rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2025-04-20 05:36:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: rouven.seifert:f0a1129c7d94da78435a253f37bf19c2845b4de5
Branches Tags
rouven.seifert:main
rouven.seifert:push-vxnoqsltyuxy
..
compare: rouven.seifert:7291a93a1a803cd388fbe7d869f25e84a7e7942a
Branches Tags
rouven.seifert:main
rouven.seifert:push-vxnoqsltyuxy

No commits in common. "f0a1129c7d94da78435a253f37bf19c2845b4de5" and "7291a93a1a803cd388fbe7d869f25e84a7e7942a" have entirely different histories.
f0a1129c7d ... 7291a93a1a

15 changed files with 75 additions and 283 deletions
Show stats Expand all files Collapse all files

24
flake.lock generated
View file

@ -312,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717097707, "lastModified": 1716457508,
"narHash": "sha256-HC5vJ3oYsjwsCaSbkIPv80e4ebJpNvFKQTBOGlHvjLs=", "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9", "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716772633, "lastModified": 1716170277,
"narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -475,11 +475,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1716948383, "lastModified": 1716509168,
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b", "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -623,11 +623,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717103025, "lastModified": 1716449531,
"narHash": "sha256-bn/YPVgu6YmHnKhwMfwIFe7USGvIOC5ge4Ps6o47Tr8=", "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
"owner": "~rouven", "owner": "~rouven",
"repo": "purge", "repo": "purge",
"rev": "4f8f075eeaafc90737216031eb644792a4652ead", "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {

1
hosts/falkenstein/default.nix
View file

@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup ./modules/backup
./modules/caddy ./modules/caddy
./modules/logging
./modules/dns ./modules/dns
./modules/fail2ban ./modules/fail2ban
./modules/mail ./modules/mail

10
hosts/falkenstein/modules/caddy/default.nix
View file

@ -20,14 +20,6 @@ in
enable = true; enable = true;
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
globalConfig = ''
servers {
metrics
}
'';
virtualHosts.":2018".extraConfig = ''
metrics
'';
virtualHosts."${config.networking.domain}".extraConfig = '' virtualHosts."${config.networking.domain}".extraConfig = ''
file_server browse file_server browse
root * /srv/web/${config.networking.domain} root * /srv/web/${config.networking.domain}
@ -36,6 +28,6 @@ in
''; '';
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 2018 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
} }

29
hosts/falkenstein/modules/logging/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }:
{
services.rsyslogd = {
enable = true;
defaultConfig = ''
:programname, isequal, "postfix" /var/log/postfix.log
auth.* -/var/log/auth.log
'';
};
services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
weekly
missingok
notifempty
rotate 4
"/var/log/postfix.log" {
compress
delaycompress
weekly
rotate 156
}
'';
# "/var/log/caddy/*.log" {
# compress
# delaycompress
# weekly
# rotate 26
# }
}

4
hosts/falkenstein/modules/mail/rspamd.nix
View file

@ -7,8 +7,7 @@
postfix.enable = true; postfix.enable = true;
locals = { locals = {
"worker-controller.inc".text = '' "worker-controller.inc".text = ''
secure_ip = [ "0.0.0.0/0", "::/0"]; secure_ip = "0.0.0.0/0";
bind_socket = "0.0.0.0:11334";
''; '';
"redis.conf".text = '' "redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock"; read_servers = "/run/redis-rspamd/redis.sock";
@ -55,7 +54,6 @@
reverse_proxy 127.0.0.1:11334 reverse_proxy 127.0.0.1:11334
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 11334 ];
systemd = { systemd = {
services.rspamd-dmarc-report = { services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter"; description = "rspamd dmarc reporter";

102
hosts/falkenstein/modules/monitoring/default.nix
View file

@ -1,9 +1,5 @@
{ config, ... }: { config, ... }:
{ {
age.secrets."maxmind" = {
file = ../../../../secrets/shared/maxmind.age;
};
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -15,104 +11,6 @@
}; };
}; };
}; };
services.geoipupdate = {
enable = true;
settings = {
AccountID = 1018346;
LicenseKey = config.age.secrets."maxmind".path;
EditionIDs = [
"GeoLite2-ASN"
"GeoLite2-City"
"GeoLite2-Country"
];
DatabaseDirectory = "/var/lib/GeoIP";
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
{
job_name = "caddy_access_log";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "caddy_access_log";
agent = "caddy-promtail";
__path__ = "/var/log/caddy/*.log";
};
}
];
pipeline_stages = [
{
# remove :443 from matrix or rspamd logs
replace = {
expression = ".*(de:443).*";
replace = "de";
};
}
{
json.expressions.remote_ip = "request.remote_ip";
}
{
geoip = {
db = "/var/lib/GeoIP/GeoLite2-City.mmdb";
source = "remote_ip";
db_type = "city";
};
}
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
config.services.prometheus.exporters.postfix.port config.services.prometheus.exporters.postfix.port

1
hosts/falkenstein/modules/trucksimulatorbot/default.nix
View file

@ -35,6 +35,5 @@ in
uri strip_prefix /images uri strip_prefix /images
reverse_proxy unix//run/trucksimulator/images.sock reverse_proxy unix//run/trucksimulator/images.sock
} }
reverse_proxy unix//run/trucksimulator/app.sock
''; '';
} }

53
hosts/fujitsu/modules/monitoring/default.nix
View file

@ -1,6 +1,5 @@
{ config, ... }: { config, ... }:
{ {
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -9,58 +8,6 @@
}; };
}; };
}; };
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
]; ];

