decrease cpu usage

debug.html

@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>nora's server</title>
-</head>
-<body>
-    <h1>congrats, you landed on my server (0% NixOS) directly!?</h1>
-    <p>sorry, but there isn't anything cool here. this is <b>my</b> infra, you are not allowed here.</p>
-    <p>if you do want to be allowed here, then uh.. still no.</p>
-    <p>:3</p>
-</body>
-</html>

nix/apps/cargo-bisect-rustc-service/default.nix

@@ -1,35 +0,0 @@
-{ config, lib, ... }:
-let
-  dockerLogin = {
-    registry = "docker.noratrieb.dev";
-    username = "nils";
-    passwordFile = config.age.secrets.docker_registry_password.path;
-  };
-in
-{
-  virtualisation.oci-containers.containers = {
-    cargo-bisect-rustc-service = {
-      image = "docker.noratrieb.dev/cargo-bisect-rustc-service:316a4044";
-      volumes = [
-        "/var/lib/cargo-bisect-rustc-service:/data"
-      ];
-      environment = {
-        SQLITE_DB = "/data/db.sqlite";
-      };
-      ports = [ "127.0.0.1:5005:4000" ];
-      login = dockerLogin;
-    };
-  };
-
-  services.custom-backup.jobs = [
-    {
-      app = "cargo-bisect-rustc-service";
-      file = "/var/lib/cargo-bisect-rustc-service/db.sqlite";
-    }
-  ];
-
-  system.activationScripts.makeCargoBisectRustcServiceDir = lib.stringAfter [ "var" ] ''
-    mkdir -p /var/lib/cargo-bisect-rustc-service/
-    chmod ugo+w /var/lib/cargo-bisect-rustc-service/
-  '';
-}

nix/apps/does-it-build/default.nix

@@ -1,7 +1,7 @@
-{ pkgs, lib, does-it-build, my-projects-versions, ... }:
+{ pkgs, lib, my-projects-versions, ... }:
 let
-  does-it-build-base = does-it-build { inherit pkgs; };
+  does-it-build-base = (import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz")) { inherit pkgs; };
-  does-it-build-with-commit = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
+  does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
     DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build;
   });
 in
@@ -15,7 +15,7 @@ in
     serviceConfig = {
       User = "does-it-build";
       Group = "does-it-build";
-      ExecStart = "${lib.getExe' (does-it-build-with-commit) "does-it-build" }";
+      ExecStart = "${lib.getExe' (does-it-build) "does-it-build" }";
       Environment = "DB_PATH=/var/lib/does-it-build/db.sqlite";
     };
   };

nix/apps/fakessh/default.nix

@@ -0,0 +1,29 @@
+{ lib, pkgs, my-projects-versions, ... }:
+let cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${my-projects-versions.cluelessh}.tar.gz");
+in
+{
+  systemd.services.fakessh = {
+    description = "cluelessh-faked ssh honeypot";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Restart = "on-failure";
+      RestartSec = "5s";
+      ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
+
+      # i really don't trust this.
+      DynamicUser = true;
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+      MemoryHigh = "100M";
+      MemoryMax = "200M";
+
+      # config
+      Environment = [
+        "FAKESSH_LISTEN_ADDR=0.0.0.0:22"
+        "RUST_LOG=debug"
+        #"FAKESSH_JSON_LOGS=1"
+      ];
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 22 ];
+}

nix/apps/killua/default.nix

@@ -1,23 +1,27 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
-let dataDir = "/var/lib/killua"; in
+let
+  jarfile = pkgs.fetchurl {
+    url =
+      "https://github.com/Noratrieb/killua-bot/releases/download/2023-08-26/KilluaBot.jar";
+    hash = "sha256-LUABYq6cRhLTLyZVzkIjIFHERcb7YQTzyAGaJB49Mxk=";
+  };
+  dataDir = "/var/lib/killua";
+in
 {
   age.secrets.killua_env.file = ../../secrets/killua_env.age;
 
