Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r-- | ops/machines/whitby/default.nix | 183 |
1 files changed, 85 insertions, 98 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 940cfc910a..6a8ee56abc 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -12,14 +12,13 @@ in (mod "atward.nix") (mod "cgit.nix") (mod "clbot.nix") - (mod "gerrit-queue.nix") + (mod "gerrit-autosubmit.nix") (mod "irccat.nix") (mod "josh.nix") (mod "journaldriver.nix") (mod "known-hosts.nix") + (mod "livegrep.nix") (mod "monorepo-gerrit.nix") - (mod "nixery.nix") - (mod "oauth2_proxy.nix") (mod "owothia.nix") (mod "panettone.nix") (mod "paroxysm.nix") @@ -37,17 +36,19 @@ in (mod "www/code.tvl.fyi.nix") (mod "www/cs.tvl.fyi.nix") (mod "www/deploys.tvl.fyi.nix") - (mod "www/images.tvl.fyi.nix") - (mod "www/nixery.dev.nix") (mod "www/self-redirect.nix") + (mod "www/signup.tvl.fyi.nix") (mod "www/static.tvl.fyi.nix") (mod "www/status.tvl.su.nix") - (mod "www/tazj.in.nix") (mod "www/todo.tvl.fyi.nix") + (mod "www/tvix.dev.nix") (mod "www/tvl.fyi.nix") (mod "www/tvl.su.nix") (mod "www/wigglydonke.rs.nix") + # experimental! + (mod "www/grep.tvl.fyi.nix") + (depot.third_party.agenix.src + "/modules/age.nix") ]; @@ -57,7 +58,7 @@ in }; boot = { - tmpOnTmpfs = true; + tmp.useTmpfs = true; kernelModules = [ "kvm-amd" ]; supportedFilesystems = [ "zfs" ]; @@ -82,7 +83,7 @@ in authorizedKeys = depot.users.tazjin.keys.all ++ depot.users.lukegb.keys.all - ++ [ depot.users.grfn.keys.whitby ]; + ++ [ depot.users.aspen.keys.whitby ]; hostKeys = [ /etc/secrets/initrd_host_ed25519_key @@ -103,7 +104,6 @@ in loader.grub = { enable = true; - version = 2; efiSupport = true; efiInstallAsRemovable = true; device = "/dev/disk/by-id/nvme-SAMSUNG_MZQLB1T9HAJR-00007_S439NA0N201620"; 
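Review bot: The removed `(mod "oauth2_proxy.nix")` line drops the module that a later hunk's own comment describes as "oauth2_proxy for internal service auth", and the same change removes its `age.secrets` entry and `oauth2_proxy.enable` further down, but nothing visible here shows what now fronts the services it protected. If those services were retired in this same change (nixery, images.tvl.fyi and tazj.in are removed alongside it) a comment at the module list or a line in the commit message saying so would make that explicit; if any of them remain, they are reachable without the proxy until another auth layer is configured. The Keycloak client and the encrypted `oauth2_proxy` secret file that backed it, if they still exist, are now unreferenced from this config and should be retired with it.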
@@ -184,24 +184,24 @@ in nix = { nrBuildUsers = 256; - maxJobs = lib.mkDefault 64; - extraOptions = '' - secret-key-files = /run/agenix/nix-cache-priv - ''; - - trustedUsers = [ - "grfn" - "lukegb" - "tazjin" - "sterni" - ]; + settings = { + max-jobs = lib.mkDefault 64; + secret-key-files = "/run/agenix/nix-cache-priv"; + + trusted-users = [ + "aspen" + "lukegb" + "tazjin" + "sterni" + ]; + }; sshServe = { enable = true; keys = with depot.users; tazjin.keys.all ++ lukegb.keys.all - ++ [ grfn.keys.whitby ] + ++ [ aspen.keys.whitby ] ++ sterni.keys.all ; }; @@ -211,8 +211,10 @@ in programs.mosh.enable = true; services.openssh = { enable = true; - passwordAuthentication = false; - challengeResponseAuthentication = false; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; }; # Configure secrets for services that need them. @@ -222,12 +224,11 @@ in in { clbot.file = secretFile "clbot"; - gerrit-queue.file = secretFile "gerrit-queue"; + gerrit-autosubmit.file = secretFile "gerrit-autosubmit"; grafana.file = secretFile "grafana"; irccat.file = secretFile "irccat"; keycloak-db.file = secretFile "keycloak-db"; nix-cache-priv.file = secretFile "nix-cache-priv"; - oauth2_proxy.file = secretFile "oauth2_proxy"; owothia.file = secretFile "owothia"; panettone.file = secretFile "panettone"; smtprelay.file = secretFile "smtprelay"; @@ -344,7 +345,7 @@ in # Start the Gerrit->IRC bot services.depot.clbot = { enable = true; - channels = [ "#tvl" ]; + channels = [ "#tvix-dev" "#tvl" ]; # See //fun/clbot for details. flags = { @@ -369,6 +370,9 @@ in # Run a SourceGraph code search instance sourcegraph.enable = true; + # Run a livegrep code search instance + livegrep.enable = true; + # Run the Panettone issue tracker panettone = { enable = true; @@ -409,9 +413,6 @@ in # Run atward, the search engine redirection thing. atward.enable = true; - # Run a Nixery instance - nixery.enable = true; - # Run cgit & josh to serve git cgit = { enable = true; 
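Review bot: The rewritten `trusted-users` list in the `nix.settings` hunk carries no comment on what membership grants, and it is effectively root on this host, because trusted users may override daemon settings such as sandboxing and `substituters` for their own builds. A one-line comment above the list, `# trusted-users may override sandbox/substituter settings: treat as root-equivalent on whitby.`, would record that, and since the same people also appear in `sshServe.keys` just below, a pointer to keep the two lists in step is worth adding. The enclosing `nix = {` attrset opens before the hunk.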
@@ -431,15 +432,13 @@ in }; # Run autosubmit bot for Gerrit - gerrit-queue.enable = true; - - # Run oauth2_proxy for internal service auth - oauth2_proxy.enable = true; + gerrit-autosubmit.enable = true; }; services.postgresql = { enable = true; enableTCPIP = true; + package = pkgs.postgresql_16; authentication = lib.mkForce '' local all all trust @@ -455,9 +454,7 @@ in ensureUsers = [{ name = "panettone"; - ensurePermissions = { - "DATABASE panettone" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; }; 
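Review bot: The added `package = pkgs.postgresql_16;` pins a specific PostgreSQL major on a host whose `system.stateVersion` is `"20.03"` (visible in the final hunk), so unless the cluster's data directory was already created by or migrated to 16, this is a major-version jump and the server will refuse to start on the existing cluster files; a `pg_upgrade` or dump-and-restore has to accompany the deploy. Recording that in place, e.g. `package = pkgs.postgresql_16; # cluster upgraded from <previous major> before this pin`, keeps the next version bump from repeating the surprise. The `services.postgresql = {` attrset continues past the end of the hunk.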
@@ -547,70 +544,52 @@ in services.grafana = { enable = true; - port = 4723; # "graf" on phone keyboard - domain = "status.tvl.su"; - rootUrl = "https://status.tvl.su"; - analytics.reporting.enable = false; - extraOptions = - let - options = { - auth = { - generic_oauth = { - enabled = true; - client_id = "grafana"; - scopes = "openid profile email"; - name = "TVL"; - email_attribute_path = "mail"; - login_attribute_path = "sub"; - name_attribute_path = "displayName"; - auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth"; - token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token"; - api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo"; - - # Give lukegb, grfn, tazjin "Admin" rights. - role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'"; - - # Allow creating new Grafana accounts from OAuth accounts. - allow_sign_up = true; - }; - - anonymous = { - enabled = true; - org_name = "The Virus Lounge"; - org_role = "Viewer"; - }; - - basic.enabled = false; - oauth_auto_login = true; - disable_login_form = true; - }; - }; - inherit (builtins) typeOf replaceStrings listToAttrs concatLists; - inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep; - - # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED. - encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw)); - - # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "". - optionToString = value: - if (typeOf value) == "bool" then - if value then "true" else "false" - else builtins.toString value; - - # Turn an nested options attrset into a flat listToAttrs-compatible list. 
- encodeOptions = prefix: inp: concatLists (mapAttrsToList - (name: value: - if (typeOf value) == "set" - then encodeOptions (prefix ++ [ name ]) value - else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ] - ) - inp); - in - listToAttrs (encodeOptions [ ] options); + + settings = { + server = { + http_port = 4723; # "graf" on phone keyboard + domain = "status.tvl.su"; + root_url = "https://status.tvl.su"; + }; + + analytics.reporting_enabled = false; + + "auth.generic_oauth" = { + enabled = true; + client_id = "grafana"; + scopes = "openid profile email"; + name = "TVL"; + email_attribute_path = "mail"; + login_attribute_path = "sub"; + name_attribute_path = "displayName"; + auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth"; + token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token"; + api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo"; + + # Give lukegb, aspen, tazjin "Admin" rights. + role_attribute_path = "((sub == 'lukegb' || sub == 'aspen' || sub == 'tazjin') && 'Admin') || 'Editor'"; + + # Allow creating new Grafana accounts from OAuth accounts. + allow_sign_up = true; + }; + + "auth.anonymous" = { + enabled = true; + org_name = "The Virus Lounge"; + org_role = "Viewer"; + }; + + "auth.basic".enabled = false; + + auth = { + oauth_auto_login = true; + disable_login_form = true; + }; + }; provision = { enable = true; - datasources = [{ + datasources.settings.datasources = [{ name = "Prometheus"; type = "prometheus"; url = "http://localhost:9090"; @@ -623,9 +602,9 @@ in services.keycloak = { enable = true; - httpPort = "5925"; # "kycl" settings = { + http-port = 5925; # kycl hostname = "auth.tvl.fyi"; http-relative-path = "/auth"; proxy = "edge"; 
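Review bot: In the ported `"auth.generic_oauth"` block, `allow_sign_up = true` combined with the `|| 'Editor'` fallback in `role_attribute_path` means every account in the Keycloak realm that can complete a login is auto-provisioned as a Grafana Editor, with no `allowed_domains` or `allowed_groups` narrowing it; if that is the intended policy for this realm, a comment such as `# Any realm user may sign up and becomes Editor; only the three named subs are Admin.` would keep it from reading as an oversight. The new settings carry no `client_secret`, so presumably it still arrives via the `grafana` agenix secret as an environment variable — a comment next to `client_id` pointing at that would let the next reader confirm the secret is actually wired up. The `services.grafana` attrset continues beyond the hunk.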
@@ -638,6 +617,12 @@ in }; }; + # Join TVL Tailscale network at net.tvl.fyi + services.tailscale = { + enable = true; + useRoutingFeatures = "server"; # for exit-node usage + }; + # Allow Keycloak access to the LDAP module by forcing in the JVM # configuration systemd.services.keycloak.environment.PREPEND_JAVA_OPTS = @@ -661,5 +646,7 @@ in }; }; + zramSwap.enable = true; + system.stateVersion = "20.03"; } |
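Review bot: `useRoutingFeatures = "server"` in the new `services.tailscale` block switches on the kernel's IPv4 and IPv6 forwarding sysctls for the whole host, not just for the Tailscale interface, so the machine will forward between any of its interfaces subject only to the firewall's forward rules; the inline `# for exit-node usage` comment does not convey that. Expanding it to `# "server" enables net.ipv{4,6} forwarding host-wide (required to act as an exit node)` and confirming the forward chain does not relay traffic arriving on the public interfaces would make the change reviewable on its own.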