nix
/
lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Many changes

This commit is contained in:
niten 2022-06-01 13:57:36 -07:00
parent 9edae4a39c
commit df53c13bb7
4 changed files with 293 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
lib/fudo/chat.nix
View File

@ -102,7 +102,7 @@ in {
EmailSettings = {
RequireEmailVerification = true;
SMTPServer = cfg.smtp.server;
SMTPPort = 587;
SMTPPort = "587";
EnableSMTPAuth = true;
SMTPUsername = cfg.smtp.user;
SMTPPassword = "__SMTP_PASSWD__";
@ -113,22 +113,20 @@ in {
};
EnableEmailInvitations = true;
SqlSettings.DriverName = "postgres";
SqlSettings.DataSource = "postgres://${
cfg.database.user
}:__DATABASE_PASSWORD__@${
cfg.database.hostname
}:5432/${
cfg.database.name
}";
SqlSettings.DataSource =
"postgres://${cfg.database.user}:__DATABASE_PASSWORD__@${cfg.database.hostname}:5432/${cfg.database.name}";
};
mattermost-config-file-template =
pkgs.writeText "mattermost-config.json.template" (builtins.toJSON modified-config);
pkgs.writeText "mattermost-config.json.template"
(builtins.toJSON modified-config);
generate-mattermost-config = target: template: smtp-passwd-file: db-passwd-file:
generate-mattermost-config =
target: template: smtp-passwd-file: db-passwd-file:
pkgs.writeScript "mattermost-config-generator.sh" ''
rm ${target}
SMTP_PASSWD=$( cat ${smtp-passwd-file} )
DATABASE_PASSWORD=$( cat ${db-passwd-file} )
sed -e 's/__SMTP_PASSWD__/"$SMTP_PASSWD"/' -e 's/__DATABASE_PASSWORD__/"$DATABASE_PASSWORD"/' ${template} > ${target}
sed -e "s/__SMTP_PASSWD__/$SMTP_PASSWD/" -e "s/__DATABASE_PASSWORD__/$DATABASE_PASSWORD/" ${template} > ${target}
'';
in {
@ -136,10 +134,10 @@ in {
users = {
${cfg.user} = {
isSystemUser = true;
group = mattermost-group;
group = cfg.group;
};
};
groups.${cfg.group}.members = [ cfg.user ];
groups = { ${cfg.group} = { members = [ cfg.user ]; }; };
};
fudo.system.services.mattermost = {
@ -147,16 +145,24 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
${generate-mattermost-config
mattermost-config-target
mattermost-config-file-template
cfg.smtp.password-file
cfg.database.password-file}
cp ${cfg.smtp.password-file} ${cfg.state-directory}/config/config.json
preStart =
let config-target = "${cfg.state-directory}/config/config.json";
in ''
if [ ! -f ${config-target} ]; then
${
generate-mattermost-config mattermost-config-target
mattermost-config-file-template cfg.smtp.password-file
cfg.database.password-file
}
cp ${mattermost-config-target} ${config-target}
chown ${cfg.user}:${cfg.group} ${config-target}
chmod 640 ${config-target}
fi
if [ ! -e ${cfg.state-directory} ]; then
cp -uRL ${pkg}/client ${cfg.state-directory}
chown ${cfg.user}:${cfg.group} ${cfg.state-directory}/client
chmod 0750 ${cfg.state-directory}/client
fi
'';
execStart = "${pkg}/bin/mattermost";
workingDirectory = cfg.state-directory;
@ -167,8 +173,9 @@ in {
systemd = {
tmpfiles.rules = [
"d ${cfg.state-directory} 0750 ${cfg.user} ${cfg.group} - -"
"d ${cfg.state-directory}/config 0750 ${cfg.user} ${cfg.group} - -"
"d ${cfg.state-directory} 0750 ${cfg.user} - - -"
"d ${cfg.state-directory}/config 0750 ${cfg.user} - - -"
"d ${dirOf mattermost-config-target} 0750 ${cfg.user} - - -"
"L ${cfg.state-directory}/bin - - - - ${pkg}/bin"
"L ${cfg.state-directory}/fonts - - - - ${pkg}/fonts"
"L ${cfg.state-directory}/i18n - - - - ${pkg}/i18n"
@ -183,6 +190,8 @@ in {
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
'';
recommendedProxySettings = true;
virtualHosts = {
"${cfg.hostname}" = {
enableACME = true;
@ -190,51 +199,52 @@ in {
locations."/" = {
proxyPass = "http://127.0.0.1:8065";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
'';
# extraConfig = ''
# client_max_body_size 50M;
# proxy_set_header Connection "";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-By $server_addr:$server_port;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Frame-Options SAMEORIGIN;
# proxy_buffers 256 16k;
# proxy_buffer_size 16k;
# proxy_read_timeout 600s;
# proxy_cache mattermost_cache;
# proxy_cache_revalidate on;
# proxy_cache_min_uses 2;
# proxy_cache_use_stale timeout;
# proxy_cache_lock on;
# proxy_http_version 1.1;
# '';
};
locations."~ /api/v[0-9]+/(users/)?websocket$" = {
proxyPass = "http://127.0.0.1:8065";
# locations."~ /api/v[0-9]+/(users/)?websocket$" = {
# proxyPass = "http://127.0.0.1:8065";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
'';
};
# extraConfig = ''
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# client_max_body_size 50M;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-By $server_addr:$server_port;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Frame-Options SAMEORIGIN;
# proxy_buffers 256 16k;
# proxy_buffer_size 16k;
# client_body_timeout 60;
# send_timeout 300;
# lingering_timeout 5;
# proxy_connect_timeout 90;
# proxy_send_timeout 300;
# proxy_read_timeout 90s;
# '';
# };
};
};
};

