Noratrieb/vps
1
0
Fork 0
mirror of https://github.com/Noratrieb/vps.git synced 2026-03-14 21:26:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: Noratrieb:d8a05d949af2778c436628cf5944eca383d5ba4b
Branches Tags
Noratrieb:main
Noratrieb:dynamic-dns-updates
Noratrieb:ipv6
Noratrieb:mail
Noratrieb:nixos
Noratrieb:email
...
compare: Noratrieb:f3326c4310fcbbcd2eb7ff29bc58b89d662ecccf
Branches Tags
Noratrieb:main
Noratrieb:dynamic-dns-updates
Noratrieb:ipv6
Noratrieb:mail
Noratrieb:nixos
Noratrieb:email

10 commits
d8a05d949a ... f3326c4310

Author SHA1 Message Date
Noratrieb
f3326c4310 decrease cpu usage 2025-08-03 18:13:34 +02:00
Noratrieb
ac2678fcdd systemd killua 2025-08-03 17:22:52 +02:00
Noratrieb
0d9250c75c retire uptime 2025-08-03 17:08:05 +02:00
Noratrieb
1c94ed5f5d widetom in systemd 2025-08-03 17:03:25 +02:00
Noratrieb
0d83cecc9f retire 2025-08-03 16:46:39 +02:00
Noratrieb
a4e5e3720b cleanup 2025-08-03 16:37:18 +02:00
Noratrieb
beb86b7ea9 METRICS 2025-08-03 15:17:43 +02:00
Noratrieb
61d4c9a3d3 sunset uptimew 2025-08-03 14:22:02 +02:00
Noratrieb
43d6682e7e garage 2.0 2025-08-03 14:16:14 +02:00
Noratrieb
9dc90dacf7 update to 25.05 2025-08-03 14:03:46 +02:00
23 changed files with 259 additions and 348 deletions
Download patch file Download diff file Expand all files Collapse all files

14
debug.html
View file

@ -1,14 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>nora's server</title>
</head>
<body>
<h1>congrats, you landed on my server (0% NixOS) directly!?</h1>
<p>sorry, but there isn't anything cool here. this is <b>my</b> infra, you are not allowed here.</p>
<p>if you do want to be allowed here, then uh.. still no.</p>
<p>:3</p>
</body>
</html>

35
nix/apps/cargo-bisect-rustc-service/default.nix
View file

@ -1,35 +0,0 @@
{ config, lib, ... }:
let
dockerLogin = {
registry = "docker.noratrieb.dev";
username = "nils";
passwordFile = config.age.secrets.docker_registry_password.path;
};
in
{
virtualisation.oci-containers.containers = {
cargo-bisect-rustc-service = {
image = "docker.noratrieb.dev/cargo-bisect-rustc-service:316a4044";
volumes = [
"/var/lib/cargo-bisect-rustc-service:/data"
];
environment = {
SQLITE_DB = "/data/db.sqlite";
};
ports = [ "127.0.0.1:5005:4000" ];
login = dockerLogin;
};
};
services.custom-backup.jobs = [
{
app = "cargo-bisect-rustc-service";
file = "/var/lib/cargo-bisect-rustc-service/db.sqlite";
}
];
system.activationScripts.makeCargoBisectRustcServiceDir = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/cargo-bisect-rustc-service/
chmod ugo+w /var/lib/cargo-bisect-rustc-service/
'';
}

8
nix/apps/does-it-build/default.nix
View file

@ -1,7 +1,7 @@
{ pkgs, lib, does-it-build, my-projects-versions, ... }:
{ pkgs, lib, my-projects-versions, ... }:
let
does-it-build-base = does-it-build { inherit pkgs; };
does-it-build-with-commit = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
does-it-build-base = (import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz")) { inherit pkgs; };
does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build;
});
in
@ -15,7 +15,7 @@ in
serviceConfig = {
User = "does-it-build";
Group = "does-it-build";
ExecStart = "${lib.getExe' (does-it-build-with-commit) "does-it-build" }";
ExecStart = "${lib.getExe' (does-it-build) "does-it-build" }";
Environment = "DB_PATH=/var/lib/does-it-build/db.sqlite";
};
};

