Update inputs

defaults/backplane-net/default.nix

@@ -1,65 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-let
-  hostName = config.networking.hostName;
-  netName = "backplane";
-  netConfig = config.qois.meta.network.virtual.${netName};
-  hostNetConfig = netConfig.hosts.${hostName};
-  wgDefaultPort = 51825;
-in
-{
-  sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
-
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces."wg-${netName}" = {
-    ips = [ "${hostNetConfig.v4.ip}/${builtins.toString netConfig.v4.prefixLength}" ];
-    listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else wgDefaultPort;
-    privateKeyFile = "/secrets/wireguard/private/${netName}";
-    generatePrivateKeyFile = true;
-  };
-
-  systemd.network.wait-online.ignoredInterfaces = [ "wg-${netName}" ];
-
-  networking.firewall.allowedUDPPorts =
-    if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ wgDefaultPort ];
-
-  # Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
-  services.wgautomesh = {
-    enable = true;
-    gossipSecretFile = builtins.toString config.sops.secrets."wgautomesh/gossip-secret".path;
-    openFirewall = true;
-    logLevel = "info";
-    settings = {
-      interface = "wg-${netName}";
-
-      # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
-      peers =
-        let
-          reachableHosts = lib.filterAttrs (
-            peerHostName: peerConfig: peerHostName != hostName # Not this host
-          ) netConfig.hosts;
-        in
-        lib.mapAttrsToList (_: peerConfig: {
-          address = peerConfig.v4.ip;
-          endpoint =
-            if peerConfig.endpoint != null then
-              with peerConfig.endpoint; "${fqdn}:${builtins.toString port}"
-            else
-              null;
-          pubkey = peerConfig.publicKey;
-        }) reachableHosts;
-    };
-  };
-  systemd.services.wgautomesh =
-    let
-      wgInterface = [ "wireguard-wg-backplane.service" ];
-    in
-    {
-      requires = wgInterface;
-      after = wgInterface;
-    };
-}

flake.lock

@@ -74,11 +74,11 @@
     },
     "nixpkgs-nixos-stable": {
       "locked": {
-        "lastModified": 1733261153,
+        "lastModified": 1733550349,
-        "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=",
+        "narHash": "sha256-NcGumB4Lr6KSDq+nIqXtNA8QwAQKDSZT7N9OTGWbTrs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88",
+        "rev": "e2605d0744c2417b09f8bf850dfca42fcf537d34",
         "type": "github"
       },
       "original": {
@@ -90,11 +90,11 @@
     },
     "nixpkgs-nixos-unstable": {
       "locked": {
-        "lastModified": 1733212471,
+        "lastModified": 1733581040,
-        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
+        "narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
+        "rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01",
         "type": "github"
       },
       "original": {

nixos-configurations/calanda/networking.nix

@@ -7,8 +7,6 @@ let
   getCalandaIp4 = net: net.hosts.calanda.v4.ip;
 in
 {
-  imports = [ ../../defaults/backplane-net ];
-
   networking.hostName = meta.hosts.calanda.hostName;
   networking.domain = "ilanz.fh2.ch";
   networking.enableIPv6 = false; # TODO
@@ -30,6 +28,8 @@ in
     ];
   };
 
+  qois.backplane-net.enable = true;
+
   # TODO: Metaize ips
   services.qois.router = {
     enable = true;

nixos-configurations/cyprianspitz/networking.nix

@@ -6,8 +6,6 @@ in
 {
   networking.hostName = meta.hosts.cyprianspitz.hostName;
 
-  imports = [ ../../defaults/backplane-net ];
-
   networking.useDHCP = false;
   networking.interfaces.enp0s31f6.useDHCP = true;
   networking.interfaces.enp2s0.useDHCP = true;
@@ -77,6 +75,8 @@ in
     # TODO Solve sops dependency porblem: config.sops.secrets."system/initrd-ssh-key".path;
   };
 
