From 8da8f78ea4150561865a757d86c89d6a9defe226 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 27 Nov 2025 11:15:49 +0100 Subject: [PATCH 1/2] trying some stuff --- .../services/persistance/convex/default.nix | 21 +++ .../services/persistance/convex/source.nix | 149 ++++++++++++++++++ packages/convex/default.nix | 59 +++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 4 files changed, 231 insertions(+) create mode 100644 modules/nixos/services/persistance/convex/default.nix create mode 100644 modules/nixos/services/persistance/convex/source.nix create mode 100644 packages/convex/default.nix diff --git a/modules/nixos/services/persistance/convex/default.nix b/modules/nixos/services/persistance/convex/default.nix new file mode 100644 index 0000000..3e01c59 --- /dev/null +++ b/modules/nixos/services/persistance/convex/default.nix @@ -0,0 +1,21 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.persistance.convex; +in +{ + imports = [ ./source.nix ]; + + options.${namespace}.services.persistance.convex = { + enable = mkEnableOption "enable Convex"; + }; + + config = mkIf cfg.enable { + services.convex = { + enable = true; + package = pkgs.${namespace}.convex; + secret = "ThisIsMyAwesomeSecret"; + }; + }; +} diff --git a/modules/nixos/services/persistance/convex/source.nix b/modules/nixos/services/persistance/convex/source.nix new file mode 100644 index 0000000..c56e3ab --- /dev/null +++ b/modules/nixos/services/persistance/convex/source.nix @@ -0,0 +1,149 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types; + + cfg = config.services.convex; + + default_user = "convex"; + default_group = "convex"; +in +{ + options.services.convex = { + enable = mkEnableOption "enable Convex (backend only for now)"; + + package = mkPackageOption pkgs "convex" {}; + + name = lib.mkOption { + type = types.str; + default = "convex"; + description = '' + Name for the instance. + ''; + }; + + secret = lib.mkOption { + type = types.str; + default = ""; + description = '' + Secret for the instance. + ''; + }; + + apiPort = mkOption { + type = types.port; + default = 3210; + description = '' + The TCP port to use for the API. + ''; + }; + + actionsPort = mkOption { + type = types.port; + default = 3211; + description = '' + The TCP port to use for the HTTP actions. + ''; + }; + + dashboardPort = mkOption { + type = types.port; + default = 6791; + description = '' + The TCP port to use for the Dashboard. + ''; + }; + + openFirewall = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + user = lib.mkOption { + type = types.str; + default = default_user; + description = '' + As which user to run the service. + ''; + }; + + group = lib.mkOption { + type = types.str; + default = default_group; + description = '' + As which group to run the service. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.secret != ""; + message = '' + No secret provided for convex + ''; + } + ]; + + users = { + users.${cfg.user} = { + description = "System user for convex service"; + isSystemUser = true; + group = cfg.group; + }; + + groups.${cfg.group} = {}; + }; + + networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ]; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.convex = { + description = "Convex Backend server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}"; + Type = "notify"; + + User = cfg.user; + Group = cfg.group; + + RuntimeDirectory = "convex"; + RuntimeDirectoryMode = "0775"; + StateDirectory = "convex"; + StateDirectoryMode = "0775"; + Umask = "0077"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + LockPersonality = true; + }; + }; + }; +} diff --git a/packages/convex/default.nix b/packages/convex/default.nix new file mode 100644 index 0000000..9dab056 --- /dev/null +++ b/packages/convex/default.nix @@ -0,0 +1,59 @@ +{ + lib, + stdenv, + rustPlatform, + fetchFromGitHub, + + # dependencies + openssl, + pkg-config, + cmake, + llvmPackages, + postgresql, + sqlite, + + #options + dbBackend ? "postgresql", + + ... +}: +rustPlatform.buildRustPackage rec { + pname = "convex"; + version = "2025-08-20-c9b561e"; + + src = fetchFromGitHub { + owner = "get-convex"; + repo = "convex-backend"; + rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555"; + hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0="; + }; + + cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho="; + + cargoBuildFlags = [ + "-p" "local_backend" + "--bin" "convex-local-backend" + ]; + + env = { + LIBCLANG_PATH = "${llvmPackages.libclang}/lib"; + }; + + strictDeps = true; + + # Build-time dependencies + nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ]; + + # Run-time dependencies + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "sqlite") sqlite + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = ""; + + meta = with lib; { + license = licenses.fsl11Asl20; + mainProgram = "convex"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0310818..cb8f9cc 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -185,6 +185,8 @@ # uptime-kuma.enable = true; }; + persistance.convex.enable = true; + security.vaultwarden = { enable = true; database = { From ccef5caba0e9c199408b93a16bbc9cf4e7bbb56e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 27 Nov 2025 11:44:18 +0100 Subject: [PATCH 2/2] feat: improve justfiles --- .just/machine.just | 17 ++++++++++------- .just/vars.just | 47 ++++++++++++++++++++++------------------------ .justfile | 45 +++++++++++++++++++++++++------------------- 3 files changed, 58 insertions(+), 51 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index cbdf345..3e3ba14 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -1,11 +1,14 @@ -@_default: list +set unstable := true +set quiet := true + +_default: list [doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ +list: + ls -1 ../systems/x86_64-linux/ -[no-exit-message] [doc('Update the target machine')] -@update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file +[no-exit-message] +update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/.just/vars.just b/.just/vars.just index d8bd181..230f00c 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,36 +1,33 @@ -set unstable +set unstable := true +set quiet := true base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" -@_default: - just --list +_default: + just --list [doc('list all vars of the target machine')] list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + +edit machine: + sops edit {{ base_path }}/{{ machine }}/secrets.yml + @set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - echo "Done" - -@get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - -@remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + echo "Done" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null +get machine key: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - echo "Done" \ No newline at end of file +remove machine key: + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" diff --git a/.justfile b/.justfile index 3a15d20..1937f04 100644 --- a/.justfile +++ b/.justfile @@ -1,33 +1,40 @@ -@_default: - just --list --list-submodules +_default: + just --list --list-submodules + +set unstable +set quiet -[doc('Manage vars')] mod vars '.just/vars.just' - -[doc('Manage machines')] mod machine '.just/machine.just' [doc('Show information about project')] -@show: - echo "show" +show: + echo "show" [doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" +update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" + +[doc('Rebase branch on main')] +rebase: + git stash -q \ + && git fetch \ + && git rebase origin/main \ + && git stash pop -q + + echo "Done" [doc('Introspection on flake output')] -@select key: - nix eval --json .#{{ key }} | jq . - - +select key: + nix eval --json .#{{ key }} | jq . #=============================================================================================== # Utils -#=============================================================================================== -[no-exit-message] +# =============================================================================================== [no-cd] +[no-exit-message] [private] -@assert condition message: - [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file +assert condition message: + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; }