feat(server): setup beszel for monitoring vps's.

2025-05-20 00:29:17 +02:00 · 2025-05-20 00:29:17 +02:00 · 9a5b0770e2
commit 9a5b0770e2
parent 9a8286e43b
4 changed files with 100 additions and 0 deletions
--- a/modules/servers/general/beszel-agent.nix
+++ b/modules/servers/general/beszel-agent.nix
@ -0,0 +1,51 @@
+{pkgs, ...}: {
+  systemd.services.beszel-agent = {
+    enable = true;
+    description = "Beszel Agent";
+    after = ["network.target"];
+    wants = ["network.target"];
+
+    serviceConfig = {
+      Type = "simple";
+      Restart = "always";
+      RestartSec = 3;
+      User = "beszel";
+      Group = "beszel";
+      WorkingDirectory = "/var/lib/beszel";
+      StateDirectory = "beszel-agent";
+
+      KeyringMode = "private";
+      LockPersonality = "yes";
+      NoNewPrivileges = "yes";
+      ProtectClock = "yes";
+      ProtectHome = "read-only";
+      ProtectHostname = "yes";
+      ProtectKernelLogs = "yes";
+      ProtectSystem = "strict";
+      RemoveIPC = "yes";
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+    };
+
+    script = "${pkgs.beszel}/bin/beszel-agent -listen '45876' --key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+T3fFx+Sv8jBGr2gNUHfuwUCbGhj8Mr/h4pmkI2Zjn'";
+
+    wantedBy = ["multi-user.target"];
+  };
+
+  users = {
+    users.beszel = {
+      isSystemUser = true;
+      home = "/var/lib/beszel";
+      createHome = true;
+      group = "beszel";
+    };
+    groups.beszel = {};
+  };
+
+  networking.firewall.extraCommands = ''
+    iptables -N beszel  # create a new chain named beszel
+    iptables -A beszel --src 65.21.241.194 -j ACCEPT  # allow 65.21.241.194
+    iptables -A beszel -j DROP  # drop everyone else
+    iptables -I INPUT -m tcp -p tcp --dport 45876 -j beszel  # use chain beszel for packets coming to TCP port 45876
+  '';
+}
--- a/modules/servers/general/default.nix
+++ b/modules/servers/general/default.nix
@ -7,5 +7,6 @@
    ./podman.nix
    ./additional-pkgs.nix
    ./root.nix
+    ./beszel-agent.nix
  ];
 }
--- a/modules/servers/heimdall/beszel-hub.nix
+++ b/modules/servers/heimdall/beszel-hub.nix
@ -0,0 +1,47 @@
+{pkgs, ...}: {
+  systemd.services.beszel-hub = {
+    enable = true;
+    description = "Beszel agent";
+    after = ["network.target"];
+
+    serviceConfig = {
+      Type = "simple";
+      Restart = "always";
+      RestartSec = 3;
+      User = "beszel";
+      Group = "beszel";
+      WorkingDirectory = "/var/lib/beszel";
+    };
+
+    script = "${pkgs.beszel}/bin/beszel-hub serve --http '127.0.0.1:6789'";
+
+    wantedBy = ["multi-user.target"];
+  };
+
+  users = {
+    users.beszel = {
+      isSystemUser = true;
+      home = "/var/lib/beszel";
+      createHome = true;
+      group = "beszel";
+    };
+    groups.beszel = {};
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.beszel.loadBalancer.servers = [
+      {
+        url = "http://localhost:6789";
+      }
+    ];
+
+    routers.beszel = {
+      rule = "Host(`beszel.cronyakatsuki.xyz`)";
+      tls = {
+        certResolver = "porkbun";
+      };
+      service = "beszel";
+      entrypoints = "websecure";
+    };
+  };
+}
--- a/modules/servers/heimdall/default.nix
+++ b/modules/servers/heimdall/default.nix
@ -5,5 +5,6 @@
    ./wireguard.nix
    ./secrets.nix
    ./redlib.nix
+    ./beszel-hub.nix
  ];
 }