patch of nixify spindle box · round #0 · pull #5 · tangled.org/infra

+13

flake.nix

···

       79
       79
        
                 ];

     

       80
       80
        
                 target = "nixery.tangled.sh";

     

       81
       81
        
               };

     

       82
       82
       +
       

     

       83
       83
       +
               spindle = {

     

       84
       84
       +
                 modules = [

     

       85
       85
       +
                   tangled.nixosModules.spindle

     

       86
       86
       +
                   ./hosts/spindle/services/openbao/openbao.nix

     

       87
       87
       +
                   ./hosts/spindle/services/openbao/proxy.nix

     

       88
       88
       +
                   ./hosts/spindle/services/spindle.nix

     

       89
       89
       +
                   ./hosts/spindle/services/nginx.nix

     

       90
       90
       +
                 ];

     

       91
       91
       +
                 target = "spindle.alpha.tangled.sh";

     

       92
       92
       +
               };

     

       82
       93
        
             };

     

       83
       94
        
           in

     

       84
       95
        
           {

     
···

       87
       98
        
               appview = mkHost "appview" hosts.appview.modules;

     

       88
       99
        
               pds = mkHost "pds" hosts.pds.modules;

     

       89
       100
        
               nixery = mkHost "nixery" hosts.nixery.modules;

     

       101
       101
       +
               spindle = mkHost "spindle" hosts.spindle.modules;

     

       90
       102
        
             };

     

       91
       103
        
       

     

       92
       104
        
             # colmena uses this

     
···

       108
       120
        
               appview = mkColmenaHost "appview" hosts.appview.target hosts.appview.modules;

     

       109
       121
        
               pds = mkColmenaHost "pds" hosts.pds.target hosts.pds.modules;

     

       110
       122
        
               nixery = mkColmenaHost "nixery" hosts.nixery.target hosts.nixery.modules;

     

       123
       123
       +
               spindle = mkColmenaHost "spindle" hosts.spindle.target hosts.spindle.modules;

     

       111
       124
        
             };

     

       112
       125
        
           };

     

       113
       126
        
       }

+57

hosts/spindle/configuration.nix

···

       1
       1
       +
       { modulesPath

     

       2
       2
       +
       , lib

     

       3
       3
       +
       , pkgs

     

       4
       4
       +
       , ...

     

       5
       5
       +
       } @ args:

     

       6
       6
       +
       {

     

       7
       7
       +
         imports = [

     

       8
       8
       +
           (modulesPath + "/installer/scan/not-detected.nix")

     

       9
       9
       +
           (modulesPath + "/profiles/qemu-guest.nix")

     

       10
       10
       +
           ./disk-config.nix

     

       11
       11
       +
         ];

     

       12
       12
       +
         boot.loader.grub = {

     

       13
       13
       +
           # no need to set devices, disko will add all devices that have a EF02 partition to the list already

     

       14
       14
       +
           # devices = [ ];

     

       15
       15
       +
           efiSupport = true;

     

       16
       16
       +
           efiInstallAsRemovable = true;

     

       17
       17
       +
         };

     

       18
       18
       +
       

     

       19
       19
       +
         networking.hostName = "spindle-waw";

     

       20
       20
       +
         services = {

     

       21
       21
       +
           openssh.enable = true;

     

       22
       22
       +
         };

     

       23
       23
       +
       

     

       24
       24
       +
       

     

       25
       25
       +
         nix = {

     

       26
       26
       +
           extraOptions = ''

     

       27
       27
       +
             experimental-features = nix-command flakes ca-derivations

     

       28
       28
       +
             warn-dirty = false

     

       29
       29
       +
             keep-outputs = false

     

       30
       30
       +
           '';

     

       31
       31
       +
         };

     

       32
       32
       +
       

     

       33
       33
       +
         environment.systemPackages = map lib.lowPrio [

     

       34
       34
       +
           pkgs.curl

     

       35
       35
       +
           pkgs.gitMinimal

     

       36
       36
       +
         ];

     

       37
       37
       +
       

     

       38
       38
       +
         users.users.tangler = {

     

       39
       39
       +
           extraGroups = [ "networkmanager" "wheel" "docker" ];

     

       40
       40
       +
           openssh.authorizedKeys.keys = args.commonArgs.sshKeys;

     

       41
       41
       +
           isNormalUser = true;

     

       42
       42
       +
         };

     

       43
       43
       +
       

     

       44
       44
       +
         security.sudo.extraRules = [

     

       45
       45
       +
           {

     

       46
       46
       +
             users = [ "tangler" ];