-  virtualisation.oci-containers.containers = {
+  systemd.services.killua = {
-    killua = {
+    description = "killua, an awesome discord bot";
-      image = "docker.noratrieb.dev/killua-bot:ac8203d2";
+    wantedBy = [ "multi-user.target" ];
-      volumes = [
+    after = [ "network.target" ];
-        "${dataDir}:/data"
-      ];
     environment = {
-        KILLUA_JSON_PATH = "/data/trivia_questions.json";
+      BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
-      };
+      CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
-      environmentFiles = [ config.age.secrets.killua_env.path ];
-      login = {
-        registry = "docker.noratrieb.dev";
-        username = "nils";
-        passwordFile = config.age.secrets.docker_registry_password.path;
     };
+    serviceConfig = {
+      DynamicUser = true;
+      ExecStart = "${lib.getExe' pkgs.jdk17 "java"} -jar ${jarfile}";
+      EnvironmentFile = [ config.age.secrets.killua_env.path ];
     };
   };
 

nix/apps/upload-files/default.nix

@@ -1,4 +1,6 @@
-{ upload-files, pkgs, lib, config, ... }: {
+{ my-projects-versions, pkgs, lib, config, ... }:
+let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); in
+{
   age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age;
 
   systemd.services.upload-files = {

nix/apps/uptime/default.nix

@@ -1,42 +0,0 @@
-{ lib, config, ... }: {
-  virtualisation.oci-containers.containers.uptime = {
-    /*
-      uptime:
-      container_name: uptime
-      image: "docker.noratrieb.dev/uptime:50d15bc4"
-      restart: always
-      volumes:
-        - "/apps/uptime:/app/config"
-      environment:
-        UPTIME_CONFIG_PATH: /app/config/uptime.json
-      ports:
-        - "5010:3000"
-    */
-
-    image = "docker.noratrieb.dev/uptime:50d15bc4";
-    volumes = [
-      "${./uptime.json}:/uptime.json"
-      "/var/lib/uptime:/data"
-    ];
-    environment = {
-      UPTIME_CONFIG_PATH = "/uptime.json";
-    };
-    ports = [ "127.0.0.1:5010:3000" ];
-    login = {
-      registry = "docker.noratrieb.dev";
-      username = "nils";
-      passwordFile = config.age.secrets.docker_registry_password.path;
-    };
-  };
-
-  services.custom-backup.jobs = [
-    {
-      app = "uptime";
-      file = "/var/lib/uptime/uptime.db";
-    }
-  ];
-
-  system.activationScripts.makeUptimeDir = lib.stringAfter [ "var" ] ''
-    mkdir -p /var/lib/uptime/
-  '';
-}

nix/apps/uptime/uptime.json

@@ -1,50 +0,0 @@
-{
-  "interval_seconds": 30,
-  "db_url": "/data/uptime.db",
-  "websites": [
-    {
-      "name": "noratrieb.dev",
-      "url": "https://noratrieb.dev"
-    },
-    {
-      "name": "nilstrieb.dev",
-      "url": "https://nilstrieb.dev"
-    },
-    {
-      "name": "docker.nilstrieb.dev",
-      "url": "https://docker.noratrieb.dev"
-    },
-    {
-      "name": "vps1.nilstrieb.dev",
-      "url": "https://vps1.infra.noratrieb.dev"
-    },
-    {
-      "name": "vps2.nilstrieb.dev",
-      "url": "https://vps2.nilstrieb.dev"
-    },
-    {
-      "name": "bisect-rustc.nilstrieb.dev",
-      "url": "https://bisect-rustc.noratrieb.dev"
-    },
-    {
-      "name": "hugo-chat.nilstrieb.dev",
-      "url": "https://hugo-chat.noratrieb.dev"
-    },
-    {
-      "name": "api.hugo-chat.nilstrieb.dev",
-      "url": "https://api.hugo-chat.noratrieb.dev/api/v2/rooms"
-    },
-    {
-      "name": "cors-school.nilstrieb.dev",
-      "url": "https://cors-school.nilstrieb.dev"
-    },
-    {
-      "name": "api.cors-school.nilstrieb.dev",
-      "url": "https://api.cors-school.nilstrieb.dev/api/hugo"
-    },
-    {
-      "name": "olat.nilstrieb.dev",
-      "url": "https://olat.nilstrieb.dev/dmz/"
-    }
-  ]
-}

