patch of nixify appview · round #0 · pull #3 · tangled.org/infra

+4 -4

flake.lock

···

       337
       337
        
               "sqlite-lib-src": "sqlite-lib-src"

     

       338
       338
        
             },

     

       339
       339
        
             "locked": {

     

       340
       340
       -
               "lastModified": 1758898964,

     

       341
       341
       -
               "narHash": "sha256-UFCO4KN7EzT058WcJtjiQiIaoKwSP2ddkhPK74S8zug=",

     

       340
       340
       +
               "lastModified": 1762506184,

     

       341
       341
       +
               "narHash": "sha256-4NqqrAHQXMUasM5Vw7BUUgjvXA1xrfYkhaKu6YNxFpo=",

     

       342
       342
        
               "ref": "refs/heads/master",

     

       343
       343
       -
               "rev": "7ddfed41ed0e2241dbb2edb9b0f69fce7e40f820",

     

       344
       344
       -
               "revCount": 1450,

     

       343
       343
       +
               "rev": "30d281f77d830b1c45104a44c9e7e5eafb52b354",

     

       344
       344
       +
               "revCount": 1611,

     

       345
       345
        
               "type": "git",

     

       346
       346
        
               "url": "https://tangled.org/@tangled.org/core"

     

       347
       347
        
             },

+30

flake.nix

···

       29
       29
        
             };

     

       30
       30
        
             nixosConfigurations.pds = nixpkgs.lib.nixosSystem {

     

       31
       31
        
               system = "x86_64-linux";

     

       32
       32
       +
               specialArgs = {

     

       33
       33
       +
                 commonArgs = import ./common/ssh.nix;

     

       34
       34
       +
               };

     

       32
       35
        
               modules = [

     

       33
       36
        
                 disko.nixosModules.disko

     

       34
       37
        
                 ./hosts/pds/configuration.nix

     

       35
       38
        
               ];

     

       36
       39
        
             };

     

       40
       40
       +
             nixosConfigurations.appview = nixpkgs.lib.nixosSystem {

     

       41
       41
       +
               system = "x86_64-linux";

     

       42
       42
       +
               specialArgs = {

     

       43
       43
       +
                 commonArgs = import ./common/ssh.nix;

     

       44
       44
       +
               };

     

       45
       45
       +
               modules = [

     

       46
       46
       +
                 disko.nixosModules.disko

     

       47
       47
       +
                 ./hosts/appview/configuration.nix

     

       48
       48
       +
               ];

     

       49
       49
       +
             };

     

       37
       50
        
       

     

       38
       51
        
             colmenaHive = colmena.lib.makeHive {

     

       39
       52
        
               meta = {

     
···

       51
       64
        
                   pkgs.curl

     

       52
       65
        
                 ];

     

       53
       66
        
               };

     

       67
       67
       +
               appview = { pkgs, ... }: {

     

       68
       68
       +
                 deployment = {

     

       69
       69
       +
                   targetHost = "alpha.tangled.sh";

     

       70
       70
       +
                   targetPort = 22;

     

       71
       71
       +
                   targetUser = "tangler";

     

       72
       72
       +
                   buildOnTarget = true;

     

       73
       73
       +
                 };

     

       74
       74
       +
                 nixpkgs.system = "x86_64-linux";

     

       75
       75
       +
                 imports = [

     

       76
       76
       +
                   disko.nixosModules.disko

     

       77
       77
       +
                   tangled.nixosModules.appview

     

       78
       78
       +
                   ./hosts/appview/configuration.nix

     

       79
       79
       +
                   ./hosts/appview/services/appview.nix

     

       80
       80
       +
                   ./hosts/appview/services/nginx-alpha.nix

     

       81
       81
       +
                 ];

     

       82
       82
       +
                 time.timeZone = "Europe/Helsinki";

     

       83
       83
       +
               };

     

       54
       84
        
               pds = { pkgs, ... }: {

     

       55
       85
        
                 deployment = {

     

       56
       86
        
                   targetHost = "tngl.sh";

+57

hosts/appview/configuration.nix

···

       1
       1
       +
       { modulesPath

     

       2
       2
       +
       , lib

     

       3
       3
       +
       , pkgs

     

       4
       4
       +
       , ...

