diff --git a/modules/base/common/host/os/networking/ssh.nix b/modules/base/common/host/os/networking/ssh.nix
index e02b080d5..c57c26652 100644
--- a/modules/base/common/host/os/networking/ssh.nix
+++ b/modules/base/common/host/os/networking/ssh.nix
@@ -3,9 +3,17 @@
     enable = true;
     startWhenNeeded = true;
     settings = {
-      PermitRootLogin = lib.mkForce "no";
+      # Don't allow root login
+      PermitRootLogin = "no";
+
+      # only allow key based logins and not password
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = lib.mkDefault false;
+      AuthenticationMethods = "publickey";
+      PubkeyAuthentication = "yes";
+      ChallengeResponseAuthentication = "no";
+      UsePAM = "no";
+
 
       UseDns = false;
       X11Forwarding = false;
@@ -18,6 +26,10 @@
         "diffie-hellman-group18-sha512"
         "sntrup761x25519-sha512@openssh.com"
       ];
+
+      # kick out inactive sessions
+      ClientAliveCountMax = 5;
+      ClientAliveInterval = 60;
     };
     openFirewall = true;
diff --git a/modules/base/common/services/monitoring/loki/default.nix b/modules/base/common/services/monitoring/loki/default.nix
index c6e01a896..3ec49056f 100644
--- a/modules/base/common/services/monitoring/loki/default.nix
+++ b/modules/base/common/services/monitoring/loki/default.nix
@@ -6,15 +6,21 @@
   inherit (lib) mkIf;
   cfg = config.modules.services.monitoring.loki;
+  lcfg = config.services.loki;
 in {
   config = mkIf cfg.enable {
     # https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
     services.loki = {
       enable = true;
       dataDir = "/srv/storage/loki";
+      extraFlags = ["--config.expand-env=true"];
       configuration = {
-        server.http_listen_port = 3030;
+        server = {
+          http_listen_port = 3030;
+          log_level = "warn";
+        };
+
         auth_enabled = false;
         ingester = {
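Review bot: `UsePAM = "no"` in the added settings switches off PAM account and session handling, not just password prompts: sshd will no longer run the PAM session stack, so SSH logins get no logind session (the `logind` node_exporter collector enabled in this same change will not see them, and systemd user services will not start for those users), and any lockout or expiry policy enforced through PAM is bypassed. PasswordAuthentication is already false and AuthenticationMethods is pinned to publickey, so PAM is not what would let passwords in; consider dropping the line, or if it stays, write `UsePAM = false;` to match the boolean form of the neighbouring settings (the NixOS module may declare this option as a bool, in which case the string would fail evaluation). `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication`, set two lines above, so one of the two is redundant. Removing `lib.mkForce` from PermitRootLogin means a later definition elsewhere in the tree would now produce a conflict instead of being overridden; fine if nothing else sets it, but worth confirming.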
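Review bot: The comment `# kick out inactive sessions` on the added ClientAlive settings overstates what they do: ClientAliveInterval and ClientAliveCountMax only send keepalive probes that the client's ssh answers automatically, so an idle but connected user is never disconnected; what gets dropped is a peer that has stopped responding, after roughly 5 × 60 s here. A more accurate comment would be `# drop connections whose client stops answering keepalives (~5 min); this is not an idle timeout`. If an idle-session timeout is actually wanted, nothing in this hunk provides it, and it would have to come from the login shell (e.g. a TMOUT setting) rather than from sshd.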
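Review bot: `auth_enabled = false` leaves the Loki push and query API on port 3030 with no tenant authentication, and no `http_listen_address` is set in this hunk, so unless it is pinned elsewhere Loki binds all interfaces and anyone who can reach the port can inject or read logs. If only local agents write to it, add `http_listen_address = "127.0.0.1";` next to `http_listen_port`; otherwise put an authenticating reverse proxy in front. The added `--config.expand-env=true` flag has no visible consumer: every `${...}` in this configuration is Nix interpolation resolved at build time, and with expansion enabled any literal `${` that reaches the rendered YAML would be substituted from the service environment, so a comment naming the variable this is meant for would help (or the flag could be dropped).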
@@ -34,32 +40,29 @@ in {
           max_transfer_retries = 0;
         };
-        schema_config = {
-          configs = [
-            {
-              from = "2022-06-06";
-              store = "boltdb-shipper";
-              object_store = "filesystem";
-              schema = "v11";
-              index = {
-                prefix = "index_";
-                period = "24h";
-              };
-            }
-          ];
-        };
+        schema_config.configs = [
+          {
+            from = "2022-06-06";
+            store = "boltdb-shipper";
+            object_store = "filesystem";
+            schema = "v11";
+            index = {
+              prefix = "index_";
+              period = "24h";
+            };
+          }
+        ];
         storage_config = {
+          boltdb.directory = "${lcfg.dataDir}/boltdb-index";
+          filesystem.directory = "${lcfg.dataDir}/storage-chunks";
+
           boltdb_shipper = {
-            active_index_directory = "/srv/storage/loki/boltdb-shipper-active";
-            cache_location = "/srv/storage/loki/boltdb-shipper-cache";
+            active_index_directory = "${lcfg.dataDir}/boltdb-shipper-active";
+            cache_location = "${lcfg.dataDir}/boltdb-shipper-cache";
             cache_ttl = "24h";
             shared_store = "filesystem";
           };
-
-          filesystem = {
-            directory = "/srv/storage/loki/chunks";
-          };
         };
         limits_config = {
@@ -77,7 +80,7 @@ in {
         };
         compactor = {
-          working_directory = "/srv/storage/loki";
+          working_directory = "${lcfg.dataDir}/compactor-work";
           shared_store = "filesystem";
           compactor_ring = {
             kvstore = {
diff --git a/modules/base/common/services/monitoring/prometheus/default.nix b/modules/base/common/services/monitoring/prometheus/default.nix
index 4c8b7434f..68ffa0d29 100644
--- a/modules/base/common/services/monitoring/prometheus/default.nix
+++ b/modules/base/common/services/monitoring/prometheus/default.nix
@@ -25,6 +25,7 @@ in {
           port = 9101;
           enabledCollectors = [
             "logind"
+            "processes"
             "systemd"
           ];
         };
@@ -45,6 +46,15 @@ in {
           enable = false;
           port = 9104;
         };
+
+        smartctl = {
+          inherit (config.services.smartd) enable;
+          openFirewall = config.services.smartd.enable;
+          # Defaults:
+          user = "smartctl-exporter";
+          group = "disk";
+          port = 9110;
+        };
       };
       scrapeConfigs = [
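Review bot: `filesystem.directory` moves the chunk store from `/srv/storage/loki/chunks` to `${lcfg.dataDir}/storage-chunks`; Loki does not migrate data between those paths, so existing chunks become unreadable after deploy unless the directory is renamed on disk or the old name is kept, e.g. `filesystem.directory = "${lcfg.dataDir}/chunks";`. The new `boltdb.directory` key configures the legacy `boltdb` index store, which the schema in this hunk does not use (`store = "boltdb-shipper"`), so it appears to be dead configuration; if it is intentional, a comment saying why would stop the next reader from removing it.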
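Review bot: `openFirewall = config.services.smartd.enable` on the new smartctl exporter exposes port 9110 on every interface, and Prometheus exporters carry no authentication; the scrape jobs visible in this diff all target `localhost`, so a local Prometheus does not need the firewall hole. Unless a remote Prometheus scrapes this host, drop `openFirewall` or add `listenAddress = "127.0.0.1";`. No scrape job for 9110 appears in this diff either, so the exporter may end up running without being collected. The `# Defaults:` comment lumps `group = "disk"` in with restated defaults, but that group is what grants the exporter raw read access to block devices, so it deserves its own why-comment, e.g. `# disk group: needed for smartctl to open /dev/sd* and /dev/nvme*`.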
@@ -68,16 +78,11 @@ in {
           scrape_interval = "30s";
           static_configs = [{targets = ["localhost:9103"];}];
         }
-        /*
         {
           job_name = "nginx";
-          static_configs = [
-            {
-              targets = ["127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"];
-            }
-          ];
+          scrape_interval = "30s";
+          static_configs = [{targets = ["localhost:9104"];}];
         }
-        */
       ];
     };
   };
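Review bot: The new nginx job hard-codes `localhost:9104` where the removed version derived the port from `config.services.prometheus.exporters.nginx.port`; keep the coupling with `static_configs = [{targets = ["localhost:${toString config.services.prometheus.exporters.nginx.port}"];}];` so a port change cannot silently break scraping. The exporter block on port 9104 in the earlier hunk of this file still carries `enable = false`, so if that is the nginx exporter this job will only ever report the target as down; either enable it or gate the job on `config.services.prometheus.exporters.nginx.enable`. The enclosing `scrapeConfigs` list begins before this hunk.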