diff --git a/README.md b/README.md index fb55bd4..4410e01 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,5 @@ # Nix based CCCB infra -## Folder structure - -- `./services` holds generic service configuration that is shared between hosts -- `./hosts` holds host specific configuration -- `./secrets` holds age encrypted secrets using [agenix](https://github.com/ryantm/agenix) - ## Admin handbook ### Update a container @@ -13,7 +7,7 @@ ```shell ssh cd /etc/nixos -nix run .#apps.nixos-diff # git pull + build + diff wth running config +nix run .#apps.nixos-diff # Show what changes would be applied nixos-rebuild switch # Apply changes ``` @@ -21,13 +15,12 @@ nixos-rebuild switch # Apply changes Production: -- [Matrix (matrix.berlin.ccc.de)](./README.matrix.md) +- [Matrix](./README.matrix.md) Testing: -- [Hedgedoc (md.berlin.ccc.de)](./README.hedgedoc.md) -- [Postgres (sql.berlin.ccc.de)](./README.postgres.md) -- [Grafana/Prometheus (monitoring.berlin.ccc.de)](./README.monitoring.md) +- [Hedgedoc](./README.hedgedoc.md) +- [Postgres](./README.postgres.md) --- diff --git a/README.monitoring.md b/README.monitoring.md deleted file mode 100644 index cc0224f..0000000 --- a/README.monitoring.md +++ /dev/null @@ -1,10 +0,0 @@ -# Monitoring - -## Grafana - -## Prometheus - ---- - -Build with ❤️ and ❄️. - diff --git a/flake.nix b/flake.nix index a81fd91..6d6c0f4 100644 --- a/flake.nix +++ b/flake.nix @@ -100,16 +100,6 @@ modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } - { - age.secrets = { - hedgedoc-env = { - file = ./secrets/hedgedoc-env.age; - mode = "440"; - owner = "hedgedoc"; - group = "hedgedoc"; - }; - }; - } ./hosts/md ]; }; @@ -134,53 +124,11 @@ group = "postgres"; mode = "0400"; }; - postgres-grafana = { - file = ./secrets/postgres-grafana.age; - owner = "postgres"; - group = "postgres"; - mode = "0400"; - }; }; } ./hosts/sql ]; }; - nixosConfigurations."monitoring" = nixpkgs.lib.nixosSystem { - #system = "x86_64-linux"; - #pkgs = import nixpkgs { inherit system; }; - inherit system; - modules = [ - agenix.nixosModules.default - { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } - { - age.secrets = { - postgres-grafana = { - file = ./secrets/postgres-grafana.age; - owner = "postgres"; - group = "postgres"; - mode = "0400"; - }; - }; - } - ./hosts/monitoring - ]; - }; - nixosConfigurations."www" = nixpkgs.lib.nixosSystem { - #system = "x86_64-linux"; - #pkgs = import nixpkgs { inherit system; }; - inherit system; - modules = [ - ./hosts/www - ]; - }; - nixosConfigurations."git-run" = nixpkgs.lib.nixosSystem { - #system = "x86_64-linux"; - #pkgs = import nixpkgs { inherit system; }; - inherit system; - modules = [ - ./hosts/git-run - ]; - }; }; #); } diff --git a/hosts/common.nix b/hosts/common.nix index 7397864..e795c64 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -8,7 +8,6 @@ { imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../services/node-exporter.nix ]; systemd.suppressedSystemUnits = [ diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix index f502edf..9d30fb4 100644 --- a/hosts/matrix/default.nix +++ b/hosts/matrix/default.nix @@ -5,9 +5,11 @@ ../common.nix ../../services/openssh.nix ../../services/nginx.nix - ./nginx.nix - ./synapse.nix - ./draupnir.nix + ../../services/postgres.nix + ../../services/synapse.nix + ../../services/draupnir.nix + ../../services/prometheus.nix + ../../services/grafana.nix ]; networking = { diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix deleted file mode 100644 index 7fd4abc..0000000 --- a/hosts/matrix/nginx.