set caddy prometheus port dynamically

requires openssh, but removing public key

hosts/flame/default.nix

@@ -49,6 +49,7 @@ inputs.nixpkgs.lib.nixosSystem {
 
       services.caddy.enable = true;
       services.grafana.enable = true;
+      services.openssh.enable = true;
       services.prometheus.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;

hosts/swan/default.nix

@@ -56,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.jellyfin.enable = true;
       services.nextcloud.enable = true;
       services.calibre-web.enable = true;
+      services.openssh.enable = true;
       services.prometheus.enable = true;
       services.samba.enable = true;
 

hosts/tempest/default.nix

@@ -92,6 +92,7 @@ inputs.nixpkgs.lib.nixosSystem {
         ryujinx.enable = true;
       };
 
+      services.openssh.enable = true; # Required for Cloudflare tunnel
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";

modules/nixos/hardware/zfs.nix

@@ -10,6 +10,12 @@
         config.boot.zfs.package.latestCompatibleLinuxPackages;
       boot.kernelParams = [ "nohibernate" ];
       boot.supportedFilesystems = [ "zfs" ];
+      services.prometheus.exporters.zfs.enable = true;
+      scrapeTargets = [
+        "127.0.0.1:${
+          builtins.toString config.services.prometheus.exporters.zfs.port
+        }"
+      ];
 
     };
 

modules/nixos/services/gitea-runner.nix

@@ -10,9 +10,9 @@
       enable = true;
       labels = [
         # Provide a Debian base with NodeJS for actions
-        "debian-latest:docker://node:18-bullseye"
+        # "debian-latest:docker://node:18-bullseye"
         # Fake the Ubuntu name, because Node provides no Ubuntu builds
-        "ubuntu-latest:docker://node:18-bullseye"
+        # "ubuntu-latest:docker://node:18-bullseye"
         # Provide native execution on the host using below packages
         "native:host"
       ];
@@ -31,6 +31,23 @@
       tokenFile = config.secrets.giteaRunnerToken.dest;
     };
 
+    secrets.giteaRunnerToken = {
+      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
+      dest = "${config.secretsDirectory}/gitea-runner-token";
+    };
+    systemd.services.giteaRunnerToken-secret = {
+      requiredBy = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+      before = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+    };
+
   };
 
 }

modules/nixos/services/nextcloud.nix

@@ -3,7 +3,7 @@
   config = lib.mkIf config.services.nextcloud.enable {
 
     services.nextcloud = {
-      package = pkgs.nextcloud26; # Required to specify
+      package = pkgs.nextcloud27; # Required to specify
       datadir = "/data/nextcloud";
       https = true;
       hostName = "localhost";
@@ -11,6 +11,7 @@
       config = {
         adminpassFile = config.secrets.nextcloud.dest;
         extraTrustedDomains = [ config.hostnames.content ];
+        trustedProxies = [ "127.0.0.1" ];
       };
     };
 
@@ -74,6 +75,21 @@
       requires = [ "phpfpm-nextcloud.service" ];
     };
 
+    # Log metrics to prometheus
+    services.prometheus.exporters.nextcloud = {
+      enable = true;
+      username = config.services.nextcloud.config.adminuser;
+      url = "http://localhost:8080";
+      passwordFile = config.services.nextcloud.config.adminpassFile;
+    };
+    scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.nextcloud.port
+      }"
+    ];
+    # Allows nextcloud-exporter to read passwordFile
+    users.users.nextcloud-exporter.extraGroups = [ "nextcloud" ];
+
   };
 
 }

modules/nixos/services/prometheus.nix

@@ -1,5 +1,11 @@
 { config, pkgs, lib, ... }: {
 
+  options.scrapeTargets = lib.mkOption {
+    type = lib.types.listOf lib.types.str;
+    description = "Prometheus scrape targets";
+    default = [ ];
+  };
+
   config = let
 
     # If hosting Grafana, host local Prometheus and listen for inbound jobs. If
@@ -8,11 +14,33 @@
 
   in lib.mkIf config.services.prometheus.enable {
 
+    scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.node.port
+      }"
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.systemd.port
+      }"
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.process.port
+      }"
+    ];
+
     services.prometheus = {
       exporters.node.enable = true;
+      exporters.systemd.enable = true;
+      exporters.process.enable = true;
+      exporters.process.settings.process_names = [
+        # Remove nix store path from process name
+        {
+          name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
+          cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
+        }
+      ];
+      extraFlags = lib.mkIf isServer [ "--web.enable-remote-write-receiver" ];
       scrapeConfigs = [{
-        job_name = "local";
-        static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
+        job_name = config.networking.hostName;
+        static_configs = [{ targets = config.scrapeTargets; }];
       }];
       webExternalUrl =
         lib.mkIf isServer "https://${config.hostnames.prometheus}";
@@ -28,7 +56,7 @@
         });
       remoteWrite = lib.mkIf (!isServer) [{
         name = config.networking.hostName;
-        url = "https://${config.hostnames.prometheus}";
+        url = "https://${config.hostnames.prometheus}/api/v1/write";
         basic_auth = {
           # Uses password hashed with bcrypt above
           username = "prometheus";
@@ -54,7 +82,8 @@
       match = [{ host = [ config.hostnames.prometheus ]; }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:9090"; }];
+        upstreams =
+          [{ dial = "localhost:${config.services.prometheus.port}"; }];
       }];
     }];
 

modules/nixos/services/sshd.nix

@@ -13,9 +13,8 @@
     };
   };
 
-  config = lib.mkIf (config.publicKey != null) {
+  config = lib.mkIf config.services.openssh.enable {
     services.openssh = {
-      enable = true;
       ports = [ 22 ];
       allowSFTP = true;
       settings = {
@@ -27,7 +26,7 @@
     };
 
     users.users.${config.user}.openssh.authorizedKeys.keys =
-      [ config.publicKey ];
+      lib.mkIf (config.publicKey != null) [ config.publicKey ];
 
     # Implement a simple fail2ban service for sshd
     services.sshguard.enable = true;

private/gitea-runner-token.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBoOVF1
+NmZocHpQQnRJcWpWUHh2bU93NkdnZWNzSlFiaHdTd24rcHpsczFRCmJaSzNkNGs1
+UDJCN2dYUVE3UTE1OU5RUWljQlN4dmxuUnpOMFYxQTdUaVEKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIE5HdGd6aTlKM0lFUlYzT1VhS05nZ2ZxTndVZHBNQlJxYlovdXkx
+ei96d2cKdzlUYVFFaEIzaS9LZmY3MzM1RmNnR0xjOEpHK1kxM0FMTWRQSlVnczVF
+dwotPiBzc2gtZWQyNTUxOSBuanZYNUEgQ1lhMGQvUy9OWkRBR3BZV1pFNmNtb2pq
+Y2VEUzhRWGVWUkZJY1l4RGtWdwphdFZtM0ZLZURvYVZQYjV4bWVPdWJxa3RmWmVh
+SHl0T0pQWmxnVlFPR2drCi0tLSBnd2lwS3dqUk5Jelg0b3RxbFdEcnJ6ZkkvZTVN
+UllBeUUyOXBxVDBKMG5BCkGo9kj9sMVhbnXVM35lGScAb8r5LH9vf5jOdhLC/Wj2
++uA0ONIh7F2GELzf5Cw1KZJ8aHTURM2r41vZvfAQN1RwrmYOiUzlyMrvTDe78cY=
+-----END AGE ENCRYPTED FILE-----