Compare commits
3 commits
d34dee84bd
...
ba7db4a16f
Author | SHA1 | Date | |
---|---|---|---|
ba7db4a16f | |||
e5c120fee0 | |||
6eac33cc22 |
9 changed files with 145 additions and 0 deletions
|
@ -28,6 +28,8 @@
|
|||
./modules/matrix.nix
|
||||
./modules/puffer.nix
|
||||
./modules/gitea.nix
|
||||
./modules/grafana.nix
|
||||
./modules/prometheus.nix
|
||||
./modules/letsencrypt.nix
|
||||
./modules/fail2ban.nix
|
||||
./modules/email.nix
|
||||
|
|
|
@ -18,6 +18,9 @@ in {
|
|||
hashedPasswordFile = ./mailpass/contact;
|
||||
aliases = ["kontakt@${root_host}"];
|
||||
};
|
||||
"admin@${root_host}" = {
|
||||
hashedPasswordFile = ./mailpass/admin;
|
||||
};
|
||||
};
|
||||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
|
|
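--- /dev/null
+++ b/modules/grafana.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+root_host = "grimmauld.de";
+grafana_host = "grafana.${root_host}";
+grafana_port = 8082;
+in {
+age.secrets.grafana_admin_pass = {
+file = ../secrets/grafana_admin_pass.age;
+owner = "grafana";
+group = "grafana";
+mode = "0600";
+};
+
+security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
+services.grafana = {
+enable = true;
+settings = {
+security = {
+admin_user = "admin";
+admin_email = "admin@${root_host}";
+admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
+};
+server = {
+domain = grafana_host;
+root_url = "https://${grafana_host}";
+http_port = grafana_port;
+};
+};
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."${grafana_host}" = {
+serverName = grafana_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
+proxyWebsockets = true;
+};
+};
+};
+}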
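Review bot: Grafana's session cookie is issued without the Secure flag here: the vhost forces TLS (`forceSSL = true;`) but `settings.security` never sets `cookie_secure`, which Grafana defaults to false, so a browser will still attach the cookie to the initial plain-HTTP request before nginx redirects it. Add `cookie_secure = true;` next to `admin_password`. `settings.server.http_addr` is left at the NixOS default, which I believe is 127.0.0.1; pinning it with `http_addr = "127.0.0.1";` makes the loopback-only listener explicit rather than inherited. Minor style: this file spells the port conversion `builtins.toString` while `modules/prometheus.nix` uses `toString` for the same thing.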
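--- /dev/null
+++ b/modules/mailpass/admin
@@ -0,0 +1 @@
+$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy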
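Review bot: The committed password hash uses bcrypt cost 5 (the `$2b$05$` prefix), i.e. 2^5 rounds, far below the 10–12 that is usual today, so if this repository is ever public or leaked the hash is cheap to attack offline; regenerate it with a higher cost, e.g. `mkpasswd -m bcrypt -R 12`. The same change set puts the Grafana admin password under agenix (`secrets/grafana_admin_pass.age`) but leaves the mail password hashes as plain files under `modules/mailpass/`, which is inconsistent; `hashedPasswordFile` can presumably point at `config.age.secrets.<name>.path` instead, which would bring both under the same secret handling. Rotating the underlying password after the re-hash would be prudent since the weak hash is already in history.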
|
@ -57,15 +57,18 @@ host replication all ::1/128 md5
|
|||
workers.normalSyncers = 1;
|
||||
workers.eventPersisters = 2;
|
||||
workers.useUserDirectoryWorker = true;
|
||||
mainLogConfig = ./matrix_synapse_log_config.yaml;
|
||||
|
||||
enableNginx = true;
|
||||
enableSlidingSync = false;
|
||||
|
||||
settings = {
|
||||
suppress_key_server_warning = true;
|
||||
server_name = root_host;
|
||||
public_baseurl = "https://${root_host}";
|
||||
enable_registration = false;
|
||||
enable_registration_without_verification = true;
|
||||
# mainLogConfig = ./matrix_synapse_log_config.yaml;
|
||||
|
||||
# registrations_require_3pid = [ "email" ];
|
||||
database = {
|
||||
|
|
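Review bot: `enable_registration_without_verification = true;` sits directly under `enable_registration = false;`; it is inert while registration is off, but it silently turns on unverified sign-up the moment someone flips registration, and the `# registrations_require_3pid = [ "email" ];` guard beneath it is commented out. Unless it is needed for an explicit admin flow I would drop it, or at least add a comment stating why it is kept; this line may be pre-existing context rather than part of this commit. The commented-out `# mainLogConfig = ./matrix_synapse_log_config.yaml;` inside `settings` is dead now that `mainLogConfig` is set at the module level higher in the hunk, so delete it. The enclosing `services.matrix-synapse` attribute set starts and ends outside the hunk.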
25
modules/matrix_synapse_log_config.yaml
Normal file
25
modules/matrix_synapse_log_config.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
version: 1
|
||||
|
||||
# In systemd's journal, loglevel is implicitly stored, so let's omit it
|
||||
# from the message text.
|
||||
formatters:
|
||||
journal_fmt:
|
||||
format: '%(name)s: [%(request)s] %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.util.logcontext.LoggingContextFilter
|
||||
request: ""
|
||||
|
||||
handlers:
|
||||
journal:
|
||||
class: systemd.journal.JournalHandler
|
||||
formatter: journal_fmt
|
||||
filters: [context]
|
||||
SYSLOG_IDENTIFIER: synapse
|
||||
|
||||
root:
|
||||
level: WARNING
|
||||
handlers: [journal]
|
||||
|
||||
disable_existing_loggers: False
|
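Review bot: `root: level: WARNING` silences Synapse's INFO-level lines, which as far as I recall is where failed logins and other per-request auth activity are logged, so a journal-based fail2ban jail for Synapse (`./modules/fail2ban.nix` is in the module list above) would stop matching. Confirm the patterns the jail expects still appear at WARNING, or set `level: INFO` on root and rely on the journal for retention. The page rendering has stripped the YAML indentation, so the nesting of `journal_fmt`, `context` and `journal` under `formatters`, `filters` and `handlers` cannot be verified from here. `SYSLOG_IDENTIFIER: synapse` is a good choice since it gives the journal filter a stable unit-independent key.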
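--- /dev/null
+++ b/modules/prometheus.nix
@@ -0,0 +1,52 @@
+{ config, ... } :
+let
+root_host = "grimmauld.de";
+prometheus_host = "prometheus.${root_host}";
+prometheus_port = 9090; # netstat -nlp | grep 9090
+in {
+security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
+
+services.prometheus = {
+enable = true;
+port = prometheus_port;
+globalConfig.scrape_interval = "15s";
+scrapeConfigs = [
+{
+job_name = "chrysalis";
+static_configs = [{
+targets = [
+"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
+];
+}];
+}
+];
+exporters = {
+nginx.enable = true;
+redis.enable = true;
+domain.enable = true;
+postgres.enable = true;
+nginxlog.enable = true;
+jitsi.enable = true;
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+};
+};
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."${prometheus_host}" = {
+serverName = prometheus_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
+return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
+};
+};
+};
+}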
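Review bot: The nginx `return = "307 ..."` only guards the HTTPS path; `services.prometheus` and every exporter are left at the NixOS default `listenAddress` of `0.0.0.0`, so port 9090 and the exporter ports bind all interfaces and are protected only by whatever the firewall module does elsewhere. Since the scrape targets are all `127.0.0.1`, add `listenAddress = "127.0.0.1";` beside `port = prometheus_port;` and to each enabled exporter (e.g. `node = { listenAddress = "127.0.0.1"; ... }`) so the listeners are loopback-only regardless of firewall state. The `redis`, `domain`, `nginxlog` and `jitsi` exporters are enabled but absent from `targets`, which leaves four unused listening services; either add them to the scrape job or do not enable them. The `# proxyPass` line above `return` is dead config and can be removed.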
15
secrets/grafana_admin_pass.age
Normal file
15
secrets/grafana_admin_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM
|
||||
L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau
|
||||
qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi
|
||||
PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR
|
||||
Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP
|
||||
FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S
|
||||
Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/
|
||||
Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW
|
||||
h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox
|
||||
HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE
|
||||
qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM
|
||||
--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
|
||||
~‰E~ß}IÝR9•<39>â*·\–™f›rèÿyÅU›w¤BÔ
1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ
|
|
@ -6,4 +6,5 @@ in
|
|||
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
||||
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
|
||||
"grafana_admin_pass".publicKeys = [ contabo_nix_pub ];
|
||||
}
|
||||
|
|
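Review bot: `"grafana_admin_pass".publicKeys = [ contabo_nix_pub ];` is missing the `.age` suffix that the sibling rules carry and that `modules/grafana.nix` references as `../secrets/grafana_admin_pass.age`; agenix looks rules up by the secret file name, so `agenix -e` and rekeying will not find a rule for the file that was actually committed. Change it to `"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];`. This presumably only went unnoticed because the file was encrypted by hand; after the fix a rekey would confirm the rule is picked up.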