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.nginx.virtualHosts."matrix.berlin.ccc.de" = { - default = true; - quic = true; - kTLS = true; - forceSSL = true; - enableACME = true; - locations = { - #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; - "/".return = "418 \"🫖\""; - "~ ^(/_matrix|/_synapse/client)" = { - recommendedProxySettings = true; - proxyPass = "http://[::1]:8008"; - extraConfig = '' - client_max_body_size 64M; - proxy_set_header X-Request-ID $request_id; - proxy_http_version 1.1; - ''; - }; - }; - }; -} diff --git a/hosts/md/default.nix b/hosts/md/default.nix index cf07d26..9c7bc32 100644 --- a/hosts/md/default.nix +++ b/hosts/md/default.nix @@ -4,7 +4,7 @@ imports = [ ../common.nix ../../services/openssh.nix - ./hedgedoc.nix + ../../services/hedgedoc.nix ]; networking = { diff --git a/hosts/md/hedgedoc.nix b/hosts/md/hedgedoc.nix deleted file mode 100644 index 137c91a..0000000 --- a/hosts/md/hedgedoc.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, ... }: - -let - db = { - host = "sql.berlin.ccc.de"; - port = 5432; - username = "hedgedoc"; - database = "hedgedoc"; - }; -in -{ - services.hedgedoc = { - enable = true; - settings = { - domain = "${config.networking.hostName}.${config.networking.domain}"; - dbURL = "postgres://${db.username}:\${DB_PASSWORD}@${db.host}:${toString db.port}/${db.name}"; - # sync with config.age.secrets.postgres-hedgedoc.path - environmentFile = config.age.secrets.hedgedoc-env.path; - protocolUseSSL = true; - enableStatsApi = true; - }; - }; -} - diff --git a/hosts/md/nginx.nix b/hosts/md/nginx.nix deleted file mode 100644 index c0cf2ac..0000000 --- a/hosts/md/nginx.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ config, pkgs, ... }: - -let - cfg = config.services.hedgedoc.settings; -in -{ - services.nginx.virtualHosts."${config.networking.hostName}.${config.networking.domain}" = { - default = true; - quic = true; - kTLS = true; - forceSSL = true; - enableACME = true; - locations = { - "/" = { - recommendedProxySettings = true; - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - }; - "/socket.io/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - }; - "/metrics" = { - recommendedProxySettings = true; - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - extraConfig = '' - allow 195.160.173.14; - allow 2001:678:760:cccb::14; - deny all; - ''; - }; - "/status" = { - recommendedProxySettings = true; - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - extraConfig = '' - allow 195.160.173.14; - allow 2001:678:760:cccb::14; - deny all; - ''; - }; - }; - }; -} - diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix deleted file mode 100644 index 10f7e18..0000000 --- a/hosts/monitoring/default.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ ... }: - -{ - imports = [ - ../common.nix - ../../services/openssh.nix - ../../services/nginx.nix - ./nginx.nix - ./prometheus.nix - ./grafana.nix - ]; - - networking = { - hostName = "monitoring"; - firewall = { - allowedTCPPorts = [ - 80 # HTTP/1 - 443 # HTTP/2 - ]; - allowedUDPPorts = [ - 443 # HTTP/3 - ]; - }; - }; - - services = { - openssh.banner = '' - __ - __/\ \__ __ - ___ ___ ___ ___ /\_\ \ ,_\ ___ _ __ /\_\ ___ __ - /' __` __`\ / __`\ /' _ `\/\ \ \ \/ / __`\/\`'__\/\ \ /' _ `\ /'_ `\ - /\ \/\ \/\ \/\ \L\ \/\ \/\ \ \ \ \ \_/\ \L\ \ \ \/ \ \ \/\ \/\ \/\ \L\ \ - \ \_\ \_\ \_\ \____/\ \_\ \_\ \_\ \__\ \____/\ \_\ \ \_\ \_\ \_\ \____ \ - \/_/\/_/\/_/\/___/ \/_/\/_/\/_/\/__/\/___/ \/_/ \/_/\/_/\/_/\/___L\ \ - /\____/ - \_/__/ - ''; - }; - - system.stateVersion = "25.11"; -} diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix deleted file mode 100644 index 31dddfe..0000000 --- a/hosts/monitoring/nginx.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.nginx = { - upstreams.grafana.servers."localhost:3000" = {}; - virtualHosts."${config.networking.hostName}.