From c0229d0d62d7b0a000b7ee466446bf12b55348c3 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 15 Mar 2024 10:23:14 +0100 Subject: [PATCH 01/31] feat(nixosConfigurations): add turn-infra-holochain-org --- .../configuration.nix | 3 + .../README.md | 5 ++ .../configuration.nix | 90 +++++++++++++++++++ .../default.nix | 13 +++ 4 files changed, 111 insertions(+) create mode 100644 modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md create mode 100644 modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix create mode 100644 modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix index 2b385aff..1302751c 100644 --- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix @@ -152,6 +152,7 @@ in { ### BIND and ACME + # FIXME: changes to the bind zone require a manual `systemctl restart bind` system.activationScripts.bind-zones.text = '' mkdir -p /etc/bind/zones chown named:named /etc/bind/zones @@ -186,6 +187,8 @@ in { amsterdam2023.events.${fqdn2domain}. A 10.1.3.187 sj-bm-hostkey0.dev.${fqdn2domain}. A 185.130.224.33 + + turn.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.hostName} ''; }; diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md new file mode 100644 index 00000000..4ab5d7a9 --- /dev/null +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md @@ -0,0 +1,5 @@ +# Installation + +``` +nix run github:numtide/nixos-anywhere -- --flake .\#nixosConfigurations.turn-infra-holochain-org root@turn.infra.holochain.org +``` 
diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix new file mode 100644 index 00000000..eb07916b --- /dev/null +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix 
@@ -0,0 +1,90 @@
+{
+ config,
+ lib,
+ inputs,
+ self,
+ pkgs,
+ ...
+}: let
+ ipv4 = "37.27.24.128";
+ ipv6Prefix = "2a01:4f9:c012:b61f";
+ ipv6PrefixLength = "64";
+ fqdn2domain = "infra.holochain.org";
+in {
+ imports = [
+ inputs.disko.nixosModules.disko
+ inputs.srvos.nixosModules.server
+ inputs.srvos.nixosModules.mixins-terminfo
+ inputs.srvos.nixosModules.hardware-hetzner-cloud
+
+ inputs.sops-nix.nixosModules.sops
+
+ self.nixosModules.holo-users
+ ../../nixos/shared.nix
+ ../../nixos/shared-nix-settings.nix
+ ];
+
+ networking.hostName = "turn-infra-holochain-org"; # Define your hostname.
+
+ hostName = ipv4;
+
+ nix.settings.max-jobs = 8;
+
+ nix.settings.substituters = [
+ "https://holochain-ci.cachix.org"
+ ];
+
+ nix.settings.trusted-public-keys = [
+ "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
+ ];
+
+ boot.loader.grub = {
+ efiSupport = false;
+ device = "/dev/sda";
+ };
+ # boot.loader.systemd-boot.enable = true;
+ # boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6Prefix}::1/${ipv6PrefixLength}";
+
+ disko.devices.disk.sda = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = ["bios_grub"];
+ }
+ {
+ name = "root";
+ start = "1M";
+ end = "100%";
+ part-type = "primary";
+ bootable = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = ["noatime"];
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
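Review bot: `fqdn2domain = "infra.holochain.org";` is bound in the `let` but never referenced anywhere in this file, so it is dead from the start; either derive `networking.hostName` or the later TURN URL from it or drop it. `hostName = ipv4;` is not `networking.hostName` — it is an option that has to be declared by one of the imported shared modules, which are outside this patch, so a one-line comment such as `# project option from ../../nixos/shared.nix, consumed by the dweb DNS zone` would save the next reader a search. The `# Define your hostname.` trailer is generator boilerplate and can go.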
diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix new file mode 100644 index 00000000..979f2ff4 --- /dev/null +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix @@ -0,0 +1,13 @@ +{ + config, + self, + lib, + inputs, + ... +}: { + flake.nixosConfigurations.turn-infra-holochain-org = inputs.nixpkgs.lib.nixosSystem { + modules = [./configuration.nix]; + system = "x86_64-linux"; + specialArgs = self.specialArgs; + }; +} From 30180526b7fd7631b75edaf50e2b844fa7e8f375 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 15 Mar 2024 10:14:40 +0000 Subject: [PATCH 02/31] feat(flake): expose nixos-anywhere package --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 9526a6f6..0a026d27 100644 --- a/flake.nix +++ b/flake.nix @@ -156,6 +156,8 @@ packages = { nomad = inputs'.nixpkgsMaster.legacyPackages.nomad_1_6; + + nixos-anywhere = inputs'.nixos-anywhere.packages.default; }; }; flake = { From 76057590a974dfef2a2f48d08a8a279418a45e28 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 15 Mar 2024 11:00:46 +0000 Subject: [PATCH 03/31] flake: update disko --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 125633e5..35ce0369 100644 --- a/flake.lock +++ b/flake.lock @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1686545384, - "narHash": "sha256-XniReOaWLjubBAXk6Wx2Ny6/b9Xdsx3viLhhs7ycuWw=", + "lastModified": 1710427903, + "narHash": "sha256-sV0Q5ndvfjK9JfCg/QM/HX/fcittohvtq8dD62isxdM=", "owner": "nix-community", "repo": "disko", - "rev": "55eea2030a42845102334eb29f054f0c6604a32c", + "rev": "21d89b333ca300bef82c928c856d48b94a9f997c", "type": "github" }, "original": { From cf44cccab9bb205ceb38797d4bef63dc7db61a53 Mon Sep 17 00:00:00 2001 
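Review bot: `config` and `lib` are bound in default.nix's argument set but never used; the module only reads `self` and `inputs`, so the header can be `{ self, inputs, ... }:`. Unused module arguments are harmless at evaluation time, but they hide which inputs the flake-part really depends on, and the same pattern is repeated in the sibling configuration.nix of this patch.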
From: Stefan Junker Date: Fri, 15 Mar 2024 11:01:43 +0000 Subject: [PATCH 04/31] fix(turn-infra-holochain-org): adapt for EFI --- .../README.md | 2 + .../configuration.nix | 44 +++++++++---------- 2 files changed, 22 insertions(+), 24 deletions(-) diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md index 4ab5d7a9..3a6923c5 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/README.md @@ -1,3 +1,5 @@ +This machine is of type CCX23 + # Installation ``` diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index eb07916b..46ed61f7 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix @@ -38,12 +38,10 @@ in { "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" ]; - boot.loader.grub = { - efiSupport = false; - device = "/dev/sda"; - }; - # boot.loader.systemd-boot.enable = true; - # boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.enable = false; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.kernelPackages = pkgs.linuxPackages_latest; systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6Prefix}::1/${ipv6PrefixLength}"; 
@@ -52,22 +50,19 @@ in { device = "/dev/sda"; type = "disk"; content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "0"; - end = "1M"; - part-type = "primary"; - flags = ["bios_grub"]; - } - { - name = "root"; - start = "1M"; - end = "100%"; - part-type = "primary"; - bootable = true; + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; content = { type = "btrfs"; extraArgs = ["-f"]; # Override existing partition @@ -78,11 +73,12 @@ in { }; "/nix" = { mountOptions = ["noatime"]; + mountpoint = "/nix"; }; }; }; - } - ]; + }; + }; }; }; From 2d215f9c77b9157edc7002f199d25a8f083c2f52 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 15 Mar 2024 19:24:30 +0000 Subject: [PATCH 05/31] feat(dweb-reverse-proxy/caddy): pass through acme challenges to turn server --- .../configuration.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix index 1302751c..1656456a 100644 --- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix @@ -309,6 +309,12 @@ in { # reverse_proxy https://holochain-ci.cachix.org ''; }; + + "acme-turn.${fqdn2domain}:80" = { + extraConfig = '' + reverse_proxy http://turn.${fqdn2domain}:${builtins.toString self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.nginx-http-port} + ''; + }; }; sops.secrets.global-server-nomad-key = { From e8ebdada67a8bfd16524a8ea3b4b7221d9312cd7 Mon Sep 17 00:00:00 2001 
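Review bot: The new `ESP` partition is mounted at `/boot` as vfat with default mount options, which leaves the kernels and initrds it holds world-readable; with `boot.loader.systemd-boot.enable = true` from the previous hunk that is the entire boot chain. Adding `mountOptions = ["umask=0077"];` next to `mountpoint = "/boot";` restricts it to root, and, as far as I recall, newer NixOS releases emit a warning when the ESP is world-accessible — worth confirming against the release this host tracks. The rest of the GPT/EFI layout is consistent with the loader change.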
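Review bot: The new `"acme-turn.${fqdn2domain}:80"` site forwards every request on that host to the TURN machine's nginx, while the only traffic coturn redirects there is the ACME challenge path. Scoping the directive to that prefix, `reverse_proxy /.well-known/acme-challenge/* http://turn.${fqdn2domain}:${...}`, keeps the rest of the upstream's HTTP surface off the public edge; unmatched requests then fall through to Caddy's default response. The port is read from another host's configuration (`self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.nginx-http-port`), so a rename of that option surfaces here as an evaluation error rather than at runtime, which is fine but deserves a comment.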
From: Stefan Junker Date: Fri, 15 Mar 2024 19:25:47 +0000 Subject: [PATCH 06/31] feat(holochain-turn-server): add and use flake-part coturn overlay and module the flake-part encapsulates and exposes both the overlay and the module. the coturn overlay adds a coturn that working acme-redirection which we make use of here. --- modules/flake-parts/holochain-turn-server.nix | 154 ++++++++++++++++++ .../configuration.nix | 9 +- 2 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 modules/flake-parts/holochain-turn-server.nix diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix new file mode 100644 index 00000000..e2cc7b8a --- /dev/null +++ b/modules/flake-parts/holochain-turn-server.nix 
@@ -0,0 +1,154 @@ +{ + # System independent arguments. + self, + lib, + inputs, + ... +}: { + perSystem = { + # Arguments specific to the `perSystem` context. + config, + self', + inputs', + pkgs, + ... + }: { + # system specific outputs like, apps, checks, packages + + # packages = ... + }; + flake = { + # system independent outputs like nixosModules, nixosConfigurations, etc. + + # nixosConfigurations.example-host = ... + overlays.coturn = final: previous: { + coturn = previous.coturn.overrideAttrs ( + super: { + # coturn for NixOS needs to be built without libev_ok, otherwise acme-redirect won't work + LIBEV_OK = "0"; + meta.platforms = lib.platforms.linux; + } + ); + }; + + nixosModules.holochain-turn-server = { + config, + pkgs, + lib, + system, + ... + }: let + cfg = config.services.holochain-turn-server; + in { + options.services.holochain-turn-server = { + enable = lib.mkEnableOption "holochain turn server"; + turn-url = lib.mkOption { + type = lib.types.str; + }; + turn-cert-dir = lib.mkOption { + type = lib.types.str; + default = config.security.acme.certs.${cfg.turn-url}.directory; + }; + coturn-listening-ip = lib.mkOption { + type = lib.types.str; + }; + + nginx-http-port = lib.mkOption { + type = lib.types.int; + # skipping 81 because it's the default coturn alternative http port + default = 82; + }; + + coturn-min-port = lib.mkOption { + type = lib.types.int; + default = 20000; + }; + + coturn-max-port = lib.mkOption { + type = lib.types.int; + default = 65535; # which is default but here listing explicitly + }; + }; + + config = lib.mkIf cfg.enable { + nixpkgs.overlays = [self.overlays.coturn]; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + 9641 # prometheus + + cfg.nginx-http-port + ]; + networking.firewall.allowedUDPPorts = [ + 80 + 443 + 9641 # prometheus + ]; + networking.firewall.allowedUDPPortRanges = [ + { + from = cfg.coturn-min-port; + to = cfg.coturn-max-port; + } + ]; + + services.coturn = { + enable = true; + listening-port = 
80; + tls-listening-port = 443; + listening-ips = [cfg.coturn-listening-ip]; + lt-cred-mech = true; # Use long-term credential mechanism. + realm = cfg.turn-url; + cert = "${cfg.turn-cert-dir}/fullchain.pem"; + pkey = "${cfg.turn-cert-dir}/key.pem"; + no-cli = false; + min-port = cfg.coturn-min-port; + max-port = cfg.coturn-max-port; + extraConfig = '' + verbose + no-software-attribute + no-multicast-peers + no-tlsv1 + no-tlsv1_1 + user=test:test + prometheus + acme-redirect=http://acme-${cfg.turn-url}/.well-known/acme-challenge/ + ''; + }; + + systemd.services.coturn.serviceConfig = { + LimitNOFILESoft = 10000; + }; + + # Add turnserver user to nginx group, because turnserver needs to have access to TLS certs from /var/lib/acme/ + users.groups.nginx.members = ["turnserver"]; + + services.nginx = { + enable = true; + defaultHTTPListenPort = cfg.nginx-http-port; + + # the sole purpose of nginx here is TLS certificate renewal from letsencrypt + # coturn redirects ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' + # to acme-turn.holo.host, which is intercepted by a reverse-proxy and redirected to port ${cfg.nginx-http-port} on this host + virtualHosts."${cfg.turn-url}" = { + enableACME = true; + serverName = cfg.turn-url; + }; + }; + + security.acme = { + acceptTerms = true; + defaults = { + # staging server has higher retry limits + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + + email = "acme@holo.host"; + # after certificate renewal by acme coturn.service needs to reload this new cert, too + # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 + reloadServices = ["coturn"]; + }; + }; + }; + }; + }; +} diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index 46ed61f7..0fcf6720 100644 
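Review bot: `user=test:test` in `extraConfig` is a live relay credential: `lt-cred-mech = true` makes coturn accept it, the rendered turnserver.conf ends up in the world-readable Nix store, and anyone who reads or guesses it can relay arbitrary traffic through this host on 80/443 and the opened UDP range `coturn-min-port`–`coturn-max-port`. The later hunk that turns this into `username`/`credential` options keeps `"test"` as the default, and the host configuration in patch 08 sets the same literal pair, so the exposure survives the refactor. The NixOS coturn module provides `use-auth-secret` with `static-auth-secret-file`, which fits the sops-nix module this host already imports; if long-term credentials are really wanted, they have to come from a file at runtime rather than a `lib.types.str` interpolated at evaluation time. Separately, `verbose` logs every session and `no-cli = false` enables the admin CLI listener with no password configured in this hunk — both deserve an explicit decision (the next patch makes `verbose` optional; the CLI stays on).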
--- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix @@ -9,7 +9,6 @@ ipv4 = "37.27.24.128"; ipv6Prefix = "2a01:4f9:c012:b61f"; ipv6PrefixLength = "64"; - fqdn2domain = "infra.holochain.org"; in { imports = [ inputs.disko.nixosModules.disko @@ -22,6 +21,8 @@ in { self.nixosModules.holo-users ../../nixos/shared.nix ../../nixos/shared-nix-settings.nix + + self.nixosModules.holochain-turn-server ]; networking.hostName = "turn-infra-holochain-org"; # Define your hostname. @@ -83,4 +84,10 @@ in { }; system.stateVersion = "23.05"; + + services.holochain-turn-server = { + enable = true; + turn-url = "turn.infra.holochain.org"; + coturn-listening-ip = ipv4; + }; } From 9b0d3590dd75133e83c1365fda267fcdd7242647 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 15 Mar 2024 21:40:32 +0000 Subject: [PATCH 07/31] fix missing quotes in flake --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 0a026d27..4467980a 100644 --- a/flake.nix +++ b/flake.nix @@ -46,7 +46,7 @@ # url = "https://github.com/maackle.keys"; # flake = false; # }; - + # hash mismatch 20230821 # keys_neonphog = { # url = "https://github.com/neonphog.keys"; @@ -73,7 +73,7 @@ flake = false; }; - cachix_for_watch_store.url = github:cachix/cachix/v1.5; + cachix_for_watch_store.url = "github:cachix/cachix/v1.5"; }; outputs = inputs @ { From 78f2c084351fb84da9cc1f1fc67391a6b9f31b0b Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Fri, 15 Mar 2024 21:41:13 +0000 Subject: [PATCH 08/31] feat: add tx5 signal server module and stub package; add signal DNS entry --- flake.lock | 19 +++- flake.nix | 3 + modules/flake-parts/holochain-turn-server.nix | 42 +++++++-- .../configuration.nix | 3 +- .../configuration.nix | 38 +++++++- .../{packages.nix => packages/default.nix} | 9 +- .../flake-parts/packages/tx5-signal-srv.nix | 10 ++ modules/nixos/tx5-signal-server.nix | 91 +++++++++++++++++++ 8 files changed, 198 insertions(+), 17 deletions(-) rename modules/flake-parts/{packages.nix => packages/default.nix} (68%) create mode 100644 modules/flake-parts/packages/tx5-signal-srv.nix create mode 100644 modules/nixos/tx5-signal-server.nix diff --git a/flake.lock b/flake.lock index 35ce0369..1a5246c5 100644 --- a/flake.lock +++ b/flake.lock @@ -643,7 +643,8 @@ "nixpkgsMaster": "nixpkgsMaster", "nixpkgsUnstable": "nixpkgsUnstable", "sops-nix": "sops-nix", - "srvos": "srvos" + "srvos": "srvos", + "tx5": "tx5" } }, "sops-nix": { @@ -722,6 +723,22 @@ "repo": "treefmt-nix", "type": "github" } + }, + "tx5": { + "flake": false, + "locked": { + "lastModified": 1708794983, + "narHash": "sha256-XFZcI344QhuNJSkzsTIta8Ytkz/MpZNe+1Makt3SwcQ=", + "owner": "holochain", + "repo": "tx5", + "rev": "989ac62d3967133814d89e2b1b4afa2c967776dc", + "type": "github" + }, + "original": { + "owner": "holochain", + "repo": "tx5", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 4467980a..00124e42 100644 --- a/flake.nix +++ b/flake.nix @@ -74,6 +74,9 @@ }; cachix_for_watch_store.url = "github:cachix/cachix/v1.5"; + + tx5.url = "github:holochain/tx5"; + tx5.flake = false; }; outputs = inputs @ { diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index e2cc7b8a..6fc83333 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix 
@@ -68,6 +68,23 @@ type = lib.types.int; default = 65535; # which is default but here listing explicitly }; + + verbose = lib.mkEnableOption "verbose logging"; + + acme-redirect = lib.mkOption { + type = lib.types.str; + default = "http://acme-${cfg.turn-url}/.well-known/acme-challenge/"; + }; + + username = lib.mkOption { + type = lib.types.str; + default = "test"; + }; + + credential = lib.mkOption { + type = lib.types.str; + default = "test"; + }; }; config = lib.mkIf cfg.enable { @@ -104,16 +121,21 @@ no-cli = false; min-port = cfg.coturn-min-port; max-port = cfg.coturn-max-port; - extraConfig = '' - verbose - no-software-attribute - no-multicast-peers - no-tlsv1 - no-tlsv1_1 - user=test:test - prometheus - acme-redirect=http://acme-${cfg.turn-url}/.well-known/acme-challenge/ - ''; + extraConfig = + '' + no-software-attribute + no-multicast-peers + no-tlsv1 + no-tlsv1_1 + user=${cfg.username}:${cfg.credential} + prometheus + '' + + lib.strings.optionalString cfg.verbose '' + verbose + '' + + lib.strings.optionalString (cfg.acme-redirect != null) '' + acme-redirect=${cfg.acme-redirect} + ''; }; systemd.services.coturn.serviceConfig = { diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix index 1656456a..51bcc669 100644 --- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix @@ -188,7 +188,8 @@ in { sj-bm-hostkey0.dev.${fqdn2domain}. A 185.130.224.33 - turn.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.hostName} + turn.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.coturn-listening-ip} + signal.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.tx5-signal-server.address} ''; }; 
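Review bot: `acme-redirect` is declared as `lib.types.str`, yet the second hunk guards it with `cfg.acme-redirect != null`; `lib.types.str` rejects `null`, so the guard can never be false and the redirect cannot actually be disabled. Either change the option to `type = lib.types.nullOr lib.types.str;` so that assigning `null` is the documented way to turn it off, or drop the `optionalString` wrapper. `credential` with `default = "test"` is still a `lib.types.str` rendered into the store-side `user=${cfg.username}:${cfg.credential}` line, so parameterising it changes where the value is set, not where it is readable.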
diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index 0fcf6720..30ce16e0 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix @@ -9,6 +9,9 @@ ipv4 = "37.27.24.128"; ipv6Prefix = "2a01:4f9:c012:b61f"; ipv6PrefixLength = "64"; + + signalIpv4 = "95.217.30.224"; + signalIpv4Prefix = 32; in { imports = [ inputs.disko.nixosModules.disko @@ -23,6 +26,7 @@ in { ../../nixos/shared-nix-settings.nix self.nixosModules.holochain-turn-server + self.nixosModules.tx5-signal-server ]; networking.hostName = "turn-infra-holochain-org"; # Define your hostname. @@ -45,7 +49,11 @@ in { boot.kernelPackages = pkgs.linuxPackages_latest; - systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6Prefix}::1/${ipv6PrefixLength}"; + # FIXME: is there a better way to do this? + environment.etc."systemd/network/10-cloud-init-eth0.network.d/00-floating-ips.conf".text = '' + [Network] + Address = ${signalIpv4}/${builtins.toString signalIpv4Prefix} + ''; disko.devices.disk.sda = { device = "/dev/sda"; @@ -89,5 +97,33 @@ in { enable = true; turn-url = "turn.infra.holochain.org"; coturn-listening-ip = ipv4; + username = "test"; + credential = "test"; + }; + + services.tx5-signal-server = { + enable = true; + address = signalIpv4; + port = 443; + iceServers = [ + { + urls = [ + "stun:${config.services.holochain-turn-server.turn-url}:80" + ]; + } + { + urls = [ + "turn:${config.services.holochain-turn-server.turn-url}:80" + "turn:${config.services.holochain-turn-server.turn-url}:80?transport=tcp" + "turns:${config.services.holochain-turn-server.turn-url}:443?transport=tcp" + ]; + + inherit + (config.services.holochain-turn-server) + username + credential + ; + } + ]; }; } 
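Review bot: Replacing the `systemd.network.networks."10-uplink".networkConfig.Address` line with the `00-floating-ips.conf` drop-in removes the IPv6 address assignment altogether, and `ipv6Prefix`/`ipv6PrefixLength` now go unused; if the host should keep `${ipv6Prefix}::1/${ipv6PrefixLength}`, add a second `Address =` line to the drop-in, otherwise delete the bindings. The drop-in only applies if a network unit named exactly `10-cloud-init-eth0.network` exists, so the `FIXME` is justified — a declarative `systemd.network.networks` entry would not depend on the cloud-init unit name. `username = "test"; credential = "test";` are additionally inherited into `iceServers` and from there into the signal server's config, so the relay credential ends up in two store paths and is broadcast to every signal client.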
diff --git a/modules/flake-parts/packages.nix b/modules/flake-parts/packages/default.nix similarity index 68% rename from modules/flake-parts/packages.nix rename to modules/flake-parts/packages/default.nix index da2fd2be..b79e21ac 100644 --- a/modules/flake-parts/packages.nix +++ b/modules/flake-parts/packages/default.nix @@ -17,11 +17,12 @@ packages = { reverse-proxy-nix-cache = let + in + pkgs.writeShellScriptBin "reverse-proxy-nix-cache" '' + sudo ${pkgs.caddy}/bin/caddy reverse-proxy --from :80 --to :5000 + ''; - in pkgs.writeShellScriptBin "reverse-proxy-nix-cache" '' - sudo ${pkgs.caddy}/bin/caddy reverse-proxy --from :80 --to :5000 - ''; - + tx5-signal-srv = pkgs.callPackage ./tx5-signal-srv.nix {}; }; }; flake = { diff --git a/modules/flake-parts/packages/tx5-signal-srv.nix b/modules/flake-parts/packages/tx5-signal-srv.nix new file mode 100644 index 00000000..8a05555e --- /dev/null +++ b/modules/flake-parts/packages/tx5-signal-srv.nix @@ -0,0 +1,10 @@ +{ + writeShellScriptBin, + jq, + ... +}: +# TODO: make it real +writeShellScriptBin "tx5-signal-srv" +'' + while true; do ${jq}/bin/jq . $2; sleep 60; done +'' diff --git a/modules/nixos/tx5-signal-server.nix b/modules/nixos/tx5-signal-server.nix new file mode 100644 index 00000000..b740b81f --- /dev/null +++ b/modules/nixos/tx5-signal-server.nix 
@@ -0,0 +1,91 @@ +{ + self, + config, + lib, + pkgs, + ... +}: let + cfg = config.services.tx5-signal-server; +in { + options.services.tx5-signal-server = { + enable = lib.mkEnableOption "tx5-signal-server"; + + package = lib.mkOption { + default = self.packages.${pkgs.system}.tx5-signal-srv; + type = lib.types.package; + }; + + user = lib.mkOption { + # TODO - change to tx5 + default = "root"; + type = lib.types.str; + }; + + group = lib.mkOption { + # TODO - change to tx5 + default = "root"; + type = lib.types.str; + }; + + # TODO: consume this + listenAddr = lib.mkOption { + default = ""; + type = lib.types.str; + }; + + address = lib.mkOption { + description = "address to bind"; + type = lib.types.str; + }; + + # TODO: distinguish between tls port and plain port. tx5 will listen on the latter and it'll be fronted by a reverse TLS proxy + port = lib.mkOption { + description = "port to bind"; + type = lib.types.int; + }; + + iceServers = lib.mkOption { + description = "webrtc configuration to broadcast"; + type = lib.types.listOf lib.types.attrs; + default = []; + }; + + demo = lib.mkEnableOption "enable demo broadcasting as a stand-in for bootstrapping"; + + configText = lib.mkOption { + default = builtins.toFile "tx5.config.json" (builtins.toJSON { + port = cfg.port; + iceServers.iceServers = cfg.iceServers; + demo = cfg.demo; + }); + }; + }; + + config = lib.mkIf (cfg.enable) { + systemd.services.tx5-signal-server = { + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/tx5-signal-srv --config ${cfg.configText}"; # TODO - point to dynamically created config + Restart = "always"; + }; + }; + + # TODO: set up a separate user or let systemd do this + #users.groups.tx5 = { }; + #users.users.tx5 = { + # isSystemUser = true; + # group = "tx5"; + # home = "${cfg.working-directory}"; + # # ensures directory is owned by user + # createHome = true; + #}; + + 
#systemd.tmpfiles.rules = [ + # "d ${cfg.working-directory}/uis 0755 tx5 tx5 - -" + #]; + }; +} From 7a58ba3735fc192992d26688de9dc8b93b80a716 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 15 Mar 2024 21:47:05 +0000 Subject: [PATCH 09/31] set tx5 tag --- flake.lock | 7 ++++--- flake.nix | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 1a5246c5..b1f71e25 100644 --- a/flake.lock +++ b/flake.lock @@ -727,15 +727,16 @@ "tx5": { "flake": false, "locked": { - "lastModified": 1708794983, - "narHash": "sha256-XFZcI344QhuNJSkzsTIta8Ytkz/MpZNe+1Makt3SwcQ=", + "lastModified": 1707175829, + "narHash": "sha256-Lkry9eEUk6aXe7aQ824YwkG2Ra44GPapIznGR2Ao/PA=", "owner": "holochain", "repo": "tx5", - "rev": "989ac62d3967133814d89e2b1b4afa2c967776dc", + "rev": "d5fa9096eae2156618c701e87b7c40770faa123c", "type": "github" }, "original": { "owner": "holochain", + "ref": "tx5-signal-srv-v0.0.7-alpha", "repo": "tx5", "type": "github" } diff --git a/flake.nix b/flake.nix index 00124e42..27e60d6b 100644 --- a/flake.nix +++ b/flake.nix @@ -75,7 +75,7 @@ cachix_for_watch_store.url = "github:cachix/cachix/v1.5"; - tx5.url = "github:holochain/tx5"; + tx5.url = "github:holochain/tx5/tx5-signal-srv-v0.0.7-alpha"; tx5.flake = false; }; From 2b96e73d6ac83f84cb6c635c619b53bb80a4830b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 15:30:44 +0000 Subject: [PATCH 10/31] feat(tx5 signal server): working TLS, name changes, config file chmod --- .../default.nix => packages.default.nix} | 0 ...nal-srv.nix => packages.holochain-tx5.nix} | 0 modules/nixos/tx5-signal-server.nix | 94 ++++++++++++------- 3 files changed, 61 insertions(+), 33 deletions(-) rename modules/flake-parts/{packages/default.nix => packages.default.nix} (100%) rename modules/flake-parts/{packages/tx5-signal-srv.nix => packages.holochain-tx5.nix} (100%) 
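Review bot: `configText` defaults to `builtins.toFile "tx5.config.json" (builtins.toJSON { ... })`, so the JSON — including `iceServers`, which in this series carries the TURN username and credential — is written to the world-readable Nix store, and `ExecStart` passes that store path as `--config`. Rendering the file at service start from a secret delivered through systemd's `LoadCredential=` (or a sops-nix managed path) would keep it out of the store. The option is also declared without a `type`, and `iceServers` is `listOf attrs`, so malformed entries are only caught by the binary at runtime; `type = lib.types.path;` on `configText` is the minimum. Running as `root` by default is already flagged by the `TODO`, but the combination of a root service and a public config file is the thing to undo first.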
diff --git a/modules/flake-parts/packages/default.nix b/modules/flake-parts/packages.default.nix similarity index 100% rename from modules/flake-parts/packages/default.nix rename to modules/flake-parts/packages.default.nix diff --git a/modules/flake-parts/packages/tx5-signal-srv.nix b/modules/flake-parts/packages.holochain-tx5.nix similarity index 100% rename from modules/flake-parts/packages/tx5-signal-srv.nix rename to modules/flake-parts/packages.holochain-tx5.nix diff --git a/modules/nixos/tx5-signal-server.nix b/modules/nixos/tx5-signal-server.nix index b740b81f..0e8b3636 100644 --- a/modules/nixos/tx5-signal-server.nix +++ b/modules/nixos/tx5-signal-server.nix @@ -15,30 +15,21 @@ in { type = lib.types.package; }; - user = lib.mkOption { - # TODO - change to tx5 - default = "root"; - type = lib.types.str; - }; - - group = lib.mkOption { - # TODO - change to tx5 - default = "root"; + address = lib.mkOption { + description = "address to bind"; type = lib.types.str; }; - # TODO: consume this - listenAddr = lib.mkOption { - default = ""; - type = lib.types.str; + tls-port = lib.mkOption { + description = "port to bind for incoming TLS connections"; + type = lib.types.int; }; - address = lib.mkOption { - description = "address to bind"; + url = lib.mkOption { + description = "url for incoming TLS connections to the signal server"; type = lib.types.str; }; - # TODO: distinguish between tls port and plain port. tx5 will listen on the latter and it'll be fronted by a reverse TLS proxy port = lib.mkOption { description = "port to bind"; type = lib.types.int; @@ -52,7 +43,7 @@ in { demo = lib.mkEnableOption "enable demo broadcasting as a stand-in for bootstrapping"; - configText = lib.mkOption { + configTextFile = lib.mkOption { default = builtins.toFile "tx5.config.json" (builtins.toJSON { port = cfg.port; iceServers.iceServers = cfg.iceServers; 
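Review bot: `tls-port` is introduced here but the nginx `listen` block in this file's second hunk uses the literal `port = 443;`, so the option has no effect; wire it through with `port = cfg.tls-port;` or remove it. `configTextFile` is still declared without a `type`, which means any value is silently accepted; `type = lib.types.path;` matches what the `cp` in `ExecStartPre` does with it. Dropping the commented `listenAddr`, `user` and `group` options is good, but `url` has no description while its siblings do — `description = "FQDN nginx serves the signal websocket on";` would keep the option set uniform.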
@@ -66,26 +57,63 @@ in { after = ["network.target"]; wantedBy = ["multi-user.target"]; + environment = { + TMPDIR = "%T"; + CONFIG_PATH = "%T/config.json"; + }; + serviceConfig = { - User = cfg.user; - Group = cfg.group; - ExecStart = "${cfg.package}/bin/tx5-signal-srv --config ${cfg.configText}"; # TODO - point to dynamically created config + DynamicUser = true; + PrivateTmp = true; + ExecStartPre = pkgs.writeShellScript "tx5-start-pre" '' + set -xue + export PATH=${lib.makeBinPath [pkgs.coreutils]} + + cp ${cfg.configTextFile} $CONFIG_PATH + chmod 0400 $CONFIG_PATH + ''; + + ExecStart = "${cfg.package}/bin/tx5-signal-srv --config $CONFIG_PATH"; Restart = "always"; }; }; - # TODO: set up a separate user or let systemd do this - #users.groups.tx5 = { }; - #users.users.tx5 = { - # isSystemUser = true; - # group = "tx5"; - # home = "${cfg.working-directory}"; - # # ensures directory is owned by user - # createHome = true; - #}; - - #systemd.tmpfiles.rules = [ - # "d ${cfg.working-directory}/uis 0755 tx5 tx5 - -" - #]; + services.nginx = { + enable = true; + virtualHosts."${cfg.url}" = { + serverName = cfg.url; + enableACME = true; + addSSL = true; + + listen = [ + { + addr = "${cfg.address}"; + port = 80; + ssl = false; + } + + { + addr = "${cfg.address}"; + port = 443; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; + proxyWebsockets = true; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults = { + # staging server has higher retry limits + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + + email = "acme@holo.host"; + }; + }; }; } From 3d06304a6ec231a8ab43feaa5a8d4a85aa8cf711 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 15:31:15 +0000 Subject: [PATCH 11/31] feat(flake); add nixpkgs 23.11 and crane inputs --- flake.lock | 44 +++++++++++++++++++++++++++++++++++++++++--- flake.nix | 6 ++++++ 2 files changed, 47 insertions(+), 3 deletions(-) 
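Review bot: `cp ${cfg.configTextFile} $CONFIG_PATH` followed by `chmod 0400 $CONFIG_PATH` does not protect the credentials in the config — the source is a `/nix/store` path that stays world-readable, so the private copy only restricts a file that is already public. Generating the JSON inside `ExecStartPre` from a secret supplied via `LoadCredential=` (or a sops-nix path with `owner` set) is what would actually limit exposure, and then `DynamicUser = true` with `PrivateTmp = true` carries its weight. In the nginx block, `addSSL = true` together with the port-80 `listen` entry means the websocket proxy to `127.0.0.1:${cfg.port}` is also reachable over plaintext HTTP; `forceSSL = true` keeps port 80 only for the ACME challenge and redirects everything else. `set -xue` also echoes the copied path into the journal — harmless here, but `set -ue` is enough.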
diff --git a/flake.lock b/flake.lock index b1f71e25..24009c6b 100644 --- a/flake.lock +++ b/flake.lock @@ -22,6 +22,26 @@ "type": "github" } }, + "crane": { + "inputs": { + "nixpkgs": [ + "nixpkgs-23-11" + ] + }, + "locked": { + "lastModified": 1710003968, + "narHash": "sha256-g8+K+mLiNG5uch35Oy9oDQBAmGSkCcqrd0Jjme7xiG0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "10484f86201bb94bd61ecc5335b1496794fedb78", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -449,6 +469,22 @@ "type": "github" } }, + "nixpkgs-23-11": { + "locked": { + "lastModified": 1710748499, + "narHash": "sha256-uDgiy47Rj02WG0fGidqrmBKg5oYRPi5StDbd5cMZVw4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "5145d90b09038a58ca2a9db773e8a5e09372816a", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-lib": { "locked": { "dir": "lib", @@ -581,11 +617,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1695975771, - "narHash": "sha256-+AGkCM+ZHal3gk6AjOo+vnUMv0I9Kqmas01v2ldEIpQ=", + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c710fc3c3e41e7b7e02dc40885f55aa341461678", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", "type": "github" }, "original": { @@ -628,6 +664,7 @@ "root": { "inputs": { "cachix_for_watch_store": "cachix_for_watch_store", + "crane": "crane", "darwin": "darwin", "disko": "disko", "flake-parts": "flake-parts", @@ -639,6 +676,7 @@ "microvm": "microvm", "nixos-anywhere": "nixos-anywhere", "nixpkgs": "nixpkgs_3", + "nixpkgs-23-11": "nixpkgs-23-11", "nixpkgsGithubActionRunners": "nixpkgsGithubActionRunners", "nixpkgsMaster": "nixpkgsMaster", "nixpkgsUnstable": "nixpkgsUnstable", diff --git a/flake.nix b/flake.nix index 27e60d6b..4cf7db9e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,6 +6,7 @@ nixpkgsGithubActionRunners = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsUnstable = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsMaster = {url = "github:nixos/nixpkgs/master";}; + nixpkgs-23-11 = {url = "github:nixos/nixpkgs/release-23.11";}; disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; @@ -32,6 +33,11 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + crane = { + url = "github:ipetkov/crane"; + inputs.nixpkgs.follows = "nixpkgs-23-11"; + }; + keys_steveej = { url = "https://github.com/steveej.keys"; flake = false; From 8d4ef8c3b04be2867e29768dc55e0768122ad932 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 15:32:16 +0000 Subject: [PATCH 12/31] holochain-turn-server: simplify naming --- modules/flake-parts/holochain-turn-server.nix | 29 ++++++++++++------- .../configuration.nix | 20 +++++++------ 2 files changed, 29 insertions(+), 20 deletions(-) diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index 6fc83333..7278a62e 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix @@ -42,14 +42,14 @@ in { options.services.holochain-turn-server = { enable = lib.mkEnableOption "holochain turn server"; - turn-url = lib.mkOption { + url = lib.mkOption { type = lib.types.str; }; turn-cert-dir = lib.mkOption { type = lib.types.str; - default = config.security.acme.certs.${cfg.turn-url}.directory; + default = config.security.acme.certs.${cfg.url}.directory; }; - coturn-listening-ip = lib.mkOption { + address = lib.mkOption { type = lib.types.str; }; @@ -73,7 +73,7 @@ acme-redirect = lib.mkOption { type = lib.types.str; - default = "http://acme-${cfg.turn-url}/.well-known/acme-challenge/"; + default = "http://acme-${cfg.url}/.well-known/acme-challenge/"; }; username = lib.mkOption { 
@@ -113,9 +113,9 @@ enable = true; listening-port = 80; tls-listening-port = 443; - listening-ips = [cfg.coturn-listening-ip]; + listening-ips = [cfg.address]; lt-cred-mech = true; # Use long-term credential mechanism. - realm = cfg.turn-url; + realm = cfg.url; cert = "${cfg.turn-cert-dir}/fullchain.pem"; pkey = "${cfg.turn-cert-dir}/key.pem"; no-cli = false; @@ -147,14 +147,20 @@ services.nginx = { enable = true; - defaultHTTPListenPort = cfg.nginx-http-port; # the sole purpose of nginx here is TLS certificate renewal from letsencrypt # coturn redirects ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' # to acme-turn.holo.host, which is intercepted by a reverse-proxy and redirected to port ${cfg.nginx-http-port} on this host - virtualHosts."${cfg.turn-url}" = { + virtualHosts."${cfg.url}" = { + listen = [ + { + addr = "${cfg.address}"; + port = cfg.nginx-http-port; + ssl = false; + } + ]; enableACME = true; - serverName = cfg.turn-url; + serverName = cfg.url; }; }; @@ -162,13 +168,14 @@ acceptTerms = true; defaults = { # staging server has higher retry limits - # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + server = "https://acme-staging-v02.api.letsencrypt.org/directory"; email = "acme@holo.host"; # after certificate renewal by acme coturn.service needs to reload this new cert, too # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 - reloadServices = ["coturn"]; }; + + certs."${cfg.url}".reloadServices = ["coturn"]; }; }; }; diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index 30ce16e0..b9bce66b 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix 
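Review bot: `certs."${cfg.url}".reloadServices = ["coturn"]` takes care of the reload, but nothing in the hunk grants coturn read access to the files its `cert`/`pkey` options point at: the ACME key is by default readable only by the certificate's group, and the coturn unit runs as its own `turnserver` user as far as I recall from the upstream module. Unless that is handled elsewhere in this file, either set `certs."${cfg.url}".group = "turnserver";` (nginx only serves the HTTP challenge here, so it does not need the key) or add the service user to the certificate's group, and leave a comment saying which. The module's `config` body continues outside the hunk.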
@@ -6,7 +6,7 @@ pkgs, ... }: let - ipv4 = "37.27.24.128"; + turnIpv4 = "37.27.24.128"; ipv6Prefix = "2a01:4f9:c012:b61f"; ipv6PrefixLength = "64"; @@ -31,7 +31,7 @@ in { networking.hostName = "turn-infra-holochain-org"; # Define your hostname. - hostName = ipv4; + hostName = turnIpv4; nix.settings.max-jobs = 8; @@ -95,8 +95,8 @@ in { services.holochain-turn-server = { enable = true; - turn-url = "turn.infra.holochain.org"; - coturn-listening-ip = ipv4; + url = "turn.infra.holochain.org"; + address = turnIpv4; username = "test"; credential = "test"; }; @@ -104,18 +104,20 @@ in { services.tx5-signal-server = { enable = true; address = signalIpv4; - port = 443; + port = 8443; + tls-port = 443; + url = "signal.infra.holochain.org"; iceServers = [ { urls = [ - "stun:${config.services.holochain-turn-server.turn-url}:80" + "stun:${config.services.holochain-turn-server.url}:80" ]; } { urls = [ - "turn:${config.services.holochain-turn-server.turn-url}:80" - "turn:${config.services.holochain-turn-server.turn-url}:80?transport=tcp" - "turns:${config.services.holochain-turn-server.turn-url}:443?transport=tcp" + "turn:${config.services.holochain-turn-server.url}:80" + "turn:${config.services.holochain-turn-server.url}:80?transport=tcp" + "turns:${config.services.holochain-turn-server.url}:443?transport=tcp" ]; inherit From 7c62b92e2002575bd4c1899b20eda36cad90ef3f Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 15:32:36 +0000 Subject: [PATCH 13/31] feat(tx5): package all upstream rust binaries --- modules/flake-parts/packages.default.nix | 12 ++-- .../flake-parts/packages.holochain-tx5.nix | 56 ++++++++++++++++--- 2 files changed, 53 insertions(+), 15 deletions(-) diff --git a/modules/flake-parts/packages.default.nix b/modules/flake-parts/packages.default.nix index b79e21ac..45c2d8e7 100644 --- a/modules/flake-parts/packages.default.nix +++ b/modules/flake-parts/packages.default.nix @@ -3,6 +3,7 @@ self, lib, inputs, + inputs', ... }: { perSystem = { 
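Review bot: The host still hands the TURN server `username = "test"; credential = "test";` (context lines, but the new `url`/`address` wiring keeps them live), and with `lt-cred-mech = true` that single static pair is all any client needs to relay through the public IP; since it sits in this repository and in the world-readable Nix store, the relay is effectively open. If these are not intentional public placeholders, load them from a sops secret (the repo already has `secrets/` and sops-nix) through a `*File`-style option instead of a literal, and say so in a comment either way. Also worth checking: `port = 8443` on `signalIpv4` is the plaintext websocket port behind the TLS terminator, so it should be firewalled to the proxy or bound to loopback, and the hunk does not show the firewall rules. The `iceServers` list and the trailing `inherit` continue outside the visible lines.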
@@ -11,18 +12,15 @@ self', inputs', pkgs, + system, ... }: { # system specific outputs like, apps, checks, packages packages = { - reverse-proxy-nix-cache = let - in - pkgs.writeShellScriptBin "reverse-proxy-nix-cache" '' - sudo ${pkgs.caddy}/bin/caddy reverse-proxy --from :80 --to :5000 - ''; - - tx5-signal-srv = pkgs.callPackage ./tx5-signal-srv.nix {}; + reverse-proxy-nix-cache = pkgs.writeShellScriptBin "reverse-proxy-nix-cache" '' + sudo ${pkgs.caddy}/bin/caddy reverse-proxy --from :80 --to :5000 + ''; }; }; flake = { diff --git a/modules/flake-parts/packages.holochain-tx5.nix b/modules/flake-parts/packages.holochain-tx5.nix index 8a05555e..33a203c4 100644 --- a/modules/flake-parts/packages.holochain-tx5.nix +++ b/modules/flake-parts/packages.holochain-tx5.nix @@ -1,10 +1,50 @@ { - writeShellScriptBin, - jq, + # System independent arguments. + self, + lib, + inputs, + inputs', ... -}: -# TODO: make it real -writeShellScriptBin "tx5-signal-srv" -'' - while true; do ${jq}/bin/jq . $2; sleep 60; done -'' +}: { + perSystem = { + # Arguments specific to the `perSystem` context. + config, + self', + inputs', + pkgs, + system, + ... + }: { + # system specific outputs like, apps, checks, packages + + packages = let + system = pkgs.system; + craneLib = inputs.crane.lib.${system}; + cranePkgs = inputs.crane.inputs.nixpkgs.legacyPackages.${system}; + in { + tx5 = craneLib.buildPackage { + pname = "tx5"; + src = inputs.tx5; + version = inputs.tx5.rev; + cargoExtraArgs = "--examples --bins"; + nativeBuildInputs = [ + cranePkgs.perl + cranePkgs.pkg-config + cranePkgs.go + ]; + + doCheck = false; + }; + + tx5-signal-srv = pkgs.runCommandNoCC "tx5-signal-srv" {} '' + mkdir -p $out/bin + cp ${self'.packages.tx5}/bin/tx5-signal-srv $out/bin/ + ''; + }; + }; + flake = { + # system independent outputs like nixosModules, nixosConfigurations, etc. + + # nixosConfigurations.example-host = ... + }; +} From 5ece4e796d4808d7ac69d6c2e9742f065d723c43 Mon Sep 17 00:00:00 2001 
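Review bot: `doCheck = false` drops the tx5 crate's test suite for a binary that will be the internet-facing signal server, and nothing records why; if the tests need network access or are too slow, say so inline, e.g. `doCheck = false; # tests require network; rely on upstream CI`. `cargoExtraArgs = "--examples --bins"` also builds the crate's example binaries, which crane appears to install alongside the real ones; the `tx5-signal-srv` wrapper copies only the one binary it needs, so dropping `--examples` would trim the build unless something else consumes them. Note too that `version = inputs.tx5.rev` is a commit hash rather than the `tx5-signal-srv-v0.0.7-alpha` tag the flake input names, so the package version will not be human-readable.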
From: Stefan Junker Date: Mon, 18 Mar 2024 15:42:29 +0000 Subject: [PATCH 14/31] chore: nix fmt --- modules/nixos/nix-build-distributor.nix | 3 +-- modules/nixos/shared-darwin.nix | 9 +++++++-- modules/nixos/shared-linux.nix | 6 +++++- modules/nixos/shared.nix | 19 ++++++++++--------- 4 files changed, 23 insertions(+), 14 deletions(-) diff --git a/modules/nixos/nix-build-distributor.nix b/modules/nixos/nix-build-distributor.nix index fa3e6dde..5682807c 100644 --- a/modules/nixos/nix-build-distributor.nix +++ b/modules/nixos/nix-build-distributor.nix @@ -20,7 +20,7 @@ speedFactor = 1; supportedFeatures = config.nix.settings.experimental-features; } - + # macos-02 # - intel CPU { @@ -46,7 +46,6 @@ supportedFeatures = config.nix.settings.experimental-features; } - # macos-04 # - m1 cpu # - system integrity protection disabled diff --git a/modules/nixos/shared-darwin.nix b/modules/nixos/shared-darwin.nix index 103e2553..cd2b2172 100644 --- a/modules/nixos/shared-darwin.nix +++ b/modules/nixos/shared-darwin.nix @@ -1,5 +1,10 @@ -{ config, lib, pkgs, ...}: let - cleanup0sizeDrvs = (import ./shared-linux.nix { inherit config pkgs; }).systemd.services.nix-gc.preStart; +{ + config, + lib, + pkgs, + ... +}: let + cleanup0sizeDrvs = (import ./shared-linux.nix {inherit config pkgs;}).systemd.services.nix-gc.preStart; in { launchd.daemons.nix-gc.command = lib.mkForce (pkgs.writeShellScript "nix-gc" '' ${cleanup0sizeDrvs} diff --git a/modules/nixos/shared-linux.nix b/modules/nixos/shared-linux.nix index cf0e3f63..7474e29d 100644 --- a/modules/nixos/shared-linux.nix +++ b/modules/nixos/shared-linux.nix 
@@ -1,4 +1,8 @@ -{ config, pkgs, ... }: { +{ + config, + pkgs, + ... +}: { systemd.services.nix-gc.preStart = '' # if the machine runs low on disk space it's possible for derivation files to be created but never get content which results in derivations that can't be removed by the gc. this is a workaround which finds and deletes those problem derivations. echo Removing 0-size derivations if any exist... diff --git a/modules/nixos/shared.nix b/modules/nixos/shared.nix index 93d39e6f..dc7437bf 100644 --- a/modules/nixos/shared.nix +++ b/modules/nixos/shared.nix @@ -8,14 +8,15 @@ in { # Nix configuration shared between all hosts - imports = [ - ./holo-deploy.nix - ] - # TODO: figure out why this results in infinite recursion - # ++ pkgs.stdenv.isLinux [ - # ./shared-linux.nix - # ] - ; + imports = + [ + ./holo-deploy.nix + ] + # TODO: figure out why this results in infinite recursion + # ++ pkgs.stdenv.isLinux [ + # ./shared-linux.nix + # ] + ; nix.package = lib.mkDefault pkgs.nixVersions.nix_2_17; @@ -88,4 +89,4 @@ in { else if config.deployUser == "root" then "/root" else "/home/${config.deployUser}"; -} +} From 3bef126f7463fbf566c241bd96381faaba616a50 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 15:42:34 +0000 Subject: [PATCH 15/31] feat(holo-users): add neonphog --- modules/flake-parts/nixosModules.holo-users.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/flake-parts/nixosModules.holo-users.nix b/modules/flake-parts/nixosModules.holo-users.nix index 4490f0a9..c5164208 100644 --- a/modules/flake-parts/nixosModules.holo-users.nix +++ b/modules/flake-parts/nixosModules.holo-users.nix 
@@ -4,8 +4,13 @@ ... }: { flake.nixosModules.holo-users = { - users.users.root.openssh.authorizedKeys.keyFiles = - lib.attrValues - (lib.filterAttrs (name: _: lib.hasPrefix "keys_" name) inputs); + users.users.root.openssh.authorizedKeys = { + keyFiles = + lib.attrValues + (lib.filterAttrs (name: _: lib.hasPrefix "keys_" name) inputs); + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHujII5RAwfEXNBYxKhWv2Wx/oHeHUTc8CACZ3M5W3p neonphog@gmail.com" + ]; + }; }; } From be35f6fa02c44c068cba3aa719b5c3760d7db057 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 17:30:02 +0000 Subject: [PATCH 16/31] fix(holochain-turn-server): use production ACME server --- modules/flake-parts/holochain-turn-server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index 7278a62e..f9258ea4 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix @@ -168,7 +168,7 @@ acceptTerms = true; defaults = { # staging server has higher retry limits - server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; email = "acme@holo.host"; # after certificate renewal by acme coturn.service needs to reload this new cert, too From 26bd929e34305559452d3b039cabecc25328db81 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 17:33:38 +0000 Subject: [PATCH 17/31] feat(flake): readd zippy's keys --- flake.lock | 13 +++++++++++++ flake.nix | 9 ++++----- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 24009c6b..4a550403 100644 --- a/flake.lock +++ b/flake.lock 
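Review bot: Root's authorized keys are now the union of an inline key and every `keys_*` flake input, and those inputs are GitHub `https://github.com/<user>.keys` URLs (see `keys_zippy` re-added later in this series), so each `nix flake update` grants root on every host to whatever keys those GitHub accounts list at that moment, without anyone reviewing the key itself. Consider pinning keys inline as done here for neonphog, or at least document the trust model with a comment such as `# keys_* inputs are fetched from GitHub; review the flake.lock narHash changes for them on every update`. The inline key would also benefit from a note of who added it and when, since `neonphog@gmail.com` is its only provenance.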
@@ -325,6 +325,18 @@ "url": "https://github.com/ThetaSinner.keys" } }, + "keys_zippy": { + "flake": false, + "locked": { + "narHash": "sha256-0OoNLGRMmWmezTJGQdbQno6BCYHnuuuUKVfY48chkOw=", + "type": "file", + "url": "https://github.com/zippy.keys" + }, + "original": { + "type": "file", + "url": "https://github.com/zippy.keys" + } + }, "lowdown-src": { "flake": false, "locked": { @@ -673,6 +685,7 @@ "keys_jost-s": "keys_jost-s", "keys_steveej": "keys_steveej", "keys_thetasinner": "keys_thetasinner", + "keys_zippy": "keys_zippy", "microvm": "microvm", "nixos-anywhere": "nixos-anywhere", "nixpkgs": "nixpkgs_3", diff --git a/flake.nix b/flake.nix index 4cf7db9e..e311da5a 100644 --- a/flake.nix +++ b/flake.nix @@ -69,11 +69,10 @@ flake = false; }; - # NAR mismatch as of 2023/07/21 - # keys_zippy = { - # url = "https://github.com/zippy.keys"; - # flake = false; - # }; + keys_zippy = { + url = "https://github.com/zippy.keys"; + flake = false; + }; keys_artbrock = { url = "https://github.com/artbrock.keys"; flake = false; From 7a0fe8ed6b2a43319c3cfd6579da6c9145b16005 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 22:19:23 +0100 Subject: [PATCH 18/31] chore(secrets): rotate dweb-reverse-tls-proxy key --- .sops.yaml | 2 +- secrets/dweb-reverse-tls-proxy/zerotier.txt | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 32806fe3..876324f5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,7 +6,7 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &jost-s D299483493EAE6B2B3D892B6D33548FA55FF167F - - &dweb-reverse-proxy age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - &dweb-reverse-proxy age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx - &linux-builder-01 age1kxkr407jz77ljrhgsfwfmv2yvqjprc6unvx389xp2f48xj8r0vqq2wew5r creation_rules: diff --git a/secrets/dweb-reverse-tls-proxy/zerotier.txt b/secrets/dweb-reverse-tls-proxy/zerotier.txt index a4894c1b..7f7f1c42 100644 
--- a/secrets/dweb-reverse-tls-proxy/zerotier.txt +++ b/secrets/dweb-reverse-tls-proxy/zerotier.txt 
@@ -7,16 +7,16 @@ "hc_vault": null, "age": [ { - "recipient": "age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTjFjNTlkUVhWQmFKM09W\nYzBNZSthTjNYaFNpVFpMNkdlNXlSVFBsM0RJCmx2QjdSUWwrYWhtMkpDMWVTYkdG\nNjBsekJKaUZhNWxxRmxqRnV1R2tQdzgKLS0tIDhXWDE5TE1sWmhZNGRGcG01VUxz\nLzhUMjlFS3Z6emx3b0w4VzR4UXphRU0KXPniYzhIWYkA4xr6b5qWNNk0F5ibQ/cC\nnhgluE8xDVniSWLKEvpfzszktXpffTMolG/+f/nwEUsuNenxC3z8NA==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZUJLYm1wdDVKZ1dGVXph\nNFozSjFDOE1icHBCZVhvZ0NrTE90Wm52MmdnCjJVcG1UMkNiQThoK1ZodmdaNDFx\nNTlZSWhZckhHamJQM29tY3VpREhHcTQKLS0tIEh3MkhxUW5yRm1ZSzUzQTB6ZjZy\nWDB1RWRwNGVXSEpqVUFGZDc5dDdsY3cKcGr7HgAaYM1+I69tlGKS4tBQj3bHiEf1\nsUa9nw3widX8q4zBbFlectvsSDRdtjhyEZc7dCVc4V72vcpeMKqjiA==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-07-03T08:11:48Z", "mac": "ENC[AES256_GCM,data:AtEx+5gllwE1Ip8en9038k2HgbuQ0H+bIi+5rwevJ0EEFJyELvCEgAdX0RDd95VRb/KOR1j4txM+WUHH182HireiPIfpYb7AccycpsH8HzVU7JaeWAr+bDTpcFIqwEEstxP7vVljnPijtFcblL/e+hNwJ8ItyjLLbO94SY8vOTI=,iv:mspxursskO7W7f/Glp952HaFBw1iRqg2+TVh65Dl8Wg=,tag:+R/mSggcQL/pRTcVnHaJBQ==,type:str]", "pgp": [ { - "created_at": "2023-07-03T08:11:07Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/c6xy74E+xTqQqLDafK3rilVholh13M2sRWqxvv2gRQy3\nifuTT0Y3FFBFHqihrbMJ+5vo6DFTuKukP6fi6kkCsRJGm6M1sqAHwdWUcZRvLQuT\nopU/lvrTAz/ctwl9uZPLnvtZK434d0kCSzyBKPQSBbzxOovfOnHQcKe4y/0fgqV5\nTjodIWutNSQMVtlILgdGX9juGpvqcY2tYoHcqsdXQSdMln0XdwntFtPaj67Bw5pt\nAJs/UCDDZUujfzMsYopk/UyIymtnjMfeVvmhgOyuLDRc9BSJ5D2gyD2J1fjfKyqm\nhPj3sN+tyq9gDkvIDmAs1cuba6hslggn3TAe40Fq/dJRAZt5OR4fExedq1JfSo9x\n0oNqzVoCNczTx9zgdD+LSLMokefBwVs9GdS4Als1M2UJmlQlOrOXDr2VwvFVGmzz\nXjA8Ts/1n3FPs8gzRvEIVVJ2\n=kDBU\n-----END PGP MESSAGE-----", + "created_at": 
"2024-03-18T21:19:06Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/c1rh18OwFLY8fMAjBeAbxPts+AULrDiW+eh7NX6PIRkM\n2dlg+q+G+gLy6v8bvhLSCJ46cI5MgQ2uNFnCRLHlT2S2/MJ/zwdIgdOs5b6UheT3\nONATOwX6GkGIaXJvtDGjHyPlg/zM+67E2HktyB8A6jYErpP54MHIceDefVxJYuSr\nUqwlDDEAIIgUJEHSinUxeUSnmfI7otLIa+wOffeU6/T0Jm7qVTRgcsvHNE64Qogz\nh6swBUln5Y6PbgLjspwd0HA7Nb963E6f/v5zn9bRa6st9Ui0Rpuxrrl6258pfKQi\n4Im/eMOTIzIgP14KD2U1PxZ9IYsRd8GF3mjHEMVSPdJRAbfnUYluxpZUvgnaJivi\nu2ZXezHyzpPED44cL5mEgASQnHpgKLTC9w6w07mob4h0t1hT0HIf4xP92NQecYts\nobWpUae3I7x7gb4EPqa/JXO7\n=7vqi\n-----END PGP MESSAGE-----", "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" } ], From 49f19e31a9b94f8f53813f00e82f769922c528b9 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 22:19:23 +0100 Subject: [PATCH 19/31] chore(secrets): rotate dweb-reverse-tls-proxy key disable jost-s key as i don't have it in the keychain and cannot find it immediately. --- .sops.yaml | 2 +- secrets/nomad/admin/keys.yaml | 44 ++++++++++++--------------------- secrets/nomad/cli/keys.yaml | 44 ++++++++++++--------------------- secrets/nomad/client/keys.yaml | 44 ++++++++++++--------------------- secrets/nomad/servers/keys.yaml | 44 ++++++++++++--------------------- 5 files changed, 65 insertions(+), 113 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 876324f5..f99cc2c4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -30,7 +30,7 @@ creation_rules: key_groups: - pgp: - *steveej - - *jost-s + # - *jost-s age: - *dweb-reverse-proxy - path_regex: ^secrets/nomad/admin/.+$ diff --git a/secrets/nomad/admin/keys.yaml b/secrets/nomad/admin/keys.yaml index 0f9c9a71..24e04498 100644 --- a/secrets/nomad/admin/keys.yaml +++ b/secrets/nomad/admin/keys.yaml 
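Review bot: The ZeroTier secret itself was not rotated here: `lastmodified` still reads `2023-07-03T08:11:48Z` and the `mac` is unchanged, so this is a re-wrap of the data key to the new age recipient only. The ciphertext encrypted to the retired age key remains in git history, so if the old host key was exposed (the reason for the rotation is not stated) the underlying secret must be regenerated as well, not just re-encrypted. A line in the commit message such as `re-keyed only; secret payload unchanged` would make that explicit for future readers; the same applies to the nomad `keys.yaml` re-encryptions in the following commit.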
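Review bot: Commenting out `*jost-s` leaves a single human PGP key (`*steveej`) plus the host age key able to decrypt the nomad secrets, which is a bus-factor and recovery risk rather than a convenience fix. `sops updatekeys` only needs the other recipient's public key in the local keyring, not their private key, so importing `D299483493EAE6B2B3D892B6D33548FA55FF167F` (e.g. with `gpg --recv-keys`) should have allowed keeping them; if the removal is deliberate, record it inline, e.g. `# - *jost-s  # removed 2024-03-18, re-add once the public key is imported`. The `creation_rules` block this hunk edits continues outside the visible lines.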
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS05VQURLMW4xRXNhdytY - RXBrUzBzc2JPRktHcEhuY1FTdW5KOUloUkVNClk5VUZVU2lYem5zRCt6bjhXNnJD - QlptdHJxY0VNaGpUUzRZMlVmemN5QzAKLS0tIFpQejFRSGZvY0U1NytZRVhTZTUw - RFBkY3o3TDFpeUxHb2wzSlJ3OWF0NTAK75H/uh2bvFCR01kSWvXNhwep8dk9hGxF - oF6h9cGlEyDEm67LqEjj93Q7SMXIxQk7gbiHgUwuDtUKhsAnoQ1/Bw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTGV2dTQrVkFxUmNPelFr + Ums3UEFNVDl1OHJLcVYwTXJMaTRrbEJiREZBCk0xajVYaStaTHZwSDZsU00vMVFJ + c3NPVmdBcVhTcTVQRldad0lmV1NTQ0kKLS0tIHA4dkw3T0x5TzYxSVMzMlc5b1FL + MlpTQ3MzL29UTU1aM0VMR3NHTTBJODAKDYpsGHSJ5VdyFTVyW88cEH5a1LhM6klU + C4jHUPQSIeVev4T+zySdtozGNb+TEWLuhjJT6RwPILI814PL6OHhKA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-04T14:26:28Z" mac: ENC[AES256_GCM,data:fpzYyKWzwLs9sbRV04h2xyVw+4oZDewzf0C2WNt5RB+/ffy3dUrQotQJ8OHaVS4KboXHeJCT73ZRcVJcCFTs6smSPJXJLxsMkMbEarIlNTVFFp4OGplR62Ynr1/rivB7GlM8wyE51yKByHRQkecKI9ihI3eFdM4y3pkBCTdmrm0=,iv:TSW1Rlhem02fTrCB9CJCtml21Z/uEBAZEa30gzbGuxY=,tag:CraHtqFZbNKbBkAE6cvRMQ==,type:str] pgp: - - created_at: "2023-08-25T15:45:31Z" + - created_at: "2024-03-18T21:27:01Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAw26WQIPkyE6wg3FRYwZ7leT90W4XZEnl5jNRZ1oYLTbc - KHQ8kUZL9fU6HTkya43CGMkyGN0KB3cyhsrJKu9Peewh6DWD+mJ7dYALdPYfdxFq - AvuBEAQURcO4VO7pnE+4E8jM9OHffmepXJf+W4xqM/9cliMdTlb4V0ZPP5Se6Oec - u9eSXHrrvnY4DIbIozKduIhbrUBM7wbFnNy1QRmIfnn/Q/D8oLaHs2YuDzciEHd6 - OvgBExUMzA86yIqM4ru3q3hiPAzpuDuDGHqkc3SskKz9XYcaAt+zC4VgCz6X7VQ7 - aKOKCfh463+sKoL+5q4CEXKfI/Gf9fQ3G+oBj7Yr1tJRAQyQ+dBD0QguiKv8B98g - jJp1hteCfF01mfCuasdHDY2zs0Yecd0Rb9e+mHU7I5pvL9xBDVrkK1FVyeg2sXZ9 - GA/rZwRRdx5CMDckeXo3zJtf - =r901 + wcBMA0SHG/zF3227AQgAi1JSuHVKZZPqO+BNS+n25uIYZQZDznr8NIDz24UW066s + 
PhLm8IWpWLREiF6u410dn3zDCxQQ5kYqv+49nl/m4GMqif/BwueHhcATJlRZq9ll + wcIE5VkoyLKNFpAYW23oSEyfJ8cuakvmkzNXLw+sbljFWwUju9VKHz6Z55jBJalh + fWshg+yagzXKN6nOVGYDojJc/goaHUem2Iy9bD9SZGYPpDwV+/n9xk5wYV3FXeHj + 4bGlgO8e5AzRts8BzBD8DyB7Ioed3rvo3uREmfRvJoJI3mlldH2EhInQbzBlASOs + F3aOwhnSx/N4+UGryEh3BUuao1aF/d6psFBndPRCJNJRAYU8S3HT01mrOgk52Mww + pLaeCU1E0g9NHkW/PruJcitvhZW4i/JzH8Qq+G1iUUJ3EdfnzxeQawZtOB1rPwlj + 0MrRvz4Ext4O//6Px3mDK0Ja + =WarA -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:45:31Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdAIm/+Cl5RQI0xRuOgtShgzZloeoiXDOTt0iofpUgNvzEw - GeShL4fYDvFDlA+ouquFQYesNh5FTdinpQtbITnj7GJNqfeOrlJ2LLnp68tar1JW - 1GgBCQIQ8cnLVC7+m3Wh8HaJ0pb/Ik+DutczbP4LlzSi+dv70mV6SVzTbN4NJOVF - Ja9dz46TgjuwrEoOaK2Vm9vJ4MjPm1xT3+mIwR/vaH9ZmDbvhlmd437NPgLRhAlL - zM2KPqYgdUS+Yw== - =KT32 - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/nomad/cli/keys.yaml b/secrets/nomad/cli/keys.yaml index d81c538b..bdb5cc53 100644 --- a/secrets/nomad/cli/keys.yaml +++ b/secrets/nomad/cli/keys.yaml 
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcFpIRFhmOHJ1MndjKzRr - V29iRzdZUzJudFRwSWpNRHI0S1paekxpNURVCnlQaWQxWVI1eFJRTmIwN3BPdG9n - d21HTXUvMEJuancxUkZQd3RDK3JpbEUKLS0tIGNpZk1mc202RmJyczlJV0J6bUtK - SFpJQi9BTVBZblVZVGZVL0pYaVBoMEkKHlmAX4ELfCBssPnS30o0ZmJ8KBr/BlYy - 1b9J/6mhhaNm5MIkGURa/DCzGRzQtqkBIITgjHt/oW4N3/y6MWclmw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSG1YZHAvOU5kQmR4aklh + a0FPdHdaOTljMlBBNGtiWHo4Vmd1T0llVzBvCm8ybGl5VzhnM0QrNW1ZS0tqdG9s + Z2E3ZU9MUHFJWFlIN1ZsazhCTnVoWkUKLS0tIE9HTktCY3hEcm05QUVSQTlFSWQ5 + ajVOa3REbmpEZHNjbkFQa0NIS05sV1UKmB6F8oW9w2tC+EaWoYCnLkHIfqL1idk6 + jtce1k+htxaQhXe78wEugGMRONb++QDqIz+bNjLe8HZrEJZ79yIm3g== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-05T09:14:30Z" mac: ENC[AES256_GCM,data:xASypo/4Hfyz4118WUKcork3KtbOhsYR1haK4BfncedCxjNfAf9F+D1gfpUD/TRhT3tf6ZTelHc8l9T/FXnK/Ur0IGoIubS7NMOHPQncB1WpOCusiHIlIHqOAqlEhNrzT/8Kct2HEXe8yGs/WgWHuzEkEfRupnME3dml0FJnZXw=,iv:HTYK/ayED0LRZH2Gp53YsfpeXdgYG8PwKZ6H0ddCcLA=,tag:1UniA+s1b5QsRHSnLBIOCQ==,type:str] pgp: - - created_at: "2023-08-25T15:45:40Z" + - created_at: "2024-03-18T21:27:03Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/UFCxQRWBNErI5JgyVKQfUOtkv3OuEVO+PLdkFTJp3GiE - zB7LD1rlGLHDUOUbgmnm9Qd8ivJE59aG0VBgsLgexLt0RzFWa47xNr51uE74+Tj6 - gVDIY8Oyiyhl2fC7CRQm/8+XCdjANIdVFKwL2qlbOTN9vr+0eK+v8/b67MPDp9TI - 5ZVLzSW73N93z4U4mNLF21bA+snNx3SaQjRrInCi6myEob5dPQBp929fOEKUv6db - FJXiGAF6noDXBJ+EWZ3756TM42I26tVxMduCauPJD6WFFVLtWzS/SgOqSPvnWx6u - NQNqX5HpAPD4GB1D4ppuLcbdDtqsbKCDUIktfo2jmtJRAdlMEVgZ9yN81F5Zk8uv - ueEwhsDgCsxeBnZU5RjhytKSpa5iiMEg4NmzFDk9XJmhgLWZ+J3TNc9z8wIwoqT4 - YNgdrq42Owgy0sbIXcS6L/RN - =8hWj + wcBMA0SHG/zF3227AQf/aNPG9i/s+tcVEu6jJ6y5vCM8qC7T5JfL1i3ITMzJxPSP + 
Y86F42DdojMp6Rxkz7JvIwgyo7apmg3um/NlKZ5BYi5wicv7vmj46D9YJmuB6W2v + 8QJy/dezwmFQPyvbKwfUjRbCc3U5mWhhROmWQiWNJ1l74Hpfac84BOIPvLEWlkJf + ZmvUmrAM/K9YxXoQiYVZn+HPHsCVFR/sMgSAR+Qfgobg+IiQp+EED/WuC4G2jS8V + CCfEKFNXbzc37F7CpZyHuW3ePZpcGMemU8YphDYJ+/tcw5ch0o+pcFr2araLsSL3 + Cmvo2loPsKO2xBJTyJQR7LVTkafPRjMzoI5L5r5ncNJRAYUtwvAVeofohoB8YCms + HwDZLE0wwpSDBOj1E169xIzGgwg/wy5UtlP95YDxg8WkVN3kjkxVF/dnFBg1uaCw + vyvDTvaG5KOdCEnEXtiB5Ccr + =t67I -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:45:40Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdA+IsuAJ7huWhxDbYW+oL9XE5Az4a/zQRTdiOGNBbB7Ecw - OVHbT1wfrYLOD6FuT82EE/yA4bBZj6MS564xaYgiUwXDXqfGVYSasMhHfxlttKEP - 1GYBCQIQj+tjnK+BsvlB7OMfl5nH0X5p51B0ADD+aupLWfrNTCbqQBFQ0r7MIO/x - b2a+yA4nMFRG0NIXTxCliNrPpnc5yWjc6zVEfEco8w45lhaqk8wuxtlCxJF83cKU - 3eEzq0wBCBE= - =mkAF - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/nomad/client/keys.yaml b/secrets/nomad/client/keys.yaml index e1de4173..51642e9e 100644 --- a/secrets/nomad/client/keys.yaml +++ b/secrets/nomad/client/keys.yaml 
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWlJVGVQV2s0ZE1zdXY0 - M29XT0tIblcrdUlCZVA3ejNaaTZ5R0JTZmhBCmZwWkZyOHBjdzVVbUo1ZlIya1NY - bitqdlUwSmorbGgvQVRvRldWTkZVbTQKLS0tIHhDbjVmRk0yb2NBZExWT1pCOEtu - SzF6R3ZQM1RneTBXVGYyTGdBcXdzZTAKF8qtOi7Mc1RevZr8AtetYANvo5ygJWrk - /7Q+gkWuyr7NSyz6ffDwshKNmtSCn5I2Nx9ROhSSILDOroou2g8rrQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1U0MybVJqdzZxSG1TSHQ0 + RVpWbk8wUXlORXhya1duQUNwSThhUXFjcmg0CjErODhFMjNEaDl1V09hb254U05o + WnpFNVNpdWd1UFA3emFITHNjd0JrVTAKLS0tIGprYjN0K3hHcWd5dGpsbmNpVGxk + aEhRYlVHQnNpUGs3cExYRjNheURKZEEKuONf6KQptwKPfpjoq6NE6pql7hRTmBEa + jWlskL212zPKy4jwBTILVxpSECYgWuyGmpUCVhgduXP8HPOtjUuEVA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-12T09:25:18Z" mac: ENC[AES256_GCM,data:tQR1UYHFm8YnjcXqGLJaPz6X5SaTrlQ913KjS6waFz/LUEYzGfmAjqjJEH+/xRupS2daNxvTrpmNk5j8QTMFlDSUaKgse3dqQucL7dpJ6dE8PSGolXayswDw54kb8yNXi1u6JRg3v/5lyVrj2zajAmyFkYeila9TrwlZVwh8drA=,iv:cJ/561WeaYcW7Zrv50c79JPlWaY7iGQxlEr/17+tqh0=,tag:sH8gnl69GjJbe7eAbPbuwQ==,type:str] pgp: - - created_at: "2023-08-25T15:45:50Z" + - created_at: "2024-03-18T21:27:04Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAoB3+cVl1AAFrw7e3JiGLdIzblWKYvoghItm/Mm1twSkh - jftBnrBGGz9a77ksgopxthkuMMguErZNt5pqJezsnSL/96TtAS4oKfWJVpZJwHG6 - 2UFwSReaB2PFLiKQ3c1A+ol4TrbyvHlqsDS78YdRYCorpoEuqHvh732/mIKiDvcd - wTSZ8k8ICB/BD86kORRkIB1WCBIX1VRt68c+e/9T/jZsw6M3555xNL5T5V/LoZfI - fT/j8GufMtjb9Lk1kHiMwBHB1CbMPUUfKe2VsZ3wWpNChsb0mzuVRnIq/fuyqPyf - 6q+wm/sEnDcbBk+xqN7HFonFPLhTIkjtPs3P3IaFoNJRAWuBudDhcwITlo1L+bxM - tikD6BWSBu5GYmnCEPBV3VV49svgkph5gEbphlwuvfD+P4sOaTQAirmwkhHmcU2/ - FOFFT7DdhTMjR1/2lCyIoc70 - =auhV + wcBMA0SHG/zF3227AQf+Oq7+G/LBsGNtyOmLWuDUv5mLQ4IjiOWO02w6/AgmKzAs + 
6nKLwSY2v56pezR8TaDO7U2GtSLhqJihcM9zaHpBtfEc6tKQ9jJEh8RLiT6MWuPv + vjQ8BljqMJ4Y3DzoOuO2h4/Y0F9XuNgaiSoicf4Vs4F8NYjuBmnxdilhO1199jfx + oUu1s38yDEtfgHSLtjDrxrT975jrnqFeaTh2t+qClHZ23fRYi5bqVw6TxizJL0Ma + eAXAW/Ujj6MeBe2dLB3icj5lj+nbedO6AM6e4lM3JkMWY9z8eke+XetRQqyZYY/0 + C9M4PZ5NAB295ldPjOAZzY9PtWoWQB/C7wOkXgWm69JRAdHZSre0jWRGsq5oMe1P + 9ROIcCh5DEnYuHhlFk4Hssk+ZNniC3z/0+lF+z8A0/OusMkUcCSDGCG3XO0loCPN + eGtY2qA3xRFEOabr/cfGLSUQ + =lC6i -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:45:50Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdA++vE1v1/meAAwe5Gt3MTCVej3L0EJB9P6bNll9Klfgkw - JjGDMmvx2QsN8AXQenfMOV1cgfNkl/0NW9SMjJ6erVKOfH2g/Q7/+7v7vRNuuAUL - 1GgBCQIQ+2eZ5nBwgg6cOPvXmfah4tuLJkrgT1XzlS1fVpFd+j+N4AeDiIiTActr - mjqaOsZ5wHOahA85tamMaAReyuoHahNw9OhaSS2F7Agyqm0MI5fLphWU0q6o2GWT - 2tHKfNAnB98BxQ== - =PFeI - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/nomad/servers/keys.yaml b/secrets/nomad/servers/keys.yaml index 5b3a28b7..e39fcd5a 100644 --- a/secrets/nomad/servers/keys.yaml +++ b/secrets/nomad/servers/keys.yaml 
@@ -5,44 +5,32 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1p4udet5m63tccqqpy38d2m90cv4rffe3cn3965jpmakkwcs7t56qvlp2vw + - recipient: age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY1JiZUNJTkw0RkI1eko1 - UWgrcFo4ZVZTcG40SlUyZThzUlhYb2d6SGhNCnJKZDJNNURrbXhucDEzU0JXRXYr - TFJFWXJ2Y0MxK1FMNzRzblROY0taeHcKLS0tIDF1cExxNnQxTWFIR0VqSk1xMVpD - VXI1ODdEdER5cnpDeWNYVHZrTTJJMkEKkVHdmI84OnyM/tktrzPNJuaD72kv28wZ - AxRoAnFXCui6S1No7WHrWw12XfD+6VHBlV0TRKtdfFiPRmq9vNxsMw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QkFMRDE2MEFTRXJLc0lT + Nkd5YmpIbzl5dCsvSEZmczZIcVljYzV5WkVzCk1UUGE1c2JRWFhQZVRQQ0prYk5m + NVA3TFJuRXRxMUZheVdMMmp1RWt4NU0KLS0tIHFmb05CNERHVGRlZ2pvVCtNeE9v + Q1A3OFFLbm5XekhOaWdHR0xGanBLU1EKDzNqlIBK+Si1DfvgbmQlJh/ubumYYEAx + xzVaulVhfq6TWgkcpS6zwFLcNS1qzeDNLKwmd2RlJ8iQpgafdiGHSw== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-05T09:59:44Z" mac: ENC[AES256_GCM,data:qKRGsoInfFTGoJj59ecQV8bwakcwBLK20rBmqRlNuNGr/KeBGSf4d1gbBiJf5Uk5VJZuZJGyhpGvFlzeB20vhwVvMHEUl6g4nr+sft2ZskXWfM02+4pq2dA2T4lQOhix2Hmr8vLqbdoKMcxT73CwsLBxduAJ1DIOG+Q617LFGa4=,iv:C6D2tNlbmgfSuIJeZZSRygT/pWWPw95LNAGN9oBljdE=,tag:/chzfo0NBAlgkGJTvSqYGg==,type:str] pgp: - - created_at: "2023-08-25T15:46:00Z" + - created_at: "2024-03-18T21:27:06Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAiBEp4aHe2uj66b2zuwmgdRoOg9AA7nWT+Ti7VlJjT81w - sgn1AMY4RE+4DK1AiB6xSl+G3TLFfmjnxc3EeqF/7xjgD8hrR6S2ZJLD88o0iv2k - jjD1ZJMIWjJy+IJig9L+mpF/EPv4LfdhPvsbL1f8NsuNqBl72tE82hnCMtvyAEoA - P2w6uFZr0Hfz+MlJ8RAd+JOfadT4n8W+XJ38e2xtOhnFgPIlJY/jrw9MyiEyTPJd - 6RhuwcF2bKrkqsAwVYg6Jz9EEYnsIab52IxhoTOPfdx4Nh5SorGUWf7Ns1qvRIoI - r6uPmxm6Dg+jTR1eHB7EHz91hkO4Bg0pVlWF/u71ItJRAc2+9SfDsV9ru4TenYkp - e2hj5xVDrubrxFSos9PEEqYNwEDV7EovXjRiypdfDG0cungZHonegvfGdxUmeeMZ - hfdMv7emuTP2rs44TvRP6h13 - =eXie + wcBMA0SHG/zF3227AQf/cLdA/l1SnxJO9lnmd15lQUjHndRH721N2hWAFTVFndin + 
6nq71PYZwfdubyZ6npVjzZzCwI0Jrh0A2Tn4lYXoEGVFDEg/Z5DU9FXwxHQaF4IV + 50y1FEybvR+5FHNQHtyor2pQ+56E2bNte06/peAnDh2PxZpdJsmMmSZ8+15CeOxA + UcUc00rWjPuHJE+CJtwKZ+C5LE3ypFehsF6s1ZQqlK/hd+MI0ROdfm+tloAAZ2fV + 04Ie4IP2gfjw/4ie5vDQT99AolKycL5goRzAyOEmvPLJRhl0TRR3mlZ9vJsgnJm7 + aibcPB8q8vzluCxHpQY+e1ccqlPoeP6xVXBOtOOCjtJRARXFF0tK/+il4bAyhOwa + Cfit7jodFmo1QSTQo5DJXs7SrmV7Sm8sj40HEiuTqy0H64L31PCJV42Ttcm9/iHI + rKw+PYINnmufCDVk5j5P/8Bp + =uIWo -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - created_at: "2023-08-25T15:46:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DtA1eM2l/IxsSAQdA5MszuLu+UQoL9MkQM5v6ZragVM+6tBAouLSSNM4utQAw - 5MQTqinhIN4dvSGcgujdZDAVbyGti/R85sqIEN+kAdFe+/uoFJFFysbfeLiHceqY - 1GgBCQIQGBBEuUSORHT6JaBBoz5xBteoWUip+BKCQ+DJQbYAXy0FfVlGFONRzEmn - Xvr25EvhqhMZdHqvoealgrXzRdHM5w/dLZLcGKvI46g0H+ppYoPROjfQ728j0Nk/ - xm9ff+tbSzekLw== - =S2xM - -----END PGP MESSAGE----- - fp: D299483493EAE6B2B3D892B6D33548FA55FF167F unencrypted_suffix: _unencrypted version: 3.7.3 From 50a469c447f15bc32790c6c0c6e4d3ed95c4b845 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 21:45:45 +0000 Subject: [PATCH 20/31] feat(modules/nixos): add kitsune-bootstrap this relies on a package in holochain/holochain so adding that too. --- flake.nix | 6 ++ modules/nixos/kitsune-bootstrap.nix | 93 +++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 modules/nixos/kitsune-bootstrap.nix diff --git a/flake.nix b/flake.nix index e311da5a..1d960fda 100644 --- a/flake.nix +++ b/flake.nix @@ -82,6 +82,12 @@ tx5.url = "github:holochain/tx5/tx5-signal-srv-v0.0.7-alpha"; tx5.flake = false; + + holochain-versions.url = "github:holochain/holochain?dir=versions/weekly"; + holochain = { + url = "github:holochain/holochain"; + inputs.versions.follows = "holochain-versions"; + }; }; outputs = inputs @ { diff --git a/modules/nixos/kitsune-bootstrap.nix b/modules/nixos/kitsune-bootstrap.nix new file mode 100644 index 00000000..084fd7dc 
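Review bot: The same caveat applies to `secrets/nomad/servers/keys.yaml`: the PGP recipient `D299483493EAE6B2B3D892B6D33548FA55FF167F` is removed and the age recipient swapped, yet `lastmodified: "2023-07-05T09:59:44Z"` and `mac` are unchanged, so the data key was re-wrapped rather than rotated. The removed key can still decrypt this revision and all prior ones in git history. Run `sops rotate -i secrets/nomad/servers/keys.yaml` if the removal is a revocation, and rotate the Nomad server keys inside it if the removed key holder should no longer have them.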
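Review bot: `holochain.url = "github:holochain/holochain"` and `holochain-versions.url = "github:holochain/holochain?dir=versions/weekly"` carry no ref or rev, so every `nix flake update` pulls whatever is on the upstream default branch into the package that will run the public bootstrap server; the `tx5` input a few lines above is pinned to a release tag, and this input should follow that convention (`holochain.url = "github:holochain/holochain/<tag-or-rev>";`). The lock file freezes a specific rev today, but the intent of tracking a release rather than a moving branch belongs in `flake.nix` where it is reviewed. If the holochain flake exposes a `nixpkgs` input, consider also adding `holochain.inputs.nixpkgs.follows = "nixpkgs";` to avoid building and patching against a second nixpkgs — I cannot confirm its input names from this diff.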
--- /dev/null +++ b/modules/nixos/kitsune-bootstrap.nix @@ -0,0 +1,93 @@ +{ + self, + config, + lib, + pkgs, + ... +}: let + cfg = config.services.kitsune-bootstrap; +in { + options.services.kitsune-bootstrap = { + enable = lib.mkEnableOption "kitsune-bootstrap"; + + package = lib.mkOption { + default = self.inputs.holochain.packages.${pkgs.system}.holochain; + type = lib.types.package; + }; + + address = lib.mkOption { + description = "address to bind"; + type = lib.types.str; + }; + + tls-port = lib.mkOption { + description = "port to bind for incoming TLS connections"; + type = lib.types.int; + }; + + url = lib.mkOption { + description = "url for incoming TLS connections to the bootstrap server"; + type = lib.types.str; + }; + + port = lib.mkOption { + description = "port to bind"; + type = lib.types.int; + }; + }; + + config = lib.mkIf (cfg.enable) { + systemd.services.kitsune-bootstrap = { + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + + environment = { + TMPDIR = "%T"; + }; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${cfg.package}/bin/kitsune-bootstrap -i 127.0.0.1:${builtins.toString cfg.port}"; + Restart = "always"; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."${cfg.url}" = { + serverName = cfg.url; + enableACME = true; + addSSL = true; + + listen = [ + { + addr = "${cfg.address}"; + port = 80; + ssl = false; + } + + { + addr = "${cfg.address}"; + port = cfg.tls-port; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; + proxyWebsockets = true; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults = { + email = "acme@holo.host"; + }; + + # staging server has higher retry limits + certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + }; +} From 2f932b93702dec46fff944d3effdd308f22aa0fc Mon Sep 17 00:00:00 2001 
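Review bot: The nginx virtual host uses `addSSL = true;` with a plain listener on port 80, so the bootstrap endpoint is served over unauthenticated HTTP as well as TLS, and a client that (or an attacker that) speaks plain HTTP to it can be fed or tampered peer/bootstrap data in transit. Unless some client genuinely needs plaintext, change that line to `forceSSL = true;` so port 80 only serves the ACME challenge and redirects; if plaintext must stay, add a comment stating why. Two smaller points: `tls-port` and `port` are typed `lib.types.int` and should be `lib.types.port` so out-of-range values fail at evaluation, and the `url` option is actually used as an FQDN for `serverName` and the ACME cert, so its description should say so. Binding the daemon itself to `127.0.0.1` in `ExecStart` and running it with `DynamicUser = true` is the right shape; the later commit in this series that switches off the staging ACME server is noted.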
From: Stefan Junker Date: Mon, 18 Mar 2024 21:46:31 +0000 Subject: [PATCH 21/31] repo-wide bump to nixos-23.11 and configure kitsune-bootstrap server --- flake.lock | 470 ++++++++++++++++-- flake.nix | 4 +- modules/flake-parts/holochain-turn-server.nix | 74 +-- .../configuration.nix | 58 ++- .../configuration.nix | 31 +- modules/nixos/kitsune-bootstrap.nix | 2 +- modules/nixos/shared.nix | 2 +- modules/nixos/tx5-signal-server.nix | 6 +- 8 files changed, 534 insertions(+), 113 deletions(-) diff --git a/flake.lock b/flake.lock index 4a550403..cc1a818b 100644 --- a/flake.lock +++ b/flake.lock @@ -22,6 +22,40 @@ "type": "github" } }, + "cargo-chef": { + "flake": false, + "locked": { + "lastModified": 1695999026, + "narHash": "sha256-UtLoZd7YBRSF9uXStfC3geEFqSqZXFh1rLHaP8hre0Y=", + "owner": "LukeMathWalker", + "repo": "cargo-chef", + "rev": "6e96ae5cd023b718ae40d608981e50a6e7d7facf", + "type": "github" + }, + "original": { + "owner": "LukeMathWalker", + "ref": "main", + "repo": "cargo-chef", + "type": "github" + } + }, + "cargo-rdme": { + "flake": false, + "locked": { + "lastModified": 1675118998, + "narHash": "sha256-lrYWqu3h88fr8gG3Yo5GbFGYaq5/1Os7UtM+Af0Bg4k=", + "owner": "orium", + "repo": "cargo-rdme", + "rev": "f9dbb6bccc078f4869f45ae270a2890ac9a75877", + "type": "github" + }, + "original": { + "owner": "orium", + "ref": "v1.1.0", + "repo": "cargo-rdme", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ 
@@ -42,6 +76,43 @@ "type": "github" } }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "holochain", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707363936, + "narHash": "sha256-QbqyvGFYt84QNOQLOOTWplZZkzkyDhYrAl/N/9H0vFM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "9107434eda6991e9388ad87b815dafa337446d16", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crate2nix": { + "flake": false, + "locked": { + "lastModified": 1706909251, + "narHash": "sha256-T7G9Uhh77P0kKri/u+Mwa/4YnXwdPsJSwYCiJCCW+fs=", + "owner": "kolloch", + "repo": "crate2nix", + "rev": "15656bb6cb15f55ee3344bf4362e6489feb93db6", + "type": "github" + }, + "original": { + "owner": "kolloch", + "repo": "crate2nix", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -74,11 +145,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1678184100, - "narHash": "sha256-6R0LmBiS2E6CApdqqFpY2IBXDAg2RQ2JHBkJOLMxXsY=", + "lastModified": 1710144971, + "narHash": "sha256-CjTOdoBvT/4AQncTL20SDHyJNgsXZjtGbz62yDIUYnM=", "owner": "cachix", "repo": "devenv", - "rev": "b9e0ace80abd0ca5631ab5df7d6562ba9d8af50c", + "rev": "6c0bad0045f1e1802f769f7890f6a59504825f4d", "type": "github" }, "original": { @@ -94,11 +165,11 @@ ] }, "locked": { - "lastModified": 1710427903, - "narHash": "sha256-sV0Q5ndvfjK9JfCg/QM/HX/fcittohvtq8dD62isxdM=", + "lastModified": 1710724748, + "narHash": "sha256-aXlifKr6Brg0SBUBgRNEBaZf3JLUeGhM9BX2gam+vvo=", "owner": "nix-community", "repo": "disko", - "rev": "21d89b333ca300bef82c928c856d48b94a9f997c", + "rev": "c09c3a9639690f94ddff44c3dd25c85602e5aeb2", "type": "github" }, "original": { 
@@ -129,6 +200,22 @@ "type": "github" } }, + "empty": { + "flake": false, + "locked": { + "lastModified": 1683792623, + "narHash": "sha256-pQpattmS9VmO3ZIQUFn66az8GSmB4IvYhTTCFn6SUmo=", + "owner": "steveej", + "repo": "empty", + "rev": "8e328e450e4cd32e072eba9e99fe92cf2a1ef5cf", + "type": "github" + }, + "original": { + "owner": "steveej", + "repo": "empty", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -145,6 +232,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -163,6 +266,23 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nixos-anywhere", @@ -184,12 +304,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { 
@@ -200,7 +323,25 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems" + "systems": "systems_2" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" }, "locked": { "lastModified": 1692799911, @@ -226,11 +367,11 @@ ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", "type": "github" }, "original": { 
@@ -256,6 +397,94 @@ "type": "github" } }, + "holochain": { + "inputs": { + "cargo-chef": "cargo-chef", + "cargo-rdme": "cargo-rdme", + "crane": "crane_2", + "crate2nix": "crate2nix", + "empty": "empty", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "holochain": [ + "holochain", + "empty" + ], + "lair": [ + "holochain", + "empty" + ], + "launcher": [ + "holochain", + "empty" + ], + "nix-filter": "nix-filter", + "nixpkgs": "nixpkgs_3", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "repo-git": "repo-git", + "rust-overlay": "rust-overlay", + "scaffolding": [ + "holochain", + "empty" + ], + "versions": [ + "holochain-versions" + ] + }, + "locked": { + "lastModified": 1710743393, + "narHash": "sha256-xhkOYQotgVNiCAVeBRem8V0b1Csi0p/yZY6XvvzePvU=", + "owner": "holochain", + "repo": "holochain", + "rev": "2a4773ca6985cd08a57f6aafb54565bb988ca6bc", + "type": "github" + }, + "original": { + "owner": "holochain", + "repo": "holochain", + "type": "github" + } + }, + "holochain-versions": { + "inputs": { + "holochain": "holochain_2", + "lair": "lair", + "launcher": "launcher", + "scaffolding": "scaffolding" + }, + "locked": { + "dir": "versions/weekly", + "lastModified": 1710743393, + "narHash": "sha256-xhkOYQotgVNiCAVeBRem8V0b1Csi0p/yZY6XvvzePvU=", + "owner": "holochain", + "repo": "holochain", + "rev": "2a4773ca6985cd08a57f6aafb54565bb988ca6bc", + "type": "github" + }, + "original": { + "dir": "versions/weekly", + "owner": "holochain", + "repo": "holochain", + "type": "github" + } + }, + "holochain_2": { + "flake": false, + "locked": { + "lastModified": 1710291013, + "narHash": "sha256-etoY8oXg3PXFMeZgkixxsKJjH1Uauua366y2TN8+fms=", + "owner": "holochain", + "repo": "holochain", + "rev": "15516823c6f5e0ec7f032e614d804b2376fe0867", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "holochain-0.3.0-beta-dev.40", + "repo": "holochain", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -337,14 +566,48 @@ "url": "https://github.com/zippy.keys" } }, + "lair": { + "flake": false, + "locked": { + "lastModified": 1709335027, + "narHash": "sha256-rKMhh7TLuR1lqze2YFWZCGYKZQoB4dZxjpX3sb7r7Jk=", + "owner": "holochain", + "repo": "lair", + "rev": "826be915efc839d1d1b8a2156b158999b8de8d5b", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "lair_keystore-v0.4.4", + "repo": "lair", + "type": "github" + } + }, + "launcher": { + "flake": false, + "locked": { + "lastModified": 1706294585, + "narHash": "sha256-92Qc6hBMFfHo3w1m1+EpNAAV+7whpkgRHiGqNiXaMCg=", + "owner": "holochain", + "repo": "launcher", + "rev": "51a45a7141abc98a861b34b288b384f50f359485", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "holochain-weekly", + "repo": "launcher", + "type": "github" + } + }, "lowdown-src": { "flake": false, "locked": { - "lastModified": 1633514407, - "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", + "lastModified": 1700431489, + "narHash": "sha256-YB0ksW9HFRVr0WbtBcF4KSN44r02+ArD1Voipw8rU/8=", "owner": "kristapsdz", "repo": "lowdown", - "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", + "rev": "1200b9f4ceceb5795ccc0a02a2105310f0819222", "type": "github" }, "original": { @@ -355,7 +618,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] @@ -399,6 +662,21 @@ "type": "github" } }, + "nix-filter": { + "locked": { + "lastModified": 1705332318, + "narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "3449dc925982ad46246cfc36469baf66e1b64f17", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nixos-2305": { "locked": { "lastModified": 1686478675, 
@@ -418,7 +696,7 @@ "nixos-anywhere": { "inputs": { "disko": "disko_2", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "nixos-2305": "nixos-2305", "nixos-images": "nixos-images", "nixpkgs": [ @@ -515,6 +793,24 @@ "type": "github" } }, + "nixpkgs-lib_2": { + "locked": { + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-regression": { "locked": { "lastModified": 1643052045, @@ -533,16 +829,16 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1673800717, - "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=", + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -629,18 +925,17 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "nixos", + "lastModified": 1710631334, + "narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a", "type": "github" }, "original": { - "owner": "nixos", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" } }, "pre-commit-hooks": { 
@@ -660,11 +955,27 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1677160285, - "narHash": "sha256-tBzpCjMP+P3Y3nKLYvdBkXBg3KvTMo3gvi8tLQaqXVY=", + "lastModified": 1708018599, + "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "flake": false, + "locked": { + "lastModified": 1707297608, + "narHash": "sha256-ADjo/5VySGlvtCW3qR+vdFF4xM9kJFlRDqcC9ZGI8EA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "2bd861ab81469428d9c823ef72c4bb08372dd2c4", + "rev": "0db2e67ee49910adfa13010e7f012149660af7f0", "type": "github" }, "original": { @@ -673,6 +984,18 @@ "type": "github" } }, + "repo-git": { + "flake": false, + "locked": { + "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=", + "type": "file", + "url": "file:/dev/null" + }, + "original": { + "type": "file", + "url": "file:/dev/null" + } + }, "root": { "inputs": { "cachix_for_watch_store": "cachix_for_watch_store", @@ -680,6 +1003,8 @@ "darwin": "darwin", "disko": "disko", "flake-parts": "flake-parts", + "holochain": "holochain", + "holochain-versions": "holochain-versions", "home-manager": "home-manager", "keys_artbrock": "keys_artbrock", "keys_jost-s": "keys_jost-s", @@ -688,7 +1013,9 @@ "keys_zippy": "keys_zippy", "microvm": "microvm", "nixos-anywhere": "nixos-anywhere", - "nixpkgs": "nixpkgs_3", + "nixpkgs": [ + "nixpkgs-23-11" + ], "nixpkgs-23-11": "nixpkgs-23-11", "nixpkgsGithubActionRunners": "nixpkgsGithubActionRunners", "nixpkgsMaster": "nixpkgsMaster", 
@@ -698,6 +1025,45 @@ "tx5": "tx5" } }, + "rust-overlay": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "holochain", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710727870, + "narHash": "sha256-Ulsx+t4SnRmjMJx4eF2Li+3rBGYhZp0XNShVjIheCfg=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a1b17cacfa7a6ed18f553a195a047f4e73e95da9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "scaffolding": { + "flake": false, + "locked": { + "lastModified": 1708377063, + "narHash": "sha256-5+iEjwMO/sTe1h9JVrfn77GjliIRVJQFS2yvI3KTsL8=", + "owner": "holochain", + "repo": "scaffolding", + "rev": "c41f01d2ff19fe58b6632860d85f88a96e16fd65", + "type": "github" + }, + "original": { + "owner": "holochain", + "ref": "holochain-weekly", + "repo": "scaffolding", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ @@ -726,11 +1092,11 @@ ] }, "locked": { - "lastModified": 1686528292, - "narHash": "sha256-RWSI4qsx2NTPZa7e27DKLEAYOjtyGADSJ1sPB1j4yQA=", + "lastModified": 1710722976, + "narHash": "sha256-tAQvMzQ3pB4O7C0WJqvewlywEpJQRTdu2om5bgKV3L8=", "owner": "numtide", "repo": "srvos", - "rev": "5db34b8c369dad476406ef8ac6382fd019bd07a3", + "rev": "6f5c52bcd3b9e7c0e88907a75d284d11b609a36c", "type": "github" }, "original": { 
@@ -754,6 +1120,36 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 1d960fda..2c633043 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "The new, performant, and simplified version of Holochain on Rust (sometimes called Holochain RSM for Refactored State Model) "; inputs = { - nixpkgs = {url = "github:nixos/nixpkgs/release-23.05";}; + nixpkgs.follows = "nixpkgs-23-11"; nixpkgsGithubActionRunners = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsUnstable = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsMaster = {url = "github:nixos/nixpkgs/master";}; @@ -169,7 +169,7 @@ }; packages = { - nomad = inputs'.nixpkgsMaster.legacyPackages.nomad_1_6; + nomad = inputs'.nixpkgs.legacyPackages.nomad_1_6; nixos-anywhere = inputs'.nixos-anywhere.packages.default; }; diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index f9258ea4..a55e1859 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix 
@@ -85,6 +85,12 @@ type = lib.types.str; default = "test"; }; + + extraCoturnAttrs = lib.mkOption { + description = "extra attributes assigned to services.coturn"; + type = lib.types.attrs; + default = {}; + }; }; config = lib.mkIf cfg.enable { @@ -109,34 +115,36 @@ } ]; - services.coturn = { - enable = true; - listening-port = 80; - tls-listening-port = 443; - listening-ips = [cfg.address]; - lt-cred-mech = true; # Use long-term credential mechanism. - realm = cfg.url; - cert = "${cfg.turn-cert-dir}/fullchain.pem"; - pkey = "${cfg.turn-cert-dir}/key.pem"; - no-cli = false; - min-port = cfg.coturn-min-port; - max-port = cfg.coturn-max-port; - extraConfig = - '' - no-software-attribute - no-multicast-peers - no-tlsv1 - no-tlsv1_1 - user=${cfg.username}:${cfg.credential} - prometheus - '' - + lib.strings.optionalString cfg.verbose '' - verbose - '' - + lib.strings.optionalString (cfg.acme-redirect != null) '' - acme-redirect=${cfg.acme-redirect} - ''; - }; + services.coturn = + { + enable = true; + listening-port = 80; + tls-listening-port = 443; + listening-ips = [cfg.address]; + lt-cred-mech = true; # Use long-term credential mechanism. + realm = cfg.url; + cert = "${cfg.turn-cert-dir}/fullchain.pem"; + pkey = "${cfg.turn-cert-dir}/key.pem"; + no-cli = false; + min-port = cfg.coturn-min-port; + max-port = cfg.coturn-max-port; + extraConfig = + '' + no-software-attribute + no-multicast-peers + no-tlsv1 + no-tlsv1_1 + user=${cfg.username}:${cfg.credential} + prometheus + '' + + lib.strings.optionalString cfg.verbose '' + verbose + '' + + lib.strings.optionalString (cfg.acme-redirect != null) '' + acme-redirect=${cfg.acme-redirect} + ''; + } + // cfg.extraCoturnAttrs; systemd.services.coturn.serviceConfig = { LimitNOFILESoft = 10000; 
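Review bot: `extraCoturnAttrs` is typed `lib.types.attrs`, which is an untyped escape hatch with replace-rather-than-merge semantics (two definitions of this option will not combine) and gives no validation of what ends up in `services.coturn`. Prefer `type = lib.types.attrsOf lib.types.anything;` (or a `lib.types.submodule` listing the few coturn options you actually expect callers to set, such as `cli-ip`/`cli-password`), and extend the description to state that values are passed through unchecked to `services.coturn`.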
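Review bot: Merging with `// cfg.extraCoturnAttrs` is a shallow attrset override evaluated before the module system sees it, so an entry such as `extraConfig` or `listening-ips` in the extra attrs silently replaces the module's own value — including the `no-tlsv1`/`no-tlsv1_1` hardening and the `user=` line — instead of being merged with it. Use the module system's merge instead, `services.coturn = lib.mkMerge [ { … } cfg.extraCoturnAttrs ];`, so strings concatenate, lists combine, and conflicting scalars raise an evaluation error rather than one side silently winning. Separately, `user=${cfg.username}:${cfg.credential}` still interpolates the long-term TURN credential into `extraConfig`, which puts it in the world-readable Nix store; that predates this hunk, but a `# FIXME: credential is written to /nix/store; move to a runtime-read secret file` next to it would keep it visible until fixed.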
@@ -167,15 +175,15 @@ security.acme = { acceptTerms = true; defaults = { - # staging server has higher retry limits - # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - email = "acme@holo.host"; - # after certificate renewal by acme coturn.service needs to reload this new cert, too - # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 }; + # after certificate renewal by acme coturn.service needs to reload this new cert, too + # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 certs."${cfg.url}".reloadServices = ["coturn"]; + + # staging server has higher retry limits + # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; }; diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix index 51bcc669..f099b49d 100644 --- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix 
@@ -37,36 +37,31 @@ in { "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" ]; - boot.loader.grub = { - efiSupport = false; - device = "/dev/sda"; - }; - # boot.loader.systemd-boot.enable = true; - # boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_latest; - - systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6Prefix}::1/64"; + boot.loader.systemd-boot.enable = false; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = false; disko.devices.disk.sda = { device = "/dev/sda"; type = "disk"; content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "0"; - end = "1M"; - part-type = "primary"; - flags = ["bios_grub"]; - } - { - name = "root"; - start = "1M"; - end = "100%"; - part-type = "primary"; - bootable = true; + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; content = { type = "btrfs"; extraArgs = ["-f"]; # Override existing partition @@ -77,15 +72,16 @@ in { }; "/nix" = { mountOptions = ["noatime"]; + mountpoint = "/nix"; }; }; }; - } - ]; + }; + }; }; }; - system.stateVersion = "23.05"; + system.stateVersion = "23.11"; ### ZeroTier services.zerotierone = { @@ -94,6 +90,7 @@ in { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" + "nomad" ]; sops.secrets.zerotieroneNetworks = { 
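Review bot: The disko change in `@@ -37,36 +37,31 @@` replaces the legacy `table` layout (bios_grub + root) with a GPT layout that adds a 1G ESP and flips GRUB to `efiSupport = true`, which is a destructive repartition of an existing host rather than the nixpkgs bump the commit subject describes. If this configuration is ever re-applied with disko or nixos-anywhere the disk is rewritten (`extraArgs = ["-f"]` on the btrfs partition already forces that), so it should be its own commit with a note on whether the host was reinstalled and how the ESP was created. The hunk also drops `systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6Prefix}::1/64"` with no replacement, so the host appears to lose its static IPv6 address unless it is configured elsewhere that I cannot see. A comment such as `# NOTE: layout migrated to GPT+ESP; host was reinstalled, do not re-run disko on a live system` above `disko.devices.disk.sda` would make the operational risk explicit.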
@@ -188,8 +185,9 @@ in { sj-bm-hostkey0.dev.${fqdn2domain}. A 185.130.224.33 - turn.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.coturn-listening-ip} + turn.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.holochain-turn-server.address} signal.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.tx5-signal-server.address} + bootstrap.${fqdn2domain}. A ${self.nixosConfigurations.turn-infra-holochain-org.config.services.kitsune-bootstrap.address} ''; }; @@ -326,7 +324,7 @@ in { services.nomad = { enable = true; - package = self.packages.${pkgs.system}.nomad; + package = pkgs.nomad_1_6; enableDocker = false; dropPrivileges = false; diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index b9bce66b..1eedbf8f 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix @@ -6,12 +6,17 @@ pkgs, ... }: let - turnIpv4 = "37.27.24.128"; ipv6Prefix = "2a01:4f9:c012:b61f"; ipv6PrefixLength = "64"; + turnIpv4 = "37.27.24.128"; + turnFqdn = "turn.infra.holochain.org"; + signalIpv4 = "95.217.30.224"; - signalIpv4Prefix = 32; + signalFqdn = "signal.infra.holochain.org"; + + bootstrapIpv4 = "95.216.179.59"; + bootstrapFqdn = "bootstrap.infra.holochain.org"; in { imports = [ inputs.disko.nixosModules.disko @@ -27,6 +32,7 @@ in { self.nixosModules.holochain-turn-server self.nixosModules.tx5-signal-server + self.nixosModules.kitsune-bootstrap ]; networking.hostName = "turn-infra-holochain-org"; # Define your hostname. 
@@ -47,12 +53,13 @@ in { boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelPackages = pkgs.linuxPackages; # FIXME: is there a better way to do this? environment.etc."systemd/network/10-cloud-init-eth0.network.d/00-floating-ips.conf".text = '' [Network] - Address = ${signalIpv4}/${builtins.toString signalIpv4Prefix} + Address = ${signalIpv4}/32 + Address = ${bootstrapIpv4}/32 ''; disko.devices.disk.sda = { @@ -95,10 +102,14 @@ in { services.holochain-turn-server = { enable = true; - url = "turn.infra.holochain.org"; + url = turnFqdn; address = turnIpv4; username = "test"; credential = "test"; + extraCoturnAttrs = { + cli-ip = "127.0.0.1"; + cli-password = "$5$4c2b9a49c5e013ae$14f901c5f36d4c8d5cf0c7383ecb0f26b052134293152bd1191412641a20ddf5"; + }; }; services.tx5-signal-server = { @@ -106,7 +117,7 @@ in { address = signalIpv4; port = 8443; tls-port = 443; - url = "signal.infra.holochain.org"; + url = signalFqdn; iceServers = [ { urls = [ @@ -128,4 +139,12 @@ in { } ]; }; + + services.kitsune-bootstrap = { + enable = true; + address = bootstrapIpv4; + port = 8444; + tls-port = 443; + url = bootstrapFqdn; + }; } diff --git a/modules/nixos/kitsune-bootstrap.nix b/modules/nixos/kitsune-bootstrap.nix index 084fd7dc..3d74c305 100644 --- a/modules/nixos/kitsune-bootstrap.nix +++ b/modules/nixos/kitsune-bootstrap.nix @@ -87,7 +87,7 @@ in { }; # staging server has higher retry limits - certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; } diff --git a/modules/nixos/shared.nix b/modules/nixos/shared.nix index dc7437bf..dd133bc1 100644 --- a/modules/nixos/shared.nix +++ b/modules/nixos/shared.nix 
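Review bot: In `@@ -95,10 +102,14 @@` the coturn `cli-password` hash is committed in clear to the repository and, since `services.coturn` options are rendered into the generated config, most likely also lands in the world-readable Nix store; `cli-ip = "127.0.0.1"` keeps the CLI loopback-only, which limits the exposure, but the hash is still available for offline cracking to anyone with repo or host access. The same block keeps `username = "test"; credential = "test"` as the long-term TURN credentials, which on a public relay is effectively an open relay; that is context rather than new code here, but the new CLI setting is the point at which both should move to sops-managed secrets read at runtime. If the coturn NixOS module in 23.11 has no file-based variant for these values, at least annotate the line, e.g. `# NOTE: hash is public; CLI is bound to loopback only — rotate if the hash ever leaks with host access`.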
@@ -18,7 +18,7 @@ in { # ] ; - nix.package = lib.mkDefault pkgs.nixVersions.nix_2_17; + nix.package = lib.mkDefault pkgs.nixVersions.nix_2_18; nix.settings.extra-platforms = lib.mkIf pkgs.stdenv.isDarwin ["x86_64-darwin" "aarch64-darwin"]; diff --git a/modules/nixos/tx5-signal-server.nix b/modules/nixos/tx5-signal-server.nix index 0e8b3636..043b2252 100644 --- a/modules/nixos/tx5-signal-server.nix +++ b/modules/nixos/tx5-signal-server.nix @@ -109,11 +109,11 @@ in { security.acme = { acceptTerms = true; defaults = { - # staging server has higher retry limits - # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - email = "acme@holo.host"; }; + + # staging server has higher retry limits + # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; } From 6c489adcf0a214cf8ed1bef8012b9d9beb7f19ed Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 18 Mar 2024 21:47:44 +0000 Subject: [PATCH 22/31] feat: initial github pr checks --- .github/workflows/pr.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/pr.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 00000000..07a08ee5 --- /dev/null +++ b/.github/workflows/pr.yml @@ -0,0 +1,19 @@ +on: + pull_request: + push: + branches: [develop] + +jobs: + lints: + name: Build + runs-on: ubuntu-22.04 + permissions: + id-token: "write" + contents: "read" + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: DeterminateSystems/flake-checker-action@main + # - name: Run `nix build` + # run: nix build . From c90b58e97ed8c2473f273d6ec3091da2921f5175 Mon Sep 17 00:00:00 2001 
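Review bot: The four actions in the new `steps` are referenced by mutable refs (`@main` for the three DeterminateSystems actions, `@v4` for checkout), so the job's supply chain changes whenever those refs move, and with `id-token: "write"` granted to the job a compromised action could mint an OIDC token on behalf of this repository. Pin each action to a commit SHA and keep the version in a trailing comment, e.g. `- uses: DeterminateSystems/nix-installer-action@<commit-sha> # <version>`. It is also worth confirming that `id-token: write` is actually needed by the cache action while the `nix build` step remains commented out; if not, drop it to `contents: read` only.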
From: Stefan Junker Date: Mon, 18 Mar 2024 21:58:02 +0000 Subject: [PATCH 23/31] fix(flake/nixpkgs): change branch release-23.11 -> nixos-23.11 --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index cc1a818b..e8435c2f 100644 --- a/flake.lock +++ b/flake.lock @@ -761,16 +761,16 @@ }, "nixpkgs-23-11": { "locked": { - "lastModified": 1710748499, - "narHash": "sha256-uDgiy47Rj02WG0fGidqrmBKg5oYRPi5StDbd5cMZVw4=", + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5145d90b09038a58ca2a9db773e8a5e09372816a", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", "type": "github" }, "original": { "owner": "nixos", - "ref": "release-23.11", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 2c633043..5be8bc67 100644 --- a/flake.nix +++ b/flake.nix @@ -3,10 +3,10 @@ inputs = { nixpkgs.follows = "nixpkgs-23-11"; + nixpkgs-23-11 = {url = "github:nixos/nixpkgs/nixos-23.11";}; nixpkgsGithubActionRunners = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsUnstable = {url = "github:nixos/nixpkgs/nixos-unstable";}; nixpkgsMaster = {url = "github:nixos/nixpkgs/master";}; - nixpkgs-23-11 = {url = "github:nixos/nixpkgs/release-23.11";}; disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; From f7d28cea069f9e83d633907db0bc353805e8feb1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 20 Mar 2024 15:48:39 +0100 Subject: [PATCH 24/31] chore: run deadnix --- modules/flake-parts/holochain-turn-server.nix | 11 ++--------- .../configuration.nix | 1 - .../configuration.nix | 3 --- .../default.nix | 1 - modules/flake-parts/packages.holochain-tx5.nix | 5 ----- 5 files changed, 2 insertions(+), 19 deletions(-) 
diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index a55e1859..c8032c93 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix @@ -2,15 +2,10 @@ # System independent arguments. self, lib, - inputs, ... }: { perSystem = { # Arguments specific to the `perSystem` context. - config, - self', - inputs', - pkgs, ... }: { # system specific outputs like, apps, checks, packages @@ -21,9 +16,9 @@ # system independent outputs like nixosModules, nixosConfigurations, etc. # nixosConfigurations.example-host = ... - overlays.coturn = final: previous: { + overlays.coturn = _final: previous: { coturn = previous.coturn.overrideAttrs ( - super: { + _super: { # coturn for NixOS needs to be built without libev_ok, otherwise acme-redirect won't work LIBEV_OK = "0"; meta.platforms = lib.platforms.linux; @@ -33,9 +28,7 @@ nixosModules.holochain-turn-server = { config, - pkgs, lib, - system, ... }: let cfg = config.services.holochain-turn-server; diff --git a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix index f099b49d..1064e71f 100644 --- a/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.dweb-reverse-tls-proxy/configuration.nix @@ -7,7 +7,6 @@ ... }: let ipv4 = "5.78.43.185"; - ipv6Prefix = "2a01:4ff:1f0:872a"; fqdn2domain = "infra.holochain.org"; in { imports = [ diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index 1eedbf8f..0074d82c 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix 
@@ -1,13 +1,10 @@ { config, - lib, inputs, self, pkgs, ... }: let - ipv6Prefix = "2a01:4f9:c012:b61f"; - ipv6PrefixLength = "64"; turnIpv4 = "37.27.24.128"; turnFqdn = "turn.infra.holochain.org"; diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix index 979f2ff4..b2243723 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/default.nix @@ -1,5 +1,4 @@ { - config, self, lib, inputs, diff --git a/modules/flake-parts/packages.holochain-tx5.nix b/modules/flake-parts/packages.holochain-tx5.nix index 33a203c4..16c99dcd 100644 --- a/modules/flake-parts/packages.holochain-tx5.nix +++ b/modules/flake-parts/packages.holochain-tx5.nix @@ -1,18 +1,13 @@ { # System independent arguments. - self, lib, inputs, - inputs', ... }: { perSystem = { # Arguments specific to the `perSystem` context. - config, self', - inputs', pkgs, - system, ... }: { # system specific outputs like, apps, checks, packages From d29bc231f4a81ae198b81723eac3b1f9a4dd78cc Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 20 Mar 2024 20:35:25 +0000 Subject: [PATCH 25/31] feat(holochain-turn-server): document remaining options --- modules/flake-parts/holochain-turn-server.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index c8032c93..5795038f 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix 
@@ -36,28 +36,34 @@ options.services.holochain-turn-server = { enable = lib.mkEnableOption "holochain turn server"; url = lib.mkOption { + description = "publicly visible url for the turn server"; type = lib.types.str; }; turn-cert-dir = lib.mkOption { + description = "directory where fullchain.pem and key.pem are expected to exist"; type = lib.types.str; default = config.security.acme.certs.${cfg.url}.directory; }; address = lib.mkOption { + description = "address coturn should listen on"; type = lib.types.str; }; nginx-http-port = lib.mkOption { + description = "port for nginx to listen on for answering ACME challenges"; type = lib.types.int; # skipping 81 because it's the default coturn alternative http port default = 82; }; coturn-min-port = lib.mkOption { + description = "lower port for coturn's range"; type = lib.types.int; default = 20000; }; coturn-max-port = lib.mkOption { + description = "upper port for coturn's range"; type = lib.types.int; default = 65535; # which is default but here listing explicitly }; @@ -65,16 +71,19 @@ verbose = lib.mkEnableOption "verbose logging"; acme-redirect = lib.mkOption { + description = "value passed to acme-redirect configuration option"; type = lib.types.str; default = "http://acme-${cfg.url}/.well-known/acme-challenge/"; }; username = lib.mkOption { + description = "user for establishing turn connections to coturn"; type = lib.types.str; default = "test"; }; credential = lib.mkOption { + description = "credential for establishing turn connections to coturn"; type = lib.types.str; default = "test"; }; From bdb43291479a40bff73f1a6128d603ab0b8b9318 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 20 Mar 2024 20:36:59 +0000 Subject: [PATCH 26/31] holochain-turn-server: remove perSystem attr --- modules/flake-parts/holochain-turn-server.nix | 8 -------- 1 file changed, 8 deletions(-) 
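Review bot: The new descriptions for `username` and `credential` in the `@@ -65,16 +71,19 @@` hunk read as if the defaults were usable, while the unchanged `default = "test"` on both means any deployment that forgets to override them runs a relay with publicly known credentials. Say so where the option is documented, e.g. `description = "credential for establishing turn connections to coturn; the default is a placeholder and must be overridden for any reachable deployment";`, and the same for `username`. The `options.services.holochain-turn-server` set continues outside both hunks.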
diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index 5795038f..763d9259 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix @@ -4,14 +4,6 @@ lib, ... }: { - perSystem = { - # Arguments specific to the `perSystem` context. - ... - }: { - # system specific outputs like, apps, checks, packages - - # packages = ... - }; flake = { # system independent outputs like nixosModules, nixosConfigurations, etc. From 536829946919aa697bff3478b30bd16314a31fdf Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 20 Mar 2024 20:42:45 +0000 Subject: [PATCH 27/31] chore(modules): add comment on ACME staging server to explain when it's useful --- modules/flake-parts/holochain-turn-server.nix | 2 +- modules/nixos/kitsune-bootstrap.nix | 2 +- modules/nixos/tx5-signal-server.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index 763d9259..4f8d9467 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix @@ -176,7 +176,7 @@ # see https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/security/acme/default.nix#L322 certs."${cfg.url}".reloadServices = ["coturn"]; - # staging server has higher retry limits + # staging server has higher retry limits. uncomment the following when debugging ACME challenges. # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; diff --git a/modules/nixos/kitsune-bootstrap.nix b/modules/nixos/kitsune-bootstrap.nix index 3d74c305..b4fc9cf7 100644 --- a/modules/nixos/kitsune-bootstrap.nix +++ b/modules/nixos/kitsune-bootstrap.nix 
@@ -86,7 +86,7 @@ in { email = "acme@holo.host"; }; - # staging server has higher retry limits + # staging server has higher retry limits. uncomment the following when debugging ACME challenges. # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; diff --git a/modules/nixos/tx5-signal-server.nix b/modules/nixos/tx5-signal-server.nix index 043b2252..b098d3fd 100644 --- a/modules/nixos/tx5-signal-server.nix +++ b/modules/nixos/tx5-signal-server.nix @@ -112,7 +112,7 @@ in { email = "acme@holo.host"; }; - # staging server has higher retry limits + # staging server has higher retry limits. uncomment the following when debugging ACME challenges. # certs."${cfg.url}".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; From 965cb0003a77f6222c60c3e23bc88ac84ed1b8a3 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 20 Mar 2024 20:48:54 +0000 Subject: [PATCH 28/31] fix(modules/kitsune-bootstrap): don't proxy websockets in nginx --- modules/nixos/kitsune-bootstrap.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/nixos/kitsune-bootstrap.nix b/modules/nixos/kitsune-bootstrap.nix index b4fc9cf7..9b06429c 100644 --- a/modules/nixos/kitsune-bootstrap.nix +++ b/modules/nixos/kitsune-bootstrap.nix @@ -75,7 +75,6 @@ in { locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; - proxyWebsockets = true; }; }; }; From 3a751f2af356dfc80bfddd7f76748285f50a0206 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 20 Mar 2024 22:08:04 +0100 Subject: [PATCH 29/31] fix: revert deadnix on apps.ssh-/default.nix --- modules/flake-parts/apps.ssh-/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/flake-parts/apps.ssh-/default.nix b/modules/flake-parts/apps.ssh-/default.nix index 2e78c66d..38bc7d8f 100644 --- a/modules/flake-parts/apps.ssh-/default.nix +++ b/modules/flake-parts/apps.ssh-/default.nix 
@@ -6,6 +6,7 @@ }: { perSystem = {pkgs, ...}: let mkSsh = { + attrName, hostName, deployUser, }: From 1cb54dcce29c51fced01d6e4e5d4bff651585e49 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 21 Mar 2024 11:02:36 +0000 Subject: [PATCH 30/31] feat(packages/tx5-signal-srv): only compile single binary --- modules/flake-parts/packages.holochain-tx5.nix | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/modules/flake-parts/packages.holochain-tx5.nix b/modules/flake-parts/packages.holochain-tx5.nix index 16c99dcd..1f04146c 100644 --- a/modules/flake-parts/packages.holochain-tx5.nix +++ b/modules/flake-parts/packages.holochain-tx5.nix @@ -16,8 +16,8 @@ system = pkgs.system; craneLib = inputs.crane.lib.${system}; cranePkgs = inputs.crane.inputs.nixpkgs.legacyPackages.${system}; - in { - tx5 = craneLib.buildPackage { + + tx5Args = { pname = "tx5"; src = inputs.tx5; version = inputs.tx5.rev; @@ -30,11 +30,15 @@ doCheck = false; }; + tx5Deps = lib.makeOverridable craneLib.buildDepsOnly tx5Args; + in { + tx5 = lib.makeOverridable craneLib.buildPackage (tx5Args // { + cargoArtifacts = tx5Deps; + }); - tx5-signal-srv = pkgs.runCommandNoCC "tx5-signal-srv" {} '' - mkdir -p $out/bin - cp ${self'.packages.tx5}/bin/tx5-signal-srv $out/bin/ - ''; + tx5-signal-srv = self'.packages.tx5.override { + cargoExtraArgs = "--bin tx5-signal-srv"; + }; }; }; flake = { From fdfd132eb701e03538f9bbb52e3aa1993907dd10 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 21 Mar 2024 13:24:14 +0000 Subject: [PATCH 31/31] fix(coturn): use patched coturn for now to enable cli login --- flake.lock | 18 ++++++++++++++++++ flake.nix | 5 +++++ modules/flake-parts/holochain-turn-server.nix | 1 + .../configuration.nix | 1 + 4 files changed, 25 insertions(+) diff --git a/flake.lock b/flake.lock index e8435c2f..510d52a7 100644 --- a/flake.lock +++ b/flake.lock 
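Review bot: In the `@@ -30,11 +30,15 @@` hunk of packages.holochain-tx5.nix, `tx5-signal-srv = self'.packages.tx5.override { cargoExtraArgs = "--bin tx5-signal-srv"; }` narrows only the final `buildPackage` call; `cargoArtifacts = tx5Deps` is still the full-workspace dependency build, which appears intended for cache reuse but is not obvious from the override. A one-line comment would save the next reader the trace, e.g. `# reuses the workspace-wide dependency artifacts; only the final crate build is restricted to the single binary`. The `perSystem` attribute set continues outside the hunk.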
@@ -56,6 +56,23 @@ "type": "github" } }, + "coturn": { + "flake": false, + "locked": { + "lastModified": 1711026554, + "narHash": "sha256-fvxj4G7GmkyuS67QiFcEX8+UlxvjtyfAbilfE9cin5Q=", + "owner": "steveej-forks", + "repo": "coturn", + "rev": "fed3efd2c4447e5e5966eed5cc32a43d768172ad", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "debug-cli-login", + "repo": "coturn", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ @@ -999,6 +1016,7 @@ "root": { "inputs": { "cachix_for_watch_store": "cachix_for_watch_store", + "coturn": "coturn", "crane": "crane", "darwin": "darwin", "disko": "disko", diff --git a/flake.nix b/flake.nix index 5be8bc67..70799c88 100644 --- a/flake.nix +++ b/flake.nix @@ -88,6 +88,11 @@ url = "github:holochain/holochain"; inputs.versions.follows = "holochain-versions"; }; + + coturn = { + flake = false; + url = "github:steveej-forks/coturn/debug-cli-login"; + }; }; outputs = inputs @ { diff --git a/modules/flake-parts/holochain-turn-server.nix b/modules/flake-parts/holochain-turn-server.nix index 4f8d9467..a31da6bb 100644 --- a/modules/flake-parts/holochain-turn-server.nix +++ b/modules/flake-parts/holochain-turn-server.nix @@ -11,6 +11,7 @@ overlays.coturn = _final: previous: { coturn = previous.coturn.overrideAttrs ( _super: { + src = self.inputs.coturn; # coturn for NixOS needs to be built without libev_ok, otherwise acme-redirect won't work LIBEV_OK = "0"; meta.platforms = lib.platforms.linux; diff --git a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix index 0074d82c..5c184948 100644 --- a/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix +++ b/modules/flake-parts/nixosConfigurations.turn-infra-holochain-org/configuration.nix 
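Review bot: The new `coturn` input in flake.nix points at a personal fork's `debug-cli-login` branch, so although flake.lock pins it by narHash today, the next `nix flake update` will silently move a network-facing daemon's source to whatever that branch holds then. Record the reason and exit condition next to the input, e.g. `# temporary: fork carrying the cli-login fix; drop once it lands upstream (see <upstream issue/PR>)`, and consider referencing the exact commit in the URL instead of the branch name so the fork cannot drift without an explicit change here. The same applies to the `src = self.inputs.coturn;` override in holochain-turn-server.nix, which leaves nixpkgs' `version` on a derivation that now builds the fork; pairing it with `version = "${previous.coturn.version}-${self.inputs.coturn.shortRev}";` keeps the forked build distinguishable in store paths and version-based scanning. The `overrideAttrs` body in that hunk continues outside it.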
@@ -103,6 +103,7 @@ in {
 address = turnIpv4;
 username = "test";
 credential = "test";
+ verbose = false;
 extraCoturnAttrs = {
 cli-ip = "127.0.0.1";
 cli-password = "$5$4c2b9a49c5e013ae$14f901c5f36d4c8d5cf0c7383ecb0f26b052134293152bd1191412641a20ddf5";
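Review bot: `verbose = false;` restates the default of the option declared as `verbose = lib.mkEnableOption "verbose logging";`, so the line changes nothing and reads like an accidental leftover. Either drop it or make the intent visible, e.g. `verbose = false; # keep coturn logging quiet on this host; enable only while debugging allocations`. The enclosing `services.holochain-turn-server` set starts outside the hunk.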