Compare commits
5 commits
1f4fd98883
...
aca275a49e
| Author | SHA1 | Date | |
|---|---|---|---|
|
aca275a49e | ||
|
|
7b58d8af01 | ||
a7def32a75
|
|||
| d6300e6e19 | |||
| c1afcb7768 |
10 changed files with 216 additions and 20 deletions
12
lon.lock
generated
12
lon.lock
generated
|
|
@ -195,10 +195,10 @@
|
|||
"type": "Git",
|
||||
"fetchType": "git",
|
||||
"branch": "dgnum",
|
||||
"revision": "44ccf96bd73c1bbbbcc849cb0f2e0d1f5f75f934",
|
||||
"revision": "fd4ba193ea3eda529ac27b43b206e9e3618b1975",
|
||||
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules",
|
||||
"hash": "sha256-mkrCWowrCje3/TuAG0eAJplrtlz1hYmusSFn93/Ccok=",
|
||||
"lastModified": 1749629064,
|
||||
"hash": "sha256-O/lMCM0qKkd+TBV43Fp9uG3aEbDSc2lI3a5TetNYs0w=",
|
||||
"lastModified": 1749739595,
|
||||
"submodules": false
|
||||
},
|
||||
"nix-pkgs": {
|
||||
|
|
@ -247,9 +247,9 @@
|
|||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"branch": "nixos-25.05",
|
||||
"revision": "6c64dabd3aa85e0c02ef1cdcb6e1213de64baee3",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/6c64dabd3aa85e0c02ef1cdcb6e1213de64baee3.tar.gz",
|
||||
"hash": "sha256-h/aac1dGLhS3qpaD2aZt25NdKY7b+JT0ZIP2WuGsJMU="
|
||||
"revision": "36ab78dab7da2e4e27911007033713bab534187b",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/36ab78dab7da2e4e27911007033713bab534187b.tar.gz",
|
||||
"hash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw="
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"type": "GitHub",
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ lib.extra.mkConfig {
|
|||
"mastodon"
|
||||
# "netbox"
|
||||
"nextcloud"
|
||||
"nimbolus"
|
||||
"ollama-proxy"
|
||||
"opengist"
|
||||
"outline"
|
||||
|
|
|
|||
43
machines/nixos/compute01/nimbolus/default.nix
Normal file
43
machines/nixos/compute01/nimbolus/default.nix
Normal file
|
|
@ -0,0 +1,43 @@
|
|||
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
{
|
||||
pkgs,
|
||||
sources,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
let
|
||||
host = "nimbolus.dgnum.eu";
|
||||
port = 9008;
|
||||
in
|
||||
{
|
||||
imports = [ ./module.nix ];
|
||||
services.nimbolus-tf = {
|
||||
enable = true;
|
||||
package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
|
||||
settings = {
|
||||
LISTEN_ADDR = "127.0.0.1:${toString port}";
|
||||
|
||||
STORAGE_BACKEND = "s3";
|
||||
STORAGE_S3_ENDPOINT = "s3.dgnum.eu";
|
||||
STORAGE_S3_USE_SSL = "true";
|
||||
STORAGE_S3_BUCKET = "nimbolus-dgnum";
|
||||
STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
|
||||
|
||||
# TODO: configure openBAO
|
||||
# AUTH_BASIC_ENABLED = "false";
|
||||
# AUTH_JWT_OIDC_ISSUER_URL = "https://vault.dgnum.eu/v1/identity/oidc";
|
||||
};
|
||||
|
||||
credentials = {
|
||||
KMS_KEY_FILE = config.age.secrets."nimbolus-kms_key".path;
|
||||
STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
|
||||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.nimbolus = {
|
||||
inherit host port;
|
||||
};
|
||||
}
|
||||
104
machines/nixos/compute01/nimbolus/module.nix
Normal file
104
machines/nixos/compute01/nimbolus/module.nix
Normal file
|
|
@ -0,0 +1,104 @@
|
|||
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
sources,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
getExe
|
||||
mapAttrsToList
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkPackageOption
|
||||
mkOption
|
||||
;
|
||||
inherit (lib.types)
|
||||
attrsOf
|
||||
path
|
||||
str
|
||||
;
|
||||
|
||||
cfg = config.services.nimbolus-tf;
|
||||
in
|
||||
{
|
||||
options.services.nimbolus-tf = {
|
||||
enable = mkEnableOption "the nimbolus terraform http backend";
|
||||
package = mkPackageOption (import sources.kat-pkgs { inherit pkgs; }) "nimbolus-tf-backend" {
|
||||
pkgsText = "kat-pkgs";
|
||||
};
|
||||
user = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
User used by the nimbolus server.
|
||||
'';
|
||||
default = "nimbolus";
|
||||
};
|
||||
group = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Group used by the nimbolus server.
|
||||
'';
|
||||
default = "nimbolus";
|
||||
};
|
||||
settings = mkOption {
|
||||
type = attrsOf str;
|
||||
default = { };
|
||||
description = ''
|
||||
Environment variables for nimbolus configuration.
|
||||
'';
|
||||
};
|
||||
credentials = mkOption {
|
||||
type = attrsOf path;
|
||||
default = { };
|
||||
description = ''
|
||||
Files to pass by systemd LoadCredentials.
