v/infrastructure
1
0
Fork 0
Code Issues 13 Pull requests 1 Projects Releases Packages Activity Actions

fixed linting

Browse source
This commit is contained in:
Vivian 2023-09-25 11:56:02 +02:00
parent 6105d8bc05
commit 0933b2b504
59 changed files with 2843 additions and 2638 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/hosts/olympus/bastion/configuration.nix
View file

@ -17,7 +17,8 @@ let
done
fi
'';
in {
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix

12
nixos/hosts/olympus/bastion/hardware-configuration.nix
View file

@ -5,12 +5,14 @@
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";

3
nixos/hosts/olympus/dex/configuration.nix
View file

@ -9,7 +9,8 @@ let
db_name = "dex";
inherit (config.meta.exposes.dex) port;
metricsPort = 5558;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default

5
nixos/hosts/olympus/dhcp/configuration.nix
View file

@ -9,8 +9,9 @@ let
localDomain = config.networking.domain;
hosts =
filter (h: hasAttr "ip" h && hasAttr "mac" h && h.realm == localDomain)
flat_hosts;
in {
flat_hosts;
in
{
networking = {
defaultGateway = "10.42.42.1";
nameservers = [ "10.42.42.15" "10.42.42.16" ];

12
nixos/hosts/olympus/eevee/hardware-configuration.nix
View file

@ -5,12 +5,14 @@
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/947a98af-9a4e-4811-a2ca-9aa00b319e9c";

62
nixos/hosts/olympus/eevee/hardware.nix
View file

@ -1,42 +1,46 @@
{ pkgs, config, ... }: {
hardware.enableAllFirmware = true;
hardware = {
enableAllFirmware = true;
nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.stable;
services.hardware.bolt.enable = true;
# Open drivers cause gdm to crash
# open = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.stable;
# nvidia-drm.modeset=1
modesetting.enable = true;
};
# Open drivers cause gdm to crash
# open = true;
# Hardware acceleration
opengl = {
enable = true;
# nvidia-drm.modeset=1
modesetting.enable = true;
# Vulkan
driSupport = true;
};
logitech.wireless = {
enable = true;
enableGraphical = true;
};
};
services = {
# Hardware acceleration
hardware.opengl = {
enable = true;
hardware.bolt.enable = true;
# Vulkan
driSupport = true;
xserver.videoDrivers = [ "nvidia" ];
# udev
udev.packages = with pkgs; [
android-udev-rules
logitech-udev-rules
wooting-udev-rules
];
# SSD Trim
fstrim.enable = true;
};
hardware.logitech.wireless = {
enable = true;
enableGraphical = true;
};
# udev
services.udev.packages = with pkgs; [
android-udev-rules
logitech-udev-rules
wooting-udev-rules
];
# FS
fileSystems."/".options = [ "compress=zstd" ];
# SSD Trim
services.fstrim.enable = true;
}

