From dddb28783f31bf93a5bb5332f4ae9d7f6a9c13b7 Mon Sep 17 00:00:00 2001
From: Anirudh Oppiliappan
Subject: [PATCH] nixify spindle box
Change-Id: wlmrszrwtnsmunuxqvkmtsupkkvzmvrw
Signed-off-by: Anirudh Oppiliappan
---
 flake.nix | 13 +++
 hosts/spindle/configuration.nix | 57 ++++++++++++
 hosts/spindle/disk-config.nix | 56 ++++++++++++
 hosts/spindle/services/nginx.nix | 37 ++++++++
 hosts/spindle/services/openbao/openbao.nix | 39 ++++++++
 hosts/spindle/services/openbao/proxy.nix | 100 +++++++++++++++++++++
 hosts/spindle/services/spindle.nix | 19 ++++
 7 files changed, 321 insertions(+)
 create mode 100644 hosts/spindle/configuration.nix
 create mode 100644 hosts/spindle/disk-config.nix
 create mode 100644 hosts/spindle/services/nginx.nix
 create mode 100644 hosts/spindle/services/openbao/openbao.nix
 create mode 100644 hosts/spindle/services/openbao/proxy.nix
 create mode 100644 hosts/spindle/services/spindle.nix

diff --git a/flake.nix b/flake.nix
index b270b77..8c2ea9e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -79,6 +79,17 @@
 ];
 target = "nixery.tangled.sh";
 };
+
+ spindle = {
+ modules = [
+ tangled.nixosModules.spindle
+ ./hosts/spindle/services/openbao/openbao.nix
+ ./hosts/spindle/services/openbao/proxy.nix
+ ./hosts/spindle/services/spindle.nix
+ ./hosts/spindle/services/nginx.nix
+ ];
+ target = "spindle.alpha.tangled.sh";
+ };
 };
 in
 {
@@ -87,6 +98,7 @@
 appview = mkHost "appview" hosts.appview.modules;
 pds = mkHost "pds" hosts.pds.modules;
 nixery = mkHost "nixery" hosts.nixery.modules;
+ spindle = mkHost "spindle" hosts.spindle.modules;
 };

 # colmena uses this
@@ -108,6 +120,7 @@
 appview = mkColmenaHost "appview" hosts.appview.target hosts.appview.modules;
 pds = mkColmenaHost "pds" hosts.pds.target hosts.pds.modules;
 nixery = mkColmenaHost "nixery" hosts.nixery.target hosts.nixery.modules;
+ spindle = mkColmenaHost "spindle" hosts.spindle.target hosts.spindle.modules;
 };
 };
 }
diff --git a/hosts/spindle/configuration.nix b/hosts/spindle/configuration.nix
new file mode 100644
index 0000000..103195b
--- /dev/null
+++ b/hosts/spindle/configuration.nix
@@ -0,0 +1,57 @@
+{ modulesPath
+, lib
+, pkgs
+, ...
+} @ args:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+ ];
+ boot.loader.grub = {
+ # no need to set devices, disko will add all devices that have a EF02 partition to the list already
+ # devices = [ ];
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ networking.hostName = "spindle-waw";
+ services = {
+ openssh.enable = true;
+ };
+
+
+ nix = {
+ extraOptions = ''
+ experimental-features = nix-command flakes ca-derivations
+ warn-dirty = false
+ keep-outputs = false
+ '';
+ };
+
+ environment.systemPackages = map lib.lowPrio [
+ pkgs.curl
+ pkgs.gitMinimal
+ ];
+
+ users.users.tangler = {
+ extraGroups = [ "networkmanager" "wheel" "docker" ];
+ openssh.authorizedKeys.keys = args.commonArgs.sshKeys;
+ isNormalUser = true;
+ };
+
+ security.sudo.extraRules = [
+ {
+ users = [ "tangler" ];
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/spindle/disk-config.nix b/hosts/spindle/disk-config.nix
new file mode 100644
index 0000000..88e17e5
--- /dev/null
+++ b/hosts/spindle/disk-config.nix
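Review bot: `services = { openssh.enable = true; };` leaves the sshd module defaults in place (which, as far as I recall, still permit password authentication), and combined with the `tangler` user's passwordless `command = "ALL"` sudo rule and `docker` group membership, every key in `args.commonArgs.sshKeys` is a direct path to root on this box with nothing in the hunk restricting the daemon to key-only access. I would add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };` beside the enable line. `extraGroups` also lists `networkmanager` and `docker` although no NetworkManager or docker service is enabled in this hunk, so either the groups are vestigial or the enabling modules live elsewhere — a comment would settle it. The `NOPASSWD` rule grants more than `wheel` already does; if passwordless sudo is needed for colmena deploys, say so in a comment above `security.sudo.extraRules` so it is not silently kept after the deploy flow changes.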
@@ -0,0 +1,56 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/spindle/services/nginx.nix b/hosts/spindle/services/nginx.nix
new file mode 100644
index 0000000..73b5b3e
--- /dev/null
+++ b/hosts/spindle/services/nginx.nix
@@ -0,0 +1,37 @@
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "spindle.alpha.tangled.sh" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:6555";
+ };
+ locations."/events" = {
+ proxyPass = "http://127.0.0.1:6555";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+ locations."/logs/" = {
+ proxyPass = "http://127.0.0.1:6555";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+ };
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "team@tangled.org";
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/hosts/spindle/services/openbao/openbao.nix b/hosts/spindle/services/openbao/openbao.nix
new file mode 100644
index 0000000..ac3497b
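Review bot: The `/events` and `/logs/` locations set `Upgrade $http_upgrade` and `Connection "upgrade"` by hand but never set `proxy_http_version 1.1`, and nginx talks HTTP/1.0 to upstreams by default, so the WebSocket handshake is unlikely to complete; `Connection "upgrade"` is also sent for every request to those paths, not only upgrade requests. The NixOS module already handles this: replace each `extraConfig` block with `proxyWebsockets = true;` (which, as far as I recall, emits HTTP/1.1 plus the `$connection_upgrade` map) and set `recommendedProxySettings = true;` under `services.nginx`, so the `/` location — which currently forwards no `Host` or `X-Forwarded-*` headers at all — gets the same headers as the other two. `recommendedTlsSettings = true;` is worth adding alongside `forceSSL`, which on its own does not touch protocol or cipher defaults. Whether Spindle depends on the original `Host` is not visible here, but the three locations should at least agree with each other.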
--- /dev/null
+++ b/hosts/spindle/services/openbao/openbao.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, lib, ... }:
+{
+ # Create openbao user and group
+ users.groups.openbao = {};
+
+ users.users.openbao = {
+ isSystemUser = true;
+ group = "openbao";
+ home = "/var/lib/openbao";
+ createHome = true;
+ description = "OpenBao service user";
+ };
+
+ systemd.services.openbao = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "openbao";
+ Group = "openbao";
+ };
+ };
+
+ services.openbao = {
+ enable = true;
+ settings = {
+ ui = true;
+
+ listener.default = {
+ type = "tcp";
+ address = "127.0.0.1:8201";
+ tls_disable = true;
+ };
+
+ cluster_addr = "http://127.0.0.1:8202";
+ api_addr = "http://127.0.0.1:8201";
+
+ storage.raft.path = "/var/lib/openbao";
+ };
+ };
+}
diff --git a/hosts/spindle/services/openbao/proxy.nix b/hosts/spindle/services/openbao/proxy.nix
new file mode 100644
index 0000000..d8dd7ea
--- /dev/null
+++ b/hosts/spindle/services/openbao/proxy.nix
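Review bot: `storage.raft.path = "/var/lib/openbao"` puts the server's raft store in the same directory the sibling proxy module declares with `"d /var/lib/openbao 0755 root root -"` and uses for its token sink and pid file; systemd-tmpfiles re-applies that ownership and mode on every boot, so the raft data ends up under a root-owned, world-readable directory that the `openbao` service user set here via `User = "openbao"` may not even be able to write to. Give the server its own subtree, e.g. `storage.raft.path = "/var/lib/openbao/data";` with a matching `"d /var/lib/openbao/data 0700 openbao openbao -"` rule, or move the proxy's files out of the server's state directory. `DynamicUser = lib.mkForce false` discards whatever isolation the upstream module chose and nothing explains why; a one-line comment such as `# static uid: raft data under /var/lib/openbao needs a stable owner` (if that is the reason) would spare the next reader a guess. `tls_disable = true` is only acceptable because the listener and `api_addr` are loopback — stating that in a comment next to `address = "127.0.0.1:8201"` makes it harder to widen the bind address later without adding TLS.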
@@ -0,0 +1,100 @@
+{ pkgs, ... }:
+
+{
+ systemd.services.openbao-proxy = {
+ description = "OpenBao Proxy with Auto-Auth";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "root";
+ ExecStart = "${pkgs.openbao}/bin/bao proxy -config=/etc/openbao/proxy.hcl";
+ Restart = "always";
+ RestartSec = "5";
+ LimitNOFILE = "65536";
+ };
+ };
+
+
+
+ environment.etc."openbao/proxy.hcl".text = ''
+ vault {
+ address = "http://localhost:8201"
+
+ # Retry configuration
+ retry {
+ num_retries = 5
+ }
+ }
+
+ # Auto-Auth using AppRole
+ auto_auth {
+ method "approle" {
+ mount_path = "auth/approle"
+ config = {
+ role_id_file_path = "/etc/openbao/role-id"
+ secret_id_file_path = "/etc/openbao/secret-id"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+
+ # Write authenticated token to file
+ sink "file" {
+ config = {
+ path = "/var/lib/openbao/token"
+ mode = 0640
+ }
+ }
+ }
+
+ # API Proxy listener for Spindle
+ listener "tcp" {
+ address = "127.0.0.1:8200"
+ tls_disable = true
+
+ # Security headers
+ require_request_header = false
+
+ # Enable proxy API for management
+ proxy_api {
+ enable_quit = true
+ }
+ }
+
+ # Enable API proxy with auto-auth token
+ api_proxy {
+ use_auto_auth_token = true
+ }
+
+ cache {
+ }
+
+ # Logging configuration
+ log_level = "info"
+ log_format = "standard"
+ log_file = "/var/log/openbao/proxy.log"
+ log_rotate_duration = "24h"
+ log_rotate_max_files = 30
+
+ # Process management
+ pid_file = "/var/lib/openbao/proxy.pid"
+
+ # Disable idle connections for reliability
+ disable_idle_connections = ["auto-auth", "proxying"]
+ '';
+
+ # Create necessary directories and files
+ systemd.tmpfiles.rules = [
+ # Directories
+ "d /var/lib/openbao 0755 root root -"
+ "d /var/lib/openbao/cache 0755 root root -"
+ "d /var/log/openbao 0755 root root -"
+ "d /etc/openbao 0755 root root -"
+
+ # Credential files (content must be populated externally)
+ "f /etc/openbao/role-id 0600 root root -"
+ "f /etc/openbao/secret-id 0600 root root -"
+
+ # Configuration file
+ "f /etc/openbao/proxy.hcl 0644 root root -"
+ ];
+}
diff --git a/hosts/spindle/services/spindle.nix b/hosts/spindle/services/spindle.nix
new file mode 100644
index 0000000..b540588
--- /dev/null
+++ b/hosts/spindle/services/spindle.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ services.tangled.spindle = {
+ enable = true;
+ server = {
+ owner = "did:plc:wshs7t2adsemcrrd4snkeqli"; # @tangled.sh
+ hostname = "spindle.alpha.tangled.sh";
+ listenAddr = "127.0.0.1:6555";
+ queueSize = 100;
+ maxJobCount = 2;
+ secrets = {
+ provider = "openbao";
+ };
+ };
+ pipelines = {
+ workflowTimeout = "15m";
+ };
+ };
+}
-- 
2.43.0
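Review bot: The `listener "tcp"` on `127.0.0.1:8200` with `tls_disable = true`, `require_request_header = false` and `api_proxy { use_auto_auth_token = true }` hands the AppRole's token to any process that can reach loopback, not just Spindle — that includes the `tangler` shell user from configuration.nix and, if pipeline containers run with host networking (inferred from the `docker` group there; not visible in this hunk), the CI workflows Spindle executes for other people. `proxy_api { enable_quit = true }` additionally lets any such client stop the proxy. If Spindle's OpenBao client accepts a `unix://` address, bind a group-restricted unix socket instead (below, with `RuntimeDirectory = "openbao-proxy";` added to `serviceConfig`); at minimum flip `require_request_header = true` and drop `enable_quit`. The service also runs as `User = "root"` although it only needs to read `/etc/openbao/{role-id,secret-id}` and write under `/var/lib/openbao` and `/var/log/openbao`, so a dedicated user plus `ProtectSystem = "strict"`, `PrivateTmp = true` and `NoNewPrivileges = true` would contain a proxy compromise. The `"f /etc/openbao/proxy.hcl 0644 root root -"` rule is redundant with `environment.etc."openbao/proxy.hcl"`, which already manages that path as a store symlink, and should go.

```nix
      # API proxy listener for Spindle. A group-restricted unix socket rather
      # than loopback TCP: only members of the socket group can borrow the
      # auto-auth token. enable_quit is deliberately absent so a client cannot
      # stop the proxy.
      listener "unix" {
        address = "/run/openbao-proxy/proxy.sock"
        socket_mode = "0660"
        socket_group = "spindle"   # the group services.tangled.spindle runs as -- confirm
      }
      # … unchanged: api_proxy, cache, logging, pid_file, disable_idle_connections …
```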