diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 1b321d8..7ab9d3c 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/nginx.nix
+ ../../services/prometheus-node.nix
 ./nginx.nix
 ./synapse.nix
 ./draupnir.nix
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index e30f687..437a864 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ./hedgedoc.nix
 ../../services/nginx.nix
 ./nginx.nix
diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix
index fb2e323..18ccdce 100644
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@@ -4,8 +4,9 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ../../services/nginx.nix
- #./nginx.nix
+ ./nginx.nix
 #./prometheus.nix
 #./grafana.nix
 ];
diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix
index 5712204..bb61893 100644
--- a/hosts/monitoring/nginx.nix
+++ b/hosts/monitoring/nginx.nix
@@ -7,7 +7,7 @@
 kTLS = true;
 forceSSL = true;
 enableACME = true;
- #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+ basicAuthFile = config.age.secrets.grafana_basic_auth.path;
 locations = {
 "/" = {
 #proxyPass = "http://";
diff --git a/hosts/powerdns/default.nix b/hosts/powerdns/default.nix
deleted file mode 100644
index 270ce81..0000000
--- a/hosts/powerdns/default.nix
+++ /dev/null
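Review bot: `basicAuthFile = config.age.secrets.grafana_basic_auth.path;` in hosts/monitoring/nginx.nix needs an `age.secrets.grafana_basic_auth` declaration (the one that sets `.file`) on the monitoring host, and this commit adds none; secrets/secrets.nix only registers the recipient keys for the encrypted file. If that declaration lives in the still-commented `./grafana.nix` in hosts/monitoring/default.nix, evaluation will fail on an undefined attribute until it is imported, so it is worth checking where it is expected to come from. Agenix decrypts to a root-owned, mode 0400 file by default as far as I recall, which nginx cannot open; the declaration should set `owner = "nginx";` (or a group plus `mode = "0440";`), matching whatever the existing grafana secrets on this host do. The decrypted content must be in htpasswd format (username:hash, not a plaintext password) for nginx to accept it.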
@@ -1,35 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ../common.nix
- ../../services/openssh.nix
- ../../services/powerdns.nix
- ];
-
- networking = {
- hostName = "powerdns";
- firewall = {
- allowedTCPPorts = [
- 53 # DNS
- ];
- allowedUDPPorts = [
- 53 # DNS
- ];
- };
- };
-
- services = {
- openssh.banner = ''
- __ __
- /\ \__ /\ \
- ___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____
- /' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\
- /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \
- \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/
- \/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/
- '';
- };
-
- system.stateVersion = "25.11";
-}
diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix
index 707f731..50c94ce 100644
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ./postgres.nix
 ];
diff --git a/hosts/www/default.nix b/hosts/www/default.nix
index fd41fe2..2a62713 100644
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ./openssh.nix
+ ../../services/prometheus-node.nix
 ../../services/nginx.nix
 ./nginx.nix
 ];
diff --git a/secrets/grafana_basic_auth.age b/secrets/grafana_basic_auth.age
new file mode 100644
index 0000000..0a9d08f
Binary files /dev/null and b/secrets/grafana_basic_auth.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3114dbe..d687b70 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,6 +35,7 @@ in
 "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ];
 "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ];
+ "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
 "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
 "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
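Review bot: The secrets/secrets.nix hunk only adds `grafana_basic_auth.age`; the three secrets the deleted services/powerdns.nix read (`config.age.secrets.powerdns`, `powerdns-admin-cookie-secret`, `powerdns-admin-salt`) are not removed here, and the hunk's context shows no powerdns entries going away. If they are still listed further up or down in that file with the decommissioned host's key as a recipient, they remain dead entries encrypted to a host that no longer exists in the tree and will keep being carried through every rekey. I can only see this hunk, so this may already be handled; if not, dropping those entries, their `.age` files and the host's recipient key in a follow-up keeps the secret inventory honest.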
diff --git a/services/powerdns.nix b/services/powerdns.nix
deleted file mode 100644
index 209a978..0000000
--- a/services/powerdns.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ config, ... }:
-
-{
- # exposes prometheus metrics at http://127.0.0.1:8081/metrics
- services = {
- powerdns = {
- enable = true;
- secretFile = config.age.secrets.powerdns.path;
- # API_KEY=supersecret123!
- # WEBSERVER_PASSWORD=supersecre123!
- extraConfig = ''
- api=yes
- api-key=$API_KEY
- local-address=0.0.0.0, ::
- local-port=53
- log-timestamp=no # journald already does this
- resolver=127.0.0.54:5300 # Used for ALIAS lookup
- secondary=yes
- version-string=anonymous
- webserver-password=$WEBSERVER_PASSWORD
- webserver-port=8081
-
- launch=bind
- '';
- };
- powerdns-admin = {
- enable = true;
- secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
- saltFile = config.age.secrets.powerdns-admin-salt.path;
- extraArgs = [];
- config = ''
- # PDA
- SIGNUP_ENABLED = True
- LOCAL_DB_ENABLED = True
-
- # Flask
- BIND_ADDRESS = '127.0.0.1'
- PORT = 8000
- #SESSION_COOKIE_SECURE = True
-
- # Flask-Session
- import cachelib
- SESSION_TYPE = 'cachelib'
- SESSION_CACHELIB = cachelib.simple.SimpleCache()
-
- # Flask-SQLAlchemy
- SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
- SQLALCHEMY_TRACK_MODIFICATIONS = True
-
- # FLask-SeaSurf
- #CSRF_COOKIE_SECURE = True
- '';
- };
- postgresql = {
- enable = true;
- package = pkgs.postgresql_18;
- ensureUsers = [
- {
- name = "pda";
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [ "pda" ];
- };
- postgresqlBackup = {
- enable = true;
- compression = "zstd";
- startAt = "@midnight";
- };
- };
-}
-
diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix
new file mode 100644
index 0000000..71e75e7
--- /dev/null
+++ b/services/prometheus-node.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ services.prometheus.exporters.node = {
+ enable = true;
+ #listenAddress = "0.0.0.0";
+ firewallRules = ''
+ ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+ ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+ '';
+ enabledCollectors = [];
+ disabledCollectors = [];
+ };
+}
+
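Review bot: `firewallRules` interpolates `${config.services.prometheus.exporters.node.port}` but the module header is `{ ... }:`, so `config` is unbound and every host importing this file (matrix, md, monitoring, sql, www in this commit) will fail to evaluate; the header needs to be `{ config, ... }:`. The port option is an integer and Nix refuses to coerce integers inside `${...}`, so the interpolation should also be `${toString config.services.prometheus.exporters.node.port}` on both rule lines. As far as I recall, `firewallRules` is only installed when the exporter's `openFirewall = true` is set and requires the nftables backend; neither is set here, so with the default NixOS firewall the exporter stays unreachable from the monitoring host, while on a host with the firewall disabled the default `listenAddress` binds all interfaces with no source restriction at all — worth confirming the intended combination and setting `openFirewall = true;` explicitly. The rule comments read `monitoring.berlin.ccc.der`, which looks like a typo for `.de`.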