fix: caddy denylist and jellyfin prometheus

requires openssh, but removing public key

hosts/flame/default.nix

@@ -49,7 +49,8 @@ inputs.nixpkgs.lib.nixosSystem {
 
       services.caddy.enable = true;
       services.grafana.enable = true;
-      services.prometheus.enable = true;
+      services.openssh.enable = true;
+      services.victoriametrics.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;
       services.minecraft-server.enable = true; # Setup Minecraft server

hosts/swan/default.nix

@@ -56,7 +56,9 @@ inputs.nixpkgs.lib.nixosSystem {
       services.jellyfin.enable = true;
       services.nextcloud.enable = true;
       services.calibre-web.enable = true;
-      services.prometheus.enable = true;
+      services.openssh.enable = true;
+      services.prometheus.enable = false;
+      services.vmagent.enable = true;
       services.samba.enable = true;
 
       cloudflareTunnel = {

hosts/tempest/default.nix

@@ -91,7 +91,9 @@ inputs.nixpkgs.lib.nixosSystem {
         leagueoflegends.enable = true;
         ryujinx.enable = true;
       };
+      services.vmagent.enable = true;
 
+      services.openssh.enable = true; # Required for Cloudflare tunnel
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";

modules/nixos/hardware/zfs.nix

@@ -10,6 +10,13 @@
         config.boot.zfs.package.latestCompatibleLinuxPackages;
       boot.kernelParams = [ "nohibernate" ];
       boot.supportedFilesystems = [ "zfs" ];
+      services.prometheus.exporters.zfs.enable =
+        config.prometheus.exporters.enable;
+      prometheus.scrapeTargets = [
+        "127.0.0.1:${
+          builtins.toString config.services.prometheus.exporters.zfs.port
+        }"
+      ];
 
     };
 

modules/nixos/services/caddy.nix

@@ -30,6 +30,7 @@
             errors.routes = config.caddy.blocks;
             # logs = { }; # Uncomment to collect access logs
           };
+          apps.http.servers.metrics = { }; # Enables Prometheus metrics
           apps.tls.automation.policies = config.caddy.tlsPolicies;
           logging.logs.main = {
             encoder = { format = "console"; };
@@ -47,6 +48,8 @@
       networking.firewall.allowedTCPPorts = [ 80 443 ];
       networking.firewall.allowedUDPPorts = [ 443 ];
 
+      prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
+
     };
 
 }

modules/nixos/services/cloudflare.nix

@@ -41,11 +41,11 @@ in {
   config = lib.mkIf config.cloudflare.enable {
 
     # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.blocks = [{
+    caddy.routes = [{
       match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
       handle = [{
         handler = "static_response";
-        abort = true;
+        status_code = "403";
       }];
     }];
 

modules/nixos/services/default.nix

@@ -24,6 +24,7 @@
     ./sshd.nix
     ./transmission.nix
     ./vaultwarden.nix
+    ./victoriametrics.nix
     ./wireguard.nix
   ];
 

modules/nixos/services/gitea-runner.nix

@@ -10,9 +10,9 @@
       enable = true;
       labels = [
         # Provide a Debian base with NodeJS for actions
-        "debian-latest:docker://node:18-bullseye"
+        # "debian-latest:docker://node:18-bullseye"
         # Fake the Ubuntu name, because Node provides no Ubuntu builds
-        "ubuntu-latest:docker://node:18-bullseye"
+        # "ubuntu-latest:docker://node:18-bullseye"
         # Provide native execution on the host using below packages
         "native:host"
       ];
@@ -31,6 +31,23 @@
       tokenFile = config.secrets.giteaRunnerToken.dest;
     };
 
+    secrets.giteaRunnerToken = {
+      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
+      dest = "${config.secretsDirectory}/gitea-runner-token";
+    };
+    systemd.services.giteaRunnerToken-secret = {
+      requiredBy = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+      before = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+    };
+
   };
 
 }

modules/nixos/services/grafana.nix

@@ -13,7 +13,12 @@
       match = [{ host = [ config.hostnames.metrics ]; }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:3000"; }];
+        upstreams = [{
+          dial = "localhost:${
+              builtins.toString
+              config.services.grafana.settings.server.http_port
+            }";
+        }];
       }];
     }];
 

modules/nixos/services/jellyfin.nix

@@ -5,13 +5,25 @@
     services.jellyfin.group = "media";
     users.users.jellyfin = { isSystemUser = true; };
 
