diff --git a/flake.nix b/flake.nix
index f686f88..6882367 100644
--- a/flake.nix
+++ b/flake.nix
@@ -112,7 +112,7 @@
 pkgs = super;
 nurpkgs = super;
 };
- nix-gaming = nix-gaming.packages.${super.system};
+ inherit nix-gaming;
 } // args);
 overlay = overlay' { };
 # I override some settings down the line, but overlays always stay the same
@@ -133,6 +133,7 @@
 _module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
 }
 (if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
+ ./system/modules/ping-exporter.nix
 ];
 };
 crossConfig' = from: config: config // {
diff --git a/home/common/general.nix b/home/common/general.nix
index 4744e49..cdfc6c3 100644
--- a/home/common/general.nix
+++ b/home/common/general.nix
@@ -147,6 +147,7 @@
 readline = {
 enable = true;
 variables.editing-mode = "vi";
+ variables.show-mode-in-prompt = true;
 };
 nix-index = {
 enable = true;
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 007d892..6ca8974 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -14,7 +14,7 @@ let
 in
 {
- inherit (nix-gaming) faf-client osu-lazer-bin;
+ inherit (nix-gaming.packages.${pkgs.system}) faf-client osu-lazer-bin;
 inherit nixForNixPlugins;
 nix = nixForNixPlugins;
 nixVersions = pkgs.nixVersions.extend (self: super: {
@@ -108,6 +108,7 @@ in
 kvmfrOverlay = kvmfr: kvmfr.overrideAttrs (old: {
 inherit (pkgs'.looking-glass-client) version src;
 });
+ ping-exporter = callPackage ./ping-exporter { };
 proton-ge = pkgs.stdenvNoCC.mkDerivation {
 inherit (sources.proton-ge) pname version src;
 installPhase = ''
diff --git a/pkgs/ping-exporter/default.nix b/pkgs/ping-exporter/default.nix
new file mode 100644
index 0000000..d5cda66
--- /dev/null
+++ b/pkgs/ping-exporter/default.nix
@@ -0,0 +1,24 @@
+{ lib
+, fetchFromGitHub
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+ pname = "ping-exporter";
+ version = "0.1";
+
+ src = fetchFromGitHub {
+ owner = "chayleaf";
+ repo = "ping-exporter";
+ rev = "cf5e5f7e96fb477e015d44cd462fb996b944c896";
+ hash = "sha256-eZncfKTegLp+KBnAds8YR7ZMN8i7jDIIN8qt7832+0Y=";
+ };
+
+ cargoLock.lockFile = "${src}/Cargo.lock";
+
+ meta = with lib; {
+ description = "A ping exporter for Prometheus";
+ license = with lib.licenses; [ mit asl20 ];
+ maintainers = with lib.maintainers; [ chayleaf ];
+ };
+}
diff --git a/system/devices/bpi-r3-router.nix b/system/devices/bpi-r3-router.nix
index 9a94b98..1a23919 100644
--- a/system/devices/bpi-r3-router.nix
+++ b/system/devices/bpi-r3-router.nix
@@ -14,6 +14,12 @@ in
 ];
 networking.hostName = "nixos-router";
+ systemd.enableEmergencyMode = false;
+ boot.kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
 fileSystems = {
 # mount root on tmpfs
 "/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
diff --git a/system/devices/radxa-rock5a-server.nix b/system/devices/radxa-rock5a-server.nix
index feb19ab..0012429 100644
--- a/system/devices/radxa-rock5a-server.nix
+++ b/system/devices/radxa-rock5a-server.nix
@@ -29,6 +29,12 @@ in
 "dm_mod" "dm_crypt" "encrypted_keys"
 ];
+ systemd.enableEmergencyMode = false;
+ boot.kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
 networking.useDHCP = true;
 /*
 # as expected, systemd initrd and networking didn't work well, and i really cba to debug it
diff --git a/system/hosts/router/metrics.nix b/system/hosts/router/metrics.nix
index e55d414..f1a316e 100644
--- a/system/hosts/router/metrics.nix
+++ b/system/hosts/router/metrics.nix
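Review bot: `cargoLock.lockFile = "${src}/Cargo.lock";` reads the lock file out of the fetched source at evaluation time, which is import-from-derivation; it works for a personal flake, but any evaluator with `allow-import-from-derivation` disabled will refuse to evaluate this package, so consider vendoring `Cargo.lock` next to this file and pointing `lockFile` at it. The pin itself is sound: a full commit `rev` plus a content `hash`, so neither the upstream repository nor the lock file it contains can drift silently. Minor style: the outer `with lib;` on the `meta` set is unused since both inner lists already use `with lib.licenses;` / `with lib.maintainers;`, and `version = "0.1"` does not correspond to the pinned commit, so a snapshot-style version string would describe the build more honestly.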
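Review bot: `systemd.enableEmergencyMode = false;` on an unattended board means a failed boot — for instance the tmpfs root in the `fileSystems` block just below, or the dm_crypt stack listed above in the radxa-rock5a-server.nix hunk — stalls instead of dropping to an emergency shell, which is a defensible trade for a headless host but deserves a comment, e.g. `# headless: do not wait on a console shell when boot fails`. The same two settings are added verbatim to system/devices/radxa-rock5a-server.nix in the next hunk; a shared profile module would keep the two boards in step when one of them is tuned later. The BBR sysctl also relies on the running kernel providing `tcp_bbr` (normally autoloaded on a distro kernel); if these boards run a trimmed custom kernel it is worth checking `net.ipv4.tcp_available_congestion_control` once after deploy, since a rejected sysctl only shows up as a boot-time warning.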
@@ -31,6 +31,18 @@ in {
 ];
 listenAddress = netAddresses.lan4;
 };
+ ping = {
+ enable = true;
+ listenAddress = netAddresses.lan4;
+ port = 9380;
+ config = {
+ type = "raw";
+ targets = [
+ "8.8.8.8"
+ { target = "8.8.8.8"; netns = "wan"; }
+ ];
+ };
+ };
 };
 router.interfaces.br0 = let
 # all of this just to avoid logging commands...
diff --git a/system/hosts/server/default.nix b/system/hosts/server/default.nix
index 1809914..2c16199 100644
--- a/system/hosts/server/default.nix
+++ b/system/hosts/server/default.nix
@@ -134,13 +134,12 @@ in {
 })}'')}
 real_ip_header CF-Connecting-IP;
 '';
- # brotli and zstd requires recompilation so I don't enable it
- # services.nginx.recommendedBrotliSettings = true;
- # services.nginx.recommendedZstdSettings = true;
+ services.nginx.recommendedBrotliSettings = true;
 services.nginx.recommendedGzipSettings = true;
 services.nginx.recommendedOptimisation = true;
 services.nginx.recommendedProxySettings = true;
 services.nginx.recommendedTlsSettings = true;
+ services.nginx.recommendedZstdSettings = true;
 # BLOG
 services.nginx.virtualHosts.${cfg.domainName} = {
diff --git a/system/hosts/server/home.nix b/system/hosts/server/home.nix
index cca260e..6347c0f 100644
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
@@ -315,6 +315,7 @@ in {
 "retracker.local:9101"
 "retracker.local:9256"
 "retracker.local:9167"
+ "retracker.local:9380"
 ];
 labels.machine = "router";
 } ];
diff --git a/system/modules/ping-exporter.nix b/system/modules/ping-exporter.nix
new file mode 100644
index 0000000..bb14d31
--- /dev/null
+++ b/system/modules/ping-exporter.nix
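Review bot: The two `8.8.8.8` entries in `targets` read as an accidental duplicate until one notices the `netns = "wan"` on the second; a comment such as `# probed twice: from the default netns and from the "wan" netns` would make the intent obvious. That `netns` entry is also the reason the module grants the service CAP_SYS_ADMIN, so it is worth noting here that dropping the namespaced target would allow the module's capability set to shrink. The exporter is bound to `netAddresses.lan4` on `port = 9380` with no `openFirewall`, which matches the scrape target added in home.nix, but note the module's own default port is 9390, so this override is what keeps the two sides consistent.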
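Review bot: Enabling `recommendedBrotliSettings` and `recommendedZstdSettings` extends on-the-fly response compression over TLS to two more encodings, so the BREACH-style caveat that already applied with `recommendedGzipSettings` now covers these as well: a vhost that returns a secret (session token, CSRF token) in the same response body as request-controlled text lets the compressed length reveal information about that secret. Static sites are unaffected; for any proxied application that falls in that category, turn compression off in its `location` (`brotli off; zstd off; gzip off;`) or leave compression to the upstream. The removed comment explained why these were off; the new lines carry no rationale, so a one-liner recording that the packaged nginx now ships both modules (which this change implies but does not state) would help the next reader.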
@@ -0,0 +1,151 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+let
+ cfg = config.services.prometheus.exporters.ping;
+ inherit (lib) concatStrings literalExpression mkMerge mkDefault mkEnableOption mkIf mkOption types;
+ # copied from nixpkgs/nixos/modules/services/monitoring/prometheus/exporters
+ mkExporterOpts = { name, port }: {
+ enable = mkEnableOption (lib.mdDoc "the prometheus ${name} exporter");
+ port = mkOption {
+ type = types.port;
+ default = port;
+ description = lib.mdDoc ''
+ Port to listen on.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = lib.mdDoc ''
+ Address to listen on.
+ '';
+ };
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = lib.mdDoc ''
+ Extra commandline options to pass to the ${name} exporter.
+ '';
+ };
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Open port in firewall for incoming connections.
+ '';
+ };
+ firewallFilter = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = literalExpression ''
+ "-i eth0 -p tcp -m tcp --dport ${toString port}"
+ '';
+ description = lib.mdDoc ''
+ Specify a filter for iptables to use when
+ {option}`services.prometheus.exporters.${name}.openFirewall`
+ is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
+ '';
+ };
+ user = mkOption {
+ type = types.str;
+ default = "${name}-exporter";
+ description = lib.mdDoc ''
+ User name under which the ${name} exporter shall be run.
+ '';
+ };
+ group = mkOption {
+ type = types.str;
+ default = "${name}-exporter";
+ description = lib.mdDoc ''
+ Group under which the ${name} exporter shall be run.
+ '';
+ };
+ };
+ mkExporterConf = { name, conf, serviceOpts }:
+ let
+ enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
+ in
+ mkIf conf.enable {
+ warnings = conf.warnings or [];
+ users.users."${name}-exporter" = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
+ description = "Prometheus ${name} exporter service user";
+ isSystemUser = true;
+ inherit (conf) group;
+ });
+ users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
+ "${name}-exporter" = {};
+ });
+ networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
+ "ip46tables -A nixos-fw ${conf.firewallFilter} "
+ "-m comment --comment ${name}-exporter -j nixos-fw-accept"
+ ]);
+ systemd.services."prometheus-${name}-exporter" = mkMerge ([{
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig.Restart = mkDefault "always";
+ serviceConfig.PrivateTmp = mkDefault true;
+ serviceConfig.WorkingDirectory = mkDefault /tmp;
+ serviceConfig.DynamicUser = mkDefault enableDynamicUser;
+ serviceConfig.User = mkDefault conf.user;
+ serviceConfig.Group = conf.group;
+ # Hardening
+ serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
+ serviceConfig.DeviceAllow = [ "" ];
+ serviceConfig.LockPersonality = true;
+ serviceConfig.MemoryDenyWriteExecute = true;
+ serviceConfig.NoNewPrivileges = true;
+ serviceConfig.PrivateDevices = mkDefault true;
+ serviceConfig.ProtectClock = mkDefault true;
+ serviceConfig.ProtectControlGroups = true;
+ serviceConfig.ProtectHome = true;
+ serviceConfig.ProtectHostname = true;
+ serviceConfig.ProtectKernelLogs = true;
+ serviceConfig.ProtectKernelModules = true;
+ serviceConfig.ProtectKernelTunables = true;
+ serviceConfig.ProtectSystem = mkDefault "strict";
+ serviceConfig.RemoveIPC = true;
+ serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ serviceConfig.RestrictNamespaces = true;
+ serviceConfig.RestrictRealtime = true;
+ serviceConfig.RestrictSUIDSGID = true;
+ serviceConfig.SystemCallArchitectures = "native";
+ serviceConfig.UMask = "0077";
+ } serviceOpts ]);
+ };
+ format = pkgs.formats.toml { };
+in {
+ options.services.prometheus.exporters.ping = mkExporterOpts { name = "ping"; port = 9390; } // {
+ config = mkOption {
+ type = format.type;
+ default = { };
+ description = "Exporter config";
+ };
+ };
+ config = mkExporterConf {
+ name = "ping";
+ conf = cfg;
+ serviceOpts = {
+ serviceConfig = rec {
+ # netns switching
+ AmbientCapabilities = [
+ # set network namespace
+ "CAP_SYS_ADMIN"
+ # open icmp socket
+ "CAP_NET_RAW"
+ ];
+ CapabilityBoundingSet = AmbientCapabilities;
+ RestrictNamespaces = lib.mkForce false;
+ ExecStart = ''
+ ${pkgs.ping-exporter}/bin/ping-exporter \
+ --listen ${cfg.listenAddress}:${toString cfg.port} \
+ --config ${format.generate "ping-exporter-config.toml" cfg.config} \
+ ${lib.escapeShellArgs cfg.extraFlags}
+ '';
+ };
+ };
+ };
+}
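Review bot: `RestrictNamespaces = lib.mkForce false;` in the `serviceOpts` block lifts the restriction on every namespace type, while the comment next to `CAP_SYS_ADMIN` says it is granted only to set the network namespace; systemd accepts a type list for this setting, so `RestrictNamespaces = lib.mkForce "net";` keeps mount, pid, user and the rest restricted and still permits entering a netns — on the assumption that the exporter only calls setns(2) with CLONE_NEWNET, which I cannot confirm from here. CAP_SYS_ADMIN itself cannot be narrowed for setns, so the remaining hardening lines (NoNewPrivileges, MemoryDenyWriteExecute, ProtectSystem "strict") are what bound it, and a one-line comment saying so would stop a later cleanup from "simplifying" them away. Separately, in the copied `mkExporterConf`, `"ip46tables -A nixos-fw ${conf.firewallFilter} "` interpolates an option whose default is `null`, so `openFirewall = true` without an explicit `firewallFilter` fails evaluation with a string-coercion error in this copy; a fallback such as `${if conf.firewallFilter != null then conf.firewallFilter else "-p tcp -m tcp --dport ${toString conf.port}"}` avoids that. The option description also documents `ip46tables -I nixos-fw` while the command runs `-A`; one of the two should change.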