Various changes

2022-02-27 12:19:01 +01:00 · 2022-02-27 12:19:01 +01:00 · 5b420f07a6
parent 97981c9224
commit 5b420f07a6
14 changed files with 430 additions and 96 deletions
--- a/configuration/data/nodes.nix
+++ b/configuration/data/nodes.nix
@ -1,17 +1,32 @@
 {
+	"machine-workbot-01.cryto.net" = {
+		friendlyName = "workbot";
+		ipv4 = "148.251.195.23";
+		internalIpv4 = "10.217.0.1";
+		tincPublicKey = builtins.readFile ./tinc-keys/machine-workbot-01.cryto.net.pub;
+	};
 	"machine-haless-03.cryto.net" = {
+		friendlyName = "haless";
 		ipv4 = "31.7.187.145";
 		internalIpv4 = "10.217.0.5";
 		tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub;
 	};
 	"machine-borg2-01.cryto.net" = {
+		friendlyName = "borg2";
 		ipv4 = "205.185.121.93";
 		internalIpv4 = "10.217.0.6";
 		tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
 	};
 	"machine-konjassiem-02.cryto.net" = {
+		friendlyName = "konjassiem";
 		ipv4 = "81.4.122.123";
 		internalIpv4 = "10.217.0.7";
 		tincPublicKey = builtins.readFile ./tinc-keys/machine-konjassiem-02.cryto.net.pub;
 	};
+	"machine-pikachu-02.cryto.net" = {
+		friendlyName = "pikachu";
+		ipv4 = "2.59.133.101";
+		internalIpv4 = "10.217.0.8";
+		tincPublicKey = builtins.readFile ./tinc-keys/machine-pikachu-02.cryto.net.pub;
+	};
 }
--- a/configuration/data/tinc-keys/machine-pikachu-02.cryto.net.pub
+++ b/configuration/data/tinc-keys/machine-pikachu-02.cryto.net.pub
@ -0,0 +1 @@
+YfaykKs117gIGXbcLcc+asUqX5goF97EKIoLLgYZ4uG
--- a/configuration/data/tinc-keys/machine-workbot-01.cryto.net.pub
+++ b/configuration/data/tinc-keys/machine-workbot-01.cryto.net.pub
@ -0,0 +1 @@
+r+f4yLySll2Qx4m1aTba4wGteFTP38jq2EqINpgz5XJ
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -13,7 +13,7 @@ let
 			})
 		];
 	};
-	pkgs = (import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz") nixpkgsOptions);
+	pkgs = (import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz") nixpkgsOptions);
 	presets = {
 		base = (import ./presets/base.nix);
 		kvm = (import ./presets/kvm.nix);
@ -25,6 +25,9 @@ let
 	};
 	nodes = (import ./data/nodes.nix);
 	tincConfiguration = (import ./lib/tinc-configuration.nix);
+	trackSystemMetrics = (import ./lib/track-system-metrics.nix);
+	trackServiceMetrics = (import ./lib/track-service-metrics.nix);
+	httpHealthChecks = (import ./lib/http-health-checks.nix);
 in {
 	network = {
 		inherit pkgs;
@ -33,6 +36,7 @@ in {

 	"machine-borg2-01.cryto.net" = { pkgs, lib, ... }: {
 		system.stateVersion = "18.09";
+		networking.hostName = "machine-borg2-01";

 		# FIXME: Why is this needed?
 		nixpkgs.overlays = [];
@ -42,6 +46,8 @@ in {
 			presets.kvm
 			./hardware-configurations/machine-borg2-01.nix
 			(tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; })
+			(trackSystemMetrics nodes."machine-borg2-01.cryto.net".internalIpv4)
+			(trackServiceMetrics nodes."machine-borg2-01.cryto.net".internalIpv4)
 		];

 		boot.loader.grub.device = lib.mkForce "/dev/vda";
@ -71,6 +77,7 @@ in {
 				group = "backup-f0x";
 				authorizedKeys = [
 					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus"
+					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+dwsWe1/ujR0N4IxPv7mfyiuKWURc6QwYNJ+VV8KA6 f0x@behemoth"
 				];
 				authorizedKeysAppendOnly = [
 					"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra"
@ -94,41 +101,37 @@ in {

