Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
2025-06-25 23:03:12 +01:00
parent b9d57d2d58
commit aca10fdc66
12 changed files with 420 additions and 425 deletions


@@ -97,16 +97,10 @@ in
"downloads-button" "downloads-button"
"privatebrowsing-button" "privatebrowsing-button"
]; ];
"toolbar-menubar" = [ "toolbar-menubar" = [ "menubar-items" ];
"menubar-items"
];
"TabsToolbar" = [ ]; "TabsToolbar" = [ ];
"vertical-tabs" = [ "vertical-tabs" = [ "tabbrowser-tabs" ];
"tabbrowser-tabs" "PersonalToolbar" = [ "personal-bookmarks" ];
];
"PersonalToolbar" = [
"personal-bookmarks"
];
}; };
"seen" = [ "seen" = [
"wayback_machine_mozilla_org-browser-action" "wayback_machine_mozilla_org-browser-action"


@@ -13,8 +13,6 @@
let let
selfPkgs = inputs.self.packages.${system}; selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR";
podman = lib.meta.getExe pkgs.podman; podman = lib.meta.getExe pkgs.podman;
podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}"; podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}";
in in
@@ -65,196 +63,201 @@ in
AuthorizedKeysCommand ${podmanAsUser} exec -i gitea gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k AuthorizedKeysCommand ${podmanAsUser} exec -i gitea gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k
''; '';
home-manager.users.${user} = { home-manager.users.${user} =
sops = { let
secrets = { autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR";
"gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
"gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; in
"gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml; {
"gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml; sops = {
"gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; secrets = {
"gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
}; "gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
templates = { templates = {
gitea-postgresql-env.content = '' gitea-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."gitea/postgresql"} POSTGRES_PASSWORD=${hmConfig.sops.placeholder."gitea/postgresql"}
''; '';
gitea-env.content = '' gitea-env.content = ''
GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"} GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"}
''; '';
gitea.content = builtins.readFile ( gitea.content = builtins.readFile (
(pkgs.formats.iniWithGlobalSection { }).generate "app.ini" { (pkgs.formats.iniWithGlobalSection { }).generate "app.ini" {
globalSection = { globalSection = {
I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true; I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true;
};
sections = {
server = {
ROOT_URL = "https://git.karaolidis.com:443/";
# FIXME: https://github.com/go-gitea/gitea/issues/31112
OFFLINE_MODE = false;
SSH_USER = "git";
SSH_DOMAIN = "karaolidis.com";
SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true;
LFS_JWT_SECRET = hmConfig.sops.placeholder."gitea/lfsJwtSecret";
}; };
service = { sections = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; server = {
SHOW_REGISTRATION_BUTTON = false; ROOT_URL = "https://git.karaolidis.com:443/";
};
openid = { # FIXME: https://github.com/go-gitea/gitea/issues/31112
ENABLE_OPENID_SIGNUP = true; OFFLINE_MODE = false;
WHITELISTED_URIS = "id.karaolidis.com";
};
oauth2 = { SSH_USER = "git";
JWT_SECRET = hmConfig.sops.placeholder."gitea/jwtSecret"; SSH_DOMAIN = "karaolidis.com";
}; SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
oauth2_client = { LFS_START_SERVER = true;
ENABLE_AUTO_REGISTRATION = true; LFS_ALLOW_PURE_SSH = true;
USERNAME = "preferred_username"; LFS_JWT_SECRET = hmConfig.sops.placeholder."gitea/lfsJwtSecret";
}; };
repository = { service = {
ENABLE_PUSH_CREATE_USER = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
}; SHOW_REGISTRATION_BUTTON = false;
};
database = { openid = {
DB_TYPE = "postgres"; ENABLE_OPENID_SIGNUP = true;
HOST = "gitea-postgresql:5432"; WHITELISTED_URIS = "id.karaolidis.com";
NAME = "gitea"; };
USER = "gitea";
PASSWD = hmConfig.sops.placeholder."gitea/postgresql";
};
mailer = { oauth2 = {
ENABLE = true; JWT_SECRET = hmConfig.sops.placeholder."gitea/jwtSecret";
PROTOCOL = "smtp+starttls"; };
SMTP_ADDR = "smtp.protonmail.ch";
SMTP_PORT = 587;
USER = "jupiter@karaolidis.com";
PASSWD = hmConfig.sops.placeholder."gitea/smtp";
FROM = "jupiter@karaolidis.com";
};
security = { oauth2_client = {
INSTALL_LOCK = true; ENABLE_AUTO_REGISTRATION = true;
SECRET_KEY = hmConfig.sops.placeholder."gitea/secretKey"; USERNAME = "preferred_username";
INTERNAL_TOKEN = hmConfig.sops.placeholder."gitea/internalToken"; };
};
metrics = { repository = {
ENABLED = true; ENABLE_PUSH_CREATE_USER = true;
}; };
};
}
);
authelia-gitea.content = builtins.readFile ( database = {
(pkgs.formats.yaml { }).generate "gitea.yaml" { DB_TYPE = "postgres";
identity_providers.oidc = { HOST = "gitea-postgresql:5432";
authorization_policies.gitea = { NAME = "gitea";
default_policy = "deny"; USER = "gitea";
rules = [ PASSWD = hmConfig.sops.placeholder."gitea/postgresql";
};
mailer = {
ENABLE = true;
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "smtp.protonmail.ch";
SMTP_PORT = 587;
USER = "jupiter@karaolidis.com";
PASSWD = hmConfig.sops.placeholder."gitea/smtp";
FROM = "jupiter@karaolidis.com";
};
security = {
INSTALL_LOCK = true;
SECRET_KEY = hmConfig.sops.placeholder."gitea/secretKey";
INTERNAL_TOKEN = hmConfig.sops.placeholder."gitea/internalToken";
};
metrics = {
ENABLED = true;
};
};
}
);
authelia-gitea.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "gitea.yaml" {
identity_providers.oidc = {
authorization_policies.gitea = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:gitea";
}
];
};
clients = [
{ {
policy = "one_factor"; client_id = autheliaClientId;
subject = "group:gitea"; client_name = "Gitea";
client_secret = hmConfig.sops.placeholder."gitea/authelia/digest";
redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ];
authorization_policy = "gitea";
} }
]; ];
}; };
}
clients = [ );
{ };
client_id = autheliaClientId;
client_name = "Gitea";
client_secret = hmConfig.sops.placeholder."gitea/authelia/digest";
redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ];
authorization_policy = "gitea";
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.gitea.networkConfig.internal = true;
volumes = {
gitea-postgresql = { };
# TODO: Move LFS to mass storage
gitea = { };
}; };
containers = { virtualisation.quadlet = {
gitea = networks.gitea.networkConfig.internal = true;
let
entrypoint = pkgs.writeTextFile {
name = "entrypoint.sh";
executable = true;
text = builtins.readFile ./entrypoint.sh;
};
in
{
containerConfig = {
image = "docker-archive:${selfPkgs.docker-gitea}";
networks = [
networks.gitea.ref
networks.traefik.ref
];
volumes = [
"${volumes.gitea.ref}:/var/lib/gitea/data"
"${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro"
"${entrypoint}:/entrypoint.sh:ro"
];
environments.GITEA_OAUTH_KEY = autheliaClientId;
environmentFiles = [ hmConfig.sops.templates.gitea-env.path ];
entrypoint = "/entrypoint.sh";
labels = [
"traefik.enable=true"
"traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)"
];
};
unitConfig.After = [ volumes = {
"${containers.gitea-postgresql._serviceName}.service" gitea-postgresql = { };
"sops-nix.service" # TODO: Move LFS to mass storage
]; gitea = { };
};
gitea-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.gitea.ref ];
volumes = [ "${volumes.gitea-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "gitea";
POSTGRES_USER = "gitea";
};
environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
}; };
authelia-init.containerConfig.volumes = [ containers = {
"${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro" gitea =
]; let
entrypoint = pkgs.writeTextFile {
name = "entrypoint.sh";
executable = true;
text = builtins.readFile ./entrypoint.sh;
};
in
{
containerConfig = {
image = "docker-archive:${selfPkgs.docker-gitea}";
networks = [
networks.gitea.ref
networks.traefik.ref
];
volumes = [
"${volumes.gitea.ref}:/var/lib/gitea/data"
"${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro"
"${entrypoint}:/entrypoint.sh:ro"
];
environments.GITEA_OAUTH_KEY = autheliaClientId;
environmentFiles = [ hmConfig.sops.templates.gitea-env.path ];
entrypoint = "/entrypoint.sh";
labels = [
"traefik.enable=true"
"traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)"
];
};
unitConfig.After = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
};
gitea-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.gitea.ref ];
volumes = [ "${volumes.gitea-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "gitea";
POSTGRES_USER = "gitea";
};
environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro"
];
};
}; };
}; };
};
} }
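Review bot: The `metrics = { ENABLED = true; }` section of app.ini sets no `TOKEN`, so Gitea's `/metrics` endpoint is served without authentication, and because the Traefik router rule is only `Host(\`git.karaolidis.com\`)` with no path restriction it is reachable from the internet, exposing repository/user counts and Go runtime details to anyone. I would add a `TOKEN` under `metrics` sourced from sops like the other secrets in this file and have the Prometheus scrape job send it as a bearer token, or exclude `/metrics` at the router. Separately, `I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true` deserves a one-line comment such as `# root inside this rootless (home-manager) container maps to ${user} on the host`, since as written it reads as a real privilege grant; whether the container is in fact rootless is inferred from its placement under `home-manager.users`, so confirm before wording the comment that way. The surrounding NixOS module begins before this hunk.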


@@ -3,14 +3,14 @@
mkdir -p /tmp mkdir -p /tmp
PIPE=$(mktemp -u) PIPE=$(mktemp -u)
mkfifo "$PIPE" mkfifo "$PIPE"
trap 'rm -f "$PIPE"' EXIT
ntfy serve > "$PIPE" 2>&1 & ntfy serve > "$PIPE" 2>&1 &
pid=$! PID=$!
grep -q "INFO Listening on :80\[http\]" < "$PIPE" grep -q "INFO Listening on :80\[http\]" < "$PIPE"
kill "$pid" kill "$PID"
wait "$pid" || true wait "$PID" || true
rm -f "$PIPE"
export NTFY_PASSWORD="$NTFY_ADMIN_PASSWORD" export NTFY_PASSWORD="$NTFY_ADMIN_PASSWORD"
ntfy user add "$NTFY_ADMIN_USER" || true ntfy user add "$NTFY_ADMIN_USER" || true
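Review bot: The new `trap 'rm -f "$PIPE"' EXIT` is installed before `ntfy serve` is backgrounded, so if the script dies while `grep -q` is still waiting for the "Listening" line (for example ntfy prints something else and stays up, which blocks grep indefinitely) the fifo is removed but the serve process is orphaned and keeps listening on :80 with no supervisor. Moving the trap after `PID=$!` and extending it, `trap 'kill "$PID" 2>/dev/null; rm -f "$PIPE"' EXIT`, reaps the child as well. A bounded wait around the grep (a `timeout` if the image ships it) would turn the indefinite hang into a failed unit rather than a stuck entrypoint; I cannot see the image contents, so that part is a suggestion to check. The top of the script is outside this hunk.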


@@ -14,11 +14,11 @@ let
selfPkgs = inputs.self.packages.${system}; selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
jupiterVpsConfig = inputs.self.nixosConfigurations.jupiter-vps.config; jupiterVpsConfig = inputs.self.nixosConfigurations.jupiter-vps.config;
inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
in in
{ {
boot.kernelParams = [ "psi=1" ]; boot.kernelParams = [ "psi=1" ];
# TODO: Secure with unix sockets
# The below containers all need to run as root to collect host metrics. # The below containers all need to run as root to collect host metrics.
virtualisation.quadlet.containers = { virtualisation.quadlet.containers = {
prometheus-node-exporter.containerConfig = { prometheus-node-exporter.containerConfig = {
@@ -78,233 +78,237 @@ in
}; };
}; };
home-manager.users.${user} = { home-manager.users.${user} =
virtualisation.quadlet = { let
networks = { inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
prometheus.networkConfig.internal = true; in
prometheus-ext = { }; {
}; virtualisation.quadlet = {
networks = {
volumes = { prometheus.networkConfig.internal = true;
prometheus-data = { }; prometheus-ext = { };
prometheus-config = { };
};
containers = {
prometheus-node-exporter.containerConfig = {
image = "docker-archive:${selfPkgs.docker-prometheus-node-exporter}";
networks = [ networks.prometheus.ref ];
volumes =
let
uid = builtins.toString config.users.users.${user}.uid;
in
[ "/run/user/${uid}/bus:/var/run/dbus/system_bus_socket:ro" ];
exec = [
"--log.level=warn"
"--path.rootfs=/host"
"--collector.disable-defaults"
"--collector.systemd"
];
}; };
prometheus-podman-exporter.containerConfig = { volumes = {
image = "docker-archive:${selfPkgs.docker-prometheus-podman-exporter}"; prometheus-data = { };
networks = [ networks.prometheus.ref ]; prometheus-config = { };
volumes =
let
uid = builtins.toString config.users.users.${user}.uid;
in
[ "/run/user/${uid}/podman/podman.sock:/run/podman/podman.sock:ro" ];
exec = [ "--collector.enable-all" ];
}; };
prometheus-init = containers = {
let prometheus-node-exporter.containerConfig = {
prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yaml" { image = "docker-archive:${selfPkgs.docker-prometheus-node-exporter}";
global.scrape_interval = "15s"; networks = [ networks.prometheus.ref ];
volumes =
scrape_configs = let
let uid = builtins.toString config.users.users.${user}.uid;
hostname = config.networking.hostName; in
jupiterVpsHostname = jupiterVpsConfig.networking.hostName; [ "/run/user/${uid}/bus:/var/run/dbus/system_bus_socket:ro" ];
in
[
{
job_name = "${hostname}-node-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9100" ];
labels = {
app = "node-exporter";
user = "root";
inherit hostname;
};
}
{
targets = [ "prometheus-node-exporter:9100" ];
labels = {
app = "node-exporter";
inherit user hostname;
};
}
];
}
{
job_name = "${hostname}-podman-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9882" ];
labels = {
app = "podman-exporter";
user = "root";
inherit hostname;
};
}
{
targets = [ "prometheus-podman-exporter:9882" ];
labels = {
app = "podman-exporter";
inherit user hostname;
};
}
];
}
{
job_name = "${hostname}-fail2ban-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9191" ];
labels = {
app = "fail2ban-exporter";
user = "root";
inherit hostname;
};
}
];
}
{
job_name = "${hostname}-smartctl-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9633" ];
labels = {
app = "smartctl-exporter";
user = "root";
inherit hostname;
};
}
];
}
{
job_name = "${jupiterVpsHostname}-node-exporter";
static_configs = [
{
targets = [ "10.0.0.1:9100" ];
labels = {
app = "node-exporter";
user = "root";
hostname = jupiterVpsHostname;
};
}
];
}
{
job_name = "${jupiterVpsHostname}-podman-exporter";
static_configs = [
{
targets = [ "10.0.0.1:9882" ];
labels = {
app = "podman-exporter";
user = "root";
hostname = jupiterVpsHostname;
};
}
];
}
{
job_name = "${jupiterVpsHostname}-fail2ban-exporter";
static_configs = [
{
targets = [ "10.0.0.1:9191" ];
labels = {
app = "fail2ban-exporter";
user = "root";
hostname = jupiterVpsHostname;
};
}
];
}
];
};
in
{
containerConfig = {
image = "docker-archive:${selfPkgs.docker-yq}";
volumes = [
"${volumes.prometheus-config.ref}:/etc/prometheus"
"${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml"
];
entrypoint = "/bin/bash";
exec = [
"-c"
"yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/prometheus/conf.d/*.yaml > /etc/prometheus/prometheus.yaml"
];
};
serviceConfig = {
Type = "oneshot";
Restart = "on-failure";
};
};
prometheus = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-prometheus}";
volumes = [
"${volumes.prometheus-config.ref}:/etc/prometheus"
"${volumes.prometheus-data.ref}:/var/lib/prometheus"
];
networks = [
networks.grafana.ref
networks.prometheus.ref
# Access to root exporters
networks.prometheus-ext.ref
];
exec = [ exec = [
"--log.level=warn" "--log.level=warn"
"--config.file=/etc/prometheus/prometheus.yaml" "--path.rootfs=/host"
"--storage.tsdb.path=/var/lib/prometheus" "--collector.disable-defaults"
"--storage.tsdb.retention.time=1y" "--collector.systemd"
]; ];
}; };
unitConfig.After = [ "${containers.prometheus-init._serviceName}.service" ]; prometheus-podman-exporter.containerConfig = {
}; image = "docker-archive:${selfPkgs.docker-prometheus-podman-exporter}";
networks = [ networks.prometheus.ref ];
volumes =
let
uid = builtins.toString config.users.users.${user}.uid;
in
[ "/run/user/${uid}/podman/podman.sock:/run/podman/podman.sock:ro" ];
exec = [ "--collector.enable-all" ];
};
grafana.containerConfig.volumes = prometheus-init =
let let
datasource = (pkgs.formats.yaml { }).generate "prometheus.yaml" { prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yaml" {
apiVersion = 1; global.scrape_interval = "15s";
datasources = [ scrape_configs =
{ let
name = "Prometheus"; hostname = config.networking.hostName;
type = "prometheus"; jupiterVpsHostname = jupiterVpsConfig.networking.hostName;
access = "proxy"; in
url = "http://prometheus:9090"; [
uid = "prometheus"; {
jsonData = { job_name = "${hostname}-node-exporter";
httpMethod = "POST"; static_configs = [
manageAlerts = true; {
prometheusType = "Prometheus"; targets = [ "host.containers.internal:9100" ];
prometheusVersion = lib.strings.getVersion pkgs.prometheus; labels = {
}; app = "node-exporter";
} user = "root";
inherit hostname;
};
}
{
targets = [ "prometheus-node-exporter:9100" ];
labels = {
app = "node-exporter";
inherit user hostname;
};
}
];
}
{
job_name = "${hostname}-podman-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9882" ];
labels = {
app = "podman-exporter";
user = "root";
inherit hostname;
};
}
{
targets = [ "prometheus-podman-exporter:9882" ];
labels = {
app = "podman-exporter";
inherit user hostname;
};
}
];
}
{
job_name = "${hostname}-fail2ban-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9191" ];
labels = {
app = "fail2ban-exporter";
user = "root";
inherit hostname;
};
}
];
}
{
job_name = "${hostname}-smartctl-exporter";
static_configs = [
{
targets = [ "host.containers.internal:9633" ];
labels = {
app = "smartctl-exporter";
user = "root";
inherit hostname;
};
}
];
}
{
job_name = "${jupiterVpsHostname}-node-exporter";
static_configs = [
{
targets = [ "10.0.0.1:9100" ];
labels = {
app = "node-exporter";
user = "root";
hostname = jupiterVpsHostname;
};
}
];
}
{
job_name = "${jupiterVpsHostname}-podman-exporter";
static_configs = [
{
targets = [ "10.0.0.1:9882" ];
labels = {
app = "podman-exporter";
user = "root";
hostname = jupiterVpsHostname;
};
}
];
}
{
job_name = "${jupiterVpsHostname}-fail2ban-exporter";
static_configs = [
{
targets = [ "10.0.0.1:9191" ];
labels = {
app = "fail2ban-exporter";
user = "root";
hostname = jupiterVpsHostname;
};
}
];
}
];
};
in
{
containerConfig = {
image = "docker-archive:${selfPkgs.docker-yq}";
volumes = [
"${volumes.prometheus-config.ref}:/etc/prometheus"
"${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml"
];
entrypoint = "/bin/bash";
exec = [
"-c"
"yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/prometheus/conf.d/*.yaml > /etc/prometheus/prometheus.yaml"
];
};
serviceConfig = {
Type = "oneshot";
Restart = "on-failure";
};
};
prometheus = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-prometheus}";
volumes = [
"${volumes.prometheus-config.ref}:/etc/prometheus"
"${volumes.prometheus-data.ref}:/var/lib/prometheus"
];
networks = [
networks.grafana.ref
networks.prometheus.ref
# Access to root exporters
networks.prometheus-ext.ref
];
exec = [
"--log.level=warn"
"--config.file=/etc/prometheus/prometheus.yaml"
"--storage.tsdb.path=/var/lib/prometheus"
"--storage.tsdb.retention.time=1y"
]; ];
}; };
in
[ "${datasource}:/etc/grafana/conf/provisioning/datasources/prometheus.yaml" ]; unitConfig.After = [ "${containers.prometheus-init._serviceName}.service" ];
};
grafana.containerConfig.volumes =
let
datasource = (pkgs.formats.yaml { }).generate "prometheus.yaml" {
apiVersion = 1;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://prometheus:9090";
uid = "prometheus";
jsonData = {
httpMethod = "POST";
manageAlerts = true;
prometheusType = "Prometheus";
prometheusVersion = lib.strings.getVersion pkgs.prometheus;
};
}
];
};
in
[ "${datasource}:/etc/grafana/conf/provisioning/datasources/prometheus.yaml" ];
};
}; };
}; };
};
} }
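Review bot: The `:ro` suffix on the `prometheus-podman-exporter` bind mount `/run/user/${uid}/podman/podman.sock:/run/podman/podman.sock:ro` only makes the mount point read-only; the socket still accepts the full podman API, so any process in that container can start containers with arbitrary host mounts and effectively run as `${user}` on the host. The same applies in kind to the session D-Bus socket mounted into `prometheus-node-exporter` for the systemd collector. I would record that explicitly next to the mount, e.g. `# ':ro' only affects the mount; the socket still grants full podman API access as ${user}`, so nobody later assumes the exporter is sandboxed. Note also that the old side removed the `# TODO: Secure with unix sockets` comment while the root exporters are still scraped over plain TCP (`host.containers.internal:9100` etc.); if that work is not done, the TODO should survive somewhere. The enclosing module starts before this hunk.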


@@ -37,7 +37,7 @@ in
virtualisation.quadlet = { virtualisation.quadlet = {
networks.traefik = { }; networks.traefik = { };
volumes.letsencrypt = { }; volumes.traefik = { };
containers = { containers = {
traefik = { traefik = {
@@ -53,9 +53,11 @@ in
in in
[ [
"/run/user/${uid}/podman/podman.sock:/var/run/docker.sock" "/run/user/${uid}/podman/podman.sock:/var/run/docker.sock"
"${volumes.letsencrypt.ref}:/letsencrypt" "${volumes.traefik.ref}:/var/lib/traefik"
]; ];
exec = [ exec = [
"--experimental.fastProxy"
"--api.dashboard=true" "--api.dashboard=true"
"--api.disabledashboardad=true" "--api.disabledashboardad=true"
@@ -86,7 +88,7 @@ in
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
"--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com" "--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com"
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" "--certificatesresolvers.letsencrypt.acme.storage=/var/lib/traefik/acme.json"
"--metrics.prometheus=true" "--metrics.prometheus=true"
]; ];
@@ -178,7 +180,7 @@ in
}; };
Install = { Install = {
WantedBy = [ "sockets.target" ]; WantedBy = [ "default.target" ];
}; };
}; };
@@ -190,7 +192,7 @@ in
}; };
Install = { Install = {
WantedBy = [ "sockets.target" ]; WantedBy = [ "default.target" ];
}; };
}; };
}; };
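Review bot: `--experimental.fastProxy` is added to the edge proxy that fronts every service here, including the OIDC/forward-auth path, with no note on why it is safe to enable; as I read Traefik's docs the fast proxy is flagged experimental and does not implement every feature of the default proxy, so header handling and upgrade/HTTP/2 behaviour towards backends may differ. I would either hold it back or document the validation done, e.g. `# experimental; verified forward-auth headers and websocket upgrades still pass (Traefik <version>)` with the real version filled in. The acme.json move to `/var/lib/traefik/acme.json` is fine as long as the new `traefik` volume keeps the file at mode 0600, which Traefik enforces itself; the hunk does not show the volume's ownership, so confirm after the first start. The unit definitions around the `WantedBy` changes begin outside these hunks.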


@@ -26,7 +26,7 @@ pkgs.dockerTools.buildImage {
}; };
runAsRoot = '' runAsRoot = ''
mkdir -p /var/lib/mysql /run/mysqld mkdir -p /run/mysqld
''; '';
config = { config = {


@@ -13,7 +13,7 @@ if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then
mariadb-install-db --datadir="$DATADIR" --skip-test-db mariadb-install-db --datadir="$DATADIR" --skip-test-db
mariadbd --user=root --datadir="$DATADIR" --skip-networking --skip-grant-tables & mariadbd --user=root --datadir="$DATADIR" --skip-networking --skip-grant-tables &
pid="$!" PID="$!"
while ! mariadb --protocol=socket -e " while ! mariadb --protocol=socket -e "
FLUSH PRIVILEGES; FLUSH PRIVILEGES;
@@ -28,12 +28,12 @@ if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then
sleep 0.1 sleep 0.1
done done
kill -QUIT "$pid" kill -QUIT "$PID"
wait "$pid" || true wait "$PID" || true
fi fi
trap 'kill -QUIT "$pid"' INT trap 'kill -QUIT "$PID"' INT
mariadbd --user=root --datadir="$DATADIR" "$@" & mariadbd --user=root --datadir="$DATADIR" "$@" &
pid=$! PID=$!
wait "$pid" wait "$PID"
exit $? exit $?
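Review bot: The `trap 'kill -QUIT "$PID"' INT` line only forwards SIGINT, but a `podman stop` delivers SIGTERM to this shell, which then exits from `wait` without signalling mariadbd; the server is left to be SIGKILLed at the stop timeout and has to crash-recover on the next start. Adding TERM to the trap, `trap 'kill -QUIT "$PID"' INT TERM`, gives it the clean shutdown path on both signals. The `--skip-grant-tables` bootstrap instance is paired with `--skip-networking`, so it is only reachable over the socket inside the container, which is the usual pattern; a short comment saying so would save the next reader a double-take. The `while ! mariadb ...` loop body continues outside the hunk.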


@@ -65,20 +65,20 @@ cron
PHPRC="$(dirname "$(readlink -f "$(which php)")")/../lib/php.ini" PHPRC="$(dirname "$(readlink -f "$(which php)")")/../lib/php.ini"
export PHPRC export PHPRC
pidfile=$(mktemp) PIDFILE=$(mktemp)
# shellcheck disable=SC2016 # shellcheck disable=SC2016
setsid sh -c ' setsid sh -c '
echo "$$" > "$1" echo "$$" > "$1"
shift shift
exec httpd "$@" exec httpd "$@"
' _ "$pidfile" "$@" & ' _ "$PIDFILE" "$@" &
until [ -s "$pidfile" ]; do sleep 0.01; done until [ -s "$PIDFILE" ]; do sleep 0.01; done
pid=$(cat "$pidfile") PID=$(cat "$PIDFILE")
rm "$pidfile" rm "$PIDFILE"
trap 'kill -INT "$pid"' INT trap 'kill -INT "$PID"' INT
wait "$pid" wait "$PID"
exit $? exit $?
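Review bot: `trap 'kill -INT "$PID"' INT` does not cover SIGTERM, and because httpd is started under `setsid` in its own session it will not receive a signal aimed at the shell's process group either; on `podman stop` the shell exits and httpd is left to be killed forcibly at the timeout. Widening the trap to `trap 'kill -INT "$PID"' INT TERM` closes that gap. The `PIDFILE=$(mktemp)` hand-off is fine, but the `until [ -s "$PIDFILE" ]` loop spins forever if the `setsid sh -c` wrapper fails before writing its pid; a bounded retry count would make that failure visible. The `cron` start and the beginning of the script are outside this hunk.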


@@ -30,7 +30,7 @@ pkgs.dockerTools.buildImage {
runAsRoot = '' runAsRoot = ''
${pkgs.dockerTools.shadowSetup} ${pkgs.dockerTools.shadowSetup}
mkdir -p /etc/postgresql /var/lib/postgresql /run/postgresql mkdir -p /etc/postgresql /run/postgresql
cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf
${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf ${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf
''; '';


@@ -21,7 +21,6 @@ mkfifo "$LOG_PIPE"
fi fi
done < "$LOG_PIPE" done < "$LOG_PIPE"
) & ) &
LOG_PID=$!
if [ ! -s "$PGDATA/PG_VERSION" ]; then if [ ! -s "$PGDATA/PG_VERSION" ]; then
tmpfile=$(mktemp) tmpfile=$(mktemp)
@@ -42,5 +41,4 @@ if [ ! -s "$PGDATA/PG_VERSION" ]; then
pg_ctl -m fast -w stop pg_ctl -m fast -w stop
fi fi
trap 'kill $LOG_PID' EXIT
exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1 exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1


@@ -16,8 +16,5 @@ mkfifo "$LOG_PIPE"
fi fi
done < "$LOG_PIPE" done < "$LOG_PIPE"
) & ) &
LOG_PID=$!
trap 'kill $LOG_PID' EXIT
exec prometheus-fail2ban-exporter "$@" > "$LOG_PIPE" 2>&1 exec prometheus-fail2ban-exporter "$@" > "$LOG_PIPE" 2>&1


@@ -16,8 +16,5 @@ mkfifo "$LOG_PIPE"
fi fi
done < "$LOG_PIPE" done < "$LOG_PIPE"
) & ) &
LOG_PID=$!
trap 'kill $LOG_PID' EXIT
exec prometheus-podman-exporter "$@" > "$LOG_PIPE" 2>&1 exec prometheus-podman-exporter "$@" > "$LOG_PIPE" 2>&1