diff --git a/modules/grafana.nix b/modules/grafana.nix
index b849e52..fa1bba7 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -1,7 +1,11 @@
 { config, lib, ... }:
-let cfg = config.custom.services.grafana;
-in {
- options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; };
+let
+ cfg = config.custom.services.grafana;
+in
+{
+ options.custom.services.grafana = {
+ enable = lib.mkEnableOption "grafana";
+ };
 config = lib.mkIf cfg.enable {
 sops.secrets = {
@@ -11,172 +15,171 @@ in { }; }; - services.grafana = { - enable = true; - dataDir = "/nix/var/data/grafana"; - settings = { - server = { domain = "grafana.${config.networking.domain}"; }; - security.admin_password = - "$__file{${config.sops.secrets.grafanaAdminPassword.path}}"; - }; - provision = { + services = { + grafana = { enable = true; - datasources.settings = { - datasources = [ + dataDir = "/nix/var/data/grafana"; + settings = { + server = { + domain = "grafana.${config.networking.domain}"; + }; + security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}"; + }; + provision = { + enable = true; + datasources.settings = { + datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://127.0.0.1:${toString config.services.prometheus.port}"; + isDefault = true; + } + { + name = "Loki"; + type = "loki"; + access = "proxy"; + url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}"; + } + ]; + }; + dashboards.settings.providers = [ { - name = "Prometheus"; - type = "prometheus"; - url = - "http://127.0.0.1:${toString config.services.prometheus.port}"; - isDefault = true; - } - { - name = "Loki"; - type = "loki"; - access = "proxy"; - url = "http://127.0.0.1:${ - toString - config.services.loki.configuration.server.http_listen_port - }"; + name = "Config"; + options.path = ./dashboards; } ]; }; - dashboards.settings.providers = [{ - name = "Config"; - options.path = ./dashboards; - }]; }; - }; - services.nginx = { - virtualHosts = { - "${config.services.grafana.settings.server.domain}" = { + nginx = { + virtualHosts = { + "${config.services.grafana.settings.server.domain}" = { - enableACME = true; - forceSSL = true; + enableACME = true; + forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${ - toString config.services.grafana.settings.server.http_port - }"; - proxyWebsockets = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString 
config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + }; }; }; }; - }; - services.prometheus = { - enable = true; - - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [{ - targets = [ - "10.0.2.3:${ - toString config.services.prometheus.exporters.node.port - }" - "10.0.1.1:${ - toString config.services.prometheus.exporters.node.port - }" - "10.0.1.11:${ - toString config.services.prometheus.exporters.node.port - }" + prometheus = { + enable = true; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [ + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" + ]; + } ]; - }]; - } - { - job_name = "synapse"; - scrape_interval = "15s"; - metrics_path = "/_synapse/metrics"; - static_configs = [{ targets = [ "10.0.1.1:9000" ]; }]; - } - { - job_name = "dmarc"; - scrape_interval = "15s"; - static_configs = [{ - targets = [ - "10.0.2.3:${ - toString config.services.prometheus.exporters.dmarc.port - }" + } + { + job_name = "synapse"; + scrape_interval = "15s"; + metrics_path = "/_synapse/metrics"; + static_configs = [ { targets = [ "127.0.0.1:9000" ]; } ]; + } + { + job_name = "dmarc"; + scrape_interval = "15s"; + static_configs = [ + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.dmarc.port}" + ]; + } ]; - }]; - } - ]; - }; + } + ]; + }; - services.loki = { - enable = true; + loki = { + enable = true; - dataDir = "/nix/var/data/loki"; + configuration = { + server.http_listen_port = 3100; + auth_enabled = false; - configuration = { - server.http_listen_port = 3100; - auth_enabled = false; + ingester = { + lifecycler = { + address = "127.0.0.1"; + ring = { + kvstore = { + store = "inmemory"; + }; + replication_factor = 1; + }; + }; + chunk_idle_period = "1h"; + max_chunk_age = "1h"; + chunk_target_size = 999999; + chunk_retain_period = "30s"; + }; - ingester = { - lifecycler = { - address = "127.0.0.1"; - ring = { - kvstore = { store = "inmemory"; }; - 
replication_factor = 1; + limits_config = { + ingestion_rate_mb = 16; + allow_structured_metadata = false; + }; + + schema_config = { + configs = [ + { + from = "2022-09-15"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v11"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + + storage_config = { + boltdb_shipper = { + active_index_directory = "${config.services.loki.dataDir}/boltdb-index"; + cache_location = "${config.services.loki.dataDir}/boltdb-cache"; + cache_ttl = "24h"; + }; + + filesystem = { + directory = "${config.services.loki.dataDir}/chunks"; }; }; - chunk_idle_period = "1h"; - max_chunk_age = "1h"; - chunk_target_size = 999999; - chunk_retain_period = "30s"; - }; - limits_config = { - ingestion_rate_mb = 16; - allow_structured_metadata = false; - }; + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + }; - schema_config = { - configs = [{ - from = "2022-09-15"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v11"; - index = { - prefix = "index_"; - period = "24h"; + querier.engine.max_look_back_period = "0s"; + + table_manager = { + retention_deletes_enabled = false; + retention_period = "0s"; + }; + + compactor = { + working_directory = "${config.services.loki.dataDir}"; + compactor_ring = { + kvstore = { + store = "inmemory"; + }; }; - }]; - }; - - storage_config = { - boltdb_shipper = { - active_index_directory = - "${config.services.loki.dataDir}/boltdb-index"; - cache_location = "${config.services.loki.dataDir}/boltdb-cache"; - cache_ttl = "24h"; }; - filesystem = { - directory = "${config.services.loki.dataDir}/chunks"; + analytics = { + reporting_enabled = false; }; }; - - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - }; - - querier.engine.max_look_back_period = "0s"; - - table_manager = { - retention_deletes_enabled = false; - retention_period = "0s"; - }; - - compactor = { - working_directory = 
"${config.services.loki.dataDir}"; - compactor_ring = { kvstore = { store = "inmemory"; }; }; - }; - - analytics = { reporting_enabled = false; }; }; }; }; diff --git a/modules/monitoring-exporters.nix b/modules/monitoring-exporters.nix index 798dd56..3459dac 100644 --- a/modules/monitoring-exporters.nix +++ b/modules/monitoring-exporters.nix @@ -1,6 +1,8 @@ { config, lib, ... }: -let cfg = config.custom.services.monitoring-exporters; -in { +let + cfg = config.custom.services.monitoring-exporters; +in +{ options.custom.services.monitoring-exporters = { enable = lib.mkEnableOption "monitoring-exporters"; }; @@ -10,11 +12,30 @@ in { exporters = { node = { enable = true; - enabledCollectors = [ "systemd" "processes" ]; + enabledCollectors = [ + "systemd" + "processes" + ]; + }; + dmarc = { + enable = true; + debug = true; + imap = { + host = "mail.banditlair.com"; + username = "paultrial@banditlair.com"; + passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password"; + }; + folders = { + inbox = "dmarc_reports"; + done = "Archives.dmarc_report_processed"; + error = "Archives.dmarc_report_error"; + }; }; }; }; + systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}"; + services.promtail = { enable = true; configuration = { @@ -22,7 +43,7 @@ in { http_listen_port = 3101; grpc_listen_port = 0; }; - clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }]; + clients = [ { url = "http://127.0.0.1:3100/loki/api/v1/push"; } ]; scrape_configs = [ { job_name = "journal"; 
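Review bot: Loki is reconfigured here with `auth_enabled = false` and only `server.http_listen_port = 3100`, while its one client (promtail) is now on the same host; Loki's HTTP and gRPC listeners bind all interfaces unless given an address, so pin them with `server.http_listen_address = "127.0.0.1";` and `server.grpc_listen_address = "127.0.0.1";` instead of relying solely on the host firewall (this same change drops the vlan4001 allow rule for that port in profiles/storage.nix). The `synapse` scrape target `127.0.0.1:9000` assumes Synapse's metrics listener is bound on this host's loopback; that listener is not part of the diff, so confirm it. `limits_config` is also assigned twice inside `configuration` (`ingestion_rate_mb`/`allow_structured_metadata`, then `reject_old_samples`/`reject_old_samples_max_age`); the old file carried the same split so the build presumably merges the two attrsets, but one block is clearer. The enclosing `config = lib.mkIf cfg.enable { ... }` starts before the hunk.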
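Review bot: `debug = true;` is carried into the new `dmarc` exporter block, a service that holds an IMAP credential and reads a mailbox; whatever the exporter prints at debug level lands in the journal, which the promtail config in this same module ships to Loki, so drop the flag once the move is verified (`debug = false;` or remove the line). The IMAP host `mail.banditlair.com` appears to live on the storage profile (its `mailserver` block is context in this diff), so the login now crosses the network; confirm the connection is TLS before the password leaves the host. The module also now hard-wires one site-specific mailbox and requires `config.sops.secrets.dmarcExporterPassword` on any host that enables it; a comment such as `# dmarc exporter: needs sops secret dmarcExporterPassword; mailbox settings are site-specific` would spare the next reader a surprise. The enclosing `config = lib.mkIf cfg.enable { ... }` starts and ends outside the hunk.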
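Review bot: the promtail push URL `http://127.0.0.1:3100/loki/api/v1/push` hard-codes Loki's port and now assumes Loki runs on the same host, whereas modules/grafana.nix derives that port from `config.services.loki.configuration.server.http_listen_port`; using the option here too, `clients = [ { url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; } ];`, keeps the two from drifting. If this module is ever enabled on a host without Loki, an assertion on `config.services.loki.enable` would make that failure explicit rather than a silent push error. The surrounding `services.promtail.configuration` block starts and ends outside the hunk.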
@@ -33,21 +54,25 @@ in {
 host = "${config.networking.hostName}";
 };
 };
- relabel_configs = [{
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }];
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }
+ ];
 }
 (lib.mkIf config.services.nginx.enable {
 job_name = "nginx";
- static_configs = [{
- targets = [ "localhost" ];
- labels = {
- job = "nginx";
- host = "${config.networking.hostName}";
- __path__ = "/var/log/nginx/*.log";
- };
- }];
+ static_configs = [
+ {
+ targets = [ "localhost" ];
+ labels = {
+ job = "nginx";
+ host = "${config.networking.hostName}";
+ __path__ = "/var/log/nginx/*.log";
+ };
+ }
+ ];
 })
 ];
 };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 1e6b329..3f51334 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -33,10 +33,15 @@ in
 forceSSL = true;
 };
+ # Can't change home dir for now, use bind mount as workaround
+ # https://github.com/NixOS/nixpkgs/issues/356973
+ fileSystems."/var/lib/nextcloud" = {
+ device = "/nix/var/data/nextcloud";
+ options = [ "bind" ];
+ };
+
 services.nextcloud = {
 enable = true;
- # Can't be changed for now, could use a bind mount as workaround
- # https://github.com/NixOS/nixpkgs/issues/356973
 # home = "/nix/var/data/nextcloud";
 package = pkgs.nextcloud29;
 hostName = "cloud.${config.networking.domain}";
diff --git a/profiles/hel.nix b/profiles/hel.nix
index f205556..a50f21a 100644
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
@@ -15,6 +15,9 @@
 owner = config.users.users.gitlab-runner.name;
 key = "gitlab/runner_registration_config/hel1";
 };
+ dmarcExporterPassword = {
+ key = "dmarc_exporter/password";
+ };
 };
 time.timeZone = "Europe/Amsterdam";
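Review bot: the commented `# home = "/nix/var/data/nextcloud";` line under `services.nextcloud` is now separated from the explanation that moved above `fileSystems`, so it reads as a stray; either delete it or extend the new comment to `# Can't change home dir for now (see issue below); the bind mount stands in for home = "/nix/var/data/nextcloud"`. The bind mount also makes `/var/lib/nextcloud` depend on `/nix/var/data/nextcloud` existing at boot, which that comment could state in one more clause. The enclosing module body starts and ends outside the hunk.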
@@ -180,26 +183,29 @@
 };
 };
- custom = {
- services.nginx.enable = true;
- services.postgresql.enable = true;
- services.dokuwiki.enable = true;
- services.openssh.enable = true;
- services.gitlab-runner = {
+ custom.services = {
+ nginx.enable = true;
+ postgresql.enable = true;
+ dokuwiki.enable = true;
+ openssh.enable = true;
+ gitlab-runner = {
 enable = true;
 runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
 };
- services.jellyfin.enable = true;
- services.torrents.enable = true;
- services.foundryvtt.enable = true;
- services.jitsi.enable = true;
- services.stb.enable = true;
- services.murmur.enable = true;
- services.synapse.enable = true;
- services.nextcloud.enable = true;
- services.roundcube.enable = true;
+ jellyfin.enable = true;
+ torrents.enable = true;
+ foundryvtt.enable = true;
+ jitsi.enable = true;
+ stb.enable = true;
+ murmur.enable = true;
+ synapse.enable = true;
+ nextcloud.enable = true;
+ roundcube.enable = true;
+ monero.enable = true;
+ grafana.enable = true;
+ monitoring-exporters.enable = true;
- services.backup-job = {
+ backup-job = {
 enable = true;
 repoName = "bl";
 additionalPaths = [
@@ -235,7 +241,7 @@
 sshKey = config.sops.secrets.borgSshKey.path;
 };
- services.monit = {
+ monit = {
 enable = true;
 additionalConfig = ''
 check host nextcloud with address cloud.banditlair.com
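Review bot: `monero.enable = true;` is a behaviour change, not a move: profiles/storage.nix drops `services.monero.enable = false;` in this same diff, so the service goes from explicitly disabled on storage to enabled on hel. If that is intended it deserves its own commit or at least a comment, `# monero: was disabled on storage, enabled here on purpose`; if not, the line should read `monero.enable = false;`. The `grafana` and `monitoring-exporters` enables are the genuine moves and match the deletions in storage.nix. The `custom.services` attrset continues past the end of the hunk.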
@@ -331,6 +337,31 @@
 '';
 };
 };
+
+ # services.minecraft-server = {
+ # enable = false;
+ # package = pkgs-unstable.minecraft-server;
+ # eula = true;
+ # openFirewall = false;
+ # declarative = true;
+ # serverProperties = {
+ # enable-rcon = true;
+ # "rcon.port" = 25575;
+ # "rcon.password" = "password";
+ # server-port = 23363;
+ # online-mode = true;
+ # force-gamemode = true;
+ # white-list = true;
+ # diffuculty = "hard";
+ # };
+ # whitelist = {
+ # paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
+ # Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
+ # denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
+ # };
+ # dataDir = "/nix/var/data/minecraft";
+ # };
+
 # virtualisation.oci-containers.containers = {
 # "minecraft" = {
 # image = "itzg/minecraft-server";
diff --git a/profiles/storage.nix b/profiles/storage.nix
index 8342857..3d9517d 100644
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@@ -19,9 +19,6 @@
 nixCacheKey = {
 key = "nix/cache_secret_key";
 };
- dmarcExporterPassword = {
- key = "dmarc_exporter/password";
- };
 paultrialPassword = {
 key = "email/accounts_passwords/paultrial";
 };
@@ -75,9 +72,6 @@
 services.nginx.enable = true;
 services.openssh.enable = true;
- services.monero.enable = false;
- services.grafana.enable = true;
- services.monitoring-exporters.enable = true;
 };
 mailserver = {
@@ -157,22 +151,6 @@
 certificateScheme = "acme-nginx";
 };
- services.prometheus.exporters.dmarc = {
- enable = true;
- debug = true;
- imap = {
- host = "mail.banditlair.com";
- username = "paultrial@banditlair.com";
- passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
- };
- folders = {
- inbox = "dmarc_reports";
- done = "Archives.dmarc_report_processed";
- error = "Archives.dmarc_report_error";
- };
- };
- systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
-
 networking.firewall.allowedTCPPorts = [
 80
 443
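Review bot: the new commented-out `services.minecraft-server` block carries a literal RCON password (`"rcon.password" = "password";`) and player UUIDs into profiles/hel.nix; dead config like this tends to be uncommented verbatim, so if the block is kept at all the credential should be referenced through sops like the other secrets in this profile rather than inlined, even inside a comment. The block also keeps the `diffuculty` typo, which as a freeform `serverProperties` key would likely pass through unnoticed if the block were ever revived; `difficulty = "hard";` is the intended key. The same text is only deleted from profiles/storage.nix below, so this is a move of dead code; dropping it in both places is the simpler option.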
@@ -182,9 +160,6 @@
 networking.firewall.allowedUDPPorts = [
 23363 # Minecraft
 ];
- networking.firewall.interfaces.vlan4001.allowedTCPPorts = [
- config.services.loki.configuration.server.http_listen_port
- ];
 networking.nat.enable = true;
 networking.nat.internalInterfaces = [ "ve-+" ];
@@ -221,46 +196,6 @@
 };
 users.groups.steam = { };
- services.minecraft-server = {
- enable = false;
- package = pkgs-unstable.minecraft-server;
- eula = true;
- openFirewall = false;
- declarative = true;
- serverProperties = {
- enable-rcon = true;
- "rcon.port" = 25575;
- "rcon.password" = "password";
- server-port = 23363;
- online-mode = true;
- force-gamemode = true;
- white-list = true;
- diffuculty = "hard";
- };
- whitelist = {
- paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
- Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
- denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
- };
- dataDir = "/nix/var/data/minecraft";
- };
-
- # virtualisation.oci-containers.containers = {
- # "minecraft" = {
- # image = "itzg/minecraft-server";
- # environment = {
- # EULA = "TRUE";
- # VERSION = "1.18.2";
- # TYPE = "AUTO_CURSEFORGE";
- # MEMORY = "4G";
- # CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
- # };
- # ports = [ "25565:25565" ];
- # volumes = [ "/nix/var/data/minecraft-modded:/data" ];
- # autoStart = true;
- # };
- # };
-
 # services.rustdesk-server = {
 # enable = true;
 # openFirewall = true;
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 81bff1a..cd037bf 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -72,7 +72,7 @@ resource "hetznerdns_record" "hel1_a" {
 resource "hetznerdns_record" "grafana_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "grafana"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
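Review bot: the `grafana` A record now points at `local.hel1_ip`, and the matching vhost on hel has `enableACME = true`; ACME issuance on hel can only succeed once this record has propagated, and with `ttl = 600` cached answers keep sending `grafana.*` traffic to storage1 for up to ten minutes after apply, where this change presumably removes the vhost along with `services.grafana.enable`. Apply the Terraform change before deploying hel, or expect the first certificate request to fail and be retried. If an AAAA record for `grafana` exists elsewhere in this file it needs the same update; none is visible in this hunk.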