Compare commits


3 commits

9 changed files with 145 additions and 0 deletions


@ -28,6 +28,8 @@
./modules/matrix.nix ./modules/matrix.nix
./modules/puffer.nix ./modules/puffer.nix
./modules/gitea.nix ./modules/gitea.nix
./modules/grafana.nix
./modules/prometheus.nix
./modules/letsencrypt.nix ./modules/letsencrypt.nix
./modules/fail2ban.nix ./modules/fail2ban.nix
./modules/email.nix ./modules/email.nix


@ -18,6 +18,9 @@ in {
hashedPasswordFile = ./mailpass/contact; hashedPasswordFile = ./mailpass/contact;
aliases = ["kontakt@${root_host}"]; aliases = ["kontakt@${root_host}"];
}; };
"admin@${root_host}" = {
hashedPasswordFile = ./mailpass/admin;
};
}; };
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # Use Let's Encrypt certificates. Note that this needs to set up a stripped
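Review bot: The new `admin@${root_host}` entry points `hashedPasswordFile` at `./mailpass/admin`, a bcrypt hash committed in the tree (file modules/mailpass/admin in this change set), while the same change set keeps the Grafana admin password under agenix; the hash's `$2b$05$` prefix also shows a cost factor of 5, which is a low work factor. Keeping the hash as an age secret and referencing it as `hashedPasswordFile = config.age.secrets.<secret name>.path;` keeps it out of the repository; as far as I recall the mailserver module reads this file at activation rather than evaluation time, so a runtime path works, but confirm against the module version in use (and the module would need `config` in its argument set). Regenerating the hash with a higher bcrypt cost, e.g. `mkpasswd -m bcrypt -R 12`, is cheap and worthwhile. The enclosing accounts attrset starts outside the hunk.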

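--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+root_host = "grimmauld.de";
+grafana_host = "grafana.${root_host}";
+grafana_port = 8082;
+in {
+age.secrets.grafana_admin_pass = {
+file = ../secrets/grafana_admin_pass.age;
+owner = "grafana";
+group = "grafana";
+mode = "0600";
+};
+security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
+services.grafana = {
+enable = true;
+settings = {
+security = {
+admin_user = "admin";
+admin_email = "admin@${root_host}";
+admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
+};
+server = {
+domain = grafana_host;
+root_url = "https://${grafana_host}";
+http_port = grafana_port;
+};
+};
+};
+services.nginx = {
+enable = true;
+virtualHosts."${grafana_host}" = {
+serverName = grafana_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
+proxyWebsockets = true;
+};
+};
+};
+}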
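Review bot: Grafana sits behind a TLS-terminating nginx vhost (`forceSSL = true`) but speaks plain HTTP to the proxy, so its session cookie is not marked Secure unless `cookie_secure = true;` is added next to `admin_user` in the `settings.security` block; consider adding it. Optionally, `analytics.reporting_enabled = false;` in the same `settings` set turns off outbound usage reporting if that is unwanted. As a style point, this file spells the port conversion `builtins.toString` while modules/prometheus.nix in the same change set uses bare `toString`; both work, but one spelling across the modules reads better.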

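--- a/modules/mailpass/admin
+++ b/modules/mailpass/admin
@@ -0,0 +1 @@
+$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy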


@ -57,15 +57,18 @@ host replication all ::1/128 md5
workers.normalSyncers = 1; workers.normalSyncers = 1;
workers.eventPersisters = 2; workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true; workers.useUserDirectoryWorker = true;
mainLogConfig = ./matrix_synapse_log_config.yaml;
enableNginx = true; enableNginx = true;
enableSlidingSync = false; enableSlidingSync = false;
settings = { settings = {
suppress_key_server_warning = true;
server_name = root_host; server_name = root_host;
public_baseurl = "https://${root_host}"; public_baseurl = "https://${root_host}";
enable_registration = false; enable_registration = false;
enable_registration_without_verification = true; enable_registration_without_verification = true;
# mainLogConfig = ./matrix_synapse_log_config.yaml;
# registrations_require_3pid = [ "email" ]; # registrations_require_3pid = [ "email" ];
database = { database = {
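Review bot: `mainLogConfig = ./matrix_synapse_log_config.yaml;` is added live at the top of the hunk, at the same nesting level as `enableNginx`, and then again as a commented-out copy inside `settings` below `enable_registration_without_verification`; the comment is dead text that will drift from the real setting, and because it sits one level deeper it would not even be the right place to uncomment later, so drop the `# mainLogConfig = ./matrix_synapse_log_config.yaml;` line. `suppress_key_server_warning = true` is fine as long as the trusted key server choice was deliberate; a one-line comment saying which key server is relied on would help the next reader. The enclosing attrset starts and ends outside the hunk.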


@ -0,0 +1,25 @@
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False
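Review bot: `root.level: WARNING` silences Synapse's INFO-level output, which as far as I recall includes the per-request access log under the `synapse.access` logger namespace, so authentication attempts and request traces would not reach the journal for later incident review. If that visibility is wanted, add a `loggers:` section that raises only that namespace, e.g. `loggers:` / `  synapse.access:` / `    level: INFO`, and keep the root at WARNING to limit noise. The hunk header counts 25 added lines while fewer are shown here, so blank lines were probably dropped in rendering.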

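--- a/modules/prometheus.nix
+++ b/modules/prometheus.nix
@@ -0,0 +1,52 @@
+{ config, ... } :
+let
+root_host = "grimmauld.de";
+prometheus_host = "prometheus.${root_host}";
+prometheus_port = 9090; # netstat -nlp | grep 9090
+in {
+security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
+services.prometheus = {
+enable = true;
+port = prometheus_port;
+globalConfig.scrape_interval = "15s";
+scrapeConfigs = [
+{
+job_name = "chrysalis";
+static_configs = [{
+targets = [
+"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
+];
+}];
+}
+];
+exporters = {
+nginx.enable = true;
+redis.enable = true;
+domain.enable = true;
+postgres.enable = true;
+nginxlog.enable = true;
+jitsi.enable = true;
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+};
+};
+};
+services.nginx = {
+enable = true;
+virtualHosts."${prometheus_host}" = {
+serverName = prometheus_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
+return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
+};
+};
+};
+}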
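Review bot: `services.prometheus` and every enabled exporter are configured without a `listenAddress`, and as far as I recall the NixOS defaults there are `0.0.0.0`, so the 9090 UI and the exporter ports would be reachable on every interface even though the `return = "307 ..."` comment intends no raw Prometheus access; add `listenAddress = "127.0.0.1";` beside `port = prometheus_port;` and the same for each exporter (e.g. `node.listenAddress = "127.0.0.1";`), unless a firewall not shown here already blocks those ports. Separately, the `redis`, `domain`, `nginxlog` and `jitsi` exporters are enabled but absent from `targets`, so they listen without ever being scraped; either add them to the job or drop them. The `[ prometheus_host]` literal is missing its closing space, a cosmetic nit.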


@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg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--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
~‰E~ß}IÝR9•<39>â*·\™frèÿyÅUw¤BÔ 1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ


@ -6,4 +6,5 @@ in
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
"grafana_admin_pass".publicKeys = [ contabo_nix_pub ];
} }
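Review bot: The new rule is keyed `"grafana_admin_pass"` while every sibling entry carries an `.age` suffix and modules/grafana.nix references `../secrets/grafana_admin_pass.age`, so agenix will not find a recipient rule for that file name when the secret is (re)encrypted; change it to `"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];`. The enclosing attrset starts outside the hunk.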