fi/nix-infra
1
2
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: fi:0e5427a3883ab9914bcf3a686dc0390f31972ae0
Branches Tags
fi:main
fi:ikiwiki
fi:mas
..
compare: fi:1ad857a33adcbda97a4164190ed131fbcc8020e3
Branches Tags
fi:main
fi:ikiwiki
fi:mas

No commits in common. "0e5427a3883ab9914bcf3a686dc0390f31972ae0" and "1ad857a33adcbda97a4164190ed131fbcc8020e3" have entirely different histories.
0e5427a388 ... 1ad857a33a

12 changed files with 9 additions and 190 deletions
Download patch file Download diff file Expand all files Collapse all files

8
config/hosts/mail-1/secrets.nix
View file

@ -73,14 +73,6 @@
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = { "mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ]; keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets"; destDir = "/secrets";

5
config/hosts/mail-1/simple-nixos-mailserver.nix
View file

@ -46,11 +46,6 @@
sendOnly = true; sendOnly = true;
aliases = [ "nyareply@nekover.se" ]; aliases = [ "nyareply@nekover.se" ];
}; };
"nekomesh@nekover.se" = {
hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = { "social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret"; hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
sendOnly = true; sendOnly = true;

17
config/hosts/metrics-nekomesh/configuration.nix
View file

@ -1,17 +0,0 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "metrics-nekomesh";
firewall = {
enable = true;
allowedTCPPorts = [ 80 8443 9091 ];
};
};
system.stateVersion = "25.11";
}

9
config/hosts/metrics-nekomesh/default.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./grafana.nix
./prometheus.nix
./nginx.nix
];
}

54
config/hosts/metrics-nekomesh/grafana.nix
View file

@ -1,54 +0,0 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
domain = "mesh.nekover.se";
root_url = "https://${config.services.grafana.settings.server.domain}";
};
security = {
cookie_secure = true;
cookie_samesite = "strict";
admin_user = "admin";
admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
admin_email = "fi@nekover.se";
};
smtp = {
enabled = true;
host = "mail.grzb.de:465";
user = "nekomesh@grzb.de";
password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
from_address = "nyareply@nekover.se";
from_name = "Nekomesh";
startTLS_policy = "NoStartTLS";
};
"auth.generic_oauth" = {
enabled = true;
name = "Nekoverse ID";
allow_sign_up = true;
client_id = "nekomesh";
client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
scopes = "openid email profile offline_access roles";
email_attribute_path = "email";
login_attribute_path = "preferred_username";
name_attribute_path = "preferred_username";
auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth";
token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token";
api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo";
use_refresh_token = true;
allow_assign_grafana_admin = true;
role_attribute_strict = true;
role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'";
};
};
provision.datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://localhost:${builtins.toString config.services.prometheus.port}";
isDefault = true;
}
];
};
}

32
config/hosts/metrics-nekomesh/nginx.nix
View file

@ -1,32 +0,0 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
${config.services.grafana.settings.server.domain} = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
locations."/" = {
proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
};
}

20
config/hosts/metrics-nekomesh/prometheus.nix
View file

@ -1,20 +0,0 @@
{ ... }:
{
services.prometheus = {
enable = true;
retentionTime = "2y";
scrapeConfigs = [
{
job_name = "meshcore";
scrape_interval = "15m";
static_configs = [{
targets = [ "localhost:9091" ];
}];
}
];
pushgateway = {
enable = true;
web.external-url = "metrics-nekomesh.vs.grzb.de:9091";
};
};
}

29
config/hosts/metrics-nekomesh/secrets.nix
View file

@ -1,29 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"metrics-nekomesh-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

1
config/hosts/web-public-2/nginx.nix
View file

@ -30,7 +30,6 @@
matrix-rtc.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443;
mewtube.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443;
mesh.nekover.se 10.202.41.126:8443;
nix-cache.nekover.se 10.202.41.121:8443; nix-cache.nekover.se 10.202.41.121:8443;
searx.nekover.se 10.202.41.105:8443; searx.nekover.se 10.202.41.105:8443;
social.nekover.se 10.202.41.104:8443; social.nekover.se 10.202.41.104:8443;

1
config/hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -7,7 +7,6 @@ let
"mas.nekover.se" = "matrix.vs.grzb.de"; "mas.nekover.se" = "matrix.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de";
"matrix-rtc.nekover.se" = "matrix.vs.grzb.de"; "matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
"mesh.nekover.se" = "metrics-nekomesh.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de";

18
flake.lock generated
View file

@ -118,11 +118,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1762098551, "lastModified": 1761597516,
"narHash": "sha256-SchwrZR0pUgTCY10IxC4Lf40u3gLmbAdVeGNyomVxaE=", "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0257fc3c4a1ba60fb2a9d19c2915e7315bad41db", "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -150,11 +150,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1762113106, "lastModified": 1761698251,
"narHash": "sha256-iiv03ogrvPXanFWJIBM2/wQn/3mKAYNpN/1bxWELhUE=", "narHash": "sha256-oGt8VAGzOS87XPl0GoG815V2YysxCCShPy32uQlHQhw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "134fe04e1dad764124c515007533cdd3c9a01aaf", "rev": "1028e8c843056e126be9e31d579bdd20942d7dd7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -166,11 +166,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1762080734, "lastModified": 1761676996,
"narHash": "sha256-fFunzA7ITlPHRr7dECaFGTBucNiWYEVDNPBw/9gFmII=", "narHash": "sha256-mAB2hKwu+6ufnxdNJganMbPbfhTYzJGAWnfcC2JLEeQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bc7f6fa86de9b208edf4ea7bbf40bcd8cc7d70a5", "rev": "7f2539ca08e04c9bd337c00a80fefec5bd146b29",
"type": "github" "type": "github"
}, },
"original": { "original": {

5
hosts.nix
View file

@ -76,11 +76,6 @@ in
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
metrics-nekomesh = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
nextcloud = { nextcloud = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";