     

       47
       47
       +
             commands = [

     

       48
       48
       +
               {

     

       49
       49
       +
                 command = "ALL";

     

       50
       50
       +
                 options = [ "NOPASSWD" ];

     

       51
       51
       +
               }

     

       52
       52
       +
             ];

     

       53
       53
       +
           }

     

       54
       54
       +
         ];

     

       55
       55
       +
       

     

       56
       56
       +
         system.stateVersion = "25.05";

     

       57
       57
       +
       }

+56

hosts/spindle/disk-config.nix

···

       1
       1
       +
       # Example to create a bios compatible gpt partition

     

       2
       2
       +
       { lib, ... }:

     

       3
       3
       +
       {

     

       4
       4
       +
         disko.devices = {

     

       5
       5
       +
           disk.disk1 = {

     

       6
       6
       +
             device = lib.mkDefault "/dev/vda";

     

       7
       7
       +
             type = "disk";

     

       8
       8
       +
             content = {

     

       9
       9
       +
               type = "gpt";

     

       10
       10
       +
               partitions = {

     

       11
       11
       +
                 boot = {

     

       12
       12
       +
                   name = "boot";

     

       13
       13
       +
                   size = "1M";

     

       14
       14
       +
                   type = "EF02";

     

       15
       15
       +
                 };

     

       16
       16
       +
                 esp = {

     

       17
       17
       +
                   name = "ESP";

     

       18
       18
       +
                   size = "500M";

     

       19
       19
       +
                   type = "EF00";

     

       20
       20
       +
                   content = {

     

       21
       21
       +
                     type = "filesystem";

     

       22
       22
       +
                     format = "vfat";

     

       23
       23
       +
                     mountpoint = "/boot";

     

       24
       24
       +
                   };

     

       25
       25
       +
                 };

     

       26
       26
       +
                 root = {

     

       27
       27
       +
                   name = "root";

     

       28
       28
       +
                   size = "100%";

     

       29
       29
       +
                   content = {

     

       30
       30
       +
                     type = "lvm_pv";

     

       31
       31
       +
                     vg = "pool";

     

       32
       32
       +
                   };

     

       33
       33
       +
                 };

     

       34
       34
       +
               };

     

       35
       35
       +
             };

     

       36
       36
       +
           };

     

       37
       37
       +
           lvm_vg = {

     

       38
       38
       +
             pool = {

     

       39
       39
       +
               type = "lvm_vg";

     

       40
       40
       +
               lvs = {

     

       41
       41
       +
                 root = {

     

       42
       42
       +
                   size = "100%FREE";

     

       43
       43
       +
                   content = {

     

       44
       44
       +
                     type = "filesystem";

     

       45
       45
       +
                     format = "ext4";

     

       46
       46
       +
                     mountpoint = "/";

     

       47
       47
       +
                     mountOptions = [

     

       48
       48
       +
                       "defaults"

     

       49
       49
       +
                     ];

     

       50
       50
       +
                   };

     

       51
       51
       +
                 };

     

       52
       52
       +
               };

     

       53
       53
       +
             };

     

       54
       54
       +
           };

     

       55
       55
       +
         };

     

       56
       56
       +
       }

+37

hosts/spindle/services/nginx.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         services.nginx = {

     

       3
       3
       +
           enable = true;

     

       4
       4
       +
           virtualHosts = {

     

       5
       5
       +
             "spindle.alpha.tangled.sh" = {

     

       6
       6
       +
               forceSSL = true;

     

       7
       7
       +
               enableACME = true;

     

       8
       8
       +
               locations."/" = {

     

       9
       9
       +
                 proxyPass = "http://127.0.0.1:6555";

     

       10
       10
       +
               };

     

       11
       11
       +
               locations."/events" = {

     

       12
       12
       +
                 proxyPass = "http://127.0.0.1:6555";

     

       13
       13
       +
                 extraConfig = ''

     

       14
       14
       +
                   proxy_set_header X-Forwarded-For $remote_addr;

     

       15
       15
       +
                   proxy_set_header Host $host;

     

       16
       16
       +
                   proxy_set_header Upgrade $http_upgrade;

     

       17
       17
       +
                   proxy_set_header Connection "upgrade";

     

       18
       18
       +
                 '';

     

       19
       19
       +
               };

     

       20
       20
       +
               locations."/logs/" = {

     

       21
       21
       +
                 proxyPass = "http://127.0.0.1:6555";

     

       22
       22
       +
                 extraConfig = ''

     

       23
       23
       +
                   proxy_set_header X-Forwarded-For $remote_addr;

     

       24
       24
       +
                   proxy_set_header Host $host;

     

       25
       25
       +
                   proxy_set_header Upgrade $http_upgrade;

     

       26
       26
       +
                   proxy_set_header Connection "upgrade";

     

       27
       27
       +
                 '';

     

       28
       28
       +
               };

     

       29
       29
       +
             };

     

       30
       30
       +
           };

     

       31
       31
       +
         };

     

       32
       32
       +
         security.acme = {

     

       33
       33
       +
           acceptTerms = true;

     

       34
       34
       +
           defaults.email = "team@tangled.org";

     

       35
       35
       +
         };

     

       36
       36
       +
         networking.firewall.allowedTCPPorts = [ 80 443 ];

     

       37
       37
       +
       }

+39

hosts/spindle/services/openbao/openbao.nix

···

       1
       1
       +
       { config, pkgs, lib, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         # Create openbao user and group

     

       4
       4
       +
         users.groups.openbao = {};

     

       5
       5
       +
       

     

       6
       6
       +
         users.users.openbao = {

     

       7
       7
       +
           isSystemUser = true;

     

       8
       8
       +
           group = "openbao";

     

       9
       9
       +
           home = "/var/lib/openbao";

     

       10
       10
       +
           createHome = true;

     

       11
       11
       +
           description = "OpenBao service user";

     

       12
       12
       +
         };

     

       13
       13
       +
       

     

       14
       14
       +
         systemd.services.openbao = {

     

       15
       15
       +
           serviceConfig = {

     

       16
       16
       +
             DynamicUser = lib.mkForce false;

     

       17
       17
       +
             User = "openbao";

     

       18
       18
       +
             Group = "openbao";

     

       19
       19
       +
           };

     

       20
       20
       +
         };

     

       21
       21
       +
       

     

       22
       22
       +
         services.openbao = {

     

       23
       23
       +
           enable = true;

     

       24
       24
       +
           settings = {

     

       25
       25
       +
             ui = true;

     

       26
       26
       +
       

     

       27
       27
       +
             listener.default = {

     

       28
       28
       +
               type = "tcp";

     

       29
       29
       +
               address = "127.0.0.1:8201";

     

       30
       30
       +
               tls_disable = true;

     

       31
       31
       +
             };

     

       32
       32
       +
       

     

       33
       33
       +
             cluster_addr = "http://127.0.0.1:8202";

     

       34
       34
       +
             api_addr = "http://127.0.0.1:8201";

     

       35
       35
       +
       

     

       36
       36
       +
             storage.raft.path = "/var/lib/openbao";

     

       37
       37
       +
           };

     

       38
       38
       +
         };

     

       39
       39
       +
       }

+100

hosts/spindle/services/openbao/proxy.nix

···

       1
       1
       +
       { pkgs, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       {

     

       4
       4
       +
         systemd.services.openbao-proxy = {

     

       5
       5
       +
           description = "OpenBao Proxy with Auto-Auth";

     

       6
       6
       +
           after = [ "network.target" ];

     

       7
       7
       +
           wantedBy = [ "multi-user.target" ];

     

       8
       8
       +
           serviceConfig = {

     

       9
       9
       +
             User = "root";

     

       10
       10
       +
             ExecStart = "${pkgs.openbao}/bin/bao proxy -config=/etc/openbao/proxy.hcl";

     

       11
       11
       +
             Restart = "always";

     

       12
       12
       +
             RestartSec = "5";

     

       13
       13
       +
             LimitNOFILE = "65536";

     

       14
       14
       +
           };

     

       15
       15
       +
         };

     

       16
       16
       +
       

     

       17
       17
       +
       

     

       18
       18
       +
       

     

       19
       19
       +
         environment.etc."openbao/proxy.hcl".text = ''

     

       20
       20
       +
           vault {

     

       21
       21
       +
             address = "http://localhost:8201"

     

       22
       22
       +
       

     

       23
       23
       +
             # Retry configuration

     

       24
       24
       +
             retry {

     

       25
       25
       +
               num_retries = 5

     

       26
       26
       +
             }

     

       27
       27
       +
           }

     

       28
       28
       +
       

     

       29
       29
       +
           # Auto-Auth using AppRole

     

       30
       30
       +
           auto_auth {

     

       31
       31
       +
             method "approle" {

     

       32
       32
       +
               mount_path = "auth/approle"

     

       33
       33
       +
               config = {

     

       34
       34
       +
                 role_id_file_path   = "/etc/openbao/role-id"

