Added lots of sops

2025-09-13 22:02:42 +02:00 · 2025-09-13 22:02:42 +02:00 · 01c04cd91c
commit 01c04cd91c
parent 84bec55415
25 changed files with 532 additions and 183 deletions
--- a/moduler/services/headscale/default.nix
+++ b/moduler/services/headscale/default.nix
@ -0,0 +1,46 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib;
+{
+  options = {
+    headscale = {
+      enable = mkEnableOption "enables headscale";
+      domain = lib.mkOption {
+        type = lib.types.str;
+        default = "headscale.wastring.com";
+        description = "The domain that headscale is served on.";
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf config.headscale.enable {
+      services = {
+        headscale = {
+          enable = true;
+          address = "0.0.0.0";
+          port = 8080;
+          server_url = "https://${domain}";
+          dns = {
+            baseDomain = "example.com";
+          };
+          settings = {
+            logtail.enabled = false;
+          };
+        };
+
+        nginx.virtualHosts.${domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.headscale.port}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    })
+  ];
+}
--- a/moduler/services/monitoring/default.nix
+++ b/moduler/services/monitoring/default.nix
@ -1,53 +1,115 @@
 {
  lib,
  config,
-  pkgs,
  ...
 }:
+with lib;
+
+let
+
+in
 {
  options = {
    grafana = {
-      enable = lib.mkEnableOption "enables grafana";
-      host = lib.mkDefault "127.0.0.1";
-      port = lib.mkDefault 2342;
-      domain = lib.mkOption {
-        type = lib.types.str;
+      enable = mkEnableOption "enables grafana";
+      port = lib.mkOption {
+        type = lib.types.int;
+        default = 2342;
+        description = "The port Grafana listens on.";
+      };
+      host = mkOption {
+        type = types.str;
+        defaultText = literalExpression "127.0.0.1";
+        description = "The hostname that Grafana binds to";
+      };
+      domain = mkOption {
+        type = types.str;
        description = "Domain name for Grafana to be served on.";
      };
    };
+    alloy = {
+      enable = mkEnableOption "enables alloy";
+      configPath = lib.mkOption {
+        type = lib.types.path;
+        default = ./alloy.yaml;
+        description = "The path to the configPath.";
+      };
+    };
    prometheus = {
-      enable = lib.mkEnableOption "enables prometheus";
-      port = lib.mkDefault 9001;
-      exporter = {
-        enable = lib.mkEnableOption "enables node exporter";
-        port = lib.mkDefault 9002;
+      enable = mkEnableOption "enables prometheus";
+      port = lib.mkOption {
+        type = lib.types.int;
+        default = 9001;
+        description = "The port Prometheus listens on.";
+      };
+      exporters = {
+        enable = mkEnableOption "enables node exporters";
+        port = lib.mkOption {
+          type = lib.types.int;
+          default = 9002;
+          description = "The port Prometheus node exporter listens on.";
+        };
+      };
+    };
+    loki = {
+      enable = mkEnableOption "enables prometheus";
+      configFile = lib.mkOption {
+        type = lib.types.path;
+        default = ./loki.yaml;
+        description = "The path to the configFile.";
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.str;
+        default = "/var/loki";
+        description = "The path to the data directory.";
      };
    };
  };

-  config = lib.mkMerge [
-    (lib.mkIf config.grafana.enable {
+  config = mkMerge [
+    (mkIf config.grafana.enable {
      services.grafana = {
        enable = true;
-        domain = config.grafana.domain;
-        port = config.grafana.port;
-        addr = config.grafana.host;
+        settings = {
+          server = {
+            domain = config.grafana.domain;
+            http_port = config.grafana.port;
+            http_addr = config.grafana.host;
+          };
+        };
      };

