Compare commits
No commits in common. "dd3a96e222d0c248b9596bf7a45ef0ae83525a04" and "ed21f70a53c4dc16a13c517ed99def7dce898750" have entirely different histories.
dd3a96e222
...
ed21f70a53
81
flake.lock
81
flake.lock
|
@ -7,11 +7,11 @@
|
|||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694793763,
|
||||
"narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=",
|
||||
"lastModified": 1690228878,
|
||||
"narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "572baca9b0c592f71982fca0790db4ce311e3c75",
|
||||
"rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -20,25 +20,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"alertmanager-ntfy": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1672175240,
|
||||
"narHash": "sha256-znVCx+4j9961QJJGI5RHIFrv2SGFd799Hao+LRThm+I=",
|
||||
"owner": "alexbakker",
|
||||
"repo": "alertmanager-ntfy",
|
||||
"rev": "1e8a0901410207fa4357799f4e9f6d8f26e15626",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "alexbakker",
|
||||
"repo": "alertmanager-ntfy",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"bats-assert": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -94,21 +75,6 @@
|
|||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1667395993,
|
||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"locked": {
|
||||
"lastModified": 1634851050,
|
||||
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
|
||||
|
@ -151,11 +117,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694643239,
|
||||
"narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
|
||||
"lastModified": 1694375657,
|
||||
"narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
|
||||
"rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -166,7 +132,7 @@
|
|||
},
|
||||
"nixinate": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1688141737,
|
||||
|
@ -235,22 +201,6 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1670242877,
|
||||
"narHash": "sha256-jBLh7dRHnbfvPPA9znOC6oQfKrCPJ0El8Zoe0BqnCjQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6e51c97f1c849efdfd4f3b78a4870e6aa2da4198",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1653060744,
|
||||
"narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
|
||||
|
@ -266,13 +216,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1694948089,
|
||||
"narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
|
||||
"lastModified": 1694343207,
|
||||
"narHash": "sha256-jWi7OwFxU5Owi4k2JmiL1sa/OuBCQtpaAesuj5LXC8w=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
|
||||
"rev": "78058d810644f5ed276804ce7ea9e82d92bee293",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -282,7 +232,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1636823747,
|
||||
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
|
||||
|
@ -300,11 +250,10 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"alertmanager-ntfy": "alertmanager-ntfy",
|
||||
"home-manager": "home-manager_2",
|
||||
"nixinate": "nixinate",
|
||||
"nixos-generators": "nixos-generators",
|
||||
"nixpkgs": "nixpkgs_4",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"terranix": "terranix"
|
||||
}
|
||||
},
|
||||
|
@ -312,8 +261,8 @@
|
|||
"inputs": {
|
||||
"bats-assert": "bats-assert",
|
||||
"bats-support": "bats-support",
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": "nixpkgs_5",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs_4",
|
||||
"terranix-examples": "terranix-examples"
|
||||
},
|
||||
"locked": {
|
||||
|
|
|
@ -13,10 +13,9 @@
|
|||
url = "github:nix-community/nixos-generators";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
alertmanager-ntfy.url = "github:alexbakker/alertmanager-ntfy";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy }:
|
||||
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix }:
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
||||
tf = terranix.lib.terranixConfiguration {
|
||||
|
@ -108,7 +107,6 @@
|
|||
modules = [
|
||||
(import ./nix/monitoring/configuration.nix)
|
||||
agenix.nixosModules.default
|
||||
alertmanager-ntfy.nixosModules.x86_64-linux.default
|
||||
{
|
||||
_module.args.nixinate = {
|
||||
host = "monitoring";
|
||||
|
|
|
@ -52,31 +52,7 @@ kind: ConfigMap
|
|||
metadata:
|
||||
name: atuin
|
||||
data:
|
||||
ATUIN_OPEN_REGISTRATION: "false"
|
||||
ATUIN_OPEN_REGISTRATION: "true"
|
||||
ATUIN_DB_URI: "sqlite:///config/database.sqlite"
|
||||
ATUIN_HOST: "0.0.0.0"
|
||||
ATUIN_PORT: "8888"
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: atuin
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- atuin.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: atuin.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: atuin
|
||||
port:
|
||||
number: 8888
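Review bot: `ATUIN_OPEN_REGISTRATION` appears in the ConfigMap hunk as both `"false"` and `"true"`, and the hunk counts leave exactly one added line, so by print order the new value is `"true"`; the +/- markers are lost on this page, so confirm the direction. With `ATUIN_HOST: "0.0.0.0"` and atuin.gmem.ca routed by an Ingress elsewhere in this comparison, open registration lets anyone who can reach the host create an account on the sync server. Unless that is intended, keep `ATUIN_OPEN_REGISTRATION: "false"` and add a comment that it is flipped only while enrolling a new user.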
|
||||
|
|
|
@ -42,27 +42,3 @@ spec:
|
|||
ports:
|
||||
- port: 3000
|
||||
targetPort: 3000
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: dref
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- dref.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: dref.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: dref
|
||||
port:
|
||||
number: 3000
|
||||
|
|
|
@ -21,27 +21,3 @@ subsets:
|
|||
- name: ombi
|
||||
port: 3579
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: request-media
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- request-media.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: request-media.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: ombi
|
||||
port:
|
||||
number: 3579
|
||||
|
|
|
@ -116,31 +116,3 @@ spec:
|
|||
endpoints:
|
||||
- port: metrics
|
||||
interval: 30s
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: food
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 100m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- food.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: food.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: grocy
|
||||
port:
|
||||
number: 80
|
||||
path: /
|
||||
pathType: Prefix
|
||||
|
|
|
@ -72,27 +72,3 @@ spec:
|
|||
ports:
|
||||
- port: 80
|
||||
targetPort: 80
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: freshrss
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- freshrss.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: freshrss.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: freshrss
|
||||
port:
|
||||
number: 80
|
||||
|
|
|
@ -47,28 +47,3 @@ spec:
|
|||
- port: 80
|
||||
targetPort: 80
|
||||
name: web
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: home
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- home.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: home.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: dashy
|
||||
port:
|
||||
number: 80
|
||||
|
|
|
@ -66,27 +66,3 @@ spec:
|
|||
- port: 5353
|
||||
targetPort: 5353
|
||||
name: bonjour
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: homebridge
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- hb.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: hb.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: homebridge
|
||||
port:
|
||||
number: 8581
|
||||
|
|
|
@ -48,27 +48,3 @@ spec:
|
|||
ports:
|
||||
- port: 80
|
||||
targetPort: 80
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: hue
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- hue.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: hue.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hue
|
||||
port:
|
||||
number: 80
|
||||
|
|
|
@ -0,0 +1,153 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: primary-ingress
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 100m
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- home.gmem.ca
|
||||
- atuin.gmem.ca
|
||||
- pw.gmem.ca
|
||||
- icr.gmem.ca
|
||||
- hue.gmem.ca
|
||||
- request-media.gmem.ca
|
||||
- ntfy.gmem.ca
|
||||
- dref.gmem.ca
|
||||
- freshrss.gmem.ca
|
||||
- hb.gmem.ca
|
||||
secretName: primary-tls
|
||||
rules:
|
||||
- host: pw.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: vaultwarden
|
||||
port:
|
||||
number: 80
|
||||
- host: icr.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: registry
|
||||
port:
|
||||
number: 5000
|
||||
- host: hue.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hue
|
||||
port:
|
||||
number: 80
|
||||
- host: request-media.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: ombi
|
||||
port:
|
||||
number: 3579
|
||||
- host: ntfy.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: ntfy
|
||||
port:
|
||||
number: 80
|
||||
- host: dref.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: dref
|
||||
port:
|
||||
number: 3000
|
||||
- host: freshrss.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: freshrss
|
||||
port:
|
||||
number: 80
|
||||
- host: hb.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: homebridge
|
||||
port:
|
||||
number: 8581
|
||||
- host: atuin.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: atuin
|
||||
port:
|
||||
number: 8888
|
||||
- host: home.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: dashy
|
||||
port:
|
||||
number: 80
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: funneled-ingress
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 100m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- food.gmem.ca
|
||||
secretName: funnel-tls
|
||||
rules:
|
||||
- host: food.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: grocy
|
||||
port:
|
||||
number: 80
|
||||
path: /
|
||||
pathType: Prefix
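Review bot: `funneled-ingress` sets `nginx.ingress.kubernetes.io/ssl-redirect: "false"` without a comment, so food.gmem.ca is also answered over plain HTTP; if TLS is terminated in front of the controller, say so above the annotation, otherwise drop it. The `configuration-snippet` annotation only works when the controller allows snippet annotations, which widens what any Ingress author can inject into the nginx config, and ingress-nginx normally sends `X-Forwarded-Proto` to backends on its own, so the snippet may be removable (verify before deleting). In `primary-ingress`, pw.gmem.ca and icr.gmem.ca now share one object and one `primary-tls` certificate with eight other hosts, so a per-host annotation such as a source allowlist can no longer be applied to the password manager or the registry alone.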
|
|
@ -7,7 +7,7 @@ spec:
|
|||
# The ACME server URL
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
# Email address used for ACME registration
|
||||
email: acme@gmem.ca
|
||||
email: mc-invites@gmem.ca
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-pro
|
||||
|
@ -17,20 +17,9 @@ spec:
|
|||
dnsZones:
|
||||
- "gmem.ca"
|
||||
dns01:
|
||||
cloudflare:
|
||||
apiTokenSecretRef:
|
||||
name: cloudflare-cert-api
|
||||
key: api-token
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: gmem-ca-wildcard
|
||||
spec:
|
||||
secretName: gmem-ca-wildcard
|
||||
issuerRef:
|
||||
kind: Issuer
|
||||
name: le-issuer
|
||||
commonName: "*.gmem.ca"
|
||||
dnsNames:
|
||||
- "*.gmem.ca"
|
||||
route53:
|
||||
region: us-east-1
|
||||
accessKeyID: AKIA5VMESTY2UY5MRR42
|
||||
secretAccessKeySecretRef:
|
||||
name: route53
|
||||
key: secret-access-key
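Review bot: The `route53` solver block carries the AWS access key ID as a literal `accessKeyID:` value while only the secret half goes through `secretAccessKeySecretRef`; by the hunk counts (20 old lines, 9 new) this block is the added side. The key ID identifies a long-lived IAM user and does not need to live in the repository: cert-manager also accepts `accessKeyIDSecretRef`, e.g. `accessKeyIDSecretRef: { name: route53, key: access-key-id }` (key name constructed here), so both halves come from the same Secret. The policy attached to that user should be limited to record changes in the gmem.ca hosted zone, which is not visible from this manifest.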
|
|
@ -52,27 +52,4 @@ data:
|
|||
base-url: https://ntfy.gmem.ca
|
||||
behind-proxy: true
|
||||
upstream-base-url: "https://ntfy.sh"
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: ntfy
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- ntfy.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: ntfy.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: ntfy
|
||||
port:
|
||||
number: 80
|
||||
|
||||
|
|
|
@ -52,12 +52,5 @@ prometheus:
|
|||
remoteWrite:
|
||||
- name: monitoring
|
||||
url: http://grafana.gmem.ca:9001/api/v1/write
|
||||
basicAuth:
|
||||
username:
|
||||
name: prometheus-remote-basic-auth
|
||||
key: username
|
||||
password:
|
||||
name: prometheus-remote-basic-auth
|
||||
key: password
|
||||
grafana:
|
||||
enabled: false
|
||||
|
|
|
@ -46,28 +46,3 @@ spec:
|
|||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: nfs-client
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: container-registry
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 100m
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- icr.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: icr.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: registry
|
||||
port:
|
||||
number: 5000
|
||||
|
|
|
@ -22,7 +22,7 @@ spec:
|
|||
name: vaultwarden
|
||||
initContainers:
|
||||
- name: init-litestream
|
||||
image: litestream/litestream:0.3.11
|
||||
image: litestream/litestream:sha-749bc0d
|
||||
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3']
|
||||
volumeMounts:
|
||||
- name: data
|
||||
|
@ -54,7 +54,7 @@ spec:
|
|||
mountPath: /data/config.json
|
||||
subPath: vaultwarden.json
|
||||
- name: litestream
|
||||
image: litestream/litestream:0.3.11
|
||||
image: litestream/litestream:sha-749bc0d
|
||||
args: ['replicate']
|
||||
volumeMounts:
|
||||
- name: data
|
||||
|
@ -116,27 +116,3 @@ spec:
|
|||
endpoints:
|
||||
- port: metrics
|
||||
interval: 30s
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: vaultwarden
|
||||
annotations:
|
||||
cert-manager.io/issuer: "le-issuer"
|
||||
namespace: default
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- pw.gmem.ca
|
||||
secretName: gmem-ca-wildcard
|
||||
rules:
|
||||
- host: pw.gmem.ca
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: vaultwarden
|
||||
port:
|
||||
number: 80
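Review bot: Both litestream containers (`init-litestream` and `litestream`) reference the image by tag only; the page shows `litestream/litestream:0.3.11` and `litestream/litestream:sha-749bc0d`, and with the +/- markers lost the direction follows print order only. Neither form is pinned by digest, and a `sha-…` tag is a per-commit build rather than a release, so the sidecar that restores and replicates the vaultwarden database can change underneath the manifest. Pin it as `image: litestream/litestream:<tag>@sha256:<digest>` (placeholder, take the digest from the registry) and add a comment on why a non-release build is needed, if it is.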
|
||||
|
|
|
@ -1,5 +1,24 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
|
||||
syncthingLatest =
|
||||
let
|
||||
version = "1.24.0";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "syncthing";
|
||||
repo = "syncthing";
|
||||
rev = "v1.24.0";
|
||||
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
|
||||
};
|
||||
in
|
||||
(pkgs.syncthing.override rec {
|
||||
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
|
||||
inherit src version;
|
||||
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
|
||||
});
|
||||
});
|
||||
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[
|
||||
|
@ -59,7 +78,7 @@
|
|||
enable = true;
|
||||
allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
|
||||
allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
|
||||
allowedTCPPorts = [ 7000 7100 22000 8000 ];
|
||||
allowedTCPPorts = [ 7000 7100 22000 ];
|
||||
allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ];
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
checkReversePath = "loose";
|
||||
|
@ -78,6 +97,7 @@
|
|||
user = "gsimmer";
|
||||
dataDir = "/home/gsimmer";
|
||||
guiAddress = "100.95.77.62:8384";
|
||||
package = syncthingLatest;
|
||||
};
|
||||
usbmuxd.enable = true;
|
||||
prometheus.exporters.node = {
|
||||
|
@ -135,8 +155,6 @@
|
|||
nvidia = {
|
||||
modesetting.enable = true;
|
||||
nvidiaSettings = true;
|
||||
open = true;
|
||||
package = config.boot.kernelPackages.nvidiaPackages.vulkan_beta;
|
||||
};
|
||||
sane.enable = true;
|
||||
sane.extraBackends = [ pkgs.epkowa ];
|
||||
|
@ -154,7 +172,6 @@
|
|||
};
|
||||
|
||||
programs = {
|
||||
river.enable = true;
|
||||
gamemode.enable = true;
|
||||
zsh.enable = true;
|
||||
fish.enable = true;
|
||||
|
@ -216,8 +233,6 @@
|
|||
yubikey-touch-detector
|
||||
docker-compose
|
||||
home-manager
|
||||
libimobiledevice
|
||||
ifuse
|
||||
];
|
||||
};
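Review bot: `syncthingLatest` hard-codes syncthing 1.24.0 through a `buildGoModule` override, and the identical block is added again in the other host configuration later in this comparison. A manual pin stops following nixpkgs, so later syncthing security fixes will not arrive with `flake.lock` updates until someone bumps `version`, `hash` and `vendorHash` in both files. Move the definition into one shared file or overlay, add a comment such as `# TODO: drop once nixpkgs ships >= 1.24.0`, and write `rev = "v${version}";` so the tag cannot drift from `version`. The `rec` on `override rec { … }` is unused, and `pkgs.buildGoModule.override {}` overrides nothing.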
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
[
|
||||
(import (builtins.fetchTarball {
|
||||
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
|
||||
sha256 = "17y4i3p35qbw4xq7fybs60d2ym3brqzpv9mgsb55ma1rfc08m1jc";
|
||||
sha256 = "0h5jabl78dpgknf5p3q5wmwx1856ywjh3nxlbsrqk8fr1g3aix8n";
|
||||
})) discordOverlay];
|
||||
};
|
||||
home = {
|
||||
|
@ -565,7 +565,6 @@ $env.config = {
|
|||
discord
|
||||
mangohud
|
||||
comma
|
||||
gamescope
|
||||
];
|
||||
|
||||
# This value determines the Home Manager release that your
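Review bot: The emacs-overlay import fetches `archive/master.tar.gz`, a moving ref, and only the `sha256` line changes in this section; the same `fetchTarball` block is added to the other home configuration later in this comparison with a different hash. A fixed hash on a moving URL fails evaluation once master advances and the cached tarball is gone, and the two files already disagree on which snapshot they expect. Pin the URL to a commit archive, `url = "https://github.com/nix-community/emacs-overlay/archive/<commit>.tar.gz";` (placeholder), or make the overlay a flake input so `flake.lock` records the revision once for both files.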
|
||||
|
|
|
@ -9,17 +9,6 @@
|
|||
owner = "healthchecks";
|
||||
};
|
||||
|
||||
age.secrets.prometheus-webconfig-secret = {
|
||||
file = ../../secrets/monitoring-prometheus-webconfig.age;
|
||||
owner = "prometheus";
|
||||
mode = "775";
|
||||
};
|
||||
|
||||
age.secrets.prometheus-password-secret = {
|
||||
file = ../../secrets/monitoring-prometheus-password.age;
|
||||
owner = "prometheus";
|
||||
};
|
||||
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
zramSwap.enable = true;
|
||||
networking.hostName = "monitoring";
|
||||
|
@ -38,89 +27,11 @@
|
|||
http_addr = "127.0.0.1";
|
||||
};
|
||||
};
|
||||
services.alertmanager-ntfy = {
|
||||
enable = true;
|
||||
settings = {
|
||||
http = {
|
||||
addr = "127.0.0.1:8111";
|
||||
};
|
||||
ntfy = {
|
||||
baseurl = "https://ntfy.gmem.ca";
|
||||
notification = {
|
||||
topic = "alerts";
|
||||
priority = ''
|
||||
status == "firing" ? "high" : "default"
|
||||
'';
|
||||
templates = {
|
||||
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
|
||||
description = ''{{ index .Annotations "description" }}'';
|
||||
click = ''http://grafana.gmem.ca/d/{{ index .Annotations "dashboard" }}'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
webConfigFile = config.age.secrets.prometheus-webconfig-secret.path;
|
||||
globalConfig = {
|
||||
scrape_interval = "15s";
|
||||
};
|
||||
alertmanagers = [ {
|
||||
basic_auth = {
|
||||
username = "homelab";
|
||||
password_file = config.age.secrets.prometheus-password-secret.path;
|
||||
};
|
||||
static_configs = [ {
|
||||
targets = [
|
||||
"localhost:9093"
|
||||
];
|
||||
} ];
|
||||
} ];
|
||||
rules = [(builtins.toJSON {
|
||||
groups = [{
|
||||
name = "healthchecks";
|
||||
rules = [
|
||||
{
|
||||
alert = "HealthcheckFailedCheckin";
|
||||
expr = ''hc_check_up < 1'';
|
||||
for = "5m";
|
||||
labels.severity = "page";
|
||||
annotations = {
|
||||
summary = "{{ $labels.name }} healthcheck failed";
|
||||
description = "The {{ $labels.name }} healthcheck failed to check in.";
|
||||
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
|
||||
};
|
||||
}
|
||||
];
|
||||
}];
|
||||
})];
|
||||
alertmanager = {
|
||||
enable = true;
|
||||
extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ];
|
||||
webExternalUrl = "https://alerts.gmem.ca";
|
||||
configText = ''
|
||||
global: {}
|
||||
|
||||
# The directory from which notification templates are read.
|
||||
templates:
|
||||
- '/etc/alertmanager/template/*.tmpl'
|
||||
|
||||
# The root route on which each incoming alert enters.
|
||||
route:
|
||||
group_by: ['alertname', 'cluster', 'service']
|
||||
group_wait: 0s
|
||||
group_interval: 5m
|
||||
repeat_interval: 3h
|
||||
# A default receiver
|
||||
receiver: ntfy
|
||||
|
||||
receivers:
|
||||
- name: ntfy
|
||||
webhook_configs:
|
||||
- url: http://localhost:8111/hook
|
||||
'';
|
||||
};
|
||||
port = 9001;
|
||||
extraFlags = [ "--web.enable-remote-write-receiver" ];
|
||||
scrapeConfigs = [
|
||||
|
@ -142,10 +53,6 @@
|
|||
job_name = "forgejo";
|
||||
static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
|
||||
}
|
||||
{
|
||||
job_name = "coredns";
|
||||
static_configs = [ { targets = [ "vancouver:9253" ]; } ];
|
||||
}
|
||||
{
|
||||
job_name = "healthchecks";
|
||||
scrape_interval = "60s";
|
||||
|
@ -200,7 +107,6 @@
|
|||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
||||
virtualHosts."healthchecks.gmem.ca" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -208,6 +114,9 @@
|
|||
proxyPass = "http://127.0.0.1:8000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
locations."~ \/projects\/.+\/metrics\/.+" = {
|
||||
extraConfig = "deny all;";
|
||||
};
|
||||
};
|
||||
};
|
||||
security.acme.acceptTerms = true;
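Review bot: After the second hunk, `services.prometheus` keeps `port = 9001` and `extraFlags = [ "--web.enable-remote-write-receiver" ]` but no longer has `webConfigFile`, and the first hunk drops the `prometheus-webconfig-secret` it pointed to, so the remote-write receiver appears to run without authentication. The Helm values section earlier in this comparison removes `basicAuth` from the `remoteWrite` entry for `http://grafana.gmem.ca:9001/api/v1/write`, so samples would also travel over plain HTTP with no credentials. Whether port 9001 is reachable from untrusted networks is not visible here; if it is, anyone able to reach it can write series into this Prometheus. Either keep `webConfigFile = config.age.secrets.prometheus-webconfig-secret.path;` together with its secret, or restrict the listener to a trusted interface and say so in a comment.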
|
||||
|
|
|
@ -1,15 +1,29 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
syncthingLatest =
|
||||
let
|
||||
version = "1.24.0";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "syncthing";
|
||||
repo = "syncthing";
|
||||
rev = "v1.24.0";
|
||||
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
|
||||
};
|
||||
in
|
||||
(pkgs.syncthing.override rec {
|
||||
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
|
||||
inherit src version;
|
||||
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
|
||||
});
|
||||
});
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware.nix
|
||||
];
|
||||
|
||||
age.secrets.action-token = {
|
||||
file = ../../secrets/vancouver-action-runner.age;
|
||||
owner = "gitea-runner";
|
||||
};
|
||||
age.secrets.action-token.file = ../../secrets/vancouver-action-runner.age;
|
||||
age.secrets.restic-b2-credentials = {
|
||||
file = ../../secrets/vancouver-restic-b2.age;
|
||||
group = "users";
|
||||
|
@ -81,7 +95,6 @@
|
|||
repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup";
|
||||
paths = [
|
||||
"\"/Primary/becki/VRChat\ Avatars\""
|
||||
"/Primary/becki/Pictures"
|
||||
];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
|
@ -140,6 +153,7 @@
|
|||
user = "gsimmer";
|
||||
dataDir = "/Primary/gabriel";
|
||||
guiAddress = "100.116.48.47:8384";
|
||||
package = syncthingLatest;
|
||||
};
|
||||
prometheus.exporters = {
|
||||
blackbox = {
|
||||
|
@ -159,8 +173,6 @@
|
|||
config =
|
||||
''
|
||||
.:53 {
|
||||
prometheus 100.116.48.47:9253
|
||||
|
||||
health
|
||||
file /var/src/dns.db git.gmem.ca food.gmem.ca
|
||||
forward . 45.90.28.116 45.90.30.116
|
||||
|
@ -336,13 +348,6 @@
|
|||
metrics = {
|
||||
ENABLED = true;
|
||||
};
|
||||
"repository.signing" = {
|
||||
SIGNING_KEY = "default";
|
||||
INITIAL_COMMIT = "always";
|
||||
WIKI = "always";
|
||||
CRUD_ACTIONS = "always";
|
||||
MERGES = "always";
|
||||
};
|
||||
};
|
||||
};
|
||||
gitea-actions-runner = {
|
||||
|
@ -444,8 +449,6 @@
|
|||
cloudflared
|
||||
bat
|
||||
virtiofsd
|
||||
gnupg
|
||||
pinentry
|
||||
];
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
|
@ -471,7 +474,7 @@
|
|||
openssh.authorizedKeys.keys = let
|
||||
authorizedKeys = pkgs.fetchurl {
|
||||
url = "https://gmem.ca/ssh";
|
||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||
sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
|
||||
};
|
||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
||||
authorizedKeys);
|
||||
|
@ -484,7 +487,7 @@
|
|||
root.openssh.authorizedKeys.keys = let
|
||||
authorizedKeys = pkgs.fetchurl {
|
||||
url = "https://gmem.ca/ssh";
|
||||
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
|
||||
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
|
||||
};
|
||||
in pkgs.lib.splitString "\n" (builtins.readFile
|
||||
authorizedKeys);
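Review bot: The last two hunks give the two `pkgs.fetchurl` calls for `https://gmem.ca/ssh` different `sha256` values (`0vm0q5…` for the user, `0iwrm80h…` for root), whereas the `hash = "sha256-7PpF…"` lines were identical; the +/- markers are lost, so which side is new follows print order only. One URL cannot satisfy two different hashes at the same time, so on a clean store at least one fetch should fail, or the two accounts were pinned to different snapshots of the key file. Bind the fetch once in a shared `let` and use it for both `openssh.authorizedKeys.keys` definitions. The fixed hash is what stops a changed file at that URL from silently adding root keys, so it deserves a comment saying it must be re-verified by hand on every update.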
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
{ config, pkgs, callPackage, ... }:
|
||||
|
||||
{
|
||||
nixpkgs.overlays = [
|
||||
(import (builtins.fetchTarball {
|
||||
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
|
||||
sha256 = "11knjfj2gnj8y6jy4xali11g86clq7jmy5ndzy1gg0yy1y72xrhm";
|
||||
}))
|
||||
];
|
||||
|
||||
home.username = "gsimmer";
|
||||
home.homeDirectory = "/Primary/gabriel";
|
||||
|
||||
|
@ -51,6 +58,16 @@ end
|
|||
nix-direnv.enable = true;
|
||||
};
|
||||
|
||||
# services.lorri.enable = true;
|
||||
|
||||
programs.emacs = {
|
||||
enable = false;
|
||||
package = pkgs.emacs-unstable-pgtk;
|
||||
extraPackages = epkgs: [
|
||||
epkgs.vterm
|
||||
];
|
||||
};
|
||||
|
||||
programs.eza = {
|
||||
enable = true;
|
||||
enableAliases = true;
|
||||
|
|
|
@ -12,7 +12,5 @@ in
|
|||
"secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
|
||||
"secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ];
|
||||
"secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ];
|
||||
"secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ];
|
||||
"secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
|
||||
"secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
|
||||
}
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 J+a91w qN8Z94Hx1iQy12DngGD5/AiLJxbGbs51Tr3aE1/80gk
|
||||
6eH40Q7Hn/ES463b7FPjyUnNDlcOFCC1VM1qf5G7F/M
|
||||
-> ssh-ed25519 qbziOw k3d+DHeevcGtHJnPfCEKro/f2R8S2auaH+3BGE1meVI
|
||||
rAEfQWRi5CDYDPdYwFAV4cQgDT/B77lVBFKCGfeDk7I
|
||||
-> wU3bY.f)-grease m#L* _b8 `WSigN 3%
|
||||
A+cZ7hzU7HvAu6zUWZZ5pPMW20A8gCtCK6mUzMXbnjDNMtxW+bIRuQeKIOqKKjdw
|
||||
azUjJKU6NaEktNrNWG7G9PXn9uQ
|
||||
--- WDkj0HNNagL9VWzwgUZjAe4V/hZ1jZVkmVBgxHzXN7c
|
||||
¯%R»rJ[2̨<C38C>ºRbˆšë#o`5Q<35>+:ŽÊŽíî‡ÚV\LøQêoê°g:ÈRFL¼ÁÙýAƒL/ü<>peÛ!7ü¿©/Wÿ5€R<E282AC> <20>ÈËŽxKY Û³fô*Ò'î<>KÎ*.ýg¢×1RTÍFêû.2z5ðÿ¾~ˆý=|ecàP:„+{«ÈšeÂ0úù¿ÎS°ÛÄnS¥ao¨Š¸¢¿ç9†ƒÞ§ü<C2A7>¤W
—†„Õ<E2809E>³a> »ø!‚Â
|
|
@ -1,10 +1,9 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 oN6OTQ 290Jjq3X3EKWAJjbrxxNdLVYq7OOdTZAQBLnb0JlzEw
|
||||
Ci/Ngx0O5JbCbxNqkUdSz1zuHs2YMvi+st/Nf+BlhXk
|
||||
-> ssh-ed25519 qbziOw pexX+lrzjrIvjD1BXDOwZ6jvHNwHvI8NN7t0g+WAHE4
|
||||
8TlaRQnd/H/1nML+bJOL9J6rG1FOSFY7qTTiu11gqRo
|
||||
-> Q5TArB-grease
|
||||
bYTE3nqG4aLFTuXCpjRNM7rnVFlL7BCJ2BlqJbMn0CImH3owoMnYwpBBEO2i5/O7
|
||||
XdBin6lrZDYiFZMLzQ4DRd8B
|
||||
--- GfQW76dgud6sOfFfB1VoRiiZZqDePubrWRTbvKcx3Z0
|
||||
“n-‡ŽA3]Éró]YHp'`º…2óH^Î%Ï}= Nzútoöä:³5õ³ˆª‚éùê—R <52>§¾áýL瞶6‹©ÀÐÝ24¼ª"WË
|
||||
-> ssh-ed25519 oN6OTQ BBqv4gyfV+ZTQTKNhEUPRrzWNKz1YjVr3qyouxZ1l1s
|
||||
ApaqQizmjolL/f1j2iQAvRUuCrrv9l0R8ms63TsKmU0
|
||||
-> ssh-ed25519 qbziOw XL46mKp0s0IqX3sOY7wdyuxgIAdsNSb+pMl1oUgI2EY
|
||||
C+4Zy+62bzn7VkRdndpaiDtHc013K9PIrQXBpSqxD3s
|
||||
-> <#q*-grease
|
||||
GKgzRmWm4lA3tKsx96FM0QFnDI8Mu8jc76XM5uFZJnEY
|
||||
--- FZbu3X6NM/NxZBnjbc/BRIsccomlfkwIelFdc4NXt5g
|
||||
PÄó¨‹u®'®¦TÛ åßšµ¹^ªTÃ{ñevô÷Rb{ð1ì<31>K¦Í´eN œAàØéîÊÎ}MûjZ5K…öXd®vÜ+yƒ³”vÝE
|