darkkirb/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions

move grafana back to nas

Browse source
This commit is contained in:
Charlotte 🦝 Delenk 2023-12-10 21:27:33 +01:00
parent 4ed71d125e
commit b5c500b762
No known key found for this signature in database
13 changed files with 247 additions and 256 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
config/default.nix
View file

@ -13,7 +13,6 @@
./services/restic.nix
./specialization.nix
./services/promtail.nix
./services/prometheus.nix
./env.nix
./tailscale.nix
./services/otel.nix

1
config/nas.nix
View file

@ -30,6 +30,7 @@
./services/nfs.nix
./services/tempo.nix
./services/loki.nix
./services/prometheus.nix
];
hardware.cpu.amd.updateMicrocode = true;

12
config/services/dovecot.nix
View file

@ -141,18 +141,6 @@ in {
enable = true;
port = 35496;
};
services.prometheus.scrapeConfigs = [
{
job_name = "dovecot";
static_configs = [
{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.dovecot.port}"
];
}
];
}
];
sops.secrets."services/dovecot/rspamd_password" = {owner = "dovecot";};
sops.secrets."services/dovecot/dovecot-sql.conf.ext" = {owner = "dovecot";};
services.postgresql.ensureUsers = [

12
config/services/gitea.nix
View file

@ -95,16 +95,4 @@
port = 6379;
};
sops.secrets."services/gitea" = {owner = "gitea";};
services.prometheus.scrapeConfigs = [
{
job_name = "forgejo";
static_configs = [
{
targets = [
"127.0.0.1:${toString config.services.gitea.httpPort}"
];
}
];
}
];
}

16
config/services/hydra.nix
View file

@ -77,8 +77,8 @@ in {
</githubstatus>
<hydra_notify>
<prometheus>
listen_address = 127.0.0.1
port = 9199
listen_address = 0.0.0.0
port = 8905
</prometheus>
</hydra_notify>
binary_cache_secret_key_file = ${config.sops.secrets."services/hydra/cache-key".path}
@ -178,16 +178,4 @@ in {
OnUnitActiveSec = 604800;
};
};
services.prometheus.scrapeConfigs = [
{
job_name = "hydra";
static_configs = [
{
targets = [
"127.0.0.1:9199"
];
}
];
}
];
}

18
config/services/kubo-common.nix
View file

@ -4,6 +4,7 @@
lib,
...
}: {
systemd.services.kubo.environment.OTEL_TRACES_EXPORTER = "otlp";
services.kubo = {
autoMigrate = true;
emptyRepo = true;
@ -12,8 +13,8 @@
settings = {
Addresses = {
API = [
"/ip4/127.0.0.1/tcp/5001"
"/ip6/::1/tcp/5001"
"/ip4/0.0.0.0/tcp/5001"
"/ip6/::/tcp/5001"
];
Gateway = "/ip4/127.0.0.1/tcp/41876";
};
@ -89,17 +90,4 @@
networking.firewall.allowedUDPPorts = [
4001
];
services.prometheus.scrapeConfigs = [
{
job_name = "kubo";
metrics_path = "/debug/metrics/prometheus";
static_configs = [
{
targets = [
"127.0.0.1:5001"
];
}
];
}
];
}

14
config/services/matrix-media-repo.nix
View file

@ -46,7 +46,7 @@
metrics = {
enabled = true;
bindAddress = "::";
port = 9000;
port = 20855;
};
urlPreviews = {
enabled = true;
@ -216,16 +216,4 @@ in {
}
'';
};
services.prometheus.scrapeConfigs = [
{
job_name = "matrix-media-repo";
static_configs = [
{
targets = [
"127.0.0.1:9000"
];
}
];
}
];
}

