hostNetwork for nginx ingress

Add TTL to CoreDNS file
Enable Forgejo indexer
2023-09-25 10:50:25 +01:00 · 2023-09-25 10:50:06 +01:00 · 2023-09-25 10:49:56 +01:00 · 2023-09-25 10:49:37 +01:00 · 2023-09-25 10:49:19 +01:00 · 2023-09-25 10:48:52 +01:00
12 changed files with 131 additions and 33 deletions
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1694793763,
+        "lastModified": 1695339232,
-        "narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=",
+        "narHash": "sha256-6wQHW3uHECpGIBolTccQ6x3/9b8E1SrO+VzTABKe2xM=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "572baca9b0c592f71982fca0790db4ce311e3c75",
+        "rev": "7f9dfa309f24dc74450ecab6e74bc3d11c7ce735",
        "type": "github"
      },
      "original": {
@ -151,11 +151,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694643239,
+        "lastModified": 1695224363,
-        "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
+        "narHash": "sha256-+hfjJLUMck5G92RVFDZA7LWkR3kOxs5zQ7RPW9t3eM8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
+        "rev": "408ba13188ff9ce309fa2bdd2f81287d79773b00",
        "type": "github"
      },
      "original": {
@ -268,11 +268,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1694948089,
+        "lastModified": 1695132891,
-        "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
+        "narHash": "sha256-cJR9AFHmt816cW/C9necLJyOg/gsnkvEeFAfxgeM1hc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
+        "rev": "8b5ab8341e33322e5b66fb46ce23d724050f6606",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -138,6 +138,36 @@
            }
          ];
        };
        seattle = nixpkgs.lib.nixosSystem {
          system = "aarch64-linux";
          modules = [
            (import ./nix/seattle/configuration.nix)
            {
              _module.args.nixinate = {
                host = "seattle";
                sshUser = "gsimmer";
                buildOn = "remote";
                substituteOnTarget = true;
                hermetic = false;
              };
            }
          ];
        };
        glasgow = nixpkgs.lib.nixosSystem {
          system = "aarch64-linux";
          modules = [
            (import ./nix/glasgow/configuration.nix)
            {
              _module.args.nixinate = {
                host = "glasgow";
                sshUser = "gsimmer";
                buildOn = "remote";
                substituteOnTarget = true;
                hermetic = false;
              };
            }
          ];
        };
      };
    };
 }
--- a/homelab/nginx-ingress.yml
+++ b/homelab/nginx-ingress.yml
@ -1,4 +1,5 @@
 controller:
  replicaCount: 2
  metrics:
    enabled: true
    serviceMonitor:
@ -10,3 +11,8 @@ controller:
    prometheus.io/port: "10254"
  ingressClassResource:
    default: true
  publishService:
    enabled: true
  service:
    externalTrafficPolicy: Local
  hostNetwork: true
--- a/nix/glasgow/configuration.nix
+++ b/nix/glasgow/configuration.nix
@ -100,8 +100,6 @@
    };
  };
  system.copySystemConfiguration = true;
  system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
 }
--- a/nix/london/configuration.nix
+++ b/nix/london/configuration.nix
@ -71,6 +71,7 @@
  i18n.defaultLocale = "en_GB.utf8";
  services = {
    fwupd.enable = true;
    syncthing = {
      enable = true;
      overrideDevices = false;
--- a/nix/london/gsimmer.nix
+++ b/nix/london/gsimmer.nix
@ -16,7 +16,7 @@
        [
          (import (builtins.fetchTarball {
            url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
-            sha256 = "17y4i3p35qbw4xq7fybs60d2ym3brqzpv9mgsb55ma1rfc08m1jc";
+            sha256 = "1jn0gw1a0dffvqizy15yni6qnsr94k48zl7b2vqfvfr409nxsyaw";
          })) discordOverlay];
  };
  home = {
--- a/nix/monitoring/configuration.nix
+++ b/nix/monitoring/configuration.nix
@ -1,4 +1,54 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
