feat: Server monitroing, NixOS 24.05 (#84)

Co-authored-by: nhnn <nhnn@disroot.org>
Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/84
Inex Code 2024-07-30 19:19:06 +03:00
parent a6caa18981
commit 5218868b33
12 changed files with 195 additions and 102 deletions


@ -27,15 +27,12 @@ in
# ./resources/limits.nix
];
# We have to use this version to be able to migrate from Gitea.
nixpkgs.config.permittedInsecurePackages = [
"forgejo-1.20.6-1-unstable-2024-04-18"
];
fileSystems."/".options = [ "noatime" ];
services.selfprivacy-api.enable = true;
services.redis.package = pkgs.valkey;
services.redis.servers.${redis-sp-api-srv-name} = {
enable = true;
save = [
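Review bot: `nixpkgs.config.permittedInsecurePackages` allowlists `forgejo-1.20.6-1-unstable-2024-04-18`, and the rendered section does not show which of these lines are new, but after a move to NixOS 24.05 this pin needs a removal condition next to the existing migration comment, e.g. `# TODO: drop this entry once the Gitea -> Forgejo migration is done; it silences the insecure-package check for this one version`. Without a stated trigger an allowlist entry like this tends to outlive the migration it was added for. The attrset continues on both sides of the hunk.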


@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1720535198,
"narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=",
"lastModified": 1722221733,
"narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5",
"rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"type": "github"
},
"original": {
@ -28,11 +28,11 @@
]
},
"locked": {
"lastModified": 1719847554,
"narHash": "sha256-DSPpfFVG7NOxJXhIe0FWOzII9nPG4WSwP4RD8sYRZFo=",
"lastModified": 1722347757,
"narHash": "sha256-zXnhxAnNV3KyLa3BKc1ZMakQdZBj6M3UZ4TIr1cbUSQ=",
"ref": "master",
"rev": "4066be38ec11aabf47b03afd35778a53c6d28942",
"revCount": 1309,
"rev": "4cd90d0c93d758fcd931092edd3b68585e24ecb9",
"revCount": 1401,
"type": "git",
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
},


@ -59,6 +59,9 @@ in
];
};
};
systemd.tmpfiles.rules = lib.mkIf sp.useBinds [
"d /volumes/${cfg.location}/bitwarden/backup 0700 vaultwarden vaultwarden -"
];
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
@ -72,28 +75,36 @@ in
EMERGENCY_ACCESS_ALLOWED = cfg.emergencyAccessAllowed;
};
};
systemd.services.bitwarden-secrets = {
before = [ "vaultwarden.service" ];
requiredBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
systemd = {
services = {
vaultwarden.serviceConfig.Slice = "bitwarden.slice";
bitwarden-secrets = {
before = [ "vaultwarden.service" ];
requiredBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
if [ "$token" == "null" ]; then
# If it's null, empty the contents of the file
bitwarden_env=""
else
bitwarden_env="ADMIN_TOKEN=$token"
fi
token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
if [ "$token" == "null" ]; then
# If it's null, empty the contents of the file
bitwarden_env=""
else
bitwarden_env="ADMIN_TOKEN=$token"
fi
install -C -m 0700 -o vaultwarden -g vaultwarden \
-d /var/lib/bitwarden
install -C -m 0700 -o vaultwarden -g vaultwarden \
-d /var/lib/bitwarden
install -C -m 0600 -o vaultwarden -g vaultwarden -DT \
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
'';
install -C -m 0600 -o vaultwarden -g vaultwarden -DT \
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
'';
};
};
slices.bitwarden = {
description = "Bitwarden service slice";
};
};
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
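Review bot: The bitwarden-secrets script enables `nounset` but not `errexit`, so if `jq` cannot read `${secrets-filepath}` the `token` variable is simply empty, the `"null"` check does not fire, and a line `ADMIN_TOKEN=` with an empty value is installed into `${bitwarden-env}` while vaultwarden still starts. Changing the first line to `set -o errexit -o nounset -o pipefail` makes the oneshot fail instead, and `requiredBy` then holds vaultwarden back until the secret is readable. The nextcloud-secrets and pleroma-secrets scripts in this commit have the same gap: `jq -re` exits non-zero on a missing key, but nothing stops the script, so an empty credential file is installed. The tmpfiles rule at the top and the nginx lines at the bottom belong to an attrset that continues outside the hunk.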


@ -146,7 +146,17 @@ in
};
};
};
systemd.services.forgejo.unitConfig.RequiresMountsFor =
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
systemd = {
services.forgejo = {
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
serviceConfig = {
Slice = "gitea.slice";
};
};
slices.gitea = {
description = "Forgejo service slice";
};
};
};
}


@ -40,5 +40,15 @@ in
useACMEHost = domain;
enableACME = false;
};
systemd = {
services = {
jicofo.serviceConfig.Slice = "jitsi_meet.slice";
jitsi-videobridge2.serviceConfig.Slice = "jitsi_meet.slice";
prosody.serviceConfig.Slice = "jitsi_meet.slice";
};
slices.jitsi_meet = {
description = "Jitsi Meet service slice";
};
};
};
}
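Review bot: The slice name `jitsi_meet.slice` (likewise `simple_nixos_mailserver.slice` in the mailserver file) uses an underscore for a non-obvious reason that deserves a comment: systemd treats a dash in a slice name as a hierarchy separator, so `jitsi-meet.slice` would be created as a child of `jitsi.slice`. Suggest `# underscore on purpose: a dash in a slice name nests it under a parent slice (systemd.slice(5))` above `slices.jitsi_meet`. The enclosing config attrset starts outside the hunk.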


@ -1,6 +1,8 @@
{config, lib, ...}: let
{ config, lib, ... }:
let
cfg = config.selfprivacy.modules.monitoring;
in {
in
{
options.selfprivacy.modules.monitoring = {
enable = lib.mkOption {
default = false;
@ -21,6 +23,12 @@ in {
];
};
};
services.cadvisor = {
enable = true;
port = 9003;
listenAddress = "127.0.0.1";
extraOptions = [ "--enable_metrics=cpu,memory,diskIO" ];
};
services.prometheus = {
enable = true;
port = 9001;
@ -40,7 +48,23 @@ in {
targets = [ "127.0.0.1:9002" ];
}];
}
{
job_name = "cadvisor";
static_configs = [{
targets = [ "127.0.0.1:9003" ];
}];
}
];
};
systemd = {
services = {
prometheus.serviceConfig.Slice = "monitoring.slice";
prometheus-node-exporter.serviceConfig.Slice = "monitoring.slice";
cadvisor.serviceConfig.Slice = "monitoring.slice";
};
slices.monitoring = {
description = "Monitoring service slice";
};
};
};
}
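Review bot: cadvisor is bound to `127.0.0.1:9003`, but the matching `listenAddress` for `services.prometheus` is not visible in the hunk (only `port = 9001` is), and the NixOS default for that option is `0.0.0.0`; confirm it is set to loopback in the unchanged part of the file, otherwise the newly scraped per-cgroup metrics are reachable on every interface subject only to the firewall. A one-line comment on the cadvisor block such as `# loopback only: scraped by the local prometheus, never exposed directly` would make the intent explicit for the next exporter that gets added. The options block and the config attrset continue outside the hunk.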


@ -34,27 +34,39 @@
];
};
};
systemd.services.nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
systemd = {
services = {
phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
nextcloud-setup.serviceConfig.Slice = "nextcloud.slice";
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
package = pkgs.nextcloud28;
inherit hostName;
# Use HTTPS for links
@ -65,10 +77,12 @@
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
config = {
settings = {
# further forces Nextcloud to use HTTPS
overwriteProtocol = "https";
overwriteprotocol = "https";
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
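Review bot: `phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice"` (and `phpfpm-roundcube` in roundcube.nix) overrides a value set elsewhere without saying which; presumably the phpfpm module assigns its pool units a slice of its own, which is why only the phpfpm units need `mkForce` while `nextcloud-setup` and the others do not. Add `# mkForce: the phpfpm module already assigns a Slice to its pool units` on that line so the asymmetry is not mistaken for an accident. The `services.nextcloud` block continues past the end of the hunk.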


@ -75,6 +75,16 @@ in
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ];
systemd = {
services = {
ocserv = {
unitConfig.ConditionPathExists = [ cert key ];
serviceConfig.Slice = "ocserv.slice";
};
};
slices.ocserv = {
description = "ocserv service slice";
};
};
};
}


@ -68,28 +68,7 @@ in
];
};
};
systemd.services.pleroma-secrets = {
before = [ "pleroma.service" ];
requiredBy = [ "pleroma.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
password="$(jq -re '.databasePassword' ${secrets-filepath})"
filecontents=$(cat <<- EOF
import Config
config :pleroma, Pleroma.Repo,
password: "$password"
EOF
)
install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma
install -C -m 0600 -o pleroma -g pleroma -DT \
<(printf "%s" "$filecontents") ${secrets-exs}
'';
};
environment.etc."setup.psql".text = ''
CREATE USER pleroma;
CREATE DATABASE pleroma OWNER pleroma;
@ -105,8 +84,40 @@ in
isSystemUser = true;
group = "pleroma";
};
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ];
systemd = {
services = {
pleroma-secrets = {
before = [ "pleroma.service" ];
requiredBy = [ "pleroma.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
password="$(jq -re '.databasePassword' ${secrets-filepath})"
filecontents=$(cat <<- EOF
import Config
config :pleroma, Pleroma.Repo,
password: "$password"
EOF
)
install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma
install -C -m 0600 -o pleroma -g pleroma -DT \
<(printf "%s" "$filecontents") ${secrets-exs}
'';
};
pleroma = {
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
path = [ pkgs.util-linux ];
serviceConfig.Slice = "pleroma.slice";
};
};
slices.pleroma = {
description = "Pleroma service slice";
};
};
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
root = "/var/www/${cfg.subdomain}.${sp.domain}";
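Review bot: In pleroma-secrets the database password is pasted verbatim into an Elixir string literal (`password: "$password"`), so a value containing `"`, `\` or `#{` breaks or alters the generated `${secrets-exs}`. If the password always comes from the project's own generator this is a constraint worth stating rather than assuming: add `# NOTE: substituted unescaped into an Elixir string; the password must not contain '"', '\' or '#{'` above the heredoc, or escape those characters before substituting. The `services.nginx.virtualHosts` block at the end continues outside the hunk.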


@ -35,5 +35,13 @@ in
useACMEHost = domain;
enableACME = false;
};
systemd = {
services = {
phpfpm-roundcube.serviceConfig.Slice = lib.mkForce "roundcube.slice";
};
slices.roundcube = {
description = "Roundcube service slice";
};
};
};
}


@ -89,4 +89,18 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
virusScanning = false;
};
systemd = {
services = {
dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
};
slices."simple_nixos_mailserver" = {
name = "simple_nixos_mailserver.slice";
description = "Simple NixOS Mailserver service slice";
};
};
}
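Review bot: `slices."simple_nixos_mailserver"` sets `name = "simple_nixos_mailserver.slice"` explicitly while every other file in this commit relies on the attribute name alone; the explicit value appears to equal what the attribute name already yields, so the line is redundant and reads as if something different were intended. Either drop the `name =` line or add a comment stating why this slice needs it, so the slice declarations stay uniform across modules. The `lib.mkIf` attrset enclosing this starts outside the hunk.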


@ -37,16 +37,15 @@
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils"
},
"locked": {
"lastModified": 1700085753,
"narHash": "sha256-qtib7f3eRwfaUF+VziJXiBcZFqpHCAXS4HlrFsnzzl4=",
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "008d78cc21959e33d0d31f375b88353a7d7121ae",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {
@ -70,33 +69,18 @@
"type": "indirect"
}
},
"nixpkgs-22_11": {
"nixpkgs-24_05": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"lastModified": 1721949857,
"narHash": "sha256-DID446r8KsmJhbCzx4el8d9SnPiE8qa6+eEQOJ40vR0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"rev": "a1cc729dcbc31d9b0d11d86dc7436163548a9665",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"ref": "nixos-24.05",
"type": "indirect"
}
},