mermet: radicle: add service
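# Radicle seed node for this host: radicle-node, its HTTP API (radicle-httpd)
# published through nginx as `radicle-<host>.<domain>`, and a statically
# served radicle-explorer front end at `radicle-explorer.<domain>`
# (alias `radicle.<domain>`).
#
# Module arguments: `host` and `hostName` are supplied by the surrounding
# configuration (only `host.CPUs` is read here).
{ config, pkgs, lib, host, hostName, ... }:
let
  inherit (config.networking) domain;
  srv = "radicle";
  radicle = config.services.radicle;
  # The node's P2P port, as a string for the nftables ruleset below.
  listenPort = toString radicle.node.listenPort;
  # Public name of the seed's HTTP API (radicle-httpd behind nginx).
  seed = "${srv}-${hostName}.${domain}";
  # Retention window for routing/gossip entries, in seconds.
  oneWeek = 1 * 7 * 24 * 60 * 60;
  # nginx log directories relative to /var/log. Bound once so that the
  # `error_log` directives and systemd's `LogsDirectory=` cannot drift apart.
  httpdLogDir = "nginx/${domain}/${srv}-${hostName}";
  explorerLogDir = "nginx/${domain}/${srv}-explorer";
in
{
  services.radicle = {
    enable = true;
    # `./radicle/key.cred` is a path literal relative to this file, not the
    # `radicle` binding above (the leading `./` makes that explicit).
    # Interpolating a path into a string copies the file into the Nix store,
    # which is world-readable: this is only acceptable because the `.cred`
    # file is expected to be systemd-creds encrypted, with the "key:" prefix
    # naming the credential — confirm a plaintext key never lands here.
    privateKeyFile = "key:${./radicle/key.cred}";
    publicKeyFile = ./radicle/key.pub;
    #package = pkgs.radicle-node;
    node = { };
    # FIXME: because radicle-node from the heartwood's flake.nix does not include rad
    # Should be re-enabled once radicle-node comes from Nixpkgs
    # While disabled, mistakes in `settings` are not caught at build time and
    # only surface when the service starts.
    checkConfig = false;
    httpd = {
      enable = true;
      package = pkgs.radicle-httpd;
      nginx = {
        serverName = seed;
        forceSSL = true;
        # Served under the domain's existing certificate rather than
        # requesting a dedicated one.
        enableACME = false;
        useACMEHost = domain;
        # Access logging is deliberately off for this public API; only
        # errors are kept, which limits what can be reconstructed afterwards.
        extraConfig = ''
          access_log off;
          error_log /var/log/${httpdLogDir}/error.log warn;
        '';
      };
    };
    settings = {
      preferredSeeds = [
        "z6MkrLMMsiPWUcNPHcRajuMi9mDfYckSoJyPwwnknocNYPm7@seed.radicle.garden:8776"
        #"z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo@ash.radicle.garden:8776"
      ];
      # `$host`, `$rid` and `$path` are literal here (no braces): they are
      # placeholders expanded by radicle, not by Nix.
      publicExplorer = "https://${srv}.${domain}/nodes/$host/$rid$path";
      node = {
        # Default seeding policy: repositories are not seeded unless
        # explicitly allowed (presumably via `rad seed` / `rad clone`).
        policy = "block";
        scope = "all";
        # Relaying produces a constant network stream!
        relay = "never";
        # Make this a public node
        #externalAddresses = [
        #  "${seed}:${listenPort}"
        #  #"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion:${listenPort}"
        #];
        peers = {
          type = "dynamic";
          # NOTE(review): a target of 0 presumably means no outbound peer
          # connections are sought — confirm against the radicle-node docs.
          target = 0;
        };
        limits = {
          routingMaxSize = 1000;
          routingMaxAge = oneWeek;
          gossipMaxAge = oneWeek;
          fetchConcurrency = 1;
          maxOpenFiles = 4096;
          # Token-bucket rate limits (fill rate / capacity) per direction.
          rate = {
            inbound = {
              fillRate = 1;
              capacity = 1;
            };
            outbound = {
              fillRate = 1;
              capacity = 1;
            };
          };
          connection = {
            inbound = 16;
            outbound = 8;
          };
        };
        # One worker per CPU reported by the host metadata.
        workers = host.CPUs;
        /*
        onion = {
          mode = "proxy";
          address = "127.0.0.1:9050";
        };
        */
      };
      web = {
        pinned = {
          # Pinned repositories must be `rad clone`-d before.
          repositories = [
            "rad:z2364hmzZUAGy1nKdSFa1gLSoUE2M" # literate-phylomemy
            "rad:z3795BqJN8hSMGkyAUr8hHviEEi2H" # logic
            "rad:z4NtwMC1GmUuCRLngaZrVrSZLmUvh" # symantic-base
          ];
        };
      };
    };
  };
  systemd.services.radicle-node = {
    # NOTE(review): debug-level logging is verbose and ends up in the journal;
    # consider lowering it once the node is known to behave.
    environment.RUST_LOG = "debug";
    # Keep the node in the background: idle CPU/IO scheduling and a hard
    # memory ceiling so it cannot starve the rest of the host.
    serviceConfig = {
      CPUAccounting = true;
      CPUWeight = "idle";
      #CPUQuota = "60%";
      MemoryAccounting = true;
      MemoryHigh = "500M";
      MemoryMax = "600M";
      CPUSchedulingPolicy = "idle";
      IOSchedulingClass = "idle";
      # 0: high priority, 7: low priority
      IOSchedulingPriority = 3;
      Nice = 15;
    };
  };
  # ZFS snapshots of the node's state: seven dailies, nothing else.
  services.sanoid.datasets."rpool/var/lib/${srv}" = {
    use_template = [ "snap" ];
    hourly = 0;
    daily = 7;
    monthly = 0;
    recursive = true;
  };
  environment.systemPackages = [
    pkgs.radicle-node
  ];

  # Firewall: accept the P2P port from the internet and from the
  # `input-neb-sourcephile` network; let the node's own uid open outbound
  # TCP connections. The `nixos_radicle_node_uids` set is expected to be
  # defined by a shared nftables module — it is not declared in this file.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport ${listenPort} counter accept comment "radicle-node"
      }
      chain input-neb-sourcephile {
        tcp dport ${listenPort} counter accept comment "radicle-node"
      }
      chain output-net {
        skuid @nixos_radicle_node_uids meta l4proto tcp counter accept comment "radicle-node"
      }
    }
  '';

  # radicle-explorer is a single-page application: every unknown path falls
  # back to index.html, and the build is patched with a local.json that
  # points it at this host's seed.
  services.nginx.virtualHosts."${srv}-explorer.${domain}" = {
    serverAliases = [ "${srv}.${domain}" ];
    forceSSL = true;
    useACMEHost = domain;
    extraConfig = ''
      access_log off;
      error_log /var/log/${explorerLogDir}/error.log warn;
    '';
    locations."/" = {
      extraConfig = ''
        try_files $uri $uri/ /index.html;
      '';
      index = "index.html";
      root = pkgs.radicle-explorer.overrideAttrs (previousAttrs: {
        postPatch = (previousAttrs.postPatch or "") + ''
          cp ${pkgs.writeText "local.json" ''
            {
              "nodes": {
                "fallbackPublicExplorer": "https://app.radicle.xyz/nodes/$host/$rid$path",
                "defaultHttpdPort": 443,
                "defaultLocalHttpdPort": 8080,
                "defaultHttpdHostname": "localhost",
                "defaultHttpdScheme": "https",
                "defaultNodePort": 8776,
                "pinned": [
                  {
                    "baseUrl": {
                      "hostname": "${seed}",
                      "port": 443,
                      "scheme": "https"
                    }
                  }
                ]
              },
              "supportWebsite": "https://radicle.zulipchat.com",
              "reactions": ["👍", "👎", "😄", "🙁", "👀"],
              "fallbackPreferredSeed": {
                "hostname": "${seed}",
                "port": 443,
                "scheme": "https"
              }
            }
          ''} config/local.json
        '';
      });
    };
  };
  # NOTE(review): mkForce discards any LogsDirectory= that other modules set
  # for nginx on this host; if another vhost also needs a log directory,
  # merge the lists instead of forcing this one.
  systemd.services.nginx.serviceConfig.LogsDirectory = lib.mkForce [
    httpdLogDir
    explorerLogDir
  ];

}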