meow

2025-06-30 15:02:33 +02:00 · 2025-06-30 15:02:33 +02:00 · ab44dd5abb
commit ab44dd5abb
parent 1ca1890e33
7 changed files with 191 additions and 106 deletions
--- a/hosts/ds9/attic.nix
+++ b/hosts/ds9/attic.nix
@ -5,13 +5,17 @@
  inputs,
  ...
 }:
+let
+  stateDir = "/var/lib/atticd2";
+in
 {
  # imports = [ inputs.attic.nixosModules.atticd ];
  ragon.agenix.secrets.ds9AtticEnv = { };
  ragon.persist.extraDirectories = [
-    "/var/lib/atticd"
+    stateDir
  ];
-  
+
+  systemd.services.atticd.serviceConfig.ReadWritePaths = [ stateDir ];
  services.atticd = {
    enable = true;

@ -20,6 +24,11 @@

    settings = {
      listen = "[::]:8089";
+      database.url = "sqlite://${stateDir}/server.db?mode=rwc";
+      storage = {
+        type = "local";
+        path = "${stateDir}/storage";
+      };

      jwt = { };

--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@ -72,6 +72,7 @@ in
    image = "docker.io/tensorchord/pgvecto-rs:pg16-v0.2.1";
    extraOptions = [
      "--network=db-net"
+      "--network=podman"
      "--health-cmd"
      "pg_isready -U postgres"
    ];
@ -82,6 +83,7 @@ in
    environmentFiles = [
      config.age.secrets.ds9PostgresEnv.path
    ];
+    ports = [ "5432:5432"];
    volumes = [
      "${postgres-multi-db}:/docker-entrypoint-initdb.d/create-multiple-postgresql-databases.sh"
      "postgres:/var/lib/postgresql/data"
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -299,11 +299,15 @@ in
          import podmanRedir http://copyparty:3923
        }
        @noauth {
-          method GET OPTIONS HEAD
          path_regexp ^\/(noauth(\/.*|)|[a-z.]+\.(css|js)|[1-9].png)$
        }
+        @getoptionshead {
+          method GET OPTIONS HEAD
+        }
        handle @noauth {
-          import podmanRedir http://copyparty:3923
+          handle @getoptionshead {
+            import podmanRedir http://copyparty:3923
+          }
        }
        handle {
          import podmanRedirWithAuth http://copyparty:3923
@ -321,14 +325,18 @@ in
      enable = true;
      enabledCollectors = [ "systemd" ];
    };
+    exporters.postgres = {
+      enable = true;
+      environmentFile = config.age.secrets.ds9PostgresExporterEnv.path;
+    };
    scrapeConfigs = [
-
      {
-        job_name = "jellyfin";
+        job_name = "postgres";
        static_configs = [
          {
            targets = [
-              "127.0.0.1:8096"
+              "localhost:${toString config.services.prometheus.exporters.postgres.port}"
+              "picard.kangaroo-galaxy.ts.net:${toString config.services.prometheus.exporters.postgres.port}"
            ];
          }
        ];
@ -393,6 +401,7 @@ in
  ragon = {
    agenix.secrets."desec" = { };
    agenix.secrets."ds9DynDns" = { };
+    agenix.secrets."ds9PostgresExporterEnv" = { };
    user.enable = true;
    persist.enable = true;
    persist.extraDirectories = [
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@ -2,34 +2,39 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ inputs, config, pkgs, lib, ... }:
+{
+  inputs,
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 {
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./xynospace-matrix.nix
-      ./plausible.nix
-      ./obsidianshare.nix
-      ./mail.nix
-      ./gotosocial.nix
-      # ./ts-ovpn.nix
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./xynospace-matrix.nix
+    ./plausible.nix
+    ./obsidianshare.nix
+    ./mail.nix
+    ./gotosocial.nix
+    # ./ts-ovpn.nix