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.nimbolus-tf = {
|
||||
description = "Nimbolus terraform http backend";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = getExe cfg.package;
|
||||
Environment =
|
||||
mapAttrsToList (name: value: "${name}=${value}") cfg.settings
|
||||
++ mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials;
|
||||
LoadCredential = mapAttrsToList (name: file: "${name}:${file}") cfg.credentials;
|
||||
|
||||
StateDirectory = "nimbolus-tf";
|
||||
StateDirectoryMode = "0700";
|
||||
WorkingDirectory = "/var/lib/nimbolus-tf";
|
||||
|
||||
# Hardening
|
||||
DynamicUser = true;
|
||||
CapabilityBoundingSet = "";
|
||||
PrivateDevices = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
RestrictNamespaces = true;
|
||||
ProtectHostname = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectHome = true;
|
||||
ProtectProc = "noaccess";
|
||||
ProcSubset = "pid";
|
||||
PrivateUsers = true;
|
||||
UMask = "0077";
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = "AF_INET AF_INET6";
|
||||
SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
|
||||
MemoryDenyWriteExecute = true;
|
||||
SystemCallArchitectures = "native";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
BIN
machines/nixos/compute01/secrets/nimbolus-kms_key
Normal file
BIN
machines/nixos/compute01/secrets/nimbolus-kms_key
Normal file
Binary file not shown.
BIN
machines/nixos/compute01/secrets/nimbolus-s3_secret
Normal file
BIN
machines/nixos/compute01/secrets/nimbolus-s3_secret
Normal file
Binary file not shown.
|
|
@ -25,6 +25,8 @@
|
|||
"netbox-environment_file"
|
||||
"nextcloud-adminpass_file"
|
||||
"nextcloud-s3_secret_file"
|
||||
"nimbolus-kms_key"
|
||||
"nimbolus-s3_secret"
|
||||
"opengist-environment_file"
|
||||
"outline-oidc_client_secret_file"
|
||||
"outline-smtp_password_file"
|
||||
|
|
|
|||
|
|
@ -37,8 +37,9 @@
|
|||
"dgn-web"
|
||||
"django-apps"
|
||||
"extranix"
|
||||
"openbao"
|
||||
"forgejo-multiuser-nix-runners"
|
||||
"openbao"
|
||||
"systemd-notify"
|
||||
])
|
||||
++ [
|
||||
"${sources.agenix}/modules/age.nix"
|
||||
|
|
@ -52,7 +53,6 @@
|
|||
"services/forgejo-nix-runners"
|
||||
"services/nginx-sni"
|
||||
"services/reaction"
|
||||
"services/systemd-notify"
|
||||
"services/victorialogs"
|
||||
"services/victoriametrics"
|
||||
]
|
||||
|
|
|
|||
|
|
@ -54,19 +54,16 @@ in
|
|||
};
|
||||
|
||||
services.systemd-notify = {
|
||||
enable = true;
|
||||
command = builtins.toString (
|
||||
pkgs.writeShellScript "sendmail" ''
|
||||
${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
|
||||
To: admins+monitoring@dgnum.eu, ${emails}
|
||||
Subject: [$HOSTNAME] Systemd failure: $1
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
mail = pkgs.writeShellScript "sendmail" ''
|
||||
${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
|
||||
To: admins+monitoring@dgnum.eu, ${emails}
|
||||
Subject: [$HOSTNAME] Systemd failure: $1
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
|
||||
$(systemctl status --full "$1")
|
||||
ERRMAIL
|
||||
''
|
||||
);
|
||||
$(systemctl status --full "$1")
|
||||
ERRMAIL
|
||||
'';
|
||||
};
|
||||
age-secrets.sources = [ ./. ];
|
||||
};
|
||||
|
|
|
|||
49
modules/nixos/systemd-notify.nix
Normal file
49
modules/nixos/systemd-notify.nix
Normal file
|
|
@ -0,0 +1,49 @@
|
|||
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
getExe
|
||||
mapAttrs'
|
||||
mapAttrsToList
|
||||
mkOption
|
||||
mkForce
|
||||
nameValuePair
|
||||
;
|
||||
inherit (lib.types) attrsOf package submodule;
|
||||
|
||||
cfg = config.services.systemd-notify;
|
||||
in
|
||||
|
||||
{
|
||||
options.services.systemd-notify = mkOption {
|
||||
type = attrsOf package;
|
||||
description = ''
|
||||
Commands to execute when a systemd unit fails.
|
||||
Attrs keys will be the unit name and attrs value is the command that
|
||||
will be run with the name of the failed unit as an argument.
|
||||
'';
|
||||
default = { };
|
||||
};
|
||||
|
||||
options.systemd.services = mkOption {
|
||||
type = attrsOf (submodule {
|
||||
config.onFailure = mapAttrsToList (name: _: "${name}@%n.service") cfg;
|
||||
});
|
||||
};
|
||||
|
||||
config.systemd.services = mapAttrs' (
|
||||
name: script:
|
||||
nameValuePair "${name}@" {
|
||||
description = "Run ${name} script on service failures.";
|
||||
onFailure = mkForce [ ]; # Avoid recursive failures
|
||||
serviceConfig = {
|
||||
ExecStart = "${getExe script} %i";
|
||||
Type = "oneshot";
|
||||
};
|
||||
}
|
||||
) cfg;
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue