debug.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>nora's server</title>
+</head>
+<body>
+    <h1>congrats, you landed on my server (0% NixOS) directly!?</h1>
+    <p>sorry, but there isn't anything cool here. this is <b>my</b> infra, you are not allowed here.</p>
+    <p>if you do want to be allowed here, then uh.. still no.</p>
+    <p>:3</p>
+</body>
+</html>

nix/apps/cargo-bisect-rustc-service/default.nix

@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  dockerLogin = {
+    registry = "docker.noratrieb.dev";
+    username = "nils";
+    passwordFile = config.age.secrets.docker_registry_password.path;
+  };
+in
+{
+  virtualisation.oci-containers.containers = {
+    cargo-bisect-rustc-service = {
+      image = "docker.noratrieb.dev/cargo-bisect-rustc-service:316a4044";
+      volumes = [
+        "/var/lib/cargo-bisect-rustc-service:/data"
+      ];
+      environment = {
+        SQLITE_DB = "/data/db.sqlite";
+      };
+      ports = [ "127.0.0.1:5005:4000" ];
+      login = dockerLogin;
+    };
+  };
+
+  services.custom-backup.jobs = [
+    {
+      app = "cargo-bisect-rustc-service";
+      file = "/var/lib/cargo-bisect-rustc-service/db.sqlite";
+    }
+  ];
+
+  system.activationScripts.makeCargoBisectRustcServiceDir = lib.stringAfter [ "var" ] ''
+    mkdir -p /var/lib/cargo-bisect-rustc-service/
+    chmod ugo+w /var/lib/cargo-bisect-rustc-service/
+  '';
+}

nix/apps/does-it-build/default.nix

@@ -1,7 +1,7 @@
-{ pkgs, lib, my-projects-versions, ... }:
+{ pkgs, lib, does-it-build, my-projects-versions, ... }:
 let
-  does-it-build-base = (import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz")) { inherit pkgs; };
-  does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
+  does-it-build-base = does-it-build { inherit pkgs; };
+  does-it-build-with-commit = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
     DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build;
   });
 in
@@ -15,7 +15,7 @@ in
     serviceConfig = {
       User = "does-it-build";
       Group = "does-it-build";
-      ExecStart = "${lib.getExe' (does-it-build) "does-it-build" }";
+      ExecStart = "${lib.getExe' (does-it-build-with-commit) "does-it-build" }";
       Environment = "DB_PATH=/var/lib/does-it-build/db.sqlite";
     };
   };

nix/apps/fakessh/default.nix

@@ -1,29 +0,0 @@
-{ lib, pkgs, my-projects-versions, ... }:
-let cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${my-projects-versions.cluelessh}.tar.gz");
-in
-{
-  systemd.services.fakessh = {
-    description = "cluelessh-faked ssh honeypot";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      RestartSec = "5s";
-      ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
-
-      # i really don't trust this.
-      DynamicUser = true;
-      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-      MemoryHigh = "100M";
-      MemoryMax = "200M";
-
-      # config
-      Environment = [
-        "FAKESSH_LISTEN_ADDR=0.0.0.0:22"
-        "RUST_LOG=debug"
-        #"FAKESSH_JSON_LOGS=1"
-      ];
-    };
-  };
-  networking.firewall.allowedTCPPorts = [ 22 ];
-}

nix/apps/killua/default.nix

@@ -1,27 +1,23 @@
-{ config, lib, pkgs, ... }:
-let
-  jarfile = pkgs.fetchurl {
-    url =
-      "https://github.com/Noratrieb/killua-bot/releases/download/2023-08-26/KilluaBot.jar";
-    hash = "sha256-LUABYq6cRhLTLyZVzkIjIFHERcb7YQTzyAGaJB49Mxk=";
-  };
-  dataDir = "/var/lib/killua";
-in
+{ config, lib, ... }:
+let dataDir = "/var/lib/killua"; in
 {
   age.secrets.killua_env.file = ../../secrets/killua_env.age;
 
