rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2025-05-31 06:48:47 +02:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

..

No commits in common. "f0a1129c7d94da78435a253f37bf19c2845b4de5" and "7291a93a1a803cd388fbe7d869f25e84a7e7942a" have entirely different histories.
f0a1129c7d ... 7291a93a1a

15 changed files with 75 additions and 283 deletions
flake.lock
hosts
falkenstein
default.nix
modules
caddy
default.nix
logging
default.nix
mail
rspamd.nix
monitoring
default.nix
trucksimulatorbot
default.nix
fujitsu/modules/monitoring
default.nix
nuc/modules
backup
default.nix
caddy
default.nix
monitoring
default.nix
overlays
default.nix
secrets.nix
secrets
nuc
maxmind.age
shared
maxmind.age

24
flake.lock generated
View file

@ -312,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717097707, "lastModified": 1716457508,
"narHash": "sha256-HC5vJ3oYsjwsCaSbkIPv80e4ebJpNvFKQTBOGlHvjLs=", "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0eb314b4f0ba337e88123e0b1e57ef58346aafd9", "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716772633, "lastModified": 1716170277,
"narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -475,11 +475,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1716948383, "lastModified": 1716509168,
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b", "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -623,11 +623,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717103025, "lastModified": 1716449531,
"narHash": "sha256-bn/YPVgu6YmHnKhwMfwIFe7USGvIOC5ge4Ps6o47Tr8=", "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
"owner": "~rouven", "owner": "~rouven",
"repo": "purge", "repo": "purge",
"rev": "4f8f075eeaafc90737216031eb644792a4652ead", "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {

1
hosts/falkenstein/default.nix
View file

@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup ./modules/backup
./modules/caddy ./modules/caddy
./modules/logging
./modules/dns ./modules/dns
./modules/fail2ban ./modules/fail2ban
./modules/mail ./modules/mail

10
hosts/falkenstein/modules/caddy/default.nix
View file

@ -20,14 +20,6 @@ in
enable = true; enable = true;
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
globalConfig = ''
servers {
metrics
}
'';
virtualHosts.":2018".extraConfig = ''
metrics
'';
virtualHosts."${config.networking.domain}".extraConfig = '' virtualHosts."${config.networking.domain}".extraConfig = ''
file_server browse file_server browse
root * /srv/web/${config.networking.domain} root * /srv/web/${config.networking.domain}
@ -36,6 +28,6 @@ in
''; '';
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 2018 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
} }

29
hosts/falkenstein/modules/logging/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }:
{
services.rsyslogd = {
enable = true;
defaultConfig = ''
:programname, isequal, "postfix" /var/log/postfix.log
auth.* -/var/log/auth.log
'';
};
services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
weekly
missingok
notifempty
rotate 4
"/var/log/postfix.log" {
compress
delaycompress
weekly
rotate 156
}
'';
# "/var/log/caddy/*.log" {
# compress
# delaycompress
# weekly
# rotate 26
# }
}

4
hosts/falkenstein/modules/mail/rspamd.nix
View file

@ -7,8 +7,7 @@
postfix.enable = true; postfix.enable = true;
locals = { locals = {
"worker-controller.inc".text = '' "worker-controller.inc".text = ''
secure_ip = [ "0.0.0.0/0", "::/0"]; secure_ip = "0.0.0.0/0";
bind_socket = "0.0.0.0:11334";
''; '';
"redis.conf".text = '' "redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock"; read_servers = "/run/redis-rspamd/redis.sock";
@ -55,7 +54,6 @@
reverse_proxy 127.0.0.1:11334 reverse_proxy 127.0.0.1:11334
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 11334 ];
systemd = { systemd = {
services.rspamd-dmarc-report = { services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter"; description = "rspamd dmarc reporter";

