Diffstat (limited to 'parts/modules/nixos')
-rw-r--r--parts/modules/nixos/base/default.nix34
-rw-r--r--parts/modules/nixos/base/documentation.nix21
-rw-r--r--parts/modules/nixos/base/locale.nix18
-rw-r--r--parts/modules/nixos/base/network.nix26
-rw-r--r--parts/modules/nixos/base/nix.nix24
-rw-r--r--parts/modules/nixos/base/packages.nix15
-rw-r--r--parts/modules/nixos/base/root.nix26
-rw-r--r--parts/modules/nixos/base/security.nix27
-rw-r--r--parts/modules/nixos/base/systemd.nix7
-rw-r--r--parts/modules/nixos/base/upgrade-diff.nix12
-rw-r--r--parts/modules/nixos/default.nix7
-rw-r--r--parts/modules/nixos/desktop/audio.nix23
-rw-r--r--parts/modules/nixos/desktop/budgie/default.nix58
-rw-r--r--parts/modules/nixos/desktop/default.nix41
-rw-r--r--parts/modules/nixos/desktop/fonts.nix37
-rw-r--r--parts/modules/nixos/desktop/gnome/default.nix38
-rw-r--r--parts/modules/nixos/desktop/plasma/default.nix31
-rw-r--r--parts/modules/nixos/features/tailscale.nix67
-rw-r--r--parts/modules/nixos/features/virtualisation.nix21
-rw-r--r--parts/modules/nixos/hardware/default.nix19
-rw-r--r--parts/modules/nixos/hardware/nvidia.nix36
-rw-r--r--parts/modules/nixos/hardware/ssd.nix15
-rw-r--r--parts/modules/nixos/server/acme.nix26
-rw-r--r--parts/modules/nixos/server/default.nix47
-rw-r--r--parts/modules/nixos/server/secrets.nix25
-rw-r--r--parts/modules/nixos/server/services/cloudflared.nix41
-rw-r--r--parts/modules/nixos/server/services/default.nix7
-rw-r--r--parts/modules/nixos/server/services/hercules.nix57
-rw-r--r--parts/modules/nixos/server/services/promtail.nix47
29 files changed, 853 insertions, 0 deletions
diff --git a/parts/modules/nixos/base/default.nix b/parts/modules/nixos/base/default.nix
new file mode 100644
index 0000000..ed0fb23
--- /dev/null
+++ b/parts/modules/nixos/base/default.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+in {
+ options.base.enable = mkEnableOption "base nixos module";
+
+ imports = [
+ ../../shared
+ ./documentation.nix
+ ./locale.nix
+ ./network.nix
+ ./nix.nix
+ ./packages.nix
+ ./root.nix
+ ./security.nix
+ ./systemd.nix
+ ./upgrade-diff.nix
+ ];
+
+ config = mkIf cfg.enable {
+ base = {
+ defaultPackages.enable = mkDefault true;
+ defaultLocale.enable = mkDefault true;
+ defaultRoot.enable = mkDefault true;
+ documentation.enable = mkDefault true;
+ networking.enable = mkDefault true;
+ nix-settings.enable = mkDefault true;
+ };
+ };
+}
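Review bot: The `config` block sets `base.defaultPackages.enable`, `base.defaultLocale.enable`, `base.documentation.enable` and `base.nix-settings.enable`, but none of the imported files in this diff declares those options — packages.nix, locale.nix, documentation.nix and nix.nix only read `cfg.enable`. Unless `../../shared` declares them, evaluation fails with an undefined-option error as soon as `base.enable` is set. Declaring each option next to its consumer, as network.nix and root.nix already do with `options.base.networking.enable = mkEnableOption "networking";`, keeps every module self-contained and removes the hidden dependency on the shared directory.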
diff --git a/parts/modules/nixos/base/documentation.nix b/parts/modules/nixos/base/documentation.nix
new file mode 100644
index 0000000..68a194f
--- /dev/null
+++ b/parts/modules/nixos/base/documentation.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.base.documentation;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+ documentation = {
+ man = {
+ generateCaches = true;
+ man-db.enable = true;
+ };
+
+ dev.enable = true;
+ };
+ };
+}
diff --git a/parts/modules/nixos/base/locale.nix b/parts/modules/nixos/base/locale.nix
new file mode 100644
index 0000000..7259ef2
--- /dev/null
+++ b/parts/modules/nixos/base/locale.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultLocale;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+
+ defaultLocale = "en_US.UTF-8";
+ };
+ };
+}
diff --git a/parts/modules/nixos/base/network.nix b/parts/modules/nixos/base/network.nix
new file mode 100644
index 0000000..5bc90d1
--- /dev/null
+++ b/parts/modules/nixos/base/network.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.networking;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.base.networking.enable = mkEnableOption "networking";
+
+ config = mkIf cfg.enable {
+ networking.networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ };
+ services.resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "allow-downgrade";
+ extraConfig = ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+ };
+}
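Review bot: `DNS=1.1.1.1 1.0.0.1` together with `DNSOverTLS=yes` names the upstreams by address only, so resolved has no hostname for SNI and certificate matching and must rely on whatever IP-based validation the running version does; adding the name hint, `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com`, gives it an explicit verification target and is the documented form for strict DoT. `dnssec = "allow-downgrade"` deserves a comment: validation is silently dropped whenever the upstream appears not to support DNSSEC, which an on-path attacker can provoke, so it is best-effort rather than a guarantee. Note also that `DNSOverTLS=yes` is strict and applies to the per-link servers NetworkManager learns from DHCP; on a network whose resolver does not speak DoT, lookups fail rather than downgrade, which may be intended but should be stated in a comment.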
diff --git a/parts/modules/nixos/base/nix.nix b/parts/modules/nixos/base/nix.nix
new file mode 100644
index 0000000..3dcac11
--- /dev/null
+++ b/parts/modules/nixos/base/nix.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ inherit (builtins) attrNames map;
+ inherit (lib) mkDefault mkIf;
+ cfg = config.base.nix-settings;
+
+ channelPath = i: "/etc/nix/channels/${i}";
+
+ mapInputs = fn: map fn (attrNames inputs);
+in {
+ config = mkIf cfg.enable {
+ nix = {
+ nixPath = mapInputs (i: "${i}=${channelPath i}");
+ gc.dates = mkDefault "weekly";
+ };
+
+ systemd.tmpfiles.rules =
+ mapInputs (i: "L+ ${channelPath i} - - - - ${inputs.${i}.outPath}");
+ };
+}
diff --git a/parts/modules/nixos/base/packages.nix b/parts/modules/nixos/base/packages.nix
new file mode 100644
index 0000000..7390a40
--- /dev/null
+++ b/parts/modules/nixos/base/packages.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultPackages;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+ };
+}
diff --git a/parts/modules/nixos/base/root.nix b/parts/modules/nixos/base/root.nix
new file mode 100644
index 0000000..ecc5203
--- /dev/null
+++ b/parts/modules/nixos/base/root.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultRoot;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+
+ # yes this is a bad way to detect which option should be used (or exists)
+ # but i'm lazy. please do not copy this
+ passwordFile =
+ if lib.versionAtLeast config.system.stateVersion "23.11"
+ then "hashedPasswordFile"
+ else "passwordFile";
+in {
+ options.base.defaultRoot.enable = mkEnableOption "default root user";
+
+ config = mkIf cfg.enable {
+ users.users.root = {
+ home = mkDefault "/root";
+ uid = mkDefault config.ids.uids.root;
+ group = mkDefault "root";
+ "${passwordFile}" = mkDefault config.age.secrets.rootPassword.path;
+ };
+ };
+}
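Review bot: The `passwordFile` selector keys on `config.system.stateVersion`, but whether `users.users.<name>.hashedPasswordFile` exists depends on the nixpkgs revision being evaluated, not on the host's stateVersion — a host that keeps an older stateVersion on a current nixpkgs is steered to the old name (which only works while the renamed alias survives), and a newer stateVersion on an older nixpkgs fails to evaluate. The comment already admits this; the robust check takes `options` as a module argument and probes the declared sub-options: `passwordFile = if (options.users.users.type.getSubOptions []) ? hashedPasswordFile then "hashedPasswordFile" else "passwordFile";`. Separately, the block reads `config.age.secrets.rootPassword.path` unconditionally while that secret is only declared in server/secrets.nix behind `server.secrets.enable`; since `base.defaultRoot.enable` defaults to true for every base host, a desktop host would fail to evaluate unless something outside this diff declares the secret.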
diff --git a/parts/modules/nixos/base/security.nix b/parts/modules/nixos/base/security.nix
new file mode 100644
index 0000000..e13d1c7
--- /dev/null
+++ b/parts/modules/nixos/base/security.nix
@@ -0,0 +1,27 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkDefault;
+in {
+ security = {
+ apparmor.enable = mkDefault true;
+ audit.enable = mkDefault true;
+ auditd.enable = mkDefault true;
+ polkit.enable = mkDefault true;
+ rtkit.enable = mkDefault true;
+ sudo.execWheelOnly = true;
+ };
+
+ services.dbus.apparmor = mkDefault "enabled";
+
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+ };
+
+ nix.settings = {
+ trusted-users = ["root" "@wheel"];
+ };
+}
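Review bot: `nix.settings.trusted-users = ["root" "@wheel"]` makes every wheel member root-equivalent through the Nix daemon — trusted users may relax sandboxing, add substituters and import unsigned paths per invocation — and it is set unconditionally, without the `mkDefault` the rest of this block uses, so a host cannot narrow it without `mkForce`. With `sudo.execWheelOnly` already treating wheel as the admin group this is internally consistent, but the daemon path skips sudo's password prompt and audit trail, so I would prefer `trusted-users = mkDefault ["root"];` here and an explicit `@wheel` grant only on hosts that need it. `audit.enable`/`auditd.enable` are turned on with no `security.audit.rules`, so little beyond what the kernel emits on its own is recorded; either add a rule set or comment that rules are expected per host. This is also the only file under base/ that applies on import rather than behind an enable option — a one-line header comment saying that is intentional would help.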
diff --git a/parts/modules/nixos/base/systemd.nix b/parts/modules/nixos/base/systemd.nix
new file mode 100644
index 0000000..2888c0b
--- /dev/null
+++ b/parts/modules/nixos/base/systemd.nix
@@ -0,0 +1,7 @@
+_: {
+ services = {
+ journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+ };
+}
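Review bot: `MaxRetentionSec=1w` caps the local journal at one week, which is a short window for incident investigation, and nothing in this module ships logs elsewhere — promtail is a separate, opt-in server service whose journal scrape reads at most `12h` back. If the week is a deliberate disk-space trade-off, a comment such as `# 1w: hosts needing longer history must enable server.services.promtail or raise this per host` would make the dependency explicit.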
diff --git a/parts/modules/nixos/base/upgrade-diff.nix b/parts/modules/nixos/base/upgrade-diff.nix
new file mode 100644
index 0000000..68be9af
--- /dev/null
+++ b/parts/modules/nixos/base/upgrade-diff.nix
@@ -0,0 +1,12 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+ text = ''
+ ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
+ '';
+ };
+}
diff --git a/parts/modules/nixos/default.nix b/parts/modules/nixos/default.nix
new file mode 100644
index 0000000..3ae2f08
--- /dev/null
+++ b/parts/modules/nixos/default.nix
@@ -0,0 +1,7 @@
+_: {
+ imports = [
+ ./base
+ ./desktop
+ ./hardware
+ ];
+}
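Review bot: This entry point imports `./base`, `./desktop` and `./hardware` but neither `./features` nor `./server`, so `features.tailscale`, `features.virtualisation` and the `server.*` options are not reachable from a host that only imports this file. If those are meant to be imported per host, a comment saying so would stop someone from adding them here later and double-importing; otherwise add `./features` and `./server` to the list (features/ also has no default.nix in this diff).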
diff --git a/parts/modules/nixos/desktop/audio.nix b/parts/modules/nixos/desktop/audio.nix
new file mode 100644
index 0000000..c601563
--- /dev/null
+++ b/parts/modules/nixos/desktop/audio.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.audio;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.desktop.audio.enable = mkEnableOption "audio support";
+
+ config = mkIf cfg.enable {
+ services = {
+ pipewire = {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ jack.enable = true;
+ pulse.enable = true;
+ };
+ };
+ hardware.pulseaudio.enable = false;
+ };
+}
diff --git a/parts/modules/nixos/desktop/budgie/default.nix b/parts/modules/nixos/desktop/budgie/default.nix
new file mode 100644
index 0000000..4605eb1
--- /dev/null
+++ b/parts/modules/nixos/desktop/budgie/default.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.budgie;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.desktop.budgie.enable = mkEnableOption "enable budgie";
+
+ config = mkIf cfg.enable {
+ desktop.enable = true;
+
+ services.xserver = {
+ displayManager.lightdm.greeters.slick = {
+ theme = {
+ name = "Materia-dark";
+ package = pkgs.materia-theme;
+ };
+ iconTheme = {
+ name = "Papirus-Dark";
+ package = pkgs.papirus-icon-theme;
+ };
+ cursorTheme = {
+ name = "Breeze-gtk";
+ package = pkgs.libsForQt5.breeze-gtk;
+ };
+ };
+
+ desktopManager.budgie = {
+ enable = true;
+ extraGSettingsOverrides = ''
+ [org.gnome.desktop.interface:Budgie]
+ gtk-theme="Materia-dark"
+ icon-theme="Papirus-Dark"
+ cursor-theme="Breeze-gtk"
+ font-name="Noto Sans 10"
+ document-font-name="Noto Sans 10"
+ monospace-font-name="Fira Code 10"
+ enable-hot-corners=true
+ '';
+ };
+ };
+
+ environment.budgie.excludePackages = with pkgs; [
+ qogir-theme
+ qogir-icon-theme
+ ];
+
+ environment.systemPackages = with pkgs; [
+ alacritty
+ breeze-gtk
+ materia-theme
+ papirus-icon-theme
+ ];
+ };
+}
diff --git a/parts/modules/nixos/desktop/default.nix b/parts/modules/nixos/desktop/default.nix
new file mode 100644
index 0000000..f0ab74c
--- /dev/null
+++ b/parts/modules/nixos/desktop/default.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+in {
+ imports = [
+ ./audio.nix
+ ./budgie
+ ./fonts.nix
+ ./gnome
+ ./plasma
+ ];
+
+ options.desktop.enable = mkEnableOption "desktop module";
+
+ config = mkIf cfg.enable {
+ base.enable = true;
+ desktop = {
+ audio.enable = mkDefault true;
+ fonts.enable = mkDefault true;
+ };
+
+ environment = {
+ noXlibs = lib.mkForce false;
+ systemPackages = with pkgs; [wl-clipboard xclip];
+ };
+
+ programs = {
+ dconf.enable = true;
+ firefox.enable = true;
+ xwayland.enable = true;
+ };
+
+ services.xserver.enable = true;
+ xdg.portal.enable = true;
+ };
+}
diff --git a/parts/modules/nixos/desktop/fonts.nix b/parts/modules/nixos/desktop/fonts.nix
new file mode 100644
index 0000000..feedf07
--- /dev/null
+++ b/parts/modules/nixos/desktop/fonts.nix
@@ -0,0 +1,37 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.fonts;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.desktop.fonts.enable = mkEnableOption "enable default fonts";
+
+ config = mkIf cfg.enable {
+ fonts = {
+ enableDefaultPackages = true;
+
+ packages = with pkgs; [
+ corefonts
+ fira-code
+ (nerdfonts.override {fonts = ["FiraCode"];})
+ noto-fonts
+ noto-fonts-extra
+ noto-fonts-emoji
+ noto-fonts-cjk-sans
+ ];
+
+ fontconfig = {
+ enable = true;
+ defaultFonts = {
+ serif = ["Noto Serif"];
+ sansSerif = ["Noto Sans"];
+ emoji = ["Noto Color Emoji"];
+ monospace = ["Fira Code"];
+ };
+ };
+ };
+ };
+}
diff --git a/parts/modules/nixos/desktop/gnome/default.nix b/parts/modules/nixos/desktop/gnome/default.nix
new file mode 100644
index 0000000..bfe3d20
--- /dev/null
+++ b/parts/modules/nixos/desktop/gnome/default.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.gnome;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.desktop.gnome.enable = mkEnableOption "enable gnome";
+
+ config = mkIf cfg.enable {
+ desktop.enable = true;
+
+ environment = {
+ gnome.excludePackages = with pkgs; [
+ gnome-tour
+ ];
+
+ sessionVariables = {
+ NIXOS_OZONE_WL = "1";
+ };
+
+ systemPackages = with pkgs; [
+ adw-gtk3
+ blackbox-terminal
+ ];
+ };
+
+ services.xserver = {
+ displayManager.gdm = {
+ enable = true;
+ wayland = lib.mkForce true;
+ };
+ desktopManager.gnome.enable = true;
+ };
+ };
+}
diff --git a/parts/modules/nixos/desktop/plasma/default.nix b/parts/modules/nixos/desktop/plasma/default.nix
new file mode 100644
index 0000000..2034802
--- /dev/null
+++ b/parts/modules/nixos/desktop/plasma/default.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop.plasma;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.desktop.plasma.enable = mkEnableOption "enable plasma";
+
+ config = mkIf cfg.enable {
+ desktop.enable = true;
+
+ environment = {
+ plasma5.excludePackages = with pkgs.libsForQt5; [
+ khelpcenter
+ plasma-browser-integration
+ print-manager
+ ];
+ };
+
+ services.xserver = {
+ displayManager.sddm.enable = true;
+ desktopManager.plasma5 = {
+ enable = true;
+ useQtScaling = true;
+ };
+ };
+ };
+}
diff --git a/parts/modules/nixos/features/tailscale.nix b/parts/modules/nixos/features/tailscale.nix
new file mode 100644
index 0000000..5a00110
--- /dev/null
+++ b/parts/modules/nixos/features/tailscale.nix
@@ -0,0 +1,67 @@
+{
+ config,
+ lib,
+ pkgs,
+ self,
+ ...
+}: let
+ cfg = config.features.tailscale;
+ inherit (lib) mkDefault mkEnableOption mkIf optionalAttrs;
+in {
+ options.features.tailscale = {
+ enable = mkEnableOption "enable support for tailscale";
+ ssh.enable = mkEnableOption "enable support for tailscale ssh";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets = let
+ baseDir = "${self}/parts/secrets/systems/${config.networking.hostName}";
+ in
+ mkIf cfg.ssh.enable {
+ tailscaleAuthKey.file = "${baseDir}/tailscaleAuthKey.age";
+ };
+
+ networking.firewall =
+ {
+ allowedUDPPorts = [config.services.tailscale.port];
+ trustedInterfaces = ["tailscale0"];
+ }
+ // optionalAttrs cfg.ssh.enable {
+ allowedTCPPorts = [22];
+ };
+
+ services = {
+ tailscale.enable = mkDefault true;
+ };
+
+ # https://tailscale.com/kb/1096/nixos-minecraft/
+ systemd.services = mkIf cfg.ssh.enable {
+ tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig.Type = "oneshot";
+
+ script = let
+ inherit (pkgs) tailscale jq;
+ in ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --ssh \
+ --auth-key "file:${config.age.secrets.tailscaleAuthKey.path}"
+ '';
+ };
+ };
+ };
+}
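Review bot: `allowedTCPPorts = [22]` under `cfg.ssh.enable` opens port 22 on every interface, but Tailscale SSH is, as far as I know, served by tailscaled over `tailscale0`, which the same block already lists in `trustedInterfaces`; the rule therefore adds nothing for Tailscale SSH and instead exposes any OpenSSH instance on the host to untrusted networks, so I would drop that line. In the autoconnect script `[ $status = "Running" ]` is unquoted, so an empty `status` (tailscaled not ready, jq failing) becomes a shell syntax error rather than a clean fall-through to `tailscale up`; write `if [ "$status" = "Running" ]; then`. A comment that `--ssh` only enables the server side, and that who may log in as which user is decided by the tailnet ACL's `ssh` section, would point readers at the actual access control; the key handed to `--auth-key` should likewise be documented as tagged/ephemeral or not, since a reusable key in the secret file is what a stolen host can replay.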
diff --git a/parts/modules/nixos/features/virtualisation.nix b/parts/modules/nixos/features/virtualisation.nix
new file mode 100644
index 0000000..206a98e
--- /dev/null
+++ b/parts/modules/nixos/features/virtualisation.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.features.virtualisation;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.features.virtualisation.enable = mkEnableOption "enable podman";
+
+ config.virtualisation = mkIf cfg.enable {
+ podman = {
+ enable = true;
+ enableNvidia = true;
+ extraPackages = with pkgs; [podman-compose];
+ autoPrune.enable = true;
+ };
+ oci-containers.backend = "podman";
+ };
+}
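Review bot: `enableNvidia = true` is unconditional, so every host enabling `features.virtualisation` pulls in the NVIDIA container hooks even without an NVIDIA GPU; tie it to the hardware module this repo already has with `enableNvidia = config.hardware.nvidia.enable;`. A brief note on why podman is chosen over docker, and that `oci-containers` services run as root by default as far as I can tell, would help the next reader judge what a container escape means here.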
diff --git a/parts/modules/nixos/hardware/default.nix b/parts/modules/nixos/hardware/default.nix
new file mode 100644
index 0000000..1217b5a
--- /dev/null
+++ b/parts/modules/nixos/hardware/default.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.hardware;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.hardware.enable = mkEnableOption "hardware module";
+
+ imports = [
+ ./ssd.nix
+ ./nvidia.nix
+ ];
+
+ config = mkIf cfg.enable {
+ hardware.enableAllFirmware = true;
+ };
+}
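Review bot: `options.hardware.enable` (and `hardware.ssd.enable`, `hardware.nvidia.enable` in the sibling files) are declared inside NixOS's own `hardware.*` namespace, next to upstream options such as `hardware.enableAllFirmware` and `hardware.nvidia.package` that this module set also uses. Custom options in an upstream namespace collide the moment nixpkgs declares the same name, and `hardware.nvidia.enable` in particular is a plausible future upstream option; a project prefix or at least a header comment acknowledging the risk would be prudent. `enableAllFirmware = true` also implies unfree firmware and hence `nixpkgs.config.allowUnfree`, which is not set anywhere in this diff — worth a comment pointing at where it is.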
diff --git a/parts/modules/nixos/hardware/nvidia.nix b/parts/modules/nixos/hardware/nvidia.nix
new file mode 100644
index 0000000..dd371f2
--- /dev/null
+++ b/parts/modules/nixos/hardware/nvidia.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.hardware.nvidia;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.hardware.nvidia.enable = mkEnableOption "enable nvidia support";
+
+ config = mkIf cfg.enable {
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "vdpau";
+ VDPAU_DRIVER = "nvidia";
+ };
+
+ hardware = {
+ enable = true;
+
+ nvidia = {
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ modesetting.enable = true;
+ };
+
+ opengl = {
+ enable = true;
+ # make steam work
+ driSupport32Bit = true;
+ extraPackages = [pkgs.vaapiVdpau];
+ };
+ };
+
+ services.xserver.videoDrivers = ["nvidia"];
+ };
+}
diff --git a/parts/modules/nixos/hardware/ssd.nix b/parts/modules/nixos/hardware/ssd.nix
new file mode 100644
index 0000000..2995d93
--- /dev/null
+++ b/parts/modules/nixos/hardware/ssd.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.hardware.ssd;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.hardware.ssd.enable = mkEnableOption "ssd settings";
+
+ config = mkIf cfg.enable {
+ hardware.enable = true;
+ services.fstrim.enable = true;
+ };
+}
diff --git a/parts/modules/nixos/server/acme.nix b/parts/modules/nixos/server/acme.nix
new file mode 100644
index 0000000..69e02ac
--- /dev/null
+++ b/parts/modules/nixos/server/acme.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ self,
+ ...
+}: let
+ cfg = config.server.acme;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.server.acme = {
+ enable = mkEnableOption "acme";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.cloudflareApiKey.file = "${self}/parts/secrets/systems/${config.networking.hostName}/cloudflareApiKey.age";
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "[email protected]";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+ };
+}
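Review bot: The secret is named `cloudflareApiKey`, which suggests the account-wide Global API Key; for lego's cloudflare provider a scoped API token (Zone:DNS:Edit on just the relevant zone) limits what a compromised host can do with the credential. A comment stating the expected env-file contents, e.g. `# credentialsFile: CLOUDFLARE_DNS_API_TOKEN=<zone-scoped token>`, would both document the format lego expects and steer people away from the global key.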
diff --git a/parts/modules/nixos/server/default.nix b/parts/modules/nixos/server/default.nix
new file mode 100644
index 0000000..acab4fc
--- /dev/null
+++ b/parts/modules/nixos/server/default.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ cfg = config.server;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+in {
+ options.server.enable = mkEnableOption "enable server configuration";
+
+ imports = [
+ ./acme.nix
+ ./secrets.nix
+ ./services
+ ];
+
+ config = mkIf cfg.enable {
+ _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
+
+ base = {
+ enable = true;
+ documentation.enable = false;
+ defaultPackages.enable = false;
+ networking.enable = false;
+ };
+
+ nix = {
+ gc = {
+ dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
+ options = "-d --delete-older-than 2d";
+ };
+
+ settings.allowed-users = [config.networking.hostName];
+ };
+
+ programs = {
+ git.enable = mkDefault true;
+ vim.defaultEditor = mkDefault true;
+ };
+
+ security = {
+ pam.enableSSHAgentAuth = mkDefault true;
+ };
+ };
+}
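Review bot: `security.pam.enableSSHAgentAuth = mkDefault true` lets sudo authenticate against a forwarded SSH agent instead of a password, so anyone who can reach the forwarded agent socket — including root on a compromised host you hop through — gets passwordless sudo here; it should carry a comment naming the authorized_keys source it trusts and a reminder to forward agents only to trusted hosts. `nix.settings.allowed-users = [config.networking.hostName]` presumably assumes a login user named after the host; if so say so, and note that trusted users (root and `@wheel` from base/security.nix) are always allowed regardless, so this only blocks other accounts. `_module.args.unstable` is populated from `inputs.nixpkgs.legacyPackages`, which is only unstable if that input tracks an unstable branch, and `legacyPackages` carries no `nixpkgs.config` or overlays — a comment would keep the name from being taken at face value.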
diff --git a/parts/modules/nixos/server/secrets.nix b/parts/modules/nixos/server/secrets.nix
new file mode 100644
index 0000000..2dc6083
--- /dev/null
+++ b/parts/modules/nixos/server/secrets.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ self,
+ ...
+}: let
+ cfg = config.server.secrets;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.server.secrets = {
+ enable = mkEnableOption "enable secret management";
+ };
+
+ config.age = let
+ baseDir = "${self}/parts/secrets/systems/${config.networking.hostName}";
+ in
+ mkIf cfg.enable {
+ identityPaths = ["/etc/age/key"];
+
+ secrets = {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ userPassword.file = "${baseDir}/userPassword.age";
+ };
+ };
+}
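Review bot: `identityPaths = ["/etc/age/key"]` makes a hand-provisioned file the decryption root for every secret on the host, but nothing here ensures it exists, is root-owned with mode 0400, or is kept out of backups; agenix's default of the host SSH key already has that lifecycle, so the deviation deserves a comment explaining why a separate identity is used and how it is provisioned. `rootPassword` is declared here behind `server.secrets.enable`, yet base/root.nix reads `config.age.secrets.rootPassword.path` for every base host, so a host with base enabled and this option off fails to evaluate unless another module declares that secret. `userPassword` is declared but not consumed anywhere in this diff.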
diff --git a/parts/modules/nixos/server/services/cloudflared.nix b/parts/modules/nixos/server/services/cloudflared.nix
new file mode 100644
index 0000000..2bf7907
--- /dev/null
+++ b/parts/modules/nixos/server/services/cloudflared.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ self,
+ ...
+}: let
+ cfg = config.server.services.cloudflared;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.server.services.cloudflared = {
+ enable = mkEnableOption "cloudflared";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.cloudflaredCreds = {
+ file = "${self}/parts/secrets/systems/${config.networking.hostName}/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" = {
+ default = "http_status:404";
+
+ ingress = let
+ inherit (config.services) nginx;
+ in
+ lib.genAttrs
+ (builtins.attrNames nginx.virtualHosts)
+ (_: {service = "http://localhost:${builtins.toString nginx.defaultHTTPListenPort}";});
+
+ originRequest.noTLSVerify = true;
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ };
+}
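Review bot: The ingress map publishes every `services.nginx.virtualHosts` name through the tunnel automatically, so any vhost added later — including one meant to stay LAN-only — becomes reachable from the Internet without an explicit opt-in; an explicit list option, or filtering on a per-vhost marker, would make exposure deliberate. `originRequest.noTLSVerify = true` has no effect while the origin is `http://localhost:…`, but it silently disables certificate checks the day someone switches the origin to https; drop it until it is needed. Since cloudflared forwards the public hostname to plain port 80, any vhost using `forceSSL` will answer with a redirect to https and loop through the tunnel; if that is the setup, target the HTTPS port instead.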
diff --git a/parts/modules/nixos/server/services/default.nix b/parts/modules/nixos/server/services/default.nix
new file mode 100644
index 0000000..23f2542
--- /dev/null
+++ b/parts/modules/nixos/server/services/default.nix
@@ -0,0 +1,7 @@
+_: {
+ imports = [
+ ./cloudflared.nix
+ ./hercules.nix
+ ./promtail.nix
+ ];
+}
diff --git a/parts/modules/nixos/server/services/hercules.nix b/parts/modules/nixos/server/services/hercules.nix
new file mode 100644
index 0000000..b11a133
--- /dev/null
+++ b/parts/modules/nixos/server/services/hercules.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ self,
+ unstable,
+ ...
+}: let
+ cfg = config.server.services.hercules-ci;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.server.services.hercules-ci = {
+ enable = mkEnableOption "enable hercules-ci";
+ secrets.enable = mkEnableOption "manage secrets for hercules-ci";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets = let
+ baseDir = "${self}/parts/secrets/systems/${config.networking.hostName}";
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+ in
+ mkIf cfg.secrets.enable {
+ binaryCache =
+ {
+ file = "${baseDir}/binaryCache.age";
+ }
+ // hercArgs;
+
+ clusterToken =
+ {
+ file = "${baseDir}/clusterToken.age";
+ }
+ // hercArgs;
+
+ secretsJson =
+ {
+ file = "${baseDir}/secretsJson.age";
+ }
+ // hercArgs;
+ };
+
+ services = {
+ hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ settings = {
+ binaryCachesPath = config.age.secrets.binaryCache.path;
+ clusterJoinTokenPath = config.age.secrets.clusterToken.path;
+ secretsJsonPath = config.age.secrets.secretsJson.path;
+ };
+ };
+ };
+ };
+}
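Review bot: `settings.binaryCachesPath`, `clusterJoinTokenPath` and `secretsJsonPath` reference `config.age.secrets.*.path` unconditionally, while those secrets are only declared under `cfg.secrets.enable`; enabling the agent with `secrets.enable = false` therefore fails to evaluate instead of letting the host supply its own paths. Either wrap the settings block in `mkIf cfg.secrets.enable` as well, or drop the second toggle. The three `{ file = …; } // hercArgs` blocks collapse to `lib.genAttrs ["binaryCache" "clusterToken" "secretsJson"] (n: hercArgs // { file = "${baseDir}/${n}.age"; })`, and a comment that the agent runs CI jobs with access to the cache signing key and `secrets.json` would help readers judge what the `hercules-ci-agent` user is trusted with.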
diff --git a/parts/modules/nixos/server/services/promtail.nix b/parts/modules/nixos/server/services/promtail.nix
new file mode 100644
index 0000000..63faf15
--- /dev/null
+++ b/parts/modules/nixos/server/services/promtail.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.services.promtail;
+ inherit (lib) mkEnableOption mkIf mkOption types;
+in {
+ options.server.services.promtail = {
+ enable = mkEnableOption "enable promtail";
+
+ clients = mkOption {
+ type = types.listOf types.attrs;
+ default = [{}];
+ description = "clients for promtail";
+ };
+ };
+
+ config.services.promtail = mkIf cfg.enable {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+}
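Review bot: `clients` is typed `listOf types.attrs` with default `[{}]`, which is an invalid promtail client (no `url`) and gives no merging or type checking; more importantly, anything a host puts there — including Loki `basic_auth` credentials — is rendered into the promtail config in `/nix/store`, which is world-readable. Document that credentials must go through `basic_auth.password_file` (or `bearer_token_file`) pointing at an age secret, and consider `default = []` with an assertion that at least one client is configured. `host = "${config.networking.hostName}"` can simply be `host = config.networking.hostName;`.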