hectic-lab/util.nix
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(package): sentinèlla: add auth

Browse Source
This commit is contained in:
yukkop
2025-10-03 02:30:24 +00:00
parent 0eb95197bc
commit 7fd3ba46c9
10 changed files with 346 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
nixos/module/hectic/service/sentinèlla.nix Normal file
View File

@@ -0,0 +1,106 @@
{
inputs,
flake,
self,
}:
{
pkgs,
lib,
config,
...
}: let
system = pkgs.system;
cfg = config.hectic.services.server-health;
# URLS="http://..." # default: none
# VOLUMES="/ /home" # default: all from df -P
in {
options = {
hectic.services."sentinèlla" = {
probe = {
enable = lib.mkEnableOption "enable sentinèlla probe services, that provides endpoints for server status check";
urls = lib.mkOption {
type = lib.types.port;
description = ''
urls to check
'';
};
volumes = lib.mkOption {
type = lib.types.port;
description = ''
volumes to check
'';
};
port = lib.mkOption {
type = lib.types.port;
description = ''
service's port
'';
};
environmentPath = lib.mkOption {
type = lib.types.path;
example = ''
config.sops.secrets."name-of-service/environment".path
'';
description = ''
in case when you do not want show configurations in repository
```
VOLUMES=
URLS=
PORT=
```
'';
};
};
sentinel = {
enable = lib.mkEnableOption "enable sentinèlla sentinel services, that reported servers statuses based on probe polls";
environmentPath = lib.mkOption {
type = lib.types.path;
example = ''
config.sops.secrets."name-of-service/environment".path
'';
description = ''
in case when you do not want show configurations in repository
'';
};
};
};
};
config = lib.mkMerge [
(lib.mkIf cfg.probe.enable {
services.nginx.virtualHosts = {
};
systemd.services."sentinèlla-probe" = {
description = "Hectic server health check";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${self.packages.${system}.server-health}/bin/probe";
EnvironmentFile = cfg.probe.environmentPath;
Environment = (if cfg.probe.urls != null then [
"URLS=${cfg.probe.urls}"
] else []) ++ (if cfg.probe.volumes != null then [
"VOLUMES=${cfg.volumes}"
] else []) ++ (if cfg.probe.port != null then [
"PORT=${builtins.toString cfg.probe.port}"
] else []);
Restart = "always";
RestartSec = "5s";
# Shutdown configuration
TimeoutStopSec = "30s";
KillSignal = "SIGTERM";
KillMode = "mixed";
# Security and process management
RemainAfterExit = false;
StandardOutput = "journal";
StandardError = "journal";
};
};
})
(lib.mkIf cfg.sentinel.enable {
})
];
}

71
nixos/module/hectic/service/server-health.nix
View File

@@ -1,71 +0,0 @@
{
inputs,
flake,
self,
}:
{
pkgs,
lib,
config,
...
}: let
system = pkgs.system;
cfg = config.hectic.services.server-health;
# URLS="http://..." # default: none
# VOLUMES="/ /home" # default: all from df -P
in {
options = {
hectic.services.server-health = {
enable = lib.mkEnableOption "enable serverhelth services";
urls = lib.mkOption {
type = lib.types.port;
default = "5899";
description = ''
urls to check
'';
};
volumes = lib.mkOption {
type = lib.types.port;
default = "5899";
description = ''
volumes to check
'';
};
port = lib.mkOption {
type = lib.types.port;
default = "5899";
description = ''
service's port
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services."hectic-server-health" = {
description = "Hectic server health check";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${self.packages.${system}.server-health}/bin/server-health";
Environment = (if cfg.urls != null then [
"URLS=${cfg.urls}"
] else []) ++ (if cfg.volumes != null then [
"VOLUMES=${cfg.volumes}"
] else []);
Restart = "always";
RestartSec = "5s";
# Shutdown configuration
TimeoutStopSec = "30s";
KillSignal = "SIGTERM";
KillMode = "mixed";
# Security and process management
RemainAfterExit = false;
StandardOutput = "journal";
StandardError = "journal";
};
};
};
}

