From 0560fcb9dfde142bfc73d31fa09bea17bce30f40 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Wed, 30 Dec 2020 01:18:37 +0100 Subject: [PATCH] rc3: experiments --- configs/sterni/configuration.nix | 12 ++- terranix/jitsi-cloud/.gitignore | 2 + terranix/jitsi-cloud/README.md | 45 +++++++++++ terranix/jitsi-cloud/config.nix | 47 +++++++++++ .../configs/nixserver-host/configuration.nix | 79 +++++++++++++++++++ .../nixserver-host/hardware-configuration.nix | 10 +++ terranix/jitsi-cloud/plops/shell.nix | 71 +++++++++++++++++ terranix/jitsi-cloud/shell.nix | 44 +++++++++++ 8 files changed, 309 insertions(+), 1 deletion(-) create mode 100644 terranix/jitsi-cloud/.gitignore create mode 100644 terranix/jitsi-cloud/README.md create mode 100644 terranix/jitsi-cloud/config.nix create mode 100644 terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix create mode 100644 terranix/jitsi-cloud/plops/configs/nixserver-host/hardware-configuration.nix create mode 100644 terranix/jitsi-cloud/plops/shell.nix create mode 100644 terranix/jitsi-cloud/shell.nix diff --git a/configs/sterni/configuration.nix b/configs/sterni/configuration.nix index d298ccc..67b8b54 100644 --- a/configs/sterni/configuration.nix +++ b/configs/sterni/configuration.nix @@ -66,7 +66,17 @@ # enable this to use sidequest programs.adb.enable = true; - users.users.mainUser.extraGroups = [ "adbusers" ]; + users.users.mainUser.extraGroups = [ "adbusers" "video" ]; + + # for congress and streaming + hardware.opengl = { + enable = true; + extraPackages = [ pkgs.vaapiIntel ]; + driSupport32Bit = true; + }; + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; } diff --git a/terranix/jitsi-cloud/.gitignore b/terranix/jitsi-cloud/.gitignore new file mode 100644 index 0000000..6073c1a --- /dev/null +++ b/terranix/jitsi-cloud/.gitignore @@ -0,0 +1,2 @@ +plops/generated/ +sshkey* \ No newline at end of file 
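Review bot: The new `.gitignore` misses the files that `example-run` and `terraform init` in shell.nix create in this same directory — `config.tf.json`, `terraform.tfstate*` and `.terraform/` — so a `git add .` after a run would commit Terraform state, which typically carries resource attributes (server ids, addresses, key ids) that do not belong in history, plus the downloaded provider binaries. Since `sshkey*` is already kept out, extend the file with `terraform.tfstate*`, `.terraform/` and `config.tf.json`. The sterni hunk on this line raises nothing.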
diff --git a/terranix/jitsi-cloud/README.md b/terranix/jitsi-cloud/README.md new file mode 100644 index 0000000..40dfe49 --- /dev/null +++ b/terranix/jitsi-cloud/README.md @@ -0,0 +1,45 @@ +# NixOS Server Example with plops + +This setup shows: + +* how to use a terranix module +* how to use 3rd party provision software after terraform. +* how to run terranix and terraform + +Setup containing opinionated modules to deploy +[NixOS servers](https://nixos.org/) +on +[hcloud](https://www.hetzner.com/cloud) +using +[nixos-infect](https://github.com/elitak/nixos-infect) +with my +[plops](https://github.com/mrVanDalo/plops) +provisioning tool for NixOS, +which is an overlay on +[krops](https://cgit.krebsco.de/krops/about/). + +After server creation, +the initial provisioning uploads the +nixos-infect +script and applys it. +After server creation and initialization +terranix/terraform generates +files used for the "real" provisioning +done by plops. + +Of course instead of plops you can use every provsioning tool you like +here (e.g. NixOps, Ansible, ... ) + +# How to Run + +## What you need + +* a setup [passwordstore](https://www.passwordstore.org/). +* a [hcloud token](https://docs.hetzner.cloud/#overview-getting-started) + stored under `development/hetzner.com/api-token` + +## Steps + +* `example-prepare`: to create ssh keys. +* `example-ssh`: to run terranix and terraform do create server. +* `example-cleanup`: to delete server, ssh keys and terraform data. (don't forget that step, or else it gets costly) diff --git a/terranix/jitsi-cloud/config.nix b/terranix/jitsi-cloud/config.nix new file mode 100644 index 0000000..a7a075e --- /dev/null +++ b/terranix/jitsi-cloud/config.nix 
@@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +let + hcloud-modules = pkgs.fetchgit { + url = "https://github.com/mrVanDalo/terranix-hcloud.git"; + rev = "5fa359a482892cd973dcc6ecfc607f4709f24495"; + sha256 = "0smgmdiklj98y71fmcdjsqjq8l41i66hs8msc7k4m9dpkphqk86p"; + }; +in { + + imports = [ "${hcloud-modules}/default.nix" ]; + + # configure admin ssh keys + users.admins.palo.publicKey = "${lib.fileContents ./sshkey.pub}"; + + # configure provisioning private Key to be used when running provisioning on the machines + provisioner.privateKeyFile = toString ./sshkey; + + hcloud.nixserver = { + host = { + enable = true; + serverType = "cx51"; # 35€/month + configurationFile = pkgs.writeText "configuration.nix" '' + { pkgs, lib, config, ... }: + { + environment.systemPackages = [ pkgs.git ]; + } + ''; + }; + }; + + hcloud.export.nix = toString ./plops/generated/nixos-machines.nix; + + resource.local_file.sshConfig = { + filename = "${toString ./plops/generated/ssh-configuration}"; + content = with lib; + let + configPart = name: '' + Host ''${ hcloud_server.nixserver-${name}.ipv4_address } + IdentityFile ${toString ./sshkey} + ServerAliveInterval 60 + ServerAliveCountMax 3 + ''; + in concatStringsSep "\n" + (map configPart (attrNames config.hcloud.nixserver)); + }; + +} diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix new file mode 100644 index 0000000..d912c06 --- /dev/null +++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/configuration.nix 
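Review bot: The ssh stanza built in `resource.local_file.sshConfig` pins only the identity file, so nothing in the generated config ties the server's IP to a host key; the first plops deploy accepts whatever key the freshly nixos-infected server presents, and a later `example-cleanup`/re-run on a reused address hits a known_hosts mismatch that invites a `StrictHostKeyChecking no` workaround. Consider keeping the key in a per-project file referenced from the stanza, e.g. adding `UserKnownHostsFile ${toString ./plops/generated/known_hosts}` and `StrictHostKeyChecking accept-new` next to `IdentityFile`, or exporting the host key from Terraform if the hcloud module offers it. Also worth a comment on `provisioner.privateKeyFile = toString ./sshkey;`: `toString` (rather than `"${./sshkey}"`) is what keeps the private key out of the world-readable Nix store, e.g. `# toString on purpose: interpolating the path would copy the private key into /nix/store`.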
@@ -0,0 +1,79 @@ +{ config, pkgs, lib, ... }: { + imports = [ ./hardware-configuration.nix ]; + + services.sshd.enable = true; + + environment.systemPackages = [ pkgs.git ]; + + networking.hostName = "host"; + + security.acme.email = "contact@ingolf-wagner.de"; + security.acme.acceptTerms = true; + + # the public ssh key used at deployment + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + + # + + + # | | + # | | + # v v + # 80, 443 TCP 443 TCP, 10000 UDP + # +--------------+ +---------------------+ + # | nginx | 5222, 5347 TCP | | + # | jitsi-meet |<-------------------+| jitsi-videobridge | + # | prosody | | | | + # | jicofo | | +---------------------+ + # +--------------+ | + # | +---------------------+ + # | | | + # +----------+| jitsi-videobridge | + # | | | + # | +---------------------+ + # | + # | +---------------------+ + # | | | + # +----------+| jitsi-videobridge | + # | | + # +---------------------+ + + # This is a one server setup + services.jitsi-meet = { + enable = true; + hostName = "meet.palovandalo.com"; + + # JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences. + # https://github.com/jitsi/jicofo + jicofo.enable = true; + + # Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server. + # Further nginx configuration can be done by adapting services.nginx.virtualHosts.. When this is enabled, ACME + # will be used to retrieve a TLS certificate by default. To disable this, set the + # services.nginx.virtualHosts..enableACME to false and if appropriate do the same for + # services.nginx.virtualHosts..forceSSL. 
+ nginx.enable = true; + + # https://github.com/jitsi/jitsi-meet/blob/master/config.js + config = { + enableWelcomePage = false; + defaultLang = "en"; + + }; + + # https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js + interfaceConfig = { + SHOW_JITSI_WATERMARK = false; + SHOW_WATERMARK_FOR_GUESTS = false; + }; + + }; + + # todo : ssh nur mit ssh key machen + + networking.firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 10000 ]; + }; + +} diff --git a/terranix/jitsi-cloud/plops/configs/nixserver-host/hardware-configuration.nix b/terranix/jitsi-cloud/plops/configs/nixserver-host/hardware-configuration.nix new file mode 100644 index 0000000..ae82a10 --- /dev/null +++ b/terranix/jitsi-cloud/plops/configs/nixserver-host/hardware-configuration.nix @@ -0,0 +1,10 @@ +{ ... }: { + imports = [ ]; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.loader.grub.device = "/dev/sda"; + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "ext4"; + }; +} diff --git a/terranix/jitsi-cloud/plops/shell.nix b/terranix/jitsi-cloud/plops/shell.nix new file mode 100644 index 0000000..22a6f94 --- /dev/null +++ b/terranix/jitsi-cloud/plops/shell.nix 
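Review bot: `services.sshd.enable = true;` turns the daemon on with NixOS defaults, and the `# todo : ssh nur mit ssh key machen` comment (German: "only allow ssh with ssh key") records that key-only login was intended but not configured; with the stock module (defaults as of the nixos-20.09 that plops/shell.nix follows) password authentication stays enabled for any non-root account on a host exposed directly to the internet, root being `prohibit-password` already. Since the only credential provisioned is the root key, set `services.openssh.passwordAuthentication = false;`, `services.openssh.challengeResponseAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` and replace the todo with an English comment. Separately, the `services.jitsi-meet` block configures no authentication, which — if the module keeps prosody's anonymous defaults — makes `meet.palovandalo.com` an open instance where anyone can create rooms and consume the videobridge bandwidth; that may be intended for the congress, but it deserves an explicit comment such as `# NOTE: anonymous room creation is allowed on purpose (public congress instance)` or a secured-domain setup.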
@@ -0,0 +1,71 @@ +let + + # import plops with pkgs and lib + opsImport = import ((import { }).fetchgit { + url = "https://github.com/mrVanDalo/plops.git"; + rev = "9fabba016a3553ae6e13d5d17d279c4de2eb00ad"; + sha256 = "193pajq1gcd9jyd12nii06q1sf49xdhbjbfqk3lcq83s0miqfs63"; + }); + + ops = let + overlay = self: super: { + # overwrite ssh to use the generated ssh configuration + openssh = super.writeShellScriptBin "ssh" '' + ${super.openssh}/bin/ssh -F ${ + toString ./generated/ssh-configuration + } "$@" + ''; + }; + in opsImport { overlays = [ overlay ]; }; + + lib = ops.lib; + pkgs = ops.pkgs; + + # define all sources + source = { + + # nixpkgs (no need for channels anymore) + nixPkgs.nixpkgs.git = { + ref = "nixos-20.09"; + url = "https://github.com/NixOS/nixpkgs"; + }; + + # system configurations + system = name: { + configs.file = toString ./configs; + nixos-config.symlink = "configs/${name}/configuration.nix"; + }; + + # secrets which are hold and stored by pass + secrets = name: { + secrets.pass = { + dir = toString ./secrets; + name = name; + }; + }; + }; + + servers = import ./generated/nixos-machines.nix; + + deployServer = name: + { user ? "root", host, ... }: + with ops; + jobs "deploy-${name}" "${user}@${host.ipv4}" [ + # deploy secrets to /run/plops-secrets/secrets + # (populateTmpfs (source.secrets name)) + # deploy system to /var/src/system + (populate (source.system name)) + # deploy nixpkgs to /var/src/nixpkgs + (populate source.nixPkgs) + switch + ]; + +in pkgs.mkShell { + + buildInputs = lib.mapAttrsToList deployServer servers; + + shellHook = '' + export PASSWORD_STORE_DIR=./secrets + ''; + +} diff --git a/terranix/jitsi-cloud/shell.nix b/terranix/jitsi-cloud/shell.nix new file mode 100644 index 0000000..a934fa1 --- /dev/null +++ b/terranix/jitsi-cloud/shell.nix 
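Review bot: `shellHook` sets `export PASSWORD_STORE_DIR=./secrets`, a relative path, while `source.secrets` points pass at `toString ./secrets` (absolute); as soon as the user changes directory inside the shell, `pass` resolves a different — possibly their personal — store, so the two disagree. Use the absolute form in the hook as well: `export PASSWORD_STORE_DIR=${toString ./secrets}`. Also, `nixPkgs.nixpkgs.git` follows the moving branch `ref = "nixos-20.09"` with no commit hash, so each `deploy-*` run fetches whatever the branch currently points to and the deployed system is neither reproducible nor reviewable; pinning `ref` to a commit (krops accepts one there, if I read it right) and bumping it deliberately would close that gap, the way `opsImport` already pins plops by `rev` plus `sha256`. The commented-out `populateTmpfs (source.secrets name)` line would benefit from a one-line note on why secrets deployment is disabled.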
@@ -0,0 +1,44 @@ +{ pkgs ? import { } }: +let + + terranix = pkgs.callPackage (pkgs.fetchgit { + url = "https://github.com/mrVanDalo/terranix.git"; + rev = "2.3.0"; + sha256 = "030067h3gjc02llaa7rx5iml0ikvw6szadm0nrss2sqzshsfimm4"; + }) { }; + + terraform = pkgs.writers.writeBashBin "terraform" '' + export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token` + ${pkgs.terraform_0_12}/bin/terraform "$@" + ''; + +in pkgs.mkShell { + + buildInputs = [ + + terranix + terraform + + (pkgs.writers.writeBashBin "example-prepare" '' + ${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey + '') + + (pkgs.writers.writeBashBin "example-run" '' + set -e + set -o pipefail + ${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json + ${terraform}/bin/terraform init + ${terraform}/bin/terraform apply + '') + + (pkgs.writers.writeBashBin "example-cleanup" '' + ${terraform}/bin/terraform destroy + rm ${toString ./.}/config.tf.json + rm ${toString ./.}/sshkey + rm ${toString ./.}/sshkey.pub + rm ${toString ./.}/terraform.tfstate* + '') + + ]; +} +
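Review bot: `example-cleanup` runs its `rm` lines unconditionally, so if `terraform destroy` fails or is answered with "no", the state file is deleted anyway and the server is orphaned with no record of it — exactly the costly outcome the README warns about, and a still-running host with the deploy key authorized on it. Add `set -e` (and `set -o pipefail`, matching `example-run`) as the first line of that script so state is only removed after a successful destroy. `example-prepare` calls `ssh-keygen` without `-t`, which defaults to RSA; `ssh-keygen -t ed25519 -P "" -f ...` is the better default, and since the key is deliberately passphrase-less for unattended provisioning a comment saying so — e.g. `# unencrypted on purpose: used non-interactively by terraform/plops; kept out of git via .gitignore` — would help the next reader. In the `terraform` wrapper a failing `pass` leaves `TF_VAR_hcloud_api_token` empty and terraform still runs; assigning to a local first under `set -e` (`token=$(${pkgs.pass}/bin/pass ...)` then `export TF_VAR_hcloud_api_token="$token"`) makes that failure stop the run. Finally, the README refers to an `example-ssh` command while this file defines `example-run`.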