20
config/services/otel.nix
View file

@ -1,4 +1,8 @@
{config, pkgs, ...}: {
{
config,
pkgs,
...
}: {
services.opentelemetry-collector = {
enable = true;
package = pkgs.opentelemetry-collector-contrib;
@ -14,7 +18,7 @@
"otlp".endpoint = "nas.int.chir.rs:4317";
otlp.tls.insecure = true;
loki = {
endpoint = "https://nas.int.chir.rs:3100/loki/api/v1/push";
endpoint = "https://nas.int.chir.rs:3100/loki/api/v1/push";
};
};
extensions = {
@ -50,16 +54,4 @@
};
};
};
services.prometheus.scrapeConfigs = [
{
job_name = "opentelemetry-collector";
static_configs = [
{
targets = [
"127.0.0.1:63174"
];
}
];
}
];
}

95
config/services/prometheus.nix
View file

@ -23,7 +23,100 @@
static_configs = [
{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
"nas.int.chir.rs:31941"
"nixos-8gb-fsn1-1.int.chir.rs:31941"
"instance-20221213-1915.int.chir.rs:31941"
"rainbow-resort.int.chir.rs:31941"
"thinkrac.int.chir.rs:31941"
];
}
];
}
{
job_name = "dovecot";
static_configs = [
{
targets = [
"nixos-8gb-fsn1-1.int.chir.rs:35496"
];
}
];
}
{
job_name = "forgejo";
static_configs = [
{
targets = [
"nixos-8gb-fsn1-1.int.chir.rs:6379"
];
}
];
}
{
job_name = "hydra";
static_configs = [
{
targets = [
"nas.int.chir.rs:8905"
];
}
];
}
{
job_name = "kubo";
metrics_path = "/debug/metrics/prometheus";
static_configs = [
{
targets = [
"instance-20221213-1915.int.chir.rs:5001"
"nas.int.chir.rs:5001"
"rainbow-road.int.chir.rs:5001"
"thinkrac.int.chir.rs:5001"
];
}
];
}
{
job_name = "matrix-media-repo";
static_configs = [
{
targets = [
"nixos-8gb-fsn1-1.int.chir.rs:20855"
];
}
];
}
{
job_name = "rspamd";
static_configs = [
{
targets = [
"nixos-8gb-fsn1-1.int.chir.rs:58636"
];
}
];
}
{
job_name = "matrix-synapse";
metrics_path = "/_synapse/metrics";
static_configs = [
{
targets = [
"instance-20221213-1915.int.chir.rs:8008"
];
}
];
}
{
job_name = "opentelemetry-collector";
static_configs = [
{
targets = [
"nas.int.chir.rs:63174"
"nixos-8gb-fsn1-1.int.chir.rs:63174"
"instance-20221213-1915.int.chir.rs:63174"
"rainbow-resort.int.chir.rs:63174"
"thinkrac.int.chir.rs:63174"
];
}
];

12
config/services/rspamd.nix
View file

@ -198,16 +198,4 @@
enable = true;
port = 58636;
};
services.prometheus.scrapeConfigs = [
{
job_name = "rspamd";
static_configs = [
{
targets = [
"127.0.0.1:58636"
];
}
];
}
];
}

38
config/services/statsd-exporter.nix
View file

@ -1,38 +0,0 @@
{pkgs, ...}: {
systemd.services."prometheus-statsd-exporter" = {
enable = true;
wantedBy = ["multi-user.target" "mastodon-web.service" "mastodon-sidekiq.service" "mastodon-streaming.service"];
after = ["network.target"];
serviceConfig = {
Restart = "always";
PrivateTmp = true;
WorkingDirectory = "/tmp";
DynamicUser = true;
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
ExeStart = ''
${pkgs.prometheus-statsd-exporter}/bin/prometheus-statsd-exporter --web-listen-adress="[::]:9102" --statsd.listen-upd="127.0.0.1:9125"
'';
};
};
networking.firewall.interfaces."wg0".allowedTCPPorts = [9102];
}

