diff --git a/.sops.yaml b/.sops.yaml
index ad2d8e4..c092203 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,7 +15,6 @@ creation_rules:
 - age:
 - *xin
 - *host-calcite
- - *host-weilite
 - *host-massicot
 - *host-thorite
 - *host-biotite
diff --git a/flake.lock b/flake.lock
index e45132d..c23bdb6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "catppuccin": {
 "locked": {
- "lastModified": 1733001911,
- "narHash": "sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk=",
+ "lastModified": 1731232837,
+ "narHash": "sha256-0aIwr/RC/oe7rYkfJb47xjdEQDSNcqpFGsEa+EPlDEs=",
 "owner": "catppuccin",
 "repo": "nix",
- "rev": "a817009ebfd2cca7f70a77884e5098d0a8c83f8e",
+ "rev": "32359bf226fe874d3b7a0a5753d291a4da9616fe",
 "type": "github"
 },
 "original": {
@@ -68,11 +68,11 @@
 ]
 },
 "locked": {
- "lastModified": 1732988076,
- "narHash": "sha256-2uMaVAZn7fiyTUGhKgleuLYe5+EAAYB/diKxrM7g3as=",
+ "lastModified": 1732645828,
+ "narHash": "sha256-+4U2I2653JvPFxcux837ulwYS864QvEueIljUkwytsk=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "2814a5224a47ca19e858e027f7e8bff74a8ea9f1",
+ "rev": "869ba3a87486289a4197b52a6c9e7222edf00b3e",
 "type": "github"
 },
 "original": {
@@ -238,11 +238,11 @@
 ]
 },
 "locked": {
- "lastModified": 1730814269,
- "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
+ "lastModified": 1730302582,
+ "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
+ "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
 "type": "github"
 },
 "original": {
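Review bot: Dropping `*host-weilite` from `creation_rules` only affects files encrypted from now on; every existing sops file that listed that key keeps it as a recipient until it is re-keyed with `sops updatekeys`. The machines/secrets.yaml hunk does show a re-key (the recipient beginning `age17r3fx` disappears, presumably weilite's), but the biotite, thorite and weilite secrets.yaml hunks only change `lastmodified`/`mac`, so confirm those files never carried that recipient. If the key is being removed because the host is retired or its key is suspected exposed, re-keying alone does not help for anything that key could already decrypt — those values need rotation, not just a new data key.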
@@ -281,11 +281,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733085484,
- "narHash": "sha256-dVmNuUajnU18oHzBQWZm1BQtANCHaqNuxTHZQ+GN0r8=",
+ "lastModified": 1731786860,
+ "narHash": "sha256-130gQ5k8kZlxjBEeLpE+SvWFgSOFgQFeZlqIik7KgtQ=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "c1fee8d4a60b89cae12b288ba9dbc608ff298163",
+ "rev": "1bd5616e33c0c54d7a5b37db94160635a9b27aeb",
 "type": "github"
 },
 "original": {
@@ -303,11 +303,11 @@
 ]
 },
 "locked": {
- "lastModified": 1731235328,
- "narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=",
+ "lastModified": 1730490306,
+ "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "60bb110917844d354f3c18e05450606a435d2d10",
+ "rev": "1743615b61c7285976f85b303a36cdf88a556503",
 "type": "github"
 },
 "original": {
@@ -332,16 +332,16 @@
 ]
 },
 "locked": {
- "lastModified": 1729958008,
- "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
+ "lastModified": 1729544999,
+ "narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=",
 "owner": "NuschtOS",
 "repo": "ixx",
- "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
+ "rev": "65c207c92befec93e22086da9456d3906a4e999c",
 "type": "github"
 },
 "original": {
 "owner": "NuschtOS",
- "ref": "v0.0.6",
+ "ref": "v0.0.5",
 "repo": "ixx",
 "type": "github"
 }
@@ -355,11 +355,11 @@
 "nixvim": "nixvim"
 },
 "locked": {
- "lastModified": 1732936640,
- "narHash": "sha256-NcluA0L+ZV5MUj3UuQhlkGCj8KoEhX/ObWlMHZ/F/ac=",
+ "lastModified": 1730642581,
+ "narHash": "sha256-Tcq+RnctJTm+TUr1fN3ivqYNcd1pJnHYzLDQdgUCX70=",
 "ref": "refs/heads/master",
- "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa",
- "revCount": 20,
+ "rev": "a09d2b94efb5e2d801275a244eedaab0816f3702",
+ "revCount": 18,
 "type": "git",
 "url": "https://git.xinyang.life/xin/nixvim"
 },
@@ -377,11 +377,11 @@
 ]
 },
 "locked": {
- "lastModified": 1731153869,
- "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
+ "lastModified": 1730448474,
+ "narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=",
 "owner": "lnl7",
 "repo": "nix-darwin",
- "rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
+ "rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e",
 "type": "github"
 },
 "original": {
@@ -418,11 +418,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733024876,
- "narHash": "sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE=",
+ "lastModified": 1731814505,
+ "narHash": "sha256-l9ryrx1Twh08a+gxrMGM9O/aZKEimZfa6sZVyPCImgI=",
 "owner": "Mic92",
 "repo": "nix-index-database",
- "rev": "6e0b7f81367069589a480b91603a10bcf71f3103",
+ "rev": "bdba246946fb079b87b4cada4df9b1cdf1c06132",
 "type": "github"
 },
 "original": {
@@ -442,11 +442,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733104664,
- "narHash": "sha256-UhlyYYO84s36aSj0/xZdclY6CgwJSWPYtTHTOBuHodM=",
+ "lastModified": 1731808759,
+ "narHash": "sha256-WwJqguc/5Q7HEwHlgDzDT8mtd8ZxInxZM2neJKC1oh8=",
 "owner": "nix-community",
 "repo": "nix-vscode-extensions",
- "rev": "e3a9b717e8327886d4ab6115f6989f4d1ef44e51",
+ "rev": "5cf92678e6799ce45442dee4c9cb8094843c7cfa",
 "type": "github"
 },
 "original": {
@@ -457,11 +457,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1733066523,
- "narHash": "sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU=",
+ "lastModified": 1731797098,
+ "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "fe01780d356d70fd119a19277bff71d3e78dad00",
+ "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
 "type": "github"
 },
 "original": {
@@ -473,11 +473,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1731139594,
- "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
+ "lastModified": 1730200266,
+ "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
+ "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
 "type": "github"
 },
 "original": {
@@ -501,11 +501,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1733016324,
- "narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=",
+ "lastModified": 1731652201,
+ "narHash": "sha256-XUO0JKP1hlww0d7mm3kpmIr4hhtR4zicg5Wwes9cPMg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6",
+ "rev": "c21b77913ea840f8bcf9adf4c41cecc2abffd38d",
 "type": "github"
 },
 "original": {
@@ -515,13 +515,29 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1731797254,
+ "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1733128666,
- "narHash": "sha256-JOIhbU0EPRXwFv1wCXGTkUZ9KnIcLxChvCqeV9hh63U=",
+ "lastModified": 1731819057,
+ "narHash": "sha256-nfqKsQhFCakM+eIKGf/JWu/g56rOPoGny10EZN8q7R0=",
 "owner": "xinyangli",
 "repo": "nixpkgs",
- "rev": "6273ca0a0fd51ac708a71e380c0cda97a72bbb07",
+ "rev": "b2644ed7258502987ad4a70cf8959bf5a26ce26d",
 "type": "github"
 },
 "original": {
@@ -544,11 +560,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1731527733,
- "narHash": "sha256-12OpSgbLDiKmxvBXwVracIfGI9FpjFyHpa1r0Ho+NFA=",
+ "lastModified": 1730569492,
+ "narHash": "sha256-NByr7l7JetL9kIrdCOcRqBu+lAkruYXETp1DMiDHNQs=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "f11a877bcc1d66cc8bd7990c704f91c1e99c7d08",
+ "rev": "6f210158b03b01a1fd44bf3968165e6da80635ce",
 "type": "github"
 },
 "original": {
@@ -559,11 +575,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1733125101,
- "narHash": "sha256-C8f6ekiZ4kP84JWLDrMigvnSK6RXQoxLEDoteXMx1yc=",
+ "lastModified": 1731819675,
+ "narHash": "sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "1844924bf1e7e5a98198eca17b6c27cc9a363b05",
+ "rev": "59740d792bea5caa547c9bc7ce366802ecfafb7f",
 "type": "github"
 },
 "original": {
@@ -583,11 +599,11 @@
 ]
 },
 "locked": {
- "lastModified": 1731060242,
- "narHash": "sha256-43yLsOm/wxBbfYSNDWVJeVv5Ij+23X3BIjFUfsdx/6M=",
+ "lastModified": 1730515563,
+ "narHash": "sha256-8lklUZRV7nwkPLF3roxzi4C2oyLydDXyAzAnDvjkOms=",
 "owner": "NuschtOS",
 "repo": "search",
- "rev": "ef493352f9e1f051e01a55c062731503a6b36b4e",
+ "rev": "9e22bd742480916ff5d0ab20ca2522eaa3fa061e",
 "type": "github"
 },
 "original": {
@@ -617,14 +633,15 @@
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
- ]
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1733128155,
- "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+ "lastModified": 1731814239,
+ "narHash": "sha256-TGnMXCeXS924w9W6CvRFtUCUFr8E/RK138lHxU3vcw8=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+ "rev": "47fc1d8c72dbd69b32ecb2019b5b648da3dd20ce",
 "type": "github"
 },
 "original": {
diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix
index d90cc4d..9f246cf 100644
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@@ -125,8 +125,7 @@ in profiles.default = { isDefault = true; userChrome = '' - - #TabsToolbar { + #titlebar { display: none; } @@ -137,7 +136,7 @@ in [titlepreface*="."] #sidebar-header { visibility: collapse !important; } - [titlepreface*="."] #TabsToolbar { + [titlepreface*="."] #titlebar { visibility: collapse; } @@ -149,7 +148,7 @@ in min-width: var(--uc-sidebar-width) !important; width: var(--uc-sidebar-width) !important; max-width: var(--uc-sidebar-width) !important; - z-index: calc(var(--browser-area-z-index-tabbox) + 1); + z-index:1; } #sidebar-box[positionend]{ direction: rtl } @@ -191,12 +190,12 @@ in transition-delay: 0ms !important; } - .sidebar-placeTree { - /* background-color: transparent !important; */ + .sidebar-panel{ + background-color: transparent !important; color: var(--newtab-text-primary-color) !important; } - .sidebar-placeTree #search-box{ + .sidebar-panel #search-box{ -moz-appearance: none !important; background-color: rgba(249,249,250,0.1) !important; color: inherit !important; diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index cf652c8..a507675 100644 --- a/machines/biotite/default.nix +++ b/machines/biotite/default.nix @@ -1,5 +1,4 @@ { - pkgs, lib, ... }: @@ -8,8 +7,6 @@ imports = [ ./hardware-configurations.nix ./services/gotosocial.nix - ./services/synapse.nix - ./services/restic.nix ]; networking.hostName = "biotite"; 
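Review bot: `z-index:1;` replaces a value derived from `--browser-area-z-index-tabbox` with a hard-coded one, and nothing in the hunk says why; a one-line CSS comment next to it naming the reason (and the Firefox version these selectors target) would save the next reader a bisect. The selector renames in the other hunks of this file (`#TabsToolbar` → `#titlebar`, `.sidebar-placeTree` → `.sidebar-panel`) look like the same version dependency, so a single comment at the top of `userChrome` would cover all of them. As a matter of style, `z-index:1;` and `.sidebar-panel{` drop the space that `display: none;` a few lines above uses; `z-index: 1;` and `.sidebar-panel {` read more consistently. The `userChrome` string and the enclosing `profiles.default` set continue outside the hunks.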
@@ -46,37 +43,6 @@ services.caddy.enable = true; services.tailscale.enable = true; - services.postgresql = { - enable = true; - package = pkgs.postgresql_17; - settings = { - allow_alter_system = false; - # DB Version: 17 - # OS Type: linux - # DB Type: mixed - # Total Memory (RAM): 8 GB - # CPUs num: 4 - # Data Storage: ssd - max_connections = 100; - shared_buffers = "2GB"; - effective_cache_size = "6GB"; - maintenance_work_mem = "512MB"; - checkpoint_completion_target = 0.9; - wal_buffers = "16MB"; - default_statistics_target = 100; - random_page_cost = 1.1; - effective_io_concurrency = 200; - work_mem = "5242kB"; - huge_pages = "off"; - min_wal_size = "1GB"; - max_wal_size = "4GB"; - max_worker_processes = 4; - max_parallel_workers_per_gather = 2; - max_parallel_workers = 4; - max_parallel_maintenance_workers = 2; - }; - }; - users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU."; system.stateVersion = "24.11"; diff --git a/machines/biotite/secrets.yaml b/machines/biotite/secrets.yaml index b2ed748..5d8f181 100644 --- a/machines/biotite/secrets.yaml +++ b/machines/biotite/secrets.yaml @@ -1,10 +1,5 @@ gotosocial: oidc_client_secret: ENC[AES256_GCM,data:KVQxzs67sohax2h0Y/jjhnbY4fetrdVvWhBGbqgDSGgBC7QazrOmTA++BSRzMmVv,iv:HIRMc56aLanqQRTWH9E0wzzXymImi0pxK/ccPEP8Fcc=,tag:PMhOLeE3mKIIQveRdfpgpA==,type:str] -synapse: - oidc_client_secret: ENC[AES256_GCM,data:TdZF8Bo+h34fn03sPpt7JEqmP8Cwm8V++q9VDvaapMBc3rlkrVu3iDUhQE2DvJri,iv:/QNX+aYUPpDKIqWZ13TLAznR3ZpUPI8rQHrJuqv7R+g=,tag:lcBIpeWiIXK/NV84uuxNiA==,type:str] -restic: - repo_url: ENC[AES256_GCM,data:ZcBMqwEsyc7zyEftJZj4XkKBzUHwlqd6cjX8xVDn9m26jBL7aP5atpnXDRE9FXY4CuAllFyQZyAOQ2L61Nfx+iplL2ADbSoH,iv:fhNODiyoOlZEqYR2O/GsH2IWTPDr3rXSJgWC/EFDLSA=,tag:nZdKKnpiszSiXxdZI1KQ/A==,type:str] - repo_password: ENC[AES256_GCM,data:9YDOz1tiyykz6zSXboWtIg==,iv:j96mRLXGuD4NZcC0Nv1yXFbtOlr6UborqclefZ7J94w=,tag:MqhSewK2NuckTJBf7xu+lA==,type:str] sops: kms: [] gcp_kms: [] 
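Review bot: Disabling `services.postgresql` here, together with dropping `./services/restic.nix` (and its `services.postgresqlBackup`) in the imports hunk, stops the server and every backup of it but leaves the existing cluster in its data directory with no job touching it any more; the gotosocial.nix hunk removes `setupPostgresqlDB = true` without a visible replacement, so where gotosocial's data is supposed to live after this is not recoverable from the diff. If the cluster is abandoned on purpose, say so in a comment where the block used to be, e.g. `# postgresql removed; old cluster data left in place, no longer backed up`; if not, take a final dump before this lands. The `pkgs` argument removal in the first hunk is consistent, since `pkgs.postgresql_17` was its only visible use.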
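Review bot: Deleting `synapse.oidc_client_secret` and the two `restic` entries from this sops file does not retire the credentials themselves: the restic repository password is still honoured by the REST server on weilite (its `8443` listener stays open in the weilite restic.nix hunk, which also stops pruning the biotite and thorite repositories), and the ciphertexts stay in git history for any holder of a recipient key. Rotate or delete those repositories, and confirm the `synapse` OAuth2 client is actually gone from Kanidm rather than only from the provisioning file (see the kanidm-provision hunk). The same applies to the thorite and weilite secrets.yaml hunks. Note also that `lastmodified` moves backwards in every secrets file in this commit (here 2024-12-03 → 2024-12-02, weilite back to September with `version` dropping to 3.9.0), which looks like an older file being restored rather than a fresh edit — any value rotated in between would silently revert.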
@@ -29,8 +24,8 @@ sops: RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T07:38:24Z" - mac: ENC[AES256_GCM,data:KMKdwgu9+3DjG1lrQYQEz/jYWsHUBK6RgHRyRKzWG0jTDg30owRpCgnSnX5gHzygmSYSnVRtcTOWzqm5bI7/KJkXBivaqkLqCh6EHnTj+pnAHmeEOAjoOVLOMSCEYvHMf/EuJIL199Hf2G12LtulDJV7Wi5r5Jy8L9odVlYuM9g=,iv:WTeqWdIztScZnXc2hzI7JHO/4ySgqycOp2eN9EPTQpw=,tag:lTMrE5JVVFCIDehXCxJZoQ==,type:str] + lastmodified: "2024-12-02T05:10:32Z" + mac: ENC[AES256_GCM,data:ZAdFsjVuk1Fiv+DKmHrc1yu1XQpRDmRHaQhu5hduSZUa1W1cXdTlChvIW5vADFg5tVCjuYptuLvCMW+ZSQeqqG2ntHHZ+IkuovZzKFuc+BIiL/jF2ZzbyJ7X4Wj1GziCScHVxx98dgbpFoufHe6N3wCaHmngo1RYsY5N1RRbRdU=,iv:5IMQ0kOX9UAOm8bcsQRyu6zu8GJjvnHFufCNjY0s9UI=,tag:zBEPSR9DZDpwbCaIka8mXA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/machines/biotite/services/gotosocial.nix b/machines/biotite/services/gotosocial.nix index e410a7c..743b3f7 100644 --- a/machines/biotite/services/gotosocial.nix +++ b/machines/biotite/services/gotosocial.nix @@ -27,13 +27,13 @@ oidc-client-id = "gotosocial"; oidc-link-existing = true; }; - setupPostgresqlDB = true; environmentFile = config.sops.templates."gotosocial.env".path; }; services.caddy = { virtualHosts."https://gts.xiny.li".extraConfig = '' - reverse_proxy http://${config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port} { + encode zstd gzip + reverse_proxy * http://${config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port} { flush_interval -1 } ''; diff --git a/machines/biotite/services/restic.nix b/machines/biotite/services/restic.nix deleted file mode 100644 index 2e53c46..0000000 --- a/machines/biotite/services/restic.nix +++ /dev/null 
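Review bot: `setupPostgresqlDB = true` is removed but the hunk shows no change to the database settings, so whether gotosocial now falls back to its default backend or still points at a postgres instance that biotite no longer runs cannot be told from here; a comment on the `environmentFile = …` line naming the intended backend (and where the existing data went) would settle it. On the Caddy side, `encode zstd gzip` now compresses every response of an authenticated application; if any page reflects user-controlled input alongside a session or CSRF token, consider limiting `encode` to static content or excluding those routes. The `*` in `reverse_proxy * http://…` is the default matcher and can be dropped. The enclosing `services.gotosocial` set starts outside the hunk.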
@@ -1,55 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - sqliteBackup = fromPath: toPath: file: '' - mkdir -p ${toPath} - ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'" - ''; -in -{ - sops.secrets = { - "restic/repo_url" = { - sopsFile = ../secrets.yaml; - }; - "restic/repo_password" = { - sopsFile = ../secrets.yaml; - }; - }; - - custom.restic = { - enable = true; - paths = [ - "/backup/db" - "/backup/var/lib" - ]; - backupPrepareCommand = [ - '' - mkdir -p /backup/var - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /var/lib /backup/var/lib - '' - ]; - backupCleanupCommand = [ - '' - ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup/var/lib - '' - ]; - btrfsRoots = [ ]; - }; - - services.postgresqlBackup = { - enable = true; - compression = "zstd"; - compressionLevel = 9; - location = "/backup/db/postgresql"; - }; - - services.restic.backups.${config.networking.hostName} = { - extraBackupArgs = [ - "--limit-upload=1024" - ]; - }; -} diff --git a/machines/biotite/services/synapse.nix b/machines/biotite/services/synapse.nix deleted file mode 100644 index 7d4712b..0000000 --- a/machines/biotite/services/synapse.nix +++ /dev/null 
@@ -1,113 +0,0 @@ -{ config, pkgs, ... }: -let - port-synapse = 6823; -in -{ - sops.secrets."synapse/oidc_client_secret" = { - owner = "matrix-synapse"; - }; - - nixpkgs.config.permittedInsecurePackages = [ - "olm-3.2.16" - ]; - - services.postgresql = { - # Not using ensure here because LC_COLLATE and LC_CTYPE must be provided - # at db creation - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - - services.matrix-synapse = { - enable = true; - settings = { - server_name = "xiny.li"; - public_baseurl = "https://synapse.xiny.li"; - database = { - name = "psycopg2"; - args = { - user = "matrix-synapse"; - }; - }; - listeners = [ - { - bind_addresses = [ - "127.0.0.1" - ]; - port = port-synapse; - resources = [ - { - compress = true; - names = [ - "client" - "federation" - ]; - } - ]; - tls = false; - type = "http"; - x_forwarded = true; - } - ]; - experimental_features = { - # Room summary api - msc3266_enabled = true; - # Removing account data - msc3391_enabled = true; - # Thread notifications - msc3773_enabled = true; - # Remotely toggle push notifications for another client - msc3881_enabled = true; - # Remotely silence local notifications - msc3890_enabled = true; - # Remove legacy mentions - msc4210_enabled = true; - }; - oidc_providers = [ - { - idp_id = "Kanidm"; - idp_name = "auth.xinyang.life"; - issuer = "https://auth.xinyang.life/oauth2/openid/synapse"; - authorization_endpoint = "https://auth.xinyang.life/ui/oauth2"; - token_endpoint = "https://auth.xinyang.life/oauth2/token"; - userinfo_endpoint = "https://auth.xinyang.life/oauth2/openid/synapse/userinfo"; - client_id = "synapse"; - client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path; - scopes = [ - "openid" - "profile" - ]; - allow_existing_users = true; - backchannel_logout_enabled = 
true; - user_mapping_provider.config = { - confirm_localpart = true; - localpart_template = "{{ user.preferred_username }}"; - display_name_template = "{{ user.name }}"; - }; - } - ]; - }; - }; - - services.caddy = { - virtualHosts."https://xiny.li".extraConfig = '' - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `{"m.server":"synapse.xiny.li:443"}` - respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://synapse.xiny.li/"}}` - ''; - virtualHosts."https://synapse.xiny.li".extraConfig = '' - reverse_proxy /_matrix/* 127.0.0.1:${toString port-synapse} - reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse} - ''; - }; - - networking.firewall.allowedTCPPorts = [ - 443 - ]; -} diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index f80351b..27760b5 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -78,7 +78,6 @@ in } ]; - programs.vim.enable = true; programs.vim.defaultEditor = true; # Keep this even if enabled in home manager @@ -308,7 +307,13 @@ in bitwarden # Browser - chromium + (chromium.override { + commandLineArgs = [ + "--ozone-platform-hint=auto" + "--enable-wayland-ime" + ]; + }) + brave # Writting zotero @@ -374,12 +379,15 @@ in # Fonts fonts = { packages = with pkgs; [ - nerd-fonts.ubuntu-sans - nerd-fonts.ubuntu - nerd-fonts.fira-code - nerd-fonts.fira-mono - nerd-fonts.jetbrains-mono - nerd-fonts.roboto-mono + (nerdfonts.override { + fonts = [ + "FiraCode" + "FiraMono" + "JetBrainsMono" + "RobotoMono" + "Ubuntu" + ]; + }) noto-fonts noto-fonts-emoji liberation_ttf diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 1e6927a..8a95a99 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix 
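Review bot: `programs.vim.enable = true;` is removed while `programs.vim.defaultEditor = true;` stays; on a nixpkgs where `programs.vim.enable` exists the vim module is gated on it and `defaultEditor` alone does nothing, so this only works on the older pin the flake.lock hunks move to (the `nerd-fonts.*` → `nerdfonts.override` change in the fonts hunk points the same way). If this rollback is deliberate, a comment such as `# older nixpkgs pin: programs.vim.enable does not exist here` beside `defaultEditor` keeps someone from re-adding it. The `chromium.override` with `commandLineArgs` and the added `brave` are fine as written. The enclosing `environment.systemPackages` and `fonts` expressions start and end outside the hunks.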
@@ -45,9 +45,6 @@ miniflux-users = { members = [ "xin" ]; }; - synapse-users = { - members = [ "xin" ]; - }; idm_people_self_mail_write = { members = [ ]; }; @@ -214,17 +211,6 @@ }; }; }; - synapse = { - displayName = "Synapse"; - originUrl = "https://synapse.xiny.li/_synapse/client/oidc/callback"; - originLanding = "https://synapse.xiny.li/"; - scopeMaps = { - synapse-users = [ - "openid" - "profile" - ]; - }; - }; }; }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 6d94d7e..69456c4 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
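Review bot: Removing the `synapse` OAuth2 client and the `synapse-users` group from the provisioning file only changes what is declared; whether kanidm-provision deletes the now-undeclared client on the server or leaves it registered with its existing secret depends on how the tool is invoked, which is outside this hunk. If the client survives it still has a valid redirect to `https://synapse.xiny.li/_synapse/client/oidc/callback` and a secret whose ciphertext remains in git history, so verify in Kanidm after deploy that the client is gone. The enclosing `groups` and `systems.oauth2` sets start outside the hunks.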
@@ -10,83 +10,74 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SjAzOEozUzh1bzVvaHgr - T2xsVUszTHVSdWIyM3B5TFhtUEFMeVZlYzNrCk5IOWFNbTErbTVkQnNlVllMZWlV - Q2lHZXRIdzBiRFRSZnNUVWd2NXVXVGcKLS0tIERhcjh3VVlqSGxHUHpnc1JzVksv - VXpQVVVCUC9xR3crWm9rTk13LzVhK1EKwiuvwx3ZhcDE+9w7/dR4PrZSSoJMvklT - m7I32dMRk0o9zcl5KYU5L9Hwb+z+EBE34raoGKBF5K4aQcbZQUX3Cw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMHB1bFQ3dWJIU3NiOVVP + Yi9LZE1PTVdMY1BqS1JHV3VPLzZIY0hGK0NZClNlclVXKzBvNTBrTlhiR0VsaVoz + RlVLNVBEVDgzSXB5ZGxDd3hqNDh2V2MKLS0tIEhBZHFUY3c2VXJBVEVKamZ6TzBa + MlFsNnVEV0xCdlJoRnBhUHF2MmswUEUKNYD9zssGBy9SaKeOMvTz71B6KMPW87cM + tFJzgnQceEQF658lVa5cCzG1gzraCgBtQU15XzC7e8zWI9CHquRRlQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R1ZIRlN2b3M2OUQ0T2cw - eE5DTm9KY1NUY1p5eDhLNG4xMDVkVjRyWDNRClp3MTRWeGJMYTczcC9YQTNZdkxx - ejJ3QnhjcUcyUldUNEVqVUh6Z2grd00KLS0tIDVvbDZWbmZPZVhDNHM1K1kzaE95 - aHJqSU16dlJiRGl0VWNMVXVYMmhPb2MKMboq9ShGIJMFVENgLPlQdwdtTOjVb0CC - 4ttM3xWnYkf8416a0OYFrda5l1kfJJzQakbk/tbGcTu1yTcd+6lOtA== - -----END AGE ENCRYPTED FILE----- - - recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVby8wYS9pa0szTlVUS3FI - VWhjaCtyUzNLbkw2VXRlWkVMZlRkeXJMZGlRCnBTWklnZ0Uzd2lTMGt1M2wxZ0px - NFl2RW5hSUZVdHI0aVFRMHJtMFQ3ODAKLS0tIFlYOHVRYVFGbkcvUWRmQitQQnI5 - bG5vemMvcWdpOEtxNGRpS0doQmtuUFkK8Hxl//kOtbEw3jf96ZZ4G1Yb94f4Jeb4 - TfPs7O/ESJY8ovNsoXRQEt99vOR5D1wBzyZBY9E3f2ZzY/uBmup0cw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTTnZLTlZQRzc1enVEa1BN + SHdoSi9oOXk4UTV0SlRZS2tLS2FFL3VjNzNNClVWTTNKekF6T0RTUzdEeWhLbHoz + WFZKaHJEaVBWa04zRWRiVnJZRjU0YVEKLS0tIFJVL0FEemowS3V6MmsxbWJMU2I1 + 
U2NnUnVKdFlRSGVzUFQ4ZFcwL0lWTlkKz1t3yqjgIdMWS/Nsy2nq3oCjOhGDP+UT + L+LAuFExJPV0qlsOG/kCGB/WtCJfnBvcp6vPDBLqjK8NllIX/iPI5g== -----END AGE ENCRYPTED FILE----- - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSmRYMkNIdERJZVBxV1p1 - emlqOTBpN3l2WXkzNjRRcFI5NUZDZnQ1WXdnCkRVbm8xais5aGVCTmtSTGxaTXlT - L2ZWQ0p5WFZNRWl5SWVkRUYwc2R3b1UKLS0tIEZEck4yMmJUQWVvNHRJQnpCQTBo - cDJsaG83MTdXWVd2NUpLczhjWTBBZVUK5BxBIYVqkqVLw9LTbnJ8SQWN2i4USdI8 - 8m/hZFXTJ4GI0f795DEmbcZq9xET14aQqta0wSASqwP/5Ld1mo0a0w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETWpkcjhINktqeGxjdWxz + UTVVNC9kalorcVJOdHpJSkZJNXlGUHZ2VUdrCjRCclBTZnJEZ3JGOVpqS1Y0b0dt + eldFMS91WUc2Y1FnWWZoN0grc01pT0UKLS0tIC96TjlEaVBGRkZhZ0hac2lmbEdI + eHMzTFhsQ0FqY05uUEZSbExCcmdscEkKdxITlc0V5ayq+9fmj77SnEMFxKJhOOta + RfJhOQUv8g3nCN+SsuaOy0TitUCiDWh5XoB0DufEQPcS/kzGZN1Inw== -----END AGE ENCRYPTED FILE----- - recipient: age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSkhjRTdBWklZUEpUanM0 - Wjl4b2c3K0g0ZUxxMlRrUFhhZzhNRXhPVnpvCmpNWVBNTXNYczV3aWhCd05FOGJ0 - YlNobFhWdStGbDRZV2NlUWV6ZFRVNEkKLS0tIGd1RUR4K21GOEQ0aWtqRi9RREpE - RXBXcXFYUDVXVzN4Q25zSklFU21wbFkKQuTHkgFC5HRPO7/PuVhJzbbHOTPaFXvN - +Y31AK3OAVdUETMEuJ2mk50Bi5BiiUeOnnv1bZ6O+iX0o20ysUseTg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydlQ4S1duQU53Wk1nd21K + d2RqM1F0VDFJVXB2aGRTZ2hxczI2V1lndVdrCjArVlE2N0RGZ0htUEZYdVlQMlU5 + SWIwWHVCaWxaQTJMNzg3WC8xRS9IYzgKLS0tIDRvSS8ybVlrSy9zYjQ2NXBaMlZk + Ulg4cUFBejRoS3VEWkRaZEUxMExUeWMKNeq6TN1gaBNU9vAitGttcU+8HmFQipdm + LPwo4/toyf27emb4KGs0AV0Dm4Sxj9S3Xvrv1B+qvhfT638/RIUm2w== -----END AGE ENCRYPTED FILE----- - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc3NOZFRYT1VnaVZSaTRi - 
WnluSEk4d1U5TWx2REZRZ3VCRVp2ZzlKY0NvCjNlUnIwdWVqSnlQOWp1dlJ5THlW - c2xTNHhnaE94a2ZTeXJjQTVxeGRLTmsKLS0tIFV4c2NZK1ZnL2xtUlVvSksxNi9o - L3dodkJXVjZrekVldTVsRFRxSFlrTmMKiokjgIRIsI8D2aFP/Qem4iGzC4yr5lm2 - ZwggC/UfD56ysTEqrVaDnR7f5fSqZLWdstPJn7I/vr5CwKRMbMPYSA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YXpyOXE3MFovWEQvMVRr + TGVST3U0N2dCVDJGT1A3eUtlRis3bFEvTHlFClZHQ2xRWklMMCtER01QNEVHaVYr + MC94V3R4MVdNdUU3eXQ2RGFFVGo4VFEKLS0tIDQ4b2ZuMy9URUswWUZqNHlxandU + OFducVVzdGZGY0tnbFFBZDdjVzVkaUEKN8qAbbrd4pAHRGIN8O64fl7bQ6hx6Isr + Qx0xKeuhJCVXgtE8xc7xmnEhqrcONlflJ/XUnYV9jOkB71zSBJxruA== -----END AGE ENCRYPTED FILE----- - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN0llOTBJU1pNNVFxVWxt - aFdKdStKL1ZlZ0p6WFRQbHpGNnpmdlJXdG1FCkx5eDhZWWJvQ2xSWEJqWnZ6NmNt - Y0MzNDg5QzVSbEZteW1LNlFyRFg5Q0EKLS0tIDBrT0dEZlBoTExYcGRNZjZ5Znpz - cnE4YWRTMmRsTENhOTl5R2dYSzQwazAKvnTvZz842Mg5AVlIoYHI2BG+0/hO5zIv - jRVJri98fgGterXADTPmeoY3p+fFQggTPhs/5s5GSQxd5aiX8vvvrA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzczdPMDdWU1ZtckJRQm5j + UWJub0Yzd3NzOEh4YWdId01nYWI1YVY3dng0ClpEYXBJV2cvWEdjdXcwUFI3Y0NG + MDgvTmNZOXRQQndyVmRHamNRbzVaVU0KLS0tIGFKVTI4TkE2UjhDUSsxQTlNQ0Vk + QmFMNnlqbnhScC90T012K1QxRnRUOHcKAV7NxUn0CMcjKwK8zrocoLO1P9jc22uG + eG+vdJ6xzA99UX51aPxQOeEJgdFPEd3y1QJszQmRzThvid7y4lv0Cw== -----END AGE ENCRYPTED FILE----- - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQWljdGg4VTlDdGhoblpk - LytxK2FnQVI1dzB2bnFaWUtoUVNGS3lpU3prCnRwUTNnZVVXTnZ6eCtScTk5YzI3 - TGM2MmNhaHQ3NXAzMk0rcnJoTlp5STQKLS0tIEp2U3YvUUhXTkt3VFczY3J1LzMv - ZzM0VHpqamRIZVROS2lQdXFhQTNBekEKEySldC+VvZvPY398ZVkB5s73bT3QbuLh - IqTv+wbkbjlvZJUavVyycY5SwMXkSX3ge9W/64mt/RDs88gSXFS+Sw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsVmpzenRvWE5EK2wzRFkx + 
SERZV0s1Rkt0ZnZ1U3JQSFNhdGVvaWhWcTA4CjVxK0Z0MHI0ZnMrUS9YYWhTTG1z + L2lVS1Q2UkVQd2x5b1E1eWpQVGp2ZHMKLS0tIHNLOGhTYjkzWkFEM05wYkRZeXFQ + SXNTSGZZSFE2bFhybXdIc1FUb1ZBd0kKkYzflPRk6GrE6t9oVGOzc8xcyZDxiIw8 + 9SVXIgV0WVpY4lnFKYKH2i4+1sIm6tKOpizlQxTg5VgmmrTtfazWAA== -----END AGE ENCRYPTED FILE----- - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bGppem15NlVod2hCRkM5 - MzY1aUZOdEVzRzdEYTRNakdMQWJlRkk0eEZzClRLSnRrQUoreU5MVG40KzRKSGcw - bUU4ZnpLU0VtOWxXVllrSW5lN0NWb0kKLS0tIE1iemRlVVpieEhxRnlIb2dFUHZr - am04NVRtU2N6SThYZWdXVE5RZ1B2aE0KVcHvB5k2Gcu/St0P8WPFzlCtuZthZTKo - hwVc0lC6Xxt25hriaUFinwnyvcjxrLCx0Nq7f9Zn16nJcza5kev1nQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NHpkOTFHaXRhVGNua0dV + alRieWJ6WG5ZNzlvcTR2aTVUeWFBVGVVUUNZCnY2VUZUOWVlNGY1ZldyVGE2bkpi + VXVtQ3IyK0kyV1cyMU5nN1lYaW1oOUkKLS0tIFRVRGFCNWlGendSVEhHY0w0QTl6 + emJEQkQ3QlU0TFVWaW1uQytaUndmQlEKKahqJpX8vI+PASOzzod/sFvXSkQFnJ9O + YmnmiFxm5WZDPLHwkgVx8FgCq9RfAad4HybhsMjYPKXJ/fNa/WVZRA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-30T06:31:42Z" mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str] diff --git a/machines/thorite/default.nix b/machines/thorite/default.nix index afe2e58..b85bab8 100644 --- a/machines/thorite/default.nix +++ b/machines/thorite/default.nix @@ -2,7 +2,6 @@ imports = [ ./hardware-configurations.nix ./monitoring.nix - ./restic.nix ]; config = { diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index 164776e..bc10492 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix 
@@ -14,19 +14,7 @@ with my-lib; custom.monitoring = { grafana.enable = true; - loki = { - enable = true; - rules = { - sshd_closed = { - condition = ''count_over_time({unit="sshd.service"} |~ "Connection closed by authenticating user" [15m]) > 25''; - description = "More then 25 users have tried logging in the last 15 min without success"; - }; - unusual_log_volume = { - condition = ''sum by (unit) (rate({unit=~".+"}[5m])) > 80''; - description = "Unit {{ $labels.unit }} is logging at an unusually high rate"; - }; - }; - }; + loki.enable = true; promtail.enable = true; }; @@ -42,10 +30,7 @@ with my-lib; blackbox.enable = true; node.enable = true; }; - ruleModules = - (mkCaddyRules [ { host = "thorite"; } ]) - ++ (mkNodeRules [ { host = "thorite"; } ]) - ++ (mkBlackboxRules [ { host = "thorite"; } ]); + ruleModules = (mkCaddyRules [ { host = "thorite"; } ]) ++ (mkNodeRules [ { host = "thorite"; } ]); }; services.prometheus.scrapeConfigs = @@ -54,6 +39,8 @@ with my-lib; "la-00.video.namely.icu:8080" "fre-00.video.namely.icu:8080" "hk-00.video.namely.icu:8080" + "49.13.13.122:443" + "45.142.178.32:22" "home.xinyang.life:8000" ]; passwordFile = config.sops.secrets."prometheus/metrics_password".path; @@ -65,11 +52,6 @@ with my-lib; address = "weilite.coho-tet.ts.net"; port = 8082; } - { - name = "restic_rest_server"; - address = "backup.xinyang.life"; - port = 8443; - } { inherit passwordFile; name = "gotosocial"; @@ -88,12 +70,6 @@ with my-lib; name = "grafana-eu"; address = "grafana.xinyang.life"; } - { - name = "loki"; - scheme = "http"; - address = "thorite.coho-tet.ts.net"; - port = 3100; - } ]) ++ (mkCaddyScrapes [ { address = "thorite.coho-tet.ts.net"; } 
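Review bot: The `loki.rules` block being removed carried the only visible alert on repeated failed SSH logins (`sshd_closed`, more than 25 in 15 min) plus the log-volume anomaly rule, and the second hunk also drops `mkBlackboxRules`, so after this change Loki and the blackbox probes still collect but nothing alerts on them. If alerting moves elsewhere, a comment on `loki.enable = true;` pointing there would help; otherwise keep at least the sshd rule. The same applies to the last hunk of this file, where `49.13.13.122:443` and `45.142.178.32:22` are folded into the shared `probeList` — every prober now probes them, but without rules the results only reach dashboards. The enclosing `custom.monitoring` and `services.prometheus.scrapeConfigs` expressions start and end outside the hunks.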
@@ -109,11 +85,11 @@ with my-lib; ++ (mkBlackboxScrapes [ { hostAddress = "thorite.coho-tet.ts.net"; - targetAddresses = probeList ++ [ "49.13.13.122:22" ]; + targetAddresses = probeList; } { hostAddress = "massicot.coho-tet.ts.net"; - targetAddresses = probeList ++ [ "45.142.178.32:22" ]; + targetAddresses = probeList; } { hostAddress = "weilite.coho-tet.ts.net"; diff --git a/machines/thorite/restic.nix b/machines/thorite/restic.nix deleted file mode 100644 index ef21c66..0000000 --- a/machines/thorite/restic.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - sqliteBackup = fromPath: toPath: file: '' - mkdir -p ${toPath} - ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'" - ''; -in -{ - sops.secrets = { - "restic/repo_url" = { }; - "restic/repo_password" = { }; - }; - - custom.restic = { - enable = true; - paths = [ - "/backup/db" - "/backup/var/lib" - ]; - backupPrepareCommand = [ - '' - mkdir -p /backup/var - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /var/lib /backup/var/lib - '' - ]; - backupCleanupCommand = [ - '' - ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup/var/lib - '' - ]; - btrfsRoots = [ ]; - }; - - services.postgresqlBackup = { - enable = true; - compression = "zstd"; - compressionLevel = 9; - location = "/backup/db/postgresql"; - }; - - services.restic.backups.${config.networking.hostName} = { - extraBackupArgs = [ - "--limit-upload=1024" - ]; - }; -} diff --git a/machines/thorite/secrets.yaml b/machines/thorite/secrets.yaml index c246e2b..60d475f 100644 --- a/machines/thorite/secrets.yaml +++ b/machines/thorite/secrets.yaml 
@@ -1,8 +1,5 @@ grafana: oauth_secret: ENC[AES256_GCM,data:angZR3sl8vGcbAXyKFBvCSm+YhF5OooCcxRiSxR2zBoXMz5wv5/uMJFynwOTRVI6,iv:hVpOlM89lNbK6AsGf4Is/tLv3xPfg/XdtA8vuEK52L8=,tag:zCER+IdRnTcG2WHQ/AhxZA==,type:str] -restic: - repo_url: ENC[AES256_GCM,data:tc7wYRN20sHxATTZYEBpf6tNafzq9vcvqdUHYJDmJIArxprNd6WiyqPXowzbksZcEi5JwSwwJH/MYminnPGtrR8erWZg8OB3,iv:/z7mF58tMAviscFWHd4NJw7UZlq7Bzz+LU88J+kE9qg=,tag:i97FP4SmmNXOuxylkHhYCA==,type:str] - repo_password: ENC[AES256_GCM,data:o3MbXJRwR5UE9uCELN2ejQ==,iv:cYPNjJAV7H2BNCuFLDJoJvPk+CFvagXJwW9LRAGc0G0=,tag:qF6Di2W+8kESCRAphC/c0g==,type:str] sops: kms: [] gcp_kms: [] @@ -27,8 +24,8 @@ sops: M2pqMUJoMGlBZnpBaVBUTFFRZUMzb2sKrlWy26Cv55/8XQEl9hee8P29uj582sIx mUjaYE0U2qOP9bklXUQyyzQjfkBLWTLc1PTX9BjqOOsqXwkRQIYppA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T08:18:54Z" - mac: ENC[AES256_GCM,data:jqSt34avoMfL9g3LmvjrPTzW4xGLgX70CXI8qk4isaLbZ8FkxjVU8QY1ot9GZnFEQWUkReSuGD4gFxi8TjetlNdx0zDPcv6zGJUSfcYpyKDCqGdyL/2x8xnYtI2pWINBZxR/2XxT3cus39FJdXVcz3l7KX4DvYvm8t/D9+r4ef0=,iv:KY/OTbDOOD/bBDTIuIk1ck7wDxLogo2EKeSOfOe4j5o=,tag:B17iF5O32KDZfctubpXCng==,type:str] + lastmodified: "2024-11-28T17:02:03Z" + mac: ENC[AES256_GCM,data:14FOUXuKP+8+sad1UlhBW37fWzmutpyn6d4q2qKtBiOyT5ivHunFHJfHrtX83X2fLDmUfiD42bXf+rYfdtKzVUmQ6vutCUQk+Hal8NElhjcq5Ns5kT4VZRKG7/ya9+eNEEkajtq/7OFEM5KOQKTKjyOBqBq/AdYQ+ni9r45c1sM=,iv:WrdWSfrZrGalZO4WGk3JpgACY7W0odt3vP+pRkMXHfA=,tag:jeRBfR2QYjLBylOLHxU3hQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index d0a93a3..b694f40 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -56,9 +56,6 @@ owner = "immich"; mode = "400"; }; - "restic/localpass" = { - owner = "restic"; - }; }; }; diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index 0394a80..8446f0a 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml 
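Review bot: Dropping the `restic/localpass` declaration (owner `restic`) while weilite/services/restic.nix keeps the REST server and the calcite/massicot prune jobs is only safe if nothing in that file still references `config.sops.secrets."restic/localpass"`; the restic.nix hunk shows too little context to tell, so check `mkPrune` before deploying. A dangling reference would fail at eval time, which is the visible failure; a prune job that still needs that password at run time would not. The enclosing `sops.secrets` set starts outside the hunk.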
@@ -2,8 +2,6 @@ cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71 dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str] immich: oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] -restic: - localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str] sops: kms: [] gcp_kms: [] @@ -28,8 +26,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T05:59:51Z" - mac: ENC[AES256_GCM,data:0dLbfkm7fJvH5Mmct0/qHulg2AtDCeeeOgWMXfeGRUaX3GlLDiLga0zW4uNPDuahVecdh6ofvYfBOxFaGUdBCHk9vq5GzrwrzBNhqObWQ3AqVuq5rjqSxEKoFM4Eb5qoqaOefFzT/9qC94NDETTsHhjiEeIgd4fgSr2dazNiFPE=,iv:Ggw0FHzkrhKh5Uzo3seHGwwHsWW/tTAgAl0iIq9PVk4=,tag:rJvUI5/wsLJ01XyKmkRghw==,type:str] + lastmodified: "2024-09-13T12:02:54Z" + mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.0 diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix index 6f22744..0e1ab58 100644 --- a/machines/weilite/services/media-download.nix +++ b/machines/weilite/services/media-download.nix 
@@ -13,13 +13,6 @@ openFirewall = false; }; - nixpkgs.config.permittedInsecurePackages = [ - "aspnetcore-runtime-6.0.36" - "aspnetcore-runtime-wrapped-6.0.36" - "dotnet-sdk-6.0.428" - "dotnet-sdk-wrapped-6.0.428" - ]; - services.sonarr = { enable = true; }; diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix index f62786e..4858590 100644 --- a/machines/weilite/services/restic.nix +++ b/machines/weilite/services/restic.nix @@ -35,8 +35,6 @@ in services.restic.backups = builtins.listToAttrs [ (mkPrune "xin" "calcite") (mkPrune "xin" "massicot") - (mkPrune "xin" "biotite") - (mkPrune "xin" "thorite") ]; networking.firewall.allowedTCPPorts = [ 8443 ]; diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index b48209e..0c9b95d 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -71,7 +71,7 @@ in services.restic.server.prometheus = true; - # miniflux + # miniflux sops.templates."miniflux_metrics_env" = { content = '' METRICS_COLLECTOR=1 diff --git a/modules/nixos/monitor/loki.nix b/modules/nixos/monitor/loki.nix index c3e0afd..324235f 100644 --- a/modules/nixos/monitor/loki.nix +++ b/modules/nixos/monitor/loki.nix 
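Review bot: Dropping `nixpkgs.config.permittedInsecurePackages` is the right direction, since it allowlisted an end-of-life .NET 6 runtime and SDK, but `services.sonarr` directly below still pulls whatever dotnet the pinned nixpkgs provides; if that package is still marked insecure in the pin used by this commit, evaluation fails, so confirm the host builds. Should the allowlist ever be needed again, keep it next to the consuming service with a comment naming the service and the removal condition, e.g. `# sonarr needs dotnet 6 until <placeholder: nixpkgs rev with sonarr on a supported runtime>`, rather than as a bare list.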
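Review bot: `(mkPrune "xin" "biotite")` is removed although nothing in this diff removes biotite's backup job, so if biotite still pushes to this restic server its repository keeps every snapshot indefinitely and old data (including anything backed up by mistake) is never forgotten or pruned. Removing thorite's entry is consistent with `machines/thorite/restic.nix` being deleted, but biotite's should either stay or be accompanied by the matching backup removal. `mkPrune` is defined above the hunk, so the retention policy it applies is not visible here.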
@@ -1,158 +1,68 @@ { - pkgs, config, lib, - my-lib, ... }: let inherit (lib) - mkOption mkEnableOption mkIf mkMerge - types - literalExpression - ; - inherit (my-lib.settings) - alertmanagerPort ; cfg = config.custom.monitoring; - lokiPort = 3100; + port-loki = 3100; in { options = { custom.monitoring = { - loki = { - enable = mkEnableOption "loki"; - rules = mkOption { - type = types.attrsOf ( - types.submodule { - options = { - condition = mkOption { - type = types.str; - description = '' - Loki alert expression. - ''; - example = ''count_over_time({job=~"secure"} |="sshd[" |~": Failed|: Invalid|: Connection closed by authenticating user" | __error__="" [15m]) > 15''; - default = null; - }; - description = mkOption { - type = types.str; - description = '' - Loki alert message. - ''; - example = "Prometheus encountered value {{ $value }} with {{ $labels }}"; - default = null; - }; - labels = mkOption { - type = types.nullOr (types.attrsOf types.str); - description = '' - Additional alert labels. - ''; - example = literalExpression '' - { severity = "page" }; - ''; - default = { }; - }; - time = mkOption { - type = types.str; - description = '' - Time until the alert is fired. - ''; - example = "5m"; - default = "2m"; - }; - }; - } - ); - description = '' - Defines the loki rules. 
- ''; - default = { }; - }; - }; + loki.enable = mkEnableOption "loki"; promtail.enable = mkEnableOption "promtail"; }; }; config = mkMerge [ - ( - let - rulerConfig = { - groups = [ + (mkIf cfg.loki.enable { + services.loki = { + enable = true; + configuration = { + auth_enabled = false; + server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; + server.http_listen_port = port-loki; + + common = { + ring = { + instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; + kvstore.store = "inmemory"; + }; + replication_factor = 1; + path_prefix = "/var/lib/loki"; + }; + + schema_config.configs = [ { - name = "alerting-rules"; - rules = lib.mapAttrsToList (name: opts: { - alert = name; - inherit (opts) condition labels; - for = opts.time; - annotations.description = opts.description; - }) cfg.loki.rules; + from = "2024-12-01"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; } ]; - }; - rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig); - in - mkIf cfg.loki.enable { - services.loki = { - enable = true; - configuration = { - auth_enabled = false; - server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; - server.http_listen_port = lokiPort; - common = { - ring = { - instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; - kvstore.store = "inmemory"; - }; - replication_factor = 1; - path_prefix = "/var/lib/loki"; - }; + storage_config = { + filesystem.directory = "/var/lib/loki/chunks"; + }; - schema_config.configs = [ - { - from = "2024-12-01"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - - storage_config = { - filesystem.directory = "/var/lib/loki/chunks"; - }; - - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - allow_structured_metadata = false; - }; - - ruler = { - 
storage = { - type = "local"; - local.directory = "${config.services.loki.dataDir}/ruler"; - }; - rule_path = "${config.services.loki.dataDir}/rules"; - alertmanager_url = "http://127.0.0.1:${toString alertmanagerPort}"; - }; + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + allow_structured_metadata = false; }; }; - systemd.tmpfiles.rules = [ - "d /var/lib/loki 0700 loki loki - -" - "d /var/lib/loki/ruler 0700 loki loki - -" - "d /var/lib/loki/rules 0700 loki loki - -" - "L /var/lib/loki/ruler/ruler.yml - - - - ${rulerFile}" - ]; - systemd.services.loki.reloadTriggers = [ rulerFile ]; - } - ) + }; + }) (mkIf cfg.promtail.enable { services.promtail = { enable = true; @@ -168,7 +78,7 @@ in clients = [ { - url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push"; + url = "http://thorite.coho-tet.ts.net:${toString port-loki}/loki/api/v1/push"; } ]; diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix index f07bdfb..bef9c44 100644 --- a/modules/nixos/restic.nix +++ b/modules/nixos/restic.nix @@ -39,7 +39,7 @@ let echo "Creating snapshot for ${rootDir}" subvolumes=$(${pkgs.btrfs-progs}/bin/btrfs subvolume list -o "${rootDir}" | ${awk} '{print $NF}') mkdir -p "${backupDir}" - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r "${rootDir}" "${backupDir}/rootDirectory" + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r "${rootDir}" "${backupDir}/rootfs" for subvol in $subvolumes; do ${continueIfInExclude} [[ /"$subvol" == "${backupDir}"* ]] && continue diff --git a/overlays/my-lib/default.nix b/overlays/my-lib/default.nix index c684e36..8d07bc1 100644 --- a/overlays/my-lib/default.nix +++ b/overlays/my-lib/default.nix 
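Review bot: On the new side Loki binds its HTTP API to the tailnet address with `auth_enabled = false`, so any peer the tailnet ACL lets reach port 3100 can push and query logs without credentials, and nothing in the configuration records that assumption. Add a comment next to it, e.g. `# auth_enabled = false: Loki does no authentication itself; access control is the tailnet ACL for the ts.net address bound above`, and for the same reason keep the promtail push URL in the following hunk (plain `http://` to `port-loki`) on the tailnet only. The hunk also drops the `systemd.tmpfiles.rules` entries that created `/var/lib/loki` as `0700 loki loki`; whether the NixOS loki module creates `path_prefix` with equally restrictive permissions should be confirmed, since that directory now holds all chunks and index data with no mode declared here.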
@@ -1,11 +1,3 @@ { - mkSystemdDebug = - { lib, pkgs }: - { - ExecStart = lib.mkForce "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d"; - ExecStop = lib.mkForce "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session"; - Type = "forking"; - }; } // (import ./prometheus.nix) -// (import ./settings.nix) diff --git a/overlays/my-lib/prometheus.nix b/overlays/my-lib/prometheus.nix index 5143c71..da43f77 100644 --- a/overlays/my-lib/prometheus.nix +++ b/overlays/my-lib/prometheus.nix @@ -109,9 +109,21 @@ in }; } { - alert = "NetworkTrafficExceedLimit"; - expr = ''sum by(instance) (increase(node_network_transmit_bytes_total{device!="lo", device!~"tailscale.*", device!~"wg.*", device!~"br.*"}[30d])) > 322122547200''; + alert = "HighTransmitTraffic"; + expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; for = "1m"; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; + description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; + }; + } + { + alert = "NetworkTrafficExceedLimit"; + expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; + for = "0m"; labels = { severity = "critical"; }; 
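Review bot: The rewritten `NetworkTrafficExceedLimit` expression drops `sum by(instance)`, so the 300 GB threshold is now evaluated per interface rather than per host, while its summary (in the following hunk) still describes the host's outbound traffic; a host with several external interfaces can exceed 300 GB in total without firing, and one that does fire alerts once per device. The new `HighTransmitTraffic` alert filters only `device!="lo"`, unlike its sibling, which excludes tailscale, wg and bridge devices, so tunnel traffic that already appears on the physical interface is likely counted twice. Restoring the aggregation, `expr = ''sum by(instance) (increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d])) > 322122547200'';`, and applying the same device filter to `HighTransmitTraffic` would make the two consistent.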
@@ -119,66 +131,6 @@ in summary = "Outbound network traffic exceed 300GB for last 30 day"; }; } - { - alert = "HighDiskUsage"; - expr = ''(1 - node_filesystem_free_bytes{fstype!~"vfat|ramfs"} / node_filesystem_size_bytes) * 100 > 85''; - for = "5m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High disk usage on {{ $labels.instance }}"; - }; - } - { - alert = "DiskWillFull"; - expr = ''predict_linear(node_filesystem_free_bytes{fstype!~"vfat|ramfs"}[1h], 12 * 3600) < (node_filesystem_size_bytes * 0.05)''; - - for = "3m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Disk usage will exceed 95% in 12 hours on {{ $labels.instance }}"; - description = "Disk {{ $labels.mountpoint }} is predicted to exceed 92% usage within 12 hours at current growth rate"; - }; - } - { - alert = "HighSwapUsage"; - expr = ''(1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes)) * 100 > 80''; - for = "5m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High swap usage on {{ $labels.instance }}"; - description = "Swap usage is above 80% for 5 minutes\n Current value: {{ $value }}%"; - }; - } - { - alert = "OOMKillDetected"; - expr = ''increase(node_vmstat_oom_kill[5m]) > 0''; - for = "1m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "OOM kill detected on {{ $labels.instance }}"; - description = "Out of memory killer was triggered in the last 5 minutes"; - }; - } - { - alert = "HighMemoryUsage"; - expr = ''(1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100 > 90''; - for = "5m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High memory usage on {{ $labels.instance }}"; - description = "Memory usage is above 90% for 5 minutes\n Current value: {{ $value }}%"; - }; - } ]; } ); @@ -200,9 +152,6 @@ in static_configs = [ { targets = targetAddresses; - labels = { - from = hostAddress; - }; } ]; relabel_configs = [ 
@@ -238,25 +187,23 @@ in severity = "warning"; }; annotations = { - summary = "High request latency from {{ $labels.from }} to {{ $labels.instance }}"; - description = "Request latency is above 0.5 seconds for the last 2 minutes."; + summary = "High request latency on {{ $labels.instance }}"; + description = "Request latency is above 0.5 seconds for the last 3 minutes."; }; } { alert = "VeryHighProbeLatency"; - expr = "probe_duration_seconds > 2"; + expr = "probe_duration_seconds > 1"; for = "3m"; labels = { severity = "critical"; }; annotations = { - summary = "Very high request latency from {{ $labels.from }} to {{ $labels.instance }}"; - description = "Request latency is above 2 seconds for the last 2 minutes."; + summary = "High request latency on {{ $labels.instance }}"; + description = "Request latency is above 0.5 seconds for the last 3 minutes."; }; } ]; } ); - - # mkResticScrapes = mkFunction () ; } diff --git a/overlays/my-lib/settings.nix b/overlays/my-lib/settings.nix deleted file mode 100644 index b0cc0eb..0000000 --- a/overlays/my-lib/settings.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - settings = { - alertmanagerPort = 9093; - }; -}
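Review bot: `VeryHighProbeLatency`'s new annotations are a copy of the warning alert's: the summary reads "High request latency" and the description says "above 0.5 seconds", while the expression fires at `probe_duration_seconds > 1`, so the critical page will misstate the condition. Use `summary = "Very high request latency on {{ $labels.instance }}";` and `description = "Request latency is above 1 second for the last 3 minutes.";`. The first alert's description also claims 0.5 seconds over 3 minutes, but its `expr` and `for` sit above the hunk, so that pairing should be checked as well.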