Update from master 2023-11-06T02:03+00:00

configuration/common/programs.nix

@@ -10,6 +10,7 @@
     colmena
     vim
     agenix
+    nixos-firewall-tool
   ];
 
   programs.mtr.enable = true;

flake.nix

@@ -109,8 +109,10 @@
         nixfiles-auto-install
         nixfiles-generate-backup-secrets
         nixfiles-generate-config
+        nixfiles-system-sync-to-hydra
         nixfiles-updated-inputs
         nixfiles-update-ssh-host-keys
+        nixos-firewall-tool
         pyexcel-xlsx
         pyexcel-webio
         update-from-hydra

hosts/dn42-il-gw1/configuration.nix

@@ -329,6 +329,11 @@
   }
   '';
 
+  clerie.nixfiles.system-auto-sync-to-hydra = {
+    enable = true;
+    allowReboot = true;
+  };
+
   clerie.monitoring = {
     enable = true;
     id = "301";

hosts/dn42-il-gw5/configuration.nix

@@ -163,6 +163,11 @@
   }
   '';
 
+  clerie.nixfiles.system-auto-sync-to-hydra = {
+    enable = true;
+    allowReboot = true;
+  };
+
   clerie.monitoring = {
     enable = true;
     id = "305";

hosts/dn42-il-gw6/configuration.nix

@@ -163,6 +163,11 @@
   }
   '';
 
+  clerie.nixfiles.system-auto-sync-to-hydra = {
+    enable = true;
+    allowReboot = true;
+  };
+
   clerie.monitoring = {
     enable = true;
     id = "306";

hosts/monitoring-3/blackbox.nix

@@ -0,0 +1,30 @@
+{ pkgs, ... }:
+
+{
+  services.prometheus.exporters.blackbox = {
+    enable = true;
+    openFirewall = true;
+    configFile = pkgs.writeText "blackbox.yml" ''
+      modules:
+        icmp6:
+          prober: icmp
+          icmp:
+            preferred_ip_protocol: ip6
+            ip_protocol_fallback: false
+        icmp4:
+          prober: icmp
+          icmp:
+            preferred_ip_protocol: ip4
+            ip_protocol_fallback: false
+        synapse:
+          prober: http
+          http:
+            valid_status_codes:
+              - 200
+            method: GET
+            fail_if_not_ssl: true
+            fail_if_body_not_matches_regexp:
+              - "Synapse is running"
+    '';
+  };
+}

hosts/monitoring-3/configuration.nix

@@ -6,6 +6,7 @@
       ./hardware-configuration.nix
       ../../configuration/proxmox-vm
       ./alertmanager.nix
+      ./blackbox.nix
       ./grafana.nix
       ./nixos-validator.nix
       ./prometheus.nix

hosts/monitoring-3/prometheus.nix

@@ -188,6 +188,7 @@ in {
               "fluorine.net.clerie.de"
               "www.fem.tu-ilmenau.de"
               "www.heise.de"
+              "dyon.net.entr0py.de"
             ];
           }
         ];
@@ -237,6 +238,8 @@ in {
               "ie10-due1.nodes.nethinks.com"
               "pe10-due1.nodes.nethinks.com"
               "matrix.bau-ha.us"
+              "dyon.net.entr0py.de"
+              "matrix.entr0py.de"
             ];
           }
         ];
@@ -260,6 +263,36 @@ in {
           relabelAddressToInstance
         ];
       }
+      {
+        job_name = "blackbox_local_synapse";
+        scrape_interval = "20s";
+        metrics_path = "/probe";
+        params = {
+          module = [ "synapse" ];
+        };
+        static_configs = [
+          {
+            targets = [
+              "https://matrix.entr0py.de/_matrix/static/"
+            ];
+          }
+        ];
+        relabel_configs = [
+          {
+            source_labels = [ "__address__" ];
+            target_label = "__param_target";
+          }
+          {
+            source_labels = [ "__param_target" ];
+            target_label = "target";
+          }
+          {
+            target_label = "__address__";
+            replacement = "monitoring-3.mon.clerie.de:9115";
+          }
+          relabelAddressToInstance
+        ];
+      }
       {
         job_name = "zimmer-temp";
         scrape_interval = "20s";

hosts/nonat/configuration.nix

@@ -39,6 +39,11 @@
 
   networking.firewall.allowedUDPPorts = [];
 
+  clerie.nixfiles.system-auto-sync-to-hydra = {
+    enable = true;
+    allowReboot = true;
+  };
+
   clerie.monitoring = {
     enable = true;
     id = "103";

hosts/zinc/configuration.nix

@@ -24,8 +24,6 @@
 
   networking.hostName = "zinc";
 
-  security.sudo.wheelNeedsPassword = lib.mkForce false;
-
   services.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];

modules/default.nix

@@ -13,6 +13,7 @@
     ./monitoring
     ./nginx-port-forward
     ./nixfiles
+    ./nixfiles/system-auto-sync-to-hydra.nix
     ./update-from-hydra
     ./wg-clerie
     ./wireguard-initrd

modules/nixfiles/system-auto-sync-to-hydra.nix

@@ -0,0 +1,29 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+  cfg = config.clerie.nixfiles.system-auto-sync-to-hydra;
+in
+
+{
+  options = {
+    clerie.nixfiles.system-auto-sync-to-hydra = {
+      enable = mkEnableOption "clerie nixfiles tools";
+      allowReboot = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Monitor NixOS";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.nixfiles-system-auto-sync-to-hydra = {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = pkgs.nixfiles-system-sync-to-hydra + "/bin/nixfiles-system-sync-to-hydra${optionalString cfg.allowReboot " --allow-reboot"}";
+      };
+      startAt = "*-*-* 06:47:00";
+    };
+  };
+}

modules/wireguard-initrd/default.nix

@@ -58,16 +58,21 @@ in
         persistent-keepalive "25" \
         allowed-ips "0.0.0.0/0,::/0,10.20.30.0/24,2a01:4f8:c0c:15f1::/113"
 
-      #ip route add "::/0" dev "wg-initrd" table 1337
-      #ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
+      ip route add "::/0" dev "wg-initrd" table 1337
+      ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
 
+      # Error: Argument "udp" is wrong: Invalid "ipproto" value
+      # For some reason ip rule does not recognize "udp" as a value for "ipproto" in initrd,
+      # so we pass the numeric value for it manually
+      # This is from linux/include/uapi/linux/in.h
+      IPPROTO_UDP=17
 
       ${concatMapStringsSep "\n" (ip: ''
         ip -6 rule add from "${ip}" lookup 1337 prio 19000
         ip -6 rule add from "${ip}" unreachable prio 19001
       '') cfg.ipv6s}
-      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 lookup main prio 20000
-      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 unreachable prio 20001
+      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto $IPPROTO_UDP dport 51820 lookup main prio 20000
+      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto $IPPROTO_UDP dport 51820 unreachable prio 20001
       ip -6 rule add lookup main prio 21000
       ip -6 rule add lookup 1337 prio 21001
       ip -6 rule add unreachable prio 21000
@@ -77,8 +82,8 @@ in
         ip -4 rule add from "${ip}" lookup 1337 prio 19000
         ip -4 rule add from "${ip}" unreachable prio 19001
       '') cfg.ipv4s}
-      ip -4 rule add to "78.47.183.82/32" ipproto udp dport 51820 lookup main prio 20000
-      ip -4 rule add to "78.47.183.82/32" ipproto udp dport 51820 unreachable prio 20001
+      ip -4 rule add to "78.47.183.82/32" ipproto $IPPROTO_UDP dport 51820 lookup main prio 20000
+      ip -4 rule add to "78.47.183.82/32" ipproto $IPPROTO_UDP dport 51820 unreachable prio 20001
       ip -4 rule add lookup main prio 21000
       ip -4 rule add lookup 1337 prio 21001
       ip -4 rule add unreachable prio 21000

