From 374a17e6fc3d498ad0651bfb47828990124fe66f Mon Sep 17 00:00:00 2001 From: m3tam3re Date: Mon, 7 Apr 2025 19:45:20 +0200 Subject: [PATCH] +experimental pangolin config for m3-atlas --- flake.lock | 30 +-- home/features/desktop/coding.nix | 2 +- .../m3-atlas/services/containers/default.nix | 1 + .../m3-atlas/services/containers/pangolin.nix | 211 ++++++++++++++++++ .../services/containers/restreamer.nix | 2 +- hosts/m3-atlas/services/traefik.nix | 2 +- 6 files changed, 230 insertions(+), 18 deletions(-) create mode 100644 hosts/m3-atlas/services/containers/pangolin.nix diff --git a/flake.lock b/flake.lock index 1238986..566259e 100644 --- a/flake.lock +++ b/flake.lock @@ -151,11 +151,11 @@ ] }, "locked": { - "lastModified": 1743136572, - "narHash": "sha256-uwaVrKgi6g1TUq56247j6QvvFtYHloCkjCrEpGBvV54=", + "lastModified": 1743360001, + "narHash": "sha256-HtpS/ZdgWXw0y+aFdORcX5RuBGTyz3WskThspNR70SM=", "owner": "nix-community", "repo": "home-manager", - "rev": "1efd2503172016a6742c87b47b43ca2c8145607d", + "rev": "b6fd653ef8fbeccfd4958650757e91767a65506d", "type": "github" }, "original": { @@ -192,11 +192,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1743151945, - "narHash": "sha256-CJdaROeW3mAjHObi4QejArDAOOOc/e9hQ121mx+y4JQ=", + "lastModified": 1743311006, + "narHash": "sha256-LfKnTg1Ic17d5yPIqmMQyyHTKjMC4a82/zLdKmooayE=", "owner": "Jas-SinghFSU", "repo": "HyprPanel", - "rev": "b6b58edf76b3f4c30bca96a403efbbc5c975e56e", + "rev": "3bcd3c4710fc025bbe403948f10c3922a8bf5193", "type": "github" }, "original": { @@ -255,11 +255,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1743156314, - "narHash": "sha256-FytnGAiNOTKQL4lreFtsSe8P3HJQKBo5eWVfAF1k83Y=", + "lastModified": 1743402453, + "narHash": "sha256-KShquKhKlxOsqxd3yofVHckR0Tla9IAxwSTUTxk1biw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cf8998e8de1e7aee37aa67cb8d8ba4e95d133e2e", + "rev": "49ca8bcb4d7637abc0318918a7f461fb7415c7b5", "type": "github" }, "original": { 
@@ -271,11 +271,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1742937945, - "narHash": "sha256-lWc+79eZRyvHp/SqMhHTMzZVhpxkRvthsP1Qx6UCq0E=", + "lastModified": 1743231893, + "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d02d88f8de5b882ccdde0465d8fa2db3aa1169f7", + "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6", "type": "github" }, "original": { @@ -303,11 +303,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1742889210, - "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=", + "lastModified": 1743315132, + "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "698214a32beb4f4c8e3942372c694f40848b360d", + "rev": "52faf482a3889b7619003c0daec593a1912fddc1", "type": "github" }, "original": { diff --git a/home/features/desktop/coding.nix b/home/features/desktop/coding.nix index f73688d..3be93d6 100644 --- a/home/features/desktop/coding.nix +++ b/home/features/desktop/coding.nix @@ -21,7 +21,7 @@ in { userSettings = { features = { inline_prediction_provider = "zed"; - inline_completion_provider = "zed"; + edit_prediction_provider = "zed"; copilot = false; }; telemetry = { diff --git a/hosts/m3-atlas/services/containers/default.nix b/hosts/m3-atlas/services/containers/default.nix index 6489a82..da64c3f 100644 --- a/hosts/m3-atlas/services/containers/default.nix +++ b/hosts/m3-atlas/services/containers/default.nix @@ -5,6 +5,7 @@ ./littlelink.nix ./matomo.nix ./n8n.nix + # ./pangolin.nix ./restreamer.nix ./slash.nix ]; diff --git a/hosts/m3-atlas/services/containers/pangolin.nix b/hosts/m3-atlas/services/containers/pangolin.nix new file mode 100644 index 0000000..0bf5a34 --- /dev/null +++ b/hosts/m3-atlas/services/containers/pangolin.nix 
@@ -0,0 +1,211 @@ +{ + config, + pkgs, + lib, + ... +}: let + # Define the Pangolin configuration as a Nix attribute set + pangolinConfig = { + app = { + dashboard_url = "https://vpn.m3tam3re.com"; + log_level = "info"; + save_logs = false; + }; + + domains = { + vpn = { + base_domain = "m3tam3re.com"; + cert_resolver = "godaddy"; + prefer_wildcard_cert = false; + }; + }; + + server = { + external_port = 3000; + internal_port = 3001; + next_port = 3002; + internal_hostname = "pangolin"; + session_cookie_name = "p_session_token"; + resource_access_token_param = "p_token"; + resource_session_request_param = "p_session_request"; + }; + + traefik = { + cert_resolver = "godaddy"; + http_entrypoint = "web"; + https_entrypoint = "websecure"; + }; + + gerbil = { + start_port = 51820; + base_endpoint = "vpn.m3tam3re.com"; + use_subdomain = false; + block_size = 24; + site_block_size = 30; + subnet_group = "100.89.137.0/20"; + }; + + rate_limits = { + global = { + window_minutes = 1; + max_requests = 100; + }; + }; + + email = { + smtp_host = config.age.secrets.smtp-host.path; + smtp_port = 587; + smtp_user = config.age.secrets.smtp-user.path; + smtp_pass = config.age.secrets.smtp-pass.path; + no_reply = config.age.secrets.smtp-user.path; + }; + + users = { + server_admin = { + email = "admin@m3tam3re.com"; + password = config.age.secrets.pangolin-admin-password.path; + }; + }; + + flags = { + require_email_verification = true; + disable_signup_without_invite = true; + disable_user_create_org = true; + allow_raw_resources = true; + allow_base_domain_resources = true; + }; + }; + + # Convert Nix attribute set to YAML using a simpler approach + pangolinConfigYaml = pkgs.writeTextFile { + name = "config.yml"; + text = lib.generators.toYAML {} pangolinConfig; + }; +in { + # Define the containers + virtualisation.oci-containers.containers = { + "pangolin" = { + image = "fosrl/pangolin:1.1.0"; + autoStart = true; + volumes = [ + "${pangolinConfigYaml}:/app/config/config.yml:ro" # 
Mount the config file directly + "pangolin_config:/app/config/data" # Volume for persistent data + ]; + ports = [ + "127.0.0.1:3020:3001" # API server + "127.0.0.1:3021:3002" # Next.js server + "127.0.0.1:3022:3000" # API/WebSocket server + ]; + extraOptions = ["--ip=10.89.0.20" "--network=web"]; + }; + + "gerbil" = { + image = "fosrl/gerbil:1.0.0"; + autoStart = true; + volumes = [ + "pangolin_config:/var/config" # Share the volume for persistent data + ]; + cmd = [ + "--reachableAt=http://gerbil:3003" + "--generateAndSaveKeyTo=/var/config/key" + "--remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config" + "--reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth" + ]; + ports = [ + "51820:51820/udp" # WireGuard port + ]; + extraOptions = [ + "--ip=10.89.0.21" + "--network=web" + "--cap-add=NET_ADMIN" + "--cap-add=SYS_MODULE" + ]; + }; + }; + + # Secrets for Pangolin + # age.secrets = { + # "smtp-host" = { + # file = ../secrets/smtp-host.age; + # owner = "root"; + # group = "root"; + # mode = "0400"; + # }; + # "smtp-user" = { + # file = ../secrets/smtp-user.age; + # owner = "root"; + # group = "root"; + # mode = "0400"; + # }; + # "smtp-pass" = { + # file = ../secrets/smtp-pass.age; + # owner = "root"; + # group = "root"; + # mode = "0400"; + # }; + # "pangolin-admin-password" = { + # file = ../secrets/pangolin-admin-password.age; + # owner = "root"; + # group = "root"; + # mode = "0400"; + # }; + # }; + + # Traefik configuration for Pangolin + services.traefik.dynamicConfigOptions = { + http = { + # Next.js service (front-end) + services.pangolin-next-service.loadBalancer.servers = [ + {url = "http://localhost:3021";} + ]; + + # API service + services.pangolin-api-service.loadBalancer.servers = [ + {url = "http://localhost:3022";} + ]; + + # Routers + routers = { + # Next.js router (handles everything except API paths) + "pangolin-next" = { + rule = "Host(`vpn.m3tam3re.com`) && !PathPrefix(`/api/v1`)"; + service = "pangolin-next-service"; + 
entrypoints = ["websecure"]; + tls = { + certResolver = "godaddy"; + }; + }; + + # API router + "pangolin-api" = { + rule = "Host(`vpn.m3tam3re.com`) && PathPrefix(`/api/v1`)"; + service = "pangolin-api-service"; + entrypoints = ["websecure"]; + tls = { + certResolver = "godaddy"; + }; + }; + }; + }; + }; + + # Add HTTP provider to Traefik for dynamic configuration from Pangolin + services.traefik.staticConfigOptions.providers.http = { + endpoint = "http://localhost:3020/api/v1/traefik-config"; + pollInterval = "5s"; + }; + + # Add experimental section for Badger plugin + services.traefik.staticConfigOptions.experimental = { + plugins = { + #TODO create an overlay for the plugin + badger = { + moduleName = "github.com/fosrl/badger"; + version = "v1.0.0"; + }; + }; + }; + + # Firewall configuration for WireGuard + networking.firewall.allowedUDPPorts = [51820]; # WireGuard port +} diff --git a/hosts/m3-atlas/services/containers/restreamer.nix b/hosts/m3-atlas/services/containers/restreamer.nix index 4a86875..640462b 100644 --- a/hosts/m3-atlas/services/containers/restreamer.nix +++ b/hosts/m3-atlas/services/containers/restreamer.nix @@ -70,6 +70,6 @@ # Firewall configuration networking.firewall = { - allowedTCPPorts = [80 443 1935 1945]; + allowedTCPPorts = [1935 1945]; }; } diff --git a/hosts/m3-atlas/services/traefik.nix b/hosts/m3-atlas/services/traefik.nix index dabd529..d25de91 100644 --- a/hosts/m3-atlas/services/traefik.nix +++ b/hosts/m3-atlas/services/traefik.nix @@ -12,7 +12,7 @@ dnsChallenge = { provider = "godaddy"; resolvers = ["1.1.1.1:53" "8.8.8.8:53"]; - propagation.delayBeforeChecks = 60; + propagation.delayBeforeChecks = 120; }; }; };
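Review bot: In the `email` and `users.server_admin` sections, `smtp_host`, `smtp_user`, `smtp_pass`, `no_reply` and `password` are set to `config.age.secrets.<name>.path`, which is the host-side path of the decrypted secret file, so `lib.generators.toYAML` will write that path string into config.yml as the literal value, and the container could not read the file anyway since only `${pangolinConfigYaml}` is mounted. Inlining the secret contents instead would leak them, because `pkgs.writeTextFile` puts the rendered config in the world-readable Nix store; a safer pattern is to keep placeholders in the store-side template and have an `ExecStartPre`/`preStart` step substitute the secret file contents into a runtime copy under `/run` (mode 0400) that is what gets mounted. Note also that the `age.secrets` declarations are commented out in this file, so `config.age.secrets.smtp-host` will fail to evaluate unless it is declared elsewhere. Separately, `--cap-add=SYS_MODULE` on the gerbil container allows loading arbitrary kernel modules, which is effectively host root; since WireGuard is an in-tree module, loading it on the host with `boot.kernelModules = ["wireguard"];` and keeping only `NET_ADMIN` avoids granting it.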
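Review bot: Dropping 80 and 443 from restreamer's `allowedTCPPorts` leaves the host relying on another module to open them for Traefik, and that module is not in this diff (the traefik.nix hunk here only changes `delayBeforeChecks`); if nothing else opens them, the reverse proxy becomes unreachable after this change. A comment such as `# 80/443 are opened by the traefik module` on the remaining line would record the intent. The `networking.firewall` attribute set closes in the hunk, but the surrounding module body starts outside it.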