+  qois.backplane-net.enable = true;
+
   # Configure this node to be used as an vpn exit node
   qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
   services.tailscale = {

nixos-configurations/lindberg-build/applications/attic.nix

@@ -1,79 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  atticPort = 8080;
-  atticHostname = "attic.qo.is";
-in
-
-{
-
-  services.atticd = {
-    enable = true;
-
-    # Replace with absolute path to your credentials file
-    # generate secret with
-    # nix run system#openssl rand 64 | base64 -w0
-    # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
-    environmentFile = config.sops.secrets."attic/server_token".path;
-
-    settings = {
-      listen = "127.0.0.1:${builtins.toString atticPort}";
-      allowed-hosts = [ "attic.qo.is" ];
-      api-endpoint = "https://attic.qo.is/";
-
-      # Data chunking
-      #
-      # Warning: If you change any of the values here, it will be
-      # difficult to reuse existing chunks for newly-uploaded NARs
-      # since the cutpoints will be different. As a result, the
-      # deduplication ratio will suffer for a while after the change.
-      chunking = {
-        # The minimum NAR size to trigger chunking
-        #
-        # If 0, chunking is disabled entirely for newly-uploaded NARs.
-        # If 1, all NARs are chunked.
-        nar-size-threshold = 64 * 1024; # 64 KiB
-
-        # The preferred minimum size of a chunk, in bytes
-        min-size = 16 * 1024; # 16 KiB
-
-        # The preferred average size of a chunk, in bytes
-        avg-size = 64 * 1024; # 64 KiB
-
-        # The preferred maximum size of a chunk, in bytes
-        max-size = 256 * 1024; # 256 KiB
-      };
-
-      garbage-collection.default-retention-period = "6 months";
-
-      database.url = "postgresql:///atticd?host=/run/postgresql";
-    };
-  };
-
-  imports = [ ../../../defaults/webserver ];
-
-  # Note: Attic cache availability is "best effort", so no artifacts are backed up.
-
-  services.postgresql = {
-    enable = true;
-    ensureDatabases = [ "atticd" ];
-    ensureUsers = [
-      {
-        name = "atticd";
-        ensureDBOwnership = true;
-      }
-    ];
-  };
-
-  services.nginx = {
-    enable = true;
-    clientMaxBodySize = "1g";
-    virtualHosts.${atticHostname} = {
-      kTLS = true;
-      forceSSL = true;
-      enableACME = true;
-
-      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}";
-    };
-  };
-}

nixos-configurations/lindberg-build/applications/default.nix

@@ -1,11 +1,24 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
 
   imports = [
-    ./attic.nix
     ./nixpkgs-cache.nix
   ];
 
   qois.git-ci-runner.enable = true;
+  qois.attic.enable = true;
   qois.postgresql.package = pkgs.postgresql_15;
+
+  # Remove substituters that are hosted on this node, to prevent lockups
+  #  since the current nix implementation is not forgiving with unavailable subsituters.
+  # The qois-infrastructure cache is not needed,
+  #  since the builds are done (and cached) on this host anyway.
+  nix.settings.substituters = lib.mkForce [
+    "https://cache.nixos.org?priority=40"
+  ];
 }

nixos-configurations/lindberg-build/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ../../defaults/base-vm
     ../../defaults/meta
-    ../../defaults/backplane-net
 
     ./applications
     ./backup.nix

nixos-configurations/lindberg-build/networking.nix

@@ -6,6 +6,8 @@
   networking.useDHCP = false;
   networking.interfaces.enp11s0.useDHCP = true;
 
+  qois.backplane-net.enable = true;
+
   networking.firewall.allowedTCPPorts = [
     80
     443

nixos-configurations/lindberg-build/secrets.nix

@@ -1,9 +1,6 @@
 { ... }:
 {
   sops.secrets = {
-    "attic/server_token" = {
-      restartUnits = [ "atticd.service" ];
-    };
     "gitlab-runner/default-registration" = {
       restartUnits = [ "gitlab-runner.service" ];
     };

nixos-configurations/lindberg-nextcloud/default.nix

@@ -2,10 +2,8 @@
 
 {
   imports = [
-    ../../defaults/backplane-net
     ../../defaults/base-vm
     ../../defaults/meta
-    ../../defaults/webserver
     ./applications
     ./backup.nix
     ./secrets.nix
@@ -32,6 +30,8 @@
   networking.useDHCP = false;
   networking.interfaces.enp2s0.useDHCP = true;
 
+  qois.backplane-net.enable = true;
+
   networking.firewall.allowedTCPPorts = [
     80
     443

nixos-configurations/lindberg-webapps/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ../../defaults/base-vm
     ../../defaults/meta
-    ../../defaults/backplane-net
 
     ./applications
     ./disko-config.nix

nixos-configurations/lindberg-webapps/networking.nix

@@ -6,6 +6,8 @@
   networking.useDHCP = false;
   networking.interfaces.enp1s0.useDHCP = true;
 
+  qois.backplane-net.enable = true;
+
   networking.firewall.allowedTCPPorts = [
     80
     443

nixos-configurations/lindberg/networking.nix

@@ -6,8 +6,6 @@ in
 {
   networking.hostName = meta.hosts.lindberg.hostName;
 
-  imports = [ ../../defaults/backplane-net ];
-
   networking.useDHCP = false;
   networking.interfaces.enp5s0.useDHCP = true;
 
@@ -74,6 +72,8 @@ in
     sshPort = 2222;
   };
 
+  qois.backplane-net.enable = true;
+
   # Use this node as vpn exit node
   qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
   services.tailscale = {

nixos-configurations/stompert/default.nix

@@ -6,7 +6,6 @@
 
 {
   imports = [
-    ../../defaults/backplane-net
     ../../defaults/hardware/apu.nix
     ../../defaults/base
     ../../defaults/meta
@@ -52,6 +51,8 @@
   networking.interfaces.enp3s0.useDHCP = true;
   networking.tempAddresses = "disabled";
 
+  qois.backplane-net.enable = true;
+
   # Set your time zone.
   # time.timeZone = "Europe/Amsterdam";
 

nixos-configurations/tierberg/networking.nix

@@ -7,8 +7,6 @@ in
 {
   networking.hostName = meta.hosts.tierberg.hostName;
 
-  imports = [ ../../defaults/backplane-net ];
-
   networking.enableIPv6 = false; # TODO
 
   networking.useDHCP = false;
@@ -21,6 +19,8 @@ in
   ];
   networking.interfaces.enp3s0.useDHCP = true;
 
+  qois.backplane-net.enable = true;
+
   services.qois.luks-ssh = {
     enable = true;
     interface = "eth0";

nixos-modules/qois/attic/default.nix

@@ -0,0 +1,98 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.attic;
+in
+{
+
+  options.qois.attic = {
+    enable = mkEnableOption "Enable attic service";
+    domain = mkOption {
+      description = "Domain for attic server";
+      type = types.str;
+      default = "attic.qo.is";
+    };
+    port = mkOption {
+      description = "Server Port";
+      type = types.numbers.between 1 65536;
+      default = 8080;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets."attic/server_token".restartUnits = [ "atticd.service" ];
+
+    services.atticd = {
+      enable = true;
+
+      # Replace with absolute path to your credentials file
+      # generate secret with
+      # nix run system#openssl rand 64 | base64 -w0
+      # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
+      environmentFile = config.sops.secrets."attic/server_token".path;
+
+      settings = {
+        listen = "127.0.0.1:${toString cfg.port}";
+        allowed-hosts = [ cfg.domain ];
+        api-endpoint = "https://${cfg.domain}/";
+
+        # Data chunking
+        #
+        # Warning: If you change any of the values here, it will be
+        # difficult to reuse existing chunks for newly-uploaded NARs
+        # since the cutpoints will be different. As a result, the
+        # deduplication ratio will suffer for a while after the change.
+        chunking = {
+          # The minimum NAR size to trigger chunking
+          #
+          # If 0, chunking is disabled entirely for newly-uploaded NARs.
+          # If 1, all NARs are chunked.
+          nar-size-threshold = 64 * 1024; # 64 KiB
+
+          # The preferred minimum size of a chunk, in bytes
+          min-size = 16 * 1024; # 16 KiB
+
+          # The preferred average size of a chunk, in bytes
+          avg-size = 64 * 1024; # 64 KiB
+
+          # The preferred maximum size of a chunk, in bytes
+          max-size = 256 * 1024; # 256 KiB
+        };
+
+        garbage-collection.default-retention-period = "6 months";
+
+        database.url = "postgresql:///atticd?host=/run/postgresql";
+      };
+    };
+
+    # Note: Attic cache availability is "best effort", so no artifacts are backed up.
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "atticd" ];
+      ensureUsers = [
+        {
+          name = "atticd";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    services.nginx = {
+      enable = true;
+      clientMaxBodySize = "1g";
+      virtualHosts.${cfg.domain} = {
+        kTLS = true;
+        forceSSL = true;
+        enableACME = true;
+
+        locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+  };
+}

