diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix
index 842ce80..28057af 100644
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -17,6 +17,8 @@
 ./prometheus.nix
 ./qbittorrent.nix
 ./restic.nix
+ ./scrutiny.nix
+ ./security.nix
 ./sso.nix
 ./vaultwarden.nix
 ];
diff --git a/modules/homelab/glance.nix b/modules/homelab/glance.nix
index 2c7e1fa..c90651b 100644
--- a/modules/homelab/glance.nix
+++ b/modules/homelab/glance.nix
@@ -251,6 +251,18 @@ in {
 icon = "sh:zitadel";
 same-tab = true;
 }
+ {
+ title = "Scrutiny";
+ url = "https://scrutiny.nickolaj.com";
+ icon = "sh:scrutiny";
+ same-tab = true;
+ }
+ {
+ title = "Grafana";
+ url = "https://fireproof.grafana.net/a/grafana-setupguide-app/home";
+ icon = "si:grafana";
+ same-tab = true;
+ }
 ];
 }
 {
diff --git a/modules/homelab/nginx.nix b/modules/homelab/nginx.nix
index e930b27..ad8e319 100644
--- a/modules/homelab/nginx.nix
+++ b/modules/homelab/nginx.nix
@@ -13,6 +13,19 @@ lib.mkIf config.fireproof.homelab.enable {
 recommendedProxySettings = true;
 recommendedGzipSettings = true;
 recommendedBrotliSettings = true;
+
+ virtualHosts."status.localhost" = {
+ listen = [{ addr = "127.0.0.1"; port = 8070; }];
+ locations."/metrics" = {
+ extraConfig = ''
+ stub_status;
+ access_log off;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ '';
+ };
+ };
 };
 security.acme = {
 acceptTerms = true;
diff --git a/modules/homelab/prometheus.nix b/modules/homelab/prometheus.nix
index dda45c7..da18008 100644
--- a/modules/homelab/prometheus.nix
+++ b/modules/homelab/prometheus.nix
@@ -14,7 +14,7 @@ lib.mkIf config.fireproof.homelab.enable (let
 };
 targets = [
- "${toString config.services.prometheus.exporters.${name}.listenAddress}:${toString config.services.prometheus.exporters.${name}.port}"
+ "127.0.0.1:${toString config.services.prometheus.exporters.${name}.port}"
 ];
 }
 ];
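Review bot: Hard-coding the scrape target to `127.0.0.1` in the `targets` line only changes where Prometheus connects; the exporter's own bind address came from the `listenAddress` this hunk stops reading, and nothing in the change sets it, so each exporter keeps the module default (`0.0.0.0` in NixOS, as far as I recall) and stays reachable from the LAN while being scraped over loopback. Either keep deriving the target from `listenAddress` and set that to loopback once, or add `listenAddress = "127.0.0.1";` to every entry under `exporters` so the target and the bind address cannot drift apart. A short comment on the new line, `# all exporters bind to loopback; set listenAddress on each one`, records the assumption the hard-coded address relies on. The `mkScrapeConfig` binding this hunk edits starts before the hunk.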
@@ -42,13 +42,25 @@ in {
 scrapeConfigs = [
 (mkScrapeConfig "node")
+ (mkScrapeConfig "nginx")
+ (mkScrapeConfig "postgres")
 ];
- exporters.node = {
- enable = true;
- extraFlags = [
- "--web.disable-exporter-metrics"
- ];
+ exporters = {
+ node = {
+ enable = true;
+ extraFlags = [
+ "--web.disable-exporter-metrics"
+ ];
+ };
+ nginx = {
+ enable = true;
+ scrapeUri = "http://127.0.0.1:8070/metrics";
+ };
+ postgres = {
+ enable = true;
+ runAsLocalSuperUser = true;
+ };
 };
 };
 })
diff --git a/modules/homelab/scrutiny.nix b/modules/homelab/scrutiny.nix
new file mode 100644
index 0000000..c0f215f
--- /dev/null
+++ b/modules/homelab/scrutiny.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable {
+ services.restic.backups.homelab.paths = ["/var/lib/scrutiny"];
+
+ services.scrutiny = {
+ enable = true;
+ collector.enable = true;
+ settings = {
+ web.listen.port = 8089;
+ };
+ };
+
+ services.oauth2-proxy.nginx.virtualHosts."scrutiny.nickolaj.com".allowed_groups = ["admin"];
+
+ services.nginx.virtualHosts."scrutiny.nickolaj.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8089";
+ };
+ };
+}
diff --git a/modules/homelab/security.nix b/modules/homelab/security.nix
new file mode 100644
index 0000000..1cefad0
--- /dev/null
+++ b/modules/homelab/security.nix
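Review bot: `runAsLocalSuperUser = true;` on the new `postgres` exporter runs it as the database superuser, so a compromise of the exporter (which answers unauthenticated HTTP on its port) becomes full control of every database on the host. A dedicated role granted only `pg_monitor` covers the metrics it collects: create it under `services.postgresql` and point the exporter at it with `dataSourceName = "user=postgres_exporter host=/run/postgresql sslmode=disable";` (an option the NixOS module exposes, if I recall correctly), dropping `runAsLocalSuperUser`. If the superuser shortcut is kept for now, a `# TODO: replace with a pg_monitor-only role` comment beside it keeps the privilege visible to the next reader. The enclosing `services.prometheus` block starts before the hunk.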
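Review bot: `web.listen.port = 8089;` is set without `web.listen.host`, so Scrutiny's web UI (which has no authentication of its own) listens on its default address — `0.0.0.0` in the NixOS module, if I remember right — and is reachable on `:8089` directly, bypassing the `allowed_groups = ["admin"]` gate that oauth2-proxy only enforces on the nginx vhost, unless the host firewall happens to block that port. Add `web.listen.host = "127.0.0.1";` next to the port so the only route in is through nginx, and change the upstream to `proxyPass = "http://127.0.0.1:8089";` so nginx cannot resolve `localhost` to `::1` where nothing is listening. A comment on the scrutiny block, `# UI is unauthenticated; reachable only via the oauth2-proxy-protected vhost`, explains why the bind address matters.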
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ "127.0.0.1/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ ];
+ jails = {
+ nginx-http-auth.settings = {
+ enabled = true;
+ filter = "nginx-http-auth";
+ port = "http,https";
+ logpath = "/var/log/nginx/error.log";
+ };
+ nginx-botsearch.settings = {
+ enabled = true;
+ filter = "nginx-botsearch";
+ port = "http,https";
+ logpath = "/var/log/nginx/error.log";
+ };
+ nginx-bad-request.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/error.log";
+ };
+ };
+ };
+}
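Review bot: All three jails read `/var/log/nginx/error.log`, but the stock `nginx-bad-request` filter matches access-log lines (it keys on a `400` status in the request line), so that jail can never ban anyone from the error log and should get `logpath = "/var/log/nginx/access.log";`. Whether the error log even exists depends on `services.nginx.logError`, which the NixOS module defaults to `stderr` as far as I recall — if it is not set elsewhere, fail2ban finds no log file for these jails and refuses to start them, so `services.nginx.logError = "/var/log/nginx/error.log";` (or a `backend = "systemd"` jail with a journalmatch) belongs next to this config. The `nginx-http-auth` filter only matches HTTP basic-auth failures, and the vhosts in this change are fronted by oauth2-proxy, so as written it protects nothing. `ignoreIP` exempting every RFC1918 range is reasonable for a LAN-only lab, but a comment such as `# never ban LAN hosts; only internet-facing clients are subject to fail2ban` should say so before this file is reused on an exposed host.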