nixfiles/nixos/boxes/colony/vms/shill/containers/object.nix

{ lib, ... }:
let
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.colony) domain prefixes;
in
{
  nixos.systems.object = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;

    assignments = {
      internal = {
        name = "object-ctr";
        inherit domain;
        ipv4.address = net.cidr.host 7 prefixes.ctrs.v4;
        ipv6 = {
          iid = "::7";
          address = net.cidr.host 7 prefixes.ctrs.v6;
        };
      };
    };

    configuration = { lib, pkgs, config, assignments, ... }:
    let
      inherit (lib) mkMerge mkIf mkForce;
      inherit (config.my.user.homeConfig.lib.file) mkOutOfStoreSymlink;
      inherit (lib.my) networkdAssignment systemdAwaitPostgres;
    in
    {
      config = mkMerge [
        {
          fileSystems = {
            "/var/lib/harmonia" = {
              device = "/mnt/nix-cache";
              options = [ "bind" ];
            };
          };

          my = {
            deploy.enable = false;
            server.enable = true;

            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8";
              files = {
                "object/minio.env" = {};
                "object/sharry.conf" = {
                  owner = "sharry";
                  group = "sharry";
                };
                "object/minio-client-config.json" = {
                  owner = config.my.user.config.name;
                  group = config.my.user.config.group;
                };
                "object/atticd.env" = {};
                "nix-cache.key" = {};
                "object/hedgedoc.env" = {};
                "object/wastebin.env" = {};
              };
            };

            firewall = {
              tcp.allowed = [
                9000 9001
                config.services.sharry.config.bind.port
                8069
                5000
                config.services.hedgedoc.settings.port
                8088
              ];
            };

            user.homeConfig = {
              home.file.".mc/config.json".source = mkOutOfStoreSymlink config.age.secrets."object/minio-client-config.json".path;
            };
          };

          users = with lib.my.c.ids; mkMerge [
            (let inherit (config.services.atticd) user group; in {
              users."${user}" = {
                isSystemUser = true;
                uid = uids.atticd;
                group = group;
              };
              groups."${user}".gid = gids.atticd;
            })
            {
              users = {
                harmonia = {
                  shell = pkgs.bashInteractive;
                  openssh.authorizedKeys.keyFiles = [
                    lib.my.c.sshKeyFiles.harmonia
                  ];
                };
              };
            }
          ];

          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;

            services =
            let
              awaitPostgres = systemdAwaitPostgres pkgs.postgresql "colony-psql";
            in
            {
              minio = {
                environment = {
                  MINIO_ROOT_USER = "minioadmin";
                  MINIO_DOMAIN = "s3.nul.ie";
                  MINIO_SERVER_URL = "https://s3.nul.ie";
                  MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
                };
              };

              sharry = awaitPostgres;

              atticd = mkMerge [
                awaitPostgres
                {
                  serviceConfig = {
                    # Needs to be able to access its data
                    DynamicUser = mkForce false;
                    BindPaths = [ "/mnt/atticd:/var/lib/atticd/storage" ];
                  };
                }
              ];
              harmonia = {
                environment.NIX_REMOTE = "/var/lib/harmonia";
                preStart = ''
                  ${config.nix.package}/bin/nix store ping
                '';
                serviceConfig = {
                  StateDirectory = "harmonia";
                };
              };
            };
          };

          environment = {
            systemPackages = with pkgs; [
              minio-client
            ];
          };

          services = {
            minio = {
              enable = true;
              region = "eu-central-1";
              browser = true;
              rootCredentialsFile = config.age.secrets."object/minio.env".path;
              dataDir = [ "/mnt/minio" ];
            };

            sharry = {
              enable = true;
              configOverridesFile = config.age.secrets."object/sharry.conf".path;

              config = {
                base-url = "https://share.${lib.my.c.pubDomain}";
                bind.address = "::";
                alias-member-enabled = true;
                webapp = {
                  chunk-size = "64M";
                };
                backend = {
                  auth = {
                    fixed = {
                      enabled = true;
                      user = "dev";
                    };
                    internal = {
                      enabled = true;
                      order = 50;
                    };
                  };
                  jdbc = {
                    url = "jdbc:postgresql://colony-psql:5432/sharry";
                    user = "sharry";
                  };
                  files = {
                    default-store = "minio";
                    stores = {
                      database.enabled = false;
                      minio = {
                        enabled = true;
                        type = "s3";
                        endpoint = "https://s3.nul.ie";
                        access-key = "share";
                        bucket = "share";
                      };
                    };
                  };
                  compute-checksum.parallel = 4;
                  signup.mode = "invite";
                  share = {
                    max-size = "128G";
                    max-validity = "3650 days";
                  };
                  mail = {
                    enabled = true;
                    smtp = {
                      host = "mail.nul.ie";
                      port = 587;
                      user = "sharry@nul.ie";
                      ssl-type = "starttls";
                      default-from = "Sharry <sharry@nul.ie>";
                      timeout = "30 seconds";
                    };
                  };
                };
              };
            };

