| -rw-r--r-- | configuration.nix | 1 | ||||
| -rw-r--r-- | modules/caldav.nix | 6 | ||||
| -rw-r--r-- | modules/mailserver.nix | 16 | ||||
| -rw-r--r-- | modules/mealie.nix | 6 | ||||
| -rw-r--r-- | modules/minecraft-server.nix | 6 | ||||
| -rw-r--r-- | modules/monit.nix | 42 | ||||
| -rw-r--r-- | modules/polaris.nix | 6 | ||||
| -rw-r--r-- | modules/ssh.nix | 7 | ||||
| -rw-r--r-- | modules/syncthing.nix | 6 | ||||
| -rw-r--r-- | modules/vaultwarden.nix | 6 | ||||
| -rw-r--r-- | modules/webserver.nix | 7 |
11 files changed, 109 insertions, 0 deletions
diff --git a/configuration.nix b/configuration.nix
index dc00716..2a40a44 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,6 +14,7 @@
 ./modules/polaris.nix
 ./modules/caldav.nix
 ./modules/vaultwarden.nix
+ ./modules/monit.nix
 ];
 
 networking.hostName = "nixos";
diff --git a/modules/caldav.nix b/modules/caldav.nix
index c3ec294..6701648 100644
--- a/modules/caldav.nix
+++ b/modules/caldav.nix
@@ -22,4 +22,10 @@
 security.acme.certs."krinitsin.com".extraDomainNames = [ "caldav.krinitsin.com" ];
 
+ services.monit.config = ''
+ check process radicale with matching "radicale"
+ start program = "${pkgs.systemd}/bin/systemctl start radicale"
+ stop program = "${pkgs.systemd}/bin/systemctl stop radicale"
+ '';
+
 }
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 71ca506..80c8af5 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -38,5 +38,21 @@
 '';
 };
 
+ services.monit.config = ''
+ check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid
+ start program = "${pkgs.systemd}/bin/systemctl start postfix"
+ stop program = "${pkgs.systemd}/bin/systemctl stop postfix"
+ if failed port 25 protocol smtp for 5 cycles then restart
+
+ check process dovecot with pidfile /var/run/dovecot2/master.pid
+ start program = "${pkgs.systemd}/bin/systemctl start dovecot2"
+ stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
+ if failed host mail.krinitsin.com port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+
+ check process rspamd with matching "rspamd: main process"
+ start program = "${pkgs.systemd}/bin/systemctl start rspamd"
+ stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"
+ '';
+
 security.acme.certs."krinitsin.com".extraDomainNames = [ "webmail.krinitsin.com" ];
 }
diff --git a/modules/mealie.nix b/modules/mealie.nix
index 5059c8f..71ead54 100644
--- a/modules/mealie.nix
+++ b/modules/mealie.nix
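Review bot: `check process radicale with matching "radicale"` is a regex over the full command line of every process, so any unrelated process whose arguments contain the string (a shell, an editor holding the config) makes monit report the service as running while the real daemon is down, and the restart action never fires. The same pattern is used in mealie.nix, minecraft-server.nix (`"papermc"`), polaris.nix, syncthing.nix, vaultwarden.nix and the rspamd check in mailserver.nix. Where the service writes a pidfile, `with pidfile` as the postfix and dovecot checks in this commit use is the reliable form; otherwise anchor the pattern to the daemon's executable, e.g. `check process radicale with matching "^/nix/store/.*/bin/radicale"` (constructed example; confirm the actual command line with `systemctl status radicale` before choosing the anchor).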
@@ -18,4 +18,10 @@ in
 security.acme.certs."krinitsin.com".extraDomainNames = [ "recipes.krinitsin.com" "rezepte.krinitsin.com" ];
 
+ services.monit.config = ''
+ check process mealie with matching "mealie"
+ start program = "${pkgs.systemd}/bin/systemctl start mealie"
+ stop program = "${pkgs.systemd}/bin/systemctl stop mealie"
+ '';
+
 }
diff --git a/modules/minecraft-server.nix b/modules/minecraft-server.nix
index 08c47b4..82ed988 100644
--- a/modules/minecraft-server.nix
+++ b/modules/minecraft-server.nix
@@ -24,4 +24,10 @@ in
 dataDir = "/var/lib/minecraft";
 };
 
+ services.monit.config = ''
+ check process minecraft-server with matching "papermc"
+ start program = "${pkgs.systemd}/bin/systemctl start minecraft-server"
+ stop program = "${pkgs.systemd}/bin/systemctl stop minecraft-server"
+ '';
+
 }
diff --git a/modules/monit.nix b/modules/monit.nix
new file mode 100644
index 0000000..b4155ee
--- /dev/null
+++ b/modules/monit.nix
@@ -0,0 +1,42 @@
+{ pkgs, libs, config, ... }:
+{
+
+ services.monit = {
+ enable = true;
+ config = ''
+ set mailserver localhost port 25 username admin
+ set alert mail@krinitsin.com
+
+ set daemon 120 with start delay 60
+ set mailserver
+ localhost
+
+ set httpd port 2812 and use address localhost
+ allow localhost
+
+ check filesystem root with path /
+ if space usage > 80% then alert
+ if inode usage > 80% then alert
+
+ check system $HOST
+ if cpu usage > 95% for 10 cycles then alert
+ if memory usage > 75% for 5 cycles then alert
+ if swap usage > 20% for 10 cycles then alert
+ if loadavg (1min) > 90 for 15 cycles then alert
+ if loadavg (5min) > 80 for 10 cycles then alert
+ if loadavg (15min) > 70 for 8 cycles then alert
+
+ check network network interface ens3
+ '';
+ };
+
+ services.nginx.virtualHosts."status.krinitsin.com" = {
+ forceSSL = true;
+ useACMEHost = "krinitsin.com";
+ basicAuthFile = "/secret/monit";
+ locations."/".proxyPass = "http://localhost:2812";
+ };
+
+ security.acme.certs."krinitsin.com".extraDomainNames = [ "status.krinitsin.com" ];
+
+}
diff --git a/modules/polaris.nix b/modules/polaris.nix
index 4facfb9..bc5d66a 100644
--- a/modules/polaris.nix
+++ b/modules/polaris.nix
@@ -23,4 +23,10 @@
 security.acme.certs."krinitsin.com".extraDomainNames = [ "music.krinitsin.com" ];
 
+ services.monit.config = ''
+ check process polaris with matching "polaris"
+ start program = "${pkgs.systemd}/bin/systemctl start polaris"
+ stop program = "${pkgs.systemd}/bin/systemctl stop polaris"
+ '';
+
 }
diff --git a/modules/ssh.nix b/modules/ssh.nix
index a23dacd..30a79ad 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
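Review bot: The mail server is declared twice in modules/monit.nix, `set mailserver localhost port 25 username admin` and three lines later `set mailserver` / `localhost`; the first names a username with no `password`, which is unlikely to authenticate, and the second looks like a leftover that should go. Whatever credential ends up there should not be inlined, because `services.monit.config` is written to the world-readable Nix store; monit's `include /path` directive lets an `include /secret/monit.conf` line hold the SMTP credentials (and any httpd `allow user:password`) outside the store, consistent with the `basicAuthFile = "/secret/monit"` already used for nginx. Separately, the httpd is `allow localhost` only and nginx proxies from localhost, so every client that passes nginx's basic auth gets full start/stop/unmonitor rights in the monit UI; if the status page is meant for viewing, `allow <user>:<password> read-only` (credentials from the included file) is the narrower grant. Minor: the header `{ pkgs, libs, config, ... }:` names `libs`, which is not a module argument (`lib` is), and neither `libs` nor `config` is used in the file, so both can be dropped.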
@@ -7,6 +7,13 @@
 enable = true;
 settings.PasswordAuthentication = false;
 };
 
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ services.monit.config = ''
+ check process sshd with pidfile /var/run/sshd.pid
+ start program "${pkgs.systemd}/bin/systemctl start sshd"
+ stop program "${pkgs.systemd}/bin/systemctl stop sshd"
+ if failed port 22 protocol ssh for 2 cycles then restart
+ '';
 }
diff --git a/modules/syncthing.nix b/modules/syncthing.nix
index c25c956..cf213b2 100644
--- a/modules/syncthing.nix
+++ b/modules/syncthing.nix
@@ -16,4 +16,10 @@
 security.acme.certs."krinitsin.com".extraDomainNames = [ "syncthing.krinitsin.com" ];
 
+ services.monit.config = ''
+ check process syncthing with matching "syncthing"
+ start program = "${pkgs.systemd}/bin/systemctl start syncthing"
+ stop program = "${pkgs.systemd}/bin/systemctl stop syncthing"
+ '';
+
 }
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index 7511296..7a1a8ec 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -33,4 +33,10 @@
 security.acme.certs."krinitsin.com".extraDomainNames = [ "vault.krinitsin.com" ];
 
+ services.monit.config = ''
+ check process vaultwarden with matching "vaultwarden"
+ start program = "${pkgs.systemd}/bin/systemctl start vaultwarden"
+ stop program = "${pkgs.systemd}/bin/systemctl stop vaultwarden"
+ '';
+
 }
diff --git a/modules/webserver.nix b/modules/webserver.nix
index e61cb68..ac95ddf 100644
--- a/modules/webserver.nix
+++ b/modules/webserver.nix
@@ -34,4 +34,11 @@
 };
 networking.firewall.allowedTCPPorts = [ 80 443 5000 ];
+
+ services.monit.config = ''
+ check process nginx with pidfile /var/run/nginx/nginx.pid
+ start program = "${pkgs.systemd}/bin/systemctl start nginx"
+ stop program = "${pkgs.systemd}/bin/systemctl stop nginx"
+ if failed host 127.0.0.1 port 443 then restart
+ '';
 }
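Review bot: `start program "${pkgs.systemd}/bin/systemctl start sshd"` and the `stop program` line below it drop the `=` that every other check in this commit writes as `start program = "..."`; monit accepts both spellings, but the module set reads better with one form. `networking.firewall.allowedTCPPorts = [ 22 ];` is unrelated to monitoring and is presumably already covered by `services.openssh.openFirewall`, which defaults to true (confirm against the rest of the firewall config before keeping it). Also confirm that the NixOS sshd unit actually writes `/var/run/sshd.pid`; if it does not, `check process sshd with pidfile` never sees the daemon and monit will keep invoking the start program every cycle. The enclosing `services.openssh` attribute set begins outside the hunk.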
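Review bot: `if failed host 127.0.0.1 port 443 then restart` in modules/webserver.nix restarts nginx on the first failed cycle, unlike every other check in this commit, which waits `for N cycles`, so one slow accept during a reload bounces the reverse proxy that fronts all the other services here. It is also a bare TCP connect against a TLS port, which says nothing about whether nginx is serving. `if failed host 127.0.0.1 port 443 type tcpssl for 3 cycles then restart` matches the `type tcpssl` style already used for dovecot in mailserver.nix and tolerates a transient failure; if monit's certificate verification rejects the loopback address for the krinitsin.com certificate, check port 80 with `protocol http` instead (confirm the verification default for the installed monit version).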