127
nixos/hosts/olympus/gitea/configuration.nix
View file

@ -6,7 +6,8 @@
let
vs = config.vault-secrets.secrets;
inherit (config.meta.exposes.git) port;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default
@ -23,12 +24,71 @@ in {
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ port ];
services = {
services.openssh.startWhenNeeded = false;
openssh.startWhenNeeded = false;
services.fail2ban = {
enable = true;
maxretry = 3;
fail2ban = {
enable = true;
maxretry = 3;
};
gitea = {
enable = true;
package = pkgs.forgejo;
lfs.enable = true;
dump.type = "tar.gz";
database.type = "postgres";
mailerPasswordFile = "${vs.gitea}/mailPassword";
settings = {
default.WORK_PATH = "/var/lib/gitea";
actions = { "ENABLED" = true; };
repository = {
"ENABLE_PUSH_CREATE_USER" = true;
"DEFAULT_PUSH_CREATE_PRIVATE" = false;
};
service = {
"DEFAULT_KEEP_EMAIL_PRIVATE" = true;
"DISABLE_REGISTRATION" = true;
};
indexer = {
"REPO_INDEXER_ENABLED" = true;
"REPO_INDEXER_PATH" = "indexers/repos.bleve";
"MAX_FILE_SIZE" = 1048576;
"REPO_INDEXER_EXCLUDE" = "node_modules/**";
};
ui = {
"THEMES" = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,agatheme";
"DEFAULT_THEME" = "forgejo-auto";
"USE_SERVICE_WORKER" = true;
};
server = {
LANDING_PAGE = "explore";
SSH_PORT = 42;
DOMAIN = "git.0x76.dev";
ROOT_URL = "https://git.0x76.dev";
HTTP_PORT = port;
};
session = {
"PROVIDER" = "db";
"COOKIE_SECURE" = true;
};
mailer = {
"ENABLED" = true;
# "IS_TLS_ENABLED" = true;
# "HOST" = "mail.0x76.dev:465";
"FROM" = "gitea@0x76.dev";
# "MAILER_TYPE" = "smtp";
"USER" = "gitea@0x76.dev";
# Below is prep for 1.18
"PROTOCOL" = "smtps";
"SMTP_ADDR" = "mail.0x76.dev";
"SMTP_PORT" = 465;
};
};
};
};
vault-secrets.secrets.gitea = {
@ -42,61 +102,4 @@ in {
mkdir -p ${target_dir}
ln -sf ${pkgs.v.gitea-agatheme} "${target_dir}/theme-agatheme.css"
'';
services.gitea = {
enable = true;
package = pkgs.forgejo;
lfs.enable = true;
dump.type = "tar.gz";
database.type = "postgres";
mailerPasswordFile = "${vs.gitea}/mailPassword";
settings = {
default.WORK_PATH = "/var/lib/gitea";
actions = { "ENABLED" = true; };
repository = {
"ENABLE_PUSH_CREATE_USER" = true;
"DEFAULT_PUSH_CREATE_PRIVATE" = false;
};
service = {
"DEFAULT_KEEP_EMAIL_PRIVATE" = true;
"DISABLE_REGISTRATION" = true;
};
indexer = {
"REPO_INDEXER_ENABLED" = true;
"REPO_INDEXER_PATH" = "indexers/repos.bleve";
"MAX_FILE_SIZE" = 1048576;
"REPO_INDEXER_EXCLUDE" = "node_modules/**";
};
ui = {
"THEMES" = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,agatheme";
"DEFAULT_THEME" = "forgejo-auto";
"USE_SERVICE_WORKER" = true;
};
server = {
LANDING_PAGE = "explore";
SSH_PORT = 42;
DOMAIN = "git.0x76.dev";
ROOT_URL = "https://git.0x76.dev";
HTTP_PORT = port;
};
session = {
"PROVIDER" = "db";
"COOKIE_SECURE" = true;
};
mailer = {
"ENABLED" = true;
# "IS_TLS_ENABLED" = true;
# "HOST" = "mail.0x76.dev:465";
"FROM" = "gitea@0x76.dev";
# "MAILER_TYPE" = "smtp";
"USER" = "gitea@0x76.dev";
# Below is prep for 1.18
"PROTOCOL" = "smtps";
"SMTP_ADDR" = "mail.0x76.dev";
"SMTP_PORT" = 465;
};
};
};
}

30
nixos/hosts/olympus/hedgedoc/configuration.nix
View file

@ -8,7 +8,8 @@ let
db_user = "hedgedoc";
inherit (config.meta.exposes.md) port;
vs = config.vault-secrets.secrets;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default
@ -67,19 +68,20 @@ in {
secretKey = "$MINIO_SECRET_KEY";
};
email = false;
oauth2 = let url = "https://dex.0x76.dev";
in {
providerName = "Dex";
clientID = "hedgedoc";
clientSecret = "$DEX_CLIENT_SECRET";
scope = "openid email profile";
authorizationURL = "${url}/auth";
tokenURL = "${url}/token";
userProfileURL = "${url}/userinfo";
userProfileUsernameAttr = "preferred_username";
userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email";
};
oauth2 =
let url = "https://dex.0x76.dev";
in {
providerName = "Dex";
clientID = "hedgedoc";
clientSecret = "$DEX_CLIENT_SECRET";
scope = "openid email profile";
authorizationURL = "${url}/auth";
tokenURL = "${url}/token";
userProfileURL = "${url}/userinfo";
userProfileUsernameAttr = "preferred_username";
userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email";
};
};
};
}