102
hosts/falkenstein/modules/monitoring/default.nix
View file

@ -1,9 +1,5 @@
{ config, ... }: { config, ... }:
{ {
age.secrets."maxmind" = {
file = ../../../../secrets/shared/maxmind.age;
};
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -15,104 +11,6 @@
}; };
}; };
}; };
services.geoipupdate = {
enable = true;
settings = {
AccountID = 1018346;
LicenseKey = config.age.secrets."maxmind".path;
EditionIDs = [
"GeoLite2-ASN"
"GeoLite2-City"
"GeoLite2-Country"
];
DatabaseDirectory = "/var/lib/GeoIP";
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
{
job_name = "caddy_access_log";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "caddy_access_log";
agent = "caddy-promtail";
__path__ = "/var/log/caddy/*.log";
};
}
];
pipeline_stages = [
{
# remove :443 from matrix or rspamd logs
replace = {
expression = ".*(de:443).*";
replace = "de";
};
}
{
json.expressions.remote_ip = "request.remote_ip";
}
{
geoip = {
db = "/var/lib/GeoIP/GeoLite2-City.mmdb";
source = "remote_ip";
db_type = "city";
};
}
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
config.services.prometheus.exporters.postfix.port config.services.prometheus.exporters.postfix.port

1
hosts/falkenstein/modules/trucksimulatorbot/default.nix
View file

@ -35,6 +35,5 @@ in
uri strip_prefix /images uri strip_prefix /images
reverse_proxy unix//run/trucksimulator/images.sock reverse_proxy unix//run/trucksimulator/images.sock
} }
reverse_proxy unix//run/trucksimulator/app.sock
''; '';
} }

53
hosts/fujitsu/modules/monitoring/default.nix
View file

@ -1,6 +1,5 @@
{ config, ... }: { config, ... }:
{ {
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {
@ -9,58 +8,6 @@
}; };
}; };
}; };
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://nuc.vpn.rfive.de:3030/loki/api/v1/push";
}];
scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
]; ];

12
hosts/nuc/modules/backup/default.nix
View file

@ -38,16 +38,4 @@
keep_yearly = 3; keep_yearly = 3;
}; };
}; };
services.postgresqlBackup = {
enable = true;
databases = [
"authentik"
"grafana"
"matrix-synapse"
"mautrix-telegram"
"postgres"
"vaultwarden"
];
};
} }

8
hosts/nuc/modules/caddy/default.nix
View file

@ -4,14 +4,6 @@
enable = true; enable = true;
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
globalConfig = ''
servers {
metrics
}
'';
virtualHosts.":2018".extraConfig = ''
metrics
'';
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib"; systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];

74
hosts/nuc/modules/monitoring/default.nix
View file

@ -8,10 +8,10 @@ in
owner = "grafana"; owner = "grafana";
}; };
age.secrets."maxmind" = { age.secrets."maxmind" = {
file = ../../../../secrets/shared/maxmind.age; file = ../../../../secrets/nuc/maxmind.age;
owner = "grafana";
}; };
users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; users.users."promtail".extraGroups = [ "caddy" ];
networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
# grafana configuration # grafana configuration
# todo: move to own file # todo: move to own file
@ -48,7 +48,6 @@ in
user = "grafana"; user = "grafana";
host = "/run/postgresql"; host = "/run/postgresql";
}; };
auth.disable_login_form = true;
"auth.generic_oauth" = { "auth.generic_oauth" = {
enabled = true; enabled = true;
name = "Authentik"; name = "Authentik";
@ -110,30 +109,6 @@ in
targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ]; targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
}]; }];
} }
{
job_name = "synapse";
static_configs = [{
targets = [ "matrix.rfive.de:8008" ];
}];
metrics_path = "/synapse/metrics";
scrape_interval = "15s";
}
{
job_name = "rspamd";
static_configs = [{
targets = [ "falkenstein.vpn.rfive.de:11334" ];
}];
}
{
job_name = "caddy";
static_configs = [{
targets = [
"falkenstein.vpn.rfive.de:2018"
"nuc.vpn.rfive.de:2018"
];
}];
scrape_interval = "15s";
}
]; ];
}; };
services.loki = { services.loki = {
@ -230,41 +205,6 @@ in
url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}]; }];
scrape_configs = [ scrape_configs = [
{
job_name = "journal";
journal = {
json = false;
max_age = "12h";
path = "/var/log/journal";
labels.job = "systemd-journal";
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal__hostname" ];
target_label = "host";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
{
source_labels = [ "__journal_syslog_identifier" ];
target_label = "syslog_identifier";
}
];
pipeline_stages = [
{
match = {
selector = ''{unit="promtail.servicel"}'';
action = "drop";
};
}
];
}
{ {
job_name = "caddy_access_log"; job_name = "caddy_access_log";
static_configs = [ static_configs = [
@ -279,13 +219,6 @@ in
} }
]; ];
pipeline_stages = [ pipeline_stages = [
{
# remove :443 from matrix or rspamd logs
replace = {
expression = ".*(de:443).*";
replace = "de";
};
}
{ {
json.expressions.remote_ip = "request.remote_ip"; json.expressions.remote_ip = "request.remote_ip";
} }
@ -303,6 +236,7 @@ in
}; };
}; };
# nginx reverse proxy # nginx reverse proxy
services.caddy.virtualHosts.${domain}.extraConfig = '' services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port} reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port}