 # let
 #   py = pkgs.python3.override {
 #     packageOverrides = final: prev: {
 #       django = prev.django_4;
 #     };
 #   };
 #   pydantic-edge = py.pkgs.pydantic.overridePythonAttrs (oldAttrs: rec {
 #     version = "2.3.0";
 #     src = pkgs.fetchFromGitHub {
 #       owner = "pydantic";
 #       repo = "pydantic";
 #       rev = "refs/tags/v${version}";
 #       hash = "sha256-toqrWg8bYzc3UmvG/YmXawfmT8nqaA9fxy24k1cdj+M=";
 #     };
 #     patches = [ ];
 #   });
 #   healthchecks-edge = pkgs.healthchecks.overridePythonAttrs (oldAttrs: rec {
 #     version = "unstable-2023-09-24";
 #     pname = "healthchecksedge";
 #     src = pkgs.fetchFromGitHub {
 #       owner = "healthchecks";
 #       repo = "healthchecks";
 #       rev = "507fd840d8c83a1685c8cccf47c67f939f295da1";
 #       hash = "sha256-EBfZQ41kc/H2BgzCPW0QZ8Js2DHU3ps4U1YaTZnGqg8=";
 #     };
 #     propagatedBuildInputs = with py.pkgs; [
 #       apprise
 #       cron-descriptor
 #       cronsim
 #       django
 #       django-compressor
 #       fido2
 #       minio
 #       psycopg2
 #       pycurl
 #       pydantic-edge
 #       pyotp
 #       segno
 #       statsd
 #       whitenoise
 #     ];
 #     passthru = {
 #       # PYTHONPATH of all dependencies used by the package
 #       pythonPath = py.pkgs.makePythonPath propagatedBuildInputs;
 #     };
 #     doCheck = false;
 #   });
 # in
 {
  imports = [
    ./hardware.nix
    ./networking.nix # generated at runtime by nixos-infect
@ -13,6 +63,12 @@
    file = ../../secrets/fastmail-smtp.age;
    owner = "healthchecks";
  };
  age.secrets.healthchecks-telegram = {
    file = ../../secrets/healthchecks-telegram.age;
    owner = "healthchecks";
  };
  age.secrets.prometheus-webconfig-secret = {
    file = ../../secrets/monitoring-prometheus-webconfig.age;
    owner = "prometheus";
@ -179,14 +235,17 @@
  services.healthchecks = {
    enable = true;
    # package = healthchecks-edge;
    settings = {
      SECRET_KEY_FILE = config.age.secrets.healthchecks-secret.path;
      SITE_ROOT = "https://healthchecks.gmem.ca";
-      SITE_NAME = "Arch's Healthchecks";
+      SITE_NAME = "Archs Healthchecks";
      EMAIL_HOST = "smtp.fastmail.com";
      EMAIL_HOST_PASSWORD_FILE = config.age.secrets.healthchecks-smtp.path;
      EMAIL_HOST_USER = "g@gmem.ca";
      DEFAULT_FROM_EMAIL = "healthchecks@gmem.ca";
      TELEGRAM_BOT_NAME = "arch_healthchecks_bot";
      TELEGRAM_TOKEN_FILE = config.age.secrets.healthchecks-telegram.path;
    };
  };
--- a/nix/nas/configuration.nix
+++ b/nix/nas/configuration.nix
@ -69,10 +69,11 @@
          ];
          passwordFile = config.age.secrets.restic-password.path;
          backupPrepareCommand = ''
-            ${pkgs.bash}/bin/bash -c '${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/gsimmer-backup/start'
+            ${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/gsimmer-backup/start
          '';
          backupCleanupCommand = ''
-            ${pkgs.bash}/bin/bash -c '${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/gsimmer-backup'
+            output="$(journalctl --unit restic-backups-gsimmer.service --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
            ${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/gsimmer-backup/$?" --data-raw "$output"
          '';
        };
        "becki" = {
@ -97,10 +98,11 @@
          passwordFile = config.age.secrets.restic-password.path;
          initialize = true;
          backupPrepareCommand = ''
-            ${pkgs.bash}/bin/bash -c '${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/becki-backup/start'
+            ${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/becki-backup/start
          '';
          backupCleanupCommand = ''
-            ${pkgs.bash}/bin/bash -c '${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/becki-backup'
+            output="$(journalctl --unit restic-backups-becki.service --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
