input-output-hk · cleverca22 · May 24, 2019 · May 23, 2019 · May 23, 2019 · May 23, 2019
diff --git a/deployments/monitoring-aws.nix b/deployments/monitoring-aws.nix
@@ -0,0 +1,38 @@
+{ globals, IOHKaccessKeyId, ... }:
+
+with import ../lib.nix;
+let
+  accessKeyId = IOHKaccessKeyId;
+  nodeMap = { inherit (globals.fullMap) monitoring; };
+  monitoring = nodeMap.monitoring;
+  region = monitoring.region;
+  org = monitoring.org;
+in {
+  resources = {
+    ec2SecurityGroups = {
+      "allow-wireguard-in-${region}-${org}" = {
+        inherit region accessKeyId;
+        description = "wireguard";
+        rules = [{
+          protocol = "udp";
+          fromPort = 51820; toPort = 51820;
+          sourceIp = "0.0.0.0/0";
+        }];
+      };
+    };
+  };
+  monitoring = { resources, ... }: {
+    deployment.ec2 = {
+      securityGroups = [
+        resources.ec2SecurityGroups."allow-wireguard-in-${region}-${org}"
+        resources.ec2SecurityGroups."allow-to-monitoring-${region}"
+        resources.ec2SecurityGroups."allow-monitoring-static-peers-${region}-${org}"
+      ];
+      region         = mkForce monitoring.region;
+      accessKeyId    = monitoring.accessKeyId;
+      keyPair        = resources.ec2KeyPairs.${monitoring.keyPairName};
+    };
+  };
+
+  resources.elasticIPs = nodesElasticIPs nodeMap;
+}
diff --git a/deployments/monitoring-env-devops.nix b/deployments/monitoring-env-devops.nix
@@ -1,11 +1,42 @@
-{
+{ IOHKaccessKeyId, ... }:
+let
+  iohklib = import ../lib.nix;
+  mkUplink = iohklib.mkMkUplink {
+    central = "192.168.20.1";
+    subnet = "192.168.20";
+    # TODO, `monitoring-ip` will be wrong if monitoring isnt using an elastic ip by that name
+    endpoint = "monitoring-ip:51820";
+  };
+in {
   require = [ ./monitoring.nix ];
-  monitoring = { ... }:
+  a1 = mkUplink 10 ../static/a1.wgprivate;
+  b1 = mkUplink 11 ../static/b1.wgprivate;
+  c1 = mkUplink 12 ../static/c1.wgprivate;
+  monitoring = { lib, resources, ... }:
   {
     imports = [
       ../modules/devops.nix
     ];
+    networking.wireguard.interfaces.wg0 = {
+      peers = let
+        genPeer = n: path: {
+          allowedIPs = [ "192.168.20.${toString n}/32" ];
+          publicKey = lib.strings.removeSuffix "\n" (builtins.readFile path);
+        };
+      in [
+        (genPeer 10 ../static/a1.wgpublic)
+        (genPeer 11 ../static/b1.wgpublic)
+        (genPeer 12 ../static/c1.wgpublic)
+        { allowedIPs = [ "192.168.20.20/32" ]; publicKey = "Iv+pHGJ6uGYfrSeF3PMSlN4v6YPZF52Xr5f8teH8OEE="; } # sams mac
+        { allowedIPs = [ "192.168.21.1/32" ]; publicKey = "oycbQ1DhtRh0hhD5gpyiKTUh0USkAwbjMer6/h/aHg8="; } # michaels desktop
+      ];
+    };
 
+    services.monitoring-services.enableWireguard = true;
+    deployment.keys."monitoring.wgprivate" = {
+      destDir = "/etc/wireguard";
+      keyFile = ../static/monitoring.wgprivate;
+    };
     services.monitoring-services.applicationDashboards = ../modules/grafana/cardano;
     services.monitoring-services.applicationRules = [
       {

diff --git a/deployments/monitoring.nix b/deployments/monitoring.nix
@@ -1,16 +1,30 @@
-{ globals, ... }: with (import ./../lib.nix);
+{ globals, ... }:
+
+with import ../lib.nix;
 let
   nodeMap = { inherit (globals.fullMap) monitoring; };
   monitoring = nodeMap.monitoring;
 in
 