76
package/default.nix
View File

@@ -238,42 +238,42 @@ in {
sha256 = "sha256-atKhccp8Pr8anJUo+M9hnYkYrcgnB9SxrpmsiVusJZs="; sha256 = "sha256-atKhccp8Pr8anJUo+M9hnYkYrcgnB9SxrpmsiVusJZs=";
}; };
}; };
nvim-alias = pkgs.callPackage ./nvim-alias.nix {}; nvim-alias = pkgs.callPackage ./nvim-alias.nix {};
bolt-unpack = pkgs.callPackage ./bolt-unpack.nix {}; bolt-unpack = pkgs.callPackage ./bolt-unpack.nix {};
nvim-pager = pkgs.callPackage ./nvim-pager.nix {}; nvim-pager = pkgs.callPackage ./nvim-pager.nix {};
printobstacle = pkgs.callPackage ./printobstacle.nix {}; printobstacle = pkgs.callPackage ./printobstacle.nix {};
printprogress = pkgs.callPackage ./printprogress.nix {}; printprogress = pkgs.callPackage ./printprogress.nix {};
colorize = pkgs.callPackage ./colorize.nix {}; colorize = pkgs.callPackage ./colorize.nix {};
github-gh-tl = pkgs.callPackage ./github/gh-tl.nix {}; github-gh-tl = pkgs.callPackage ./github/gh-tl.nix {};
supabase-with-env-collection = pkgs.callPackage ./supabase-with-env-collection.nix {}; supabase-with-env-collection = pkgs.callPackage ./supabase-with-env-collection.nix {};
migration-name = pkgs.callPackage ./migration-name.nix {}; migration-name = pkgs.callPackage ./migration-name.nix {};
prettify-log = pkgs.callPackage ./prettify-log/default.nix rust.commonArgs; prettify-log = pkgs.callPackage ./prettify-log/default.nix rust.commonArgs;
pg-from = pkgs.callPackage ./postgres/pg-from/default.nix rust.commonArgs; pg-from = pkgs.callPackage ./postgres/pg-from/default.nix rust.commonArgs;
pg-schema = pkgs.callPackage ./postgres/pg-schema/default.nix rust.commonArgs; pg-schema = pkgs.callPackage ./postgres/pg-schema/default.nix rust.commonArgs;
pg_wdumpall = pkgs.callPackage ./postgres/pg_wdumpall.nix rust.commonArgs; pg_wdumpall = pkgs.callPackage ./postgres/pg_wdumpall.nix rust.commonArgs;
pg_wdump = pkgs.callPackage ./postgres/pg_wdump.nix rust.commonArgs; pg_wdump = pkgs.callPackage ./postgres/pg_wdump.nix rust.commonArgs;
pg-migration = pkgs.callPackage ./postgres/pg-migration/default.nix rust.commonArgs; pg-migration = pkgs.callPackage ./postgres/pg-migration/default.nix rust.commonArgs;
pg-17-ext-hemar = buildHemarExt pkgs "17"; slpt = pkgs.callPackage ./slpt.nix {};
pg-17-ext-http = buildHttpExt pkgs "17"; c-hectic = pkgs.callPackage ./c/hectic/default.nix {};
pg-17-ext-smtp-client = buildSmtpExt pkgs "17"; watch = pkgs.callPackage ./c/watch/default.nix {};
pg-17-ext-plhaskell = buildPlHaskellExt pkgs "17"; support-bot = pkgs.callPackage ./support-bot {};
pg-17-ext-plsh = buildPlShExt pkgs "17"; nix-derivation-hash = pkgs.callPackage ./nix-derivation-hash {};
pg-16-ext-hemar = buildHemarExt pkgs "16"; "sentinèlla" = pkgs.callPackage (./. + "/sentinèlla") {};
pg-16-ext-http = buildHttpExt pkgs "16"; shellplot = pkgs.callPackage ./shellplot {};
pg-16-ext-smtp-client = buildSmtpExt pkgs "16"; sops = pkgs.callPackage ./sops.nix {};
pg-16-ext-plhaskell = buildPlHaskellExt pkgs "16"; pg-17-ext-hemar = buildHemarExt pkgs "17";
pg-16-ext-plsh = buildPlShExt pkgs "16"; pg-17-ext-http = buildHttpExt pkgs "17";
pg-15-ext-hemar = buildHemarExt pkgs "15"; pg-17-ext-smtp-client = buildSmtpExt pkgs "17";
pg-15-ext-http = buildHttpExt pkgs "15"; pg-17-ext-plhaskell = buildPlHaskellExt pkgs "17";
pg-15-ext-smtp-client = buildSmtpExt pkgs "15"; pg-17-ext-plsh = buildPlShExt pkgs "17";
pg-15-ext-plhaskell = buildPlHaskellExt pkgs "15"; pg-16-ext-hemar = buildHemarExt pkgs "16";
pg-15-ext-plsh = buildPlShExt pkgs "15"; pg-16-ext-http = buildHttpExt pkgs "16";
slpt = pkgs.callPackage ./slpt.nix {}; pg-16-ext-smtp-client = buildSmtpExt pkgs "16";
c-hectic = pkgs.callPackage ./c/hectic/default.nix {}; pg-16-ext-plhaskell = buildPlHaskellExt pkgs "16";
watch = pkgs.callPackage ./c/watch/default.nix {}; pg-16-ext-plsh = buildPlShExt pkgs "16";
support-bot = pkgs.callPackage ./support-bot {}; pg-15-ext-hemar = buildHemarExt pkgs "15";
nix-derivation-hash = pkgs.callPackage ./nix-derivation-hash {}; pg-15-ext-http = buildHttpExt pkgs "15";
server-health = pkgs.callPackage ./server-health {}; pg-15-ext-smtp-client = buildSmtpExt pkgs "15";
shellplot = pkgs.callPackage ./shellplot {}; pg-15-ext-plhaskell = buildPlHaskellExt pkgs "15";
sops = pkgs.callPackage ./sops.nix {}; pg-15-ext-plsh = buildPlShExt pkgs "15";
} }

10
package/sentinèlla/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ writeShellScriptBin, socat, dash }:
writeShellScriptBin "server-health" ''
set +a
LOOP_FILE=${./probe-loop.sh}
socat() { ${socat}/bin/socat $@ }
dash() { ${dash}/bin/dash $@ }
set -a
${dash}/bin/dash ${./probe.sh}
''

185
package/sentinèlla/probe-loop.sh Normal file
View File

@@ -0,0 +1,185 @@
#!/bin/dash
# router.sh — POSIX sh HTTP backend (for socat)
# usage: socat -T5 -t5 TCP-LISTEN:${port},reuseaddr,fork EXEC:"sh ${currentfile}"
# Routes:
# GET /status -> check $URLS (0/0 if unset)
# GET /disk -> check $VOLUMES (all if unset)
# Env:
# URLS="http://..." # default: none
# VOLUMES="/ /home" # default: all from df -P
# TIMEOUT=5
base64() {
local mod
mod="${1:?}"
case "$mod" in
encode)
printf '%s' "${2:?}" | od -An -t u1 | tr -s ' ' | tr -d '\n' | awk '
BEGIN {
A="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
}
function dec2bin(n, r,len,pad) {
if (n==0) return "00000000"
while (n>0) {
r = (n%2) r
n = int(n/2)
}
return sprintf("%08s", r)
}
function bin2dec(s, i,d,r) {
r=0
for(i=1;i<=length(s);i++) {
d=substr(s,i,1)
r = r*2 + d
}
return r
}
function buildbin(t, r) {
for(i=1;i<=NF;i+=1) {
#printf("%s | %s\n", dec2bin($i), $i)
r = sprintf("%s%s", r, dec2bin($i))
}
return r
}
function base64(b, r,c) {
for(i=1;i<=length(b);i+=6) {
#printf("%s | %s\n", substr(b,i,6), bin2dec(substr(b,i,6)))
c = substr(A, bin2dec(substr(b,i,6))+1, 1)
r = sprintf("%s%s", r, c)
}
return r
}
{
b=buildbin($1)
l=length(b)
lack = (6 - l % 6) % 6
b = sprintf("%s%0*d", b, lack, 0)
r = base64(b)
print lack
for(i=1;i<=lack/2;i+=1) {
r = sprintf("%s=", r)
}
print r
}
'
;;
decode)
printf '%b\n' "$(printf '%s' "${2:?}" | awk ' BEGIN {
A="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
}
function dec2bin(n, r,len,pad) {
if (n==0) return "000000"
while (n>0) {
r = (n%2) r
n = int(n/2)
}
r = sprintf("%6s", r)
gsub(/ /,"0",r)
return r
}
{
for(i=1;i<=length($1);i+=1) {
b=sprintf("%s%s", b, dec2bin(index(A, substr($1,i,1))-1))
}
for(i=1; i<=length(b); i+=8){
n=0
for(j=0;j<8;j++) n = n*2 + (substr(b,i+j,1)=="1")
printf "\\x%02X", n
}
}
')"
;;
esac
}
TIMEOUT=${TIMEOUT:-5}
[ -n "$VOLUMES" ] || VOLUMES=$(df -P | awk 'NR>1{print $6}')
route_status() {
if [ -z "$URLS" ]; then
printf '{\n "checks": [],\n "summary":{"total":0,"ok":0}\n}\n'
return
fi
{
printf '{\n "checks": [\n'
first=1 okcnt=0 tot=0
for u in $URLS; do
tot=$((tot+1))