nix/apps/widetom/default.nix

@@ -1,33 +1,47 @@
-{ config, ... }: {
+{ config, pkgs, lib, my-projects-versions, ... }:
-  age.secrets.widetom_bot_token.file = ../../secrets/widetom_bot_token.age;
+let
-  age.secrets.widetom_config_toml.file = ../../secrets/widetom_config_toml.age;
+  widetom = pkgs.rustPlatform.buildRustPackage {
+    src = pkgs.fetchFromGitHub {
+      owner = "Noratrieb";
+      repo = "widetom";
+      rev = my-projects-versions.widetom;
+      hash = "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8=";
+    };
+    pname = "widetom";
+    version = "0.1.0";
+    cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE=";
+    meta = {
+      mainProgram = "widertom";
+    };
+  };
+in
+{
+  age.secrets.widetom_bot_token = {
+    file = ../../secrets/widetom_bot_token.age;
+    owner = config.users.users.widetom.name;
+  };
+  age.secrets.widetom_config_toml = {
+    file = ../../secrets/widetom_config_toml.age;
+    owner = config.users.users.widetom.name;
+  };
 
-  virtualisation.oci-containers.containers = {
+  systemd.services.widetom = {
-    /*
+    description = "widetom, the extremely funny discord bot";
-      container_name: widetom
+    wantedBy = [ "multi-user.target" ];
-      image: "docker.noratrieb.dev/widetom:33d17387"
+    after = [ "network.target" ];
-      restart: always
-      volumes:
-        - "/apps/widetom:/app/config"
-      environment:
-        CONFIG_PATH: /app/config/config.toml
-        BOT_TOKEN_PATH: /app/config/bot_token
-    */
-    widetom = {
-      image = "docker.noratrieb.dev/widetom:33d17387";
-      volumes = [
-        "${config.age.secrets.widetom_config_toml.path}:/config.toml"
-        "${config.age.secrets.widetom_bot_token.path}:/token"
-      ];
     environment = {
-        CONFIG_PATH = "/config.toml";
+      BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
-        BOT_TOKEN_PATH = "/token";
+      CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
     };
-      login = {
+    serviceConfig = {
-        registry = "docker.noratrieb.dev";
+      DynamicUser = true;
-        username = "nils";
+      ExecStart = lib.getExe widetom;
-        passwordFile = config.age.secrets.docker_registry_password.path;
     };
   };
+
+  users.users.widetom = {
+    group = "widetom";
+    isSystemUser = true;
   };
+  users.groups.widetom = { };
 }

nix/deploy/smoke-tests.sh

@@ -36,13 +36,11 @@ http_hosts=(
     vps3.infra.noratrieb.dev
     vps4.infra.noratrieb.dev
     vps5.infra.noratrieb.dev
-    bisect-rustc.noratrieb.dev
     docker.noratrieb.dev
     does-it-build.noratrieb.dev
     grafana.noratrieb.dev
     hugo-chat.noratrieb.dev
     api.hugo-chat.noratrieb.dev/api/v2/rooms
-    uptime.noratrieb.dev
     www.noratrieb.dev
 
     # legacy:

nix/hive.nix

@@ -1,9 +1,8 @@
 {
   meta =
     let
-      my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
+      nixpkgs-version = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
-      nixpkgs-hash = "50ab793786d9de88ee30ec4e4c24fb4236fc2674"; # nixos-24.11 2025-07-27
+      nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz");
-      nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-hash}.tar.gz");
     in
     {
       # Override to pin the Nixpkgs version (recommended). This option
@@ -14,15 +13,7 @@
       nixpkgs = import nixpkgs-path;
 
       specialArgs = {
-        website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
+        my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
-        blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
-        slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
-        pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
-        quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
-        does-it-build = import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz");
-        upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz");
-
-        inherit my-projects-versions;
 
         inherit nixpkgs-path;
 
