-rw-r--r--apps/authelia/module.nix3
-rw-r--r--apps/grafana/appspec.nix9
-rw-r--r--apps/grafana/integration.nix3
-rw-r--r--apps/grafana/module.nix35
-rw-r--r--configs/default.nix20
-rw-r--r--nix/sources.json2
m---------secrets0
-rw-r--r--systems/system1/configuration.nix4
-rw-r--r--terraform.output.json5
9 files changed, 79 insertions, 2 deletions
diff --git a/apps/authelia/module.nix b/apps/authelia/module.nix
index fa4d35d..93119ba 100644
--- a/apps/authelia/module.nix
+++ b/apps/authelia/module.nix
@@ -8,7 +8,8 @@
services.authelia.instances.default.settings.notifier.filesystem.filename = "/var/lib/authelia-default/notifier.txt";
services.authelia.instances.default.settings.server.host = "0.0.0.0";
services.authelia.instances.default.settings.server.port = 9091;
- services.authelia.instances.default.settings.session.domain = appConfig.domain;
+ # TODO this is not appConfig.domain!
+ services.authelia.instances.default.settings.session.domain = "nomath.org";
services.authelia.instances.default.settings.storage.local.path = "/var/lib/authelia-default/storage.sqlite3";
}
# configure secrets
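Review bot: The session cookie domain is now the literal `"nomath.org"`, so the Authelia session cookie is scoped to every host under that apex and the module no longer follows `appConfig.domain`. Cross-subdomain sign-on needs that scope, but it also means every host under the apex, including any that only serve static content, receives the cookie, so it deserves a reviewed setting rather than a TODO. I would add a dedicated option to the app spec (for example `sessionDomain`) and write `services.authelia.instances.default.settings.session.domain = appConfig.sessionDomain;`, with a comment saying why the parent domain is intended. The enclosing attribute set starts and continues outside this hunk.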
diff --git a/apps/grafana/appspec.nix b/apps/grafana/appspec.nix
new file mode 100644
index 0000000..1fe0d38
--- /dev/null
+++ b/apps/grafana/appspec.nix
@@ -0,0 +1,9 @@
+{ fysilib, lib, ... }: {
+ description = "Grafana";
+ endOfLife = null;
+ options = {
+ domain = lib.mkOption {
+ type = fysilib.types.fqdn;
+ };
+ };
+}
diff --git a/apps/grafana/integration.nix b/apps/grafana/integration.nix
new file mode 100644
index 0000000..936c6c7
--- /dev/null
+++ b/apps/grafana/integration.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ port = 3000;
+}
diff --git a/apps/grafana/module.nix b/apps/grafana/module.nix
new file mode 100644
index 0000000..8f2a365
--- /dev/null
+++ b/apps/grafana/module.nix
@@ -0,0 +1,35 @@
+{ appConfig, lib, ... }: lib.mkMerge [
+ {
+ services.grafana.enable = true;
+ services.grafana.settings.security.disable_initial_admin_creation = true;
+ services.grafana.settings.server.domain = appConfig.domain;
+ services.grafana.settings.server.http_addr = "[::0]";
+ }
+ {
+ services.prometheus.enable = true;
+ services.prometheus.exporters.systemd.enable = true;
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "systemd";
+ static_configs = [{ targets = [ "[::1]:9558" ]; }];
+ }
+ ];
+ }
+ {
+ services.grafana.settings."auth.proxy".auto_sign_up = true;
+ services.grafana.settings."auth.proxy".enabled = true;
+ services.grafana.settings."auth.proxy".header_name = "Remote-User";
+ services.grafana.settings."auth.proxy".headers = lib.concatStringsSep " " [ "Email:Remote-Email" "Name:Remote-Name" "Role:Remote-Role" ];
+
+ services.grafana.settings."users".allow_sign_up = false;
+ }
+ {
+ services.grafana.provision.datasources.settings.datasources = [
+ {
+ name = "Prometheus";
+ type = "prometheus";
+ url = "http://[23::1]:9090";
+ }
+ ];
+ }
+]
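Review bot: Grafana trusts the `Remote-User` and `Role:Remote-Role` headers from any client that can reach it, because `auth.proxy` is enabled with `auto_sign_up = true` while `http_addr = "[::0]"` listens on every interface and no `whitelist` is set. Unless the firewall and the reverse proxy (neither is visible here) guarantee that only the proxy reaches port 3000 and that client-supplied `Remote-*` headers are stripped, a request carrying its own headers would be signed in with the role it names. I would bind Grafana to the address the proxy uses and add `services.grafana.settings."auth.proxy".whitelist = "<proxy address>";`. It is also worth confirming that the auth layer actually sets `Remote-Role`; if it does not, drop `"Role:Remote-Role"` from `headers` so the role can never come from the request.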
diff --git a/configs/default.nix b/configs/default.nix
index 9d5a7c7..3693318 100644
--- a/configs/default.nix
+++ b/configs/default.nix
@@ -20,9 +20,29 @@
security.acme.certs."code.nomath.org".webroot = "/var/lib/acme/acme-challenge";
security.acme.certs."feed.nomath.org".email = "aforemny@posteo.de";
security.acme.certs."feed.nomath.org".webroot = "/var/lib/acme/acme-challenge";
+ security.acme.certs."grafana.nomath.org".email = "aforemny@posteo.de";
+ security.acme.certs."grafana.nomath.org".webroot = "/var/lib/acme/acme-challenge";
security.acme.certs."nomath.org".email = "aforemny@posteo.de";
security.acme.certs."nomath.org".webroot = "/var/lib/acme/acme-challenge";
security.acme.certs."static.nomath.org".email = "aforemny@posteo.de";
security.acme.certs."static.nomath.org".webroot = "/var/lib/acme/acme-challenge";
networking.firewall.allowedTCPPorts = [ 80 ];
+
+ # TODO IPv6 configuration should be handled by `fysiweb`
+
+ # TODO this is system1-specific
+ networking.nameservers = [
+ "2a01:4ff:ff00::add:1"
+ "2a01:4ff:ff00::add:2"
+ ];
+ networking.interfaces.eth0.ipv6.addresses = [
+ {
+ address = "2a01:4f8:c2c:2203::1";
+ prefixLength = 64;
+ }
+ ];
+ networking.defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
}
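Review bot: The static IPv6 address, gateway and nameservers are host-specific values placed in the shared `configs/default.nix`, and `2a01:4f8:c2c:2203::1` is also recorded in `terraform.output.json`, so the two copies can drift apart. I would move the block to `systems/system1/configuration.nix`, as the TODO already suggests, and read the address from the Terraform output instead of repeating it. With a public IPv6 address, every service listening on a wildcard address becomes reachable over IPv6 as far as the firewall allows, so `networking.firewall.allowedTCPPorts` should be reviewed together with this change.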
diff --git a/nix/sources.json b/nix/sources.json
index ba38908..2fa6769 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -14,7 +14,7 @@
"fysiweb-cli": {
"branch": "main",
"repo": "git@github.com:aforemny/fysiweb-cli.git",
- "rev": "d856c88b649d554c6c66005ac1080f16e45f62da",
+ "rev": "1b21cf28a606dfd5db3fcab433ffbcc76f2957de",
"submodules": true,
"type": "git"
},
diff --git a/secrets b/secrets
-Subproject 1efddacabaf31e5fcb0db4f2797224dc6a9e976
+Subproject e7b6b5d90ae72e7a04cdda28612db720f8e2f41
diff --git a/systems/system1/configuration.nix b/systems/system1/configuration.nix
index da35852..594bae4 100644
--- a/systems/system1/configuration.nix
+++ b/systems/system1/configuration.nix
@@ -81,5 +81,9 @@
"/var/lib/git/static-nomath-org"
];
}
+ # enable grafana
+ {
+ fysiweb-apps.public.grafana.grafana-nomath-org.domain = "grafana.nomath.org";
+ }
];
}
diff --git a/terraform.output.json b/terraform.output.json
index 045b102..51820c9 100644
--- a/terraform.output.json
+++ b/terraform.output.json
@@ -3,5 +3,10 @@
"sensitive": false,
"type": "string",
"value": "49.13.201.137"
+ },
+ "system1-ipv6_address": {
+ "sensitive": false,
+ "type": "string",
+ "value": "2a01:4f8:c2c:2203::1"
}
}