
10 commits

Author SHA1 Message Date
fi
0e5427a388 Enable sign in with nekoverse ID on nekomesh 2025-11-03 04:15:33 +01:00
fi
2147597a73 remove anubis from nekomesh 2025-11-03 02:43:03 +01:00
fi
2abea07b87 Add nginx user to anubis group on nekomesh 2025-11-02 23:14:37 +01:00
fi
122701ea08 fix nginx proxy procotol port for nekomesh 2025-11-02 23:09:55 +01:00
fi
4e7f683b61 Fix nekomesh nginx config 2025-11-02 23:05:09 +01:00
fi
475134a847 Add anubis to nekomesh host 2025-11-02 22:20:31 +01:00
fi
b5318d86fb fix nekomesh mail secret 2025-11-02 21:52:50 +01:00
fi
3b888d375a Add prometheus-pushgateway to metrics-nekomesh 2025-11-02 21:35:49 +01:00
fi
d5356831cc flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/daf6dc47aa4b44791372d6139ab7b25269184d55?narHash=sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8%2BON/0Yy8%2Ba5vsDU%3D' (2025-10-27)
  → 'github:NixOS/nixpkgs/0257fc3c4a1ba60fb2a9d19c2915e7315bad41db?narHash=sha256-SchwrZR0pUgTCY10IxC4Lf40u3gLmbAdVeGNyomVxaE%3D' (2025-11-02)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/1028e8c843056e126be9e31d579bdd20942d7dd7?narHash=sha256-oGt8VAGzOS87XPl0GoG815V2YysxCCShPy32uQlHQhw%3D' (2025-10-29)
  → 'github:NixOS/nixpkgs/134fe04e1dad764124c515007533cdd3c9a01aaf?narHash=sha256-iiv03ogrvPXanFWJIBM2/wQn/3mKAYNpN/1bxWELhUE%3D' (2025-11-02)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/7f2539ca08e04c9bd337c00a80fefec5bd146b29?narHash=sha256-mAB2hKwu%2B6ufnxdNJganMbPbfhTYzJGAWnfcC2JLEeQ%3D' (2025-10-28)
  → 'github:NixOS/nixpkgs/bc7f6fa86de9b208edf4ea7bbf40bcd8cc7d70a5?narHash=sha256-fFunzA7ITlPHRr7dECaFGTBucNiWYEVDNPBw/9gFmII%3D' (2025-11-02)
2025-11-02 21:22:01 +01:00
fi
3fcd427251 Add metrics-nekomesh host 2025-11-02 21:20:49 +01:00
12 changed files with 190 additions and 9 deletions


@ -73,6 +73,14 @@
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";


@ -46,6 +46,11 @@
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"nekomesh@nekover.se" = {
hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
sendOnly = true;
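Review bot: The login this account accepts is `nekomesh@nekover.se`, but the Grafana `smtp` block added elsewhere in this compare authenticates with `user = "nekomesh@grzb.de"` against `mail.grzb.de:465`. Unless the mail server maps that name to this account somewhere outside the visible hunks, SMTP authentication from Grafana will be rejected and alert mail will not be delivered. Align the two, for example `user = "nekomesh@nekover.se";` in the Grafana settings. The surrounding accounts attribute set starts and ends outside this hunk.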


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "metrics-nekomesh";
firewall = {
enable = true;
allowedTCPPorts = [ 80 8443 9091 ];
};
};
system.stateVersion = "25.11";
}
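Review bot: `allowedTCPPorts = [ 80 8443 9091 ]` opens the Pushgateway port to every source that can route to this host, and the Pushgateway settings in this compare configure no authentication or TLS. Any client reaching 9091 can push or delete metric groups, which Prometheus then scrapes and keeps for the configured `2y` retention. If only known nodes push, restrict the port to them (for instance per interface with `networking.firewall.interfaces.<name>.allowedTCPPorts`, or with a source-address rule) or put it behind the existing nginx with credentials. The same narrowing is worth considering for 8443, which presumably only the proxy at 10.202.41.100 needs to reach.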


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./grafana.nix
./prometheus.nix
./nginx.nix
];
}


@ -0,0 +1,54 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
domain = "mesh.nekover.se";
root_url = "https://${config.services.grafana.settings.server.domain}";
};
security = {
cookie_secure = true;
cookie_samesite = "strict";
admin_user = "admin";
admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
admin_email = "fi@nekover.se";
};
smtp = {
enabled = true;
host = "mail.grzb.de:465";
user = "nekomesh@grzb.de";
password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
from_address = "nyareply@nekover.se";
from_name = "Nekomesh";
startTLS_policy = "NoStartTLS";
};
"auth.generic_oauth" = {
enabled = true;
name = "Nekoverse ID";
allow_sign_up = true;
client_id = "nekomesh";
client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
scopes = "openid email profile offline_access roles";
email_attribute_path = "email";
login_attribute_path = "preferred_username";
name_attribute_path = "preferred_username";
auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth";
token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token";
api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo";
use_refresh_token = true;
allow_assign_grafana_admin = true;
role_attribute_strict = true;
role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'";
};
};
provision.datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://localhost:${builtins.toString config.services.prometheus.port}";
isDefault = true;
}
];
};
}
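Review bot: The trailing `|| 'Viewer'` in `role_attribute_path` makes `role_attribute_strict = true` a no-op: the expression always yields a valid role, so with `allow_sign_up = true` every account in the nekoverse realm that completes the OAuth flow is provisioned as Viewer. If access is meant to be limited to users holding a `nekomesh` client role, drop the fallback so strict mode rejects the login, ending the expression at `... && 'Editor'` or adding an explicit viewer-role check. If realm-wide Viewer access is intended, say so in a comment such as `# every realm user may view dashboards` and remove `role_attribute_strict`. Because `allow_assign_grafana_admin = true` grants server admin from a token claim, it is also worth confirming on the identity provider who is able to assign the `grafanaadmin` client role.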


@ -0,0 +1,32 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
${config.services.grafana.settings.server.domain} = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
locations."/" = {
proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
};
}
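Review bot: `locations."/"` proxies to Grafana without forwarding the original Host header; nothing in this file enables `recommendedProxySettings`, so unless it is set globally outside this compare, nginx sends the upstream address as Host. Grafana's reverse-proxy guidance asks for `proxy_set_header Host $host;`, and its origin check can reject logins when Host and Origin differ. Adding `recommendedProxySettings = true;` to the location would also pass the X-Forwarded-* headers, so Grafana sees the client address that `real_ip_header proxy_protocol` recovers.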


@ -0,0 +1,20 @@
{ ... }:
{
services.prometheus = {
enable = true;
retentionTime = "2y";
scrapeConfigs = [
{
job_name = "meshcore";
scrape_interval = "15m";
static_configs = [{
targets = [ "localhost:9091" ];
}];
}
];
pushgateway = {
enable = true;
web.external-url = "metrics-nekomesh.vs.grzb.de:9091";
};
};
}
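Review bot: The `meshcore` scrape job targets the Pushgateway at `localhost:9091` without `honor_labels = true;`, so Prometheus replaces the `job` and `instance` labels of pushed series with those of the scrape target and keeps the originals only as `exported_job` / `exported_instance`. The Pushgateway documentation recommends `honor_labels` for exactly this case. Separately, `web.external-url` is given without a scheme; confirm that the Pushgateway interprets `metrics-nekomesh.vs.grzb.de:9091` as intended, or write it as a full `http://…` URL.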


@ -0,0 +1,29 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"metrics-nekomesh-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
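Review bot: `mail-nekomesh-nekover-se.secret` is filled from `pass mail/nekomesh-nekover-se`, the same entry the mail host's key in this compare deploys for `hashedPasswordFile`, yet Grafana reads this file as its SMTP `password`. One entry cannot be both the stored hash and the cleartext credential, so either the mail server gets a plaintext password where it expects a hash or Grafana submits the hash as its password. Unless `keyCommandEnv` or the entry itself differentiates the two (not visible here), split them into two pass entries and point this key at the client-side one. Owner `grafana` with mode `0640` is consistent with the other two keys in this file.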


@ -30,6 +30,7 @@
matrix-rtc.nekover.se 10.202.41.112:8443;
mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443;
mesh.nekover.se 10.202.41.126:8443;
nix-cache.nekover.se 10.202.41.121:8443;
searx.nekover.se 10.202.41.105:8443;
social.nekover.se 10.202.41.104:8443;


@ -7,6 +7,7 @@ let
"mas.nekover.se" = "matrix.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de";
"matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
"mesh.nekover.se" = "metrics-nekomesh.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de";

18
flake.lock generated

@ -118,11 +118,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1761597516,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"lastModified": 1762098551,
"narHash": "sha256-SchwrZR0pUgTCY10IxC4Lf40u3gLmbAdVeGNyomVxaE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"rev": "0257fc3c4a1ba60fb2a9d19c2915e7315bad41db",
"type": "github"
},
"original": {
@ -150,11 +150,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1761698251,
"narHash": "sha256-oGt8VAGzOS87XPl0GoG815V2YysxCCShPy32uQlHQhw=",
"lastModified": 1762113106,
"narHash": "sha256-iiv03ogrvPXanFWJIBM2/wQn/3mKAYNpN/1bxWELhUE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1028e8c843056e126be9e31d579bdd20942d7dd7",
"rev": "134fe04e1dad764124c515007533cdd3c9a01aaf",
"type": "github"
},
"original": {
@ -166,11 +166,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1761676996,
"narHash": "sha256-mAB2hKwu+6ufnxdNJganMbPbfhTYzJGAWnfcC2JLEeQ=",
"lastModified": 1762080734,
"narHash": "sha256-fFunzA7ITlPHRr7dECaFGTBucNiWYEVDNPBw/9gFmII=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7f2539ca08e04c9bd337c00a80fefec5bd146b29",
"rev": "bc7f6fa86de9b208edf4ea7bbf40bcd8cc7d70a5",
"type": "github"
},
"original": {


@ -76,6 +76,11 @@ in
site = "vs";
environment = "proxmox";
};
metrics-nekomesh = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
nextcloud = {
site = "vs";
environment = "proxmox";