-  systemd.services.killua = {
-    description = "killua, an awesome discord bot";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    environment = {
-      BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
-      CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
-    };
-    serviceConfig = {
-      DynamicUser = true;
-      ExecStart = "${lib.getExe' pkgs.jdk17 "java"} -jar ${jarfile}";
-      EnvironmentFile = [ config.age.secrets.killua_env.path ];
+  virtualisation.oci-containers.containers = {
+    killua = {
+      image = "docker.noratrieb.dev/killua-bot:ac8203d2";
+      volumes = [
+        "${dataDir}:/data"
+      ];
+      environment = {
+        KILLUA_JSON_PATH = "/data/trivia_questions.json";
+      };
+      environmentFiles = [ config.age.secrets.killua_env.path ];
+      login = {
+        registry = "docker.noratrieb.dev";
+        username = "nils";
+        passwordFile = config.age.secrets.docker_registry_password.path;
+      };
     };
   };
 

nix/apps/upload-files/default.nix

@@ -1,6 +1,4 @@
-{ my-projects-versions, pkgs, lib, config, ... }:
-let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); in
-{
+{ upload-files, pkgs, lib, config, ... }: {
   age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age;
 
   systemd.services.upload-files = {

nix/apps/uptime/default.nix

@@ -0,0 +1,42 @@
+{ lib, config, ... }: {
+  virtualisation.oci-containers.containers.uptime = {
+    /*
+      uptime:
+      container_name: uptime
+      image: "docker.noratrieb.dev/uptime:50d15bc4"
+      restart: always
+      volumes:
+        - "/apps/uptime:/app/config"
+      environment:
+        UPTIME_CONFIG_PATH: /app/config/uptime.json
+      ports:
+        - "5010:3000"
+    */
+
+    image = "docker.noratrieb.dev/uptime:50d15bc4";
+    volumes = [
+      "${./uptime.json}:/uptime.json"
+      "/var/lib/uptime:/data"
+    ];
+    environment = {
+      UPTIME_CONFIG_PATH = "/uptime.json";
+    };
+    ports = [ "127.0.0.1:5010:3000" ];
+    login = {
+      registry = "docker.noratrieb.dev";
+      username = "nils";
+      passwordFile = config.age.secrets.docker_registry_password.path;
+    };
+  };
+
+  services.custom-backup.jobs = [
+    {
+      app = "uptime";
+      file = "/var/lib/uptime/uptime.db";
+    }
+  ];
+
+  system.activationScripts.makeUptimeDir = lib.stringAfter [ "var" ] ''
+    mkdir -p /var/lib/uptime/
+  '';
+}

nix/apps/uptime/uptime.json

@@ -0,0 +1,50 @@
+{
+  "interval_seconds": 30,
+  "db_url": "/data/uptime.db",
+  "websites": [
+    {
+      "name": "noratrieb.dev",
+      "url": "https://noratrieb.dev"
+    },
+    {
+      "name": "nilstrieb.dev",
+      "url": "https://nilstrieb.dev"
+    },
+    {
+      "name": "docker.nilstrieb.dev",
+      "url": "https://docker.noratrieb.dev"
+    },
+    {
+      "name": "vps1.nilstrieb.dev",
+      "url": "https://vps1.infra.noratrieb.dev"
+    },
+    {
+      "name": "vps2.nilstrieb.dev",
+      "url": "https://vps2.nilstrieb.dev"
+    },
+    {
+      "name": "bisect-rustc.nilstrieb.dev",
+      "url": "https://bisect-rustc.noratrieb.dev"
+    },
+    {
+      "name": "hugo-chat.nilstrieb.dev",
+      "url": "https://hugo-chat.noratrieb.dev"
+    },
+    {
+      "name": "api.hugo-chat.nilstrieb.dev",
+      "url": "https://api.hugo-chat.noratrieb.dev/api/v2/rooms"
+    },
+    {
+      "name": "cors-school.nilstrieb.dev",
+      "url": "https://cors-school.nilstrieb.dev"
+    },
+    {
+      "name": "api.cors-school.nilstrieb.dev",
+      "url": "https://api.cors-school.nilstrieb.dev/api/hugo"
+    },
+    {
+      "name": "olat.nilstrieb.dev",
+      "url": "https://olat.nilstrieb.dev/dmz/"
+    }
+  ]
+}

