set up a docker registry on wobserver

akkoma.org

@@ -0,0 +1,256 @@
+:PROPERTIES:
+:ID:       20221202T122017.620403
+:ROAM_REFS: https://akkoma.dev/AkkomaGang/akkoma https://akkoma.social/
+:END:
+#+TITLE: Self-Hosting on the Fediverse with (Pleroma for now, eventually) Akkoma
+#+FILETAGS: :Akkoma Social:
+#+ARCOLOGY_KEY: cce/akkoma
+
+Akkoma is a [[id:62538db5-d94a-47c3-9998-086ded91fd88][Fediverse]]/[[id:activitypub][ActivityPub]] server forked from [[roam:Pleroma]] written in [[id:cce/elixir][Elixir]], supporting the [[id:339daa8c-cc01-4654-aa89-330a4e62aafa][Mastodon Server]] API. This is a light-weight thing and I intend to self-publish to the Fediverse with an instance running on [[id:20211120T220054.226284][The Wobserver]].
+
+* [[https://github.com/NixOS/nixpkgs/pull/192285][akkoma: init at 3.4.0 by illdefined · Pull Request #192285 · NixOS/nixpkgs]] 
+:PROPERTIES:
+:ROAM_REF: [[https://github.com/NixOS/nixpkgs/pull/192285]]
+:ID:       20221202T122230.525913
+:END:
+[2022-12-02 Fri 12:22]
+
+* +Akkoma+ Pleroma on [[id:c75d20e6-8888-4c5a-ac97-5997e2f1c711][NixOS]]
+:PROPERTIES:
+:ID:       20221202T122135.502628
+:END:
+:LOGBOOK:
+CLOCK: [2022-12-02 Fri 12:22]--[2022-12-02 Fri 16:24] =>  4:02
+:END:
+
+Akkoma is properly on its way to being integrated with NixOS through [[id:c75d20e6-8888-4c5a-ac97-5997e2f1c711][nixpkgs]] in [[id:20221202T122230.525913][nixpkgs PR #192285]], but until then I will run pleroma after trying to get Akkoma to run in docker containers.
+
+The [[https://docs.akkoma.dev/stable/installation/docker_en/][Docker installation]] instructions for Akkoma are built around [[roam:Docker Compose]] which is, fine, but I want to use my system [[id:cce/wobserver/postgres][PostgreSQL]] instead of one hidden in the Compose image so we'll have to do Some Work ourselves. I'll have to set up [[id:20221202T124113.404212][Docker on the Wobserver]] first...
+
+This sucks though, i'll just wait for that nixos module and run Pleroma in the meantime. In theory it'll be easy enough to [[https://docs.akkoma.dev/stable/installation/migrating_to_akkoma/][migrate to akkoma]]...
+
+It's not super complicated but we'll break it up in to multiple imports so that I can explain what is going on a bit:
+
+#+ARROYO_NIXOS_ROLE: server
+#+ARROYO_NIXOS_MODULE: nixos/akkoma.nix
+#+AUTO_TANGLE: t
+
+#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma.nix :noweb yes
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./akkoma-users.nix
+    ./akkoma-statics.nix
+    ./akkoma-frontends.nix
+    ./akkoma-wobservability.nix
+  ];
+
+  services.postgresql.ensureDatabases = ["akkoma"];
+  # have to run psql for migrations to pass:
+  # ALTER DATABASE akkoma OWNER TO akkoma;
+  services.postgresql.ensureUsers = [
+    {
+      name = "akkoma";
+      ensurePermissions = {
+        "DATABASE akkoma" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+
+  systemd.services.pleroma.path = with pkgs; [exiftool ffmpeg imagemagick];
+  services.pleroma = {
+    enable = true;
+
+    # don't feel like needing to chown later on...
+    group = "akkoma";
+    user = "akkoma";
+
+    configs = [
+      ''
+      <<initial-configuration>>
+      ''
+    ];
+    # manually populated
+    secretConfigFile = "/srv/akkoma/secrets.exs";
+  };
+}
+#+end_src
+
+** Initial =config.exs=
+
+This configuration tells Pleroma that it's fine to be configured in the =admin-fe= interface and provides some defaults from the configuration generator:
+
+#+begin_src elixir :noweb-ref initial-configuration
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+   url: [host: "notes.whatthefuck.computer", scheme: "https", port: 443],
+   http: [ip: {127, 0, 0, 1}, port: 4000]
+
+config :pleroma, :instance,
+  name: "Computers :(",
+  email: "fedi@whatthefuck.computer",
+  notify_email: "fedi@whatthefuck.computer",
+  limit: 5000,
+  registrations_open: false
+
+config :pleroma, :media_proxy,
+  enabled: false,
+  redirect_on_failure: true
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "/srv/akkoma/static"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "/srv/akkoma/uploads"
+
+# Enable Strict-Transport-Security once SSL is working:
+# config :pleroma, :http_security,
+#   sts: true
+
