adding nornsight

2026-04-27 09:19:09 -04:00 · 2026-04-25 14:37:26 -04:00
parent 0d0ed5445a
commit 73e221716f
9 changed files with 70 additions and 4 deletions
--- a/systems/jeeves/default.nix
+++ b/systems/jeeves/default.nix
@@ -37,5 +37,10 @@ in
    zerotierone.joinNetworks = [ "a09acf02330d37b9" ];
  };

+  users.groups = {
+    nornsight = { };
+    nornsight-admin = { };
+  };
+
  system.stateVersion = "24.05";
 }
--- a/systems/jeeves/scripts/zfs.sh
+++ b/systems/jeeves/scripts/zfs.sh
@@ -41,3 +41,4 @@ sudo zfs create storage/secure/plex -o recordsize=1M -o compression=zstd-19
 sudo zfs create storage/secure/secrets -o compression=zstd-19 -o copies=3
 sudo zfs create storage/secure/syncthing -o compression=zstd-19
 sudo zfs create storage/secure/transmission -o recordsize=1M -o compression=zstd-9 -o exec=off -o sync=disabled
+sudo zfs create storage/secure/important -o compression=zstd-19 -o copies=2 -o mountpoint=/zfs/storage/important
--- a/systems/jeeves/web_services/acme.nix
+++ b/systems/jeeves/web_services/acme.nix
@@ -5,7 +5,9 @@ let
    "gitea"
    "jellyfin"
    "share"
+    "verilux"
  ];
+  extraDomains = [ "www.norn-sight.com" ];

  makeCert = name: {
    name = "${name}.tmmworkshop.com";
@@ -16,7 +18,18 @@ let
    };
  };

-  acmeServices = map (domain: "acme-${domain}.tmmworkshop.com.service") domains;
+  makeExtraCert = name: {
+    inherit name;
+    value = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+  };
+
+  acmeServices =
+    map (domain: "acme-${domain}.tmmworkshop.com.service") domains
+    ++ map (domain: "acme-${domain}.service") extraDomains;
 in
 {
  users.users.haproxy.extraGroups = [ "acme" ];
@@ -24,7 +37,7 @@ in
  security.acme = {
    acceptTerms = true;
    defaults.email = "Richie@tmmworkshop.com";
-    certs = builtins.listToAttrs (map makeCert domains);
+    certs = builtins.listToAttrs ((map makeCert domains) ++ (map makeExtraCert extraDomains));
  };

  # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
--- a/systems/jeeves/web_services/haproxy.cfg
+++ b/systems/jeeves/web_services/haproxy.cfg
@@ -23,7 +23,7 @@ defaults
 #Application Setup
 frontend ContentSwitching
  bind *:80 v4v6
-  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem
+  bind *:443 v4v6 ssl crt /var/lib/acme/audiobookshelf.tmmworkshop.com/full.pem crt /var/lib/acme/cache.tmmworkshop.com/full.pem crt /var/lib/acme/jellyfin.tmmworkshop.com/full.pem crt /var/lib/acme/share.tmmworkshop.com/full.pem crt /var/lib/acme/gitea.tmmworkshop.com/full.pem crt /var/lib/acme/www.norn-sight.com/full.pem
  mode  http

  # ACME challenge routing (must be first)
@@ -36,6 +36,7 @@ frontend ContentSwitching
  acl host_jellyfin  hdr(host) -i jellyfin.tmmworkshop.com
  acl host_share  hdr(host) -i share.tmmworkshop.com
  acl host_gitea  hdr(host) -i gitea.tmmworkshop.com
+  acl host_norn_sight  hdr(host) -i www.norn-sight.com

  # Hosts allowed to serve plain HTTP (add entries to skip the HTTPS redirect)
  acl allow_http hdr(host) -i __none__
@@ -49,6 +50,7 @@ frontend ContentSwitching
  use_backend jellyfin if host_jellyfin
  use_backend share_nodes  if host_share
  use_backend gitea  if host_gitea
+  use_backend norn_sight  if host_norn_sight

 backend acme_challenge
  mode http
@@ -76,3 +78,7 @@ backend share_nodes
 backend gitea
  mode http
  server server 127.0.0.1:6443
+
+backend norn_sight
+  mode http
+  server server 192.168.90.49:8000
--- a/systems/rhapsody-in-green/agent_logger.nix
+++ b/systems/rhapsody-in-green/agent_logger.nix
@@ -0,0 +1,35 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  systemd.services.agent-logger = {
+    description = "Unified agent logger";
+    after = [ "local-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      AGENT_LOG_DB = "/var/lib/agent-logger/agent_log.sqlite";
+      HOME = "/home/richie";
+      PYTHONPATH = "${inputs.self}";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      User = "richie";
+      WorkingDirectory = "/home/richie";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.agent_logger.main";
+      StateDirectory = "agent-logger";
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadOnlyPaths = [ "${inputs.self}" ];
+    };
+  };
+}
--- a/systems/rhapsody-in-green/open_webui.nix
+++ b/systems/rhapsody-in-green/open_webui.nix
@@ -1,6 +1,7 @@
 {
  services.open-webui = {
    enable = true;
+    host = "0.0.0.0";
    environment = {
      ANONYMIZED_TELEMETRY = "False";
      DO_NOT_TRACK = "True";