+12 -10

deploy.nu

reviewed

··· 37 37 38 38 def update-input [input: string] { 39 39 let result = nix flake update $input | complete 40 40 - if ($result.stderr | str contains "Updated input") or ($result.exit_code != 0) { 40 40 + let is_ok = ($result.stderr | str contains "Updated input") 41 41 + let is_err = ($result.exit_code != 0) 42 42 + if $is_ok or $is_err { 41 43 webhook $"/inputs/($input)" $"=== updated input ($input) ===\n\n($result.stderr)" $result.exit_code 42 44 } 45 45 + if $is_ok { 46 46 + # try committing flake updates 47 47 + try { 48 48 + git add flake.lock 49 49 + let commit_msg = $"chore\(nix\): update input ($input) [skip ci]" 50 50 + git commit -m $commit_msg 51 51 + git push 52 52 + } 53 53 + } 43 54 } 44 55 45 56 def main [] { 46 57 webhook "deploy" "=== started deploying all ===" 47 58 48 59 update-input "blog" 49 49 - 50 50 - # try committing flake updates 51 51 - try { 52 52 - git restore -S . 53 53 - git add flake.lock 54 54 - let commit_msg = "chore: update flake dependencies (deploy)" 55 55 - git commit -m $"($commit_msg) [skip ci]" 56 56 - git push 57 57 - } 58 60 59 61 try { 60 62 nix run ".#dns" -- push

+47

hosts/wolumonde/modules/fluentbit.nix

reviewed

··· 1 1 + { 2 2 + pkgs, 3 3 + config, 4 4 + lib, 5 5 + ... 6 6 + }: 7 7 + { 8 8 + services.fluent-bit = { 9 9 + enable = true; 10 10 + settings = { 11 11 + parsers = [ 12 12 + { 13 13 + name = "nginx"; 14 14 + format = "regex"; 15 15 + regex = ''^(?<remote_addr>[^ ]+) - (?<remote_user>[^ ]+) \[(?<time_local>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<body_bytes_sent>\d+) "(?<http_referer>[^"]*)" "(?<http_user_agent>[^"]*)" (?<request_time>[0-9\.]+)$''; 16 16 + time_key = "time_local"; 17 17 + time_format = "%d/%b/%Y:%H:%M:%S %z"; 18 18 + time_keep = "off"; 19 19 + } 20 20 + ]; 21 21 + pipeline = { 22 22 + inputs = [ 23 23 + { 24 24 + name = "tail"; 25 25 + tag = "nginx.access"; 26 26 + path = "/var/lib/nginx/access.log"; 27 27 + db = "/var/lib/fluent-bit/nginx-access.db"; 28 28 + parser = "nginx"; 29 29 + } 30 30 + ]; 31 31 + outputs = [ 32 32 + { 33 33 + name = "http"; 34 34 + match = "nginx.access"; 35 35 + host = "127.0.0.1"; 36 36 + port = lib.removePrefix ":" config.services.victorialogs.listenAddress; 37 37 + uri = "/insert/jsonline?_stream_fields=stream&_msg_field=log&_time_field=date"; 38 38 + format = "json_lines"; 39 39 + json_date_format = "iso8601"; 40 40 + } 41 41 + ]; 42 42 + }; 43 43 + }; 44 44 + }; 45 45 + 46 46 + systemd.services.fluent-bit.serviceConfig.StateDirectory = "fluent-bit"; 47 47 + }

+28

hosts/wolumonde/modules/nginx.nix

reviewed

··· 7 7 recommendedOptimisation = true; 8 8 recommendedGzipSettings = true; 9 9 recommendedProxySettings = true; 10 10 + statusPage = true; 10 11 }; 11 12 12 13 users.users.nginx.extraGroups = [ "acme" ]; ··· 33 34 ]; 34 35 }; 35 36 }; 37 37 + 38 38 + services.prometheus.exporters.nginx = { 39 39 + enable = true; 40 40 + port = 9113; 41 41 + }; 42 42 + 43 43 + services.vmalert.rules.groups = [ 44 44 + { 45 45 + name = "nginx-logs"; 46 46 + type = "vlogs"; 47 47 + interval = "1m"; 48 48 + rules = [ 49 49 + { 50 50 + record = "nginx_request_count"; 51 51 + expr = "* | stats count() as requests"; 52 52 + } 53 53 + { 54 54 + record = "nginx_5xx_count"; 55 55 + expr = ''* | status:~"5.." | stats count() as errors''; 56 56 + } 57 57 + { 58 58 + record = "nginx_request_latency_avg"; 59 59 + expr = "* | stats avg(request_time) as avg_latency"; 60 60 + } 61 61 + ]; 62 62 + } 63 63 + ]; 36 64 }