@@ -35,6 +26,7 @@
               publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4=";
               peers = [ "vps3" ];
             };
+            tags = [ "dns" ];
           };
           dns2 = {
             publicIPv4 = "128.140.3.7";
@@ -46,6 +38,7 @@
               publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc=";
               peers = [ "vps3" ];
             };
+            tags = [ "dns" ];
           };
           vps1 = {
             publicIPv4 = "161.97.165.1";
@@ -55,6 +48,7 @@
               publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
               peers = [ "vps2" "vps3" "vps4" "vps5" ];
             };
+            tags = [ "apps" ];
           };
           vps2 = {
             publicIPv4 = "184.174.32.252";
@@ -64,6 +58,7 @@
               publicKey = "SficHHJ0ynpZoGah5heBpNKnEVIVrgs72Z5HEKd3jHA=";
               peers = [ "vps1" "vps3" "vps4" "vps5" ];
             };
+            tags = [ "apps" ];
           };
           vps3 = {
             publicIPv4 = "134.255.181.139";
@@ -73,6 +68,7 @@
               publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
               peers = [ "vps1" "vps2" "vps4" "vps5" "dns1" "dns2" ];
             };
+            tags = [ "apps" ];
           };
           vps4 = {
             publicIPv4 = "195.201.147.17";
@@ -84,6 +80,7 @@
               publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs=";
               peers = [ "vps1" "vps2" "vps3" "vps5" ];
             };
+            tags = [ "apps" ];
           };
           vps5 = {
             publicIPv4 = "45.94.209.30";
@@ -93,6 +90,7 @@
               publicKey = "r1cwt63fcOR+FTqMTUpZdK4/MxpalkDYRHXyy7osWUk=";
               peers = [ "vps1" "vps2" "vps3" "vps4" ];
             };
+            tags = [ "apps" ];
           };
         };
       };
@@ -120,9 +118,6 @@
       ./modules/wg-mesh
     ];
 
-    # The name and nodes parameters are supported in Colmena,
-    # allowing you to reference configurations in other nodes.
-    deployment.tags = [ "dns" "us" ];
     system.stateVersion = "23.11";
   };
   dns2 = { name, nodes, modulesPath, lib, ... }: {
@@ -132,7 +127,6 @@
       ./modules/wg-mesh
     ];
 
-    deployment.tags = [ "dns" "eu" "hetzner" ];
     system.stateVersion = "23.11";
 
     boot.loader.grub.device = "/dev/sda";
@@ -188,15 +182,12 @@
       # apps
       ./apps/widetom
       ./apps/hugo-chat
-      ./apps/uptime
-      ./apps/cargo-bisect-rustc-service
       ./apps/killua
       ./apps/forgejo
       ./apps/openolat
       ./apps/upload-files
     ];
 
-    deployment.tags = [ "caddy" "eu" "apps" "website" ];
     system.stateVersion = "23.11";
   };
   # VPS2 exists
@@ -209,7 +200,6 @@
       ./modules/garage
     ];
 
-    deployment.tags = [ "caddy" "eu" "apps" ];
     system.stateVersion = "23.11";
   };
   # VPS3 is the primary monitoring/metrics server.
@@ -223,7 +213,6 @@
       ./modules/prometheus
     ];
 
-    deployment.tags = [ "eu" "apps" "website" ];
     system.stateVersion = "23.11";
   };
   # VPS4 exists. It's useful for garage replication and runs does-it-build which uses some CPU.
@@ -239,7 +228,6 @@
       ./apps/does-it-build
     ];
 
-    deployment.tags = [ "eu" "apps" "hetzner" "website" ];
     system.stateVersion = "23.11";
 
     boot.loader.grub.device = "/dev/sda";
@@ -282,10 +270,6 @@
   };
   # VPS5 is the primary test server, where new things are being deployed that could break stuff maybe.
   vps5 = { name, nodes, modulesPath, config, pkgs, lib, ... }:
-    let
-      commit = "5f203d0f5ba2639043bd5bd1c3687c406d6abac1";
-      cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${commit}.tar.gz");
-    in
     {
       imports = [
         (modulesPath + "/profiles/qemu-guest.nix")
@@ -293,37 +277,12 @@
         ./modules/caddy
         ./modules/wg-mesh
         ./modules/garage
+        ./apps/fakessh
       ];
 