            atticd = {
              enable = false;
              credentialsFile = config.age.secrets."object/atticd.env".path;
              settings = {
                listen = "[::]:8069";
                allowed-hosts = [ "nix-cache.${pubDomain}" ];
                api-endpoint = "https://nix-cache.${pubDomain}/";
                database = mkForce {}; # blank to pull from env
                storage = {
                  type = "local";
                  path = "/var/lib/atticd/storage";
                };
                chunking = {
                  nar-size-threshold = 65536;
                  min-size = 16384;
                  avg-size = 65536;
                  max-size = 262144;
                };
              };
            };

            harmonia = {
              enable = true;
              signKeyPath = config.age.secrets."nix-cache.key".path;
              settings = {
                priority = 30;
              };
            };

            hedgedoc = {
              enable = true;
              environmentFile = config.age.secrets."object/hedgedoc.env".path;
              settings = {
                domain = "md.${pubDomain}";
                protocolUseSSL = true;
                db = {
                  dialect = "postgresql";
                  username = "hedgedoc";
                  database = "hedgedoc";
                  host = "colony-psql";
                };
                host = "::";
                allowAnonymous = false;
                allowAnonymousEdits = true;
                email = true;
                allowEmailRegister = false;
              };
            };

            wastebin = {
              enable = true;
              settings = {
                WASTEBIN_MAX_BODY_SIZE = 67108864; # 16 MiB
                WASTEBIN_PASSWORD_SALT = "TeGhaemeer0Siez3";
              };
              secretFile = config.age.secrets."object/wastebin.env".path;
            };
          };
        }
        (mkIf config.my.build.isDevVM {
          virtualisation = {
            forwardPorts = [
              { from = "host"; host.port = 9000; guest.port = 9000; }
              { from = "host"; host.port = 9001; guest.port = 9001; }
              { from = "host"; guest.port = config.services.sharry.config.bind.port; }
            ];
          };
        })
      ];
    };
  };
}
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`{ lib, ... }:`
			`let`
			`inherit (lib.my) net;`
nixos/object: Initial working atticd cache 2023-11-17 15:05:12 +00:00			`inherit (lib.my.c) pubDomain;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`inherit (lib.my.c.colony) domain prefixes;`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`in`
			`{`
Update nixosConfigurations to reference a preferred default config 2023-11-16 21:42:30 +00:00			`nixos.systems.object = { config, ... }: {`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`system = "x86_64-linux";`
			`nixpkgs = "mine";`
Update nixosConfigurations to reference a preferred default config 2023-11-16 21:42:30 +00:00			`rendered = config.configuration.config.my.asContainer;`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00
			`assignments = {`
			`internal = {`
			`name = "object-ctr";`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`inherit domain;`
			`ipv4.address = net.cidr.host 7 prefixes.ctrs.v4;`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`ipv6 = {`
			`iid = "::7";`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`address = net.cidr.host 7 prefixes.ctrs.v6;`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`
			`};`
			`};`

Upgrade NixOS stable to 22.11 and upgrade packages 2023-01-08 17:32:10 +00:00			`configuration = { lib, pkgs, config, assignments, ... }:`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`let`
nixos/object: Initial working atticd cache 2023-11-17 15:05:12 +00:00			`inherit (lib) mkMerge mkIf mkForce;`
nixos/object: Migrate to SNSD deployment 2023-02-19 16:49:07 +00:00			`inherit (config.my.user.homeConfig.lib.file) mkOutOfStoreSymlink;`
nixos/{object,toot}: Ensure postgres is accessible on service start 2023-02-19 17:39:15 +00:00			`inherit (lib.my) networkdAssignment systemdAwaitPostgres;`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`in`
			`{`
			`config = mkMerge [`
			`{`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`fileSystems = {`
			`"/var/lib/harmonia" = {`
nixos/shill: Rename atticd mount to harmonia 2024-07-20 21:08:44 +01:00			`device = "/mnt/nix-cache";`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`options = [ "bind" ];`
			`};`
			`};`

nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`my = {`
			`deploy.enable = false;`
			`server.enable = true;`

