Tom Hubrecht
88d9b8c3e3
Some checks failed
Check meta / check_dns (pull_request) Successful in 19s
Check meta / check_meta (pull_request) Successful in 20s
Check workflows / check_workflows (pull_request) Successful in 24s
Build all the nodes / ap01 (pull_request) Successful in 1m15s
Build all the nodes / bridge01 (pull_request) Successful in 1m53s
Build all the nodes / geo01 (pull_request) Successful in 1m55s
Build all the nodes / geo02 (pull_request) Successful in 1m53s
Build all the nodes / compute01 (pull_request) Successful in 2m33s
Build all the nodes / rescue01 (pull_request) Successful in 2m13s
Build all the nodes / storage01 (pull_request) Successful in 1m57s
Run pre-commit on all files / check (pull_request) Successful in 30s
Build all the nodes / web02 (pull_request) Successful in 1m47s
Build all the nodes / vault01 (pull_request) Successful in 2m21s
Build all the nodes / web03 (pull_request) Successful in 1m40s
Build all the nodes / web01 (pull_request) Successful in 2m54s
Check meta / check_dns (push) Successful in 20s
Check meta / check_meta (push) Successful in 19s
Check workflows / check_workflows (push) Successful in 25s
Build all the nodes / ap01 (push) Successful in 1m16s
Build all the nodes / bridge01 (push) Successful in 1m41s
Build all the nodes / geo02 (push) Successful in 1m44s
Build all the nodes / geo01 (push) Successful in 1m53s
Build all the nodes / compute01 (push) Successful in 2m20s
Build all the nodes / rescue01 (push) Successful in 1m49s
Build all the nodes / storage01 (push) Successful in 1m46s
Build all the nodes / vault01 (push) Successful in 1m45s
Run pre-commit on all files / check (push) Successful in 30s
Build all the nodes / web02 (push) Has been cancelled
Build all the nodes / web01 (push) Has been cancelled
Build all the nodes / web03 (push) Has been cancelled
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
159 lines
4.2 KiB
Nix
159 lines
4.2 KiB
Nix
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
|
|
#
|
|
# SPDX-License-Identifier: EUPL-1.2
|
|
|
|
{ pkgs, config, ... }:
|
|
let
|
|
|
|
# How to add a cache:
|
|
# - Add the relevant services (likely only a pathinfoservice) to the
|
|
# composition config (store-config.composition).
|
|
# - Add an endpoint (store-config.endpoints).
|
|
# - Append a proxy configuration to nginx in order to make the store
|
|
# accessible.
|
|
# - Update cache-info.nix so users can add the cache to their configuration
|
|
store-config = {
|
|
composition = {
|
|
blobservices.default = {
|
|
type = "objectstore";
|
|
object_store_url = "file://${dataDir}/blob.objectstore";
|
|
object_store_options = { };
|
|
};
|
|
directoryservices = {
|
|
redb = {
|
|
type = "redb";
|
|
is_temporary = false;
|
|
path = "${dataDir}/directory.redb";
|
|
};
|
|
};
|
|
pathinfoservices = {
|
|
infra = {
|
|
type = "redb";
|
|
is_temporary = false;
|
|
path = "${dataDir}/pathinfo.redb";
|
|
};
|
|
infra-signing = {
|
|
type = "keyfile-signing";
|
|
inner = "infra";
|
|
keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
|
|
};
|
|
};
|
|
};
|
|
|
|
endpoints = {
|
|
"127.0.0.1:8056" = {
|
|
endpoint_type = "Http";
|
|
blob_service = "default";
|
|
directory_service = "redb";
|
|
path_info_service = "infra";
|
|
};
|
|
"127.0.0.1:8058" = {
|
|
endpoint_type = "Http";
|
|
blob_service = "default";
|
|
directory_service = "redb";
|
|
path_info_service = "infra-signing";
|
|
};
|
|
# Add grpc for management and because it is nice
|
|
"127.0.0.1:8057" = {
|
|
endpoint_type = "Grpc";
|
|
blob_service = "default";
|
|
directory_service = "redb";
|
|
path_info_service = "infra";
|
|
};
|
|
};
|
|
};
|
|
|
|
settingsFormat = pkgs.formats.toml { };
|
|
|
|
webHost = "tvix-store.dgnum.eu";
|
|
|
|
dataDir = "/data/slow/tvix-store";
|
|
|
|
systemdHardening = {
|
|
PrivateDevices = true;
|
|
PrivateTmp = true;
|
|
ProtectControlGroups = true;
|
|
ProtectKernelTunables = true;
|
|
RestrictSUIDSGID = true;
|
|
|
|
ProtectSystem = "strict";
|
|
ProtectKernelLogs = true;
|
|
ProtectProc = "invisible";
|
|
PrivateUsers = true;
|
|
ProtectHome = true;
|
|
UMask = "0077";
|
|
RuntimeDirectoryMode = "0750";
|
|
StateDirectoryMode = "0750";
|
|
};
|
|
|
|
toml = {
|
|
composition = settingsFormat.generate "composition.toml" store-config.composition;
|
|
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
|
|
};
|
|
|
|
package = pkgs.callPackage ./package { };
|
|
in
|
|
{
|
|
|
|
age-secrets.autoMatch = [
|
|
"tvix-store"
|
|
"nginx"
|
|
];
|
|
|
|
services.nginx.virtualHosts.${webHost} = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations = {
|
|
"/infra/" = {
|
|
proxyPass = "http://127.0.0.1:8056/";
|
|
extraConfig = ''
|
|
client_max_body_size 50G;
|
|
limit_except GET {
|
|
auth_basic "Password required";
|
|
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
|
|
}
|
|
'';
|
|
};
|
|
"/infra-signing/" = {
|
|
proxyPass = "http://127.0.0.1:8058/";
|
|
extraConfig = ''
|
|
client_max_body_size 50G;
|
|
auth_basic "Password required";
|
|
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
# TODO add tvix-store cli here
|
|
# environment.systemPackages = [ ];
|
|
|
|
users.users.tvix-store = {
|
|
isSystemUser = true;
|
|
group = "tvix-store";
|
|
};
|
|
users.groups.tvix-store = { };
|
|
|
|
systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
|
|
|
|
systemd.services."tvix-store" = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
environment = {
|
|
RUST_LOG = "info";
|
|
};
|
|
serviceConfig = {
|
|
UMask = "007";
|
|
LimitNOFILE = 1048576;
|
|
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
|
|
StateDirectory = "tvix-store";
|
|
RuntimeDirectory = "tvix-store";
|
|
User = "tvix-store";
|
|
Group = "tvix-store";
|
|
ReadWritePaths = [ dataDir ];
|
|
} // systemdHardening;
|
|
};
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
}
|