feat: adguardhome use DoT; fix loki home proxy; allow arbitrary telegraf secrets

2024-05-25 15:49:41 +02:00 · 2024-05-25 15:49:41 +02:00 · 045f15239a
commit 045f15239a
parent 93061af475
11 changed files with 114 additions and 173 deletions
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -59,12 +59,11 @@ in {
        # allowed_clients = [
        # ];
        #trusted_proxies = [];
-        ratelimit = 60;
+        ratelimit = 300;
        upstream_dns = [
-          "1.1.1.1"
-          # FIXME: enable ipv6 "2606:4700:4700::1111"
-          "8.8.8.8"
-          # FIXME: enable ipv6 "2001:4860:4860::8844"
+          "https://dns.cloudflare.com/dns-query"
+          "https://dns.google/dns-query"
+          "https://doh.mullvad.net/dns-query"
        ];
        bootstrap_dns = [
          "1.1.1.1"
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -33,6 +33,72 @@ in {
    inherit (acme) certs wildcardDomains;
  };

+  age.secrets.github-access-token = {
+    rekeyFile = config.node.secretsDir + "/github-access-token.age";
+    mode = "440";
+    group = "telegraf";
+  };
+
+  meta.telegraf.secrets."@GITHUB_ACCESS_TOKEN@" = config.age.secrets.github-access-token.path;
+  services.telegraf.extraConfig.inputs = {
+    ping = [
+      {
+        method = "native";
+        urls = [
+          "192.168.178.1"
+          "192.168.1.1"
+        ];
+        tags.type = "internal";
+        fieldpass = [
+          "percent_packet_loss"
+          "average_response_ms"
+          "standard_deviation_ms"
+          "reply_received"
+          "percent_reply_loss"
+        ];
+      }
+      {
+        method = "native";
+        urls = [
+          "1.1.1.1"
+          "8.8.8.8"
+          config.repo.secrets.global.domains.me
+          config.repo.secrets.global.domains.personal
+        ];
+        tags.type = "external";
+        fieldpass = [
+          "percent_packet_loss"
+          "average_response_ms"
+          "standard_deviation_ms"
+          "reply_received"
+          "percent_reply_loss"
+        ];
+      }
+    ];
+
+    # FIXME: pls define this on the relevant hosts. Then we can ping it from multiple other hosts
+    #http_response = [
+    #  {
+    #    urls = [
+    #    ];
+    #    response_string_match = "Index of /";
+    #    response_status_code = 200;
+    #  }
+    #];
+
+    github = {
+      access_token = "@GITHUB_ACCESS_TOKEN@";
+      repositories = [
+        "oddlama/agenix-rekey"
+        "oddlama/autokernel"
+        "oddlama/gentoo-install"
+        "oddlama/nix-config"
+        "oddlama/nix-topology"
+        "oddlama/vane"
+      ];
+    };
+  };
+
  services.nginx = {
    upstreams.fritzbox = {
      servers."192.168.178.1" = {};