
Compare commits

...

7 Commits

14 changed files with 49 additions and 23 deletions


@ -11,6 +11,7 @@
vim vim
agenix agenix
nixos-firewall-tool nixos-firewall-tool
nixfiles-system-upgrade
]; ];
programs.mtr.enable = true; programs.mtr.enable = true;


@ -218,11 +218,11 @@
}, },
"nixpkgs-krypton": { "nixpkgs-krypton": {
"locked": { "locked": {
"lastModified": 1701068326, "lastModified": 1701253981,
"narHash": "sha256-vmMceA+q6hG1yrjb+MP8T0YFDQIrW3bl45e7z24IEts=", "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8cfef6986adfb599ba379ae53c9f5631ecd2fd9c", "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -234,11 +234,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1701068326, "lastModified": 1701253981,
"narHash": "sha256-vmMceA+q6hG1yrjb+MP8T0YFDQIrW3bl45e7z24IEts=", "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8cfef6986adfb599ba379ae53c9f5631ecd2fd9c", "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -107,7 +107,7 @@
nixfiles-auto-install nixfiles-auto-install
nixfiles-generate-backup-secrets nixfiles-generate-backup-secrets
nixfiles-generate-config nixfiles-generate-config
nixfiles-system-sync-to-hydra nixfiles-system-upgrade
nixfiles-updated-inputs nixfiles-updated-inputs
nixfiles-update-ssh-host-keys nixfiles-update-ssh-host-keys
nixos-firewall-tool nixos-firewall-tool


@ -329,7 +329,7 @@
} }
''; '';
clerie.nixfiles.system-auto-sync-to-hydra = { clerie.nixfiles.system-auto-upgrade = {
enable = true; enable = true;
allowReboot = true; allowReboot = true;
}; };


@ -183,7 +183,7 @@
} }
''; '';
clerie.nixfiles.system-auto-sync-to-hydra = { clerie.nixfiles.system-auto-upgrade = {
enable = true; enable = true;
allowReboot = true; allowReboot = true;
}; };


@ -183,7 +183,7 @@
} }
''; '';
clerie.nixfiles.system-auto-sync-to-hydra = { clerie.nixfiles.system-auto-upgrade = {
enable = true; enable = true;
allowReboot = true; allowReboot = true;
}; };


@ -273,7 +273,7 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"https://matrix.entr0py.de/_matrix/static/" "matrix.entr0py.de"
]; ];
} }
]; ];
@ -281,9 +281,10 @@ in {
{ {
source_labels = [ "__address__" ]; source_labels = [ "__address__" ];
target_label = "__param_target"; target_label = "__param_target";
replacement = "https://\${1}/_matrix/static/";
} }
{ {
source_labels = [ "__param_target" ]; source_labels = [ "__address__" ];
target_label = "target"; target_label = "target";
} }
{ {
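Review bot: The new `replacement = "https://\${1}/_matrix/static/";` depends on the relabel rule's default regex capturing the whole `__address__`, and nothing in the block says so. A short comment above it, such as `# default regex (.*) captures the bare hostname; the probe URL is built here so the target label stays the hostname`, would explain why the targets list no longer carries the full URL. The second rule now copies `__address__` into `target`, so it presumably has to stay ahead of whatever later rule rewrites `__address__` to the exporter address. That rule begins on the last visible line and continues outside the hunk, so confirm the order there.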


@ -57,3 +57,11 @@ groups:
annotations: annotations:
summary: "Kernel of {{ $labels.instance }} changed" summary: "Kernel of {{ $labels.instance }} changed"
description: "The Kernel {{ $labels.instance }} booted with, isn't the target Kernel. A reboot may be required." description: "The Kernel {{ $labels.instance }} booted with, isn't the target Kernel. A reboot may be required."
- alert: SynapseUnavailable
expr: last_over_time(probe_success{instance="monitoring-3.net.clerie.de", job="blackbox_local_synapse", target="matrix.entr0py.de"}[5m]) == 0
for: 5m
labels:
severity: warning
annotations:
summary: "Synapse of {{ $labels.target }} unavailable"
description: "The Synapse backend of {{ $labels.instance }} is unreachable or returns garbage"
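Review bot: The description of `SynapseUnavailable` interpolates `{{ $labels.instance }}`, which the expression pins to `monitoring-3.net.clerie.de`, so the alert text will name the probing host as the broken Synapse backend. Use the probed host as the summary does: `description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"`. Separately, `last_over_time(probe_success{...}[5m]) == 0` returns nothing when the series is missing, so the rule stays silent if the blackbox job stops producing samples for more than five minutes. An `absent(...)` companion rule would cover that gap, unless a rule not visible here already does.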


@ -39,7 +39,7 @@
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
clerie.nixfiles.system-auto-sync-to-hydra = { clerie.nixfiles.system-auto-upgrade = {
enable = true; enable = true;
allowReboot = true; allowReboot = true;
}; };


@ -13,7 +13,7 @@
./monitoring ./monitoring
./nginx-port-forward ./nginx-port-forward
./nixfiles ./nixfiles
./nixfiles/system-auto-sync-to-hydra.nix ./nixfiles/nixfiles-system-upgrade.nix
./update-from-hydra ./update-from-hydra
./wg-clerie ./wg-clerie
./wireguard-initrd ./wireguard-initrd


@ -3,12 +3,12 @@
with lib; with lib;
let let
cfg = config.clerie.nixfiles.system-auto-sync-to-hydra; cfg = config.clerie.nixfiles.system-auto-upgrade;
in in
{ {
options = { options = {
clerie.nixfiles.system-auto-sync-to-hydra = { clerie.nixfiles.system-auto-upgrade = {
enable = mkEnableOption "clerie nixfiles tools"; enable = mkEnableOption "clerie nixfiles tools";
allowReboot = mkOption { allowReboot = mkOption {
type = types.bool; type = types.bool;
@ -18,10 +18,10 @@ in
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.nixfiles-system-auto-sync-to-hydra = { systemd.services.nixfiles-system-auto-upgrade = {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = pkgs.nixfiles-system-sync-to-hydra + "/bin/nixfiles-system-sync-to-hydra${optionalString cfg.allowReboot " --allow-reboot"}"; ExecStart = pkgs.nixfiles-system-upgrade + "/bin/nixfiles-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}";
}; };
startAt = "*-*-* 06:47:00"; startAt = "*-*-* 06:47:00";
}; };
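Review bot: `enable = mkEnableOption "clerie nixfiles tools";` is kept unchanged under the renamed option, so the generated option documentation does not say that enabling it schedules a daily unattended upgrade. Something like `enable = mkEnableOption "daily automatic system upgrade";` would match what the service does (`startAt = "*-*-* 06:47:00"` with `--no-confirm`). A comment on the `ExecStart` line noting that `--no-confirm` is passed because the timer-driven run has no terminal to answer the prompt would also help the next reader.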


@ -1,8 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.writeShellApplication { pkgs.writeShellApplication {
name = "nixfiles-system-sync-to-hydra"; name = "nixfiles-system-upgrade";
text = builtins.readFile ./nixfiles-system-sync-to-hydra.sh; text = builtins.readFile ./nixfiles-system-upgrade.sh;
runtimeInputs = with pkgs; [ runtimeInputs = with pkgs; [
curl curl
jq jq


@ -3,17 +3,22 @@
set -euo pipefail set -euo pipefail
ALLOW_REBOOT= ALLOW_REBOOT=
NO_CONFIRM=
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
--allow-reboot) --allow-reboot)
ALLOW_REBOOT=1 ALLOW_REBOOT=1
shift shift
;; ;;
--no-confirm)
NO_CONFIRM=1
shift
;;
*) *)
echo "Unknown option $1" echo "Unknown option $1"
exit 1 exit 1
;; ;;
esac esac
done done
@ -22,6 +27,17 @@ HYDRA_JOB_URL="https://hydra.clerie.de/job/nixfiles/nixfiles/nixosConfigurations
echo "Fetching job output from ${HYDRA_JOB_URL}" echo "Fetching job output from ${HYDRA_JOB_URL}"
STORE_PATH="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_JOB_URL}" | jq -r ".buildoutputs.out.path")" STORE_PATH="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_JOB_URL}" | jq -r ".buildoutputs.out.path")"
if [[ -z $NO_CONFIRM ]]; then
echo ""
echo " ! WARNING !"
echo ""
echo " You are about to upgrade ${HOSTNAME} to ${STORE_PATH}."
echo " This can be an older version than currently running on this system."
echo ""
read -e -r -p "Continue?" confirm
echo "$confirm" > /dev/null
fi
echo "Download ${STORE_PATH}" echo "Download ${STORE_PATH}"
nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}" nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
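Review bot: The confirmation prompt never looks at the answer: `read -e -r -p "Continue?" confirm` is followed by `echo "$confirm" > /dev/null`, so typing `n` continues with the upgrade and only Ctrl-C or end-of-input stops it. Compare the reply and exit otherwise, e.g. `[[ $confirm == [yY] ]] || { echo "Aborted"; exit 1; }`, and put the expected answer in the prompt (`"Continue? [y/N] "`). The prompt is the only guard against the downgrade the warning describes, and the `--no-confirm` path has none, so it would be worth checking before `nix copy` that the fetched `STORE_PATH` is non-empty and not the literal `null` that `jq -r` prints for a missing field. The script continues past the end of this hunk.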


@ -6,7 +6,7 @@ self: super: {
nixfiles-auto-install = self.callPackage ./nixfiles/nixfiles-auto-install.nix {}; nixfiles-auto-install = self.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {}; nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-generate-config = self.callPackage ./nixfiles/nixfiles-generate-config.nix {}; nixfiles-generate-config = self.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-system-sync-to-hydra = self.callPackage ./nixfiles/nixfiles-system-sync-to-hydra.nix {}; nixfiles-system-upgrade = self.callPackage ./nixfiles/nixfiles-system-upgrade.nix {};
nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {}; nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {}; nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
nixos-firewall-tool = self.callPackage ./nixos-firewall-tool {}; nixos-firewall-tool = self.callPackage ./nixos-firewall-tool {};