flake/configs/server.nix

{
  config,
  _utils,
  ...
}: let
  secrets = _utils.setupSharedSecrets config {
    secrets = ["vmAuthToken"];
  };
in {
  imports = [
    ./common.nix
    secrets.generate
  ];

  _module.args.nixinate = {
    host = config.networking.hostName;
    sshUser = "leo";
    buildOn = "remote";
    substituteOnTarget = true;
    hermetic = false; # hermetic fucks up for cross-system deployments
  };

  services = {
    tailscale.extraUpFlags = ["--advertise-exit-node"];

    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        X11Forwarding = false;
      };
    };

    prometheus.exporters.node = {
      enable = true;
      port = 9091;
      enabledCollectors = ["systemd"];
    };

    vmagent = {
      enable = true;
      remoteWrite.url = "https://metrics.uku3lig.net/api/v1/write";
      extraArgs = ["-remoteWrite.bearerToken $VM_AUTH_TOKEN"];
      prometheusConfig = {
        global.scrape_interval = "15s";

        scrape_configs = [
          {
            job_name = "node";
            static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.node.port}"];}];
            relabel_configs = [
              {
                target_label = "instance";
                replacement = config.networking.hostName;
              }
            ];
          }
        ];
      };
    };
  };

  systemd.services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
}
feat(server): add remote host metrics 2024-07-30 12:07:43 +02:00			`{`
			`config,`
			`_utils,`
			`...`
			`}: let`
			`secrets = _utils.setupSharedSecrets config {`
			`secrets = ["vmAuthToken"];`
			`};`
			`in {`
			`imports = [`
			`./common.nix`
			`secrets.generate`
			`];`
chore: refactor systems 2024-06-26 19:30:41 +02:00
chore: replace deploy-rs with nixinate 2024-06-23 22:48:22 +02:00			`_module.args.nixinate = {`
			`host = config.networking.hostName;`
fix: do not deploy as root 2024-07-25 13:37:51 +02:00			`sshUser = "leo";`
chore: replace deploy-rs with nixinate 2024-06-23 22:48:22 +02:00			`buildOn = "remote";`
			`substituteOnTarget = true;`
feat: add vesuvio 2024-03-24 14:02:03 +01:00			`hermetic = false; # hermetic fucks up for cross-system deployments`
chore: replace deploy-rs with nixinate 2024-06-23 22:48:22 +02:00			`};`

feat: harden openssh server 2024-06-20 16:49:12 +02:00			`services = {`
			`tailscale.extraUpFlags = ["--advertise-exit-node"];`

			`openssh = {`
			`enable = true;`
			`settings = {`
			`PermitRootLogin = "no";`
			`PasswordAuthentication = false;`
			`KbdInteractiveAuthentication = false;`
			`X11Forwarding = false;`
			`};`
			`};`
feat(etna): replace prometheus with victoriametrics 2024-07-29 22:55:37 +02:00
			`prometheus.exporters.node = {`
			`enable = true;`
			`port = 9091;`
			`enabledCollectors = ["systemd"];`
			`};`
feat(server): add remote host metrics 2024-07-30 12:07:43 +02:00
			`vmagent = {`
			`enable = true;`
			`remoteWrite.url = "https://metrics.uku3lig.net/api/v1/write";`
			`extraArgs = ["-remoteWrite.bearerToken $VM_AUTH_TOKEN"];`
			`prometheusConfig = {`
			`global.scrape_interval = "15s";`

			`scrape_configs = [`
			`{`
			`job_name = "node";`
			`static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.node.port}"];}];`
			`relabel_configs = [`
			`{`
			`target_label = "instance";`
			`replacement = config.networking.hostName;`
			`}`
			`];`
			`}`
			`];`
			`};`
			`};`
feat: harden openssh server 2024-06-20 16:49:12 +02:00			`};`
feat(server): add remote host metrics 2024-07-30 12:07:43 +02:00
			`systemd.services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";`
feat: rearrange configs 2024-05-12 13:33:15 +02:00			`}`