cleanup

grafana basic auth
2026-02-17 19:22:42 +01:00 · 2026-02-17 19:22:11 +01:00
11 changed files with 23 additions and 109 deletions
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@ -5,6 +5,7 @@
    ../common.nix
    ../../services/openssh.nix
    ../../services/nginx.nix
+    ../../services/prometheus-node.nix
    ./nginx.nix
    ./synapse.nix
    ./draupnir.nix
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@ -4,6 +4,7 @@
  imports = [
    ../common.nix
    ../../services/openssh.nix
+    ../../services/prometheus-node.nix
    ./hedgedoc.nix
    ../../services/nginx.nix
    ./nginx.nix
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@ -4,8 +4,9 @@
  imports = [
    ../common.nix
    ../../services/openssh.nix
+    ../../services/prometheus-node.nix
    ../../services/nginx.nix
-    #./nginx.nix
+    ./nginx.nix
    #./prometheus.nix
    #./grafana.nix
  ];
--- a/hosts/monitoring/nginx.nix
+++ b/hosts/monitoring/nginx.nix
@ -7,7 +7,7 @@
    kTLS = true;
    forceSSL = true;
    enableACME = true;
-    #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+    basicAuthFile = config.age.secrets.grafana_basic_auth.path;
    locations = {
      "/" = {
        #proxyPass = "http://";
--- a/hosts/powerdns/default.nix
+++ b/hosts/powerdns/default.nix
@ -1,35 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ../common.nix
-    ../../services/openssh.nix
-    ../../services/powerdns.nix
-  ];
-
-  networking = {
-    hostName = "powerdns";
-    firewall = {
-      allowedTCPPorts = [
-        53 # DNS
-      ];
-      allowedUDPPorts = [
-        53 # DNS
-      ];
-    };
-  };
-
-  services = {
-    openssh.banner = ''
-                                       __                             __
-                                      /\ \__                         /\ \
-        ___     ____      ___     ____\ \ ,_\       ___    ___    ___\ \ \____
-      /' _ `\  /',__\    / __`\  /',__\\ \ \/      /'___\ /'___\ /'___\ \ '__`\
-      /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_  __/\ \__//\ \__//\ \__/\ \ \L\ \
-      \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/
-       \/_/\/_/\/___/\/_/\/___/  \/___/   \/__/\/_/\/____/\/____/\/____/ \/___/
-    '';
-  };
-
-  system.stateVersion = "25.11";
-}
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@ -4,6 +4,7 @@
  imports = [
    ../common.nix
    ../../services/openssh.nix
+    ../../services/prometheus-node.nix
    ./postgres.nix
  ];

--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@ -5,6 +5,7 @@
    ../common.nix
    ../../services/openssh.nix
    ./openssh.nix
+    ../../services/prometheus-node.nix
    ../../services/nginx.nix
    ./nginx.nix
  ];
--- a/secrets/grafana_basic_auth.age
+++ b/secrets/grafana_basic_auth.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -35,6 +35,7 @@ in

  "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ];
  "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ];
+  "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];

  "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
  "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
--- a/services/powerdns.nix
+++ b/services/powerdns.nix
@ -1,72 +0,0 @@
-{ config, ... }:
-
-{
-  # exposes prometheus metrics at http://127.0.0.1:8081/metrics
-  services = {
-    powerdns = {
-      enable = true;
-      secretFile = config.age.secrets.powerdns.path;
-      # API_KEY=supersecret123!
-      # WEBSERVER_PASSWORD=supersecre123!
-      extraConfig = ''
-        api=yes
-        api-key=$API_KEY
-        local-address=0.0.0.0, ::
-        local-port=53
-        log-timestamp=no  # journald already does this
-        resolver=127.0.0.54:5300  # Used for ALIAS lookup
-        secondary=yes
-        version-string=anonymous
-        webserver-password=$WEBSERVER_PASSWORD
-        webserver-port=8081
-
-        launch=bind
-      '';
-    };
-    powerdns-admin = {
-      enable = true;
-      secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
-      saltFile = config.age.secrets.powerdns-admin-salt.path;
-      extraArgs = [];
-      config = ''
-        # PDA
-        SIGNUP_ENABLED = True
-        LOCAL_DB_ENABLED = True
-
-        # Flask
-        BIND_ADDRESS = '127.0.0.1'
-        PORT = 8000
-        #SESSION_COOKIE_SECURE = True
-
-        # Flask-Session
-        import cachelib
-        SESSION_TYPE = 'cachelib'
-        SESSION_CACHELIB = cachelib.simple.SimpleCache()
-
-        # Flask-SQLAlchemy
-        SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
-        SQLALCHEMY_TRACK_MODIFICATIONS = True
-
-        # FLask-SeaSurf
-        #CSRF_COOKIE_SECURE = True
-      '';
-    };
-    postgresql = {
-      enable = true;
-      package = pkgs.postgresql_18;
-      ensureUsers = [
-        {
-          name = "pda";
-          ensureDBOwnership = true;
-        }
-      ];
-      ensureDatabases = [ "pda" ];
-    };
-    postgresqlBackup = {
-      enable = true;
-      compression = "zstd";
-      startAt = "@midnight";
-    };
-  };
-}
-
--- a/services/prometheus-node.nix
+++ b/services/prometheus-node.nix
@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  services.prometheus.exporters.node = {
+    enable = true;
+    #listenAddress = "0.0.0.0";
+    firewallRules = ''
+      ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+      ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+    '';
+    enabledCollectors = [];
+    disabledCollectors = [];
+  };
+}
+
Author	SHA1	Message	Date
Ricardo (XenGi) Band	307ee605a4	cleanup	2026-02-17 19:22:42 +01:00
Ricardo (XenGi) Band	11da229f3f	grafana basic auth	2026-02-17 19:22:11 +01:00