From 557be818daab4b62a93c949aaac5eb03358fe2b8 Mon Sep 17 00:00:00 2001
From: Nolan Darilek
Date: Thu, 24 Apr 2025 14:58:51 -0500
Subject: [PATCH 1/3] Add Grafana/Prometheus.
---
 hosts/hub/apps/grafana.nix | 19 +++++++++++--------
 hosts/hub/apps/karakeep.nix | 23 +++++++++++++++++++++++
 hosts/hub/apps/prometheus.nix | 23 +++++++++++++++++++++++
 hosts/hub/default.nix | 4 ++++
 4 files changed, 61 insertions(+), 8 deletions(-)
 create mode 100644 hosts/hub/apps/karakeep.nix
diff --git a/hosts/hub/apps/grafana.nix b/hosts/hub/apps/grafana.nix
index e37ceb0..a41f8a5 100644
--- a/hosts/hub/apps/grafana.nix
+++ b/hosts/hub/apps/grafana.nix
@@ -3,19 +3,22 @@
 grafana = {
 enable = true;
 settings = {
- auth.proxy = {
- enabled = true;
- header_name = "Remote-User";
- headers = "Name:Remote-Name Email:Remote-Email Groups:Remote-Groups";
+ server = {
+ root_url = "https://grafana.tailc50184.ts.net";
 };
+ # "auth.proxy" = {
+ # enabled = true;
+ # header_name = "Remote-User";
+ # headers = "Name:Remote-Name Email:Remote-Email Groups:Remote-Groups";
+ # };
 };
 };
 caddy.virtualHosts."grafana.tailc50184.ts.net".extraConfig = ''
 bind tailscale/grafana
- forward_auth localhost:9091 {
- uri /api/authz/forward-auth
- copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
- }
+ # forward_auth localhost:9091 {
+ # uri /api/authz/forward-auth
+ # copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
+ # }
 reverse_proxy localhost:3000
 '';
 };
diff --git a/hosts/hub/apps/karakeep.nix b/hosts/hub/apps/karakeep.nix
new file mode 100644
index 0000000..8bf4170
--- /dev/null
+++ b/hosts/hub/apps/karakeep.nix
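Review bot: In hosts/hub/apps/grafana.nix, commenting out the `forward_auth localhost:9091` block leaves `reverse_proxy localhost:3000` with no authentication step in front of it, so access control for the `grafana.tailc50184.ts.net` vhost now rests entirely on Grafana's own login and on who can reach the tailnet name. Nothing in this hunk sets Grafana's admin credentials or any other auth setting, so unless that is configured elsewhere the instance may still be running with its initial admin account. The two commented blocks also depend on each other: `"auth.proxy"` should only come back together with `forward_auth`, since Grafana would otherwise accept a `Remote-User` header sent by any client. I would replace the dead code with a single comment such as `# TODO: restore forward_auth and "auth.proxy" together; auth.proxy alone trusts a client-supplied Remote-User` and let git history keep the old lines.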
@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+ systemd.tmpfiles.rules = [
+ "d /var/lib/actual 0755 root root"
+ ];
+
+ virtualisation.oci-containers.containers.actual = {
+ image = "actualbudget/actual-server:latest";
+ ports = [
+ "5006:5006"
+ ];
+ environment = {
+ ACTUAL_LOGIN_METHOD = "header";
+ };
+ volumes = [ "/var/lib/actual:/data" ];
+ };
+
+ services.caddy.virtualHosts."https://budget.tailc50184.ts.net".extraConfig = ''
+ bind tailscale/budget
+ reverse_proxy http://localhost:5006
+ '';
+}
diff --git a/hosts/hub/apps/prometheus.nix b/hosts/hub/apps/prometheus.nix
index e69de29..8a90c38 100644
--- a/hosts/hub/apps/prometheus.nix
+++ b/hosts/hub/apps/prometheus.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+ services = {
+ prometheus = {
+ enable = true;
+ scrapeConfigs = [
+ {
+ job_name = "thewordnerd";
+ static_configs = [
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }
+ ];
+ }
+ ];
+ };
+ caddy.virtualHosts."prometheus.tailc50184.ts.net".extraConfig = ''
+ bind tailscale/prometheus
+ reverse_proxy localhost:9090
+ '';
+ };
+}
diff --git a/hosts/hub/default.nix b/hosts/hub/default.nix
index c2feb93..5efc676 100644
--- a/hosts/hub/default.nix
+++ b/hosts/hub/default.nix
@@ -11,8 +11,10 @@
 ../../roles/restic.nix
 ../../base.nix
 ../../users/root.nix
+ ../../roles/restic.nix
 ../../roles/fail2ban.nix
 ../../roles/tailscale.nix
+ ../../roles/prometheus.nix
 ../../roles/lldap.nix
 ../../roles/authelia.nix
 ../../roles/podman.nix
@@ -21,6 +23,8 @@
 ../../roles/vscode-remote.nix
 ../../roles/postgres.nix
 ../../roles/syncthing.nix
+ ./apps/grafana.nix
+ ./apps/prometheus.nix
 ./apps/dev.nix
 ./apps/nextcloud.nix
 ./apps/paperless.nix
From c657a2c301cb7f4ad73e1a38adb4a9ab38593085 Mon Sep 17 00:00:00 2001
From: Nolan Darilek
Date: Thu, 24 Apr 2025 14:59:23 -0500
Subject: [PATCH 2/3] Only bind to local ports.
---
 hosts/hub/apps/actual.nix | 2 +-
 hosts/hub/apps/open-webui.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
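Review bot: The new hosts/hub/apps/karakeep.nix does not configure Karakeep: it declares the `actual` container, `/var/lib/actual` and the `budget.tailc50184.ts.net` vhost, and its blob id `8bf4170` is the same as the pre-image of hosts/hub/apps/actual.nix in PATCH 2/3, so it looks like an unedited copy. It still publishes `"5006:5006"` on every interface while `ACTUAL_LOGIN_METHOD = "header"` is set, and PATCH 2/3 narrows the binding only in actual.nix. The file is not among the imports added in the default.nix hunks, so it is probably inert today, but importing it later would duplicate actual.nix's definitions and reopen the port. Either drop the file from this commit or replace its contents; if the container stanza stays, it should read `"127.0.0.1:5006:5006"`.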
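Review bot: hosts/hub/apps/prometheus.nix puts the Prometheus UI and HTTP API behind `reverse_proxy localhost:9090` with no authentication step, and the `prometheus = { ... }` block sets no `listenAddress`, so unless roles/prometheus.nix or the firewall restricts it the daemon may also be listening on port 9090 on every interface rather than only behind Caddy. Since PATCH 2/3 moves the containers to loopback for the same reason, I would add `listenAddress = "127.0.0.1";` next to `enable = true;`. The scrape target reads `config.services.prometheus.exporters.node.port`, but nothing in this file enables the node exporter; presumably roles/prometheus.nix does, and a one-line comment saying so would save the next reader a search.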
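Review bot: In the first hosts/hub/default.nix hunk the added `../../roles/restic.nix` repeats an import that the hunk's first context line already lists, so the new line is redundant and can be dropped. The import list starts and ends outside the hunk, so I cannot tell whether its order matters to the author; if it does, move the existing entry rather than adding a second one.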
diff --git a/hosts/hub/apps/actual.nix b/hosts/hub/apps/actual.nix
index 8bf4170..739f465 100644
--- a/hosts/hub/apps/actual.nix
+++ b/hosts/hub/apps/actual.nix
@@ -8,7 +8,7 @@
 virtualisation.oci-containers.containers.actual = {
 image = "actualbudget/actual-server:latest";
 ports = [
- "5006:5006"
+ "127.0.0.1:5006:5006"
 ];
 environment = {
 ACTUAL_LOGIN_METHOD = "header";
diff --git a/hosts/hub/apps/open-webui.nix b/hosts/hub/apps/open-webui.nix
index e9662d0..840bf5e 100644
--- a/hosts/hub/apps/open-webui.nix
+++ b/hosts/hub/apps/open-webui.nix
@@ -10,7 +10,7 @@ in
 virtualisation.oci-containers.containers.open-webui = {
 image = "ghcr.io/open-webui/open-webui:main";
 ports = [
- "8090:8080"
+ "127.0.0.1:8090:8080"
 ];
 volumes = [ "/var/lib/open-webui:/app/backend/data" ];
 environment = {
From 7d82ac39a65fffbecd4ebf8e5fb231152c328b67 Mon Sep 17 00:00:00 2001
From: Nolan Darilek
Date: Thu, 24 Apr 2025 15:10:34 -0500
Subject: [PATCH 3/3] Bump dependencies.
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index 301b821..b3a341c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -169,11 +169,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1744633460, - "narHash": "sha256-fbWE4Xpw6eH0Q6in+ymNuDwTkqmFmtxcQEmtRuKDTTk=", + "lastModified": 1745503349, + "narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9a049b4a421076d27fee3eec664a18b2066824cb", + "rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1", "type": "github" }, "original": {
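Review bot: The loopback bindings added in hosts/hub/apps/actual.nix (`"127.0.0.1:5006:5006"`) and hosts/hub/apps/open-webui.nix (`"127.0.0.1:8090:8080"`) carry no comment saying that Caddy is meant to be the only way in, which matters most for actual.nix, where the context line `ACTUAL_LOGIN_METHOD = "header"` suggests login depends on what the front proxy forwards. A line such as `# loopback only: Caddy is the sole entry point; do not publish on all interfaces` above each `ports` list would keep a later edit from widening it again. Both container definitions continue outside their hunks, and both images use mutable tags (`:latest`, `:main`) in the context lines, so pinning a version or digest is worth a follow-up.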
@@ -216,11 +216,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1744463964, - "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", + "lastModified": 1745391562, + "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", + "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "type": "github" }, "original": { @@ -244,11 +244,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1744440957, - "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "lastModified": 1745487689, + "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3", "type": "github" }, "original": {