2024-12-07 16:26:03 +01:00
14 changed files with 356 additions and 5 deletions
--- a/default.nix
+++ b/default.nix
@ -71,7 +71,7 @@ in

 {
  nodes = builtins.mapAttrs (
-    host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
+    host: { site, ... }: "${host}.${site}.lab.infra.dgnum.eu"
  ) (import ./meta/nodes.nix);

  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
--- a/keys/default.nix
+++ b/keys/default.nix
@ -14,6 +14,7 @@ rec {
  _keys = (import "${_sources.infrastructure}/keys")._keys // {
    krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
    router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
+    status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
  };

  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
--- a/machines/dns01/lab.dgnum.eu.nix
+++ b/machines/dns01/lab.dgnum.eu.nix
@ -27,6 +27,8 @@ with dns.lib.combinators;

    homebox = host "129.199.146.102" null;

+    status = host "129.199.146.103" null;
+
    # Nameservers
    ns01 = host "45.13.104.26" "2a0e:e701:1120:1000:ffff::45.13.104.26";

--- a/machines/status01/_configuration.nix
+++ b/machines/status01/_configuration.nix
@ -0,0 +1,24 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "nginx"
+    "uptime-kuma"
+  ];
+
+  extraConfig = {
+    networking = {
+      firewall.allowedTCPPorts = [
+        80
+        443
+      ];
+    };
+  };
+
+  root = ./.;
+}
--- a/machines/status01/_hardware-configuration.nix
+++ b/machines/status01/_hardware-configuration.nix
@ -0,0 +1,34 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    initrd.availableKernelModules = [
+      "ata_piix"
+      "uhci_hcd"
+      "virtio_pci"
+      "virtio_scsi"
+      "sd_mod"
+      "sr_mod"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-partlabel/disk-sda-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-partlabel/disk-sda-ESP";
+    fsType = "vfat";
+  };
+
+  networking.useDHCP = lib.mkDefault false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/machines/status01/nginx.nix
+++ b/machines/status01/nginx.nix
@ -0,0 +1,10 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    clientMaxBodySize = "500m";
+  };
+}
--- a/machines/status01/secrets/secrets.nix
+++ b/machines/status01/secrets/secrets.nix
@ -0,0 +1,4 @@
+(import ../../../keys).mkSecrets [ "status01" ] [
+  # List of secrets for router02
+  "stateless-uptime-kuma-password"
+]
--- a/machines/status01/secrets/stateless-uptime-kuma-password
+++ b/machines/status01/secrets/stateless-uptime-kuma-password
@ -0,0 +1,39 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA 53kqaGHoIiBW34TabFATNf+2Nju2FAQm5euxBlp4L2E
+65jmuV2qa4FggzatITYncVQNSYTRtKEFZsBbtkQ487A
+-> ssh-ed25519 QlRB9Q VwYIAUut50rqvm4nOUZf6Sp/HzyfE1Fg6JSsMF0H53s
+euInJsL53RwaCza7OTZNRx+swsXcnN9FUMFMgmSnLug
+-> ssh-ed25519 r+nK/Q 4ZxPhgovFEX8cX3mEarpl83i4Gg1IjDBdFwqlqt0p0E
+n0oIgVJbCV9wd8GgPm4zDSKU+WPxrpXe1hNOH0M9orE
+-> ssh-rsa krWCLQ
+QxjqLVS1ANlU4kOSq9ybEHLlTrC9V9l5kQAakG9FLvGg6J88MM5v2oJzqN0MdRMy
+HC26YFwibUMrues0qXfEYAx3uuss2TS82XAlZPGC4/dn31czI7mTjgbkkwVZZ1ED
+SP8VWCAb/zjJoN+cSiVsTbu++b5dnavI2HrEA45pGopkG0usJE8Llr7kI/1Pb5Hi
+GaYdjBk5MVrA+K8PTRJ3OdDM3aTKFaoPS5vgWM2RfSSkhVK51fKxIWkiphk5hZ7l
+dmHk9qNiwZkg2wWp0W4pBCbHRzoIT2osNlbsO1IpsaNrVijrvxg5qHUHa1uqw5pB
+fJ/7dh59Ckc6FkE7Mka1EQ
+-> ssh-ed25519 /vwQcQ h3/pglzg2HhJ9AYixQgm//hDDfKwDm0qfdEYj94FF0Y
+mJh35flVyki/cpuIlHMR2j2WI35W/HarJzJBvpa2hps
+-> ssh-ed25519 0R97PA FKZr+kWHbRcZ0Ne6KdCH6mALFgTjAzquDyw3/HvTHXA
+m0hzEpVB0n8LXEjFompdmDbGQQSEvXhQrxJWaCAhziA
+-> ssh-ed25519 JGx7Ng TjvfKNCJIf8wW4p4VurJG4Ynl/s9ZoDndcP9GQs7K24
+5Ps+MgsCaws3PKv1EFPHv1BdZVD4u/DfPiNgxTIEPDI
+-> ssh-ed25519 bUjjig UEHCVJRj+Np4EvAUacUKaEIEtcv/92h/mdxpqwW9XjQ
+nQfWPkwJ7MufMbTJ1ktE3skBxKu89ps7b/P48bevkwM