+config :pleroma, configurable_from_database: true
+
+config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.Dedupe]
+
+#+end_src
+
+** System Users
+
+I really would like to manage my uids and gids better, but alas.
+
+#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-users.nix
+{ config, pkgs, ... }:
+
+{
+  ids.uids.akkoma = 901;
+  ids.gids.akkoma = 901;
+
+  users.groups.akkoma = {
+    gid = config.ids.gids.akkoma;
+  };
+
+  users.users.akkoma = {
+    group = "akkoma";
+    uid = config.ids.uids.akkoma;
+    shell = "${pkgs.bash}/bin/bash";
+    isSystemUser = true;
+    # ugh... services.pleroma.stateDir is readonly
+    home = "/var/lib/pleroma";
+    createHome = true;
+  };
+}
+#+end_src
+
+** Static Files
+
+I could just splat this on to the filesystem but no harm in having it in the Nix store:
+
+#+begin_src html :noweb-ref tos
+<p>
+  Now look; this is a single-user
+  instance. <a href="https://notes.whatthefuck.computer/rrix">rrix</a>
+  posts inane bullshit here. Look at their profile if you care about
+  what is going on here.
+</p>
+
+<p>
+  This is a Pleroma instance. Not because I want it to be but because
+  Akkoma isn't natively packaged in NixOS yet.
+</p>
+
+<p>
+  <ul>
+  <li>I'm not a fascist.</li>
+  <li>I'm not a cop.</li>
+  <li>I'm not a narc.</li>
+  <li>I'm not a racist.</li>
+  <li>I'm not a transphobe.</li>
+  <li>I'm not gonna put up with bullshit.</li>
+  <li>I'm just a little computer goblin who wants to self-host.</li>
+  </ul>
+</p>
+
+<p>
+  If you care about the privacy policy if this instance, don't
+  federate with it. rrix is a consummate privacy professional, but
+  they're also just one person. I have no intention to do anything
+  untoward with posts federated to my instance, nor engage in
+  non-standard behavior on the fediverse. At the same time, I'm likely
+  not going to be able to go up against government requests for data
+  stored on this instace. As of [2022-12-04] this instance has not
+  been compelled to give data to any government or law enforcement
+  agency and has not done so voluntarily. I'm just one homie hanging
+  out making posts with my friends and trying to make new ones, and
+  you're here reading this. What's up?
+</p>
+
+#+end_src
+
+#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-statics.nix :noweb yes
+{ config, pkgs, ... }:
+
+{
+  system.activationScripts = let
+    tos = pkgs.writeTextFile {
+      name="pleroma-terms-of-service";
+      text = ''
+        <<tos>>
+      '';
+    };
+  in {
+    install-pleroma-tos.text = ''
+      export DEST_DIR=/srv/akkoma/static/
+      mkdir -p $DEST_DIR
+      ln -sf ${tos} $DEST_DIR/terms-of-service.html
+    '';
+  };
+}
+#+end_src
+
+** Nginx Frontend for Akkoma
+
+Nothing special here -- I have it split in to two blocks here because one of my old iterations of [[id:1d917282-ecf4-4d4c-ba49-628cbb4bb8cc][The Arcology Project]] used this domain to host short-form [[id:fa6cee69-dca0-45f5-ae9e-b71cad3702a6][IndieWeb]]/microformat notes. The old files still exist and can be resolved in the =try_files= block, and any failures will proxy through to the app backend. I also adjust the max body size for image uploads, etc. I might replace that with S3 in the future but for now the images can just go on to the file system.
+
+#+begin_src nix :tangle ~/arroyo-nix/nixos/akkoma-frontends.nix
+{ ... }:
+
+{
+  services.nginx.virtualHosts."notes.whatthefuck.computer" = {
+    extraConfig = ''
+      client_max_body_size 100M;
+    '';
+    locations."/".extraConfig = ''
+      try_files $uri @proxy;
+    '';
+    locations."@proxy" = {
+      proxyPass = "http://127.0.0.1:4000";
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+      '';
+    };
+  };
+}
+#+end_src
+
+** [[id:20220101T190353.843667][Wobservability]]
+
+I would like to have some usage metrics emitted, this is just service-level stuff:
+
+Enable =Pleroma.Web.Endpoint.MetricsExporter= in settings.
+
+#+begin_src  nix :tangle ~/arroyo-nix/nixos/akkoma-wobservability.nix
+{ ... }:
+
+{
+  services.prometheus.scrapeConfigs = [
+    {
+      job_name = "akkoma";
+      metrics_path = "/api/pleroma/app_metrics";
+      static_configs = [{ targets = [ "127.0.0.1:4000" ]; }];
+    }
+  ];
+}
+#+end_src

