From 9a5b0770e2009f6ff0bd2c413b8fc82545fb7246 Mon Sep 17 00:00:00 2001
From: Crony Akatsuki
Date: Tue, 20 May 2025 00:29:17 +0200
Subject: [PATCH] feat(server): setup beszel for monitoring vps's.
---
 modules/servers/general/beszel-agent.nix | 51 ++++++++++++++++++++++++
 modules/servers/general/default.nix | 1 +
 modules/servers/heimdall/beszel-hub.nix | 47 ++++++++++++++++++++++
 modules/servers/heimdall/default.nix | 1 +
 4 files changed, 100 insertions(+)
 create mode 100644 modules/servers/general/beszel-agent.nix
 create mode 100644 modules/servers/heimdall/beszel-hub.nix
diff --git a/modules/servers/general/beszel-agent.nix b/modules/servers/general/beszel-agent.nix
new file mode 100644
index 0000000..4fbbd0f
--- /dev/null
+++ b/modules/servers/general/beszel-agent.nix
@@ -0,0 +1,51 @@
+{pkgs, ...}: {
+ systemd.services.beszel-agent = {
+ enable = true;
+ description = "Beszel Agent";
+ after = ["network.target"];
+ wants = ["network.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ RestartSec = 3;
+ User = "beszel";
+ Group = "beszel";
+ WorkingDirectory = "/var/lib/beszel";
+ StateDirectory = "beszel-agent";
+
+ KeyringMode = "private";
+ LockPersonality = "yes";
+ NoNewPrivileges = "yes";
+ ProtectClock = "yes";
+ ProtectHome = "read-only";
+ ProtectHostname = "yes";
+ ProtectKernelLogs = "yes";
+ ProtectSystem = "strict";
+ RemoveIPC = "yes";
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ };
+
+ script = "${pkgs.beszel}/bin/beszel-agent -listen '45876' --key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+T3fFx+Sv8jBGr2gNUHfuwUCbGhj8Mr/h4pmkI2Zjn'";
+
+ wantedBy = ["multi-user.target"];
+ };
+
+ users = {
+ users.beszel = {
+ isSystemUser = true;
+ home = "/var/lib/beszel";
+ createHome = true;
+ group = "beszel";
+ };
+ groups.beszel = {};
+ };
+
+ networking.firewall.extraCommands = ''
+ iptables -N beszel # create a new chain named beszel
+ iptables -A beszel --src 65.21.241.194 -j ACCEPT # allow 65.21.241.194
+ iptables -A beszel -j DROP # drop everyone else
+ iptables -I INPUT -m tcp -p tcp --dport 45876 -j beszel # use chain beszel for packets coming to TCP port 45876
+ '';
+}
diff --git a/modules/servers/general/default.nix b/modules/servers/general/default.nix
index f6005fe..7645c87 100644
--- a/modules/servers/general/default.nix
+++ b/modules/servers/general/default.nix
@@ -7,5 +7,6 @@
 ./podman.nix
 ./additional-pkgs.nix
 ./root.nix
+ ./beszel-agent.nix
 ];
 }
diff --git a/modules/servers/heimdall/beszel-hub.nix b/modules/servers/heimdall/beszel-hub.nix
new file mode 100644
index 0000000..0504331
--- /dev/null
+++ b/modules/servers/heimdall/beszel-hub.nix
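Review bot: The `beszel` chain created in `networking.firewall.extraCommands` is never torn down, so every firewall restart or `nixos-rebuild switch` re-runs `iptables -N beszel` against an existing chain and inserts one more `INPUT` jump; if the generated start script runs with `-e` (which I believe it does, but cannot see here) the failed `-N` aborts it before the NixOS rules are attached. The matching `networking.firewall.extraStopCommands` below makes start/stop idempotent; note as well that `extraCommands` is only honoured by the iptables backend, so this module conflicts with `networking.nftables.enable` if that is set elsewhere in the config. `StateDirectory = "beszel-agent"` provisions `/var/lib/beszel-agent` while `WorkingDirectory` and the user's home point at `/var/lib/beszel`; under `ProtectSystem = "strict"` only the former is writable, so confirm which path the agent actually writes to before relying on the hardening. A one-line comment on the `--src` rule naming that address as the heimdall hub would make the coupling to `beszel-hub.nix` explicit instead of repeating the IP in the trailing comment.

```nix
  # … unchanged: systemd.services.beszel-agent, users, extraCommands …
  networking.firewall.extraStopCommands = ''
    iptables -D INPUT -m tcp -p tcp --dport 45876 -j beszel 2>/dev/null || true
    iptables -F beszel 2>/dev/null || true
    iptables -X beszel 2>/dev/null || true
  '';
```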
@@ -0,0 +1,47 @@
+{pkgs, ...}: {
+ systemd.services.beszel-hub = {
+ enable = true;
+ description = "Beszel agent";
+ after = ["network.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ RestartSec = 3;
+ User = "beszel";
+ Group = "beszel";
+ WorkingDirectory = "/var/lib/beszel";
+ };
+
+ script = "${pkgs.beszel}/bin/beszel-hub serve --http '127.0.0.1:6789'";
+
+ wantedBy = ["multi-user.target"];
+ };
+
+ users = {
+ users.beszel = {
+ isSystemUser = true;
+ home = "/var/lib/beszel";
+ createHome = true;
+ group = "beszel";
+ };
+ groups.beszel = {};
+ };
+
+ services.traefik.dynamicConfigOptions.http = {
+ services.beszel.loadBalancer.servers = [
+ {
+ url = "http://localhost:6789";
+ }
+ ];
+
+ routers.beszel = {
+ rule = "Host(`beszel.cronyakatsuki.xyz`)";
+ tls = {
+ certResolver = "porkbun";
+ };
+ service = "beszel";
+ entrypoints = "websecure";
+ };
+ };
+}
diff --git a/modules/servers/heimdall/default.nix b/modules/servers/heimdall/default.nix
index d140b92..bf6c3e7 100644
--- a/modules/servers/heimdall/default.nix
+++ b/modules/servers/heimdall/default.nix
@@ -5,5 +5,6 @@
 ./wireguard.nix
 ./secrets.nix
 ./redlib.nix
+ ./beszel-hub.nix
 ];
 }
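Review bot: `description = "Beszel agent"` on the hub unit is a copy-paste from the agent module and should read `description = "Beszel Hub";`. The hub's `serviceConfig` also drops every hardening directive the agent unit sets (`NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `LockPersonality`, ...) even though this is the half exposed through Traefik on a public host name; I would carry the same set over together with a `StateDirectory`, since the hub keeps a database that must stay writable under `ProtectSystem = "strict"` — where it writes relative to `WorkingDirectory` is not visible in this hunk, so confirm the path before tightening. In the Traefik router, `entrypoints = "websecure"` is a bare string where Traefik documents `entryPoints` as a list; if the repo's other routers use this spelling and work, keep it for consistency, otherwise `entryPoints = ["websecure"];` is the documented form. The `users`/`groups.beszel` block is repeated verbatim from `beszel-agent.nix`; the definitions merge cleanly if both modules land on one host, but a shared module would keep the two from drifting.

```nix
    serviceConfig = {
      # … unchanged: Type, Restart, RestartSec, User, Group, WorkingDirectory …
      StateDirectory = "beszel"; # keeps /var/lib/beszel writable under ProtectSystem=strict — confirm the hub's data dir
      KeyringMode = "private";
      LockPersonality = "yes";
      NoNewPrivileges = "yes";
      ProtectClock = "yes";
      ProtectHome = "read-only";
      ProtectHostname = "yes";
      ProtectKernelLogs = "yes";
      ProtectSystem = "strict";
      RemoveIPC = "yes";
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
    };
```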