diff --git a/default.nix b/default.nix index 79c1614..47c528e 100755 --- a/default.nix +++ b/default.nix @@ -2,7 +2,7 @@ let inherit (builtins) toString; - inherit (lib.modules) mkDefault mkIf; + inherit (lib.modules) mkDefault; inherit (lib.my) mapModulesRec'; in { imports = @@ -15,7 +15,6 @@ in { package = pkgs.nix; # flake registry and nix path pinning - # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; registry.nixpkgs.flake = inputs.nixpkgs; @@ -33,9 +32,6 @@ in { }; }; - # set our git revision inside `nixos-version` - system.configurationRevision = with inputs; mkIf (self ? rev) self.rev; - time.timeZone = mkDefault "America/Los_Angeles"; i18n.defaultLocale = mkDefault "en_US.UTF-8"; diff --git a/flake.lock b/flake.lock index f566bec..586528d 100755 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1710164657, - "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=", + "lastModified": 1709485962, + "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=", "owner": "nix-community", "repo": "home-manager", - "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2", + "rev": "d579633ff9915a8f4058d5c439281097e92380a8", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709961763, - "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=", + "lastModified": 1709237383, + "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34", + "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3527f24..3d96afd 100755 --- a/flake.nix +++ b/flake.nix 
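Review bot: Dropping `system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;` in the third default.nix hunk means `nixos-version` no longer reports which flake commit a running host was built from, which is the cheapest provenance check when comparing two hosts or reconstructing what was deployed during an incident. If the line went only because the `mkIf` import was removed in the first hunk, keeping both is preferable to losing the stamp; if the removal is deliberate, a one-line comment stating why would keep the next reader from restoring it. The second hunk also removes the only pointer explaining the `nixPath`/`registry.nixpkgs.flake` pinning, so a short comment such as `# pin the system's nixpkgs to the flake input so tools and the system agree on a revision` would preserve the rationale.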
@@ -1,5 +1,5 @@ { - description = "a collection of personal nix configurations"; + description = "Flake-o-rama"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; diff --git a/hosts/nixos-server-reid/default.nix b/hosts/server/default.nix similarity index 69% rename from hosts/nixos-server-reid/default.nix rename to hosts/server/default.nix index 03e1335..7608a91 100755 --- a/hosts/nixos-server-reid/default.nix +++ b/hosts/server/default.nix @@ -4,16 +4,20 @@ let in { imports = [ - ./hardware.nix + ./hardware-configuration.nix ./webapps/default.nix ]; + users.groups.dotfiles = {}; + + # HACK HACK HACK + services.logrotate.checkConfig = false; + # HACK HACK HACK + normalUsers = { reidlab = { conf = { - packages = with pkgs; [ - bat btop duf file micro nix-output-monitor tree which - ]; + packages = with pkgs; [ bat tree micro duf ]; extraGroups = [ "wheel" "dotfiles" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc" @@ -29,6 +33,11 @@ in { }; }; + keyboard = { + locale = "en_US.UTF-8"; + variant = "qwerty"; + }; + modules = { services = { ssh = { @@ -46,6 +55,8 @@ in { security.useDoas = false; }; - # enable network manager - probably not the best on a single server but Oh Well - networking.networkmanager.enable = true; + networking = { + hostName = "nixos-server-reid"; + networkmanager.enable = true; + }; } diff --git a/hosts/nixos-server-reid/hardware.nix b/hosts/server/hardware-configuration.nix similarity index 81% rename from hosts/nixos-server-reid/hardware.nix rename to hosts/server/hardware-configuration.nix index 83a985a..b880e8d 100755 --- a/hosts/nixos-server-reid/hardware.nix +++ b/hosts/server/hardware-configuration.nix 
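Review bot: `services.logrotate.checkConfig = false;` in the first hosts/server/default.nix hunk disables build-time validation of the logrotate configuration for the whole host, and the surrounding `# HACK HACK HACK` markers give no reason, so nobody can tell when it is safe to remove. This is usually only needed when the check fails inside the build sandbox (for example because a user or group named in a rotation block does not exist there), and with the check off a broken rotation only shows up at runtime as logs that never rotate. I would replace the markers with a comment that names the failing check and the condition for re-enabling it, e.g. `# checkConfig disabled: build-sandbox check fails on <reason>; re-enable once <condition>`.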
@@ -7,12 +7,10 @@ ]; boot = { - initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ]; + initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; initrd.kernelModules = [ ]; - kernelModules = [ ]; - extraModulePackages = [ ]; - # TODO: move bootloader, networking, boot speed to another file? kernelPackages = pkgs.linuxPackages_latest; + kernelModules = [ ]; loader = { # use u-boot over grub grub.enable = lib.mkForce false; @@ -20,13 +18,14 @@ }; }; - fileSystems."/" = { + fileSystems = { + "/" = { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; fsType = "ext4"; }; + }; - swapDevices = - [ ]; + swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/nixos-server-reid/webapps/default.nix b/hosts/server/webapps/default.nix similarity index 86% rename from hosts/nixos-server-reid/webapps/default.nix rename to hosts/server/webapps/default.nix index 02cd416..cdacaeb 100755 --- a/hosts/nixos-server-reid/webapps/default.nix +++ b/hosts/server/webapps/default.nix @@ -12,10 +12,15 @@ in { port = 3000; }; + metrics = { + enable = false; + domain = "metrics.reidlab.online"; + port = 2342; + }; + # you should probably keep this on - # actually enables nginx, configures acme, - # gzip, optimization, proxy, ssl config, - # opens ports, and adds some Headers + # configures acme, gzip, optimization, proxy, and ssl config + # opens ports and adds some Headers nginx-config = { enable = true; defaultLuaPackagePath = /var/www/reidlab.online/lua; diff --git a/modules/keyboard.nix b/modules/keyboard.nix new file mode 100755 index 0000000..7c39e8d --- /dev/null +++ b/modules/keyboard.nix 
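Review bot: The first hardware-configuration.nix hunk prunes `ahci`, `sd_mod`, `ehci_pci` and `sdhci_pci` from `boot.initrd.availableKernelModules`, and if the root filesystem declared under `fileSystems."/"` sits on a SATA or SD/eMMC device the initrd may no longer be able to find it on the next reboot. These lists normally come from `nixos-generate-config`; if they were trimmed by hand, a comment naming the actual root device (`# root is on USB storage; SATA/SD drivers intentionally omitted`) would make the pruning auditable, and the change deserves a test reboot before it is relied on. The `44444444-4444-4444-8888-888888888888` UUID in the context lines also reads like a placeholder rather than a real `blkid` value — it predates this change, but worth confirming while the file is being touched.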
@@ -0,0 +1,17 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.keyboard; +in { + options.keyboard = { + locale = mkOption { + type = types.str; + default = "en_US.UTF-8"; + }; + variant = mkOption { + type = types.str; + default = ""; + }; + }; +} diff --git a/modules/security.nix b/modules/security.nix index 1fdc7bc..474b50c 100755 --- a/modules/security.nix +++ b/modules/security.nix @@ -5,7 +5,7 @@ let cfg = config.modules.security; in { options.modules.security = { - useDoas = mkEnableOption "use opendoas instead of sudo"; + useDoas = mkEnableOption "use doas instead of sudo"; }; config = mkIf cfg.enable { @@ -23,7 +23,7 @@ in { # do not accept IP source packets (we are not a router) "net.ipv4.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0; - # don't send ICMP redirects (again, we're not a router) + # Don't send ICMP redirects (again, we're not a router) "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0; # refuse ICMP redirects (MITM mitigations) @@ -49,16 +49,9 @@ in { }; security = { - # prevents replacing the kernel without a reboot protectKernelImage = true; - # rtkit allows unprivileged processes to use realtime scheduling - # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot) rtkit.enable = true; - polkit.enable = true; }; - - # while this is on by default, i am going to explicitly specify this - networking.firewall.enable = true; } // (mkIf cfg.useDoas { security.sudo.enable = false; security.doas.enable = true; diff --git a/modules/services/loki.yml b/modules/services/loki.yml new file mode 100644 index 0000000..6c47d51 --- /dev/null +++ b/modules/services/loki.yml 
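Review bot: modules/keyboard.nix declares `options.keyboard.locale` and `options.keyboard.variant` but has no `config` section, and the `cfg = config.keyboard` binding is never read, so the values set under `keyboard = { ... }` in hosts/server/default.nix currently have no effect on the built system. If the intent is to drive `i18n.defaultLocale` and the console keymap from these options, the module needs a `config = { ... }` block that consumes `cfg.locale` and `cfg.variant`; until it does, a comment such as `# TODO: options declared but not yet wired to i18n/console settings` would stop a reader from assuming the host is configured by them. The `pkgs` and `options` module arguments are also unused and can be dropped from the argument set.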
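Review bot: The third modules/security.nix hunk deletes the why-comments on `protectKernelImage` and `rtkit` together with `polkit.enable = true` and the explicit `networking.firewall.enable = true`, leaving a baseline hardening module whose remaining settings are unexplained. Behaviour is probably unchanged — the NixOS firewall is on by default and, as far as I recall, enabling rtkit pulls polkit in — but this module is where a reader looks to learn the host's posture, so I would restore the comments, e.g. `# prevents replacing the running kernel without a reboot` above `protectKernelImage` and `# rtkit lets unprivileged processes request realtime scheduling (relies on polkit)` above `rtkit.enable`. If the firewall line was dropped to rely on the default, a one-line comment recording that the default is deliberately relied upon keeps the intent explicit.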
@@ -0,0 +1,55 @@ +auth_enabled: false + +server: + http_listen_port: 3100 + +ingester: + lifecycler: + address: 0.0.0.0 + ring: + kvstore: + store: inmemory + replication_factor: 1 + final_sleep: 0s + chunk_idle_period: 1h # Any chunk not receiving new logs in this time will be flushed + max_chunk_age: 1h # All chunks will be flushed when they hit this age, default is 1h + chunk_target_size: 1048576 # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first + chunk_retain_period: 30s # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m) + max_transfer_retries: 0 # Chunk transfers disabled + +schema_config: + configs: + - from: 2023-12-08 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + +storage_config: + boltdb_shipper: + active_index_directory: /var/lib/loki/boltdb-shipper-active + cache_location: /var/lib/loki/boltdb-shipper-cache + cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space + shared_store: filesystem + filesystem: + directory: /var/lib/loki/chunks + +limits_config: + reject_old_samples: true + reject_old_samples_max_age: 168h + +chunk_store_config: + max_look_back_period: 0s + +table_manager: + retention_deletes_enabled: false + retention_period: 0s + +compactor: + working_directory: /var/lib/loki + shared_store: filesystem + compactor_ring: + kvstore: + store: inmemory \ No newline at end of file diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix new file mode 100644 index 0000000..1cbd26b --- /dev/null +++ b/modules/services/metrics.nix 
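Review bot: loki.yml sets `auth_enabled: false` and `http_listen_port: 3100` without an `http_listen_address`, so Loki's unauthenticated push and query API binds on every interface (the gRPC listener as well, since no `grpc_listen_address` is given). The only client on this host is promtail, which pushes to `http://127.0.0.1:3100` in promtail.yml, so the listener can be confined to loopback with `http_listen_address: 127.0.0.1` and `grpc_listen_address: 127.0.0.1` under `server:`. The NixOS firewall would normally keep the port closed externally, but a loopback bind does not depend on that, and a comment stating that Loki is intentionally single-tenant with no auth would document the decision. The retention settings (`retention_deletes_enabled: false`, `max_look_back_period: 0s`) keep logs indefinitely; if that is intended, say so next to `table_manager`.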
@@ -0,0 +1,95 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.metrics; +in { + options.modules.services.metrics = { + enable = mkEnableOption "enable grafana with loki, prometheus, and promtail"; + domain = mkOption { + type = types.str; + default = "grafana.reidlab.online"; + }; + port = mkOption { + type = types.int; + default = 2342; + }; + }; + + config = mkIf cfg.enable { + systemd.services.promtail = { + description = "promtail, an agent for loki"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = '' + ${pkgs.grafana-loki}/bin/promtail --config.file ${./promtail.yml} + ''; + }; + }; + services = { + grafana = { + enable = true; + + settings = { + server = { + domain = cfg.domain; + http_port = cfg.port; + http_addr = "127.0.0.1"; + }; + }; + }; + + prometheus = let + ports = { + base = 9001; + node = 9002; + nginx = 9003; + }; + in { + enable = true; + port = ports.base; + + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = ports.node; + }; + nginx = { + enable = true; + port = ports.nginx; + }; + }; + + scrapeConfigs = [ + { + job_name = "nixos-server-reid"; + static_configs = [{ + targets = [ + "127.0.0.1:${toString ports.node}" + "127.0.0.1:${toString ports.nginx}" + ]; + }]; + } + ]; + }; + + loki = { + enable = true; + configFile = ./loki.yml; + }; + + nginx.statusPage = true; + + nginx.virtualHosts."${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + proxyWebsockets = true; + }; + }; + }; + }; +} diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix index 84a40ab..f446f57 100755 --- a/modules/services/nginx-conf.nix +++ b/modules/services/nginx-conf.nix 
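Review bot: In metrics.nix Grafana is bound to `http_addr = "127.0.0.1"`, but `services.prometheus` and the `node`/`nginx` exporters are left at their NixOS default `listenAddress` of `0.0.0.0`, so ports 9001–9003 are bound on every interface while every target in `scrapeConfigs` is `127.0.0.1`. Setting `listenAddress = "127.0.0.1";` on the prometheus block and on each exporter confines them to loopback without changing the scrapes; exporters publish systemd unit names and nginx request counters, which is more than should be reachable off-host even if the firewall blocks it. The `promtail` unit has no `User`/`DynamicUser`, so it runs as root; if it only needs journal access, `DynamicUser = true;` with `SupplementaryGroups = [ "systemd-journal" ];` is enough, or the `services.promtail` NixOS module may fit better than a hand-written unit — confirm it exists in the pinned nixpkgs. Grafana's initial admin credentials are also not set here; `settings.security.admin_password` (sourced from a secrets file rather than the Nix store) should be configured before the dashboard is served on `cfg.domain`.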
@@ -5,7 +5,7 @@ let cfg = config.modules.services.nginx-config; in { options.modules.services.nginx-config = { - enable = mkEnableOption "enable and configure nginx. you know what nginx is."; + enable = mkEnableOption "enable nginx, a high performance web server along with default configurations"; package = mkOption { type = types.package; @@ -28,7 +28,6 @@ in { security.acme = { acceptTerms = true; defaults.email = "reidlab325@gmail.com"; - # uncomment me for staging! # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; @@ -41,6 +40,8 @@ in { recommendedGzipSettings = true; recommendedProxySettings = true; + logError = "stderr warn"; + # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this. commonHttpConfig = let # lua diff --git a/modules/services/promtail.yml b/modules/services/promtail.yml new file mode 100644 index 0000000..1085e65 --- /dev/null +++ b/modules/services/promtail.yml @@ -0,0 +1,20 @@ +server: + http_listen_port: 28183 + grpc_listen_port: 0 + +positions: + filename: /tmp/positions.yaml + +clients: + - url: http://127.0.0.1:3100/loki/api/v1/push + +scrape_configs: + - job_name: journal + journal: + max_age: 12h + labels: + job: systemd-journal + host: nixos-server-reid + relabel_configs: + - source_labels: ["__journal__systemd_unit"] + target_label: "unit" \ No newline at end of file diff --git a/readme.md b/readme.md index 813af11..5db5b04 100755 --- a/readme.md +++ b/readme.md 
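Review bot: The second nginx-conf.nix hunk removes `# uncomment me for staging!` but keeps the commented-out `defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"` line under `acceptTerms`, so it now reads as dead config with no hint of when to use it. Suggest a short replacement comment on that line, e.g. `# Let's Encrypt staging endpoint; switch to it while testing to avoid production rate limits`, or delete the line if staging is never used. The `logError = "stderr warn";` addition is fine; since nginx runs under systemd its stderr presumably lands in the journal that promtail ships to Loki, so the level chosen here decides what reaches the log store.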
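Review bot: `positions.filename: /tmp/positions.yaml` in promtail.yml keeps promtail's read cursor at a predictable path in a world-writable, possibly reboot-cleared directory, while the unit defined in metrics.nix runs as root with no `User`/`DynamicUser`; a root daemon rewriting a fixed path that other local users can pre-create is a long-standing foot-gun, and losing the file just makes the journal be re-read from `max_age: 12h`. Give the unit `serviceConfig.StateDirectory = "promtail";` and point the config at `/var/lib/promtail/positions.yaml` so the state lives in a directory only that service writes. The `host: nixos-server-reid` label duplicates `networking.hostName` from hosts/server/default.nix; because this YAML is static it cannot reference the Nix value, which is one reason to generate it from Nix (e.g. via `pkgs.writeText` or the `services.promtail` module) rather than shipping a fixed file.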
@@ -1,19 +1,27 @@ -# nix-server +# flake-o-rama nix flake config! this is just used on my personal server at the moment +please do not use this as a learning resource for nix as i have essentially zero clue what i'm doing + ## users -this flake is built for a multi-user experience per host, enforced by [`modules/users.nix`](./modules/users.nix), and found in the `default.nix` file for each host. +this flake is built for a multi-user experience per host, enforced by `modules/user.nix`, and found in the `default.nix` file for each host. + +as this is a multi-user setup, the `dotfiles` group will be used for read and write access to the flake + +## development + +to build the system, run `sudo nixos-rebuild switch --flake .#server` + +please periodically run `nix flake update` to make sure we arent slacking on package versions + +before committing, please run `nix flake check` and make sure everything is ok ## todo -- remove the lua static stuff from nginx + maybe cloudflare ips too + redis +- remove the lua static stuff from nginx + maybe cloudflare ips too - per-host architecture selection, atm it is hardcoded to `aarch64` - some weird perl error abt locales when building using doas - `keepEnv` might fix this -- move common config such as bootloader and networking settings to [`default.nix`](./default.nix) -- swap back to hardened kernel - leverage nixos-hardware -- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed -- flake-parts -- god im ruining everything for myself. maybe just make another repo for desktops +- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup