


5 Commits

9 changed files with 43 additions and 79 deletions


@ -10,7 +10,6 @@
colmena colmena
vim vim
agenix agenix
nixos-firewall-tool
nixfiles-system-upgrade nixfiles-system-upgrade
]; ];


@ -186,11 +186,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1701656485, "lastModified": 1702245580,
"narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=", "narHash": "sha256-tTVRB42Ljo2uWGP7ei5h5/qQjOsdXoz0GHRy9hrVrdw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "fa194fc484fd7270ab324bb985593f71102e84d1", "rev": "030edbb68e69f2b97231479f98a9597024650df2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -218,11 +218,11 @@
}, },
"nixpkgs-krypton": { "nixpkgs-krypton": {
"locked": { "locked": {
"lastModified": 1701718080, "lastModified": 1702151865,
"narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=", "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335", "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -234,11 +234,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1701718080, "lastModified": 1702151865,
"narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=", "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335", "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -26,7 +26,8 @@
}; };
}; };
outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
helper = (import ./lib/flake-helper.nix) inputs; lib = import ./lib inputs;
helper = lib.flake-helper;
in { in {
clerie.hosts = { clerie.hosts = {
aluminium = { aluminium = {
@ -116,7 +117,6 @@
nixfiles-system-upgrade nixfiles-system-upgrade
nixfiles-updated-inputs nixfiles-updated-inputs
nixfiles-update-ssh-host-keys nixfiles-update-ssh-host-keys
nixos-firewall-tool
pyexcel-xlsx pyexcel-xlsx
pyexcel-webio pyexcel-webio
update-from-hydra update-from-hydra
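Review bot: Binding the project library as `lib` in this `let` shadows any unqualified `lib` the rest of the outputs body may rely on (nixpkgs' `lib` is commonly bound under that name), so a later `lib.something` would resolve to the new attribute set and fail with a missing-attribute error only at evaluation time; the outputs body continues outside the hunk, so I cannot confirm whether it does. A less collidable name makes the intent explicit, e.g. `nixfilesLib = import ./lib inputs;` and `helper = nixfilesLib.flake-helper;`. Keeping the `helper` alias for existing callers is fine, but new code could reference `nixfilesLib.flake-helper` directly so there is a single name for it.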

20
lib/default.nix Normal file

@ -0,0 +1,20 @@
inputs:
let
callLibs = file: import file ({
inherit lib inputs;
} // inputs);
lib = {
flake-helper = callLibs ./flake-helper.nix;
inherit ("flake-helper")
generateNixosSystem
mapToNixosConfigurations
generateColmenaHost
mapToColmenaHosts
buildHosts;
};
in
lib
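Review bot: `inherit ("flake-helper") generateNixosSystem ...` selects the listed attributes from the string literal `"flake-helper"`, not from the `flake-helper` attribute defined one line above, so `lib.generateNixosSystem`, `lib.mapToNixosConfigurations`, `lib.generateColmenaHost`, `lib.mapToColmenaHosts` and `lib.buildHosts` will each fail with a "value is a string while a set was expected" style error the first time they are forced; attribute values are lazy, so this only surfaces when a caller uses them, and flake.nix currently reads only `lib.flake-helper`, which may be why evaluation still succeeds. `inherit (expr)` needs a set expression; since `let` is recursive, `inherit (lib.flake-helper)` works, or bind the helper once in the `let` as `flake-helper = callLibs ./flake-helper.nix;` and use `inherit (flake-helper) ...` inside `lib`. A one-line header comment stating that `callLibs` hands each file `lib`, `inputs` and every flake input as named arguments would also help readers, since that merge is the only non-obvious part of this file.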


@ -25,7 +25,7 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = pkgs.nixfiles-system-upgrade + "/bin/nixfiles-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}"; ExecStart = pkgs.nixfiles-system-upgrade + "/bin/nixfiles-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/nixfiles-system-upgrade.prom"}";
}; };
}; };
systemd.timers.nixfiles-system-auto-upgrade = { systemd.timers.nixfiles-system-auto-upgrade = {
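Review bot: The ExecStart string now nests two `optionalString` calls with quoted flags inside a single string concatenation, which is hard to read and easy to get the quoting wrong on the next addition; building an argument list and letting `lib.escapeShellArgs` quote it keeps each flag separate. Assuming `lib` is in the module's argument set (the hunk uses an unqualified `optionalString`, so it is probably brought in with `with lib;`): `ExecStart = pkgs.nixfiles-system-upgrade + "/bin/nixfiles-system-upgrade " + lib.escapeShellArgs ([ "--no-confirm" ] ++ lib.optional cfg.allowReboot "--allow-reboot" ++ lib.optionals config.clerie.monitoring.enable [ "--node-exporter-metrics-path" "/var/lib/prometheus-node-exporter/textfiles/nixfiles-system-upgrade.prom" ]);`. The textfile collector directory is hard-coded here; if the node exporter configuration on these hosts declares that directory elsewhere, referencing one option from both places would keep them from drifting, but that configuration is outside this hunk.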


@ -4,6 +4,7 @@ set -euo pipefail
ALLOW_REBOOT= ALLOW_REBOOT=
NO_CONFIRM= NO_CONFIRM=
NODE_EXPORTER_METRICS_PATH=
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
@ -15,6 +16,11 @@ while [[ $# -gt 0 ]]; do
NO_CONFIRM=1 NO_CONFIRM=1
shift shift
;; ;;
--node-exporter-metrics-path)
NODE_EXPORTER_METRICS_PATH=$2
shift
shift
;;
*) *)
echo "Unknown option $1" echo "Unknown option $1"
exit 1 exit 1
@ -47,6 +53,11 @@ nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
echo "Set as boot target" echo "Set as boot target"
/nix/var/nix/profiles/system/bin/switch-to-configuration boot /nix/var/nix/profiles/system/bin/switch-to-configuration boot
if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
echo "Write monitoring check data"
echo "nixfiles_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
fi
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
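Review bot: The metrics file is written directly to its final path with a plain redirection, so the node exporter textfile collector can observe a truncated or empty file between the `>` open and the write, and with `set -euo pipefail` a failed write (for example a missing collector directory on a host where monitoring was only just enabled) aborts the script after the new generation has already been set as boot target but before the kernel comparison and reboot decision that follow. Write to a sibling temporary file and rename it into place, which is atomic on the same filesystem: `echo "nixfiles_system_upgrade_last_check $(date +%s)" > "${NODE_EXPORTER_METRICS_PATH}.tmp"` followed by `mv "${NODE_EXPORTER_METRICS_PATH}.tmp" "$NODE_EXPORTER_METRICS_PATH"`. If writing the metric should never block the upgrade, append `|| echo "Failed to write monitoring check data" >&2` to those two lines so the error is reported without terminating the run. In the option parser above, `NODE_EXPORTER_METRICS_PATH=$2` under `set -u` turns a missing value into an "unbound variable" exit rather than the script's own "Unknown option" message; `NODE_EXPORTER_METRICS_PATH=${2:?--node-exporter-metrics-path needs a path}` gives a clear error.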


@ -1,10 +0,0 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nixos-firewall-tool";
text = builtins.readFile ./nixos-firewall-tool.sh;
runtimeInputs = with pkgs; [
iptables
];
}


@ -1,55 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
ip46tables() {
iptables -w "$@"
ip6tables -w "$@"
}
show_help() {
echo "nixos-firewall-tool"
echo ""
echo "Can temporarily manipulate the NixOS firewall"
echo ""
echo "Open TCP port:"
echo " nixos-firewall-tool open tcp 8888"
echo ""
echo "Show all firewall rules:"
echo " nixos-firewall-tool show"
echo ""
echo "Open UDP port:"
echo " nixos-firewall-tool open udp 51820"
echo ""
echo "Reset firewall configuration to system settings:"
echo " nixos-firewall-tool reset"
}
if [[ -z ${1+x} ]]; then
show_help
exit 1
fi
case $1 in
"open")
protocol="$2"
port="$3"
ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
;;
"show")
ip46tables --numeric --list nixos-fw
;;
"reset")
systemctl restart firewall.service
;;
-h|--help|help)
show_help
exit 0
;;
*)
show_help
exit 1
;;
esac


@ -9,7 +9,6 @@ final: prev: {
nixfiles-system-upgrade = final.callPackage ./nixfiles/nixfiles-system-upgrade.nix {}; nixfiles-system-upgrade = final.callPackage ./nixfiles/nixfiles-system-upgrade.nix {};
nixfiles-updated-inputs = final.callPackage ./nixfiles/nixfiles-updated-inputs.nix {}; nixfiles-updated-inputs = final.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {}; nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
nixos-firewall-tool = final.callPackage ./nixos-firewall-tool {};
pyexcel-xlsx = final.python3.pkgs.callPackage ./pyexcel-xlsx {}; pyexcel-xlsx = final.python3.pkgs.callPackage ./pyexcel-xlsx {};
pyexcel-webio = final.python3.pkgs.callPackage ./pyexcel-webio {}; pyexcel-webio = final.python3.pkgs.callPackage ./pyexcel-webio {};
update-from-hydra = final.callPackage ./update-from-hydra {}; update-from-hydra = final.callPackage ./update-from-hydra {};