feat: Server monitroing, NixOS 24.05 (#84)

Co-authored-by: nhnn <nhnn@disroot.org>
Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/84
Inex Code 2024-07-30 19:19:06 +03:00
parent a6caa18981
commit 5218868b33
12 changed files with 195 additions and 102 deletions


@ -27,15 +27,12 @@ in
# ./resources/limits.nix # ./resources/limits.nix
]; ];
# We have to use this version to be able to migrate from Gitea.
nixpkgs.config.permittedInsecurePackages = [
"forgejo-1.20.6-1-unstable-2024-04-18"
];
fileSystems."/".options = [ "noatime" ]; fileSystems."/".options = [ "noatime" ];
services.selfprivacy-api.enable = true; services.selfprivacy-api.enable = true;
services.redis.package = pkgs.valkey;
services.redis.servers.${redis-sp-api-srv-name} = { services.redis.servers.${redis-sp-api-srv-name} = {
enable = true; enable = true;
save = [ save = [


@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1720535198, "lastModified": 1722221733,
"narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=", "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5", "rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719847554, "lastModified": 1722347757,
"narHash": "sha256-DSPpfFVG7NOxJXhIe0FWOzII9nPG4WSwP4RD8sYRZFo=", "narHash": "sha256-zXnhxAnNV3KyLa3BKc1ZMakQdZBj6M3UZ4TIr1cbUSQ=",
"ref": "master", "ref": "master",
"rev": "4066be38ec11aabf47b03afd35778a53c6d28942", "rev": "4cd90d0c93d758fcd931092edd3b68585e24ecb9",
"revCount": 1309, "revCount": 1401,
"type": "git", "type": "git",
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git" "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
}, },


@ -59,6 +59,9 @@ in
]; ];
}; };
}; };
systemd.tmpfiles.rules = lib.mkIf sp.useBinds [
"d /volumes/${cfg.location}/bitwarden/backup 0700 vaultwarden vaultwarden -"
];
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
@ -72,28 +75,36 @@ in
EMERGENCY_ACCESS_ALLOWED = cfg.emergencyAccessAllowed; EMERGENCY_ACCESS_ALLOWED = cfg.emergencyAccessAllowed;
}; };
}; };
systemd.services.bitwarden-secrets = { systemd = {
before = [ "vaultwarden.service" ]; services = {
requiredBy = [ "vaultwarden.service" ]; vaultwarden.serviceConfig.Slice = "bitwarden.slice";
serviceConfig.Type = "oneshot"; bitwarden-secrets = {
path = with pkgs; [ coreutils jq ]; before = [ "vaultwarden.service" ];
script = '' requiredBy = [ "vaultwarden.service" ];
set -o nounset serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})" token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
if [ "$token" == "null" ]; then if [ "$token" == "null" ]; then
# If it's null, empty the contents of the file # If it's null, empty the contents of the file
bitwarden_env="" bitwarden_env=""
else else
bitwarden_env="ADMIN_TOKEN=$token" bitwarden_env="ADMIN_TOKEN=$token"
fi fi
install -C -m 0700 -o vaultwarden -g vaultwarden \ install -C -m 0700 -o vaultwarden -g vaultwarden \
-d /var/lib/bitwarden -d /var/lib/bitwarden
install -C -m 0600 -o vaultwarden -g vaultwarden -DT \ install -C -m 0600 -o vaultwarden -g vaultwarden -DT \
<(printf "%s" "$bitwarden_env") ${bitwarden-env} <(printf "%s" "$bitwarden_env") ${bitwarden-env}
''; '';
};
};
slices.bitwarden = {
description = "Bitwarden service slice";
};
}; };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain; useACMEHost = sp.domain;
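Review bot: The new `bitwarden.slice` only receives `vaultwarden.service`; the `bitwarden-secrets` oneshot declared right next to it in the same `systemd.services` set stays in the default slice, and the same pattern appears with `nextcloud-secrets` in the nextcloud section and `pleroma-secrets` in the pleroma section. If the slices are meant to account for every unit of an application, add `serviceConfig.Slice = "bitwarden.slice";` to `bitwarden-secrets` (and likewise in the other two); if leaving the oneshot helpers out is deliberate, record it on `slices.bitwarden`, e.g. `# only the long-running units live in the slice; the oneshot secrets helper stays in system.slice`. Nothing in the hunk says why the slices are introduced at all, so a one-line comment on `slices.bitwarden` stating their purpose (presumably per-application cgroup grouping for the monitoring added in this commit) would keep the next maintainer from treating them as dead config. The `services.nginx.virtualHosts` set at the end of the hunk continues past it.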


@ -146,7 +146,17 @@ in
}; };
}; };
}; };
systemd.services.forgejo.unitConfig.RequiresMountsFor = systemd = {
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea"; services.forgejo = {
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
serviceConfig = {
Slice = "gitea.slice";
};
};
slices.gitea = {
description = "Forgejo service slice";
};
};
}; };
} }


@ -40,5 +40,15 @@ in
useACMEHost = domain; useACMEHost = domain;
enableACME = false; enableACME = false;
}; };
systemd = {
services = {
jicofo.serviceConfig.Slice = "jitsi_meet.slice";
jitsi-videobridge2.serviceConfig.Slice = "jitsi_meet.slice";
prosody.serviceConfig.Slice = "jitsi_meet.slice";
};
slices.jitsi_meet = {
description = "Jitsi Meet service slice";
};
};
}; };
} }


@ -1,6 +1,8 @@
{config, lib, ...}: let { config, lib, ... }:
let
cfg = config.selfprivacy.modules.monitoring; cfg = config.selfprivacy.modules.monitoring;
in { in
{
options.selfprivacy.modules.monitoring = { options.selfprivacy.modules.monitoring = {
enable = lib.mkOption { enable = lib.mkOption {
default = false; default = false;
@ -21,6 +23,12 @@ in {
]; ];
}; };
}; };
services.cadvisor = {
enable = true;
port = 9003;
listenAddress = "127.0.0.1";
extraOptions = [ "--enable_metrics=cpu,memory,diskIO" ];
};
services.prometheus = { services.prometheus = {
enable = true; enable = true;
port = 9001; port = 9001;
@ -40,7 +48,23 @@ in {
targets = [ "127.0.0.1:9002" ]; targets = [ "127.0.0.1:9002" ];
}]; }];
} }
{
job_name = "cadvisor";
static_configs = [{
targets = [ "127.0.0.1:9003" ];
}];
}
]; ];
}; };
systemd = {
services = {
prometheus.serviceConfig.Slice = "monitoring.slice";
prometheus-node-exporter.serviceConfig.Slice = "monitoring.slice";
cadvisor.serviceConfig.Slice = "monitoring.slice";
};
slices.monitoring = {
description = "Monitoring service slice";
};
};
}; };
} }
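Review bot: `services.cadvisor` is added without a comment tying it to `monitoring.slice` and to the per-application slices created in the other modules of this commit; if cadvisor's per-cgroup metrics are the reason those slices exist, say so on the `services.cadvisor` line, e.g. `# cadvisor reports usage per cgroup; the per-app systemd slices in the other modules make each application its own cgroup`, so nobody removes one half without the other. The exporter is bound to `127.0.0.1:9003` and is only scraped by the local Prometheus job `cadvisor`, which keeps it off the network, and that is worth stating next to `listenAddress` since the other exporter targets in the hunk follow the same loopback convention. `extraOptions = [ "--enable_metrics=cpu,memory,diskIO" ]` narrows cadvisor's collector set; a short comment naming the reason (noise, cost, or just what the dashboards need) would help since the choice is otherwise undocumented.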


@ -34,27 +34,39 @@
]; ];
}; };
}; };
systemd.services.nextcloud-secrets = { systemd = {
before = [ "nextcloud-setup.service" ]; services = {
requiredBy = [ "nextcloud-setup.service" ]; phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
serviceConfig.Type = "oneshot"; nextcloud-setup.serviceConfig.Slice = "nextcloud.slice";
path = with pkgs; [ coreutils jq ]; nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
script = '' nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath}) nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath}) nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \ install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \ <(printf "%s\n" "$databasePassword") \
${db-pass-filepath} ${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \ install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \ <(printf "%s\n" "$adminPassword") \
${admin-pass-filepath} ${admin-pass-filepath}
''; '';
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
}; };
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud27; package = pkgs.nextcloud28;
inherit hostName; inherit hostName;
# Use HTTPS for links # Use HTTPS for links
@ -65,10 +77,12 @@
# set what time makes sense for you # set what time makes sense for you
autoUpdateApps.startAt = "05:00:00"; autoUpdateApps.startAt = "05:00:00";
config = { settings = {
# further forces Nextcloud to use HTTPS # further forces Nextcloud to use HTTPS
overwriteProtocol = "https"; overwriteprotocol = "https";
};
config = {
dbtype = "sqlite"; dbtype = "sqlite";
dbuser = "nextcloud"; dbuser = "nextcloud";
dbname = "nextcloud"; dbname = "nextcloud";


@ -75,6 +75,16 @@ in
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
''; '';
}; };
systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ]; systemd = {
services = {
ocserv = {
unitConfig.ConditionPathExists = [ cert key ];
serviceConfig.Slice = "ocserv.slice";
};
};
slices.ocserv = {
description = "ocserv service slice";
};
};
}; };
} }


@ -68,28 +68,7 @@ in
]; ];
}; };
}; };
systemd.services.pleroma-secrets = {
before = [ "pleroma.service" ];
requiredBy = [ "pleroma.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
password="$(jq -re '.databasePassword' ${secrets-filepath})"
filecontents=$(cat <<- EOF
import Config
config :pleroma, Pleroma.Repo,
password: "$password"
EOF
)
install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma
install -C -m 0600 -o pleroma -g pleroma -DT \
<(printf "%s" "$filecontents") ${secrets-exs}
'';
};
environment.etc."setup.psql".text = '' environment.etc."setup.psql".text = ''
CREATE USER pleroma; CREATE USER pleroma;
CREATE DATABASE pleroma OWNER pleroma; CREATE DATABASE pleroma OWNER pleroma;
@ -105,8 +84,40 @@ in
isSystemUser = true; isSystemUser = true;
group = "pleroma"; group = "pleroma";
}; };
# seems to be an upstream nixpkgs/nixos bug (missing hexdump) systemd = {
systemd.services.pleroma.path = [ pkgs.util-linux ]; services = {
pleroma-secrets = {
before = [ "pleroma.service" ];
requiredBy = [ "pleroma.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
password="$(jq -re '.databasePassword' ${secrets-filepath})"
filecontents=$(cat <<- EOF
import Config
config :pleroma, Pleroma.Repo,
password: "$password"
EOF
)
install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma
install -C -m 0600 -o pleroma -g pleroma -DT \
<(printf "%s" "$filecontents") ${secrets-exs}
'';
};
pleroma = {
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
path = [ pkgs.util-linux ];
serviceConfig.Slice = "pleroma.slice";
};
};
slices.pleroma = {
description = "Pleroma service slice";
};
};
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain; useACMEHost = sp.domain;
root = "/var/www/${cfg.subdomain}.${sp.domain}"; root = "/var/www/${cfg.subdomain}.${sp.domain}";
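Review bot: The relocated `pleroma-secrets` script interpolates `$password` verbatim into an Elixir string literal inside the heredoc (`password: "$password"`), so a database password containing `"`, `\` or a newline produces an unparseable secrets file and a failed `pleroma.service` start. The block is only moved by this commit, not changed, but since it is being touched it is the moment either to escape those characters before the heredoc or to document the constraint above it with `# the password is inserted verbatim into an Elixir string; it must not contain ", \ or newlines`. The `services.nginx.virtualHosts` set at the end of the hunk continues past it.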


@ -35,5 +35,13 @@ in
useACMEHost = domain; useACMEHost = domain;
enableACME = false; enableACME = false;
}; };
systemd = {
services = {
phpfpm-roundcube.serviceConfig.Slice = lib.mkForce "roundcube.slice";
};
slices.roundcube = {
description = "Roundcube service slice";
};
};
}; };
} }


@ -89,4 +89,18 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
virusScanning = false; virusScanning = false;
}; };
systemd = {
services = {
dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
};
slices."simple_nixos_mailserver" = {
name = "simple_nixos_mailserver.slice";
description = "Simple NixOS Mailserver service slice";
};
};
} }
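Review bot: `slices."simple_nixos_mailserver"` is declared with a quoted attribute name and an explicit `name = "simple_nixos_mailserver.slice";`, while every other slice in this commit (`monitoring`, `nextcloud`, `pleroma`, `roundcube`, …) uses a bare attribute and no `name`. If `name` merely restates the value derived from the attribute name, the declaration can be reduced to `slices.simple_nixos_mailserver = { description = "Simple NixOS Mailserver service slice"; };` for consistency; if it is needed for some reason, a comment on the `name` line should say why, because a reader will otherwise assume it is redundant and remove it. The attribute set being extended starts outside the hunk (the `lib.mkIf sp.modules.simple-nixos-mailserver.enable` body named in the hunk header).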


@ -37,16 +37,15 @@
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-24_05": "nixpkgs-24_05",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1700085753, "lastModified": 1718084203,
"narHash": "sha256-qtib7f3eRwfaUF+VziJXiBcZFqpHCAXS4HlrFsnzzl4=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "008d78cc21959e33d0d31f375b88353a7d7121ae", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -70,33 +69,18 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-22_11": { "nixpkgs-24_05": {
"locked": { "locked": {
"lastModified": 1669558522, "lastModified": 1721949857,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", "narHash": "sha256-DID446r8KsmJhbCzx4el8d9SnPiE8qa6+eEQOJ40vR0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", "rev": "a1cc729dcbc31d9b0d11d86dc7436163548a9665",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-22.11", "ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect" "type": "indirect"
} }
}, },