move monitoring services to a new host

This commit is contained in:
2024-09-13 20:06:54 +05:30
parent 5ca2129eeb
commit 8287257e29
8 changed files with 232 additions and 25 deletions


@ -5,6 +5,7 @@ keys:
- &hosts
- &canopus age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
- &controller age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
- &alpha age145uq9emlxqzm3wqauy9zqj78wqx9e6h09xag6wust7jjgn4upfzsaemcvx
- &wsl age1lyvzg4ud96trsuv6gsvjw0p3rtd6qjpyl9uleq8hcrzwekuhpfesnlqauf
creation_rules:
@ -14,6 +15,7 @@ creation_rules:
- *tux
- *canopus
- *controller
- *alpha
- *wsl
- path_regex: hosts/canopus/secrets.yaml$
key_groups:
@ -25,6 +27,11 @@ creation_rules:
- age:
- *tux
- *controller
- path_regex: hosts/alpha/secrets.yaml$
key_groups:
- age:
- *tux
- *alpha
- path_regex: hosts/wsl/secrets.yaml$
key_groups:
- age:


@ -84,6 +84,25 @@
];
};
alpha = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs username;};
modules = [
./hosts/alpha
home-manager.nixosModules.home-manager
{
home-manager.backupFileExtension = "backup";
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = {inherit inputs outputs username;};
home-manager.users.${username} = {
imports = [
./hosts/alpha/home.nix
];
};
}
];
};
wsl = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs username;};
modules = [
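Review bot: The new `alpha` nixosSystem repeats the home-manager wiring of the neighbouring host blocks line for line (specialArgs, backupFileExtension, useUserPackages, extraSpecialArgs, `home-manager.users.${username}.imports`), with only the host directory changing. A small helper taking the host name and returning `nixpkgs.lib.nixosSystem { ... modules = [ ./hosts/${name} ... ./hosts/${name}/home.nix ... ]; }` would keep the per-host blocks from drifting apart as more hosts are added. This is a point of style only; the block is correct as written. The `wsl` definition the hunk ends in continues outside the hunk.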

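--- /dev/null
+++ b/hosts/alpha/default.nix
@@ -0,0 +1,103 @@
+{
+pkgs,
+username,
+config,
+...
+}: {
+imports = [
+./hardware-configuration.nix
+../common
+../../modules/nixos/uptime-kuma.nix
+];
+sops.secrets = {
+borg_encryption_key = {
+sopsFile = ./secrets.yaml;
+};
+"cloudflare_credentials/email" = {
+sopsFile = ./secrets.yaml;
+};
+"cloudflare_credentials/dns_api_token" = {
+sopsFile = ./secrets.yaml;
+};
+};
+boot = {
+kernelPackages = pkgs.linuxPackages_zen;
+initrd.systemd.enable = true;
+loader = {
+grub.device = "/dev/sda";
+timeout = 1;
+};
+};
+networking = {
+hostName = "alpha";
+firewall = {
+enable = true;
+allowedTCPPorts = [80 443 22];
+};
+};
+security = {
+sudo.wheelNeedsPassword = false;
+acme = {
+acceptTerms = true;
+defaults.email = "0xtux@pm.me";
+certs = {
+"tux.rs" = {
+domain = "*.tux.rs";
+extraDomainNames = ["tux.rs"];
+dnsProvider = "cloudflare";
+credentialFiles = {
+CLOUDFLARE_EMAIL_FILE = config.sops.secrets."cloudflare_credentials/email".path;
+CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets."cloudflare_credentials/dns_api_token".path;
+};
+};
+};
+};
+};
+users.users.nginx.extraGroups = ["acme"];
+services = {
+nginx = {
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+borgbackup.jobs.alpha-backup = {
+paths = [
+"/var/lib/private/uptime-kuma"
+];
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets.borg_encryption_key.path}";
+};
+environment.BORG_RSH = "ssh -i /home/${username}/.ssh/storagebox";
+repo = "ssh://u416910@u416910.your-storagebox.de:23/./alpha-backups";
+compression = "auto,zstd";
+startAt = "daily";
+};
+};
+programs = {
+zsh.enable = true;
+nix-ld = {
+enable = true;
+package = pkgs.nix-ld-rs;
+};
+dconf.enable = true;
+};
+fonts.packages = with pkgs; [(nerdfonts.override {fonts = ["FiraCode" "JetBrainsMono"];})];
+system.stateVersion = "23.11";
+}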
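Review bot: The borgbackup job's `environment.BORG_RSH = "ssh -i /home/${username}/.ssh/storagebox";` pulls the repository SSH key from a user's home directory, while the repository passphrase a few lines above is already delivered through `sops.secrets.borg_encryption_key`; the NixOS borgbackup module runs the job as root unless `user` is set (it is not set here), so the non-interactive unit also depends on root's known_hosts already holding the storage box host key. Adding the key as a second sops secret next to `borg_encryption_key` (constructed name, e.g. `storagebox_ssh_key`) and pointing BORG_RSH at `config.sops.secrets.<that-secret>.path` keeps both credentials under one mechanism and off the user's home. Separately, `sudo.wheelNeedsPassword = false;` on a host whose firewall opens port 22 along with 80/443 makes any compromised wheel session immediately root; a one-line comment stating why that is acceptable for this host, or dropping the setting here, would help the next reader.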


@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/471d0988-e57c-4767-a2b4-c93797a8c16f";
fsType = "ext4";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

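--- /dev/null
+++ b/hosts/alpha/home.nix
@@ -0,0 +1,5 @@
+{...}: {
+imports = [
+../common/home.nix
+];
+}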

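--- /dev/null
+++ b/hosts/alpha/secrets.yaml
@@ -0,0 +1,33 @@
+borg_encryption_key: ENC[AES256_GCM,data:4rS4RVUbSErLEVJuUluYOrw0m2LlYP7zEeYTL4yTmc4=,iv:epNhm2nSDF4Lp+Iu/vZuDiTna+1q59lY7Ztmpcpmb5o=,tag:7o0MwZBdiDSPaL07qVOfWg==,type:str]
+cloudflare_credentials:
+email: ENC[AES256_GCM,data:Re656wFjQWWNO/k=,iv:NsRdtzMbkOPS9kN/y/IYzRrBr+xmDXp87DTiNwHKesc=,tag:4hGnmto08H2MKxk/7QkI5w==,type:str]
+dns_api_token: ENC[AES256_GCM,data:703Nk1PaePWYuKNVJkSVTplAvsSTLrYrWdhZlTqlMNRa6m2j5neahg==,iv:RHpz1O1TgFsooYGIJiI8Owwmk5hzd+x+DFADvt+k9C0=,tag:zlDnKbLbSBVXMaHOnk0AuQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTnRhZVg3MmNiOFpoeTE3
+SXdtRXN1VS82S3AveDFMRjFYQVJpMDdyQWowCjJrQlIwN2VHQUlUazNaMERnRDJR
+dFQ2VUpDMlJENVU5cWtIY3pZZU9wSmcKLS0tIEF1NzRkSHJ5cTQrM3RWdUtrYzkw
+VXI3QzE5UlBhS2g1RUl0TEtaS0NPTW8KAQ+9Hk3HNMhwm33T3mzgkavs6mx4zKqZ
+xjfB5d5W5UI+7uYC+RQNNA/cVxAgkMiW4OL4HAt2hXD6lrsjNzxzpQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age145uq9emlxqzm3wqauy9zqj78wqx9e6h09xag6wust7jjgn4upfzsaemcvx
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OHkvTk5JaWxLbmZ5VEtV
+S2VkMVl0WGZOYk5WRTJISWMxU0tja0x6alFrCnJISFNTbDhNRXJjUDJDS1JmWmRK
+aGhyaFBjNTlhanE3UGdQb0JFUWFCTWcKLS0tIDhVZ1JxcGJUcWsvWVFSWFZWYjdx
+K2syUkFRb3F3aFFFeis3OFR4ZENielEKGrUQCi7xaPzJKypvy4tyoSG1a2/l5Le0
+dVcheJcRJvoo89WWrciMhZ/MCs5kffI464RVW7q9BxbJRDO2Obm2dw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-13T09:10:11Z"
+mac: ENC[AES256_GCM,data:GTzDXeEzRFmrX0PU0GKPF5JwscZUrzUmB90ThHPZ7oqflOPpZBrotOo4MZCcU37HEPAXVeFUzVnsjN5bOp5RFqs70r9upj2jXiIsbx/yskcPOML3GAFmVc9HbjOK9TLyie2bJWaFhT+b7CgiJvyIu0QEh43dqSI4d3H1T8Hqn1o=,iv:kcV3Xz276+PKrztSIDB2SiJjDV2iqCn2A90AjEO326M=,tag:3xu3sQeRB15Os06i484GFw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0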


@ -1,4 +1,4 @@
tux-password: ENC[AES256_GCM,data:a8htpUD+eFsOl2Wc9N+tILZADazS15pfOhtAFRrdmoZNn0ZtXeAeVkb/edKYVihlG4g6ONIvOKARfvAof6sR85WrVJJgkbFO9A==,iv:jm73an3+1mEJQjbfiOps90JHfwk329n60EsjfUe/t/w=,tag:U5BwAw+BSZavBFseGetLSg==,type:str]
tux-password: ENC[AES256_GCM,data:YWhOZdgSMR0ukCFD8yj4vVQ0MJXv1IuecqlRCbBc0/LfJS5n9baffujrOwIEETtFuu7/g+vWmP5DeH08ebwol6MlXRIckpwugw==,iv:UN50Ri2/WGZBTs8Io6U3oJcqmiHPhZc4gGFeecVDW5k=,tag:5ROCGD89ONmbSxFJSYV/sg==,type:str]
sops:
kms: []
gcp_kms: []
@ -8,41 +8,50 @@ sops:
- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMHg5SW1HOGVScHc3Mm1h
V0p0Si9WNHFRamt0ZFU4M2VvSG5LSlZob1dnCkc0RjBTVnMxOFpjQjR1VU44WDZz
RVVLTG5DRHo2bnlvK01RZXJQRFpZc1EKLS0tIExTVlpCaEtYeXJ5bmJTQndQSDZi
MERJYjYyYk9TcGtwb2xEK3R4b0xrNlUKFlqLVVEUdPyFB3LKTg8OKdNtDpNB68ds
ffpR0Iq8eGv1eZKHCBivIZzO/9GmzapQIjVz7prYg8OPBdAHcC+BAw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzLzB3L1NNV0REZzJVL21L
VkJlaGM4WlY2RzRDUXJIdEdpQytTTXd3eFVrCjUzTWRMK3lCbzl5R2ZDcm9Cc2h0
dWQ4VW01Sk5ORUVyZWNxMmpuRElBaU0KLS0tIEV2TUNCNmRKRjE5bXArSlN5a1N0
SkhuSFV2RDc4VXJhVm9aV29JdjFtWE0KbM+7ZLnPcJjglbdI2JjKl3quqJutQ+rc
xQyiNy03cwXZLQIAZ+5BBm+2JvOwHGn3nT7c2zlLxf2QJM21FuQb9A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVzBEWXd2bHVsUWhHSUVB
QTMzTjNzOU9zeHhLVTZNVno1eHRoVUVrTUFvClhNRmtvWFpPTk95c25JNk42dGhE
M2lQS2dNc1N0eTRQdGdseGxFemFianMKLS0tIE5CT0xja1pQazFlcm12b3JrWUFK
eGttaGh4S0pCUGFBYlFFYU5IWlVWSm8KXISSh2xmGZXYeWbEpcaW9m0G+cDYC8Mh
M320U7+cwvc9BVSqoZBj7SI0YoSw3LXubzuqRHmEGHOI+v6CZAfrUw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyblhEOGpzcVpvemsyRWll
SVhGNGZqSmF5dUdZaklmUk9UZHpzM3pRRlZnCmJ1a1Fldy9oOFRCMGF5LzY1YUQy
cTU2WjNpeGl6QzN0UENCS2xYdmhpVDAKLS0tIFVvR29NUE9Ha3JFVFN0K3ArM2F2
OVB2T21RcG51Qnkxa0szUjFlZFozNUkKezIEMfE9uAH3ndx4IRgp9QyWm/SSn5Y8
aomvI9bEQJLE0oieeDjdGZvms7Z6Yw9jg8eDufjee/XfPSRLQCl6iw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZd2Q2OXVkRGxBc01wQm5C
cCtzNDNrTXlpRVBWcDdHNVRtY2dPa3RxUlIwCnBKUnZ3RUxnZ0U3OEtiUjByMno2
azVXb0VuN0poTTlsMWtqQStLSUZmU28KLS0tIDl5SzBvY1ZWYW1zNTBUUWJ6bHFk
VDI3enY0L1kxeWVlQ3RBSUFhYW96M2MK05BP3eU6NSr/N02fNnB2VGx2qSradk3j
mpRGONAH21LvMLRcqsp6MTWqbAtOM1YXudWWNgZUZYgaJsn2iApKig==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSDJhRUo1VUEzMUJZSzNv
bmNOcXh0UFUyRUt1Y3dsWTBKTHJleFc3VHhNCmQ5cFF0S0J1L1BUT2VSdEhDYVZv
dW90Y1BaWW96enVDaHQwYWNkNE5YSWsKLS0tIGdxYnVXT29aNlMvYmlkWDI5SktN
a0E1RVVhQ0p1d2g0cFExZGZZWForbGMKNY/p3jHTMsodszx3ouRnSCvOSWCg+uRt
mzy2cknlE9Do30RClbRKbFPKvF3gqAp+FjK7VYs1/dn4LAOhcFsraw==
-----END AGE ENCRYPTED FILE-----
- recipient: age145uq9emlxqzm3wqauy9zqj78wqx9e6h09xag6wust7jjgn4upfzsaemcvx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRk8wc1VEa3drWTJHQXRs
cFgzM1dOdHJvcTZ6VWI5WHJBWjZyalUvTEZRClQ0TkVMNGpTYUdFVkZwRC9tcnJN
SWFsS1FHd0tGN0NETXlwb0VaTUlEOW8KLS0tIEtnZVR3SmJIUXg4OHV4Z0RkTVZp
MjVxc0F4b0FsRHg0LzRsbWg0SFFQeGsKwlipfbrTdWkfsvvk03fQz5xHHdwNj5Ce
PzUOgaQzK6ufkjQ/TAghv397YzqOhzcQ7B6LGQ/AVozDdYem3wl9Pg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lyvzg4ud96trsuv6gsvjw0p3rtd6qjpyl9uleq8hcrzwekuhpfesnlqauf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZUk0eExSTFRRU2VST2k1
Q3VtYTNpRHM1U0gvQkhReUUwWWc1RmMxVmo0Ckd4d0lGdWg3L0JHak9aOG14T0or
Y3JUOGpWaWh6Zm16VlA0MlZIQXJqKzAKLS0tIHRac2lSOW44WEswLzN5L3ZzbTd4
WkhjakVMVHIvbC9ZUk5QYU9NYUw3azgKAC2Am3/1mCx5O/XCf01PFlEsN/iVxgf1
OQfyTsX6GzDEIj9fnd/9q66Wkee/FNdL25hAnOdlFo6+ujscH8eeVg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Q0xPL2dBZFFwUitxQlpM
S1dHVkQvb0szWFE4bFdaUXgvaThkYnVUZVNrCkw1WUR5S0w2eUlxQm4wdGVMQ3VK
NDJxbGt3ejEvanM3V3FOaHd2dDNaRW8KLS0tIHYxY2I2dXVhcGpJZDFBSDhuNWV0
dzFIL2cwb29TTlZuWTNSZnBaU3VlSjQK9jXjslY75C7UtArlAZ2rIK4+bLd+eYKd
lJiSD0YByMUPDFgCGksmMMyUIuvsxNt+eIxzUCN4kjGl+3GNA1ZBRQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-29T06:25:18Z"
mac: ENC[AES256_GCM,data:tgFPeIUKzi1EntpVd8dZmGpxIofm65zZi3WZIpNTzE8fkqHpddMx/qUpRE2KLhpW+H9cOUi66ZFeNOLNu6mTHmQvq3Mcho5KxYODokJOL7i046DMq9FD/rY/5hNzDDVB5xehNDyRblbD7f0GCobxeO/NgO+GCzsqNGply6hW6NM=,iv:bOVFwX55zERg28qc0e0VrBatYMZsr21Ob2yXNgGZtb4=,tag:sfpUgmcJxrnqHmYYwCIGxQ==,type:str]
lastmodified: "2024-09-13T09:14:50Z"
mac: ENC[AES256_GCM,data:Zg0vvFo+HwCpRZuitHSbRMIIrHt62Tr4tlW6xirzPaDGrADKZsLTg+NbTLWEamwrYHReYlO3xDZ6t10g0dXKPPC1nGWN8K+qm+0dHqyEcfDzi0sXOxfXvETKZVQiGFdH/SUKzgjtUehwHwmSpLhGZzwifOwNZ6+c620Loi8kJZs=,iv:kjYa8JbZw0+FOQ6OxTpjkiFBCpJOxZz1p8sAemMuvKw=,tag:96yQTsSfizX3GEJWt9lMog==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -9,7 +9,6 @@
../common
../../modules/nixos/headscale.nix
../../modules/nixos/vaultwarden.nix
../../modules/nixos/uptime-kuma.nix
../../modules/nixos/gitea.nix
../../modules/nixos/monitoring/grafana.nix
../../modules/nixos/monitoring/loki.nix
@ -88,7 +87,6 @@
"/var/lib/grafana"
"/var/lib/loki"
"/var/lib/private/ntfy-sh"
"/var/lib/private/uptime-kuma"
];
encryption = {
mode = "repokey-blake2";