aurore/nixos
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: aurore:da86fe8fac34c0c4eedb4926a718d578048c1c14
Branches Tags
aurore:main
aurore:colmena
aurore:log
...
compare: aurore:886f3898d3f791d31442f46bbc4f70c19b0080b3
Branches Tags
aurore:colmena
aurore:log
aurore:main

4 commits
da86fe8fac ... 886f3898d3

Author SHA1 Message Date
korenstin
886f3898d3
grafana: nginx recommended factorization 2025-10-07 21:22:48 +02:00
korenstin
15fcba2b26
grafana: configuration du service 2025-10-07 21:20:49 +02:00
korenstin
d98c1e47ce
nginx: configuration recommended 2025-10-07 21:18:38 +02:00
korenstin
a41d4ab911
jitsi: enable nginx and videobridge 2025-10-07 20:52:14 +02:00
12 changed files with 234 additions and 15 deletions
Show stats Expand all files Collapse all files

7
flake.nix
View file

@ -53,6 +53,13 @@
++ defaultConfig; ++ defaultConfig;
in in
{ {
grafana = nixosSystem {
specialArgs = inputs;
modules = [
./hosts/vm/grafana
]
++ defaultVM;
};
# VL: Peut-être avoir de l'auto-discovery: On a beaucoup trop de machines # VL: Peut-être avoir de l'auto-discovery: On a beaucoup trop de machines
jitsi = nixosSystem { jitsi = nixosSystem {
specialArgs = inputs; specialArgs = inputs;

52
hosts/vm/grafana/default.nix Normal file
View file

@ -0,0 +1,52 @@
{ ... }:
{
imports = [
./grafana.nix
];
networking = {
hostName = "grafana";
domain = "ext.infra.auro.re";
};
boot.loader.systemd-boot.enable = true;
systemd.network = {
enable = true;
links = {
"10-ext" = {
matchConfig.MACAddress = "ae:ae:ae:a4:7d:ab";
linkConfig.Name = "ext";
};
};
networks = {
"10-ext" = {
domains = [
"ext.infra.auro.re"
"auro.re"
];
matchConfig.Name = "ext";
linkConfig.RequiredForOnline = "routable";
address = [
"10.211.1.7/16"
"2a09:6840:211::1:7/64"
];
routes = [
{ Gateway = "10.211.0.1"; }
{ Gateway = "2a09:6840:211::1"; }
];
dns = [
"10.206.1.1"
"10.206.1.2"
"2a09:6840:206::1:1"
"2a09:6840:206::1:2"
];
};
};
};
system.stateVersion = "25.05";
}

110
hosts/vm/grafana/grafana.nix Normal file
View file

@ -0,0 +1,110 @@
{ pkgs, config, ... }:
let
cfg = config.services.grafana;
fileProvider = path: "$__file{${path}}";
ldapServer = {
host = "re2o-ldap.adm.auro.re ldap-replica-edc 10.128.0.21 10.128.4.249";
port = 389;
use_ssl = false;
start_tls = false;
bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re";
bind_password = fileProvider config.age.secrets.grafana-ldap-password.path;
search_filter = "(&(objectClass=posixAccount)(cn=%s))";
search_base_dns = [ "cn=Utilisateurs,dc=auro,dc=re" ];
group_search_base_dns = [ "ou=posix,ou=groups,dc=auro,dc=re" ];
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
group_search_filter_user_attribute = "uid";
attributes = {
email = "mail";
};
"group_mappings" = [
{
group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re";
org_role = "Admin";
grafana_admin = true;
}
{
group_dn = "cn=technicien,ou=posix,ou=groups,dc=auro,dc=re";
org_role = "Editor";
}
{
group_dn = "*";
org_role = "Viewer";
}
];
};
ldapConfig = (pkgs.formats.toml { }).generate "ldap.toml" {
servers = [ ldapServer ];
};
in
{
age.secrets = {
grafana-admin-password = {
file = ../../../secrets/grafana/admin_password.age;
owner = "grafana";
group = "grafana";
};
grafana-secret-key = {
file = ../../../secrets/grafana/secret_key.age;
owner = "grafana";
group = "grafana";
};
grafana-ldap-password = {
file = ../../../secrets/grafana/ldap_password.age;
owner = "grafana";
group = "grafana";
};
};
services.grafana = {
enable = true;
settings = {
server.protocol = "socket";
analytics = {
reporting_enabled = false;
feedback_links_enabled = false;
};
security = {
admin_user = "admin";
admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
};
"auth.ldap" = {
enabled = true;
allow_sign_up = true;
skip_org_role_sync = false;
config_file = toString ldapConfig;
};
};
provision.datasources.settings.datasources =
[
{
name = "Infrastructure 1";
type = "prometheus";
uid = "infra-1";
url = "http://10.204.1.1:9090";
editable = false;
jsonData = {
isDefault = true;
};
}
];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = { };
virtualHosts."grafana-ng.auro.re" = {
root = cfg.settings.server.static_root_path;
locations."/".tryFiles = "$uri @grafana";
locations."@grafana".proxyPass = "http://grafana";
};
};
users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
}

3
hosts/vm/jitsi/jitsi.nix
View file

@ -6,6 +6,9 @@
enable = true; enable = true;
hostName = "jitsi-ng.auro.re"; hostName = "jitsi-ng.auro.re";
nginx.enable = true;
videobridge.enable = true;
config = { config = {
liveStreaming.enabled = true; liveStreaming.enabled = true;
}; };

11
profiles/common/ssh.nix
View file

@ -1,16 +1,6 @@
{ config, ... }: { config, ... }:
{ {
age.secrets = {
ssh_users_ca = {
file = ../../secrets/common/ssh/users_ca.age;
path = "/etc/ssh/users_ca.pub";
owner = "root";
group = "root";
mode = "400";
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -28,7 +18,6 @@
SyslogFacility AUTH SyslogFacility AUTH
UsePAM no UsePAM no
TCPKeepAlive yes TCPKeepAlive yes
TrustedUserCAKeys ${config.age.secrets.ssh_users_ca.path}
VersionAddendum none VersionAddendum none
''; '';

1
profiles/vm/default.nix
View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./nginx.nix
./virtualisation.nix ./virtualisation.nix
]; ];
} }

10
profiles/vm/nginx.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
services.nginx = {
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
}

16
secrets.nix
View file

@ -1,17 +1,25 @@
let let
# responsable technique # responsable technique
korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e korenstin@nixos"; korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e";
lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl lafeychine@P14s"; lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl";
hachino = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZ+Km78tkWXnmRTeg2F5kHgTGYS+JYM3SfAoTqvaisBRLpYHOtG889FvRjczVJn7A2q4aLGuejzjJ9V3wyF+aJjdzANPnVMUCGQXSnbHC4pMfL8fD67J+8gJil/QwGgpKpYlU0u81tgcjszYMv/ub8d9HnqLeYFkTvy2678vrsA2GoB/pO6iWOA4cubI0R0BYOP1zRnsgBM7L3swag/7lQ0L+6g+M8IcU2fr2Fp/L0gQ33e6H59fyuDaEp2GyQM66r0N+dMqjAyvB7tZlM2S28wji+DW46p4SJxNiqE8mzAjzWxV4rQDXfg+89LvzDN6iOKOtYAP9otWj14X4MOlQaKws4gicGjdUX9MiiChEjl3LET5i/zQqAMylMvm8qKTJ6PqIOootuUi6rv5d1IqLoaHXcU++h8HtYJU8o4MfGYBe4mFT4SRvJaX6C+UTdi6JKEJBmmBVwJIUCRCfXeqitc15Xb3xDgoOf0VsWiIaFnduYRDWfPKBCDl1raafxYO0=";
respo_technique = [ respo_technique = [
korenstin korenstin
lafeychine lafeychine
hachino
]; ];
# vm # vm
jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBwpK5qfEsuapx+8tOCmEY0hpy3V6M0OSqwoByriCX5 root@jitsi"; jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBwpK5qfEsuapx+8tOCmEY0hpy3V6M0OSqwoByriCX5 root@jitsi";
vm = [ jitsi ]; grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErGGJ9JNa7sZQOADXWCfcKpgF0xuYTLUC+ErMV9IkPJ root@grafana";
vm = [
jitsi
grafana
];
in in
{ {
"secrets/common/ssh/users_ca.age".publicKeys = respo_technique ++ vm; "secrets/grafana/admin_password.age".publicKeys = respo_technique ++ [ grafana ];
"secrets/grafana/ldap_password.age".publicKeys = respo_technique ++ [ grafana ];
"secrets/grafana/secret_key.age".publicKeys = respo_technique ++ [ grafana ];
} }

BIN
secrets/common/ssh/users_ca.age
View file

Binary file not shown.