			`secrets = {`
			`key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8";`
nixos: Add Sharry file sharing service 2022-11-20 18:41:49 +00:00			`files = {`
			`"object/minio.env" = {};`
			`"object/sharry.conf" = {`
			`owner = "sharry";`
			`group = "sharry";`
			`};`
nixos/object: Migrate to SNSD deployment 2023-02-19 16:49:07 +00:00			`"object/minio-client-config.json" = {`
			`owner = config.my.user.config.name;`
			`group = config.my.user.config.group;`
			`};`
nixos/object: Initial working atticd cache 2023-11-17 15:05:12 +00:00			`"object/atticd.env" = {};`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`"nix-cache.key" = {};`
nixos/object: Add HedgeDoc 2024-01-08 21:40:20 +00:00			`"object/hedgedoc.env" = {};`
Add wastebin 2024-01-10 15:21:40 +00:00			`"object/wastebin.env" = {};`
nixos: Add Sharry file sharing service 2022-11-20 18:41:49 +00:00			`};`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`

			`firewall = {`
nixos/object: Add HedgeDoc 2024-01-08 21:40:20 +00:00			`tcp.allowed = [`
			`9000 9001`
			`config.services.sharry.config.bind.port`
			`8069`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`5000`
nixos/object: Add HedgeDoc 2024-01-08 21:40:20 +00:00			`config.services.hedgedoc.settings.port`
Add wastebin 2024-01-10 15:21:40 +00:00			`8088`
nixos/object: Add HedgeDoc 2024-01-08 21:40:20 +00:00			`];`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`
nixos/object: Migrate to SNSD deployment 2023-02-19 16:49:07 +00:00
			`user.homeConfig = {`
			`home.file.".mc/config.json".source = mkOutOfStoreSymlink config.age.secrets."object/minio-client-config.json".path;`
			`};`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`

Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`users = with lib.my.c.ids; mkMerge [`
			`(let inherit (config.services.atticd) user group; in {`
			`users."${user}" = {`
			`isSystemUser = true;`
			`uid = uids.atticd;`
			`group = group;`
			`};`
			`groups."${user}".gid = gids.atticd;`
			`})`
			`{`
			`users = {`
			`harmonia = {`
			`shell = pkgs.bashInteractive;`
			`openssh.authorizedKeys.keyFiles = [`
			`lib.my.c.sshKeyFiles.harmonia`
			`];`
			`};`
			`};`
			`}`
			`];`
nixos/object: Use local storage instead of s3 2023-11-17 22:14:19 +00:00
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`systemd = {`
			`network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;`
nixos/object: Use local storage instead of s3 2023-11-17 22:14:19 +00:00
			`services =`
			`let`
			`awaitPostgres = systemdAwaitPostgres pkgs.postgresql "colony-psql";`
			`in`
			`{`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`minio = {`
			`environment = {`
			`MINIO_ROOT_USER = "minioadmin";`
			`MINIO_DOMAIN = "s3.nul.ie";`
			`MINIO_SERVER_URL = "https://s3.nul.ie";`
			`MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";`
			`};`
			`};`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00
nixos/object: Use local storage instead of s3 2023-11-17 22:14:19 +00:00			`sharry = awaitPostgres;`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00
nixos/object: Use local storage instead of s3 2023-11-17 22:14:19 +00:00			`atticd = mkMerge [`
			`awaitPostgres`
			`{`
			`serviceConfig = {`
			`# Needs to be able to access its data`
			`DynamicUser = mkForce false;`
			`BindPaths = [ "/mnt/atticd:/var/lib/atticd/storage" ];`
			`};`
			`}`
			`];`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`harmonia = {`
			`environment.NIX_REMOTE = "/var/lib/harmonia";`
			`preStart = ''`
			`${config.nix.package}/bin/nix store ping`
			`'';`
			`serviceConfig = {`
			`StateDirectory = "harmonia";`
			`};`
			`};`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`
			`};`

nixos/object: Migrate to SNSD deployment 2023-02-19 16:49:07 +00:00			`environment = {`
			`systemPackages = with pkgs; [`
			`minio-client`
			`];`
			`};`

nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`services = {`
			`minio = {`
			`enable = true;`
			`region = "eu-central-1";`
			`browser = true;`
nixos: Add Sharry file sharing service 2022-11-20 18:41:49 +00:00			`rootCredentialsFile = config.age.secrets."object/minio.env".path;`
nixos: Add Hercules CI and Nix cache 2022-07-16 21:01:18 +01:00			`dataDir = [ "/mnt/minio" ];`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`
nixos: Add Sharry file sharing service 2022-11-20 18:41:49 +00:00
			`sharry = {`
			`enable = true;`
			`configOverridesFile = config.age.secrets."object/sharry.conf".path;`

