From d96fbd63510048bf56d3d600a65f7983096c1bb1 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 3 Mar 2021 00:51:39 +0100
Subject: migrating config

This deploy logic is primarily based on hxchn's deploy lib [1], with some slight modifications to make it work with my setup. Everything seems to work fine for now. However, I am unsure about the usage of niv — the config doesn't seem to gain much from it, apart from (some) additional complexity. [1] https://gitlab.com/hexchen/nixfiles
---
 hosts/flora/services/daemoniones.nix | 34 +++++++++++
 hosts/flora/services/hedgedoc.nix | 66 +++++++++++++++++++++
 hosts/flora/services/nginx.nix | 21 +++++++
 hosts/flora/services/workadventure.nix | 104 +++++++++++++++++++++++++++++++++
 4 files changed, 225 insertions(+)
 create mode 100644 hosts/flora/services/daemoniones.nix
 create mode 100644 hosts/flora/services/hedgedoc.nix
 create mode 100644 hosts/flora/services/nginx.nix
 create mode 100644 hosts/flora/services/workadventure.nix
(limited to 'hosts/flora/services')
diff --git a/hosts/flora/services/daemoniones.nix b/hosts/flora/services/daemoniones.nix
new file mode 100644
index 0000000..6c96b3c
--- /dev/null
+++ b/hosts/flora/services/daemoniones.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ...}:
+
+{
+ systemd.services =
+ let simpledaemon = name: command: {
+ enable = true;
+ description = name;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ script = command;
+ };
+ in {
+ choclo = simpledaemon "choclo signalling server" "/root/simple-signalling/target/release/chaski -b 127.0.0.1:5000";
+ wasi = simpledaemon "wasi backend" "/root/wasi-minimal/target/release/wasi";
+ picarones = simpledaemon "picarones backend" "/root/picarones-server/target/release/picarones -b 127.0.0.1:6000";
+ };
+
+ services.nginx = {
+ virtualHosts =
+ let websocketproxy = addr: {
+ locations."/".proxyPass = addr;
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyWebsockets = true;
+ };
+ in {
+ "wasi.stuebinm.eu" = websocketproxy "http://127.0.0.1:9000";
+ "choclo.stuebinm.eu" = websocketproxy "http://127.0.0.1:5000";
+ "picarones.stuebinm.eu" = websocketproxy "http://127.0.0.1:6000";
+ };
+ };
+
+
+}
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
new file mode 100644
index 0000000..4ce2256
--- /dev/null
+++ b/hosts/flora/services/hedgedoc.nix
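Review bot: The `simpledaemon` helper sets only `serviceConfig.Type` and `script`, so all three units run as root with no hardening directives, each executing a binary from under `/root/` for work that does not need root (two of them just bind loopback ports). A dedicated unprivileged account is one line in the helper, e.g. `serviceConfig.DynamicUser = true;` (or `serviceConfig.User = "<service user>";`), after which the binaries need to live somewhere readable by that user rather than `/root`. Separately, `wasi.stuebinm.eu` proxies to `127.0.0.1:9000` while the `wasi` unit, unlike its two siblings, is started without a bind argument; if its default port is not 9000 the vhost will fail, so a short comment stating the expected default port would help the next reader.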
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Container containing CodiMD and its database
+ # has its own internal network; needs a reverse-proxy to be reachable from the outside
+ # TODO: persistent memory for pads
+ containers.codimd = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:10";
+ localAddress6 = "fd00::42:11";
+
+ config = {config, pkgs, ... }: {
+ # open CodiMD port
+ networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ];
+
+ # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_11;
+ ensureDatabases = [ "codimd" ];
+ ensureUsers = [ {
+ name = "codimd";
+ ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";};
+ } ];
+ # ugly workaround to allow CodiMD to login without password — this service has lots of options,
+ # but apparently not for authentification, which even needs to be forced …
+ authentication = pkgs.lib.mkForce ''
+ # Generated file; do not edit!
+ local all all trust
+ host codimd codimd ::1/128 trust
+ '';
+ };
+ # CodiMD itself
+ services.hedgedoc = {
+ enable = true;
+ workDir = "/var/codimd/";
+ configuration = {
+ dbURL = "postgres:///codimd";
+ port = 3000;
+ domain = "nix.stuebinm.eu";
+ urlAddPort = false;
+ protocolUseSSL = true;
+ allowPDFExport = true;
+ host = "::";
+ allowEmailRegister = false;
+ allowFreeURL = true;
+ uploadsPath = "/var/codimd/uploads";
+ #email = false;
+ };
+ };
+ };
+ };
+
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx.virtualHosts."nix.stuebinm.eu" = {
+ locations."/" = {
+ proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000";
+ proxyWebsockets = true;
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+}
diff --git a/hosts/flora/services/nginx.nix b/hosts/flora/services/nginx.nix
new file mode 100644
index 0000000..5d21a14
--- /dev/null
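Review bot: `local all all trust` in the forced pg_hba lets any OS user inside the container open a socket connection as any role, including the `postgres` superuser, which is far wider than the stated goal of letting CodiMD log in without a password; the following `host` line is already scoped to `codimd codimd`, and the `local` line can be narrowed the same way, `local codimd codimd trust`. One caveat when narrowing: `dbURL = "postgres:///codimd"` names no user, so libpq requests the role matching the service's OS account, and if that account is not `codimd` the URL needs it spelled out, e.g. `postgres://codimd@/codimd`. The firewall line references `config.services.codimd.configuration.port` while the service is declared under `services.hedgedoc`; this appears to lean on a rename alias, and `config.services.hedgedoc.configuration.port` would keep the file self-consistent.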
+++ b/hosts/flora/services/nginx.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ # virtualHosts = {
+ # "stuebinm.eu" = {
+ # forceSSL = true;
+ # enableACME = true;
+ # root = "/var/www/stats";
+ # };
+ # };
+ };
+}
diff --git a/hosts/flora/services/workadventure.nix b/hosts/flora/services/workadventure.nix
new file mode 100644
index 0000000..f38f5da
--- /dev/null
+++ b/hosts/flora/services/workadventure.nix
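Review bot: The commented-out `virtualHosts` block at the bottom of `services.nginx` is dead code; either drop it or shrink it to a tracked `# TODO: vhost for stuebinm.eu serving static stats from /var/www/stats` so the intent survives without seven commented lines. Since this is the shared nginx file and every sibling vhost in this commit sets `enableACME = true`, it is also the natural place for the ACME account settings NixOS requires, `security.acme.acceptTerms = true;` and `security.acme.email = "<contact address>";`, unless they are already set elsewhere in the repo.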
@@ -0,0 +1,104 @@
+{pkgs, config, ...}:
+
+
+let
+ haccpkgssrc = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+ rev = "a4ffb828aadf5ffd54a269f8a9ec9553c016069b";
+ sha256 = "12qfisfwr170b94j12rhy2q3smrwc7a3nh6xzbxlphnr3vadplvz";
+ };
+ haccpkgs = import "${haccpkgssrc}";
+ fediventure = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+ rev = "f32d3c5efd39df558f80b862c60b2866c567d999";
+ sha256 = "0kdb29hzh6s7rsz8s9z40hsmj09rrww1lcyfdi7wpng9ixi1jfvx";
+ };
+in
+
+{
+
+ containers.wa-test = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:20";
+ localAddress6 = "fd00::42:21";
+
+ config = {config, pkgs, ...}: {
+ imports = [ "${fediventure}/workadventure.nix" ];
+ networking.firewall.allowedTCPPorts = [ 80 443 5000 7890 ];
+
+ services.workadventure.instances."space.stuebinm.eu" = {
+ nginx.default = true;
+ nginx.domain = "space.stuebinm.eu";
+ maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+ frontend.settings.startRoomUrl = "space.stuebinm.eu/maps/main.json";
+ frontend.settings = {
+ stunServer = "stun:chaski.stuebinm.eu:3478";
+ turnServer = "turn:95.217.159.23";
+ turnUser = "chaski";
+ turnPassword = "chaski";
+ jitsiUrl = "meet.ffmuc.net";
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ scrapeConfigs = [ {
+ job_name = "workadventure-back";
+ static_configs = [ {
+ targets = [ "localhost:8080" ];
+ } ];
+ } ];
+ };
+
+ services.grafana = {
+ enable = true;
+ port = 5000;
+ addr = "[::]";
+ rootUrl = "https://space.stuebinm.eu/metrics/";
+ auth.anonymous.enable = true;
+ provision = {
+ enable = true;
+ datasources = [ {
+ name = "workadventure";
+ type = "prometheus";
+ url = "http://localhost:9001";
+ } ];
+ };
+ };
+
+ systemd.services.goaccess = {
+ enable = true;
+ description = "Uses goaccess to publish a neat acces log on /var/www/index.html";
+ requires = [ "nginx.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ path = [ pkgs.goaccess ];
+ environment = {"HOME" = "/tmp";}; # necessary as goaccess will crash otherwise — is fixed upstream, but not yet in nixos
+ script = ''
+ mkdir -p /var/www-goaccess/
+ goaccess /var/log/nginx/access.log -o /var/www-goaccess/index.html --log-format=COMBINED --html
+ '';
+ };
+
+ services.nginx.virtualHosts."space.stuebinm.eu" = {
+ locations."/stats/".alias = "/var/www-goaccess/";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."space.stuebinm.eu" = {
+ extraConfig = ''
+ proxy_read_timeout 300s;
+ proxy_connect_timeout 75s;
+ '';
+ locations."/metrics/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:5000/";
+ locations."/metrics/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:80";
+ locations."/".proxyWebsockets = true;
+ enableACME = true;
+ forceSSL = true;
+ };
+}
+
-- cgit v1.2.3
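Review bot: `turnUser`/`turnPassword` commit a static TURN credential (`chaski`/`chaski`) for the relay at `95.217.159.23` into the repo, and because they sit under `frontend.settings` they are presumably also delivered to every browser that loads the page, so the relay is effectively open to anyone who reads them; the password should be rotated and kept out of git, and if the TURN server is coturn its time-limited credential mode avoids a shared static secret altogether. Grafana is reachable from the public internet through the host's `/metrics/` location with `auth.anonymous.enable = true`, which is fine for read-only dashboards, but the login form is exposed as well and nothing in this hunk changes the default admin password (`services.grafana.security.adminPasswordFile` or `adminPassword`), so confirm that is done elsewhere. The `goaccess` unit is `Type = "simple"` running a script that exits after writing one report, so as written `/stats/` is generated once at boot and never refreshed; a `oneshot` unit driven by a timer, or goaccess's `--real-time-html` mode, would keep it current. Its `description` also names `/var/www/index.html` while the script writes `/var/www-goaccess/index.html`; `description = "Uses goaccess to publish an access log summary to /var/www-goaccess/index.html";` fixes both the path and the "acces" typo.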