res=$(curl -sS -m "$TIMEOUT" -o /dev/null -w '%{http_code} %{time_total}' "$u" 2>/dev/null) || res="000 0"
code=${res%% *}; ttot=${res#* }
case $code in 2*|3*) ok=true; okcnt=$((okcnt+1));; *) ok=false;; esac
[ $first -eq 0 ] && printf ',\n'; first=0
printf ' {"url":"%s","code":%s,"time_s":%s,"ok":%s}' "$u" "$code" "$ttot" "$ok"
done
printf '\n ],\n "summary":{"total":%s,"ok":%s}\n}\n' "$tot" "$okcnt"
}
}
route_disk() {
{
printf '{\n "volumes": [\n'
first=1
for v in $VOLUMES; do
# POSIX df -P: Filesystem 1K-blocks Used Available Capacity Mounted on
# shellcheck disable=SC2046
set -- $(df -P "$v" 2>/dev/null | awk 'NR==2{print $2, $3, $4, $5, $6}')
size=$1 used=$2 avail=$3 usep=$4 mnt=$5
[ -z "$size" ] && continue
[ $first -eq 0 ] && printf ',\n'; first=0
printf ' {"mount":"%s","size_blocks":%s,"used":%s,"avail":%s,"use_percent":"%s"}' \
"$mnt" "$size" "$used" "$avail" "$usep"
done
printf '\n ]\n}\n'
}
}
require_auth=false
[ -n "$USER" ] && [ -n "$PASS" ] && require_auth=true
# --- read request & headers ---
IFS= read -r req || exit 0
cr=$(printf '\r')
while IFS= read -r line; do
[ -z "$line" ] && break
[ "$line" = "$cr" ] && break
case "$line" in
"Authorization: Basic "*)
tok=${line#Authorization: Basic }
tok=$(printf '%s' "$tok" | tr -d '\r\n')
expect=$(base64 encode "$USER:$PASS")
[ "$tok" = "$expect" ] && auth_ok=true
;;
esac
done
# --- auth gate ---
unauth() {
body='{"error":"unauthorized"}'
len=$(printf '%s' "$body" | wc -c | awk '{print $1}')
printf 'HTTP/1.1 401 Unauthorized\r\n'
printf 'Content-Type: application/json\r\n'
printf 'Content-Length: %s\r\n' "$len"
printf 'WWW-Authenticate: Basic realm="minimal", charset="UTF-8"\r\n'
printf 'Connection: close\r\n\r\n'
printf '%s' "$body"
}
if $require_auth && ! $auth_ok; then
unauth
exit 0
fi
tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp"' EXIT INT HUP
case "$req" in
"GET /status "*) route_status >"$tmp"; status='200 OK'; ctype='application/json' ;;
"GET /disk "*) route_disk >"$tmp"; status='200 OK'; ctype='application/json' ;;
*) printf 'Not found\n' >"$tmp"; status='404 Not Found'; ctype='text/plain' ;;
esac
len=$(wc -c <"$tmp" | awk '{print $1}')
printf 'HTTP/1.1 %s\r\nContent-Type: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' "$status" "$ctype" "$len"
cat "$tmp"

3
package/sentinèlla/probe.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/dash
socat -T5 -t5 TCP-LISTEN:"${PORT:-5988}",reuseaddr,fork EXEC:"dash $LOOP_FILE"

