Compare commits

...

10 commits

Author SHA1 Message Date
c4343b9855
firefox: Enable extra stuff 2024-02-28 23:54:56 +01:00
bdd51d8d89
loki: Disable post-build-hook 2024-02-28 23:41:59 +01:00
52d153f27e
eww: Remove temporary workaround for wayland 2024-02-28 23:29:32 +01:00
b381239227
flake.lock: Update
Flake lock file updates:

• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/dc68b375c2733198f642804a3cfacab5ede99761' (2024-02-26)
  → 'github:nix-community/emacs-overlay/8c56baa0e5ba4bbf9947605a31672e2f4735b1a9' (2024-02-28)
• Updated input 'emacs-overlay/nixpkgs-stable':
    'github:NixOS/nixpkgs/5bf1cadb72ab4e77cb0b700dab76bcdaf88f706b' (2024-02-25)
  → 'github:NixOS/nixpkgs/b7ee09cf5614b02d289cd86fcfa6f24d4e078c2a' (2024-02-26)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15)
  → 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28)
• Updated input 'home-manager':
    'github:nix-community/home-manager/4ee704cb13a5a7645436f400b9acc89a67b9c08a' (2024-02-24)
  → 'github:nix-community/home-manager/1d085ea4444d26aa52297758b333b449b2aa6fca' (2024-02-26)
• Updated input 'microvm':
    'github:astro/microvm.nix/4583e2394e1e5723746fb55dbb912385c6c6bda1' (2024-02-26)
  → 'github:astro/microvm.nix/df3254b6a9ff2ddbbd4be27d75d8cc9f1b637d4b' (2024-02-27)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/3f7d0bca003eac1a1a7f4659bbab9c8f8c2a0958' (2024-02-22)
  → 'github:NixOS/nixos-hardware/33a97b5814d36ddd65ad678ad07ce43b1a67f159' (2024-02-28)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/73de017ef2d18a04ac4bfd0c02650007ccb31c2a' (2024-02-24)
  → 'github:nixos/nixpkgs/13aff9b34cc32e59d35c62ac9356e4a41198a538' (2024-02-26)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/cbdf3e5bb205ff2ca165fe661fbd6d885cbd0106' (2024-02-26)
  → 'github:oxalica/rust-overlay/5d56056fb905ff550ee61b6ebb6674d494f57a9e' (2024-02-28)
• Updated input 'sops':
    'github:Mic92/sops-nix/2874fbbe4a65bd2484b0ad757d27a16107f6bc17' (2024-02-25)
  → 'github:Mic92/sops-nix/a1c8de14f60924fafe13aea66b46157f0150f4cf' (2024-02-26)
2024-02-28 22:51:32 +01:00
a285a2bc19
loki: filter horus_vcpkg from cache uploads 2024-02-28 22:50:35 +01:00
7506048118
nix-cache: Tweak settings 2024-02-28 22:50:23 +01:00
7d4f3d8d51
podman: Update deprecated option 2024-02-28 22:50:09 +01:00
e04fb83881
valkyrie: Enable unbound prometheus exporter 2024-02-28 22:49:50 +01:00
5f866a8b98
saga: monitoring server 2024-02-28 22:49:27 +01:00
1ef59b6364
firefox: Don't guess favicon 2024-02-28 22:48:22 +01:00
14 changed files with 272 additions and 119 deletions