			`config = {`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`base-url = "https://share.${lib.my.c.pubDomain}";`
Update all inputs 2023-04-15 21:17:27 +01:00			`bind.address = "::";`
nixos: Add Sharry file sharing service 2022-11-20 18:41:49 +00:00			`alias-member-enabled = true;`
			`webapp = {`
			`chunk-size = "64M";`
			`};`
			`backend = {`
			`auth = {`
			`fixed = {`
			`enabled = true;`
			`user = "dev";`
			`};`
			`internal = {`
			`enabled = true;`
			`order = 50;`
			`};`
			`};`
			`jdbc = {`
			`url = "jdbc:postgresql://colony-psql:5432/sharry";`
			`user = "sharry";`
			`};`
			`files = {`
			`default-store = "minio";`
			`stores = {`
			`database.enabled = false;`
			`minio = {`
			`enabled = true;`
			`type = "s3";`
			`endpoint = "https://s3.nul.ie";`
			`access-key = "share";`
			`bucket = "share";`
			`};`
			`};`
			`};`
			`compute-checksum.parallel = 4;`
			`signup.mode = "invite";`
			`share = {`
			`max-size = "128G";`
			`max-validity = "3650 days";`
			`};`
			`mail = {`
			`enabled = true;`
			`smtp = {`
			`host = "mail.nul.ie";`
			`port = 587;`
			`user = "sharry@nul.ie";`
			`ssl-type = "starttls";`
			`default-from = "Sharry <sharry@nul.ie>";`
			`timeout = "30 seconds";`
			`};`
			`};`
			`};`
			`};`
			`};`
nixos/object: Initial working atticd cache 2023-11-17 15:05:12 +00:00
			`atticd = {`
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`enable = false;`
nixos/object: Initial working atticd cache 2023-11-17 15:05:12 +00:00			`credentialsFile = config.age.secrets."object/atticd.env".path;`
			`settings = {`
			`listen = "[::]:8069";`
			`allowed-hosts = [ "nix-cache.${pubDomain}" ];`
			`api-endpoint = "https://nix-cache.${pubDomain}/";`
			`database = mkForce {}; # blank to pull from env`
			`storage = {`
nixos/object: Use local storage instead of s3 2023-11-17 22:14:19 +00:00			`type = "local";`
			`path = "/var/lib/atticd/storage";`
nixos/object: Initial working atticd cache 2023-11-17 15:05:12 +00:00			`};`
			`chunking = {`
			`nar-size-threshold = 65536;`
			`min-size = 16384;`
			`avg-size = 65536;`
			`max-size = 262144;`
			`};`
			`};`
			`};`
nixos/object: Add HedgeDoc 2024-01-08 21:40:20 +00:00
Use harmonia instead of attic for binary cache 2024-07-20 16:46:10 +01:00			`harmonia = {`
			`enable = true;`
			`signKeyPath = config.age.secrets."nix-cache.key".path;`
			`settings = {`
			`priority = 30;`
			`};`
			`};`

nixos/object: Add HedgeDoc 2024-01-08 21:40:20 +00:00			`hedgedoc = {`
			`enable = true;`
			`environmentFile = config.age.secrets."object/hedgedoc.env".path;`
			`settings = {`
			`domain = "md.${pubDomain}";`
			`protocolUseSSL = true;`
			`db = {`
			`dialect = "postgresql";`
			`username = "hedgedoc";`
			`database = "hedgedoc";`
			`host = "colony-psql";`
			`};`
			`host = "::";`
			`allowAnonymous = false;`
			`allowAnonymousEdits = true;`
			`email = true;`
			`allowEmailRegister = false;`
			`};`
			`};`
Add wastebin 2024-01-10 15:21:40 +00:00
			`wastebin = {`
			`enable = true;`
			`settings = {`
Update nixpkgs and home-manager 2024-04-04 19:08:12 +01:00			`WASTEBIN_MAX_BODY_SIZE = 67108864; # 16 MiB`
Add wastebin 2024-01-10 15:21:40 +00:00			`WASTEBIN_PASSWORD_SALT = "TeGhaemeer0Siez3";`
			`};`
Update nixpkgs and home-manager 2024-04-04 19:08:12 +01:00			`secretFile = config.age.secrets."object/wastebin.env".path;`
Add wastebin 2024-01-10 15:21:40 +00:00			`};`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`};`
			`}`
			`(mkIf config.my.build.isDevVM {`
			`virtualisation = {`
			`forwardPorts = [`
			`{ from = "host"; host.port = 9000; guest.port = 9000; }`
			`{ from = "host"; host.port = 9001; guest.port = 9001; }`
nixos: Add Sharry file sharing service 2022-11-20 18:41:49 +00:00			`{ from = "host"; guest.port = config.services.sharry.config.bind.port; }`
nixos/shill: Add MinIO container 2022-07-16 15:01:15 +01:00			`];`
			`};`
			`})`
			`];`
			`};`
			`};`
			`}`