diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 7ab9d3c..1b321d8 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,7 +5,6 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/nginx.nix
- ../../services/prometheus-node.nix
 ./nginx.nix
 ./synapse.nix
 ./draupnir.nix
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index 437a864..e30f687 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -4,7 +4,6 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
- ../../services/prometheus-node.nix
 ./hedgedoc.nix
 ../../services/nginx.nix
 ./nginx.nix
diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix
index 18ccdce..fb2e323 100644
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@@ -4,9 +4,8 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
- ../../services/prometheus-node.nix
 ../../services/nginx.nix
- ./nginx.nix
+ #./nginx.nix
 #./prometheus.nix
 #./grafana.nix
 ];
diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix
index bb61893..5712204 100644
--- a/hosts/monitoring/nginx.nix
+++ b/hosts/monitoring/nginx.nix
@@ -7,7 +7,7 @@
 kTLS = true;
 forceSSL = true;
 enableACME = true;
- basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+ #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
 locations = {
 "/" = {
 #proxyPass = "http://";
diff --git a/hosts/powerdns/default.nix b/hosts/powerdns/default.nix
new file mode 100644
index 0000000..270ce81
--- /dev/null
+++ b/hosts/powerdns/default.nix
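Review bot: Commenting out `basicAuthFile` in hosts/monitoring/nginx.nix leaves a complete TLS vhost (forceSSL, enableACME, `locations."/"`) with no authentication at all, and the only thing keeping it out of the build is the `#./nginx.nix` comment in hosts/monitoring/default.nix from the same commit; whoever re-imports the file later ships whatever `"/"` ends up serving without a login, whereas the original line would have failed evaluation loudly now that `grafana_basic_auth.age` is deleted. Either delete the vhost file together with the secret, or keep `basicAuthFile = config.age.secrets.grafana_basic_auth.path;` and the secret so the dependency stays explicit; if the commented form must stay, mark it `# TODO: restore basicAuthFile (and the age secret) before re-enabling this vhost`. The `services.nginx.virtualHosts` attribute this hunk belongs to starts and ends outside the hunk.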
@@ -0,0 +1,35 @@
+{ ... }:
+
+{
+ imports = [
+ ../common.nix
+ ../../services/openssh.nix
+ ../../services/powerdns.nix
+ ];
+
+ networking = {
+ hostName = "powerdns";
+ firewall = {
+ allowedTCPPorts = [
+ 53 # DNS
+ ];
+ allowedUDPPorts = [
+ 53 # DNS
+ ];
+ };
+ };
+
+ services = {
+ openssh.banner = ''
+ __ __
+ /\ \__ /\ \
+ ___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____
+ /' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\
+ /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \
+ \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/
+ \/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/
+ '';
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix
index 50c94ce..707f731 100644
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@@ -4,7 +4,6 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
- ../../services/prometheus-node.nix
 ./postgres.nix
 ];
 
diff --git a/hosts/www/default.nix b/hosts/www/default.nix
index 2a62713..fd41fe2 100644
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@@ -5,7 +5,6 @@
 ../common.nix
 ../../services/openssh.nix
 ./openssh.nix
- ../../services/prometheus-node.nix
 ../../services/nginx.nix
 ./nginx.nix
 ];
diff --git a/secrets/grafana_basic_auth.age b/secrets/grafana_basic_auth.age
deleted file mode 100644
index 0a9d08f..0000000
Binary files a/secrets/grafana_basic_auth.age and /dev/null differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d687b70..3114dbe 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,7 +35,6 @@ in
 "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ]; "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ]; - "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ]; "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
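Review bot: The firewall opens 53/tcp and 53/udp on every interface, and the imported services/powerdns.nix in this same commit binds `local-address=0.0.0.0, ::`, so this authoritative server answers anyone on the Internet; as far as I know PowerDNS Authoritative has no built-in response-rate limiting, so consider an nftables `limit rate` on udp/53 (or a dnsdist front-end) to keep it from being used as an amplification reflector. It would also help a future reader if the `53 # DNS` comments recorded what is intentionally not opened here, e.g. `53 # DNS (pdns API on 8081 and powerdns-admin on 8000 stay loopback-only; reach them over SSH)`, since nothing in this file says so.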
diff --git a/services/powerdns.nix b/services/powerdns.nix
new file mode 100644
index 0000000..209a978
--- /dev/null
+++ b/services/powerdns.nix
@@ -0,0 +1,72 @@
+{ config, ... }:
+
+{
+ # exposes prometheus metrics at http://127.0.0.1:8081/metrics
+ services = {
+ powerdns = {
+ enable = true;
+ secretFile = config.age.secrets.powerdns.path;
+ # API_KEY=supersecret123!
+ # WEBSERVER_PASSWORD=supersecre123!
+ extraConfig = ''
+ api=yes
+ api-key=$API_KEY
+ local-address=0.0.0.0, ::
+ local-port=53
+ log-timestamp=no # journald already does this
+ resolver=127.0.0.54:5300 # Used for ALIAS lookup
+ secondary=yes
+ version-string=anonymous
+ webserver-password=$WEBSERVER_PASSWORD
+ webserver-port=8081
+
+ launch=bind
+ '';
+ };
+ powerdns-admin = {
+ enable = true;
+ secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
+ saltFile = config.age.secrets.powerdns-admin-salt.path;
+ extraArgs = [];
+ config = ''
+ # PDA
+ SIGNUP_ENABLED = True
+ LOCAL_DB_ENABLED = True
+
+ # Flask
+ BIND_ADDRESS = '127.0.0.1'
+ PORT = 8000
+ #SESSION_COOKIE_SECURE = True
+
+ # Flask-Session
+ import cachelib
+ SESSION_TYPE = 'cachelib'
+ SESSION_CACHELIB = cachelib.simple.SimpleCache()
+
+ # Flask-SQLAlchemy
+ SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
+ SQLALCHEMY_TRACK_MODIFICATIONS = True
+
+ # FLask-SeaSurf
+ #CSRF_COOKIE_SECURE = True
+ '';
+ };
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_18;
+ ensureUsers = [
+ {
+ name = "pda";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [ "pda" ];
+ };
+ postgresqlBackup = {
+ enable = true;
+ compression = "zstd";
+ startAt = "@midnight";
+ };
+ };
+}
+
diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix
deleted file mode 100644
index 71e75e7..0000000
--- a/services/prometheus-node.nix
+++ /dev/null
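Review bot: `package = pkgs.postgresql_18;` references `pkgs`, but the module header is `{ config, ... }:`, so this file cannot evaluate as written; change the header to `{ config, pkgs, ... }:`. The PDA database settings also disagree with each other: `ensureUsers`/`ensureDatabases` create role and database `pda`, while `SQLALCHEMY_DATABASE_URI` connects as `powerdnsadmin` to database `powerdnsadmin` over the peer-authenticated unix socket, so one side needs renaming (e.g. `name = "powerdnsadmin";` and `ensureDatabases = [ "powerdnsadmin" ];`) and the service's OS user has to match the role for peer auth to succeed. On the security side, `SIGNUP_ENABLED = True` lets anyone who can reach 127.0.0.1:8000 (or whatever reverse proxy is later put in front of it) self-register a PDA account, so flip it to `False` once the first admin exists, and the commented `SESSION_COOKIE_SECURE`/`CSRF_COOKIE_SECURE` lines should come back the moment this sits behind TLS. The `# API_KEY=supersecret123!` / `# WEBSERVER_PASSWORD=supersecre123!` comments read like real values (one even carries a typo suggesting a paste); if they are real, rotate them, and either way replace them with a description of the secretFile's expected keys, e.g. `# secretFile provides API_KEY and WEBSERVER_PASSWORD (KEY=value lines)`, with no values.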
@@ -1,15 +0,0 @@
-{ ... }:
-
-{
- services.prometheus.exporters.node = {
- enable = true;
- #listenAddress = "0.0.0.0";
- firewallRules = ''
- ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
- ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
- '';
- enabledCollectors = [];
- disabledCollectors = [];
- };
-}
-