rspamd: also whitelist ipv6

more monitoring
nuc: configure database backups
2024-11-15 13:23:11 +01:00 · 2024-05-31 20:49:11 +02:00 · 2024-05-31 14:51:58 +02:00 · 2024-05-31 14:51:25 +02:00 · 2024-05-31 14:50:27 +02:00 · 2024-05-31 14:48:41 +02:00
15 changed files with 283 additions and 75 deletions
--- a/flake.lock
+++ b/flake.lock
@ -312,11 +312,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716457508,
+        "lastModified": 1717097707,
-        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
+        "narHash": "sha256-HC5vJ3oYsjwsCaSbkIPv80e4ebJpNvFKQTBOGlHvjLs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
+        "rev": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9",
        "type": "github"
      },
      "original": {
@ -460,11 +460,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716170277,
+        "lastModified": 1716772633,
-        "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
+        "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
+        "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
        "type": "github"
      },
      "original": {
@ -475,11 +475,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1716509168,
+        "lastModified": 1716948383,
-        "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
+        "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
+        "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
        "type": "github"
      },
      "original": {
@ -623,11 +623,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716449531,
+        "lastModified": 1717103025,
-        "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
+        "narHash": "sha256-bn/YPVgu6YmHnKhwMfwIFe7USGvIOC5ge4Ps6o47Tr8=",
        "owner": "~rouven",
        "repo": "purge",
-        "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
+        "rev": "4f8f075eeaafc90737216031eb644792a4652ead",
        "type": "sourcehut"
      },
      "original": {
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@ -6,7 +6,6 @@
      ./hardware-configuration.nix
      ./modules/backup
      ./modules/caddy
      ./modules/logging
      ./modules/dns
      ./modules/fail2ban
      ./modules/mail
--- a/hosts/falkenstein/modules/caddy/default.nix
+++ b/hosts/falkenstein/modules/caddy/default.nix
@ -20,6 +20,14 @@ in
    enable = true;
    email = "ca@${config.networking.domain}";
    logFormat = "format console";
    globalConfig = ''
      servers {
        metrics
      }
    '';
    virtualHosts.":2018".extraConfig = ''
      metrics
    '';
    virtualHosts."${config.networking.domain}".extraConfig = ''
      file_server browse
      root * /srv/web/${config.networking.domain}
@ -28,6 +36,6 @@ in
    '';
  };
  systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 2018 ];
  networking.firewall.allowedUDPPorts = [ 443 ];
 }
--- a/hosts/falkenstein/modules/logging/default.nix
+++ b/hosts/falkenstein/modules/logging/default.nix
@ -1,29 +0,0 @@
 { pkgs, ... }:
 {
  services.rsyslogd = {
    enable = true;
    defaultConfig = ''
      :programname, isequal, "postfix" /var/log/postfix.log
      auth.*                          -/var/log/auth.log
    '';
  };
  services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
    weekly
    missingok
    notifempty
    rotate 4
    "/var/log/postfix.log" {
      compress
      delaycompress
      weekly
      rotate 156
    }
  '';
  # "/var/log/caddy/*.log" {
  #   compress
  #   delaycompress
  #   weekly
  #   rotate 26
  # }
 }
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
@ -7,7 +7,8 @@
      postfix.enable = true;
      locals = {
        "worker-controller.inc".text = ''
-          secure_ip = "0.0.0.0/0";
+          secure_ip = [ "0.0.0.0/0", "::/0"];
          bind_socket = "0.0.0.0:11334";
        '';
        "redis.conf".text = ''
          read_servers = "/run/redis-rspamd/redis.sock";
@ -54,6 +55,7 @@
      reverse_proxy 127.0.0.1:11334
    '';
  };
  networking.firewall.allowedTCPPorts = [ 11334 ];
  systemd = {
    services.rspamd-dmarc-report = {
      description = "rspamd dmarc reporter";
--- a/hosts/falkenstein/modules/monitoring/default.nix
+++ b/hosts/falkenstein/modules/monitoring/default.nix
@ -1,5 +1,9 @@
 { config, ... }:
 {
  age.secrets."maxmind" = {
    file = ../../../../secrets/shared/maxmind.age;
  };
  users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
  services.prometheus = {
    exporters = {
      node = {
@ -11,6 +15,104 @@
      };
    };
  };
  services.geoipupdate = {
    enable = true;
    settings = {
      AccountID = 1018346;
      LicenseKey = config.age.secrets."maxmind".path;
      EditionIDs = [
        "GeoLite2-ASN"
        "GeoLite2-City"
        "GeoLite2-Country"
      ];
      DatabaseDirectory = "/var/lib/GeoIP";
    };
  };
  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = 3031;
        grpc_listen_port = 0;
      };
