Klub-RZ/infrastructure
4
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity

core01: allow *, unfirewall wgmon

Browse source
This commit is contained in:
Raito Bezarius 2022-05-15 00:08:46 +02:00
parent 5f2a5ff782
commit f842b30e05
1 changed files with 35 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
machines/core-services-01/monitoring.nix
View file

@ -13,26 +13,35 @@ let
testClusterHypervisors = lib.attrValues { testClusterHypervisors = lib.attrValues {
pve01 = { pve01 = {
uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675"; uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675";
allowFrom = "fd85:27e8:0fc9::2"; allowFrom = "*";
# allowFrom = "fd85:27e8:0fc9::2";
}; };
pve02 = { pve02 = {
uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee"; uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee";
allowFrom = "fd85:27e8:0fc9::3"; allowFrom = "*";
# allowFrom = "fd85:27e8:0fc9::3";
}; };
pve03 = { pve03 = {
uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82"; uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82";
allowFrom = "fd85:27e8:0fc9::4"; allowFrom = "*";
# allowFrom = "fd85:27e8:0fc9::4";
}; };
pve04 = { pve04 = {
uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b"; uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b";
allowFrom = "fd85:27e8:0fc9::5"; allowFrom = "*";
# allowFrom = "fd85:27e8:0fc9::5";
}; };
}; };
in in
{ {
services.netdata.enable = true; services.netdata.enable = true;
networking.interfaces.wireguard.wgmon = { # Allow WireGuard VPN
networking.firewall.allowedUDPPorts = [ 51820 ];
# Allow access to the raw netdata
networking.firewall.interfaces.wgmon.allowedUDPPorts = [ 19999 ];
networking.firewall.interfaces.wgmon.allowedTCPPorts = [ 19999 ];
networking.wireguard.interfaces.wgmon = {
ips = [ "fd85:27e8:0fc9::1/48" ]; ips = [ "fd85:27e8:0fc9::1/48" ];
listenPort = 51820; listenPort = 51820;
@ -40,7 +49,14 @@ in
privateKeyFile = "/etc/secrets/wgmon"; privateKeyFile = "/etc/secrets/wgmon";
generatePrivateKeyFile = true; generatePrivateKeyFile = true;
peers = []; peers = [
{ publicKey = "6IHA4e+UcCSx9+e5BZwLvzeZv5RWwqO1CCLJedN2nU4="; allowedIPs = [ "fd85:27e8:fc9::2/128" ]; }
{ publicKey = "xRdfylDpi8c+BRwDCxenRs6i4XWesdd75keWfKItZFo="; allowedIPs = [ "fd85:27e8:fc9::3/128" ]; }
{ publicKey = "rjodopHTEyD+DyDsNp8xyNC0KeZGH462Ls495NXT1VI="; allowedIPs = [ "fd85:27e8:fc9::4/128" ];}
{ publicKey = "IJRsrhzCRAHpaEHLZRNdPuDp25FXzuAm+CGmZDsRThk="; allowedIPs = [ "fd85:27e8:fc9::5/128" ]; }
{ publicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw="; allowedIPs = [ "fd85:27e8:fc9::6/128" ]; }
# { publicKey = ""; allowedIPs = [ "fd85:27e8:fc9::7/128" ]; }
];
}; };
systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [ systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [
@ -64,8 +80,8 @@ in
user = "netdata"; user = "netdata";
group = "netdata"; group = "netdata";
mode = "0600"; mode = "0600";
text = (concatMapStrings map (cfg: mkChildNode cfg {}) text = (lib.concatMapStringsSep "\n" (cfg: mkChildNode cfg {})
[ ([
# PVE01 hypervisor # PVE01 hypervisor
{ {
uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178"; uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178";
@ -76,7 +92,7 @@ in
uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe"; uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe";
allowFrom = "10.1.1.21"; allowFrom = "10.1.1.21";
} }
]; ++ testClusterHypervisors; ] ++ testClusterHypervisors));
}; };
environment.etc."netdata/health_alarm_notify.conf" = { environment.etc."netdata/health_alarm_notify.conf" = {