✅ add a lot more healthchecks

2024-10-09 21:27:12 +09:00 · 2024-10-09 21:27:12 +09:00 · c73e0f43f4
commit c73e0f43f4
parent 171e7400ba
26 changed files with 120 additions and 9 deletions
--- a/components/network/wireguard.nix
+++ b/components/network/wireguard.nix
@ -25,6 +25,8 @@ with lib;
  config = {
    networking.extraHosts = ''
      10.100.0.1 cache.orbi.wg0
+      10.100.0.1 orbi.wg0
+      10.100.0.2 chungus.wg0
    '';
  };

--- a/flake.lock
+++ b/flake.lock
@ -496,11 +496,11 @@
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
-        "lastModified": 1727858670,
-        "narHash": "sha256-WMtfs5Fv68ELcPYyfOqyQG7p+hraSon7lKsoq3Dutwc=",
+        "lastModified": 1728474281,
+        "narHash": "sha256-0urbkJgTgTIyFUxka6OZ3zgUHKxdOso1ML7MB4rxnyI=",
        "owner": "mrvandalo",
        "repo": "nixos-healthchecks",
-        "rev": "fa48fca26eca92a77a89ecff59b58ec124577b8c",
+        "rev": "b22067284a52b114209528fd20587629b6ffcf21",
        "type": "github"
      },
      "original": {
--- a/machines/cherry/network-tinc.nix
+++ b/machines/cherry/network-tinc.nix
@ -1,10 +1,18 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {

  tinc.private.enable = true;
  tinc.private.ipv4 = "10.23.42.29";

+  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
+    ping -c 1 -W 5 ${config.tinc.private.ipv4}
+  '';
+
  tinc.secret.enable = true;
  tinc.secret.ipv4 = "10.123.42.29";

+  healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" ''
+    ping -c 1 -W 5 ${config.tinc.secret.ipv4}
+  '';
+
 }
--- a/machines/cherry/network-tinc_retiolum.nix
+++ b/machines/cherry/network-tinc_retiolum.nix
@ -1,4 +1,9 @@
-{ config, factsGenerator, ... }:
+{
+  config,
+  factsGenerator,
+  pkgs,
+  ...
+}:
 {

  clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
@ -6,6 +11,10 @@
  networking.retiolum.port = 720;
  networking.retiolum.nodename = "cherry";

+  healthchecks.localCommands.ping-retiolum = pkgs.writers.writeBash "ping-retiolum" ''
+    ping -c 1 -W 5 ${config.networking.retiolum.nodename}.r
+  '';
+
  services.tinc.networks.retiolum = {
    ed25519PrivateKeyFile =
      config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
--- a/machines/cherry/network-wireguard-wg0.nix
+++ b/machines/cherry/network-wireguard-wg0.nix
@ -1,10 +1,16 @@
 {
+  pkgs,
  config,
  factsGenerator,
  clanLib,
  ...
 }:
 {
+
+  healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
+    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
+  '';
+
  networking.firewall.allowedUDPPorts = [ 51820 ];
  clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
  clan.core.facts.services.wireguard_ip = factsGenerator.public {
--- a/machines/chungus/configuration.nix
+++ b/machines/chungus/configuration.nix
@ -73,6 +73,9 @@
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];

+  healthchecks.closed.wg0.host = "10.100.0.2";
+  healthchecks.closed.retiolum.host = "centauri.r";
+
  services.printing.enable = false;

  networking.hostName = "chungus";
--- a/machines/chungus/hass-mqtt.nix
+++ b/machines/chungus/hass-mqtt.nix
@ -16,4 +16,5 @@
  networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 1883 ];
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 1883 ];

+  healthchecks.closed.retiolum.ports.mqtt = [ 1883 ];
 }
--- a/machines/chungus/hass-zigbee2mqtt.nix
+++ b/machines/chungus/hass-zigbee2mqtt.nix
@ -8,6 +8,11 @@
 {
  imports = [ ./hass-mqtt.nix ];

+  healthchecks.closed.retiolum.ports.zigbee2mqtt = [
+    1337
+    9666
+  ];
+
  services.zigbee2mqtt = {
    enable = true;
    dataDir = "/srv2/zigbee2mqtt";
--- a/machines/chungus/hass.nix
+++ b/machines/chungus/hass.nix
@ -18,4 +18,6 @@
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ];
  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ];

+  healthchecks.closed.retiolum.ports.hass = [ 8123 ];
+
 }
--- a/machines/chungus/media-jellyfin.nix
+++ b/machines/chungus/media-jellyfin.nix
@ -12,6 +12,12 @@
    user = "media";
  };

+  healthchecks.http.jellyfin = {
+    url = "flix.${config.networking.hostName}.private";
+  };
+
+  healthchecks.closed.retiolum.ports.jellyfin = [ 8096 ];
+
  services.nginx = {
    enable = true;
    virtualHosts."flix.${config.networking.hostName}.private" = {
--- a/machines/chungus/media-navidrome.nix
+++ b/machines/chungus/media-navidrome.nix
@ -6,6 +6,16 @@
 }:
 {

+  healthchecks.http.navidrome = {
+    #url = "${config.networking.hostName}.wg0:${toString config.services.navidrome.settings.Port}/app/#/login";
+    url = "${
+      config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value
+    }:${toString config.services.navidrome.settings.Port}/app/#/login";
+    expectedContent = "Navidrome";
+  };
+
+  healthchecks.closed.retiolum.ports.navidrome = [ config.services.navidrome.settings.Port ];
+
  services.navidrome = {
    enable = true;
    openFirewall = true;
--- a/machines/chungus/media-share.nix
+++ b/machines/chungus/media-share.nix
@ -1,6 +1,12 @@
 { config, ... }:
 {