      positions = {
        filename = "/tmp/positions.yaml";
      };
      clients = [{
        url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
      }];
      scrape_configs = [
        {
          job_name = "journal";
          journal = {
            json = false;
            max_age = "12h";
            path = "/var/log/journal";
            labels.job = "systemd-journal";
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal__hostname" ];
              target_label = "host";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
            {
              source_labels = [ "__journal_syslog_identifier" ];
              target_label = "syslog_identifier";
            }
          ];
          pipeline_stages = [
            {
              match = {
                selector = ''{unit="promtail.servicel"}'';
                action = "drop";
              };
            }
          ];
        }
        {
          job_name = "caddy_access_log";
          static_configs = [
            {
              targets = [ "localhost" ];
              labels = {
                job = "caddy_access_log";
                agent = "caddy-promtail";
                __path__ = "/var/log/caddy/*.log";
              };
            }
          ];
          pipeline_stages = [
            {
              # remove :443 from matrix or rspamd logs
              replace = {
                expression = ".*(de:443).*";
                replace = "de";
              };
            }
            {
              json.expressions.remote_ip = "request.remote_ip";
            }
            {
              geoip = {
                db = "/var/lib/GeoIP/GeoLite2-City.mmdb";
                source = "remote_ip";
                db_type = "city";
              };
            }
          ];
        }
      ];
    };
  };
  networking.firewall.allowedTCPPorts = [
    config.services.prometheus.exporters.node.port
    config.services.prometheus.exporters.postfix.port
--- a/hosts/falkenstein/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
@ -35,5 +35,6 @@ in
      uri strip_prefix /images
      reverse_proxy unix//run/trucksimulator/images.sock
    }
    reverse_proxy unix//run/trucksimulator/app.sock
  '';
 }
--- a/hosts/fujitsu/modules/monitoring/default.nix
+++ b/hosts/fujitsu/modules/monitoring/default.nix
@ -1,5 +1,6 @@
 { config, ... }:
 {
  users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
  services.prometheus = {
    exporters = {
      node = {
@ -8,6 +9,58 @@
      };
    };
  };
  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = 3031;
        grpc_listen_port = 0;
      };
      positions = {
        filename = "/tmp/positions.yaml";
      };
      clients = [{
        url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
      }];
      scrape_configs = [
        {
          job_name = "journal";
          journal = {
            json = false;
            max_age = "12h";
            path = "/var/log/journal";
            labels.job = "systemd-journal";
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal__hostname" ];
              target_label = "host";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
            {
              source_labels = [ "__journal_syslog_identifier" ];
              target_label = "syslog_identifier";
            }
          ];
          pipeline_stages = [
            {
              match = {
                selector = ''{unit="promtail.servicel"}'';
                action = "drop";
              };
            }
          ];
        }
      ];
    };
  };
  networking.firewall.allowedTCPPorts = [
    config.services.prometheus.exporters.node.port
  ];
--- a/hosts/nuc/modules/backup/default.nix
+++ b/hosts/nuc/modules/backup/default.nix
@ -38,4 +38,16 @@
      keep_yearly = 3;
    };
  };
  services.postgresqlBackup = {
    enable = true;
    databases = [
      "authentik"
      "grafana"
      "matrix-synapse"
      "mautrix-telegram"
      "postgres"
      "vaultwarden"
    ];
  };
 }
--- a/hosts/nuc/modules/caddy/default.nix
+++ b/hosts/nuc/modules/caddy/default.nix
@ -4,6 +4,14 @@
    enable = true;
    email = "ca@${config.networking.domain}";
    logFormat = "format console";
    globalConfig = ''
      servers {
        metrics
      }
    '';
    virtualHosts.":2018".extraConfig = ''
      metrics
    '';
  };
  systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
  networking.firewall.allowedTCPPorts = [ 80 443 ];
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
@ -8,10 +8,10 @@ in
    owner = "grafana";
  };
  age.secrets."maxmind" = {
-    file = ../../../../secrets/nuc/maxmind.age;
+    file = ../../../../secrets/shared/maxmind.age;
    owner = "grafana";
  };
-  users.users."promtail".extraGroups = [ "caddy" ];
+  users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
  networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
