Diffstat (limited to 'flakes/private')
-rw-r--r-- | flakes/private/chatons/flake.lock | 2 | ||||
-rw-r--r-- | flakes/private/environment/flake.nix | 49 | ||||
-rw-r--r-- | flakes/private/mail-relay/flake.lock | 2 | ||||
-rw-r--r-- | flakes/private/milters/flake.lock | 2 | ||||
-rw-r--r-- | flakes/private/monitoring/flake.lock | 2 | ||||
-rw-r--r-- | flakes/private/monitoring/flake.nix | 55 | ||||
-rw-r--r-- | flakes/private/monitoring/myplugins.nix | 24 | ||||
-rw-r--r-- | flakes/private/opendmarc/flake.lock | 2 | ||||
-rw-r--r-- | flakes/private/ssh/flake.lock | 2 | ||||
-rw-r--r-- | flakes/private/system/flake.lock | 4 | ||||
-rw-r--r-- | flakes/private/system/flake.nix | 11 |
11 files changed, 145 insertions, 10 deletions
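--- a/flakes/private/chatons/flake.lock
+++ b/flakes/private/chatons/flake.lock
@@ -3,7 +3,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },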
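--- a/flakes/private/environment/flake.nix
+++ b/flakes/private/environment/flake.nix
@@ -369,6 +369,36 @@
 };
 };
 };
+borg_backup = mkOption {
+description = ''
+Remote backup with borg/borgmatic
+'';
+type = submodule {
+options = {
+password = mkOption { type = str; description = "Password for encrypting files"; };
+remotes = mkOption {
+type = attrsOf (submodule {
+options = {
+remote = mkOption {
+type = functionTo (functionTo str);
+example = literalExample ''
+bucket: "ssh://some_host/${bucket}";
+'';
+description = ''
+Function.
+Takes a bucket name as argument and returns a url
+'';
+};
+sshRsyncPort = mkOption { type = str; default = "22"; description = "SSH port"; };
+sshRsyncHost = mkOption { type = nullOr str; default = null; description = "SSH host"; };
+
+sshKnownHosts = mkOption { type = nullOr str; default = null; description = "Ssh known hosts"; };
+};
+});
+};
+};
+};
+};
 backup = mkOption {
 description = ''
 Remote backup with duplicity
@@ -379,6 +409,9 @@
 remotes = mkOption {
 type = attrsOf (submodule {
 options = {
+remote_type = mkOption {
+type = enum [ "s3" "rsync" ];
+};
 remote = mkOption {
 type = functionTo str;
 example = literalExample ''
@@ -389,8 +422,12 @@
 Takes a bucket name as argument and returns a url
 '';
 };
-accessKeyId = mkOption { type = str; description = "Remote access-key"; };
-secretAccessKey = mkOption { type = str; description = "Remote access secret"; };
+sshRsyncPort = mkOption { type = str; default = "22"; description = "SSH port for rsync"; };
+sshRsyncHost = mkOption { type = nullOr str; default = null; description = "SSH host for rsync"; };
+
+sshKnownHosts = mkOption { type = nullOr str; default = null; description = "Ssh known hosts"; };
+s3AccessKeyId = mkOption { type = nullOr str; default = null; description = "Remote access-key"; };
+s3SecretAccessKey = mkOption { type = nullOr str; default = null; description = "Remote access secret"; };
 };
 });
 };
@@ -905,6 +942,14 @@
 };
 };
 };
+matrix = mkOption {
+description = "Matrix configuration";
+type = submodule {
+options = {
+ldap = mkLdapOptions "Mediagoblin" {};
+};
+};
+};
 mediagoblin = mkOption {
 description = "Mediagoblin configuration";
 type = submodule {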
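Review bot: The new `matrix` option at new line 949 builds its LDAP sub-options with `mkLdapOptions "Mediagoblin" {}`, which looks copied from the `mediagoblin` block directly below; assuming that string is the application label used in the generated descriptions or defaults, it should read `ldap = mkLdapOptions "Matrix" {};`. Separately, `remote_type` (new lines 412-414) has no `description`, and because `s3AccessKeyId`, `s3SecretAccessKey` and `sshRsyncHost` now all default to `null`, nothing in the submodule rejects an `s3` remote without credentials or an `rsync` remote without a host — an `assertions` entry, or at least description text stating which fields each `remote_type` requires, would surface the misconfiguration at evaluation time rather than at the first backup run. The borg `password` (new line 378) is a plain `str` like the existing duplicity secrets were; if its value is ever interpolated into a derivation it ends up in the world-readable Nix store, so confirm it is delivered through the secrets mechanism this repository already uses rather than through the store. The enclosing `options` attribute set starts and ends outside these hunks.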
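--- a/flakes/private/mail-relay/flake.lock
+++ b/flakes/private/mail-relay/flake.lock
@@ -3,7 +3,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },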
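--- a/flakes/private/milters/flake.lock
+++ b/flakes/private/milters/flake.lock
@@ -3,7 +3,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },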
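--- a/flakes/private/monitoring/flake.lock
+++ b/flakes/private/monitoring/flake.lock
@@ -3,7 +3,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },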
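--- a/flakes/private/monitoring/flake.nix
+++ b/flakes/private/monitoring/flake.nix
@@ -164,6 +164,13 @@
 Whether to enable monitoring.
 '';
 };
+smartdDisks = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+default = [];
+description = ''
+List of smartd disks ids (symlinks in /dev/disk/by-id/) to monitor
+'';
+};
 master = lib.mkOption {
 type = lib.types.bool;
 default = false;
@@ -261,6 +268,54 @@
 objectDefs =
 self.lib.toObjects cfg.objects;
 };
+
+myServices.monitoring.objects.service = builtins.map (d: {
+service_description = "Disk /dev/disk/by-id/${d} is sane";
+use = "local-service";
+check_command = [ "check_smartctl" "/dev/disk/by-id/${d}" ];
+__passive_servicegroups = "webstatus-resources";
+
+check_interval = 60;
+}) cfg.smartdDisks;
+
+systemd = let
+checkShortTimer = {
+timerConfig = {
+OnCalendar = "monthly";
+RandomizedDelaySec = "3 weeks";
+FixedRandomDelay = true;
+};
+wantedBy = [ "timers.target" ];
+};
+checkLongTimer = {
+timerConfig = {
+OnCalendar = "monthly";
+RandomizedDelaySec = "3 weeks";
+FixedRandomDelay = true;
+};
+wantedBy = [ "timers.target" ];
+};
+toSDTimers = id: {
+"check-smartd-long-${id}" = checkLongTimer;
+"check-smartd-short-${id}" = checkShortTimer;
+};
+toCheckService = id: type: {
+description = "Run ${type} smartctl test for /dev/disk/by-id/${id}";
+after = [ "multi-user.target" ];
+serviceConfig = {
+Type = "oneshot";
+ExecStart = "${pkgs.smartmontools}/bin/smartctl -t ${type} /dev/disk/by-id/${id}";
+};
+};
+toSDServices = id: {
+"check-smartd-long-${id}" = toCheckService id "long";
+"check-smartd-short-${id}" = toCheckService id "short";
+};
+
+in {
+services = lib.attrsets.mergeAttrsList (builtins.map toSDServices cfg.smartdDisks);
+timers = lib.attrsets.mergeAttrsList (builtins.map toSDTimers cfg.smartdDisks);
+};
 };
 };
 };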
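Review bot: Each `cfg.smartdDisks` entry is interpolated unvalidated into the `ExecStart` string at new line 307, into the Nagios command arguments at line 275 and into systemd unit names at lines 299-300 and 311-312; `ExecStart` is split on whitespace and unit names accept only a restricted character set, so an entry containing a space, a `/` or an unexpected character silently changes the command, escapes the `/dev/disk/by-id/` directory or fails at activation. The option is operator-supplied, so this is hardening rather than an exposure, but a one-entry assertion closes it cheaply: `assertions = [ { assertion = lib.all (d: builtins.match "[A-Za-z0-9._:-]+" d != null) cfg.smartdDisks; message = "smartdDisks entries must be bare /dev/disk/by-id names"; } ];`. `checkShortTimer` and `checkLongTimer` (lines 282-297) are byte-identical, so both self-tests run monthly under the same delay policy — either collapse them into one definition or give the short test the more frequent schedule its name implies. `smartctl -t` only starts a self-test and nothing in the units reads the outcome; a comment noting that the `check_smartctl` service defined at line 275 is what surfaces the result would save the next reader a search. The enclosing `config` attribute set begins outside the hunk.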
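--- a/flakes/private/monitoring/myplugins.nix
+++ b/flakes/private/monitoring/myplugins.nix
@@ -284,6 +284,30 @@ in
 ]}
 '';
 };
+smartctl = {
+commands = {
+check_smartctl = "$USER2$/check_smartctl -i auto -d $ARG1$";
+};
+chunk = let
+smartPlugin = pkgs.fetchurl {
+url = "https://www.claudiokuenzler.com/monitoring-plugins/check_smart.pl";
+sha256 = "sha256-gxGkzyycUl+I3WziKhOnZSoQjpqbPqjbunfUQxmeb7w=";
+};
+in ''
+cp ${smartPlugin} $out/check_smartctl
+chmod +x $out/check_smartctl
+patchShebangs $out
+substituteInPlace $out/check_smartctl --replace "/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin" "${pkgs.smartmontools}/bin"
+substituteInPlace $out/check_smartctl --replace "sudo" "${sudo}"
+'';
+
+sudo = _: {
+commands = [
+{ command = "${pkgs.smartmontools}/bin/smartctl *"; options = [ "NOPASSWD" ]; }
+];
+runAs = "root";
+};
+};
 mysql = {
 commands = {
 check_mysql_replication = "${sudo} -u mysql $USER2$/check_mysql_replication \"$ARG1$\" \"$ARG2$\"";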
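Review bot: The sudoers rule at new line 306 grants `smartctl *` as root with `NOPASSWD`, and a sudoers `*` matches any number of arguments, so the monitoring user can run every smartctl mode on every device — including the ones that change drive state — rather than the read-only health and attribute queries a check plugin needs. A small wrapper script that accepts only a `/dev/disk/by-id/` path and the fixed flags `check_smartctl` uses, listed in `commands` in place of the wildcard, keeps the root privilege scoped to what the check actually does. Line 301's `substituteInPlace --replace "sudo" "${sudo}"` rewrites every occurrence of the substring `sudo` in the downloaded Perl script, including inside identifiers or message text if any exist; matching the exact command token the script invokes (presumably `sudo ` with a trailing space — verify against the script) is safer. The fetch at line 293 pins content by sha256, which is good, but the URL is unversioned, so an upstream edit will break the build with a hash mismatch; a tagged release URL avoids that. The `sudo` and `pkgs` bindings used here come from outside the hunk.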
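--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -3,7 +3,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },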
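--- a/flakes/private/ssh/flake.lock
+++ b/flakes/private/ssh/flake.lock
@@ -3,7 +3,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },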
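--- a/flakes/private/system/flake.lock
+++ b/flakes/private/system/flake.lock
@@ -19,7 +19,7 @@
 "environment": {
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=",
+"narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
 "path": "../environment",
 "type": "path"
 },
@@ -69,7 +69,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-etK0kcWYmiCmdex+9CjWWqn4q8EonDutUP0yFH+odrE=",
+"narHash": "sha256-yHJid6Rpxa5pfKI81FfI0VZir9seZMHtLzjdvmt0FVw=",
 "path": "../../mypackages",
 "type": "path"
 },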
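--- a/flakes/private/system/flake.nix
+++ b/flakes/private/system/flake.nix
@@ -30,6 +30,17 @@
 secrets.deleteSecretsVars = true;
 secrets.secretsVars = "/run/keys/vars.yml";
 
+programs.ssh.package = lib.mkDefault (
+pkgs.openssh.overrideAttrs(old: rec {
+patches = old.patches ++ [
+# Mitigation for CVE https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+(pkgs.fetchpatch {
+url = "https://raw.githubusercontent.com/NixOS/nixpkgs/342bfe5c431fd7828fee8fa7e07a4d8fbfd18618/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
+sha256 = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
+})
+];
+})
+);
 services.openssh.enable = true;
 
 nixpkgs.overlays =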
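Review bot: The override at new lines 34-42 appends the CVE-2024-6387 patch unconditionally, while the patch file is written for openssh 9.6_p1 (per its name in the URL); once the pinned nixpkgs moves `pkgs.openssh` to a release that already carries the upstream fix, the patch will either fail to apply or be layered onto fixed code, so gate it on the version: `patches = old.patches ++ lib.optionals (lib.versionOlder old.version "9.8p1") [ ... ];`. Note also that `programs.ssh.package` is the client-side option, whereas the regreSSHion bug is in sshd; the patched build reaches the daemon only if `services.openssh.package` still defaults to `programs.ssh.package` in the pinned NixOS, so setting `services.openssh.package` explicitly (or asserting the two are equal) removes the dependence on that default. The comment at line 36 would be more useful if it also recorded the openssh version the patch targets, so whoever bumps nixpkgs knows when the override can be dropped. The enclosing module attribute set extends beyond the hunk.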