Merge pull request #146 from DarkKirb/auth-chir-rs

Add auth.chir.rs

config/instance-20221213-1915.nix

@@ -15,6 +15,7 @@
     ./wireguard/public-server.nix
     ./services/named-submissive.nix
     ./services/shitalloverme.nix
+    ./services/chir.rs
   ];
 
   boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];

config/nixos-8gb-fsn1-1.nix

@@ -31,6 +31,7 @@
     ./services/rspamd.nix
     ./wireguard/public-server.nix
     ./services/shitalloverme.nix
+    ./services/chir.rs
   ];
 
   boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];

config/services/chir.rs/auth.nix

@@ -0,0 +1,67 @@
+{
+  pkgs,
+  system,
+  chir-rs,
+  config,
+  ...
+}: let
+  d = "$";
+  dhallConfig = ''
+    let password = ${config.sops.secrets."services/chir-rs/auth/password".path} as Text
+    let BaseConfig =
+          { Type =
+              { database_url : Text
+              , listen_addr : Text
+              , redis_url : Text
+              }
+            , default.listen_addr = "[::1]:5621"
+          }
+
+    in  BaseConfig::{
+        , database_url = "postgres://auth_chir_rs:${d}{password}@nixos-8gb-fsn1-1.int.chir.rs",
+        , listen_addr = "[::1]:7954"
+        , redis_url = "redis://localhost:53538/0"
+        }
+  '';
+in {
+  systemd.services.auth-chir-rs = {
+    description = "auth.chir.rs";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+    script = ''
+      export CONFIG_FILE=${pkgs.writeText "config.dhall" dhallConfig}
+      exec ${chir-rs.packages.${system}.chir-rs-auth}/bin/chir-rs-auth
+    '';
+    serviceConfig = {
+      Type = "simple";
+      User = "auth-chir-rs";
+      Group = "auth-chir-rs";
+      Restart = "always";
+    };
+  };
+  sops.secrets."services/chir-rs/auth/password".owner = "auth-chir-rs";
+  users.users.auth-chir-rs = {
+    description = "auth.chir.rs";
+    home = "/var/empty";
+    useDefaultShell = true;
+    group = "auth-chir-rs";
+    isSystemUser = true;
+  };
+  users.groups.auth-chir-rs = {};
+  services.postgresql.ensureDatabases = [
+    "auth_chir_rs"
+  ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "auth_chir_rs";
+      ensurePermissions = {
+        "DATABASE auth_chir_rs" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+  services.redis.servers."auth_chir_rs" = {
+    enable = true;
+    port = 53538;
+    save = [];
+  };
+}

config/services/chir.rs/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./auth.nix
+  ];
+}

