diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index aa1a0dd..a8cb4e6 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -26,7 +26,7 @@ in
 tlsMode = "external";
 settings = {
 Port = 9092;
- ExternalDomain = "auth-z.kruining.eu";
+ ExternalDomain = "auth.amarth.cloud";
 ExternalPort = 443;
 ExternalSecure = true;
@@ -47,9 +47,9 @@ in
 };
 steps = {
 FirstInstance = {
- InstanceName = "auth-z.kruining.eu";
+ InstanceName = "auth.amarth.cloud";
 Org = {
- Name = "Default";
+ Name = "Amarth";
 Human = {
 UserName = "chris";
 FirstName = "Chris";
@@ -86,7 +86,7 @@ in
 caddy = {
 enable = true;
 virtualHosts = {
- "auth-z.kruining.eu".extraConfig = ''
+ "auth.amarth.cloud".extraConfig = ''
 reverse_proxy h2c://127.0.0.1:9092
 '';
 };
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index 22c3123..87882b6 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -3,7 +3,7 @@ let
 inherit (lib) mkIf mkEnableOption;
 cfg = config.${namespace}.services.development.forgejo;
- domain = "git.kruining.eu";
+ domain = "git.amarth.cloud";
 in
 {
 options.${namespace}.services.development.forgejo = {
@@ -35,7 +35,7 @@ in
 cors = {
 ENABLED = true;
- ALLOW_DOMAIN = "https://*.kruining.eu";
+ ALLOW_DOMAIN = "https://*.amarth.cloud";
 };
 security = {
@@ -63,8 +63,9 @@ in
 service = {
 # Auth
 ENABLE_BASIC_AUTHENTICATION = false;
- DISABLE_REGISTRATION = true;
+ DISABLE_REGISTRATION = false;
 ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
 # Privacy
 DEFAULT_KEEP_EMAIL_PRIVATE = true;
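Review bot: The `DISABLE_REGISTRATION = false;` / `ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` / `SHOW_REGISTRATION_BUTTON = false;` triple in the `@@ -63` hunk is the documented way to allow sign-up only through the OAuth2 provider, but read on its own the first line looks like it opens self-registration, and nothing in the hunk says otherwise. A one-line comment above it, `# ALLOW_ONLY_EXTERNAL_REGISTRATION only takes effect while DISABLE_REGISTRATION is false; accounts are created solely via the OAuth2 provider`, would keep a later edit from flipping it back to true and silently breaking OAuth sign-up. Note that this makes Zitadel's own registration policy the gate for who gets a Forgejo account; whether Zitadel permits self-registration is not visible in this commit. The enclosing `service` attribute set continues outside the hunk.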
@@ -78,12 +79,13 @@ in
 openid = {
 ENABLE_OPENID_SIGNIN = true;
 ENABLE_OPENID_SIGNUP = true;
- WHITELISTED_URIS = "https://auth-z.kruining.eu";
+ WHITELISTED_URIS = "https://auth.amarth.cloud";
 };
 oauth2_client = {
 ENABLE_AUTO_REGISTRATION = true;
 UPDATE_AVATAR = true;
+ ACCOUNT_LINKING = "auto";
 };
 actions = {
@@ -111,8 +113,8 @@ in
 mailer = {
 ENABLED = true;
 SMTP_ADDR = "smpts://smtp.black-mail.nl";
- FROM = "noreply@kruining.eu";
- USER = "noreply@kruining.eu";
+ FROM = "info@amarth.cloud";
+ USER = "amarth";
 PASSWD = "/var/lib/forgejo/custom/mail_password";
 };
 };
@@ -125,7 +127,7 @@ in
 instances.default = {
 enable = true;
 name = "default";
- url = "https://git.kruining.eu";
+ url = "https://git.amarth.cloud";
 # Obtaining the path to the runner token file may differ
 # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
 # tokenFile = config.age.secrets.forgejo-runner-token.path;
diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix
index 1747330..c399729 100644
--- a/modules/nixos/services/observability/grafana/default.nix
+++ b/modules/nixos/services/observability/grafana/default.nix
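Review bot: `ACCOUNT_LINKING = "auto";` in the `oauth2_client` block links a first-time OAuth2 login to an existing Forgejo account purely on a matching e-mail address, with no confirmation from the owner of that local account, so it is only safe while every e-mail claim Zitadel issues is verified and Zitadel itself is fully trusted. If pre-existing local accounts remain, the default `ACCOUNT_LINKING = "login";` (the user proves ownership once with the local credentials) is the safer choice; otherwise the assumption should at least be written down, e.g. `# "auto": relies on Zitadel only issuing verified e-mail claims; an unverified address at the IdP would be linked to the matching local account`. Separately, if the `openid` section is the legacy OpenID 2.0 sign-in (as in Gitea) rather than OIDC, updating `WHITELISTED_URIS` has no bearing on the Zitadel OAuth2 flow, which is worth confirming before keeping that section. The enclosing settings attribute set continues outside the hunk.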
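Review bot: `SMTP_ADDR = "smpts://smtp.black-mail.nl";` is an unchanged line in the `@@ -111` hunk but remains on the new side: the scheme is misspelled (`smpts` for `smtps`), and as far as I can tell Forgejo expects a bare host in `SMTP_ADDR` with the transport chosen via `PROTOCOL`, so the mailer that now sends as `info@amarth.cloud` may not connect at all; `SMTP_ADDR = "smtp.black-mail.nl"; PROTOCOL = "smtps";` looks like what was intended. `PASSWD = "/var/lib/forgejo/custom/mail_password";` is also a plain string, so unless the NixOS module version in use substitutes it from that file, the path itself is what gets sent as the SMTP password; the module's `services.forgejo.secrets` mechanism is the usual way to read it from a file. The enclosing settings attribute set continues outside the hunk.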
@@ -14,87 +14,117 @@ in
 };
 config = mkIf cfg.enable {
- services.grafana = {
- enable = true;
- openFirewall = true;
-
- settings = {
- server = {
- http_port = 9001;
- http_addr = "0.0.0.0";
- };
- database = {
- type = "postgres";
- host = "/var/run/postgresql:5432";
- name = db_name;
- user = db_user;
- ssl_mode = "disable";
- };
-
- users = {
- allow_sign_up = false;
- allow_org_create = false;
- viewers_can_edit = false;
-
- default_theme = "system";
- };
-
- analytics = {
- reporting_enabled = false;
- check_for_updates = false;
- check_for_plugin_updates = false;
- feedback_links_enabled = false;
- };
- };
-
- provision = {
+ services = {
+ grafana = {
 enable = true;
+ openFirewall = true;
- dashboards.settings = {
- apiVersion = 1;
- providers = [
+ settings = {
+ server = {
+ http_port = 9001;
+ http_addr = "0.0.0.0";
+ domain = "ulmo";
+ };
+
+ auth = {
+ disable_login_form = false;
+ oauth_auto_login = true;
+ };
+
+ "auth.basic".enable = false;
+ "auth.generic_oauth" = {
+ enable = true;
+ name = "Zitadel";
+ client_id = "334170712283611395";
+ client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1";
+ scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles";
+ email_attribute_path = "email";
+ login_attribute_path = "username";
+ name_attribute_path = "full_name";
+ role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'";
+ auth_url = "https://auth.amarth.cloud/oauth/v2/authorize";
+ token_url = "https://auth.amarth.cloud/oauth/v2/token";
+ api_url = "https://auth.amarth.cloud/oidc/v1/userinfo";
+ allow_sign_up = true;
+ auto_login = true;
+ use_pkce = true;
+ usr_refresh_token = true;
+ allow_assign_grafana_admin = true;
+ };
+
+ database = {
+ type = "postgres";
+ host = "/var/run/postgresql:5432";
+ name = db_name;
+ user = db_user;
+ ssl_mode = "disable";
+ };
+
+ users = {
+ allow_sign_up = false;
+ allow_org_create = false;
+ viewers_can_edit = false;
+
+ default_theme = "system";
+ };
+
+ analytics = {
+ reporting_enabled = false;
+ check_for_updates = false;
+ check_for_plugin_updates = false;
+ feedback_links_enabled = false;
+ };
+ };
+
+ provision = {
+ enable = true;
+
+ dashboards.settings = {
+ apiVersion = 1;
+ providers = [
+ {
+ name = "Default Dashboard";
+ disableDeletion = true;
+ allowUiUpdates = false;
+ options = {
+ path = "/etc/grafana/dashboards";
+ foldersFromFilesStructure = true;
+ };
+ }
+ ];
+ };
+
+ datasources.settings.datasources = [
 {
- name = "Default Dashboard";
- disableDeletion = true;
- allowUiUpdates = false;
- options = {
- path = "/etc/grafana/dashboards";
- foldersFromFilesStructure = true;
- };
+ name = "Prometheus";
+ type = "prometheus";
+ url = "http://localhost:9005";
+ isDefault = true;
+ editable = false;
+ }
+
+ {
+ name = "Loki";
+ type = "loki";
+ url = "http://localhost:9003";
+ editable = false;
 }
 ];
 };
+ };
- datasources.settings.datasources = [
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ db_name ];
+ ensureUsers = [
 {
- name = "Prometheus";
- type = "prometheus";
- url = "http://localhost:9002";
- isDefault = true;
- editable = false;
- }
-
- {
- name = "Loki";
- type = "loki";
- url = "http://localhost:9003";
- editable = false;
+ name = db_user;
+ ensureDBOwnership = true;
 }
 ];
 };
 };
- services.postgresql = {
- enable = true;
- ensureDatabases = [ db_name ];
- ensureUsers = [
- {
- name = db_user;
- ensureDBOwnership = true;
- }
- ];
- };
-
 environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json;
 };
 }
diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix
index 666a356..af5ee9d 100644
--- a/modules/nixos/services/observability/prometheus/default.nix
+++ b/modules/nixos/services/observability/prometheus/default.nix
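Review bot: `client_secret = "AFjyp…";` in the new `"auth.generic_oauth"` block commits a live OAuth client secret to the repository, and because this module is evaluated into grafana.ini it also ends up world-readable in the Nix store; the secret should be rotated at Zitadel and read from a root-only file instead, e.g. `client_secret = "$__file{/path/to/grafana-oauth-client-secret}";` (placeholder path) using Grafana's file variable expansion. In the same block, `usr_refresh_token = true;` is a misspelling of `use_refresh_token`, so Grafana silently ignores it and sessions will not be refreshed despite the `offline_access` scope being requested. The Prometheus datasource is also moved to `url = "http://localhost:9005";`, but the prometheus module in this same commit assigns 9005 to the node exporter while the Prometheus server itself is still addressed on 9002 (its scrape target and firewall rule), so the datasource most likely should stay on `url = "http://localhost:9002";`. Finally, the role mapping keys (`owner`, `contributer`) must match the role keys configured on the Zitadel project exactly; that is not verifiable from this commit.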
@@ -1,7 +1,7 @@
 { pkgs, config, lib, namespace, ... }:
 let
- inherit (lib.modules) mkIf;
- inherit (lib.options) mkEnableOption;
+ inherit (builtins) toString;
+ inherit (lib) mkIf mkEnableOption;
 cfg = config.${namespace}.services.observability.prometheus;
 in
@@ -24,7 +24,23 @@ in
 { targets = [ "localhost:9002" ]; }
 ];
 }
+
+ {
+ job_name = "node";
+ static_configs = [
+ { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
+ ];
+ }
 ];
+
+ exporters = {
+ node = {
+ enable = true;
+ port = 9005;
+ enabledCollectors = [ "systemd" ];
+ openFirewall = true;
+ };
+ };
 };
 networking.firewall.allowedTCPPorts = [ 9002 ];
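Review bot: `openFirewall = true;` on the new `exporters.node` block opens port 9005 on every interface, exposing unauthenticated host metrics (and, with the `systemd` collector enabled, the names and states of systemd units) to anything that can reach the host, while the only consumer visible in this commit scrapes it at `localhost:${toString config.services.prometheus.exporters.node.port}`. Unless a remote Prometheus is planned, drop `openFirewall = true;` and bind the exporter locally with `listenAddress = "127.0.0.1";`. The scrape job itself is fine; the enclosing `scrapeConfigs` list starts outside the hunk.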