From 39ed30937ec29217820583e07ff1f447d08b9898 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Fri, 14 Apr 2023 02:51:09 +0300
Subject: 2023-04-14

---
 modules/common/common/nix/default.nix | 2 +-
 modules/nixos/git/default.nix | 6 +--
 modules/nixos/ipfs.nix | 21 ++------
 modules/nixos/lidarr.nix | 13 +++--
 modules/nixos/monitoring/rules/node.yaml | 19 +------
 modules/nixos/monitoring/rules/redis.yaml | 89 -------------------------------
 modules/nixos/mpd.nix | 2 +
 modules/nixos/nsd.nix | 2 +-
 modules/nixos/radarr.nix | 13 +++--
 modules/nixos/shadowsocks.nix | 2 +-
 modules/nixos/sonarr.nix | 13 +++--
 modules/nixos/unbound.nix | 11 +++-
 12 files changed, 53 insertions(+), 140 deletions(-)
(limited to 'modules')

diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix
index dc73d68..dea9358 100644
--- a/modules/common/common/nix/default.nix
+++ b/modules/common/common/nix/default.nix
@@ -99,7 +99,7 @@ with lib; {
  patches = [./patches/alejandra-no-ads.patch];
  });
- inherit (pkgsPR "225109" "sha256-aLQcBwo2y92bn/nugidJtFCCEdkNOkSsTeoZ5B2Qt1c=") libvlc;
+ inherit (pkgsPR "225985" "sha256-wS8vyIEH2gFt3cLvSrROTULu8N8FCUle6cy2zqHN+VI=") mangohud;
  }
  // (with super;
  let
  np = nodePackages;
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index fd25eec..62a200c 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -30,9 +30,9 @@ in {
  locations = {
  "/".extraConfig = let
  cgitrc = pkgs.writeText "cgitrc" ''
- root-title=github sux >:^(
- root-desc=Homo sum, humani a me nihil alienum puto.
- footer=
+ root-title=github sux (⩺_⩹)
+ root-desc=https://github.com/azahi
+ footer=https://GiveUpGitHub.com
  clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 68075ff..6d32ec6 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -60,6 +60,7 @@ in {
  emptyRepo = true;
  enableGC = true;
+ # https://github.com/ipfs/kubo/blob/master/docs/config.md
  settings = mkMerge [
  (
  let
@@ -94,30 +95,18 @@ in {
  "/ip4/0.0.0.0/tcp/${port}"
  "/ip6/::/tcp/${port}"
  "/ip4/0.0.0.0/udp/${port}/quic"
+ "/ip4/0.0.0.0/udp/${port}/quic-v1"
+ "/ip4/0.0.0.0/udp/${port}/quic-v1/webtransport"
  "/ip6/::/udp/${port}/quic"
+ "/ip6/::/udp/${port}/quic-v1"
+ "/ip6/::/udp/${port}/quic-v1/webtransport"
  ];
  NoAnnounce = filterAddresses;
  };
  Swarm.AddrFilters = filterAddresses;
- API.HTTPHeaders.Access-Control-Allow-Methods = [
- "GET"
- "POST"
- "PUT"
- ];
  }
  )
- (mkIf this.isHeadful {
- API.HTTPHeaders.Access-Control-Allow-Origin = ["*"];
- })
- (mkIf this.isHeadless {
- API.HTTPHeaders.Access-Control-Allow-Origin = map (v: "http${
- optionalString config.nixfiles.modules.acme.enable "s"
- }://${v}") (with cfg; [
- domain
- "api.${domain}"
- ]);
- })
  ];
  };
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index f73f917..8439ec0 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -12,7 +12,7 @@ in {
  domain = mkOption {
  description = "Domain name sans protocol scheme.";
  type = with types; str;
- default = "lidarr.${config.networking.fqdn}";
+ default = "lidarr.${config.networking.domain}";
  };
  };
 
@@ -20,9 +20,16 @@ in {
  nixfiles.modules.nginx = {
  enable = true;
  upstreams.lidarr.servers."127.0.0.1:8686" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://lidarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://lidarr";
+ extraConfig = nginxInternalOnly;
+ };
  };
 
- services.lidarr.enable = true;
+ services.lidarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
  };
 }
diff --git a/modules/nixos/monitoring/rules/node.yaml b/modules/nixos/monitoring/rules/node.yaml
index 98217b3..eee5939 100644
--- a/modules/nixos/monitoring/rules/node.yaml
+++ b/modules/nixos/monitoring/rules/node.yaml
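Review bot: The new `/quic-v1` and `/quic-v1/webtransport` swarm listeners bind on 0.0.0.0 and :: like the existing ones, so WebTransport on the swarm port is now part of the reachable surface; `Swarm.AddrFilters` and `NoAnnounce` are unchanged and still apply, but the firewall side of this lives outside the hunk and is worth checking alongside. Dropping the `API.HTTPHeaders` CORS settings, including the `["*"]` origin on headful hosts, is a sound hardening of the Kubo RPC API, yet nothing in the hunk records the intent; a one-line comment stating why the RPC API no longer sends CORS headers would stop the wildcard from being reintroduced the next time the webui misbehaves. The enclosing `settings = mkMerge [` block begins above this hunk.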
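Review bot: `user = "rtorrent"; group = "rtorrent";` runs Lidarr under the same account as rtorrent, so a compromise of either web-facing service (Lidarr exposes its own UI and API) gains full write access to the other's config, database and API-key files; the same applies to the matching radarr.nix and sonarr.nix hunks. If the goal is shared access to the download directory, keeping the dedicated `lidarr` user and only joining the shared group (`group = "rtorrent";` with group-writable download paths, or `users.users.lidarr.extraGroups = ["rtorrent"];`) preserves the separation at no functional cost. `extraConfig = nginxInternalOnly;` is a good restriction for a service that now runs with shared privileges, assuming that identifier is bound in this module's `let` block, which is outside the hunk.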
@@ -238,28 +238,11 @@ groups:
  VALUE = {{ $value }}
  LABELS = {{ $labels }}
 
- - alert: HostCpuStealNoisyNeighbor
- expr: >-
- avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m]))
- * 100
- > 15
- for: 0m
- labels:
- severity: warning
- annotations:
- summary: Host CPU steal noisy neighbor at {{ $labels.instance }}.
- description: |-
- CPU steal is > 10%. A noisy neighbor is killing VM performances or a
- spot instance may be out of credit.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
  - alert: HostCpuHighIowait
  expr: |-
  avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m]))
  * 100
- > 15
+ > 50
  for: 0m
  labels:
  severity: warning
diff --git a/modules/nixos/monitoring/rules/redis.yaml b/modules/nixos/monitoring/rules/redis.yaml
index c07c819..b47c313 100644
--- a/modules/nixos/monitoring/rules/redis.yaml
+++ b/modules/nixos/monitoring/rules/redis.yaml
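Review bot: Raising the HostCpuHighIowait threshold from 15 to 50 while keeping `for: 0m` reduces noise by giving up sensitivity rather than by requiring persistence, so it still fires the moment the 5-minute average crosses the line; a duration such as `for: 5m` at the old threshold is usually the better knob for a sustained-iowait signal. If the alert's `description` below the hunk repeats the threshold, it should now say 50. The removed HostCpuStealNoisyNeighbor rule takes away the only steal-time signal, which is fine on bare metal but deserves a short `# no steal alert: hosts are not VM tenants` style comment if that is the reason.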
@@ -17,95 +17,6 @@ groups:
  VALUE = {{ $value }}
  LABELS = {{ $labels }}
 
- - alert: RedisMissingMaster
- expr: >-
- (count(redis_instance_info{role="master"}) or vector(0))
- < 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis missing master at {{ $labels.instance }}).
- description: |-
- Redis cluster has no node marked as a master.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisTooManyMasters
- expr: >-
- count(redis_instance_info{role="master"}) > 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis too many masters at {{ $labels.instance }}.
- description: |-
- Redis cluster has too many nodes marked as a master.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisDisconnectedSlaves
- expr: >-
- count without (instance, job) (redis_connected_slaves)
- - sum without (instance, job) (redis_connected_slaves)
- - 1
- > 1
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis disconnected slaves at {{ $labels.instance }}.
- description: |-
- Redis is not replicating for all slaves.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisReplicationBroken
- expr: >-
- delta(redis_connected_slaves[1m]) < 0
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis replication broken at {{ $labels.instance }}.
- description: |-
- Redis instance lost a slave.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisClusterFlapping
- expr: >-
- changes(redis_connected_slaves[1m]) > 1
- for: 2m
- labels:
- severity: critical
- annotations:
- summary: Redis cluster flapping at {{ $labels.instance }}.
- description: |-
- Changes have been detected in the Redis replica connection. This can occur when replica nodes lose connection to the master and reconnect (a.k.a flapping).
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
- - alert: RedisMissingBackup
- expr: >-
- time() - redis_rdb_last_save_timestamp_seconds
- > 60 * 60 * 24
- for: 0m
- labels:
- severity: critical
- annotations:
- summary: Redis missing backup at {{ $labels.instance }}.
- description: |-
- Redis has not been backed up for 24 hours.
-
- VALUE = {{ $value }}
- LABELS = {{ $labels }}
-
  - alert: RedisOutOfSystemMemory
  expr: >-
  redis_memory_used_bytes
diff --git a/modules/nixos/mpd.nix b/modules/nixos/mpd.nix
index b38ab9f..6db83f8 100644
--- a/modules/nixos/mpd.nix
+++ b/modules/nixos/mpd.nix
@@ -10,6 +10,8 @@ in {
  options.nixfiles.modules.mpd.enable = mkEnableOption "MPD and its clients.";
 
  config = mkIf cfg.enable {
+ nixfiles.modules.sound.enable = true;
+
  hm = {
  home.packages = with pkgs; [mpc_cli];
 
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index d2ab117..3659a7a 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -109,7 +109,6 @@ in {
  alertmanager = manwe;
  bitwarden = manwe;
  git = manwe;
- gotify = manwe;
  grafana = manwe;
  loki = manwe;
  ntfy = manwe;
@@ -119,6 +118,7 @@ in {
  vaultwarden = manwe;
 
  flood = yavanna;
+ lidarr = yavanna;
  };
  }
  ];
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 0abfdf2..c706eae 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -12,7 +12,7 @@ in {
  domain = mkOption {
  description = "Domain name sans protocol scheme.";
  type = with types; str;
- default = "radarr.${config.networking.fqdn}";
+ default = "radarr.${config.networking.domain}";
  };
  };
 
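Review bot: Deleting RedisMissingBackup along with the replication rules removes the only check on `redis_rdb_last_save_timestamp_seconds`, so a stalled RDB snapshot (full disk, failing BGSAVE) will now go unnoticed; the cluster and replication alerts are reasonable to drop on a standalone instance, but backup staleness is independent of topology. If persistence is enabled on this instance, keep that one rule (optionally with a non-zero `for:` to avoid firing on a single late save), and if persistence is off, a short comment at the top of the group saying so would explain why no persistence alert exists. The surviving `RedisOutOfSystemMemory` rule continues below the hunk.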
@@ -20,9 +20,16 @@ in {
  nixfiles.modules.nginx = {
  enable = true;
  upstreams.radarr.servers."127.0.0.1:7878" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://radarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://radarr";
+ extraConfig = nginxInternalOnly;
+ };
  };
 
- services.radarr.enable = true;
+ services.radarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
  };
 }
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index b59359c..f9997ba 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -105,7 +105,7 @@ in {
  "net.ipv4.ip_local_port_range" = "10000 65000";
  "net.ipv4.tcp_max_syn_backlog" = pow 2 13;
  "net.ipv4.tcp_max_tw_buckets" = pow 2 12;
- "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_fastopen" = mkOverride 100 3;
  "net.ipv4.tcp_mem" = mkOverride 100 (mkTcpMem 15 16 17);
  "net.ipv4.tcp_rmem" = mkOverride 100 (mkTcpMem 12 16 26);
  "net.ipv4.tcp_wmem" = mkOverride 100 (mkTcpMem 12 16 26);
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 8c79175..5990ff1 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -12,7 +12,7 @@ in {
  domain = mkOption {
  description = "Domain name sans protocol scheme.";
  type = with types; str;
- default = "sonarr.${config.networking.fqdn}";
+ default = "sonarr.${config.networking.domain}";
  };
  };
 
@@ -20,9 +20,16 @@ in {
  nixfiles.modules.nginx = {
  enable = true;
  upstreams.sonarr.servers."127.0.0.1:8989" = {};
- virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://sonarr";
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://sonarr";
+ extraConfig = nginxInternalOnly;
+ };
  };
 
- services.sonarr.enable = true;
+ services.sonarr = {
+ enable = true;
+ user = "rtorrent";
+ group = "rtorrent";
+ };
  };
 }
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 2291cc7..79d52eb 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -86,13 +86,16 @@ in {
  "${ipv6.subnet} allow"
  ];
 
- private-domain = cfg.domain;
+ private-domain = "${cfg.domain}.";
  private-address = with config.nixfiles.modules.wireguard; [
  ipv4.subnet
  ipv6.subnet
  ];
- domain-insecure = cfg.domain;
+ cache-min-ttl = 0;
+
+ serve-expired = true;
+ serve-expired-reply-ttl = 0;
  prefetch = true;
  prefetch-key = true;
@@ -123,6 +126,8 @@ in {
  };
  };
 
+ enableRootTrustAnchor = true;
+
  localControlSocketPath = "/run/unbound/unbound.socket";
  };
 
@@ -174,5 +179,7 @@ in {
  wantedBy = ["timers.target"];
  };
  };
+
+ boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;
  };
 }
--
cgit 1.4.1
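Review bot: Removing `domain-insecure = cfg.domain;` while the next hunk sets `enableRootTrustAnchor = true;` means answers under `cfg.domain` are now DNSSEC-validated; if that name is served from local or stub data that is unsigned while the public delegation is signed, resolution will SERVFAIL rather than fall back, so confirm the zone is either signed or not under a signed delegation before relying on this. `serve-expired = true;` together with `serve-expired-reply-ttl = 0;` and no `serve-expired-ttl` bound lets stale records be served indefinitely after their TTL expires (Unbound's default bound is 0, meaning no limit), which keeps decommissioned or re-pointed names alive on this resolver; adding `serve-expired-ttl = 86400;` (or a similar cap) and considering `serve-expired-client-timeout` so a fresh lookup is still attempted would bound that window. The enclosing settings block begins above this hunk, mid-list.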
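Review bot: `boot.kernel.sysctl."net.ipv4.tcp_fastopen" = mkOverride 200 3;` duplicates the sysctl that shadowsocks.nix now sets with `mkOverride 100 3`; the values agree today, but two modules owning one kernel knob at different priorities means a future change to this one is silently shadowed when both modules are enabled (priority 100 wins). Value 3 also turns on both client- and server-side TCP Fast Open support host-wide rather than for Unbound alone (servers still opt in per socket), so if only the client side is wanted here, `1` is the narrower choice. A shared sysctl module, or a comment on this line naming the other definition and why both exist, would make the interaction visible to the next reader.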