 {
+  # configure all machines in the cluster so they can find graylog
+  defaults = { config, lib, ... }: {
+    services.monitoring-exporters = {
+      # TODO, `monitoring-ip` will be wrong if monitoring isnt using an elastic ip by that name
+      graylogHost = "monitoring-ip:5044";
+      #graylogHost = "${config.deployment.arguments.globals.monitoringNV.name}-ip:5044";
+      ownIp = let
+        ip = config.networking.publicIPv4;
+      in if ip == null then "0.0.0.0" else ip;
+    };
+  };
   monitoring = { config, lib, pkgs, resources, nodes, ... }:
   let
+    # a list of { name=; ip=; withNginx=; } for every node in the deployment
     hostList = lib.mapAttrsToList
       (nodeName: node: {
         name = "${nodeName}.${node.config.deployment.name}";
-        ip = node.config.networking.publicIPv4;
+        ip = node.config.services.monitoring-exporters.ownIp;
         withNginx = node.config.services.nginx.enable;
       }) nodes;
     hostName = "monitoring.${config.global.dnsDomainname}";
@@ -28,6 +42,8 @@ in
       dnsHostname  = mkForce "monitoring";
     };
 
+    # add everything from hostList to /etc/hosts
+    # if a machine is using wireguard, the `services.monitoring-exporters.ownIp` will be the WG ip, and this will point to that
     networking.extraHosts = ''
       ${concatStringsSep "\n" (map (host: "${toString host.ip} ${host.name}") hostList)}
     '';
@@ -54,15 +70,5 @@ in
       pagerDuty = import ../static/pager-duty.nix;
       deadMansSnitch = import ../static/dead-mans-snitch.nix;
     };
-
-    deployment.ec2.region         = mkForce monitoring.region;
-    deployment.ec2.accessKeyId    = monitoring.accessKeyId;
-    deployment.ec2.keyPair        = resources.ec2KeyPairs.${monitoring.keyPairName};
-    deployment.ec2.securityGroups = [
-      resources.ec2SecurityGroups."allow-to-monitoring-${config.deployment.ec2.region}"
-      resources.ec2SecurityGroups."allow-monitoring-static-peers-${config.deployment.ec2.region}-${monitoring.org}"
-    ];
   };
-
-  resources.elasticIPs = nodesElasticIPs nodeMap;
 }
diff --git a/lib.nix b/lib.nix
@@ -114,6 +114,26 @@ in lib // (rec {
     then (import (./static + "/${service}-creds.nix"))
     else default;
 
+  mkMkUplink = { central, subnet, endpoint }: n: path: { lib, config, ... }: {
+    deployment.keys."uplink.wgprivate" = {
+      destDir = "/etc/wireguard";
+      keyFile = path;
+    };
+    services.monitoring-exporters = {
+      graylogHost = lib.mkForce "${central}:5044";
+      ownIp = lib.mkForce "${subnet}.${toString n}";
+    };
+    boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+    networking.wireguard.interfaces.wg0 = {
+      ips = [ "${subnet}.${toString n}/32" ];
+      listenPort = 51820;
+      privateKeyFile = "/etc/wireguard/uplink.wgprivate";
+      peers = [
+        { allowedIPs = [ "${central}/32" ]; publicKey = lib.strings.removeSuffix "\n" (builtins.readFile ./static/monitoring.wgpublic); endpoint = endpoint; }
+      ];
+    };
+  };
+
   ## nodeElasticIP :: Node -> EIP
   nodeElasticIP = node:
     { name = "${node.name}-ip";

diff --git a/modules/devops.nix b/modules/devops.nix
@@ -1,13 +1,13 @@
 { name, config, resources, ... }:
 
