let secrets = import ../secrets.nix; trackServiceMetrics = { systemd.extraConfig = '' DefaultCPUAccounting=yes DefaultIOAccounting=yes DefaultIPAccounting=yes DefaultBlockIOAccounting=yes DefaultMemoryAccounting=yes DefaultTasksAccounting=yes ''; services.cadvisor = { enable = true; port = 9333; listenAddress = "0.0.0.0"; storageDriver = "stdout"; }; virtualisation.docker.enable = false; networking.firewall.allowedTCPPorts = [ 9333 ]; }; in { network.description = "Cryto"; workbot = {config, lib, pkgs, ...}@args: { imports = [ trackServiceMetrics ]; config = { services.nginx = let hostRoot = pkgs.writeTextDir "index.html" "Hello world!"; reverseProxy = target: { proxyPass = target; extraConfig = '' proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Port 443; ''; }; requireTLS = { enableACME = true; forceSSL = true; }; in { enable = true; virtualHosts = { "_" = { default = true; root = hostRoot; }; "hydra.cryto.net" = { locations = { "/" = reverseProxy "http://localhost:3333"; }; } // requireTLS; "prometheus.cryto.net" = { locations = { "/" = reverseProxy "http://localhost:9090"; }; } // requireTLS; "metrics.cryto.net" = { locations = { "/" = reverseProxy "http://localhost:8452"; }; } // requireTLS; "nix-cache.cryto.net" = { root = "/var/lib/hydra-builds"; } // requireTLS; }; }; services.postgresql = { enable = true; }; services.hydra = { enable = true; port = 3333; hydraURL = "http://hydra.cryto.net/"; notificationSender = "hydra@cryto.net"; useSubstitutes = false; minimumDiskFree = 20; minimumDiskFreeEvaluator = 20; buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) []; extraConfig = '' store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1 binary_cache_public_uri = https://nix-cache.cryto.net ''; }; /* FIXME: Declaratively define data sources; Grafana module for NixOS does not appear to support this yet? */ services.grafana = { enable = true; port = 8452; rootUrl = "https://metrics.cryto.net/"; security = { adminUser = secrets.grafana.username; adminPassword = secrets.grafana.password; }; auth = { anonymous.enable = true; }; }; services.prometheus = { enable = true; globalConfig = { scrape_interval = "30s"; }; scrapeConfigs = let nameInstance = address: name: { source_labels = [ "__address__" ]; target_label = "instance"; regex = address; replacement = name; }; in [ { job_name = "prometheus"; static_configs = [{ targets = [ "localhost:9090" ]; }]; relabel_configs = [ (nameInstance "localhost:9090" "workbot") ]; } { job_name = "nodes"; scrape_interval = "10s"; static_configs = [{ targets = [ "localhost:9100" "80.255.0.137:9100" "64.187.233.73:9100" ]; }]; relabel_configs = [ (nameInstance "localhost:9100" "workbot") (nameInstance "80.255.0.137:9100" "osmium") (nameInstance "64.187.233.73:9100" "nijaxor") ]; } { job_name = "systemd"; scrape_interval = "60s"; static_configs = [{ targets = [ "localhost:9333" "80.255.0.137:9333" "64.187.233.73:9333" ]; }]; relabel_configs = [ (nameInstance "localhost:9333" "workbot") (nameInstance "80.255.0.137:9333" "osmium") (nameInstance "64.187.233.73:9333" "nijaxor") ]; } ]; exporters = { node = { enable = true; enabledCollectors = [ "systemd" ]; }; }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; }; }; osmium = { config, lib, pkgs, ... }@args: let pastebinStream = (import ../applications/pastebin-stream.nix) args; generateCaddyConfiguration = (import ../lib/generate/caddy-configuration.nix) args; in let proxiedApplications = [{ hostname = config.systems.osmium.applications.pastebin-stream.hostname; tls = true; proxyTarget = "http://localhost:3000"; }]; in { imports = [ (pastebinStream { errorPath = "/var/lib/pastebin-stream/errors"; rev = "d7a09deda0916fa99920156e928d281a5bd3d97a"; sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726"; }) trackServiceMetrics (import ../lib/low-ram-nix.nix) ]; config = { services.caddy = { enable = true; agree = true; email = "admin@cryto.net"; config = '' ${generateCaddyConfiguration proxiedApplications} ''; }; services.node-pastebin-stream = { enable = true; errorReporting = { enable = true; metadata = { from = "ops@cryto.net"; to = "admin@cryto.net"; }; }; }; networking.firewall.allowedTCPPorts = [ 80 443 9100 # Prometheus node exporter ]; environment.systemPackages = with pkgs; [ htop ]; services.prometheus.exporters = { node = { enable = true; enabledCollectors = [ "systemd" ]; }; }; }; options.systems.osmium = with lib; { applications.pastebin-stream = { hostname = mkOption { description = '' The hostname to expose the pastebin-stream application on. ''; type = types.str; }; }; }; }; nijaxor = { config, lib, pkgs, ... }@args: { imports = [ (import ../lib/low-ram-nix.nix) trackServiceMetrics ]; config = { networking.firewall.allowedTCPPorts = [ 9100 # Prometheus node exporter ]; services.prometheus.exporters = { node = { enable = true; enabledCollectors = [ "systemd" ]; }; }; }; }; }