From af69be89ce796f3a34599d112783717245dff7ba Mon Sep 17 00:00:00 2001 From: r17x Date: Thu, 7 Nov 2024 01:25:02 +0700 Subject: [PATCH 01/15] refactor: cache.komunix.org web --- flake.lock | 179 +++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 37 ++++++++++ nix/cache.html.tpl | 94 ++++++++++++++++++++++++ nix/default.nix | 111 ++++++++++++++++++++++++++++ 4 files changed, 421 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 nix/cache.html.tpl create mode 100644 nix/default.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..6a8cc76 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,179 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1725233747, + "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } 
+ }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1727089097, + "narHash": "sha256-ZMHMThPsthhUREwDebXw7GX45bJnBCVbfnH1g5iuSPc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "568bfef547c14ca438c56a0bece08b8bb2b71a9c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1726745158, + "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-unstable": "nixpkgs-unstable", + "pre-commit-hooks": "pre-commit-hooks", + "sops": "sops" + } + }, + "sops": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1716400300, + "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "b549832718b8946e875c016a4785d204fcfc2e53", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} 
diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5f0b5d6 --- /dev/null +++ b/flake.nix @@ -0,0 +1,37 @@ +{ + description = "area13"; + + outputs = + inputs: + inputs.flake-parts.lib.mkFlake { inherit inputs; } { + systems = [ + "aarch64-darwin" + "aarch64-linux" + "x86_64-linux" + ]; + + imports = [ + inputs.pre-commit-hooks.flakeModule + ./nix + ]; + }; + + inputs = { + # utilities for Flake + flake-parts.url = "github:hercules-ci/flake-parts"; + + ## -- nixpkgs + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + nixpkgs-stable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + nixpkgs.follows = "nixpkgs-unstable"; + + # secret management + sops.url = "github:Mic92/sops-nix"; + sops.inputs.nixpkgs.follows = "nixpkgs"; + sops.inputs.nixpkgs-stable.follows = "nixpkgs-stable"; + + # utilities + pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix"; + pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; + }; +} diff --git a/nix/cache.html.tpl b/nix/cache.html.tpl new file mode 100644 index 0000000..ade0763 --- /dev/null +++ b/nix/cache.html.tpl @@ -0,0 +1,94 @@ + + + + + + + cache.komunix.org (di raspi) - UP + + +
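Review bot: `nixpkgs-stable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"` points at the same branch as `nixpkgs-unstable`, and flake.lock agrees (the `nixpkgs-stable` node is locked with `"ref": "nixpkgs-unstable"`), so `sops.inputs.nixpkgs-stable.follows = "nixpkgs-stable"` hands sops-nix an unstable tree under a name that promises a release branch. Either point it at a release, e.g. `nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05";` (the ref the lock already records for pre-commit-hooks' own `nixpkgs-stable_2`), or drop the input and make `sops.inputs.nixpkgs-stable` follow `nixpkgs`. A one-line comment on why the stable input exists would also help, since nothing else in the flake references it.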
+
+
+
+
+
+
+
+
+
+
+
+
+
+                                                                     __                  __
+                                                                    /\ \                /\ \                                          __
+                                                 ___     __      ___\ \ \___      __    \ \ \/'\     ___     ___ ___   __  __    ___ /\_\   __  _       ___   _ __    __
+                                                /'___\ /'__`\   /'___\ \  _ `\  /'__`\   \ \ , <    / __`\ /' __` __`\/\ \/\ \ /' _ `\/\ \ /\ \/'\     / __`\/\`'__\/'_ `\
+                                                /\ \__//\ \L\.\_/\ \__/\ \ \ \ \/\  __/  __\ \ \\`\ /\ \L\ \/\ \/\ \/\ \ \ \_\ \/\ \/\ \ \ \\/>   /  __/\ \L\ \ \ \//\ \L\ \
+                                                \ \____\ \__/.\_\ \____\\ \_\ \_\ \____\/\_\\ \_\ \_\ \____/\ \_\ \_\ \_\ \____/\ \_\ \_\ \_\/\_/\_\/\_\ \____/\ \_\\ \____ \
+                                                \/____/\/__/\/_/\/____/ \/_/\/_/\/____/\/_/ \/_/\/_/\/___/  \/_/\/_/\/_/\/___/  \/_/\/_/\/_/\//\/_/\/_/\/___/  \/_/ \/___L\ \
+                                                                                                                                                   /\____/
+                                                                                                                                                   \_/__/
+
+                                                                                        /nix/store milik bersama | tulung@komunix.org
+
+
+
+
+
+                > NixOS
+
+                # /etc/nixos/configuration.nix
+
+                { nix.settings.substituters = [ https://cache.komunix.org/ ]; }
+
+                > GNU/Linux
+
+                # /etc/nix/nix.conf
+
+                fallback = true
+                binary-caches = https://cache.komunix.org/ https://cache.nixos.org/
+
+                # OR
+
+                fallback = true
+                substituters = https://cache.komunix.org
+
+
+                > Mac OS
+
+                # $HOME/.nixpkgs/darwin-configuration.nix
+
+                nix.settings.substituters = pkgs.lib.mkBefore [ "https://cache.komunix.org/" ];
+
+                > Flake
+
+                nix.settings.experimental-features = [ "nix-command" "flakes" ];
+                nix.settings.trusted-substituters = [ "https://cache.komunix.org" ];
+
+                # Recomendation
+                nix.settings.fallback = true;
+
+
+                enjoy :^)
+
+                ---
+
+                # stats for nerds
+
+                $> find /home/komunix/nfs/nix-cache -type f | wc -l
+
+                $TOTAL_CACHE
+
+                $> du -sh /home/komunix/nfs/nix-cache; echo; df -h /home/komunix/nfs/nix-cache; echo; date +%s
+
+                $NICE
+
+                Filesystem                      Size  Used Avail Use% Mounted on
+                $USAGE
+
+                $TIMESTAMP
+
+ + diff --git a/nix/default.nix b/nix/default.nix new file mode 100644 index 0000000..a3d5d7e --- /dev/null +++ b/nix/default.nix 
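Review bot: Every snippet on this page adds `https://cache.komunix.org` to `substituters`/`binary-caches`/`trusted-substituters`, but none publishes a signing key for `trusted-public-keys`, so a default Nix install (which requires signatures) will refuse paths from this cache, or push users toward turning signature checks off; the page should show the cache's key next to each snippet, e.g. `nix.settings.trusted-public-keys = [ "<CACHE_PUBLIC_KEY placeholder>" ];`, or state plainly that paths are served unsigned. The literal `$HOME` in the `# $HOME/.nixpkgs/darwin-configuration.nix` line will be rewritten by `envsubst` in the generator unless substitution is restricted to the generator's own variables (`envsubst '$TIMESTAMP $USAGE $TOTAL_CACHE $NICE'`). The GNU/Linux variant `substituters = https://cache.komunix.org` replaces the default list and so silently drops cache.nixos.org, while the `binary-caches` form above it keeps both and `binary-caches` is the deprecated alias of `substituters`.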
@@ -0,0 +1,111 @@ +{ self, inputs, ... }: + +{ + flake.nixosConfigurations.komunix-vm2 = self.nixosConfigurations.komunix.extend { + modules = [ + ( + { }: + { + services.nginx.enable = true; + } + ) + ]; + }; + flake.nixosConfigurations.komunix = inputs.nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + "${inputs.nixpkgs}/nixos/modules/profiles/macos-builder.nix" + self.nixosModules.common + + { + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" + ]; + users.users.komunix = { + home = "/home/komunix"; + createHome = true; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" + ]; + }; + } + + ( + { pkgs, lib, ... 
}: + let + genCachex = pkgs.writeShellApplication { + name = "gen-cachex"; + runtimeInputs = with pkgs; [ + coreutils + gnused + envsubst + ]; + text = '' + TIMESTAMP=$(date +%s) + USAGE=$(df -h /home/komunix/nfs/nix-cache | tail -n1 || 0) + TOTAL_CACHE=$(find /home/komunix/nfs/nix-cache -type f | wc -l) + NICE=$(du -sh /home/komunix/nfs/nix-cache) + + export TIMESTAMP + export USAGE + export TOTAL_CACHE + export NICE + envsubst < ${./cache.html.tpl} + ''; + }; + in + { + system.stateVersion = "24.05"; + environment.systemPackages = [ pkgs.caddy ]; + system.activationScripts.createDir = + lib.mkBefore # bash + '' + [[ -d /home/komunix/cachex ]] || \ + (mkdir -p /home/komunix/cachex && chown komunix:users /home/komunix/cachex) + + [[ -d /home/komunix/nfs ]] || \ + (mount -t nfs -O rw,username=komunix,uid=1030,gid=100 100.121.185.1:/volume2/komunix /home/komunix/nfs) + + ${lib.getExe genCachex} > /home/komunix/cachex/index.html + ''; + + services.cron.enable = true; + services.cron.systemCronJobs = [ + "* * * * * cachex ${lib.getExe genCachex} > /home/komunix/cachex/index.html" + ]; + systemd.services.caddy = { + unitConfig.Description = "Caddy"; + serviceConfig.StartLimitIntervalSec = 5; + serviceConfig.StartLimitBurst = 10; + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = 10; + serviceConfig.StandardOutput = null; + serviceConfig.StandardError = "journal"; + serviceConfig.WorkingDirectory = "/home/komunix"; + serviceConfig.StateDirectory = "cachex"; + serviceConfig.RuntimeDirectory = "cachex"; + serviceConfig.ExecStart = # bash + '' + ${lib.getExe pkgs.caddy} file-server --root /home/komunix/cachex --listen 127.0.0.1:2022 + ''; + wantedBy = [ "multi-user.target" ]; + }; + } + ) + ]; + }; + + flake.nixosModules.common = { + nixpkgs.config.allowUnfree = true; + nix.settings.auto-optimise-store = true; + nix.settings.fallback = true; + nix.settings.experimental-features = [ + "flakes" + "nix-command" + ]; + }; +} 
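Review bot: The `komunix` system imports `nixos/modules/profiles/macos-builder.nix`, which as far as I recall is the profile for the throwaway Linux builder VM used from macOS and ships its SSH user keypair inside nixpkgs; on a host that is reachable over the network that amounts to a pre-authorized login, so it should be replaced by the host's own hardware and boot configuration. Two smaller defects in the same hunk: the cron entry `* * * * * cachex ${lib.getExe genCachex} > /home/komunix/cachex/index.html` runs as a user `cachex` that no module creates (only `root` and `komunix` are defined), and the activation script calls `mount -t nfs -O rw,username=komunix,uid=1030,gid=100 …`, where `-O` is mount's fstab-filter flag rather than `-o`, and `username=`/`uid=`/`gid=` are CIFS options that NFS does not understand. Mounting from an activation script also re-runs on every `nixos-rebuild`; a `fileSystems."/home/komunix/nfs"` entry or `systemd.mounts` is the declarative form.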
From 81b0bda6bf36ba58f7f5f53fd0d002ba958c5caf Mon Sep 17 00:00:00 2001 From: r17x Date: Thu, 7 Nov 2024 21:17:47 +0700 Subject: [PATCH 02/15] feat: make module generic for cachex --- flake.nix | 6 +- nix/default.nix | 253 ++++++++++++++++++++++++++++++++---------------- 2 files changed, 171 insertions(+), 88 deletions(-) diff --git a/flake.nix b/flake.nix index 5f0b5d6..3ef2222 100644 --- a/flake.nix +++ b/flake.nix @@ -2,8 +2,8 @@ description = "area13"; outputs = - inputs: - inputs.flake-parts.lib.mkFlake { inherit inputs; } { + inputs@{ flake-parts, pre-commit-hooks, ... }: + flake-parts.lib.mkFlake { inherit inputs; } { systems = [ "aarch64-darwin" "aarch64-linux" @@ -11,7 +11,7 @@ ]; imports = [ - inputs.pre-commit-hooks.flakeModule + pre-commit-hooks.flakeModule ./nix ]; }; diff --git a/nix/default.nix b/nix/default.nix index a3d5d7e..70414fd 100644 --- a/nix/default.nix +++ b/nix/default.nix 
@@ -1,106 +1,72 @@ -{ self, inputs, ... }: +{ + self, + inputs, + ... +}: { - flake.nixosConfigurations.komunix-vm2 = self.nixosConfigurations.komunix.extend { - modules = [ + perSystem = + { + pkgs, + ... + }: + { + packages.cachex = pkgs.writeShellApplication { + name = "cachex"; + runtimeInputs = with pkgs; [ + coreutils + gnused + envsubst + ]; + text = '' + NFS_DIR="$1" + TIMESTAMP=$(date +%s) + USAGE=$(df -h "$NFS_DIR" | tail -n1 || 0) + TOTAL_CACHE=$(find "$NFS_DIR" -type f | wc -l) + NICE=$(du -sh "$NFS_DIR") + + export TIMESTAMP + export USAGE + export TOTAL_CACHE + export NICE + envsubst < ${./cache.html.tpl} + ''; + }; + }; + + flake.nixosConfigurations.komunix-dev = inputs.nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = inputs.nixpkgs.lib.attrValues self.nixosModules ++ [ + "${inputs.nixpkgs}/nixos/modules/profiles/macos-builder.nix" ( - { }: + { config, ... }: { - services.nginx.enable = true; + services.cachex.enable = true; + services.cachex.enableCron = true; + services.cachex.workDir = config.users.users.komunix.home; + services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; } ) ]; }; + flake.nixosConfigurations.komunix = inputs.nixpkgs.lib.nixosSystem { system = "aarch64-linux"; - modules = [ - "${inputs.nixpkgs}/nixos/modules/profiles/macos-builder.nix" - self.nixosModules.common - - { - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" - ]; - users.users.komunix = { - home = "/home/komunix"; - createHome = true; - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - "ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" - ]; - }; - } - + modules = inputs.nixpkgs.lib.attrValues self.nixosModules ++ [ ( - { pkgs, lib, ... }: - let - genCachex = pkgs.writeShellApplication { - name = "gen-cachex"; - runtimeInputs = with pkgs; [ - coreutils - gnused - envsubst - ]; - text = '' - TIMESTAMP=$(date +%s) - USAGE=$(df -h /home/komunix/nfs/nix-cache | tail -n1 || 0) - TOTAL_CACHE=$(find /home/komunix/nfs/nix-cache -type f | wc -l) - NICE=$(du -sh /home/komunix/nfs/nix-cache) - - export TIMESTAMP - export USAGE - export TOTAL_CACHE - export NICE - envsubst < ${./cache.html.tpl} - ''; - }; - in + { config, ... }: { - system.stateVersion = "24.05"; - environment.systemPackages = [ pkgs.caddy ]; - system.activationScripts.createDir = - lib.mkBefore # bash - '' - [[ -d /home/komunix/cachex ]] || \ - (mkdir -p /home/komunix/cachex && chown komunix:users /home/komunix/cachex) - - [[ -d /home/komunix/nfs ]] || \ - (mount -t nfs -O rw,username=komunix,uid=1030,gid=100 100.121.185.1:/volume2/komunix /home/komunix/nfs) - - ${lib.getExe genCachex} > /home/komunix/cachex/index.html - ''; - - services.cron.enable = true; - services.cron.systemCronJobs = [ - "* * * * * cachex ${lib.getExe genCachex} > /home/komunix/cachex/index.html" - ]; - systemd.services.caddy = { - unitConfig.Description = "Caddy"; - serviceConfig.StartLimitIntervalSec = 5; - serviceConfig.StartLimitBurst = 10; - serviceConfig.Restart = "always"; - serviceConfig.RestartSec = 10; - serviceConfig.StandardOutput = null; - serviceConfig.StandardError = "journal"; - serviceConfig.WorkingDirectory = "/home/komunix"; - serviceConfig.StateDirectory = "cachex"; - serviceConfig.RuntimeDirectory = "cachex"; - serviceConfig.ExecStart = # bash - '' - ${lib.getExe pkgs.caddy} file-server --root /home/komunix/cachex --listen 127.0.0.1:2022 - ''; - wantedBy = [ "multi-user.target" ]; - }; + 
services.cachex.enable = true; + services.cachex.enableCron = true; + services.cachex.workDir = config.users.users.komunix.home; + services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; } ) ]; }; flake.nixosModules.common = { - nixpkgs.config.allowUnfree = true; + system.stateVersion = "24.05"; nix.settings.auto-optimise-store = true; nix.settings.fallback = true; nix.settings.experimental-features = [ 
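Review bot: In `packages.cachex` the fallback `USAGE=$(df -h "$NFS_DIR" | tail -n1 || 0)` does not substitute a default: on failure bash looks for a command named `0`, which under `writeShellApplication`'s strict mode aborts the script instead of degrading; it should be `|| echo "0"`. The script also dereferences `$1` unconditionally, so an invocation without the NFS directory fails on `nounset` before producing any page — `NFS_DIR="${1:?usage: cachex <nfs-dir>}"` would make that failure mode readable in the cron log. `services.cachex.cachexPackage = self.packages.aarch64-linux.cachex` hard-codes the system in both configurations; `self.packages.${pkgs.stdenv.hostPlatform.system}.cachex` keeps the module usable for another architecture.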
@@ -108,4 +74,121 @@ "nix-command" ]; }; + + flake.nixosModules.maintainers = { + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" + ]; + users.users.komunix = { + home = "/home/komunix"; + createHome = true; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" + ]; + }; + }; + + flake.nixosModules.services-cachex = + { + pkgs, + config, + lib, + ... + }: + let + cfg = config.services.cachex; + in + with lib; + { + options.services.cachex = { + enable = mkOption { + default = false; + type = with types; bool; + description = '' + Enable caddy for cachex + ''; + }; + enableCron = mkOption { + default = false; + type = with types; bool; + description = '' + Enable cachex in cron job + ''; + }; + cachexPackage = mkOption { + type = types.package; + description = '' + Cachex Package + ''; + }; + caddyPackage = mkOption { + default = pkgs.caddy; + type = types.package; + description = '' + Caddy package + ''; + example = literalExample "pkgs.caddy"; + }; + workDir = mkOption { + type = types.str; + example = literalExample "/home/komunix"; + }; + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + Listen Address + ''; + }; + listenPort = mkOption { + type = types.port; + default = 2022; + description = '' + Listen Address + ''; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.caddyPackage ]; + + services.cron.enable = cfg.enableCron; + services.cron.systemCronJobs = [ + "* * * * * cachex ${getExe cfg.cachexPackage} > 
${cfg.workDir}/cachex/index.html" + ]; + + system.activationScripts.createDir = + # bash + mkBefore '' + [[ -d ${cfg.workDir}/cachex ]] || \ + (mkdir -p ${cfg.workDir}/cachex && chown komunix:users ${cfg.workDir}/cachex) + + [[ -d ${cfg.workDir}/nfs ]] || \ + (mount -t nfs -O rw,username=komunix,uid=1030,gid=100 100.121.185.1:/volume2/komunix ${cfg.workDir}/nfs) + + ${getExe cfg.cachexPackage} ${cfg.workDir}/nfs > ${cfg.workDir}/cachex/index.html + ''; + + systemd.services.caddy = { + unitConfig.Description = "Caddy"; + serviceConfig.StartLimitIntervalSec = 5; + serviceConfig.StartLimitBurst = 10; + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = 10; + serviceConfig.StandardOutput = null; + serviceConfig.StandardError = "journal"; + serviceConfig.WorkingDirectory = cfg.workDir; + serviceConfig.StateDirectory = "cachex"; + serviceConfig.RuntimeDirectory = "cachex"; + serviceConfig.ExecStart = # bash + '' + ${getExe cfg.caddyPackage} file-server --root ${cfg.workDir}/cachex --listen ${cfg.listenAddress}:${toString cfg.listenPort} + ''; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; } From 24430fe9cd431e709153a4be512c6ca2b5369701 Mon Sep 17 00:00:00 2001 From: r17x Date: Fri, 8 Nov 2024 00:31:15 +0700 Subject: [PATCH 03/15] chore: precommit enable --- .envrc.example | 2 +- .gitignore | 2 ++ nix/default.nix | 39 +++++++++++++++++++++++++++------------ 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/.envrc.example b/.envrc.example index b682864..b61ff84 100644 --- a/.envrc.example +++ b/.envrc.example @@ -1,4 +1,4 @@ -use_nix +use flake export TF_VAR_do_token= export TF_VAR_linode_token= diff --git a/.gitignore b/.gitignore index bdeb823..55d40fe 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,5 @@ terraform.tfstate.* .direnv # End of https://www.toptal.com/developers/gitignore/api/direnv + +.pre-commit-config.yaml diff --git a/nix/default.nix b/nix/default.nix index 70414fd..54d8526 100644 --- a/nix/default.nix 
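Review bot: `services.cron.systemCronJobs` schedules the job under user `cachex`, but no module creates that account, so cron rejects the line; use the account the activation script already chowns to (`komunix`) or declare `users.users.cachex`, and replace the hard-coded `chown komunix:users` with an option (or derive it from the cron user) since this module is meant to be generic. The Caddy unit serves a static directory as root; `serviceConfig.DynamicUser = true` (or `User = "komunix"`) with `ProtectSystem = "strict"` would fit a file-server bound to `${cfg.listenAddress}:${toString cfg.listenPort}`. Minor: `literalExample` is deprecated in favour of `literalExpression`, the `listenPort` description is a copy of `listenAddress`'s (`Listen Address`), and `StartLimitIntervalSec` belongs in `unitConfig` (in `[Service]` only the legacy `StartLimitInterval` is accepted).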
+++ b/nix/default.nix @@ -8,9 +8,22 @@ perSystem = { pkgs, + config, ... }: { + pre-commit.check.enable = true; + pre-commit.settings.hooks = { + actionlint.enable = true; + shellcheck.enable = true; + deadnix.enable = true; + deadnix.excludes = [ "nix/overlays/nodePackages/node2nix" ]; + nixfmt-rfc-style.enable = true; + }; + devShells.default = pkgs.mkShell { + shellHook = config.pre-commit.installationScript; + buildInputs = config.pre-commit.settings.enabledPackages; + }; packages.cachex = pkgs.writeShellApplication { name = "cachex"; runtimeInputs = with pkgs; [ @@ -75,22 +88,23 @@ ]; }; - flake.nixosModules.maintainers = { - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" - ]; - users.users.komunix = { - home = "/home/komunix"; - createHome = true; - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ + flake.nixosModules.maintainers = + let + keys = [ "ssh-rsa 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" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck=" ]; + in + { + users.users.root.openssh.authorizedKeys.keys = keys; + users.users.komunix = { + home = "/home/komunix"; + createHome = true; + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = keys; + }; }; - }; flake.nixosModules.services-cachex = { @@ -166,6 +180,7 @@ [[ -d ${cfg.workDir}/cachex ]] || \ (mkdir -p ${cfg.workDir}/cachex && chown komunix:users ${cfg.workDir}/cachex) + # TODO: better way is using options `services.nfs.*` from `NixOS`. [[ -d ${cfg.workDir}/nfs ]] || \ (mount -t nfs -O rw,username=komunix,uid=1030,gid=100 100.121.185.1:/volume2/komunix ${cfg.workDir}/nfs) 
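Review bot: The refactored `maintainers` module installs the same `keys` list for `root` as for `komunix`, so root stays directly reachable over SSH; `komunix` is already in `wheel`, so the root entry adds only a second path into the account most worth protecting, and dropping it together with `services.openssh.settings.PermitRootLogin = "no"` would make the intended policy explicit. Factoring the list into one `keys` binding is a good change; naming it `maintainerKeys` would say what it is at both use sites. In the pre-commit hunk of this commit, `deadnix.excludes = [ "nix/overlays/nodePackages/node2nix" ]` names a path that does not exist anywhere in this series, so it looks copied from another repository and can go.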
From dbb81cd0f6d99cb2e215779f12cca18b82681edb Mon Sep 17 00:00:00 2001 From: r17x Date: Fri, 8 Nov 2024 10:47:51 +0700 Subject: [PATCH 04/15] feat(machine): add raspi system --- nix/default.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+)
diff --git a/nix/default.nix b/nix/default.nix
index 54d8526..697e70c 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -47,6 +47,27 @@
 };
 };
 
+ /**
+ Build image for Raspberry Pi:
+ `nix build .#nixosConfigurations.komunix-pi.config.system.build.sdImage` to build the sd card image, and
+ `nix build .#nixosConfigurations.komunix-pi.config.system.build.toplevel` to build (only) the system
+ */
+ flake.nixosConfigurations.komunix-pi = inputs.nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = inputs.nixpkgs.lib.attrValues self.nixosModules ++ [
+ "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+ (
+ { config, ... }:
+ {
+ services.cachex.enable = true;
+ services.cachex.enableCron = true;
+ services.cachex.workDir = config.users.users.komunix.home;
+ services.cachex.cachexPackage = self.packages.aarch64-linux.cachex;
+ }
+ )
+ ];
+ };
+
 flake.nixosConfigurations.komunix-dev = inputs.nixpkgs.lib.nixosSystem {
 system = "aarch64-linux";
 modules = inputs.nixpkgs.lib.attrValues self.nixosModules ++ [
From 6ad086c4575e57a6ee208b2ef77535d717eb0889 Mon Sep 17 00:00:00 2001 From: r17x Date: Sun, 10 Nov 2024 15:14:06 +0700 Subject: [PATCH 05/15] feat(secrets): add tailscale auth key --- .gitattributes | 1 + .sops.yaml | 8 ++++++++ secrets/secret.yaml | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+) create mode 100644 .gitattributes create mode 100644 .sops.yaml create mode 100644 secrets/secret.yaml
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..42d7b0d
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+secrets/*.yaml diff=sopsdiffer
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0e80765
--- /dev/null
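Review bot: The new `komunix-pi` configuration repeats the same four `services.cachex.*` lines that `komunix-dev` and `komunix` already carry, so any change to the cachex options (patch 07 of this series makes exactly such a rename) has to be applied three times; a small shared `flake.nixosModules.cachex-host` holding those lines, or sensible defaults inside `services-cachex`, would remove the duplication. `self.packages.aarch64-linux.cachex` is fixed to one system in all three places; `self.packages.${pkgs.stdenv.hostPlatform.system}.cachex` would follow the `system` set a few lines above. The `/** … */` doc comment with the two `nix build` invocations is a good addition and could mention that the SD image profile imports no hardware-specific overlay, so the Pi model it targets is whatever `sd-image-aarch64.nix` defaults to.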
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &r17x B0B63B776767DFAA669D06715CA1E57AFBF76F90
+creation_rules:
+ - path_regex: secrets/(?:[^/]+/)*[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *r17x
+
diff --git a/secrets/secret.yaml b/secrets/secret.yaml
new file mode 100644
index 0000000..4b281a0
--- /dev/null
+++ b/secrets/secret.yaml
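Review bot: `creation_rules` lists a single PGP recipient (`*r17x`), so only that personal key can decrypt `secrets/secret.yaml`; no host has a matching age or PGP recipient at this point, which means the `tailscale_auth_key` secret committed in the same commit cannot be consumed by any NixOS system until a host key is added (patch 08 of the series does this for `komunix-dev`), and that ordering is worth a line in the commit message. `path_regex` is unanchored and sops matches it with search semantics, so `^secrets/(?:[^/]+/)*[^/]+\.(yaml|json|env|ini)$` would keep a file under e.g. `foo/secrets/` from matching a rule meant for the top-level directory.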
@@ -0,0 +1,32 @@ +tailscale_auth_key: ENC[AES256_GCM,data:dmYEr+eOf6UO2u7wBFWABERE5kt+3plKQOGQWR4HA+9gC0BGDgtW/AYNyoy4b1p50pQP9vo16X9UPXmTIg==,iv:hNS2NaAiQmzpYSv7A0hGooBPwDPBlvh+5cTURy0U280=,tag:r3zephEEu7KK77mt2ft9tQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-11-10T08:13:27Z" + mac: ENC[AES256_GCM,data:cGaGo4y/NqHUOIWO82j6kIbJ1YQWZGdZO7CQFEDY+oyK5sPQR9m6KNVXyPLjgc9omiiF3BFyiPK7vmz2TV9xQx5hnSqYZn+KO8iM0d99LeBKQCYPzTVJA476oVhdnGxhuvNhVvMQ2k4OWuLufSB+NXXzTeiPVZmIRmfbz9jM6fY=,iv:DHYTN5hxqfzALIxaaqnvUCPi8q/5LqadOyHBIwMzrKw=,tag:j1dLRYSYxaW8mCWXoPXTEA==,type:str] + pgp: + - created_at: "2024-11-10T08:13:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7z/T8UoYDaeAQ/9EAHedDm5FAGX7mgvQ2ojyi222Uo395YjyFqe45lL98zn + rWuDqCs2A/3Tdf+F2qUqvNQLLxi2iKbX5vc7+O4zBSzFs3ZpMuBTPxbVwJwdTPO9 + CQqmvw7qWBFu7L2k6KIeC6FVOGziAG8y2Y7ltyR1zK/H0BaWdjI3yEvjqT5oYhS6 + AnrVZwYWWS/syzJT2dp/ABINzMsfxPDFOdXLY+re3/yzf6vqvQfCXbVe/1D14prV + FVCXHXtu151PN7CmAr+bZ33834+WQ0nitHsBbalC4SxcHGZ93hO82D924lgp9Svb + pyt8jJ9rhGTTI6uGEmLQI/mcuRUJWhRI2MwhZQyZNdkJ4ezbYlcF/3CRP/RF7gHB + ixwwfvkoy0CRJZRf7y2GdSgrwrLCDB41+QOF5MwyOFtC1GsgV66LCEEQwKv7fez5 + FtFtin4hSGNHOM0/dXtO8ikIKRbHqtoP8fSdeYSibOFSZh8i0kVXfP+qSR1t7qq1 + BZZPbTpcvoJ3NyjB+Xj2MZW36bt/gUSsGyRcXxkAo/ZsXK6kFzjSMMtUiwZwJMY4 + 5Jy1o7HXKr4jZ3PTmIw776aUSDKdmblTc5daZLhFVja1Ztj4/c+S8l1xpr26JwLe + 5AhZ92GErXXHxMONmciUZVzFKBiyHHDUQfECK2vjaKtCJoWS2iyjHDXFZGJ/O0nS + XAFyOeFT91bQFP+v0MghKGfRynLvcDmo+LHzH/zihIrScANAMB6NJjIoJSQWjhyr + P8r5mHvJVeNKetvv0IuP/99nlk9yHb0rf3DY5TcU9gUXp4ARI8FBw4f4/xXm + =EUGP + -----END PGP MESSAGE----- + fp: B0B63B776767DFAA669D06715CA1E57AFBF76F90 + unencrypted_suffix: _unencrypted + version: 3.9.0 From 68e3540803e4d71f86bc721f59384e9d4ab91667 Mon Sep 17 00:00:00 2001 From: r17x Date: Sun, 10 Nov 2024 15:32:12 +0700 Subject: [PATCH 06/15] chore: update gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.gitignore b/.gitignore index 55d40fe..37a95bf 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ terraform.tfstate.* # End of https://www.toptal.com/developers/gitignore/api/direnv .pre-commit-config.yaml + +result From ff23ea9bfde84bb00279bab4518db0fbc7ce6262 Mon Sep 17 00:00:00 2001 From: r17x Date: Sun, 10 Nov 2024 15:32:20 +0700 Subject: [PATCH 07/15] feat(cachex): using nfs in service --- nix/default.nix | 85 ++++++++++++++++++++++++++++++------------------- 1 file changed, 53 insertions(+), 32 deletions(-) diff --git a/nix/default.nix b/nix/default.nix index 697e70c..43cd432 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -34,9 +34,9 @@ text = '' NFS_DIR="$1" TIMESTAMP=$(date +%s) - USAGE=$(df -h "$NFS_DIR" | tail -n1 || 0) - TOTAL_CACHE=$(find "$NFS_DIR" -type f | wc -l) - NICE=$(du -sh "$NFS_DIR") + USAGE=$(timeout 5s df -h "$NFS_DIR" | tail -n1 || echo "0") + TOTAL_CACHE=$(find "$NFS_DIR" -type f | wc -l || echo "0") + NICE=$(du -sh "$NFS_DIR" || echo "0") export TIMESTAMP export USAGE @@ -60,9 +60,9 @@ { config, ... }: { services.cachex.enable = true; - services.cachex.enableCron = true; - services.cachex.workDir = config.users.users.komunix.home; services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; + services.cachex.settings.cron = true; + services.cachex.settings.workDir = config.users.users.komunix.home; } ) ]; @@ -76,9 +76,9 @@ { config, ... }: { services.cachex.enable = true; - services.cachex.enableCron = true; - services.cachex.workDir = config.users.users.komunix.home; services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; + services.cachex.settings.cron = true; + services.cachex.settings.workDir = config.users.users.komunix.home; } ) ]; 
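Review bot: Only `df` is wrapped in `timeout 5s`; `find "$NFS_DIR" -type f | wc -l` and `du -sh "$NFS_DIR"` walk the whole NFS tree with no bound, so when the share is slow or the server is unreachable the every-minute cron job configured later in this commit stacks up hung processes. Give all three the same treatment, e.g. `TOTAL_CACHE=$(timeout 60s find "$NFS_DIR" -type f | wc -l || echo "0")` and `NICE=$(timeout 60s du -sh "$NFS_DIR" || echo "0")`, and consider `flock -n` around the script so overlapping runs are skipped rather than queued. The `|| echo "0"` after `wc -l` only fires if the pipeline as a whole fails, which relies on `pipefail` being set by `writeShellApplication` — true as far as I know, but a comment saying so would stop the next reader from "fixing" it.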
@@ -91,9 +91,9 @@ { config, ... }: { services.cachex.enable = true; - services.cachex.enableCron = true; - services.cachex.workDir = config.users.users.komunix.home; services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; + services.cachex.settings.cron = true; + services.cachex.settings.workDir = config.users.users.komunix.home; } ) ]; @@ -122,7 +122,10 @@ home = "/home/komunix"; createHome = true; isNormalUser = true; - extraGroups = [ "wheel" ]; + extraGroups = [ + "wheel" + "networkmanager" + ]; openssh.authorizedKeys.keys = keys; }; }; @@ -147,13 +150,6 @@ Enable caddy for cachex ''; }; - enableCron = mkOption { - default = false; - type = with types; bool; - description = '' - Enable cachex in cron job - ''; - }; cachexPackage = mkOption { type = types.package; description = '' @@ -168,18 +164,25 @@ ''; example = literalExample "pkgs.caddy"; }; - workDir = mkOption { + settings.cron = mkOption { + default = false; + type = with types; bool; + description = '' + Enable cachex in cron job + ''; + }; + settings.workDir = mkOption { type = types.str; example = literalExample "/home/komunix"; }; - listenAddress = mkOption { + settings.listenAddress = mkOption { type = types.str; default = "127.0.0.1"; description = '' Listen Address ''; }; - listenPort = mkOption { + settings.listenPort = mkOption { type = types.port; default = 2022; description = '' 
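Review bot: `settings.listenPort`'s description still reads `Listen Address`, copied from the option above it, and `settings.workDir` has neither a description nor a default, so leaving it unset fails evaluation with an opaque error; `description = "Listen port"` and `description = "Directory under which cachex/ and nfs/ are created"` would make `nixos-option` output usable. The hunk at `@@ -122` adds `komunix` to the `networkmanager` group, but nothing in the series enables NetworkManager, so either the group is unused or the service is configured elsewhere — a short comment on why a cache host's service user needs to change network settings would settle that. The `enableCron` → `settings.cron` rename is fine, but all three host configurations had to be edited for it, which the duplication noted earlier in the series explains.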
@@ -187,41 +190,59 @@ ''; }; }; + config = mkIf cfg.enable { environment.systemPackages = [ cfg.caddyPackage ]; - services.cron.enable = cfg.enableCron; + services.cron.enable = cfg.settings.cron; services.cron.systemCronJobs = [ - "* * * * * cachex ${getExe cfg.cachexPackage} > ${cfg.workDir}/cachex/index.html" + "* * * * * cachex ${getExe cfg.cachexPackage} > ${cfg.settings.workDir}/cachex/index.html" + ]; + + services.rpcbind.enable = true; # needed for NFS + systemd.mounts = [ + { + type = "nfs"; + mountConfig = { + Options = "noatime"; + }; + what = "100.121.185.1:/volume2/komunix"; + where = "${cfg.settings.workDir}/nfs"; + } + ]; + systemd.automounts = [ + { + wantedBy = [ "multi-user.target" ]; + automountConfig = { + TimeoutIdleSec = "600"; + }; + where = "${cfg.settings.workDir}/nfs"; + } ]; system.activationScripts.createDir = # bash mkBefore '' - [[ -d ${cfg.workDir}/cachex ]] || \ - (mkdir -p ${cfg.workDir}/cachex && chown komunix:users ${cfg.workDir}/cachex) - - # TODO: better way is using options `services.nfs.*` from `NixOS`. 
- [[ -d ${cfg.workDir}/nfs ]] || \ - (mount -t nfs -O rw,username=komunix,uid=1030,gid=100 100.121.185.1:/volume2/komunix ${cfg.workDir}/nfs) + [[ -d ${cfg.settings.workDir}/cachex ]] || \ + (mkdir -p ${cfg.settings.workDir}/cachex && chown komunix:users ${cfg.settings.workDir}/cachex) - ${getExe cfg.cachexPackage} ${cfg.workDir}/nfs > ${cfg.workDir}/cachex/index.html + ${getExe cfg.cachexPackage} ${cfg.settings.workDir}/nfs > ${cfg.settings.workDir}/cachex/index.html ''; systemd.services.caddy = { unitConfig.Description = "Caddy"; - serviceConfig.StartLimitIntervalSec = 5; + serviceConfig.StartLimitInterval = 5; serviceConfig.StartLimitBurst = 10; serviceConfig.Restart = "always"; serviceConfig.RestartSec = 10; serviceConfig.StandardOutput = null; serviceConfig.StandardError = "journal"; - serviceConfig.WorkingDirectory = cfg.workDir; + serviceConfig.WorkingDirectory = cfg.settings.workDir; serviceConfig.StateDirectory = "cachex"; serviceConfig.RuntimeDirectory = "cachex"; serviceConfig.ExecStart = # bash '' - ${getExe cfg.caddyPackage} file-server --root ${cfg.workDir}/cachex --listen ${cfg.listenAddress}:${toString cfg.listenPort} + ${getExe cfg.caddyPackage} file-server --root ${cfg.settings.workDir}/cachex --listen ${cfg.settings.listenAddress}:${toString cfg.settings.listenPort} ''; wantedBy = [ "multi-user.target" ]; }; From 5cd6c5b331c70cd35485b94d1aceabf5959bf36b Mon Sep 17 00:00:00 2001 From: r17x Date: Sun, 10 Nov 2024 17:55:32 +0700 Subject: [PATCH 08/15] feat(komunix): integrate tailscale --- .sops.yaml | 5 ++++- nix/default.nix | 20 ++++++++++++++++++++ secrets/secret.yaml | 41 +++++++++++++++++++++++++---------------- 3 files changed, 49 insertions(+), 17 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 0e80765..22f7061 100644 --- a/.sops.yaml +++ b/.sops.yaml 
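Review bot: Moving the NFS mount into `systemd.mounts` is the right direction, but the activation script still runs `chown komunix:users ${cfg.settings.workDir}/cachex` with a hard-coded user in a module that is otherwise parameterised through `cfg.settings.*`, and the mount sets only `Options = "noatime"`, so a server outage at boot leaves the mount unit waiting; `_netdev` plus bounded `timeo`/`retrans` values (or documenting that the automount is the only protection) would state the intent. `serviceConfig.StartLimitInterval` is the legacy spelling systemd still accepts in `[Service]`, so the rename silences the warning, but `unitConfig.StartLimitIntervalSec = 5` is the current form. Caddy still runs as root with `--root ${cfg.settings.workDir}/cachex`; since it only serves static files, `serviceConfig.DynamicUser = true` (or `User = "komunix"`) with `ProtectHome = "read-only"` would confine it — note that plain `ProtectHome = true` would hide a root under `/home`, hence the read-only variant.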
@@ -1,8 +1,11 @@ keys: - &r17x B0B63B776767DFAA669D06715CA1E57AFBF76F90 + - &komunix-dev age13rrpdnr7f9knpgdvafvjkp74ejacuhcvzhdw2j8h5xjwyrmrhv4s4tvr8j creation_rules: - path_regex: secrets/(?:[^/]+/)*[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - - *r17x + - *r17x + age: + - *komunix-dev diff --git a/nix/default.nix b/nix/default.nix index 43cd432..c85b0fc 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -75,6 +75,7 @@ ( { config, ... }: { + networking.hostName = "komunix-dev"; services.cachex.enable = true; services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; services.cachex.settings.cron = true; @@ -117,6 +118,15 @@ ]; in { + config, + ... + }: + { + + services.tailscale.enable = true; + services.tailscale.authKeyFile = config.sops.secrets.tailscale_auth_key.path; + services.tailscale.extraUpFlags = [ "--ssh" ]; + users.users.root.openssh.authorizedKeys.keys = keys; users.users.komunix = { home = "/home/komunix"; @@ -128,6 +138,16 @@ ]; openssh.authorizedKeys.keys = keys; }; + + imports = [ + inputs.sops.nixosModules.sops + ]; + + sops.defaultSopsFile = ../secrets/secret.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.generateKey = true; + sops.secrets.tailscale_auth_key = { }; }; flake.nixosModules.services-cachex = diff --git a/secrets/secret.yaml b/secrets/secret.yaml index 4b281a0..e6947aa 100644 --- a/secrets/secret.yaml +++ b/secrets/secret.yaml 
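Review bot: The sops block in the `@@ -128,6 +138,16 @@` hunk provides two age identities — the host SSH key converted via `sops.age.sshKeyPaths` and a generated `/var/lib/sops-nix/key.txt` — while `.sops.yaml` gains a single `komunix-dev` recipient, so at most one of them can decrypt; with `sops.age.generateKey = true` the generated key's public half is never fed back into `.sops.yaml`, leaving an unused identity on disk unless `key.txt` already existed when the recipient was exported. Keep one source and record its provenance, e.g. a comment beside the recipient in `.sops.yaml` such as `# komunix-dev: ssh-to-age of the host's /etc/ssh/ssh_host_ed25519_key`, or drop the `keyFile`/`generateKey` pair. In the `@@ -117,6 +118,15 @@` hunk `services.tailscale.extraUpFlags = [ "--ssh" ]` turns on Tailscale SSH, whose access policy is the tailnet ACL rather than the `openssh.authorizedKeys.keys` lists this module maintains; a comment naming the ACL rule that grants `ssh` to this host keeps both access paths visible to reviewers. The `maintainers` module body extends beyond both hunks.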
@@ -4,28 +4,37 @@ sops: gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] + age: + - recipient: age13rrpdnr7f9knpgdvafvjkp74ejacuhcvzhdw2j8h5xjwyrmrhv4s4tvr8j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UFhka0dZbkt6eGd2L2VB + RGx5eW9uMEkrbHJqM1FGcUU5N0l2MkJrdkNBClhvTWJ0Z0lWOFRRZzQ3NCsrZUox + amV0UVM4TU1hS0NFclQ5TVZEVnN1ZzQKLS0tIERmSmwralpLRzNIeWJYaG92VTVR + YlVNM3RidG56bHIvbHRkeWs3NlJMRDQKBO+jzjiIxg3u/6LuqWIjTTVimcukED0V + P+P8duF+keHnchpvD4Vi6EIcVK9Gb6MfODiUWqntsfL3R9Uc4DyutQ== + -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-10T08:13:27Z" mac: ENC[AES256_GCM,data:cGaGo4y/NqHUOIWO82j6kIbJ1YQWZGdZO7CQFEDY+oyK5sPQR9m6KNVXyPLjgc9omiiF3BFyiPK7vmz2TV9xQx5hnSqYZn+KO8iM0d99LeBKQCYPzTVJA476oVhdnGxhuvNhVvMQ2k4OWuLufSB+NXXzTeiPVZmIRmfbz9jM6fY=,iv:DHYTN5hxqfzALIxaaqnvUCPi8q/5LqadOyHBIwMzrKw=,tag:j1dLRYSYxaW8mCWXoPXTEA==,type:str] pgp: - - created_at: "2024-11-10T08:13:27Z" + - created_at: "2024-11-10T09:14:37Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA7z/T8UoYDaeAQ/9EAHedDm5FAGX7mgvQ2ojyi222Uo395YjyFqe45lL98zn - rWuDqCs2A/3Tdf+F2qUqvNQLLxi2iKbX5vc7+O4zBSzFs3ZpMuBTPxbVwJwdTPO9 - CQqmvw7qWBFu7L2k6KIeC6FVOGziAG8y2Y7ltyR1zK/H0BaWdjI3yEvjqT5oYhS6 - AnrVZwYWWS/syzJT2dp/ABINzMsfxPDFOdXLY+re3/yzf6vqvQfCXbVe/1D14prV - FVCXHXtu151PN7CmAr+bZ33834+WQ0nitHsBbalC4SxcHGZ93hO82D924lgp9Svb - pyt8jJ9rhGTTI6uGEmLQI/mcuRUJWhRI2MwhZQyZNdkJ4ezbYlcF/3CRP/RF7gHB - ixwwfvkoy0CRJZRf7y2GdSgrwrLCDB41+QOF5MwyOFtC1GsgV66LCEEQwKv7fez5 - FtFtin4hSGNHOM0/dXtO8ikIKRbHqtoP8fSdeYSibOFSZh8i0kVXfP+qSR1t7qq1 - BZZPbTpcvoJ3NyjB+Xj2MZW36bt/gUSsGyRcXxkAo/ZsXK6kFzjSMMtUiwZwJMY4 - 5Jy1o7HXKr4jZ3PTmIw776aUSDKdmblTc5daZLhFVja1Ztj4/c+S8l1xpr26JwLe - 5AhZ92GErXXHxMONmciUZVzFKBiyHHDUQfECK2vjaKtCJoWS2iyjHDXFZGJ/O0nS - XAFyOeFT91bQFP+v0MghKGfRynLvcDmo+LHzH/zihIrScANAMB6NJjIoJSQWjhyr - P8r5mHvJVeNKetvv0IuP/99nlk9yHb0rf3DY5TcU9gUXp4ARI8FBw4f4/xXm - =EUGP + hQIMA7z/T8UoYDaeARAAqg3MtNk7Y1T95qnEbWTw0OvO7GuPmiRO+cvctCbcvkRS + 
CpQ7rSfni+roJOI6uvny/MAFJtS/uybSVbgaaQj/rljWv+e/nCx/sYsg3vjIlL8l + MPEjjxcYn82CFkIOXJbsRuFMtKzE3wFugBojZIEql/byZ84fGQp3J53N6pYdSp04 + eK/nJnYoMj0bhyQIugn7F4hRDvl0rH1nSHFFdBiPuqa86DVyermnQtNoQhL2Xqk5 + QN3Ug4HWJ9h7qPofPIjVXn+bbMTwJaDZn4V9JKgJT79XQ+0oRz560N10XMMuqOUt + xpoUjakFW+GRToLu0zyG1hmXog0whxL1uK0RAdHxPQAADjy0fFJUR54fKVu0tmxX + 2O/TI8wOhxFM1xgAFOT+Ta8v5lwtQoVKGq7rCnsLRfU2UnSkpyH3QqygXD2Br1BV + YVzYzPND/H5uTKSp7sWVn/QMubTX96o/bXa1Pf0Lc3I6iGAOmwFq5ayKO6gRhd6P + G2IVW0rspg6qOPEBbTwbrbu1ZsEoNF4gkxtn9sAinLWSKyzQnrqJbWScVFd2NWSn + +4iy0ZjxExG5JyU3IgEknQ6wPnJjYGnKqQZSD5ZBtVFE4DBBt2FV5nSbVSK1YK0a + tl1EeVB5Tv/hRVdZRC/amoDUKO9iury7UlzVj7MYh8knf5Q5bUfrkEb+0vUJPUrS + XAHESNWRiS+wdetivov5wQV13sV99RBvO1HW1S6i0sb0lIeQHvUglbBiuGXSNNaN + qNlykGB2HHVsB6kIZfbT6XAjVY6zzTUb+qmV3IUTBLjTgTq6fXWY4TuDXgzR + =qffB -----END PGP MESSAGE----- fp: B0B63B776767DFAA669D06715CA1E57AFBF76F90 unencrypted_suffix: _unencrypted From db1f161d564cb92da023151a981452d295a3751e Mon Sep 17 00:00:00 2001 From: r17x Date: Sun, 10 Nov 2024 20:45:49 +0700 Subject: [PATCH 09/15] feat(nfs): update nfs configurations --- nix/default.nix | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/nix/default.nix b/nix/default.nix index c85b0fc..9ecda10 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -127,6 +127,12 @@ services.tailscale.authKeyFile = config.sops.secrets.tailscale_auth_key.path; services.tailscale.extraUpFlags = [ "--ssh" ]; + sops.defaultSopsFile = ../secrets/secret.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.generateKey = true; + sops.secrets.tailscale_auth_key = { }; + users.users.root.openssh.authorizedKeys.keys = keys; users.users.komunix = { home = "/home/komunix"; 
@@ -143,11 +149,6 @@ inputs.sops.nixosModules.sops ]; - sops.defaultSopsFile = ../secrets/secret.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - sops.secrets.tailscale_auth_key = { }; }; flake.nixosModules.services-cachex = @@ -212,7 +213,9 @@ }; config = mkIf cfg.enable { - environment.systemPackages = [ cfg.caddyPackage ]; + environment.systemPackages = [ + cfg.caddyPackage + ]; services.cron.enable = cfg.settings.cron; services.cron.systemCronJobs = [ @@ -220,13 +223,17 @@ ]; services.rpcbind.enable = true; # needed for NFS + services.nfs.server.enable = true; + networking.hosts = { + "100.121.185.1" = [ "synology" ]; + }; systemd.mounts = [ { type = "nfs"; mountConfig = { - Options = "noatime"; + Options = "auto,nofail,noatime,nolock,intr,tcp"; }; - what = "100.121.185.1:/volume2/komunix"; + what = "synology:/volume2/komunix"; where = "${cfg.settings.workDir}/nfs"; } ]; From d6aef689a22e3f12e12aa43e1cf13987585c12da Mon Sep 17 00:00:00 2001 From: r17x Date: Mon, 11 Nov 2024 02:23:26 +0700 Subject: [PATCH 10/15] feat(komunix): fix nfs integrations --- nix/default.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/nix/default.nix b/nix/default.nix index 9ecda10..822109e 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -34,9 +34,9 @@ text = '' NFS_DIR="$1" TIMESTAMP=$(date +%s) - USAGE=$(timeout 5s df -h "$NFS_DIR" | tail -n1 || echo "0") - TOTAL_CACHE=$(find "$NFS_DIR" -type f | wc -l || echo "0") - NICE=$(du -sh "$NFS_DIR" || echo "0") + USAGE=$(df -h "$NFS_DIR/nix-cache" | tail -n1 || echo "0") + TOTAL_CACHE=$(find "$NFS_DIR/nix-cache" -type f | wc -l || echo "0") + NICE=$(du -sh "$NFS_DIR/nix-cache" || echo "0") export TIMESTAMP export USAGE 
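Review bot: Removing `timeout 5s` from the `df` call leaves the every-minute cron job with no bound against a stalled NFS server: `df`, `find` and `du` on an unresponsive mount block inside the kernel, and since cron starts a new job each minute the hung processes accumulate. Keep a bound on all three, e.g. `USAGE=$(timeout 5s df -h "$NFS_DIR/nix-cache" | tail -n1 || echo "0")` and the same prefix on the `find` and `du` lines. Note also that `|| echo "0"` after a pipeline only reacts to the exit status of the last command (`tail`, `wc`), so the fallback never fires when `df` or `find` itself fails unless the script runs with `set -o pipefail`, which is not visible in this hunk. The `find ... | wc -l` and `du -sh` walks traverse the entire cache on every run, which grows costly on a network share as the store fills; a comment on the expected size or a longer interval would be reasonable. The `text` block this script belongs to begins before the hunk.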
@@ -149,6 +149,11 @@ inputs.sops.nixosModules.sops ]; + # hosts aliases + networking.hosts = { + "100.121.185.1" = [ "synology" ]; + }; + }; flake.nixosModules.services-cachex = @@ -215,23 +220,20 @@ config = mkIf cfg.enable { environment.systemPackages = [ cfg.caddyPackage + pkgs.nfs-utils ]; services.cron.enable = cfg.settings.cron; services.cron.systemCronJobs = [ - "* * * * * cachex ${getExe cfg.cachexPackage} > ${cfg.settings.workDir}/cachex/index.html" + "* * * * * cachex ${getExe cfg.cachexPackage} ${cfg.settings.workDir}/nfs > ${cfg.settings.workDir}/cachex/index.html" ]; services.rpcbind.enable = true; # needed for NFS - services.nfs.server.enable = true; - networking.hosts = { - "100.121.185.1" = [ "synology" ]; - }; systemd.mounts = [ { type = "nfs"; mountConfig = { - Options = "auto,nofail,noatime,nolock,intr,tcp"; + Options = "auto,nofail,noatime,nolock,tcp"; }; what = "synology:/volume2/komunix"; where = "${cfg.settings.workDir}/nfs"; @@ -252,8 +254,6 @@ mkBefore '' [[ -d ${cfg.settings.workDir}/cachex ]] || \ (mkdir -p ${cfg.settings.workDir}/cachex && chown komunix:users ${cfg.settings.workDir}/cachex) - - ${getExe cfg.cachexPackage} ${cfg.settings.workDir}/nfs > ${cfg.settings.workDir}/cachex/index.html ''; systemd.services.caddy = { From a6b16b1676c6246dcd2b481649be96cec36122f3 Mon Sep 17 00:00:00 2001 From: r17x Date: Mon, 11 Nov 2024 04:40:06 +0700 Subject: [PATCH 11/15] feat(traefik): add traefik services --- nix/default.nix | 90 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/nix/default.nix b/nix/default.nix index 822109e..e802e44 100644 --- a/nix/default.nix +++ b/nix/default.nix 
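Review bot: The NFS mount in the `@@ -215,23 +220,20 @@` hunk is still mounted read-write although the only consumer visible in this series reads it (the `cachex` cron job, now passed `${cfg.settings.workDir}/nfs`, runs `df`, `find` and `du`); if nothing on this host writes to `synology:/volume2/komunix`, add `ro` so a misbehaving or compromised job cannot alter the cache store: `Options = "auto,nofail,noatime,nolock,tcp,ro";`. `nolock` also deserves a one-line comment, since it turns off NLM locking for every process that touches the mount and is only harmless while the share is used read-only from here. Dropping the activation-time `cachex` run in `@@ -252,8 +254,6 @@` means `index.html` does not exist until the first cron tick after boot; if Caddy is expected to serve something in that first minute, seed the file in `createDir` or document the gap. The `config = mkIf cfg.enable` attrset continues beyond these hunks.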
@@ -256,6 +256,96 @@ (mkdir -p ${cfg.settings.workDir}/cachex && chown komunix:users ${cfg.settings.workDir}/cachex) ''; + services.traefik.enable = true; + services.traefik.dynamicConfigOptions.http.middlewares.raspi.headers.customResponseHeaders."X-Served-From" = "raspi"; + services.traefik.dynamicConfigOptions.http.middlewares.cachex_index.headers.customResponseHeaders.server = "komunix 0.66.6"; + services.traefik.dynamicConfigOptions.http.middlewares.cachex_fallback.headers.customResponseHeaders."X-Komunix-Fallback-To" = "cache.nixos.org"; + services.traefik.dynamicConfigOptions.http.middlewares.nice.headers.customResponseHeaders."X-faultables" = "hayo mau cari apa .:monman"; + services.traefik.dynamicConfigOptions.http.middlewares.nice.headers.customResponseHeaders."X-Powered-By" = "PHP 69.42.0 (tapi boong)"; + + services.traefik.dynamicConfigOptions.http.services = { + komunix_index = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2026"; } + ]; + }; + nice = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2025"; } + ]; + }; + index = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2022"; } + ]; + }; + cachex_index = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2022"; } + ]; + }; + cachex_fallback = { + loadBalancer = { + servers = [ + { url = "http://127.0.0.1:8080"; } + ]; + passHostHeader = false; + }; + }; + cachex = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:8080"; } + ]; + }; + npm = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:4873"; } + ]; + }; + npm_index = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2023"; } + ]; + }; + }; + + services.traefik.dynamicConfigOptions.http.routers = { + nice = { + rule = "Host(`raspi.faultables.net`)"; + service = "nice"; + middlewares = [ "nice" ]; + }; + index = { + rule = "Host(`komunix.org`)"; + service = "komunix_index"; + middlewares = [ "raspi" ]; + }; + cachex = { + rule = "Host(`cache.komunix.org`) && PathPrefix (`/`)"; + service = 
"cachex_fallback"; + priority = 1; + middlewares = [ + "cachex_index" + "cachex_fallback" + ]; + }; + cachex_index = { + rule = "Host(`cache.komunix.org`) && Path (`/`)"; + service = "cachex_index"; + priority = 1337; + middlewares = [ "cachex_index" ]; + }; + npm = { + rule = "Host(`npm.komunix.org`) && PathPrefix (`/`)"; + service = "npm"; + }; + npm_index = { + rule = "Host(`npm.komunix.org`) && Path (`/`)"; + service = "npm_index"; + priority = 1337; + }; + }; + systemd.services.caddy = { unitConfig.Description = "Caddy"; serviceConfig.StartLimitInterval = 5; From 5e74cc84c9b35d52a9cbdf1318444e100f8bab9b Mon Sep 17 00:00:00 2001 From: r17x Date: Mon, 11 Nov 2024 10:10:24 +0700 Subject: [PATCH 12/15] feat(cachex): separate modules traefik and sops --- nix/default.nix | 272 +++++++++++++++++++++++++----------------------- 1 file changed, 139 insertions(+), 133 deletions(-) diff --git a/nix/default.nix b/nix/default.nix index e802e44..6c3f0c4 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -59,6 +59,9 @@ ( { config, ... }: { + networking.hostName = "komunix-dev"; + services.traefik.enable = true; + services.tailscale.enable = true; services.cachex.enable = true; services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; services.cachex.settings.cron = true; @@ -76,21 +79,8 @@ { config, ... }: { networking.hostName = "komunix-dev"; - services.cachex.enable = true; - services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; - services.cachex.settings.cron = true; - services.cachex.settings.workDir = config.users.users.komunix.home; - } - ) - ]; - }; - - flake.nixosConfigurations.komunix = inputs.nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - modules = inputs.nixpkgs.lib.attrValues self.nixosModules ++ [ - ( - { config, ... }: - { + services.traefik.enable = true; + services.tailscale.enable = true; services.cachex.enable = true; services.cachex.cachexPackage = self.packages.aarch64-linux.cachex; services.cachex.settings.cron = true; 
@@ -110,6 +100,24 @@ ]; }; + flake.nixosModules.tailscale = + { config, ... }: + { + services.tailscale.extraUpFlags = [ "--ssh" ]; + services.tailscale.authKeyFile = config.sops.secrets.tailscale_auth_key.path; + sops.secrets.tailscale_auth_key = { }; + }; + + flake.nixosModules.sops = { + imports = [ + inputs.sops.nixosModules.sops + ]; + sops.defaultSopsFile = ../secrets/secret.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.generateKey = true; + }; + flake.nixosModules.maintainers = let keys = [ @@ -118,20 +126,10 @@ ]; in { - config, - ... - }: - { - - services.tailscale.enable = true; - services.tailscale.authKeyFile = config.sops.secrets.tailscale_auth_key.path; - services.tailscale.extraUpFlags = [ "--ssh" ]; - - sops.defaultSopsFile = ../secrets/secret.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - sops.secrets.tailscale_auth_key = { }; + # hosts aliases + networking.hosts = { + "100.121.185.1" = [ "synology" ]; + }; users.users.root.openssh.authorizedKeys.keys = keys; users.users.komunix = { 
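Review bot: `flake.nixosModules.tailscale` depends on options that only `flake.nixosModules.sops` declares (it reads `config.sops.secrets.tailscale_auth_key.path` and defines `sops.secrets.tailscale_auth_key`), yet nothing records that dependency; on its own the module fails to evaluate, and it only works because the host configurations import `lib.attrValues self.nixosModules` wholesale. Make the dependency explicit, either by moving `sops.secrets.tailscale_auth_key = { };` into the `sops` module next to `sops.defaultSopsFile`, or with a comment at the top of the tailscale module such as `# requires self.nixosModules.sops (declares the sops.* options and the age key)`. The default `{ }` secret settings (root-owned, mode 0400) match a root-run tailscaled and are worth one line of comment so nobody loosens them later. The `maintainers` module in the second hunk continues beyond the hunk.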
@@ -144,16 +142,115 @@ ]; openssh.authorizedKeys.keys = keys; }; + }; - imports = [ - inputs.sops.nixosModules.sops - ]; + flake.nixosModules.traefik = + { config, lib, ... }: + let + configCachex = config.services.cachex; + cachexListen = "${configCachex.settings.listenAddress}:${toString configCachex.settings.listenPort}"; + in + { + services.traefik.dynamicConfigOptions.http.middlewares = + { + raspi.headers.customResponseHeaders."X-Served-From" = "raspi"; + cachex_fallback.headers.customResponseHeaders."X-Komunix-Fallback-To" = "cache.nixos.org"; + nice.headers.customResponseHeaders."X-faultables" = "hayo mau cari apa .:monman"; + nice.headers.customResponseHeaders."X-Powered-By" = "PHP 69.42.0 (tapi boong)"; + } + // (lib.optionalAttrs configCachex.enable { + cachex_index.headers.customResponseHeaders.server = "komunix 0.66.6"; - # hosts aliases - networking.hosts = { - "100.121.185.1" = [ "synology" ]; - }; + }); + services.traefik.dynamicConfigOptions.http.services = + { + komunix_index = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2026"; } + ]; + }; + nice = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2025"; } + ]; + }; + cachex_fallback = { + loadBalancer = { + servers = [ + { url = "http://127.0.0.1:8080"; } + ]; + passHostHeader = false; + }; + }; + cachex = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:8080"; } + ]; + }; + npm = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:4873"; } + ]; + }; + npm_index = { + loadBalancer.servers = [ + { url = "http://127.0.0.1:2023"; } + ]; + }; + } + // (lib.optionalAttrs configCachex.enable { + index = { + loadBalancer.servers = [ + { url = "http://${cachexListen}"; } + ]; + }; + cachex_index = { + loadBalancer.servers = [ + { url = "http://${cachexListen}"; } + ]; + }; + }); + + services.traefik.dynamicConfigOptions.http.routers = + { + nice = { + rule = "Host(`raspi.faultables.net`)"; + service = "nice"; + middlewares = [ "nice" ]; + }; + index = { + rule = 
"Host(`komunix.org`)"; + service = "komunix_index"; + middlewares = [ "raspi" ]; + }; + cachex = { + rule = "Host(`cache.komunix.org`) && PathPrefix (`/`)"; + service = "cachex_fallback"; + priority = 1; + middlewares = [ + "cachex_index" + "cachex_fallback" + ]; + }; + npm = { + rule = "Host(`npm.komunix.org`) && PathPrefix (`/`)"; + service = "npm"; + }; + npm_index = { + rule = "Host(`npm.komunix.org`) && Path (`/`)"; + service = "npm_index"; + priority = 1337; + }; + } + // (lib.optionalAttrs configCachex.enable { + cachex_index = { + rule = "Host(`cache.komunix.org`) && Path (`/`)"; + service = "cachex_index"; + priority = 1337; + middlewares = [ "cachex_index" ]; + }; + }); }; flake.nixosModules.services-cachex = @@ -222,6 +319,12 @@ cfg.caddyPackage pkgs.nfs-utils ]; + system.activationScripts.createDir = + # bash + mkBefore '' + [[ -d ${cfg.settings.workDir}/cachex ]] || \ + (mkdir -p ${cfg.settings.workDir}/cachex && chown komunix:users ${cfg.settings.workDir}/cachex) + ''; services.cron.enable = cfg.settings.cron; services.cron.systemCronJobs = [ 
@@ -249,103 +352,6 @@ } ]; - system.activationScripts.createDir = - # bash - mkBefore '' - [[ -d ${cfg.settings.workDir}/cachex ]] || \ - (mkdir -p ${cfg.settings.workDir}/cachex && chown komunix:users ${cfg.settings.workDir}/cachex) - ''; - - services.traefik.enable = true; - services.traefik.dynamicConfigOptions.http.middlewares.raspi.headers.customResponseHeaders."X-Served-From" = "raspi"; - services.traefik.dynamicConfigOptions.http.middlewares.cachex_index.headers.customResponseHeaders.server = "komunix 0.66.6"; - services.traefik.dynamicConfigOptions.http.middlewares.cachex_fallback.headers.customResponseHeaders."X-Komunix-Fallback-To" = "cache.nixos.org"; - services.traefik.dynamicConfigOptions.http.middlewares.nice.headers.customResponseHeaders."X-faultables" = "hayo mau cari apa .:monman"; - services.traefik.dynamicConfigOptions.http.middlewares.nice.headers.customResponseHeaders."X-Powered-By" = "PHP 69.42.0 (tapi boong)"; - - services.traefik.dynamicConfigOptions.http.services = { - komunix_index = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:2026"; } - ]; - }; - nice = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:2025"; } - ]; - }; - index = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:2022"; } - ]; - }; - cachex_index = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:2022"; } - ]; - }; - cachex_fallback = { - loadBalancer = { - servers = [ - { url = "http://127.0.0.1:8080"; } - ]; - passHostHeader = false; - }; - }; - cachex = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:8080"; } - ]; - }; - npm = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:4873"; } - ]; - }; - npm_index = { - loadBalancer.servers = [ - { url = "http://127.0.0.1:2023"; } - ]; - }; - }; - - services.traefik.dynamicConfigOptions.http.routers = { - nice = { - rule = "Host(`raspi.faultables.net`)"; - service = "nice"; - middlewares = [ "nice" ]; - }; - index = { - rule = "Host(`komunix.org`)"; - service = 
"komunix_index"; - middlewares = [ "raspi" ]; - }; - cachex = { - rule = "Host(`cache.komunix.org`) && PathPrefix (`/`)"; - service = "cachex_fallback"; - priority = 1; - middlewares = [ - "cachex_index" - "cachex_fallback" - ]; - }; - cachex_index = { - rule = "Host(`cache.komunix.org`) && Path (`/`)"; - service = "cachex_index"; - priority = 1337; - middlewares = [ "cachex_index" ]; - }; - npm = { - rule = "Host(`npm.komunix.org`) && PathPrefix (`/`)"; - service = "npm"; - }; - npm_index = { - rule = "Host(`npm.komunix.org`) && Path (`/`)"; - service = "npm_index"; - priority = 1337; - }; - }; - systemd.services.caddy = { unitConfig.Description = "Caddy"; serviceConfig.StartLimitInterval = 5; From 0d7febce2c2822162eb376da56cdd4b1b3d71a97 Mon Sep 17 00:00:00 2001 From: r17x Date: Mon, 11 Nov 2024 13:14:03 +0700 Subject: [PATCH 13/15] chore: removed legacy nix-shell --- shell.nix | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 shell.nix diff --git a/shell.nix b/shell.nix deleted file mode 100644 index e95205e..0000000 --- a/shell.nix +++ /dev/null @@ -1,13 +0,0 @@ -with import {}; - -pkgs.mkShell { - name = "area13"; - - buildInputs = [ - terraform - tfsec - terrascan - ripgrep - bat - ]; -} From ddee725268697206c8f0f21b3e85a797a3ae7f1d Mon Sep 17 00:00:00 2001 From: r17x Date: Fri, 22 Nov 2024 01:09:13 +0700 Subject: [PATCH 14/15] chore(lockfile): update & sync --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 6a8cc76..55917b9 100644 --- a/flake.lock +++ b/flake.lock 
@@ -69,11 +69,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1730768919,
- "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
+ "lastModified": 1731890469,
+ "narHash": "sha256-D1FNZ70NmQEwNxpSSdTXCSklBH1z2isPR84J6DQrJGs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
+ "rev": "5083ec887760adfe12af64830a66807423a859a7",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1727089097,
- "narHash": "sha256-ZMHMThPsthhUREwDebXw7GX45bJnBCVbfnH1g5iuSPc=",
+ "lastModified": 1731890469,
+ "narHash": "sha256-D1FNZ70NmQEwNxpSSdTXCSklBH1z2isPR84J6DQrJGs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "568bfef547c14ca438c56a0bece08b8bb2b71a9c",
+ "rev": "5083ec887760adfe12af64830a66807423a859a7",
 "type": "github"
 },
 "original": {
From a0b4d617b52c9262e2f14c0a3492b0302a264bff Mon Sep 17 00:00:00 2001 From: r17x Date: Sun, 1 Dec 2024 21:17:18 +0700 Subject: [PATCH 15/15] ci: update tailscale auth using ephemeral --- secrets/secret.yaml | 48 ++++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/secrets/secret.yaml b/secrets/secret.yaml
index e6947aa..b309b3e 100644
--- a/secrets/secret.yaml
+++ b/secrets/secret.yaml
@@ -1,4 +1,4 @@
-tailscale_auth_key: ENC[AES256_GCM,data:dmYEr+eOf6UO2u7wBFWABERE5kt+3plKQOGQWR4HA+9gC0BGDgtW/AYNyoy4b1p50pQP9vo16X9UPXmTIg==,iv:hNS2NaAiQmzpYSv7A0hGooBPwDPBlvh+5cTURy0U280=,tag:r3zephEEu7KK77mt2ft9tQ==,type:str]
+tailscale_auth_key: ENC[AES256_GCM,data:PZnV0h1Hx0jxy9nlxK8Xevw/FMxRwXzLpm+bPmAEjXlF1YTNakAyOxfkmI0YDu6cMfg7dIwhM7FTeTLiv3s=,iv:pg+91SCiIz1PO9x1yu98RMjcaTUZFg2qoOPf/xOQKrY=,tag:6SH5IHkWj8wg9CSUoITF/g==,type:str]
 sops:
 kms: []
 gcp_kms: []
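Review bot: Replacing `tailscale_auth_key` in the repository does not retire the previous key: the old ciphertext stays in git history and remains decryptable by every recipient listed in `.sops.yaml`, so the superseded key should be revoked in the Tailscale admin console as part of the same change, and the commit message should say that this was done. If the new key is ephemeral, as the subject suggests, nodes registered with it are removed from the tailnet once they go offline, which suits a rebuildable host but is worth a comment next to `services.tailscale.authKeyFile` in nix/default.nix, outside this patch, so the behaviour is not a surprise on the next reinstall. The remaining hunk is sops-generated metadata and needs no review.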
@@ -8,34 +8,34 @@ sops: - recipient: age13rrpdnr7f9knpgdvafvjkp74ejacuhcvzhdw2j8h5xjwyrmrhv4s4tvr8j enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UFhka0dZbkt6eGd2L2VB - RGx5eW9uMEkrbHJqM1FGcUU5N0l2MkJrdkNBClhvTWJ0Z0lWOFRRZzQ3NCsrZUox - amV0UVM4TU1hS0NFclQ5TVZEVnN1ZzQKLS0tIERmSmwralpLRzNIeWJYaG92VTVR - YlVNM3RidG56bHIvbHRkeWs3NlJMRDQKBO+jzjiIxg3u/6LuqWIjTTVimcukED0V - P+P8duF+keHnchpvD4Vi6EIcVK9Gb6MfODiUWqntsfL3R9Uc4DyutQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcDY1OEZTb3RWbTgwV2xu + NHVSNHNUMnZrS2o3SVMzZUVMRTdoOWpsODJnCmIzd2JCdG5aa1daQVhWNGpXNXls + OXF2VnkrV1lsMld0aU5ybXZ1TUsvSFUKLS0tIDF2T3hUNC9DYmFaSnVvL0FQdXNH + aUp6TjB6WGpwMlhqZkNqcU9ZeXlldnMKzwx4kqORo3Gg1mqY5iwlZGbAGVlJ9fP0 + Pe3AUBMMfWIfqC4cJs7IxdDCj0hIf65OEm9clM1zzKgZ7dhJGminkw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-10T08:13:27Z" - mac: ENC[AES256_GCM,data:cGaGo4y/NqHUOIWO82j6kIbJ1YQWZGdZO7CQFEDY+oyK5sPQR9m6KNVXyPLjgc9omiiF3BFyiPK7vmz2TV9xQx5hnSqYZn+KO8iM0d99LeBKQCYPzTVJA476oVhdnGxhuvNhVvMQ2k4OWuLufSB+NXXzTeiPVZmIRmfbz9jM6fY=,iv:DHYTN5hxqfzALIxaaqnvUCPi8q/5LqadOyHBIwMzrKw=,tag:j1dLRYSYxaW8mCWXoPXTEA==,type:str] + lastmodified: "2024-12-01T13:46:18Z" + mac: ENC[AES256_GCM,data:oK3zgYwGpReODsmRXMxFcywR7pKOSdaeQ1lpDfxjUdfFi923jLcfwrrHPyAuIjSIFRxDk/9EVpRW2d2ngaEC03XAmOH1jFmPMbWfGnszSPzuSF5cGiOf5ZRDREeQ6lwZqfHhU/x/8WdS69UXglgFQlBTA4n6fhWOUA+mxAFt2Pc=,iv:OrAzas6hJETTAtaJRreu6Dlemzo3Q3GAl7ws3HbAo20=,tag:yDq9XyG93Ib3tNgb0C2OXA==,type:str] pgp: - - created_at: "2024-11-10T09:14:37Z" + - created_at: "2024-12-01T13:46:18Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA7z/T8UoYDaeARAAqg3MtNk7Y1T95qnEbWTw0OvO7GuPmiRO+cvctCbcvkRS - CpQ7rSfni+roJOI6uvny/MAFJtS/uybSVbgaaQj/rljWv+e/nCx/sYsg3vjIlL8l - MPEjjxcYn82CFkIOXJbsRuFMtKzE3wFugBojZIEql/byZ84fGQp3J53N6pYdSp04 - eK/nJnYoMj0bhyQIugn7F4hRDvl0rH1nSHFFdBiPuqa86DVyermnQtNoQhL2Xqk5 - QN3Ug4HWJ9h7qPofPIjVXn+bbMTwJaDZn4V9JKgJT79XQ+0oRz560N10XMMuqOUt - 
xpoUjakFW+GRToLu0zyG1hmXog0whxL1uK0RAdHxPQAADjy0fFJUR54fKVu0tmxX - 2O/TI8wOhxFM1xgAFOT+Ta8v5lwtQoVKGq7rCnsLRfU2UnSkpyH3QqygXD2Br1BV - YVzYzPND/H5uTKSp7sWVn/QMubTX96o/bXa1Pf0Lc3I6iGAOmwFq5ayKO6gRhd6P - G2IVW0rspg6qOPEBbTwbrbu1ZsEoNF4gkxtn9sAinLWSKyzQnrqJbWScVFd2NWSn - +4iy0ZjxExG5JyU3IgEknQ6wPnJjYGnKqQZSD5ZBtVFE4DBBt2FV5nSbVSK1YK0a - tl1EeVB5Tv/hRVdZRC/amoDUKO9iury7UlzVj7MYh8knf5Q5bUfrkEb+0vUJPUrS - XAHESNWRiS+wdetivov5wQV13sV99RBvO1HW1S6i0sb0lIeQHvUglbBiuGXSNNaN - qNlykGB2HHVsB6kIZfbT6XAjVY6zzTUb+qmV3IUTBLjTgTq6fXWY4TuDXgzR - =qffB + hQIMA7z/T8UoYDaeARAAppUmjSqFkEc80P0p0/wip/vpSqHxXmBmLXv2d4WsFaGY + ZES8PN5YpJKmyBr6+2QuF3IzDhAUwzoFfSsKY02aGuOnCYlm0WtBUADocUv4IPp8 + Wu+9JegTeXXpgS4oU4lcOiit2mLIFg06DjMitRoC28Ip7vT+rWqtLXPwVpjAf7Ae + 3h6pVc6QcEi3iKHdl2To886NwmGObmMthl/IT1LhqPYPR2Y6Z/byVz3J71aPjcA2 + p4fLPA3CmykGJTLAQiSKBzZhIEz3dsHpoWDjPNleoCP9qpD0LedrpmiNgVFeqyg6 + q7XW2Dm+93Etzj77WJXtWEpCXV4d/9HRGiUwreWAS0TuNtlzPHJW1ZN6VYZEKoiW + XZ8+dU9Pxw1xmN5dxEzCf9wAt/FVx1V8gXFjvtJvklaDHUFDCc2hul87xGLYxmq4 + N69OQp7+rYQ+S5UbUkHcgMvdKcJXJds5pcZpjrVwY5wKyjU4K5+s7PAWiF0zwUl6 + o6GMznwMUD5BOO4sv4ZinT98BaiDzZNp0aKvwtRj75gVjtCNaR0pl9iVZ6o9K2at + CJ1wnGN5VEpzvNmypqN6V0UG6q5i1xw5TQ6wMzu52z0TgWOqCszNu0+KqGlYBpxD + S8Qoy2PfqOZhqD6IHBiHVpKw03uLkweit6nsb1q6ygC1OUFPs2CjCRaNqMlW9uLS + XgGeMniuWRSFSCcF05q1w/9wWxv/9/jCQ4Q9eXLP1kveY53CvgD7Ns9v318w1i4T + k+AKoN70cUafUDbyPSlelCUyZHMIOqzvjgHsjDGKb9zyIE9BUBb2XULeIwR9GHs= + =dY4Q -----END PGP MESSAGE----- fp: B0B63B776767DFAA669D06715CA1E57AFBF76F90 unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.1