From 1148ea30b57a6bc0a312c4e3906446334c5cd0a1 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 17 Aug 2019 22:33:24 +0200
Subject: [PATCH 1/9] Keep around a GC root for deployments
---
deploy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy b/deploy
index 7c44e50..ab7c2c6 100755
--- a/deploy
+++ b/deploy
@@ -1 +1 @@
-SSH_USER=root morph deploy "$@" configuration/default.nix switch
+SSH_USER=root morph --keep-result deploy "$@" configuration/default.nix switch
From 935175a4062210d8035449e8de7826741bdd60a8 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 17 Aug 2019 22:33:30 +0200
Subject: [PATCH 2/9] Add a deploy-secrets script
---
deploy-secrets | 1 + 1 file changed, 1 insertion(+) create mode 100755 deploy-secrets
diff --git a/deploy-secrets b/deploy-secrets
new file mode 100755
index 0000000..fae1e91
--- /dev/null
+++ b/deploy-secrets
@@ -0,0 +1 @@
+SSH_USER=root morph --keep-result upload-secrets "$@" configuration/default.nix
From a662249fd965f84c6cbed78481d3d64a56d7dbbd Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 17 Aug 2019 22:33:51 +0200
Subject: [PATCH 3/9] Disable auto-detected Hyper-V support on borg2
---
configuration/hardware-configurations/machine-borg2-01.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configuration/hardware-configurations/machine-borg2-01.nix b/configuration/hardware-configurations/machine-borg2-01.nix
index 8c54e68..9e89f72 100644
--- a/configuration/hardware-configurations/machine-borg2-01.nix
+++ b/configuration/hardware-configurations/machine-borg2-01.nix
@@ -25,5 +25,5 @@
 ];
 nix.maxJobs = lib.mkDefault 1;
- virtualisation.hypervGuest.enable = true;
+# virtualisation.hypervGuest.enable = true;
 }
From 932264ef0ea75623f6d501a8b82b55d7b2e1c6b7 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 17 Aug 2019 22:34:04 +0200
Subject: [PATCH 4/9] Install mtr by default on all servers
---
configuration/presets/base.nix | 1 + 1 file changed, 1 insertion(+)
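Review bot: Neither `deploy` (this hunk) nor `deploy-secrets` (the next patch) has a shebang line — each file is a single command, as the `@@ -1 +1 @@` and `@@ -0,0 +1 @@` headers show — so which interpreter runs them depends on the caller's exec fallback rather than on the script itself; add `#!/usr/bin/env bash` (or `#!/bin/sh`) as line 1 of both. Both scripts also hard-code `SSH_USER=root`, so every deployment and secret upload is a direct root SSH session; that is only acceptable while sshd on the targets keeps key-only root login (`services.openssh.permitRootLogin = "prohibit-password"` in base.nix, whose `services.openssh` block is outside this patch), which is worth stating at the top of `deploy`, e.g. `# Runs as root over SSH; targets must keep PermitRootLogin prohibit-password.`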
diff --git a/configuration/presets/base.nix b/configuration/presets/base.nix
index e705805..ffe7f51 100644
--- a/configuration/presets/base.nix
+++ b/configuration/presets/base.nix
@@ -16,6 +16,7 @@
 iftop
 nload
 lsof
+ mtr
 ];
 services.openssh = {
From 6cec6c4a10c10982338773e4b4351d80266101a7 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 17 Aug 2019 22:34:33 +0200
Subject: [PATCH 5/9] Ignore deployment GC roots
---
.gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 3e18ebf..3f5aa4f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-private
+/private
+.gcroots
From 00dc1a33669e16578e793a878976cb77baab1e97 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 17 Aug 2019 22:34:43 +0200
Subject: [PATCH 6/9] Set up a Tinc VPN
---
configuration/data/nodes.nix | 12 ++++ .../tinc-keys/machine-borg2-01.cryto.net.pub | 1 + .../tinc-keys/machine-haless-03.cryto.net.pub | 1 + configuration/default.nix | 4 ++ configuration/lib/tinc-configuration.nix | 62 +++++++++++++++++++ notes/tinc-key-setup.txt | 5 ++ 6 files changed, 85 insertions(+) create mode 100644 configuration/data/nodes.nix create mode 100644 configuration/data/tinc-keys/machine-borg2-01.cryto.net.pub create mode 100644 configuration/data/tinc-keys/machine-haless-03.cryto.net.pub create mode 100644 configuration/lib/tinc-configuration.nix create mode 100644 notes/tinc-key-setup.txt
diff --git a/configuration/data/nodes.nix b/configuration/data/nodes.nix
new file mode 100644
index 0000000..fa5f877
--- /dev/null
+++ b/configuration/data/nodes.nix
@@ -0,0 +1,12 @@
+{
+ "machine-haless-03.cryto.net" = {
+ ipv4 = "31.7.187.145";
+ internalIpv4 = "10.217.0.5";
+ tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub;
+ };
+ "machine-borg2-01.cryto.net" = {
+ ipv4 = "205.185.121.93";
+ internalIpv4 = "10.217.0.6";
+ tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
+ };
+}
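Review bot: Adding `mtr` to the package list in this hunk yields a binary that only root can use, because mtr needs raw sockets; NixOS offers an unprivileged-usable mtr through `programs.mtr.enable`, which installs it behind a setuid-root wrapper. If these servers are only ever inspected as root, the plain package is the smaller privileged surface, but that choice deserves a comment next to the entry, e.g. `mtr # plain package, usable by root only; programs.mtr.enable would add a setuid wrapper`. The enclosing package list (presumably `environment.systemPackages`) starts before this hunk.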
diff --git a/configuration/data/tinc-keys/machine-borg2-01.cryto.net.pub b/configuration/data/tinc-keys/machine-borg2-01.cryto.net.pub
new file mode 100644
index 0000000..12d9f6a
--- /dev/null
+++ b/configuration/data/tinc-keys/machine-borg2-01.cryto.net.pub
@@ -0,0 +1 @@
+FZNH5Z50Tr/Ep0VpbnIBasUxekLteUphr5Vzi6ONrNH
diff --git a/configuration/data/tinc-keys/machine-haless-03.cryto.net.pub b/configuration/data/tinc-keys/machine-haless-03.cryto.net.pub
new file mode 100644
index 0000000..6bde251
--- /dev/null
+++ b/configuration/data/tinc-keys/machine-haless-03.cryto.net.pub
@@ -0,0 +1 @@
+P4MOft3fYOHYpG0I58lYxdZm40u9CXhTH0jvuyIbKZP
diff --git a/configuration/default.nix b/configuration/default.nix
index 7dd5903..297caee 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -24,6 +24,8 @@ let
 reverseProxy = (import ./presets/nginx/reverse-proxy.nix);
 letsEncrypt = (import ./presets/nginx/lets-encrypt.nix);
 };
+ nodes = (import ./data/nodes.nix);
+ tincConfiguration = (import ./lib/tinc-configuration.nix);
 in {
 network = {
 inherit pkgs;
@@ -37,6 +39,7 @@ in {
 presets.base
 presets.kvm
 ./hardware-configurations/machine-borg2-01.nix
+ (tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; })
 ];
 boot.loader.grub.device = lib.mkForce "/dev/vda";
@@ -77,6 +80,7 @@ in {
 presets.base
 presets.kvm
 ./hardware-configurations/machine-haless-03.nix
+ (tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; })
 ];
 deployment.healthChecks.http = let
diff --git a/configuration/lib/tinc-configuration.nix b/configuration/lib/tinc-configuration.nix
new file mode 100644
index 0000000..a513f01
--- /dev/null
+++ b/configuration/lib/tinc-configuration.nix
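Review bot: `nodes = nodes;` in the two `tincConfiguration { … }` calls added to default.nix is a redundant self-binding; Nix's `inherit` expresses it idiomatically, `(tincConfiguration { hostname = "machine-borg2-01.cryto.net"; inherit nodes; })` and likewise for machine-haless-03. The enclosing lists (presumably each machine's `imports`) start before their hunks.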
@@ -0,0 +1,62 @@
+/* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
+
+{ hostname, nodes, pingInterval ? 10 }:
+ { lib, ... }: let
+ /* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
+ generateConfiguration = options:
+ let
+ keys = builtins.attrNames options;
+ toPairs = map (key: {key = key; value = options.${key};});
+ createConfigEntries = map (item: "${item.key} = ${toString item.value}");
+ in
+ builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
+ in {
+ deployment.secrets = {
+ "tinc-key" = {
+ source = "../private/${hostname}/tinc-key.priv";
+ destination = "/etc/tinc/cryto/ed25519_key.priv";
+ owner = { user = "tinc.cryto"; };
+ action = [ "systemctl" "restart" "tinc.cryto.service" ];
+ };
+ };
+
+ services.tinc.networks.cryto = {
+ debugLevel = 3;
+
+ extraConfig = generateConfiguration {
+ AutoConnect = "yes";
+ PingInterval = pingInterval;
+ };
+
+ hosts = let
+ mapper = nodeName: nodeConfiguration:
+ lib.nameValuePair
+ /* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
+ ( builtins.replaceStrings [ "." 
"-" ] [ "_" "_" ] nodeName ) + ( generateConfiguration { + # Address = nodeName; + /* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */ + Address = nodeConfiguration.ipv4; + Subnet = "${nodeConfiguration.internalIpv4}/32"; + Ed25519PublicKey = nodeConfiguration.tincPublicKey; + } ); + in lib.mapAttrs' mapper nodes; + }; + + networking.interfaces."tinc.cryto".ipv4.addresses = [{ + address = nodes.${hostname}.internalIpv4; + prefixLength = 24; + }]; + + networking.firewall = { + allowedTCPPorts = [ + 655 + ]; + allowedUDPPorts = [ + 655 + ]; + trustedInterfaces = [ + "tinc.cryto" + ]; + }; + } diff --git a/notes/tinc-key-setup.txt b/notes/tinc-key-setup.txt new file mode 100644 index 0000000..f448a68 --- /dev/null +++ b/notes/tinc-key-setup.txt @@ -0,0 +1,5 @@ +# From the machine's `private` folder: +nix-shell --command 'tinc --batch --config ./ -n cryto generate-ed25519-keys' --packages tinc_pre + +# NOTE: Change the machine name! +mv ed25519_key.priv tinc-key.priv && sed -i -r 's/^Ed25519PublicKey = //' ed25519_key.pub && mv ed25519_key.pub ../../configuration/data/tinc-keys/machine-haless-03.cryto.net.pub From a2f7bbbb4101d36b36fcb5aaa33e1b6d92eb1562 Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Sat, 17 Aug 2019 22:50:22 +0200 Subject: [PATCH 7/9] Set up placeholder site for Modular Matrix --- configuration/default.nix | 4 ++++ .../sources/modular-matrix/index.html | 20 +++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 configuration/sources/modular-matrix/index.html diff --git a/configuration/default.nix b/configuration/default.nix index 297caee..1b14f4a 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -125,6 +125,10 @@ in { return 404; ''; }; + "modular-matrix.cryto.net" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + { root = ./sources/modular-matrix; } + ]; "haless.cryto.net" = lib.mkMerge [ (nginxPresets.letsEncrypt) { 
diff --git a/configuration/sources/modular-matrix/index.html b/configuration/sources/modular-matrix/index.html new file mode 100644 index 0000000..4f65773 --- /dev/null +++ b/configuration/sources/modular-matrix/index.html @@ -0,0 +1,20 @@ + + + + + + Modular Matrix + + +

Modular Matrix

+

+ Hi! This will eventually be the website for Modular Matrix, a project to build a modular JavaScript SDK for the Matrix protocol, as an alternative to the matrix-js-sdk. +

+

+ Currently there's not really anything here yet, though you can have a look at the already-published packages if you're curious about how things are going. +

+

+ You can contact me on Matrix as @joepie91:pixie.town. +

+ + From a26c526e93233b1b785453318e599d2e247a830e Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Sat, 17 Aug 2019 23:26:09 +0200 Subject: [PATCH 8/9] Update Modular Matrix website with disambiguation --- configuration/sources/modular-matrix/index.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configuration/sources/modular-matrix/index.html b/configuration/sources/modular-matrix/index.html index 4f65773..e43703b 100644 --- a/configuration/sources/modular-matrix/index.html +++ b/configuration/sources/modular-matrix/index.html @@ -7,6 +7,9 @@

Modular Matrix

+

+ NOTE: If you're looking for the Matrix website, go to Matrix.org. If you're looking for the Matrix hosting service, go to Modular.im. This project is not affiliated with either of those two. +

Hi! This will eventually be the website for Modular Matrix, a project to build a modular JavaScript SDK for the Matrix protocol, as an alternative to the matrix-js-sdk.

From b23b4e9ea9c0c016611433400546fe35f70b4335 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sat, 31 Aug 2019 16:19:52 +0200
Subject: [PATCH 9/9] Set up matrix-rooms.cryto.net
---
configuration/default.nix | 37 +++++++++++++++++++ .../packages/matrix-rooms/default.nix | 18 +++++++++ 2 files changed, 55 insertions(+) create mode 100644 configuration/packages/matrix-rooms/default.nix
diff --git a/configuration/default.nix b/configuration/default.nix
index 1b14f4a..cca65da 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -8,6 +8,7 @@ let
 nodeApplication = self.callPackage ./lib/node-application.nix {};
 unpack = self.callPackage ./lib/unpack.nix {};
 mobileProxy = self.callPackage ./packages/mobile-proxy { configFile = null; };
+ matrixRooms = self.callPackage ./packages/matrix-rooms {};
 };
 })
 ];
@@ -103,6 +104,7 @@ in {
 "iomfats.cryto.net"
 "castleroland.cryto.net"
 "awesomedude.cryto.net"
+ "matrix-rooms.cryto.net"
 ])
 (httpsHosts [
 # "haless.cryto.net"
@@ -111,6 +113,7 @@ in {
 "iomfats.cryto.net"
 "castleroland.cryto.net"
 "awesomedude.cryto.net"
+ "matrix-rooms.cryto.net"
 ])
 ];
@@ -210,6 +213,10 @@ in {
 (nginxPresets.letsEncrypt)
 (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
 ];
+ "matrix-rooms.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
+ (nginxPresets.reverseProxy "http://127.0.0.1:3842/")
+ ];
 };
 };
@@ -272,5 +279,35 @@ in {
 HOME = "/tmp/mobile-proxy-home";
 };
 };
+
+ users.extraUsers.matrix-rooms = {
+ description = "mobile-proxy Service User";
+ };
+
+ systemd.services.matrix-rooms = let
+ package = pkgs.cryto.matrixRooms;
+ in {
+ description = "Matrix Room List Viewer";
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+
+ serviceConfig = {
+ ExecStart = "${package}/bin/matrix-room-list-viewer"; /* FIXME: Change binary name in its package.json at some point */
+ User = "matrix-rooms";
+ Restart = "on-failure";
+ PermissionsStartOnly = true;
+ };
+
+ # FIXME: Is a fake homes necessary for this application?
+ preStart = ''
+ mkdir -m 0700 -p /tmp/matrix-rooms-home
+ chown matrix-rooms /tmp/matrix-rooms-home
+ '';
+
+ environment = {
+ HOME = "/tmp/matrix-rooms-home";
+ NODE_ENV = "production";
+ };
+ };
 };
 }
diff --git a/configuration/packages/matrix-rooms/default.nix b/configuration/packages/matrix-rooms/default.nix
new file mode 100644
index 0000000..e464ff2
--- /dev/null
+++ b/configuration/packages/matrix-rooms/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+ pkgs.cryto.nodeApplication {
+ name = "matrix-rooms";
+ source = pkgs.stdenv.mkDerivation {
+ name = "matrix-rooms-application";
+ src = pkgs.cryto.fetchFromCrytoGit {
+ owner = "joepie91";
+ repo = "matrix-room-list-viewer";
+ rev = "5912b79024cba33ee7e291f325d0286b8304af99";
+ sha256 = "199in3m3vll0i0qsz869x2q6zqn1xxgyvia3fxnmschvfmybbf8r";
+ };
+
+ buildCommand = ''
+ mkdir -p $out
+ tar -xzvf $src -C $out
+ '';
+ };
+ }
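Review bot: The `preStart` of `systemd.services.matrix-rooms` runs as root (`PermissionsStartOnly = true`) and does `mkdir -m 0700 -p` plus `chown matrix-rooms` on a fixed path in the world-writable `/tmp`; `mkdir -p` accepts an already-existing entry, so whatever another local user has placed at `/tmp/matrix-rooms-home` before the unit starts is handed to the service (with `fs.protected_symlinks` on, a pre-placed symlink makes the chown fail and the unit never starts; with it off, the link target changes owner). Let systemd provision the home instead: `serviceConfig.StateDirectory = "matrix-rooms"` creates `/var/lib/matrix-rooms` owned by `User` before `ExecStart`, which makes both `preStart` and `PermissionsStartOnly` unnecessary, as below. The new `users.extraUsers.matrix-rooms` also carries the copy-pasted `description = "mobile-proxy Service User";` and should be declared `isSystemUser = true`. The existing mobile-proxy service visible in the context lines uses the same `/tmp` home pattern and would benefit from the same change. The enclosing attribute set closes at the `}` context line at the end of the hunk.
```nix
  users.extraUsers.matrix-rooms = {
    description = "matrix-rooms Service User";
    isSystemUser = true;
  };

  systemd.services.matrix-rooms = let
    package = pkgs.cryto.matrixRooms;
  in {
    # … unchanged: description, wantedBy, after …

    serviceConfig = {
      # … unchanged: ExecStart, User, Restart …
      # systemd creates /var/lib/matrix-rooms owned by User before ExecStart,
      # so no root-run preStart and no PermissionsStartOnly are needed.
      StateDirectory = "matrix-rooms";
    };

    environment = {
      HOME = "/var/lib/matrix-rooms";
      NODE_ENV = "production";
    };
  };
```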