78
nixos/hosts/olympus/mailserver/configuration.nix
View file

@ -97,48 +97,50 @@ in {
autoIndexExclude = [ "\\Junk" ];
};
};
services = {
services.postfix.relayHost = "smtp.ziggozakelijk.nl";
services.postfix.relayPort = 587;
postfix.relayHost = "smtp.ziggozakelijk.nl";
postfix.relayPort = 587;
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins
(plugins: [ plugins.persistent_login pkgs.v.roundcube-swipe ]);
plugins = [
"archive"
"managesieve"
"swipe"
# "enigma"
# "markasjunk"
"persistent_login"
];
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.0x76.dev";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
$config['swipe_actions'] = [
'messagelist' => [
'left' => 'archive',
'right' => 'archive',
'down' => 'none'
],
'contactlist' => [
'left' => 'none',
'right' => 'none',
'down' => 'none'
]
roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins
(plugins: [ plugins.persistent_login pkgs.v.roundcube-swipe ]);
plugins = [
"archive"
"managesieve"
"swipe"
# "enigma"
# "markasjunk"
"persistent_login"
];
'';
};
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.0x76.dev";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
services.nginx = { enable = true; };
$config['swipe_actions'] = [
'messagelist' => [
'left' => 'archive',
'right' => 'archive',
'down' => 'none'
],
'contactlist' => [
'left' => 'none',
'right' => 'none',
'down' => 'none'
]
];
'';
};
nginx = { enable = true; };
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "v@0x76.dev";

3
nixos/hosts/olympus/minio/configuration.nix
View file

@ -7,7 +7,8 @@ let
vs = config.vault-secrets.secrets;
listenPort = config.meta.exposes.minio.port;
consolePort = listenPort + 1;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default

201
nixos/hosts/olympus/nginx/configuration.nix
View file

@ -13,7 +13,8 @@ let
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
in
{
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
@ -23,115 +24,127 @@ in {
system.stateVersion = "21.05"; # Did you read the comment?
networking.firewall.allowedTCPPorts = [ 80 443 ];
services = {
# Generates vhosts for all hosts that have an `exposes` section
services.v.nginx.autoExpose = true;
# Generates vhosts for all hosts that have an `exposes` section
v.nginx.autoExpose = true;
services.nginx = {
enable = true;
statusPage = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedBrotliSettings = true;
clientMaxBodySize = "500m";
nginx = {
enable = true;
statusPage = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedBrotliSettings = true;
clientMaxBodySize = "500m";
package = pkgs.nginxMainline;
package = pkgs.nginxMainline;
# Templated
virtualHosts = {
"pass.0x76.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://vaultwarden.olympus:3012";
proxyWebsockets = true;
};
};
# Templated
virtualHosts = {
"pass.0x76.dev" = {
enableACME = true;
forceSSL = true;
locations = {
# Meow
"meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 '<h1>meow</h1>';
'';
locations."= /.well-known/matrix/client".extraConfig =
mkWellKnown clientConfig;
locations."= /.well-known/matrix/server".extraConfig =
mkWellKnown serverConfig;
};
"chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 307 https://element.chat.meowy.tech;
'';
locations."/_matrix".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/admin" = {
# Allow only local and my own IPs
extraConfig = ''
allow 127.0.0.1;
allow 10.42.42.0/23;
allow 192.168.0.0/23;
allow 80.60.83.220;
allow 83.128.154.23;
allow 195.85.167.32/29;
deny all;
'';
proxyPass = "http://synapse.olympus:8008";
};
};
"element.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
"/".proxyPass = "http://vaultwarden.olympus:8222";
"/".proxyWebsockets = true;
root = pkgs.element-web.override {
conf = {
default_server_config = clientConfig;
show_labs_settings = true;
brand = "chat.meowy.tech";
"/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
};
"/notifications/hub" = {
proxyPass = "http://vaultwarden.olympus:3012";
proxyWebsockets = true;
};
};
};
};
"cinny.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
allowCustomHomeservers = false;
homeserverList = [ "chat.meowy.tech" ];
# Meow
"meowy.tech" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 '<h1>meow</h1>';
'';
"= /.well-known/matrix/client".extraConfig =
mkWellKnown clientConfig;
"= /.well-known/matrix/server".extraConfig =
mkWellKnown serverConfig;
};
};
"chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''
return 307 https://element.chat.meowy.tech;
'';
"/_matrix".proxyPass = "http://synapse.olympus:8008";
"/_synapse/client".proxyPass = "http://synapse.olympus:8008";
"/_synapse/admin" = {
# Allow only local and my own IPs
extraConfig = ''
allow 127.0.0.1;
allow 10.42.42.0/23;
allow 192.168.0.0/23;
allow 80.60.83.220;
allow 83.128.154.23;
allow 195.85.167.32/29;
deny all;
'';
proxyPass = "http://synapse.olympus:8008";
};
};
};
"element.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config = clientConfig;
show_labs_settings = true;
brand = "chat.meowy.tech";
};
};
};
"cinny.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
allowCustomHomeservers = false;
homeserverList = [ "chat.meowy.tech" ];
};
};
};
"admin.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.synapse-admin;
};
};
"admin.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.synapse-admin;
};
prometheus.exporters = {
nginx = {
enable = true;
openFirewall = true;
};
};
};
security = {
acme = {
security.acme.defaults.email = "victorheld12@gmail.com";
security.acme.acceptTerms = true;
security.acme.preliminarySelfsigned = true;
services.prometheus.exporters = {
nginx = {
enable = true;
openFirewall = true;
defaults.email = "victorheld12@gmail.com";
acceptTerms = true;
preliminarySelfsigned = true;
};
};
}