${config.networking.domain}" = { - default = true; - quic = true; - kTLS = true; - forceSSL = true; - enableACME = true; - #auth_basic "Administrator’s Area"; - #auth_basic_user_file ${config.age.secrets.grafana-basic-auth.path}; - locations = { - #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; - "/" = { - recommendedProxySettings = true; - proxyPass = "http://grafana"; - }; - "/api/live/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://grafana"; - }; - }; - }; - }; -} - diff --git a/hosts/powerdns/default.nix b/hosts/powerdns/default.nix new file mode 100644 index 0000000..270ce81 --- /dev/null +++ b/hosts/powerdns/default.nix @@ -0,0 +1,35 @@ +{ ... }: + +{ + imports = [ + ../common.nix + ../../services/openssh.nix + ../../services/powerdns.nix + ]; + + networking = { + hostName = "powerdns"; + firewall = { + allowedTCPPorts = [ + 53 # DNS + ]; + allowedUDPPorts = [ + 53 # DNS + ]; + }; + }; + + services = { + openssh.banner = '' + __ __ + /\ \__ /\ \ + ___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____ + /' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\ + /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \ + \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/ + \/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/ + ''; + }; + + system.stateVersion = "25.11"; +} diff --git a/hosts/sql/postgresql.nix b/hosts/sql/postgres.nix similarity index 81% rename from hosts/sql/postgresql.nix rename to hosts/sql/postgres.nix index 0060db2..61f3af8 100644 --- a/hosts/sql/postgresql.nix +++ b/hosts/sql/postgres.nix @@ -7,7 +7,6 @@ let entries = [ (mkEntry "matrix-synapse" 25) # matrix.berlin.ccc.de (mkEntry "hedgedoc" 26) # md.berlin.ccc.de - (mkEntry "grafana" 255) # mon.berlin.ccc.de ]; mkEntry = name: octet: { user = { @@ -48,14 +47,6 @@ in # }; #}; postgresql = { - enable = true; - package = pkgs.postgresql_18; - enableJIT = true; - initdbArgs = [ - "--locale=C" - "--encoding=UTF8" - ]; - settings.listen_addresses = "*"; enableTCPIP = true; #settings = { # ssl = "on"; @@ -67,16 +58,6 @@ in ensureDatabases = map (e: e.database) entries; authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; }; - postgresqlBackup = { - enable = true; - startAt = "@daily"; - compression = "zstd"; - }; - prometheus.exporters.postgres = { - enable = true; - openFirewall = true; - firewallRules = services.prometheus.exporters.node.firewallRules; - }: }; systemd.services.postgresql.postStart = '' ${config.services.postgresql.package}/bin/psql \ diff --git a/secrets/hedgedoc-env.age b/secrets/hedgedoc-env.age deleted file mode 100644 index a462570..0000000 --- a/secrets/hedgedoc-env.age +++ /dev/null @@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uH+n1w Hl5GuG/K5bKRhYLwG3z1pUfRPPs/O0T9ELWTAMT/DG8 -9nX8jNHmCQXa5Wv7huCTEk5kz3Me9QVSxJYPdrH5udw --> ssh-ed25519 EvLbWw T+0rljpwVOktHR21v5JvBPe1nog0TVN1erGtIyRMbQ4 -tpNz5eRC8vFFbdtXA6Vp+7X1VDq5doJi4hM1K/FOyVE --> ssh-ed25519 dM+fLQ R9t+cS4ye0jOaubNcMaqu8/APLkzAopkZh76tM0jQgM -DL4DykdFXXQONPqDGv5LKTrlg9+4BPHdXNPMGwPF7a4 --> ssh-ed25519 jxWM2Q PTEewNsybqn/4gejSGy5BNucQ5izKtqUGp6mGroYizg -HEaBhzmp+0ymUUbzCgb4KpyZJ2lKYKNlaI9zMY58CJg --> ssh-ed25519 /yCUCg 6wdCIPRGgPnPxzCdUDnDOl5lI2Fsl9DoA4QmM3DWfEs -ZdQ1sHtAsYrlaWNDZmf2+Gu9vIIp7adD6MI1oJyPPdU --> ssh-ed25519 FGp51g 1Lvo3hKE72UUKJaN4U1XlXoP8j7EAHN0UPIP11FurCI -csB1x/PYsQgQ0gPHJAD8EcHHVo1JJ8NCtx45KpreqaE --> ssh-ed25519 fEJY/A LlmksK8HR5YNpMwcqJUN5sgAM8jXCuanTNU+A53UMhY -kntfp+IUE1OLq03WLyuynyqSeUlrhy5piYKcqg9/DAg ---- NxH5yKP69Pq4DQx2Ziad7ECw6BdlbSfo7+vm9V3YWm8 - -Чim萮v0_d$Z#[.vأXjZH'sy4Qm -Z]^Œ nE>wf7%~DV \ No newline at end of file diff --git a/secrets/postgres-grafana.age b/secrets/postgres-grafana.age deleted file mode 100644 index 874dca2..0000000 Binary files a/secrets/postgres-grafana.age and /dev/null differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 38abf38..e8853ac 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,22 +17,17 @@ let _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md"; _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql"; - _mon = ""; in { - "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; - "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "matrix_admin_password.age".publicKeys = users; "draupnir_access_token.age".publicKeys = users ++ [ _matrix ]; "matrix_signing_key.age".publicKeys = users ++ [ _matrix ]; "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ]; + "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; + "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; - - "hedgedoc-env.age".publicKeys = users ++ [ _md ]; - "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; - "postgres-grafana.age".publicKeys = users ++ [ _sql _mon ]; } diff --git a/hosts/matrix/draupnir.nix b/services/draupnir.nix similarity index 100% rename from hosts/matrix/draupnir.nix rename to services/draupnir.nix diff --git a/hosts/monitoring/grafana.nix b/services/grafana.nix similarity index 79% rename from hosts/monitoring/grafana.nix rename to services/grafana.nix index e64080e..b14e43c 100644 --- a/hosts/monitoring/grafana.nix +++ b/services/grafana.nix @@ -11,10 +11,9 @@ server.http_addr = "::1"; database = { type = "postgres"; - host = "sql.berlin.ccc.de"; name = "grafana"; user = "grafana"; - password = "$__file{${config.age.secrets.postgres_grafana.path}}"; + host = "/run/postgresql"; }; security = { secret_key = "$__file{${config.age.secrets.grafana_secret_key.path}}"; @@ -43,5 +42,17 @@ ]; }; }; + + postgresql = { + ensureUsers = [ + { + name = config.services.grafana.settings.database.user; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ + config.services.grafana.settings.database.name + ]; + }; }; } diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix new file mode 100644 index 0000000..9650ced --- /dev/null +++ b/services/hedgedoc.nix @@ -0,0 +1,89 @@ +{ config, pkgs, ... }: + +let + fqdn = "hedgedoc.berlin.ccc.de"; + cfg = config.services.hedgedoc.settings; +in +{ + services = { + hedgedoc = { + enable = true; + settings = { + domain = fqdn; + #environmentFile = config.age.secrets.hedgedoc_settings.path; + protocolUseSSL = true; + db = { + dialect = "postgresql"; + host = "/run/postgresql"; + username = "hedgedoc"; + database = "hedgedoc"; + }; + enableStatsApi = true; + }; + }; + nginx = { + enable = true; + resolver.addresses = [ + "[2606:4700:4700::1111]" + "[2620:fe::fe]" + "1.1.1.1" + "9.9.9.9" + ]; + statusPage = true; # http://127.0.0.1/nginx_status + sslProtocols = "TLSv1.3"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + virtualHosts."${fqdn}" = { + default = true; + quic = true; + kTLS = true; + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + recommendedProxySettings = true; + }; + "/socket.io/" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + "/metrics" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + recommendedProxySettings = true; + #allow 195.160.173.255; + #allow 2001:678:760:cccb::ffff; + #deny all; + }; + "/status" = { + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + recommendedProxySettings = true; + #allow 195.160.173.255; + #allow 2001:678:760:cccb::ffff; + #deny all; + }; + }; + }; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_18; + enableJIT = true; + initdbArgs = [ + "--locale=C" + "--encoding=UTF8" + ]; + ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }]; + ensureDatabases = [ cfg.db.database ]; + }; + postgresqlBackup = { + enable = true; + startAt = "*-*-* 09:00:00"; + compression = "zstd"; + }; + }; +} + diff --git a/services/nginx.nix b/services/nginx.nix index