            ${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/becki-backup/$?" --data-raw "$output"
          '';
        };
        "apps" = {
@ -123,10 +125,11 @@
            "--keep-yearly 75"
          ];
          backupPrepareCommand = ''
-            ${pkgs.bash}/bin/bash -c '${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/apps-backup/start'
+            ${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/apps-backup/start
          '';
          backupCleanupCommand = ''
-            ${pkgs.bash}/bin/bash -c '${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/apps-backup'
+            output="$(journalctl --unit restic-backups-apps.service --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
            ${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/apps-backup/$?" --data-raw "$output"
          '';
          passwordFile = config.age.secrets.restic-password.path;
          initialize = true;
@ -343,6 +346,9 @@
          CRUD_ACTIONS = "always";
          MERGES = "always";
        };
        indexer = {
          REPO_INDEXER_ENABLED = true;
        };
      };
    };
    gitea-actions-runner = {
--- a/nix/nas/dns.db
+++ b/nix/nas/dns.db
@ -1,9 +1,9 @@
-git.gmem.ca.            IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
+git.gmem.ca.            3600 IN     SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
-food.gmem.ca.           IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
+food.gmem.ca.           3600 IN     SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
-git.gmem.ca.            IN      A       100.116.48.47
+git.gmem.ca.            3600 IN     A       100.116.48.47
-git.gmem.ca.            IN      AAAA    fd7a:115c:a1e0:ab12:4843:cd96:6274:302f
+git.gmem.ca.            3600 IN     AAAA    fd7a:115c:a1e0:ab12:4843:cd96:6274:302f
-food.gmem.ca.           IN      A       100.77.43.133
+food.gmem.ca.           3600 IN     A       100.77.43.133
-food.gmem.ca.           IN      AAAA    fd7a:115c:a1e0:ab12:4843:cd96:624d:2b85
+food.gmem.ca.           3600 IN     AAAA    fd7a:115c:a1e0:ab12:4843:cd96:624d:2b85
-gmem.ca.            IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
+gmem.ca.            3600 IN     SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
-gmem.ca.			IN		NS      ruth.ns.cloudflare.com. seth.ns.cloudflare.com.
+gmem.ca.			3600 IN		NS      ruth.ns.cloudflare.com. seth.ns.cloudflare.com.
--- a/nix/seattle/configuration.nix
+++ b/nix/seattle/configuration.nix
@ -21,7 +21,6 @@
      device = "/var/lib/swapfile";
      size = 8*1024;
    }
  ];
  nix = {
@ -89,7 +88,7 @@
      enable = true;
      role = "server";
      extraFlags = toString [
-        "--secrets-encryption --disable=traefik"
+        "--secrets-encryption --disable=traefik,servicelb"
      ];
    };
  };
@ -101,8 +100,6 @@
    };
  };
  system.copySystemConfiguration = true;
  system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -16,4 +16,5 @@ in
  "secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
  "secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
  "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
  "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
 }
--- a/secrets/healthchecks-telegram.age
+++ b/secrets/healthchecks-telegram.age
Author	SHA1	Message	Date
Gabriel Simmer	ee71aa1563	hostNetwork for nginx ingress All checks were successful Lint / lint (push) Successful in 13s Details	2023-09-25 10:50:25 +01:00
Gabriel Simmer	557620e258	Add TTL to CoreDNS file	2023-09-25 10:50:06 +01:00
Gabriel Simmer	f95e5323fb	Enable Forgejo indexer	2023-09-25 10:49:56 +01:00
Gabriel Simmer	7ecb18c85c	Enable fwupd on London	2023-09-25 10:49:37 +01:00
Gabriel Simmer	9f2f4ed670	Better healthcheck for restic	2023-09-25 10:49:19 +01:00
Gabriel Simmer	275fedcde2	Attempting to get Telegram working with Healthchecks	2023-09-25 10:48:52 +01:00
Gabriel Simmer	df973e2bb9	Add glawgow and seattle to flake	2023-09-25 10:48:31 +01:00