From 008e14f2d222b6b9b6212195d4534cd83fff772c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 6 Jun 2024 12:49:58 +0200
Subject: [PATCH 1/7] mail: add missing NixOS module to metronom
---
hosts/default.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/hosts/default.nix b/hosts/default.nix
index 8ded7cc3..378e990c 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -67,6 +67,7 @@
self.nixosModules.overlays
self.nixosModules.unlock-zfs-on-boot
self.nixosModules.core
+ self.nixosModules.mail
self.inputs.simple-nixos-mailserver.nixosModule
];
From 6143f56c0136ea0ebc7510fcd83d5246b131de52 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 6 Jun 2024 12:50:24 +0200
Subject: [PATCH 2/7] flake: use DNS hostnames for deploy-rs
---
flake.nix | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.nix b/flake.nix
index d96ccf73..e361d3fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,19 +119,19 @@
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
nachtigall = {
- hostname = "10.7.6.1";
+ hostname = "nachtigall.wg.pub.solar";
sshUser = username;
};
flora-6 = {
- hostname = "10.7.6.2";
+ hostname = "flora-6.wg.pub.solar";
sshUser = username;
};
metronom = {
- hostname = "10.7.6.3";
+ hostname = "metronom.wg.pub.solar";
sshUser = username;
};
tankstelle = {
- hostname = "80.244.242.5";
+ hostname = "tankstelle.wg.pub.solar";
sshUser = username;
};
};
From b93608a8fa590204c4e868ffa7dddc3ee80daa7a Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 6 Jun 2024 12:52:55 +0200
Subject: [PATCH 3/7] metronom: add promtail, prometheus node-exporter configure wireguard to push logs to and scrape metrics from flora-6 open firewall for node-exporter port on wg-ssh interface
---
hosts/default.nix | 2 ++
hosts/flora-6/wireguard.nix | 10 ++++++++++
modules/prometheus-exporters/default.nix | 3 +++
modules/prometheus/default.nix | 6 ++++++
4 files changed, 21 insertions(+)
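Review bot: The four deploy targets in the flake.nix hunk now depend on `*.wg.pub.solar` resolving to 10.7.6.0/24 addresses, and resolvers with DNS-rebinding protection (dnsmasq's stop-dns-rebind, many home routers, some corporate resolvers) drop private-range answers for public names, so `deploy` can fail for an admin without any hint that DNS is the cause; keeping the old literal next to each name, e.g. `hostname = "nachtigall.wg.pub.solar"; # 10.7.6.1`, at least documents the fallback. Because a DNS answer now selects which machine receives a root-level deploy, the nodes' SSH host keys should be pinned (a `programs.ssh.knownHosts` entry per host or a checked-in known_hosts passed through deploy-rs `sshOpts`) rather than accepted on first use; I cannot tell from this hunk whether that is already in place. tankstelle previously deployed over its public IP `80.244.242.5`, so its switch to the wg name additionally requires that record and a tunnel to tankstelle on the admin's device, which the docs example in patch 6 adds.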
diff --git a/hosts/default.nix b/hosts/default.nix
index 378e990c..f0a54d7e 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -68,6 +68,8 @@
self.nixosModules.unlock-zfs-on-boot
self.nixosModules.core
self.nixosModules.mail
+ self.nixosModules.prometheus-exporters
+ self.nixosModules.promtail
self.inputs.simple-nixos-mailserver.nixosModule
];
diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix
index c5bcd64d..f37f8980 100644
--- a/hosts/flora-6/wireguard.nix
+++ b/hosts/flora-6/wireguard.nix
@@ -28,6 +28,16 @@
"fd00:fae:fae:fae:fae:1::/96"
];
}
+ {
+ # metronom.pub.solar
+ endpoint = "49.13.236.167:51820";
+ publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+ allowedIPs = [
+ "10.7.6.3/32"
+ "fd00:fae:fae:fae:fae:3::/96"
+ ];
+ persistentKeepalive = 15;
+ }
];
};
};
diff --git a/modules/prometheus-exporters/default.nix b/modules/prometheus-exporters/default.nix
index 996a7717..1c9a474c 100644
--- a/modules/prometheus-exporters/default.nix
+++ b/modules/prometheus-exporters/default.nix
@@ -1,5 +1,8 @@
{ config, ... }:
{
+ # Only expose prometheus exporter port via wireguard interface
+ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ];
+
services.prometheus = {
exporters = {
node = {
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index 564d6506..62a37958 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -53,6 +53,12 @@
instance = "nachtigall";
};
}
+ {
+ targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+ labels = {
+ instance = "metronom";
+ };
+ }
];
}
{
From 4350cbf7c4ff4784379669af2af650598f3fd490 Mon Sep 17 00:00:00 2001
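Review bot: The new metronom peer in hosts/flora-6/wireguard.nix adds only flora-6's half of the tunnel; nothing in this series touches hosts/metronom/wireguard.nix, so unless metronom already lists flora-6 (publicKey `jtSR5G2P…`, endpoint `80.71.153.210:51820`) as a peer, WireGuard silently drops flora-6's handshakes and both the promtail push and the node-exporter scrape this commit sets up fail without an error in the Nix evaluation. Patch 4 adds both halves for tankstelle, which makes this look like an omission rather than pre-existing config, but I cannot confirm from the hunk. If the reciprocal peer does already exist, a one-line comment such as `# reciprocal peer: hosts/metronom/wireguard.nix` on the new entry would spare the next reader the same check. The peers list being extended starts before line 28 and is not fully visible here.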
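Review bot: The new firewall rule in modules/prometheus-exporters/default.nix hard-codes `9002`, while the scrape target added to modules/prometheus/default.nix in the same commit derives the port from `config.services.prometheus.exporters.node.port`; if the port is ever changed in the `node = { … }` block that the hunk cuts off, the rule and the target diverge and the scrape fails closed but silently. Reference the option instead: `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];`. The interface-scoped rule is also the only thing keeping the exporter off the public interface if the node exporter still listens on all addresses (the NixOS default, not visible here); setting its `listenAddress` to the host's WireGuard address would make that independent of `networking.firewall.enable`. The comment should additionally say what the rule grants, e.g. `# Reachable by every wg-ssh peer, admin devices included`, since the docs describe admin laptops on the same 10.7.6.0/24 network.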
From: teutat3s
Date: Thu, 6 Jun 2024 12:53:49 +0200
Subject: [PATCH 4/7] tankstelle: add promtail, prometheus node-exporter for monitoring, configure wireguard between flora-6 and tankstelle
---
hosts/default.nix | 2 ++
hosts/flora-6/wireguard.nix | 9 +++++++++
hosts/tankstelle/wireguard.nix | 9 +++++++++
modules/prometheus/default.nix | 6 ++++++
4 files changed, 26 insertions(+)
diff --git a/hosts/default.nix b/hosts/default.nix
index f0a54d7e..e1881a43 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -82,6 +82,8 @@
./tankstelle
self.nixosModules.overlays
self.nixosModules.core
+ self.nixosModules.prometheus-exporters
+ self.nixosModules.promtail
];
};
};
diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix
index f37f8980..3da4e16b 100644
--- a/hosts/flora-6/wireguard.nix
+++ b/hosts/flora-6/wireguard.nix
@@ -38,6 +38,15 @@
];
persistentKeepalive = 15;
}
+ {
+ # tankstelle.pub.solar
+ endpoint = "80.244.242.5:51820";
+ publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
+ allowedIPs = [
+ "10.7.6.4/32"
+ "fd00:fae:fae:fae:fae:4::/96"
+ ];
+ }
];
};
};
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix
index 2100d436..d8979eba 100644
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@@ -28,6 +28,15 @@
"fd00:fae:fae:fae:fae:1::/96"
];
}
+ {
+ # flora-6.pub.solar
+ endpoint = "80.71.153.210:51820";
+ publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+ allowedIPs = [
+ "10.7.6.2/32"
+ "fd00:fae:fae:fae:fae:2::/96"
+ ];
+ }
];
};
};
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index 62a37958..5d0f5f7b 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -59,6 +59,12 @@
instance = "metronom";
};
}
+ {
+ targets = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+ labels = {
+ instance = "tankstelle";
+ };
+ }
];
}
{
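Review bot: Adding `self.nixosModules.prometheus-exporters` to tankstelle in the hosts/default.nix hunk pulls in the `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ]` rule from patch 3, which assumes tankstelle's WireGuard interface is also named `wg-ssh`; the tankstelle hunk in this patch starts at line 28 of hosts/tankstelle/wireguard.nix and the interface name is not visible. If the name differs the scrape from flora-6 fails closed rather than open, so this is a functional rather than exposure concern, but it is worth confirming, or having the module read the interface name from a shared option so the three hosts cannot drift.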
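Review bot: In the hosts/flora-6/wireguard.nix hunk the new tankstelle peer omits the `persistentKeepalive = 15;` that the metronom peer directly above it sets, with no comment explaining the difference. Both peers have static public endpoints, so neither strictly needs keepalives, but the asymmetry reads as an oversight; either add `persistentKeepalive = 15;` to the tankstelle entry or drop it from the metronom entry with a note such as `# static public endpoint, no NAT: keepalive not needed`. The peers list this hunk extends starts before line 38 and is not fully visible here.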
From 2fdfd3b80e33fb547d7f9bc6cd4ad36567c9a7da Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:54:14 +0200 Subject: [PATCH 5/7] docs: fix syntax in example --- docs/administrative-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 6b7faa40..55bd5edb 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -14,7 +14,7 @@ People with admin access to the infrastructure are added to [`logins/admins.nix` publicKey = ; allowedIPs = [ "10.7.6./32" "fd00:fae:fae:fae:fae:::/96" ]; } - }]; + ]; secretEncryptionKeys = { = ; From 9707edf2dea4b271bd3e54fa980934fb58bb455e Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:54:31 +0200 Subject: [PATCH 6/7] docs: add example for wireguard client config --- docs/administrative-access.md | 49 +++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 55bd5edb..2257fe00 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md 
@@ -30,6 +30,55 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`. 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). +Example NixOS snippet for WireGuard client config +``` +{ + networking = { + wireguard.enable = true; + wg-quick.interfaces = { + wg-pub-solar = { + address = ["10.7.6.201/32"]; + address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"]; + privateKeyFile = "/etc/wireguard/wg-pub-solar.privatekey"; + + peers = [ + { # nachtigall.pub.solar + publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; + allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ]; + endpoint = "[2a01:4f8:172:1c25::1]:51820"; + # Use this endpoint in IPv4 only networks + #endpoint = "138.201.80.102:51820"; + persistentKeepalive = 15; + } + { # flora-6.pub.solar + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ]; + endpoint = "80.71.153.210:51820"; + persistentKeepalive = 15; + } + { # metronom.pub.solar + publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo="; + allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ]; + #endpoint = "[2a01:4f8:c2c:7082::]:51820"; + # Use this endpoint in IPv4 only networks + endpoint = "49.13.236.167:51820"; + persistentKeepalive = 15; + } + { # tankstelle.pub.solar + publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg="; + allowedIPs = [ 
"10.7.6.4/32" "fd00:fae:fae:fae:fae:4::/96" ]; + endpoint = "[2001:4d88:1ffa:26::5]:51820"; + # Use this endpoint in IPv4 only networks + #endpoint = "80.244.242.5:51820"; + persistentKeepalive = 15; + } + ]; + }; + }; + }; +} +``` + # Secret encryption Deployment secrets are added to the repository in encrypted files. To be able to work with these encrypted files, your public key(s) will have to be added to your user attrset under `secretEncryptionKeys`. From eaed05c834245634856a19b0ae086d88d78c2b83 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:56:55 +0200 Subject: [PATCH 7/7] style: apply treefmt --- docs/administrative-access.md | 1 + modules/prometheus/default.nix | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 2257fe00..f22ed08e 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -31,6 +31,7 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). Example NixOS snippet for WireGuard client config + ``` { networking = { diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 5d0f5f7b..709f6a25 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix 
@@ -54,13 +54,17 @@
};
}
{
- targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+ targets = [
+ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+ ];
labels = {
instance = "metronom";
};
}
{
- targets = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+ targets = [
+ "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+ ];
labels = {
instance = "tankstelle";
};