     

       5
       5
       +
       } @ args:

     

       6
       6
       +
       {

     

       7
       7
       +
         imports = [

     

       8
       8
       +
           (modulesPath + "/installer/scan/not-detected.nix")

     

       9
       9
       +
           (modulesPath + "/profiles/qemu-guest.nix")

     

       10
       10
       +
           ./disk-config.nix

     

       11
       11
       +
         ];

     

       12
       12
       +
         boot.loader.grub = {

     

       13
       13
       +
           # no need to set devices, disko will add all devices that have a EF02 partition to the list already

     

       14
       14
       +
           # devices = [ ];

     

       15
       15
       +
           efiSupport = true;

     

       16
       16
       +
           efiInstallAsRemovable = true;

     

       17
       17
       +
         };

     

       18
       18
       +
       

     

       19
       19
       +
         networking.hostName = "appview-arn";

     

       20
       20
       +
         services = {

     

       21
       21
       +
           openssh.enable = true;

     

       22
       22
       +
         };

     

       23
       23
       +
       

     

       24
       24
       +
       

     

       25
       25
       +
         nix = {

     

       26
       26
       +
           extraOptions = ''

     

       27
       27
       +
             experimental-features = nix-command flakes ca-derivations

     

       28
       28
       +
             warn-dirty = false

     

       29
       29
       +
             keep-outputs = false

     

       30
       30
       +
           '';

     

       31
       31
       +
         };

     

       32
       32
       +
       

     

       33
       33
       +
         environment.systemPackages = map lib.lowPrio [

     

       34
       34
       +
           pkgs.curl

     

       35
       35
       +
           pkgs.gitMinimal

     

       36
       36
       +
         ];

     

       37
       37
       +
       

     

       38
       38
       +
         users.users.tangler = {

     

       39
       39
       +
           extraGroups = [ "networkmanager" "wheel" ];

     

       40
       40
       +
           openssh.authorizedKeys.keys = args.commonArgs.sshKeys;

     

       41
       41
       +
           isNormalUser = true;

     

       42
       42
       +
         };

     

       43
       43
       +
       

     

       44
       44
       +
         security.sudo.extraRules = [

     

       45
       45
       +
           {

     

       46
       46
       +
             users = [ "tangler" ];

     

       47
       47
       +
             commands = [

     

       48
       48
       +
               {

     

       49
       49
       +
                 command = "ALL";

     

       50
       50
       +
                 options = [ "NOPASSWD" ];

     

       51
       51
       +
               }

     

       52
       52
       +
             ];

     

       53
       53
       +
           }

     

       54
       54
       +
         ];

     

       55
       55
       +
       

     

       56
       56
       +
         system.stateVersion = "25.05";

     

       57
       57
       +
       }

+56

hosts/appview/disk-config.nix

···

       1
       1
       +
       # Example to create a bios compatible gpt partition

     

       2
       2
       +
       { lib, ... }:

     

       3
       3
       +
       {

     

       4
       4
       +
         disko.devices = {

     

       5
       5
       +
           disk.disk1 = {

     

       6
       6
       +
             device = lib.mkDefault "/dev/vda";

     

       7
       7
       +
             type = "disk";

     

       8
       8
       +
             content = {

     

       9
       9
       +
               type = "gpt";

     

       10
       10
       +
               partitions = {

     

       11
       11
       +
                 boot = {

     

       12
       12
       +
                   name = "boot";

     

       13
       13
       +
                   size = "1M";

     

       14
       14
       +
                   type = "EF02";

     

       15
       15
       +
                 };

     

       16
       16
       +
                 esp = {

     

       17
       17
       +
                   name = "ESP";

     

       18
       18
       +
                   size = "500M";

     

       19
       19
       +
                   type = "EF00";

     

       20
       20
       +
                   content = {

     

       21
       21
       +
                     type = "filesystem";

     

       22
       22
       +
                     format = "vfat";

     

       23
       23
       +
                     mountpoint = "/boot";

     

       24
       24
       +
                   };

     

       25
       25
       +
                 };

     

       26
       26
       +
                 root = {

     

       27
       27
       +
                   name = "root";

     

       28
       28
       +
                   size = "100%";

     

       29
       29
       +
                   content = {

     

       30
       30
       +
                     type = "lvm_pv";

     

       31
       31
       +
                     vg = "pool";

     

       32
       32
       +
                   };

     

       33
       33
       +
                 };

     

       34
       34
       +
               };

     

       35
       35
       +
             };

     

       36
       36
       +
           };

     

       37
       37
       +
           lvm_vg = {

     

       38
       38
       +
             pool = {

     

       39
       39
       +
               type = "lvm_vg";

     

       40
       40
       +
               lvs = {

     

       41
       41
       +
                 root = {

     

       42
       42
       +
                   size = "100%FREE";

     

       43
       43
       +
                   content = {

     

       44
       44
       +
                     type = "filesystem";

     

       45
       45
       +
                     format = "ext4";

     

       46
       46
       +
                     mountpoint = "/";

     

       47
       47
       +
                     mountOptions = [

     

       48
       48
       +
                       "defaults"

     

       49
       49
       +
                     ];

     

       50
       50
       +
                   };

     

       51
       51
       +
                 };

     

       52
       52
       +
               };

     

       53
       53
       +
             };

     

       54
       54
       +
           };

     

       55
       55
       +
         };

     

       56
       56
       +
       }

+11

hosts/appview/services/appview.nix

···

       1
       1
       +
       { modulesPath

     

       2
       2
       +
       , lib

     

       3
       3
       +
       , pkgs

     

       4
       4
       +
       , ...

