]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/radicle.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
mermet: radicle: update
[sourcephile-nix.git] / hosts / mermet / radicle.nix
1 { config, pkgs, lib, host, hostName, ... }:
2 let
3 inherit (config.networking) domain;
4 inherit (config.users) users;
5 srv = "radicle";
6 radicle = config.services.radicle;
7 seed = "${srv}-${hostName}.${domain}";
8 in
9 {
10 services.radicle = {
11 enable = true;
12 privateKeyFile = "key:${radicle/key.cred}";
13 publicKeyFile = radicle/key.pub;
14 #package = pkgs.radicle-node;
15 node = { };
16 # FIXME: because radicle-node from the heartwood's flake.nix does not include rad
17 # Should be re-enabled once radicle-node comes from Nixpkgs
18 checkConfig = false;
19 httpd = {
20 enable = true;
21 package = pkgs.radicle-httpd;
22 nginx = {
23 serverName = seed;
24 forceSSL = true;
25 enableACME = false;
26 useACMEHost = domain;
27 extraConfig = ''
28 access_log off;
29 error_log /var/log/nginx/${domain}/${srv}-${hostName}/error.log warn;
30 '';
31 };
32 };
33 settings = {
34 preferredSeeds = [
35 "z6MkrLMMsiPWUcNPHcRajuMi9mDfYckSoJyPwwnknocNYPm7@seed.radicle.garden:8776"
36 #"z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo@ash.radicle.garden:8776"
37 ];
38 publicExplorer = "https://${srv}.${domain}/nodes/$host/$rid$path";
39 node = {
40 policy = "block";
41 scope = "all";
42 # Relaying produces a constant network stream!
43 relay = "never";
44 # Make this a public node
45 #externalAddresses = [
46 # "${seed}:${toString radicle.node.listenPort}"
47 # #"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion:${toString radicle.node.listenPort}"
48 #];
49 peers = {
50 type = "dynamic";
51 target = 0;
52 };
53 limits = {
54 routingMaxSize = 1000;
55 routingMaxAge = 1 * 7 * 24 * 60 * 60; # 1 week
56 gossipMaxAge = 1 * 7 * 24 * 60 * 60; # 1 week
57 fetchConcurrency = 1;
58 maxOpenFiles = 4096;
59 rate = {
60 inbound = {
61 fillRate = 1;
62 capacity = 1;
63 };
64 outbound = {
65 fillRate = 1;
66 capacity = 1;
67 };
68 };
69 connection = {
70 inbound = 16;
71 outbound = 8;
72 };
73 };
74 workers = host.CPUs;
75 /*
76 onion = {
77 mode = "proxy";
78 address = "127.0.0.1:9050";
79 };
80 */
81 };
82 web = {
83 pinned = {
84 # Pinned repositories must be `rad clone`-d before.
85 repositories = [
86 "rad:z2364hmzZUAGy1nKdSFa1gLSoUE2M" # literate-phylomemy
87 "rad:z3795BqJN8hSMGkyAUr8hHviEEi2H" # logic
88 "rad:z4NtwMC1GmUuCRLngaZrVrSZLmUvh" # symantic-base
89 ];
90 };
91 };
92 };
93 };
94 systemd.services.radicle-node = {
95 environment.RUST_LOG = "debug";
96 serviceConfig = {
97 CPUAccounting = true;
98 CPUWeight = "idle";
99 #CPUQuota = "60%";
100 MemoryAccounting = true;
101 MemoryHigh = "500M";
102 MemoryMax = "600M";
103 CPUSchedulingPolicy = "idle";
104 IOSchedulingClass = "idle";
105 # 0: high priority, 7: low priority
106 IOSchedulingPriority = 3;
107 Nice = 15;
108 };
109 };
110 services.sanoid.datasets."rpool/var/lib/${srv}" = {
111 use_template = [ "snap" ];
112 hourly = 0;
113 daily = 7;
114 monthly = 0;
115 recursive = true;
116 };
117 environment.systemPackages = [
118 pkgs.radicle-node
119 ];
120
121 networking.nftables.ruleset = ''
122 table inet filter {
123 chain input-net {
124 tcp dport ${toString radicle.node.listenPort} counter accept comment "radicle-node"
125 }
126 chain input-neb-sourcephile {
127 tcp dport ${toString radicle.node.listenPort} counter accept comment "radicle-node"
128 }
129 chain output-net {
130 skuid ${users.radicle.name} meta l4proto tcp counter accept comment "radicle-node"
131 }
132 }
133 '';
134
135 services.nginx.virtualHosts."${srv}-explorer.${domain}" = {
136 serverAliases = [ "${srv}.${domain}" ];
137 forceSSL = true;
138 useACMEHost = domain;
139 extraConfig = ''
140 access_log off;
141 error_log /var/log/nginx/${domain}/${srv}-explorer/error.log warn;
142 '';
143 locations."/" = {
144 extraConfig = ''
145 try_files $uri $uri/ /index.html;
146 '';
147 index = "index.html";
148 root = pkgs.radicle-explorer.overrideAttrs (previousAttrs: {
149 postPatch = (previousAttrs.postPatch or "") + ''
150 cp ${pkgs.writeText "local.json" ''
151 {
152 "nodes": {
153 "fallbackPublicExplorer": "https://app.radicle.xyz/nodes/$host/$rid$path",
154 "defaultHttpdPort": 443,
155 "defaultLocalHttpdPort": 8080,
156 "defaultHttpdHostname": "localhost",
157 "defaultHttpdScheme": "https",
158 "defaultNodePort": 8776,
159 "pinned": [
160 {
161 "baseUrl": {
162 "hostname": "${seed}",
163 "port": 443,
164 "scheme": "https"
165 }
166 }
167 ]
168 },
169 "supportWebsite": "https://radicle.zulipchat.com",
170 "reactions": ["👍", "👎", "😄", "🙁", "👀"],
171 "fallbackPreferredSeed": {
172 "hostname": "${seed}",
173 "port": 443,
174 "scheme": "https"
175 }
176 }
177 ''} config/local.json
178 '';
179 });
180 };
181 };
182 systemd.services.nginx.serviceConfig.LogsDirectory = lib.mkForce [
183 "nginx/${domain}/${srv}-${hostName}"
184 "nginx/${domain}/${srv}-explorer"
185 ];
186
187 }
NixOS configurations for Sourcephile's infrastructure