authorAzat Bahawi <azat@bahawi.net>2022-08-13 12:48:36 +0300
committerAzat Bahawi <azat@bahawi.net>2022-08-13 12:48:36 +0300
commit44d0f54b477ca1d370d0b6c2fa06f5400e151e42 (patch)
tree6de343568f70d643eb897a14f44fca5ba92b3105 /modules
parent2022-08-12 (diff)
2022-08-13
Diffstat (limited to 'modules')
-rw-r--r--modules/nixfiles/alertmanager.nix19
-rw-r--r--modules/nixfiles/common/users.nix4
-rw-r--r--modules/nixfiles/grafana.nix9
-rw-r--r--modules/nixfiles/loki.nix12
-rw-r--r--modules/nixfiles/monitoring.nix47
-rw-r--r--modules/nixfiles/nsd.nix5
-rw-r--r--modules/nixfiles/profiles/dev/containers/default.nix1
-rw-r--r--modules/nixfiles/prometheus.nix14
-rw-r--r--modules/nixfiles/promtail.nix2
-rw-r--r--modules/nixfiles/radicale.nix9
-rw-r--r--modules/nixfiles/syncthing.nix25
-rw-r--r--modules/nixfiles/wireguard.nix2
12 files changed, 59 insertions, 90 deletions
diff --git a/modules/nixfiles/alertmanager.nix b/modules/nixfiles/alertmanager.nix
index e067cd1..d903ee3 100644
--- a/modules/nixfiles/alertmanager.nix
+++ b/modules/nixfiles/alertmanager.nix
@@ -18,21 +18,15 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; nullOr str;
-      default = config.nixfiles.modules.monitoring.domain;
-    };
-
-    path = mkOption {
-      description = "Path.";
-      type = with types; str;
-      default = "/alertmanager";
+      default = "alertmanager.${config.networking.domain}";
     };
   };
 
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      virtualHosts.${cfg.domain}.locations.${path} = {
-        proxyPass = "http://127.0.0.1:${toString port}${path}";
+      virtualHosts.${cfg.domain}.locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
         extraConfig = ''
           if ($internal != 1) {
             return 403;
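Review bot: The `domain` option keeps `type = with types; nullOr str;` while the new default is a concrete string and the vhost is keyed as `virtualHosts.${cfg.domain}`, so a host that overrides `domain = null` no longer gets a "disabled" vhost but an evaluation failure from a null attribute name. The sibling modules touched by this commit (loki.nix, prometheus.nix) already declare `type = with types; str;`; aligning this option, and the same `nullOr str` in grafana.nix, makes the contract explicit: `type = with types; str;`. If null is meant to stay valid, the nginx block should be wrapped in `mkIf (cfg.domain != null)` instead. The `config` attribute set continues past the end of this hunk.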
@@ -50,13 +44,8 @@ in {
         listenAddress = "127.0.0.1";
         inherit (cfg) port;
 
-        extraFlags = [
-          "--web.external-url=http${
-            optionalString acme "s"
-          }://${cfg.domain}${cfg.path}"
-        ];
+        extraFlags = ["--web.external-url=https://${cfg.domain}"];
 
-        # TODO Make an option.
         configuration = {
           global = {
             smtp_from = "alertmanager@${my.domain.shire}";
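Review bot: `--web.external-url=https://${cfg.domain}` now hard-codes the `https` scheme, whereas the removed lines derived it from the `acme` flag; on a host without ACME the advertised URL no longer matches what nginx actually serves, and Alertmanager uses this URL in notification links. Prometheus gets the same change at `"--web.external-url=https://${domain}"` in prometheus.nix. Either keep the scheme derived, e.g. `"--web.external-url=http${optionalString acme "s"}://${cfg.domain}"`, or add an assertion that ACME is enabled whenever this module is. The `configuration` attribute set continues past the end of this hunk.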
diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix
index 0878db6..c761f55 100644
--- a/modules/nixfiles/common/users.nix
+++ b/modules/nixfiles/common/users.nix
@@ -6,12 +6,16 @@ with lib; {
     mutableUsers = false;
 
     users = {
+      # This will unset the root password so that it would be impossible to
+      # login as it directory. The root user will still be accessable via
+      # `sudo`.
       root.hashedPassword = "[REDACTED]";
 
       ${my.username} = {
         isNormalUser = true;
         uid = 1000;
         description = my.fullname;
+        # TODO Consider switching to passwordFile
         inherit (my) hashedPassword;
         openssh.authorizedKeys.keys = [my.ssh.key];
         extraGroups = ["wheel"];
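Review bot: The new comment above `root.hashedPassword` has two typos and makes a claim the reader cannot verify from the line: "login as it directory" should read "log in as it directly", "accessable" should be "accessible", and whether root login is actually impossible depends on the redacted value being an invalid hash rather than a real one. Suggested wording: `# Setting an invalid hash disables direct root login; root remains reachable via sudo.`. The `TODO Consider switching to passwordFile` is worth acting on rather than deferring: with `hashedPassword` the hash is baked into the system closure in the world-readable Nix store, while `passwordFile` keeps it out of the store. The enclosing `users` attribute set starts and ends outside this hunk.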
diff --git a/modules/nixfiles/grafana.nix b/modules/nixfiles/grafana.nix
index 4340f04..c2954bd 100644
--- a/modules/nixfiles/grafana.nix
+++ b/modules/nixfiles/grafana.nix
@@ -19,7 +19,7 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; nullOr str;
-      default = null;
+      default = "grafana.${config.networking.domain}";
     };
   };
 
@@ -40,7 +40,10 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
-        virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+        virtualHosts.${cfg.domain}.locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString cfg.port}";
+          proxyWebsockets = true;
+        };
       };
       postgresql.enable = true;
     };
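Review bot: The Grafana vhost is the only one in this commit without the `if ($internal != 1) { return 403; }` guard that alertmanager.nix, loki.nix, prometheus.nix and (newly) radicale.nix apply to their locations, so Grafana appears to stay reachable from non-internal clients. If that is deliberate because Grafana has its own login, a one-line comment on the `locations."/"` block would stop the next reader from treating it as an omission, e.g. `# Intentionally not restricted to $internal: Grafana authenticates users itself.`; otherwise the same `extraConfig` block belongs here too. Whether `$internal` is defined for this vhost cannot be confirmed from the diff. The enclosing `nixfiles.modules` set continues past the end of this hunk.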
@@ -68,6 +71,8 @@ in {
           secretKeyFile = grafana-key.path;
           adminPasswordFile = grafana-admin-password.path;
         };
+
+        extraOptions.LOG_LEVEL = "warn";
       };
 
       postgresql = {
diff --git a/modules/nixfiles/loki.nix b/modules/nixfiles/loki.nix
index 27217bd..c1dc136 100644
--- a/modules/nixfiles/loki.nix
+++ b/modules/nixfiles/loki.nix
@@ -8,7 +8,6 @@ with lib; let
   cfg = config.nixfiles.modules.loki;
 in {
   options.nixfiles.modules.loki = {
-    # TODO Figure out why this shit refuses to work with my configuraiton.
     enable = mkEnableOption "Whether to enable Loki.";
 
     port = mkOption {
@@ -20,20 +19,14 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = config.nixfiles.modules.monitoring.domain;
-    };
-
-    path = mkOption {
-      description = "Path.";
-      type = with types; str;
-      default = "/loki";
+      default = "loki.${config.networking.domain}";
     };
   };
 
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      virtualHosts.${domain}.locations.${path} = {
+      virtualHosts.${domain}.locations."/" = {
         proxyPass = "http://127.0.0.1:${toString port}";
         extraConfig = ''
           if ($internal != 1) {
@@ -52,7 +45,6 @@ in {
         server = rec {
           http_listen_address = "127.0.0.1";
           http_listen_port = cfg.port;
-          http_path_prefix = cfg.path;
 
           grpc_listen_address = "127.0.0.1";
           grpc_listen_port = http_listen_port + 1;
diff --git a/modules/nixfiles/monitoring.nix b/modules/nixfiles/monitoring.nix
index 6db74d4..ceb40d0 100644
--- a/modules/nixfiles/monitoring.nix
+++ b/modules/nixfiles/monitoring.nix
@@ -7,39 +7,19 @@
 with lib; let
   cfg = config.nixfiles.modules.monitoring;
 in {
-  options.nixfiles.modules.monitoring = {
-    enable = mkEnableOption ''
-      Whether to enable custom monitoring stack.
+  options.nixfiles.modules.monitoring.enable = mkEnableOption ''
+    Whether to enable custom monitoring stack.
 
-      Currently this configures and enables Grafana, Loki, Prometheus and
-      Alertmanager.
-    '';
-
-    domain = mkOption {
-      description = "Domain name sans protocol scheme.";
-      type = with types; nullOr str;
-      default = "monitoring.${config.networking.domain}";
-    };
-  };
+    Currently this configures and enables Grafana, Loki, Prometheus and
+    Alertmanager.
+  '';
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
-      grafana = {
-        enable = true;
-        inherit (cfg) domain;
-      };
-      loki = {
-        enable = true;
-        inherit (cfg) domain;
-      };
-      prometheus = {
-        enable = true;
-        inherit (cfg) domain;
-      };
-      alertmanager = {
-        enable = true;
-        inherit (cfg) domain;
-      };
+      grafana.enable = true;
+      loki.enable = true;
+      prometheus.enable = true;
+      alertmanager.enable = true;
     };
 
     services = {
@@ -50,14 +30,14 @@ in {
             name = "Prometheus";
             type = "prometheus";
             access = "proxy";
-            url = with prometheus; "https://${domain}${path}";
+            url = "https://${prometheus.domain}";
             isDefault = true;
           }
           {
             name = "Loki";
             type = "loki";
             access = "proxy";
-            url = with loki; "https://${domain}${path}";
+            url = "https://${loki.domain}";
           }
         ];
         # TODO Move dashboards to this repository.
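Review bot: The datasource URLs `"https://${prometheus.domain}"` and `"https://${loki.domain}"` route Grafana's scrapes out through DNS, TLS and the nginx `$internal` check even though this module enables all four services on the same host and each one listens on `127.0.0.1` (see the `proxyPass` lines in the per-service modules). If `prometheus`/`loki` here are the module configs, which also expose `port`, pointing the datasources at `"http://127.0.0.1:${toString prometheus.port}"` and `"http://127.0.0.1:${toString loki.port}"` removes three failure modes from the monitoring path; the same applies to `loki.configuration.ruler.alertmanager_url` and the Prometheus `alertmanagers` target in the next hunk. This is inferred from the enables above, so it needs confirming that the services are never split across hosts. The `datasources` list continues past the end of this hunk.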
@@ -100,13 +80,12 @@ in {
         ];
       };
 
-      loki.configuration.ruler.alertmanager_url = with config.nixfiles.modules.alertmanager; "https://${domain}${path}";
+      loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}";
 
       prometheus.alertmanagers = [
         {
           scheme = "https";
-          path_prefix = config.nixfiles.modules.alertmanager.path;
-          static_configs = [{targets = [cfg.domain];}];
+          static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}];
         }
       ];
     };
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index f328b5c..c8ed44b 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -99,9 +99,12 @@ in {
                       ns1 = manwe;
                       # ns2 = varda;
 
+                      alertmanager = manwe;
                       flood = yavanna;
                       gotify = manwe;
-                      monitoring = manwe;
+                      grafana = manwe;
+                      loki = manwe;
+                      prometheus = manwe;
                       radicale = varda;
                       rss-bridge = varda;
                       vaultwarden = varda;
diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix
index d0e7ed7..3196654 100644
--- a/modules/nixfiles/profiles/dev/containers/default.nix
+++ b/modules/nixfiles/profiles/dev/containers/default.nix
@@ -26,6 +26,7 @@ in {
           WERF_LOG_PRETTY = "false";
           WERF_LOG_VERBOSE = "true";
           WERF_SYNCHRONIZATION = ":local";
+          WERF_TELEMETRY = 0;
         };
 
         file.".minikube/config/config.json".text = generators.toJSON {} {
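Review bot: `WERF_TELEMETRY = 0;` is the only integer in an attribute set whose other entries are strings (`"false"`, `"true"`, `":local"`); if the option this set feeds is typed as strings, evaluation fails, and even where ints are accepted the mixed types read as accidental. For consistency with its siblings: `WERF_TELEMETRY = "0";`. The enclosing attribute set starts outside this hunk, so its option type cannot be checked from the diff.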
diff --git a/modules/nixfiles/prometheus.nix b/modules/nixfiles/prometheus.nix
index b67dd2e..96e74f7 100644
--- a/modules/nixfiles/prometheus.nix
+++ b/modules/nixfiles/prometheus.nix
@@ -18,20 +18,14 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = config.nixfiles.modules.monitoring.domain;
-    };
-
-    path = mkOption {
-      description = "Path.";
-      type = with types; str;
-      default = "/prometheus";
+      default = "prometheus.${config.networking.domain}";
     };
   };
 
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      virtualHosts.${domain}.locations.${path} = {
+      virtualHosts.${domain}.locations."/" = {
         proxyPass = with cfg; "http://127.0.0.1:${toString port}";
         extraConfig = ''
           if ($internal != 1) {
@@ -48,9 +42,7 @@ in {
       inherit port;
 
       extraFlags = [
-        "--web.external-url=http${
-          optionalString config.nixfiles.modules.acme.enable "s"
-        }://${domain}${path}"
+        "--web.external-url=https://${domain}"
         "--storage.tsdb.retention.size=50GB"
         "--storage.tsdb.retention.time=1y"
         "--storage.tsdb.wal-compression"
diff --git a/modules/nixfiles/promtail.nix b/modules/nixfiles/promtail.nix
index ba4e635..e3d7428 100644
--- a/modules/nixfiles/promtail.nix
+++ b/modules/nixfiles/promtail.nix
@@ -14,7 +14,7 @@ in {
       url = mkOption {
         description = "Address of a listening Loki service.";
         type = with types; str;
-        default = with config.nixfiles.modules.loki; "https://${domain}${path}";
+        default = "https://${config.nixfiles.modules.loki.domain}";
       };
     };
   };
diff --git a/modules/nixfiles/radicale.nix b/modules/nixfiles/radicale.nix
index 8286be1..ed1fc4f 100644
--- a/modules/nixfiles/radicale.nix
+++ b/modules/nixfiles/radicale.nix
@@ -29,7 +29,14 @@ in {
 
       nixfiles.modules.nginx = {
         enable = true;
-        virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+        virtualHosts.${cfg.domain}.locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString port}";
+          extraConfig = ''
+            if ($internal != 1) {
+              return 403;
+            }
+          '';
+        };
       };
 
       services.radicale = {
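Review bot: The `if ($internal != 1) { return 403; }` snippet added here is now repeated verbatim in four modules (alertmanager.nix, loki.nix, prometheus.nix, radicale.nix), and a drift in one copy would silently widen exposure. Consider hoisting it into the nginx module as a per-location boolean option so call sites become a single line; the option name is to be chosen, and `$internal` itself is set outside this diff, so its definition should be documented where that option lives. A short comment at this location, e.g. `# Restrict to clients nginx has classified as internal.`, would help until then. The enclosing `config` block starts outside this hunk.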
diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix
index 5a973cc..44465d9 100644
--- a/modules/nixfiles/syncthing.nix
+++ b/modules/nixfiles/syncthing.nix
@@ -17,14 +17,14 @@ in {
       default = "syncthing.${config.networking.fqdn}";
     };
 
-    # TODO Make this simpler.
+    # TODO Set this automatically shire on the hostname.
     cert = mkOption {
       description = "Path to the cert file.";
       type = with types; nullOr string;
       default = null;
     };
 
-    # TODO Make this simpler.
+    # TODO Set this automatically shire on the hostname.
     key = mkOption {
       description = "Path to the key file.";
       type = with types; nullOr string;
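Review bot: The new TODO text `Set this automatically shire on the hostname.` is not a sentence; it reads as a typo for "based on the hostname", and the same wording appears on the `key` option below and in wireguard.nix. Suggested: `# TODO Derive this automatically from the hostname.`. While touching these options, the context lines use `nullOr string`; `types.string` is deprecated in nixpkgs in favour of `types.str`, which the `domain` option in this file already uses. The `options` set continues past the end of this hunk.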
@@ -84,21 +84,14 @@ in {
           };
           trashcan = {
             type = "trashcan";
-            params.cleanoutDays = "30";
-          };
-          void = {
-            type = "external";
-            params.versionPath = with pkgs;
-              writeShellScriptBin "backup" ''
-                ${coreutils-full}/bin/rm -rf $1/$2
-              '';
+            params.cleanoutDays = "7";
           };
         in
           with config.hm.xdg.userDirs; {
             share = {
               path = publicShare;
               devices = notHeadless;
-              versioning = void;
+              versioning = trashcan;
             };
             pass = {
               path =
@@ -124,7 +117,7 @@ in {
             vidya = {
               path = "${documents}/vidya";
               devices = notOther;
-              versioning = void;
+              versioning = trashcan;
             };
           };
 
@@ -134,9 +127,13 @@ in {
             insecureSkipHostcheck = this.isHeadless;
           };
           options = {
-            # Only local discovery is used over VPN.
-            globalAnnounceEnabled = false;
+            autoUpgradeIntervalH = 0;
+            crashReportingEnabled = false;
+            globalAnnounceEnabled = false; # We don't need that with Wireguard.
             relaysEnabled = false;
+            setLowPriority = this.isHeadless;
+            stunKeepaliveMinS = 0;
+            stunKeepaliveStartS = 0;
             urAccepted = -1;
           };
         };
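Review bot: `autoUpgradeIntervalH = 0;`, `stunKeepaliveMinS = 0;` and `stunKeepaliveStartS = 0;` each disable a Syncthing behaviour without saying why, whereas `globalAnnounceEnabled` got an inline reason. Self-upgrade is moot on NixOS where the binary comes from the store, and STUN is only useful with global discovery, which is already off; recording that keeps the next reader from re-enabling them, e.g. `autoUpgradeIntervalH = 0; # Upgrades are managed by Nix, not by Syncthing.` and `stunKeepaliveMinS = 0; # No STUN needed without global discovery or relays.`. The reasons given here are inferred from the surrounding options, so adjust if the intent differs. The enclosing `options` set ends inside this hunk but its parent continues beyond it.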
diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix
index 1da3e74..e35d0ee 100644
--- a/modules/nixfiles/wireguard.nix
+++ b/modules/nixfiles/wireguard.nix
@@ -9,7 +9,7 @@ with lib; let
   cfg = config.nixfiles.modules.wireguard;
 in {
   options.nixfiles.modules.wireguard = {
-    # TODO Make this simpler.
+    # TODO Set this automatically shire on the hostname.
     privateKeyFile = mkOption {
       description = "Path to the private key file.";
       type = with types; nullOr string;