27
nixos/hosts/olympus/ntfy/configuration.nix
View file

@ -20,18 +20,19 @@
networking.firewall.allowedTCPPorts = [ 80 9090 ];
services.ntfy-sh = let datadir = "/var/lib/ntfy-sh";
in {
enable = true;
settings = {
base-url = "https://ntfy.0x76.dev";
listen-http = ":80";
cache-file = "${datadir}/cache.db";
auth-file = "${datadir}/user.db";
auth-default-access = "deny-all";
behind-proxy = true;
attachment-cache-dir = "${datadir}/attachments";
metrics-listen-http = ":9090";
services.ntfy-sh =
let datadir = "/var/lib/ntfy-sh";
in {
enable = true;
settings = {
base-url = "https://ntfy.0x76.dev";
listen-http = ":80";
cache-file = "${datadir}/cache.db";
auth-file = "${datadir}/user.db";
auth-default-access = "deny-all";
behind-proxy = true;
attachment-cache-dir = "${datadir}/attachments";
metrics-listen-http = ":9090";
};
};
};
}

3
nixos/hosts/olympus/outline/configuration.nix
View file

@ -6,7 +6,8 @@
let
vs = config.vault-secrets.secrets;
inherit (config.meta.exposes.outline) port;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default

109
nixos/hosts/olympus/synapse/configuration.nix
View file

@ -7,7 +7,8 @@ let
vs = config.vault-secrets.secrets;
port = 8008;
metricsPort = 9000;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default
@ -49,60 +50,62 @@ in {
"${vs.synapse}/email_password" # Also contains the rest of the email config
];
settings = let
log_file = pkgs.writeText "log.yml" ''
version: 1
settings =
let
log_file = pkgs.writeText "log.yml" ''
version: 1
formatters:
structured:
class: synapse.logging.TerseJsonFormatter
formatters:
structured:
class: synapse.logging.TerseJsonFormatter
handlers:
file:
class: logging.handlers.TimedRotatingFileHandler
formatter: structured
filename: /var/lib/matrix-synapse/synapse.log
when: midnight
backupCount: 3 # Does not include the current log file.
encoding: utf8
handlers:
file:
class: logging.handlers.TimedRotatingFileHandler
formatter: structured
filename: /var/lib/matrix-synapse/synapse.log
when: midnight
backupCount: 3 # Does not include the current log file.
encoding: utf8
loggers:
synapse:
level: INFO
handlers: [file]
'';
in {
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
max_upload_size = "100M";
registration_requires_token = true;
media_retention = { remote_media_lifetime = "90d"; };
log_config = "${log_file}";
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [{
names = [ "metrics" ];
compress = false;
}];
}
];
};
loggers:
synapse:
level: INFO
handlers: [file]
'';
in
{
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
max_upload_size = "100M";
registration_requires_token = true;
media_retention = { remote_media_lifetime = "90d"; };
log_config = "${log_file}";
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [{
names = [ "metrics" ];
compress = false;
}];
}
];
};
};
}

3
nixos/hosts/olympus/vaultwarden/configuration.nix
View file

@ -6,7 +6,8 @@
let
vs = config.vault-secrets.secrets;
cfg = config.services.vaultwarden.config;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default