54
flake.lock generated
View file

@ -148,11 +148,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1708938386,
"narHash": "sha256-WTSScoG1LhH+PBo3l4+Fcl1oGNuISmRzkYDrASPWefk=",
"lastModified": 1709140068,
"narHash": "sha256-lvRBx3t6wF4crVlHko6Rm7rV2bSES4rgPC8a2zoaic8=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "dc68b375c2733198f642804a3cfacab5ede99761",
"rev": "8c56baa0e5ba4bbf9947605a31672e2f4735b1a9",
"type": "github"
},
"original": {
@ -324,11 +324,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
@ -414,11 +414,11 @@
]
},
"locked": {
"lastModified": 1708806879,
"narHash": "sha256-MSbxtF3RThI8ANs/G4o1zIqF5/XlShHvwjl9Ws0QAbI=",
"lastModified": 1708988456,
"narHash": "sha256-RCz7Xe64tN2zgWk+MVHkzg224znwqknJ1RnB7rVqUWw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "4ee704cb13a5a7645436f400b9acc89a67b9c08a",
"rev": "1d085ea4444d26aa52297758b333b449b2aa6fca",
"type": "github"
},
"original": {
@ -438,11 +438,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1708906061,
"narHash": "sha256-8WlGYMCtggvybPdzQschOoC9r3dl0d3lnGmlTZB6pAw=",
"lastModified": 1709054352,
"narHash": "sha256-JGxCz3Zv7sErrf1ROn1OjWy8BtP5w/YDp5PnQrJxZnQ=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "4583e2394e1e5723746fb55dbb912385c6c6bda1",
"rev": "df3254b6a9ff2ddbbd4be27d75d8cc9f1b637d4b",
"type": "github"
},
"original": {
@ -521,11 +521,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1708594753,
"narHash": "sha256-c/gH7iXS/IYH9NrFOT+aJqTq+iEBkvAkpWuUHGU3+f0=",
"lastModified": 1709147990,
"narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "3f7d0bca003eac1a1a7f4659bbab9c8f8c2a0958",
"rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159",
"type": "github"
},
"original": {
@ -586,11 +586,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1708831307,
"narHash": "sha256-0iL/DuGjiUeck1zEaL+aIe2WvA3/cVhp/SlmTcOZXH4=",
"lastModified": 1708979614,
"narHash": "sha256-FWLWmYojIg6TeqxSnHkKpHu5SGnFP5um1uUjH+wRV6g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5bf1cadb72ab4e77cb0b700dab76bcdaf88f706b",
"rev": "b7ee09cf5614b02d289cd86fcfa6f24d4e078c2a",
"type": "github"
},
"original": {
@ -634,11 +634,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1708807242,
"narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=",
"lastModified": 1708984720,
"narHash": "sha256-gJctErLbXx4QZBBbGp78PxtOOzsDaQ+yw1ylNQBuSUY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a",
"rev": "13aff9b34cc32e59d35c62ac9356e4a41198a538",
"type": "github"
},
"original": {
@ -762,11 +762,11 @@
]
},
"locked": {
"lastModified": 1708913568,
"narHash": "sha256-76PGANC2ADf0h7fe0w2nWpfdGN+bemFs2rvW2EdU/ZY=",
"lastModified": 1709086241,
"narHash": "sha256-3QHK5zu/5XOa+ghBeKzvt+/BLdEPjw/xDNLcpDfbkmg=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "cbdf3e5bb205ff2ca165fe661fbd6d885cbd0106",
"rev": "5d56056fb905ff550ee61b6ebb6674d494f57a9e",
"type": "github"
},
"original": {
@ -783,11 +783,11 @@
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1708830076,
"narHash": "sha256-Cjh2xdjxC6S6nW6Whr2dxSeh8vjodzhTmQdI4zPJ4RA=",
"lastModified": 1708987867,
"narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2874fbbe4a65bd2484b0ad757d27a16107f6bc17",
"rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf",
"type": "github"
},
"original": {

View file

@ -9,6 +9,7 @@ let
cfg = config.eboskma.programs.firefox;
profileSettings = {
"browser.chrome.guess_favicon" = false;
"browser.shell.checkDefaultBrowser" = false;
"browser.translations.enable" = false;
"devtools.theme" = "dark";

View file

@ -36,7 +36,11 @@ rec {
config = {
allowUnfree = true;
firefox.speechSynthesisSupport = true;
firefox = {
speechSynthesisSupport = true;
ffmpegSupport = true;
pipewireSupport = true;
};
};
};
home-manager = {

