nixops-configuration/networks/default.nix

let
	secrets = import ../secrets.nix;
	hosts = import ../lib/hosts.nix;
	vpnConfiguration = import ../lib/vpn.nix;
in {
	network.description = "Cryto";

	workbot = {config, lib, pkgs, ...}@args:
		{
			imports = [
				(import ../lib/presets/track-service-metrics.nix)
				(vpnConfiguration "workbot")
			];

			config = {
				services.nginx = let
					hostRoot = pkgs.writeTextDir "index.html" "Hello world!";
					reverseProxy = target: {
						proxyPass = target;
						extraConfig = ''
							proxy_set_header Host $http_host;
							proxy_set_header X-Forwarded-Proto https;
							proxy_set_header X-Forwarded-Port 443;
						'';
					};
					requireTLS = {
						enableACME = true;
						forceSSL = true;
					};
				in {
					enable = true;
					virtualHosts = {
						"_" = {
							default = true;
							root = hostRoot;
						};
						"hydra.cryto.net" = {
							locations = {
								"/" = reverseProxy "http://localhost:3333";
							};
						} // requireTLS;
						"prometheus.cryto.net" = {
							locations = {
								"/" = reverseProxy "http://localhost:9090";
							};
						} // requireTLS;
						"metrics.cryto.net" = {
							locations = {
								"/" = reverseProxy "http://localhost:8452";
							};
						} // requireTLS;
						"nix-cache.cryto.net" = {
							root = "/var/lib/hydra-builds";
						} // requireTLS;
					};
				};

				services.postgresql = {
					enable = true;
				};

				services.hydra = {
					enable = true;
					port = 3333;
					hydraURL = "http://hydra.cryto.net/";
					notificationSender = "hydra@cryto.net";
					useSubstitutes = false;
					minimumDiskFree = 20;
					minimumDiskFreeEvaluator = 20;
					buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) [];
					extraConfig = ''
						store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1
						binary_cache_public_uri = https://nix-cache.cryto.net
					'';
				};

				/* FIXME: Declaratively define data sources; Grafana module for NixOS does not appear to support this yet? */
				services.grafana = {
					enable = true;
					port = 8452;
					rootUrl = "https://metrics.cryto.net/";

					security = {
						adminUser = secrets.grafana.username;
						adminPassword = secrets.grafana.password;
					};

					auth = {
						anonymous.enable = true;
					};
				};

				services.prometheus = {
					enable = true;

					globalConfig = {
						scrape_interval = "30s";
					};

					scrapeConfigs = let
						nameInstance = address: name: {
							source_labels = [ "__address__" ];
							target_label = "instance";
							regex = address;
							replacement = name;
						};
					in [
						{
							job_name = "prometheus";
							static_configs = [{
								targets = [
									"localhost:9090"
								];
							}];
							relabel_configs = [
								(nameInstance "localhost:9090" "workbot")
							];
						} {
							job_name = "nodes";
							scrape_interval = "10s";
							static_configs = [{
								targets = [
									"localhost:9100"
									"${hosts.osmium.ipv4}:9100"
									"${hosts.nijaxor.ipv4}:9100"
								];
							}];
							relabel_configs = [
								(nameInstance "localhost:9100" "workbot")
								(nameInstance "${hosts.osmium.ipv4}:9100" "osmium")
								(nameInstance "${hosts.nijaxor.ipv4}:9100" "nijaxor")
							];
						} {
							job_name = "systemd";
							scrape_interval = "60s";
							static_configs = [{
								targets = [
									"localhost:9333"
									"${hosts.osmium.ipv4}:9333"
									"${hosts.nijaxor.ipv4}:9333"
								];
							}];
							relabel_configs = [
								(nameInstance "localhost:9333" "workbot")
								(nameInstance "${hosts.osmium.ipv4}:9333" "osmium")
								(nameInstance "${hosts.nijaxor.ipv4}:9333" "nijaxor")
							];
						}
					];

					exporters = {
						node = {
							enable = true;
							enabledCollectors = [
								"systemd"
							];
						};
					};
				};

				networking.firewall.allowedTCPPorts = [
					80
					443
				];
			};
		};

	osmium = { config, lib, pkgs, ... }@args:
		let
			pastebinStream = (import ../applications/pastebin-stream.nix) args;
			generateCaddyConfiguration = (import ../lib/generate/caddy-configuration.nix) args;
		in let
			proxiedApplications = [{
				hostname = config.systems.osmium.applications.pastebin-stream.hostname;
				tls = true;
				proxyTarget = "http://localhost:3000";
			}];
		in
			{
				imports = [
					(pastebinStream {
						errorPath = "/var/lib/pastebin-stream/errors";
						rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";
						sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";
					})
					(import ../lib/presets/track-service-metrics.nix)
					(import ../lib/presets/low-ram-nix.nix)
					(vpnConfiguration "osmium")
				];

				config = {
					services.caddy = {
						enable = true;
						agree = true;
						email = "admin@cryto.net";
						config = ''
						${generateCaddyConfiguration proxiedApplications}
						'';
					};

					services.node-pastebin-stream = {
						enable = true;

