diff --git a/systems/etna/immich.nix b/systems/etna/immich.nix
index 65b520b..f355dd6 100644
--- a/systems/etna/immich.nix
+++ b/systems/etna/immich.nix
@@ -1,4 +1,3 @@
-{ ... }:
 {
 services.immich = {
 enable = true;
diff --git a/systems/etna/metrics.nix b/systems/etna/metrics.nix
index 186747b..a79c11a 100644
--- a/systems/etna/metrics.nix
+++ b/systems/etna/metrics.nix
@@ -24,51 +24,53 @@ in
 };
 };
- services.grafana = {
- enable = true;
- settings = {
- server = {
- http_port = 2432;
- root_url = "https://grafana.uku3lig.net";
+ services = {
+ grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_port = 2432;
+ root_url = "https://grafana.uku3lig.net";
+ };
 };
 };
- };
- services.victoriametrics = {
- enable = true;
- listenAddress = "127.0.0.1:9090";
- retentionPeriod = "5y";
- };
+ victoriametrics = {
+ enable = true;
+ listenAddress = "127.0.0.1:9090";
+ retentionPeriod = "5y";
+ };
- services.vmagent = {
- enable = true;
- prometheusConfig = {
- global.scrape_interval = "15s";
+ vmagent = {
+ enable = true;
+ prometheusConfig = {
+ global.scrape_interval = "15s";
- # node scraping is sent to vm directly via vmauth
- scrape_configs = [
+ # node scraping is sent to vm directly via vmauth
+ scrape_configs = [
+ {
+ job_name = "victoriametrics";
+ static_configs = [ { targets = [ "${builtins.toString vmcfg.listenAddress}" ]; } ];
+ }
+
+ {
+ job_name = "api-rs";
+ static_configs = [ { targets = [ "localhost:5001" ]; } ];
+ }
+ ];
+ };
+ };
+
+ vmauth = {
+ enable = true;
+ listenAddress = "127.0.0.1:9089";
+ environmentFile = vmauthEnv.path;
+ authConfig.users = [
+ {
- job_name = "victoriametrics";
- static_configs = [ { targets = [ "${builtins.toString vmcfg.listenAddress}" ]; } ];
- }
-
- {
- job_name = "api-rs";
- static_configs = [ { targets = [ "localhost:5001" ]; } ];
+ bearer_token = "%{VM_AUTH_TOKEN}";
+ url_prefix = "http://${vmcfg.listenAddress}";
 }
 ];
 };
 };
-
- services.vmauth = {
- enable = true;
- listenAddress = "127.0.0.1:9089";
- environmentFile = vmauthEnv.path;
- authConfig.users = [
- {
- bearer_token = "%{VM_AUTH_TOKEN}";
- url_prefix = "http://${vmcfg.listenAddress}";
- }
- ];
- };
 }
diff --git a/systems/fuji-wsl/default.nix b/systems/fuji-wsl/default.nix
index 566f739..f2caa0c 100644
--- a/systems/fuji-wsl/default.nix
+++ b/systems/fuji-wsl/default.nix
@@ -43,7 +43,7 @@
 replacements = [
 {
 oldDependency = pkgs.ffmpeg-full;
- newDependency = (pkgs.ffmpeg-full.override { withUnfree = true; });
+ newDependency = pkgs.ffmpeg-full.override { withUnfree = true; };
 }
 ];
 };
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index 04c43a0..46a7b3d 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -1,60 +1,17 @@
+{ pkgs, ... }:
 {
- pkgs,
- config,
- _utils,
- ...
-}:
-let
- secrets = _utils.setupSharedSecrets config { secrets = [ "frpToken" ]; };
-in
-{
- imports = [ secrets.generate ];
-
- zramSwap.enable = true;
+ imports = [
+ ./frp.nix
+ ./hetzner.nix
+ ];
 environment.systemPackages = with pkgs; [
 dig
 traceroute
 ];
- services = {
- openssh.ports = [ 4269 ];
-
- # Needed by the Hetzner Cloud password reset feature.
- qemuGuest.enable = true;
-
- resolved = {
- dnssec = "allow-downgrade";
- dnsovertls = "false";
- };
-
- frp = {
- enable = true;
- role = "server";
- settings = {
- bindPort = 7000;
- auth = {
- method = "token";
- token = "{{ .Envs.FRP_TOKEN }}";
- };
- };
- };
- };
-
- systemd.services = {
- frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
-
- # https://discourse.nixos.org/t/qemu-guest-agent-on-hetzner-cloud-doesnt-work/8864/2
- qemu-guest-agent.path = [ pkgs.shadow ];
- };
-
- networking.firewall = {
- allowedTCPPorts = [ 22 ]; # forgejo-ssh
- allowedTCPPortRanges = [
- {
- from = 6000;
- to = 7000;
- }
- ];
+ services.openssh = {
+ ports = [ 4269 ];
+ openFirewall = true;
 };
 }
diff --git a/systems/vesuvio/frp.nix b/systems/vesuvio/frp.nix
new file mode 100644
index 0000000..a437ee5
--- /dev/null
+++ b/systems/vesuvio/frp.nix
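Review bot: `openFirewall = true;` in the new `services.openssh` block states what the NixOS openssh module already does by default for `ports` (as far as I recall, openFirewall defaults to true), so the vesuvio/default.nix hunk does not change which ports are reachable; keeping it explicit is fine, but it deserves a comment saying so rather than reading like a new hole. The rule that opens TCP 22 for forgejo-ssh now lives in frp.nix, so a reader of default.nix no longer sees both externally reachable SSH ports in one place; `# sshd listens on 4269; TCP 22 is opened in frp.nix for the forwarded forgejo-ssh` above the block would restore that overview. If the intent was to rely on the module default instead, the line can simply be dropped.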
@@ -0,0 +1,31 @@
+{ config, _utils, ... }:
+let
+ secrets = _utils.setupSharedSecrets config { secrets = [ "frpToken" ]; };
+in
+{
+ imports = [ secrets.generate ];
+
+ services.frp = {
+ enable = true;
+ role = "server";
+ settings = {
+ bindPort = 7000;
+ auth = {
+ method = "token";
+ token = "{{ .Envs.FRP_TOKEN }}";
+ };
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 22 ]; # forgejo-ssh
+ allowedTCPPortRanges = [
+ {
+ from = 6000;
+ to = 7000;
+ }
+ ];
+ };
+
+ systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
+}
diff --git a/systems/vesuvio/hetzner.nix b/systems/vesuvio/hetzner.nix
new file mode 100644
index 0000000..4505de0
--- /dev/null
+++ b/systems/vesuvio/hetzner.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+ services = {
+ # Needed by the Hetzner Cloud password reset feature.
+ qemuGuest.enable = true;
+
+ # Hetzner DNS does not work with DoT
+ resolved = {
+ dnssec = "allow-downgrade";
+ dnsovertls = "false";
+ };
+ };
+
+ # https://discourse.nixos.org/t/qemu-guest-agent-on-hetzner-cloud-doesnt-work/8864/2
+ systemd.services.qemu-guest-agent.path = [ pkgs.shadow ];
+
+ zramSwap.enable = true;
+}
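Review bot: The `allowedTCPPortRanges` entry `from = 6000; to = 7000;` in the new frp.nix covers the frp control port (`bindPort = 7000`) only implicitly, together with whatever range the forwarded proxies use, and nothing in the file says which is which; a comment such as `# 7000 = frp bindPort (token auth); 6000-6999 presumably the ports handed to frpc proxies -- confirm` above the range would make the exposed surface explicit. The `allowedTCPPorts = [ 22 ]; # forgejo-ssh` rule sits here while sshd itself is configured in default.nix on 4269, so the comment should also say that 22 is served through frp rather than by this host's sshd, if that is the intent. The token is only referenced as `{{ .Envs.FRP_TOKEN }}` and supplied via the `EnvironmentFile` line, which keeps the secret out of the rendered configuration, as expected.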
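Review bot: `zramSwap.enable = true;` lands in the new hetzner.nix although nothing ties it to Hetzner, unlike the `qemuGuest` and `resolved` settings, which both carry a Hetzner-specific comment; either keep it in default.nix or add `# not Hetzner-specific: <reason it lives here>` so the grouping reads as intentional. The new `# Hetzner DNS does not work with DoT` comment on the `resolved` block is a welcome addition over the previous default.nix, where `dnsovertls = "false"` was unexplained.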