From 008e14f2d222b6b9b6212195d4534cd83fff772c Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:49:58 +0200 Subject: [PATCH 1/7] mail: add missing NixOS module to metronom --- hosts/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/default.nix b/hosts/default.nix index 8ded7cc..378e990 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -67,6 +67,7 @@ self.nixosModules.overlays self.nixosModules.unlock-zfs-on-boot self.nixosModules.core + self.nixosModules.mail self.inputs.simple-nixos-mailserver.nixosModule ]; From 6143f56c0136ea0ebc7510fcd83d5246b131de52 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:50:24 +0200 Subject: [PATCH 2/7] flake: use DNS hostnames for deploy-rs --- flake.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index d96ccf7..e361d3f 100644 --- a/flake.nix +++ b/flake.nix @@ -119,19 +119,19 @@ deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations { nachtigall = { - hostname = "10.7.6.1"; + hostname = "nachtigall.wg.pub.solar"; sshUser = username; }; flora-6 = { - hostname = "10.7.6.2"; + hostname = "flora-6.wg.pub.solar"; sshUser = username; }; metronom = { - hostname = "10.7.6.3"; + hostname = "metronom.wg.pub.solar"; sshUser = username; }; tankstelle = { - hostname = "80.244.242.5"; + hostname = "tankstelle.wg.pub.solar"; sshUser = username; }; }; From b93608a8fa590204c4e868ffa7dddc3ee80daa7a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:52:55 +0200 Subject: [PATCH 3/7] metronom: add promtail, prometheus node-exporter configure wireguard to push logs to and scrape metrics from flora-6 open firewall for node-exporter port on wg-ssh interface --- hosts/default.nix | 2 ++ hosts/flora-6/wireguard.nix | 10 ++++++++++ modules/prometheus-exporters/default.nix | 3 +++ modules/prometheus/default.nix | 6 ++++++ 4 files changed, 21 insertions(+) 
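Review bot: Switching the deploy-rs `hostname` values in flake.nix from IP literals to `*.wg.pub.solar` names changes which known_hosts entry ssh looks up, so an admin whose known_hosts was keyed by `10.7.6.1`, `10.7.6.2`, `10.7.6.3` or `80.244.242.5` gets a fresh trust-on-first-use prompt per node, and the commit does not pin host keys for the new names. Declaring them in `programs.ssh.knownHosts` (or adding the new names to the existing entries) would let the first deploy after this change verify the host keys instead of accepting them. A deploy now also depends on the `wg.pub.solar` zone resolving to the WireGuard addresses, presumably the `10.7.6.0/24` ones used in `hosts/*/wireguard.nix`; a short comment such as `# names resolve to the WireGuard addresses, see hosts/*/wireguard.nix` would help whoever debugs a failed deploy. The enclosing `deploy.nodes` attrset continues outside the hunk.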
diff --git a/hosts/default.nix b/hosts/default.nix index 378e990..f0a54d7 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -68,6 +68,8 @@ self.nixosModules.unlock-zfs-on-boot self.nixosModules.core self.nixosModules.mail + self.nixosModules.prometheus-exporters + self.nixosModules.promtail self.inputs.simple-nixos-mailserver.nixosModule ]; diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix index c5bcd64..f37f898 100644 --- a/hosts/flora-6/wireguard.nix +++ b/hosts/flora-6/wireguard.nix @@ -28,6 +28,16 @@ "fd00:fae:fae:fae:fae:1::/96" ]; } + { + # metronom.pub.solar + endpoint = "49.13.236.167:51820"; + publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo="; + allowedIPs = [ + "10.7.6.3/32" + "fd00:fae:fae:fae:fae:3::/96" + ]; + persistentKeepalive = 15; + } ]; }; }; diff --git a/modules/prometheus-exporters/default.nix b/modules/prometheus-exporters/default.nix index 996a771..1c9a474 100644 --- a/modules/prometheus-exporters/default.nix +++ b/modules/prometheus-exporters/default.nix @@ -1,5 +1,8 @@ { config, ... }: { + # Only expose prometheus exporter port via wireguard interface + networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ]; + services.prometheus = { exporters = { node = { diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 564d650..62a3795 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -53,6 +53,12 @@ instance = "nachtigall"; }; } + { + targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ]; + labels = { + instance = "metronom"; + }; + } ]; } { From 4350cbf7c4ff4784379669af2af650598f3fd490 Mon Sep 17 00:00:00 2001 
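Review bot: The firewall rule added in modules/prometheus-exporters/default.nix hard-codes `9002`, while the scrape target added in modules/prometheus/default.nix derives the port from `config.services.prometheus.exporters.node.port`, so changing the exporter port later would silently leave the firewall stale; `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];` keeps both in lock-step. The comment says the port is only exposed via the wireguard interface, but the rule restricts by interface name only; the exporter's `listenAddress` is outside the hunk, and if it still listens on all addresses this per-interface rule is the only thing keeping the exporter off the public interface. Setting `listenAddress` to the host's WireGuard address would add a second guard, or failing that the comment should say the firewall is the sole guard. The `services.prometheus.exporters.node` attrset continues outside the hunk.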
From: teutat3s Date: Thu, 6 Jun 2024 12:53:49 +0200 Subject: [PATCH 4/7] tankstelle: add promtail, prometheus node-exporter for monitoring, configure wireguard between flora-6 and tankstelle --- hosts/default.nix | 2 ++ hosts/flora-6/wireguard.nix | 9 +++++++++ hosts/tankstelle/wireguard.nix | 9 +++++++++ modules/prometheus/default.nix | 6 ++++++ 4 files changed, 26 insertions(+) diff --git a/hosts/default.nix b/hosts/default.nix index f0a54d7..e1881a4 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -82,6 +82,8 @@ ./tankstelle self.nixosModules.overlays self.nixosModules.core + self.nixosModules.prometheus-exporters + self.nixosModules.promtail ]; }; }; diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix index f37f898..3da4e16 100644 --- a/hosts/flora-6/wireguard.nix +++ b/hosts/flora-6/wireguard.nix @@ -38,6 +38,15 @@ ]; persistentKeepalive = 15; } + { + # tankstelle.pub.solar + endpoint = "80.244.242.5:51820"; + publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg="; + allowedIPs = [ + "10.7.6.4/32" + "fd00:fae:fae:fae:fae:4::/96" + ]; + } ]; }; }; diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix index 2100d43..d8979eb 100644 --- a/hosts/tankstelle/wireguard.nix +++ b/hosts/tankstelle/wireguard.nix @@ -28,6 +28,15 @@ "fd00:fae:fae:fae:fae:1::/96" ]; } + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } ]; }; }; diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 62a3795..5d0f5f7 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -59,6 +59,12 @@ instance = "metronom"; }; } + { + targets = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ]; + labels = { + instance = "tankstelle"; + }; + } ]; } { 
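Review bot: The new flora-6 peer in hosts/tankstelle/wireguard.nix carries no `persistentKeepalive`, whereas the matching metronom peer added on flora-6 in the previous commit sets `persistentKeepalive = 15;`; if tankstelle sits behind a stateful firewall, flora-6's scrapes will stall once the mapping expires, so either add `persistentKeepalive = 15;` or comment why it is not needed on this link. Separately, the shared prometheus-exporters module opens port 9002 only on an interface named `wg-ssh`, and the interface name is not visible in this hunk; confirm tankstelle's WireGuard interface uses that name, otherwise the `tankstelle` target added in modules/prometheus/default.nix will be blocked by the firewall. The enclosing `peers` list starts outside the hunk.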
From 2fdfd3b80e33fb547d7f9bc6cd4ad36567c9a7da Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:54:14 +0200 Subject: [PATCH 5/7] docs: fix syntax in example --- docs/administrative-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 6b7faa4..55bd5ed 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -14,7 +14,7 @@ People with admin access to the infrastructure are added to [`logins/admins.nix` publicKey = ; allowedIPs = [ "10.7.6./32" "fd00:fae:fae:fae:fae:::/96" ]; } - }]; + ]; secretEncryptionKeys = { = ; From 9707edf2dea4b271bd3e54fa980934fb58bb455e Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:54:31 +0200 Subject: [PATCH 6/7] docs: add example for wireguard client config --- docs/administrative-access.md | 49 +++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 55bd5ed..2257fe0 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md 
@@ -30,6 +30,55 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`. 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). +Example NixOS snippet for WireGuard client config +``` +{ + networking = { + wireguard.enable = true; + wg-quick.interfaces = { + wg-pub-solar = { + address = ["10.7.6.201/32"]; + address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"]; + privateKeyFile = "/etc/wireguard/wg-pub-solar.privatekey"; + + peers = [ + { # nachtigall.pub.solar + publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; + allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ]; + endpoint = "[2a01:4f8:172:1c25::1]:51820"; + # Use this endpoint in IPv4 only networks + #endpoint = "138.201.80.102:51820"; + persistentKeepalive = 15; + } + { # flora-6.pub.solar + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ]; + endpoint = "80.71.153.210:51820"; + persistentKeepalive = 15; + } + { # metronom.pub.solar + publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo="; + allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ]; + #endpoint = "[2a01:4f8:c2c:7082::]:51820"; + # Use this endpoint in IPv4 only networks + endpoint = "49.13.236.167:51820"; + persistentKeepalive = 15; + } + { # tankstelle.pub.solar + publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg="; + allowedIPs = [ 
"10.7.6.4/32" "fd00:fae:fae:fae:fae:4::/96" ]; + endpoint = "[2001:4d88:1ffa:26::5]:51820"; + # Use this endpoint in IPv4 only networks + #endpoint = "80.244.242.5:51820"; + persistentKeepalive = 15; + } + ]; + }; + }; + }; +} +``` + # Secret encryption Deployment secrets are added to the repository in encrypted files. To be able to work with these encrypted files, your public key(s) will have to be added to your user attrset under `secretEncryptionKeys`. From eaed05c834245634856a19b0ae086d88d78c2b83 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 6 Jun 2024 12:56:55 +0200 Subject: [PATCH 7/7] style: apply treefmt --- docs/administrative-access.md | 1 + modules/prometheus/default.nix | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 2257fe0..f22ed08 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -31,6 +31,7 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). Example NixOS snippet for WireGuard client config + ``` { networking = { diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 5d0f5f7..709f6a2 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix 
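Review bot: The example snippet declares `address` twice inside `wg-pub-solar` (`address = ["10.7.6.201/32"];` followed by `address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"];`), which Nix rejects as an attribute defined twice, so anyone pasting the example gets an evaluation error; drop the first line and keep the dual-stack one. The endpoint comments are also inconsistent: for nachtigall and tankstelle `# Use this endpoint in IPv4 only networks` sits above the commented-out IPv4 endpoint, but for metronom it sits above the active IPv4 line while the IPv6 endpoint is the one commented out, which reads as if IPv6 were the fallback there. Tagging the fence as ```nix would give readers syntax highlighting for the snippet.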
@@ -54,13 +54,17 @@ }; } { - targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ]; + targets = [ + "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + ]; labels = { instance = "metronom"; }; } { - targets = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ]; + targets = [ + "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + ]; labels = { instance = "tankstelle"; };