+-> ssh-ed25519 5SY7Kg wP8S7omqt+wibyrLGdwChOilKLhlk3Uttouofrvn6Hg
+PeHvagZGw11Jq8NZFi6Pvh+XSNgklY/235YKhUPogN4
+-> ssh-ed25519 p/Mg4Q SC0lkuoNTFyPzVWW+CFQfsV5thLhnAlNMlW6r/M70WA
+DR1hkNnQ1xOwSC6gk0i33Tn52iDNqsszPmxBrSS2/aU
+-> ssh-ed25519 5rrg4g isrznX6EZE5Do1eNekhqaR/ZFeiMIzkk+y3+nIJ3dTM
+nxLDqq/xhgCWQKlolE+7u06j3GrMKxSAirkDl5Y8zzA
+-> ssh-ed25519 oRtTqQ GvvIExclzvOhzRs9TqSyPUMpPvFDcwOkthEKgxoOH3I
+LkdOSCDASTS9EryBmarT9m2TVL3aafeN+FVGSyxN9AY
+-> ssh-ed25519 F2C+8w USOT3pzvufIWjz7zelcMDACuyGAbwHfJ1wQc0Z5aS0A
+ZnuvqZ0NdgmpDSc//c99j2X+B0FvioLS1eBC4mX9PQ0
+-> ssh-ed25519 LCTbpA SLX/uFy8NniL/3dG2sOWFJqelwbcRC5UA+Ji7pYAFlQ
+ckIg5nwZSsM1DAMT9DN2LPKnlQTQye54YUmHYDJ4rp4
+-> +ka/`8V-grease `iuUWsh
+61TbfYZeLgnlK2g7xDxOvPyZx1i1WlkyM6HtZVUUlUag0+k2mF2kuANCsm8GDJd4
+qFDrRc6wmaCRnVf78HSdIJXKviR4QlxNXDnpTeh1jFGtIW4GXVHp
+--- S/VYe23MY+e4qRXq615pCpV2VYHJF+s3ioeIEDaKPA8
+n~,lóÍƒ’ŽSïD10<31>“àBFjºÞ1çbÃU©íš>Ö½íøË¹Ýâ{÷§b$Ï§
--- a/machines/status01/uptime-kuma.nix
+++ b/machines/status01/uptime-kuma.nix
@ -0,0 +1,139 @@
+{
+  config,
+  lib,
+  nodes,
+  sources,
+  ...
+}:
+let
+  inherit (lib) concatLists mapAttrsToList mkMerge;
+
+  inherit (config.statelessUptimeKuma.lib)
+    pingProbesFromHive
+    fromHive
+    httpProbesFromConfig
+    probesWithTag
+    ;
+
+  probesCfg = config.statelessUptimeKuma.probesConfig;
+
+  mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
+
+  host = "status.lab.dgnum.eu";
+
+  port = 3001;
+
+  httpExcludes = [
+    "localhost"
+  ] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
+
+  extraProbes = {
+    monitors = {
+      # NOTE: Empty
+    };
+  };
+
+  status_pages = {
+    "dgnum" = {
+      title = "DGNum";
+      description = "Etat de l'infra du lab de la DGNum";
+      showTags = true;
+      publicGroupList = [
+        {
+          name = "Services";
+          weight = 1;
+          monitorList = mkMonitors "Service";
+        }
+        {
+          name = "Serveurs";
+          weight = 2;
+          monitorList = mkMonitors "Ping";
+        }
+        #{
+        #  name = "VPN Interne";
+        #  weight = 2;
+        #  monitorList = mkMonitors "VPN";
+        #}
+      ];
+    };
+  };
+
+  pingProbes = pingProbesFromHive {
+    inherit nodes;
+    mkHost = _: config: config.networking.fqdn;
+    tags = [ { name = "Ping"; } ];
+    excludes = [
+      "status01"
+      "labcore01"
+    ];
+  };
+
+  #vpnProbes = pingProbesFromHive {
+  #  inherit nodes;
+  #  prefix = "VPN - ";
+  #  mkHost = node: _: "${node}.dgnum";
+  #  tags = [ { name = "VPN"; } ];
+  #  excludes = [
+  #    "web02"
+  #    "status01"
+  #  ];
+  #};
+
+  httpProbes = fromHive {
+    inherit nodes;
+    builder =
+      _: module:
+      httpProbesFromConfig {
+        inherit (module) config;
+        tags = [
+          {
+            name = "Host";
+            value = module.config.networking.fqdn;
+          }
+          { name = "Service"; }
+        ];
+        excludes = httpExcludes;
+      };
+  };
+in
+{
+  imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
+  nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
+
+  services.uptime-kuma.enable = true;
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts.${host} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  statelessUptimeKuma = {
+    probesConfig = mkMerge [
+      pingProbes
+      httpProbes
+      extraProbes
+      #vpnProbes
+      { inherit status_pages; }
+    ];
+
+    extraFlags = [ "-s" ];
+
+    host = "http://localhost:${builtins.toString port}/";
+    username = "dgnum-lab";
+    passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
+    enableService = true;
+  };
+}
--- a/meta/network.nix
+++ b/meta/network.nix
@ -97,4 +97,21 @@

