Various changes

Sven Slootweg 2 years ago
parent 97981c9224
commit 5b420f07a6

@ -1,17 +1,32 @@
{ {
"machine-workbot-01.cryto.net" = {
friendlyName = "workbot";
ipv4 = "148.251.195.23";
internalIpv4 = "10.217.0.1";
tincPublicKey = builtins.readFile ./tinc-keys/machine-workbot-01.cryto.net.pub;
};
"machine-haless-03.cryto.net" = { "machine-haless-03.cryto.net" = {
friendlyName = "haless";
ipv4 = "31.7.187.145"; ipv4 = "31.7.187.145";
internalIpv4 = "10.217.0.5"; internalIpv4 = "10.217.0.5";
tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub; tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub;
}; };
"machine-borg2-01.cryto.net" = { "machine-borg2-01.cryto.net" = {
friendlyName = "borg2";
ipv4 = "205.185.121.93"; ipv4 = "205.185.121.93";
internalIpv4 = "10.217.0.6"; internalIpv4 = "10.217.0.6";
tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub; tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
}; };
"machine-konjassiem-02.cryto.net" = { "machine-konjassiem-02.cryto.net" = {
friendlyName = "konjassiem";
ipv4 = "81.4.122.123"; ipv4 = "81.4.122.123";
internalIpv4 = "10.217.0.7"; internalIpv4 = "10.217.0.7";
tincPublicKey = builtins.readFile ./tinc-keys/machine-konjassiem-02.cryto.net.pub; tincPublicKey = builtins.readFile ./tinc-keys/machine-konjassiem-02.cryto.net.pub;
}; };
"machine-pikachu-02.cryto.net" = {
friendlyName = "pikachu";
ipv4 = "2.59.133.101";
internalIpv4 = "10.217.0.8";
tincPublicKey = builtins.readFile ./tinc-keys/machine-pikachu-02.cryto.net.pub;
};
} }

@ -0,0 +1 @@
YfaykKs117gIGXbcLcc+asUqX5goF97EKIoLLgYZ4uG

@ -0,0 +1 @@
r+f4yLySll2Qx4m1aTba4wGteFTP38jq2EqINpgz5XJ

@ -13,7 +13,7 @@ let
}) })
]; ];
}; };
pkgs = (import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz") nixpkgsOptions); pkgs = (import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz") nixpkgsOptions);
presets = { presets = {
base = (import ./presets/base.nix); base = (import ./presets/base.nix);
kvm = (import ./presets/kvm.nix); kvm = (import ./presets/kvm.nix);
@ -25,6 +25,9 @@ let
}; };
nodes = (import ./data/nodes.nix); nodes = (import ./data/nodes.nix);
tincConfiguration = (import ./lib/tinc-configuration.nix); tincConfiguration = (import ./lib/tinc-configuration.nix);
trackSystemMetrics = (import ./lib/track-system-metrics.nix);
trackServiceMetrics = (import ./lib/track-service-metrics.nix);
httpHealthChecks = (import ./lib/http-health-checks.nix);
in { in {
network = { network = {
inherit pkgs; inherit pkgs;
@ -33,6 +36,7 @@ in {
"machine-borg2-01.cryto.net" = { pkgs, lib, ... }: { "machine-borg2-01.cryto.net" = { pkgs, lib, ... }: {
system.stateVersion = "18.09"; system.stateVersion = "18.09";
networking.hostName = "machine-borg2-01";
# FIXME: Why is this needed? # FIXME: Why is this needed?
nixpkgs.overlays = []; nixpkgs.overlays = [];
@ -42,6 +46,8 @@ in {
presets.kvm presets.kvm
./hardware-configurations/machine-borg2-01.nix ./hardware-configurations/machine-borg2-01.nix
(tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; }) (tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; })
(trackSystemMetrics nodes."machine-borg2-01.cryto.net".internalIpv4)
(trackServiceMetrics nodes."machine-borg2-01.cryto.net".internalIpv4)
]; ];
boot.loader.grub.device = lib.mkForce "/dev/vda"; boot.loader.grub.device = lib.mkForce "/dev/vda";
@ -71,6 +77,7 @@ in {
group = "backup-f0x"; group = "backup-f0x";
authorizedKeys = [ authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+dwsWe1/ujR0N4IxPv7mfyiuKWURc6QwYNJ+VV8KA6 f0x@behemoth"
]; ];
authorizedKeysAppendOnly = [ authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra"
@ -94,41 +101,37 @@ in {
"machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args: { "machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args: {
system.stateVersion = "19.03"; system.stateVersion = "19.03";
networking.hostName = "machine-haless-03";
imports = [ imports = [
presets.base presets.base
presets.kvm presets.kvm
./hardware-configurations/machine-haless-03.nix ./hardware-configurations/machine-haless-03.nix
(tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; }) (tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; })
]; (trackSystemMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
(trackServiceMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
deployment.healthChecks.http = let (httpHealthChecks {
makeHostChecker = { protocol, port }: host: { http = [
scheme = protocol; "iomfats.cryto.net"
port = port; "castleroland.cryto.net"
path = "/"; "awesomedude.cryto.net"
host = host; "matrix-rooms.cryto.net"
description = "${host} (${protocol} :${toString port}) is up"; "validatem.cryto.net"
}; "nixos-manual-mdx.cryto.net"
httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts; "geojson.cryto.net"
httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts; "ossworks.nl"
in lib.mkMerge [ ];
(httpHosts [ https = [
"iomfats.cryto.net" "iomfats.cryto.net"
"castleroland.cryto.net" "castleroland.cryto.net"
"awesomedude.cryto.net" "awesomedude.cryto.net"
"matrix-rooms.cryto.net" "matrix-rooms.cryto.net"
"validatem.cryto.net" "validatem.cryto.net"
"nixos-manual-mdx.cryto.net" "nixos-manual-mdx.cryto.net"
]) "geojson.cryto.net"
(httpsHosts [ "ossworks.nl"
"iomfats.cryto.net" ];
"castleroland.cryto.net" })
"awesomedude.cryto.net"
"matrix-rooms.cryto.net"
"validatem.cryto.net"
"nixos-manual-mdx.cryto.net"
])
]; ];
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -166,6 +169,10 @@ in {
(nginxPresets.letsEncrypt) (nginxPresets.letsEncrypt)
{ root = ./sources/modular-matrix; } { root = ./sources/modular-matrix; }
]; ];
"geojson.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
{ root = ../../image-to-geojson/static; }
];
# "validatem.cryto.net" = lib.mkMerge [ # "validatem.cryto.net" = lib.mkMerge [
# (nginxPresets.letsEncrypt) # (nginxPresets.letsEncrypt)
# { root = ./sources/validatem-site; } # { root = ./sources/validatem-site; }
@ -174,6 +181,10 @@ in {
(nginxPresets.letsEncrypt) (nginxPresets.letsEncrypt)
{ root = ../../validatem/site/build; } { root = ../../validatem/site/build; }
]; ];
"ossworks.nl" = lib.mkMerge [
(nginxPresets.letsEncrypt)
{ root = ../../ossworks-site/build; }
];
"nixos-manual-mdx.cryto.net" = lib.mkMerge [ "nixos-manual-mdx.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt) (nginxPresets.letsEncrypt)
{ root = ../../nixos-manual-mdx/build; } { root = ../../nixos-manual-mdx/build; }
@ -222,8 +233,11 @@ in {
}; };
}; };
users.extraUsers.mobile-proxy = { users.groups.mobile-proxy = {};
users.users.mobile-proxy = {
description = "mobile-proxy Service User"; description = "mobile-proxy Service User";
isSystemUser = true;
group = "mobile-proxy";
}; };
systemd.services.mobile-proxy = let systemd.services.mobile-proxy = let
@ -250,8 +264,11 @@ in {
}; };
}; };
users.extraUsers.matrix-rooms = { users.groups.matrix-rooms = {};
users.users.matrix-rooms = {
description = "mobile-proxy Service User"; description = "mobile-proxy Service User";
isSystemUser = true;
group = "matrix-rooms";
}; };
systemd.services.matrix-rooms = let systemd.services.matrix-rooms = let
@ -283,12 +300,15 @@ in {
"machine-konjassiem-02.cryto.net" = { pkgs, lib, config, ... }@args: { "machine-konjassiem-02.cryto.net" = { pkgs, lib, config, ... }@args: {
system.stateVersion = "20.03"; system.stateVersion = "20.03";
networking.hostName = "machine-konjassiem-02";
imports = [ imports = [
presets.base presets.base
presets.kvm presets.kvm
./hardware-configurations/machine-konjassiem-02.nix ./hardware-configurations/machine-konjassiem-02.nix
(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; }) (tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
(trackSystemMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
(trackServiceMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
]; ];
services.postgresql = { services.postgresql = {
@ -331,13 +351,40 @@ in {
}; };
# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks # NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap"; # systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
# Temporary workaround to make opensmtpd sendmail work (ref. https://github.com/NixOS/nixpkgs/issues/103446)
# Can remain enabled
systemd.services.gitea.serviceConfig.PrivateMounts = lib.mkForce true;
systemd.services.gitea.serviceConfig.PrivateTmp = lib.mkForce true;
systemd.services.gitea.serviceConfig.ProtectControlGroups = lib.mkForce true;
systemd.services.gitea.serviceConfig.ProtectHome = lib.mkForce true;
systemd.services.gitea.serviceConfig.ProtectSystem = lib.mkForce "full"; # downgraded from "strict"
# Have to be disabled
systemd.services.gitea.serviceConfig.LockPersonality = lib.mkForce false;
systemd.services.gitea.serviceConfig.MemoryDenyWriteExecute = lib.mkForce false;
systemd.services.gitea.serviceConfig.NoNewPrivileges = lib.mkForce false;
systemd.services.gitea.serviceConfig.PrivateDevices = lib.mkForce false;
systemd.services.gitea.serviceConfig.PrivateUsers = lib.mkForce false;
systemd.services.gitea.serviceConfig.ProtectClock = lib.mkForce false;
systemd.services.gitea.serviceConfig.ProtectHostname = lib.mkForce false;
systemd.services.gitea.serviceConfig.ProtectKernelLogs = lib.mkForce false;
systemd.services.gitea.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.gitea.serviceConfig.ProtectKernelTunables = lib.mkForce false;
systemd.services.gitea.serviceConfig.RestrictAddressFamilies = lib.mkForce [];
systemd.services.gitea.serviceConfig.RestrictRealtime = lib.mkForce false;
systemd.services.gitea.serviceConfig.RestrictSUIDSGID = lib.mkForce false;
systemd.services.gitea.serviceConfig.SystemCallArchitectures = lib.mkForce "";
systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce [];
# FIXME: Healthcheck for this!
services.gitea = { services.gitea = {
enable = true; enable = true;
user = "git"; user = "git";
appName = "Cryto Git"; appName = "Cryto Git";
repositoryRoot = "/var/lib/repositories"; repositoryRoot = "/var/lib/repositories";
log.level = "Info";
domain = "git.cryto.net"; domain = "git.cryto.net";
httpAddress = "localhost"; httpAddress = "localhost";
@ -351,57 +398,38 @@ in {
user = "git"; user = "git";
}; };
extraConfig = '' settings = {
[database] server = {
LOG_SQL = false LOCAL_ROOT_URL = "http://localhost:3000/";
};
[service]
ENABLE_CAPTCHA = true database = {
REGISTER_EMAIL_CONFIRM = true LOG_SQL = false;
ENABLE_NOTIFY_MAIL = true };
ENABLE_USER_HEATMAP = false
service = {
[security] ENABLE_CAPTCHA = true;
PASSWORD_COMPLEXITY = off REGISTER_EMAIL_CONFIRM = true;
ENABLE_NOTIFY_MAIL = true;
[session] ENABLE_USER_HEATMAP = false;
PROVIDER = file };
[mailer] security = {
ENABLED = true PASSWORD_COMPLEXITY = "off";
MAILER_TYPE = sendmail INTERNAL_TOKEN = lib.mkForce "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2MDU0NzQ1Mzh9.XqS6-ha22VNgtUP_mVkZXCMmst-lO8blFAEpWMSlU5g";
FROM = "Cryto Git" <noreply@git.cryto.net> };
SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
'';
# FIXME: Use this instead of extraConfig in 20.09 session = {
# settings = { PROVIDER = "file";
# database = { };
# LOG_SQL = false;
# }; mailer = {
ENABLED = true;
# service = { MAILER_TYPE = "sendmail";
# ENABLE_CAPTCHA = true; FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
# REGISTER_EMAIL_CONFIRM = true; SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
# ENABLE_NOTIFY_MAIL = true; };
# ENABLE_USER_HEATMAP = false; };
# };
# security = {
# PASSWORD_COMPLEXITY = "off";
# };
# session = {
# PROVIDER = "file";
# };
# mailer = {
# ENABLED = true;
# MAILER_TYPE = "sendmail";
# FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
# SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
# };
# };
}; };
# FIXME: DKIM/DMARC # FIXME: DKIM/DMARC
@ -415,4 +443,161 @@ in {
''; '';
}; };
}; };
"machine-pikachu-02.cryto.net" = { pkgs, lib, config, ... }@args: {
system.stateVersion = "19.03";
networking.hostName = "machine-pikachu-02";
imports = [
presets.base
presets.kvm
./hardware-configurations/machine-pikachu-02.nix
(tincConfiguration { hostname = "machine-pikachu-02.cryto.net"; nodes = nodes; })
(trackSystemMetrics nodes."machine-pikachu-02.cryto.net".internalIpv4)
(trackServiceMetrics nodes."machine-pikachu-02.cryto.net".internalIpv4)
];
};
"machine-workbot-01.cryto.net" = { pkgs, lib, config, ... }@args: {
system.stateVersion = "18.03";
networking.hostName = "machine-workbot-01";
imports = [
presets.base
./hardware-configurations/machine-workbot-01.nix
(tincConfiguration { hostname = "machine-workbot-01.cryto.net"; nodes = nodes; })
(trackSystemMetrics "127.0.0.1")
(trackServiceMetrics "127.0.0.1")
(httpHealthChecks {
both = [
"hydra.cryto.net"
"prometheus.cryto.net"
"metrics.cryto.net"
# "nix-cache.cryto.net" # Not directory-indexable
];
})
];
services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
# Pseudo-hostname just to set a default when no Host header is specified
default = true;
extraConfig = ''
return 404;
'';
};
"hydra.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://localhost:3333/")
];
"prometheus.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://localhost:9090/")
];
"metrics.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://localhost:8452/")
];
"nix-cache.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
{ root = "/var/lib/hydra-builds"; }
];
};
};
services.postgresql = {
enable = true;
};
services.hydra = {
enable = true;
port = 3333;
hydraURL = "http://hydra.cryto.net/";
notificationSender = "hydra@cryto.net";
useSubstitutes = false;
minimumDiskFree = 20;
minimumDiskFreeEvaluator = 20;
buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) [];
extraConfig = ''
store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1
binary_cache_public_uri = https://nix-cache.cryto.net
'';
};
services.prometheus = {
enable = true;
globalConfig = {
scrape_interval = "30s";
};
scrapeConfigs = let
nameInstance = address: name: {
source_labels = [ "__address__" ];
target_label = "instance";
regex = address;
replacement = name;
};
mapToPort = port: builtins.map (host: "${host.internalIpv4}:${builtins.toString port}");
mapToPortRelabel = port: builtins.map (host: (nameInstance "${host.internalIpv4}:${builtins.toString port}" host.friendlyName));
# Replace the workbot node (ie. ourselves) with an entry that points directly at localhost instead
nodes_ = builtins.attrValues (nodes // {
"machine-workbot-01.cryto.net" = {
friendlyName = "workbot";
internalIpv4 = "localhost";
};
});
in [
{
job_name = "prometheus";
static_configs = [{
targets = [
"localhost:9090"
];
}];
relabel_configs = [
(nameInstance "localhost:9090" "workbot")
];
} {
job_name = "nodes";
scrape_interval = "10s";
static_configs = [{
targets = mapToPort 9100 nodes_;
}];
relabel_configs = mapToPortRelabel 9100 nodes_;
} {
job_name = "systemd";
scrape_interval = "60s";
static_configs = [{
targets = mapToPort 9333 nodes_;
}];
relabel_configs = mapToPortRelabel 9333 nodes_;
}
];
};
services.grafana = {
enable = true;
port = 8452;
rootUrl = "https://metrics.cryto.net/";
security = let
credentials = import ../private/grafana-credentials.nix;
in {
adminUser = credentials.username;
adminPassword = credentials.password;
};
auth = {
anonymous.enable = true;
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
};
} }
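Review bot: The gitea hunk at L239 commits a live signing secret — `INTERNAL_TOKEN = lib.mkForce "eyJ..."` — into the repository, and since `services.gitea.settings` is rendered by the module into a store path it is also readable by every local user on that host, so the pushed value should be treated as disclosed and rotated. The `mkForce` indicates the module already supplies this value (as far as I recall the NixOS module generates the token into the state directory at start-up and substitutes it into app.ini), so dropping the override, or reading it from a root-only file outside the store, is the fix; if the override exists for a concrete reason, say so in a comment next to it. Separately, the block introduced just above `services.gitea` (L189–209) switches off `NoNewPrivileges`, `SystemCallFilter`, `SystemCallArchitectures`, `RestrictAddressFamilies` and the remaining `Private*`/`Protect*` options for the whole gitea service to make the sendmail path work, and the `# Can remain enabled` / `# Have to be disabled` labels do not say how that split was established. A `# TODO: re-tighten once nixpkgs#103446 is resolved; each option below was tested individually against sendmail delivery` above `systemd.services.gitea.serviceConfig.LockPersonality` would keep the rollback from becoming permanent. The machine definitions continue beyond the displayed hunks.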

@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.device = lib.mkForce "/dev/vda";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/17286b1d-6bbb-42cb-9f61-078c4a0c2171";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/f7a09e71-19fa-437d-bb07-841c42f49ec5";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/8a51e276-166b-4664-9f47-92e07ceb0587"; }
];
nix.maxJobs = lib.mkDefault 2;
}

@ -0,0 +1,34 @@
{ config, lib, pkgs, ... }:
{
/* Begin hardware configuration section */
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
swapDevices = [ ];
nix.maxJobs = pkgs.lib.mkDefault 8;
powerManagement.cpuFreqGovernor = pkgs.lib.mkDefault "powersave";
hardware.enableRedistributableFirmware = true;
/* End hardware configuration section */
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/nix";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
};
# networking = {
# hostName = "workbot";
# };
}

@ -0,0 +1,20 @@
{ http ? [], https ? [], both ? [] }:
{ pkgs, lib, ... }:
{
deployment.healthChecks.http = let
makeHostChecker = { protocol, port }: host: {
scheme = protocol;
port = port;
path = "/";
host = host;
description = "${host} (${protocol} :${toString port}) is up";
};
allHttpHosts = http ++ both;
allHttpsHosts = https ++ both;
generateHttpChecks = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
generateHttpsChecks = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
in lib.mkMerge [
(generateHttpChecks allHttpHosts)
(generateHttpsChecks allHttpsHosts)
];
}
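Review bot: The new module has no comment stating its contract, so a caller cannot tell from the signature at L480 that `both` is expanded into one http and one https check per name rather than being a third scheme; a header above L480 such as `# { http, https, both }: list of hostnames -> NixOS module adding deployment.healthChecks.http entries (GET / over http:80 and/or https:443); names in `both` get one check of each kind.` would make that explicit. A host listed in both `http` and `both` currently produces two identical http checks; if that matters, `allHttpHosts = lib.unique (http ++ both);` and the matching change for `allHttpsHosts` deduplicate them.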

@ -31,18 +31,29 @@
}; };
hosts = let hosts = let
mapper = nodeName: nodeConfiguration: escapeHostname = hostname: builtins.replaceStrings [ "." "-" ] [ "_" "_" ] hostname;
lib.nameValuePair stripSuffix = hostname: builtins.head (builtins.match "^(.+?)\.cryto\.net$" hostname);
/* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */ makeMapper = keyMapper: (
( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName ) nodeName: nodeConfiguration:
( generateConfiguration { lib.nameValuePair
# Address = nodeName; /* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
/* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */ # ( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
Address = nodeConfiguration.ipv4; ( keyMapper nodeName )
Subnet = "${nodeConfiguration.internalIpv4}/32"; ( generateConfiguration {
Ed25519PublicKey = nodeConfiguration.tincPublicKey; # Address = nodeName;
} ); /* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
in lib.mapAttrs' mapper nodes; Address = nodeConfiguration.ipv4;
Subnet = "${nodeConfiguration.internalIpv4}/32";
Ed25519PublicKey = nodeConfiguration.tincPublicKey;
} )
);
# NOTE: We generate both hostname formats and then just use one, since this seems to keep changing... this makes it easier to revert later
mapperA = makeMapper ( nodeName: escapeHostname (stripSuffix nodeName) );
mapperB = makeMapper ( nodeName: escapeHostname nodeName );
hostsA = lib.mapAttrs' mapperA nodes;
# hostsB = lib.mapAttrs' mapperB nodes;
hostsB = {};
in hostsA // hostsB;
}; };
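Review bot: `stripSuffix` at L505 has no fallback: `builtins.match` returns `null` for a node name that does not end in `.cryto.net`, and `builtins.head null` then fails with an error that points nowhere near this file. Inside a Nix double-quoted string `\.` is also just `.`, so the pattern effectively reads `^(.+?).cryto.net$` and matches any character in those positions; `\\.` is needed, and the `+?` non-greedy form is not part of the POSIX extended syntax `builtins.match` uses as far as I know, nor needed given the anchors. Something like `stripSuffix = hostname: let m = builtins.match "^(.+)\\.cryto\\.net$" hostname; in if m == null then hostname else builtins.head m;` handles all three points. The `hosts` binding is complete within the hunk, but the enclosing `let` and module start outside it.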
# networking.interfaces."tinc.cryto".ipv4.addresses = [{ # networking.interfaces."tinc.cryto".ipv4.addresses = [{

@ -0,0 +1,18 @@
listenAddress: {
systemd.extraConfig = ''
DefaultCPUAccounting=yes
DefaultIOAccounting=yes
DefaultIPAccounting=yes
DefaultBlockIOAccounting=yes
DefaultMemoryAccounting=yes
DefaultTasksAccounting=yes
'';
services.cadvisor = {
enable = true;
port = 9333;
listenAddress = listenAddress;
};
virtualisation.docker.enable = false;
}
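Review bot: Neither this file nor the sibling at L548–562 documents what the leading `listenAddress:` argument is or that the exporter it enables answers without authentication on that address; a header above L531 such as `# listenAddress -> NixOS module: enables cAdvisor on <listenAddress>:9333 (no authentication — callers pass the tinc-internal address) and turns on systemd resource accounting so per-unit metrics are populated.` would carry that, with the equivalent line for the node exporter (port 9100, scraped by the "nodes" job) in the other file. Naming in that comment that the main configuration's `job_name = "systemd"` scrape job is the one targeting port 9333 would also save the next reader a search.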

@ -0,0 +1,14 @@
listenAddress: {
services.prometheus = {
exporters = {
node = {
enable = true;
listenAddress = listenAddress;
enabledCollectors = [
# FIXME: Move to track-service-metrics instead!
"systemd"
];
};
};
};
}

@ -7,12 +7,12 @@
owner = "joepie91"; owner = "joepie91";
repo = "matrix-room-list-viewer"; repo = "matrix-room-list-viewer";
rev = "5912b79024cba33ee7e291f325d0286b8304af99"; rev = "5912b79024cba33ee7e291f325d0286b8304af99";
sha256 = "199in3m3vll0i0qsz869x2q6zqn1xxgyvia3fxnmschvfmybbf8r"; sha256 = "1mjygxgk79qhr4kwqcw66x01q9bj6dchq6ksw3k7bj5wkv3pzn90";
}; };
buildCommand = '' buildCommand = ''
mkdir -p $out mkdir -p $out
tar -xzvf $src -C $out tar --strip-components=1 -xzvf $src -C $out
''; '';
}; };
} }
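Review bot: At L568 `sha256` changes while `rev` stays at the same pinned commit, and nothing in the hunk records why; the new `--strip-components=1` at L572 suggests the fetched archive's layout changed, presumably because the fetcher definition (which starts above this hunk) was switched, but a changed hash for an unchanged pin is exactly the thing a supply-chain review has to be able to explain. A one-line comment above the `sha256 =` line, e.g. `# hash changed: archive now fetched as a GitHub tarball with a top-level directory, hence --strip-components=1`, would settle it. The same applies to the mobile-proxy derivation at L577–588 (L581, L585).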

@ -7,12 +7,12 @@
owner = "joepie91"; owner = "joepie91";
repo = "mobile-proxy"; repo = "mobile-proxy";
rev = "1628f4be61621c1783e93ef6719b1dae4f352be8"; rev = "1628f4be61621c1783e93ef6719b1dae4f352be8";
sha256 = "1d9zc3phflsi2gsi7hmzybr0q983x7155bildvlbc7za3y8hry78"; sha256 = "1qi07psj88fqlsyr6kaypaxq9ayhc95pp66qa53ln0w58yvjgims";
}; };
buildCommand = '' buildCommand = ''
mkdir -p $out mkdir -p $out
tar -xzvf $src -C $out tar --strip-components=1 -xzvf $src -C $out
cp ${configFile} $out/config.jsx cp ${configFile} $out/config.jsx
''; '';
}; };

@ -43,4 +43,6 @@
acceptTerms = true; acceptTerms = true;
email = "admin+certs@cryto.net"; email = "admin+certs@cryto.net";
}; };
networking.firewall.logRefusedConnections = false;
} }
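Review bot: `networking.firewall.logRefusedConnections = false;` at L594 removes the refused-connection kernel log lines from every host importing this preset, which is the only firewall-level signal these machines emit for noticing scans or a service reaching a port that the other hunks leave closed, and the hunk gives no reason for it. If the motivation is journal noise on the public-facing hosts, record that next to the line, e.g. `# Disabled: refused-connection logging floods the journal on the public hosts; no other firewall logging is configured`, so the loss of visibility is a documented decision rather than an accident. The enclosing module starts above this hunk.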

@ -14,7 +14,7 @@
Hi! This will eventually be the website for Modular Matrix, a project to build a modular JavaScript SDK for the <a href="https://matrix.org">Matrix protocol</a>, as an alternative to the <code>matrix-js-sdk</code>. Hi! This will eventually be the website for Modular Matrix, a project to build a modular JavaScript SDK for the <a href="https://matrix.org">Matrix protocol</a>, as an alternative to the <code>matrix-js-sdk</code>.
</p> </p>
<p> <p>
Currently there's not much here yet, though you can have a look at the <a href="https://www.npmjs.com/org/modular-matrix?tab=packages">already-published packages</a> if you're curious about how things are going. Currently there's not much here yet, though you can have a look at the <a href="https://www.npmjs.com/org/modular-matrix?tab=packages">already-published packages</a> if you're curious about how things are going. Most of the ongoing work currently lives in the <a href="https://git.cryto.net/modular-matrix/client/src/branch/master/src/packages">client repository</a>, and will be split out into separate modules as individual pieces are completed.
</p> </p>
<p> <p>
You can contact me on Matrix as <a href="https://matrix.to/#/@joepie91:pixie.town">@joepie91:pixie.town</a>. You can contact me on Matrix as <a href="https://matrix.to/#/@joepie91:pixie.town">@joepie91:pixie.town</a>.