3
package/sentinèlla/sentinel.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/dash

4
package/server-health/default.nix
View File

@@ -1,4 +0,0 @@
{ writeShellScriptBin, socat, bash }:
writeShellScriptBin "server-health" ''
${socat}/bin/socat -T5 -t5 TCP-LISTEN:''${PORT:-5988},reuseaddr,fork EXEC:"${bash}/bin/sh ${./server-health.sh}"
''

72
package/server-health/server-health.sh
View File

@@ -1,72 +0,0 @@
#!/bin/sh
# router.sh — POSIX sh HTTP backend (for socat)
# usage: socat -T5 -t5 TCP-LISTEN:${port},reuseaddr,fork EXEC:"sh ${currentfile}"
# Routes:
# GET /status -> check $URLS (0/0 if unset)
# GET /disk -> check $VOLUMES (all if unset)
# Env:
# URLS="http://..." # default: none
# VOLUMES="/ /home" # default: all from df -P
# TIMEOUT=5
TIMEOUT=${TIMEOUT:-5}
[ -n "$VOLUMES" ] || VOLUMES=$(df -P | awk 'NR>1{print $6}')
route_status() {
if [ -z "$URLS" ]; then
printf '{\n "checks": [],\n "summary":{"total":0,"ok":0}\n}\n'
return
fi
{
printf '{\n "checks": [\n'
first=1 okcnt=0 tot=0
for u in $URLS; do
tot=$((tot+1))
res=$(curl -sS -m "$TIMEOUT" -o /dev/null -w '%{http_code} %{time_total}' "$u" 2>/dev/null) || res="000 0"
code=${res%% *}; ttot=${res#* }
case $code in 2*|3*) ok=true; okcnt=$((okcnt+1));; *) ok=false;; esac
[ $first -eq 0 ] && printf ',\n'; first=0
printf ' {"url":"%s","code":%s,"time_s":%s,"ok":%s}' "$u" "$code" "$ttot" "$ok"
done
printf '\n ],\n "summary":{"total":%s,"ok":%s}\n}\n' "$tot" "$okcnt"
}
}
route_disk() {
{
printf '{\n "volumes": [\n'
first=1
for v in $VOLUMES; do
# POSIX df -P: Filesystem 1K-blocks Used Available Capacity Mounted on
# shellcheck disable=SC2046
set -- $(df -P "$v" 2>/dev/null | awk 'NR==2{print $2, $3, $4, $5, $6}')
size=$1 used=$2 avail=$3 usep=$4 mnt=$5
[ -z "$size" ] && continue
[ $first -eq 0 ] && printf ',\n'; first=0
printf ' {"mount":"%s","size_blocks":%s,"used":%s,"avail":%s,"use_percent":"%s"}' \
"$mnt" "$size" "$used" "$avail" "$usep"
done
printf '\n ]\n}\n'
}
}
# --- read request & headers ---
IFS= read -r req || exit 0
cr=$(printf '\r')
while IFS= read -r line; do
[ -z "$line" ] && break
[ "$line" = "$cr" ] && break
done
tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp"' EXIT INT HUP
case "$req" in
"GET /status "*) route_status >"$tmp"; status='200 OK'; ctype='application/json' ;;
"GET /disk "*) route_disk >"$tmp"; status='200 OK'; ctype='application/json' ;;
*) printf 'Not found\n' >"$tmp"; status='404 Not Found'; ctype='text/plain' ;;
esac
len=$(wc -c <"$tmp" | awk '{print $1}')
printf 'HTTP/1.1 %s\r\nContent-Type: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' "$status" "$ctype" "$len"
cat "$tmp"

2
package/shellplot/shellplot.sh
View File

@@ -1,4 +1,4 @@
#!/bin/sh #!/bin/dash
# ImageMagick: scatter plot "by dots" from (x y) data # ImageMagick: scatter plot "by dots" from (x y) data
# - Input: points.txt with "x y" per line (whitespace-separated) # - Input: points.txt with "x y" per line (whitespace-separated)
# - Output: plot.png (white bg, black dots). Also draws an optional polyline through points. # - Output: plot.png (white bg, black dots). Also draws an optional polyline through points.