Grafana now has a 'settings' submap

2022-12-02 08:49:52 -08:00 · 2022-12-02 08:49:52 -08:00 · 3663be3460
parent ff1aa983bf
commit 3663be3460
2 changed files with 49 additions and 42 deletions
--- a/lib/fudo/grafana.nix
+++ b/lib/fudo/grafana.nix
@ -1,6 +1,6 @@
 # NOTE: this assumes that postgres is running locally.

-{ config, lib, pkgs, ... } @ toplevel:
+{ config, lib, pkgs, ... }@toplevel:

 with lib;
 let
@ -92,8 +92,10 @@ in {

      email = mkOption {
        type = str;
-        description = "Address from which mail will be sent (i.e. 'from' address).";
-        default = "${toplevel.config.fudo.grafana.smtp.username}@${domain-name}";
+        description =
+          "Address from which mail will be sent (i.e. 'from' address).";
+        default =
+          "${toplevel.config.fudo.grafana.smtp.username}@${domain-name}";
      };

      domain = mkOption {
@ -138,13 +140,14 @@ in {

    secret-key-file = mkOption {
      type = str;
-      description = "Path to a file containing the server's secret key, used for signatures.";
+      description =
+        "Path to a file containing the server's secret key, used for signatures.";
    };

    datasources = mkOption {
      type = attrsOf (submodule datasourceOpts);
      description = "A list of datasources supplied to Grafana.";
-      default = {};
+      default = { };
    };

    state-directory = mkOption {
@ -158,11 +161,9 @@ in {

  config = mkIf cfg.enable {
    systemd = {
-      tmpfiles.rules = let
-        grafana-user = config.systemd.services.grafana.serviceConfig.User;
-      in [
-        "d ${cfg.state-directory} 0700 ${grafana-user} - - -"
-      ];
+      tmpfiles.rules =
+        let grafana-user = config.systemd.services.grafana.serviceConfig.User;
+        in [ "d ${cfg.state-directory} 0700 ${grafana-user} - - -" ];

      services.grafana.serviceConfig = {
        EnvironmentFile = host-secrets.grafana-environment-file.target-file;
@ -172,7 +173,7 @@ in {
    fudo.secrets.host-secrets.${hostname}.grafana-environment-file = {
      source-file = pkgs.writeText "grafana.env" ''
        ${optionalString (cfg.ldap != null)
-          ''GRAFANA_LDAP_BIND_PASSWD="${cfg.ldap.bind-passwd}"''}
+        ''GRAFANA_LDAP_BIND_PASSWD="${cfg.ldap.bind-passwd}"''}
      '';
      target-file = "/run/metrics/grafana/auth-bind.passwd";
      user = config.systemd.services.grafana.serviceConfig.User;
@ -186,8 +187,8 @@ in {

        virtualHosts = {
          "${cfg.hostname}" = {
-            enableACME = ! cfg.private-network;
-            forceSSL = ! cfg.private-network;
+            enableACME = !cfg.private-network;
+            forceSSL = !cfg.private-network;
            locations."/".proxyPass = "http://127.0.0.1:3000";
          };
        };
@ -200,8 +201,7 @@ in {
        protocol = "http";
        port = 3000;
        domain = cfg.hostname;
-        rootUrl = let
-          scheme = if cfg.private-network then "http" else "https";
+        rootUrl = let scheme = if cfg.private-network then "http" else "https";
        in "${scheme}://${cfg.hostname}/";
        dataDir = cfg.state-directory;

@ -210,13 +210,15 @@ in {
          secretKeyFile = cfg.secret-key-file;
        };

-        smtp = {
-          enable = true;
-          # TODO: create system user as necessary
-          fromAddress = "${cfg.smtp.username}@${cfg.smtp.domain}";
-          host = "${cfg.smtp.hostname}:25";
-          user = cfg.smtp.username;
-          passwordFile = cfg.smtp.password-file;
+        settings = {
+          smtp = {
+            enable = true;
+            # TODO: create system user as necessary
+            fromAddress = "${cfg.smtp.username}@${cfg.smtp.domain}";
+            host = "${cfg.smtp.hostname}:25";
+            user = cfg.smtp.username;
+            passwordFile = cfg.smtp.password-file;
+          };
        };

        extraOptions = mkIf (cfg.ldap != null) (let
--- a/lib/fudo/minecraft-clj.nix
+++ b/lib/fudo/minecraft-clj.nix
@ -202,6 +202,8 @@ in {
      groups."${cfg.group}" = { members = [ cfg.user ]; };
    };

+    networking.firewall.allowedTCPPorts = [ 25555 ];
+
    systemd = {
      tmpfiles.rules = map (worldOpts:
        "d ${worldStateDir worldOpts} 0700 ${cfg.user} ${cfg.group} - -")
@ -212,13 +214,13 @@ in {
          sanitizedName = sanitizeName worldOpts.world-name;
          serverName = "minecraft-clj-${sanitizedName}";
          stateDir = worldStateDir worldOpts;
-          startScript = let
+
+          preStartScript = let
            admins-file = pkgs.writeText "${sanitizedName}-ops.txt"
              (concatStringsSep "\n" cfg.admins);
            props-file = genPropsFile worldOpts;
            eula-file =
              pkgs.writeText "mc-${sanitizedName}-eula.txt" "eula=true";
-
          in pkgs.writeShellScript "mc-initialize-${sanitizedName}.sh" ''
            cp -f ${admins-file} ${stateDir}/ops.txt
            cp -f ${props-file} ${stateDir}/server.properties
@ -228,6 +230,15 @@ in {
            chmod u+w ${stateDir}/server.properties
          '';

+          startScript = let
+            mem = "${toString worldOpts.allocated-memory}G";
+            memFlags = [ "-Xms${mem}" "-Xmx${mem}" ];
+            flags = commonFlags ++ memFlags
+              ++ (optionals (worldOpts.allocated-memory >= 12) highMemFlags);
+            flagStr = concatStringsSep " " flags;
+          in pkgs.writeShellScript "mc-start-${sanitized-Name}.sh"
+          "${pkgs.papermc}/bin/minecraft-server ${flagStr}";
+
        in nameValuePair serverName {
          enable = worldOpts.enable;
          description =
@ -238,27 +249,21 @@ in {
            User = cfg.user;
            Group = cfg.group;
            WorkingDirectory = stateDir;
-            ExecStartPre = "${startScript}";
-            ExecStart = let
-              mem = "${toString worldOpts.allocated-memory}G";
-              memFlags = [ "-Xms${mem}" "-Xmx${mem}" ];
-              flags = commonFlags ++ memFlags
-                ++ (optionals (worldOpts.allocated-memory >= 12) highMemFlags);
-              flagStr = concatStringsSep " " flags;
-            in "${pkgs.papermc}/bin/minecraft-server ${flagStr}";
+            ExecStartPre = "${preStartScript}";
+            ExecStart = "${startScript}";

            Restart = "always";
-            # NoNewPrivileges = true;
+            NoNewPrivileges = true;
            # PrivateTmp = true;
-            # PrivateDevices = true;
-            # ProtectSystem = "strict";
-            # ProtectHome = true;
-            # ProtectControlGroups = true;
-            # ProtectKernelModules = true;
-            # ProtectKernelTunables = true;
-            # RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-            # RestrictRealtime = true;
-            # RestrictNamespaces = true;
+            PrivateDevices = true;
+            ProtectSystem = "strict";
+            ProtectHome = true;
+            ProtectControlGroups = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+            RestrictRealtime = true;
+            RestrictNamespaces = true;
            ReadWritePaths = [ cfg.state-directory ];
          };
        }) cfg.worlds;