View file

@ -4,7 +4,7 @@ inputs: {
# deploy = {
# # host = "10.0.0.202";
# host = "ci.barn-beaver.ts.net";
# sshUser = "erwin";
# targetUser = "erwin";
# buildOn = "local";
# substituteOnTarget = true;
# tags = [ "container" ];
@ -15,7 +15,7 @@ inputs: {
deploy = {
# host = "10.0.0.205";
host = "frigate.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -26,7 +26,7 @@ inputs: {
deploy = {
# host = "10.0.0.203";
host = "gitea.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -37,7 +37,7 @@ inputs: {
deploy = {
# host = "10.0.0.210";
host = "gitea-runner.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -48,7 +48,7 @@ inputs: {
deploy = {
# host = "heimdall.datarift.nl";
host = "heimdall.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "metal" ];
@ -59,7 +59,7 @@ inputs: {
deploy = {
# host = "10.0.0.167";
host = "10.0.0.208";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -76,7 +76,7 @@ inputs: {
deploy = {
# host = "10.0.0.204";
host = "minio.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -106,7 +106,7 @@ inputs: {
deploy = {
# host = "10.0.0.251";
host = "proxy.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -116,12 +116,21 @@ inputs: {
system = "aarch64-linux";
config = import ./regin/configuration.nix inputs;
};
saga = {
config = import ./saga/configuration.nix inputs;
deploy = {
# host = "10.0.0.212";
host = "saga.barn-beaver.ts.net";
targetUser = "erwin";
tags = [ "container" ];
};
};
# thor = {
# system = "aarch64-linux";
# config = import ./thor/configuration.nix inputs;
# # deploy = {
# # host = "10.0.0.198";
# # sshUser = "erwin";
# # targetUser = "erwin";
# # buildOn = "local";
# # substituteOnTarget = true;
# # };
@ -131,7 +140,7 @@ inputs: {
deploy = {
# host = "10.0.0.207";
host = "unifi.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];
@ -142,7 +151,7 @@ inputs: {
deploy = {
# host = "10.0.0.206";
host = "valkyrie.barn-beaver.ts.net";
sshUser = "erwin";
targetUser = "erwin";
buildOn = "local";
substituteOnTarget = true;
tags = [ "container" ];

View file

@ -1,9 +1,4 @@
{
nixos-hardware,
nix-ld-rs,
attic,
...
}:
{ nixos-hardware, nix-ld-rs, ... }:
{ pkgs, config, ... }:
{
imports = [
@ -478,18 +473,19 @@
];
};
nix.settings.post-build-hook =
let
inherit (attic.packages.${pkgs.system}) attic-client;
in
pkgs.writeScript "upload-to-cache" ''
set -eu
set -f
export IFS=' '
# nix.settings.post-build-hook =
# let
# inherit (attic.packages.${pkgs.system}) attic-client;
# in
# pkgs.writeScript "upload-to-cache" ''
# set -eu
# set -f
# export IFS=' '
echo "Uploading paths to cache " ''${OUT_PATHS}
exec ${attic-client}/bin/attic push main ''${OUT_PATHS}
'';
# OUT_PATHS=$(echo -n ''${OUT_PATHS} | ${pkgs.gawk}/bin/awk 'BEGIN { RS = " "; ORS = " "; } $0 !~ /horus_vcpkg/ { print $0 }')
# echo "Uploading paths to cache " ''${OUT_PATHS}
# exec ${attic-client}/bin/attic push main ''${OUT_PATHS}
# '';
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {

View file

@ -95,7 +95,7 @@
listen = "127.0.0.1:8080";
garbage-collection = {
default-retention-period = "3 months";
default-retention-period = "6 weeks";
};
storage = {
@ -116,16 +116,16 @@
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
nar-size-threshold = 256 * 1024; # 256 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
min-size = 128 * 1024; # 128 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
avg-size = 256 * 1024; # 256 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
max-size = 1024 * 1024; # 1024 KiB
};
};
};

View file

@ -0,0 +1,80 @@
{ self, ... }:
{ modulesPath, lib, ... }:
{
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
./grafana
./prometheus
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
boot = {
isContainer = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "saga";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
systemd.network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.212/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
# sops.defaultSopsFile = ./secrets.yaml;
# sops.secrets = {
# };
system.stateVersion = "24.05";
}

View file

@ -0,0 +1,13 @@
{
services.grafana = {
enable = true;
settings = {
server = {
domain = "saga.datarift.nl";
enforce_domain = true;
http_addr = "0.0.0.0";
root_url = "https://saga.datarift.nl";
};
};
};
}

