Compare commits

...

6 Commits

Author SHA1 Message Date
h7x4 e062a849f3 base/scrutiny-collector: disable if machine is qemu guest 2026-05-27 23:45:30 +09:00
h7x4 b0f81c9379 lupine/smartd: reenable 2026-05-27 23:41:54 +09:00
h7x4 2c819776f8 treewide/nginx: enable kTLS for a bunch more virtualHosts 2026-05-27 23:36:18 +09:00
h7x4 c2d6989350 base/scrutiny-collector: init 2026-05-27 23:35:32 +09:00
h7x4 2b4817b75a ildkule/scrutiny: init 2026-05-27 23:33:45 +09:00
h7x4 0e2a8ed3ed base/polkit: let wheel users use AUTH_KEEP_SELF for systemd actions 2026-05-27 14:13:36 +09:00
10 changed files with 68 additions and 8 deletions
+1
View File
@@ -35,6 +35,7 @@
./services/prometheus-node-exporter.nix ./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix ./services/prometheus-systemd-exporter.nix
./services/roowho2.nix ./services/roowho2.nix
./services/scrutiny-collector.nix
./services/smartd.nix ./services/smartd.nix
./services/thermald.nix ./services/thermald.nix
./services/uptimed.nix ./services/uptimed.nix
+8 -5
View File
@@ -6,10 +6,13 @@ in
security.polkit.enable = true; security.polkit.enable = true;
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable '' environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
polkit.addAdminRule(function(action, subject) { polkit.addRule(function(action, subject) {
if(subject.isInGroup("wheel")) { if (
return ["unix-user:"+subject.user]; action.id.startsWith("org.freedesktop.systemd1.") &&
} subject.isInGroup("wheel")
}); ) {
return polkit.Result.AUTH_SELF_KEEP;
}
});
''; '';
} }
+11
View File
@@ -0,0 +1,11 @@
{ config, ... }:
{
services.scrutiny.collector = {
enable = !config.services.qemuGuest.enable;
settings = {
version = 1;
host.id = config.networking.hostName;
api.endpoint = "https://scrutiny.pvv.ntnu.no/";
};
};
}
@@ -119,6 +119,7 @@ in {
services.nginx.virtualHosts."pvv.ntnu.no" = { services.nginx.virtualHosts."pvv.ntnu.no" = {
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
redirectCode = 307; redirectCode = 307;
kTLS = true;
forceSSL = true; forceSSL = true;
useACMEHost = "www.pvv.ntnu.no"; useACMEHost = "www.pvv.ntnu.no";
}; };
@@ -126,6 +127,7 @@ in {
services.nginx.virtualHosts."www.pvv.org" = { services.nginx.virtualHosts."www.pvv.org" = {
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
redirectCode = 307; redirectCode = 307;
kTLS = true;
forceSSL = true; forceSSL = true;
useACMEHost = "www.pvv.ntnu.no"; useACMEHost = "www.pvv.ntnu.no";
}; };
@@ -133,11 +135,13 @@ in {
services.nginx.virtualHosts."pvv.org" = { services.nginx.virtualHosts."pvv.org" = {
globalRedirect = cfg.domainName; globalRedirect = cfg.domainName;
redirectCode = 307; redirectCode = 307;
kTLS = true;
forceSSL = true; forceSSL = true;
useACMEHost = "www.pvv.ntnu.no"; useACMEHost = "www.pvv.ntnu.no";
}; };
services.nginx.virtualHosts.${cfg.domainName} = { services.nginx.virtualHosts.${cfg.domainName} = {
kTLS = true;
locations = { locations = {
# Proxy home directories # Proxy home directories
"^~ /~" = { "^~ /~" = {
@@ -83,6 +83,7 @@ in
}; };
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = { services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -146,6 +146,7 @@ in
}; };
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = { services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
kTLS = true;
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
locations."/" = { locations."/" = {
@@ -80,6 +80,7 @@ in
}; };
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = { services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:${cfg.socket}"; locations."/".proxyPass = "http://localhost:${cfg.socket}";
@@ -5,6 +5,7 @@
./grafana.nix ./grafana.nix
./loki.nix ./loki.nix
./prometheus ./prometheus
./scrutiny.nix
./uptime-kuma.nix ./uptime-kuma.nix
]; ];
} }
@@ -0,0 +1,40 @@
{ config, values, ... }:
let
cfg = config.services.scrutiny;
in
{
services.scrutiny = {
enable = true;
settings = {
web.listen = {
host = "127.0.0.1";
port = 18293;
basepath = "";
};
# notify.urls = [
# "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
# ];
};
};
services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
kTLS = true;
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
};
# TODO: allow website access to the outside world, but restrict input api
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32;
allow ::1/128;
allow ${values.ipv4-space};
allow ${values.ipv6-space};
deny all;
'';
};
}
-3
View File
@@ -18,9 +18,6 @@
anyInterface = true; anyInterface = true;
}; };
# There are no smart devices
services.smartd.enable = false;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "25.05"; system.stateVersion = "25.05";