diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index 09bd1ef..32829d6 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix @@ -29,7 +29,7 @@ wg = { privateIP = "10.0.0.1"; publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ="; - peers = [ "vps3" "vps4" ]; + peers = [ "vps3" "vps4" "vps5" ]; }; }; vps3 = { @@ -142,6 +142,7 @@ ./modules/contabo ./modules/wg-mesh ./modules/ingress + ./modules/garage ./modules/podman # apps diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix index 3c49bb3..40b6609 100644 --- a/newinfra/nix/modules/dns/noratrieb.dev.nix +++ b/newinfra/nix/modules/dns/noratrieb.dev.nix @@ -12,10 +12,15 @@ let vps2 = { A = [ "184.174.32.252" ]; }; + + combine = hosts: { + A = lib.lists.flatten (map (host: if builtins.hasAttr "A" host then host.A else [ ]) hosts); + AAAA = lib.lists.flatten (map (host: if builtins.hasAttr "AAAA" host then host.AAAA else [ ]) hosts); + }; in with hostsToDns; - # vps1 contains root noratrieb.dev - vps1 // { + # vps{1,3,4} contains root noratrieb.dev + combine [ vps1 vps3 vps4 ] // { SOA = { nameServer = "ns1.noratrieb.dev."; adminEmail = "void@noratrieb.dev"; diff --git a/newinfra/nix/modules/garage/README.md b/newinfra/nix/modules/garage/README.md index d049bb4..e1c57cb 100644 --- a/newinfra/nix/modules/garage/README.md +++ b/newinfra/nix/modules/garage/README.md @@ -8,6 +8,15 @@ | name | disk space | identifier | zone | | ---- | ---------- | ---------- | ----- | +| vps3 | 70GB | cabe | co-du | | vps3 | 100GB | 020bd | co-ka | | vps4 | 30GB | 41e40 | he-nu | | vps5 | 100GB | 848d8 | co-du | + +## buckets + +- `caddy-store`: Store for Caddy webservers + +## keys + +- `caddy`: `GK25e33d4ba20d54231e513b80` diff --git a/newinfra/nix/modules/ingress/base.Caddyfile b/newinfra/nix/modules/ingress/base.Caddyfile new file mode 100644 index 0000000..e429899 --- /dev/null +++ b/newinfra/nix/modules/ingress/base.Caddyfile @@ -0,0 +1,17 @@ +{ + email noratrieb@proton.me + auto_https disable_redirects + + storage s3 { + host "localhost:3900" + bucket "caddy-store" + # access_id ENV S3_ACCESS_ID + # secret_key ENV S3_SECRET_KEY + + insecure true + } +} + +http:// { + respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418 +} diff --git a/newinfra/nix/modules/ingress/caddy-build.nix b/newinfra/nix/modules/ingress/caddy-build.nix new file mode 100644 index 0000000..e82302e --- /dev/null +++ b/newinfra/nix/modules/ingress/caddy-build.nix @@ -0,0 +1,116 @@ +# Copied from https://github.com/NixOS/nixpkgs/pull/259275 and updated. + +{ lib +, buildGoModule +, fetchFromGitHub +, gnused +, nixosTests +, caddy +, stdenv +, testers +, installShellFiles +, externalPlugins ? [ ] +, vendorHash ? "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM=" +}: + +let + attrsToModules = attrs: + builtins.map ({ name, repo, version }: "${repo}") attrs; + attrsToSources = attrs: + builtins.map ({ name, repo, version }: "${repo}@${version}") attrs; +in +buildGoModule rec { + pname = "caddy"; + version = "2.8.4"; + + dist = fetchFromGitHub { + owner = "caddyserver"; + repo = "dist"; + rev = "v${version}"; + hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0="; + }; + + src = fetchFromGitHub { + owner = "caddyserver"; + repo = "caddy"; + rev = "v${version}"; + hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ="; + }; + + inherit vendorHash; + + subPackages = [ "cmd/caddy" ]; + + ldflags = [ + "-s" + "-w" + "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}" + ]; + + # matches upstream since v2.8.0 + tags = [ "nobadger" ]; + + nativeBuildInputs = [ gnused installShellFiles ]; + + modBuildPhase = '' + for module in ${builtins.toString (attrsToModules externalPlugins)}; do + sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go + done + for plugin in ${builtins.toString (attrsToSources externalPlugins)}; do + go get $plugin + done + + go generate + go mod vendor + ''; + + modInstallPhase = '' + mv -t vendor go.mod go.sum + cp -r --reflink=auto vendor "$out" + ''; + + preBuild = '' + chmod -R u+w vendor + [ -f vendor/go.mod ] && mv -t . vendor/go.