nix/apps/widetom/default.nix

@@ -1,47 +1,33 @@
-{ config, pkgs, lib, my-projects-versions, ... }:
-let
-  widetom = pkgs.rustPlatform.buildRustPackage {
-    src = pkgs.fetchFromGitHub {
-      owner = "Noratrieb";
-      repo = "widetom";
-      rev = my-projects-versions.widetom;
-      hash = "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8=";
-    };
-    pname = "widetom";
-    version = "0.1.0";
-    cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE=";
-    meta = {
-      mainProgram = "widertom";
-    };
-  };
-in
-{
-  age.secrets.widetom_bot_token = {
-    file = ../../secrets/widetom_bot_token.age;
-    owner = config.users.users.widetom.name;
-  };
-  age.secrets.widetom_config_toml = {
-    file = ../../secrets/widetom_config_toml.age;
-    owner = config.users.users.widetom.name;
-  };
+{ config, ... }: {
+  age.secrets.widetom_bot_token.file = ../../secrets/widetom_bot_token.age;
+  age.secrets.widetom_config_toml.file = ../../secrets/widetom_config_toml.age;
 
-  systemd.services.widetom = {
-    description = "widetom, the extremely funny discord bot";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    environment = {
-      BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
-      CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
-    };
-    serviceConfig = {
-      DynamicUser = true;
-      ExecStart = lib.getExe widetom;
+  virtualisation.oci-containers.containers = {
+    /*
+      container_name: widetom
+      image: "docker.noratrieb.dev/widetom:33d17387"
+      restart: always
+      volumes:
+        - "/apps/widetom:/app/config"
+      environment:
+        CONFIG_PATH: /app/config/config.toml
+        BOT_TOKEN_PATH: /app/config/bot_token
+    */
+    widetom = {
+      image = "docker.noratrieb.dev/widetom:33d17387";
+      volumes = [
+        "${config.age.secrets.widetom_config_toml.path}:/config.toml"
+        "${config.age.secrets.widetom_bot_token.path}:/token"
+      ];
+      environment = {
+        CONFIG_PATH = "/config.toml";
+        BOT_TOKEN_PATH = "/token";
+      };
+      login = {
+        registry = "docker.noratrieb.dev";
+        username = "nils";
+        passwordFile = config.age.secrets.docker_registry_password.path;
+      };
     };
   };
-
-  users.users.widetom = {
-    group = "widetom";
-    isSystemUser = true;
-  };
-  users.groups.widetom = { };
 }

nix/deploy/smoke-tests.sh

@@ -36,11 +36,13 @@ http_hosts=(
     vps3.infra.noratrieb.dev
     vps4.infra.noratrieb.dev
     vps5.infra.noratrieb.dev
+    bisect-rustc.noratrieb.dev
     docker.noratrieb.dev
     does-it-build.noratrieb.dev
     grafana.noratrieb.dev
     hugo-chat.noratrieb.dev
     api.hugo-chat.noratrieb.dev/api/v2/rooms
+    uptime.noratrieb.dev
     www.noratrieb.dev
 
     # legacy:

nix/hive.nix

@@ -1,8 +1,9 @@
 {
   meta =
     let
-      nixpkgs-version = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
-      nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-version.commit}.tar.gz");
+      my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
+      nixpkgs-hash = "50ab793786d9de88ee30ec4e4c24fb4236fc2674"; # nixos-24.11 2025-07-27
+      nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-hash}.tar.gz");
     in
     {
       # Override to pin the Nixpkgs version (recommended). This option
@@ -13,7 +14,15 @@
       nixpkgs = import nixpkgs-path;
 
       specialArgs = {
-        my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
+        website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
+        blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
+        slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
+        pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
+        quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
+        does-it-build = import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz");
+        upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz");
+
+        inherit my-projects-versions;
 
         inherit nixpkgs-path;
 
@@ -26,7 +35,6 @@
               publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4=";
               peers = [ "vps3" ];
             };
-            tags = [ "dns" ];
           };
           dns2 = {
             publicIPv4 = "128.140.3.7";
@@ -38,7 +46,6 @@
               publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc=";
               peers = [ "vps3" ];
             };
-            tags = [ "dns" ];
           };
           vps1 = {
             publicIPv4 = "161.97.165.1";
@@ -48,7 +55,6 @@
               publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
               peers = [ "vps2" "vps3" "vps4" "vps5" ];
             };
-            tags = [ "apps" ];
           };
           vps2 = {
             publicIPv4 = "184.174.32.252";
@@ -58,7 +64,6 @@
               publicKey = "SficHHJ0ynpZoGah5heBpNKnEVIVrgs72Z5HEKd3jHA=";
               peers = [ "vps1" "vps3" "vps4" "vps5" ];
             };
-            tags = [ "apps" ];
           };
           vps3 = {
             publicIPv4 = "134.255.181.139";
@@ -68,7 +73,6 @@
               publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
               peers = [ "vps1" "vps2" "vps4" "vps5" "dns1" "dns2" ];
             };
-            tags = [ "apps" ];
           };
           vps4 = {
             publicIPv4 = "195.201.147.17";
@@ -80,7 +84,6 @@
               publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs=";
               peers = [ "vps1" "vps2" "vps3" "vps5" ];
             };
-            tags = [ "apps" ];
           };
           vps5 = {
             publicIPv4 = "45.94.209.30";
@@ -90,7 +93,6 @@
               publicKey = "r1cwt63fcOR+FTqMTUpZdK4/MxpalkDYRHXyy7osWUk=";
               peers = [ "vps1" "vps2" "vps3" "vps4" ];
             };
-            tags = [ "apps" ];
           };
         };
       };
@@ -118,6 +120,9 @@
       ./modules/wg-mesh
     ];
 
+    # The name and nodes parameters are supported in Colmena,
+    # allowing you to reference configurations in other nodes.
+    deployment.tags = [ "dns" "us" ];
     system.stateVersion = "23.11";
   };
   dns2 = { name, nodes, modulesPath, lib, ... }: {
@@ -127,6 +132,7 @@
       ./modules/wg-mesh
     ];
 
+    deployment.tags = [ "dns" "eu" "hetzner" ];
     system.stateVersion = "23.11";
 
     boot.loader.grub.device = "/dev/sda";
@@ -182,12 +188,15 @@
       # apps
       ./apps/widetom
       ./apps/hugo-chat
+      ./apps/uptime
+      ./apps/cargo-bisect-rustc-service
       ./apps/killua
       ./apps/forgejo
       ./apps/openolat
       ./apps/upload-files
     ];
 
+    deployment.tags = [ "caddy" "eu" "apps" "website" ];
     system.stateVersion = "23.11";
   };
   # VPS2 exists
@@ -200,6 +209,7 @@
       ./modules/garage
     ];
 
+    deployment.tags = [ "caddy" "eu" "apps" ];
     system.stateVersion = "23.11";
   };
   # VPS3 is the primary monitoring/metrics server.
@@ -213,6 +223,7 @@
       ./modules/prometheus
     ];
 
+    deployment.tags = [ "eu" "apps" "website" ];
     system.stateVersion = "23.11";
   };
   # VPS4 exists. It's useful for garage replication and runs does-it-build which uses some CPU.
@@ -228,6 +239,7 @@
       ./apps/does-it-build
     ];
 
+    deployment.tags = [ "eu" "apps" "hetzner" "website" ];
     system.stateVersion = "23.11";
 
     boot.loader.grub.device = "/dev/sda";
@@ -270,6 +282,10 @@
   };
   # VPS5 is the primary test server, where new things are being deployed that could break stuff maybe.
   vps5 = { name, nodes, modulesPath, config, pkgs, lib, ... }:
+    let
+      commit = "5f203d0f5ba2639043bd5bd1c3687c406d6abac1";
+      cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${commit}.tar.gz");
+    in
     {
       imports = [
         (modulesPath + "/profiles/qemu-guest.nix")
@@ -277,12 +293,37 @@
         ./modules/caddy
         ./modules/wg-mesh
         ./modules/garage
-        ./apps/fakessh
       ];
 
-      services.openssh.ports = [ 2000 ];
-      deployment.targetPort = 2000;
 
+      services.openssh.ports = [ 2000 ];
+      systemd.services.fakessh = {
+        description = "cluelessh-faked ssh honeypot";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          Restart = "on-failure";
+          RestartSec = "5s";
+          ExecStart = "${lib.getExe' (cluelessh {inherit pkgs;}) "cluelessh-faked" }";
+
+          # i really don't trust this.
+          DynamicUser = true;
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          MemoryHigh = "100M";
+          MemoryMax = "200M";
+
+          # config
+          Environment = [
+            "FAKESSH_LISTEN_ADDR=0.0.0.0:22"
+            "RUST_LOG=debug"
+            #"FAKESSH_JSON_LOGS=1"
+          ];
+        };
+      };
+      networking.firewall.allowedTCPPorts = [ 22 ];
+
+      deployment.targetPort = 2000;
+      deployment.tags = [ "eu" "apps" ];
       system.stateVersion = "23.11";
     };
 }

nix/modules/caddy/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, lib, name, my-projects-versions, ... }:
+{ pkgs, config, lib, name, website, slides, blog, ... }:
 
 let
   caddy = pkgs.callPackage ./caddy-build.nix {
@@ -11,10 +11,6 @@ let
     ];
     vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
   };
-  website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
-  blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
-  slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
-  website-build = website { inherit pkgs slides blog; };
 in
 {
   environment.systemPackages = [ caddy ];
@@ -66,7 +62,7 @@ in
                 header -Last-Modified
                 root * ${import ./caddy-static-prepare {
                   name = "website";
-                  src = website-build;
+                  src = website { inherit pkgs slides blog; };
                   inherit pkgs lib;
                 }}
                 file_server {

nix/modules/caddy/vps1.Caddyfile

@@ -3,6 +3,12 @@ www.noratrieb.dev {
 	redir https://noratrieb.dev{uri} permanent
 }
 
+uptime.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5010
+}
+
 hugo-chat.noratrieb.dev {
 	log
 	encode zstd gzip
@@ -16,6 +22,12 @@ api.hugo-chat.noratrieb.dev {
 	reverse_proxy * localhost:5001
 }
 
+bisect-rustc.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5005
+}
+
 docker.noratrieb.dev {
 	log
 	reverse_proxy * localhost:5000
@@ -49,17 +61,7 @@ upload.files.noratrieb.dev {
 }
 
 ################################################################
-# retired
-
-bisect-rustc.noratrieb.dev {
-	log
-	redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service
-}
-
-uptime.noratrieb.dev {
-	log
-	redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime
-}
+# redirects
 
 blog.noratrieb.dev {
 	log
@@ -83,7 +85,7 @@ blog.nilstrieb.dev {
 
 bisect-rustc.nilstrieb.dev {
 	log
-	redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent
+	redir https://bisect-rustc.dev/blog{uri} permanent
 }
 
 docker.nilstrieb.dev {

nix/modules/default/default.nix

@@ -1,10 +1,5 @@
-{ pkgs, lib, name, my-projects-versions, networkingConfig, nixpkgs-path, ... }:
-let
-  pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
-  quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
-in
-{
-  deployment.targetHost = "${name}.infra.noratrieb.dev";
+{ pkgs, lib, config, name, pretense, quotdd, nixpkgs-path, ... }: {
+  deployment.targetHost = "${config.networking.hostName}.infra.noratrieb.dev";
 
   imports = [
     "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26
@@ -97,26 +92,13 @@ in
   # monitoring
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
-    8080 # cadvisor exporter
     9100 # node exporter
     9150 # pretense exporter
-    9558 # systemd exporter
   ];
   services.prometheus.exporters = {
     node = {
       enable = true;
     };
-    systemd = {
-      enable = true;
-    };
-  };
-  services.cadvisor = {
-    enable = true;
-    listenAddress = "0.0.0.0";
-    extraOptions = [
-      # significantly decreases CPU usage (https://github.com/google/cadvisor/issues/2523)
-      "--housekeeping_interval=30s"
-    ];
   };
   services.promtail = {
     enable = true;
@@ -178,6 +160,4 @@ in
       ];
     };
   };
-
-  deployment.tags = networkingConfig."${name}".tags;
 }

nix/modules/dns/default.nix

@@ -1,6 +1,4 @@
-{ pkgs, lib, networkingConfig, ... }:
-let metricsPort = 9433; in
-{
+{ pkgs, lib, networkingConfig, ... }: {
   # get the package for the debugging tools
   environment.systemPackages = with pkgs; [ knot-dns ];
 
