refactor(ops): Split //ops/nixos into different locations

Splits //ops/nixos into:

* //ops/nixos.nix - utility functions for building systems
* //ops/machines - shared machine definitions (read by readTree)
* //ops/modules - shared NixOS modules (skipped by readTree)

This simplifies working with the configuration fixpoint in whitby, and
is overall a bit more in line with how NixOS systems in user folders
currently work.

Change-Id: I1322ec5cc76c0207c099c05d44828a3df0b3ffc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2931
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: glittershark <grfn@gws.fyi>
Vincent Ambo 2021-04-11 22:50:30 +02:00 committed by tazjin
parent 7deabb8c8d
commit 90281c4eac
38 changed files with 41 additions and 60 deletions


@ -0,0 +1,32 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."b-shortlink" = {
serverName = "b";
extraConfig = "return 302 https://b.tvl.fyi$request_uri;";
};
services.nginx.virtualHosts."b.tvl.fyi" = {
serverName = "b.tvl.fyi";
serverAliases = [ "b.tvl.su" ];
enableACME = true;
forceSSL = true;
extraConfig = ''
# Forward short links to issues to the issue itself (b/32)
location ~ ^/(\d+)$ {
return 302 https://b.tvl.fyi/issues$request_uri;
}
location / {
proxy_pass http://localhost:${toString config.services.depot.panettone.port};
}
'';
};
};
}

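--- /dev/null
+++ b/ops/modules/www/base.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+{
+config = {
+services.nginx = {
+enable = true;
+enableReload = true;
+recommendedTlsSettings = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+};
+# NixOS 20.03 broke nginx and I can't be bothered to debug it
+# anymore, all solution attempts have failed, so here's a
+# brute-force fix.
+#
+# TODO(tazjin): Find a link to the upstream issue and see if
+# they've sorted it after ~20.09
+systemd.services.fix-nginx = {
+script = "${pkgs.coreutils}/bin/chown -f -R nginx: /var/spool/nginx /var/cache/nginx";
+serviceConfig = {
+User = "root";
+Type = "oneshot";
+};
+};
+systemd.timers.fix-nginx = {
+wantedBy = [ "multi-user.target" ];
+timerConfig = {
+OnCalendar = "minutely";
+};
+};
+};
+}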
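Review bot: The `fix-nginx` unit runs `chown -f -R nginx:` as root every minute over directories that the `nginx` user itself writes into, which is the textbook symlink-planting setup: if anything running as nginx can drop a symlink under `/var/cache/nginx` or `/var/spool/nginx`, a recursive chown that dereferences links hands ownership of the link target to nginx. Whether GNU chown follows links it meets during recursion depends on the coreutils version and flags, so rather than rely on that I would at minimum pass `-h`, i.e. `script = "${pkgs.coreutils}/bin/chown -f -R -h nginx: /var/spool/nginx /var/cache/nginx";`, so only the links themselves are touched. Better still, run this once as a oneshot ordered `before = [ "nginx.service" ]` (or express the ownership via `systemd.tmpfiles.rules`) instead of a minutely timer, which also removes the permanent root-privileged cron-like job; the "brute-force fix" comment should then record that the chown is an interim workaround and what it protects against.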


@ -0,0 +1,26 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."cache.tvl.su" = {
serverName = "cache.tvl.su";
serverAliases = [ "cache.tvl.fyi" ];
enableACME = true;
forceSSL = true;
extraConfig = ''
location = /cache-key.pub {
alias /etc/secrets/nix-cache-key.pub;
}
location / {
proxy_pass http://localhost:${toString config.services.nix-serve.port};
}
'';
};
};
}
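Review bot: The `location = /cache-key.pub { alias /etc/secrets/nix-cache-key.pub; }` block makes the nginx worker read straight out of `/etc/secrets`, so that directory must be traversable by the `nginx` user for the public key to be served; I cannot see the mode of `/etc/secrets` or of the private key beside it from here, but if they are readable by nginx then a later `alias`/`root` slip under this vhost is one line away from publishing the signing key. I would copy the public half to a location that is meant to be world-readable (the Nix store or a dedicated state directory) at activation time and `alias` that instead, keeping nginx out of the secret store entirely. At minimum the hunk should carry a note such as `# nginx needs read access to this path only; the private key next to it must stay root:root 0600.`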


@ -0,0 +1,30 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."cl-shortlink" = {
serverName = "cl";
extraConfig = "return 302 https://cl.tvl.fyi$request_uri;";
};
services.nginx.virtualHosts.gerrit = {
serverName = "cl.tvl.fyi";
serverAliases = [ "cl.tvl.su" ];
enableACME = true;
forceSSL = true;
extraConfig = ''
location / {
proxy_pass http://localhost:4778;
proxy_set_header X-Forwarded-For $remote_addr;
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
proxy_set_header Host $host:443;
}
'';
};
};
}


@ -0,0 +1,35 @@
{ depot, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts.cgit = {
serverName = "code.tvl.fyi";
serverAliases = [ "code.tvl.su" ];
enableACME = true;
forceSSL = true;
extraConfig = ''
# Serve the rendered Tvix component SVG.
#
# TODO(tazjin): Implement a way of serving this dynamically
location = /about/tvix/docs/component-flow.svg {
alias ${depot.tvix.docs.svg}/component-flow.svg;
}
# Static assets must always hit the root.
location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
proxy_pass http://localhost:2448;
}
# Everything else hits the depot directly.
location / {
proxy_pass http://localhost:2448/cgit.cgi/depot/;
}
'';
};
};
}


@ -0,0 +1,31 @@
{ config, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."cs.tvl.fyi" = {
serverName = "cs.tvl.fyi";
serverAliases = [ "cs.tvl.su" ];
enableACME = true;
forceSSL = true;
extraConfig = ''
location = / {
return 301 https://cs.tvl.fyi/depot;
}
location / {
proxy_set_header X-Sg-Auth "Anonymous";
proxy_pass http://localhost:${toString config.services.depot.sourcegraph.port};
}
location /users/Anonymous/settings {
return 301 https://cs.tvl.fyi;
}
'';
};
};
}
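Review bot: `proxy_set_header X-Sg-Auth "Anonymous";` in `location /` is the header-based auth-proxy pattern, and nothing in the hunk records the two properties it relies on: `proxy_set_header` overwrites any `X-Sg-Auth` a client sends (so a browser cannot pick a different identity), and the Sourcegraph backend on `config.services.depot.sourcegraph.port` must be reachable only through this vhost on localhost, since anyone who can hit that port directly can set the header to any user. A one-line comment above the `proxy_set_header` would stop a future change from exposing the port or adding a second proxy path without the header, e.g. `# Auth-proxy header: nginx overwrites any client-supplied X-Sg-Auth; the backend must never be reachable except via this vhost.` The `location /users/Anonymous/settings` block correctly wins over `location /` by longest prefix, which is also worth a word so nobody "fixes" the ordering.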


@ -0,0 +1,24 @@
{ ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."login.tvl.fyi" = {
serverName = "login.tvl.fyi";
enableACME = true;
forceSSL = true;
extraConfig = ''
location / {
proxy_pass http://localhost:8443;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
}
'';
};
};
}


@ -0,0 +1,40 @@
# serve tazjin's website & blog
{ depot, config, lib, pkgs, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."tazj.in" = {
enableACME = true;
forceSSL = true;
root = depot.users.tazjin.homepage;
extraConfig = ''
${depot.users.tazjin.blog.oldRedirects}
location /blog/ {
alias ${depot.users.tazjin.blog.rendered}/;
if ($request_uri ~ ^/(.*)\.html$) {
return 302 /$1;
}
try_files $uri $uri.html $uri/ =404;
}
# Temporary place for serving static files.
location /blobs/ {
alias /var/lib/tazjins-blobs/;
}
'';
};
services.nginx.virtualHosts."git.tazj.in" = {
enableACME = true;
forceSSL = true;
extraConfig = "return 301 https://code.tvl.fyi$request_uri;";
};
};
}
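Review bot: The `if ($request_uri ~ ^/(.*)\.html$)` inside `location /blog/` builds the redirect target from the raw request line rather than the normalised `$uri` that actually matched the location, so double slashes or percent-encoded characters in the request are copied verbatim into the `Location` header, and an encoded `%2Ehtml` request escapes the redirect altogether and is served by `try_files` as a duplicate URL; an `if` with `return` inside an `alias` location is also the construct nginx's own docs warn about. The same intent reads more safely as a dedicated regex location ahead of the prefix one, e.g. `location ~ ^/blog/(.*)\.html$ { return 302 /blog/$1; }`, which matches on the decoded path, though note `return` does not carry the query string so confirm that is acceptable before switching. Separately, `config`, `lib` and `pkgs` in the argument set at the top of the file are unused and can be dropped to `{ depot, ... }` like the sibling modules.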


@ -0,0 +1,25 @@
{ depot, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."todo.tvl.fyi" = {
serverName = "todo.tvl.fyi";
serverAliases = [ "todo.tvl.su" ];
root = depot.web.todolist;
enableACME = true;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location ~* \.(webp|woff2)$ {
add_header Cache-Control "public, max-age=31536000";
}
'';
};
};
}
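Review bot: The `add_header Cache-Control` inside `location ~* \.(webp|woff2)$` silently drops the server-level HSTS header for those responses: nginx's `add_header` is not additive across levels, a location that declares any `add_header` of its own inherits none from its parent, so `.webp`/`.woff2` assets go out without `Strict-Transport-Security`. Repeat the header next to the `Cache-Control` line, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`, or move the HSTS line into a shared snippet that every location `include`s so the next static-asset location does not regress it again. A short comment on the server-level line, `# nginx add_header does not inherit into locations that set their own headers; repeat this in every location.`, would make the trap visible.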


@ -0,0 +1,30 @@
{ depot, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."tvl.fyi" = {
serverName = "tvl.fyi";
root = depot.web.tvl;
enableACME = true;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
rewrite ^/builds/?$ https://buildkite.com/tvl/depot/ last;
rewrite ^/monorepo-doc/?$ https://docs.google.com/document/d/1nnyByXcH0F6GOmEezNOUa2RFelpeRpDToBLYD_CtjWE/edit?usp=sharing last;
rewrite ^/irc/?$ ircs://chat.freenode.net:6697/##tvl last;
location ~* \.(webp|woff2)$ {
add_header Cache-Control "public, max-age=31536000";
}
'';
};
};
}
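Review bot: As in the todo.tvl.fyi vhost, the `Cache-Control` `add_header` inside `location ~* \.(webp|woff2)$` replaces rather than extends the inherited header set, so static assets on tvl.fyi are served without the `Strict-Transport-Security` header declared two lines above. Duplicating `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` inside that location is the minimal fix; factoring the HSTS line into one snippet shared by all vhosts would fix both sites at once. The three `rewrite ... last` lines to external URLs behave as 302 redirects because the target carries a scheme, which is fine but worth a comment since `last` suggests an internal rewrite.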


@ -0,0 +1,15 @@
{ depot, lib, pkgs, ... }:
{
imports = [
./base.nix
];
config = {
services.nginx.virtualHosts."wigglydonke.rs" = {
enableACME = true;
forceSSL = true;
root = "${depot.depotPath}/users/glittershark/wigglydonke.rs";
};
};
}
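Review bot: `root = "${depot.depotPath}/users/glittershark/wigglydonke.rs";` serves the web root straight out of the depot source tree, so every file committed to that directory, not only the intended site assets, becomes publicly fetchable; and if `depot.depotPath` is a Nix path (I cannot confirm its type from here), interpolating it into a string copies the entire checkout into the store on each build rather than just that subdirectory. The sibling vhosts point `root` at a built derivation (`depot.web.todolist`, `depot.users.tazjin.homepage`), which I would mirror here, or at least annotate with `# Served directly from the source tree: everything under this directory is public.` The `lib` and `pkgs` arguments on the first line are unused and can go.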