From c8305dd3d89435e032d8e2b7dfa6e85f5af36cb8 Mon Sep 17 00:00:00 2001
From: Polen
Date: Sat, 14 Jun 2025 08:53:35 -0400
Subject: [PATCH 1/3] pi/server more observable
---
Makefile | 2 +-
devices/pi/configuration.nix | 76 +++++++++++++++++++-------------
devices/server/configuration.nix | 28 ++++++++++++
devices/xps13/configuration.nix | 4 +-
4 files changed, 77 insertions(+), 33 deletions(-)
diff --git a/Makefile b/Makefile
index 8d99f63..69b63fc 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ build-pi-image: # Doest work yet rebuild-pi: - nixos-rebuild switch --flake .#pi --target-host polen@192.168.1.241 --use-remote-sudo + nixos-rebuild switch --flake .#pi --target-host pi --build-host server --use-remote-sudo deploy-server: nixos-rebuild switch --flake .#server --target-host server --build-host server --use-remote-sudo
diff --git a/devices/pi/configuration.nix b/devices/pi/configuration.nix
index 6beb5e6..863d948 100644
--- a/devices/pi/configuration.nix
+++ b/devices/pi/configuration.nix
@@ -1,12 +1,16 @@ -{ inputs, config, pkgs, lib, ... }: - -let +{ + inputs, + config, + pkgs, + lib, + ... +}: let user = "polen"; hostname = "pi"; in { boot = { kernelPackages = pkgs.linuxKernel.packages.linux_rpi3; - initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; + initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage"]; loader = { grub.enable = false; generic-extlinux-compatible.enable = true; 
@@ -17,51 +21,63 @@ in { "/" = { device = "/dev/disk/by-label/NIXOS_SD"; fsType = "ext4"; - options = [ "noatime" ]; + options = ["noatime"]; }; }; - #sops.defaultSopsFile = ../../secrets/secrets.yaml; - #sops.defaultSopsFormat = "yaml"; - #sops.age.keyFile = "/home/polen/.config/sops/age/keys.txt"; - #sops.secrets.pi_user_pass.neededForUsers = true; + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 10 * 1024; + } + ]; + + #sops.defaultSopsFile = ../../secrets/secrets.yaml; + #sops.defaultSopsFormat = "yaml"; + #sops.age.keyFile = "/home/polen/.config/sops/age/keys.txt"; + #sops.secrets.pi_user_pass.neededForUsers = true; networking = { - networkmanager.enable = true; - wireless.enable = false; + networkmanager.enable = true; + wireless.enable = false; hostName = hostname; - firewall.allowedTCPPorts = [ 80 443 ]; + firewall.allowedTCPPorts = [80 443]; }; - services.caddy = { - enable = true; - virtualHosts."mealie.polensky.me".extraConfig = '' - reverse_proxy http://localhost:9925 - ''; - }; + services.caddy = { + enable = true; + virtualHosts."mealie.polensky.me".extraConfig = '' + reverse_proxy http://localhost:9925 + ''; + }; - nix.settings.trusted-users = [ user ]; + services.prometheus.exporters = { + node.enable = true; + node.openFirewall = true; + }; - environment.systemPackages = with pkgs; [ - htop-vim - neovim - tmux - curl - wget - git - ranger - ]; + nix.settings.trusted-users = [user]; + + environment.systemPackages = with pkgs; [ + htop-vim + neovim + tmux + curl + wget + git + ranger + ]; services.openssh.enable = true; - virtualisation.docker.enable = true; + virtualisation.docker.enable = true; users = { mutableUsers = false; users."${user}" = { isNormalUser = true; #hashedPasswordFile = config.sops.secrets.pi_user_pass.path; - extraGroups = [ "wheel" "docker" ]; + extraGroups = ["wheel" "docker"]; }; };
diff --git a/devices/server/configuration.nix b/devices/server/configuration.nix
index 29fd7f6..f0c644f 100644 
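Review bot: `node.openFirewall = true` in the new `services.prometheus.exporters` block opens 9100 on every interface of the pi, although the only scraper is the server, and node_exporter answers unauthenticated with the host's kernel, mount, interface and unit inventory. Scope the rule to the scraper instead of opening the port globally, e.g. `node.firewallFilter = "-i <LAN_IFACE> -p tcp -m tcp --dport 9100";`, or keep `openFirewall = false` and list 9100 under `networking.firewall.interfaces.<LAN_IFACE>.allowedTCPPorts`. The `size = 10 * 1024` swapfile is 10 GiB because the option is in MiB; on an SD card that deserves a comment, `# 10 GiB; swapDevices.*.size is in MiB`. The enclosing `in { ... }` attrset continues outside the hunk.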
--- a/devices/server/configuration.nix
+++ b/devices/server/configuration.nix
@@ -15,6 +15,8 @@ }; #boot.kernelModules = ["msr"]; + boot.binfmt.emulatedSystems = ["aarch64-linux"]; + services.openssh.enable = true; services = {
@@ -29,6 +31,31 @@ rpc-whitelist = "127.0.0.1,192.168.*.*"; }; }; + prometheus = { + enable = true; + exporters = { + node.enable = true; + }; + scrapeConfigs = [ + { + job_name = "node-exporters-lan"; + static_configs = [ + { + targets = ["192.168.1.241:9100"]; + labels = { + instance = "pi"; + }; + } + { + targets = ["127.0.0.1:9100"]; + labels = { + instance = "server"; + }; + } + ]; + } + ]; + }; }; networking = {
@@ -36,6 +63,7 @@ firewall.allowedTCPPorts = [ 8096 # jellyfin 9091 # transmission + 9090 # prometheus ]; };
diff --git a/devices/xps13/configuration.nix b/devices/xps13/configuration.nix
index a07f4b5..21ad49d 100644
--- a/devices/xps13/configuration.nix
+++ b/devices/xps13/configuration.nix
@@ -29,14 +29,14 @@ nix = { settings.experimental-features = ["nix-command" "flakes"]; settings.trusted-users = ["polen"]; - # settings.extra-platforms = config.boot.binfmt.emulatedSystems; + settings.extra-platforms = config.boot.binfmt.emulatedSystems; gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 15d"; }; }; - # boot.binfmt.emulatedSystems = ["aarch64-linux"]; + boot.binfmt.emulatedSystems = ["aarch64-linux"]; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/";
From c40c7df3134c180112d75925d32a3f5edf4b9f85 Mon Sep 17 00:00:00 2001
From: Polen
Date: Mon, 16 Jun 2025 14:35:53 -0400
Subject: [PATCH 2/3] mealie transfered
---
Makefile | 2 +-
devices/pi/configuration.nix | 6 +-----
devices/server/configuration.nix | 17 ++++++++++++++---
3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index 69b63fc..bfcca3a 100644
--- a/Makefile
+++ b/Makefile 
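Review bot: Hunk `@@ -36,6 +63,7 @@` adds `9090 # prometheus` to `allowedTCPPorts`, which exposes the Prometheus UI and HTTP API to the whole LAN with no authentication, so anyone on the segment can read every scraped series (and, should the admin API ever be enabled, delete them). Nothing on this page needs remote access to 9090 — the Grafana added in the third patch runs on the same host — so set `services.prometheus.listenAddress = "127.0.0.1";` and drop 9090 from the list, or put an authenticating reverse proxy in front. In hunk `@@ -29,6 +31,31 @@` the pi is scraped at the fixed address `192.168.1.241` while the Makefile in the same commit moved to the host alias `pi`; if the lease ever changes the scrape silently goes stale, so a DHCP reservation or a name-based target keeps both in step. Both the `services` and `networking` attrsets continue outside their hunks.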
@@ -3,7 +3,7 @@ build-pi-image: # Doest work yet rebuild-pi: - nixos-rebuild switch --flake .#pi --target-host pi --build-host server --use-remote-sudo + NIX_SSHOPTS="-o IdentitiesOnly=yes -i ~/.ssh/id_rsa" nixos-rebuild switch --flake .#pi --target-host pi --build-host server --use-remote-sudo deploy-server: nixos-rebuild switch --flake .#server --target-host server --build-host server --use-remote-sudo
diff --git a/devices/pi/configuration.nix b/devices/pi/configuration.nix
index 863d948..98ff71f 100644
--- a/devices/pi/configuration.nix
+++ b/devices/pi/configuration.nix
@@ -47,7 +47,7 @@ in { services.caddy = { enable = true; virtualHosts."mealie.polensky.me".extraConfig = '' - reverse_proxy http://localhost:9925 + reverse_proxy http://192.168.1.242:9000 ''; };
@@ -61,17 +61,13 @@ in { environment.systemPackages = with pkgs; [ htop-vim neovim - tmux curl wget - git ranger ]; services.openssh.enable = true; - virtualisation.docker.enable = true; - users = { mutableUsers = false; users."${user}" = {
diff --git a/devices/server/configuration.nix b/devices/server/configuration.nix
index 65e260a..8e94352 100644
--- a/devices/server/configuration.nix
+++ b/devices/server/configuration.nix
@@ -62,6 +62,18 @@ in { inherit user; enable = true; }; + mealie = { + enable = true; + settings = { + ALLOW_SIGNUP = "false"; + PUID = 1000; + PGID = 1000; + TZ = "Canada/Eastern"; + MAX_WORKERS = 1; + WEB_CONCURRENCY = 1; + #BASE_URL = "https://mealie.polensky.me"; + }; + }; }; networking = {
@@ -70,15 +82,14 @@ in { 8096 # jellyfin 9091 # transmission 9090 # prometheus + 9000 # mealie 10222 # taskchampion-sync-server ]; }; time.timeZone = "America/Toronto"; - users.users.user = { - isNormalUser = true; - description = user; + users.users."${user}" = { extraGroups = ["wheel" "transmission" "jellyfin"]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [
From 6d4ae2f0e468197341054030e8cf879619242464 Mon Sep 17 00:00:00 2001 
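Review bot: Pinning `NIX_SSHOPTS="-o IdentitiesOnly=yes -i ~/.ssh/id_rsa"` on the `rebuild-pi` recipe alone leaves `deploy-server`, two lines below, without the same options although it reaches the same build host. A `Host pi` / `Host server` entry in `~/.ssh/config` with `IdentitiesOnly yes` and `IdentityFile` gives both recipes identical identity handling and keeps a machine-local key path out of the committed Makefile. Note that `~` inside double quotes is not expanded by the recipe shell; this works only because ssh expands `~` in `-i` itself, which is worth a comment, `# ssh, not the shell, expands ~ here`.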
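Review bot: Adding `9000 # mealie` to `firewall.allowedTCPPorts` in hunk `@@ -70,15 +82,14 @@` makes Mealie reachable over plain HTTP from every LAN host, although the only intended client is Caddy on the pi (`reverse_proxy http://192.168.1.242:9000` in this commit), so the login form and session cookie are exposed unencrypted to anyone who talks to 9000 directly. If the iptables backend is in use, restrict the rule to the pi instead of listing the port, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 9000 -s <PI_ADDR> -j nixos-fw-accept";`, or terminate TLS on the server itself. With `BASE_URL` left commented out in hunk `@@ -62,6 +62,18 @@`, Mealie presumably derives absolute links from the request it sees, which behind the proxy may be the internal address — confirm before relying on invite or reset links. The `services` and `networking` attrsets continue outside both hunks.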
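Review bot: The rewritten `users.users."${user}"` block in hunk `@@ -70,15 +82,14 @@` drops `isNormalUser = true;` together with the literal `user` key it replaces, and NixOS asserts that exactly one of `isNormalUser`/`isSystemUser` is set for every user. Unless another definition of this account outside the hunk supplies it, evaluation fails; and if it were satisfied through `isSystemUser` the account would lose its home directory and normal-login semantics. Keep `isNormalUser = true;` in this block. The attrset continues outside the hunk.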
From: Polen
Date: Tue, 17 Jun 2025 11:23:09 -0400
Subject: [PATCH 3/3] grafana enabled
---
devices/server/configuration.nix | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/devices/server/configuration.nix b/devices/server/configuration.nix
index 8e94352..860e8f7 100644
--- a/devices/server/configuration.nix
+++ b/devices/server/configuration.nix
@@ -21,16 +21,15 @@ in { services.openssh.enable = true; + # observability services = { - jellyfin = { - inherit user; - enable = true; - }; - transmission = { + grafana = { enable = true; settings = { - rpc-bind-address = "0.0.0.0"; - rpc-whitelist = "127.0.0.1,192.168.*.*"; + server = { + http_addr = "0.0.0.0"; + http_port = 3000; + }; }; }; prometheus = {
@@ -58,9 +57,25 @@ in { } ]; }; + }; + + # media + services = { + jellyfin = { + inherit user; + enable = true; + }; + transmission = { + enable = true; + settings = { + rpc-bind-address = "0.0.0.0"; + rpc-whitelist = "127.0.0.1,192.168.*.*"; + }; + }; taskchampion-sync-server = { inherit user; enable = true; + host = "0.0.0.0"; }; mealie = { enable = true;
@@ -79,9 +94,10 @@ in { networking = { hostName = "server"; firewall.allowedTCPPorts = [ + 9090 # prometheus + 3000 # grafana 8096 # jellyfin 9091 # transmission - 9090 # prometheus 9000 # mealie 10222 # taskchampion-sync-server ];
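Review bot: Grafana is bound to `http_addr = "0.0.0.0"` and 3000 is opened in `allowedTCPPorts`, yet no `settings.security.admin_user`/`admin_password` is set, so the instance comes up on the LAN with Grafana's stock `admin`/`admin` login until someone claims it. Either source the password from a secret, `settings.security.admin_password = "$__file{<SECRET_PATH>}";` (the sops wiring sketched in the pi config fits here), or bind `http_addr = "127.0.0.1"` and publish Grafana through the existing Caddy. With Grafana on the same host, 9090 no longer needs to be reachable from the network at all, but hunk `@@ -79,9 +94,10 @@` only reorders it; `services.prometheus.listenAddress = "127.0.0.1";` plus removing the `9090` entry closes it. Also confirm `settings.security.secret_key` is not left at the module default, since that key protects the stored datasource credentials. `taskchampion-sync-server` now listens on `host = "0.0.0.0"` as well; the enclosing `services` attrset continues outside the hunk.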