						errorReporting = {
							enable = true;

							metadata = {
								from = "ops@cryto.net";
								to = "admin@cryto.net";
							};
						};
					};

					networking.firewall.allowedTCPPorts = [
						80
						443
						9100 # Prometheus node exporter
					];

					environment.systemPackages = with pkgs; [
						htop
					];

					services.prometheus.exporters = {
						node = {
							enable = true;
							enabledCollectors = [
								"systemd"
							];
						};
					};
				};

				options.systems.osmium = with lib; {
					applications.pastebin-stream = {
						hostname = mkOption {
							description = ''
								The hostname to expose the pastebin-stream application on.
							'';
							type = types.str;
						};
					};
				};
			};

	nijaxor = { config, lib, pkgs, ... }@args:
		{
			imports = [
				(import ../lib/presets/low-ram-nix.nix)
				(import ../lib/presets/track-service-metrics.nix)
				(vpnConfiguration "nijaxor")
			];

			config = {
				networking.firewall.allowedTCPPorts = [
					9100 # Prometheus node exporter
				];

				services.prometheus.exporters = {
					node = {
						enable = true;
						enabledCollectors = [
							"systemd"
						];
					};
				};
			};
		};
}
Update network configuration 6 years ago			`let`
			`secrets = import ../secrets.nix;`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`hosts = import ../lib/hosts.nix;`
			`vpnConfiguration = import ../lib/vpn.nix;`
Update network configuration 6 years ago			`in {`
Initial commit 8 years ago			`network.description = "Cryto";`

Update network configuration 6 years ago			`workbot = {config, lib, pkgs, ...}@args:`
			`{`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`imports = [`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`(import ../lib/presets/track-service-metrics.nix)`
			`(vpnConfiguration "workbot")`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`];`

Update network configuration 6 years ago			`config = {`
			`services.nginx = let`
			`hostRoot = pkgs.writeTextDir "index.html" "Hello world!";`
			`reverseProxy = target: {`
			`proxyPass = target;`
			`extraConfig = ''`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_set_header X-Forwarded-Port 443;`
			`'';`
			`};`
			`requireTLS = {`
			`enableACME = true;`
			`forceSSL = true;`
			`};`
			`in {`
			`enable = true;`
			`virtualHosts = {`
			`"_" = {`
			`default = true;`
			`root = hostRoot;`
			`};`
			`"hydra.cryto.net" = {`
			`locations = {`
			`"/" = reverseProxy "http://localhost:3333";`
			`};`
			`} // requireTLS;`
			`"prometheus.cryto.net" = {`
			`locations = {`
			`"/" = reverseProxy "http://localhost:9090";`
			`};`
			`} // requireTLS;`
			`"metrics.cryto.net" = {`
			`locations = {`
			`"/" = reverseProxy "http://localhost:8452";`
			`};`
			`} // requireTLS;`
			`"nix-cache.cryto.net" = {`
			`root = "/var/lib/hydra-builds";`
			`} // requireTLS;`
			`};`
			`};`

			`services.postgresql = {`
			`enable = true;`
			`};`

			`services.hydra = {`
Fix more spacing 6 years ago			`enable = true;`
Fix yet more spacing... 6 years ago			`port = 3333;`
			`hydraURL = "http://hydra.cryto.net/";`
			`notificationSender = "hydra@cryto.net";`
			`useSubstitutes = false;`
			`minimumDiskFree = 20;`
			`minimumDiskFreeEvaluator = 20;`
			`buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) [];`
			`extraConfig = ''`
Fix spacing in Hydra configuration 6 years ago			`store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1`
Update network configuration 6 years ago			`binary_cache_public_uri = https://nix-cache.cryto.net`
Fix yet more spacing... 6 years ago			`'';`
			`};`
Update network configuration 6 years ago
			`/* FIXME: Declaratively define data sources; Grafana module for NixOS does not appear to support this yet? */`
			`services.grafana = {`
			`enable = true;`
			`port = 8452;`
			`rootUrl = "https://metrics.cryto.net/";`

			`security = {`
			`adminUser = secrets.grafana.username;`
			`adminPassword = secrets.grafana.password;`
			`};`

