remote prometheus and reconfig server modules

This commit is contained in:
Noah Masur
2023-07-04 16:20:43 -06:00
parent cd0c93c6d9
commit 066ea8e440
17 changed files with 157 additions and 86 deletions


@ -33,7 +33,6 @@
vimium
multi-account-containers
facebook-container
temporary-containers
(lib.mkIf config._1password.enable onepassword-password-manager)
okta-browser-plugin
sponsorblock


@ -9,10 +9,7 @@ let
in {
options.gaming.minecraft-server.enable =
lib.mkEnableOption "Minecraft Server.";
config = lib.mkIf config.gaming.minecraft-server.enable {
config = lib.mkIf config.services.minecraft-server.enable {
unfreePackages = [ "minecraft-server" ];


@ -1,14 +1,15 @@
{ config, lib, ... }: {
options = {
arrServer = lib.mkOption {
arrs.enable = lib.mkEnableOption "Arr services";
downloadServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname for arr services";
description = "Hostname for download services";
default = null;
};
};
config = lib.mkIf (config.arrServer != null) {
config = lib.mkIf config.arrs.enable {
services = {
bazarr = {


@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }: {
options = {
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
caddy.tlsPolicies = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON TLS policies";
@ -19,35 +18,35 @@
};
};
config = lib.mkIf (config.caddy.enable && config.caddy.routes != [ ]) {
config =
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
services.caddy = {
enable = true;
adapter = "''"; # Required to enable JSON
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
routes = config.caddy.routes;
errors.routes = config.caddy.blocks;
# logs = { }; # Uncomment to collect access logs
};
apps.tls.automation.policies = config.caddy.tlsPolicies;
logging.logs.main = {
encoder = { format = "console"; };
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/caddy.log";
roll = true;
services.caddy = {
adapter = "''"; # Required to enable JSON
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
routes = config.caddy.routes;
errors.routes = config.caddy.blocks;
# logs = { }; # Uncomment to collect access logs
};
level = "INFO";
};
});
apps.tls.automation.policies = config.caddy.tlsPolicies;
logging.logs.main = {
encoder = { format = "console"; };
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/caddy.log";
roll = true;
};
level = "INFO";
};
});
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
};
}
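Review bot: Most of the second hunk appears to be re-indentation caused by splitting `config =` and `lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {` across two lines, which buries the two substantive changes (the guard now reads `services.caddy.enable`, and `enable = true;` is gone from `services.caddy`). Keeping the guard on one line, `config = lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {`, or moving the reformat into its own commit would keep the logic change reviewable. Since `caddy.enable` is removed in the first hunk, a host that still sets it fails evaluation with an undefined-option error rather than silently losing its reverse proxy, which is the safer failure mode; the 80/443 firewall openings stay tied to the same guard. The module's `options` set continues outside the hunks.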


@ -19,10 +19,9 @@ in {
};
};
config = lib.mkIf (config.bookServer != null) {
config = lib.mkIf config.services.calibre-web.enable {
services.calibre-web = {
enable = true;
openFirewall = true;
options = {
reverseProxyAuth.enable = false;
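Review bot: The new guard `config = lib.mkIf config.services.calibre-web.enable { services.calibre-web = { enable = true; ... }; }` defines `services.calibre-web.enable` under a condition that reads that same option, which the module system evaluates as a self-reference and rejects with an infinite-recursion error; the rendered view does not show whether the `enable = true;` line below the guard is deleted by this commit, so this applies only if it survives. The caddy and samba sections drop their `enable = true;` lines, and the gitea, jellyfin, nextcloud and vaultwarden sections carry the same pattern; the prometheus section's `services.prometheus = { enable = true;` is new code and is certainly affected. Either remove the `enable = true;` line (the host then enables the service itself with `services.calibre-web.enable = true;`) or keep a separate switch as the previous `config.bookServer != null` test was. The enclosing attribute set continues outside the hunk.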


@ -9,6 +9,7 @@
./cloudflare.nix
./gitea.nix
./gnupg.nix
./grafana.nix
./honeypot.nix
./jellyfin.nix
./keybase.nix


@ -6,23 +6,22 @@ in {
options = {
giteaServer = lib.mkOption {
description = "Hostname for Gitea.";
gitServer = lib.mkOption {
description = "Hostname for git server (Gitea).";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config = lib.mkIf (config.giteaServer != null) {
config = lib.mkIf config.services.gitea.enable {
services.gitea = {
enable = true;
database.type = "sqlite3";
settings = {
repository = {
DEFAULT_PUSH_CREATE_PRIVATE = true;
DISABLE_HTTP_GIT = false;
ACCESS_CONTROL_ALLOW_ORIGIN = config.giteaServer;
ACCESS_CONTROL_ALLOW_ORIGIN = config.gitServer;
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_BRANCH = "main";
@ -30,7 +29,7 @@ in {
server = {
HTTP_PORT = 3001;
HTTP_ADDRESS = "127.0.0.1";
ROOT_URL = "https://${config.giteaServer}/";
ROOT_URL = "https://${config.gitServer}/";
SSH_PORT = 22;
START_SSH_SERVER = false; # Use sshd instead
DISABLE_SSH = false;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 122 ];
caddy.routes = [{
match = [{ host = [ config.giteaServer ]; }];
match = [{ host = [ config.gitServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3001"; }];
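Review bot: Replacing the guard `config.giteaServer != null` with `config.services.gitea.enable` removes the only check that the hostname is set, yet the block still interpolates it in `ROOT_URL = "https://${config.gitServer}/"` and places it in the Caddy `host` matcher; with the default `null`, the first fails evaluation with a string-coercion error and the second serializes to a JSON `null` host match that Caddy is unlikely to accept, so a host that enables Gitea without setting `gitServer` gets a broken build or an unexpected proxy route. An assertion makes the requirement explicit: `assertions = [{ assertion = config.gitServer != null; message = "gitServer must be set when services.gitea.enable is true"; }];`. The same gap exists for `contentServer` in the nextcloud section, `secretsServer` in the vaultwarden section, `metricsServer` in the new grafana module and `prometheusServer` in the prometheus section. The enclosing `services.gitea` set starts and ends outside the hunks.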


@ -0,0 +1,24 @@
{ config, lib, ... }: {
options.metricsServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname of the metrics server.";
default = null;
};
config = lib.mkIf config.services.grafana.enable {
# Required to fix error in latest nixpkgs
services.grafana.settings = { };
caddy.routes = [{
match = [{ host = [ config.metricsServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3000"; }];
}];
}];
};
}
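Review bot: `services.grafana.settings = { };` leaves Grafana's `server` settings at their defaults even though this module publishes it behind Caddy under `metricsServer`, so generated links and redirects would use Grafana's default local domain; consider `services.grafana.settings.server = { domain = config.metricsServer; root_url = "https://${config.metricsServer}"; };` in the same block. The comment `# Required to fix error in latest nixpkgs` does not say which error or nixpkgs version triggered it; something like `# NOTE: empty settings needed to work around <error> in nixpkgs <version>; drop once fixed upstream` lets the workaround be removed later. If the admin password is not configured elsewhere, Grafana falls back to its default admin credentials on a publicly routed hostname, so a `security.admin_password` entry sourced from a secrets file belongs alongside the server settings.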


@ -8,9 +8,8 @@
};
};
config = lib.mkIf (config.streamServer != null) {
config = lib.mkIf config.services.jellyfin.enable {
services.jellyfin.enable = true;
services.jellyfin.group = "media";
users.users.jellyfin = { isSystemUser = true; };


@ -2,15 +2,15 @@
options = {
nextcloudServer = lib.mkOption {
contentServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname for Nextcloud";
description = "Hostname for personal content system (Nextcloud)";
default = null;
};
};
config = lib.mkIf (config.nextcloudServer != null) {
config = lib.mkIf config.services.nextcloud.enable {
services.nextcloud = {
enable = true;
@ -21,7 +21,7 @@
maxUploadSize = "50G";
config = {
adminpassFile = config.secrets.nextcloud.dest;
extraTrustedDomains = [ config.nextcloudServer ];
extraTrustedDomains = [ config.contentServer ];
};
};
@ -33,7 +33,7 @@
# Point Caddy to Nginx
caddy.routes = [{
match = [{ host = [ config.nextcloudServer ]; }];
match = [{ host = [ config.contentServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8080"; }];


@ -1,32 +1,64 @@
{ config, lib, ... }: {
{ config, pkgs, lib, ... }: {
options.metricsServer = lib.mkOption {
options.prometheusServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname of the Grafana server.";
description = "Hostname of the Prometheus server.";
default = null;
};
config = lib.mkIf (config.metricsServer != null) {
# If hosting Grafana, host local Prometheus and listen for inbound jobs.
# If not hosting Grafana, send remote Prometheus writes to primary host
services.grafana.enable = true;
# Required to fix error in latest nixpkgs
services.grafana.settings = { };
config = lib.mkIf config.services.prometheus.enable {
services.prometheus = {
enable = true;
exporters.node.enable = true;
scrapeConfigs = [{
job_name = "local";
static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
}];
webExternalUrl = lib.mkIf config.services.grafana.enable
"https://${config.prometheusServer}";
webConfigFile =
lib.mkIf config.services.grafana.enable (pkgs.formats.yaml { }).generate
"webconfig.yml" {
basic_auth_users = {
# Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
# Encrypt and place in private/prometheus.age
"prometheus" =
"$2y$10$r7FWHLHTGPAY312PdhkPEuvb05aGn9Nk1IO7qtUUUjmaDl35l6sLa";
};
};
remoteWrite = lib.mkIf (!config.services.grafana.enable) [{
name = config.networking.hostName;
url = "https://${config.prometheusServer}";
basic_auth = {
# Uses password hashed with bcrypt above
username = "prometheus";
password_file = config.secrets.prometheus.dest;
};
}];
};
caddy.routes = [{
match = [{ host = [ config.metricsServer ]; }];
# Create credentials file for remote Prometheus push
secrets.prometheus = lib.mkIf (!config.services.grafana.enable) {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/prometheus";
owner = "prometheus";
group = "prometheus";
permissions = "0440";
};
systemd.services.prometheus-secret =
lib.mkIf (!config.services.grafana.enable) {
requiredBy = [ "prometheus.service" ];
before = [ "prometheus.service" ];
};
caddy.routes = lib.mkIf config.services.grafana.enable [{
match = [{ host = [ config.prometheusServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3000"; }];
upstreams = [{ dial = "localhost:9090"; }];
}];
}];
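Review bot: The `remoteWrite` entry sends to `url = "https://${config.prometheusServer}"` with no path, but Prometheus serves its remote-write receiver at `/api/v1/write` and only when started with `--web.enable-remote-write-receiver`, neither of which this hunk sets, so pushes from the non-Grafana hosts would be rejected by the primary's Prometheus (the Caddy route proxies to `localhost:9090` unchanged). Suggested: `url = "https://${config.prometheusServer}/api/v1/write";` on the sending side and `extraFlags = lib.mkIf config.services.grafana.enable [ "--web.enable-remote-write-receiver" ];` inside `services.prometheus` on the receiving side, unless the receiver is enabled elsewhere. Keeping only the bcrypt hash in `webConfigFile` while the plaintext lives in the age secret with `0440` permissions is the right split, and the basic-auth protection also covers the receiver once it is enabled. The `caddy.routes` list continues outside the hunk.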


@ -1,11 +1,8 @@
{ config, lib, ... }: {
options = { samba.enable = lib.mkEnableOption "Enable Samba sharing."; };
config = {
services.samba = lib.mkIf (config.samba.enable) {
enable = true;
services.samba = lib.mkIf config.services.samba.enable {
openFirewall = true;
shares.data = {
path = "/data";


@ -6,19 +6,18 @@ in {
options = {
vaultwardenServer = lib.mkOption {
description = "Hostname for Vaultwarden.";
secretsServer = lib.mkOption {
description = "Hostname for passwords and secrets (Vaultwarden).";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config = lib.mkIf (config.vaultwardenServer != null) {
config = lib.mkIf config.services.vaultwarden.enable {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${config.vaultwardenServer}";
DOMAIN = "https://${config.secretsServer}";
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = true;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 3012 ];
caddy.routes = [{
match = [{ host = [ config.vaultwardenServer ]; }];
match = [{ host = [ config.secretsServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8222"; }];