  # grafana configuration
  # todo: move to own file
@ -48,6 +48,7 @@ in
        user = "grafana";
        host = "/run/postgresql";
      };
      auth.disable_login_form = true;
      "auth.generic_oauth" = {
        enabled = true;
        name = "Authentik";
@ -109,6 +110,30 @@ in
          targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
        }];
      }
      {
        job_name = "synapse";
        static_configs = [{
          targets = [ "matrix.rfive.de:8008" ];
        }];
        metrics_path = "/synapse/metrics";
        scrape_interval = "15s";
      }
      {
        job_name = "rspamd";
        static_configs = [{
          targets = [ "falkenstein.vpn.rfive.de:11334" ];
        }];
      }
      {
        job_name = "caddy";
        static_configs = [{
          targets = [
            "falkenstein.vpn.rfive.de:2018"
            "nuc.vpn.rfive.de:2018"
          ];
        }];
        scrape_interval = "15s";
      }
    ];
  };
  services.loki = {
@ -205,6 +230,41 @@ in
        url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
      }];
      scrape_configs = [
        {
          job_name = "journal";
          journal = {
            json = false;
            max_age = "12h";
            path = "/var/log/journal";
            labels.job = "systemd-journal";
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal__hostname" ];
              target_label = "host";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
            {
              source_labels = [ "__journal_syslog_identifier" ];
              target_label = "syslog_identifier";
            }
          ];
          pipeline_stages = [
            {
              match = {
                selector = ''{unit="promtail.servicel"}'';
                action = "drop";
              };
            }
          ];
        }
        {
          job_name = "caddy_access_log";
          static_configs = [
@ -219,6 +279,13 @@ in
            }
          ];
          pipeline_stages = [
            {
              # remove :443 from matrix or rspamd logs
              replace = {
                expression = ".*(de:443).*";
                replace = "de";
              };
            }
            {
              json.expressions.remote_ip = "request.remote_ip";
            }
@ -236,7 +303,6 @@ in
    };
  };
  # nginx reverse proxy
  services.caddy.virtualHosts.${domain}.extraConfig = ''
    reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -3,7 +3,6 @@ let
  inherit (prev) callPackage;
  inherit (prev) fetchFromGitHub;
  inherit (prev) fetchPypi;
  inherit (prev) fetchpatch;
  inherit (prev) makeWrapper;
  inherit (prev) python3Packages;
 in
@ -23,31 +22,6 @@ in
    # freeimage is broken
    withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ];
  };
  # don't compile the bloat
  rsyslog = prev.rsyslog.override {
    withMysql = false;
    withJemalloc = false;
    withPostgres = false;
    withUuid = false;
    withCurl = false;
    withDbi = false;
    withNetSnmp = false;
    withGnutls = false;
    withGcrypt = false;
    withLognorm = false;
    withMaxminddb = false;
    withOpenssl = false;
    withRelp = false;
    withKsi = false;
    withLogging = false;
    withHadoop = false;
    withRdkafka = false;
    withMongo = false;
    withCzmq = false;
    withRabbitmq = false;
    withHiredis = false;
  };
  zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec {
    version = "1.1.1";
    src = fetchFromGitHub {
--- a/secrets.nix
+++ b/secrets.nix
@ -26,7 +26,6 @@ in
  "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/maxmind.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
@ -37,4 +36,7 @@ in
  "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
  "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
  "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
  #shared
  "secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ];
 }
--- a/secrets/nuc/maxmind.age
+++ b/secrets/nuc/maxmind.age
--- a/secrets/shared/maxmind.age
+++ b/secrets/shared/maxmind.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 uWbAHQ hL+MYiYI/53SAw5Ue9L2E/W1sCwENhTqBReBwlRn6g0
 laaky6yfLkEPofvdZwu64WyVqPcxTt8Lng/uhBHaKjs
 -> ssh-ed25519 2TRdXg dXERMyE1LqPxbAKn24SHruqrgKUTSIOLjy66nxiJSiE
 lMGTDVxDUSu7r9Lp7mTfCzuTiUONv/K9b6y4mRlLLj8
 -> ssh-ed25519 slrRig Q7EcsiO/jsscDk9hHhtkHVxQ+NRO6O9SSQu4dfCPXG8
 LGCdVmGbMASuGGGuVrom+1ijafq0Sk0PDnyhOv2O2A0
 --- YeAR7BXc2heRrnvLa9YDGRIgI/3EQ3MfIJEZAJen8pY
 Mü$¦óNù~KI ÀJÑÏ•èUæ¦.1q¶Y„‹-€"ë/_Øëý 2^“-Dÿ¯¬Å4ã£/b+
 ô›V^MX_ç®
ñ±
Author	SHA1	Message	Date
Rouven Seifert	f0a1129c7d	rspamd: also whitelist ipv6	2024-05-31 20:49:11 +02:00
Rouven Seifert	d58be54704	more monitoring	2024-05-31 14:51:58 +02:00
Rouven Seifert	3f206d8fe0	nuc: configure database backups	2024-05-31 14:51:25 +02:00
Rouven Seifert	d96a4a341c	falkenstein: remove syslog	2024-05-31 14:50:27 +02:00
Rouven Seifert	f829430b35	nuc: enable loki and promtail	2024-05-31 14:48:41 +02:00