diff --git a/flake.lock b/flake.lock
index a8f4872..be7ae2e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -312,11 +312,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716457508,
- "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
+ "lastModified": 1717097707,
+ "narHash": "sha256-HC5vJ3oYsjwsCaSbkIPv80e4ebJpNvFKQTBOGlHvjLs=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
+ "rev": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9",
 "type": "github"
 },
 "original": {
@@ -460,11 +460,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716170277,
- "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
+ "lastModified": 1716772633,
+ "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
+ "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
 "type": "github"
 },
 "original": {
@@ -475,11 +475,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1716509168,
- "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
+ "lastModified": 1716948383,
+ "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
+ "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
 "type": "github"
 },
 "original": {
@@ -623,11 +623,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716449531,
- "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
+ "lastModified": 1717103025,
+ "narHash": "sha256-bn/YPVgu6YmHnKhwMfwIFe7USGvIOC5ge4Ps6o47Tr8=",
 "owner": "~rouven",
 "repo": "purge",
- "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
+ "rev": "4f8f075eeaafc90737216031eb644792a4652ead",
 "type": "sourcehut"
 },
 "original": {
diff --git a/hosts/falkenstein/default.nix b/hosts/falkenstein/default.nix
index 9213bed..5a657fb 100644
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@@ -6,7 +6,6 @@
 ./hardware-configuration.nix
 ./modules/backup
 ./modules/caddy
- ./modules/logging
 ./modules/dns
 ./modules/fail2ban
 ./modules/mail
diff --git a/hosts/falkenstein/modules/caddy/default.nix b/hosts/falkenstein/modules/caddy/default.nix
index a92eb55..7aa569a 100644
--- a/hosts/falkenstein/modules/caddy/default.nix
+++ b/hosts/falkenstein/modules/caddy/default.nix
@@ -20,6 +20,14 @@ in
 enable = true;
 email = "ca@${config.networking.domain}";
 logFormat = "format console";
+ globalConfig = ''
+ servers {
+ metrics
+ }
+ '';
+ virtualHosts.":2018".extraConfig = ''
+ metrics
+ '';
 virtualHosts."${config.networking.domain}".extraConfig = ''
 file_server browse
 root * /srv/web/${config.networking.domain}
@@ -28,6 +36,6 @@ in
 '';
 };
 systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 2018 ];
 networking.firewall.allowedUDPPorts = [ 443 ];
 }
diff --git a/hosts/falkenstein/modules/logging/default.nix b/hosts/falkenstein/modules/logging/default.nix
deleted file mode 100644
index b858199..0000000
--- a/hosts/falkenstein/modules/logging/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ pkgs, ... }:
-{
- services.rsyslogd = {
- enable = true;
- defaultConfig = ''
- :programname, isequal, "postfix" /var/log/postfix.log
-
- auth.* -/var/log/auth.log
- '';
- };
- services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
- weekly
- missingok
- notifempty
- rotate 4
- "/var/log/postfix.log" {
- compress
- delaycompress
- weekly
- rotate 156
- }
- '';
- # "/var/log/caddy/*.log" {
- # compress
- # delaycompress
- # weekly
- # rotate 26
- # }
-}
diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix
index f53b21a..15dbdde 100644
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
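Review bot: The second caddy hunk opens TCP 2018 on every interface (`networking.firewall.allowedTCPPorts = [ 80 443 2018 ];`), so the unauthenticated metrics endpoint the first hunk adds as `virtualHosts.":2018"` is reachable from the public side of the host and not only from the VPN address it is scraped on. Caddy's metrics reveal the server's handlers and traffic profile to anyone who can connect. Bind the vhost to the VPN address, `virtualHosts."<vpn-address>:2018".extraConfig`, and open the port only on that interface with `networking.firewall.interfaces.<vpn-iface>.allowedTCPPorts = [ 2018 ];` instead of the global list. The nuc counterpart in hosts/nuc/modules/caddy/default.nix adds the same listener without opening the port, so the two hosts currently disagree.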
@@ -7,7 +7,8 @@ postfix.enable = true; locals = { "worker-controller.inc".text = '' - secure_ip = "0.0.0.0/0"; + secure_ip = [ "0.0.0.0/0", "::/0"]; + bind_socket = "0.0.0.0:11334"; ''; "redis.conf".text = '' read_servers = "/run/redis-rspamd/redis.sock"; @@ -54,6 +55,7 @@ reverse_proxy 127.0.0.1:11334 ''; }; + networking.firewall.allowedTCPPorts = [ 11334 ]; systemd = { services.rspamd-dmarc-report = { description = "rspamd dmarc reporter"; diff --git a/hosts/falkenstein/modules/monitoring/default.nix b/hosts/falkenstein/modules/monitoring/default.nix index ced57e6..4f18bfe 100644 --- a/hosts/falkenstein/modules/monitoring/default.nix +++ b/hosts/falkenstein/modules/monitoring/default.nix @@ -1,5 +1,9 @@ { config, ... }: { + age.secrets."maxmind" = { + file = ../../../../secrets/shared/maxmind.age; + }; + users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; services.prometheus = { exporters = { node = { 
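Review bot: `bind_socket = "0.0.0.0:11334";` together with `secure_ip = [ "0.0.0.0/0", "::/0"];` and the second hunk's `networking.firewall.allowedTCPPorts = [ 11334 ];` puts the rspamd controller on every interface with every source address treated as trusted, so anyone who can reach the host gets password-free controller access (learning, map edits, scan history). The controller is still published through Caddy via `reverse_proxy 127.0.0.1:11334`, and the only new consumer visible in this commit is the `falkenstein.vpn.rfive.de:11334` scrape target in hosts/nuc/modules/monitoring/default.nix. Bind to the VPN address instead, `bind_socket = "<vpn-address>:11334";`, limit `secure_ip` to the VPN range, and open the port on that interface only with `networking.firewall.interfaces.<vpn-iface>.allowedTCPPorts = [ 11334 ];`. The `locals` attrset continues outside the hunk.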
@@ -11,6 +15,104 @@
 };
 };
 };
+ services.geoipupdate = {
+ enable = true;
+ settings = {
+ AccountID = 1018346;
+ LicenseKey = config.age.secrets."maxmind".path;
+ EditionIDs = [
+ "GeoLite2-ASN"
+ "GeoLite2-City"
+ "GeoLite2-Country"
+ ];
+ DatabaseDirectory = "/var/lib/GeoIP";
+ };
+ };
+ services.promtail = {
+ enable = true;
+ configuration = {
+ server = {
+ http_listen_port = 3031;
+ grpc_listen_port = 0;
+ };
+ positions = {
+ filename = "/tmp/positions.yaml";
+ };
+ clients = [{
+ url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
+ }];
+ scrape_configs = [
+ {
+ job_name = "journal";
+ journal = {
+ json = false;
+ max_age = "12h";
+ path = "/var/log/journal";
+ labels.job = "systemd-journal";
+ };
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }
+ {
+ source_labels = [ "__journal__hostname" ];
+ target_label = "host";
+ }
+ {
+ source_labels = [ "__journal_priority_keyword" ];
+ target_label = "level";
+ }
+ {
+ source_labels = [ "__journal_syslog_identifier" ];
+ target_label = "syslog_identifier";
+ }
+ ];
+ pipeline_stages = [
+ {
+ match = {
+ selector = ''{unit="promtail.servicel"}'';
+ action = "drop";
+ };
+ }
+ ];
+ }
+ {
+ job_name = "caddy_access_log";
+ static_configs = [
+ {
+ targets = [ "localhost" ];
+ labels = {
+ job = "caddy_access_log";
+ agent = "caddy-promtail";
+ __path__ = "/var/log/caddy/*.log";
+ };
+ }
+ ];
+ pipeline_stages = [
+ {
+ # remove :443 from matrix or rspamd logs
+ replace = {
+ expression = ".*(de:443).*";
+ replace = "de";
+ };
+ }
+ {
+ json.expressions.remote_ip = "request.remote_ip";
+ }
+ {
+ geoip = {
+ db = "/var/lib/GeoIP/GeoLite2-City.mmdb";
+ source = "remote_ip";
+ db_type = "city";
+ };
+ }
+ ];
+
+ }
+ ];
+ };
+ };
 networking.firewall.allowedTCPPorts = [
 config.services.prometheus.exporters.node.port
 config.services.prometheus.exporters.postfix.port
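Review bot: The drop stage of the journal job never matches because its selector reads `''{unit="promtail.servicel"}''` instead of `''{unit="promtail.service"}''`, so promtail ships its own log lines, and a push failure then generates further lines for the next push. The same selector is repeated in the hosts/fujitsu and hosts/nuc monitoring hunks of this commit and needs the same fix there. `positions.filename = "/tmp/positions.yaml"` keeps the read offsets in a location that is cleared on reboot (and may be private to the unit if the service sandbox uses a private tmp), after which the journal job re-sends up to `max_age` and the caddy job re-reads every file from the start; a persistent path under `/var/lib` would avoid the duplicate ingestion.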
diff --git a/hosts/falkenstein/modules/trucksimulatorbot/default.nix b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
index b910134..50002a1 100644
--- a/hosts/falkenstein/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
@@ -35,5 +35,6 @@ in
 uri strip_prefix /images
 reverse_proxy unix//run/trucksimulator/images.sock
 }
+ reverse_proxy unix//run/trucksimulator/app.sock
 '';
 }
diff --git a/hosts/fujitsu/modules/monitoring/default.nix b/hosts/fujitsu/modules/monitoring/default.nix
index e394028..775946a 100644
--- a/hosts/fujitsu/modules/monitoring/default.nix
+++ b/hosts/fujitsu/modules/monitoring/default.nix
@@ -1,5 +1,6 @@
 { config, ... }:
 {
+ users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
 services.prometheus = {
 exporters = {
 node = {
@@ -8,6 +9,58 @@
 };
 };
 };
+ services.promtail = {
+ enable = true;
+ configuration = {
+ server = {
+ http_listen_port = 3031;
+ grpc_listen_port = 0;
+ };
+ positions = {
+ filename = "/tmp/positions.yaml";
+ };
+ clients = [{
+ url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
+ }];
+ scrape_configs = [
+ {
+ job_name = "journal";
+ journal = {
+ json = false;
+ max_age = "12h";
+ path = "/var/log/journal";
+ labels.job = "systemd-journal";
+ };
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }
+ {
+ source_labels = [ "__journal__hostname" ];
+ target_label = "host";
+ }
+ {
+ source_labels = [ "__journal_priority_keyword" ];
+ target_label = "level";
+ }
+ {
+ source_labels = [ "__journal_syslog_identifier" ];
+ target_label = "syslog_identifier";
+ }
+ ];
+ pipeline_stages = [
+ {
+ match = {
+ selector = ''{unit="promtail.servicel"}'';
+ action = "drop";
+ };
+ }
+ ];
+ }
+ ];
+ };
+ };
 networking.firewall.allowedTCPPorts = [
 config.services.prometheus.exporters.node.port
 ];
diff --git a/hosts/nuc/modules/backup/default.nix b/hosts/nuc/modules/backup/default.nix
index bc50c25..9bedef3 100644
--- a/hosts/nuc/modules/backup/default.nix +++ b/hosts/nuc/modules/backup/default.nix @@ -38,4 +38,16 @@ keep_yearly = 3; }; }; + services.postgresqlBackup = { + enable = true; + databases = [ + "authentik" + "grafana" + "matrix-synapse" + "mautrix-telegram" + "postgres" + "vaultwarden" + ]; + }; + } diff --git a/hosts/nuc/modules/caddy/default.nix b/hosts/nuc/modules/caddy/default.nix index 563ad7b..8d6bb3e 100644 --- a/hosts/nuc/modules/caddy/default.nix +++ b/hosts/nuc/modules/caddy/default.nix @@ -4,6 +4,14 @@ enable = true; email = "ca@${config.networking.domain}"; logFormat = "format console"; + globalConfig = '' + servers { + metrics + } + ''; + virtualHosts.":2018".extraConfig = '' + metrics + ''; }; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix index 83211c5..ba3aed7 100644 --- a/hosts/nuc/modules/monitoring/default.nix +++ b/hosts/nuc/modules/monitoring/default.nix @@ -8,10 +8,10 @@ in owner = "grafana"; }; age.secrets."maxmind" = { - file = ../../../../secrets/nuc/maxmind.age; - owner = "grafana"; + file = ../../../../secrets/shared/maxmind.age; }; - users.users."promtail".extraGroups = [ "caddy" ]; + users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; + networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ]; # grafana configuration # todo: move to own file @@ -48,6 +48,7 @@ in user = "grafana"; host = "/run/postgresql"; }; + auth.disable_login_form = true; "auth.generic_oauth" = { enabled = true; name = "Authentik"; 
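Review bot: `services.postgresqlBackup` writes its dumps to its default `location` (`/var/backup/postgresql` unless overridden), and nothing in this hunk adds that directory to the borg job whose retention block (`keep_yearly = 3;`) closes just above it, so if the borg paths do not already cover it the new dumps never leave the host. Either set `location` to a path the borg job already includes or add the dump directory to its paths. Including `"postgres"` dumps the maintenance database, which is normally near-empty but harmless. The enclosing borg definition starts outside the hunk.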
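Review bot: `networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];` opens Loki's HTTP API on every interface of nuc, and Loki performs no authentication of its own, so any host that can reach that port can push log lines and run queries over everything stored. The only remote clients visible in this commit are the promtail instances pushing to `nuc.vpn.rfive.de`, so open the port on the VPN interface only, `networking.firewall.interfaces.<vpn-iface>.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];`. Dropping `owner = "grafana";` from `age.secrets."maxmind"` also changes the decrypted file's owner to the agenix default; confirm that whatever consumes `config.age.secrets."maxmind".path` on nuc (not visible in this hunk) still runs as a user that can read it.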
@@ -109,6 +110,30 @@ in targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ]; }]; } + { + job_name = "synapse"; + static_configs = [{ + targets = [ "matrix.rfive.de:8008" ]; + }]; + metrics_path = "/synapse/metrics"; + scrape_interval = "15s"; + } + { + job_name = "rspamd"; + static_configs = [{ + targets = [ "falkenstein.vpn.rfive.de:11334" ]; + }]; + } + { + job_name = "caddy"; + static_configs = [{ + targets = [ + "falkenstein.vpn.rfive.de:2018" + "nuc.vpn.rfive.de:2018" + ]; + }]; + scrape_interval = "15s"; + } ]; }; services.loki = { @@ -205,6 +230,41 @@ in url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; }]; scrape_configs = [ + { + job_name = "journal"; + journal = { + json = false; + max_age = "12h"; + path = "/var/log/journal"; + labels.job = "systemd-journal"; + }; + relabel_configs = [ + { + source_labels = [ "__journal__systemd_unit" ]; + target_label = "unit"; + } + { + source_labels = [ "__journal__hostname" ]; + target_label = "host"; + } + { + source_labels = [ "__journal_priority_keyword" ]; + target_label = "level"; + } + { + source_labels = [ "__journal_syslog_identifier" ]; + target_label = "syslog_identifier"; + } + ]; + pipeline_stages = [ + { + match = { + selector = ''{unit="promtail.servicel"}''; + action = "drop"; + }; + } + ]; + } { job_name = "caddy_access_log"; static_configs = [ @@ -219,6 +279,13 @@ in } ]; pipeline_stages = [ + { + # remove :443 from matrix or rspamd logs + replace = { + expression = ".*(de:443).*"; + replace = "de"; + }; + } { json.expressions.remote_ip = "request.remote_ip"; } @@ -236,7 +303,6 @@ in }; }; - # nginx reverse proxy services.caddy.virtualHosts.${domain}.extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port} diff --git a/overlays/default.nix b/overlays/default.nix index 0e02a2a..7e4ccb5 100644 --- a/overlays/default.nix 
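Review bot: The new `synapse` job scrapes `matrix.rfive.de:8008` with `metrics_path = "/synapse/metrics"`, the public hostname rather than a `*.vpn.rfive.de` address like the `rspamd` and `caddy` jobs beside it. If that name resolves to the public interface and 8008 is the client listener, the metrics resource is served to anyone who asks and the scrape itself crosses the public network in plain HTTP; pointing the target at the VPN address, or at a dedicated metrics listener bound to it, would match the other jobs. The journal job added in the second hunk repeats the `promtail.servicel` selector typo noted on the falkenstein monitoring hunk. The `scrape_configs` list continues outside the hunk.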
+++ b/overlays/default.nix @@ -3,7 +3,6 @@ let inherit (prev) callPackage; inherit (prev) fetchFromGitHub; inherit (prev) fetchPypi; - inherit (prev) fetchpatch; inherit (prev) makeWrapper; inherit (prev) python3Packages; in @@ -23,31 +22,6 @@ in # freeimage is broken withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ]; }; - # don't compile the bloat - rsyslog = prev.rsyslog.override { - withMysql = false; - withJemalloc = false; - withPostgres = false; - withUuid = false; - withCurl = false; - withDbi = false; - withNetSnmp = false; - withGnutls = false; - withGcrypt = false; - withLognorm = false; - withMaxminddb = false; - withOpenssl = false; - withRelp = false; - withKsi = false; - withLogging = false; - withHadoop = false; - withRdkafka = false; - withMongo = false; - withCzmq = false; - withRabbitmq = false; - withHiredis = false; - }; - zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec { version = "1.1.1"; src = fetchFromGitHub { diff --git a/secrets.nix b/secrets.nix index d068991..055be04 100644 --- a/secrets.nix +++ b/secrets.nix @@ -26,7 +26,6 @@ in "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; - "secrets/nuc/maxmind.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; @@ -37,4 +36,7 @@ in "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; + + #shared + "secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ]; } diff --git a/secrets/nuc/maxmind.age b/secrets/nuc/maxmind.age deleted file mode 100644 index 8dd1762..0000000 Binary files a/secrets/nuc/maxmind.age and /dev/null differ 
diff --git a/secrets/shared/maxmind.age b/secrets/shared/maxmind.age new file mode 100644 index 0000000..e044982 --- /dev/null +++ b/secrets/shared/maxmind.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ hL+MYiYI/53SAw5Ue9L2E/W1sCwENhTqBReBwlRn6g0 +laaky6yfLkEPofvdZwu64WyVqPcxTt8Lng/uhBHaKjs +-> ssh-ed25519 2TRdXg dXERMyE1LqPxbAKn24SHruqrgKUTSIOLjy66nxiJSiE +lMGTDVxDUSu7r9Lp7mTfCzuTiUONv/K9b6y4mRlLLj8 +-> ssh-ed25519 slrRig Q7EcsiO/jsscDk9hHhtkHVxQ+NRO6O9SSQu4dfCPXG8 +LGCdVmGbMASuGGGuVrom+1ijafq0Sk0PDnyhOv2O2A0 +--- YeAR7BXc2heRrnvLa9YDGRIgI/3EQ3MfIJEZAJen8pY +Mü$¦óNù~KI ÀJÑÏ•èUæ¦.1q¶Y„‹-€"ë/_Øëý 2^“-Dÿ¯¬­Å4ã£/b+ +ô›V^MX_ç® ñ± \ No newline at end of file