changes

2023-06-30 01:16:49 +02:00 · 2023-06-30 01:16:49 +02:00 · 061293e537
commit 061293e537
parent 94d60b5a4e
35 changed files with 319 additions and 276 deletions
--- a/hosts/beliskner/default.nix
+++ b/hosts/beliskner/default.nix
@ -39,6 +39,7 @@
  networking.defaultGateway6 = { address = "2a00:6800:3::1"; interface = "ens3"; };
  networking.defaultGateway = { address = "195.90.208.1"; interface = "ens3"; };
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+  networking.useDHCP = false;
  # networking.interfaces.eno1.useDHCP = true;
  networking.hostId = "7c28236a";

@ -54,9 +55,28 @@
      root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
    };
  };
+  services.grafana.settings = {
+    analytics.reporting_enabled = false;
+    users = {
+      allow_sign_up = false;
+    };
+    #auth.proxy = ''
+    #  enabled = true
+    #  header_name = "X-Webauth-User"
+    #  header_property = "username"
+    #  auto_sign_up = true
+    #  allow_sign_up = true
+    #  whitelist = "127.0.0.1, ::1"
+    #'';
+  };


  ragon.agenix.secrets."prometheusBlackboxConfig" = { owner = config.services.prometheus.exporters.blackbox.user; };
+  users.groups.${config.services.prometheus.exporters.blackbox.user} = { };
+  users.users.${config.services.prometheus.exporters.blackbox.user} = {
+    isSystemUser = true;
+    group = config.services.prometheus.exporters.blackbox.user;
+  };
  services.prometheus.exporters.blackbox = {
    enable = true;
    configFile = config.age.secrets.prometheusBlackboxConfig.path;
@ -69,54 +89,50 @@
    virtualHosts = {
      "beliskner.kangaroo-galaxy.ts.net" = {
        extraConfig = ''
-                    reverse_proxy :${toString config.services.grafana.settings.server.http_port}
-                    forward_auth unix//run/tailscale.nginx-auth.sock {
-          	      uri /auth
-          	      header_up Remote-Addr {remote_host}
-          	      header_up Remote-Port {remote_port}
-          	      header_up Original-URI {uri}
-          	      copy_headers {
-               	        Tailscale-User>X-Webauth-User
-          	        Tailscale-Name>X-Webauth-Name
-          	        Tailscale-Login>X-Webauth-Login
-          	        Tailscale-Tailnet>X-Webauth-Tailnet
-          	        Tailscale-Profile-Picture>X-Webauth-Profile-Picture
-          	      }
-                    }
+          #forward_auth unix//run/tailscale/tailscaled.sock {
+          #  uri /auth
+          #  header_up Remote-Addr {remote_host}
+          #  header_up Remote-Port {remote_port}
+          #  header_up Original-URI {uri}
+          #  copy_headers {
+          #    Tailscale-User>X-Webauth-User
+          #    Tailscale-Name>X-Webauth-Name
+          #    Tailscale-Login>X-Webauth-Login
+          #    Tailscale-Tailnet>X-Webauth-Tailnet
+          #    Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+          #  }
+          #}
+          reverse_proxy {
+            to http://localhost:${toString config.services.grafana.settings.server.http_port}
+            flush_interval -1
+            transport http {
+              keepalive 310s
+              compression off
+            }
+          }
        '';
      };
    };
  };

  networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
-  services.grafana.settings = {
-    analytics.reporting_enabled = false;
-    users = {
-      allow_sign_up = false;
-    };
-    auth.proxy = ''
-      enabled = true
-      header_name = "X-Webauth-User"
-      header_property = "username"
-      auto_sign_up = true
-      allow_sign_up = true
-      whitelist = "127.0.0.1, ::1"
-    '';
-  };
  services.tailscale = {
    enable = true;
    permitCertUid = "caddy";
  };


+  age.identityPaths = lib.mkForce [ "/nix/persistent/etc/ssh/ssh_host_ed25519_key" ];

  ragon = {
    cli.enable = false;
    user.enable = false;
    persist.enable = true;
+    persist.baseDir = "/nix/persistent";
    persist.extraDirectories = [
      "/var/lib/tailscale"
      "/var/lib/caddy"
+      "/var/log"
    ];
    services = {
      ssh.enable = true;
--- a/hosts/beliskner/disk-config.nix
+++ b/hosts/beliskner/disk-config.nix
@ -16,9 +16,10 @@
              flags = [ "bios_grub" ];
            }
            {
-              name = "ESP";
+              name = "esp";
              start = "1MiB";
              end = "265MiB";
+              part-type = "primary";
              bootable = true;
              content = {
                type = "filesystem";
@ -33,6 +34,7 @@
              name = "luks";
              start = "265MiB";
              end = "100%";
+              part-type = "primary";
              content = {
                type = "luks";
                name = "crypted";
@ -46,6 +48,7 @@
                };
              };
            }
+
          ];
        };
      };
@ -55,10 +58,10 @@
        type = "lvm_vg";
        lvs = {
          nix = {
-            size = "100%";
+            size = "100%FREE";
            content = {
              type = "filesystem";
-              format = "ext4";
+              format = "xfs";
              mountpoint = "/nix";
              mountOptions = [
                "defaults"
@ -79,16 +82,4 @@
      };
    };
  };
-  fileSystems."/var/log" =
-    {
-      device = "/nix/persistent/varlog";
-      fsType = "bind";
-      neededForBoot = true;
-    };
-  fileSystems."/persistent" =
-    {
-      device = "/nix/persistent";
-      fsType = "bind";
-      neededForBoot = true;
-    };
 }
--- a/hosts/beliskner/hardware-configuration.nix
+++ b/hosts/beliskner/hardware-configuration.nix
@ -16,8 +16,8 @@ in
        enable = true;
        port = 2222;
        hostKeys = [
-          "/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
-          "/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
+          "/nix/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
+          "/nix/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
        ];
        authorizedKeys = pubkeys.ragon.user;
      };