Update from master 2023-11-06T02:03+00:00

2023-11-06 03:03:02 +01:00 · 2023-11-06 03:03:02 +01:00 · 6e391a8c28
commit 6e391a8c28
parent 65b0a20208 9f77f2594c
18 changed files with 258 additions and 8 deletions
--- a/configuration/common/programs.nix
+++ b/configuration/common/programs.nix
@ -10,6 +10,7 @@
    colmena
    vim
    agenix
    nixos-firewall-tool
  ];
  programs.mtr.enable = true;
--- a/flake.nix
+++ b/flake.nix
@ -109,8 +109,10 @@
        nixfiles-auto-install
        nixfiles-generate-backup-secrets
        nixfiles-generate-config
        nixfiles-system-sync-to-hydra
        nixfiles-updated-inputs
        nixfiles-update-ssh-host-keys
        nixos-firewall-tool
        pyexcel-xlsx
        pyexcel-webio
        update-from-hydra
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@ -329,6 +329,11 @@
  }
  '';
  clerie.nixfiles.system-auto-sync-to-hydra = {
    enable = true;
    allowReboot = true;
  };
  clerie.monitoring = {
    enable = true;
    id = "301";
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@ -163,6 +163,11 @@
  }
  '';
  clerie.nixfiles.system-auto-sync-to-hydra = {
    enable = true;
    allowReboot = true;
  };
  clerie.monitoring = {
    enable = true;
    id = "305";
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@ -163,6 +163,11 @@
  }
  '';
  clerie.nixfiles.system-auto-sync-to-hydra = {
    enable = true;
    allowReboot = true;
  };
  clerie.monitoring = {
    enable = true;
    id = "306";
--- a/hosts/monitoring-3/blackbox.nix
+++ b/hosts/monitoring-3/blackbox.nix
@ -0,0 +1,30 @@
 { pkgs, ... }:
 {
  services.prometheus.exporters.blackbox = {
    enable = true;
    openFirewall = true;
    configFile = pkgs.writeText "blackbox.yml" ''
      modules:
        icmp6:
          prober: icmp
          icmp:
            preferred_ip_protocol: ip6
            ip_protocol_fallback: false
        icmp4:
          prober: icmp
          icmp:
            preferred_ip_protocol: ip4
            ip_protocol_fallback: false
        synapse:
          prober: http
          http:
            valid_status_codes:
              - 200
            method: GET
            fail_if_not_ssl: true
            fail_if_body_not_matches_regexp:
              - "Synapse is running"
    '';
  };
 }
--- a/hosts/monitoring-3/configuration.nix
+++ b/hosts/monitoring-3/configuration.nix
@ -6,6 +6,7 @@
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ./alertmanager.nix
      ./blackbox.nix
      ./grafana.nix
      ./nixos-validator.nix
      ./prometheus.nix
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@ -188,6 +188,7 @@ in {
              "fluorine.net.clerie.de"
              "www.fem.tu-ilmenau.de"
              "www.heise.de"
              "dyon.net.entr0py.de"
            ];
          }
        ];
@ -237,6 +238,8 @@ in {
              "ie10-due1.nodes.nethinks.com"
              "pe10-due1.nodes.nethinks.com"
              "matrix.bau-ha.us"
              "dyon.net.entr0py.de"
              "matrix.entr0py.de"
            ];
          }
        ];
@ -260,6 +263,36 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_synapse";
        scrape_interval = "20s";
        metrics_path = "/probe";
        params = {
          module = [ "synapse" ];
        };
        static_configs = [
          {
            targets = [
              "https://matrix.entr0py.de/_matrix/static/"
            ];
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
          }
          {
            source_labels = [ "__param_target" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "zimmer-temp";
        scrape_interval = "20s";
--- a/hosts/nonat/configuration.nix
+++ b/hosts/nonat/configuration.nix
@ -39,6 +39,11 @@
  networking.firewall.allowedUDPPorts = [];
