remote prometheus and reconfig server modules

This commit is contained in:
Noah Masur 2023-07-04 16:20:43 -06:00
parent cd0c93c6d9
commit 066ea8e440
17 changed files with 157 additions and 86 deletions

View File

@ -105,7 +105,8 @@
let let
# Global configuration for my systems # Global configuration for my systems
globals = rec { globals = let baseName = "masu.rs";
in rec {
user = "noah"; user = "noah";
fullName = "Noah Masur"; fullName = "Noah Masur";
gitName = fullName; gitName = fullName;
@ -114,6 +115,14 @@
mail.imapHost = "imap.purelymail.com"; mail.imapHost = "imap.purelymail.com";
mail.smtpHost = "smtp.purelymail.com"; mail.smtpHost = "smtp.purelymail.com";
dotfilesRepo = "git@github.com:nmasur/dotfiles"; dotfilesRepo = "git@github.com:nmasur/dotfiles";
gitServer = "git.${baseName}";
metricsServer = "metrics.${baseName}";
prometheusServer = "prom.${baseName}";
secretsServer = "vault.${baseName}";
streamServer = "stream.${baseName}";
contentServer = "cloud.${baseName}";
bookServer = "books.${baseName}";
downloadServer = "download.${baseName}";
}; };
# Common overlays to always use # Common overlays to always use

View File

@ -10,7 +10,7 @@ inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
specialArgs = { }; specialArgs = { };
modules = [ modules = [
(removeAttrs globals [ "mail.server" ]) globals
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
../../modules/common ../../modules/common
../../modules/nixos ../../modules/nixos
@ -43,14 +43,16 @@ inputs.nixpkgs.lib.nixosSystem {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
# Programs and services # Programs and services
caddy.enable = true;
cloudflare.enable = true; # Proxy traffic with Cloudflare cloudflare.enable = true; # Proxy traffic with Cloudflare
dotfiles.enable = true; # Clone dotfiles dotfiles.enable = true; # Clone dotfiles
gaming.minecraft-server.enable = true; # Setup Minecraft server
giteaServer = "git.masu.rs";
metricsServer = "metrics.masu.rs";
neovim.enable = true; neovim.enable = true;
vaultwardenServer = "vault.masu.rs";
services.caddy.enable = true;
services.grafana.enable = true;
services.prometheus.enable = true;
services.gitea.enable = true;
services.vaultwarden.enable = true;
services.minecraft-server.enable = true; # Setup Minecraft server
cloudflareTunnel = { cloudflareTunnel = {
enable = true; enable = true;

View File

@ -48,14 +48,16 @@ inputs.nixpkgs.lib.nixosSystem {
theme = { colors = (import ../../colorscheme/gruvbox).dark; }; theme = { colors = (import ../../colorscheme/gruvbox).dark; };
nixpkgs.overlays = overlays; nixpkgs.overlays = overlays;
neovim.enable = true; neovim.enable = true;
caddy.enable = true;
cloudflare.enable = true; cloudflare.enable = true;
dotfiles.enable = true; dotfiles.enable = true;
streamServer = "stream.masu.rs"; arrs.enable = true;
nextcloudServer = "cloud.masu.rs";
bookServer = "books.masu.rs"; services.caddy.enable = true;
arrServer = "download.masu.rs"; services.jellyfin.enable = true;
samba.enable = true; services.nextcloud.enable = true;
services.calibre-web.enable = true;
services.prometheus.enable = true;
services.samba.enable = true;
cloudflareTunnel = { cloudflareTunnel = {
enable = true; enable = true;

View File

@ -33,7 +33,6 @@
vimium vimium
multi-account-containers multi-account-containers
facebook-container facebook-container
temporary-containers
(lib.mkIf config._1password.enable onepassword-password-manager) (lib.mkIf config._1password.enable onepassword-password-manager)
okta-browser-plugin okta-browser-plugin
sponsorblock sponsorblock

