BIG BIG MESS

Kranzes · Feb 4, 2025 · 0bf38f7 · 0bf38f7
1 parent 41ef29b
commit 0bf38f7
Show file tree

Hide file tree

Showing 32 changed files with 216 additions and 193 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -11,7 +11,6 @@
     srvos = { url = "github:nix-community/srvos"; inputs.nixpkgs.follows = "nixpkgs"; };
     agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };
     disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; };
-    impermanence.url = "github:nix-community/impermanence";
     lanzaboote.url = "github:nix-community/lanzaboote";
     hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
     hercules-ci-effects = { url = "github:hercules-ci/hercules-ci-effects"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-parts.follows = "flake-parts"; };

diff --git a/hosts/hetzner/default.nix b/hosts/hetzner/default.nix
@@ -1,13 +1,15 @@
-{ inputs, ... }:
-
+{ lib, inputs, modulesPath, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./hosted
-    inputs.self.nixosModules.profiles-impermanence
+    inputs.srvos.nixosModules.server
+    "${modulesPath}/profiles/minimal.nix"
   ];
 
-  security.sudo.wheelNeedsPassword = false;
+  time.timeZone = "UTC";
+
+  networking.useDHCP = lib.mkForce true;
 
-  system.stateVersion = "23.11";
+  system.stateVersion = "25.05";
 }
diff --git a/hosts/hetzner/hardware-configuration.nix b/hosts/hetzner/hardware-configuration.nix
@@ -1,67 +1,44 @@
-{ modulesPath, inputs, pkgs, ... }:
+{ inputs, pkgs, ... }:
 let
   device = "/dev/sda";
 in
 {
   imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
+    inputs.srvos.nixosModules.hardware-hetzner-cloud
     inputs.disko.nixosModules.disko
   ];
 
-  disko.devices = {
-    disk.${baseNameOf device} = {
-      inherit device;
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            size = "1M";
-            type = "EF02";
-          };
-          ESP = {
-            name = "ESP";
-            size = "512M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-            };
-          };
-          nix = {
-            size = "100%";
-            content = {
-              type = "filesystem";
-              format = "xfs";
-              mountpoint = "/nix";
-            };
+  disko.devices.disk.main = {
+    inherit device;
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        boot = {
+          size = "1M";
+          type = "EF02";
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "xfs";
+            mountpoint = "/";
           };
         };
       };
     };
-    nodev."/" = {
-      fsType = "tmpfs";
-      mountOptions = [
-        "size=2G"
-        "defaults"
-        "mode=755"
-      ];
-    };
   };
 
   boot = {
     kernelPackages = pkgs.linuxPackages_latest;
     initrd.systemd.enable = true;
     tmp.cleanOnBoot = true;
-    loader.grub = {
-      enable = true;
-      inherit device;
-      efiSupport = true;
-    };
   };
 
   zramSwap.enable = true;
 
