From 68852681f7e00953ca2010f9d6c010504315f478 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 2 Dec 2024 16:30:49 +0800 Subject: [PATCH 1/8] minor fix --- machines/biotite/services/gotosocial.nix | 3 +-- machines/thorite/monitoring.nix | 5 +++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/machines/biotite/services/gotosocial.nix b/machines/biotite/services/gotosocial.nix index 743b3f7..fb26a69 100644 --- a/machines/biotite/services/gotosocial.nix +++ b/machines/biotite/services/gotosocial.nix @@ -32,8 +32,7 @@ services.caddy = { virtualHosts."https://gts.xiny.li".extraConfig = '' - encode zstd gzip - reverse_proxy * http://${config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port} { + reverse_proxy http://${config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port} { flush_interval -1 } ''; diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index bc10492..ac6586f 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -70,6 +70,11 @@ with my-lib; name = "grafana-eu"; address = "grafana.xinyang.life"; } + { + name = "loki"; + address = "thorite.coho-tet.ts.net"; + port = 3100; + } ]) ++ (mkCaddyScrapes [ { address = "thorite.coho-tet.ts.net"; } From bd9f66238eca8ef2d0d842aff466641ae1b69913 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 2 Dec 2024 16:44:22 +0800 Subject: [PATCH 2/8] flake.lock: Update to 24.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'catppuccin': 'github:catppuccin/nix/32359bf226fe874d3b7a0a5753d291a4da9616fe?narHash=sha256-0aIwr/RC/oe7rYkfJb47xjdEQDSNcqpFGsEa%2BEPlDEs%3D' (2024-11-10) → 'github:catppuccin/nix/a817009ebfd2cca7f70a77884e5098d0a8c83f8e?narHash=sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk%3D' (2024-11-30) • Updated input 'disko': 'github:nix-community/disko/869ba3a87486289a4197b52a6c9e7222edf00b3e?narHash=sha256-%2B4U2I2653JvPFxcux837ulwYS864QvEueIljUkwytsk%3D' (2024-11-26) → 'github:nix-community/disko/2814a5224a47ca19e858e027f7e8bff74a8ea9f1?narHash=sha256-2uMaVAZn7fiyTUGhKgleuLYe5%2BEAAYB/diKxrM7g3as%3D' (2024-11-30) • Updated input 'home-manager': 'github:nix-community/home-manager/1bd5616e33c0c54d7a5b37db94160635a9b27aeb?narHash=sha256-130gQ5k8kZlxjBEeLpE%2BSvWFgSOFgQFeZlqIik7KgtQ%3D' (2024-11-16) → 'github:nix-community/home-manager/c1fee8d4a60b89cae12b288ba9dbc608ff298163?narHash=sha256-dVmNuUajnU18oHzBQWZm1BQtANCHaqNuxTHZQ%2BGN0r8%3D' (2024-12-01) • Updated input 'my-nixvim': 'git+https://git.xinyang.life/xin/nixvim?ref=refs/heads/master&rev=a09d2b94efb5e2d801275a244eedaab0816f3702' (2024-11-03) → 'git+https://git.xinyang.life/xin/nixvim?ref=refs/heads/master&rev=a3709a89797ea094f82d38edeb4a538c07c8c3fa' (2024-11-30) • Updated input 'my-nixvim/nixvim': 'github:nix-community/nixvim/6f210158b03b01a1fd44bf3968165e6da80635ce?narHash=sha256-NByr7l7JetL9kIrdCOcRqBu%2BlAkruYXETp1DMiDHNQs%3D' (2024-11-02) → 'github:nix-community/nixvim/f11a877bcc1d66cc8bd7990c704f91c1e99c7d08?narHash=sha256-12OpSgbLDiKmxvBXwVracIfGI9FpjFyHpa1r0Ho%2BNFA%3D' (2024-11-13) • Updated input 'my-nixvim/nixvim/git-hooks': 'github:cachix/git-hooks.nix/af8a16fe5c264f5e9e18bcee2859b40a656876cf?narHash=sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU%3D' (2024-10-30) → 'github:cachix/git-hooks.nix/d70155fdc00df4628446352fc58adc640cd705c2?narHash=sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF%2B06nOg%3D' (2024-11-05) • Updated input 'my-nixvim/nixvim/home-manager': 'github:nix-community/home-manager/1743615b61c7285976f85b303a36cdf88a556503?narHash=sha256-AvCVDswOUM9D368HxYD25RsSKp%2B5o0L0/JHADjLoD38%3D' (2024-11-01) → 'github:nix-community/home-manager/60bb110917844d354f3c18e05450606a435d2d10?narHash=sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs%3D' (2024-11-10) • Updated input 'my-nixvim/nixvim/nix-darwin': 'github:lnl7/nix-darwin/683d0c4cd1102dcccfa3f835565378c7f3cbe05e?narHash=sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc%3D' (2024-11-01) → 'github:lnl7/nix-darwin/5c74ab862c8070cbf6400128a1b56abb213656da?narHash=sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc%3D' (2024-11-09) • Updated input 'my-nixvim/nixvim/nixpkgs': 'github:NixOS/nixpkgs/807e9154dcb16384b1b765ebe9cd2bba2ac287fd?narHash=sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU%3D' (2024-10-29) → 'github:NixOS/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2?narHash=sha256-IigrKK3vYRpUu%2BHEjPL/phrfh7Ox881er1UEsZvw9Q4%3D' (2024-11-09) • Updated input 'my-nixvim/nixvim/nuschtosSearch': 'github:NuschtOS/search/9e22bd742480916ff5d0ab20ca2522eaa3fa061e?narHash=sha256-8lklUZRV7nwkPLF3roxzi4C2oyLydDXyAzAnDvjkOms%3D' (2024-11-02) → 'github:NuschtOS/search/ef493352f9e1f051e01a55c062731503a6b36b4e?narHash=sha256-43yLsOm/wxBbfYSNDWVJeVv5Ij%2B23X3BIjFUfsdx/6M%3D' (2024-11-08) • Updated input 'my-nixvim/nixvim/nuschtosSearch/ixx': 'github:NuschtOS/ixx/65c207c92befec93e22086da9456d3906a4e999c?narHash=sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus%3D' (2024-10-21) → 'github:NuschtOS/ixx/9fd01aad037f345350eab2cd45e1946cc66da4eb?narHash=sha256-EiOq8jF4Z/zQe0QYVc3%2BqSKxRK//CFHMB84aYrYGwEs%3D' (2024-10-26) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/bdba246946fb079b87b4cada4df9b1cdf1c06132?narHash=sha256-l9ryrx1Twh08a%2BgxrMGM9O/aZKEimZfa6sZVyPCImgI%3D' (2024-11-17) → 'github:Mic92/nix-index-database/6e0b7f81367069589a480b91603a10bcf71f3103?narHash=sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE%3D' (2024-12-01) • Updated input 'nix-vscode-extensions': 'github:nix-community/nix-vscode-extensions/5cf92678e6799ce45442dee4c9cb8094843c7cfa?narHash=sha256-WwJqguc/5Q7HEwHlgDzDT8mtd8ZxInxZM2neJKC1oh8%3D' (2024-11-17) → 'github:nix-community/nix-vscode-extensions/e3a9b717e8327886d4ab6115f6989f4d1ef44e51?narHash=sha256-UhlyYYO84s36aSj0/xZdclY6CgwJSWPYtTHTOBuHodM%3D' (2024-12-02) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/672ac2ac86f7dff2f6f3406405bddecf960e0db6?narHash=sha256-UhWmEZhwJZmVZ1jfHZFzCg%2BZLO9Tb/v3Y6LC0UNyeTo%3D' (2024-11-16) → 'github:NixOS/nixos-hardware/fe01780d356d70fd119a19277bff71d3e78dad00?narHash=sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU%3D' (2024-12-01) • Updated input 'nixpkgs': 'github:xinyangli/nixpkgs/b2644ed7258502987ad4a70cf8959bf5a26ce26d?narHash=sha256-nfqKsQhFCakM%2BeIKGf/JWu/g56rOPoGny10EZN8q7R0%3D' (2024-11-17) → 