 	"machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args: {
 		system.stateVersion = "19.03";
+		networking.hostName = "machine-haless-03";

 		imports = [
 			presets.base
 			presets.kvm
 			./hardware-configurations/machine-haless-03.nix
 			(tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; })
-		];
-
-		deployment.healthChecks.http = let
-			makeHostChecker = { protocol, port }: host: {
-				scheme = protocol;
-				port = port;
-				path = "/";
-				host = host;
-				description = "${host} (${protocol} :${toString port}) is up";
-			};
-			httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
-			httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
-		in lib.mkMerge [
-			(httpHosts [
-				"iomfats.cryto.net"
-				"castleroland.cryto.net"
-				"awesomedude.cryto.net"
-				"matrix-rooms.cryto.net"
-				"validatem.cryto.net"
-				"nixos-manual-mdx.cryto.net"
-			])
-			(httpsHosts [
-				"iomfats.cryto.net"
-				"castleroland.cryto.net"
-				"awesomedude.cryto.net"
-				"matrix-rooms.cryto.net"
-				"validatem.cryto.net"
-				"nixos-manual-mdx.cryto.net"
-			])
+			(trackSystemMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
+			(trackServiceMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
+			(httpHealthChecks {
+				http = [
+					"iomfats.cryto.net"
+					"castleroland.cryto.net"
+					"awesomedude.cryto.net"
+					"matrix-rooms.cryto.net"
+					"validatem.cryto.net"
+					"nixos-manual-mdx.cryto.net"
+					"geojson.cryto.net"
+					"ossworks.nl"
+				];
+				https = [
+					"iomfats.cryto.net"
+					"castleroland.cryto.net"
+					"awesomedude.cryto.net"
+					"matrix-rooms.cryto.net"
+					"validatem.cryto.net"
+					"nixos-manual-mdx.cryto.net"
+					"geojson.cryto.net"
+					"ossworks.nl"
+				];
+			})
 		];

 		networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -166,6 +169,10 @@ in {
 					(nginxPresets.letsEncrypt)
 					{ root = ./sources/modular-matrix; }
 				];
+				"geojson.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					{ root = ../../image-to-geojson/static; }
+				];
 				# "validatem.cryto.net" = lib.mkMerge [
 				# 	(nginxPresets.letsEncrypt)
 				# 	{ root = ./sources/validatem-site; }
@ -174,6 +181,10 @@ in {
 					(nginxPresets.letsEncrypt)
 					{ root = ../../validatem/site/build; }
 				];
+				"ossworks.nl" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					{ root = ../../ossworks-site/build; }
+				];
 				"nixos-manual-mdx.cryto.net" = lib.mkMerge [
 					(nginxPresets.letsEncrypt)
 					{ root = ../../nixos-manual-mdx/build; }
@ -222,8 +233,11 @@ in {
 			};
 		};

-		users.extraUsers.mobile-proxy = {
+		users.groups.mobile-proxy = {};
+		users.users.mobile-proxy = {
 			description = "mobile-proxy Service User";
+			isSystemUser = true;
+			group = "mobile-proxy";
 		};

 		systemd.services.mobile-proxy = let
@ -250,8 +264,11 @@ in {
 			};
 		};

-		users.extraUsers.matrix-rooms = {
+		users.groups.matrix-rooms = {};
+		users.users.matrix-rooms = {
 			description = "mobile-proxy Service User";
+			isSystemUser = true;
+			group = "matrix-rooms";
 		};

 		systemd.services.matrix-rooms = let
@ -283,12 +300,15 @@ in {

 	"machine-konjassiem-02.cryto.net" = { pkgs, lib, config, ... }@args: {
 		system.stateVersion = "20.03";
+		networking.hostName = "machine-konjassiem-02";

 		imports = [
 			presets.base
 			presets.kvm
 			./hardware-configurations/machine-konjassiem-02.nix
 			(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
+			(trackSystemMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
+			(trackServiceMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
 		];

 		services.postgresql = {
@ -331,13 +351,40 @@ in {
 		};

