init sbd package, nixos module and sbd-0.main.infra.holo.host
Showing
6 changed files
with
261 additions
and
0 deletions.
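--- a/modules/flake-parts/nixosConfigurations.sbd-0.main.infra.holo.host/configuration.nix
+++ b/modules/flake-parts/nixosConfigurations.sbd-0.main.infra.holo.host/configuration.nix
@@ -0,0 +1,57 @@
+{
+config,
+inputs,
+self,
+pkgs,
+...
+}: let
+# https://console.hetzner.cloud/projects/1982619/servers/47746862/overview
+hostName = "sbd-0";
+domain = "main.infra.holo.host";
+ipv4 = "65.108.241.120";
+fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+imports = [
+inputs.disko.nixosModules.disko
+inputs.srvos.nixosModules.server
+inputs.srvos.nixosModules.mixins-terminfo
+inputs.srvos.nixosModules.hardware-hetzner-cloud
+self.nixosModules.hardware-hetzner-cloud-ccx
+
+inputs.sops-nix.nixosModules.sops
+
+self.nixosModules.holo-users
+../../nixos/shared.nix
+../../nixos/shared-nix-settings.nix
+self.nixosModules.ps1
+
+self.nixosModules.sbd-server
+];
+
+networking = {inherit hostName domain;};
+
+hostName = fqdn;
+
+nix.settings.max-jobs = 8;
+
+nix.settings.substituters = [
+"https://holochain-ci.cachix.org"
+];
+
+nix.settings.trusted-public-keys = [
+"holochain-ci.cachix.org-3:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
+];
+
+system.stateVersion = "23.11";
+
+services.sbd-server = {
+enable = true;
+url = fqdn;
+address = ipv4;
+tls-port = 443;
+
+# unlike the tx5-signal-server the sbd-server doesn't know about the STUN servers.
+# going forward its' going to be part of the conductor client config
+# "stun:${config.services.holochain-turn-server.url}:80"
+};
+}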
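Review bot: `hostName = fqdn;` (the line right after `networking = {inherit hostName domain;};`) sets a bare top-level attribute rather than a NixOS option path, so unless one of the imported modules declares a top-level `hostName` option this configuration fails evaluation with "The option `hostName' does not exist". The host name and domain are already set through `networking.hostName` and `networking.domain`, so the line looks like a leftover and can simply be removed. If the fully-qualified name is needed elsewhere, the `fqdn` binding in the `let` already provides it, and `config.networking.fqdn` should yield the same string if that option exists in the pinned nixpkgs. The `pkgs` argument in the module header is unused and could be dropped as well.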
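--- a/modules/flake-parts/nixosConfigurations.sbd-0.main.infra.holo.host/default.nix
+++ b/modules/flake-parts/nixosConfigurations.sbd-0.main.infra.holo.host/default.nix
@@ -0,0 +1,12 @@
+{
+self,
+lib,
+inputs,
+...
+}: {
+flake.nixosConfigurations.sbd-0_main_infra_holo_host = inputs.nixpkgs.lib.nixosSystem {
+modules = [./configuration.nix];
+system = "x86_64-linux";
+specialArgs = self.specialArgs;
+};
+}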
@@ -0,0 +1,53 @@ | ||
{ | ||
# System independent arguments. | ||
lib, | ||
inputs, | ||
... | ||
}: { | ||
perSystem = { | ||
# Arguments specific to the `perSystem` context. | ||
self', | ||
pkgs, | ||
... | ||
}: { | ||
# system specific outputs like, apps, checks, packages | ||
|
||
packages = let | ||
system = pkgs.system; | ||
craneLib = inputs.crane.lib.${system}; | ||
cranePkgs = inputs.crane.inputs.nixpkgs.legacyPackages.${system}; | ||
|
||
sbdArgs = { | ||
pname = "sbd"; | ||
src = inputs.sbd; | ||
version = inputs.sbd.rev; | ||
cargoExtraArgs = "--examples --bins"; | ||
nativeBuildInputs = [ | ||
pkgs.pkg-config | ||
]; | ||
buildInputs = [ | ||
pkgs.openssl | ||
]; | ||
|
||
doCheck = false; | ||
}; | ||
sbdDeps = lib.makeOverridable craneLib.buildDepsOnly sbdArgs; | ||
in { | ||
sbd = lib.makeOverridable craneLib.buildPackage (sbdArgs | ||
// { | ||
cargoArtifacts = sbdDeps; | ||
}); | ||
|
||
sbd-serverd = self'.packages.sbd.override { | ||
name = "sbd-serverd"; | ||
cargoExtraArgs = "--bin sbd-serverd"; | ||
meta.mainProgram = "sbd-serverd"; | ||
}; | ||
}; | ||
}; | ||
flake = { | ||
# system independent outputs like nixosModules, nixosConfigurations, etc. | ||
|
||
# nixosConfigurations.example-host = ... | ||
}; | ||
} |
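Review bot: `doCheck = false;` in `sbdArgs` switches off the crate's test suite for every build of this package, including the `sbd-serverd` binary that the nixos module runs on a public host, and nothing says why; either drop it so crane's test phase runs, or keep it with a why-comment such as `# tests disabled: <reason>`. In the `sbd-serverd` override only `name` is replaced while `pname` and `version` still come from `sbdArgs`, so that derivation's store name loses the version component the `sbd` derivation carries; setting `pname = "sbd-serverd";` instead of `name` would keep the two packages consistent, though crane's treatment of an explicit `name` should be checked. The file header naming this file is not shown on this page.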
@@ -0,0 +1,117 @@ | ||
{ | ||
self, | ||
config, | ||
lib, | ||
pkgs, | ||
... | ||
}: let | ||
cfg = config.services.sbd-server; | ||
types = lib.types; | ||
in { | ||
options.services.sbd-server = { | ||
enable = lib.mkEnableOption "sbd-server"; | ||
|
||
package = lib.mkOption { | ||
default = self.packages.${pkgs.system}.sbd-serverd; | ||
type = types.package; | ||
}; | ||
|
||
address = lib.mkOption { | ||
description = "address to bind"; | ||
type = types.str; | ||
}; | ||
|
||
tls-port = lib.mkOption { | ||
description = "port to bind for incoming TLS connections"; | ||
type = types.int; | ||
}; | ||
|
||
url = lib.mkOption { | ||
description = "url for incoming TLS connections to the signal server"; | ||
type = types.str; | ||
}; | ||
}; | ||
|
||
config = lib.mkIf (cfg.enable) { | ||
# TODO: can be tested with check-services tool on the sbd integration branch | ||
|
||
systemd.services.sbd-server = { | ||
after = ["network.target"]; | ||
wantedBy = ["multi-user.target"]; | ||
|
||
environment = { | ||
TMPDIR = "%T"; | ||
}; | ||
|
||
serviceConfig = { | ||
DynamicUser = true; | ||
PrivateTmp = true; | ||
|
||
# use this mechanism to let systemd take care of file permissions for the dynamic user it creates | ||
LoadCredential = [ | ||
"cert.pem:${config.security.acme.certs."${cfg.url}".directory}/cert.pem" | ||
"key.pem:${config.security.acme.certs."${cfg.url}".directory}/key.pem" | ||
]; | ||
Restart = "always"; | ||
|
||
AmbientCapabilities = | ||
# needed for binding to ports <1024 | ||
lib.lists.optionals (cfg.tls-port | ||
< 1024) [ | ||
"CAP_NET_BIND_SERVICE" | ||
]; | ||
|
||
ExecStart = builtins.concatStringsSep " " [ | ||
(lib.meta.getExe cfg.package) | ||
|
||
# bind to the public interface | ||
"--bind=${cfg.address}:${builtins.toString cfg.tls-port}" | ||
|
||
# configure TLS certificates | ||
''--cert-pem-file="''${CREDENTIALS_DIRECTORY}/cert.pem"'' | ||
''--priv-key-pem-file="''${CREDENTIALS_DIRECTORY}/key.pem"'' | ||
]; | ||
}; | ||
}; | ||
|
||
networking.firewall.allowedTCPPorts = [ | ||
80 | ||
|
||
cfg.tls-port | ||
]; | ||
|
||
services.nginx = { | ||
enable = true; | ||
virtualHosts."${cfg.url}" = { | ||
serverName = cfg.url; | ||
enableACME = true; | ||
addSSL = true; | ||
|
||
locations."/".root = "/var/www/${cfg.url}"; | ||
|
||
listen = [ | ||
{ | ||
addr = "${cfg.address}"; | ||
port = 80; | ||
ssl = false; | ||
} | ||
]; | ||
}; | ||
}; | ||
|
||
security.acme = { | ||
acceptTerms = true; | ||
defaults = { | ||
email = "acme@holo.host"; | ||
}; | ||
|
||
# note: the directory watching tls reload story has not yet been implemented. when tls certs are updated, the service must be restarted | ||
certs."${cfg.url}" = { | ||
reloadServices = ["sbd-server"]; | ||
|
||
# staging server has higher retry limits. uncomment the following when debugging ACME challenges. | ||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory"; | ||
}; | ||
}; | ||
}; | ||
} |
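Review bot: `tls-port` is declared with `types.int`, so a negative or out-of-range value passes evaluation and is only rejected when `sbd-serverd` tries to bind; `type = types.port;` catches it at evaluation time and matches what `networking.firewall.allowedTCPPorts` takes. The `url` option's description is misleading: the value is spliced verbatim into `security.acme.certs."${cfg.url}"`, `virtualHosts."${cfg.url}"` and `serverName`, so it must be a bare fully-qualified hostname and a scheme or path would break certificate issuance; a description like `"fully-qualified hostname the server is reached on; also used as the ACME certificate and nginx vhost name"` (plus a short one for the undocumented `package` option) would prevent that misuse. Since the unit terminates TLS on a public address, `DynamicUser`/`PrivateTmp` are a good baseline that `NoNewPrivileges = true`, `ProtectSystem = "strict"` and `ProtectHome = true` would round out, with `CapabilityBoundingSet` restricted to the same `CAP_NET_BIND_SERVICE` grant so the ambient set is not the only limit. The `${CREDENTIALS_DIRECTORY}` references in `ExecStart` can alternatively use systemd's `%d` specifier, which names the credentials directory without depending on environment substitution of the command line. The file header naming this file is not shown on this page.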