'github:xinyangli/nixpkgs/6273ca0a0fd51ac708a71e380c0cda97a72bbb07?narHash=sha256-JOIhbU0EPRXwFv1wCXGTkUZ9KnIcLxChvCqeV9hh63U%3D' (2024-12-02) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/c21b77913ea840f8bcf9adf4c41cecc2abffd38d?narHash=sha256-XUO0JKP1hlww0d7mm3kpmIr4hhtR4zicg5Wwes9cPMg%3D' (2024-11-15) → 'github:nixos/nixpkgs/7e1ca67996afd8233d9033edd26e442836cc2ad6?narHash=sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4%3D' (2024-12-01) • Updated input 'nur': 'github:nix-community/NUR/59740d792bea5caa547c9bc7ce366802ecfafb7f?narHash=sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8%3D' (2024-11-17) → 'github:nix-community/NUR/1844924bf1e7e5a98198eca17b6c27cc9a363b05?narHash=sha256-C8f6ekiZ4kP84JWLDrMigvnSK6RXQoxLEDoteXMx1yc%3D' (2024-12-02) • Updated input 'sops-nix': 'github:Mic92/sops-nix/47fc1d8c72dbd69b32ecb2019b5b648da3dd20ce?narHash=sha256-TGnMXCeXS924w9W6CvRFtUCUFr8E/RK138lHxU3vcw8%3D' (2024-11-17) → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02) --- flake.lock | 131 +++++++++++++---------------- machines/calcite/configuration.nix | 24 ++---- 2 files changed, 65 insertions(+), 90 deletions(-) diff --git a/flake.lock b/flake.lock index c23bdb6..e45132d 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1731232837, - "narHash": "sha256-0aIwr/RC/oe7rYkfJb47xjdEQDSNcqpFGsEa+EPlDEs=", + "lastModified": 1733001911, + "narHash": "sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk=", "owner": "catppuccin", "repo": "nix", - "rev": "32359bf226fe874d3b7a0a5753d291a4da9616fe", + "rev": "a817009ebfd2cca7f70a77884e5098d0a8c83f8e", "type": "github" }, "original": { @@ -68,11 +68,11 @@ ] }, "locked": { - "lastModified": 1732645828, - "narHash": "sha256-+4U2I2653JvPFxcux837ulwYS864QvEueIljUkwytsk=", + "lastModified": 1732988076, + "narHash": "sha256-2uMaVAZn7fiyTUGhKgleuLYe5+EAAYB/diKxrM7g3as=", "owner": "nix-community", "repo": "disko", - "rev": "869ba3a87486289a4197b52a6c9e7222edf00b3e", + "rev": "2814a5224a47ca19e858e027f7e8bff74a8ea9f1", "type": "github" }, "original": { @@ -238,11 +238,11 @@ ] }, "locked": { - "lastModified": 1730302582, - "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=", + "lastModified": 1730814269, + "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf", + "rev": "d70155fdc00df4628446352fc58adc640cd705c2", "type": "github" }, "original": { @@ -281,11 +281,11 @@ ] }, "locked": { - "lastModified": 1731786860, - "narHash": "sha256-130gQ5k8kZlxjBEeLpE+SvWFgSOFgQFeZlqIik7KgtQ=", + "lastModified": 1733085484, + "narHash": "sha256-dVmNuUajnU18oHzBQWZm1BQtANCHaqNuxTHZQ+GN0r8=", "owner": "nix-community", "repo": "home-manager", - "rev": "1bd5616e33c0c54d7a5b37db94160635a9b27aeb", + "rev": "c1fee8d4a60b89cae12b288ba9dbc608ff298163", "type": "github" }, "original": { @@ -303,11 +303,11 @@ ] }, "locked": { - "lastModified": 1730490306, - "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=", + "lastModified": 1731235328, + "narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=", "owner": "nix-community", "repo": "home-manager", - "rev": "1743615b61c7285976f85b303a36cdf88a556503", + "rev": "60bb110917844d354f3c18e05450606a435d2d10", "type": "github" }, "original": { @@ -332,16 +332,16 @@ ] }, "locked": { - "lastModified": 1729544999, - "narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=", + "lastModified": 1729958008, + "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", "owner": "NuschtOS", "repo": "ixx", - "rev": "65c207c92befec93e22086da9456d3906a4e999c", + "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", "type": "github" }, "original": { "owner": "NuschtOS", - "ref": "v0.0.5", + "ref": "v0.0.6", "repo": "ixx", "type": "github" } @@ -355,11 +355,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1730642581, - "narHash": "sha256-Tcq+RnctJTm+TUr1fN3ivqYNcd1pJnHYzLDQdgUCX70=", + "lastModified": 1732936640, + "narHash": "sha256-NcluA0L+ZV5MUj3UuQhlkGCj8KoEhX/ObWlMHZ/F/ac=", "ref": "refs/heads/master", - "rev": "a09d2b94efb5e2d801275a244eedaab0816f3702", - "revCount": 18, + "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa", + "revCount": 20, "type": "git", "url": "https://git.xinyang.life/xin/nixvim" }, @@ -377,11 +377,11 @@ ] }, "locked": { - "lastModified": 1730448474, - "narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=", + "lastModified": 1731153869, + "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e", + "rev": "5c74ab862c8070cbf6400128a1b56abb213656da", "type": "github" }, "original": { @@ -418,11 +418,11 @@ ] }, "locked": { - "lastModified": 1731814505, - "narHash": "sha256-l9ryrx1Twh08a+gxrMGM9O/aZKEimZfa6sZVyPCImgI=", + "lastModified": 1733024876, + "narHash": "sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "bdba246946fb079b87b4cada4df9b1cdf1c06132", + "rev": "6e0b7f81367069589a480b91603a10bcf71f3103", "type": "github" }, "original": { @@ -442,11 +442,11 @@ ] }, "locked": { - "lastModified": 1731808759, - "narHash": "sha256-WwJqguc/5Q7HEwHlgDzDT8mtd8ZxInxZM2neJKC1oh8=", + "lastModified": 1733104664, + "narHash": "sha256-UhlyYYO84s36aSj0/xZdclY6CgwJSWPYtTHTOBuHodM=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "5cf92678e6799ce45442dee4c9cb8094843c7cfa", + "rev": "e3a9b717e8327886d4ab6115f6989f4d1ef44e51", "type": "github" }, "original": { @@ -457,11 +457,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1731797098, - "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=", + "lastModified": 1733066523, + "narHash": "sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6", + "rev": "fe01780d356d70fd119a19277bff71d3e78dad00", "type": "github" }, "original": { @@ -473,11 +473,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730200266, - "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "lastModified": 1731139594, + "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", + "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", "type": "github" }, "original": { @@ -501,11 +501,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1731652201, - "narHash": "sha256-XUO0JKP1hlww0d7mm3kpmIr4hhtR4zicg5Wwes9cPMg=", + "lastModified": 1733016324, + "narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c21b77913ea840f8bcf9adf4c41cecc2abffd38d", + "rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6", "type": "github" }, "original": { @@ -515,29 +515,13 @@ "type": "github" } }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1731797254, - "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { - "lastModified": 1731819057, - "narHash": "sha256-nfqKsQhFCakM+eIKGf/JWu/g56rOPoGny10EZN8q7R0=", + "lastModified": 1733128666, + "narHash": "sha256-JOIhbU0EPRXwFv1wCXGTkUZ9KnIcLxChvCqeV9hh63U=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "b2644ed7258502987ad4a70cf8959bf5a26ce26d", + "rev": "6273ca0a0fd51ac708a71e380c0cda97a72bbb07", "type": "github" }, "original": { @@ -560,11 +544,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1730569492, - "narHash": "sha256-NByr7l7JetL9kIrdCOcRqBu+lAkruYXETp1DMiDHNQs=", + "lastModified": 1731527733, + "narHash": "sha256-12OpSgbLDiKmxvBXwVracIfGI9FpjFyHpa1r0Ho+NFA=", "owner": "nix-community", "repo": "nixvim", - "rev": "6f210158b03b01a1fd44bf3968165e6da80635ce", + "rev": "f11a877bcc1d66cc8bd7990c704f91c1e99c7d08", "type": "github" }, "original": { @@ -575,11 +559,11 @@ }, "nur": { "locked": { - "lastModified": 1731819675, - "narHash": "sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8=", + "lastModified": 1733125101, + "narHash": "sha256-C8f6ekiZ4kP84JWLDrMigvnSK6RXQoxLEDoteXMx1yc=", "owner": "nix-community", "repo": "NUR", - "rev": "59740d792bea5caa547c9bc7ce366802ecfafb7f", + "rev": "1844924bf1e7e5a98198eca17b6c27cc9a363b05", "type": "github" }, "original": { @@ -599,11 +583,11 @@ ] }, "locked": { - "lastModified": 1730515563, - "narHash": "sha256-8lklUZRV7nwkPLF3roxzi4C2oyLydDXyAzAnDvjkOms=", + "lastModified": 1731060242, + "narHash": "sha256-43yLsOm/wxBbfYSNDWVJeVv5Ij+23X3BIjFUfsdx/6M=", "owner": "NuschtOS", "repo": "search", - "rev": "9e22bd742480916ff5d0ab20ca2522eaa3fa061e", + "rev": "ef493352f9e1f051e01a55c062731503a6b36b4e", "type": "github" }, "original": { @@ -633,15 +617,14 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" + ] }, "locked": { - "lastModified": 1731814239, - "narHash": "sha256-TGnMXCeXS924w9W6CvRFtUCUFr8E/RK138lHxU3vcw8=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "47fc1d8c72dbd69b32ecb2019b5b648da3dd20ce", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 27760b5..f80351b 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -78,6 +78,7 @@ in } ]; + programs.vim.enable = true; programs.vim.defaultEditor = true; # Keep this even if enabled in home manager @@ -307,13 +308,7 @@ in bitwarden # Browser - (chromium.override { - commandLineArgs = [ - "--ozone-platform-hint=auto" - "--enable-wayland-ime" - ]; - }) - brave + chromium # Writting zotero @@ -379,15 +374,12 @@ in # Fonts fonts = { packages = with pkgs; [ - (nerdfonts.override { - fonts = [ - "FiraCode" - "FiraMono" - "JetBrainsMono" - "RobotoMono" - "Ubuntu" - ]; - }) + nerd-fonts.ubuntu-sans + nerd-fonts.ubuntu + nerd-fonts.fira-code + nerd-fonts.fira-mono + nerd-fonts.jetbrains-mono + nerd-fonts.roboto-mono noto-fonts noto-fonts-emoji liberation_ttf From 5b6f6ce73589450430179fca0e669d36861743db Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Dec 2024 11:32:21 +0800 Subject: [PATCH 3/8] home/firefox: fix sidebar and titlebar in userChrome.css --- home/xin/calcite.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 9f246cf..d90cc4d 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -125,7 +125,8 @@ in profiles.default = { isDefault = true; userChrome = '' - #titlebar { + + #TabsToolbar { display: none; } @@ -136,7 +137,7 @@ in [titlepreface*="."] #sidebar-header { visibility: collapse !important; } - [titlepreface*="."] #titlebar { + [titlepreface*="."] #TabsToolbar { visibility: collapse; } @@ -148,7 +149,7 @@ in min-width: var(--uc-sidebar-width) !important; width: var(--uc-sidebar-width) !important; max-width: var(--uc-sidebar-width) !important; - z-index:1; + z-index: calc(var(--browser-area-z-index-tabbox) + 1); } #sidebar-box[positionend]{ direction: rtl } @@ -190,12 +191,12 @@ in transition-delay: 0ms !important; } - .sidebar-panel{ - background-color: transparent !important; + .sidebar-placeTree { + /* background-color: transparent !important; */ color: var(--newtab-text-primary-color) !important; } - .sidebar-panel #search-box{ + .sidebar-placeTree #search-box{ -moz-appearance: none !important; background-color: rgba(249,249,250,0.1) !important; color: inherit !important; From 83f7700949f0033f4763850b13717a94a94f6f48 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Dec 2024 16:36:34 +0800 Subject: [PATCH 4/8] modules/monitoring: add alert rules to loki --- modules/nixos/monitor/exporters.nix | 2 +- modules/nixos/monitor/loki.nix | 166 +++++++++++++++++++++------- modules/nixos/restic.nix | 2 +- 3 files changed, 130 insertions(+), 40 deletions(-) diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index 0c9b95d..b48209e 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -71,7 +71,7 @@ in services.restic.server.prometheus = true; - # miniflux + # miniflux sops.templates."miniflux_metrics_env" = { content = '' METRICS_COLLECTOR=1 diff --git a/modules/nixos/monitor/loki.nix b/modules/nixos/monitor/loki.nix index 324235f..c3e0afd 100644 --- a/modules/nixos/monitor/loki.nix +++ b/modules/nixos/monitor/loki.nix @@ -1,68 +1,158 @@ { + pkgs, config, lib, + my-lib, ... }: let inherit (lib) + mkOption mkEnableOption mkIf mkMerge + types + literalExpression + ; + inherit (my-lib.settings) + alertmanagerPort ; cfg = config.custom.monitoring; - port-loki = 3100; + lokiPort = 3100; in { options = { custom.monitoring = { - loki.enable = mkEnableOption "loki"; + loki = { + enable = mkEnableOption "loki"; + rules = mkOption { + type = types.attrsOf ( + types.submodule { + options = { + condition = mkOption { + type = types.str; + description = '' + Loki alert expression. + ''; + example = ''count_over_time({job=~"secure"} |="sshd[" |~": Failed|: Invalid|: Connection closed by authenticating user" | __error__="" [15m]) > 15''; + default = null; + }; + description = mkOption { + type = types.str; + description = '' + Loki alert message. + ''; + example = "Prometheus encountered value {{ $value }} with {{ $labels }}"; + default = null; + }; + labels = mkOption { + type = types.nullOr (types.attrsOf types.str); + description = '' + Additional alert