From e4cb215d394073f348b52e6c622fcc778fabc6bb Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 10:27:18 +0100
Subject: [PATCH 1/8] Simplify networking configs

Introduces values.nix, a place to store information relevant across systems
---
 base.nix | 4 +++-
 flake.nix | 4 ++--
 hosts/ildkule/configuration.nix | 2 --
 hosts/jokum/configuration.nix | 13 +++++-------
 values.nix | 25 +++++++++++++++++++++++++
 5 files changed, 35 insertions(+), 13 deletions(-)
 create mode 100644 values.nix

diff --git a/base.nix b/base.nix
index b5f6c84..13c9e4b 100644
--- a/base.nix
+++ b/base.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, lib, pkgs, inputs, values, ... }:
 {
 imports = [
@@ -8,6 +8,8 @@
 networking.domain = "pvv.ntnu.no";
 networking.useDHCP = false;
 networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+ networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+ networking.defaultGateway = values.gateway;
 services.resolved = {
 enable = true;
diff --git a/flake.nix b/flake.nix
index 75d91d2..dc11725 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
 nixosConfigurations = {
 jokum = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = { inherit unstable inputs; };
+ specialArgs = { inherit unstable inputs; values = import ./values.nix; };
 modules = [
 ./hosts/jokum/configuration.nix
 sops-nix.nixosModules.sops
@@ -32,7 +32,7 @@
 };
 ildkule = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = { inherit unstable inputs; };
+ specialArgs = { inherit unstable inputs; values = import ./values.nix; };
 modules = [
 ./hosts/ildkule/configuration.nix
 sops-nix.nixosModules.sops
diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix
index d733751..77037cb 100644
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
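Review bot: In the second base.nix hunk `networking.defaultGateway = values.gateway;` is a plain assignment while the nameservers on the line above use `lib.mkDefault`, so a host that needs a different gateway would likely collide with this definition and have to `lib.mkForce` its own rather than simply set it. `networking.defaultGateway = lib.mkDefault values.gateway;` keeps the two shared defaults consistent and leaves per-host overrides cheap. base.nix is imported by every host, so the cost of a non-overridable default here is paid by any machine that is added outside the current subnet. The enclosing attribute set begins before this hunk.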
@@ -22,7 +22,6 @@
 networking.interfaces.ens18.useDHCP = false;
- networking.defaultGateway = "129.241.210.129";
 networking.interfaces.ens18.ipv4 = {
 addresses = [
 {
@@ -39,7 +38,6 @@
 }
 ];
 };
- networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
diff --git a/hosts/jokum/configuration.nix b/hosts/jokum/configuration.nix
index f00a047..a4dd882 100644
--- a/hosts/jokum/configuration.nix
+++ b/hosts/jokum/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
 imports = [
 # Include the results of the hardware scan.
@@ -27,16 +27,14 @@
 networking.hostName = "jokum"; # Define your hostname.
 networking.interfaces.ens18.useDHCP = false;
-
- networking.defaultGateway = "129.241.210.129";
 networking.interfaces.ens18.ipv4 = {
 addresses = [
 {
- address = "129.241.210.169";
+ address = values.jokum.ipv4;
 prefixLength = 25;
 }
 {
- address = "129.241.210.213";
+ address = values.turn.ipv4;
 prefixLength = 25;
 }
 ];
@@ -44,16 +42,15 @@
 networking.interfaces.ens18.ipv6 = {
 addresses = [
 {
- address = "2001:700:300:1900::169";
+ address = values.jokum.ipv6;
 prefixLength = 64;
 }
 {
- address = "2001:700:300:1900::213";
+ address = values.turn.ipv6;
 prefixLength = 64;
 }
 ];
 };
- networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 # List packages installed in system profile
 environment.systemPackages = with pkgs; [
diff --git a/values.nix b/values.nix
new file mode 100644
index 0000000..e6cc7f8
--- /dev/null
+++ b/values.nix
@@ -0,0 +1,25 @@
+# Feel free to change the structure of this file
+
+rec {
+ gateway = "129.241.210.129";
+
+
+ jokum = {
+ ipv4 = "129.241.210.169";
+ ipv6 = "2001:700:300:1900::169";
+ };
+ matrix = {
+ ipv4 = jokum.ipv4;
+ ipv6 = jokum.ipv6;
+ };
+ # Also on jokum
+ turn = {
+ ipv4 = "129.241.210.213";
+ ipv6 = "2001:700:300:1900::213";
+ };
+
+ ildkule = {
+ ipv4 = "129.241.210.187";
+ ipv6 = "2001:700:300:1900::187";
+ };
+}
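Review bot: values.nix does not say how it reaches the modules, so someone meeting `values.jokum.ipv4` in a host configuration has to search flake.nix to learn that the file is imported there and handed to every module as the `values` specialArg. A header line such as `# Imported by flake.nix and passed to every NixOS module as the values specialArg` would make that discoverable, and `matrix` deserves a one-line note that it intentionally aliases jokum's addresses, as `turn` already has with `# Also on jokum`. Because jokum's interface addresses are now taken from this file, an editing mistake here takes the host off the network, which is worth stating next to the invitation to "change the structure of this file".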
From 96b6dee40488a16dbda5fcd0d9f35376021a1b0b Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 10:30:20 +0100
Subject: [PATCH 2/8] Add firewalling to metric exporters

---
 hosts/jokum/services/matrix/synapse.nix | 10 +++++++++-
 misc/metrics-exporters.nix | 7 ++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/hosts/jokum/services/matrix/synapse.nix b/hosts/jokum/services/matrix/synapse.nix
index 4e4652e..a88aa24 100644
--- a/hosts/jokum/services/matrix/synapse.nix
+++ b/hosts/jokum/services/matrix/synapse.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, values, ... }:
 let
 cfg = config.services.matrix-synapse-next;
@@ -190,6 +190,10 @@ in {
 ({
 locations."/metrics/master/1" = {
 proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
+ extraConfig = ''
+ allow ${values.ildkule.ipv4};
+ deny all;
+ '';
 };
 locations."/metrics/" = let
@@ -209,6 +213,10 @@ in {
 { targets = endpoints; labels = { }; }])
 + "/";
+ extraConfig = ''
+ allow ${values.ildkule.ipv4};
+ deny all;
+ '';
 };
 })];
 }
diff --git a/misc/metrics-exporters.nix b/misc/metrics-exporters.nix
index 7d0b929..35c220d 100644
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 {
 services.prometheus.exporters.node = {
@@ -7,6 +7,11 @@
 enabledCollectors = [ "systemd" ];
 };
+ systemd.services.prometheus-node-exporter.serviceConfig = {
+ IPAddressDeny = "any";
+ IPAddressAllow = values.ildkule.ipv4;
+ };
+
 services.promtail = {
 enable = true;
 configuration = {
From 5b798b2f1d09b149c61eff858e8787997812e654 Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 10:32:10 +0100
Subject: [PATCH 3/8] jokum: enable metric exporters

---
 hosts/ildkule/services/metrics/prometheus.nix | 1 +
 hosts/jokum/configuration.nix | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
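Review bot: The same three-line `extraConfig` (`allow ${values.ildkule.ipv4}; deny all;`) is pasted into both `locations."/metrics/master/1"` and `locations."/metrics/"`, while the per-worker metrics locations generated by the `lib.mapAttrs'` call just above these hunks (outside them) get no restriction, so worker metrics remain reachable from any address after this commit. Binding the snippet once in the surrounding `let`, e.g. `metricsAccess = '' allow ${values.ildkule.ipv4}; deny all; '';`, and writing `extraConfig = metricsAccess;` in every metrics location keeps the allow-list in one place and makes such an omission visible. nginx `allow`/`deny` act on the connection's source address, so this restriction only holds if ildkule reaches this vhost directly rather than through another proxy; worth confirming against how the vhost is fronted. The `locations` attribute set these hunks edit starts before line 190.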
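Review bot: `IPAddressDeny = "any"` with a single `IPAddressAllow` entry also covers loopback, so a local `curl http://localhost:9100/metrics` on jokum will get no reply, and a scrape from ildkule over IPv6 is blocked too because only its IPv4 address is listed; `IPAddressAllow = [ "localhost" values.ildkule.ipv4 ];` keeps local debugging working (systemd accepts the symbolic names `any`, `localhost`, `link-local` and `multicast` here). These directives are enforced by systemd's per-unit BPF filter rather than the host firewall: on a host without that support they are skipped with only a journal warning, and they say nothing about whether port 9100 is open in `networking.firewall`, which this hunk does not touch. After deployment, `systemctl show prometheus-node-exporter -p IPAddressDeny` and one request from a non-listed address confirm the policy is in effect.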
diff --git a/hosts/ildkule/services/metrics/prometheus.nix b/hosts/ildkule/services/metrics/prometheus.nix
index 2f206e6..90bba88 100644
--- a/hosts/ildkule/services/metrics/prometheus.nix
+++ b/hosts/ildkule/services/metrics/prometheus.nix
@@ -20,6 +20,7 @@ in {
 "knakelibrak.pvv.ntnu.no:9100"
 "hildring.pvv.ntnu.no:9100"
 "bicep.pvv.ntnu.no:9100"
+ "jokum.pvv.ntnu.no:9100"
 ];
 }
 ];
diff --git a/hosts/jokum/configuration.nix b/hosts/jokum/configuration.nix
index a4dd882..4866abe 100644
--- a/hosts/jokum/configuration.nix
+++ b/hosts/jokum/configuration.nix
@@ -5,8 +5,7 @@
 ./hardware-configuration.nix
 ../../base.nix
- # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
-
+ ../../misc/metrics-exporters.nix
 ../../misc/rust-motd.nix
 ./services/matrix
From 99fed59f1a4d5b7cc133b1e5cee4eb56ffb1d93c Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 11:17:29 +0100
Subject: [PATCH 4/8] update flake and point to right matrix-synapse-next branch

---
 flake.lock | 31 +++++++++++++++----------------
 flake.nix | 2 +-
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/flake.lock b/flake.lock
index e8a8056..35b3a71 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,27 +2,26 @@ "nodes": { "matrix-next": { "locked": { - "lastModified": 1671009204, - "narHash": "sha256-gqA9po/KmHyh44XYqv/LfFJ1+MGufhaaD6DhDqBeaF8=", + "lastModified": 1671663871, + "narHash": "sha256-06G6xYTFPVuvmN/k2QDeBk9XIp4LDxEKWRL3aLAFFNo=", "owner": "dali99", "repo": "nixos-matrix-modules", - "rev": "43dbc17526576cb8e0980cef51c48b6598f97550", + "rev": "b6f0a026a78200c0e526aa73279c228e08673437", "type": "github" }, "original": { "owner": "dali99", - "ref": "flake-experiments", "repo": "nixos-matrix-modules", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1670946965, - "narHash": "sha256-PDJfKgK/aSV3ISnD1TbKpLPW85LO/AQI73yQjbwribA=", + "lastModified": 1673785634, + "narHash": "sha256-4SPGYVNutklnlpSMaqL+GA2x5DJ+QL85T+hOF6MHAZE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "265caf30fa0a5148395b62777389b57eb0a537fd", + "rev": "54d5d59cb19728a0321efbcd22c539109489965b", "type": "github" }, "original": { @@ -34,11 +33,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1670146390, - "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=", + "lastModified": 1673740915, + "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "86370507cb20c905800527539fc049a2bf09c667", + "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2", "type": "github" }, "original": { @@ -64,11 +63,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1670149631, - "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", + "lastModified": 1673752321, + "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "da98a111623101c64474a14983d83dad8f09f93d", + "rev": "e18eefd2b133a58309475298052c341c08470717", "type": "github" }, "original": { 
@@ -79,11 +78,11 @@ }, "unstable": { "locked": { - "lastModified": 1670918062, - "narHash": "sha256-iOhkyBYUU9Jfkk0lvI4ahpjyrTsLXj9uyJWwmjKg+gg=", + "lastModified": 1673855649, + "narHash": "sha256-Pc1VumquuFMDR1Ers1QOVDDabL/trVwfqWXeKJPXLQg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "84575b0bd882be979516f4fecfe4d7c8de8f6a92", + "rev": "c85d08692966cf022b0a741a794cb1650602d8af", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index dc11725..938d4f8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
- matrix-next.url = "github:dali99/nixos-matrix-modules/flake-experiments";
+ matrix-next.url = "github:dali99/nixos-matrix-modules";
 };
 outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
From 473170cc410b6b01d6c2668495d35f341f2e9c26 Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 11:20:37 +0100
Subject: [PATCH 5/8] update deployment command to invalidate cache

I had fixed the issue but since it was resuing the broken commit it didnt actually get deployed
---
 README.MD | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.MD b/README.MD
index 0362e90..02e51f8 100644
--- a/README.MD
+++ b/README.MD
@@ -16,7 +16,7 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
 som root på maskinen.
From 1ea40456a5689f55489be6f563a68afcc0373c54 Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 18:23:42 +0100
Subject: [PATCH 6/8] add ipv6 to allowed ip addresses for metrics exporters

---
 hosts/jokum/services/matrix/synapse.nix | 15 ++++++++++-----
 misc/metrics-exporters.nix | 5 ++++-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/hosts/jokum/services/matrix/synapse.nix b/hosts/jokum/services/matrix/synapse.nix
index a88aa24..7f883d2 100644
--- a/hosts/jokum/services/matrix/synapse.nix
+++ b/hosts/jokum/services/matrix/synapse.nix
@@ -184,7 +184,15 @@ in {
 metricsPath = w: "/metrics/${w.type}/${toString w.index}";
 proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
- in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
+ in lib.mapAttrs' (n: v: lib.nameValuePair
+ (metricsPath v) ({
+ proxyPass = proxyPath v;
+ extraConfig = ''
+ allow ${values.ildkule.ipv4};
+ allow [${values.ildkule.ipv6}];
+ deny all;
+ '';
+ }))
 cfg.workers.instances;
 })
 ({
@@ -192,6 +200,7 @@ in {
 proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
 extraConfig = ''
 allow ${values.ildkule.ipv4};
+ allow [${values.ildkule.ipv6}];
 deny all;
 '';
 };
@@ -213,10 +222,6 @@ in {
 { targets = endpoints; labels = { }; }])
 + "/";
- extraConfig = ''
- allow ${values.ildkule.ipv4};
- deny all;
- '';
 };
 })];
 }
diff --git a/misc/metrics-exporters.nix b/misc/metrics-exporters.nix
index 35c220d..956b6b5 100644
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@@ -9,7 +9,10 @@
 systemd.services.prometheus-node-exporter.serviceConfig = {
 IPAddressDeny = "any";
- IPAddressAllow = values.ildkule.ipv4;
+ IPAddressAllow = [
+ values.ildkule.ipv4
+ values.ildkule.ipv6
+ ];
 };
 services.promtail = {
From a5bbd657570347a28ccf68ede506d8a0c39a60c3 Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 18:24:58 +0100
Subject: [PATCH 7/8] disable ipv6 privacyExtension by default

---
 base.nix | 1 +
 1 file changed, 1 insertion(+)
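Review bot: The third synapse.nix hunk removes the `allow`/`deny` block from `locations."/metrics/"` although the commit message only speaks of adding IPv6 to the allow-list; the service-discovery listing served from that location (the `targets = endpoints` document) thereby becomes readable from any address again, exposing the set of worker metric paths even though each path is now restricted. If the removal is deliberate, a comment at that location saying why (for instance that `allow`/`deny` was not wanted on a location that serves a static file) would stop the next reader from re-adding it; otherwise the `extraConfig` belongs there as in the other metrics locations. In the first two hunks `allow [${values.ildkule.ipv6}];` wraps the address in brackets, but nginx's `allow` takes the bare IPv6 address, exactly as the IPv4 line above it is written, so the IPv6 rule as added here is unlikely to be accepted by nginx. The `let` that the first hunk edits begins before line 184.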
diff --git a/base.nix b/base.nix
index 13c9e4b..c9c99bc 100644
--- a/base.nix
+++ b/base.nix
@@ -9,6 +9,7 @@
 networking.useDHCP = false;
 networking.search = [ "pvv.ntnu.no" "pvv.org" ];
 networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+ networking.tempAddresses = lib.mkDefault "disabled";
 networking.defaultGateway = values.gateway;
 services.resolved = {
From 64d0253aa0bca497dee72de53b4445e7743a63be Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Tue, 17 Jan 2023 18:42:06 +0100
Subject: [PATCH 8/8] I dont think the nginx config verifier has caught a single configuration error ever

---
 hosts/jokum/services/matrix/synapse.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/jokum/services/matrix/synapse.nix b/hosts/jokum/services/matrix/synapse.nix
index 7f883d2..7709a6f 100644
--- a/hosts/jokum/services/matrix/synapse.nix
+++ b/hosts/jokum/services/matrix/synapse.nix
@@ -189,7 +189,7 @@ in {
 proxyPass = proxyPath v;
 extraConfig = ''
 allow ${values.ildkule.ipv4};
- allow [${values.ildkule.ipv6}];
+ allow ${values.ildkule.ipv6};
 deny all;
 '';
 }))
@@ -200,7 +200,7 @@ in {
 proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
 extraConfig = ''
 allow ${values.ildkule.ipv4};
- allow [${values.ildkule.ipv6}];
+ allow ${values.ildkule.ipv6};
 deny all;
 '';
 };
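Review bot: `networking.tempAddresses = lib.mkDefault "disabled";` carries no comment, and the reason is not visible from base.nix alone: with privacy extensions enabled the kernel prefers a rotating temporary IPv6 source address, so the source-address allow-lists keyed on `values.<host>.ipv6` elsewhere in this series (nginx `allow`, systemd `IPAddressAllow`) would intermittently stop matching. A line such as `# Servers need a stable IPv6 source address so that remote allow-lists keyed on values.<host>.ipv6 keep matching` above the setting records that dependency for the next reader, and `mkDefault` correctly leaves a host free to re-enable them. The enclosing attribute set begins before this hunk.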
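Review bot: The bracket removal matches nginx's `allow` syntax, but the commit message itself notes that the configuration check let the earlier form through, so nothing in the repository asserts that the metrics endpoints are actually restricted. A post-deploy check from a host other than ildkule, expecting HTTP 403 on `/metrics/master/1` and on one worker path, would catch this class of regression, and since the identical two-line snippet now lives in three places, a single `let` binding (e.g. `metricsAccess = '' allow ${values.ildkule.ipv4}; allow ${values.ildkule.ipv6}; deny all; '';`) would mean the next such typo is fixed once. The `locations` attribute set that both hunks edit starts before line 189.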