author | Azat Bahawi <azat@bahawi.net> | 2022-08-13 12:48:36 +0300 |
committer | Azat Bahawi <azat@bahawi.net> | 2022-08-13 12:48:36 +0300 |
commit | 44d0f54b477ca1d370d0b6c2fa06f5400e151e42 (patch) | |
tree | 6de343568f70d643eb897a14f44fca5ba92b3105 /modules | |
parent | 2022-08-12 (diff) |
2022-08-13
Diffstat (limited to 'modules')
-rw-r--r-- | modules/nixfiles/alertmanager.nix | 19 | ||||
-rw-r--r-- | modules/nixfiles/common/users.nix | 4 | ||||
-rw-r--r-- | modules/nixfiles/grafana.nix | 9 | ||||
-rw-r--r-- | modules/nixfiles/loki.nix | 12 | ||||
-rw-r--r-- | modules/nixfiles/monitoring.nix | 47 | ||||
-rw-r--r-- | modules/nixfiles/nsd.nix | 5 | ||||
-rw-r--r-- | modules/nixfiles/profiles/dev/containers/default.nix | 1 | ||||
-rw-r--r-- | modules/nixfiles/prometheus.nix | 14 | ||||
-rw-r--r-- | modules/nixfiles/promtail.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/radicale.nix | 9 | ||||
-rw-r--r-- | modules/nixfiles/syncthing.nix | 25 | ||||
-rw-r--r-- | modules/nixfiles/wireguard.nix | 2 |
12 files changed, 59 insertions, 90 deletions
diff --git a/modules/nixfiles/alertmanager.nix b/modules/nixfiles/alertmanager.nix index e067cd1..d903ee3 100644 --- a/modules/nixfiles/alertmanager.nix +++ b/modules/nixfiles/alertmanager.nix @@ -18,21 +18,15 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; nullOr str; - default = config.nixfiles.modules.monitoring.domain; - }; - - path = mkOption { - description = "Path."; - type = with types; str; - default = "/alertmanager"; + default = "alertmanager.${config.networking.domain}"; }; }; config = mkIf cfg.enable { nixfiles.modules.nginx = with cfg; { enable = true; - virtualHosts.${cfg.domain}.locations.${path} = { - proxyPass = "http://127.0.0.1:${toString port}${path}"; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; extraConfig = '' if ($internal != 1) { return 403; @@ -50,13 +44,8 @@ in { listenAddress = "127.0.0.1"; inherit (cfg) port; - extraFlags = [ - "--web.external-url=http${ - optionalString acme "s" - }://${cfg.domain}${cfg.path}" - ]; + extraFlags = ["--web.external-url=https://${cfg.domain}"]; - # TODO Make an option. configuration = { global = { smtp_from = "alertmanager@${my.domain.shire}"; diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix index 0878db6..c761f55 100644 --- a/modules/nixfiles/common/users.nix +++ b/modules/nixfiles/common/users.nix @@ -6,12 +6,16 @@ with lib; { mutableUsers = false; users = { + # This will unset the root password so that it would be impossible to + # login as it directory. The root user will still be accessable via + # `sudo`. root.hashedPassword = "[REDACTED]"; ${my.username} = { isNormalUser = true; uid = 1000; description = my.fullname; + # TODO Consider switching to passwordFile inherit (my) hashedPassword; openssh.authorizedKeys.keys = [my.ssh.key]; extraGroups = ["wheel"]; diff --git a/modules/nixfiles/grafana.nix b/modules/nixfiles/grafana.nix index 4340f04..c2954bd 100644 
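Review bot: The `domain` option keeps `type = with types; nullOr str;` while its new default is the non-null string `"alertmanager.${config.networking.domain}"`, so the `nullOr` no longer describes a state the module can use — a null domain would not yield a usable `virtualHosts.${cfg.domain}` entry. The loki.nix and prometheus.nix hunks already declare the same option as `type = with types; str;`, and the grafana.nix hunk (`default = "grafana.${config.networking.domain}"`) has the same `nullOr str` mismatch. Changing both to `type = with types; str;` makes a missing domain fail at evaluation with a clear type error instead of surfacing later in the nginx attribute path.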
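Review bot: The new `extraFlags = ["--web.external-url=https://${cfg.domain}"];` drops the `optionalString acme "s"` conditional, so the URL Alertmanager advertises in its UI and notifications claims TLS even when the ACME module is disabled; the prometheus.nix hunk (`"--web.external-url=https://${domain}"`) makes the same assumption, as do the `https://` datasource and alertmanager URLs in monitoring.nix and promtail.nix. If TLS is now mandatory for this stack, an assertion such as `assertions = [{ assertion = config.nixfiles.modules.acme.enable; message = "alertmanager assumes TLS via acme"; }];` turns a plain-http deployment into an evaluation error rather than a wrong advertised URL. Whether the nginx module itself forces TLS for these vhosts is outside the diff.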
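Review bot: The new comment above `root.hashedPassword` has two typos — `directory` should be `directly` and `accessable` should be `accessible` — and its claim is worth tightening. The value is redacted on this page, so the "unset" wording cannot be checked from the diff; if the intent is to lock the account, the conventional locked hash is `"!"`, and the comment could say so directly, e.g. `# Lock the root account: no direct login, reach root through sudo (wheel) instead.`. The added `# TODO Consider switching to passwordFile` is the right direction, since a hash written in the module ends up in the world-readable store; with `mutableUsers = false` in context, the referenced file must be present at activation.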
--- a/modules/nixfiles/grafana.nix +++ b/modules/nixfiles/grafana.nix @@ -19,7 +19,7 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; nullOr str; - default = null; + default = "grafana.${config.networking.domain}"; }; }; @@ -40,7 +40,10 @@ in { nixfiles.modules = { nginx = { enable = true; - virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + proxyWebsockets = true; + }; }; postgresql.enable = true; }; @@ -68,6 +71,8 @@ in { secretKeyFile = grafana-key.path; adminPasswordFile = grafana-admin-password.path; }; + + extraOptions.LOG_LEVEL = "warn"; }; postgresql = { diff --git a/modules/nixfiles/loki.nix b/modules/nixfiles/loki.nix index 27217bd..c1dc136 100644 --- a/modules/nixfiles/loki.nix +++ b/modules/nixfiles/loki.nix @@ -8,7 +8,6 @@ with lib; let cfg = config.nixfiles.modules.loki; in { options.nixfiles.modules.loki = { - # TODO Figure out why this shit refuses to work with my configuraiton. enable = mkEnableOption "Whether to enable Loki."; port = mkOption { @@ -20,20 +19,14 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; str; - default = config.nixfiles.modules.monitoring.domain; - }; - - path = mkOption { - description = "Path."; - type = with types; str; - default = "/loki"; + default = "loki.${config.networking.domain}"; }; }; config = mkIf cfg.enable { nixfiles.modules.nginx = with cfg; { enable = true; - virtualHosts.${domain}.locations.${path} = { + virtualHosts.${domain}.locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; extraConfig = '' if ($internal != 1) { @@ -52,7 +45,6 @@ in { server = rec { http_listen_address = "127.0.0.1"; http_listen_port = cfg.port; - http_path_prefix = cfg.path; grpc_listen_address = "127.0.0.1"; grpc_listen_port = http_listen_port + 1; 
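Review bot: `extraOptions.LOG_LEVEL = "warn";` silences every info-level line from Grafana, and among the vhosts in this commit Grafana is the only one exposed without the `$internal` nginx gate, so its own log is the main record of who authenticated. If login successes and failures are emitted at info in the Grafana version in use (worth checking), the new level removes them from the journal that Promtail ships to Loki. A comment recording the intent, e.g. `# LOG_LEVEL=warn drops request logging; confirm login/auth events still appear at this level`, or keeping `info` and filtering noise in Loki, would make the trade-off explicit. The `proxyWebsockets = true` addition in the nginx hunk looks right for live dashboards.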
diff --git a/modules/nixfiles/monitoring.nix b/modules/nixfiles/monitoring.nix index 6db74d4..ceb40d0 100644 --- a/modules/nixfiles/monitoring.nix +++ b/modules/nixfiles/monitoring.nix @@ -7,39 +7,19 @@ with lib; let cfg = config.nixfiles.modules.monitoring; in { - options.nixfiles.modules.monitoring = { - enable = mkEnableOption '' - Whether to enable custom monitoring stack. + options.nixfiles.modules.monitoring.enable = mkEnableOption '' + Whether to enable custom monitoring stack. - Currently this configures and enables Grafana, Loki, Prometheus and - Alertmanager. - ''; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; nullOr str; - default = "monitoring.${config.networking.domain}"; - }; - }; + Currently this configures and enables Grafana, Loki, Prometheus and + Alertmanager. + ''; config = mkIf cfg.enable { nixfiles.modules = { - grafana = { - enable = true; - inherit (cfg) domain; - }; - loki = { - enable = true; - inherit (cfg) domain; - }; - prometheus = { - enable = true; - inherit (cfg) domain; - }; - alertmanager = { - enable = true; - inherit (cfg) domain; - }; + grafana.enable = true; + loki.enable = true; + prometheus.enable = true; + alertmanager.enable = true; }; services = { @@ -50,14 +30,14 @@ in { name = "Prometheus"; type = "prometheus"; access = "proxy"; - url = with prometheus; "https://${domain}${path}"; + url = "https://${prometheus.domain}"; isDefault = true; } { name = "Loki"; type = "loki"; access = "proxy"; - url = with loki; "https://${domain}${path}"; + url = "https://${loki.domain}"; } ]; # TODO Move dashboards to this repository. 
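Review bot: The datasource URLs `url = "https://${prometheus.domain}";` and `url = "https://${loki.domain}";` send Grafana's server-side (`access = "proxy"`) queries out through the public nginx vhosts, which in the prometheus.nix and loki.nix hunks return 403 unless `$internal` is set; the same holds for `loki.configuration.ruler.alertmanager_url` in the next hunk and for promtail's new default `url`. This works only while the host's own source address is classified as internal, and it adds a TLS round-trip for what is loopback traffic when all four services are enabled together by this module. `url = "http://127.0.0.1:${toString prometheus.port}"` (and likewise for Loki) would remove the dependency on the nginx gate; if the split-host case is the reason for the subdomain form, a comment saying so would help the next reader.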
@@ -100,13 +80,12 @@ in { ]; }; - loki.configuration.ruler.alertmanager_url = with config.nixfiles.modules.alertmanager; "https://${domain}${path}"; + loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}"; prometheus.alertmanagers = [ { scheme = "https"; - path_prefix = config.nixfiles.modules.alertmanager.path; - static_configs = [{targets = [cfg.domain];}]; + static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}]; } ]; }; diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix index f328b5c..c8ed44b 100644 --- a/modules/nixfiles/nsd.nix +++ b/modules/nixfiles/nsd.nix @@ -99,9 +99,12 @@ in { ns1 = manwe; # ns2 = varda; + alertmanager = manwe; flood = yavanna; gotify = manwe; - monitoring = manwe; + grafana = manwe; + loki = manwe; + prometheus = manwe; radicale = varda; rss-bridge = varda; vaultwarden = varda; diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix index d0e7ed7..3196654 100644 --- a/modules/nixfiles/profiles/dev/containers/default.nix +++ b/modules/nixfiles/profiles/dev/containers/default.nix @@ -26,6 +26,7 @@ in { WERF_LOG_PRETTY = "false"; WERF_LOG_VERBOSE = "true"; WERF_SYNCHRONIZATION = ":local"; + WERF_TELEMETRY = 0; }; file.".minikube/config/config.json".text = generators.toJSON {} { diff --git a/modules/nixfiles/prometheus.nix b/modules/nixfiles/prometheus.nix index b67dd2e..96e74f7 100644 --- a/modules/nixfiles/prometheus.nix +++ b/modules/nixfiles/prometheus.nix 
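Review bot: `WERF_TELEMETRY = 0;` is the only non-string value in an attribute set whose neighbours are `"false"`, `"true"` and `":local"`, so it either relies on the enclosing option (declared outside this hunk) coercing integers or it fails evaluation. Writing `WERF_TELEMETRY = "0";` keeps the set uniform and sidesteps the question. Opting out of telemetry in a dev container is a sensible default; a one-line `# Opt out of werf usage telemetry.` would record the intent.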
@@ -18,20 +18,14 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; str; - default = config.nixfiles.modules.monitoring.domain; - }; - - path = mkOption { - description = "Path."; - type = with types; str; - default = "/prometheus"; + default = "prometheus.${config.networking.domain}"; }; }; config = mkIf cfg.enable { nixfiles.modules.nginx = with cfg; { enable = true; - virtualHosts.${domain}.locations.${path} = { + virtualHosts.${domain}.locations."/" = { proxyPass = with cfg; "http://127.0.0.1:${toString port}"; extraConfig = '' if ($internal != 1) { @@ -48,9 +42,7 @@ in { inherit port; extraFlags = [ - "--web.external-url=http${ - optionalString config.nixfiles.modules.acme.enable "s" - }://${domain}${path}" + "--web.external-url=https://${domain}" "--storage.tsdb.retention.size=50GB" "--storage.tsdb.retention.time=1y" "--storage.tsdb.wal-compression" diff --git a/modules/nixfiles/promtail.nix b/modules/nixfiles/promtail.nix index ba4e635..e3d7428 100644 --- a/modules/nixfiles/promtail.nix +++ b/modules/nixfiles/promtail.nix @@ -14,7 +14,7 @@ in { url = mkOption { description = "Address of a listening Loki service."; type = with types; str; - default = with config.nixfiles.modules.loki; "https://${domain}${path}"; + default = "https://${config.nixfiles.modules.loki.domain}"; }; }; }; diff --git a/modules/nixfiles/radicale.nix b/modules/nixfiles/radicale.nix index 8286be1..ed1fc4f 100644 --- a/modules/nixfiles/radicale.nix +++ b/modules/nixfiles/radicale.nix @@ -29,7 +29,14 @@ in { nixfiles.modules.nginx = { enable = true; - virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + extraConfig = '' + if ($internal != 1) { + return 403; + } + ''; + }; }; services.radicale = { diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix index 5a973cc..44465d9 100644 
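Review bot: The new `if ($internal != 1) { return 403; }` block puts a network-level gate in front of Radicale's own authentication, but `$internal` is not defined in this file, so a reader of radicale.nix cannot tell what qualifies as internal; a comment such as `# Restrict to internal clients; $internal is presumably set by the nginx module (confirm).` would help. The gate fails closed: an empty `$internal` compares unequal to `1` and returns 403, and a variable that is never declared anywhere is rejected at config test time, so dropping the definition cannot silently open the service. `return` is among the directives nginx documents as safe inside a location-level `if`, so the construct itself is fine.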
--- a/modules/nixfiles/syncthing.nix +++ b/modules/nixfiles/syncthing.nix @@ -17,14 +17,14 @@ in { default = "syncthing.${config.networking.fqdn}"; }; - # TODO Make this simpler. + # TODO Set this automatically shire on the hostname. cert = mkOption { description = "Path to the cert file."; type = with types; nullOr string; default = null; }; - # TODO Make this simpler. + # TODO Set this automatically shire on the hostname. key = mkOption { description = "Path to the key file."; type = with types; nullOr string; @@ -84,21 +84,14 @@ in { }; trashcan = { type = "trashcan"; - params.cleanoutDays = "30"; - }; - void = { - type = "external"; - params.versionPath = with pkgs; - writeShellScriptBin "backup" '' - ${coreutils-full}/bin/rm -rf $1/$2 - ''; + params.cleanoutDays = "7"; }; in with config.hm.xdg.userDirs; { share = { path = publicShare; devices = notHeadless; - versioning = void; + versioning = trashcan; }; pass = { path = @@ -124,7 +117,7 @@ in { vidya = { path = "${documents}/vidya"; devices = notOther; - versioning = void; + versioning = trashcan; }; }; @@ -134,9 +127,13 @@ in { insecureSkipHostcheck = this.isHeadless; }; options = { - # Only local discovery is used over VPN. - globalAnnounceEnabled = false; + autoUpgradeIntervalH = 0; + crashReportingEnabled = false; + globalAnnounceEnabled = false; # We don't need that with Wireguard. relaysEnabled = false; + setLowPriority = this.isHeadless; + stunKeepaliveMinS = 0; + stunKeepaliveStartS = 0; urAccepted = -1; }; }; diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix index 1da3e74..e35d0ee 100644 --- a/modules/nixfiles/wireguard.nix +++ b/modules/nixfiles/wireguard.nix @@ -9,7 +9,7 @@ with lib; let cfg = config.nixfiles.modules.wireguard; in { options.nixfiles.modules.wireguard = { - # TODO Make this simpler. + # TODO Set this automatically shire on the hostname. privateKeyFile = mkOption { description = "Path to the private key file."; type = with types; nullOr string; |
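Review bot: The replacement TODO `# TODO Set this automatically shire on the hostname.` reads as if a word is missing or out of place, and the same sentence is repeated for `key` below and in the wireguard.nix hunk, so whatever was meant should be fixed in all three. If "based on the hostname" is intended, `# TODO Derive this from the hostname automatically.` says it unambiguously; if `shire` refers to the domain used elsewhere in the repo, the sentence needs a preposition to make that clear.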
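Review bot: `params.cleanoutDays = "7";` cuts trashcan retention from 30 to 7 days in the same hunk that retires `void` (the external `rm -rf $1/$2` versioner) and moves `share` and `vidya` onto `trashcan`. For those two folders this is strictly better, since `void` discarded the old copy outright, but any folder that was already on `trashcan` now keeps deleted or overwritten files for a week instead of a month, and versioning is the only recovery path once a bad change has propagated to every device. A comment stating the reasoning, e.g. `# One week of deleted files; longer is wasteful on the headless mirrors.`, or a longer value for the folders that matter, would make the trade-off deliberate rather than incidental.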