diff --git a/hosts/common/optional/nixos-containers/baseddata-worker.nix b/hosts/common/optional/nixos-containers/baseddata-worker.nix
new file mode 100644
index 0000000..b0ff85d
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/baseddata-worker.nix
@@ -0,0 +1,251 @@
+{
+ lib,
+ pkgs,
+ configVars,
+ inputs,
+ config,
+ ...
+}: let
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ containerName = "bd-worker";
+ containerIp = configVars.networking.addresses.bd-worker.ip;
+ mongodbIp = configVars.networking.addresses.mongodb.ip;
+ mongodbPort = toString configVars.networking.addresses.mongodb.port;
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+ postgresIp = configVars.networking.addresses.postgres.ip;
+ postgresPort = toString configVars.networking.addresses.postgres.port;
+
+ #secrets
+ sshKeyFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."ssh_keys/baseddata-models-access/id_ed25519".path;
+ notifybotUsername = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."comms/xmpp/notifybot/username".path;
+ notifybotPwd = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."comms/xmpp/notifybot/password".path;
+ recipientUsername = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."comms/xmpp/mrsu/username".path;
+ mongoclientAuth = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/mongodb/baseddata/auth".path;
+ mongoclientUser = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/mongodb/baseddata/username".path;
+ mongoclientPassword = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/mongodb/baseddata/password".path;
+ postgresUser = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/baseddata/user_username".path;
+ postgresPassword = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/baseddata/user_password".path;
+ baseddataEnv = "dev";
+in {
+ sops.secrets = {
+ "ssh_keys/baseddata-models-access/id_ed25519" = {};
+ "comms/xmpp/notifybot/username" = {};
+ "comms/xmpp/notifybot/password" = {};
+ "comms/xmpp/mrsu/username" = {};
+ "software/mongodb/baseddata/auth" = {};
+ "software/mongodb/baseddata/username" = {};
+ "software/mongodb/baseddata/password" = {};
+ "software/postgres/baseddata/user_password" = {};
+ "software/postgres/baseddata/user_username" = {};
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ containers.${containerName} = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/root/.ssh/id_ed25519" = {
+ hostPath = "${sshKeyFile}";
+ isReadOnly = true;
+ };
+ "/run/secrets/notifybotUsername" = {
+ hostPath = "${notifybotUsername}";
+ isReadOnly = true;
+ };
+ "/run/secrets/notifybotPassword" = {
+ hostPath = "${notifybotPwd}";
+ isReadOnly = true;
+ };
+ "/run/secrets/recipientUsername" = {
+ hostPath = "${recipientUsername}";
+ isReadOnly = true;
+ };
+ "/run/secrets/mongoclientAuth" = {
+ hostPath = "${mongoclientAuth}";
+ isReadOnly = true;
+ };
+ "/run/secrets/mongoclientUser" = {
+ hostPath = "${mongoclientUser}";
+ isReadOnly = true;
+ };
+ "/run/secrets/mongoclientPassword" = {
+ hostPath = "${mongoclientPassword}";
+ isReadOnly = true;
+ };
+ "/run/secrets/postgresPassword" = {
+ hostPath = "${postgresPassword}";
+ isReadOnly = true;
+ };
+ "/run/secrets/postgresUser" = {
+ hostPath = "${postgresUser}";
+ isReadOnly = true;
+ };
+ "/media/baseddata-data" = {
+ hostPath = "/media/main-ssd/baseddata-data";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 4200
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.python311
+ pkgs.poetry
+ ];
+
+ environment.variables = {
+ BASEDDATA_ENVIRONMENT = "dev";
+ NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
+ LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ };
+
+ systemd.services.baseddata-deploy-service = {
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ description = "Initiates deployment of application and builds python environment using Poetry";
+ environment = {
+ BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
+ };
+ serviceConfig = {
+ ExecStart = pkgs.writeShellScript "baseddata-deploy-service" ''
+ GITCMD="${pkgs.openssh}/bin/ssh -i /root/.ssh/id_ed25519"
+ if [ ! -d "/srv/baseddata-models" ]; then
+ GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git clone --branch $BASEDDATA_ENVIRONMENT git@git.bitlab21.com:sam/baseddata-models.git /srv/baseddata-models
+ else
+ cd /srv/baseddata-models
+ GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git stash --include-untracked
+ GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git pull
+ fi
+
+ cd /srv/baseddata-models
+ mkdir .venv
+ ${pkgs.poetry}/bin/poetry install
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ systemd.services.baseddata-prefect-server = {
+ wantedBy = ["multi-user.target"];
+ after = ["baseddata-deploy-service.target"];
+ description = "Initates the Prefect server";
+ environment = {
+ NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
+ LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ PREFECT_API_URL = "http://${containerIp}:4200/api";
+ BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
+ };
+ serviceConfig = {
+ WorkingDirectory = "/srv/baseddata-models";
+ ExecStart = pkgs.writeShellScript "baseddata-prefect-server" ''
+
+ # run prefect server
+ .venv/bin/prefect server start --host 0.0.0.0
+
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ systemd.services.baseddata-serve-flows = {
+ wantedBy = ["multi-user.target"];
+ after = ["baseddata-prefect-server.target"];
+ description = "Serves the Prefect flows";
+ environment = {
+ PREFECT_API_URL = "http://${containerIp}:4200/api";
+ BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
+ };
+ serviceConfig = {
+ Environment = "PATH=/run/current-system/sw/bin/";
+ WorkingDirectory = "/srv/baseddata-models";
+ ExecStart = pkgs.writeShellScript "baseddata-serve-flows" ''
+
+ # set prefect environment variables
+ .venv/bin/prefect variable set "xmpp_jid" $(cat /run/secrets/notifybotUsername)
+ .venv/bin/prefect variable set "xmpp_password" $(cat /run/secrets/notifybotPassword)
+ .venv/bin/prefect variable set "xmpp_recipient" $(cat /run/secrets/recipientUsername)
+ .venv/bin/prefect variable set "mongoclient_auth" $(cat /run/secrets/mongoclientAuth)
+ .venv/bin/prefect variable set "mongoclient_host" "${mongodbIp}:${mongodbPort}"
+ .venv/bin/prefect variable set "mongoclient_user" $(cat /run/secrets/mongoclientUser)
+ .venv/bin/prefect variable set "mongoclient_pwd" $(cat /run/secrets/mongoclientPassword)
+ .venv/bin/prefect variable set "postgres_host" ${postgresIp}
+ .venv/bin/prefect variable set "postgres_port" ${postgresPort}
+ .venv/bin/prefect variable set "postgres_user" $(cat /run/secrets/postgresUser)
+ .venv/bin/prefect variable set "postgres_pwd" $(cat /run/secrets/postgresPassword)
+
+ .venv/bin/prefect variable set "osm_history_dir" "/media/baseddata-data/osm-history"
+ .venv/bin/prefect variable set "mongo_db_name" "baseddata"
+ .venv/bin/prefect variable set "postgres_dbname" "dev_baseddata_models"
+ .venv/bin/prefect variable set "postgres_schema" "models_final"
+ .venv/bin/prefect variable set "unique_key" "row_uuid"
+
+ # serve flows
+ .venv/bin/python automation/flows/serve-flows.py
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ programs.nix-ld.enable = true;
+ programs.nix-ld.libraries = with pkgs; [
+ zlib
+ libgcc
+ ];
+
+ programs.ssh.knownHosts = {
+ "git.bitlab21.com" = {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/common/optional/nixos-containers/mongodb.nix b/hosts/common/optional/nixos-containers/mongodb.nix
new file mode 100644
index 0000000..3f7497c
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/mongodb.nix
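Review bot: The serve-flows script copies every credential it reads from /run/secrets (`xmpp_password`, `mongoclient_pwd`, `postgres_pwd`, …) into Prefect variables while the server is started with `--host 0.0.0.0` and port 4200 is opened in the container firewall, so those values are retrievable by any host on br0 through the API, which the open-source Prefect server does not authenticate; Prefect variables are stored unencrypted and are documented as unsuitable for secrets. Keep the credentials out of variables (read the files in the flow code, or store them in Prefect Secret blocks) and bind the API to `${containerIp}` unless other hosts must reach it. The command substitutions are also unquoted, so a password containing whitespace or glob characters is word-split before it reaches Prefect; write each as `.venv/bin/prefect variable set "xmpp_password" "$(cat /run/secrets/notifybotPassword)"`. Separately, `after = ["baseddata-deploy-service.target"]` and `after = ["baseddata-prefect-server.target"]` name units that do not exist (the services are `.service`), so the ordering is ignored and the server can start before `poetry install` has created `.venv`; use `after = ["baseddata-deploy-service.service"]` plus a matching `requires`, and give the deploy service `serviceConfig.Type = "oneshot"` with `RemainAfterExit = true` so later units wait for it to finish.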
@@ -0,0 +1,98 @@
+{
+ inputs,
+ lib,
+ config,
+ configVars,
+ pkgs,
+ ...
+}: let
+ mongodbPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/mongodb/baseddata/password".path;
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ containerName = "mongodb";
+ containerIp = configVars.networking.addresses.mongodb.ip;
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+in {
+ sops.secrets = {
+ "software/postgres/postgres/password" = {
+ };
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ containers.${containerName} = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ # "/var/db/mongodb" = {
+ # hostPath = "/media/main-ssd/mongodb";
+ # isReadOnly = false;
+ # };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 27017
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ mongosh
+ ];
+
+ # allow unfree packages
+ nixpkgs.config.allowUnfreePredicate = let
+ whitelist = map lib.getName [
+ pkgs.mongodb
+ ];
+ in
+ pkg: builtins.elem (lib.getName pkg) whitelist;
+
+ services.mongodb = {
+ enable = true;
+ # enableAuth = true;
+ # initialRootPassword = mongodbPasswordPath;
+ bind_ip = "0.0.0.0";
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
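Review bot: `services.mongodb` is enabled with `bind_ip = "0.0.0.0"` and port 27017 opened in the container firewall while `enableAuth` is left commented out, so the database accepts unauthenticated connections from every host on br0 and the `mongoclient_user`/`mongoclient_pwd` values the worker container configures are never enforced on this side. Set `enableAuth = true` before exposing the port, or bind to `${containerIp}` and limit the port to the worker's address with host firewall rules. The commented `initialRootPassword = mongodbPasswordPath` would also not do what it suggests: that option takes the password literally, so it would set the sops file path as the root password; the value has to be read from the secret file at runtime rather than interpolated at evaluation time. The only secret declared here, `software/postgres/postgres/password`, is never used in this file, while `mongodbPasswordPath` references `software/mongodb/baseddata/password`, which is not declared — the declaration looks copy-pasted from the postgres container.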