xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

treewide: apply the new rfc nixfmt

Browse source
This commit is contained in:
xinyangli 2024-08-25 17:45:58 +08:00
parent e702d503b9
commit 7a795e5ed9
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
53 changed files with 1371 additions and 888 deletions
Download patch file Download diff file Expand all files Collapse all files

15
modules/nixos/common-settings/auth.nix
View file

@ -1,7 +1,17 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types;
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.auth;
in
@ -38,4 +48,3 @@ in
};
};
}

24
modules/nixos/common-settings/nix-conf.nix
View file

@ -1,7 +1,17 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types;
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.nix;
in
@ -33,7 +43,10 @@ in
nix.optimise.automatic = true;
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true;
trusted-users = [ "root" ];
@ -52,10 +65,7 @@ in
"xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
];
secret-key-files = mkIf cfg.signing.enable [
cfg.signing.keyFile
];
secret-key-files = mkIf cfg.signing.enable [ cfg.signing.keyFile ];
};
};
}

11
modules/nixos/forgejo-actions-runner.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.forgejo-actions-runner;
in
@ -6,9 +11,7 @@ in
options = {
custom.forgejo-actions-runner = {
enable = lib.mkEnableOption "TPM supported ssh agent in go";
tokenFile = lib.mkOption {
type = lib.types.path;
};
tokenFile = lib.mkOption { type = lib.types.path; };
};
};
config = lib.mkIf cfg.enable {

27
modules/nixos/hedgedoc.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
@ -26,22 +31,12 @@ in
};
oidc = {
enable = mkEnableOption "OIDC support for HedgeDoc";
baseURL = mkOption {
type = types.str;
};
authorizationURL = mkOption {
type = types.str;
};
tokenURL = mkOption {
type = types.str;
};
userProfileURL = mkOption {
type = types.str;
};
};
environmentFile = mkOption {
type = types.path;
baseURL = mkOption { type = types.str; };
authorizationURL = mkOption { type = types.str; };
tokenURL = mkOption { type = types.str; };
userProfileURL = mkOption { type = types.str; };
};
environmentFile = mkOption { type = types.path; };
};
};
config = mkIf cfg.enable {

86
modules/nixos/inbounds.nix
View file

@ -1,19 +1,16 @@
{ config
, lib
, ... }:
{ config, lib, ... }:
let
cfg = config.custom.sing-box-server;
secretFileType = lib.types.submodule {
_secret = lib.types.path;
};
secretFileType = lib.types.submodule { _secret = lib.types.path; };
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
in
in
{
options = {
enable = lib.mkEnableOption "sing-box proxy server";
@ -22,17 +19,11 @@ in
type = lib.types.str;
default = "proxy";
};
password = lib.mkOption {
type = secretFileType;
};
uuid = lib.mkOption {
type = secretFileType;
};
password = lib.mkOption { type = secretFileType; };
uuid = lib.mkOption { type = secretFileType; };
};
wgOut = {
privKeyFile = lib.mkOption {
type = lib.types.path;
};
privKeyFile = lib.mkOption { type = lib.types.path; };
pubkey = lib.mkOption {
type = lib.types.str;
default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
@ -73,17 +64,19 @@ in
}
];
};
inbounds = [
# TODO: Trojan and tuic enable
{
tag = "trojan-in";
type = "trojan";
listen = "::";
listen_port = 8080;
users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
tls = singTls;
}
] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
inbounds =
[
# TODO: Trojan and tuic enable
{
tag = "trojan-in";
type = "trojan";
listen = "::";
listen_port = 8080;
users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
tls = singTls;
}
]
++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
tag = "tuic-in" + toString port;
type = "tuic";
listen = "::";
@ -102,25 +95,40 @@ in
"2606:4700:110:82ed:a443:3c62:6cbc:b59b/128"
];
peers = [
{ public_key= cfg.wgOut.pubkey;
allowed_ips = [ "0.0.0.0/0" "::/0" ];
{
public_key = cfg.wgOut.pubkey;
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{ type = "direct"; tag = "direct-out"; }
{ type = "dns"; tag = "dns-out"; }
{
type = "direct";
tag = "direct-out";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{ outbound = "dns-out"; protocol = "dns"; }
] ++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port;
outbound = "direct-out";
});
rules =
[
{
outbound = "dns-out";
protocol = "dns";
}
]
++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port;
outbound = "direct-out";
});
};
};
};
};
}
}