flake.lock

@@ -1,5 +1,32 @@
 {
   "nodes": {
+    "cargo2nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": [
+          "rust-overlay"
+        ]
+      },
+      "locked": {
+        "lastModified": 1655189312,
+        "narHash": "sha256-gpJ57OgIebUpO+7F00VltxSEy6dz2x6HeJ5BcRM8rDA=",
+        "owner": "cargo2nix",
+        "repo": "cargo2nix",
+        "rev": "c149357cc3d17f2849c73eb7a09d07a307cdcfe8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cargo2nix",
+        "repo": "cargo2nix",
+        "type": "github"
+      }
+    },
     "check-flake": {
       "locked": {
         "lastModified": 1662502605,
@@ -15,6 +42,33 @@
         "type": "github"
       }
     },
+    "chir-rs": {
+      "inputs": {
+        "cargo2nix": [
+          "cargo2nix"
+        ],
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1673620617,
+        "narHash": "sha256-O52S5V1/T2DYeVS3+oWohpX45p1Cosd2azXkigZ9jP8=",
+        "owner": "DarkKirb",
+        "repo": "chir.rs",
+        "rev": "f921629e7dc7299788a3f99943e069ffa545e529",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "repo": "chir.rs",
+        "type": "github"
+      }
+    },
     "dns": {
       "inputs": {
         "flake-utils": [
@@ -93,6 +147,22 @@
       }
     },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1668681692,
@@ -503,7 +573,7 @@
     },
     "prismmc": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "libnbtplusplus": "libnbtplusplus",
         "nixpkgs": [
           "nixpkgs"
@@ -525,6 +595,8 @@
     },
     "root": {
       "inputs": {
+        "cargo2nix": "cargo2nix",
+        "chir-rs": "chir-rs",
         "dns": "dns",
         "ema": "ema",
         "emanote": "emanote",
@@ -540,10 +612,59 @@
         "nixpkgs-noto-variable": "nixpkgs-noto-variable",
         "nur": "nur",
         "prismmc": "prismmc",
+        "rust-overlay": "rust-overlay_2",
         "sops-nix": "sops-nix",
         "tomlplusplus": "tomlplusplus"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "chir-rs",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "chir-rs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673404037,
+        "narHash": "sha256-9yhRzFiqzVQaJN5jsAIwApDolkORRQ3EJi7D4yu58ig=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "a979c85ed4691bf996af88504522b32e9611ccfe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673576998,
+        "narHash": "sha256-I6vYVejEWTao+Ze/F6VFSTFxu6/X2OPT3Eu4AM/zzec=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "ca474ccdd5f81ed742328e15dae38bb57a1006e3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -4,6 +4,18 @@ rec {
   # Use NixOS unstable
   inputs = {
     # Sorted by name
+    cargo2nix = {
+      url = "github:cargo2nix/cargo2nix";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.rust-overlay.follows = "rust-overlay";
+    };
+    chir-rs = {
+      url = "github:DarkKirb/chir.rs";
