Compare commits


5 commits

Gabriel Simmer dd3a96e222
Nix updates
open vulkan beta drivers for london, alertmanager, remove syncthing
overrides, setup forgejo signing
2023-09-19 23:59:44 +01:00
Gabriel Simmer d1fee34623
Split Kubernetes ingresses, wildcard cert 2023-09-19 23:58:57 +01:00
Gabriel Simmer 6ebaaa6606
Backup becki pictures, expose coredns metrics 2023-09-15 09:22:15 +01:00
Gabriel Simmer cebf3e0831
CoreDNS scraping job 2023-09-15 09:22:02 +01:00
Gabriel Simmer df767e3638
Add basic auth to Prometheus 2023-09-15 09:21:50 +01:00
24 changed files with 510 additions and 253 deletions


@ -7,11 +7,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1690228878,
"narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
"lastModified": 1694793763,
"narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
"rev": "572baca9b0c592f71982fca0790db4ce311e3c75",
"type": "github"
},
"original": {
@ -20,6 +20,25 @@
"type": "github"
}
},
"alertmanager-ntfy": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1672175240,
"narHash": "sha256-znVCx+4j9961QJJGI5RHIFrv2SGFd799Hao+LRThm+I=",
"owner": "alexbakker",
"repo": "alertmanager-ntfy",
"rev": "1e8a0901410207fa4357799f4e9f6d8f26e15626",
"type": "github"
},
"original": {
"owner": "alexbakker",
"repo": "alertmanager-ntfy",
"type": "github"
}
},
"bats-assert": {
"flake": false,
"locked": {
@ -75,6 +94,21 @@
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
@ -117,11 +151,11 @@
]
},
"locked": {
"lastModified": 1694375657,
"narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=",
"lastModified": 1694643239,
"narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7",
"rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
"type": "github"
},
"original": {
@ -132,7 +166,7 @@
},
"nixinate": {
"inputs": {
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1688141737,
@ -201,6 +235,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1670242877,
"narHash": "sha256-jBLh7dRHnbfvPPA9znOC6oQfKrCPJ0El8Zoe0BqnCjQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6e51c97f1c849efdfd4f3b78a4870e6aa2da4198",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1653060744,
"narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
@ -216,13 +266,13 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1694343207,
"narHash": "sha256-jWi7OwFxU5Owi4k2JmiL1sa/OuBCQtpaAesuj5LXC8w=",
"lastModified": 1694948089,
"narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "78058d810644f5ed276804ce7ea9e82d92bee293",
"rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
"type": "github"
},
"original": {
@ -232,7 +282,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1636823747,
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
@ -250,10 +300,11 @@
"root": {
"inputs": {
"agenix": "agenix",
"alertmanager-ntfy": "alertmanager-ntfy",
"home-manager": "home-manager_2",
"nixinate": "nixinate",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"terranix": "terranix"
}
},
@ -261,8 +312,8 @@
"inputs": {
"bats-assert": "bats-assert",
"bats-support": "bats-support",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_4",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_5",
"terranix-examples": "terranix-examples"
},
"locked": {


@ -13,9 +13,10 @@
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
alertmanager-ntfy.url = "github:alexbakker/alertmanager-ntfy";
};
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix }:
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy }:
let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
tf = terranix.lib.terranixConfiguration {
@ -107,6 +108,7 @@
modules = [
(import ./nix/monitoring/configuration.nix)
agenix.nixosModules.default
alertmanager-ntfy.nixosModules.x86_64-linux.default
{
_module.args.nixinate = {
host = "monitoring";
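Review bot: The new `alertmanager-ntfy` input is added without `inputs.nixpkgs.follows`, so it pulls its own `nixpkgs` and `flake-utils`; the lock file in this same commit shows that as `nixpkgs_2` with lastModified 1670228878-era timestamps (December 2022), nine months behind the root `nixpkgs_4`. Unless that module deliberately has to build against a frozen package set, add `alertmanager-ntfy.inputs.nixpkgs.follows = "nixpkgs";` beside the url line, exactly as the neighbouring `nixos-generators` input already does, so the closure does not carry a second, stale nixpkgs. Whether any package from the old set actually lands on the monitoring host depends on how the module references `pkgs`, which is outside this hunk — worth checking with `nix flake metadata` after the change.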


@ -52,7 +52,31 @@ kind: ConfigMap
metadata:
name: atuin
data:
ATUIN_OPEN_REGISTRATION: "true"
ATUIN_OPEN_REGISTRATION: "false"
ATUIN_DB_URI: "sqlite:///config/database.sqlite"
ATUIN_HOST: "0.0.0.0"
ATUIN_PORT: "8888"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: atuin
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- atuin.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: atuin.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: atuin
port:
number: 8888
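Review bot: Keeping `cert-manager.io/issuer: "le-issuer"` on this Ingress while pointing `secretName` at `gmem-ca-wildcard` makes cert-manager's ingress-shim generate a Certificate for just `atuin.gmem.ca` that writes to the same Secret as the explicit `*.gmem.ca` Certificate introduced in this commit, and the two will keep overwriting each other; the same pattern is repeated on every split Ingress here. Drop the `cert-manager.io/issuer` annotation from the per-host Ingresses and let the wildcard Certificate alone own the Secret. The flip of `ATUIN_OPEN_REGISTRATION` to `"false"` is the right default for a publicly routed host; a trailing `# closed: host is internet-facing, create accounts out of band` would mark it as deliberate.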


@ -42,3 +42,27 @@ spec:
ports:
- port: 3000
targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dref
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- dref.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: dref.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dref
port:
number: 3000


@ -21,3 +21,27 @@ subsets:
- name: ombi
port: 3579
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: request-media
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- request-media.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: request-media.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ombi
port:
number: 3579


@ -116,3 +116,31 @@ spec:
endpoints:
- port: metrics
interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: food
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto $scheme;
namespace: default
spec:
tls:
- hosts:
- food.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: food.gmem.ca
http:
paths:
- backend:
service:
name: grocy
port:
number: 80
path: /
pathType: Prefix
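Review bot: `nginx.ingress.kubernetes.io/ssl-redirect: "false"` keeps `food.gmem.ca` reachable over plain HTTP, and the `X-Forwarded-Proto $scheme` snippet then tells grocy the request really was HTTP; this was presumably needed while the host sat behind the deleted `funneled-ingress` with TLS terminated upstream. Now that it is a standalone Ingress with its own `tls` block, either remove both annotations so this host gets the same HTTPS-only behaviour as the other split Ingresses, or add a comment stating what terminates TLS in front of it, e.g. `# ssl-redirect off: TLS terminated by the upstream funnel, which forwards plain HTTP` — confirm which is the case.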


@ -72,3 +72,27 @@ spec:
ports:
- port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: freshrss
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- freshrss.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: freshrss.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: freshrss
port:
number: 80


@ -47,3 +47,28 @@ spec:
- port: 80
targetPort: 80
name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: home
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- home.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: home.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dashy
port:
number: 80


@ -66,3 +66,27 @@ spec:
- port: 5353
targetPort: 5353
name: bonjour
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homebridge
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- hb.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: hb.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homebridge
port:
number: 8581


@ -48,3 +48,27 @@ spec:
ports:
- port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hue
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- hue.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: hue.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hue
port:
number: 80


@ -1,153 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: primary-ingress
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
namespace: default
spec:
tls:
- hosts:
- home.gmem.ca
- atuin.gmem.ca
- pw.gmem.ca
- icr.gmem.ca
- hue.gmem.ca
- request-media.gmem.ca
- ntfy.gmem.ca
- dref.gmem.ca
- freshrss.gmem.ca
- hb.gmem.ca
secretName: primary-tls
rules:
- host: pw.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
- host: icr.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000
- host: hue.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hue
port:
number: 80
- host: request-media.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ombi
port:
number: 3579
- host: ntfy.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntfy
port:
number: 80
- host: dref.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dref
port:
number: 3000
- host: freshrss.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: freshrss
port:
number: 80
- host: hb.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homebridge
port:
number: 8581
- host: atuin.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: atuin
port:
number: 8888
- host: home.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dashy
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: funneled-ingress
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto $scheme;
namespace: default
spec:
tls:
- hosts:
- food.gmem.ca
secretName: funnel-tls
rules:
- host: food.gmem.ca
http:
paths:
- backend:
service:
name: grocy
port:
number: 80
path: /
pathType: Prefix


@ -7,7 +7,7 @@ spec:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: mc-invites@gmem.ca
email: acme@gmem.ca
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-pro
@ -17,9 +17,20 @@ spec:
dnsZones:
- "gmem.ca"
dns01:
route53:
region: us-east-1
accessKeyID: AKIA5VMESTY2UY5MRR42
secretAccessKeySecretRef:
name: route53
key: secret-access-key
cloudflare:
apiTokenSecretRef:
name: cloudflare-cert-api
key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gmem-ca-wildcard
spec:
secretName: gmem-ca-wildcard
issuerRef:
kind: Issuer
name: le-issuer
commonName: "*.gmem.ca"
dnsNames:
- "*.gmem.ca"
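Review bot: Removing the Route53 block leaves the access key ID `AKIA5VMESTY2UY5MRR42` in git history together with the name of the Secret that held its counterpart, so that IAM key should be deactivated and deleted in AWS and the `route53` Secret removed from the cluster, not merely dropped from config. The replacement token behind `cloudflare-cert-api` can prove control of any name in the zone, so scope it to `Zone:DNS:Edit` on `gmem.ca` only. Note also that `gmem-ca-wildcard` now holds one private key valid for every `*.gmem.ca` host and is readable by anything that can read Secrets in `default`, a wider blast radius than the per-host `primary-tls` it replaces — a comment on the Certificate such as `# one wildcard key shared by all default-namespace ingresses; rotate if any of them is compromised` would record that trade-off.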


@ -52,4 +52,27 @@ data:
base-url: https://ntfy.gmem.ca
behind-proxy: true
upstream-base-url: "https://ntfy.sh"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ntfy
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- ntfy.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: ntfy.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntfy
port:
number: 80


@ -52,5 +52,12 @@ prometheus:
remoteWrite:
- name: monitoring
url: http://grafana.gmem.ca:9001/api/v1/write
basicAuth:
username:
name: prometheus-remote-basic-auth
key: username
password:
name: prometheus-remote-basic-auth
key: password
grafana:
enabled: false
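Review bot: The new `basicAuth` block sends the `prometheus-remote-basic-auth` username and password on every remote-write request to `http://grafana.gmem.ca:9001/api/v1/write`, and that url is plain HTTP, so unless the name resolves to a tailnet address and the traffic stays inside WireGuard the credentials travel in cleartext. Either point `url` at an `https://` vhost terminated by the nginx already running on the monitoring host, with the remote-write receiver proxied behind it, or add a comment next to `url:` recording that `grafana.gmem.ca:9001` is only reachable over the tailnet. The receiver side is presumably the `webConfigFile` basic-auth users on the monitoring Prometheus; confirm the two credential pairs match, since a mismatch only shows up as silently dropped samples.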


@ -46,3 +46,28 @@ spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-client
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: container-registry
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
namespace: default
spec:
tls:
- hosts:
- icr.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: icr.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000
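Review bot: `proxy-body-size: 100m` is too small for a container registry — individual image layers routinely exceed 100 MB and will fail with 413 on push — so this Ingress should use `nginx.ingress.kubernetes.io/proxy-body-size: "0"` (the registry's own deployment guidance) rather than inheriting the limit from the deleted `primary-ingress`. The Ingress also forwards `icr.gmem.ca` to `registry:5000` with no auth annotation, so whether pushes are authenticated depends entirely on the registry's own config, which is outside this hunk; if it is anonymous, add `nginx.ingress.kubernetes.io/whitelist-source-range` for the tailnet or basic auth at the ingress before relying on it from the internet.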


@ -22,7 +22,7 @@ spec:
name: vaultwarden
initContainers:
- name: init-litestream
image: litestream/litestream:sha-749bc0d
image: litestream/litestream:0.3.11
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3']
volumeMounts:
- name: data
@ -54,7 +54,7 @@ spec:
mountPath: /data/config.json
subPath: vaultwarden.json
- name: litestream
image: litestream/litestream:sha-749bc0d
image: litestream/litestream:0.3.11
args: ['replicate']
volumeMounts:
- name: data
@ -116,3 +116,27 @@ spec:
endpoints:
- port: metrics
interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- pw.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: pw.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
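Review bot: The split `vaultwarden` Ingress drops the `nginx.ingress.kubernetes.io/proxy-body-size: 100m` that the deleted `primary-ingress` applied to `pw.gmem.ca`, so attachments and Sends larger than ingress-nginx's default 1m will now be rejected with 413; re-add `nginx.ingress.kubernetes.io/proxy-body-size: 100m` under `annotations` if that limit was intentional. Separately, both litestream containers move from the immutable `sha-749bc0d` tag to the mutable `0.3.11` tag; for a sidecar that reads and replicates the password-vault database, pin by digest (`litestream/litestream:0.3.11@sha256:<digest>`) so the image cannot change underneath you.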


@ -1,24 +1,5 @@
{ config, pkgs, ... }:
let
syncthingLatest =
let
version = "1.24.0";
src = pkgs.fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v1.24.0";
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
};
in
(pkgs.syncthing.override rec {
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
inherit src version;
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
});
});
in
{
imports =
[
@ -78,7 +59,7 @@ in
enable = true;
allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
allowedTCPPorts = [ 7000 7100 22000 ];
allowedTCPPorts = [ 7000 7100 22000 8000 ];
allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ];
trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose";
@ -97,7 +78,6 @@ in
user = "gsimmer";
dataDir = "/home/gsimmer";
guiAddress = "100.95.77.62:8384";
package = syncthingLatest;
};
usbmuxd.enable = true;
prometheus.exporters.node = {
@ -155,6 +135,8 @@ in
nvidia = {
modesetting.enable = true;
nvidiaSettings = true;
open = true;
package = config.boot.kernelPackages.nvidiaPackages.vulkan_beta;
};
sane.enable = true;
sane.extraBackends = [ pkgs.epkowa ];
@ -172,6 +154,7 @@ in
};
programs = {
river.enable = true;
gamemode.enable = true;
zsh.enable = true;
fish.enable = true;
@ -233,6 +216,8 @@ in
yubikey-touch-detector
docker-compose
home-manager
libimobiledevice
ifuse
];
};
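Review bot: Port `8000` is added to `allowedTCPPorts` with nothing saying what listens there, and that list is global, so the port opens on every interface rather than only on `tailscale0`, which is already in `trustedInterfaces` and needs no rule. If the service is only meant for tailnet clients the new entry can simply be dropped; if it must be reachable from the LAN, say so inline, e.g. `allowedTCPPorts = [ 7000 7100 22000 8000 ]; # 8000: <service>, LAN-reachable on purpose`. Replacing the hand-rolled `syncthingLatest` override with the nixpkgs package is a good change, since it puts syncthing back on the normal security-update path.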


@ -16,7 +16,7 @@
[
(import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "0h5jabl78dpgknf5p3q5wmwx1856ywjh3nxlbsrqk8fr1g3aix8n";
sha256 = "17y4i3p35qbw4xq7fybs60d2ym3brqzpv9mgsb55ma1rfc08m1jc";
})) discordOverlay];
};
home = {
@ -565,6 +565,7 @@ $env.config = {
discord
mangohud
comma
gamescope
];
# This value determines the Home Manager release that your
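Review bot: The emacs overlay is still fetched from `archive/master.tar.gz`, so the updated `sha256` only records that some snapshot of master was used, not which one, and it will break again on the next upstream push. Fetch a specific commit instead, `url = "https://github.com/nix-community/emacs-overlay/archive/<commit>.tar.gz";`, or add the overlay as a flake input so the rev is recorded in `flake.lock` alongside the others. The hash already protects integrity either way; this is about being able to audit which overlay code was evaluated.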


@ -9,6 +9,17 @@
owner = "healthchecks";
};
age.secrets.prometheus-webconfig-secret = {
file = ../../secrets/monitoring-prometheus-webconfig.age;
owner = "prometheus";
mode = "775";
};
age.secrets.prometheus-password-secret = {
file = ../../secrets/monitoring-prometheus-password.age;
owner = "prometheus";
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "monitoring";
@ -27,11 +38,89 @@
http_addr = "127.0.0.1";
};
};
services.alertmanager-ntfy = {
enable = true;
settings = {
http = {
addr = "127.0.0.1:8111";
};
ntfy = {
baseurl = "https://ntfy.gmem.ca";
notification = {
topic = "alerts";
priority = ''
status == "firing" ? "high" : "default"
'';
templates = {
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
description = ''{{ index .Annotations "description" }}'';
click = ''http://grafana.gmem.ca/d/{{ index .Annotations "dashboard" }}'';
};
};
};
};
};
services.prometheus = {
enable = true;
webConfigFile = config.age.secrets.prometheus-webconfig-secret.path;
globalConfig = {
scrape_interval = "15s";
};
alertmanagers = [ {
basic_auth = {
username = "homelab";
password_file = config.age.secrets.prometheus-password-secret.path;
};
static_configs = [ {
targets = [
"localhost:9093"
];
} ];
} ];
rules = [(builtins.toJSON {
groups = [{
name = "healthchecks";
rules = [
{
alert = "HealthcheckFailedCheckin";
expr = ''hc_check_up < 1'';
for = "5m";
labels.severity = "page";
annotations = {
summary = "{{ $labels.name }} healthcheck failed";
description = "The {{ $labels.name }} healthcheck failed to check in.";
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
};
}
];
}];
})];
alertmanager = {
enable = true;
extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ];
webExternalUrl = "https://alerts.gmem.ca";
configText = ''
global: {}
# The directory from which notification templates are read.
templates:
- '/etc/alertmanager/template/*.tmpl'
# The root route on which each incoming alert enters.
route:
group_by: ['alertname', 'cluster', 'service']
group_wait: 0s
group_interval: 5m
repeat_interval: 3h
# A default receiver
receiver: ntfy
receivers:
- name: ntfy
webhook_configs:
- url: http://localhost:8111/hook
'';
};
port = 9001;
extraFlags = [ "--web.enable-remote-write-receiver" ];
scrapeConfigs = [
@ -53,6 +142,10 @@
job_name = "forgejo";
static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
}
{
job_name = "coredns";
static_configs = [ { targets = [ "vancouver:9253" ]; } ];
}
{
job_name = "healthchecks";
scrape_interval = "60s";
@ -107,6 +200,7 @@
proxyWebsockets = true;
};
};
virtualHosts."healthchecks.gmem.ca" = {
enableACME = true;
forceSSL = true;
@ -114,9 +208,6 @@
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
};
locations."~ \/projects\/.+\/metrics\/.+" = {
extraConfig = "deny all;";
};
};
};
security.acme.acceptTerms = true;
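Review bot: `age.secrets.prometheus-webconfig-secret` is decrypted with `mode = "775"`, which makes the web-config file readable (and executable) by every local user, apparently so that both `prometheus` and `alertmanager` can open it; even if it only holds bcrypt hashes, share it with a group instead, e.g. `owner = "prometheus"; group = "alertmanager"; mode = "0440";` with prometheus added to that group, or a second `age.secrets` entry owned by `alertmanager`. This section also deletes the `deny all` on `~ \/projects\/.+\/metrics\/.+` in the `healthchecks.gmem.ca` vhost, so the per-project metrics endpoint, guarded only by the read-only key in its URL, is now reachable from the internet; if that was done so Prometheus can scrape it, point the `healthchecks` scrape job (its targets are outside this hunk) at `127.0.0.1:8000` and keep the deny rule. Alerts are published to the `alerts` topic on `ntfy.gmem.ca`; unless that ntfy instance has ACLs, anyone who guesses the topic name can subscribe to alert text or publish fake alerts, which is worth a comment next to `topic = "alerts";` either way.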


@ -1,29 +1,15 @@
{ config, pkgs, ... }:
let
syncthingLatest =
let
version = "1.24.0";
src = pkgs.fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v1.24.0";
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
};
in
(pkgs.syncthing.override rec {
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
inherit src version;
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
});
});
in
{
imports =
[ # Include the results of the hardware scan.
./hardware.nix
];
age.secrets.action-token.file = ../../secrets/vancouver-action-runner.age;
age.secrets.action-token = {
file = ../../secrets/vancouver-action-runner.age;
owner = "gitea-runner";
};
age.secrets.restic-b2-credentials = {
file = ../../secrets/vancouver-restic-b2.age;
group = "users";
@ -95,6 +81,7 @@ in
repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup";
paths = [
"\"/Primary/becki/VRChat\ Avatars\""
"/Primary/becki/Pictures"
];
timerConfig = {
OnCalendar = "daily";
@ -153,7 +140,6 @@ in
user = "gsimmer";
dataDir = "/Primary/gabriel";
guiAddress = "100.116.48.47:8384";
package = syncthingLatest;
};
prometheus.exporters = {
blackbox = {
@ -173,6 +159,8 @@ in
config =
''
.:53 {
prometheus 100.116.48.47:9253
health
file /var/src/dns.db git.gmem.ca food.gmem.ca
forward . 45.90.28.116 45.90.30.116
@ -348,6 +336,13 @@ in
metrics = {
ENABLED = true;
};
"repository.signing" = {
SIGNING_KEY = "default";
INITIAL_COMMIT = "always";
WIKI = "always";
CRUD_ACTIONS = "always";
MERGES = "always";
};
};
};
gitea-actions-runner = {
@ -449,6 +444,8 @@ in
cloudflared
bat
virtiofsd
gnupg
pinentry
];
time.timeZone = "Europe/London";
@ -474,7 +471,7 @@ in
openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh";
sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
};
in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
@ -487,7 +484,7 @@ in
root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh";
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
};
in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys);
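Review bot: `"repository.signing"` sets `SIGNING_KEY = "default"` with no `SIGNING_NAME`/`SIGNING_EMAIL`, which tells Forgejo to use whatever `user.signingkey` the service user's git config already names; nothing in this section creates that key or configures gpg for the service user (only `gnupg` and `pinentry` are added to `systemPackages`), so if it is absent the server presumably just logs and leaves commits unsigned. Add a comment next to `SIGNING_KEY` recording where the key lives and how it was generated, e.g. `# key generated on-host in the forgejo user's keyring; never leaves this machine`, and verify by inspecting a fresh wiki or web-created commit. Note that `MERGES = "always"` and `CRUD_ACTIONS = "always"` mean the server signs on behalf of users, so this key is a server identity rather than a person's. The authorized-keys switch to SRI `hash` is fine; both users now pin the same snapshot of `https://gmem.ca/ssh`, and a content change there fails the build instead of silently admitting new keys.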


@ -1,13 +1,6 @@
{ config, pkgs, callPackage, ... }:
{
nixpkgs.overlays = [
(import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "11knjfj2gnj8y6jy4xali11g86clq7jmy5ndzy1gg0yy1y72xrhm";
}))
];
home.username = "gsimmer";
home.homeDirectory = "/Primary/gabriel";
@ -58,16 +51,6 @@ end
nix-direnv.enable = true;
};
# services.lorri.enable = true;
programs.emacs = {
enable = false;
package = pkgs.emacs-unstable-pgtk;
extraPackages = epkgs: [
epkgs.vterm
];
};
programs.eza = {
enable = true;
enableAliases = true;


@ -12,5 +12,7 @@ in
"secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
"secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
"secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
}


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 J+a91w qN8Z94Hx1iQy12DngGD5/AiLJxbGbs51Tr3aE1/80gk
6eH40Q7Hn/ES463b7FPjyUnNDlcOFCC1VM1qf5G7F/M
-> ssh-ed25519 qbziOw k3d+DHeevcGtHJnPfCEKro/f2R8S2auaH+3BGE1meVI
rAEfQWRi5CDYDPdYwFAV4cQgDT/B77lVBFKCGfeDk7I
-> wU3bY.f)-grease m#L* _b8 `WSigN 3%
A+cZ7hzU7HvAu6zUWZZ5pPMW20A8gCtCK6mUzMXbnjDNMtxW+bIRuQeKIOqKKjdw
azUjJKU6NaEktNrNWG7G9PXn9uQ
--- WDkj0HNNagL9VWzwgUZjAe4V/hZ1jZVkmVBgxHzXN7c
¯%R»rJ[2̨<C38C>ºRbˆšë#o`5Q<35>+:ŽÊŽíî‡ÚV\LøQêoê°g:ÈRFL¼ÁÙýAƒL/ü<>peÛ!7ü¿­©/Wÿ5€R<E282AC> <20>ÈËŽxKY Û³fô*Ò'î<>KÎ* .ýg¢×1RTÍFêû.2z5ðÿ¾~ˆý=|ecàP:„+{«ÈšeÂ0úù¿ÎS°ÛÄnS¥ao¨Š¸¢¿ç9†ƒÞ§ü<C2A7>¤W —†„Õ<E2809E>³a > »ø!‚Â


@ -1,9 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 oN6OTQ BBqv4gyfV+ZTQTKNhEUPRrzWNKz1YjVr3qyouxZ1l1s
ApaqQizmjolL/f1j2iQAvRUuCrrv9l0R8ms63TsKmU0
-> ssh-ed25519 qbziOw XL46mKp0s0IqX3sOY7wdyuxgIAdsNSb+pMl1oUgI2EY
C+4Zy+62bzn7VkRdndpaiDtHc013K9PIrQXBpSqxD3s
-> <#q*-grease
GKgzRmWm4lA3tKsx96FM0QFnDI8Mu8jc76XM5uFZJnEY
--- FZbu3X6NM/NxZBnjbc/BRIsccomlfkwIelFdc4NXt5g
PÄó¨¦TÛ åßšµ¹^ªTÃ{ñevô÷Rb{ð1ì<31>K¦Í´eN œAàØéîÊÎ}MûjZ5K…öXd®vÜ+yƒ³”vÝE
-> ssh-ed25519 oN6OTQ 290Jjq3X3EKWAJjbrxxNdLVYq7OOdTZAQBLnb0JlzEw
Ci/Ngx0O5JbCbxNqkUdSz1zuHs2YMvi+st/Nf+BlhXk
-> ssh-ed25519 qbziOw pexX+lrzjrIvjD1BXDOwZ6jvHNwHvI8NN7t0g+WAHE4
8TlaRQnd/H/1nML+bJOL9J6rG1FOSFY7qTTiu11gqRo
-> Q5TArB-grease
bYTE3nqG4aLFTuXCpjRNM7rnVFlL7BCJ2BlqJbMn0CImH3owoMnYwpBBEO2i5/O7
XdBin6lrZDYiFZMLzQ4DRd8B
--- GfQW76dgud6sOfFfB1VoRiiZZqDePubrWRTbvKcx3Z0
“n-‡ŽA3]Éró]YHp'`º2óH^Î%Ï}= Nzútoöä:³5õ³ˆªéùê—R <52>§¾áýL瞶6‹©ÀÐÝ24¼ª"WË