# This doesn't seem to work for some reason. I wonder why.
# The VMs themselves don't want to launch properly.
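# NixOS VM test for kittybox running as several instances over shared storage:
# "primrose" exports /srv over NFSv4 and hosts the Postgres job queue, while
# three kittybox nodes mount that export as their file backend and blob store.
#
# Arguments (curried): the kittybox flake (for nixosModules.default), then the
# { lib, system, ... } set the test runner passes in.
# Returns a NixOS test attribute set: name, nodes and testScript.
kittybox:
{ lib, system, ... }:
let
  # Test-only credential, defined once so the Postgres init script and the
  # kittybox unit environment cannot drift apart.
  pgPassword = "swordfish";

  # Applied to every node. The fixed uid/gid keeps ownership of files on the
  # NFS export consistent across machines; the firewall is off because the
  # nodes need to reach each other's NFS and Postgres ports on the test VLAN.
  commonModule = {
    users.users.kittybox = {
      isSystemUser = true;
      uid = 990;
      group = "kittybox";
    };
    users.groups.kittybox.gid = 990;
    networking.firewall.enable = false;
  };

  # A kittybox server node: mounts primrose:/ on /srv and runs the service as
  # the fixed-uid user from commonModule.
  kittyboxModule = { config, pkgs, lib, ... }: {
    imports = [ kittybox.nixosModules.default commonModule ];

    services.kittybox = {
      enable = true;
      backendUri = "file:///srv/kittybox/data";
      blobstoreUri = "file:///srv/kittybox/media";
      # No user in the URI: presumably the client falls back to the unix user
      # name (kittybox) plus PGPASSWORD from the unit environment -- confirm
      # against the kittybox client if the connection fails.
      jobQueueUri = "postgres://primrose/kittybox";
    };

    # xh is what testScript uses for its HTTP requests.
    environment.systemPackages = with pkgs; [ xh ];

    virtualisation.fileSystems."/srv" = {
      fsType = "nfs";
      options = [ "vers=4" ];
      device = "primrose:/";
    };

    systemd.services.kittybox = {
      # Tie the service to the NFS mount so it never runs against an empty
      # local /srv if the mount fails or goes away.
      bindsTo = [ "srv.mount" ];
      after = [ "srv.mount" ];
      # Plain-text password in the unit environment; fine for a throwaway VM
      # test, but note it is readable by anyone who can inspect the unit.
      environment.PGPASSWORD = pgPassword;
      serviceConfig = {
        # The upstream module uses DynamicUser; a stable uid is needed so files
        # written to the shared export have the same owner on every node.
        DynamicUser = lib.mkForce false;
        User = "kittybox";
        Group = "kittybox";
        ReadWritePaths = [ "/srv/kittybox" ];
      };
    };
  };
in
{
  name = "kittybox-distributed";

  nodes = {
    # Storage and database host.
    primrose = { config, pkgs, lib, ... }: {
      imports = [ commonModule ];

      services.nfs.server = {
        enable = true;
        createMountPoints = true;
        # fsid=0 makes /srv the NFSv4 pseudo-root, which is why the clients
        # mount "primrose:/". no_root_squash lets root on a client act as root
        # on the export; the export is limited to the test subnet.
        exports = ''
          /srv 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
        '';
      };

      # Pre-create the data directories owned by the shared kittybox uid.
      systemd.tmpfiles.rules = [
        "d /srv/kittybox 1750 kittybox root -"
        "d /srv/kittybox/data 1750 kittybox root -"
        "d /srv/kittybox/media 1750 kittybox root -"
      ];

      services.postgresql = {
        enable = true;
        enableTCPIP = true;
        initialScript = pkgs.writeText "init-sql-script" ''
          CREATE USER kittybox WITH LOGIN PASSWORD '${pgPassword}';
          CREATE DATABASE kittybox;
          GRANT ALL PRIVILEGES ON DATABASE kittybox TO kittybox;
        '';
        # Priority 10 replaces the module's default pg_hba entries outright.
        authentication = lib.mkOverride 10 ''
          # type database DBuser origin-address auth-method
          local all all trust
          # This is not exactly a good config. It would be better to use TLS and harden this line.
          # But it'll work for the purpose of this test, as we only need a job queue.
          # (And possibly for posts, too, though historically this test exists to demonstrate shared
          # storage behavior with the file backend over NFS, which is simpler than Postgres)
          host all all all scram-sha-256
        '';
      };

      # Has no effect while commonModule disables the firewall; kept as a
      # record of the port the other nodes connect to.
      networking.firewall.allowedTCPPorts = [ 5432 ];
    };

    # The kittybox instances; identical apart from their host names.
    longiflorum = { imports = [ kittyboxModule ]; };
    amaranthus = { imports = [ kittyboxModule ]; };
    hydrangea = { imports = [ kittyboxModule ]; };
  };

  # The storage host is brought up (and waited for) before start_all() so the
  # export exists when the kittybox nodes try to mount /srv at boot. Onboarding
  # is done on one node only; the final loop checks the result is visible on
  # all of them through the shared file backend.
  testScript = ''
    primary = primrose;
    servants = [longiflorum, amaranthus, hydrangea];
    primary.wait_for_unit("nfs-server")
    primary.succeed("systemctl start network-online.target")
    primary.wait_for_unit("network-online.target")
    start_all()
    for machine in servants:
        machine.wait_for_open_port(8080)
    # Onboarding
    servants[0].copy_from_host("${./onboarding.json}", "/root/onboarding.json")
    servants[0].succeed("xh --follow http://localhost:8080/.kittybox/onboarding -j @/root/onboarding.json")
    # Check that all machines got this address onboarded
    for machine in servants:
        machine.succeed("xh http://localhost:8080/ | grep 'vestige of the past long gone'")
  '';
}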