motiejus/config
1
Fork 0
Code Packages Releases Activity

nix fmt

Browse Source
This commit is contained in:
Motiejus Jakštys
2025-07-28 05:17:49 +00:00
parent 66568d814c
commit b30ef5392e
5 changed files with 215 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

169
hosts/fwminex/configuration.nix
View File

@@ -424,49 +424,49 @@ in
evaluation_interval = "1m"; evaluation_interval = "1m";
}; };
scrapeConfigs = scrapeConfigs = [
[ (
( let
let port = toString config.services.prometheus.exporters.ping.port;
port = toString config.services.prometheus.exporters.ping.port; hosts = [
hosts = [ "fwminex.jakst.vpn"
"fwminex.jakst.vpn" "vno3-nk.jakst.vpn"
"vno3-nk.jakst.vpn" "fra1-c.jakst.vpn"
"fra1-c.jakst.vpn" "vno1-gdrx.jakst.vpn"
"vno1-gdrx.jakst.vpn" ];
]; in
in
{
job_name = "ping";
static_configs = [ { targets = map (host: "${host}:${port}") hosts; } ];
}
)
{ {
job_name = "prometheus"; job_name = "ping";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.prometheus}" ]; } ]; static_configs = [ { targets = map (host: "${host}:${port}") hosts; } ];
} }
{ )
job_name = "caddy"; {
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.caddy}" ]; } ]; job_name = "prometheus";
} static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.prometheus}" ]; } ];
{ }
job_name = "hass_p7_50"; {
scrape_interval = "1m"; job_name = "caddy";
metrics_path = "/api/prometheus"; static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.caddy}" ]; } ];
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.hass}" ]; } ]; }
} {
{ job_name = "hass_p7_50";
job_name = "weather"; scrape_interval = "1m";
scrape_interval = "10m"; metrics_path = "/api/prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.weather}" ]; } ]; static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.hass}" ]; } ];
} }
{ {
job_name = "vno1-vinc.jakst.vpn"; job_name = "weather";
static_configs = [ { targets = [ "vno1-vinc.jakst.vpn:9100" ]; } ]; scrape_interval = "10m";
} static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.weather}" ]; } ];
] }
++ map {
job_name = "vno1-vinc.jakst.vpn";
static_configs = [ { targets = [ "vno1-vinc.jakst.vpn:9100" ]; } ];
}
]
++
map
( (
let let
port = builtins.toString myData.ports.exporters.node; port = builtins.toString myData.ports.exporters.node;
@@ -601,55 +601,54 @@ in
enable = true; enable = true;
passwordPath = config.age.secrets.borgbackup-password.path; passwordPath = config.age.secrets.borgbackup-password.path;
sshKeyPath = "/etc/ssh/ssh_host_ed25519_key"; sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
dirs = dirs = [
[ {
subvolume = "/var/lib";
repo = "${vno3-nk}:${this}-var_lib_lesser";
paths = [
"prometheus2"
"private/timelapse-r11"
];
backup_at = "*-*-* 02:01:00 UTC";
compression = "none";
}
]
++ (builtins.concatMap
(host: [
{ {
subvolume = "/var/lib"; subvolume = "/var/lib";
repo = "${vno3-nk}:${this}-var_lib_lesser"; repo = "${host}:${this}-var_lib";
paths = [ paths = [
"prometheus2" "hass"
"private/timelapse-r11" "gitea"
]; "caddy"
backup_at = "*-*-* 02:01:00 UTC"; "grafana"
compression = "none"; "headscale"
} "bitwarden_rs"
] "matrix-synapse"
++ (builtins.concatMap "private/soju"
(host: [
{
subvolume = "/var/lib";
repo = "${host}:${this}-var_lib";
paths = [
"hass"
"gitea"
"caddy"
"grafana"
"headscale"
"bitwarden_rs"
"matrix-synapse"
"private/soju"
# https://immich.app/docs/administration/backup-and-restore/ # https://immich.app/docs/administration/backup-and-restore/
"immich/library" "immich/library"
"immich/upload" "immich/upload"
"immich/profile" "immich/profile"
"postgresql" "postgresql"
]; ];
patterns = [ "- gitea/data/repo-archive/" ]; patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:01 UTC"; backup_at = "*-*-* 01:00:01 UTC";
} }
{ {
subvolume = "/home"; subvolume = "/home";
repo = "${host}:${this}-home-motiejus-annex2"; repo = "${host}:${this}-home-motiejus-annex2";
paths = [ "motiejus/annex2" ]; paths = [ "motiejus/annex2" ];
backup_at = "*-*-* 02:30:01 UTC"; backup_at = "*-*-* 02:30:01 UTC";
} }
]) ])
[ [
rsync-net rsync-net
vno3-nk vno3-nk
] ]
); );
}; };
btrfssnapshot = { btrfssnapshot = {

