authorSeth Flynn <[email protected]>2025-04-03 07:46:08 -0400
committerSeth Flynn <[email protected]>2025-04-03 07:51:45 -0400
commit8ec093da85fdd820ca96238145abc7cb132d5423 (patch)
tree58756bacf95703e638add8177e4246ef9c16a7a0 /modules/nixos
parentdb76d5cde3efa16cf49a6a80a55ce4c37dcd96aa (diff)
atlas: stop hosting victorialogs/victoriametrics & grafana
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/custom/default.nix1
-rw-r--r--modules/nixos/custom/victorialogs.nix129
-rw-r--r--modules/nixos/mixins/default.nix3
-rw-r--r--modules/nixos/mixins/grafana.nix82
-rw-r--r--modules/nixos/mixins/journal-upload.nix7
-rw-r--r--modules/nixos/mixins/node-exporter.nix11
6 files changed, 0 insertions, 233 deletions
diff --git a/modules/nixos/custom/default.nix b/modules/nixos/custom/default.nix
index 1009cee..e2224d3 100644
--- a/modules/nixos/custom/default.nix
+++ b/modules/nixos/custom/default.nix
@@ -6,6 +6,5 @@
./nvk.nix
./remote-builders.nix
./systemd-discord-notifier.nix
- ./victorialogs.nix
];
}
diff --git a/modules/nixos/custom/victorialogs.nix b/modules/nixos/custom/victorialogs.nix
deleted file mode 100644
index ab6be3a..0000000
--- a/modules/nixos/custom/victorialogs.nix
+++ /dev/null
@@ -1,129 +0,0 @@
-# From https://github.com/NixOS/nixpkgs/pull/376834
-{
- config,
- pkgs,
- lib,
- ...
-}:
-
-let
- inherit (lib)
- getBin
- hasPrefix
- literalExpression
- mkBefore
- mkEnableOption
- mkIf
- mkOption
- mkPackageOption
- optionalString
- types
- ;
-
- cfg = config.borealis.victorialogs;
-
- startCLIList = [
- "${cfg.package}/bin/victoria-logs"
- "-storageDataPath=/var/lib/${cfg.stateDir}"
- "-httpListenAddr=${cfg.listenAddress}"
- ] ++ cfg.extraOptions;
-in
-
-{
- options.borealis.victorialogs = {
- enable = mkEnableOption "VictoriaLogs is an open source user-friendly database for logs from VictoriaMetrics";
- package = mkPackageOption pkgs "victoriametrics" { };
- listenAddress = lib.mkOption {
- default = "127.0.0.1:9428";
- type = types.str;
- description = ''
- TCP address to listen for incoming http requests.
- '';
- };
- stateDir = mkOption {
- type = types.str;
- default = "victorialogs";
- description = ''
- Directory below `/var/lib` to store VictoriaLogs data.
- This directory will be created automatically using systemd's StateDirectory mechanism.
- '';
- };
- extraOptions = mkOption {
- type = types.listOf types.str;
- default = [ ];
- example = literalExpression ''
- [
- "-httpAuth.username=username"
- "-httpAuth.password=file:///abs/path/to/file"
- "-loggerLevel=WARN"
- ]
- '';
- description = ''
- Extra options to pass to VictoriaLogs. See {command}`victoria-logs -help` for
- possible options.
