biotite: move all services to biotite except kanidm

2024-12-05 13:28:22 +08:00 · 2024-12-05 13:28:22 +08:00 · 756357552a
commit 756357552a
parent 7bc5db676d
13 changed files with 78 additions and 52 deletions
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@ -35,7 +35,6 @@

  commonSettings = {
    auth.enable = true;
-    autoupgrade.enable = true;
  };

  custom.monitoring = {
--- a/machines/biotite/services/gotosocial.nix
+++ b/machines/biotite/services/gotosocial.nix
@ -1,4 +1,7 @@
 { config, ... }:
+let
+  inherit (config.my-lib.settings) idpUrl;
+in
 {
  sops.secrets."gotosocial/oidc_client_secret" = {
    owner = "gotosocial";
@ -23,7 +26,7 @@
      instance-expose-public-timeline = true;
      oidc-enabled = true;
      oidc-idp-name = "Kanidm";
-      oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gotosocial";
+      oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial";
      oidc-client-id = "gotosocial";
      oidc-link-existing = true;
    };
--- a/machines/biotite/services/synapse.nix
+++ b/machines/biotite/services/synapse.nix
@ -1,5 +1,11 @@
-{ config, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
+  inherit (config.my-lib.settings) idpUrl synapseDelegateUrl synapseUrl;
  port-synapse = 6823;
 in
 {
@ -27,7 +33,7 @@ in
    enable = true;
    settings = {
      server_name = "xiny.li";
-      public_baseurl = "https://synapse.xiny.li";
+      public_baseurl = synapseDelegateUrl;
      database = {
        name = "psycopg2";
        args = {
@ -71,11 +77,11 @@ in
      oidc_providers = [
        {
          idp_id = "Kanidm";
-          idp_name = "auth.xinyang.life";
-          issuer = "https://auth.xinyang.life/oauth2/openid/synapse";
-          authorization_endpoint = "https://auth.xinyang.life/ui/oauth2";
-          token_endpoint = "https://auth.xinyang.life/oauth2/token";
-          userinfo_endpoint = "https://auth.xinyang.life/oauth2/openid/synapse/userinfo";
+          idp_name = lib.removePrefix "https://" idpUrl;
+          issuer = "${idpUrl}/oauth2/openid/synapse";
+          authorization_endpoint = "${idpUrl}/ui/oauth2";
+          token_endpoint = "${idpUrl}/oauth2/token";
+          userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo";
          client_id = "synapse";
          client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
          scopes = [
@ -95,13 +101,13 @@ in
  };

  services.caddy = {
-    virtualHosts."https://xiny.li".extraConfig = ''
+    virtualHosts.${synapseUrl}.extraConfig = ''
      header /.well-known/matrix/* Content-Type application/json
      header /.well-known/matrix/* Access-Control-Allow-Origin *
      respond /.well-known/matrix/server `{"m.server":"synapse.xiny.li:443"}`
-      respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://synapse.xiny.li/"}}`
+      respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"${synapseDelegateUrl}"}}`
    '';
-    virtualHosts."https://synapse.xiny.li".extraConfig = ''
+    virtualHosts.${synapseDelegateUrl}.extraConfig = ''
      reverse_proxy /_matrix/* 127.0.0.1:${toString port-synapse}
      reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
    '';
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -15,18 +15,9 @@
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
-      storage_box_mount = {
-        owner = "root";
-      };
      gts_env = {
        owner = "gotosocial";
      };
-      "miniflux/oauth2_secret" = {
-        owner = "root";
-      };
-      "forgejo/env" = {
-        owner = "forgejo";
-      };
    };
  };

--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@ -1,10 +1,12 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 let
  inherit (config.my-lib.settings)
    gotosocialUrl
    minifluxUrl
    hedgedocDomain
    forgejoDomain
+    grafanaUrl
+    synapseDelegateUrl
    ;
 in
 {
@ -200,8 +202,8 @@ in
      };
      grafana = {
        displayName = "Grafana";
-        originUrl = "https://grafana.xinyang.life/login/generic_oauth";
-        originLanding = "https://grafana.xinyang.life/";
+        originUrl = "${grafanaUrl}/login/generic_oauth";
+        originLanding = "${grafanaUrl}/";
        scopeMaps = {
          grafana-users = [
            "openid"
@ -223,8 +225,8 @@ in
      };
      synapse = {
        displayName = "Synapse";
-        originUrl = "https://synapse.xiny.li/_synapse/client/oidc/callback";
-        originLanding = "https://synapse.xiny.li/";
+        originUrl = "${synapseDelegateUrl}/_synapse/client/oidc/callback";
+        originLanding = "${synapseDelegateUrl}/";
        scopeMaps = {
          synapse-users = [
            "openid"
--- a/machines/massicot/services/restic.nix
+++ b/machines/massicot/services/restic.nix
@ -34,13 +34,6 @@ in
    ];
  };

-  services.postgresqlBackup = {
-    enable = true;
-    compression = "zstd";
-    compressionLevel = 9;
-    location = "/backup/postgresql";
-  };
-
  services.restic.backups.${config.networking.hostName} = {
    extraBackupArgs = [
      "--limit-upload=1024"
--- a/machines/thorite/default.nix
+++ b/machines/thorite/default.nix
@ -3,6 +3,7 @@
    ./hardware-configurations.nix
    ./monitoring.nix
    ./restic.nix
+    ./ntfy.nix
  ];

  config = {
--- a/machines/thorite/monitoring.nix
+++ b/machines/thorite/monitoring.nix
@ -10,7 +10,8 @@ let
    minifluxUrl
    gotosocialUrl
    hedgedocDomain
-    forgejoDomain
+    grafanaUrl
+    ntfyUrl
    ;
  removeHttps = s: lib.removePrefix "https://" s;
 in
@ -44,7 +45,7 @@ in
      promtail.enable = true;
    };

-    services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig =
+    services.caddy.virtualHosts.${grafanaUrl}.extraConfig =
      with config.services.grafana.settings.server; ''
        reverse_proxy http://${http_addr}:${toString http_port}
      '';
@ -98,17 +99,13 @@ in
          name = "hedgedoc";
          address = hedgedocDomain;
        }
-        {
-          name = "forgejo";
-          address = forgejoDomain;
-        }
        {
          name = "ntfy";
-          address = "ntfy.xinyang.life";
+          address = removeHttps ntfyUrl;
        }
        {
          name = "grafana-eu";
-          address = "grafana.xinyang.life";
+          address = removeHttps grafanaUrl;
        }
        {
          name = "loki";
--- a/machines/thorite/ntfy.nix
+++ b/machines/thorite/ntfy.nix
@ -0,0 +1,29 @@
+{ config, ... }:
+let
+  inherit (config.my-lib.settings) ntfyUrl;
+in
+{
+
+  services.ntfy-sh = {
+    enable = true;
+    group = "caddy";
+    settings = {
+      listen-unix = "/var/run/ntfy-sh/ntfy.sock";
+      listen-unix-mode = 432; # octal 0660
+      base-url = ntfyUrl;
+    };
+  };
+
+  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
+
+  services.caddy.virtualHosts.${ntfyUrl}.extraConfig = ''
+    reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
+    @httpget {
+      protocol http
+      method GET
+      path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
+    }
+    redir @httpget https://{host}{uri}
+  '';
+
+}
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -69,7 +69,7 @@
    };

    custom.monitoring = {
-      loki.enable = true;
+      promtail.enable = true;
    };

    systemd.mounts = [
--- a/modules/nixos/monitor/default.nix
+++ b/modules/nixos/monitor/default.nix
@ -11,6 +11,7 @@ let
    mkMerge
    types
    ;
+  inherit (config.my-lib.settings) ntfyUrl;
  cfg = config.custom.prometheus;

  mkRulesOption = mkOption {
@ -121,12 +122,11 @@ in
                name = "ntfy";
                webhook_configs = [
                  {
-                    url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
-                      Alert {{.status}}
-                      {{range .alerts}}-----{{range $k,$v := .labels}}
+                    url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
+                      {{range .alerts}}[{{ if eq .status "resolved" }}✅ RESOLVED{{ else }}{{ if eq .status "firing" }}🔥 FIRING{{end}}{{end}}]{{range $k,$v := .labels}}
                      {{$k}}={{$v}}{{end}}
-                      {{end}}
-                    ''}";
+
+                      {{end}}''}";
                    send_resolved = true;
                  }
                ];
--- a/modules/nixos/monitor/grafana.nix
+++ b/modules/nixos/monitor/grafana.nix
@ -1,5 +1,6 @@
 { config, lib, ... }:
 let
+  inherit (config.my-lib.settings) grafanaUrl idpUrl;
  cfg = config.custom.monitoring.grafana;
 in
 {
@ -13,17 +14,17 @@ in
        server = {
          http_addr = "127.0.0.1";
          http_port = 3003;
-          root_url = "https://grafana.xinyang.life";
-          domain = "grafana.xinyang.life";
+          root_url = grafanaUrl;
+          domain = lib.removePrefix "https://" grafanaUrl;
        };
        "auth.generic_oauth" = {
          enabled = true;
          name = "Kanidm";
          client_id = "grafana";
          scopes = "openid,profile,email,groups";
-          auth_url = "https://auth.xinyang.life/ui/oauth2";
-          token_url = "https://auth.xinyang.life/oauth2/token";
-          api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
+          auth_url = "${idpUrl}/ui/oauth2";
+          token_url = "${idpUrl}/oauth2/token";
+          api_url = "${idpUrl}/oauth2/openid/grafana/userinfo";
          use_pkce = true;
          use_refresh_token = true;
          allow_sign_up = true;
--- a/overlays/my-lib/settings.nix
+++ b/overlays/my-lib/settings.nix
@ -8,5 +8,9 @@
    forgejoDomain = "git.xiny.li";
    forgejoGitDomain = "git.xiny.li";
    vaultwardenUrl = "https://vaultwarden.xiny.li";
+    ntfyUrl = "https://ntfy.xiny.li";
+    grafanaUrl = "https://grafana.xiny.li";
+    synapseUrl = "https://xiny.li";
+    synapseDelegateUrl = "https://synapse.xiny.li";
  };
 }