applications_i_use.org

@@ -17,7 +17,8 @@
 #+begin_src nix :tangle ~/arroyo-nix/hm/applications.nix :noweb yes
 { config, pkgs, ... }:
 
-let mkNixGLWrapper = pkgs.lib.mkNixGLWrapper;
+with pkgs;
+let mkNixGLWrapper = lib.mkNixGLWrapper;
 in 
 {
   programs.htop = {
@@ -41,16 +42,16 @@ in
     "x-scheme-handler/sgnl" = ["signal-desktop.desktop"];
   };
 
-  home.file.".config/autostart/cantata.desktop".source = "${pkgs.cantata}/share/applications/cantata.desktop";
-  home.file.".config/autostart/signal-desktop.desktop".source = "${pkgs.signal-desktop}/share/applications/signal-desktop.desktop";
-  home.file.".config/autostart/discord.desktop".source = "${pkgs.discord}/share/applications/discord.desktop";
-  home.file.".config/autostart/element-desktop.desktop".source = "${pkgs.element-desktop}/share/applications/element-desktop.desktop";
+  home.file.".config/autostart/cantata.desktop".source = "${cantata}/share/applications/cantata.desktop";
+  home.file.".config/autostart/signal-desktop.desktop".source = "${signal-desktop}/share/applications/signal-desktop.desktop";
+  home.file.".config/autostart/discord.desktop".source = "${discord}/share/applications/discord.desktop";
+  home.file.".config/autostart/element-desktop.desktop".source = "${element-desktop}/share/applications/element-desktop.desktop";
 
   home.packages = [
-    pkgs.ktorrent
+    ktorrent
     (mkNixGLWrapper {
       name = "calibre";
-      pkg = (pkgs.calibre.override { unrarSupport = true; });
+      pkg = (calibre.override { unrarSupport = true; });
     })
     (mkNixGLWrapper { name="gimp"; })
     (mkNixGLWrapper { name="obs-studio"; })
@@ -66,46 +67,46 @@ in
     (mkNixGLWrapper { name="signal-desktop"; })
     # (mkNixGLWrapper { name="tdesktop"; }) # telegram-desktop
 
