From 266e7330bea1e3f416798207b39f4f69b90f5d9e Mon Sep 17 00:00:00 2001
From: clerie
Date: Wed, 27 Aug 2025 20:54:08 +0200
Subject: [PATCH] Init bundles for debian systems
---
 .../files/prometheus-node-exporter | 1 +
 .../prometheus-node-exporter-override.conf | 3 ++
 .../files/wg-monitoring.conf | 9 ++++
 bundles/debian-clerie-monitoring/items.py | 46 +++++++++++++++++++
 .../debian-user-clerie/files/sudoers-clerie | 1 +
 bundles/debian-user-clerie/items.py | 34 ++++++++++++++
 bundles/systemd/items.py | 7 +++
 nodes.py | 17 +++++++
 secrets.json | 16 +++----
 9 files changed, 125 insertions(+), 9 deletions(-)
 create mode 100644 bundles/debian-clerie-monitoring/files/prometheus-node-exporter
 create mode 100644 bundles/debian-clerie-monitoring/files/prometheus-node-exporter-override.conf
 create mode 100644 bundles/debian-clerie-monitoring/files/wg-monitoring.conf
 create mode 100644 bundles/debian-clerie-monitoring/items.py
 create mode 100644 bundles/debian-user-clerie/files/sudoers-clerie
 create mode 100644 bundles/debian-user-clerie/items.py
 create mode 100644 bundles/systemd/items.py
diff --git a/bundles/debian-clerie-monitoring/files/prometheus-node-exporter b/bundles/debian-clerie-monitoring/files/prometheus-node-exporter
new file mode 100644
index 0000000..eac3897
--- /dev/null
+++ b/bundles/debian-clerie-monitoring/files/prometheus-node-exporter
@@ -0,0 +1 @@
+ARGS="--web.listen-address=\"[fd00:327:327:327::{{ node.metadata.get("clerie-monitoring/id") }}]:9100\""
diff --git a/bundles/debian-clerie-monitoring/files/prometheus-node-exporter-override.conf b/bundles/debian-clerie-monitoring/files/prometheus-node-exporter-override.conf
new file mode 100644
index 0000000..fbe5682
--- /dev/null
+++ b/bundles/debian-clerie-monitoring/files/prometheus-node-exporter-override.conf
@@ -0,0 +1,3 @@
+[Unit]
+Requires=wg-quick@wg-monitoring.service
+After=wg-quick@wg-monitoring.service
diff --git a/bundles/debian-clerie-monitoring/files/wg-monitoring.conf b/bundles/debian-clerie-monitoring/files/wg-monitoring.conf
new file mode 100644
index 0000000..2a7ad54
--- /dev/null
+++ b/bundles/debian-clerie-monitoring/files/wg-monitoring.conf
@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey = {{ node.metadata.get("clerie-monitoring/private-key") }}
+Address = fd00:327:327:327::{{ node.metadata.get("clerie-monitoring/id") }}/64
+
+[Peer]
+Endpoint = [2001:638:904:ffca::7]:54523
+PublicKey = eyhJKV41E1F0gZHBNqyzUnj72xg5f3bdDduVtpPN4AY=
+AllowedIPS = fd00:327:327:327::/64
+PersistentKeepalive = 25
diff --git a/bundles/debian-clerie-monitoring/items.py b/bundles/debian-clerie-monitoring/items.py
new file mode 100644
index 0000000..bc83e90
--- /dev/null
+++ b/bundles/debian-clerie-monitoring/items.py
@@ -0,0 +1,46 @@
+files = {
+ f"/etc/wireguard/wg-monitoring.conf": {
+ "source": "wg-monitoring.conf",
+ "content_type": "jinja2",
+ "triggers": [
+ "svc_systemd:wg-quick@wg-monitoring:restart",
+ ],
+ "needs": [
+ "pkg_apt:wireguard",
+ ],
+ },
+ f"/etc/default/prometheus-node-exporter": {
+ "source": "prometheus-node-exporter",
+ "content_type": "jinja2",
+ "triggers": [
+ "svc_systemd:prometheus-node-exporter:restart",
+ ],
+ "needs": [
+ "pkg_apt:prometheus-node-exporter",
+ ],
+ },
+ f"/etc/systemd/system/prometheus-node-exporter.d/override.conf": {
+ "source": "prometheus-node-exporter-override.conf",
+ "triggers": [
+ "action:systemd-daemon-reload",
+ ],
+ },
+}
+
+pkg_apt = {
+ "wireguard": {},
+ "prometheus-node-exporter": {},
+}
+
+svc_systemd = {
+ "wg-quick@wg-monitoring": {
+ "needs": [
+ "file:/etc/wireguard/wg-monitoring.conf",
+ ],
+ },
+ "prometheus-node-exporter": {
+ "needs": [
+ "file:/etc/systemd/system/prometheus-node-exporter.d/override.conf",
+ ],
+ },
+}
diff --git a/bundles/debian-user-clerie/files/sudoers-clerie b/bundles/debian-user-clerie/files/sudoers-clerie
new file mode 100644
index 0000000..cf2a127
--- /dev/null
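Review bot: The `PrivateKey = {{ ... }}` line renders the WireGuard private key in clear text into `/etc/wireguard/wg-monitoring.conf`, and the file item that deploys this template in `bundles/debian-clerie-monitoring/items.py` sets no `mode`. The file therefore gets BundleWrap's default permissions (0644 as far as I know) and is protected only by whatever mode `/etc/wireguard` itself happens to have on the node. I would pin it on the item with `"mode": "0600",` next to `"content_type": "jinja2",` so that the key's confidentiality does not depend on the parent directory.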
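Review bot: The drop-in is written to `/etc/systemd/system/prometheus-node-exporter.d/override.conf`, but systemd only reads unit drop-ins from a directory named after the full unit name, i.e. `prometheus-node-exporter.service.d/`. As written, the `Requires=`/`After=` dependency on `wg-quick@wg-monitoring.service` is never applied, so at boot the exporter can start before the `fd00:327:327:327::…` address exists, fail to bind, and leave the host unmonitored. The path should read `"/etc/systemd/system/prometheus-node-exporter.service.d/override.conf"` both in the `files` key and in the `"file:…"` entry under `svc_systemd["prometheus-node-exporter"]["needs"]`.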
+++ b/bundles/debian-user-clerie/files/sudoers-clerie
@@ -0,0 +1 @@
+clerie ALL=(ALL) NOPASSWD:ALL
diff --git a/bundles/debian-user-clerie/items.py b/bundles/debian-user-clerie/items.py
new file mode 100644
index 0000000..a04a722
--- /dev/null
+++ b/bundles/debian-user-clerie/items.py
@@ -0,0 +1,34 @@
+users = {
+ "clerie": {
+ "groups": [ "sudo" ],
+ "shell": "/bin/bash",
+ },
+}
+
+directories = {
+ "/home/clerie/.ssh": {
+ "mode": "0700",
+ "owner": "clerie",
+ "group": "clerie",
+ "needs": [
+ "user:clerie",
+ ],
+ },
+}
+
+files = {
+ f'/home/clerie/.ssh/authorized_keys': {
+ "content_type": "download",
+ "source": "https://git.clerie.de/clerie/nixfiles/raw/commit/dd76691f7da3f860b25f770b65e602f90e1a1de8/users/clerie/ssh.pub",
+ "content_hash": "f37b63f98c5d4bd5292a81ce01dd7f6bc5e356fc",
+ "mode": "0700",
+ "owner": "clerie",
+ "group": "clerie",
+ "needs": [
+ "directory:/home/clerie/.ssh",
+ ],
+ },
+ f'/etc/sudoers.d/sudoers-clerie': {
+ "source": "sudoers-clerie",
+ },
+}
diff --git a/bundles/systemd/items.py b/bundles/systemd/items.py
new file mode 100644
index 0000000..6dd12c1
--- /dev/null
+++ b/bundles/systemd/items.py
@@ -0,0 +1,7 @@
+actions['systemd-daemon-reload'] = {
+ 'command': 'systemctl daemon-reload',
+ 'triggered': True,
+ 'needed_by': {
+ 'svc_systemd:',
+ },
+}
diff --git a/nodes.py b/nodes.py
index 963e805..50d1336 100644
--- a/nodes.py
+++ b/nodes.py
@@ -75,3 +75,20 @@ nodes = uberspaceify.nodes({
 },
 },
 })
+
+nodes.update({
+ "mercury.net.clerie.de": {
+ "username": "root",
+ "bundles": (
+ "systemd",
+ "debian-user-clerie",
+ "debian-clerie-monitoring",
+ ),
+ "metadata": {
+ "clerie-monitoring": {
+ "id": 401,
+ "private-key": bws.get(["mercury.net.clerie.de", "wg-monitoring"]),
+ },
+ },
+ },
+})
diff --git a/secrets.json b/secrets.json
index 9abe928..509eee1 100644
--- a/secrets.json
+++ b/secrets.json
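Review bot: `clerie ALL=(ALL) NOPASSWD:ALL` makes possession of the SSH key installed into `authorized_keys` equivalent to root on every node that receives this bundle, with no further step before privilege escalation. If that is the intended trade-off for a key-only account, a comment line in the file such as `# key-only account: the SSH key is the sole factor in front of root` would record the decision for later readers. The `"groups": [ "sudo" ]` membership added in `items.py` then looks redundant, since this rule already grants everything the group would.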
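Review bot: The `/etc/sudoers.d/sudoers-clerie` item declares only `"source"`, so the file is installed with default permissions and without any syntax check; sudoers drop-ins are conventionally mode 0440, and a malformed one can break sudo on the node. I would add `"mode": "0440",` and a local validation hook, `"verify_with": "visudo -cf {}",` (I believe newer BundleWrap releases call this attribute `test_with`, so check the version in use). Separately, `authorized_keys` is given `"mode": "0700"`; a key file has no use for execute bits and `"0600"` is the usual value. Pinning the download to a commit URL together with `content_hash` is a sound pattern and worth keeping when the key is rotated.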
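Review bot: `"id": 401` is pasted verbatim into `fd00:327:327:327::{{ … }}` by both templates, so it is read as a hexadecimal address group rather than as a number; an id longer than four digits, or one that is not valid hex, would render an invalid interface and listen address. A comment on that line would prevent surprises, e.g. `# rendered verbatim as the last group of the monitoring IPv6 address; at most four hex digits`. The node is also managed as `"username": "root"` while the same commit provisions `clerie` with sudo; if root SSH login is only meant for bootstrapping, it is worth saying so next to that key.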
@@ -9,14 +9,12 @@ "clerie-backup-target-cyan": "ENC[AES256_GCM,data:Fi9balI8FtDskI2d3t6Mag66ltAuszbTLIL2UV/5mHpb5t5b6VlJFPHa8Xi2ah7a0cI6Ko212pxFp5kunS01Hg==,iv:sqBFq8kE0FhfQqCHjZYyeJt1ej1UrQBz3gpc6cSq8F8=,tag:Ny7+x1teHPrmgWNYoqU51Q==,type:str]", "clerie-backup-target-magenta": "ENC[AES256_GCM,data:M8kfwUDV8Sd0Um4ZdE3aOiUOwJmtKgARqob+X9E3BLIGCqnJsmgKiEc5jmnkziGkepeT+IynkXJ76zLoz7WKaw==,iv:ruiXAEw3n+o1cYlSlWkUR4XUAjXegb4dUMaTgDbDaXw=,tag:drYDl0VBWW8OMBBoAmQS7Q==,type:str]" }, + "mercury.net.clerie.de": { + "wg-monitoring": "ENC[AES256_GCM,data:zwWOTYbS4khpzyGvK1AdlhxTZrmu7SiwWudbPzKXuuYARz22tGh874mWuhU=,iv:C0vyHvZXxujtrg/SrEL/Q/+tGW12B/R+9/7Wa3uOaPY=,tag:cXz8EbbWMe58XOBQn0AUqQ==,type:str]" + }, "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": null, - "lastmodified": "2025-02-16T18:41:27Z", - "mac": "ENC[AES256_GCM,data:QyU1INnlZVP5RNPczuZEAeCah+c3rjWHhiGGjDn87tUSp+OwEkL44Hosr9vThk6FNdKWbtqcUh1wBW/UCgy5/jmh2BHv3pTIOzkXWAD1fy/Kb/jNYo0IH1+7cte98+NcDPw7do4k1fYM/H5VD3SPpGp5bWxEcrkrZuiupThuduI=,iv:QXqL4hbymO7uOBfghYZwSFgTWUnBeA52sHl201ChRME=,tag:c8Za2rcaO5WRnu4HIJtWWQ==,type:str]", + "lastmodified": "2025-08-27T17:24:34Z", + "mac": "ENC[AES256_GCM,data:OaRVF+Z+epsWo8nMSymrsHavz+vETIj7zjBqI9rmRPpATbZYnkKHPYB8I9IwXkYTnWxLl81nJCkBpsWULV5DAV2kIU89a1CC2BPzBDT/20zKfD2LORSuD/2yN44ZIYqK0TZjm8dJAqwpdBQYqkdu7pvAxEiq5FuTRE3BT2JQMmA=,iv:/7clc4EIbCNI/YHVV6oqrg3sTlWRyUHDz+HVjzzrB/M=,tag:U7tP30c+l82jhMG2eYy5FQ==,type:str]", "pgp": [ { "created_at": "2025-02-15T16:00:02Z", @@ -25,6 +23,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" + "version": "3.10.2" } -} \ No newline at end of file +}