about summary refs log tree commit diff
path: root/modules/nixos
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2023-03-22 15:20:22 +0300
committerAzat Bahawi <azat@bahawi.net>2023-03-22 15:20:22 +0300
commiteb6eebde166112397e8711a16a8618a52ecbcaca (patch)
tree8650b606bf9c5f48d843fb99e2212c052825d79a /modules/nixos
parent2023-03-21 (diff)
2023-03-22
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/default.nix2
-rw-r--r--modules/nixos/monitoring/default.nix154
-rw-r--r--modules/nixos/nsd.nix3
-rw-r--r--modules/nixos/ntfy.nix57
-rw-r--r--modules/nixos/redis.nix36
-rw-r--r--modules/nixos/unbound.nix39
-rw-r--r--modules/nixos/victoriametrics.nix46
7 files changed, 233 insertions, 104 deletions
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 269ce39..3c4192d 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -36,6 +36,7 @@ _: {
     ./nginx.nix
     ./node-exporter.nix
     ./nsd.nix
+    ./ntfy.nix
     ./nullmailer.nix
     ./openssh.nix
     ./podman.nix
@@ -46,6 +47,7 @@ _: {
     ./psd.nix
     ./radarr.nix
     ./radicale.nix
+    ./redis.nix
     ./rss-bridge.nix
     ./rtorrent.nix
     ./searx.nix
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 1108be6..6cdc2c9 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -1,78 +1,93 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 with lib; let
   cfg = config.nixfiles.modules.monitoring;
 in {
   options.nixfiles.modules.monitoring.enable = mkEnableOption ''
-    a custom monitoring stack bas on the Grafana Labs toolkit
+    a glue to provision a monitoring stack
   '';
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
+      alertmanager.enable = true;
       grafana.enable = true;
       loki.enable = true;
       prometheus.enable = true;
-      alertmanager.enable = true;
     };
 
     services = {
-      grafana.provision = {
-        enable = true;
-
-        # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
-        datasources.settings.datasources = with config.nixfiles.modules; [
-          {
-            name = "Prometheus";
-            type = "prometheus";
-            access = "proxy";
-            url = "https://${prometheus.domain}";
-            isDefault = true;
-          }
-          {
-            name = "Loki";
-            type = "loki";
-            access = "proxy";
-            url = "https://${loki.domain}";
-          }
-          {
-            name = "Alertmanager";
-            type = "alertmanager";
-            access = "proxy";
-            jsonData.implementation = "prometheus";
-            url = "https://${alertmanager.domain}";
-          }
+      grafana = {
+        declarativePlugins = with pkgs.grafanaPlugins; [
+          redis-app
+          redis-datasource
+          redis-explorer-app
         ];
 
-        # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
-        dashboards.settings.providers = [
-          # System dashboard is imported manually from here[1]. Too bad
-          # provisioned dashboards cannot properly integrate dynamic datasources
-          # yet.
-          #
-          # [1]: https://grafana.com/grafana/dashboards/1860-node-exporter-full
-          {
-            name = "endlessh";
-            options.path = ./dashboards/endlessh.json;
-          }
-          {
-            name = "unbound";
-            options.path = ./dashboards/unbound.json;
-          }
-          {
-            name = "nginx";
-            options.path = ./dashboards/nginx.json;
-          }
-          {
-            name = "postgersql";
-            options.path = ./dashboards/postgresql.json;
-          }
-        ];
+        provision = {
+          enable = true;
 
