remote prometheus and reconfig server modules

This commit is contained in:
Noah Masur 2023-07-04 16:20:43 -06:00
parent cd0c93c6d9
commit 066ea8e440
17 changed files with 157 additions and 86 deletions


@ -105,7 +105,8 @@
let
# Global configuration for my systems
globals = rec {
globals = let baseName = "masu.rs";
in rec {
user = "noah";
fullName = "Noah Masur";
gitName = fullName;
@ -114,6 +115,14 @@
mail.imapHost = "imap.purelymail.com";
mail.smtpHost = "smtp.purelymail.com";
dotfilesRepo = "git@github.com:nmasur/dotfiles";
gitServer = "git.${baseName}";
metricsServer = "metrics.${baseName}";
prometheusServer = "prom.${baseName}";
secretsServer = "vault.${baseName}";
streamServer = "stream.${baseName}";
contentServer = "cloud.${baseName}";
bookServer = "books.${baseName}";
downloadServer = "download.${baseName}";
};
# Common overlays to always use


@ -10,7 +10,7 @@ inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { };
modules = [
(removeAttrs globals [ "mail.server" ])
globals
inputs.home-manager.nixosModules.home-manager
../../modules/common
../../modules/nixos
@ -43,14 +43,16 @@ inputs.nixpkgs.lib.nixosSystem {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
# Programs and services
caddy.enable = true;
cloudflare.enable = true; # Proxy traffic with Cloudflare
dotfiles.enable = true; # Clone dotfiles
gaming.minecraft-server.enable = true; # Setup Minecraft server
giteaServer = "git.masu.rs";
metricsServer = "metrics.masu.rs";
neovim.enable = true;
vaultwardenServer = "vault.masu.rs";
services.caddy.enable = true;
services.grafana.enable = true;
services.prometheus.enable = true;
services.gitea.enable = true;
services.vaultwarden.enable = true;
services.minecraft-server.enable = true; # Setup Minecraft server
cloudflareTunnel = {
enable = true;


@ -48,14 +48,16 @@ inputs.nixpkgs.lib.nixosSystem {
theme = { colors = (import ../../colorscheme/gruvbox).dark; };
nixpkgs.overlays = overlays;
neovim.enable = true;
caddy.enable = true;
cloudflare.enable = true;
dotfiles.enable = true;
streamServer = "stream.masu.rs";
nextcloudServer = "cloud.masu.rs";
bookServer = "books.masu.rs";
arrServer = "download.masu.rs";
samba.enable = true;
arrs.enable = true;
services.caddy.enable = true;
services.jellyfin.enable = true;
services.nextcloud.enable = true;
services.calibre-web.enable = true;
services.prometheus.enable = true;
services.samba.enable = true;
cloudflareTunnel = {
enable = true;


@ -33,7 +33,6 @@
vimium
multi-account-containers
facebook-container
temporary-containers
(lib.mkIf config._1password.enable onepassword-password-manager)
okta-browser-plugin
sponsorblock


@ -9,10 +9,7 @@ let
in {
options.gaming.minecraft-server.enable =
lib.mkEnableOption "Minecraft Server.";
config = lib.mkIf config.gaming.minecraft-server.enable {
config = lib.mkIf config.services.minecraft-server.enable {
unfreePackages = [ "minecraft-server" ];
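Review bot: The `options.gaming.minecraft-server.enable` declaration at the top of this hunk is no longer consulted once the config block is keyed on `config.services.minecraft-server.enable`; if it survives on the new side (this rendering dropped the +/- markers), it is a dead option that a host can set to `true` with no effect. Remove the two `options.gaming.minecraft-server.enable = lib.mkEnableOption "Minecraft Server.";` lines so the only switch is the upstream `services.minecraft-server.enable`, which the host config in this commit already uses. The `config` attrset continues past the end of the hunk.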


@ -1,14 +1,15 @@
{ config, lib, ... }: {
options = {
arrServer = lib.mkOption {
arrs.enable = lib.mkEnableOption "Arr services";
downloadServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname for arr services";
description = "Hostname for download services";
default = null;
};
};
config = lib.mkIf (config.arrServer != null) {
config = lib.mkIf config.arrs.enable {
services = {
bazarr = {
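Review bot: `downloadServer` keeps its `null` default, but the new `lib.mkIf config.arrs.enable` guard no longer requires it to be set, so a host that enables `arrs` without a hostname evaluates `null` wherever the module uses it (the rest of the module, presumably its Caddy route, is outside this hunk). Make the coupling explicit inside the `mkIf` block: `assertions = [{ assertion = config.downloadServer != null; message = "downloadServer must be set when arrs.enable is true"; }];`. The same gap appears in every other module this commit switches from a `!= null` guard to `services.<name>.enable` — calibre-web, gitea, jellyfin, nextcloud, vaultwarden, grafana and prometheus — each of which should assert its hostname option the same way.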


@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }: {
options = {
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
caddy.tlsPolicies = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON TLS policies";
@ -19,10 +18,10 @@
};
};
config = lib.mkIf (config.caddy.enable && config.caddy.routes != [ ]) {
config =
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
services.caddy = {
enable = true;
adapter = "''"; # Required to enable JSON
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
apps.http.servers.main = {
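Review bot: `enable = true;` under `services.caddy` sits inside a `lib.mkIf` whose condition reads `config.services.caddy.enable`; if that line is retained on the new side (this rendering lost the +/- markers, while the samba hunk in this commit visibly drops its equivalent line), the module system pushes the `mkIf` down onto `services.caddy.enable` itself and evaluating the option recurses into its own condition. Drop the line, as done for samba, and let the host's `services.caddy.enable = true;` be the sole definition. The same self-referencing `enable = true;` appears under `services.nextcloud` and `services.prometheus` in this commit. The `config` attrset continues past the end of the hunk.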


@ -19,10 +19,9 @@ in {
};
};
config = lib.mkIf (config.bookServer != null) {
config = lib.mkIf config.services.calibre-web.enable {
services.calibre-web = {
enable = true;
openFirewall = true;
options = {
reverseProxyAuth.enable = false;


@ -9,6 +9,7 @@
./cloudflare.nix
./gitea.nix
./gnupg.nix
./grafana.nix
./honeypot.nix
./jellyfin.nix
./keybase.nix


@ -6,23 +6,22 @@ in {
options = {
giteaServer = lib.mkOption {
description = "Hostname for Gitea.";
gitServer = lib.mkOption {
description = "Hostname for git server (Gitea).";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config = lib.mkIf (config.giteaServer != null) {
config = lib.mkIf config.services.gitea.enable {
services.gitea = {
enable = true;
database.type = "sqlite3";
settings = {
repository = {
DEFAULT_PUSH_CREATE_PRIVATE = true;
DISABLE_HTTP_GIT = false;
ACCESS_CONTROL_ALLOW_ORIGIN = config.giteaServer;
ACCESS_CONTROL_ALLOW_ORIGIN = config.gitServer;
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_BRANCH = "main";
@ -30,7 +29,7 @@ in {
server = {
HTTP_PORT = 3001;
HTTP_ADDRESS = "127.0.0.1";
ROOT_URL = "https://${config.giteaServer}/";
ROOT_URL = "https://${config.gitServer}/";
SSH_PORT = 22;
START_SSH_SERVER = false; # Use sshd instead
DISABLE_SSH = false;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 122 ];
caddy.routes = [{
match = [{ host = [ config.giteaServer ]; }];
match = [{ host = [ config.gitServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3001"; }];


@ -0,0 +1,24 @@
{ config, lib, ... }: {
options.metricsServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname of the metrics server.";
default = null;
};
config = lib.mkIf config.services.grafana.enable {
# Required to fix error in latest nixpkgs
services.grafana.settings = { };
caddy.routes = [{
match = [{ host = [ config.metricsServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3000"; }];
}];
}];
};
}
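Review bot: `services.grafana.settings = { };` leaves Grafana's server settings at their defaults even though the module publishes it through Caddy at `config.metricsServer`; behind a reverse proxy Grafana should know its public name so generated links and redirects use it rather than localhost: `services.grafana.settings.server = { domain = config.metricsServer; root_url = "https://${config.metricsServer}"; };`. The comment `# Required to fix error in latest nixpkgs` should name the error being worked around, so the empty attrset can be removed once the upstream fix lands; something like `# nixpkgs <VERSION-PLACEHOLDER> fails evaluation when services.grafana.settings is unset` with the actual version filled in.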


@ -8,9 +8,8 @@
};
};
config = lib.mkIf (config.streamServer != null) {
config = lib.mkIf config.services.jellyfin.enable {
services.jellyfin.enable = true;
services.jellyfin.group = "media";
users.users.jellyfin = { isSystemUser = true; };


@ -2,15 +2,15 @@
options = {
nextcloudServer = lib.mkOption {
contentServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname for Nextcloud";
description = "Hostname for personal content system (Nextcloud)";
default = null;
};
};
config = lib.mkIf (config.nextcloudServer != null) {
config = lib.mkIf config.services.nextcloud.enable {
services.nextcloud = {
enable = true;
@ -21,7 +21,7 @@
maxUploadSize = "50G";
config = {
adminpassFile = config.secrets.nextcloud.dest;
extraTrustedDomains = [ config.nextcloudServer ];
extraTrustedDomains = [ config.contentServer ];
};
};
@ -33,7 +33,7 @@
# Point Caddy to Nginx
caddy.routes = [{
match = [{ host = [ config.nextcloudServer ]; }];
match = [{ host = [ config.contentServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8080"; }];


@ -1,32 +1,64 @@
{ config, lib, ... }: {
{ config, pkgs, lib, ... }: {
options.metricsServer = lib.mkOption {
options.prometheusServer = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Hostname of the Grafana server.";
description = "Hostname of the Prometheus server.";
default = null;
};
config = lib.mkIf (config.metricsServer != null) {
# If hosting Grafana, host local Prometheus and listen for inbound jobs.
# If not hosting Grafana, send remote Prometheus writes to primary host
services.grafana.enable = true;
# Required to fix error in latest nixpkgs
services.grafana.settings = { };
config = lib.mkIf config.services.prometheus.enable {
services.prometheus = {
enable = true;
exporters.node.enable = true;
scrapeConfigs = [{
job_name = "local";
static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
}];
webExternalUrl = lib.mkIf config.services.grafana.enable
"https://${config.prometheusServer}";
webConfigFile =
lib.mkIf config.services.grafana.enable (pkgs.formats.yaml { }).generate
"webconfig.yml" {
basic_auth_users = {
# Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
# Encrypt and place in private/prometheus.age
"prometheus" =
"$2y$10$r7FWHLHTGPAY312PdhkPEuvb05aGn9Nk1IO7qtUUUjmaDl35l6sLa";
};
};
remoteWrite = lib.mkIf (!config.services.grafana.enable) [{
name = config.networking.hostName;
url = "https://${config.prometheusServer}";
basic_auth = {
# Uses password hashed with bcrypt above
username = "prometheus";
password_file = config.secrets.prometheus.dest;
};
}];
};
caddy.routes = [{
match = [{ host = [ config.metricsServer ]; }];
# Create credentials file for remote Prometheus push
secrets.prometheus = lib.mkIf (!config.services.grafana.enable) {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/prometheus";
owner = "prometheus";
group = "prometheus";
permissions = "0440";
};
systemd.services.prometheus-secret =
lib.mkIf (!config.services.grafana.enable) {
requiredBy = [ "prometheus.service" ];
before = [ "prometheus.service" ];
};
caddy.routes = lib.mkIf config.services.grafana.enable [{
match = [{ host = [ config.prometheusServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:3000"; }];
upstreams = [{ dial = "localhost:9090"; }];
}];
}];
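Review bot: The `remoteWrite` entry posts to `https://${config.prometheusServer}` with no path, but Prometheus's remote-write receiver is served at `/api/v1/write`, so the non-Grafana hosts would push to the UI root and fail instead of shipping metrics; use `url = "https://${config.prometheusServer}/api/v1/write";`. On the receiving side nothing in this hunk turns the receiver on — it is off by default and needs `extraFlags = lib.mkIf config.services.grafana.enable [ "--web.enable-remote-write-receiver" ];` under `services.prometheus`, unless that flag is set outside the hunk. The `webConfigFile` basic auth presumably applies to every request on port 9090, including Grafana's own datasource queries on localhost, so the Grafana datasource (not configured in this commit) will also need the `prometheus` credentials. The `config` attrset continues past the end of the hunk.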


@ -1,11 +1,8 @@
{ config, lib, ... }: {
options = { samba.enable = lib.mkEnableOption "Enable Samba sharing."; };
config = {
services.samba = lib.mkIf (config.samba.enable) {
enable = true;
services.samba = lib.mkIf config.services.samba.enable {
openFirewall = true;
shares.data = {
path = "/data";


@ -6,19 +6,18 @@ in {
options = {
vaultwardenServer = lib.mkOption {
description = "Hostname for Vaultwarden.";
secretsServer = lib.mkOption {
description = "Hostname for passwords and secrets (Vaultwarden).";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config = lib.mkIf (config.vaultwardenServer != null) {
config = lib.mkIf config.services.vaultwarden.enable {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${config.vaultwardenServer}";
DOMAIN = "https://${config.secretsServer}";
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = true;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 3012 ];
caddy.routes = [{
match = [{ host = [ config.vaultwardenServer ]; }];
match = [{ host = [ config.secretsServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8222"; }];

private/prometheus.age Normal file

@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----