13
config/services/synapse.nix
View file

@ -22,7 +22,7 @@
tls = false;
type = "http";
x_forwarded = true;
bind_addresses = ["::1" "127.0.0.1"];
bind_addresses = ["::" "0.0.0.0"];
resources = [
{
names = ["client" "federation" "metrics"];
@ -193,16 +193,5 @@
owner = "matrix-synapse";
};
services.prometheus.scrapeConfigs = [
{
job_name = "matrix-synapse";
metrics_path = "/_synapse/metrics";
static_configs = [
{
targets = [
"127.0.0.1:8008"
];
}
];
}
];
}

251
config/tailscale.hujson
View file

@ -1,127 +1,154 @@
// This file is managed in the nixos-config repo
{
// Declare static groups of users beyond those in the identity service.
"groups": {
"group:admins": ["DarkKirb@github"]
},
// Declare static groups of users beyond those in the identity service.
"groups": {
"group:admins": ["DarkKirb@github"],
},
// Access control lists.
"acls": [
// Allow DNS access to the DNS servers
{
"action": "accept",
"src": ["*"],
"dst": ["tag:dnsserver:53"]
},
// Allow ssh access to build devices
{
"action": "accept",
"src": ["*"],
"dst": ["tag:buildserver:22"]
},
// Allow all development devices to connect via ssh
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["*:22"]
},
// Access control lists.
"acls": [
// Allow DNS access to the DNS servers
{
"action": "accept",
"src": ["*"],
"dst": ["tag:dnsserver:53"],
},
// Allow ssh access to build devices
{
"action": "accept",
"src": ["*"],
"dst": ["tag:buildserver:22"],
},
// Allow all development devices to connect via ssh
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["*:22"],
},
// http servers running on the servers can be accessed
{
"action": "accept",
"src": ["*"],
"dst": ["tag:server:80", "tag:server:443"]
},
// http servers running on the servers can be accessed
{
"action": "accept",
"src": ["*"],
"dst": ["tag:server:80", "tag:server:443"],
},
// members can access email server
{
"action": "accept",
"src": ["*"],
"dst": [
"tag:nixos-8gb-fsn1-1:25", // SMTP
"tag:nixos-8gb-fsn1-1:110", // POP3
"tag:nixos-8gb-fsn1-1:143", // IMAP
"tag:nixos-8gb-fsn1-1:465", // Submission
"tag:nixos-8gb-fsn1-1:587", // SMTPS
"tag:nixos-8gb-fsn1-1:993", // IMAPS
"tag:nixos-8gb-fsn1-1:995" // POP3S
]
},
// members can access email server
{
"action": "accept",
"src": ["*"],
"dst": [
"tag:nixos-8gb-fsn1-1:25", // SMTP
"tag:nixos-8gb-fsn1-1:110", // POP3
"tag:nixos-8gb-fsn1-1:143", // IMAP
"tag:nixos-8gb-fsn1-1:465", // Submission
"tag:nixos-8gb-fsn1-1:587", // SMTPS
"tag:nixos-8gb-fsn1-1:993", // IMAPS
"tag:nixos-8gb-fsn1-1:995", // POP3S
],
},
// Prometheus scrapers
{
"action": "accept",
"src": ["tag:nixos-8gb-fsn1-1"],
"dst": [
"*:9100", // node exporter
"*:28183",
"*:41115", // promtail
"tag:dnsserver:9119", // bind
"tag:nixos-8gb-fsn1-1:9000", // matrix mediaa repo
"tag:nas:9102", // statsd-exporter
"tag:nixos-8gb-fsn1-1:3100", // loki
"tag:server:9187", // postgres
"tag:nutty-noon:9187"
]
},
// opentelemetry stuff
{
"action": "accept",
"src": ["*"],
"dst": [
"tag:nas:26678", // prometheus
"tag:nas:24545", // loki
"tag:nas:4317", // otel
],
},
// postgres and redis
{
"action": "accept",
"src": ["tag:instance-20221213-1915"],
