reformat and restructure

2026-03-01 15:11:15 +01:00 · 2026-03-01 15:11:15 +01:00 · dc6b3805f6
commit dc6b3805f6
parent cbb12c73e7
20 changed files with 173 additions and 158 deletions
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -122,10 +122,9 @@
      defaults = {
        validMinDays = 14;
        renewInterval = "daily";
-        email = "acme@xengi.de";
+        email = "adimn@berlin.ccc.de";
        group = "nginx";
      };
    };
  };
 }
-
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@ -5,9 +5,6 @@
    ../common.nix
    ../../services/openssh.nix
    ../../services/prometheus-node.nix
-    ../../services/nginx.nix
-    ./nginx.nix
-    ../../services/prometheus-nginx.nix
    ./synapse.nix
    ./draupnir.nix
  ];
--- a/hosts/matrix/draupnir.nix
+++ b/hosts/matrix/draupnir.nix
@ -14,4 +14,3 @@
    secrets.accessToken = config.age.secrets.draupnir_access_token.path;
  };
 }
-
--- a/hosts/matrix/nginx.nix
+++ b/hosts/matrix/nginx.nix
@ -1,32 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx.virtualHosts."matrix.${config.networking.domain}" = {
-    default = true;
-    quic = true;
-    kTLS = true;
-    forceSSL = true;
-    enableACME = true;
-    locations = {
-      "/".return = "418 \"🫖\"";
-      "~ ^(/_matrix|/_synapse/client)" = {
-        recommendedProxySettings = true;
-        proxyPass = "http://[::1]:8008";
-        extraConfig = ''
-          client_max_body_size 64M;
-          proxy_set_header X-Request-ID $request_id;
-          proxy_http_version 1.1;
-        '';
-      };
-      "/_synapse/metrics" = {
-        proxyPass = "http://[::1]:9009";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          allow 2001:678:760:cccb::14;
-          allow 195.160.173.14;
-          deny all;
-        '';
-      };
-    };
-  };
-}
--- a/hosts/matrix/synapse.nix
+++ b/hosts/matrix/synapse.nix
@ -1,6 +1,11 @@
 { config, ... }:

 {
+  imports = [
+    ../../services/nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
  services = {
    matrix-synapse = {
      enable = true;
@ -62,4 +67,33 @@
      enableRegistrationScript = true;
    };
  };
+
+  nginx.virtualHosts."matrix.${config.networking.domain}" = {
+    default = true;
+    quic = true;
+    kTLS = true;
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/".return = "418 \"🫖\"";
+      "~ ^(/_matrix|/_synapse/client)" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://[::1]:8008";
+        extraConfig = ''
+          client_max_body_size 64M;
+          proxy_set_header X-Request-ID $request_id;
+          proxy_http_version 1.1;
+        '';
+      };
+      "/_synapse/metrics" = {
+        proxyPass = "http://[::1]:9009";
+        recommendedProxySettings = true;
+        extraConfig = ''
+          allow 2001:678:760:cccb::14;
+          allow 195.160.173.14;
+          deny all;
+        '';
+      };
+    };
+  };
 }
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@ -6,9 +6,6 @@
    ../../services/openssh.nix
    ../../services/prometheus-node.nix
    ./hedgedoc.nix
-    ../../services/nginx.nix
-    ./nginx.nix
-    ../../services/prometheus-nginx.nix
  ];

  networking = {
--- a/hosts/md/hedgedoc.nix
+++ b/hosts/md/hedgedoc.nix
@ -1,7 +1,17 @@
 { config, ... }:

+let
+  cfg = config.services.hedgedoc.settings;
+in
 {
-  services.hedgedoc = {
+  imports = [
+    ../../services/nginx.nix
+    ./nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
+  services = {
+    hedgedoc = {
      enable = true;
      environmentFile = config.age.secrets.hedgedoc_db_password.path;
      settings = {
@ -12,5 +22,45 @@
        enableStatsApi = true;
      };
    };
-}

