Move metrics,gitea,vaultwarden from voyager to defiant

2023-12-26 11:45:12 +01:00
committed by Felix Albrigtsen
parent bb2d4138ea
commit 7976c4820a
17 changed files with 78 additions and 49 deletions


@@ -13,6 +13,9 @@
./services/flame.nix
./services/hedgedoc.nix
./services/pihole.nix
./services/gitea.nix
./services/vaultwarden.nix
./services/metrics
];
networking = {
@@ -33,6 +36,13 @@
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
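Review bot: `services.prometheus.exporters.zfs.enable = true` (L29) is turned on without a `listenAddress`, and as far as I know the NixOS exporter modules default to binding all interfaces with the firewall left closed; prometheus.nix in this same commit scrapes this host as `defiant.home.feal.no:9134`, so the scrape either crosses the LAN address or fails on the host firewall (its state is not visible here). Since Prometheus now runs on this host, the exporter can stay local: `services.prometheus.exporters.zfs.listenAddress = "127.0.0.1";` with the zfs job target changed to `"127.0.0.1:9134"`. The remaining `voyager.home.feal.no:9134` target is still a remote scrape and needs the same exporter/firewall review on that host. The enclosing attribute set starts and ends outside the two hunks.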


@@ -0,0 +1,62 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea;
domain = "git.feal.no";
httpPort = 3004;
sshPort = 2222;
in {
services.gitea = {
enable = true;
appName = "felixalbs Gitea";
database.type = "postgres";
stateDir = "/tank/services/gitea";
settings = {
server = {
# Serve on local unix socket, exposed in hosts/defiant/services/nginx.nix
PROTOCOL = "http+unix";
DOMAIN = domain;
ROOT_URL = "https://${domain}";
LANDING_PAGE=''"/felixalb"'';
SSH_PORT = sshPort;
SSH_LISTEN_PORT = sshPort;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
};
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
packages.ENABLED = false;
packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email profile openid";
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto";
USERNAME = "email";
};
log.LEVEL = "Info";
database.LOG_SQL = false;
ui = {
THEMES="gitea,arc-green,nord";
DEFAULT_THEME="nord";
};
};
# TODO:
# - Backup
# - services.gitea.dump?
# - ZFS snapshots?
# - configure mailer
};
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
networking.firewall.allowedTCPPorts = [ sshPort ];
}
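Review bot: The `oauth2_client` block (L64-70) combines `ENABLE_AUTO_REGISTRATION = true`, `ACCOUNT_LINKING = "auto"` and `USERNAME = "email"`, so any identity from the OIDC provider whose e-mail matches an existing Gitea account is merged into that account without the user proving the existing credentials; this is only safe if the provider (not visible here) verifies e-mail ownership. Consider `ACCOUNT_LINKING = "login";` so linking requires a login to the existing account, or record the trust assumption above the block: `# auto-linking by e-mail: the OIDC provider MUST verify e-mail addresses`. Separately, `httpPort = 3004` (L40) is declared but never used, and nothing here sets `settings.server.HTTP_ADDR` even though the comment on L50 says the socket is consumed by nginx.nix; either use `httpPort` or drop it.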





@@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
imports = [
./prometheus.nix
./grafana.nix
./loki.nix
#./snmp-exporter.nix
];
}


@@ -0,0 +1,69 @@
{ config, pkgs, ... }:
let
cfg = config.services.grafana;
in {
services.grafana = {
enable = true;
dataDir = "/tank/services/metrics/grafana";
# TODO: Migrate sqlite to postgres
settings.server = {
domain = "grafana.home.feal.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
uid = "prom1";
url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
isDefault = true;
}
{
name = "Loki";
type = "loki";
url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
}
];
dashboards.settings.providers = [
{
name = "Node Exporter Full";
type = "file";
url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
options.path = dashboards/node-exporter-full.json;
}
{
name = "Synology NAS Details";
type = "file";
url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
options.path = dashboards/synology-nas-details.json;
}
{
name = "OpenWRT";
type = "file";
url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
options.path = dashboards/openwrt.json;
}
];
};
};
services.nginx.virtualHosts.${cfg.settings.server.domain} = {
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
proxyWebsockets = true;
extraConfig = ''
proxy_buffers 8 1024k;
proxy_buffer_size 1024k;
'';
};
};
};
}
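Review bot: The Loki datasource URL on L136 is built from `config.services.loki.configuration.server.http_listen_address`, which loki.nix in this commit sets to `"0.0.0.0"`, so Grafana is pointed at `http://0.0.0.0:3100`; that only works because the kernel routes 0.0.0.0 to the local host, and it breaks silently if the listen address or host changes. Point at loopback explicitly: `url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";`. The nginx vhost for Grafana (L161-172) sets neither `forceSSL` nor `enableACME`, so unless a default is applied elsewhere (not visible here) Grafana logins cross the LAN in clear text; a one-line comment stating the intent (`# internal-only vhost, plain HTTP on the LAN is accepted`) or `forceSSL = true;` would settle it.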


@@ -0,0 +1,74 @@
{ config, pkgs, ... }:
let
cfg = config.services.loki;
saveDirectory = "/tank/services/metrics/loki";
in {
services.loki = {
enable = true;
dataDir = saveDirectory;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
http_listen_address = "0.0.0.0";
grpc_listen_port = 9096;
};
ingester = {
wal = {
enabled = true;
dir = "${saveDirectory}/wal";
};
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
final_sleep = "0s";
};
chunk_idle_period = "1h";
};
schema_config = {
configs = [
{
from = "2022-12-01";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "${saveDirectory}/boltdb-shipper-index";
cache_location = "${saveDirectory}/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h";
};
filesystem = {
directory = "${saveDirectory}/chunks";
};
};
limits_config = {
enforce_metric_name = false;
reject_old_samples = true;
reject_old_samples_max_age = "72h";
};
compactor = {
working_directory = "${saveDirectory}/compactor";
shared_store = "filesystem";
};
};
};
}
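Review bot: `auth_enabled = false` (L187) together with `http_listen_address = "0.0.0.0"` (L190) exposes Loki's unauthenticated push and query API on every interface of the host, and `grpc_listen_port = 9096` (L191) has no `grpc_listen_address` so it binds the same way; anything that can reach those ports can read or inject log lines. If the only consumer is the Grafana instance on this host, bind both to loopback: `http_listen_address = "127.0.0.1";` and `grpc_listen_address = "127.0.0.1";`. If remote log agents must push, keep the host firewall closed for 3100/9096 (not visible here) and front the push endpoint with an nginx location that requires authentication. The Grafana datasource that derives its URL from this address then also stops resolving to 0.0.0.0.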


@@ -0,0 +1,73 @@
{ config, pkgs, ... }:
let
cfg = config.services.prometheus;
in {
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
# StateDirectory must be under /var/lib.
# TODO: Back up to /tank/services/metrics/prometheus
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [
"voyager.home.feal.no:9100"
"sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100"
"defiant.home.feal.no:9100"
"scotty.home.feal.no:9100"
];
}
];
}
{
job_name = "openwrt";
static_configs = [
{ targets = ["dlink-feal.home.feal.no:9100"]; }
];
}
{
job_name = "snmp";
static_configs = [{
targets = [
"feal-syn1.home.feal.no"
"feal-syn2.home.feal.no"
];
}];
metrics_path = "/snmp";
params.module = ["synology"];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "127.0.0.1:9116";
}
];
}
{
job_name = "zfs";
static_configs = [
{ targets = [
"voyager.home.feal.no:9134"
"defiant.home.feal.no:9134"
]; }
];
}
];
};
}
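Review bot: The `snmp` job (L284-308) relabels every target to `127.0.0.1:9116`, but nothing in this commit starts an SNMP exporter on this host: metrics/default.nix keeps `./snmp-exporter.nix` commented out and that file's own TODO says its config file is not fixed, so the two Synology targets will be permanent scrape failures. Either drop the job until the exporter is wired in, or guard it with `lib.optional` on whichever option enables the exporter (which requires adding `lib` to the module arguments on L251). Also `dlink-feal.home.feal.no:9100` is scraped twice, once in `node` (L270) and once in `openwrt` (L281), which doubles the load on that device and yields two instance series for the same exporter.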


@@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [
pkgs.prometheus-snmp-exporter
];
systemd.services.prometheus-snmp-exporter = {
enable = true;
description = "Gather data from SNMP devices and expose them as Prometheus metrics";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/var/prometheus/snmp.yml'";
# TODO: Fix this conf file!
};
wantedBy = [ "multi-user.target" ];
};
}
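Review bot: The hand-written unit at L330-341 has no `User` or `DynamicUser` in `serviceConfig`, so the exporter — a network listener that parses SNMP responses from other devices — runs as root, and it reads `/var/prometheus/snmp.yml`, which holds SNMP community strings, with root privileges. NixOS already ships `services.prometheus.exporters.snmp` (with `configurationPath`, a dedicated user and `listenAddress`), which would replace this file outright; if the unit is kept, at minimum add `DynamicUser = true;` plus a `ProtectSystem = "strict";` / `PrivateTmp = true;` baseline. The file is not imported by metrics/default.nix in this commit, so this only matters once the `#./snmp-exporter.nix` line is re-enabled.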


@@ -43,6 +43,7 @@
};
in {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
};
}
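Review bot: The new `git.feal.no` entry (L350) proxies to `http://unix:${config.services.gitea.settings.server.HTTP_ADDR}`, but gitea.nix in this commit never sets `settings.server.HTTP_ADDR`; it only sets `PROTOCOL = "http+unix"`. Unless the NixOS gitea module supplies a socket path for the http+unix case (as far as I recall its default is an IP-style address), this evaluates to something that is not a socket path and nginx cannot reach Gitea. Set it explicitly in gitea.nix and let this file keep reading it from `config`, e.g. `HTTP_ADDR = "/run/gitea/gitea.sock";` (constructed path — choose one inside the service's runtime directory). The `let` block and the `publicProxy` helper start outside the hunk.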


@@ -24,7 +24,12 @@ in {
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${webuiListen}";
locations."/" = {
proxyPass = "http://${webuiListen}";
extraConfig = ''
rewrite /(.*) /admin/$1 break;
'';
};
};
}
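Review bot: The rewrite on L364, `rewrite /(.*) /admin/$1 break;`, is unanchored, so it also matches URIs the web UI itself emits under `/admin/...`, which then reach the backend as `/admin/admin/...`. Anchor it and skip paths that already carry the prefix, e.g. `rewrite ^/(?!admin/)(.*)$ /admin/$1 break;` (nginx compiles rewrite patterns with PCRE, so the lookahead is valid). The `domain` and `webuiListen` bindings and the start of the module are outside the hunk.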


@@ -0,0 +1,63 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vaultwarden;
domain = "pw.feal.no";
address = "127.0.0.1";
port = 3011; # Note: The websocket port is left as default(3012)
in {
sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
config = {
domain = "https://${domain}";
rocketAddress = address;
rocketPort = port;
websocketEnabled = true;
# databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
databaseUrl = "postgresql://vaultwarden@/vaultwarden";
signupsAllowed = false;
};
};
services.postgresql = {
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [{
name = "vaultwarden";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
};
}
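Review bot: `environmentFile` (L387) loads the sops secret straight into the service environment; Vaultwarden accepts an Argon2 PHC string in `ADMIN_TOKEN` (produced with its `hash` subcommand), so the sops secret should hold that hash rather than the plaintext admin token, which limits what a disclosed secrets file yields. The vhost (L405-427) enables ACME while listening only on 43080/43443; http-01 validation needs the challenge to arrive on port 80 of the public name, so this presumably relies on port forwarding configured elsewhere and deserves a comment on the `listen` block such as `# 43080/43443 are forwarded from 80/443 upstream; ACME http-01 depends on this`. Also the `/notifications/hub` location (L419-422) hard-codes `localhost:3012`; a `websocketPort = 3012;` binding next to `port` would tie the proxy target and the note on L378 together so they cannot drift apart.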