feat: sentinella: some

2026-04-27 12:58:36 +00:00
parent 50d682d6f7
commit 0dfbee6472
6 changed files with 112 additions and 53 deletions
--- a/nixos/module/hectic/service/sentinèlla.nix
+++ b/nixos/module/hectic/service/sentinèlla.nix
@@ -10,17 +10,15 @@
  ...
 }: let
  system = pkgs.stdenv.hostPlatform.system;
-  cfg = config.hectic.services."sentinèlla";
+  cfg    = config.hectic.services."sentinèlla";
+
+  probePort = 5988;
+  peersDns  = "peers.sentinella.hectic-lab.com";
 in {
  options = {
    hectic.services."sentinèlla" = {
      probe = {
        enable = lib.mkEnableOption "sentinèlla probe — HTTP server exposing this node's health";
-        port = lib.mkOption {
-          type    = lib.types.port;
-          default = 5988;
-          description = "TCP port the probe listens on.";
-        };
        urls = lib.mkOption {
          type    = with lib.types; listOf str;
          default = [];
@@ -52,16 +50,6 @@ in {

      watcher = {
        enable = lib.mkEnableOption "sentinèlla watcher — polls peers discovered via DNS and sends Telegram alerts";
-        peersDns = lib.mkOption {
-          type    = lib.types.str;
-          example = "peers.sentinella.com";
-          description = ''
-            DNS name with multiple A records, one per peer node.
-            Configure externally (e.g. Cloudflare) with TTL 60:
-              peers.sentinella.com  A  1.2.3.4
-              peers.sentinella.com  A  5.6.7.8
-          '';
-        };
        self = lib.mkOption {
          type    = with lib.types; nullOr str;
          default = null;
@@ -73,11 +61,6 @@ in {
            has a floating IP that hostname -I does not report correctly.
          '';
        };
-        peersPort = lib.mkOption {
-          type    = lib.types.port;
-          default = 5988;
-          description = "Port all peer probes listen on.";
-        };
        peersScheme = lib.mkOption {
          type    = lib.types.str;
          default = "http";
@@ -125,6 +108,13 @@ in {

  config = lib.mkMerge [
    (lib.mkIf cfg.probe.enable {
+      networking.firewall = {
+        enable = true;
+        allowedTCPPorts = [
+          probePort     
+        ];
+      };
+
      systemd.services."sentinella-probe" = {
        description = "sentinèlla probe — node health HTTP server";
        after       = [ "network.target" ];
@@ -142,7 +132,7 @@ in {
            StandardOutput  = "journal";
            StandardError   = "journal";
            Environment = lib.filter (s: s != "") [
-              "PORT=${builtins.toString cfg.probe.port}"
+              "PORT=${builtins.toString probePort}"
              (lib.optionalString (cfg.probe.urls    != []) "URLS=${lib.concatStringsSep " " cfg.probe.urls}")
              (lib.optionalString (cfg.probe.volumes != []) "VOLUMES=${lib.concatStringsSep " " cfg.probe.volumes}")
              (lib.optionalString (cfg.probe.authFile != null) "AUTH_FILE=${cfg.probe.authFile}")
@@ -178,9 +168,9 @@ in {
            StandardError   = "journal";
            StateDirectory  = "sentinella";
            Environment = lib.filter (s: s != "") [
-              "PEERS_DNS=${cfg.watcher.peersDns}"
-              (lib.optionalString (cfg.watcher.self     != null) "SELF=${cfg.watcher.self}")
-              "PEERS_PORT=${builtins.toString cfg.watcher.peersPort}"
+              "PEERS_DNS=${peersDns}"
+              (lib.optionalString (cfg.watcher.self != null) "SELF=${cfg.watcher.self}")
+              "PEERS_PORT=${builtins.toString probePort}"
              "PEERS_SCHEME=${cfg.watcher.peersScheme}"
              "POLLING_INTERVAL_SEC=${builtins.toString cfg.watcher.pollingIntervalSec}"
              "STATE_DIR=/var/lib/sentinella"
--- a/nixos/system/hectic-lab/hectic-lab.nix
+++ b/nixos/system/hectic-lab/hectic-lab.nix
@@ -100,12 +100,12 @@ in {
    ];
  };

-  sops.secrets."mailserver/security/hashedPassword"     = {};
-  sops.secrets."mailserver/yukkop/hashedPassword"       = {};
+  sops.secrets."mailserver/security/hashedPassword"      = {};
+  sops.secrets."mailserver/yukkop/hashedPassword"        = {};
  sops.secrets."mailserver/daniil-perlyk/hashedPassword" = {};
-  sops.secrets."mailserver/snuff/hashedPassword"        = {};
-  sops.secrets."mailserver/antoshka/hashedPassword"     = {};
-  sops.secrets."mailserver/founders/hashedPassword"     = {};
+  sops.secrets."mailserver/snuff/hashedPassword"         = {};
+  sops.secrets."mailserver/antoshka/hashedPassword"      = {};
+  sops.secrets."mailserver/founders/hashedPassword"      = {};

  services.mailserver = {
    enable = true;
--- a/nixos/system/hectic-lab/sentinèlla.nix
+++ b/nixos/system/hectic-lab/sentinèlla.nix
@@ -5,19 +5,12 @@
  domain,
  sslOpts,
  ...
-}: { ... }: let
-  port = 5869;
-in {
+}: { ... }: {
  hectic.services."sentinèlla" = {
-    probe = {
-      enable = true;
-      inherit port;
-    };
+    probe.enable = true;
    watcher = {
-      enable              = true;
-      peersDns            = "peers.${domain}";
-      peersPort           = port;
-      pollingIntervalSec  = 60;
+      enable             = true;
+      pollingIntervalSec = 60;
      # TG_TOKEN= and TG_CHAT_ID= are read from sus/sentinella-default.yaml
      # (auto-declared by the module as sops.secrets."sentinèlla/watcher/environment")
    };
@@ -27,7 +20,7 @@ in {
    virtualHosts."probe.${domain}" = sslOpts // {
      forceSSL = true;
      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyPass = "http://127.0.0.1:5988";
      };
    };
  };