lib: add mkCaddyReverseProxy, mkFail2banJail, mkGrafanaAnnotationService, extractArrApiKey

2026-04-09 19:00:47 -04:00
parent c74d356595
commit 75319256f3
23 changed files with 221 additions and 180 deletions
--- a/services/grafana/grafana.nix
+++ b/services/grafana/grafana.nix
@@ -12,6 +12,11 @@
    (lib.serviceFilePerms "grafana" [
      "Z ${service_configs.grafana.dir} 0700 grafana grafana"
    ])
+    (lib.mkCaddyReverseProxy {
+      domain = service_configs.grafana.domain;
+      port = service_configs.ports.private.grafana.port;
+      auth = true;
+    })
  ];

  services.grafana = {
@@ -85,11 +90,6 @@
    };
  };

-  services.caddy.virtualHosts."${service_configs.grafana.domain}".extraConfig = ''
-    import ${config.age.secrets.caddy_auth.path}
-    reverse_proxy :${toString service_configs.ports.private.grafana.port}
-  '';
-
  services.postgresql = {
    ensureDatabases = [ "grafana" ];
    ensureUsers = [
--- a/services/grafana/jellyfin-annotations.nix
+++ b/services/grafana/jellyfin-annotations.nix
@@ -1,40 +1,18 @@
 {
  config,
-  pkgs,
  service_configs,
  lib,
  ...
 }:
-lib.mkIf (config.services.grafana.enable && config.services.jellyfin.enable) {
-  systemd.services.jellyfin-annotations = {
+lib.mkIf (config.services.grafana.enable && config.services.jellyfin.enable) (
+  lib.mkGrafanaAnnotationService {
+    name = "jellyfin";
    description = "Jellyfin stream annotation service for Grafana";
-    after = [
-      "network.target"
-      "grafana.service"
-    ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      ExecStart = "${pkgs.python3}/bin/python3 ${./jellyfin-annotations.py}";
-      Restart = "always";
-      RestartSec = "10s";
-      LoadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";
-      DynamicUser = true;
-      StateDirectory = "jellyfin-annotations";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-      ];
-      MemoryDenyWriteExecute = true;
-    };
+    script = ./jellyfin-annotations.py;
    environment = {
      JELLYFIN_URL = "http://127.0.0.1:${toString service_configs.ports.private.jellyfin.port}";
-      GRAFANA_URL = "http://127.0.0.1:${toString service_configs.ports.private.grafana.port}";
-      STATE_FILE = "/var/lib/jellyfin-annotations/state.json";
      POLL_INTERVAL = "30";
    };
-  };
-}
+    loadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";
+  }
+)
--- a/services/grafana/llama-cpp-annotations.nix
+++ b/services/grafana/llama-cpp-annotations.nix
@@ -1,39 +1,18 @@
 {
  config,
-  pkgs,
  service_configs,
  lib,
  ...
 }:
-lib.mkIf (config.services.grafana.enable && config.services.llama-cpp.enable) {
-  systemd.services.llama-cpp-annotations = {
+lib.mkIf (config.services.grafana.enable && config.services.llama-cpp.enable) (
+  lib.mkGrafanaAnnotationService {
+    name = "llama-cpp";
    description = "LLM request annotation service for Grafana";
-    after = [
-      "grafana.service"
-      "llama-cpp.service"
-    ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      ExecStart = "${pkgs.python3}/bin/python3 ${./llama-cpp-annotations.py}";
-      Restart = "always";
-      RestartSec = "10s";
-      DynamicUser = true;
-      StateDirectory = "llama-cpp-annotations";
-      NoNewPrivileges = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-      ];
-      MemoryDenyWriteExecute = true;
-    };
+    script = ./llama-cpp-annotations.py;
+    after = [ "llama-cpp.service" ];
    environment = {
-      GRAFANA_URL = "http://127.0.0.1:${toString service_configs.ports.private.grafana.port}";
-      STATE_FILE = "/var/lib/llama-cpp-annotations/state.json";
      POLL_INTERVAL = "5";
      CPU_THRESHOLD = "50";
    };
-  };
-}
+  }
+)