Add loki and promtail for caddy

This commit is contained in:
batteredbunny 2024-11-30 01:10:27 +02:00
parent e64f96ecdb
commit 1318db7a4f
12 changed files with 459 additions and 207 deletions


@ -54,16 +54,28 @@ in
}
'';
serverAliases = [ "üü.ee" ];
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"kaya.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"kaya.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
respond owo
'';
respond owo
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"bsky.ee" = {
extraConfig = ''
tls {
@ -94,15 +106,27 @@ in
}
'';
serverAliases = [ "*.bsky.ee" ];
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"lastfm.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"lastfm.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString config.services.lastfm-status.port}
'';
reverse_proxy :${toString config.services.lastfm-status.port}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"http://syncthing.internal".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
@ -148,21 +172,28 @@ in
}
'';
"files.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"files.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
basic_auth {
mrow {env.FILES_PASSWORD_HASH}
}
basic_auth {
mrow {env.FILES_PASSWORD_HASH}
}
root * /mnt/media
file_server browse {
hide .Trash-1000
}
'';
root * /mnt/media
file_server browse {
hide .Trash-1000
}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"chat.catnip.ee".extraConfig = ''
tls {
@ -182,73 +213,99 @@ in
root * ${synapse-admin}
file_server
'';
"matrix.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"matrix.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString settings.ports.synapse}
reverse_proxy :${toString settings.ports.synapse}
redir /telegram /telegram/
redir /telegram /telegram/
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
}
handle /.well-known/matrix/server {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.server": "matrix.catnip.ee:443"}`
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
}
handle /.well-known/matrix/server {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.server": "matrix.catnip.ee:443"}`
}
handle /telegram/* {
reverse_proxy :${toString settings.ports.mautrix-telegram}
}
'';
handle /telegram/* {
reverse_proxy :${toString settings.ports.mautrix-telegram}
}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
root * ${inputs.catnip-website}
file_server browse {
hide .git
}
"catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
}
handle /.well-known/matrix/server {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.server": "matrix.catnip.ee:443"}`
}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"www.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
root * ${inputs.catnip-website}
file_server browse {
hide .git
}
redir https://catnip.ee{uri} permanent
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
}
handle /.well-known/matrix/server {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.server": "matrix.catnip.ee:443"}`
}
'';
"www.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"confess.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
redir https://catnip.ee{uri} permanent
'';
"confess.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString config.services.confess-web.port}
'';
reverse_proxy :${toString config.services.confess-web.port}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
":80".extraConfig = ''
respond awawaw
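Review bot: The `logFormat` block `output file ${config.services.caddy.logDir}/access.log { mode 640 }` is pasted verbatim into every virtual host in this section and repeated again in the drasl, coturn, feishin, forgejo, jellyfin, mastodon, mautrix-discord, nextcloud, ntfy and wakapi sections. The promtail scrape target and the caddy-group membership added in this commit depend on every vhost writing to exactly that path with exactly that mode, so a single copy that drifts (a path typo, a different mode) would silently drop that host's traffic from Loki or expose its log more widely than the others. Defining the string once, for example as a new value carried in the `settings` argument these modules already receive, `logFormat = settings.caddy.accessLog;`, keeps the path and mode in one place. Apart from that block, each vhost is only reshaped from `.extraConfig = ''…''` to `{ extraConfig = …; logFormat = …; }`.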


@ -7,9 +7,16 @@
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services = {
caddy.virtualHosts."drasl.snailcore.net".extraConfig = ''
caddy.virtualHosts."drasl.snailcore.net" = {
extraConfig = ''
reverse_proxy http://${config.services.drasl.settings.ListenAddress}
'';
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
minecraft-servers = { # /srv/minecraft
enable = true;
eula = true;


@ -17,6 +17,12 @@ in
'';
useACMEHost = config.services.coturn.realm;
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
coturn = rec {


@ -1,4 +1,4 @@
{ settings, ... }: {
{ config, settings, ... }: {
virtualisation.oci-containers.containers.feishin = {
autoStart = true;
image = "ghcr.io/jeffvli/feishin:latest";
@ -18,12 +18,19 @@
];
};
services.caddy.virtualHosts."player.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
services.caddy.virtualHosts."player.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString settings.ports.feishin}
'';
reverse_proxy :${toString settings.ports.feishin}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
}


@ -55,14 +55,21 @@
};
caddy.virtualHosts = {
"forge.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"forge.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
'';
reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
};
borgbackup.jobs."borgbase" = {


@ -1,22 +1,141 @@
{ config, ... }: {
services = {
grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3002;
enable_gzip = true;
domain = "stats.internal";
};
enable = true;
analytics.reporting_enabled = false;
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3002;
enable_gzip = true;
domain = "stats.internal";
};
analytics.reporting_enabled = false;
};
};
promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3003;
grpc_listen_port = 0;
};
positions.filename = "/tmp/positions.yaml";
clients = [{
url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "caddy";
static_configs = [{
targets = [ "localhost" ];
labels = {
job = "caddy";
__path__ = "/var/log/caddy/access.log";
};
}];
}];
};
};
loki = {
enable = true;
configuration = {
server.http_listen_port = 3030;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [{
from = "2024-04-01";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}];
};
storage_config = {
tsdb_shipper = {
active_index_directory = "/var/lib/loki/tsdb-index";
cache_location = "/var/lib/loki/tsdb-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
query_scheduler.max_outstanding_requests_per_tenant = 32768;
querier.max_concurrent = 16;
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
caddy.virtualHosts."http://stats.internal".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
'';
borgbackup.jobs."borgbase".paths = [
"/var/lib/loki"
"/var/lib/grafana"
];
};
users.users.promtail.extraGroups = [
config.systemd.services.caddy.serviceConfig.Group # Promtail needs caddy group to access its logs
];
}
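Review bot: `loki.configuration.server` sets only `http_listen_port = 3030` next to `auth_enabled = false`, and `promtail.configuration.server` likewise sets only ports; both daemons bind every interface when no listen address is given, while every consumer in this file (the Grafana datasource URL, the promtail client URL) talks to 127.0.0.1. Adding `http_listen_address = "127.0.0.1";` to the loki `server` block (and to promtail's) keeps the unauthenticated push/query API and promtail's status endpoint off the network regardless of firewall state, matching what Grafana already does with `http_addr`. `positions.filename = "/tmp/positions.yaml"` means the read offset does not survive a reboot or, if the unit runs with a private /tmp, even a restart, so the whole access.log is re-ingested each time; a path under the service's state directory such as `/var/lib/promtail/positions.yaml` (confirm the promtail user can write there) avoids the duplicate entries. `__path__ = "/var/log/caddy/access.log"` hard-codes what the vhosts express as `${config.services.caddy.logDir}/access.log`; using the same expression here keeps the scraper pointed at the file the hosts actually write.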


@ -1,4 +1,4 @@
{ settings, ... }: {
{ config, settings, ... }: {
virtualisation.oci-containers.containers.jellyfin-vue = {
autoStart = true;
image = "docker.io/jellyfin/jellyfin-vue:unstable";
@ -34,22 +34,36 @@
jellyfin.enable = true;
caddy.virtualHosts = {
"vue.jellyfin.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
"vue.jellyfin.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString settings.ports.jellyfin_vue}
'';
"jellyfin.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString settings.ports.jellyfin_vue}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
"jellyfin.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString settings.ports.jellyfin}
'';
reverse_proxy :${toString settings.ports.jellyfin}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
};
borgbackup.jobs."borgbase" = {
@ -61,4 +75,4 @@
];
};
};
}
}


@ -21,46 +21,53 @@
};
};
caddy.virtualHosts."fedi.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
caddy.virtualHosts."fedi.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
reverse_proxy :${toString config.services.mastodon.webPort}
}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
encode gzip
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy :${toString config.services.mastodon.webPort}
}
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
borgbackup.jobs."borgbase" = {
paths = [


@ -1,4 +1,4 @@
{ pkgs, settings, ... }: {
{ config, pkgs, settings, ... }: {
virtualisation.oci-containers.containers.mautrix-discord = {
autoStart = true;
image = "dock.mau.dev/mautrix/discord:v0.7.0";
@ -12,14 +12,21 @@
services = {
# mautrix-discord media proxy https://docs.mau.fi/bridges/go/discord/direct-media.html
caddy.virtualHosts."discord-media.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
caddy.virtualHosts."discord-media.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :29334
'';
reverse_proxy :29334
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
# /var/lib/mautrix-telegram
mautrix-telegram = {


@ -4,26 +4,33 @@
];
services = {
caddy.virtualHosts."cloud.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
caddy.virtualHosts."cloud.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Referrer-Policy no-referrer
Referrer-Policy same-origin
Referrer-Policy strict-origin
Referrer-Policy strict-origin-when-cross-origin
Referrer-Policy no-referrer-when-downgrade
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Referrer-Policy no-referrer
Referrer-Policy same-origin
Referrer-Policy strict-origin
Referrer-Policy strict-origin-when-cross-origin
Referrer-Policy no-referrer-when-downgrade
}
reverse_proxy 127.0.0.1:${toString settings.ports.nextcloud}
'';
reverse_proxy 127.0.0.1:${toString settings.ports.nextcloud}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
# /var/lib/nextcloud
nextcloud = {
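Review bot: The `header { … }` block for cloud.catnip.ee lists `Referrer-Policy` five times with different values; Caddy's `header` directive sets a field rather than appending to it, so as far as I can tell only one of the five is sent and the Caddyfile does not make explicit which one wins. Keep a single line with the intended policy, e.g. `Referrer-Policy no-referrer` (the strictest value listed), and drop the other four; if the weakest listed value, `no-referrer-when-downgrade`, is what currently survives, full referrer URLs are sent on cross-origin HTTPS navigations. These lines are carried over unchanged from the old side, so the defect predates this commit, but the reshaped vhost is the natural place to fix it.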


@ -8,23 +8,30 @@
base-url = "https://ntfy.catnip.ee";
};
};
caddy.virtualHosts."ntfy.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
caddy.virtualHosts."ntfy.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
# Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
# it to work with curl without the annoying https:// prefix.
@httpget {
protocol http
method GET
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
}
redir @httpget https://{host}{uri}
'';
# Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
# it to work with curl without the annoying https:// prefix.
@httpget {
protocol http
method GET
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
}
redir @httpget https://{host}{uri}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
borgbackup.jobs."borgbase".paths = [
"/var/lib/ntfy-sh"


@ -1,13 +1,20 @@
{ config, ... }: {
services = {
caddy.virtualHosts."waka.catnip.ee".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
caddy.virtualHosts."waka.catnip.ee" = {
extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy :${toString config.services.wakapi.settings.server.port}
'';
reverse_proxy :${toString config.services.wakapi.settings.server.port}
'';
logFormat = ''
output file ${config.services.caddy.logDir}/access.log {
mode 640
}
'';
};
wakapi = {
enable = true;