 		# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
-		systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
+		# systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
+		
+		# Temporary workaround to make opensmtpd sendmail work (ref. https://github.com/NixOS/nixpkgs/issues/103446)
+		# Can remain enabled
+		systemd.services.gitea.serviceConfig.PrivateMounts = lib.mkForce true;
+		systemd.services.gitea.serviceConfig.PrivateTmp = lib.mkForce true;
+		systemd.services.gitea.serviceConfig.ProtectControlGroups = lib.mkForce true;
+		systemd.services.gitea.serviceConfig.ProtectHome = lib.mkForce true;
+		systemd.services.gitea.serviceConfig.ProtectSystem = lib.mkForce "full"; # downgraded from "strict"

+		# Have to be disabled
+		systemd.services.gitea.serviceConfig.LockPersonality = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.MemoryDenyWriteExecute = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.NoNewPrivileges = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.PrivateDevices = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.PrivateUsers = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.ProtectClock = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.ProtectHostname = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.ProtectKernelLogs = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.ProtectKernelModules = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.RestrictAddressFamilies = lib.mkForce [];
+		systemd.services.gitea.serviceConfig.RestrictRealtime = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.RestrictSUIDSGID = lib.mkForce false;
+		systemd.services.gitea.serviceConfig.SystemCallArchitectures = lib.mkForce "";
+		systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce [];
+
+		# FIXME: Healthcheck for this!
 		services.gitea = {
 			enable = true;
 			user = "git";
 			appName = "Cryto Git";
 			repositoryRoot = "/var/lib/repositories";
+			log.level = "Info";

 			domain = "git.cryto.net";
 			httpAddress = "localhost";
@ -351,57 +398,38 @@ in {
 				user = "git";
 			};

-			extraConfig = ''
-				[database]
-				LOG_SQL = false
+			settings = {
+				server = {
+					LOCAL_ROOT_URL = "http://localhost:3000/";
+				};

-				[service]
-				ENABLE_CAPTCHA = true
-				REGISTER_EMAIL_CONFIRM = true
-				ENABLE_NOTIFY_MAIL = true
-				ENABLE_USER_HEATMAP = false
+				database = {
+					LOG_SQL = false;
+				};

-				[security]
-				PASSWORD_COMPLEXITY = off
+				service = {
+					ENABLE_CAPTCHA = true;
+					REGISTER_EMAIL_CONFIRM = true;
+					ENABLE_NOTIFY_MAIL = true;
+					ENABLE_USER_HEATMAP = false;
+				};

-				[session]
-				PROVIDER = file
+				security = {
+					PASSWORD_COMPLEXITY = "off";
+					INTERNAL_TOKEN = lib.mkForce "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2MDU0NzQ1Mzh9.XqS6-ha22VNgtUP_mVkZXCMmst-lO8blFAEpWMSlU5g";
+				};

-				[mailer]
-				ENABLED = true
-				MAILER_TYPE = sendmail
-				FROM = "Cryto Git" <noreply@git.cryto.net>
-				SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
-			'';
+				session = {
+					PROVIDER = "file";
+				};

-			# FIXME: Use this instead of extraConfig in 20.09
-			# settings = {
-			# 	database = {
-			# 		LOG_SQL = false;
-			# 	};
-
-			# 	service = {
-			# 		ENABLE_CAPTCHA = true;
-			# 		REGISTER_EMAIL_CONFIRM = true;
-			# 		ENABLE_NOTIFY_MAIL = true;
-			# 		ENABLE_USER_HEATMAP = false;
-			# 	};
-
-			# 	security = {
-			# 		PASSWORD_COMPLEXITY = "off";
-			# 	};
-
-			# 	session = {
-			# 		PROVIDER = "file";
-			# 	};
-
-			# 	mailer = {
-			# 		ENABLED = true;
-			# 		MAILER_TYPE = "sendmail";
-			# 		FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
-			# 		SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
-			# 	};
-			# };
+				mailer = {
+					ENABLED = true;
+					MAILER_TYPE = "sendmail";
+					FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
+					SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+				};
+			};
 		};