49
modules/nixos/kanidm-client.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
let
@ -27,31 +32,29 @@ in
type = types.listOf types.str;
default = [ ];
};
uri = mkOption {
type = types.str;
};
uri = mkOption { type = types.str; };
};
};
config = mkIf cfg.enable {
services.kanidm = mkMerge
[ (mkIf cfg.enable {
enableClient = true;
clientSettings = {
uri = cfg.uri;
};
})
(mkIf cfg.asSSHAuth.enable {
enablePam = true;
unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh";
};
})
];
services.kanidm = mkMerge [
(mkIf cfg.enable {
enableClient = true;
clientSettings = {
uri = cfg.uri;
};
})
(mkIf cfg.asSSHAuth.enable {
enablePam = true;
unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh";
};
})
];
services.openssh = mkIf cfg.asSSHAuth.enable {
enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner";
authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
@ -70,8 +73,10 @@ in
};
users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
users.users.kanidm-ssh-runner = {
isSystemUser = true;
group = "kanidm-ssh-runner";
};
};
}

62
modules/nixos/miniflux.nix
View file

@ -1,6 +1,19 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault;
inherit (lib)
mkEnableOption
mkPackageOption
mkOption
types
literalExpression
mkIf
mkDefault
;
cfg = config.custom.miniflux;
defaultAddress = "localhost:8080";
@ -18,12 +31,15 @@ in
package = mkPackageOption pkgs "miniflux" { };
oauth2SecretFile = mkOption {
type = types.path;
};
oauth2SecretFile = mkOption { type = types.path; };
environment = mkOption {
type = with types; attrsOf (oneOf [ int str ]);
type =
with types;
attrsOf (oneOf [
int
str
]);
};
createDatabaseLocally = mkOption {
@ -50,17 +66,22 @@ in
services.postgresql = lib.mkIf cfg.createDatabaseLocally {
enable = true;
ensureUsers = [{
name = "miniflux";
ensureDBOwnership = true;
}];
ensureUsers = [
{
name = "miniflux";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "miniflux" ];
};
systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally {
description = "Miniflux database setup";
requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
Type = "oneshot";
User = config.services.postgresql.superUser;
@ -72,8 +93,12 @@ in
description = "Miniflux service";
wantedBy = [ "multi-user.target" ];
requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service";
after = [ "network.target" ]
++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ];
after =
[ "network.target" ]
++ lib.optionals cfg.createDatabaseLocally [
"postgresql.service"
"miniflux-dbsetup.service"
];
serviceConfig = {
Type = "notify";
@ -104,12 +129,19 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" ];
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};

18
modules/nixos/oidc-agent.nix
View file

@ -1,10 +1,20 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types;
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.programs.oidc-agent;
providerFormat = pkgs.formats.json {};
providerFormat = pkgs.formats.json { };
in
{
options.programs.oidc-agent = {
@ -18,7 +28,7 @@ in
};
providers = mkOption {
type = providerFormat.type;
default = {};
default = { };
description = ''
Configuration of providers which contains a json array of json objects
each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers

20
modules/nixos/prometheus/blackbox.nix
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.prometheus;
in
@ -8,7 +13,7 @@ in
enable = true;
listenAddress = "127.0.0.1";
configFile = pkgs.writeText "blackbox.config.yaml" (
lib.generators.toYAML {} {
lib.generators.toYAML { } {
modules = {
tcp4_connect = {
prober = "tcp";
@ -25,7 +30,7 @@ in
};
services.prometheus.scrapeConfigs = [
{
{
job_name = "blackbox";
scrape_interval = "1m";
metrics_path = "/probe";
@ -73,8 +78,13 @@ in
alert = "HighProbeLatency";
expr = "probe_duration_seconds > 0.5";
for = "2m";
labels = { severity = "warning"; };
annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; };
labels = {
severity = "warning";
};
annotations = {
summary = "High request latency on {{ $labels.instance }}";
description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes.";
};
}
];
}

12
modules/nixos/prometheus/caddy.nix
View file

@ -13,9 +13,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "caddy";
static_configs = [
{ targets = [ "127.0.0.1:2019" ]; }
];
static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ];
}
];
@ -27,8 +25,12 @@ in
alert = "UpstreamHealthy";
expr = "caddy_reverse_proxy_upstreams_healthy != 1";
for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; };
labels = {
severity = "critical";
};
annotations = {
summary = "Upstream {{ $labels.unstream }} not healthy";
};
}
];
}

