diff --git a/config/modules/nixos/monitoring.nix b/config/modules/nixos/monitoring.nix index 61d82971..57d9acb6 100644 --- a/config/modules/nixos/monitoring.nix +++ b/config/modules/nixos/monitoring.nix @@ -4,12 +4,13 @@ let cfg = config.kw.monitoring; prom_configs = (mapAttrs (hostName: host: host.services.prometheus.exporters.node) - (filterAttrs - (_: host: host.services.prometheus.exporters.node.enable) - meta.network.nodes)); - nd_configs = (mapAttrs (hostName: host: host.services.netdata) + (filterAttrs + (_: host: host.services.prometheus.exporters.node.enable) + meta.network.nodes)); + nd_configs = (mapAttrs (hostName: host: host.services.netdata) (filterAttrs (_: host: host.services.netdata.enable) meta.network.nodes)); -in { +in +{ options.kw.monitoring = { server = { enable = mkEnableOption "Monitoring Stack Server"; @@ -90,9 +91,9 @@ in { (mkIf cfg.server.enable { kw.secrets = [ "grafana-admin-pass" - ]; + ]; - secrets.files.grafana-admin-pass = { + secrets.files.grafana-admin-pass = { text = "${tf.variables.grafana-admin-pass.ref}"; owner = "grafana"; group = "grafana"; 
@@ -101,42 +102,42 @@ in {
 services.grafana.security.adminPasswordFile = config.secrets.files.grafana-admin-pass.path;
- services.postgresql = {
- ensureDatabases = [ "grafana" ];
- ensureUsers = [{
- name = "grafana";
- ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
- }];
- };
+ services.postgresql = {
+ ensureDatabases = [ "grafana" ];
+ ensureUsers = [{
+ name = "grafana";
+ ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
+ }];
+ };
- services.grafana = {
- enable = true;
- port = 3001;
- domain = "graph.${config.network.dns.domain}";
- rootUrl = "https://graph.${config.network.dns.domain}/";
- database = {
- type = "postgres";
- host = "/run/postgresql/";
- user = "grafana";
- name = "grafana";
- };
+ services.grafana = {
+ enable = true;
+ port = 3001;
+ domain = "graph.${config.network.dns.domain}";
+ rootUrl = "https://graph.${config.network.dns.domain}/";
+ database = {
+ type = "postgres";
+ host = "/run/postgresql/";
+ user = "grafana";
+ name = "grafana";
 };
+ };
- services.nginx.virtualHosts."graph.${config.network.dns.domain}" = {
- enableACME = true;
- forceSSL = true;
- locations = { "/".proxyPass = "http://127.0.0.1:3001"; };
- };
+ services.nginx.virtualHosts."graph.${config.network.dns.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = { "/".proxyPass = "http://127.0.0.1:3001"; };
+ };
- deploy.tf.dns.records.services_grafana = {
- tld = config.network.dns.tld;
- domain = "graph";
- cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
- };
+ deploy.tf.dns.records.services_grafana = {
+ tld = config.network.dns.tld;
+ domain = "graph";
+ cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
+ };
- services.prometheus = {
- enable = true;
- scrapeConfigs = mapAttrsToList
+ services.prometheus = {
+ enable = true;
+ scrapeConfigs = mapAttrsToList
 (hostName: prom: {
 job_name = "${hostName}-nd";
 metrics_path = "/api/v1/allmetrics";
@@ -152,69 +153,71 @@ in { }; }) prom_configs; - }; - }) - (mkIf cfg.client.enable { - network.firewall.private.tcp.ports = [ 9002 19999 ]; + }; + }) + (mkIf cfg.client.enable { + network.firewall.private.tcp.ports = [ 9002 19999 ]; - services.netdata.enable = true; + services.netdata.enable = true; - services.nginx.virtualHosts = kw.virtualHostGen { - networkFilter = singleton "yggdrasil"; - block = { - locations."/netdata" = { - proxyPass = "http://[::1]:19999/"; - }; + services.nginx.virtualHosts = kw.virtualHostGen { + networkFilter = singleton "yggdrasil"; + block = { + locations."