.networking) hostName;
|
||||||
inherit (depot.packages) hyprspace;
|
inherit (depot.packages) hyprspace;
|
||||||
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.config.hours;
|
hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.hours;
|
||||||
peersFormatted = builtins.mapAttrs (_: x: {
|
peersFormatted = builtins.mapAttrs (_: x: {
|
||||||
inherit (x.hyprspace) id;
|
inherit (x.hyprspace) id;
|
||||||
routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);
|
routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ depot, tools, ... }:
|
{ depot, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
nix = {
|
nix = {
|
||||||
|
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
trusted-users = [ "root" "@wheel" "@admins" ];
|
trusted-users = [ "root" "@wheel" "@admins" ];
|
||||||
substituters = [ "https://cache.${tools.meta.domain}" ];
|
substituters = [ "https://cache.${depot.lib.meta.domain}" ];
|
||||||
trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
|
trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@
|
||||||
experimental-features = nix-command flakes cgroups
|
experimental-features = nix-command flakes cgroups
|
||||||
use-cgroups = true
|
use-cgroups = true
|
||||||
builders-use-substitutes = true
|
builders-use-substitutes = true
|
||||||
flake-registry = https://git.${tools.meta.domain}/private-void/registry/-/raw/master/registry.json
|
flake-registry = https://git.${depot.lib.meta.domain}/private-void/registry/-/raw/master/registry.json
|
||||||
|
|
||||||
# For Hercules CI agent
|
# For Hercules CI agent
|
||||||
narinfo-cache-negative-ttl = 0
|
narinfo-cache-negative-ttl = 0
|
||||||
|
|
|
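Review bot: The substituter URL on the new side is now derived from `depot.lib.meta.domain`, but the `trusted-public-keys` entry directly below it stays pinned to the literal key name `cache.privatevoid.net:…`. Nix ignores store paths from a substituter whose signatures do not verify against a trusted key, so if the domain value ever diverges from that literal the cache would quietly stop being used and builds would fall back to source rather than fail loudly. Since the key name is the signing key's own name and not necessarily the hostname, deriving it from the domain may not be correct; a comment such as `# key name must match the signing key served by cache.${depot.lib.meta.domain}` would at least record the coupling. The same `depot.lib.meta.domain` substitution appears in the `flake-registry` hunk of this file; the enclosing `nix` set is opened in the first hunk and closed outside the shown hunks.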
@ -1,6 +1,6 @@
|
||||||
{ depot, lib, ... }:
|
{ depot, lib, ... }:
|
||||||
let
|
let
|
||||||
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.config.hours;
|
filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.hours;
|
||||||
idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
|
idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
|
||||||
configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;
|
configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;
|
||||||
|
|
||||||
|
|
|
@ -1,17 +1,11 @@
|
||||||
{ lib, self, ... }:
|
{ config, self, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
perSystem = { filters, pkgs, self', ... }: let
|
perSystem = { filters, pkgs, self', ... }: {
|
||||||
fakeCluster = import ../../cluster {
|
|
||||||
inherit lib;
|
|
||||||
hostName = throw "not available in test environment";
|
|
||||||
depot = throw "not available in test environment";
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
checks = filters.doFilter filters.checks {
|
checks = filters.doFilter filters.checks {
|
||||||
jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix {
|
jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix {
|
||||||
inherit (self'.packages) jellyfin;
|
inherit (self'.packages) jellyfin;
|
||||||
inherit fakeCluster;
|
inherit (config) cluster;
|
||||||
};
|
};
|
||||||
|
|
||||||
keycloak = pkgs.callPackage ./keycloak-custom-jre.nix {
|
keycloak = pkgs.callPackage ./keycloak-custom-jre.nix {
|
||||||
|
|
|
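Review bot: The new argument set `{ config, self, ... }` keeps `self` although nothing in the hunk references it now that the `fakeCluster` let-binding (which used `lib`) is gone; if the rest of the file, which lies outside this hunk, does not use it either, it can be dropped the same way `lib` was. The checks now evaluate against `config.cluster`, presumably the flake-level cluster evaluation, instead of an isolated fake whose `depot` was a `throw`, so `jellyfin-stateless` now depends on the real cluster definition; a one-line comment at `inherit (config) cluster;` such as `# uses the real cluster evaluation, not an isolated test fixture` would make that intentional. The `perSystem` body continues outside the hunk.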
@ -1,10 +1,10 @@
|
||||||
{ nixosTest, fakeCluster, jellyfin }:
|
{ nixosTest, cluster, jellyfin }:
|
||||||
|
|
||||||
nixosTest {
|
nixosTest {
|
||||||
name = "jellyfin-stateless";
|
name = "jellyfin-stateless";
|
||||||
nodes = {
|
nodes = {
|
||||||
machine = {
|
machine = {
|
||||||
imports = fakeCluster.config.services.warehouse.nixos.host;
|
imports = cluster.config.services.warehouse.nixos.host;
|
||||||
|
|
||||||
_module.args.depot.packages.jellyfin = jellyfin;
|
_module.args.depot.packages.jellyfin = jellyfin;
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
let toolsets = {
|
|
||||||
meta = import ./meta.nix;
|
|
||||||
|
|
||||||
identity = import ./identity.nix { inherit toolsets; };
|
|
||||||
networks = import ./networks.nix { inherit toolsets; };
|
|
||||||
nginx = import ./nginx.nix { inherit toolsets; };
|
|
||||||
};
|
|
||||||
in toolsets // {
|
|
||||||
all = args: (builtins.mapAttrs (_: x: x args) toolsets) // { inherit (toolsets) meta; };
|
|
||||||
}
|
|
|
@ -1,40 +0,0 @@
|
||||||
# internal interface
|
|
||||||
{ toolsets }:
|
|
||||||
# external interface
|
|
||||||
{ lib ? null, domain ? toolsets.meta.domain, ... }:
|
|
||||||
let
|
|
||||||
tools = (self: {
|
|
||||||
|
|
||||||
inherit domain;
|
|
||||||
|
|
||||||
autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";
|
|
||||||
|
|
||||||
ldap = {
|
|
||||||
server = with self.ldap.server; {
|
|
||||||
# TODO: unhardcode everything here
|
|
||||||
protocol = "ldaps";
|
|
||||||
hostname = "authsys.virtual-machines.${domain}";
|
|
||||||
port = 636;
|
|
||||||
url = "${protocol}://${connectionString}";
|
|
||||||
connectionString = "${hostname}:${builtins.toString port}";
|
|
||||||
};
|
|
||||||
accounts = with self.ldap.accounts; {
|
|
||||||
domainComponents = self.ldap.lib.convertDomain domain;
|
|
||||||
uidAttribute = "uid";
|
|
||||||
uidFilter = "(${uidAttribute}=%u)";
|
|
||||||
userSearchBase = "cn=users,cn=accounts,${domainComponents}";
|
|
||||||
};
|
|
||||||
lib = {
|
|
||||||
convertDomain = domain: with builtins; lib.pipe domain [
|
|
||||||
(split "\\.")
|
|
||||||
(filter isString)
|
|
||||||
(map (x: "dc=${x}"))
|
|
||||||
(concatStringsSep ",")
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
dns.master.addr = "10.10.0.11";
|
|
||||||
kerberos.kdc = "authsys.virtual-machines.${domain}";
|
|
||||||
|
|
||||||
}) tools;
|
|
||||||
in tools
|
|
|
@ -1,4 +0,0 @@
|
||||||
{ pkgs, lib, config, ... }:
|
|
||||||
{
|
|
||||||
_module.args.tools = (import ./.).all { inherit pkgs lib config; };
|
|
||||||
}
|
|
|
@ -1,4 +0,0 @@
|
||||||
rec {
|
|
||||||
domain = "privatevoid.net";
|
|
||||||
adminEmail = "admins@${domain}";
|
|
||||||
}
|
|
|
@ -1,20 +0,0 @@
|
||||||
# internal interface
|
|
||||||
{ toolsets }:
|
|
||||||
# external interface
|
|
||||||
{ lib ? null, ... }:
|
|
||||||
let
|
|
||||||
tools = (self: {
|
|
||||||
|
|
||||||
all = {};
|
|
||||||
|
|
||||||
ipv4.all = {};
|
|
||||||
|
|
||||||
ipv4.internal = {
|
|
||||||
addr = "10.0.0.0/8";
|
|
||||||
vpn = {
|
|
||||||
addr = "10.100.0.0/16";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
}) tools;
|
|
||||||
in tools
|
|
|
@ -1,58 +0,0 @@
|
||||||
# internal interface
|
|
||||||
{ toolsets }:
|
|
||||||
# external interface
|
|
||||||
{ config ? null, lib ? null, domain ? toolsets.meta.domain, ... }:
|
|
||||||
let
|
|
||||||
tools = (self: {
|
|
||||||
|
|
||||||
inherit domain;
|
|
||||||
|
|
||||||
mappers = {
|
|
||||||
|
|
||||||
mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
vhosts = with self.vhosts; {
|
|
||||||
|
|
||||||
basic = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
redirect = target: basic // {
|
|
||||||
locations."/".return = "301 ${target}";
|
|
||||||
};
|
|
||||||
|
|
||||||
proxy = target: basic // {
|
|
||||||
locations."/".proxyPass = target;
|
|
||||||
};
|
|
||||||
|
|
||||||
static = root: basic // {
|
|
||||||
inherit root;
|
|
||||||
};
|
|
||||||
|
|
||||||
indexedStatic = root: (static root) // {
|
|
||||||
extraConfig = "autoindex on;";
|
|
||||||
};
|
|
||||||
|
|
||||||
simplePHP = root: (static root) // {
|
|
||||||
locations."~ \.php$".extraConfig = ''
|
|
||||||
fastcgi_pass unix:${config.services.phpfpm.pools.www.socket};
|
|
||||||
fastcgi_index index.php;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
proxyGhost = scheme: target: basic // {
|
|
||||||
locations."/".extraConfig = ''
|
|
||||||
proxy_pass ${scheme}://${target};
|
|
||||||
proxy_set_header Host ${target};
|
|
||||||
proxy_set_header Referer ${scheme}://${target};
|
|
||||||
proxy_cookie_domain ${target} domain.invalid;
|
|
||||||
proxy_set_header Cookie "";
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
}) tools;
|
|
||||||
in tools
|
|