reformat and restructure

hosts/common.nix

@@ -122,10 +122,9 @@
       defaults = {
         validMinDays = 14;
         renewInterval = "daily";
-        email = "acme@xengi.de";
+        email = "adimn@berlin.ccc.de";
         group = "nginx";
       };
     };
   };
 }
-

hosts/matrix/default.nix

@@ -5,9 +5,6 @@
     ../common.nix
     ../../services/openssh.nix
     ../../services/prometheus-node.nix
-    ../../services/nginx.nix
-    ./nginx.nix
-    ../../services/prometheus-nginx.nix
     ./synapse.nix
     ./draupnir.nix
   ];

hosts/matrix/draupnir.nix

@@ -14,4 +14,3 @@
     secrets.accessToken = config.age.secrets.draupnir_access_token.path;
   };
 }
-

hosts/matrix/nginx.nix

@@ -1,32 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx.virtualHosts."matrix.${config.networking.domain}" = {
-    default = true;
-    quic = true;
-    kTLS = true;
-    forceSSL = true;
-    enableACME = true;
-    locations = {
-      "/".return = "418 \"🫖\"";
-      "~ ^(/_matrix|/_synapse/client)" = {
-        recommendedProxySettings = true;
-        proxyPass = "http://[::1]:8008";
-        extraConfig = ''
-          client_max_body_size 64M;
-          proxy_set_header X-Request-ID $request_id;
-          proxy_http_version 1.1;
-        '';
-      };
-      "/_synapse/metrics" = {
-        proxyPass = "http://[::1]:9009";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          allow 2001:678:760:cccb::14;
-          allow 195.160.173.14;
-          deny all;
-        '';
-      };
-    };
-  };
-}

hosts/matrix/synapse.nix

@@ -1,6 +1,11 @@
 { config, ... }:
 
 {
+  imports = [
+    ../../services/nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
   services = {
     matrix-synapse = {
       enable = true;
@@ -62,4 +67,33 @@
       enableRegistrationScript = true;
     };
   };
+
+  nginx.virtualHosts."matrix.${config.networking.domain}" = {
+    default = true;
+    quic = true;
+    kTLS = true;
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/".return = "418 \"🫖\"";
+      "~ ^(/_matrix|/_synapse/client)" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://[::1]:8008";
+        extraConfig = ''
+          client_max_body_size 64M;
+          proxy_set_header X-Request-ID $request_id;
+          proxy_http_version 1.1;
+        '';
+      };
+      "/_synapse/metrics" = {
+        proxyPass = "http://[::1]:9009";
+        recommendedProxySettings = true;
+        extraConfig = ''
+          allow 2001:678:760:cccb::14;
+          allow 195.160.173.14;
+          deny all;
+        '';
+      };
+    };
+  };
 }

hosts/md/default.nix

@@ -6,9 +6,6 @@
     ../../services/openssh.nix
     ../../services/prometheus-node.nix
     ./hedgedoc.nix
-    ../../services/nginx.nix
-    ./nginx.nix
-    ../../services/prometheus-nginx.nix
   ];
 
   networking = {

hosts/md/hedgedoc.nix

@@ -1,7 +1,17 @@
 { config, ... }:
 
+let
+  cfg = config.services.hedgedoc.settings;
+in
 {
-  services.hedgedoc = {
+  imports = [
+    ../../services/nginx.nix
+    ./nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
+  services = {
+    hedgedoc = {
       enable = true;
       environmentFile = config.age.secrets.hedgedoc_db_password.path;
       settings = {
@@ -12,5 +22,45 @@
         enableStatsApi = true;
       };
     };
-}
 
+    nginx.virtualHosts."md.${config.networking.domain}" = {
+      default = true;
+      quic = true;
+      kTLS = true;
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          recommendedProxySettings = true;
+          extraConfig = ''
+            add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
+          '';
+        };
+        "/socket.io/" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+        };
+        "/metrics" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          recommendedProxySettings = true;
+          extraConfig = ''
+            allow 195.160.173.14;
+            allow 2001:678:760:cccb::14;
+            deny all;
+          '';
+        };
+        "/status" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          recommendedProxySettings = true;
+          extraConfig = ''
+            allow 195.160.173.14;
+            allow 2001:678:760:cccb::14;
+            deny all;
+          '';
+        };
+      };
+    };
+  };
+}

hosts/md/nginx.nix

@@ -1,47 +0,0 @@
-{ config, ... }:
-
-let
-  cfg = config.services.hedgedoc.settings;
-in
-{
-  services.nginx.virtualHosts."md.${config.networking.domain}" = {
-    default = true;
-    quic = true;
-    kTLS = true;
-    forceSSL = true;
-    enableACME = true;
-    locations = {
-      "/" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          #add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
-        '';
-      };
-      "/socket.io/" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        proxyWebsockets = true;
-        recommendedProxySettings = true;
-      };
-      "/metrics" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          allow 195.160.173.14;
-          allow 2001:678:760:cccb::14;
-          deny all;
-        '';
-      };
-      "/status" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          allow 195.160.173.14;
-          allow 2001:678:760:cccb::14;
-          deny all;
-        '';
-      };
-    };
-  };
-}
-

hosts/monitoring/default.nix

@@ -5,9 +5,6 @@
     ../common.nix
     ../../services/openssh.nix
     ../../services/prometheus-node.nix
-    ../../services/nginx.nix
-    ./nginx.nix
-    ../../services/prometheus-nginx.nix
     ./prometheus.nix
     ./grafana.nix
   ];
@@ -41,4 +38,3 @@
 
