noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2025-07-08 14:10:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: noah:nixosmodules
Branches Tags
noah:master noah:platform noah:home-manager-fix noah:immich-proxy noah:microcode noah:nixd noah:eblume-mole noah:language-checks noah:keyd-2.4.3 noah:sway noah:nixosmodules noah:unfree-predicate-by-pkgs noah:darwin-ssl
noah:pre-platform noah:begin-nixos noah:begin-nix noah:neovim-lua noah:pre-nix noah:legacy
...
compare: noah:76a7480a1dba5c18247ce17be2e65cad5b63569d
Branches Tags
noah:master noah:platform noah:home-manager-fix noah:immich-proxy noah:microcode noah:nixd noah:eblume-mole noah:language-checks noah:keyd-2.4.3 noah:sway noah:nixosmodules noah:unfree-predicate-by-pkgs noah:darwin-ssl
noah:pre-platform noah:begin-nixos noah:begin-nix noah:neovim-lua noah:pre-nix noah:legacy

4 Commits
nixosmodul ... 76a7480a1d

Author SHA1 Message Date
Noah Masur
76a7480a1d working prometheus setup with processes 2023-07-16 01:04:52 +00:00
Noah Masur
9d4bf082c7 fix: prometheus remote write 2023-07-14 02:52:23 +00:00
Noah Masur
e86b2f184f fix: cloudflare tunnel on tempest 
requires openssh, but removing public key
 2023-07-12 23:33:35 -04:00
Noah Masur
d14054ab17 update to nextcloud 27 2023-07-13 03:22:45 +00:00
7 changed files with 59 additions and 7 deletions
Expand all files Collapse all files

1
hosts/flame/default.nix
View File

@ -49,6 +49,7 @@ inputs.nixpkgs.lib.nixosSystem {
services.caddy.enable = true; services.caddy.enable = true;
services.grafana.enable = true; services.grafana.enable = true;
services.openssh.enable = true;
services.prometheus.enable = true; services.prometheus.enable = true;
services.gitea.enable = true; services.gitea.enable = true;
services.vaultwarden.enable = true; services.vaultwarden.enable = true;

1
hosts/swan/default.nix
View File

@ -56,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
services.jellyfin.enable = true; services.jellyfin.enable = true;
services.nextcloud.enable = true; services.nextcloud.enable = true;
services.calibre-web.enable = true; services.calibre-web.enable = true;
services.openssh.enable = true;
services.prometheus.enable = true; services.prometheus.enable = true;
services.samba.enable = true; services.samba.enable = true;

1
hosts/tempest/default.nix
View File

@ -92,6 +92,7 @@ inputs.nixpkgs.lib.nixosSystem {
ryujinx.enable = true; ryujinx.enable = true;
}; };
services.openssh.enable = true; # Required for Cloudflare tunnel
cloudflareTunnel = { cloudflareTunnel = {
enable = true; enable = true;
id = "ac133a82-31fb-480c-942a-cdbcd4c58173"; id = "ac133a82-31fb-480c-942a-cdbcd4c58173";

6
modules/nixos/hardware/zfs.nix
View File

@ -10,6 +10,12 @@
config.boot.zfs.package.latestCompatibleLinuxPackages; config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelParams = [ "nohibernate" ]; boot.kernelParams = [ "nohibernate" ];
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
services.prometheus.exporters.zfs.enable = true;
scrapeTargets = [
"127.0.0.1:${
builtins.toString config.services.prometheus.exporters.zfs.port
}"
];
}; };

18
modules/nixos/services/nextcloud.nix
View File

@ -3,7 +3,7 @@
config = lib.mkIf config.services.nextcloud.enable { config = lib.mkIf config.services.nextcloud.enable {
services.nextcloud = { services.nextcloud = {
package = pkgs.nextcloud26; # Required to specify package = pkgs.nextcloud27; # Required to specify
datadir = "/data/nextcloud"; datadir = "/data/nextcloud";
https = true; https = true;
hostName = "localhost"; hostName = "localhost";
@ -11,6 +11,7 @@
config = { config = {
adminpassFile = config.secrets.nextcloud.dest; adminpassFile = config.secrets.nextcloud.dest;
extraTrustedDomains = [ config.hostnames.content ]; extraTrustedDomains = [ config.hostnames.content ];
trustedProxies = [ "127.0.0.1" ];
}; };
}; };
@ -74,6 +75,21 @@
requires = [ "phpfpm-nextcloud.service" ]; requires = [ "phpfpm-nextcloud.service" ];
}; };
# Log metrics to prometheus
services.prometheus.exporters.nextcloud = {
enable = true;
username = config.services.nextcloud.config.adminuser;
url = "http://localhost:8080";
passwordFile = config.services.nextcloud.config.adminpassFile;
};
scrapeTargets = [
"127.0.0.1:${
builtins.toString config.services.prometheus.exporters.nextcloud.port
}"
];
# Allows nextcloud-exporter to read passwordFile
users.users.nextcloud-exporter.extraGroups = [ "nextcloud" ];
}; };
} }

34
modules/nixos/services/prometheus.nix
View File

@ -1,5 +1,11 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
options.scrapeTargets = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Prometheus scrape targets";
default = [ ];
};
config = let config = let
# If hosting Grafana, host local Prometheus and listen for inbound jobs. If # If hosting Grafana, host local Prometheus and listen for inbound jobs. If
@ -8,11 +14,33 @@
in lib.mkIf config.services.prometheus.enable { in lib.mkIf config.services.prometheus.enable {
scrapeTargets = [
"127.0.0.1:${
builtins.toString config.services.prometheus.exporters.node.port
}"
"127.0.0.1:${
builtins.toString config.services.prometheus.exporters.systemd.port
}"
"127.0.0.1:${
builtins.toString config.services.prometheus.exporters.process.port
}"
];
services.prometheus = { services.prometheus = {
exporters.node.enable = true; exporters.node.enable = true;
exporters.systemd.enable = true;
exporters.process.enable = true;
exporters.process.settings.process_names = [
# Remove nix store path from process name
{
name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
}
];
extraFlags = lib.mkIf isServer [ "--web.enable-remote-write-receiver" ];
scrapeConfigs = [{ scrapeConfigs = [{
job_name = "local"; job_name = config.networking.hostName;
static_configs = [{ targets = [ "127.0.0.1:9100" ]; }]; static_configs = [{ targets = config.scrapeTargets; }];
}]; }];
webExternalUrl = webExternalUrl =
lib.mkIf isServer "https://${config.hostnames.prometheus}"; lib.mkIf isServer "https://${config.hostnames.prometheus}";
@ -28,7 +56,7 @@
}); });
remoteWrite = lib.mkIf (!isServer) [{ remoteWrite = lib.mkIf (!isServer) [{
name = config.networking.hostName; name = config.networking.hostName;
url = "https://${config.hostnames.prometheus}"; url = "https://${config.hostnames.prometheus}/api/v1/write";
basic_auth = { basic_auth = {
# Uses password hashed with bcrypt above # Uses password hashed with bcrypt above
username = "prometheus"; username = "prometheus";

5
modules/nixos/services/sshd.nix
View File

@ -13,9 +13,8 @@
}; };
}; };
config = lib.mkIf (config.publicKey != null) { config = lib.mkIf config.services.openssh.enable {
services.openssh = { services.openssh = {
enable = true;
ports = [ 22 ]; ports = [ 22 ];
allowSFTP = true; allowSFTP = true;
settings = { settings = {
@ -27,7 +26,7 @@
}; };
users.users.${config.user}.openssh.authorizedKeys.keys = users.users.${config.user}.openssh.authorizedKeys.keys =
[ config.publicKey ]; lib.mkIf (config.publicKey != null) [ config.publicKey ];
# Implement a simple fail2ban service for sshd # Implement a simple fail2ban service for sshd
services.sshguard.enable = true; services.sshguard.enable = true;