nixos: backend server

nixos/backend/backend.nix

@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./db.nix
+    ./fic-admin.nix
+    ./fic-backend.nix
+    ./fic-dashboard.nix
+    ./fic-evdist.nix
+    ./fic-synchro.nix
+  ];
+
+  config.sops = {
+    defaultSopsFile = ../secrets/phobos.yml; # We are currently in /nix/store/...-source/backend/
+    secrets.phobos_ssh = { mode = "0400"; };
+    # You may need to manualy remove `/run/secrets` if modified
+  };
+
+  config.system.activationScripts = {
+    # Create /var/lib/fic/** directories
+    makeFicDirs = lib.stringAfter [ "var" ] ''
+      mkdir -p /var/lib/fic/dashboard;
+      mkdir -p /var/lib/fic/files;
+      mkdir -p /var/lib/fic/pki;
+      mkdir -p /var/lib/fic/raw_files;
+      mkdir -p /var/lib/fic/settings;
+      mkdir -p /var/lib/fic/settingsdist;
+      mkdir -p /var/lib/fic/ssh;
+      mkdir -p /var/lib/fic/submissions;
+      mkdir -p /var/lib/fic/sync;
+      mkdir -p /var/lib/fic/teams;
+      mkdir -p /var/log/frontend;
+    '';
+    # Create docker network
+    createDockerNetworkPhobos =
+      let
+        docker = config.virtualisation.oci-containers.backend;
+        dockerBin = "${pkgs.${docker}}/bin/${docker}";
+      in
+      ''
+        ${dockerBin} network inspect phobos-lan >/dev/null 2>&1 \
+          || ${dockerBin} network create phobos-lan --subnet 172.18.0.0/24
+      '';
+  };
+
+  config = {
+    networking.hostName = "phobos";
+
+    # This is needed to install fic related pkgs
+    nixpkgs.config.allowUnfree = true;
+
+    # To switch, remove `phobos-lan` from the networks before running nixos-rebuild
+    # ```
+    # ${dockerBin} network rm phobos-lan
+    # ```
+    virtualisation.docker.enable = true;
+    virtualisation.podman.enable = false;
+    virtualisation.oci-containers.backend = "docker";
+  };
+}

nixos/backend/db.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+{
+  config.virtualisation.oci-containers.containers.mariadb = {
+    image = "mariadb:latest";
+    cmd = [
+      "/bin/bash"
+      "/usr/local/bin/docker-entrypoint.sh"
+      "mysqld"
+    ];
+    ports = [ "3306:3306" ];
+    extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.42" ];
+    environment = {
+      MYSQL_DATABASE = "fic";
+      MYSQL_USER = "fic";
+      MYSQL_PASSWORD = "fic";
+      MYSQL_RANDOM_ROOT_PASSWORD = "yes";
+    };
+    volumes = [
+      "/etc/hosts:/etc/hosts:ro"
+      "/etc/mysql/conf.d:/etc/mysql/conf.d:ro"
+      "/var/lib/fic/mysql:/var/lib/mysql"
+    ];
+  };
+}

nixos/backend/fic-admin.nix

@@ -0,0 +1,40 @@
+{ config, inputs, pkgs, ... }:
+{
+  config.virtualisation.oci-containers.containers.fic-admin = {
+    image = "fic-admin:latest";
+    imageFile = pkgs.dockerTools.buildImage {
+      name = "fic-admin";
+      tag = "latest";
+      created = "now";
+      config = {
+        Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-admin}/bin/admin" ];
+      };
+    };
+    autoStart = true;
+    cmd = [
+      "${inputs.ficpkgs.packages.x86_64-linux.fic-admin}/bin/admin"
+      "-4real"
+      "-bind=0.0.0.0:8081"
+      "-baseurl=/admin/"
+      "-localimport=/mnt/fic"
+      "-timestampCheck=/srv/submissions"
+    ];
+    ports = [ "8081:8081" ];
+    extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.40" ];
+    environment = {
+      MYSQL_HOST = "db";
+      FICCA_PASS = "jee8AhloAith1aesCeQu5ahgIegaeM4K";
+    };
+    volumes = [
+      "/etc/hosts:/etc/hosts:ro"
+      "/var/lib/fic/raw_files:/mnt/fic"
+      "/var/lib/fic/dashboard:/srv/DASHBOARD"
+      "/var/lib/fic/files:/srv/FILES"
+      "/var/lib/fic/pki:/srv/PKI"
+      "/var/lib/fic/teams:/srv/TEAMS"
+      "/var/lib/fic/settings:/srv/SETTINGS"
+      "/var/lib/fic/sync:/srv/SYNC"
+      "/var/lib/fic/submissions:/srv/submissions:ro"
+    ];
+  };
+}