  clerie.nixfiles.system-auto-sync-to-hydra = {
    enable = true;
    allowReboot = true;
  };
  clerie.monitoring = {
    enable = true;
    id = "103";
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@ -24,8 +24,6 @@
  networking.hostName = "zinc";
  security.sudo.wheelNeedsPassword = lib.mkForce false;
  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
--- a/modules/default.nix
+++ b/modules/default.nix
@ -13,6 +13,7 @@
    ./monitoring
    ./nginx-port-forward
    ./nixfiles
    ./nixfiles/system-auto-sync-to-hydra.nix
    ./update-from-hydra
    ./wg-clerie
    ./wireguard-initrd
--- a/modules/nixfiles/system-auto-sync-to-hydra.nix
+++ b/modules/nixfiles/system-auto-sync-to-hydra.nix
@ -0,0 +1,29 @@
 { pkgs, lib, config, ... }:
 with lib;
 let
  cfg = config.clerie.nixfiles.system-auto-sync-to-hydra;
 in
 {
  options = {
    clerie.nixfiles.system-auto-sync-to-hydra = {
      enable = mkEnableOption "clerie nixfiles tools";
      allowReboot = mkOption {
        type = types.bool;
        default = false;
        description = "Monitor NixOS";
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.nixfiles-system-auto-sync-to-hydra = {
      serviceConfig = {
        Type = "oneshot";
        ExecStart = pkgs.nixfiles-system-sync-to-hydra + "/bin/nixfiles-system-sync-to-hydra${optionalString cfg.allowReboot " --allow-reboot"}";
      };
      startAt = "*-*-* 06:47:00";
    };
  };
 }
--- a/modules/wireguard-initrd/default.nix
+++ b/modules/wireguard-initrd/default.nix
@ -58,16 +58,21 @@ in
        persistent-keepalive "25" \
        allowed-ips "0.0.0.0/0,::/0,10.20.30.0/24,2a01:4f8:c0c:15f1::/113"
-      #ip route add "::/0" dev "wg-initrd" table 1337
+      ip route add "::/0" dev "wg-initrd" table 1337
-      #ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
+      ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
      # Error: Argument "udp" is wrong: Invalid "ipproto" value
      # For some reason ip rule does not recognize "udp" as a value for "ipproto" in initrd,
      # so we pass the numeric value for it manually
      # This is from linux/include/uapi/linux/in.h
      IPPROTO_UDP=17
      ${concatMapStringsSep "\n" (ip: ''
        ip -6 rule add from "${ip}" lookup 1337 prio 19000
        ip -6 rule add from "${ip}" unreachable prio 19001
      '') cfg.ipv6s}
-      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 lookup main prio 20000
+      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto $IPPROTO_UDP dport 51820 lookup main prio 20000
-      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 unreachable prio 20001
+      ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto $IPPROTO_UDP dport 51820 unreachable prio 20001
      ip -6 rule add lookup main prio 21000
      ip -6 rule add lookup 1337 prio 21001
      ip -6 rule add unreachable prio 21000
@ -77,8 +82,8 @@ in
        ip -4 rule add from "${ip}" lookup 1337 prio 19000
        ip -4 rule add from "${ip}" unreachable prio 19001
      '') cfg.ipv4s}
-      ip -4 rule add to "78.47.183.82/32" ipproto udp dport 51820 lookup main prio 20000
+      ip -4 rule add to "78.47.183.82/32" ipproto $IPPROTO_UDP dport 51820 lookup main prio 20000
-      ip -4 rule add to "78.47.183.82/32" ipproto udp dport 51820 unreachable prio 20001
+      ip -4 rule add to "78.47.183.82/32" ipproto $IPPROTO_UDP dport 51820 unreachable prio 20001
      ip -4 rule add lookup main prio 21000
      ip -4 rule add lookup 1337 prio 21001
      ip -4 rule add unreachable prio 21000
--- a/pkgs/nixfiles/nixfiles-system-sync-to-hydra.nix
+++ b/pkgs/nixfiles/nixfiles-system-sync-to-hydra.nix
@ -0,0 +1,11 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "nixfiles-system-sync-to-hydra";
