WIP: Add hydra

webserver: Use SIGKILL instead of SIGTERM
This is necessary because rocket 0.4 does not support SIGTERM.
2021-05-17 00:15:07 +01:00 · 2021-05-17 00:14:00 +01:00 · 2021-05-17 00:13:58 +01:00 · 2021-05-17 00:13:38 +01:00 · 2021-05-17 00:13:28 +01:00 · 2021-05-16 01:34:03 +01:00
9 changed files with 70 additions and 25 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -1,8 +1,9 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
  imports = [
    ./services/gitea.nix
    ./services/hydra.nix
    ./services/minecraft.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
@ -54,18 +55,21 @@
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    clientMaxBodySize = "10G";
    domain = "tlater.net";
    virtualHosts = let
      host = port: extra:
-        {
+        lib.recursiveUpdate {
          forceSSL = true;
          enableACME = true;
-          locations."/" = { proxyPass = "http://localhost:${toString port}"; };
+          locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
-        } // extra;
+        } extra;
      domain = config.services.nginx.domain;
    in {
-      "tlater.net" = host 3002 { serverAliases = [ "www.tlater.net" ]; };
+      "${domain}" = host 3002 { serverAliases = [ "www.${domain}" ]; };
-      "gitea.tlater.net" = host 3000 { };
+      "gitea.${domain}" = host 3000 { };
-      "nextcloud.tlater.net" = host 3001 { };
+      "nextcloud.${domain}" = host 3001 { };
      "hydra.${domain}" = host config.services.hydra.port { };
    };
  };
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -14,6 +14,7 @@
  virtualisation.pods.gitea = {
    hostname = "gitea.tlater.net";
    publish = [ "3000:3000" "2221:2221" ];
    network = "slirp4netns";
    containers = {
      gitea = {
@ -26,7 +27,6 @@
          DB_HOST = "gitea-postgres:5432";
          DB_NAME = "gitea";
          DB_USER = "gitea";
          DB_PASSWD = "/qNDDK9WCMuubfA7D8DFwfl9T+Gy2IMDvPhiNpcxZjY=";
          USER_UID = toString config.users.extraUsers.gitea.uid;
          USER_GID = toString config.users.extraGroups.gitea.gid;
@ -42,7 +42,6 @@
        environment = {
          POSTGRES_DB = "gitea";
          POSTGRES_USER = "gitea";
          POSTGRES_PASSWORD = "/qNDDK9WCMuubfA7D8DFwfl9T+Gy2IMDvPhiNpcxZjY=";
        };
        volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
      };
--- a/configuration/services/hydra.nix
+++ b/configuration/services/hydra.nix
@ -0,0 +1,16 @@
 { ... }:
 {
  services.hydra = {
    enable = true;
    port = 3003;
    hydraURL = "hydra.tlater.net";
    notificationSender = "hydra@tlater.net";
    extraConfig = ''
      <gitea_authorization>
      </gitea_authorization>
    '';
  };
 }
--- a/configuration/services/minecraft.nix
+++ b/configuration/services/minecraft.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  minecraft-server-args = [
@ -52,7 +52,7 @@ let
 in {
  nixpkgs.config.allowUnfreePredicate = pkg:
-    builtins.elem (pkgs.lib.getName pkg) [ "forge-server" ];
+    builtins.elem (lib.getName pkg) [ "forge-server" ];
  virtualisation.oci-containers.containers.minecraft-voor-kia = let
    properties = ./configs/minecraft/voor-kia/server.properties;
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -4,6 +4,7 @@
  virtualisation.pods.nextcloud = {
    hostname = "nextcloud.tlater.net";
    publish = [ "3001:80" ];
    network = "slirp4netns";
    containers = {
      nextcloud = {
@ -18,7 +19,6 @@
          POSTGRES_DB = "nextcloud";
          POSTGRES_USER = "nextcloud";
          POSTGRES_HOST = "nextcloud-postgres";
          POSTGRES_PASSWORD = "rI7t7Nek1yGA9ucrRc7Uhy0jcjwPjnXa8me4o8tJON8=";
          OVERWRITEPROTOCOL = "https";
        };
      };
@ -43,7 +43,6 @@
        environment = {
          POSTGRES_DB = "nextcloud";
          POSTGRES_USER = "nextcloud";
          POSTGRES_PASSWORD = "rI7t7Nek1yGA9ucrRc7Uhy0jcjwPjnXa8me4o8tJON8=";
        };
        volumes = [ "nextcloud-db-data:/var/lib/postgresql/data" ];
      };
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -34,6 +34,10 @@
    ports = [ "3002:3002" ];
    volumes = [ "tlaternet-mail:/srv/mail" ];
-    extraOptions = [ "--hostname=tlater.net" ];
+    extraOptions = [
      "--hostname=tlater.net"
