monit: update config

Paul-Henri Froidmont 2024-08-26 05:38:10 +02:00
parent 51c5b08985
commit 907575739c
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
2 changed files with 92 additions and 34 deletions


@ -1,5 +1,15 @@
{ config, lib, pkgs, ... }: { {
imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ]; config,
lib,
pkgs,
...
}:
{
imports = [
../environment.nix
../hardware/hcloud.nix
../modules
];
sops.secrets = { sops.secrets = {
borgSshKey = { borgSshKey = {
@ -13,8 +23,14 @@
services.backup-job = { services.backup-job = {
enable = true; enable = true;
repoName = "bk1"; repoName = "bk1";
additionalPaths = [ "/var/lib/nextcloud/config" "/var/lib/mastodon" ]; additionalPaths = [
readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ]; "/var/lib/nextcloud/config"
"/var/lib/mastodon"
];
readWritePaths = [
"/nix/var/data/murmur"
"/nix/var/data/backup/"
];
preHook = '' preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
''; '';
@ -48,7 +64,7 @@
status = 200 status = 200
request "/api/_health" request "/api/_health"
with timeout 5 seconds with timeout 5 seconds
content = '[{"]Healthy["]:[{}}]' content = "Healthy"
then alert then alert
''; '';
}; };
@ -66,7 +82,9 @@
services.uptime-kuma = { services.uptime-kuma = {
enable = true; enable = true;
settings = { PORT = "3001"; }; settings = {
PORT = "3001";
};
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
@ -82,8 +100,7 @@
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
"http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -107,9 +124,15 @@
}; };
}; };
networking.firewall.allowedTCPPorts = [ 80 443 64738 ]; networking.firewall.allowedTCPPorts = [
80
443
64738
];
networking.firewall.allowedUDPPorts = [ 64738 ]; networking.firewall.allowedUDPPorts = [ 64738 ];
networking.firewall.interfaces."eth1".allowedTCPPorts = networking.firewall.interfaces."eth1".allowedTCPPorts = [
[ config.services.prometheus.exporters.node.port 9000 ]; config.services.prometheus.exporters.node.port
9000
];
} }
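Review bot: The relaxed monit match `content = "Healthy"` in the `/api/_health` hunk is a regex search over the response body, so the check now passes for any body that merely contains that token, whereas the old expression also required the following `":` and a brace; a payload that names a Healthy key with a failing value would presumably still satisfy it, which is worth confirming against what the endpoint actually returns. If the old character classes were a workaround for quoting `"` inside the monit string, a wildcard keeps most of the structure without it, e.g. `content = "Healthy.:"`. The same loosening is made twice more in the second file (both `/api/_health` checks), so whichever expression is chosen should be applied there as well. The `check host` block this line belongs to starts outside the hunk.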


@ -1,4 +1,12 @@
{ config, lib, pkgs, pkgs-unstable, inputs, ... }: { {
config,
lib,
pkgs,
pkgs-unstable,
inputs,
...
}:
{
imports = [ imports = [
../environment.nix ../environment.nix
../hardware/hetzner-dedicated-storage1.nix ../hardware/hetzner-dedicated-storage1.nix
@ -10,13 +18,27 @@
owner = config.services.borgbackup.jobs.data.user; owner = config.services.borgbackup.jobs.data.user;
key = "borg/client_keys/storage1/private"; key = "borg/client_keys/storage1/private";
}; };
nixCacheKey = { key = "nix/cache_secret_key"; }; nixCacheKey = {
dmarcExporterPassword = { key = "dmarc_exporter/password"; }; key = "nix/cache_secret_key";
paultrialPassword = { key = "email/accounts_passwords/paultrial"; }; };
eliosPassword = { key = "email/accounts_passwords/elios"; }; dmarcExporterPassword = {
mariePassword = { key = "email/accounts_passwords/marie"; }; key = "dmarc_exporter/password";
alicePassword = { key = "email/accounts_passwords/alice"; }; };
monitPassword = { key = "email/accounts_passwords/monit"; }; paultrialPassword = {
key = "email/accounts_passwords/paultrial";
};
eliosPassword = {
key = "email/accounts_passwords/elios";
};
mariePassword = {
key = "email/accounts_passwords/marie";
};
alicePassword = {
key = "email/accounts_passwords/alice";
};
monitPassword = {
key = "email/accounts_passwords/monit";
};
noreplyBanditlairPassword = { noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair"; key = "email/accounts_passwords/noreply_banditlair";
}; };
@ -80,7 +102,7 @@
status = 200 status = 200
request "/api/_health" request "/api/_health"
with timeout 5 seconds with timeout 5 seconds
content = '[{"]Healthy["]:[{}}]' content = "Healthy"
then alert then alert
check host osteoview-demo with address demo.osteoview.app check host osteoview-demo with address demo.osteoview.app
@ -90,7 +112,7 @@
status = 200 status = 200
request "/api/_health" request "/api/_health"
with timeout 5 seconds with timeout 5 seconds
content = '[{"]Healthy["]:[{}}]' content = "Healthy"
then alert then alert
''; '';
}; };
@ -110,7 +132,11 @@
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.banditlair.com"; fqdn = "mail.banditlair.com";
domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ]; domains = [
"banditlair.com"
"froidmont.org"
"falbo.fr"
];
localDnsResolver = false; localDnsResolver = false;
enableManageSieve = true; enableManageSieve = true;
mailDirectory = "/nix/var/data/vmail"; mailDirectory = "/nix/var/data/vmail";
@ -123,18 +149,27 @@
"paultrial@banditlair.com" = { "paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path; hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ "contact@froidmont.org" "account@banditlair.com" ]; aliases = [
"contact@froidmont.org"
"account@banditlair.com"
];
}; };
"marie-alice@froidmont.org" = { "marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path; hashedPasswordFile = config.sops.secrets.mariePassword.path;
aliases = [ "osteopathie@froidmont.org" "communication@froidmont.org" ]; aliases = [
"osteopathie@froidmont.org"
"communication@froidmont.org"
];
}; };
"alice@froidmont.org" = { "alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.alicePassword.path; hashedPasswordFile = config.sops.secrets.alicePassword.path;
}; };
"elios@banditlair.com" = { "elios@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.eliosPassword.path; hashedPasswordFile = config.sops.secrets.eliosPassword.path;
aliases = [ "webshit@banditlair.com" "outlook-pascal@banditlair.com" ]; aliases = [
"webshit@banditlair.com"
"outlook-pascal@banditlair.com"
];
}; };
"monit@banditlair.com" = { "monit@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.monitPassword.path; hashedPasswordFile = config.sops.secrets.monitPassword.path;
@ -177,8 +212,7 @@
imap = { imap = {
host = "mail.banditlair.com"; host = "mail.banditlair.com";
username = "paultrial@banditlair.com"; username = "paultrial@banditlair.com";
passwordFile = passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
"/run/credentials/prometheus-dmarc-exporter.service/password";
}; };
folders = { folders = {
inbox = "dmarc_reports"; inbox = "dmarc_reports";
@ -186,8 +220,7 @@
error = "Archives.dmarc_report_error"; error = "Archives.dmarc_report_error";
}; };
}; };
systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
"password:${config.sops.secrets.dmarcExporterPassword.path}";
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
@ -198,8 +231,9 @@
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
23363 # Minecraft 23363 # Minecraft
]; ];
networking.firewall.interfaces.vlan4001.allowedTCPPorts = networking.firewall.interfaces.vlan4001.allowedTCPPorts = [
[ config.services.loki.configuration.server.http_listen_port ]; config.services.loki.configuration.server.http_listen_port
];
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-+" ]; networking.nat.internalInterfaces = [ "ve-+" ];
@ -215,7 +249,9 @@
"ssh-rsa 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 sshfs-2021-07-16" "ssh-rsa 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 sshfs-2021-07-16"
]; ];
}; };
users.groups.www-data = { gid = 991; }; users.groups.www-data = {
gid = 991;
};
services.openssh.settings.Macs = [ services.openssh.settings.Macs = [
"hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com"
@ -285,8 +321,7 @@
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = proxyPass = "http://127.0.0.1:${toString config.services.foundryvtt.port}";
"http://127.0.0.1:${toString config.services.foundryvtt.port}";
extraConfig = '' extraConfig = ''
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";