# NixOS module for the "eko" host role: the eko service itself, an nginx
# TLS front end for eko.kyren.codes, and the monitoring stack next to it.
# Everything under `config` is applied only when `eko.enable` is set.
{ lib, config, ... }:
let
  cfg = config.eko;
in
{
  imports = [ ./grafana-alloy.nix ];

  options.eko.enable = lib.mkEnableOption "enables eko";

  config = lib.mkIf cfg.enable {
    # Secret material for the server, decrypted by sops and owned by the
    # service account so that eko can read it.
    # NOTE(review): the name suggests this file holds a private key; confirm
    # that no other account needs (or gets) read access to it.
    sops.secrets.eko-server-cert-key.owner = "eko";

    # The services.eko.* options come from a module that is not part of this
    # file.
    # NOTE(review): confirm which ports `openFirewall` exposes; nginx below
    # already fronts localhost:7443, so verify the backend is meant to be
    # reachable directly as well.
    services.eko = {
      enable = true;
      certFile = config.sops.secrets.eko-server-cert-key.path;
      openFirewall = true;
    };

    # eko must only ever be restarted by hand. mkForce overrides whatever
    # restart policy the service module sets, so a crash leaves the service
    # down until an operator steps in; alerting has to cover that case.
    systemd.services.eko.serviceConfig.Restart = lib.mkForce "no";

    # Legal documents published under /etc/eko. builtins.readFile copies the
    # file contents into the world-readable Nix store, which is fine for
    # public text like this.
    environment.etc."eko/tos.md".text = builtins.readFile ./eko-tos.md;
    environment.etc."eko/privacy.md".text = builtins.readFile ./eko-privacy.md;

    # Operator SSH key for the eko account. Whoever holds the matching private
    # key can act as the service user, including reading its secrets and data.
    # NOTE(review): whether this account has a login shell depends on the eko
    # module; confirm.
    users.users.eko.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
    ];

    # Grafana reads eko's sqlite database: it joins the eko group and the data
    # directory is made writable inside Grafana's systemd sandbox.
    # NOTE(review): this grants write access, not just read. SQLite readers can
    # need write access to the directory (for example in WAL mode), so check
    # that before narrowing it to a read-only path.
    users.users.grafana.extraGroups = [ "eko" ];
    systemd.services.grafana.serviceConfig.ReadWritePaths = [ config.services.eko.dataDir ];

    # The "kyren.codes" certificate used below is issued by the acme module,
    # so that module has to be active. `acme.enable` is an option declared
    # outside this file.
    acme.enable = true;

    # Reverse proxy for the website: HTTPS is enforced at nginx with the
    # kyren.codes certificate, and requests are forwarded as plain HTTP to the
    # backend on the loopback interface.
    services.nginx = {
      enable = true;
      virtualHosts."eko.kyren.codes" = {
        useACMEHost = "kyren.codes";
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:7443/";
      };
    };

    # Monitoring / observability. The grafana, loki and grafana-alloy switches
    # are options declared outside this block.
    grafana.enable = true; # dashboard
    loki.enable = true; # logging
    services.prometheus = {
      enable = true; # metrics
      # Read at evaluation time, so the whole file ends up in the
      # world-readable Nix store: keep scrape credentials out of it.
      configText = builtins.readFile ./eko-prometheus.yml;
    };
    grafana-alloy.enable = true; # collector
  };
}