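# NixOS host configuration for "mugwump": an encrypted-root machine whose LUKS
# keyfile is read from a USB stick at boot, running Grafana + Prometheus behind
# an nginx reverse proxy with ACME certificates obtained via a DNS-01 challenge.
#
# Module arguments (standard NixOS module signature):
#   config      - the evaluated system configuration; read here for the Grafana
#                 and node-exporter ports so they cannot drift from the proxies
#   lib         - nixpkgs library (mkBefore / mkForce)
#   pkgs        - package set; part of the standard signature, unused directly
#   modulesPath - path to the nixpkgs NixOS modules (for not-detected.nix)
{ config, lib, pkgs, modulesPath, ... }:
{
  imports = [
    ../modules/common.nix
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  boot = {
    loader.systemd-boot.enable = true;
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];

    initrd = {
      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
      # USB storage, vfat and its codepages must be available in stage 1 so the
      # keyfile stick can be mounted before cryptroot is opened.
      kernelModules = [
        "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"
      ];

      # Mount the USB keyfile stick read-only at /key before LUKS is opened.
      # The stick may not be enumerated yet when this runs, so poll findfs for
      # up to ~30 s instead of a single fixed sleep: a sleep that is too short
      # leaves `findfs` printing nothing, `mount` then runs with an empty device
      # argument and the boot drops to the emergency shell.
      postDeviceCommands = lib.mkBefore ''
        mkdir -m 0755 -p /key
        keydev=""
        tries=0
        while [ "$tries" -lt 30 ]; do
          keydev=$(findfs UUID=9048-A9D5) && [ -n "$keydev" ] && break
          keydev=""
          tries=$((tries + 1))
          sleep 1
        done
        if [ -n "$keydev" ]; then
          mount -n -t vfat -o ro "$keydev" /key
        else
          echo "mugwump: key device UUID=9048-A9D5 not found after $tries tries; /key left unmounted"
        fi
      '';

      # NOTE(review): if /key is not mounted the keyFile is missing; consider
      # boot.initrd.luks.devices.cryptroot.fallbackToPassword so the boot can
      # still be recovered interactively — confirm the option exists on the
      # NixOS release in use.
      luks.devices."cryptroot" = {
        device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d";
        keyFile = "/key/keyfile";
        preLVM = false;
      };
    };
  };

  fileSystems = {
    "/" = {
      device = "/dev/mapper/cryptroot";
      fsType = "btrfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/7D74-0E4B";
      fsType = "vfat";
    };
  };

  networking = {
    hostName = "mugwump";
    interfaces = {
      enp0s25.useDHCP = false;
      wlp2s0.useDHCP = false;
    };
    firewall = {
      enable = true;
      # ssh, plain http (ACME / https redirect) and https only; Grafana,
      # Prometheus and the node exporter are reached via localhost.
      allowedTCPPorts = [ 22 80 443 ];
    };
  };

  # Passwordless sudo for every wheel member: any compromise of a wheel account
  # is an immediate root compromise, so keep wheel membership minimal.
  security.sudo.extraRules = [{
    groups = [ "wheel" ];
    commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
  }];

  services.fail2ban = {
    enable = true;
    # Never ban this /16 (presumably the local network — confirm it matches the
    # site's addressing, since anything in it bypasses the ban logic).
    ignoreIP = [
      "172.16.0.0/16"
    ];
  };

  # sshd hardening. `enable` is not set here, so it is presumably provided by
  # ../modules/common.nix.
  # NOTE(review): on newer NixOS releases these options live under
  # services.openssh.settings.{PasswordAuthentication,PermitRootLogin}; the old
  # names may only still work through rename aliases — watch for warnings.
  services.openssh = {
    allowSFTP = false;
    passwordAuthentication = false;
    permitRootLogin = "no";
  };

  # Grafana is reached through the nginx vhost below; port 3000 is not in
  # allowedTCPPorts, so it is not exposed directly.
  services.grafana = {
    enable = true;
    port = 3000;
    domain = "metrics.gws.fyi";
    rootUrl = "https://metrics.gws.fyi";
    dataDir = "/var/lib/grafana";
    analytics.reporting.enable = false;
    provision = {
      enable = true;
      datasources = [{
        name = "Prometheus";
        type = "prometheus";
        # NOTE(review): no scheme on this URL; Grafana normally expects
        # "http://localhost:9090" — verify the datasource reports healthy.
        url = "localhost:9090";
      }];
    };
  };

  security.acme = {
    email = "root@gws.fyi";
    acceptTerms = true;
    certs."metrics.gws.fyi" = {
      # DNS-01 challenge via Namecheap. The credentials file is referenced by
      # path (not imported), so it stays out of the world-readable Nix store;
      # keep /etc/secrets/namecheap.env root-only.
      dnsProvider = "namecheap";
      credentialsFile = "/etc/secrets/namecheap.env";
      # enableACME on the vhost configures an HTTP-01 webroot; forcing it to
      # null makes the DNS challenge win.
      webroot = lib.mkForce null;
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    virtualHosts."metrics.gws.fyi" = {
      enableACME = true;
      forceSSL = true;
      # Reverse-proxy to Grafana; the port is read from its own option so the
      # two cannot drift apart.
      locations."/".proxyPass = "http://localhost:${toString config.services.grafana.port}";
    };
  };

  services.prometheus = {
    enable = true;
    exporters = {
      node = {
        enable = true;
        # Scraped over localhost only (see scrapeConfigs); keep it off the
        # firewall.
        openFirewall = false;
        enabledCollectors = [
          "processes"
          "systemd"
          "tcpstat"
          "wifi"
        ];
      };
      nginx = {
        enable = true;
        # NOTE(review): this opens the nginx-exporter port on every interface
        # even though nothing in this file scrapes it. Unless an external
        # Prometheus pulls from it, it should be `openFirewall = false;` like
        # the node exporter above.
        openFirewall = true;
      };
    };
    scrapeConfigs = [{
      job_name = "node";
      scrape_interval = "5s";
      static_configs = [{
        targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
      }];
    }];
  };
}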