   system.stateVersion = "25.11";
 }
-

hosts/monitoring/grafana.nix

@@ -4,6 +4,11 @@
 # - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana
 
 {
+  imports = [
+    ../../services/nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
   services = {
     grafana = {
       enable = true;
@@ -43,6 +48,35 @@
         ];
       };
     };
+
+    nginx = {
+      upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" =
+        { };
+      virtualHosts."monitoring.${config.networking.domain}" = {
+        default = true;
+        quic = true;
+        kTLS = true;
+        forceSSL = true;
+        enableACME = true;
+        #extraConfig = ''
+        #  map $http_upgrade $connection_upgrade {
+        #    default upgrade;
+        #    \'\' close;
+        #  }
+        #'';
+        locations = {
+          "/" = {
+            basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+            proxyPass = "http://grafana";
+            recommendedProxySettings = true;
+          };
+          "/api/live/" = {
+            proxyPass = "http://grafana";
+            recommendedProxySettings = true;
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
   };
 }
-

hosts/monitoring/nginx.nix

@@ -1,33 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx = {
-    upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" = {};
-    virtualHosts."monitoring.${config.networking.domain}" = {
-      default = true;
-      quic = true;
-      kTLS = true;
-      forceSSL = true;
-      enableACME = true;
-      #extraConfig = ''
-      #  map $http_upgrade $connection_upgrade {
-      #    default upgrade;
-      #    \'\' close;
-      #  }
-      #'';
-      locations = {
-        "/" = {
-          basicAuthFile = config.age.secrets.grafana_basic_auth.path;
-          proxyPass = "http://grafana";
-          recommendedProxySettings = true;
-        };
-        "/api/live/" = {
-          proxyPass = "http://grafana";
-          recommendedProxySettings = true;
-          proxyWebsockets = true;
-        };
-      };
-    };
-  };
-}
-

hosts/monitoring/prometheus.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
 {
   services.prometheus = {
@@ -11,12 +16,16 @@
         scrape_interval = "15s";
         scheme = "https";
         metrics_path = "/_synapse/metrics";
-        static_configs = [{ targets = [ "matrix.berlin.ccc.de:443" ]; }];
+        static_configs = [ { targets = [ "matrix.berlin.ccc.de:443" ]; } ];
       }
       {
         job_name = "postgres";
         scrape_interval = "15s";
-        static_configs = [{ targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ]; }];
+        static_configs = [
+          {
+            targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ];
+          }
+        ];
       }
       {
         job_name = "node";
@@ -53,7 +62,7 @@
         scrape_interval = "15s";
         static_configs = [
           {
-            targets = ["ellsberg.berlin.ccc.de"];
+            targets = [ "ellsberg.berlin.ccc.de" ];
           }
         ];
         metrics_path = "/pve";

hosts/sql/postgres.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
 let
   fqdn = "sql.${config.networking.domain}";
@@ -36,7 +41,9 @@ let
     END
     $do$;
   '';
-  passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
+  passwordScript = pkgs.writeText "postgres-passwords.sql" (
+    builtins.concatStringsSep "\n" (map mkPasswordSQL entries)
+  );
 in
 {
   services = {
@@ -80,4 +87,3 @@ in
       --file=${passwordScript}
   '';
 }
-

hosts/sql/prometheus-postgres.nix

@@ -11,4 +11,3 @@
     '';
   };
 }
-

hosts/www/default.nix

@@ -6,9 +6,7 @@
     ../../services/openssh.nix
     ./openssh.nix
     ../../services/prometheus-node.nix
-    ../../services/nginx.nix
     ./nginx.nix
-    ../../services/prometheus-nginx.nix
   ];
 
   networking = {

hosts/www/nginx.nix

@@ -4,10 +4,15 @@ let
   # TODO: mkVHost
 in
 {
+  imports = [
+    ../../services/nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
   services.nginx.virtualHosts = {
     "www.${config.networking.domain}" = {
       default = true;
-      serverAliases = [config.networking.domain];
+      serverAliases = [ config.networking.domain ];
       quic = true;
       kTLS = true;
       forceSSL = true;
@@ -77,4 +82,3 @@ in
     };
   };
 }
-

hosts/www/openssh.nix

@@ -12,7 +12,7 @@
         "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www-staging/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjjLtnGf7w5D/ON+P2HpMZ5HA2fWp5YSQMGMuu5CjUt deploy@www.berlin.ccc.de staging"
       ];
     };
-    groups.deploy = {};
+    groups.deploy = { };
   };
 
   services.openssh.extraConfig = ''
@@ -20,4 +20,3 @@
       Banner none
   '';
 }
-

secrets/secrets.nix

@@ -38,10 +38,18 @@ in
   "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
   "pve-exporter.age".publicKeys = users ++ [ _monitoring ];
 
-  "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
+  "postgres-matrix-synapse.age".publicKeys = users ++ [
-  "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
+    _sql
-  "postgres-grafana.age".publicKeys = users ++ [ _sql _monitoring ];
+    _matrix
+  ];
+  "postgres-hedgedoc.age".publicKeys = users ++ [
+    _sql
+    _md
+  ];
+  "postgres-grafana.age".publicKeys = users ++ [
+    _sql
+    _monitoring
+  ];
 
   "www-staging-htpasswd.age".publicKeys = users ++ [ _www ];
 }
-

services/prometheus-nginx.nix

@@ -10,4 +10,3 @@
     '';
   };
 }
-

services/prometheus-node.nix

@@ -8,8 +8,7 @@
       ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
       ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
     '';
-    enabledCollectors = [];
+    enabledCollectors = [ ];
-    disabledCollectors = [];
+    disabledCollectors = [ ];
   };
 }
-