+6

hosts/wolumonde/modules/node-exporter.nix

reviewed

··· 1 1 + { 2 2 + services.prometheus.exporters.node = { 3 3 + enable = true; 4 4 + port = 9100; # default 5 5 + }; 6 6 + }

+37 -9

hosts/wolumonde/modules/perses.nix

reviewed

··· 1 1 - {pkgs, config, ...}: 1 1 + { pkgs, config, ... }: 2 2 let 3 3 domain = "dash.gaze.systems"; 4 4 port = 7412; ··· 6 6 7 7 persesImage = pkgs.dockerTools.pullImage { 8 8 imageName = "docker.io/persesdev/perses"; 9 9 - imageDigest = "sha256:30a6c2d66e48d64619076e4f088d7d535d14409c9083256f0d56c4cc91294684"; 10 10 - sha256 = "sha256-U6sorhUnQ0AH9cygnrnz6XDFEtD41GtQSie/Hri7u8c="; 9 9 + imageDigest = "sha256:7d4647ce31841f67c2361bd10ea344de1edd7fbf65711c75805a5aacdc7735d0"; 10 10 + sha256 = "sha256-oOQYJzGEEEkjfqlVkEGLOH3e4iywd8QnptY9UxPd1iw="; 11 11 }; 12 12 persesHealthcheckImage = pkgs.dockerTools.streamLayeredImage { 13 13 name = "perses"; 14 14 tag = "latest"; 15 15 fromImage = persesImage; 16 16 - contents = [pkgs.curl]; 17 17 - config.Entrypoint = ["/bin/perses"]; 18 18 - config.Cmd = ["--config=/etc/perses/config.yaml" "--log.level=error"]; 16 16 + contents = [ pkgs.curl ]; 17 17 + config.Entrypoint = [ "/bin/perses" ]; 18 18 + config.Cmd = [ 19 19 + "--config=/etc/perses/config.yaml" 20 20 + "--log.level=info" 21 21 + # "--log.method-trace" 22 22 + ]; 19 23 config.Healthcheck = { 20 20 - Test = ["/bin/curl" "http://localhost:8080/api/v1/health"]; 24 24 + Test = [ 25 25 + "/bin/curl" 26 26 + "http://localhost:8080/api/v1/health" 27 27 + ]; 21 28 Retries = 3; 22 29 }; 23 30 }; 31 31 + 32 32 + persesEnv = config.virtualisation.oci-containers.containers.perses.environment; 33 33 + secrets = config.age.secrets; 34 34 + provisionFolder = "provisioning"; 24 35 in 25 36 { 26 37 users.users.${user} = { ··· 31 42 linger = true; 32 43 autoSubUidGidRange = true; 33 44 }; 34 34 - users.groups.${user} = {}; 45 45 + users.groups.${user} = { }; 35 46 36 47 age.secrets.persesSecret = { 37 48 file = ../../../secrets/persesSecret.age; 38 49 owner = user; 39 50 group = user; 40 51 }; 52 52 + age.secrets.persesAdminUser = { 53 53 + file = ../../../secrets/persesAdminUser.age; 54 54 + owner = user; 55 55 + group = user; 56 56 + }; 57 57 + 58 58 + systemd.services.perses.preStart = 59 59 + let 60 60 + provisioningFolder = "${config.users.users.${user}.home}/${provisionFolder}"; 61 61 + in 62 62 + '' 63 63 + rm -rf ${provisioningFolder} && mkdir -p ${provisioningFolder} 64 64 + cp -f ${secrets.persesAdminUser.path} ${provisioningFolder}/1-admin-user.json 65 65 + cp -f ${./perses/provision}/* ${provisioningFolder} 66 66 + ''; 41 67 42 68 virtualisation.oci-containers.containers.perses = { 43 69 serviceName = "perses"; ··· 49 75 inherit user; 50 76 sdnotify = "healthy"; 51 77 }; 52 52 - environmentFiles = [config.age.secrets.persesSecret.path]; 78 78 + environmentFiles = [ secrets.persesSecret.path ]; 53 79 environment = { 54 80 PERSES_SECURITY_AUTHENTICATION_PROVIDERS_ENABLE_NATIVE = "true"; 55 81 PERSES_SECURITY_AUTHENTICATION_DISABLE_SIGN_UP = "true"; 56 82 PERSES_SECURITY_ENABLE_AUTH = "true"; 57 83 PERSES_SECURITY_COOKIE_SAME_SITE = "strict"; 58 84 PERSES_SECURITY_COOKIE_SECURE = "true"; 85 85 + PERSES_PROVISIONING_FOLDERS_0 = "/perses/${provisionFolder}"; 86 86 + # PERSES_PROVISIONING_INTERVAL = "1m"; 59 87 # PERSES_AUTHORIZATION_GUEST_PERMISSIONS_ACTIONS = "read"; 60 88 }; 61 89 volumes = [

