cleanup

hosts/matrix/default.nix

@@ -5,6 +5,7 @@
     ../common.nix
     ../../services/openssh.nix
     ../../services/nginx.nix
+    ../../services/prometheus-node.nix
     ./nginx.nix
     ./synapse.nix
     ./draupnir.nix

hosts/md/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ../common.nix
     ../../services/openssh.nix
+    ../../services/prometheus-node.nix
     ./hedgedoc.nix
     ../../services/nginx.nix
     ./nginx.nix

hosts/monitoring/default.nix

@@ -4,8 +4,9 @@
   imports = [
     ../common.nix
     ../../services/openssh.nix
+    ../../services/prometheus-node.nix
     ../../services/nginx.nix
-    #./nginx.nix
+    ./nginx.nix
     #./prometheus.nix
     #./grafana.nix
   ];

hosts/monitoring/nginx.nix

@@ -7,7 +7,7 @@
     kTLS = true;
     forceSSL = true;
     enableACME = true;
-    #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+    basicAuthFile = config.age.secrets.grafana_basic_auth.path;
     locations = {
       "/" = {
         #proxyPass = "http://";

hosts/powerdns/default.nix

@@ -1,35 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ../common.nix
-    ../../services/openssh.nix
-    ../../services/powerdns.nix
-  ];
-
-  networking = {
-    hostName = "powerdns";
-    firewall = {
-      allowedTCPPorts = [
-        53 # DNS
-      ];
-      allowedUDPPorts = [
-        53 # DNS
-      ];
-    };
-  };
-
-  services = {
-    openssh.banner = ''
-                                       __                             __
-                                      /\ \__                         /\ \
-        ___     ____      ___     ____\ \ ,_\       ___    ___    ___\ \ \____
-      /' _ `\  /',__\    / __`\  /',__\\ \ \/      /'___\ /'___\ /'___\ \ '__`\
-      /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_  __/\ \__//\ \__//\ \__/\ \ \L\ \
-      \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/
-       \/_/\/_/\/___/\/_/\/___/  \/___/   \/__/\/_/\/____/\/____/\/____/ \/___/
-    '';
-  };
-
-  system.stateVersion = "25.11";
-}

hosts/sql/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ../common.nix
     ../../services/openssh.nix
+    ../../services/prometheus-node.nix
     ./postgres.nix
   ];
 

hosts/www/default.nix

@@ -5,6 +5,7 @@
     ../common.nix
     ../../services/openssh.nix
     ./openssh.nix
+    ../../services/prometheus-node.nix
     ../../services/nginx.nix
     ./nginx.nix
   ];

secrets/secrets.nix

@@ -35,6 +35,7 @@ in
 
   "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ];
   "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ];
+  "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
 
   "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
   "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];

services/powerdns.nix

@@ -1,72 +0,0 @@
-{ config, ... }:
-
-{
-  # exposes prometheus metrics at http://127.0.0.1:8081/metrics
-  services = {
-    powerdns = {
-      enable = true;
-      secretFile = config.age.secrets.powerdns.path;
-      # API_KEY=supersecret123!
-      # WEBSERVER_PASSWORD=supersecre123!
-      extraConfig = ''
-        api=yes
-        api-key=$API_KEY
-        local-address=0.0.0.0, ::
-        local-port=53
-        log-timestamp=no  # journald already does this
-        resolver=127.0.0.54:5300  # Used for ALIAS lookup
-        secondary=yes
-        version-string=anonymous
-        webserver-password=$WEBSERVER_PASSWORD
-        webserver-port=8081
-
-        launch=bind
-      '';
-    };
-    powerdns-admin = {
-      enable = true;
-      secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
-      saltFile = config.age.secrets.powerdns-admin-salt.path;
-      extraArgs = [];
-      config = ''
-        # PDA
-        SIGNUP_ENABLED = True
-        LOCAL_DB_ENABLED = True
-
-        # Flask
-        BIND_ADDRESS = '127.0.0.1'
-        PORT = 8000
-        #SESSION_COOKIE_SECURE = True
-
-        # Flask-Session
-        import cachelib
-        SESSION_TYPE = 'cachelib'
-        SESSION_CACHELIB = cachelib.simple.SimpleCache()
-
-        # Flask-SQLAlchemy
-        SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
-        SQLALCHEMY_TRACK_MODIFICATIONS = True
-
-        # FLask-SeaSurf
-        #CSRF_COOKIE_SECURE = True
-      '';
-    };
-    postgresql = {
-      enable = true;
-      package = pkgs.postgresql_18;
-      ensureUsers = [
-        {
-          name = "pda";
-          ensureDBOwnership = true;
-        }
-      ];
-      ensureDatabases = [ "pda" ];
-    };
-    postgresqlBackup = {
-      enable = true;
-      compression = "zstd";
-      startAt = "@midnight";
-    };
-  };
-}
-

services/prometheus-node.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  services.prometheus.exporters.node = {
+    enable = true;
+    #listenAddress = "0.0.0.0";
+    firewallRules = ''
+      ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+      ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+    '';
+    enabledCollectors = [];
+    disabledCollectors = [];
+  };
+}
+