Compare commits

...

5 Commits

Author SHA1 Message Date
Adrian G L e05c4ed8ca feat: add initialdeploy hashed password to root 2026-06-21 18:24:01 +02:00
h7x4 3fee83ec05 ildkule/loki: restrict incoming connections to pvv + ntnu 2026-06-22 01:23:16 +09:00
h7x4 a1f02fc39d {ildkule/loki,base/fluentbit}: send data over https 2026-06-22 01:23:16 +09:00
Adrian G L 6e37635aac ildkule/loki: firewall all endpoints except push API
Co-authored-by: Øystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>
2026-06-22 01:23:14 +09:00
h7x4 cdc3ad488b bicep/postgres: add script for updating all collations 2026-06-22 01:12:59 +09:00
5 changed files with 53 additions and 7 deletions
+2
View File
@@ -101,6 +101,8 @@
# users.mutableUsers = lib.mkDefault false;
users.users.root.initialHashedPassword = "$y$j9T$ahP6GAdttD17OMBo7Yqeh.$Ad7qBcFvTL7HrJ9uTtrQzksN3220Nj9t/CrP6DwgK34"; # generated using mkpasswd, see huttiheita root on vaultwarden
users.groups."drift".name = "drift";
# Trusted users on the nix builder machines
-1
View File
@@ -8,6 +8,5 @@
# Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
virtualisation.vmVariant = {
security.acme.defaults.server = "https://127.0.0.1";
users.users.root.initialPassword = "root";
};
}
+4 -2
View File
@@ -62,8 +62,10 @@ in
name = "loki";
match = "*";
host = "ildkule.pvv.ntnu.no";
port = 3100;
host = "loki.pvv.ntnu.no";
port = 443;
tls = "on";
"tls.verify" = "on";
uri = "/loki/api/v1/push";
compress = "gzip";
@@ -127,4 +127,27 @@ in
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
environment.systemPackages = [
(pkgs.writeShellApplication {
name = "postgres-update-collations.sh";
runtimeInputs = [
config.systemd.package
cfg.package
];
text = ''
run0 --user=postgres psql <${pkgs.writeText "postgres-update-collations.sql" ''
CREATE FUNCTION exec(text) returns text language plpgsql volatile
AS $f$
BEGIN
EXECUTE $1;
RETURN $1;
END;
$f$;
SELECT exec('ALTER DATABASE "' || datname || '" REFRESH COLLATION VERSION') FROM pg_database WHERE datistemplate = false;
''}
'';
})
];
}
+24 -4
View File
@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, values, ... }:
let
cfg = config.services.loki;
@@ -9,8 +9,8 @@ in {
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
http_listen_address = "0.0.0.0";
http_listen_port = 31832;
http_listen_address = "127.0.0.1";
grpc_listen_port = 9096;
};
@@ -81,5 +81,25 @@ in {
};
};
networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
services.nginx.virtualHosts."loki.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
kTLS = true;
locations = {
"/".return = "403";
"/loki/api/v1/push" = {
proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.ipv4-space};
allow ${values.ipv6-space};
allow ${values.ntnu.ipv4-space};
allow ${values.ntnu.ipv6-space};
deny all;
'';
};
};
};
}