Compare commits

...

4 commits

Author SHA1 Message Date
745ce62f88
feat: better prometheus integration 2024-07-30 20:14:37 +08:00
1830ab192c
feat: enable tailscale on servers 2024-07-30 20:13:20 +08:00
013d87afdf
fix 2024-07-30 20:09:41 +08:00
c88f86eec2
feat: enable tailscale on servers 2024-07-30 17:03:27 +08:00
4 changed files with 19 additions and 57 deletions

View file

@ -208,7 +208,6 @@
element-desktop element-desktop
tdesktop tdesktop
qq qq
feishu
# Password manager # Password manager
bitwarden bitwarden
@ -265,6 +264,11 @@
custom.forgejo-actions-runner.enable = true; custom.forgejo-actions-runner.enable = true;
custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path; custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path;
custom.prometheus = {
enable = true;
exporters.enable = true;
};
# MTP support # MTP support
services.gvfs.enable = true; services.gvfs.enable = true;

View file

@ -14,6 +14,12 @@ in
config = { config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts; isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts; isLightsail = builtins.elem config.networking.hostName awsHosts;
commonSettings = {
auth.enable = true;
nix.enable = true;
};
sops = { sops = {
secrets = { secrets = {
wg_private_key = { wg_private_key = {
@ -43,6 +49,8 @@ in
networking.firewall.allowedTCPPorts = [ 80 8080 ]; networking.firewall.allowedTCPPorts = [ 80 8080 ];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
services.tailscale.enable = true;
custom.prometheus = { custom.prometheus = {
enable = false; enable = false;
exporters.enable = false; exporters.enable = false;
@ -52,33 +60,6 @@ in
}; };
}; };
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.sing-box = let services.sing-box = let
singTls = { singTls = {
enabled = true; enabled = true;

View file

@ -8,6 +8,11 @@
./services.nix ./services.nix
]; ];
commonSettings = {
auth.enable = true;
nix.enable = true;
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@ -53,33 +58,5 @@
hostName = "massicot"; hostName = "massicot";
}; };
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
} }

View file

@ -103,7 +103,7 @@ in
name = "ntfy"; name = "ntfy";
webhook_configs = [ webhook_configs = [
{ {
url = "${config.services.ntfy-sh.settings.base-url}/prometheus-alerts"; url = "https://ntfy.xinyang.life/prometheus-alerts";
send_resolved = true; send_resolved = true;
} }
]; ];