Merge branch 'develop' into pulumi-tfgrid-nixos-deployments
steveej authored May 28, 2024
2 parents db33e12 + 1500cf5 commit 17da3e0
Showing 11 changed files with 461 additions and 64 deletions.
18 changes: 18 additions & 0 deletions flake.lock


6 changes: 6 additions & 0 deletions flake.nix
Expand Up @@ -86,6 +86,10 @@

tx5.url = "github:holochain/tx5/tx5-signal-srv-v0.0.8-alpha";
tx5.flake = false;
sbd.url =
"github:holochain/sbd/sbd-server-v0.0.4-alpha"
;
sbd.flake = false;

holochain-versions.url = "github:holochain/holochain?dir=versions/weekly";
holochain = {
Expand Down Expand Up @@ -151,6 +155,8 @@
pkgs.mkShell {
packages =
[
self'.formatter

pkgs.yq-go

inputs'.nixos-anywhere.packages.default
56 changes: 25 additions & 31 deletions lib/make-system-directory.nix
@@ -1,47 +1,41 @@
{ stdenv
, closureInfo
, pixz

, # The files and directories to be placed in the directory.
{
stdenv,
closureInfo,
pixz,
# The files and directories to be placed in the directory.
# This is a list of attribute sets {source, target} where `source'
# is the file system object (regular file or directory) to be
# grafted in the file system at path `target'.
contents

, # In addition to `contents', the closure of the store paths listed
contents,
# In addition to `contents', the closure of the store paths listed
# in `packages' are also placed in the Nix store of the tarball. This is
# a list of attribute sets {object, symlink} where `object' if a
# store path whose closure will be copied, and `symlink' is a
# symlink to `object' that will be added to the tarball.
storeContents ? [ ]

storeContents ? [],
# Extra commands to be executed before archiving files
, extraCommands ? ""

extraCommands ? "",
# extra inputs
, extraInputs ? [ ]
}:

let
extraInputs ? [],
}: let
symlinks = map (x: x.symlink) storeContents;
objects = map (x: x.object) storeContents;
in
stdenv.mkDerivation {
name = "system-directory";
builder = ./make-system-directory.sh;
nativeBuildInputs = extraInputs;

stdenv.mkDerivation {
name = "system-directory";
builder = ./make-system-directory.sh;
nativeBuildInputs = extraInputs;

inherit extraCommands;
inherit extraCommands;

# !!! should use XML.
sources = map (x: x.source) contents;
targets = map (x: x.target) contents;
# !!! should use XML.
sources = map (x: x.source) contents;
targets = map (x: x.target) contents;

# !!! should use XML.
inherit symlinks objects;
# !!! should use XML.
inherit symlinks objects;

closureInfo = closureInfo {
rootPaths = objects;
};
}
closureInfo = closureInfo {
rootPaths = objects;
};
}
100 changes: 67 additions & 33 deletions modules/flake-parts/holochain-turn-server.nix
Expand Up @@ -22,6 +22,7 @@
nixosModules.holochain-turn-server = {
config,
lib,
options,
...
}: let
cfg = config.services.holochain-turn-server;
Expand Down Expand Up @@ -49,6 +50,12 @@
default = 82;
};

listening-port = lib.mkOption {
description = options.services.coturn.listening-port.description;
type = lib.types.nullOr lib.types.int;
default = 80;
};

coturn-min-port = lib.mkOption {
description = "lower port for coturn's range";
type = lib.types.int;
Expand All @@ -71,38 +78,56 @@

username = lib.mkOption {
description = "user for establishing turn connections to coturn";
type = lib.types.str;
default = "test";
type = lib.types.nullOr lib.types.str;
default = null;
};

credential = lib.mkOption {
description = "credential for establishing turn connections to coturn";
type = lib.types.str;
default = "test";
type = lib.types.nullOr lib.types.str;
default = null;
};

extraCoturnAttrs = lib.mkOption {
description = "extra attributes assigned to services.coturn";
type = lib.types.attrs;
default = {};
};

extraCoturnConfig = lib.mkOption {
description = "extra config passed to coturn";
type = lib.types.str;
default = "";
};

acme-staging = lib.mkEnableOption "use ACME's staging server which has retry limits. useful when debugging ACME challenges.";
};

config = lib.mkIf cfg.enable {
nixpkgs.overlays = [self.overlays.coturn];

networking.firewall.allowedTCPPorts = [
80
443
9641 # prometheus

cfg.nginx-http-port
];
networking.firewall.allowedUDPPorts = [
80
443
9641 # prometheus
];
networking.firewall.allowedTCPPorts =
(
lib.lists.optionals (cfg.listening-port != null) [
cfg.listening-port
]
)
++ [
443
9641 # prometheus

cfg.nginx-http-port
];
networking.firewall.allowedUDPPorts =
(
lib.lists.optionals (cfg.listening-port != null) [
cfg.listening-port
]
)
++ [
443
9641 # prometheus
];
networking.firewall.allowedUDPPortRanges = [
{
from = cfg.coturn-min-port;
Expand All @@ -113,10 +138,9 @@
services.coturn =
{
enable = true;
listening-port = 80;
tls-listening-port = 443;
listening-ips = [cfg.address];
lt-cred-mech = true; # Use long-term credential mechanism.
lt-cred-mech = cfg.username != null && cfg.credential != null; # Use long-term credential mechanism.
realm = cfg.url;
cert = "${cfg.turn-cert-dir}/fullchain.pem";
pkey = "${cfg.turn-cert-dir}/key.pem";
Expand All @@ -129,15 +153,22 @@
no-multicast-peers
no-tlsv1
no-tlsv1_1
user=${cfg.username}:${cfg.credential}
prometheus
''
+ lib.strings.optionalString config.services.coturn.lt-cred-mech ''
user=${cfg.username}:${cfg.credential}
''
+ lib.strings.optionalString cfg.verbose ''
verbose
''
+ lib.strings.optionalString (cfg.acme-redirect != null) ''
acme-redirect=${cfg.acme-redirect}
'';
''
+ cfg.extraCoturnConfig;
}
// lib.attrsets.optionalAttrs (cfg.listening-port
!= null) {
inherit (cfg) listening-port;
}
// cfg.extraCoturnAttrs;

Expand Down Expand Up @@ -167,19 +198,22 @@
};
};

security.acme = {
acceptTerms = true;
defaults = {
email = "acme@holo.host";
};

# after certificate renewal by acme coturn.service needs to reload this new cert, too
# see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322
certs."${cfg.url}".reloadServices = ["coturn"];

# staging server has higher retry limits. uncomment the following when debugging ACME challenges.
# certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
security.acme =
lib.attrsets.recursiveUpdate
{
acceptTerms = true;
defaults = {
email = "acme@holo.host";
};

# after certificate renewal by acme coturn.service needs to reload this new cert, too
# see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322
certs."${cfg.url}".reloadServices = ["coturn"];
} (
lib.attrsets.optionalAttrs cfg.acme-staging {
certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
}
);
};
};
};
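Review bot: The new `lt-cred-mech = cfg.username != null && cfg.credential != null;` in the `services.coturn` block silently disables the credential mechanism when only one of the two options is set, and the new `null` defaults mean a fresh deployment gets no `user=` line at all; nothing in the module states or checks that. A module assertion catches the half-configured case: `assertions = [{ assertion = (cfg.username == null) == (cfg.credential == null); message = "services.holochain-turn-server: set both username and credential, or neither"; }];`. Whether coturn then relays without any authentication depends on coturn's defaults and on what `extraCoturnConfig`/`extraCoturnAttrs` add (an override of `lt-cred-mech` to true with a null username makes `user=${cfg.username}:…` fail to evaluate), which is not visible here, so the option descriptions should say it, e.g. `description = "user for TURN long-term credentials; if this or credential is null, lt-cred-mech is turned off and the relay runs without a credential mechanism";`. The enclosing `nixosModules.holochain-turn-server` definition starts before and ends after this section.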
@@ -0,0 +1,58 @@
{
config,
inputs,
self,
pkgs,
...
}: let
# https://console.hetzner.cloud/projects/1982619/servers/47746862/overview
hostName = "sbd-0";
domain = "main.infra.holo.host";
ipv4 = "65.108.241.120";
fqdn = "${config.networking.hostName}.${config.networking.domain}";
in {
imports = [
inputs.disko.nixosModules.disko
inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.mixins-terminfo
inputs.srvos.nixosModules.hardware-hetzner-cloud
self.nixosModules.hardware-hetzner-cloud-ccx

inputs.sops-nix.nixosModules.sops

self.nixosModules.holo-users
../../nixos/shared.nix
../../nixos/shared-nix-settings.nix
self.nixosModules.ps1

self.nixosModules.sbd-server
];

networking = {inherit hostName domain;};

hostName = ipv4;

nix.settings.max-jobs = 8;

nix.settings.substituters = [
"https://holochain-ci.cachix.org"
];

nix.settings.trusted-public-keys = [
"holochain-ci.cachix.org-3:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
];

system.stateVersion = "23.11";

services.sbd-server = {
enable = true;
url = fqdn;
address = ipv4;
tls-port = 443;
trusted-ip-header = "cf-connecting-ip";

# unlike the tx5-signal-server the sbd-server doesn't know about the STUN servers.
# going forward its' going to be part of the conductor client config
# "stun:${config.services.holochain-turn-server.url}:80"
};
}
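Review bot: `trusted-ip-header = "cf-connecting-ip";` tells the sbd-server to take the client address from a request header, which is only sound if the service can be reached exclusively through Cloudflare; this host binds `address = ipv4` on a public address with `tls-port = 443`, and nothing visible in this file (the `sbd-server` module and `../../nixos/shared.nix` are outside the diff) restricts inbound 443 to Cloudflare's edge ranges, so a client connecting directly could forge its source address for whatever that header feeds. Either restrict `networking.firewall` for port 443 to Cloudflare's published ranges or record the assumption next to the line, e.g. `# only safe while 443 is reachable solely via Cloudflare; a direct client can set this header itself`. Separately, the top-level `hostName = ipv4;` is not a standard NixOS option: unless one of the imported modules declares it, evaluation will reject it, and if it was meant as `networking.hostName` it conflicts with the `"sbd-0"` value set just above via `networking = {inherit hostName domain;};`. The Hetzner console URL in the leading comment exposes the project and server IDs in a public file; probably harmless, but worth a deliberate decision.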
@@ -0,0 +1,12 @@
{
self,
lib,
inputs,
...
}: {
flake.nixosConfigurations.sbd-0_main_infra_holo_host = inputs.nixpkgs.lib.nixosSystem {
modules = [./configuration.nix];
system = "x86_64-linux";
specialArgs = self.specialArgs;
};
}