			`auth = {`
			`anonymous.enable = true;`
			`};`
			`};`

			`services.prometheus = {`
			`enable = true;`

			`globalConfig = {`
			`scrape_interval = "30s";`
			`};`

			`scrapeConfigs = let`
			`nameInstance = address: name: {`
			`source_labels = [ "__address__" ];`
			`target_label = "instance";`
			`regex = address;`
			`replacement = name;`
			`};`
			`in [`
			`{`
			`job_name = "prometheus";`
			`static_configs = [{`
			`targets = [`
			`"localhost:9090"`
			`];`
			`}];`
			`relabel_configs = [`
			`(nameInstance "localhost:9090" "workbot")`
			`];`
			`} {`
			`job_name = "nodes";`
			`scrape_interval = "10s";`
			`static_configs = [{`
			`targets = [`
			`"localhost:9100"`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`"${hosts.osmium.ipv4}:9100"`
			`"${hosts.nijaxor.ipv4}:9100"`
Update network configuration 6 years ago			`];`
			`}];`
			`relabel_configs = [`
			`(nameInstance "localhost:9100" "workbot")`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`(nameInstance "${hosts.osmium.ipv4}:9100" "osmium")`
			`(nameInstance "${hosts.nijaxor.ipv4}:9100" "nijaxor")`
Update network configuration 6 years ago			`];`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`} {`
			`job_name = "systemd";`
			`scrape_interval = "60s";`
			`static_configs = [{`
			`targets = [`
			`"localhost:9333"`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`"${hosts.osmium.ipv4}:9333"`
			`"${hosts.nijaxor.ipv4}:9333"`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`];`
			`}];`
			`relabel_configs = [`
			`(nameInstance "localhost:9333" "workbot")`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`(nameInstance "${hosts.osmium.ipv4}:9333" "osmium")`
			`(nameInstance "${hosts.nijaxor.ipv4}:9333" "nijaxor")`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`];`
Update network configuration 6 years ago			`}`
			`];`

			`exporters = {`
			`node = {`
			`enable = true;`
			`enabledCollectors = [`
			`"systemd"`
			`];`
			`};`
			`};`
			`};`

			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
			`};`
			`};`

Reorganize and finish configuration 7 years ago			`osmium = { config, lib, pkgs, ... }@args:`
			`let`
			`pastebinStream = (import ../applications/pastebin-stream.nix) args;`
			`generateCaddyConfiguration = (import ../lib/generate/caddy-configuration.nix) args;`
			`in let`
			`proxiedApplications = [{`
Add production system and add on-failure service restart for Node applications 7 years ago			`hostname = config.systems.osmium.applications.pastebin-stream.hostname;`
Reorganize and finish configuration 7 years ago			`tls = true;`
			`proxyTarget = "http://localhost:3000";`
			`}];`
			`in`
			`{`
			`imports = [`
			`(pastebinStream {`
			`errorPath = "/var/lib/pastebin-stream/errors";`
Update network configuration 6 years ago			`rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";`
			`sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";`
Reorganize and finish configuration 7 years ago			`})`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`(import ../lib/presets/track-service-metrics.nix)`
			`(import ../lib/presets/low-ram-nix.nix)`
			`(vpnConfiguration "osmium")`
Reorganize and finish configuration 7 years ago			`];`
Update attempt... 7 years ago
Add production system and add on-failure service restart for Node applications 7 years ago			`config = {`
			`services.caddy = {`
			`enable = true;`
			`agree = true;`
			`email = "admin@cryto.net";`
			`config = ''`
Reorganize and finish configuration 7 years ago			`${generateCaddyConfiguration proxiedApplications}`
Add production system and add on-failure service restart for Node applications 7 years ago			`'';`
			`};`
Update attempt... 7 years ago
Add production system and add on-failure service restart for Node applications 7 years ago			`services.node-pastebin-stream = {`
Reorganize and finish configuration 7 years ago			`enable = true;`
Update attempt... 7 years ago
Add production system and add on-failure service restart for Node applications 7 years ago			`errorReporting = {`
			`enable = true;`

			`metadata = {`
			`from = "ops@cryto.net";`
			`to = "admin@cryto.net";`
			`};`
Reorganize and finish configuration 7 years ago			`};`
			`};`
Initial commit 8 years ago
Add production system and add on-failure service restart for Node applications 7 years ago			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
Update network configuration 6 years ago			`9100 # Prometheus node exporter`
Add production system and add on-failure service restart for Node applications 7 years ago			`];`
Update attempt... 7 years ago
Add production system and add on-failure service restart for Node applications 7 years ago			`environment.systemPackages = with pkgs; [`
			`htop`
			`];`
Update network configuration 6 years ago
			`services.prometheus.exporters = {`
			`node = {`
			`enable = true;`
			`enabledCollectors = [`
			`"systemd"`
			`];`
			`};`
			`};`
Add production system and add on-failure service restart for Node applications 7 years ago			`};`

			`options.systems.osmium = with lib; {`
			`applications.pastebin-stream = {`
			`hostname = mkOption {`
			`description = ''`
			`The hostname to expose the pastebin-stream application on.`
			`'';`
			`type = types.str;`
			`};`
			`};`
			`};`
Reorganize and finish configuration 7 years ago			`};`
Update network configuration 6 years ago
			`nijaxor = { config, lib, pkgs, ... }@args:`
			`{`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`imports = [`
Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN 6 years ago			`(import ../lib/presets/low-ram-nix.nix)`
			`(import ../lib/presets/track-service-metrics.nix)`
			`(vpnConfiguration "nijaxor")`
Add patched version of Nix to deal with low-RAM NixOps machines, and enable systemd service accounting metrics 6 years ago			`];`

Update network configuration 6 years ago			`config = {`
			`networking.firewall.allowedTCPPorts = [`
			`9100 # Prometheus node exporter`
			`];`

			`services.prometheus.exporters = {`
			`node = {`
			`enable = true;`
			`enabledCollectors = [`
			`"systemd"`
			`];`
			`};`
			`};`
			`};`
			`};`
Initial commit 8 years ago			`}`