      # This can change with rocket 0.5.
      "--stop-signal=SIGKILL"
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -2,11 +2,11 @@
  "nodes": {
    "flake-utils": {
      "locked": {
-        "lastModified": 1619345332,
+        "lastModified": 1620759905,
-        "narHash": "sha256-qHnQkEp1uklKTpx3MvKtY6xzgcqXDsz5nLilbbuL+3A=",
+        "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28",
+        "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8",
        "type": "github"
      },
      "original": {
@ -37,11 +37,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1619336929,
+        "lastModified": 1620983891,
-        "narHash": "sha256-joIC2D26jtSbHodR/o8r+5T9XL2hXs6NIp5mVyA4JOc=",
+        "narHash": "sha256-E2OKVgGo/cUqDsrIeYGVx64b4cxgzd7+bX33NHL0rbA=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "f7540d6c27704ec0fe56ecc8b2a9b663181850b0",
+        "rev": "c4399b921fa7ff5f93ee10b3521b56b722ed74d8",
        "type": "github"
      },
      "original": {
@ -53,11 +53,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1619486598,
+        "lastModified": 1621088295,
-        "narHash": "sha256-ZEvJ+uItcKLQ9uSjGbQFE6Euu9w1Y98x0TWydXIgHAI=",
+        "narHash": "sha256-hn8Rk6o5nRbWK/GE+z2OK8DIDIgGxCmVkaXpNYkald0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d4e7af972158a14ebdd9c828b1c2e07e2ce7ef1c",
+        "rev": "17d3dab8647a31a00d8a11433a56cc12d84b5ab4",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -68,12 +68,28 @@
            (import ./modules)
            (import ./configuration)
-            ({ ... }: {
+            ({ config, lib, ... }: {
              users.users.tlater.password = "insecure";
              # Disable graphical tty so -curses works
              boot.kernelParams = [ "nomodeset" ];
              # Sets the base domain for nginx to localhost so that we
              # can easily test locally with the VM.
              services.nginx.domain = lib.mkOverride 99 "localhost";
              # Hydra uses X-Forwarded-Port to figure out how to
              # include links to static files, but because we redirect
              # 443 -> 3443 in the vm we need to explicitly set this
              # (nginx can't see qemu's port redirection).
              services.nginx.virtualHosts =
                let domain = config.services.nginx.domain;
                in {
                  "hydra.${domain}".locations."/".extraConfig = ''
                    proxy_set_header X-Forwarded-Port 3443;
                  '';
                };
              # # Set up VM settings to match real VPS
              # virtualisation.memorySize = 3941;
              # virtualisation.cores = 2;
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,5 +1,12 @@
-{ ... }:
+{ lib, ... }:
 with lib;
 {
  imports = [ ./virtualisation/pods.nix ];
  options.services.nginx.domain = mkOption {
    type = types.str;
    description = "The base domain name to append to virtual domain names";
  };
 }
Author	SHA1	Message	Date
Tristan Daniël Maat	2a7f905bc2	WIP: Add hydra	2021-05-17 00:15:07 +01:00
Tristan Daniël Maat	a24c68d9db	webserver: Use SIGKILL instead of SIGTERM This is necessary because rocket 0.4 does not support SIGTERM.	2021-05-17 00:14:00 +01:00
Tristan Daniël Maat	343c7fcc36	nginx: Don't override extra options in the host helper	2021-05-17 00:13:58 +01:00
Tristan Daniël Maat	5f8899d542	nginx: Make VM testing easier by binding virtualHosts to localhost	2021-05-17 00:13:38 +01:00
Tristan Daniël Maat	b8bf3bd3a2	minecraft: Clean up use of pkgs.lib	2021-05-17 00:13:28 +01:00
Tristan Daniël Maat	458f6c7f7b	nginx: Avoid connection issues caused by IPv6 resolution If localhost is specified in the proxyPass url, nginx will happily resolve IPv6 addresses, even if the upstream doesn't support them. This can result in connection issues, especially with containers that don't support IPv6.	2021-05-16 01:34:03 +01:00
Tristan Daniël Maat	517f4f0080	postgres: Get rid of password authentication Podman pods make this obsolete; though we need to explicitly set slirp4netns, otherwise podman will not create private network namespaces for the pods.	2021-05-16 00:40:09 +01:00
Tristan Daniël Maat	2d61711e07	flake.lock: Update Flake input changes: * Updated 'flake-utils': 'github:numtide/flake-utils/2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28' -> 'github:numtide/flake-utils/b543720b25df6ffdfcf9227afafc5b8c1fabfae8' * Updated 'nixos-hardware': 'github:nixos/nixos-hardware/f7540d6c27704ec0fe56ecc8b2a9b663181850b0' -> 'github:nixos/nixos-hardware/c4399b921fa7ff5f93ee10b3521b56b722ed74d8' * Updated 'nixpkgs': 'github:nixos/nixpkgs/d4e7af972158a14ebdd9c828b1c2e07e2ce7ef1c' -> 'github:nixos/nixpkgs/17d3dab8647a31a00d8a11433a56cc12d84b5ab4'	2021-05-15 20:57:59 +01:00