-        alerting = {
-          contactPoints.settings.contactPoints = [
+          # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
+          datasources.settings.datasources = with config.nixfiles.modules; [
+            {
+              name = "Alertmanager";
+              type = "alertmanager";
+              access = "proxy";
+              jsonData.implementation = "prometheus";
+              url = "https://${alertmanager.domain}";
+            }
+            {
+              name = "Loki";
+              type = "loki";
+              access = "proxy";
+              url = "https://${loki.domain}";
+              isDefault = true;
+            }
+            {
+              name = "Prometheus";
+              type = "prometheus";
+              access = "proxy";
+              url = "https://${prometheus.domain}";
+            }
+            (mkIf config.nixfiles.modules.redis.enable {
+              name = "Redis";
+              type = "redis-datasource";
+              access = "proxy";
+              url = with config.services.redis.servers.default; "redis://${bind}:${toString port}";
+              jsonData.client = "standalone";
+            })
+          ];
+
+          # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
+          dashboards.settings.providers = [
+            # The System dashboard is imported manually from here[1]. Too bad
+            # provisioned dashboards cannot properly integrate dynamic datasources
+            # yet.
+            #
+            # [1]: https://grafana.com/grafana/dashboards/1860-node-exporter-full
+            {
+              name = "endlessh";
+              options.path = ./dashboards/endlessh.json;
+            }
+            {
+              name = "unbound";
+              options.path = ./dashboards/unbound.json;
+            }
+            {
+              name = "nginx";
+              options.path = ./dashboards/nginx.json;
+            }
+            {
+              name = "postgersql";
+              options.path = ./dashboards/postgresql.json;
+            }
+          ];
+
+          # https://grafana.com/docs/grafana/latest/administration/provisioning/#alerting
+          alerting.contactPoints.settings.contactPoints = [
             {
               name = "Alertmanager";
               receivers = [
@@ -84,25 +99,6 @@ in {
               ];
             }
           ];
-          muteTimings.settings.muteTimes = [
-            {
-              name = "Sleep";
-              time_intervals = [
-                {
-                  times = [
-                    {
-                      start_time = "23:00";
-                      end_time = "24:00";
-                    }
-                    {
-                      start_time = "00:00";
-                      end_time = "09:00";
-                    }
-                  ];
-                }
-              ];
-            }
-          ];
         };
       };
 
@@ -139,7 +135,6 @@ in {
                     mkTargets
                     [
                       manwe
-                      varda
                       yavanna
                     ]
                     nginx.port;
@@ -175,6 +170,19 @@ in {
               ];
             }
             {
+              job_name = "redis";
+              static_configs = [
+                {
+                  targets =
+                    mkTargets
+                    [
+                      manwe
+                    ]
+                    redis.port;
+                }
+              ];
+            }
+            {
               job_name = "unbound";
               static_configs = [
                 {
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index 0dade8f..d2ab117 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -112,13 +112,12 @@ in {
                       gotify = manwe;
                       grafana = manwe;
                       loki = manwe;
+                      ntfy = manwe;
                       prometheus = manwe;
                       radicale = manwe;
                       rss-bridge = manwe;
                       vaultwarden = manwe;
 
-                      minecraft = varda;
-
                       flood = yavanna;
                     };
                   }
diff --git a/modules/nixos/ntfy.nix b/modules/nixos/ntfy.nix
new file mode 100644
index 0000000..2fd3234
--- /dev/null
+++ b/modules/nixos/ntfy.nix
@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.ntfy;
+in {
+  options.nixfiles.modules.ntfy = {
+    enable = mkEnableOption "ntfy";
+
+    port = mkOption {
+      description = "Port.";
+      type = types.port;
+      default = 2586;
+    };
+
+    domain = mkOption {
+      description = "Domain name sans protocol scheme.";
+      type = with types; str;
+      default = "ntfy.${config.networking.domain}";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nixfiles.modules.nginx = {
+      enable = true;
+      upstreams.ntfy.servers.${config.services.ntfy-sh.settings.listen-http} = {};
+      virtualHosts.${cfg.domain} = {
+        locations."/" = {
+          proxyPass = "http://ntfy";
+          proxyWebsockets = true;
+        };
+        extraConfig = nginxInternalOnly;
+      };
+    };
+
+    services.ntfy-sh = {
+      enable = true;
+      settings = {
+        listen-http = "127.0.0.1:${toString cfg.port}";
+        base-url = "https://${cfg.domain}";
+        cache-file = "/var/cache/ntfy/cache.db";
+        behind-proxy = true;
+        attachment-cache-dir = "/var/cache/ntfy/attachments";
+        auth-file = "/var/lib/ntfy/user.db";
+        auth-default-access = "deny-all";
+      };
+    };
+
+    systemd.tmpfiles.rules = with config.services.ntfy-sh; [
+      "d /var/lib/ntfy 0700 ${user} ${group} - -"
+      "d /var/cache/ntfy 0700 ${user} ${group} - -"
+      "d /var/cache/ntfy/attachments 0700 ${user} ${group} - -"
+    ];
+  };
+}
diff --git a/modules/nixos/redis.nix b/modules/nixos/redis.nix
new file mode 100644
index 0000000..166407e
--- /dev/null
+++ b/modules/nixos/redis.nix
@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  this,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.redis;
+in {
+  options.nixfiles.modules.redis.enable = mkEnableOption "Redis";
+
+  config = mkIf cfg.enable {
+    services = {
+      redis = {
+        servers.default = {
+          enable = true;
+          bind = "127.0.0.1";
+          port = 6379;
+        };
+        vmOverCommit = true;
+      };
+
+      prometheus.exporters = {
+        redis = {
+          enable = true;
+          listenAddress = mkDefault this.wireguard.ipv4.address;
+          port = mkDefault 9121;
+          extraFlags = with config.services.redis.servers.default; [
+            "--redis.addr=redis://${bind}:${toString port}"
+            "--redis.user=${user}"
+          ];
+        };
+      };
+    };
+  };
+}
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 103e375..2291cc7 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -22,6 +22,8 @@ in {
     adblock-conf = "${config.services.unbound.stateDir}/adblock.conf";
   in
     mkIf cfg.enable {
+      nixfiles.modules.redis.enable = true;
+
       services = {
         unbound = {
           enable = true;
@@ -114,7 +116,7 @@ in {
               }
             ];
 
