grafana-agent has been removed, but the failing eval was missed due to #80. Change-Id: I87cfc71c8c98e27e32f4e95e4d85901195cb5b75 Reviewed-on: https://cl.snix.dev/c/snix/+/30347 Autosubmit: Florian Klink <flokli@flokli.de> Reviewed-by: Ryan Lahfa <masterancpp@gmail.com> Tested-by: besadii
		
			
				
	
	
		
# NixOS host configuration for meta01 (meta01.infra.snix.dev): a Hetzner Cloud
# VM carrying the observability stack (Prometheus/Mimir, Loki, Tempo, Alloy,
# alertmanager-irc-relay) and the web frontends for it.
#
# Two-stage function: readTree supplies depot/lib/pkgs first, then the NixOS
# module system applies the result to its own arguments.
{ depot, lib, pkgs, ... }: # readTree options
{ config, ... }: # passed by module system

let
  # Resolve a module file below ops/modules/ in the depot source tree.
  # path + string keeps the result a path value.
  mod = name: depot.path.origSrc + "/ops/modules/${name}";

  # Look up an age-encrypted secret in depot.ops.secrets by its base name.
  secretFile = name: depot.ops.secrets.${name + ".age"};

  # Depot modules this host pulls in, in the order they are applied.
  depotModules = [
    "hetzner-cloud.nix"
    "o11y/alloy.nix"
    "o11y/mimir.nix"
    "o11y/loki.nix"
    "o11y/tempo.nix"
    "o11y/alertmanager-irc-relay.nix"
    "known-hosts.nix"
    "clbot.nix"
    "www/mimir.snix.dev.nix"
    "www/loki.snix.dev.nix"
    "www/tempo.snix.dev.nix"
  ];
in
{
  imports =
    [ ./disko.nix ]
    ++ map mod depotModules
    ++ [
      (depot.third_party.agenix.src + "/modules/age.nix")
      (depot.third_party.disko.src + "/module.nix")
    ];

  nixpkgs.hostPlatform = "x86_64-linux";

  # Hetzner Cloud VM with a static IPv6 /64 (see ops/modules/hetzner-cloud.nix).
  infra.hardware.hetzner-cloud.enable = true;
  infra.hardware.hetzner-cloud.ipv6 = "2a01:4f8:c013:4a58::1/64";

  networking = {
    hostName = "meta01";
    domain = "infra.snix.dev";

    # nftables backend for the NixOS firewall; the extra rules below are nft syntax.
    nftables.enable = true;

    # Ingest ports 9009/9090/9190 are reachable only from the two listed source
    # addresses (one IPv6, one IPv4); anything else falls through to the
    # firewall's default policy. The comment line inside the string is part of
    # the ruleset text and is kept verbatim.
    firewall.extraInputRules = ''
      # Prometheus, Loki, Tempo
      ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 9009, 9090, 9190 } accept
      ip saddr { 49.13.70.233 } tcp dport { 9009, 9090, 9190 } accept
    '';
  };

  time.timeZone = "UTC";

  programs = {
    mtr.enable = true;
    mosh.enable = true;
  };

  # Periodically collect garbage in the Nix store.
  nix.gc.automatic = true;

  services = {
    # Key-based SSH only: password and keyboard-interactive (PAM) logins are
    # both off, so the only way in is one of the root authorized keys set below.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };

    # fail2ban with its default jails (presumably sshd; nothing else is tuned here).
    fail2ban.enable = true;

    # Required for prometheus to be able to scrape nginx stats.
    nginx.statusPage = true;

    depot = {
      # TODO: make it possible to do `alertmanager.enable = true;`
      prometheus.enable = true;
      loki.enable = true;
      tempo.enable = true;

      # Gerrit -> IRC notification bot. Switched off for now; the settings
      # below are staged for when it is enabled.
      clbot = {
        enable = false;
        channels = {
          "#snix" = { };

          # NOTE(review): `flags` sits under `channels`, next to the "#snix"
          # entry; whether clbot.nix expects it there or as a sibling of
          # `channels` cannot be told from this file — confirm before enabling.
          flags = {
            gerrit_host = "cl.snix.dev:29418";
            gerrit_ssh_auth_username = "clbot";
            # gerrit_ssh_auth_key = config.age.secrets.clbot-ssh-private-key.path;

            irc_server = "irc.hackint.org:6697";
            irc_tls = true;
            irc_user = "snixbot";
            irc_nick = "snixbot";

            notify_branches = "canon,refs/meta/config";
            notify_repo = "snix";

            # Not a literal secret: presumably substituted from an environment
            # file by the clbot module at runtime — confirm in clbot.nix.
            irc_pass = "$CLBOT_PASS";
          };
        };
      };
    };
  };

  # agenix-managed secrets (age.nix is imported above); each entry names an
  # encrypted file in depot.ops.secrets.
  age.secrets = {
    mimir-environment.file = secretFile "mimir-environment";
    # Yes, they are literally the same: Hetzner Cloud has no support for per-bucket keys.
    # One credential therefore backs all three object stores, so rotating it
    # means rotating it for Mimir, Loki and Tempo together.
    loki-environment.file = secretFile "mimir-environment";
    tempo-environment.file = secretFile "mimir-environment";
    # Owned by nginx so the web frontend can read it (presumably the htpasswd
    # for the metrics push endpoint — see the www/*.nix modules).
    metrics-push-htpasswd = {
      file = secretFile "metrics-push-htpasswd";
      owner = "nginx";
    };
    mimir-webhook-url.file = secretFile "mimir-webhook-url";
    alertmanager-irc-relay-environment.file = secretFile "alertmanager-irc-relay-environment";
    restic-repository-password.file = secretFile "restic-repository-password";
    restic-bucket-credentials.file = secretFile "restic-bucket-credentials";
  };

  # Operator tooling; attrValues yields the alphabetical order the list had.
  environment.systemPackages = builtins.attrValues {
    inherit (pkgs)
      bat bb curl direnv fd git htop hyperfine jq nano nvd ripgrep tree unzip vim;
  };

  # Root's SSH keys: the concatenation of the three operators' key lists.
  users.users.root.openssh.authorizedKeys.keys = lib.concatLists [
    depot.ops.users.edef
    depot.ops.users.flokli
    depot.ops.users.raito
  ];

  boot.initrd.systemd.enable = true;
  zramSwap.enable = true;

  system.stateVersion = "25.05";
}