Compare commits
4 commits
3de03a32ac
...
6f8d95781c
| Author | SHA1 | Date | |
|---|---|---|---|
6f8d95781c
|
|||
|
c373911a1b
|
|||
|
214c59b7b3
|
|||
|
eb539f6ee7
|
3 changed files with 71 additions and 5 deletions
|
|
@ -173,6 +173,9 @@ in {
|
|||
# Various other security settings
|
||||
no-tlsv1
|
||||
no-tlsv1_1
|
||||
|
||||
# Monitoring
|
||||
prometheus
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
domain = "gitea.${config.services.nginx.domain}";
|
||||
|
|
@ -19,11 +20,23 @@ in {
|
|||
SSH_PORT = 2222;
|
||||
};
|
||||
|
||||
metrics = {
|
||||
ENABLED = true;
|
||||
TOKEN = "#metricstoken#";
|
||||
};
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
session.COOKIE_SECURE = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.gitea.serviceConfig.ExecStartPre = let
|
||||
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
||||
secretPath = config.sops.secrets."gitea/metrics-token".path;
|
||||
runConfig = "${config.services.gitea.customDir}/conf/app.ini";
|
||||
in [
|
||||
"${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
|
||||
];
|
||||
|
||||
# Set up SSL
|
||||
services.nginx.virtualHosts."${domain}" = let
|
||||
httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
|
||||
|
|
@ -37,6 +50,14 @@ in {
|
|||
'';
|
||||
|
||||
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
||||
locations."/metrics" = {
|
||||
extraConfig = ''
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
# Block repeated failed login attempts
|
||||
|
|
|
|||
|
|
@ -49,9 +49,21 @@ in {
|
|||
};
|
||||
|
||||
services.prometheus.exporters = {
|
||||
domain = {
|
||||
enable = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
extraFlags = let
|
||||
conf.domains = [
|
||||
"tlater.net"
|
||||
"tlater.com"
|
||||
];
|
||||
in [
|
||||
"--config=${yaml.generate "domains.yml" conf}"
|
||||
];
|
||||
};
|
||||
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = ["systemd"];
|
||||
listenAddress = "127.0.0.1";
|
||||
};
|
||||
|
||||
|
|
@ -85,6 +97,16 @@ in {
|
|||
})
|
||||
config.services.nginx.virtualHosts;
|
||||
};
|
||||
|
||||
systemd = {
|
||||
enable = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
extraFlags = [
|
||||
# Disabled by default because only supported from systemd 235+
|
||||
"--systemd.collector.enable-restart-count"
|
||||
"--systemd.collector.enable-ip-accounting"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus.local-exporters = {
|
||||
|
|
@ -116,10 +138,30 @@ in {
|
|||
job_name = "tlater.net";
|
||||
static_configs = [
|
||||
{
|
||||
targets =
|
||||
lib.mapAttrsToList (name: exporter: "${exporter.listenAddress}:${toString exporter.port}")
|
||||
(lib.filterAttrs (name: exporter: (builtins.isAttrs exporter) && exporter.enable)
|
||||
(config.services.prometheus.exporters // config.services.prometheus.local-exporters));
|
||||
targets = let
|
||||
exporters = config.services.prometheus.exporters;
|
||||
localExporters = config.services.prometheus.local-exporters;
|
||||
in
|
||||
map (exporter: "${exporter.listenAddress}:${toString exporter.port}") [
|
||||
exporters.domain
|
||||
exporters.node
|
||||
exporters.nginx
|
||||
exporters.nginxlog
|
||||
exporters.systemd
|
||||
|
||||
localExporters.prometheus-fail2ban-exporter
|
||||
|
||||
{
|
||||
# coturn
|
||||
listenAddress = "127.0.0.1";
|
||||
port = "9641";
|
||||
}
|
||||
{
|
||||
# gitea
|
||||
listenAddress = "127.0.0.1";
|
||||
port = "3000";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue