hosts/astatine: Add stack to monitor zte hypermobile 5g

flake.lock

@@ -404,6 +404,26 @@
         "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
       }
     },
+    "mu5001tool": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757364612,
+        "narHash": "sha256-6MSqlWHH15qbWbvS9b6OTGdtIkW6GVb9SSLkEYAMdDw=",
+        "ref": "refs/heads/main",
+        "rev": "cb758d9bc97baa11e80a048e666c99986cabed43",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mu5001tool.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mu5001tool.git"
+      }
+    },
     "nix2container": {
       "flake": false,
       "locked": {
@@ -743,6 +763,7 @@
         "hydra": "hydra",
         "lix": "lix_2",
         "lix-module": "lix-module",
+        "mu5001tool": "mu5001tool",
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_5",

flake.nix

@@ -40,6 +40,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+    mu5001tool = {
+      url = "git+https://git.clerie.de/clerie/mu5001tool.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nixos-exporter = {
       url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
       inputs.nixpkgs.follows = "nixpkgs";

flake/inputs-overlay.nix

@@ -5,6 +5,7 @@
 , chaosevents
 , harmonia
 , hydra
+, mu5001tool
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
@@ -25,6 +26,8 @@ final: prev: {
     harmonia;
   inherit (hydra.packages.${final.system})
     hydra;
+  inherit (mu5001tool.packages.${final.system})
+    mu5001tool;
   inherit (nurausstieg.packages.${final.system})
     nurausstieg;
   inherit (rainbowrss.packages.${final.system})

hosts/astatine/configuration.nix

@@ -4,6 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
+
+      ./grafana.nix
+      ./mu5001tool.nix
+      ./prometheus.nix
     ];
 
   profiles.clerie.network-fallback-dhcp.enable = true;
@@ -18,6 +22,16 @@
     terminal_output serial
   ";
 
+  sops.secrets.monitoring-htpasswd = {
+    owner = "nginx";
+    group = "nginx";
+  };
+  services.nginx = {
+    enable = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
   profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];

hosts/astatine/grafana.nix

@@ -0,0 +1,45 @@
+{ config, ... }:
+{
+  services.grafana = {
+    enable  = true;
+    settings = {
+      server = {
+        domain = "grafana.astatine.net.clerie.de";
+        root_url = "https://grafana.astatine.net.clerie.de";
+        http_port = 3001;
+        http_addr = "::1";
+      };
+      "auth.anonymous" = {
+        enabled = true;
+      };
+    };
+
+    provision = {
+      enable = true;
+      datasources.settings.datasources = [
+        {
+          type = "prometheus";
+          name = "Prometheus";
+          url = "http://[::1]:9090";
+          isDefault = true;
+        }
+      ];
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "grafana.astatine.net.clerie.de" = {
+        enableACME = true;
+        forceSSL   = true;
+        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+        locations."/".proxyPass = "http://[::1]:3001/";
+        locations."= /api/live/ws" = {
+          proxyPass = "http://[::1]:3001";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+
+}

hosts/astatine/mu5001tool.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  systemd.services."mu5001tool" = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      DynamicUser = true;
+      LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
+    };
+    script = ''
+      ${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
+    '';
+  };
+
+}

hosts/astatine/prometheus.nix

@@ -0,0 +1,46 @@
+{ config, ... }:
+
+{
+  services.prometheus = {
+    enable = true;
+    enableReload = true;
+    listenAddress = "[::1]";
+    scrapeConfigs = [
+      {
+        job_name = "prometheus";
+        scrape_interval = "20s";
+        scheme = "http";
+        static_configs = [
+          {
+            targets = [
+              "[::1]:9090"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "mu5001tool";
+        scrape_interval = "20s";
+        static_configs = [
+          {
+            targets = [
+              "[::1]:9242"
+            ];
+          }
+        ];
+      }
+    ];
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "prometheus.astatine.net.clerie.de" = {
+        enableACME = true;
+        forceSSL   = true;
+        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+        locations."/".proxyPass = "http://[::1]:9090/";
+      };
+    };
+  };
+
+}

hosts/astatine/secrets.json

@@ -1,19 +1,17 @@
 {
 	"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
+	"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
+	"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-21T16:03:13Z",
-		"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
+		"lastmodified": "2025-09-08T21:03:41Z",
+		"mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-21T16:02:41Z",
@@ -24,4 +22,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}