✅ add a lot more healthchecks

components/network/wireguard.nix

@@ -25,6 +25,8 @@ with lib;
   config = {
     networking.extraHosts = ''
       10.100.0.1 cache.orbi.wg0
+      10.100.0.1 orbi.wg0
+      10.100.0.2 chungus.wg0
     '';
   };
 

flake.lock

@@ -496,11 +496,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1727858670,
+        "lastModified": 1728474281,
-        "narHash": "sha256-WMtfs5Fv68ELcPYyfOqyQG7p+hraSon7lKsoq3Dutwc=",
+        "narHash": "sha256-0urbkJgTgTIyFUxka6OZ3zgUHKxdOso1ML7MB4rxnyI=",
         "owner": "mrvandalo",
         "repo": "nixos-healthchecks",
-        "rev": "fa48fca26eca92a77a89ecff59b58ec124577b8c",
+        "rev": "b22067284a52b114209528fd20587629b6ffcf21",
         "type": "github"
       },
       "original": {

machines/cherry/network-tinc.nix

@@ -1,10 +1,18 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {
 
   tinc.private.enable = true;
   tinc.private.ipv4 = "10.23.42.29";
 
+  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
+    ping -c 1 -W 5 ${config.tinc.private.ipv4}
+  '';
+
   tinc.secret.enable = true;
   tinc.secret.ipv4 = "10.123.42.29";
 
+  healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" ''
+    ping -c 1 -W 5 ${config.tinc.secret.ipv4}
+  '';
+
 }

machines/cherry/network-tinc_retiolum.nix

@@ -1,4 +1,9 @@
-{ config, factsGenerator, ... }:
+{
+  config,
+  factsGenerator,
+  pkgs,
+  ...
+}:
 {
 
   clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
@@ -6,6 +11,10 @@
   networking.retiolum.port = 720;
   networking.retiolum.nodename = "cherry";
 
+  healthchecks.localCommands.ping-retiolum = pkgs.writers.writeBash "ping-retiolum" ''
+    ping -c 1 -W 5 ${config.networking.retiolum.nodename}.r
+  '';
+
   services.tinc.networks.retiolum = {
     ed25519PrivateKeyFile =
       config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;

machines/cherry/network-wireguard-wg0.nix

@@ -1,10 +1,16 @@
 {
+  pkgs,
   config,
   factsGenerator,
   clanLib,
   ...
 }:
 {
+
+  healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
+    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
+  '';
+
   networking.firewall.allowedUDPPorts = [ 51820 ];
   clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
   clan.core.facts.services.wireguard_ip = factsGenerator.public {

machines/chungus/configuration.nix

@@ -73,6 +73,9 @@
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
   networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
 
+  healthchecks.closed.wg0.host = "10.100.0.2";
+  healthchecks.closed.retiolum.host = "centauri.r";
+
   services.printing.enable = false;
 
   networking.hostName = "chungus";

machines/chungus/hass-mqtt.nix

@@ -16,4 +16,5 @@
   networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 1883 ];
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ 1883 ];
 
+  healthchecks.closed.retiolum.ports.mqtt = [ 1883 ];
 }

machines/chungus/hass-zigbee2mqtt.nix

@@ -8,6 +8,11 @@
 {
   imports = [ ./hass-mqtt.nix ];
 
+  healthchecks.closed.retiolum.ports.zigbee2mqtt = [
+    1337
+    9666
+  ];
+
   services.zigbee2mqtt = {
     enable = true;
     dataDir = "/srv2/zigbee2mqtt";

machines/chungus/hass.nix

@@ -18,4 +18,6 @@
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ];
   networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ];
 
+  healthchecks.closed.retiolum.ports.hass = [ 8123 ];
+
 }

machines/chungus/media-jellyfin.nix

@@ -12,6 +12,12 @@
     user = "media";
   };
 
+  healthchecks.http.jellyfin = {
+    url = "flix.${config.networking.hostName}.private";
+  };
+
+  healthchecks.closed.retiolum.ports.jellyfin = [ 8096 ];
+
   services.nginx = {
     enable = true;
     virtualHosts."flix.${config.networking.hostName}.private" = {

machines/chungus/media-navidrome.nix

@@ -6,6 +6,16 @@
 }:
 {
 
+  healthchecks.http.navidrome = {
+    #url = "${config.networking.hostName}.wg0:${toString config.services.navidrome.settings.Port}/app/#/login";
+    url = "${
+      config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value
+    }:${toString config.services.navidrome.settings.Port}/app/#/login";
+    expectedContent = "Navidrome";
+  };
+
+  healthchecks.closed.retiolum.ports.navidrome = [ config.services.navidrome.settings.Port ];
+
   services.navidrome = {
     enable = true;
     openFirewall = true;

machines/chungus/media-share.nix

@@ -1,6 +1,12 @@
 { config, ... }:
 {
 
+  healthchecks.closed.retiolum.ports.share = [
+    137
+    138
+    139
+    445
+  ];
   networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [
     445
     139