     

       5
       5
       +
       } @ args:

     

       6
       6
       +
       {

     

       7
       7
       +
         services.tangled.appview = {

     

       8
       8
       +
           enable = true;

     

       9
       9
       +
           environmentFile = "/etc/secrets/appview.env";

     

       10
       10
       +
         };

     

       11
       11
       +
       }

+53

hosts/appview/services/nginx-alpha.nix

···

       1
       1
       +
       { config, pkgs, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         services.nginx = {

     

       4
       4
       +
           enable = true;

     

       5
       5
       +
           recommendedTlsSettings = true;

     

       6
       6
       +
           recommendedOptimisation = true;

     

       7
       7
       +
           recommendedGzipSettings = true;

     

       8
       8
       +
       

     

       9
       9
       +
           # Fix proxy headers hash warnings

     

       10
       10
       +
           appendHttpConfig = ''

     

       11
       11
       +
             proxy_headers_hash_max_size 1024;

     

       12
       12
       +
             proxy_headers_hash_bucket_size 128;

     

       13
       13
       +
           '';

     

       14
       14
       +
       

     

       15
       15
       +
           virtualHosts = {

     

       16
       16
       +
             # AppView service on alpha.tangled.sh

     

       17
       17
       +
             "alpha.tangled.sh" = {

     

       18
       18
       +
               forceSSL = true;

     

       19
       19
       +
               enableACME = true;

     

       20
       20
       +
       

     

       21
       21
       +
               locations."/" = {

     

       22
       22
       +
                 proxyPass = "http://127.0.0.1:3000";

     

       23
       23
       +
                 extraConfig = ''

     

       24
       24
       +
                   proxy_http_version 1.1;

     

       25
       25
       +
                   proxy_set_header Host $host;

     

       26
       26
       +
                   proxy_set_header X-Real-IP $remote_addr;

     

       27
       27
       +
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

     

       28
       28
       +
                   proxy_set_header X-Forwarded-Proto $scheme;

     

       29
       29
       +
                   client_max_body_size 100M;

     

       30
       30
       +
                 '';

     

       31
       31
       +
               };

     

       32
       32
       +
       

     

       33
       33
       +
               # WebSocket support for /logs endpoint

     

       34
       34
       +
               locations."~ /logs$" = {

     

       35
       35
       +
                 proxyPass = "http://127.0.0.1:3000";

     

       36
       36
       +
                 proxyWebsockets = true;

     

       37
       37
       +
                 extraConfig = ''

     

       38
       38
       +
                   proxy_read_timeout 86400;

     

       39
       39
       +
                 '';

     

       40
       40
       +
               };

     

       41
       41
       +
             };

     

       42
       42
       +
           };

     

       43
       43
       +
         };

     

       44
       44
       +
       

     

       45
       45
       +
         # Open firewall ports

     

       46
       46
       +
         networking.firewall.allowedTCPPorts = [ 80 443 ];

     

       47
       47
       +
       

     

       48
       48
       +
         # ACME configuration for Let's Encrypt

     

       49
       49
       +
         security.acme = {

     

       50
       50
       +
           acceptTerms = true;

     

       51
       51
       +
           defaults.email = "team@tangled.org";

     

       52
       52
       +
         };

     

       53
       53
       +
       }

+93

hosts/appview/services/nginx.nix

···

       1
       1
       +
       { config, pkgs, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         services.nginx = {

     

       4
       4
       +
           enable = true;

     

       5
       5
       +
           recommendedProxySettings = true;

     

       6
       6
       +
           recommendedTlsSettings = true;

     

       7
       7
       +
           recommendedOptimisation = true;

     

       8
       8
       +
           recommendedGzipSettings = true;

     

       9
       9
       +
       

     

       10
       10
       +
           virtualHosts = {

     

       11
       11
       +
             # Redirect tangled.sh → tangled.org

     

       12
       12
       +
             "tangled.sh" = {

     

       13
       13
       +
               serverAliases = [ "www.tangled.sh" ];

     

       14
       14
       +
               locations."/" = {

     

       15
       15
       +
                 return = "301 https://tangled.org$request_uri";

     

       16
       16
       +
               };

     

       17
       17
       +
               forceSSL = true;

     

       18
       18
       +
               enableACME = true;

