+experimental pangolin config for m3-atlas

2025-04-07 19:45:20 +02:00 · 2025-04-07 19:45:20 +02:00 · 374a17e6fc
commit 374a17e6fc
parent b1e1a95a1c
6 changed files with 230 additions and 18 deletions
--- a/flake.lock
+++ b/flake.lock
@ -151,11 +151,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743136572,
-        "narHash": "sha256-uwaVrKgi6g1TUq56247j6QvvFtYHloCkjCrEpGBvV54=",
+        "lastModified": 1743360001,
+        "narHash": "sha256-HtpS/ZdgWXw0y+aFdORcX5RuBGTyz3WskThspNR70SM=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1efd2503172016a6742c87b47b43ca2c8145607d",
+        "rev": "b6fd653ef8fbeccfd4958650757e91767a65506d",
        "type": "github"
      },
      "original": {
@ -192,11 +192,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1743151945,
-        "narHash": "sha256-CJdaROeW3mAjHObi4QejArDAOOOc/e9hQ121mx+y4JQ=",
+        "lastModified": 1743311006,
+        "narHash": "sha256-LfKnTg1Ic17d5yPIqmMQyyHTKjMC4a82/zLdKmooayE=",
        "owner": "Jas-SinghFSU",
        "repo": "HyprPanel",
-        "rev": "b6b58edf76b3f4c30bca96a403efbbc5c975e56e",
+        "rev": "3bcd3c4710fc025bbe403948f10c3922a8bf5193",
        "type": "github"
      },
      "original": {
@ -255,11 +255,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1743156314,
-        "narHash": "sha256-FytnGAiNOTKQL4lreFtsSe8P3HJQKBo5eWVfAF1k83Y=",
+        "lastModified": 1743402453,
+        "narHash": "sha256-KShquKhKlxOsqxd3yofVHckR0Tla9IAxwSTUTxk1biw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "cf8998e8de1e7aee37aa67cb8d8ba4e95d133e2e",
+        "rev": "49ca8bcb4d7637abc0318918a7f461fb7415c7b5",
        "type": "github"
      },
      "original": {
@ -271,11 +271,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1742937945,
-        "narHash": "sha256-lWc+79eZRyvHp/SqMhHTMzZVhpxkRvthsP1Qx6UCq0E=",
+        "lastModified": 1743231893,
+        "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d02d88f8de5b882ccdde0465d8fa2db3aa1169f7",
+        "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6",
        "type": "github"
      },
      "original": {
@ -303,11 +303,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1742889210,
-        "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
+        "lastModified": 1743315132,
+        "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
+        "rev": "52faf482a3889b7619003c0daec593a1912fddc1",
        "type": "github"
      },
      "original": {
--- a/home/features/desktop/coding.nix
+++ b/home/features/desktop/coding.nix
@ -21,7 +21,7 @@ in {
      userSettings = {
        features = {
          inline_prediction_provider = "zed";
-          inline_completion_provider = "zed";
+          edit_prediction_provider = "zed";
          copilot = false;
        };
        telemetry = {
--- a/hosts/m3-atlas/services/containers/default.nix
+++ b/hosts/m3-atlas/services/containers/default.nix
@ -5,6 +5,7 @@
    ./littlelink.nix
    ./matomo.nix
    ./n8n.nix
+    # ./pangolin.nix
    ./restreamer.nix
    ./slash.nix
  ];
--- a/hosts/m3-atlas/services/containers/pangolin.nix
+++ b/hosts/m3-atlas/services/containers/pangolin.nix
@ -0,0 +1,211 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  # Define the Pangolin configuration as a Nix attribute set
+  pangolinConfig = {
+    app = {
+      dashboard_url = "https://vpn.m3tam3re.com";
+      log_level = "info";
+      save_logs = false;
+    };
+
+    domains = {
+      vpn = {
+        base_domain = "m3tam3re.com";
+        cert_resolver = "godaddy";
+        prefer_wildcard_cert = false;
+      };
+    };
+
+    server = {
+      external_port = 3000;
+      internal_port = 3001;
+      next_port = 3002;
+      internal_hostname = "pangolin";
+      session_cookie_name = "p_session_token";
+      resource_access_token_param = "p_token";
+      resource_session_request_param = "p_session_request";
+    };
+
+    traefik = {
+      cert_resolver = "godaddy";
+      http_entrypoint = "web";
+      https_entrypoint = "websecure";
+    };
+
+    gerbil = {
+      start_port = 51820;
+      base_endpoint = "vpn.m3tam3re.com";
+      use_subdomain = false;
+      block_size = 24;
+      site_block_size = 30;
+      subnet_group = "100.89.137.0/20";
+    };
+
+    rate_limits = {
+      global = {
+        window_minutes = 1;
+        max_requests = 100;
+      };
+    };
+
+    email = {
+      smtp_host = config.age.secrets.smtp-host.path;
+      smtp_port = 587;
+      smtp_user = config.age.secrets.smtp-user.path;
+      smtp_pass = config.age.secrets.smtp-pass.path;
+      no_reply = config.age.secrets.smtp-user.path;
+    };
+
+    users = {
+      server_admin = {
+        email = "admin@m3tam3re.com";
+        password = config.age.secrets.pangolin-admin-password.path;
