diff --git a/flake.lock b/flake.lock
index 68fbaaa..f871b8e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -39,11 +39,11 @@
 },
 "hardware": {
 "locked": {
- "lastModified": 1761933221,
- "narHash": "sha256-rNHeoG3ZrA94jczyLSjxCtu67YYPYIlXXr0uhG3wNxM=",
+ "lastModified": 1775490113,
+ "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "7467f155fcba189eb088a7601f44fbef7688669b",
+ "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
 "type": "github"
 },
 "original": {
@@ -59,11 +59,11 @@
 ]
 },
 "locked": {
- "lastModified": 1762041416,
- "narHash": "sha256-rmJKABRXnhFjjI6RB/MnEvLTQa569zu684Th9y6UlOI=",
+ "lastModified": 1776454077,
+ "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "c0016dd14773f4ca0b467b74c7cdcc501570df4b",
+ "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
 "type": "github"
 },
 "original": {
@@ -90,11 +90,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1761907660,
- "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
+ "lastModified": 1776169885,
+ "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
+ "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
 "type": "github"
 },
 "original": {
@@ -179,11 +179,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1753541826,
- "narHash": "sha256-foGgZu8+bCNIGeuDqQ84jNbmKZpd+JvnrL2WlyU4tuU=",
+ "lastModified": 1770124655,
+ "narHash": "sha256-yHmd2B13EtBUPLJ+x0EaBwNkQr9LTne1arLVxT6hSnY=",
 "owner": "nix-community",
 "repo": "nixos-vscode-server",
- "rev": "6d5f074e4811d143d44169ba4af09b20ddb6937d",
+ "rev": "92ce71c3ba5a94f854e02d57b14af4997ab54ef0",
 "type": "github"
 },
 "original": {
diff --git a/modules/security.nix b/modules/security.nix
index b702c64..c201aa5 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -69,9 +69,6 @@ in {
 (mkIf cfg.useDoas {
 security.sudo.enable = false;
 security.doas.enable = true;
- security.doas.extraRules = [
- { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
- ];
 environment.systemPackages = with pkgs; [ doas-sudo-shim ];
 })
 ];
diff --git a/modules/services/amdl.nix b/modules/services/amdl.nix
index 7dd3d42..2baa9c2 100644
--- a/modules/services/amdl.nix
+++ b/modules/services/amdl.nix
@@ -8,7 +8,7 @@ in {
 enable = mkEnableOption "enable amdl, an apple music download server";
 port = mkOption {
 type = types.int;
- default = 3001;
+ default = 2001;
 };
 domain = mkOption {
 type = types.str;
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index 363f678..3e15c87 100755
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -8,7 +8,7 @@ in {
 enable = mkEnableOption "enable forgejo, a lightweight git server";
 port = mkOption {
 type = types.int;
- default = 3000;
+ default = 2000;
 };
 domain = mkOption {
 type = types.str;
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 3575655..27e0e8d 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -5,7 +5,7 @@ let
 cfg = config.modules.services.metrics;
 in {
 options.modules.services.metrics = {
- enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
+ enable = mkEnableOption "enable grafana with prometheus, alloy, and loki";
 domain = mkOption {
 type = types.str;
 default = "grafana.reidlab.pink";
@@ -16,15 +16,15 @@ in {
 };
 grafanaPort = mkOption {
 type = types.int;
- default = 2000;
+ default = 3000;
 };
- promtailPort = mkOption {
+ alloyPort = mkOption {
 type = types.int;
- default = 2001;
+ default = 12345;
 };
 lokiPort = mkOption {
 type = types.int;
- default = 2002;
+ default = 3100;
 };
 prometheusPort = mkOption {
 type = types.int;
@@ -46,6 +46,10 @@ in {
 http_port = cfg.grafanaPort;
 http_addr = "127.0.0.1";
 };
+ database.type = "sqlite3"; # TODO: use postgres?
+ # use default secret key
+ # TODO: maybe don't do that idk
+ security.secret_key = "SW2YcwTIb9zpOOhoPsMm";
 };
 provision.datasources.settings = {
@@ -201,38 +205,40 @@ in {
 };
 };
- services.promtail = {
+ services.alloy = {
 enable = true;
- configuration = {
- server = {
- http_listen_port = cfg.promtailPort;
- grpc_listen_port = 0;
- };
-
- positions.filename = "/tmp/positions.yaml";
-
- client.url = "http://127.0.0.1:${toString cfg.lokiPort}/loki/api/v1/push";
-
- scrape_configs = [
- {
- job_name = "journal";
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- hostname = config.networking.hostName;
- };
- };
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- ];
+ extraFlags = [
+ "--server.http.listen-addr=127.0.0.1:${toString cfg.alloyPort}"
+ "--disable-reporting" # disable telemetry
+ ];
+ configPath = pkgs.writeText "config.alloy" ''
+ loki.relabel "journal" {
+ forward_to = []
+ rule {
+ source_labels = ["__journal__systemd_unit"]
+ target_label = "unit"
 }
- ];
- };
+ rule {
+ source_labels = ["__journal__hostname"]
+ target_label = "hostname"
+ }
+ }
+
+ loki.source.journal "journal" {
+ forward_to = [loki.write.default.receiver]
+ max_age = "12h"
+
+ labels = {job = "systemd-journal"}
+ relabel_rules = loki.relabel.journal.rules
+ }
+
+ loki.write "default" {
+ endpoint {
+ url = "http://localhost:${toString cfg.lokiPort}/loki/api/v1/push"
+ }
+ }
+ '';
 };
 services.nginx.statusPage = true;
diff --git a/modules/services/staticSites.nix b/modules/services/staticSites.nix
index 5549400..443169f 100755
--- a/modules/services/staticSites.nix
+++ b/modules/services/staticSites.nix
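Review bot: The added `security.secret_key = "SW2YcwTIb9zpOOhoPsMm";` pins Grafana's encryption key to the publicly known value from its shipped defaults (the hunk's own comment says as much), and as a string literal in a NixOS module it ends up both in the repository and in the generated grafana.ini, which the module most likely writes to the world-readable Nix store. Grafana uses secret_key to encrypt stored datasource secrets, so anyone with the default key can decrypt whatever lands in the sqlite database this hunk also selects. Generate a random key outside the store and reference it through Grafana's file provider, e.g. `security.secret_key = "$__file{/run/secrets/grafana-secret-key}";`, with the file delivered by the host's secrets mechanism and readable only by the grafana user; the enclosing settings block continues outside the hunk.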
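Review bot: The `loki.write` endpoint in the new Alloy config points at `http://localhost:${toString cfg.lokiPort}/loki/api/v1/push` while the listener flag a few lines above is pinned to `127.0.0.1`; `localhost` may resolve to `::1` first, and if Loki (configured outside this hunk) binds only to 127.0.0.1 the push can fail or succeed only after a fallback. Using `url = "http://127.0.0.1:${toString cfg.lokiPort}/loki/api/v1/push"` keeps it consistent with the listen-addr flag and with the promtail `client.url` this hunk removes.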
@@ -22,12 +22,6 @@ let
 default = {};
 };
- disableLogsForMisc = mkOption {
- type = types.bool;
- description = "Disables access logs for /favicon.ico and /robots.txt";
- default = true;
- };
-
 denySensitivePaths = mkOption {
 type = types.bool;
 description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
@@ -63,17 +57,6 @@ in {
 locations = mkMerge [
 { "/".basicAuth = site.auth; }
- ( mkIf site.disableLogsForMisc {
- "= /favicon.ico".extraConfig = ''
- access_log off;
- log_not_found off;
- '';
- "= /robots.txt".extraConfig = ''
- access_log off;
- log_not_found off;
- '';
- })
-
 ( mkIf site.denySensitivePaths {
 "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
 })
diff --git a/modules/services/uptime.nix b/modules/services/uptime.nix
index 54d0a81..d1ecfb4 100644
--- a/modules/services/uptime.nix
+++ b/modules/services/uptime.nix
@@ -8,7 +8,7 @@ in {
 enable = mkEnableOption "enable uptime kuma, a self-hosted uptime website";
 port = mkOption {
 type = types.int;
- default = 3002;
+ default = 2002;
 };
 domain = mkOption {
 type = types.str;
@@ -20,6 +20,7 @@ in {
 services.uptime-kuma = {
 enable = true;
 settings.PORT = toString cfg.port;
+ # TODO: use postgres?
 };
 services.nginx.virtualHosts."${cfg.domain}" = {