pkgs/nixfiles/nixfiles-system-sync-to-hydra.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "nixfiles-system-sync-to-hydra";
+  text = builtins.readFile ./nixfiles-system-sync-to-hydra.sh;
+  runtimeInputs = with pkgs; [
+    curl
+    jq
+    nix
+  ];
+}

pkgs/nixfiles/nixfiles-system-sync-to-hydra.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ALLOW_REBOOT=
+
+while [[ $# -gt 0 ]]; do
+	case $1 in
+		--allow-reboot)
+			ALLOW_REBOOT=1
+			shift
+			;;
+		*)
+			echo "Unknown option $1"
+			exit 1
+			;;
+	esac
+done
+
+HYDRA_JOB_URL="https://hydra.clerie.de/job/nixfiles/nixfiles/nixosConfigurations.${HOSTNAME}/latest-finished"
+
+echo "Fetching job output from ${HYDRA_JOB_URL}"
+STORE_PATH="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_JOB_URL}" | jq -r ".buildoutputs.out.path")"
+
+echo "Download ${STORE_PATH}"
+nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
+
+echo "Add to system profile"
+nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
+
+echo "Set as boot target"
+/nix/var/nix/profiles/system/bin/switch-to-configuration boot
+
+BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
+ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+
+if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
+	echo "Reboot is required"
+	if [[ -n "$ALLOW_REBOOT" ]]; then
+		echo "Rebooting system now"
+		shutdown -r +1 "System update requires reboot"
+	else
+		echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
+		echo "The system upgrade is staged, please reboot manually soon"
+	fi
+else
+	echo "No reboot is required"
+	echo "Activating system now"
+	/nix/var/nix/profiles/system/bin/switch-to-configuration switch
+fi
+
+echo "Finished system upgrade"

pkgs/nixos-firewall-tool/default.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "nixos-firewall-tool";
+  text = builtins.readFile ./nixos-firewall-tool.sh;
+  runtimeInputs = with pkgs; [
+    iptables
+  ];
+}
+

pkgs/nixos-firewall-tool/nixos-firewall-tool.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ip46tables() {
+  iptables -w "$@"
+  ip6tables -w "$@"
+
+}
+
+show_help() {
+    echo "nixos-firewall-tool"
+    echo ""
+    echo "Can temporarily manipulate the NixOS firewall"
+    echo ""
+    echo "Open TCP port:"
+    echo " nixos-firewall-tool open tcp 8888"
+    echo ""
+    echo "Show all firewall rules:"
+    echo " nixos-firewall-tool show"
+    echo ""
+    echo "Open UDP port:"
+    echo " nixos-firewall-tool open udp 51820"
+    echo ""
+    echo "Reset firewall configuration to system settings:"
+    echo " nixos-firewall-tool reset"
+}
+
+if [[ -z ${1+x} ]]; then
+  show_help
+  exit 1
+fi
+
+case $1 in
+  "open")
+    protocol="$2"
+    port="$3"
+
+    ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+  ;;
+  "show")
+    ip46tables --numeric --list nixos-fw
+  ;;
+  "reset")
+    systemctl restart firewall.service
+  ;;
+  -h|--help|help)
+    show_help
+    exit 0
+  ;;
+  *)
+    show_help
+    exit 1
+  ;;
+esac

pkgs/overlay.nix

@@ -6,8 +6,10 @@ self: super: {
   nixfiles-auto-install = self.callPackage ./nixfiles/nixfiles-auto-install.nix {};
   nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
   nixfiles-generate-config = self.callPackage ./nixfiles/nixfiles-generate-config.nix {};
+  nixfiles-system-sync-to-hydra = self.callPackage ./nixfiles/nixfiles-system-sync-to-hydra.nix {};
   nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
   nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
+  nixos-firewall-tool = self.callPackage ./nixos-firewall-tool {};
   pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
   pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
   update-from-hydra = self.callPackage ./update-from-hydra {};