From 7976c4820af11dc19051370985fd54536d1f6daa Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Tue, 26 Dec 2023 11:45:12 +0100 Subject: [PATCH] Move metrics,gitea,vaultwarden from voyager to defiant --- common/metrics-exporters.nix | 2 +- hosts/defiant/configuration.nix | 10 +++++ hosts/{voyager => defiant}/services/gitea.nix | 28 +++++++------ .../dashboards/node-exporter-full.json | 0 .../services/metrics/dashboards/openwrt.json | 0 .../dashboards/synology-nas-details.json | 0 .../services/metrics/default.nix | 0 .../services/metrics/grafana.nix | 4 ++ .../services/metrics/loki.nix | 5 +-- .../services/metrics/prometheus.nix | 15 +++++-- .../services/metrics/snmp-exporter.nix | 0 hosts/defiant/services/nginx.nix | 1 + hosts/defiant/services/pihole.nix | 7 +++- .../services/vaultwarden.nix | 40 +++++++++---------- hosts/voyager/configuration.nix | 3 -- hosts/voyager/filesystems.nix | 6 ++- secrets/defiant/defiant.yaml | 6 ++- 17 files changed, 78 insertions(+), 49 deletions(-) rename hosts/{voyager => defiant}/services/gitea.nix (67%) rename hosts/{voyager => defiant}/services/metrics/dashboards/node-exporter-full.json (100%) rename hosts/{voyager => defiant}/services/metrics/dashboards/openwrt.json (100%) rename hosts/{voyager => defiant}/services/metrics/dashboards/synology-nas-details.json (100%) rename hosts/{voyager => defiant}/services/metrics/default.nix (100%) rename hosts/{voyager => defiant}/services/metrics/grafana.nix (95%) rename hosts/{voyager => defiant}/services/metrics/loki.nix (92%) rename hosts/{voyager => defiant}/services/metrics/prometheus.nix (77%) rename hosts/{voyager => defiant}/services/metrics/snmp-exporter.nix (100%) rename hosts/{voyager => defiant}/services/vaultwarden.nix (66%) diff --git a/common/metrics-exporters.nix b/common/metrics-exporters.nix index 6ebad35..26a9b10 100644 --- a/common/metrics-exporters.nix +++ b/common/metrics-exporters.nix @@ -25,7 +25,7 @@ }; clients = [ { - url = "http://voyager.home.feal.no:3100/loki/api/v1/push"; + url = "http://grafana.home.feal.no:3100/loki/api/v1/push"; } ]; scrape_configs = [ diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix index 776c5c0..7650fde 100644 --- a/hosts/defiant/configuration.nix +++ b/hosts/defiant/configuration.nix @@ -13,6 +13,9 @@ ./services/flame.nix ./services/hedgedoc.nix ./services/pihole.nix + ./services/gitea.nix + ./services/vaultwarden.nix + ./services/metrics ]; networking = { @@ -33,6 +36,13 @@ zfs ]; + boot = { + zfs.extraPools = [ "tank" ]; + supportedFilesystems = [ "zfs" ]; + kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + }; + services.prometheus.exporters.zfs.enable = true; + virtualisation.docker.enable = true; virtualisation.oci-containers.backend = "docker"; diff --git a/hosts/voyager/services/gitea.nix b/hosts/defiant/services/gitea.nix similarity index 67% rename from hosts/voyager/services/gitea.nix rename to hosts/defiant/services/gitea.nix index 5a5d315..9781829 100644 --- a/hosts/voyager/services/gitea.nix +++ b/hosts/defiant/services/gitea.nix @@ -3,23 +3,26 @@ let cfg = config.services.gitea; domain = "git.feal.no"; httpPort = 3004; - #sshPort = 2222; + sshPort = 2222; in { services.gitea = { enable = true; appName = "felixalbs Gitea"; - database = { - type = "postgres"; - }; + database.type = "postgres"; + stateDir = "/tank/services/gitea"; settings = { server = { - LANDING_PAGE=''"/felixalb"''; - HTTP_PORT = httpPort; - /* SSH_PORT = sshPort; */ - SSH_DOMAIN = "voyager.home.feal.no"; + # Serve on local unix socket, exposed in hosts/defiant/services/nginx.nix + PROTOCOL = "http+unix"; DOMAIN = domain; ROOT_URL = "https://${domain}"; + LANDING_PAGE=''"/felixalb"''; + + SSH_PORT = sshPort; + SSH_LISTEN_PORT = sshPort; + START_SSH_SERVER = true; + BUILTIN_SSH_SERVER_USER = "git"; }; service.DISABLE_REGISTRATION = true; @@ -47,12 +50,13 @@ in { }; # TODO: - # - dump (automatic backups) + # - Backup + # - services.gitea.dump? + # - ZFS snapshots? # - configure mailer }; - systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/gitea/work"; + systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; - networking.firewall.allowedTCPPorts = [ httpPort ]; - /* networking.firewall.allowedTCPPorts = [ httpPort sshPort ]; */ + networking.firewall.allowedTCPPorts = [ sshPort ]; } diff --git