-
       services.openssh.ports = [ 2000 ];
-      systemd.services.fakessh = {
-        description = "cluelessh-faked ssh honeypot";
-        wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" ];
-        serviceConfig = {
-          Restart = "on-failure";
-          RestartSec = "5s";
-          ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
-
-          # i really don't trust this.
-          DynamicUser = true;
-          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-          MemoryHigh = "100M";
-          MemoryMax = "200M";
-
-          # config
-          Environment = [
-            "FAKESSH_LISTEN_ADDR=0.0.0.0:22"
-            "RUST_LOG=debug"
-            #"FAKESSH_JSON_LOGS=1"
-          ];
-        };
-      };
-      networking.firewall.allowedTCPPorts = [ 22 ];
-
       deployment.targetPort = 2000;
-      deployment.tags = [ "eu" "apps" ];
+
       system.stateVersion = "23.11";
     };
 }

nix/modules/caddy/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, lib, name, website, slides, blog, ... }:
+{ pkgs, config, lib, name, my-projects-versions, ... }:
 
 let
   caddy = pkgs.callPackage ./caddy-build.nix {
@@ -11,6 +11,10 @@ let
     ];
     vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
   };
+  website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
+  blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
+  slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
+  website-build = website { inherit pkgs slides blog; };
 in
 {
   environment.systemPackages = [ caddy ];
@@ -62,7 +66,7 @@ in
                 header -Last-Modified
                 root * ${import ./caddy-static-prepare {
                   name = "website";
-                  src = website { inherit pkgs slides blog; };
+                  src = website-build;
                   inherit pkgs lib;
                 }}
                 file_server {

nix/modules/caddy/vps1.Caddyfile

@@ -3,12 +3,6 @@ www.noratrieb.dev {
 	redir https://noratrieb.dev{uri} permanent
 }
 
-uptime.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5010
-}
-
 hugo-chat.noratrieb.dev {
 	log
 	encode zstd gzip
@@ -22,12 +16,6 @@ api.hugo-chat.noratrieb.dev {
 	reverse_proxy * localhost:5001
 }
 
-bisect-rustc.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5005
-}
-
 docker.noratrieb.dev {
 	log
 	reverse_proxy * localhost:5000
@@ -61,7 +49,17 @@ upload.files.noratrieb.dev {
 }
 
 ################################################################
-# redirects
+# retired
+
+bisect-rustc.noratrieb.dev {
+	log
+	redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service
+}
+
+uptime.noratrieb.dev {
+	log
+	redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime
+}
 
 blog.noratrieb.dev {
 	log
@@ -85,7 +83,7 @@ blog.nilstrieb.dev {
 
 bisect-rustc.nilstrieb.dev {
 	log
-	redir https://bisect-rustc.dev/blog{uri} permanent
+	redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent
 }
 
 docker.nilstrieb.dev {

nix/modules/default/default.nix

@@ -1,5 +1,10 @@
-{ pkgs, lib, config, name, pretense, quotdd, nixpkgs-path, ... }: {
+{ pkgs, lib, name, my-projects-versions, networkingConfig, nixpkgs-path, ... }:
-  deployment.targetHost = "${config.networking.hostName}.infra.noratrieb.dev";
+let
+  pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
+  quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
+in
+{
+  deployment.targetHost = "${name}.infra.noratrieb.dev";
 
   imports = [
     "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26
@@ -92,13 +97,26 @@
   # monitoring
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
+    8080 # cadvisor exporter
     9100 # node exporter
     9150 # pretense exporter
+    9558 # systemd exporter
   ];
   services.prometheus.exporters = {
     node = {
       enable = true;
     };
+    systemd = {
+      enable = true;
+    };
+  };
+  services.cadvisor = {
+    enable = true;
+    listenAddress = "0.0.0.0";
+    extraOptions = [
+      # significantly decreases CPU usage (https://github.com/google/cadvisor/issues/2523)
+      "--housekeeping_interval=30s"
+    ];
   };
   services.promtail = {
     enable = true;
@@ -160,4 +178,6 @@
       ];
     };
   };
+
+  deployment.tags = networkingConfig."${name}".tags;
 }

nix/modules/dns/default.nix

@@ -1,4 +1,6 @@
-{ pkgs, lib, networkingConfig, ... }: {
+{ pkgs, lib, networkingConfig, ... }:
+let metricsPort = 9433; in
+{
   # get the package for the debugging tools
   environment.systemPackages = with pkgs; [ knot-dns ];
 