"dst": ["tag:nixos-8gb-fsn1-1:5432", "tag:nixos-8gb-fsn1-1:53538"]
},
// syncthing
{
"action": "accept",
"src": ["tag:syncthing"],
"dst": ["tag:syncthing:22000"]
},
// syncthing admin panel, cups
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["tag:nas:8384", "tag:nas:631", "tag:ipfs:5001"]
},
// Woodpecker agents
{
"action": "accept",
"src": ["tag:woodpeckerRunner"],
"dst": ["tag:nas:9000"]
},
// Mautrix bridges
// prometheus stuff
{
"action": "accept",
"src": ["tag:nas"],
"dst": [
"tag:instance-20221213-1915:29320", // mautrix-discord
"tag:instance-20221213-1915:29328", // mautrix-signal
"tag:instance-20221213-1915:29317", // mautrix-telegram
"tag:instance-20221213-1915:29318" // mautrix-whatsapp
"*:31941",
"*:35496",
"*:6379",
"*:8905",
"*:5001",
"*:20855",
"*:58636",
"*:8008",
"*:63174",
]
},
// IPFS
{
"action": "accept",
"src": ["tag:ipfs"],
"dst": ["tag:ipfs:4001"]
}
],
"tagOwners": {
"tag:instance-20221213-1915": ["DarkKirb@github"],
"tag:nixos-8gb-fsn1-1": ["DarkKirb@github"],
"tag:nas": ["DarkKirb@github"],
"tag:moto-g82-5g": ["DarkKirb@github"],
"tag:nutty-noon": ["DarkKirb@github"],
"tag:thinkrac": ["DarkKirb@github"],
"tag:dnsserver": ["DarkKirb@github"],
"tag:buildserver": ["DarkKirb@github"],
"tag:devDevice": ["DarkKirb@github"],
"tag:server": ["DarkKirb@github"],
"tag:syncthing": ["DarkKirb@github"],
"tag:woodpeckerRunner": ["DarkKirb@github"],
"tag:ipfs": ["DarkKirb@github"]
}
// postgres and redis
{
"action": "accept",
"src": ["tag:instance-20221213-1915"],
"dst": ["tag:nixos-8gb-fsn1-1:5432", "tag:nixos-8gb-fsn1-1:53538"],
},
// syncthing
{
"action": "accept",
"src": ["tag:syncthing"],
"dst": ["tag:syncthing:22000"],
},
// syncthing admin panel, cups
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["tag:nas:8384", "tag:nas:631", "tag:ipfs:5001"],
},
// Woodpecker agents
{
"action": "accept",
"src": ["tag:woodpeckerRunner"],
"dst": ["tag:nas:9000"],
},
// IPFS
{
"action": "accept",
"src": ["tag:ipfs"],
"dst": ["tag:ipfs:4001"],
},
// KDE Connect
{
"action": "accept",
"src": ["tag:kdeconnect"],
"dst": ["tag:kdeconnect:1714-1764"],
},
],
"tagOwners": {
"tag:instance-20221213-1915": ["DarkKirb@github"],
"tag:nixos-8gb-fsn1-1": ["DarkKirb@github"],
"tag:nas": ["DarkKirb@github"],
"tag:moto-g82-5g": ["DarkKirb@github"],
"tag:nutty-noon": ["DarkKirb@github"],
"tag:thinkrac": ["DarkKirb@github"],
"tag:dnsserver": ["DarkKirb@github"],
"tag:buildserver": ["DarkKirb@github"],
"tag:devDevice": ["DarkKirb@github"],
"tag:server": ["DarkKirb@github"],
"tag:syncthing": ["DarkKirb@github"],
"tag:woodpeckerRunner": ["DarkKirb@github"],
"tag:ipfs": ["DarkKirb@github"],
"tag:kdeconnect": ["DarkKirb@github"],
},
"nodeAttrs": [
{
// Funnel policy, which lets tailnet members control Funnel
// for their own devices.
// Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
"target": ["autogroup:member"],
"attr": ["funnel"],
},
{"target": ["100.75.9.4"], "attr": ["funnel"]},
],
"ssh": [
// The default SSH policy, which lets users SSH into devices they own.
// Learn more at https://tailscale.com/kb/1193/tailscale-ssh/
{
"action": "check",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot", "root"],
},
],
}