-    caddy.routes = [{
+    caddy.routes = [
-      match = [{ host = [ config.hostnames.stream ]; }];
+      {
-      handle = [{
+        match = [{
-        handler = "reverse_proxy";
+          host = [ config.hostnames.stream ];
-        upstreams = [{ dial = "localhost:8096"; }];
+          path = [ "/metrics*" ];
-      }];
+        }];
-    }];
+        handle = [{
+          handler = "static_response";
+          status_code = "403";
+        }];
+      }
+      {
+        match = [{ host = [ config.hostnames.stream ]; }];
+        handle = [{
+          handler = "reverse_proxy";
+          upstreams = [{ dial = "localhost:8096"; }];
+        }];
+      }
+    ];
 
     # Create videos directory, allow anyone in Jellyfin group to manage it
     systemd.tmpfiles.rules = [
@@ -35,6 +47,9 @@
     users.users.jellyfin.extraGroups =
       [ "render" "video" ]; # Access to /dev/dri
 
+    # Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
+    prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
+
   };
 
 }

modules/nixos/services/nextcloud.nix

@@ -1,9 +1,15 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, lib, ... }:
+
+let
+
+  port = 8080;
+
+in {
 
   config = lib.mkIf config.services.nextcloud.enable {
 
     services.nextcloud = {
-      package = pkgs.nextcloud26; # Required to specify
+      package = pkgs.nextcloud27; # Required to specify
       datadir = "/data/nextcloud";
       https = true;
       hostName = "localhost";
@@ -11,13 +17,14 @@
       config = {
         adminpassFile = config.secrets.nextcloud.dest;
         extraTrustedDomains = [ config.hostnames.content ];
+        trustedProxies = [ "127.0.0.1" ];
       };
     };
 
     # Don't let Nginx use main ports (using Caddy instead)
     services.nginx.virtualHosts."localhost".listen = [{
       addr = "127.0.0.1";
-      port = 8080;
+      port = port;
     }];
 
     # Point Caddy to Nginx
@@ -25,7 +32,7 @@
       match = [{ host = [ config.hostnames.content ]; }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:8080"; }];
+        upstreams = [{ dial = "localhost:${builtins.toString port}"; }];
       }];
     }];
 
@@ -74,6 +81,23 @@
       requires = [ "phpfpm-nextcloud.service" ];
     };
 
+    # Log metrics to prometheus
+    services.prometheus.exporters.nextcloud = {
+      enable = config.prometheus.exporters.enable;
+      username = config.services.nextcloud.config.adminuser;
+      url = "http://localhost:${builtins.toString port}";
+      passwordFile = config.services.nextcloud.config.adminpassFile;
+    };
+    prometheus.scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.nextcloud.port
+      }"
+    ];
+    # Allows nextcloud-exporter to read passwordFile
+    users.users.nextcloud-exporter.extraGroups =
+      lib.mkIf config.services.prometheus.exporters.nextcloud.enable
+      [ "nextcloud" ];
+
   };
 
 }

modules/nixos/services/prometheus.nix

@@ -1,18 +1,58 @@
 { config, pkgs, lib, ... }: {
 
+  options.prometheus = {
+    exporters.enable = lib.mkEnableOption "Enable Prometheus exporters";
+    scrapeTargets = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Prometheus scrape targets";
+      default = [ ];
+    };
+  };
+
   config = let
 
     # If hosting Grafana, host local Prometheus and listen for inbound jobs. If
     # not hosting Grafana, send remote Prometheus writes to primary host.
     isServer = config.services.grafana.enable;
 
-  in lib.mkIf config.services.prometheus.enable {
+  in {
+
+    # Turn on exporters if any Prometheus scraper is running
+    prometheus.exporters.enable = builtins.any (x: x) [
+      config.services.prometheus.enable
+      config.services.victoriametrics.enable
+      config.services.vmagent.enable
+    ];
+
+    prometheus.scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.node.port
+      }"
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.systemd.port
+      }"
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.process.port
+      }"
+    ];
 
