initial commit
drsk0 committed Mar 31, 2022
0 parents commit 0ecc305
Showing 185 changed files with 11,614 additions and 0 deletions.
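--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,8 @@
+use_flake() {
+ulimit -s 50000
+watch_file flake.nix
+watch_file flake.lock
+eval "$(nix -L print-dev-env --profile "$(direnv_layout_dir)/flake-profile")"
+}
+
+use flake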
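Review bot: The `use_flake` defined here shadows the `use_flake` that direnv's own stdlib ships in recent releases, and nothing in the file says why the override exists — presumably for the `ulimit -s 50000` and for pinning the dev environment to a profile under the direnv layout dir. A one-line comment above the function, `# Overrides direnv's builtin use_flake: raises the stack limit and keeps the dev env in a direnv-managed profile`, would stop the next reader from deleting it as redundant. If the stack-limit bump is for a specific tool, naming it in that comment would help too.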
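--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary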
Binary file not shown.
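--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+secrets/** filter=git-crypt diff=git-crypt
+ui/android/key.properties filter=git-crypt diff=git-crypt
+deployment/.lego/** filter=git-crypt diff=git-crypt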
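--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,10 @@
+/.daml
+dist-newstyle
+result
+log/*
+state/*
+src/state/*
+src/db/*
+src/service-account.json
+.direnv/*
+result-doc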
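--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2015 Ian Hellström
+Copyright (c) 2016 Harris Brakmic
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.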
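--- a/README.md
+++ b/README.md
@@ -0,0 +1,4 @@
+Swarm
+=====
+
+A platform for making decissions together. See https://swarmapp.org.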
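--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1 @@
+TODO remove firebase_options.dart from git index.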
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
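--- a/deployment/backend.nix
+++ b/deployment/backend.nix
@@ -0,0 +1,122 @@
+{ config, pkgs, lib, domain, swarm, ... }:
+let
+projectConfig = import ./config.nix;
+inherit (lib) fileContents;
+in
+{
+
+# deployment on digital ocean
+deployment = {
+targetEnv = "droplet";
+droplet.enableIpv6 = true;
+droplet.region = projectConfig.serverRegion;
+droplet.size = projectConfig.serverSize;
+keys = {
+service-account-json = {
+text = fileContents ../secrets/swarm-90059-firebase-adminsdk-s0gjo-30c54e4045.json;
+user = "swarm";
+group = "swarm";
+permissions = "0640";
+};
+acme-dns-creds = {
+text = fileContents ../secrets/godaddy-api-creds;
+user = "acme";
+group = "acme";
+permissions = "0640";
+};
+};
+};
+
+environment.systemPackages = [ pkgs.neovim pkgs.zenith pkgs.tmux ];
+networking.firewall.allowedTCPPorts = [ 22 443 ];
+# networking.firewall.allowedUDPPortRanges = [ {from=0; to=65535;} ];
+
+imports = [./swarm-service.nix];
+
+# ssh
+services.openssh = {
+enable = true;
+challengeResponseAuthentication = false;
+passwordAuthentication = true; # originally true
+permitRootLogin = "yes";
+};
+
+users.groups.acme.members = [ "nginx" ];
+users.users.swarm.group = "swarm";
+users.groups.swarm = {};
+
+security.acme = {
+acceptTerms = true;
+email = "admin+acme@${domain}";
+certs."${domain}" = {
+domain = "*.${domain}";
+extraDomainNames = [ domain ];
+dnsProvider = "godaddy";
+credentialsFile = "/run/keys/acme-dns-creds";
+dnsPropagationCheck = true;
+};
+};
+
+# nginx
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+virtualHosts."${domain}" = {
+useACMEHost = domain;
+forceSSL = true;
+root = config.nixpkgs.pkgs.site;
+locations."/api/query" = {
+proxyPass = "http://127.0.0.1:8000";
+# extraConfig = ''
+# proxy_read_timeout 300s;
+# proxy_connect_timeout 75s;
+# '';
+};
+locations."/api/subscribe" = {
+proxyWebsockets = true;
+proxyPass = "http://127.0.0.1:8000";
+# extraConfig = ''
+# proxy_read_timeout 300s;
+# proxy_connect_timeout 75s;
+# '';
+# extraConfig = ''
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+
+# proxy_pass_header Authorization;
+# proxy_pass_header Swarm;
+
+# proxy_http_version 1.1;
+# proxy_set_header Connection "upgrade";
+# proxy_set_header Upgrade $http_upgrade;
+# '';
+};
+# extraConfig = "error_page 404 /404.html;";
+};
+};
+
+# fail2ban
+services.fail2ban.enable=true;
+services.fail2ban.jails.ssh-iptables2 = ''
+filter = sshd[mode=aggressive]
+action = iptables-multiport[name=SSH, port="22", protocol=tcp]
+maxretry = 10
+'';
+services.fail2ban.jails.nginx-botsearch = ''
+filter = nginx-botsearch
+action = iptables-multiport[name=NGINXBOT, port="443", protocol=tcp]
+'';
+services.fail2ban.jails.nginx-http-auth = ''
+filter = nginx-http-auth
+action = iptables-multiport[name=NGINXAUTH, port="443", protocol=tcp]
+'';
+
+services.swarm = {
+enable = true;
+port = 8000;
+serviceAccountJsonPath = "/run/keys/service-account-json";
+package = swarm;
+};
+}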
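Review bot: The `services.openssh` block sets `passwordAuthentication = true` and `permitRootLogin = "yes"` on a host whose firewall exposes port 22 to the internet (`networking.firewall.allowedTCPPorts = [ 22 443 ]`); the `ssh-iptables2` jail with `maxretry = 10` slows password guessing but does not remove the exposure, and the `# originally true` comment reads as if hardening was intended and not finished. Since the `droplet` target is presumably provisioned and deployed with an SSH key, the safer pair is `passwordAuthentication = false;` and `permitRootLogin = "prohibit-password";` (or `"no"` if root is not the deploy user). If password login is deliberately kept for console-style recovery, a comment stating that decision would keep the next reader from treating it as an oversight.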
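--- a/deployment/config.nix
+++ b/deployment/config.nix
@@ -0,0 +1,6 @@
+{
+serverRegion = "ams3";
+serverSize = "s-1vcpu-1gb";
+hostName = "swarm"; # can be bogus
+authToken = builtins.readFile ./do-token.txt;
+}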
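Review bot: `authToken = builtins.readFile ./do-token.txt;` reads the DigitalOcean API token from `deployment/do-token.txt`, a path that neither the git-crypt patterns in `.gitattributes` (`secrets/**`, `ui/android/key.properties`, `deployment/.lego/**`) nor any `.gitignore` entry covers, so the token lands in the repository in plaintext as soon as the file is added. Either keep it under the already-encrypted tree and read `../secrets/do-token.txt`, or add `deployment/do-token.txt filter=git-crypt diff=git-crypt` to `.gitattributes`. Note too that `builtins.readFile` pulls the token into the Nix evaluation; whether it reaches the world-readable store depends on how the deployment tool consumes `authToken`, which is worth confirming.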
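--- a/deployment/swarm-service.nix
+++ b/deployment/swarm-service.nix
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+projectConfig = import ./config.nix;
+cfg = config.services.swarm;
+in
+{
+options = {
+services.swarm = {
+
+package = mkOption {
+type = types.package;
+default = pkgs.swarm;
+defaultText = "pkgs.swarm";
+description = ''
+The swarm backend server.
+'';
+};
+
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to run the swarm backend.
+'';
+};
+
+port = mkOption {
+type = types.port;
+default = 8000;
+description = ''
+The port where the swarm API will be served.
+'';
+};
+
+serviceAccountJsonPath = mkOption {
+type = types.nullOr types.path;
+default = "/run/keys/service-account-json";
+example = "/run/keys/service-account-json";
+description = ''
+Path to firebase service account .json file.
+'';
+};
+
+};
+};
+
+config = mkIf cfg.enable {
+
+# swarm user
+users.users.swarm = {
+isSystemUser = true;
+description = "The swarm system user";
+extraGroups = [ "swarm" "wheel" ];
+};
+users.groups.swarm = {
+};
+
+systemd.services.swarm =
+{
+description = "swarm backend server";
+wantedBy = [ "multi-user.target" ];
+wants = [ ];
+after = [ "network.target" ];
+serviceConfig =
+{
+User = "swarm";
+Group = "swarm";
+ExecStart = ''
+${cfg.package}/bin/swarm \
+--port=${toString cfg.port} \
+--db=/run/swarm/db \
+--access-log=/var/log/swarm/access.log \
+--error-log=/var/log/swarm/error.log \
+--service-account-file=${cfg.serviceAccountJsonPath}
+'';
+# Restart = "on-failure";
+# RestartSec = "2s";
+LogsDirectory = "swarm";
+RuntimeDirectory = ["swarm" "keys"];
+RuntimeDirectoryPreserve = true;
+
+# Shut down swarm using SIGINT
+KillSignal = "SIGINT";
+KillMode = "mixed";
+
+# Give swarm a decent amount of time to clean up after
+# receiving systemd's SIGINT.
+TimeoutSec = 20;
+};
+};
+};
+}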
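Review bot: `users.users.swarm` is declared as a system user for the backend but gets `extraGroups = [ "swarm" "wheel" ]`; `wheel` membership makes the service account sudo-eligible for no purpose visible in this module, so a compromise of the HTTP backend on `cfg.port` becomes a step toward root. `extraGroups = [ "swarm" ];` keeps the least-privilege intent of `isSystemUser = true`. Separately, `--db=/run/swarm/db` puts the database under `RuntimeDirectory`, i.e. on `/run`, which is a tmpfs on NixOS; `RuntimeDirectoryPreserve = true` keeps it across service restarts but not reboots, so if this is the persistent store it belongs under `StateDirectory = "swarm";` with `--db=/var/lib/swarm/db`. The `serviceAccountJsonPath` option is typed `nullOr`, yet `${cfg.serviceAccountJsonPath}` in `ExecStart` would fail evaluation for `null`, so either drop `nullOr` or guard the flag with `optionalString`.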