reformat and restructure

This commit is contained in:
XenGi 2026-03-01 15:11:15 +01:00
parent cbb12c73e7
commit dc6b3805f6
Signed by: xengi
SSH key fingerprint: SHA256:dM+fLZGsDvyv6kunjE8bGduL24VsCFB4LEOSdmRHdG0
20 changed files with 173 additions and 158 deletions


@ -122,10 +122,9 @@
defaults = {
validMinDays = 14;
renewInterval = "daily";
email = "acme@xengi.de";
email = "adimn@berlin.ccc.de";
group = "nginx";
};
};
};
}
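Review bot: The new contact address `adimn@berlin.ccc.de` on the `email` line looks like a typo for `admin@`; if that mailbox does not exist, the CA's expiry and account notices for every certificate issued under these defaults will go nowhere, and the address is what gets registered with the ACME account on the next renewal. Suggest `email = "admin@berlin.ccc.de";` once the intended mailbox is confirmed. The enclosing attribute set (presumably `security.acme`) starts outside the hunk, so the replaced `acme@xengi.de` may still be referenced elsewhere in the file.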


@ -5,9 +5,6 @@
../common.nix
../../services/openssh.nix
../../services/prometheus-node.nix
../../services/nginx.nix
./nginx.nix
../../services/prometheus-nginx.nix
./synapse.nix
./draupnir.nix
];


@ -14,4 +14,3 @@
secrets.accessToken = config.age.secrets.draupnir_access_token.path;
};
}


@ -1,32 +0,0 @@
{ config, ... }:
{
services.nginx.virtualHosts."matrix.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
locations = {
"/".return = "418 \"🫖\"";
"~ ^(/_matrix|/_synapse/client)" = {
recommendedProxySettings = true;
proxyPass = "http://[::1]:8008";
extraConfig = ''
client_max_body_size 64M;
proxy_set_header X-Request-ID $request_id;
proxy_http_version 1.1;
'';
};
"/_synapse/metrics" = {
proxyPass = "http://[::1]:9009";
recommendedProxySettings = true;
extraConfig = ''
allow 2001:678:760:cccb::14;
allow 195.160.173.14;
deny all;
'';
};
};
};
}


@ -1,6 +1,11 @@
{ config, ... }:
{
imports = [
../../services/nginx.nix
../../services/prometheus-nginx.nix
];
services = {
matrix-synapse = {
enable = true;
@ -62,4 +67,33 @@
enableRegistrationScript = true;
};
};
nginx.virtualHosts."matrix.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
locations = {
"/".return = "418 \"🫖\"";
"~ ^(/_matrix|/_synapse/client)" = {
recommendedProxySettings = true;
proxyPass = "http://[::1]:8008";
extraConfig = ''
client_max_body_size 64M;
proxy_set_header X-Request-ID $request_id;
proxy_http_version 1.1;
'';
};
"/_synapse/metrics" = {
proxyPass = "http://[::1]:9009";
recommendedProxySettings = true;
extraConfig = ''
allow 2001:678:760:cccb::14;
allow 195.160.173.14;
deny all;
'';
};
};
};
}
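Review bot: `client_max_body_size 64M;` in the `~ ^(/_matrix|/_synapse/client)` location is a second upload limit in front of Synapse's own `max_upload_size`, and the two should be kept in step or clients get a bare nginx 413 instead of Synapse's error for the size in between; the `matrix-synapse.settings` block that would hold `max_upload_size` is cut out of this hunk, so this needs confirming. Consider deriving the value from the Synapse setting rather than hard-coding it, e.g. `client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};` if that option is set. The `allow`/`deny` list on `/_synapse/metrics` only protects the endpoint if this nginx sees the real client address — if another proxy or load balancer sits in front, the allowlist would need `set_real_ip_from`/`real_ip_header` too, which cannot be verified from this file.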


@ -6,9 +6,6 @@
../../services/openssh.nix
../../services/prometheus-node.nix
./hedgedoc.nix
../../services/nginx.nix
./nginx.nix
../../services/prometheus-nginx.nix
];
networking = {


@ -1,7 +1,17 @@
{ config, ... }:
let
cfg = config.services.hedgedoc.settings;
in
{
services.hedgedoc = {
imports = [
../../services/nginx.nix
./nginx.nix
../../services/prometheus-nginx.nix
];
services = {
hedgedoc = {
enable = true;
environmentFile = config.age.secrets.hedgedoc_db_password.path;
settings = {
@ -12,5 +22,45 @@
enableStatsApi = true;
};
};
}
nginx.virtualHosts."md.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
recommendedProxySettings = true;
extraConfig = ''
add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
'';
};
"/socket.io/" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
"/metrics" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
recommendedProxySettings = true;
extraConfig = ''
allow 195.160.173.14;
allow 2001:678:760:cccb::14;
deny all;
'';
};
"/status" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
recommendedProxySettings = true;
extraConfig = ''
allow 195.160.173.14;
allow 2001:678:760:cccb::14;
deny all;
'';
};
};
};
};
}
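Review bot: The Content-Security-Policy now enabled on the `/` location restricts what `md.` may embed (`frame-src 'self'`) but says nothing about who may embed `md.` — without a `frame-ancestors` directive (or an `X-Frame-Options` header) the editor can be framed from any origin, so add `frame-ancestors 'self';` to the policy string. Note also that nginx `add_header` at location level replaces, rather than extends, any `add_header` lines inherited from the server or http level, so if `../../services/nginx.nix` sets headers such as Strict-Transport-Security they will be absent from responses on `/` only; that file is not in this hunk, so please check. Since HedgeDoc can emit its own CSP via its `csp` setting, browsers will enforce the intersection of both headers — worth verifying the editor still loads with this policy un-commented.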


@ -1,47 +0,0 @@
{ config, ... }:
let
cfg = config.services.hedgedoc.settings;
in
{
services.nginx.virtualHosts."md.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
recommendedProxySettings = true;
extraConfig = ''
#add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
'';
};
"/socket.io/" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
"/metrics" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
recommendedProxySettings = true;
extraConfig = ''
allow 195.160.173.14;
allow 2001:678:760:cccb::14;
deny all;
'';
};
"/status" = {
proxyPass = "http://${cfg.host}:${toString cfg.port}";
recommendedProxySettings = true;
extraConfig = ''
allow 195.160.173.14;
allow 2001:678:760:cccb::14;
deny all;
'';
};
};
};
}


@ -5,9 +5,6 @@
../common.nix
../../services/openssh.nix
../../services/prometheus-node.nix
../../services/nginx.nix
./nginx.nix
../../services/prometheus-nginx.nix
./prometheus.nix
./grafana.nix
];
@ -41,4 +38,3 @@
system.stateVersion = "25.11";
}


@ -4,6 +4,11 @@
# - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana
{
imports = [
../../services/nginx.nix
../../services/prometheus-nginx.nix
];
services = {
grafana = {
enable = true;
@ -43,6 +48,35 @@
];
};
};
nginx = {
upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" =
{ };
virtualHosts."monitoring.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
#extraConfig = ''
# map $http_upgrade $connection_upgrade {
# default upgrade;
# \'\' close;
# }
#'';
locations = {
"/" = {
basicAuthFile = config.age.secrets.grafana_basic_auth.path;
proxyPass = "http://grafana";
recommendedProxySettings = true;
};
"/api/live/" = {
proxyPass = "http://grafana";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
};
};
};
}
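Review bot: The `/api/live/` location carries no `basicAuthFile`, so the Grafana Live websocket endpoint is reachable without the nginx basic-auth gate that `/` has; Grafana's own session check still applies, but if the basic auth is meant as a perimeter in front of Grafana, the bypass should be deliberate and documented, e.g. `# no basicAuthFile: browsers cannot answer a 401 on a WebSocket upgrade; Grafana auth still applies` (or add `basicAuthFile = config.age.secrets.grafana_basic_auth.path;` there if it is not). The commented-out `map $http_upgrade $connection_upgrade` block is dead code now that `proxyWebsockets = true` emits the Upgrade/Connection headers, and can be dropped. The `"[${...http_addr}]:${...}"` upstream key presumes `http_addr` is an IPv6 literal; if it is ever set to an IPv4 address or left empty the brackets make the upstream invalid, which this file does not pin down.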


@ -1,33 +0,0 @@
{ config, ... }:
{
services.nginx = {
upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" = {};
virtualHosts."monitoring.${config.networking.domain}" = {
default = true;
quic = true;
kTLS = true;
forceSSL = true;
enableACME = true;
#extraConfig = ''
# map $http_upgrade $connection_upgrade {
# default upgrade;
# \'\' close;
# }
#'';
locations = {
"/" = {
basicAuthFile = config.age.secrets.grafana_basic_auth.path;
proxyPass = "http://grafana";
recommendedProxySettings = true;
};
"/api/live/" = {
proxyPass = "http://grafana";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
};
};
}


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
{
services.prometheus = {
@ -16,7 +21,11 @@
{
job_name = "postgres";
scrape_interval = "15s";
static_configs = [{ targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ]; }];
static_configs = [
{
targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ];
}
];
}
{
job_name = "node";


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
fqdn = "sql.${config.networking.domain}";
@ -36,7 +41,9 @@ let
END
$do$;
'';
passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
passwordScript = pkgs.writeText "postgres-passwords.sql" (
builtins.concatStringsSep "\n" (map mkPasswordSQL entries)
);
in
{
services = {
@ -80,4 +87,3 @@ in
--file=${passwordScript}
'';
}


@ -11,4 +11,3 @@
'';
};
}


@ -6,9 +6,7 @@
../../services/openssh.nix
./openssh.nix
../../services/prometheus-node.nix
../../services/nginx.nix
./nginx.nix
../../services/prometheus-nginx.nix
];
networking = {


@ -4,6 +4,11 @@ let
# TODO: mkVHost
in
{
imports = [
../../services/nginx.nix
../../services/prometheus-nginx.nix
];
services.nginx.virtualHosts = {
"www.${config.networking.domain}" = {
default = true;
@ -77,4 +82,3 @@ in
};
};
}


@ -20,4 +20,3 @@
Banner none
'';
}


@ -38,10 +38,18 @@ in
"grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
"pve-exporter.age".publicKeys = users ++ [ _monitoring ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
"postgres-grafana.age".publicKeys = users ++ [ _sql _monitoring ];
"postgres-matrix-synapse.age".publicKeys = users ++ [
_sql
_matrix
];
"postgres-hedgedoc.age".publicKeys = users ++ [
_sql
_md
];
"postgres-grafana.age".publicKeys = users ++ [
_sql
_monitoring
];
"www-staging-htpasswd.age".publicKeys = users ++ [ _www ];
}


@ -10,4 +10,3 @@
'';
};
}


@ -12,4 +12,3 @@
disabledCollectors = [ ];
};
}