From ab3c57c29edac1e6987fa7659655552667963d6d Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Sun, 3 Mar 2024 20:05:50 +0500 Subject: [PATCH 01/10] feat: add grafana --- nixos/configuration.nix | 2 ++ nixos/programs/grafana.nix | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 nixos/programs/grafana.nix diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 901b05b..3e5734b 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -26,6 +26,8 @@ ./programs/deluge.nix ./programs/prosody.nix ./programs/yggdrasil.nix + + ./programs/grafana.nix ]; nix = { diff --git a/nixos/programs/grafana.nix b/nixos/programs/grafana.nix new file mode 100644 index 0000000..a6f2354 --- /dev/null +++ b/nixos/programs/grafana.nix @@ -0,0 +1,21 @@ +{ config, ... }: { + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 55010; + domain = "grafana.comfycamp.space"; + }; + }; + }; + + services.nginx.virtualHosts."grafana.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:55010"; + proxyWebsockets = true; + }; + }; +} From 84b4c2b0a7ee02b6e4baf8bff228c09501413dfe Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Sun, 3 Mar 2024 20:36:56 +0500 Subject: [PATCH 02/10] chore: migrate grafana to postgres database --- nixos/programs/grafana.nix | 6 ++++++ nixos/programs/postgres.nix | 10 +++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/nixos/programs/grafana.nix b/nixos/programs/grafana.nix index a6f2354..c5b3c18 100644 --- a/nixos/programs/grafana.nix +++ b/nixos/programs/grafana.nix @@ -7,6 +7,12 @@ http_port = 55010; domain = "grafana.comfycamp.space"; }; + database = { + user = "grafana"; + type = "postgres"; + name = "grafana"; + host = "/var/run/postgresql"; + }; }; }; diff --git a/nixos/programs/postgres.nix b/nixos/programs/postgres.nix index 63eef59..6234c5a 100644 
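Review bot: The new `services.grafana` block leaves `settings.security.admin_password` and `settings.security.secret_key` unset, so unless they are set in a file outside this diff the NixOS module defaults apply and Grafana on grafana.comfycamp.space starts with the default admin credentials and, as I recall, the well-known default `secret_key` that encrypts stored data-source credentials (the module warns about both at evaluation time). Both settings accept Grafana's file-reference syntax, so they can be kept out of the store: `settings.security.admin_password = "$__file{/var/lib/secrets/grafana/admin-password}";` and `settings.security.secret_key = "$__file{/var/lib/secrets/grafana/secret-key}";` (placeholder paths, following the `/var/lib/secrets/...` convention this repo uses for freshrss and synapse). Binding `http_addr` to 127.0.0.1 behind the TLS-terminating vhost is the right shape and needs no change.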
--- a/nixos/programs/postgres.nix +++ b/nixos/programs/postgres.nix @@ -3,7 +3,7 @@ config.services.postgresql = { enable = true; package = pkgs.postgresql_15; - ensureDatabases = [ "mastodon" "matrix-synapse" "nextcloud" "maddy" "plausible" "microboard" "freshrss" "prosody" ]; + ensureDatabases = [ "mastodon" "matrix-synapse" "nextcloud" "maddy" "plausible" "microboard" "freshrss" "prosody" "grafana" ]; ensureUsers = [ { name = "mastodon"; @@ -61,6 +61,13 @@ }; ensureClauses.login = true; } + { + name = "grafana"; + ensurePermissions = { + "DATABASE grafana" = "ALL PRIVILEGES"; + }; + ensureClauses.login = true; + } ]; initialScript = pkgs.writeText "pg-init.sql" '' ALTER DATABASE nextcloud OWNER TO nextcloud; @@ -71,6 +78,7 @@ ALTER DATABASE microboard OWNER TO microboard; ALTER DATABASE freshrss OWNER TO freshrss; ALTER DATABASE prosody OWNER TO prosody; + ALTER DATABASE grafana OWNER TO grafana; ''; identMap = '' # ArbitraryMapName systemUser DBUser From e26d4f9722453ca8e282abcb48179ff6b110825b Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Mon, 4 Mar 2024 19:35:42 +0500 Subject: [PATCH 03/10] feat: enable nginx access log --- nixos/programs/nginx.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nixos/programs/nginx.nix b/nixos/programs/nginx.nix index c7b6852..a680b3c 100644 --- a/nixos/programs/nginx.nix +++ b/nixos/programs/nginx.nix @@ -16,6 +16,15 @@ in { recommendedGzipSettings = true; recommendedProxySettings = true; + appendHttpConfig = '' + map $status $loggable { + ~^[23] 0; + default 1; + } + + access_log /var/log/nginx/access.log combined if=$loggable; + ''; + commonHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged From 2e511cc4de2e3daed907ad28c0182d21e718e3c0 Mon Sep 17 00:00:00 2001 
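Review bot: The `access_log /var/log/nginx/access.log combined if=$loggable;` added to `appendHttpConfig` sits at the same http level as the `access_log off;` that `commonHttpConfig` still contains (it appears as a removed line in the next commit of this series), and as I read nginx's log module an `off` at a level suppresses logging for that level regardless of sibling `access_log` directives, so this commit on its own likely produces no access log. The following refactor drops the `off` line and moves the map into `commonHttpConfig`, which resolves it; for bisectability the removal of `access_log off;` belongs in this commit. The `map` excludes only 2xx/3xx, so 1xx responses are logged as well, which is probably intended but worth stating: `# Log everything except 2xx/3xx responses.`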
From: Ivan Reshetnikov Date: Mon, 4 Mar 2024 19:59:16 +0500 Subject: [PATCH 04/10] refactor: simplify nginx config --- nixos/programs/comfycamp.nix | 14 +++ nixos/programs/freshrss.nix | 5 + nixos/programs/jellyfin.nix | 11 +++ nixos/programs/maddy.nix | 6 ++ nixos/programs/mastodon.nix | 27 ++++++ nixos/programs/microboard.nix | 10 ++ nixos/programs/nextcloud.nix | 5 + nixos/programs/nginx.nix | 170 ++-------------------------------- nixos/programs/phoenix.nix | 6 ++ nixos/programs/photoprism.nix | 11 +++ nixos/programs/synapse.nix | 37 +++++++- 11 files changed, 139 insertions(+), 163 deletions(-) diff --git a/nixos/programs/comfycamp.nix b/nixos/programs/comfycamp.nix index f53764e..2ca9f78 100644 --- a/nixos/programs/comfycamp.nix +++ b/nixos/programs/comfycamp.nix @@ -5,4 +5,18 @@ image = "ghcr.io/ordinary-dev/comfycamp:v0.6.0"; ports = ["55007:80"]; }; + + services.nginx.virtualHosts."[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = { + locations = { + "/".proxyPass = "http://127.0.0.1:55007"; + }; + }; + + services.nginx.virtualHosts."comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations = { + "/".proxyPass = "http://127.0.0.1:55007"; + }; + }; } diff --git a/nixos/programs/freshrss.nix b/nixos/programs/freshrss.nix index fa8ae3b..50c596f 100644 --- a/nixos/programs/freshrss.nix +++ b/nixos/programs/freshrss.nix @@ -13,4 +13,9 @@ passwordFile = "/var/lib/secrets/freshrss/password.txt"; virtualHost = "freshrss.comfycamp.space"; }; + + services.nginx.virtualHosts."freshrss.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + }; } diff --git a/nixos/programs/jellyfin.nix b/nixos/programs/jellyfin.nix index 7db3a10..5841eac 100644 --- a/nixos/programs/jellyfin.nix +++ b/nixos/programs/jellyfin.nix 
@@ -3,4 +3,15 @@ services.jellyfin = { enable = true; }; + + services.nginx.virtualHosts."jf.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8096"; + proxyWebsockets = true; + }; + }; + }; } diff --git a/nixos/programs/maddy.nix b/nixos/programs/maddy.nix index dcaf89b..af20ae4 100644 --- a/nixos/programs/maddy.nix +++ b/nixos/programs/maddy.nix @@ -25,4 +25,10 @@ "driver postgres" ] options.services.maddy.config.default; }; + + services.nginx.virtualHosts."mta-sts.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + root = "/var/lib/mta-sts"; + }; } diff --git a/nixos/programs/mastodon.nix b/nixos/programs/mastodon.nix index 8e7050e..b6dcbf8 100644 --- a/nixos/programs/mastodon.nix +++ b/nixos/programs/mastodon.nix @@ -78,4 +78,31 @@ systemd.services.mastodon-sidekiq-all = { serviceConfig.ReadWritePaths = "/hdd/mastodon-public-system"; }; + + services.nginx.virtualHosts."m.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + + root = "${config.services.mastodon.package}/public/"; + + locations = { + "/system/" = { + alias = "/var/lib/mastodon/public-system/"; + }; + + "/" = { + tryFiles = "$uri @proxy"; + }; + + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + }; } diff --git a/nixos/programs/microboard.nix b/nixos/programs/microboard.nix index bd0094f..3909c50 100644 --- a/nixos/programs/microboard.nix +++ b/nixos/programs/microboard.nix @@ -15,4 +15,14 @@ in "/run/postgresql:/run/postgresql" ]; }; + + services.nginx.virtualHosts."0ch.space" = { + useACMEHost = "0ch.space"; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:55006"; + }; + }; + }; } 
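Review bot: The `m.comfycamp.space` vhost proxies `/` and `@proxy` to the Mastodon web socket without a `client_max_body_size`, so with nginx's 1m default any media upload above that size is rejected with 413 before it reaches Mastodon, unless the limit is set in the part of nginx.nix's `commonHttpConfig` that is not in this diff. Mastodon's reference nginx config sets `client_max_body_size 99m;`; on this vhost that is `extraConfig = "client_max_body_size 99m;";`. The same applies to the `/_matrix` location in this commit's synapse.nix hunk, where Synapse's own `max_upload_size` should be the effective limit rather than nginx's default.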
diff --git a/nixos/programs/nextcloud.nix b/nixos/programs/nextcloud.nix index 4332d17..ada45ea 100644 --- a/nixos/programs/nextcloud.nix +++ b/nixos/programs/nextcloud.nix @@ -20,4 +20,9 @@ createLocally = false; }; }; + + services.nginx.virtualHosts."nc.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + }; } diff --git a/nixos/programs/nginx.nix b/nixos/programs/nginx.nix index a680b3c..ebffa33 100644 --- a/nixos/programs/nginx.nix +++ b/nixos/programs/nginx.nix @@ -1,14 +1,4 @@ -{ config, ... }: -let - # Required stuff for synapse - clientConfig."m.homeserver".base_url = "https://matrix.comfycamp.space"; - serverConfig."m.server" = "matrix.comfycamp.space:443"; - mkWellKnown = data: '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON data}'; - ''; -in { +{ config, ... }: { services.nginx = { enable = true; recommendedTlsSettings = true; @@ -16,15 +6,6 @@ in { recommendedGzipSettings = true; recommendedProxySettings = true; - appendHttpConfig = '' - map $status $loggable { - ~^[23] 0; - default 1; - } - - access_log /var/log/nginx/access.log combined if=$loggable; - ''; - commonHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged 
@@ -32,149 +13,14 @@ in { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; - access_log off; - ''; - - virtualHosts = { - "[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = { - locations = { - "/".proxyPass = "http://127.0.0.1:55007"; - }; - }; - - "comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - locations = { - "/".proxyPass = "http://127.0.0.1:55007"; - # This section is not needed if the server_name of matrix-synapse is equal to - # the domain (i.e. example.org from @foo:example.org) and the federation port - # is 8448. - # Further reference can be found in the docs about delegation under - # https://matrix-org.github.io/synapse/latest/delegate.html - "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; - # This is usually needed for homeserver discovery (from e.g. other Matrix clients). - # Further reference can be found in the upstream docs at - # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient - "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; - }; - }; - - # Phoenix - "ph.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - locations."/".proxyPass = "http://127.0.0.1:55009"; - }; - - # Nextcloud - "nc.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - }; - - # Jellyfin - "jf.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8096"; - proxyWebsockets = true; - }; - }; - }; - - # Plausible - "plausible.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:55005"; - }; - }; - }; - # Microboard - "0ch.space" = { - useACMEHost = "0ch.space"; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:55006"; - }; - }; - }; - - # Mail: MTA-STS - "mta-sts.comfycamp.space" = { - useACMEHost = 
"comfycamp.space"; - forceSSL = true; - root = "/var/lib/mta-sts"; - }; - - "matrix.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - locations = { - "/".extraConfig = '' - return 404; - ''; - # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash - # *must not* be used here. - "/_matrix".proxyPass = "http://127.0.0.1:8008"; - # Forward requests for e.g. SSO and password-resets. - "/_synapse/client".proxyPass = "http://127.0.0.1:8008"; - }; - }; - - # Photoprism - "pp.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:55004"; - proxyWebsockets = true; - }; - }; - }; - - # Freshrss - "freshrss.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - }; - - # Mastodon - "m.comfycamp.space" = { - useACMEHost = "comfycamp.space"; - forceSSL = true; - - root = "${config.services.mastodon.package}/public/"; - - locations = { - "/system/" = { - alias = "/var/lib/mastodon/public-system/"; - }; - - "/" = { - tryFiles = "$uri @proxy"; - }; - - "@proxy" = { - proxyPass = "http://unix:/run/mastodon-web/web.socket"; - proxyWebsockets = true; - }; - - "/api/v1/streaming/" = { - proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; - proxyWebsockets = true; - }; - }; - }; - }; + # Log 4xx and 5xx errors. + map $status $loggable { + ~^[23] 0; + default 1; + } + access_log /var/log/nginx/access.log combined if=$loggable; + ''; }; users.users.nginx.extraGroups = [ "acme" ]; diff --git a/nixos/programs/phoenix.nix b/nixos/programs/phoenix.nix index dc9d55c..91e8713 100644 --- a/nixos/programs/phoenix.nix +++ b/nixos/programs/phoenix.nix @@ -12,4 +12,10 @@ "/var/lib/phoenix:/var/lib/phoenix" ]; }; + + services.nginx.virtualHosts."ph.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:55009"; + }; } 
diff --git a/nixos/programs/photoprism.nix b/nixos/programs/photoprism.nix index d1854ce..0a024e2 100644 --- a/nixos/programs/photoprism.nix +++ b/nixos/programs/photoprism.nix @@ -21,4 +21,15 @@ PHOTOPRISM_DETECT_NSFW = "false"; }; }; + + services.nginx.virtualHosts."pp.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:55004"; + proxyWebsockets = true; + }; + }; + }; } diff --git a/nixos/programs/synapse.nix b/nixos/programs/synapse.nix index 16f3d42..c95bd0f 100644 --- a/nixos/programs/synapse.nix +++ b/nixos/programs/synapse.nix @@ -1,5 +1,14 @@ { config, ... }: -{ +let + # Required stuff for synapse + clientConfig."m.homeserver".base_url = "https://matrix.comfycamp.space"; + serverConfig."m.server" = "matrix.comfycamp.space:443"; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in { services.matrix-synapse = { enable = true; settings = { 
@@ -31,4 +40,30 @@ "/var/lib/secrets/matrix-synapse/config.yml" ]; }; + + services.nginx.virtualHosts."matrix.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations = { + "/".extraConfig = '' + return 404; + ''; + # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash + # *must not* be used here. + "/_matrix".proxyPass = "http://127.0.0.1:8008"; + # Forward requests for e.g. SSO and password-resets. + "/_synapse/client".proxyPass = "http://127.0.0.1:8008"; + }; + }; + + # This section is not needed if the server_name of matrix-synapse is equal to + # the domain (i.e. example.org from @foo:example.org) and the federation port + # is 8448. + # Further reference can be found in the docs about delegation under + # https://matrix-org.github.io/synapse/latest/delegate.html + services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + # This is usually needed for homeserver discovery (from e.g. other Matrix clients). + # Further reference can be found in the upstream docs at + # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient + services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; } From 8215ffde8a2c2f6218ea8d41a49f86713d6e1a56 Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Mon, 4 Mar 2024 20:34:12 +0500 Subject: [PATCH 05/10] feat: add prometheus --- nixos/configuration.nix | 1 + nixos/programs/grafana.nix | 4 ++-- nixos/programs/prometheus.nix | 23 +++++++++++++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 nixos/programs/prometheus.nix diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 3e5734b..e9ddbb0 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -28,6 +28,7 @@ ./programs/yggdrasil.nix ./programs/grafana.nix + ./programs/prometheus.nix ]; nix = { 
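Review bot: The two `services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/*"` lines add locations to a vhost whose `useACMEHost`/`forceSSL` are declared in comfycamp.nix; Nix merges the attribute sets, but nothing here records that dependency, so dropping comfycamp.nix from the imports would leave these well-known endpoints served on a host with no TLS configured. A comment above the first line makes the contract visible: `# Merged into the apex vhost declared in comfycamp.nix, which provides useACMEHost/forceSSL.` Stylistically, both locations could be set in one `services.nginx.virtualHosts."comfycamp.space".locations = { ... };` block instead of two long attribute paths. The `Access-Control-Allow-Origin *` in `mkWellKnown` is what the Matrix spec recommends for well-known discovery, so it is fine here.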
diff --git a/nixos/programs/grafana.nix b/nixos/programs/grafana.nix index c5b3c18..3b25be2 100644 --- a/nixos/programs/grafana.nix +++ b/nixos/programs/grafana.nix @@ -16,11 +16,11 @@ }; }; - services.nginx.virtualHosts."grafana.comfycamp.space" = { + services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { useACMEHost = "comfycamp.space"; forceSSL = true; locations."/" = { - proxyPass = "http://127.0.0.1:55010"; + proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; proxyWebsockets = true; }; }; diff --git a/nixos/programs/prometheus.nix b/nixos/programs/prometheus.nix new file mode 100644 index 0000000..0d575a5 --- /dev/null +++ b/nixos/programs/prometheus.nix @@ -0,0 +1,23 @@ +{ config, ... }: { + services.prometheus = { + enable = true; + port = 55011; + + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 55012; + }; + }; + + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + ]; + }; +} From 5a355b163a7db457d5258c91fa1ee30a48d7f262 Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Mon, 4 Mar 2024 20:52:33 +0500 Subject: [PATCH 06/10] feat: synapse monitoring --- nixos/programs/prometheus.nix | 7 +++++++ nixos/programs/synapse.nix | 35 ++++++++++++++++++++++++----------- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/nixos/programs/prometheus.nix b/nixos/programs/prometheus.nix index 0d575a5..15fbfb7 100644 --- a/nixos/programs/prometheus.nix +++ b/nixos/programs/prometheus.nix @@ -18,6 +18,13 @@ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }]; } + { + job_name = "synapse"; + metrics_path = "/_synapse/metrics"; + static_configs = [{ + targets = [ "127.0.0.1:55013" ]; + }]; + } ]; }; } diff --git a/nixos/programs/synapse.nix b/nixos/programs/synapse.nix index c95bd0f..8dd0f02 100644 
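Review bot: Neither `services.prometheus` nor `exporters.node` sets a `listenAddress`, and the NixOS defaults for both are `0.0.0.0`, so the Prometheus HTTP API (unauthenticated, exposing everything it scrapes) and the node exporter listen on every interface, including the Yggdrasil one this config serves on elsewhere; only the firewall in the unseen networking.nix stands between them and the network. Since both are consumed only from this host, bind them to loopback: `listenAddress = "127.0.0.1";` under `services.prometheus` and `exporters.node.listenAddress = "127.0.0.1";`. The same gap applies to the `exporters.postgres` block added in patch 10 of this series.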
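Review bot: The synapse scrape target hardcodes `"127.0.0.1:55013"` while the same port is declared in synapse.nix's new metrics listener, so the two can drift silently; the node job just above already derives its target from `config.services.prometheus.exporters.node.port`. Either expose the metrics port from synapse.nix as a single shared value or, at minimum, add `# Must match the "metrics" listener port in programs/synapse.nix.` next to the target.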
--- a/nixos/programs/synapse.nix +++ b/nixos/programs/synapse.nix @@ -21,19 +21,32 @@ in { database = "matrix-synapse"; }; }; + enable_metrics = true; enable_registration = true; report_stats = true; - listeners = [{ - bind_addresses = [ "127.0.0.1" ]; - port = 8008; - type = "http"; - tls = false; - x_forwarded = true; - resources = [{ - names = [ "client" "federation" ]; - compress = false; - }]; - }]; + listeners = [ + { + bind_addresses = [ "127.0.0.1" ]; + port = 8008; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = false; + }]; + } + { + bind_addresses = [ "127.0.0.1" ]; + port = 55013; + type = "metrics"; + tls = false; + resources = [{ + names = [ "metrics" ]; + compress = false; + }]; + } + ]; signing_key_path = "/var/lib/matrix-synapse/matrix.comfycamp.space.signing.key"; }; extraConfigFiles = [ From 9c76c57d9ebec24a37ea56f63c5cbd01525e48d0 Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Tue, 5 Mar 2024 23:46:44 +0500 Subject: [PATCH 07/10] feat: update my website to v0.7.0 --- nixos/programs/comfycamp.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/programs/comfycamp.nix b/nixos/programs/comfycamp.nix index 2ca9f78..a4f4398 100644 --- a/nixos/programs/comfycamp.nix +++ b/nixos/programs/comfycamp.nix @@ -2,7 +2,7 @@ { virtualisation.oci-containers.containers.comfycamp = { autoStart = true; - image = "ghcr.io/ordinary-dev/comfycamp:v0.6.0"; + image = "ghcr.io/ordinary-dev/comfycamp:v0.7.0"; ports = ["55007:80"]; }; From 16e61fb814d0a2f0ce3ec0a5cfb7ef1cd8e8295d Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Mon, 11 Mar 2024 21:13:15 +0500 Subject: [PATCH 08/10] feat: update my website to v0.8.0, configure redirect from www --- nixos/programs/comfycamp.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/nixos/programs/comfycamp.nix b/nixos/programs/comfycamp.nix index a4f4398..9ef924a 100644 
--- a/nixos/programs/comfycamp.nix +++ b/nixos/programs/comfycamp.nix @@ -2,21 +2,23 @@ { virtualisation.oci-containers.containers.comfycamp = { autoStart = true; - image = "ghcr.io/ordinary-dev/comfycamp:v0.7.0"; + image = "ghcr.io/ordinary-dev/comfycamp:v0.8.0"; ports = ["55007:80"]; }; services.nginx.virtualHosts."[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = { - locations = { - "/".proxyPass = "http://127.0.0.1:55007"; - }; + locations."/".proxyPass = "http://127.0.0.1:55007"; }; services.nginx.virtualHosts."comfycamp.space" = { useACMEHost = "comfycamp.space"; forceSSL = true; - locations = { - "/".proxyPass = "http://127.0.0.1:55007"; - }; + locations."/".proxyPass = "http://127.0.0.1:55007"; + }; + + services.nginx.virtualHosts."www.comfycamp.space" = { + useACMEHost = "comfycamp.space"; + forceSSL = true; + locations."/".return = "301 https://comfycamp.space$request_uri"; }; } From 543b6153bfb661fa4ecaa25fdf25a717343b23c1 Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Mon, 11 Mar 2024 21:51:42 +0500 Subject: [PATCH 09/10] refactor: group databases --- nixos/configuration.nix | 8 +- nixos/{programs => databases}/mysql.nix | 0 nixos/databases/postgres.nix | 80 ++++++++++++++++++++ nixos/{programs => databases}/redis.nix | 0 nixos/programs/postgres.nix | 99 ------------------------- 5 files changed, 85 insertions(+), 102 deletions(-) rename nixos/{programs => databases}/mysql.nix (100%) create mode 100644 nixos/databases/postgres.nix rename nixos/{programs => databases}/redis.nix (100%) delete mode 100644 nixos/programs/postgres.nix diff --git a/nixos/configuration.nix b/nixos/configuration.nix index e9ddbb0..70a346a 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix 
@@ -5,15 +5,17 @@ ./networking.nix ./users.nix ./time.nix + + ./databases/postgres.nix + ./databases/mysql.nix + ./databases/redis.nix + ./programs/nginx.nix ./programs/bash.nix ./programs/acme.nix - ./programs/postgres.nix ./programs/mastodon.nix - ./programs/redis.nix ./programs/nextcloud.nix ./programs/jellyfin.nix - ./programs/mysql.nix ./programs/photoprism.nix ./programs/synapse.nix ./programs/fail2ban.nix diff --git a/nixos/programs/mysql.nix b/nixos/databases/mysql.nix similarity index 100% rename from nixos/programs/mysql.nix rename to nixos/databases/mysql.nix diff --git a/nixos/databases/postgres.nix b/nixos/databases/postgres.nix new file mode 100644 index 0000000..233641c --- /dev/null +++ b/nixos/databases/postgres.nix 
@@ -0,0 +1,80 @@ +{ config, pkgs, ... }: +{ + config.services.postgresql = { + enable = true; + package = pkgs.postgresql_15; + ensureDatabases = [ + "mastodon" + "matrix-synapse" + "nextcloud" + "maddy" + "plausible" + "microboard" + "freshrss" + "prosody" + "grafana" + ]; + ensureUsers = [ + { + name = "mastodon"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "nextcloud"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "matrix-synapse"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "maddy"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "plausible"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "microboard"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "freshrss"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "prosody"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + { + name = "grafana"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + ]; + identMap = '' + # ArbitraryMapName systemUser DBUser + superuser_map root postgres + superuser_map postgres postgres + + # Let other names login as themselves + superuser_map /^(.*)$ \1 + ''; + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method optional_ident_map + local sameuser all peer map=superuser_map + + #type database DBuser origin-address auth-method + host all all 127.0.0.1/32 scram-sha-256 + ''; + }; +} diff --git a/nixos/programs/redis.nix b/nixos/databases/redis.nix similarity index 100% rename from nixos/programs/redis.nix rename to nixos/databases/redis.nix diff --git a/nixos/programs/postgres.nix b/nixos/programs/postgres.nix deleted file mode 100644 index 6234c5a..0000000 --- a/nixos/programs/postgres.nix +++ /dev/null 
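Review bot: The new file keeps the `peer map=superuser_map` + `local sameuser` rule with the catch-all `superuser_map /^(.*)$ \1` mapping, which is the implicit contract every service in this repo relies on (Grafana's `host = "/var/run/postgresql"` with no password, the exporter in patch 10), but the file does not say so. A header comment such as `# Local clients authenticate by peer: the connecting system user must carry the same name as its DB role and database (sameuser), so each service must run as a user named after its database.` would make that visible to anyone adding a service. Dropping `initialScript` looks sound, since as I understand the module `ensureDBOwnership` re-applies ownership on every activation rather than only at cluster init.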
@@ -1,99 +0,0 @@ -{ config, pkgs, ... }: -{ - config.services.postgresql = { - enable = true; - package = pkgs.postgresql_15; - ensureDatabases = [ "mastodon" "matrix-synapse" "nextcloud" "maddy" "plausible" "microboard" "freshrss" "prosody" "grafana" ]; - ensureUsers = [ - { - name = "mastodon"; - ensurePermissions = { - "DATABASE mastodon" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "nextcloud"; - ensurePermissions = { - "DATABASE nextcloud" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "matrix-synapse"; - ensurePermissions = { - "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "maddy"; - ensurePermissions = { - "DATABASE maddy" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "plausible"; - ensurePermissions = { - "DATABASE plausible" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "microboard"; - ensurePermissions = { - "DATABASE microboard" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "freshrss"; - ensurePermissions = { - "DATABASE freshrss" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "prosody"; - ensurePermissions = { - "DATABASE prosody" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - { - name = "grafana"; - ensurePermissions = { - "DATABASE grafana" = "ALL PRIVILEGES"; - }; - ensureClauses.login = true; - } - ]; - initialScript = pkgs.writeText "pg-init.sql" '' - ALTER DATABASE nextcloud OWNER TO nextcloud; - ALTER DATABASE mastodon OWNER TO mastodon; - ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse"; - ALTER DATABASE maddy OWNER TO maddy; - ALTER DATABASE plausible OWNER TO plausible; - ALTER DATABASE microboard OWNER TO microboard; - ALTER DATABASE freshrss OWNER TO freshrss; - ALTER DATABASE prosody OWNER TO prosody; - ALTER DATABASE grafana OWNER TO grafana; - ''; - identMap = '' - # ArbitraryMapName systemUser DBUser - 
superuser_map root postgres - superuser_map postgres postgres - - # Let other names login as themselves - superuser_map /^(.*)$ \1 - ''; - authentication = pkgs.lib.mkOverride 10 '' - #type database DBuser auth-method optional_ident_map - local sameuser all peer map=superuser_map - - #type database DBuser origin-address auth-method - host all all 127.0.0.1/32 scram-sha-256 - ''; - }; -} From 0bcd6def8c01fb5478621125ccdce3293d03653f Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Mon, 11 Mar 2024 22:05:46 +0500 Subject: [PATCH 10/10] feat: enable postgres exporter, group monitoring programs --- nixos/configuration.nix | 4 ++-- nixos/databases/postgres.nix | 6 ++++++ nixos/{programs => monitoring}/grafana.nix | 0 nixos/{programs => monitoring}/prometheus.nix | 11 +++++++++++ 4 files changed, 19 insertions(+), 2 deletions(-) rename nixos/{programs => monitoring}/grafana.nix (100%) rename nixos/{programs => monitoring}/prometheus.nix (62%) diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 70a346a..85925b1 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -29,8 +29,8 @@ ./programs/prosody.nix ./programs/yggdrasil.nix - ./programs/grafana.nix - ./programs/prometheus.nix + ./monitoring/grafana.nix + ./monitoring/prometheus.nix ]; nix = { diff --git a/nixos/databases/postgres.nix b/nixos/databases/postgres.nix index 233641c..47fbe98 100644 --- a/nixos/databases/postgres.nix +++ b/nixos/databases/postgres.nix @@ -13,6 +13,7 @@ "freshrss" "prosody" "grafana" + "postgres-exporter" ]; ensureUsers = [ { @@ -60,6 +61,11 @@ ensureDBOwnership = true; ensureClauses.login = true; } + { + name = "postgres-exporter"; + ensureDBOwnership = true; + ensureClauses.login = true; + } ]; identMap = '' # ArbitraryMapName systemUser DBUser diff --git a/nixos/programs/grafana.nix b/nixos/monitoring/grafana.nix similarity index 100% rename from nixos/programs/grafana.nix rename to nixos/monitoring/grafana.nix 
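Review bot: The `"postgres-exporter"` database added to `ensureDatabases` exists only to satisfy `ensureDBOwnership` and the `local sameuser … peer` rule in this file — the exporter reads cluster-wide `pg_stat_*` views and stores nothing there — but the list entry gives no hint that it is a placeholder. A one-line comment keeps the next reader from looking for its contents: `"postgres-exporter" # empty; only so the sameuser/peer rule admits the exporter role`. The role entry itself follows the least-privilege pattern of the other users, which is the right default for a monitoring account.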
diff --git a/nixos/programs/prometheus.nix b/nixos/monitoring/prometheus.nix similarity index 62% rename from nixos/programs/prometheus.nix rename to nixos/monitoring/prometheus.nix index 15fbfb7..1eac4dd 100644 --- a/nixos/programs/prometheus.nix +++ b/nixos/monitoring/prometheus.nix @@ -9,6 +9,11 @@ enabledCollectors = [ "systemd" ]; port = 55012; }; + postgres = { + enable = true; + port = 55014; + dataSourceName = "user=postgres-exporter database=postgres-exporter host=/run/postgresql sslmode=disable"; + }; }; scrapeConfigs = [ @@ -25,6 +30,12 @@ targets = [ "127.0.0.1:55013" ]; }]; } + { + job_name = "postgres"; + static_configs = [{ + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; + }]; + } ]; }; }
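Review bot: The `exporters.postgres` block connects as the dedicated `postgres-exporter` role, which is preferable to `runAsLocalSuperUser`, but that role only owns its own empty database, and postgres_exporter's documentation recommends that a non-superuser be a member of `pg_monitor` so statistics views such as `pg_stat_activity` are not masked. `ensureUsers` has no role-membership option, so if the collected metrics turn out incomplete the grant has to be done out of band (a one-time `GRANT pg_monitor TO "postgres-exporter";`) and should be recorded in a comment here. `sslmode=disable` is fine for the unix-socket `host=/run/postgresql` path but deserves a comment so it is not copied to a TCP DSN: `# Unix-socket connection authenticated by peer; sslmode=disable is safe only for this socket path.`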