From c8525b4e6b823b4344572c8c54fa7444496e3c99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sun, 6 Aug 2023 00:47:32 +0300
Subject: [PATCH] node_exporter on hel1-a

---
 hosts/hel1-a/configuration.nix | 10 +++++++
 hosts/vno1-oh2/configuration.nix | 30 +++++++++++--------
 modules/services/friendlyport/default.nix | 36 +++++++++++++++++++----
 modules/services/syncthing/default.nix | 2 +-
 4 files changed, 58 insertions(+), 20 deletions(-)

diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
index a7fc9a5..fd43cbb 100644
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@@ -69,6 +69,10 @@ in {
 };
 services = {
+ friendlyport.vpn.ports = [
+ myData.ports.exporters.node
+ ];
+
 deployerbot = {
 follower = {
 enable = true;
@@ -120,6 +124,12 @@ in {
 services = {
 tailscale.enable = true;
+ prometheus.exporters.node = {
+ enable = true;
+ enabledCollectors = ["systemd" "processes"];
+ port = myData.ports.exporters.node;
+ };
+
 nsd = {
 enable = true;
 interfaces = ["0.0.0.0" "::"];
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index a9f50a5..d57f93c 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -64,7 +64,7 @@
 services = {
 # TODO move to grafana service lib
- friendlyport.ports = [
+ friendlyport.vpn.ports = [
 myData.ports.grafana
 myData.ports.prometheus
 myData.ports.exporters.node
@@ -119,12 +119,14 @@
 enable = true;
 datasources.settings = {
 apiVersion = 1;
- datasources = [{
- name = "Prometheus";
- type = "prometheus";
- access = "proxy";
- url = "http://127.0.0.1:${toString config.services.prometheus.port}";
- }];
+ datasources = [
+ {
+ name = "Prometheus";
+ type = "prometheus";
+ access = "proxy";
+ url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+ }
+ ];
 };
 };
 settings = {
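Review bot: The node exporter port on hel1-a is opened to the entire Tailscale subnet through `friendlyport.vpn.ports`, while the only consumer this patch shows is the Prometheus scraper on vno1-oh2 (see the new `hel1-a.servers.jakst` scrape job). The friendlyport module has no way to express "only the scraper host", since its VPN side always uses `myData.tailscale_subnet.cidr` as `--source`; a per-host source list on the `vpn` option, defaulting to the subnet CIDR, would let this host restrict the rule to the scraper's tailscale address without changing other callers. Until then, treat every tailnet node as able to read hel1-a's `systemd` and `processes` collector output. The enclosing `services` attrset opens in the hunk but the outer `in {` block is above it.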
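Review bot: `prometheus.exporters.node` is enabled without a `listenAddress`, and the NixOS default for that option is `0.0.0.0`, on a host where `nsd` in the same hunk already binds all interfaces; the exporter is therefore reachable on the public interface and only the friendlyport iptables rule keeps it private. Adding `listenAddress = myData.hosts."hel1-a.servers.jakst".jakstIP;` (the same address the vno1-oh2 scrape config targets) would make the exposure independent of firewall rule ordering. Binding to the tailscale address does require that address to exist when the exporter starts, so check the unit ordering against tailscaled on this host before relying on it. The outer `services` attrset continues past the hunk.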
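Review bot: Moving this list from `friendlyport.ports` to `friendlyport.vpn.ports` widens Grafana, Prometheus and the node exporter on vno1-oh2 from the two hosts the module previously allowed (`mxp10` and `fwmine`, per the friendlyport hunk) to the whole Tailscale subnet CIDR. Nothing in this patch needs that: Prometheus scrapes its local node exporter over `127.0.0.1` and pulls hel1-a itself, so no other VPN host has to reach any of these ports. Unless other tailnet nodes are meant to browse Grafana, keep the old scope with `friendlyport.motiejus.ports = [ myData.ports.grafana myData.ports.prometheus ];` and drop `myData.ports.exporters.node` from the list altogether. The enclosing `services` attrset runs past the end of the hunk.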
@@ -148,14 +150,16 @@
 };
 };
- scrapeConfigs = [
+ scrapeConfigs = let
+ port = builtins.toString myData.ports.exporters.node;
+ in [
 {
 job_name = "${config.networking.hostName}.${config.networking.domain}";
- static_configs = [
- {
- targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
- }
- ];
+ static_configs = [{targets = ["127.0.0.1:${port}"];}];
+ }
+ {
+ job_name = "hel1-a.servers.jakst";
+ static_configs = [{targets = ["${myData.hosts."hel1-a.servers.jakst".jakstIP}:${port}"];}];
 }
 ];
 };
diff --git a/modules/services/friendlyport/default.nix b/modules/services/friendlyport/default.nix
index 9f21893..ee33b10 100644
--- a/modules/services/friendlyport/default.nix
+++ b/modules/services/friendlyport/default.nix
@@ -4,7 +4,13 @@
 myData,
 ...
 }: {
- options.mj.services.friendlyport = with lib.types; {
+ options.mj.services.friendlyport.motiejus = with lib.types; {
+ ports = lib.mkOption {
+ type = listOf int;
+ default = [];
+ };
+ };
+ options.mj.services.friendlyport.vpn = with lib.types; {
 ports = lib.mkOption {
 type = listOf int;
 default = [];
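Review bot: The hel1-a scrape job spells the host name twice, once as `job_name` and once as the `myData.hosts` key, and the two will drift apart as soon as a second server is added. Binding it once in the `let` that already holds `port` keeps them in sync: `hel1 = "hel1-a.servers.jakst";` with `job_name = hel1;` and `targets = ["${myData.hosts.${hel1}.jakstIP}:${port}"];`. If more hosts follow, a `mkNodeJob = name: { job_name = name; ... }` helper in the same `let` extends naturally, while the first job keeps its `127.0.0.1` target since that exporter is local. The `scrapeConfigs` binding sits inside `services.prometheus`, whose start is outside the hunk.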
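Review bot: Both new options are declared without a `description`, and for `vpn.ports` that omission matters: the implementation in this module opens the listed ports to the whole `myData.tailscale_subnet.cidr`, a far wider audience than the two fixed hosts behind `motiejus.ports`, and nothing at the declaration says so. Add `description = "TCP ports opened to every host in the Tailscale subnet.";` to `vpn.ports` and `description = "TCP ports opened only to the mxp10/fwmine hosts.";` to `motiejus.ports`, so a caller choosing between them sees the blast radius where they pick. The two declarations are otherwise identical and could share a `mkPortsOption = description: lib.mkOption { ... }` helper. The `options` attrset continues past the end of the hunk.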
@@ -12,15 +18,33 @@
 };
 config = let
- ports = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.ports);
+ portsM = config.mj.services.friendlyport.motiejus.ports;
+ portsV = config.mj.services.friendlyport.vpn.ports;
+ portsMStr = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.motiejus.ports);
+ portsVStr = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.vpn.ports);
 hosts = lib.attrVals ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"] myData.hosts;
 ips = lib.catAttrs "jakstIP" hosts;
- startLines = map (ip: "iptables -A INPUT -p tcp --match multiport --dports ${ports} --source ${ip} -j ACCEPT") ips;
+ startLinesM =
+ if builtins.length portsM > 0
+ then map (ip: "iptables -A INPUT -p tcp --match multiport --dports ${portsMStr} --source ${ip} -j ACCEPT") ips
+ else [];
+ startLinesV =
+ if builtins.length portsV > 0
+ then "iptables -A INPUT -p tcp --match multiport --dports ${portsVStr} --source ${myData.tailscale_subnet.cidr} -j ACCEPT"
+ else "";
+
 # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
 # How to stop the old one and start the new one?
- stopLines = map (ip: "iptables -D INPUT -p tcp --match multiport --dports ${ports} --source ${ip} -j ACCEPT || :") ips;
+ stopLinesM =
+ if builtins.length portsM > 0
+ then map (ip: "iptables -D INPUT -p tcp --match multiport --dports ${portsMStr} --source ${ip} -j ACCEPT || :") ips
+ else [];
+ stopLinesV =
+ if builtins.length portsV > 0
+ then "iptables -D INPUT -p tcp --match multiport --dports ${portsVStr} --source ${myData.tailscale_subnet.cidr} -j ACCEPT || :"
+ else "";
 in {
- networking.firewall.extraCommands = lib.concatLines startLines;
- networking.firewall.extraStopCommands = lib.concatLines stopLines;
+ networking.firewall.extraCommands = lib.concatLines (startLinesM ++ [startLinesV]);
+ networking.firewall.extraStopCommands = lib.concatLines (stopLinesM ++ [stopLinesV]);
 };
 }
diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix
index 702cb86..b203dd8 100644
--- a/modules/services/syncthing/default.nix
+++ b/modules/services/syncthing/default.nix
@@ -14,7 +14,7 @@ in {
 };
 config = lib.mkIf config.mj.services.syncthing.enable {
- mj.services.friendlyport.ports = [8384];
+ mj.services.friendlyport.motiejus.ports = [8384];
 services.syncthing = {
 enable = config.mj.services.syncthing.enable;
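Review bot: The new rules are still appended straight to the `INPUT` chain and then undone by hand-written `-D` stop commands, which is the root of the two-phase TODO the hunk keeps: rules that live in `INPUT` survive a firewall reload, so the previous generation's stop script has to know the previous ports, and a failed `-D` leaves a stale allow rule behind. If this is the stock NixOS iptables firewall, its start script flushes and recreates the `nixos-fw` chain on every start and appends the `INPUT -j nixos-fw` jump last, so appending to `nixos-fw` with `-j nixos-fw-accept` from `extraCommands` yields rules rebuilt together with the rest of the firewall and no `extraStopCommands` at all; please confirm the backend is iptables rather than nftables, where `extraCommands` is not honoured. The rewrite below also drops the string/list mix (`startLinesV` is `""` when unused, which `concatLines` still emits as an empty line) in favour of `lib.optional`. The `config = let` block is closed within the hunk, but the module function header is above it.
```nix
  config = let
    fp = config.mj.services.friendlyport;
    portsMStr = builtins.concatStringsSep "," (map builtins.toString fp.motiejus.ports);
    portsVStr = builtins.concatStringsSep "," (map builtins.toString fp.vpn.ports);
    hosts = lib.attrVals ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"] myData.hosts;
    ips = lib.catAttrs "jakstIP" hosts;
    # nixos-fw is flushed and rebuilt by the firewall unit on every (re)start,
    # so rules appended to it need no matching delete commands on stop.
    accept = src: ports: "iptables -A nixos-fw -p tcp --match multiport --dports ${ports} --source ${src} -j nixos-fw-accept";
    startLinesM = lib.optionals (fp.motiejus.ports != []) (map (ip: accept ip portsMStr) ips);
    startLinesV = lib.optional (fp.vpn.ports != []) (accept myData.tailscale_subnet.cidr portsVStr);
  in {
    networking.firewall.extraCommands = lib.concatLines (startLinesM ++ startLinesV);
  };
```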