diff --git a/modules/nixos/gatus.nix b/modules/nixos/gatus.nix
index 7530d18d..a714a882 100644
--- a/modules/nixos/gatus.nix
+++ b/modules/nixos/gatus.nix
@@ -4,7 +4,7 @@
 pkgs,
 ...
 }: let
- inherit (lib.options) mkOption;
+ inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkForce;
 inherit (lib.attrsets) attrValues;
 inherit (lib.lists) length unique;
@@ -211,6 +211,10 @@ in {
 };
 };
 in with types; {
+ hardening = {
+ enable = mkEnableOption "sandbox and harden service";
+ icmp.enable = mkEnableOption "needed for ICMP probes";
+ };
 user = mkOption {
 type = nullOr str;
 default = null;
@@ -236,11 +240,44 @@ in {
 }
 ];
 conf.systemd.services.gatus = {
- serviceConfig.User = mkIf (cfg.user != null) (mkForce cfg.user);
+ serviceConfig = mkMerge [
+ serviceConfig
+ (mkIf cfg.hardening.enable serviceConfig'hardening)
+ ];
 };
 serviceConf = {
 services.gatus.settings.endpoints = mkIf (cfg.endpoints != {}) (attrValues cfg.endpoints);
 };
+ serviceConfig = {
+ User = mkIf (cfg.user != null) (mkForce cfg.user);
+
+ AmbientCapabilities = mkIf cfg.hardening.icmp.enable ["CAP_NET_RAW"];
+ };
+ serviceConfig'hardening = {
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ UMask = "0077";
+ };
 in mkMerge [
 (mkIf cfg.enable conf)
 serviceConf
diff --git a/modules/system/exports/monitoring.nix b/modules/system/exports/monitoring.nix
index cef98c06..0558b26a 100644
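Review bot: `icmp.enable` is declared under `hardening`, but the third hunk of this file applies its `AmbientCapabilities` grant whenever `icmp.enable` is true, independent of `hardening.enable`, so the option path promises a coupling the code does not have; either gate the grant on `hardening.enable` or document that it is independent. The generated description also reads "Whether to enable needed for ICMP probes." because mkEnableOption prefixes "Whether to enable"; `icmp.enable = mkEnableOption "CAP_NET_RAW for ICMP probes";` reads correctly.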
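Review bot: `serviceConfig'hardening` restricts namespaces, realtime and address families but leaves the capability bounding set and the syscall filter at their defaults, which is the usual pair that completes a sandbox of this kind. Next to `AmbientCapabilities` I would add `CapabilityBoundingSet = if cfg.hardening.icmp.enable then ["CAP_NET_RAW"] else [""];` (CAP_NET_RAW has to stay in the bounding set whenever it is granted as ambient), and in the hardening set `SystemCallArchitectures = "native";` and `SystemCallFilter = ["@system-service"];`. `ProtectSystem = "strict"` makes the filesystem read-only apart from /dev, /proc and /sys, so if gatus keeps a local storage file the unit needs a `StateDirectory` or `ReadWritePaths` entry — I cannot see from this module whether one is set elsewhere, so please verify. A short comment on the hardening set naming what it deliberately leaves open (AF_INET/AF_INET6 for probes, no syscall filter if that is intentional) would help the next reader.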
--- a/modules/system/exports/monitoring.nix +++ b/modules/system/exports/monitoring.nix @@ -258,6 +258,10 @@ in // { default = config.access.online.enable; }; + displayName = mkOption { + type = str; + default = config.name; + }; alert = { enable = mkEnableOption "health check alerts" diff --git a/modules/system/exports/unifi.nix b/modules/system/exports/unifi.nix index ebbb5785..4d6fe48f 100644 --- a/modules/system/exports/unifi.nix +++ b/modules/system/exports/unifi.nix @@ -6,6 +6,7 @@ inherit (gensokyo-zone.lib) mkAlmostOptionDefault; in { config.exports.services.unifi = {config, ...}: { + displayName = mkAlmostOptionDefault "UniFi"; nixos.serviceAttr = "unifi"; defaults.port.listen = mkAlmostOptionDefault "lan"; ports = { diff --git a/nixos/monitoring/gatus.nix b/nixos/monitoring/gatus.nix index db7403a1..ffd6f435 100644 --- a/nixos/monitoring/gatus.nix +++ b/nixos/monitoring/gatus.nix @@ -110,7 +110,7 @@ [alertingConfig] ++ optional status.alert.enable alertingConfigAlerts; config = { - name = mkAlmostOptionDefault system.name; + name = mkAlmostOptionDefault system.exports.status.displayName; # XXX: it can't seem to ping ipv6 for some reason..? :< enabled = mkIf addrIs6 (mkAlmostOptionDefault false); client.network = mkIf addrIs6 (mkAlmostOptionDefault "ip6"); @@ -177,6 +177,11 @@ in { user = mkDefault "gatus"; environmentFile = config.sops.secrets.gatus_environment_file.path; + hardening = { + enable = mkDefault true; + icmp.enable = mkDefault true; + }; + # Endpoint configuration endpoints = listToAttrs (concatMap mapSystem statusSystems); diff --git a/systems/idrac-gengetsu/default.nix b/systems/idrac-gengetsu/default.nix index 08616f02..0c498072 100644 --- a/systems/idrac-gengetsu/default.nix +++ b/systems/idrac-gengetsu/default.nix @@ -5,11 +5,13 @@ _: { }; network.networks = { local = { + slaac.enable = false; address4 = "10.1.1.12"; address6 = null; }; }; exports = { + status.displayName = "gengetsu/IDRAC"; services = { sshd = { enable = true; 
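Review bot: The new `displayName` option in monitoring.nix has no `description`, while the neighbouring options get one from mkEnableOption, so it shows up undocumented in generated option docs; `description = "Label used for this system's monitoring endpoint; defaults to config.name.";` would do. The enclosing attribute set starts before the hunk.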
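Review bot: In nixos/monitoring/gatus.nix, `hardening.icmp.enable = mkDefault true;` grants CAP_NET_RAW to the whole gatus unit regardless of whether any generated endpoint actually uses an ICMP probe, and per modules/nixos/gatus.nix that grant is applied even when `hardening.enable` is false. If the endpoint list built by `mapSystem` can tell ICMP probes apart, deriving this default from it would keep the capability off on hosts that only run HTTP/TCP checks; otherwise a comment such as `# CAP_NET_RAW: ICMP probes need raw sockets` records why it is always on. The enclosing attribute set starts before the hunk.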
diff --git a/systems/kvm-reisen/default.nix b/systems/kvm-reisen/default.nix
index 64d98b8b..07446af4 100644
--- a/systems/kvm-reisen/default.nix
+++ b/systems/kvm-reisen/default.nix
@@ -1,5 +1,8 @@
 {...}: {
 type = "Linux";
+ access = {
+ online.available = true;
+ };
 network.networks = {
 local = {
 slaac.enable = false;
@@ -11,9 +14,12 @@
 address6 = "fd7a:115c:a1e0::1901:9d62";
 };
 };
- exports.services = {
- tailscale.enable = true;
- sshd.enable = true;
- #nkvm.enable = true;
+ exports = {
+ status.displayName = "reisen/KVM";
+ services = {
+ tailscale.enable = true;
+ sshd.enable = true;
+ #nkvm.enable = true;
+ };
 };
 }
diff --git a/systems/reisen/default.nix b/systems/reisen/default.nix
index ef638b0a..24b6a3f1 100644
--- a/systems/reisen/default.nix
+++ b/systems/reisen/default.nix
@@ -3,6 +3,9 @@ _: {
 proxmox.node = {
 enable = true;
 };
+ access = {
+ online.available = true;
+ };
 extern.files = {
 "/etc/sysctl.d/50-net.conf" = {
 source = ./sysctl.50-net.conf;
diff --git a/systems/u7pro/default.nix b/systems/u7pro/default.nix
index 596d0ed2..7afd1dfe 100644
--- a/systems/u7pro/default.nix
+++ b/systems/u7pro/default.nix
@@ -11,6 +11,7 @@ _: {
 };
 };
 exports = {
+ status.displayName = "U7 Pro";
 services = {
 sshd = {
 enable = true;