      # nginx reverse proxy
      services.nginx.virtualHosts."${config.grafana.domain}" = {
+        enableACME = true;
+        forceSSL = true;
        locations."/" = {
          proxyPass = "http://${config.grafana.host}:${toString config.grafana.port}";
          proxyWebsockets = true;
+          extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;";
        };
      };
    })
+    (mkIf config.loki.enable {
+      networking.firewall.allowedTCPPorts = [ 3100 ];
+      services.loki = {
+        enable = true;
+        configFile = config.loki.configFile;
+        dataDir = config.loki.dataDir;
+      };
+    })
+    (mkIf config.alloy.enable {
+      services.alloy = {
+        enable = true;
+        configPath = config.alloy.configPath;
+      };
+    })

-    (lib.mkIf config.prometheus.enable {
+    (mkIf config.prometheus.enable {
      services.prometheus = {
        enable = true;
        port = config.prometheus.port;
-        exporters = lib.mkIf config.prometheus.exporters {
+        exporters = mkIf config.prometheus.exporters.enable {
          node = {
            enable = true;
            enabledCollectors = [ "systemd" ];
@ -56,7 +118,7 @@
        };
        scrapeConfigs = [
          {
-            job_name = "chrysalis";
+            job_name = "desktop";
            static_configs = [
              {
                targets = [ "${config.grafana.host}:${toString config.prometheus.exporters.port}" ];
@ -64,7 +126,6 @@
            ];
          }
        ];
-
      };
    })
  ];
--- a/moduler/services/monitoring/loki.yaml
+++ b/moduler/services/monitoring/loki.yaml
@ -0,0 +1,55 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+
+ingester:
+  lifecycler:
+    address: 0.0.0.0
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+    final_sleep: 0s
+  chunk_idle_period: 1h
+  max_chunk_age: 1h
+  chunk_target_size: 1048576
+  chunk_retain_period: 30s    
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: filesystem
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+    - from: 2025-09-14 # Set this to a future date
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /var/lib/loki/boltdb-shipper-active
+    cache_location: /var/lib/loki/boltdb-shipper-cache
+    cache_ttl: 24h         
+  filesystem:
+    directory: /var/lib/loki/chunks
+  tsdb_shipper:
+    active_index_directory: /var/lib/loki/tsdb-active-index
+    cache_location: /var/lib/loki/tsdb-cache
+
+limits_config:
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+  allow_structured_metadata: false
+
+table_manager:
+  retention_deletes_enabled: false
+  retention_period: 0s
+
--- a/moduler/services/wireguard-server/default.nix
+++ b/moduler/services/wireguard-server/default.nix
@ -0,0 +1,63 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+
+let
+
+in
+{
+  options = {
+    wireguard-server = {
+      enable = mkEnableOption "enables wireguard-server";
+      port = lib.mkOption {
+        type = lib.types.int;
+        default = 51820;
+        description = "The port that the Wireguard server listens on.";
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf config.loki.enable {
+      sops.secrets.wireguard_private_key = {};
+	  users.users."systemd-network".extraGroups = [ "keys" ];
+      networking.nat.enable = true;
+      networking.nat.externalInterface = "eth0";
+      networking.nat.internalInterfaces = [ "wg0" ];
+      networking.firewall = {
+        allowedUDPPorts = [ config.wireguard-server.port ];
+      };
+
+      networking.wireguard.enable = true;
+      networking.wireguard.interfaces = {
+        wg0 = {
+          ips = [ "10.100.0.1/24" ];
+
+          listenPort = config.wireguard-server.port;
+
+          postSetup = ''
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          '';
+
+          postShutdown = ''
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          '';
+
+          privateKeyFile = config.sops.secrets.wireguard_private_key.path;
+
+          peers = [
+            {
+              name = "fwastring";
+              publicKey = "iJw5Km99HT9/TuVtSyDhOwPPcoWeRO67dhhrKPbjRTA=";
+              allowedIPs = [ "10.100.0.2/32" ];
+            }
+          ];
+        };
+      };
+    })
+  ];
+}