From 31637568e24c4d10e08928bc48cfc0cb18e9d980 Mon Sep 17 00:00:00 2001
From: "xyno (Philipp Hochkamp)"
Date: Sun, 18 Jun 2023 03:04:44 +0200
Subject: [PATCH] feat: add beliskner

---
 darwin-common.nix | 2 +-
 data/monitoring.toml | 17 +--
 data/pubkeys.nix | 1 +
 flake.lock | 21 ++++
 flake.nix | 3 +
 hosts/beliskner/default.nix | 116 +++++++++++++++++++++
 hosts/beliskner/disk-config.nix | 94 +++++++++++++++++
 hosts/beliskner/hardware-configuration.nix | 30 ++++++
 hosts/picard/default.nix | 1 -
 nixos-modules/services/monitoring.nix | 17 +--
 nixos-modules/services/ssh.nix | 4 +-
 nixos-modules/system/security.nix | 4 +-
 secrets/prometheusBlackboxConfig.age | 18 ++++
 secrets/secrets.nix | 1 +
 14 files changed, 294 insertions(+), 35 deletions(-)
 create mode 100644 hosts/beliskner/default.nix
 create mode 100644 hosts/beliskner/disk-config.nix
 create mode 100644 hosts/beliskner/hardware-configuration.nix
 create mode 100644 secrets/prometheusBlackboxConfig.age

diff --git a/darwin-common.nix b/darwin-common.nix
index d024f407..8a8d31bb 100644
--- a/darwin-common.nix
+++ b/darwin-common.nix
@@ -8,7 +8,7 @@
 nix.settings.max-jobs = 10; # use all cores
 nix.settings.auto-optimise-store = true;
 nix.distributedBuilds = true;
- nix.nixPath = [{ nixpkgs = "${inputs.nixpkgs-darwin}"; nixpkgs-master = "${inputs.nixpkgs-master}"; nixpkgs-nixos = "${inputs.nixpkgs}"; }];
+ nix.nixPath = [{ nixpkgs = "${inputs.nixpkgs-darwin.outPath}"; nixpkgs-master = "${inputs.nixpkgs-master.outPath}"; nixpkgs-nixos = "${inputs.nixpkgs.outPath}"; }];
 nix.buildMachines = [{
 systems = [ "x86_64-linux" ];
 supportedFeatures = [ "kvm" "big-parallel" ];
diff --git a/data/monitoring.toml b/data/monitoring.toml
index 74920572..26d493dc 100644
--- a/data/monitoring.toml
+++ b/data/monitoring.toml
@@ -1,6 +1,6 @@
 [master]
-hostname = "ds9"
-ip = "100.83.96.25" # tailscale
+hostname = "beliskner"
+ip = "beliskner.kangaroo-galaxy.ts.net" # tailscale
 [hostOverrides]
@@ -16,17 +16,8 @@ hosts = [ "ds9", "picard" ]
 [exporters.smartctl]
 hosts = [ "ds9" ]
-# [exporters.dnsmasq]
-# hosts = [ "wormhole" ]
-#
-# [exporters.wireguard]
-# hosts = [ "wormhole"]
-#
-# [exporters.smokeping]
-# hosts = [ "wormhole"]
-
-[exporters.nginxlog]
-hosts = [ "picard", "ds9" ]
+[exporters.blackbox]
+hosts = [ "beliskner" ]
 [promtail]
 hosts = [ "picard", "ds9" ]
diff --git a/data/pubkeys.nix b/data/pubkeys.nix
index 47aaffa6..8aebf73d 100644
--- a/data/pubkeys.nix
+++ b/data/pubkeys.nix
@@ -15,6 +15,7 @@ let
 picard = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAm3UXZaN95WBUaS9SiHLNEuI1tP1x1w07qnYxPe+vdr" ];
 daedalusvm = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJCNGGsnAPPmhQnEMBWJulM2pi3pw/tdX1vi3l6cRky" ];
 octopi = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+0/lwNc/KN8LrS3KvDCuuipQokO+7qELfksepJXz6a" ];
+ beliskner = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+0/lwNc/KN8LrS3KvDCuuipQokO+7qELfksepJXz6a" ];
 };
 in
 {
diff --git a/flake.lock b/flake.lock
index 9dfa292d..1d82d872 100644
--- a/flake.lock
+++ b/flake.lock
@@ -82,6 +82,26 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1687028856,
+ "narHash": "sha256-vKV3I31tmXwaWHiUOgfDVd27cEHqaPBr1lt9+NKdIp8=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "64c9c78c15fd4c899d857bf09dba88bda771b43a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -731,6 +751,7 @@
 "agenix": "agenix",
 "agkozak-zsh-prompt": "agkozak-zsh-prompt",
 "darwin": "darwin_2",
+ "disko": "disko",
 "home-manager": "home-manager_2",
 "impermanence": "impermanence",
 "miro": "miro",
diff --git a/flake.nix b/flake.nix
index cb867278..ec8f6ae6 100644
--- a/flake.nix
+++ b/flake.nix
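Review bot: The key added for `beliskner` is byte-for-byte the same ed25519 public key as `octopi` on the line above, which two independently installed hosts should never share; either it is a copy-paste placeholder or the two machines really share a host key. Everything keyed on `pubkeys.ragon.host "beliskner"` inherits the problem: secrets/secrets.nix in this same commit encrypts `prometheusBlackboxConfig.age` to this key, so octopi can decrypt beliskner's blackbox config (and, if it is a placeholder, beliskner cannot), and any host-key pinning for beliskner would accept octopi. Replace it with beliskner's own `/etc/ssh/ssh_host_ed25519_key.pub` and re-key the secret afterwards. The enclosing `let` attribute set starts outside the hunk.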
@@ -16,6 +16,8 @@
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 darwin.url = "github:lnl7/nix-darwin/master";
 darwin.inputs.nixpkgs.follows = "nixpkgs";
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
 neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
 neovim-nightly-overlay.inputs.nixpkgs.follows = "nixpkgs-master";
 neovim-nightly-overlay.inputs.neovim-flake.url = "github:neovim/neovim?dir=contrib&rev=eb151a9730f0000ff46e0b3467e29bb9f02ae362";
@@ -245,6 +247,7 @@
 daedalusvm = nixosSystem "aarch64-linux" [ ./hosts/daedalusvm/default.nix ];
 octopi = nixosSystem "aarch64-linux" [ ./hosts/octopi/default.nix ];
 icarus = nixosSystem "x86_64-linux" [ ./hosts/icarus/default.nix ];
+ beliskner = nixosSystem "x86_64-linux" [ ./hosts/beliskner/default.nix ];
 };
 darwinConfigurations = processConfigurations {
 daedalus = darwinSystem "aarch64-darwin" [ ./hosts/daedalus/default.nix ];
diff --git a/hosts/beliskner/default.nix b/hosts/beliskner/default.nix
new file mode 100644
index 00000000..359794ed
--- /dev/null
+++ b/hosts/beliskner/default.nix
@@ -0,0 +1,116 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ documentation.enable = false;
+ documentation.nixos.enable = false;
+ documentation.man.enable = false;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.systemd-boot.enable = false;
+
+ #networking.interfaces."ens3" = {
+ # ipv6 = {
+ # addresses = [
+ # {
+ # address = "2a03:4000:54:a98::1";
+ # prefixLength = 64;
+ # }
+ # ];
+ # };
+ #};
+ #networking.defaultGateway6 = { address = "fe80::1"; interface = "enp0s3"; };
+ networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+ # networking.interfaces.eno1.useDHCP = true;
+ networking.hostId = "7c28236a";
+
+ # Immutable users due to tmpfs
+ users.mutableUsers = false;
+
+ services.postgresql.package = pkgs.postgresql_13;
+
+ services.grafana = {
+ enable = true;
+ settings.server = {
+ domain = "beliskner.kangaroo-galaxy.ts.net";
+ root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
+ };
+ };
+
+
+ ragon.agenix.secrets."prometheusBlackboxConfig" = { owner = config.services.prometheus.exporters.blackbox.user; };
+ services.prometheus.exporters.blackbox = {
+ enable = true;
+ configFile = config.age.secrets.prometheusBlackboxConfig.path;
+ enableConfigCheck = false;
+ };
+
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "beliskner.kangaroo-galaxy.ts.net" = {
+ extraConfig = ''
+ reverse_proxy :${toString config.services.grafana.settings.server.http_port}
+ forward_auth unix//run/tailscale.nginx-auth.sock {
+ uri /auth
+ header_up Remote-Addr {remote_host}
+ header_up Remote-Port {remote_port}
+ header_up Original-URI {uri}
+ copy_headers {
+ Tailscale-User>X-Webauth-User
+ Tailscale-Name>X-Webauth-Name
+ Tailscale-Login>X-Webauth-Login
+ Tailscale-Tailnet>X-Webauth-Tailnet
+ Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+ }
+ }
+ '';
+ };
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
+ services.grafana.settings = {
+ analytics.reporting_enabled = false;
+ users = {
+ allow_sign_up = false;
+ };
+ auth.proxy = ''
+ enabled = true
+ header_name = "X-Webauth-User"
+ header_property = "username"
+ auto_sign_up = true
+ allow_sign_up = true
+ whitelist = "127.0.0.1, ::1"
+ '';
+ };
+ services.tailscale = {
+ enable = true;
+ permitCertUid = "caddy";
+ };
+
+
+
+ ragon = {
+ cli.enable = false;
+ user.enable = false;
+ persist.enable = true;
+ persist.extraDirectories = [
+ "/var/lib/tailscale"
+ "/var/lib/caddy"
+ ];
+ services = {
+ ssh.enable = true;
+ };
+ };
+}
diff --git a/hosts/beliskner/disk-config.nix b/hosts/beliskner/disk-config.nix
new file mode 100644
index 00000000..144ba633
--- /dev/null
+++ b/hosts/beliskner/disk-config.nix
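Review bot: `auth.proxy = ''…''` inside `services.grafana.settings` is Nix attribute-path sugar for `settings.auth.proxy = "<multi-line string>"`, so the generated grafana.ini gets a `proxy=` key under `[auth]` instead of an `[auth.proxy]` section (if the module accepts the string at all), and header login via `X-Webauth-User` — the header Caddy's `copy_headers` sets — stays disabled; behind the forward_auth gate Grafana would fall back to its built-in login form and admin password. The section needs a quoted attribute name and typed values, as below. Nothing in this commit starts the tailscale nginx-auth daemon behind `/run/tailscale.nginx-auth.sock`; if it is not configured elsewhere `forward_auth` fails closed, which is safe but leaves the vhost unusable. Separately, `networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ]` exposes every listening socket to the whole tailnet, including the blackbox exporter's `/probe` endpoint (any tailnet peer can use this host to probe arbitrary targets) and Grafana itself if its `http_addr` is not loopback-only; `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 443 ];` would limit that to the Caddy vhost.
```nix
  services.grafana.settings = {
    analytics.reporting_enabled = false;
    users = {
      allow_sign_up = false;
    };
    # Quoted attribute name: Grafana expects an [auth.proxy] INI section;
    # an unquoted `auth.proxy = ...` defines settings.auth.proxy instead.
    "auth.proxy" = {
      enabled = true;
      header_name = "X-Webauth-User";
      header_property = "username";
      auto_sign_up = true;
      allow_sign_up = true;
      # only Caddy on loopback may assert the user header
      whitelist = "127.0.0.1, ::1";
    };
  };
  # … unchanged: services.tailscale, ragon …
```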
@@ -0,0 +1,94 @@
+{ disks ? [ "/dev/vda" ], ... }: {
+ disko.devices = {
+ disk = {
+ vda = {
+ type = "disk";
+ device = builtins.elemAt disks 0;
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = [ "bios_grub" ];
+ }
+ {
+ name = "ESP";
+ start = "1MiB";
+ end = "265MiB";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ }
+ {
+ name = "luks";
+ start = "265MiB";
+ end = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [ "--allow-discards" ];
+ # if you want to use the key for interactive login be sure there is no trailing newline
+ # for example use `echo -n "password" > /tmp/secret.key`
+ keyFile = "/tmp/secret.key";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ nix = {
+ persistent = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/nix";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ nodev = {
+ "/" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=2G"
+ "defaults"
+ "mode=755"
+ ];
+ };
+ };
+ };
+ fileSystems."/var/log" =
+ {
+ device = "/nix/persistent/varlog";
+ fsType = "bind";
+ neededForBoot = true;
+ };
+ fileSystems."/persistent" =
+ {
+ device = "/nix/persistent";
+ fsType = "bind";
+ neededForBoot = true;
+ };
+}
diff --git a/hosts/beliskner/hardware-configuration.nix b/hosts/beliskner/hardware-configuration.nix
new file mode 100644
index 00000000..7910eeb2
--- /dev/null
+++ b/hosts/beliskner/hardware-configuration.nix
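Review bot: The device names disagree with the rest of this commit: `disks ? [ "/dev/vda" ]` formats vda, while hosts/beliskner/default.nix installs GRUB with `boot.loader.grub.device = "/dev/sda"`, and the LUKS container is named `crypted` here but hardware-configuration.nix opens `cryptroot` — on the qemu-guest profile the host imports only one of vda/sda exists, and if disko's module also emits an initrd entry for `crypted` the same container would be opened under two names. `extraOpenArgs = [ "--allow-discards" ]` is a deliberate trade-off that deserves a comment, e.g. `# --allow-discards: TRIM passes through dm-crypt, so the free-block layout is visible on the raw disk; accepted for SSD wear`. The `keyFile` comment should also say the key is only read by disko at format time and must be wiped from the installer afterwards, e.g. `# read once at format time; shred -u /tmp/secret.key when done`.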
@@ -0,0 +1,30 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, inputs, ... }:
+let
+ pubkeys = import ../../data/pubkeys.nix;
+in
+{
+ imports = [ "${modulesPath}/profiles/qemu-guest.nix" inputs.disko.nixosModules.disko ];
+ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/d2cb12f8-67e3-4725-86c3-0b5c7ebee3a6";
+ disko.devices = import ./disk-config.nix {
+ inherit lib;
+ };
+
+ boot.initrd = {
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ hostKeys = [
+ "/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
+ "/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
+ ];
+ authorizedKeys = pubkeys.ragon.user;
+ };
+ };
+ };
+ powerManagement.cpuFreqGovernor = "performance";
+}
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index ccd748fe..f7dd9a21 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -15,7 +15,6 @@
 documentation.nixos.enable = false;
 documentation.man.enable = false;
 boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/sda";
 boot.loader.systemd-boot.enable = false;
diff --git a/nixos-modules/services/monitoring.nix b/nixos-modules/services/monitoring.nix
index c41ae4c1..23fe805d 100644
--- a/nixos-modules/services/monitoring.nix
+++ b/nixos-modules/services/monitoring.nix
@@ -19,7 +19,6 @@ in
 config = mkMerge ([
 (mkIf (cfg.master.hostname == hostName) {
 services.loki.enable = true;
- networking.firewall.allowedTCPPorts = [ 3100 ];
 services.loki.configFile = pkgs.writeText "loki.yml" ''
 auth_enabled: false
 server:
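Review bot: The header still claims this file was generated by nixos-generate-config and must not be modified, but the hunk hand-adds the `pubkeys` import, the disko module and the initrd SSH block; replace it with something like `# Hand-maintained: nixos-generate-config output extended with disko and initrd SSH unlock.`. The `hostKeys` entries deserve a caveat comment: NixOS copies these private keys into the initrd image, which sits on the unencrypted ESP, so anyone with the disk can extract them — keep them distinct from the main sshd host keys (they are, by path) and pin them in clients' known_hosts for port 2222, e.g. `# initrd host keys are embedded in /boot unencrypted; never reuse the main sshd keys here`. `boot.initrd.luks.devices."cryptroot"` names a different mapper device than disko's `crypted` in disk-config.nix; if both refer to the same container, one of the two definitions should go.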
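Review bot: Dropping `networking.firewall.allowedTCPPorts = [ 3100 ]` on the master leaves Loki reachable for promtail on picard/ds9 only because hosts/beliskner/default.nix trusts `tailscale0` wholesale; any other host selected via `cfg.master.hostname` would stop receiving logs without an error. The module is the right place to scope this, and with `auth_enabled: false` on the Loki side it should be narrower than a trusted interface: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 3100 ];`. The `mkMerge` list this belongs to starts and ends outside the hunk.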
@@ -57,7 +56,7 @@ in
 boltdb_shipper:
 active_index_directory: /tmp/loki/boltdb-shipper-active
 cache_location: /tmp/loki/boltdb-shipper-cache
- cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
+ cache_ttl: 4h # Can be increased for faster performance over longer query periods, uses more disk space
 shared_store: filesystem
 filesystem:
 directory: /tmp/loki/chunks
@@ -114,21 +113,7 @@ in
 {
 # some global settings
 services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
- services.prometheus.exporters.dnsmasq.leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
- systemd.services."prometheus-smartctl-exporter".serviceConfig.DeviceAllow = [ "* r" ];
- services.prometheus.exporters.smartctl.user = "root";
- services.prometheus.exporters.smartctl.group = "root";
 services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ];
- services.nginx.statusPage = mkDefault config.services.prometheus.exporters.nginx.enable;
- services.prometheus.exporters.nginxlog.user = "nginx";
- services.prometheus.exporters.nginxlog.group = "nginx";
- services.prometheus.exporters.nginxlog.settings = {
- namespaces = [{
- name = "nginxlog";
- format = "$remote_addr - - [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\"";
- source.files = [ "/var/log/nginx/access.log" ];
- }];
- };
 }
 (mkIf (builtins.elem hostName cfg.promtail.hosts) {
 services.promtail = {
diff --git a/nixos-modules/services/ssh.nix b/nixos-modules/services/ssh.nix
index b8d1f5d1..bfa4ddb2 100644
--- a/nixos-modules/services/ssh.nix
+++ b/nixos-modules/services/ssh.nix
@@ -6,9 +6,9 @@ in
 {
 options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd";
 config = lib.mkIf cfg.enable {
- services.openssh.permitRootLogin = "without-password";
+ services.openssh.settings.PermitRootLogin = "without-password";
 services.openssh.enable = true;
- services.openssh.passwordAuthentication = false;
+ services.openssh.settings.PasswordAuthentication = false;
 users.users.root.openssh.authorizedKeys.keys = pubkeys.ragon.user;
 };
 }
diff --git a/nixos-modules/system/security.nix b/nixos-modules/system/security.nix
index 53fc4c49..9bf51618 100644
--- a/nixos-modules/system/security.nix
+++ b/nixos-modules/system/security.nix
@@ -11,9 +11,9 @@ in
 config = mkIf cfg.enable {
 security.sudo.execWheelOnly = true;
 services.openssh = {
- passwordAuthentication = false;
+ settings.PasswordAuthentication = false;
 allowSFTP = true; # just use rsync, lol
- kbdInteractiveAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
 extraConfig = ''
 AllowTcpForwarding yes
 X11Forwarding no
diff --git a/secrets/prometheusBlackboxConfig.age b/secrets/prometheusBlackboxConfig.age
new file mode 100644
index 00000000..b0f77bc9
--- /dev/null
+++ b/secrets/prometheusBlackboxConfig.age
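Review bot: `settings.PermitRootLogin = "without-password"` carries over the pre-OpenSSH-7.0 spelling; `prohibit-password` is the documented name and the old one survives only as an alias, so `services.openssh.settings.PermitRootLogin = "prohibit-password";` says what it means. `settings.PasswordAuthentication = false` is now defined both here and in nixos-modules/system/security.nix in this same commit; the definitions merge because the values agree, but one module should own the setting, with a comment such as `# password auth is also disabled in system/security.nix; keep the two in sync` on whichever copy stays.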
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 46dvqg YDxtUSg3QOM3qbqxYuKO1ga4JOAumKpcuf9GlBd0Nn8 +d5tNS2c0LSqFXEzz1So4DG7ymdsjFf3fL0NmvUwMghw +-> ssh-ed25519 ugHWWw SOIF3aWQ0PWJqz7z5Ah4EtjXxAzfN4FwACEqXtqBrWY ++VEK3cDwW3lZiI+09jr4M1Kzf76klZgrcqr5qYtLtR4 +-> ssh-ed25519 UU9RSA y3sYSGTO+DC7btlBd9+KwIjzX9TjzPXPU39kH12f11E +IppTK0GKRPQ3CKAjqXoweb4n8N7IXSOpZjhgiBe+VUU +-> ssh-ed25519 RJI3BA d1Qw2K7LTibTh8+Zaha9ynmNk1xgDlXfDeF/vHPd2FM +indJ1NRruWxnhg3NtlkdhxkDCDGF4ghSyDgkTCBFDvU +-> ssh-ed25519 XnvJKw xsGYu6HUfUgkb93mhgDHNYJ+8dZZJpqFRAg1c32luUE +p9gDrwX9jvnuP+QRjqpLJp2qMpti5Oa+8dUIjMBZqrA +-> ssh-ed25519 7NL5Ng fiu2K+E1F/6A5WBHeAgEM40dbDUvqskOaxrJfOmCSlQ +nBVY0IZ10hatoxWQQkYatcxzYrU3Zn0z/o9tJia9ooI +-> ;\&a?k}-grease 2Xc0a 8J&H^ hR>D +EEyqIPv7t8ElVB/DilVhYGEDY1Jn5mrxVvmuUCPO3kPWJUdJCNAVv9uJPAN3/k0e +eP/qCcMJq5Y+W5hkAhH7SFk +--- XmJJ95cSiIMh9vOsct53Ix0d19Gwbl0aQYU+i5MNysA +4iCQqeCQ2mVT, ָ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e7ee30a2..69bc0615 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -23,6 +23,7 @@ in "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabDBFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard"; + "prometheusBlackboxConfig.age".publicKeys = pubkeys.ragon.host "beliskner"; "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard"; "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard"; "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard";