Merge pull request #2939 from input-output-hk/morph-refactor

morph deployment refactoring
IntersectMBO · Apr 6, 2021 · 6771caa · 6771caa
2 parents eab63ad + 240f366
commit 6771caa
Show file tree

Hide file tree

Showing 15 changed files with 329 additions and 565 deletions.
diff --git a/deployment/morph/configurations.nix b/deployment/morph/configurations.nix
diff --git a/deployment/morph/machines/marlowe-dash.nix b/deployment/morph/machines/marlowe-dash.nix
@@ -0,0 +1,26 @@
+{ pkgs, config, lib, ... }:
+{
+  imports = [
+    ../../../nix/modules/pab.nix
+  ];
+
+  networking = {
+    firewall.allowedTCPPorts = [ 22 80 9080 ];
+  };
+
+  services.pab = {
+    enable = true;
+    pab-package = pkgs.plutus-pab.pab-exes.plutus-pab;
+    contracts = [ "${pkgs.marlowe-app}/bin/marlowe-app" ];
+    staticContent = pkgs.marlowe-dashboard.client;
+    dbFile = "/var/lib/pab/pab-core.db";
+    defaultWallet = 1;
+    webserverPort = 9080;
+    walletPort = 8081;
+    nodePort = 8082;
+    chainIndexPort = 8083;
+    signingProcessPort = 8084;
+    metadataPort = 8085;
+  };
+
+}
diff --git a/deployment/morph/machines/playground.nix b/deployment/morph/machines/playground.nix
@@ -0,0 +1,155 @@
+{ pkgs, config, lib, ... }:
+let
+  tfinfo = builtins.fromJSON (builtins.readFile ./../machines.json);
+in
+{
+
+  imports = [
+    ../../../nix/modules/plutus-playground.nix
+    ../../../nix/modules/marlowe-playground.nix
+  ];
+
+  networking = {
+    firewall.allowedTCPPorts = [ 22 80 8080 9080 ];
+  };
+
+  services.marlowe-playground = {
+    enable = true;
+    port = 4001;
+    frontendURL = "https://${tfinfo.environment}.${tfinfo.marloweTld}";
+    playground-server-package = pkgs.marlowe-playground.server;
+  };
+
+  services.plutus-playground = {
+    enable = true;
+    port = 4000;
+    webghcURL = "http://${tfinfo.environment}.${tfinfo.plutusTld}";
+    frontendURL = "https://${tfinfo.environment}.${tfinfo.plutusTld}";
+    playground-server-package = pkgs.plutus-playground.server;
+  };
+
+  services.nginx =
+    let
+      staticFileCacheControl = ''
+        # static files should not be too costly to serve so we can allow more generous rates
+        limit_req zone=staticlimit burst=1000;
+        add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+        expires off;
+      '';
+    in
+    {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedOptimisation = true;
+
+      appendHttpConfig = ''
+        limit_req_zone $binary_remote_addr zone=plutuslimit:10m rate=2r/s;
+        limit_req_zone $binary_remote_addr zone=staticlimit:500m rate=100r/s;
+        server_names_hash_bucket_size 128;
+        log_format compression '$remote_addr - $remote_user [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+      '';
+
+      upstreams = {
+        plutus-playground.servers."127.0.0.1:4000" = { };
+        marlowe-playground.servers."127.0.0.1:4001" = { };
+      };
+      virtualHosts = {
+        "plutus-playground" = {
+          listen = [{ addr = "0.0.0.0"; port = 8080; }];
+          locations = {
+            "/version" = {
+              proxyPass = "http://plutus-playground";
+            };
+            "/health" = {
+              proxyPass = "http://plutus-playground";
+            };
+            "/" = {
+              root = "${pkgs.plutus-playground.client}";
+              extraConfig = ''
+                ${staticFileCacheControl}
+                error_page 404 = @fallback;
+              '';
+            };
+            "^~ /tutorial/" = {
+              alias = "${pkgs.plutus-playground.tutorial}/";
+              extraConfig = ''
+                error_page 404 = @fallback;
+              '';
+            };
+            "@fallback" = {
+              proxyPass = "http://plutus-playground";
+              proxyWebsockets = true;
+              extraConfig = ''
+                limit_req zone=plutuslimit burst=10;
+              '';
+            };
+          };
+        };
+        "marlowe-playground" = {
+          listen = [{ addr = "0.0.0.0"; port = 9080; }];
+          locations = {
+            "/version" = {
+              proxyPass = "http://marlowe-playground";
+            };
+            "/health" = {
+              proxyPass = "http://marlowe-playground";
+            };
+            "/" = {
+              root = "${pkgs.marlowe-playground.client}";
+              extraConfig = ''
+                ${staticFileCacheControl}
+                error_page 404 = @fallback;
+              '';
+            };
+            "^~ /tutorial/" = {
+              alias = "${pkgs.marlowe-playground.tutorial}/";
+              extraConfig = ''
+                error_page 404 = @fallback;
+              '';
+            };
+            "@fallback" = {
+              proxyPass = "http://marlowe-playground";
+              proxyWebsockets = true;
+              extraConfig = ''
+                limit_req zone=plutuslimit burst=10;
+              '';
+            };
+          };
+        };
+      };
+    };
+
+  deployment = {
+    secrets = {
+      "plutus-secrets" = {
+        source = "./secrets.plutus.${tfinfo.environment}.env";
+        destination = "/var/lib/playgrounds/plutus.env";
+        action = [ "systemctl" "restart" "plutus-playground" ];
+        permissions = "0444";
+      };
+      "marlowe-secrets" = {
+        source = "./secrets.marlowe.${tfinfo.environment}.env";
+        destination = "/var/lib/playgrounds/marlowe.env";
+        action = [ "systemctl" "restart" "marlowe-playground" ];
+        permissions = "0444";
+      };
+
+    };
+    healthChecks = {
+      cmd = [
+        {
+          cmd = [ "systemctl" "status" "plutus-playground.service" ];
+          description = "Check if plutus-playground systemd service is running";
+        }
+        {
+          cmd = [ "systemctl" "status" "marlowe-playground.service" ];
+          description = "Check if marlowe-playground systemd service is running";
+        }
+      ];
+    };
+  };
+
+}
diff --git a/deployment/morph/default-machine.nix → deployment/morph/machines/std.nix b/deployment/morph/default-machine.nix → deployment/morph/machines/std.nix
@@ -1,15 +1,16 @@
-{ machines, stdOverlays, nixpkgsLocation, ... }: hostName: pkgs:
+{ config, lib, pkgs, ... }:
 {
+
+  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
+
+  ec2.hvm = true;
+
   nixpkgs.localSystem.system = "x86_64-linux";
-  nixpkgs.overlays = stdOverlays;
+
   nix = {
-    nixPath = [
-      "nixpkgs=${nixpkgsLocation}"
-    ];
     binaryCaches = [ https://hydra.iohk.io https://cache.nixos.org ];
     requireSignedBinaryCaches = false;
     extraOptions = ''
-      build-cores = 8
       auto-optimise-store = true
     '';
     trustedBinaryCaches = [ https://hydra.iohk.io ];
@@ -21,30 +22,22 @@
     gc.options = "--delete-older-than 7d";
   };
 
