default.nix

@@ -2,7 +2,7 @@
 
 let
   inherit (builtins) toString;
-  inherit (lib.modules) mkDefault mkIf;
+  inherit (lib.modules) mkDefault;
   inherit (lib.my) mapModulesRec';
 in {
   imports =
@@ -15,7 +15,6 @@ in {
     package = pkgs.nix;
 
     # flake registry and nix path pinning
-    # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f
     nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
     registry.nixpkgs.flake = inputs.nixpkgs;
   
@@ -33,9 +32,6 @@ in {
   	};
   };
 
-  # set our git revision inside `nixos-version`
-  system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;
-
   time.timeZone = mkDefault "America/Los_Angeles";
   
   i18n.defaultLocale = mkDefault "en_US.UTF-8";

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710164657,
+        "lastModified": 1709485962,
-        "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=",
+        "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2",
+        "rev": "d579633ff9915a8f4058d5c439281097e92380a8",
         "type": "github"
       },
       "original": {
@@ -22,11 +22,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709961763,
+        "lastModified": 1709237383,
-        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
+        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
+        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "a collection of personal nix configurations";
+  description = "Flake-o-rama";
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

hosts/server/default.nix

@@ -4,16 +4,20 @@ let
 
 in {
   imports = [
-    ./hardware.nix
+    ./hardware-configuration.nix
     ./webapps/default.nix
   ];
 
+  users.groups.dotfiles = {};
+
+  # HACK HACK HACK
+  services.logrotate.checkConfig = false;
+  # HACK HACK HACK
+
   normalUsers = {
     reidlab = {
       conf = {
-        packages = with pkgs; [
+        packages = with pkgs; [ bat tree micro duf ];
-          bat btop duf file micro nix-output-monitor tree which
-        ];
         extraGroups = [ "wheel" "dotfiles" ];
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
@@ -29,6 +33,11 @@ in {
     };
   };
 
+  keyboard = {
+    locale = "en_US.UTF-8";
+    variant = "qwerty";
+  };
+
   modules = {
     services = {
       ssh = {
@@ -46,6 +55,8 @@ in {
     security.useDoas = false;
   };
 
-  # enable network manager - probably not the best on a single server but Oh Well
+  networking = {
-  networking.networkmanager.enable = true;
+    hostName = "nixos-server-reid";
+    networkmanager.enable = true;
+  };
 }

hosts/server/hardware-configuration.nix

@@ -7,12 +7,10 @@
     ];
 
   boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
 	initrd.kernelModules = [ ];
-	kernelModules = [ ];
-	extraModulePackages = [ ];
-	# TODO: move bootloader, networking, boot speed to another file?
     kernelPackages = pkgs.linuxPackages_latest;
+	kernelModules = [ ];
     loader = {
       # use u-boot over grub
       grub.enable = lib.mkForce false;
@@ -20,13 +18,14 @@
     };
   };
 
-  fileSystems."/" = {
+  fileSystems = {
+  	"/" = {
   	  device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
       fsType = "ext4";
     };
+  };
 
-  swapDevices = 
+  swapDevices = [ ];
-    [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/server/webapps/default.nix

@@ -12,10 +12,15 @@ in {
           port = 3000;
         };
 
+        metrics = {
+          enable = false;
+          domain = "metrics.reidlab.online";
+          port = 2342;
+        };
+
         # you should probably keep this on
-        # actually enables nginx, configures acme,
+        # configures acme, gzip, optimization, proxy, and ssl config
-        # gzip, optimization, proxy, ssl config,
+        # opens ports and adds some Headers
-        # opens ports, and adds some Headers
         nginx-config = {
           enable = true;
           defaultLuaPackagePath = /var/www/reidlab.online/lua;

modules/keyboard.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.keyboard;
+in {
+  options.keyboard = {
+    locale = mkOption {
+      type = types.str;
+      default = "en_US.UTF-8";
+    };
+    variant = mkOption {
+      type = types.str;
+      default = "";
+    };
+  };
+}

modules/security.nix

@@ -5,7 +5,7 @@ let
   cfg = config.modules.security;
 in {
   options.modules.security = {
-    useDoas = mkEnableOption "use opendoas instead of sudo";
+    useDoas = mkEnableOption "use doas instead of sudo";
   };
 
   config = mkIf cfg.enable {
@@ -23,7 +23,7 @@ in {
           # do not accept IP source packets (we are not a router)
           "net.ipv4.conf.all.accept_source_route" = 0;
           "net.ipv6.conf.all.accept_source_route" = 0;
-          # don't send ICMP redirects (again, we're not a router)
+          # Don't send ICMP redirects (again, we're not a router)
           "net.ipv4.conf.all.send_redirects" = 0;
           "net.ipv4.conf.default.send_redirects" = 0;
           # refuse ICMP redirects (MITM mitigations)
@@ -49,16 +49,9 @@ in {
       };
 
       security = {
-        # prevents replacing the kernel without a reboot
       	protectKernelImage = true;
-      	# rtkit allows unprivileged processes to use realtime scheduling
-        # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
       	rtkit.enable = true;
-        polkit.enable = true;
       };
-
-      # while this is on by default, i am going to explicitly specify this
-      networking.firewall.enable = true;
     } // (mkIf cfg.useDoas {
     	security.sudo.enable = false;
     	security.doas.enable = true;

