diff --git a/debug.html b/debug.html new file mode 100644 index 0000000..5f69c80 --- /dev/null +++ b/debug.html @@ -0,0 +1,14 @@ + + + + + + nora's server + + +

congrats, you landed on my server (0% NixOS) directly!?

+

sorry, but there isn't anything cool here. this is my infra, you are not allowed here.

+

if you do want to be allowed here, then uh.. still no.

+

:3

+
+
diff --git a/nix/apps/cargo-bisect-rustc-service/default.nix b/nix/apps/cargo-bisect-rustc-service/default.nix
new file mode 100644
index 0000000..c9ae3d8
--- /dev/null
+++ b/nix/apps/cargo-bisect-rustc-service/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  dockerLogin = {
+    registry = "docker.noratrieb.dev";
+    username = "nils";
+    passwordFile = config.age.secrets.docker_registry_password.path;
+  };
+in
+{
+  virtualisation.oci-containers.containers = {
+    cargo-bisect-rustc-service = {
+      image = "docker.noratrieb.dev/cargo-bisect-rustc-service:316a4044";
+      volumes = [
+        "/var/lib/cargo-bisect-rustc-service:/data"
+      ];
+      environment = {
+        SQLITE_DB = "/data/db.sqlite";
+      };
+      ports = [ "127.0.0.1:5005:4000" ];
+      login = dockerLogin;
+    };
+  };
+
+  services.custom-backup.jobs = [
+    {
+      app = "cargo-bisect-rustc-service";
+      file = "/var/lib/cargo-bisect-rustc-service/db.sqlite";
+    }
+  ];
+
+  system.activationScripts.makeCargoBisectRustcServiceDir = lib.stringAfter [ "var" ] ''
+    mkdir -p /var/lib/cargo-bisect-rustc-service/
+    chmod ugo+w /var/lib/cargo-bisect-rustc-service/
+  '';
+}
diff --git a/nix/apps/does-it-build/default.nix b/nix/apps/does-it-build/default.nix
index fad6023..ad52759 100644
--- a/nix/apps/does-it-build/default.nix
+++ b/nix/apps/does-it-build/default.nix
@@ -1,7 +1,7 @@
-{ pkgs, lib, my-projects-versions, ... }:
+{ pkgs, lib, does-it-build, my-projects-versions, ... }:
 let
-  does-it-build-base = (import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz")) { inherit pkgs; };
-  does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
+  does-it-build-base = does-it-build { inherit pkgs; };
+  does-it-build-with-commit = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
     DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build;
   });
 in
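Review bot: The activation script makes `/var/lib/cargo-bisect-rustc-service/` world-writable with `chmod ugo+w`, so any local user or any other compromised service on the host can replace or corrupt `db.sqlite` — the very file `services.custom-backup.jobs` snapshots. Chown the directory to the uid the container runs as instead (not visible here), e.g. `chown <container-uid>:<container-gid> /var/lib/cargo-bisect-rustc-service/` followed by `chmod 0750 /var/lib/cargo-bisect-rustc-service/`, or replace the activation script with a `systemd.tmpfiles.rules` entry carrying that ownership. The image is pinned by the mutable tag `:316a4044` rather than an immutable digest; `image = "docker.noratrieb.dev/cargo-bisect-rustc-service@sha256:<image-digest>";` makes the deployment reproducible and immune to a re-pushed tag, and the same applies to the killua, uptime and widetom images added in this commit.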
@@ -15,7 +15,7 @@ in
     serviceConfig = {
       User = "does-it-build";
       Group = "does-it-build";
-      ExecStart = "${lib.getExe' (does-it-build) "does-it-build" }";
+      ExecStart = "${lib.getExe' (does-it-build-with-commit) "does-it-build" }";
       Environment = "DB_PATH=/var/lib/does-it-build/db.sqlite";
     };
   };
diff --git a/nix/apps/fakessh/default.nix b/nix/apps/fakessh/default.nix
deleted file mode 100644
index b289036..0000000
--- a/nix/apps/fakessh/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ lib, pkgs, my-projects-versions, ... }:
-let cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${my-projects-versions.cluelessh}.tar.gz");
-in
-{
-  systemd.services.fakessh = {
-    description = "cluelessh-faked ssh honeypot";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      RestartSec = "5s";
-      ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
-
-      # i really don't trust this.
-      DynamicUser = true;
-      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-      MemoryHigh = "100M";
-      MemoryMax = "200M";
-
-      # config
-      Environment = [
-        "FAKESSH_LISTEN_ADDR=0.0.0.0:22"
-        "RUST_LOG=debug"
-        #"FAKESSH_JSON_LOGS=1"
-      ];
-    };
-  };
-  networking.firewall.allowedTCPPorts = [ 22 ];
-}
diff --git a/nix/apps/killua/default.nix b/nix/apps/killua/default.nix
index a9d23db..ce6b7be 100644
--- a/nix/apps/killua/default.nix
+++ b/nix/apps/killua/default.nix
@@ -1,27 +1,23 @@ -{ config, lib, pkgs, ... }: -let - jarfile = pkgs.fetchurl { - url = - "https://github.com/Noratrieb/killua-bot/releases/download/2023-08-26/KilluaBot.jar"; - hash = "sha256-LUABYq6cRhLTLyZVzkIjIFHERcb7YQTzyAGaJB49Mxk="; - }; - dataDir = "/var/lib/killua"; -in +{ config, lib, ... }: +let dataDir = "/var/lib/killua"; in { age.secrets.killua_env.file = ../../secrets/killua_env.age; - systemd.services.killua = { - description = "killua, an awesome discord bot"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - environment = { - BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path; - CONFIG_PATH = config.age.secrets.widetom_config_toml.path; - }; - serviceConfig = { - DynamicUser = true; - ExecStart = "${lib.getExe' pkgs.jdk17 "java"} -jar ${jarfile}"; - EnvironmentFile = [ config.age.secrets.killua_env.path ]; + virtualisation.oci-containers.containers = { + killua = { + image = "docker.noratrieb.dev/killua-bot:ac8203d2"; + volumes = [ + "${dataDir}:/data" + ]; + environment = { + KILLUA_JSON_PATH = "/data/trivia_questions.json"; + }; + environmentFiles = [ config.age.secrets.killua_env.path ]; + login = { + registry = "docker.noratrieb.dev"; + username = "nils"; + passwordFile = config.age.secrets.docker_registry_password.path; + }; }; }; diff --git a/nix/apps/upload-files/default.nix b/nix/apps/upload-files/default.nix index 526adf3..aa108b5 100644 --- a/nix/apps/upload-files/default.nix +++ b/nix/apps/upload-files/default.nix @@ -1,6 +1,4 @@ -{ my-projects-versions, pkgs, lib, config, ... }: -let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); in -{ +{ upload-files, pkgs, lib, config, ... }: { age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age; systemd.services.upload-files = { 
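Review bot: The `login = { registry = …; username = …; passwordFile = …; }` attrset is copied verbatim here and into the uptime and widetom apps, while cargo-bisect-rustc-service already lifts the same three lines into a `dockerLogin` let-binding; four copies of a credential reference will drift the first time the secret is renamed, so define it once (a small shared module or a `let` in a common file) and reference it from each container. Separately, unlike the sibling apps nothing creates `${dataDir}` (`/var/lib/killua`) on the host; whether a missing bind-mount source is auto-created depends on the container backend, so either add the activation script or `systemd.tmpfiles.rules` entry the other apps use, or confirm the backend creates it. The removed unit pointed `BOT_TOKEN_PATH` at the widetom secrets; the container gets no such variable, which looks intentional but is worth a word in the commit message.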
diff --git a/nix/apps/uptime/default.nix b/nix/apps/uptime/default.nix new file mode 100644 index 0000000..7552789 --- /dev/null +++ b/nix/apps/uptime/default.nix @@ -0,0 +1,42 @@ +{ lib, config, ... }: { + virtualisation.oci-containers.containers.uptime = { + /* + uptime: + container_name: uptime + image: "docker.noratrieb.dev/uptime:50d15bc4" + restart: always + volumes: + - "/apps/uptime:/app/config" + environment: + UPTIME_CONFIG_PATH: /app/config/uptime.json + ports: + - "5010:3000" + */ + + image = "docker.noratrieb.dev/uptime:50d15bc4"; + volumes = [ + "${./uptime.json}:/uptime.json" + "/var/lib/uptime:/data" + ]; + environment = { + UPTIME_CONFIG_PATH = "/uptime.json"; + }; + ports = [ "127.0.0.1:5010:3000" ]; + login = { + registry = "docker.noratrieb.dev"; + username = "nils"; + passwordFile = config.age.secrets.docker_registry_password.path; + }; + }; + + services.custom-backup.jobs = [ + { + app = "uptime"; + file = "/var/lib/uptime/uptime.db"; + } + ]; + + system.activationScripts.makeUptimeDir = lib.stringAfter [ "var" ] '' + mkdir -p /var/lib/uptime/ + ''; +} diff --git a/nix/apps/uptime/uptime.json b/nix/apps/uptime/uptime.json new file mode 100644 index 0000000..af235e3 --- /dev/null +++ b/nix/apps/uptime/uptime.json 
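Review bot: The `/* uptime: container_name: … ports: - "5010:3000" */` block above `image = …` is the old docker-compose definition kept as a comment; it already disagrees with the live attrset (it publishes `5010:3000` on all interfaces and mounts `/apps/uptime`, the Nix version binds `127.0.0.1:5010` and mounts the store file) and will only drift further, so delete it, together with the identical leftover in `nix/apps/widetom/default.nix`. `mkdir -p /var/lib/uptime/` leaves the directory root-owned with the default mode; if the uptime image runs as a non-root user the `/data` bind mount is unwritable and `uptime.db` — which the backup job expects — is never created. I cannot see the image's user from here, so please confirm, and if needed chown the directory to that uid rather than widening its mode.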
@@ -0,0 +1,50 @@ +{ + "interval_seconds": 30, + "db_url": "/data/uptime.db", + "websites": [ + { + "name": "noratrieb.dev", + "url": "https://noratrieb.dev" + }, + { + "name": "nilstrieb.dev", + "url": "https://nilstrieb.dev" + }, + { + "name": "docker.nilstrieb.dev", + "url": "https://docker.noratrieb.dev" + }, + { + "name": "vps1.nilstrieb.dev", + "url": "https://vps1.infra.noratrieb.dev" + }, + { + "name": "vps2.nilstrieb.dev", + "url": "https://vps2.nilstrieb.dev" + }, + { + "name": "bisect-rustc.nilstrieb.dev", + "url": "https://bisect-rustc.noratrieb.dev" + }, + { + "name": "hugo-chat.nilstrieb.dev", + "url": "https://hugo-chat.noratrieb.dev" + }, + { + "name": "api.hugo-chat.nilstrieb.dev", + "url": "https://api.hugo-chat.noratrieb.dev/api/v2/rooms" + }, + { + "name": "cors-school.nilstrieb.dev", + "url": "https://cors-school.nilstrieb.dev" + }, + { + "name": "api.cors-school.nilstrieb.dev", + "url": "https://api.cors-school.nilstrieb.dev/api/hugo" + }, + { + "name": "olat.nilstrieb.dev", + "url": "https://olat.nilstrieb.dev/dmz/" + } + ] +} diff --git a/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix index 45080a1..b58890c 100644 --- a/nix/apps/widetom/default.nix +++ b/nix/apps/widetom/default.nix 
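Review bot: Most `name` values still say `*.nilstrieb.dev` while the `url` they label is on `noratrieb.dev` — `"name": "docker.nilstrieb.dev"` checks `https://docker.noratrieb.dev`, `"name": "vps1.nilstrieb.dev"` checks `https://vps1.infra.noratrieb.dev`, and likewise for bisect-rustc, hugo-chat and api.hugo-chat — so the status page reports outages under a hostname that is not the one being probed. Rename each entry to the host in its URL (e.g. `"name": "docker.noratrieb.dev"`) and keep `nilstrieb.dev` only where the URL genuinely is that domain (nilstrieb.dev, vps2, cors-school, api.cors-school, olat).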
@@ -1,47 +1,33 @@ -{ config, pkgs, lib, my-projects-versions, ... }: -let - widetom = pkgs.rustPlatform.buildRustPackage { - src = pkgs.fetchFromGitHub { - owner = "Noratrieb"; - repo = "widetom"; - rev = my-projects-versions.widetom; - hash = "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8="; - }; - pname = "widetom"; - version = "0.1.0"; - cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE="; - meta = { - mainProgram = "widertom"; - }; - }; -in -{ - age.secrets.widetom_bot_token = { - file = ../../secrets/widetom_bot_token.age; - owner = config.users.users.widetom.name; - }; - age.secrets.widetom_config_toml = { - file = ../../secrets/widetom_config_toml.age; - owner = config.users.users.widetom.name; - }; +{ config, ... }: { + age.secrets.widetom_bot_token.file = ../../secrets/widetom_bot_token.age; + age.secrets.widetom_config_toml.file = ../../secrets/widetom_config_toml.age; - systemd.services.widetom = { - description = "widetom, the extremely funny discord bot"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - environment = { - BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path; - CONFIG_PATH = config.age.secrets.widetom_config_toml.path; - }; - serviceConfig = { - DynamicUser = true; - ExecStart = lib.getExe widetom; + virtualisation.oci-containers.containers = { + /* + container_name: widetom + image: "docker.noratrieb.dev/widetom:33d17387" + restart: always + volumes: + - "/apps/widetom:/app/config" + environment: + CONFIG_PATH: /app/config/config.toml + BOT_TOKEN_PATH: /app/config/bot_token + */ + widetom = { + image = "docker.noratrieb.dev/widetom:33d17387"; + volumes = [ + "${config.age.secrets.widetom_config_toml.path}:/config.toml" + "${config.age.secrets.widetom_bot_token.path}:/token" + ]; + environment = { + CONFIG_PATH = "/config.toml"; + BOT_TOKEN_PATH = "/token"; + }; + login = { + registry = "docker.noratrieb.dev"; + username = "nils"; + passwordFile = 
config.age.secrets.docker_registry_password.path; + }; }; }; - - users.users.widetom = { - group = "widetom"; - isSystemUser = true; - }; - users.groups.widetom = { }; } diff --git a/nix/deploy/smoke-tests.sh b/nix/deploy/smoke-tests.sh index 84107f9..c97be0a 100755 --- a/nix/deploy/smoke-tests.sh +++ b/nix/deploy/smoke-tests.sh @@ -36,11 +36,13 @@ http_hosts=( vps3.infra.noratrieb.dev vps4.infra.noratrieb.dev vps5.infra.noratrieb.dev + bisect-rustc.noratrieb.dev docker.noratrieb.dev does-it-build.noratrieb.dev grafana.noratrieb.dev hugo-chat.noratrieb.dev api.hugo-chat.noratrieb.dev/api/v2/rooms + uptime.noratrieb.dev www.noratrieb.dev # legacy: diff --git a/nix/hive.nix b/nix/hive.nix index 1d61ebc..6182440 100644 --- a/nix/hive.nix +++ b/nix/hive.nix @@ -1,8 +1,9 @@ { meta = let - nixpkgs-version = builtins.fromJSON (builtins.readFile ./nixpkgs.json); - nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz"); + my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json); + nixpkgs-hash = "50ab793786d9de88ee30ec4e4c24fb4236fc2674"; # nixos-24.11 2025-07-27 + nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-hash}.tar.gz"); in { # Override to pin the Nixpkgs version (recommended). This option 
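Review bot: Dropping `owner = config.users.users.widetom.name` from both secrets leaves them at agenix's defaults (root-owned, mode 0400), and the new `volumes` bind-mount those files straight into the container as `/config.toml` and `/token`; that is only readable if the widetom image runs as root or the backend remaps uids, which I cannot see from here — please verify, and if the image runs unprivileged set `mode`/`group` on the secret to match the container uid rather than making the file world-readable. A bind mount also captures the file at container start, and `config.age.secrets.*.path` resolves through the `/run/agenix` symlink as far as I recall, so a rotated token is not picked up until the container restarts; a line such as `# secrets are bind-mounted at start — restart the container after rotating them` above `volumes` would save the next operator a confused hour. The commented-out docker-compose block above `widetom = {` duplicates the attrset below it and should be deleted.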
@@ -13,7 +14,15 @@ nixpkgs = import nixpkgs-path; specialArgs = { - my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json); + website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz"); + blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz"; + slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz"; + pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz"); + quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz"); + does-it-build = import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz"); + upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); + + inherit my-projects-versions; inherit nixpkgs-path; @@ -26,7 +35,6 @@ publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4="; peers = [ "vps3" ]; }; - tags = [ "dns" ]; }; dns2 = { publicIPv4 = "128.140.3.7"; @@ -38,7 +46,6 @@ publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc="; peers = [ "vps3" ]; }; - tags = [ "dns" ]; }; vps1 = { publicIPv4 = "161.97.165.1"; @@ -48,7 +55,6 @@ publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ="; peers = [ "vps2" "vps3" "vps4" "vps5" ]; }; - tags = [ "apps" ]; }; vps2 = { publicIPv4 = "184.174.32.252"; @@ -58,7 +64,6 @@ publicKey = "SficHHJ0ynpZoGah5heBpNKnEVIVrgs72Z5HEKd3jHA="; peers = [ "vps1" "vps3" "vps4" "vps5" ]; }; - tags = [ "apps" ]; }; vps3 = { publicIPv4 = "134.255.181.139"; @@ -68,7 +73,6 @@ publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0="; peers = [ "vps1" "vps2" "vps4" "vps5" "dns1" "dns2" ]; }; - tags = [ "apps" ]; }; vps4 = { publicIPv4 = "195.201.147.17"; 
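Review bot: Every `fetchTarball` in `specialArgs` (website, blog, slides, pretense, quotdd, does-it-build, upload-files, and `nixpkgs-path` in the hunk above) pins a commit in the URL but passes no `sha256`, so Nix never verifies the archive it unpacks — evaluation trusts whatever the GitHub endpoint returns over TLS, and with a plain URL the tarball is also re-fetched after `tarball-ttl` expires. Use the attrset form, e.g. `blog = fetchTarball { url = "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz"; sha256 = "<hash-from-nix-prefetch-url>"; };`, and store the hash next to the commit in `my-projects.json` so `update-my-projects.mjs` can refresh both together. The `nixpkgs-hash` comment says `nixos-24.11` whereas the deleted `nixpkgs.json` tracked `nixos-25.05`; if the channel move is intentional (the `garage_1_1_0` change suggests it is), a word on why, on that line, would help the next reader.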
@@ -80,7 +84,6 @@ publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs="; peers = [ "vps1" "vps2" "vps3" "vps5" ]; }; - tags = [ "apps" ]; }; vps5 = { publicIPv4 = "45.94.209.30"; @@ -90,7 +93,6 @@ publicKey = "r1cwt63fcOR+FTqMTUpZdK4/MxpalkDYRHXyy7osWUk="; peers = [ "vps1" "vps2" "vps3" "vps4" ]; }; - tags = [ "apps" ]; }; }; }; @@ -118,6 +120,9 @@ ./modules/wg-mesh ]; + # The name and nodes parameters are supported in Colmena, + # allowing you to reference configurations in other nodes. + deployment.tags = [ "dns" "us" ]; system.stateVersion = "23.11"; }; dns2 = { name, nodes, modulesPath, lib, ... }: { @@ -127,6 +132,7 @@ ./modules/wg-mesh ]; + deployment.tags = [ "dns" "eu" "hetzner" ]; system.stateVersion = "23.11"; boot.loader.grub.device = "/dev/sda"; @@ -182,12 +188,15 @@ # apps ./apps/widetom ./apps/hugo-chat + ./apps/uptime + ./apps/cargo-bisect-rustc-service ./apps/killua ./apps/forgejo ./apps/openolat ./apps/upload-files ]; + deployment.tags = [ "caddy" "eu" "apps" "website" ]; system.stateVersion = "23.11"; }; # VPS2 exists @@ -200,6 +209,7 @@ ./modules/garage ]; + deployment.tags = [ "caddy" "eu" "apps" ]; system.stateVersion = "23.11"; }; # VPS3 is the primary monitoring/metrics server. @@ -213,6 +223,7 @@ ./modules/prometheus ]; + deployment.tags = [ "eu" "apps" "website" ]; system.stateVersion = "23.11"; }; # VPS4 exists. It's useful for garage replication and runs does-it-build which uses some CPU. @@ -228,6 +239,7 @@ ./apps/does-it-build ]; + deployment.tags = [ "eu" "apps" "hetzner" "website" ]; system.stateVersion = "23.11"; boot.loader.grub.device = "/dev/sda"; 
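Review bot: The comment `# The name and nodes parameters are supported in Colmena, allowing you to reference configurations in other nodes.` lands directly above `deployment.tags = [ "dns" "us" ];` in dns1 but describes the `{ name, nodes, … }:` module arguments, not tags, and no other node carries it — move it to the function header or drop it. Since the tags are now the only thing selecting nodes for `colmena apply --on @<tag>` and the old `networkingConfig` tags are gone, a short comment at the first `deployment.tags` listing what `caddy`, `apps`, `website`, `hetzner` and `eu`/`us` mean would document the vocabulary in the one place it is defined.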
@@ -270,6 +282,10 @@ }; # VPS5 is the primary test server, where new things are being deployed that could break stuff maybe. vps5 = { name, nodes, modulesPath, config, pkgs, lib, ... }: + let + commit = "5f203d0f5ba2639043bd5bd1c3687c406d6abac1"; + cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${commit}.tar.gz"); + in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") @@ -277,12 +293,37 @@ ./modules/caddy ./modules/wg-mesh ./modules/garage - ./apps/fakessh ]; - services.openssh.ports = [ 2000 ]; - deployment.targetPort = 2000; + services.openssh.ports = [ 2000 ]; + systemd.services.fakessh = { + description = "cluelessh-faked ssh honeypot"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Restart = "on-failure"; + RestartSec = "5s"; + ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }"; + + # i really don't trust this. + DynamicUser = true; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + MemoryHigh = "100M"; + MemoryMax = "200M"; + + # config + Environment = [ + "FAKESSH_LISTEN_ADDR=0.0.0.0:22" + "RUST_LOG=debug" + #"FAKESSH_JSON_LOGS=1" + ]; + }; + }; + networking.firewall.allowedTCPPorts = [ 22 ]; + + deployment.targetPort = 2000; + deployment.tags = [ "eu" "apps" ]; system.stateVersion = "23.11"; }; } diff --git a/nix/modules/caddy/default.nix b/nix/modules/caddy/default.nix index 0116fa0..07fd744 100644 --- a/nix/modules/caddy/default.nix +++ b/nix/modules/caddy/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, lib, name, my-projects-versions, ... }: +{ pkgs, config, lib, name, website, slides, blog, ... }: let caddy = pkgs.callPackage ./caddy-build.nix { 
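Review bot: The relocated honeypot still binds `0.0.0.0:22` with `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` and has only `DynamicUser` plus memory limits as containment, which the retained `# i really don't trust this.` comment acknowledges; because the process parses untrusted SSH traffic from anyone on the internet, it should get the usual systemd sandboxing next to `DynamicUser` (capability bounding set, no-new-privileges, read-only system, restricted address families and syscalls), as sketched below. The `let` hunk above also fetches that code with `fetchTarball` from a hard-coded `commit` and no `sha256`, and by moving the pin out of `my-projects.json` it is now invisible to `update-my-projects.mjs`; adding `sha256` there (and ideally keeping the commit in the JSON) would let Nix verify what it runs on a public port.
```nix
      serviceConfig = {
        # … unchanged: Restart, RestartSec, ExecStart …

        # i really don't trust this.
        DynamicUser = true;
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
        SystemCallFilter = "@system-service";
        MemoryHigh = "100M";
        MemoryMax = "200M";
        # … unchanged: Environment …
      };
```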
@@ -11,10 +11,6 @@ let ]; vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI="; }; - website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz"); - blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz"; - slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz"; - website-build = website { inherit pkgs slides blog; }; in { environment.systemPackages = [ caddy ]; @@ -66,7 +62,7 @@ in header -Last-Modified root * ${import ./caddy-static-prepare { name = "website"; - src = website-build; + src = website { inherit pkgs slides blog; }; inherit pkgs lib; }} file_server { diff --git a/nix/modules/caddy/vps1.Caddyfile b/nix/modules/caddy/vps1.Caddyfile index 4b3c58f..b595537 100644 --- a/nix/modules/caddy/vps1.Caddyfile +++ b/nix/modules/caddy/vps1.Caddyfile @@ -3,6 +3,12 @@ www.noratrieb.dev { redir https://noratrieb.dev{uri} permanent } +uptime.noratrieb.dev { + log + encode zstd gzip + reverse_proxy * localhost:5010 +} + hugo-chat.noratrieb.dev { log encode zstd gzip @@ -16,6 +22,12 @@ api.hugo-chat.noratrieb.dev { reverse_proxy * localhost:5001 } +bisect-rustc.noratrieb.dev { + log + encode zstd gzip + reverse_proxy * localhost:5005 +} + docker.noratrieb.dev { log reverse_proxy * localhost:5000 @@ -49,17 +61,7 @@ upload.files.noratrieb.dev { } ################################################################ -# retired - -bisect-rustc.noratrieb.dev { - log - redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service -} - -uptime.noratrieb.dev { - log - redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime -} +# redirects blog.noratrieb.dev { log 
@@ -83,7 +85,7 @@ blog.nilstrieb.dev { bisect-rustc.nilstrieb.dev { log - redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent + redir https://bisect-rustc.dev/blog{uri} permanent } docker.nilstrieb.dev { diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix index 9acbd60..c2ff120 100644 --- a/nix/modules/default/default.nix +++ b/nix/modules/default/default.nix @@ -1,10 +1,5 @@ -{ pkgs, lib, name, my-projects-versions, networkingConfig, nixpkgs-path, ... }: -let - pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz"); - quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz"); -in -{ - deployment.targetHost = "${name}.infra.noratrieb.dev"; +{ pkgs, lib, config, name, pretense, quotdd, nixpkgs-path, ... }: { + deployment.targetHost = "${config.networking.hostName}.infra.noratrieb.dev"; imports = [ "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26 @@ -97,26 +92,13 @@ in # monitoring networking.firewall.interfaces.wg0.allowedTCPPorts = [ - 8080 # cadvisor exporter 9100 # node exporter 9150 # pretense exporter - 9558 # systemd exporter ]; services.prometheus.exporters = { node = { enable = true; }; - systemd = { - enable = true; - }; - }; - services.cadvisor = { - enable = true; - listenAddress = "0.0.0.0"; - extraOptions = [ - # significantly decreases CPU usage (https://github.com/google/cadvisor/issues/2523) - "--housekeeping_interval=30s" - ]; }; services.promtail = { enable = true; @@ -178,6 +160,4 @@ in ]; }; }; - - deployment.tags = networkingConfig."${name}".tags; } diff --git a/nix/modules/dns/default.nix b/nix/modules/dns/default.nix index 815eed0..3326e9a 100644 --- a/nix/modules/dns/default.nix +++ b/nix/modules/dns/default.nix 
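Review bot: `redir https://bisect-rustc.dev/blog{uri} permanent` now points `bisect-rustc.nilstrieb.dev` at a domain that appears nowhere else in this tree — every other host here is under `noratrieb.dev`, and the previous hunk of this file brings `bisect-rustc.noratrieb.dev` back as a live vhost — so `noratrieb.` looks accidentally dropped; if `bisect-rustc.dev` is not a domain you control, a permanent redirect to it hands that traffic to whoever registers it, and because browsers cache 301s old clients keep going there even after a fix. Suggest `redir https://bisect-rustc.noratrieb.dev{uri} permanent` (the pre-existing `/blog` prefix also looks copied from the `blog.nilstrieb.dev` block above and is worth checking), and listing `bisect-rustc.nilstrieb.dev` with its expected `Location` in `nix/deploy/smoke-tests.sh` so a bad redirect target fails the deploy check.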
@@ -1,6 +1,4 @@ -{ pkgs, lib, networkingConfig, ... }: -let metricsPort = 9433; in -{ +{ pkgs, lib, networkingConfig, ... }: { # get the package for the debugging tools environment.systemPackages = with pkgs; [ knot-dns ]; @@ -42,9 +40,9 @@ let metricsPort = 9433; in }; }; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ metricsPort ]; + networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics services.prometheus.exporters.knot = { enable = true; - port = metricsPort; + port = 9433; }; } diff --git a/nix/modules/dns/noratrieb.dev.nix b/nix/modules/dns/noratrieb.dev.nix index b14b131..dc52c14 100644 --- a/nix/modules/dns/noratrieb.dev.nix +++ b/nix/modules/dns/noratrieb.dev.nix @@ -61,6 +61,7 @@ let }; # --- apps + bisect-rustc = vps1; docker = vps1; hugo-chat = vps1 // { subdomains.api = vps1; @@ -97,9 +98,6 @@ let _dmarc.TXT = [ "v=DMARC1; p=quarantine" ]; - - # retired - bisect-rustc = vps1; }; }; in diff --git a/nix/modules/garage/default.nix b/nix/modules/garage/default.nix index e7f5331..3f8be39 100644 --- a/nix/modules/garage/default.nix +++ b/nix/modules/garage/default.nix @@ -1,9 +1,4 @@ -{ config, pkgs, name, ... }: -let - rpcPort = 3901; - adminPort = 3903; -in -{ +{ config, pkgs, name, ... }: { age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age; environment.systemPackages = with pkgs; [ @@ -11,13 +6,13 @@ in ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ - rpcPort - adminPort + 3901 # RPC + 3903 # admin for metrics ]; services.garage = { enable = true; - package = pkgs.garage_2_0_0; + package = pkgs.garage_1_1_0; settings = { metadata_dir = "/var/lib/garage/meta"; data_dir = "/var/lib/garage/data"; 
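Review bot: `package = pkgs.garage_1_1_0;` rolls the storage daemon back from `garage_2_0_0` on every node importing this module; if any of them already ran 2.0.0, the metadata under `/var/lib/garage/meta` is in the newer on-disk format and the older binary may refuse to start or misread it — the diff cannot tell me whether 2.0.0 was ever deployed, so confirm that before applying, and put the reason on the line (`package = pkgs.garage_1_1_0; # matches the nixos-24.11 pin in hive.nix` if that is it). Inlining `3901 # RPC` and `3903 # admin for metrics` in place of `rpcPort`/`adminPort` (continued in the next hunk) repeats each literal in the firewall list and in `rpc_bind_addr`/`api_bind_addr`; a typo in one copy silently opens or binds the wrong port, which the single `let` binding used to prevent.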
@@ -29,8 +24,8 @@ in # arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly. compression-level = 5; - rpc_bind_addr = "[::]:${toString rpcPort}"; - rpc_public_addr = "${name}.local:${toString rpcPort}"; + rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "${name}.local:3901"; s3_api = { s3_region = "garage"; @@ -45,7 +40,7 @@ in }; admin = { - api_bind_addr = "[::]:${toString adminPort}"; + api_bind_addr = "[::]:3903"; }; }; environmentFile = config.age.secrets.garage_secrets.path; diff --git a/nix/modules/prometheus/default.nix b/nix/modules/prometheus/default.nix index b1e06da..b30d69d 100644 --- a/nix/modules/prometheus/default.nix +++ b/nix/modules/prometheus/default.nix 
@@ -1,52 +1,72 @@ -{ config, lib, networkingConfig, ... }: { +{ config, lib, ... }: { services.prometheus = { enable = true; globalConfig = { }; - scrapeConfigs = - let hostsWithTag = tag: map (entry: entry.name) (builtins.filter (entry: builtins.elem tag entry.value.tags) (lib.attrsToList networkingConfig)); in - [ - { - job_name = "prometheus"; - static_configs = [ - { targets = [ "localhost:9090" ]; } - ]; - } - { - job_name = "node"; - static_configs = [{ targets = map (name: "${name}.local:9100") (builtins.attrNames networkingConfig); }]; - } - { - job_name = "cadvisor"; - static_configs = [{ targets = map (name: "${name}.local:8080") (builtins.attrNames networkingConfig); }]; - - } - { - job_name = "systemd"; - static_configs = [{ targets = map (name: "${name}.local:9558") (builtins.attrNames networkingConfig); }]; - } - { - job_name = "caddy"; - static_configs = [{ targets = map (name: "${name}.local:9010") (hostsWithTag "apps"); }]; - } - { - job_name = "docker-registry"; - static_configs = [ - { targets = [ "vps1.local:9011" ]; } - ]; - } - { - job_name = "garage"; - static_configs = [{ targets = map (name: "${name}.local:3903") (hostsWithTag "apps"); }]; - } - { - job_name = "knot"; - static_configs = [{ targets = map (name: "${name}.local:9433") (hostsWithTag "dns"); }]; - } - { - job_name = "pretense"; - static_configs = [{ targets = map (name: "${name}.local:9150") (builtins.attrNames networkingConfig); }]; - } - ]; + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:9090" ]; } + ]; + } + { + job_name = "node"; + static_configs = [ + { targets = [ "dns1.local:9100" ]; } + { targets = [ "dns2.local:9100" ]; } + { targets = [ "vps1.local:9100" ]; } + { targets = [ "vps2.local:9100" ]; } + { targets = [ "vps3.local:9100" ]; } + { targets = [ "vps4.local:9100" ]; } + { targets = [ "vps5.local:9100" ]; } + ]; + } + { + job_name = "caddy"; + static_configs = [ + { targets = [ "vps1.local:9010" ]; } + { targets = 
[ "vps2.local:9010" ]; } + { targets = [ "vps3.local:9010" ]; } + { targets = [ "vps4.local:9010" ]; } + { targets = [ "vps5.local:9010" ]; } + ]; + } + { + job_name = "docker-registry"; + static_configs = [ + { targets = [ "vps1.local:9011" ]; } + ]; + } + { + job_name = "garage"; + static_configs = [ + { targets = [ "vps1.local:3903" ]; } + { targets = [ "vps2.local:3903" ]; } + { targets = [ "vps3.local:3903" ]; } + { targets = [ "vps4.local:3903" ]; } + { targets = [ "vps5.local:3903" ]; } + ]; + } + { + job_name = "knot"; + static_configs = [ + { targets = [ "dns1.local:9433" ]; } + { targets = [ "dns2.local:9433" ]; } + ]; + } + { + job_name = "pretense"; + static_configs = [ + { targets = [ "dns1.local:9150" ]; } + { targets = [ "dns2.local:9150" ]; } + { targets = [ "vps1.local:9150" ]; } + { targets = [ "vps2.local:9150" ]; } + { targets = [ "vps3.local:9150" ]; } + { targets = [ "vps4.local:9150" ]; } + { targets = [ "vps5.local:9150" ]; } + ]; + } + ]; }; age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age; @@ -88,7 +108,7 @@ }; }; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ]; + networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3100 ]; # loki age.secrets.loki_env.file = ../../secrets/loki_env.age; systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path; services.loki = { diff --git a/nix/modules/registry/default.nix b/nix/modules/registry/default.nix index a18c67c..13b1e97 100644 --- a/nix/modules/registry/default.nix +++ b/nix/modules/registry/default.nix 
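Review bot: The seven hand-written host lists that replace the `hostsWithTag`/`networkingConfig` targets mean that adding or renaming a node now requires touching up to five jobs here plus `hive.nix`, and a host omitted from one job simply stops being scraped with no alert; the `deployment.tags` this commit adds in `hive.nix` are not visible to this module, but a `let hosts = [ "dns1" "dns2" "vps1" "vps2" "vps3" "vps4" "vps5" ]; apps = [ … ]; dns = [ … ]; in` at the top of the file with `map (h: "${h}.local:9100") hosts` would keep one source of truth. Each job also wraps every target in its own `{ targets = [ … ]; }` entry; one entry holding the whole list is the conventional shape. In the last hunk, `allowedTCPPorts = [ 3100 ]; # loki` hard-codes what was previously read from `config.services.loki.configuration.server.http_listen_port`; if that port ever changes the firewall will not follow, so keeping the reference is safer. This `scrapeConfigs` hunk begins on the previous line.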
@@ -10,14 +10,9 @@ }; }; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; + networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics - systemd.services.docker-registry = { - serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path; - environment = { - OTEL_TRACES_EXPORTER = "none"; - }; - }; + systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path; services.dockerRegistry = { enable = true; storagePath = null; diff --git a/nix/my-projects.json b/nix/my-projects.json index bf6a386..e1e8ac0 100644 --- a/nix/my-projects.json +++ b/nix/my-projects.json @@ -5,7 +5,5 @@ "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d", "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548", "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1", - "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077", - "cluelessh": "c711cd405da4b7951e554577d09c9576bedf7970", - "widetom": "33d1738799618d72fe2b86896f766cbfea58dc76" + "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077" } diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json deleted file mode 100644 index e63baef..0000000 --- a/nix/nixpkgs.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "channel": "nixos-25.05", - "lastUpdated": "2025-08-03T11:42:11.747Z", - "commit": "59e69648d345d6e8fef86158c555730fa12af9de" -} diff --git a/nix/update-nixpkgs.mjs b/nix/update-nixpkgs.mjs deleted file mode 100644 index fa63e62..0000000 --- a/nix/update-nixpkgs.mjs +++ /dev/null 
@@ -1,23 +0,0 @@
-import fs from "node:fs/promises";
-
-const path = `${import.meta.dirname}/nixpkgs.json`;
-const nixpkgs = JSON.parse(await fs.readFile(path));
-
-const res = await fetch(
-  `https://api.github.com/repos/NixOS/nixpkgs/commits/${nixpkgs.channel}`
-);
-
-if (!res.ok) {
-  throw new Error(
-    `get commit for ${name}: ${res.status} - ${await res.text()}`
-  );
-}
-
-const body = await res.json();
-
-if (body.sha !== nixpkgs.commit) {
-  nixpkgs.commit = body.sha;
-  nixpkgs.lastUpdated = new Date().toISOString();
-
-  await fs.writeFile(path, JSON.stringify(nixpkgs, null, 2) + "\n");
-}
diff --git a/nix/update-my-projects.mjs b/update-my-projects.mjs
similarity index 92%
rename from nix/update-my-projects.mjs
rename to update-my-projects.mjs
index ee2cbe9..e940822 100644
--- a/nix/update-my-projects.mjs
+++ b/update-my-projects.mjs
@@ -1,6 +1,6 @@
 import fs from "node:fs/promises";
-const path = `${import.meta.dirname}/my-projects.json`;
+const path = `${import.meta.dirname}/nix/my-projects.json`;
 const projects = JSON.parse(await fs.readFile(path));
 let hasChanges = false;