diff --git a/.sops.yaml b/.sops.yaml index dded97c..c092203 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -18,6 +18,9 @@ creation_rules: - *host-massicot - *host-thorite - *host-biotite + - *host-hk-00 + - *host-fra-00 + - *host-la-00 - path_regex: machines/calcite/secrets.yaml key_groups: - age: @@ -33,7 +36,7 @@ creation_rules: - age: - *xin - *host-massicot - - paht_regex: machines/biotite/secrets.yaml + - path_regex: machines/biotite/secrets.yaml key_groups: - age: - *xin @@ -45,11 +48,11 @@ creation_rules: - *host-thorite - path_regex: machines/dolomite/secrets/secrets.yaml key_groups: - - age: + - age: - *xin - - *host-la-00 - *host-hk-00 - *host-fra-00 + - *host-la-00 - path_regex: machines/dolomite/secrets/la-00.yaml key_groups: - age: @@ -60,7 +63,6 @@ creation_rules: - age: - *xin - *host-hk-00 - - path_regex: machines/dolomite/secrets/fra-00.yaml key_groups: - age: diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index 5021dc8..a507675 100644 --- a/machines/biotite/default.nix +++ b/machines/biotite/default.nix @@ -1,12 +1,13 @@ { - config, lib, - pkgs, ... }: { - imports = [ ./hardware-configurations.nix ]; + imports = [ + ./hardware-configurations.nix + ./services/gotosocial.nix + ]; networking.hostName = "biotite"; networking.useNetworkd = true; @@ -20,11 +21,28 @@ address = [ "2a03:4000:4a:148::1/64" ]; }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + commonSettings = { auth.enable = true; autoupgrade.enable = true; }; + custom.monitoring = { + promtail.enable = true; + }; + + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; + + services.caddy.enable = true; + services.tailscale.enable = true; + users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU."; system.stateVersion = "24.11"; diff --git a/machines/biotite/secrets.yaml b/machines/biotite/secrets.yaml new file mode 100644 index 0000000..5d8f181 --- /dev/null +++ b/machines/biotite/secrets.yaml @@ -0,0 +1,31 @@ +gotosocial: + oidc_client_secret: ENC[AES256_GCM,data:KVQxzs67sohax2h0Y/jjhnbY4fetrdVvWhBGbqgDSGgBC7QazrOmTA++BSRzMmVv,iv:HIRMc56aLanqQRTWH9E0wzzXymImi0pxK/ccPEP8Fcc=,tag:PMhOLeE3mKIIQveRdfpgpA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVXpUNXA3eEZEeGxpMmZT + L0lPUzYzNXlrS2JDbWlYNzJiYmwwYm1PSjFNCjAzSGluME1hd1Fnc0ZCNUhUMzdU + UHkwbmxwdTdVOFhIYUo3N0laVlJRV0EKLS0tIHR5NDJqQnI3ZkFGcmwwaHZwOGd2 + Y2gvVTRMc2RSd1UxWUdEWVZDRm5VbHMKLYJ59s2MDDokJRAAXoTAL1VTU4WKY8qS + GiXZu954JzacAR9Ey2GQTFdMN73Aw+PbiWw6cph33gZaOQt9/QA92w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3djErT0VVOU9ydmpjL01a + aDFQa2JiMVBURzhCZ0NBUDdaMDZCV2piUjI0ClBmSGJIallnTzdmV3RYZlNBK0Ji + K21qRkg0SDY3WkZ5bXFrWitBSGNEQ1EKLS0tIGhHMGRsZGNaL2hNWFdKUTJUUk1G + RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT + ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-02T05:10:32Z" + mac: ENC[AES256_GCM,data:ZAdFsjVuk1Fiv+DKmHrc1yu1XQpRDmRHaQhu5hduSZUa1W1cXdTlChvIW5vADFg5tVCjuYptuLvCMW+ZSQeqqG2ntHHZ+IkuovZzKFuc+BIiL/jF2ZzbyJ7X4Wj1GziCScHVxx98dgbpFoufHe6N3wCaHmngo1RYsY5N1RRbRdU=,iv:5IMQ0kOX9UAOm8bcsQRyu6zu8GJjvnHFufCNjY0s9UI=,tag:zBEPSR9DZDpwbCaIka8mXA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/machines/biotite/services/gotosocial.nix b/machines/biotite/services/gotosocial.nix new file mode 100644 index 0000000..743b3f7 --- /dev/null +++ b/machines/biotite/services/gotosocial.nix @@ -0,0 +1,46 @@ +{ config, ... }: +{ + sops.secrets."gotosocial/oidc_client_secret" = { + owner = "gotosocial"; + }; + + sops.templates."gotosocial.env" = { + owner = "gotosocial"; + content = '' + GTS_OIDC_CLIENT_SECRET=${config.sops.placeholder."gotosocial/oidc_client_secret"} + ''; + }; + + services.gotosocial = { + enable = true; + settings = { + log-level = "info"; + bind-address = "127.0.0.1"; + port = 19571; + host = "gts.xiny.li"; + account-domain = "xiny.li"; + letsencrypt-enabled = false; + instance-expose-public-timeline = true; + oidc-enabled = true; + oidc-idp-name = "Kanidm"; + oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gotosocial"; + oidc-client-id = "gotosocial"; + oidc-link-existing = true; + }; + environmentFile = config.sops.templates."gotosocial.env".path; + }; + + services.caddy = { + virtualHosts."https://gts.xiny.li".extraConfig = '' + encode zstd gzip + reverse_proxy * http://${config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port} { + flush_interval -1 + } + ''; + virtualHosts."https://xiny.li".extraConfig = '' + redir /.well-known/host-meta* https://gts.xiny.li{uri} permanent # host + redir /.well-known/webfinger* https://gts.xiny.li{uri} permanent # host + redir /.well-known/nodeinfo* https://gts.xiny.li{uri} permanent # host + ''; + }; +} diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 181c81f..27760b5 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -18,7 +18,6 @@ in commonSettings = { auth.enable = true; nix = { - enableMirrors = true; signing.enable = true; }; }; @@ -330,10 +329,6 @@ in system.switch.enable = false; system.switch.enableNg = true; - nix.extraOptions = '' - !include "${config.sops.secrets.github_public_token.path}" - ''; - sops.secrets = { "restic/repo_url" = { owner = "xin"; diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix index 23306c0..c50c1a9 100644 --- a/machines/dolomite/common.nix +++ b/machines/dolomite/common.nix @@ -2,6 +2,7 @@ { config = { sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { wg_private_key = { owner = "root"; @@ -33,6 +34,10 @@ node.enable = true; }; + custom.monitoring = { + promtail.enable = true; + }; + services.tailscale.enable = true; commonSettings = { diff --git a/machines/dolomite/fra.nix b/machines/dolomite/fra.nix index c5a8d02..6cb3c23 100644 --- a/machines/dolomite/fra.nix +++ b/machines/dolomite/fra.nix @@ -62,7 +62,5 @@ address = [ "185.217.108.59/24" ]; }; - custom.prometheus.enable = false; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml index 1cdd7e9..53a7131 100644 --- a/machines/dolomite/secrets/secrets.yaml +++ b/machines/dolomite/secrets/secrets.yaml @@ -1,6 +1,6 @@ sing-box: - password: ENC[AES256_GCM,data:aifvj/rBvmIF6M4SJ6j4rkw0J0oBGUmO,iv:C9KlVngh74z/VjjOGxnlpA4CqFv7TCSD3KSm2l/xGB4=,tag:10zUgbP2exTQ4KK0zeMM2A==,type:str] - uuid: ENC[AES256_GCM,data:ZPEqllAXeLMyVEp/6+9LSL346J2tiuM5tYs404/vp9rnkrvc,iv:Oy/U1c2sW5a2eQQxXAEjqaE85xX5rFapz9k/DtcZR+w=,tag:BHU+ScDBeWnctkDBRnm+4g==,type:str] + password: ENC[AES256_GCM,data:qCc1v8nAL0oYisRinMDXGrBQA+r6XNoa,iv:eTxtad4kEdE28XqnrZEek8BtXNY1rNgLvGLxlMzRtl4=,tag:s/shWAkYE4DSnScpTY8ulQ==,type:str] + uuid: ENC[AES256_GCM,data:lEpz15sLOVrGDzQwTJyS+tFJY0bMeO265bxocWAjB6qrvxYx,iv:lhk5jl/udUH3AZEuk5ffuvin/qhRUaOZ/3nk1Jaw+DI=,tag:4mKFIVKT+D47njfDsxe9iA==,type:str] sops: kms: [] gcp_kms: [] @@ -10,50 +10,41 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdCtZK2FVRTh3YVd3dm9m - ZWR5VVIvS3VOSGh2cmg2ZUFrYmNIdVNLSTNVCjlhVlJER1BZMlRUd1RkYnpvTE9F - bExGa1NBWWR0enBmUFJYVVA4UlI1cUkKLS0tIC8wa3FGRnFldVdTdkpBb2xQc3BD - cTlhNHplRUoyS3pxNnF0TVlFTy9kdzQK4kDSzSV4ZnELvCsajGwvsc/vzua2hbI1 - Vht7rmZ8Dl4Y3xEIXG7XVnWK2GOblpqZ/eza1T6kWEkXp2uCdQnM6Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dVV0U3kwSmdnTU1HcGpr - U2FKZVV1c1R6a3ovRGxoOUlrcUNWUUFHN25ZClBBTUZGeTc0Tkx1OXdaK1p6aWpr - aSsvN0ZDR1V3VnVrb1FBYzdHSTNXOVkKLS0tIFlSUk5LT1hVUUd1aVg1eVNTUURX - OXRVVmNRWEhmVXZkWC9HNTUyUTNrMlUK370K3D1vU97vHV9aGjYrFOIJzmOQAnzH - QR6XsOkM0FRvSkhTsEZ3qC4Wd2MTIyRzHYPKvZmz9LufIr1N/JFj1Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQT0YyeXI4d2o4V0lWUE4x - ZXZWWDFiakdqNlU5RWt6QUdxYVRSZzQyZkZBCi9Tdm5wRXB2cTYxdnVYRXJaS0d0 - Lzg3VWpqQ1NOb1NTYXE4RGVRZVZoM1UKLS0tIFdGM01VU3FEc0ZyeEN3bVM1WEZq - M3BFa1hoWkQyRkJqSlZiTnBwQWphemcKLTAza2y96h+IyWB2EN6e4WIFQqeL5E7p - CDmHr+hSt6u9cr8C/etljxGMbKf9GqFOeuCyPugrJGdu4/qlR5iE0g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxV0RYNXFMdlhqc0RhdHEx + bkNXT0tYYmpTK2NyUnpKRjQzVkpTMk4yVHlFClBaVHZoVXlqRXFxYStzR2U0MzVG + OHI0Qjl0amw0V2tneWtrUHpSYVg3VmMKLS0tIEpneDFuVWZ2TFUwN0QxZWJnVEE3 + SEhGMG9ac3gyb21Sa3V0cnB5SnppM1EKzfuKBAjPChde2UAEib3yE5Dczv3/UePL + rHHxxSr6kIPIwtcjJpJJxqndLSCegXaomZukxuble3Xt4Nl4sVhaFg== -----END AGE ENCRYPTED FILE----- - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFa1RHN2s4ajYzZmwvUlN2 - c05SdERTTEhPRnJWOUF6TExIMnBEZkVMb1I4CkxBeTRQWmZEOGNrcFlGV2wrMkhI - QnAwSzZPaWNWbmdnZmFjZVJyRVdzN2cKLS0tIHVMU3Z6a1MrV3BVV1hqbEdYODJu - cGgvNU05eGx4alRNT2d5MWp6Q3lWZDAKQ+D1niMzaso/lQwdmepvACF8/SDEt2mQ - 7nTRVJIpjGPTxO4ezcQWUGej+BSEnOoZno3epoIXLNlwDnHOAawTWQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ci91a1lQa0NXUFhZNWEr + cHlsQ093NHpESGdZN2xvdEUyZS9SKzBvSkhvClBZNG82OGR1WTZUUXhCb0ZyYmVX + UlZlaHNxL3Z0ZjZ2dVRoOEJibWVZR0EKLS0tIFpQMlQyaTY0bHVsUk9nekh4R2dK + YkhMdG9MbUpDZzJvcXE0bkpLeXZVT3cKLCgizqmjO1hueLvvAWVyZ9dPQcYOQHwW + pE//uiFFpjRsXLVB556ZyGYHn4osTfq73XYqvpsE4gsxT2scGxP/ZQ== -----END AGE ENCRYPTED FILE----- - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcHNReHZibVlrNUtncnl1 - SzczRGVFdUNvcFdqeWpZUk5FL0hwOS9LT3l3CnFLdXozcUxXYUpjUXJZWEtjMXo3 - d28reWd0Z1Y0NWdBTG1MTkRGSEphY2sKLS0tIGw5U3NiOU1DNitUd0x5SkJ3SHFj - RVpWNDNUb2d1SEZpQlFBK2tFVjFzU0kKtI7e+kkiBm1L/WzkBApRI8IIo3gHdrE1 - fzR+sbYEHWf95iEmb/oGlH++TrFW/zRXEyWPAi4ORTs7s/Ql1UC4Wg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VmdsdHJJc0pMOVFUSmV5 + MUJaNTVWZUVrd2RrMUQxYVA2UlRlallwSmxJCjVOQWZESnViZVMxTTZPMElocm1C + TGlsOW90UytISDlGQi9zaGlZQ3BPamcKLS0tIDQwMW9WbUl2c29sVWxSWUk3bHAr + R0tTMHlPUlgxNVg0YlFyMm1kSm9ReHcKCMO2+wSj5OQJ+ClRsPADL9Zfg7oN6AzJ + IgKibbO2MGx/S+6x5K/QGEvaFWqh6bAWDgvdq/9I1kaO+fMpsmMqCA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-22T05:51:19Z" - mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str] + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxR0tzQ2JuZkRrMGlWN0JJ + U3pwdHBmQ1N2NUlyT0s4REpmVFEyRk9XeFdrCkZQdXRPMktjYnZqc0trOGtNeHd1 + QjZXZlozaVhYRUZ1TzQ0QVRxb20xZEUKLS0tIEF4WVh6VTFVVVVuajlXUGRSS2tS + K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE + m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-02T05:26:17Z" + mac: ENC[AES256_GCM,data:K94zFWPWGUisLCqDjSLs17QxHXPH4tPU/98Sb4lCnt7IRAIn14x/T+BnInY/DK+DOVLLtzSfuN0kgzzGjSzwJx5Vq1G3MkhngRQQRT9dvODTCMAw6lPt98Ofw1CEEsFQnpYo9zIUlCGKg2YPKFLqE7OjkPxqw7VYvgzr5dDw58s=,iv:3xcJfNX5v/e9HgZt3UrHs2/C5ivaBV1rXKIBs9hKKFg=,tag:RQPQQ1cmZiOpQjUwqnzZQA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index a1e69a0..14dc9d9 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -43,6 +43,10 @@ in environmentFile = config.sops.secrets.hedgedoc_env.path; }; + custom.monitoring = { + promtail.enable = true; + }; + custom.prometheus.exporters = { enable = true; blackbox = { diff --git a/machines/osmium/default.nix b/machines/osmium/default.nix index 823d2f0..8378b1c 100644 --- a/machines/osmium/default.nix +++ b/machines/osmium/default.nix @@ -51,7 +51,7 @@ }; commonSettings = { - nix.enableMirrors = true; + nix.enable = true; auth.enable = true; }; diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 234d0e9..2d9d25a 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -9,7 +9,7 @@ imports = [ ./hass.nix ]; commonSettings = { - nix.enableMirrors = true; + nix.enable = true; auth.enable = true; }; diff --git a/machines/secrets.yaml b/machines/secrets.yaml index e179455..69456c4 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -10,47 +10,74 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUUtKcU0va1F3SjFzcktl - S0FJNHlTUzBkMWlydGRjM1Y4SGd2SXpMVTJRCmtRSW9wNW9xMDBaQ0YzUWM4YjRz - SVRDNHRjNG5hTHBOOHorTTlJU1BwY1EKLS0tIEpLREJ1VzFaalczZlhKaitHVTJU - MDdJaVBtVmw4WTlBUEF5WXJSVFRFeDAKnvF6CmnU8hxXSdKQPUJqPT7Dewl4REOH - wDQELRaDkMPMKEOAc6wCmXNErvj/I7w7wuvB5WxtanC7g4IEphD6aA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMHB1bFQ3dWJIU3NiOVVP + Yi9LZE1PTVdMY1BqS1JHV3VPLzZIY0hGK0NZClNlclVXKzBvNTBrTlhiR0VsaVoz + RlVLNVBEVDgzSXB5ZGxDd3hqNDh2V2MKLS0tIEhBZHFUY3c2VXJBVEVKamZ6TzBa + MlFsNnVEV0xCdlJoRnBhUHF2MmswUEUKNYD9zssGBy9SaKeOMvTz71B6KMPW87cM + tFJzgnQceEQF658lVa5cCzG1gzraCgBtQU15XzC7e8zWI9CHquRRlQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS2xqbWp0NkFMVm1Cci82 - d0ZmRXdRc2FFSklHNnZtV1Z0REFIelZDQ1U4CllmdllNVnp3WmpCeDNBRzVFbVR5 - WkJFMGs5ZWJEK1lSWDQwYUdOdFJseGcKLS0tIEZUU254aWtYdWthL3I2UkJ0eklj - WHhrRlRvLzlmY0REYktGSlh3MENzRzgKzO1XqXhcXAxfn86+IY+ccBII1SGYctAk - +ArpGmXaf53RFmPLSzMGNaiJzfhqk9U9bn3WV9CFdaA7Rtec0ZAcNw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTTnZLTlZQRzc1enVEa1BN + SHdoSi9oOXk4UTV0SlRZS2tLS2FFL3VjNzNNClVWTTNKekF6T0RTUzdEeWhLbHoz + WFZKaHJEaVBWa04zRWRiVnJZRjU0YVEKLS0tIFJVL0FEemowS3V6MmsxbWJMU2I1 + U2NnUnVKdFlRSGVzUFQ4ZFcwL0lWTlkKz1t3yqjgIdMWS/Nsy2nq3oCjOhGDP+UT + L+LAuFExJPV0qlsOG/kCGB/WtCJfnBvcp6vPDBLqjK8NllIX/iPI5g== -----END AGE ENCRYPTED FILE----- - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycmppSGR1YTMzTTJQSmx0 - eFlRQWpPRTR1L042MXlqd3dURStjaUZjR1M4Ci9VdzZkSmN3d1BDNTlJdXNSenhZ - MDE1VktBN252L2FYMjJmNEFITGptM3MKLS0tIDNYOEZqNjM1VCtEWDlGdzYveG5j - dEp2bmVQMmV5ZU9Jb3FFSDFoT2NJOE0Kx1ZifyU2WLoHeUmqP9oCUmIl6ZJeytGB - WPMJKcNtuJHL1OWhT0wMiv6NEF5UaYXIlCqSVtXAMy554G4JlX5tQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETWpkcjhINktqeGxjdWxz + UTVVNC9kalorcVJOdHpJSkZJNXlGUHZ2VUdrCjRCclBTZnJEZ3JGOVpqS1Y0b0dt + eldFMS91WUc2Y1FnWWZoN0grc01pT0UKLS0tIC96TjlEaVBGRkZhZ0hac2lmbEdI + eHMzTFhsQ0FqY05uUEZSbExCcmdscEkKdxITlc0V5ayq+9fmj77SnEMFxKJhOOta + RfJhOQUv8g3nCN+SsuaOy0TitUCiDWh5XoB0DufEQPcS/kzGZN1Inw== -----END AGE ENCRYPTED FILE----- - recipient: age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OGlRWVM0Z01pYjdqYjEy - TGdhNFhpNEUwSFZaeHNwRkpraFF5RTU2SXhnCm5YWmM5SmdERzZBWTgva1E4MDFm - N0xyUExGV0MvbFF3M0ZRSVEydFNUSGMKLS0tIGxxNWhsSEt4WDR2a2hId1JkVFE3 - enJ6MzJxR0I4eStSQk9ON0dsdjFmRkEKBSGkv1O0vgHSsU3+6AGN7bKQ5lpN7AMT - eqEgWx7juZ7hKzLq1HMbiT61l0FrJNHEMfn15bzn7GsK5YJQvfiq9w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydlQ4S1duQU53Wk1nd21K + d2RqM1F0VDFJVXB2aGRTZ2hxczI2V1lndVdrCjArVlE2N0RGZ0htUEZYdVlQMlU5 + SWIwWHVCaWxaQTJMNzg3WC8xRS9IYzgKLS0tIDRvSS8ybVlrSy9zYjQ2NXBaMlZk + Ulg4cUFBejRoS3VEWkRaZEUxMExUeWMKNeq6TN1gaBNU9vAitGttcU+8HmFQipdm + LPwo4/toyf27emb4KGs0AV0Dm4Sxj9S3Xvrv1B+qvhfT638/RIUm2w== -----END AGE ENCRYPTED FILE----- - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeVlxRk1PZUpUVm1xckRu - ZmMzdHdvKzExaTQxVHYvYjIvblo3b1ZORFJrCkpVdHFLbCtNS0xnamJ0T250YzUy - Uy9Xd0tMa3FSVlRkQXFaTWJVem9uWGsKLS0tIFRmT0VzL0hlLzkrRTZxcWtLN3Qv - YVMya3dUazFyaWRNNDJ3OVNIVXJLVTQK+7MxkmBjPszozXUO+zVaWdsovDmhWAfz - 8puIpXpWZY09BkS0vs4oNhiVA9PD11TBIVCEbC5E1TwpwboMXBYhCQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YXpyOXE3MFovWEQvMVRr + TGVST3U0N2dCVDJGT1A3eUtlRis3bFEvTHlFClZHQ2xRWklMMCtER01QNEVHaVYr + MC94V3R4MVdNdUU3eXQ2RGFFVGo4VFEKLS0tIDQ4b2ZuMy9URUswWUZqNHlxandU + OFducVVzdGZGY0tnbFFBZDdjVzVkaUEKN8qAbbrd4pAHRGIN8O64fl7bQ6hx6Isr + Qx0xKeuhJCVXgtE8xc7xmnEhqrcONlflJ/XUnYV9jOkB71zSBJxruA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzczdPMDdWU1ZtckJRQm5j + UWJub0Yzd3NzOEh4YWdId01nYWI1YVY3dng0ClpEYXBJV2cvWEdjdXcwUFI3Y0NG + MDgvTmNZOXRQQndyVmRHamNRbzVaVU0KLS0tIGFKVTI4TkE2UjhDUSsxQTlNQ0Vk + QmFMNnlqbnhScC90T012K1QxRnRUOHcKAV7NxUn0CMcjKwK8zrocoLO1P9jc22uG + eG+vdJ6xzA99UX51aPxQOeEJgdFPEd3y1QJszQmRzThvid7y4lv0Cw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsVmpzenRvWE5EK2wzRFkx + SERZV0s1Rkt0ZnZ1U3JQSFNhdGVvaWhWcTA4CjVxK0Z0MHI0ZnMrUS9YYWhTTG1z + L2lVS1Q2UkVQd2x5b1E1eWpQVGp2ZHMKLS0tIHNLOGhTYjkzWkFEM05wYkRZeXFQ + SXNTSGZZSFE2bFhybXdIc1FUb1ZBd0kKkYzflPRk6GrE6t9oVGOzc8xcyZDxiIw8 + 9SVXIgV0WVpY4lnFKYKH2i4+1sIm6tKOpizlQxTg5VgmmrTtfazWAA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NHpkOTFHaXRhVGNua0dV + alRieWJ6WG5ZNzlvcTR2aTVUeWFBVGVVUUNZCnY2VUZUOWVlNGY1ZldyVGE2bkpi + VXVtQ3IyK0kyV1cyMU5nN1lYaW1oOUkKLS0tIFRVRGFCNWlGendSVEhHY0w0QTl6 + emJEQkQ3QlU0TFVWaW1uQytaUndmQlEKKahqJpX8vI+PASOzzod/sFvXSkQFnJ9O + YmnmiFxm5WZDPLHwkgVx8FgCq9RfAad4HybhsMjYPKXJ/fNa/WVZRA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-30T06:31:42Z" mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str] diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index 2f2b685..bc10492 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -14,6 +14,8 @@ with my-lib; custom.monitoring = { grafana.enable = true; + loki.enable = true; + promtail.enable = true; }; services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig = diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index b2c761d..b694f40 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -18,7 +18,6 @@ auth.enable = true; nix = { enable = true; - enableMirrors = true; }; }; diff --git a/modules/nixos/common-settings/mainland.nix b/modules/nixos/common-settings/mainland.nix new file mode 100644 index 0000000..3adedf1 --- /dev/null +++ b/modules/nixos/common-settings/mainland.nix @@ -0,0 +1,38 