labels. + ''; + example = literalExpression '' + { severity = "page" }; + ''; + default = { }; + }; + time = mkOption { + type = types.str; + description = '' + Time until the alert is fired. + ''; + example = "5m"; + default = "2m"; + }; + }; + } + ); + description = '' + Defines the loki rules. + ''; + default = { }; + }; + }; promtail.enable = mkEnableOption "promtail"; }; }; config = mkMerge [ - (mkIf cfg.loki.enable { - services.loki = { - enable = true; - configuration = { - auth_enabled = false; - server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; - server.http_listen_port = port-loki; - - common = { - ring = { - instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; - kvstore.store = "inmemory"; - }; - replication_factor = 1; - path_prefix = "/var/lib/loki"; - }; - - schema_config.configs = [ + ( + let + rulerConfig = { + groups = [ { - from = "2024-12-01"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; + name = "alerting-rules"; + rules = lib.mapAttrsToList (name: opts: { + alert = name; + inherit (opts) condition labels; + for = opts.time; + annotations.description = opts.description; + }) cfg.loki.rules; } ]; + }; + rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig); + in + mkIf cfg.loki.enable { + services.loki = { + enable = true; + configuration = { + auth_enabled = false; + server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; + server.http_listen_port = lokiPort; - storage_config = { - filesystem.directory = "/var/lib/loki/chunks"; - }; + common = { + ring = { + instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; + kvstore.store = "inmemory"; + }; + replication_factor = 1; + path_prefix = "/var/lib/loki"; + }; - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - allow_structured_metadata = false; + schema_config.configs = [ + { + from = "2024-12-01"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + + storage_config = { + filesystem.directory = "/var/lib/loki/chunks"; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + allow_structured_metadata = false; + }; + + ruler = { + storage = { + type = "local"; + local.directory = "${config.services.loki.dataDir}/ruler"; + }; + rule_path = "${config.services.loki.dataDir}/rules"; + alertmanager_url = "http://127.0.0.1:${toString alertmanagerPort}"; + }; }; }; - }; - }) + systemd.tmpfiles.rules = [ + "d /var/lib/loki 0700 loki loki - -" + "d /var/lib/loki/ruler 0700 loki loki - -" + "d /var/lib/loki/rules 0700 loki loki - -" + "L /var/lib/loki/ruler/ruler.yml - - - - ${rulerFile}" + ]; + systemd.services.loki.reloadTriggers = [ rulerFile ]; + } + ) (mkIf cfg.promtail.enable { services.promtail = { enable = true; @@ -78,7 +168,7 @@ in clients = [ { - url = "http://thorite.coho-tet.ts.net:${toString port-loki}/loki/api/v1/push"; + url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push"; } ]; diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix index bef9c44..f07bdfb 100644 --- a/modules/nixos/restic.nix +++ b/modules/nixos/restic.nix @@ -39,7 +39,7 @@ let echo "Creating snapshot for ${rootDir}" subvolumes=$(${pkgs.btrfs-progs}/bin/btrfs subvolume list -o "${rootDir}" | ${awk} '{print $NF}') mkdir -p "${backupDir}" - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r "${rootDir}" "${backupDir}/rootfs" + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r "${rootDir}" "${backupDir}/rootDirectory" for subvol in $subvolumes; do ${continueIfInExclude} [[ /"$subvol" == "${backupDir}"* ]] && continue From bf74a010490b4bf54a476d669b3123ad26085c2f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Dec 2024 16:37:42 +0800 Subject: [PATCH 5/8] machines/biotite: add matrix-synapse and backup --- machines/biotite/default.nix | 34 +++++++ machines/biotite/secrets.yaml | 9 +- machines/biotite/services/gotosocial.nix | 1 + machines/biotite/services/restic.nix | 55 +++++++++++ machines/biotite/services/synapse.nix | 113 +++++++++++++++++++++++ machines/massicot/kanidm-provision.nix | 14 +++ 6 files changed, 224 insertions(+), 2 deletions(-) create mode 100644 machines/biotite/services/restic.nix create mode 100644 machines/biotite/services/synapse.nix diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index a507675..cf652c8 100644 --- a/machines/biotite/default.nix +++ b/machines/biotite/default.nix @@ -1,4 +1,5 @@ { + pkgs, lib, ... }: @@ -7,6 +8,8 @@ imports = [ ./hardware-configurations.nix ./services/gotosocial.nix + ./services/synapse.nix + ./services/restic.nix ]; networking.hostName = "biotite"; @@ -43,6 +46,37 @@ services.caddy.enable = true; services.tailscale.enable = true; + services.postgresql = { + enable = true; + package = pkgs.postgresql_17; + settings = { + allow_alter_system = false; + # DB Version: 17 + # OS Type: linux + # DB Type: mixed + # Total Memory (RAM): 8 GB + # CPUs num: 4 + # Data Storage: ssd + max_connections = 100; + shared_buffers = "2GB"; + effective_cache_size = "6GB"; + maintenance_work_mem = "512MB"; + checkpoint_completion_target = 0.9; + wal_buffers = "16MB"; + default_statistics_target = 100; + random_page_cost = 1.1; + effective_io_concurrency = 200; + work_mem = "5242kB"; + huge_pages = "off"; + min_wal_size = "1GB"; + max_wal_size = "4GB"; + max_worker_processes = 4; + max_parallel_workers_per_gather = 2; + max_parallel_workers = 4; + max_parallel_maintenance_workers = 2; + }; + }; + users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU."; system.stateVersion = "24.11"; diff --git a/machines/biotite/secrets.yaml b/machines/biotite/secrets.yaml index 5d8f181..b2ed748 100644 --- a/machines/biotite/secrets.yaml +++ b/machines/biotite/secrets.yaml @@ -1,5 +1,10 @@ gotosocial: oidc_client_secret: ENC[AES256_GCM,data:KVQxzs67sohax2h0Y/jjhnbY4fetrdVvWhBGbqgDSGgBC7QazrOmTA++BSRzMmVv,iv:HIRMc56aLanqQRTWH9E0wzzXymImi0pxK/ccPEP8Fcc=,tag:PMhOLeE3mKIIQveRdfpgpA==,type:str] +synapse: + oidc_client_secret: ENC[AES256_GCM,data:TdZF8Bo+h34fn03sPpt7JEqmP8Cwm8V++q9VDvaapMBc3rlkrVu3iDUhQE2DvJri,iv:/QNX+aYUPpDKIqWZ13TLAznR3ZpUPI8rQHrJuqv7R+g=,tag:lcBIpeWiIXK/NV84uuxNiA==,type:str] +restic: + repo_url: ENC[AES256_GCM,data:ZcBMqwEsyc7zyEftJZj4XkKBzUHwlqd6cjX8xVDn9m26jBL7aP5atpnXDRE9FXY4CuAllFyQZyAOQ2L61Nfx+iplL2ADbSoH,iv:fhNODiyoOlZEqYR2O/GsH2IWTPDr3rXSJgWC/EFDLSA=,tag:nZdKKnpiszSiXxdZI1KQ/A==,type:str] + repo_password: ENC[AES256_GCM,data:9YDOz1tiyykz6zSXboWtIg==,iv:j96mRLXGuD4NZcC0Nv1yXFbtOlr6UborqclefZ7J94w=,tag:MqhSewK2NuckTJBf7xu+lA==,type:str] sops: kms: [] gcp_kms: [] @@ -24,8 +29,8 @@ sops: RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-02T05:10:32Z" - mac: ENC[AES256_GCM,data:ZAdFsjVuk1Fiv+DKmHrc1yu1XQpRDmRHaQhu5hduSZUa1W1cXdTlChvIW5vADFg5tVCjuYptuLvCMW+ZSQeqqG2ntHHZ+IkuovZzKFuc+BIiL/jF2ZzbyJ7X4Wj1GziCScHVxx98dgbpFoufHe6N3wCaHmngo1RYsY5N1RRbRdU=,iv:5IMQ0kOX9UAOm8bcsQRyu6zu8GJjvnHFufCNjY0s9UI=,tag:zBEPSR9DZDpwbCaIka8mXA==,type:str] + lastmodified: "2024-12-03T07:38:24Z" + mac: ENC[AES256_GCM,data:KMKdwgu9+3DjG1lrQYQEz/jYWsHUBK6RgHRyRKzWG0jTDg30owRpCgnSnX5gHzygmSYSnVRtcTOWzqm5bI7/KJkXBivaqkLqCh6EHnTj+pnAHmeEOAjoOVLOMSCEYvHMf/EuJIL199Hf2G12LtulDJV7Wi5r5Jy8L9odVlYuM9g=,iv:WTeqWdIztScZnXc2hzI7JHO/4ySgqycOp2eN9EPTQpw=,tag:lTMrE5JVVFCIDehXCxJZoQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/machines/biotite/services/gotosocial.nix b/machines/biotite/services/gotosocial.nix index fb26a69..e410a7c 100644 --- a/machines/biotite/services/gotosocial.nix +++ b/machines/biotite/services/gotosocial.nix @@ -27,6 +27,7 @@ oidc-client-id = "gotosocial"; oidc-link-existing = true; }; + setupPostgresqlDB = true; environmentFile = config.sops.templates."gotosocial.env".path; }; diff --git a/machines/biotite/services/restic.nix b/machines/biotite/services/restic.nix new file mode 100644 index 0000000..2e53c46 --- /dev/null +++ b/machines/biotite/services/restic.nix @@ -0,0 +1,55 @@ +{ + config, + lib, + pkgs, + ... +}: +let + sqliteBackup = fromPath: toPath: file: '' + mkdir -p ${toPath} + ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'" + ''; +in +{ + sops.secrets = { + "restic/repo_url" = { + sopsFile = ../secrets.yaml; + }; + "restic/repo_password" = { + sopsFile = ../secrets.yaml; + }; + }; + + custom.restic = { + enable = true; + paths = [ + "/backup/db" + "/backup/var/lib" + ]; + backupPrepareCommand = [ + '' + mkdir -p /backup/var + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /var/lib /backup/var/lib + '' + ]; + backupCleanupCommand = [ + '' + ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup/var/lib + '' + ]; + btrfsRoots = [ ]; + }; + + services.postgresqlBackup = { + enable = true; + compression = "zstd"; + compressionLevel = 9; + location = "/backup/db/postgresql"; + }; + + services.restic.backups.${config.networking.hostName} = { + extraBackupArgs = [ + "--limit-upload=1024" + ]; + }; +} diff --git a/machines/biotite/services/synapse.nix b/machines/biotite/services/synapse.nix new file mode 100644 index 0000000..7d4712b --- /dev/null +++ b/machines/biotite/services/synapse.nix @@ -0,0 +1,113 @@ +{ config, pkgs, ... }: +let + port-synapse = 6823; +in +{ + sops.secrets."synapse/oidc_client_secret" = { + owner = "matrix-synapse"; + }; + + nixpkgs.config.permittedInsecurePackages = [ + "olm-3.2.16" + ]; + + services.postgresql = { + # Not using ensure here because LC_COLLATE and LC_CTYPE must be provided + # at db creation + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + + services.matrix-synapse = { + enable = true; + settings = { + server_name = "xiny.li"; + public_baseurl = "https://synapse.xiny.li"; + database = { + name = "psycopg2"; + args = { + user = "matrix-synapse"; + }; + }; + listeners = [ + { + bind_addresses = [ + "127.0.0.1" + ]; + port = port-synapse; + resources = [ + { + compress = true; + names = [ + "client" + "federation" + ]; + } + ]; + tls = false; + type = "http"; + x_forwarded = true; + } + ]; + experimental_features = { + # Room summary api + msc3266_enabled = true; + # Removing account data + msc3391_enabled = true; + # Thread notifications + msc3773_enabled = true; + # Remotely toggle push notifications for another client + msc3881_enabled = true; + # Remotely silence local notifications + msc3890_enabled = true; + # Remove legacy mentions + msc4210_enabled = true; + }; + oidc_providers = [ + { + idp_id = "Kanidm"; + idp_name = "auth.xinyang.life"; + issuer = "https://auth.xinyang.life/oauth2/openid/synapse"; + authorization_endpoint = "https://auth.xinyang.life/ui/oauth2"; + token_endpoint = "https://auth.xinyang.life/oauth2/token"; + userinfo_endpoint = "https://auth.xinyang.life/oauth2/openid/synapse/userinfo"; + client_id = "synapse"; + client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path; + scopes = [ + "openid" + "profile" + ]; + allow_existing_users = true; + backchannel_logout_enabled = true; + user_mapping_provider.config = { + confirm_localpart = true; + localpart_template = "{{ user.preferred_username }}"; + display_name_template = "{{ user.name }}"; + }; + } + ]; + }; + }; + + services.caddy = { + virtualHosts."https://xiny.li".extraConfig = '' + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `{"m.server":"synapse.xiny.li:443"}` + respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://synapse.xiny.li/"}}` + ''; + virtualHosts."https://synapse.xiny.li".extraConfig = '' + reverse_proxy /_matrix/* 127.0.0.1:${toString port-synapse} + reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse} + ''; + }; + + networking.firewall.allowedTCPPorts = [ + 443 + ]; +} diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 8a95a99..1e6927a 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -45,6 +45,9 @@ miniflux-users = { members = [ "xin" ]; }; + synapse-users = { + members = [ "xin" ]; + }; idm_people_self_mail_write = { members = [ ]; }; @@ -211,6 +214,17 @@ }; }; }; + synapse = { + displayName = "Synapse"; + originUrl = "https://synapse.xiny.li/_synapse/client/oidc/callback"; + originLanding = "https://synapse.xiny.li/"; + scopeMaps = { + synapse-users = [ + "openid" + "profile" + ]; + }; + }; }; }; } From bd4d7b52174c6212e51fc94d2cbb882f0fcac79e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Dec 2024 16:38:43 +0800 Subject: [PATCH 6/8] machines/thorite: add more scrapes, alerts; add restic backup; --- machines/thorite/default.nix | 1 + machines/thorite/monitoring.nix | 31 ++++++++++++++++---- machines/thorite/restic.nix | 51 +++++++++++++++++++++++++++++++++ machines/thorite/secrets.yaml | 7 +++-- 4 files changed, 82 insertions(+), 8 deletions(-) create mode 100644 machines/thorite/restic.nix diff --git a/machines/thorite/default.nix b/machines/thorite/default.nix index b85bab8..afe2e58 100644 --- a/machines/thorite/default.nix +++ b/machines/thorite/default.nix @@ -2,6 +2,7 @@ imports = [ ./hardware-configurations.nix ./monitoring.nix + ./restic.nix ]; config = { diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index ac6586f..164776e 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -14,7 +14,19 @@ with my-lib; custom.monitoring = { grafana.enable = true; - loki.enable = true; + loki = { + enable = true; + rules = { + sshd_closed = { + condition = ''count_over_time({unit="sshd.service"} |~ "Connection closed by authenticating user" [15m]) > 25''; + description = "More then 25 users have tried logging in the last 15 min without success"; + }; + unusual_log_volume = { + condition = ''sum by (unit) (rate({unit=~".