 		# FIXME: DKIM/DMARC
@ -415,4 +443,161 @@ in {
 			'';
 		};
 	};
+
+	"machine-pikachu-02.cryto.net" = { pkgs, lib, config, ... }@args: {
+		system.stateVersion = "19.03";
+		networking.hostName = "machine-pikachu-02";
+
+		imports = [
+			presets.base
+			presets.kvm
+			./hardware-configurations/machine-pikachu-02.nix
+			(tincConfiguration { hostname = "machine-pikachu-02.cryto.net"; nodes = nodes; })
+			(trackSystemMetrics nodes."machine-pikachu-02.cryto.net".internalIpv4)
+			(trackServiceMetrics nodes."machine-pikachu-02.cryto.net".internalIpv4)
+		];
+	};
+
+	"machine-workbot-01.cryto.net" = { pkgs, lib, config, ... }@args: {
+		system.stateVersion = "18.03";
+		networking.hostName = "machine-workbot-01";
+
+		imports = [
+			presets.base
+			./hardware-configurations/machine-workbot-01.nix
+			(tincConfiguration { hostname = "machine-workbot-01.cryto.net"; nodes = nodes; })
+			(trackSystemMetrics "127.0.0.1")
+			(trackServiceMetrics "127.0.0.1")
+			(httpHealthChecks {
+				both = [
+					"hydra.cryto.net"
+					"prometheus.cryto.net"
+					"metrics.cryto.net"
+					# "nix-cache.cryto.net" # Not directory-indexable
+				];
+			})
+		];
+
+		services.nginx = {
+			enable = true;
+			virtualHosts = {
+				"404.cryto.net" = {
+					# Pseudo-hostname just to set a default when no Host header is specified
+					default = true;
+					extraConfig = ''
+						return 404;
+					'';
+				};
+				"hydra.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://localhost:3333/")
+				];
+				"prometheus.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://localhost:9090/")
+				];
+				"metrics.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://localhost:8452/")
+				];
+				"nix-cache.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					{ root = "/var/lib/hydra-builds"; }
+				];
+			};
+		};
+
+		services.postgresql = {
+			enable = true;
+		};
+
+		services.hydra = {
+			enable = true;
+			port = 3333;
+			hydraURL = "http://hydra.cryto.net/";
+			notificationSender = "hydra@cryto.net";
+			useSubstitutes = false;
+			minimumDiskFree = 20;
+			minimumDiskFreeEvaluator = 20;
+			buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) [];
+			extraConfig = ''
+				store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1
+				binary_cache_public_uri = https://nix-cache.cryto.net
+			'';
+		};
+
+		services.prometheus = {
+			enable = true;
+
+			globalConfig = {
+				scrape_interval = "30s";
+			};
+
+			scrapeConfigs = let
+				nameInstance = address: name: {
+					source_labels = [ "__address__" ];
+					target_label = "instance";
+					regex = address;
+					replacement = name;
+				};
+				mapToPort = port: builtins.map (host: "${host.internalIpv4}:${builtins.toString port}");
+				mapToPortRelabel = port: builtins.map (host: (nameInstance "${host.internalIpv4}:${builtins.toString port}" host.friendlyName));
+				# Replace the workbot node (ie. ourselves) with an entry that points directly at localhost instead
+				nodes_ = builtins.attrValues (nodes // {
+					"machine-workbot-01.cryto.net" = {
+						friendlyName = "workbot";
+						internalIpv4 = "localhost";
+					};
+				});
+			in [
+				{
+					job_name = "prometheus";
+					static_configs = [{
+						targets = [
+							"localhost:9090"
+						];
+					}];
+					relabel_configs = [
+						(nameInstance "localhost:9090" "workbot")
+					];
+				} {
+					job_name = "nodes";
+					scrape_interval = "10s";
+					static_configs = [{
+						targets = mapToPort 9100 nodes_;
+					}];
+					relabel_configs = mapToPortRelabel 9100 nodes_;
+				} {
+					job_name = "systemd";
+					scrape_interval = "60s";
+					static_configs = [{
+						targets = mapToPort 9333 nodes_;
+					}];
+					relabel_configs = mapToPortRelabel 9333 nodes_;
+				}
+			];
+		};
+
+		services.grafana = {
+			enable = true;
+			port = 8452;
+			rootUrl = "https://metrics.cryto.net/";
+
+			security = let
+				credentials = import ../private/grafana-credentials.nix;
+			in {
+				adminUser = credentials.username;
+				adminPassword = credentials.password;
+			};
+
+			auth = {
+				anonymous.enable = true;
+			};
+		};
+
+		networking.firewall.allowedTCPPorts = [
+			80
+			443
+		];
+	};
 }
--- a/configuration/hardware-configurations/machine-pikachu-02.nix
+++ b/configuration/hardware-configurations/machine-pikachu-02.nix
@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.loader.grub.device = lib.mkForce "/dev/vda";
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/17286b1d-6bbb-42cb-9f61-078c4a0c2171";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/f7a09e71-19fa-437d-bb07-841c42f49ec5";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/8a51e276-166b-4664-9f47-92e07ceb0587"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 2;
+}
+
--- a/configuration/hardware-configurations/machine-workbot-01.nix
+++ b/configuration/hardware-configurations/machine-workbot-01.nix
@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+{
+	/* Begin hardware configuration section */
+	boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+	boot.kernelModules = [ "kvm-intel" ];
+	boot.extraModulePackages = [ ];
+	swapDevices = [ ];
+	nix.maxJobs = pkgs.lib.mkDefault 8;
+	powerManagement.cpuFreqGovernor = pkgs.lib.mkDefault "powersave";
+	hardware.enableRedistributableFirmware = true;
+	/* End hardware configuration section */
+
+	boot.loader.grub = {
+		enable = true;
+		version = 2;
+		device = "/dev/sda";
+	};
+
+	fileSystems = {
+		"/" = {
+			device = "/dev/disk/by-label/nix";
+			fsType = "ext4";
+		};
+		"/boot" = {
+			device = "/dev/disk/by-label/boot";
+			fsType = "ext4";
+		};
+	};
+
+	# networking = {
+	# 	hostName = "workbot";
+	# };
+}
--- a/configuration/lib/http-health-checks.nix
+++ b/configuration/lib/http-health-checks.nix
@ -0,0 +1,20 @@
+{ http ? [], https ? [], both ? [] }:
+	{ pkgs, lib, ... }:
+		{
+			deployment.healthChecks.http = let
+				makeHostChecker = { protocol, port }: host: {
+					scheme = protocol;
+					port = port;
+					path = "/";
+					host = host;
+					description = "${host} (${protocol} :${toString port}) is up";
+				};
+				allHttpHosts = http ++ both;
+				allHttpsHosts = https ++ both;
+				generateHttpChecks = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
+				generateHttpsChecks = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
+			in lib.mkMerge [
+				(generateHttpChecks allHttpHosts)
+				(generateHttpsChecks allHttpsHosts)
+			];
+		}
--- a/configuration/lib/tinc-configuration.nix
+++ b/configuration/lib/tinc-configuration.nix
@ -31,18 +31,29 @@
 			};