312
modules/nixos/prometheus/default.nix
View file

@ -1,26 +1,31 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.custom.prometheus;
mkExporterOption = enableOption: (mkOption {
type = types.bool;
default = enableOption;
description = "Enable this exporter";
});
mkExporterOption =
enableOption:
(mkOption {
type = types.bool;
default = enableOption;
description = "Enable this exporter";
});
mkRulesOption = mkOption {
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = lib.types.str;
type = types.listOf (
types.submodule {
options = {
name = mkOption { type = lib.types.str; };
rules = mkOption { type = lib.types.listOf lib.types.attrs; };
};
rules = mkOption {
type = lib.types.listOf lib.types.attrs;
};
};
});
}
);
};
in
{
@ -54,153 +59,172 @@ in
};
grafana = {
enable = mkEnableOption "Grafana Cloud";
password_file = mkOption {
type = types.path;
};
password_file = mkOption { type = types.path; };
};
ruleModules = mkRulesOption;
};
};
config = mkIf cfg.enable
{
services.tailscale = {
enable = true;
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
config = mkIf cfg.enable {
services.tailscale = {
enable = true;
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
services.caddy = {
enable = true;
virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.prometheus.port}
'';
};
services.caddy = {
enable = true;
virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.prometheus.port}
'';
};
services.prometheus = mkIf cfg.enable
services.prometheus = mkIf cfg.enable {
enable = true;
port = 9091;
globalConfig.external_labels = {
hostname = config.networking.hostName;
};
remoteWrite = mkIf cfg.grafana.enable [
{
name = "grafana";
url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push";
basic_auth = {
username = "1340065";
password_file = cfg.grafana.password_file;
};
}
];
exporters = {
node = {
enable = true;
port = 9091;
globalConfig.external_labels = { hostname = config.networking.hostName; };
remoteWrite = mkIf cfg.grafana.enable [
{
name = "grafana";
url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push";
basic_auth = {
username = "1340065";
password_file = cfg.grafana.password_file;
};
}
enabledCollectors = [
"loadavg"
"time"
"systemd"
];
exporters = {
node = {
enable = true;
enabledCollectors = [
"loadavg"
"time"
"systemd"
];
listenAddress = "127.0.0.1";
port = 9100;
};
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.port}" ]; }
];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
logLevel = "debug";
configuration = {
route = {
receiver = "ntfy";
};
receivers = [
{
name = "ntfy";
webhook_configs = [
{
url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
Alert {{.status}}
{{range .alerts}}-----{{range $k,$v := .labels}}
{{$k}}={{$v}}{{end}}
{{end}}
''}";
send_resolved = true;
}
];
}
];
};
};
alertmanagers = [
{
scheme = "http";
static_configs = [
{
targets = [
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}"
];
}
];
}
];
rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ];
listenAddress = "127.0.0.1";
port = 9100;
};
custom.prometheus.ruleModules = [
};
scrapeConfigs = [
{
name = "system_alerts";
rules = [
job_name = "prometheus";
static_configs = [ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } ];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
logLevel = "debug";
configuration = {
route = {
receiver = "ntfy";
};
receivers = [
{
alert = "SystemdFailedUnits";
expr = "node_systemd_unit_state{state=\"failed\"} > 0";
for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; };
name = "ntfy";
webhook_configs = [
{
url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
Alert {{.status}}
{{range .alerts}}-----{{range $k,$v := .labels}}
{{$k}}={{$v}}{{end}}
{{end}}
''}";
send_resolved = true;
}
];
}
];
};
};
alertmanagers = [
{
scheme = "http";
static_configs = [
{
alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m";
labels = { severity = "warning"; };
annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; };
}
{
alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m";
labels = { severity = "warning"; };
annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; };
}
{
alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m";
labels = { severity = "critical"; };
annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; };
}
{
alert = "JobDown";
expr = "up == 0";
for = "1m";
labels = { severity = "critical"; };
annotations = { summary = "Job {{ $labels.job }} down for 1m."; };
targets = [
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}"
];
}
];
}
];
rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ];
};
custom.prometheus.ruleModules = [
{
name = "system_alerts";
rules = [
{
alert = "SystemdFailedUnits";
expr = "node_systemd_unit_state{state=\"failed\"} > 0";
for = "5m";
labels = {
severity = "critical";
};
annotations = {
summary = "Systemd has failed units on {{ $labels.instance }}";
description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!";
};
}
{
alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m";
labels = {
severity = "warning";
};
annotations = {
summary = "High load average detected on {{ $labels.instance }}";
description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs.";
};
}
{
alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m";
labels = {
severity = "warning";
};
annotations = {
summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})";
description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute.";
};
}
{
alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m";
labels = {
severity = "critical";
};
annotations = {
summary = "Outbound network traffic exceed 300GB for last 30 day";
};
}
{
alert = "JobDown";
expr = "up == 0";
for = "1m";
labels = {
severity = "critical";
};
annotations = {
summary = "Job {{ $labels.job }} down for 1m.";
};
}
];
}
];
};
}

