Compare commits
3 commits
d34dee84bd
...
ba7db4a16f
Author | SHA1 | Date | |
---|---|---|---|
ba7db4a16f | |||
e5c120fee0 | |||
6eac33cc22 |
9 changed files with 145 additions and 0 deletions
|
@ -28,6 +28,8 @@
|
||||||
./modules/matrix.nix
|
./modules/matrix.nix
|
||||||
./modules/puffer.nix
|
./modules/puffer.nix
|
||||||
./modules/gitea.nix
|
./modules/gitea.nix
|
||||||
|
./modules/grafana.nix
|
||||||
|
./modules/prometheus.nix
|
||||||
./modules/letsencrypt.nix
|
./modules/letsencrypt.nix
|
||||||
./modules/fail2ban.nix
|
./modules/fail2ban.nix
|
||||||
./modules/email.nix
|
./modules/email.nix
|
||||||
|
|
|
@ -18,6 +18,9 @@ in {
|
||||||
hashedPasswordFile = ./mailpass/contact;
|
hashedPasswordFile = ./mailpass/contact;
|
||||||
aliases = ["kontakt@${root_host}"];
|
aliases = ["kontakt@${root_host}"];
|
||||||
};
|
};
|
||||||
|
"admin@${root_host}" = {
|
||||||
|
hashedPasswordFile = ./mailpass/admin;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||||
|
|
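Review bot: The new `hashedPasswordFile = ./mailpass/admin;` refers to a file this same compare commits in clear under modules/mailpass/admin, while the Grafana admin password added alongside it is age-encrypted under secrets/. The hash in that file starts with `$2b$05$`, i.e. bcrypt at cost 5, well below the 10–12 work factor normally used, so anyone holding a copy of the repository can test password guesses against it cheaply. Consider regenerating the hash at a higher cost and keeping it as an age secret, referenced as `hashedPasswordFile = config.age.secrets.<name>.path;` (placeholder name) the way grafana_admin_pass is handled. The enclosing account attribute set begins before this hunk.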
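--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+root_host = "grimmauld.de";
+grafana_host = "grafana.${root_host}";
+grafana_port = 8082;
+in {
+age.secrets.grafana_admin_pass = {
+file = ../secrets/grafana_admin_pass.age;
+owner = "grafana";
+group = "grafana";
+mode = "0600";
+};
+
+security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
+services.grafana = {
+enable = true;
+settings = {
+security = {
+admin_user = "admin";
+admin_email = "admin@${root_host}";
+admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
+};
+server = {
+domain = grafana_host;
+root_url = "https://${grafana_host}";
+http_port = grafana_port;
+};
+};
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."${grafana_host}" = {
+serverName = grafana_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
+proxyWebsockets = true;
+};
+};
+};
+}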
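Review bot: `services.grafana.settings.server` sets `http_port` but not `http_addr`, so Grafana's own HTTP listener is not pinned to loopback even though its only intended client is the nginx proxy to 127.0.0.1 a few lines further down. Whether port 8082 is reachable from outside then depends on firewall configuration that is not part of this change; adding `http_addr = "127.0.0.1";` next to `http_port = grafana_port;` makes the TLS-only path through nginx hold regardless. The `$__file{...}` form for `admin_password` is the right way to keep the secret out of the Nix store, but as far as I know Grafana consults it only when the admin user is first created, so rotating the age secret later will not change an existing password; a comment such as `# only applied on first start; rotate via the Grafana UI/API afterwards` would save the next maintainer that surprise.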
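--- a/modules/mailpass/admin
+++ b/modules/mailpass/admin
@@ -0,0 +1 @@
+$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy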
@ -57,15 +57,18 @@ host replication all ::1/128 md5
|
||||||
workers.normalSyncers = 1;
|
workers.normalSyncers = 1;
|
||||||
workers.eventPersisters = 2;
|
workers.eventPersisters = 2;
|
||||||
workers.useUserDirectoryWorker = true;
|
workers.useUserDirectoryWorker = true;
|
||||||
|
mainLogConfig = ./matrix_synapse_log_config.yaml;
|
||||||
|
|
||||||
enableNginx = true;
|
enableNginx = true;
|
||||||
enableSlidingSync = false;
|
enableSlidingSync = false;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
suppress_key_server_warning = true;
|
||||||
server_name = root_host;
|
server_name = root_host;
|
||||||
public_baseurl = "https://${root_host}";
|
public_baseurl = "https://${root_host}";
|
||||||
enable_registration = false;
|
enable_registration = false;
|
||||||
enable_registration_without_verification = true;
|
enable_registration_without_verification = true;
|
||||||
|
# mainLogConfig = ./matrix_synapse_log_config.yaml;
|
||||||
|
|
||||||
# registrations_require_3pid = [ "email" ];
|
# registrations_require_3pid = [ "email" ];
|
||||||
database = {
|
database = {
|
||||||
|
|
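Review bot: The commented-out `# mainLogConfig = ./matrix_synapse_log_config.yaml;` added inside `settings` duplicates the live `mainLogConfig = ...` this same hunk adds at module level and should be dropped rather than committed. Sitting next to `# registrations_require_3pid` it reads as an alternative location, but `settings` is what ends up in Synapse's homeserver configuration, where, as far as I can tell, `mainLogConfig` is not a recognised key, so it could never be enabled there. The `settings` attribute set continues past the end of this hunk.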
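--- a/modules/matrix_synapse_log_config.yaml
+++ b/modules/matrix_synapse_log_config.yaml
@@ -0,0 +1,25 @@
+version: 1
+
+# In systemd's journal, loglevel is implicitly stored, so let's omit it
+# from the message text.
+formatters:
+journal_fmt:
+format: '%(name)s: [%(request)s] %(message)s'
+
+filters:
+context:
+(): synapse.util.logcontext.LoggingContextFilter
+request: ""
+
+handlers:
+journal:
+class: systemd.journal.JournalHandler
+formatter: journal_fmt
+filters: [context]
+SYSLOG_IDENTIFIER: synapse
+
+root:
+level: WARNING
+handlers: [journal]
+
+disable_existing_loggers: False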
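Review bot: `root: level: WARNING` discards Synapse's INFO-level output to the journal, which as far as I know includes the per-request access log lines (`synapse.access.http.*`) that are the main evidence for reconstructing logins, registrations and abuse after an incident. If the intent is only to cut noise, keep the root at WARNING but add a `loggers:` section with `synapse.access: { level: INFO }` so request lines are still retained, and record the reasoning in a comment beside `level: WARNING`. Without such a comment the next reader cannot tell whether the reduced retention was a deliberate trade-off.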
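--- a/modules/prometheus.nix
+++ b/modules/prometheus.nix
@@ -0,0 +1,52 @@
+{ config, ... } :
+let
+root_host = "grimmauld.de";
+prometheus_host = "prometheus.${root_host}";
+prometheus_port = 9090; # netstat -nlp | grep 9090
+in {
+security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
+
+services.prometheus = {
+enable = true;
+port = prometheus_port;
+globalConfig.scrape_interval = "15s";
+scrapeConfigs = [
+{
+job_name = "chrysalis";
+static_configs = [{
+targets = [
+"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
+"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
+];
+}];
+}
+];
+exporters = {
+nginx.enable = true;
+redis.enable = true;
+domain.enable = true;
+postgres.enable = true;
+nginxlog.enable = true;
+jitsi.enable = true;
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+};
+};
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."${prometheus_host}" = {
+serverName = prometheus_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
+return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
+};
+};
+};
+}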
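Review bot: The nginx vhost deliberately refuses to proxy to Prometheus (`return = "307 ..."`), but `services.prometheus` sets only `port`, not `listenAddress`, whose NixOS default is `0.0.0.0`, and the same applies to the node exporter on port 9002 and the other exporters enabled here. The "no raw prometheus access" promise therefore rests entirely on host firewall rules that live outside this file; add `listenAddress = "127.0.0.1";` beside `port = prometheus_port;` and inside the `node = { ... }` block so the listeners match the loopback targets already used in `scrapeConfigs`. Separately, the `redis`, `domain`, `nginxlog` and `jitsi` exporters are enabled but no `targets` entry in this file scrapes them, so each adds a listener without producing metrics; either add them to the job or drop them.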
15
secrets/grafana_admin_pass.age
Normal file
15
secrets/grafana_admin_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa jWbwAg
|
||||||
|
ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM
|
||||||
|
L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau
|
||||||
|
qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi
|
||||||
|
PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR
|
||||||
|
Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP
|
||||||
|
FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S
|
||||||
|
Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/
|
||||||
|
Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW
|
||||||
|
h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox
|
||||||
|
HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE
|
||||||
|
qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM
|
||||||
|
--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
|
||||||
|
~‰E~ß}IÝR9•<39>â*·\–™f›rèÿyÅU›w¤BÔ
1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ
|
|
@ -6,4 +6,5 @@ in
|
||||||
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
||||||
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||||
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
|
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
|
||||||
|
"grafana_admin_pass".publicKeys = [ contabo_nix_pub ];
|
||||||
}
|
}
|
||||||
|
|
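Review bot: The new rule is keyed `"grafana_admin_pass"` while the neighbouring rules carry the `.age` suffix (`"synapse_db_pass.age"`) and the file committed in this same compare is `secrets/grafana_admin_pass.age`. agenix matches rules on the exact file name, so editing or rekeying via `agenix -e grafana_admin_pass.age` would not find this entry; change it to `"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];`. Since the encrypted file evidently exists already, it is worth confirming its recipient is really `contabo_nix_pub` and not a key used ad hoc when the rule did not match. The `}` closing the rules set follows this line.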