From aca10fdc660494818a2df8ed2e76181d67bc5c48 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Wed, 25 Jun 2025 23:03:12 +0100
Subject: [PATCH] Cleanup

Signed-off-by: Nikolaos Karaolidis
---
 .../configs/user/gui/firefox/default.nix | 12 +-
 .../configs/console/podman/gitea/default.nix | 341 +++++++-------
 .../configs/console/podman/ntfy/entrypoint.sh | 8 +-
 .../console/podman/prometheus/default.nix | 434 +++++++++---------
 .../console/podman/traefik/default.nix | 12 +-
 packages/docker/mariadb/default.nix | 2 +-
 packages/docker/mariadb/entrypoint.sh | 12 +-
 packages/docker/nextcloud/entrypoint.sh | 14 +-
 packages/docker/postgresql/default.nix | 2 +-
 packages/docker/postgresql/entrypoint.sh | 2 -
 .../entrypoint.sh | 3 -
 .../prometheus-podman-exporter/entrypoint.sh | 3 -
 12 files changed, 420 insertions(+), 425 deletions(-)

diff --git a/hosts/common/configs/user/gui/firefox/default.nix b/hosts/common/configs/user/gui/firefox/default.nix
index 83062c7..fbdd81f 100644
--- a/hosts/common/configs/user/gui/firefox/default.nix
+++ b/hosts/common/configs/user/gui/firefox/default.nix
@@ -97,16 +97,10 @@ in
 "downloads-button"
 "privatebrowsing-button"
 ];
- "toolbar-menubar" = [
- "menubar-items"
- ];
+ "toolbar-menubar" = [ "menubar-items" ];
 "TabsToolbar" = [ ];
- "vertical-tabs" = [
- "tabbrowser-tabs"
- ];
- "PersonalToolbar" = [
- "personal-bookmarks"
- ];
+ "vertical-tabs" = [ "tabbrowser-tabs" ];
+ "PersonalToolbar" = [ "personal-bookmarks" ];
 };
 "seen" = [
 "wayback_machine_mozilla_org-browser-action"
diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
index 67da6a1..f0f684f 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
@@ -13,8 +13,6 @@ let selfPkgs = inputs.self.packages.${system}; hmConfig = config.home-manager.users.${user}; - inherit (hmConfig.virtualisation.quadlet) containers volumes networks; - autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR"; podman = lib.meta.getExe pkgs.podman; podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}"; in 
@@ -65,196 +63,201 @@ in AuthorizedKeysCommand ${podmanAsUser} exec -i gitea gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k ''; - home-manager.users.${user} = { - sops = { - secrets = { - "gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; - }; + home-manager.users.${user} = + let + autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR"; + inherit (hmConfig.virtualisation.quadlet) containers volumes networks; + in + { + sops = { + secrets = { + "gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; + }; - templates = { - gitea-postgresql-env.content = '' - POSTGRES_PASSWORD=${hmConfig.sops.placeholder."gitea/postgresql"} - ''; + templates = { + gitea-postgresql-env.content = '' + POSTGRES_PASSWORD=${hmConfig.sops.placeholder."gitea/postgresql"} + ''; - gitea-env.content = '' - GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"} 
- ''; + gitea-env.content = '' + GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"} + ''; - gitea.content = builtins.readFile ( - (pkgs.formats.iniWithGlobalSection { }).generate "app.ini" { - globalSection = { - I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true; - }; - - sections = { - server = { - ROOT_URL = "https://git.karaolidis.com:443/"; - - # FIXME: https://github.com/go-gitea/gitea/issues/31112 - OFFLINE_MODE = false; - - SSH_USER = "git"; - SSH_DOMAIN = "karaolidis.com"; - SSH_CREATE_AUTHORIZED_KEYS_FILE = false; - - LFS_START_SERVER = true; - LFS_ALLOW_PURE_SSH = true; - LFS_JWT_SECRET = hmConfig.sops.placeholder."gitea/lfsJwtSecret"; + gitea.content = builtins.readFile ( + (pkgs.formats.iniWithGlobalSection { }).generate "app.ini" { + globalSection = { + I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true; }; - service = { - ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - SHOW_REGISTRATION_BUTTON = false; - }; + sections = { + server = { + ROOT_URL = "https://git.karaolidis.com:443/"; - openid = { - ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "id.karaolidis.com"; - }; + # FIXME: https://github.com/go-gitea/gitea/issues/31112 + OFFLINE_MODE = false; - oauth2 = { - JWT_SECRET = hmConfig.sops.placeholder."gitea/jwtSecret"; - }; + SSH_USER = "git"; + SSH_DOMAIN = "karaolidis.com"; + SSH_CREATE_AUTHORIZED_KEYS_FILE = false; - oauth2_client = { - ENABLE_AUTO_REGISTRATION = true; - USERNAME = "preferred_username"; - }; + LFS_START_SERVER = true; + LFS_ALLOW_PURE_SSH = true; + LFS_JWT_SECRET = hmConfig.sops.placeholder."gitea/lfsJwtSecret"; + }; - repository = { - ENABLE_PUSH_CREATE_USER = true; - }; + service = { + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + }; - database = { - DB_TYPE = "postgres"; - HOST = "gitea-postgresql:5432"; - NAME = "gitea"; - USER = "gitea"; - PASSWD = hmConfig.sops.placeholder."gitea/postgresql"; - }; + openid = { + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "id.karaolidis.com"; + }; - 
mailer = { - ENABLE = true; - PROTOCOL = "smtp+starttls"; - SMTP_ADDR = "smtp.protonmail.ch"; - SMTP_PORT = 587; - USER = "jupiter@karaolidis.com"; - PASSWD = hmConfig.sops.placeholder."gitea/smtp"; - FROM = "jupiter@karaolidis.com"; - }; + oauth2 = { + JWT_SECRET = hmConfig.sops.placeholder."gitea/jwtSecret"; + }; - security = { - INSTALL_LOCK = true; - SECRET_KEY = hmConfig.sops.placeholder."gitea/secretKey"; - INTERNAL_TOKEN = hmConfig.sops.placeholder."gitea/internalToken"; - }; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + USERNAME = "preferred_username"; + }; - metrics = { - ENABLED = true; - }; - }; - } - ); + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; - authelia-gitea.content = builtins.readFile ( - (pkgs.formats.yaml { }).generate "gitea.yaml" { - identity_providers.oidc = { - authorization_policies.gitea = { - default_policy = "deny"; - rules = [ + database = { + DB_TYPE = "postgres"; + HOST = "gitea-postgresql:5432"; + NAME = "gitea"; + USER = "gitea"; + PASSWD = hmConfig.sops.placeholder."gitea/postgresql"; + }; + + mailer = { + ENABLE = true; + PROTOCOL = "smtp+starttls"; + SMTP_ADDR = "smtp.protonmail.ch"; + SMTP_PORT = 587; + USER = "jupiter@karaolidis.com"; + PASSWD = hmConfig.sops.placeholder."gitea/smtp"; + FROM = "jupiter@karaolidis.com"; + }; + + security = { + INSTALL_LOCK = true; + SECRET_KEY = hmConfig.sops.placeholder."gitea/secretKey"; + INTERNAL_TOKEN = hmConfig.sops.placeholder."gitea/internalToken"; + }; + + metrics = { + ENABLED = true; + }; + }; + } + ); + + authelia-gitea.content = builtins.readFile ( + (pkgs.formats.yaml { }).generate "gitea.yaml" { + identity_providers.oidc = { + authorization_policies.gitea = { + default_policy = "deny"; + rules = [ + { + policy = "one_factor"; + subject = "group:gitea"; + } + ]; + }; + + clients = [ { - policy = "one_factor"; - subject = "group:gitea"; + client_id = autheliaClientId; + client_name = "Gitea"; + client_secret = hmConfig.sops.placeholder."gitea/authelia/digest"; 
+ redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ]; + authorization_policy = "gitea"; } ]; }; - - clients = [ - { - client_id = autheliaClientId; - client_name = "Gitea"; - client_secret = hmConfig.sops.placeholder."gitea/authelia/digest"; - redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ]; - authorization_policy = "gitea"; - } - ]; - }; - } - ); - }; - }; - - virtualisation.quadlet = { - networks.gitea.networkConfig.internal = true; - - volumes = { - gitea-postgresql = { }; - # TODO: Move LFS to mass storage - gitea = { }; + } + ); + }; }; - containers = { - gitea = - let - entrypoint = pkgs.writeTextFile { - name = "entrypoint.sh"; - executable = true; - text = builtins.readFile ./entrypoint.sh; - }; - in - { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-gitea}"; - networks = [ - networks.gitea.ref - networks.traefik.ref - ]; - volumes = [ - "${volumes.gitea.ref}:/var/lib/gitea/data" - "${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro" - "${entrypoint}:/entrypoint.sh:ro" - ]; - environments.GITEA_OAUTH_KEY = autheliaClientId; - environmentFiles = [ hmConfig.sops.templates.gitea-env.path ]; - entrypoint = "/entrypoint.sh"; - labels = [ - "traefik.enable=true" - "traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)" - ]; - }; + virtualisation.quadlet = { + networks.gitea.networkConfig.internal = true; - unitConfig.After = [ - "${containers.gitea-postgresql._serviceName}.service" - "sops-nix.service" - ]; - }; - - gitea-postgresql = { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-postgresql}"; - networks = [ networks.gitea.ref ]; - volumes = [ "${volumes.gitea-postgresql.ref}:/var/lib/postgresql/data" ]; - environments = { - POSTGRES_DB = "gitea"; - POSTGRES_USER = "gitea"; - }; - environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ]; - }; - - unitConfig.After = [ "sops-nix.service" ]; + volumes = { + gitea-postgresql = { }; + # 
TODO: Move LFS to mass storage + gitea = { }; }; - authelia-init.containerConfig.volumes = [ - "${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro" - ]; + containers = { + gitea = + let + entrypoint = pkgs.writeTextFile { + name = "entrypoint.sh"; + executable = true; + text = builtins.readFile ./entrypoint.sh; + }; + in + { + containerConfig = { + image = "docker-archive:${selfPkgs.docker-gitea}"; + networks = [ + networks.gitea.ref + networks.traefik.ref + ]; + volumes = [ + "${volumes.gitea.ref}:/var/lib/gitea/data" + "${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro" + "${entrypoint}:/entrypoint.sh:ro" + ]; + environments.GITEA_OAUTH_KEY = autheliaClientId; + environmentFiles = [ hmConfig.sops.templates.gitea-env.path ]; + entrypoint = "/entrypoint.sh"; + labels = [ + "traefik.enable=true" + "traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)" + ]; + }; + + unitConfig.After = [ + "${containers.gitea-postgresql._serviceName}.service" + "sops-nix.service" + ]; + }; + + gitea-postgresql = { + containerConfig = { + image = "docker-archive:${selfPkgs.docker-postgresql}"; + networks = [ networks.gitea.ref ]; + volumes = [ "${volumes.gitea-postgresql.ref}:/var/lib/postgresql/data" ]; + environments = { + POSTGRES_DB = "gitea"; + POSTGRES_USER = "gitea"; + }; + environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ]; + }; + + unitConfig.After = [ "sops-nix.service" ]; + }; + + authelia-init.containerConfig.volumes = [ + "${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro" + ]; + }; }; }; - }; } diff --git a/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh b/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh index 16025df..3af46bc 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh +++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh 
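Review bot: `unitConfig.After = [ "${containers.gitea-postgresql._serviceName}.service" ... ]` in the new `containers.gitea` block only orders gitea after its database and does not pull that unit in, so starting gitea on its own (or with the postgresql unit failed or disabled) brings it up against an unreachable `gitea-postgresql:5432`; adding `unitConfig.Requires = [ "${containers.gitea-postgresql._serviceName}.service" ];` (or `Wants`) beside it closes the gap, and the `prometheus` → `prometheus-init` ordering in the prometheus hunk has the same shape. Whether the quadlet module already wants both units from `default.target` is not visible in this diff. `I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true;` in `globalSection` carries no rationale; a line such as `# TODO: document why the gitea container has to run as root` would stop the next reader from keeping it by inertia. Nearly every line of this hunk differs only by indentation (the bindings moved into a `let`), so it is best reviewed with whitespace ignored; `home-manager.users.${user}` opens inside the hunk and the file's closing brace is its last line.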
@@ -3,14 +3,14 @@ mkdir -p /tmp PIPE=$(mktemp -u) mkfifo "$PIPE" -trap 'rm -f "$PIPE"' EXIT ntfy serve > "$PIPE" 2>&1 & -pid=$! +PID=$! grep -q "INFO Listening on :80\[http\]" < "$PIPE" -kill "$pid" -wait "$pid" || true +kill "$PID" +wait "$PID" || true +rm -f "$PIPE" export NTFY_PASSWORD="$NTFY_ADMIN_PASSWORD" ntfy user add "$NTFY_ADMIN_USER" || true diff --git a/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix b/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix index 4d6a9fb..3ef1959 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix @@ -14,11 +14,11 @@ let selfPkgs = inputs.self.packages.${system}; hmConfig = config.home-manager.users.${user}; jupiterVpsConfig = inputs.self.nixosConfigurations.jupiter-vps.config; - inherit (hmConfig.virtualisation.quadlet) volumes containers networks; in { boot.kernelParams = [ "psi=1" ]; + # TODO: Secure with unix sockets # The below containers all need to run as root to collect host metrics. virtualisation.quadlet.containers = { prometheus-node-exporter.containerConfig = { 
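Review bot: Dropping `trap 'rm -f "$PIPE"' EXIT` in favour of a single `rm -f "$PIPE"` after `wait` means the FIFO is only removed on the happy path; if `grep -q` returns without a match (ntfy exiting before it prints the listening line) and the script aborts, or the script is interrupted, the FIFO under /tmp is left behind and the next run creates another. Keeping the trap alongside the explicit removal costs nothing: `trap 'rm -f "$PIPE"' EXIT` right after `mkfifo "$PIPE"`. Whether a failed grep aborts the script depends on a `set -e` above the hunk, which is outside it.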
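Review bot: `# TODO: Secure with unix sockets` does not record what is exposed today: the root-level exporters declared in this block are scraped by the rootless prometheus over TCP via `host.containers.internal:<port>` (per the scrape config in the next hunk) with no TLS or auth, so anything that can reach those listeners on the host can read host metrics. Expanding it to `# TODO: Secure with unix sockets — the root exporters below listen on TCP with no auth and are scraped via host.containers.internal` makes the risk visible without waiting for the fix. The exporters' actual listen addresses are outside this hunk; confirm they match the ports in the scrape targets. The `let` this hunk sits in opens above it.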
@@ -78,233 +78,237 @@ in }; }; - home-manager.users.${user} = { - virtualisation.quadlet = { - networks = { - prometheus.networkConfig.internal = true; - prometheus-ext = { }; - }; - - volumes = { - prometheus-data = { }; - prometheus-config = { }; - }; - - containers = { - prometheus-node-exporter.containerConfig = { - image = "docker-archive:${selfPkgs.docker-prometheus-node-exporter}"; - networks = [ networks.prometheus.ref ]; - volumes = - let - uid = builtins.toString config.users.users.${user}.uid; - in - [ "/run/user/${uid}/bus:/var/run/dbus/system_bus_socket:ro" ]; - exec = [ - "--log.level=warn" - "--path.rootfs=/host" - "--collector.disable-defaults" - "--collector.systemd" - ]; + home-manager.users.${user} = + let + inherit (hmConfig.virtualisation.quadlet) volumes containers networks; + in + { + virtualisation.quadlet = { + networks = { + prometheus.networkConfig.internal = true; + prometheus-ext = { }; }; - prometheus-podman-exporter.containerConfig = { - image = "docker-archive:${selfPkgs.docker-prometheus-podman-exporter}"; - networks = [ networks.prometheus.ref ]; - volumes = - let - uid = builtins.toString config.users.users.${user}.uid; - in - [ "/run/user/${uid}/podman/podman.sock:/run/podman/podman.sock:ro" ]; - exec = [ "--collector.enable-all" ]; + volumes = { + prometheus-data = { }; + prometheus-config = { }; }; - prometheus-init = - let - prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yaml" { - global.scrape_interval = "15s"; - - scrape_configs = - let - hostname = config.networking.hostName; - jupiterVpsHostname = jupiterVpsConfig.networking.hostName; - in - [ - { - job_name = "${hostname}-node-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9100" ]; - labels = { - app = "node-exporter"; - user = "root"; - inherit hostname; - }; - } - { - targets = [ "prometheus-node-exporter:9100" ]; - labels = { - app = "node-exporter"; - inherit user hostname; - }; - } - ]; - } - { - job_name = 
"${hostname}-podman-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9882" ]; - labels = { - app = "podman-exporter"; - user = "root"; - inherit hostname; - }; - } - { - targets = [ "prometheus-podman-exporter:9882" ]; - labels = { - app = "podman-exporter"; - inherit user hostname; - }; - } - ]; - } - { - job_name = "${hostname}-fail2ban-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9191" ]; - labels = { - app = "fail2ban-exporter"; - user = "root"; - inherit hostname; - }; - } - ]; - } - { - job_name = "${hostname}-smartctl-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9633" ]; - labels = { - app = "smartctl-exporter"; - user = "root"; - inherit hostname; - }; - } - ]; - } - { - job_name = "${jupiterVpsHostname}-node-exporter"; - static_configs = [ - { - targets = [ "10.0.0.1:9100" ]; - labels = { - app = "node-exporter"; - user = "root"; - hostname = jupiterVpsHostname; - }; - } - ]; - } - { - job_name = "${jupiterVpsHostname}-podman-exporter"; - static_configs = [ - { - targets = [ "10.0.0.1:9882" ]; - labels = { - app = "podman-exporter"; - user = "root"; - hostname = jupiterVpsHostname; - }; - } - ]; - } - { - job_name = "${jupiterVpsHostname}-fail2ban-exporter"; - static_configs = [ - { - targets = [ "10.0.0.1:9191" ]; - labels = { - app = "fail2ban-exporter"; - user = "root"; - hostname = jupiterVpsHostname; - }; - } - ]; - } - ]; - }; - in - { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-yq}"; - volumes = [ - "${volumes.prometheus-config.ref}:/etc/prometheus" - "${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml" - ]; - entrypoint = "/bin/bash"; - exec = [ - "-c" - "yq eval-all '. as $item ireduce ({}; . 
*+ $item)' /etc/prometheus/conf.d/*.yaml > /etc/prometheus/prometheus.yaml" - ]; - }; - - serviceConfig = { - Type = "oneshot"; - Restart = "on-failure"; - }; - }; - - prometheus = { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-prometheus}"; - volumes = [ - "${volumes.prometheus-config.ref}:/etc/prometheus" - "${volumes.prometheus-data.ref}:/var/lib/prometheus" - ]; - networks = [ - networks.grafana.ref - networks.prometheus.ref - # Access to root exporters - networks.prometheus-ext.ref - ]; + containers = { + prometheus-node-exporter.containerConfig = { + image = "docker-archive:${selfPkgs.docker-prometheus-node-exporter}"; + networks = [ networks.prometheus.ref ]; + volumes = + let + uid = builtins.toString config.users.users.${user}.uid; + in + [ "/run/user/${uid}/bus:/var/run/dbus/system_bus_socket:ro" ]; exec = [ "--log.level=warn" - "--config.file=/etc/prometheus/prometheus.yaml" - "--storage.tsdb.path=/var/lib/prometheus" - "--storage.tsdb.retention.time=1y" + "--path.rootfs=/host" + "--collector.disable-defaults" + "--collector.systemd" ]; }; - unitConfig.After = [ "${containers.prometheus-init._serviceName}.service" ]; - }; + prometheus-podman-exporter.containerConfig = { + image = "docker-archive:${selfPkgs.docker-prometheus-podman-exporter}"; + networks = [ networks.prometheus.ref ]; + volumes = + let + uid = builtins.toString config.users.users.${user}.uid; + in + [ "/run/user/${uid}/podman/podman.sock:/run/podman/podman.sock:ro" ]; + exec = [ "--collector.enable-all" ]; + }; - grafana.containerConfig.volumes = - let - datasource = (pkgs.formats.yaml { }).generate "prometheus.yaml" { - apiVersion = 1; + prometheus-init = + let + prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yaml" { + global.scrape_interval = "15s"; - datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - access = "proxy"; - url = "http://prometheus:9090"; - uid = "prometheus"; - jsonData = { - httpMethod = "POST"; - manageAlerts = 
true; - prometheusType = "Prometheus"; - prometheusVersion = lib.strings.getVersion pkgs.prometheus; - }; - } + scrape_configs = + let + hostname = config.networking.hostName; + jupiterVpsHostname = jupiterVpsConfig.networking.hostName; + in + [ + { + job_name = "${hostname}-node-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9100" ]; + labels = { + app = "node-exporter"; + user = "root"; + inherit hostname; + }; + } + { + targets = [ "prometheus-node-exporter:9100" ]; + labels = { + app = "node-exporter"; + inherit user hostname; + }; + } + ]; + } + { + job_name = "${hostname}-podman-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9882" ]; + labels = { + app = "podman-exporter"; + user = "root"; + inherit hostname; + }; + } + { + targets = [ "prometheus-podman-exporter:9882" ]; + labels = { + app = "podman-exporter"; + inherit user hostname; + }; + } + ]; + } + { + job_name = "${hostname}-fail2ban-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9191" ]; + labels = { + app = "fail2ban-exporter"; + user = "root"; + inherit hostname; + }; + } + ]; + } + { + job_name = "${hostname}-smartctl-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9633" ]; + labels = { + app = "smartctl-exporter"; + user = "root"; + inherit hostname; + }; + } + ]; + } + { + job_name = "${jupiterVpsHostname}-node-exporter"; + static_configs = [ + { + targets = [ "10.0.0.1:9100" ]; + labels = { + app = "node-exporter"; + user = "root"; + hostname = jupiterVpsHostname; + }; + } + ]; + } + { + job_name = "${jupiterVpsHostname}-podman-exporter"; + static_configs = [ + { + targets = [ "10.0.0.1:9882" ]; + labels = { + app = "podman-exporter"; + user = "root"; + hostname = jupiterVpsHostname; + }; + } + ]; + } + { + job_name = "${jupiterVpsHostname}-fail2ban-exporter"; + static_configs = [ + { + targets = [ "10.0.0.1:9191" ]; + labels = { + app = "fail2ban-exporter"; + user = "root"; + 
hostname = jupiterVpsHostname; + }; + } + ]; + } + ]; + }; + in + { + containerConfig = { + image = "docker-archive:${selfPkgs.docker-yq}"; + volumes = [ + "${volumes.prometheus-config.ref}:/etc/prometheus" + "${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml" + ]; + entrypoint = "/bin/bash"; + exec = [ + "-c" + "yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/prometheus/conf.d/*.yaml > /etc/prometheus/prometheus.yaml" + ]; + }; + + serviceConfig = { + Type = "oneshot"; + Restart = "on-failure"; + }; + }; + + prometheus = { + containerConfig = { + image = "docker-archive:${selfPkgs.docker-prometheus}"; + volumes = [ + "${volumes.prometheus-config.ref}:/etc/prometheus" + "${volumes.prometheus-data.ref}:/var/lib/prometheus" + ]; + networks = [ + networks.grafana.ref + networks.prometheus.ref + # Access to root exporters + networks.prometheus-ext.ref + ]; + exec = [ + "--log.level=warn" + "--config.file=/etc/prometheus/prometheus.yaml" + "--storage.tsdb.path=/var/lib/prometheus" + "--storage.tsdb.retention.time=1y" ]; }; - in - [ "${datasource}:/etc/grafana/conf/provisioning/datasources/prometheus.yaml" ]; + + unitConfig.After = [ "${containers.prometheus-init._serviceName}.service" ]; + }; + + grafana.containerConfig.volumes = + let + datasource = (pkgs.formats.yaml { }).generate "prometheus.yaml" { + apiVersion = 1; + + datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "http://prometheus:9090"; + uid = "prometheus"; + jsonData = { + httpMethod = "POST"; + manageAlerts = true; + prometheusType = "Prometheus"; + prometheusVersion = lib.strings.getVersion pkgs.prometheus; + }; + } + ]; + }; + in + [ "${datasource}:/etc/grafana/conf/provisioning/datasources/prometheus.yaml" ]; + }; }; }; - }; } diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix index db4f970..39c7272 100644 
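Review bot: The `jupiterVpsHostname` jobs scrape `10.0.0.1:9100`, `:9882` and `:9191` with no `scheme`, `tls_config` or `basic_auth`, so these scrapes are plain unauthenticated HTTP; that is acceptable only if 10.0.0.1 is reached over an encrypted tunnel, which this diff does not show. A comment next to the first of those targets, e.g. `# 10.0.0.1 is the VPS over <tunnel — TODO confirm>; exporters speak plain HTTP with no auth, keep them unreachable outside it`, records the assumption; the `host.containers.internal` targets already carry a TODO in the earlier hunk. As with the gitea hunk, almost the whole block is a re-indentation under a new `let`, so review with whitespace ignored. The hunk ends at the file's closing brace.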
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix @@ -37,7 +37,7 @@ in virtualisation.quadlet = { networks.traefik = { }; - volumes.letsencrypt = { }; + volumes.traefik = { }; containers = { traefik = { @@ -53,9 +53,11 @@ in in [ "/run/user/${uid}/podman/podman.sock:/var/run/docker.sock" - "${volumes.letsencrypt.ref}:/letsencrypt" + "${volumes.traefik.ref}:/var/lib/traefik" ]; exec = [ + "--experimental.fastProxy" + "--api.dashboard=true" "--api.disabledashboardad=true" @@ -86,7 +88,7 @@ in "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" "--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + "--certificatesresolvers.letsencrypt.acme.storage=/var/lib/traefik/acme.json" "--metrics.prometheus=true" ]; @@ -178,7 +180,7 @@ in }; Install = { - WantedBy = [ "sockets.target" ]; + WantedBy = [ "default.target" ]; }; }; @@ -190,7 +192,7 @@ in }; Install = { - WantedBy = [ "sockets.target" ]; + WantedBy = [ "default.target" ]; }; }; }; diff --git a/packages/docker/mariadb/default.nix b/packages/docker/mariadb/default.nix index ce66c0e..9c4c27f 100644 --- a/packages/docker/mariadb/default.nix +++ b/packages/docker/mariadb/default.nix @@ -26,7 +26,7 @@ pkgs.dockerTools.buildImage { }; runAsRoot = '' - mkdir -p /var/lib/mysql /run/mysqld + mkdir -p /run/mysqld ''; config = { diff --git a/packages/docker/mariadb/entrypoint.sh b/packages/docker/mariadb/entrypoint.sh index dce16e6..0b692ed 100644 --- a/packages/docker/mariadb/entrypoint.sh +++ b/packages/docker/mariadb/entrypoint.sh 
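Review bot: The ACME store moves from `/letsencrypt/acme.json` on the `letsencrypt` volume to `/var/lib/traefik/acme.json` on a new `traefik` volume, but nothing in the diff migrates the existing `acme.json`; unless it is copied by hand before the switch, Traefik starts with an empty store and re-requests every certificate, which may count against Let's Encrypt's issuance limits. A comment at `volumes.traefik = { };` such as `# renamed from letsencrypt; copy acme.json from the old volume before first start, then drop it` records that step, and the `@@ -86,7 +88,7 @@` hunk changing the storage path is where the same note applies. The added `--experimental.fastProxy` enables a feature Traefik labels experimental on the public-facing proxy; a comment naming the Traefik version it was validated with would help whoever bumps the image. The `exec` list and the `Install` sections opened in these hunks continue outside them.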
@@ -13,7 +13,7 @@ if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then mariadb-install-db --datadir="$DATADIR" --skip-test-db mariadbd --user=root --datadir="$DATADIR" --skip-networking --skip-grant-tables & - pid="$!" + PID="$!" while ! mariadb --protocol=socket -e " FLUSH PRIVILEGES; @@ -28,12 +28,12 @@ if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then sleep 0.1 done - kill -QUIT "$pid" - wait "$pid" || true + kill -QUIT "$PID" + wait "$PID" || true fi -trap 'kill -QUIT "$pid"' INT +trap 'kill -QUIT "$PID"' INT mariadbd --user=root --datadir="$DATADIR" "$@" & -pid=$! -wait "$pid" +PID=$! +wait "$PID" exit $? diff --git a/packages/docker/nextcloud/entrypoint.sh b/packages/docker/nextcloud/entrypoint.sh index 5ef3e62..a13a4ff 100644 --- a/packages/docker/nextcloud/entrypoint.sh +++ b/packages/docker/nextcloud/entrypoint.sh @@ -65,20 +65,20 @@ cron PHPRC="$(dirname "$(readlink -f "$(which php)")")/../lib/php.ini" export PHPRC -pidfile=$(mktemp) +PIDFILE=$(mktemp) # shellcheck disable=SC2016 setsid sh -c ' echo "$$" > "$1" shift exec httpd "$@" -' _ "$pidfile" "$@" & +' _ "$PIDFILE" "$@" & -until [ -s "$pidfile" ]; do sleep 0.01; done +until [ -s "$PIDFILE" ]; do sleep 0.01; done -pid=$(cat "$pidfile") -rm "$pidfile" +PID=$(cat "$PIDFILE") +rm "$PIDFILE" -trap 'kill -INT "$pid"' INT -wait "$pid" +trap 'kill -INT "$PID"' INT +wait "$PID" exit $? diff --git a/packages/docker/postgresql/default.nix b/packages/docker/postgresql/default.nix index 828be5b..e6f240b 100644 --- a/packages/docker/postgresql/default.nix +++ b/packages/docker/postgresql/default.nix @@ -30,7 +30,7 @@ pkgs.dockerTools.buildImage { runAsRoot = '' ${pkgs.dockerTools.shadowSetup} - mkdir -p /etc/postgresql /var/lib/postgresql /run/postgresql + mkdir -p /etc/postgresql /run/postgresql cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf ${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf ''; 
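Review bot: `wait "$PID"` followed by `exit $?` returns as soon as the `INT` trap fires (the trap interrupts `wait`, which then reports 130), so the script exits while `mariadbd` is still shutting down and the container's exit status never reflects the server's own; this is pre-existing, but the rename touches exactly these lines. Waiting a second time after the first `wait` returns — `wait "$PID"` then `wait "$PID"` then `exit $?` — blocks until the child actually exits and yields its status in bash; confirm the image's `/bin/sh` behaves the same. The nextcloud entrypoint hunk in this commit (`trap 'kill -INT "$PID"' INT` / `wait "$PID"` / `exit $?`) has the identical shape. The `if` block that opens the first hunk starts above it.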
diff --git a/packages/docker/postgresql/entrypoint.sh b/packages/docker/postgresql/entrypoint.sh index 871f280..4a278a5 100644 --- a/packages/docker/postgresql/entrypoint.sh +++ b/packages/docker/postgresql/entrypoint.sh @@ -21,7 +21,6 @@ mkfifo "$LOG_PIPE" fi done < "$LOG_PIPE" ) & -LOG_PID=$! if [ ! -s "$PGDATA/PG_VERSION" ]; then tmpfile=$(mktemp) @@ -42,5 +41,4 @@ if [ ! -s "$PGDATA/PG_VERSION" ]; then pg_ctl -m fast -w stop fi -trap 'kill $LOG_PID' EXIT exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1 diff --git a/packages/docker/prometheus-fail2ban-exporter/entrypoint.sh b/packages/docker/prometheus-fail2ban-exporter/entrypoint.sh index fab4a07..39ef1cb 100644 --- a/packages/docker/prometheus-fail2ban-exporter/entrypoint.sh +++ b/packages/docker/prometheus-fail2ban-exporter/entrypoint.sh @@ -16,8 +16,5 @@ mkfifo "$LOG_PIPE" fi done < "$LOG_PIPE" ) & -LOG_PID=$! - -trap 'kill $LOG_PID' EXIT exec prometheus-fail2ban-exporter "$@" > "$LOG_PIPE" 2>&1 diff --git a/packages/docker/prometheus-podman-exporter/entrypoint.sh b/packages/docker/prometheus-podman-exporter/entrypoint.sh index 681b8e2..ac3130c 100644 --- a/packages/docker/prometheus-podman-exporter/entrypoint.sh +++ b/packages/docker/prometheus-podman-exporter/entrypoint.sh @@ -16,8 +16,5 @@ mkfifo "$LOG_PIPE" fi done < "$LOG_PIPE" ) & -LOG_PID=$! - -trap 'kill $LOG_PID' EXIT exec prometheus-podman-exporter "$@" > "$LOG_PIPE" 2>&1
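Review bot: Removing `LOG_PID=$!` and `trap 'kill $LOG_PID' EXIT` is sound because the script ends in `exec`, so the shell is replaced and an EXIT trap would never have run, but nothing now explains how the log-reader subshell (`done < "$LOG_PIPE" ) &`) terminates; a comment on the `exec` line such as `# exec replaces this shell; the reader subshell exits on EOF once the daemon closes $LOG_PIPE` keeps that reasoning in the file. The same removal appears in the fail2ban-exporter and podman-exporter hunks and the comment applies there too. That the reader stops on EOF is inferred from the `done < "$LOG_PIPE"` redirect; the loop body is outside the hunk.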