29
nix/apps/fakessh/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, pkgs, my-projects-versions, ... }:
let cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${my-projects-versions.cluelessh}.tar.gz");
in
{
systemd.services.fakessh = {
description = "cluelessh-faked ssh honeypot";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
# i really don't trust this.
DynamicUser = true;
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
MemoryHigh = "100M";
MemoryMax = "200M";
# config
Environment = [
"FAKESSH_LISTEN_ADDR=0.0.0.0:22"
"RUST_LOG=debug"
#"FAKESSH_JSON_LOGS=1"
];
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}

38
nix/apps/killua/default.nix
View file

@ -1,23 +1,27 @@
{ config, lib, ... }:
let dataDir = "/var/lib/killua"; in
{ config, lib, pkgs, ... }:
let
jarfile = pkgs.fetchurl {
url =
"https://github.com/Noratrieb/killua-bot/releases/download/2023-08-26/KilluaBot.jar";
hash = "sha256-LUABYq6cRhLTLyZVzkIjIFHERcb7YQTzyAGaJB49Mxk=";
};
dataDir = "/var/lib/killua";
in
{
age.secrets.killua_env.file = ../../secrets/killua_env.age;
virtualisation.oci-containers.containers = {
killua = {
image = "docker.noratrieb.dev/killua-bot:ac8203d2";
volumes = [
"${dataDir}:/data"
];
environment = {
KILLUA_JSON_PATH = "/data/trivia_questions.json";
};
environmentFiles = [ config.age.secrets.killua_env.path ];
login = {
registry = "docker.noratrieb.dev";
username = "nils";
passwordFile = config.age.secrets.docker_registry_password.path;
};
systemd.services.killua = {
description = "killua, an awesome discord bot";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
};
serviceConfig = {
DynamicUser = true;
ExecStart = "${lib.getExe' pkgs.jdk17 "java"} -jar ${jarfile}";
EnvironmentFile = [ config.age.secrets.killua_env.path ];
};
};

4
nix/apps/upload-files/default.nix
View file

@ -1,4 +1,6 @@
{ upload-files, pkgs, lib, config, ... }: {
{ my-projects-versions, pkgs, lib, config, ... }:
let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); in
{
age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age;
systemd.services.upload-files = {

42
nix/apps/uptime/default.nix
View file

@ -1,42 +0,0 @@
{ lib, config, ... }: {
virtualisation.oci-containers.containers.uptime = {
/*
uptime:
container_name: uptime
image: "docker.noratrieb.dev/uptime:50d15bc4"
restart: always
volumes:
- "/apps/uptime:/app/config"
environment:
UPTIME_CONFIG_PATH: /app/config/uptime.json
ports:
- "5010:3000"
*/
image = "docker.noratrieb.dev/uptime:50d15bc4";
volumes = [
"${./uptime.json}:/uptime.json"
"/var/lib/uptime:/data"
];
environment = {
UPTIME_CONFIG_PATH = "/uptime.json";
};
ports = [ "127.0.0.1:5010:3000" ];
login = {
registry = "docker.noratrieb.dev";
username = "nils";
passwordFile = config.age.secrets.docker_registry_password.path;
};
};
services.custom-backup.jobs = [
{
app = "uptime";
file = "/var/lib/uptime/uptime.db";
}
];
system.activationScripts.makeUptimeDir = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/uptime/
'';
}

