From 3fcd4272518756a76f17f97a2907f2b15a3329e5 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 21:20:49 +0100 Subject: [PATCH 01/10] Add metrics-nekomesh host --- .../hosts/mail-1/simple-nixos-mailserver.nix | 5 +++ .../hosts/metrics-nekomesh/configuration.nix | 17 +++++++++ config/hosts/metrics-nekomesh/default.nix | 9 +++++ config/hosts/metrics-nekomesh/grafana.nix | 36 +++++++++++++++++++ config/hosts/metrics-nekomesh/nginx.nix | 27 ++++++++++++++ config/hosts/metrics-nekomesh/prometheus.nix | 16 +++++++++ config/hosts/metrics-nekomesh/secrets.nix | 21 +++++++++++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 5 +++ 10 files changed, 138 insertions(+) create mode 100644 config/hosts/metrics-nekomesh/configuration.nix create mode 100644 config/hosts/metrics-nekomesh/default.nix create mode 100644 config/hosts/metrics-nekomesh/grafana.nix create mode 100644 config/hosts/metrics-nekomesh/nginx.nix create mode 100644 config/hosts/metrics-nekomesh/prometheus.nix create mode 100644 config/hosts/metrics-nekomesh/secrets.nix diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index a4b426a..c08a1a3 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -46,6 +46,11 @@ sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; + "nekomesh@nekover.se" = { + hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret"; + sendOnly = true; + aliases = [ "nyareply@nekover.se" ]; + }; "social@nekover.se" = { hashedPasswordFile = "/secrets/mail-social-nekover-se.secret"; sendOnly = true; diff --git a/config/hosts/metrics-nekomesh/configuration.nix b/config/hosts/metrics-nekomesh/configuration.nix new file mode 100644 index 0000000..0f46c1d --- /dev/null +++ b/config/hosts/metrics-nekomesh/configuration.nix 
@@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "metrics-nekomesh"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "25.11"; +} diff --git a/config/hosts/metrics-nekomesh/default.nix b/config/hosts/metrics-nekomesh/default.nix new file mode 100644 index 0000000..ef5c25c --- /dev/null +++ b/config/hosts/metrics-nekomesh/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./grafana.nix + ./prometheus.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix new file mode 100644 index 0000000..69e5a6d --- /dev/null +++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -0,0 +1,36 @@ +{ config, ... }: +{ + services.grafana = { + enable = true; + settings = { + server = { + domain = "nekomesh.nekover.se"; + root_url = "https://${config.services.grafana.settings.server.domain}"; + }; + security = { + cookie_secure = true; + cookie_samesite = "strict"; + admin_user = "fi"; + admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; + admin_email = "fi@nekover.se"; + }; + smtp = { + enabled = true; + host = "mail.grzb.de:465"; + user = "nekomesh@grzb.de"; + password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}"; + from_address = "nyareply@nekover.se"; + from_name = "Nekomesh"; + startTLS_policy = "NoStartTLS"; + }; + }; + provision.datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:${builtins.toString config.services.prometheus.port}"; + isDefault = true; + } + ]; + }; +} diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix new file mode 100644 index 0000000..9e31454 --- /dev/null +++ b/config/hosts/metrics-nekomesh/nginx.nix 
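Review bot: The `smtp.user` in grafana.nix, `nekomesh@grzb.de`, does not match the mailbox this series creates on mail-1, `nekomesh@nekover.se`, whose password file is the same `mail-nekomesh-nekover-se` secret and whose alias `nyareply@nekover.se` matches `from_address`. Unless the mail server also accepts a grzb.de login for that mailbox, SMTP authentication will fail and Grafana alert mail is silently not delivered; `user = "nekomesh@nekover.se";` looks like the intended value. Port 465 together with `startTLS_policy = "NoStartTLS"` is consistent with implicit TLS, so that part reads fine.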
@@ -0,0 +1,27 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + ${config.services.grafana.settings.server.domain} = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + }; + }; + }; + }; +} diff --git a/config/hosts/metrics-nekomesh/prometheus.nix b/config/hosts/metrics-nekomesh/prometheus.nix new file mode 100644 index 0000000..1e139a1 --- /dev/null +++ b/config/hosts/metrics-nekomesh/prometheus.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + services.prometheus = { + enable = true; + retentionTime = "2y"; + scrapeConfigs = [ + { + job_name = "meshcore"; + scrape_interval = "15m"; + static_configs = [{ + targets = [ "localhost:9091" ]; + }]; + } + ]; + }; +} diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix new file mode 100644 index 0000000..4b68fbb --- /dev/null +++ b/config/hosts/metrics-nekomesh/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "metrics-nekomesh-grafana-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-nekomesh-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 73699fb..5c790f7 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix 
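Review bot: The `meshcore` scrape job in prometheus.nix targets `localhost:9091`, which the rest of this series turns into a Pushgateway, but the job does not set `honor_labels`, so the `job` and `instance` labels pushed by the mesh clients are overwritten at scrape time with `meshcore` and `localhost:9091` and every pusher collapses into one series set. Add `honor_labels = true;` next to `job_name` so the pushed labels survive; this is the documented way to scrape a Pushgateway.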
@@ -30,6 +30,7 @@ matrix-rtc.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; + nekomesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; searx.nekover.se 10.202.41.105:8443; social.nekover.se 10.202.41.104:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 38d2804..7e970f3 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "mas.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "matrix-rtc.nekover.se" = "matrix.vs.grzb.de"; + "nekomesh.nekover.se" = "metrics-nekomesh.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index 11a8e05..b59e3d5 100644 --- a/hosts.nix +++ b/hosts.nix @@ -76,6 +76,11 @@ in site = "vs"; environment = "proxmox"; }; + metrics-nekomesh = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + environment = "proxmox"; + }; nextcloud = { site = "vs"; environment = "proxmox"; From d5356831cc30f835e83be56006832f8f3d8ff8bd Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 2 Nov 2025 21:22:01 +0100 Subject: [PATCH 02/10] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/daf6dc47aa4b44791372d6139ab7b25269184d55?narHash=sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8%2BON/0Yy8%2Ba5vsDU%3D' (2025-10-27) → 'github:NixOS/nixpkgs/0257fc3c4a1ba60fb2a9d19c2915e7315bad41db?narHash=sha256-SchwrZR0pUgTCY10IxC4Lf40u3gLmbAdVeGNyomVxaE%3D' (2025-11-02) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/1028e8c843056e126be9e31d579bdd20942d7dd7?narHash=sha256-oGt8VAGzOS87XPl0GoG815V2YysxCCShPy32uQlHQhw%3D' (2025-10-29) → 'github:NixOS/nixpkgs/134fe04e1dad764124c515007533cdd3c9a01aaf?narHash=sha256-iiv03ogrvPXanFWJIBM2/wQn/3mKAYNpN/1bxWELhUE%3D' (2025-11-02) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f2539ca08e04c9bd337c00a80fefec5bd146b29?narHash=sha256-mAB2hKwu%2B6ufnxdNJganMbPbfhTYzJGAWnfcC2JLEeQ%3D' (2025-10-28) → 'github:NixOS/nixpkgs/bc7f6fa86de9b208edf4ea7bbf40bcd8cc7d70a5?narHash=sha256-fFunzA7ITlPHRr7dECaFGTBucNiWYEVDNPBw/9gFmII%3D' (2025-11-02) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9edf099..e85d80b 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761597516, - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", + "lastModified": 1762098551, + "narHash": "sha256-SchwrZR0pUgTCY10IxC4Lf40u3gLmbAdVeGNyomVxaE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", + "rev": "0257fc3c4a1ba60fb2a9d19c2915e7315bad41db", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1761698251, - "narHash": "sha256-oGt8VAGzOS87XPl0GoG815V2YysxCCShPy32uQlHQhw=", + "lastModified": 1762113106, + "narHash": "sha256-iiv03ogrvPXanFWJIBM2/wQn/3mKAYNpN/1bxWELhUE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1028e8c843056e126be9e31d579bdd20942d7dd7", + "rev": "134fe04e1dad764124c515007533cdd3c9a01aaf", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1761676996, - "narHash": "sha256-mAB2hKwu+6ufnxdNJganMbPbfhTYzJGAWnfcC2JLEeQ=", + "lastModified": 1762080734, + "narHash": "sha256-fFunzA7ITlPHRr7dECaFGTBucNiWYEVDNPBw/9gFmII=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f2539ca08e04c9bd337c00a80fefec5bd146b29", + "rev": "bc7f6fa86de9b208edf4ea7bbf40bcd8cc7d70a5", "type": "github" }, "original": { From 3b888d375ac8b94b98e26f032fece1782e69d26f Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 21:33:54 +0100 Subject: [PATCH 03/10] Add prometheus-pushgateway to metrics-nekomesh --- config/hosts/metrics-nekomesh/configuration.nix | 2 +- config/hosts/metrics-nekomesh/prometheus.nix | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/config/hosts/metrics-nekomesh/configuration.nix b/config/hosts/metrics-nekomesh/configuration.nix index 0f46c1d..27ec8f0 100644 --- a/config/hosts/metrics-nekomesh/configuration.nix +++ b/config/hosts/metrics-nekomesh/configuration.nix @@ -9,7 +9,7 @@ hostName = "metrics-nekomesh"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [ 80 443 9091 ]; }; }; diff --git a/config/hosts/metrics-nekomesh/prometheus.nix b/config/hosts/metrics-nekomesh/prometheus.nix index 1e139a1..7d52369 100644 --- a/config/hosts/metrics-nekomesh/prometheus.nix +++ b/config/hosts/metrics-nekomesh/prometheus.nix @@ -12,5 +12,9 @@ }]; } ]; + pushgateway = { + enable = true; + web.external-url = "metrics-nekomesh.vs.grzb.de:9091"; + }; }; } 
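Review bot: Adding 9091 to `allowedTCPPorts` in configuration.nix exposes the Pushgateway enabled in prometheus.nix to every host that can reach this VM, and the Pushgateway has no authentication of its own, so any client on that network can push, overwrite or delete metric groups that Prometheus then records as real data. If only the mesh clients are meant to push, restrict the source addresses in the firewall or front the port with an nginx vhost that requires authentication (for example `basicAuthFile`) rather than exposing the bare listener. The same open port is carried over unchanged in the later `[PATCH 07/10]` firewall hunk.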
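Review bot: `web.external-url = "metrics-nekomesh.vs.grzb.de:9091"` in the pushgateway hunk has no scheme; the value is handed to `--web.external-url`, which expects a full URL, so the generated links are presumably wrong or the flag is rejected at start — confirm against the service log. `web.external-url = "http://metrics-nekomesh.vs.grzb.de:9091";` is the form the option expects. The enclosing `services.prometheus` block starts outside the hunk.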
From b5318d86fb6c040850bac5a99f0a9ce92e836cc8 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 21:52:50 +0100 Subject: [PATCH 04/10] fix nekomesh mail secret --- config/hosts/mail-1/secrets.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix index 581461f..c7dd92c 100644 --- a/config/hosts/mail-1/secrets.nix +++ b/config/hosts/mail-1/secrets.nix @@ -73,6 +73,14 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mail-nekomesh-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; "mail-social-nekover-se.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ]; destDir = "/secrets"; From 475134a84723d625d4ee944434c21ca9c5700a32 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 22:20:31 +0100 Subject: [PATCH 05/10] Add anubis to nekomesh host --- config/hosts/metrics-nekomesh/anubis.nix | 12 ++++++++++++ config/hosts/metrics-nekomesh/default.nix | 1 + config/hosts/metrics-nekomesh/grafana.nix | 2 +- config/hosts/metrics-nekomesh/nginx.nix | 2 +- config/hosts/web-public-2/nginx.nix | 2 +- .../web-public-2/virtualHosts/acme-challenge.nix | 2 +- 6 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 config/hosts/metrics-nekomesh/anubis.nix diff --git a/config/hosts/metrics-nekomesh/anubis.nix b/config/hosts/metrics-nekomesh/anubis.nix new file mode 100644 index 0000000..52dd7fb --- /dev/null +++ b/config/hosts/metrics-nekomesh/anubis.nix @@ -0,0 +1,12 @@ +{ config, ... }: +{ + services.anubis = { + instances."nekomesh" = { + enable = true; + settings = { + TARGET = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + SERVE_ROBOTS_TXT = true; + }; + }; + }; +} 
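Review bot: The new `mail-nekomesh-nekover-se.secret` entry feeds the `pass` entry `mail/nekomesh-nekover-se` to `hashedPasswordFile` on mail-1, while metrics-nekomesh/secrets.nix in `[PATCH 01/10]` feeds the very same entry to Grafana's `smtp.password`, which has to be the plaintext credential. `hashedPasswordFile` expects a password hash, so from a single stored value one of the two consumers presumably cannot authenticate; keep two entries (the hash for mail-1 and a separate plaintext entry for Grafana) or verify how the store is populated. The `root:root 0640` ownership matches the sibling entries and is fine.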
diff --git a/config/hosts/metrics-nekomesh/default.nix b/config/hosts/metrics-nekomesh/default.nix index ef5c25c..2052624 100644 --- a/config/hosts/metrics-nekomesh/default.nix +++ b/config/hosts/metrics-nekomesh/default.nix @@ -1,6 +1,7 @@ { ... }: { imports = [ + ./anubis.nix ./configuration.nix ./grafana.nix ./prometheus.nix diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 69e5a6d..5443fce 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -4,7 +4,7 @@ enable = true; settings = { server = { - domain = "nekomesh.nekover.se"; + domain = "mesh.nekover.se"; root_url = "https://${config.services.grafana.settings.server.domain}"; }; security = { diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index 9e31454..885fc05 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix @@ -18,7 +18,7 @@ } ]; locations."/" = { - proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + proxyPass = "http://unix:/run/anubis/anubis-nekomesh.sock"; proxyWebsockets = true; }; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 5c790f7..608d6a7 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -30,7 +30,7 @@ matrix-rtc.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; - nekomesh.nekover.se 10.202.41.126:8443; + mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; searx.nekover.se 10.202.41.105:8443; social.nekover.se 10.202.41.104:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 7e970f3..b3d0cc4 100644 
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,7 +7,7 @@ let "mas.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "matrix-rtc.nekover.se" = "matrix.vs.grzb.de"; - "nekomesh.nekover.se" = "metrics-nekomesh.vs.grzb.de"; + "mesh.nekover.se" = "metrics-nekomesh.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; From 4e7f683b61179cf3f93a52f9a163141dbcd8b884 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 23:00:55 +0100 Subject: [PATCH 06/10] Fix nekomesh nginx config --- config/hosts/metrics-nekomesh/nginx.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index 885fc05..ffbfe98 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix @@ -13,14 +13,19 @@ } { addr = "0.0.0.0"; - port = 443; + port = 8443; ssl = true; + extraParameters = [ "proxy_protocol" ]; } ]; locations."/" = { proxyPass = "http://unix:/run/anubis/anubis-nekomesh.sock"; proxyWebsockets = true; }; + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; }; }; From 122701ea08438f9f0fe7ecfa99674d165d0cdd3e Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 23:09:55 +0100 Subject: [PATCH 07/10] fix nginx proxy procotol port for nekomesh --- config/hosts/metrics-nekomesh/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/metrics-nekomesh/configuration.nix b/config/hosts/metrics-nekomesh/configuration.nix index 27ec8f0..8d5b18f 100644 --- a/config/hosts/metrics-nekomesh/configuration.nix +++ b/config/hosts/metrics-nekomesh/configuration.nix 
@@ -9,7 +9,7 @@ hostName = "metrics-nekomesh"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 9091 ]; + allowedTCPPorts = [ 80 8443 9091 ]; }; }; From 2abea07b87e5ba0f53b5a7a1b294a345b44fce1a Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 2 Nov 2025 23:14:37 +0100 Subject: [PATCH 08/10] Add nginx user to anubis group on nekomesh --- config/hosts/metrics-nekomesh/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/hosts/metrics-nekomesh/configuration.nix b/config/hosts/metrics-nekomesh/configuration.nix index 8d5b18f..8e07d60 100644 --- a/config/hosts/metrics-nekomesh/configuration.nix +++ b/config/hosts/metrics-nekomesh/configuration.nix @@ -13,5 +13,9 @@ }; }; + users.users.nginx = { + extraGroups = [ "anubis" ]; + }; + system.stateVersion = "25.11"; } From 2147597a73343ad540207e0df88f8993d6c35728 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 3 Nov 2025 02:43:03 +0100 Subject: [PATCH 09/10] remove anubis from nekomesh --- config/hosts/metrics-nekomesh/anubis.nix | 12 ------------ config/hosts/metrics-nekomesh/configuration.nix | 4 ---- config/hosts/metrics-nekomesh/default.nix | 1 - config/hosts/metrics-nekomesh/nginx.nix | 2 +- 4 files changed, 1 insertion(+), 18 deletions(-) delete mode 100644 config/hosts/metrics-nekomesh/anubis.nix diff --git a/config/hosts/metrics-nekomesh/anubis.nix b/config/hosts/metrics-nekomesh/anubis.nix deleted file mode 100644 index 52dd7fb..0000000 --- a/config/hosts/metrics-nekomesh/anubis.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, ... }: -{ - services.anubis = { - instances."nekomesh" = { - enable = true; - settings = { - TARGET = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; - SERVE_ROBOTS_TXT = true; - }; - }; - }; -} diff --git a/config/hosts/metrics-nekomesh/configuration.nix b/config/hosts/metrics-nekomesh/configuration.nix index 8e07d60..8d5b18f 100644 
--- a/config/hosts/metrics-nekomesh/configuration.nix +++ b/config/hosts/metrics-nekomesh/configuration.nix @@ -13,9 +13,5 @@ }; }; - users.users.nginx = { - extraGroups = [ "anubis" ]; - }; - system.stateVersion = "25.11"; } diff --git a/config/hosts/metrics-nekomesh/default.nix b/config/hosts/metrics-nekomesh/default.nix index 2052624..ef5c25c 100644 --- a/config/hosts/metrics-nekomesh/default.nix +++ b/config/hosts/metrics-nekomesh/default.nix @@ -1,7 +1,6 @@ { ... }: { imports = [ - ./anubis.nix ./configuration.nix ./grafana.nix ./prometheus.nix diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index ffbfe98..e2fc483 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix @@ -19,7 +19,7 @@ } ]; locations."/" = { - proxyPass = "http://unix:/run/anubis/anubis-nekomesh.sock"; + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; proxyWebsockets = true; }; extraConfig = '' From 0e5427a3883ab9914bcf3a686dc0390f31972ae0 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 3 Nov 2025 02:55:19 +0100 Subject: [PATCH 10/10] Enable sign in with nekoverse ID on nekomesh --- config/hosts/metrics-nekomesh/grafana.nix | 20 +++++++++++++++++++- config/hosts/metrics-nekomesh/secrets.nix | 8 ++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 5443fce..7697748 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -10,7 +10,7 @@ security = { cookie_secure = true; cookie_samesite = "strict"; - admin_user = "fi"; + admin_user = "admin"; admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; admin_email = "fi@nekover.se"; }; 
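Review bot: Changing `admin_user` from `fi` to `admin` in the `security` block only affects the account Grafana creates on first start; if this host has already been deployed and initialised with `fi` as admin (the earlier fix commits suggest it has), the existing account is not renamed and no `admin` user appears. Rename or recreate the account in the running instance for this setting to take effect, and state that in the commit message so the next deployer is not surprised. The rest of the `settings` block continues outside the hunk.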
@@ -23,6 +23,24 @@ from_name = "Nekomesh"; startTLS_policy = "NoStartTLS"; }; + "auth.generic_oauth" = { + enabled = true; + name = "Nekoverse ID"; + allow_sign_up = true; + client_id = "nekomesh"; + client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}"; + scopes = "openid email profile offline_access roles"; + email_attribute_path = "email"; + login_attribute_path = "preferred_username"; + name_attribute_path = "preferred_username"; + auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth"; + token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token"; + api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo"; + use_refresh_token = true; + allow_assign_grafana_admin = true; + role_attribute_strict = true; + role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'"; + }; }; provision.datasources.settings.datasources = [ { diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix index 4b68fbb..ef6bcec 100644 --- a/config/hosts/metrics-nekomesh/secrets.nix +++ b/config/hosts/metrics-nekomesh/secrets.nix @@ -9,6 +9,14 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "metrics-nekomesh-grafana-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; "mail-nekomesh-nekover-se.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; destDir = "/secrets";
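Review bot: In the new `auth.generic_oauth` block, `role_attribute_strict = true` has no effect because `role_attribute_path` ends in `|| 'Viewer'`: the expression always yields a role, so every account in the `nekoverse` realm that completes the login is created (`allow_sign_up = true`) as a Viewer. If only members holding a `nekomesh` client role should get in, drop the `|| 'Viewer'` fallback (or map an explicit viewer role) so the strict check denies everyone else; if realm-wide viewer access is intended, a one-line comment above the block saying so would save the next reader the same question. `use_pkce = true;` is a cheap hardening of the authorization-code exchange if the Keycloak client allows it. `allow_assign_grafana_admin = true` lets the IdP's `grafanaadmin` client role grant Grafana server-admin, which matches the mapping and is fine as long as assignment of that role in Keycloak is restricted.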