   powerManagement.cpuFreqGovernor = "performance";
+
+  services.cloud-init.enable = false; # We don't make use of cloud-init at the moment.
 }
diff --git a/hosts/hetzner/hosted/default.nix b/hosts/hetzner/hosted/default.nix
@@ -6,11 +6,8 @@
     ./grafana.nix
     ./prometheus.nix
     ./homer.nix
+    ./ntfy.nix
     inputs.self.nixosModules.hosted-nginx
     inputs.self.nixosModules.hosted-node-exporter
   ];
-
-  environment.persistence."/nix/persistent".directories = [
-    "/var/lib/acme"
-  ];
 }
diff --git a/hosts/hetzner/hosted/grafana.nix b/hosts/hetzner/hosted/grafana.nix
@@ -81,17 +81,4 @@ in
       proxyWebsockets = true;
     };
   };
-
-  environment.persistence."/nix/persistent".directories = [
-    {
-      directory = config.services.grafana.dataDir;
-      user = "grafana";
-      group = "grafana";
-    }
-    {
-      directory = builtins.dirOf config.services.postgresql.dataDir;
-      user = "postgresql";
-      group = "postgresql";
-    }
-  ];
 }
diff --git a/hosts/hetzner/hosted/kanidm.nix b/hosts/hetzner/hosted/kanidm.nix
@@ -48,13 +48,15 @@ in
           preferShortUsername = true;
           allowInsecureClientDisablePkce = true;
           scopeMaps."tailscale_users" = [ "openid" "profile" "email" ];
+          basicSecretFile = config.age.secrets.kanidm-oauth2-tailscale-basic-secret.path;
         };
         "nextcloud" = {
           displayName = "Nextcloud";
           originUrl = "https://cloud.ilanjoselevich.com/apps/user_oidc/code";
           originLanding = "https://cloud.ilanjoselevich.com";
           preferShortUsername = true;
           scopeMaps."nextcloud_users" = [ "openid" ];
+          basicSecretFile = config.age.secrets.kanidm-oauth2-nextcloud-basic-secret.path;
         };
         "jellyfin" = {
           displayName = "Jellyfin";
@@ -65,14 +67,15 @@ in
           originLanding = "https://jellyfin.ilanjoselevich.com";
           preferShortUsername = true;
           scopeMaps."jellyfin_users" = [ "openid" "profile" "groups" ];
+          basicSecretFile = config.age.secrets.kanidm-oauth2-jellyfin-basic-secret.path;
         };
         "grafana" = {
           displayName = "Grafana";
           originUrl = "https://monitoring.ilanjoselevich.com/login/generic_oauth";
           originLanding = "https://monitoring.ilanjoselevich.com";
           preferShortUsername = true;
           scopeMaps."grafana_users" = [ "openid" "profile" "email" "groups" ];
-          basicSecretFile = config.age.secrets.oauth2-grafana-basic-secret.path;
+          basicSecretFile = config.age.secrets.kanidm-oauth2-grafana-basic-secret.path;
         };
       };
     };
@@ -89,13 +92,15 @@ in
     locations."/".proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
   };
 
-  environment.persistence."/nix/persistent".directories = [
-    "/var/lib/kanidm"
-  ];
-
-  age.secrets.oauth2-grafana-basic-secret = {
-    file = ../../../secrets/${config.networking.hostName}-oauth2-grafana-basic-secret.age;
-    owner = "kanidm";
-    group = "kanidm";
-  };
+  age.secrets = lib.genAttrs [
+    "kanidm-oauth2-tailscale-basic-secret"
+    "kanidm-oauth2-nextcloud-basic-secret"
+    "kanidm-oauth2-jellyfin-basic-secret"
+    "kanidm-oauth2-grafana-basic-secret"
+  ]
+    (secretName: {
+      file = ../../../secrets/${config.networking.hostName}-${secretName}.age;
+      owner = "kanidm";
+      group = "kanidm";
+    });
 }
diff --git a/hosts/hetzner/hosted/ntfy.nix b/hosts/hetzner/hosted/ntfy.nix
@@ -0,0 +1,70 @@
+{ config, ... }:
+let
+  domain = "push.ilanjoselevich.com";
+in
+{
+  age.secrets = {
+    ntfy-sh-firebase-key.file = ../../../secrets/hetzner-ntfy-sh-firebase-key.age;
+    grafana-to-ntfy-ntfy-pass.file = ../../../secrets/hetzner-grafana-to-ntfy-ntfy-pass.age;
+    grafana-to-ntfy-pass.file = ../../../secrets/hetzner-grafana-to-ntfy-pass.age;
+  };
+
+  systemd.services.ntfy-sh.serviceConfig.LoadCredential = [ "firebase-key:${config.age.secrets.ntfy-sh-firebase-key.path}" ];
+
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      base-url = "https://${domain}";
+      behind-proxy = true;
+      web-root = "disable";
+      enable-signup = false;
+      enable-login = false;
+      auth-default-access = "deny-all";
+      firebase-key-file = "/run/credentials/ntfy-sh.service/firebase-key";
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}";
+      proxyWebsockets = true;
+    };
+  };
+
+  services.grafana-to-ntfy = {
+    enable = true;
+    settings = {
+      ntfyUrl = "${config.services.ntfy-sh.settings.base-url}/grafana";
+      ntfyBAuthUser = "grafana";
+      ntfyBAuthPass = config.age.secrets.grafana-to-ntfy-ntfy-pass.path;
+      bauthPass = config.age.secrets.grafana-to-ntfy-pass.path;
+    };
+  };
+
+  systemd.services.grafana.serviceConfig.LoadCredential = [ "ntfy_password:${config.services.grafana-to-ntfy.settings.bauthPass}" ];
+
+  services.grafana.provision.alerting.contactPoints.settings = {
+    apiVersion = 1;
+    contactPoints = [{
+      orgId = 1;
+      name = "ntfy";
+      receivers = [{
+        uid = "ntfy";
+        type = "webhook";
+        disableResolveMessage = false;
+        settings = {
+          url = "http://127.0.0.1:8000";
+          httpMethod = "POST";
+          username = config.services.grafana-to-ntfy.settings.bauthUser;
+          password = "$__file{/run/credentials/grafana.service/ntfy_password}";
+        };
+      }];
+    }];
+    deleteContactPoints = [{
+      orgId = 1;
+      uid = "ntfy";
+    }];
+  };
+}
diff --git a/hosts/hetzner/hosted/prometheus.nix b/hosts/hetzner/hosted/prometheus.nix
@@ -36,10 +36,4 @@
       orgId = 1;
     }];
   };
-
-  environment.persistence."/nix/persistent".directories = [{
-    directory = "/var/lib/${config.services.prometheus.stateDir}";
-    user = "prometheus";
-    group = "prometheus";
-  }];
 }
diff --git a/profiles/agenix.nix b/profiles/agenix.nix
@@ -1,12 +1,7 @@
 { inputs, ... }:
-
-{ config, options, ... }:
-
-let
-  sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
-in
+{ config, ... }:
 {
   imports = [ inputs.agenix.nixosModules.age ];
 
