From 7e25e245f5b32375ee4815226822d0e190bde64f Mon Sep 17 00:00:00 2001 From: Grigory Shipunov Date: Fri, 19 May 2023 19:08:52 +0200 Subject: [PATCH] add borzoi --- .sops.yaml | 10 ++++ flake.lock | 71 ++++++++++++++++++++-- flake.nix | 20 +++++++ hosts/tram-borzoi/borzoi.nix | 28 +++++++++ hosts/tram-borzoi/default.nix | 100 +++++++++++++++++++++++++++++++ hosts/tram-borzoi/postgres.nix | 75 +++++++++++++++++++++++ secrets/tram-borzoi/secrets.yaml | 93 ++++++++++++++++++++++++++++ 7 files changed, 391 insertions(+), 6 deletions(-) create mode 100644 hosts/tram-borzoi/borzoi.nix create mode 100644 hosts/tram-borzoi/default.nix create mode 100644 hosts/tram-borzoi/postgres.nix create mode 100644 secrets/tram-borzoi/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 3c09e37..1e74c81 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,7 @@ keys:
 - &data-hoarder-staging age1m4g4y5ga2m8xdvs7rarda3tyk4gtkyta6pfyq2n3xmy47z20kfxq73m8r8
 - &data-hoarder-borken age10wj28zkuy3ewmv6hmup7849667qmevgdv4gxa8vyljye7mpu7shsjt4jeh
 - ¬ice-me-senpai age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
+ - &tram-borzoi age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4
 # turmlabor
 - &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
@@ -194,3 +195,12 @@ creation_rules:
 - *admin_marenz-2
 age:
 - *traffic-stop-box-10
+ - path_regex: secrets/tram-borzoi/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ - *admin_revol-xut
+ - *admin_marenz-1
+ - *admin_marenz-2
+ age:
+ - *tram-borzoi
diff --git a/flake.lock b/flake.lock
index f4f32b3..2be40b7 100644
--- a/flake.lock
+++ b/flake.lock
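Review bot: The new `&tram-borzoi` anchor carries exactly the same age recipient as the `notice-me-senpai` anchor two lines above it (age1wxewmz…kqm07fv4), so `secrets/tram-borzoi/secrets.yaml` ends up encrypted to notice-me-senpai's key and not to a key of its own. With `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` on the new host, decryption only works if tram-borzoi shares that host key, in which case each machine can read the other's secrets (the wireguard private key and both database passwords); if it does not, the VM boots without its secrets. Derive the recipient from tram-borzoi's own host key (ssh-to-age) and re-encrypt the file, then the creation rule in the second hunk lists only that key.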
@@ -1,5 +1,27 @@ { "nodes": { + "borzoi": { + "inputs": { + "naersk": "naersk", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1684403585, + "narHash": "sha256-YdMKJEwyf+VTxLWx5eeVxpv39lsMvPAlHIhGx7kFoCc=", + "owner": "tlm-solutions", + "repo": "borzoi", + "rev": "a5ba8a9fd4c2d826593091945c3b29d65b614b73", + "type": "github" + }, + "original": { + "owner": "tlm-solutions", + "repo": "borzoi", + "type": "github" + } + }, "bureaucrat": { "inputs": { "crane": "crane", @@ -30,7 +52,7 @@ "nixpkgs": [ "nixpkgs" ], - "utils": "utils" + "utils": "utils_2" }, "locked": { "lastModified": 1682901220, @@ -156,10 +178,10 @@ "datacare": { "inputs": { "fenix": "fenix", - "naersk": "naersk", + "naersk": "naersk_2", "nixpkgs": "nixpkgs_2", "tlms-rs": "tlms-rs", - "utils": "utils_2" + "utils": "utils_3" }, "locked": { "lastModified": 1684100761, @@ -413,7 +435,7 @@ "naersk": { "inputs": { "nixpkgs": [ - "datacare", + "borzoi", "nixpkgs" ] }, @@ -432,6 +454,27 @@ } }, "naersk_2": { + "inputs": { + "nixpkgs": [ + "datacare", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1679567394, + "narHash": "sha256-ZvLuzPeARDLiQUt6zSZFGOs+HZmE+3g4QURc8mkBsfM=", + "owner": "nix-community", + "repo": "naersk", + "rev": "88cd22380154a2c36799fe8098888f0f59861a15", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, + "naersk_3": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -517,6 +560,7 @@ }, "root": { "inputs": { + "borzoi": "borzoi", "bureaucrat": "bureaucrat", "chemo": "chemo", "data-accumulator": "data-accumulator", @@ -528,7 +572,7 @@ "kindergarten": "kindergarten", "lizard": "lizard", "microvm": "microvm", - "naersk": "naersk_2", + "naersk": "naersk_3", "nixpkgs": "nixpkgs_3", "sops-nix": "sops-nix", "telegram-decoder": "telegram-decoder", 
@@ -814,6 +858,21 @@
 }
 },
 "utils": {
+ "locked": {
+ "lastModified": 1680776469,
+ "narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "utils_2": {
 "inputs": {
 "systems": "systems"
 },
@@ -831,7 +890,7 @@
 "type": "github"
 }
 },
- "utils_2": {
+ "utils_3": {
 "inputs": {
 "systems": "systems_2"
 },
diff --git a/flake.nix b/flake.nix
index 901b017..c76674b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -104,10 +104,15 @@
 url = "github:tlm-solutions/chemo";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ borzoi = {
+ url = "github:tlm-solutions/borzoi";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = inputs@{ self
+ , borzoi
 , data-accumulator
 , datacare
 , documentation-src
@@ -360,6 +365,21 @@
 ];
 };
+ tram-borzoi = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs self; };
+ modules = [
+ sops-nix.nixosModules.sops
+ microvm.nixosModules.microvm
+
+ borzoi.nixosModules.default
+ { nixpkgs.overlays = [ borzoi.overlays.default ]; }
+
+ ./modules/TLMS
+ ./hosts/tram-borzoi
+ ];
+ };
+
 };
 apps."x86_64-linux".mctest = {
 type = "app";
diff --git a/hosts/tram-borzoi/borzoi.nix b/hosts/tram-borzoi/borzoi.nix
new file mode 100644
index 0000000..f832ed3
--- /dev/null
+++ b/hosts/tram-borzoi/borzoi.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+let
+ borzoi-port = 8080;
+in
+{
+ networking.firewall.allowedTCPPorts = [ borzoi-port ];
+
+ TLMS.borzoi = {
+ enable = true;
+ http = {
+ host = "0.0.0.0";
+ port = borzoi-port;
+ };
+ database = {
+ host = "127.0.0.1";
+ port = config.services.postgresql.port;
+ passwordFile = config.sops.secrets.postgres-borzoi-pw.path;
+ user = "borzoi";
+ database = "borzoi";
+ };
+ };
+
+ systemd.services."borzoi" = {
+ after = [ "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+ };
+
+}
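Review bot: `database.passwordFile` points at `config.sops.secrets.postgres-borzoi-pw.path`, but that secret is declared in postgres.nix with `owner = config.users.users.postgres.name` and sops-nix's default mode of 0400, so the borzoi service can only read it if it runs as the postgres user, which the module's service user (not visible here) presumably does not; either give borzoi its own secret or set `mode = "0440"` plus a shared `group` on this one. Separately, `http.host = "0.0.0.0"` together with the interface-agnostic `networking.firewall.allowedTCPPorts = [ borzoi-port ]` exposes the API on every interface, including the wireguard one; if only the uplink is meant to serve clients, `networking.firewall.interfaces.ens3.allowedTCPPorts = [ borzoi-port ];` narrows it. `wants` also lets borzoi start when postgresql fails; `requires` holds it back, if that is the intent.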
diff --git a/hosts/tram-borzoi/default.nix b/hosts/tram-borzoi/default.nix
new file mode 100644
index 0000000..8b46048
--- /dev/null
+++ b/hosts/tram-borzoi/default.nix
@@ -0,0 +1,100 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, self, ... }:
+let
+ mac_addr = "00:de:5b:f9:e2:fe";
+in
+{
+ imports = [
+ ./borzoi.nix
+ ./postgres.nix
+ ];
+ microvm = {
+ vcpu = 2;
+ mem = 1024 * 2;
+ hypervisor = "cloud-hypervisor";
+ socket = "${config.networking.hostName}.socket";
+
+ interfaces = [{
+ type = "tap";
+ id = "serv-dvb-borz";
+ mac = mac_addr;
+ }];
+
+ shares = [{
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }
+ {
+ source = "/var/lib/microvms/tram-borzoi/etc";
+ mountPoint = "/etc";
+ tag = "etc";
+ proto = "virtiofs";
+ socket = "etc.socket";
+ }
+ {
+ source = "/var/lib/microvms/tram-borzoi/var";
+ mountPoint = "/var";
+ tag = "var";
+ proto = "virtiofs";
+ socket = "var.socket";
+ }];
+ };
+
+ networking.hostName = "tram-borzoi";
+
+ time.timeZone = "Europe/Berlin";
+
+ networking.useNetworkd = true;
+
+
+ sops.defaultSopsFile = ../../secrets/tram-borzoi/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets.wg-seckey = {
+ owner = config.users.users.systemd-network.name;
+ };
+ deployment-TLMS.net = {
+ iface.uplink = {
+ name = "ens3";
+ mac = mac_addr;
+ matchOn = "mac";
+ useDHCP = false;
+ addr4 = "172.20.73.38/25";
+ dns = [ "172.20.73.8" "9.9.9.9" ];
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "172.20.73.1";
+ GatewayOnLink = true;
+ Destination = "0.0.0.0/0";
+ };
+ }
+ ];
+ };
+
+ wg = {
+ addr4 = "10.13.37.8";
+ prefix4 = 24;
+ privateKeyFile = config.sops.secrets.wg-seckey.path;
+ publicKey = "wCW+r5kAaIarvZUWf4KsJNetyHobP0nNy5QOhqmsCCs=";
+ };
+
+ };
+
+ deployment-TLMS.domain = "staging.tlm.solutions";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+}
diff --git a/hosts/tram-borzoi/postgres.nix b/hosts/tram-borzoi/postgres.nix
new file mode 100644
index 0000000..2f1ceb2
--- /dev/null
+++ b/hosts/tram-borzoi/postgres.nix
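Review bot: `sops.age.sshKeyPaths` names `/etc/ssh/ssh_host_ed25519_key`, and `/etc` is a virtiofs share backed by `/var/lib/microvms/tram-borzoi/etc` on the hypervisor, so the key that decrypts every secret of this host sits in the clear on the host filesystem and its confidentiality depends on that directory's permissions; a comment on the `etc` share such as `# also holds the sops/age host key: keep host-side access to this path restricted` would make that dependency visible to the next maintainer. The `# Edit this configuration file …` header and the long stateVersion paragraph are the stock nixos-generate-config text, and `system.stateVersion = "21.11"` for a VM created in 2023 looks inherited from another host rather than chosen; confirm it, since it selects stateful defaults, and trim the boilerplate.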
@@ -0,0 +1,75 @@
+{ lib, pkgs, config, inputs, self, ... }: {
+
+ sops.secrets.postgres-borzoi-pw = {
+ owner = config.users.users.postgres.name;
+ };
+ sops.secrets.postgres-borzoi-grafana-pw = {
+ owner = config.users.users.postgres.name;
+ };
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ port = 5432;
+ authentication =
+ let
+ senpai-ip = self.nixosConfigurations.notice-me-senpai.config.deployment-TLMS.net.wg.addr4;
+ in
+ pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host tlms grafana ${senpai-ip}/32 trust
+ host borzoi grafana ${senpai-ip}/32 trust
+ '';
+ package = pkgs.postgresql_14;
+ ensureDatabases = [ "borzoi" ];
+ ensureUsers = [
+ {
+ name = "grafana";
+ }
+ {
+ name = "borzoi";
+ ensurePermissions = {
+ "DATABASE borzoi" = "ALL PRIVILEGES";
+ "ALL TABLES IN SCHEMA public" = "ALL";
+ };
+ }
+ ];
+ };
+
+ environment.systemPackages = [ inputs.tlms-rs.packages.x86_64-linux.run-migration-based ];
+
+ systemd.services.postgresql = {
+ unitConfig = {
+ TimeoutStartSec = 3000;
+ };
+ serviceConfig = {
+ TimeoutSec = lib.mkForce 3000;
+ };
+ postStart = lib.mkAfter ''
+ # set pw for the users
+ $PSQL -c "ALTER ROLE grafana WITH PASSWORD '$(cat ${config.sops.secrets.postgres-borzoi-grafana-pw.path})';"
+ $PSQL -c "ALTER ROLE borzoi WITH PASSWORD '$(cat ${config.sops.secrets.postgres-borzoi-pw.path})';"
+
+ # fixup permissions
+ # tlms is practically root, we need to FIXME something about it
+ $PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
+ $PSQL -d borzoi -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO borzoi;"
+ $PSQL -d borzoi -c "GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO borzoi;"
+
+ # Get graphana to SELECT from tables that might be interesting for it
+ $PSQL -c "GRANT CONNECT ON DATABASE borzoi TO grafana;"
+ $PSQL -d borzoi -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana;"
+
+ unset DATABASE_URL
+
+ # borzoi setup
+ export DATABASE_URL=postgres:///borzoi
+
+ ${inputs.borzoi.packages.x86_64-linux.run-migration-borzoi}/bin/run-migration
+ $PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
+
+ unset DATABASE_URL
+ '';
+ };
+}
diff --git a/secrets/tram-borzoi/secrets.yaml b/secrets/tram-borzoi/secrets.yaml
new file mode 100644
index 0000000..ba6eb4c
--- /dev/null
+++ b/secrets/tram-borzoi/secrets.yaml
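Review bot: In `postStart`, the `GRANT … ON ALL TABLES/SEQUENCES IN SCHEMA public TO borzoi` and `GRANT SELECT … TO grafana` statements run before `run-migration`, so on a fresh host the tables the migration creates get no grants (only `GRANT ALL ON DATABASE` is repeated afterwards), the `ensurePermissions` entries that NixOS applies earlier in the same postStart are in the same position, and the role only works once the next restart re-runs the script. The migration also runs as the postgres superuser because `DATABASE_URL=postgres:///borzoi` is used from inside the postgres unit, which is why these grants are needed at all; moving them after the migration, or adding `ALTER DEFAULT PRIVILEGES`, fixes the first boot. The password setup passes each secret through psql's command line via `-c "… '$(cat …)'"`, so it is readable in `/proc/*/cmdline` and is spliced into SQL without escaping (a `'` in a generated password breaks the statement); piping a heredoc into psql and using `\set` with `:'var'` interpolation keeps it out of argv and quotes it properly. Finally, the `pg_hba` rules give `trust` to exactly the sources these passwords are meant for (loopback and `${senpai-ip}/32`), so the passwords are never checked, and the `host tlms grafana` line names a database this host does not create; `scram-sha-256` on the grafana lines and dropping the `tlms` one would make the passwords meaningful.
```nix
    postStart = lib.mkAfter ''
      # set pw for the users: psql reads the files itself, so the secrets stay
      # out of the process argv and :'var' quotes them as SQL literals
      $PSQL <<'EOF'
      \set grafana_pw `cat ${config.sops.secrets.postgres-borzoi-grafana-pw.path}`
      \set borzoi_pw `cat ${config.sops.secrets.postgres-borzoi-pw.path}`
      ALTER ROLE grafana WITH PASSWORD :'grafana_pw';
      ALTER ROLE borzoi WITH PASSWORD :'borzoi_pw';
      EOF

      # borzoi setup: migrate first so the grants below cover the tables it creates
      unset DATABASE_URL
      export DATABASE_URL=postgres:///borzoi
      ${inputs.borzoi.packages.x86_64-linux.run-migration-borzoi}/bin/run-migration
      unset DATABASE_URL

      # fixup permissions
      $PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
      $PSQL -d borzoi -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO borzoi;"
      $PSQL -d borzoi -c "GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO borzoi;"

      # Get grafana to SELECT from tables that might be interesting for it
      $PSQL -c "GRANT CONNECT ON DATABASE borzoi TO grafana;"
      $PSQL -d borzoi -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana;"
    '';
```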
@@ -0,0 +1,93 @@ +wg-seckey: ENC[AES256_GCM,data:PfKIAUNBNgeAijs14J8K/6F/lojlelCVKnuVZUVvKkDSjPSW0PEVrx9RGI4=,iv:eoP8jKpjjBrcc4oM2i5Ew58qXiUQOW95PcesAuhB2DA=,tag:G7oU/x3fquO15JvlSzMTDQ==,type:str] +postgres-borzoi-pw: ENC[AES256_GCM,data:MExagupDQI9EGUJSne8H93Q2JJlH2KcCL0/Y8ChIlWIyXnMZna9jdA==,iv:BHGIW2OGQzta8je1bG3lQd+NYsTmgufyrlHAaa2lyZc=,tag:FixjyaGLcHiWQr+KOMRDAw==,type:str] +postgres-borzoi-grafana-pw: ENC[AES256_GCM,data:Sh6qrCTknaNufBGEATcJqnPYFIeKrmNNTLTmtNWN5u0x6j6DvVnRxw==,iv:oTiSS6J1O1QW2thNlcbxlg25vdc+T82mKjML1Rrz2VY=,tag:hYeAIdcKiaLhJDoD957keQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1wxewmzwlzgtsmr29tnu76n30kv29ra5p0ptvr2e3f3ymkqh569kqm07fv4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOd3RabkxMaUU5QTJ6eFk3 + Njd5cDdvWCtZcjYvOTRINE5ZY1RWZUZkelhFClhSVTdaN3VDSVc4Q0dWTGhEV0tn + V2t2bDhMS0JNeHYwWlhlWGIvaHdKQk0KLS0tIEZDdUgxYS9tMU4zNTBMb1Exbmhk + NUwrdFR3WFdFc1pqZmh5eXR3SXB6VEEKt//RX2umvJnlaAgeKoSqDFO++mmjbwQZ + N58GaxFx2JYC9Mc01szqOM5yc6qMrvBqdXm7x02SboMzTZ7qWywMyw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-19T16:48:23Z" + mac: ENC[AES256_GCM,data:la7JNr0IQO5CVqbFj0XCRWNNkR1NnjFt92myTswHIqInOGXNh0L2ZfJHoIAZdNYz6IzdazNMYhMO4VPECKV0HzT97OVHv3HZ1Na8ctbCEc+s8NqHD+52x1crvhsINil6iWNFydMdYkG+OF9fME2VZYpMtE09h9k9gqxrCoq3USw=,iv:xKJdbgFXK5tlOv3dixeMTrwycD6eaz+tnivUGYgkKlQ=,tag:7Hnf5jlN5SKezNrh4Q30ug==,type:str] + pgp: + - created_at: "2023-05-19T16:11:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ/+LoIfVnhOMZHoZOJeaUkNc3lPN5uTTfeX3uSK/UKH3/nn + 4zhRuOFLWEChhsKIRdHqgCcltP9EYEvgDPX2ap0pRblbAp8ocljSltv8DWqwWSJL + LezV0yDNOH719Q/czI8PIducptlYTelSbLyfMrC60rJHR2MeYn35+kMuJ2Pr0Hg+ + fAv4UsCE4Tq2WbqGHOdjAmwCRvBObhQLzk08M6QwXcai75VFBVClqkF/H1QBhfrq + YpHhrV7+Pi31FijLp4OAwFaLoB5Z9ZVs3sHWn/qnnh/GSxbk/cMReG5oUXRljuvf + DNWd2ZDvL+BN5aU1I2JtabTqdZsZQyNJkXYjQjeDbNpytiF+VTozbnDJRcNdhdA0 + 
X8OUf5FfDYcmA6oeiDWuzXXbU7u4rihw2afE5PyxwOxr/b8dfkrm1UzOosXfnB1R + c3qUQ85Yk1ju9gox7IKa+DSUCoYDrravfeQ1p7ZxsRdPAYh1mSFujvMWJyAwn+vH + uYtNInuhr584ld5QQ+iXywFYrBicRtMYpalEsPClYPeV/xPySPaSr5MiPuynLuDr + nvi9v8oGf9pv1rgNEZusgJAfyC1durSSqeNPeomnHDYHg1pObulrY0igprwTGDdH + Dr/0DTu9uCwAV47/M/eThvfam2xOlHiZOMgna76vvafKCaUgQIg+HKw5tGV5IGjS + UQGr2aoPYCaH8H9gBLHQjdBMSqf7l5FTJe0GDPvpxnqrp3+utY1gjhJv2lzbdyIl + nGegpQ/MOJI3Adyad55NvVVXnLOJIF/1y5a++7pqkm4JsQ== + =8sFk + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2023-05-19T16:11:28Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJAQ//SFlxklZd5bS7zu2y7LSzrFiW5TEH43uoGYHYyU+E9cWl + +4nMJAqSdSD54wiVPfLjelMuwwN9LT3ljsA9C1ZPSxf9WYx175637TG+LFQpBnsj + Tzq2g1Ozl1rZe88UQ71DlT93zaarvyX7xNNNYNmbVHygHKED4wBVuKc9X3LMru/p + anpYJtex/uZJHs6rm0oJigFSQlZem9U9spYfPUY+Ak7kSOhJWfK74Sy/Q2sl6+8i + vFJMA8zAcfZDSEO+ugKODfe0gTdlNnrI+lNdSVNvl8j8QLE8QuxpkEbR7r0Iv5ov + dnPeWZiKBpTzj5FRn9YZw1eilWg4qaLNFzHvXHabtKelODof/ErgQx6UNlMLkDxu + 0o4J2mck42d/55U0b+hsZFrUQcKDfBiIeukbiQDf2zxeAwR4qXXrbRjr+B7cbZou + akbtFuoRjzAJPQ9V/Z4Dw39JqIgtcqlxby4gXYLYt5ib4p2iubuXr3sYQbFSq0RR + 94qo42RrSdj0z4IjXGSHYhgtJAqAW1fu+JfhOCheEwFWhXFoEML83mQXu6uCjTRD + KITyzzi7FbMRc/JTVnaf51dZuHVKfAx8oSSQY5uLN+49mDuZcPDqoHv7OAqL8TDw + FQEfuo4+hQuF0CBXLQF64NUsvu4UTpqrEibUiwv53KdryFYal4O6qxGfIrxg9mrS + XgFznbitnQjifKdVNYHvly8oVwlNbgm6czRR4xpr+Eiu6KvdWnDUgwsRVoWEbd9L + cFaCiRQFBoq8dTlM4bDccUIOHEnFMsSM8VWhQRKvlOslBqSWhUUSutAiDkO1Wbo= + =Uqfw + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2023-05-19T16:11:28Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf+JBODNlse25vm5iZ8r75BgYmUk5cXgCkNu9jL5Vw1nB+U + T3H4hlsQgpFQevgbLzYO+mxQbH2iGgVrnYukqgKJZT7880UgVkiriplD8GFD81na + 1g48v6gDuPDwNU1hLmevbDL+AlZaa/oedQsJI1k2KnluxWfRp2jq84oiIf1sAr/g + q960mN+MLR18heBnNrL6dFzvWMNRqmB0GX/34/IZc1w24C/SyOC0KRnQUz1zZvSX + PO28/cJrW5wC3MqE/Z/Luxn93R6axCNBE4zBDudVlwO7BdL99Umz6M+kXIU+m00/ + 
UwUJAj0LBMEcM7c69BAihe271SF6AJmhMyPefQkJMtJeAc3fG71dfkuX6L6DOmUV + LQKGizRkR+qvTEgb5Sq+pweLLFuRSwjgQqhPCk4nJehQfw/eImm60GueUYFTB2Wa + LkiTgFv6zo2yFv5UsJkbjE0v8tYMQHRbXIWTtPrk3g== + =Lco9 + -----END PGP MESSAGE----- + fp: 069836A578F7939612DB4934F77D0F7E247A1EE4 + - created_at: "2023-05-19T16:11:28Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf/fBl9uGEZBONjjeD99zRplUg0OBixaS4qkqvOImdcSp4N + fofqYSvEN8YDkHcgyoX/2qZZSyx3Sp2vOLa/ETzMkAerJFxPcaWYUWRWxRNSWBmu + XYw5pmETQx6fVQd0gz8P9P9+TmpoXA3hvpOpA+eBYogYsDmwAqxqzV8NIxiVhEVs + v2B+HDxMmnN/GGUeDjKDiHpdYEcuhc81cbNA71qAWHBi6UY/l4vgxyBbyviyF6kf + bMM0zpZ5AbPX+YT2OrqPLYaCGMfdmU1ilhgNcrsxsmBWc8M9dY1hG/RKjGO1LWeP + kXjBoUdtXE25ZgFSDXHoFOhYo40WI6BR1+Fa2lv8J9JeAd/F0dvF6d/24oDu806k + 3OSo7ZYRjkoWRj1cbWE4rRu2YT9fZDRkHmrLEnmGY02nOG3EAIruApfLbTaOq6vb + kUdsD/VLRVjXrjZE7t777m5fo+4xOR9jmko2NKKcuQ== + =RFJ7 + -----END PGP MESSAGE----- + fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433 + unencrypted_suffix: _unencrypted + version: 3.7.3