nixos/backend/fic-backend.nix

@@ -0,0 +1,26 @@
+{ config, inputs, pkgs, ... }:
+{
+  config.virtualisation.oci-containers.containers.fic-backend = {
+    image = "fic-backend:latest";
+    imageFile = pkgs.dockerTools.buildImage {
+      name = "fic-backend";
+      tag = "latest";
+      created = "now";
+      config = {
+        Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-backend}/bin/backend" ];
+      };
+    };
+    autoStart = true;
+    environment = {
+      MYSQL_HOST = "db";
+    };
+    workdir = "/srv";
+    extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.41" ];
+    volumes = [
+      "/etc/hosts:/etc/hosts:ro"
+      "/var/lib/fic/teams:/srv/TEAMS"
+      "/var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro"
+      "/var/lib/fic/submissions:/srv/submissions"
+    ];
+  };
+}

nixos/backend/fic-dashboard.nix

@@ -0,0 +1,28 @@
+{ config, inputs, pkgs, ... }:
+{
+  config.virtualisation.oci-containers.containers.fic-dashboard = {
+    image = "fic-dashboard:latest";
+    imageFile = pkgs.dockerTools.buildImage {
+      name = "fic-dashboard";
+      tag = "latest";
+      created = "now";
+      config = {
+        Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-dashboard}/bin/dashboard" ];
+      };
+    };
+    autoStart = true;
+    cmd = [
+      "${inputs.ficpkgs.packages.x86_64-linux.fic-dashboard}/bin/dashboard"
+      "-bind=:8082"
+      "-restrict-to-ips=/srv/DASHBOARD/restricted-ips.json"
+    ];
+    ports = [ "8082:8082" ];
+    volumes = [
+      "/etc/hosts:/etc/hosts:ro"
+      "/var/lib/fic/dashboard:/srv/DASHBOARD:ro"
+      "/var/lib/fic/files:/srv/FILES:ro"
+      "/var/lib/fic/teams:/srv/TEAMS:ro"
+      "/var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro"
+    ];
+  };
+}

nixos/backend/fic-evdist.nix

@@ -0,0 +1,21 @@
+{ config, inputs, pkgs, ... }:
+{
+  config.virtualisation.oci-containers.containers.fic-evdist = {
+    image = "fic-evdist:latest";
+    imageFile = pkgs.dockerTools.buildImage {
+      name = "fic-evdist";
+      tag = "latest";
+      created = "now";
+      config = {
+        Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-evdist}/bin/evdist" ];
+      };
+    };
+    autoStart = true;
+    workdir = "/srv";
+    volumes = [
+      "/etc/hosts:/etc/hosts:ro"
+      "/var/lib/fic/settings:/srv/SETTINGS"
+      "/var/lib/fic/settingsdist:/srv/SETTINGSDIST"
+    ];
+  };
+}

nixos/backend/fic-synchro.nix

@@ -0,0 +1,39 @@
+{ config, inputs, pkgs, ... }:
+{
+  config.virtualisation.oci-containers.containers.fic-synchro =
+    {
+      image = "fic-synchro:latest";
+      imageFile = pkgs.dockerTools.buildImage {
+        name = "fic-synchro";
+        tag = "latest";
+        created = "now";
+        copyToRoot = pkgs.buildEnv {
+          name = "packagelist";
+          paths = [ pkgs.coreutils pkgs.openssh pkgs.rsync ];
+        };
+        config = {
+          Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-synchro}/bin/synchro" ];
+        };
+        runAsRoot = ''
+          #!${pkgs.runtimeShell}
+          ${pkgs.dockerTools.shadowSetup}
+          mkdir -p /tmp/
+          chmod a+rwx /tmp/
+        '';
+      };
+      autoStart = true;
+      extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.43" ];
+      volumes = [
+        "/etc/hosts:/etc/hosts:ro"
+        "/var/lib/fic/ssh:/etc/ssh:ro"
+        "${config.sops.secrets.phobos_ssh.path}:/root/.ssh/id_ed25519:ro"
+        "/var/lib/fic/files:/srv/FILES:ro"
+        #"/var/lib/fic/pki/ca.key:/srv/PKI/ca.key:ro"
+        "/var/lib/fic/pki/shared:/srv/PKI/shared:ro"
+        "/var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro"
+        "/var/lib/fic/submissions:/srv/submissions"
+        "/var/lib/fic/teams:/srv/TEAMS:ro"
+        "/var/log/frontend:/var/log/frontend"
+      ];
+    };
+}