diff --git a/systems/etna/immich.nix b/systems/etna/immich.nix
index f355dd6..65b520b 100644
--- a/systems/etna/immich.nix
+++ b/systems/etna/immich.nix
@@ -1,3 +1,4 @@
+{ ... }:
 {
 services.immich = {
 enable = true;
diff --git a/systems/etna/metrics.nix b/systems/etna/metrics.nix
index a79c11a..186747b 100644
--- a/systems/etna/metrics.nix
+++ b/systems/etna/metrics.nix
@@ -24,53 +24,51 @@ in
 };
 };
- services = {
- grafana = {
- enable = true;
- settings = {
- server = {
- http_port = 2432;
- root_url = "https://grafana.uku3lig.net";
- };
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_port = 2432;
+ root_url = "https://grafana.uku3lig.net";
 };
 };
+ };
- victoriametrics = {
- enable = true;
- listenAddress = "127.0.0.1:9090";
- retentionPeriod = "5y";
- };
+ services.victoriametrics = {
+ enable = true;
+ listenAddress = "127.0.0.1:9090";
+ retentionPeriod = "5y";
+ };
- vmagent = {
- enable = true;
- prometheusConfig = {
- global.scrape_interval = "15s";
+ services.vmagent = {
+ enable = true;
+ prometheusConfig = {
+ global.scrape_interval = "15s";
- # node scraping is sent to vm directly via vmauth
- scrape_configs = [
- {
- job_name = "victoriametrics";
- static_configs = [ { targets = [ "${builtins.toString vmcfg.listenAddress}" ]; } ];
- }
-
- {
- job_name = "api-rs";
- static_configs = [ { targets = [ "localhost:5001" ]; } ];
- }
- ];
- };
- };
-
- vmauth = {
- enable = true;
- listenAddress = "127.0.0.1:9089";
- environmentFile = vmauthEnv.path;
- authConfig.users = [
+ # node scraping is sent to vm directly via vmauth
+ scrape_configs = [
 {
- bearer_token = "%{VM_AUTH_TOKEN}";
- url_prefix = "http://${vmcfg.listenAddress}";
+ job_name = "victoriametrics";
+ static_configs = [ { targets = [ "${builtins.toString vmcfg.listenAddress}" ]; } ];
+ }
+
+ {
+ job_name = "api-rs";
+ static_configs = [ { targets = [ "localhost:5001" ]; } ];
 }
 ];
 };
 };
+
+ services.vmauth = {
+ enable = true;
+ listenAddress = "127.0.0.1:9089";
+ environmentFile = vmauthEnv.path;
+ authConfig.users = [
+ {
+ bearer_token = "%{VM_AUTH_TOKEN}";
+ url_prefix = "http://${vmcfg.listenAddress}";
+ }
+ ];
+ };
 }
diff --git a/systems/fuji-wsl/default.nix b/systems/fuji-wsl/default.nix
index f2caa0c..566f739 100644
--- a/systems/fuji-wsl/default.nix
+++ b/systems/fuji-wsl/default.nix
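Review bot: The re-added `services.vmauth` user maps its single bearer token to a bare `url_prefix = "http://${vmcfg.listenAddress}"` with no path restriction, so whoever holds `VM_AUTH_TOKEN` can reach every VictoriaMetrics endpoint (query, import, and the `/api/v1/admin/tsdb/*` APIs), not just the ingest path that the `# node scraping is sent to vm directly via vmauth` comment implies; whether the admin endpoints need a further key depends on VictoriaMetrics flags this file does not show. If the nodes only push data, a `url_map` with `src_paths` narrows the token to the write endpoints, as below, with the path list adjusted to what the nodes actually send. Separately, `"${builtins.toString vmcfg.listenAddress}"` in the `victoriametrics` job wraps a value that is already a string if `vmcfg` is `config.services.victoriametrics` (its `listenAddress` is set to `"127.0.0.1:9090"` a few lines up), so plain `vmcfg.listenAddress` in the target list is enough and matches the `"localhost:5001"` entry next to it.
```nix
authConfig.users = [
  {
    bearer_token = "%{VM_AUTH_TOKEN}";
    url_map = [
      {
        src_paths = [ "/api/v1/write" "/api/v1/import/prometheus" ];
        url_prefix = "http://${vmcfg.listenAddress}";
      }
    ];
  }
];
```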
@@ -43,7 +43,7 @@
 replacements = [
 {
 oldDependency = pkgs.ffmpeg-full;
- newDependency = pkgs.ffmpeg-full.override { withUnfree = true; };
+ newDependency = (pkgs.ffmpeg-full.override { withUnfree = true; });
 }
 ];
 };
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index 46a7b3d..04c43a0 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -1,17 +1,60 @@
-{ pkgs, ... }:
 {
- imports = [
- ./frp.nix
- ./hetzner.nix
- ];
+ pkgs,
+ config,
+ _utils,
+ ...
+}:
+let
+ secrets = _utils.setupSharedSecrets config { secrets = [ "frpToken" ]; };
+in
+{
+ imports = [ secrets.generate ];
+
+ zramSwap.enable = true;
 environment.systemPackages = with pkgs; [
 dig
 traceroute
 ];
- services.openssh = {
- ports = [ 4269 ];
- openFirewall = true;
+ services = {
+ openssh.ports = [ 4269 ];
+
+ # Needed by the Hetzner Cloud password reset feature.
+ qemuGuest.enable = true;
+
+ resolved = {
+ dnssec = "allow-downgrade";
+ dnsovertls = "false";
+ };
+
+ frp = {
+ enable = true;
+ role = "server";
+ settings = {
+ bindPort = 7000;
+ auth = {
+ method = "token";
+ token = "{{ .Envs.FRP_TOKEN }}";
+ };
+ };
+ };
+ };
+
+ systemd.services = {
+ frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
+
+ # https://discourse.nixos.org/t/qemu-guest-agent-on-hetzner-cloud-doesnt-work/8864/2
+ qemu-guest-agent.path = [ pkgs.shadow ];
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 22 ]; # forgejo-ssh
+ allowedTCPPortRanges = [
+ {
+ from = 6000;
+ to = 7000;
+ }
+ ];
 };
 }
diff --git a/systems/vesuvio/frp.nix b/systems/vesuvio/frp.nix
deleted file mode 100644
index a437ee5..0000000
--- a/systems/vesuvio/frp.nix
+++ /dev/null
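Review bot: The `resolved` block moved in from hetzner.nix lost the `# Hetzner DNS does not work with DoT` comment that explained it, so `dnssec = "allow-downgrade"` and `dnsovertls = "false"` in vesuvio/default.nix now read as an unexplained weakening of DNS security; restore it above `resolved = {` as `# Hetzner DNS does not work with DoT, so DNS-over-TLS stays off and DNSSEC may downgrade.` The move also drops `openFirewall = true` from `services.openssh`, presumably relying on the option's default of true; since sshd is on the non-standard port 4269, a short `# openFirewall defaults to true, so 4269 is opened` on `openssh.ports = [ 4269 ];` would spare the next reader the lookup. Finally, `frp` binds port 7000 behind token auth and the firewall opens 6000-7000 for forwarded ports, yet nothing in the hunk limits which `remotePort` an authenticated (or token-holding) client may ask frps to listen on; if that range is the intent, `settings.allowPorts = [ { start = 6000; end = 7000; } ];` (frps v1 schema, which the `{{ .Envs.FRP_TOKEN }}` template suggests is in use) enforces it on the frps side rather than only at the firewall.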
@@ -1,31 +0,0 @@
-{ config, _utils, ... }:
-let
- secrets = _utils.setupSharedSecrets config { secrets = [ "frpToken" ]; };
-in
-{
- imports = [ secrets.generate ];
-
- services.frp = {
- enable = true;
- role = "server";
- settings = {
- bindPort = 7000;
- auth = {
- method = "token";
- token = "{{ .Envs.FRP_TOKEN }}";
- };
- };
- };
-
- networking.firewall = {
- allowedTCPPorts = [ 22 ]; # forgejo-ssh
- allowedTCPPortRanges = [
- {
- from = 6000;
- to = 7000;
- }
- ];
- };
-
- systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
-}
diff --git a/systems/vesuvio/hetzner.nix b/systems/vesuvio/hetzner.nix
deleted file mode 100644
index 4505de0..0000000
--- a/systems/vesuvio/hetzner.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-{
- services = {
- # Needed by the Hetzner Cloud password reset feature.
- qemuGuest.enable = true;
-
- # Hetzner DNS does not work with DoT
- resolved = {
- dnssec = "allow-downgrade";
- dnsovertls = "false";
- };
- };
-
- # https://discourse.nixos.org/t/qemu-guest-agent-on-hetzner-cloud-doesnt-work/8864/2
- systemd.services.qemu-guest-agent.path = [ pkgs.shadow ];
-
- zramSwap.enable = true;
-}