View File

@ -9,10 +9,7 @@ let
in { in {
options.gaming.minecraft-server.enable = config = lib.mkIf config.services.minecraft-server.enable {
lib.mkEnableOption "Minecraft Server.";
config = lib.mkIf config.gaming.minecraft-server.enable {
unfreePackages = [ "minecraft-server" ]; unfreePackages = [ "minecraft-server" ];

View File

@ -1,14 +1,15 @@
{ config, lib, ... }: { { config, lib, ... }: {
options = { options = {
arrServer = lib.mkOption { arrs.enable = lib.mkEnableOption "Arr services";
downloadServer = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Hostname for arr services"; description = "Hostname for download services";
default = null; default = null;
}; };
}; };
config = lib.mkIf (config.arrServer != null) { config = lib.mkIf config.arrs.enable {
services = { services = {
bazarr = { bazarr = {

View File

@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
options = { options = {
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
caddy.tlsPolicies = lib.mkOption { caddy.tlsPolicies = lib.mkOption {
type = lib.types.listOf lib.types.attrs; type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON TLS policies"; description = "Caddy JSON TLS policies";
@ -19,35 +18,35 @@
}; };
}; };
config = lib.mkIf (config.caddy.enable && config.caddy.routes != [ ]) { config =
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
services.caddy = { services.caddy = {
enable = true; adapter = "''"; # Required to enable JSON
adapter = "''"; # Required to enable JSON configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON { apps.http.servers.main = {
apps.http.servers.main = { listen = [ ":443" ];
listen = [ ":443" ]; routes = config.caddy.routes;
routes = config.caddy.routes; errors.routes = config.caddy.blocks;
errors.routes = config.caddy.blocks; # logs = { }; # Uncomment to collect access logs
# logs = { }; # Uncomment to collect access logs
};
apps.tls.automation.policies = config.caddy.tlsPolicies;
logging.logs.main = {
encoder = { format = "console"; };
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/caddy.log";
roll = true;
}; };
level = "INFO"; apps.tls.automation.policies = config.caddy.tlsPolicies;
}; logging.logs.main = {
}); encoder = { format = "console"; };
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/caddy.log";
roll = true;
};
level = "INFO";
};
});
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
};
} }

View File

@ -19,10 +19,9 @@ in {
}; };
}; };
config = lib.mkIf (config.bookServer != null) { config = lib.mkIf config.services.calibre-web.enable {
services.calibre-web = { services.calibre-web = {
enable = true;
openFirewall = true; openFirewall = true;
options = { options = {
reverseProxyAuth.enable = false; reverseProxyAuth.enable = false;

View File

@ -9,6 +9,7 @@
./cloudflare.nix ./cloudflare.nix
./gitea.nix ./gitea.nix
./gnupg.nix ./gnupg.nix
./grafana.nix
./honeypot.nix ./honeypot.nix
./jellyfin.nix ./jellyfin.nix
./keybase.nix ./keybase.nix

View File

@ -6,23 +6,22 @@ in {
options = { options = {
giteaServer = lib.mkOption { gitServer = lib.mkOption {
description = "Hostname for Gitea."; description = "Hostname for git server (Gitea).";
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
}; };
}; };
config = lib.mkIf (config.giteaServer != null) { config = lib.mkIf config.services.gitea.enable {
services.gitea = { services.gitea = {
enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
settings = { settings = {
repository = { repository = {
DEFAULT_PUSH_CREATE_PRIVATE = true; DEFAULT_PUSH_CREATE_PRIVATE = true;
DISABLE_HTTP_GIT = false; DISABLE_HTTP_GIT = false;
ACCESS_CONTROL_ALLOW_ORIGIN = config.giteaServer; ACCESS_CONTROL_ALLOW_ORIGIN = config.gitServer;
ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true; ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_BRANCH = "main"; DEFAULT_BRANCH = "main";
@ -30,7 +29,7 @@ in {
server = { server = {
HTTP_PORT = 3001; HTTP_PORT = 3001;
HTTP_ADDRESS = "127.0.0.1"; HTTP_ADDRESS = "127.0.0.1";
ROOT_URL = "https://${config.giteaServer}/"; ROOT_URL = "https://${config.gitServer}/";
SSH_PORT = 22; SSH_PORT = 22;
START_SSH_SERVER = false; # Use sshd instead START_SSH_SERVER = false; # Use sshd instead
DISABLE_SSH = false; DISABLE_SSH = false;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 122 ]; networking.firewall.allowedTCPPorts = [ 122 ];
caddy.routes = [{ caddy.routes = [{
match = [{ host = [ config.giteaServer ]; }]; match = [{ host = [ config.gitServer ]; }];
handle = [{ handle = [{
handler = "reverse_proxy"; handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3001"; }]; upstreams = [{ dial = "localhost:3001"; }];

