add borzoi

This commit is contained in:
oxapentane - 2023-05-19 19:08:52 +02:00
parent 39e82d4f7f
commit 7e25e245f5
Signed by: oxapentane
GPG Key ID: 91FA5E5BF9AA901C
7 changed files with 391 additions and 6 deletions


@ -11,6 +11,7 @@ keys:
- &data-hoarder-staging age1m4g4y5ga2m8xdvs7rarda3tyk4gtkyta6pfyq2n3xmy47z20kfxq73m8r8
- &data-hoarder-borken age10wj28zkuy3ewmv6hmup7849667qmevgdv4gxa8vyljye7mpu7shsjt4jeh
- &notice-me-senpai age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
- &tram-borzoi age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
# turmlabor
- &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
@ -194,3 +195,12 @@ creation_rules:
- *admin_marenz-2
age:
- *traffic-stop-box-10
- path_regex: secrets/tram-borzoi/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
- *admin_revol-xut
- *admin_marenz-1
- *admin_marenz-2
age:
- *tram-borzoi
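Review bot: The `&tram-borzoi` recipient added at L17 is byte-for-byte the same age public key as `&notice-me-senpai` on L16, and the new secrets file is encrypted to exactly that one recipient (L409). The new host derives its age identity from its own `/etc/ssh/ssh_host_ed25519_key` (`sops.age.sshKeyPaths` in the host config), so this only works if tram-borzoi is deployed with notice-me-senpai's host key; otherwise the VM cannot decrypt `wg-seckey` and the two postgres passwords, while notice-me-senpai can. If this is a copy-paste placeholder, replace L17 with the key derived from the new VM's actual host key (`ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` on the VM) and re-run `sops updatekeys` on the tram-borzoi secrets file.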


@ -1,5 +1,27 @@
{
"nodes": {
"borzoi": {
"inputs": {
"naersk": "naersk",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1684403585,
"narHash": "sha256-YdMKJEwyf+VTxLWx5eeVxpv39lsMvPAlHIhGx7kFoCc=",
"owner": "tlm-solutions",
"repo": "borzoi",
"rev": "a5ba8a9fd4c2d826593091945c3b29d65b614b73",
"type": "github"
},
"original": {
"owner": "tlm-solutions",
"repo": "borzoi",
"type": "github"
}
},
"bureaucrat": {
"inputs": {
"crane": "crane",
@ -30,7 +52,7 @@
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
"utils": "utils_2"
},
"locked": {
"lastModified": 1682901220,
@ -156,10 +178,10 @@
"datacare": {
"inputs": {
"fenix": "fenix",
"naersk": "naersk",
"naersk": "naersk_2",
"nixpkgs": "nixpkgs_2",
"tlms-rs": "tlms-rs",
"utils": "utils_2"
"utils": "utils_3"
},
"locked": {
"lastModified": 1684100761,
@ -413,7 +435,7 @@
"naersk": {
"inputs": {
"nixpkgs": [
"datacare",
"borzoi",
"nixpkgs"
]
},
@ -432,6 +454,27 @@
}
},
"naersk_2": {
"inputs": {
"nixpkgs": [
"datacare",
"nixpkgs"
]
},
"locked": {
"lastModified": 1679567394,
"narHash": "sha256-ZvLuzPeARDLiQUt6zSZFGOs+HZmE+3g4QURc8mkBsfM=",
"owner": "nix-community",
"repo": "naersk",
"rev": "88cd22380154a2c36799fe8098888f0f59861a15",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"naersk_3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -517,6 +560,7 @@
},
"root": {
"inputs": {
"borzoi": "borzoi",
"bureaucrat": "bureaucrat",
"chemo": "chemo",
"data-accumulator": "data-accumulator",
@ -528,7 +572,7 @@
"kindergarten": "kindergarten",
"lizard": "lizard",
"microvm": "microvm",
"naersk": "naersk_2",
"naersk": "naersk_3",
"nixpkgs": "nixpkgs_3",
"sops-nix": "sops-nix",
"telegram-decoder": "telegram-decoder",
@ -814,6 +858,21 @@
}
},
"utils": {
"locked": {
"lastModified": 1680776469,
"narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"inputs": {
"systems": "systems"
},
@ -831,7 +890,7 @@
"type": "github"
}
},
"utils_2": {
"utils_3": {
"inputs": {
"systems": "systems_2"
},


@ -104,10 +104,15 @@
url = "github:tlm-solutions/chemo";
inputs.nixpkgs.follows = "nixpkgs";
};
borzoi = {
url = "github:tlm-solutions/borzoi";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
inputs@{ self
, borzoi
, data-accumulator
, datacare
, documentation-src
@ -360,6 +365,21 @@
];
};
tram-borzoi = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
microvm.nixosModules.microvm
borzoi.nixosModules.default
{ nixpkgs.overlays = [ borzoi.overlays.default ]; }
./modules/TLMS
./hosts/tram-borzoi
];
};
};
apps."x86_64-linux".mctest = {
type = "app";


@ -0,0 +1,28 @@
{ config, ... }:
let
borzoi-port = 8080;
in
{
networking.firewall.allowedTCPPorts = [ borzoi-port ];
TLMS.borzoi = {
enable = true;
http = {
host = "0.0.0.0";
port = borzoi-port;
};
database = {
host = "127.0.0.1";
port = config.services.postgresql.port;
passwordFile = config.sops.secrets.postgres-borzoi-pw.path;
user = "borzoi";
database = "borzoi";
};
};
systemd.services."borzoi" = {
after = [ "postgresql.service" ];
wants = [ "postgresql.service" ];
};
}
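Review bot: `networking.firewall.allowedTCPPorts = [ borzoi-port ]` on L216 together with `host = "0.0.0.0"` on L220 makes the borzoi HTTP endpoint reachable on every interface of the VM, including the 172.20.73.38/25 uplink configured for this host, not only the WireGuard side. If the service is only meant for peers on the wg network, bind it to that address and scope the firewall exception per interface, e.g. `host = config.deployment-TLMS.net.wg.addr4;` and `networking.firewall.interfaces.<wg-iface>.allowedTCPPorts = [ borzoi-port ];` (the wg interface name is not visible in this commit). If exposure on the uplink is intended, a one-line comment next to L216 stating that would stop the next reader from "fixing" it.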


@ -0,0 +1,100 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, self, ... }:
let
mac_addr = "00:de:5b:f9:e2:fe";
in
{
imports = [
./borzoi.nix
./postgres.nix
];
microvm = {
vcpu = 2;
mem = 1024 * 2;
hypervisor = "cloud-hypervisor";
socket = "${config.networking.hostName}.socket";
interfaces = [{
type = "tap";
id = "serv-dvb-borz";
mac = mac_addr;
}];
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
{
source = "/var/lib/microvms/tram-borzoi/etc";
mountPoint = "/etc";
tag = "etc";
proto = "virtiofs";
socket = "etc.socket";
}
{
source = "/var/lib/microvms/tram-borzoi/var";
mountPoint = "/var";
tag = "var";
proto = "virtiofs";
socket = "var.socket";
}];
};
networking.hostName = "tram-borzoi";
time.timeZone = "Europe/Berlin";
networking.useNetworkd = true;
sops.defaultSopsFile = ../../secrets/tram-borzoi/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.wg-seckey = {
owner = config.users.users.systemd-network.name;
};
deployment-TLMS.net = {
iface.uplink = {
name = "ens3";
mac = mac_addr;
matchOn = "mac";
useDHCP = false;
addr4 = "172.20.73.38/25";
dns = [ "172.20.73.8" "9.9.9.9" ];
routes = [
{
routeConfig = {
Gateway = "172.20.73.1";
GatewayOnLink = true;
Destination = "0.0.0.0/0";
};
}
];
};
wg = {
addr4 = "10.13.37.8";
prefix4 = 24;
privateKeyFile = config.sops.secrets.wg-seckey.path;
publicKey = "wCW+r5kAaIarvZUWf4KsJNetyHobP0nNy5QOhqmsCCs=";
};
};
deployment-TLMS.domain = "staging.tlm.solutions";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}
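Review bot: The `/etc` share at L270–L275 deserves a comment, because `sops.age.sshKeyPaths` on L288 points at `/etc/ssh/ssh_host_ed25519_key`, so the age identity that unlocks this host's secrets actually lives on the hypervisor under `/var/lib/microvms/tram-borzoi/etc` and is readable to anyone with access to that directory there. Suggested comment above the share: `# /etc persists on the hypervisor; it holds the SSH host key sops uses as this VM's age identity`. The template boilerplate at L240–L242 and L318–L324 (including the "Did you read the comment?" tail) could be trimmed to the bare `system.stateVersion` line in a curated hosts tree.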


@ -0,0 +1,75 @@
{ lib, pkgs, config, inputs, self, ... }: {
sops.secrets.postgres-borzoi-pw = {
owner = config.users.users.postgres.name;
};
sops.secrets.postgres-borzoi-grafana-pw = {
owner = config.users.users.postgres.name;
};
services.postgresql = {
enable = true;
enableTCPIP = true;
port = 5432;
authentication =
let
senpai-ip = self.nixosConfigurations.notice-me-senpai.config.deployment-TLMS.net.wg.addr4;
in
pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host tlms grafana ${senpai-ip}/32 trust
host borzoi grafana ${senpai-ip}/32 trust
'';
package = pkgs.postgresql_14;
ensureDatabases = [ "borzoi" ];
ensureUsers = [
{
name = "grafana";
}
{
name = "borzoi";
ensurePermissions = {
"DATABASE borzoi" = "ALL PRIVILEGES";
"ALL TABLES IN SCHEMA public" = "ALL";
};
}
];
};
environment.systemPackages = [ inputs.tlms-rs.packages.x86_64-linux.run-migration-based ];
systemd.services.postgresql = {
unitConfig = {
TimeoutStartSec = 3000;
};
serviceConfig = {
TimeoutSec = lib.mkForce 3000;
};
postStart = lib.mkAfter ''
# set pw for the users
$PSQL -c "ALTER ROLE grafana WITH PASSWORD '$(cat ${config.sops.secrets.postgres-borzoi-grafana-pw.path})';"
$PSQL -c "ALTER ROLE borzoi WITH PASSWORD '$(cat ${config.sops.secrets.postgres-borzoi-pw.path})';"
# fixup permissions
# tlms is practically root, we need to FIXME something about it
$PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
$PSQL -d borzoi -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO borzoi;"
$PSQL -d borzoi -c "GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO borzoi;"
# Get graphana to SELECT from tables that might be interesting for it
$PSQL -c "GRANT CONNECT ON DATABASE borzoi TO grafana;"
$PSQL -d borzoi -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana;"
unset DATABASE_URL
# borzoi setup
export DATABASE_URL=postgres:///borzoi
${inputs.borzoi.packages.x86_64-linux.run-migration-borzoi}/bin/run-migration
$PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
unset DATABASE_URL
'';
};
}
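Review bot: The pg_hba rules at L346–L350 use `trust` for every local and loopback connection and for grafana's connections from the senpai WireGuard address, so the passwords set via `ALTER ROLE` on L377–L378 are never checked: borzoi's `passwordFile` (used over 127.0.0.1) is decorative and any process inside the VM can connect as the `postgres` superuser over loopback. Since the roles already receive passwords in postStart (PostgreSQL 14 stores them as scram-sha-256 by default), the remote rule at least should be `host borzoi grafana ${senpai-ip}/32 scram-sha-256`, and the `host tlms grafana` line on L349 names a database this host does not create and looks copied from another host. A second, smaller issue is that `'$(cat ...)'` on L377–L378 places the cleartext password in psql's argv, visible in `/proc/*/cmdline` for the duration of the call; feeding the statement on stdin, e.g. `printf "ALTER ROLE borzoi WITH PASSWORD '%s';" "$(cat ${config.sops.secrets.postgres-borzoi-pw.path})" | $PSQL`, avoids that. L391 repeats the GRANT from L381, and the "tlms is practically root" comment on L380 does not describe anything in this file.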


@ -0,0 +1,93 @@
wg-seckey: ENC[AES256_GCM,data:PfKIAUNBNgeAijs14J8K/6F/lojlelCVKnuVZUVvKkDSjPSW0PEVrx9RGI4=,iv:eoP8jKpjjBrcc4oM2i5Ew58qXiUQOW95PcesAuhB2DA=,tag:G7oU/x3fquO15JvlSzMTDQ==,type:str]
postgres-borzoi-pw: ENC[AES256_GCM,data:MExagupDQI9EGUJSne8H93Q2JJlH2KcCL0/Y8ChIlWIyXnMZna9jdA==,iv:BHGIW2OGQzta8je1bG3lQd+NYsTmgufyrlHAaa2lyZc=,tag:FixjyaGLcHiWQr+KOMRDAw==,type:str]
postgres-borzoi-grafana-pw: ENC[AES256_GCM,data:Sh6qrCTknaNufBGEATcJqnPYFIeKrmNNTLTmtNWN5u0x6j6DvVnRxw==,iv:oTiSS6J1O1QW2thNlcbxlg25vdc+T82mKjML1Rrz2VY=,tag:hYeAIdcKiaLhJDoD957keQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOd3RabkxMaUU5QTJ6eFk3
Njd5cDdvWCtZcjYvOTRINE5ZY1RWZUZkelhFClhSVTdaN3VDSVc4Q0dWTGhEV0tn
V2t2bDhMS0JNeHYwWlhlWGIvaHdKQk0KLS0tIEZDdUgxYS9tMU4zNTBMb1Exbmhk
NUwrdFR3WFdFc1pqZmh5eXR3SXB6VEEKt//RX2umvJnlaAgeKoSqDFO++mmjbwQZ
N58GaxFx2JYC9Mc01szqOM5yc6qMrvBqdXm7x02SboMzTZ7qWywMyw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-19T16:48:23Z"
mac: ENC[AES256_GCM,data:la7JNr0IQO5CVqbFj0XCRWNNkR1NnjFt92myTswHIqInOGXNh0L2ZfJHoIAZdNYz6IzdazNMYhMO4VPECKV0HzT97OVHv3HZ1Na8ctbCEc+s8NqHD+52x1crvhsINil6iWNFydMdYkG+OF9fME2VZYpMtE09h9k9gqxrCoq3USw=,iv:xKJdbgFXK5tlOv3dixeMTrwycD6eaz+tnivUGYgkKlQ=,tag:7Hnf5jlN5SKezNrh4Q30ug==,type:str]
pgp:
- created_at: "2023-05-19T16:11:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7AQ/+LoIfVnhOMZHoZOJeaUkNc3lPN5uTTfeX3uSK/UKH3/nn
4zhRuOFLWEChhsKIRdHqgCcltP9EYEvgDPX2ap0pRblbAp8ocljSltv8DWqwWSJL
LezV0yDNOH719Q/czI8PIducptlYTelSbLyfMrC60rJHR2MeYn35+kMuJ2Pr0Hg+
fAv4UsCE4Tq2WbqGHOdjAmwCRvBObhQLzk08M6QwXcai75VFBVClqkF/H1QBhfrq
YpHhrV7+Pi31FijLp4OAwFaLoB5Z9ZVs3sHWn/qnnh/GSxbk/cMReG5oUXRljuvf
DNWd2ZDvL+BN5aU1I2JtabTqdZsZQyNJkXYjQjeDbNpytiF+VTozbnDJRcNdhdA0
X8OUf5FfDYcmA6oeiDWuzXXbU7u4rihw2afE5PyxwOxr/b8dfkrm1UzOosXfnB1R
c3qUQ85Yk1ju9gox7IKa+DSUCoYDrravfeQ1p7ZxsRdPAYh1mSFujvMWJyAwn+vH
uYtNInuhr584ld5QQ+iXywFYrBicRtMYpalEsPClYPeV/xPySPaSr5MiPuynLuDr
nvi9v8oGf9pv1rgNEZusgJAfyC1durSSqeNPeomnHDYHg1pObulrY0igprwTGDdH
Dr/0DTu9uCwAV47/M/eThvfam2xOlHiZOMgna76vvafKCaUgQIg+HKw5tGV5IGjS
UQGr2aoPYCaH8H9gBLHQjdBMSqf7l5FTJe0GDPvpxnqrp3+utY1gjhJv2lzbdyIl
nGegpQ/MOJI3Adyad55NvVVXnLOJIF/1y5a++7pqkm4JsQ==
=8sFk
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-05-19T16:11:28Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJAQ//SFlxklZd5bS7zu2y7LSzrFiW5TEH43uoGYHYyU+E9cWl
+4nMJAqSdSD54wiVPfLjelMuwwN9LT3ljsA9C1ZPSxf9WYx175637TG+LFQpBnsj
Tzq2g1Ozl1rZe88UQ71DlT93zaarvyX7xNNNYNmbVHygHKED4wBVuKc9X3LMru/p
anpYJtex/uZJHs6rm0oJigFSQlZem9U9spYfPUY+Ak7kSOhJWfK74Sy/Q2sl6+8i
vFJMA8zAcfZDSEO+ugKODfe0gTdlNnrI+lNdSVNvl8j8QLE8QuxpkEbR7r0Iv5ov
dnPeWZiKBpTzj5FRn9YZw1eilWg4qaLNFzHvXHabtKelODof/ErgQx6UNlMLkDxu
0o4J2mck42d/55U0b+hsZFrUQcKDfBiIeukbiQDf2zxeAwR4qXXrbRjr+B7cbZou
akbtFuoRjzAJPQ9V/Z4Dw39JqIgtcqlxby4gXYLYt5ib4p2iubuXr3sYQbFSq0RR
94qo42RrSdj0z4IjXGSHYhgtJAqAW1fu+JfhOCheEwFWhXFoEML83mQXu6uCjTRD
KITyzzi7FbMRc/JTVnaf51dZuHVKfAx8oSSQY5uLN+49mDuZcPDqoHv7OAqL8TDw
FQEfuo4+hQuF0CBXLQF64NUsvu4UTpqrEibUiwv53KdryFYal4O6qxGfIrxg9mrS
XgFznbitnQjifKdVNYHvly8oVwlNbgm6czRR4xpr+Eiu6KvdWnDUgwsRVoWEbd9L
cFaCiRQFBoq8dTlM4bDccUIOHEnFMsSM8VWhQRKvlOslBqSWhUUSutAiDkO1Wbo=
=Uqfw
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-05-19T16:11:28Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA1N/l9+zlMQzAQf+JBODNlse25vm5iZ8r75BgYmUk5cXgCkNu9jL5Vw1nB+U
T3H4hlsQgpFQevgbLzYO+mxQbH2iGgVrnYukqgKJZT7880UgVkiriplD8GFD81na
1g48v6gDuPDwNU1hLmevbDL+AlZaa/oedQsJI1k2KnluxWfRp2jq84oiIf1sAr/g
q960mN+MLR18heBnNrL6dFzvWMNRqmB0GX/34/IZc1w24C/SyOC0KRnQUz1zZvSX
PO28/cJrW5wC3MqE/Z/Luxn93R6axCNBE4zBDudVlwO7BdL99Umz6M+kXIU+m00/
UwUJAj0LBMEcM7c69BAihe271SF6AJmhMyPefQkJMtJeAc3fG71dfkuX6L6DOmUV
LQKGizRkR+qvTEgb5Sq+pweLLFuRSwjgQqhPCk4nJehQfw/eImm60GueUYFTB2Wa
LkiTgFv6zo2yFv5UsJkbjE0v8tYMQHRbXIWTtPrk3g==
=Lco9
-----END PGP MESSAGE-----
fp: 069836A578F7939612DB4934F77D0F7E247A1EE4
- created_at: "2023-05-19T16:11:28Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA1N/l9+zlMQzAQf/fBl9uGEZBONjjeD99zRplUg0OBixaS4qkqvOImdcSp4N
fofqYSvEN8YDkHcgyoX/2qZZSyx3Sp2vOLa/ETzMkAerJFxPcaWYUWRWxRNSWBmu
XYw5pmETQx6fVQd0gz8P9P9+TmpoXA3hvpOpA+eBYogYsDmwAqxqzV8NIxiVhEVs
v2B+HDxMmnN/GGUeDjKDiHpdYEcuhc81cbNA71qAWHBi6UY/l4vgxyBbyviyF6kf
bMM0zpZ5AbPX+YT2OrqPLYaCGMfdmU1ilhgNcrsxsmBWc8M9dY1hG/RKjGO1LWeP
kXjBoUdtXE25ZgFSDXHoFOhYo40WI6BR1+Fa2lv8J9JeAd/F0dvF6d/24oDu806k
3OSo7ZYRjkoWRj1cbWE4rRu2YT9fZDRkHmrLEnmGY02nOG3EAIruApfLbTaOq6vb
kUdsD/VLRVjXrjZE7t777m5fo+4xOR9jmko2NKKcuQ==
=RFJ7
-----END PGP MESSAGE-----
fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433
unencrypted_suffix: _unencrypted
version: 3.7.3