feat(tvix-store): Init
parent
fca52e471e
commit
c14e263b98
10 changed files with 4635 additions and 1 deletions
|
@ -11,6 +11,7 @@ lib.extra.mkConfig {
|
||||||
enabledServices = [
|
enabledServices = [
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
"atticd"
|
"atticd"
|
||||||
|
"tvix-cache"
|
||||||
"forgejo"
|
"forgejo"
|
||||||
"forgejo-runners"
|
"forgejo-runners"
|
||||||
"garage"
|
"garage"
|
||||||
|
|
28
machines/storage01/secrets/nginx-tvix-store-password
Normal file
28
machines/storage01/secrets/nginx-tvix-store-password
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA hiozo++fCkzjrvUQRLnAh4uwlmIXcTwkVbjkYbcH4mQ
|
||||||
|
boST8EzrWdNAuyOylbBX//DnWtO7RL2W++Wnm40w2MA
|
||||||
|
-> ssh-ed25519 QlRB9Q i0StXRfRRlTsN7MNZmlfBQdacHQlmTmriyiRcJu74g0
|
||||||
|
dhkD9ZfW+mkkryHBu+2fHe76hXrWVGKl+orxkPJD6gU
|
||||||
|
-> ssh-ed25519 r+nK/Q Ekn/Bz+c+G+KwgZEOCdk58lV9XN12d7/f+wi8ZEysgU
|
||||||
|
QdvnL+HtpHnxUbKD06WZDAi55q3xOYn3OiHViNdFt+I
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
ijGL8v8Otp59VvF0tDIReazFzchihsutr+zbcQuB6m3JZ6SAWyoKwhFdwiaLOfUd
|
||||||
|
DMAo2FOKfCbWS+M1VpdSJfu9LKroMCkeW+FOK81h6ywEYSAw/vt2FJP2TLiljZou
|
||||||
|
d7hiqNv0u/yiIoQiTs9hwOAPtLofiWcX//18TNTCgqm9Ttn0mKlfBjTkUQJdkZVM
|
||||||
|
j1rofzgHDdkyZDdr1op3sc4iURJ98dVN7ic035Fz+Ggs0yBh9T7qtVsUe7swuoH9
|
||||||
|
b9yxOSHdV3b4BYg75UrfiRNTOeQq8pxsga1DIs2x7oHkeVb8Ypmr1tXuAtWi20eg
|
||||||
|
1cYP5+BxY8ry6uaYNLYpKw
|
||||||
|
-> ssh-ed25519 /vwQcQ ZuVSKV4sI53zDaTOHIkk6ntPy9IxSBNIN/JEDPfT71Y
|
||||||
|
C5UgzlDJCcA8CP5D0kppqJKti76qe5IVFFnNirRtl/s
|
||||||
|
-> ssh-ed25519 0R97PA bNQCB3PAp5Ka2drYm74R7nuGM7NFUsKluPo6EEEyiVA
|
||||||
|
1/NFavNSG1pdMiWr2q2z9XwHs6iqhh5+3KIlr8ToPOo
|
||||||
|
-> ssh-ed25519 JGx7Ng 6X2a/FNvglr8ZSWvgEb37B67JJpJV0x1+fdlo6K6pzo
|
||||||
|
8AxYhMJ5+XGKNnpRBTSUM4GSbRj8s7amMQa8sp+tQWM
|
||||||
|
-> ssh-ed25519 5SY7Kg xw7EQG3mz6gQZXSh2LpY5zFRyMZOqEypvnOorRLBBHQ
|
||||||
|
WTcl4rLfg/siaGFmk/Odc6fsX+C6OPRWTHFQ0eENwgY
|
||||||
|
-> ssh-ed25519 p/Mg4Q hSz69OeCJyLJIpnI1tJqGNRErbDF2v6OdxWxi/pfF3k
|
||||||
|
nM6aJWcuzXEqRarkkAQx4636bALK3g0AwCsSfc8fXrk
|
||||||
|
-> ssh-ed25519 rHotTw xyrUv1xRQGG+CyL7Ftdw50S8LtN3Bd07f+8JInmBdGg
|
||||||
|
ehZkeby649QdiSyCDP4wTplLU7mtXac9QzILFIkIX/8
|
||||||
|
--- xWjuc/9B2UAHi7vuOjdvwJ2K3MEeDeTon5XDU1zi6rw
|
||||||
|
i«(rçfJ!–G$<24>e)¤êý¡é•%)„‚9<>KÙ®UK¿Ëé]oǹË@Âv<C382>ŒÀ2Ipè\<12>ˆ^©9ä]¿ÂL,Ÿ•5æö/wvYŽÒ<C5BD>Í«‡³¬¼
|
BIN
machines/storage01/secrets/nginx-tvix-store-password-ci
Normal file
BIN
machines/storage01/secrets/nginx-tvix-store-password-ci
Normal file
Binary file not shown.
|
@ -13,10 +13,13 @@ lib.setDefault { inherit publicKeys; } [
|
||||||
"influxdb2-initial_token_file"
|
"influxdb2-initial_token_file"
|
||||||
"influxdb2-telegraf_token_file"
|
"influxdb2-telegraf_token_file"
|
||||||
"netbird-auth_client_secret_file"
|
"netbird-auth_client_secret_file"
|
||||||
|
"nginx-tvix-store-password"
|
||||||
|
"nginx-tvix-store-password-ci"
|
||||||
"peertube-secrets_file"
|
"peertube-secrets_file"
|
||||||
"peertube-service_environment_file"
|
"peertube-service_environment_file"
|
||||||
"peertube-smtp_password_file"
|
"peertube-smtp_password_file"
|
||||||
"prometheus-web_config_file"
|
|
||||||
"prometheus-garage_api"
|
"prometheus-garage_api"
|
||||||
"prometheus-uptime-kuma-apikey"
|
"prometheus-uptime-kuma-apikey"
|
||||||
|
"prometheus-web_config_file"
|
||||||
|
"tvix-store-infra-signing-key"
|
||||||
]
|
]
|
||||||
|
|
29
machines/storage01/secrets/tvix-store-infra-signing-key
Normal file
29
machines/storage01/secrets/tvix-store-infra-signing-key
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA /4nTbCIrufpN0Jho+8ZqTdZpc8mzSQrpG78flq+b9lM
|
||||||
|
x6Pg9oMGzboBg4WSAHxPwtNKcJUIG007Wx1ZjlzneLc
|
||||||
|
-> ssh-ed25519 QlRB9Q LsPsxbx6zvcLNf/EC3yFRP7Gr5tLYcg+8WGx6n0S724
|
||||||
|
4cyAHEdVBR885G4nfJSvUPqKWr/0abAtDTHmwksADp8
|
||||||
|
-> ssh-ed25519 r+nK/Q 9MisKxWalh0oubQFjwm2SDggxrj/fhdXGCYuYaP99jA
|
||||||
|
18o9juckqPtR4gh2MTXdmonxV9oZymyhCUqW3sOVltQ
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
j6AIypswOisUPlL538E3dpIWsHU/7H1c3+bEXXDFarP3Y5tjWltMRgKoPZUFlcRk
|
||||||
|
2yoVpOjDVkDvMTTu62Yn+Le6oYqoYQYzZ4e5incAR/v7sI76yPo1w+JN3BWBKPab
|
||||||
|
DN6h7Bdr8uzMISvxrRpCNDaU9n9GwA6ylJWvtFKjQZ6IDORVsa1tP44cndm6zAt6
|
||||||
|
Oq11bUDFSJLHiDtxjp0vJFa/4mq5Ay0G10xM/EI8Wf+Tiam/r3ytoBGnNYj1ENp8
|
||||||
|
AQkSxVF4cCORjQAokg+eUYCOzErJqpOx0ACx1SvuRvG4qcQ55ChYxs9zjnlCII2x
|
||||||
|
7JeUM/gjy0FnalxWWDX+cQ
|
||||||
|
-> ssh-ed25519 /vwQcQ bdzz3o+erI4c7ReafjhMYBgpebcJVcdB5vWK7cQ05Cs
|
||||||
|
3rVELKWfeiBksMzmm9XLmEgzdEASxSKcYJOpDQd7A+w
|
||||||
|
-> ssh-ed25519 0R97PA 4k2mZBQJTYhbjdzpxDuNw405iNxd96hVSMwzas/D3nU
|
||||||
|
neRy8ca2SguOJJQxalbPaq5SUH4taH+XxzkU/o/GVig
|
||||||
|
-> ssh-ed25519 JGx7Ng BlMr9FS9vuC1wnvDBAqEMJWzyuqoMqoU7YiFC9633xo
|
||||||
|
Xhvn+luDLE7AFbvgJs6V9cyRh8aJ2JrZfpVvXJhclu4
|
||||||
|
-> ssh-ed25519 5SY7Kg NkkDnN0z+2EzqpEdypnM7AROjjGVzoEvHfzaVbsyDiE
|
||||||
|
qbFUDBx4ghp9TG9YfjGjDXt35go0pMq0HH9GE+WT4v8
|
||||||
|
-> ssh-ed25519 p/Mg4Q rC/DrdXDUDWhbM7LMfQR203JClF/12o4rxJeGs+4rXY
|
||||||
|
Aj3P3skTbMvt2qN/FPSq97D1QwtHlKvFd4CsoujV2JI
|
||||||
|
-> ssh-ed25519 rHotTw 5IBV+q7+F7vNs5Tsx0S+ZEstiqoAaH1x78i/vAwrwDw
|
||||||
|
f729cEfMo/ozygHiRcNXmn8G+M+B68cM48ji7N6VgmY
|
||||||
|
--- TWScQDjdR4g/2v5oirYJgQw4zhhuMnmfvXtrigwmZC4
|
||||||
|
é°1ØLÅÄ‘ßán`Îq^ˆîÚ<C3AE>ï³Q²,ðT«Ó)Lñaü„226M•‘¿Éú½Ü~››4<E280BA>(~’e±.®Y"´M·×!Žp!ÊU<ÖÜŒ–<C592>Â;mn§`,öP–6*&}HPM‡I¶ºòïH
|
||||||
|
Ûôï×Ãmõ<6D>‡ m£<6D>dGΠ߆ß÷T¥?G<>É»/
|
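--- /dev/null
+++ b/machines/storage01/tvix-cache/default.nix
@@ -0,0 +1,148 @@
+{ pkgs, config, ... }:
+let
+settingsFormat = pkgs.formats.toml { };
+
+dataDir = "/data/slow/tvix-store";
+
+store-config = {
+composition = {
+blobservices.default = {
+type = "objectstore";
+object_store_url = "file://${dataDir}/blob.objectstore";
+object_store_options = { };
+};
+directoryservices = {
+sled = {
+type = "sled";
+is_temporary = false;
+path = "${dataDir}/directory.sled";
+};
+object = {
+type = "objectstore";
+object_store_url = "file://${dataDir}/directory.objectstore";
+object_store_options = { };
+};
+};
+pathinfoservices = {
+infra = {
+type = "sled";
+is_temporary = false;
+path = "${dataDir}/pathinfo.sled";
+};
+infra-signing = {
+type = "keyfile-signing";
+inner = "infra";
+keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
+};
+};
+};
+
+endpoints = {
+"127.0.0.1:8056" = {
+endpoint_type = "Http";
+blob_service = "default";
+directory_service = "object";
+path_info_service = "infra";
+};
+"127.0.0.1:8058" = {
+endpoint_type = "Http";
+blob_service = "default";
+directory_service = "object";
+path_info_service = "infra-signing";
+};
+# Add grpc for management and because it is nice
+"127.0.0.1:8057" = {
+endpoint_type = "Grpc";
+blob_service = "default";
+directory_service = "object";
+path_info_service = "infra";
+};
+};
+};
+systemdHardening = {
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectControlGroups = true;
+ProtectKernelTunables = true;
+RestrictSUIDSGID = true;
+
+ProtectSystem = "strict";
+ProtectKernelLogs = true;
+ProtectProc = "invisible";
+PrivateUsers = true;
+ProtectHome = true;
+UMask = "0077";
+RuntimeDirectoryMode = "0750";
+StateDirectoryMode = "0750";
+};
+toml = {
+composition = settingsFormat.generate "composition.toml" store-config.composition;
+endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
+};
+package = pkgs.callPackage ./package { };
+in
+{
+
+age-secrets.autoMatch = [
+"tvix-store"
+"nginx"
+];
+
+services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
+enableACME = true;
+forceSSL = true;
+locations = {
+"/infra/" = {
+proxyPass = "http://127.0.0.1:8056/";
+extraConfig = ''
+client_max_body_size 50G;
+limit_except GET {
+auth_basic "Password required";
+auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
+}
+'';
+};
+"/infra-signing/" = {
+proxyPass = "http://127.0.0.1:8058/";
+extraConfig = ''
+client_max_body_size 50G;
+auth_basic "Password required";
+auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
+'';
+};
+"/.well-known/nix-signing-keys/" = {
+alias = "${./pubkeys}/";
+extraConfig = "autoindex on;";
+};
+};
+};
+# TODO add tvix-store cli here
+# environment.systemPackages = [ ];
+users.users.tvix-store = {
+isSystemUser = true;
+group = "tvix-store";
+};
+users.groups.tvix-store = { };
+
+systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
+
+systemd.services."tvix-store" = {
+wantedBy = [ "multi-user.target" ];
+environment = {
+RUST_LOG = "debug";
+};
+serviceConfig = {
+UMask = "007";
+ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
+StateDirectory = "tvix-store";
+RuntimeDirectory = "tvix-store";
+User = "tvix-store";
+Group = "tvix-store";
+ReadWritePaths = [ dataDir ];
+} // systemdHardening;
+};
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+}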
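Review bot: The tmpfiles rule `"d ${dataDir} 770 tvix-castore tvix-castore -"` creates the data directory for a `tvix-castore` user and group, but this file only declares `users.users.tvix-store` and the unit runs with `User = "tvix-store"` / `Group = "tvix-store"`, so tmpfiles will either reject the unknown owner or leave `/data/slow/tvix-store` unwritable for the service; presumably the intended rule is `"d ${dataDir} 770 tvix-store tvix-store -"`. Separately, `UMask = "007"` in serviceConfig is silently overridden by `UMask = "0077"` from `systemdHardening`, since the right-hand operand of `//` wins; keep only the value you mean. `RUST_LOG = "debug"` reads like a leftover from development and will put request-level detail into the journal of the deployed unit. The hardening set could also carry `NoNewPrivileges`, `RestrictAddressFamilies`, `SystemCallFilter` and an empty `CapabilityBoundingSet`, none of which this module sets yet.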
4378
machines/storage01/tvix-cache/package/Cargo.lock
generated
Normal file
4378
machines/storage01/tvix-cache/package/Cargo.lock
generated
Normal file
File diff suppressed because it is too large
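--- /dev/null
+++ b/machines/storage01/tvix-cache/package/default.nix
@@ -0,0 +1,45 @@
+{
+fetchgit,
+rustPlatform,
+protobuf,
+runCommand,
+}:
+let
+tvix-hash = "sha256-KNl+Lv0aMqSFVFt6p/GdmNDddzccW4wKfZB7W6Gv5F0=";
+tvix-src = fetchgit {
+name = "tvix";
+url = "https://git.dgnum.eu/mdebray/tvl-depot";
+rev = "920b7118d5b0917e426367107f7b7b66089a8d7b";
+hash = tvix-hash;
+};
+protos = runCommand "tvix-protos" { } ''
+mkdir $out
+cd ${tvix-src}/tvix #remove tvix maybe
+find . -name '*.proto' -exec install -D {} $out/{} \;
+'';
+in
+
+rustPlatform.buildRustPackage rec {
+pname = "multitenant-binary-cache";
+version = "0.1.0";
+
+src = fetchgit {
+url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
+rev = "0d7d4cf66242facecba485b1085e285e8d46c038";
+hash = "sha256-IU3OS3ePJeBNiY8HbhoYW5b03Nq8BJ4AWe+bGv4dAuw=";
+};
+
+PROTO_ROOT = protos;
+
+nativeBuildInputs = [ protobuf ];
+
+cargoLock = {
+lockFile = ./Cargo.lock;
+outputHashes = {
+"nar-bridge-0.1.0" = tvix-hash;
+};
+};
+cargoHash = "";
+
+meta = { };
+}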
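Review bot: `cargoHash = ""` is set next to `cargoLock.lockFile`, which already tells buildRustPackage how to vendor dependencies; the empty hash is at best dead and at worst suggests to the next reader that a vendor hash still needs filling in, so drop that line. `"nar-bridge-0.1.0" = tvix-hash` reuses the fetchgit hash of `tvix-src`, which only holds if the git source for nar-bridge in Cargo.lock points at the same repository and rev `920b7118d5b0917e426367107f7b7b66089a8d7b`; a one-line comment stating that coupling, e.g. `# must match tvix-src: nar-bridge is vendored from the same checkout`, would save a future hash-mismatch hunt. `meta = { }` leaves out license, description and mainProgram, and `#remove tvix maybe` on the `cd` line reads as a leftover note rather than documentation. Both sources are pinned by rev and content hash, which is the right posture for dependencies fetched from personal forks.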
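--- /dev/null
+++ b/machines/storage01/tvix-cache/pubkeys/infra
@@ -0,0 +1 @@
+infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=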
|
@ -67,6 +67,7 @@ let
|
||||||
|
|
||||||
storage01.dual = [
|
storage01.dual = [
|
||||||
"cachix" # Attic
|
"cachix" # Attic
|
||||||
|
"tvix-store" # tvix store
|
||||||
"git" # Forgejo
|
"git" # Forgejo
|
||||||
"influx" # InfluxDB
|
"influx" # InfluxDB
|
||||||
"netbird" # Netbird
|
"netbird" # Netbird
|
||||||
|
|