     

       19
       19
       +
             };

     

       20
       20
       +
       

     

       21
       21
       +
             # Redirect strings.tangled.sh → tangled.org/strings/*

     

       22
       22
       +
             "strings.tangled.sh" = {

     

       23
       23
       +
               locations."/" = {

     

       24
       24
       +
                 return = "301 https://tangled.org/strings$request_uri";

     

       25
       25
       +
               };

     

       26
       26
       +
               forceSSL = true;

     

       27
       27
       +
               enableACME = true;

     

       28
       28
       +
             };

     

       29
       29
       +
       

     

       30
       30
       +
             # Redirect strings.tangled.org → tangled.org/strings/*

     

       31
       31
       +
             "strings.tangled.org" = {

     

       32
       32
       +
               locations."/" = {

     

       33
       33
       +
                 return = "301 https://tangled.org/strings$request_uri";

     

       34
       34
       +
               };

     

       35
       35
       +
               forceSSL = true;

     

       36
       36
       +
               enableACME = true;

     

       37
       37
       +
             };

     

       38
       38
       +
       

     

       39
       39
       +
             # Main app on tangled.org

     

       40
       40
       +
             "tangled.org" = {

     

       41
       41
       +
               serverAliases = [ "www.tangled.org" ];

     

       42
       42
       +
       

     

       43
       43
       +
               forceSSL = true;

     

       44
       44
       +
               enableACME = true;

     

       45
       45
       +
       

     

       46
       46
       +
               extraConfig = ''

     

       47
       47
       +
                 # Redirect www → bare domain

     

       48
       48
       +
                 if ($host = www.tangled.org) {

     

       49
       49
       +
                   return 301 https://tangled.org$request_uri;

     

       50
       50
       +
                 }

     

       51
       51
       +
       

     

       52
       52
       +
                 client_max_body_size 100M;

     

       53
       53
       +
               '';

     

       54
       54
       +
       

     

       55
       55
       +
               locations."~ ^/@tangled\\.sh(/.*)?$" = {

     

       56
       56
       +
                 return = "301 https://tangled.org/@tangled.org$1$is_args$args";

     

       57
       57
       +
               };

     

       58
       58
       +
       

     

       59
       59
       +
               locations."~ ^/tangled\\.sh(/.*)?$" = {

     

       60
       60
       +
                 return = "301 https://tangled.org/tangled.org$1$is_args$args";

     

       61
       61
       +
               };

     

       62
       62
       +
       

     

       63
       63
       +
               locations."~ /logs$" = {

     

       64
       64
       +
                 proxyPass = "http://127.0.0.1:3000";

     

       65
       65
       +
                 proxyWebsockets = true;

     

       66
       66
       +
                 extraConfig = ''

     

       67
       67
       +
                   proxy_read_timeout 86400;

     

       68
       68
       +
                 '';

     

       69
       69
       +
               };

     

       70
       70
       +
       

     

       71
       71
       +
               locations."/" = {

     

       72
       72
       +
                 proxyPass = "http://127.0.0.1:3000";

     

       73
       73
       +
                 extraConfig = ''

     

       74
       74
       +
                   proxy_set_header Host $host;

     

       75
       75
       +
                   proxy_set_header X-Real-IP $remote_addr;

     

       76
       76
       +
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

     

       77
       77
       +
                   proxy_set_header X-Forwarded-Proto $scheme;

     

       78
       78
       +
                   include ${config.services.nginx.package}/conf/mime.types;

     

       79
       79
       +
                 '';

     

       80
       80
       +
               };

     

       81
       81
       +
             };

     

       82
       82
       +
           };

     

       83
       83
       +
         };

     

       84
       84
       +
       

     

       85
       85
       +
         # Open firewall ports

     

       86
       86
       +
         networking.firewall.allowedTCPPorts = [ 80 443 ];

     

       87
       87
       +
       

     

       88
       88
       +
         # ACME configuration for Let's Encrypt

     

       89
       89
       +
         security.acme = {

     

       90
       90
       +
           acceptTerms = true;

     

       91
       91
       +
           defaults.email = "team@tangled.org";

     

       92
       92
       +
         };

     

       93
       93
       +
       }

+1 -1

hosts/nixery/configuration.nix

···

       19
       19
        
         networking.hostName = "nixery";

     

       20
       20
        
         services = {

     

       21
       21
        
           openssh.enable = true;

     

       22
       22
       -
           tangled-spindle = {

     

       22
       22
       +
           tangled.spindle = {

     

       23
       23
        
             enable = true;

     

       24
       24
        
             server = {

     

       25
       25
        
               owner = "did:plc:wshs7t2adsemcrrd4snkeqli"; # @tangled.sh