Diffstat (limited to 'modules')
-rw-r--r--modules/common/common/nix/default.nix2
-rw-r--r--modules/nixos/git/default.nix6
-rw-r--r--modules/nixos/ipfs.nix21
-rw-r--r--modules/nixos/lidarr.nix13
-rw-r--r--modules/nixos/monitoring/rules/node.yaml19
-rw-r--r--modules/nixos/monitoring/rules/redis.yaml89
-rw-r--r--modules/nixos/mpd.nix2
-rw-r--r--modules/nixos/nsd.nix2
-rw-r--r--modules/nixos/radarr.nix13
-rw-r--r--modules/nixos/shadowsocks.nix2
-rw-r--r--modules/nixos/sonarr.nix13
-rw-r--r--modules/nixos/unbound.nix11
12 files changed, 53 insertions, 140 deletions
diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix
index dc73d68..dea9358 100644
--- a/modules/common/common/nix/default.nix
+++ b/modules/common/common/nix/default.nix
@@ -99,7 +99,7 @@ with lib; {
patches = [./patches/alejandra-no-ads.patch];
});
- inherit (pkgsPR "225109" "sha256-aLQcBwo2y92bn/nugidJtFCCEdkNOkSsTeoZ5B2Qt1c=") libvlc;
+ inherit (pkgsPR "225985" "sha256-wS8vyIEH2gFt3cLvSrROTULu8N8FCUle6cy2zqHN+VI=") mangohud;
}
// (with super; let
np = nodePackages;
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index fd25eec..62a200c 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -30,9 +30,9 @@ in {
locations = {
"/".extraConfig = let
cgitrc = pkgs.writeText "cgitrc" ''
- root-title=github sux >:^(
- root-desc=Homo sum, humani a me nihil alienum puto.
- footer=
+ root-title=github sux (⩺_⩹)
+ root-desc=https://github.com/azahi
+ footer=https://GiveUpGitHub.com
clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 68075ff..6d32ec6 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -60,6 +60,7 @@ in {
emptyRepo = true;
enableGC = true;
+ # https://github.com/ipfs/kubo/blob/master/docs/config.md
settings = mkMerge [
(
let
@@ -94,30 +95,18 @@ in {
"/ip4/0.0.0.0/tcp/${port}"
"/ip6/::/tcp/${port}"
"/ip4/0.0.0.0/udp/${port}/quic"
+ "/ip4/0.0.0.0/udp/${port}/quic-v1"
+ "/ip4/0.0.0.0/udp/${port}/quic-v1/webtransport"
"/ip6/::/udp/${port}/quic"
+ "/ip6/::/udp/${port}/quic-v1"
+ "/ip6/::/udp/${port}/quic-v1/webtransport"
];
NoAnnounce = filterAddresses;
};
Swarm.AddrFilters = filterAddresses;
- API.HTTPHeaders.Access-Control-Allow-Methods = [
- "GET"
- "POST"
- "PUT"
- ];
}
)
- (mkIf this.isHeadful {
- API.HTTPHeaders.Access-Control-Allow-Origin = ["*"];
- })
- (mkIf this.isHeadless {
- API.HTTPHeaders.Access-Control-Allow-Origin = map (v: "http${
- optionalString config.nixfiles.modules.acme.enable "s"
- }://${v}") (with cfg; [
- domain
- "api.${domain}"
- ]);
- })
];
};
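Review bot: After this hunk the `settings` merge carries no `API.HTTPHeaders` at all, and nothing on the new side records that this is deliberate. The Kubo RPC API has no authentication by default, so a wildcard origin should not come back by accident. I would add a comment after `Swarm.AddrFilters = filterAddresses;` such as `# No API.HTTPHeaders CORS overrides on purpose: the RPC API is unauthenticated, keep Kubo's default origin policy.` The API listen address is set outside this hunk, so confirm it is still bound to loopback or sits behind an authenticating proxy.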
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index f73f917..8439ec0 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -12,7 +12,7 @@ in {
domain = mkOption {
description = "Domain name sans protocol scheme.";
type = with types; str;
- default = "lidarr.${config.networking.fqdn}";
+ default = "lidarr.${config.networking.domain}";
};
};
@@ -20,9 +20,16 @@ in {
nixfiles.modules.nginx = {
enable = true;
upstreams.lidarr.servers."127.0.0.1:8686" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://lidarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://lidarr";
+ extraConfig = nginxInternalOnly;
+ };
};
- services.lidarr.enable = true;
+ services.lidarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
};
}
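Review bot: `user = "rtorrent"; group = "rtorrent";` at the end of this hunk runs the Lidarr web application under the same account as the torrent client, so a compromise of either service reaches the other's files and anything else that account owns. The same two lines are added in radarr.nix and sonarr.nix. Keeping each service's default user and sharing only the group, i.e. dropping `user = "rtorrent";` and keeping `group = "rtorrent";` with a group-writable download directory, gives the shared file access without a shared identity. `nginxInternalOnly` is defined outside the visible lines; it presumably restricts the vhost by source address, which is worth confirming now that the default domain moves to `config.networking.domain`.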
diff --git a/modules/nixos/monitoring/rules/node.yaml b/modules/nixos/monitoring/rules/node.yaml
index 98217b3..eee5939 100644
--- a/modules/nixos/monitoring/rules/node.yaml
+++ b/modules/nixos/monitoring/rules/node.yaml
@@ -238,28 +238,11 @@ groups:
VALUE = {{ $value }}
LABELS = {{ $labels }}
- - alert: HostCpuStealNoisyNeighbor
- expr: >-
- avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m]))
- * 100
- > 15
- for: 0m
- labels:
- severity: warning
- annotations:
- summary: Host CPU steal noisy neighbor at {{ $labels.instance }}.
- description: |-
- CPU steal is > 10%. A noisy neighbor is killing VM performances or a
- spot instance may be out of credit.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- alert: HostCpuHighIowait
expr: |-
avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m]))
* 100
- > 15
+ > 50
for: 0m
labels:
severity: warning
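Review bot: The HostCpuHighIowait expression now fires at `> 50`, but the alert's `description` lies below the end of this hunk and may still quote the old figure. The removed steal rule shows that this drift already happened once in this file (`> 15` in the expression, "> 10%" in the text). If the description names a percentage, update it to match, or drop the number and rely on `VALUE = {{ $value }}`.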
diff --git a/modules/nixos/monitoring/rules/redis.yaml b/modules/nixos/monitoring/rules/redis.yaml
index c07c819..b47c313 100644
--- a/modules/nixos/monitoring/rules/redis.yaml
+++ b/modules/nixos/monitoring/rules/redis.yaml
@@ -17,95 +17,6 @@ groups:
VALUE = {{ $value }}
LABELS = {{ $labels }}
- - alert: RedisMissingMaster
- expr: >-
- (count(redis_instance_info{role="master"}) or vector(0))
- < 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis missing master at {{ $labels.instance }}).
- description: |-
- Redis cluster has no node marked as a master.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisTooManyMasters
- expr: >-
- count(redis_instance_info{role="master"}) > 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis too many masters at {{ $labels.instance }}.
- description: |-
- Redis cluster has too many nodes marked as a master.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisDisconnectedSlaves
- expr: >-
- count without (instance, job) (redis_connected_slaves)
- - sum without (instance, job) (redis_connected_slaves)
- - 1
- > 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis disconnected slaves at {{ $labels.instance }}.
- description: |-
- Redis is not replicating for all slaves.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisReplicationBroken
- expr: >-
- delta(redis_connected_slaves[1m]) < 0
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis replication broken at {{ $labels.instance }}.
- description: |-
- Redis instance lost a slave.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisClusterFlapping
- expr: >-
- changes(redis_connected_slaves[1m]) > 1
- for: 2m
- labels:
- severity: critical
- annotations:
- summary: Redis cluster flapping at {{ $labels.instance }}.
- description: |-
- Changes have been detected in the Redis replica connection. This can occur when replica nodes lose connection to the master and reconnect (a.k.a flapping).
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisMissingBackup
- expr: >-
- time() - redis_rdb_last_save_timestamp_seconds
- > 60 * 60 * 24
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis missing backup at {{ $labels.instance }}.
- description: |-
- Redis has not been backed up for 24 hours.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- alert: RedisOutOfSystemMemory
expr: >-
redis_memory_used_bytes
diff --git a/modules/nixos/mpd.nix b/modules/nixos/mpd.nix
index b38ab9f..6db83f8 100644
--- a/modules/nixos/mpd.nix
+++ b/modules/nixos/mpd.nix
@@ -10,6 +10,8 @@ in {
options.nixfiles.modules.mpd.enable = mkEnableOption "MPD and its clients.";
config = mkIf cfg.enable {
+ nixfiles.modules.sound.enable = true;
+
hm = {
home.packages = with pkgs; [mpc_cli];
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index d2ab117..3659a7a 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -109,7 +109,6 @@ in {
alertmanager = manwe;
bitwarden = manwe;
git = manwe;
- gotify = manwe;
grafana = manwe;
loki = manwe;
ntfy = manwe;
@@ -119,6 +118,7 @@ in {
vaultwarden = manwe;
flood = yavanna;
+ lidarr = yavanna;
};
}
];
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 0abfdf2..c706eae 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -12,7 +12,7 @@ in {
domain = mkOption {
description = "Domain name sans protocol scheme.";
type = with types; str;
- default = "radarr.${config.networking.fqdn}";
+ default = "radarr.${config.networking.domain}";
};
};
@@ -20,9 +20,16 @@ in {
nixfiles.modules.nginx = {
enable = true;
upstreams.radarr.servers."127.0.0.1:7878" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://radarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://radarr";
+ extraConfig = nginxInternalOnly;
+ };
};
- services.radarr.enable = true;
+ services.radarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
};
}
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index b59359c..f9997ba 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -105,7 +105,7 @@ in {
"net.ipv4.ip_local_port_range" = "10000 65000";
"net.ipv4.tcp_max_syn_backlog" = pow 2 13;
"net.ipv4.tcp_max_tw_buckets" = pow 2 12;
- "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_fastopen" = mkOverride 100 3;
"net.ipv4.tcp_mem" = mkOverride 100 (mkTcpMem 15 16 17);
"net.ipv4.tcp_rmem" = mkOverride 100 (mkTcpMem 12 16 26);
"net.ipv4.tcp_wmem" = mkOverride 100 (mkTcpMem 12 16 26);
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 8c79175..5990ff1 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -12,7 +12,7 @@ in {
domain = mkOption {
description = "Domain name sans protocol scheme.";
type = with types; str;
- default = "sonarr.${config.networking.fqdn}";
+ default = "sonarr.${config.networking.domain}";
};
};
@@ -20,9 +20,16 @@ in {
nixfiles.modules.nginx = {
enable = true;
upstreams.sonarr.servers."127.0.0.1:8989" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://sonarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://sonarr";
+ extraConfig = nginxInternalOnly;
+ };
};
- services.sonarr.enable = true;
+ services.sonarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
};
}
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 2291cc7..79d52eb 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -86,13 +86,16 @@ in {
"${ipv6.subnet} allow"
];
- private-domain = cfg.domain;
+ private-domain = "${cfg.domain}.";
private-address = with config.nixfiles.modules.wireguard; [
ipv4.subnet
ipv6.subnet
];
- domain-insecure = cfg.domain;
+ cache-min-ttl = 0;
+
+ serve-expired = true;
+ serve-expired-reply-ttl = 0;
prefetch = true;
prefetch-key = true;
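Review bot: `serve-expired = true` is added without a bound on how stale an answer may be. Depending on the Unbound version's default for `serve-expired-ttl`, expired records can keep being served for as long as the upstream lookup fails, which can leave clients on addresses the owner has since released. I would add `serve-expired-ttl = 86400;` (or a shorter value) next to `serve-expired-reply-ttl = 0;`, and a one-line comment saying why `cache-min-ttl = 0` is spelled out. The enclosing settings block starts and ends outside this hunk.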
@@ -123,6 +126,8 @@ in {
};
};
+ enableRootTrustAnchor = true;
+
localControlSocketPath = "/run/unbound/unbound.socket";
};
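Review bot: With `enableRootTrustAnchor = true` and no `domain-insecure` entry left for `cfg.domain` on the new side, names under that domain are subject to DNSSEC validation. If the zone is reached through a stub or forward zone and is unsigned without a provably insecure delegation, its answers would validate as bogus and clients would see SERVFAIL; data served from local-zone entries is not affected. The zone definitions are outside the visible hunks, so a comment here stating which case applies would help, e.g. `# cfg.domain validates (signed or insecure delegation), so no domain-insecure override is needed`.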
@@ -174,5 +179,7 @@ in {
wantedBy = ["timers.target"];
};
};
+
+ boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
};
}