191
nixos/hosts/olympus/victoriametrics/configuration.nix
View file

@ -8,7 +8,8 @@ let
grafanaDomain = config.meta.exposes.grafana.domain;
grafanaPort = config.meta.exposes.grafana.port;
vs = config.vault-secrets.secrets;
in {
in
{
imports = [ ];
# This value determines the NixOS release from which the default
@ -20,73 +21,104 @@ in {
system.stateVersion = "21.11"; # Did you read the comment?
networking.firewall.allowedTCPPorts = [ vmPort grafanaPort ];
networking.firewall.allowedUDPPorts = [ vmPort ];
services = {
services.victoriametrics = {
enable = true;
listenAddress = ":${toString vmPort}";
# Data Retention period in months
retentionPeriod = 36;
};
victoriametrics = {
enable = true;
listenAddress = ":${toString vmPort}";
# Data Retention period in months
retentionPeriod = 36;
};
vmagent = {
enable = true;
openFirewall = true;
prometheusConfig = {
global = {
scrape_interval = "1m";
scrape_timeout = "30s";
};
scrape_configs = [
{
job_name = "kea";
static_configs = [{
targets = [ "dhcp.olympus:9547" ];
labels.app = "dhcp";
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "nginx.olympus:9113" ];
labels.app = "nginx";
}];
}
{
job_name = "synapse";
static_configs = [{
targets = [ "synapse.olympus:9000" ];
labels.app = "synapse";
}];
}
{
job_name = "wireguard";
static_configs = [{
targets = [ "wireguard.olympus:9586" ];
labels.app = "wireguard";
}];
}
{
job_name = "ntfy";
static_configs = [{
targets = [ "ntfy.olympus:9090" ];
labels.app = "ntfy";
}];
}
{
job_name = "dex";
static_configs = [{
targets = [ "dex.olympus:5558" ];
labels.app = "dex";
}];
}
{
job_name = "unbound";
static_configs = [{
targets = [ "dns-1.olympus:9167" "dns-2.olympus:9167" ];
labels.app = "dns";
}];
}
];
};
};
grafana = {
enable = true;
settings = {
server = {
domain = grafanaDomain;
root_url = "https://${grafanaDomain}";
http_addr = "0.0.0.0";
http_port = grafanaPort;
};
security.admin_password = "$__file{${vs.grafana}/password}";
"auth.generic_oauth" = {
name = "Dex";
icon = "signin";
enabled = true;
allow_sign_up = true;
client_id = "grafana";
client_secret = "$__file{${vs.grafana}/dex_client_secret}";
scopes = toString [ "openid" "profile" "email" "groups" ];
auth_url = "https://dex.0x76.dev/auth";
token_url = "https://dex.0x76.dev/token";
api_url = "https://dex.0x76.dev/userinfo";
skip_org_role_sync = true;
auto_login = true;
};
services.vmagent = {
enable = true;
openFirewall = true;
prometheusConfig = {
global = {
scrape_interval = "1m";
scrape_timeout = "30s";
};
scrape_configs = [
{
job_name = "kea";
static_configs = [{
targets = [ "dhcp.olympus:9547" ];
labels.app = "dhcp";
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "nginx.olympus:9113" ];
labels.app = "nginx";
}];
}
{
job_name = "synapse";
static_configs = [{
targets = [ "synapse.olympus:9000" ];
labels.app = "synapse";
}];
}
{
job_name = "wireguard";
static_configs = [{
targets = [ "wireguard.olympus:9586" ];
labels.app = "wireguard";
}];
}
{
job_name = "ntfy";
static_configs = [{
targets = [ "ntfy.olympus:9090"];
labels.app = "ntfy";
}];
}
{
job_name = "dex";
static_configs = [{
targets = [ "dex.olympus:5558" ];
labels.app = "dex";
}];
}
{
job_name = "unbound";
static_configs = [{
targets = [ "dns-1.olympus:9167" "dns-2.olympus:9167" ];
labels.app = "dns";
}];
}
];
};
};
@ -94,33 +126,4 @@ in {
user = "grafana";
group = "grafana";
};
services.grafana = {
enable = true;
settings = {
server = {
domain = grafanaDomain;
root_url = "https://${grafanaDomain}";
http_addr = "0.0.0.0";
http_port = grafanaPort;
};
security.admin_password = "$__file{${vs.grafana}/password}";
"auth.generic_oauth" = {
name = "Dex";
icon = "signin";
enabled = true;
allow_sign_up = true;
client_id = "grafana";
client_secret = "$__file{${vs.grafana}/dex_client_secret}";
scopes = toString [ "openid" "profile" "email" "groups" ];
auth_url = "https://dex.0x76.dev/auth";
token_url = "https://dex.0x76.dev/token";
api_url = "https://dex.0x76.dev/userinfo";
skip_org_role_sync = true;
auto_login = true;
};
};
};
}