-            cachedb = with config.services.redis.servers.unbound; {
+            cachedb = with config.services.redis.servers.default; {
               backend = "redis";
               redis-server-host = bind;
               redis-server-port = port;
@@ -124,34 +126,13 @@ in {
           localControlSocketPath = "/run/unbound/unbound.socket";
         };
 
-        redis = {
-          servers.unbound = {
-            enable = true;
-            bind = "127.0.0.1";
-            port = 6379;
-          };
-          vmOverCommit = mkForce true;
-        };
-
-        prometheus.exporters = {
-          unbound = {
-            enable = true;
-            listenAddress = mkDefault this.wireguard.ipv4.address;
-            port = 9167;
-            fetchType = "uds";
-            controlInterface = config.services.unbound.localControlSocketPath;
-            inherit (config.services.unbound) group user;
-          };
-
-          redis = {
-            enable = true;
-            listenAddress = mkDefault this.wireguard.ipv4.address;
-            port = mkDefault 9121;
-            extraFlags = with config.services.redis.servers.unbound; [
-              "--redis.addr=redis://${bind}:${toString port}"
-              "--redis.user=${user}"
-            ];
-          };
+        prometheus.exporters.unbound = {
+          enable = true;
+          listenAddress = mkDefault this.wireguard.ipv4.address;
+          port = 9167;
+          fetchType = "uds";
+          controlInterface = config.services.unbound.localControlSocketPath;
+          inherit (config.services.unbound) group user;
         };
       };
 
diff --git a/modules/nixos/victoriametrics.nix b/modules/nixos/victoriametrics.nix
new file mode 100644
index 0000000..509ee17
--- /dev/null
+++ b/modules/nixos/victoriametrics.nix
@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.prometheus;
+in {
+  options.nixfiles.modules.prometheus = {
+    enable = mkEnableOption "VictoriaMetrics";
+
+    port = mkOption {
+      description = "Port.";
+      type = with types; port;
+      default = 30113;
+    };
+
+    domain = mkOption {
+      description = "Domain name sans protocol scheme.";
+      type = with types; str;
+      default = "victoriametrics.${config.networking.domain}";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nixfiles.modules.nginx = with cfg; {
+      enable = true;
+      upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = {};
+      virtualHosts.${domain} = {
+        locations."/".proxyPass = "http://victoriametrics";
+        extraConfig = nginxInternalOnly;
+      };
+    };
+
+    services.victoriametrics = {
+      enable = true;
+
+      listenAddress = "127.0.0.1:${toString cfg.port}";
+
+      extraOptions = [
+        "-loggerLevel=WARN"
+        # TODO scrape_config
+      ];
+    };
+  };
+}

Consider giving Nix/NixOS a try! <3