1
1
Fork 0

Compare commits

..

No commits in common. "4f331322ffaec1900e8ba01276f1e7efd65e6175" and "825b68fc93231213e561b6fdba9c56aaa9100fa5" have entirely different histories.

3 changed files with 58 additions and 163 deletions

View File

@ -2,10 +2,7 @@
{ {
disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ]; disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
imports = [ imports = [ ./modules/system/boot/loader/raspberrypi/raspberrypi.nix ];
./modules/system/boot/loader/raspberrypi/raspberrypi.nix
./fileserver.nix
];
boot = { boot = {
kernelPackages = pkgs.linuxPackages_rpi4; kernelPackages = pkgs.linuxPackages_rpi4;
@ -58,7 +55,6 @@
tinc_pre tinc_pre
#file-rename #file-rename
rsync rsync
rclone gnupg
]; ];
networking = { networking = {
@ -67,7 +63,7 @@
firewall = { firewall = {
enable = true; enable = true;
allowPing = true; allowPing = true;
allowedTCPPorts = [ 22 139 445 ]; allowedTCPPorts = [ 22 80 139 445 7473 ];
allowedUDPPorts = [ 137 138 ]; allowedUDPPorts = [ 137 138 ];
}; };
}; };
@ -79,8 +75,7 @@
services.cron = { services.cron = {
enable = true; enable = true;
systemCronJobs = [ systemCronJobs = [
"0 20 * * 1 root /root/reassert-nas-permissions.sh" "* 20 * * 1 root /root/reassert-nas-permissions.sh"
"0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
]; ];
}; };
@ -89,6 +84,31 @@
passwordAuthentication = true; passwordAuthentication = true;
}; };
services.nginx = {
enable = true;
virtualHosts."catacomb-server" = {
listen = [ { addr = "10.7.3.16"; } ];
root = "/nas";
locations."/".tryFiles = "\$uri @indexer";
locations."@indexer".extraConfig = "
proxy_buffering off;
proxy_pass http://127.0.0.1:5000;
";
};
virtualHosts."guest-server" = {
listen = [ { addr = "10.7.3.16"; port = 7473; } ];
extraConfig = "
access_log /var/log/nginx/access.guest-server.log;
";
locations."/".extraConfig = "
proxy_buffering off;
proxy_pass http://127.0.0.1:7473/;
";
};
};
services.ntp = { services.ntp = {
enable = true; enable = true;
servers = ["time.nist.gov"]; servers = ["time.nist.gov"];
@ -185,6 +205,34 @@
}; };
}; };
systemd.services.host-server = {
enable = true;
description = "catapool host index server";
serviceConfig = {
Type = "simple";
ExecStart = "/nas-indexer/host-server/run.sh";
Restart = "on-failure";
User = "tvb";
WorkingDirectory = "/nas-indexer/host-server";
};
requires = [ "zfs.target" ];
wantedBy = [ "multi-user.target" ];
};
systemd.services.guest-server = {
enable = true;
description = "catapool guest index server";
serviceConfig = {
Type = "simple";
ExecStart = "/nas-indexer/guest-server/run.sh";
Restart = "on-failure";
User = "tvb";
WorkingDirectory = "/nas-indexer/guest-server";
};
requires = [ "zfs.target" ];
wantedBy = [ "multi-user.target" ];
};
users.groups = { users.groups = {
nas = { gid = 1600; }; nas = { gid = 1600; };
}; };
@ -199,10 +247,11 @@
./keys/tvb.palamas.pub ./keys/tvb.palamas.pub
./keys/tvb.stagirite.pub ./keys/tvb.stagirite.pub
./keys/monitor.isidore.pub ./keys/monitor.isidore.pub
./keys/inquisitor.conduit.pub
]; ];
}; };
#./keys/tvb.empyrean.pub #./keys/tvb.empyrean.pub
users.users.nginx.extraGroups = ["nas"];
nix.buildCores = 4; nix.buildCores = 4;
} }

