hosts/plover: update service configs
This commit is contained in:
parent
a8d0eb47a0
commit
eca3826fa1
configs/nixos/plover/modules/services
@ -14,38 +14,20 @@ in
|
||||
|
||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||
{
|
||||
state.ports.postgresql.value = 5432;
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_16;
|
||||
enableTCPIP = true;
|
||||
|
||||
# Create per-user schema as documented from Usage Patterns. This is to make
|
||||
# use of the secure schema usage pattern they encouraged to do.
|
||||
#
|
||||
# Now, you just have to keep in mind about applications making use of them.
|
||||
# Most of them should have the setting to set the schema to be used. If
|
||||
# not, then screw them (or just file an issue and politely ask for the
|
||||
# feature).
|
||||
initialScript =
|
||||
let
|
||||
# This will be run once anyways so it is acceptable to create users
|
||||
# "forcibly".
|
||||
perUserSchemas = lib.lists.map
|
||||
(user: ''
|
||||
CREATE USER ${user.name};
|
||||
CREATE SCHEMA AUTHORIZATION ${user.name};
|
||||
'')
|
||||
config.services.postgresql.ensureUsers;
|
||||
in
|
||||
pkgs.writeText "plover-initial-postgresql-script" ''
|
||||
${lib.concatStringsSep "\n" perUserSchemas}
|
||||
'';
|
||||
|
||||
settings =
|
||||
let
|
||||
credsDir = path: "/run/credentials/postgresql.service/${path}";
|
||||
in
|
||||
{
|
||||
port = config.state.ports.postgresql.value;
|
||||
|
||||
# Still doing the secure schema usage pattern.
|
||||
search_path = ''"$user"'';
|
||||
|
||||
|
@ -33,7 +33,6 @@ in
|
||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||
{
|
||||
state.ports = {
|
||||
bindStatistics.value = 9423;
|
||||
dns.value = 53;
|
||||
dnsOverHTTPS.value = 8443;
|
||||
dnsOverTLS.value = 853;
|
||||
@ -282,11 +281,20 @@ in
|
||||
}
|
||||
|
||||
(lib.mkIf hostCfg.setups.monitoring.enable {
|
||||
state.ports.bindStatistics.value = 9423;
|
||||
|
||||
services.bind.extraConfig = ''
|
||||
statistics-channels {
|
||||
inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; };
|
||||
};
|
||||
'';
|
||||
|
||||
services.prometheus.exporters = {
|
||||
bind = {
|
||||
enable = true;
|
||||
bindURI = "http://127.0.0.1/${builtins.toString config.state.ports.bindStatistics.value}";
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(lib.mkIf hostCfg.services.reverse-proxy.enable {
|
||||
|
@ -20,11 +20,7 @@ in
|
||||
overalljails = true;
|
||||
};
|
||||
extraPackages = with pkgs; [ ipset ];
|
||||
ignoreIP = [
|
||||
# VPN clients.
|
||||
"${interfaces.wireguard0.IPv4.address}/13"
|
||||
"${interfaces.wireguard0.IPv6.address}/64"
|
||||
];
|
||||
ignoreIP = [ "10.0.0.0/8" ];
|
||||
|
||||
# We're going to be unforgiving with this one since we only have key
|
||||
# authentication and password authentication is disabled anyways.
|
||||
|
@ -5,7 +5,7 @@ let
|
||||
cfg = hostCfg.services.idm;
|
||||
|
||||
authDomain = "auth.${config.networking.domain}";
|
||||
port = 9443;
|
||||
port = config.state.ports.kanidm.value;
|
||||
|
||||
certsDir = config.security.acme.certs."${authDomain}".directory;
|
||||
|
||||
@ -16,6 +16,7 @@ in
|
||||
|
||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||
{
|
||||
state.ports.kanidm.value = 9443;
|
||||
hosts.plover.services.vouch-proxy.enable = lib.mkDefault true;
|
||||
|
||||
services.kanidm = {
|
||||
|
@ -4,7 +4,6 @@ let
|
||||
hostCfg = config.hosts.plover;
|
||||
cfg = hostCfg.services.monitoring;
|
||||
|
||||
bindStatsPort = 8053;
|
||||
prometheusExports = config.services.prometheus.exporters;
|
||||
in
|
||||
{
|
||||
@ -17,14 +16,6 @@ in
|
||||
enable = true;
|
||||
|
||||
exporters = {
|
||||
bind = {
|
||||
enable = true;
|
||||
bindURI = "http://127.0.0.1/${builtins.toString bindStatsPort}";
|
||||
};
|
||||
|
||||
nginx.enable = true;
|
||||
nginxlog.enable = true;
|
||||
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
@ -40,14 +31,6 @@ in
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
# Requiring this for Prometheus being able to monitor my services.
|
||||
services.nginx.statusPage = true;
|
||||
services.bind.extraConfig = ''
|
||||
statistics-channels {
|
||||
inet 127.0.0.1 port ${builtins.toString bindStatsPort} allow { 127.0.0.1; };
|
||||
};
|
||||
'';
|
||||
}
|
||||
]);
|
||||
}
|
||||
|
@ -83,5 +83,15 @@ in
|
||||
nginx-bad-request.settings = { enabled = true; };
|
||||
};
|
||||
})
|
||||
|
||||
(lib.mkIf hostCfg.services.monitoring.enable {
|
||||
# Requiring this for Prometheus being able to monitor my services.
|
||||
services.nginx.statusPage = true;
|
||||
|
||||
services.prometheus.exporters = {
|
||||
nginx.enable = true;
|
||||
nginxlog.enable = true;
|
||||
};
|
||||
})
|
||||
]);
|
||||
}
|
||||
|
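Review bot: In the `@ -282,11 +281,20` hunk the new bind exporter entry joins host and port with a slash, `bindURI = "http://127.0.0.1/${builtins.toString config.state.ports.bindStatistics.value}"`, so the exporter would request path `/9423` on port 80 rather than the statistics channel bound on that port; it should read `bindURI = "http://127.0.0.1:${builtins.toString config.state.ports.bindStatistics.value}";`. The removed monitoring-module line had the same slash, so this looks carried over rather than introduced, but it is the new side that now has to work. In the `@ -20,11 +20,7 @@` fail2ban hunk, replacing the WireGuard-derived entries with `ignoreIP = [ "10.0.0.0/8" ];` exempts the entire private range from every jail instead of the VPN subnet and drops the IPv6 client exemption entirely; if only VPN clients are meant to bypass bans, keeping address-derived entries sized to the actual VPN subnet (IPv4 and IPv6) is the safer list. Each of these hunks sits inside a module whose `let`/`config` scope starts and ends outside the hunk.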