+22

hosts/wolumonde/modules/perses/provision/10-victoria.json

reviewed

··· 1 1 + [ 2 2 + { 3 3 + "kind": "GlobalDatasource", 4 4 + "metadata": { 5 5 + "name": "victoria" 6 6 + }, 7 7 + "spec": { 8 8 + "default": false, 9 9 + "plugin": { 10 10 + "kind": "PrometheusDatasource", 11 11 + "spec": { 12 12 + "proxy": { 13 13 + "kind": "HTTPProxy", 14 14 + "spec": { 15 15 + "url": "http://localhost:8428" 16 16 + } 17 17 + } 18 18 + } 19 19 + } 20 20 + } 21 21 + } 22 22 + ]

+20

hosts/wolumonde/modules/perses/provision/2-admin-role.json

reviewed

··· 1 1 + [ 2 2 + { 3 3 + "kind": "GlobalRole", 4 4 + "metadata": { 5 5 + "name": "admin" 6 6 + }, 7 7 + "spec": { 8 8 + "permissions": [ 9 9 + { 10 10 + "actions": [ 11 11 + "*" 12 12 + ], 13 13 + "scopes": [ 14 14 + "*" 15 15 + ] 16 16 + } 17 17 + ] 18 18 + } 19 19 + } 20 20 + ]

+17

hosts/wolumonde/modules/perses/provision/3-admin-bind-role.json

reviewed

··· 1 1 + [ 2 2 + { 3 3 + "kind": "GlobalRoleBinding", 4 4 + "metadata": { 5 5 + "name": "admin" 6 6 + }, 7 7 + "spec": { 8 8 + "role": "admin", 9 9 + "subjects": [ 10 10 + { 11 11 + "kind": "User", 12 12 + "name": "admin" 13 13 + } 14 14 + ] 15 15 + } 16 16 + } 17 17 + ]

+40 -1

hosts/wolumonde/modules/victoria.nix

reviewed

··· 1 1 + { config, ... }: 1 2 { 3 3 + # Enable single-node VictoriaMetrics on port 8428 (default) 2 4 services.victoriametrics = { 3 5 enable = true; 4 4 - listenAddress = ":9090"; 6 6 + listenAddress = ":8428"; # default port for metrics 7 7 + prometheusConfig = { 8 8 + scrape_configs = [ 9 9 + { 10 10 + job_name = "node"; 11 11 + static_configs = [ 12 12 + { 13 13 + targets = [ "localhost:9100" ]; 14 14 + labels.type = "node"; 15 15 + } 16 16 + ]; 17 17 + } 18 18 + { 19 19 + job_name = "nginx"; 20 20 + static_configs = [ { targets = [ "localhost:9113" ]; } ]; 21 21 + } 22 22 + ]; 23 23 + }; 24 24 + }; 25 25 + 26 26 + # Enable VictoriaLogs (logs database) on port 9428 (default) 27 27 + services.victorialogs = { 28 28 + enable = true; 29 29 + listenAddress = ":9428"; # default port for logs 30 30 + # You can add extra options if needed, e.g. authentication or retention 31 31 + # extraOptions = [ "-loggerLevel=INFO" ]; 32 32 + }; 33 33 + 34 34 + # Enable vmalert for LogsQL recording rules 35 35 + services.vmalert = { 36 36 + enable = true; 37 37 + # Point vmalert to VictoriaLogs and VictoriaMetrics 38 38 + settings = { 39 39 + "datasource.url" = "http://127.0.0.1${config.services.victorialogs.listenAddress}"; # VictoriaLogs address 40 40 + "remoteWrite.url" = "http://127.0.0.1${config.services.victoriametrics.listenAddress}"; # Remote-write to VictoriaMetrics 41 41 + "remoteRead.url" = "http://127.0.0.1${config.services.victoriametrics.listenAddress}"; # Remote-read from VictoriaMetrics 42 42 + "rule.defaultRuleType" = "vlogs"; # Use LogsQL rules by default 43 43 + }; 5 44 }; 6 45 }