/netdata" = { + proxyPass = "http://[::1]:19999/"; }; }; + }; - systemd.services.promtail = { - enable = any id (attrValues (mapAttrs (node: conf: conf.kw.monitoring.server.loki ) meta.network.nodes)); - description = "Promtail service for Loki"; - wantedBy = [ "multi-user.target" ]; - wants = [ "yggdrassil.service" ]; + systemd.services.promtail = { + enable = any id (attrValues (mapAttrs (node: conf: conf.kw.monitoring.server.loki) meta.network.nodes)); + description = "Promtail service for Loki"; + wantedBy = [ "multi-user.target" ]; + wants = [ "yggdrassil.service" ]; - serviceConfig = mkIf (any id (attrValues (mapAttrs (node: conf: conf.kw.monitoring.server.loki ) meta.network.nodes))) { - ExecStart = let + serviceConfig = mkIf (any id (attrValues (mapAttrs (node: conf: conf.kw.monitoring.server.loki) meta.network.nodes))) { + ExecStart = + let serverNode = head (attrNames (filterAttrs (node: enabled: enabled == true) (mapAttrs (node: conf: conf.kw.monitoring.server.loki) meta.network.nodes))); promtailConfig = pkgs.writeText "prom-config.json" (builtins.toJSON { clients = [{ url = "http://${serverNode}${cfg.server.domainPrefix}:3100/loki/api/v1/push"; }]; - positions = { filename = "/tmp/positions.yaml"; }; - scrape_configs = [{ - job_name = "journal"; - journal = { - labels = { - host = config.networking.hostName; - job = "systemd-journal"; - }; - max_age = "12h"; + positions 
= { filename = "/tmp/positions.yaml"; }; + scrape_configs = [{ + job_name = "journal"; + journal = { + labels = { + host = config.networking.hostName; + job = "systemd-journal"; }; - relabel_configs = [{ - source_labels = [ "__journal__systemd_unit" ]; - target_label = "unit"; - }]; - }]; - server = { - grpc_listen_port = 0; - http_listen_port = 28183; + max_age = "12h"; }; - }); - in '' + relabel_configs = [{ + source_labels = [ "__journal__systemd_unit" ]; + target_label = "unit"; + }]; + }]; + server = { + grpc_listen_port = 0; + http_listen_port = 28183; + }; + }); + in + '' ${pkgs.grafana-loki}/bin/promtail --config.file ${promtailConfig} ''; - }; }; + }; - services.prometheus = { - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9002; - }; + services.prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; }; }; - }) - ]; - } + }; + }) + ]; +} diff --git a/config/services/znc/default.nix b/config/services/znc/default.nix index 99e0564d..33210c12 100644 --- a/config/services/znc/default.nix +++ b/config/services/znc/default.nix @@ -4,15 +4,15 @@ with lib; let sortedAttrs = set: sort - (l: r: - if l == "extraConfig" then false # Always put extraConfig last - else if isAttrs set.${l} == isAttrs set.${r} then l < r - else isAttrs set.${r} # Attrsets should be last, makes for a nice config + (l: r: + if l == "extraConfig" then false # Always put extraConfig last + else if isAttrs set.${l} == isAttrs set.${r} then l < r + else isAttrs set.${r} # Attrsets should be last, makes for a nice config # This last case occurs when any side (but not both) is an attrset # The order of these is correct when the attrset is on the right # which we're just returning - ) - (attrNames set); + ) + (attrNames set); # Specifies an attrset that encodes the value according to its type encode = name: value: { 
@@ -34,19 +34,20 @@ let # Qux=qux # set = concatMap - (subname: optionals (value.${subname} != null) ([ - "<${name} ${subname}>" - ] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [ - "" - ])) - (filter (v: v != null) (attrNames value)); + (subname: optionals (value.${subname} != null) ([ + "<${name} ${subname}>" + ] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [ + "" + ])) + (filter (v: v != null) (attrNames value)); }.${builtins.typeOf value}; # One level "above" encode, acts upon a set and uses encode on each name,value pair toLines = set: concatMap (name: encode name set.${name}) (sortedAttrs set); -in { +in +{ network.firewall.public.tcp.ports = singleton 5001; kw.secrets = [ "znc-softnet-address" "znc-espernet-pass" "znc-liberachat-pass" "znc-savebuff-pass" "znc-espernet-cert" "znc-liberachat-cert" "znc-softnet-cert" ]; 