-  age.identityPaths = if (options ? environment.persistence) then (map (x: "/nix/persistent" + x) sshHostKeys) else sshHostKeys;
+  age.identityPaths = builtins.catAttrs "path" config.services.openssh.hostKeys;
 }
diff --git a/profiles/flake-module.nix b/profiles/flake-module.nix
@@ -7,7 +7,6 @@
     profiles-audio = ./audio.nix;
     profiles-cachix-deploy = ./cachix-deploy.nix;
     profiles-docs = ./docs.nix;
-    profiles-impermanence = lib.modules.importApply ./impermanence.nix { inherit inputs; };
     profiles-laptop = ./laptop.nix;
     profiles-misc = ./misc.nix;
     profiles-nix-nixpkgs = lib.modules.importApply ./nix-nixpkgs.nix { inherit inputs; };

diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix
diff --git a/profiles/tailscale.nix b/profiles/tailscale.nix
@@ -1,21 +1,15 @@
-{ lib, config, options, ... }:
+{ lib, config, ... }:
 
 {
-  config = lib.mkMerge [
-    {
-      services.tailscale = {
-        enable = true;
-        useRoutingFeatures = lib.mkDefault "client";
-        extraSetFlags = lib.mkIf (lib.elem config.services.tailscale.useRoutingFeatures [ "both" "server" ]) [
-          "--advertise-exit-node"
-        ];
-        authKeyFile = lib.mkDefault config.age.secrets.tailscale-auth-key.path;
-      };
 
-      age.secrets.tailscale-auth-key.file = lib.mkDefault ../secrets/all-tailscale-auth-key.age;
-    }
-    (lib.optionalAttrs (options ? environment.persistence) {
-      environment.persistence."/nix/persistent".directories = [ "/var/lib/tailscale" ];
-    })
-  ];
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = lib.mkDefault "client";
+    extraUpFlags = lib.mkIf (lib.elem config.services.tailscale.useRoutingFeatures [ "both" "server" ]) [
+      "--advertise-exit-node"
+    ];
+    authKeyFile = lib.mkDefault config.age.secrets.tailscale-auth-key.path;
+  };
+
+  age.secrets.tailscale-auth-key.file = lib.mkDefault ../secrets/all-tailscale-auth-key.age;
 }