diff --git a/hosts/containers/prometheus/configuration.nix b/hosts/containers/prometheus/configuration.nix
new file mode 100644
index 00000000..5268c9e2
--- /dev/null
+++ b/hosts/containers/prometheus/configuration.nix
@@ -0,0 +1,108 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [ ../../../lib/lxc-container.nix
+ ../../../lib/shared.nix
+ ../../../lib/admins.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+
+ networking = {
+ hostName = "prometheus";
+ firewall = {
+ allowedTCPPorts = [
+ 22
+ 80
+ 443
+ 9090
+ 9091
+ 9093
+ 9094
+ ];
+ enable = true;
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+
+ alertmanager = {
+ enable = true;
+ openFirewall = true;
+ webExternalUrl = "http://prometheus.serv.zentralwerk.org/alertmanager/";
+ listenAddress = "0.0.0.0";
+ configuration = {
+ "global" = {
+ "smtp_smarthost" = "mail.serv.zentralwerk.org:587";
+ "smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org";
+ };
+ "route" = {
+ "group_by" = [ "alertname" "alias" ];
+ "group_wait" = "30s";
+ "group_interval" = "2m";
+ "repeat_interval" = "4h";
+ "receiver" = "team-admins";
+ };
+ "receivers" = [
+ {
+ "name" = "team-admins";
+ # "email_configs" = [
+ # {
+ # "to" = "devnull@example.com";
+ # "send_resolved" = true;
+ # }
+ # ];
+ # "webhook_configs" = [
+ # {
+ # "url" = "https://example.com/prometheus-alerts";
+ # "send_resolved" = true;
+ # }
+ # ];
+ }
+ ];
+ };
+ };
+
+ alertmanagerURL = [ "http://prometheus.serv.zentralwerk.org/alertmanager/" ];
+
+ pushgateway = {
+ enable = true;
+ web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
+ };
+
+ exporters.collectd.enable = true;
+ exporters.collectd.openFirewall = true;
+
+ exporters.nginx.enable = true;
+
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."prometheus.serv.zentralwerk.org" = {
+ # serverAliases = [ "registry.serv.zentralwerk.org" ];
+ enableACME = true;
+ enableSSL = true;
+ # forceSSL = true;
+ locations.".well-known/acme-challenge/" = {
+ root = 
"/var/lib/acme/acme-challenge/.well-known/acme-challenge/"; + }; + locations."/" = { + proxyPass = "http://localhost:9090"; + }; + }; + }; + + + system.stateVersion = "19.03"; # Did you read the comment? + +} diff --git a/hosts/containers/registry/configuration.nix b/hosts/containers/registry/configuration.nix index f9e0d071..ad736a24 100644 --- a/hosts/containers/registry/configuration.nix +++ b/hosts/containers/registry/configuration.nix @@ -1,19 +1,15 @@ - [ - ]; - nix.useSandbox = false; - nix.maxJobs = lib.mkDefault 4; +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). - boot.isContainer = true; - # /sbin/init - boot.loader.initScript.enable = true; - boot.loader.grub.enable = false; - #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"]; +{ config, pkgs, lib, ... }: - fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; }; - - #networking.hostName = "docker-registry"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - #networking.useNetworkd = true; +{ + imports = + [ ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ../../../lib/admins.nix + ]; networking = { hostName = "registry"; @@ -29,8 +25,6 @@ dhcpcd.denyInterfaces = [ "eth0" ]; - nameservers = [ "8.8.8.8" "9.9.9.9" ]; - defaultGateway = { address = "172.22.99.1"; interface = "eth0"; @@ -42,8 +36,6 @@ #}; }; - services.openssh.enable = true; - # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 @@ -52,13 +44,6 @@ 5000 ]; - # Set your time zone. - time.timeZone = "Europe/Berlin"; - # Select internationalisation properties. - i18n = { - defaultLocale = "en_US.UTF-8"; - supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ]; - }; # List packages installed in system profile. To search, run: # $ nix search wget 
@@ -66,21 +51,17 @@ wget vim ]; - - # Create a few files early before packing tarball for Proxmox - # architecture/OS detection. - system.extraSystemBuilderCmds = - '' - mkdir -m 0755 -p $out/bin - ln -s ${pkgs.bash}/bin/bash $out/bin/sh - mkdir -m 0755 -p $out/sbin - ln -s ../init $out/sbin/init - ''; - services.dockerRegistry.enable = true; + services.dockerRegistry = { + enable = true; + storagePath = "/srv/docker-registry"; + enableGarbageCollect = true; + enableDelete = true; + }; services.nginx.enable = true; services.nginx.virtualHosts."registry.hq.c3d2.de" = { + # serverAliases = [ "registry.serv.zentralwerk.org" ]; enableACME = true; enableSSL = true; # forceSSL = true; @@ -91,7 +72,7 @@ proxyPass = "http://localhost:5000"; }; extraConfig = '' - client_max_body_size 2048M; + client_max_body_size 4096M; gzip off; ''; }; @@ -100,7 +81,7 @@ # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. - system.stateVersion = "18.09"; # Did you read the comment? + system.stateVersion = "19.03"; # Did you read the comment? } diff --git a/hq.nixops b/hq.nixops index 009af515..14c3b38e 100644 --- a/hq.nixops +++ b/hq.nixops @@ -104,6 +104,28 @@ storeKeysOnMachine = true; }; }; + "registry" = + { ... }: + { + imports = [ + hosts/containers/registry/configuration.nix + ]; + deployment = { + targetHost = "2a02:8106:208:5201::34"; + storeKeysOnMachine = true; + }; + }; + "prometheus" = + { ... }: + { + imports = [ + hosts/containers/prometheus/configuration.nix + ]; + deployment = { + targetHost = "2a02:8106:208:5282:8c46:d6ff:fe43:6afd"; + storeKeysOnMachine = true; + }; + }; + - } diff --git a/lib/logging.nix b/lib/logging.nix new file mode 100644 index 00000000..43790230 --- /dev/null +++ b/lib/logging.nix 
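Review bot: `enableDelete = true` turns on the registry's DELETE API, and together with `enableGarbageCollect = true` it means any client that can reach the nginx vhost can remove manifests and blobs; nothing in this hunk restricts who that is, and `forceSSL` remains commented out so the API is also reachable over plain HTTP. If pushing and deleting are meant to be limited to the team, the vhost should carry an access restriction and a comment stating where it lives; otherwise a `# NOTE: registry is writable and deletable by anyone who can reach the vhost` comment above `services.dockerRegistry` at least documents the trade-off. Both the `services.dockerRegistry` block and the `registry.hq.c3d2.de` vhost continue outside the hunk.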
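Review bot: `system.stateVersion` is bumped from `"18.09"` to `"19.03"` on an existing host, which is exactly what the context comment above the line warns against: the value pins stateful defaults (database data directories and similar) and changing it on a deployed machine can silently alter them. If the container is being re-provisioned from scratch on 19.03 this is fine and deserves a note, e.g. `system.stateVersion = "19.03"; # container re-provisioned on 19.03`; otherwise the value should stay `"18.09"`.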
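Review bot: Both new deployments set `storeKeysOnMachine = true`, which makes NixOps persist deployment secrets on the target's root disk instead of supplying them only at boot; for LXC containers that may be the only workable choice, but the reason should be recorded next to the setting, e.g. `storeKeysOnMachine = true; # container has no tmpfs for boot-time keys — confirm`. The two entries are otherwise identical apart from the configuration path and `targetHost`, so a small helper taking the host name would avoid the copy-paste as more containers are added. The hunk's closing lines after the `"prometheus"` entry are hard to read in this rendering; the file's final `}` should be verified to survive the change.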
@@ -0,0 +1,52 @@ +{ config, pkgs, lib, ... }: + +let + + nginxGlobalLogging = '' + log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", ' + '"remote_addr": "$remote_addr", ' + '"body_bytes_sent": $body_bytes_sent, ' + '"request_time": $request_time, ' + '"response_status": $status, ' + '"request": "$request", ' + '"request_method": "$request_method", ' + '"host": "$host",' + '"upstream_cache_status": "$upstream_cache_status",' + '"upstream_addr": "$upstream_addr",' + '"http_x_forwarded_for": "$http_x_forwarded_for",' + '"http_referrer": "$http_referer", ' + '"http_user_agent": "$http_user_agent" }'; + + # replace the hostnames with the IP or hostname of your Graylog2 server + access_log syslog:server=graylog.server.org:12301 graylog2_json; + error_log syslog:server=graylog.server.org:12302; +''; + +in +{ + + # add central logging + services.journalbeat = { + enable = true; + extraConfig = '' + journalbeat: + seek_position: cursor + cursor_seek_fallback: tail + write_cursor_state: true + cursor_flush_period: 5s + clean_field_names: true + convert_to_numbers: false + move_metadata_to_field: journal + default_type: journal + kernel: true + output.logstash: + # Boolean flag to enable or disable the output module. + enabled: true + hosts: ["logging.serv.zentralwerk.org:5044", "172.20.73.13:5044"] + ''; + }; + + services.prometheus.exporters.node.enable = true; + services.prometheus.exporters.node.openFirewall = true; + +} diff --git a/lib/shared.nix b/lib/shared.nix index 441170b1..b69d8d11 100644 --- a/lib/shared.nix +++ b/lib/shared.nix @@ -1,6 +1,7 @@ { lib, ... }: { + imports = [./logging.nix]; # Set your time zone. time.timeZone = "Europe/Berlin"; # Select internationalisation properties.
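Review bot: `nginxGlobalLogging` is defined in the `let` block but never referenced in the module body, so the nginx access/error log shipping it describes is dead code and its `graylog.server.org` hosts are still the placeholder mentioned in the comment above them; either wire it in (for example through `services.nginx.commonHttpConfig`) with the real Graylog host, or drop it until it is used. Separately, the journalbeat output ships the full journal to `logging.serv.zentralwerk.org:5044` and `172.20.73.13:5044` with no `ssl` settings shown, and because `lib/shared.nix` now imports this file on every host, journal contents (which can include secrets that services print) cross the network in cleartext unless the transport is protected elsewhere — worth either the `output.logstash.ssl` settings or a `# NOTE: logstash transport is unencrypted; reachable only on the internal net` comment stating the assumption. `services.prometheus.exporters.node.openFirewall = true` likewise opens the node exporter on every host importing shared.nix, which is reasonable for an internal scrape network but should be stated in a comment so it is not a surprise on hosts with other interfaces.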