a/hosts/voyager/services/metrics/dashboards/node-exporter-full.json b/hosts/defiant/services/metrics/dashboards/node-exporter-full.json similarity index 100% rename from hosts/voyager/services/metrics/dashboards/node-exporter-full.json rename to hosts/defiant/services/metrics/dashboards/node-exporter-full.json diff --git a/hosts/voyager/services/metrics/dashboards/openwrt.json b/hosts/defiant/services/metrics/dashboards/openwrt.json similarity index 100% rename from hosts/voyager/services/metrics/dashboards/openwrt.json rename to hosts/defiant/services/metrics/dashboards/openwrt.json diff --git a/hosts/voyager/services/metrics/dashboards/synology-nas-details.json b/hosts/defiant/services/metrics/dashboards/synology-nas-details.json similarity index 100% rename from hosts/voyager/services/metrics/dashboards/synology-nas-details.json rename to hosts/defiant/services/metrics/dashboards/synology-nas-details.json diff --git a/hosts/voyager/services/metrics/default.nix b/hosts/defiant/services/metrics/default.nix similarity index 100% rename from hosts/voyager/services/metrics/default.nix rename to hosts/defiant/services/metrics/default.nix diff --git a/hosts/voyager/services/metrics/grafana.nix b/hosts/defiant/services/metrics/grafana.nix similarity index 95% rename from hosts/voyager/services/metrics/grafana.nix rename to hosts/defiant/services/metrics/grafana.nix index 80d23f8..a6f477a 100644 --- a/hosts/voyager/services/metrics/grafana.nix +++ b/hosts/defiant/services/metrics/grafana.nix @@ -5,6 +5,10 @@ let in { services.grafana = { enable = true; + dataDir = "/tank/services/metrics/grafana"; + + # TODO: Migrate sqlite to postgres + settings.server = { domain = "grafana.home.feal.no"; http_port = 2342; diff --git a/hosts/voyager/services/metrics/loki.nix b/hosts/defiant/services/metrics/loki.nix similarity index 92% rename from hosts/voyager/services/metrics/loki.nix rename to hosts/defiant/services/metrics/loki.nix index 0038142..1ecf68d 100644 --- a/hosts/voyager/services/metrics/loki.nix +++ b/hosts/defiant/services/metrics/loki.nix @@ -1,10 +1,11 @@ { config, pkgs, ... }: let cfg = config.services.loki; - saveDirectory = "/tank/var/lib/loki"; + saveDirectory = "/tank/services/metrics/loki"; in { services.loki = { enable = true; + dataDir = saveDirectory; configuration = { auth_enabled = false; server = { @@ -70,6 +71,4 @@ in { }; }; }; - - networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ]; } diff --git a/hosts/voyager/services/metrics/prometheus.nix b/hosts/defiant/services/metrics/prometheus.nix similarity index 77% rename from hosts/voyager/services/metrics/prometheus.nix rename to hosts/defiant/services/metrics/prometheus.nix index 4cf871b..bbdae69 100644 --- a/hosts/voyager/services/metrics/prometheus.nix +++ b/hosts/defiant/services/metrics/prometheus.nix @@ -8,18 +8,22 @@ in { listenAddress = "127.0.0.1"; port = 9001; + # StateDirectory must be under /var/lib. + # TODO: Back up to /tank/services/metrics/prometheus + scrapeConfigs = [ { job_name = "node"; static_configs = [ { targets = [ - "voyager.home.feal.no:${toString cfg.exporters.node.port}" + "voyager.home.feal.no:9100" "sulu.home.feal.no:9100" "mccoy.home.feal.no:9100" - "borg.home.feal.no:9100" - "troi.home.feal.no:9100" "dlink-feal.home.feal.no:9100" + "edison.home.feal.no:9100" + "defiant.home.feal.no:9100" + "scotty.home.feal.no:9100" ]; } ]; @@ -58,7 +62,10 @@ in { { job_name = "zfs"; static_configs = [ - { targets = ["127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}"]; } + { targets = [ + "voyager.home.feal.no:9134" + "defiant.home.feal.no:9134" + ]; } ]; } ]; diff --git a/hosts/voyager/services/metrics/snmp-exporter.nix b/hosts/defiant/services/metrics/snmp-exporter.nix similarity index 100% rename from hosts/voyager/services/metrics/snmp-exporter.nix rename to hosts/defiant/services/metrics/snmp-exporter.nix diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix index 576537b..aee37b0 100644 --- a/hosts/defiant/services/nginx.nix +++ b/hosts/defiant/services/nginx.nix @@ -43,6 +43,7 @@ }; in { "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; + "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; }; } diff --git a/hosts/defiant/services/pihole.nix b/hosts/defiant/services/pihole.nix index b869826..f6e65ee 100644 --- a/hosts/defiant/services/pihole.nix +++ b/hosts/defiant/services/pihole.nix @@ -24,7 +24,12 @@ in { }; services.nginx.virtualHosts."