-  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
-
-  systemd.services.amazon-init.wantedBy = pkgs.lib.mkForce [ ];
-
-  # HVM is recommeneded by AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html
-  ec2.hvm = true;
-
-  networking.timeServers = [ "1.amazon.pool.ntp.org" "2.amazon.pool.ntp.org" "3.amazon.pool.ntp.org" ];
-
-  networking.hostName = pkgs.lib.mkForce hostName;
-
-  ## Disable journald ratelimiting.
-  services.journald.rateLimitBurst = 0;
+  #
+  # Enable the firewall, ports will opened up per machine
+  #
+  networking = {
+    firewall.enable = true;
+    timeServers = [ "1.amazon.pool.ntp.org" "2.amazon.pool.ntp.org" "3.amazon.pool.ntp.org" ];
+  };
 
-  ## This makes our networking stack ignore the AWS MTU advertisement of 9001,
-  ## that silently breaks intra-VPC, for some reason.
-  ## The intent of this is to reduce the MTU to 1500.
+  # This makes our networking stack ignore the AWS MTU advertisement of 9001,
+  # that silently breaks intra-VPC, for some reason.
+  # The intent of this is to reduce the MTU to 1500.
+  # TODO: check if this is really needed.
   networking.dhcpcd.extraConfig = ''
     nooption interface_mtu
   '';
 
-  users.extraUsers.root.openssh.authorizedKeys.keys = machines.rootSshKeys;
-  services.fail2ban.enable = true;
-
   # Allow `--substitute-on-destination` causing the target machine to fetch
   # dependencies from the iohk binary cache instead of copying everything
   # from the machine executing morph.

diff --git a/deployment/morph/machines/web-ghc.nix b/deployment/morph/machines/web-ghc.nix
@@ -0,0 +1,33 @@
+{ pkgs, config, lib, ... }:
+{
+
+  imports = [
+    ../../../nix/modules/web-ghc.nix
+  ];
+
+  networking = {
+    firewall.allowedTCPPorts = [ 22 80 ];
+  };
+
+  services = {
+    web-ghc = {
+      enable = true;
+      port = 80;
+      web-ghc-package = pkgs.web-ghc;
+    };
+  };
+
+  deployment.healthChecks = {
+    cmd = [
+      {
+        cmd = [ "systemctl" "status" "web-ghc.service" ];
+        description = "Check if webghc systemd service is running";
+      }
+      {
+        cmd = [ "curl" "http://localhost/health" ];
+        description = "webghc /health endpoint is responding";
+      }
+    ];
+  };
+
+}