From 92f8f69e2767679262098a46e07cde05c6d477e5 Mon Sep 17 00:00:00 2001
From: "PAEPCKE, Michael"
Date: Sun, 27 Oct 2024 11:27:53 +0000
Subject: [PATCH] nixos/opnborg: init module
---
 .../manual/release-notes/rl-2411.section.md | 2 +
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/monitoring/opnborg.nix | 104 ++++++++++++++++++
 3 files changed, 107 insertions(+)
 create mode 100644 nixos/modules/services/monitoring/opnborg.nix
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 1874a3b336f47..b6f7ab36f4bac 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -162,6 +162,8 @@ - [OpenGFW](https://github.com/apernet/OpenGFW), an implementation of the Great Firewall on Linux. Available as [services.opengfw](#opt-services.opengfw.enable). +- [OPNBorg](https://github.com/paepckehh/opnborg), a Selfhost-able OPNSense Appliance Configuration Management & Backup Portal as [service.opnborg](#opt-services.opnborg.enable). + - [Rathole](https://github.com/rapiz1/rathole), a lightweight and high-performance reverse proxy for NAT traversal. Available as [services.rathole](#opt-services.rathole.enable). - [Proton Mail bridge](https://proton.me/mail/bridge), a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. It lets you add your Proton Mail account to your favorite email client via IMAP/SMTP by creating a local email server on your computer.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 98340036f7b64..5e891a0992e06 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -912,6 +912,7 @@
 ./services/monitoring/nezha-agent.nix
 ./services/monitoring/ocsinventory-agent.nix
 ./services/monitoring/opentelemetry-collector.nix
+ ./services/monitoring/opnborg.nix
 ./services/monitoring/osquery.nix
 ./services/monitoring/parsedmarc.nix
 ./services/monitoring/prometheus/alertmanager-irc-relay.nix
diff --git a/nixos/modules/services/monitoring/opnborg.nix b/nixos/modules/services/monitoring/opnborg.nix
new file mode 100644
index 0000000000000..f62809b8b8ea8
--- /dev/null
+++ b/nixos/modules/services/monitoring/opnborg.nix
@@ -0,0 +1,104 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+let
+ cfg = config.services.opnborg;
+in
+{
+ options.services.opnborg = {
+ enable = mkEnableOption "opnborg";
+
+ user = mkOption {
+ type = types.str;
+ default = "opnborg";
+ defaultText = "opnborg";
+ description = "The local user to run OPNBorg on this computer with.";
+ };
+
+ extraOptions = mkOption {
+ type = with types; attrsOf str;
+ default = { };
+ example = ''
+ # minimal
+ "OPN_TARGETS" = "opn01.lan";
+ "OPN_APIKEY" = "+RIb6YWNdcDWMMM7W5ZYDkUvP4qx6e1r7e/Lg/Uh3aBH+veuWfKc7UvEELH/lajWtNxkOaOPjWR8uMcD";
+ "OPN_APISECRET" = "8VbjM3HKKqQW2ozOe5PTicMXOBVi9jZTSPCGfGrHp8rW6m+TeTxHyZyAI1GjERbuzjmz6jK/usMCWR/p";
+ # complex
+ "OPN_APIKEY" = "+RIb6YWNdcDWMMM7W5ZYDkUvP4qx6e1r7e/Lg/Uh3aBH+veuWfKc7UvEELH/lajWtNxkOaOPjWR8uMcD";
+ "OPN_APISECRET" = "8VbjM3HKKqQW2ozOe5PTicMXOBVi9jZTSPCGfGrHp8rW6m+TeTxHyZyAI1GjERbuzjmz6jK/usMCWR/p";
+ "OPN_TLSKEYPIN" = "8VbjM3HKKqQW2ozOe5PTicMXOBVi9jZTSPCGfGrHp8rW6m+TeTxHyZyAI1GjERbuzjmz6jK/usMCWR/p";
+ "OPN_MASTER" = "opn00.lan:8443";
+ "OPN_TARGETS_HOTSTANDBY" = "opn00.lan:8443";
+ "OPN_TARGETS_PRODUCTION" = "opn01.lan:8443,opn02.lan:8443";
+ "OPN_TARGETS_IMGURL_HOTSTANDBY" = "https://icon-library.com/images/freebsd-icon/freebsd-icon-16.jpg";
+ "OPN_TARGETS_IMGURL_PRODUCTION" = "https://icon-library.com/images/freebsd-icon/freebsd-icon-16.jpg";
+ "OPN_SLEEP" = "60";
+ "OPN_DEBUG" = "true";
+ "OPN_SYNC_PKG" = "true";
+ "OPN_HTTPD_ENABLE" = "true";
+ "OPN_HTTPD_SERVER" = "127.0.0.1:6464";
+ "OPN_HTTPD_COLOR_FG" = "white";
+ "OPN_HTTPD_COLOR_BG" = "grey";
+ "OPN_RSYSLOG_ENABLE" = "true";
+ "OPN_RSYSLOG_SERVER" = "192.168.122.1:5140";
+ "OPN_GRAFANA_WEBUI" = "http://localhost:9090";
+ "OPN_GRAFANA_DASHBOARD_FREEBSD" = "Kczn-jPZz/node-exporter-freebsd";
+ "OPN_GRAFANA_DASHBOARD_HAPROXY" = "rEqu1u5ue/haproxy-2-full";
+ "OPN_WAZUH_WEBUI" = "http://localhost:9292";
+ "OPN_PROMETHEUS_WEBUI" = "http://localhost:9191";
+ '';
+ description = ''
+ Additional setup enviroment variables
+ Details and more examples: https://github.com/paepckehh/opnborg
+ '';
+ };
+ };
+
+ config = mkIf config.services.opnborg.enable {
+ users = {
+ users = optionalAttrs (cfg.user == "opnborg") {
+ opnborg = {
+ description = "opnborg service user";
+ isSystemUser = true;
+ group = "opnborg";
+ };
+ };
+ groups = optionalAttrs (cfg.user == "opnborg") { opnborg = { }; };
+ };
+
+ environment.systemPackages = [ pkgs.opnborg ];
+
+ systemd.services.opnborg = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ description = "OPNBorg Service";
+ environment = cfg.extraOptions;
+ serviceConfig = {
+ ExecStart = "${pkgs.opnborg}/bin/opnborg";
+ KillMode = "process";
+ Restart = "always";
+ User = cfg.user;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RuntimeDirectory = "opnborg";
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
+ MemoryDenyWriteExecute = true;
+ };
+ };
+
+ };
+
+ meta.maintainers = with maintainers; [ paepcke ];
+}
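Review bot: `environment = cfg.extraOptions;` in the systemd unit turns every value into an `Environment=` line of the generated unit file, which lives in the world-readable Nix store and is also visible via `systemctl show`, yet the option's own example puts `OPN_APIKEY`, `OPN_APISECRET` and `OPN_TLSKEYPIN` there. Secrets should instead be loaded at start time through systemd's `EnvironmentFile=`, so I would add a `services.opnborg.environmentFile` option (null by default), wire it into `serviceConfig` as sketched below, and say in the `extraOptions` description that its values are not secret-safe. While here, the `example` of an `attrsOf str` option should be an attribute set (or wrapped in `lib.literalExpression`) rather than a `''` string, otherwise the manual renders it as one quoted blob, and "enviroment" in the description is a typo. `ProtectSystem = "strict"` leaves nothing persistent writable apart from `RuntimeDirectory`, so if opnborg stores its backups on disk (I cannot tell from the module) it will also need `StateDirectory = "opnborg";`, and `KillMode = "process"` looks unintended, since it leaves child processes running on stop where the default `control-group` kills them. Minor style: current nixpkgs modules avoid `with lib;`, and `mkIf config.services.opnborg.enable` can use the `cfg` binding defined just above.
```nix
    extraOptions = mkOption {
      # … unchanged: type, default, example …
      description = ''
        Additional environment variables for the service. They are written
        into the generated unit file (world-readable Nix store), so keep
        OPN_APIKEY, OPN_APISECRET and OPN_TLSKEYPIN in `environmentFile`.
        Details and more examples: https://github.com/paepckehh/opnborg
      '';
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/run/secrets/opnborg.env";
      description = ''
        File in systemd `EnvironmentFile` format holding the secret
        variables (OPN_APIKEY, OPN_APISECRET, OPN_TLSKEYPIN). It is read
        at service start and is not copied into the Nix store.
      '';
    };
  # … unchanged: end of options, users, environment.systemPackages …
      serviceConfig = {
        ExecStart = "${pkgs.opnborg}/bin/opnborg";
        EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
        # … unchanged: KillMode … MemoryDenyWriteExecute …
      };
```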