From 39ed30937ec29217820583e07ff1f447d08b9898 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Fri, 14 Apr 2023 02:51:09 +0300
Subject: 2023-04-14
---
 flake.lock | 78 ++++++++++++++++-----------
 lib/my.nix | 6 ++-
 modules/common/common/nix/default.nix | 2 +-
 modules/nixos/git/default.nix | 6 +--
 modules/nixos/ipfs.nix | 21 ++------
 modules/nixos/lidarr.nix | 13 +++-
 modules/nixos/monitoring/rules/node.yaml | 19 +------
 modules/nixos/monitoring/rules/redis.yaml | 89 -------------------------------
 modules/nixos/mpd.nix | 2 +
 modules/nixos/nsd.nix | 2 +-
 modules/nixos/radarr.nix | 13 +++-
 modules/nixos/shadowsocks.nix | 2 +-
 modules/nixos/sonarr.nix | 13 +++-
 modules/nixos/unbound.nix | 11 +++-
 nixosConfigurations/manwe/default.nix | 1 -
 nixosConfigurations/yavanna/default.nix | 15 ++----
 16 files changed, 108 insertions(+), 185 deletions(-)
diff --git a/flake.lock b/flake.lock
index 31fe897..0d30364 100644
--- a/flake.lock
+++ b/flake.lock
@@ -121,11 +121,11 @@
 ]
 },
 "locked": {
- "lastModified": 1680266963,
- "narHash": "sha256-IW/lzbUCOcldLHWHjNSg1YoViDnZOmz0ZJL7EH9OkV8=",
+ "lastModified": 1681154394,
+ "narHash": "sha256-avnu1K9AuouygBiwVKuDp6emiTET43az3rcpv0ctLjc=",
 "owner": "LnL7",
 "repo": "nix-darwin",
- "rev": "99d4187d11be86b49baa3a1aec0530004072374f",
+ "rev": "025912529dd0b31dead95519e944ea05f1ad56f2",
 "type": "github"
 },
 "original": {
@@ -179,11 +179,11 @@
 "flake-registry": {
 "flake": false,
 "locked": {
- "lastModified": 1674218164,
- "narHash": "sha256-oLNWhwrV252kiy2tGQwwJNKFR+iG0fjsw0GSE/XVTR8=",
+ "lastModified": 1681032461,
+ "narHash": "sha256-3xrrC7YpoajVynlvj0+iQev6PWJRjS213ulTi3HNLeo=",
 "owner": "NixOS",
 "repo": "flake-registry",
- "rev": "507c028d8d189b6647592dfd10ee677578de45a1",
+ "rev": "4ea5076e347dda44283714b8f4d580f6922064e9",
 "type": "github"
 },
 "original": {
@@ -194,12 +194,15 @@
 }
 },
 "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
 "locked": {
- "lastModified": 1680776469,
- "narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
+ "lastModified": 1681202837,
+ "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
+ "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
 "type": "github"
 },
 "original": {
@@ -240,11 +243,11 @@
 ]
 },
 "locked": {
- "lastModified": 1680667162,
- "narHash": "sha256-2vgxK4j42y73S3XB2cThz1dSEyK9J9tfu4mhuEfAw68=",
+ "lastModified": 1681250798,
+ "narHash": "sha256-fQMROyKzPFBPqJy9J4ffywm02ZuqAI0GW1O1QibVpdQ=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "440faf5ae472657ef2d8cc7756d77b6ab0ace68d",
+ "rev": "28698126bd825aff21cae9ffd15cf83e169051b0",
 "type": "github"
 },
 "original": {
@@ -296,11 +299,11 @@
 ]
 },
 "locked": {
- "lastModified": 1680830495,
- "narHash": "sha256-w7JCznnip3HcuviaSHRsSuMBTTSNBkEoS8NaYP0EE/E=",
+ "lastModified": 1681262808,
+ "narHash": "sha256-A4CCPgNUDTLnu7WNdcE0GD/IhcIdV9fmNvWl6bC5f8Q=",
 "owner": "Infinidoge",
 "repo": "nix-minecraft",
- "rev": "7407f3287a8e1f51b03d7a4de327c9ff318de0b9",
+ "rev": "2d5c4d090c759b7cf9ef6292f33d0702dab21d09",
 "type": "github"
 },
 "original": {
@@ -328,11 +331,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1680819799,
- "narHash": "sha256-zuHl2LNr1Bll64zfr7805Yvvu23S1e//5Up0oqvjknY=",
+ "lastModified": 1681358109,
+ "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "144133c526040a5140e89366ff72ac2d387e9bbb",
+ "rev": "96ba1c52e54e74c3197f4d43026b3f3d92e83ff9",
 "type": "github"
 },
 "original": {
@@ -344,11 +347,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1680882415,
- "narHash": "sha256-trt2pwLDu1+kEtp3bx2DiYgg8CFWNbes+ujdAtSBO/U=",
+ "lastModified": 1681414187,
+ "narHash": "sha256-Vwl5bTDAZA28/M0/31tBgKw9g+vnHtDm6m5EkG9rmHU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cd07e0258cf73e1bcbd0c9abc5513baa091ee801",
+ "rev": "f53d20ef81e9d98033ccf34509aace3e99dcfbb7",
 "type": "github"
 },
 "original": {
@@ -360,11 +363,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1680879128,
- "narHash": "sha256-ISFCCZ3/Dw5WK/6kFKwqA6gIEaOjqU/5NoB6Vge87sE=",
+ "lastModified": 1681411673,
+ "narHash": "sha256-23S0skJVstbQtrhy+65Bi4Jrdw74hY1OYbBnuuQausc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "fa98075869eb8264052548dde5c2ce9e68cf4cf1",
+ "rev": "80d54821fffaffbc90409a1262ea91071e0dff8f",
 "type": "github"
 },
 "original": {
@@ -410,11 +413,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1680878697,
- "narHash": "sha256-CKdUnm3Nuh0rWLXq9p/FHTop7SkYOO+4XRgRGumxc0M=",
+ "lastModified": 1681413105,
+ "narHash": "sha256-RVurZLx/l83DOSB2Uy92kGyuhMOc+jEieHvjtJy4t90=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "e3157bf0c8429092a4b84e45504ed8e3efb3a8d3",
+ "rev": "81da935a918fa216295272c576705f816f0fc36a",
 "type": "github"
 },
 "original": {
@@ -466,11 +469,11 @@
 ]
 },
 "locked": {
- "lastModified": 1680865110,
- "narHash": "sha256-SOBuUZe+icM5zqeEBGRY/fM6BDanEySw4Ph9TQgC3MY=",
+ "lastModified": 1681413034,
+ "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "a6a5e1fa5327a8809c51bc6c69407b8a76f1a4ec",
+ "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
 "type": "github"
 },
 "original": {
@@ -538,6 +541,21 @@
 "type": "gitlab"
 }
 },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "xmonad-ng": {
 "inputs": {
 "flake-utils": [
diff --git a/lib/my.nix b/lib/my.nix
index 96f26f3..77d3ea1 100644
--- a/lib/my.nix
+++ b/lib/my.nix
@@ -165,7 +165,6 @@ with lib;
 "bitwarden.${shire}"
 "git.${azahi}"
 "git.${shire}"
- "gotify.${shire}"
 "grafana.${shire}"
 "loki.${shire}"
 "ntfy.${shire}"
@@ -218,7 +217,10 @@ with lib;
 ipv6.address = "fd69::1:2";
 publicKey = "@PUBLIC_KEY@";
 };
- domains = with my.domain; ["flood.${shire}"];
+ domains = with my.domain; [
+ "flood.${shire}"
+ "lidarr.${shire}"
+ ];
 syncthing.id = "@SYNCTHING_ID@";
 };
diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix
index dc73d68..dea9358 100644
--- a/modules/common/common/nix/default.nix
+++ b/modules/common/common/nix/default.nix
@@ -99,7 +99,7 @@ with lib; {
 patches = [./patches/alejandra-no-ads.patch];
 });
- inherit (pkgsPR "225109" "sha256-aLQcBwo2y92bn/nugidJtFCCEdkNOkSsTeoZ5B2Qt1c=") libvlc;
+ inherit (pkgsPR "225985" "sha256-wS8vyIEH2gFt3cLvSrROTULu8N8FCUle6cy2zqHN+VI=") mangohud;
 }
 // (with super; let
 np = nodePackages;
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index fd25eec..62a200c 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -30,9 +30,9 @@ in {
 locations = {
 "/".extraConfig = let
 cgitrc = pkgs.writeText "cgitrc" ''
- root-title=github sux >:^(
- root-desc=Homo sum, humani a me nihil alienum puto.
- footer=
+ root-title=github sux (⩺_⩹)
+ root-desc=https://github.com/azahi
+ footer=https://GiveUpGitHub.com
 clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 68075ff..6d32ec6 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -60,6 +60,7 @@ in {
 emptyRepo = true;
 enableGC = true;
+ # https://github.com/ipfs/kubo/blob/master/docs/config.md
 settings = mkMerge [
 (
 let
@@ -94,30 +95,18 @@ in {
 "/ip4/0.0.0.0/tcp/${port}"
 "/ip6/::/tcp/${port}"
 "/ip4/0.0.0.0/udp/${port}/quic"
+ "/ip4/0.0.0.0/udp/${port}/quic-v1"
+ "/ip4/0.0.0.0/udp/${port}/quic-v1/webtransport"
 "/ip6/::/udp/${port}/quic"
+ "/ip6/::/udp/${port}/quic-v1"
+ "/ip6/::/udp/${port}/quic-v1/webtransport"
 ];
 NoAnnounce = filterAddresses;
 };
 Swarm.AddrFilters = filterAddresses;
- API.HTTPHeaders.Access-Control-Allow-Methods = [
- "GET"
- "POST"
- "PUT"
- ];
 }
 )
- (mkIf this.isHeadful {
- API.HTTPHeaders.Access-Control-Allow-Origin = ["*"];
- })
- (mkIf this.isHeadless {
- API.HTTPHeaders.Access-Control-Allow-Origin = map (v: "http${
- optionalString config.nixfiles.modules.acme.enable "s"
- }://${v}") (with cfg; [
- domain
- "api.${domain}"
- ]);
- })
 ];
 };
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index f73f917..8439ec0 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -12,7 +12,7 @@ in {
 domain = mkOption {
 description = "Domain name sans protocol scheme.";
 type = with types; str;
- default = "lidarr.${config.networking.fqdn}";
+ default = "lidarr.${config.networking.domain}";
 };
 };
@@ -20,9 +20,16 @@ in {
 nixfiles.modules.nginx = {
 enable = true;
 upstreams.lidarr.servers."127.0.0.1:8686" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://lidarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://lidarr";
+ extraConfig = nginxInternalOnly;
+ };
 };
- services.lidarr.enable = true;
+ services.lidarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
 };
 }
diff --git a/modules/nixos/monitoring/rules/node.yaml b/modules/nixos/monitoring/rules/node.yaml
index 98217b3..eee5939 100644
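Review bot: Removing the whole `API.HTTPHeaders` block leaves the Kubo RPC API without any CORS headers, which is presumably the stricter setting, but nothing in the hunk records that this is deliberate, so the next reader may simply restore `Access-Control-Allow-Origin = ["*"]` for the headful case; a one-line comment next to `Swarm.AddrFilters = filterAddresses;` such as `# No API.HTTPHeaders on purpose: browser clients are not expected to reach the RPC API.` would settle that. The added link comment points at `master` of the Kubo docs, which moves under the reader; pinning it to the tag of the deployed Kubo version keeps it accurate. The new `quic-v1` and `quic-v1/webtransport` entries bind `0.0.0.0` and `::` on the same UDP port as the existing `quic` entry, so whatever firewall rule already opens that UDP port presumably covers them, but that rule is outside this hunk and worth confirming. The `settings = mkMerge [ … ]` attribute these lines belong to starts before the second hunk.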
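Review bot: `user = "rtorrent"; group = "rtorrent";` runs Lidarr under the same identity as rtorrent, and modules/nixos/radarr.nix and modules/nixos/sonarr.nix in this commit do the same, so the three services and rtorrent can all read and rewrite each other's configuration and state databases and a compromise of any one of them is a compromise of all; the usual least-privilege shape keeps the per-service user and shares only the group, i.e. `group = "rtorrent";` alone plus a group-writable download directory. Changing the user also presumably leaves any pre-existing files under the service's state directory owned by the old per-service user, so the service should be checked on the host to confirm it still starts and can write its database after the switch. `nginxInternalOnly` is referenced but not bound inside the hunk; it must come from the module's `let`/`with` above. The enclosing `config` attribute set begins before the hunk.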
--- a/modules/nixos/monitoring/rules/node.yaml
+++ b/modules/nixos/monitoring/rules/node.yaml
@@ -238,28 +238,11 @@ groups:
 VALUE = {{ $value }}
 LABELS = {{ $labels }}
- - alert: HostCpuStealNoisyNeighbor
- expr: >-
- avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m]))
- * 100
- > 15
- for: 0m
- labels:
- severity: warning
- annotations:
- summary: Host CPU steal noisy neighbor at {{ $labels.instance }}.
- description: |-
- CPU steal is > 10%. A noisy neighbor is killing VM performances or a
- spot instance may be out of credit.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
 - alert: HostCpuHighIowait
 expr: |-
 avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m]))
 * 100
- > 15
+ > 50
 for: 0m
 labels:
 severity: warning
diff --git a/modules/nixos/monitoring/rules/redis.yaml b/modules/nixos/monitoring/rules/redis.yaml
index c07c819..b47c313 100644
--- a/modules/nixos/monitoring/rules/redis.yaml
+++ b/modules/nixos/monitoring/rules/redis.yaml
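Review bot: The iowait threshold moves from `> 15` to `> 50`, but the `annotations` of `HostCpuHighIowait` continue below the hunk, and the removed `HostCpuStealNoisyNeighbor` rule shows how such text drifts in this file — its description said `CPU steal is > 10%` while its `expr` fired at 15. Check that the iowait description now states 50%, or rephrase it so it does not repeat the number, e.g. `CPU iowait is above the alert threshold.`. The rule's `annotations` block ends outside the hunk.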
@@ -17,95 +17,6 @@ groups:
 VALUE = {{ $value }}
 LABELS = {{ $labels }}
- - alert: RedisMissingMaster
- expr: >-
- (count(redis_instance_info{role="master"}) or vector(0))
- < 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis missing master at {{ $labels.instance }}).
- description: |-
- Redis cluster has no node marked as a master.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisTooManyMasters
- expr: >-
- count(redis_instance_info{role="master"}) > 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis too many masters at {{ $labels.instance }}.
- description: |-
- Redis cluster has too many nodes marked as a master.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisDisconnectedSlaves
- expr: >-
- count without (instance, job) (redis_connected_slaves)
- - sum without (instance, job) (redis_connected_slaves)
- - 1
- > 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis disconnected slaves at {{ $labels.instance }}.
- description: |-
- Redis is not replicating for all slaves.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisReplicationBroken
- expr: >-
- delta(redis_connected_slaves[1m]) < 0
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis replication broken at {{ $labels.instance }}.
- description: |-
- Redis instance lost a slave.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisClusterFlapping
- expr: >-
- changes(redis_connected_slaves[1m]) > 1
- for: 2m
- labels:
- severity: critical
- annotations:
- summary: Redis cluster flapping at {{ $labels.instance }}.
- description: |-
- Changes have been detected in the Redis replica connection. This can occur when replica nodes lose connection to the master and reconnect (a.k.a flapping).
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisMissingBackup
- expr: >-
- time() - redis_rdb_last_save_timestamp_seconds
- > 60 * 60 * 24
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis missing backup at {{ $labels.instance }}.
- description: |-
- Redis has not been backed up for 24 hours.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
 - alert: RedisOutOfSystemMemory
 expr: >-
 redis_memory_used_bytes
diff --git a/modules/nixos/mpd.nix b/modules/nixos/mpd.nix
index b38ab9f..6db83f8 100644
--- a/modules/nixos/mpd.nix
+++ b/modules/nixos/mpd.nix
@@ -10,6 +10,8 @@ in {
 options.nixfiles.modules.mpd.enable = mkEnableOption "MPD and its clients.";
 config = mkIf cfg.enable {
+ nixfiles.modules.sound.enable = true;
+
 hm = {
 home.packages = with pkgs; [mpc_cli];
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index d2ab117..3659a7a 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -109,7 +109,6 @@ in {
 alertmanager = manwe;
 bitwarden = manwe;
 git = manwe;
- gotify = manwe;
 grafana = manwe;
 loki = manwe;
 ntfy = manwe;
@@ -119,6 +118,7 @@ in {
 vaultwarden = manwe;
 flood = yavanna;
+ lidarr = yavanna;
 };
 }
 ];
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 0abfdf2..c706eae 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -12,7 +12,7 @@ in {
 domain = mkOption {
 description = "Domain name sans protocol scheme.";
 type = with types; str;
- default = "radarr.${config.networking.fqdn}";
+ default = "radarr.${config.networking.domain}";
 };
 };
@@ -20,9 +20,16 @@ in {
 nixfiles.modules.nginx = {
 enable = true;
 upstreams.radarr.servers."127.0.0.1:7878" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://radarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://radarr";
+ extraConfig = nginxInternalOnly;
+ };
 };
- services.radarr.enable = true;
+ services.radarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
 };
 }
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index b59359c..f9997ba 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -105,7 +105,7 @@ in {
 "net.ipv4.ip_local_port_range" = "10000 65000";
 "net.ipv4.tcp_max_syn_backlog" = pow 2 13;
 "net.ipv4.tcp_max_tw_buckets" = pow 2 12;
- "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_fastopen" = mkOverride 100 3;
 "net.ipv4.tcp_mem" = mkOverride 100 (mkTcpMem 15 16 17);
 "net.ipv4.tcp_rmem" = mkOverride 100 (mkTcpMem 12 16 26);
 "net.ipv4.tcp_wmem" = mkOverride 100 (mkTcpMem 12 16 26);
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 8c79175..5990ff1 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -12,7 +12,7 @@ in {
 domain = mkOption {
 description = "Domain name sans protocol scheme.";
 type = with types; str;
- default = "sonarr.${config.networking.fqdn}";
+ default = "sonarr.${config.networking.domain}";
 };
 };
@@ -20,9 +20,16 @@ in {
 nixfiles.modules.nginx = {
 enable = true;
 upstreams.sonarr.servers."127.0.0.1:8989" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://sonarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://sonarr";
+ extraConfig = nginxInternalOnly;
+ };
 };
- services.sonarr.enable = true;
+ services.sonarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
 };
 }
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 2291cc7..79d52eb 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
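Review bot: `mkOverride 100 3` carries the same priority a bare `3` already has — 100 is the default priority of an ordinary module definition — so this line changes nothing on its own; the effective change is the `mkOverride 200 3` added to modules/nixos/unbound.nix in the same commit, which yields to this definition on a host that enables both modules. That pairing is invisible from either file, and the line now sits next to the `tcp_mem`/`tcp_rmem`/`tcp_wmem` overrides that exist for a different reason. A comment on this line, `# unbound.nix sets the same sysctl at priority 200; this definition wins when both modules are enabled.`, with a matching one in unbound.nix, would record why the two priorities differ. Both definitions write the same value, so the override only avoids a duplicate definition of the same key.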
@@ -86,13 +86,16 @@ in {
 "${ipv6.subnet} allow"
 ];
- private-domain = cfg.domain;
+ private-domain = "${cfg.domain}.";
 private-address = with config.nixfiles.modules.wireguard; [
 ipv4.subnet
 ipv6.subnet
 ];
- domain-insecure = cfg.domain;
+ cache-min-ttl = 0;
+
+ serve-expired = true;
+ serve-expired-reply-ttl = 0;
 prefetch = true;
 prefetch-key = true;
@@ -123,6 +126,8 @@ in {
 };
 };
+ enableRootTrustAnchor = true;
+
 localControlSocketPath = "/run/unbound/unbound.socket";
 };
@@ -174,5 +179,7 @@ in {
 wantedBy = ["timers.target"];
 };
 };
+
+ boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
 };
 }
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
index a3c16b0..267654d 100644
--- a/nixosConfigurations/manwe/default.nix
+++ b/nixosConfigurations/manwe/default.nix
@@ -29,7 +29,6 @@ with lib; {
 domain = "git.${my.domain.azahi}";
 };
- gotify.enable = true;
 matrix.dendrite = {
 enable = true;
 domain = my.domain.azahi;
diff --git a/nixosConfigurations/yavanna/default.nix b/nixosConfigurations/yavanna/default.nix
index 145a872..908b6d3 100644
--- a/nixosConfigurations/yavanna/default.nix
+++ b/nixosConfigurations/yavanna/default.nix
@@ -8,19 +8,10 @@ with lib; {
 acme.enable = true;
 rtorrent.enable = true;
+ lidarr.enable = true;
- ipfs.enable = true;
- };
-
- # The /nix/var/nix/db/db.sqlite file is currently corrupt. This is technically
- # fixable with a reinstall, but this system doesn't have a recovery mode
- # access and I'm too lazy to redo everything with nixos-infect at this point.
- #
- # These services fail because of that. Although, updating configuration works
- # just fine.
- nix = {
- gc.automatic = mkForce false;
- optimise.automatic = mkForce false;
+ # Eats too much CPU to run unattended :(
+ # ipfs.enable = true;
 };
 boot = {
--
cgit v1.2.3
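Review bot: `serve-expired = true;` is enabled without a `serve-expired-ttl`, and Unbound's default for that option is 0, meaning no limit, so a record whose authoritative server has gone away keeps being answered from cache indefinitely; RFC 8767 suggests bounding stale answers to one to three days, e.g. `serve-expired-ttl = 86400;` alongside `serve-expired-reply-ttl = 0;`. Dropping `domain-insecure = cfg.domain;` while setting `enableRootTrustAnchor = true;` means answers for the private domain are now subject to DNSSEC validation, which is only sound if no DS record for that name is published in its parent zone — not visible here, so confirm on the host with a lookup of a name under `cfg.domain`. `enableRootTrustAnchor` appears to already be the NixOS default, so the added line likely documents intent rather than changing behaviour; a short comment saying so, or dropping the line, would avoid a reader assuming it was previously off. The `services.unbound.settings` attribute set these lines belong to begins before the first hunk.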