@@ -40,9 +42,9 @@
     };
   };
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ metricsPort ];
   services.prometheus.exporters.knot = {
     enable = true;
-    port = 9433;
+    port = metricsPort;
   };
 }

nix/modules/dns/noratrieb.dev.nix

@@ -61,7 +61,6 @@ let
         };
 
         # --- apps
-        bisect-rustc = vps1;
         docker = vps1;
         hugo-chat = vps1 // {
           subdomains.api = vps1;
@@ -98,6 +97,9 @@ let
         _dmarc.TXT = [
           "v=DMARC1; p=quarantine"
         ];
+
+        # retired
+        bisect-rustc = vps1;
       };
     };
 in

nix/modules/garage/default.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, name, ... }: {
+{ config, pkgs, name, ... }:
+let
+  rpcPort = 3901;
+  adminPort = 3903;
+in
+{
   age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
 
   environment.systemPackages = with pkgs; [
@@ -6,13 +11,13 @@
   ];
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
-    3901 # RPC
+    rpcPort
-    3903 # admin for metrics
+    adminPort
   ];
 
   services.garage = {
     enable = true;
-    package = pkgs.garage_1_1_0;
+    package = pkgs.garage_2_0_0;
     settings = {
       metadata_dir = "/var/lib/garage/meta";
       data_dir = "/var/lib/garage/data";
@@ -24,8 +29,8 @@
       # arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly.
       compression-level = 5;
 
-      rpc_bind_addr = "[::]:3901";
+      rpc_bind_addr = "[::]:${toString rpcPort}";
-      rpc_public_addr = "${name}.local:3901";
+      rpc_public_addr = "${name}.local:${toString rpcPort}";
 
       s3_api = {
         s3_region = "garage";
@@ -40,7 +45,7 @@
       };
 
       admin = {
-        api_bind_addr = "[::]:3903";
+        api_bind_addr = "[::]:${toString adminPort}";
       };
     };
     environmentFile = config.age.secrets.garage_secrets.path;

nix/modules/prometheus/default.nix

@@ -1,8 +1,10 @@
-{ config, lib, ... }: {
+{ config, lib, networkingConfig, ... }: {
   services.prometheus = {
     enable = true;
     globalConfig = { };
-    scrapeConfigs = [
+    scrapeConfigs =
+      let hostsWithTag = tag: map (entry: entry.name) (builtins.filter (entry: builtins.elem tag entry.value.tags) (lib.attrsToList networkingConfig)); in
+      [
         {
           job_name = "prometheus";
           static_configs = [
@@ -11,25 +13,20 @@
         }
         {
           job_name = "node";
-        static_configs = [
+          static_configs = [{ targets = map (name: "${name}.local:9100") (builtins.attrNames networkingConfig); }];
-          { targets = [ "dns1.local:9100" ]; }
+        }
-          { targets = [ "dns2.local:9100" ]; }
+        {
-          { targets = [ "vps1.local:9100" ]; }
+          job_name = "cadvisor";
-          { targets = [ "vps2.local:9100" ]; }
+          static_configs = [{ targets = map (name: "${name}.local:8080") (builtins.attrNames networkingConfig); }];
-          { targets = [ "vps3.local:9100" ]; }
+
-          { targets = [ "vps4.local:9100" ]; }
+        }
-          { targets = [ "vps5.local:9100" ]; }
+        {
-        ];
+          job_name = "systemd";
+          static_configs = [{ targets = map (name: "${name}.local:9558") (builtins.attrNames networkingConfig); }];
         }
         {
           job_name = "caddy";
-        static_configs = [
+          static_configs = [{ targets = map (name: "${name}.local:9010") (hostsWithTag "apps"); }];
-          { targets = [ "vps1.local:9010" ]; }
-          { targets = [ "vps2.local:9010" ]; }
-          { targets = [ "vps3.local:9010" ]; }
-          { targets = [ "vps4.local:9010" ]; }
-          { targets = [ "vps5.local:9010" ]; }
-        ];
         }
         {
           job_name = "docker-registry";
@@ -39,32 +36,15 @@
         }
         {
           job_name = "garage";
-        static_configs = [
+          static_configs = [{ targets = map (name: "${name}.local:3903") (hostsWithTag "apps"); }];
-          { targets = [ "vps1.local:3903" ]; }
-          { targets = [ "vps2.local:3903" ]; }
-          { targets = [ "vps3.local:3903" ]; }
-          { targets = [ "vps4.local:3903" ]; }
-          { targets = [ "vps5.local:3903" ]; }
-        ];
         }
         {
           job_name = "knot";
-        static_configs = [
+          static_configs = [{ targets = map (name: "${name}.local:9433") (hostsWithTag "dns"); }];
-          { targets = [ "dns1.local:9433" ]; }
-          { targets = [ "dns2.local:9433" ]; }
-        ];
         }
         {
           job_name = "pretense";
-        static_configs = [
+          static_configs = [{ targets = map (name: "${name}.local:9150") (builtins.attrNames networkingConfig); }];
-          { targets = [ "dns1.local:9150" ]; }
-          { targets = [ "dns2.local:9150" ]; }
-          { targets = [ "vps1.local:9150" ]; }
-          { targets = [ "vps2.local:9150" ]; }
-          { targets = [ "vps3.local:9150" ]; }
-          { targets = [ "vps4.local:9150" ]; }
-          { targets = [ "vps5.local:9150" ]; }
-        ];
         }
       ];
   };
@@ -108,7 +88,7 @@
     };
   };
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3100 ]; # loki
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
   age.secrets.loki_env.file = ../../secrets/loki_env.age;
   systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path;
   services.loki = {

nix/modules/registry/default.nix

@@ -10,9 +10,14 @@
     };
   };
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ];
 
-  systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
+  systemd.services.docker-registry = {
+    serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
+    environment = {
+      OTEL_TRACES_EXPORTER = "none";
+    };
+  };
   services.dockerRegistry = {
     enable = true;
     storagePath = null;

nix/my-projects.json

@@ -5,5 +5,7 @@
   "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
   "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548",
   "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1",
-  "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077"
+  "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077",
+  "cluelessh": "c711cd405da4b7951e554577d09c9576bedf7970",
+  "widetom": "33d1738799618d72fe2b86896f766cbfea58dc76"
 }

nix/nixpkgs.json

@@ -0,0 +1,5 @@
+{
+  "channel": "nixos-25.05",
+  "lastUpdated": "2025-08-03T11:42:11.747Z",
+  "commit": "59e69648d345d6e8fef86158c555730fa12af9de"
+}

nix/update-my-projects.mjs

@@ -1,6 +1,6 @@
 import fs from "node:fs/promises";
 
-const path = `${import.meta.dirname}/nix/my-projects.json`;
+const path = `${import.meta.dirname}/my-projects.json`;
 const projects = JSON.parse(await fs.readFile(path));
 
 let hasChanges = false;

nix/update-nixpkgs.mjs

@@ -0,0 +1,23 @@
+import fs from "node:fs/promises";
+
+const path = `${import.meta.dirname}/nixpkgs.json`;
+const nixpkgs = JSON.parse(await fs.readFile(path));
+
+const res = await fetch(
+  `https://api.github.com/repos/NixOS/nixpkgs/commits/${nixpkgs.channel}`
+);
+
+if (!res.ok) {
+  throw new Error(
+    `get commit for ${name}: ${res.status} - ${await res.text()}`
+  );
+}
+
+const body = await res.json();
+
+if (body.sha !== nixpkgs.commit) {
+  nixpkgs.commit = body.sha;
+  nixpkgs.lastUpdated = new Date().toISOString();
+
+  await fs.writeFile(path, JSON.stringify(nixpkgs, null, 2) + "\n");
+}