44
lib/fudo/domains.nix
View File

@ -5,8 +5,8 @@ let
hostname = config.instance.hostname;
domain = config.instance.local-domain;
domainOpts = { name, ... }: let
domain = name;
domainOpts = { name, ... }:
let domain = name;
in {
options = with types; {
domain = mkOption {
@ -50,8 +50,9 @@ let
grafana-hosts = mkOption {
type = listOf str;
description = "List of hosts acting as Grafana metric analyzers. Requires prometheus hosts as well.";
default = [];
description =
"List of hosts acting as Grafana metric analyzers. Requires prometheus hosts as well.";
default = [ ];
};
log-aggregator = mkOption {
@ -66,6 +67,13 @@ let
default = null;
};
chat-server = mkOption {
type = nullOr str;
description =
"Hostname acting as the domain chat server (using Mattermost).";
default = null;
};
backplane = mkOption {
type = nullOr (submodule {
options = {
@ -83,7 +91,8 @@ let
domain = mkOption {
type = str;
description = "Domain name of the dynamic zone served by this server.";
description =
"Domain name of the dynamic zone served by this server.";
};
};
});
@ -117,26 +126,30 @@ let
kerberos-master = mkOption {
type = nullOr str;
description = "Hostname of the Kerberos master server for the domain, if applicable.";
description =
"Hostname of the Kerberos master server for the domain, if applicable.";
default = null;
};
kerberos-slaves = mkOption {
type = listOf str;
description = "List of hosts acting as Kerberos slaves for the domain.";
default = [];
description =
"List of hosts acting as Kerberos slaves for the domain.";
default = [ ];
};
ldap-servers = mkOption {
type = listOf str;
description = "List of hosts acting as LDAP authentication servers for the domain.";
default = [];
description =
"List of hosts acting as LDAP authentication servers for the domain.";
default = [ ];
};
prometheus-hosts = mkOption {
type = listOf str;
description = "List of hosts acting aas prometheus metric scrapers for hosts in this network.";
default = [];
description =
"List of hosts acting aas prometheus metric scrapers for hosts in this network.";
default = [ ];
};
primary-nameserver = mkOption {
@ -147,8 +160,9 @@ let
secondary-nameservers = mkOption {
type = listOf str;
description = "List of hostnames of slave nameservers for this domain.";
default = [];
description =
"List of hostnames of slave nameservers for this domain.";
default = [ ];
};
primary-mailserver = mkOption {
@ -160,7 +174,7 @@ let
xmpp-servers = mkOption {
type = listOf str;
description = "Hostnames of the domain XMPP servers.";
default = [];
default = [ ];
};
zone = mkOption {

