update packages + patches that come w/ it

2026-04-17 19:16:39 -07:00 · 2026-04-17 19:16:39 -07:00 · 2621308fc0
commit 2621308fc0
parent 4304b5c887
7 changed files with 56 additions and 69 deletions
--- a/modules/security.nix
+++ b/modules/security.nix
@ -69,9 +69,6 @@ in {
    (mkIf cfg.useDoas {
      security.sudo.enable = false;
      security.doas.enable = true;
-      security.doas.extraRules = [
-        { users = [ config.user.name ]; noPass = true; persist = false; keepEnv = true; }
-      ];
      environment.systemPackages = with pkgs; [ doas-sudo-shim ];
    })
  ];
--- a/modules/services/amdl.nix
+++ b/modules/services/amdl.nix
@ -8,7 +8,7 @@ in {
    enable = mkEnableOption "enable amdl, an apple music download server";
    port = mkOption {
      type = types.int;
-      default = 3001;
+      default = 2001;
    };
    domain = mkOption {
      type = types.str;
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -8,7 +8,7 @@ in {
    enable = mkEnableOption "enable forgejo, a lightweight git server";
    port = mkOption {
      type = types.int;
-      default = 3000;
+      default = 2000;
    };
    domain = mkOption {
      type = types.str;
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@ -5,7 +5,7 @@ let
  cfg = config.modules.services.metrics;
 in {
  options.modules.services.metrics = {
-    enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
+    enable = mkEnableOption "enable grafana with prometheus, alloy, and loki";
    domain = mkOption {
      type = types.str;
      default = "grafana.reidlab.pink";
@ -16,15 +16,15 @@ in {
    };
    grafanaPort = mkOption {
      type = types.int;
-      default = 2000;
+      default = 3000;
    };
-    promtailPort = mkOption {
+    alloyPort = mkOption {
      type = types.int;
-      default = 2001;
+      default = 12345;
    };
    lokiPort = mkOption {
      type = types.int;
-      default = 2002;
+      default = 3100;
    };
    prometheusPort = mkOption {
      type = types.int;
@ -46,6 +46,10 @@ in {
          http_port = cfg.grafanaPort;
          http_addr = "127.0.0.1";
        };
+        database.type = "sqlite3"; # TODO: use postgres?
+        # use default secret key
+        # TODO: maybe don't do that idk 
+        security.secret_key = "SW2YcwTIb9zpOOhoPsMm";
      };

      provision.datasources.settings = {
@ -201,38 +205,40 @@ in {
      };
    };

-    services.promtail = {
+    services.alloy = {
      enable = true;

-      configuration = {
-        server = {
-          http_listen_port = cfg.promtailPort;
-          grpc_listen_port = 0;
-        };
-
-        positions.filename = "/tmp/positions.yaml";
-
-        client.url = "http://127.0.0.1:${toString cfg.lokiPort}/loki/api/v1/push";
-
-        scrape_configs = [
-          {
-            job_name = "journal";
-            journal = {
-              max_age = "12h";
-              labels = {
-                job = "systemd-journal";
-                hostname = config.networking.hostName;
-              };
-            };
-            relabel_configs = [
-              {
-                source_labels = [ "__journal__systemd_unit" ];
-                target_label = "unit";
-              }
-            ];
+      extraFlags = [
+        "--server.http.listen-addr=127.0.0.1:${toString cfg.alloyPort}"
+        "--disable-reporting" # disable telemetry
+      ];
+      configPath = pkgs.writeText "config.alloy" ''
+        loki.relabel "journal" {
+          forward_to = []
+          rule {
+            source_labels = ["__journal__systemd_unit"]
+            target_label = "unit"
          }
-        ];
-      };
+          rule {
+            source_labels = ["__journal__hostname"]
+            target_label = "hostname"
+          }
+        }
+
+        loki.source.journal "journal" {
+          forward_to = [loki.write.default.receiver]
+          max_age = "12h"
+
+          labels = {job = "systemd-journal"}
+          relabel_rules = loki.relabel.journal.rules
+        }
+
+        loki.write "default" {
+          endpoint {
+            url = "http://localhost:${toString cfg.lokiPort}/loki/api/v1/push"
+          }
+        }
+      '';
    };

    services.nginx.statusPage = true;
--- a/modules/services/staticSites.nix
+++ b/modules/services/staticSites.nix
@ -22,12 +22,6 @@ let
      default = {};
    };

-    disableLogsForMisc = mkOption {
-      type = types.bool;
-      description = "Disables access logs for /favicon.ico and /robots.txt";
-      default = true;
-    };
-
    denySensitivePaths = mkOption {
      type = types.bool;
      description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
@ -63,17 +57,6 @@ in {
        locations = mkMerge [
          { "/".basicAuth = site.auth; }

-          ( mkIf site.disableLogsForMisc {
-            "= /favicon.ico".extraConfig = ''
-              access_log off;
-              log_not_found off;
-            '';
-            "= /robots.txt".extraConfig = ''
-              access_log off;
-              log_not_found off;
-            '';
-          })
-
          ( mkIf site.denySensitivePaths {
            "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
          })
--- a/modules/services/uptime.nix
+++ b/modules/services/uptime.nix
@ -8,7 +8,7 @@ in {
    enable = mkEnableOption "enable uptime kuma, a self-hosted uptime website";
    port = mkOption {
     type = types.int;
-      default = 3002;
+      default = 2002;
    };
    domain = mkOption {
      type = types.str;
@ -20,6 +20,7 @@ in {
    services.uptime-kuma = {
      enable = true;
      settings.PORT = toString cfg.port;
+      # TODO: use postgres?
    };

    services.nginx.virtualHosts."${cfg.domain}" = {