diff --git a/components/network/wireguard.nix b/components/network/wireguard.nix index c657cb6..000d2d7 100644 --- a/components/network/wireguard.nix +++ b/components/network/wireguard.nix @@ -25,6 +25,8 @@ with lib; config = { networking.extraHosts = '' 10.100.0.1 cache.orbi.wg0 + 10.100.0.1 orbi.wg0 + 10.100.0.2 chungus.wg0 ''; }; diff --git a/flake.lock b/flake.lock index c3e3aef..ec3daeb 100644 --- a/flake.lock +++ b/flake.lock @@ -496,11 +496,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1727858670, - "narHash": "sha256-WMtfs5Fv68ELcPYyfOqyQG7p+hraSon7lKsoq3Dutwc=", + "lastModified": 1728474281, + "narHash": "sha256-0urbkJgTgTIyFUxka6OZ3zgUHKxdOso1ML7MB4rxnyI=", "owner": "mrvandalo", "repo": "nixos-healthchecks", - "rev": "fa48fca26eca92a77a89ecff59b58ec124577b8c", + "rev": "b22067284a52b114209528fd20587629b6ffcf21", "type": "github" }, "original": { diff --git a/machines/cherry/network-tinc.nix b/machines/cherry/network-tinc.nix index a2754ce..07c2549 100644 --- a/machines/cherry/network-tinc.nix +++ b/machines/cherry/network-tinc.nix @@ -1,10 +1,18 @@ -{ config, ... }: +{ pkgs, config, ... }: { tinc.private.enable = true; tinc.private.ipv4 = "10.23.42.29"; + healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" '' + ping -c 1 -W 5 ${config.tinc.private.ipv4} + ''; + tinc.secret.enable = true; tinc.secret.ipv4 = "10.123.42.29"; + healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" '' + ping -c 1 -W 5 ${config.tinc.secret.ipv4} + ''; + } diff --git a/machines/cherry/network-tinc_retiolum.nix b/machines/cherry/network-tinc_retiolum.nix index f86da8e..1006e81 100644 --- a/machines/cherry/network-tinc_retiolum.nix +++ b/machines/cherry/network-tinc_retiolum.nix @@ -1,4 +1,9 @@ -{ config, factsGenerator, ... }: +{ + config, + factsGenerator, + pkgs, + ... +}: { clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; }; 
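Review bot: The two added extraHosts entries hardcode 10.100.0.1 and 10.100.0.2, while the same commit reads the wg0 address from `config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value` in every ping-wg0 check; machines/chungus/configuration.nix repeats the literal a third time in `healthchecks.closed.wg0.host = "10.100.0.2";`. If a machine's wireguard_ip fact changes, the host entries and the closed-port check silently keep the old address and the checks probe the wrong peer. Where the fact is reachable from these modules, derive both values from it; otherwise a comment next to the literals naming what they must track (`# keep in sync with the wireguard_ip fact of orbi / chungus`) at least makes the coupling visible.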
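Review bot: The `ping -c 1 -W 5 ${config.tinc.private.ipv4}` wrapper behind `healthchecks.localCommands.ping-private` is repeated almost verbatim eight times in this commit (ping-private and ping-secret here, ping-retiolum and ping-wg0 on cherry, ping-private and ping-wg0 on chungus, ping-private and ping-wg0 on orbi); a small helper in a shared module, e.g. `pingCheck = name: target: pkgs.writers.writeBash "ping-${name}" "ping -c 1 -W 5 ${target}";`, would keep the count and timeout in one place. Each script also resolves `ping` from PATH at run time rather than from a store path; whether that works depends on the environment the healthchecks module runs local commands in, and on NixOS the capability-bearing binary is the wrapper under /run/wrappers/bin, so this is worth confirming before relying on the checks. Pinging the machine's own address mostly proves the interface is configured, not that any peer is reachable, which a short comment on the check could state.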
@@ -6,6 +11,10 @@ networking.retiolum.port = 720; networking.retiolum.nodename = "cherry"; + healthchecks.localCommands.ping-retiolum = pkgs.writers.writeBash "ping-retiolum" '' + ping -c 1 -W 5 ${config.networking.retiolum.nodename}.r + ''; + services.tinc.networks.retiolum = { ed25519PrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path; diff --git a/machines/cherry/network-wireguard-wg0.nix b/machines/cherry/network-wireguard-wg0.nix index 9962536..45ea509 100644 --- a/machines/cherry/network-wireguard-wg0.nix +++ b/machines/cherry/network-wireguard-wg0.nix @@ -1,10 +1,16 @@ { + pkgs, config, factsGenerator, clanLib, ... }: { + + healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" '' + ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value} + ''; + networking.firewall.allowedUDPPorts = [ 51820 ]; clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; }; clan.core.facts.services.wireguard_ip = factsGenerator.public { diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix index a146eb4..a3c80d1 100644 --- a/machines/chungus/configuration.nix +++ b/machines/chungus/configuration.nix @@ -73,6 +73,9 @@ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ]; + healthchecks.closed.wg0.host = "10.100.0.2"; + healthchecks.closed.retiolum.host = "centauri.r"; + services.printing.enable = false; networking.hostName = "chungus"; diff --git a/machines/chungus/hass-mqtt.nix b/machines/chungus/hass-mqtt.nix index c82e0ee..db16169 100644 --- a/machines/chungus/hass-mqtt.nix +++ b/machines/chungus/hass-mqtt.nix @@ -16,4 +16,5 @@ networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 1883 ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 1883 ]; + healthchecks.closed.retiolum.ports.mqtt = [ 1883 ]; } 
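Review bot: `ping -c 1 -W 5 ${config.networking.retiolum.nodename}.r` in ping-retiolum tests name resolution of `cherry.r` as much as the tinc interface, so a broken hosts file or resolver fails this check for a reason unrelated to retiolum, and unlike ping-private it does not use the node's own address directly. If the intent is to check the interface, ping the node's retiolum address where the module exposes it; if resolution of `.r` names is deliberately part of what is monitored, a one-line comment saying so would make the failure mode clear. The module header for this file is changed in the preceding hunk, which only adds `pkgs` to the argument set.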
diff --git a/machines/chungus/hass-zigbee2mqtt.nix b/machines/chungus/hass-zigbee2mqtt.nix index f47d73e..964dcaf 100644 --- a/machines/chungus/hass-zigbee2mqtt.nix +++ b/machines/chungus/hass-zigbee2mqtt.nix @@ -8,6 +8,11 @@ { imports = [ ./hass-mqtt.nix ]; + healthchecks.closed.retiolum.ports.zigbee2mqtt = [ + 1337 + 9666 + ]; + services.zigbee2mqtt = { enable = true; dataDir = "/srv2/zigbee2mqtt"; diff --git a/machines/chungus/hass.nix b/machines/chungus/hass.nix index 868b969..a59b3e9 100644 --- a/machines/chungus/hass.nix +++ b/machines/chungus/hass.nix @@ -18,4 +18,6 @@ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ]; + healthchecks.closed.retiolum.ports.hass = [ 8123 ]; + } diff --git a/machines/chungus/media-jellyfin.nix b/machines/chungus/media-jellyfin.nix index 89094df..7841037 100644 --- a/machines/chungus/media-jellyfin.nix +++ b/machines/chungus/media-jellyfin.nix @@ -12,6 +12,12 @@ user = "media"; }; + healthchecks.http.jellyfin = { + url = "flix.${config.networking.hostName}.private"; + }; + + healthchecks.closed.retiolum.ports.jellyfin = [ 8096 ]; + services.nginx = { enable = true; virtualHosts."flix.${config.networking.hostName}.private" = { diff --git a/machines/chungus/media-navidrome.nix b/machines/chungus/media-navidrome.nix index 24ce819..7c72e7f 100644 --- a/machines/chungus/media-navidrome.nix +++ b/machines/chungus/media-navidrome.nix @@ -6,6 +6,16 @@ }: { + healthchecks.http.navidrome = { + #url = "${config.networking.hostName}.wg0:${toString config.services.navidrome.settings.Port}/app/#/login"; + url = "${ + config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value + }:${toString config.services.navidrome.settings.Port}/app/#/login"; + expectedContent = "Navidrome"; + }; + + healthchecks.closed.retiolum.ports.navidrome = [ config.services.navidrome.settings.Port ]; + services.navidrome = { enable = true; openFirewall = true; 
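Review bot: `healthchecks.http.jellyfin` sets only `url = "flix.${config.networking.hostName}.private";` with no `expectedContent`, unlike the syncthing, navidrome, paperless and forgejo checks in this commit which all assert on page content; machines/chungus/telemetry/grafana.nix adds `healthchecks.http.grafana` the same way. If the module falls back to a status-code check when expectedContent is absent, an nginx default page or a redirect to a login form would pass. Adding `expectedContent = "Jellyfin";` here (and a corresponding string for grafana) pins the check to the actual application.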
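Review bot: `healthchecks.closed.retiolum.ports.navidrome = [ config.services.navidrome.settings.Port ];` conflicts with the `openFirewall = true;` context line directly below it: as far as I know that option adds the port to `networking.firewall.allowedTCPPorts`, which applies to every interface including retiolum, so unless the firewall is restricted elsewhere this closed-port check will report the port open. Opening the port per interface as the other files do (`networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.navidrome.settings.Port ];`) and dropping openFirewall resolves the contradiction. The commented-out `#url = ...` line above the live url should be deleted rather than kept, and the `#/login` fragment is never sent to the server, so the check fetches `/app/` regardless — spelling the url that way avoids implying the login view is verified.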
diff --git a/machines/chungus/media-share.nix b/machines/chungus/media-share.nix index 012c25b..f9b4313 100644 --- a/machines/chungus/media-share.nix +++ b/machines/chungus/media-share.nix @@ -1,6 +1,12 @@ { config, ... }: { + healthchecks.closed.retiolum.ports.share = [ + 137 + 138 + 139 + 445 + ]; networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 445 139 diff --git a/machines/chungus/media-syncthing.nix b/machines/chungus/media-syncthing.nix index e266204..d83c42a 100644 --- a/machines/chungus/media-syncthing.nix +++ b/machines/chungus/media-syncthing.nix @@ -10,6 +10,7 @@ url = config.services.syncthing.guiAddress; expectedContent = "syncthing"; }; + healthchecks.closed.retiolum.ports.syncthing-gui = [ 8384 ]; services.syncthing = { enable = true; diff --git a/machines/chungus/network-tinc-retiolum.nix b/machines/chungus/network-tinc-retiolum.nix index f1cc648..faa62f7 100644 --- a/machines/chungus/network-tinc-retiolum.nix +++ b/machines/chungus/network-tinc-retiolum.nix @@ -1,4 +1,9 @@ -{ config, factsGenerator, ... }: +{ + config, + factsGenerator, + pkgs, + ... +}: { clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; }; diff --git a/machines/chungus/network-tinc.nix b/machines/chungus/network-tinc.nix index b4144a6..1ebf79e 100644 --- a/machines/chungus/network-tinc.nix +++ b/machines/chungus/network-tinc.nix @@ -1,6 +1,11 @@ +{ pkgs, config, ... }: { tinc.private.enable = true; tinc.private.ipv4 = "10.23.42.28"; + healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" '' + ping -c 1 -W 5 ${config.tinc.private.ipv4} + ''; + } diff --git a/machines/chungus/network-wireguard.nix b/machines/chungus/network-wireguard.nix index f62f5aa..be9fb62 100644 --- a/machines/chungus/network-wireguard.nix +++ b/machines/chungus/network-wireguard.nix 
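Review bot: `healthchecks.closed.retiolum.ports.share` lists 137 and 138, which are UDP NetBIOS ports, alongside TCP 139 and 445; if the closed-port check only probes TCP (every other entry in this commit is a TCP service), those two entries add nothing and may give a false sense that the UDP side is covered. Confirm what the module probes and, if it is TCP-only, either drop 137/138 or note in a comment that UDP is not covered, e.g. `# 137/138 are UDP; only meaningful if the port check probes UDP`.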
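Review bot: machines/chungus/network-tinc-retiolum.nix only gains `pkgs` in its argument set in this hunk, and no other hunk for that file appears in the diff, so the new parameter looks unused; the sibling change in machines/cherry/network-tinc_retiolum.nix adds `pkgs` together with a `healthchecks.localCommands.ping-retiolum` check, which suggests the check was meant to land here too. Either add the matching ping-retiolum command for chungus or drop the parameter change. If the rest of the file uses pkgs in a hunk not shown here, disregard this.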
@@ -1,10 +1,16 @@ { + pkgs, config, factsGenerator, clanLib, ... }: { + + healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" '' + ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value} + ''; + networking.firewall.allowedUDPPorts = [ 51820 ]; clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; }; clan.core.facts.services.wireguard_ip = factsGenerator.public { diff --git a/machines/chungus/service-atuin.nix b/machines/chungus/service-atuin.nix index db876be..1524876 100644 --- a/machines/chungus/service-atuin.nix +++ b/machines/chungus/service-atuin.nix @@ -1,10 +1,13 @@ { - config, pkgs, + config, assets, ... }: { + + healthchecks.closed.retiolum.ports.atuin = [ config.services.atuin.port ]; + services.atuin = { enable = true; package = pkgs.legacy_2405.atuin.overrideAttrs (_old: { diff --git a/machines/chungus/service-forgejo.nix b/machines/chungus/service-forgejo.nix index 49dc36f..bb5e528 100644 --- a/machines/chungus/service-forgejo.nix +++ b/machines/chungus/service-forgejo.nix @@ -10,6 +10,8 @@ expectedContent = "nixinate"; }; + healthchecks.closed.retiolum.ports.forgejo = [ config.services.forgejo.settings.server.HTTP_PORT ]; + services.nginx = { enable = true; statusPage = true; diff --git a/machines/chungus/service-paperless.nix b/machines/chungus/service-paperless.nix index 479a8b8..af31737 100644 --- a/machines/chungus/service-paperless.nix +++ b/machines/chungus/service-paperless.nix @@ -35,6 +35,7 @@ url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/"; expectedContent = "paperless.chungus.private"; }; + healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ]; services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = { serverAliases = [ "paperless.ingolf-wagner.de" ]; diff --git a/machines/chungus/service-s3.nix b/machines/chungus/service-s3.nix index 4c26646..bb2d22c 100644 
--- a/machines/chungus/service-s3.nix +++ b/machines/chungus/service-s3.nix @@ -1,6 +1,11 @@ { config, factsGenerator, ... }: { + healthchecks.closed.retiolum.ports.s3 = [ + 9000 + 9001 + ]; + clan.core.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; diff --git a/machines/chungus/service-taskwarrior.nix b/machines/chungus/service-taskwarrior.nix index 31c8812..654e4e4 100644 --- a/machines/chungus/service-taskwarrior.nix +++ b/machines/chungus/service-taskwarrior.nix @@ -6,6 +6,8 @@ }: { + healthchecks.closed.retiolum.ports.taskwarrior-webui = [ 8080 ]; + virtualisation.oci-containers = { containers.taskwarrior-webui = { volumes = [ diff --git a/machines/chungus/service-vault.nix b/machines/chungus/service-vault.nix index ad7923e..b62a55a 100644 --- a/machines/chungus/service-vault.nix +++ b/machines/chungus/service-vault.nix @@ -1,5 +1,8 @@ { pkgs, ... }: { + + healthchecks.closed.retiolum.ports.vault = [ 8200 ]; + services.vault = { enable = true; #adress = "chungus.private:8200"; diff --git a/machines/chungus/telemetry/grafana.nix b/machines/chungus/telemetry/grafana.nix index 3fcf9dd..961bf96 100644 --- a/machines/chungus/telemetry/grafana.nix +++ b/machines/chungus/telemetry/grafana.nix @@ -12,6 +12,10 @@ }; }; + healthchecks.http.grafana = { + url = "grafana.${config.networking.hostName}.private"; + }; + services.grafana = { enable = true; settings = { diff --git a/machines/chungus/zerotier-controller.nix b/machines/chungus/zerotier-controller.nix index 8c9ed2e..f05fea9 100644 --- a/machines/chungus/zerotier-controller.nix +++ b/machines/chungus/zerotier-controller.nix @@ -21,6 +21,9 @@ let ''; in { + + healthchecks.closed.retiolum.ports.vault = [ 9993 ]; + environment.systemPackages = [ (zerotierCommand "zerotier-script-members" '' curl "http://localhost:9993/controller/network/''${NWID}/member" -H "X-ZT1-AUTH: ''${TOKEN}" | gojq 
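Review bot: `healthchecks.closed.retiolum.ports.vault = [ 9993 ];` in machines/chungus/zerotier-controller.nix reuses the attribute name `vault`, which machines/chungus/service-vault.nix already defines in this same commit as `healthchecks.closed.retiolum.ports.vault = [ 8200 ];`. Depending on how the option is typed the two definitions will either fail evaluation as a conflicting definition or merge silently into one `vault` check covering both ports, which hides which service is actually exposed when it fails. Rename it to `healthchecks.closed.retiolum.ports.zerotier = [ 9993 ];`.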
diff --git a/machines/orbi/network-tinc.nix b/machines/orbi/network-tinc.nix index 4467de9..38451a9 100644 --- a/machines/orbi/network-tinc.nix +++ b/machines/orbi/network-tinc.nix @@ -1,3 +1,4 @@ +{ pkgs, config, ... }: { networking.firewall = { @@ -14,7 +15,15 @@ tinc.private.enable = true; tinc.private.ipv4 = "10.23.42.100"; - tinc.secret.enable = true; - tinc.secret.ipv4 = "10.123.42.100"; + healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" '' + ping -c 1 -W 5 ${config.tinc.private.ipv4} + ''; + + # tinc.secret.enable = true; + # tinc.secret.ipv4 = "10.123.42.100"; + # + # healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" '' + # ping -c 1 -W 5 ${config.tinc.secret.ipv4} + # ''; } diff --git a/machines/orbi/network-wireguard.nix b/machines/orbi/network-wireguard.nix index 09a9710..f48b84f 100644 --- a/machines/orbi/network-wireguard.nix +++ b/machines/orbi/network-wireguard.nix @@ -27,6 +27,10 @@ in "wireguard.wg0.ip" = "10.100.0.1"; }; + healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" '' + ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value} + ''; + boot.kernel.sysctl."net.ipv4.ip_forward" = true; # Enable WireGuard
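Review bot: The second hunk replaces `tinc.secret.enable = true;` and `tinc.secret.ipv4 = "10.123.42.100";` with commented-out copies plus a commented-out ping-secret check, so the secret tinc network is disabled on orbi without any statement of why; commented-out code should be deleted and the reason recorded in the commit message or a one-line comment such as `# tinc.secret retired on orbi: <reason>`. machines/cherry/network-tinc.nix still keeps `tinc.secret.enable = true` with its own ping-secret check, and because that check pings cherry's own secret address it will keep passing even if orbi was its only peer. If the network is being retired, cherry's configuration should follow; if orbi is only temporarily out, say so.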
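Review bot: The `healthchecks.localCommands.ping-wg0` addition in machines/orbi/network-wireguard.nix uses `pkgs.writers.writeBash`, but unlike every other file in this commit the hunk does not add `pkgs` to the module's argument set, and that argument set lies outside the hunk (the hunk header shows the change sits after a `let … in`). Confirm `pkgs` is already bound in that file; otherwise evaluation fails on an undefined variable. The enclosing module starts outside this hunk.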