From d3bfe16f7fa3c7592e9e1eb7bf41d98d1ab4c6c6 Mon Sep 17 00:00:00 2001
From: Constantin Gierczak--Galle
Date: Sat, 7 Dec 2024 16:26:03 +0100
Subject: [PATCH] feat(status01): init (#11)
Reviewed-on: https://git.dgnum.eu/DGNum/lab-infra/pulls/11
Co-authored-by: Constantin Gierczak--Galle
Co-committed-by: Constantin Gierczak--Galle
---
 default.nix | 2 +-
 keys/default.nix | 1 +
 machines/dns01/lab.dgnum.eu.nix | 2 +
 machines/status01/_configuration.nix | 24 +++
 machines/status01/_hardware-configuration.nix | 34 +++++
 machines/status01/nginx.nix | 10 ++
 machines/status01/secrets/secrets.nix | 4 +
 .../secrets/stateless-uptime-kuma-password | 39 +++++
 machines/status01/uptime-kuma.nix | 139 ++++++++++++++++++
 meta/network.nix | 17 +++
 meta/nodes.nix | 8 +
 modules/default.nix | 9 +-
 modules/lab-network.nix | 59 ++++++++
 npins/sources.json | 13 +-
 14 files changed, 356 insertions(+), 5 deletions(-)
 create mode 100644 machines/status01/_configuration.nix
 create mode 100644 machines/status01/_hardware-configuration.nix
 create mode 100644 machines/status01/nginx.nix
 create mode 100644 machines/status01/secrets/secrets.nix
 create mode 100644 machines/status01/secrets/stateless-uptime-kuma-password
 create mode 100644 machines/status01/uptime-kuma.nix
 create mode 100644 modules/lab-network.nix
diff --git a/default.nix b/default.nix
index ac4404e..064ef87 100644
--- a/default.nix
+++ b/default.nix
@@ -71,7 +71,7 @@ in {
 nodes = builtins.mapAttrs (
- host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
+ host: { site, ... }: "${host}.${site}.lab.infra.dgnum.eu"
 ) (import ./meta/nodes.nix);
 mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
diff --git a/keys/default.nix b/keys/default.nix
index b3df704..090d61d 100644
--- a/keys/default.nix
+++ b/keys/default.nix
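Review bot: The node address pattern changed here, `"${host}.${site}.lab.infra.dgnum.eu"`, does not agree with the `networking.domain = "${nodeMeta.site}.infra.lab.dgnum.eu"` that modules/lab-network.nix introduces in the same commit (`lab.infra` vs `infra.lab`), so a node's deploy target and its `networking.fqdn` — which uptime-kuma.nix uses as the ping-probe host and the Host tag — end up under different names. Pick one zone and use it in both files, e.g. `host: { site, ... }: "${host}.${site}.infra.lab.dgnum.eu"` here if the lab-network.nix spelling is the one dns01 actually serves; the diff alone does not show which zone exists.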
@@ -14,6 +14,7 @@ rec {
 _keys = (import "${_sources.infrastructure}/keys")._keys // {
 krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
 router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
+ status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
 };
 getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
diff --git a/machines/dns01/lab.dgnum.eu.nix b/machines/dns01/lab.dgnum.eu.nix
index 1950817..de6d020 100644
--- a/machines/dns01/lab.dgnum.eu.nix
+++ b/machines/dns01/lab.dgnum.eu.nix
@@ -27,6 +27,8 @@ with dns.lib.combinators;
 homebox = host "129.199.146.102" null;
+ status = host "129.199.146.103" null;
+
 # Nameservers
 ns01 = host "45.13.104.26" "2a0e:e701:1120:1000:ffff::45.13.104.26";
diff --git a/machines/status01/_configuration.nix b/machines/status01/_configuration.nix
new file mode 100644
index 0000000..ebce6a4
--- /dev/null
+++ b/machines/status01/_configuration.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ # List of modules to enable
+ ];
+
+ enabledServices = [
+ # List of services to enable
+ "nginx"
+ "uptime-kuma"
+ ];
+
+ extraConfig = {
+ networking = {
+ firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+ };
+
+ root = ./.;
+}
diff --git a/machines/status01/_hardware-configuration.nix b/machines/status01/_hardware-configuration.nix
new file mode 100644
index 0000000..8b0d66a
--- /dev/null
+++ b/machines/status01/_hardware-configuration.nix
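Review bot: `firewall.allowedTCPPorts = [ 80 443 ]` in `extraConfig` duplicates the identical list that machines/status01/uptime-kuma.nix sets in the same commit; the module system merges both so nothing breaks, but an opened port is easier to audit when it is declared once, next to the service that needs it. Dropping the `networking` block from `extraConfig` here (leaving `extraConfig = { };`) and keeping the rule in uptime-kuma.nix, or the reverse, would make the firewall intent traceable to a single place.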
@@ -0,0 +1,34 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ initrd.kernelModules = [ ];
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-partlabel/disk-sda-root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-partlabel/disk-sda-ESP";
+ fsType = "vfat";
+ };
+
+ networking.useDHCP = lib.mkDefault false;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/status01/nginx.nix b/machines/status01/nginx.nix
new file mode 100644
index 0000000..b44aeaa
--- /dev/null
+++ b/machines/status01/nginx.nix
@@ -0,0 +1,10 @@
+{
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ clientMaxBodySize = "500m";
+ };
+}
diff --git a/machines/status01/secrets/secrets.nix b/machines/status01/secrets/secrets.nix
new file mode 100644
index 0000000..2314586
--- /dev/null
+++ b/machines/status01/secrets/secrets.nix
@@ -0,0 +1,4 @@
+(import ../../../keys).mkSecrets [ "status01" ] [
+ # List of secrets for router02
+ "stateless-uptime-kuma-password"
+]
diff --git a/machines/status01/secrets/stateless-uptime-kuma-password b/machines/status01/secrets/stateless-uptime-kuma-password
new file mode 100644
index 0000000..ab28eed
--- /dev/null
+++ b/machines/status01/secrets/stateless-uptime-kuma-password
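Review bot: `clientMaxBodySize = "500m"` applies to every virtual host on a machine whose only proxied service is the Uptime Kuma dashboard, which does not appear to need half-gigabyte request bodies; the value looks carried over from another host's nginx.nix. Unless the status page really needs it, drop the line or leave a comment stating the reason, e.g. `# uptime-kuma needs large bodies for <reason>` with the placeholder filled in.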
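Review bot: The comment `# List of secrets for router02` names the wrong host; this file is `machines/status01/secrets/secrets.nix` and the recipients passed to `mkSecrets` are `[ "status01" ]`. Change it to `# List of secrets for status01` so a later reader does not assume the file was copied without being adapted.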
@@ -0,0 +1,39 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA 53kqaGHoIiBW34TabFATNf+2Nju2FAQm5euxBlp4L2E +65jmuV2qa4FggzatITYncVQNSYTRtKEFZsBbtkQ487A +-> ssh-ed25519 QlRB9Q VwYIAUut50rqvm4nOUZf6Sp/HzyfE1Fg6JSsMF0H53s +euInJsL53RwaCza7OTZNRx+swsXcnN9FUMFMgmSnLug +-> ssh-ed25519 r+nK/Q 4ZxPhgovFEX8cX3mEarpl83i4Gg1IjDBdFwqlqt0p0E +n0oIgVJbCV9wd8GgPm4zDSKU+WPxrpXe1hNOH0M9orE +-> ssh-rsa krWCLQ +QxjqLVS1ANlU4kOSq9ybEHLlTrC9V9l5kQAakG9FLvGg6J88MM5v2oJzqN0MdRMy +HC26YFwibUMrues0qXfEYAx3uuss2TS82XAlZPGC4/dn31czI7mTjgbkkwVZZ1ED +SP8VWCAb/zjJoN+cSiVsTbu++b5dnavI2HrEA45pGopkG0usJE8Llr7kI/1Pb5Hi +GaYdjBk5MVrA+K8PTRJ3OdDM3aTKFaoPS5vgWM2RfSSkhVK51fKxIWkiphk5hZ7l +dmHk9qNiwZkg2wWp0W4pBCbHRzoIT2osNlbsO1IpsaNrVijrvxg5qHUHa1uqw5pB +fJ/7dh59Ckc6FkE7Mka1EQ +-> ssh-ed25519 /vwQcQ h3/pglzg2HhJ9AYixQgm//hDDfKwDm0qfdEYj94FF0Y +mJh35flVyki/cpuIlHMR2j2WI35W/HarJzJBvpa2hps +-> ssh-ed25519 0R97PA FKZr+kWHbRcZ0Ne6KdCH6mALFgTjAzquDyw3/HvTHXA +m0hzEpVB0n8LXEjFompdmDbGQQSEvXhQrxJWaCAhziA +-> ssh-ed25519 JGx7Ng TjvfKNCJIf8wW4p4VurJG4Ynl/s9ZoDndcP9GQs7K24 +5Ps+MgsCaws3PKv1EFPHv1BdZVD4u/DfPiNgxTIEPDI +-> ssh-ed25519 bUjjig UEHCVJRj+Np4EvAUacUKaEIEtcv/92h/mdxpqwW9XjQ +nQfWPkwJ7MufMbTJ1ktE3skBxKu89ps7b/P48bevkwM +-> ssh-ed25519 5SY7Kg wP8S7omqt+wibyrLGdwChOilKLhlk3Uttouofrvn6Hg +PeHvagZGw11Jq8NZFi6Pvh+XSNgklY/235YKhUPogN4 +-> ssh-ed25519 p/Mg4Q SC0lkuoNTFyPzVWW+CFQfsV5thLhnAlNMlW6r/M70WA +DR1hkNnQ1xOwSC6gk0i33Tn52iDNqsszPmxBrSS2/aU +-> ssh-ed25519 5rrg4g isrznX6EZE5Do1eNekhqaR/ZFeiMIzkk+y3+nIJ3dTM +nxLDqq/xhgCWQKlolE+7u06j3GrMKxSAirkDl5Y8zzA +-> ssh-ed25519 oRtTqQ GvvIExclzvOhzRs9TqSyPUMpPvFDcwOkthEKgxoOH3I +LkdOSCDASTS9EryBmarT9m2TVL3aafeN+FVGSyxN9AY +-> ssh-ed25519 F2C+8w USOT3pzvufIWjz7zelcMDACuyGAbwHfJ1wQc0Z5aS0A +ZnuvqZ0NdgmpDSc//c99j2X+B0FvioLS1eBC4mX9PQ0 +-> ssh-ed25519 LCTbpA SLX/uFy8NniL/3dG2sOWFJqelwbcRC5UA+Ji7pYAFlQ +ckIg5nwZSsM1DAMT9DN2LPKnlQTQye54YUmHYDJ4rp4 +-> +ka/`8V-grease `iuUWsh +61TbfYZeLgnlK2g7xDxOvPyZx1i1WlkyM6HtZVUUlUag0+k2mF2kuANCsm8GDJd4 
+qFDrRc6wmaCRnVf78HSdIJXKviR4QlxNXDnpTeh1jFGtIW4GXVHp +--- S/VYe23MY+e4qRXq615pCpV2VYHJF+s3ioeIEDaKPA8 +n~,l̓SD10BFj1bU>ֽ˹{b$ϧ \ No newline at end of file diff --git a/machines/status01/uptime-kuma.nix b/machines/status01/uptime-kuma.nix new file mode 100644 index 0000000..f531fd8 --- /dev/null +++ b/machines/status01/uptime-kuma.nix 
@@ -0,0 +1,139 @@
+{
+ config,
+ lib,
+ nodes,
+ sources,
+ ...
+}:
+let
+ inherit (lib) concatLists mapAttrsToList mkMerge;
+
+ inherit (config.statelessUptimeKuma.lib)
+ pingProbesFromHive
+ fromHive
+ httpProbesFromConfig
+ probesWithTag
+ ;
+
+ probesCfg = config.statelessUptimeKuma.probesConfig;
+
+ mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
+
+ host = "status.lab.dgnum.eu";
+
+ port = 3001;
+
+ httpExcludes = [
+ "localhost"
+ ] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
+
+ extraProbes = {
+ monitors = {
+ # NOTE: Empty
+ };
+ };
+
+ status_pages = {
+ "dgnum" = {
+ title = "DGNum";
+ description = "Etat de l'infra du lab de la DGNum";
+ showTags = true;
+ publicGroupList = [
+ {
+ name = "Services";
+ weight = 1;
+ monitorList = mkMonitors "Service";
+ }
+ {
+ name = "Serveurs";
+ weight = 2;
+ monitorList = mkMonitors "Ping";
+ }
+ #{
+ # name = "VPN Interne";
+ # weight = 2;
+ # monitorList = mkMonitors "VPN";
+ #}
+ ];
+ };
+ };
+
+ pingProbes = pingProbesFromHive {
+ inherit nodes;
+ mkHost = _: config: config.networking.fqdn;
+ tags = [ { name = "Ping"; } ];
+ excludes = [
+ "status01"
+ "labcore01"
+ ];
+ };
+
+ #vpnProbes = pingProbesFromHive {
+ # inherit nodes;
+ # prefix = "VPN - ";
+ # mkHost = node: _: "${node}.dgnum";
+ # tags = [ { name = "VPN"; } ];
+ # excludes = [
+ # "web02"
+ # "status01"
+ # ];
+ #};
+
+ httpProbes = fromHive {
+ inherit nodes;
+ builder =
+ _: module:
+ httpProbesFromConfig {
+ inherit (module) config;
+ tags = [
+ {
+ name = "Host";
+ value = module.config.networking.fqdn;
+ }
+ { name = "Service"; }
+ ];
+ excludes = httpExcludes;
+ };
+ };
+in
+{
+ imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
+ nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
+
+ services.uptime-kuma.enable = true;
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ statelessUptimeKuma = {
+ probesConfig = mkMerge [
+ pingProbes
+ httpProbes
+ extraProbes
+ #vpnProbes
+ { inherit status_pages; }
+ ];
+
+ extraFlags = [ "-s" ];
+
+ host = "http://localhost:${builtins.toString port}/";
+ username = "dgnum-lab";
+ passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
+ enableService = true;
+ };
+}
diff --git a/meta/network.nix b/meta/network.nix
index 4a2657e..d07f62c 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -97,4 +97,21 @@
 hostId = "bcf8ff03";
 };
+ status01 = {
+ interfaces = {
+ ens18 = {
+ ipv4 = [
+ {
+ address = "129.199.146.103";
+ prefixLength = 24;
+ }
+ ];
+
+ gateways = [ "129.199.146.254" ];
+ enableDefaultDNS = true;
+ };
+ };
+
+ hostId = "7ce86f3d";
+ };
 }
diff --git a/meta/nodes.nix b/meta/nodes.nix
index 1bdcafa..1f8c650 100644
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@@ -66,6 +66,14 @@
 hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A";
+ stateVersion = "24.05";
+ nixpkgs = "unstable";
+ };
+ status01 = {
+ site = "pav01";
+
+ hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
+
 stateVersion = "24.05";
 nixpkgs = "unstable";
 };
diff --git a/modules/default.nix b/modules/default.nix
index 01a20cd..c4d4b41 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,8 +1,11 @@
 { lib, sources, ... }:
 {
- imports = (lib.extra.mkImports ./. [ "lab-acme" ]) ++ [
- "${sources."microvm.nix"}/nixos-modules/host"
- ];
+ imports =
+ (lib.extra.mkImports ./. [
+ "lab-acme"
+ "lab-network"
+ ])
+ ++ [ "${sources."microvm.nix"}/nixos-modules/host" ];
 dgn-notify.enable = false;
diff --git a/modules/lab-network.nix b/modules/lab-network.nix
new file mode 100644
index 0000000..b3aaa90
--- /dev/null
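Review bot: `port = 3001` is only a local binding; nginx's `proxyPass` and `statelessUptimeKuma.host` are derived from it, but nothing pins the uptime-kuma service itself to that port, so the setup depends on the upstream module default staying at 3001. Setting it explicitly, e.g. `services.uptime-kuma.settings.PORT = builtins.toString port;` (the NixOS module exposes the service environment as `settings`), makes the proxy target and the listener move together. The `#vpnProbes` block and the commented "VPN Interne" group in `status_pages` are dead configuration kept as comments; if VPN probes are planned, a one-line `# TODO` naming the blocker is more useful than the full commented body.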
+++ b/modules/lab-network.nix
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ meta,
+ name,
+ nodeMeta,
+ ...
+}:
+
+let
+ inherit (lib)
+ mapAttrs'
+ mkEnableOption
+ mkIf
+ mkForce
+ ;
+
+ net' = meta.network.${name};
+
+ mkAddress = { address, prefixLength, ... }: "${address}/${builtins.toString prefixLength}";
+ mkRoute = gateway: {
+ routeConfig = {
+ Gateway = gateway;
+ GatewayOnLink = true;
+ };
+ };
+
+ mkInterface = interface: net: {
+ name = "10-${interface}";
+ value = {
+ name = interface;
+ address = builtins.map mkAddress (net.ipv4 ++ net.ipv6);
+ routes = builtins.map mkRoute net.gateways;
+
+ inherit (net) DHCP dns;
+ };
+ };
+
+ cfg = config.lab-network;
+in
+{
+ options.lab-network.enable = mkEnableOption "automatic network configuration based on metadata" // {
+ default = true;
+ };
+
+ config = mkIf cfg.enable (mkForce {
+ networking = {
+ inherit (net') hostId;
+
+ hostName = name;
+ domain = "${nodeMeta.site}.infra.lab.dgnum.eu";
+ useNetworkd = true;
+
+ firewall.logRefusedConnections = false;
+ };
+
+ systemd.network.networks = mapAttrs' mkInterface net'.interfaces;
+ });
+}
diff --git a/npins/sources.json b/npins/sources.json
index c8c103b..9584e0c 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -197,7 +197,18 @@
 "revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
 "url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
 "hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
+ },
+ "stateless-uptime-kuma": {
+ "type": "Git",
+ "repository": {
+ "type": "Git",
+ "url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma"
+ },
+ "branch": "master",
+ "revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
+ "url": null,
+ "hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
 }
 },
 "version": 3
-}
+}
\ No newline at end of file
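Review bot: `mkForce` wraps the entire `config` attrset, so every leaf in it — including `firewall.logRefusedConnections = false` and `useNetworkd = true` — overrides any per-machine value and cannot be changed on a host that wants refused-connection logging without turning the module off altogether; forcing only the leaves that must win (`hostName`, `hostId`, `systemd.network.networks`) and leaving the firewall flag as a plain assignment would keep that choice per host. `mkInterface` also reads `net.ipv6`, `net.DHCP` and `net.dns`, which the `status01` entry added to meta/network.nix in this commit does not define (it sets `ipv4`, `gateways` and `enableDefaultDNS`, the last of which this module never reads); unless `meta.network` is evaluated through a module that supplies defaults for those attributes, which is not visible in the diff, evaluation fails on the missing attribute.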