-      ../../nixos-modules/system/persist.nix
-      ../../nixos-modules/system/agenix.nix
-      ../../nixos-modules/system/fs.nix
-      ../../nixos-modules/system/security.nix
-      ../../nixos-modules/services/ssh.nix
-      ../../nixos-modules/services/msmtp.nix
-      ../../nixos-modules/services/caddy
-      ../../nixos-modules/services/bitwarden.nix
-      ../../nixos-modules/networking/tailscale.nix
-      ../../nixos-modules/services/authelia.nix
-      ../../nixos-modules/services/hedgedoc.nix
-      ../../nixos-modules/services/ts3.nix
-      ../../nixos-modules/user
-    ];
+    ../../nixos-modules/system/persist.nix
+    ../../nixos-modules/system/agenix.nix
+    ../../nixos-modules/system/fs.nix
+    ../../nixos-modules/system/security.nix
+    ../../nixos-modules/services/ssh.nix
+    ../../nixos-modules/services/msmtp.nix
+    ../../nixos-modules/services/caddy
+    ../../nixos-modules/services/bitwarden.nix
+    ../../nixos-modules/networking/tailscale.nix
+    # ../../nixos-modules/services/authelia.nix
+    ../../nixos-modules/services/hedgedoc.nix
+    ../../nixos-modules/services/ts3.nix
+    ../../nixos-modules/user
+  ];

  documentation.enable = false;
  documentation.nixos.enable = false;
@ -42,7 +47,6 @@
  services.syncthing.group = "users";
  services.syncthing.user = "ragon";

-
  networking.interfaces."ens3" = {
    ipv6 = {
      addresses = [
@ -53,8 +57,14 @@
      ];
    };
  };
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp0s3"; };
-  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+  networking.defaultGateway6 = {
+    address = "fe80::1";
+    interface = "enp0s3";
+  };
+  networking.nameservers = [
+    "1.1.1.1"
+    "8.8.8.8"
+  ];
  # networking.interfaces.eno1.useDHCP = true;
  networking.hostId = "7c21236a";

@ -63,12 +73,26 @@

  services.postgresql.package = pkgs.postgresql_13;

-  
-
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
-  networking.firewall.allowedTCPPorts = [ 80 443 config.services.forgejo.settings.server.SSH_PORT 25 143 465 587 993 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+    config.services.forgejo.settings.server.SSH_PORT
+    25
+    143
+    465
+    587
+    993
+  ];
  networking.firewall.allowedUDPPorts = [ 443 ];
-  services.prometheus.exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; };
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [ "systemd" ];
+  };
+  services.prometheus.exporters.postgres = {
+    enable = true;
+    runAsLocalSuperUser = true;
+  };
  services.caddy = {
    logFormat = "level INFO";
    enable = true;
@ -118,10 +142,16 @@
    virtualHosts."xyno.space".extraConfig =
      let
        fqdn = "matrix.xyno.space";
-        wkServer = { "m.server" = "${fqdn}:443"; };
+        wkServer = {
+          "m.server" = "${fqdn}:443";
+        };
        wkClient = {
-          "m.homeserver" = { "base_url" = "https://${fqdn}"; };
-          "m.identity_server" = { "base_url" = "https://vector.im"; };
+          "m.homeserver" = {
+            "base_url" = "https://${fqdn}";
+          };
+          "m.identity_server" = {
+            "base_url" = "https://vector.im";
+          };
          # "org.matrix.msc3575.proxy" = { "url" = "https://slidingsync.ragon.xyz"; };
        };
      in
@ -175,19 +205,19 @@
      handle @md {
        reverse_proxy http://[::1]:${toString config.services.hedgedoc.settings.port}
      }
-      @sso host sso.xyno.systems
-      handle @sso {
-        reverse_proxy http://127.0.0.1:9091
-      }
-      @git host git.xyno.systems
-      handle @git {
-        reverse_proxy http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}
-      }
+      # @sso host sso.xyno.systems
+      # handle @sso {
+      #   reverse_proxy http://127.0.0.1:9091
+      # }
+      # @git host git.xyno.systems
+      # handle @git {
+      #   reverse_proxy http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}
+      # }
      @notes host notes.xyno.systems
      handle @notes {
        reverse_proxy http://127.0.0.1:8086
      }
-      
+
      handle {
        abort
      }
@ -196,43 +226,43 @@
      redir https://xyno.space{uri}
    '';
    virtualHosts."robotgirl.cloud".extraConfig = ''
-        handle / {
-           header Content-Type text/html
-           header Access-Control-Allow-Origin "*"
-           respond `<!DOCTYPE html><html><head><title>beep</title></head><body>
-          <h2>
-          beep :3
-          </h2>
-          <p>
-all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
-</p>
-          </body></head>` 200
-        }
+              handle / {
+                 header Content-Type text/html
+                 header Access-Control-Allow-Origin "*"
+                 respond `<!DOCTYPE html><html><head><title>beep</title></head><body>
+                <h2>
+                beep :3
+                </h2>
+                <p>
+      all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
+      </p>
+                </body></head>` 200
+              }
    '';
  };