+      inputs.cargo2nix.follows = "cargo2nix";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     dns = {
       url = "github:DarkKirb/dns.nix";
       inputs.flake-utils.follows = "flake-utils";
@@ -49,6 +61,11 @@ rec {
       url = "github:PrismLauncher/PrismLauncher";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    rust-overlay = {
+      url = "github:oxalica/rust-overlay";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";

secrets/instance-20221213-1915.yaml

@@ -12,6 +12,9 @@ services:
         cache-key: ENC[AES256_GCM,data:e9dQNADhH+8l1hTj+CdVu0gow/LmqrQf0HWiTTlFdY81t/8zWkdHdi0Rat5AKUS6x/oBCfTskIKcoRo0Jc0MYJhmOHtDLXlT+I91bSuxVzb9d+TwmhZ/Zce1yP1OXic+/A==,iv:DZ4yCi4YjsAulDyXl3CDCTXB21p2jZIYuDhHORpTE94=,tag:zXcgyBYgFv229seRDLGzsg==,type:str]
     ssh:
         host-key: ENC[AES256_GCM,data:oiy1thPKRVgH0XltFQCKwGMdLZde8zp1Ag1dL/el/2jXp1be1Evtr+kkZv56nhlaJ6KpYi5VsfrfpFVnKUkcYGUMmqVf2lFDu2fPcWB+PW7nol9K+sVRhHgTPP1wz385o5bof4OnbMF9sUbV0PT/pd4yAvluKq9s2vBBb2GEZ+HDBwkurmgVrFqUb66AvCdncXTpK47qpWZQMDTMGKqv5d1hJOoCCIulX3iJ4ko2xDD7qRlFtcdLNFLw3q4R6eP+L0OqoQs8dnjpIQOLVItzHTHTTcQRVoFvD7OMYSyU5RIIxTIOoS9tWzQu/QpHpO4cgjQ/GX09uj+a6/Cy8Itavd88YeSoYEPGwBYEciYLakFpNQ8aFl0yEsEMdZbfHgOUAOlbv28Mv93+RFMs5HrdIup/lZr5PsCBSsrMVkwJNVQKTxbN34LCTGOeCkuzohAwmwEVB/Ysuh23WyFKcdkGWAwlnVvgaNT5/TsNTCCI8Hf6fJecD4imWrJAtlXG7o+mnE+f0LlixxsnMgSnlkX4,iv:mnW23zPiSDoluMjQJEUFHDkVO6IT/4+RgAlaKuie3Qw=,tag:F+KOH/MkjrF1wYCR9OzFkQ==,type:str]
+    chir-rs:
+        auth:
+            password: ENC[AES256_GCM,data:9tJQIoCgquUkX+FeAT0+1tfyIF9YdNT26AOyd7hiS8BgLSa8WdG+v3H0zMt48ETc8duCMTDKII0sJTtgYxtaKQ==,iv:ZukeYF4yTf7fkrkTpbUsuNkpMOgjMDGbYtUcbvfu50g=,tag:HutgW+KyEVoePVZIO+uExg==,type:str]
 email:
     lotte@chir.rs: ENC[AES256_GCM,data:YrJ/+VG6/ZSu8g+PQxYUqwd1RQ==,iv:IeFhCrMQ1+4KvenylyizbwmCvsCPGvTiZAw5VyZb3Zs=,tag:xoK+aBykGV2bLqHles1LMQ==,type:str]
     mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:l57AwqL90zV2BIn04ZhhEB3TE0WAFNJ7Bci1ljHgYvki0mZ5TrLP4PYZ681uKdzN7xlFsDjhCQN0C+iuz3Aj0g==,iv:qXNQq+03KFTazggckGRqHbnuOHo2enmQKCSzAw6mqsY=,tag:HE+tenPWwB8FIilV2r1wRQ==,type:str]
@@ -36,8 +39,8 @@ sops:
             bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
             QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-14T15:34:13Z"
+    lastmodified: "2023-01-13T19:15:53Z"
-    mac: ENC[AES256_GCM,data:9DHLfOjTVKWbsWiUDr7pu5pyh6dzoExcgjRsAd2HMtdu+R/Y04Zy5dbCJpFu4mvyRD9GJ5aI4hufYRLvFsTuO9k8aWNUbqb1IYnX+D6zzLlecCHxEJ6zhm0PhjkcuN0XxFhBQb/aCUaisP891PqHM8ZbXblIaCdl4FFX/me3Cls=,iv:MnMInA14AxnCPjLYvksSdZVfpvcIjpbLSQRMbzSYr2M=,tag:eQsCwg6S60FpZ4bxaBMiJg==,type:str]
+    mac: ENC[AES256_GCM,data:oZpSCWI29zEQAKe/PkeTVi8zZZwCDMoWQNXqTWP5Azyqze9/NHT/OmRhq6GtBl7X0y3P78x1Zu/3SziB935STCX0HhDN8JqJvo9vlkJ71gwBhn7pzhJwiByISlAN9WQCCJaNTrvr4QmNOAPHuJUqMhPwc5C5LUBaOvwdwwTXei0=,iv:Lo5NBanWkv0A3UC1C+iaNBMl/XsbPW8MIRc9RqPBWUQ=,tag:yA45fMs2x5MCuXspaL4MwA==,type:str]
     pgp:
         - created_at: "2022-12-14T15:34:13Z"
           enc: |

