From eca3826fa16d1a49c64d048d76cb42d42988abf4 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Fri, 20 Sep 2024 18:34:58 +0800
Subject: [PATCH] hosts/plover: update service configs
---
 .../plover/modules/services/database.nix | 26 +++----------------
 .../modules/services/dns-server/default.nix | 10 ++++++-
 .../plover/modules/services/fail2ban.nix | 6 +----
 configs/nixos/plover/modules/services/idm.nix | 3 ++-
 .../plover/modules/services/monitoring.nix | 17 ------------
 .../plover/modules/services/reverse-proxy.nix | 10 +++++++
 6 files changed, 26 insertions(+), 46 deletions(-)
diff --git a/configs/nixos/plover/modules/services/database.nix b/configs/nixos/plover/modules/services/database.nix
index 5d39b2f4..000c1149 100644
--- a/configs/nixos/plover/modules/services/database.nix
+++ b/configs/nixos/plover/modules/services/database.nix
@@ -14,38 +14,20 @@ in config = lib.mkIf cfg.enable (lib.mkMerge [ { + state.ports.postgresql.value = 5432; + services.postgresql = { enable = true; package = pkgs.postgresql_16; enableTCPIP = true; - # Create per-user schema as documented from Usage Patterns. This is to make - # use of the secure schema usage pattern they encouraged to do. - # - # Now, you just have to keep in mind about applications making use of them. - # Most of them should have the setting to set the schema to be used. If - # not, then screw them (or just file an issue and politely ask for the - # feature). - initialScript = - let - # This will be run once anyways so it is acceptable to create users - # "forcibly". - perUserSchemas = lib.lists.map - (user: '' - CREATE USER ${user.name}; - CREATE SCHEMA AUTHORIZATION ${user.name}; - '') - config.services.postgresql.ensureUsers; - in - pkgs.writeText "plover-initial-postgresql-script" '' - ${lib.concatStringsSep "\n" perUserSchemas} - ''; - settings = let credsDir = path: "/run/credentials/postgresql.service/${path}"; in { + port = config.state.ports.postgresql.value; + # Still doing the secure schema usage pattern. search_path = ''"$user"'';
diff --git a/configs/nixos/plover/modules/services/dns-server/default.nix b/configs/nixos/plover/modules/services/dns-server/default.nix
index 90f17a4b..8c2bc4f4 100644
--- a/configs/nixos/plover/modules/services/dns-server/default.nix
+++ b/configs/nixos/plover/modules/services/dns-server/default.nix
@@ -33,7 +33,6 @@ in config = lib.mkIf cfg.enable (lib.mkMerge [ { state.ports = { - bindStatistics.value = 9423; dns.value = 53; dnsOverHTTPS.value = 8443; dnsOverTLS.value = 853;
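Review bot: Dropping `initialScript` removes the only place the `CREATE SCHEMA AUTHORIZATION` per-user schemas were created, yet `search_path = ''"$user"''` is kept and the added comment says the secure schema usage pattern is still in effect. `ensureUsers` creates roles, not schemas, and none of the six files in this patch re-creates them, so unless the schemas already exist in the data directory or each service now creates its own, unqualified table creation by those roles will fail (since PostgreSQL 15 the `public` schema is not writable by ordinary roles by default, so they should not silently fall back to it). Either keep a schema-creation step or make the new expectation explicit in place of the "Still doing" comment, e.g. `# search_path still targets a per-user schema; each service is now responsible for creating its own "$user" schema.` The hunk's trailing context after `search_path` is cut off in this view, and the `settings` attrset continues beyond it.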
@@ -282,11 +281,20 @@ in } (lib.mkIf hostCfg.setups.monitoring.enable { + state.ports.bindStatistics.value = 9423; + services.bind.extraConfig = '' statistics-channels { inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; }; }; ''; + + services.prometheus.exporters = { + bind = { + enable = true; + bindURI = "http://127.0.0.1/${builtins.toString config.state.ports.bindStatistics.value}"; + }; + }; }) (lib.mkIf hostCfg.services.reverse-proxy.enable {
diff --git a/configs/nixos/plover/modules/services/fail2ban.nix b/configs/nixos/plover/modules/services/fail2ban.nix
index 5cd84a96..4cb3ac00 100644
--- a/configs/nixos/plover/modules/services/fail2ban.nix
+++ b/configs/nixos/plover/modules/services/fail2ban.nix
@@ -20,11 +20,7 @@ in overalljails = true; }; extraPackages = with pkgs; [ ipset ]; - ignoreIP = [ - # VPN clients. - "${interfaces.wireguard0.IPv4.address}/13" - "${interfaces.wireguard0.IPv6.address}/64" - ]; + ignoreIP = [ "10.0.0.0/8" ]; # We're going to be unforgiving with this one since we only have key # authentication and password authentication is disabled anyways.
diff --git a/configs/nixos/plover/modules/services/idm.nix b/configs/nixos/plover/modules/services/idm.nix
index 69e2d11d..da06cbc1 100644
--- a/configs/nixos/plover/modules/services/idm.nix
+++ b/configs/nixos/plover/modules/services/idm.nix
@@ -5,7 +5,7 @@ let cfg = hostCfg.services.idm; authDomain = "auth.${config.networking.domain}"; - port = 9443; + port = config.state.ports.kanidm.value; certsDir = config.security.acme.certs."${authDomain}".directory;
@@ -16,6 +16,7 @@ in config = lib.mkIf cfg.enable (lib.mkMerge [ { + state.ports.kanidm.value = 9443; hosts.plover.services.vouch-proxy.enable = lib.mkDefault true; services.kanidm = {
diff --git a/configs/nixos/plover/modules/services/monitoring.nix b/configs/nixos/plover/modules/services/monitoring.nix
index 50d2aba0..9e6e2a61 100644
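Review bot: The added `bindURI` uses `/` where the port separator should be `:`, so the exporter would request `http://127.0.0.1/9423` (port 80, path `/9423`) instead of the statistics channel; the line should read `bindURI = "http://127.0.0.1:${builtins.toString config.state.ports.bindStatistics.value}";`. The same slash was in the block this commit removes from monitoring.nix (which also pointed at 8053 while this module opened 9423), so the consolidation is the right moment to fix it. Separately, nixpkgs' exporter modules default `listenAddress` to `0.0.0.0` (worth confirming against the nixpkgs revision in use), so this bind exporter — and the nginx and nginxlog exporters added in reverse-proxy.nix in the same patch — would listen on every interface; unless Prometheus scrapes from another host, add `listenAddress = "127.0.0.1";` next to each `enable = true;`. The statistics channel itself stays local thanks to the existing `allow { 127.0.0.1; }`.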
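Review bot: `ignoreIP = [ "10.0.0.0/8" ]` exempts the entire 10/8 private block from banning, which is far wider than the WireGuard-derived entries it replaces: any other 10.x network this host can be reached from (a provider's internal or VPC network, container or VM bridges, other tenants) would never be banned either. The `interfaces.wireguard0` IPv6 entry is dropped as well, so VPN clients arriving over IPv6 now become bannable — fine if intended, but it deserves a mention in the commit message. I would narrow this back to the actual WireGuard subnet (the old `interfaces.wireguard0.IPv4.address` with its real prefix length, plus the IPv6 range if still wanted) and annotate it with `# VPN clients only; do not widen this to all of RFC 1918.` The enclosing attrset starts and ends outside this hunk.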
--- a/configs/nixos/plover/modules/services/monitoring.nix
+++ b/configs/nixos/plover/modules/services/monitoring.nix
@@ -4,7 +4,6 @@ let hostCfg = config.hosts.plover; cfg = hostCfg.services.monitoring; - bindStatsPort = 8053; prometheusExports = config.services.prometheus.exporters; in {
@@ -17,14 +16,6 @@ in enable = true; exporters = { - bind = { - enable = true; - bindURI = "http://127.0.0.1/${builtins.toString bindStatsPort}"; - }; - - nginx.enable = true; - nginxlog.enable = true; - node = { enable = true; enabledCollectors = [ "systemd" ];
@@ -40,14 +31,6 @@ in } ]; }; - - # Requiring this for Prometheus being able to monitor my services. - services.nginx.statusPage = true; - services.bind.extraConfig = '' - statistics-channels { - inet 127.0.0.1 port ${builtins.toString bindStatsPort} allow { 127.0.0.1; }; - }; - ''; } ]); }
diff --git a/configs/nixos/plover/modules/services/reverse-proxy.nix b/configs/nixos/plover/modules/services/reverse-proxy.nix
index 17621c57..281112d3 100644
--- a/configs/nixos/plover/modules/services/reverse-proxy.nix
+++ b/configs/nixos/plover/modules/services/reverse-proxy.nix
@@ -83,5 +83,15 @@ in nginx-bad-request.settings = { enabled = true; }; }; }) + + (lib.mkIf hostCfg.services.monitoring.enable { + # Requiring this for Prometheus being able to monitor my services. + services.nginx.statusPage = true; + + services.prometheus.exporters = { + nginx.enable = true; + nginxlog.enable = true; + }; + }) ]); }
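Review bot: The new block is gated on `hostCfg.services.monitoring.enable`, while the bind-exporter block added to dns-server/default.nix in this same patch sits under `hostCfg.setups.monitoring.enable`; monitoring.nix itself reads `hostCfg.services.monitoring`, so if only one of these paths is a declared option the other file fails to evaluate, and if both exist an exporter can end up enabled while Prometheus is not. Pick one option path and use it in both files. `nginxlog.enable = true;` is also added with no `settings`, and the nginxlog exporter needs at least one namespace naming the access-log path and its log format to export anything, so unless that is configured elsewhere it will run but expose nothing — either add the namespace here or drop the exporter. As far as I recall `services.nginx.statusPage` only serves the stub status on localhost, which matches the nginx exporter's default scrape URI, so that part looks fine.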