
Compare commits


No commits in common. "f0a1129c7d94da78435a253f37bf19c2845b4de5" and "7291a93a1a803cd388fbe7d869f25e84a7e7942a" have entirely different histories.

15 changed files with 75 additions and 283 deletions
flake.lock
hosts
falkenstein
default.nix
modules
caddy
logging
mail
monitoring
trucksimulatorbot
fujitsu/modules/monitoring
nuc/modules
overlays
secrets.nix
secrets

flake.lock generated

@ -312,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717097707, "lastModified": 1716457508,
"narHash": "sha256-HC5vJ3oYsjwsCaSbkIPv80e4ebJpNvFKQTBOGlHvjLs=", "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9", "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716772633, "lastModified": 1716170277,
"narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -475,11 +475,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1716948383, "lastModified": 1716509168,
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b", "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -623,11 +623,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717103025, "lastModified": 1716449531,
"narHash": "sha256-bn/YPVgu6YmHnKhwMfwIFe7USGvIOC5ge4Ps6o47Tr8=", "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
"owner": "~rouven", "owner": "~rouven",
"repo": "purge", "repo": "purge",
"rev": "4f8f075eeaafc90737216031eb644792a4652ead", "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {


@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup ./modules/backup
./modules/caddy ./modules/caddy
./modules/logging
./modules/dns ./modules/dns
./modules/fail2ban ./modules/fail2ban
./modules/mail ./modules/mail


@ -20,14 +20,6 @@ in
enable = true; enable = true;
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
globalConfig = ''
servers {
metrics
}
'';
virtualHosts.":2018".extraConfig = ''
metrics
'';
virtualHosts."${config.networking.domain}".extraConfig = '' virtualHosts."${config.networking.domain}".extraConfig = ''
file_server browse file_server browse
root * /srv/web/${config.networking.domain} root * /srv/web/${config.networking.domain}
@ -36,6 +28,6 @@ in
''; '';
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 2018 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
} }


@ -0,0 +1,29 @@
{ pkgs, ... }:
{
services.rsyslogd = {
enable = true;
defaultConfig = ''
:programname, isequal, "postfix" /var/log/postfix.log
auth.* -/var/log/auth.log
'';
};
services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
weekly
missingok
notifempty
rotate 4
"/var/log/postfix.log" {
compress
delaycompress
weekly
rotate 156
}
'';
# "/var/log/caddy/*.log" {
# compress
# delaycompress
# weekly
# rotate 26
# }
}
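Review bot: `/var/log/auth.log`, written by the `auth.* -/var/log/auth.log` rule, is created with rsyslog's default file mode, which is world-readable (0644) unless something outside this module overrides it, and it has no stanza in the logrotate file, so it also grows without bound. Because `services.logrotate.configFile` replaces the whole NixOS-generated configuration, entries that other modules contribute through `services.logrotate.settings` are discarded as well. Restrict the mode with `$FileCreateMode 0640` ahead of the selectors and express the rotation through `services.logrotate.settings` so auth.log is covered and other modules' entries survive, as sketched below. The commented-out caddy stanza sits outside the `''` string and is therefore Nix commentary that logrotate never sees; either move it into the configuration or drop it.
```nix
services.rsyslogd = {
  enable = true;
  defaultConfig = ''
    $FileCreateMode 0640
    :programname, isequal, "postfix" /var/log/postfix.log
    auth.* -/var/log/auth.log
  '';
};
services.logrotate.settings = {
  # "header" is the NixOS name for the global section; applies to every entry below
  header = { frequency = "weekly"; missingok = true; notifempty = true; rotate = 4; };
  "/var/log/postfix.log" = { compress = true; delaycompress = true; rotate = 156; };
  "/var/log/auth.log" = { compress = true; delaycompress = true; };
};
```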


@ -7,8 +7,7 @@
postfix.enable = true; postfix.enable = true;
locals = { locals = {
"worker-controller.inc".text = '' "worker-controller.inc".text = ''
secure_ip = [ "0.0.0.0/0", "::/0"]; secure_ip = "0.0.0.0/0";
bind_socket = "0.0.0.0:11334";
''; '';
"redis.conf".text = '' "redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock"; read_servers = "/run/redis-rspamd/redis.sock";
@ -55,7 +54,6 @@
reverse_proxy 127.0.0.1:11334 reverse_proxy 127.0.0.1:11334
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 11334 ];
systemd = { systemd = {
services.rspamd-dmarc-report = { services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter"; description = "rspamd dmarc reporter";
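Review bot: `secure_ip = "0.0.0.0/0";` in the first hunk tells the rspamd controller to treat every client as privileged, so it never asks for `password`/`enable_password`. With the public `bind_socket` and the firewall entry gone, the worker presumably falls back to rspamd's localhost default and is reached only through the `reverse_proxy 127.0.0.1:11334` kept in the second hunk, so every request Caddy forwards arrives from 127.0.0.1 and is accepted without credentials; unless the vhost around that `reverse_proxy` (outside the hunk) enforces its own login, the controller web UI is effectively open to whoever can reach Caddy. Either put authentication in front of the proxy, or delete `secure_ip` and configure a secret-backed `password = "…";` / `enable_password = "…";` pair; if a trusted-address list is still wanted, `secure_ip = [ "127.0.0.1", "::1" ];` states the actual intent without widening it. The `locals` attribute set and the Caddy vhost both continue outside the hunk.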


@ -1,9 +1,5 @@
{ config, ... }: { config, ... }:
{ {
age.secrets."maxmind" = {
file = ../../../../secrets/shared/maxmind.age;
};
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -15,104 +11,6 @@
}; };
}; };
}; };
services.geoipupdate = {
enable = true;
settings = {
AccountID = 1018346;
LicenseKey = config.age.secrets."maxmind".path;
EditionIDs = [
"GeoLite2-ASN"
"GeoLite2-City"
"GeoLite2-Country"
];
DatabaseDirectory = "/var/lib/GeoIP";
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
{
job_name = "caddy_access_log";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "caddy_access_log";
agent = "caddy-promtail";
__path__ = "/var/log/caddy/*.log";
};
}
];
pipeline_stages = [
{
# remove :443 from matrix or rspamd logs
replace = {
expression = ".*(de:443).*";
replace = "de";
};
}
{
json.expressions.remote_ip = "request.remote_ip";
}
{
geoip = {
db = "/var/lib/GeoIP/GeoLite2-City.mmdb";
source = "remote_ip";
db_type = "city";
};
}
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
config.services.prometheus.exporters.postfix.port config.services.prometheus.exporters.postfix.port


@ -35,6 +35,5 @@ in
uri strip_prefix /images uri strip_prefix /images
reverse_proxy unix//run/trucksimulator/images.sock reverse_proxy unix//run/trucksimulator/images.sock
} }
reverse_proxy unix//run/trucksimulator/app.sock
''; '';
} }


@ -1,6 +1,5 @@
{ config, ... }: { config, ... }:
{ {
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -9,58 +8,6 @@
}; };
}; };
}; };
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
]; ];


@ -38,16 +38,4 @@
keep_yearly = 3; keep_yearly = 3;
}; };
}; };
services.postgresqlBackup = {
enable = true;
databases = [
"authentik"
"grafana"
"matrix-synapse"
"mautrix-telegram"
"postgres"
"vaultwarden"
];
};
} }


@ -4,14 +4,6 @@
enable = true; enable = true;
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
globalConfig = ''
servers {
metrics
}
'';
virtualHosts.":2018".extraConfig = ''
metrics
'';
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];


@ -8,10 +8,10 @@ in
owner = "grafana"; owner = "grafana";
}; };
age.secrets."maxmind" = { age.secrets."maxmind" = {
file = ../../../../secrets/shared/maxmind.age; file = ../../../../secrets/nuc/maxmind.age;
owner = "grafana";
}; };
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; users.users."promtail".extraGroups = [ "caddy" ];
networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
# grafana configuration # grafana configuration
# todo: move to own file # todo: move to own file
@ -48,7 +48,6 @@ in
user = "grafana"; user = "grafana";
host = "/run/postgresql"; host = "/run/postgresql";
}; };
auth.disable_login_form = true;
"auth.generic_oauth" = { "auth.generic_oauth" = {
enabled = true; enabled = true;
name = "Authentik"; name = "Authentik";
@ -110,30 +109,6 @@ in
targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ]; targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
}]; }];
} }
{
job_name = "synapse";
static_configs = [{
targets = [ "matrix.rfive.de:8008" ];
}];
metrics_path = "/synapse/metrics";
scrape_interval = "15s";
}
{
job_name = "rspamd";
static_configs = [{
targets = [ "falkenstein.vpn.rfive.de:11334" ];
}];
}
{
job_name = "caddy";
static_configs = [{
targets = [
"falkenstein.vpn.rfive.de:2018"
"nuc.vpn.rfive.de:2018"
];
}];
scrape_interval = "15s";
}
]; ];
}; };
services.loki = { services.loki = {
@ -230,41 +205,6 @@ in
url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}]; }];
scrape_configs = [ scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
{ {
job_name = "caddy_access_log"; job_name = "caddy_access_log";
static_configs = [ static_configs = [
@ -279,13 +219,6 @@ in
} }
]; ];
pipeline_stages = [ pipeline_stages = [
{
# remove :443 from matrix or rspamd logs
replace = {
expression = ".*(de:443).*";
replace = "de";
};
}
{ {
json.expressions.remote_ip = "request.remote_ip"; json.expressions.remote_ip = "request.remote_ip";
} }
@ -303,6 +236,7 @@ in
}; };
}; };
# nginx reverse proxy # nginx reverse proxy
services.caddy.virtualHosts.${domain}.extraConfig = '' services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port} reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port}
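Review bot: Grafana's password login form is reachable again once `auth.disable_login_form = true;` is gone from the second hunk, while `"auth.generic_oauth"` with Authentik remains the intended sign-in path. That re-exposes the built-in admin account and any local users to password guessing on the `${domain}` vhost Caddy proxies in the last hunk; whether `security.admin_password` is pinned from a secret is not visible in this diff. If the form is wanted as a break-glass path, keep it but set `security.admin_password = "$__file{<agenix path>}";` and record the reason, e.g. `# login form kept as OAuth fallback; admin password comes from agenix`; otherwise restore the `disable_login_form` line. The `services.grafana.settings` attribute set continues outside the hunk.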


@ -3,6 +3,7 @@ let
inherit (prev) callPackage; inherit (prev) callPackage;
inherit (prev) fetchFromGitHub; inherit (prev) fetchFromGitHub;
inherit (prev) fetchPypi; inherit (prev) fetchPypi;
inherit (prev) fetchpatch;
inherit (prev) makeWrapper; inherit (prev) makeWrapper;
inherit (prev) python3Packages; inherit (prev) python3Packages;
in in
@ -22,6 +23,31 @@ in
# freeimage is broken # freeimage is broken
withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ]; withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ];
}; };
# don't compile the bloat
rsyslog = prev.rsyslog.override {
withMysql = false;
withJemalloc = false;
withPostgres = false;
withUuid = false;
withCurl = false;
withDbi = false;
withNetSnmp = false;
withGnutls = false;
withGcrypt = false;
withLognorm = false;
withMaxminddb = false;
withOpenssl = false;
withRelp = false;
withKsi = false;
withLogging = false;
withHadoop = false;
withRdkafka = false;
withMongo = false;
withCzmq = false;
withRabbitmq = false;
withHiredis = false;
};
zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec { zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec {
version = "1.1.1"; version = "1.1.1";
src = fetchFromGitHub { src = fetchFromGitHub {
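Review bot: The rsyslog override compiles out both TLS backends (`withGnutls = false;`, `withOpenssl = false;`) and RELP (`withRelp = false;`), so this build can only ever write local files; that matches the file-only rules in modules/logging, but nothing records the constraint, and a later `omfwd`/`@@host` action would either leave the box in plaintext or fail at config load. Replace `# don't compile the bloat` with a comment that states the consequence, e.g. `# local file logging only: TLS (gnutls/openssl) and RELP are compiled out — re-enable one before adding remote forwarding`. The `inherit (prev) fetchpatch;` added in the first hunk is not used by anything shown in this diff; if it serves a patch in an overlay outside the visible hunks that is fine, otherwise it is a stray line.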


@ -26,6 +26,7 @@ in
"secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
"secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ]; "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ];
"secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
"secrets/nuc/maxmind.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
@ -36,7 +37,4 @@ in
"secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
#shared
"secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ];
} }
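Review bot: Moving the MaxMind key from `secrets/shared/maxmind.age` (recipients `rouven nuc falkenstein`) to `secrets/nuc/maxmind.age` (recipients `rouven nuc`) removes falkenstein as a reader only going forward; the old ciphertext, encrypted to three ssh-ed25519 recipients as the deleted file further down shows, stays in git history and falkenstein's host key can still decrypt it. If the intent is that falkenstein no longer holds this credential, rotate the license key at MaxMind before re-encrypting it as the nuc-only secret so the new file carries a key the dropped recipient never had; whether the new binary file already contains a fresh key cannot be checked here. A note next to the entry, `# rotated when moved from secrets/shared; the old ciphertext remains readable by falkenstein via history`, would record that decision.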

secrets/nuc/maxmind.age Normal file

Binary file not shown.


@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ hL+MYiYI/53SAw5Ue9L2E/W1sCwENhTqBReBwlRn6g0
laaky6yfLkEPofvdZwu64WyVqPcxTt8Lng/uhBHaKjs
-> ssh-ed25519 2TRdXg dXERMyE1LqPxbAKn24SHruqrgKUTSIOLjy66nxiJSiE
lMGTDVxDUSu7r9Lp7mTfCzuTiUONv/K9b6y4mRlLLj8
-> ssh-ed25519 slrRig Q7EcsiO/jsscDk9hHhtkHVxQ+NRO6O9SSQu4dfCPXG8
LGCdVmGbMASuGGGuVrom+1ijafq0Sk0PDnyhOv2O2A0
--- YeAR7BXc2heRrnvLa9YDGRIgI/3EQ3MfIJEZAJen8pY
Mü$¦óNù~KI ÀJÑÏ•èUæ¦.1q¶Y„-€"ë/_Øëý 2^“-Dÿ¯¬­Å4ã£/b+
ôV^MX_ç® ñ±