
# NixOps network "Cryto": three hosts (workbot, osmium, nijaxor) that share a
# VPN module (../lib/vpn.nix) and a table of per-host addresses
# (../lib/hosts.nix). Credentials (the Grafana admin user/password on
# workbot) are read from ../secrets.nix, which is not part of this file.
let
  secrets = import ../secrets.nix;
  hosts = import ../lib/hosts.nix;
  vpnConfiguration = import ../lib/vpn.nix;
in {
  network.description = "Cryto";
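# workbot: the public-facing host. nginx terminates TLS (ACME) for Hydra,
# Prometheus, Grafana and the Nix binary cache; the Prometheus instance here
# scrapes the node/systemd exporters of all three hosts via their internal
# addresses.
workbot = { config, lib, pkgs, ... }@args:
{
  imports = [
    (import ../lib/presets/track-service-metrics.nix "127.0.0.1")
    (vpnConfiguration "workbot")
  ];
  config = {
    services.nginx = let
      hostRoot = pkgs.writeTextDir "index.html" "Hello world!";
      # Proxy a whole vhost to a loopback backend. The forwarded scheme/port
      # are hard-coded to https/443 because every proxied vhost below sits
      # behind forceSSL; backends use these headers to build absolute URLs.
      reverseProxy = target: {
        proxyPass = target;
        extraConfig = ''
          proxy_set_header Host $http_host;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header X-Forwarded-Port 443;
        '';
      };
      # Obtain a certificate via ACME and redirect plain HTTP to HTTPS.
      requireTLS = {
        enableACME = true;
        forceSSL = true;
      };
    in {
      enable = true;
      virtualHosts = {
        # Catch-all for requests whose Host header matches no vhost below.
        "_" = {
          default = true;
          root = hostRoot;
        };
        "hydra.cryto.net" = {
          locations = {
            "/" = reverseProxy "http://localhost:3333";
          };
        } // requireTLS;
        # NOTE(review): Prometheus has no authentication of its own, so this
        # vhost exposes the query API -- and therefore every metric scraped
        # from all three hosts -- to anyone who can reach it. Add a
        # basicAuthFile or an allow/deny list on this vhost before relying
        # on it being private.
        "prometheus.cryto.net" = {
          locations = {
            "/" = reverseProxy "http://localhost:9090";
          };
        } // requireTLS;
        "metrics.cryto.net" = {
          locations = {
            "/" = reverseProxy "http://localhost:8452";
          };
        } // requireTLS;
        # Serves the Hydra-written binary cache directly from disk. The NARs
        # are signed with the key named in store_uri below, so consumers
        # verify them against the matching public key.
        "nix-cache.cryto.net" = {
          root = "/var/lib/hydra-builds";
        } // requireTLS;
      };
    };
    services.postgresql = {
      enable = true;
    };
    services.hydra = {
      enable = true;
      port = 3333;
      # Must be https: the vhost above forces SSL and advertises
      # X-Forwarded-Proto https, and the other public URLs in this host
      # (rootUrl, binary_cache_public_uri) are already https. An http://
      # base URL made Hydra emit links that only work via the redirect.
      hydraURL = "https://hydra.cryto.net/";
      notificationSender = "hydra@cryto.net";
      useSubstitutes = false;
      minimumDiskFree = 20;
      minimumDiskFreeEvaluator = 20;
      buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) [];
      # Local file-backed cache, signed with the private key at the given
      # path; the public URI is what clients are told to fetch from.
      extraConfig = ''
        store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1
        binary_cache_public_uri = https://nix-cache.cryto.net
      '';
    };
    /* FIXME: Declaratively define data sources; Grafana module for NixOS does not appear to support this yet? */
    services.grafana = {
      enable = true;
      port = 8452;
      rootUrl = "https://metrics.cryto.net/";
      security = {
        # NOTE(review): values set here are rendered into the generated
        # Grafana configuration in the Nix store, which is world-readable
        # on the host; prefer a file-based variant if the module version in
        # use offers one.
        adminUser = secrets.grafana.username;
        adminPassword = secrets.grafana.password;
      };
      auth = {
        # NOTE(review): anonymous access on a publicly reachable TLS vhost
        # means any visitor can read the dashboards and whatever the data
        # sources expose; confirm this is intended.
        anonymous.enable = true;
      };
    };
    services.prometheus = {
      enable = true;
      globalConfig = {
        scrape_interval = "30s";
      };
      scrapeConfigs = let
        # Relabel rule: targets scraped at `address` get the instance label
        # `name` instead of the raw host:port.
        nameInstance = address: name: {
          source_labels = [ "__address__" ];
          target_label = "instance";
          regex = address;
          replacement = name;
        };
      in [
        {
          job_name = "prometheus";
          static_configs = [{
            targets = [
              "localhost:9090"
            ];
          }];
          relabel_configs = [
            (nameInstance "localhost:9090" "workbot")
          ];
        } {
          # Node exporters. The remote ones are reached on their internal
          # (VPN) addresses; presumably vpn.nix / the metrics preset opens
          # the VPN side of their firewalls -- not visible in this file.
          job_name = "nodes";
          scrape_interval = "10s";
          static_configs = [{
            targets = [
              "localhost:9100"
              "${hosts.osmium.internalIpv4}:9100"
              "${hosts.nijaxor.internalIpv4}:9100"
            ];
          }];
          relabel_configs = [
            (nameInstance "localhost:9100" "workbot")
            (nameInstance "${hosts.osmium.internalIpv4}:9100" "osmium")
            (nameInstance "${hosts.nijaxor.internalIpv4}:9100" "nijaxor")
          ];
        } {
          # systemd exporters on port 9333 (set up by track-service-metrics).
          job_name = "systemd";
          scrape_interval = "60s";
          static_configs = [{
            targets = [
              "localhost:9333"
              "${hosts.osmium.internalIpv4}:9333"
              "${hosts.nijaxor.internalIpv4}:9333"
            ];
          }];
          relabel_configs = [
            (nameInstance "localhost:9333" "workbot")
            (nameInstance "${hosts.osmium.internalIpv4}:9333" "osmium")
            (nameInstance "${hosts.nijaxor.internalIpv4}:9333" "nijaxor")
          ];
        }
      ];
      exporters = {
        node = {
          enable = true;
          # Loopback only: this host's own Prometheus is the sole consumer.
          listenAddress = "127.0.0.1";
          enabledCollectors = [
            "systemd"
          ];
        };
      };
    };
    # Only the web ports are public; Hydra, Grafana and Prometheus are reached
    # through nginx only.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
};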
# osmium: runs the pastebin-stream Node application behind Caddy (which does
# ACME/TLS), and publishes a node exporter on its internal (VPN) address only.
osmium = { config, lib, pkgs, ... }@args:
let
  mkPastebinStream = import ../applications/pastebin-stream.nix;
  mkCaddyConfig = import ../lib/generate/caddy-configuration.nix;
  # Pinned checkout of the application: a revision plus a content hash
  # (presumably a fixed-output fetch), so an upstream change cannot silently
  # alter what gets built.
  pastebinSource = {
    errorPath = "/var/lib/pastebin-stream/errors";
    rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";
    sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";
  };
  # Everything Caddy fronts: a single TLS vhost forwarded to the local app.
  proxiedApplications = [
    {
      hostname = config.systems.osmium.applications.pastebin-stream.hostname;
      tls = true;
      proxyTarget = "http://localhost:3000";
    }
  ];
in {
  options.systems.osmium = with lib; {
    applications.pastebin-stream = {
      hostname = mkOption {
        type = types.str;
        description = ''
          The hostname to expose the pastebin-stream application on.
        '';
      };
    };
  };

  imports = [
    (mkPastebinStream args pastebinSource)
    (import ../lib/presets/track-service-metrics.nix hosts.osmium.internalIpv4)
    (import ../lib/presets/low-ram-nix.nix)
    (vpnConfiguration "osmium")
  ];

  config = {
    environment.systemPackages = [ pkgs.htop ];

    services.caddy = {
      enable = true;
      agree = true;
      email = "admin@cryto.net";
      config = ''
        ${mkCaddyConfig args proxiedApplications}
      '';
    };

    services.node-pastebin-stream = {
      enable = true;
      errorReporting = {
        enable = true;
        metadata = {
          from = "ops@cryto.net";
          to = "admin@cryto.net";
        };
      };
    };

    # Only the web ports are public. 9100 stays closed: the node exporter
    # below binds to the internal address, which is where workbot scrapes it.
    networking.firewall.allowedTCPPorts = [
      80
      443
      /* 9100 # Prometheus node exporter */
    ];

    services.prometheus.exporters.node = {
      enable = true;
      listenAddress = hosts.osmium.internalIpv4;
      enabledCollectors = [ "systemd" ];
    };
  };
};
# nijaxor: no public services. It runs the VPN and metrics presets and a node
# exporter bound to its internal address for workbot to scrape.
nijaxor = { config, lib, pkgs, ... }@args:
{
  imports = [
    (import ../lib/presets/low-ram-nix.nix)
    (import ../lib/presets/track-service-metrics.nix hosts.nijaxor.internalIpv4)
    (vpnConfiguration "nijaxor")
  ];

  config = {
    services.prometheus.exporters.node = {
      enable = true;
      listenAddress = hosts.nijaxor.internalIpv4;
      enabledCollectors = [ "systemd" ];
    };

    # Nothing is opened on the public firewall; exporter traffic presumably
    # arrives over the VPN interface configured in ../lib/vpn.nix (not shown).
    networking.firewall.allowedTCPPorts = [
      /* 9100 # Prometheus node exporter */
    ];
  };
};
}