Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r--ops/machines/whitby/default.nix281
1 files changed, 144 insertions, 137 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 5de8481878..6a8ee56abc 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -4,49 +4,52 @@
 let
   inherit (builtins) listToAttrs;
   inherit (lib) range;
+
+  mod = name: depot.path.origSrc + ("/ops/modules/" + name);
 in
 {
   imports = [
-    "${depot.path}/ops/modules/atward.nix"
-    "${depot.path}/ops/modules/cgit/default.nix"
-    "${depot.path}/ops/modules/clbot.nix"
-    "${depot.path}/ops/modules/gerrit-queue.nix"
-    "${depot.path}/ops/modules/irccat.nix"
-    "${depot.path}/ops/modules/josh.nix"
-    "${depot.path}/ops/modules/journaldriver.nix"
-    "${depot.path}/ops/modules/known-hosts.nix"
-    "${depot.path}/ops/modules/monorepo-gerrit.nix"
-    "${depot.path}/ops/modules/nixery.nix"
-    "${depot.path}/ops/modules/oauth2_proxy.nix"
-    "${depot.path}/ops/modules/owothia.nix"
-    "${depot.path}/ops/modules/panettone.nix"
-    "${depot.path}/ops/modules/paroxysm.nix"
-    "${depot.path}/ops/modules/restic.nix"
-    "${depot.path}/ops/modules/smtprelay.nix"
-    "${depot.path}/ops/modules/sourcegraph.nix"
-    "${depot.path}/ops/modules/tvl-buildkite.nix"
-    "${depot.path}/ops/modules/tvl-slapd/default.nix"
-    "${depot.path}/ops/modules/tvl-users.nix"
-    "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/cache.tvl.su.nix"
-    "${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/code.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/cs.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/deploys.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/images.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/nixery.dev.nix"
-    "${depot.path}/ops/modules/www/self-redirect.nix"
-    "${depot.path}/ops/modules/www/static.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/status.tvl.su.nix"
-    "${depot.path}/ops/modules/www/tazj.in.nix"
-    "${depot.path}/ops/modules/www/todo.tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/tvl.fyi.nix"
-    "${depot.path}/ops/modules/www/tvl.su.nix"
-    "${depot.path}/ops/modules/www/wigglydonke.rs.nix"
-    "${depot.third_party.agenix.src}/modules/age.nix"
-    "${pkgs.path}/nixos/modules/services/web-apps/gerrit.nix"
+    (mod "atward.nix")
+    (mod "cgit.nix")
+    (mod "clbot.nix")
+    (mod "gerrit-autosubmit.nix")
+    (mod "irccat.nix")
+    (mod "josh.nix")
+    (mod "journaldriver.nix")
+    (mod "known-hosts.nix")
+    (mod "livegrep.nix")
+    (mod "monorepo-gerrit.nix")
+    (mod "owothia.nix")
+    (mod "panettone.nix")
+    (mod "paroxysm.nix")
+    (mod "restic.nix")
+    (mod "smtprelay.nix")
+    (mod "sourcegraph.nix")
+    (mod "tvl-buildkite.nix")
+    (mod "tvl-slapd/default.nix")
+    (mod "tvl-users.nix")
+    (mod "www/atward.tvl.fyi.nix")
+    (mod "www/auth.tvl.fyi.nix")
+    (mod "www/b.tvl.fyi.nix")
+    (mod "www/cache.tvl.su.nix")
+    (mod "www/cl.tvl.fyi.nix")
+    (mod "www/code.tvl.fyi.nix")
+    (mod "www/cs.tvl.fyi.nix")
+    (mod "www/deploys.tvl.fyi.nix")
+    (mod "www/self-redirect.nix")
+    (mod "www/signup.tvl.fyi.nix")
+    (mod "www/static.tvl.fyi.nix")
+    (mod "www/status.tvl.su.nix")
+    (mod "www/todo.tvl.fyi.nix")
+    (mod "www/tvix.dev.nix")
+    (mod "www/tvl.fyi.nix")
+    (mod "www/tvl.su.nix")
+    (mod "www/wigglydonke.rs.nix")
+
+    # experimental!
+    (mod "www/grep.tvl.fyi.nix")
+
+    (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
   hardware = {
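Review bot: The `# experimental!` comment above `(mod "www/grep.tvl.fyi.nix")` does not say what is experimental or what a reader should expect to break, so it will age into noise. Since this hunk also adds `livegrep.nix` and a later hunk enables `livegrep`, grep.tvl.fyi is presumably its public frontend; a comment such as `# experimental: public livegrep frontend, may be removed or changed without notice` would carry that context. The `mod` helper is a clear improvement over the interpolated strings, though a short comment like `# Resolve a module path relative to the depot's original source tree` on its definition would help readers unfamiliar with `depot.path.origSrc`. The attribute set containing `imports` continues past the end of the hunk.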
@@ -55,7 +58,7 @@ in
   };
 
   boot = {
-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
     kernelModules = [ "kvm-amd" ];
     supportedFilesystems = [ "zfs" ];
 
@@ -80,7 +83,7 @@ in
           authorizedKeys =
             depot.users.tazjin.keys.all
             ++ depot.users.lukegb.keys.all
-            ++ [ depot.users.grfn.keys.whitby ];
+            ++ [ depot.users.aspen.keys.whitby ];
 
           hostKeys = [
             /etc/secrets/initrd_host_ed25519_key
@@ -101,7 +104,6 @@ in
 
     loader.grub = {
       enable = true;
-      version = 2;
       efiSupport = true;
       efiInstallAsRemovable = true;
       device = "/dev/disk/by-id/nvme-SAMSUNG_MZQLB1T9HAJR-00007_S439NA0N201620";
@@ -182,24 +184,24 @@ in
 
   nix = {
     nrBuildUsers = 256;
-    maxJobs = lib.mkDefault 64;
-    extraOptions = ''
-      secret-key-files = /run/agenix/nix-cache-priv
-    '';
-
-    trustedUsers = [
-      "grfn"
-      "lukegb"
-      "tazjin"
-      "sterni"
-    ];
+    settings = {
+      max-jobs = lib.mkDefault 64;
+      secret-key-files = "/run/agenix/nix-cache-priv";
+
+      trusted-users = [
+        "aspen"
+        "lukegb"
+        "tazjin"
+        "sterni"
+      ];
+    };
 
     sshServe = {
       enable = true;
       keys = with depot.users;
         tazjin.keys.all
         ++ lukegb.keys.all
-        ++ [ grfn.keys.whitby ]
+        ++ [ aspen.keys.whitby ]
         ++ sterni.keys.all
       ;
     };
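Review bot: `secret-key-files = "/run/agenix/nix-cache-priv";` hardcodes the agenix secrets directory while every other secret path touched by this commit (clbot, nix-serve, grafana, keycloak) is derived from `config.age.secretsDir`, so this one will silently break if that option ever changes. The consistent form is `secret-key-files = config.age.secretsDir + "/nix-cache-priv";`. Separately, `trusted-users` is worth a comment such as `# Trusted users can pass arbitrary settings to the daemon and effectively have root on this host`, since the list now names individual people and is easy to extend casually.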
@@ -209,8 +211,10 @@ in
   programs.mosh.enable = true;
   services.openssh = {
     enable = true;
-    passwordAuthentication = false;
-    challengeResponseAuthentication = false;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
   };
 
   # Configure secrets for services that need them.
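Review bot: The new `services.openssh.settings` block disables both password and keyboard-interactive authentication but does not say why both are needed, and the two old option names do not map obviously to the new ones. A comment like `# Key-only SSH: disabling keyboard-interactive as well closes the PAM-backed password path` above `settings = {` would make the intent clear to the next person who migrates these options.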
@@ -220,12 +224,11 @@ in
     in
     {
       clbot.file = secretFile "clbot";
-      gerrit-queue.file = secretFile "gerrit-queue";
+      gerrit-autosubmit.file = secretFile "gerrit-autosubmit";
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
       keycloak-db.file = secretFile "keycloak-db";
       nix-cache-priv.file = secretFile "nix-cache-priv";
-      oauth2_proxy.file = secretFile "oauth2_proxy";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
       smtprelay.file = secretFile "smtprelay";
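Review bot: Removing `oauth2_proxy.file = secretFile "oauth2_proxy";` stops deploying that secret, but nothing on this page shows the encrypted secret being deleted or the corresponding client credential being revoked at the identity provider. If the ciphertext still exists elsewhere in the secrets set, it should be dropped and the credential retired so an unused client secret does not linger; I cannot tell from this diff whether that was done in a separate change.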
@@ -248,6 +251,12 @@ in
         group = "buildkite-agents";
       };
 
+      buildkite-private-key = {
+        file = secretFile "buildkite-ssh-private-key";
+        mode = "0440";
+        group = "buildkite-agents";
+      };
+
       gerrit-besadii-config = {
         file = secretFile "besadii";
         owner = "git";
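Review bot: The new `buildkite-private-key` entry is group-readable (`mode = "0440"`) by every member of `buildkite-agents`, yet the attribute name and the secret file name (`buildkite-ssh-private-key`) differ and nothing records what the key grants access to. A comment such as `# SSH private key shared by all buildkite agents (group-readable); scope its remote access as narrowly as possible` above the entry would document the blast radius. If the intent was per-agent access, a dedicated owner instead of the default would be the tighter choice; I cannot tell the intent from the hunk.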
@@ -270,6 +279,14 @@ in
         file = secretFile "nix-cache-pub";
         mode = "0444";
       };
+
+      depot-replica-key = {
+        file = secretFile "depot-replica-key";
+        mode = "0500";
+        owner = "git";
+        group = "git";
+        path = "/var/lib/git/.ssh/id_ed25519";
+      };
     };
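Review bot: `mode = "0500";` on `depot-replica-key` sets the execute bit on a file that is a private key deployed to `/var/lib/git/.ssh/id_ed25519`; the execute bit has no meaning for a key file and the conventional read-only mode is `mode = "0400";`. A comment such as `# Key the git user uses to push the depot replica; owner-read-only` would also record why this secret, unlike the others, is materialised at a fixed path under the user's `.ssh` directory.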
 
   # Automatically collect garbage from the Nix store.
@@ -328,13 +345,13 @@ in
   # Start the Gerrit->IRC bot
   services.depot.clbot = {
     enable = true;
-    channels = [ "#tvl" ];
+    channels = [ "#tvix-dev" "#tvl" ];
 
     # See //fun/clbot for details.
     flags = {
       gerrit_host = "cl.tvl.fyi:29418";
       gerrit_ssh_auth_username = "clbot";
-      gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";
+      gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh";
 
       irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
       irc_user = "tvlbot";
@@ -353,6 +370,9 @@ in
     # Run a SourceGraph code search instance
     sourcegraph.enable = true;
 
+    # Run a livegrep code search instance
+    livegrep.enable = true;
+
     # Run the Panettone issue tracker
     panettone = {
       enable = true;
@@ -393,11 +413,12 @@ in
     # Run atward, the search engine redirection thing.
     atward.enable = true;
 
-    # Run a Nixery instance
-    nixery.enable = true;
-
     # Run cgit & josh to serve git
-    cgit.enable = true;
+    cgit = {
+      enable = true;
+      user = "git"; # run as the same user as gerrit
+    };
+
     josh.enable = true;
 
     # Configure backups to GleSYS
@@ -411,15 +432,13 @@ in
     };
 
     # Run autosubmit bot for Gerrit
-    gerrit-queue.enable = true;
-
-    # Run oauth2_proxy for internal service auth
-    oauth2_proxy.enable = true;
+    gerrit-autosubmit.enable = true;
   };
 
   services.postgresql = {
     enable = true;
     enableTCPIP = true;
+    package = pkgs.postgresql_16;
 
     authentication = lib.mkForce ''
       local all all trust
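Review bot: `package = pkgs.postgresql_16;` pins a PostgreSQL major version without a comment, and the NixOS module does not migrate an existing data directory across majors, so the next person who bumps this line may end up with a cluster that refuses to start. A comment such as `# Major version pinned; bumping it requires a manual pg_upgrade of the data directory first` would prevent that. The `authentication` block that follows is unchanged context, but note that it sits next to a newly pinned server version and is worth re-reading whenever the package changes.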
@@ -435,9 +454,7 @@ in
 
     ensureUsers = [{
       name = "panettone";
-      ensurePermissions = {
-        "DATABASE panettone" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     }];
   };
 
@@ -453,7 +470,7 @@ in
   services.nix-serve = {
     enable = true;
     port = 6443;
-    secretKeyFile = "/run/agenix/nix-cache-priv";
+    secretKeyFile = config.age.secretsDir + "/nix-cache-priv";
     bindAddress = "localhost";
   };
 
@@ -527,70 +544,52 @@ in
 
   services.grafana = {
     enable = true;
-    port = 4723; # "graf" on phone keyboard
-    domain = "status.tvl.su";
-    rootUrl = "https://status.tvl.su";
-    analytics.reporting.enable = false;
-    extraOptions =
-      let
-        options = {
-          auth = {
-            generic_oauth = {
-              enabled = true;
-              client_id = "grafana";
-              scopes = "openid profile email";
-              name = "TVL";
-              email_attribute_path = "mail";
-              login_attribute_path = "sub";
-              name_attribute_path = "displayName";
-              auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
-              token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
-              api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
-
-              # Give lukegb, grfn, tazjin "Admin" rights.
-              role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
-
-              # Allow creating new Grafana accounts from OAuth accounts.
-              allow_sign_up = true;
-            };
-
-            anonymous = {
-              enabled = true;
-              org_name = "The Virus Lounge";
-              org_role = "Viewer";
-            };
-
-            basic.enabled = false;
-            oauth_auto_login = true;
-            disable_login_form = true;
-          };
-        };
-        inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
-        inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
-
-        # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
-        encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
-
-        # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
-        optionToString = value:
-          if (typeOf value) == "bool" then
-            if value then "true" else "false"
-          else builtins.toString value;
-
-        # Turn an nested options attrset into a flat listToAttrs-compatible list.
-        encodeOptions = prefix: inp: concatLists (mapAttrsToList
-          (name: value:
-            if (typeOf value) == "set"
-            then encodeOptions (prefix ++ [ name ]) value
-            else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
-          )
-          inp);
-      in
-      listToAttrs (encodeOptions [ ] options);
+
+    settings = {
+      server = {
+        http_port = 4723; # "graf" on phone keyboard
+        domain = "status.tvl.su";
+        root_url = "https://status.tvl.su";
+      };
+
+      analytics.reporting_enabled = false;
+
+      "auth.generic_oauth" = {
+        enabled = true;
+        client_id = "grafana";
+        scopes = "openid profile email";
+        name = "TVL";
+        email_attribute_path = "mail";
+        login_attribute_path = "sub";
+        name_attribute_path = "displayName";
+        auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+        token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+        api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+
+        # Give lukegb, aspen, tazjin "Admin" rights.
+        role_attribute_path = "((sub == 'lukegb' || sub == 'aspen' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+        # Allow creating new Grafana accounts from OAuth accounts.
+        allow_sign_up = true;
+      };
+
+      "auth.anonymous" = {
+        enabled = true;
+        org_name = "The Virus Lounge";
+        org_role = "Viewer";
+      };
+
+      "auth.basic".enabled = false;
+
+      auth = {
+        oauth_auto_login = true;
+        disable_login_form = true;
+      };
+    };
 
     provision = {
       enable = true;
-      datasources = [{
+      datasources.settings.datasources = [{
         name = "Prometheus";
         type = "prometheus";
         url = "http://localhost:9090";
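Review bot: In the new `"auth.generic_oauth"` block, `allow_sign_up = true` combined with the `|| 'Editor'` fallback in `role_attribute_path` means every account in the TVL realm that can complete OAuth login is automatically created as an Editor, and the first hunk imports a `signup.tvl.fyi` module, which suggests accounts can be self-registered. The existing comments document the Admin list and the sign-up flag separately but not this combination; a comment such as `# Any realm account not listed above is created as Editor on first login` next to `role_attribute_path` would make the resulting policy explicit. If Viewer is the intended default for unknown accounts, the fallback should be `'Viewer'` instead; I cannot tell the intended policy from the diff.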
@@ -599,13 +598,13 @@ in
   };
 
   # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
-  systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secretsDir + "/grafana";
 
   services.keycloak = {
     enable = true;
-    httpPort = "5925"; # "kycl"
 
     settings = {
+      http-port = 5925; # kycl
       hostname = "auth.tvl.fyi";
       http-relative-path = "/auth";
       proxy = "edge";
@@ -613,11 +612,17 @@ in
 
     database = {
       type = "postgresql";
-      passwordFile = "/run/agenix/keycloak-db";
+      passwordFile = config.age.secretsDir + "/keycloak-db";
       createLocally = false;
     };
   };
 
+  # Join TVL Tailscale network at net.tvl.fyi
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server"; # for exit-node usage
+  };
+
   # Allow Keycloak access to the LDAP module by forcing in the JVM
   # configuration
   systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
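Review bot: `useRoutingFeatures = "server"` does more than the trailing comment suggests: it enables kernel IP forwarding for IPv4 and IPv6 on the whole host, not only for the tailscale interface, which changes how this machine treats packets arriving on its other interfaces. A comment such as `# "server" also enables system-wide IP forwarding sysctls so this host can act as an exit node` would record that side effect for whoever reviews the firewall configuration later. Whether the firewall rules elsewhere in this file already account for forwarding is not visible in the hunk.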
@@ -641,5 +646,7 @@ in
     };
   };
 
+  zramSwap.enable = true;
+
   system.stateVersion = "20.03";
 }