View File

@ -0,0 +1,24 @@
{ config, lib, ... }: {
options.metricsServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname of the metrics server.";
default = null;
};
config = lib.mkIf config.services.grafana.enable {
# Required to fix error in latest nixpkgs
services.grafana.settings = { };
caddy.routes = [{
match = [{ host = [ config.metricsServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3000"; }];
}];
}];
};
}

View File

@ -8,9 +8,8 @@
}; };
}; };
config = lib.mkIf (config.streamServer != null) { config = lib.mkIf config.services.jellyfin.enable {
services.jellyfin.enable = true;
services.jellyfin.group = "media"; services.jellyfin.group = "media";
users.users.jellyfin = { isSystemUser = true; }; users.users.jellyfin = { isSystemUser = true; };

View File

@ -2,15 +2,15 @@
options = { options = {
nextcloudServer = lib.mkOption { contentServer = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Hostname for Nextcloud"; description = "Hostname for personal content system (Nextcloud)";
default = null; default = null;
}; };
}; };
config = lib.mkIf (config.nextcloudServer != null) { config = lib.mkIf config.services.nextcloud.enable {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
@ -21,7 +21,7 @@
maxUploadSize = "50G"; maxUploadSize = "50G";
config = { config = {
adminpassFile = config.secrets.nextcloud.dest; adminpassFile = config.secrets.nextcloud.dest;
extraTrustedDomains = [ config.nextcloudServer ]; extraTrustedDomains = [ config.contentServer ];
}; };
}; };
@ -33,7 +33,7 @@
# Point Caddy to Nginx # Point Caddy to Nginx
caddy.routes = [{ caddy.routes = [{
match = [{ host = [ config.nextcloudServer ]; }]; match = [{ host = [ config.contentServer ]; }];
handle = [{ handle = [{
handler = "reverse_proxy"; handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8080"; }]; upstreams = [{ dial = "localhost:8080"; }];

View File

@ -1,32 +1,64 @@
{ config, lib, ... }: { { config, pkgs, lib, ... }: {
options.metricsServer = lib.mkOption { options.prometheusServer = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Hostname of the Grafana server."; description = "Hostname of the Prometheus server.";
default = null; default = null;
}; };
config = lib.mkIf (config.metricsServer != null) { # If hosting Grafana, host local Prometheus and listen for inbound jobs.
# If not hosting Grafana, send remote Prometheus writes to primary host
services.grafana.enable = true; config = lib.mkIf config.services.prometheus.enable {
# Required to fix error in latest nixpkgs
services.grafana.settings = { };
services.prometheus = { services.prometheus = {
enable = true;
exporters.node.enable = true; exporters.node.enable = true;
scrapeConfigs = [{ scrapeConfigs = [{
job_name = "local"; job_name = "local";
static_configs = [{ targets = [ "127.0.0.1:9100" ]; }]; static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
}]; }];
webExternalUrl = lib.mkIf config.services.grafana.enable
"https://${config.prometheusServer}";
webConfigFile =
lib.mkIf config.services.grafana.enable (pkgs.formats.yaml { }).generate
"webconfig.yml" {
basic_auth_users = {
# Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
# Encrypt and place in private/prometheus.age
"prometheus" =
"$2y$10$r7FWHLHTGPAY312PdhkPEuvb05aGn9Nk1IO7qtUUUjmaDl35l6sLa";
};
};
remoteWrite = lib.mkIf (!config.services.grafana.enable) [{
name = config.networking.hostName;
url = "https://${config.prometheusServer}";
basic_auth = {
# Uses password hashed with bcrypt above
username = "prometheus";
password_file = config.secrets.prometheus.dest;
};
}];
}; };
caddy.routes = [{ # Create credentials file for remote Prometheus push
match = [{ host = [ config.metricsServer ]; }]; secrets.prometheus = lib.mkIf (!config.services.grafana.enable) {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/prometheus";
owner = "prometheus";
group = "prometheus";
permissions = "0440";
};
systemd.services.prometheus-secret =
lib.mkIf (!config.services.grafana.enable) {
requiredBy = [ "prometheus.service" ];
before = [ "prometheus.service" ];
};
caddy.routes = lib.mkIf config.services.grafana.enable [{
match = [{ host = [ config.prometheusServer ]; }];
handle = [{ handle = [{
handler = "reverse_proxy"; handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3000"; }]; upstreams = [{ dial = "localhost:9090"; }];
}]; }];
}]; }];

