fix(gatus): permission to ping

arcnmx 2024-11-20 11:30:21 -08:00
parent e3d22ca33f
commit bd7c9ee8f3
8 changed files with 66 additions and 7 deletions


@ -4,7 +4,7 @@
pkgs, pkgs,
... ...
}: let }: let
inherit (lib.options) mkOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkForce; inherit (lib.modules) mkIf mkMerge mkForce;
inherit (lib.attrsets) attrValues; inherit (lib.attrsets) attrValues;
inherit (lib.lists) length unique; inherit (lib.lists) length unique;
@ -211,6 +211,10 @@ in {
}; };
}; };
in with types; { in with types; {
hardening = {
enable = mkEnableOption "sandbox and harden service";
icmp.enable = mkEnableOption "needed for ICMP probes";
};
user = mkOption { user = mkOption {
type = nullOr str; type = nullOr str;
default = null; default = null;
@ -236,11 +240,44 @@ in {
} }
]; ];
conf.systemd.services.gatus = { conf.systemd.services.gatus = {
serviceConfig.User = mkIf (cfg.user != null) (mkForce cfg.user); serviceConfig = mkMerge [
serviceConfig
(mkIf cfg.hardening.enable serviceConfig'hardening)
];
}; };
serviceConf = { serviceConf = {
services.gatus.settings.endpoints = mkIf (cfg.endpoints != {}) (attrValues cfg.endpoints); services.gatus.settings.endpoints = mkIf (cfg.endpoints != {}) (attrValues cfg.endpoints);
}; };
serviceConfig = {
User = mkIf (cfg.user != null) (mkForce cfg.user);
AmbientCapabilities = mkIf cfg.hardening.icmp.enable ["CAP_NET_RAW"];
};
serviceConfig'hardening = {
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0077";
};
in mkMerge [ in mkMerge [
(mkIf cfg.enable conf) (mkIf cfg.enable conf)
serviceConf serviceConf
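Review bot: The new `serviceConfig'hardening` set never restricts the capability bounding set, so the sandboxed service still carries the full default bounding set, and the `CAP_NET_RAW` ambient grant added to `serviceConfig` is not mirrored there; adding `CapabilityBoundingSet = if cfg.hardening.icmp.enable then ["CAP_NET_RAW"] else "";` next to the other hardening keys, together with `SystemCallArchitectures = "native";`, would close that gap. Note also that `AmbientCapabilities` lives in the unconditional `serviceConfig` set rather than under `hardening.enable`, so `hardening.icmp.enable` grants the capability even when hardening itself is off — likely intended, since the capability is what ICMP needs, but a short comment there would make that explicit. `ProtectSystem = "strict"` leaves only `/dev`, `/proc` and `/sys` writable, so any on-disk storage gatus writes must be covered by a `StateDirectory`/`ReadWritePaths` declaration that is not visible in this hunk. Finally, `mkEnableOption` prefixes the text with "Whether to enable", so `"needed for ICMP probes"` renders awkwardly; `icmp.enable = mkEnableOption "CAP_NET_RAW for ICMP probes";` reads cleanly.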


@ -258,6 +258,10 @@ in
// { // {
default = config.access.online.enable; default = config.access.online.enable;
}; };
displayName = mkOption {
type = str;
default = config.name;
};
alert = { alert = {
enable = enable =
mkEnableOption "health check alerts" mkEnableOption "health check alerts"
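Review bot: The new `displayName` option declares a type and default but no `description`, unlike the neighbouring `alert.enable` which documents itself through `mkEnableOption`. From the status hunk it appears to be the human-readable name used for gatus endpoint entries, so something like `description = "human-readable name shown in status and health displays (defaults to the service name)";` would document it without guessing beyond that use.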


@ -6,6 +6,7 @@
inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
in { in {
config.exports.services.unifi = {config, ...}: { config.exports.services.unifi = {config, ...}: {
displayName = mkAlmostOptionDefault "UniFi";
nixos.serviceAttr = "unifi"; nixos.serviceAttr = "unifi";
defaults.port.listen = mkAlmostOptionDefault "lan"; defaults.port.listen = mkAlmostOptionDefault "lan";
ports = { ports = {


@ -110,7 +110,7 @@
[alertingConfig] [alertingConfig]
++ optional status.alert.enable alertingConfigAlerts; ++ optional status.alert.enable alertingConfigAlerts;
config = { config = {
name = mkAlmostOptionDefault system.name; name = mkAlmostOptionDefault system.exports.status.displayName;
# XXX: it can't seem to ping ipv6 for some reason..? :< # XXX: it can't seem to ping ipv6 for some reason..? :<
enabled = mkIf addrIs6 (mkAlmostOptionDefault false); enabled = mkIf addrIs6 (mkAlmostOptionDefault false);
client.network = mkIf addrIs6 (mkAlmostOptionDefault "ip6"); client.network = mkIf addrIs6 (mkAlmostOptionDefault "ip6");
@ -177,6 +177,11 @@ in {
user = mkDefault "gatus"; user = mkDefault "gatus";
environmentFile = config.sops.secrets.gatus_environment_file.path; environmentFile = config.sops.secrets.gatus_environment_file.path;
hardening = {
enable = mkDefault true;
icmp.enable = mkDefault true;
};
# Endpoint configuration # Endpoint configuration
endpoints = listToAttrs (concatMap mapSystem statusSystems); endpoints = listToAttrs (concatMap mapSystem statusSystems);
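Review bot: `icmp.enable = mkDefault true;` grants CAP_NET_RAW to the gatus service on every host, regardless of whether any generated endpoint actually performs an ICMP probe, which is broader than the minimum the service needs. Since the endpoint set is built right below from `statusSystems`, the default could instead be derived from whether any of those endpoints uses an ICMP probe so the grant follows actual use; `mapSystem` is outside this hunk, so I cannot say which attribute to test. If every system entry is expected to be pinged, a comment next to the option, e.g. `# every status entry is ICMP-probed, so the capability is always required`, would make the blanket default deliberate rather than accidental.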


@ -5,11 +5,13 @@ _: {
}; };
network.networks = { network.networks = {
local = { local = {
slaac.enable = false;
address4 = "10.1.1.12"; address4 = "10.1.1.12";
address6 = null; address6 = null;
}; };
}; };
exports = { exports = {
status.displayName = "gengetsu/IDRAC";
services = { services = {
sshd = { sshd = {
enable = true; enable = true;


@ -1,5 +1,8 @@
{...}: { {...}: {
type = "Linux"; type = "Linux";
access = {
online.available = true;
};
network.networks = { network.networks = {
local = { local = {
slaac.enable = false; slaac.enable = false;
@ -11,9 +14,12 @@
address6 = "fd7a:115c:a1e0::1901:9d62"; address6 = "fd7a:115c:a1e0::1901:9d62";
}; };
}; };
exports.services = { exports = {
tailscale.enable = true; status.displayName = "reisen/KVM";
sshd.enable = true; services = {
#nkvm.enable = true; tailscale.enable = true;
sshd.enable = true;
#nkvm.enable = true;
};
}; };
} }


@ -3,6 +3,9 @@ _: {
proxmox.node = { proxmox.node = {
enable = true; enable = true;
}; };
access = {
online.available = true;
};
extern.files = { extern.files = {
"/etc/sysctl.d/50-net.conf" = { "/etc/sysctl.d/50-net.conf" = {
source = ./sysctl.50-net.conf; source = ./sysctl.50-net.conf;


@ -11,6 +11,7 @@ _: {
}; };
}; };
exports = { exports = {
status.displayName = "U7 Pro";
services = { services = {
sshd = { sshd = {
enable = true; enable = true;