
Compare commits


11 Commits

19 changed files with 270 additions and 20 deletions


@ -10,6 +10,7 @@
colmena
vim
agenix
nixos-firewall-tool
];
programs.mtr.enable = true;


@ -183,11 +183,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1699044561,
"narHash": "sha256-3uHmbq74CicpBPP40a6NHp830S7Rvh33uFgfIIC+7nw=",
"lastModified": 1699159446,
"narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "87f8403371fa74d9ad21ed677403cc235f37b96c",
"rev": "627bc9b88256379578885a7028c9e791c29fb581",
"type": "github"
},
"original": {
@ -215,11 +215,11 @@
},
"nixpkgs-krypton": {
"locked": {
"lastModified": 1698924604,
"narHash": "sha256-GCFbkl2tj8fEZBZCw3Tc0AkGo0v+YrQlohhEGJ/X4s0=",
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa804edfb7869c9fb230e174182a8a1a7e512c40",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"type": "github"
},
"original": {
@ -231,11 +231,11 @@
},
"nixpkgs-schule": {
"locked": {
"lastModified": 1698924604,
"narHash": "sha256-GCFbkl2tj8fEZBZCw3Tc0AkGo0v+YrQlohhEGJ/X4s0=",
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa804edfb7869c9fb230e174182a8a1a7e512c40",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"type": "github"
},
"original": {
@ -247,11 +247,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1698924604,
"narHash": "sha256-GCFbkl2tj8fEZBZCw3Tc0AkGo0v+YrQlohhEGJ/X4s0=",
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa804edfb7869c9fb230e174182a8a1a7e512c40",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"type": "github"
},
"original": {


@ -109,8 +109,10 @@
nixfiles-auto-install
nixfiles-generate-backup-secrets
nixfiles-generate-config
nixfiles-system-sync-to-hydra
nixfiles-updated-inputs
nixfiles-update-ssh-host-keys
nixos-firewall-tool
pyexcel-xlsx
pyexcel-webio
update-from-hydra


@ -329,6 +329,11 @@
}
'';
clerie.nixfiles.system-auto-sync-to-hydra = {
enable = true;
allowReboot = true;
};
clerie.monitoring = {
enable = true;
id = "301";
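Review bot: `allowReboot = true` opts this host into an unattended `shutdown -r +1` whenever the synced system carries a different kernel, initrd or kernel-modules path than the booted one, and the identical block is added for the hosts with ids 305, 306 and 103 in the later hunks. The module behind the option fixes `startAt = "*-*-* 06:47:00"` with no randomized delay, so after a kernel bump every opted-in host would reboot within the same minute; if these hosts depend on each other, leaving `allowReboot` at its default on at least one of them, or staggering the schedule per host, avoids a fleet-wide simultaneous reboot. The enclosing attribute set starts and ends outside the hunk.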


@ -163,6 +163,11 @@
}
'';
clerie.nixfiles.system-auto-sync-to-hydra = {
enable = true;
allowReboot = true;
};
clerie.monitoring = {
enable = true;
id = "305";


@ -163,6 +163,11 @@
}
'';
clerie.nixfiles.system-auto-sync-to-hydra = {
enable = true;
allowReboot = true;
};
clerie.monitoring = {
enable = true;
id = "306";


@ -0,0 +1,30 @@
{ pkgs, ... }:
{
services.prometheus.exporters.blackbox = {
enable = true;
openFirewall = true;
configFile = pkgs.writeText "blackbox.yml" ''
modules:
icmp6:
prober: icmp
icmp:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
icmp4:
prober: icmp
icmp:
preferred_ip_protocol: ip4
ip_protocol_fallback: false
synapse:
prober: http
http:
valid_status_codes:
- 200
method: GET
fail_if_not_ssl: true
fail_if_body_not_matches_regexp:
- "Synapse is running"
'';
};
}
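Review bot: `openFirewall = true` makes the blackbox exporter's `/probe` endpoint reachable from other hosts, yet the only scrape added for it (the `blackbox_local_synapse` job in prometheus.nix) addresses `monitoring-3.mon.clerie.de:9115`, which appears to be this same host since the import hunk adds `./blackbox.nix` next to `./prometheus.nix` (inferred from the file layout, not shown directly). A reachable blackbox exporter will probe whatever `target` parameter it is handed, so unless a remote Prometheus needs it, drop `openFirewall` (the default is false) or set `listenAddress` to the loopback address and scrape `localhost:9115` instead. If the name does resolve to another machine, a firewall rule limited to the Prometheus host's source address is the narrower option.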


@ -6,6 +6,7 @@
./hardware-configuration.nix
../../configuration/proxmox-vm
./alertmanager.nix
./blackbox.nix
./grafana.nix
./nixos-validator.nix
./prometheus.nix


@ -188,6 +188,7 @@ in {
"fluorine.net.clerie.de"
"www.fem.tu-ilmenau.de"
"www.heise.de"
"dyon.net.entr0py.de"
];
}
];
@ -237,6 +238,8 @@ in {
"ie10-due1.nodes.nethinks.com"
"pe10-due1.nodes.nethinks.com"
"matrix.bau-ha.us"
"dyon.net.entr0py.de"
"matrix.entr0py.de"
];
}
];
@ -260,6 +263,36 @@ in {
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_synapse";
scrape_interval = "20s";
metrics_path = "/probe";
params = {
module = [ "synapse" ];
};
static_configs = [
{
targets = [
"https://matrix.entr0py.de/_matrix/static/"
];
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "zimmer-temp";
scrape_interval = "20s";
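Review bot: the new `blackbox_local_synapse` job hard-codes `replacement = "monitoring-3.mon.clerie.de:9115"` inside its relabel chain; `relabelAddressToInstance` being in scope suggests this file already has blackbox jobs carrying the same three relabel rules, in which case the exporter address and that rule triple belong in one `let` binding rather than another copy (the earlier jobs are outside this hunk, so this is inferred). The job also sets no `scrape_timeout`, leaving the HTTPS probe with Prometheus's default 10s budget under a 20s interval; stating `scrape_timeout = "10s";` explicitly documents that choice next to the interval. The enclosing list starts and ends outside the hunk.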


@ -39,6 +39,11 @@
networking.firewall.allowedUDPPorts = [];
clerie.nixfiles.system-auto-sync-to-hydra = {
enable = true;
allowReboot = true;
};
clerie.monitoring = {
enable = true;
id = "103";


@ -24,8 +24,6 @@
networking.hostName = "zinc";
security.sudo.wheelNeedsPassword = lib.mkForce false;
services.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];


@ -13,6 +13,7 @@
./monitoring
./nginx-port-forward
./nixfiles
./nixfiles/system-auto-sync-to-hydra.nix
./update-from-hydra
./wg-clerie
./wireguard-initrd


@ -0,0 +1,29 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.clerie.nixfiles.system-auto-sync-to-hydra;
in
{
options = {
clerie.nixfiles.system-auto-sync-to-hydra = {
enable = mkEnableOption "clerie nixfiles tools";
allowReboot = mkOption {
type = types.bool;
default = false;
description = "Monitor NixOS";
};
};
};
config = mkIf cfg.enable {
systemd.services.nixfiles-system-auto-sync-to-hydra = {
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.nixfiles-system-sync-to-hydra + "/bin/nixfiles-system-sync-to-hydra${optionalString cfg.allowReboot " --allow-reboot"}";
};
startAt = "*-*-* 06:47:00";
};
};
}
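Review bot: the option texts in the new module are copy-paste leftovers — `mkEnableOption "clerie nixfiles tools"` and `description = "Monitor NixOS"` describe neither the sync job nor the reboot switch, and generated option docs will show them verbatim. Suggested replacements: `enable = mkEnableOption "daily sync of the system profile from Hydra";` and `description = "Let the sync job schedule a reboot when the synced system's kernel, initrd or kernel-modules differ from the booted ones";`. Separately, `startAt` hard-codes 06:47 for every host with no jitter; exposing the time as an option, or adding `systemd.timers.nixfiles-system-auto-sync-to-hydra.timerConfig.RandomizedDelaySec`, would keep opted-in hosts from rebooting at the same moment.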


@ -58,16 +58,21 @@ in
persistent-keepalive "25" \
allowed-ips "0.0.0.0/0,::/0,10.20.30.0/24,2a01:4f8:c0c:15f1::/113"
#ip route add "::/0" dev "wg-initrd" table 1337
#ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
ip route add "::/0" dev "wg-initrd" table 1337
ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
# Error: Argument "udp" is wrong: Invalid "ipproto" value
# For some reason ip rule does not recognize "udp" as a value for "ipproto" in initrd,
# so we pass the numeric value for it manually
# This is from linux/include/uapi/linux/in.h
IPPROTO_UDP=17
${concatMapStringsSep "\n" (ip: ''
ip -6 rule add from "${ip}" lookup 1337 prio 19000
ip -6 rule add from "${ip}" unreachable prio 19001
'') cfg.ipv6s}
ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 lookup main prio 20000
ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 unreachable prio 20001
ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto $IPPROTO_UDP dport 51820 lookup main prio 20000
ip -6 rule add to "2a01:4f8:c0c:15f1::1/128" ipproto $IPPROTO_UDP dport 51820 unreachable prio 20001
ip -6 rule add lookup main prio 21000
ip -6 rule add lookup 1337 prio 21001
ip -6 rule add unreachable prio 21000
@ -77,8 +82,8 @@ in
ip -4 rule add from "${ip}" lookup 1337 prio 19000
ip -4 rule add from "${ip}" unreachable prio 19001
'') cfg.ipv4s}
ip -4 rule add to "78.47.183.82/32" ipproto udp dport 51820 lookup main prio 20000
ip -4 rule add to "78.47.183.82/32" ipproto udp dport 51820 unreachable prio 20001
ip -4 rule add to "78.47.183.82/32" ipproto $IPPROTO_UDP dport 51820 lookup main prio 20000
ip -4 rule add to "78.47.183.82/32" ipproto $IPPROTO_UDP dport 51820 unreachable prio 20001
ip -4 rule add lookup main prio 21000
ip -4 rule add lookup 1337 prio 21001
ip -4 rule add unreachable prio 21000


@ -0,0 +1,11 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nixfiles-system-sync-to-hydra";
text = builtins.readFile ./nixfiles-system-sync-to-hydra.sh;
runtimeInputs = with pkgs; [
curl
jq
nix
];
}


@ -0,0 +1,52 @@
#!/usr/bin/env bash
set -euo pipefail
ALLOW_REBOOT=
while [[ $# -gt 0 ]]; do
case $1 in
--allow-reboot)
ALLOW_REBOOT=1
shift
;;
*)
echo "Unknown option $1"
exit 1
;;
esac
done
HYDRA_JOB_URL="https://hydra.clerie.de/job/nixfiles/nixfiles/nixosConfigurations.${HOSTNAME}/latest-finished"
echo "Fetching job output from ${HYDRA_JOB_URL}"
STORE_PATH="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_JOB_URL}" | jq -r ".buildoutputs.out.path")"
echo "Download ${STORE_PATH}"
nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
echo "Add to system profile"
nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
echo "Set as boot target"
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
echo "Reboot is required"
if [[ -n "$ALLOW_REBOOT" ]]; then
echo "Rebooting system now"
shutdown -r +1 "System update requires reboot"
else
echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
echo "The system upgrade is staged, please reboot manually soon"
fi
else
echo "No reboot is required"
echo "Activating system now"
/nix/var/nix/profiles/system/bin/switch-to-configuration switch
fi
echo "Finished system upgrade"
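Review bot: `STORE_PATH` is used unvalidated after the `jq -r ".buildoutputs.out.path"` assignment; if Hydra's latest-finished build has no `out` output, `jq -r` prints the string `null`, which then reaches `nix copy`, `nix-env --set` and `switch-to-configuration` with an unhelpful failure. A guard right after the assignment such as `[[ "${STORE_PATH}" == /nix/store/* ]] || { echo "Hydra returned no usable output path: ${STORE_PATH}"; exit 1; }` makes that case explicit. Since the unit that runs this has no `User=` and so presumably runs as root and replaces the system profile, the trust chain is the HTTPS fetch of the Hydra JSON plus `nix copy` verifying signatures against the host's `trusted-public-keys`; that setting is not on this page, so it is worth confirming the cache key is configured and that `--no-check-sigs` never lands here. Skipping the whole switch when `STORE_PATH` already equals `$(readlink /run/current-system)` would also avoid rewriting boot entries every morning when nothing changed.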


@ -0,0 +1,10 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nixos-firewall-tool";
text = builtins.readFile ./nixos-firewall-tool.sh;
runtimeInputs = with pkgs; [
iptables
];
}


@ -0,0 +1,55 @@
#!/usr/bin/env bash
set -euo pipefail
ip46tables() {
iptables -w "$@"
ip6tables -w "$@"
}
show_help() {
echo "nixos-firewall-tool"
echo ""
echo "Can temporarily manipulate the NixOS firewall"
echo ""
echo "Open TCP port:"
echo " nixos-firewall-tool open tcp 8888"
echo ""
echo "Show all firewall rules:"
echo " nixos-firewall-tool show"
echo ""
echo "Open UDP port:"
echo " nixos-firewall-tool open udp 51820"
echo ""
echo "Reset firewall configuration to system settings:"
echo " nixos-firewall-tool reset"
}
if [[ -z ${1+x} ]]; then
show_help
exit 1
fi
case $1 in
"open")
protocol="$2"
port="$3"
ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
;;
"show")
ip46tables --numeric --list nixos-fw
;;
"reset")
systemctl restart firewall.service
;;
-h|--help|help)
show_help
exit 0
;;
*)
show_help
exit 1
;;
esac
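Review bot: the `"open"` branch reads `$2` and `$3` without checking they were supplied, so under `set -u` a bare `nixos-firewall-tool open` dies with bash's unbound-variable message instead of the help text; add `[[ $# -eq 3 ]] || { show_help; exit 1; }` as the first line of that branch. The two values are then passed straight to iptables, so restricting `protocol` to `tcp|udp` and `port` to digits before the `ip46tables` call turns a typo into a clear usage error rather than an iptables parse error. Because `-I nixos-fw` inserts at the head of the chain, an opened port stays open until `reset` (or anything else that restarts firewall.service), which the help text could state so users know the change is not scoped in time.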


@ -6,8 +6,10 @@ self: super: {
nixfiles-auto-install = self.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-generate-config = self.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-system-sync-to-hydra = self.callPackage ./nixfiles/nixfiles-system-sync-to-hydra.nix {};
nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
nixos-firewall-tool = self.callPackage ./nixos-firewall-tool {};
pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
update-from-hydra = self.callPackage ./update-from-hydra {};