50
nix/apps/uptime/uptime.json
View file

@ -1,50 +0,0 @@
{
"interval_seconds": 30,
"db_url": "/data/uptime.db",
"websites": [
{
"name": "noratrieb.dev",
"url": "https://noratrieb.dev"
},
{
"name": "nilstrieb.dev",
"url": "https://nilstrieb.dev"
},
{
"name": "docker.nilstrieb.dev",
"url": "https://docker.noratrieb.dev"
},
{
"name": "vps1.nilstrieb.dev",
"url": "https://vps1.infra.noratrieb.dev"
},
{
"name": "vps2.nilstrieb.dev",
"url": "https://vps2.nilstrieb.dev"
},
{
"name": "bisect-rustc.nilstrieb.dev",
"url": "https://bisect-rustc.noratrieb.dev"
},
{
"name": "hugo-chat.nilstrieb.dev",
"url": "https://hugo-chat.noratrieb.dev"
},
{
"name": "api.hugo-chat.nilstrieb.dev",
"url": "https://api.hugo-chat.noratrieb.dev/api/v2/rooms"
},
{
"name": "cors-school.nilstrieb.dev",
"url": "https://cors-school.nilstrieb.dev"
},
{
"name": "api.cors-school.nilstrieb.dev",
"url": "https://api.cors-school.nilstrieb.dev/api/hugo"
},
{
"name": "olat.nilstrieb.dev",
"url": "https://olat.nilstrieb.dev/dmz/"
}
]
}

74
nix/apps/widetom/default.nix
View file

@ -1,33 +1,47 @@
{ config, ... }: {
age.secrets.widetom_bot_token.file = ../../secrets/widetom_bot_token.age;
age.secrets.widetom_config_toml.file = ../../secrets/widetom_config_toml.age;
virtualisation.oci-containers.containers = {
/*
container_name: widetom
image: "docker.noratrieb.dev/widetom:33d17387"
restart: always
volumes:
- "/apps/widetom:/app/config"
environment:
CONFIG_PATH: /app/config/config.toml
BOT_TOKEN_PATH: /app/config/bot_token
*/
widetom = {
image = "docker.noratrieb.dev/widetom:33d17387";
volumes = [
"${config.age.secrets.widetom_config_toml.path}:/config.toml"
"${config.age.secrets.widetom_bot_token.path}:/token"
];
environment = {
CONFIG_PATH = "/config.toml";
BOT_TOKEN_PATH = "/token";
};
login = {
registry = "docker.noratrieb.dev";
username = "nils";
passwordFile = config.age.secrets.docker_registry_password.path;
};
{ config, pkgs, lib, my-projects-versions, ... }:
let
widetom = pkgs.rustPlatform.buildRustPackage {
src = pkgs.fetchFromGitHub {
owner = "Noratrieb";
repo = "widetom";
rev = my-projects-versions.widetom;
hash = "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8=";
};
pname = "widetom";
version = "0.1.0";
cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE=";
meta = {
mainProgram = "widertom";
};
};
in
{
age.secrets.widetom_bot_token = {
file = ../../secrets/widetom_bot_token.age;
owner = config.users.users.widetom.name;
};
age.secrets.widetom_config_toml = {
file = ../../secrets/widetom_config_toml.age;
owner = config.users.users.widetom.name;
};
systemd.services.widetom = {
description = "widetom, the extremely funny discord bot";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
};
serviceConfig = {
DynamicUser = true;
ExecStart = lib.getExe widetom;
};
};
users.users.widetom = {
group = "widetom";
isSystemUser = true;
};
users.groups.widetom = { };
}

2
nix/deploy/smoke-tests.sh
View file

@ -36,13 +36,11 @@ http_hosts=(
vps3.infra.noratrieb.dev
vps4.infra.noratrieb.dev
vps5.infra.noratrieb.dev
bisect-rustc.noratrieb.dev
docker.noratrieb.dev
does-it-build.noratrieb.dev
grafana.noratrieb.dev
hugo-chat.noratrieb.dev
api.hugo-chat.noratrieb.dev/api/v2/rooms
uptime.noratrieb.dev
www.noratrieb.dev
# legacy:

