hosts/plover: update service configs

This commit is contained in:
Gabriel Arazas 2024-09-20 18:34:58 +08:00
parent a8d0eb47a0
commit eca3826fa1
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
6 changed files with 26 additions and 46 deletions


@ -14,38 +14,20 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [
{
state.ports.postgresql.value = 5432;
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
enableTCPIP = true;
# Create per-user schema as documented from Usage Patterns. This is to make
# use of the secure schema usage pattern they encouraged to do.
#
# Now, you just have to keep in mind about applications making use of them.
# Most of them should have the setting to set the schema to be used. If
# not, then screw them (or just file an issue and politely ask for the
# feature).
initialScript =
let
# This will be run once anyways so it is acceptable to create users
# "forcibly".
perUserSchemas = lib.lists.map
(user: ''
CREATE USER ${user.name};
CREATE SCHEMA AUTHORIZATION ${user.name};
'')
config.services.postgresql.ensureUsers;
in
pkgs.writeText "plover-initial-postgresql-script" ''
${lib.concatStringsSep "\n" perUserSchemas}
'';
settings =
let
credsDir = path: "/run/credentials/postgresql.service/${path}";
in
{
port = config.state.ports.postgresql.value;
# Still doing the secure schema usage pattern.
search_path = ''"$user"'';
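Review bot: The `search_path = ''"$user"''` setting on the last shown line only provides the "secure schema usage" the comment above it promises if a schema named after each role still gets created somewhere, and the `CREATE SCHEMA AUTHORIZATION ${user.name}` bootstrap shown in this hunk appears to be the part being removed (old and new side cannot be told apart on this rendered page, so treat this as inferred); as far as I recall `ensureUsers` creates roles only, not schemas. The comment should therefore say where per-user schemas are now expected to come from, e.g. `# Still doing the secure schema usage pattern; per-user schemas are created by <module/path placeholder> — confirm`. Separately, `enableTCPIP = true` is kept while this hunk shows no `listen_addresses` or `services.postgresql.authentication` entries, so confirm the listen scope and pg_hba rules are set elsewhere in the file. The hunk continues beyond the lines shown here.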


@ -33,7 +33,6 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [
{
state.ports = {
bindStatistics.value = 9423;
dns.value = 53;
dnsOverHTTPS.value = 8443;
dnsOverTLS.value = 853;
@ -282,11 +281,20 @@ in
}
(lib.mkIf hostCfg.setups.monitoring.enable {
state.ports.bindStatistics.value = 9423;
services.bind.extraConfig = ''
statistics-channels {
inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; };
};
'';
services.prometheus.exporters = {
bind = {
enable = true;
bindURI = "http://127.0.0.1/${builtins.toString config.state.ports.bindStatistics.value}";
};
};
})
(lib.mkIf hostCfg.services.reverse-proxy.enable {
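Review bot: `bindURI` in the new monitoring block builds the statistics URL with a slash where the port separator belongs, so the exporter would be pointed at `http://127.0.0.1/9423` (port 80, path `/9423`) rather than the statistics channel that `statistics-channels` opens on port 9423 two lines above; the same form is in the removed monitoring-file line, so the move carries the defect forward. Change it to `bindURI = "http://127.0.0.1:${builtins.toString config.state.ports.bindStatistics.value}";`. Binding the statistics channel to 127.0.0.1 with `allow { 127.0.0.1; }` is the right scope for this and should be kept as is.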


@ -20,11 +20,7 @@ in
overalljails = true;
};
extraPackages = with pkgs; [ ipset ];
ignoreIP = [
# VPN clients.
"${interfaces.wireguard0.IPv4.address}/13"
"${interfaces.wireguard0.IPv6.address}/64"
];
ignoreIP = [ "10.0.0.0/8" ];
# We're going to be unforgiving with this one since we only have key
# authentication and password authentication is disabled anyways.
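Review bot: `ignoreIP = [ "10.0.0.0/8" ]` exempts the entire 10/8 private range from every jail, which is considerably broader than the two WireGuard address ranges it appears to replace, and the IPv6 VPN range is no longer listed at all, so IPv6 VPN clients become bannable (inferred from the hunk; the side of each line is not marked on this page). If VPN clients occupy only a sub-range of 10/8, narrow the entry to that subnet; if the whole range is genuinely trusted, say so next to it, e.g. `# Whole 10/8 is the VPN/internal range; nothing untrusted should be able to source from it.`. The enclosing fail2ban block starts and ends outside this hunk.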


@ -5,7 +5,7 @@ let
cfg = hostCfg.services.idm;
authDomain = "auth.${config.networking.domain}";
port = 9443;
port = config.state.ports.kanidm.value;
certsDir = config.security.acme.certs."${authDomain}".directory;
@ -16,6 +16,7 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [
{
state.ports.kanidm.value = 9443;
hosts.plover.services.vouch-proxy.enable = lib.mkDefault true;
services.kanidm = {


@ -4,7 +4,6 @@ let
hostCfg = config.hosts.plover;
cfg = hostCfg.services.monitoring;
bindStatsPort = 8053;
prometheusExports = config.services.prometheus.exporters;
in
{
@ -17,14 +16,6 @@ in
enable = true;
exporters = {
bind = {
enable = true;
bindURI = "http://127.0.0.1/${builtins.toString bindStatsPort}";
};
nginx.enable = true;
nginxlog.enable = true;
node = {
enable = true;
enabledCollectors = [ "systemd" ];
@ -40,14 +31,6 @@ in
}
];
};
# Requiring this for Prometheus being able to monitor my services.
services.nginx.statusPage = true;
services.bind.extraConfig = ''
statistics-channels {
inet 127.0.0.1 port ${builtins.toString bindStatsPort} allow { 127.0.0.1; };
};
'';
}
]);
}


@ -83,5 +83,15 @@ in
nginx-bad-request.settings = { enabled = true; };
};
})
(lib.mkIf hostCfg.services.monitoring.enable {
# Requiring this for Prometheus being able to monitor my services.
services.nginx.statusPage = true;
services.prometheus.exporters = {
nginx.enable = true;
nginxlog.enable = true;
};
})
]);
}
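Review bot: `nginxlog.enable = true;` in the new monitoring block is moved over without any `settings` (in particular no `namespaces` naming the access-log files and log format), so as far as this hunk shows the exporter starts but watches no logs; either add the namespace configuration here or confirm it is supplied elsewhere and note that with a comment such as `# nginxlog namespaces are configured in <module placeholder>`. The `services.nginx.statusPage = true;` line is fine as far as the hunk goes, but a short comment that it is intended for the loopback-only stub_status listener would make the exposure explicit for the next reader.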