diff --git a/docker-compose/chaotic-v4/docker-compose.yml b/docker-compose/chaotic-v4/docker-compose.yml index 49d08e4..17f0bb7 100644 --- a/docker-compose/chaotic-v4/docker-compose.yml +++ b/docker-compose/chaotic-v4/docker-compose.yml @@ -87,34 +87,12 @@ services: }, "garuda": { "url": "https://gitlab.com/garuda-linux/pkgbuilds" - }, - "garuda-aur": { - "url": "https://gitlab.com/garuda-linux/pkgbuilds-aur" } } PACKAGE_TARGET_REPOS: >- { "chaotic-aur": { "extra_repos": [ - { - "name": "chaotic-aur", - "servers": [ - "https://builds.garudalinux.org/chaotic-v4/x86_64" - ] - } - ], - "extra_keyrings": [ - "https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-keyring.pkg.tar.zst" - ] - }, - "garuda": { - "extra_repos": [ - { - "name": "garuda", - "servers": [ - "https://builds.garudalinux.org/repos/garuda/x86_64" - ] - }, { "name": "chaotic-aur", "servers": [ @@ -126,7 +104,7 @@ services: "https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-keyring.pkg.tar.zst" ] }, - "garuda-aur": { + "garuda": { "extra_repos": [ { "name": "garuda", @@ -157,11 +135,6 @@ services: "id": "48461689", "token": "${GITLAB_TOKEN:-?err}", "check_name": "garuda: %pkgbase%" - }, - "garuda-aur": { - "id": "52092196", - "token": "${GITLAB_TOKEN:-?err}", - "check_name": "garuda: %pkgbase%" } } volumes: @@ -170,7 +143,7 @@ services: - /srv/http/repos:/repo_root extra_hosts: - "host.docker.internal:host-gateway" - ports: ["8080:8080", "3030:3030"] + ports: ["127.0.0.1:8080:8080", "127.0.0.1:3030:3030"] # Metadata for the Chaotic website caur-backend: @@ -186,7 +159,7 @@ services: TELEGRAM_API_HASH: ${TELEGRAM_API_HASH:-?err} TELEGRAM_API_ID: ${TELEGRAM_API_ID:-?err} TELEGRAM_DB_ENCRYPTION_KEY: ${TELEGRAM_DB_ENCRYPTION_KEY:-?err} - ports: ["3000:3000"] + ports: ["127.0.0.1:3000:3000"] volumes: ["./tdlib:/app/tdlib"] # Automated container updates diff --git a/docker-compose/gitlab-runner/docker-compose.yml b/docker-compose/gitlab-runner/docker-compose.yml index 332fc70..80e44fd 100644 
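Review bot: The loopback binding in the two changed `ports` lines is a good tightening, but the retained `${GITLAB_TOKEN:-?err}` and `${TELEGRAM_API_HASH:-?err}` substitutions in the surrounding context lines do not fail when the variable is unset: `:-` supplies a default, so compose passes the literal string `?err` as the token. The fail-fast form is `${GITLAB_TOKEN:?err}` (and the same for the other `*:-?err` entries), which aborts `docker compose up` with that message instead of starting with a bogus credential. Binding to `127.0.0.1` only affects the published ports; the nginx `proxy_pass http://127.0.0.1:8080/api/` added in chaotic-v4.nix in this same commit presumably runs in the same network namespace as the compose stack, which is worth confirming before rollout. The `services` block extends beyond these hunks.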
--- a/docker-compose/gitlab-runner/docker-compose.yml +++ b/docker-compose/gitlab-runner/docker-compose.yml @@ -27,6 +27,6 @@ services: image: containrrr/watchtower:1.7.1 container_name: watchtower command: - --cleanup gitlab-runner-chaotic gitlab-runner-garuda gitlab-runner-dind - volumes: [/var/run/docker.sock:/var/run/docker.sock] + --cleanup watchtower gitlab-runner-chaotic gitlab-runner-garuda gitlab-runner-dind + volumes: ["/var/run/docker.sock:/var/run/docker.sock"] restart: always diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index fd5c5ff..73f76d9 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -23,7 +23,6 @@ - [mastodon](./nixos-containers/mastodon.md) - [mongodb](./nixos-containers/mongodb.md) - [postgres](./nixos-containers/postgres.md) - - [temeraire](./nixos-containers/temeraire.md) - [web-front](./nixos-containers/web-front.md) - [garuda-build](./hosts/garuda-build.md) - [garuda-mail](./hosts/garuda-mail.md) diff --git a/docs/src/hosts/immortalis.md b/docs/src/hosts/immortalis.md index e3d3378..6df124b 100644 --- a/docs/src/hosts/immortalis.md +++ b/docs/src/hosts/immortalis.md @@ -28,7 +28,6 @@ lemmy container systemd-nspawn nixos 24.11 10.0.5.120… mastodon container systemd-nspawn nixos 24.11 10.0.5.80… mongodb container systemd-nspawn nixos 24.11 10.0.5.60… postgres container systemd-nspawn nixos 24.11 10.0.5.50… -temeraire container systemd-nspawn nixos 24.11 10.0.5.20… web-front container systemd-nspawn nixos 24.11 10.0.5.10… ``` @@ -37,7 +36,7 @@ We are seeing: - 1 ISO builder (`iso-runner`) - 1 reverse proxy serving all the websites and services (`web-front`) - 2 Docker dedicated nspawn containers (`docker` & `docker-proxied`) -- 3 Chaotic-AUR builders ( `chaotic-v4`, `github-runner` & `temeraire`) +- 3 Chaotic-AUR builders ( `chaotic-v4`, `github-runner` ) - 6 app dedicated containers (`forum`, `lemmy`, `mastodon`, `mongodb` & `postgres`) ### Connecting to the server 
@@ -46,7 +45,6 @@ After connecting to the host via `ssh -p 666 $user@116.202.208.112`, containers running `nixos-container login $containername`, eg. `nixos-container login web-front`. Some containers may also be connected via SSH using the following ports: -- 22: `temeraire` (needs to be 22 to allow pushing packages to the main Chaotic-AUR node via rsync) - 224: `forum` - 225: `docker` - 227: `iso-runner` @@ -63,24 +61,6 @@ to deploy those with the rest of the system. Secrets are handled via our secret submodule `secret` (private repo with `ansible-vault` encrypted files) and `garuda-lib` (see secrets section). Those contain a `docker-compose` directory in which the `.env` files for the `docker-compose.yml` are stored. -### Chaotic-AUR / repository - -Our repository leverages [Chaotic-AUR's](https://aur.chaotic.cx) [toolbox](https://github.com/chaotic-aur/toolbox) to -provide the main node for the `[chaotic-aur]` repository as well as two more instances building the `[garuda]` -and `[chaotic-kde]` repositories. Users of the `chaotic_op` group may build packages on the corresponding -nixos-container via the [chaotic](https://github.com/chaotic-aur/toolbox/blob/main/README.md) command: - -```sh -chaotic get $package # pull PKGBUILD -chaotic mkd $package # build package in the previously cloned directory -chaotic bump $package # increment pkgver of $package by 0.1 to allow a rebuild -chaotic rm $package # remove the package from the repository -``` - -Further information may be obtained by clicking `chaotic` seen above. The corresponding builders are: - -- `[chaotic-aur]`: `temeraire` - ### Squid proxy Squid is being installed on the host machine to proxy outgoing requests via random IPv6 addresses of the /64 subnet diff --git a/docs/src/nixos-containers/temeraire.md b/docs/src/nixos-containers/temeraire.md deleted file mode 100644 index 2fe119d..0000000 --- a/docs/src/nixos-containers/temeraire.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# temeraire - -## General - -This is our package builder, which also serves as the main node for Chaotic-AUR. - -For information on how to use the build system, -please refer to the [Chaotic toolbox](https://github.com/chaotic-aur/toolbox) documentation. - -## Nix expression - -```nix -{{#include ../../../nixos/hosts/temeraire.nix}} -``` diff --git a/nixos/hosts/chaotic-v4.nix b/nixos/hosts/chaotic-v4.nix index 3e39769..57e8185 100644 --- a/nixos/hosts/chaotic-v4.nix +++ b/nixos/hosts/chaotic-v4.nix @@ -4,13 +4,6 @@ , pkgs , ... }: -let - wrapperScript = pkgs.writeScriptBin "chaotic-restart" '' - cd /var/garuda/docker-compose-runner/chaotic-v4/ - docker compose down - docker compose up -d - ''; -in { imports = sources.defaultModules ++ [ ../modules "${sources.chaotic-portable-builder}/nix/nixos.nix" ]; @@ -68,20 +61,14 @@ in }; networking.firewall.allowedTCPPorts = [ - 8080 - config.services.prometheus.port - config.services.grafana.settings.server.http_port + config.services.grafana.settings.server.http_port # Grafana + config.services.rsyncd.port # Rsync + 8384 # Syncthing web interface ]; # Enable the user accounts of chaotic maintainers garuda-lib.chaoticUsers = true; - # Allow controlling infra 4.0's containers without root - environment.systemPackages = [ wrapperScript ]; - security.sudo.extraRules = [ - { users = [ "xiota" ]; commands = [{ command = "${wrapperScript}/bin/chaotic-restart"; options = [ "NOPASSWD" ]; }]; } - ]; - # Prometheus for monitoring the metrics exported by chaotic-manager services.prometheus = { enable = true; 
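Review bot: `networking.firewall.allowedTCPPorts` in this hunk no longer lists 80 (or 443), yet web-front.nix in this same commit proxies `builds.garudalinux.org` to `http://10.0.5.140:80`, so unless `garuda-lib` or another module opens the nginx ports, the new in-container vhosts will be unreachable; please confirm, or add `80 # nginx, proxied by web-front` to the list. Port 8384 is the Syncthing GUI/REST API, which the following hunk binds to `10.0.5.140:8384` with `insecureSkipHostcheck = true`; opening it here exposes it to every host on the 10.0.5.0/24 network, not only to web-front. Dropping `config.services.prometheus.port` while `services.prometheus.enable = true` is kept is presumably intentional (scraped locally), but a one-line comment such as `# prometheus: local scrape only, not exposed` would make that explicit. The `services.prometheus` block continues past the hunk.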
@@ -137,5 +124,226 @@ in }; }; + # Syncthing setup + services.syncthing = { + enable = true; + openDefaultPorts = true; + configDir = config.services.syncthing.dataDir; + inherit (garuda-lib.secrets.syncthing.esxi-build) cert key; + overrideFolders = false; + overrideDevices = false; + user = "root"; + group = "chaotic-op"; + settings = { + gui = { + apikey = "garudalinux"; + insecureSkipHostcheck = true; + inherit (garuda-lib.secrets.syncthing.esxi-build.credentials) user password; + }; + }; + guiAddress = "10.0.5.140:8384"; + }; + + # Auto reset syncthing stuff + systemd.services.syncthing-reset = { + serviceConfig.Type = "oneshot"; + script = '' + "${pkgs.curl}/bin/curl" -X POST -H "X-API-Key: garudalinux" http://10.0.5.140:8384/rest/db/override?folder=${garuda-lib.secrets.syncthing.folders.chaotic-aur} + ''; + }; + systemd.timers.syncthing-reset = { + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = [ "hourly" ]; + }; + + # This disables HTTPS certificates and forced redirects + garuda-lib.behind_proxy = true; + + # Nginx + services.nginx = { + enable = true; + virtualHosts = { + "builds.garudalinux.org" = { + extraConfig = '' + # Disable index.html + index fully_disabled.html; + # Our beautiful autoindex theme + autoindex on; + autoindex_exact_size off; + autoindex_format xml; + xslt_string_param path $uri; + xslt_string_param hostname "Chaotic-AUR main node - Temeraire"; + + # Security + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; + add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; + add_header Permissions-Policy "interest-cohort=()" always; + + # Locations + location ~* ^.+\.log { + default_type text/plain; + } + location ~* /repos/(chaotic-aur|garuda)/x86_64/(?!.*(chaotic-aur|garuda)\.(db|files)).+\.tar.* { + return 301 
https://cf-builds.garudalinux.org$request_uri; + expires 2d; + } + location /api/ { + proxy_pass http://127.0.0.1:8080/api/; + } + location /backend/ { + proxy_pass http://127.0.0.1:3000/; + } + location /logs/ { + proxy_pass http://127.0.0.1:8080/; + proxy_buffering off; + proxy_read_timeout 330s; + } + location / { + xslt_string_param path $uri; + xslt_string_param hostname "Chaotic-AUR main node - Temeraire 🐉"; + xslt_stylesheet "${garuda-lib.xslt_style}"; + location /iso { + expires 2d; + return 301 https://iso.builds.garudalinux.org$request_uri; + } + } + ''; + http3 = true; + root = "/srv/http/"; + }; + "cf-builds.garudalinux.org" = { + extraConfig = '' + location ~* /repos/(chaotic-aur|garuda)/x86_64/(?!.*(chaotic-aur|garuda)\.(db|files)).+\.tar.* { + add_header Cache-Control "max-age=150, stale-while-revalidate=150, stale-if-error=86400"; + } + location ~* /repos/(chaotic-aur|garuda)/x86_64/(chaotic-aur|garuda)\.db.* { + add_header Cache-Control 'no-cache'; + } + location /repos/chaotic-aur { + expires 5m; + error_page 403 =301 https://builds.garudalinux.org$request_uri; + error_page 404 =301 https://builds.garudalinux.org$request_uri; + } + location /repos/garuda { + expires 5m; + error_page 403 =301 https://builds.garudalinux.org$request_uri; + error_page 404 =301 https://builds.garudalinux.org$request_uri; + } + location / { + expires 2d; + return 301 https://builds.garudalinux.org$request_uri; + } + ''; + http3 = true; + root = "/srv/http/"; + }; + "iso.builds.garudalinux.org" = { + extraConfig = '' + autoindex on; + autoindex_format xml; + xslt_string_param path $uri; + xslt_string_param hostname "Garuda Linux ISO Builds"; + ''; + locations."/".return = "307 https://builds.garudalinux.org"; + locations."/iso" = { + root = "/srv/http/"; + extraConfig = '' + xslt_stylesheet "${garuda-lib.xslt_style}"; + if ($symlink_target_rel != "") { + rewrite ^ https://$server_name/iso/$symlink_target_rel redirect; + } + if ($arg_sourceforge) { + rewrite ^/iso/(.*)$ 
https://sourceforge.net/projects/garuda-linux/files/$1? permanent; + } + if ($arg_r2) { + set $args ""; + rewrite ^/iso/(.*)$ https://r2.garudalinux.org/iso/$1?r2request permanent; + } + break; + ''; + }; + }; + }; + }; + + # Rsyncd + services.rsyncd = { + enable = true; + settings = { + chaotic = { + "read only" = "yes"; + comment = "Chaotic-AUR repository"; + exclude = "/chaotic-aur/archive/*** /garuda/archive/***"; + path = "/srv/http/repos/"; + }; + chaotic-minimal = { + "read only" = "yes"; + comment = "Chaotic-AUR repository minus largest packages"; + exclude = "/chaotic-aur/archive/*** /garuda/archive/*** /chaotic-aur/x86_64/quartus* /chaotic-aur/x86_64/unrealtournament4* /chaotic-aur/x86_64/urbanterror*"; + path = "/srv/http/repos/"; + }; + iso = { + path = "/srv/http/iso/"; + comment = "ISO downloads"; + "read only" = "yes"; + }; + global = { + "max connections" = 80; + "max verbosity" = 3; + "transfer logging" = true; + "use chroot" = false; + gid = "nobody"; + uid = "nobody"; + }; + }; + }; + + # Push chaotic to r2 hourly automatically + services.garuda-rclone.chaotic = { + src = "/srv/http/repos/"; + dest = "r2:/mirror/repos"; + config = garuda-lib.secrets.cloudflare.r2.rclone; + args = "--s3-upload-cutoff 5G --s3-chunk-size 4G --fast-list --s3-no-head --s3-no-check-bucket --ignore-checksum --s3-disable-checksum -u --use-server-modtime --delete-during --delete-excluded --include /*/x86_64/*.pkg.tar.zst --include /*/lastupdate --order-by modtime,ascending --stats-log-level NOTICE"; + startAt = "hourly"; + }; + systemd.services.chaotic-rclone-inotify = { + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + # Get all file changes, upload pkg.tar.zst. Not more than 5 per 5 seconds queued and only one uploaded at the same time. Queue dropped if uploading takes longer than 15 seconds. + # This prevents the queue from getting overloaded with nonsense requests if that ever were to happen. 
The hourly sync should take care of this. + script = '' + upload() { + operation="''${1%%|*}" + path="''${1#*|}" + relative="$(realpath --relative-to="." "$path")" + relative="''${relative#./}" + destpath="r2:/mirror/$relative" + if [ "$operation" != "MOVED_FROM" ]; then + ${pkgs.flock}/bin/flock -w 30 /tmp/chaotic-rclone-inotify.lock \ + ${pkgs.rclone}/bin/rclone copyto "$path" "$destpath" --s3-upload-cutoff 5G --s3-chunk-size 4G --s3-no-head --no-check-dest --s3-no-check-bucket --ignore-checksum --s3-disable-checksum --config "${garuda-lib.secrets.cloudflare.r2.rclone}" --stats-one-line -v + else + ${pkgs.flock}/bin/flock -w 30 /tmp/chaotic-rclone-inotify.lock ${pkgs.rclone}/bin/rclone deletefile "$destpath" --s3-no-head --no-check-dest --s3-no-check-bucket --config "${garuda-lib.secrets.cloudflare.r2.rclone}" --stats-one-line -v + ( + ${pkgs.flock}/bin/flock -w 200 -s 200 + ${pkgs.curl}/bin/curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_GARUDALINUX_ORG/purge_cache" -H "Authorization: Bearer $CF_CACHE_API_TOKEN" -H "Content-Type:application/json" --data "{\"files\":[\"https://r2.garudalinux.org/''${relative}\"]}" + sleep 0.5 + ) 200>/tmp/chaotic-rclone-inotify-invalidate.lock + fi + } + export -f upload + ${pkgs.inotify-tools}/bin/inotifywait -m ./repos/*/x86_64 -e CLOSE_WRITE,MOVED_TO,MOVED_FROM --format "%e|%w%f" | \ + ${pkgs.gawk}/bin/awk '/\.pkg\.tar\.zst$/ { print $0; fflush(); }' | \ + xargs -rP 0 -I % ${pkgs.bash}/bin/bash -c 'upload "%"' + ''; + serviceConfig = { + EnvironmentFile = garuda-lib.secrets.cloudflare.apikeys; + Restart = "always"; + WorkingDirectory = "/srv/http"; + }; + }; + system.stateVersion = "23.05"; } diff --git a/nixos/hosts/garuda-build.nix b/nixos/hosts/garuda-build.nix index 9474d13..54e2db4 100644 --- a/nixos/hosts/garuda-build.nix +++ b/nixos/hosts/garuda-build.nix 
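Review bot: `group = "chaotic-op"` in the new `services.syncthing` block uses a hyphen, while the deleted temeraire.nix configured the same service with `group = "chaotic_op"` and its builder users with `extraGroups = [ "chaotic_op" ]`; if `garuda-lib.chaoticUsers` creates the underscore form, the syncthing unit will fail to start on an unknown group, so this is worth confirming before deploy. The GUI `apikey = "garudalinux"` and the matching `X-API-Key: garudalinux` header in `syncthing-reset` are a fixed, repository-visible secret that ends up in the Nix store; combined with `insecureSkipHostcheck = true` and the GUI listening on `10.0.5.140:8384`, anyone on that network can drive the REST API, so the key should come from `garuda-lib.secrets` the way `cert`/`key` already do (`apikey = <SECRET_PATH_PLACEHOLDER>;`) with the curl line reading it from the same place. In `chaotic-rclone-inotify`, `xargs -rP 0 -I % ${pkgs.bash}/bin/bash -c 'upload "%"'` splices the file path into the command text, so a name containing `"` or `$(` would be interpreted by bash; `xargs -rP 0 -I % ${pkgs.bash}/bin/bash -c 'upload "$1"' _ %` passes it as a positional argument instead. Both the syncthing and inotify blocks were carried over from temeraire.nix, so these issues are pre-existing, but the service now sits on the host that web-front proxies to.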
@@ -1,15 +1,7 @@ { garuda-lib -, pkgs , sources , ... }: -let - wrapperScript = pkgs.writeScriptBin "chaotic-restart" '' - cd /var/garuda/docker-compose-runner/chaotic-v4-builder/ - docker compose down - docker compose up -d - ''; -in { imports = [ ../modules @@ -36,22 +28,6 @@ in # Enable the user accounts of chaotic maintainers garuda-lib.chaoticUsers = true; - # Allow controlling infra 4.0's containers without root - environment.systemPackages = [ wrapperScript ]; - security.sudo.extraRules = [ - { users = [ "xiota" ]; commands = [{ command = "${wrapperScript}/bin/chaotic-restart"; options = [ "NOPASSWD" ]; }]; } - ]; - - # Lock down chaotic-op group to SCP in landing zone - services.openssh.extraConfig = '' - Match Group chaotic-op - AllowAgentForwarding no - AllowTCPForwarding yes - ForceCommand internal-sftp - PermitOpen 127.0.0.1:6379 - PermitTunnel no - X11Forwarding no - ''; system.stateVersion = "22.05"; } diff --git a/nixos/hosts/immortalis/containers.nix b/nixos/hosts/immortalis/containers.nix index 5f13296..33e6e69 100644 --- a/nixos/hosts/immortalis/containers.nix +++ b/nixos/hosts/immortalis/containers.nix 
@@ -2,42 +2,6 @@ , lib , ... }: -let - chaotic_mounts = { - "gitconfig" = { - hostPath = "/root/.gitconfig"; - mountPoint = "/root/.gitconfig"; - }; - "keyring" = { - hostPath = "/root/.gnupg"; - isReadOnly = false; - mountPoint = "/root/.gnupg"; - }; - "pacman" = { - hostPath = "/data_2/chaotic/pkg"; - isReadOnly = false; - mountPoint = "/var/cache/pacman/pkg"; - }; - "chaotic-sources" = { - hostPath = "/data_2/chaotic/sources"; - isReadOnly = false; - mountPoint = "/var/cache/chaotic/sources"; - }; - "chaotic-cc" = { - hostPath = "/data_2/chaotic/cc"; - isReadOnly = false; - mountPoint = "/var/cache/chaotic/cc"; - }; - "telegram-send-group" = { - hostPath = "/var/garuda/secrets/chaotic/telegram-send-group"; - mountPoint = "/root/.config/telegram-send-group.conf"; - }; - "telegram-send-log" = { - hostPath = "/var/garuda/secrets/chaotic/telegram-send-log"; - mountPoint = "/root/.config/telegram-send-log.conf"; - }; - }; -in { # Custom systemd nspawn container configurations services.garuda-nspawn = { @@ -82,7 +46,39 @@ in isReadOnly = false; mountPoint = "/var/lib/redis-chaotic/"; }; + "iso-builds" = { + hostPath = "/data_2/iso/iso"; + isReadOnly = false; + mountPoint = "/srv/http/iso"; + }; + "syncthing" = { + hostPath = "/data_1/containers/chaotic-v4/syncthing"; + isReadOnly = false; + mountPoint = "/var/lib/syncthing"; + }; }; + forwardPorts = [ + { + containerPort = 873; + hostPort = 873; + protocol = "tcp"; + } + { + containerPort = 21027; + hostPort = 21027; + protocol = "udp"; + } + { + containerPort = 22000; + hostPort = 22000; + protocol = "tcp"; + } + { + containerPort = 22000; + hostPort = 22000; + protocol = "udp"; + } + ]; enableTun = true; ephemeral = lib.mkForce true; }; 
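Review bot: The new `"syncthing"` bind mount points at `/data_1/containers/chaotic-v4/syncthing`, while the mount removed from the temeraire container later in this diff used `/data_2/containers/temeraire/syncthing`; since the chaotic-v4 syncthing service is configured with `overrideFolders = false` and `overrideDevices = false`, its folder and device configuration lives in that directory, so the old state needs to be copied over (or the new path pointed at the old one) or the node will come up with an empty configuration. A short comment on the mount, such as `# migrated from /data_2/containers/temeraire/syncthing`, would record that dependency. The `forwardPorts` entries publish 873, 21027 and 22000 on the host, matching what was previously forwarded to temeraire; the port 22 forward is deliberately not carried over, consistent with the docs change. The container definition starts before this hunk.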
@@ -290,78 +286,6 @@ in }; ipAddress = "10.0.5.50"; }; - temeraire = { - config = import ../temeraire.nix; - extraOptions = { - bindMounts = lib.mkMerge [{ - "chaotic-v4" = { - hostPath = "/data_2/chaotic-v4/chaotic-aur"; - isReadOnly = false; - mountPoint = "/srv/http/chaotic-v4"; - }; - "garuda" = { - hostPath = "/data_2/chaotic-v4/garuda"; - isReadOnly = false; - mountPoint = "/srv/http/repos/garuda"; - }; - "chaotic" = { - hostPath = "/data_2/chaotic-aur"; - isReadOnly = false; - mountPoint = "/srv/http/repos"; - }; - "iso" = { - hostPath = "/data_2/iso/"; - isReadOnly = false; - mountPoint = "/var/garuda/buildiso"; - }; - "iso-builds" = { - hostPath = "/data_2/iso/iso"; - isReadOnly = false; - mountPoint = "/srv/http/iso"; - }; - "repoctl" = { - hostPath = "/data_2/containers/temeraire/chaotic-repoctl.toml"; - isReadOnly = false; - mountPoint = "/usr/local/etc/chaotic-repoctl.toml"; - }; - "syncthing" = { - hostPath = "/data_2/containers/temeraire/syncthing"; - isReadOnly = false; - mountPoint = "/var/lib/syncthing"; - }; - } - chaotic_mounts]; - forwardPorts = [ - { - containerPort = 22; - hostPort = 22; - protocol = "tcp"; - } - { - containerPort = 873; - hostPort = 873; - protocol = "tcp"; - } - { - containerPort = 21027; - hostPort = 21027; - protocol = "udp"; - } - { - containerPort = 22000; - hostPort = 22000; - protocol = "tcp"; - } - { - containerPort = 22000; - hostPort = 22000; - protocol = "udp"; - } - ]; - tmpfs = [ "/tmp:size=25G" ]; - }; - ipAddress = "10.0.5.20"; - }; web-front = { config = import ../web-front.nix; extraOptions = { diff --git a/nixos/hosts/temeraire.nix b/nixos/hosts/temeraire.nix deleted file mode 100644 index 642b10c..0000000 --- a/nixos/hosts/temeraire.nix +++ /dev/null 
@@ -1,302 +0,0 @@ -{ config -, garuda-lib -, pkgs -, sources -, ... -}: { - imports = sources.defaultModules ++ [ ../modules ]; - - # This disables HTTPS certificates and forced redirects - garuda-lib.behind_proxy = true; - - # Enable Chaotic-AUR building - services.chaotic.enable = true; - services.chaotic.cluster-name = "garuda-cluster"; - # Let nginx set itself up for this local domain - services.chaotic.host = "local.chaotic.invalid"; - services.chaotic.extraConfig = '' - export CAUR_DEPLOY_LABEL="Temeraire 🐉" - export CAUR_PACKAGER="Garuda Builder " - export CAUR_ROUTINES=/tmp/chaotic/routines - export CAUR_SIGN_KEY=D6C9442437365605 - export CAUR_SIGN_USER=root - export CAUR_TELEGRAM_TAG="@dr460nf1r3" - export CAUR_TYPE=primary - export CAUR_URL=https://builds.garudalinux.org/repos/chaotic-aur/x86_64 - export REPOCTL_CONFIG=/usr/local/etc/chaotic-repoctl.toml - - export GIT_SSH_COMMAND="ssh -i /var/garuda/secrets/chaotic/interfere_ed25519" - export HTTPS_PROXY=http://10.0.5.1:3128/ - export HTTP_PROXY=http://10.0.5.1:3128/ - export NO_PROXY=mirror.rackspace.com,cloudflaremirrors.com,github.com,downloads.sentry-cdn.com - ''; - services.chaotic.db-name = "chaotic-aur"; - services.chaotic.routines = [ "afternoon" "hourly.1" "hourly.2" "morning" "nightly" "tkg-wine" ]; - - # Special Syncthing configuration allowing to push to main node - services.syncthing = { - enable = true; - openDefaultPorts = true; - configDir = config.services.syncthing.dataDir; - inherit (garuda-lib.secrets.syncthing.esxi-build) cert key; - overrideFolders = false; - overrideDevices = false; - user = "root"; - group = "chaotic_op"; - settings = { - gui = { - apikey = "garudalinux"; - insecureSkipHostcheck = true; - inherit (garuda-lib.secrets.syncthing.esxi-build.credentials) user password; - }; - }; - guiAddress = "10.0.5.20:8384"; - }; - - # Allow systemd-nspawn to create subcgroups (for Chaotic-AUR builders) - systemd.services.remount-sysfscgroup = { - description = "Remount cgroup2 to 
allow systemd-nspawn to create subcgroups"; - wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "oneshot"; - script = '' - ${pkgs.mount}/bin/mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime none /sys/fs/cgroup - ''; - }; - - # Auto reset syncthing stuff - systemd.services.syncthing-reset = { - serviceConfig.Type = "oneshot"; - script = '' - "${pkgs.curl}/bin/curl" -X POST -H "X-API-Key: garudalinux" http://localhost:8384/rest/db/override?folder=${garuda-lib.secrets.syncthing.folders.chaotic-aur} - ''; - }; - systemd.timers.syncthing-reset = { - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = [ "hourly" ]; - }; - - garuda-lib.chaoticUsers = true; - - # Chaotic-AUR builders need to upload their packages - users.users.ufscar_hpc = { - extraGroups = [ "chaotic_op" ]; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFslN7a613H3hztK/yzHE4ZBOJ4448+EN867Y/IDpAfc u726578@c6.cluster.infra.ufscar.br" - ]; - }; - users.users.catbuilder = { - extraGroups = [ "chaotic_op" ]; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 root@Chaotic" - ]; - }; - users.users.chaotic-dragon = { - extraGroups = [ "chaotic_op" ]; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 root@chaotic-dragon" - ]; - }; - users.users.dragons-ryzen = { - extraGroups = [ "chaotic_op" ]; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAd8nLLjysVefmk3I6BI/IkooUvnGSy7966T54gWNvgW nico@slim-lair" - ]; - }; - - # Ufscar-HPC needs diffie-hellman-group-exchange-sha1 - services.openssh.settings = { - KexAlgorithms = [ - "curve25519-sha256" - "curve25519-sha256@libssh.org" - "diffie-hellman-group-exchange-sha1" - "diffie-hellman-group16-sha512" - "diffie-hellman-group18-sha512" - "sntrup761x25519-sha512@openssh.com" - ]; - }; - - # Our main webserver on this 
machine - services.nginx = { - enable = true; - virtualHosts = { - "builds.garudalinux.org" = { - extraConfig = '' - # Disable index.html - index fully_disabled.html; - # Our beautiful autoindex theme - autoindex on; - autoindex_exact_size off; - autoindex_format xml; - xslt_string_param path $uri; - xslt_string_param hostname "Chaotic-AUR main node - Temeraire"; - - # Security - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; - add_header Permissions-Policy "interest-cohort=()" always; - - # Locations - location ~* ^.+\.log { - default_type text/plain; - } - location ~* /repos/(chaotic-aur|garuda)/x86_64/(?!.*(chaotic-aur|garuda)\.(db|files)).+\.tar.* { - return 301 https://cf-builds.garudalinux.org$request_uri; - expires 2d; - } - location / { - xslt_string_param path $uri; - xslt_string_param hostname "Chaotic-AUR main node - Temeraire 🐉"; - xslt_stylesheet "${garuda-lib.xslt_style}"; - location /iso { - expires 2d; - return 301 https://iso.builds.garudalinux.org$request_uri; - } - } - ''; - http3 = true; - root = "/srv/http/"; - }; - "cf-builds.garudalinux.org" = { - extraConfig = '' - location ~* /repos/(chaotic-aur|garuda)/x86_64/(?!.*(chaotic-aur|garuda)\.(db|files)).+\.tar.* { - add_header Cache-Control "max-age=150, stale-while-revalidate=150, stale-if-error=86400"; - } - location ~* /repos/(chaotic-aur|garuda)/x86_64/(chaotic-aur|garuda)\.db.* { - add_header Cache-Control 'no-cache'; - } - location /repos/chaotic-aur { - expires 5m; - error_page 403 =301 https://builds.garudalinux.org$request_uri; - error_page 404 =301 https://builds.garudalinux.org$request_uri; - } - location /repos/garuda { - expires 5m; - error_page 403 =301 https://builds.garudalinux.org$request_uri; - error_page 404 =301 
https://builds.garudalinux.org$request_uri; - } - location / { - expires 2d; - return 301 https://builds.garudalinux.org$request_uri; - } - ''; - http3 = true; - root = "/srv/http/"; - }; - "iso.builds.garudalinux.org" = { - extraConfig = '' - autoindex on; - autoindex_format xml; - xslt_string_param path $uri; - xslt_string_param hostname "Garuda Linux ISO Builds"; - ''; - locations."/".return = "307 https://builds.garudalinux.org"; - locations."/iso" = { - root = "/var/garuda/buildiso"; - extraConfig = '' - xslt_stylesheet "${garuda-lib.xslt_style}"; - if ($symlink_target_rel != "") { - rewrite ^ https://$server_name/iso/$symlink_target_rel redirect; - } - if ($arg_sourceforge) { - rewrite ^/iso/(.*)$ https://sourceforge.net/projects/garuda-linux/files/$1? permanent; - } - if ($arg_r2) { - set $args ""; - rewrite ^/iso/(.*)$ https://r2.garudalinux.org/iso/$1?r2request permanent; - } - break; - ''; - }; - }; - }; - }; - - # Explicitly open our firewall ports - HTTPS & rsyncd - networking.firewall.allowedTCPPorts = [ config.services.rsyncd.port 8384 ]; - - # Our rsyncd server - services.rsyncd = { - enable = true; - settings = { - chaotic = { - "read only" = "yes"; - comment = "Chaotic-AUR repository"; - exclude = "/chaotic-aur/archive/*** /chaotic-aur/logs/***"; - path = "/srv/http/repos/"; - }; - chaotic-minimal = { - "read only" = "yes"; - comment = "Chaotic-AUR repository minus largest packages"; - exclude = "/chaotic-aur/archive/*** /chaotic-aur/logs/*** /chaotic-aur/x86_64/quartus* /chaotic-aur/x86_64/unrealtournament4* /chaotic-aur/x86_64/urbanterror*"; - path = "/srv/http/repos/"; - }; - iso = { - path = "/var/garuda/buildiso/iso/"; - comment = "ISO downloads"; - "read only" = "yes"; - }; - global = { - "max connections" = 80; - "max verbosity" = 3; - "transfer logging" = true; - "use chroot" = false; - gid = "nobody"; - uid = "nobody"; - }; - }; - }; - - # Push chaotic to r2 hourly automatically - services.garuda-rclone.chaotic = { - src = 
"/srv/http/repos/"; - dest = "r2:/mirror/repos"; - config = garuda-lib.secrets.cloudflare.r2.rclone; - args = "--s3-upload-cutoff 5G --s3-chunk-size 4G --fast-list --s3-no-head --s3-no-check-bucket --ignore-checksum --s3-disable-checksum -u --use-server-modtime --delete-during --delete-excluded --include /*/x86_64/*.pkg.tar.zst --include /*/lastupdate --order-by modtime,ascending --stats-log-level NOTICE"; - startAt = "hourly"; - }; - systemd.services.chaotic-rclone-inotify = { - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - # Get all file changes, upload pkg.tar.zst. Not more than 5 per 5 seconds queued and only one uploaded at the same time. Queue dropped if uploading takes longer than 15 seconds. - # This prevents the queue from getting overloaded with nonsense requests if that ever were to happen. The hourly sync should take care of this. - script = '' - upload() { - operation="''${1%%|*}" - path="''${1#*|}" - relative="$(realpath --relative-to="." 
"$path")" - relative="''${relative#./}" - destpath="r2:/mirror/$relative" - if [ "$operation" != "MOVED_FROM" ]; then - ${pkgs.flock}/bin/flock -w 30 /tmp/chaotic-rclone-inotify.lock \ - ${pkgs.rclone}/bin/rclone copyto "$path" "$destpath" --s3-upload-cutoff 5G --s3-chunk-size 4G --s3-no-head --no-check-dest --s3-no-check-bucket --ignore-checksum --s3-disable-checksum --config "${garuda-lib.secrets.cloudflare.r2.rclone}" --stats-one-line -v - else - ${pkgs.flock}/bin/flock -w 30 /tmp/chaotic-rclone-inotify.lock ${pkgs.rclone}/bin/rclone deletefile "$destpath" --s3-no-head --no-check-dest --s3-no-check-bucket --config "${garuda-lib.secrets.cloudflare.r2.rclone}" --stats-one-line -v - ( - ${pkgs.flock}/bin/flock -w 200 -s 200 - ${pkgs.curl}/bin/curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_GARUDALINUX_ORG/purge_cache" -H "Authorization: Bearer $CF_CACHE_API_TOKEN" -H "Content-Type:application/json" --data "{\"files\":[\"https://r2.garudalinux.org/''${relative}\"]}" - sleep 0.5 - ) 200>/tmp/chaotic-rclone-inotify-invalidate.lock - fi - } - export -f upload - ${pkgs.inotify-tools}/bin/inotifywait -m ./repos/*/x86_64 -e CLOSE_WRITE,MOVED_TO,MOVED_FROM --format "%e|%w%f" | \ - ${pkgs.gawk}/bin/awk '/\.pkg\.tar\.zst$/ { print $0; fflush(); }' | \ - xargs -rP 0 -I % ${pkgs.bash}/bin/bash -c 'upload "%"' - ''; - serviceConfig = { - EnvironmentFile = garuda-lib.secrets.cloudflare.apikeys; - Restart = "always"; - WorkingDirectory = "/srv/http"; - }; - }; - - system.stateVersion = "23.05"; -} - diff --git a/nixos/hosts/web-front.nix b/nixos/hosts/web-front.nix index 4f1fb0e..0a0f2a0 100644 --- a/nixos/hosts/web-front.nix +++ b/nixos/hosts/web-front.nix 
@@ -346,18 +346,10 @@ rec { http3 = true; locations = { "/" = { - proxyPass = "http://10.0.5.20:80"; - }; - # Api of the Chaotic Manager - "/api/" = { - proxyPass = "http://10.0.5.140:8080/api/"; - }; - # Api for the website, for displaying news and deploy logs - "/backend/" = { - proxyPass = "http://10.0.5.140:3000/"; + proxyPass = "http://10.0.5.140:80"; }; "/logs/" = { - proxyPass = "http://10.0.5.140:8080/"; + proxyPass = "http://10.0.5.140:80"; extraConfig = '' proxy_buffering off; proxy_read_timeout 330s; @@ -506,7 +498,7 @@ rec { locations = { "/" = { extraConfig = '' - proxy_pass http://10.0.5.20:8384; + proxy_pass http://10.0.5.140:8384; proxy_set_header Authorization "Basic ${garuda-lib.secrets.syncthing.esxi-build.credentials.base64}"; ''; };