Compare commits


No commits in common. "dd3a96e222d0c248b9596bf7a45ef0ae83525a04" and "ed21f70a53c4dc16a13c517ed99def7dce898750" have entirely different histories.

24 changed files with 253 additions and 510 deletions


@ -7,11 +7,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1694793763, "lastModified": 1690228878,
"narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=", "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "572baca9b0c592f71982fca0790db4ce311e3c75", "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -20,25 +20,6 @@
"type": "github" "type": "github"
} }
}, },
"alertmanager-ntfy": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1672175240,
"narHash": "sha256-znVCx+4j9961QJJGI5RHIFrv2SGFd799Hao+LRThm+I=",
"owner": "alexbakker",
"repo": "alertmanager-ntfy",
"rev": "1e8a0901410207fa4357799f4e9f6d8f26e15626",
"type": "github"
},
"original": {
"owner": "alexbakker",
"repo": "alertmanager-ntfy",
"type": "github"
}
},
"bats-assert": { "bats-assert": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -94,21 +75,6 @@
} }
}, },
"flake-utils": { "flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": { "locked": {
"lastModified": 1634851050, "lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
@ -151,11 +117,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1694643239, "lastModified": 1694375657,
"narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=", "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d9b88b43524db1591fb3d9410a21428198d75d49", "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -166,7 +132,7 @@
}, },
"nixinate": { "nixinate": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1688141737, "lastModified": 1688141737,
@ -235,22 +201,6 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1670242877,
"narHash": "sha256-jBLh7dRHnbfvPPA9znOC6oQfKrCPJ0El8Zoe0BqnCjQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6e51c97f1c849efdfd4f3b78a4870e6aa2da4198",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1653060744, "lastModified": 1653060744,
"narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
@ -266,13 +216,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1694948089, "lastModified": 1694343207,
"narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=", "narHash": "sha256-jWi7OwFxU5Owi4k2JmiL1sa/OuBCQtpaAesuj5LXC8w=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db", "rev": "78058d810644f5ed276804ce7ea9e82d92bee293",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -282,7 +232,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1636823747, "lastModified": 1636823747,
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=", "narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
@ -300,11 +250,10 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"alertmanager-ntfy": "alertmanager-ntfy",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixinate": "nixinate", "nixinate": "nixinate",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_3",
"terranix": "terranix" "terranix": "terranix"
} }
}, },
@ -312,8 +261,8 @@
"inputs": { "inputs": {
"bats-assert": "bats-assert", "bats-assert": "bats-assert",
"bats-support": "bats-support", "bats-support": "bats-support",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_4",
"terranix-examples": "terranix-examples" "terranix-examples": "terranix-examples"
}, },
"locked": { "locked": {


@ -13,10 +13,9 @@
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
alertmanager-ntfy.url = "github:alexbakker/alertmanager-ntfy";
}; };
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy }: outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix }:
let let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
tf = terranix.lib.terranixConfiguration { tf = terranix.lib.terranixConfiguration {
@ -108,7 +107,6 @@
modules = [ modules = [
(import ./nix/monitoring/configuration.nix) (import ./nix/monitoring/configuration.nix)
agenix.nixosModules.default agenix.nixosModules.default
alertmanager-ntfy.nixosModules.x86_64-linux.default
{ {
_module.args.nixinate = { _module.args.nixinate = {
host = "monitoring"; host = "monitoring";


@ -52,31 +52,7 @@ kind: ConfigMap
metadata: metadata:
name: atuin name: atuin
data: data:
ATUIN_OPEN_REGISTRATION: "false" ATUIN_OPEN_REGISTRATION: "true"
ATUIN_DB_URI: "sqlite:///config/database.sqlite" ATUIN_DB_URI: "sqlite:///config/database.sqlite"
ATUIN_HOST: "0.0.0.0" ATUIN_HOST: "0.0.0.0"
ATUIN_PORT: "8888" ATUIN_PORT: "8888"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: atuin
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- atuin.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: atuin.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: atuin
port:
number: 8888
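Review bot: `ATUIN_OPEN_REGISTRATION: "true"` leaves account creation open on a service that the new primary-ingress in this compare publishes as atuin.gmem.ca, so anyone who can reach the ingress can register and start syncing shell history against this server. Unless open enrollment is intended, keep `ATUIN_OPEN_REGISTRATION: "false"` and flip it only for the window in which a new user is being added, with a comment on the line saying so. The ConfigMap this value belongs to begins before the hunk.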


@ -42,27 +42,3 @@ spec:
ports: ports:
- port: 3000 - port: 3000
targetPort: 3000 targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dref
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- dref.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: dref.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dref
port:
number: 3000


@ -21,27 +21,3 @@ subsets:
- name: ombi - name: ombi
port: 3579 port: 3579
protocol: TCP protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: request-media
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- request-media.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: request-media.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ombi
port:
number: 3579


@ -116,31 +116,3 @@ spec:
endpoints: endpoints:
- port: metrics - port: metrics
interval: 30s interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: food
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto $scheme;
namespace: default
spec:
tls:
- hosts:
- food.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: food.gmem.ca
http:
paths:
- backend:
service:
name: grocy
port:
number: 80
path: /
pathType: Prefix


@ -72,27 +72,3 @@ spec:
ports: ports:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: freshrss
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- freshrss.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: freshrss.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: freshrss
port:
number: 80


@ -47,28 +47,3 @@ spec:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
name: web name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: home
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- home.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: home.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dashy
port:
number: 80


@ -66,27 +66,3 @@ spec:
- port: 5353 - port: 5353
targetPort: 5353 targetPort: 5353
name: bonjour name: bonjour
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homebridge
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- hb.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: hb.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homebridge
port:
number: 8581


@ -48,27 +48,3 @@ spec:
ports: ports:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hue
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- hue.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: hue.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hue
port:
number: 80


@ -0,0 +1,153 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: primary-ingress
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
namespace: default
spec:
tls:
- hosts:
- home.gmem.ca
- atuin.gmem.ca
- pw.gmem.ca
- icr.gmem.ca
- hue.gmem.ca
- request-media.gmem.ca
- ntfy.gmem.ca
- dref.gmem.ca
- freshrss.gmem.ca
- hb.gmem.ca
secretName: primary-tls
rules:
- host: pw.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
- host: icr.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000
- host: hue.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hue
port:
number: 80
- host: request-media.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ombi
port:
number: 3579
- host: ntfy.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntfy
port:
number: 80
- host: dref.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dref
port:
number: 3000
- host: freshrss.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: freshrss
port:
number: 80
- host: hb.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homebridge
port:
number: 8581
- host: atuin.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: atuin
port:
number: 8888
- host: home.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dashy
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: funneled-ingress
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto $scheme;
namespace: default
spec:
tls:
- hosts:
- food.gmem.ca
secretName: funnel-tls
rules:
- host: food.gmem.ca
http:
paths:
- backend:
service:
name: grocy
port:
number: 80
path: /
pathType: Prefix
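Review bot: `nginx.ingress.kubernetes.io/ssl-redirect: "false"` on funneled-ingress leaves grocy reachable over plain HTTP, and the `configuration-snippet` annotation beside it only takes effect when the controller is run with snippet annotations allowed, a controller-wide setting that lets any Ingress object in the cluster inject nginx configuration. If the redirect is disabled because an upstream proxy already terminates TLS (the `X-Forwarded-Proto` header suggests so), a comment on the annotation naming that proxy would make the intent reviewable, and a plain `proxy_set_header` may not need the snippet at all if the controller already forwards the scheme. Note also that `secretName: primary-tls` replaces the old wildcard certificate with one SAN certificate listing all ten hostnames, so that host list becomes public in Certificate Transparency logs and a single issuance failure now affects every site behind primary-ingress.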


@ -7,7 +7,7 @@ spec:
# The ACME server URL # The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration # Email address used for ACME registration
email: acme@gmem.ca email: mc-invites@gmem.ca
# Name of a secret used to store the ACME account private key # Name of a secret used to store the ACME account private key
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-pro name: letsencrypt-pro
@ -17,20 +17,9 @@ spec:
dnsZones: dnsZones:
- "gmem.ca" - "gmem.ca"
dns01: dns01:
cloudflare: route53:
apiTokenSecretRef: region: us-east-1
name: cloudflare-cert-api accessKeyID: AKIA5VMESTY2UY5MRR42
key: api-token secretAccessKeySecretRef:
--- name: route53
apiVersion: cert-manager.io/v1 key: secret-access-key
kind: Certificate
metadata:
name: gmem-ca-wildcard
spec:
secretName: gmem-ca-wildcard
issuerRef:
kind: Issuer
name: le-issuer
commonName: "*.gmem.ca"
dnsNames:
- "*.gmem.ca"
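Review bot: The route53 solver authenticates with a static IAM user key, its key id written literally at the `accessKeyID:` line and the secret half in the `route53` Secret; a long-lived user credential that can edit DNS for gmem.ca is a larger standing grant than the API-token solver it replaces. If a static key is unavoidable, scope its IAM policy to the change-record and list actions cert-manager documents for DNS-01, limited to that one hosted zone, and set `hostedZoneID:` so the solver does not need permission to enumerate zones. The `email:` change to `mc-invites@gmem.ca` also redirects ACME expiry and account notices to a different mailbox, which is worth confirming was intended.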


@ -52,27 +52,4 @@ data:
base-url: https://ntfy.gmem.ca base-url: https://ntfy.gmem.ca
behind-proxy: true behind-proxy: true
upstream-base-url: "https://ntfy.sh" upstream-base-url: "https://ntfy.sh"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ntfy
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- ntfy.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: ntfy.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntfy
port:
number: 80


@ -52,12 +52,5 @@ prometheus:
remoteWrite: remoteWrite:
- name: monitoring - name: monitoring
url: http://grafana.gmem.ca:9001/api/v1/write url: http://grafana.gmem.ca:9001/api/v1/write
basicAuth:
username:
name: prometheus-remote-basic-auth
key: username
password:
name: prometheus-remote-basic-auth
key: password
grafana: grafana:
enabled: false enabled: false
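Review bot: Dropping the `basicAuth` block from the remoteWrite entry leaves the push to `http://grafana.gmem.ca:9001/api/v1/write` unauthenticated and over plaintext HTTP; the monitoring host configuration in this same compare removes the Prometheus `webConfigFile` that enforced that basic auth while keeping `--web.enable-remote-write-receiver`, so the receiving end now accepts samples from anyone who can reach port 9001. Whether that port is reachable only over the tailnet is not visible here. Either keep the `basicAuth:` block and the receiver's web config, or restrict 9001 to trusted interfaces at the firewall and record that decision in a comment next to the `url:` line.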


@ -46,28 +46,3 @@ spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClassName: nfs-client storageClassName: nfs-client
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: container-registry
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
namespace: default
spec:
tls:
- hosts:
- icr.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: icr.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000


@ -22,7 +22,7 @@ spec:
name: vaultwarden name: vaultwarden
initContainers: initContainers:
- name: init-litestream - name: init-litestream
image: litestream/litestream:0.3.11 image: litestream/litestream:sha-749bc0d
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3'] args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3']
volumeMounts: volumeMounts:
- name: data - name: data
@ -54,7 +54,7 @@ spec:
mountPath: /data/config.json mountPath: /data/config.json
subPath: vaultwarden.json subPath: vaultwarden.json
- name: litestream - name: litestream
image: litestream/litestream:0.3.11 image: litestream/litestream:sha-749bc0d
args: ['replicate'] args: ['replicate']
volumeMounts: volumeMounts:
- name: data - name: data
@ -116,27 +116,3 @@ spec:
endpoints: endpoints:
- port: metrics - port: metrics
interval: 30s interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- pw.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: pw.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
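Review bot: `image: litestream/litestream:sha-749bc0d` at both the init container and the sidecar is still a mutable tag; a commit-style tag looks pinned but can be re-pushed, so the restore and replicate steps that handle the Vaultwarden database are not reproducibly pinned. Pin by digest for both occurrences, e.g. `image: litestream/litestream:sha-749bc0d@sha256:<digest-from-registry>`, and pull the digest from the registry rather than the tag. The Deployment spec these two hunks edit starts before the first hunk.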


@ -1,5 +1,24 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
syncthingLatest =
let
version = "1.24.0";
src = pkgs.fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v1.24.0";
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
};
in
(pkgs.syncthing.override rec {
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
inherit src version;
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
});
});
in
{ {
imports = imports =
[ [
@ -59,7 +78,7 @@
enable = true; enable = true;
allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
allowedTCPPortRanges = [ { from = 27036; to = 27037; } ]; allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
allowedTCPPorts = [ 7000 7100 22000 8000 ]; allowedTCPPorts = [ 7000 7100 22000 ];
allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ]; allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ];
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose"; checkReversePath = "loose";
@ -78,6 +97,7 @@
user = "gsimmer"; user = "gsimmer";
dataDir = "/home/gsimmer"; dataDir = "/home/gsimmer";
guiAddress = "100.95.77.62:8384"; guiAddress = "100.95.77.62:8384";
package = syncthingLatest;
}; };
usbmuxd.enable = true; usbmuxd.enable = true;
prometheus.exporters.node = { prometheus.exporters.node = {
@ -135,8 +155,6 @@
nvidia = { nvidia = {
modesetting.enable = true; modesetting.enable = true;
nvidiaSettings = true; nvidiaSettings = true;
open = true;
package = config.boot.kernelPackages.nvidiaPackages.vulkan_beta;
}; };
sane.enable = true; sane.enable = true;
sane.extraBackends = [ pkgs.epkowa ]; sane.extraBackends = [ pkgs.epkowa ];
@ -154,7 +172,6 @@
}; };
programs = { programs = {
river.enable = true;
gamemode.enable = true; gamemode.enable = true;
zsh.enable = true; zsh.enable = true;
fish.enable = true; fish.enable = true;
@ -216,8 +233,6 @@
yubikey-touch-detector yubikey-touch-detector
docker-compose docker-compose
home-manager home-manager
libimobiledevice
ifuse
]; ];
}; };
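Review bot: The `syncthingLatest` override added at the top of this file is byte-for-byte the same block that the vancouver configuration in this compare adds, so the version, source `hash` and `vendorHash` must be bumped in two places and will drift. Move it into a shared module, overlay or repo-local package and have both hosts set `package = syncthingLatest;` from that single definition. Separately, `8000` drops out of `allowedTCPPorts` with nothing in the hunk saying what listened there; a short comment on that line would help the next reader. The attribute set the remaining hunks edit continues outside them.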


@ -16,7 +16,7 @@
[ [
(import (builtins.fetchTarball { (import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz"; url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "17y4i3p35qbw4xq7fybs60d2ym3brqzpv9mgsb55ma1rfc08m1jc"; sha256 = "0h5jabl78dpgknf5p3q5wmwx1856ywjh3nxlbsrqk8fr1g3aix8n";
})) discordOverlay]; })) discordOverlay];
}; };
home = { home = {
@ -565,7 +565,6 @@ $env.config = {
discord discord
mangohud mangohud
comma comma
gamescope
]; ];
# This value determines the Home Manager release that your # This value determines the Home Manager release that your
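Review bot: `builtins.fetchTarball` of `.../emacs-overlay/archive/master.tar.gz` with a fixed `sha256` pins a moving target: the hash is valid only until upstream's next push to master, after which evaluation fails with a hash mismatch, and the vancouver home-manager section in this compare adds the same pattern. Point the url at an immutable commit archive, `url = "https://github.com/nix-community/emacs-overlay/archive/<commit>.tar.gz";`, and keep the sha256 next to it so the pin is explicit and stays valid. The `nixpkgs.overlays` list this hunk edits starts before the hunk.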


@ -9,17 +9,6 @@
owner = "healthchecks"; owner = "healthchecks";
}; };
age.secrets.prometheus-webconfig-secret = {
file = ../../secrets/monitoring-prometheus-webconfig.age;
owner = "prometheus";
mode = "775";
};
age.secrets.prometheus-password-secret = {
file = ../../secrets/monitoring-prometheus-password.age;
owner = "prometheus";
};
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "monitoring"; networking.hostName = "monitoring";
@ -38,89 +27,11 @@
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
}; };
}; };
services.alertmanager-ntfy = {
enable = true;
settings = {
http = {
addr = "127.0.0.1:8111";
};
ntfy = {
baseurl = "https://ntfy.gmem.ca";
notification = {
topic = "alerts";
priority = ''
status == "firing" ? "high" : "default"
'';
templates = {
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
description = ''{{ index .Annotations "description" }}'';
click = ''http://grafana.gmem.ca/d/{{ index .Annotations "dashboard" }}'';
};
};
};
};
};
services.prometheus = { services.prometheus = {
enable = true; enable = true;
webConfigFile = config.age.secrets.prometheus-webconfig-secret.path;
globalConfig = { globalConfig = {
scrape_interval = "15s"; scrape_interval = "15s";
}; };
alertmanagers = [ {
basic_auth = {
username = "homelab";
password_file = config.age.secrets.prometheus-password-secret.path;
};
static_configs = [ {
targets = [
"localhost:9093"
];
} ];
} ];
rules = [(builtins.toJSON {
groups = [{
name = "healthchecks";
rules = [
{
alert = "HealthcheckFailedCheckin";
expr = ''hc_check_up < 1'';
for = "5m";
labels.severity = "page";
annotations = {
summary = "{{ $labels.name }} healthcheck failed";
description = "The {{ $labels.name }} healthcheck failed to check in.";
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
};
}
];
}];
})];
alertmanager = {
enable = true;
extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ];
webExternalUrl = "https://alerts.gmem.ca";
configText = ''
global: {}
# The directory from which notification templates are read.
templates:
- '/etc/alertmanager/template/*.tmpl'
# The root route on which each incoming alert enters.
route:
group_by: ['alertname', 'cluster', 'service']
group_wait: 0s
group_interval: 5m
repeat_interval: 3h
# A default receiver
receiver: ntfy
receivers:
- name: ntfy
webhook_configs:
- url: http://localhost:8111/hook
'';
};
port = 9001; port = 9001;
extraFlags = [ "--web.enable-remote-write-receiver" ]; extraFlags = [ "--web.enable-remote-write-receiver" ];
scrapeConfigs = [ scrapeConfigs = [
@ -142,10 +53,6 @@
job_name = "forgejo"; job_name = "forgejo";
static_configs = [ { targets = [ "git.gmem.ca" ]; } ]; static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
} }
{
job_name = "coredns";
static_configs = [ { targets = [ "vancouver:9253" ]; } ];
}
{ {
job_name = "healthchecks"; job_name = "healthchecks";
scrape_interval = "60s"; scrape_interval = "60s";
@ -200,7 +107,6 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
virtualHosts."healthchecks.gmem.ca" = { virtualHosts."healthchecks.gmem.ca" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -208,6 +114,9 @@
proxyPass = "http://127.0.0.1:8000"; proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."~ \/projects\/.+\/metrics\/.+" = {
extraConfig = "deny all;";
};
}; };
}; };
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
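Review bot: With the alert `rules`, the `alertmanager` block and `services.alertmanager-ntfy` all gone, the `healthchecks` scrape job kept further down still collects its metrics but nothing in the new configuration acts on them, so a failed check-in no longer produces a notification; if alerting moved to Grafana or elsewhere that is not visible in this compare, and a comment above `scrapeConfigs` saying where alerts now live would settle it. The added `locations."~ \/projects\/.+\/metrics\/.+"` deny on healthchecks.gmem.ca is a reasonable public block for what is presumably the per-project metrics endpoint; Nix does not need the `\/` escapes, so the key reads cleaner as `"~ /projects/.+/metrics/.+"`. The `services.prometheus` and nginx attribute sets both extend beyond the hunks.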


@ -1,15 +1,29 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
syncthingLatest =
let
version = "1.24.0";
src = pkgs.fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v1.24.0";
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
};
in
(pkgs.syncthing.override rec {
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
inherit src version;
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
});
});
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware.nix ./hardware.nix
]; ];
age.secrets.action-token = { age.secrets.action-token.file = ../../secrets/vancouver-action-runner.age;
file = ../../secrets/vancouver-action-runner.age;
owner = "gitea-runner";
};
age.secrets.restic-b2-credentials = { age.secrets.restic-b2-credentials = {
file = ../../secrets/vancouver-restic-b2.age; file = ../../secrets/vancouver-restic-b2.age;
group = "users"; group = "users";
@ -81,7 +95,6 @@
repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup"; repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup";
paths = [ paths = [
"\"/Primary/becki/VRChat\ Avatars\"" "\"/Primary/becki/VRChat\ Avatars\""
"/Primary/becki/Pictures"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "daily"; OnCalendar = "daily";
@ -140,6 +153,7 @@
user = "gsimmer"; user = "gsimmer";
dataDir = "/Primary/gabriel"; dataDir = "/Primary/gabriel";
guiAddress = "100.116.48.47:8384"; guiAddress = "100.116.48.47:8384";
package = syncthingLatest;
}; };
prometheus.exporters = { prometheus.exporters = {
blackbox = { blackbox = {
@ -159,8 +173,6 @@
config = config =
'' ''
.:53 { .:53 {
prometheus 100.116.48.47:9253
health health
file /var/src/dns.db git.gmem.ca food.gmem.ca file /var/src/dns.db git.gmem.ca food.gmem.ca
forward . 45.90.28.116 45.90.30.116 forward . 45.90.28.116 45.90.30.116
@ -336,13 +348,6 @@
metrics = { metrics = {
ENABLED = true; ENABLED = true;
}; };
"repository.signing" = {
SIGNING_KEY = "default";
INITIAL_COMMIT = "always";
WIKI = "always";
CRUD_ACTIONS = "always";
MERGES = "always";
};
}; };
}; };
gitea-actions-runner = { gitea-actions-runner = {
@ -444,8 +449,6 @@
cloudflared cloudflared
bat bat
virtiofsd virtiofsd
gnupg
pinentry
]; ];
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
@ -471,7 +474,7 @@
openssh.authorizedKeys.keys = let openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys); authorizedKeys);
@ -484,7 +487,7 @@
root.openssh.authorizedKeys.keys = let root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4="; sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys); authorizedKeys);
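Review bot: The two `pkgs.fetchurl { url = "https://gmem.ca/ssh"; ... }` calls now carry different `sha256` values for the same URL (`0vm0q5fzx55...` for the user, `0iwrm80hsad...` for root) where the old side used one hash for both; fetchurl is a fixed-output derivation, so at most one hash can match what the URL serves and the other build fails, or the two accounts end up with different authorized_keys depending on what was fetched when. Bind the fetch once in a `let` and reuse it for both users, and consider checking the public keys into the repository instead of trusting a web endpoint at build time. Also `age.secrets.action-token.file = ...` loses the `owner = "gitea-runner"` it had, so the decrypted token falls back to agenix's default root ownership; unless the runner service runs as root (its block is outside this hunk) it will no longer be able to read the file.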


@ -1,6 +1,13 @@
{ config, pkgs, callPackage, ... }: { config, pkgs, callPackage, ... }:
{ {
nixpkgs.overlays = [
(import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "11knjfj2gnj8y6jy4xali11g86clq7jmy5ndzy1gg0yy1y72xrhm";
}))
];
home.username = "gsimmer"; home.username = "gsimmer";
home.homeDirectory = "/Primary/gabriel"; home.homeDirectory = "/Primary/gabriel";
@ -51,6 +58,16 @@ end
nix-direnv.enable = true; nix-direnv.enable = true;
}; };
# services.lorri.enable = true;
programs.emacs = {
enable = false;
package = pkgs.emacs-unstable-pgtk;
extraPackages = epkgs: [
epkgs.vterm
];
};
programs.eza = { programs.eza = {
enable = true; enable = true;
enableAliases = true; enableAliases = true;


@ -12,7 +12,5 @@ in
"secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ]; "secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
"secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
"secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users; "secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
} }


@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 J+a91w qN8Z94Hx1iQy12DngGD5/AiLJxbGbs51Tr3aE1/80gk
6eH40Q7Hn/ES463b7FPjyUnNDlcOFCC1VM1qf5G7F/M
-> ssh-ed25519 qbziOw k3d+DHeevcGtHJnPfCEKro/f2R8S2auaH+3BGE1meVI
rAEfQWRi5CDYDPdYwFAV4cQgDT/B77lVBFKCGfeDk7I
-> wU3bY.f)-grease m#L* _b8 `WSigN 3%
A+cZ7hzU7HvAu6zUWZZ5pPMW20A8gCtCK6mUzMXbnjDNMtxW+bIRuQeKIOqKKjdw
azUjJKU6NaEktNrNWG7G9PXn9uQ
--- WDkj0HNNagL9VWzwgUZjAe4V/hZ1jZVkmVBgxHzXN7c
¯%R»rJ[2̨<C38C>ºRbˆšë#o`5Q<35>+:ŽÊŽíî‡ÚV\LøQêoê°g:ÈRFL¼ÁÙýAƒL/ü<>peÛ!7ü¿­©/Wÿ5€R<E282AC> <20>ÈËŽxKY Û³fô*Ò'î<>KÎ* .ýg¢×1RTÍFêû.2z5ðÿ¾~ˆý=|ecàP:„+{«ÈšeÂ0úù¿ÎS°ÛÄnS¥ao¨Š¸¢¿ç9†ƒÞ§ü<C2A7>¤W —†„Õ<E2809E>³a > »ø!‚Â


@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 oN6OTQ 290Jjq3X3EKWAJjbrxxNdLVYq7OOdTZAQBLnb0JlzEw -> ssh-ed25519 oN6OTQ BBqv4gyfV+ZTQTKNhEUPRrzWNKz1YjVr3qyouxZ1l1s
Ci/Ngx0O5JbCbxNqkUdSz1zuHs2YMvi+st/Nf+BlhXk ApaqQizmjolL/f1j2iQAvRUuCrrv9l0R8ms63TsKmU0
-> ssh-ed25519 qbziOw pexX+lrzjrIvjD1BXDOwZ6jvHNwHvI8NN7t0g+WAHE4 -> ssh-ed25519 qbziOw XL46mKp0s0IqX3sOY7wdyuxgIAdsNSb+pMl1oUgI2EY
8TlaRQnd/H/1nML+bJOL9J6rG1FOSFY7qTTiu11gqRo C+4Zy+62bzn7VkRdndpaiDtHc013K9PIrQXBpSqxD3s
-> Q5TArB-grease -> <#q*-grease
bYTE3nqG4aLFTuXCpjRNM7rnVFlL7BCJ2BlqJbMn0CImH3owoMnYwpBBEO2i5/O7 GKgzRmWm4lA3tKsx96FM0QFnDI8Mu8jc76XM5uFZJnEY
XdBin6lrZDYiFZMLzQ4DRd8B --- FZbu3X6NM/NxZBnjbc/BRIsccomlfkwIelFdc4NXt5g
--- GfQW76dgud6sOfFfB1VoRiiZZqDePubrWRTbvKcx3Z0 PÄó¨¦TÛ åßšµ¹^ªTÃ{ñevô÷Rb{ð1ì<31>K¦Í´eN œAàØéîÊÎ}MûjZ5K…öXd®vÜ+yƒ³”vÝE
“n-‡ŽA3]Éró]YHp'`º2óH^Î%Ï}= Nzútoöä:³5õ³ˆªéùê—R <52>§¾áýL瞶6‹©ÀÐÝ24¼ª"WË