feat: add elewrap to elevate telegraf permissions

This commit is contained in:
oddlama 2023-07-05 14:30:42 +02:00
parent a087b1f731
commit 7c3a40cd89
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 327 additions and 37 deletions

308
flake.lock generated

@ -1,5 +1,21 @@
{
"nodes": {
"advisory-db": {
"flake": false,
"locked": {
"lastModified": 1688041319,
"narHash": "sha256-J4lJWSRTOvXDS/Tckj+/5RvAnPCK+qQUMNZhsojR1SM=",
"owner": "rustsec",
"repo": "advisory-db",
"rev": "1f538e6f3b8ad37e89b1386e06be080fbe474b3c",
"type": "github"
},
"original": {
"owner": "rustsec",
"repo": "advisory-db",
"type": "github"
}
},
"agenix": {
"inputs": {
"darwin": "darwin",
@ -69,6 +85,30 @@
"type": "github"
}
},
"crane": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils",
"nixpkgs": [
"elewrap",
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1688082682,
"narHash": "sha256-nMG/A7qYm9pyHJowKuaNmNYgo748xZrzMJPqtoGozSA=",
"owner": "ipetkov",
"repo": "crane",
"rev": "4d350bb94fdf8ec9d2e22d68bb13e136d73aa9d8",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -119,11 +159,11 @@
]
},
"locked": {
"lastModified": 1687134796,
"narHash": "sha256-gjBAkEtNPMQzqK4IHjTQBUv3VhggszOHLJbhXZy0OVQ=",
"lastModified": 1688544596,
"narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=",
"owner": "nix-community",
"repo": "disko",
"rev": "4823509bb3b014dc85abefc13efcfa076d36338a",
"rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692",
"type": "github"
},
"original": {
@ -132,6 +172,30 @@
"type": "github"
}
},
"elewrap": {
"inputs": {
"advisory-db": "advisory-db",
"crane": "crane",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1688559207,
"narHash": "sha256-PMdOEV3bAqZSiN7qsu9voEsSugMaPFI8YAx+Xhd7vO4=",
"owner": "oddlama",
"repo": "elewrap",
"rev": "0c9bf39af5ff0c65dfaaad3c32769cdd73aa1c29",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "elewrap",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -164,16 +228,84 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1687171271,
"narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=",
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1687709756,
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1687709756,
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
"type": "github"
},
"original": {
@ -183,6 +315,28 @@
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"elewrap",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
@ -210,11 +364,11 @@
]
},
"locked": {
"lastModified": 1687301540,
"narHash": "sha256-vFbCrE9WlOSVpyAT5VNR3bqMB7W7sDzMNDcO6JqtmBw=",
"lastModified": 1688552611,
"narHash": "sha256-pV/1/AU1l5CNFeKmdJ1jofcaKHhtKAbxY4gazeCyoSo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9a76fb9a852fdf9edd3b0aabc119efa1d618f969",
"rev": "b23c7501f7e0a001486c9a5555a6c53ac7b08e85",
"type": "github"
},
"original": {
@ -260,12 +414,10 @@
]
},
"locked": {
"lastModified": 1686962046,
"narHash": "sha256-QE5I3/ONKubR2lvLwUbsS4OaOPc9gTburw9OBcYfgdw=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "484e6e2209a0ead8ea43a9a79b193026026becfc",
"type": "github"
"lastModified": 1687369979,
"narHash": "sha256-Dr6BQSKE1iX85h5kanhSPyJR9RSjJYa20T5PhukQTV8=",
"type": "git",
"url": "file:///root/projects/microvm.nix"
},
"original": {
"owner": "astro",
@ -275,11 +427,11 @@
},
"nixlib": {
"locked": {
"lastModified": 1687049841,
"narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
"lastModified": 1688259758,
"narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
"rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6",
"type": "github"
},
"original": {
@ -296,11 +448,11 @@
]
},
"locked": {
"lastModified": 1687183443,
"narHash": "sha256-foX4pkph2AwUdJL3JURa7IHog+YRIheZ54vwHwxqwhU=",
"lastModified": 1688349424,
"narHash": "sha256-/wRCJP2d9ZmfZKrREWthpDHIx/F02Z1J2bytbC+gUiU=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "09140f23f5ffce828db4ef040070bdd9595b1f3a",
"rev": "cf341a2c94338eed91c35df291931ea775b31e99",
"type": "github"
},
"original": {
@ -375,24 +527,68 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_3",
"flake-utils": [
"elewrap",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"elewrap",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1687251716,
"narHash": "sha256-+sFS41thsB5U+lY/dBYPSmU4AJ7nz/VdM1WD35fXVeM=",
"lastModified": 1688137124,
"narHash": "sha256-ramG4s/+A5+t/QG2MplTNPP/lmBWDtbW6ilpwb9sKVo=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "7807e1851d95828ed98491930d2d9e7ddbe65da4",
"rev": "522fd47af79b66cdd04b92618e65c7a11504650a",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils": [
"flake-utils"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1688473851,
"narHash": "sha256-j+ViA3lh4uQGIDqB6TjM4+wijX2M5mfNb6MVJVekpAs=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f6a6863a3bcb61e846a9e4777b90ee365607a925",
"type": "github"
},
"original": {
@ -407,7 +603,8 @@
"agenix-rekey": "agenix-rekey",
"colmena": "colmena",
"disko": "disko",
"flake-utils": "flake-utils",
"elewrap": "elewrap",
"flake-utils": "flake-utils_3",
"home-manager": "home-manager",
"impermanence": "impermanence",
"lib-net": "lib-net",
@ -416,10 +613,37 @@
"nixos-hardware": "nixos-hardware",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks",
"pre-commit-hooks": "pre-commit-hooks_2",
"templates": "templates"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"elewrap",
"crane",
"flake-utils"
],
"nixpkgs": [
"elewrap",
"crane",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685759304,
"narHash": "sha256-I3YBH6MS3G5kGzNuc1G0f9uYfTcNY9NYoRc3QsykLk4=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "c535b4f3327910c96dcf21851bbdd074d0760290",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1669735802,
@ -451,6 +675,36 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"templates": {
"locked": {
"lastModified": 1678524284,


@ -13,6 +13,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
elewrap = {
url = "github:oddlama/elewrap";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@ -68,6 +73,7 @@
outputs = {
self,
colmena,
elewrap,
nixpkgs,
microvm,
flake-utils,
@ -129,12 +135,15 @@
}
// flake-utils.lib.eachDefaultSystem (system: rec {
pkgs = import nixpkgs {
localSystem = system;
inherit system;
config.allowUnfree = true;
overlays =
import ./lib inputs
++ import ./pkgs/default.nix
++ [microvm.overlay];
++ [
microvm.overlay
elewrap.overlays.default
];
};
apps =
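Review bot: The new `elewrap` input at `url = "github:oddlama/elewrap";` carries no `ref` or rev in the URL, so although flake.lock pins it to a specific rev in this commit, every later `nix flake update` will move it to whatever the default branch head is at that moment. That matters more than for an ordinary input, because the wrappers this flake produces execute commands as root (`targetUser = "root"` in the telegraf module touched by this same commit) and the module is enabled for all hosts. Consider pinning the URL to a tag or rev, or at least record the expectation next to the input with a comment such as `# NOTE: elewrap builds root-executing wrappers; review upstream changes before bumping the lock`. The `localSystem = system;` to `inherit system;` swap in the third hunk looks equivalent as far as I can tell.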


@ -56,6 +56,26 @@ in {
group = "telegraf";
};
security.elewrap.telegraf-sensors = {
command = ["${pkgs.lm_sensors}/bin/sensors" "-A" "-d"];
targetUser = "root";
allowedUsers = ["telegraf"];
};
security.elewrap.telegraf-nvme = {
command = ["${pkgs.nvme-cli}/bin/nvme"];
targetUser = "root";
allowedUsers = ["telegraf"];
passArguments = true;
};
security.elewrap.telegraf-smartctl = {
command = ["${pkgs.smartmontools}/bin/smartctl"];
targetUser = "root";
allowedUsers = ["telegraf"];
passArguments = true;
};
services.telegraf = {
enable = true;
environmentFiles = [config.age.secrets.telegraf-influxdb-token.path];
@ -95,10 +115,14 @@ in {
netstat = {};
nstat = {};
processes = {};
sensors = {};
sensors = {
inherit (config.security.elewrap.telegraf-sensors) path;
};
swap = {};
system = {};
systemd_units = {unittype = "service";};
systemd_units = {
unittype = "service";
};
temp = {};
wireguard = {};
# http_response = { urls = [ "http://localhost/" ]; };
@ -106,20 +130,21 @@ in {
}
// optionalAttrs config.services.smartd.enable {
smart = {
path_nvme = "${pkgs.nvme-cli}/bin/nvme";
path_smartctl = "${pkgs.smartmontools}/bin/smartctl";
use_sudo = true;
path_nvme = config.security.elewrap.telegraf-nvme.path;
path_smartctl = config.security.elewrap.telegraf-smartctl.path;
use_sudo = false;
};
}
// optionalAttrs config.services.nginx.enable {
nginx.urls = ["http://localhost/nginx_status"];
# TODO } // optionalAttrs config.services.iwd.enable {
# TODO wireless = { };
}
// optionalAttrs (config.networking.wireless.enable || config.networking.wireless.iwd.enable) {
wireless = {};
};
};
};
services.nginx.virtualHosts = mkIf config.services.telegraf.enable {
services.nginx.virtualHosts = mkIf config.services.nginx.enable {
localhost.listenAddresses = ["127.0.0.1" "[::1]"];
localhost.locations."= /nginx_status".extraConfig = ''
allow 127.0.0.0/8;
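Review bot: `security.elewrap.telegraf-nvme` and `security.elewrap.telegraf-smartctl` combine `targetUser = "root"` with `passArguments = true`, so anything running as the `telegraf` user can invoke nvme or smartctl as root with an arbitrary argument list, and both tools have subcommands that modify device state rather than only read it; since telegraf also loads secrets from `environmentFiles` and speaks to the network (nginx status, wireguard, http inputs), this turns a compromise of the collector into root-level disk operations. If elewrap can constrain the argument list to the read-only invocations the smart input actually issues, that would close most of the gap; otherwise I would at least document the trade-off next to the two wrappers, e.g. `# NOTE: passArguments lets the telegraf user run this binary as root with any argv; tighten if elewrap gains an argument allow-list`. Separately, `telegraf-sensors` hard-codes `"-A" "-d"` and leaves `passArguments` unset, while the sensors input passes its own flags (`-A -u`, as far as I recall), so please confirm that elewrap drops caller arguments in that mode and that the fixed argv is what the plugin's parser expects — I could not place `-d` among the documented `sensors` options. The enclosing attribute set begins before the first hunk.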


@ -4,6 +4,7 @@
agenix-rekey,
colmena,
disko,
elewrap,
home-manager,
impermanence,
microvm,
@ -33,6 +34,7 @@
agenix.nixosModules.default
agenix-rekey.nixosModules.default
disko.nixosModules.disko
elewrap.nixosModules.default
home-manager.nixosModules.default
impermanence.nixosModules.impermanence
nixos-nftables-firewall.nixosModules.default