96
nixos/hosts/olympus/wireguard/configuration.nix
View file

@ -19,22 +19,62 @@ in {
environment.systemPackages = with pkgs; [ wireguard-tools ];
environment.noXlibs = lib.mkForce false;
networking = {
networking.firewall.allowedUDPPorts =
[ config.networking.wireguard.interfaces.wg0.listenPort ];
networking.firewall.checkReversePath = false;
firewall.allowedUDPPorts =
[ config.networking.wireguard.interfaces.wg0.listenPort ];
firewall.checkReversePath = false;
nat = {
enable = true;
internalInterfaces = [ "wg0" "eth0" ];
externalInterface = "eth0";
};
wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51821;
privateKeyFile = "${vs.wireguard}/privateKey";
peers = [
{
# Phone
publicKey = "K+99mvSYs4urcclreQDLA1pekD4xtu/mpS2uVWw8Bws=";
allowedIPs = [ "10.100.0.2/32" ];
}
{
# Laura's laptop
publicKey = "ZWIaDGrASlTkEK75j10VeGCvrIGfpk4GPobmqcYX2D0=";
allowedIPs = [ "10.100.0.3/32" ];
}
{
# Old Laptop
publicKey = "L8myt2bcdja7M+i+9eatdQRW8relPUoZZ9lEKSLe+m8=";
allowedIPs = [ "10.100.0.4/32" ];
}
{
# New Laptop
publicKey = "+Ms3xV6LxNZWTQk11zoz+AUIV2uds6A64Wz15JlR/Ak=";
allowedIPs = [ "10.100.0.6/32" ];
}
{
# Aerdenhout
# Useful setup video for opnsense: https://www.youtube.com/watch?v=RoXHe5dqCM0
# https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
publicKey = "KgqLhmUMX6kyTjRoa/GOCrZOvXNE5HWYuOr/T3v8/VI=";
allowedIPs = [ "10.100.0.5/32" "192.168.0.0/23" "10.10.10.0/24" ];
endpoint = "83.128.154.23:51820";
persistentKeepalive = 25;
}
];
};
};
vault-secrets.secrets.wireguard = {
services = [ "wireguard-wg0" ];
loginRetries = 25;
};
networking.nat = {
enable = true;
internalInterfaces = [ "wg0" "eth0" ];
externalInterface = "eth0";
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
@ -44,42 +84,4 @@ in {
enable = true;
openFirewall = true;
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51821;
privateKeyFile = "${vs.wireguard}/privateKey";
peers = [
{
# Phone
publicKey = "K+99mvSYs4urcclreQDLA1pekD4xtu/mpS2uVWw8Bws=";
allowedIPs = [ "10.100.0.2/32" ];
}
{
# Laura's laptop
publicKey = "ZWIaDGrASlTkEK75j10VeGCvrIGfpk4GPobmqcYX2D0=";
allowedIPs = [ "10.100.0.3/32" ];
}
{
# Old Laptop
publicKey = "L8myt2bcdja7M+i+9eatdQRW8relPUoZZ9lEKSLe+m8=";
allowedIPs = [ "10.100.0.4/32" ];
}
{
# New Laptop
publicKey = "+Ms3xV6LxNZWTQk11zoz+AUIV2uds6A64Wz15JlR/Ak=";
allowedIPs = [ "10.100.0.6/32" ];
}
{
# Aerdenhout
# Useful setup video for opnsense: https://www.youtube.com/watch?v=RoXHe5dqCM0
# https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
publicKey = "KgqLhmUMX6kyTjRoa/GOCrZOvXNE5HWYuOr/T3v8/VI=";
allowedIPs = [ "10.100.0.5/32" "192.168.0.0/23" "10.10.10.0/24" ];
endpoint = "83.128.154.23:51820";
persistentKeepalive = 25;
}
];
};
}