From 5218868b3362414b6f2b3b0e44acd83a31e261b4 Mon Sep 17 00:00:00 2001 From: Inex Code Date: Tue, 30 Jul 2024 19:19:06 +0300 Subject: [PATCH] feat: Server monitroing, NixOS 24.05 (#84) Co-authored-by: nhnn Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/84 --- configuration.nix | 7 +-- flake.lock | 14 ++--- sp-modules/bitwarden/module.nix | 49 +++++++++------- sp-modules/gitea/module.nix | 14 ++++- sp-modules/jitsi-meet/module.nix | 10 ++++ sp-modules/monitoring/module.nix | 28 ++++++++- sp-modules/nextcloud/module.nix | 50 ++++++++++------ sp-modules/ocserv/module.nix | 12 +++- sp-modules/pleroma/module.nix | 57 +++++++++++-------- sp-modules/roundcube/module.nix | 8 +++ sp-modules/simple-nixos-mailserver/config.nix | 14 +++++ sp-modules/simple-nixos-mailserver/flake.lock | 34 +++-------- 12 files changed, 195 insertions(+), 102 deletions(-) diff --git a/configuration.nix b/configuration.nix index a9a8e7a..463994a 100644 --- a/configuration.nix +++ b/configuration.nix @@ -27,15 +27,12 @@ in # ./resources/limits.nix ]; - # We have to use this version to be able to migrate from Gitea. - nixpkgs.config.permittedInsecurePackages = [ - "forgejo-1.20.6-1-unstable-2024-04-18" - ]; - fileSystems."/".options = [ "noatime" ]; services.selfprivacy-api.enable = true; + services.redis.package = pkgs.valkey; + services.redis.servers.${redis-sp-api-srv-name} = { enable = true; save = [ diff --git a/flake.lock b/flake.lock index 1cb4715..f9b7c36 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1720535198, - "narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=", + "lastModified": 1722221733, + "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", "type": "github" }, "original": { 
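Review bot: `services.redis.package = pkgs.valkey;` is a global default for every `services.redis.servers.*` instance on the host, not only the selfprivacy-api server declared right below it, so the mailserver's `redis-rspamd` instance touched later in this patch switches to Valkey as well; the line deserves a comment stating that this is intended and why, e.g. `# Valkey replaces Redis for all services.redis.servers.* instances (sp-api, redis-rspamd, ...)`. Dropping the `permittedInsecurePackages` entry for forgejo 1.20.6 also removes the explicit Gitea migration path the deleted comment documented; if any installation can still be on pre-migration data, that presumably belongs in the commit message. The enclosing `config` attrset starts and ends outside the hunk.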
@@ -28,11 +28,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719847554,
- "narHash": "sha256-DSPpfFVG7NOxJXhIe0FWOzII9nPG4WSwP4RD8sYRZFo=",
+ "lastModified": 1722347757,
+ "narHash": "sha256-zXnhxAnNV3KyLa3BKc1ZMakQdZBj6M3UZ4TIr1cbUSQ=",
 "ref": "master",
- "rev": "4066be38ec11aabf47b03afd35778a53c6d28942",
- "revCount": 1309,
+ "rev": "4cd90d0c93d758fcd931092edd3b68585e24ecb9",
+ "revCount": 1401,
 "type": "git",
 "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
 },
diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
index 5f4b799..ad4ab09 100644
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -59,6 +59,9 @@ in
 ];
 };
 };
+ systemd.tmpfiles.rules = lib.mkIf sp.useBinds [
+ "d /volumes/${cfg.location}/bitwarden/backup 0700 vaultwarden vaultwarden -"
+ ];
 services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
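Review bot: The new `systemd.tmpfiles.rules` entry creates `/volumes/${cfg.location}/bitwarden/backup` via systemd-tmpfiles, while the rest of this module (the `bitwarden-secrets` oneshot in the next hunk) creates its directories with `install -d` and is explicitly ordered `before = [ "vaultwarden.service" ]`; two creation mechanisms in one module make ordering harder to reason about, and if `/volumes/...` is not yet mounted when tmpfiles-setup runs the directory would land on the underlying filesystem. Adding `install -C -m 0700 -o vaultwarden -g vaultwarden -d /volumes/${cfg.location}/bitwarden/backup` (under the same `sp.useBinds` condition) to that oneshot would keep a single path; otherwise a comment naming what writes into the backup directory would help, since nothing else in this patch references it. The `lib.mkIf sp.useBinds` guard also means the directory is never created without binds, which is presumably deliberate but worth stating next to the rule.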
@@ -72,28 +75,36 @@ in EMERGENCY_ACCESS_ALLOWED = cfg.emergencyAccessAllowed; }; }; - systemd.services.bitwarden-secrets = { - before = [ "vaultwarden.service" ]; - requiredBy = [ "vaultwarden.service" ]; - serviceConfig.Type = "oneshot"; - path = with pkgs; [ coreutils jq ]; - script = '' - set -o nounset + systemd = { + services = { + vaultwarden.serviceConfig.Slice = "bitwarden.slice"; + bitwarden-secrets = { + before = [ "vaultwarden.service" ]; + requiredBy = [ "vaultwarden.service" ]; + serviceConfig.Type = "oneshot"; + path = with pkgs; [ coreutils jq ]; + script = '' + set -o nounset - token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})" - if [ "$token" == "null" ]; then - # If it's null, empty the contents of the file - bitwarden_env="" - else - bitwarden_env="ADMIN_TOKEN=$token" - fi + token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})" + if [ "$token" == "null" ]; then + # If it's null, empty the contents of the file + bitwarden_env="" + else + bitwarden_env="ADMIN_TOKEN=$token" + fi - install -C -m 0700 -o vaultwarden -g vaultwarden \ - -d /var/lib/bitwarden + install -C -m 0700 -o vaultwarden -g vaultwarden \ + -d /var/lib/bitwarden - install -C -m 0600 -o vaultwarden -g vaultwarden -DT \ - <(printf "%s" "$bitwarden_env") ${bitwarden-env} - ''; + install -C -m 0600 -o vaultwarden -g vaultwarden -DT \ + <(printf "%s" "$bitwarden_env") ${bitwarden-env} + ''; + }; + }; + slices.bitwarden = { + description = "Bitwarden service slice"; + }; }; services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { useACMEHost = sp.domain; diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix index ca7d012..d854127 100644 --- a/sp-modules/gitea/module.nix +++ b/sp-modules/gitea/module.nix 
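Review bot: Each module in this patch now declares a `systemd.slices.<name>` carrying only a `description` and points its units at it through `serviceConfig.Slice`, but nothing says what the slice is for; with no `sliceConfig` limits set, the slices only group cgroups, presumably so the cAdvisor/Prometheus setup added in sp-modules/monitoring can attribute CPU, memory and disk I/O per service. A one-line comment on the first slice, e.g. `# Accounting-only slice: groups this service's units so monitoring can report per-service resource usage; no limits are applied.`, would make that intent explicit, and the same applies to the gitea, jitsi-meet, monitoring, nextcloud, ocserv, pleroma, roundcube and simple-nixos-mailserver hunks. `bitwarden-secrets` is left outside `bitwarden.slice` while `vaultwarden` is inside, consistently with the other modules' secrets oneshots; if that is intentional a comment saves the question later. The `config` attrset this block lives in starts and ends outside the hunk.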
@@ -146,7 +146,17 @@ in }; }; }; - systemd.services.forgejo.unitConfig.RequiresMountsFor = - lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea"; + systemd = { + services.forgejo = { + unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea"; + serviceConfig = { + Slice = "gitea.slice"; + }; + }; + slices.gitea = { + description = "Forgejo service slice"; + }; + }; + }; } diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix index 3dae656..09c6699 100644 --- a/sp-modules/jitsi-meet/module.nix +++ b/sp-modules/jitsi-meet/module.nix @@ -40,5 +40,15 @@ in useACMEHost = domain; enableACME = false; }; + systemd = { + services = { + jicofo.serviceConfig.Slice = "jitsi_meet.slice"; + jitsi-videobridge2.serviceConfig.Slice = "jitsi_meet.slice"; + prosody.serviceConfig.Slice = "jitsi_meet.slice"; + }; + slices.jitsi_meet = { + description = "Jitsi Meet service slice"; + }; + }; }; } diff --git a/sp-modules/monitoring/module.nix b/sp-modules/monitoring/module.nix index 7ad8f83..5981af7 100644 --- a/sp-modules/monitoring/module.nix +++ b/sp-modules/monitoring/module.nix @@ -1,6 +1,8 @@ -{config, lib, ...}: let +{ config, lib, ... }: +let cfg = config.selfprivacy.modules.monitoring; -in { +in +{ options.selfprivacy.modules.monitoring = { enable = lib.mkOption { default = false; @@ -21,6 +23,12 @@ in { ]; }; }; + services.cadvisor = { + enable = true; + port = 9003; + listenAddress = "127.0.0.1"; + extraOptions = [ "--enable_metrics=cpu,memory,diskIO" ]; + }; services.prometheus = { enable = true; port = 9001; 
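Review bot: In the forgejo service block `serviceConfig = { Slice = "gitea.slice"; };` is the only place in this patch that spells the slice assignment as a nested attrset; every other module writes `<unit>.serviceConfig.Slice = "...";`, so `serviceConfig.Slice = "gitea.slice";` would keep the style uniform. The `RequiresMountsFor` line is moved unchanged into the same block, which is fine. The enclosing `config` attrset starts outside the hunk.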
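Review bot: The slice is named `jitsi_meet.slice` with an underscore; that is the right choice because systemd treats `-` in a slice name as a hierarchy separator, so `jitsi-meet.slice` would be created as a child of `jitsi.slice`, but the reason is not obvious and deserves a comment, e.g. `# underscore on purpose: "jitsi-meet.slice" would nest under jitsi.slice`. The same reasoning applies to `simple_nixos_mailserver.slice` in sp-modules/simple-nixos-mailserver/config.nix. The enclosing `config` attrset begins outside the hunk.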
@@ -40,7 +48,23 @@ in { targets = [ "127.0.0.1:9002" ]; }]; } + { + job_name = "cadvisor"; + static_configs = [{ + targets = [ "127.0.0.1:9003" ]; + }]; + } ]; }; + systemd = { + services = { + prometheus.serviceConfig.Slice = "monitoring.slice"; + prometheus-node-exporter.serviceConfig.Slice = "monitoring.slice"; + cadvisor.serviceConfig.Slice = "monitoring.slice"; + }; + slices.monitoring = { + description = "Monitoring service slice"; + }; + }; }; } diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix index 95286c7..b713f0d 100644 --- a/sp-modules/nextcloud/module.nix +++ b/sp-modules/nextcloud/module.nix 
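Review bot: The new `cadvisor` scrape job hard-codes `targets = [ "127.0.0.1:9003" ];`, duplicating the `port = 9003` set in `services.cadvisor` in the previous hunk; the two will drift silently if either is changed. `targets = [ "127.0.0.1:${toString config.services.cadvisor.port}" ];` ties them together (the module already takes `config` in its argument set), and a `let` binding would do the same for the existing node-exporter target on 9002. cAdvisor itself is bound to loopback via `listenAddress = "127.0.0.1"`, which is the right exposure for a scrape-only endpoint. The enclosing `services.prometheus` attrset starts outside the hunk.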
@@ -34,27 +34,39 @@ ]; }; }; - systemd.services.nextcloud-secrets = { - before = [ "nextcloud-setup.service" ]; - requiredBy = [ "nextcloud-setup.service" ]; - serviceConfig.Type = "oneshot"; - path = with pkgs; [ coreutils jq ]; - script = '' - databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath}) - adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath}) + systemd = { + services = { + phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice"; + nextcloud-setup.serviceConfig.Slice = "nextcloud.slice"; + nextcloud-cron.serviceConfig.Slice = "nextcloud.slice"; + nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice"; + nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice"; + nextcloud-secrets = { + before = [ "nextcloud-setup.service" ]; + requiredBy = [ "nextcloud-setup.service" ]; + serviceConfig.Type = "oneshot"; + path = with pkgs; [ coreutils jq ]; + script = '' + databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath}) + adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath}) - install -C -m 0440 -o nextcloud -g nextcloud -DT \ - <(printf "%s\n" "$databasePassword") \ - ${db-pass-filepath} + install -C -m 0440 -o nextcloud -g nextcloud -DT \ + <(printf "%s\n" "$databasePassword") \ + ${db-pass-filepath} - install -C -m 0440 -o nextcloud -g nextcloud -DT \ - <(printf "%s\n" "$adminPassword") \ - ${admin-pass-filepath} - ''; + install -C -m 0440 -o nextcloud -g nextcloud -DT \ + <(printf "%s\n" "$adminPassword") \ + ${admin-pass-filepath} + ''; + }; + }; + slices.nextcloud = { + description = "Nextcloud service slice"; + }; }; services.nextcloud = { enable = true; - package = pkgs.nextcloud27; + package = pkgs.nextcloud28; inherit hostName; # Use HTTPS for links 
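Review bot: `phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";` uses `mkForce` where every other unit in this patch uses a plain assignment, which implies the phpfpm module already assigns a `Slice` to its pool units (the same `mkForce` appears on `phpfpm-roundcube` in sp-modules/roundcube/module.nix); a comment such as `# mkForce: the phpfpm module sets its own Slice on pool units` would spare the next reader the lookup. The package bump `pkgs.nextcloud27` → `pkgs.nextcloud28` is a single major step, which is the only kind of upgrade Nextcloud supports in one go, and presumably runs the data migration on the next `nextcloud-setup` start; it is worth a sentence in the commit message, whose title only mentions monitoring and NixOS 24.05. The `nextcloud-secrets` oneshot is moved unchanged and stays outside the slice. The enclosing `config` attrset starts and ends outside the hunk.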
@@ -65,10 +77,12 @@ # set what time makes sense for you autoUpdateApps.startAt = "05:00:00"; - config = { + settings = { # further forces Nextcloud to use HTTPS - overwriteProtocol = "https"; + overwriteprotocol = "https"; + }; + config = { dbtype = "sqlite"; dbuser = "nextcloud"; dbname = "nextcloud"; diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix index b7ebd6b..f4d2dc0 100644 --- a/sp-modules/ocserv/module.nix +++ b/sp-modules/ocserv/module.nix @@ -75,6 +75,16 @@ in proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; }; - systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ]; + systemd = { + services = { + ocserv = { + unitConfig.ConditionPathExists = [ cert key ]; + serviceConfig.Slice = "ocserv.slice"; + }; + }; + slices.ocserv = { + description = "ocserv service slice"; + }; + }; }; } diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix index 97cda59..f345e5d 100644 --- a/sp-modules/pleroma/module.nix +++ b/sp-modules/pleroma/module.nix @@ -68,28 +68,7 @@ in ]; }; }; - systemd.services.pleroma-secrets = { - before = [ "pleroma.service" ]; - requiredBy = [ "pleroma.service" ]; - serviceConfig.Type = "oneshot"; - path = with pkgs; [ coreutils jq ]; - script = '' - set -o nounset - password="$(jq -re '.databasePassword' ${secrets-filepath})" - filecontents=$(cat <<- EOF - import Config - config :pleroma, Pleroma.Repo, - password: "$password" - EOF - ) - - install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma - - install -C -m 0600 -o pleroma -g pleroma -DT \ - <(printf "%s" "$filecontents") ${secrets-exs} - ''; - }; environment.etc."setup.psql".text = '' CREATE USER pleroma; CREATE DATABASE pleroma OWNER pleroma; 
@@ -105,8 +84,40 @@ in isSystemUser = true; group = "pleroma"; }; - # seems to be an upstream nixpkgs/nixos bug (missing hexdump) - systemd.services.pleroma.path = [ pkgs.util-linux ]; + systemd = { + services = { + pleroma-secrets = { + before = [ "pleroma.service" ]; + requiredBy = [ "pleroma.service" ]; + serviceConfig.Type = "oneshot"; + path = with pkgs; [ coreutils jq ]; + script = '' + set -o nounset + + password="$(jq -re '.databasePassword' ${secrets-filepath})" + filecontents=$(cat <<- EOF + import Config + config :pleroma, Pleroma.Repo, + password: "$password" + EOF + ) + + install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma + + install -C -m 0600 -o pleroma -g pleroma -DT \ + <(printf "%s" "$filecontents") ${secrets-exs} + ''; + }; + pleroma = { + # seems to be an upstream nixpkgs/nixos bug (missing hexdump) + path = [ pkgs.util-linux ]; + serviceConfig.Slice = "pleroma.slice"; + }; + }; + slices.pleroma = { + description = "Pleroma service slice"; + }; + }; services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { useACMEHost = sp.domain; root = "/var/www/${cfg.subdomain}.${sp.domain}"; diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix index 01b6566..a279ff1 100644 --- a/sp-modules/roundcube/module.nix +++ b/sp-modules/roundcube/module.nix @@ -35,5 +35,13 @@ in useACMEHost = domain; enableACME = false; }; + systemd = { + services = { + phpfpm-roundcube.serviceConfig.Slice = lib.mkForce "roundcube.slice"; + }; + slices.roundcube = { + description = "Roundcube service slice"; + }; + }; }; } diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix index 81d847f..a969f36 100644 --- a/sp-modules/simple-nixos-mailserver/config.nix +++ b/sp-modules/simple-nixos-mailserver/config.nix 
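Review bot: In the moved `pleroma-secrets` script, `password: "$password"` places the database password verbatim inside an Elixir string literal in the heredoc, so a value containing `"`, `\` or `#{` would yield an invalid or altered `secrets.exs`; the bitwarden and nextcloud oneshots instead write the raw value with `printf "%s"` rather than embedding it in source code. This predates the patch but now sits on the new side, so either a comment stating that the API generates this password from a safe alphabet, or escaping those characters before interpolation, would close the gap. The `pleroma` unit keeps the `util-linux` path workaround and gains `serviceConfig.Slice = "pleroma.slice"`, while `pleroma-secrets` stays outside the slice, consistent with the other modules. The enclosing `config` attrset starts and ends outside the hunk.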
@@ -89,4 +89,18 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable virusScanning = false; }; + + systemd = { + services = { + dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + }; + slices."simple_nixos_mailserver" = { + name = "simple_nixos_mailserver.slice"; + description = "Simple NixOS Mailserver service slice"; + }; + }; } diff --git a/sp-modules/simple-nixos-mailserver/flake.lock b/sp-modules/simple-nixos-mailserver/flake.lock index bd18746..7f92ada 100644 --- a/sp-modules/simple-nixos-mailserver/flake.lock +++ b/sp-modules/simple-nixos-mailserver/flake.lock @@ -37,16 +37,15 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs", - "nixpkgs-22_11": "nixpkgs-22_11", - "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils" }, "locked": { - "lastModified": 1700085753, - "narHash": "sha256-qtib7f3eRwfaUF+VziJXiBcZFqpHCAXS4HlrFsnzzl4=", + "lastModified": 1718084203, + "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "008d78cc21959e33d0d31f375b88353a7d7121ae", + "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", "type": "gitlab" }, "original": { 
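Review bot: `slices."simple_nixos_mailserver"` is the only slice in this patch that also sets `name = "simple_nixos_mailserver.slice";` explicitly; the other modules rely on the attribute name alone, so either drop the `name` line or add a comment explaining why this file needs it. `redis-rspamd` is put into the slice here, and because configuration.nix now sets `services.redis.package = pkgs.valkey` globally this instance will run Valkey too, which is worth a short comment next to it. The surrounding `lib.mkIf sp.modules.simple-nixos-mailserver.enable` attrset starts outside the hunk.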
@@ -70,33 +69,18 @@
 "type": "indirect"
 }
 },
- "nixpkgs-22_11": {
+ "nixpkgs-24_05": {
 "locked": {
- "lastModified": 1669558522,
- "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+ "lastModified": 1721949857,
+ "narHash": "sha256-DID446r8KsmJhbCzx4el8d9SnPiE8qa6+eEQOJ40vR0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+ "rev": "a1cc729dcbc31d9b0d11d86dc7436163548a9665",
 "type": "github"
 },
 "original": {
 "id": "nixpkgs",
- "ref": "nixos-22.11",
- "type": "indirect"
- }
- },
- "nixpkgs-23_05": {
- "locked": {
- "lastModified": 1684782344,
- "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
- "type": "github"
- },
- "original": {
- "id": "nixpkgs",
- "ref": "nixos-23.05",
+ "ref": "nixos-24.05",
 "type": "indirect"
 }
 },