{mod,sum} + go generate + + for module in ${builtins.toString (attrsToModules externalPlugins)}; do + sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go + done + ''; + + postInstall = '' + install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system + + substituteInPlace $out/lib/systemd/system/caddy.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + substituteInPlace $out/lib/systemd/system/caddy-api.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + '' + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' + # Generating man pages and completions fail on cross-compilation + # https://github.com/NixOS/nixpkgs/issues/308283 + + $out/bin/caddy manpage --directory manpages + installManPage manpages/* + + installShellCompletion --cmd caddy \ + --bash <($out/bin/caddy completion bash) \ + --fish <($out/bin/caddy completion fish) \ + --zsh <($out/bin/caddy completion zsh) + ''; + passthru.tests = { + inherit (nixosTests) caddy; + version = testers.testVersion { + command = "${caddy}/bin/caddy version"; + package = caddy; + }; + }; + + meta = with lib; { + homepage = "https://caddyserver.com"; + description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS"; + license = licenses.asl20; + mainProgram = "caddy"; + maintainers = with maintainers; [ Br1ght0ne emilylange techknowlogick ]; + }; +} diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix index e0a2704..ea925d1 100644 --- a/newinfra/nix/modules/ingress/default.nix +++ b/newinfra/nix/modules/ingress/default.nix @@ -1,7 +1,20 @@ -{ pkgs, nixpkgs-unstable, config, lib, name, website, slides, blog, ... }: +{ pkgs, config, lib, name, website, slides, blog, ... }: -let caddy = nixpkgs-unstable.caddy; in +let + caddy = pkgs.callPackage ./caddy-build.nix { + externalPlugins = [ + { + name = "certmagic-s3"; + repo = "github.com/noratrieb-mirrors/certmagic-s3"; + version = "e48519f95173e982767cbb881d49335b6a00a599"; + } + ]; + vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI="; + }; +in { + environment.systemPackages = [ caddy ]; + networking.firewall = { allowedTCPPorts = [ 80 # HTTP @@ -12,22 +25,17 @@ let caddy = nixpkgs-unstable.caddy; in ]; }; + age.secrets.caddy_s3_key_secret.file = ../../secrets/caddy_s3_key_secret.age; + + systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy_s3_key_secret.path; services.caddy = { enable = true; package = caddy; configFile = pkgs.writeTextFile { name = "Caddyfile"; text = ( + builtins.readFile ./base.Caddyfile + '' - { - email nilstrieb@proton.me - auto_https disable_redirects - } - - http:// { - respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418 - } - ${config.networking.hostName}.infra.noratrieb.dev { encode zstd gzip header -Last-Modified @@ -37,29 +45,33 @@ let caddy = nixpkgs-unstable.caddy; in inherit pkgs lib; }} file_server { - etag_file_extensions .sha256 - precompressed zstd gzip br + etag_file_extensions .sha256 + precompressed zstd gzip br } } ${ - if name == "vps1" then - builtins.readFile ./Caddyfile + '' - noratrieb.dev { - encode zstd gzip - header -Last-Modified - root * ${import ./caddy-static-prepare { - name = "website"; - src = website { inherit pkgs slides blog; }; - inherit pkgs lib; - }} - file_server { + if name == "vps1" || name == "vps3" || name == "vps4" then '' + noratrieb.dev { + encode zstd gzip + header -Last-Modified + root * ${import ./caddy-static-prepare { + name = "website"; + src = website { inherit pkgs slides blog; }; + inherit pkgs lib; + }} + file_server { etag_file_extensions .sha256 precompressed zstd gzip br - } - } + } + } '' else "" } + + ${ + if name == "vps1" then + builtins.readFile ./Caddyfile else "" + } '' ); checkPhase = '' diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age new file mode 100644 index 0000000..fb2c2a7 Binary files /dev/null and b/newinfra/nix/secrets/caddy_s3_key_secret.age differ diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 49979e7..954d1dd 100644 Binary files a/newinfra/nix/secrets/docker_registry_password.age and b/newinfra/nix/secrets/docker_registry_password.age differ diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age index 4535b10..db044a1 100644 Binary files a/newinfra/nix/secrets/garage_secrets.age and b/newinfra/nix/secrets/garage_secrets.age differ diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age index 17b2709..4a96015 100644 Binary files a/newinfra/nix/secrets/hugochat_db_password.age and b/newinfra/nix/secrets/hugochat_db_password.age differ diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index e257c84..8c5e8e2 100644 --- a/newinfra/nix/secrets/minio_env_file.age +++ b/newinfra/nix/secrets/minio_env_file.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg 5dnvDdUqtCoJo4RYNTpIw4ckH0um6E50ZcOs08ZZLig -6hwjJMNit300VZhBeID7kdV8NJBbZg/3bq8vHO8R9i8 --> ssh-ed25519 XzACZQ g+vhR2tRcQHZ/8Ud0oDxA0a+d1+dyNMVi21GbNRXrx0 -6kYx9RQYfuqvEfm3qpSp9oKXktJccqQoYEvI+SEhEqg ---- 1Z17ztzvaWForsjjcF72J0/bdSmZCqEuScxEQ22V6xo -G}7[ES݌ aOONlTGN_ -!H@ѬM6^$۲o@څuMY;(8++ϐMlQamG|Y \ No newline at end of file +-> ssh-ed25519 qM6TYg Jtt9cLPGha9Qs5gEuKSwU3E1bNMhrjlHtnj/I3dKqW0 +0iDfPorED8lq0Rc5LVDNWID7l2F+AnmeEr7Yik/OC44 +-> ssh-ed25519 XzACZQ Q9WpNGn/k35J0/LzGAlcf1ktN2/VG3nZdpfMbJXAnWw +bl2Pasbxmb6LNbWiZrEVBQ99gYYC5Md6kdvIt4VAf7k +--- +B0f8ilJGkB7Qj+BdzeKfW6HRl9yzMd+iT4sOAmJI5Y +\ȁ'ZtbJ7AL⛣&C+LMnhІ]R; ԆJHKO7B\(QmΒU>r4"XhIdcE6G_oN \ No newline at end of file diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix index 174ab60..3d82c2e 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/newinfra/nix/secrets/secrets.nix @@ -11,6 +11,7 @@ in "hugochat_db_password.age".publicKeys = [ vps1 ]; "minio_env_file.age".publicKeys = [ vps1 vps3 ]; "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; + "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; "wg_private_vps4.age".publicKeys = [ vps4 ]; diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age index 07c8d4f..2137537 100644 --- a/newinfra/nix/secrets/wg_private_vps1.age +++ b/newinfra/nix/secrets/wg_private_vps1.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg Q5X+l2POBANoYyo8HNMy89MLtpodzzN9prnQY71mSTE -X3MJesW3kfHCfCyvaWm22mOI8vSgP7JWlLugCXtiy+U ---- ZH3UZFDfQwZ+DIF3yFADfBKEv2K6k9DTCh5wLVnyaTs -i,1Ff [_+[ !>)ep'YAWg <^= (B)~eG \ No newline at end of file +-> ssh-ed25519 qM6TYg xCaglRQkcl1+kGIVjPEn+NlnrBUvcWLSH7MMPLXK9kU +78t/Z81+NaXQMW30EQH8WMhed6Lm77+atPTkBQbDMd0 +--- AsnraeejCWHj1iRI/1btRXI6tqdnBW4S+twfx35eNEI +61KqH\vélWIX{K;#S&g^.KQ8a7V:e)9Ќ!O \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age index 12dbf45..7a46f3d 100644 --- a/newinfra/nix/secrets/wg_private_vps3.age +++ b/newinfra/nix/secrets/wg_private_vps3.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 XzACZQ nsIkJQw/lrrXChkpFc87upQ4pbGefolI36wqMOWZGAE -t49QoSdb2azGQlDBX5AyWMxCOt+ETpT7erp4WU5p2rQ ---- 4UbCHfpAfwiuRYsiN3HgdhbSLFBG05DxGCw55XT1IGg -Y Ǝ 2Rs Q4d I.KpPFthaɍRX \ No newline at end of file +-> ssh-ed25519 XzACZQ PAqPA1RpuXwjKCsn838qwsuRmuh8ES7BPiyCIFdhMmA +QIAC+dfBMSZwzHwcQpO1IyDPKwTvr/iG35PkrFOyzwE +--- zNejM9ypNWH1Bg1J1V4UCqMIyVP+gIV/mmgBaCfFCKk +y2yv0W}qYmhZ{B|t7,@6B_V80iaz9@j) \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age index c019915..fd64f80 100644 --- a/newinfra/nix/secrets/wg_private_vps4.age +++ b/newinfra/nix/secrets/wg_private_vps4.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 51bcvA 9dYzUZSs/ilKHHRiuMgT6GEbtyBwWHAl8ycBcsvTQz0 -iq0ozCU1p1sekOH4qbxKxWezY2pyVM6LjhUuNpmTQx0 ---- wjCRFJISrIrpgosh7ZBNM1qR78BPmhVBBwFpaQc10oA -a~ue?'iIl C"w:\R) (.ե%*>p"uy4s>2 \ No newline at end of file +-> ssh-ed25519 51bcvA mJYJJnaKusYBpSL5qAokXISlrXkBZ0QPKZVPkiyKSnk +IAsX5+UPxhap7ehB9za8Q9aEfeA0Ypd4Tw7XiU4f2eM +--- VBlmFpr+g83UfZ4rftOkNzKL/ZxSxAi7/tBl4TMaln4 +m侒AWcNW-F6ȆyT=~kg%U ;Dݲi&[j+_ + \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age index ad4e00a..156b44e 100644 Binary files a/newinfra/nix/secrets/wg_private_vps5.age and b/newinfra/nix/secrets/wg_private_vps5.age differ diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 7a4f13c..009e9f6 100644 Binary files a/newinfra/nix/secrets/widetom_bot_token.age and b/newinfra/nix/secrets/widetom_bot_token.age differ diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age index 4d6b7a4..273d1e1 100644 Binary files a/newinfra/nix/secrets/widetom_config_toml.age and b/newinfra/nix/secrets/widetom_config_toml.age differ diff --git a/newinfra/secrets-git-crypt/caddy_s3_key_secret b/newinfra/secrets-git-crypt/caddy_s3_key_secret new file mode 100644 index 0000000..955a6d8 Binary files /dev/null and b/newinfra/secrets-git-crypt/caddy_s3_key_secret differ