@@ -72,20 +73,20 @@ in {
 system.activationScripts = {
 softnet-cert-deploy = {
 text = ''
- mkdir -p /var/lib/znc/users/kat/networks/softnet/moddata/cert
- ln -fs ${config.secrets.files.softnet-cert.path} /var/lib/znc/users/kat/networks/softnet/moddata/cert/user.pem
+ mkdir -p /var/lib/znc/users/kat/networks/softnet/moddata/cert
+ ln -fs ${config.secrets.files.softnet-cert.path} /var/lib/znc/users/kat/networks/softnet/moddata/cert/user.pem
 '';
 };
 esperrnet-cert-deploy = {
 text = ''
- mkdir -p /var/lib/znc/users/kat/networks/espernet/moddata/cert
- ln -fs ${config.secrets.files.espernet-cert.path} /var/lib/znc/users/kat/networks/espernet/moddata/cert/user.pem
+ mkdir -p /var/lib/znc/users/kat/networks/espernet/moddata/cert
+ ln -fs ${config.secrets.files.espernet-cert.path} /var/lib/znc/users/kat/networks/espernet/moddata/cert/user.pem
 '';
 };
 liberachat-cert-deploy = {
 text = ''
- mkdir -p /var/lib/znc/users/kat/networks/liberachat/moddata/cert
- ln -fs ${config.secrets.files.liberachat-cert.path} /var/lib/znc/users/kat/networks/liberachat/moddata/cert/user.pem
+ mkdir -p /var/lib/znc/users/kat/networks/liberachat/moddata/cert
+ ln -fs ${config.secrets.files.liberachat-cert.path} /var/lib/znc/users/kat/networks/liberachat/moddata/cert/user.pem
 '';
 };
 };
diff --git a/config/users/kat/personal/weechat.nix b/config/users/kat/personal/weechat.nix
index e634e5cf..eaee2353 100644
--- a/config/users/kat/personal/weechat.nix
+++ b/config/users/kat/personal/weechat.nix
@@ -1,32 +1,36 @@ { config, nixos, pkgs, lib, ... }: { - home.file = lib.mkIf config.deploy.profile.trusted (let - bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.repoSecrets.bitw.source} "$@"''; - in { ".local/share/weechat/sec.conf".text = '' - # - # weechat -- sec.conf - # - # WARNING: It is NOT recommended to edit this file by hand, - # especially if WeeChat is running. - # - # Use /set or similar command to change settings in WeeChat. - # - # For more info, see: https://weechat.org/doc/quickstart - # + home.file = lib.mkIf config.deploy.profile.trusted ( + let + bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.repoSecrets.bitw.source} "$@"''; + in + { + ".local/share/weechat/sec.conf".text = '' + # + # weechat -- sec.conf + # + # WARNING: It is NOT recommended to edit this file by hand, + # especially if WeeChat is running. + # + # Use /set or similar command to change settings in WeeChat. + # + # For more info, see: https://weechat.org/doc/quickstart + # - [crypt] - cipher = aes256 - hash_algo = sha512 - passphrase_command = "${bitw}/bin/bitw get comms/weechat" - salt = on + [crypt] + cipher = aes256 + hash_algo = sha512 + passphrase_command = "${bitw}/bin/bitw get comms/weechat" + salt = on - [data] - __passphrase__ = on - znc = "552E98A5111B986C1003CF86C67DF2AF4B3FDE88E5762FC01EB4A00E31B8363ABFCBBE7A702CB72C298F61D4005D1C5AABB30602BBFCE9E4013CBE88D3D3DB66B18C551743D7816C4F0C9DA44B83DB5807BBB02A48B66D" - matrix = "CC989DF79CDAECC1CE32F10FA9B42B6AE9FA63B41C0B3FCCCD4A309AB798CDEE695E0B4A2E0C975C6364927C76D4FEB25BC84C7AF8989DC418A205A5D62E9330E142E4F11AB59E0720867915DEEFCA70E80102C639D35B" - ''; - }); + [data] + __passphrase__ = on + znc = "552E98A5111B986C1003CF86C67DF2AF4B3FDE88E5762FC01EB4A00E31B8363ABFCBBE7A702CB72C298F61D4005D1C5AABB30602BBFCE9E4013CBE88D3D3DB66B18C551743D7816C4F0C9DA44B83DB5807BBB02A48B66D" + matrix = 
"CC989DF79CDAECC1CE32F10FA9B42B6AE9FA63B41C0B3FCCCD4A309AB798CDEE695E0B4A2E0C975C6364927C76D4FEB25BC84C7AF8989DC418A205A5D62E9330E142E4F11AB59E0720867915DEEFCA70E80102C639D35B" + ''; + } + ); programs.weechat = { enable = true;