4
modules/nixos/prometheus/gotosocial.nix
View file

@ -10,9 +10,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "gotosocial";
static_configs = [
{ targets = [ "localhost:8080" ]; }
];
static_configs = [ { targets = [ "localhost:8080" ]; } ];
}
];
};

11
modules/nixos/prometheus/immich.nix
View file

@ -3,9 +3,10 @@ let
cfg = config.custom.prometheus;
immichEnv = config.services.immich.environment;
metricPort =
if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv
then immichEnv.IMMICH_API_METRICS_PORT
else 8081;
if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then
immichEnv.IMMICH_API_METRICS_PORT
else
8081;
in
{
config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) {
@ -16,9 +17,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "immich";
static_configs = [
{ targets = [ "127.0.0.1:${toString metricPort}" ]; }
];
static_configs = [ { targets = [ "127.0.0.1:${toString metricPort}" ]; } ];
}
];
};

4
modules/nixos/prometheus/miniflux.nix
View file

@ -8,9 +8,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "miniflux";
static_configs = [
{ targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; }
];
static_configs = [ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } ];
}
];
};

4
modules/nixos/prometheus/ntfy-sh.nix
View file

@ -8,9 +8,7 @@ in
services.prometheus.scrapeConfigs = [
{
job_name = "ntfy-sh";
static_configs = [
{ targets = [ "ntfy.xinyang.life" ]; }
];
static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ];
}
];
};

22
modules/nixos/prometheus/restic.nix
View file

@ -9,9 +9,7 @@ in
services.prometheus.scrapeConfigs = [
(lib.mkIf cfg.exporters.restic.enable {
job_name = "restic";
static_configs = [
{ targets = [ config.services.restic.server.listenAddress ]; }
];
static_configs = [ { targets = [ config.services.restic.server.listenAddress ]; } ];
})
];
@ -23,15 +21,25 @@ in
alert = "ResticCheckFailed";
expr = "restic_check_success == 0";
for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
labels = {
severity = "critical";
};
annotations = {
summary = "Restic check failed (instance {{ $labels.instance }})";
description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
}
{
alert = "ResticOutdatedBackup";
expr = "time() - restic_backup_timestamp > 518400";
for = "0m";
labels = { severity = "critical"; };
annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
labels = {
severity = "critical";
};
annotations = {
summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated";
description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
}
];
}

8
modules/nixos/restic.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.restic;
in
@ -45,4 +50,3 @@ in
};
};
}

21
modules/nixos/sing-box.nix
View file

@ -1,4 +1,10 @@
{ config, pkgs, lib, utils, ... }:
{
config,
pkgs,
lib,
utils,
...
}:
let
cfg = config.custom.sing-box;
settingsFormat = pkgs.formats.json { };
@ -16,9 +22,7 @@ in
};
configFile = {
urlFile = lib.mkOption {
type = lib.types.path;
};
urlFile = lib.mkOption { type = lib.types.path; };
name = lib.mkOption {
type = lib.types.str;
default = "config.json";
@ -62,10 +66,10 @@ in
systemd.packages = [ cfg.package ];
systemd.services.sing-box =
let
configFile = cfg.stateDir + "/${cfg.configFile.name}";
in
systemd.services.sing-box =
let
configFile = cfg.stateDir + "/${cfg.configFile.name}";
in
{
preStart = ''
umask 0077
@ -81,4 +85,3 @@ in
};
};
}

7
modules/nixos/ssh-tpm-agent.nix
View file

@ -1,5 +1,10 @@
# Temporary workaround
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.ssh-tpm-agent;
in

10
modules/nixos/vaultwarden.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
@ -23,7 +28,7 @@ in
};
};
config = mkIf cfg.enable {
services.vaultwarden = {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
@ -44,4 +49,3 @@ in
};
};
}