Diffstat (limited to 'ops/modules')
-rw-r--r-- | ops/modules/cheddar.nix | 29 | ||||
-rw-r--r-- | ops/modules/clbot.nix | 11 | ||||
-rw-r--r-- | ops/modules/harmonia.nix | 110 | ||||
-rw-r--r-- | ops/modules/irccat.nix | 2 | ||||
-rw-r--r-- | ops/modules/sourcegraph.nix | 60 | ||||
-rw-r--r-- | ops/modules/teleirc.nix | 40 | ||||
-rw-r--r-- | ops/modules/tvl-headscale.nix | 6 | ||||
-rw-r--r-- | ops/modules/www/cache.tvl.su.nix | 7 | ||||
-rw-r--r-- | ops/modules/www/cs.tvl.fyi.nix | 49 | ||||
-rw-r--r-- | ops/modules/www/tazj.in.nix | 54 |
10 files changed, 231 insertions, 137 deletions
diff --git a/ops/modules/cheddar.nix b/ops/modules/cheddar.nix new file mode 100644 index 000000000000..8c3036978988 --- /dev/null +++ b/ops/modules/cheddar.nix @@ -0,0 +1,29 @@ +{ depot, config, pkgs, lib, ... }: + +let + cfg = config.services.depot.cheddar; + description = "cheddar - markdown/highlighting server"; +in +{ + options.services.depot.cheddar = with lib; { + enable = mkEnableOption description; + port = mkOption { + description = "Port on which cheddar should listen"; + type = types.int; + default = 4238; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.cheddar-server = { + inherit description; + wantedBy = [ "multi-user.target" ]; + script = "${depot.tools.cheddar}/bin/cheddar --listen 0.0.0.0:${toString cfg.port} --sourcegraph-server"; + + serviceConfig = { + DynamicUser = true; + Restart = "always"; + }; + }; + }; +} diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix index bdddff6c810b..0a436a8749d0 100644 --- a/ops/modules/clbot.nix +++ b/ops/modules/clbot.nix @@ -7,6 +7,7 @@ let inherit (lib) listToAttrs + mapAttrsToList mkEnableOption mkIf mkOption @@ -25,13 +26,13 @@ let ${pkgs.systemd}/bin/systemd-escape '${name}' >> $out '')); - mkUnit = flags: channel: { + mkUnit = channel: channelFlags: { name = "clbot-${systemdEscape channel}"; value = { description = "${description} to ${channel}"; wantedBy = [ "multi-user.target" ]; - script = "${depot.fun.clbot}/bin/clbot ${mkFlags (cfg.flags // { + script = "${depot.fun.clbot}/bin/clbot ${mkFlags (cfg.flags // channelFlags // { irc_channel = channel; })} -alsologtostderr"; @@ -53,8 +54,8 @@ in }; channels = mkOption { - type = with types; listOf str; - description = "Channels in which to post (generates one unit per channel)"; + type = with types; attrsOf (attrsOf str); + description = "Channels in which to post (generates one unit per channel); nested attrs are used as extra flags to the service, which override the attrs in `flags`"; }; secretsFile = mkOption { 
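Review bot: `--listen 0.0.0.0:${toString cfg.port}` keeps cheddar bound on every interface, which the removed sourcegraph module needed so the container could reach it over the docker bridge; with that consumer gone and cs.tvl.fyi now only redirecting, nothing on this page still needs a non-loopback bind. Consider making the address an option defaulting to loopback, e.g. `listenAddress = mkOption { type = types.str; default = "127.0.0.1"; };` and `script = "${depot.tools.cheddar}/bin/cheddar --listen ${cfg.listenAddress}:${toString cfg.port} --sourcegraph-server";`, and use `types.port` rather than `types.int` for `port` so out-of-range values are rejected at evaluation time. Whether some other host-level consumer relies on the 0.0.0.0 bind is not visible from this diff.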
@@ -77,6 +78,6 @@ in }; }; - systemd.services = listToAttrs (map (mkUnit cfg.flags) cfg.channels); + systemd.services = listToAttrs (mapAttrsToList mkUnit cfg.channels); }; } diff --git a/ops/modules/harmonia.nix b/ops/modules/harmonia.nix new file mode 100644 index 000000000000..ae0bdc2cf01e --- /dev/null +++ b/ops/modules/harmonia.nix 
@@ -0,0 +1,110 @@ +# This is a fork of the nixpkgs module for Harmonia, which adds compatibility +# with Nix 2.3. +# +# We will upstream this eventually. +{ config, pkgs, lib, ... }: +let + cfg = config.services.depot.harmonia; + format = pkgs.formats.toml { }; + + credentials = lib.imap0 + (i: signKeyPath: { + id = "sign-key-${builtins.toString i}"; + path = signKeyPath; + }) + cfg.signKeyPaths; +in +{ + options = { + services.depot.harmonia = { + enable = lib.mkEnableOption "Harmonia: Nix binary cache written in Rust"; + + signKeyPaths = lib.mkOption { + type = lib.types.listOf lib.types.path; + default = [ ]; + description = "Paths to the signing keys to use for signing the cache"; + }; + + package = lib.mkPackageOption pkgs "harmonia" { }; + + settings = lib.mkOption { + inherit (format) type; + default = { }; + description = '' + Settings to merge with the default configuration. + For the list of the default configuration, see <https://github.com/nix-community/harmonia/tree/master#configuration>. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users.users.harmonia = { + isSystemUser = true; + group = "harmonia"; + }; + users.groups.harmonia = { }; + + systemd.services.harmonia = { + description = "harmonia binary cache service"; + + requires = [ "nix-daemon.socket" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment = { + CONFIG_FILE = format.generate "harmonia.toml" cfg.settings; + SIGN_KEY_PATHS = lib.strings.concatMapStringsSep " " + ( + credential: "%d/${credential.id}" + ) + credentials; + # Note: it's important to set this for nix-store, because it wants to use + # $HOME in order to use a temporary cache dir. 
bizarre failures will occur + # otherwise + HOME = "/run/harmonia"; + }; + + serviceConfig = { + ExecStart = lib.getExe cfg.package; + User = "harmonia"; + Group = "harmonia"; + Restart = "on-failure"; + PrivateUsers = true; + DeviceAllow = [ "" ]; + UMask = "0066"; + RuntimeDirectory = "harmonia"; + LoadCredential = builtins.map (credential: "${credential.id}:${credential.path}") credentials; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + CapabilityBoundingSet = ""; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + ProcSubset = "pid"; + ProtectProc = "invisible"; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + PrivateNetwork = false; + PrivateTmp = true; + PrivateDevices = true; + PrivateMounts = true; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + LockPersonality = true; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; + LimitNOFILE = 65536; + }; + }; + }; +} + diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix index 2263118d9974..9f99e8852fef 100644 --- a/ops/modules/irccat.nix +++ b/ops/modules/irccat.nix @@ -48,6 +48,8 @@ in systemd.services.irccat = { inherit description; wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; serviceConfig = { ExecStart = "${mergeAndLaunch}"; diff --git a/ops/modules/sourcegraph.nix b/ops/modules/sourcegraph.nix deleted file mode 100644 index cbf836ab64d5..000000000000 --- a/ops/modules/sourcegraph.nix +++ /dev/null 
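Review bot: `requires = [ "nix-daemon.socket" ]` has no matching `after` entry, so systemd pulls the socket unit in but does not order harmonia after it; `after = [ "network.target" ]` should become `after = [ "network.target" "nix-daemon.socket" ];`. The `signKeyPaths` description could also state that the files are handed to the service through `LoadCredential` (and reached as `%d/sign-key-N` via `SIGN_KEY_PATHS`), so they only need to be readable by the service manager and should not be made readable by the `harmonia` user. `PrivateNetwork = false` is the systemd default; either drop it or comment that it is deliberate because the cache must be reachable by nginx.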
@@ -1,60 +0,0 @@
-# Run sourcegraph, including its entire machinery, in a container.
-# Running it outside of a container is a futile endeavour for now.
-{ depot, config, pkgs, lib, ... }:
-
-let
- cfg = config.services.depot.sourcegraph;
-in
-{
- options.services.depot.sourcegraph = with lib; {
- enable = mkEnableOption "SourceGraph code search engine";
-
- port = mkOption {
- description = "Port on which SourceGraph should listen";
- type = types.int;
- default = 3463;
- };
-
- cheddarPort = mkOption {
- description = "Port on which cheddar should listen";
- type = types.int;
- default = 4238;
- };
- };
-
- config = lib.mkIf cfg.enable {
- # Run a cheddar syntax highlighting server
- systemd.services.cheddar-server = {
- wantedBy = [ "multi-user.target" ];
- script = "${depot.tools.cheddar}/bin/cheddar --listen 0.0.0.0:${toString cfg.cheddarPort} --sourcegraph-server";
-
- serviceConfig = {
- DynamicUser = true;
- Restart = "always";
- };
- };
-
- virtualisation.oci-containers.containers.sourcegraph = {
- image = "sourcegraph/server:3.40.0";
-
- ports = [
- "127.0.0.1:${toString cfg.port}:7080"
- ];
-
- volumes = [
- "/var/lib/sourcegraph/etc:/etc/sourcegraph"
- "/var/lib/sourcegraph/data:/var/opt/sourcegraph"
- ];
-
- # TODO(tazjin): Figure out what changed in the protocol.
- # environment.SRC_SYNTECT_SERVER = "http://172.17.0.1:${toString cfg.cheddarPort}";
-
- # Sourcegraph needs a higher nofile limit, it logs warnings
- otherwise (unclear whether it actually affects the service).
- extraOptions = [
- "--ulimit"
- "nofile=10000:10000"
- ];
- };
- };
-}
diff --git a/ops/modules/teleirc.nix b/ops/modules/teleirc.nix
new file mode 100644
index 000000000000..9f9ac059ce38
--- /dev/null
+++ b/ops/modules/teleirc.nix
@@ -0,0 +1,40 @@ +# Run the Telegram<>IRC sync bot for the Volga Sprint channel. +# +# This module is written in a pretty ad-hoc style, as it is sort of a +# throwaway thing (will be removed again after the event). +{ depot, config, lib, pkgs, ... }: + +let + cfg = config.services.depot.owothia; + description = "IRC<>Telegram sync for Volga Sprint channel"; + configFile = builtins.toFile "teleirc.env" '' + # connect through tvlbot's ZNC bouncer + IRC_SERVER="localhost" + IRC_PORT=2627 + IRC_USE_SSL=false + IRC_CHANNEL="#volgasprint" + IRC_BLACKLIST="tvlbot" + IRC_BOT_NAME="tvlbot" + IRC_BOT_REALNAME="TVL bot for Volga Sprint" + IRC_BOT_IDENT="tvlbot" + IRC_SEND_STICKER_EMOJI=false # look into this + TELEGRAM_CHAT_ID=-1002153072030 + ''; +in +{ + options.services.depot.teleirc.enable = lib.mkEnableOption description; + + config = lib.mkIf cfg.enable { + systemd.services.teleirc = { + inherit description; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + Restart = "always"; + EnvironmentFile = "/run/agenix/teleirc"; + ExecStart = "${depot.third_party.teleirc}/bin/teleirc -conf ${configFile}"; + }; + }; + }; +} diff --git a/ops/modules/tvl-headscale.nix b/ops/modules/tvl-headscale.nix index a07021c78861..6e805e4ac728 100644 --- a/ops/modules/tvl-headscale.nix +++ b/ops/modules/tvl-headscale.nix @@ -22,11 +22,7 @@ settings = { server_url = "https://net.tvl.fyi"; - dns_config.nameservers = [ - "8.8.8.8" - "1.1.1.1" - "77.88.8.8" - ]; + dns.magic_dns = false; # TLS is handled by nginx tls_cert_path = null; diff --git a/ops/modules/www/cache.tvl.su.nix b/ops/modules/www/cache.tvl.su.nix index 99bc008cd6a5..27d1c06dd3a7 100644 --- a/ops/modules/www/cache.tvl.su.nix +++ b/ops/modules/www/cache.tvl.su.nix 
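Review bot: `cfg = config.services.depot.owothia;` points at the wrong module: the only option this file declares is `services.depot.teleirc.enable`, so `lib.mkIf cfg.enable` gates the teleirc unit on owothia's enable flag (and fails evaluation if that option does not exist on the host). Change it to `cfg = config.services.depot.teleirc;`. Separately, `configFile` is written with `builtins.toFile` into the world-readable store while the credentials are expected in `EnvironmentFile = "/run/agenix/teleirc"`; a one-line comment above `configFile` saying that nothing secret may be added to it would keep that split from eroding.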
@@ -17,13 +17,8 @@ alias /run/agenix/nix-cache-pub; } - location = /nix-cache-info { - add_header Content-Type text/plain; - return 200 "StoreDir: /nix/store\nWantMassQuery: 1\nPriority: 50\n"; - } - location / { - proxy_pass http://localhost:${toString config.services.nix-serve.port}; + proxy_pass http://${config.services.depot.harmonia.settings.bind}; } ''; }; diff --git a/ops/modules/www/cs.tvl.fyi.nix b/ops/modules/www/cs.tvl.fyi.nix index fac814baf064..9555acf9ac47 100644 --- a/ops/modules/www/cs.tvl.fyi.nix +++ b/ops/modules/www/cs.tvl.fyi.nix @@ -1,3 +1,5 @@ +# This configuration redirects from the previous Sourcegraph instance to +# livegrep/cgit where appropriate. { config, ... }: { 
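Review bot: `proxy_pass http://${config.services.depot.harmonia.settings.bind};` assumes `settings.bind` is set, but the new harmonia module defaults `settings` to `{ }` and declares no default for `bind`, so this vhost fails to evaluate unless the host sets it somewhere not visible here. If that value is a wildcard such as `0.0.0.0:<port>`, nginx will proxy to that literal address and harmonia is also reachable directly; binding harmonia to loopback and reusing that value here keeps the cache reachable only through nginx. Dropping the `/nix-cache-info` location presumably relies on harmonia serving it with the same `StoreDir` and `Priority`; worth confirming, since Nix clients fetch that path first.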
@@ -13,17 +15,50 @@ forceSSL = true; extraConfig = '' - location = / { - return 301 https://cs.tvl.fyi/depot; + set $lineno ""; + + # depot root + location = /depot { + return 301 https://code.tvl.fyi/tree/; } - location / { - proxy_set_header X-Sg-Auth "Anonymous"; - proxy_pass http://localhost:${toString config.services.depot.sourcegraph.port}; + # folder/file on canon + location ~ ^/depot/-/(blob|tree)/([^\s]*)$ { + set $path $2; + if ($args ~ ^L(\d+)(-\d+)?$) { + set $lineno "#n$1"; + } + + return 302 https://code.tvl.fyi/tree/$path$lineno; + } + + # folder/file on specific commit + location ~ ^/depot@([a-f0-9]+)/-/(blob|tree)/([^\s]*)$ { + set $commit $1; + set $path $3; + + if ($args ~ ^L(\d+)(-\d+)?$) { + set $lineno "#n$1"; + } + + return 302 https://code.tvl.fyi/tree/$path?id=$commit$lineno; + } + + # commit info + location ~ ^/depot/-/commit/([a-f0-9]+)$ { + set $commit $1; + return 302 https://code.tvl.fyi/commit/?id=$commit; } - location /users/Anonymous/settings { - return 301 https://cs.tvl.fyi; + # search handler + # This only redirects to the new search, it doesn't try to parse and + # rewrite the query. + location /search { + return 302 https://grep.tvl.fyi/search; + } + + location / { + return 404 "TVL code search has moved to grep.tvl.fyi and we could not figure out how to rewrite your query. Sorry!"; } ''; }; diff --git a/ops/modules/www/tazj.in.nix b/ops/modules/www/tazj.in.nix deleted file mode 100644 index 47eefca2a622..000000000000 --- a/ops/modules/www/tazj.in.nix +++ /dev/null 
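Review bot: The `if ($args ~ ^L(\d+)(-\d+)?$) { set $lineno "#n$1"; }` block is duplicated in the two `location ~` blocks; it only reads `$args`, so it can sit once next to `set $lineno "";` at server level and both locations just append `$lineno`. The captured `$path` is user-controlled and is placed into the `Location` header unencoded; the target host is fixed so this is not an open redirect, but characters nginx decodes into the URI before matching may land in the target's query or fragment, so a tighter class such as `([^\s?#]*)` is a cheap guard. The `location /search` redirect intentionally drops the original query, as the comment above it says. The enclosing virtualHost block starts outside the hunk.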
@@ -1,54 +0,0 @@
-# serve tazjin's website & blog
-{ depot, config, lib, pkgs, ... }:
-
-{
- imports = [
- ./base.nix
- ];
-
- config = {
- services.nginx.virtualHosts."tazj.in" = {
- enableACME = true;
- forceSSL = true;
- root = depot.users.tazjin.homepage;
- serverAliases = [ "www.tazj.in" ];
-
- extraConfig = ''
- location = /en/rss.xml {
- return 301 https://tazj.in/feed.atom;
- }
-
- ${depot.users.tazjin.blog.oldRedirects}
- location /blog/ {
- alias ${depot.users.tazjin.blog.rendered}/;
-
- if ($request_uri ~ ^/(.*)\.html$) {
- return 302 /$1;
- }
-
- try_files $uri $uri.html $uri/ =404;
- }
-
- location = /predlozhnik {
- return 302 https://predlozhnik.ru;
- }
-
- # redirect for easier entry on a TV
- location = /tv {
- return 302 https://tazj.in/blobs/play.html;
- }
-
- # Temporary place for serving static files.
- location /blobs/ {
- alias /var/lib/tazjins-blobs/;
- }
- '';
- };
-
- services.nginx.virtualHosts."git.tazj.in" = {
- enableACME = true;
- forceSSL = true;
- extraConfig = "return 301 https://code.tvl.fyi$request_uri;";
- };
- };
-} |