+    nginx.virtualHosts."md.${config.networking.domain}" = {
+      default = true;
+      quic = true;
+      kTLS = true;
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          recommendedProxySettings = true;
+          extraConfig = ''
+            add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
+          '';
+        };
+        "/socket.io/" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+        };
+        "/metrics" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          recommendedProxySettings = true;
+          extraConfig = ''
+            allow 195.160.173.14;
+            allow 2001:678:760:cccb::14;
+            deny all;
+          '';
+        };
+        "/status" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}";
+          recommendedProxySettings = true;
+          extraConfig = ''
+            allow 195.160.173.14;
+            allow 2001:678:760:cccb::14;
+            deny all;
+          '';
+        };
+      };
+    };
+  };
+}
--- a/hosts/md/nginx.nix
+++ b/hosts/md/nginx.nix
@ -1,47 +0,0 @@
-{ config, ... }:
-
-let
-  cfg = config.services.hedgedoc.settings;
-in
-{
-  services.nginx.virtualHosts."md.${config.networking.domain}" = {
-    default = true;
-    quic = true;
-    kTLS = true;
-    forceSSL = true;
-    enableACME = true;
-    locations = {
-      "/" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          #add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
-        '';
-      };
-      "/socket.io/" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        proxyWebsockets = true;
-        recommendedProxySettings = true;
-      };
-      "/metrics" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          allow 195.160.173.14;
-          allow 2001:678:760:cccb::14;
-          deny all;
-        '';
-      };
-      "/status" = {
-        proxyPass = "http://${cfg.host}:${toString cfg.port}";
-        recommendedProxySettings = true;
-        extraConfig = ''
-          allow 195.160.173.14;
-          allow 2001:678:760:cccb::14;
-          deny all;
-        '';
-      };
-    };
-  };
-}
-
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@ -5,9 +5,6 @@
    ../common.nix
    ../../services/openssh.nix
    ../../services/prometheus-node.nix
-    ../../services/nginx.nix
-    ./nginx.nix
-    ../../services/prometheus-nginx.nix
    ./prometheus.nix
    ./grafana.nix
  ];
@ -41,4 +38,3 @@

  system.stateVersion = "25.11";
 }
-
--- a/hosts/monitoring/grafana.nix
+++ b/hosts/monitoring/grafana.nix
@ -4,6 +4,11 @@
 # - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana

 {
+  imports = [
+    ../../services/nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
  services = {
    grafana = {
      enable = true;
@ -43,6 +48,35 @@
        ];
      };
    };
+
+    nginx = {
+      upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" =
+        { };
+      virtualHosts."monitoring.${config.networking.domain}" = {
+        default = true;
+        quic = true;
+        kTLS = true;
+        forceSSL = true;
+        enableACME = true;
+        #extraConfig = ''
+        #  map $http_upgrade $connection_upgrade {
+        #    default upgrade;
+        #    \'\' close;
+        #  }
+        #'';
+        locations = {
+          "/" = {
+            basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+            proxyPass = "http://grafana";
+            recommendedProxySettings = true;
+          };
+          "/api/live/" = {
+            proxyPass = "http://grafana";
+            recommendedProxySettings = true;
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
  };
 }
-
--- a/hosts/monitoring/nginx.nix
+++ b/hosts/monitoring/nginx.nix
@ -1,33 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx = {
-    upstreams."grafana".servers."[${config.services.grafana.settings.server.http_addr}]:${toString config.services.grafana.settings.server.http_port}" = {};
-    virtualHosts."monitoring.${config.networking.domain}" = {
-      default = true;
-      quic = true;
-      kTLS = true;
-      forceSSL = true;
-      enableACME = true;
-      #extraConfig = ''
-      #  map $http_upgrade $connection_upgrade {
-      #    default upgrade;
-      #    \'\' close;
-      #  }
-      #'';
-      locations = {
-        "/" = {
-          basicAuthFile = config.age.secrets.grafana_basic_auth.path;
-          proxyPass = "http://grafana";
-          recommendedProxySettings = true;
-        };
-        "/api/live/" = {
-          proxyPass = "http://grafana";
-          recommendedProxySettings = true;
-          proxyWebsockets = true;
-        };
-      };
-    };
-  };
-}
-
--- a/hosts/monitoring/prometheus.nix
+++ b/hosts/monitoring/prometheus.nix
@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 {
  services.prometheus = {
@ -11,12 +16,16 @@
        scrape_interval = "15s";
        scheme = "https";
        metrics_path = "/_synapse/metrics";
-        static_configs = [{ targets = [ "matrix.berlin.ccc.de:443" ]; }];
+        static_configs = [ { targets = [ "matrix.berlin.ccc.de:443" ]; } ];
      }
      {
        job_name = "postgres";
        scrape_interval = "15s";
-        static_configs = [{ targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ]; }];
+        static_configs = [
+          {
+            targets = [ "sql.berlin.ccc.de:${toString config.services.prometheus.exporters.postgres.port}" ];
+          }
+        ];
      }
      {
        job_name = "node";
@ -53,7 +62,7 @@
        scrape_interval = "15s";
        static_configs = [
          {
-            targets = ["ellsberg.berlin.ccc.de"];
+            targets = [ "ellsberg.berlin.ccc.de" ];
          }
        ];
        metrics_path = "/pve";
--- a/hosts/sql/postgres.nix
+++ b/hosts/sql/postgres.nix
@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 let
  fqdn = "sql.${config.networking.domain}";
@ -36,7 +41,9 @@ let
    END
    $do$;
  '';
-  passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
+  passwordScript = pkgs.writeText "postgres-passwords.sql" (
+    builtins.concatStringsSep "\n" (map mkPasswordSQL entries)
+  );
 in
 {
  services = {
@ -80,4 +87,3 @@ in
      --file=${passwordScript}
  '';
 }
-
--- a/hosts/sql/prometheus-postgres.nix
+++ b/hosts/sql/prometheus-postgres.nix
@ -11,4 +11,3 @@
    '';
  };
 }
-
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@ -6,9 +6,7 @@
    ../../services/openssh.nix
    ./openssh.nix
    ../../services/prometheus-node.nix
-    ../../services/nginx.nix
    ./nginx.nix
-    ../../services/prometheus-nginx.nix
  ];

