
5 commits

Gabriel Simmer dd3a96e222
Nix updates
open vulkan beta drivers for london, alertmanager, remove syncthing
overrides, setup forgejo signing
2023-09-19 23:59:44 +01:00
Gabriel Simmer d1fee34623
Split Kubernetes ingresses, wildcard cert 2023-09-19 23:58:57 +01:00
Gabriel Simmer 6ebaaa6606
Backup becki pictures, expose coredns metrics 2023-09-15 09:22:15 +01:00
Gabriel Simmer cebf3e0831
CoreDNS scraping job 2023-09-15 09:22:02 +01:00
Gabriel Simmer df767e3638
Add basic auth to Prometheus 2023-09-15 09:21:50 +01:00
24 changed files with 510 additions and 253 deletions


@ -7,11 +7,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1690228878, "lastModified": 1694793763,
"narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", "narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", "rev": "572baca9b0c592f71982fca0790db4ce311e3c75",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -20,6 +20,25 @@
"type": "github" "type": "github"
} }
}, },
"alertmanager-ntfy": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1672175240,
"narHash": "sha256-znVCx+4j9961QJJGI5RHIFrv2SGFd799Hao+LRThm+I=",
"owner": "alexbakker",
"repo": "alertmanager-ntfy",
"rev": "1e8a0901410207fa4357799f4e9f6d8f26e15626",
"type": "github"
},
"original": {
"owner": "alexbakker",
"repo": "alertmanager-ntfy",
"type": "github"
}
},
"bats-assert": { "bats-assert": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -75,6 +94,21 @@
} }
}, },
"flake-utils": { "flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": { "locked": {
"lastModified": 1634851050, "lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
@ -117,11 +151,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1694375657, "lastModified": 1694643239,
"narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=", "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7", "rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -132,7 +166,7 @@
}, },
"nixinate": { "nixinate": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1688141737, "lastModified": 1688141737,
@ -201,6 +235,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1670242877,
"narHash": "sha256-jBLh7dRHnbfvPPA9znOC6oQfKrCPJ0El8Zoe0BqnCjQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6e51c97f1c849efdfd4f3b78a4870e6aa2da4198",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1653060744, "lastModified": 1653060744,
"narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
@ -216,13 +266,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1694343207, "lastModified": 1694948089,
"narHash": "sha256-jWi7OwFxU5Owi4k2JmiL1sa/OuBCQtpaAesuj5LXC8w=", "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "78058d810644f5ed276804ce7ea9e82d92bee293", "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -232,7 +282,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1636823747, "lastModified": 1636823747,
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=", "narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
@ -250,10 +300,11 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"alertmanager-ntfy": "alertmanager-ntfy",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixinate": "nixinate", "nixinate": "nixinate",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_4",
"terranix": "terranix" "terranix": "terranix"
} }
}, },
@ -261,8 +312,8 @@
"inputs": { "inputs": {
"bats-assert": "bats-assert", "bats-assert": "bats-assert",
"bats-support": "bats-support", "bats-support": "bats-support",
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_5",
"terranix-examples": "terranix-examples" "terranix-examples": "terranix-examples"
}, },
"locked": { "locked": {


@ -13,9 +13,10 @@
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
alertmanager-ntfy.url = "github:alexbakker/alertmanager-ntfy";
}; };
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix }: outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix, alertmanager-ntfy }:
let let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
tf = terranix.lib.terranixConfiguration { tf = terranix.lib.terranixConfiguration {
@ -107,6 +108,7 @@
modules = [ modules = [
(import ./nix/monitoring/configuration.nix) (import ./nix/monitoring/configuration.nix)
agenix.nixosModules.default agenix.nixosModules.default
alertmanager-ntfy.nixosModules.x86_64-linux.default
{ {
_module.args.nixinate = { _module.args.nixinate = {
host = "monitoring"; host = "monitoring";
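Review bot: The new `alertmanager-ntfy.url` input does not follow the root `nixpkgs`, unlike `nixos-generators` two lines above it which sets `inputs.nixpkgs.follows = "nixpkgs";`, so the lock in this compare now carries a second nixpkgs for it (`nixpkgs_2`, lastModified 1670242877) plus its own `flake-utils`. Whether the module's packages are evaluated from that older snapshot depends on how the upstream module references `pkgs`, which is not visible here, but following the root input avoids the question and keeps one nixpkgs to audit. Write it as `alertmanager-ntfy = { url = "github:alexbakker/alertmanager-ntfy"; inputs.nixpkgs.follows = "nixpkgs"; };` and re-lock.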


@ -52,7 +52,31 @@ kind: ConfigMap
metadata: metadata:
name: atuin name: atuin
data: data:
ATUIN_OPEN_REGISTRATION: "true" ATUIN_OPEN_REGISTRATION: "false"
ATUIN_DB_URI: "sqlite:///config/database.sqlite" ATUIN_DB_URI: "sqlite:///config/database.sqlite"
ATUIN_HOST: "0.0.0.0" ATUIN_HOST: "0.0.0.0"
ATUIN_PORT: "8888" ATUIN_PORT: "8888"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: atuin
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- atuin.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: atuin.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: atuin
port:
number: 8888
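Review bot: This Ingress carries `cert-manager.io/issuer: "le-issuer"` while its `spec.tls[].secretName` is `gmem-ca-wildcard`, the Secret that the explicit wildcard Certificate added in the issuer manifest of this compare already manages; cert-manager's ingress-shim will therefore attempt a Certificate for the same Secret with only `atuin.gmem.ca` as a dnsName, and depending on the cert-manager version it either refuses because the existing Certificate is not owned by the Ingress or replaces the wildcard with a single-host certificate. Since the wildcard Certificate supplies the Secret, drop the line `cert-manager.io/issuer: "le-issuer"` from this Ingress and just reference the Secret. The same applies to the dref, request-media, food, freshrss, home, homebridge, hue, ntfy, container-registry and vaultwarden Ingresses added in this compare.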


@ -42,3 +42,27 @@ spec:
ports: ports:
- port: 3000 - port: 3000
targetPort: 3000 targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dref
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- dref.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: dref.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dref
port:
number: 3000


@ -21,3 +21,27 @@ subsets:
- name: ombi - name: ombi
port: 3579 port: 3579
protocol: TCP protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: request-media
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- request-media.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: request-media.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ombi
port:
number: 3579


@ -116,3 +116,31 @@ spec:
endpoints: endpoints:
- port: metrics - port: metrics
interval: 30s interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: food
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto $scheme;
namespace: default
spec:
tls:
- hosts:
- food.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: food.gmem.ca
http:
paths:
- backend:
service:
name: grocy
port:
number: 80
path: /
pathType: Prefix
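Review bot: The food Ingress keeps `nginx.ingress.kubernetes.io/ssl-redirect: "false"` and the `X-Forwarded-Proto` snippet from the deleted `funneled-ingress`, so grocy remains reachable over plain HTTP even though it now shares the `gmem-ca-wildcard` certificate with every other host in this compare. If those annotations existed only for a funnel path that terminated TLS elsewhere, remove `nginx.ingress.kubernetes.io/ssl-redirect: "false"` so this host redirects like the rest; whether that funnel is still in front of it is not visible in the diff.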


@ -72,3 +72,27 @@ spec:
ports: ports:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: freshrss
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- freshrss.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: freshrss.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: freshrss
port:
number: 80


@ -47,3 +47,28 @@ spec:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
name: web name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: home
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- home.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: home.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dashy
port:
number: 80


@ -66,3 +66,27 @@ spec:
- port: 5353 - port: 5353
targetPort: 5353 targetPort: 5353
name: bonjour name: bonjour
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homebridge
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- hb.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: hb.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homebridge
port:
number: 8581


@ -48,3 +48,27 @@ spec:
ports: ports:
- port: 80 - port: 80
targetPort: 80 targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hue
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- hue.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: hue.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hue
port:
number: 80


@ -1,153 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: primary-ingress
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
namespace: default
spec:
tls:
- hosts:
- home.gmem.ca
- atuin.gmem.ca
- pw.gmem.ca
- icr.gmem.ca
- hue.gmem.ca
- request-media.gmem.ca
- ntfy.gmem.ca
- dref.gmem.ca
- freshrss.gmem.ca
- hb.gmem.ca
secretName: primary-tls
rules:
- host: pw.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
- host: icr.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000
- host: hue.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hue
port:
number: 80
- host: request-media.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ombi
port:
number: 3579
- host: ntfy.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntfy
port:
number: 80
- host: dref.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dref
port:
number: 3000
- host: freshrss.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: freshrss
port:
number: 80
- host: hb.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homebridge
port:
number: 8581
- host: atuin.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: atuin
port:
number: 8888
- host: home.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dashy
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: funneled-ingress
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto $scheme;
namespace: default
spec:
tls:
- hosts:
- food.gmem.ca
secretName: funnel-tls
rules:
- host: food.gmem.ca
http:
paths:
- backend:
service:
name: grocy
port:
number: 80
path: /
pathType: Prefix


@ -7,7 +7,7 @@ spec:
# The ACME server URL # The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration # Email address used for ACME registration
email: mc-invites@gmem.ca email: acme@gmem.ca
# Name of a secret used to store the ACME account private key # Name of a secret used to store the ACME account private key
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-pro name: letsencrypt-pro
@ -17,9 +17,20 @@ spec:
dnsZones: dnsZones:
- "gmem.ca" - "gmem.ca"
dns01: dns01:
route53: cloudflare:
region: us-east-1 apiTokenSecretRef:
accessKeyID: AKIA5VMESTY2UY5MRR42 name: cloudflare-cert-api
secretAccessKeySecretRef: key: api-token
name: route53 ---
key: secret-access-key apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gmem-ca-wildcard
spec:
secretName: gmem-ca-wildcard
issuerRef:
kind: Issuer
name: le-issuer
commonName: "*.gmem.ca"
dnsNames:
- "*.gmem.ca"
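Review bot: The issuer now takes its DNS-01 credential from `cloudflare-cert-api`, but nothing retires the `route53` Secret or the AWS access key the removed lines named; that key ID sat in a committed manifest and stays in history, so deactivate it in IAM and delete the orphaned Secret alongside this change. The `cloudflare-cert-api` Secret is not created anywhere in this compare either, so presumably it is applied out of band; a token scoped to DNS edit on the `gmem.ca` zone alone is all the issuer needs. The new `gmem-ca-wildcard` Certificate has no `metadata.namespace` while every Ingress that references its Secret pins `namespace: default`; add `namespace: default` under the Certificate's `metadata` so the Secret cannot land in whichever namespace the applying context happens to select.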


@ -52,4 +52,27 @@ data:
base-url: https://ntfy.gmem.ca base-url: https://ntfy.gmem.ca
behind-proxy: true behind-proxy: true
upstream-base-url: "https://ntfy.sh" upstream-base-url: "https://ntfy.sh"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ntfy
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- ntfy.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: ntfy.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ntfy
port:
number: 80


@ -52,5 +52,12 @@ prometheus:
remoteWrite: remoteWrite:
- name: monitoring - name: monitoring
url: http://grafana.gmem.ca:9001/api/v1/write url: http://grafana.gmem.ca:9001/api/v1/write
basicAuth:
username:
name: prometheus-remote-basic-auth
key: username
password:
name: prometheus-remote-basic-auth
key: password
grafana: grafana:
enabled: false enabled: false
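Review bot: The new `basicAuth` block authenticates remote write, but the `url` on the line above it stays `http://grafana.gmem.ca:9001/api/v1/write`, so the username and password are sent as a cleartext Basic header unless that path is an encrypted overlay or the receiver's web config also enables TLS; the diff does not show which is the case. If the receiver terminates TLS, change the scheme to `https://` and supply the CA through `tlsConfig`; if plaintext is deliberate, record why next to the url, e.g. `# plaintext acceptable: <reason>`. The `prometheus-remote-basic-auth` Secret is not created in this compare, so presumably it is applied out of band.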


@ -46,3 +46,28 @@ spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClassName: nfs-client storageClassName: nfs-client
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: container-registry
annotations:
cert-manager.io/issuer: "le-issuer"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
namespace: default
spec:
tls:
- hosts:
- icr.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: icr.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000


@ -22,7 +22,7 @@ spec:
name: vaultwarden name: vaultwarden
initContainers: initContainers:
- name: init-litestream - name: init-litestream
image: litestream/litestream:sha-749bc0d image: litestream/litestream:0.3.11
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3'] args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3']
volumeMounts: volumeMounts:
- name: data - name: data
@ -54,7 +54,7 @@ spec:
mountPath: /data/config.json mountPath: /data/config.json
subPath: vaultwarden.json subPath: vaultwarden.json
- name: litestream - name: litestream
image: litestream/litestream:sha-749bc0d image: litestream/litestream:0.3.11
args: ['replicate'] args: ['replicate']
volumeMounts: volumeMounts:
- name: data - name: data
@ -116,3 +116,27 @@ spec:
endpoints: endpoints:
- port: metrics - port: metrics
interval: 30s interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden
annotations:
cert-manager.io/issuer: "le-issuer"
namespace: default
spec:
tls:
- hosts:
- pw.gmem.ca
secretName: gmem-ca-wildcard
rules:
- host: pw.gmem.ca
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
number: 80
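Review bot: Both litestream containers move to `image: litestream/litestream:0.3.11`, a mutable release tag, and the init container restores the Vaultwarden database while the sidecar replicates it, so a re-pushed tag would silently change the code handling that data. Pin the two image lines by digest, `image: litestream/litestream:0.3.11@sha256:<digest-placeholder>`, so the tag and the content cannot drift apart.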


@ -1,24 +1,5 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
syncthingLatest =
let
version = "1.24.0";
src = pkgs.fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v1.24.0";
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
};
in
(pkgs.syncthing.override rec {
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
inherit src version;
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
});
});
in
{ {
imports = imports =
[ [
@ -78,7 +59,7 @@ in
enable = true; enable = true;
allowedUDPPortRanges = [ { from = 27031; to = 27036; } ]; allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
allowedTCPPortRanges = [ { from = 27036; to = 27037; } ]; allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
allowedTCPPorts = [ 7000 7100 22000 ]; allowedTCPPorts = [ 7000 7100 22000 8000 ];
allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ]; allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ];
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose"; checkReversePath = "loose";
@ -97,7 +78,6 @@ in
user = "gsimmer"; user = "gsimmer";
dataDir = "/home/gsimmer"; dataDir = "/home/gsimmer";
guiAddress = "100.95.77.62:8384"; guiAddress = "100.95.77.62:8384";
package = syncthingLatest;
}; };
usbmuxd.enable = true; usbmuxd.enable = true;
prometheus.exporters.node = { prometheus.exporters.node = {
@ -155,6 +135,8 @@ in
nvidia = { nvidia = {
modesetting.enable = true; modesetting.enable = true;
nvidiaSettings = true; nvidiaSettings = true;
open = true;
package = config.boot.kernelPackages.nvidiaPackages.vulkan_beta;
}; };
sane.enable = true; sane.enable = true;
sane.extraBackends = [ pkgs.epkowa ]; sane.extraBackends = [ pkgs.epkowa ];
@ -172,6 +154,7 @@ in
}; };
programs = { programs = {
river.enable = true;
gamemode.enable = true; gamemode.enable = true;
zsh.enable = true; zsh.enable = true;
fish.enable = true; fish.enable = true;
@ -233,6 +216,8 @@ in
yubikey-touch-detector yubikey-touch-detector
docker-compose docker-compose
home-manager home-manager
libimobiledevice
ifuse
]; ];
}; };
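Review bot: `allowedTCPPorts` gains `8000` with nothing saying what listens there, and none of the commit messages mention it; unlike the Steam ranges on the neighbouring lines it is undocumented, and it opens on every interface even though `tailscale0` is already in `trustedInterfaces`. Add a comment naming the service, `allowedTCPPorts = [ 7000 7100 22000 8000 ]; # 8000: <service>`, or, if it is only needed over the overlay, drop it and rely on the trusted interface. The enclosing firewall attribute set starts and ends outside the hunk.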


@ -16,7 +16,7 @@
[ [
(import (builtins.fetchTarball { (import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz"; url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "0h5jabl78dpgknf5p3q5wmwx1856ywjh3nxlbsrqk8fr1g3aix8n"; sha256 = "17y4i3p35qbw4xq7fybs60d2ym3brqzpv9mgsb55ma1rfc08m1jc";
})) discordOverlay]; })) discordOverlay];
}; };
home = { home = {
@ -565,6 +565,7 @@ $env.config = {
discord discord
mangohud mangohud
comma comma
gamescope
]; ];
# This value determines the Home Manager release that your # This value determines the Home Manager release that your
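Review bot: The overlay is still fetched from `archive/master.tar.gz` with a fixed `sha256`, so this hash bump goes stale the next time the branch moves and every rebuild then fails on a mismatch; the hash does pin content, but pin the URL to a commit as well, `url = "https://github.com/nix-community/emacs-overlay/archive/<commit-placeholder>.tar.gz";`, so the hash and the URL describe the same artifact. The vancouver configuration in this compare already switched its `fetchurl` to SRI `hash =`; using that form here keeps the two files consistent.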


@ -9,6 +9,17 @@
owner = "healthchecks"; owner = "healthchecks";
}; };
age.secrets.prometheus-webconfig-secret = {
file = ../../secrets/monitoring-prometheus-webconfig.age;
owner = "prometheus";
mode = "775";
};
age.secrets.prometheus-password-secret = {
file = ../../secrets/monitoring-prometheus-password.age;
owner = "prometheus";
};
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "monitoring"; networking.hostName = "monitoring";
@ -27,11 +38,89 @@
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
}; };
}; };
services.alertmanager-ntfy = {
enable = true;
settings = {
http = {
addr = "127.0.0.1:8111";
};
ntfy = {
baseurl = "https://ntfy.gmem.ca";
notification = {
topic = "alerts";
priority = ''
status == "firing" ? "high" : "default"
'';
templates = {
title = ''{{ if eq .Status "resolved" }}Resolved: {{ end }}{{ index .Annotations "summary" }}'';
description = ''{{ index .Annotations "description" }}'';
click = ''http://grafana.gmem.ca/d/{{ index .Annotations "dashboard" }}'';
};
};
};
};
};
services.prometheus = { services.prometheus = {
enable = true; enable = true;
webConfigFile = config.age.secrets.prometheus-webconfig-secret.path;
globalConfig = { globalConfig = {
scrape_interval = "15s"; scrape_interval = "15s";
}; };
alertmanagers = [ {
basic_auth = {
username = "homelab";
password_file = config.age.secrets.prometheus-password-secret.path;
};
static_configs = [ {
targets = [
"localhost:9093"
];
} ];
} ];
rules = [(builtins.toJSON {
groups = [{
name = "healthchecks";
rules = [
{
alert = "HealthcheckFailedCheckin";
expr = ''hc_check_up < 1'';
for = "5m";
labels.severity = "page";
annotations = {
summary = "{{ $labels.name }} healthcheck failed";
description = "The {{ $labels.name }} healthcheck failed to check in.";
dashboard = "f594ea85-45f2-4019-b988-2d17638b5cf3";
};
}
];
}];
})];
alertmanager = {
enable = true;
extraFlags = [ "--web.config.file=${config.age.secrets.prometheus-webconfig-secret.path}" ];
webExternalUrl = "https://alerts.gmem.ca";
configText = ''
global: {}
# The directory from which notification templates are read.
templates:
- '/etc/alertmanager/template/*.tmpl'
# The root route on which each incoming alert enters.
route:
group_by: ['alertname', 'cluster', 'service']
group_wait: 0s
group_interval: 5m
repeat_interval: 3h
# A default receiver
receiver: ntfy
receivers:
- name: ntfy
webhook_configs:
- url: http://localhost:8111/hook
'';
};
port = 9001; port = 9001;
extraFlags = [ "--web.enable-remote-write-receiver" ]; extraFlags = [ "--web.enable-remote-write-receiver" ];
scrapeConfigs = [ scrapeConfigs = [
@ -53,6 +142,10 @@
job_name = "forgejo"; job_name = "forgejo";
static_configs = [ { targets = [ "git.gmem.ca" ]; } ]; static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
} }
{
job_name = "coredns";
static_configs = [ { targets = [ "vancouver:9253" ]; } ];
}
{ {
job_name = "healthchecks"; job_name = "healthchecks";
scrape_interval = "60s"; scrape_interval = "60s";
@ -107,6 +200,7 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
virtualHosts."healthchecks.gmem.ca" = { virtualHosts."healthchecks.gmem.ca" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -114,9 +208,6 @@
proxyPass = "http://127.0.0.1:8000"; proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."~ \/projects\/.+\/metrics\/.+" = {
extraConfig = "deny all;";
};
}; };
}; };
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
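Review bot: `age.secrets.prometheus-webconfig-secret` is written out with `mode = "775"`, so the Prometheus web config, which now holds the basic-auth material guarding the remote-write receiver on port 9001, is readable by every local account and carries pointless execute bits, while `prometheus-password-secret` just below keeps the agenix default. If the wide mode is only there because alertmanager reads the same file through `--web.config.file`, decrypt a second copy owned by that service's user, or use a shared group with `mode = "440";`, rather than leaving it world-readable. The `deny all` location for `~ /projects/.+/metrics/.+` on `healthchecks.gmem.ca` is dropped, which leaves the per-project metrics URLs reachable from the internet with only the key embedded in the path as the control; if that was done so the local `healthchecks` scrape job can reach them, scraping `127.0.0.1:8000` directly would keep the public deny in place. The module's top-level attribute set starts and ends outside these hunks.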


@ -1,29 +1,15 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
syncthingLatest =
let
version = "1.24.0";
src = pkgs.fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v1.24.0";
hash = "sha256-5vr9qWMHBYpu8wHpV1JZcX1kEPi+mYeZ7ZQBqXASp9I=";
};
in
(pkgs.syncthing.override rec {
buildGoModule = args: pkgs.buildGoModule.override {} (args // {
inherit src version;
vendorHash = "sha256-BZwZ6npmWFU0lvynjRZOBOhtxqic0djoSUdCOLbUwjE=";
});
});
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware.nix ./hardware.nix
]; ];
age.secrets.action-token.file = ../../secrets/vancouver-action-runner.age; age.secrets.action-token = {
file = ../../secrets/vancouver-action-runner.age;
owner = "gitea-runner";
};
age.secrets.restic-b2-credentials = { age.secrets.restic-b2-credentials = {
file = ../../secrets/vancouver-restic-b2.age; file = ../../secrets/vancouver-restic-b2.age;
group = "users"; group = "users";
@ -95,6 +81,7 @@ in
repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup"; repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup";
paths = [ paths = [
"\"/Primary/becki/VRChat\ Avatars\"" "\"/Primary/becki/VRChat\ Avatars\""
"/Primary/becki/Pictures"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "daily"; OnCalendar = "daily";
@ -153,7 +140,6 @@ in
user = "gsimmer"; user = "gsimmer";
dataDir = "/Primary/gabriel"; dataDir = "/Primary/gabriel";
guiAddress = "100.116.48.47:8384"; guiAddress = "100.116.48.47:8384";
package = syncthingLatest;
}; };
prometheus.exporters = { prometheus.exporters = {
blackbox = { blackbox = {
@ -173,6 +159,8 @@ in
config = config =
'' ''
.:53 { .:53 {
prometheus 100.116.48.47:9253
health health
file /var/src/dns.db git.gmem.ca food.gmem.ca file /var/src/dns.db git.gmem.ca food.gmem.ca
forward . 45.90.28.116 45.90.30.116 forward . 45.90.28.116 45.90.30.116
@ -348,6 +336,13 @@ in
metrics = { metrics = {
ENABLED = true; ENABLED = true;
}; };
"repository.signing" = {
SIGNING_KEY = "default";
INITIAL_COMMIT = "always";
WIKI = "always";
CRUD_ACTIONS = "always";
MERGES = "always";
};
}; };
}; };
gitea-actions-runner = { gitea-actions-runner = {
@ -449,6 +444,8 @@ in
cloudflared cloudflared
bat bat
virtiofsd virtiofsd
gnupg
pinentry
]; ];
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
@ -474,7 +471,7 @@ in
openssh.authorizedKeys.keys = let openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc"; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys); authorizedKeys);
@ -487,7 +484,7 @@ in
root.openssh.authorizedKeys.keys = let root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl { authorizedKeys = pkgs.fetchurl {
url = "https://gmem.ca/ssh"; url = "https://gmem.ca/ssh";
sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9"; hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
}; };
in pkgs.lib.splitString "\n" (builtins.readFile in pkgs.lib.splitString "\n" (builtins.readFile
authorizedKeys); authorizedKeys);
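Review bot: The new `"repository.signing"` block sets `SIGNING_KEY = "default"` with `always` for initial commits, wiki, CRUD actions and merges, but nothing in this compare generates or backs up that key for the Forgejo service user (only `gnupg` and `pinentry` are added to the system packages), so it presumably exists only in a keyring on this host. Add a comment such as `# signing key: <where it is generated, who holds the backup>` next to `SIGNING_KEY`, and confirm how Forgejo behaves under `always` when the key is missing before merges depend on it. The CoreDNS `prometheus 100.116.48.47:9253` listener binds the Tailscale address while the monitoring host scrapes `vancouver:9253`; that only works if `vancouver` resolves to that address from the monitoring host and 9253 is open on the overlay interface, neither of which is visible here. The module's top-level attribute set starts and ends outside these hunks.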


@ -1,13 +1,6 @@
{ config, pkgs, callPackage, ... }: { config, pkgs, callPackage, ... }:
{ {
nixpkgs.overlays = [
(import (builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/master.tar.gz";
sha256 = "11knjfj2gnj8y6jy4xali11g86clq7jmy5ndzy1gg0yy1y72xrhm";
}))
];
home.username = "gsimmer"; home.username = "gsimmer";
home.homeDirectory = "/Primary/gabriel"; home.homeDirectory = "/Primary/gabriel";
@ -58,16 +51,6 @@ end
nix-direnv.enable = true; nix-direnv.enable = true;
}; };
# services.lorri.enable = true;
programs.emacs = {
enable = false;
package = pkgs.emacs-unstable-pgtk;
extraPackages = epkgs: [
epkgs.vterm
];
};
programs.eza = { programs.eza = {
enable = true; enable = true;
enableAliases = true; enableAliases = true;


@ -12,5 +12,7 @@ in
"secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ]; "secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
"secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-healthchecks-secret.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ]; "secrets/monitoring-healthchecks-ro.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-prometheus-webconfig.age".publicKeys = [ monitoring gsimmer ];
"secrets/monitoring-prometheus-password.age".publicKeys = [ monitoring gsimmer ];
"secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users; "secrets/healthchecks-ping.sh.age".publicKeys = machines ++ users;
} }


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 J+a91w qN8Z94Hx1iQy12DngGD5/AiLJxbGbs51Tr3aE1/80gk
6eH40Q7Hn/ES463b7FPjyUnNDlcOFCC1VM1qf5G7F/M
-> ssh-ed25519 qbziOw k3d+DHeevcGtHJnPfCEKro/f2R8S2auaH+3BGE1meVI
rAEfQWRi5CDYDPdYwFAV4cQgDT/B77lVBFKCGfeDk7I
-> wU3bY.f)-grease m#L* _b8 `WSigN 3%
A+cZ7hzU7HvAu6zUWZZ5pPMW20A8gCtCK6mUzMXbnjDNMtxW+bIRuQeKIOqKKjdw
azUjJKU6NaEktNrNWG7G9PXn9uQ
--- WDkj0HNNagL9VWzwgUZjAe4V/hZ1jZVkmVBgxHzXN7c
¯%R»rJ[2̨<C38C>ºRbˆšë#o`5Q<35>+:ŽÊŽíî‡ÚV\LøQêoê°g:ÈRFL¼ÁÙýAƒL/ü<>peÛ!7ü¿­©/Wÿ5€R<E282AC> <20>ÈËŽxKY Û³fô*Ò'î<>KÎ* .ýg¢×1RTÍFêû.2z5ðÿ¾~ˆý=|ecàP:„+{«ÈšeÂ0úù¿ÎS°ÛÄnS¥ao¨Š¸¢¿ç9†ƒÞ§ü<C2A7>¤W —†„Õ<E2809E>³a > »ø!‚Â


@ -1,9 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 oN6OTQ BBqv4gyfV+ZTQTKNhEUPRrzWNKz1YjVr3qyouxZ1l1s -> ssh-ed25519 oN6OTQ 290Jjq3X3EKWAJjbrxxNdLVYq7OOdTZAQBLnb0JlzEw
ApaqQizmjolL/f1j2iQAvRUuCrrv9l0R8ms63TsKmU0 Ci/Ngx0O5JbCbxNqkUdSz1zuHs2YMvi+st/Nf+BlhXk
-> ssh-ed25519 qbziOw XL46mKp0s0IqX3sOY7wdyuxgIAdsNSb+pMl1oUgI2EY -> ssh-ed25519 qbziOw pexX+lrzjrIvjD1BXDOwZ6jvHNwHvI8NN7t0g+WAHE4
C+4Zy+62bzn7VkRdndpaiDtHc013K9PIrQXBpSqxD3s 8TlaRQnd/H/1nML+bJOL9J6rG1FOSFY7qTTiu11gqRo
-> <#q*-grease -> Q5TArB-grease
GKgzRmWm4lA3tKsx96FM0QFnDI8Mu8jc76XM5uFZJnEY bYTE3nqG4aLFTuXCpjRNM7rnVFlL7BCJ2BlqJbMn0CImH3owoMnYwpBBEO2i5/O7
--- FZbu3X6NM/NxZBnjbc/BRIsccomlfkwIelFdc4NXt5g XdBin6lrZDYiFZMLzQ4DRd8B
PÄó¨¦TÛ åßšµ¹^ªTÃ{ñevô÷Rb{ð1ì<31>K¦Í´eN œAàØéîÊÎ}MûjZ5K…öXd®vÜ+yƒ³”vÝE --- GfQW76dgud6sOfFfB1VoRiiZZqDePubrWRTbvKcx3Z0
“n-‡ŽA3]Éró]YHp'`º2óH^Î%Ï}= Nzútoöä:³5õ³ˆªéùê—R <52>§¾áýL瞶6‹©ÀÐÝ24¼ª"WË