
feat: make modules/distributed-config.nix extensible; don't run telegraf on containers because of missing memlock

This commit is contained in:
oddlama 2023-12-25 17:14:32 +01:00
parent 2120aefef5
commit 3036c53d87
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
3 changed files with 61 additions and 25 deletions


@ -1,4 +1,9 @@
{nodes, ...}: let {
config,
lib,
nodes,
...
}: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
in { in {
meta.wireguard-proxy.sentinel = {}; meta.wireguard-proxy.sentinel = {};
@ -9,7 +14,7 @@ in {
# Connect safely via wireguard to skip http authentication # Connect safely via wireguard to skip http authentication
networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
meta.telegraf = { meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;
influxdb2 = { influxdb2 = {
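Review bot: The new `lib.mkIf (!config.boot.isContainer)` on the `meta.telegraf` line silently drops the whole telegraf configuration on containers without saying why, and the reason only lives in an assertion in the telegraf module changed by this same commit; a one-line comment keeps the two in sync: `# Telegraf needs memlock, which containers lack; see the assertion in the telegraf module.` The `networking.hosts` entry for influxdb on the preceding line is still added on containers even though nothing uses it there; that is harmless, but if it was meant to follow telegraf the same `mkIf` could wrap it. The attribute set containing these lines continues past the hunk.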


@ -8,40 +8,62 @@
(lib) (lib)
attrNames attrNames
concatMap concatMap
concatStringsSep
foldl'
getAttrFromPath getAttrFromPath
mkMerge
mkOption mkOption
mkOptionType mkOptionType
mkMerge optionals
hasAttrByPath recursiveUpdate
setAttrByPath
types types
; ;
nodeName = config.node.name; nodeName = config.node.name;
mkForwardedOption = path:
mkOption {
type = mkOptionType {
name = "Same type that the receiving option `${concatStringsSep "." path}` normally accepts.";
merge = _loc: defs:
builtins.filter
(x: builtins.isAttrs x -> ((x._type or "") != "__distributed_config_empty"))
(map (x: x.value) defs);
};
default = {_type = "__distributed_config_empty";};
description = ''
Anything specified here will be forwarded to `${concatStringsSep "." path}`
on the given node. Forwarding happens as-is to the raw values,
so validity can only be checked on the receiving node.
'';
};
forwardedOptions = [
["age" "secrets"]
["networking" "providedDomains"]
["services" "nginx" "upstreams"]
["services" "nginx" "virtualHosts"]
["services" "influxdb2" "provision" "organizations"]
["services" "kanidm" "provision" "groups"]
["services" "kanidm" "provision" "systems" "oauth2"]
];
attrsForEachOption = f: foldl' (acc: path: recursiveUpdate acc (setAttrByPath path (f path))) {} forwardedOptions;
in { in {
# TODO expose exactly what we can configure! not everything
options.nodes = mkOption { options.nodes = mkOption {
description = "Options forwareded to the given node.";
default = {}; default = {};
description = "Allows extending the configuration of other machines."; type = types.attrsOf (types.submodule {
type = types.attrsOf (mkOptionType { options = attrsForEachOption mkForwardedOption;
name = "Toplevel NixOS config";
merge = _loc: map (x: x.value);
}); });
}; };
config = let config = let
allNodes = attrNames nodes; getConfig = path: otherNode: let
foreignConfigs = concatMap (n: nodes.${n}.config.nodes.${nodeName} or []) allNodes; cfg = nodes.${otherNode}.config.nodes.${nodeName} or null;
mergeFromOthers = path: in
mkMerge (map optionals (cfg != null) (getAttrFromPath path cfg);
(x: (getAttrFromPath path x)) mergeConfigFromOthers = path: mkMerge (concatMap (getConfig path) (attrNames nodes));
(lib.filter (x: (hasAttrByPath path x)) foreignConfigs)); in
in { attrsForEachOption mergeConfigFromOthers;
age.secrets = mergeFromOthers ["age" "secrets"];
networking.providedDomains = mergeFromOthers ["networking" "providedDomains"];
services.nginx.upstreams = mergeFromOthers ["services" "nginx" "upstreams"];
services.nginx.virtualHosts = mergeFromOthers ["services" "nginx" "virtualHosts"];
services.influxdb2.provision.organizations = mergeFromOthers ["services" "influxdb2" "provision" "organizations"];
services.kanidm.provision.groups = mergeFromOthers ["services" "kanidm" "provision" "groups"];
services.kanidm.provision.systems.oauth2 = mergeFromOthers ["services" "kanidm" "provision" "systems" "oauth2"];
};
} }
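Review bot: The option description on the new `options.nodes` line has a typo, `forwareded`; it should read `description = "Options forwarded to the given node.";`. Separately, `attrsForEachOption` builds the option tree with `recursiveUpdate`, and because `mkOption` returns an attribute set, an entry in `forwardedOptions` that is a prefix of another (for example `["services" "nginx"]` next to `["services" "nginx" "upstreams"]`) would be merged into that option's own attributes instead of being rejected; none of the current paths collide, but a comment on `forwardedOptions` such as `# paths must not be prefixes of one another: recursiveUpdate would merge into the mkOption result` would protect future additions. The custom type's `merge` accepts any value and defers all checking to the receiving node, as the description says; it would be worth stating there that the sending node's evaluation therefore cannot catch a mistyped value, so errors surface only when the other node is built. The `let` block holding these helpers starts before the hunk.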


@ -58,6 +58,13 @@ in {
}; };
config = mkIf (!minimal && cfg.enable) { config = mkIf (!minimal && cfg.enable) {
assertions = [
{
assertion = !config.boot.isContainer;
message = "Containers don't support telegraf because memlock is not enabled.";
}
];
nodes.${cfg.influxdb2.node} = { nodes.${cfg.influxdb2.node} = {
# Mirror the original secret on the influx host # Mirror the original secret on the influx host
age.secrets."telegraf-influxdb-token-${config.node.name}" = { age.secrets."telegraf-influxdb-token-${config.node.name}" = {
@ -135,7 +142,9 @@ in {
kernel_vmstat = {}; kernel_vmstat = {};
linux_sysctl_fs = {}; linux_sysctl_fs = {};
mem = {}; mem = {};
net = {}; net = {
ignore_protocol_stats = true;
};
netstat = {}; netstat = {};
nstat = {}; nstat = {};
processes = {}; processes = {};
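Review bot: The assertion message added after the `config = mkIf` line says what is wrong but not what to do; since it only fires when `cfg.enable` is set, naming the switch makes it actionable, e.g. `message = "Containers don't support telegraf because memlock is not enabled; disable the telegraf option on this node.";` (assuming `cfg` is this module's own `meta.telegraf` options, as the first file in this commit suggests). The new `ignore_protocol_stats = true;` under `net` in the second hunk has no comment explaining why it is set, and it presumably changes what the net input reports to influxdb; a short why-comment on that line would help the next reader. The `config` attribute set begins in the first hunk but both hunks end outside their enclosing blocks.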