b7a4bd4..eff02e6 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -1,28 +1,44 @@ { config, pkgs, ... }: +let + fqdn = "matrix.berlin.ccc.de"; +in { users.users.nginx.extraGroups = [ "acme" ]; - services = { - nginx = { - enable = true; - resolver.addresses = [ - "[2606:4700:4700::1111]" - "[2620:fe::fe]" - "1.1.1.1" - "9.9.9.9" - ]; - statusPage = true; # http://127.0.0.1/nginx_status - sslProtocols = "TLSv1.3"; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedBrotliSettings = true; - }; - prometheus.exporters.nginx = { - enable = true; - firewallRules = config.services.prometheus.exporters.node.firewallRules; - openFirewall = true; + services.nginx = { + enable = true; + resolver.addresses = [ + "[2606:4700:4700::1111]" + "[2620:fe::fe]" + "1.1.1.1" + "9.9.9.9" + ]; + statusPage = true; # http://127.0.0.1/nginx_status + sslProtocols = "TLSv1.3"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + virtualHosts."${fqdn}" = { + default = true; + quic = true; + kTLS = true; + forceSSL = true; + enableACME = true; + locations = { + #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; + "/".return = "418 \"🫖\""; + "~ ^(/_matrix|/_synapse/client)" = { + recommendedProxySettings = true; + proxyPass = "http://[::1]:8008"; + extraConfig = '' + client_max_body_size 64M; + proxy_set_header X-Request-ID $request_id; + proxy_http_version 1.1; + ''; + }; + }; }; }; } diff --git a/services/node-exporter.nix b/services/node-exporter.nix deleted file mode 100644 index a29114c..0000000 --- a/services/node-exporter.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ ... }: - -{ - services.prometheus.exporters.node = { - enable = true; - openFirewall = true; - firewallRules = '' - ip saddr 195.160.173.14 tcp dport 9187 counter accept - ip6 saddr 2001:678:760:cccb::14 tcp dport 9187 counter accept - ''; - }; -} - diff --git a/services/postgres.nix b/services/postgres.nix new file mode 100644 index 0000000..e50f232 --- /dev/null +++ b/services/postgres.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: + +{ + services = { + postgresql = { + enable = true; + package = pkgs.postgresql_18; + enableJIT = true; + initdbArgs = [ + "--locale=C" + "--encoding=UTF8" + ]; + settings.listen_addresses = "*"; + }; + postgresqlBackup = { + enable = true; + startAt = "@daily"; + compression = "zstd"; + }; + }; +} diff --git a/services/powerdns.nix b/services/powerdns.nix new file mode 100644 index 0000000..209a978 --- /dev/null +++ b/services/powerdns.nix @@ -0,0 +1,72 @@ +{ config, ... }: + +{ + # exposes prometheus metrics at http://127.0.0.1:8081/metrics + services = { + powerdns = { + enable = true; + secretFile = config.age.secrets.powerdns.path; + # API_KEY=supersecret123! + # WEBSERVER_PASSWORD=supersecre123! + extraConfig = '' + api=yes + api-key=$API_KEY + local-address=0.0.0.0, :: + local-port=53 + log-timestamp=no # journald already does this + resolver=127.0.0.54:5300 # Used for ALIAS lookup + secondary=yes + version-string=anonymous + webserver-password=$WEBSERVER_PASSWORD + webserver-port=8081 + + launch=bind + ''; + }; + powerdns-admin = { + enable = true; + secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path; + saltFile = config.age.secrets.powerdns-admin-salt.path; + extraArgs = []; + config = '' + # PDA + SIGNUP_ENABLED = True + LOCAL_DB_ENABLED = True + + # Flask + BIND_ADDRESS = '127.0.0.1' + PORT = 8000 + #SESSION_COOKIE_SECURE = True + + # Flask-Session + import cachelib + SESSION_TYPE = 'cachelib' + SESSION_CACHELIB = cachelib.simple.SimpleCache() + + # Flask-SQLAlchemy + SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql' + SQLALCHEMY_TRACK_MODIFICATIONS = True + + # FLask-SeaSurf + #CSRF_COOKIE_SECURE = True + ''; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_18; + ensureUsers = [ + { + name = "pda"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ "pda" ]; + }; + postgresqlBackup = { + enable = true; + compression = "zstd"; + startAt = "@midnight"; + }; + }; +} + diff --git a/hosts/monitoring/prometheus.nix b/services/prometheus.nix similarity index 70% rename from hosts/monitoring/prometheus.nix rename to services/prometheus.nix index efb3e1f..d8c18b8 100644 --- a/hosts/monitoring/prometheus.nix +++ b/services/prometheus.nix @@ -5,42 +5,43 @@ enable = true; retentionTime = "14d"; listenAddress = "[::1]"; + exporters = { + node = { + enable = true; + listenAddress = config.services.prometheus.listenAddress; + }; + nginx = { + enable = true; + listenAddress = config.services.prometheus.listenAddress; + }; + #postgres = {}; + }; scrapeConfigs = [ - { - job_name = "hedgedoc"; - scrape_interval = "15s"; - scheme = "https"; - static_configs = [{ targets = ["md.berlin.ccc.de:443"]; }]; - } { job_name = "synapse"; scrape_interval = "15s"; - static_configs = [{ targets = ["matrix.berlin.ccc.de:9009"]; }]; + static_configs = [ + { + targets = lib.pipe config.services.matrix-synapse.settings.listeners [ + (lib.filter (l: l.type == "metrics")) + builtins.head + (l: [ "[${builtins.head l.bind_addresses}]:${toString l.port}" ]) + ]; + } + ]; } { job_name = "node"; scrape_interval = "15s"; static_configs = [ - { - targets = [ - "matrix.${config.networking.domain}:${toString config.services.prometheus.exporters.node.port}" - "md.${config.networking.domain}:${toString config.services.prometheus.exporters.node.port}" - "postgres.${config.networking.domain}:${toString config.services.prometheus.exporters.node.port}" - "monitoring:${toString config.services.prometheus.exporters.node.port}" - ]; - } + { targets = [ "${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}" ]; } ]; } { job_name = "nginx"; scrape_interval = "15s"; static_configs = [ - { - targets = [ - "monitoring:${toString config.services.prometheus.exporters.nginx.port}" - "matrix:${toString config.services.prometheus.exporters.nginx.port}" - ]; - } + { targets = [ "${config.services.prometheus.exporters.nginx.listenAddress}:${toString config.services.prometheus.exporters.nginx.port}" ]; } ]; } ]; diff --git a/hosts/matrix/synapse.nix b/services/synapse.nix similarity index 75% rename from hosts/matrix/synapse.nix rename to services/synapse.nix index 445f7ff..e0fa15e 100644 --- a/hosts/matrix/synapse.nix +++ b/services/synapse.nix @@ -1,18 +1,16 @@ { config, ... }: +let + domain = "berlin.ccc.de"; +in { - networking.firewall.extraInputRules = '' - ip saddr 195.160.173.14 tcp dport 9009 accept - ip6 saddr 2001:678:760:cccb::14 tcp dport 9009 accept - ''; - services = { matrix-synapse = { enable = true; settings = { - server_name = config.networking.domain; - public_baseurl = "https://${config.networking.hostName}.${config.networking.domain}:443/"; - # Creates "/var/lib/matrix-synapse/homeserver.signing.key" on first launch + server_name = domain; + public_baseurl = "https://matrix.${domain}:443/"; + # "/var/lib/matrix-synapse/homeserver.signing.key" signing_key_path = config.age.secrets.matrix_signing_key.path; registration_shared_secret_path = config.age.secrets.matrix_registration_shared_secret.path; database = { @@ -44,7 +42,7 @@ type = "metrics"; tls = false; port = 9009; - bind_addresses = ["::" "0.0.0.0"]; + bind_addresses = [ "::1" ]; resources = [ { compress = false; @@ -70,5 +68,17 @@ }; enableRegistrationScript = true; }; + + postgresql = { + ensureUsers = [ + { + name = config.services.matrix-synapse.settings.database.args.user; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ + config.services.matrix-synapse.settings.database.args.database + ]; + }; }; }