 			hosts = let
-				mapper = nodeName: nodeConfiguration:
-					lib.nameValuePair
-						/* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
-						( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
-						( generateConfiguration {
-							# Address = nodeName;
-							/* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
-							Address = nodeConfiguration.ipv4;
-							Subnet = "${nodeConfiguration.internalIpv4}/32";
-							Ed25519PublicKey = nodeConfiguration.tincPublicKey;
-						} );
-			in lib.mapAttrs' mapper nodes;
+				escapeHostname = hostname: builtins.replaceStrings [ "." "-" ] [ "_" "_" ] hostname;
+				stripSuffix = hostname: builtins.head (builtins.match "^(.+?)\.cryto\.net$" hostname);
+				makeMapper = keyMapper: (
+					nodeName: nodeConfiguration:
+						lib.nameValuePair
+							/* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
+							# ( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
+							( keyMapper nodeName )
+							( generateConfiguration {
+								# Address = nodeName;
+								/* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
+								Address = nodeConfiguration.ipv4;
+								Subnet = "${nodeConfiguration.internalIpv4}/32";
+								Ed25519PublicKey = nodeConfiguration.tincPublicKey;
+							} )
+				);
+				# NOTE: We generate both hostname formats and then just use one, since this seems to keep changing... this makes it easier to revert later
+				mapperA = makeMapper ( nodeName: escapeHostname (stripSuffix nodeName) );
+				mapperB = makeMapper ( nodeName: escapeHostname nodeName );
+				hostsA = lib.mapAttrs' mapperA nodes;
+				# hostsB = lib.mapAttrs' mapperB nodes;
+				hostsB = {};
+			in hostsA // hostsB;
 		};