     

       35
       35
       +
                 secret_id_file_path = "/etc/openbao/secret-id"

     

       36
       36
       +
                 remove_secret_id_file_after_reading = false

     

       37
       37
       +
               }

     

       38
       38
       +
             }

     

       39
       39
       +
       

     

       40
       40
       +
             # Write authenticated token to file

     

       41
       41
       +
             sink "file" {

     

       42
       42
       +
               config = {

     

       43
       43
       +
                 path = "/var/lib/openbao/token"

     

       44
       44
       +
                 mode = 0640

     

       45
       45
       +
               }

     

       46
       46
       +
             }

     

       47
       47
       +
           }

     

       48
       48
       +
       

     

       49
       49
       +
           # API Proxy listener for Spindle

     

       50
       50
       +
           listener "tcp" {

     

       51
       51
       +
             address     = "127.0.0.1:8200"

     

       52
       52
       +
             tls_disable = true

     

       53
       53
       +
       

     

       54
       54
       +
             # Security headers

     

       55
       55
       +
             require_request_header = false

     

       56
       56
       +
       

     

       57
       57
       +
             # Enable proxy API for management

     

       58
       58
       +
             proxy_api {

     

       59
       59
       +
               enable_quit = true

     

       60
       60
       +
             }

     

       61
       61
       +
           }

     

       62
       62
       +
       

     

       63
       63
       +
           # Enable API proxy with auto-auth token

     

       64
       64
       +
           api_proxy {

     

       65
       65
       +
             use_auto_auth_token = true

     

       66
       66
       +
           }

     

       67
       67
       +
       

     

       68
       68
       +
           cache {

     

       69
       69
       +
           }

     

       70
       70
       +
       

     

       71
       71
       +
           # Logging configuration

     

       72
       72
       +
           log_level = "info"

     

       73
       73
       +
           log_format = "standard"

     

       74
       74
       +
           log_file = "/var/log/openbao/proxy.log"

     

       75
       75
       +
           log_rotate_duration = "24h"

     

       76
       76
       +
           log_rotate_max_files = 30

     

       77
       77
       +
       

     

       78
       78
       +
           # Process management

     

       79
       79
       +
           pid_file = "/var/lib/openbao/proxy.pid"

     

       80
       80
       +
       

     

       81
       81
       +
           # Disable idle connections for reliability

     

       82
       82
       +
           disable_idle_connections = ["auto-auth", "proxying"]

     

       83
       83
       +
         '';

     

       84
       84
       +
       

     

       85
       85
       +
         # Create necessary directories and files

     

       86
       86
       +
         systemd.tmpfiles.rules = [

     

       87
       87
       +
           # Directories

     

       88
       88
       +
           "d /var/lib/openbao 0755 root root -"

     

       89
       89
       +
           "d /var/lib/openbao/cache 0755 root root -"

     

       90
       90
       +
           "d /var/log/openbao 0755 root root -"

     

       91
       91
       +
           "d /etc/openbao 0755 root root -"

     

       92
       92
       +
       

     

       93
       93
       +
           # Credential files (content must be populated externally)

     

       94
       94
       +
           "f /etc/openbao/role-id 0600 root root -"

     

       95
       95
       +
           "f /etc/openbao/secret-id 0600 root root -"

     

       96
       96
       +
       

     

       97
       97
       +
           # Configuration file

     

       98
       98
       +
           "f /etc/openbao/proxy.hcl 0644 root root -"

     

       99
       99
       +
         ];

     

       100
       100
       +
       }

+19

hosts/spindle/services/spindle.nix

···

       1
       1
       +
       { config, pkgs, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         services.tangled.spindle = {

     

       4
       4
       +
           enable = true;

     

       5
       5
       +
           server = {

     

       6
       6
       +
             owner = "did:plc:wshs7t2adsemcrrd4snkeqli"; # @tangled.sh

     

       7
       7
       +
             hostname = "spindle.alpha.tangled.sh";

     

       8
       8
       +
             listenAddr = "127.0.0.1:6555";

     

       9
       9
       +
             queueSize = 100;

     

       10
       10
       +
             maxJobCount = 2;

     

       11
       11
       +
             secrets = {

     

       12
       12
       +
               provider = "openbao";

     

       13
       13
       +
             };

     

       14
       14
       +
           };

     

       15
       15
       +
           pipelines = {

     

       16
       16
       +
             workflowTimeout = "15m";

     

       17
       17
       +
           };

     

       18
       18
       +
         };

     

       19
       19
       +
       }