19
secrets/grafana/admin_password.age Normal file
View file

@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-ed25519 6qBTxA rpz6GQsKHdPX+Hc6pMvSpWzgBMYpYpKPOjIyU+rX21A
KNLlxBgAVped7g3B24kHLJHyI0i8vwSB3tvXrMi+WiE
-> ssh-ed25519 tQAKMw mPZPUXxd9THMuuR4KGnQu/9zKAXuoijEMp1RecaDGgU
S8U2HxCLbHMMyo5JYsdhX6H+mtl9rkXgSVWBrX3Cf28
-> ssh-rsa REaZBA
PkLlexB3ZsI+Gc4dP9SDUTHDScPnZTMJ+cU5msrquFXhUbZd3xMRh17E0bH8dFD0
JkTYNsMdPH5NtcsN2uPLHlB3KMDO32boPhCZOrWqyFeJ/os/wZm9wY7HzrbEYNV2
RBGCzb4EhvctKPhQL5J0CkuemJI3RL+E20p2BdwWfUDQxcqxdUQHzszm3ONpyTkf
20eN/rd0P2LBRc2NxHrbesRqsY4HmusTSBYBHqvNfkdBFV/GkMYUGlF1h2JhxLv0
fK7AB3G+u+HX4Grhhl0Vdl+r7wjRVW6T6IC1iwHaPw7Iwg1QJ0PRuoJGo2+iJnnF
yC8HvaqDdq+M/Z17SnAbdGaW+wpFam/GOxBRaS4atltdeZGXu911l6PUzvPqHaIZ
FlhfGedLExcIetF1wzgvD/l+NT3Obu+On2Pa8JGec17d+bJekfG3Y1wXckOhoX26
IbnT3iygJ99kxIXLvrYqEgJxL7QsgtIdlO1OMs1HYFT5H2X1O7ERW1z8htSKJF+A
-> ssh-ed25519 1baUFg Q59tfDG1iM0EcTXiZ5pfEOJ7MjYSuuroljgtTvQ9CRE
Xrk54B1FFiYxFFKAhHjgZB9a0RNVeGzPtLH2ATUqQ6g
--- 3qwWrafWUzecR6Qxc3iBTsa1qHSgX6p9ef6H4svB0HI
¸«öÌOK˜ø )3Oèwï½É¡ª1ÀQ(<28>1¶}S»¦çP/ÎêïN<> K ÅFÏÂ

BIN
secrets/grafana/ldap_password.age Normal file
View file

Binary file not shown.

20
secrets/grafana/secret_key.age Normal file
View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 6qBTxA fzgvb33y/ccMbjxrzPiBRpcM5KqHGv8lDsn/LFCvbgU
HIQJNjELuFvyyncKiduNEwzII/Bcp9oYhbZWzvZkvK8
-> ssh-ed25519 tQAKMw Jrhrys8NOiXukzc5fEbedoMV+ls8bW3wwzS7K41PS2Y
gPU1H2QI0XObePui5CKf1pO5C93igQTwMcJSwTC4xYY
-> ssh-rsa REaZBA
XUsv/XEoyb2ckPE7pGV9ntH+Gn8vd06uDL3pMIv4CesEQcvn1Ppn0Uymlmm096jw
umY66FHetl45tJbEWx9os2vNw420+ESHfyZCef32D+hM94VTYV6r3hMTPVEsHsrf
+lWXCLVhTaUpKfAb3w7E7gnKm0JTBX//hbrZKoQrBZ6nvn/5clkNBmRa43GKqi22
FlfOe7y+DiNBp9c15K16FHijO2u8QONqcD/iHdVwOQncQAhVnzdTs048aLWefhFJ
VHXcmX3/LLc1LtMnMTloHsOUa3UU8TEG9xet7KeWxgyeMITBKuY3nmVFKPHEl6Ty
wSyarADyrTLV8tT2UUGPQmyGh868CHTg7Jy422riM8JG5FJRxg8sxK7UOokGflHI
vHPTUx+94/goN3IyyW9qum+2Mr+Dee3k2kBWb25gOAIme3vnxOBCAVgw7irz7Nsg
avYnQLuQR8T/8ldWgst2aDTIe0rijxtP2i6JwzfSQGfaENXe/6U06f50wuBcYdm9
-> ssh-ed25519 1baUFg iEpEJcziOF24syWa7TiUNi904a/ajacQaws2Y+NjnG8
09a1FRksRWGYYdpHHyWZ96OfbGzXXKfqX+hnfGpUjL8
--- H/TyEYeNgKY1Q5p6bdw8AyEjXYcBjftRRayvUVq9Dy0
"
ûòjˆÜºÊ¢f$%UÌê“Áëv­øÓZ-¿]˜?KwQ¶€°«÷»UÂ}¹ª‡V