modules/monitoring: add loki and promtail

2024-12-02 14:44:26 +08:00 · 2024-12-02 14:44:26 +08:00 · 4b5b41b05a
commit 4b5b41b05a
parent 92db38383e
20 changed files with 406 additions and 86 deletions
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@ -1,12 +1,13 @@
 {
-  config,
  lib,
-  pkgs,
  ...
 }:

 {
-  imports = [ ./hardware-configurations.nix ];
+  imports = [
+    ./hardware-configurations.nix
+    ./services/gotosocial.nix
+  ];

  networking.hostName = "biotite";
  networking.useNetworkd = true;
@ -20,11 +21,28 @@
    address = [ "2a03:4000:4a:148::1/64" ];
  };

+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
  commonSettings = {
    auth.enable = true;
    autoupgrade.enable = true;
  };

+  custom.monitoring = {
+    promtail.enable = true;
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+
+  services.caddy.enable = true;
+  services.tailscale.enable = true;
+
  users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU.";

  system.stateVersion = "24.11";
--- a/machines/biotite/secrets.yaml
+++ b/machines/biotite/secrets.yaml
@ -0,0 +1,31 @@
+gotosocial:
+    oidc_client_secret: ENC[AES256_GCM,data:KVQxzs67sohax2h0Y/jjhnbY4fetrdVvWhBGbqgDSGgBC7QazrOmTA++BSRzMmVv,iv:HIRMc56aLanqQRTWH9E0wzzXymImi0pxK/ccPEP8Fcc=,tag:PMhOLeE3mKIIQveRdfpgpA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVXpUNXA3eEZEeGxpMmZT
+            L0lPUzYzNXlrS2JDbWlYNzJiYmwwYm1PSjFNCjAzSGluME1hd1Fnc0ZCNUhUMzdU
+            UHkwbmxwdTdVOFhIYUo3N0laVlJRV0EKLS0tIHR5NDJqQnI3ZkFGcmwwaHZwOGd2
+            Y2gvVTRMc2RSd1UxWUdEWVZDRm5VbHMKLYJ59s2MDDokJRAAXoTAL1VTU4WKY8qS
+            GiXZu954JzacAR9Ey2GQTFdMN73Aw+PbiWw6cph33gZaOQt9/QA92w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3djErT0VVOU9ydmpjL01a
+            aDFQa2JiMVBURzhCZ0NBUDdaMDZCV2piUjI0ClBmSGJIallnTzdmV3RYZlNBK0Ji
+            K21qRkg0SDY3WkZ5bXFrWitBSGNEQ1EKLS0tIGhHMGRsZGNaL2hNWFdKUTJUUk1G
+            RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT
+            ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-02T05:10:32Z"
+    mac: ENC[AES256_GCM,data:ZAdFsjVuk1Fiv+DKmHrc1yu1XQpRDmRHaQhu5hduSZUa1W1cXdTlChvIW5vADFg5tVCjuYptuLvCMW+ZSQeqqG2ntHHZ+IkuovZzKFuc+BIiL/jF2ZzbyJ7X4Wj1GziCScHVxx98dgbpFoufHe6N3wCaHmngo1RYsY5N1RRbRdU=,iv:5IMQ0kOX9UAOm8bcsQRyu6zu8GJjvnHFufCNjY0s9UI=,tag:zBEPSR9DZDpwbCaIka8mXA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/machines/biotite/services/gotosocial.nix
+++ b/machines/biotite/services/gotosocial.nix
@ -0,0 +1,46 @@
+{ config, ... }:
+{
+  sops.secrets."gotosocial/oidc_client_secret" = {
+    owner = "gotosocial";
+  };
+
+  sops.templates."gotosocial.env" = {
+    owner = "gotosocial";
+    content = ''
+      GTS_OIDC_CLIENT_SECRET=${config.sops.placeholder."gotosocial/oidc_client_secret"}
+    '';
+  };
+
+  services.gotosocial = {
+    enable = true;
+    settings = {
+      log-level = "info";
+      bind-address = "127.0.0.1";
+      port = 19571;
+      host = "gts.xiny.li";
+      account-domain = "xiny.li";
+      letsencrypt-enabled = false;
+      instance-expose-public-timeline = true;
+      oidc-enabled = true;
+      oidc-idp-name = "Kanidm";
+      oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gotosocial";
+      oidc-client-id = "gotosocial";
+      oidc-link-existing = true;
+    };
+    environmentFile = config.sops.templates."gotosocial.env".path;
+  };
+
+  services.caddy = {
+    virtualHosts."https://gts.xiny.li".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy * http://${config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port} {
+          flush_interval -1
+      }
+    '';
+    virtualHosts."https://xiny.li".extraConfig = ''
+      redir /.well-known/host-meta* https://gts.xiny.li{uri} permanent  # host
+      redir /.well-known/webfinger* https://gts.xiny.li{uri} permanent  # host
+      redir /.well-known/nodeinfo* https://gts.xiny.li{uri} permanent   # host
+    '';
+  };
+}