  text = builtins.readFile ./nixfiles-system-sync-to-hydra.sh;
  runtimeInputs = with pkgs; [
    curl
    jq
    nix
  ];
 }
--- a/pkgs/nixfiles/nixfiles-system-sync-to-hydra.sh
+++ b/pkgs/nixfiles/nixfiles-system-sync-to-hydra.sh
@ -0,0 +1,52 @@
 #!/usr/bin/env bash
 set -euo pipefail
 ALLOW_REBOOT=
 while [[ $# -gt 0 ]]; do
 	case $1 in
 		--allow-reboot)
 			ALLOW_REBOOT=1
 			shift
 			;;
 		*)
 			echo "Unknown option $1"
 			exit 1
 			;;
 	esac
 done
 HYDRA_JOB_URL="https://hydra.clerie.de/job/nixfiles/nixfiles/nixosConfigurations.${HOSTNAME}/latest-finished"
 echo "Fetching job output from ${HYDRA_JOB_URL}"
 STORE_PATH="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_JOB_URL}" | jq -r ".buildoutputs.out.path")"
 echo "Download ${STORE_PATH}"
 nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
 echo "Add to system profile"
 nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
 echo "Set as boot target"
 /nix/var/nix/profiles/system/bin/switch-to-configuration boot
 BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
 ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
 if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
 	echo "Reboot is required"
 	if [[ -n "$ALLOW_REBOOT" ]]; then
 		echo "Rebooting system now"
 		shutdown -r +1 "System update requires reboot"
 	else
 		echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
 		echo "The system upgrade is staged, please reboot manually soon"
 	fi
 else
 	echo "No reboot is required"
 	echo "Activating system now"
 	/nix/var/nix/profiles/system/bin/switch-to-configuration switch
 fi
 echo "Finished system upgrade"
--- a/pkgs/nixos-firewall-tool/default.nix
+++ b/pkgs/nixos-firewall-tool/default.nix
@ -0,0 +1,10 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "nixos-firewall-tool";
  text = builtins.readFile ./nixos-firewall-tool.sh;
  runtimeInputs = with pkgs; [
    iptables
  ];
 }
--- a/pkgs/nixos-firewall-tool/nixos-firewall-tool.sh
+++ b/pkgs/nixos-firewall-tool/nixos-firewall-tool.sh
@ -0,0 +1,55 @@
 #!/usr/bin/env bash
 set -euo pipefail
 ip46tables() {
  iptables -w "$@"
  ip6tables -w "$@"
 }
 show_help() {
    echo "nixos-firewall-tool"
    echo ""
    echo "Can temporarily manipulate the NixOS firewall"
    echo ""
    echo "Open TCP port:"
    echo " nixos-firewall-tool open tcp 8888"
    echo ""
    echo "Show all firewall rules:"
    echo " nixos-firewall-tool show"
    echo ""
    echo "Open UDP port:"
    echo " nixos-firewall-tool open udp 51820"
    echo ""
    echo "Reset firewall configuration to system settings:"
    echo " nixos-firewall-tool reset"
 }
 if [[ -z ${1+x} ]]; then
  show_help
  exit 1
 fi
 case $1 in
  "open")
    protocol="$2"
    port="$3"
    ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
  ;;
  "show")
    ip46tables --numeric --list nixos-fw
  ;;
  "reset")
    systemctl restart firewall.service
  ;;
  -h|--help|help)
    show_help
    exit 0
  ;;
  *)
    show_help
    exit 1
  ;;
 esac
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@ -6,8 +6,10 @@ self: super: {
  nixfiles-auto-install = self.callPackage ./nixfiles/nixfiles-auto-install.nix {};
  nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
  nixfiles-generate-config = self.callPackage ./nixfiles/nixfiles-generate-config.nix {};
  nixfiles-system-sync-to-hydra = self.callPackage ./nixfiles/nixfiles-system-sync-to-hydra.nix {};
  nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
  nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
  nixos-firewall-tool = self.callPackage ./nixos-firewall-tool {};
  pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
  pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
  update-from-hydra = self.callPackage ./update-from-hydra {};