Compare commits
No commits in common. "ba4f6b50ccfba7d742c307fcdab8b0108a4b5f1a" and "84ca3f739a5b793185055440c7d702966cb3979d" have entirely different histories.
ba4f6b50cc
...
84ca3f739a
@ -10,6 +10,7 @@
|
|||||||
colmena
|
colmena
|
||||||
vim
|
vim
|
||||||
agenix
|
agenix
|
||||||
|
nixos-firewall-tool
|
||||||
nixfiles-system-upgrade
|
nixfiles-system-upgrade
|
||||||
];
|
];
|
||||||
|
|
||||||
|
18
flake.lock
18
flake.lock
@ -186,11 +186,11 @@
|
|||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1702245580,
|
"lastModified": 1701656485,
|
||||||
"narHash": "sha256-tTVRB42Ljo2uWGP7ei5h5/qQjOsdXoz0GHRy9hrVrdw=",
|
"narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "030edbb68e69f2b97231479f98a9597024650df2",
|
"rev": "fa194fc484fd7270ab324bb985593f71102e84d1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -218,11 +218,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs-krypton": {
|
"nixpkgs-krypton": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1702151865,
|
"lastModified": 1701718080,
|
||||||
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
|
"narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
|
"rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -234,11 +234,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1702151865,
|
"lastModified": 1701718080,
|
||||||
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
|
"narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
|
"rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -26,8 +26,7 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
|
outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
|
||||||
lib = import ./lib inputs;
|
helper = (import ./lib/flake-helper.nix) inputs;
|
||||||
helper = lib.flake-helper;
|
|
||||||
in {
|
in {
|
||||||
clerie.hosts = {
|
clerie.hosts = {
|
||||||
aluminium = {
|
aluminium = {
|
||||||
@ -117,6 +116,7 @@
|
|||||||
nixfiles-system-upgrade
|
nixfiles-system-upgrade
|
||||||
nixfiles-updated-inputs
|
nixfiles-updated-inputs
|
||||||
nixfiles-update-ssh-host-keys
|
nixfiles-update-ssh-host-keys
|
||||||
|
nixos-firewall-tool
|
||||||
pyexcel-xlsx
|
pyexcel-xlsx
|
||||||
pyexcel-webio
|
pyexcel-webio
|
||||||
update-from-hydra
|
update-from-hydra
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
inputs:
|
|
||||||
|
|
||||||
let
|
|
||||||
|
|
||||||
callLibs = file: import file ({
|
|
||||||
inherit lib inputs;
|
|
||||||
} // inputs);
|
|
||||||
|
|
||||||
lib = {
|
|
||||||
flake-helper = callLibs ./flake-helper.nix;
|
|
||||||
inherit ("flake-helper")
|
|
||||||
generateNixosSystem
|
|
||||||
mapToNixosConfigurations
|
|
||||||
generateColmenaHost
|
|
||||||
mapToColmenaHosts
|
|
||||||
buildHosts;
|
|
||||||
};
|
|
||||||
|
|
||||||
in
|
|
||||||
lib
|
|
@ -25,7 +25,7 @@ in
|
|||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
ExecStart = pkgs.nixfiles-system-upgrade + "/bin/nixfiles-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/nixfiles-system-upgrade.prom"}";
|
ExecStart = pkgs.nixfiles-system-upgrade + "/bin/nixfiles-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.timers.nixfiles-system-auto-upgrade = {
|
systemd.timers.nixfiles-system-auto-upgrade = {
|
||||||
|
@ -4,7 +4,6 @@ set -euo pipefail
|
|||||||
|
|
||||||
ALLOW_REBOOT=
|
ALLOW_REBOOT=
|
||||||
NO_CONFIRM=
|
NO_CONFIRM=
|
||||||
NODE_EXPORTER_METRICS_PATH=
|
|
||||||
|
|
||||||
while [[ $# -gt 0 ]]; do
|
while [[ $# -gt 0 ]]; do
|
||||||
case $1 in
|
case $1 in
|
||||||
@ -16,11 +15,6 @@ while [[ $# -gt 0 ]]; do
|
|||||||
NO_CONFIRM=1
|
NO_CONFIRM=1
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--node-exporter-metrics-path)
|
|
||||||
NODE_EXPORTER_METRICS_PATH=$2
|
|
||||||
shift
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
*)
|
*)
|
||||||
echo "Unknown option $1"
|
echo "Unknown option $1"
|
||||||
exit 1
|
exit 1
|
||||||
@ -53,11 +47,6 @@ nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
|
|||||||
echo "Set as boot target"
|
echo "Set as boot target"
|
||||||
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
|
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
|
||||||
|
|
||||||
if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
|
|
||||||
echo "Write monitoring check data"
|
|
||||||
echo "nixfiles_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
|
|
||||||
fi
|
|
||||||
|
|
||||||
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
|
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
|
||||||
ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
|
ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
|
||||||
|
|
||||||
|
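--- a/pkgs/nixos-firewall-tool/default.nix
+++ b/pkgs/nixos-firewall-tool/default.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+name = "nixos-firewall-tool";
+text = builtins.readFile ./nixos-firewall-tool.sh;
+runtimeInputs = with pkgs; [
+iptables
+];
+}
+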
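Review bot: `runtimeInputs` lists only `iptables`, but the packaged script also calls `systemctl restart firewall.service` in its `reset` branch. `writeShellApplication` prepends `runtimeInputs` to the inherited `PATH` rather than replacing it, so `systemctl` is resolved from whatever the caller's environment provides. For a tool that is normally run as root, pinning it is the tidier choice: `runtimeInputs = with pkgs; [ iptables systemd ];`. The script's own `#!/usr/bin/env bash` and `set -euo pipefail` lines are also redundant here, since `writeShellApplication` adds both.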
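--- a/pkgs/nixos-firewall-tool/nixos-firewall-tool.sh
+++ b/pkgs/nixos-firewall-tool/nixos-firewall-tool.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ip46tables() {
+iptables -w "$@"
+ip6tables -w "$@"
+
+}
+
+show_help() {
+echo "nixos-firewall-tool"
+echo ""
+echo "Can temporarily manipulate the NixOS firewall"
+echo ""
+echo "Open TCP port:"
+echo " nixos-firewall-tool open tcp 8888"
+echo ""
+echo "Show all firewall rules:"
+echo " nixos-firewall-tool show"
+echo ""
+echo "Open UDP port:"
+echo " nixos-firewall-tool open udp 51820"
+echo ""
+echo "Reset firewall configuration to system settings:"
+echo " nixos-firewall-tool reset"
+}
+
+if [[ -z ${1+x} ]]; then
+show_help
+exit 1
+fi
+
+case $1 in
+"open")
+protocol="$2"
+port="$3"
+
+ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+;;
+"show")
+ip46tables --numeric --list nixos-fw
+;;
+"reset")
+systemctl restart firewall.service
+;;
+-h|--help|help)
+show_help
+exit 0
+;;
+*)
+show_help
+exit 1
+;;
+esac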
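Review bot: The `open` branch hands `$2` and `$3` to `iptables`/`ip6tables` unchecked, and under `set -u` a missing argument aborts with an unbound-variable error instead of the help text. Because the rule is inserted at the head of `nixos-fw` with `-I`, a mistyped invocation is worth rejecting before anything touches the chain; restricting the protocol to `tcp`/`udp` and the port to a number in 1–65535 matches what the help text documents. Separately, `ip46tables` runs under `set -e`, so if `iptables` succeeds and `ip6tables` fails the IPv4 accept rule stays in place with no IPv6 counterpart; a short comment above `ip46tables` pointing at `reset` as the recovery path would help.

```shell
"open")
    if [[ $# -ne 3 ]]; then
        show_help
        exit 1
    fi
    protocol="$2"
    port="$3"

    case "$protocol" in
        tcp|udp) ;;
        *) echo "Unsupported protocol: $protocol" >&2; exit 1 ;;
    esac
    # 10# forces base 10 so a port written with a leading zero is not read as octal
    if ! [[ "$port" =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
        echo "Invalid port: $port" >&2
        exit 1
    fi

    # … unchanged: ip46tables -I nixos-fw … -j nixos-fw-accept …
    ;;
```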
@ -9,6 +9,7 @@ final: prev: {
|
|||||||
nixfiles-system-upgrade = final.callPackage ./nixfiles/nixfiles-system-upgrade.nix {};
|
nixfiles-system-upgrade = final.callPackage ./nixfiles/nixfiles-system-upgrade.nix {};
|
||||||
nixfiles-updated-inputs = final.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
|
nixfiles-updated-inputs = final.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
|
||||||
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
|
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
|
||||||
|
nixos-firewall-tool = final.callPackage ./nixos-firewall-tool {};
|
||||||
pyexcel-xlsx = final.python3.pkgs.callPackage ./pyexcel-xlsx {};
|
pyexcel-xlsx = final.python3.pkgs.callPackage ./pyexcel-xlsx {};
|
||||||
pyexcel-webio = final.python3.pkgs.callPackage ./pyexcel-webio {};
|
pyexcel-webio = final.python3.pkgs.callPackage ./pyexcel-webio {};
|
||||||
update-from-hydra = final.callPackage ./update-from-hydra {};
|
update-from-hydra = final.callPackage ./update-from-hydra {};
|
||||||
|