@@ -42,9 +40,9 @@ let metricsPort = 9433; in
     };
   };
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ metricsPort ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics
   services.prometheus.exporters.knot = {
     enable = true;
-    port = metricsPort;
+    port = 9433;
   };
 }

nix/modules/dns/noratrieb.dev.nix

@@ -61,6 +61,7 @@ let
         };
 
         # --- apps
+        bisect-rustc = vps1;
         docker = vps1;
         hugo-chat = vps1 // {
           subdomains.api = vps1;
@@ -97,9 +98,6 @@ let
         _dmarc.TXT = [
           "v=DMARC1; p=quarantine"
         ];
-
-        # retired
-        bisect-rustc = vps1;
       };
     };
 in

nix/modules/garage/default.nix

@@ -1,9 +1,4 @@
-{ config, pkgs, name, ... }:
-let
-  rpcPort = 3901;
-  adminPort = 3903;
-in
-{
+{ config, pkgs, name, ... }: {
   age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
 
   environment.systemPackages = with pkgs; [
@@ -11,13 +6,13 @@ in
   ];
 
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
-    rpcPort
-    adminPort
+    3901 # RPC
+    3903 # admin for metrics
   ];
 
   services.garage = {
     enable = true;
-    package = pkgs.garage_2_0_0;
+    package = pkgs.garage_1_1_0;
     settings = {
       metadata_dir = "/var/lib/garage/meta";
       data_dir = "/var/lib/garage/data";
@@ -29,8 +24,8 @@ in
       # arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly.
       compression-level = 5;
 
-      rpc_bind_addr = "[::]:${toString rpcPort}";
-      rpc_public_addr = "${name}.local:${toString rpcPort}";
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "${name}.local:3901";
 
       s3_api = {
         s3_region = "garage";
@@ -45,7 +40,7 @@ in
       };
 
       admin = {
-        api_bind_addr = "[::]:${toString adminPort}";
+        api_bind_addr = "[::]:3903";
       };
     };
     environmentFile = config.age.secrets.garage_secrets.path;

nix/modules/prometheus/default.nix

@@ -1,52 +1,72 @@
-{ config, lib, networkingConfig, ... }: {
+{ config, lib, ... }: {
   services.prometheus = {
     enable = true;
     globalConfig = { };
-    scrapeConfigs =
-      let hostsWithTag = tag: map (entry: entry.name) (builtins.filter (entry: builtins.elem tag entry.value.tags) (lib.attrsToList networkingConfig)); in
-      [
-        {
-          job_name = "prometheus";
-          static_configs = [
-            { targets = [ "localhost:9090" ]; }
-          ];
-        }
-        {
-          job_name = "node";
-          static_configs = [{ targets = map (name: "${name}.local:9100") (builtins.attrNames networkingConfig); }];
-        }
-        {
-          job_name = "cadvisor";
-          static_configs = [{ targets = map (name: "${name}.local:8080") (builtins.attrNames networkingConfig); }];
-
-        }
-        {
-          job_name = "systemd";
-          static_configs = [{ targets = map (name: "${name}.local:9558") (builtins.attrNames networkingConfig); }];
-        }
-        {
-          job_name = "caddy";
-          static_configs = [{ targets = map (name: "${name}.local:9010") (hostsWithTag "apps"); }];
-        }
-        {
-          job_name = "docker-registry";
-          static_configs = [
-            { targets = [ "vps1.local:9011" ]; }
-          ];
-        }
-        {
-          job_name = "garage";
-          static_configs = [{ targets = map (name: "${name}.local:3903") (hostsWithTag "apps"); }];
-        }
-        {
-          job_name = "knot";
-          static_configs = [{ targets = map (name: "${name}.local:9433") (hostsWithTag "dns"); }];
-        }
-        {
-          job_name = "pretense";
-          static_configs = [{ targets = map (name: "${name}.local:9150") (builtins.attrNames networkingConfig); }];
-        }
-      ];
+    scrapeConfigs = [
+      {
+        job_name = "prometheus";
+        static_configs = [
+          { targets = [ "localhost:9090" ]; }
+        ];
+      }
+      {
+        job_name = "node";
+        static_configs = [
+          { targets = [ "dns1.local:9100" ]; }
+          { targets = [ "dns2.local:9100" ]; }
+          { targets = [ "vps1.local:9100" ]; }
+          { targets = [ "vps2.local:9100" ]; }
+          { targets = [ "vps3.local:9100" ]; }
+          { targets = [ "vps4.local:9100" ]; }
+          { targets = [ "vps5.local:9100" ]; }
+        ];
+      }
+      {
+        job_name = "caddy";
+        static_configs = [
+          { targets = [ "vps1.local:9010" ]; }
+          { targets = [ "vps2.local:9010" ]; }
+          { targets = [ "vps3.local:9010" ]; }
+          { targets = [ "vps4.local:9010" ]; }
+          { targets = [ "vps5.local:9010" ]; }
+        ];
+      }
+      {
+        job_name = "docker-registry";
+        static_configs = [
+          { targets = [ "vps1.local:9011" ]; }
+        ];
+      }
+      {
+        job_name = "garage";
+        static_configs = [
+          { targets = [ "vps1.local:3903" ]; }
+          { targets = [ "vps2.local:3903" ]; }
+          { targets = [ "vps3.local:3903" ]; }
+          { targets = [ "vps4.local:3903" ]; }
+          { targets = [ "vps5.local:3903" ]; }
+        ];
+      }
+      {
+        job_name = "knot";
+        static_configs = [
+          { targets = [ "dns1.local:9433" ]; }
+          { targets = [ "dns2.local:9433" ]; }
+        ];
+      }
+      {
+        job_name = "pretense";
+        static_configs = [
+          { targets = [ "dns1.local:9150" ]; }
+          { targets = [ "dns2.local:9150" ]; }
+          { targets = [ "vps1.local:9150" ]; }
+          { targets = [ "vps2.local:9150" ]; }
+          { targets = [ "vps3.local:9150" ]; }
+          { targets = [ "vps4.local:9150" ]; }
+          { targets = [ "vps5.local:9150" ]; }
+        ];
+      }
+    ];
   };
 