+  healthchecks.closed.retiolum.ports.share = [
+    137
+    138
+    139
+    445
+  ];
  networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [
    445
    139
--- a/machines/chungus/media-syncthing.nix
+++ b/machines/chungus/media-syncthing.nix
@ -10,6 +10,7 @@
    url = config.services.syncthing.guiAddress;
    expectedContent = "syncthing";
  };
+  healthchecks.closed.retiolum.ports.syncthing-gui = [ 8384 ];

  services.syncthing = {
    enable = true;
--- a/machines/chungus/network-tinc-retiolum.nix
+++ b/machines/chungus/network-tinc-retiolum.nix
@ -1,4 +1,9 @@
-{ config, factsGenerator, ... }:
+{
+  config,
+  factsGenerator,
+  pkgs,
+  ...
+}:
 {
  clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };

--- a/machines/chungus/network-tinc.nix
+++ b/machines/chungus/network-tinc.nix
@ -1,6 +1,11 @@
+{ pkgs, config, ... }:
 {

  tinc.private.enable = true;
  tinc.private.ipv4 = "10.23.42.28";

+  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
+    ping -c 1 -W 5 ${config.tinc.private.ipv4}
+  '';
+
 }
--- a/machines/chungus/network-wireguard.nix
+++ b/machines/chungus/network-wireguard.nix
@ -1,10 +1,16 @@
 {
+  pkgs,
  config,
  factsGenerator,
  clanLib,
  ...
 }:
 {
+
+  healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
+    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
+  '';
+
  networking.firewall.allowedUDPPorts = [ 51820 ];
  clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
  clan.core.facts.services.wireguard_ip = factsGenerator.public {
--- a/machines/chungus/service-atuin.nix
+++ b/machines/chungus/service-atuin.nix
@ -1,10 +1,13 @@
 {
-  config,
  pkgs,
+  config,
  assets,
  ...
 }:
 {
+
+  healthchecks.closed.retiolum.ports.atuin = [ config.services.atuin.port ];
+
  services.atuin = {
    enable = true;
    package = pkgs.legacy_2405.atuin.overrideAttrs (_old: {
--- a/machines/chungus/service-forgejo.nix
+++ b/machines/chungus/service-forgejo.nix
@ -10,6 +10,8 @@
    expectedContent = "nixinate";
  };

+  healthchecks.closed.retiolum.ports.forgejo = [ config.services.forgejo.settings.server.HTTP_PORT ];
+
  services.nginx = {
    enable = true;
    statusPage = true;
--- a/machines/chungus/service-paperless.nix
+++ b/machines/chungus/service-paperless.nix
@ -35,6 +35,7 @@
    url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
    expectedContent = "paperless.chungus.private";
  };
+  healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ];

  services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {
    serverAliases = [ "paperless.ingolf-wagner.de" ];
--- a/machines/chungus/service-s3.nix
+++ b/machines/chungus/service-s3.nix
@ -1,6 +1,11 @@
 { config, factsGenerator, ... }:
 {

+  healthchecks.closed.retiolum.ports.s3 = [
+    9000
+    9001
+  ];
+
  clan.core.facts.services.s3 = factsGenerator.password {
    name = "root";
    service = "s3";
--- a/machines/chungus/service-taskwarrior.nix
+++ b/machines/chungus/service-taskwarrior.nix
@ -6,6 +6,8 @@
 }:
 {

+  healthchecks.closed.retiolum.ports.taskwarrior-webui = [ 8080 ];
+
  virtualisation.oci-containers = {
    containers.taskwarrior-webui = {
      volumes = [
--- a/machines/chungus/service-vault.nix
+++ b/machines/chungus/service-vault.nix
@ -1,5 +1,8 @@
 { pkgs, ... }:
 {
+
+  healthchecks.closed.retiolum.ports.vault = [ 8200 ];
+
  services.vault = {
    enable = true;
    #adress = "chungus.private:8200";
--- a/machines/chungus/telemetry/grafana.nix
+++ b/machines/chungus/telemetry/grafana.nix
@ -12,6 +12,10 @@
    };
  };

+  healthchecks.http.grafana = {
+    url = "grafana.${config.networking.hostName}.private";
+  };
+
  services.grafana = {
    enable = true;
    settings = {
--- a/machines/chungus/zerotier-controller.nix
+++ b/machines/chungus/zerotier-controller.nix
@ -21,6 +21,9 @@ let
    '';
 in
 {
+
+  healthchecks.closed.retiolum.ports.vault = [ 9993 ];
+
  environment.systemPackages = [
    (zerotierCommand "zerotier-script-members" ''
      curl "http://localhost:9993/controller/network/''${NWID}/member" -H "X-ZT1-AUTH: ''${TOKEN}" | gojq
--- a/machines/orbi/network-tinc.nix
+++ b/machines/orbi/network-tinc.nix
@ -1,3 +1,4 @@
+{ pkgs, config, ... }:
 {

  networking.firewall = {
@ -14,7 +15,15 @@
  tinc.private.enable = true;
  tinc.private.ipv4 = "10.23.42.100";

-  tinc.secret.enable = true;
-  tinc.secret.ipv4 = "10.123.42.100";
+  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
+    ping -c 1 -W 5 ${config.tinc.private.ipv4}
+  '';
+
+  #  tinc.secret.enable = true;
+  #  tinc.secret.ipv4 = "10.123.42.100";
+  #
+  #  healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" ''
+  #    ping -c 1 -W 5 ${config.tinc.secret.ipv4}
+  #  '';

 }
--- a/machines/orbi/network-wireguard.nix
+++ b/machines/orbi/network-wireguard.nix
@ -27,6 +27,10 @@ in
    "wireguard.wg0.ip" = "10.100.0.1";
  };

+  healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
+    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
+  '';
+
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  # Enable WireGuard