Compare commits


3 commits

Gabriel Simmer 12dd979483
Grafana OAuth config
2023-10-30 12:27:25 +00:00
Gabriel Simmer 541a1f9721
add tunnel to nixinate 2023-10-30 12:26:56 +00:00
Gabriel Simmer 92380a3b4b
Authentik + Postgrescluster 2023-10-30 12:26:40 +00:00
8 changed files with 180 additions and 147 deletions


@ -1,21 +1,5 @@
{ {
"nodes": { "nodes": {
"advisory-db": {
"flake": false,
"locked": {
"lastModified": 1697318478,
"narHash": "sha256-ZEDgHfurZiv9lBGTmHnQ0YECoi6H2NYs3pTo1VU1koQ=",
"owner": "rustsec",
"repo": "advisory-db",
"rev": "71d80e811f2e29a4b82d3e545ad6591e35227e03",
"type": "github"
},
"original": {
"owner": "rustsec",
"repo": "advisory-db",
"type": "github"
}
},
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
@ -88,27 +72,6 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"inputs": {
"nixpkgs": [
"vrchat-prometheus-adapter",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697811061,
"narHash": "sha256-NhSq9+Ya8vTqsKzHpSWNGYxto71VZ4THAx3hn6maoTs=",
"owner": "ipetkov",
"repo": "crane",
"rev": "6b229eec8adc685e2cb95f27ad59c22e82992f70",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -131,30 +94,6 @@
"type": "github" "type": "github"
} }
}, },
"fenix": {
"inputs": {
"nixpkgs": [
"vrchat-prometheus-adapter",
"nixpkgs"
],
"rust-analyzer-src": [
"vrchat-prometheus-adapter"
]
},
"locked": {
"lastModified": 1697782927,
"narHash": "sha256-OikLtn3e0kR5ztHJbLzS/5mUMadXfgRGKA1BDgcTa60=",
"owner": "nix-community",
"repo": "fenix",
"rev": "e5f13bd304140705f6aba0f121cee7775d861897",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -256,24 +195,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -302,11 +223,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1698392685, "lastModified": 1698479159,
"narHash": "sha256-yx/sbRneR2AfSAeAMqUu0hoVJdjh+qhl/7dkirp8yo8=", "narHash": "sha256-rJHBDwW4LbADEfhkgGHjKGfL2dF44NrlyXdXeZrQahs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "1369d2cefb6f128c30e42fabcdebbacc07e18b3f", "rev": "f92a54fef4eacdbe86b0a2054054dd58b0e2a2a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -470,11 +391,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1698354843, "lastModified": 1698459598,
"narHash": "sha256-eTsga6QxX9gVwC6zsUNs0UPyQX9hToVi5jSE0XUH42Y=", "narHash": "sha256-2etAvtTLoPsvEJ4P6rKnHE8Ipp6MVNMGlik1JqHdqL0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs-wayland", "repo": "nixpkgs-wayland",
"rev": "50c2725465ab035b232ef8ae9b976f4ac25c772b", "rev": "bcadcb13f0248fa7e6355a35c3c263fc76edc632",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -533,11 +454,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1698266953, "lastModified": 1698336494,
"narHash": "sha256-jf72t7pC8+8h8fUslUYbWTX5rKsRwOzRMX8jJsGqDXA=", "narHash": "sha256-sO72WDBKyijYD1GcKPlGsycKbMBiTJMBCnmOxLAs880=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "75a52265bda7fd25e06e3a67dee3f0354e73243c", "rev": "808c0d8c53c7ae50f82aca8e7df263225cf235bf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -578,22 +499,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_8": {
"locked": {
"lastModified": 1697730408,
"narHash": "sha256-Ww//zzukdTrwTrCUkaJA/NsaLEfUfQpWZXBdXBYfhak=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ff0a5a776b56e0ca32d47a4a47695452ec7f7d80",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@ -604,8 +509,7 @@
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_5",
"nixpkgs-wayland": "nixpkgs-wayland", "nixpkgs-wayland": "nixpkgs-wayland",
"terranix": "terranix", "terranix": "terranix"
"vrchat-prometheus-adapter": "vrchat-prometheus-adapter"
} }
}, },
"systems": { "systems": {
@ -637,21 +541,6 @@
"type": "github" "type": "github"
} }
}, },
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": { "terranix": {
"inputs": { "inputs": {
"bats-assert": "bats-assert", "bats-assert": "bats-assert",
@ -731,29 +620,6 @@
"repo": "treefmt-nix", "repo": "treefmt-nix",
"type": "github" "type": "github"
} }
},
"vrchat-prometheus-adapter": {
"inputs": {
"advisory-db": "advisory-db",
"crane": "crane",
"fenix": "fenix",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1698265247,
"narHash": "sha256-e8MyvjIUt8Yatqt93rlmQIuMSTJcsqFdfXZ/AwF7lCg=",
"ref": "master",
"rev": "012771f2fbb026dffac8b60a54d28a68ea82b83a",
"revCount": 13,
"type": "git",
"url": "https://git.gmem.ca/arch/vrchat-prometheus-adapter"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.gmem.ca/arch/vrchat-prometheus-adapter"
}
} }
}, },
"root": "root", "root": "root",


@ -147,6 +147,21 @@
} }
]; ];
}; };
oracle-tunnel = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = [
(import ./nix/oracle-nix-cache/configuration.nix)
{
_module.args.nixinate = {
host = "100.110.30.80";
sshUser = "root";
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
};
}
];
};
monitoring = nixpkgs.lib.nixosSystem { monitoring = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
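Review bot: The new `oracle-tunnel` system imports `./nix/oracle-nix-cache/configuration.nix`, so unless that file is deliberately shared by both machines the attribute name and the configuration path disagree; if it is shared, a one-line comment (`# same config as oracle-nix-cache; only the nixinate target differs`) would stop the next reader treating it as a copy-paste slip. The deploy settings also deserve a comment: `sshUser = "root"` with `buildOn = "remote"` means the flake is evaluated and built as root on the target, and `hermetic = false` appears to let the deploy use whatever nix the target already has rather than the flake's pinned one, so the outcome depends on the target's state. The `host` value looks like a Tailscale CGNAT address; a note such as `# reachable over the tailnet only` documents that the root SSH endpoint is not meant to be publicly exposed. The enclosing attrset starts and ends outside the hunk.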

homelab/authentik.yml Normal file

@ -0,0 +1,48 @@
authentik:
# This sends anonymous usage-data, stack traces on errors and
# performance data to sentry.io, and is fully opt-in
error_reporting:
enabled: false
envValueFrom:
AUTHENTIK_SECRET_KEY:
secretKeyRef:
name: authentik-secrets
key: secret-key
AUTHENTIK_POSTGRESQL__HOST:
secretKeyRef:
name: hippo-pguser-authentik
key: host
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
name: hippo-pguser-authentik
key: password
AUTHENTIK_POSTGRESQL__USER:
secretKeyRef:
name: hippo-pguser-authentik
key: user
AUTHENTIK_POSTGRESQL__PORT:
secretKeyRef:
name: hippo-pguser-authentik
key: port
prometheus:
serviceMonitor:
create: true
ingress:
# Specify kubernetes ingress controller class name
ingressClassName: nginx
enabled: true
hosts:
# Specify external host name
- host: authentik.gmem.ca
paths:
- path: "/"
pathType: Prefix
# Specify external host name
- host: prometheus.gmem.ca
paths:
- path: "/"
pathType: Prefix
redis:
enabled: true
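Review bot: The database connection sets `AUTHENTIK_POSTGRESQL__HOST`, `__USER`, `__PASSWORD` and `__PORT` but never `AUTHENTIK_POSTGRESQL__NAME`, so Authentik falls back to its built-in default database name; that happens to match the `authentik` database the PostgresCluster creates, but the coupling is invisible from this file. Pull it from the same operator-managed secret so the values are self-describing: `AUTHENTIK_POSTGRESQL__NAME: {secretKeyRef: {name: hippo-pguser-authentik, key: dbname}}` (PGO user secrets carry a `dbname` key; confirm against the generated secret). The second ingress host `prometheus.gmem.ca` routes to Authentik's server pods, not to Prometheus, which only makes sense if the embedded outpost is acting as a proxy provider for it; replace the copy-pasted `# Specify external host name` with a comment saying so, e.g. `# served by the embedded outpost (proxy provider), not by Prometheus itself`. Neither host has a `tls:` entry, so the ingress serves plain HTTP or its default certificate; if the NixOS nginx in front is the intended TLS endpoint, note that here too.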


@ -0,0 +1,49 @@
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
name: hippo
spec:
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.4-1
postgresVersion: 15
databaseInitSQL:
key: init.sql
name: init-sql
instances:
- name: instance1
replicas: 3
dataVolumeClaimSpec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 1Gi
backups:
pgbackrest:
image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1
repos:
- name: repo1
volume:
volumeClaimSpec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 1Gi
monitoring:
pgmonitor:
exporter:
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.4.3-0
users:
- name: authentik
databases:
- authentik
---
apiVersion: v1
kind: ConfigMap
metadata:
name: init-sql
data:
init.sql: |
\c authentik
GRANT CREATE ON SCHEMA public TO "authentik";
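Review bot: The `pgbackrest` block defines `repo1` but no `global` or `schedules` settings, so as far as this manifest shows only the operator's initial backup is taken and nothing ever expires old ones; add `repos[0].schedules` (e.g. `full: "0 1 * * 0"`, `incremental: "0 1 * * 1-6"`) and `global: {repo1-retention-full: "2"}`, or document that backups are driven elsewhere. `replicas: 3` on three 1Gi `ReadWriteOnce` volumes with no anti-affinity is fine on a single node but gives no real redundancy, and a comment stating which situation this is would help. `init.sql` grants `CREATE ON SCHEMA public` because PostgreSQL 15 revoked that from PUBLIC; say so in a comment above the statement (`-- PG15 no longer grants CREATE on public to every role`) so nobody removes it as redundant. Neither this cluster nor the Helm values that consume `hippo-pguser-authentik` set a namespace, so confirm both are applied to the same one.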


@ -32,6 +32,11 @@
owner = "prometheus"; owner = "prometheus";
}; };
age.secrets.grafana-client-secret = {
file = ../../secrets/monitoring-grafana-client-secret.age;
owner = "grafana";
};
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "monitoring"; networking.hostName = "monitoring";
@ -48,10 +53,30 @@
feature_toggles = { feature_toggles = {
publicDashboards = true; publicDashboards = true;
}; };
log = {
filters = "oauth.generic_oauth:debug";
};
server = { server = {
domain = "grafana.gmem.ca"; domain = "grafana.gmem.ca";
http_port = 2342; http_port = 2342;
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
root_url = "https://grafana.gmem.ca";
};
auth = {
signout_redirect_url = "https://authentik.gmem.ca/application/o/grafana/end-session/";
oauth_auto_login = true;
};
"auth.generic_oauth" = {
name = "authentik";
client_id = "VbOQzwuf0UK9AUGrWvaVaWWHvX2fJsZChxJNGt61";
client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
auth_url = "https://authentik.gmem.ca/application/o/authorize/";
api_url = "https://authentik.gmem.ca/application/o/userinfo/";
token_url = "https://authentik.gmem.ca/application/o/token/";
enabled = true;
scopes = "openid email grafana-user";
role_attribute_path = "contains(info.groups[*], 'Grafana Admins') && 'Admin' || contains(info.groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
role_attribute_strict = true;
}; };
}; };
}; };
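Review bot: `log.filters = "oauth.generic_oauth:debug"` turns on debug logging for the whole OAuth flow, and at that level Grafana's generic_oauth logger can write out the token exchange and user-info responses, so it should be dropped once login works or tagged `# TEMP: remove after OAuth debugging` so it is not left running in production. The provider block is otherwise sound (`client_secret` via `$__file{}`, `role_attribute_strict = true`), but it does not enable PKCE; Authentik supports it, so add `use_pkce = true;` next to `scopes`. `allow_sign_up` is not set and defaults to true in Grafana, and the role expression ends in `|| 'Viewer'`, so every identity Authentik lets through the application gets a Viewer account; if that is the intent say so in a comment, otherwise add `allow_sign_up = false;` or restrict via `allowed_groups`. The enclosing `services.grafana.settings` attrset starts outside the hunk.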


@ -5,7 +5,7 @@
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware.nix ./hardware.nix
]; ];
boot = { boot = {
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
}; };
@ -102,6 +102,24 @@
''; '';
}; };
}; };
"authentik.gmem.ca" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://pi.gmem.ca";
recommendedProxySettings = true;
};
};
"prometheus.gmem.ca" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://pi.gmem.ca";
recommendedProxySettings = true;
};
};
}; };
}; };
}; };
@ -113,8 +131,6 @@
}; };
}; };
system.copySystemConfiguration = true;
system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT? system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
} }
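Review bot: Both new vhosts proxy to `https://pi.gmem.ca` without `proxy_ssl_verify`, which nginx defaults to off, so the upstream hop is encrypted but the peer is never authenticated; given the Authentik ingress added in this same commit has no `tls:` section, the backend probably presents a default certificate today, so either leave a comment (`# upstream cert not verified; pi.gmem.ca is only reachable on the LAN/tailnet`) or, once the ingress has a real certificate, set `proxy_ssl_server_name on; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` in `extraConfig`. The two blocks are byte-identical; binding the shared attrset once (`proxyToPi = { ... };`) and writing `"authentik.gmem.ca" = proxyToPi;` keeps the hosts from drifting apart. Dropping `system.copySystemConfiguration = true` is consistent with a flake-managed host. The enclosing virtualHosts attrset starts outside the hunk.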


@ -18,4 +18,6 @@ in
"secrets/fastmail-smtp.age".publicKeys = machines ++ users; "secrets/fastmail-smtp.age".publicKeys = machines ++ users;
"secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ]; "secrets/healthchecks-telegram.age".publicKeys = [ monitoring gsimmer ];
"secrets/cloudflare-dns.age".publicKeys = machines ++ users; "secrets/cloudflare-dns.age".publicKeys = machines ++ users;
"secrets/monitoring-grafana-client-secret.age".publicKeys = [monitoring gsimmer ];
} }


@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 J+a91w MspB+ESDy17zh+NaXVVvkDzJwmd6xvDZRLKLknI0HD0
lbDHx++2KiLriLPS7xen9gUBio3qhvTTjmRfsneY3jw
-> ssh-ed25519 qbziOw IYugyWtXbgT+Vog5LxA1uIBDuiUt9sHhl0y3raBbMjU
eXdKqKoNyvySpdwWz5iN1wMQQFS8ywsw0ewxZ0uPLIk
-> *k0)-grease
zR3oS3o1GDM0/uiHjtSfaxUemA+d8W3NITQqLIo74pxWnGcTNrBj9dfRVWrf6oBp
0p/FspjSLfruaATq9bU/REl+zLICKAy1oIpeq8gMA5yWsqh3lfiHntNF1lO3iGFn
--- 6FsNkLYmYMYsJ8Ao4fUoJ9lJqm2k+mXM6lLepEzO/h0
³<EFBFBD>”?@p«2~ øCŠ˜
óÎ1ôÂÆxâfiÏLÚ@õž}®ÃËJ¨V×ÖËòk¯ÜÎà´m`V€'˜œÜéÂzÔ.Ïþ”ëú n&g²Ó ÎïG1îUz©èLâ¸æ >÷<>#ø¨´*°ê<C2B0>•ïrYèyú|ÑRYP£%ônÛç!œzÇòºBË£Q#Ôüõv¾ëÌ<C3AB><C38C>