    hostId = "bcf8ff03";
  };
+  status01 = {
+    interfaces = {
+      ens18 = {
+        ipv4 = [
+          {
+            address = "129.199.146.103";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.146.254" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "7ce86f3d";
+  };
 }
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@ -66,6 +66,14 @@

    hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A";

+    stateVersion = "24.05";
+    nixpkgs = "unstable";
+  };
+  status01 = {
+    site = "pav01";
+
+    hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
+
    stateVersion = "24.05";
    nixpkgs = "unstable";
  };
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,8 +1,11 @@
 { lib, sources, ... }:
 {
-  imports = (lib.extra.mkImports ./. [ "lab-acme" ]) ++ [
-    "${sources."microvm.nix"}/nixos-modules/host"
-  ];
+  imports =
+    (lib.extra.mkImports ./. [
+      "lab-acme"
+      "lab-network"
+    ])
+    ++ [ "${sources."microvm.nix"}/nixos-modules/host" ];

  dgn-notify.enable = false;

--- a/modules/lab-network.nix
+++ b/modules/lab-network.nix
@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  meta,
+  name,
+  nodeMeta,
+  ...
+}:
+
+let
+  inherit (lib)
+    mapAttrs'
+    mkEnableOption
+    mkIf
+    mkForce
+    ;
+
+  net' = meta.network.${name};
+
+  mkAddress = { address, prefixLength, ... }: "${address}/${builtins.toString prefixLength}";
+  mkRoute = gateway: {
+    routeConfig = {
+      Gateway = gateway;
+      GatewayOnLink = true;
+    };
+  };
+
+  mkInterface = interface: net: {
+    name = "10-${interface}";
+    value = {
+      name = interface;
+      address = builtins.map mkAddress (net.ipv4 ++ net.ipv6);
+      routes = builtins.map mkRoute net.gateways;
+
+      inherit (net) DHCP dns;
+    };
+  };
+
+  cfg = config.lab-network;
+in
+{
+  options.lab-network.enable = mkEnableOption "automatic network configuration based on metadata" // {
+    default = true;
+  };
+
+  config = mkIf cfg.enable (mkForce {
+    networking = {
+      inherit (net') hostId;
+
+      hostName = name;
+      domain = "${nodeMeta.site}.infra.lab.dgnum.eu";
+      useNetworkd = true;
+
+      firewall.logRefusedConnections = false;
+    };
+
+    systemd.network.networks = mapAttrs' mkInterface net'.interfaces;
+  });
+}
--- a/npins/sources.json
+++ b/npins/sources.json
@ -197,6 +197,17 @@
      "revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
      "hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
+    },
+    "stateless-uptime-kuma": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma"
+      },
+      "branch": "master",
+      "revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
+      "url": null,
+      "hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
    }
  },
  "version": 3