From 7c3a40cd894c3058742828007237800147eef47e Mon Sep 17 00:00:00 2001 From: oddlama Date: Wed, 5 Jul 2023 14:30:42 +0200 Subject: [PATCH] feat: add elewrap to elevate telegraf permissions --- flake.lock | 308 ++++++++++++++++++++++++++++++++++---- flake.nix | 13 +- modules/meta/telegraf.nix | 41 ++++- nix/generate-node.nix | 2 + 4 files changed, 327 insertions(+), 37 deletions(-) diff --git a/flake.lock b/flake.lock index 5fc6d92..87a41db 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "advisory-db": { + "flake": false, + "locked": { + "lastModified": 1688041319, + "narHash": "sha256-J4lJWSRTOvXDS/Tckj+/5RvAnPCK+qQUMNZhsojR1SM=", + "owner": "rustsec", + "repo": "advisory-db", + "rev": "1f538e6f3b8ad37e89b1386e06be080fbe474b3c", + "type": "github" + }, + "original": { + "owner": "rustsec", + "repo": "advisory-db", + "type": "github" + } + }, "agenix": { "inputs": { "darwin": "darwin", @@ -69,6 +85,30 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils", + "nixpkgs": [ + "elewrap", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1688082682, + "narHash": "sha256-nMG/A7qYm9pyHJowKuaNmNYgo748xZrzMJPqtoGozSA=", + "owner": "ipetkov", + "repo": "crane", + "rev": "4d350bb94fdf8ec9d2e22d68bb13e136d73aa9d8", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -119,11 +159,11 @@ ] }, "locked": { - "lastModified": 1687134796, - "narHash": "sha256-gjBAkEtNPMQzqK4IHjTQBUv3VhggszOHLJbhXZy0OVQ=", + "lastModified": 1688544596, + "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=", "owner": "nix-community", "repo": "disko", - "rev": "4823509bb3b014dc85abefc13efcfa076d36338a", + "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692", "type": "github" }, "original": { 
@@ -132,6 +172,30 @@ "type": "github" } }, + "elewrap": { + "inputs": { + "advisory-db": "advisory-db", + "crane": "crane", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1688559207, + "narHash": "sha256-PMdOEV3bAqZSiN7qsu9voEsSugMaPFI8YAx+Xhd7vO4=", + "owner": "oddlama", + "repo": "elewrap", + "rev": "0c9bf39af5ff0c65dfaaad3c32769cdd73aa1c29", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "elewrap", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
@@ -164,16 +228,84 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1687171271, - "narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", "owner": "numtide", "repo": "flake-utils", - "rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", "type": "github" }, 
"original": { @@ -183,6 +315,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "elewrap", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -210,11 +364,11 @@ ] }, "locked": { - "lastModified": 1687301540, - "narHash": "sha256-vFbCrE9WlOSVpyAT5VNR3bqMB7W7sDzMNDcO6JqtmBw=", + "lastModified": 1688552611, + "narHash": "sha256-pV/1/AU1l5CNFeKmdJ1jofcaKHhtKAbxY4gazeCyoSo=", "owner": "nix-community", "repo": "home-manager", - "rev": "9a76fb9a852fdf9edd3b0aabc119efa1d618f969", + "rev": "b23c7501f7e0a001486c9a5555a6c53ac7b08e85", "type": "github" }, "original": { @@ -260,12 +414,10 @@ ] }, "locked": { - "lastModified": 1686962046, - "narHash": "sha256-QE5I3/ONKubR2lvLwUbsS4OaOPc9gTburw9OBcYfgdw=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "484e6e2209a0ead8ea43a9a79b193026026becfc", - "type": "github" + "lastModified": 1687369979, + "narHash": "sha256-Dr6BQSKE1iX85h5kanhSPyJR9RSjJYa20T5PhukQTV8=", + "type": "git", + "url": "file:///root/projects/microvm.nix" }, "original": { "owner": "astro", @@ -275,11 +427,11 @@ }, "nixlib": { "locked": { - "lastModified": 1687049841, - "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=", + "lastModified": 1688259758, + "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5", + "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", "type": "github" }, "original": { 
@@ -296,11 +448,11 @@ ] }, "locked": { - "lastModified": 1687183443, - "narHash": "sha256-foX4pkph2AwUdJL3JURa7IHog+YRIheZ54vwHwxqwhU=", + "lastModified": 1688349424, + "narHash": "sha256-/wRCJP2d9ZmfZKrREWthpDHIx/F02Z1J2bytbC+gUiU=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "09140f23f5ffce828db4ef040070bdd9595b1f3a", + "rev": "cf341a2c94338eed91c35df291931ea775b31e99", "type": "github" }, "original": { 
@@ -375,24 +527,68 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-utils": [ + "elewrap", "flake-utils" ], "gitignore": "gitignore", "nixpkgs": [ + "elewrap", "nixpkgs" ], "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1687251716, - "narHash": "sha256-+sFS41thsB5U+lY/dBYPSmU4AJ7nz/VdM1WD35fXVeM=", + "lastModified": 1688137124, + "narHash": "sha256-ramG4s/+A5+t/QG2MplTNPP/lmBWDtbW6ilpwb9sKVo=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "7807e1851d95828ed98491930d2d9e7ddbe65da4", + "rev": "522fd47af79b66cdd04b92618e65c7a11504650a", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": [ + "flake-utils" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1688473851, + "narHash": "sha256-j+ViA3lh4uQGIDqB6TjM4+wijX2M5mfNb6MVJVekpAs=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "f6a6863a3bcb61e846a9e4777b90ee365607a925", "type": "github" }, "original": { @@ -407,7 +603,8 @@ "agenix-rekey": "agenix-rekey", "colmena": "colmena", "disko": "disko", - "flake-utils": "flake-utils", + "elewrap": "elewrap", + "flake-utils": "flake-utils_3", "home-manager": "home-manager", "impermanence": "impermanence", "lib-net": "lib-net", 
@@ -416,10 +613,37 @@ "nixos-hardware": "nixos-hardware", "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", - "pre-commit-hooks": "pre-commit-hooks", + "pre-commit-hooks": "pre-commit-hooks_2", "templates": "templates" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "elewrap", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "elewrap", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685759304, + "narHash": "sha256-I3YBH6MS3G5kGzNuc1G0f9uYfTcNY9NYoRc3QsykLk4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "c535b4f3327910c96dcf21851bbdd074d0760290", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1669735802, @@ -451,6 +675,36 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "templates": { "locked": { "lastModified": 1678524284, diff --git a/flake.nix b/flake.nix index 2efd995..51b4e13 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + elewrap = { + url = "github:oddlama/elewrap"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -68,6 +73,7 @@ outputs = { self, colmena, + elewrap, nixpkgs, microvm, flake-utils, @@ -129,12 +135,15 @@ } // flake-utils.lib.eachDefaultSystem (system: rec { pkgs = import nixpkgs { - localSystem = system; + inherit system; config.allowUnfree = true; overlays = import ./lib inputs ++ import ./pkgs/default.nix - ++ [microvm.overlay]; + ++ [ + microvm.overlay + elewrap.overlays.default + ]; }; apps = diff --git a/modules/meta/telegraf.nix b/modules/meta/telegraf.nix index a39dbc3..7a158c9 100644 --- a/modules/meta/telegraf.nix +++ b/modules/meta/telegraf.nix @@ -56,6 +56,26 @@ in { group = "telegraf"; }; + security.elewrap.telegraf-sensors = { + command = ["${pkgs.lm_sensors}/bin/sensors" "-A" "-d"]; + targetUser = "root"; + allowedUsers = ["telegraf"]; + }; + + security.elewrap.telegraf-nvme = { + command = ["${pkgs.nvme-cli}/bin/nvme"]; + targetUser = "root"; + allowedUsers = ["telegraf"]; + passArguments = true; + }; + + security.elewrap.telegraf-smartctl = { + command = ["${pkgs.smartmontools}/bin/smartctl"]; + targetUser = "root"; + allowedUsers = ["telegraf"]; + passArguments = true; + }; + services.telegraf = { enable = true; environmentFiles = [config.age.secrets.telegraf-influxdb-token.path]; @@ -95,10 +115,14 @@ in { netstat = {}; nstat = {}; processes = {}; - sensors = {}; + sensors = { + inherit (config.security.elewrap.telegraf-sensors) path; + }; swap = {}; system = {}; - systemd_units = {unittype = "service";}; + systemd_units = { + unittype = "service"; + }; temp = {}; wireguard = {}; # http_response = { urls = [ "http://localhost/" ]; }; 
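Review bot: The `telegraf-nvme` and `telegraf-smartctl` wrappers combine `targetUser = "root"` with `passArguments = true`, so anything running as the `telegraf` user can invoke every subcommand of nvme-cli and smartmontools as root — nvme-cli ships destructive ones (`format`, `sanitize`, `write`, `fw-download`) and smartctl can start self-tests or change drive settings via `-t`/`-s` — which is far wider than the read-only queries the smart input needs. Telegraf's smart input does call several subcommands with device paths it selects itself, so argument passthrough is hard to avoid, but the resulting trust boundary should be stated next to the definition, e.g. `# passArguments: telegraf can run ANY nvme/smartctl subcommand as root; the smart input only needs read-only queries, so tighten this if elewrap gains argument filtering`. If the previous `use_sudo = true` path relied on a sudoers rule for the telegraf user, that rule is not removed in this diff and would leave a second elevation path, so it is worth confirming it is gone. The `telegraf-sensors` wrapper fixes the argument list to `-A -d`; presumably the sensors input appends its own flags, so verify the output the plugin parses is unchanged when the wrapper discards them.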
@@ -106,20 +130,21 @@ in { } // optionalAttrs config.services.smartd.enable { smart = { - path_nvme = "${pkgs.nvme-cli}/bin/nvme"; - path_smartctl = "${pkgs.smartmontools}/bin/smartctl"; - use_sudo = true; + path_nvme = config.security.elewrap.telegraf-nvme.path; + path_smartctl = config.security.elewrap.telegraf-smartctl.path; + use_sudo = false; }; } // optionalAttrs config.services.nginx.enable { nginx.urls = ["http://localhost/nginx_status"]; - # TODO } // optionalAttrs config.services.iwd.enable { - # TODO wireless = { }; + } + // optionalAttrs (config.networking.wireless.enable || config.networking.wireless.iwd.enable) { + wireless = {}; }; }; }; - services.nginx.virtualHosts = mkIf config.services.telegraf.enable { + services.nginx.virtualHosts = mkIf config.services.nginx.enable { localhost.listenAddresses = ["127.0.0.1" "[::1]"]; localhost.locations."= /nginx_status".extraConfig = '' allow 127.0.0.0/8; diff --git a/nix/generate-node.nix b/nix/generate-node.nix index e75a221..ab2a407 100644 --- a/nix/generate-node.nix +++ b/nix/generate-node.nix @@ -4,6 +4,7 @@ agenix-rekey, colmena, disko, + elewrap, home-manager, impermanence, microvm, @@ -33,6 +34,7 @@ agenix.nixosModules.default agenix-rekey.nixosModules.default disko.nixosModules.disko + elewrap.nixosModules.default home-manager.nixosModules.default impermanence.nixosModules.impermanence nixos-nftables-firewall.nixosModules.default
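Review bot: The `localhost` vhost now listens on both `127.0.0.1` and `[::1]`, but the only access rule visible in the hunk is `allow 127.0.0.0/8;`; the `extraConfig` string continues past the end of the hunk, so confirm it also carries `allow ::1;` before the closing `deny all;`, otherwise a resolver that picks `::1` for `http://localhost/nginx_status` gets a 403 from the very URL the nginx input polls. Switching to `use_sudo = false` while pointing `path_nvme`/`path_smartctl` at the elewrap wrappers is the right pairing, since the wrappers already run as root and a leftover sudo prefix would fail. Gating the `wireless` input on `networking.wireless.enable || networking.wireless.iwd.enable` replaces a `services.iwd.enable` reference that does not appear to be a NixOS option, which reads as a bug fix rather than part of the elewrap feature and might deserve a line in the commit message.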