diff --git a/flake.lock b/flake.lock index be7ae2e..a8f4872 100644 --- a/flake.lock +++ b/flake.lock @@ -312,11 +312,11 @@ ] }, "locked": { - "lastModified": 1717097707, - "narHash": "sha256-HC5vJ3oYsjwsCaSbkIPv80e4ebJpNvFKQTBOGlHvjLs=", + "lastModified": 1716457508, + "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=", "owner": "nix-community", "repo": "home-manager", - "rev": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9", + "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05", "type": "github" }, "original": { @@ -460,11 +460,11 @@ ] }, "locked": { - "lastModified": 1716772633, - "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", + "lastModified": 1716170277, + "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", + "rev": "e0638db3db43b582512a7de8c0f8363a162842b9", "type": "github" }, "original": { @@ -475,11 +475,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1716948383, - "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", + "lastModified": 1716509168, + "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ad57eef4ef0659193044870c731987a6df5cf56b", + "rev": "bfb7a882678e518398ce9a31a881538679f6f092", "type": "github" }, "original": { @@ -623,11 +623,11 @@ ] }, "locked": { - "lastModified": 1717103025, - "narHash": "sha256-bn/YPVgu6YmHnKhwMfwIFe7USGvIOC5ge4Ps6o47Tr8=", + "lastModified": 1716449531, + "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=", "owner": "~rouven", "repo": "purge", - "rev": "4f8f075eeaafc90737216031eb644792a4652ead", + "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80", "type": "sourcehut" }, "original": { diff --git a/hosts/falkenstein/default.nix b/hosts/falkenstein/default.nix index 5a657fb..9213bed 100644 --- a/hosts/falkenstein/default.nix +++ b/hosts/falkenstein/default.nix 
@@ -6,6 +6,7 @@
 ./hardware-configuration.nix
 ./modules/backup
 ./modules/caddy
+ ./modules/logging
 ./modules/dns
 ./modules/fail2ban
 ./modules/mail
diff --git a/hosts/falkenstein/modules/caddy/default.nix b/hosts/falkenstein/modules/caddy/default.nix
index 7aa569a..a92eb55 100644
--- a/hosts/falkenstein/modules/caddy/default.nix
+++ b/hosts/falkenstein/modules/caddy/default.nix
@@ -20,14 +20,6 @@ in
 enable = true;
 email = "ca@${config.networking.domain}";
 logFormat = "format console";
- globalConfig = ''
- servers {
- metrics
- }
- '';
- virtualHosts.":2018".extraConfig = ''
- metrics
- '';
 virtualHosts."${config.networking.domain}".extraConfig = ''
 file_server browse
 root * /srv/web/${config.networking.domain}
@@ -36,6 +28,6 @@ in
 '';
 };
 systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
- networking.firewall.allowedTCPPorts = [ 80 443 2018 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 networking.firewall.allowedUDPPorts = [ 443 ];
 }
diff --git a/hosts/falkenstein/modules/logging/default.nix b/hosts/falkenstein/modules/logging/default.nix
new file mode 100644
index 0000000..b858199
--- /dev/null
+++ b/hosts/falkenstein/modules/logging/default.nix
@@ -0,0 +1,29 @@
+ { pkgs, ... }:
+ {
+ services.rsyslogd = {
+ enable = true;
+ defaultConfig = ''
+ :programname, isequal, "postfix" /var/log/postfix.log
+
+ auth.* -/var/log/auth.log
+ '';
+ };
+ services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
+ weekly
+ missingok
+ notifempty
+ rotate 4
+ "/var/log/postfix.log" {
+ compress
+ delaycompress
+ weekly
+ rotate 156
+ }
+ '';
+ # "/var/log/caddy/*.log" {
+ # compress
+ # delaycompress
+ # weekly
+ # rotate 26
+ # }
+ }
diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix
index 15dbdde..f53b21a 100644
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
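Review bot: `/var/log/auth.log` is written by the second rsyslog rule but has no stanza in the logrotate file, and logrotate's top-level `weekly`/`rotate 4` rotate nothing by themselves, so the auth log grows unbounded. The `"/var/log/postfix.log"` stanza also lacks `postrotate` or `copytruncate`; rsyslog holds its descriptor open, so after the rename it keeps appending to the rotated file and the new postfix.log stays empty until the daemon reopens its files. Two things I cannot confirm from the hunk: `services.logrotate.configFile` replaces the generated logrotate config wholesale, which would drop stanzas other NixOS modules contribute, and if rsyslog's `programname` keeps the `postfix/smtpd` suffix the `isequal` match never fires, so `startswith` is the safer operator either way. The sketch below adds the HUP and an auth.log stanza with the same retention as postfix; the unit name is what the NixOS rsyslogd module uses as far as I recall, so please confirm.
```nix
  services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
    # … unchanged: weekly / missingok / notifempty / rotate 4 …
    "/var/log/postfix.log" {
      compress
      delaycompress
      weekly
      rotate 156
      # rsyslog keeps the old descriptor open; make it reopen the file after the rename
      postrotate
        ${pkgs.systemd}/bin/systemctl kill -s HUP syslog.service
      endscript
    }
    "/var/log/auth.log" {
      compress
      delaycompress
      weekly
      rotate 156
      postrotate
        ${pkgs.systemd}/bin/systemctl kill -s HUP syslog.service
      endscript
    }
  '';
```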
@@ -7,8 +7,7 @@
 postfix.enable = true;
 locals = {
 "worker-controller.inc".text = ''
- secure_ip = [ "0.0.0.0/0", "::/0"];
- bind_socket = "0.0.0.0:11334";
+ secure_ip = "0.0.0.0/0";
 '';
 "redis.conf".text = ''
 read_servers = "/run/redis-rspamd/redis.sock";
@@ -55,7 +54,6 @@
 reverse_proxy 127.0.0.1:11334
 '';
 };
- networking.firewall.allowedTCPPorts = [ 11334 ];
 systemd = {
 services.rspamd-dmarc-report = {
 description = "rspamd dmarc reporter";
diff --git a/hosts/falkenstein/modules/monitoring/default.nix b/hosts/falkenstein/modules/monitoring/default.nix
index 4f18bfe..ced57e6 100644
--- a/hosts/falkenstein/modules/monitoring/default.nix
+++ b/hosts/falkenstein/modules/monitoring/default.nix
@@ -1,9 +1,5 @@
 { config, ... }:
 {
- age.secrets."maxmind" = {
- file = ../../../../secrets/shared/maxmind.age;
- };
- users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
 services.prometheus = {
 exporters = {
 node = {
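Review bot: `secure_ip = "0.0.0.0/0";` still tells the controller to accept every client without a password; dropping `bind_socket` and the firewall port removes direct outside access, but the second hunk's `reverse_proxy 127.0.0.1:11334` context shows the Caddy vhost forwarding internet requests to that same controller, whose peer address is then trusted. Unless the vhost gates requests itself (no `basic_auth`/`forward_auth` is visible in this hunk), the rspamd web UI and its control endpoints are reachable without authentication. Either set a controller `password`/`enable_password` from a secret (hashed with `rspamadm pw`), or narrow it to `secure_ip = "127.0.0.1";` and rely on rspamd checking the `X-Forwarded-For` address when the direct peer is in `secure_ip`, as far as I recall it does; the `worker-controller.inc` string is fully inside this hunk, so that is a one-line change plus the password lines.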
@@ -15,104 +11,6 @@
 };
 };
 };
- services.geoipupdate = {
- enable = true;
- settings = {
- AccountID = 1018346;
- LicenseKey = config.age.secrets."maxmind".path;
- EditionIDs = [
- "GeoLite2-ASN"
- "GeoLite2-City"
- "GeoLite2-Country"
- ];
- DatabaseDirectory = "/var/lib/GeoIP";
- };
- };
- services.promtail = {
- enable = true;
- configuration = {
- server = {
- http_listen_port = 3031;
- grpc_listen_port = 0;
- };
- positions = {
- filename = "/tmp/positions.yaml";
- };
- clients = [{
- url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
- }];
- scrape_configs = [
- {
- job_name = "journal";
- journal = {
- json = false;
- max_age = "12h";
- path = "/var/log/journal";
- labels.job = "systemd-journal";
- };
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- {
- source_labels = [ "__journal__hostname" ];
- target_label = "host";
- }
- {
- source_labels = [ "__journal_priority_keyword" ];
- target_label = "level";
- }
- {
- source_labels = [ "__journal_syslog_identifier" ];
- target_label = "syslog_identifier";
- }
- ];
- pipeline_stages = [
- {
- match = {
- selector = ''{unit="promtail.servicel"}'';
- action = "drop";
- };
- }
- ];
- }
- {
- job_name = "caddy_access_log";
- static_configs = [
- {
- targets = [ "localhost" ];
- labels = {
- job = "caddy_access_log";
- agent = "caddy-promtail";
- __path__ = "/var/log/caddy/*.log";
- };
- }
- ];
- pipeline_stages = [
- {
- # remove :443 from matrix or rspamd logs
- replace = {
- expression = ".*(de:443).*";
- replace = "de";
- };
- }
- {
- json.expressions.remote_ip = "request.remote_ip";
- }
- {
- geoip = {
- db = "/var/lib/GeoIP/GeoLite2-City.mmdb";
- source = "remote_ip";
- db_type = "city";
- };
- }
- ];
-
- }
- ];
- };
- };
 networking.firewall.allowedTCPPorts = [
 config.services.prometheus.exporters.node.port
 config.services.prometheus.exporters.postfix.port
diff --git a/hosts/falkenstein/modules/trucksimulatorbot/default.nix b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
index 50002a1..b910134 100644
--- a/hosts/falkenstein/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
@@ -35,6 +35,5 @@ in
 uri strip_prefix /images
 reverse_proxy unix//run/trucksimulator/images.sock
 }
- reverse_proxy unix//run/trucksimulator/app.sock
 '';
 }
diff --git a/hosts/fujitsu/modules/monitoring/default.nix b/hosts/fujitsu/modules/monitoring/default.nix
index 775946a..e394028 100644
--- a/hosts/fujitsu/modules/monitoring/default.nix
+++ b/hosts/fujitsu/modules/monitoring/default.nix
@@ -1,6 +1,5 @@
 { config, ... }:
 {
- users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
 services.prometheus = {
 exporters = {
 node = {
@@ -9,58 +8,6 @@
 };
 };
 };
- services.promtail = {
- enable = true;
- configuration = {
- server = {
- http_listen_port = 3031;
- grpc_listen_port = 0;
- };
- positions = {
- filename = "/tmp/positions.yaml";
- };
- clients = [{
- url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
- }];
- scrape_configs = [
- {
- job_name = "journal";
- journal = {
- json = false;
- max_age = "12h";
- path = "/var/log/journal";
- labels.job = "systemd-journal";
- };
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- {
- source_labels = [ "__journal__hostname" ];
- target_label = "host";
- }
- {
- source_labels = [ "__journal_priority_keyword" ];
- target_label = "level";
- }
- {
- source_labels = [ "__journal_syslog_identifier" ];
- target_label = "syslog_identifier";
- }
- ];
- pipeline_stages = [
- {
- match = {
- selector = ''{unit="promtail.servicel"}'';
- action = "drop";
- };
- }
- ];
- }
- ];
- };
- };
 networking.firewall.allowedTCPPorts = [
 config.services.prometheus.exporters.node.port
 ];
diff --git a/hosts/nuc/modules/backup/default.nix b/hosts/nuc/modules/backup/default.nix
index 9bedef3..bc50c25 100644
--- a/hosts/nuc/modules/backup/default.nix +++ b/hosts/nuc/modules/backup/default.nix @@ -38,16 +38,4 @@ keep_yearly = 3; }; }; - services.postgresqlBackup = { - enable = true; - databases = [ - "authentik" - "grafana" - "matrix-synapse" - "mautrix-telegram" - "postgres" - "vaultwarden" - ]; - }; - } diff --git a/hosts/nuc/modules/caddy/default.nix b/hosts/nuc/modules/caddy/default.nix index 8d6bb3e..563ad7b 100644 --- a/hosts/nuc/modules/caddy/default.nix +++ b/hosts/nuc/modules/caddy/default.nix @@ -4,14 +4,6 @@ enable = true; email = "ca@${config.networking.domain}"; logFormat = "format console"; - globalConfig = '' - servers { - metrics - } - ''; - virtualHosts.":2018".extraConfig = '' - metrics - ''; }; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix index ba3aed7..83211c5 100644 --- a/hosts/nuc/modules/monitoring/default.nix +++ b/hosts/nuc/modules/monitoring/default.nix @@ -8,10 +8,10 @@ in owner = "grafana"; }; age.secrets."maxmind" = { - file = ../../../../secrets/shared/maxmind.age; + file = ../../../../secrets/nuc/maxmind.age; + owner = "grafana"; }; - users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; - networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ]; + users.users."promtail".extraGroups = [ "caddy" ]; # grafana configuration # todo: move to own file @@ -48,7 +48,6 @@ in user = "grafana"; host = "/run/postgresql"; }; - auth.disable_login_form = true; "auth.generic_oauth" = { enabled = true; name = "Authentik"; 
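Review bot: `owner = "grafana";` on the `maxmind` secret hands the MaxMind licence key to the Grafana service account, although nothing in this hunk shows Grafana reading it; on falkenstein the same secret fed `services.geoipupdate`, and Grafana only needs the resulting `.mmdb` files to be readable, not the account key. If the consumer on nuc is geoipupdate as well, the key can stay root-owned and be handed to that service through its own credential handling, keeping the account key out of a web-facing process; if Grafana genuinely needs it, a one-line comment on this attribute saying why would spare the next reader the same question. Closing the Loki firewall port is consistent with no remote promtail pushing any more, but the remaining local client still targets `nuc.vpn.rfive.de` (context in a later hunk of this file); pointing it at the loopback address would, I think, stop it depending on the VPN interface being up.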
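Review bot: dropping `auth.disable_login_form = true;` brings the username/password form back next to the Authentik OIDC login, so the built-in admin account becomes a second way into Grafana. That is reasonable as a break-glass path, but I cannot see from this hunk whether `security.admin_password` (and `admin_user`) is set from a secret; with the default credential in place the form is now the weakest entry point on a vhost that a later hunk shows published through Caddy. Worth either sourcing the admin password from an `age` secret next to the other Grafana secrets, or leaving a comment on this line stating why the form is needed.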
@@ -110,30 +109,6 @@ in targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ]; }]; } - { - job_name = "synapse"; - static_configs = [{ - targets = [ "matrix.rfive.de:8008" ]; - }]; - metrics_path = "/synapse/metrics"; - scrape_interval = "15s"; - } - { - job_name = "rspamd"; - static_configs = [{ - targets = [ "falkenstein.vpn.rfive.de:11334" ]; - }]; - } - { - job_name = "caddy"; - static_configs = [{ - targets = [ - "falkenstein.vpn.rfive.de:2018" - "nuc.vpn.rfive.de:2018" - ]; - }]; - scrape_interval = "15s"; - } ]; }; services.loki = { @@ -230,41 +205,6 @@ in url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; }]; scrape_configs = [ - { - job_name = "journal"; - journal = { - json = false; - max_age = "12h"; - path = "/var/log/journal"; - labels.job = "systemd-journal"; - }; - relabel_configs = [ - { - source_labels = [ "__journal__systemd_unit" ]; - target_label = "unit"; - } - { - source_labels = [ "__journal__hostname" ]; - target_label = "host"; - } - { - source_labels = [ "__journal_priority_keyword" ]; - target_label = "level"; - } - { - source_labels = [ "__journal_syslog_identifier" ]; - target_label = "syslog_identifier"; - } - ]; - pipeline_stages = [ - { - match = { - selector = ''{unit="promtail.servicel"}''; - action = "drop"; - }; - } - ]; - } { job_name = "caddy_access_log"; static_configs = [ @@ -279,13 +219,6 @@ in } ]; pipeline_stages = [ - { - # remove :443 from matrix or rspamd logs - replace = { - expression = ".*(de:443).*"; - replace = "de"; - }; - } { json.expressions.remote_ip = "request.remote_ip"; } @@ -303,6 +236,7 @@ in }; }; + # nginx reverse proxy services.caddy.virtualHosts.${domain}.extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port} diff --git a/overlays/default.nix b/overlays/default.nix index 7e4ccb5..0e02a2a 100644 --- a/overlays/default.nix 
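Review bot: the added comment `# nginx reverse proxy` sits directly above a `services.caddy.virtualHosts` block, so it names the wrong server and will mislead anyone grepping for nginx configuration. Suggest `# caddy reverse proxy in front of grafana`; the vhost body it labels continues past the end of the hunk.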
+++ b/overlays/default.nix @@ -3,6 +3,7 @@ let inherit (prev) callPackage; inherit (prev) fetchFromGitHub; inherit (prev) fetchPypi; + inherit (prev) fetchpatch; inherit (prev) makeWrapper; inherit (prev) python3Packages; in @@ -22,6 +23,31 @@ in # freeimage is broken withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ]; }; + # don't compile the bloat + rsyslog = prev.rsyslog.override { + withMysql = false; + withJemalloc = false; + withPostgres = false; + withUuid = false; + withCurl = false; + withDbi = false; + withNetSnmp = false; + withGnutls = false; + withGcrypt = false; + withLognorm = false; + withMaxminddb = false; + withOpenssl = false; + withRelp = false; + withKsi = false; + withLogging = false; + withHadoop = false; + withRdkafka = false; + withMongo = false; + withCzmq = false; + withRabbitmq = false; + withHiredis = false; + }; + zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec { version = "1.1.1"; src = fetchFromGitHub { diff --git a/secrets.nix b/secrets.nix index 055be04..d068991 100644 --- a/secrets.nix +++ b/secrets.nix @@ -26,6 +26,7 @@ in "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; + "secrets/nuc/maxmind.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; @@ -36,7 +37,4 @@ in "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; - - #shared - "secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ]; } diff --git a/secrets/nuc/maxmind.age b/secrets/nuc/maxmind.age new file mode 100644 index 0000000..8dd1762 Binary files /dev/null and b/secrets/nuc/maxmind.age differ 
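Review bot: the rsyslog override switches off `withGnutls` and `withOpenssl` together, so this build has no TLS transport for forwarding or receiving logs, and `withGcrypt`/`withKsi = false` drop log-signing support as well; that fits a host-local setup like the new logging module, but the only documentation is `# don't compile the bloat`, which does not tell a future reader which capabilities were deliberately given up. Suggest `# local-only rsyslog: no DB/queue outputs, no TLS (gnutls/openssl) and no log signing (gcrypt/ksi); re-enable before forwarding logs off-host`.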
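Review bot: `"secrets/nuc/maxmind.age"` is keyed to `rouven` and `nuc` only, which is the right direction, but the removed `secrets/shared/maxmind.age` was encrypted to falkenstein's host key too and remains decryptable by that key from git history. If withdrawing falkenstein's access is part of the intent, the MaxMind licence key itself needs rotating at the provider and the new file re-encrypting with the fresh value; re-encrypting the old key under fewer recipients revokes nothing. Both hunks of this file are in view; the second only deletes the shared entry.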
diff --git a/secrets/shared/maxmind.age b/secrets/shared/maxmind.age deleted file mode 100644 index e044982..0000000 --- a/secrets/shared/maxmind.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uWbAHQ hL+MYiYI/53SAw5Ue9L2E/W1sCwENhTqBReBwlRn6g0 -laaky6yfLkEPofvdZwu64WyVqPcxTt8Lng/uhBHaKjs --> ssh-ed25519 2TRdXg dXERMyE1LqPxbAKn24SHruqrgKUTSIOLjy66nxiJSiE -lMGTDVxDUSu7r9Lp7mTfCzuTiUONv/K9b6y4mRlLLj8 --> ssh-ed25519 slrRig Q7EcsiO/jsscDk9hHhtkHVxQ+NRO6O9SSQu4dfCPXG8 -LGCdVmGbMASuGGGuVrom+1ijafq0Sk0PDnyhOv2O2A0 ---- YeAR7BXc2heRrnvLa9YDGRIgI/3EQ3MfIJEZAJen8pY -Mü$¦óNù~KI ÀJÑÏ•èUæ¦.1q¶Y„‹-€"ë/_Øëý 2^“-Dÿ¯¬­Å4ã£/b+ -ô›V^MX_ç® ñ± \ No newline at end of file