feat: make modules/distributed-config.nix extensible; don't run telegraf on containers because of missing memlock

2023-12-25 17:14:32 +01:00 · 2023-12-25 17:14:32 +01:00 · 3036c53d87
commit 3036c53d87
parent 2120aefef5
3 changed files with 61 additions and 25 deletions
--- a/hosts/ward/guests/common.nix
+++ b/hosts/ward/guests/common.nix
@ -1,4 +1,9 @@
-{nodes, ...}: let
+{
+  config,
+  lib,
+  nodes,
+  ...
+}: let
  sentinelCfg = nodes.sentinel.config;
 in {
  meta.wireguard-proxy.sentinel = {};
@ -9,7 +14,7 @@ in {

  # Connect safely via wireguard to skip http authentication
  networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
-  meta.telegraf = {
+  meta.telegraf = lib.mkIf (!config.boot.isContainer) {
    enable = true;
    scrapeSensors = false;
    influxdb2 = {
--- a/modules/distributed-config.nix
+++ b/modules/distributed-config.nix
@ -8,40 +8,62 @@
    (lib)
    attrNames
    concatMap
+    concatStringsSep
+    foldl'
    getAttrFromPath
+    mkMerge
    mkOption
    mkOptionType
-    mkMerge
-    hasAttrByPath
+    optionals
+    recursiveUpdate
+    setAttrByPath
    types
    ;

  nodeName = config.node.name;
+  mkForwardedOption = path:
+    mkOption {
+      type = mkOptionType {
+        name = "Same type that the receiving option `${concatStringsSep "." path}` normally accepts.";
+        merge = _loc: defs:
+          builtins.filter
+          (x: builtins.isAttrs x -> ((x._type or "") != "__distributed_config_empty"))
+          (map (x: x.value) defs);
+      };
+      default = {_type = "__distributed_config_empty";};
+      description = ''
+        Anything specified here will be forwarded to `${concatStringsSep "." path}`
+        on the given node. Forwarding happens as-is to the raw values,
+        so validity can only be checked on the receiving node.
+      '';
+    };
+
+  forwardedOptions = [
+    ["age" "secrets"]
+    ["networking" "providedDomains"]
+    ["services" "nginx" "upstreams"]
+    ["services" "nginx" "virtualHosts"]
+    ["services" "influxdb2" "provision" "organizations"]
+    ["services" "kanidm" "provision" "groups"]
+    ["services" "kanidm" "provision" "systems" "oauth2"]
+  ];
+
+  attrsForEachOption = f: foldl' (acc: path: recursiveUpdate acc (setAttrByPath path (f path))) {} forwardedOptions;
 in {
-  # TODO expose exactly what we can configure! not everything
  options.nodes = mkOption {
+    description = "Options forwareded to the given node.";
    default = {};
-    description = "Allows extending the configuration of other machines.";
-    type = types.attrsOf (mkOptionType {
-      name = "Toplevel NixOS config";
-      merge = _loc: map (x: x.value);
+    type = types.attrsOf (types.submodule {
+      options = attrsForEachOption mkForwardedOption;
    });
  };

  config = let
-    allNodes = attrNames nodes;
-    foreignConfigs = concatMap (n: nodes.${n}.config.nodes.${nodeName} or []) allNodes;
-    mergeFromOthers = path:
-      mkMerge (map
-        (x: (getAttrFromPath path x))
-        (lib.filter (x: (hasAttrByPath path x)) foreignConfigs));
-  in {
-    age.secrets = mergeFromOthers ["age" "secrets"];
-    networking.providedDomains = mergeFromOthers ["networking" "providedDomains"];
-    services.nginx.upstreams = mergeFromOthers ["services" "nginx" "upstreams"];
-    services.nginx.virtualHosts = mergeFromOthers ["services" "nginx" "virtualHosts"];
-    services.influxdb2.provision.organizations = mergeFromOthers ["services" "influxdb2" "provision" "organizations"];
-    services.kanidm.provision.groups = mergeFromOthers ["services" "kanidm" "provision" "groups"];
-    services.kanidm.provision.systems.oauth2 = mergeFromOthers ["services" "kanidm" "provision" "systems" "oauth2"];
-  };
+    getConfig = path: otherNode: let
+      cfg = nodes.${otherNode}.config.nodes.${nodeName} or null;
+    in
+      optionals (cfg != null) (getAttrFromPath path cfg);
+    mergeConfigFromOthers = path: mkMerge (concatMap (getConfig path) (attrNames nodes));
+  in
+    attrsForEachOption mergeConfigFromOthers;
 }
--- a/modules/telegraf.nix
+++ b/modules/telegraf.nix
@ -58,6 +58,13 @@ in {
  };

  config = mkIf (!minimal && cfg.enable) {
+    assertions = [
+      {
+        assertion = !config.boot.isContainer;
+        message = "Containers don't support telegraf because memlock is not enabled.";
+      }
+    ];
+
    nodes.${cfg.influxdb2.node} = {
      # Mirror the original secret on the influx host
      age.secrets."telegraf-influxdb-token-${config.node.name}" = {
@ -135,7 +142,9 @@ in {
            kernel_vmstat = {};
            linux_sysctl_fs = {};
            mem = {};
-            net = {};
+            net = {
+              ignore_protocol_stats = true;
+            };
            netstat = {};
            nstat = {};
            processes = {};