diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix index f39501d..2a8f8ad 100644 --- a/machines/fuuko/configuration.nix +++ b/machines/fuuko/configuration.nix @@ -7,11 +7,9 @@ ./services/binary-cache.nix ./services/dnsmasq.nix - ./services/grafana.nix - ./services/matrix + ./services/fritzbox-exporter.nix ./services/media-backup.nix ./services/media.nix - ./services/prometheus.nix ./services/scan.nix ./services/torrent.nix ./services/wordclock-dimmer.nix @@ -47,27 +45,10 @@ enableACME = true; forceSSL = true; }; - - virtualHosts."sbruder.de" = { - enableACME = true; - forceSSL = true; - - root = pkgs.sbruder.contact; - }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys"; - services.postgresqlBackup = { - enable = true; - startAt = [ ]; # triggered by restic system backup - location = "/data/backup/postgresql"; - }; - systemd.services.restic-backups-system = { - after = [ "postgresqlBackup.service" ]; - wants = [ "postgresqlBackup.service" ]; - }; - networking.hostName = "fuuko"; system.stateVersion = "20.09"; diff --git a/machines/fuuko/secrets.yaml b/machines/fuuko/secrets.yaml index 4addc94..77facee 100644 --- a/machines/fuuko/secrets.yaml +++ b/machines/fuuko/secrets.yaml 
@@ -1,11 +1,6 @@ -go-neb-overrides: ENC[AES256_GCM,data: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,iv:tniWSP8RgSDJ8ap+PK83TcPAvRdaXWC/gchF6+8uffs=,tag:SC6RB8zyVmjjbLA73cFb4A==,type:str] -hcloud_exporter-environment: ENC[AES256_GCM,data:TPMeNK7uC716PC8UqDCnUKtriueIkg3l1ql9e3lse46Ko3TVvwW1oAQRSbwK8CG5AjuF2s2Y8GJdYcI8PN6Z5kERYF1RL2GDpN4pLSuw/l0YqsFkt0uK,iv:cmB+hZHvbk1p8uRmLDyYdPr6rTsFxKcoTcQVo729sAQ=,tag:nkiSvy7rsoInDN0l+1FOOQ==,type:str] nix-binary-cache-htpasswd: ENC[AES256_GCM,data:IktPHrrvExeZlCPmP82W9AovC59ILPbMQExVDO7U2S9lJ9cQKP14mQPuYwA+yKTycIdA01MwRDbt/SxhVleZ+aKkyOPwx/iG5B0cQX6cVqQWVTNVmxlW2sjupnnwwibcdikU21CIw6YsDKs7pMqRAfC/U2OJ3POo2qH5GgFY,iv:ofzEQ143HQQGZIEVkdWCrcENz0i6JPljLDGmG0A7aJ8=,tag:a557cdgRD25jWHhZeT+CnQ==,type:str] -prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str] restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str] restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str] -synapse-registration-shared-secret: ENC[AES256_GCM,data:lNzK/7QAk4Scv+lNM8bTTKvowI139c4R4Y7Qpq60n8R61aahlxrnWc/PUEOv85Pdx+8IdBOLnV0kp7OQF6tStGBBCOkAicYmnsLoR36DmuDCvTSKVArryV7BrxL8pv0=,iv:ZT9IIF7W0NHqvnU3lPQclVS5uXXK5HIQUzXNYwYFMIo=,tag:a/sUixOlHEvn5ZOINPwQlg==,type:str] -synapse-turn-shared-secret: 
ENC[AES256_GCM,data:sAvP4/jVma7Uq9TR4W/zEoJA17Stj75uG+G4niYaQ1tflxRhE+/HfrhMn7whnmpSgXDb/ZPtLfVaW1DCfU2jovz3Y9Ij1kveXar2aAjlPSsSVwTbFmei,iv:S7uVlE2rhK7ta2S/eX+KXBMQyc69onHYjfMNro3OCjM=,tag:rvI299PQ9TVfVzQjgfUKww==,type:str] wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str] wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str] sops: @@ -14,8 +9,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-18T21:16:29Z" - mac: ENC[AES256_GCM,data:r3wg7jnc9TS5gk4qGtdxbxIJ64tt/C6NehIR9w/RcNs7aF2SVNB2yYhZCPGgAwC7Zi3addlY7wGEGn76vN0ioA09L4JXQ8WfSh3wPZEN5msGzv48Jh7jViagsAn2h6ZchQtEBV8YuxC6lKuJFA29xisf1BBB7Bxw+7wU1LfEF8U=,iv:umLtAlDgc9Kup47e49BjNuCUX/49eiDxZJ4eD5s1jag=,tag:0ivpkGqEDGJyxD+oGJifMw==,type:str] + lastmodified: "2022-03-25T20:28:47Z" + mac: ENC[AES256_GCM,data:d2zsNwkaBShHUUY7953YKViQQpxw9YB2dNoP9jY8e6yd5vpPhXXmuP8dm4JhjBAeqeuUsKa4Kmd+bg2NqUCA1k3bkRRCMEmt0W4NlSNqVzzCpiPnzZkjP83a/n+b4mAaTK2soh5RXjfGpVosYGrbJ7JrF53xdcwij07CdlMYBa8=,iv:IQxPbQFhM9J0r/xrid3YRl64VGae+tQ/ldXMgvi5T3A=,tag:JeG35fjhnV/X2Ecn1SV/Ew==,type:str] pgp: - created_at: "2021-04-06T11:27:21Z" enc: | diff --git a/machines/fuuko/services/dnsmasq.nix b/machines/fuuko/services/dnsmasq.nix index 762fa5d..0df1262 100644 --- a/machines/fuuko/services/dnsmasq.nix +++ b/machines/fuuko/services/dnsmasq.nix @@ -35,7 +35,7 @@ services.prometheus.exporters.dnsmasq = { enable = true; - listenAddress = "127.0.0.1"; + listenAddress = "0.0.0.0"; leasesPath = "/var/lib/dnsmasq/dnsmasq.leases"; }; diff --git a/machines/fuuko/services/fritzbox-exporter.nix b/machines/fuuko/services/fritzbox-exporter.nix new file mode 100644 index 0000000..f9d540c --- /dev/null +++ b/machines/fuuko/services/fritzbox-exporter.nix 
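Review bot: `listenAddress = "0.0.0.0";` makes the dnsmasq exporter listen on every interface of fuuko, not only on the VPN link that the new scrape target `fuuko.vpn.sbruder.de` uses. The new file `machines/fuuko/services/fritzbox-exporter.nix` has the same setting. Prometheus exporters serve their metrics without authentication by default, so who can reach them now depends entirely on the host firewall, and this diff shows no rule for these ports. Consider binding to fuuko's VPN address instead, or keeping the bind and setting `openFirewall = true;` with a `firewallFilter` restricted to the VPN interface. A comment such as `# scraped by renge over the VPN only` would record the intent.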
@@ -0,0 +1,7 @@ +{ + services.prometheus.exporters.fritzbox = { + enable = true; + gatewayAddress = "192.168.100.1"; + listenAddress = "0.0.0.0"; + }; +} diff --git a/machines/renge/configuration.nix b/machines/renge/configuration.nix index b4cc0df..607bb93 100644 --- a/machines/renge/configuration.nix +++ b/machines/renge/configuration.nix @@ -1,3 +1,5 @@ +{ pkgs, ... }: + { imports = [ ./hardware-configuration.nix @@ -6,11 +8,14 @@ ./services/ankisyncd.nix ./services/element-web.nix ./services/gitea.nix + ./services/grafana.nix ./services/hedgedoc.nix ./services/invidious ./services/libreddit.nix + ./services/matrix ./services/murmur.nix ./services/nitter.nix + ./services/prometheus.nix ./services/sbruder.xyz ]; @@ -33,6 +38,13 @@ recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; + + virtualHosts."sbruder.de" = { + enableACME = true; + forceSSL = true; + + root = pkgs.sbruder.contact; + }; }; networking.firewall.allowedTCPPorts = [ diff --git a/machines/renge/secrets.yaml b/machines/renge/secrets.yaml index d9427c4..e57bf23 100644 --- a/machines/renge/secrets.yaml +++ b/machines/renge/secrets.yaml 
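Review bot: The imports hunk moves `./services/matrix` and `./services/grafana.nix` to renge, but none of the renge hunks re-add the `services.postgresqlBackup` block that this commit deletes from `machines/fuuko/configuration.nix`. The `restic-backups-system` ordering on `postgresqlBackup.service` is dropped there as well. If the moved services keep their state in PostgreSQL (presumably Synapse does) and renge does not already configure a dump outside these hunks, the database would no longer be dumped before the restic run. In that case carry the block over, e.g. `services.postgresqlBackup.enable = true;` plus the `after`/`wants` entries on the restic unit, and check that a restore from the new location works.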
@@ -1,6 +1,11 @@ gitea-mail: ENC[AES256_GCM,data:593Ks8r3W6i7oTsTu7d9NUQpeX64l2bU9/fo6jYHkPU=,iv:NLPh2B85CWmr9n8mbB/XrprG8kfu9AR3v8PqjgEsIjQ=,tag:q2fPoOtuFrEmXIe7Rvfj2Q==,type:str] +go-neb-overrides: ENC[AES256_GCM,data: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,iv:ivOY92kz7Ibtog1drbWYZmcimYJYdCwzxFh2bWSmQx4=,tag:aaz7Kjv2YQqvdm6WGWvuRg==,type:str] +hcloud_exporter-environment: ENC[AES256_GCM,data:EtGDTr7bnQeHAx1TjzmMSGFaiuZM7AzGIyDiXhfd2V9mVF7ebuaWnMw3ioN4gbvXT5rrxkFr2xNj6IoVl/oPgjdWxg32zwT862zWMwvbLTRGMYDUUovF,iv:+u9vx4A4IoPLIbwzagm4R31aQ9bJzMWFOc4ui62dgcs=,tag:oh9bOyLGOCBgujZvMJNmQg==,type:str] invidious-extra-settings: ENC[AES256_GCM,data:njAVRilLVlNLgFY5g0FMn7uZsSX3mWK8PnWW/oJoaUj7L0g597eRmL76LfvScz6+pbSYaY2H2Olt+YL0LWY0jt+gM0+FwG2+0ddrtrpjGeGa,iv:rNwvSV9YXqnQqNtzW79hEUKx6c0rddEcC31EVE7qr3w=,tag:iGiDNj5zDHXiO+mhmAwK4Q==,type:str] murmur-superuser: ENC[AES256_GCM,data:Jac1Vs3tiSmL/qLwDhPhSoVzMNT0nAP+cg==,iv:ReUkEjCkEqUJKzHzIKdp77szhHitiDBXaxQnNWKQU9c=,tag:HfVrtSJwDPrHgZlKxcUiuA==,type:str] +prometheus-htpasswd: ENC[AES256_GCM,data:glClg69iOdFMKNtQexg38+81aLkxD9EHJMD1IpuwEQlMNuUC4mX9EbRYbRnDE1jY4AeVsF3Xm8RxH65Ga5LYx6V2lOQrQRr+KFSLTLW1bjBnPi+9VoambTL7S3YyR5BnJAghi3mkIegv66DSaezprC+bGROcwgSKvdR/m5U=,iv:VLWlv4cr52VmZAVeXq3GDjoPE11DmiIMJnGek+lNiV4=,tag:WBNYdT+D49qXfPh6R5uXnQ==,type:str] +synapse-registration-shared-secret: ENC[AES256_GCM,data:PG50Z6fP5hLJwREosB6t1EqV7qKNpFAi9j1b7pzdSUEGFoOXiW9kDeV3jBjwJdFNRFaOX0lK7+AH5I/BuBvqHDRTi2guFiQPPvX6fo+fBnD9kR5Fy4w9hr0Z3NA0Hhg=,iv:bGP8J+fSgdghtjtjXnL1hXAEFD56zacJhJmJHX0rIFg=,tag:SIUOXU2MvdwIuxkrKqScgg==,type:str] +synapse-turn-shared-secret: ENC[AES256_GCM,data:nerJ4Lc9zQSJ2HU6VpO+f7gAviYdQGgOxGqqFapYb1QwvFNlC25yT1SHkY42ZkYy97YBBednXjaoLTnRFbRmzTe80eyWzjlYneouVB33w8zx7xiwzDyk,iv:7vS3whvzi1FDpTAcnDsZZXrr707L9Fo5WAL+k3orMCM=,tag:n11U3bYSzmTCWu9Wg/cmKw==,type:str] wg-home-private-key: 
ENC[AES256_GCM,data:j+L7Egy3coCajL/LBGcaEbN3WuFzj7aenEQoktcIeKOTMmrA4643bCSDuUE=,iv:gKJQfrMMaeF2muJhtfq0h/GJ7VXGk1axGPtRFccLhHc=,tag:Bsqe3QBNdXo8vWo1p9pxfw==,type:str] sops: kms: [] @@ -8,8 +13,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-23T17:00:11Z" - mac: ENC[AES256_GCM,data:JguwJushHrsKc7y5LwRRHJp6+nxo7gJ4IjU5gdvbdWBqWQe2WTO+ZLzl08mh4mnPnGdHSdFlTyGbns8lpBuE/lTvEgQS27Jjc5vS4EltpJ7WM7P13gNKf+jD4gU9tsTs7SomZhB891s6ssTRbrbF/WcMZAMy/4kjFswqiGe476c=,iv:OZAIc2rO69BflOkl94zs6/lzuOEHVZeRVCDa25o7PxE=,tag:3HWMIKqKZDW4CZjN7jaGIw==,type:str] + lastmodified: "2022-03-25T20:28:56Z" + mac: ENC[AES256_GCM,data:Nu97D0jFTk3l/NxAmCAFnMul1icv/90rPpP38KOOEBGgfm2r9nl5gbsK8iXFe30myFs9TeLB+goe3bwuSQZH9gqbPvoSoftXYpn6Z0qgSrBnEzS+6F09vW65DNg+nyW48dgVKRJ46APtOHBm9Vk5/4IWq1phzWaiEs/SwGM9WNQ=,iv:W+WMyW686Vr0fFA2NkD+wkJIkq9kRQKa5Lhy7TaWuAM=,tag:f5WhJdTRYzr0WgfclKsrIA==,type:str] pgp: - created_at: "2022-03-23T13:59:53Z" enc: | diff --git a/machines/fuuko/services/grafana.nix b/machines/renge/services/grafana.nix similarity index 98% rename from machines/fuuko/services/grafana.nix rename to machines/renge/services/grafana.nix index 11eb18e..9d6d35f 100644 --- a/machines/fuuko/services/grafana.nix +++ b/machines/renge/services/grafana.nix @@ -7,6 +7,7 @@ in enable = true; # grafana supports sockets, but no permission management (always 660 grafana:grafana) addr = "127.0.0.1"; + port = 3002; domain = "grafana.sbruder.de"; rootUrl = "https://%(domain)s/"; database = { diff --git a/machines/fuuko/services/matrix/default.nix b/machines/renge/services/matrix/default.nix similarity index 100% rename from machines/fuuko/services/matrix/default.nix rename to machines/renge/services/matrix/default.nix diff --git a/machines/fuuko/services/matrix/go-neb.nix b/machines/renge/services/matrix/go-neb.nix similarity index 100% rename from machines/fuuko/services/matrix/go-neb.nix rename to machines/renge/services/matrix/go-neb.nix 
diff --git a/machines/fuuko/services/matrix/mautrix-whatsapp.nix b/machines/renge/services/matrix/mautrix-whatsapp.nix similarity index 100% rename from machines/fuuko/services/matrix/mautrix-whatsapp.nix rename to machines/renge/services/matrix/mautrix-whatsapp.nix diff --git a/machines/fuuko/services/matrix/synapse.nix b/machines/renge/services/matrix/synapse.nix similarity index 99% rename from machines/fuuko/services/matrix/synapse.nix rename to machines/renge/services/matrix/synapse.nix index d8a05d5..be376fd 100644 --- a/machines/fuuko/services/matrix/synapse.nix +++ b/machines/renge/services/matrix/synapse.nix @@ -35,8 +35,6 @@ in }; }; - dataDir = "/data/matrix/synapse"; - turn_uris = [ "turns:turn.sbruder.de:5349?transport=udp" "turns:turn.sbruder.de:5349?transport=tcp" diff --git a/machines/fuuko/services/prometheus.nix b/machines/renge/services/prometheus.nix similarity index 94% rename from machines/fuuko/services/prometheus.nix rename to machines/renge/services/prometheus.nix index c94e112..170bed3 100644 --- a/machines/fuuko/services/prometheus.nix +++ b/machines/renge/services/prometheus.nix @@ -84,7 +84,7 @@ in } { job_name = "fritzbox"; - static_configs = mkStaticTarget "127.0.0.1:9133"; + static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:9133"; } ( let @@ -102,7 +102,7 @@ in ) { job_name = "dnsmasq"; - static_configs = mkStaticTarget (with config.services.prometheus.exporters.dnsmasq; "${listenAddress}:${toString port}"); + static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}"; relabel_configs = lib.singleton { target_label = "instance"; replacement = "fuuko.home.sbruder.de"; @@ -158,14 +158,6 @@ in }; }) ]; - - exporters = { - fritzbox = { - enable = true; - gatewayAddress = "192.168.100.1"; - listenAddress = "127.0.0.1"; - }; - }; }; # get rid of “could not call action: authorization required” every scrape
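Review bot: In the `dnsmasq` job the port is still read from `config.services.prometheus.exporters.dnsmasq.port`, which is now evaluated in renge's configuration, where this exporter is presumably not enabled. It therefore only yields the option's default and will silently diverge if fuuko ever changes its port. The `fritzbox` job in the hunk above hard-codes `9133` with the same coupling. Use one style for both targets and add a comment such as `# port must match the exporter configured on fuuko`. Both targets are scraped over plain HTTP at `fuuko.vpn.sbruder.de`, so it is also worth stating that the VPN is the only transport protection for these scrapes.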