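# NixOps network "Cryto": three machines joined by a VPN (../lib/vpn.nix).
#   workbot - public-facing nginx in front of Hydra, Prometheus, Grafana and
#             the Hydra binary cache
#   osmium  - Caddy in front of the pastebin-stream application
#   nijaxor - monitored host only (node exporter)
# Every machine also imports track-service-metrics.nix with the address its
# exporters should listen on.
let
  secrets = import ../secrets.nix;
  hosts = import ../lib/hosts.nix;
  vpnConfiguration = import ../lib/vpn.nix;
in {
  network.description = "Cryto";

  workbot = { config, lib, pkgs, ... }@args: {
    imports = [
      # Exporters on workbot bind to loopback; Prometheus runs on this host.
      (import ../lib/presets/track-service-metrics.nix "127.0.0.1")
      (vpnConfiguration "workbot")
    ];

    config = {
      services.nginx = let
        # Placeholder document served by the catch-all vhost.
        hostRoot = pkgs.writeTextDir "index.html" "Hello world!";

        # Proxy a location to a local backend. The forwarded proto/port are
        # hard-coded because every proxied vhost below is also `requireTLS`,
        # i.e. only reachable via forceSSL on 443.
        reverseProxy = target: {
          proxyPass = target;
          extraConfig = ''
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
          '';
        };

        # ACME certificate plus HTTP -> HTTPS redirect.
        requireTLS = {
          enableACME = true;
          forceSSL = true;
        };
      in {
        enable = true;
        virtualHosts = {
          # Catch-all for requests that match no other server name.
          "_" = {
            default = true;
            root = hostRoot;
          };

          "hydra.cryto.net" = {
            locations = { "/" = reverseProxy "http://localhost:3333"; };
          } // requireTLS;

          # NOTE(review): Prometheus has no authentication of its own; this
          # vhost makes the raw API reachable from the internet behind TLS
          # only. Confirm that is intended, or put an auth layer in front.
          "prometheus.cryto.net" = {
            locations = { "/" = reverseProxy "http://localhost:9090"; };
          } // requireTLS;

          "metrics.cryto.net" = {
            locations = { "/" = reverseProxy "http://localhost:8452"; };
          } // requireTLS;

          # Serves the Hydra binary cache directly from disk. The signing key
          # referenced in services.hydra.extraConfig lives under /var/lib/hydra,
          # outside this directory, so it is not served.
          "nix-cache.cryto.net" = {
            root = "/var/lib/hydra-builds";
          } // requireTLS;
        };
      };

      services.postgresql = {
        enable = true;
      };

      services.hydra = {
        enable = true;
        port = 3333;
        # Public URL Hydra uses for absolute links. The vhost above forces
        # SSL and the cache URI below is https, so this must be https too.
        hydraURL = "https://hydra.cryto.net/";
        notificationSender = "hydra@cryto.net";
        useSubstitutes = false;
        minimumDiskFree = 20;
        minimumDiskFreeEvaluator = 20;
        # Only clear the build-machines file list when no remote builders are
        # declared; otherwise leave the module default in place.
        buildMachinesFiles = lib.mkIf (config.nix.buildMachines == []) [];
        extraConfig = ''
          store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1
          binary_cache_public_uri = https://nix-cache.cryto.net
        '';
      };

      # FIXME: Declaratively define data sources; Grafana module for NixOS
      # does not appear to support this yet?
      services.grafana = {
        enable = true;
        port = 8452;
        rootUrl = "https://metrics.cryto.net/";
        security = {
          adminUser = secrets.grafana.username;
          # NOTE(review): the password string is evaluated into the Nix store
          # and the generated Grafana config, both readable by every local
          # user on workbot. Prefer a file-based secret if the secrets module
          # can provide a path instead of a value.
          adminPassword = secrets.grafana.password;
        };
        # Dashboards are viewable without logging in.
        auth = {
          anonymous.enable = true;
        };
      };

      services.prometheus = {
        enable = true;
        globalConfig = {
          scrape_interval = "30s";
        };
        scrapeConfigs = let
          # Relabel rule that replaces the scraped address with a host name in
          # the "instance" label, so dashboards show "osmium" instead of an IP.
          nameInstance = address: name: {
            source_labels = [ "__address__" ];
            target_label = "instance";
            regex = address;
            replacement = name;
          };
        in [
          {
            job_name = "prometheus";
            static_configs = [{ targets = [ "localhost:9090" ]; }];
            relabel_configs = [
              (nameInstance "localhost:9090" "workbot")
            ];
          }
          {
            job_name = "nodes";
            scrape_interval = "10s";
            static_configs = [{
              targets = [
                "localhost:9100"
                "${hosts.osmium.internalIpv4}:9100"
                "${hosts.nijaxor.internalIpv4}:9100"
              ];
            }];
            relabel_configs = [
              (nameInstance "localhost:9100" "workbot")
              (nameInstance "${hosts.osmium.internalIpv4}:9100" "osmium")
              (nameInstance "${hosts.nijaxor.internalIpv4}:9100" "nijaxor")
            ];
          }
          {
            job_name = "systemd";
            scrape_interval = "60s";
            static_configs = [{
              targets = [
                "localhost:9333"
                "${hosts.osmium.internalIpv4}:9333"
                "${hosts.nijaxor.internalIpv4}:9333"
              ];
            }];
            relabel_configs = [
              (nameInstance "localhost:9333" "workbot")
              (nameInstance "${hosts.osmium.internalIpv4}:9333" "osmium")
              (nameInstance "${hosts.nijaxor.internalIpv4}:9333" "nijaxor")
            ];
          }
        ];
        exporters = {
          node = {
            enable = true;
            listenAddress = "127.0.0.1";
            enabledCollectors = [ "systemd" ];
          };
        };
      };

      # Only HTTP/HTTPS are reachable from outside; the exporters bind to
      # loopback and are scraped locally.
      networking.firewall.allowedTCPPorts = [ 80 443 ];
    };
  };

  osmium = { config, lib, pkgs, ... }@args: let
    pastebinStream = (import ../applications/pastebin-stream.nix) args;
    generateCaddyConfiguration =
      (import ../lib/generate/caddy-configuration.nix) args;

    # Applications Caddy should terminate TLS for and proxy to a local port.
    proxiedApplications = [{
      hostname = config.systems.osmium.applications.pastebin-stream.hostname;
      tls = true;
      proxyTarget = "http://localhost:3000";
    }];
  in {
    imports = [
      # Pinned to a specific revision and content hash.
      (pastebinStream {
        errorPath = "/var/lib/pastebin-stream/errors";
        rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";
        sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";
      })
      # Exporters listen on the VPN address so workbot can scrape them.
      (import ../lib/presets/track-service-metrics.nix hosts.osmium.internalIpv4)
      (import ../lib/presets/low-ram-nix.nix)
      (vpnConfiguration "osmium")
    ];

    config = {
      services.caddy = {
        enable = true;
        agree = true;
        email = "admin@cryto.net";
        config = ''
          ${generateCaddyConfiguration proxiedApplications}
        '';
      };

      services.node-pastebin-stream = {
        enable = true;
        errorReporting = {
          enable = true;
          metadata = {
            from = "ops@cryto.net";
            to = "admin@cryto.net";
          };
        };
      };

      # 9100 (Prometheus node exporter) is deliberately not opened here: the
      # exporter binds to the VPN address, which is presumably trusted by
      # ../lib/vpn.nix -- verify there if scraping from workbot fails.
      networking.firewall.allowedTCPPorts = [
        80
        443
        # 9100 # Prometheus node exporter
      ];

      environment.systemPackages = with pkgs; [ htop ];

      services.prometheus.exporters = {
        node = {
          enable = true;
          listenAddress = hosts.osmium.internalIpv4;
          enabledCollectors = [ "systemd" ];
        };
      };
    };

    options.systems.osmium = with lib; {
      applications.pastebin-stream = {
        hostname = mkOption {
          description = ''
            The hostname to expose the pastebin-stream application on.
          '';
          type = types.str;
        };
      };
    };
  };

  nijaxor = { config, lib, pkgs, ... }@args: {
    imports = [
      (import ../lib/presets/low-ram-nix.nix)
      # Exporters listen on the VPN address so workbot can scrape them.
      (import ../lib/presets/track-service-metrics.nix hosts.nijaxor.internalIpv4)
      (vpnConfiguration "nijaxor")
    ];

    config = {
      # No public ports; the node exporter is reachable only on the VPN
      # address it binds to (same assumption as on osmium).
      networking.firewall.allowedTCPPorts = [
        # 9100 # Prometheus node exporter
      ];

      services.prometheus.exporters = {
        node = {
          enable = true;
          listenAddress = hosts.nijaxor.internalIpv4;
          enabledCollectors = [ "systemd" ];
        };
      };
    };
  };
}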