-    pkgs.pavucontrol
+    pavucontrol
     (mkNixGLWrapper { name="vlc"; })
-    pkgs.youtube-dl
-    pkgs.transmission-remote-gtk
+    youtube-dl
+    transmission-remote-gtk
 
-    pkgs.cataclysm-dda
+    cataclysm-dda
     (mkNixGLWrapper { name="runelite"; })
 
-    pkgs.virt-manager
-    pkgs.libvirt
-    pkgs.zbar
+    virt-manager
+    libvirt
+    zbar
 
-    pkgs.plasma5Packages.qttools
+    plasma5Packages.qttools
 
-    pkgs.plasma5Packages.kontact
-    pkgs.plasma5Packages.kaccounts-integration
-    pkgs.plasma5Packages.akonadi
-    pkgs.plasma5Packages.akonadiconsole
-    pkgs.plasma5Packages.kdepim-runtime
-    pkgs.plasma5Packages.kdepim-addons
-    pkgs.okteta
+    plasma5Packages.kontact
+    plasma5Packages.kaccounts-integration
+    plasma5Packages.akonadi
+    plasma5Packages.akonadiconsole
+    plasma5Packages.kdepim-runtime
+    plasma5Packages.kdepim-addons
+    okteta
 
-    pkgs.plasma5Packages.kteatime
+    plasma5Packages.kteatime
 
     (mkNixGLWrapper { name="endless-sky"; })
-    pkgs.crawlTiles
+    crawlTiles
 
     (mkNixGLWrapper { name="zoom-us"; })
 
     (mkNixGLWrapper { name="stellarium"; })
-    pkgs.kstars
+    kstars
 
-    pkgs.heroku
+    heroku
 
-    pkgs.graphviz
+    graphviz
 
     # calibre de-drm plugin for kobo
-    # (pkgs.stdenv.mkDerivation {
+    # (stdenv.mkDerivation {
     #   name = "calibre_obok_dedrm";
-    #   src = pkgs.fetchFromGitHub {
+    #   src = fetchFromGitHub {
     #     # https://github.com/lalmeras/DeDRM_tools/blob/Python3/make_release.py
     #     owner = "lalmeras";
     #     repo = "DeDRM_tools";
@@ -114,14 +115,17 @@ in
     #   };
     #   installPhase = ''
     #       export SOURCE_DATE_EPOCH=315532800;
-    #       ${pkgs.python3}/bin/python3 make_release.py Python3
+    #       ${python3}/bin/python3 make_release.py Python3
     #     '';
     # })
-    pkgs.zip
-    pkgs.unzip
-    pkgs.bind.dnsutils
+  ] +++ [
+    zip
+    unzip
+    bind.dnsutils
 
