diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix
index d67ad62..212527c 100644
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@@ -35,7 +35,6 @@
 commonSettings = {
 auth.enable = true;
- autoupgrade.enable = true;
 };
 custom.monitoring = {
diff --git a/machines/biotite/services/gotosocial.nix b/machines/biotite/services/gotosocial.nix
index e410a7c..3114cf6 100644
--- a/machines/biotite/services/gotosocial.nix
+++ b/machines/biotite/services/gotosocial.nix
@@ -1,4 +1,7 @@
 { config, ... }:
+let
+ inherit (config.my-lib.settings) idpUrl;
+in
 {
 sops.secrets."gotosocial/oidc_client_secret" = {
 owner = "gotosocial";
@@ -23,7 +26,7 @@
 instance-expose-public-timeline = true;
 oidc-enabled = true;
 oidc-idp-name = "Kanidm";
- oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gotosocial";
+ oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial";
 oidc-client-id = "gotosocial";
 oidc-link-existing = true;
 };
diff --git a/machines/biotite/services/synapse.nix b/machines/biotite/services/synapse.nix
index 7d4712b..51bc94a 100644
--- a/machines/biotite/services/synapse.nix
+++ b/machines/biotite/services/synapse.nix
@@ -1,5 +1,11 @@
-{ config, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
+ inherit (config.my-lib.settings) idpUrl synapseDelegateUrl synapseUrl;
 port-synapse = 6823;
 in
 {
@@ -27,7 +33,7 @@ in
 enable = true;
 settings = {
 server_name = "xiny.li";
- public_baseurl = "https://synapse.xiny.li";
+ public_baseurl = synapseDelegateUrl;
 database = {
 name = "psycopg2";
 args = {
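Review bot: `oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial"` is only correct if `idpUrl` carries the `https://` scheme and no trailing slash, because OIDC discovery requires this string to equal the `issuer` the IdP advertises byte for byte, and `lib.removePrefix "https://" idpUrl` in synapse.nix and grafana.nix assumes the same shape; `idpUrl` is defined outside this diff, so I cannot confirm it. The same contract applies to the new `ntfyUrl`, `grafanaUrl`, `synapseUrl` and `synapseDelegateUrl` values in settings.nix, which are interpolated as `"${url}/path"` and used directly as Caddy site addresses, where a stray slash or an `http://` scheme would silently change what gets served. A comment on that settings block, `# *Url values: scheme included, no trailing slash; interpolated as "${url}/path" and used as Caddy site keys`, would pin the expectation down.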
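Review bot: `server_name = "xiny.li"` (a context line in this hunk) stays a literal while the Caddy site that serves its `/.well-known/matrix` delegation is now keyed on `synapseUrl`, so the two can drift apart independently after this change. Deriving it as `lib.removePrefix "https://" synapseUrl` would be the obvious fix but is risky in its own right, since Synapse's server_name must never change once the database exists, so I would keep the literal and document the coupling instead: `# must equal the host part of my-lib.settings.synapseUrl; never change after first start`. The enclosing `settings` attrset starts and ends outside this hunk.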
@@ -71,11 +77,11 @@ in
 oidc_providers = [
 {
 idp_id = "Kanidm";
- idp_name = "auth.xinyang.life";
- issuer = "https://auth.xinyang.life/oauth2/openid/synapse";
- authorization_endpoint = "https://auth.xinyang.life/ui/oauth2";
- token_endpoint = "https://auth.xinyang.life/oauth2/token";
- userinfo_endpoint = "https://auth.xinyang.life/oauth2/openid/synapse/userinfo";
+ idp_name = lib.removePrefix "https://" idpUrl;
+ issuer = "${idpUrl}/oauth2/openid/synapse";
+ authorization_endpoint = "${idpUrl}/ui/oauth2";
+ token_endpoint = "${idpUrl}/oauth2/token";
+ userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo";
 client_id = "synapse";
 client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
 scopes = [
@@ -95,13 +101,13 @@ in
 };
 services.caddy = {
- virtualHosts."https://xiny.li".extraConfig = ''
+ virtualHosts.${synapseUrl}.extraConfig = ''
 header /.well-known/matrix/* Content-Type application/json
 header /.well-known/matrix/* Access-Control-Allow-Origin *
 respond /.well-known/matrix/server `{"m.server":"synapse.xiny.li:443"}`
- respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://synapse.xiny.li/"}}`
+ respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"${synapseDelegateUrl}"}}`
 '';
- virtualHosts."https://synapse.xiny.li".extraConfig = ''
+ virtualHosts.${synapseDelegateUrl}.extraConfig = ''
 reverse_proxy /_matrix/* 127.0.0.1:${toString port-synapse}
 reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
 '';
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index b8213bf..7b56e15 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -15,18 +15,9 @@
 defaultSopsFile = ./secrets.yaml;
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 secrets = {
- storage_box_mount = {
- owner = "root";
- };
 gts_env = {
 owner = "gotosocial";
 };
- "miniflux/oauth2_secret" = {
- owner = "root";
- };
- "forgejo/env" = {
- owner = "forgejo";
- };
 };
 };
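Review bot: `idp_name = lib.removePrefix "https://" idpUrl;` hand-strips the scheme, and the identical expression reappears as `domain = lib.removePrefix "https://" grafanaUrl` in modules/nixos/monitor/grafana.nix and as the local `removeHttps` helper in machines/thorite/monitoring.nix; three copies of one string hack will diverge the first time a URL gains a port or a non-https scheme. settings.nix already exposes bare hosts next to URLs for Forgejo (`forgejoDomain`, `forgejoGitDomain`), so the consistent fix is to add `idpDomain` and `grafanaDomain` there (or one shared helper in my-lib) and inherit those instead of re-deriving them per file. The `oidc_providers` list continues outside this hunk.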
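Review bot: the `/.well-known/matrix/server` response still hardcodes `"synapse.xiny.li:443"` while the `/.well-known/matrix/client` line directly below it now derives `base_url` from `synapseDelegateUrl`, so a future change to that setting would move clients but leave federation delegation pointing at the old host. Since `lib` is now a module argument, the server line can follow the same source by replacing the literal host with `${lib.removePrefix "https://" synapseDelegateUrl}:443` inside the JSON. Note also that `base_url` lost its trailing slash in this change (`https://synapse.xiny.li` instead of `https://synapse.xiny.li/`); clients are expected to tolerate that, but it is worth one check against the ones in use.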
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
index 94e977c..e44c729 100644
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@@ -1,10 +1,12 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 let
 inherit (config.my-lib.settings)
 gotosocialUrl
 minifluxUrl
 hedgedocDomain
 forgejoDomain
+ grafanaUrl
+ synapseDelegateUrl
 ;
 in
 {
@@ -200,8 +202,8 @@ in
 };
 grafana = {
 displayName = "Grafana";
- originUrl = "https://grafana.xinyang.life/login/generic_oauth";
- originLanding = "https://grafana.xinyang.life/";
+ originUrl = "${grafanaUrl}/login/generic_oauth";
+ originLanding = "${grafanaUrl}/";
 scopeMaps = {
 grafana-users = [
 "openid"
@@ -223,8 +225,8 @@ in
 };
 synapse = {
 displayName = "Synapse";
- originUrl = "https://synapse.xiny.li/_synapse/client/oidc/callback";
- originLanding = "https://synapse.xiny.li/";
+ originUrl = "${synapseDelegateUrl}/_synapse/client/oidc/callback";
+ originLanding = "${synapseDelegateUrl}/";
 scopeMaps = {
 synapse-users = [
 "openid"
diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix
index c205989..e8d2501 100644
--- a/machines/massicot/services/restic.nix
+++ b/machines/massicot/services/restic.nix
@@ -34,13 +34,6 @@ in
 ];
 };
- services.postgresqlBackup = {
- enable = true;
- compression = "zstd";
- compressionLevel = 9;
- location = "/backup/postgresql";
- };
-
 services.restic.backups.${config.networking.hostName} = {
 extraBackupArgs = [
 "--limit-upload=1024"
diff --git a/machines/thorite/default.nix b/machines/thorite/default.nix
index afe2e58..c1480d6 100644
--- a/machines/thorite/default.nix
+++ b/machines/thorite/default.nix
@@ -3,6 +3,7 @@
 ./hardware-configurations.nix
 ./monitoring.nix
 ./restic.nix
+ ./ntfy.nix
 ];
 config = {
diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix
index 671a9d0..1458e20 100644
--- a/machines/thorite/monitoring.nix
+++ b/machines/thorite/monitoring.nix
@@ -10,7 +10,8 @@ let
 minifluxUrl
 gotosocialUrl
 hedgedocDomain
- forgejoDomain
+ grafanaUrl
+ ntfyUrl
 ;
 removeHttps = s: lib.removePrefix "https://" s;
 in
@@ -44,7 +45,7 @@ in
 promtail.enable = true;
 };
- services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig =
+ services.caddy.virtualHosts.${grafanaUrl}.extraConfig =
 with config.services.grafana.settings.server;
 ''
 reverse_proxy http://${http_addr}:${toString http_port}
 '';
@@ -98,17 +99,13 @@ in
 name = "hedgedoc";
 address = hedgedocDomain;
 }
- {
- name = "forgejo";
- address = forgejoDomain;
- }
 {
 name = "ntfy";
- address = "ntfy.xinyang.life";
+ address = removeHttps ntfyUrl;
 }
 {
 name = "grafana-eu";
- address = "grafana.xinyang.life";
+ address = removeHttps grafanaUrl;
 }
 {
 name = "loki";
diff --git a/machines/thorite/ntfy.nix b/machines/thorite/ntfy.nix
new file mode 100644
index 0000000..8e950f8
--- /dev/null
+++ b/machines/thorite/ntfy.nix
@@ -0,0 +1,29 @@
+{ config, ... }:
+let
+ inherit (config.my-lib.settings) ntfyUrl;
+in
+{
+
+ services.ntfy-sh = {
+ enable = true;
+ group = "caddy";
+ settings = {
+ listen-unix = "/var/run/ntfy-sh/ntfy.sock";
+ listen-unix-mode = 432; # octal 0660
+ base-url = ntfyUrl;
+ };
+ };
+
+ systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
+
+ services.caddy.virtualHosts.${ntfyUrl}.extraConfig = ''
+ reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
+ @httpget {
+ protocol http
+ method GET
+ path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
+ }
+ redir @httpget https://{host}{uri}
+ '';
+
+}
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index 68fc2ee..9d8cd04 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -69,7 +69,7 @@
 };
 custom.monitoring = {
- loki.enable = true;
+ promtail.enable = true;
 };
 systemd.mounts = [
diff --git a/modules/nixos/monitor/default.nix b/modules/nixos/monitor/default.nix
index 249f13b..09904b7 100644
--- a/modules/nixos/monitor/default.nix
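Review bot: `services.ntfy-sh.settings` in the new ntfy.nix sets no `auth-file` / `auth-default-access`, and ntfy's default is open read-write on every topic, so the `prometheus-alerts` topic that modules/nixos/monitor/default.nix now posts to is readable (alert labels and infrastructure detail) and writable (forged or misleading alerts) by anyone who guesses the name on the public `ntfyUrl`. Unless access control is configured somewhere this diff does not show, I would add `auth-default-access = "deny-all";` together with an `auth-file`, give the alertmanager a publish-only user on that topic, and pass its token via the webhook's `http_config` (`authorization.credentials_file`) rather than embedding it in the URL. Separately, the `@httpget` matcher and its `redir` are dead code here: the site block is keyed on `${ntfyUrl}`, which settings.nix defines as `https://` only, so Caddy's automatic HTTPS already redirects every plain-HTTP request before `protocol http` could match; the upstream ntfy example needs it only because it also binds an `http://` site address, and keeping this host HTTPS-only is the safer choice, so those six lines can be dropped.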
+++ b/modules/nixos/monitor/default.nix
@@ -11,6 +11,7 @@ let
 mkMerge
 types
 ;
+ inherit (config.my-lib.settings) ntfyUrl;
 cfg = config.custom.prometheus;
 mkRulesOption = mkOption {
@@ -121,12 +122,11 @@ in
 name = "ntfy";
 webhook_configs = [
 {
- url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
- Alert {{.status}}
- {{range .alerts}}-----{{range $k,$v := .labels}}
+ url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
+ {{range .alerts}}[{{ if eq .status "resolved" }}✅ RESOLVED{{ else }}{{ if eq .status "firing" }}🔥 FIRING{{end}}{{end}}]{{range $k,$v := .labels}}
 {{$k}}={{$v}}{{end}}
- {{end}}
- ''}";
+
+ {{end}}''}";
 send_resolved = true;
 }
 ];
diff --git a/modules/nixos/monitor/grafana.nix b/modules/nixos/monitor/grafana.nix
index e1b2cf3..9692fb5 100644
--- a/modules/nixos/monitor/grafana.nix
+++ b/modules/nixos/monitor/grafana.nix
@@ -1,5 +1,6 @@
 { config, lib, ... }:
 let
+ inherit (config.my-lib.settings) grafanaUrl idpUrl;
 cfg = config.custom.monitoring.grafana;
 in
 {
@@ -13,17 +14,17 @@ in
 server = {
 http_addr = "127.0.0.1";
 http_port = 3003;
- root_url = "https://grafana.xinyang.life";
- domain = "grafana.xinyang.life";
+ root_url = grafanaUrl;
+ domain = lib.removePrefix "https://" grafanaUrl;
 };
 "auth.generic_oauth" = {
 enabled = true;
 name = "Kanidm";
 client_id = "grafana";
 scopes = "openid,profile,email,groups";
- auth_url = "https://auth.xinyang.life/ui/oauth2";
- token_url = "https://auth.xinyang.life/oauth2/token";
- api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
+ auth_url = "${idpUrl}/ui/oauth2";
+ token_url = "${idpUrl}/oauth2/token";
+ api_url = "${idpUrl}/oauth2/openid/grafana/userinfo";
 use_pkce = true;
 use_refresh_token = true;
 allow_sign_up = true;
diff --git a/overlays/my-lib/settings.nix b/overlays/my-lib/settings.nix
index 9c2570a..eea6812 100644
--- a/overlays/my-lib/settings.nix
+++ b/overlays/my-lib/settings.nix
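Review bot: `lib.escapeURL` percent-encodes only ASCII characters as far as I recall its nixpkgs implementation, so the new `✅` and `🔥` in the template reach the webhook `url` as raw UTF-8 bytes inside the query string; Alertmanager's URL parsing and ntfy most likely tolerate that, but it is an untested path in this change, so either confirm one alert actually arrives rendered or pre-encode the two markers (`%E2%9C%85`, `%F0%9F%94%A5`) or fall back to ASCII. Minor: an alert whose `.status` is neither `firing` nor `resolved` renders as an empty `[]` prefix, though Alertmanager only ever emits those two values. The enclosing receiver attrset starts and ends outside this hunk.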
@@ -8,5 +8,9 @@
 forgejoDomain = "git.xiny.li";
 forgejoGitDomain = "git.xiny.li";
 vaultwardenUrl = "https://vaultwarden.xiny.li";
+ ntfyUrl = "https://ntfy.xiny.li";
+ grafanaUrl = "https://grafana.xiny.li";
+ synapseUrl = "https://xiny.li";
+ synapseDelegateUrl = "https://synapse.xiny.li";
 };
 }