65
nix/hive.nix
View file

@ -1,9 +1,8 @@
{
meta =
let
my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
nixpkgs-hash = "50ab793786d9de88ee30ec4e4c24fb4236fc2674"; # nixos-24.11 2025-07-27
nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-hash}.tar.gz");
nixpkgs-version = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz");
in
{
# Override to pin the Nixpkgs version (recommended). This option
@ -14,15 +13,7 @@
nixpkgs = import nixpkgs-path;
specialArgs = {
website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
does-it-build = import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz");
upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz");
inherit my-projects-versions;
my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
inherit nixpkgs-path;
@ -35,6 +26,7 @@
publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4=";
peers = [ "vps3" ];
};
tags = [ "dns" ];
};
dns2 = {
publicIPv4 = "128.140.3.7";
@ -46,6 +38,7 @@
publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc=";
peers = [ "vps3" ];
};
tags = [ "dns" ];
};
vps1 = {
publicIPv4 = "161.97.165.1";
@ -55,6 +48,7 @@
publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
peers = [ "vps2" "vps3" "vps4" "vps5" ];
};
tags = [ "apps" ];
};
vps2 = {
publicIPv4 = "184.174.32.252";
@ -64,6 +58,7 @@
publicKey = "SficHHJ0ynpZoGah5heBpNKnEVIVrgs72Z5HEKd3jHA=";
peers = [ "vps1" "vps3" "vps4" "vps5" ];
};
tags = [ "apps" ];
};
vps3 = {
publicIPv4 = "134.255.181.139";
@ -73,6 +68,7 @@
publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
peers = [ "vps1" "vps2" "vps4" "vps5" "dns1" "dns2" ];
};
tags = [ "apps" ];
};
vps4 = {
publicIPv4 = "195.201.147.17";
@ -84,6 +80,7 @@
publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs=";
peers = [ "vps1" "vps2" "vps3" "vps5" ];
};
tags = [ "apps" ];
};
vps5 = {
publicIPv4 = "45.94.209.30";
@ -93,6 +90,7 @@
publicKey = "r1cwt63fcOR+FTqMTUpZdK4/MxpalkDYRHXyy7osWUk=";
peers = [ "vps1" "vps2" "vps3" "vps4" ];
};
tags = [ "apps" ];
};
};
};
@ -120,9 +118,6 @@
./modules/wg-mesh
];
# The name and nodes parameters are supported in Colmena,
# allowing you to reference configurations in other nodes.
deployment.tags = [ "dns" "us" ];
system.stateVersion = "23.11";
};
dns2 = { name, nodes, modulesPath, lib, ... }: {
@ -132,7 +127,6 @@
./modules/wg-mesh
];
deployment.tags = [ "dns" "eu" "hetzner" ];
system.stateVersion = "23.11";
boot.loader.grub.device = "/dev/sda";
@ -188,15 +182,12 @@
# apps
./apps/widetom
./apps/hugo-chat
./apps/uptime
./apps/cargo-bisect-rustc-service
./apps/killua
./apps/forgejo
./apps/openolat
./apps/upload-files
];
deployment.tags = [ "caddy" "eu" "apps" "website" ];
system.stateVersion = "23.11";
};
# VPS2 exists
@ -209,7 +200,6 @@
./modules/garage
];
deployment.tags = [ "caddy" "eu" "apps" ];
system.stateVersion = "23.11";
};
# VPS3 is the primary monitoring/metrics server.
@ -223,7 +213,6 @@
./modules/prometheus
];
deployment.tags = [ "eu" "apps" "website" ];
system.stateVersion = "23.11";
};
# VPS4 exists. It's useful for garage replication and runs does-it-build which uses some CPU.
@ -239,7 +228,6 @@
./apps/does-it-build
];
deployment.tags = [ "eu" "apps" "hetzner" "website" ];
system.stateVersion = "23.11";
boot.loader.grub.device = "/dev/sda";
@ -282,10 +270,6 @@
};
# VPS5 is the primary test server, where new things are being deployed that could break stuff maybe.
vps5 = { name, nodes, modulesPath, config, pkgs, lib, ... }:
let
commit = "5f203d0f5ba2639043bd5bd1c3687c406d6abac1";
cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${commit}.tar.gz");
in
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
@ -293,37 +277,12 @@
./modules/caddy
./modules/wg-mesh
./modules/garage
./apps/fakessh
];
services.openssh.ports = [ 2000 ];
systemd.services.fakessh = {
description = "cluelessh-faked ssh honeypot";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
# i really don't trust this.
DynamicUser = true;
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
MemoryHigh = "100M";
MemoryMax = "200M";
# config
Environment = [
"FAKESSH_LISTEN_ADDR=0.0.0.0:22"
"RUST_LOG=debug"
#"FAKESSH_JSON_LOGS=1"
];
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
deployment.targetPort = 2000;
deployment.tags = [ "eu" "apps" ];
system.stateVersion = "23.11";
};
}

