diff --git a/hosts/common.nix b/hosts/common.nix
index 1724822..9e45883 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -122,10 +122,9 @@
 defaults = {
 validMinDays = 14;
 renewInterval = "daily";
- email = "acme@xengi.de";
+ email = "adimn@berlin.ccc.de";
 group = "nginx";
 };
 };
 };
 }
-
diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 7c2b962..7fc2fac 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,9 +5,6 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/prometheus-node.nix
- ../../services/nginx.nix
- ./nginx.nix
- ../../services/prometheus-nginx.nix
 ./synapse.nix
 ./draupnir.nix
 ];
diff --git a/hosts/matrix/draupnir.nix b/hosts/matrix/draupnir.nix
index cde19c7..e0c70d8 100644
--- a/hosts/matrix/draupnir.nix
+++ b/hosts/matrix/draupnir.nix
@@ -14,4 +14,3 @@
 secrets.accessToken = config.age.secrets.draupnir_access_token.path;
 };
 }
-
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
deleted file mode 100644
index c2bd257..0000000
--- a/hosts/matrix/nginx.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ config, ... }:
-
- {
- services.nginx.virtualHosts."matrix.${config.networking.domain}" = {
- default = true;
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- locations = {
- "/".return = "418 \"🫖\"";
- "~ ^(/_matrix|/_synapse/client)" = {
- recommendedProxySettings = true;
- proxyPass = "http://[::1]:8008";
- extraConfig = ''
- client_max_body_size 64M;
- proxy_set_header X-Request-ID $request_id;
- proxy_http_version 1.1;
- '';
- };
- "/_synapse/metrics" = {
- proxyPass = "http://[::1]:9009";
- recommendedProxySettings = true;
- extraConfig = ''
- allow 2001:678:760:cccb::14;
- allow 195.160.173.14;
- deny all;
- '';
- };
- };
- };
-}
diff --git a/hosts/matrix/synapse.nix b/hosts/matrix/synapse.nix
index b49b881..e25e211 100644
--- a/hosts/matrix/synapse.nix
+++ b/hosts/matrix/synapse.nix
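Review bot: The new ACME contact address `email = "adimn@berlin.ccc.de"` in the `defaults` block (presumably `security.acme.defaults`; the attribute path opens outside the hunk) reads like a transposition of `admin@`. The CA only uses this value for expiry and policy notices, so a typo fails silently and affects the certificates of every host that shares these defaults. Please confirm the mailbox exists, or change the line to `email = "admin@berlin.ccc.de";`.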
@@ -1,6 +1,11 @@
 { config, ... }:
 
 {
+ imports = [
+ ../../services/nginx.nix
+ ../../services/prometheus-nginx.nix
+ ];
+
 services = {
 matrix-synapse = {
 enable = true;
@@ -62,4 +67,33 @@
 enableRegistrationScript = true;
 };
 };
+
+ nginx.virtualHosts."matrix.${config.networking.domain}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".return = "418 \"🫖\"";
+ "~ ^(/_matrix|/_synapse/client)" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://[::1]:8008";
+ extraConfig = ''
+ client_max_body_size 64M;
+ proxy_set_header X-Request-ID $request_id;
+ proxy_http_version 1.1;
+ '';
+ };
+ "/_synapse/metrics" = {
+ proxyPass = "http://[::1]:9009";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ allow 2001:678:760:cccb::14;
+ allow 195.160.173.14;
+ deny all;
+ '';
+ };
+ };
+ };
 }
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index 8234469..3ff5f33 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -6,9 +6,6 @@
 ../../services/openssh.nix
 ../../services/prometheus-node.nix
 ./hedgedoc.nix
- ../../services/nginx.nix
- ./nginx.nix
- ../../services/prometheus-nginx.nix
 ];
 
 networking = {
diff --git a/hosts/md/hedgedoc.nix b/hosts/md/hedgedoc.nix
index ccc67d4..62732c6 100644
--- a/hosts/md/hedgedoc.nix
+++ b/hosts/md/hedgedoc.nix
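Review bot: The `/_synapse/metrics` location hard-codes the monitoring host's two addresses in its `allow`/`deny` list, and the same literals are repeated in `hosts/md/hedgedoc.nix` (`/metrics` and `/status`) and in the nftables rules of `services/prometheus-node.nix`, so a change of the monitoring address has to be chased through every file. Since this hunk is a move rather than new logic, a follow-up could hoist the list into one shared binding (a `let` in a small module that each `extraConfig` references), in the same way `hedgedoc.nix` already binds `cfg`. `client_max_body_size 64M` presumably mirrors Synapse's upload limit; if that limit is configured in the `matrix-synapse` settings above, a one-line comment tying the two together would stop them drifting. The enclosing `services = {` set opens in the first hunk, outside this one.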
@@ -1,16 +1,66 @@
 { config, ... }:
 
+let
+ cfg = config.services.hedgedoc.settings;
+in
 {
- services.hedgedoc = {
- enable = true;
- environmentFile = config.age.secrets.hedgedoc_db_password.path;
- settings = {
- domain = "md.${config.networking.domain}";
- dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@sql.berlin.ccc.de:5432/hedgedoc";
- db.dialect = "postgresql";
- protocolUseSSL = true;
- enableStatsApi = true;
+ imports = [
+ ../../services/nginx.nix
+ ./nginx.nix
+ ../../services/prometheus-nginx.nix
+ ];
+
+ services = {
+ hedgedoc = {
+ enable = true;
+ environmentFile = config.age.secrets.hedgedoc_db_password.path;
+ settings = {
+ domain = "md.${config.networking.domain}";
+ dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@sql.berlin.ccc.de:5432/hedgedoc";
+ db.dialect = "postgresql";
+ protocolUseSSL = true;
+ enableStatsApi = true;
+ };
+ };
+
+ nginx.virtualHosts."md.${config.networking.domain}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
+ '';
+ };
+ "/socket.io/" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "/metrics" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ allow 195.160.173.14;
+ allow 2001:678:760:cccb::14;
+ deny all;
+ '';
+ };
+ "/status" = {
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ allow 195.160.173.14;
+ allow 2001:678:760:cccb::14;
+ deny all;
+ '';
+ };
+ };
 };
 };
 }
-
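Review bot: The new `imports` list in `hosts/md/hedgedoc.nix` still names `./nginx.nix`, but this same commit deletes `hosts/md/nginx.nix`, so evaluating the `md` host will fail on a missing file; the vhost now lives in this file, and the sibling `synapse.nix` and `grafana.nix` hunks import only the two shared service modules. Drop that entry: `imports = [ ../../services/nginx.nix ../../services/prometheus-nginx.nix ];`. Separately, the `Content-Security-Policy` header that was commented out in the deleted file is now active in the `"/"` location, which is a behavioural change riding along with what is otherwise a move; `script-src 'self'` blocks inline scripts, and HedgeDoc ships its own `csp` setting, so the editor should be tested with this header enforced and the change called out in the commit description.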
diff --git a/hosts/md/nginx.nix b/hosts/md/nginx.nix
deleted file mode 100644
index 8f5f8c6..0000000
--- a/hosts/md/nginx.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, ... }:
-
-let
- cfg = config.services.hedgedoc.settings;
-in
-{
- services.nginx.virtualHosts."md.${config.networking.domain}" = {
- default = true;
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- extraConfig = ''
- #add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
- '';
- };
- "/socket.io/" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
- "/metrics" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- extraConfig = ''
- allow 195.160.173.14;
- allow 2001:678:760:cccb::14;
- deny all;
- '';
- };
- "/status" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- extraConfig = ''
- allow 195.160.173.14;
- allow 2001:678:760:cccb::14;
- deny all;
- '';
- };
- };
- };
-}
-
diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix
index f98be6a..21b93ae 100644
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@@ -5,9 +5,6 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/prometheus-node.nix
- ../../services/nginx.nix
- ./nginx.nix
- ../../services/prometheus-nginx.nix
 ./prometheus.nix
 ./grafana.nix
 ];
@@ -41,4 +38,3 @@
 system.stateVersion = "25.11"; }
-
diff --git a/hosts/monitoring/grafana.nix b/hosts/monitoring/grafana.nix
index cca6943..e3acc5e 100644
--- a/hosts/monitoring/grafana.nix
+++ b/hosts/monitoring/grafana.nix
@@ -4,6 +4,11 @@
 # - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana
 
 {
+ imports = [
+ ../../services/nginx.nix
+ ../../services/prometheus-nginx.nix
+ ];
+
 services = {
 grafana = {
 enable = true;
@@ -43,6 +48,35 @@
 ];
 };
 };
+
+ nginx = {
+ upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" =
+ { };
+ virtualHosts."monitoring.${config.networking.domain}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ #extraConfig = ''
+ # map $http_upgrade $connection_upgrade {
+ # default upgrade;
+ # \'\' close;
+ # }
+ #'';
+ locations = {
+ "/" = {
+ basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+ proxyPass = "http://grafana";
+ recommendedProxySettings = true;
+ };
+ "/api/live/" = {
+ proxyPass = "http://grafana";
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
 };
 }
-
diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix
deleted file mode 100644
index 90e887c..0000000
--- a/hosts/monitoring/nginx.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, ... }:
-
- {
- services.nginx = {
- upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" = {};
- virtualHosts."monitoring.${config.networking.domain}" = {
- default = true;
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- #extraConfig = ''
- # map $http_upgrade $connection_upgrade {
- # default upgrade;
- # \'\' close;
- # }
- #'';
- locations = {
- "/" = {
- basicAuthFile = config.age.secrets.grafana_basic_auth.path;
- proxyPass = "http://grafana";
- recommendedProxySettings = true;
- };
- "/api/live/" = {
- proxyPass = "http://grafana";
- recommendedProxySettings = true;
- proxyWebsockets = true;
- };
- };
- };
- };
-}
-
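Review bot: `basicAuthFile` is applied only to the `"/"` location, so `/api/live/` is proxied to Grafana without the htpasswd check; if the basic-auth gate is meant to shield the whole `monitoring.*` vhost rather than only the UI entry point, set it once at the virtualHost level (next to `enableACME = true;`) instead of per location, which nginx then inherits into every location — clients that already authenticated re-send the header on the websocket handshake, so `/api/live/` should keep working. The commented-out `extraConfig` block with the `$connection_upgrade` map is carried over from the deleted `hosts/monitoring/nginx.nix`; `proxyWebsockets = true` already emits the Upgrade/Connection headers, so that dead block can be dropped rather than moved. The enclosing `services = {` set opens in the first hunk, outside this one.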
diff --git a/hosts/monitoring/prometheus.nix b/hosts/monitoring/prometheus.nix
index 27caa05..802f500 100644
--- a/hosts/monitoring/prometheus.nix
+++ b/hosts/monitoring/prometheus.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 
 {
 services.prometheus = {
@@ -11,12 +16,16 @@
 scrape_interval = "15s";
 scheme = "https";
 metrics_path = "/_synapse/metrics";
- static_configs = [{ targets = [ "matrix.berlin.ccc.de:443" ]; }];
+ static_configs = [ { targets = [ "matrix.berlin.ccc.de:443" ]; } ];
 }
 {
 job_name = "postgres";
 scrape_interval = "15s";
- static_configs = [{ targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ]; }];
+ static_configs = [
+ {
+ targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ];
+ }
+ ];
 }
 {
 job_name = "node";
@@ -53,7 +62,7 @@
 scrape_interval = "15s";
 static_configs = [
 {
- targets = ["ellsberg.berlin.ccc.de"];
+ targets = [ "ellsberg.berlin.ccc.de" ];
 }
 ];
 metrics_path = "/pve";
diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix
index f60d04e..392969e 100644
--- a/hosts/sql/postgres.nix
+++ b/hosts/sql/postgres.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 
 let
 fqdn = "sql.${config.networking.domain}";
@@ -36,7 +41,9 @@ let
 END $do$; '';
- passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
+ passwordScript = pkgs.writeText "postgres-passwords.sql" (
+ builtins.concatStringsSep "\n" (map mkPasswordSQL entries)
+ );
 in
 {
 services = {
@@ -80,4 +87,3 @@ in
 --file=${passwordScript}
 '';
 }
-
diff --git a/hosts/sql/prometheus-postgres.nix b/hosts/sql/prometheus-postgres.nix
index a6c832d..afe4b6c 100644
--- a/hosts/sql/prometheus-postgres.nix
+++ b/hosts/sql/prometheus-postgres.nix
@@ -11,4 +11,3 @@
 '';
 };
 }
-
diff --git a/hosts/www/default.nix b/hosts/www/default.nix
index 4a9cc1b..0921a3b 100644
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@@ -6,9 +6,7 @@
 ../../services/openssh.nix
 ./openssh.nix
 ../../services/prometheus-node.nix
- ../../services/nginx.nix
 ./nginx.nix
- ../../services/prometheus-nginx.nix
 ];
 
 networking = {
diff --git a/hosts/www/nginx.nix b/hosts/www/nginx.nix
index c3ce108..763cafb 100644
--- a/hosts/www/nginx.nix
+++ b/hosts/www/nginx.nix
@@ -4,10 +4,15 @@ let
 # TODO: mkVHost
 in
 {
+ imports = [
+ ../../services/nginx.nix
+ ../../services/prometheus-nginx.nix
+ ];
+
 services.nginx.virtualHosts = {
 "www.${config.networking.domain}" = {
 default = true;
- serverAliases = [config.networking.domain];
+ serverAliases = [ config.networking.domain ];
 quic = true;
 kTLS = true;
 forceSSL = true;
@@ -77,4 +82,3 @@ in
 };
 };
 }
-
diff --git a/hosts/www/openssh.nix b/hosts/www/openssh.nix
index 2a91325..288b5d3 100644
--- a/hosts/www/openssh.nix
+++ b/hosts/www/openssh.nix
@@ -12,7 +12,7 @@
 "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www-staging/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjjLtnGf7w5D/ON+P2HpMZ5HA2fWp5YSQMGMuu5CjUt deploy@www.berlin.ccc.de staging"
 ];
 };
- groups.deploy = {};
+ groups.deploy = { };
 };
 
 services.openssh.extraConfig = ''
@@ -20,4 +20,3 @@
 Banner none
 '';
 }
-
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8845eb3..7dba2da 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -38,10 +38,18 @@ in
 "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ]; "pve-exporter.age".publicKeys = users ++ [ _monitoring ];
- "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
- "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
- "postgres-grafana.age".publicKeys = users ++ [ _sql _monitoring ];
+ "postgres-matrix-synapse.age".publicKeys = users ++ [
+ _sql
+ _matrix
+ ];
+ "postgres-hedgedoc.age".publicKeys = users ++ [
+ _sql
+ _md
+ ];
+ "postgres-grafana.age".publicKeys = users ++ [
+ _sql
+ _monitoring
+ ];
 "www-staging-htpasswd.age".publicKeys = users ++ [ _www ]; }
-
diff --git a/services/prometheus-nginx.nix b/services/prometheus-nginx.nix
index a02de4e..4abef44 100644
--- a/services/prometheus-nginx.nix
+++ b/services/prometheus-nginx.nix
@@ -10,4 +10,3 @@
 '';
 };
 }
-
diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix
index af2c20e..a327fc4 100644
--- a/services/prometheus-node.nix
+++ b/services/prometheus-node.nix
@@ -8,8 +8,7 @@
 ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
 ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
 '';
- enabledCollectors = [];
- disabledCollectors = [];
+ enabledCollectors = [ ];
+ disabledCollectors = [ ];
 };
 }
-