coolneng
/
zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Revert "Set up CGM repository"

This commit is contained in:
coolneng 2024-07-16 19:02:25 +02:00
parent 8d6ec59a29
commit 9d600f8c95
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
6 changed files with 29 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
modules/containers.nix
View File

@ -38,38 +38,10 @@
ports = [ "127.0.0.1:9641:9641" ];
volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
};
# CGM repository
nightscout = {
image =
"nightscout/cgm-remote-monitor@sha256:ce522a9fe9b1373f576329e48349a622c8a9b6177c93dc2771152df36dd90876";
environmentFiles = [ config.age.secrets.nightscout.path ];
extraOptions = [ "--pod=cgm-repo" ];
dependsOn = [ "mongodb" ];
};
# CGM repository database
mongodb = {
image =
"mongo:4.4.9@sha256:0837a92d01bcc8c750a8d692ed4df33f0befd07ef261b23e7d9feda04bacd3eb";
volumes = [ "/vault/mongodb:/data/db" ];
extraOptions = [ "--pod=cgm-repo" ];
};
};
};
};
# Allow networking between Cgm-Repo and MongoDB
systemd.services.create-cgm-repo-pod = {
serviceConfig.Type = "oneshot";
wantedBy = [ "podman-mongodb.service" ];
script = with pkgs; ''
${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
'';
};
# Start services after ZFS mount
systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
[ /vault/mongodb ];
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
[ /vault/mqtt2prometheus ];
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
}

15
modules/periodic.nix
View File

@ -1,10 +1,16 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
stateDir = "/var/lib/dnscrypt-proxy";
blocklist = "${stateDir}/blocklist.txt";
in {
in
{
# PostgreSQL daily backups
services.postgresqlBackup = {
enable = true;
@ -18,7 +24,10 @@ in {
systemd.services.download-dns-blocklist = {
description = "Download hosts-blocklists";
wantedBy = [ "default.target" ];
path = with pkgs; [ curl coreutils ];
path = with pkgs; [
curl
coreutils
];
script = ''
curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist}
'';

36
modules/webstack.nix
View File

@ -1,5 +1,11 @@
# Web services configuration
{ config, pkgs, lib, ... }: {
{
config,
pkgs,
lib,
...
}:
{
# Reverse proxy configuration
services.nginx = {
@ -9,8 +15,7 @@
recommendedProxySettings = true;
recommendedOptimisation = true;
clientMaxBodySize = "0";
sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = ''
@ -36,10 +41,8 @@
locations = {
"/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
"/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
"/gitea/".extraConfig =
"rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
"/miniflux/".extraConfig =
"rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
"/gitea/".extraConfig = "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
"/miniflux/".extraConfig = "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
# Delegation for Matrix
"/.well-known/" = {
alias = "${../well-known}" + "/";
@ -111,8 +114,7 @@
ssl = true;
}
];
locations."~ ^(/_matrix|/_synapse/client)".proxyPass =
"http://localhost:8008";
locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
};
"element.coolneng.duckdns.org" = {
useACMEHost = "coolneng.duckdns.org";
@ -165,16 +167,6 @@
proxyWebsockets = true;
};
};
"nightscout.coolneng.duckdns.org" = {
useACMEHost = "coolneng.duckdns.org";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:1337";
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
'';
};
};
};
};
@ -188,9 +180,9 @@
webroot = "/var/lib/acme/acme-challenge";
ocspMustStaple = true;
};
certs."coolneng.duckdns.org".extraDomainNames =
lib.attrsets.mapAttrsToList (name: value: "${name}")
config.services.nginx.virtualHosts;
certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
name: value: "${name}"
) config.services.nginx.virtualHosts;
};
# Generate dhparams

1
scripts/motd.sh
View File

@ -37,7 +37,6 @@ services=(
"podman-mqtt2prometheus.service"
"prometheus.service"
"grafana.service"
"podman-nightscout.service"
)
for var in "${services[@]}"; do

BIN
secrets/nightscout.age
View File

Binary file not shown.

7
secrets/secrets.nix
View File

@ -1,7 +1,7 @@
let
zion =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
in {
zion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
in
{
"wireguard.age".publicKeys = [ zion ];
"syncthing.age".publicKeys = [ zion ];
"msmtp.age".publicKeys = [ zion ];
@ -14,7 +14,6 @@ in {
"telegram.age".publicKeys = [ zion ];
"mqtt-sender.age".publicKeys = [ zion ];
"mqtt-receiver.age".publicKeys = [ zion ];
"nightscout.age".publicKeys = [ zion ];
"facebook.age".publicKeys = [ zion ];
"signal.age".publicKeys = [ zion ];
}