8
nix/modules/caddy/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, lib, name, website, slides, blog, ... }:
{ pkgs, config, lib, name, my-projects-versions, ... }:
let
caddy = pkgs.callPackage ./caddy-build.nix {
@ -11,6 +11,10 @@ let
];
vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
};
website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
website-build = website { inherit pkgs slides blog; };
in
{
environment.systemPackages = [ caddy ];
@ -62,7 +66,7 @@ in
header -Last-Modified
root * ${import ./caddy-static-prepare {
name = "website";
src = website { inherit pkgs slides blog; };
src = website-build;
inherit pkgs lib;
}}
file_server {

26
nix/modules/caddy/vps1.Caddyfile
View file

@ -3,12 +3,6 @@ www.noratrieb.dev {
redir https://noratrieb.dev{uri} permanent
}
uptime.noratrieb.dev {
log
encode zstd gzip
reverse_proxy * localhost:5010
}
hugo-chat.noratrieb.dev {
log
encode zstd gzip
@ -22,12 +16,6 @@ api.hugo-chat.noratrieb.dev {
reverse_proxy * localhost:5001
}
bisect-rustc.noratrieb.dev {
log
encode zstd gzip
reverse_proxy * localhost:5005
}
docker.noratrieb.dev {
log
reverse_proxy * localhost:5000
@ -61,7 +49,17 @@ upload.files.noratrieb.dev {
}
################################################################
# redirects
# retired
bisect-rustc.noratrieb.dev {
log
redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service
}
uptime.noratrieb.dev {
log
redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime
}
blog.noratrieb.dev {
log
@ -85,7 +83,7 @@ blog.nilstrieb.dev {
bisect-rustc.nilstrieb.dev {
log
redir https://bisect-rustc.dev/blog{uri} permanent
redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent
}
docker.nilstrieb.dev {

24
nix/modules/default/default.nix
View file

@ -1,5 +1,10 @@
{ pkgs, lib, config, name, pretense, quotdd, nixpkgs-path, ... }: {
deployment.targetHost = "${config.networking.hostName}.infra.noratrieb.dev";
{ pkgs, lib, name, my-projects-versions, networkingConfig, nixpkgs-path, ... }:
let
pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
in
{
deployment.targetHost = "${name}.infra.noratrieb.dev";
imports = [
"${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26
@ -92,13 +97,26 @@
# monitoring
networking.firewall.interfaces.wg0.allowedTCPPorts = [
8080 # cadvisor exporter
9100 # node exporter
9150 # pretense exporter
9558 # systemd exporter
];
services.prometheus.exporters = {
node = {
enable = true;
};
systemd = {
enable = true;
};
};
services.cadvisor = {
enable = true;
listenAddress = "0.0.0.0";
extraOptions = [
# significantly decreases CPU usage (https://github.com/google/cadvisor/issues/2523)
"--housekeeping_interval=30s"
];
};
services.promtail = {
enable = true;
@ -160,4 +178,6 @@
];
};
};
deployment.tags = networkingConfig."${name}".tags;
}

