From 58f434407addf4e41f9f5ccac07dc56cbe518981 Mon Sep 17 00:00:00 2001 From: isabel Date: Thu, 19 Oct 2023 01:49:46 +0100 Subject: [PATCH] i hope this works --- .../core/system/virtualization/default.nix | 25 +++++- .../services/databases/postgresql/default.nix | 31 ++++++- .../services/databases/redis/default.nix | 34 ++++++++ .../types/server/services/gitea/default.nix | 57 ++++++------ .../server/services/monitoring/default.nix | 4 +- .../server/services/monitoring/grafana.nix | 52 ----------- .../services/monitoring/grafana/default.nix | 86 +++++++++++++++++++ .../server/services/monitoring/prometheus.nix | 44 ---------- .../monitoring/prometheus/default.nix | 69 +++++++++++++++ 9 files changed, 277 insertions(+), 125 deletions(-) create mode 100644 modules/common/types/server/services/databases/redis/default.nix delete mode 100644 modules/common/types/server/services/monitoring/grafana.nix create mode 100644 modules/common/types/server/services/monitoring/grafana/default.nix delete mode 100644 modules/common/types/server/services/monitoring/prometheus.nix create mode 100644 modules/common/types/server/services/monitoring/prometheus/default.nix diff --git a/modules/common/core/system/virtualization/default.nix b/modules/common/core/system/virtualization/default.nix index 1665f817d..834a0ef75 100644 --- a/modules/common/core/system/virtualization/default.nix +++ b/modules/common/core/system/virtualization/default.nix @@ -10,8 +10,7 @@ in { config = mkIf cfg.enable { environment.systemPackages = with pkgs; - [] - ++ optionals cfg.qemu.enable [ + optionals cfg.qemu.enable [ virt-manager virt-viewer ] 
@@ -63,6 +62,28 @@ in { waydroid.enable = cfg.waydroid.enable; lxd.enable = mkDefault config.virtualisation.waydroid.enable; + + systemd.user = mkIf cfg.distrobox.enable { + timers."distrobox-update" = { + enable = true; + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "1h"; + OnUnitActiveSec = "1d"; + Unit = "distrobox-update.service"; + }; + }; + + services."distrobox-update" = { + enable = true; + script = '' + ${pkgs.distrobox}/bin/distrobox upgrade --all + ''; + serviceConfig = { + Type = "oneshot"; + }; + }; + }; }; }; } diff --git a/modules/common/types/server/services/databases/postgresql/default.nix b/modules/common/types/server/services/databases/postgresql/default.nix index dd0c69ff2..cd4f27272 100644 --- a/modules/common/types/server/services/databases/postgresql/default.nix +++ b/modules/common/types/server/services/databases/postgresql/default.nix @@ -14,17 +14,46 @@ in { services.postgresql = { enable = true; package = pkgs.postgresql; - checkConfig = true; dataDir = "/srv/storage/postgresql/${config.services.postgresql.package.psqlSchema}"; + enableTCPIP = false; + + checkConfig = true; + settings = { + log_connections = true; + log_statement = "all"; + logging_collector = true; + log_disconnections = true; + log_destination = lib.mkForce "syslog"; + }; + ensureDatabases = [ "miniflux" + "gitea" + "grafana" + "vaultwarden" ]; ensureUsers = [ { name = "miniflux"; ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES"; } + { + name = "postgres"; + ensurePermissions."ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; + } + { + name = "gitea"; + ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES"; + } + { + name = "grafana"; + ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES"; + } + { + name = "vaultwarden"; + ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES"; + } ]; }; }; 
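Review bot: `log_statement = "all"` in the new `settings` block of the postgresql hunk sends the full text of every statement, including the values written by the vaultwarden, gitea and grafana roles the same hunk provisions, to syslog, so credentials and personal data land in the journal under whatever retention and readership it has; `log_statement = "ddl";` together with the `log_connections`/`log_disconnections` lines keeps the audit trail without the payload. The `ensureUsers` entry for `postgres` is also redundant, since it is the bootstrap superuser and `ensurePermissions."ALL TABLES IN SCHEMA public"` only grants on tables that exist at activation time, so that entry can be dropped. `logging_collector = true` probably has no effect next to `log_destination = lib.mkForce "syslog"`, because the collector only captures stderr/csvlog output; worth confirming and removing if so. The `config` attrset this hunk edits is opened outside the hunk.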
diff --git a/modules/common/types/server/services/databases/redis/default.nix b/modules/common/types/server/services/databases/redis/default.nix new file mode 100644 index 000000000..8b5c02851 --- /dev/null +++ b/modules/common/types/server/services/databases/redis/default.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + ... +}: let + inherit (lib) mkIf; + + cfg = config.modules.services.database.redis; +in { + config = mkIf cfg.enable { + services.redis = { + vmOverCommit = true; + servers = { + gitea = mkIf cfg.gitea.enable { + enable = true; + user = "gitea"; + port = 6371; + databases = 16; + logLevel = "debug"; + requirePass = "gitea"; + }; + + searxng = mkIf cfg.searxng.enable { + enable = true; + user = "searx"; + port = 6370; + databases = 16; + logLevel = "debug"; + requirePass = "searxng"; + }; + }; + }; + }; +} diff --git a/modules/common/types/server/services/gitea/default.nix b/modules/common/types/server/services/gitea/default.nix index bbfb6f334..671ebf113 100644 --- a/modules/common/types/server/services/gitea/default.nix +++ b/modules/common/types/server/services/gitea/default.nix @@ -17,7 +17,15 @@ with lib; let }; in { config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [config.services.gitea.settings.server.HTTP_PORT]; + networking.firewall.allowedTCPPorts = [ + config.services.gitea.settings.server.HTTP_PORT + config.services.forgejo.settings.server.SSH_PORT + ]; + + modules.system.services.database = { + redis.enable = true; + postgresql.enable = true; + }; systemd.services = { gitea = { @@ -38,21 +46,10 @@ in { enable = true; package = pkgs.forgejo; appName = "iztea"; - lfs.enable = true; - user = "git"; - group = "git"; - database.user = "git"; stateDir = "/srv/storage/gitea/data"; mailerPasswordFile = config.sops.secrets.mailserver-gitea-nohash.path; - dump = { - enable = true; - backupDir = "/srv/storage/gitea/dump"; - interval = "06:00"; - type = "tar.zst"; - }; - settings = { server = { ROOT_URL = "https://${gitea_domain}"; 
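Review bot: `requirePass = "gitea"` and `requirePass = "searxng"` in the new redis module are literal passwords that are committed to the repository and written into the world-readable Nix store with the generated redis configuration, which defeats the purpose of requiring a password. The NixOS redis module provides `requirePassFile` for this, so `requirePassFile = config.sops.secrets.<REDIS_SECRET_NAME>.path;` with a sops secret, matching how the gitea and grafana modules already keep mailer passwords out of the store, is the fix; the `cache.HOST` URL in the gitea hunk of this patch embeds the same value and has to move with it. `logLevel = "debug"` on both servers is also verbose for a production instance; redis' default `"notice"` is enough unless a specific issue is being chased.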
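Review bot: The new firewall line `config.services.forgejo.settings.server.SSH_PORT` reads the SSH port from the separate `services.forgejo` module while this file configures `services.gitea` (with `package = pkgs.forgejo`, per the next hunk), so the port opened is whatever that other module's option evaluates to rather than the port this instance listens on; reading it from the same `config.services.gitea.settings.server` tree that supplies `HTTP_PORT` on the line above keeps the two consistent. If the builtin SSH server is not enabled (no `START_SSH_SERVER` appears in the visible hunks), the opened port is an inbound allowance nothing here uses. The new `modules.system.services.database = { … }` block also looks inconsistent with the redis module in this patch, whose `cfg` is `config.modules.services.database.redis`; unless `modules.system.services.database` is declared elsewhere, this assignment will not enable the redis/postgresql modules, or evaluation will fail on an undeclared option.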
@@ -81,10 +78,23 @@ in { (builtins.attrNames (builtins.readDir theme)))); }; - "ui.meta" = { - AUTHOR = "Isabel Roses"; - DESCRIPTION = "A great place to hide my code from you"; - KEYWORDS = "git,self-hosted,gitea,isabelroses,catppuccin,open-source,forgejo"; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "https://code.forgejo.org"; + }; + + database = { + DB_TYPE = lib.mkForce "postgres"; + HOST = "/run/postgresql"; + NAME = "gitea"; + USER = "gitea"; + PASSWD = "gitea"; + }; + + cache = { + ENABLED = true; + ADAPTER = "redis"; + HOST = "redis://:gitea@localhost:6371"; }; migrations.ALLOWED_DOMAINS = "github.com, *.github.com, gitlab.com, *.gitlab.com"; @@ -103,15 +113,14 @@ in { USER = "git@${domain}"; }; }; - }; - openssh = { - extraConfig = '' - Match User git - AuthorizedKeysCommandUser git - AuthorizedKeysCommand ${lib.getExe pkgs.forgejo} keys -e git -u %u -t %t -k %k - Match all - ''; + # backup + dump = { + enable = true; + backupDir = "/srv/storage/forgejo/dump"; + interval = "06:00"; + type = "tar.zst"; + }; }; }; }; diff --git a/modules/common/types/server/services/monitoring/default.nix b/modules/common/types/server/services/monitoring/default.nix index fad5e0cc3..2d4770acc 100644 --- a/modules/common/types/server/services/monitoring/default.nix +++ b/modules/common/types/server/services/monitoring/default.nix @@ -1,6 +1,6 @@ _: { imports = [ - ./grafana.nix - ./prometheus.nix + ./grafana + ./prometheus ]; } diff --git a/modules/common/types/server/services/monitoring/grafana.nix b/modules/common/types/server/services/monitoring/grafana.nix deleted file mode 100644 index a4332f730..000000000 --- a/modules/common/types/server/services/monitoring/grafana.nix +++ /dev/null 
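Review bot: `PASSWD = "gitea"` in the new `database` block and the password embedded in `HOST = "redis://:gitea@localhost:6371"` under `cache` are literal credentials that end up in the repository and in the store-generated configuration, the same file the module already keeps the mailer password out of via `mailerPasswordFile`. With `HOST = "/run/postgresql"` the connection goes over the Unix socket, where the NixOS PostgreSQL default `pg_hba` authenticates by peer (OS user `gitea` to role `gitea`), so `PASSWD` is unused and can simply be removed; if password auth is ever needed, `services.gitea.database.passwordFile` is the module's option for it. The redis password should come from the same secret that `requirePassFile` in the redis module would read, rendered into this line via a sops template rather than written here. The `settings` attrset this hunk edits opens and closes outside the hunk.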
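Review bot: `backupDir = "/srv/storage/forgejo/dump"` in the re-added `dump` block puts dumps under a different tree from `stateDir = "/srv/storage/gitea/data"` set in the earlier hunk of this file, which makes it easy to miss one of the two when moving or backing up storage. Either `backupDir = "/srv/storage/gitea/dump";` or a shared `let` binding for the base path would keep them together. The `services.gitea` attrset this hunk closes is opened outside the hunk.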
@@ -1,52 +0,0 @@ -{ - config, - lib, - ... -}: let - inherit (lib) mkIf; - inherit (config.networking) domain; - - cfg = config.modules.services.monitoring.grafana; - - port = 3100; -in { - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [port]; - - services.grafana = { - enable = true; - dataDir = "/srv/storage/grafana"; - - settings = { - analytics = { - reporting_enabled = false; - check_for_updates = false; - }; - - server = { - # Listening address and TCP port - http_port = port; - # Grafana needs to know on which domain and URL it's running on: - http_addr = "127.0.0.1"; - domain = "graph.${domain}"; - - # true means HTTP compression is enabled - enable_gzip = true; - }; - - smtp = let - mailer = "grafana@${domain}"; - in { - enabled = true; - - user = mailer; - password = "$__file{" + config.sops.secrets.mailserver-grafana-nohash.path + "}"; - - host = "mail.${domain}:465"; - from_address = mailer; - startTLS_policy = "MandatoryStartTLS"; - }; - }; - }; - }; -} diff --git a/modules/common/types/server/services/monitoring/grafana/default.nix b/modules/common/types/server/services/monitoring/grafana/default.nix new file mode 100644 index 000000000..1ee463660 --- /dev/null +++ b/modules/common/types/server/services/monitoring/grafana/default.nix 
@@ -0,0 +1,86 @@ +{ + config, + lib, + ... +}: let + inherit (lib) mkIf; + inherit (config.networking) domain; + + cfg = config.modules.services.monitoring.grafana; + + port = 3100; +in { + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [port]; + + services = { + postgresql = { + enable = true; + ensureDatabases = ["grafana"]; + ensureUsers = [ + { + name = "grafana"; + ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES"; + } + ]; + }; + + grafana = { + enable = true; + settings = { + analytics = { + reporting_enabled = false; + check_for_updates = false; + }; + + server = { + http_port = port; + http_addr = "0.0.0.0"; + domain = "graph.${domain}"; + enforce_domain = true; + }; + + "auth.anonymous".enabled = true; + "auth.basic".enabled = false; + + users = { + allow_signup = false; + }; + + database = { + type = "postgres"; + host = "/run/postgresql"; + name = "grafana"; + user = "grafana"; + ssl_mode = "disable"; + }; + + smtp = let + mailer = "grafana@${domain}"; + in { + enabled = true; + + user = mailer; + password = "$__file{" + config.sops.secrets.mailserver-grafana-nohash.path + "}"; + + host = "mail.${domain}:465"; + from_address = mailer; + startTLS_policy = "MandatoryStartTLS"; + }; + }; + provision = { + datasources.settings = { + datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9090"; + orgId = 1; + } + ]; + }; + }; + }; + }; + }; +} diff --git a/modules/common/types/server/services/monitoring/prometheus.nix b/modules/common/types/server/services/monitoring/prometheus.nix deleted file mode 100644 index 60e25799b..000000000 --- a/modules/common/types/server/services/monitoring/prometheus.nix +++ /dev/null 
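Review bot: `http_addr = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [port]` and `"auth.anonymous".enabled = true` exposes Grafana, and everything the provisioned Prometheus datasource can show, to any host that can reach port 3100 without a login; the file this replaces bound to 127.0.0.1. If Grafana is meant to sit behind a reverse proxy for `graph.${domain}`, `http_addr = "127.0.0.1";` and dropping the firewall entry restores that, and if direct access is intended then anonymous access should be a deliberate choice with read-only scope rather than a default. The datasource `url = "http://localhost:9090"` also does not match the Prometheus module in this patch, which sets `port = 9100`; `url = "http://localhost:${toString config.services.prometheus.port}";` keeps them in step. The `services.postgresql.ensureDatabases`/`ensureUsers` entries here duplicate those added to the postgresql module in the same patch; list merging makes it work, but one module should own them.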
@@ -1,44 +0,0 @@ -{ - config, - lib, - ... -}: let - inherit (lib) mkIf; - - cfg = config.modules.services.monitoring.prometheus; -in { - config = mkIf cfg.enable { - services = { - # Prometheus exporter for Grafana - prometheus = { - enable = true; - port = 9100; - # enabled exporters - exporters = { - node = { - enable = true; - port = 9101; - enabledCollectors = [ - "logind" - "systemd" - ]; - disabledCollectors = [ - "textfile" - ]; - openFirewall = true; - }; - }; - scrapeConfigs = [ - { - job_name = "test_job"; - static_configs = [ - { - targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; - } - ]; - } - ]; - }; - }; - }; -} diff --git a/modules/common/types/server/services/monitoring/prometheus/default.nix b/modules/common/types/server/services/monitoring/prometheus/default.nix new file mode 100644 index 000000000..a91b14978 --- /dev/null +++ b/modules/common/types/server/services/monitoring/prometheus/default.nix 
@@ -0,0 +1,69 @@ +{ + config, + lib, + ... +}: let + inherit (lib) mkIf; + + cfg = config.modules.services.monitoring.prometheus; +in { + config = mkIf cfg.enable { + services = { + # Prometheus exporter for Grafana + prometheus = { + enable = true; + port = 9100; + # enabled exporters + exporters = { + node = { + enable = true; + port = 9101; + enabledCollectors = [ + "logind" + "systemd" + ]; + disabledCollectors = [ + "textfile" + ]; + openFirewall = true; + }; + + redis = { + enable = true; + openFirewall = true; + port = 9002; + }; + + postgres = { + enable = true; + openFirewall = true; + port = 9003; + }; + }; + + scrapeConfigs = [ + { + job_name = "prometheus"; + scrape_interval = "30s"; + static_configs = [{targets = ["localhost:9090"];}]; + } + { + job_name = "node"; + scrape_interval = "30s"; + static_configs = [{targets = ["localhost:9100"];}]; + } + { + job_name = "redis_exporter"; + scrape_interval = "30s"; + static_configs = [{targets = ["localhost:9002"];}]; + } + { + job_name = "postgres"; + scrape_interval = "30s"; + static_configs = [{targets = ["localhost:9003"];}]; + } + ]; + }; + }; + }; +}
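Review bot: The scrape targets in the new `scrapeConfigs` do not match the ports configured a few lines above: Prometheus itself is set to `port = 9100` but the `prometheus` job scrapes `localhost:9090`, and the `node` job scrapes `localhost:9100` (Prometheus again) while the node exporter listens on `port = 9101`. Deriving them avoids the drift: `static_configs = [{targets = ["localhost:${toString config.services.prometheus.port}"];}];` for the prometheus job and `static_configs = [{targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];}];` for node, with the redis and postgres jobs reading `exporters.redis.port` and `exporters.postgres.port` the same way, as the removed file did for node. `openFirewall = true` on the node, redis and postgres exporters publishes host, database and cache metrics to the network even though every scrape here is over localhost; unless a remote Prometheus is planned, drop it. Separately, the redis servers in this patch require passwords and nothing visible passes one to the redis exporter, so those scrapes may fail authentication — worth checking.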