- '';
- };
- };
- config = mkIf cfg.enable {
- systemd.services.victorialogs = {
- description = "VictoriaLogs logs database";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- startLimitBurst = 5;
-
- serviceConfig = {
- ExecStart = lib.escapeShellArgs startCLIList;
- DynamicUser = true;
- RestartSec = 1;
- Restart = "on-failure";
- RuntimeDirectory = "victorialogs";
- RuntimeDirectoryMode = "0700";
- StateDirectory = cfg.stateDir;
- StateDirectoryMode = "0700";
-
- # Hardening
- DeviceAllow = [ "/dev/null rw" ];
- DevicePolicy = "strict";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "full";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- };
-
- postStart =
- let
- bindAddr = (optionalString (hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
- in
- mkBefore ''
- until ${getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddr}/ping; do
- sleep 1;
- done
- '';
- };
- };
-}
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 70f0fad..2adc5bb 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -6,16 +6,13 @@
./catppuccin.nix
./forgejo.nix
./gnome.nix
- ./grafana.nix
./hedgedoc.nix
./home-manager.nix
- ./journal-upload.nix
./kanidm.nix
./lanzaboote.nix
./miniflux.nix
./nginx.nix
./niri.nix
- ./node-exporter.nix
./nvidia.nix
./pipewire.nix
./plasma.nix
diff --git a/modules/nixos/mixins/grafana.nix b/modules/nixos/mixins/grafana.nix
deleted file mode 100644
index 03f2c6a..0000000
--- a/modules/nixos/mixins/grafana.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}:
-
-let
- grafanaCfg = config.services.grafana;
-in
-
-{
- config = lib.mkMerge [
- {
- services.grafana = {
- settings = {
- analytics = {
- feedback_links_enabled = false;
- reporting_enabled = false;
- };
-
- server = {
- http_port = 6000;
-
- domain = lib.mkDefault ("grafana." + config.networking.domain);
- enable_gzip = true;
- enforce_domain = true;
- root_url = "https://" + grafanaCfg.settings.server.domain + "/";
- };
- };
- };
- }
-
- (lib.mkIf grafanaCfg.enable {
- services = {
- nginx.virtualHosts.${grafanaCfg.settings.server.domain} = {
- locations."/" = {
- proxyPass = "http://${grafanaCfg.settings.server.http_addr}:${toString grafanaCfg.settings.server.http_port}";
- proxyWebsockets = true;
- };
- };
- };
- })
-
- (lib.mkIf config.services.kanidm.enableServer {
- services.grafana = {
- settings = {
- "auth.basic".enabled = false;
-
- "auth.generic_oauth" = {
- enabled = true;
-
- name = "Kanidm";
- client_id = "grafana";
- client_secret = "$__file{${config.age.secrets.grafanaKanidm.path}}";
- scopes = "openid,profile,email,groups";
- auth_url = config.services.kanidm.serverSettings.origin + "/ui/oauth2";
- token_url = config.services.kanidm.serverSettings.origin + "/oauth2/token";
- api_url = config.services.kanidm.serverSettings.origin + "/oauth2/openid/grafana/userinfo";
- use_pkce = true;
- use_refresh_token = true;
-
- allow_assign_grafana_admin = true;
- allow_sign_up = true;
- auto_login = true;
- groups_attribute_path = "groups";
- login_attribute_path = "preferred_username";
- role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
- };
- };
- };
- })
-
- (lib.mkIf (grafanaCfg.enable && config.services.kanidm.enableServer) {
- age.secrets.grafanaKanidm = {
- file = secretsDir + "/grafanaKanidmSecret.age";
- owner = config.users.users.grafana.name;
- group = config.users.groups.grafana.name;
- };
- })
- ];
-}
diff --git a/modules/nixos/mixins/journal-upload.nix b/modules/nixos/mixins/journal-upload.nix
deleted file mode 100644
index 4d780c9..0000000
--- a/modules/nixos/mixins/journal-upload.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- services.journald.upload = {
- settings = {
- Upload.URL = "http://atlas:9428/insert/journald";
- };
- };
-}
diff --git a/modules/nixos/mixins/node-exporter.nix b/modules/nixos/mixins/node-exporter.nix
deleted file mode 100644
index 752ff1d..0000000
--- a/modules/nixos/mixins/node-exporter.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ lib, ... }:
-
-{
- services.prometheus.exporters.node = {
- openFirewall = lib.mkDefault true;
-
- enabledCollectors = [
- "systemd"
- ];
- };
-}