-    pkgs.cmark-gfm
+    cmark-gfm
+
+    file
   ];
 }
 #+end_src

drawingbot-v3.org

@@ -0,0 +1,77 @@
+:PROPERTIES:
+:ID:       20221211T141924.762816
+:ROAM_REFS: https://drawingbotv3.ollielansdell.co.uk/ https://github.com/SonarSonic/DrawingBotV3/
+:END:
+#+TITLE: DrawingBot
+#+FILETAGS: :Software:CCE:
+
+#+begin_quote
+DrawingBotV3 is a software for converting images to line drawings for Plotters / Drawing Machines / 3D printers. It also serves as an application for visual artists to create stylised line drawings from images / video
+#+end_quote
+
+* DrawingBot V3 on NixOS
+
+#+ARROYO_HOME_MODULE: hm/drawingbot.nix
+#+ARROYO_NIXOS_ROLE: endpoint
+#+AUTO_TANGLE: t
+
+DrawingBot uses JavaFX and is distributed as a JAR, rpm, deb, windows... The Premium version is just shoved in to my [[id:cce/syncthing][Syncthing]] directory and is provided in an override in [[id:20221021T121120.541960][rixpkgs]]. It should work just fine with the free/libre version which is =lib.license.gplv3=, but I use the proprietary version.
+
+#+begin_src nix :tangle ~/arroyo-nix/pkgs/drawingbot.nix
+{ pkgs,
+  name ? "drawingbotv3-free",
+  ... }:
+
+with pkgs;
+stdenv.mkDerivation rec {
+  inherit name;
+  version = "1.5.0-beta";
+
+  src = fetchurl {
+    url = "https://github.com/SonarSonic/DrawingBotV3/releases/download/v${version}-free/DrawingBotV3-Free-${version}-all.jar";
+    sha256 = lib.fakeSha256;
+  };
+  nativeBuildInputs = [ wrapGAppsHook gtk3 ];
+
+  dontUnpack = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/java/
+    cp $src $out/share/java/${name}-${version}.jar
+
+    makeWrapper ${jre}/bin/java $out/bin/${name} \
+      ''${gappsWrapperArgs[@]} \
+      --add-flags "-jar $out/share/java/${name}-${version}.jar"
+
+    runHook postInstall
+  '';
+
+  desktopItems = [
+    (makeDesktopItem {
+      inherit name;
+      exec = name;
+      comment = "Software for converting images to line drawings for Plotters / Drawing Machines / 3D printers";
+      desktopName = "DrawingBot V3";
+      categories = [ "Graphics" ];
+    })
+  ];
+
+  meta = {
+    homepage = "https://github.com/SonarSonic/DrawingBotV3";
+    description = "DrawingBotV3 is a software for converting images to line drawings";
+    license = lib.licenses.gplv3;
+    maintainers = with lib.maintainers; [ rrix ];
+  };
+}
+
+#+end_src
+
+#+begin_src nix :tangle ~/arroyo-nix/hm/drawingbot.nix
+{ pkgs, ... }:
+
+{ 
+  home.packages =  [ pkgs.drawingbot-premium ];
+}
+#+end_src

gitea.org

@@ -0,0 +1,84 @@
+:PROPERTIES:
+:ID:       20221130T103851.207871
+:END:
+#+TITLE: Gitea on NixOS
+#+FILETAGS: :CCE:NixOS:Wobserver:
+
+#+ARROYO_NIXOS_MODULE: nixos/gitea.nix
+#+ARROYO_NIXOS_ROLE: server
+
+#+AUTO_TANGLE: t
+
+#+begin_src nix :tangle ~/arroyo-nix/nixos/gitea.nix
+{ config, ... }:
+
+let cfg = config.services.gitea;
+in {
+  services.postgresql.ensureDatabases = ["gitea"];
+  services.postgresql.ensureUsers = [
+    {
+      name = "gitea";
+      ensurePermissions = {
+        "DATABASE gitea" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  services.gitea = {
+    enable = true;
+    appName = "rrix's code with a cup of tea";
+    stateDir = "/srv/gitea";
+
+    domain = "code.rix.si";
+    rootUrl = "https://code.rix.si";
+
+    httpAddress = "127.0.0.1";
+    httpPort = 3009;
+
+    settings = {
+      server = {
+        DISABLE_REGISTRATION = true;
+        START_SSH_SERVER = true;
+        SSH_LISTEN_PORT = 2222;
+        SSH_PORT = 2222;
+        ENABLE_GZIP = true;
+        LANDING_PAGE = "explore";
+      };
+      ui.DEFAULT_THEME = "arc-green";
+      session.COOKIE_SECURE = true;
+      federation.ENABLED = true;
+      metrics.ENABLED = true;
+      packages.ENABLED = false;
+      picture.ENABLE_FEDERATED_AVATAR = true;
+      time.DEFAULT_UI_LOCATION = config.time.timeZone;
+    };
+
+    database = {
+      socket = "/run/postgresql/";
+      type = "postgres";
+    };
+  };
+
+  services.prometheus.scrapeConfigs = [
+    {
+      job_name = "gitea";
+      static_configs = [{ targets = ["${cfg.httpAddress}:${toString cfg.httpPort}"]; }];
+    }
+  ];
+
+  services.nginx.virtualHosts."code.rix.si" = {
+    locations."/" = {
+      proxyPass = "http://${cfg.httpAddress}:${toString cfg.httpPort}";
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+      '';
+    };
+  };
+}
+#+end_src