+17

secrets/persesAdminUser.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-rsa Abmvag 3 3 + aC8NJ4nTL3enyic3ZKiPRM/iSvw25bJNLWxjSOX4GK5bigBYUZ/IBcxfIY6wZU9i 4 4 + AQk3Eq+K3C3CmN01+pljQGwz40+fgAr1eRaiBCzjb4D27Tm8bWalNbXqoAjsvS18 5 5 + KakmE1LFUckCTi1UbvyzkfGJm4x7tWBVHf86m187oMa7frSble37hiHW6e+FHQYS 6 6 + N3Pwpgt7vw3T3cIJu6KYytPtPeOgMGng8/VhJNjPC5cI0Ms6qDZYdnuqu7mLYIs+ 7 7 + zUB2OLmyilwmOg+fEb29XZ+SlgWwRWs9UYaU7exQk8oV6ciNgXonWJEATxZf70Ys 8 8 + 5Qs8yIABNNYNwK3kGltJ69N/qPx6wy7+BmHCHrp7nAXMWT1BAR+dwGGPOcYOeJSq 9 9 + eG5dcztxbU028uJyboeSdQ0kJWUr1oMbj6O9h33OwHnvQU/Uv0LeN4sVTyDV16CB 10 10 + pc7DuFVMQH/1/qXlhIHzB4STAQ/Rl47B/EiTh4VpPXMCEAMkRf/I+8sdi20n0Ccx 11 11 + 1fcqcUPbTTt6w9IsO8YePhs+ranOoc4A45c4/Z4VOBac25x1+c0QQwKKvuqc0nUv 12 12 + PY+PYhsijCfFLKfs+6XtgVyxL18JnFCIRnBBC26f1Uob03OtSrHHmNU1XInClfJA 13 13 + AkM+CNqq0Dd22UvaCQCNlbVYgXMxDKfCmWgJxvEZqPI 14 14 + -> ssh-ed25519 KjIL7g luwaQ0SGxd1MjJsfVaRd+ByjHGnPHLvqHD0KqX7cf28 15 15 + 1Arj+ObFifzCkJnz0MVrzbXb9+PNQszX1JEEBlJUtv8 16 16 + --- Mg03KflF4IK4VxxPwYG1ks+rK/ilu6fuYEykJHeJJTU 17 17 + �CG�cY-Q��,]a�༿�
���÷��s ��R&����^e`�ů���@��X�y�ńH����`�ߤ �>$��Tj�{�5�M$���^�����r��n9'7�1��X�=�v;����ns9���1��ʠ���B���[yEg7����9�:*�yעWGX}m�&�Rɚ�P�Y2�>�oԎ
�A�<�V#�

+9 -2

secrets/secrets.nix

reviewed

··· 32 32 yusdacra 33 33 wolumonde 34 34 ]; 35 35 - "deployWebhook.age".publicKeys = [yusdacra]; 36 36 - "persesSecret.age".publicKeys = [yusdacra wolumonde]; 35 35 + "deployWebhook.age".publicKeys = [ yusdacra ]; 36 36 + "persesSecret.age".publicKeys = [ 37 37 + yusdacra 38 38 + wolumonde 39 39 + ]; 40 40 + "persesAdminUser.age".publicKeys = [ 41 41 + yusdacra 42 42 + wolumonde 43 43 + ]; 37 44 }

+5 -1

shells/default.nix

reviewed

··· 32 32 rage 33 33 nh 34 34 ]) 35 35 - ++ [ agenix-wrapped commit deploy ]; 35 35 + ++ [ 36 36 + agenix-wrapped 37 37 + commit 38 38 + deploy 39 39 + ]; 36 40 shellHook = '' 37 41 echo \"$(tput bold)welcome to PRTS, $USER$(tput sgr0)\" 38 42 export FLAKE=$PWD