View File

@ -1,153 +0,0 @@
# nas indexer server module
{ pkgs, ... }:
let
# Build the catacomb server package
catacombServerSource = builtins.fetchGit {
url = "https://git.alogoulogoi.com/Jaculabilis/catacomb-server.git";
ref = "develop-nix";
rev = "08749de4adeb2ea01f0f646c53c6e30aa9a240e7";
};
catacombServer = pkgs.callPackage catacombServerSource {};
catacombUser = "tvb";
# Define the service directory, which pretty much only stores tokens
catacombServerDir = "/var/lib/nas-indexer/";
# Create a setup script to ensure the token directory exists
catacombSetup = pkgs.writeShellScriptBin "catacomb-setup.sh" ''
${pkgs.coreutils}/bin/mkdir -p ${catacombServerDir}tokens
chown -R ${catacombUser} ${catacombServerDir}
'';
# Host-mode server run script
hostRun = pkgs.writeShellScriptBin "catacomb-run-host.sh" ''
cd ${catacombServerDir}
${catacombServer}/bin/gunicorn \
--bind=localhost:5000 \
--workers=3 \
--log-level=debug \
--env CATACOMB_ROOT=/nas \
--env CATACOMB_TOKENS=${catacombServerDir}tokens \
--env CATACOMB_MODE=host \
"catacomb.server:wsgi()"
'';
# Guest-mode server run script
guestRun = pkgs.writeShellScriptBin "catacomb-run-guest.sh" ''
cd ${catacombServerDir}
${catacombServer}/bin/gunicorn \
--bind=localhost:5001 \
--workers=3 \
--log-level=debug \
--env CATACOMB_ROOT=/nas \
--env CATACOMB_TOKENS=${catacombServerDir}tokens \
--env CATACOMB_MODE=guest \
"catacomb.server:wsgi()"
'';
# Guest-mode auth server for direct nginx file serving
accessRun = pkgs.writeShellScriptBin "catacomb-run-access.sh" ''
cd ${catacombServerDir}
${catacombServer}/bin/gunicorn \
--bind=localhost:5002 \
--workers=3 \
--log-level=debug \
--env CATACOMB_TOKENS=${catacombServerDir}tokens \
"catacomb.access.nginx:wsgi()"
'';
in
{
# Run the setup script on activation
system.activationScripts.catacombSetup = "${catacombSetup}/bin/catacomb-setup.sh";
# Set up the host mode service
systemd.services."catacomb-host" = {
enable = true;
description = "catapool host-mode index server";
script = "${hostRun}/bin/catacomb-run-host.sh";
serviceConfig = {
Type = "simple";
WorkingDirectory = "${catacombServerDir}";
};
requires = [ "zfs.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
# Set up the guest mode service
systemd.services."catacomb-guest" = {
enable = true;
description = "catapool guest-mode index server";
script = "${guestRun}/bin/catacomb-run-guest.sh";
serviceConfig = {
Type = "simple";
User = "${catacombUser}";
WorkingDirectory = "${catacombServerDir}";
};
requires = [ "zfs.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
# Set up the access server service
systemd.services."catacomb-access" = {
enable = true;
description = "catapool access token authenticator";
script = "${accessRun}/bin/catacomb-run-access.sh";
serviceConfig = {
Type = "simple";
User = "${catacombUser}";
WorkingDirectory = "${catacombServerDir}";
};
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
networking.firewall.allowedTCPPorts = [ 80 7470 7471 7472 ];
# Set up nginx to reverse proxy to these services
services.nginx = {
enable = true;
# Serve the host server over the internal ip at the default port
virtualHosts."catacomb-host-server" = {
listen = [ { addr = "10.7.3.16"; } ];
root = "/nas";
locations."/".tryFiles = "\$uri @indexer";
locations."@indexer".proxyPass = "http://localhost:5000";
};
# Serve the guest server over the internal ip at a custom port
virtualHosts."catacomb-guest-server" = {
listen = [ { addr = "10.7.3.16"; port = 7472; } ];
extraConfig = ''
access_log /var/log/nginx/access.guest-server.log;
'';
locations."/".proxyPass = "http://localhost:5001";
};
# Serve the auth server at a custom port internally
virtualHosts."catacomb-auth" = {
listen = [ { addr = "10.7.3.16"; port = 7471; } ];
extraConfig = ''
access_log /var/log/nginx/access.guest-auth.log;
'';
locations."/".proxyPass = "http://localhost:5002";
};
# Serve files at a custom port internally
virtualHosts."catacomb-guest-files" = {
listen = [ { addr = "10.7.3.16"; port = 7470; } ];
extraConfig = ''
access_log /var/log/nginx/access.guest-files.log;
'';
locations."/".root = "/nas";
};
};
# Allow nginx to read catapool files
users.users.nginx.extraGroups = ["nas"];
}

View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDS8T7Vb2z6Xy2XBzy/HCmnRb9R/0gD71tt6m4/MyHCQBoG+zsUcPhTP2tfOeYd8xeAZKiPfunrtTOpICIxsaugeCf9xoOmEag4i965OcUyRpphPc0UtaK7ux5oqT6+rdSuuriGtKlycSn9mX5Uq4Lhwo3mlFOUJtJTrnifHua3pPnBtLwMEFftufhUn+n5UOx9NWL/ItqEPoLiVB5t8ltXhckqrjlnL9lchJN+6nlgXVScwN/EkDqFjVNQ7OjsMShlJPQDYFbJky1ejnn0wkPBJs7xmKgdxwGxlkLrtnhTx0TBIDbRV0YKdcRNm55mhK/3FWBp8IK0vKOpb6BH5CF9fPadwmHC4z9qIgWNI4cjVTjLvxJpBn8tZTzuFeXrPHYkXL1EQCY8uyojIYtMEzUIIsJ42fUEHJ52iFxa1RddvRlxl/zablPH+kfytbCNLJW1DcWMMcRy7VjUlI1U+X1P2pYOFyLxtq6bDNrkdcR3v+n3k2z2CPhKWUP3qoc+bZ8= inquisitor@conduit