{ config, pkgs, lib, resources, ... }:
let
  inherit (pkgs.lib) flatten head mapAttrsToList;
  inherit (pkgs.lib.attrsets) filterAttrs;

  # Per-host addressing comes from config.hostEnv.ips: an attrset of entries,
  # each optionally carrying `ip4` and `ip6` lists. The "main" entry is the one
  # whose first IPv4 address is the deployment target.
  hostIps = config.hostEnv.ips;

  # Every IPv4 address of a non-"main" entry is bound as a /32 host route.
  extraIp4 = _: ips:
    map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or [ ]);

  # IPv6: the first address of the "main" entry is the on-link /64; every other
  # address (further "main" addresses included) is a /128.
  ip6Addrs = name: ips:
    let onLink = ip: name == "main" && ip == head ips.ip6;
    in map (ip: { address = ip; prefixLength = if onLink ip then 64 else 128; }) (ips.ip6 or [ ]);

  # One stream.conf section per API key. Children stream into this master with
  # one of these keys, so the key set is the access control for incoming data.
  streamSection = _: key: ''
    [${key}]
    enabled = yes
    default history = 3600
    default memory = ram
    health enabled by default = auto
  '';
in
{
  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ]
    ++ builtins.attrValues (import ../..);

  # nixops target: deploy as root to the first IPv4 address of the "main"
  # entry; substituteOnDestination lets the host fetch store paths from its own
  # substituters instead of having them pushed.
  deployment = {
    targetUser = "root";
    targetHost = lib.head hostIps.main.ip4;
    substituteOnDestination = true;
  };

  # Age recipient for this host's secrets, derived from its SSH host key:
  #   ssh-keyscan monitoring-1 | nix-shell -p ssh-to-age --run ssh-to-age
  secrets.ageKeys = [ "age1dn4lzhgxusqrpjjnzm7w8ml39ptf326htuzmpqdqs2gg3wq7cqzqxuvx8k" ];

  myEnv = import ../../../nixops/secrets/environment.nix;

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    loader.grub.device = "nodev";
  };
  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };

  # This host is the monitoring master; it also serves the status page and
  # relays mail.
  myServices = {
    monitoring = { enable = true; master = true; };
    status.enable = true;
    mailRelay.enable = true;
  };

  networking = {
    firewall = {
      enable = true;
      # Netdata's listener. Streaming peers are accepted from anywhere (see
      # "allow streaming from" below), so the API keys in stream.conf are the
      # only thing gating who may push metrics into this master.
      allowedTCPPorts = [ 19999 ];
    };
    interfaces."ens3" = {
      ipv4.addresses = flatten
        (mapAttrsToList extraIp4 (filterAttrs (name: _: name != "main") hostIps));
      ipv6.addresses = flatten (mapAttrsToList ip6Addrs hostIps);
    };
    defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
  };

  # Private CA trusted system-wide. Fetched over plain HTTP, but pinned by
  # sha256 (fixed-output fetch), so a tampered download fails the build rather
  # than being installed.
  security.pki.certificateFiles = [
    (pkgs.fetchurl {
      url = "http://downloads.e.eriomem.net/eriomemca.pem";
      sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
    })
  ];

  services.netdata = {
    enable = true;
    # stream.conf carries the per-child API keys, so it is deployed as a secret
    # file rather than written into the world-readable Nix store.
    configDir."stream.conf" = config.secrets.fullPaths."netdata-stream.conf";
    # Dashboard is local-only; badges and streaming are open to any source;
    # netdata.conf and the management API only to peers matching the "fd*"
    # pattern (presumably ULA IPv6 addresses - confirm against netdata's
    # pattern semantics).
    config.web = {
      "allow dashboard from" = "localhost";
      "allow badges from" = "*";
      "allow streaming from" = "*";
      "allow netdata.conf from" = "fd*";
      "allow management from" = "fd*";
    };
  };

  # The stream keys are rendered from the secret environment and owned by the
  # netdata user, mode 0400, so no other local user can read them.
  secrets.keys."netdata-stream.conf" = {
    user = config.services.netdata.user;
    group = config.services.netdata.group;
    permissions = "0400";
    text = builtins.concatStringsSep "\n"
      (mapAttrsToList streamSection config.myEnv.monitoring.netdata_keys);
  };
  # Presumably needed for the netdata user to reach its deployed secret -
  # verify against the secrets module.
  users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];

  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}