+"}[5m])) > 80''; + description = "Unit {{ $labels.unit }} is logging at an unusually high rate"; + }; + }; + }; promtail.enable = true; }; @@ -30,7 +42,10 @@ with my-lib; blackbox.enable = true; node.enable = true; }; - ruleModules = (mkCaddyRules [ { host = "thorite"; } ]) ++ (mkNodeRules [ { host = "thorite"; } ]); + ruleModules = + (mkCaddyRules [ { host = "thorite"; } ]) + ++ (mkNodeRules [ { host = "thorite"; } ]) + ++ (mkBlackboxRules [ { host = "thorite"; } ]); }; services.prometheus.scrapeConfigs = @@ -39,8 +54,6 @@ with my-lib; "la-00.video.namely.icu:8080" "fre-00.video.namely.icu:8080" "hk-00.video.namely.icu:8080" - "49.13.13.122:443" - "45.142.178.32:22" "home.xinyang.life:8000" ]; passwordFile = config.sops.secrets."prometheus/metrics_password".path; @@ -52,6 +65,11 @@ with my-lib; address = "weilite.coho-tet.ts.net"; port = 8082; } + { + name = "restic_rest_server"; + address = "backup.xinyang.life"; + port = 8443; + } { inherit passwordFile; name = "gotosocial"; @@ -72,6 +90,7 @@ with my-lib; } { name = "loki"; + scheme = "http"; address = "thorite.coho-tet.ts.net"; port = 3100; } @@ -90,11 +109,11 @@ with my-lib; ++ (mkBlackboxScrapes [ { hostAddress = "thorite.coho-tet.ts.net"; - targetAddresses = probeList; + targetAddresses = probeList ++ [ "49.13.13.122:22" ]; } { hostAddress = "massicot.coho-tet.ts.net"; - targetAddresses = probeList; + targetAddresses = probeList ++ [ "45.142.178.32:22" ]; } { hostAddress = "weilite.coho-tet.ts.net"; diff --git a/machines/thorite/restic.nix b/machines/thorite/restic.nix new file mode 100644 index 0000000..ef21c66 --- /dev/null +++ b/machines/thorite/restic.nix @@ -0,0 +1,51 @@ +{ + config, + lib, + pkgs, + ... +}: +let + sqliteBackup = fromPath: toPath: file: '' + mkdir -p ${toPath} + ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'" + ''; +in +{ + sops.secrets = { + "restic/repo_url" = { }; + "restic/repo_password" = { }; + }; + + custom.restic = { + enable = true; + paths = [ + "/backup/db" + "/backup/var/lib" + ]; + backupPrepareCommand = [ + '' + mkdir -p /backup/var + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /var/lib /backup/var/lib + '' + ]; + backupCleanupCommand = [ + '' + ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup/var/lib + '' + ]; + btrfsRoots = [ ]; + }; + + services.postgresqlBackup = { + enable = true; + compression = "zstd"; + compressionLevel = 9; + location = "/backup/db/postgresql"; + }; + + services.restic.backups.${config.networking.hostName} = { + extraBackupArgs = [ + "--limit-upload=1024" + ]; + }; +} diff --git a/machines/thorite/secrets.yaml b/machines/thorite/secrets.yaml index 60d475f..c246e2b 100644 --- a/machines/thorite/secrets.yaml +++ b/machines/thorite/secrets.yaml @@ -1,5 +1,8 @@ grafana: oauth_secret: ENC[AES256_GCM,data:angZR3sl8vGcbAXyKFBvCSm+YhF5OooCcxRiSxR2zBoXMz5wv5/uMJFynwOTRVI6,iv:hVpOlM89lNbK6AsGf4Is/tLv3xPfg/XdtA8vuEK52L8=,tag:zCER+IdRnTcG2WHQ/AhxZA==,type:str] +restic: + repo_url: ENC[AES256_GCM,data:tc7wYRN20sHxATTZYEBpf6tNafzq9vcvqdUHYJDmJIArxprNd6WiyqPXowzbksZcEi5JwSwwJH/MYminnPGtrR8erWZg8OB3,iv:/z7mF58tMAviscFWHd4NJw7UZlq7Bzz+LU88J+kE9qg=,tag:i97FP4SmmNXOuxylkHhYCA==,type:str] + repo_password: ENC[AES256_GCM,data:o3MbXJRwR5UE9uCELN2ejQ==,iv:cYPNjJAV7H2BNCuFLDJoJvPk+CFvagXJwW9LRAGc0G0=,tag:qF6Di2W+8kESCRAphC/c0g==,type:str] sops: kms: [] gcp_kms: [] @@ -24,8 +27,8 @@ sops: M2pqMUJoMGlBZnpBaVBUTFFRZUMzb2sKrlWy26Cv55/8XQEl9hee8P29uj582sIx mUjaYE0U2qOP9bklXUQyyzQjfkBLWTLc1PTX9BjqOOsqXwkRQIYppA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-28T17:02:03Z" - mac: ENC[AES256_GCM,data:14FOUXuKP+8+sad1UlhBW37fWzmutpyn6d4q2qKtBiOyT5ivHunFHJfHrtX83X2fLDmUfiD42bXf+rYfdtKzVUmQ6vutCUQk+Hal8NElhjcq5Ns5kT4VZRKG7/ya9+eNEEkajtq/7OFEM5KOQKTKjyOBqBq/AdYQ+ni9r45c1sM=,iv:WrdWSfrZrGalZO4WGk3JpgACY7W0odt3vP+pRkMXHfA=,tag:jeRBfR2QYjLBylOLHxU3hQ==,type:str] + lastmodified: "2024-12-03T08:18:54Z" + mac: ENC[AES256_GCM,data:jqSt34avoMfL9g3LmvjrPTzW4xGLgX70CXI8qk4isaLbZ8FkxjVU8QY1ot9GZnFEQWUkReSuGD4gFxi8TjetlNdx0zDPcv6zGJUSfcYpyKDCqGdyL/2x8xnYtI2pWINBZxR/2XxT3cus39FJdXVcz3l7KX4DvYvm8t/D9+r4ef0=,iv:KY/OTbDOOD/bBDTIuIk1ck7wDxLogo2EKeSOfOe4j5o=,tag:B17iF5O32KDZfctubpXCng==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 From 4169513eada1f77633e4692235c0f10f7be18bdb Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Dec 2024 16:39:34 +0800 Subject: [PATCH 7/8] weilite: add insecure dotnet required by sonarr --- machines/weilite/default.nix | 3 +++ machines/weilite/secrets.yaml | 8 +++++--- machines/weilite/services/media-download.nix | 7 +++++++ machines/weilite/services/restic.nix | 2 ++ 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index b694f40..d0a93a3 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -56,6 +56,9 @@ owner = "immich"; mode = "400"; }; + "restic/localpass" = { + owner = "restic"; + }; }; }; diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index 8446f0a..0394a80 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml @@ -2,6 +2,8 @@ cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71 dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str] immich: oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] +restic: + localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str] sops: kms: [] gcp_kms: [] @@ -26,8 +28,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-13T12:02:54Z" - mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str] + lastmodified: "2024-12-03T05:59:51Z" + mac: ENC[AES256_GCM,data:0dLbfkm7fJvH5Mmct0/qHulg2AtDCeeeOgWMXfeGRUaX3GlLDiLga0zW4uNPDuahVecdh6ofvYfBOxFaGUdBCHk9vq5GzrwrzBNhqObWQ3AqVuq5rjqSxEKoFM4Eb5qoqaOefFzT/9qC94NDETTsHhjiEeIgd4fgSr2dazNiFPE=,iv:Ggw0FHzkrhKh5Uzo3seHGwwHsWW/tTAgAl0iIq9PVk4=,tag:rJvUI5/wsLJ01XyKmkRghw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.1 diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix index 0e1ab58..6f22744 100644 --- a/machines/weilite/services/media-download.nix +++ b/machines/weilite/services/media-download.nix @@ -13,6 +13,13 @@ openFirewall = false; }; + nixpkgs.config.permittedInsecurePackages = [ + "aspnetcore-runtime-6.0.36" + "aspnetcore-runtime-wrapped-6.0.36" + "dotnet-sdk-6.0.428" + "dotnet-sdk-wrapped-6.0.428" + ]; + services.sonarr = { enable = true; }; diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix index 4858590..f62786e 100644 --- a/machines/weilite/services/restic.nix +++ b/machines/weilite/services/restic.nix @@ -35,6 +35,8 @@ in services.restic.backups = builtins.listToAttrs [ (mkPrune "xin" "calcite") (mkPrune "xin" "massicot") + (mkPrune "xin" "biotite") + (mkPrune "xin" "thorite") ]; networking.firewall.allowedTCPPorts = [ 8443 ]; From d9a7b3d48ccae1144ba8d03a8608e8c0c1639459 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Dec 2024 16:43:39 +0800 Subject: [PATCH 8/8] my-lib/settings: manage settings shared globally --- .sops.yaml | 1 + machines/secrets.yaml | 89 ++++++++++++++++++--------------- overlays/my-lib/default.nix | 8 +++ overlays/my-lib/prometheus.nix | 91 +++++++++++++++++++++++++++------- overlays/my-lib/settings.nix | 5 ++ 5 files changed, 135 insertions(+), 59 deletions(-) create mode 100644 overlays/my-lib/settings.nix diff --git a/.sops.yaml b/.sops.yaml index c092203..ad2d8e4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,6 +15,7 @@ creation_rules: - age: - *xin - *host-calcite + - *host-weilite - *host-massicot - *host-thorite - *host-biotite diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 69456c4..6d94d7e 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -10,74 +10,83 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMHB1bFQ3dWJIU3NiOVVP - Yi9LZE1PTVdMY1BqS1JHV3VPLzZIY0hGK0NZClNlclVXKzBvNTBrTlhiR0VsaVoz - RlVLNVBEVDgzSXB5ZGxDd3hqNDh2V2MKLS0tIEhBZHFUY3c2VXJBVEVKamZ6TzBa - MlFsNnVEV0xCdlJoRnBhUHF2MmswUEUKNYD9zssGBy9SaKeOMvTz71B6KMPW87cM - tFJzgnQceEQF658lVa5cCzG1gzraCgBtQU15XzC7e8zWI9CHquRRlQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SjAzOEozUzh1bzVvaHgr + T2xsVUszTHVSdWIyM3B5TFhtUEFMeVZlYzNrCk5IOWFNbTErbTVkQnNlVllMZWlV + Q2lHZXRIdzBiRFRSZnNUVWd2NXVXVGcKLS0tIERhcjh3VVlqSGxHUHpnc1JzVksv + VXpQVVVCUC9xR3crWm9rTk13LzVhK1EKwiuvwx3ZhcDE+9w7/dR4PrZSSoJMvklT + m7I32dMRk0o9zcl5KYU5L9Hwb+z+EBE34raoGKBF5K4aQcbZQUX3Cw== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTTnZLTlZQRzc1enVEa1BN - SHdoSi9oOXk4UTV0SlRZS2tLS2FFL3VjNzNNClVWTTNKekF6T0RTUzdEeWhLbHoz - WFZKaHJEaVBWa04zRWRiVnJZRjU0YVEKLS0tIFJVL0FEemowS3V6MmsxbWJMU2I1 - U2NnUnVKdFlRSGVzUFQ4ZFcwL0lWTlkKz1t3yqjgIdMWS/Nsy2nq3oCjOhGDP+UT - L+LAuFExJPV0qlsOG/kCGB/WtCJfnBvcp6vPDBLqjK8NllIX/iPI5g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R1ZIRlN2b3M2OUQ0T2cw + eE5DTm9KY1NUY1p5eDhLNG4xMDVkVjRyWDNRClp3MTRWeGJMYTczcC9YQTNZdkxx + ejJ3QnhjcUcyUldUNEVqVUh6Z2grd00KLS0tIDVvbDZWbmZPZVhDNHM1K1kzaE95 + aHJqSU16dlJiRGl0VWNMVXVYMmhPb2MKMboq9ShGIJMFVENgLPlQdwdtTOjVb0CC + 4ttM3xWnYkf8416a0OYFrda5l1kfJJzQakbk/tbGcTu1yTcd+6lOtA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVby8wYS9pa0szTlVUS3FI + VWhjaCtyUzNLbkw2VXRlWkVMZlRkeXJMZGlRCnBTWklnZ0Uzd2lTMGt1M2wxZ0px + NFl2RW5hSUZVdHI0aVFRMHJtMFQ3ODAKLS0tIFlYOHVRYVFGbkcvUWRmQitQQnI5 + bG5vemMvcWdpOEtxNGRpS0doQmtuUFkK8Hxl//kOtbEw3jf96ZZ4G1Yb94f4Jeb4 + TfPs7O/ESJY8ovNsoXRQEt99vOR5D1wBzyZBY9E3f2ZzY/uBmup0cw== -----END AGE ENCRYPTED FILE----- - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETWpkcjhINktqeGxjdWxz - UTVVNC9kalorcVJOdHpJSkZJNXlGUHZ2VUdrCjRCclBTZnJEZ3JGOVpqS1Y0b0dt - eldFMS91WUc2Y1FnWWZoN0grc01pT0UKLS0tIC96TjlEaVBGRkZhZ0hac2lmbEdI - eHMzTFhsQ0FqY05uUEZSbExCcmdscEkKdxITlc0V5ayq+9fmj77SnEMFxKJhOOta - RfJhOQUv8g3nCN+SsuaOy0TitUCiDWh5XoB0DufEQPcS/kzGZN1Inw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSmRYMkNIdERJZVBxV1p1 + emlqOTBpN3l2WXkzNjRRcFI5NUZDZnQ1WXdnCkRVbm8xais5aGVCTmtSTGxaTXlT + L2ZWQ0p5WFZNRWl5SWVkRUYwc2R3b1UKLS0tIEZEck4yMmJUQWVvNHRJQnpCQTBo + cDJsaG83MTdXWVd2NUpLczhjWTBBZVUK5BxBIYVqkqVLw9LTbnJ8SQWN2i4USdI8 + 8m/hZFXTJ4GI0f795DEmbcZq9xET14aQqta0wSASqwP/5Ld1mo0a0w== -----END AGE ENCRYPTED FILE----- - recipient: age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydlQ4S1duQU53Wk1nd21K - d2RqM1F0VDFJVXB2aGRTZ2hxczI2V1lndVdrCjArVlE2N0RGZ0htUEZYdVlQMlU5 - SWIwWHVCaWxaQTJMNzg3WC8xRS9IYzgKLS0tIDRvSS8ybVlrSy9zYjQ2NXBaMlZk - Ulg4cUFBejRoS3VEWkRaZEUxMExUeWMKNeq6TN1gaBNU9vAitGttcU+8HmFQipdm - LPwo4/toyf27emb4KGs0AV0Dm4Sxj9S3Xvrv1B+qvhfT638/RIUm2w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSkhjRTdBWklZUEpUanM0 + Wjl4b2c3K0g0ZUxxMlRrUFhhZzhNRXhPVnpvCmpNWVBNTXNYczV3aWhCd05FOGJ0 + YlNobFhWdStGbDRZV2NlUWV6ZFRVNEkKLS0tIGd1RUR4K21GOEQ0aWtqRi9RREpE + RXBXcXFYUDVXVzN4Q25zSklFU21wbFkKQuTHkgFC5HRPO7/PuVhJzbbHOTPaFXvN + +Y31AK3OAVdUETMEuJ2mk50Bi5BiiUeOnnv1bZ6O+iX0o20ysUseTg== -----END AGE ENCRYPTED FILE----- - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YXpyOXE3MFovWEQvMVRr - TGVST3U0N2dCVDJGT1A3eUtlRis3bFEvTHlFClZHQ2xRWklMMCtER01QNEVHaVYr - MC94V3R4MVdNdUU3eXQ2RGFFVGo4VFEKLS0tIDQ4b2ZuMy9URUswWUZqNHlxandU - OFducVVzdGZGY0tnbFFBZDdjVzVkaUEKN8qAbbrd4pAHRGIN8O64fl7bQ6hx6Isr - Qx0xKeuhJCVXgtE8xc7xmnEhqrcONlflJ/XUnYV9jOkB71zSBJxruA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc3NOZFRYT1VnaVZSaTRi + WnluSEk4d1U5TWx2REZRZ3VCRVp2ZzlKY0NvCjNlUnIwdWVqSnlQOWp1dlJ5THlW + c2xTNHhnaE94a2ZTeXJjQTVxeGRLTmsKLS0tIFV4c2NZK1ZnL2xtUlVvSksxNi9o + L3dodkJXVjZrekVldTVsRFRxSFlrTmMKiokjgIRIsI8D2aFP/Qem4iGzC4yr5lm2 + ZwggC/UfD56ysTEqrVaDnR7f5fSqZLWdstPJn7I/vr5CwKRMbMPYSA== -----END AGE ENCRYPTED FILE----- - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzczdPMDdWU1ZtckJRQm5j - UWJub0Yzd3NzOEh4YWdId01nYWI1YVY3dng0ClpEYXBJV2cvWEdjdXcwUFI3Y0NG - MDgvTmNZOXRQQndyVmRHamNRbzVaVU0KLS0tIGFKVTI4TkE2UjhDUSsxQTlNQ0Vk - QmFMNnlqbnhScC90T012K1QxRnRUOHcKAV7NxUn0CMcjKwK8zrocoLO1P9jc22uG - eG+vdJ6xzA99UX51aPxQOeEJgdFPEd3y1QJszQmRzThvid7y4lv0Cw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN0llOTBJU1pNNVFxVWxt + aFdKdStKL1ZlZ0p6WFRQbHpGNnpmdlJXdG1FCkx5eDhZWWJvQ2xSWEJqWnZ6NmNt + Y0MzNDg5QzVSbEZteW1LNlFyRFg5Q0EKLS0tIDBrT0dEZlBoTExYcGRNZjZ5Znpz + cnE4YWRTMmRsTENhOTl5R2dYSzQwazAKvnTvZz842Mg5AVlIoYHI2BG+0/hO5zIv + jRVJri98fgGterXADTPmeoY3p+fFQggTPhs/5s5GSQxd5aiX8vvvrA== -----END AGE ENCRYPTED FILE----- - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsVmpzenRvWE5EK2wzRFkx - SERZV0s1Rkt0ZnZ1U3JQSFNhdGVvaWhWcTA4CjVxK0Z0MHI0ZnMrUS9YYWhTTG1z - L2lVS1Q2UkVQd2x5b1E1eWpQVGp2ZHMKLS0tIHNLOGhTYjkzWkFEM05wYkRZeXFQ - SXNTSGZZSFE2bFhybXdIc1FUb1ZBd0kKkYzflPRk6GrE6t9oVGOzc8xcyZDxiIw8 - 9SVXIgV0WVpY4lnFKYKH2i4+1sIm6tKOpizlQxTg5VgmmrTtfazWAA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQWljdGg4VTlDdGhoblpk + LytxK2FnQVI1dzB2bnFaWUtoUVNGS3lpU3prCnRwUTNnZVVXTnZ6eCtScTk5YzI3 + TGM2MmNhaHQ3NXAzMk0rcnJoTlp5STQKLS0tIEp2U3YvUUhXTkt3VFczY3J1LzMv + ZzM0VHpqamRIZVROS2lQdXFhQTNBekEKEySldC+VvZvPY398ZVkB5s73bT3QbuLh + IqTv+wbkbjlvZJUavVyycY5SwMXkSX3ge9W/64mt/RDs88gSXFS+Sw== -----END AGE ENCRYPTED FILE----- - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NHpkOTFHaXRhVGNua0dV - alRieWJ6WG5ZNzlvcTR2aTVUeWFBVGVVUUNZCnY2VUZUOWVlNGY1ZldyVGE2bkpi - VXVtQ3IyK0kyV1cyMU5nN1lYaW1oOUkKLS0tIFRVRGFCNWlGendSVEhHY0w0QTl6 - emJEQkQ3QlU0TFVWaW1uQytaUndmQlEKKahqJpX8vI+PASOzzod/sFvXSkQFnJ9O - YmnmiFxm5WZDPLHwkgVx8FgCq9RfAad4HybhsMjYPKXJ/fNa/WVZRA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bGppem15NlVod2hCRkM5 + MzY1aUZOdEVzRzdEYTRNakdMQWJlRkk0eEZzClRLSnRrQUoreU5MVG40KzRKSGcw + bUU4ZnpLU0VtOWxXVllrSW5lN0NWb0kKLS0tIE1iemRlVVpieEhxRnlIb2dFUHZr + am04NVRtU2N6SThYZWdXVE5RZ1B2aE0KVcHvB5k2Gcu/St0P8WPFzlCtuZthZTKo + hwVc0lC6Xxt25hriaUFinwnyvcjxrLCx0Nq7f9Zn16nJcza5kev1nQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-30T06:31:42Z" mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str] diff --git a/overlays/my-lib/default.nix b/overlays/my-lib/default.nix index 8d07bc1..c684e36 100644 --- a/overlays/my-lib/default.nix +++ b/overlays/my-lib/default.nix @@ -1,3 +1,11 @@ { + mkSystemdDebug = + { lib, pkgs }: + { + ExecStart = lib.mkForce "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d"; + ExecStop = lib.mkForce "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session"; + Type = "forking"; + }; } // (import ./prometheus.nix) +// (import ./settings.nix) diff --git a/overlays/my-lib/prometheus.nix b/overlays/my-lib/prometheus.nix index da43f77..5143c71 100644 --- a/overlays/my-lib/prometheus.nix +++ b/overlays/my-lib/prometheus.nix @@ -108,22 +108,10 @@ in description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; } - { - alert = "HighTransmitTraffic"; - expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; - for = "1m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; - description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; - }; - } { alert = "NetworkTrafficExceedLimit"; - expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; - for = "0m"; + expr = ''sum by(instance) (increase(node_network_transmit_bytes_total{device!="lo", device!~"tailscale.*", device!~"wg.*", device!~"br.*"}[30d])) > 322122547200''; + for = "1m"; labels = { severity = "critical"; }; @@ -131,6 +119,66 @@ in summary = "Outbound network traffic exceed 300GB for last 30 day"; }; } + { + alert = "HighDiskUsage"; + expr = ''(1 - node_filesystem_free_bytes{fstype!~"vfat|ramfs"} / node_filesystem_size_bytes) * 100 > 85''; + for = "5m"; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High disk usage on {{ $labels.instance }}"; + }; + } + { + alert = "DiskWillFull"; + expr = ''predict_linear(node_filesystem_free_bytes{fstype!~"vfat|ramfs"}[1h], 12 * 3600) < (node_filesystem_size_bytes * 0.05)''; + + for = "3m"; + labels = { + severity = "critical"; + }; + annotations = { + summary = "Disk usage will exceed 95% in 12 hours on {{ $labels.instance }}"; + description = "Disk {{ $labels.mountpoint }} is predicted to exceed 92% usage within 12 hours at current growth rate"; + }; + } + { + alert = "HighSwapUsage"; + expr = ''(1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes)) * 100 > 80''; + for = "5m"; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High swap usage on {{ $labels.instance }}"; + description = "Swap usage is above 80% for 5 minutes\n Current value: {{ $value }}%"; + }; + } + { + alert = "OOMKillDetected"; + expr = ''increase(node_vmstat_oom_kill[5m]) > 0''; + for = "1m"; + labels = { + severity = "critical"; + }; + annotations = { + summary = "OOM kill detected on {{ $labels.instance }}"; + description = "Out of memory killer was triggered in the last 5 minutes"; + }; + } + { + alert = "HighMemoryUsage"; + expr = ''(1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100 > 90''; + for = "5m"; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High memory usage on {{ $labels.instance }}"; + description = "Memory usage is above 90% for 5 minutes\n Current value: {{ $value }}%"; + }; + } ]; } ); @@ -152,6 +200,9 @@ in static_configs = [ { targets = targetAddresses; + labels = { + from = hostAddress; + }; } ]; relabel_configs = [ @@ -187,23 +238,25 @@ in severity = "warning"; }; annotations = { - summary = "High request latency on {{ $labels.instance }}"; - description = "Request latency is above 0.5 seconds for the last 3 minutes."; + summary = "High request latency from {{ $labels.from }} to {{ $labels.instance }}"; + description = "Request latency is above 0.5 seconds for the last 2 minutes."; }; } { alert = "VeryHighProbeLatency"; - expr = "probe_duration_seconds > 1"; + expr = "probe_duration_seconds > 2"; for = "3m"; labels = { severity = "critical"; }; annotations = { - summary = "High request latency on {{ $labels.instance }}"; - description = "Request latency is above 0.5 seconds for the last 3 minutes."; + summary = "Very high request latency from {{ $labels.from }} to {{ $labels.instance }}"; + description = "Request latency is above 2 seconds for the last 2 minutes."; }; } ]; } ); + + # mkResticScrapes = mkFunction () ; } diff --git a/overlays/my-lib/settings.nix b/overlays/my-lib/settings.nix new file mode 100644 index 0000000..b0cc0eb --- /dev/null +++ b/overlays/my-lib/settings.nix @@ -0,0 +1,5 @@ +{ + settings = { + alertmanagerPort = 9093; + }; +}