 		# networking.interfaces."tinc.cryto".ipv4.addresses = [{
--- a/configuration/lib/track-service-metrics.nix
+++ b/configuration/lib/track-service-metrics.nix
@ -0,0 +1,18 @@
+listenAddress: {
+	systemd.extraConfig = ''
+		DefaultCPUAccounting=yes
+		DefaultIOAccounting=yes
+		DefaultIPAccounting=yes
+		DefaultBlockIOAccounting=yes
+		DefaultMemoryAccounting=yes
+		DefaultTasksAccounting=yes
+	'';
+
+	services.cadvisor = {
+		enable = true;
+		port = 9333;
+		listenAddress = listenAddress;
+	};
+
+	virtualisation.docker.enable = false;
+}
--- a/configuration/lib/track-system-metrics.nix
+++ b/configuration/lib/track-system-metrics.nix
@ -0,0 +1,14 @@
+listenAddress: {
+	services.prometheus = {
+		exporters = {
+			node = {
+				enable = true;
+				listenAddress = listenAddress;
+				enabledCollectors = [
+					# FIXME: Move to track-service-metrics instead!
+					"systemd"
+				];
+			};
+		};
+	};
+}
--- a/configuration/packages/matrix-rooms/default.nix
+++ b/configuration/packages/matrix-rooms/default.nix
@ -7,12 +7,12 @@
 				owner = "joepie91";
 				repo = "matrix-room-list-viewer";
 				rev = "5912b79024cba33ee7e291f325d0286b8304af99";
-				sha256 = "199in3m3vll0i0qsz869x2q6zqn1xxgyvia3fxnmschvfmybbf8r";
+				sha256 = "1mjygxgk79qhr4kwqcw66x01q9bj6dchq6ksw3k7bj5wkv3pzn90";
 			};

 			buildCommand = ''
 				mkdir -p $out
-				tar -xzvf $src -C $out
+				tar --strip-components=1 -xzvf $src -C $out
 			'';
 		};
 	}
--- a/configuration/packages/mobile-proxy/default.nix
+++ b/configuration/packages/mobile-proxy/default.nix
@ -7,12 +7,12 @@
 				owner = "joepie91";
 				repo = "mobile-proxy";
 				rev = "1628f4be61621c1783e93ef6719b1dae4f352be8";
-				sha256 = "1d9zc3phflsi2gsi7hmzybr0q983x7155bildvlbc7za3y8hry78";
+				sha256 = "1qi07psj88fqlsyr6kaypaxq9ayhc95pp66qa53ln0w58yvjgims";
 			};

 			buildCommand = ''
 				mkdir -p $out
-				tar -xzvf $src -C $out
+				tar --strip-components=1 -xzvf $src -C $out
 				cp ${configFile} $out/config.jsx
 			'';
 		};
--- a/configuration/presets/base.nix
+++ b/configuration/presets/base.nix
@ -43,4 +43,6 @@
 			acceptTerms = true;
 			email = "admin+certs@cryto.net";
 		};
+
+		networking.firewall.logRefusedConnections = false;
 	}
--- a/configuration/sources/modular-matrix/index.html
+++ b/configuration/sources/modular-matrix/index.html
@ -14,7 +14,7 @@
 		Hi! This will eventually be the website for Modular Matrix, a project to build a modular JavaScript SDK for the <a href="https://matrix.org">Matrix protocol</a>, as an alternative to the <code>matrix-js-sdk</code>.
 	</p>
 	<p>
-		Currently there's not much here yet, though you can have a look at the <a href="https://www.npmjs.com/org/modular-matrix?tab=packages">already-published packages</a> if you're curious about how things are going.
+		Currently there's not much here yet, though you can have a look at the <a href="https://www.npmjs.com/org/modular-matrix?tab=packages">already-published packages</a> if you're curious about how things are going. Most of the ongoing work currently lives in the <a href="https://git.cryto.net/modular-matrix/client/src/branch/master/src/packages">client repository</a>, and will be split out into separate modules as individual pieces are completed.
 	</p>
 	<p>
 		You can contact me on Matrix as <a href="https://matrix.to/#/@joepie91:pixie.town">@joepie91:pixie.town</a>.