26
overlays/default.nix
View file

@ -3,6 +3,7 @@ let
inherit (prev) callPackage; inherit (prev) callPackage;
inherit (prev) fetchFromGitHub; inherit (prev) fetchFromGitHub;
inherit (prev) fetchPypi; inherit (prev) fetchPypi;
inherit (prev) fetchpatch;
inherit (prev) makeWrapper; inherit (prev) makeWrapper;
inherit (prev) python3Packages; inherit (prev) python3Packages;
in in
@ -22,6 +23,31 @@ in
# freeimage is broken # freeimage is broken
withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ]; withBackends = [ "libtiff" "libjpeg" "libpng" "librsvg" "libheif" ];
}; };
# don't compile the bloat
rsyslog = prev.rsyslog.override {
withMysql = false;
withJemalloc = false;
withPostgres = false;
withUuid = false;
withCurl = false;
withDbi = false;
withNetSnmp = false;
withGnutls = false;
withGcrypt = false;
withLognorm = false;
withMaxminddb = false;
withOpenssl = false;
withRelp = false;
withKsi = false;
withLogging = false;
withHadoop = false;
withRdkafka = false;
withMongo = false;
withCzmq = false;
withRabbitmq = false;
withHiredis = false;
};
zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec { zsh-fzf-tab = prev.zsh-fzf-tab.overrideAttrs (_: rec {
version = "1.1.1"; version = "1.1.1";
src = fetchFromGitHub { src = fetchFromGitHub {

4
secrets.nix
View file

@ -26,6 +26,7 @@ in
"secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
"secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ]; "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ];
"secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
"secrets/nuc/maxmind.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
@ -36,7 +37,4 @@ in
"secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
#shared
"secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ];
} }

BIN
secrets/nuc/maxmind.age Normal file
View file

Binary file not shown.

10
secrets/shared/maxmind.age
View file

@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ hL+MYiYI/53SAw5Ue9L2E/W1sCwENhTqBReBwlRn6g0
laaky6yfLkEPofvdZwu64WyVqPcxTt8Lng/uhBHaKjs
-> ssh-ed25519 2TRdXg dXERMyE1LqPxbAKn24SHruqrgKUTSIOLjy66nxiJSiE
lMGTDVxDUSu7r9Lp7mTfCzuTiUONv/K9b6y4mRlLLj8
-> ssh-ed25519 slrRig Q7EcsiO/jsscDk9hHhtkHVxQ+NRO6O9SSQu4dfCPXG8
LGCdVmGbMASuGGGuVrom+1ijafq0Sk0PDnyhOv2O2A0
--- YeAR7BXc2heRrnvLa9YDGRIgI/3EQ3MfIJEZAJen8pY
Mü$¦óNù~KI ÀJÑÏ•èUæ¦.1q¶Y„-€"ë/_Øëý 2^“-Dÿ¯¬­Å4ã£/b+
ôV^MX_ç® ñ±