machines/chungus/media-syncthing.nix

@@ -10,6 +10,7 @@
     url = config.services.syncthing.guiAddress;
     expectedContent = "syncthing";
   };
+  healthchecks.closed.retiolum.ports.syncthing-gui = [ 8384 ];
 
   services.syncthing = {
     enable = true;

machines/chungus/network-tinc-retiolum.nix

@@ -1,4 +1,9 @@
-{ config, factsGenerator, ... }:
+{
+  config,
+  factsGenerator,
+  pkgs,
+  ...
+}:
 {
   clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 

machines/chungus/network-tinc.nix

@@ -1,6 +1,11 @@
+{ pkgs, config, ... }:
 {
 
   tinc.private.enable = true;
   tinc.private.ipv4 = "10.23.42.28";
 
+  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
+    ping -c 1 -W 5 ${config.tinc.private.ipv4}
+  '';
+
 }

machines/chungus/network-wireguard.nix

@@ -1,10 +1,16 @@
 {
+  pkgs,
   config,
   factsGenerator,
   clanLib,
   ...
 }:
 {
+
+  healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
+    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
+  '';
+
   networking.firewall.allowedUDPPorts = [ 51820 ];
   clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
   clan.core.facts.services.wireguard_ip = factsGenerator.public {

machines/chungus/service-atuin.nix

@@ -1,10 +1,13 @@
 {
-  config,
   pkgs,
+  config,
   assets,
   ...
 }:
 {
+
+  healthchecks.closed.retiolum.ports.atuin = [ config.services.atuin.port ];
+
   services.atuin = {
     enable = true;
     package = pkgs.legacy_2405.atuin.overrideAttrs (_old: {

machines/chungus/service-forgejo.nix

@@ -10,6 +10,8 @@
     expectedContent = "nixinate";
   };
 
+  healthchecks.closed.retiolum.ports.forgejo = [ config.services.forgejo.settings.server.HTTP_PORT ];
+
   services.nginx = {
     enable = true;
     statusPage = true;

machines/chungus/service-paperless.nix

@@ -35,6 +35,7 @@
     url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
     expectedContent = "paperless.chungus.private";
   };
+  healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ];
 
   services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {
     serverAliases = [ "paperless.ingolf-wagner.de" ];

machines/chungus/service-s3.nix

@@ -1,6 +1,11 @@
 { config, factsGenerator, ... }:
 {
 
+  healthchecks.closed.retiolum.ports.s3 = [
+    9000
+    9001
+  ];
+
   clan.core.facts.services.s3 = factsGenerator.password {
     name = "root";
     service = "s3";

machines/chungus/service-taskwarrior.nix

@@ -6,6 +6,8 @@
 }:
 {
 
+  healthchecks.closed.retiolum.ports.taskwarrior-webui = [ 8080 ];
+
   virtualisation.oci-containers = {
     containers.taskwarrior-webui = {
       volumes = [

machines/chungus/service-vault.nix

@@ -1,5 +1,8 @@
 { pkgs, ... }:
 {
+
+  healthchecks.closed.retiolum.ports.vault = [ 8200 ];
+
   services.vault = {
     enable = true;
     #adress = "chungus.private:8200";

machines/chungus/telemetry/grafana.nix

@@ -12,6 +12,10 @@
     };
   };
 
+  healthchecks.http.grafana = {
+    url = "grafana.${config.networking.hostName}.private";
+  };
+
   services.grafana = {
     enable = true;
     settings = {

machines/chungus/zerotier-controller.nix

@@ -21,6 +21,9 @@ let
     '';
 in
 {
+
+  healthchecks.closed.retiolum.ports.vault = [ 9993 ];
+
   environment.systemPackages = [
     (zerotierCommand "zerotier-script-members" ''
       curl "http://localhost:9993/controller/network/''${NWID}/member" -H "X-ZT1-AUTH: ''${TOKEN}" | gojq

machines/orbi/network-tinc.nix

@@ -1,3 +1,4 @@
+{ pkgs, config, ... }:
 {
 
   networking.firewall = {
@@ -14,7 +15,15 @@
   tinc.private.enable = true;
   tinc.private.ipv4 = "10.23.42.100";
 
-  tinc.secret.enable = true;
+  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
-  tinc.secret.ipv4 = "10.123.42.100";
+    ping -c 1 -W 5 ${config.tinc.private.ipv4}
+  '';
+
+  #  tinc.secret.enable = true;
+  #  tinc.secret.ipv4 = "10.123.42.100";
+  #
+  #  healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" ''
+  #    ping -c 1 -W 5 ${config.tinc.secret.ipv4}
+  #  '';
 
 }

machines/orbi/network-wireguard.nix

@@ -27,6 +27,10 @@ in
     "wireguard.wg0.ip" = "10.100.0.1";
   };
 
+  healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
+    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
+  '';
+
   boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 
   # Enable WireGuard