Add other services

This commit is contained in:
Théo Barnouin 2024-09-09 15:19:57 +02:00
parent 0bbb49efee
commit ff8a4d23a9
10 changed files with 377 additions and 7 deletions

View file

@ -13,17 +13,18 @@
outputs = inputs@{ self, nixpkgs, home-manager, microvm, ... }: outputs = inputs@{ self, nixpkgs, home-manager, microvm, ... }:
let let
hostName = "nixos";
system = "x86_64-linux"; system = "x86_64-linux";
username = "tbarnouin"; username = "tbarnouin";
in in
{ {
nixosConfigurations = { nixosConfigurations = {
nixos = nixpkgs.lib.nixosSystem { ${hostName} = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
./configuration.nix ./configuration.nix
{ {
networking.hostName = "nixos"; networking.hostName = hostName;
} }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {

View file

@ -0,0 +1,14 @@
{ inputs, config, lib, authentik-nix, ... }:
let
cfg = config.services.vm_authentik;
in
{
options.services.vm_authentik = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
networking = {
firewall.allowedTCPPorts = [ 9000 9300 9443 ];
};
};
}

View file

@ -2,6 +2,13 @@
{ {
imports = [ imports = [
./nginx ./nginx
./gitea
./redis
./jellyfin
./nextcloud
./grafana
./authentik
./postgresql
./minimalConfig ./minimalConfig
]; ];
} }

View file

@ -0,0 +1,32 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vm_gitea;
in
{
options.services.vm_gitea = {
enable = lib.mkEnableOption "Enable minimal config";
db_ip = lib.mkOption {
type = lib.types.str;
description = "Gitea database IP address";
};
};
config = lib.mkIf cfg.enable {
services.gitea = {
enable = true;
user = "tbarnouin";
settings = {
server.HTTP_PORT = 3000;
server.ROOT_URL = "http://${config.services.vm.vm_ip}/";
service.DISABLE_REGISTRATION = true;
};
database = {
createDatabase = false;
type = "postgres";
host = "${cfg.db_ip}";
user = "gitea";
passwordFile = "/run/secrets/gitea/gitea-dbpass";
};
};
networking.firewall.allowedTCPPorts = [ 3000 ];
};
}

View file

@ -0,0 +1,151 @@
{ lib, config, pkgs, ... }:
let
cfg = config.services.vm_grafana;
in
{
options.services.vm_grafana = {
enable = lib.mkEnableOption "Enable minimal config";
proxy_ip = lib.mkOption {
type = lib.types.str;
description = "The Nginx proxy IP address";
};
};
config = lib.mkIf cfg.enable {
services.rsyslogd.enable = true;
services.grafana = {
enable = true;
settings = {
server = {
protocol = "http";
http_addr = "${config.services.vm.vm_ip}";
http_port = 3000;
domain = "logs.le43.eu";
root_url = "https://logs.le43.eu";
serve_from_sub_path = false;
};
};
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "grafana";
static_configs = [{
targets = [ "127.0.0.1:9002" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "${cfg.proxy_ip}:9002" ];
}];
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 3100;
server.grpc_listen_port = 9096;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
allow_structured_metadata = false;
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 9095;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "localhost";
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}];
};
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 3000 3100 3101 9001 ];
};
}

View file

@ -0,0 +1,25 @@
{ lib, config, pkgs, ... }:
let
cfg = config.services.vm_jellyfin;
in
{
options.services.vm_jellyfin = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.cifs-utils ];
services.jellyfin = {
enable = true;
user = "tbarnouin";
openFirewall = true;
};
fileSystems."/mnt/media" = {
device = "192.168.1.125:/DATA";
fsType = "nfs";
options = [
"x-systemd.automount"
"noauto"
];
};
};
}

View file

@ -0,0 +1,78 @@
{ lib, config, pkgs, ... }:
let
cfg = config.services.vm_nextcloud;
in
{
options.services.vm_nextcloud = {
enable = lib.mkEnableOption "Enable minimal config";
proxy_ip = lib.mkOption {
type = lib.types.str;
description = "The Nginx proxy IP address";
};
db_ip = lib.mkOption {
type = lib.types.str;
description = "Gitea database IP address";
};
};
config = lib.mkIf cfg.enable {
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
'');
};
services = {
fail2ban = {
jails = {
nextcloud = ''
backend = auto
enabled = true
port = http,https
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /var/lib/nextcloud/data/nextcloud.log
'';
};
};
nextcloud = {
enable = true;
hostName = "${config.services.vm.vm_ip}";
home = "/var/lib/nextcloud";
maxUploadSize = "10240M";
caching.redis = true;
configureRedis = true;
database.createLocally = false;
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"opcache.memory_consumption" = "512";
};
settings = {
trusted_proxies = [ "${cfg.proxy_ip}" ];
trusted_domains = [ "${cfg.proxy_ip}" ];
overwriteprotocol = "http";
overwrite.cli.url = "http://${cfg.proxy_ip}/cloud/";
"overwritehost" = "${cfg.proxy_ip}";
"overwritewebroot" = "/cloud";
htaccess.RewriteBase = "/cloud";
log_type = "file";
};
config = {
dbhost = "${cfg.db_ip}:5432";
dbname = "nextcloud";
dbuser = "nextcloud";
dbtype = "pgsql";
dbpassFile = "/run/secrets/nextcloud/nextcloud-dbpass";
adminuser = "tbarnouin";
adminpassFile = "/run/secrets/nextcloud/nextcloud-adminpass";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
}

View file

@ -0,0 +1,39 @@
{ lib, config, pkgs, ... }:
let
cfg = config.services.vm_postgresql;
in
{
options.services.vm_postgresql = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
services.postgresql = {
enable = true;
enableTCPIP = true;
settings.port = 5432;
ensureDatabases = [ "gitea" "nextcloud" ];
ensureUsers = [
{
name = "gitea";
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database user origin-address auth-method
# IPv4 local connections:
local all all trust
host gitea gitea 192.168.122.3/24 trust
host nextcloud nextcloud 192.168.122.7/24 trust
'';
initialScript = pkgs.writeText "init-sql-script" ''
alter user gitea with password 'gitea';
alter user nextcloud with password 'nextcloud';
'';
};
networking.firewall.allowedTCPPorts = [ 5432 ];
};
}

View file

@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vm_redis;
in
{
options.services.vm_redis = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
services.redis = {
vmOverCommit = true;
servers.redis = {
enable = true;
port = 6379;
bind = "0.0.0.0";
settings = {
protected-mode = "no";
};
};
};
networking.firewall.allowedTCPPorts = [ 6379 ];
};
}

View file

@ -68,8 +68,8 @@ in
matchConfig.Type = "ether"; matchConfig.Type = "ether";
networkConfig = { networkConfig = {
Address = ["${cfg.vm_ip}/24"]; Address = ["${cfg.vm_ip}/24"];
Gateway = "192.168.122.1"; Gateway = "192.168.1.254";
DNS = ["192.168.122.1"]; DNS = ["192.168.1.254"];
IPv6AcceptRA = true; IPv6AcceptRA = true;
DHCP = "no"; DHCP = "no";
}; };