-with import ./../lib.nix;
+with import ../lib.nix;
 {
   config = {
 
     global = {
       allocateElasticIP = true;
       enableEkgWeb      = false;
-      dnsDomainname     = "aws.iohkdev.io";
+      dnsDomainname     = "devops.aws.iohkdev.io";
     };
 
     services = {
@@ -18,7 +18,6 @@ with import ./../lib.nix;
       monitoring-exporters.enable = true;
       monitoring-exporters.metrics = true;
       monitoring-exporters.logging = true;
-      monitoring-exporters.graylogHost = "${config.deployment.arguments.globals.monitoringNV.name}-ip:5044";
     };
   };
 }
diff --git a/modules/gen-wireguard-keys.nix b/modules/gen-wireguard-keys.nix
@@ -0,0 +1,17 @@
+{ hosts ? [ "monitoring" ] }:
+
+let
+  pkgs = import (import ../fetch-nixpkgs.nix) {};
+in pkgs.stdenv.mkDerivation {
+  name = "gen-wireguard-keys";
+  buildInputs = [ pkgs.wireguard ];
+  shellHook = ''
+    cd ${toString ../static}
+    umask 077
+    for host in ${toString hosts}; do
+      wg genkey > ''${host}.wgprivate
+      wg pubkey < ''${host}.wgprivate > ''${host}.wgpublic
+    done
+    exit 0
+  '';
+}
diff --git a/modules/monitoring-exporters.nix b/modules/monitoring-exporters.nix
@@ -59,6 +59,11 @@ in {
           Enable papertrail.
         '';
       };
+
+      ownIp = mkOption {
+        type = types.str;
+        description = "the address a remote prometheus node will use to contact this machine";
+      };
     };
   };
 

diff --git a/modules/monitoring-services.nix b/modules/monitoring-services.nix
@@ -25,6 +25,11 @@ in {
         default = true;
       };
 
+      enableWireguard = mkOption {
+        type = types.bool;
+        default = false;
+      };
+
       metrics = mkOption {
         type = types.bool;
         default = true;
@@ -244,7 +249,17 @@ in {
   };
 
   config = mkIf cfg.enable (mkMerge [
-
+    (lib.mkIf cfg.enableWireguard {
+      boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+      networking.firewall.allowedUDPPorts = [ 51820 ];
+      networking.wireguard.interfaces = {
+        wg0 = {
+          ips = [ "192.168.20.1/24" ];
+          listenPort = 51820;
+          privateKeyFile = "/etc/wireguard/monitoring.wgprivate";
+        };
+      };
+    })
     (lib.mkIf cfg.oauth.enable (let
       oauthProxyConfig = ''
         auth_request /oauth2/auth;

diff --git a/modules/test-hydra-locally.nix b/modules/test-hydra-locally.nix
@@ -0,0 +1,33 @@
+let
+  pkgsSrc = import ../fetch-nixpkgs.nix;
+  eval = import (pkgsSrc + "/nixos") {
+    configuration = cfg;
+  };
+  cfg = { lib, ... }: {
+    imports = [
+      ./hydra-master-main.nix
+      ./common.nix
+      ./hydra-slave.nix
+      ./hydra-master-common.nix
+    ];
+    virtualisation = {
+      memorySize = 2 * 1024;
+      graphics = false;
+      qemu.networkingOptions = [
+        "-net nic,netdev=user.0,model=virtio"
+        "-netdev user,id=user.0,hostfwd=tcp:127.0.0.1:8080-:80"
+      ];
+    };
+    services = {
+      mingetty.autologinUser = "root";
+      grafana.extraOptions.AUTH_GOOGLE_CLIENT_SECRET = lib.mkForce "";
+      nginx.virtualHosts."hydra.iohk.io" = {
+        forceSSL = lib.mkForce false;
+        enableACME = lib.mkForce false;
+      };
+    };
+    nixpkgs.overlays = [
+      (import ../overlays/monitoring-exporters.nix)
+    ];
+  };
+in eval.vm