View file

@ -0,0 +1,37 @@
{ config, ... }:
{
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "saga";
static_configs = [
{
targets = [
"saga:${toString config.services.prometheus.exporters.node.port}" # node
];
}
];
}
{
job_name = "valkyrie";
static_configs = [
{
targets = [
"valkyrie:${toString config.services.prometheus.exporters.node.port}" # node
"valkyrie:${toString config.services.prometheus.exporters.unbound.port}" # unbound
];
}
];
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
};
};
}

View file

@ -1,68 +1,82 @@
{
services.unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
# Setting logfile to an empty string outputs to stderr
log-queries = false;
verbosity = 1;
services = {
unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
# Setting logfile to an empty string outputs to stderr
log-queries = false;
verbosity = 1;
port = 5335;
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
prefer-ip6 = true;
port = 5335;
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
prefer-ip6 = true;
hide-identity = true;
hide-version = true;
hide-identity = true;
hide-version = true;
# Trust glue only if it is within the server's authority
harden-glue = true;
# Trust glue only if it is within the server's authority
harden-glue = true;
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped = true;
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped = true;
harden-referral-path = true;
harden-referral-path = true;
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id = false;
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id = false;
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size = 1472;
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size = 1472;
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch = true;
prefetch-key = true;
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch = true;
prefetch-key = true;
# This attempts to reduce latency by serving the outdated record before
# updating it instead of the other way around. Alternative is to increase
# cache-min-ttl to e.g. 3600.
cache-min-ttl = 0;
serve-expired = true;
# This attempts to reduce latency by serving the outdated record before
# updating it instead of the other way around. Alternative is to increase
# cache-min-ttl to e.g. 3600.
cache-min-ttl = 0;
serve-expired = true;
rrset-cache-size = "256m";
msg-cache-size = "128m";
msg-cache-slabs = 4;
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads = 2;
rrset-cache-size = "256m";
msg-cache-size = "128m";
msg-cache-slabs = 4;
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads = 2;
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf = "1m";
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf = "8m";
# Ensure privacy of local IP ranges
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
# Ensure privacy of local IP ranges
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
};
};
};
prometheus.exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
unbound = {
enable = true;
unbound.host = "unix:///run/unbound/unbound.ctl";
};
};
};

View file

@ -14,6 +14,7 @@ let
tls {
dns cloudflare {env.CF_API_TOKEN}
propagation_timeout -1
}
'';
};
@ -32,6 +33,7 @@ let
tls {
dns cloudflare {env.CF_API_TOKEN}
propagation_timeout -1
}
'';
};
@ -49,7 +51,7 @@ in
email = "erwin@datarift.nl";
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts = {
"home.datarift.nl" = mkProxyHost "homeassistant.barn-beaver.ts.net:8123";
@ -58,6 +60,7 @@ in
"git.datarift.nl" = mkProxyHost "gitea.barn-beaver.ts.net:3000";
"minio.datarift.nl" = mkProxyHost "minio.barn-beaver.ts.net:9000";
"minio-admin.datarift.nl" = mkLocalProxyHost "minio.barn-beaver.ts.net:9001";
"saga.datarift.nl" = mkLocalProxyHost "saga.barn-beaver.ts.net:3000";
"unifi.datarift.nl" = mkLocalProxyHost "unifi.barn-beaver.ts.net:8443";
};
};

View file

@ -30,7 +30,6 @@ in
virtualisation.podman = {
enable = true;
enableNvidia = cfg.enableNvidia;
dockerCompat = true;
autoPrune = {
@ -43,6 +42,7 @@ in
virtualisation.containers = {
enable = true;
cdi.dynamic.nvidia.enable = cfg.enableNvidia;
registries = {
insecure = cfg.insecureRegistries;
};

View file

@ -72,8 +72,6 @@ in
};
eww = {
enable = true;
# This will fail once https://github.com/NixOS/nixpkgs/pull/289595 is merged
package = pkgs.eww.override { withWayland = true; };
};
firefox = {
enable = true;

View file

@ -87,8 +87,6 @@ in
};
eww = {
enable = true;
# This will fail once https://github.com/NixOS/nixpkgs/pull/289595 is merged
package = pkgs.eww.override { withWayland = true; };
};
firefox = {
enable = true;