  networking = {
--- a/hosts/www/nginx.nix
+++ b/hosts/www/nginx.nix
@ -4,10 +4,15 @@ let
  # TODO: mkVHost
 in
 {
+  imports = [
+    ../../services/nginx.nix
+    ../../services/prometheus-nginx.nix
+  ];
+
  services.nginx.virtualHosts = {
    "www.${config.networking.domain}" = {
      default = true;
-      serverAliases = [config.networking.domain];
+      serverAliases = [ config.networking.domain ];
      quic = true;
      kTLS = true;
      forceSSL = true;
@ -77,4 +82,3 @@ in
    };
  };
 }
-
--- a/hosts/www/openssh.nix
+++ b/hosts/www/openssh.nix
@ -12,7 +12,7 @@
        "command=\"${pkgs.rsync}/bin/rsync --server -vlogDtpre.iLsfxCIvu . /srv/http/www-staging/\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjjLtnGf7w5D/ON+P2HpMZ5HA2fWp5YSQMGMuu5CjUt deploy@www.berlin.ccc.de staging"
      ];
    };
-    groups.deploy = {};
+    groups.deploy = { };
  };

  services.openssh.extraConfig = ''
@ -20,4 +20,3 @@
      Banner none
  '';
 }
-
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -38,10 +38,18 @@ in
  "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
  "pve-exporter.age".publicKeys = users ++ [ _monitoring ];

-  "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
-  "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
-  "postgres-grafana.age".publicKeys = users ++ [ _sql _monitoring ];
+  "postgres-matrix-synapse.age".publicKeys = users ++ [
+    _sql
+    _matrix
+  ];
+  "postgres-hedgedoc.age".publicKeys = users ++ [
+    _sql
+    _md
+  ];
+  "postgres-grafana.age".publicKeys = users ++ [
+    _sql
+    _monitoring
+  ];

  "www-staging-htpasswd.age".publicKeys = users ++ [ _www ];
 }
-
--- a/services/prometheus-nginx.nix
+++ b/services/prometheus-nginx.nix
@ -10,4 +10,3 @@
    '';
  };
 }
-
--- a/services/prometheus-node.nix
+++ b/services/prometheus-node.nix
@ -8,8 +8,7 @@
      ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
      ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
    '';
-    enabledCollectors = [];
-    disabledCollectors = [];
+    enabledCollectors = [ ];
+    disabledCollectors = [ ];
  };
 }
-