${domain}" = { - locations."/".proxyPass = "http://${webuiListen}"; + locations."/" = { + proxyPass = "http://${webuiListen}"; + extraConfig = '' + rewrite /(.*) /admin/$1 break; + ''; + }; }; } diff --git a/hosts/voyager/services/vaultwarden.nix b/hosts/defiant/services/vaultwarden.nix similarity index 66% rename from hosts/voyager/services/vaultwarden.nix rename to hosts/defiant/services/vaultwarden.nix index 9e55475..856c9fd 100644 --- a/hosts/voyager/services/vaultwarden.nix +++ b/hosts/defiant/services/vaultwarden.nix @@ -3,7 +3,7 @@ let cfg = config.services.vaultwarden; domain = "pw.feal.no"; address = "127.0.0.1"; - port = 3011; # Note! The websocket port is left as default + port = 3011; # Note: The websocket port is left as default(3012) in { sops.secrets."vaultwarden/admintoken" = { owner = "vaultwarden"; @@ -20,27 +20,30 @@ in { rocketAddress = address; rocketPort = port; websocketEnabled = true; - databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable"; + # databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable"; + databaseUrl = "postgresql://vaultwarden@/vaultwarden"; signupsAllowed = false; - rocketLog = "critical"; - - # This example assumes a mailserver running on localhost, - # thus without transport encryption. - # If you use an external mail server, follow: - # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration - /* SMTP_HOST = "127.0.0.1"; */ - /* SMTP_PORT = 25; */ - /* SMTP_SSL = false; */ - - /* SMTP_FROM = "admin@bitwarden.example.com"; */ - /* SMTP_FROM_NAME = "example.com Bitwarden server"; */ - }; }; + services.postgresql = { + ensureDatabases = [ "vaultwarden" ]; + ensureUsers = [{ + name = "vaultwarden"; + ensureDBOwnership = true; + }]; + }; services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; + extraConfig = '' client_max_body_size 128M; ''; @@ -57,11 +60,4 @@ in { proxyWebsockets = true; }; }; - services.postgresql = { - ensureDatabases = [ "vaultwarden" ]; - ensureUsers = [{ - name = "vaultwarden"; - ensureDBOwnership = true; - }]; - }; } diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix index 74406a0..888a9dd 100644 --- a/hosts/voyager/configuration.nix +++ b/hosts/voyager/configuration.nix @@ -13,15 +13,12 @@ ./services/snappymail.nix ./services/calibre.nix ./services/fancontrol.nix - ./services/gitea.nix ./services/jellyfin.nix ./services/kanidm.nix - ./services/metrics ./services/nginx ./services/postgres.nix ./services/timemachine.nix ./services/transmission.nix - ./services/vaultwarden.nix ]; networking = { diff --git a/hosts/voyager/filesystems.nix b/hosts/voyager/filesystems.nix index 969ab29..b51c9d7 100644 --- a/hosts/voyager/filesystems.nix +++ b/hosts/voyager/filesystems.nix @@ -11,7 +11,11 @@ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; }; services.zfs.autoScrub.enable = true; - services.prometheus.exporters.zfs.enable = true; + services.prometheus.exporters.zfs = { + enable = true; + openFirewall = true; + firewallFilter = "-p tcp -m tcp -s 192.168.10.175 --dport 9134"; # Only allow defiant + }; # Network mounts (import) fileSystems = { diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml index 7678531..c37f7e2 100644 --- a/secrets/defiant/defiant.yaml +++ b/secrets/defiant/defiant.yaml @@ -3,6 +3,8 @@ matrix: registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str] hedgedoc: env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str] +vaultwarden: + admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str] sops: kms: [] gcp_kms: [] @@ -27,8 +29,8 @@ sops: RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-24T23:15:29Z" - mac: ENC[AES256_GCM,data:h+omoqeN7ssm7lfF/kdUCX7umQwWtTeph2C9tJQEAP7naL+Sm5WgXl/6PYHjjDSJ8X56tQgNdA2F5P5xIwTEfi6ip0Xbqy9vL+TfqjRhaT897O9W3Gka0zKTIkLFH2klgv3FXRd1CybxfyZpuz8Gpyy/tHZMcdIbEt+snlAII/A=,iv:+MgU7SfErnTMc63liEr8SmJLAthlbG8kU/xY6fUC7jU=,tag:I56xwXpVOF38QelGqW0XPg==,type:str] + lastmodified: "2023-12-25T23:07:08Z" + mac: ENC[AES256_GCM,data:q+e4CbkTrpAl2gsiYi/cJ7v5cv6IoT/o4eBF+3IbkO36c9CWTlV0ntfTYJInhMvjWfiKaTpx0s3CzSB+WmI541zGudSraxibL7ZPdpaTO9YeODRPg5mkUe5lfEqhy1kdXeqeen+3kSUalJOzbefkZOmITBMLtYUzTOs8HW7NQqE=,iv:zbZdSXoPnJAYk8oozTsxNCZlImu+aAJlVrqzBWAKieQ=,tag:UYhIu5YN2OBYgvCEXUy5kA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1