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + inherit (lib) + mkIf + mkOption + types + mkDefault + ; + + cfg = config.inMainland; +in +{ + options.inMainland = mkOption { + type = types.bool; + default = config.time.timeZone == "Asia/Shanghai"; + }; + + config = mkIf cfg { + nix.settings.extra-substituters = [ + "https://mirrors.cernet.edu.cn/nix-channels/store?priority=20" + ]; + + networking.timeServers = [ + "cn.ntp.org.cn" + "ntp.ntsc.ac.cn" + ]; + + services.dae = { + enable = mkDefault true; + }; + }; +} diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix index 96759bc..1af1419 100644 --- a/modules/nixos/common-settings/nix-conf.nix +++ b/modules/nixos/common-settings/nix-conf.nix @@ -21,7 +21,6 @@ in default = true; type = types.bool; }; - enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China"; signing = { enable = mkEnableOption "Sign locally-built paths"; keyFile = mkOption { @@ -55,10 +54,6 @@ in "https://cache.garnix.io" ]; - extra-substituters = mkIf cfg.enableMirrors [ - "https://mirrors.cernet.edu.cn/nix-channels/store?priority=20" - ]; - trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix index 5ed0416..b54774a 100644 --- a/modules/nixos/common-settings/proxy-server.nix +++ b/modules/nixos/common-settings/proxy-server.nix @@ -9,8 +9,6 @@ let mkIf mkEnableOption mkOption - mkDefault - types ; cfg = config.commonSettings.proxyServer; @@ -26,6 +24,9 @@ let mkSingConfig = { uuid, password, ... }: { + log = { + level = "warn"; + }; inbounds = [ { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index f96c4c9..4669a94 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -4,6 +4,7 @@ ./common-settings/autoupgrade.nix ./common-settings/nix-conf.nix ./common-settings/proxy-server.nix + ./common-settings/mainland.nix ./disk-partitions ./restic.nix ./vaultwarden.nix diff --git a/modules/nixos/monitor/default.nix b/modules/nixos/monitor/default.nix index f426d1c..249f13b 100644 --- a/modules/nixos/monitor/default.nix +++ b/modules/nixos/monitor/default.nix @@ -28,6 +28,7 @@ in imports = [ ./exporters.nix ./grafana.nix + ./loki.nix ]; options = { diff --git a/modules/nixos/monitor/loki.nix b/modules/nixos/monitor/loki.nix new file mode 100644 index 0000000..324235f --- /dev/null +++ b/modules/nixos/monitor/loki.nix @@ -0,0 +1,166 @@ +{ + config, + lib, + ... +}: +let + inherit (lib) + mkEnableOption + mkIf + mkMerge + ; + cfg = config.custom.monitoring; + port-loki = 3100; +in +{ + options = { + custom.monitoring = { + loki.enable = mkEnableOption "loki"; + promtail.enable = mkEnableOption "promtail"; + }; + }; + + config = mkMerge [ + (mkIf cfg.loki.enable { + services.loki = { + enable = true; + configuration = { + auth_enabled = false; + server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; + server.http_listen_port = port-loki; + + common = { + ring = { + instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; + kvstore.store = "inmemory"; + }; + replication_factor = 1; + path_prefix = "/var/lib/loki"; + }; + + schema_config.configs = [ + { + from = "2024-12-01"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + + storage_config = { + filesystem.directory = "/var/lib/loki/chunks"; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + allow_structured_metadata = false; + }; + }; + }; + }) + (mkIf cfg.promtail.enable { + services.promtail = { + enable = true; + configuration = { + + server = { + http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; + http_listen_port = 28183; + grpc_listen_port = 0; + }; + + positions.filename = "/tmp/positions.yml"; + + clients = [ + { + url = "http://thorite.coho-tet.ts.net:${toString port-loki}/loki/api/v1/push"; + } + ]; + + scrape_configs = [ + { + job_name = "journal"; + # Copied from Mic92's config + journal = { + max_age = "12h"; + json = true; + labels.job = "systemd-journal"; + }; + pipeline_stages = [ + { + json.expressions = { + transport = "_TRANSPORT"; + unit = "_SYSTEMD_UNIT"; + msg = "MESSAGE"; + coredump_cgroup = "COREDUMP_CGROUP"; + coredump_exe = "COREDUMP_EXE"; + coredump_cmdline = "COREDUMP_CMDLINE"; + coredump_uid = "COREDUMP_UID"; + coredump_gid = "COREDUMP_GID"; + }; + } + { + # Set the unit (defaulting to the transport like audit and kernel) + template = { + source = "unit"; + template = "{{if .unit}}{{.unit}}{{else}}{{.transport}}{{end}}"; + }; + } + { + regex = { + expression = "(?P[^/]+)$"; + source = "coredump_cgroup"; + }; + } + { + template = { + source = "msg"; + # FIXME would be cleaner to have this in a match block, but could not get it to work + template = "{{if .coredump_exe}}{{.coredump_exe}} core dumped (user: {{.coredump_uid}}/{{.coredump_gid}}, command: {{.coredump_cmdline}}){{else}}{{.msg}}{{end}}"; + }; + } + { labels.coredump_unit = "coredump_unit"; } + { + # Normalize session IDs (session-1234.scope -> session.scope) to limit number of label values + replace = { + source = "unit"; + expression = "^(session-\\d+.scope)$"; + replace = "session.scope"; + }; + } + { labels.unit = "unit"; } + { + # Write the proper message instead of JSON + output.source = "msg"; + } + # silence nscd: + # ignore random portscans on the internet + { drop.expression = "refused connection: IN="; } + ]; + relabel_configs = [ + { + source_labels = [ "__journal__hostname" ]; + target_label = "host"; + } + ]; + } + # { + # job_name = "caddy-access"; + # file_sd_configs = { + # files = [ + # "/var/log/caddy/*.log" + # ]; + # refresh_interval = "5m"; + # }; + # } + ]; + }; + }; + }) + ]; +}