-  services.forgejo = {
-    enable = true;
-    lfs.enable = true;
-    settings = {
-      global.APP_NAME = "xyno.systems git";
-      session.COOKIE_SECURE = true;
-      server.DOMAIN = "git.xyno.systems";
-      server.ROOT_URL = "https://git.xyno.systems/";
-      server.HTTP_PORT = 3031;
-      server.HTTP_HOST = "127.0.0.1";
-      service.DISABLE_REGISTRATION = false;
-      service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-      service.SHOW_REGISTRATION_BUTTON = false;
+  # services.forgejo = {
+  #   enable = true;
+  #   lfs.enable = true;
+  #   settings = {
+  #     global.APP_NAME = "xyno.systems git";
+  #     session.COOKIE_SECURE = true;
+  #     server.DOMAIN = "git.xyno.systems";
+  #     server.ROOT_URL = "https://git.xyno.systems/";
+  #     server.HTTP_PORT = 3031;
+  #     server.HTTP_HOST = "127.0.0.1";
+  #     service.DISABLE_REGISTRATION = false;
+  #     service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+  #     service.SHOW_REGISTRATION_BUTTON = false;

-      openid = {
-        ENABLE_OPENID_SIGNIN = false;
-        ENABLE_OPENID_SIGNUP = true;
-        WHITELISTED_URIS = "sso.xyno.systems";
-      };
+  #     openid = {
+  #       ENABLE_OPENID_SIGNIN = false;
+  #       ENABLE_OPENID_SIGNUP = true;
+  #       WHITELISTED_URIS = "sso.xyno.systems";
+  #     };

-    };
-  };
+  #   };
+  # };

  ragon.agenix.secrets."desec" = { };

@ -252,8 +282,14 @@ all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
    configurations."picard-ds9" = {
      source_directories = [ "/persistent" ];
      repositories = [
-        { label = "ds9"; path = "ssh://picardbackup@ds9/backups/picard/borgmatic"; }
-        { label = "gatebridge"; path = "ssh://root@gatebridge/media/backup/picard"; }
+        {
+          label = "ds9";
+          path = "ssh://picardbackup@ds9/backups/picard/borgmatic";
+        }
+        {
+          label = "gatebridge";
+          path = "ssh://root@gatebridge/media/backup/picard";
+        }
      ];
      exclude_if_present = [ ".nobackup" ];
      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticPassword.path}";
@ -265,10 +301,22 @@ all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
        keep_monthly = 12;
        keep_yearly = 10;
      };
-      before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})/start" ];
-      after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})" ];
-      on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail" ];
-      postgresql_databases = [{ name = "all"; pg_dump_command = "${pkgs.postgresql}/bin/pg_dumpall"; pg_restore_command = "${pkgs.postgresql}/bin/pg_restore"; }];
+      before_actions = [
+        "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})/start"
+      ];
+      after_actions = [
+        "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})"
+      ];
+      on_error = [
+        "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail"
+      ];
+      postgresql_databases = [
+        {
+          name = "all";
+          pg_dump_command = "${pkgs.postgresql}/bin/pg_dumpall";
+          pg_restore_command = "${pkgs.postgresql}/bin/pg_restore";
+        }
+      ];
    };
  };