nginx.org

@@ -160,10 +160,14 @@ I use [[https://letsencrypt.org/][Lets Encrypt]] for my DNS, I really like 'em.
 
 ** NEXT move afd.fontkeming.fail vhost to [[id:d7d936ab-781c-4e04-88bb-af65b23c6c43][Area Forecast Discussion]]
 
-** INPROGRESS plumb these through on fontkeming
+** DONE plumb these through on fontkeming
 :LOGBOOK:
+- State "DONE"       from "INPROGRESS" [2022-12-20 Tue 10:29]
 - State "INPROGRESS" from "NEXT"       [2022-11-12 Sat 21:19]
 :END:
+
+need to finish up [[id:20220101T190353.843667][Wobserver Observability]] to migrate =home.rix.si=
+
 * INPROGRESS virtualHosts
 :LOGBOOK:
 - State "INPROGRESS" from "NEXT"       [2022-11-12 Sat 20:01]

nixos.org

@@ -30,6 +30,16 @@ Nix is a [[id:a7420bb9-395f-4afa-92fb-8eaa0b8a4cd8][Tool]] for building [[id:0d9
                 (make-local-variable 'company-backends)
                 (add-to-list 'company-backends 'company-nixos-options))))
 (use-package nix-sandbox)
+
+(defun cce-find-nix-output-at-point ()
+  (interactive)
+  (->>
+   (nix-store-path-at-point)
+   (make-instance 'nix-store-path :path )
+   (nix-store-fill-data )
+   (nix-store-path-outputs )
+   (completing-read "Select an output" )
+   (find-file)))
 #+end_src
 
 #+begin_src yaml

wobserver-docker.org

@@ -0,0 +1,56 @@
+:PROPERTIES:
+:ID:       20221202T124113.404212
+:END:
+#+TITLE: Docker Containers on the Wobserver
+#+FILETAGS: :CCE:
+
+I don't really *want* to use [[roam:Docker]], but it's the most-supported way to get some services etc running on my server. This is kind of the Minimum Viable Docker...
+
+The =htpasswd= file was generated locally and then copied to the server so that it doesn't make it in to any =nix store=... It has to be done with =apacheHttpd='s =htpasswd= like so: =sudo -u docker-registry htpasswd -B /srv/docker-registry/htpasswd rrix=.
+
+#+ARROYO_NIXOS_MODULE: nixos/wobserver-docker.nix
+#+ARROYO_NIXOS_ROLE: server
+#+AUTO_TANGLE: t
+
+#+begin_src nix :tangle ~/arroyo-nix/nixos/wobserver-docker.nix
+{ config, ... }:
+
+let
+  cfg = config.services.dockerRegistry;
+in{
+  virtualisation.containers = {
+    registries.search = ["docker.fontkeming.fail" "docker.io"];
+    storage.settings = {
+      storage.driver = "zfs";
+    };
+  };
+  virtualisation.oci-containers.backend = "docker";
+
+  services.dockerRegistry = {
+    enable = true;
+    enableGarbageCollect = true;
+    storagePath = "/srv/docker-registry/";
+    extraConfig = {
+      auth.htpasswd = {
+        realm = "basic-realm";
+        path = "/srv/docker-registry/htpasswd";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."docker.fontkeming.fail" = {
+    locations."/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
+    locations."/".extraConfig = ''
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https; # workaround for double-proxying https://github.com/distribution/distribution/issues/2862 ???
+      proxy_set_header X-Forwarded-Host $http_host;
+    '';
+    extraConfig = ''
+      client_max_body_size 1G;
+    '';
+  };
+}
+#+end_src
+
+There's a question of whether to set =virtualisation.oci-containers.backend= to docker or use Podman -- I'm tempted to just leave this until I don't need to.