67
modules/base/unitstatus/default.nix
View File

@@ -17,44 +17,43 @@
}; };
config = lib.mkIf config.mj.base.unitstatus.enable { config = lib.mkIf config.mj.base.unitstatus.enable {
systemd.services = systemd.services = {
{ "unit-status-mail@" =
"unit-status-mail@" = let
let # https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html
# https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html script = pkgs.writeShellScript "unit-status-mail" ''
script = pkgs.writeShellScript "unit-status-mail" '' set -e
set -e MAILTO="${config.mj.base.unitstatus.email}"
MAILTO="${config.mj.base.unitstatus.email}" UNIT=$1
UNIT=$1 EXTRA=""
EXTRA="" for e in "''${@:2}"; do
for e in "''${@:2}"; do EXTRA+="$e"$'\n'
EXTRA+="$e"$'\n' done
done UNITSTATUS=$(${pkgs.systemd}/bin/systemctl status -l -n 1000 "$UNIT" || :)
UNITSTATUS=$(${pkgs.systemd}/bin/systemctl status -l -n 1000 "$UNIT" || :) ${pkgs.postfix}/bin/sendmail $MAILTO <<EOF
${pkgs.postfix}/bin/sendmail $MAILTO <<EOF Subject:Status mail for unit: $UNIT
Subject:Status mail for unit: $UNIT
Status report for unit: $UNIT Status report for unit: $UNIT
$EXTRA $EXTRA
$UNITSTATUS $UNITSTATUS
EOF EOF
echo -e "Status mail sent to: $MAILTO for unit: $UNIT" echo -e "Status mail sent to: $MAILTO for unit: $UNIT"
''; '';
in in
{ {
description = "Send an email on unit failure"; description = "Send an email on unit failure";
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = ''${script} "%i" "Hostname: %H" "Machine ID: %m" "Boot ID: %b" ''; ExecStart = ''${script} "%i" "Hostname: %H" "Machine ID: %m" "Boot ID: %b" '';
};
}; };
}
// lib.genAttrs config.mj.base.unitstatus.units (unit: {
unitConfig = {
OnFailure = "unit-status-mail@${unit}.service";
}; };
}); }
// lib.genAttrs config.mj.base.unitstatus.units (unit: {
unitConfig = {
OnFailure = "unit-status-mail@${unit}.service";
};
});
}; };
} }

6
modules/base/users/default.nix
View File

@@ -53,7 +53,8 @@ in
"dialout" "dialout"
"video" "video"
"audio" "audio"
] ++ cfg.user.extraGroups; ]
++ cfg.user.extraGroups;
uid = myData.uidgid.motiejus; uid = myData.uidgid.motiejus;
openssh.authorizedKeys.keys = openssh.authorizedKeys.keys =
let let
@@ -69,7 +70,8 @@ in
(''from="127.0.0.1,::1" '' + myData.hosts.${fqdn}.publicKey) (''from="127.0.0.1,::1" '' + myData.hosts.${fqdn}.publicKey)
]) ])
]; ];
} // lib.filterAttrs (n: v: n != "extraGroups" && v != null) cfg.user or { }; }
// lib.filterAttrs (n: v: n != "extraGroups" && v != null) cfg.user or { };
root = lib.filterAttrs (_: v: v != null) cfg.root; root = lib.filterAttrs (_: v: v != null) cfg.root;
}; };

3
modules/services/btrfsborg/default.nix
View File

@@ -92,7 +92,8 @@ in
h = config.networking; h = config.networking;
in in
"${h.hostName}.${h.domain}@${h.hostId}"; "${h.hostName}.${h.domain}@${h.hostId}";
} // lib.optionalAttrs (cfg.sshKeyPath != null) { BORG_RSH = ''ssh -i "${cfg.sshKeyPath}"''; }; }
// lib.optionalAttrs (cfg.sshKeyPath != null) { BORG_RSH = ''ssh -i "${cfg.sshKeyPath}"''; };
} }
// lib.optionalAttrs (attrs ? patterns) { inherit (attrs) patterns; } // lib.optionalAttrs (attrs ? patterns) { inherit (attrs) patterns; }
// lib.optionalAttrs (attrs ? prune) { inherit (attrs) prune; } // lib.optionalAttrs (attrs ? prune) { inherit (attrs) prune; }

185
modules/services/nsd-acme/default.nix
View File

@@ -102,103 +102,102 @@ in
systemd = { systemd = {
tmpfiles.rules = [ "d /var/lib/nsd/acmezones 0755 nsd nsd -" ]; tmpfiles.rules = [ "d /var/lib/nsd/acmezones 0755 nsd nsd -" ];
services = services = {
{ nsd-control-setup = {
nsd-control-setup = { requiredBy = [ "nsd.service" ];
requiredBy = [ "nsd.service" ]; before = [ "nsd.service" ];
before = [ "nsd.service" ]; unitConfig.ConditionPathExists =
unitConfig.ConditionPathExists = let
rc = config.services.nsd.remoteControl;
in
[
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
Type = "oneshot";
UMask = 77;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [ pkgs.openssl ];
};
}
// lib.mapAttrs' (
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [
pkgs.openssh
pkgs.nsd
];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart =
let let
rc = config.services.nsd.remoteControl; hook = mkHook zone;
days = builtins.toString cfg.days;
in in
[ "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}" UMask = "0022";
"|!${rc.serverKeyFile}" User = "nsd";
"|!${rc.serverCertFile}" Group = "nsd";
]; StateDirectory = "nsd-acme/${zone}";
serviceConfig = { LoadCredential = [ "letsencrypt-account-key:${cfg.accountKey}" ];
Type = "oneshot"; ReadWritePaths = [ "/var/lib/nsd/acmezones" ];
UMask = 77; SuccessExitStatus = [
}; 0
script = '' 1
${pkgs.nsd}/bin/nsd-control-setup ];
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
''; # from nixos/modules/security/acme/default.nix
path = [ pkgs.openssl ]; ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
}; };
} }
// lib.mapAttrs' ( ) cfg.zones;
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [
pkgs.openssh
pkgs.nsd
];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart =
let
hook = mkHook zone;
days = builtins.toString cfg.days;
in
"${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = [ "letsencrypt-account-key:${cfg.accountKey}" ];
ReadWritePaths = [ "/var/lib/nsd/acmezones" ];
SuccessExitStatus = [
0
1
];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
};
}
) cfg.zones;
timers = lib.mapAttrs' ( timers = lib.mapAttrs' (
zone: _: zone: _: