xengi/infra
0
1
Fork 0
Code Pull requests Activity Actions

Compare commits

base: xengi:307ee605a4e0b16896d4cf302b78da98ab2c52c9
Branches Tags
xengi:main
xengi:wip
..
compare: xengi:57328d19e94f55bc988a17fd9edf4c79c93a1745
Branches Tags
xengi:main
xengi:wip

No commits in common. "307ee605a4e0b16896d4cf302b78da98ab2c52c9" and "57328d19e94f55bc988a17fd9edf4c79c93a1745" have entirely different histories.
307ee605a4 ... 57328d19e9

11 changed files with 109 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/matrix/default.nix
View file

@ -5,7 +5,6 @@
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
../../services/nginx.nix ../../services/nginx.nix
../../services/prometheus-node.nix
./nginx.nix ./nginx.nix
./synapse.nix ./synapse.nix
./draupnir.nix ./draupnir.nix

1
hosts/md/default.nix
View file

@ -4,7 +4,6 @@
imports = [ imports = [
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
../../services/prometheus-node.nix
./hedgedoc.nix ./hedgedoc.nix
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix ./nginx.nix

3
hosts/monitoring/default.nix
View file

@ -4,9 +4,8 @@
imports = [ imports = [
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
../../services/prometheus-node.nix
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix #./nginx.nix
#./prometheus.nix #./prometheus.nix
#./grafana.nix #./grafana.nix
]; ];

2
hosts/monitoring/nginx.nix
View file

@ -7,7 +7,7 @@
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
basicAuthFile = config.age.secrets.grafana_basic_auth.path; #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
locations = { locations = {
"/" = { "/" = {
#proxyPass = "http://"; #proxyPass = "http://";

35
hosts/powerdns/default.nix Normal file
View file

@ -0,0 +1,35 @@
{ ... }:
{
imports = [
../common.nix
../../services/openssh.nix
../../services/powerdns.nix
];
networking = {
hostName = "powerdns";
firewall = {
allowedTCPPorts = [
53 # DNS
];
allowedUDPPorts = [
53 # DNS
];
};
};
services = {
openssh.banner = ''
__ __
/\ \__ /\ \
___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____
/' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\
/\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \
\ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/
\/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/
'';
};
system.stateVersion = "25.11";
}

1
hosts/sql/default.nix
View file

@ -4,7 +4,6 @@
imports = [ imports = [
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
../../services/prometheus-node.nix
./postgres.nix ./postgres.nix
]; ];

1
hosts/www/default.nix
View file

@ -5,7 +5,6 @@
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
./openssh.nix ./openssh.nix
../../services/prometheus-node.nix
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix ./nginx.nix
]; ];

BIN
secrets/grafana_basic_auth.age
View file

Binary file not shown.

1
secrets/secrets.nix
View file

@ -35,7 +35,6 @@ in
"grafana_admin_password.age".publicKeys = users ++ [ _monitoring ]; "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ];
"grafana_secret_key.age".publicKeys = users ++ [ _monitoring ]; "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ];
"grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];

72
services/powerdns.nix Normal file
View file

@ -0,0 +1,72 @@
{ config, ... }:
{
# exposes prometheus metrics at http://127.0.0.1:8081/metrics
services = {
powerdns = {
enable = true;
secretFile = config.age.secrets.powerdns.path;
# API_KEY=supersecret123!
# WEBSERVER_PASSWORD=supersecre123!
extraConfig = ''
api=yes
api-key=$API_KEY
local-address=0.0.0.0, ::
local-port=53
log-timestamp=no # journald already does this
resolver=127.0.0.54:5300 # Used for ALIAS lookup
secondary=yes
version-string=anonymous
webserver-password=$WEBSERVER_PASSWORD
webserver-port=8081
launch=bind
'';
};
powerdns-admin = {
enable = true;
secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
saltFile = config.age.secrets.powerdns-admin-salt.path;
extraArgs = [];
config = ''
# PDA
SIGNUP_ENABLED = True
LOCAL_DB_ENABLED = True
# Flask
BIND_ADDRESS = '127.0.0.1'
PORT = 8000
#SESSION_COOKIE_SECURE = True
# Flask-Session
import cachelib
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
# Flask-SQLAlchemy
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
SQLALCHEMY_TRACK_MODIFICATIONS = True
# FLask-SeaSurf
#CSRF_COOKIE_SECURE = True
'';
};
postgresql = {
enable = true;
package = pkgs.postgresql_18;
ensureUsers = [
{
name = "pda";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "pda" ];
};
postgresqlBackup = {
enable = true;
compression = "zstd";
startAt = "@midnight";
};
};
}

15
services/prometheus-node.nix
View file

@ -1,15 +0,0 @@
{ ... }:
{
services.prometheus.exporters.node = {
enable = true;
#listenAddress = "0.0.0.0";
firewallRules = ''
ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
'';
enabledCollectors = [];
disabledCollectors = [];
};
}