diff --git a/hosts/falkenstein/default.nix b/hosts/falkenstein/default.nix
index 9213bed..12f8398 100644
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@@ -10,7 +10,6 @@
 ./modules/dns
 ./modules/fail2ban
 ./modules/mail
- ./modules/monitoring
 ./modules/networks
 ./modules/pfersel
 ./modules/purge
diff --git a/hosts/falkenstein/modules/monitoring/default.nix b/hosts/falkenstein/modules/monitoring/default.nix
deleted file mode 100644
index ced57e6..0000000
--- a/hosts/falkenstein/modules/monitoring/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, ... }:
-{
- services.prometheus = {
- exporters = {
- node = {
- enable = true;
- enabledCollectors = [ "systemd" ];
- };
- postfix = {
- enable = true;
- };
- };
- };
- networking.firewall.allowedTCPPorts = [
- config.services.prometheus.exporters.node.port
- config.services.prometheus.exporters.postfix.port
- ];
-}
diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix
index bbac861..6e5f8d7 100644
--- a/hosts/fujitsu/default.nix
+++ b/hosts/fujitsu/default.nix
@@ -3,7 +3,6 @@
 imports = [
 ./hardware-configuration.nix
 ./modules/networks
- ./modules/monitoring
 ];
 
 boot.loader.grub.enable = true;
diff --git a/hosts/fujitsu/modules/monitoring/default.nix b/hosts/fujitsu/modules/monitoring/default.nix
deleted file mode 100644
index e394028..0000000
--- a/hosts/fujitsu/modules/monitoring/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, ... }:
-{
- services.prometheus = {
- exporters = {
- node = {
- enable = true;
- enabledCollectors = [ "systemd" ];
- };
- };
- };
- networking.firewall.allowedTCPPorts = [
- config.services.prometheus.exporters.node.port
- ];
-}
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 40f02fc..d82e999 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -12,7 +12,6 @@
 ./modules/cache
 ./modules/matrix
 ./modules/mautrix-telegram
- ./modules/monitoring
 ./modules/seafile
 ./modules/torrent
 ./modules/vaultwarden
diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix
deleted file mode 100644
index c9642a4..0000000
--- a/hosts/nuc/modules/monitoring/default.nix
+++ /dev/null
@@ -1,97 +0,0 @@
-{ config, ... }:
-let
- domain = "monitoring.${config.networking.domain}";
-in
-{
- age.secrets."grafana/oidc_secret" = {
- file = ../../../../secrets/nuc/grafana/oidc.age;
- owner = "grafana";
- };
- # grafana configuration
- services.grafana = {
- enable = true;
- settings = {
- server = {
- inherit domain;
- http_addr = "127.0.0.1";
- http_port = 2342;
- root_url = "https://${domain}";
- };
- database = {
- type = "postgres";
- user = "grafana";
- host = "/run/postgresql";
- };
- "auth.generic_oauth" = {
- enabled = true;
- name = "Authentik";
- allow_sign_up = true;
- client_id = "grafana";
- client_secret = "$__file{${config.age.secrets."grafana/oidc_secret".path}}";
- scopes = "openid email profile offline_access roles";
-
- email_attribute_path = "email";
- login_attribute_path = "username";
- name_attribute_path = "full_name";
-
- auth_url = "https://auth.rfive.de/application/o/authorize/";
- token_url = "https://auth.rfive.de/application/o/token/";
- api_url = "https://auth.rfive.de/application/o/userinfo/";
- role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
-
- };
-
- };
- };
-
- services.postgresql = {
- enable = true;
- ensureUsers = [
- {
- name = "grafana";
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [ "grafana" ];
- };
-
- services.prometheus = {
- enable = true;
- port = 9001;
- exporters = {
- node = {
- enable = true;
- enabledCollectors = [ "systemd" ];
- };
- # postfix = {
- # enable = true;
- # port = 9003;
- # };
- };
- scrapeConfigs = [
- {
- job_name = "node";
- static_configs = [{
- targets = [
- "nuc.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}"
- "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}"
- "cudy.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}"
- "fujitsu.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}"
- ];
- }];
- scrape_interval = "15s";
- }
- {
- job_name = "postfix";
- static_configs = [{
- targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
- }];
- }
- ];
- };
-
- # nginx reverse proxy
- services.caddy.virtualHosts.${domain}.extraConfig = ''
- reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port}
- '';
-}
diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix
index 42d78e0..eebf8f8 100644
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@@ -35,7 +35,8 @@
 }];
 networkConfig = {
 DNS = [
- "192.168.42.1"
+ "9.9.9.9"
+ "149.112.112.112"
 ];
 LLDP = true;
 EmitLLDP = "nearest-bridge";
diff --git a/overlays/default.nix b/overlays/default.nix
index 0c98fd6..32a91de 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
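Review bot: The `DNS` change in `networkConfig` of hosts/nuc/modules/networks/default.nix replaces the LAN resolver 192.168.42.1 with the public Quad9 addresses but enables no transport protection, so every lookup from this host now leaves the network as plaintext UDP/53 and can be observed or altered in transit. systemd-networkd accepts `DNSOverTLS` and `DNSSEC` in the same `[Network]` section that `DNS` lives in, and Quad9 serves DNS-over-TLS on these addresses, so adding `DNSOverTLS = true;` right after the `DNS` list keeps the change while closing that gap. If the old resolver also answered internal names — the `*.vpn.rfive.de` hostnames used as scrape targets elsewhere in this commit look like candidates — those lookups now go to a public resolver and may fail or disclose internal hostnames; worth confirming before merging. The enclosing network definition starts and ends outside the hunk.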
@@ -63,92 +63,80 @@ in adguardian-term = callPackage ../pkgs/adguardian-term { }; # upstream package is broken and can't be fixed by overriding attrs. so I just completely redo it in here - seahub = (python3Packages.buildPythonApplication rec { - pname = "seahub"; - version = "11.0.1"; - format = "other"; - src = fetchFromGitHub { - owner = "haiwen"; - repo = "seahub"; - rev = "v11.0.1-pro"; - sha256 = "sha256-dxMvbiAdECMZIf+HgA5P2gZYI9l+k+nhmdzfg90037A="; - }; + seahub = (python3Packages.buildPythonApplication + rec { + pname = "seahub"; + version = "11.0.1"; + format = "other"; + src = fetchFromGitHub { + owner = "haiwen"; + repo = "seahub"; + rev = "v11.0.1-pro"; + sha256 = "sha256-dxMvbiAdECMZIf+HgA5P2gZYI9l+k+nhmdzfg90037A="; + }; - dontBuild = true; + dontBuild = true; - doCheck = false; # disabled because it requires a ccnet environment + doCheck = false; # disabled because it requires a ccnet environment - nativeBuildInputs = [ - makeWrapper - ]; + nativeBuildInputs = [ + makeWrapper + ]; - propagatedBuildInputs = with python3Packages; [ - django - future - django-compressor - django-statici18n - django-webpack-loader - django-simple-captcha - django-picklefield - django-formtools - mysqlclient - pillow - python-dateutil - djangorestframework - openpyxl - requests - requests-oauthlib - chardet - pyjwt - pycryptodome - qrcode - pysearpc - seaserv - gunicorn - markdown - bleach - python-ldap - pyopenssl - (buildPythonPackage rec { - pname = "djangosaml2"; - version = "1.7.0"; - doCheck = false; - propagatedBuildInputs = [ - pysaml2 - django - defusedxml - ]; - src = fetchPypi { - inherit pname version; - sha256 = "sha256-WiMl2UvbOskLA5o5LXPrBF2VktlDnlBNdc42eZ62Fko="; - }; - }) - ]; + propagatedBuildInputs = with python3Packages; [ + django + future + django-compressor + django-statici18n + django-webpack-loader + django-simple-captcha + django-picklefield + django-formtools + mysqlclient + pillow + python-dateutil + djangorestframework + openpyxl + requests + 
requests-oauthlib + chardet + pyjwt + pycryptodome + qrcode + pysearpc + seaserv + gunicorn + markdown + bleach + python-ldap + pyopenssl + (buildPythonPackage rec { + pname = "djangosaml2"; + version = "1.7.0"; + doCheck = false; + propagatedBuildInputs = [ + pysaml2 + django + defusedxml + ]; + src = fetchPypi { + inherit pname version; + sha256 = "sha256-WiMl2UvbOskLA5o5LXPrBF2VktlDnlBNdc42eZ62Fko="; + }; + }) + ]; - installPhase = '' - cp -dr --no-preserve='ownership' . $out/ - wrapProgram $out/manage.py \ - --prefix PYTHONPATH : "$PYTHONPATH:$out/thirdpart:" - ''; - - passthru = rec { - python = prev.python3; - pythonPath = python.pkgs.makePythonPath propagatedBuildInputs; - }; - }); - # (hopefully) fix systemd journal reading - prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: { - patches = [ - ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch - ]; - src = fetchFromGitHub { - owner = "adangel"; - repo = "postfix_exporter"; - rev = "414ac12ee63415eede46cb3084d755a6da6fba23"; - hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w="; - }; - }); + installPhase = '' + cp -dr --no-preserve='ownership' . $out/ + wrapProgram $out/manage.py \ + --prefix PYTHONPATH : "$PYTHONPATH:$out/thirdpart:" + ''; + passthru = rec { + python = prev.python3; + pythonPath = python.pkgs.makePythonPath propagatedBuildInputs; + }; + }); } diff --git a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch deleted file mode 100644 index 2b60316..0000000 --- a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001 -From: Rouven Seifert -Date: Thu, 2 May 2024 11:20:27 +0200 -Subject: [PATCH] cleanup: also catch milter-reject - ---- - postfix_exporter.go | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/postfix_exporter.go b/postfix_exporter.go -index f20d99c..676d767 100644 ---- a/postfix_exporter.go -+++ b/postfix_exporter.go -@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) { - e.cleanupProcesses.Inc() - } else if strings.Contains(remainder, ": reject: ") { - e.cleanupRejects.Inc() -+ } else if strings.Contains(remainder, ": milter-reject: ") { -+ e.cleanupRejects.Inc() - } else { - e.addToUnsupportedLine(line, subprocess, level) - } --- -2.44.0 - diff --git a/secrets.nix b/secrets.nix index 025a849..86010a7 100644 --- a/secrets.nix +++ b/secrets.nix @@ -24,7 +24,6 @@ in "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/core.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; - "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; diff --git a/secrets/nuc/grafana/oidc.age b/secrets/nuc/grafana/oidc.age deleted file mode 100644 index 504dbe9..0000000 Binary files a/secrets/nuc/grafana/oidc.age and /dev/null differ