     services.prometheus = {
-      exporters.node.enable = true;
+      exporters.node.enable = config.prometheus.exporters.enable;
+      exporters.node.enabledCollectors = [ ];
+      exporters.node.disabledCollectors = [ "cpufreq" ];
+      exporters.systemd.enable = config.prometheus.exporters.enable;
+      exporters.process.enable = config.prometheus.exporters.enable;
+      exporters.process.settings.process_names = [
+        # Remove nix store path from process name
+        {
+          name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
+          cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
+        }
+      ];
+      extraFlags = lib.mkIf isServer [ "--web.enable-remote-write-receiver" ];
       scrapeConfigs = [{
-        job_name = "local";
+        job_name = config.networking.hostName;
-        static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
+        static_configs = [{ targets = config.scrapeTargets; }];
       }];
       webExternalUrl =
         lib.mkIf isServer "https://${config.hostnames.prometheus}";
@@ -28,7 +68,7 @@
         });
       remoteWrite = lib.mkIf (!isServer) [{
         name = config.networking.hostName;
-        url = "https://${config.hostnames.prometheus}";
+        url = "https://${config.hostnames.prometheus}/api/v1/write";
         basic_auth = {
           # Uses password hashed with bcrypt above
           username = "prometheus";
@@ -38,23 +78,26 @@
     };
 
     # Create credentials file for remote Prometheus push
-    secrets.prometheus = lib.mkIf (!isServer) {
+    secrets.prometheus =
-      source = ../../../private/prometheus.age;
+      lib.mkIf (config.services.prometheus.enable && !isServer) {
-      dest = "${config.secretsDirectory}/prometheus";
+        source = ../../../private/prometheus.age;
-      owner = "prometheus";
+        dest = "${config.secretsDirectory}/prometheus";
-      group = "prometheus";
+        owner = "prometheus";
-      permissions = "0440";
+        group = "prometheus";
-    };
+        permissions = "0440";
-    systemd.services.prometheus-secret = lib.mkIf (!isServer) {
+      };
-      requiredBy = [ "prometheus.service" ];
+    systemd.services.prometheus-secret =
-      before = [ "prometheus.service" ];
+      lib.mkIf (config.services.prometheus.enable && !isServer) {
-    };
+        requiredBy = [ "prometheus.service" ];
+        before = [ "prometheus.service" ];
+      };
 
-    caddy.routes = lib.mkIf isServer [{
+    caddy.routes = lib.mkIf (config.services.prometheus.enable && isServer) [{
       match = [{ host = [ config.hostnames.prometheus ]; }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:9090"; }];
+        upstreams =
+          [{ dial = "localhost:${config.services.prometheus.port}"; }];
       }];
     }];
 

modules/nixos/services/secrets.nix

@@ -39,6 +39,11 @@
             type = lib.types.str;
             description = "Permissions expressed as octal.";
           };
+          prefix = lib.mkOption {
+            default = "";
+            type = lib.types.str;
+            description = "Prefix for secret value (for environment files).";
+          };
         };
       });
       description = "Set of secrets to decrypt to disk.";
@@ -65,10 +70,10 @@
         wantedBy = [ "multi-user.target" ];
         serviceConfig.Type = "oneshot";
         script = ''
-          ${pkgs.age}/bin/age --decrypt \
+          echo "${attrs.prefix}$(
-            --identity ${config.identityFile} \
+            ${pkgs.age}/bin/age --decrypt \
-            --output ${attrs.dest} \
+                --identity ${config.identityFile} ${attrs.source}
-            ${attrs.source}
+          )" > ${attrs.dest}
 
           chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
           chmod '${attrs.permissions}' '${attrs.dest}'

modules/nixos/services/sshd.nix

@@ -13,9 +13,8 @@
     };
   };
 
-  config = lib.mkIf (config.publicKey != null) {
+  config = lib.mkIf config.services.openssh.enable {
     services.openssh = {
-      enable = true;
       ports = [ 22 ];
       allowSFTP = true;
       settings = {
@@ -27,7 +26,7 @@
     };
 
     users.users.${config.user}.openssh.authorizedKeys.keys =
-      [ config.publicKey ];
+      lib.mkIf (config.publicKey != null) [ config.publicKey ];
 
