foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-26 06:19:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

hosts/plover: update service configs

Browse Source
This commit is contained in:
Gabriel Arazas 2024-09-20 18:34:58 +08:00
parent a8d0eb47a0
commit eca3826fa1
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
6 changed files with 26 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
configs/nixos/plover/modules/services/database.nix
View File

@ -14,38 +14,20 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (lib.mkMerge [
{ {
state.ports.postgresql.value = 5432;
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
enableTCPIP = true; enableTCPIP = true;
# Create per-user schema as documented from Usage Patterns. This is to make
# use of the secure schema usage pattern they encouraged to do.
#
# Now, you just have to keep in mind about applications making use of them.
# Most of them should have the setting to set the schema to be used. If
# not, then screw them (or just file an issue and politely ask for the
# feature).
initialScript =
let
# This will be run once anyways so it is acceptable to create users
# "forcibly".
perUserSchemas = lib.lists.map
(user: ''
CREATE USER ${user.name};
CREATE SCHEMA AUTHORIZATION ${user.name};
'')
config.services.postgresql.ensureUsers;
in
pkgs.writeText "plover-initial-postgresql-script" ''
${lib.concatStringsSep "\n" perUserSchemas}
'';
settings = settings =
let let
credsDir = path: "/run/credentials/postgresql.service/${path}"; credsDir = path: "/run/credentials/postgresql.service/${path}";
in in
{ {
port = config.state.ports.postgresql.value;
# Still doing the secure schema usage pattern. # Still doing the secure schema usage pattern.
search_path = ''"$user"''; search_path = ''"$user"'';

10
configs/nixos/plover/modules/services/dns-server/default.nix
View File

@ -33,7 +33,6 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (lib.mkMerge [
{ {
state.ports = { state.ports = {
bindStatistics.value = 9423;
dns.value = 53; dns.value = 53;
dnsOverHTTPS.value = 8443; dnsOverHTTPS.value = 8443;
dnsOverTLS.value = 853; dnsOverTLS.value = 853;
@ -282,11 +281,20 @@ in
} }
(lib.mkIf hostCfg.setups.monitoring.enable { (lib.mkIf hostCfg.setups.monitoring.enable {
state.ports.bindStatistics.value = 9423;
services.bind.extraConfig = '' services.bind.extraConfig = ''
statistics-channels { statistics-channels {
inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; }; inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; };
}; };
''; '';
services.prometheus.exporters = {
bind = {
enable = true;
bindURI = "http://127.0.0.1/${builtins.toString config.state.ports.bindStatistics.value}";
};
};
}) })
(lib.mkIf hostCfg.services.reverse-proxy.enable { (lib.mkIf hostCfg.services.reverse-proxy.enable {

6
configs/nixos/plover/modules/services/fail2ban.nix
View File

@ -20,11 +20,7 @@ in
overalljails = true; overalljails = true;
}; };
extraPackages = with pkgs; [ ipset ]; extraPackages = with pkgs; [ ipset ];
ignoreIP = [ ignoreIP = [ "10.0.0.0/8" ];
# VPN clients.
"${interfaces.wireguard0.IPv4.address}/13"
"${interfaces.wireguard0.IPv6.address}/64"
];
# We're going to be unforgiving with this one since we only have key # We're going to be unforgiving with this one since we only have key
# authentication and password authentication is disabled anyways. # authentication and password authentication is disabled anyways.

3
configs/nixos/plover/modules/services/idm.nix
View File

@ -5,7 +5,7 @@ let
cfg = hostCfg.services.idm; cfg = hostCfg.services.idm;
authDomain = "auth.${config.networking.domain}"; authDomain = "auth.${config.networking.domain}";
port = 9443; port = config.state.ports.kanidm.value;
certsDir = config.security.acme.certs."${authDomain}".directory; certsDir = config.security.acme.certs."${authDomain}".directory;
@ -16,6 +16,7 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (lib.mkMerge [
{ {
state.ports.kanidm.value = 9443;
hosts.plover.services.vouch-proxy.enable = lib.mkDefault true; hosts.plover.services.vouch-proxy.enable = lib.mkDefault true;
services.kanidm = { services.kanidm = {

17
configs/nixos/plover/modules/services/monitoring.nix
View File

@ -4,7 +4,6 @@ let
hostCfg = config.hosts.plover; hostCfg = config.hosts.plover;
cfg = hostCfg.services.monitoring; cfg = hostCfg.services.monitoring;
bindStatsPort = 8053;
prometheusExports = config.services.prometheus.exporters; prometheusExports = config.services.prometheus.exporters;
in in
{ {
@ -17,14 +16,6 @@ in
enable = true; enable = true;
exporters = { exporters = {
bind = {
enable = true;
bindURI = "http://127.0.0.1/${builtins.toString bindStatsPort}";
};
nginx.enable = true;
nginxlog.enable = true;
node = { node = {
enable = true; enable = true;
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" ];
@ -40,14 +31,6 @@ in
} }
]; ];
}; };
# Requiring this for Prometheus being able to monitor my services.
services.nginx.statusPage = true;
services.bind.extraConfig = ''
statistics-channels {
inet 127.0.0.1 port ${builtins.toString bindStatsPort} allow { 127.0.0.1; };
};
'';
} }
]); ]);
} }

10
configs/nixos/plover/modules/services/reverse-proxy.nix
View File

@ -83,5 +83,15 @@ in
nginx-bad-request.settings = { enabled = true; }; nginx-bad-request.settings = { enabled = true; };
}; };
}) })
(lib.mkIf hostCfg.services.monitoring.enable {
# Requiring this for Prometheus being able to monitor my services.
services.nginx.statusPage = true;
services.prometheus.exporters = {
nginx.enable = true;
nginxlog.enable = true;
};
})
]); ]);
} }