modules/services/loki.yml

@@ -0,0 +1,55 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+
+ingester:
+  lifecycler:
+    address: 0.0.0.0
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+    final_sleep: 0s
+  chunk_idle_period: 1h       # Any chunk not receiving new logs in this time will be flushed
+  max_chunk_age: 1h           # All chunks will be flushed when they hit this age, default is 1h
+  chunk_target_size: 1048576  # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
+  chunk_retain_period: 30s    # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
+  max_transfer_retries: 0     # Chunk transfers disabled
+
+schema_config:
+  configs:
+    - from: 2023-12-08
+      store: boltdb-shipper
+      object_store: filesystem
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /var/lib/loki/boltdb-shipper-active
+    cache_location: /var/lib/loki/boltdb-shipper-cache
+    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
+    shared_store: filesystem
+  filesystem:
+    directory: /var/lib/loki/chunks
+
+limits_config:
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+
+chunk_store_config:
+  max_look_back_period: 0s
+
+table_manager:
+  retention_deletes_enabled: false
+  retention_period: 0s
+
+compactor:
+  working_directory: /var/lib/loki
+  shared_store: filesystem
+  compactor_ring:
+    kvstore:
+      store: inmemory

modules/services/metrics.nix

@@ -0,0 +1,95 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.metrics;
+in {
+  options.modules.services.metrics = {
+    enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
+    domain = mkOption {
+      type = types.str;
+      default = "grafana.reidlab.online";
+    };
+    port = mkOption {
+      type = types.int;
+      default = 2342;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.promtail = {
+      description = "promtail, an agent for loki";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = ''
+          ${pkgs.grafana-loki}/bin/promtail --config.file ${./promtail.yml}
+        '';
+      };
+    };
+    services = {
+      grafana = {
+        enable = true;
+
+        settings = {
+          server = {
+            domain = cfg.domain;
+            http_port = cfg.port;
+            http_addr = "127.0.0.1";
+          };
+        };
+      };
+
+      prometheus = let
+        ports = {
+          base = 9001;
+          node = 9002;
+          nginx = 9003;
+        };
+      in {
+        enable = true;
+        port = ports.base;
+
+        exporters = {
+          node = {
+            enable = true;
+            enabledCollectors = [ "systemd" ];
+            port = ports.node;
+          };
+          nginx = {
+            enable = true;
+            port = ports.nginx;
+          };
+        };
+
+        scrapeConfigs = [
+          {
+            job_name = "nixos-server-reid";
+            static_configs = [{
+              targets = [
+                "127.0.0.1:${toString ports.node}"
+                "127.0.0.1:${toString ports.nginx}"
+              ];
+            }];
+          }
+        ];
+      };
+
+      loki = {
+        enable = true;
+        configFile = ./loki.yml;
+      };
+
+      nginx.statusPage = true;
+
+      nginx.virtualHosts."${cfg.domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString cfg.port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}

modules/services/nginx-conf.nix

@@ -5,7 +5,7 @@ let
   cfg = config.modules.services.nginx-config;
 in {
   options.modules.services.nginx-config = {
-	enable = mkEnableOption "enable and configure nginx. you know what nginx is.";
+	enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
 
     package = mkOption {
       type = types.package;
@@ -28,7 +28,6 @@ in {
     security.acme = {
       acceptTerms = true;
       defaults.email = "reidlab325@gmail.com";
-      # uncomment me for staging!
       # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
     };
 
@@ -41,6 +40,8 @@ in {
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
 
+      logError = "stderr warn";
+
       # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
       commonHttpConfig = let
         # lua

modules/services/promtail.yml

@@ -0,0 +1,20 @@
+server:
+  http_listen_port: 28183
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://127.0.0.1:3100/loki/api/v1/push
+
+scrape_configs:
+  - job_name: journal
+    journal:
+      max_age: 12h
+      labels:
+        job: systemd-journal
+        host: nixos-server-reid
+    relabel_configs:
+      - source_labels: ["__journal__systemd_unit"]
+        target_label: "unit"

readme.md

@@ -1,19 +1,27 @@
-# nix-server
+# flake-o-rama
 
 nix flake config! this is just used on my personal server at the moment
 
+please do not use this as a learning resource for nix as i have essentially zero clue what i'm doing
+
 ## users
 
-this flake is built for a multi-user experience per host, enforced by [`modules/users.nix`](./modules/users.nix), and found in the `default.nix` file for each host.
+this flake is built for a multi-user experience per host, enforced by `modules/user.nix`, and found in the `default.nix` file for each host.
+
+as this is a multi-user setup, the `dotfiles` group will be used for read and write access to the flake
+
+## development
+
+to build the system, run `sudo nixos-rebuild switch --flake .#server`
+
+please periodically run `nix flake update` to make sure we arent slacking on package versions
+
+before committing, please run `nix flake check` and make sure everything is ok
 
 ## todo
 
-- remove the lua static stuff from nginx + maybe cloudflare ips too + redis
+- remove the lua static stuff from nginx + maybe cloudflare ips too
 - per-host architecture selection, atm it is hardcoded to `aarch64`
 - some weird perl error abt locales when building using doas - `keepEnv` might fix this
-- move common config such as bootloader and networking settings to [`default.nix`](./default.nix)
-- swap back to hardened kernel
 - leverage nixos-hardware
-- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed
+- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup
-- flake-parts
-- god im ruining everything for myself. maybe just make another repo for desktops