18
lib/fudo/postgres.nix
View File

@ -64,6 +64,13 @@ let
"A list of users who should have full access to this database.";
default = [ ];
};
extensions = mkOption {
type = listOf str;
description =
"A list of extensions which should be created for this database.";
default = [ ];
};
};
};
@ -121,6 +128,13 @@ let
${network-entries user db}
'') (attrNames opts.databases))) (filterPasswordedUsers users));
enableExtensionSql = ext: ''CREATE EXTENSION IF NOT EXISTS "${ext}";'';
enableDatabaseExtensionsSql = database: databaseOpts: ''
\c ${database}
${join-lines (map enableExtensionSql databaseOpts.extensions)}
'';
userTableAccessSql = user: entity: access:
"GRANT ${access} ON ${entity} TO ${user};";
userDatabaseAccessSql = user: database: dbOpts: ''
@ -382,8 +396,12 @@ in {
allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
extra-settings-sql = pkgs.writeText "settings.sql" ''
${join-lines
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases)}
${concatStringsSep "\n" (map allow-user-login
(mapAttrsToList (key: val: key) cfg.users))}
${usersAccessSql cfg.users}
'';
in pkgs.writeShellScript "postgresql-finalizer.sh" ''

33
lib/lib/network.nix
View File

@ -2,7 +2,8 @@
with pkgs.lib;
let
generate-mac-address = hostname: interface: pkgs.stdenv.mkDerivation {
generate-mac-address = hostname: interface:
pkgs.stdenv.mkDerivation {
name = "mk-mac-${hostname}-${interface}";
phases = [ "installPhase" ];
installPhase = ''
@ -28,32 +29,40 @@ let
# (lib.reverseList lines-front-stripped));
# in concatStringsSep "\n" lines-rear-stripped;
host-ipv4 = config: hostname: let
host-ipv4 = config: hostname:
let
domain = config.fudo.hosts.${hostname}.domain;
host-network = config.fudo.zones.${domain};
in host-network.hosts.${hostname}.ipv4-address;
host-ipv6 = config: hostname: let
host-ipv6 = config: hostname:
let
domain = config.fudo.hosts.${hostname}.domain;
host-network = config.fudo.zones.${domain};
in host-network.hosts.${hostname}.ipv6-address;
host-ips = config: hostname: let
host-ips = config: hostname:
let
ipv4 = host-ipv4 config hostname;
ipv6 = host-ipv6 config hostname;
not-null = o: o != null;
in filter not-null [ ipv4 ipv6 ];
site-gateway = config: site-name: let
site = config.fudo.sites.${site-name};
in if (site.local-gateway != null)
then host-ipv4 config site.local-gateway
else site.gateway-v4;
site-gateway = config: site-name:
let site = config.fudo.sites.${site-name};
in if (site.local-gateway != null) then
host-ipv4 config site.local-gateway
else
site.gateway-v4;
host-fqdn = config: hostname:
let domain-name = config.fudo.hosts.${hostname}.domain;
in "${hostname}.${domain-name}";
in {
inherit host-ipv4 host-ipv6 host-ips site-gateway;
inherit host-ipv4 host-ipv6 host-ips site-gateway host-fqdn;
generate-mac-address = hostname: interface: let
pkg = generate-mac-address hostname interface;
generate-mac-address = hostname: interface:
let pkg = generate-mac-address hostname interface;
in removeSuffix "\n" (builtins.readFile "${pkg}");
}