feat: adguardhome use DoT; fix loki home proxy; allow arbitrary telegraf secrets

2024-05-25 15:49:41 +02:00 · 2024-05-25 15:49:41 +02:00 · 045f15239a
commit 045f15239a
parent 93061af475
11 changed files with 114 additions and 173 deletions
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -42,9 +42,6 @@
    };
  };

-  # TODO track my github stats
-  # services.telegraf.extraConfig.inputs.github = {};
-
  guests = let
    mkGuest = guestName: {
      enableStorageDataset ? false,
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@ -1,12 +1,10 @@
 {
  config,
-  lib,
  nodes,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
  wardWebProxyCfg = nodes.ward-web-proxy.config;
-  wardCfg = nodes.ward.config;
  lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
 in {
  wireguard.proxy-sentinel = {
@ -44,14 +42,11 @@ in {
          proxyWebsockets = true;
          extraConfig = ''
            auth_basic "Authentication required";
-            auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path};
+            auth_basic_user_file ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path};

            proxy_read_timeout 1800s;
            proxy_connect_timeout 1600s;

-            ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
-            deny all;
-
            access_log off;
          '';
        };
@ -89,7 +84,7 @@ in {
          proxyWebsockets = true;
          extraConfig = ''
            auth_basic "Authentication required";
-            auth_basic_user_file ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path};
+            auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path};

            proxy_read_timeout 1800s;
            proxy_connect_timeout 1600s;
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -59,12 +59,11 @@ in {
        # allowed_clients = [
        # ];
        #trusted_proxies = [];
-        ratelimit = 60;
+        ratelimit = 300;
        upstream_dns = [
-          "1.1.1.1"
-          # FIXME: enable ipv6 "2606:4700:4700::1111"
-          "8.8.8.8"
-          # FIXME: enable ipv6 "2001:4860:4860::8844"
+          "https://dns.cloudflare.com/dns-query"
+          "https://dns.google/dns-query"
+          "https://doh.mullvad.net/dns-query"
        ];
        bootstrap_dns = [
          "1.1.1.1"
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -33,6 +33,72 @@ in {
    inherit (acme) certs wildcardDomains;
  };

+  age.secrets.github-access-token = {
+    rekeyFile = config.node.secretsDir + "/github-access-token.age";
+    mode = "440";
+    group = "telegraf";
+  };
+
+  meta.telegraf.secrets."@GITHUB_ACCESS_TOKEN@" = config.age.secrets.github-access-token.path;
+  services.telegraf.extraConfig.inputs = {
+    ping = [
+      {
+        method = "native";
+        urls = [
+          "192.168.178.1"
+          "192.168.1.1"
+        ];
+        tags.type = "internal";
+        fieldpass = [
+          "percent_packet_loss"
+          "average_response_ms"
+          "standard_deviation_ms"
+          "reply_received"
+          "percent_reply_loss"
+        ];
+      }
+      {
+        method = "native";
+        urls = [
+          "1.1.1.1"
+          "8.8.8.8"
+          config.repo.secrets.global.domains.me
+          config.repo.secrets.global.domains.personal
+        ];
+        tags.type = "external";
+        fieldpass = [
+          "percent_packet_loss"
+          "average_response_ms"
+          "standard_deviation_ms"
+          "reply_received"
+          "percent_reply_loss"
+        ];
+      }
+    ];
+
+    # FIXME: pls define this on the relevant hosts. Then we can ping it from multiple other hosts
+    #http_response = [
+    #  {
+    #    urls = [
+    #    ];
+    #    response_string_match = "Index of /";
+    #    response_status_code = 200;
+    #  }
+    #];
+
+    github = {
+      access_token = "@GITHUB_ACCESS_TOKEN@";
+      repositories = [
+        "oddlama/agenix-rekey"
+        "oddlama/autokernel"
+        "oddlama/gentoo-install"
+        "oddlama/nix-config"
+        "oddlama/nix-topology"
+        "oddlama/vane"
+      ];
+    };
+  };
+
  services.nginx = {
    upstreams.fritzbox = {
      servers."192.168.178.1" = {};
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -75,25 +75,23 @@ in {
        IPForward = "yes";
        IPv6PrivacyExtensions = "yes";
        IPv6SendRA = true;
+        IPv6AcceptRA = false;
+        DHCPPrefixDelegation = true;
        MulticastDNS = true;
      };
      # Announce a static prefix
      ipv6Prefixes = [
        {ipv6PrefixConfig.Prefix = lanCidrv6;}
      ];
-      # Delegate prefix from wan
-      #dhcpPrefixDelegationConfig = {
-      #  UplinkInterface = "wan";
-      #  Announce = true;
-      #  SubnetId = "auto";
-      #};
+      # Delegate prefix
+      dhcpPrefixDelegationConfig = {
+        SubnetId = "22";
+      };
      # Provide a DNS resolver
-      # TODO ipv6SendRAConfig = {
-      # TODO   EmitDNS = true;
-      # TODO   # TODO change to self later
-      # TODO   #DNS = lib.net.cidr.host 1 net.lan.ipv6cidr;
-      # TODO   DNS = ["2606:4700:4700::1111" "2001:4860:4860::8888"];
-      # TODO };
+      ipv6SendRAConfig = {
+        EmitDNS = true;
+        DNS = lib.net.cidr.host 3 lanCidrv6;
+      };
      linkConfig.RequiredForOnline = "routable";
    };
    # Remaining macvtap interfaces should not be touched.
--- a/hosts/ward/secrets/web-proxy/github-access-token.age
+++ b/hosts/ward/secrets/web-proxy/github-access-token.age