feat(gs/yeren): Add Kolide

Add kolide, the endpoint monitoring system / MDM we're using at work, to the system derivation for my work computer. I hate MDMs almost universally, and this one is no different, but SOC2 waits for no one. Change-Id: I99bcb5341182a81512699d50b279efd9e1b2194b Reviewed-on: https://cl.tvl.fyi/c/depot/+/2903 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2021-04-07 10:33:38 -04:00 · 2021-04-07 10:33:38 -04:00 · 5d71617eda
commit 5d71617eda
parent 0419aa1f63
3 changed files with 50 additions and 0 deletions
--- a/users/glittershark/system/system/machines/yeren.nix
+++ b/users/glittershark/system/system/machines/yeren.nix
@ -10,6 +10,7 @@
    ../modules/sound.nix
    ../modules/tvl.nix
    ../modules/development.nix
+    ../modules/work/kolide.nix
  ];

  networking.hostName = "yeren";
--- a/users/glittershark/system/system/modules/work/kolide.deb
+++ b/users/glittershark/system/system/modules/work/kolide.deb
--- a/users/glittershark/system/system/modules/work/kolide.nix
+++ b/users/glittershark/system/system/modules/work/kolide.nix
@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+let
+  deb = ./kolide.deb;
+
+  kolide = pkgs.runCommand "kolide-data" {
+    buildInputs = [ pkgs.binutils-unwrapped ];
+  } ''
+    cp ${deb} ./kolide.deb
+    ar x kolide.deb
+    mkdir result
+    tar xzf data.tar.gz -C result
+    patchelf \
+      --set-interpreter ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 \
+      --set-rpath "${lib.makeLibraryPath (with pkgs; [
+        zlib
+      ])}" \
+      result/usr/local/kolide-k2/bin/osqueryd
+    mv result $out
+  '';
+
+in {
+  systemd.services."launcher.kolide-k2" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" "syslog.service" ];
+    description = "The Kolide Launcher";
+    serviceConfig = {
+      ExecStart = ''
+        ${kolide}/usr/local/kolide-k2/bin/launcher \
+          -config \
+          ${pkgs.writeText "launcher.flags" ''
+            with_initial_runner
+            control
+            autoupdate
+            root_directory /var/lib/kolide
+            osqueryd_path ${kolide}/usr/local/kolide-k2/bin/osqueryd
+            enroll_secret_path ${kolide}/etc/kolide-k2/secret
+            control_hostname k2control.kolide.com
+            update_channel stable
+            transport jsonrpc
+            hostname k2device.kolide.com
+          ''}
+      '';
+      StateDirectory = "kolide";
+      Restart = "on-failure";
+      RestartSec = 3;
+    };
+  };
+}