nixos-modules/qois/backplane-net.hosts/default.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.backplane-net.hosts;
+  defaultDomains = attrNames config.qois.loadbalancer.domains;
+  defaultLoadbalancers = [ "lindberg" ];
+in
+{
+
+  options.qois.backplane-net.hosts = {
+    enable = mkOption {
+      default = true;
+      description = "Whether to enable hosts aliases for loadbalanced services. This prevents turnarounds over external networks for these services.";
+      type = types.bool;
+    };
+
+    domains = mkOption {
+      description = "Domains that are hosted by the backplane loadbalancer";
+      type = with types; listOf str;
+      default = defaultDomains;
+    };
+    loadbalancers = mkOption {
+      description = "List of Loadbalancer hostnames as listed in the backplane network";
+      type = with types; listOf str;
+      default = defaultLoadbalancers;
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    networking.hosts = pipe cfg.loadbalancers [
+      (map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip))
+      (flip genAttrs (lb: cfg.domains))
+    ];
+
+  };
+}

nixos-modules/qois/backplane-net/default.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.backplane-net;
+  hostName = config.networking.hostName;
+  netConfig = config.qois.meta.network.virtual.${cfg.netName};
+  hostNetConfig = netConfig.hosts.${hostName};
+  interface = "wg-${cfg.netName}";
+  wgService = [ "wireguard-${interface}.service" ];
+in
+
+{
+  options.qois.backplane-net = {
+    enable = mkEnableOption "Enable backplane server services";
+    netName = mkOption {
+      description = "Network Name";
+      type = types.str;
+      default = "backplane";
+    };
+    domain = mkOption {
+      description = "Domain";
+      type = types.str;
+      default = hostNetConfig;
+    };
+    port = mkOption {
+      description = "Wireguard Default Port";
+      type = types.number;
+      default = 51825;
+    };
+  };
+
+  config = {
+    sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
+
+    networking.wireguard.enable = true;
+    networking.wireguard.interfaces."wg-${cfg.netName}" = {
+      ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
+      listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
+      privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
+      generatePrivateKeyFile = true;
+    };
+
+    systemd.network.wait-online.ignoredInterfaces = [ interface ];
+
+    networking.firewall.allowedUDPPorts =
+      if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
+
+    # Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
+    services.wgautomesh = {
+      enable = true;
+      gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
+      openFirewall = true;
+      settings = {
+        inherit interface;
+
+        # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
+        peers = pipe netConfig.hosts [
+          (filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
+          (mapAttrsToList (
+            _: peerConfig: {
+              address = peerConfig.v4.ip;
+              endpoint =
+                if (peerConfig.endpoint != null) then
+                  with peerConfig.endpoint; "${fqdn}:${toString port}"
+                else
+                  null;
+              pubkey = peerConfig.publicKey;
+            }
+          ))
+        ];
+      };
+    };
+    systemd.services.wgautomesh = {
+      requires = wgService;
+      after = wgService;
+    };
+  };
+}

nixos-modules/qois/nginx/default.nix

@@ -1,12 +1,9 @@
 {
-  config,
-  lib,
-  pkgs,
   ...
 }:
 
 {
-  services.nginx = {
+  config.services.nginx = {
     recommendedTlsSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;

nixos-modules/qois/vpn-server/default.nix

@@ -58,7 +58,7 @@ in
       let
         vnet = config.qois.meta.network.virtual;
         vpnNet = vnet.vpn;
-        vpnNetPrefix = "${vpnNet.v4.id}/${builtins.toString vpnNet.v4.prefixLength}";
+        vpnNetPrefix = "${vpnNet.v4.id}/${toString vpnNet.v4.prefixLength}";
         backplaneNetPrefix = "${vnet.backplane.v4.id}/${builtins.toString vnet.backplane.v4.prefixLength}";
       in
       {