Diffstat (limited to 'host')
10 files changed, 51 insertions, 486 deletions
diff --git a/host/Spacebar-monitoring/configuration.nix b/host/Spacebar-monitoring/configuration.nix deleted file mode 100755 index 436dc47..0000000 --- a/host/Spacebar-monitoring/configuration.nix +++ /dev/null 
@@ -1,267 +0,0 @@ -{ config, pkgs, lib, secrets, ... }: - -{ - imports = - [ - ../../modules/base.nix - ]; - - networking = { - hostName = "Spacebar-monitoring"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.99"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.11.99"; - prefixLength = 16; - } ]; - }; - - services = { - prometheus = { - enable = true; - stateDir = "prometheus"; - retentionTime = "1y"; - extraFlags = [ - ]; - # alertmanagerURL = [ "http://localhost:9093" ]; - # rules = [ - # '' - # ALERT node_down - # IF up == 0 - # FOR 5m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}}: Node is down.", - # description = "{{$labels.alias}} has been down for more than 5 minutes." - # } - # ALERT node_systemd_service_failed - # IF node_systemd_unit_state{state="failed"} == 1 - # FOR 4m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", - # description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." - # } - # ALERT node_filesystem_full_90percent - # IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 - # FOR 5m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}}: Filesystem is running out of space soon.", - # description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." - # } - # ALERT node_filesystem_full_in_4h - # IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 - # FOR 5m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", - # description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 
4 hours" - # } - # ALERT node_filedescriptors_full_in_3h - # IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum - # FOR 20m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", - # description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" - # } - # ALERT node_load1_90percent - # IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 - # FOR 1h - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}}: Running on high load.", - # description = "{{$labels.alias}} is running with > 90% total load for at least 1h." - # } - # ALERT node_cpu_util_90percent - # IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 - # FOR 1h - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary = "{{$labels.alias}}: High CPU utilization.", - # description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." - # } - # ALERT node_ram_using_90percent - # IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 - # FOR 30m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary="{{$labels.alias}}: Using lots of RAM.", - # description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", - # } - # ALERT node_swap_using_80percent - # IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 - # FOR 10m - # LABELS { - # severity="page" - # } - # ANNOTATIONS { - # summary="{{$labels.alias}}: Running out of swap soon.", - # description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." 
- # } - # '' - # ]; - scrapeConfigs = [ - { - job_name = "node"; - scrape_interval = "5s"; - static_configs = [ - { - targets = [ - "localhost:9100" - ]; - labels = { - alias = "monitoring"; - }; - } - { - targets = [ - "192.168.1.2:9100" - ]; - labels = { - alias = "nginx"; - }; - } - { - targets = [ - "192.168.1.3:9100" - ]; - labels = { - alias = "email"; - }; - } - { - targets = [ - "192.168.1.4:9100" - ]; - labels = { - alias = "postgres"; - }; - } - # { - # targets = [ - # "192.168.1.5:9100" - # ]; - # labels = { - # alias = "synapse"; - # }; - # } - ]; - } - ]; - alertmanager = { - enable = false; - listenAddress = "0.0.0.0"; - configuration = { - "global" = { - "smtp_smarthost" = "smtp.example.com:587"; - "smtp_from" = "alertmanager@example.com"; - }; - "route" = { - "group_by" = [ "alertname" "alias" ]; - "group_wait" = "30s"; - "group_interval" = "2m"; - "repeat_interval" = "4h"; - "receiver" = "team-admins"; - }; - "receivers" = [ - { - "name" = "team-admins"; - "email_configs" = [ - { - "to" = "devnull@example.com"; - "send_resolved" = true; - } - ]; - "webhook_configs" = [ - { - "url" = "https://example.com/prometheus-alerts"; - "send_resolved" = true; - } - ]; - } - ]; - }; - }; - }; - grafana = { - enable = true; - settings = { - server = { - root_url = "https://grafana.spacebar.chat/"; - enable_gzip = true; - http_addr = "0.0.0.0"; - domain = "grafana.spacebar.chat"; - }; - analytics.reporting_enabled = false; - security.secret_key = secrets.secret_keys.grafana; - }; - provision = { - datasources.settings = { - datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:9090"; - access = "proxy"; - isDefault = true; - } - ]; - }; - dashboards.settings = { - apiVersion = 1; - providers = [ - { - name = "Prometheus 2.0 Overview"; - revision = "1"; - folder = "prometheus"; - uid = "prometheus2"; - type = "file"; - options = { - path = pkgs.fetchurl { - url = "https://grafana.com/api/dashboards/3662/revisions/2/download"; 
- hash = "sha256:111krihyc4ydwcb9r9a6xrn10841nprvb7sz36az2djqyzrj4yzs"; - }; - }; - } - { - name = "Node Exporter Full"; - revision = "31"; - folder = "prometheus"; - uid = "node-exporter-full"; - type = "file"; - options = { - path = pkgs.fetchurl { - url = "https://grafana.com/api/dashboards/1860/revisions/31/download"; - hash = "sha256:120wyg0d1ycn8wkyng9ngms4v2hri8b7x37dfd318qdjfsr4gi22"; - }; - }; - } - ]; - }; - }; - }; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Spacebar-nginx/configuration.nix b/host/Spacebar-nginx/configuration.nix index 56b5bf1..434b2ff 100755 --- a/host/Spacebar-nginx/configuration.nix +++ b/host/Spacebar-nginx/configuration.nix @@ -26,6 +26,13 @@ recommendedProxySettings = true; recommendedTlsSettings = true; clientMaxBodySize = "50m"; + appendConfig = '' + worker_processes 16; + ''; + eventsConfig = '' + #use kqueue; + worker_connections 512; + ''; virtualHosts = { # legacy "matrix.thearcanebrony.net" = import ./nginx-hosts/thearcanebrony.net/matrix.nix; @@ -44,6 +51,11 @@ }; }; }; + + systemd.services.nginx.serviceConfig = { + LimitNOFILE=5000000; + }; + systemd.services.nginx.requires = [ "data.mount" ]; security.acme.acceptTerms = true; security.acme.defaults.email = "chris@spacebar.chat"; diff --git a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/container.nix b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/container.nix index bed6690..277a556 100755 --- a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/container.nix +++ b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/container.nix @@ -16,7 +16,7 @@ ''; networking.firewall = { enable = true; - allowedTCPPorts = [ 80 ]; + allowedTCPPorts = [ 80 5432 ]; }; }; hostAddress = "192.168.101.1"; diff --git a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/root.nix b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/root.nix index bb005f9..d543ef2 100755 
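Review bot: `systemd.services.nginx.requires = [ "data.mount" ];` in the second hunk pulls the mount in but does not order nginx after it; `Requires=` without `After=` lets nginx start in parallel with the mount, so anything it reads from /data may be missing on the first start. Add `systemd.services.nginx.after = [ "data.mount" ];` beside it. In the first hunk, `worker_processes 16` with `worker_connections 512` caps nginx at 8192 concurrent connections, which is hard to reconcile with `LimitNOFILE=5000000` from the second hunk; one of the two numbers looks unintended, and a one-line comment stating the intended capacity would settle it. `#use kqueue;` is a BSD-only event method and is dead text on Linux; dropping it keeps `eventsConfig` to the one directive that matters.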
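Review bot: Opening 5432 in `allowedTCPPorts` exposes the container's PostgreSQL to whatever can reach the container address, while the only consumers added in this change (the spacebar-server units in services/spacebar-server.nix) connect over 127.0.0.1 and need no firewall rule. The role created in services/postgres.nix uses the literal password `spacebar`, so a listener on 5432 that also accepts remote connections is effectively unauthenticated; whether it does depends on `enableTCPIP` and `services.postgresql.authentication`, which are outside this hunk. Unless an external client is intended, keep `allowedTCPPorts = [ 80 ];`; if remote access is required, name the peer in a comment and restrict it in `services.postgresql.authentication` rather than relying on the password alone.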
--- a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/root.nix +++ b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/root.nix @@ -5,6 +5,7 @@ [ ./services/nginx.nix ./services/spacebar-server.nix + ./services/postgres.nix ]; environment.systemPackages = with pkgs; [ diff --git a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/postgres.nix b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/postgres.nix index 97ea3e6..b3c8cad 100644 --- a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/postgres.nix +++ b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/postgres.nix @@ -16,7 +16,7 @@ ''; initialScript = pkgs.writeText "backend-initScript" '' CREATE ROLE spacebar WITH LOGIN PASSWORD 'spacebar' CREATEDB; - CREATE DATABASE spacebar; + CREATE DATABASE spacebar WITH OWNER spacebar ENCODING 'UTF8'; GRANT ALL PRIVILEGES ON DATABASE spacebar TO spacebar; ''; #dataDir = "/data/pg"; diff --git a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/spacebar-server.nix b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/spacebar-server.nix index d207687..1debbbd 100755 --- a/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/spacebar-server.nix +++ b/host/Spacebar-nginx/containers/spacebar-server-dev-nix/services/spacebar-server.nix 
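Review bot: The new `CREATE DATABASE spacebar WITH OWNER spacebar ENCODING 'UTF8';` lives in `initialScript`, which the NixOS module runs only when the cluster's data directory is first initialised, so an already-provisioned dev container keeps the old ownership and the change has no effect until the data directory is recreated; a comment saying so, or an `ALTER DATABASE spacebar OWNER TO spacebar;` applied once on existing installs, avoids a confusing mismatch. With `spacebar` as owner, the `GRANT ALL PRIVILEGES ON DATABASE spacebar TO spacebar;` line that follows is redundant and can go. The role is still created with the literal password `spacebar` on the context line above; that is tolerable for a dev container only while the listener stays on loopback.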
@@ -1,41 +1,71 @@ { config, pkgs, lib, spacebar-server, ... }: { + services.rabbitmq.enable = true; + + systemd.tmpfiles.rules = [ "d /var/lib/spacebar-server 0750 spacebar spacebar" ]; + users.users.spacebar = { + isSystemUser = true; + group = "spacebar"; + home = "/var/lib/spacebar-server"; + createHome = true; + shell = "/bin/false"; + }; + + users.groups.spacebar = { + #isSystemGroup = true; + }; + systemd.services = { "spacebar-server-api" = { wantedBy = [ "multi-user.target" ]; - after = [ "resolvconf.target" ]; + after = [ "resolvconf.target" "postgresql.service" "rabbitmq.service" ]; serviceConfig = { ExecStart = '' ${spacebar-server.packages.${pkgs.system}.default}/bin/start-api ''; #Restart = "never"; - User = "root"; + User = "spacebar"; WorkingDirectory = "/var/lib/spacebar-server"; + Environment = [ + "DATABASE=postgres://spacebar:spacebar@127.0.0.1/spacebar" + "LOG_REQUESTS='-'" + #"DB_LOGGING='true'" + ]; }; }; "spacebar-server-gateway" = { wantedBy = [ "multi-user.target" ]; - after = [ "resolvconf.target" ]; + after = [ "resolvconf.target" "postgresql.service" "rabbitmq.service" "spacebar-server-api.service" ]; serviceConfig = { ExecStart = '' ${spacebar-server.packages.${pkgs.system}.default}/bin/start-gateway ''; #Restart = "never"; - User = "root"; + User = "spacebar"; WorkingDirectory = "/var/lib/spacebar-server"; + Environment = [ + "DATABASE=postgres://spacebar:spacebar@127.0.0.1/spacebar" + "LOG_REQUESTS='-'" + #"DB_LOGGING='true'" + ]; }; }; "spacebar-server-cdn" = { wantedBy = [ "multi-user.target" ]; - after = [ "resolvconf.target" ]; + after = [ "resolvconf.target" "postgresql.service" "rabbitmq.service" "spacebar-server-api.service" ]; serviceConfig = { ExecStart = '' ${spacebar-server.packages.${pkgs.system}.default}/bin/start-cdn ''; #Restart = "never"; - User = "root"; + User = "spacebar"; WorkingDirectory = "/var/lib/spacebar-server"; + Environment = [ + "DATABASE=postgres://spacebar:spacebar@127.0.0.1/spacebar" + 
"LOG_REQUESTS='-'" + #"DB_LOGGING='true'" + ]; }; }; }; diff --git a/host/Spacebar-postgres/configuration.nix b/host/Spacebar-postgres/configuration.nix deleted file mode 100755 index b40fd3a..0000000 --- a/host/Spacebar-postgres/configuration.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base.nix - ]; - - networking = { - hostName = "Spacebar-postgres"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.4"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.11.4"; - prefixLength = 16; - } ]; - }; - - systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ]; - - services.postgresql = { - enable = true; - package = pkgs.postgresql_14; - enableTCPIP = true; - authentication = pkgs.lib.mkOverride 10 '' - # TYPE, DATABASE, USER, ADDRESS, METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host matrix-synapse-spacebar-chat matrix-synapse-spacebar-chat 192.168.1.5/32 trust - host all all 0.0.0.0/0 md5 - ''; - initialScript = pkgs.writeText "backend-initScript" '' - CREATE ROLE matrix-synapse-spacebar-chat WITH LOGIN PASSWORD '${pkgs.postgresql_14}' CREATEDB; - CREATE DATABASE matrix-synapse-spacebar-chat; - GRANT ALL PRIVILEGES ON DATABASE matrix-synapse-spacebar-chat TO matrix-synapse-spacebar-chat; - ''; - dataDir = "/data/pg"; - settings = { - "max_connections" = "100"; - "shared_buffers" = "128MB"; - "max_wal_size" = "1GB"; - "min_wal_size" = "80MB"; - }; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Spacebar-synapse/configuration.nix b/host/Spacebar-synapse/configuration.nix deleted file mode 100755 index a06a83d..0000000 --- a/host/Spacebar-synapse/configuration.nix +++ /dev/null 
@@ -1,121 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ]; - - networking = { - hostName = "Spacebar-synapse"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.5"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.11.5"; - prefixLength = 16; - } ]; - }; - - # Discord bridge - services.matrix-appservice-discord = { - enable = false; # Alicia - figure out secret first... - environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; - settings = { - bridge = { - domain = "spacebar.chat"; - homeserverUrl = "https://matrix.spacebar.chat"; - }; - database = { - connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord"; - }; - }; - }; - - services.matrix-synapse = { - enable = true; - settings = { - server_name = "spacebar.chat"; - enable_registration = false; - registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; - # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410 - listeners = [ - { - port = 8008; - bind_addresses = [ "192.168.1.5" "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ { - names = [ "client" "federation" ]; - compress = true; - } ]; - } - ]; - dynamic_thumbnails = true; - presence = { - enable = true; - update_interval = 60; - }; - url_preview_enabled = true; - - database = { - name = "psycopg2"; - args = { - user = "matrix-synapse-spacebar-chat"; - password = "somepassword"; - database = "matrix-synapse-spacebar-chat"; - host = "192.168.1.3"; - }; - }; - app_service_config_files = [ ]; - }; - - plugins = with pkgs.matrix-synapse-plugins; [ ]; - }; - - # Alicia - doesnt work yet... until in nixpkgs... 
- services.draupnir = { - enable = true; - - pantalaimon = { - enable = true; - username = "draupnir"; - passwordFile = "/etc/draupnir-password"; - options = { - homeserver = "http://localhost:8008"; - ssl = false; - }; - }; - managementRoom = "#draupnir-mgmt:spacebar.chat"; - homeserverUrl = "http://localhost:8008"; - verboseLogging = false; - settings = { - recordIgnoredInvites = false; - automaticallyRedactForReasons = [ "*" ]; - fasterMembershipChecks = true; - backgroundDelayMS = 100; - pollReports = true; - admin.enableMakeRoomAdminCommand = true; - commands.ban.defaultReasons = [ - "spam" - "harassment" - "transphobia" - "scam" - ]; - protections = { - wordlist = { - words = [ - "tranny" - "faggot" - ]; - minutesBeforeTrusting = 0; - }; - }; - }; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Spacebar-synapse/post-rebuild.sh b/host/Spacebar-synapse/post-rebuild.sh deleted file mode 100755 index 8dc0e7d..0000000 --- a/host/Spacebar-synapse/post-rebuild.sh +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/usr/bin/env nix-shell -#!nix-shell -i bash -p curl gnused nix coreutils jq openssl -#set -x -REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt` -LOCALPART='rory.gay' -REACHABLE_DOMAIN='http://localhost:8008' - -# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md -# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat> -# Explicit authorisation to use the code has been granted by the original author -# for use by members of the Rory system (https://rory.gay) - -# the magic function: -register(){ - echo "Registering $1 with password $2" - _nonce=`curl http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce` - #data: nonce, domain, username, password - _hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}'` - curl -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt -} - -# -- END OF LICENSED CODE - - - -PASSWD=`cat /etc/matrix-user-pass` -for u in {draupnir,rory,chris,maddy,cat} -do - register $u $PASSWD -done diff --git a/host/Spacebar-synapse/pre-rebuild.sh b/host/Spacebar-synapse/pre-rebuild.sh deleted file mode 100755 index 32905e3..0000000 --- a/host/Spacebar-synapse/pre-rebuild.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env sh -set -x -mkdir -p /var/lib/matrix-synapse -if [ ! -f "/var/lib/matrix-synapse/registration_shared_secret.txt" ] -then - cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 | tee /var/lib/matrix-synapse/registration_shared_secret.txt -else - echo Not generating key, key exists -fi \ No newline at end of file |