diff --git a/README.MD b/README.MD
index 0362e90..02e51f8 100644
--- a/README.MD
+++ b/README.MD
@@ -16,7 +16,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den. Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 som root på maskinen.
diff --git a/base.nix b/base.nix
index b5f6c84..c9c99bc 100644
--- a/base.nix
+++ b/base.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, lib, pkgs, inputs, values, ... }:
 {
 imports = [
@@ -8,6 +8,9 @@
 networking.domain = "pvv.ntnu.no";
 networking.useDHCP = false;
 networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+networking.tempAddresses = lib.mkDefault "disabled";
+networking.defaultGateway = values.gateway;
 services.resolved = {
 enable = true;
diff --git a/flake.lock b/flake.lock
index e8a8056..35b3a71 100644
--- a/flake.lock
+++ b/flake.lock
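Review bot: Of the three lines added to base.nix, `networking.defaultGateway = values.gateway;` is the only one not wrapped in `lib.mkDefault`, so a host that needs a different gateway will hit a definition conflict unless it uses `lib.mkForce`; `networking.defaultGateway = lib.mkDefault values.gateway;` keeps it overridable like the other two. Only an IPv4 gateway is added, while hosts/jokum/configuration.nix in this same diff carries static global IPv6 addresses and no `networking.defaultGateway6` appears anywhere in the patch, so unless it is set in a file outside this change the IPv6 addresses are reachable only on-link. Consider a `gateway6` entry in values.nix and `networking.defaultGateway6 = lib.mkDefault values.gateway6;` next to the IPv4 line. The enclosing attribute set continues past the hunk.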
@@ -2,27 +2,26 @@
 "nodes": {
 "matrix-next": {
 "locked": {
-"lastModified": 1671009204,
-"narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=",
+"lastModified": 1671663871,
+"narHash": "sha256-06G6xYTFPVuvmN/k2QDeBk9XIp4LDxEKWRL3aLAFFNo=",
 "owner": "dali99",
 "repo": "nixos-matrix-modules",
-"rev": "43dbc17526576cb8e0980cef51c48b6598f97550",
+"rev": "b6f0a026a78200c0e526aa73279c228e08673437",
 "type": "github"
 },
 "original": {
 "owner": "dali99",
-"ref": "flake-experiments",
 "repo": "nixos-matrix-modules",
 "type": "github"
 }
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1670946965,
-"narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=",
+"lastModified": 1673785634,
+"narHash": "sha256-4SPGYVNutklnlpSMaqL+GA2x5DJ+QL85T+hOF6MHAZE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "265caf30fa0a5148395b62777389b57eb0a537fd",
+"rev": "54d5d59cb19728a0321efbcd22c539109489965b",
 "type": "github"
 },
 "original": {
@@ -34,11 +33,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
-"lastModified": 1670146390,
-"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
+"lastModified": 1673740915,
+"narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "86370507cb20c905800527539fc049a2bf09c667",
+"rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
 "type": "github"
 },
 "original": {
@@ -64,11 +63,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
-"lastModified": 1670149631,
-"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
+"lastModified": 1673752321,
+"narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
 "owner": "Mic92",
 "repo": "sops-nix",
-"rev": "da98a111623101c64474a14983d83dad8f09f93d",
+"rev": "e18eefd2b133a58309475298052c341c08470717",
 "type": "github"
 },
 "original": {
@@ -79,11 +78,11 @@
 },
 "unstable": {
 "locked": {
-"lastModified": 1670918062,
-"narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=",
+"lastModified": 1673855649,
+"narHash": "sha256-Pc1VumquuFMDR1Ers1QOVDDabL/trVwfqWXeKJPXLQg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92",
+"rev": "c85d08692966cf022b0a741a794cb1650602d8af",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 75d91d2..938d4f8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
+matrix-next.url = "github:dali99/nixos-matrix-modules";
 };
 outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
@@ -22,7 +22,7 @@
 nixosConfigurations = {
 jokum = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
-specialArgs = { inherit unstable inputs; };
+specialArgs = { inherit unstable inputs; values = import ./values.nix; };
 modules = [
 ./hosts/jokum/configuration.nix
 sops-nix.nixosModules.sops
@@ -32,7 +32,7 @@
 };
 ildkule = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
-specialArgs = { inherit unstable inputs; };
+specialArgs = { inherit unstable inputs; values = import ./values.nix; };
 modules = [
 ./hosts/ildkule/configuration.nix
 sops-nix.nixosModules.sops
diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix
index d733751..77037cb 100644
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -22,7 +22,6 @@
 networking.interfaces.ens18.useDHCP = false;
-networking.defaultGateway = "129.241.210.129";
 networking.interfaces.ens18.ipv4 = {
 addresses = [
 {
@@ -39,7 +38,6 @@
 }
 ];
 };
-networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
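Review bot: `values = import ./values.nix;` is written out separately in the `specialArgs` of both `jokum` and `ildkule`, so the next host added to `nixosConfigurations` can silently miss it and fail at evaluation on the first `values.` reference in base.nix. Bind it once in the `outputs` `let` (which starts outside this hunk) as `values = import ./values.nix;` and write `specialArgs = { inherit unstable inputs values; };` in both places. Dropping the `flake-experiments` ref in the input hunk above means `matrix-next` now follows that repository's default branch; flake.lock still pins the revision, so this only matters when someone runs `--update-input matrix-next`.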
diff --git a/hosts/ildkule/services/metrics/prometheus.nix b/hosts/ildkule/services/metrics/prometheus.nix
index 2f206e6..90bba88 100644
--- a/hosts/ildkule/services/metrics/prometheus.nix
+++ b/hosts/ildkule/services/metrics/prometheus.nix
@@ -20,6 +20,7 @@ in {
 "knakelibrak.pvv.ntnu.no:9100"
 "hildring.pvv.ntnu.no:9100"
 "bicep.pvv.ntnu.no:9100"
+"jokum.pvv.ntnu.no:9100"
 ];
 }
 ];
diff --git a/hosts/jokum/configuration.nix b/hosts/jokum/configuration.nix
index f00a047..4866abe 100644
--- a/hosts/jokum/configuration.nix
+++ b/hosts/jokum/configuration.nix
@@ -1,12 +1,11 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../../base.nix
-# Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
-
+
 ../../misc/metrics-exporters.nix
 ../../misc/rust-motd.nix
 ./services/matrix
@@ -27,16 +26,14 @@
 networking.hostName = "jokum"; # Define your hostname.
 networking.interfaces.ens18.useDHCP = false;
-
-networking.defaultGateway = "129.241.210.129";
 networking.interfaces.ens18.ipv4 = {
 addresses = [
 {
-address = "129.241.210.169";
+address = values.jokum.ipv4;
 prefixLength = 25;
 }
 {
-address = "129.241.210.213";
+address = values.turn.ipv4;
 prefixLength = 25;
 }
 ];
@@ -44,16 +41,15 @@
 networking.interfaces.ens18.ipv6 = {
 addresses = [
 {
-address = "2001:700:300:1900::169";
+address = values.jokum.ipv6;
 prefixLength = 64;
 }
 {
-address = "2001:700:300:1900::213";
+address = values.turn.ipv6;
 prefixLength = 64;
 }
 ];
 };
-networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
diff --git a/hosts/jokum/services/matrix/synapse.nix b/hosts/jokum/services/matrix/synapse.nix
index 4e4652e..7709a6f 100644
--- a/hosts/jokum/services/matrix/synapse.nix
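Review bot: In the first hunk of hosts/jokum/configuration.nix the removed empty line after `../../base.nix` is replaced by an added line that git reports as different, which (since both appear blank) means the new line presumably carries trailing whitespace; strip it so the import list stays clean. The hunk header counts (`-1,12 +1,11`) are consistent with exactly that one comment line removed plus a blank-for-blank swap, so nothing else is lost. The `imports` list continues past the hunk.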
+++ b/hosts/jokum/services/matrix/synapse.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
 cfg = config.services.matrix-synapse-next;
@@ -184,12 +184,25 @@ in {
 metricsPath = w: "/metrics/${w.type}/${toString w.index}";
 proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
-in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
+in lib.mapAttrs' (n: v: lib.nameValuePair
+(metricsPath v) ({
+proxyPass = proxyPath v;
+extraConfig = ''
+allow ${values.ildkule.ipv4};
+allow ${values.ildkule.ipv6};
+deny all;
+'';
+}))
 cfg.workers.instances;
 })
 ({
 locations."/metrics/master/1" = {
 proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
+extraConfig = ''
+allow ${values.ildkule.ipv4};
+allow ${values.ildkule.ipv6};
+deny all;
+'';
 };
 locations."/metrics/" = let
diff --git a/misc/metrics-exporters.nix b/misc/metrics-exporters.nix
index 7d0b929..956b6b5 100644
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
 services.prometheus.exporters.node = {
@@ -7,6 +7,14 @@
 enabledCollectors = [ "systemd" ];
 };
+systemd.services.prometheus-node-exporter.serviceConfig = {
+IPAddressDeny = "any";
+IPAddressAllow = [
+values.ildkule.ipv4
+values.ildkule.ipv6
+];
+};
+
 services.promtail = {
 enable = true;
 configuration = {
diff --git a/values.nix b/values.nix
new file mode 100644
index 0000000..e6cc7f8
--- /dev/null
+++ b/values.nix
@@ -0,0 +1,25 @@
+# Feel free to change the structure of this file
+
+rec {
+gateway = "129.241.210.129";
+
+
+jokum = {
+ipv4 = "129.241.210.169";
+ipv6 = "2001:700:300:1900::169";
+};
+matrix = {
+ipv4 = jokum.ipv4;
+ipv6 = jokum.ipv6;
+};
+# Also on jokum
+turn = {
+ipv4 = "129.241.210.213";
+ipv6 = "2001:700:300:1900::213";
+};
+
+ildkule = {
+ipv4 = "129.241.210.187";
+ipv6 = "2001:700:300:1900::187";
+};
+}
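Review bot: The nginx `allow`/`deny` snippet is pasted verbatim into both the worker locations and `locations."/metrics/master/1"`, and the hunk stops at `locations."/metrics/" = let`, so it is not visible whether that third metrics location carries the same restriction; nginx applies `allow`/`deny` per location, so any `/metrics` location left without it remains readable from anywhere. Binding the snippet once next to `cfg` in the file-level `let` (first hunk of this file) and referencing it from every metrics location makes an omission obvious. Note also that nginx evaluates these rules against the peer address, so they only hold while nothing (load balancer, CDN) sits in front of this vhost — presumably the case here, but worth confirming. The `let` that defines `metricsPath`/`proxyPath` and the surrounding attribute sets begin outside the hunk.
```nix
let
  cfg = config.services.matrix-synapse-next;
  # Only ildkule (the Prometheus scraper) may read Synapse metrics; use on every /metrics location.
  metricsAccess = ''
    allow ${values.ildkule.ipv4};
    allow ${values.ildkule.ipv6};
    deny all;
  '';
# … unchanged: rest of the file-level let, vhost definition …
      in lib.mapAttrs' (n: v: lib.nameValuePair
        (metricsPath v) { proxyPass = proxyPath v; extraConfig = metricsAccess; })
        cfg.workers.instances;
# … unchanged: closing of the worker attrset …
      locations."/metrics/master/1" = {
        proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
        extraConfig = metricsAccess;
      };
```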
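Review bot: `IPAddressDeny = "any"` with only ildkule's two addresses in `IPAddressAllow` also covers loopback, because systemd enforces these as a per-unit socket filter in the kernel rather than in the exporter, so a local `curl http://localhost:9100/metrics` on the host (the usual way to debug the exporter) will just hang or be refused with nothing in the exporter's log. If local access is wanted, add `"localhost"` to the list: `IPAddressAllow = [ "localhost" values.ildkule.ipv4 values.ildkule.ipv6 ];`. The restriction applies to the node-exporter unit only; whether promtail, configured right below, exposes a listener is outside the hunk. The surrounding attribute set continues past the hunk.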