   age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age;
@@ -88,7 +108,7 @@
     };
   };
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3100 ]; # loki
   age.secrets.loki_env.file = ../../secrets/loki_env.age;
   systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path;
   services.loki = {

nix/modules/registry/default.nix

@@ -10,14 +10,9 @@
     };
   };
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics
 
-  systemd.services.docker-registry = {
-    serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
-    environment = {
-      OTEL_TRACES_EXPORTER = "none";
-    };
-  };
+  systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
   services.dockerRegistry = {
     enable = true;
     storagePath = null;

nix/my-projects.json

@@ -5,7 +5,5 @@
   "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
   "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548",
   "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1",
-  "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077",
-  "cluelessh": "c711cd405da4b7951e554577d09c9576bedf7970",
-  "widetom": "33d1738799618d72fe2b86896f766cbfea58dc76"
+  "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077"
 }

nix/nixpkgs.json

@@ -1,5 +0,0 @@
-{
-  "channel": "nixos-25.05",
-  "lastUpdated": "2025-08-03T11:42:11.747Z",
-  "commit": "59e69648d345d6e8fef86158c555730fa12af9de"
-}

nix/update-nixpkgs.mjs

@@ -1,23 +0,0 @@
-import fs from "node:fs/promises";
-
-const path = `${import.meta.dirname}/nixpkgs.json`;
-const nixpkgs = JSON.parse(await fs.readFile(path));
-
-const res = await fetch(
-  `https://api.github.com/repos/NixOS/nixpkgs/commits/${nixpkgs.channel}`
-);
-
-if (!res.ok) {
-  throw new Error(
-    `get commit for ${name}: ${res.status} - ${await res.text()}`
-  );
-}
-
-const body = await res.json();
-
-if (body.sha !== nixpkgs.commit) {
-  nixpkgs.commit = body.sha;
-  nixpkgs.lastUpdated = new Date().toISOString();
-
-  await fs.writeFile(path, JSON.stringify(nixpkgs, null, 2) + "\n");
-}

update-my-projects.mjs

@@ -1,6 +1,6 @@
 import fs from "node:fs/promises";
 
-const path = `${import.meta.dirname}/my-projects.json`;
+const path = `${import.meta.dirname}/nix/my-projects.json`;
 const projects = JSON.parse(await fs.readFile(path));
 
 let hasChanges = false;