wobserver-observability.org

@@ -1,5 +1,6 @@
 :PROPERTIES:
 :ID:       20220101T190353.843667
+:ROAM_ALIASES: Wobservability
 :END:
 #+title: Wobserver Observability
 #+filetags: :Project:Wobserver:Development:
@@ -28,17 +29,48 @@ I need to set up alerts and dashboards for the most common operations, and I'd l
 #+begin_src nix :tangle ~/arroyo-nix/nixos/wobservability.nix
 { pkgs, config, ... }:
 
+with pkgs.lib;
+
+let mkStaticScrape =
+      (name: cfg:
+        let addr = 
+              if hasAttr "listenAddr" cfg then
+                cfg.listenAddr
+              else
+                "localhost";
+        in
+          {
+            job_name = name;
+            static_configs = [
+              { targets = ["${addr}:${toString cfg.port}"]; }
+            ];
+          }
+      );
+in
 rec {
   services.prometheus = {
+    enable = true;
     retentionTime = "60d";
-    # scrapConfigs = [];
+    webExternalUrl = "https://home.rix.si/prom";
     listenAddress = "127.0.0.1";
-    exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = [ "systemd" ];
-      };
-    };
+    scrapeConfigs = [
+      (mkStaticScrape "node" config.services.prometheus.exporters.node)
+      (mkStaticScrape "process" config.services.prometheus.exporters.process)
+      (mkStaticScrape "smartctl" config.services.prometheus.exporters.smartctl)
+      (mkStaticScrape "postgres" config.services.prometheus.exporters.postgres)
+      (mkStaticScrape "zfs" config.services.prometheus.exporters.zfs)
+      {
+        job_name = "octopi";
+        metrics_path = "/plugin/prometheus_exporter/metrics";
+        params.apikey = ["27816EF9BA5C43749A022573B0862C71"];
+        static_configs = [{ targets = ["octopi:80"]; }];
+      }
+      {
+        job_name = "arcology";
+        static_configs = [{ targets = ["localhost:8000"]; }];
+      }
+      # gitea
+    ];
   };
 
   # services.prometheus.exporters.pihole = {};
@@ -46,6 +78,11 @@ rec {
   # services.prometheus.exporters.nginxlog = {};
   # services.prometheus.exporters.unifi = {};
 
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [ "systemd" ];
+  };
+
   services.prometheus.exporters.process = {
     enable = true;
     settings.process_names = [
@@ -54,6 +91,10 @@ rec {
         name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
         cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
       }
+      {
+        name = "{{.Matches.Command}}: {{ .Matches.Specialization }}";
+        cmdline = [ "(?P<Command>[a-zA-Z0-9\-_+]+): (?P<Specialization>.*)" ];
+      }
     ];
   };
 
@@ -84,6 +125,7 @@ rec {
         http_addr = "127.0.0.1";
         http_port = 3000;
         root_url = "https://home.rix.si/grafana";
+        serve_from_sub_path = true;
       };
     };
   };
@@ -105,11 +147,15 @@ rec {
 
   services.nginx.virtualHosts."home.rix.si" = {
     locations."/prom" = {
-      proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
+      proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
+      extraConfig = ''
+        auth_basic           "closed site";
+        auth_basic_user_file /etc/nginx-htpasswd;
+      '';
     };
     
     locations."/grafana" = {
-      proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
+      proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/grafana";
       extraConfig = ''
         proxy_set_header Host $host;
       '';