     # Implement a simple fail2ban service for sshd
     services.sshguard.enable = true;

modules/nixos/services/victoriametrics.nix

@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+  username = "prometheus";
+
+  prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yml" {
+    scrape_configs = [{
+      job_name = config.networking.hostName;
+      stream_parse = true;
+      static_configs = [{ targets = config.prometheus.scrapeTargets; }];
+    }];
+  };
+
+  authConfig = (pkgs.formats.yaml { }).generate "auth.yml" {
+    users = [{
+      username = username;
+      password = "%{PASSWORD}";
+      url_prefix =
+        "http://localhost${config.services.victoriametrics.listenAddress}";
+    }];
+  };
+
+  authPort = "8427";
+
+in {
+
+  config = {
+
+    services.victoriametrics.extraOptions =
+      [ "-promscrape.config=${prometheusConfig}" ];
+
+    systemd.services.vmauth = lib.mkIf config.services.victoriametrics.enable {
+      description = "VictoriaMetrics basic auth proxy";
+      after = [ "network.target" ];
+      startLimitBurst = 5;
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = 1;
+        DynamicUser = true;
+        EnvironmentFile = config.secrets.vmauth.dest;
+        ExecStart = ''
+          ${pkgs.victoriametrics}/bin/vmauth \
+                    -auth.config=${authConfig} \
+                    -httpListenAddr=:${authPort}'';
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    secrets.vmauth = lib.mkIf config.services.victoriametrics.enable {
+      source = ../../../private/prometheus.age;
+      dest = "${config.secretsDirectory}/vmauth";
+      prefix = "PASSWORD=";
+    };
+    systemd.services.vmauth-secret =
+      lib.mkIf config.services.victoriametrics.enable {
+        requiredBy = [ "vmauth.service" ];
+        before = [ "vmauth.service" ];
+      };
+
+    caddy.routes = lib.mkIf config.services.victoriametrics.enable [{
+      match = [{ host = [ config.hostnames.prometheus ]; }];
+      handle = [{
+        handler = "reverse_proxy";
+        upstreams = [{ dial = "localhost:${authPort}"; }];
+      }];
+    }];
+
+    # VMAgent
+
+    services.vmagent.prometheusConfig = prometheusConfig; # Overwritten below
+    systemd.services.vmagent.serviceConfig =
+      lib.mkIf config.services.vmagent.enable {
+        ExecStart = lib.mkForce ''
+          ${pkgs.victoriametrics}/bin/vmagent \
+                  -promscrape.config=${prometheusConfig} \
+                  -remoteWrite.url="https://${config.hostnames.prometheus}/api/v1/write" \
+                  -remoteWrite.basicAuth.username=${username} \
+                  -remoteWrite.basicAuth.passwordFile=${config.secrets.vmagent.dest}'';
+      };
+
+    secrets.vmagent = lib.mkIf config.services.vmagent.enable {
+      source = ../../../private/prometheus.age;
+      dest = "${config.secretsDirectory}/vmagent";
+      owner = "vmagent";
+      group = "vmagent";
+    };
+    systemd.services.vmagent-secret = lib.mkIf config.services.vmagent.enable {
+      requiredBy = [ "vmagent.service" ];
+      before = [ "vmagent.service" ];
+    };
+
+  };
+
+}

private/gitea-runner-token.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBoOVF1
+NmZocHpQQnRJcWpWUHh2bU93NkdnZWNzSlFiaHdTd24rcHpsczFRCmJaSzNkNGs1
+UDJCN2dYUVE3UTE1OU5RUWljQlN4dmxuUnpOMFYxQTdUaVEKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIE5HdGd6aTlKM0lFUlYzT1VhS05nZ2ZxTndVZHBNQlJxYlovdXkx
+ei96d2cKdzlUYVFFaEIzaS9LZmY3MzM1RmNnR0xjOEpHK1kxM0FMTWRQSlVnczVF
+dwotPiBzc2gtZWQyNTUxOSBuanZYNUEgQ1lhMGQvUy9OWkRBR3BZV1pFNmNtb2pq
+Y2VEUzhRWGVWUkZJY1l4RGtWdwphdFZtM0ZLZURvYVZQYjV4bWVPdWJxa3RmWmVh
+SHl0T0pQWmxnVlFPR2drCi0tLSBnd2lwS3dqUk5Jelg0b3RxbFdEcnJ6ZkkvZTVN
+UllBeUUyOXBxVDBKMG5BCkGo9kj9sMVhbnXVM35lGScAb8r5LH9vf5jOdhLC/Wj2
++uA0ONIh7F2GELzf5Cw1KZJ8aHTURM2r41vZvfAQN1RwrmYOiUzlyMrvTDe78cY=
+-----END AGE ENCRYPTED FILE-----