From 9dc90dacf7d3c6f13fd7799a3fd723dfc0869d6f Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 14:03:46 +0200 Subject: [PATCH 01/10] update to 25.05 --- nix/hive.nix | 4 ++-- nix/modules/garage/default.nix | 2 +- nix/nixpkgs.json | 5 ++++ .../update-my-projects.mjs | 2 +- nix/update-nixpkgs.mjs | 23 +++++++++++++++++++ 5 files changed, 32 insertions(+), 4 deletions(-) create mode 100644 nix/nixpkgs.json rename update-my-projects.mjs => nix/update-my-projects.mjs (92%) create mode 100644 nix/update-nixpkgs.mjs diff --git a/nix/hive.nix b/nix/hive.nix index 6182440..b140d42 100644 --- a/nix/hive.nix +++ b/nix/hive.nix @@ -2,8 +2,8 @@ meta = let my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json); - nixpkgs-hash = "50ab793786d9de88ee30ec4e4c24fb4236fc2674"; # nixos-24.11 2025-07-27 - nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-hash}.tar.gz"); + nixpkgs-version = builtins.fromJSON (builtins.readFile ./nixpkgs.json); + nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz"); in { # Override to pin the Nixpkgs version (recommended). This option diff --git a/nix/modules/garage/default.nix b/nix/modules/garage/default.nix index 3f8be39..1977c47 100644 --- a/nix/modules/garage/default.nix +++ b/nix/modules/garage/default.nix @@ -12,7 +12,7 @@ services.garage = { enable = true; - package = pkgs.garage_1_1_0; + package = pkgs.garage_1_2_0; settings = { metadata_dir = "/var/lib/garage/meta"; data_dir = "/var/lib/garage/data"; diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json new file mode 100644 index 0000000..e63baef --- /dev/null +++ b/nix/nixpkgs.json @@ -0,0 +1,5 @@ +{ + "channel": "nixos-25.05", + "lastUpdated": "2025-08-03T11:42:11.747Z", + "commit": "59e69648d345d6e8fef86158c555730fa12af9de" +} 
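Review bot: `nixpkgs-path` on the new side of the `nix/hive.nix` hunk still calls `fetchTarball` with a bare URL, so the pin names a commit but nothing verifies the bytes that get unpacked, and `nixpkgs-version.commit` is interpolated into the URL without any check that it is a 40-character hex string. Carrying a hash next to the commit in `nixpkgs.json` and using the attrset form, `nixpkgs-path = fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz"; sha256 = nixpkgs-version.sha256; };` (the `sha256` field name is a proposal, it is not in the JSON yet), would make the updater script the only place that has to trust the network. The same hash-less `fetchTarball` pattern recurs in later hunks of this series for does-it-build, fakessh, upload-files, the caddy module and the default module; I have not repeated the note there.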
diff --git a/update-my-projects.mjs b/nix/update-my-projects.mjs similarity index 92% rename from update-my-projects.mjs rename to nix/update-my-projects.mjs index e940822..ee2cbe9 100644 --- a/update-my-projects.mjs +++ b/nix/update-my-projects.mjs @@ -1,6 +1,6 @@ import fs from "node:fs/promises"; -const path = `${import.meta.dirname}/nix/my-projects.json`; +const path = `${import.meta.dirname}/my-projects.json`; const projects = JSON.parse(await fs.readFile(path)); let hasChanges = false; diff --git a/nix/update-nixpkgs.mjs b/nix/update-nixpkgs.mjs new file mode 100644 index 0000000..fa63e62 --- /dev/null +++ b/nix/update-nixpkgs.mjs @@ -0,0 +1,23 @@ +import fs from "node:fs/promises"; + +const path = `${import.meta.dirname}/nixpkgs.json`; +const nixpkgs = JSON.parse(await fs.readFile(path)); + +const res = await fetch( + `https://api.github.com/repos/NixOS/nixpkgs/commits/${nixpkgs.channel}` +); + +if (!res.ok) { + throw new Error( + `get commit for ${name}: ${res.status} - ${await res.text()}` + ); +} + +const body = await res.json(); + +if (body.sha !== nixpkgs.commit) { + nixpkgs.commit = body.sha; + nixpkgs.lastUpdated = new Date().toISOString(); + + await fs.writeFile(path, JSON.stringify(nixpkgs, null, 2) + "\n"); +} From 43d6682e7e86a449e5b9278ed1e5df123ad99c1a Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 14:16:14 +0200 Subject: [PATCH 02/10] garage 2.0 --- nix/modules/garage/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/modules/garage/default.nix b/nix/modules/garage/default.nix index 1977c47..0351b2c 100644 --- a/nix/modules/garage/default.nix +++ b/nix/modules/garage/default.nix @@ -12,7 +12,7 @@ services.garage = { enable = true; - package = pkgs.garage_1_2_0; + package = pkgs.garage_2_0_0; settings = { metadata_dir = "/var/lib/garage/meta"; data_dir = "/var/lib/garage/data"; From 61d4c9a3d3a50f3b267829527e3e84e81d4882d2 Mon Sep 17 00:00:00 2001 
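Review bot: `name` in the `!res.ok` branch of `nix/update-nixpkgs.mjs` is not declared anywhere in the file, so a failed GitHub request throws a ReferenceError while building the message instead of the intended error; the channel is what the message means, e.g. ``throw new Error(`get commit for ${nixpkgs.channel}: ${res.status} - ${await res.text()}`);``. The `sha` from the response is also persisted to `nixpkgs.json` unchecked, and `hive.nix` interpolates that value straight into a `fetchTarball` URL, so a guard before the assignment, ``if (!/^[0-9a-f]{40}$/.test(body.sha)) throw new Error(`unexpected sha for ${nixpkgs.channel}: ${JSON.stringify(body.sha)}`);``, keeps an error-shaped or truncated response from being written to disk. Sending an explicit `Accept: application/vnd.github+json` header is a small extra that makes the response shape you parse the one you asked for.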
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 14:22:02 +0200 Subject: [PATCH 03/10] sunset uptimew --- nix/apps/uptime/uptime.json | 47 +------------------------------------ 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/nix/apps/uptime/uptime.json b/nix/apps/uptime/uptime.json index af235e3..35da4ff 100644 --- a/nix/apps/uptime/uptime.json +++ b/nix/apps/uptime/uptime.json @@ -1,50 +1,5 @@ { "interval_seconds": 30, "db_url": "/data/uptime.db", - "websites": [ - { - "name": "noratrieb.dev", - "url": "https://noratrieb.dev" - }, - { - "name": "nilstrieb.dev", - "url": "https://nilstrieb.dev" - }, - { - "name": "docker.nilstrieb.dev", - "url": "https://docker.noratrieb.dev" - }, - { - "name": "vps1.nilstrieb.dev", - "url": "https://vps1.infra.noratrieb.dev" - }, - { - "name": "vps2.nilstrieb.dev", - "url": "https://vps2.nilstrieb.dev" - }, - { - "name": "bisect-rustc.nilstrieb.dev", - "url": "https://bisect-rustc.noratrieb.dev" - }, - { - "name": "hugo-chat.nilstrieb.dev", - "url": "https://hugo-chat.noratrieb.dev" - }, - { - "name": "api.hugo-chat.nilstrieb.dev", - "url": "https://api.hugo-chat.noratrieb.dev/api/v2/rooms" - }, - { - "name": "cors-school.nilstrieb.dev", - "url": "https://cors-school.nilstrieb.dev" - }, - { - "name": "api.cors-school.nilstrieb.dev", - "url": "https://api.cors-school.nilstrieb.dev/api/hugo" - }, - { - "name": "olat.nilstrieb.dev", - "url": "https://olat.nilstrieb.dev/dmz/" - } - ] + "websites": [] } From beb86b7ea9ba18eb2263765d7cb7f5fefe2dfd50 Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 15:17:43 +0200 Subject: [PATCH 04/10] METRICS --- nix/modules/default/default.nix | 9 +++++++++ nix/modules/prometheus/default.nix | 24 ++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix index c2ff120..b74d4b4 100644 
--- a/nix/modules/default/default.nix +++ b/nix/modules/default/default.nix @@ -92,13 +92,22 @@ # monitoring networking.firewall.interfaces.wg0.allowedTCPPorts = [ + 8080 # cadvisor exporter 9100 # node exporter 9150 # pretense exporter + 9558 # systemd exporter ]; services.prometheus.exporters = { node = { enable = true; }; + systemd = { + enable = true; + }; + }; + services.cadvisor = { + enable = true; + listenAddress = "0.0.0.0"; # todo: $wg-ip }; services.promtail = { enable = true; diff --git a/nix/modules/prometheus/default.nix b/nix/modules/prometheus/default.nix index b30d69d..094c719 100644 --- a/nix/modules/prometheus/default.nix +++ b/nix/modules/prometheus/default.nix @@ -21,6 +21,30 @@ { targets = [ "vps5.local:9100" ]; } ]; } + { + job_name = "cadvisor"; + static_configs = [ + { targets = [ "dns1.local:8080" ]; } + { targets = [ "dns2.local:8080" ]; } + { targets = [ "vps1.local:8080" ]; } + { targets = [ "vps2.local:8080" ]; } + { targets = [ "vps3.local:8080" ]; } + { targets = [ "vps4.local:8080" ]; } + { targets = [ "vps5.local:8080" ]; } + ]; + } + { + job_name = "systemd"; + static_configs = [ + { targets = [ "dns1.local:9558" ]; } + { targets = [ "dns2.local:9558" ]; } + { targets = [ "vps1.local:9558" ]; } + { targets = [ "vps2.local:9558" ]; } + { targets = [ "vps3.local:9558" ]; } + { targets = [ "vps4.local:9558" ]; } + { targets = [ "vps5.local:9558" ]; } + ]; + } { job_name = "caddy"; static_configs = [ From a4e5e3720bdc7e0ecc29f9a0f7e3d220a5a507d5 Mon Sep 17 00:00:00 2001 
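Review bot: `services.cadvisor.listenAddress = "0.0.0.0"` binds the exporter on every interface, and only the `wg0`-scoped firewall rule for 8080 added just above keeps it off the public address; the same holds for the systemd exporter on 9558 (and the node exporter, which NixOS binds to 0.0.0.0 unless `listenAddress` is set), none of which authenticate. That is fine as long as `networking.firewall` stays enabled, but the `# todo: $wg-ip` comment is the only record of the dependency, and the later `nix/modules/default/default.nix` hunk in this series (the "cleanup" commit) deletes the comment without changing the bind. If the wg0 address is available from `networkingConfig` (not visible here), binding to it is the direct fix; otherwise keep a comment such as `# listens on all interfaces; reachable only over wg0 via the firewall rule above` so the next reader knows what is holding the line.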
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 16:37:18 +0200 Subject: [PATCH 05/10] cleanup --- debug.html | 14 --- nix/apps/does-it-build/default.nix | 8 +- nix/apps/fakessh/default.nix | 29 ++++++ nix/apps/upload-files/default.nix | 4 +- nix/hive.nix | 59 +++--------- nix/modules/caddy/default.nix | 8 +- nix/modules/default/default.nix | 13 ++- nix/modules/dns/default.nix | 8 +- nix/modules/garage/default.nix | 17 ++-- nix/modules/prometheus/default.nix | 138 ++++++++++------------------- nix/modules/registry/default.nix | 9 +- nix/my-projects.json | 3 +- 12 files changed, 134 insertions(+), 176 deletions(-) delete mode 100644 debug.html create mode 100644 nix/apps/fakessh/default.nix diff --git a/debug.html b/debug.html deleted file mode 100644 index 5f69c80..0000000 --- a/debug.html +++ /dev/null @@ -1,14 +0,0 @@ - - -
- - -sorry, but there isn't anything cool here. this is my infra, you are not allowed here.
-if you do want to be allowed here, then uh.. still no.
-:3
- - diff --git a/nix/apps/does-it-build/default.nix b/nix/apps/does-it-build/default.nix index ad52759..fad6023 100644 --- a/nix/apps/does-it-build/default.nix +++ b/nix/apps/does-it-build/default.nix @@ -1,7 +1,7 @@ -{ pkgs, lib, does-it-build, my-projects-versions, ... }: +{ pkgs, lib, my-projects-versions, ... }: let - does-it-build-base = does-it-build { inherit pkgs; }; - does-it-build-with-commit = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: { + does-it-build-base = (import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz")) { inherit pkgs; }; + does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: { DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build; }); in @@ -15,7 +15,7 @@ in serviceConfig = { User = "does-it-build"; Group = "does-it-build"; - ExecStart = "${lib.getExe' (does-it-build-with-commit) "does-it-build" }"; + ExecStart = "${lib.getExe' (does-it-build) "does-it-build" }"; Environment = "DB_PATH=/var/lib/does-it-build/db.sqlite"; }; }; diff --git a/nix/apps/fakessh/default.nix b/nix/apps/fakessh/default.nix new file mode 100644 index 0000000..b289036 --- /dev/null +++ b/nix/apps/fakessh/default.nix 
@@ -0,0 +1,29 @@ +{ lib, pkgs, my-projects-versions, ... }: +let cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${my-projects-versions.cluelessh}.tar.gz"); +in +{ + systemd.services.fakessh = { + description = "cluelessh-faked ssh honeypot"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Restart = "on-failure"; + RestartSec = "5s"; + ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }"; + + # i really don't trust this. + DynamicUser = true; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + MemoryHigh = "100M"; + MemoryMax = "200M"; + + # config + Environment = [ + "FAKESSH_LISTEN_ADDR=0.0.0.0:22" + "RUST_LOG=debug" + #"FAKESSH_JSON_LOGS=1" + ]; + }; + }; + networking.firewall.allowedTCPPorts = [ 22 ]; +} diff --git a/nix/apps/upload-files/default.nix b/nix/apps/upload-files/default.nix index aa108b5..526adf3 100644 --- a/nix/apps/upload-files/default.nix +++ b/nix/apps/upload-files/default.nix @@ -1,4 +1,6 @@ -{ upload-files, pkgs, lib, config, ... }: { +{ my-projects-versions, pkgs, lib, config, ... }: +let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); in +{ age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age; systemd.services.upload-files = { diff --git a/nix/hive.nix b/nix/hive.nix index b140d42..9e3708e 100644 --- a/nix/hive.nix +++ b/nix/hive.nix @@ -1,7 +1,6 @@ { meta = let - my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json); nixpkgs-version = builtins.fromJSON (builtins.readFile ./nixpkgs.json); nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz"); in 
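Review bot: The `serviceConfig` of `systemd.services.fakessh` stops at `DynamicUser`, `AmbientCapabilities` and the memory limits, so a process that is deliberately exposed on port 22 and that the `# i really don't trust this.` comment says is untrusted still runs with the full capability bounding set, every address family and the kernel tunables reachable. `DynamicUser` already implies `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp` and `NoNewPrivileges`, but `CapabilityBoundingSet` is the one that matters most, since `AmbientCapabilities` grants `CAP_NET_BIND_SERVICE` without dropping the rest; the remaining directives below are the usual cheap baseline. Whether the binary needs anything beyond `AF_INET`/`AF_INET6` is not visible here, so confirm against cluelessh before pinning `RestrictAddressFamilies`.
```nix
    serviceConfig = {
      # … unchanged: Restart, RestartSec, ExecStart …
      DynamicUser = true;
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      # … unchanged: MemoryHigh, MemoryMax, Environment …
    };
```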
@@ -14,15 +13,7 @@ nixpkgs = import nixpkgs-path; specialArgs = { - website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz"); - blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz"; - slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz"; - pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz"); - quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz"); - does-it-build = import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz"); - upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); - - inherit my-projects-versions; + my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json); inherit nixpkgs-path; @@ -35,6 +26,7 @@ publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4="; peers = [ "vps3" ]; }; + tags = [ "dns" ]; }; dns2 = { publicIPv4 = "128.140.3.7"; @@ -46,6 +38,7 @@ publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc="; peers = [ "vps3" ]; }; + tags = [ "dns" ]; }; vps1 = { publicIPv4 = "161.97.165.1"; @@ -55,6 +48,7 @@ publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ="; peers = [ "vps2" "vps3" "vps4" "vps5" ]; }; + tags = [ "apps" ]; }; vps2 = { publicIPv4 = "184.174.32.252"; @@ -64,6 +58,7 @@ publicKey = "SficHHJ0ynpZoGah5heBpNKnEVIVrgs72Z5HEKd3jHA="; peers = [ "vps1" "vps3" "vps4" "vps5" ]; }; + tags = [ "apps" ]; }; vps3 = { publicIPv4 = "134.255.181.139"; @@ -73,6 +68,7 @@ publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0="; peers = [ "vps1" "vps2" "vps4" "vps5" "dns1" "dns2" ]; }; + tags = [ "apps" ]; }; vps4 = { publicIPv4 = "195.201.147.17"; 
@@ -84,6 +80,7 @@ publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs="; peers = [ "vps1" "vps2" "vps3" "vps5" ]; }; + tags = [ "apps" ]; }; vps5 = { publicIPv4 = "45.94.209.30"; @@ -93,6 +90,7 @@ publicKey = "r1cwt63fcOR+FTqMTUpZdK4/MxpalkDYRHXyy7osWUk="; peers = [ "vps1" "vps2" "vps3" "vps4" ]; }; + tags = [ "apps" ]; }; }; }; @@ -120,9 +118,6 @@ ./modules/wg-mesh ]; - # The name and nodes parameters are supported in Colmena, - # allowing you to reference configurations in other nodes. - deployment.tags = [ "dns" "us" ]; system.stateVersion = "23.11"; }; dns2 = { name, nodes, modulesPath, lib, ... }: { @@ -132,7 +127,6 @@ ./modules/wg-mesh ]; - deployment.tags = [ "dns" "eu" "hetzner" ]; system.stateVersion = "23.11"; boot.loader.grub.device = "/dev/sda"; @@ -196,7 +190,6 @@ ./apps/upload-files ]; - deployment.tags = [ "caddy" "eu" "apps" "website" ]; system.stateVersion = "23.11"; }; # VPS2 exists @@ -209,7 +202,6 @@ ./modules/garage ]; - deployment.tags = [ "caddy" "eu" "apps" ]; system.stateVersion = "23.11"; }; # VPS3 is the primary monitoring/metrics server. @@ -223,7 +215,6 @@ ./modules/prometheus ]; - deployment.tags = [ "eu" "apps" "website" ]; system.stateVersion = "23.11"; }; # VPS4 exists. It's useful for garage replication and runs does-it-build which uses some CPU. @@ -239,7 +230,6 @@ ./apps/does-it-build ]; - deployment.tags = [ "eu" "apps" "hetzner" "website" ]; system.stateVersion = "23.11"; boot.loader.grub.device = "/dev/sda"; @@ -282,10 +272,6 @@ }; # VPS5 is the primary test server, where new things are being deployed that could break stuff maybe. vps5 = { name, nodes, modulesPath, config, pkgs, lib, ... }: - let - commit = "5f203d0f5ba2639043bd5bd1c3687c406d6abac1"; - cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${commit}.tar.gz"); - in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") 
@@ -293,37 +279,12 @@ ./modules/caddy ./modules/wg-mesh ./modules/garage + ./apps/fakessh ]; - services.openssh.ports = [ 2000 ]; - systemd.services.fakessh = { - description = "cluelessh-faked ssh honeypot"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = "5s"; - ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }"; - - # i really don't trust this. - DynamicUser = true; - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; - MemoryHigh = "100M"; - MemoryMax = "200M"; - - # config - Environment = [ - "FAKESSH_LISTEN_ADDR=0.0.0.0:22" - "RUST_LOG=debug" - #"FAKESSH_JSON_LOGS=1" - ]; - }; - }; - networking.firewall.allowedTCPPorts = [ 22 ]; - deployment.targetPort = 2000; - deployment.tags = [ "eu" "apps" ]; + system.stateVersion = "23.11"; }; } diff --git a/nix/modules/caddy/default.nix b/nix/modules/caddy/default.nix index 07fd744..0116fa0 100644 --- a/nix/modules/caddy/default.nix +++ b/nix/modules/caddy/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, lib, name, website, slides, blog, ... }: +{ pkgs, config, lib, name, my-projects-versions, ... }: let caddy = pkgs.callPackage ./caddy-build.nix { @@ -11,6 +11,10 @@ let ]; vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI="; }; + website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz"); + blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz"; + slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz"; + website-build = website { inherit pkgs slides blog; }; in { environment.systemPackages = [ caddy ]; @@ -62,7 +66,7 @@ in header -Last-Modified root * ${import ./caddy-static-prepare { name = "website"; - src = website { inherit pkgs slides blog; }; + src = website-build; inherit pkgs lib; }} file_server { 
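Review bot: Removing `services.openssh.ports = [ 2000 ];` and `deployment.targetPort = 2000;` from vps5 leaves the real sshd on its default port 22, which is the port the newly imported `./apps/fakessh` honeypot binds on `0.0.0.0:22` (per the new file earlier in this commit); unless those two settings now live somewhere not visible here, the two services collide on the bind and a Colmena deploy over the default port lands on whichever one won. Keeping both lines next to the honeypot definition in `nix/apps/fakessh/default.nix` would stop them from being dropped independently again: `services.openssh.ports = [ 2000 ];` and `deployment.targetPort = 2000;`. The enclosing `vps5` node definition starts before this hunk.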
diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix index b74d4b4..274321f 100644 --- a/nix/modules/default/default.nix +++ b/nix/modules/default/default.nix @@ -1,5 +1,10 @@ -{ pkgs, lib, config, name, pretense, quotdd, nixpkgs-path, ... }: { - deployment.targetHost = "${config.networking.hostName}.infra.noratrieb.dev"; +{ pkgs, lib, name, my-projects-versions, networkingConfig, nixpkgs-path, ... }: +let + pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz"); + quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz"); +in +{ + deployment.targetHost = "${name}.infra.noratrieb.dev"; imports = [ "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26 @@ -107,7 +112,7 @@ }; services.cadvisor = { enable = true; - listenAddress = "0.0.0.0"; # todo: $wg-ip + listenAddress = "0.0.0.0"; }; services.promtail = { enable = true; @@ -169,4 +174,6 @@ ]; }; }; + + deployment.tags = networkingConfig."${name}".tags; } diff --git a/nix/modules/dns/default.nix b/nix/modules/dns/default.nix index 3326e9a..815eed0 100644 --- a/nix/modules/dns/default.nix +++ b/nix/modules/dns/default.nix @@ -1,4 +1,6 @@ -{ pkgs, lib, networkingConfig, ... }: { +{ pkgs, lib, networkingConfig, ... }: +let metricsPort = 9433; in +{ # get the package for the debugging tools environment.systemPackages = with pkgs; [ knot-dns ]; @@ -40,9 +42,9 @@ }; }; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics + networking.firewall.interfaces.wg0.allowedTCPPorts = [ metricsPort ]; services.prometheus.exporters.knot = { enable = true; - port = 9433; + port = metricsPort; }; } diff --git a/nix/modules/garage/default.nix b/nix/modules/garage/default.nix index 0351b2c..e7f5331 100644 --- a/nix/modules/garage/default.nix 
+++ b/nix/modules/garage/default.nix @@ -1,4 +1,9 @@ -{ config, pkgs, name, ... }: { +{ config, pkgs, name, ... }: +let + rpcPort = 3901; + adminPort = 3903; +in +{ age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age; environment.systemPackages = with pkgs; [ @@ -6,8 +11,8 @@ ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ - 3901 # RPC - 3903 # admin for metrics + rpcPort + adminPort ]; services.garage = { @@ -24,8 +29,8 @@ # arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly. compression-level = 5; - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "${name}.local:3901"; + rpc_bind_addr = "[::]:${toString rpcPort}"; + rpc_public_addr = "${name}.local:${toString rpcPort}"; s3_api = { s3_region = "garage"; @@ -40,7 +45,7 @@ }; admin = { - api_bind_addr = "[::]:3903"; + api_bind_addr = "[::]:${toString adminPort}"; }; }; environmentFile = config.age.secrets.garage_secrets.path; diff --git a/nix/modules/prometheus/default.nix b/nix/modules/prometheus/default.nix index 094c719..b1e06da 100644 --- a/nix/modules/prometheus/default.nix +++ b/nix/modules/prometheus/default.nix 
@@ -1,96 +1,52 @@ -{ config, lib, ... }: { +{ config, lib, networkingConfig, ... }: { services.prometheus = { enable = true; globalConfig = { }; - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ - { targets = [ "localhost:9090" ]; } - ]; - } - { - job_name = "node"; - static_configs = [ - { targets = [ "dns1.local:9100" ]; } - { targets = [ "dns2.local:9100" ]; } - { targets = [ "vps1.local:9100" ]; } - { targets = [ "vps2.local:9100" ]; } - { targets = [ "vps3.local:9100" ]; } - { targets = [ "vps4.local:9100" ]; } - { targets = [ "vps5.local:9100" ]; } - ]; - } - { - job_name = "cadvisor"; - static_configs = [ - { targets = [ "dns1.local:8080" ]; } - { targets = [ "dns2.local:8080" ]; } - { targets = [ "vps1.local:8080" ]; } - { targets = [ "vps2.local:8080" ]; } - { targets = [ "vps3.local:8080" ]; } - { targets = [ "vps4.local:8080" ]; } - { targets = [ "vps5.local:8080" ]; } - ]; - } - { - job_name = "systemd"; - static_configs = [ - { targets = [ "dns1.local:9558" ]; } - { targets = [ "dns2.local:9558" ]; } - { targets = [ "vps1.local:9558" ]; } - { targets = [ "vps2.local:9558" ]; } - { targets = [ "vps3.local:9558" ]; } - { targets = [ "vps4.local:9558" ]; } - { targets = [ "vps5.local:9558" ]; } - ]; - } - { - job_name = "caddy"; - static_configs = [ - { targets = [ "vps1.local:9010" ]; } - { targets = [ "vps2.local:9010" ]; } - { targets = [ "vps3.local:9010" ]; } - { targets = [ "vps4.local:9010" ]; } - { targets = [ "vps5.local:9010" ]; } - ]; - } - { - job_name = "docker-registry"; - static_configs = [ - { targets = [ "vps1.local:9011" ]; } - ]; - } - { - job_name = "garage"; - static_configs = [ - { targets = [ "vps1.local:3903" ]; } - { targets = [ "vps2.local:3903" ]; } - { targets = [ "vps3.local:3903" ]; } - { targets = [ "vps4.local:3903" ]; } - { targets = [ "vps5.local:3903" ]; } - ]; - } - { - job_name = "knot"; - static_configs = [ - { targets = [ "dns1.local:9433" ]; } - { targets = [ "dns2.local:9433" ]; } - ]; - } - { 
- job_name = "pretense"; - static_configs = [ - { targets = [ "dns1.local:9150" ]; } - { targets = [ "dns2.local:9150" ]; } - { targets = [ "vps1.local:9150" ]; } - { targets = [ "vps2.local:9150" ]; } - { targets = [ "vps3.local:9150" ]; } - { targets = [ "vps4.local:9150" ]; } - { targets = [ "vps5.local:9150" ]; } - ]; - } - ]; + scrapeConfigs = + let hostsWithTag = tag: map (entry: entry.name) (builtins.filter (entry: builtins.elem tag entry.value.tags) (lib.attrsToList networkingConfig)); in + [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:9090" ]; } + ]; + } + { + job_name = "node"; + static_configs = [{ targets = map (name: "${name}.local:9100") (builtins.attrNames networkingConfig); }]; + } + { + job_name = "cadvisor"; + static_configs = [{ targets = map (name: "${name}.local:8080") (builtins.attrNames networkingConfig); }]; + + } + { + job_name = "systemd"; + static_configs = [{ targets = map (name: "${name}.local:9558") (builtins.attrNames networkingConfig); }]; + } + { + job_name = "caddy"; + static_configs = [{ targets = map (name: "${name}.local:9010") (hostsWithTag "apps"); }]; + } + { + job_name = "docker-registry"; + static_configs = [ + { targets = [ "vps1.local:9011" ]; } + ]; + } + { + job_name = "garage"; + static_configs = [{ targets = map (name: "${name}.local:3903") (hostsWithTag "apps"); }]; + } + { + job_name = "knot"; + static_configs = [{ targets = map (name: "${name}.local:9433") (hostsWithTag "dns"); }]; + } + { + job_name = "pretense"; + static_configs = [{ targets = map (name: "${name}.local:9150") (builtins.attrNames networkingConfig); }]; + } + ]; }; age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age; 
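Review bot: `hostsWithTag` reads `entry.value.tags` for every host in `networkingConfig`, so a node entry without a `tags` attribute aborts evaluation of the whole prometheus module instead of just being left out of the tagged jobs; `builtins.elem tag (entry.value.tags or [])` makes a missing attribute mean "no tags", which is what the previous hand-written lists expressed. The `cadvisor` entry also carries a stray blank line inside its attrset. `docker-registry` remains a hard-coded `vps1.local:9011`, which is fine if that is intended, but a tag would keep it consistent with the rest of the list. This hunk begins on the preceding source line.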
@@ -132,7 +88,7 @@ }; }; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3100 ]; # loki + networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ]; age.secrets.loki_env.file = ../../secrets/loki_env.age; systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path; services.loki = { diff --git a/nix/modules/registry/default.nix b/nix/modules/registry/default.nix index 13b1e97..a18c67c 100644 --- a/nix/modules/registry/default.nix +++ b/nix/modules/registry/default.nix @@ -10,9 +10,14 @@ }; }; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics + networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; - systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path; + systemd.services.docker-registry = { + serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path; + environment = { + OTEL_TRACES_EXPORTER = "none"; + }; + }; services.dockerRegistry = { enable = true; storagePath = null; diff --git a/nix/my-projects.json b/nix/my-projects.json index e1e8ac0..0fd82e9 100644 --- a/nix/my-projects.json +++ b/nix/my-projects.json @@ -5,5 +5,6 @@ "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d", "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548", "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1", - "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077" + "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077", + "cluelessh": "5f203d0f5ba2639043bd5bd1c3687c406d6abac1" } From 0d83cecc9fcfc6e5534117a8a52a2fd98bc67dd8 Mon Sep 17 00:00:00 2001 
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 16:46:39 +0200 Subject: [PATCH 06/10] retire --- .../cargo-bisect-rustc-service/default.nix | 35 ------------------- nix/deploy/smoke-tests.sh | 1 - nix/hive.nix | 1 - nix/modules/caddy/vps1.Caddyfile | 5 ++- nix/modules/dns/noratrieb.dev.nix | 4 ++- 5 files changed, 5 insertions(+), 41 deletions(-) delete mode 100644 nix/apps/cargo-bisect-rustc-service/default.nix diff --git a/nix/apps/cargo-bisect-rustc-service/default.nix b/nix/apps/cargo-bisect-rustc-service/default.nix deleted file mode 100644 index c9ae3d8..0000000 --- a/nix/apps/cargo-bisect-rustc-service/default.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ config, lib, ... }: -let - dockerLogin = { - registry = "docker.noratrieb.dev"; - username = "nils"; - passwordFile = config.age.secrets.docker_registry_password.path; - }; -in -{ - virtualisation.oci-containers.containers = { - cargo-bisect-rustc-service = { - image = "docker.noratrieb.dev/cargo-bisect-rustc-service:316a4044"; - volumes = [ - "/var/lib/cargo-bisect-rustc-service:/data" - ]; - environment = { - SQLITE_DB = "/data/db.sqlite"; - }; - ports = [ "127.0.0.1:5005:4000" ]; - login = dockerLogin; - }; - }; - - services.custom-backup.jobs = [ - { - app = "cargo-bisect-rustc-service"; - file = "/var/lib/cargo-bisect-rustc-service/db.sqlite"; - } - ]; - - system.activationScripts.makeCargoBisectRustcServiceDir = lib.stringAfter [ "var" ] '' - mkdir -p /var/lib/cargo-bisect-rustc-service/ - chmod ugo+w /var/lib/cargo-bisect-rustc-service/ - ''; -} diff --git a/nix/deploy/smoke-tests.sh b/nix/deploy/smoke-tests.sh index c97be0a..9cfe000 100755 --- a/nix/deploy/smoke-tests.sh +++ b/nix/deploy/smoke-tests.sh @@ -36,7 +36,6 @@ http_hosts=( vps3.infra.noratrieb.dev vps4.infra.noratrieb.dev vps5.infra.noratrieb.dev - bisect-rustc.noratrieb.dev docker.noratrieb.dev does-it-build.noratrieb.dev grafana.noratrieb.dev 
diff --git a/nix/hive.nix b/nix/hive.nix index 9e3708e..04cc30b 100644 --- a/nix/hive.nix +++ b/nix/hive.nix @@ -183,7 +183,6 @@ ./apps/widetom ./apps/hugo-chat ./apps/uptime - ./apps/cargo-bisect-rustc-service ./apps/killua ./apps/forgejo ./apps/openolat diff --git a/nix/modules/caddy/vps1.Caddyfile b/nix/modules/caddy/vps1.Caddyfile index b595537..691b7bd 100644 --- a/nix/modules/caddy/vps1.Caddyfile +++ b/nix/modules/caddy/vps1.Caddyfile @@ -24,8 +24,7 @@ api.hugo-chat.noratrieb.dev { bisect-rustc.noratrieb.dev { log - encode zstd gzip - reverse_proxy * localhost:5005 + redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service } docker.noratrieb.dev { @@ -85,7 +84,7 @@ blog.nilstrieb.dev { bisect-rustc.nilstrieb.dev { log - redir https://bisect-rustc.dev/blog{uri} permanent + redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent } docker.nilstrieb.dev { diff --git a/nix/modules/dns/noratrieb.dev.nix b/nix/modules/dns/noratrieb.dev.nix index dc52c14..b14b131 100644 --- a/nix/modules/dns/noratrieb.dev.nix +++ b/nix/modules/dns/noratrieb.dev.nix @@ -61,7 +61,6 @@ let }; # --- apps - bisect-rustc = vps1; docker = vps1; hugo-chat = vps1 // { subdomains.api = vps1; @@ -98,6 +97,9 @@ let _dmarc.TXT = [ "v=DMARC1; p=quarantine" ]; + + # retired + bisect-rustc = vps1; }; }; in From 1c94ed5f5d986804a70e226b4fb01500317da118 Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 17:03:25 +0200 Subject: [PATCH 07/10] widetom in systemd --- nix/apps/widetom/default.nix | 74 +++++++++++++++++++++--------------- nix/my-projects.json | 3 +- 2 files changed, 46 insertions(+), 31 deletions(-) diff --git a/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix index b58890c..45080a1 100644 --- a/nix/apps/widetom/default.nix +++ b/nix/apps/widetom/default.nix 
@@ -1,33 +1,47 @@ -{ config, ... }: { - age.secrets.widetom_bot_token.file = ../../secrets/widetom_bot_token.age; - age.secrets.widetom_config_toml.file = ../../secrets/widetom_config_toml.age; - - virtualisation.oci-containers.containers = { - /* - container_name: widetom - image: "docker.noratrieb.dev/widetom:33d17387" - restart: always - volumes: - - "/apps/widetom:/app/config" - environment: - CONFIG_PATH: /app/config/config.toml - BOT_TOKEN_PATH: /app/config/bot_token - */ - widetom = { - image = "docker.noratrieb.dev/widetom:33d17387"; - volumes = [ - "${config.age.secrets.widetom_config_toml.path}:/config.toml" - "${config.age.secrets.widetom_bot_token.path}:/token" - ]; - environment = { - CONFIG_PATH = "/config.toml"; - BOT_TOKEN_PATH = "/token"; - }; - login = { - registry = "docker.noratrieb.dev"; - username = "nils"; - passwordFile = config.age.secrets.docker_registry_password.path; - }; +{ config, pkgs, lib, my-projects-versions, ... }: +let + widetom = pkgs.rustPlatform.buildRustPackage { + src = pkgs.fetchFromGitHub { + owner = "Noratrieb"; + repo = "widetom"; + rev = my-projects-versions.widetom; + hash = "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8="; + }; + pname = "widetom"; + version = "0.1.0"; + cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE="; + meta = { + mainProgram = "widertom"; }; }; +in +{ + age.secrets.widetom_bot_token = { + file = ../../secrets/widetom_bot_token.age; + owner = config.users.users.widetom.name; + }; + age.secrets.widetom_config_toml = { + file = ../../secrets/widetom_config_toml.age; + owner = config.users.users.widetom.name; + }; + + systemd.services.widetom = { + description = "widetom, the extremely funny discord bot"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path; + CONFIG_PATH = config.age.secrets.widetom_config_toml.path; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = 
lib.getExe widetom; + }; + }; + + users.users.widetom = { + group = "widetom"; + isSystemUser = true; + }; + users.groups.widetom = { }; } diff --git a/nix/my-projects.json b/nix/my-projects.json index 0fd82e9..bf6a386 100644 --- a/nix/my-projects.json +++ b/nix/my-projects.json @@ -6,5 +6,6 @@ "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548", "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1", "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077", - "cluelessh": "5f203d0f5ba2639043bd5bd1c3687c406d6abac1" + "cluelessh": "c711cd405da4b7951e554577d09c9576bedf7970", + "widetom": "33d1738799618d72fe2b86896f766cbfea58dc76" } From 0d9250c75c135a85db91916d1e666b8f5d48f68c Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 17:08:05 +0200 Subject: [PATCH 08/10] retire uptime --- nix/apps/uptime/default.nix | 42 -------------------------------- nix/apps/uptime/uptime.json | 5 ---- nix/deploy/smoke-tests.sh | 1 - nix/hive.nix | 1 - nix/modules/caddy/vps1.Caddyfile | 23 +++++++++-------- 5 files changed, 11 insertions(+), 61 deletions(-) delete mode 100644 nix/apps/uptime/default.nix delete mode 100644 nix/apps/uptime/uptime.json diff --git a/nix/apps/uptime/default.nix b/nix/apps/uptime/default.nix deleted file mode 100644 index 7552789..0000000 --- a/nix/apps/uptime/default.nix +++ /dev/null 
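Review bot: `meta.mainProgram = "widertom"` does not match `pname = "widetom"`, and `ExecStart = lib.getExe widetom;` resolves the binary through `mainProgram`, so if the crate's bin target is actually `widetom` the unit fails on its first start; only the Cargo manifest can settle which spelling is right, and pointing at it explicitly with `ExecStart = lib.getExe' widetom "widetom";` makes the assumption visible either way. `DynamicUser = true` is also combined with a static `users.users.widetom`; as far as I know systemd reuses an existing account of that name rather than allocating one, and the static account is what lets the agenix `owner` lines resolve, but a one-line comment such as `# static user kept so the age secrets can be owned by it; DynamicUser reuses it` would keep the next reader from removing one half. This hunk begins on the preceding source line.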
@@ -1,42 +0,0 @@ -{ lib, config, ... }: { - virtualisation.oci-containers.containers.uptime = { - /* - uptime: - container_name: uptime - image: "docker.noratrieb.dev/uptime:50d15bc4" - restart: always - volumes: - - "/apps/uptime:/app/config" - environment: - UPTIME_CONFIG_PATH: /app/config/uptime.json - ports: - - "5010:3000" - */ - - image = "docker.noratrieb.dev/uptime:50d15bc4"; - volumes = [ - "${./uptime.json}:/uptime.json" - "/var/lib/uptime:/data" - ]; - environment = { - UPTIME_CONFIG_PATH = "/uptime.json"; - }; - ports = [ "127.0.0.1:5010:3000" ]; - login = { - registry = "docker.noratrieb.dev"; - username = "nils"; - passwordFile = config.age.secrets.docker_registry_password.path; - }; - }; - - services.custom-backup.jobs = [ - { - app = "uptime"; - file = "/var/lib/uptime/uptime.db"; - } - ]; - - system.activationScripts.makeUptimeDir = lib.stringAfter [ "var" ] '' - mkdir -p /var/lib/uptime/ - ''; -} diff --git a/nix/apps/uptime/uptime.json b/nix/apps/uptime/uptime.json deleted file mode 100644 index 35da4ff..0000000 --- a/nix/apps/uptime/uptime.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "interval_seconds": 30, - "db_url": "/data/uptime.db", - "websites": [] -} diff --git a/nix/deploy/smoke-tests.sh b/nix/deploy/smoke-tests.sh index 9cfe000..84107f9 100755 --- a/nix/deploy/smoke-tests.sh +++ b/nix/deploy/smoke-tests.sh @@ -41,7 +41,6 @@ http_hosts=( grafana.noratrieb.dev hugo-chat.noratrieb.dev api.hugo-chat.noratrieb.dev/api/v2/rooms - uptime.noratrieb.dev www.noratrieb.dev # legacy: diff --git a/nix/hive.nix b/nix/hive.nix index 04cc30b..1d61ebc 100644 --- a/nix/hive.nix +++ b/nix/hive.nix @@ -182,7 +182,6 @@ # apps ./apps/widetom ./apps/hugo-chat - ./apps/uptime ./apps/killua ./apps/forgejo ./apps/openolat diff --git a/nix/modules/caddy/vps1.Caddyfile b/nix/modules/caddy/vps1.Caddyfile index 691b7bd..4b3c58f 100644 --- a/nix/modules/caddy/vps1.Caddyfile +++ b/nix/modules/caddy/vps1.Caddyfile 
@@ -3,12 +3,6 @@ www.noratrieb.dev { redir https://noratrieb.dev{uri} permanent } -uptime.noratrieb.dev { - log - encode zstd gzip - reverse_proxy * localhost:5010 -} - hugo-chat.noratrieb.dev { log encode zstd gzip @@ -22,11 +16,6 @@ api.hugo-chat.noratrieb.dev { reverse_proxy * localhost:5001 } -bisect-rustc.noratrieb.dev { - log - redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service -} - docker.noratrieb.dev { log reverse_proxy * localhost:5000 @@ -60,7 +49,17 @@ upload.files.noratrieb.dev { } ################################################################ -# redirects +# retired + +bisect-rustc.noratrieb.dev { + log + redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service +} + +uptime.noratrieb.dev { + log + redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime +} blog.noratrieb.dev { log From ac2678fcdd5145cff96cfe6f1c6339c51cf9db7a Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 17:22:52 +0200 Subject: [PATCH 09/10] systemd killua --- nix/apps/killua/default.nix | 38 ++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/nix/apps/killua/default.nix b/nix/apps/killua/default.nix index ce6b7be..a9d23db 100644 --- a/nix/apps/killua/default.nix +++ b/nix/apps/killua/default.nix 
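Review bot: The `# redirects` heading in the last hunk is renamed to `# retired`, but the `blog.noratrieb.dev` block that follows it (continuing past the hunk) is still a plain redirect and now sits under a label that no longer describes it; keeping `# redirects` there and placing a separate `# retired` heading above the two new blocks would keep the section labels accurate. The two retired hosts also use a bare `redir`, which Caddy serves as a temporary redirect, whereas the `www.noratrieb.dev` block in the first hunk uses `permanent`; if these hostnames are gone for good, `redir <url> permanent` states that intent and lets clients cache it.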
@@ -1,23 +1,27 @@ -{ config, lib, ... }: -let dataDir = "/var/lib/killua"; in +{ config, lib, pkgs, ... }: +let + jarfile = pkgs.fetchurl { + url = + "https://github.com/Noratrieb/killua-bot/releases/download/2023-08-26/KilluaBot.jar"; + hash = "sha256-LUABYq6cRhLTLyZVzkIjIFHERcb7YQTzyAGaJB49Mxk="; + }; + dataDir = "/var/lib/killua"; +in { age.secrets.killua_env.file = ../../secrets/killua_env.age; - virtualisation.oci-containers.containers = { - killua = { - image = "docker.noratrieb.dev/killua-bot:ac8203d2"; - volumes = [ - "${dataDir}:/data" - ]; - environment = { - KILLUA_JSON_PATH = "/data/trivia_questions.json"; - }; - environmentFiles = [ config.age.secrets.killua_env.path ]; - login = { - registry = "docker.noratrieb.dev"; - username = "nils"; - passwordFile = config.age.secrets.docker_registry_password.path; - }; + systemd.services.killua = { + description = "killua, an awesome discord bot"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path; + CONFIG_PATH = config.age.secrets.widetom_config_toml.path; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${lib.getExe' pkgs.jdk17 "java"} -jar ${jarfile}"; + EnvironmentFile = [ config.age.secrets.killua_env.path ]; }; }; From f3326c4310fcbbcd2eb7ff29bc58b89d662ecccf Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Sun, 3 Aug 2025 18:13:34 +0200 Subject: [PATCH 10/10] decrease cpu usage --- nix/modules/default/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix index 274321f..9acbd60 100644 --- a/nix/modules/default/default.nix +++ b/nix/modules/default/default.nix 
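Review bot: The new `environment` block points killua at widetom's secrets (`BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;` and `CONFIG_PATH = config.age.secrets.widetom_config_toml.path;`), which looks copied from the widetom module: killua's own configuration is already supplied through `EnvironmentFile`, and the removed container instead set `KILLUA_JSON_PATH`, which the new unit drops entirely. Each service should be wired only to its own secrets, so the block should probably become `environment = { KILLUA_JSON_PATH = "${dataDir}/trivia_questions.json"; };`, which also gives the otherwise unreferenced `dataDir` binding a purpose within this hunk. With `DynamicUser = true` the service is unlikely to be able to write under `/var/lib/killua` unless `StateDirectory = "killua";` is added to `serviceConfig` — worth confirming whether the bot persists anything there. The enclosing attribute set continues past the end of the hunk.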
@@ -113,6 +113,10 @@ in
 services.cadvisor = {
 enable = true;
 listenAddress = "0.0.0.0";
+ extraOptions = [
+ # significantly decreases CPU usage (https://github.com/google/cadvisor/issues/2523)
+ "--housekeeping_interval=30s"
+ ];
 };
 services.promtail = {
 enable = true;