Compare commits
7 Commits
f17f36bf61
...
1735e49157
Author | SHA1 | Date |
---|---|---|
Ryan Rix | 1735e49157 | |
Ryan Rix | bab132ad55 | |
Ryan Rix | 82b5a724dd | |
Ryan Rix | e05d51c871 | |
Ryan Rix | d52ebcd292 | |
Ryan Rix | 5b4e385006 | |
Ryan Rix | 1bff7c31a4 |
|
@ -0,0 +1,256 @@
|
|||
:PROPERTIES:
|
||||
:ID: 20221202T122017.620403
|
||||
:ROAM_REFS: https://akkoma.dev/AkkomaGang/akkoma https://akkoma.social/
|
||||
:END:
|
||||
#+TITLE: Self-Hosting on the Fediverse with (Pleroma for now, eventually) Akkoma
|
||||
#+FILETAGS: :Akkoma Social:
|
||||
#+ARCOLOGY_KEY: cce/akkoma
|
||||
|
||||
Akkoma is a [[id:62538db5-d94a-47c3-9998-086ded91fd88][Fediverse]]/[[id:activitypub][ActivityPub]] server forked from [[roam:Pleroma]] written in [[id:cce/elixir][Elixir]], supporting the [[id:339daa8c-cc01-4654-aa89-330a4e62aafa][Mastodon Server]] API. This is a light-weight thing and I intend to self-publish to the Fediverse with an instance running on [[id:20211120T220054.226284][The Wobserver]].
|
||||
|
||||
* [[https://github.com/NixOS/nixpkgs/pull/192285][akkoma: init at 3.4.0 by illdefined · Pull Request #192285 · NixOS/nixpkgs]]
|
||||
:PROPERTIES:
|
||||
:ROAM_REF: [[https://github.com/NixOS/nixpkgs/pull/192285]]
|
||||
:ID: 20221202T122230.525913
|
||||
:END:
|
||||
[2022-12-02 Fri 12:22]
|
||||
|
||||
* +Akkoma+ Pleroma on [[id:c75d20e6-8888-4c5a-ac97-5997e2f1c711][NixOS]]
|
||||
:PROPERTIES:
|
||||
:ID: 20221202T122135.502628
|
||||
:END:
|
||||
:LOGBOOK:
|
||||
CLOCK: [2022-12-02 Fri 12:22]--[2022-12-02 Fri 16:24] => 4:02
|
||||
:END:
|
||||
|
||||
Akkoma is properly on its way to being integrated with NixOS through [[id:c75d20e6-8888-4c5a-ac97-5997e2f1c711][nixpkgs]] in [[id:20221202T122230.525913][nixpkgs PR #192285]], but until then I will run pleroma after trying to get Akkoma to run in docker containers.
|
||||
|
||||
The [[https://docs.akkoma.dev/stable/installation/docker_en/][Docker installation]] instructions for Akkoma are built around [[roam:Docker Compose]] which is, fine, but I want to use my system [[id:cce/wobserver/postgres][PostgreSQL]] instead of one hidden in the Compose image so we'll have to do Some Work ourselves. I'll have to set up [[id:20221202T124113.404212][Docker on the Wobserver]] first...
|
||||
|
||||
This sucks though, i'll just wait for that nixos module and run Pleroma in the meantime. In theory it'll be easy enough to [[https://docs.akkoma.dev/stable/installation/migrating_to_akkoma/][migrate to akkoma]]...
|
||||
|
||||
It's not super complicated but we'll break it up in to multiple imports so that I can explain what is going on a bit:
|
||||
|
||||
#+ARROYO_NIXOS_ROLE: server
|
||||
#+ARROYO_NIXOS_MODULE: nixos/akkoma.nix
|
||||
#+AUTO_TANGLE: t
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma.nix :noweb yes
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./akkoma-users.nix
|
||||
./akkoma-statics.nix
|
||||
./akkoma-frontends.nix
|
||||
./akkoma-wobservability.nix
|
||||
];
|
||||
|
||||
services.postgresql.ensureDatabases = ["akkoma"];
|
||||
# have to run psql for migrations to pass:
|
||||
# ALTER DATABASE akkoma OWNER TO akkoma;
|
||||
services.postgresql.ensureUsers = [
|
||||
{
|
||||
name = "akkoma";
|
||||
ensurePermissions = {
|
||||
"DATABASE akkoma" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
systemd.services.pleroma.path = with pkgs; [exiftool ffmpeg imagemagick];
|
||||
services.pleroma = {
|
||||
enable = true;
|
||||
|
||||
# don't feel like needing to chown later on...
|
||||
group = "akkoma";
|
||||
user = "akkoma";
|
||||
|
||||
configs = [
|
||||
''
|
||||
<<initial-configuration>>
|
||||
''
|
||||
];
|
||||
# manually populated
|
||||
secretConfigFile = "/srv/akkoma/secrets.exs";
|
||||
};
|
||||
}
|
||||
#+end_src
|
||||
|
||||
** Initial =config.exs=
|
||||
|
||||
This configuration tells Pleroma that it's fine to be configured in the =admin-fe= interface and provides some defaults from the configuration generator:
|
||||
|
||||
#+begin_src elixir :noweb-ref initial-configuration
|
||||
import Config
|
||||
|
||||
config :pleroma, Pleroma.Web.Endpoint,
|
||||
url: [host: "notes.whatthefuck.computer", scheme: "https", port: 443],
|
||||
http: [ip: {127, 0, 0, 1}, port: 4000]
|
||||
|
||||
config :pleroma, :instance,
|
||||
name: "Computers :(",
|
||||
email: "fedi@whatthefuck.computer",
|
||||
notify_email: "fedi@whatthefuck.computer",
|
||||
limit: 5000,
|
||||
registrations_open: false
|
||||
|
||||
config :pleroma, :media_proxy,
|
||||
enabled: false,
|
||||
redirect_on_failure: true
|
||||
|
||||
config :pleroma, :database, rum_enabled: false
|
||||
config :pleroma, :instance, static_dir: "/srv/akkoma/static"
|
||||
config :pleroma, Pleroma.Uploaders.Local, uploads: "/srv/akkoma/uploads"
|
||||
|
||||
# Enable Strict-Transport-Security once SSL is working:
|
||||
# config :pleroma, :http_security,
|
||||
# sts: true
|
||||
|
||||
config :pleroma, configurable_from_database: true
|
||||
|
||||
config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.Dedupe]
|
||||
|
||||
#+end_src
|
||||
|
||||
** System Users
|
||||
|
||||
I really would like to manage my uids and gids better, but alas.
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-users.nix
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
ids.uids.akkoma = 901;
|
||||
ids.gids.akkoma = 901;
|
||||
|
||||
users.groups.akkoma = {
|
||||
gid = config.ids.gids.akkoma;
|
||||
};
|
||||
|
||||
users.users.akkoma = {
|
||||
group = "akkoma";
|
||||
uid = config.ids.uids.akkoma;
|
||||
shell = "${pkgs.bash}/bin/bash";
|
||||
isSystemUser = true;
|
||||
# ugh... services.pleroma.stateDir is readonly
|
||||
home = "/var/lib/pleroma";
|
||||
createHome = true;
|
||||
};
|
||||
}
|
||||
#+end_src
|
||||
|
||||
** Static Files
|
||||
|
||||
I could just splat this on to the filesystem but no harm in having it in the Nix store:
|
||||
|
||||
#+begin_src html :noweb-ref tos
|
||||
<p>
|
||||
Now look; this is a single-user
|
||||
instance. <a href="https://notes.whatthefuck.computer/rrix">rrix</a>
|
||||
posts inane bullshit here. Look at their profile if you care about
|
||||
what is going on here.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
This is a Pleroma instance. Not because I want it to be but because
|
||||
Akkoma isn't natively packaged in NixOS yet.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
<ul>
|
||||
<li>I'm not a fascist.</li>
|
||||
<li>I'm not a cop.</li>
|
||||
<li>I'm not a narc.</li>
|
||||
<li>I'm not a racist.</li>
|
||||
<li>I'm not a transphobe.</li>
|
||||
<li>I'm not gonna put up with bullshit.</li>
|
||||
<li>I'm just a little computer goblin who wants to self-host.</li>
|
||||
</ul>
|
||||
</p>
|
||||
|
||||
<p>
|
||||
If you care about the privacy policy if this instance, don't
|
||||
federate with it. rrix is a consummate privacy professional, but
|
||||
they're also just one person. I have no intention to do anything
|
||||
untoward with posts federated to my instance, nor engage in
|
||||
non-standard behavior on the fediverse. At the same time, I'm likely
|
||||
not going to be able to go up against government requests for data
|
||||
stored on this instace. As of [2022-12-04] this instance has not
|
||||
been compelled to give data to any government or law enforcement
|
||||
agency and has not done so voluntarily. I'm just one homie hanging
|
||||
out making posts with my friends and trying to make new ones, and
|
||||
you're here reading this. What's up?
|
||||
</p>
|
||||
|
||||
#+end_src
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-statics.nix :noweb yes
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
system.activationScripts = let
|
||||
tos = pkgs.writeTextFile {
|
||||
name="pleroma-terms-of-service";
|
||||
text = ''
|
||||
<<tos>>
|
||||
'';
|
||||
};
|
||||
in {
|
||||
install-pleroma-tos.text = ''
|
||||
export DEST_DIR=/srv/akkoma/static/
|
||||
mkdir -p $DEST_DIR
|
||||
ln -sf ${tos} $DEST_DIR/terms-of-service.html
|
||||
'';
|
||||
};
|
||||
}
|
||||
#+end_src
|
||||
|
||||
** Nginx Frontend for Akkoma
|
||||
|
||||
Nothing special here -- I have it split in to two blocks here because one of my old iterations of [[id:1d917282-ecf4-4d4c-ba49-628cbb4bb8cc][The Arcology Project]] used this domain to host short-form [[id:fa6cee69-dca0-45f5-ae9e-b71cad3702a6][IndieWeb]]/microformat notes. The old files still exist and can be resolved in the =try_files= block, and any failures will proxy through to the app backend. I also adjust the max body size for image uploads, etc. I might replace that with S3 in the future but for now the images can just go on to the file system.
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-frontends.nix
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
services.nginx.virtualHosts."notes.whatthefuck.computer" = {
|
||||
extraConfig = ''
|
||||
client_max_body_size 100M;
|
||||
'';
|
||||
locations."/".extraConfig = ''
|
||||
try_files $uri @proxy;
|
||||
'';
|
||||
locations."@proxy" = {
|
||||
proxyPass = "http://127.0.0.1:4000";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
#+end_src
|
||||
|
||||
** [[id:20220101T190353.843667][Wobservability]]
|
||||
|
||||
I would like to have some usage metrics emitted, this is just service-level stuff:
|
||||
|
||||
Enable =Pleroma.Web.Endpoint.MetricsExporter= in settings.
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-wobservability.nix
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
services.prometheus.scrapeConfigs = [
|
||||
{
|
||||
job_name = "akkoma";
|
||||
metrics_path = "/api/pleroma/app_metrics";
|
||||
static_configs = [{ targets = [ "127.0.0.1:4000" ]; }];
|
||||
}
|
||||
];
|
||||
}
|
||||
#+end_src
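Review bot: The metrics endpoint scraped in `akkoma-wobservability.nix` is also reachable from the internet, because the vhost in `akkoma-frontends.nix` sends every path that is not a static file to `@proxy`, and that includes `/api/pleroma/app_metrics`. Unless the exporter is restricted in the admin-fe settings, which are not visible here, I would block it at the proxy with `locations."/api/pleroma/app_metrics".extraConfig = "deny all;";`. Prometheus scrapes `127.0.0.1:4000` directly and is unaffected by that. Separately, `secretConfigFile = "/srv/akkoma/secrets.exs"` is only described as "manually populated"; a comment stating the expected owner and mode (readable by `akkoma` only) would help whoever rebuilds the host.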
|
|
@ -17,7 +17,8 @@
|
|||
#+begin_src nix :tangle ~/arroyo-nix/hm/applications.nix :noweb yes
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let mkNixGLWrapper = pkgs.lib.mkNixGLWrapper;
|
||||
with pkgs;
|
||||
let mkNixGLWrapper = lib.mkNixGLWrapper;
|
||||
in
|
||||
{
|
||||
programs.htop = {
|
||||
|
@ -41,16 +42,16 @@ in
|
|||
"x-scheme-handler/sgnl" = ["signal-desktop.desktop"];
|
||||
};
|
||||
|
||||
home.file.".config/autostart/cantata.desktop".source = "${pkgs.cantata}/share/applications/cantata.desktop";
|
||||
home.file.".config/autostart/signal-desktop.desktop".source = "${pkgs.signal-desktop}/share/applications/signal-desktop.desktop";
|
||||
home.file.".config/autostart/discord.desktop".source = "${pkgs.discord}/share/applications/discord.desktop";
|
||||
home.file.".config/autostart/element-desktop.desktop".source = "${pkgs.element-desktop}/share/applications/element-desktop.desktop";
|
||||
home.file.".config/autostart/cantata.desktop".source = "${cantata}/share/applications/cantata.desktop";
|
||||
home.file.".config/autostart/signal-desktop.desktop".source = "${signal-desktop}/share/applications/signal-desktop.desktop";
|
||||
home.file.".config/autostart/discord.desktop".source = "${discord}/share/applications/discord.desktop";
|
||||
home.file.".config/autostart/element-desktop.desktop".source = "${element-desktop}/share/applications/element-desktop.desktop";
|
||||
|
||||
home.packages = [
|
||||
pkgs.ktorrent
|
||||
ktorrent
|
||||
(mkNixGLWrapper {
|
||||
name = "calibre";
|
||||
pkg = (pkgs.calibre.override { unrarSupport = true; });
|
||||
pkg = (calibre.override { unrarSupport = true; });
|
||||
})
|
||||
(mkNixGLWrapper { name="gimp"; })
|
||||
(mkNixGLWrapper { name="obs-studio"; })
|
||||
|
@ -66,46 +67,46 @@ in
|
|||
(mkNixGLWrapper { name="signal-desktop"; })
|
||||
# (mkNixGLWrapper { name="tdesktop"; }) # telegram-desktop
|
||||
|
||||
pkgs.pavucontrol
|
||||
pavucontrol
|
||||
(mkNixGLWrapper { name="vlc"; })
|
||||
pkgs.youtube-dl
|
||||
pkgs.transmission-remote-gtk
|
||||
youtube-dl
|
||||
transmission-remote-gtk
|
||||
|
||||
pkgs.cataclysm-dda
|
||||
cataclysm-dda
|
||||
(mkNixGLWrapper { name="runelite"; })
|
||||
|
||||
pkgs.virt-manager
|
||||
pkgs.libvirt
|
||||
pkgs.zbar
|
||||
virt-manager
|
||||
libvirt
|
||||
zbar
|
||||
|
||||
pkgs.plasma5Packages.qttools
|
||||
plasma5Packages.qttools
|
||||
|
||||
pkgs.plasma5Packages.kontact
|
||||
pkgs.plasma5Packages.kaccounts-integration
|
||||
pkgs.plasma5Packages.akonadi
|
||||
pkgs.plasma5Packages.akonadiconsole
|
||||
pkgs.plasma5Packages.kdepim-runtime
|
||||
pkgs.plasma5Packages.kdepim-addons
|
||||
pkgs.okteta
|
||||
plasma5Packages.kontact
|
||||
plasma5Packages.kaccounts-integration
|
||||
plasma5Packages.akonadi
|
||||
plasma5Packages.akonadiconsole
|
||||
plasma5Packages.kdepim-runtime
|
||||
plasma5Packages.kdepim-addons
|
||||
okteta
|
||||
|
||||
pkgs.plasma5Packages.kteatime
|
||||
plasma5Packages.kteatime
|
||||
|
||||
(mkNixGLWrapper { name="endless-sky"; })
|
||||
pkgs.crawlTiles
|
||||
crawlTiles
|
||||
|
||||
(mkNixGLWrapper { name="zoom-us"; })
|
||||
|
||||
(mkNixGLWrapper { name="stellarium"; })
|
||||
pkgs.kstars
|
||||
kstars
|
||||
|
||||
pkgs.heroku
|
||||
heroku
|
||||
|
||||
pkgs.graphviz
|
||||
graphviz
|
||||
|
||||
# calibre de-drm plugin for kobo
|
||||
# (pkgs.stdenv.mkDerivation {
|
||||
# (stdenv.mkDerivation {
|
||||
# name = "calibre_obok_dedrm";
|
||||
# src = pkgs.fetchFromGitHub {
|
||||
# src = fetchFromGitHub {
|
||||
# # https://github.com/lalmeras/DeDRM_tools/blob/Python3/make_release.py
|
||||
# owner = "lalmeras";
|
||||
# repo = "DeDRM_tools";
|
||||
|
@ -114,14 +115,17 @@ in
|
|||
# };
|
||||
# installPhase = ''
|
||||
# export SOURCE_DATE_EPOCH=315532800;
|
||||
# ${pkgs.python3}/bin/python3 make_release.py Python3
|
||||
# ${python3}/bin/python3 make_release.py Python3
|
||||
# '';
|
||||
# })
|
||||
pkgs.zip
|
||||
pkgs.unzip
|
||||
pkgs.bind.dnsutils
|
||||
] +++ [
|
||||
zip
|
||||
unzip
|
||||
bind.dnsutils
|
||||
|
||||
pkgs.cmark-gfm
|
||||
cmark-gfm
|
||||
|
||||
file
|
||||
];
|
||||
}
|
||||
#+end_src
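Review bot: In the last hunk (`@ -114,14 +115,17 @@`) the two lists are joined with `] +++ [`. Nix list concatenation is `++`, so unless the extra `+` is an artifact of how this page was rendered, the file will not parse and the line should read `] ++ [`. On style, a file-wide `with pkgs;` makes every bare name in the module (`file`, `zip`, `heroku`, ...) resolve implicitly against the package set. Scoping it to the list, `home.packages = with pkgs; [ ... ];`, keeps the shorter names while leaving the rest of the module explicit.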
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
:PROPERTIES:
|
||||
:ID: 20221211T141924.762816
|
||||
:ROAM_REFS: https://drawingbotv3.ollielansdell.co.uk/ https://github.com/SonarSonic/DrawingBotV3/
|
||||
:END:
|
||||
#+TITLE: DrawingBot
|
||||
#+FILETAGS: :Software:CCE:
|
||||
|
||||
#+begin_quote
|
||||
DrawingBotV3 is a software for converting images to line drawings for Plotters / Drawing Machines / 3D printers. It also serves as an application for visual artists to create stylised line drawings from images / video
|
||||
#+end_quote
|
||||
|
||||
* DrawingBot V3 on NixOS
|
||||
|
||||
#+ARROYO_HOME_MODULE: hm/drawingbot.nix
|
||||
#+ARROYO_NIXOS_ROLE: endpoint
|
||||
#+AUTO_TANGLE: t
|
||||
|
||||
DrawingBot uses JavaFX and is distributed as a JAR, rpm, deb, windows... The Premium version is just shoved in to my [[id:cce/syncthing][Syncthing]] directory and is provided in an override in [[id:20221021T121120.541960][rixpkgs]]. It should work just fine with the free/libre version which is =lib.license.gplv3=, but I use the proprietary version.
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/pkgs/drawingbot.nix
|
||||
{ pkgs,
|
||||
name ? "drawingbotv3-free",
|
||||
... }:
|
||||
|
||||
with pkgs;
|
||||
stdenv.mkDerivation rec {
|
||||
inherit name;
|
||||
version = "1.5.0-beta";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/SonarSonic/DrawingBotV3/releases/download/v${version}-free/DrawingBotV3-Free-${version}-all.jar";
|
||||
sha256 = lib.fakeSha256;
|
||||
};
|
||||
nativeBuildInputs = [ wrapGAppsHook gtk3 ];
|
||||
|
||||
dontUnpack = true;
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir -p $out/share/java/
|
||||
cp $src $out/share/java/${name}-${version}.jar
|
||||
|
||||
makeWrapper ${jre}/bin/java $out/bin/${name} \
|
||||
''${gappsWrapperArgs[@]} \
|
||||
--add-flags "-jar $out/share/java/${name}-${version}.jar"
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
desktopItems = [
|
||||
(makeDesktopItem {
|
||||
inherit name;
|
||||
exec = name;
|
||||
comment = "Software for converting images to line drawings for Plotters / Drawing Machines / 3D printers";
|
||||
desktopName = "DrawingBot V3";
|
||||
categories = [ "Graphics" ];
|
||||
})
|
||||
];
|
||||
|
||||
meta = {
|
||||
homepage = "https://github.com/SonarSonic/DrawingBotV3";
|
||||
description = "DrawingBotV3 is a software for converting images to line drawings";
|
||||
license = lib.licenses.gplv3;
|
||||
maintainers = with lib.maintainers; [ rrix ];
|
||||
};
|
||||
}
|
||||
|
||||
#+end_src
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/hm/drawingbot.nix
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
home.packages = [ pkgs.drawingbot-premium ];
|
||||
}
|
||||
#+end_src
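Review bot: `sha256 = lib.fakeSha256;` leaves the downloaded release JAR without a real integrity pin. As a fixed-output fetch it will fail against the placeholder, so the default `drawingbotv3-free` variant cannot build until the real hash is filled in, e.g. `sha256 = "<sha256 of the verified release JAR>";`. `license = lib.licenses.gplv3;` also looks wrong: as far as I know nixpkgs names the attribute `gpl3` (or `gpl3Only`/`gpl3Plus`), so evaluating `meta` would fail. `desktopItems` is set but no `copyDesktopItems` appears in `nativeBuildInputs`, so the desktop entry is probably not installed.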
|
|
@ -0,0 +1,84 @@
|
|||
:PROPERTIES:
|
||||
:ID: 20221130T103851.207871
|
||||
:END:
|
||||
#+TITLE: Gitea on NixOS
|
||||
#+FILETAGS: :CCE:NixOS:Wobserver:
|
||||
|
||||
#+ARROYO_NIXOS_MODULE: nixos/gitea.nix
|
||||
#+ARROYO_NIXOS_ROLE: server
|
||||
|
||||
#+AUTO_TANGLE: t
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/gitea.nix
|
||||
{ config, ... }:
|
||||
|
||||
let cfg = config.services.gitea;
|
||||
in {
|
||||
services.postgresql.ensureDatabases = ["gitea"];
|
||||
services.postgresql.ensureUsers = [
|
||||
{
|
||||
name = "gitea";
|
||||
ensurePermissions = {
|
||||
"DATABASE gitea" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 2222 ];
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
appName = "rrix's code with a cup of tea";
|
||||
stateDir = "/srv/gitea";
|
||||
|
||||
domain = "code.rix.si";
|
||||
rootUrl = "https://code.rix.si";
|
||||
|
||||
httpAddress = "127.0.0.1";
|
||||
httpPort = 3009;
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
DISABLE_REGISTRATION = true;
|
||||
START_SSH_SERVER = true;
|
||||
SSH_LISTEN_PORT = 2222;
|
||||
SSH_PORT = 2222;
|
||||
ENABLE_GZIP = true;
|
||||
LANDING_PAGE = "explore";
|
||||
};
|
||||
ui.DEFAULT_THEME = "arc-green";
|
||||
session.COOKIE_SECURE = true;
|
||||
federation.ENABLED = true;
|
||||
metrics.ENABLED = true;
|
||||
packages.ENABLED = false;
|
||||
picture.ENABLE_FEDERATED_AVATAR = true;
|
||||
time.DEFAULT_UI_LOCATION = config.time.timeZone;
|
||||
};
|
||||
|
||||
database = {
|
||||
socket = "/run/postgresql/";
|
||||
type = "postgres";
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus.scrapeConfigs = [
|
||||
{
|
||||
job_name = "gitea";
|
||||
static_configs = [{ targets = ["${cfg.httpAddress}:${toString cfg.httpPort}"]; }];
|
||||
}
|
||||
];
|
||||
|
||||
services.nginx.virtualHosts."code.rix.si" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${cfg.httpAddress}:${toString cfg.httpPort}";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
#+end_src
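Review bot: `DISABLE_REGISTRATION = true` sits under `settings.server`, but Gitea reads that key from the `[service]` section, so as written it most likely has no effect and sign-up stays open on a public instance. It should be `service.DISABLE_REGISTRATION = true;`. In the same block, `metrics.ENABLED = true` with no token means `/metrics` is served to anyone through the `code.rix.si` vhost, since `locations."/"` proxies everything. Either set a `metrics.TOKEN` that is kept out of the Nix store and give Prometheus the matching bearer token, or deny `/metrics` in nginx and keep scraping `127.0.0.1:3009` directly.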
|
|
@ -160,10 +160,14 @@ I use [[https://letsencrypt.org/][Lets Encrypt]] for my DNS, I really like 'em.
|
|||
|
||||
** NEXT move afd.fontkeming.fail vhost to [[id:d7d936ab-781c-4e04-88bb-af65b23c6c43][Area Forecast Discussion]]
|
||||
|
||||
** INPROGRESS plumb these through on fontkeming
|
||||
** DONE plumb these through on fontkeming
|
||||
:LOGBOOK:
|
||||
- State "DONE" from "INPROGRESS" [2022-12-20 Tue 10:29]
|
||||
- State "INPROGRESS" from "NEXT" [2022-11-12 Sat 21:19]
|
||||
:END:
|
||||
|
||||
need to finish up [[id:20220101T190353.843667][Wobserver Observability]] to migrate =home.rix.si=
|
||||
|
||||
* INPROGRESS virtualHosts
|
||||
:LOGBOOK:
|
||||
- State "INPROGRESS" from "NEXT" [2022-11-12 Sat 20:01]
|
||||
|
|
10
nixos.org
10
nixos.org
|
@ -30,6 +30,16 @@ Nix is a [[id:a7420bb9-395f-4afa-92fb-8eaa0b8a4cd8][Tool]] for building [[id:0d9
|
|||
(make-local-variable 'company-backends)
|
||||
(add-to-list 'company-backends 'company-nixos-options))))
|
||||
(use-package nix-sandbox)
|
||||
|
||||
(defun cce-find-nix-output-at-point ()
|
||||
(interactive)
|
||||
(->>
|
||||
(nix-store-path-at-point)
|
||||
(make-instance 'nix-store-path :path )
|
||||
(nix-store-fill-data )
|
||||
(nix-store-path-outputs )
|
||||
(completing-read "Select an output" )
|
||||
(find-file)))
|
||||
#+end_src
|
||||
|
||||
#+begin_src yaml
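Review bot: `cce-find-nix-output-at-point` has no docstring and does not handle point being somewhere other than on a store path. If `nix-store-path-at-point` returns nil (I am inferring that it can), the nil is threaded into `make-instance` and the failure surfaces later with an unrelated error. A one-line docstring such as `"Visit an output of the Nix store path at point."` and an early `(user-error "No Nix store path at point")` would make the command self-explanatory. The prompt would also read better as `"Select an output: "`.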
|
||||
|
|
|
@ -0,0 +1,56 @@
|
|||
:PROPERTIES:
|
||||
:ID: 20221202T124113.404212
|
||||
:END:
|
||||
#+TITLE: Docker Containers on the Wobserver
|
||||
#+FILETAGS: :CCE:
|
||||
|
||||
I don't really *want* to use [[roam:Docker]], but it's the most-supported way to get some services etc running on my server. This is kind of the Minimum Viable Docker...
|
||||
|
||||
The =htpasswd= file was generated locally and then copied to the server so that it doesn't make it in to any =nix store=... It has to be done with =apacheHttpd='s =htpasswd= like so: =sudo -u docker-registry htpasswd -B /srv/docker-registry/htpasswd rrix=.
|
||||
|
||||
#+ARROYO_NIXOS_MODULE: nixos/wobserver-docker.nix
|
||||
#+ARROYO_NIXOS_ROLE: server
|
||||
#+AUTO_TANGLE: t
|
||||
|
||||
#+begin_src nix :tangle ~/arroyo-nix/nixos/wobserver-docker.nix
|
||||
{ config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.dockerRegistry;
|
||||
in{
|
||||
virtualisation.containers = {
|
||||
registries.search = ["docker.fontkeming.fail" "docker.io"];
|
||||
storage.settings = {
|
||||
storage.driver = "zfs";
|
||||
};
|
||||
};
|
||||
virtualisation.oci-containers.backend = "docker";
|
||||
|
||||
services.dockerRegistry = {
|
||||
enable = true;
|
||||
enableGarbageCollect = true;
|
||||
storagePath = "/srv/docker-registry/";
|
||||
extraConfig = {
|
||||
auth.htpasswd = {
|
||||
realm = "basic-realm";
|
||||
path = "/srv/docker-registry/htpasswd";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."docker.fontkeming.fail" = {
|
||||
locations."/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
|
||||
locations."/".extraConfig = ''
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https; # workaround for double-proxying https://github.com/distribution/distribution/issues/2862 ???
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
'';
|
||||
extraConfig = ''
|
||||
client_max_body_size 1G;
|
||||
'';
|
||||
};
|
||||
}
|
||||
#+end_src
|
||||
|
||||
There's a question of whether to set =virtualisation.oci-containers.backend= to docker or use Podman -- I'm tempted to just leave this until I don't need to.
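Review bot: `registries.search = ["docker.fontkeming.fail" "docker.io"]` makes every unqualified image name ambiguous: a short name that is missing from the private registry falls through to Docker Hub, so an image expected from your own registry can silently come from a public one. Referencing images by full name in the container definitions (`docker.fontkeming.fail/NAME:TAG`, ideally pinned by digest) removes the dependence on search order. This `virtualisation.containers` setting appears to feed the registries configuration used by Podman-family tools, so with `virtualisation.oci-containers.backend = "docker"` it may not be consulted at all, which is worth confirming. A comment next to `auth.htpasswd` stating that the file must be readable by the `docker-registry` user only would record the intent described in the prose.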
|
|
@ -1,5 +1,6 @@
|
|||
:PROPERTIES:
|
||||
:ID: 20220101T190353.843667
|
||||
:ROAM_ALIASES: Wobservability
|
||||
:END:
|
||||
#+title: Wobserver Observability
|
||||
#+filetags: :Project:Wobserver:Development:
|
||||
|
@ -28,17 +29,48 @@ I need to set up alerts and dashboards for the most common operations, and I'd l
|
|||
#+begin_src nix :tangle ~/arroyo-nix/nixos/wobservability.nix
|
||||
{ pkgs, config, ... }:
|
||||
|
||||
with pkgs.lib;
|
||||
|
||||
let mkStaticScrape =
|
||||
(name: cfg:
|
||||
let addr =
|
||||
if hasAttr "listenAddr" cfg then
|
||||
cfg.listenAddr
|
||||
else
|
||||
"localhost";
|
||||
in
|
||||
{
|
||||
job_name = name;
|
||||
static_configs = [
|
||||
{ targets = ["${addr}:${toString cfg.port}"]; }
|
||||
];
|
||||
}
|
||||
);
|
||||
in
|
||||
rec {
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
retentionTime = "60d";
|
||||
# scrapConfigs = [];
|
||||
webExternalUrl = "https://home.rix.si/prom";
|
||||
listenAddress = "127.0.0.1";
|
||||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
};
|
||||
};
|
||||
scrapeConfigs = [
|
||||
(mkStaticScrape "node" config.services.prometheus.exporters.node)
|
||||
(mkStaticScrape "process" config.services.prometheus.exporters.process)
|
||||
(mkStaticScrape "smartctl" config.services.prometheus.exporters.smartctl)
|
||||
(mkStaticScrape "postgres" config.services.prometheus.exporters.postgres)
|
||||
(mkStaticScrape "zfs" config.services.prometheus.exporters.zfs)
|
||||
{
|
||||
job_name = "octopi";
|
||||
metrics_path = "/plugin/prometheus_exporter/metrics";
|
||||
params.apikey = ["27816EF9BA5C43749A022573B0862C71"];
|
||||
static_configs = [{ targets = ["octopi:80"]; }];
|
||||
}
|
||||
{
|
||||
job_name = "arcology";
|
||||
static_configs = [{ targets = ["localhost:8000"]; }];
|
||||
}
|
||||
# gitea
|
||||
];
|
||||
};
|
||||
|
||||
# services.prometheus.exporters.pihole = {};
|
||||
|
@ -46,6 +78,11 @@ rec {
|
|||
# services.prometheus.exporters.nginxlog = {};
|
||||
# services.prometheus.exporters.unifi = {};
|
||||
|
||||
services.prometheus.exporters.node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
};
|
||||
|
||||
services.prometheus.exporters.process = {
|
||||
enable = true;
|
||||
settings.process_names = [
|
||||
|
@ -54,6 +91,10 @@ rec {
|
|||
name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
|
||||
cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
|
||||
}
|
||||
{
|
||||
name = "{{.Matches.Command}}: {{ .Matches.Specialization }}";
|
||||
cmdline = [ "(?P<Command>[a-zA-Z0-9\-_+]+): (?P<Specialization>.*)" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -84,6 +125,7 @@ rec {
|
|||
http_addr = "127.0.0.1";
|
||||
http_port = 3000;
|
||||
root_url = "https://home.rix.si/grafana";
|
||||
serve_from_sub_path = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -105,11 +147,15 @@ rec {
|
|||
|
||||
services.nginx.virtualHosts."home.rix.si" = {
|
||||
locations."/prom" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
|
||||
proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
|
||||
extraConfig = ''
|
||||
auth_basic "closed site";
|
||||
auth_basic_user_file /etc/nginx-htpasswd;
|
||||
'';
|
||||
};
|
||||
|
||||
locations."/grafana" = {
|
||||
proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
|
||||
proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/grafana";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
'';
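Review bot: The `octopi` scrape job in the `@ -28,17 +29,48 @@` hunk hard-codes the OctoPrint API key in `params.apikey`, so the key is committed to this repository, copied into the world-readable Nix store, and sent as a URL query parameter over plain HTTP to `octopi:80`. The key should be treated as exposed and rotated, and the replacement kept out of the config. If the exporter plugin accepts a bearer token, Prometheus can read it from a file outside the store via `bearer_token_file`; I have not confirmed the plugin supports that, so check before switching. Also, `exporters.node` is now defined twice (inside `services.prometheus.exporters` in this hunk and again in the `@ -46,6 +78,11 @@` hunk); the values agree so they merge, but one definition is enough.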
|
||||
|
|