8
nix/modules/dns/default.nix
View file

@ -1,4 +1,6 @@
{ pkgs, lib, networkingConfig, ... }: {
{ pkgs, lib, networkingConfig, ... }:
let metricsPort = 9433; in
{
# get the package for the debugging tools
environment.systemPackages = with pkgs; [ knot-dns ];
@ -40,9 +42,9 @@
};
};
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics
networking.firewall.interfaces.wg0.allowedTCPPorts = [ metricsPort ];
services.prometheus.exporters.knot = {
enable = true;
port = 9433;
port = metricsPort;
};
}

4
nix/modules/dns/noratrieb.dev.nix
View file

@ -61,7 +61,6 @@ let
};
# --- apps
bisect-rustc = vps1;
docker = vps1;
hugo-chat = vps1 // {
subdomains.api = vps1;
@ -98,6 +97,9 @@ let
_dmarc.TXT = [
"v=DMARC1; p=quarantine"
];
# retired
bisect-rustc = vps1;
};
};
in

19
nix/modules/garage/default.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, name, ... }: {
{ config, pkgs, name, ... }:
let
rpcPort = 3901;
adminPort = 3903;
in
{
age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
environment.systemPackages = with pkgs; [
@ -6,13 +11,13 @@
];
networking.firewall.interfaces.wg0.allowedTCPPorts = [
3901 # RPC
3903 # admin for metrics
rpcPort
adminPort
];
services.garage = {
enable = true;
package = pkgs.garage_1_1_0;
package = pkgs.garage_2_0_0;
settings = {
metadata_dir = "/var/lib/garage/meta";
data_dir = "/var/lib/garage/data";
@ -24,8 +29,8 @@
# arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly.
compression-level = 5;
rpc_bind_addr = "[::]:3901";
rpc_public_addr = "${name}.local:3901";
rpc_bind_addr = "[::]:${toString rpcPort}";
rpc_public_addr = "${name}.local:${toString rpcPort}";
s3_api = {
s3_region = "garage";
@ -40,7 +45,7 @@
};
admin = {
api_bind_addr = "[::]:3903";
api_bind_addr = "[::]:${toString adminPort}";
};
};
environmentFile = config.age.secrets.garage_secrets.path;

114
nix/modules/prometheus/default.nix
View file

@ -1,72 +1,52 @@
{ config, lib, ... }: {
{ config, lib, networkingConfig, ... }: {
services.prometheus = {
enable = true;
globalConfig = { };
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [
{ targets = [ "localhost:9090" ]; }
];
}
{
job_name = "node";
static_configs = [
{ targets = [ "dns1.local:9100" ]; }
{ targets = [ "dns2.local:9100" ]; }
{ targets = [ "vps1.local:9100" ]; }
{ targets = [ "vps2.local:9100" ]; }
{ targets = [ "vps3.local:9100" ]; }
{ targets = [ "vps4.local:9100" ]; }
{ targets = [ "vps5.local:9100" ]; }
];
}
{
job_name = "caddy";
static_configs = [
{ targets = [ "vps1.local:9010" ]; }
{ targets = [ "vps2.local:9010" ]; }
{ targets = [ "vps3.local:9010" ]; }
{ targets = [ "vps4.local:9010" ]; }
{ targets = [ "vps5.local:9010" ]; }
];
}
{
job_name = "docker-registry";
static_configs = [
{ targets = [ "vps1.local:9011" ]; }
];
}
{
job_name = "garage";
static_configs = [
{ targets = [ "vps1.local:3903" ]; }
{ targets = [ "vps2.local:3903" ]; }
{ targets = [ "vps3.local:3903" ]; }
{ targets = [ "vps4.local:3903" ]; }
{ targets = [ "vps5.local:3903" ]; }
];
}
{
job_name = "knot";
static_configs = [
{ targets = [ "dns1.local:9433" ]; }
{ targets = [ "dns2.local:9433" ]; }
];
}
{
job_name = "pretense";
static_configs = [
{ targets = [ "dns1.local:9150" ]; }
{ targets = [ "dns2.local:9150" ]; }
{ targets = [ "vps1.local:9150" ]; }
{ targets = [ "vps2.local:9150" ]; }
{ targets = [ "vps3.local:9150" ]; }
{ targets = [ "vps4.local:9150" ]; }
{ targets = [ "vps5.local:9150" ]; }
];
}
];
scrapeConfigs =
let hostsWithTag = tag: map (entry: entry.name) (builtins.filter (entry: builtins.elem tag entry.value.tags) (lib.attrsToList networkingConfig)); in
[
{
job_name = "prometheus";
static_configs = [
{ targets = [ "localhost:9090" ]; }
];
}
{
job_name = "node";
static_configs = [{ targets = map (name: "${name}.local:9100") (builtins.attrNames networkingConfig); }];
}
{
job_name = "cadvisor";
static_configs = [{ targets = map (name: "${name}.local:8080") (builtins.attrNames networkingConfig); }];
}
{
job_name = "systemd";
static_configs = [{ targets = map (name: "${name}.local:9558") (builtins.attrNames networkingConfig); }];
}
{
job_name = "caddy";
static_configs = [{ targets = map (name: "${name}.local:9010") (hostsWithTag "apps"); }];
}
{
job_name = "docker-registry";
static_configs = [
{ targets = [ "vps1.local:9011" ]; }
];
}
{
job_name = "garage";
static_configs = [{ targets = map (name: "${name}.local:3903") (hostsWithTag "apps"); }];
}
{
job_name = "knot";
static_configs = [{ targets = map (name: "${name}.local:9433") (hostsWithTag "dns"); }];
}
{
job_name = "pretense";
static_configs = [{ targets = map (name: "${name}.local:9150") (builtins.attrNames networkingConfig); }];
}
];
};
age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age;
@ -108,7 +88,7 @@
};
};
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3100 ]; # loki
networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
age.secrets.loki_env.file = ../../secrets/loki_env.age;
systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path;
services.loki = {

9
nix/modules/registry/default.nix
View file

@ -10,9 +10,14 @@
};
};
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ];
systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
systemd.services.docker-registry = {
serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
environment = {
OTEL_TRACES_EXPORTER = "none";
};
};
services.dockerRegistry = {
enable = true;
storagePath = null;

4
nix/my-projects.json
View file

@ -5,5 +5,7 @@
"pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
"quotdd": "e922229e1d9e055be35dabd112bafc87a0686548",
"does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1",
"upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077"
"upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077",
"cluelessh": "c711cd405da4b7951e554577d09c9576bedf7970",
"widetom": "33d1738799618d72fe2b86896f766cbfea58dc76"
}

5
nix/nixpkgs.json Normal file
View file

@ -0,0 +1,5 @@
{
"channel": "nixos-25.05",
"lastUpdated": "2025-08-03T11:42:11.747Z",
"commit": "59e69648d345d6e8fef86158c555730fa12af9de"
}

2
update-my-projects.mjs → nix/update-my-projects.mjs
View file

@ -1,6 +1,6 @@
import fs from "node:fs/promises";
const path = `${import.meta.dirname}/nix/my-projects.json`;
const path = `${import.meta.dirname}/my-projects.json`;
const projects = JSON.parse(await fs.readFile(path));
let hasChanges = false;

23
nix/update-nixpkgs.mjs Normal file
View file

@ -0,0 +1,23 @@
import fs from "node:fs/promises";
const path = `${import.meta.dirname}/nixpkgs.json`;
const nixpkgs = JSON.parse(await fs.readFile(path));
const res = await fetch(
`https://api.github.com/repos/NixOS/nixpkgs/commits/${nixpkgs.channel}`
);
if (!res.ok) {
throw new Error(
`get commit for ${name}: ${res.status} - ${await res.text()}`
);
}
const body = await res.json();
if (body.sha !== nixpkgs.commit) {
nixpkgs.commit = body.sha;
nixpkgs.lastUpdated = new Date().toISOString();
await fs.writeFile(path, JSON.stringify(nixpkgs, null, 2) + "\n");
}