12
hosts/nuc/modules/backup/default.nix
View file

@ -38,16 +38,4 @@
keep_yearly = 3; keep_yearly = 3;
}; };
}; };
services.postgresqlBackup = {
enable = true;
databases = [
"authentik"
"grafana"
"matrix-synapse"
"mautrix-telegram"
"postgres"
"vaultwarden"
];
};
} }

8
hosts/nuc/modules/caddy/default.nix
View file

@ -4,14 +4,6 @@
enable = true; enable = true;
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
globalConfig = ''
servers {
metrics
}
'';
virtualHosts.":2018".extraConfig = ''
metrics
'';
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];

74
hosts/nuc/modules/monitoring/default.nix
View file

@ -8,10 +8,10 @@ in
owner = "grafana"; owner = "grafana";
}; };
age.secrets."maxmind" = { age.secrets."maxmind" = {
file = ../../../../secrets/shared/maxmind.age; file = ../../../../secrets/nuc/maxmind.age;
owner = "grafana";
}; };
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; users.users."promtail".extraGroups = [ "caddy" ];
networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
# grafana configuration # grafana configuration
# todo: move to own file # todo: move to own file
@ -48,7 +48,6 @@ in
user = "grafana"; user = "grafana";
host = "/run/postgresql"; host = "/run/postgresql";
}; };
auth.disable_login_form = true;
"auth.generic_oauth" = { "auth.generic_oauth" = {
enabled = true; enabled = true;
name = "Authentik"; name = "Authentik";
@ -110,30 +109,6 @@ in
targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ]; targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
}]; }];
} }
{
job_name = "synapse";
static_configs = [{
targets = [ "matrix.rfive.de:8008" ];
}];
metrics_path = "/synapse/metrics";
scrape_interval = "15s";
}
{
job_name = "rspamd";
static_configs = [{
targets = [ "falkenstein.vpn.rfive.de:11334" ];
}];
}
{
job_name = "caddy";
static_configs = [{
targets = [
"falkenstein.vpn.rfive.de:2018"
"nuc.vpn.rfive.de:2018"
];
}];
scrape_interval = "15s";
}
]; ];
}; };
services.loki = { services.loki = {
@ -230,41 +205,6 @@ in
url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}]; }];
scrape_configs = [ scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
{ {
job_name = "caddy_access_log"; job_name = "caddy_access_log";
static_configs = [ static_configs = [
@ -279,13 +219,6 @@ in
} }
]; ];
pipeline_stages = [ pipeline_stages = [
{
# remove :443 from matrix or rspamd logs
replace = {
expression = ".*(de:443).*";
replace = "de";
};
}
{ {
json.expressions.remote_ip = "request.remote_ip"; json.expressions.remote_ip = "request.remote_ip";
} }
@ -303,6 +236,7 @@ in
}; };
}; };
# nginx reverse proxy # nginx reverse proxy
services.caddy.virtualHosts.${domain}.extraConfig = '' services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port} reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port}

26
overlays/default.nix
View file

@ -3,6 +3,7 @@ let
inherit (prev) callPackage; inherit (prev) callPackage;
inherit (prev) fetchFromGitHub; inherit (prev) fetchFromGitHub;
inherit (prev) fetchPypi; inherit (prev) fetchPypi;
inherit (prev) fetchpatch;
inherit (prev) makeWrapper; inherit (prev) makeWrapper;
inherit (prev) python3Packages; inherit (prev) python3Packages;
in in
@ -22,6 +23,31 @@ in
# freeimage is broken # freeimage is broken
withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ]; withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ];
}; };
# don't compile the bloat
rsyslog = prev.rsyslog.override {
withMysql = false;
withJemalloc = false;
withPostgres = false;
withUuid = false;
withCurl = false;
withDbi = false;
withNetSnmp = false;
withGnutls = false;
withGcrypt = false;
withLognorm = false;
withMaxminddb = false;
withOpenssl = false;
withRelp = false;
withKsi = false;
withLogging = false;
withHadoop = false;
withRdkafka = false;
withMongo = false;
withCzmq = false;
withRabbitmq = false;
withHiredis = false;
};
zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec { zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec {
version = "1.1.1"; version = "1.1.1";
src = fetchFromGitHub { src = fetchFromGitHub {

4
secrets.nix
View file

@ -26,6 +26,7 @@ in
"secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
"secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ]; "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ];
"secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
"secrets/nuc/maxmind.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
@ -36,7 +37,4 @@ in
"secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
#shared
"secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ];
} }

BIN
secrets/nuc/maxmind.age Normal file
View file

Binary file not shown.

10
secrets/shared/maxmind.age
View file

@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ hL+MYiYI/53SAw5Ue9L2E/W1sCwENhTqBReBwlRn6g0
laaky6yfLkEPofvdZwu64WyVqPcxTt8Lng/uhBHaKjs
-> ssh-ed25519 2TRdXg dXERMyE1LqPxbAKn24SHruqrgKUTSIOLjy66nxiJSiE
lMGTDVxDUSu7r9Lp7mTfCzuTiUONv/K9b6y4mRlLLj8
-> ssh-ed25519 slrRig Q7EcsiO/jsscDk9hHhtkHVxQ+NRO6O9SSQu4dfCPXG8
LGCdVmGbMASuGGGuVrom+1ijafq0Sk0PDnyhOv2O2A0
--- YeAR7BXc2heRrnvLa9YDGRIgI/3EQ3MfIJEZAJen8pY
Mü$¦óNù~KI ÀJÑÏ•èUæ¦.1q¶Y„-€"ë/_Øëý 2^“-Dÿ¯¬­Å4ã£/b+
ôV^MX_ç® ñ±