NixOS flake for prod

Author: AlphaKeks

NixOS/configuration.nix

@@ -0,0 +1,132 @@
+{ lib, pkgs, modulesPath, system, cs2kz-api, ... }:
+
+let
+  sshKeys = [
+    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4SBKTQ7WJcihtw3QocLXi+xEc/6HklXigYoltI8iNH alphakeks@dawn''
+    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPe34iB4eZ5KnO8nKXHtH4V0QZNb7Ro/YxZw7xuCEJ7C max@framework''
+  ];
+in
+
+{
+  environment = {
+    systemPackages = with pkgs; [ coreutils vim ];
+    defaultPackages = with pkgs; [ tmux curl git btop fd fzf neovim jq ripgrep ];
+    variables.EDITOR = "nvim";
+  };
+  networking = {
+    hostName = "cs2kz-api";
+    firewall = {
+      interfaces = {
+        "enp0s6" = {
+          allowedTCPPorts = [ 22 80 443 ];
+        };
+      };
+    };
+  };
+  nixpkgs.hostPlatform = system;
+  programs.zsh.enable = true;
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "cs2kz@dawn.sh";
+  };
+  services = {
+    openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+    };
+    mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+      ensureDatabases = [ "cs2kz" ];
+      ensureUsers = [{
+        name = "schnose";
+        ensurePermissions = {
+          "cs2kz.*" = "ALL PRIVILEGES"; # TODO: more granular permissions
+        };
+      }];
+      initialDatabases = [{
+        name = "cs2kz";
+        schema = ../crates/cs2kz/migrations/0001_initial.up.sql;
+      }];
+    };
+    mysqlBackup = {
+      enable = true;
+      calendar = "02:30:00";
+      databases = [ "cs2kz" ];
+    };
+    nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+      virtualHosts."api.cs2kz.org" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:42069";
+          proxyWebsockets = true;
+          extraConfig = ''
+            if ($cloudflare_ip != 1) {
+              return 403;
+            }
+
+            # required when the server wants to use HTTP Authentication
+            proxy_pass_header Authorization;
+          '';
+        };
+      };
+      commonHttpConfig =
+        let
+          realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
+          allowFromList = lib.strings.concatMapStringsSep "\n" (x: "${x} 1;");
+          fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
+          cfipv4 = fileToList (pkgs.fetchurl {
+            url = "https://www.cloudflare.com/ips-v4";
+            sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+          });
+          cfipv6 = fileToList (pkgs.fetchurl {
+            url = "https://www.cloudflare.com/ips-v6";
+            sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+          });
+        in
+        ''
+          geo $realip_remote_addr $cloudflare_ip {
+            default          0;
+            ${allowFromList cfipv4}
+            ${allowFromList cfipv6}
+          }
+
+          # Proxy CF-ConnectingIP header
+          ${realIpsFromList cfipv4}
+          ${realIpsFromList cfipv6}
+          real_ip_header CF-Connecting-IP;
+        '';
+    };
+  };
+  system.stateVersion = "24.05";
+  systemd.user.services.cs2kz-api = {
+    enable = true;
+    wantedBy = [ "multi-user.target" ];
+    unitConfig.ConditionUser = "schnose";
+    environment = {
+      RUST_LOG = "cs2kz=trace,warn";
+      KZ_API_ENVIRONMENT = "production";
+    };
+    script = ''
+      ${cs2kz-api}/bin/cs2kz-api \
+        --config "/etc/cs2kz-api.toml" \
+        --depot-downloader-path "${pkgs.depotdownloader}/bin/DepotDownloader"
+    '';
+  };
+  time.timeZone = "Europe/Berlin";
+  users = {
+    defaultUserShell = pkgs.zsh;
+    users.root.openssh.authorizedKeys.keys = sshKeys;
+    users.schnose = {
+      isNormalUser = true;
+      linger = true;
+      useDefaultShell = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = sshKeys;
+    };
+  };
+}

NixOS/hardware-configuration.nix

@@ -0,0 +1,30 @@
+{ modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot = {
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "xen_blkfront"
+      ];
+      kernelModules = [ "nvme" ];
+    };
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/sda1";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/1B9E-BDB1";
+      fsType = "vfat";
+    };
+  };
+}

crates/cs2kz-api/src/bin/server/main.rs

@@ -24,9 +24,11 @@ fn main() -> anyhow::Result<()> {
 
     cli_args.apply_to_config(&mut config);
 
-    if config.tracing.enable {
-        init_tracing(&config.tracing).context("failed to initialize tracing")?;
-    }
+    let _guard = if config.tracing.enable {
+        init_tracing(&config.tracing).context("failed to initialize tracing")?
+    } else {
+        None
+    };
 
     cs2kz_api::run(config).context("failed to run API")
 }

crates/cs2kz-api/src/lib.rs

@@ -199,10 +199,7 @@ pub fn run(config: Config) -> Result<(), Error> {
                     },
                 },
 
-                result = tokio::signal::ctrl_c() => match result {
-                    Ok(()) => warn!("shutting down"),
-                    Err(error) => error!(%error, "failed to listen for ctrl-c"),
-                },
+                () = runtime::signal::shutdown() => {},
             }
 
             let _ = shutdown_tx.send(());

crates/cs2kz-api/src/middleware/auth/localhost.rs

@@ -1,23 +1,25 @@
-use std::net::SocketAddr;
-
-use axum::extract::{ConnectInfo, Request};
+use axum::extract::Request;
 use axum::middleware::Next;
 use axum::response::Response;
 
 use crate::response::ErrorResponse;
+use crate::runtime::{self, Environment};
 
 /// Middleware to check if a given request is coming from localhost.
 ///
 /// This is used for private endpoints like `/metrics` and `/taskdump`.
 #[tracing::instrument(skip_all, err(Debug, level = "debug"))]
 pub async fn client_is_localhost(request: Request, next: Next) -> Result<Response, ErrorResponse> {
-    if request
-        .extensions()
-        .get::<ConnectInfo<SocketAddr>>()
-        .is_some_and(|addr| addr.ip().is_loopback())
-    {
-        Ok(next.run(request).await)
-    } else {
-        Err(ErrorResponse::not_found())
+    match runtime::environment() {
+        Environment::Local => Ok(next.run(request).await),
+        Environment::Staging | Environment::Production => {
+            // If there's an X-Real-Ip header, we went through nginx, which means the request came
+            // from the outside.
+            if request.headers().contains_key("X-Real-Ip") {
+                Err(ErrorResponse::not_found())
+            } else {
+                Ok(next.run(request).await)
+            }
+        },
     }
 }

crates/cs2kz-api/src/middleware/trace.rs

@@ -1,5 +1,5 @@
 use std::fmt;
-use std::net::SocketAddr;
+use std::net::{IpAddr, SocketAddr};
 use std::time::Duration;
 
 use axum::body::HttpBody;

crates/cs2kz-api/src/runtime.rs renamed to crates/cs2kz-api/src/runtime/environment.rs

@@ -1,10 +1,5 @@
+use std::env;
 use std::sync::LazyLock;
-use std::{env, io};
-
-use tokio::runtime::Builder;
-pub use tokio::runtime::Runtime;
-
-use crate::config::RuntimeConfig;
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum Environment {
@@ -27,7 +22,7 @@ impl Environment {
     }
 }
 
-pub fn environment() -> Environment {
+pub fn current() -> Environment {
     static ENV: LazyLock<Environment> =
         LazyLock::new(|| match env::var("KZ_API_ENVIRONMENT").map(|env| env.to_lowercase()) {
             Ok(env) => match env.as_str() {
@@ -48,21 +43,3 @@ pub fn environment() -> Environment {
 
     *ENV
 }
-
-/// Builds a [Tokio runtime] according to the given `config`.
-///
-/// [Tokio runtime]: Config
-pub fn build(config: &RuntimeConfig) -> io::Result<Runtime> {
-    let mut builder = Builder::new_multi_thread();
-    builder.enable_all();
-
-    if let Some(n) = config.worker_threads {
-        builder.worker_threads(n.get());
-    }
-
-    if let Some(n) = config.max_blocking_threads {
-        builder.max_blocking_threads(n.get());
-    }
-
-    builder.build()
-}

crates/cs2kz-api/src/runtime/mod.rs

@@ -0,0 +1,29 @@
+use std::io;
+
+use tokio::runtime::Builder;
+pub use tokio::runtime::Runtime;
+
+use crate::config::RuntimeConfig;
+
+mod environment;
+pub use environment::{Environment, current as environment};
+
+pub mod signal;
+
+/// Builds a [Tokio runtime] according to the given `config`.
+///
+/// [Tokio runtime]: Config
+pub fn build(config: &RuntimeConfig) -> io::Result<Runtime> {
+    let mut builder = Builder::new_multi_thread();
+    builder.enable_all();
+
+    if let Some(n) = config.worker_threads {
+        builder.worker_threads(n.get());
+    }
+
+    if let Some(n) = config.max_blocking_threads {
+        builder.max_blocking_threads(n.get());
+    }
+
+    builder.build()
+}

crates/cs2kz-api/src/runtime/signal.rs

@@ -0,0 +1,33 @@
+use tokio::signal;
+
+pub async fn shutdown() {
+    select! {
+        () = sigint() => {},
+        () = sigterm() => {},
+    }
+}
+
+async fn sigint() {
+    match signal::ctrl_c().await {
+        Ok(()) => warn!("shutting down"),
+        Err(error) => error!(%error, "failed to listen for ctrl-c"),
+    }
+}
+
+#[cfg(unix)]
+async fn sigterm() {
+    use tokio::signal::unix;
+
+    match unix::signal(unix::SignalKind::terminate()) {
+        Ok(mut signal) => match signal.recv().await {
+            Some(()) => warn!("shutting down"),
+            None => error!("could not listen for more SIGTERM events"),
+        },
+        Err(error) => error!(%error, "failed to listen for SIGTERM"),
+    }
+}
+
+#[cfg(not(unix))]
+async fn sigterm() {
+    std::future::pending().await
+}