View File

@ -1,11 +1,8 @@
{ config, lib, ... }: { { config, lib, ... }: {
options = { samba.enable = lib.mkEnableOption "Enable Samba sharing."; };
config = { config = {
services.samba = lib.mkIf (config.samba.enable) { services.samba = lib.mkIf config.services.samba.enable {
enable = true;
openFirewall = true; openFirewall = true;
shares.data = { shares.data = {
path = "/data"; path = "/data";

View File

@ -6,19 +6,18 @@ in {
options = { options = {
vaultwardenServer = lib.mkOption { secretsServer = lib.mkOption {
description = "Hostname for Vaultwarden."; description = "Hostname for passwords and secrets (Vaultwarden).";
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
}; };
}; };
config = lib.mkIf (config.vaultwardenServer != null) { config = lib.mkIf config.services.vaultwarden.enable {
services.vaultwarden = { services.vaultwarden = {
enable = true;
config = { config = {
DOMAIN = "https://${config.vaultwardenServer}"; DOMAIN = "https://${config.secretsServer}";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true; SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = true; INVITATIONS_ALLOWED = true;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 3012 ]; networking.firewall.allowedTCPPorts = [ 3012 ];
caddy.routes = [{ caddy.routes = [{
match = [{ host = [ config.vaultwardenServer ]; }]; match = [{ host = [ config.secretsServer ]; }];
handle = [{ handle = [{
handler = "reverse_proxy"; handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8222"; }]; upstreams = [{ dial = "localhost:8222"; }];

12
private/prometheus.age Normal file
View File

@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBDRWNi
YlJubmg1Ly94cHgxbHV3dStaRkZDRXdNZzVjRCt0R2RNMFkxUEZNCnJxZnc1UHFB
MURselZuL1U5OHFQb0tPLytWelRzYXlvNngya3RQOXREUEkKLT4gc3NoLWVkMjU1
MTkgWXlTVU1RIDRiR2ZEMUZsYTlGbXFoR0NyZXVXMEZmS3BONDNFQUo4VU1XNkZ0
ZWFzMHcKM1crbDVsR2VmVTFNckxaa21MTW9UVWE3Z01qMi9VT0kwMm80V0tMSWM1
bwotPiBzc2gtZWQyNTUxOSBuanZYNUEgd0tIampOVU5ZeWtxNWZpaGdFQTBlWlha
Z0lBQWp0dzhMRHU5UnVzWVlUSQpnUHlCZ0w5Z1hMYm1Dc1UxQ1lLRHlnaUhJQllW
RGMvTEhhc29VL2JXZnhNCi0tLSB6TThQbmV0eFJ0d2pZd1h0c2RuTGFzUHhyYWJp
b2RhVTNkSXczRGJpN1UwCt7I+OsqQdQbFXhYPV5/kqDAr/jVoJ9H5PSfdLkeVIrr
AqScUaOrdctUZEBIF8/FouJkSbIiU8muBNrBKx9CylI=
-----END AGE ENCRYPTED FILE-----