secrets/nixos-8gb-fsn1-1.yaml

@@ -25,6 +25,9 @@ services:
         secret-access-key: ENC[AES256_GCM,data:RhyAyU81pmOlD4hlGkOyutLPpUI/QsleJYmubCZJfA==,iv:8BCVnPkW+sa15Cp1eG+thvDb1U5EE+GsIzgNlsSsxMw=,tag:PXDPCEzG31r4u0eF7B258g==,type:str]
         matrix-token: ENC[AES256_GCM,data:QVe1KC1QE74scI64JBdTbza+naVZmwyJ0TyipVvZfnAe6csR4Ri+,iv:aZvmairwtFti+DgEoTgFxRTKtrQPb4Ji5Kml9mLQU9o=,tag:INtQW3jXNdpf8Kgqs0vPPg==,type:str]
     chir.rs: ENC[AES256_GCM,data:f8Jrf6ksi6nxTExzeos+U5KXQKreViD0iGoKAEbfA1872WfhgH3VSpx2WQVCW5lTKio4pQ9Mej17W451N6bIc1U2lbQszFn+4wjXrOS9VJnB8+JV+05UGzGXmHJD8u19GG3vyMllKJLwKSsceWux7AAm9duBXoRSgEElA7sTWhGBjXXW+/yCRDKQcNdNvPpH6zHzXcApFmI7ECQKMF/Cq8Txl6yQkWIX/n3v/U8JNSzNzwllVSgx2JU7FDorqS7lrkYaz6lXuPZeiiISIIRShwYoW20uqvQvUQ1bQmDbJPsV4FXu1SynUNbHA7WbsR/Qh2bBAZozgxCy3NvfYfPkb2XANOBemFU+uRbrYMmoaucZnYBJijlc9FGfFsq10vT3BynPjCRLcZWtLTx52k83SP4NiLxkNkPPYERxwcT74IuhkyMOQdZe+EASASRWY0VVCKkGLX/v2dO/jf6gumxQ0xn5ehqGhlqq5wR8cA==,iv:S+mUPpwg1C7FW6or+7Y3fG4UjtWePYdH9N9apJ9TvHw=,tag:EH9Dix+g5tguZFDe/bfmYg==,type:str]
+    chir-rs:
+        auth:
+            password: ENC[AES256_GCM,data:7T4iu5rqkp8r6lxmSW1vj82uqwsASAu12CHuRqX/ee1xbrZfeUmHPJc4jRo8EKRR11RhSSEw2gcqksrGdwRltQ==,iv:kzBujm7LgzoXGiDPbDqz62ura+t2OjcrYf2vIvq2Q5M=,tag:uuh9N8O5UGMpu/ZO5C2esw==,type:str]
     hydra:
         gitea_token: ENC[AES256_GCM,data:8OOn7dlMaBTLNpRB9K2M+Cg4ZB9V2qFXdm7c0/2F/5CdOGfKF63a8Q==,iv:htbnKmNuaHlUw0E2PYRy3en00fni5hmwbkhDcQJRfE4=,tag:MpVnRX6HBxORghcsbEShNw==,type:str]
     gitea: ENC[AES256_GCM,data:i+reN0mYGY2iMQ06atN/i6YzAg==,iv:HT1H9/UIBweErA5+YFq7aprPjPB2d0gNbt/3MKayuHI=,tag:vDGL31LBw+9sU7UHE9GYKw==,type:str]
@@ -90,8 +93,8 @@ sops:
             N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
             dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-24T13:05:17Z"
+    lastmodified: "2023-01-13T19:16:14Z"
-    mac: ENC[AES256_GCM,data:zyDRuZOCgWQ/gAAhCpMxsSv85pUpcJryCSwtqhRWiGadvd4ZJv95t9nnChe08P0t3E9wZ+i9YeShTvycR2lye+J/mhJKl37iJhSHIBWqWMW16bj4elDsy7LJm/dzIb2s7yJgnV3Sm6aqT3hCStUtoFH23NQWxfXnVWQnGIbr7SM=,iv:TYrjVDWisStsllhH47FwWoDttV31JNgR3gOtIMolJaI=,tag:9s/5ncDtIXNVd2qyUAcm3Q==,type:str]
+    mac: ENC[AES256_GCM,data:syVA2n+ph+gtMcs/LS9zSfrUdXF6ccBz/cN4ERBt1TpIgrU762Z9Uuidh+vwY422OBNikz6UHV5T7R5pOZkh8VBhMj0WXR1pnrOGtOldamOQAfduuMUtwt75XY1rasT2Ye+Aju5WVCv+HuRg+wBY9O0+V6KyzIlL9/j9vTnPSYo=,iv:jgo2XOk2f/MHgeFkMNZ2TvT29Q0AA+aDNGZv2wHUxZM=,tag:1EkuDg6VbI47aSt6QCrymQ==,type:str]
     pgp:
         - created_at: "2022-02-02T17:50:42Z"
           enc: |

zones/chir.rs.nix

@@ -120,11 +120,31 @@ with dns.lib.combinators; let
     ];
   };
   createZone = merge zoneBase;
+  createFullZone = merge (createZone {
+    A = [
+      (ttl zoneTTL (a "130.162.60.127"))
+      (ttl zoneTTL (a "138.201.155.128"))
+    ];
+    AAAA = [
+      (ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
+      (ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"))
+    ];
+    HTTPS = [
+      {
+        svcPriority = 1;
+        targetName = ".";
+        alpn = ["http/1.1" "h2" "h3"];
+        ipv4hint = ["138.201.155.128" "130.162.60.127"];
+        ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" "2603:c020:8009:f100:f09a:894d:ef57:a278"];
+        ttl = zoneTTL;
+      }
+    ];
+  });
   zone = createZone {
     SOA = {
       nameServer = "ns1.chir.rs.";
       adminEmail = "lotte@chir.rs";
-      serial = 24;
+      serial = 25;
     };
     NS = [
       "ns1.chir.rs."
@@ -222,6 +242,7 @@ with dns.lib.combinators; let
       ];
       peertube = createZone {};
       mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
+      auth = createFullZone {};
 
       int =
         delegateTo [