From 69ccc0c692fdf55d728d3072610d5829aa21b41f Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 8 May 2025 11:34:05 +0200 Subject: [PATCH 1/9] profiles/wg-clerie: Convert systemd timer into a service with sleep --- profiles/wg-clerie/default.nix | 39 +++---------------- .../wg-clerie/wg-clerie-endpoint-refresh.sh | 31 +++++++++++++++ 2 files changed, 36 insertions(+), 34 deletions(-) create mode 100755 profiles/wg-clerie/wg-clerie-endpoint-refresh.sh diff --git a/profiles/wg-clerie/default.nix b/profiles/wg-clerie/default.nix index 2d99082..1e2d2f4 100644 --- a/profiles/wg-clerie/default.nix +++ b/profiles/wg-clerie/default.nix @@ -180,45 +180,16 @@ in }; systemd.services."wg-clerie-endpoint-refresh" = { + wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "oneshot"; + Type = "simple"; + Restart = "always"; + RestartSec = 5; }; path = [ pkgs.wireguard-tools pkgs.iproute2 ]; - script = '' - set -euo pipefail - - # Don't do anything as long as interface is not configured - if ! wg show wg-clerie endpoints > /dev/null; then - exit 0 - fi - - endpoint="" - - if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then - endpoint="[2a01:4f8:c0c:15f1::1]:51820" - else - endpoint="78.47.183.82:51820" - fi - - wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "''${endpoint}" - ''; - - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - }; - - systemd.timers."wg-clerie-endpoint-refresh" = { - wantedBy = [ "timers.target" ]; - - timerConfig = { - OnCalendar = "*-*-* *:*:0/5"; - RandomizedDelaySec = "5s"; - }; - - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; + script = builtins.readFile ./wg-clerie-endpoint-refresh.sh; }; environment.systemPackages = [ pkgs.wireguard-tools ]; diff --git a/profiles/wg-clerie/wg-clerie-endpoint-refresh.sh b/profiles/wg-clerie/wg-clerie-endpoint-refresh.sh new file mode 100755 index 0000000..b0c8833 --- /dev/null 
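Review bot: With `Type = "simple"` and `Restart = "always"` the unit now keeps a root shell loop resident for the life of the system, but the new `serviceConfig` block adds no sandboxing even though the loop only needs netlink access for `wg` and `ip`. Adding `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; NoNewPrivileges = true; ProtectSystem = "strict";` next to `RestartSec` would bound what a fault in the script or its inputs can reach. Dropping `after`/`requires` on `network-online.target` looks deliberate, since the accompanying script tolerates a missing interface by sleeping and retrying, but a short comment on `wantedBy` recording that would save the next reader from re-adding them.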
+++ b/profiles/wg-clerie/wg-clerie-endpoint-refresh.sh @@ -0,0 +1,31 @@ +#!/usr/bin/env bash + +set -euo pipefail + +prev_endpoint="" + +while true; do + if ! wg show wg-clerie endpoints &>/dev/null; then + if [[ "${prev_endpoint}" != "" ]]; then + echo "Interface wg-clerie unavailable, doing nothing" + prev_endpoint="" + fi + + sleep 5 + continue + fi + + if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then + new_endpoint="[2a01:4f8:c0c:15f1::1]:51820" + else + new_endpoint="78.47.183.82:51820" + fi + + if [[ "${new_endpoint}" != "${prev_endpoint}" ]]; then + echo "Switching endpoint for wg-clerie to ${new_endpoint}" + wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "${new_endpoint}" + prev_endpoint="${new_endpoint}" + fi + + sleep 5 +done From 0b6d9623bc1f26c6022efcf4a545d9494c48e9c6 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 8 May 2025 12:03:35 +0200 Subject: [PATCH 2/9] modules/monitoring: Migrate firewall from iptables to NixOS declarative --- modules/monitoring/default.nix | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix index e543a5a..c24107f 100644 --- a/modules/monitoring/default.nix +++ b/modules/monitoring/default.nix @@ -61,9 +61,6 @@ in services.prometheus.exporters.node = { enable = true; - #listenAddress = "${monitoring-network-base}${cfg.id}"; - openFirewall = true; - firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100"; enabledCollectors = [ "systemd" ]; @@ -80,14 +77,10 @@ in services.prometheus.exporters.bird = mkIf cfg.bird { enable = true; - openFirewall = true; - firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324"; }; services.prometheus.exporters.blackbox = mkIf cfg.blackbox { enable = true; - openFirewall = true; - firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115"; configFile = pkgs.writeText "blackbox.yml" '' modules: icmp6: 
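Review bot: The branch at `if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820` selects the IPv6 endpoint whenever the kernel can compute a route to it, which is a routing-table check rather than a reachability check, so a host whose IPv6 default route exists but does not carry traffic will stay on the v6 endpoint indefinitely. If that is the intended trade-off, a comment above the test should say so, e.g. `# route lookup, not a probe: a present-but-dead v6 path still selects the v6 endpoint`. Because of `set -euo pipefail`, a failing `wg set` terminates the loop and hands recovery to the unit's `Restart=`; the fresh process starts with `prev_endpoint=""` so the endpoint is re-applied, but the loop itself never retries, and a comment at the `wg set` line pointing at the unit's restart policy would make that dependency explicit.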
@@ -109,8 +102,13 @@ in listen = "[::]:9152"; }; - networking.firewall.extraCommands = '' - ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept - ''; + networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [ + 9100 # node-exporter + 9152 # nixos-exporter + ] ++ (if cfg.bird then [ + 9324 # bird-exporter + ] else []) ++ (if cfg.blackbox then [ + 9115 # blackbox-exporter + ] else []); }; } From 8b9acbb9b199334adb69bf22bdd72f8b683ea5be Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 8 May 2025 12:13:54 +0200 Subject: [PATCH 3/9] hosts/monitoring-3: Display pretty scraping address for nixos-validator --- hosts/monitoring-3/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/monitoring-3/prometheus.nix b/hosts/monitoring-3/prometheus.nix index dd7533b..cd130e9 100644 --- a/hosts/monitoring-3/prometheus.nix +++ b/hosts/monitoring-3/prometheus.nix @@ -200,7 +200,7 @@ in { relabelAddressToInstance { target_label = "__address__"; - replacement = "[::1]:9153"; + replacement = "monitoring-3.mon.clerie.de:9153"; } ]; } From fa1220dcf848d9f3728d5b074957c82c6d28211a Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 8 May 2025 15:55:59 +0200 Subject: [PATCH 4/9] configuration/router: All hosts using this config don't do BGP and OSPF --- configuration/router/default.nix | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/configuration/router/default.nix b/configuration/router/default.nix index afc974e..23541a7 100644 --- a/configuration/router/default.nix +++ b/configuration/router/default.nix @@ -12,16 +12,4 @@ }; networking.firewall.checkReversePath = false; - - networking.firewall.allowedTCPPorts = [ - # Open Firewall for BGP - 179 - ]; - - networking.firewall.extraCommands = '' - # Open fireall for OSPF - ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept - # Open firewall for GRE - ip46tables -A nixos-fw -p gre -j nixos-fw-accept - ''; } 
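Review bot: The two `(if cfg.bird then [ … ] else [])` branches in `allowedTCPPorts` would read more directly as `optional`, which the file can reach the same way it reaches `mkIf`: `] ++ optional cfg.bird 9324 # bird-exporter` and `++ optional cfg.blackbox 9115; # blackbox-exporter` (use `lib.optional` unless the module opens `lib` with `with lib;`, which the unqualified `mkIf` suggests). A one-line comment above the attribute would also help: the removed `firewallFilter` values were the only place that documented these exporters as reachable solely through `wg-monitoring`, and the new per-interface rule relies on the default-deny firewall staying enabled to preserve that property.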
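Review bot: Replacing `__address__` with `monitoring-3.mon.clerie.de:9153` changes the address Prometheus actually connects to, not only what it displays: the scrape now depends on that name resolving and the resolved path being reachable, where before it went to loopback. If `relabelAddressToInstance`, which precedes this rule in the list, copies `__address__` into `instance`, the displayed `instance` label still reads `[::1]:9153` and only the real scrape target moved — the opposite of what the subject line describes; confirm the order, or set the label directly with `target_label = "instance";`. The enclosing scrape config starts outside the hunk.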
From ced991b911f38580111e73d6409d3d0d2f0600b9 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 8 May 2025 16:17:26 +0200 Subject: [PATCH 5/9] profiles/router: Migrate configuration to profile --- configuration/router/default.nix | 15 --------------- hosts/carbon/configuration.nix | 2 +- hosts/gatekeeper/configuration.nix | 2 +- hosts/nonat/configuration.nix | 2 +- hosts/porter/configuration.nix | 2 +- profiles/default.nix | 1 + profiles/router/default.nix | 26 ++++++++++++++++++++++++++ 7 files changed, 31 insertions(+), 19 deletions(-) delete mode 100644 configuration/router/default.nix create mode 100644 profiles/router/default.nix diff --git a/configuration/router/default.nix b/configuration/router/default.nix deleted file mode 100644 index 23541a7..0000000 --- a/configuration/router/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - wireguard-tools - tcpdump - ]; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - - networking.firewall.checkReversePath = false; -} diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 5bf6cf3..b0fc794 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ./dns.nix ./mdns.nix @@ -23,6 +22,7 @@ ]; profiles.clerie.common-networking.enable = false; + profiles.clerie.router.enable = true; boot.kernelParams = [ "console=ttyS0,115200n8" ]; diff --git a/hosts/gatekeeper/configuration.nix b/hosts/gatekeeper/configuration.nix index 7fe8de2..ed30b6d 100644 --- a/hosts/gatekeeper/configuration.nix +++ b/hosts/gatekeeper/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ]; profiles.clerie.hetzner-cloud.enable = true; + profiles.clerie.router.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; 
diff --git a/hosts/nonat/configuration.nix b/hosts/nonat/configuration.nix index 47d7495..dfee059 100644 --- a/hosts/nonat/configuration.nix +++ b/hosts/nonat/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ]; profiles.clerie.mercury-vm.enable = true; + profiles.clerie.router.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix index d4a24a3..2e236c2 100644 --- a/hosts/porter/configuration.nix +++ b/hosts/porter/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ]; profiles.clerie.netcup.enable = true; + profiles.clerie.router.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; diff --git a/profiles/default.nix b/profiles/default.nix index 52a6699..a7ae051 100644 --- a/profiles/default.nix +++ b/profiles/default.nix @@ -14,6 +14,7 @@ ./mercury-vm ./netcup ./network-fallback-dhcp + ./router ./ruby-vm ./serial-console ./wg-clerie diff --git a/profiles/router/default.nix b/profiles/router/default.nix new file mode 100644 index 0000000..11a7a51 --- /dev/null +++ b/profiles/router/default.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + options.profiles.clerie.router = { + enable = mkEnableOption "Basic router setup"; + }; + + config = mkIf config.profiles.clerie.router.enable { + + environment.systemPackages = with pkgs; [ + wireguard-tools + tcpdump + ]; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + + networking.firewall.checkReversePath = false; + + }; +} From fe23b7745ff951cc0185d5d2b422cebb31685171 Mon Sep 17 00:00:00 2001 
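Review bot: `networking.firewall.checkReversePath = false;` in the new profile disables reverse-path filtering on every interface of every host that enables `profiles.clerie.router`, and nothing in the file records why. If the need is asymmetric routing across tunnels, `networking.firewall.checkReversePath = "loose";` keeps a filter that still drops packets whose source address is not routable via any interface; if `false` is genuinely required, a comment naming the interface or traffic pattern that needs it belongs on that line. The `with lib;` at file scope could be `inherit (lib) mkEnableOption mkIf;` so the two names this module actually uses are visible at a glance.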
From: clerie
Date: Thu, 8 May 2025 16:31:33 +0200
Subject: [PATCH 6/9] configuration/dn42: Remove obsolete configuration
---
 configuration/dn42/default.nix | 22 ----------------------
 1 file changed, 22 deletions(-)
 delete mode 100644 configuration/dn42/default.nix
diff --git a/configuration/dn42/default.nix b/configuration/dn42/default.nix
deleted file mode 100644
index 93ae00e..0000000
--- a/configuration/dn42/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-
-{
- environment.systemPackages = with pkgs; [
- wireguard-tools
- ];
-
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
-
- networking.firewall.checkReversePath = false;
-
- # Open Firewall for BGP
- networking.firewall.allowedTCPPorts = [ 179 ];
- # Open Fireall for OSPF
- networking.firewall.extraCommands = ''
- ip6tables -A INPUT -p ospfigp -j ACCEPT
- iptables -A INPUT -p ospfigp -j ACCEPT
- '';
-}
From 1042cf279feb99baa78e409f2ce5fe082ebe1c09 Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 8 May 2025 17:17:01 +0200
Subject: [PATCH 7/9] profiles/hydra-build-machine: Migrate configuration to profile
---
 configuration/hydra-build-machine/default.nix | 16 ------------
 hosts/hydra-1/configuration.nix | 2 +-
 hosts/hydra-2/configuration.nix | 2 +-
 profiles/default.nix | 1 +
 profiles/hydra-build-machine/default.nix | 26 +++++++++++++++++++
 5 files changed, 29 insertions(+), 18 deletions(-)
 delete mode 100644 configuration/hydra-build-machine/default.nix
 create mode 100644 profiles/hydra-build-machine/default.nix
diff --git a/configuration/hydra-build-machine/default.nix b/configuration/hydra-build-machine/default.nix
deleted file mode 100644
index b27bef5..0000000
--- a/configuration/hydra-build-machine/default.nix
+++ /dev/null
@@ -1,16 +0,0 @@ -{ ... }: - -{ - - # Allow Hydra to fetch remote URLs in restricted mode - nix.settings.allowed-uris = "http: https: git+https: github:"; - - services.openssh.settings= { - PermitRootLogin = "yes"; - }; - - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1" - ]; - -} diff --git a/hosts/hydra-1/configuration.nix b/hosts/hydra-1/configuration.nix index 33958ac..4a3e8c2 100644 --- a/hosts/hydra-1/configuration.nix +++ b/hosts/hydra-1/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix - ../../configuration/hydra-build-machine ./build-machines.nix ./hydra.nix @@ -12,6 +11,7 @@ ]; profiles.clerie.mercury-vm.enable = true; + profiles.clerie.hydra-build-machine.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; diff --git a/hosts/hydra-2/configuration.nix b/hosts/hydra-2/configuration.nix index 753f77a..e09c071 100644 --- a/hosts/hydra-2/configuration.nix +++ b/hosts/hydra-2/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/hydra-build-machine ]; profiles.clerie.cybercluster-vm.enable = true; + profiles.clerie.hydra-build-machine.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; diff --git a/profiles/default.nix b/profiles/default.nix index a7ae051..9052485 100644 --- a/profiles/default.nix +++ b/profiles/default.nix @@ -11,6 +11,7 @@ ./fem-net ./firefox ./hetzner-cloud + ./hydra-build-machine ./mercury-vm ./netcup ./network-fallback-dhcp diff --git a/profiles/hydra-build-machine/default.nix b/profiles/hydra-build-machine/default.nix new file mode 100644 index 0000000..c812f8b --- /dev/null +++ b/profiles/hydra-build-machine/default.nix 
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ options.profiles.clerie.hydra-build-machine = {
+ enable = mkEnableOption "Set defaults for hydra build machines";
+ };
+
+ config = mkIf config.profiles.clerie.hydra-build-machine.enable {
+
+ # Allow Hydra to fetch remote URLs in restricted mode
+ nix.settings.allowed-uris = "http: https: git+https: github:";
+
+ services.openssh.settings= {
+ PermitRootLogin = "yes";
+ };
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
+ ];
+
+ };
+
+}
From d0c6ecff4cf31b90c2bbcd493777054f6b01774d Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 8 May 2025 21:50:31 +0200
Subject: [PATCH 8/9] flake.lock: Update nixos-exporter
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index a86e8d2..fb4be50 100644
--- a/flake.lock
+++ b/flake.lock
@@ -440,11 +440,11 @@
 ]
 },
 "locked": {
- "lastModified": 1683625533,
- "narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
+ "lastModified": 1746733297,
+ "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
 "ref": "refs/heads/main",
- "rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
- "revCount": 19,
+ "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
+ "revCount": 22,
 "type": "git",
 "url": "https://git.clerie.de/clerie/nixos-exporter.git"
 },
From a6f1881389e4ba95d5238514e0c8143a9ae58b0a Mon Sep 17 00:00:00 2001
From: Flake Update Bot
Date: Fri, 9 May 2025 03:04:03 +0200
Subject: [PATCH 9/9] Update nixpkgs 2025-05-09-01-03
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index fb4be50..996bbb3 100644
--- a/flake.lock
+++ b/flake.lock
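Review bot: `PermitRootLogin = "yes"` admits root over SSH with any authentication method sshd has enabled, including passwords where password authentication is on, while the only root credential this profile provisions is the ed25519 entry in `authorizedKeys.keys`. `PermitRootLogin = "prohibit-password";` (OpenSSH's own default) keeps that key working and removes the password path; if `yes` is needed for something not visible here, a comment above the setting should record it. The key is labelled `root@hydra-1` but the profile is enabled on both hydra hosts in this patch's other hunks, so a comment stating whose key it is and what it is for — e.g. `# root key of hydra-1, accepted on every build machine — TODO confirm purpose` — would help the next reader.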
@@ -551,11 +551,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1746328495,
- "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=",
+ "lastModified": 1746663147,
+ "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e",
+ "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
 "type": "github"
 },
 "original": {