+      };
+    };
+
+    flags = {
+      require_email_verification = true;
+      disable_signup_without_invite = true;
+      disable_user_create_org = true;
+      allow_raw_resources = true;
+      allow_base_domain_resources = true;
+    };
+  };
+
+  # Convert Nix attribute set to YAML using a simpler approach
+  pangolinConfigYaml = pkgs.writeTextFile {
+    name = "config.yml";
+    text = lib.generators.toYAML {} pangolinConfig;
+  };
+in {
+  # Define the containers
+  virtualisation.oci-containers.containers = {
+    "pangolin" = {
+      image = "fosrl/pangolin:1.1.0";
+      autoStart = true;
+      volumes = [
+        "${pangolinConfigYaml}:/app/config/config.yml:ro" # Mount the config file directly
+        "pangolin_config:/app/config/data" # Volume for persistent data
+      ];
+      ports = [
+        "127.0.0.1:3020:3001" # API server
+        "127.0.0.1:3021:3002" # Next.js server
+        "127.0.0.1:3022:3000" # API/WebSocket server
+      ];
+      extraOptions = ["--ip=10.89.0.20" "--network=web"];
+    };
+
+    "gerbil" = {
+      image = "fosrl/gerbil:1.0.0";
+      autoStart = true;
+      volumes = [
+        "pangolin_config:/var/config" # Share the volume for persistent data
+      ];
+      cmd = [
+        "--reachableAt=http://gerbil:3003"
+        "--generateAndSaveKeyTo=/var/config/key"
+        "--remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config"
+        "--reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth"
+      ];
+      ports = [
+        "51820:51820/udp" # WireGuard port
+      ];
+      extraOptions = [
+        "--ip=10.89.0.21"
+        "--network=web"
+        "--cap-add=NET_ADMIN"
+        "--cap-add=SYS_MODULE"
+      ];
+    };
+  };
+
+  # Secrets for Pangolin
+  # age.secrets = {
+  #   "smtp-host" = {
+  #     file = ../secrets/smtp-host.age;
+  #     owner = "root";
+  #     group = "root";
+  #     mode = "0400";
+  #   };
+  #   "smtp-user" = {
+  #     file = ../secrets/smtp-user.age;
+  #     owner = "root";
+  #     group = "root";
+  #     mode = "0400";
+  #   };
+  #   "smtp-pass" = {
+  #     file = ../secrets/smtp-pass.age;
+  #     owner = "root";
+  #     group = "root";
+  #     mode = "0400";
+  #   };
+  #   "pangolin-admin-password" = {
+  #     file = ../secrets/pangolin-admin-password.age;
+  #     owner = "root";
+  #     group = "root";
+  #     mode = "0400";
+  #   };
+  # };
+
+  # Traefik configuration for Pangolin
+  services.traefik.dynamicConfigOptions = {
+    http = {
+      # Next.js service (front-end)
+      services.pangolin-next-service.loadBalancer.servers = [
+        {url = "http://localhost:3021";}
+      ];
+
+      # API service
+      services.pangolin-api-service.loadBalancer.servers = [
+        {url = "http://localhost:3022";}
+      ];
+
+      # Routers
+      routers = {
+        # Next.js router (handles everything except API paths)
+        "pangolin-next" = {
+          rule = "Host(`vpn.m3tam3re.com`) && !PathPrefix(`/api/v1`)";
+          service = "pangolin-next-service";
+          entrypoints = ["websecure"];
+          tls = {
+            certResolver = "godaddy";
+          };
+        };
+
+        # API router
+        "pangolin-api" = {
+          rule = "Host(`vpn.m3tam3re.com`) && PathPrefix(`/api/v1`)";
+          service = "pangolin-api-service";
+          entrypoints = ["websecure"];
+          tls = {
+            certResolver = "godaddy";
+          };
+        };
+      };
+    };
+  };
+
+  # Add HTTP provider to Traefik for dynamic configuration from Pangolin
+  services.traefik.staticConfigOptions.providers.http = {
+    endpoint = "http://localhost:3020/api/v1/traefik-config";
+    pollInterval = "5s";
+  };
+
+  # Add experimental section for Badger plugin
+  services.traefik.staticConfigOptions.experimental = {
+    plugins = {
+      #TODO create an overlay for the plugin
+      badger = {
+        moduleName = "github.com/fosrl/badger";
+        version = "v1.0.0";
+      };
+    };
+  };
+
+  # Firewall configuration for WireGuard
+  networking.firewall.allowedUDPPorts = [51820]; # WireGuard port
+}
--- a/hosts/m3-atlas/services/containers/restreamer.nix
+++ b/hosts/m3-atlas/services/containers/restreamer.nix
@ -70,6 +70,6 @@

  # Firewall configuration
  networking.firewall = {
-    allowedTCPPorts = [80 443 1935 1945];
+    allowedTCPPorts = [1935 1945];
  };
 }
--- a/hosts/m3-atlas/services/traefik.nix
+++ b/hosts/m3-atlas/services/traefik.nix
@ -12,7 +12,7 @@
            dnsChallenge = {
              provider = "godaddy";
              resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
-              propagation.delayBeforeChecks = 60;
+              propagation.delayBeforeChecks = 120;
            };
          };
        };