diff --git a/configuration/data/nodes.nix b/configuration/data/nodes.nix
index 8726a5a..be7d31d 100644
--- a/configuration/data/nodes.nix
+++ b/configuration/data/nodes.nix
@@ -1,17 +1,32 @@
 {
+ "machine-workbot-01.cryto.net" = {
+ friendlyName = "workbot";
+ ipv4 = "148.251.195.23";
+ internalIpv4 = "10.217.0.1";
+ tincPublicKey = builtins.readFile ./tinc-keys/machine-workbot-01.cryto.net.pub;
+ };
 "machine-haless-03.cryto.net" = {
+ friendlyName = "haless";
 ipv4 = "31.7.187.145";
 internalIpv4 = "10.217.0.5";
 tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub;
 };
 "machine-borg2-01.cryto.net" = {
+ friendlyName = "borg2";
 ipv4 = "205.185.121.93";
 internalIpv4 = "10.217.0.6";
 tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
 };
 "machine-konjassiem-02.cryto.net" = {
+ friendlyName = "konjassiem";
 ipv4 = "81.4.122.123";
 internalIpv4 = "10.217.0.7";
 tincPublicKey = builtins.readFile ./tinc-keys/machine-konjassiem-02.cryto.net.pub;
 };
+ "machine-pikachu-02.cryto.net" = {
+ friendlyName = "pikachu";
+ ipv4 = "2.59.133.101";
+ internalIpv4 = "10.217.0.8";
+ tincPublicKey = builtins.readFile ./tinc-keys/machine-pikachu-02.cryto.net.pub;
+ };
 }
diff --git a/configuration/data/tinc-keys/machine-pikachu-02.cryto.net.pub b/configuration/data/tinc-keys/machine-pikachu-02.cryto.net.pub
new file mode 100644
index 0000000..9b191f1
--- /dev/null
+++ b/configuration/data/tinc-keys/machine-pikachu-02.cryto.net.pub
@@ -0,0 +1 @@
+YfaykKs117gIGXbcLcc+asUqX5goF97EKIoLLgYZ4uG
diff --git a/configuration/data/tinc-keys/machine-workbot-01.cryto.net.pub b/configuration/data/tinc-keys/machine-workbot-01.cryto.net.pub
new file mode 100644
index 0000000..973760e
--- /dev/null
+++ b/configuration/data/tinc-keys/machine-workbot-01.cryto.net.pub
@@ -0,0 +1 @@
+r+f4yLySll2Qx4m1aTba4wGteFTP38jq2EqINpgz5XJ
diff --git a/configuration/default.nix b/configuration/default.nix
index 30216d7..efea59e 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix @@ -13,7 +13,7 @@ let }) ]; }; - pkgs = (import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz") nixpkgsOptions); + pkgs = (import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz") nixpkgsOptions); presets = { base = (import ./presets/base.nix); kvm = (import ./presets/kvm.nix); @@ -25,6 +25,9 @@ let }; nodes = (import ./data/nodes.nix); tincConfiguration = (import ./lib/tinc-configuration.nix); + trackSystemMetrics = (import ./lib/track-system-metrics.nix); + trackServiceMetrics = (import ./lib/track-service-metrics.nix); + httpHealthChecks = (import ./lib/http-health-checks.nix); in { network = { inherit pkgs; @@ -33,6 +36,7 @@ in { "machine-borg2-01.cryto.net" = { pkgs, lib, ... }: { system.stateVersion = "18.09"; + networking.hostName = "machine-borg2-01"; # FIXME: Why is this needed? nixpkgs.overlays = []; @@ -42,6 +46,8 @@ in { presets.kvm ./hardware-configurations/machine-borg2-01.nix (tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; }) + (trackSystemMetrics nodes."machine-borg2-01.cryto.net".internalIpv4) + (trackServiceMetrics nodes."machine-borg2-01.cryto.net".internalIpv4) ]; boot.loader.grub.device = lib.mkForce "/dev/vda"; @@ -71,6 +77,7 @@ in { group = "backup-f0x"; authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+dwsWe1/ujR0N4IxPv7mfyiuKWURc6QwYNJ+VV8KA6 f0x@behemoth" ]; authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra" 
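Review bot: The nixpkgs source in the first hunk is still a moving branch tarball with no hash: `fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz"` resolves to whatever that branch points at on each evaluation, and nothing verifies what was downloaded before it is imported and deployed to every node. Pinning a commit and supplying the hash makes the deployment reproducible and tamper-evident, e.g. `pkgs = (import (fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<pinned-commit>.tar.gz"; sha256 = "<sha256-placeholder>"; }) nixpkgsOptions);`. The same pattern existed before this change, so it is a pre-existing gap that the channel bump is a natural moment to close.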
@@ -94,41 +101,37 @@ in { "machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args: { system.stateVersion = "19.03"; + networking.hostName = "machine-haless-03"; imports = [ presets.base presets.kvm ./hardware-configurations/machine-haless-03.nix (tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; }) - ]; - - deployment.healthChecks.http = let - makeHostChecker = { protocol, port }: host: { - scheme = protocol; - port = port; - path = "/"; - host = host; - description = "${host} (${protocol} :${toString port}) is up"; - }; - httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts; - httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts; - in lib.mkMerge [ - (httpHosts [ - "iomfats.cryto.net" - "castleroland.cryto.net" - "awesomedude.cryto.net" - "matrix-rooms.cryto.net" - "validatem.cryto.net" - "nixos-manual-mdx.cryto.net" - ]) - (httpsHosts [ - "iomfats.cryto.net" - "castleroland.cryto.net" - "awesomedude.cryto.net" - "matrix-rooms.cryto.net" - "validatem.cryto.net" - "nixos-manual-mdx.cryto.net" - ]) + (trackSystemMetrics nodes."machine-haless-03.cryto.net".internalIpv4) + (trackServiceMetrics nodes."machine-haless-03.cryto.net".internalIpv4) + (httpHealthChecks { + http = [ + "iomfats.cryto.net" + "castleroland.cryto.net" + "awesomedude.cryto.net" + "matrix-rooms.cryto.net" + "validatem.cryto.net" + "nixos-manual-mdx.cryto.net" + "geojson.cryto.net" + "ossworks.nl" + ]; + https = [ + "iomfats.cryto.net" + "castleroland.cryto.net" + "awesomedude.cryto.net" + "matrix-rooms.cryto.net" + "validatem.cryto.net" + "nixos-manual-mdx.cryto.net" + "geojson.cryto.net" + "ossworks.nl" + ]; + }) ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; 
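Review bot: The `http` and `https` lists passed to `httpHealthChecks` in this hunk are identical, so the helper's `both` parameter (which the workbot node uses elsewhere in this commit) would express the intent with a single list: `(httpHealthChecks { both = [ "iomfats.cryto.net" … "ossworks.nl" ]; })`. Keeping two copies means a host added to only one of them later silently gets half the checks. The enclosing node definition continues after this hunk.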
@@ -166,6 +169,10 @@ in { (nginxPresets.letsEncrypt) { root = ./sources/modular-matrix; } ]; + "geojson.cryto.net" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + { root = ../../image-to-geojson/static; } + ]; # "validatem.cryto.net" = lib.mkMerge [ # (nginxPresets.letsEncrypt) # { root = ./sources/validatem-site; } @@ -174,6 +181,10 @@ in { (nginxPresets.letsEncrypt) { root = ../../validatem/site/build; } ]; + "ossworks.nl" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + { root = ../../ossworks-site/build; } + ]; "nixos-manual-mdx.cryto.net" = lib.mkMerge [ (nginxPresets.letsEncrypt) { root = ../../nixos-manual-mdx/build; } @@ -222,8 +233,11 @@ in { }; }; - users.extraUsers.mobile-proxy = { + users.groups.mobile-proxy = {}; + users.users.mobile-proxy = { description = "mobile-proxy Service User"; + isSystemUser = true; + group = "mobile-proxy"; }; systemd.services.mobile-proxy = let @@ -250,8 +264,11 @@ in { }; }; - users.extraUsers.matrix-rooms = { + users.groups.matrix-rooms = {}; + users.users.matrix-rooms = { description = "mobile-proxy Service User"; + isSystemUser = true; + group = "matrix-rooms"; }; systemd.services.matrix-rooms = let @@ -283,12 +300,15 @@ in { "machine-konjassiem-02.cryto.net" = { pkgs, lib, config, ... }@args: { system.stateVersion = "20.03"; + networking.hostName = "machine-konjassiem-02"; imports = [ presets.base presets.kvm ./hardware-configurations/machine-konjassiem-02.nix (tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; }) + (trackSystemMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4) + (trackServiceMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4) ]; services.postgresql = { 
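Review bot: In the `users.users.matrix-rooms` hunk the description still reads `"mobile-proxy Service User"`, which looks like a copy-paste leftover now that the user definition is being rewritten; `description = "matrix-rooms Service User";` would match the `users.groups.matrix-rooms` line directly above it. The migration to `users.users` with `isSystemUser = true` and a dedicated group is the right shape for 21.11. The enclosing node definition starts and ends outside this hunk.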
@@ -331,13 +351,40 @@ in { }; # NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks - systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap"; - + # systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap"; + + # Temporary workaround to make opensmtpd sendmail work (ref. https://github.com/NixOS/nixpkgs/issues/103446) + # Can remain enabled + systemd.services.gitea.serviceConfig.PrivateMounts = lib.mkForce true; + systemd.services.gitea.serviceConfig.PrivateTmp = lib.mkForce true; + systemd.services.gitea.serviceConfig.ProtectControlGroups = lib.mkForce true; + systemd.services.gitea.serviceConfig.ProtectHome = lib.mkForce true; + systemd.services.gitea.serviceConfig.ProtectSystem = lib.mkForce "full"; # downgraded from "strict" + + # Have to be disabled + systemd.services.gitea.serviceConfig.LockPersonality = lib.mkForce false; + systemd.services.gitea.serviceConfig.MemoryDenyWriteExecute = lib.mkForce false; + systemd.services.gitea.serviceConfig.NoNewPrivileges = lib.mkForce false; + systemd.services.gitea.serviceConfig.PrivateDevices = lib.mkForce false; + systemd.services.gitea.serviceConfig.PrivateUsers = lib.mkForce false; + systemd.services.gitea.serviceConfig.ProtectClock = lib.mkForce false; + systemd.services.gitea.serviceConfig.ProtectHostname = lib.mkForce false; + systemd.services.gitea.serviceConfig.ProtectKernelLogs = lib.mkForce false; + systemd.services.gitea.serviceConfig.ProtectKernelModules = lib.mkForce false; + systemd.services.gitea.serviceConfig.ProtectKernelTunables = lib.mkForce false; + systemd.services.gitea.serviceConfig.RestrictAddressFamilies = lib.mkForce []; + systemd.services.gitea.serviceConfig.RestrictRealtime = lib.mkForce false; 
+ systemd.services.gitea.serviceConfig.RestrictSUIDSGID = lib.mkForce false; + systemd.services.gitea.serviceConfig.SystemCallArchitectures = lib.mkForce ""; + systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce []; + + # FIXME: Healthcheck for this! services.gitea = { enable = true; user = "git"; appName = "Cryto Git"; repositoryRoot = "/var/lib/repositories"; + log.level = "Info"; domain = "git.cryto.net"; httpAddress = "localhost"; 
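Review bot: The run of `lib.mkForce false` overrides in this hunk turns off essentially the whole sandbox of the gitea unit (`PrivateDevices`, `PrivateUsers`, `ProtectKernel*`, `RestrictAddressFamilies = []`, `SystemCallArchitectures = ""`, `SystemCallFilter = []`), which is far broader than the cited setuid-sendmail problem; the previous workaround, now commented out, only dropped `setuid` from the syscall filter. For a setuid `sendmail` the options that plausibly have to change are `NoNewPrivileges`, `RestrictSUIDSGID` and the syscall filter (possibly `PrivateUsers`, if user namespaces are what breaks it — I cannot confirm that from here); the rest can likely stay at the module defaults and should be re-enabled one at a time rather than disabled wholesale. The `# Can remain enabled` / `# Have to be disabled` comments would be far more useful if each named the concrete failure its override fixes, since a web application with an empty syscall filter and no `NoNewPrivileges` has a much larger blast radius than the previous state. The `services.gitea` block this belongs to continues past the hunk.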
@@ -351,57 +398,38 @@ in { user = "git"; }; - extraConfig = '' - [database] - LOG_SQL = false - - [service] - ENABLE_CAPTCHA = true - REGISTER_EMAIL_CONFIRM = true - ENABLE_NOTIFY_MAIL = true - ENABLE_USER_HEATMAP = false - - [security] - PASSWORD_COMPLEXITY = off - - [session] - PROVIDER = file - - [mailer] - ENABLED = true - MAILER_TYPE = sendmail - FROM = "Cryto Git" - SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail - ''; + settings = { + server = { + LOCAL_ROOT_URL = "http://localhost:3000/"; + }; + + database = { + LOG_SQL = false; + }; + + service = { + ENABLE_CAPTCHA = true; + REGISTER_EMAIL_CONFIRM = true; + ENABLE_NOTIFY_MAIL = true; + ENABLE_USER_HEATMAP = false; + }; + + security = { + PASSWORD_COMPLEXITY = "off"; + INTERNAL_TOKEN = lib.mkForce "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2MDU0NzQ1Mzh9.XqS6-ha22VNgtUP_mVkZXCMmst-lO8blFAEpWMSlU5g"; + }; - # FIXME: Use this instead of extraConfig in 20.09 - # settings = { - # database = { - # LOG_SQL = false; - # }; - - # service = { - # ENABLE_CAPTCHA = true; - # REGISTER_EMAIL_CONFIRM = true; - # ENABLE_NOTIFY_MAIL = true; - # ENABLE_USER_HEATMAP = false; - # }; - - # security = { - # PASSWORD_COMPLEXITY = "off"; - # }; - - # session = { - # PROVIDER = "file"; - # }; - - # mailer = { - # ENABLED = true; - # MAILER_TYPE = "sendmail"; - # FROM = "\"Cryto Git\" "; - # SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; - # }; - # }; + session = { + PROVIDER = "file"; + }; + + mailer = { + ENABLED = true; + MAILER_TYPE = "sendmail"; + FROM = "\"Cryto Git\" "; + SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; + }; + }; }; # FIXME: DKIM/DMARC 
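Review bot: `INTERNAL_TOKEN = lib.mkForce "…"` in the `security` section commits a literal Gitea internal token to the repository and, via `settings`, renders it into the generated `app.ini` in the world-readable Nix store; a token that has been committed should be treated as disclosed and regenerated. The NixOS gitea module generates this token itself on first start into the state directory, so the override can likely be dropped altogether, or, if a fixed value is genuinely required, it should be read from a file outside the store at activation time rather than placed in `settings`. I have not reproduced why the `mkForce` was needed, so confirm the module's own generation covers this case on 21.11 before removing it. The `services.gitea` block starts before this hunk.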
@@ -415,4 +443,161 @@ in { ''; }; }; + + "machine-pikachu-02.cryto.net" = { pkgs, lib, config, ... }@args: { + system.stateVersion = "19.03"; + networking.hostName = "machine-pikachu-02"; + + imports = [ + presets.base + presets.kvm + ./hardware-configurations/machine-pikachu-02.nix + (tincConfiguration { hostname = "machine-pikachu-02.cryto.net"; nodes = nodes; }) + (trackSystemMetrics nodes."machine-pikachu-02.cryto.net".internalIpv4) + (trackServiceMetrics nodes."machine-pikachu-02.cryto.net".internalIpv4) + ]; + }; + + "machine-workbot-01.cryto.net" = { pkgs, lib, config, ... }@args: { + system.stateVersion = "18.03"; + networking.hostName = "machine-workbot-01"; + + imports = [ + presets.base + ./hardware-configurations/machine-workbot-01.nix + (tincConfiguration { hostname = "machine-workbot-01.cryto.net"; nodes = nodes; }) + (trackSystemMetrics "127.0.0.1") + (trackServiceMetrics "127.0.0.1") + (httpHealthChecks { + both = [ + "hydra.cryto.net" + "prometheus.cryto.net" + "metrics.cryto.net" + # "nix-cache.cryto.net" # Not directory-indexable + ]; + }) + ]; + + services.nginx = { + enable = true; + virtualHosts = { + "404.cryto.net" = { + # Pseudo-hostname just to set a default when no Host header is specified + default = true; + extraConfig = '' + return 404; + ''; + }; + "hydra.cryto.net" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + (nginxPresets.reverseProxy "http://localhost:3333/") + ]; + "prometheus.cryto.net" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + (nginxPresets.reverseProxy "http://localhost:9090/") + ]; + "metrics.cryto.net" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + (nginxPresets.reverseProxy "http://localhost:8452/") + ]; + "nix-cache.cryto.net" = lib.mkMerge [ + (nginxPresets.letsEncrypt) + { root = "/var/lib/hydra-builds"; } + ]; + }; + }; + + services.postgresql = { + enable = true; + }; + + services.hydra = { + enable = true; + port = 3333; + hydraURL = "http://hydra.cryto.net/"; + notificationSender = "hydra@cryto.net"; + 
useSubstitutes = false; + minimumDiskFree = 20; + minimumDiskFreeEvaluator = 20; + buildMachinesFiles = pkgs.lib.mkIf (config.nix.buildMachines == []) []; + extraConfig = '' + store_uri = file:///var/lib/hydra-builds?secret-key=/var/lib/hydra/binary-cache.key&write-nar-listing=1 + binary_cache_public_uri = https://nix-cache.cryto.net + ''; + }; + + services.prometheus = { + enable = true; + + globalConfig = { + scrape_interval = "30s"; + }; + + scrapeConfigs = let + nameInstance = address: name: { + source_labels = [ "__address__" ]; + target_label = "instance"; + regex = address; + replacement = name; + }; + mapToPort = port: builtins.map (host: "${host.internalIpv4}:${builtins.toString port}"); + mapToPortRelabel = port: builtins.map (host: (nameInstance "${host.internalIpv4}:${builtins.toString port}" host.friendlyName)); + # Replace the workbot node (ie. ourselves) with an entry that points directly at localhost instead + nodes_ = builtins.attrValues (nodes // { + "machine-workbot-01.cryto.net" = { + friendlyName = "workbot"; + internalIpv4 = "localhost"; + }; + }); + in [ + { + job_name = "prometheus"; + static_configs = [{ + targets = [ + "localhost:9090" + ]; + }]; + relabel_configs = [ + (nameInstance "localhost:9090" "workbot") + ]; + } { + job_name = "nodes"; + scrape_interval = "10s"; + static_configs = [{ + targets = mapToPort 9100 nodes_; + }]; + relabel_configs = mapToPortRelabel 9100 nodes_; + } { + job_name = "systemd"; + scrape_interval = "60s"; + static_configs = [{ + targets = mapToPort 9333 nodes_; + }]; + relabel_configs = mapToPortRelabel 9333 nodes_; + } + ]; + }; + + services.grafana = { + enable = true; + port = 8452; + rootUrl = "https://metrics.cryto.net/"; + + security = let + credentials = import ../private/grafana-credentials.nix; + in { + adminUser = credentials.username; + adminPassword = credentials.password; + }; + + auth = { + anonymous.enable = true; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; } 
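Review bot: `prometheus.cryto.net` publishes the Prometheus API on `localhost:9090` to the internet through `nginxPresets.reverseProxy` with no authentication visible in this hunk; Prometheus has none of its own, so every scraped series, including the tinc-internal addresses and unit names from the `nodes` and `systemd` jobs, is readable by anyone unless the preset (outside this view) adds it. Since Grafana already fronts it, the vhost could be dropped, or protected with `basicAuthFile` on the nginx side. Separately, `adminPassword = credentials.password` is rendered into Grafana's config in the world-readable Nix store — the module's `adminPasswordFile` option (confirm it is present in 21.11) avoids that — and `auth.anonymous.enable = true` grants every visitor read access to all dashboards, which should be a documented choice.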
diff --git a/configuration/hardware-configurations/machine-pikachu-02.nix b/configuration/hardware-configurations/machine-pikachu-02.nix new file mode 100644 index 0000000..26d366b --- /dev/null +++ b/configuration/hardware-configurations/machine-pikachu-02.nix @@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.loader.grub.device = lib.mkForce "/dev/vda"; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/17286b1d-6bbb-42cb-9f61-078c4a0c2171"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/f7a09e71-19fa-437d-bb07-841c42f49ec5"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/8a51e276-166b-4664-9f47-92e07ceb0587"; } + ]; + + nix.maxJobs = lib.mkDefault 2; +} + diff --git a/configuration/hardware-configurations/machine-workbot-01.nix b/configuration/hardware-configurations/machine-workbot-01.nix new file mode 100644 index 0000000..dfd2696 --- /dev/null +++ b/configuration/hardware-configurations/machine-workbot-01.nix 
@@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +{ + /* Begin hardware configuration section */ + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + swapDevices = [ ]; + nix.maxJobs = pkgs.lib.mkDefault 8; + powerManagement.cpuFreqGovernor = pkgs.lib.mkDefault "powersave"; + hardware.enableRedistributableFirmware = true; + /* End hardware configuration section */ + + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/sda"; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/nix"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + }; + + # networking = { + # hostName = "workbot"; + # }; +} diff --git a/configuration/lib/http-health-checks.nix b/configuration/lib/http-health-checks.nix new file mode 100644 index 0000000..a60fa33 --- /dev/null +++ b/configuration/lib/http-health-checks.nix @@ -0,0 +1,20 @@ +{ http ? [], https ? [], both ? [] }: + { pkgs, lib, ... }: + { + deployment.healthChecks.http = let + makeHostChecker = { protocol, port }: host: { + scheme = protocol; + port = port; + path = "/"; + host = host; + description = "${host} (${protocol} :${toString port}) is up"; + }; + allHttpHosts = http ++ both; + allHttpsHosts = https ++ both; + generateHttpChecks = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts; + generateHttpsChecks = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts; + in lib.mkMerge [ + (generateHttpChecks allHttpHosts) + (generateHttpsChecks allHttpsHosts) + ]; + } diff --git a/configuration/lib/tinc-configuration.nix b/configuration/lib/tinc-configuration.nix index e65d738..5702ce9 100644 --- a/configuration/lib/tinc-configuration.nix +++ b/configuration/lib/tinc-configuration.nix 
@@ -31,18 +31,29 @@
 };
 
 hosts = let
- mapper = nodeName: nodeConfiguration:
- lib.nameValuePair
- /* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
- ( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
- ( generateConfiguration {
- # Address = nodeName;
- /* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
- Address = nodeConfiguration.ipv4;
- Subnet = "${nodeConfiguration.internalIpv4}/32";
- Ed25519PublicKey = nodeConfiguration.tincPublicKey;
- } );
- in lib.mapAttrs' mapper nodes;
+ escapeHostname = hostname: builtins.replaceStrings [ "." "-" ] [ "_" "_" ] hostname;
+ stripSuffix = hostname: builtins.head (builtins.match "^(.+?)\.cryto\.net$" hostname);
+ makeMapper = keyMapper: (
+ nodeName: nodeConfiguration:
+ lib.nameValuePair
+ /* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
+ # ( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
+ ( keyMapper nodeName )
+ ( generateConfiguration {
+ # Address = nodeName;
+ /* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
+ Address = nodeConfiguration.ipv4;
+ Subnet = "${nodeConfiguration.internalIpv4}/32";
+ Ed25519PublicKey = nodeConfiguration.tincPublicKey;
+ } )
+ );
+ # NOTE: We generate both hostname formats and then just use one, since this seems to keep changing... this makes it easier to revert later
+ mapperA = makeMapper ( nodeName: escapeHostname (stripSuffix nodeName) );
+ mapperB = makeMapper ( nodeName: escapeHostname nodeName );
+ hostsA = lib.mapAttrs' mapperA nodes;
+ # hostsB = lib.mapAttrs' mapperB nodes;
+ hostsB = {};
+ in hostsA // hostsB;
 };
 
 # networking.interfaces."tinc.cryto".ipv4.addresses = [{
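Review bot: In `stripSuffix` the regex `"^(.+?)\.cryto\.net$"` does not escape the dots as intended: inside a Nix double-quoted string `\.` is just `.`, so `builtins.match` sees `^(.+?).cryto.net$` where each dot matches any character, and the lazy `+?` is not a POSIX ERE construct (the grammar `builtins.match` uses), so its behaviour is unspecified. `stripSuffix = hostname: builtins.head (builtins.match "^(.+)\\.cryto\\.net$" hostname);` expresses the intent. Note also that `builtins.match` returns `null` for a name without that suffix and `builtins.head null` then aborts evaluation, which is acceptable for the current node list but deserves a one-line comment, and `mapperB` is now defined but unused since `hostsB = {}`. The `hosts = let … in` binding starts before this hunk.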
diff --git a/configuration/lib/track-service-metrics.nix b/configuration/lib/track-service-metrics.nix
new file mode 100644
index 0000000..7b1c373
--- /dev/null
+++ b/configuration/lib/track-service-metrics.nix
@@ -0,0 +1,18 @@
+listenAddress: {
+ systemd.extraConfig = ''
+ DefaultCPUAccounting=yes
+ DefaultIOAccounting=yes
+ DefaultIPAccounting=yes
+ DefaultBlockIOAccounting=yes
+ DefaultMemoryAccounting=yes
+ DefaultTasksAccounting=yes
+ '';
+
+ services.cadvisor = {
+ enable = true;
+ port = 9333;
+ listenAddress = listenAddress;
+ };
+
+ virtualisation.docker.enable = false;
+}
diff --git a/configuration/lib/track-system-metrics.nix b/configuration/lib/track-system-metrics.nix
new file mode 100644
index 0000000..eee906e
--- /dev/null
+++ b/configuration/lib/track-system-metrics.nix
@@ -0,0 +1,14 @@
+listenAddress: {
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ listenAddress = listenAddress;
+ enabledCollectors = [
+ # FIXME: Move to track-service-metrics instead!
+ "systemd"
+ ];
+ };
+ };
+ };
+}
diff --git a/configuration/packages/matrix-rooms/default.nix b/configuration/packages/matrix-rooms/default.nix
index e464ff2..02e4869 100644
--- a/configuration/packages/matrix-rooms/default.nix
+++ b/configuration/packages/matrix-rooms/default.nix
@@ -7,12 +7,12 @@
 owner = "joepie91";
 repo = "matrix-room-list-viewer";
 rev = "5912b79024cba33ee7e291f325d0286b8304af99";
- sha256 = "199in3m3vll0i0qsz869x2q6zqn1xxgyvia3fxnmschvfmybbf8r";
+ sha256 = "1mjygxgk79qhr4kwqcw66x01q9bj6dchq6ksw3k7bj5wkv3pzn90";
 };
 
 buildCommand = ''
 mkdir -p $out
- tar -xzvf $src -C $out
+ tar --strip-components=1 -xzvf $src -C $out
 '';
 };
 }
diff --git a/configuration/packages/mobile-proxy/default.nix b/configuration/packages/mobile-proxy/default.nix
index 1024793..838be9e 100644
--- a/configuration/packages/mobile-proxy/default.nix
+++ b/configuration/packages/mobile-proxy/default.nix
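Review bot: In the matrix-rooms hunk the `sha256` changes while `rev` stays at `5912b79024cba33ee7e291f325d0286b8304af99`, which normally means the fetched artifact itself changed; the fetch expression sits above the hunk, so I cannot see whether the URL or fetcher was switched (the new `--strip-components=1` suggests a differently laid-out tarball). A one-line comment next to the hash naming the archive URL it covers would make the hash reviewable, since otherwise a changed hash on an unchanged rev is indistinguishable from an upstream substitution. The same applies to the mobile-proxy hunk that follows, where `rev` is likewise unchanged.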
@@ -7,12 +7,12 @@ owner = "joepie91"; repo = "mobile-proxy"; rev = "1628f4be61621c1783e93ef6719b1dae4f352be8"; - sha256 = "1d9zc3phflsi2gsi7hmzybr0q983x7155bildvlbc7za3y8hry78"; + sha256 = "1qi07psj88fqlsyr6kaypaxq9ayhc95pp66qa53ln0w58yvjgims"; }; buildCommand = '' mkdir -p $out - tar -xzvf $src -C $out + tar --strip-components=1 -xzvf $src -C $out cp ${configFile} $out/config.jsx ''; }; diff --git a/configuration/presets/base.nix b/configuration/presets/base.nix index 5ee9949..0590fa7 100644 --- a/configuration/presets/base.nix +++ b/configuration/presets/base.nix @@ -43,4 +43,6 @@ acceptTerms = true; email = "admin+certs@cryto.net"; }; + + networking.firewall.logRefusedConnections = false; } diff --git a/configuration/sources/modular-matrix/index.html b/configuration/sources/modular-matrix/index.html index e55ece0..c5e9463 100644 --- a/configuration/sources/modular-matrix/index.html +++ b/configuration/sources/modular-matrix/index.html @@ -14,7 +14,7 @@ Hi! This will eventually be the website for Modular Matrix, a project to build a modular JavaScript SDK for the Matrix protocol, as an alternative to the matrix-js-sdk.
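Review bot: `networking.firewall.logRefusedConnections = false;` in the base.nix hunk silences refused-connection logging on every node, removing the only default journal record of blocked inbound attempts fleet-wide. If journal noise is the motivation, consider leaving it enabled on the hosts that expose public services, or at least add a comment such as `# Disabled to reduce journal noise; blocked-connection visibility now comes from <metrics source placeholder>` so the loss of visibility is a documented decision rather than an accident. The enclosing attribute set starts outside this hunk.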

- Currently there's not much here yet, though you can have a look at the already-published packages if you're curious about how things are going. + Currently there's not much here yet, though you can have a look at the already-published packages if you're curious about how things are going. Most of the ongoing work currently lives in the client repository, and will be split out into separate modules as individual pieces are completed.

You can contact me on Matrix as @joepie91:pixie.town.