authorAzat Bahawi <azat@bahawi.net>2023-04-14 02:51:09 +0300
committerAzat Bahawi <azat@bahawi.net>2023-04-14 02:51:09 +0300
commit39ed30937ec29217820583e07ff1f447d08b9898 (patch)
tree96dc9d1a62e320c89510cd910add2ce8fb819850 /modules/nixos
parent2023-04-12 (diff)
2023-04-14
Diffstat (limited to '')
-rw-r--r--modules/nixos/git/default.nix6
-rw-r--r--modules/nixos/ipfs.nix21
-rw-r--r--modules/nixos/lidarr.nix13
-rw-r--r--modules/nixos/monitoring/rules/node.yaml19
-rw-r--r--modules/nixos/monitoring/rules/redis.yaml89
-rw-r--r--modules/nixos/mpd.nix2
-rw-r--r--modules/nixos/nsd.nix2
-rw-r--r--modules/nixos/radarr.nix13
-rw-r--r--modules/nixos/shadowsocks.nix2
-rw-r--r--modules/nixos/sonarr.nix13
-rw-r--r--modules/nixos/unbound.nix11
11 files changed, 52 insertions, 139 deletions
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index fd25eec..62a200c 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -30,9 +30,9 @@ in {
         locations = {
           "/".extraConfig = let
             cgitrc = pkgs.writeText "cgitrc" ''
-              root-title=github sux >:^(
-              root-desc=Homo sum, humani a me nihil alienum puto.
-              footer=
+              root-title=github sux (⩺_⩹)
+              root-desc=https://github.com/azahi
+              footer=https://GiveUpGitHub.com
 
               clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL
 
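Review bot: `footer=https://GiveUpGitHub.com` on the third added line very likely renders nothing, because cgit's `footer` option names a file whose contents are included verbatim at the bottom of every page rather than a string to print; cgit will try to open a path by that name and silently fall back to no footer. Writing the snippet to the store and pointing at it does what the line intends, e.g. `footer=${pkgs.writeText "cgit-footer" "<a href=\"https://GiveUpGitHub.com\">GiveUpGitHub.com</a>"}`, which works inside this `''` string since `${…}` is interpolated there. The `cgitrc` definition continues past the end of the hunk.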
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 68075ff..6d32ec6 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -60,6 +60,7 @@ in {
         emptyRepo = true;
         enableGC = true;
 
+        # https://github.com/ipfs/kubo/blob/master/docs/config.md
         settings = mkMerge [
           (
             let
@@ -94,30 +95,18 @@ in {
                   "/ip4/0.0.0.0/tcp/${port}"
                   "/ip6/::/tcp/${port}"
                   "/ip4/0.0.0.0/udp/${port}/quic"
+                  "/ip4/0.0.0.0/udp/${port}/quic-v1"
+                  "/ip4/0.0.0.0/udp/${port}/quic-v1/webtransport"
                   "/ip6/::/udp/${port}/quic"
+                  "/ip6/::/udp/${port}/quic-v1"
+                  "/ip6/::/udp/${port}/quic-v1/webtransport"
                 ];
 
                 NoAnnounce = filterAddresses;
               };
               Swarm.AddrFilters = filterAddresses;
-              API.HTTPHeaders.Access-Control-Allow-Methods = [
-                "GET"
-                "POST"
-                "PUT"
-              ];
             }
           )
-          (mkIf this.isHeadful {
-            API.HTTPHeaders.Access-Control-Allow-Origin = ["*"];
-          })
-          (mkIf this.isHeadless {
-            API.HTTPHeaders.Access-Control-Allow-Origin = map (v: "http${
-              optionalString config.nixfiles.modules.acme.enable "s"
-            }://${v}") (with cfg; [
-              domain
-              "api.${domain}"
-            ]);
-          })
         ];
       };
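Review bot: The removed `API.HTTPHeaders` block (the `Access-Control-Allow-Methods` list, the `*` origin on headful hosts and the domain list on headless ones) is a behaviour change the hunk does not explain, and since it tightens which browser origins may call the Kubo RPC API it deserves a comment so it is not reintroduced later; suggest above `Swarm.AddrFilters`: `# Deliberately no API.HTTPHeaders: the RPC API must not be callable cross-origin from a browser.` The new `quic-v1` and `webtransport` listeners bind `0.0.0.0` and `::` on the same `${port}` as the existing tcp/quic entries; as far as the hunk shows they are covered by the same `NoAnnounce`/`AddrFilters` values, but any firewall rule for that port lives outside this hunk and must admit UDP for the quic variants to be reachable at all. The `settings` expression continues outside the hunk on both sides.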
 
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index f73f917..8439ec0 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -12,7 +12,7 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = "lidarr.${config.networking.fqdn}";
+      default = "lidarr.${config.networking.domain}";
     };
   };
 
@@ -20,9 +20,16 @@ in {
     nixfiles.modules.nginx = {
       enable = true;
       upstreams.lidarr.servers."127.0.0.1:8686" = {};
-      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://lidarr";
+      virtualHosts.${cfg.domain} = {
+        locations."/".proxyPass = "http://lidarr";
+        extraConfig = nginxInternalOnly;
+      };
     };
 
-    services.lidarr.enable = true;
+    services.lidarr = {
+      enable = true;
+      user = "rtorrent";
+      group = "rtorrent";
+    };
   };
 }
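Review bot: Setting `user = "rtorrent"` and `group = "rtorrent"` in the `services.lidarr` block drops the service's own identity, and with the matching hunks in radarr.nix (L302-L320) and sonarr.nix (L347-L365) lidarr, radarr, sonarr and rtorrent end up sharing one account, so a compromise of any of them reaches the others' config directories and the API keys stored there. If the goal is shared write access to downloaded media, a supplementary group on each service or group-writable media directories keeps the identities separate; if the shared account is deliberate, record it, e.g. `# Runs as rtorrent so media stays writable by both sides; this removes privilege separation between the *arr services.` `nginxInternalOnly` is referenced here but bound outside the hunk, presumably in the module's `let`, so a short `# Only reachable from internal addresses.` next to `extraConfig` would help a reader who only sees this file.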
diff --git a/modules/nixos/monitoring/rules/node.yaml b/modules/nixos/monitoring/rules/node.yaml
index 98217b3..eee5939 100644
--- a/modules/nixos/monitoring/rules/node.yaml
+++ b/modules/nixos/monitoring/rules/node.yaml
@@ -238,28 +238,11 @@ groups:
             VALUE = {{ $value }}
             LABELS = {{ $labels }}
 
-      - alert: HostCpuStealNoisyNeighbor
-        expr: >-
-          avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m]))
-          * 100
-          > 15
-        for: 0m
-        labels:
-          severity: warning
-        annotations:
-          summary: Host CPU steal noisy neighbor at {{ $labels.instance }}.
-          description: |-
-            CPU steal is > 10%. A noisy neighbor is killing VM performances or a
-            spot instance may be out of credit.
-
-              VALUE = {{ $value }}
-              LABELS = {{ $labels }}
-
       - alert: HostCpuHighIowait
         expr: |-
           avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m]))
           * 100
-          > 15
+          > 50
         for: 0m
         labels:
           severity: warning
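Review bot: The iowait threshold moves from 15 to 50 but the alert keeps `for: 0m`, so a single scrape in which the 5m average exceeds 50% fires immediately; if the goal is to cut noise, adding `for: 5m` would do more than the higher threshold alone, since a brief burst of I/O wait is exactly what such an alert should ride out. The `summary` and `description` annotations that follow are outside this hunk; check that the description does not still quote the old threshold.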
diff --git a/modules/nixos/monitoring/rules/redis.yaml b/modules/nixos/monitoring/rules/redis.yaml
index c07c819..b47c313 100644
--- a/modules/nixos/monitoring/rules/redis.yaml
+++ b/modules/nixos/monitoring/rules/redis.yaml
@@ -17,95 +17,6 @@ groups:
             VALUE = {{ $value }}
             LABELS = {{ $labels }}
 
-      - alert: RedisMissingMaster
-        expr: >-
-          (count(redis_instance_info{role="master"}) or vector(0))
-          < 1
-        for: 0m
-        labels:
-          severity: critical
-        annotations:
-          summary: Redis missing master at {{ $labels.instance }}).
-          description: |-
-            Redis cluster has no node marked as a master.
-
-            VALUE = {{ $value }}
-            LABELS = {{ $labels }}
-
-      - alert: RedisTooManyMasters
-        expr: >-
-          count(redis_instance_info{role="master"}) > 1
-        for: 0m
-        labels:
-          severity: critical
-        annotations:
-          summary: Redis too many masters at {{ $labels.instance }}.
-          description: |-
-            Redis cluster has too many nodes marked as a master.
-
-            VALUE = {{ $value }}
-            LABELS = {{ $labels }}
-
-      - alert: RedisDisconnectedSlaves
-        expr: >-
-          count without (instance, job) (redis_connected_slaves)
-          - sum without (instance, job) (redis_connected_slaves)
-          - 1
-          > 1
-        for: 0m
-        labels:
-          severity: critical
-        annotations:
-          summary: Redis disconnected slaves at {{ $labels.instance }}.
-          description: |-
-            Redis is not replicating for all slaves.
-
-            VALUE = {{ $value }}
-            LABELS = {{ $labels }}
-
-      - alert: RedisReplicationBroken
-        expr: >-
-          delta(redis_connected_slaves[1m]) < 0
-        for: 0m
-        labels:
-          severity: critical
-        annotations:
-          summary: Redis replication broken at {{ $labels.instance }}.
-          description: |-
-            Redis instance lost a slave.
-
-            VALUE = {{ $value }}
-            LABELS = {{ $labels }}
-
-      - alert: RedisClusterFlapping
-        expr: >-
-          changes(redis_connected_slaves[1m]) > 1
-        for: 2m
-        labels:
-          severity: critical
-        annotations:
-          summary: Redis cluster flapping at {{ $labels.instance }}.
-          description: |-
-            Changes have been detected in the Redis replica connection. This can occur when replica nodes lose connection to the master and reconnect (a.k.a flapping).
-
-            VALUE = {{ $value }}
-            LABELS = {{ $labels }}
-
-      - alert: RedisMissingBackup
-        expr: >-
-          time() - redis_rdb_last_save_timestamp_seconds
-          > 60 * 60 * 24
-        for: 0m
-        labels:
-          severity: critical
-        annotations:
-          summary: Redis missing backup at {{ $labels.instance }}.
-          description: |-
-            Redis has not been backed up for 24 hours.
-
-            VALUE = {{ $value }}
-            LABELS = {{ $labels }}
-
       - alert: RedisOutOfSystemMemory
         expr: >-
           redis_memory_used_bytes
diff --git a/modules/nixos/mpd.nix b/modules/nixos/mpd.nix
index b38ab9f..6db83f8 100644
--- a/modules/nixos/mpd.nix
+++ b/modules/nixos/mpd.nix
@@ -10,6 +10,8 @@ in {
   options.nixfiles.modules.mpd.enable = mkEnableOption "MPD and its clients.";
 
   config = mkIf cfg.enable {
+    nixfiles.modules.sound.enable = true;
+
     hm = {
       home.packages = with pkgs; [mpc_cli];
 
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index d2ab117..3659a7a 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -109,7 +109,6 @@ in {
                       alertmanager = manwe;
                       bitwarden = manwe;
                       git = manwe;
-                      gotify = manwe;
                       grafana = manwe;
                       loki = manwe;
                       ntfy = manwe;
@@ -119,6 +118,7 @@ in {
                       vaultwarden = manwe;
 
                       flood = yavanna;
+                      lidarr = yavanna;
                     };
                   }
                 ];
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 0abfdf2..c706eae 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -12,7 +12,7 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = "radarr.${config.networking.fqdn}";
+      default = "radarr.${config.networking.domain}";
     };
   };
 
@@ -20,9 +20,16 @@ in {
     nixfiles.modules.nginx = {
       enable = true;
       upstreams.radarr.servers."127.0.0.1:7878" = {};
-      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://radarr";
+      virtualHosts.${cfg.domain} = {
+        locations."/".proxyPass = "http://radarr";
+        extraConfig = nginxInternalOnly;
+      };
     };
 
-    services.radarr.enable = true;
+    services.radarr = {
+      enable = true;
+      user = "rtorrent";
+      group = "rtorrent";
+    };
   };
 }
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index b59359c..f9997ba 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -105,7 +105,7 @@ in {
       "net.ipv4.ip_local_port_range" = "10000 65000";
       "net.ipv4.tcp_max_syn_backlog" = pow 2 13;
       "net.ipv4.tcp_max_tw_buckets" = pow 2 12;
-      "net.ipv4.tcp_fastopen" = 3;
+      "net.ipv4.tcp_fastopen" = mkOverride 100 3;
       "net.ipv4.tcp_mem" = mkOverride 100 (mkTcpMem 15 16 17);
       "net.ipv4.tcp_rmem" = mkOverride 100 (mkTcpMem 12 16 26);
       "net.ipv4.tcp_wmem" = mkOverride 100 (mkTcpMem 12 16 26);
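Review bot: `mkOverride 100 3` on `net.ipv4.tcp_fastopen` now silently wins over the `mkOverride 200 3` that unbound.nix sets for the same key (hunk at L398-L404), and neither site says why two modules set it or why both choose 3 (client and server TCP Fast Open); a one-line comment would stop a later reader from "fixing" the priorities, e.g. `# Priority 100 so this wins over the priority-200 default unbound.nix sets for the same key.` Since both sides resolve to the same value, and assuming no third module sets this key, a plain `mkDefault` in unbound.nix with no override here would express the same intent with less machinery.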
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 8c79175..5990ff1 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -12,7 +12,7 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = "sonarr.${config.networking.fqdn}";
+      default = "sonarr.${config.networking.domain}";
     };
   };
 
@@ -20,9 +20,16 @@ in {
     nixfiles.modules.nginx = {
       enable = true;
       upstreams.sonarr.servers."127.0.0.1:8989" = {};
-      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://sonarr";
+      virtualHosts.${cfg.domain} = {
+        locations."/".proxyPass = "http://sonarr";
+        extraConfig = nginxInternalOnly;
+      };
     };
 
-    services.sonarr.enable = true;
+    services.sonarr = {
+      enable = true;
+      user = "rtorrent";
+      group = "rtorrent";
+    };
   };
 }
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 2291cc7..79d52eb 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -86,13 +86,16 @@ in {
                 "${ipv6.subnet} allow"
               ];
 
-              private-domain = cfg.domain;
+              private-domain = "${cfg.domain}.";
               private-address = with config.nixfiles.modules.wireguard; [
                 ipv4.subnet
                 ipv6.subnet
               ];
 
-              domain-insecure = cfg.domain;
+              cache-min-ttl = 0;
+
+              serve-expired = true;
+              serve-expired-reply-ttl = 0;
 
               prefetch = true;
               prefetch-key = true;
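Review bot: Dropping `domain-insecure = cfg.domain;` means answers for that zone are now DNSSEC-validated like any other (the `enableRootTrustAnchor = true;` in the next hunk is already the NixOS default, so it only makes that explicit); if the zone is served unsigned from a local stub or forward while its parent publishes a DS record, every lookup in it will be rejected as bogus and return SERVFAIL, so the change is only safe when the zone is signed or has no DS at the parent. If validation is intended, say so where the exemption used to be: `# No domain-insecure exemption: ${cfg.domain} is validated like any other zone.` `serve-expired = true;` with `serve-expired-reply-ttl = 0;` also allows stale records to be handed out after their TTL; setting `serve-expired-ttl` explicitly keeps that staleness window bounded and documented instead of depending on the version's default. The enclosing server settings block starts and ends outside this hunk.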
@@ -123,6 +126,8 @@ in {
             };
           };
 
+          enableRootTrustAnchor = true;
+
           localControlSocketPath = "/run/unbound/unbound.socket";
         };
 
@@ -174,5 +179,7 @@ in {
           wantedBy = ["timers.target"];
         };
       };
+
+      boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
     };
 }