@ -281,23 +329,39 @@ all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
  # services.lolpizza2.enable = true;
  programs.mosh.enable = true;

-  home-manager.users.ragon = { pkgs, lib, inputs, config, ... }: {
-    imports = [
-      # ../../hm-modules/nvim
-      # ../../hm-modules/zsh
-      ../../hm-modules/tmux
-      ../../hm-modules/cli.nix
-      ../../hm-modules/files.nix
-    ];
+  home-manager.users.ragon =
+    {
+      pkgs,
+      lib,
+      inputs,
+      config,
+      ...
+    }:
+    {
+      imports = [
+        # ../../hm-modules/nvim
+        # ../../hm-modules/zsh
+        ../../hm-modules/tmux
+        ../../hm-modules/cli.nix
+        ../../hm-modules/files.nix
+      ];

-    programs.home-manager.enable = true;
-    home.stateVersion = "23.11";
-  };
+      programs.home-manager.enable = true;
+      home.stateVersion = "23.11";
+    };

  ragon = {
    user.enable = true;
    persist.enable = true;
-    persist.extraDirectories = [ "/var/lib/nixos-containers" "/srv/www" config.services.caddy.dataDir "/var/lib/syncthing" "/var/lib/${config.services.xynoblog.stateDirectory}" "/var/lib/postgresql" config.services.forgejo.stateDir ];
+    persist.extraDirectories = [
+      "/var/lib/nixos-containers"
+      "/srv/www"
+      config.services.caddy.dataDir
+      "/var/lib/syncthing"
+      "/var/lib/${config.services.xynoblog.stateDirectory}"
+      "/var/lib/postgresql"
+      config.services.forgejo.stateDir
+    ];

    services = {
      caddy.enable = true;
@ -306,7 +370,7 @@ all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
      bitwarden.enable = true;
      tailscale.enable = true;
      hedgedoc.enable = true;
-      authelia.enable = true;
+      # authelia.enable = true;
      ts3.enable = true;
    };

--- a/nixos-modules/services/hedgedoc.nix
+++ b/nixos-modules/services/hedgedoc.nix
@ -10,10 +10,10 @@ in
      default = "md.xyno.systems";
    };
  config = lib.mkIf cfg.enable {
-    ragon.agenix.secrets.autheliaHedgedoc = { owner = "authelia-main"; };
-    services.authelia.instances.main.settingsFiles = [
-      config.age.secrets.autheliaHedgedoc.path
-    ];
+    # ragon.agenix.secrets.autheliaHedgedoc = { owner = "authelia-main"; };
+    # services.authelia.instances.main.settingsFiles = [
+    #   config.age.secrets.autheliaHedgedoc.path
+    # ];
    services.hedgedoc = {
      enable = true;
      environmentFile = "${config.age.secrets.hedgedocSecret.path}";
--- a/secrets/ds9PostgresExporterEnv.age
+++ b/secrets/ds9PostgresExporterEnv.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,6 +26,7 @@ in
  "ds9WoodpeckerAgentSecretEnv.age".publicKeys = pubkeys.ragon.host "ds9";
  "ds9PartDbEnv.age".publicKeys = pubkeys.ragon.host "ds9";
  "ds9AuthentikLdapEnv.age".publicKeys = pubkeys.ragon.host "ds9";
+  "ds9PostgresExporterEnv.age".publicKeys = pubkeys.ragon.host "ds9";
  "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.server;
  "plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard";
  "plausibleGoogleClientId.age".publicKeys = pubkeys.ragon.host "picard";