feat(nixosConfigurations): add new machine serving {turn,signal,bootstrap}.infra.holochain.org #64
Conversation
steveej commented Mar 15, 2024 (edited)
- blanket config to get the machine up and running.
- opinionated coturn module
- service
- acme cert via redirection
- ensure cli-password is effective
- opinionated tx5 signal server module
- service
- reverse TLS proxy with acme cert
- tx5 signal server package
- secrets for turn credentials
- kitsune-bootstrap module with reverse TLS proxy
- fixes dweb-reverse-tls-proxy: disko config is outdated #66
- partially addresses CI foundations: lint, eval, and build all darwin and linux configs on CI #65
5d9d7d6 to fb072ad
@ThetaSinner this server is deployed now. just needs the turn server config added.
…d module the flake-part encapsulates and exposes both the overlay and the module. the coturn overlay adds a coturn that has working acme-redirection, which we make use of here.
disable jost-s key as i don't have it in the keychain and cannot find it immediately.
this relies on a package in holochain/holochain so adding that too.
I have no idea how to review any of this... but our tests showed the results worked, so I guess approve 👍
I think this looks good! Definitely an improvement.
I have a few questions about syncing versions and quite a few general questions. Hopefully one or two useful comments in here too :)
wantedBy = ["multi-user.target"]; | ||
|
||
environment = { | ||
TMPDIR = "%T"; |
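Review bot: `%T` in `TMPDIR = "%T"` is the systemd specifier for the temporary directory (normally /tmp); together with `PrivateTmp = true` in the serviceConfig below it resolves inside the unit's private /tmp, so a file written there is not visible to other services and disappears when the unit stops. A one-line comment on the `TMPDIR` line would spare the next reader the question raised in this thread.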
What does this do?
it ensures that TMPDIR environment variable is set to something that systemd considers temporary and writable. for some reason it wasn't set otherwise. systemd.unit or some other manual might explain why.
Specifically the %T bit looked magical to me
serviceConfig = { | ||
DynamicUser = true; | ||
PrivateTmp = true; | ||
ExecStartPre = pkgs.writeShellScript "tx5-start-pre" '' |
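Review bot: `ExecStartPre` without a `+` prefix runs as the same dynamic user as the main process, so a 0400 file the script writes is owned by that user and readable by the service; that is what makes `DynamicUser = true` plus `PrivateTmp = true` work here and deserves a comment, since the script is the only place the file is created. If secret values ever need to go into that file (as discussed below), `LoadCredential=` would hand a root-owned secret to the service via `$CREDENTIALS_DIRECTORY` without it passing through the Nix store or the script needing root.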
Is it not possible to put this in a directory without scripting? Like /var/lib/bootstrap/config.json or somewhere like that. Not really bothered where but I think there's a way to output files to standard locations to be consumed by services with NixOS?
nix can by design only put files in the nix store. the point here isn't that it's not in the nix store though, it's that the permissions are 0400 which is enforced by the tx5-signal-srv.
in addition i also thought about how we can inject secrets into the config.json at runtime. it turns out we're not needing that now because we've got a hashed password in the config.
I think you can create files alongside services like this https://unix.stackexchange.com/questions/500025/how-to-add-a-file-to-etc-in-nixos
I think you can create files alongside services like this https://unix.stackexchange.com/questions/500025/how-to-add-a-file-to-etc-in-nixos
using environment.etc, the file is going to be written to the nix store first, and then linked to from /etc with the link's permissions being adjusted. the file in the nix store will be world-readable which i'd like to avoid in this case. that's because i want to reserve the functionality of injecting secret information into this config, which should never reach the nix store in plain text.
what do you think are the downsides of the current implementation?
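An added example, not code from this PR or the holochain repo, that puts the two approaches discussed above side by side: the commented-out `environment.etc` variant whose target lives world-readable in the store, and the ExecStartPre pattern from the PR that renders the config into the unit's private /tmp with mode 0400 at start time, extended with `LoadCredential=` as one way to inject a secret without it ever reaching the store. The package `pkgs.tx5-signal-srv`, its `--config` flag, the JSON keys and the secret path `/run/secrets/turn-password` are all hypothetical placeholders.

```nix
# Added example, not from the PR. Hypothetical: pkgs.tx5-signal-srv providing a
# `tx5-signal-srv --config <path>` binary, and a JSON config with these keys.
{ config, lib, pkgs, ... }:
let
  # Non-secret settings only: anything evaluated by Nix ends up in /nix/store,
  # which is world-readable, so no secret may be placed here.
  publicSettings = {
    port = 8443;
    ice_servers = [ "turn:turn.infra.holochain.org:443" ];
  };
  settingsTemplate = pkgs.writeText "tx5-config-template.json"
    (builtins.toJSON publicSettings);
in
{
  # (1) What environment.etc would do: /etc/tx5/config.json becomes a symlink
  # into the store. The link's mode can be set, but the store target stays
  # readable by every local user, so this variant is deliberately commented out.
  # environment.etc."tx5/config.json" = { source = settingsTemplate; mode = "0400"; };

  # (2) The pattern from the PR: render the effective config when the unit
  # starts, into its private /tmp, owned by the dynamic user with mode 0400.
  systemd.services.tx5-signal-srv = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    # %T is systemd's specifier for the temporary directory. With PrivateTmp
    # below it is the per-unit /tmp: invisible to other units, removed on stop.
    environment.TMPDIR = "%T";

    serviceConfig = {
      DynamicUser = true;
      PrivateTmp = true;
      # Hypothetical secret file, root-owned on disk. systemd copies it into
      # $CREDENTIALS_DIRECTORY where only this service's dynamic user can read it.
      LoadCredential = [ "turn-password:/run/secrets/turn-password" ];

      # No "+" prefix, so this runs as the same dynamic user as ExecStart and the
      # file it creates is owned by that user. umask 077 means the file is never
      # world-readable even for an instant; chmod then tightens it to 0400.
      ExecStartPre = pkgs.writeShellScript "tx5-start-pre" ''
        set -euo pipefail
        umask 077
        ${pkgs.jq}/bin/jq --rawfile pw "$CREDENTIALS_DIRECTORY/turn-password" \
          '. + {turn_password: ($pw | rtrimstr("\n"))}' \
          ${settingsTemplate} > "$TMPDIR/config.json"
        chmod 0400 "$TMPDIR/config.json"
      '';
      # Same private /tmp as ExecStartPre, so %T/config.json is the file above.
      ExecStart = "${pkgs.tx5-signal-srv}/bin/tx5-signal-srv --config %T/config.json";
      Restart = "on-failure";
    };
  };
}
```

Only the template (public settings) exists in the store; the merged file with the secret exists solely inside the unit's mount namespace for the unit's lifetime, which is the property the thread is after.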
Ahh okay, got it, yeah that's fine then