From 11da229f3f892d3346a83cbb11b5e26cf9974687 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Tue, 17 Feb 2026 19:22:11 +0100
Subject: [PATCH 1/2] grafana basic auth

---
 hosts/matrix/default.nix | 1 +
 hosts/md/default.nix | 1 +
 hosts/monitoring/default.nix | 3 ++-
 hosts/monitoring/nginx.nix | 2 +-
 hosts/sql/default.nix | 1 +
 hosts/www/default.nix | 1 +
 secrets/grafana_basic_auth.age | Bin 0 -> 942 bytes
 secrets/secrets.nix | 1 +
 services/prometheus-node.nix | 15 +++++++++++++++
 9 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 secrets/grafana_basic_auth.age
 create mode 100644 services/prometheus-node.nix

diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 1b321d8..7ab9d3c 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/nginx.nix
+ ../../services/prometheus-node.nix
 ./nginx.nix
 ./synapse.nix
 ./draupnir.nix
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index e30f687..437a864 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ./hedgedoc.nix
 ../../services/nginx.nix
 ./nginx.nix
diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix
index fb2e323..18ccdce 100644
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@@ -4,8 +4,9 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ../../services/nginx.nix
- #./nginx.nix
+ ./nginx.nix
 #./prometheus.nix
 #./grafana.nix
 ];
diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix
index 5712204..bb61893 100644
--- a/hosts/monitoring/nginx.nix
+++ b/hosts/monitoring/nginx.nix
@@ -7,7 +7,7 @@
 kTLS = true;
 forceSSL = true;
 enableACME = true;
- #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+ basicAuthFile = config.age.secrets.grafana_basic_auth.path;
 locations = {
 "/" = {
 #proxyPass = "http://";
diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix
index 707f731..50c94ce 100644
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ./postgres.nix
 ];
diff --git a/hosts/www/default.nix b/hosts/www/default.nix
index fd41fe2..2a62713 100644
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ./openssh.nix
+ ../../services/prometheus-node.nix
 ../../services/nginx.nix
 ./nginx.nix
 ];
diff --git a/secrets/grafana_basic_auth.age b/secrets/grafana_basic_auth.age
new file mode 100644
index 0000000000000000000000000000000000000000..0a9d08f4464fe75aa5ea15f44982bb5f377b800b
GIT binary patch
literal 942
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH_0Y~UELRBdP4V~5 z%L+Ggw9F}Ta}O;_G%GW6F3a=u%QiGl4@oYKO7`;%FgMh%G~hC~tk5?~GI!7NjwntJ z)OOZ(&#y``@$t(t@CpcyN~!b<%QwvN$uaT{3`Muiwah0eyj&r*GBhpOEFwAAG$YBR zGAF9SB+{ka$FwRtEI-_`Jh3R(saQMG#52RpAe}2*zc3>&GQ`z!ZWkTvC!N-+$}daB`UNm*aY3S6kqK$pFjmC|8(~tj|dZ&taA5A?J`Hhs-$4& zbZvtIqj0x~6xVbQzo1n2D#JpH@^miqBExWt;5-u#cTauaB2$+rgU~W<3+>bbS96bC zlaz4h0D~mM;E+6zpnP=OvMR!TjRFgS$TV>* zaSJwxat-7PaB=Y~4J!4_^)pLOcXTu?NDB1v%P;me&J4{ih%_{{w6rkR&nZd`$+AGV z&CR{Q)G%Ek+1R`)*CI8$D!(9Azuep_$s)%+DLGTyPus-OG2K5^KQg!2E25+#Da4n{ z*VD-|pt7)7+qA&9Dm}$BG1<^G)jT~hGECpoHOb4#sid;lDc2_>-wh)qJrfH`lhYME z{nEnSvQko9ihX_3GJTDMa*`dBowSW}Jv@qoO^X6TvlBCmJcHBB-OIT`!g9SMLe10D z0t`dUjl)eXLY+e@q6~vAQ-gEU0@D0K&9fa#0ur;bBO|$Vb#)aC&4aWnl6-wi{EagV zUDA?VQ?>mpbM%A#LyJm_lDw0=OWiDzlhc!;%0jt5Hhx?dxp|qnSLnAW*F%55%zOCo zSAXB{8^1p)mbtyFchDqdB4=$YfnKAH#)HH=6zZ nB3@i)kaf7?@$opr@=FOfJs*^uPY+2rEbe+dC;pJfp4j~W2r56&

literal 0
HcmV?d00001
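Review bot: `basicAuthFile = config.age.secrets.grafana_basic_auth.path;` points nginx at an agenix-managed file, but agenix decrypts secrets as root-owned mode 0400 by default, so the nginx worker cannot open the htpasswd file unless the secret is declared with an owner or group nginx can read, e.g. `age.secrets.grafana_basic_auth = { file = ../../secrets/grafana_basic_auth.age; owner = "nginx"; };`. Nothing in this patch declares that `age.secrets` attribute; if it is not declared elsewhere in the monitoring host, evaluation fails on the missing attribute as soon as the monitoring/default.nix hunk enables `./nginx.nix`. The `/` location still has `proxyPass` commented out, so the basic-auth gate currently guards a location that serves nothing; worth confirming that is the intended state until the Grafana proxy is wired up. The virtualHost block starts above this hunk.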
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3114dbe..d687b70 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,6 +35,7 @@ in
 "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ];
 "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ];
+ "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
 "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
 "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix
new file mode 100644
index 0000000..71e75e7
--- /dev/null
+++ b/services/prometheus-node.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ services.prometheus.exporters.node = {
+ enable = true;
+ #listenAddress = "0.0.0.0";
+ firewallRules = ''
+ ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+ ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+ '';
+ enabledCollectors = [];
+ disabledCollectors = [];
+ };
+}
+

From 307ee605a4e0b16896d4cf302b78da98ab2c52c9 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Tue, 17 Feb 2026 19:22:42 +0100
Subject: [PATCH 2/2] cleanup

---
 hosts/powerdns/default.nix | 35 ------------------
 services/powerdns.nix | 72 --------------------------------------
 2 files changed, 107 deletions(-)
 delete mode 100644 hosts/powerdns/default.nix
 delete mode 100644 services/powerdns.nix

diff --git a/hosts/powerdns/default.nix b/hosts/powerdns/default.nix
deleted file mode 100644
index 270ce81..0000000
--- a/hosts/powerdns/default.nix
+++ /dev/null
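Review bot: services/prometheus-node.nix does not evaluate as written: the module header is `{ ... }:`, so `config` in `${config.services.prometheus.exporters.node.port}` is an undefined variable, and even with `{ config, ... }:` the port option is an integer, which Nix refuses to coerce inside a string, so both rules need `tcp dport ${toString config.services.prometheus.exporters.node.port}`. The five host imports in this patch (matrix, md, monitoring, sql, www) all pull in this file, so each of those hosts fails to build until that is fixed. `firewallRules` is only installed when `services.prometheus.exporters.node.openFirewall = true;` is set, which this file does not do, so the exporter port stays closed and Prometheus on the monitoring host cannot scrape it; adding `openFirewall = true;` next to `enable = true;` keeps the intended source-restricted allowlist (the two monitoring addresses) instead of exposing the port to everyone. The rule `comment` text ends in `monitoring.berlin.ccc.der`, which looks like a typo for `.de` — cosmetic, but worth confirming.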
@@ -1,35 +0,0 @@ -{ ... }: - -{ - imports = [ - ../common.nix - ../../services/openssh.nix - ../../services/powerdns.nix - ]; - - networking = { - hostName = "powerdns"; - firewall = { - allowedTCPPorts = [ - 53 # DNS - ]; - allowedUDPPorts = [ - 53 # DNS - ]; - }; - }; - - services = { - openssh.banner = '' - __ __ - /\ \__ /\ \ - ___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____ - /' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\ - /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \ - \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/ - \/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/ - ''; - }; - - system.stateVersion = "25.11"; -} diff --git a/services/powerdns.nix b/services/powerdns.nix deleted file mode 100644 index 209a978..0000000 --- a/services/powerdns.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ config, ... }: - -{ - # exposes prometheus metrics at http://127.0.0.1:8081/metrics - services = { - powerdns = { - enable = true; - secretFile = config.age.secrets.powerdns.path; - # API_KEY=supersecret123! - # WEBSERVER_PASSWORD=supersecre123! - extraConfig = '' - api=yes - api-key=$API_KEY - local-address=0.0.0.0, :: - local-port=53 - log-timestamp=no # journald already does this - resolver=127.0.0.54:5300 # Used for ALIAS lookup - secondary=yes - version-string=anonymous - webserver-password=$WEBSERVER_PASSWORD - webserver-port=8081 - - launch=bind - ''; - }; - powerdns-admin = { - enable = true; - secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path; - saltFile = config.age.secrets.powerdns-admin-salt.path; - extraArgs = []; - config = '' - # PDA - SIGNUP_ENABLED = True - LOCAL_DB_ENABLED = True - - # Flask - BIND_ADDRESS = '127.0.0.1' - PORT = 8000 - #SESSION_COOKIE_SECURE = True - - # Flask-Session - import cachelib - SESSION_TYPE = 'cachelib' - SESSION_CACHELIB = cachelib.simple.SimpleCache() - - # Flask-SQLAlchemy - SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql' - SQLALCHEMY_TRACK_MODIFICATIONS = True - - # FLask-SeaSurf - #CSRF_COOKIE_SECURE = True - ''; - }; - postgresql = { - enable = true; - package = pkgs.postgresql_18; - ensureUsers = [ - { - name = "pda"; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ "pda" ]; - }; - postgresqlBackup = { - enable = true; - compression = "zstd"; - startAt = "@midnight"; - }; - }; -} -