diff --git a/flake.lock b/flake.lock
index ba0c6b0..590bcc3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -404,6 +404,26 @@
 "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
 }
 },
+ "mu5001tool": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1757364612,
+ "narHash": "sha256-6MSqlWHH15qbWbvS9b6OTGdtIkW6GVb9SSLkEYAMdDw=",
+ "ref": "refs/heads/main",
+ "rev": "cb758d9bc97baa11e80a048e666c99986cabed43",
+ "revCount": 6,
+ "type": "git",
+ "url": "https://git.clerie.de/clerie/mu5001tool.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.clerie.de/clerie/mu5001tool.git"
+ }
+ },
 "nix2container": {
 "flake": false,
 "locked": {
@@ -743,6 +763,7 @@
 "hydra": "hydra",
 "lix": "lix_2",
 "lix-module": "lix-module",
+ "mu5001tool": "mu5001tool",
 "nixos-exporter": "nixos-exporter",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_5",
diff --git a/flake.nix b/flake.nix
index e0af4c8..d56d5e0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+ mu5001tool = {
+ url = "git+https://git.clerie.de/clerie/mu5001tool.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nixos-exporter = {
 url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/flake/inputs-overlay.nix b/flake/inputs-overlay.nix
index df5e956..5efe733 100644
--- a/flake/inputs-overlay.nix
+++ b/flake/inputs-overlay.nix
@@ -5,6 +5,7 @@
 , chaosevents
 , harmonia
 , hydra
+, mu5001tool
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
@@ -25,6 +26,8 @@ final: prev: {
 harmonia;
 inherit (hydra.packages.${final.system})
 hydra;
+ inherit (mu5001tool.packages.${final.system})
+ mu5001tool;
 inherit (nurausstieg.packages.${final.system})
 nurausstieg;
 inherit (rainbowrss.packages.${final.system})
diff --git a/hosts/astatine/configuration.nix b/hosts/astatine/configuration.nix
index 74fed00..2cb03f4 100644
--- a/hosts/astatine/configuration.nix +++ b/hosts/astatine/configuration.nix @@ -4,6 +4,10 @@ imports = [ ./hardware-configuration.nix + + ./grafana.nix + ./mu5001tool.nix + ./prometheus.nix ]; profiles.clerie.network-fallback-dhcp.enable = true; @@ -18,6 +22,16 @@ terminal_output serial "; + sops.secrets.monitoring-htpasswd = { + owner = "nginx"; + group = "nginx"; + }; + services.nginx = { + enable = true; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + profiles.clerie.wg-clerie = { enable = true; ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ]; diff --git a/hosts/astatine/grafana.nix b/hosts/astatine/grafana.nix new file mode 100644 index 0000000..b214887 --- /dev/null +++ b/hosts/astatine/grafana.nix @@ -0,0 +1,45 @@ +{ config, ... }: +{ + services.grafana = { + enable = true; + settings = { + server = { + domain = "grafana.astatine.net.clerie.de"; + root_url = "https://grafana.astatine.net.clerie.de"; + http_port = 3001; + http_addr = "::1"; + }; + "auth.anonymous" = { + enabled = true; + }; + }; + + provision = { + enable = true; + datasources.settings.datasources = [ + { + type = "prometheus"; + name = "Prometheus"; + url = "http://[::1]:9090"; + isDefault = true; + } + ]; + }; + }; + + services.nginx = { + virtualHosts = { + "grafana.astatine.net.clerie.de" = { + enableACME = true; + forceSSL = true; + basicAuthFile = config.sops.secrets.monitoring-htpasswd.path; + locations."/".proxyPass = "http://[::1]:3001/"; + locations."= /api/live/ws" = { + proxyPass = "http://[::1]:3001"; + proxyWebsockets = true; + }; + }; + }; + }; + +} diff --git a/hosts/astatine/mu5001tool.nix b/hosts/astatine/mu5001tool.nix new file mode 100644 index 0000000..273103f --- /dev/null +++ b/hosts/astatine/mu5001tool.nix 
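Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens both ports on every interface, so the Grafana and Prometheus vhosts this commit adds are reachable from any network and rest on the single shared `monitoring-htpasswd` file. The `services.nginx` block sets only `enable = true`; unless a shared profile already does so, add `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` so the proxied backends receive the original `Host` header and TLS uses the module's hardened defaults. A short comment above the secret, e.g. `# shared basic-auth file for the grafana and prometheus vhosts`, would explain why it is owned by nginx. The enclosing attribute set starts and ends outside the hunk.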
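Review bot: `"auth.anonymous".enabled = true` in grafana.nix leaves the nginx `basicAuthFile` as the only gate in front of Grafana, while the login form and the built-in admin account stay active; nothing in this file sets `security.admin_password`, so unless it is set elsewhere, anyone holding the shared htpasswd credential (or any local process that can reach `[::1]:3001`) may be able to sign in as admin with the default password. Consider adding `auth.disable_login_form = true;` and pinning the anonymous role with `org_role = "Viewer";` inside `"auth.anonymous"`, or setting the admin password from a sops secret. nginx also forwards the `Authorization: Basic` header to Grafana, whose own basic-auth handler is on by default, so `"auth.basic".enabled = false;` is probably wanted as well.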
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+ systemd.services."mu5001tool" = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
+ };
+ script = ''
+ ${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
+ '';
+ };
+
+}
diff --git a/hosts/astatine/prometheus.nix b/hosts/astatine/prometheus.nix
new file mode 100644
index 0000000..68046be
--- /dev/null
+++ b/hosts/astatine/prometheus.nix
@@ -0,0 +1,46 @@
+{ config, ... }:
+
+{
+ services.prometheus = {
+ enable = true;
+ enableReload = true;
+ listenAddress = "[::1]";
+ scrapeConfigs = [
+ {
+ job_name = "prometheus";
+ scrape_interval = "20s";
+ scheme = "http";
+ static_configs = [
+ {
+ targets = [
+ "[::1]:9090"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "mu5001tool";
+ scrape_interval = "20s";
+ static_configs = [
+ {
+ targets = [
+ "[::1]:9242"
+ ];
+ }
+ ];
+ }
+ ];
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ "prometheus.astatine.net.clerie.de" = {
+ enableACME = true;
+ forceSSL = true;
+ basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+ locations."/".proxyPass = "http://[::1]:9090/";
+ };
+ };
+ };
+
+}
diff --git a/hosts/astatine/secrets.json b/hosts/astatine/secrets.json
index f721d52..6d196cc 100644
--- a/hosts/astatine/secrets.json
+++ b/hosts/astatine/secrets.json
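Review bot: The mu5001tool exporter is started with only `--listen-port 9242`, so its bind address is whatever the tool defaults to; if that is all interfaces, the modem metrics are served without authentication on every interface and only the host firewall keeps them private, although Prometheus scrapes just `[::1]:9242`. If the tool offers a listen-address option, pass loopback explicitly; otherwise `IPAddressDeny = "any";` with `IPAddressAllow = [ "localhost" "<modem-address>" ];` in `serviceConfig` keeps the socket local while still letting the service reach the modem. The unit also reads `config.sops.secrets."zte-hypermobile-5g-password".path`, but no `sops.secrets` declaration for that name is visible in this commit (only `monitoring-htpasswd` is declared in configuration.nix), so confirm it is declared elsewhere.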
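Review bot: The `prometheus.astatine.net.clerie.de` vhost in prometheus.nix publishes the whole Prometheus UI and HTTP query API behind the same shared `monitoring-htpasswd` that guards Grafana, although Grafana reaches Prometheus over `http://[::1]:9090` and does not need the vhost. If direct access is only for occasional debugging, consider limiting the vhost to the VPN range through nginx `extraConfig` (`allow <wireguard-prefix>; deny all;`) or dropping it. `services.prometheus.webExternalUrl` is also unset, so links Prometheus generates will presumably not use the public name; `webExternalUrl = "https://prometheus.astatine.net.clerie.de/";` would align them.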
@@ -1,19 +1,17 @@ { "wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]", + "monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]", + "zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]", "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, "age": [ { "recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv", "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-04-21T16:03:13Z", - "mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]", + "lastmodified": "2025-09-08T21:03:41Z", + "mac": 
"ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]", "pgp": [ { "created_at": "2024-04-21T16:02:41Z", @@ -24,4 +22,4 @@ "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } -} \ No newline at end of file +}