diff --git a/flake.nix b/flake.nix
index 446781c..06a1e26 100755
--- a/flake.nix
+++ b/flake.nix
@@ -105,7 +105,7 @@
 targetHost = "dallas.tg.lan";
 targetUser = "deploy";
 tags = [
- "relay"
+ "relay-amd64"
 ];
 };
 imports =
@@ -218,7 +218,7 @@
 targetHost = "bratwurst.tg.lan";
 targetUser = "deploy";
 tags = [
- "relay"
+ "relay-arm"
 ];
 };
 nixpkgs.system = "aarch64-linux";
diff --git a/modules/haproxy_common.nix b/modules/haproxy_common.nix
new file mode 100644
index 0000000..3623170
--- /dev/null
+++ b/modules/haproxy_common.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ systemd.tmpfiles.rules = [
+ "d /var/lib/haproxy 770 ${config.services.haproxy.user} ${config.services.haproxy.group}"
+ ];
+ services.haproxy = {
+ enable = true;
+ };
+ systemd.services.haproxy = {
+ serviceConfig = {
+ AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_NET_RAW";
+ };
+ environment = {
+ PROMETHEUS_PORT = "8405";
+ };
+ };
+}
diff --git a/systems/edge-nodes/modules/haproxy_base/default.nix b/systems/edge-nodes/modules/haproxy_base/default.nix
index d759fc6..88adcac 100644
--- a/systems/edge-nodes/modules/haproxy_base/default.nix
+++ b/systems/edge-nodes/modules/haproxy_base/default.nix
@@ -1,26 +1,11 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- systemd.tmpfiles.rules = [
- "d /var/lib/haproxy 770 ${config.services.haproxy.user} ${config.services.haproxy.group}"
+{...}: {
+ imports = [
+ ../../../../modules/haproxy_common.nix
 ];
 services.haproxy = {
- enable = true;
 config = "# ==== GLOBAL CONFIG ====\n" + builtins.readFile ./haproxy.conf;
 };
- systemd.services.haproxy = {
- serviceConfig = {
- AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_NET_RAW";
- };
- environment = {
- PROMETHEUS_PORT = "8405";
- };
- };
 services.tailscale.useRoutingFeatures = "server"; # IP Forwarding
 }
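Review bot: `AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";` in modules/haproxy_common.nix misspells the capability (the `CapabilityBoundingSet` line directly below spells `CAP_NET_BIND_SERVICE` correctly), and the consolidation copies the typo from both removed haproxy_base modules into the one shared file. As far as I can tell systemd drops a capability name it cannot parse, so the ambient set would hold only CAP_NET_RAW, and because `mkForce` discards whatever the NixOS haproxy module sets (the `mkForce` suggests it does set something), haproxy running as its own user could fail to bind a privileged port. Change it to `AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE CAP_NET_RAW";`. A short comment on why CAP_NET_RAW is granted in addition would also help, since it is an extra privilege that the bounding set now permits on every host importing this module.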
diff --git a/systems/game-servers/modules/haproxy_base/default.nix b/systems/game-servers/modules/haproxy_base/default.nix
index 72dd4bd..3054343 100644
--- a/systems/game-servers/modules/haproxy_base/default.nix
+++ b/systems/game-servers/modules/haproxy_base/default.nix
@@ -1,27 +1,16 @@
 {
- config,
 pkgs,
 lib,
 ...
 }: {
- systemd.tmpfiles.rules = [
- "d /var/lib/haproxy 770 ${config.services.haproxy.user} ${config.services.haproxy.group}"
+ imports = [
+ ../../../../modules/haproxy_common.nix
 ];
 services.haproxy = {
- enable = true;
 config = "# ==== GLOBAL CONFIG ====\n" + builtins.readFile ./haproxy.conf;
 };
- systemd.services.haproxy = {
- serviceConfig = {
- AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_NET_RAW";
- };
- environment = {
- PROMETHEUS_PORT = "8405";
- };
- };
 services.tailscale.useRoutingFeatures = lib.mkForce "both"; # IP Forwarding
 networking.iproute2 = {
diff --git a/systems/game-servers/systems/tgsatan/modules/grafana/default.nix b/systems/game-servers/systems/tgsatan/modules/grafana/default.nix
index 77d8472..aa555ff 100644
--- a/systems/game-servers/systems/tgsatan/modules/grafana/default.nix
+++ b/systems/game-servers/systems/tgsatan/modules/grafana/default.nix
@@ -13,12 +13,11 @@
 owner = "${config.systemd.services.grafana.serviceConfig.User}";
 };
- networking.firewall.allowedTCPPorts = [
- 3000
- ];
- networking.firewall.allowedUDPPorts = [
- 3000
- ];
+ age.secrets.grafana_admin = {
+ file = ../../secrets/grafana_admin.age;
+ owner = "${config.systemd.services.grafana.serviceConfig.User}";
+ };
+
 services.grafana = {
 enable = true;
 dataDir = "/persist/grafana";
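Review bot: The new `owner = "${config.systemd.services.grafana.serviceConfig.User}";` in the `age.secrets.grafana_admin` block wraps a single value in string interpolation, which is a style point: if `serviceConfig.User` is already a string (it is for the NixOS grafana module as far as I know) the plain reference `owner = config.systemd.services.grafana.serviceConfig.User;` says the same thing and avoids the coercion. The same form is used on the context line above for the existing secret, so either fix both together or leave both as they are for consistency.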
@@ -26,11 +25,21 @@
 settings = {
 analytics.reporting_enabled = false;
+ security = {
+ admin_email = "admin@tgstation13.org";
+ admin_username = "admin";
+ admin_password = "$__file{${config.age.secrets.grafana_admin.path}}";
+ strict_transport_security = true;
+ };
+
 server = {
 http_addr = "100.64.0.1"; # tailscale IP
 http_port = 3000;
+ protocol = "https";
 enforce_domain = false;
 enable_gzip = true;
+ domain = "tgsatan.tg.lan";
+ cookie_secure = true;
 };
 database = {
diff --git a/systems/game-servers/systems/tgsatan/modules/monitoring/prometheus.nix b/systems/game-servers/systems/tgsatan/modules/monitoring/prometheus.nix
index 298e6a1..c29a41d 100644
--- a/systems/game-servers/systems/tgsatan/modules/monitoring/prometheus.nix
+++ b/systems/game-servers/systems/tgsatan/modules/monitoring/prometheus.nix
@@ -5,7 +5,7 @@
 }: let
 systemdPromPort = toString config.services.prometheus.exporters.systemd.port;
 nodeExporterPort = toString config.services.prometheus.exporters.node.port;
- # Needs moved into a common config
+ # Needs to be moved into a common config
 tgsPromPort = "5001";
 prAnnouncerPort = "5004";
 # The following is already a string, so no need to convert it
@@ -15,18 +15,12 @@ in {
 enable = true;
 globalConfig.scrape_interval = "10s";
 scrapeConfigs = [
- {
- job_name = "tgsatan_node";
- static_configs = [
- {targets = ["tgsatan.tg.lan:${toString config.services.prometheus.exporters.node.port}"];}
- ];
- }
 {
 job_name = "tgsatan_gpu_1";
 static_configs = [{targets = ["tgsatan.tg.lan:9400"];}];
 }
 {
- job_name = "tgsatan_caddy";
+ job_name = "caddy";
 static_configs = [{targets = ["tgsatan.tg.lan:2019"];}];
 }
 # {
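Review bot: `protocol = "https";` is added to the `server` block without `cert_file` and `cert_key`; Grafana refuses to start its listener when `cert_file` is empty under HTTPS, so unless those two settings are defined outside this hunk the service will not come up after this change. Either add them next to `protocol` (`cert_file = "<path to cert>"; cert_key = "<path to key>";`, with the key delivered through an age secret like `grafana_admin` rather than a path literal, which would be copied into the Nix store) or keep `protocol = "http"` on the tailscale-only `http_addr`. `strict_transport_security = true` and `cookie_secure = true` are consistent with an HTTPS-only listener and should stay once the certificate is in place. The `settings` attrset continues past the end of the hunk.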
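Review bot: `job_name = "caddy";` changes the `job` label on every series this target produces, so any dashboard, recording rule or alert that selects `job="tgsatan_caddy"` stops matching once the old samples age out; if such references exist they need the same rename, otherwise keep the old name. Removing the `tgsatan_node` job also drops the only scrape of tgsatan's node exporter visible in this hunk — if nothing else in `scrapeConfigs` targets `tgsatan.tg.lan:${nodeExporterPort}`, host metrics for tgsatan disappear with this commit. The `scrapeConfigs` list continues outside the hunk, so this may be covered there.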
@@ -93,18 +87,18 @@ in {
 }
 ];
 }
- {
- job_name = "systemd relay node";
- static_configs = [
- {
- targets =
- [
- "warsaw.tg.lan:${systemdPromPort}"
- ]
- ++ (import ./relay-nodes.nix) systemdPromPort;
- }
- ];
- }
+ # {
+ # job_name = "systemd relay node";
+ # static_configs = [
+ # {
+ # targets =
+ # [
+ # "warsaw.tg.lan:${systemdPromPort}"
+ # ]
+ # ++ (import ./relay-nodes.nix) systemdPromPort;
+ # }
+ # ];
+ # }
 {
 job_name = "stats relay node";
 static_configs = [
diff --git a/systems/game-servers/systems/tgsatan/modules/monitoring/relay-nodes.nix b/systems/game-servers/systems/tgsatan/modules/monitoring/relay-nodes.nix
index 8f8c4ab..4df89a9 100644
--- a/systems/game-servers/systems/tgsatan/modules/monitoring/relay-nodes.nix
+++ b/systems/game-servers/systems/tgsatan/modules/monitoring/relay-nodes.nix
@@ -9,7 +9,8 @@
 if (builtins.hasAttr "deployment" values) && (builtins.hasAttr "tags" values.deployment)
- && (builtins.elem "relay" values.deployment.tags)
+ && (builtins.elem "relay-amd64" values.deployment.tags
+ || builtins.elem "relay-arm" values.deployment.tags)
 then values.deployment.targetHost + ":" + (toString portNum) else "" )
diff --git a/systems/game-servers/systems/tgsatan/secrets/grafana_admin.age b/systems/game-servers/systems/tgsatan/secrets/grafana_admin.age
new file mode 100644
index 0000000..c0972f7
--- /dev/null
+++ b/systems/game-servers/systems/tgsatan/secrets/grafana_admin.age
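Review bot: The `systemd relay node` job is commented out rather than deleted, leaving twelve lines of dead configuration with no explanation, which is a style point since the history already preserves the block. Either remove it or replace it with a single line stating why it is off, e.g. `# systemd relay-node scrape disabled: <reason> — re-enable once resolved`. The `stats relay node` job that follows presumably still uses `(import ./relay-nodes.nix)`, but its `static_configs` run past the end of the hunk so I cannot confirm that here.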
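Review bot: The tag filter now names `relay-amd64` and `relay-arm` explicitly, so every new relay tag introduced in flake.nix must also be added here or the host silently drops out of the generated target list. A prefix test keeps the two files decoupled and replaces both added lines: `&& (builtins.any (t: builtins.substring 0 5 t == "relay") values.deployment.tags)`. If the intent is that only those two exact tags count, a one-line comment saying so next to the condition would stop the next reader from "fixing" it. The surrounding function starts outside this hunk.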
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 WbbH6w 57QfQbn8D1Lgm7lVla8Qvnk3vPIVbpvzZEisAW4SihQ ++GY8Ntswu6COVPs9MyFZC7bfB17tpXYFreww1ujzUnw +-> ssh-ed25519 tfxpqw UZ2TfxX7OYA79idI3+9ZfdcS1DkoppmgQVihl/zXdTE ++GTYJsqHAeMgqLTG6C1y8RTIaP7+ep1jxpd77LpYKIc +-> ssh-ed25519 YWFjQA ZBV5VL14FfUxnLigumQX0lIEim5GnBfv3xfF+wcsQAI +6FdP32TTO3SqXBvIxNgBJmk8FOJYt7WTsLAIgc1DEdA +-> ssh-ed25519 ngdYpA cOjh7jWQ+lydyN+t5e+WCQTECj4gcVZEekr+XZUvFTQ +NwT2omlrnxyzya6T4QzKfg1x4KTjbjpdrHYdqEKFOsE +-> ssh-ed25519 Iss0Mw ZtbnDx4UWS06VYqCrSSJ2stoicwkkGAh1EzOp0CKyk0 +Ae4KYK71ZQlo1YqhrsAb24CcR1NDpR9heodBO9OiE+I +-> ssh-ed25519 lMQWBQ 1m1zF3oIYLaIV/w3ZRWoEeccP/XX8JoXzqTS6Yw7+WQ +clFUgktsK55kE/B8lZBMSHBdlvRVM9lcpxuBsbOqQ1A +-> ssh-ed25519 8Y0Pbw A3OVARjvv06IOoVWXAZyT3ZL9mVXeNLEUpiDkQsb9wA +qNFPOTMMSYQ9iSioui3QtRmE711f+vbo/fW5YO+ks+Q +-> ssh-ed25519 0A43Cw 2t9NnK3Q7yFZpih/XsV8eDJVa1QQ4qboJSZ1AkU34nw +bPXnD5ZUv+lasYNquDmMIY45G2A442ffKYX+zm4wrI4 +-> ssh-ed25519 nd8Xaw hcBEChDOgV8yP4cZ2yF7ay5XSmRl1zD+H11r8Gz8EFw +D4MhAlQd5FoR5nZXP1TIFPCrcYq5HqUeAOPRV4aTkak +-> ssh-ed25519 1zD9Mg 6rYzGqauobBIES6SmFHR4cCFVVwUHg0Lz5LwtxRIYRQ +IvVsfBR88BnhWi6xmDcqRw1+rI0z8LqtWgTnSXIwAdU +--- pI1LqLKWKz7iBhro6Vp+vBx7e/RVp1qNn/yYB8Eo7f4 + Ur[?;@7gB:b+w'= }ϵS5>ø> +#ޥE;iӤ \ No newline at end of file diff --git a/systems/game-servers/systems/tgsatan/secrets/secrets.nix b/systems/game-servers/systems/tgsatan/secrets/secrets.nix index 699633d..7d8e01a 100644 --- a/systems/game-servers/systems/tgsatan/secrets/secrets.nix +++ b/systems/game-servers/systems/tgsatan/secrets/secrets.nix @@ -28,4 +28,5 @@ in { # Grafana "grafana_db.age".publicKeys = users ++ systems; "grafana_smtp.age".publicKeys = users ++ systems; + "grafana_admin.age".publicKeys = users ++ systems; }