nixos/modules/monitoring/server/grafana.nix

@@ -7,18 +7,9 @@
 
 let
   cfg = config.services.private-storage.monitoring.grafana;
-  grafanaAuth = if (cfg.googleOAuthClientID == "") then {
-                  anonymous.enable = true;
-                } else {
-                  google.enable = true;
-                  # Grafana considers it "sign up" to let in a user it has
-                  # never seen before.
-                  google.allowSignUp = true;
-                  google.clientSecretFile = cfg.googleOAuthClientSecretFile;
-                  google.clientId = cfg.googleOAuthClientID;
-                };
 
 in {
+
   options.services.private-storage.monitoring.grafana = {
     domains = lib.mkOption
     { type = lib.types.listOf lib.types.str;
@@ -77,6 +68,21 @@ in {
         Where to find the file that containts the slack URL.
       '';
     };
+    enableZulipAlert = lib.mkOption
+    { type = lib.types.bool;
+      default = false;
+      description = ''
+        Enables the Zulip alerter. Expects a file that contains
+        the secret Zulip Web Hook URL in grafanaZulipUrlFile (see below).
+      '';
+    };
+    grafanaZulipUrlFile = lib.mkOption
+    { type = lib.types.path;
+      default = /run/keys/grafana-zulip-url;
+      description = ''
+        Where to find the file that containts the Zulip URL.
+      '';
+    };
   };
 
   config =
@@ -90,59 +96,80 @@ in {
 
     services.grafana = {
       enable = true;
-      inherit domain; 
-      port = 2342;
-      addr = "127.0.0.1";
 
-      # No phoning home
-      analytics.reporting.enable = false;
+      settings = {
+
+        server = {
+          domain = "${toString domain}";
+          http_port = 2342;
+          http_addr = "127.0.0.1";
+
+          # Defend against DNS rebinding attacks.
+          enforce_domain = true;
 
           # Force Grafana to believe it is reachable via https on the default port
           # number because that's where the nginx that forwards traffic to it is
           # listening.  Grafana's own server listens on an internal address that
           # doesn't matter to anyone except our nginx instance.
-      rootUrl = "https://%(domain)s/";
+          root_url = "https://%(domain)s/";
+        };
+
+        # No phoning home
+        analytics.reporting_enabled = false;
 
-      extraOptions = {
-        # Defend against DNS rebinding attacks.
-        SERVER_ENFORCE_DOMAIN = "true";
         # Same time zone for all users by default
-        DATE_FORMATS_DEFAULT_TIMEZONE = "UTC";
-      };
+        date_formats.default_timezone = "UTC";
 
-      auth = {
-        anonymous.org_role = "Admin";
-        anonymous.org_name = "Main Org.";
-      } // grafanaAuth;
+        # The auth sections since NixOS 22.11 are named a bit funky with a dot in the name
+        #
+        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication
+        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/google/
+        "auth.anonymous" = lib.mkIf (cfg.googleOAuthClientID == "") {
+          enabled = true;
+          org_role = "Admin";
+          org_name = "Main Org.";
+        };
+        "auth.google" = lib.mkIf (cfg.googleOAuthClientID != "") {
+          enabled = true;
+          # Grafana considers it "sign up" to let in a user it has
+          # never seen before.
+          allow_sign_up = true;
+          client_secret = "$__file{${toString cfg.googleOAuthClientSecretFile}}";
+          client_id = cfg.googleOAuthClientID;
+        };
 
         # Give users that come through GSuite SSO the highest possible privileges:
-      users.autoAssignOrgRole = "Editor";
+        users.auto_assign_org_role = "Editor";
 
         # Read the admin password from a file in our secrets folder:
-      security.adminPasswordFile = cfg.adminPasswordFile;
+        security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
+      };
 
       provision = {
         enable = true;
         # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
-        datasources = [{
+        datasources.settings.datasources = [{
           name = "Prometheus";
           type = "prometheus";
+          uid = "LocalPrometheus";
           access = "proxy";
           url = cfg.prometheusUrl;
           isDefault = true;
         } {
           name = "Loki";
           type = "loki";
+          uid = "LocalLoki";
           access = "proxy";
           url = cfg.lokiUrl;
         }];
         # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
-        dashboards = [{
+        dashboards.settings.providers = [{
           name = "provisioned";
           options.path = ./grafana-dashboards;
         }];
-        # See https://grafana.com/docs/grafana/latest/administration/provisioning/#example-alert-notification-channels-config-file
-        notifiers = [ ] ++ (lib.optionals (cfg.enableSlackAlert) [{
+        # See https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#provision-contact-points
+        alerting.contactPoints.settings.contactPoints =
+        [ ] ++ (lib.optionals (cfg.enableSlackAlert) [{
           uid = "slack-notifier-1";
           name = "Slack";
           type = "slack";
@@ -157,12 +184,22 @@ in {
             # See https://grafana.com/docs/grafana/latest/administration/configuration/#file-provider
             url = "$__file{${toString cfg.grafanaSlackUrlFile}}";
           };
+        }]) ++ (lib.optionals (cfg.enableZulipAlert) [{
+          # See https://zulip.com/integrations/doc/grafana
+          uid = "zulip-notifier-1";
+          name = "Zulip";
+          type = "webhook";
+          is_default = true;
+          send_reminder = false;
+          settings = {
+            url = "$__file{${toString cfg.grafanaZulipUrlFile}}";
+          };
         }]);
       };
     };
 
     # nginx reverse proxy
-    security.acme.email = cfg.letsEncryptAdminEmail;
+    security.acme.defaults.email = cfg.letsEncryptAdminEmail;
     security.acme.acceptTerms = true;
     services.nginx = {
       enable = true;
@@ -180,9 +217,20 @@ in {
         enableACME = true;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
           proxyWebsockets = true;
         };
+        locations."/metrics" = {
+          # Only allow our monitoringvpn subnet
+          # And localhost since we're the monitoring server currently
+          extraConfig = ''
+            allow ${config.grid.monitoringvpnIPv4}/24;
+            allow 127.0.0.1;
+            allow ::1;
+            deny all;
+          '';
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+        };
       };
     };
 

nixos/modules/monitoring/server/prometheus.nix

@@ -10,9 +10,10 @@ let
   cfg = config.services.private-storage.monitoring.prometheus;
   dropPortNumber = {
     source_labels = [ "__address__" ];
-    regex = "^(.*):\\d+$";
+    regex = "^(.*)(?:\\.monitoringvpn):\\d+$";
     target_label = "instance";
   };
+  logRetention = toString(config.services.private-storage.monitoring.policy.logRetentionSeconds) + "s";
 
 in {
   options.services.private-storage.monitoring.prometheus = {
@@ -44,6 +45,7 @@ in {
     services.prometheus = {
       enable = true;
       # port = 9090; # Option only in recent (20.09?) nixpkgs, 9090 default
+      retentionTime = logRetention;
       scrapeConfigs = [
         {
           job_name = "node-exporters";

nixos/modules/packages.nix

 # A NixOS module which exposes custom packages to other modules.
 { pkgs, ...}:
 let
-  ourpkgs = pkgs.callPackage ../../nixos/pkgs {};
+  # Get our custom packages; either from the nixpkgs attribute added via an
+  # overlay in `morph/lib/default.nix`, or by importing them directly.
+  ourpkgs = pkgs.ourpkgs or (pkgs.callPackage ../pkgs {});
 in {
   config = {
     # Expose `nixos/pkgs` as a new module argument `ourpkgs`.

nixos/modules/restricted-service.nix

+# Provide secure defaults for systemd services
+#
+# Good reads:
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+# https://docs.arbitrary.ch/security/systemd.html
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+
+{
+  DynamicUser = true;
+
+  # This set of restrictions is mostly dervied from
+  # - running `systemd-analyze security zkap-spending-service.service`
+  # - Looking at the restrictions from the nixos nginx config.
+  AmbientCapabilities = "";
+  CapabilityBoundingSet = "";
+  LockPersonality = true;
+  MemoryDenyWriteExecute = true;
+  NoNewPrivileges = true;
+  PrivateDevices = true;
+  PrivateMounts = true;
+  PrivateNetwork = true;
+  PrivateTmp = true;
+  PrivateUsers = true;
+  ProcSubset = "pid";
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  ProtectHome = true;
+  ProtectHostname = true;
+  ProtectKernelLogs = true;
+  ProtectKernelModules = true;
+  ProtectKernelTunables = true;
+  ProtectProc = "invisible";
+  ProtectSystem = "strict";
+  RemoveIPC = true;
+  RestrictAddressFamilies = "AF_UNIX";
+  RestrictNamespaces = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  SystemCallArchitectures = "native";
+  # Lines starting with "~" are deny-list the others are allow-list
+  # Since the first line is allow, that bounds the set of allowed syscalls
+  # and the further lines restrict it.
+  SystemCallFilter = [
+    # From systemd.exec(5), @system-service is "A reasonable set of
+    # system calls used by common system [...]"
+    "@system-service"
+    # This is from the nginx config, except that `@ipc` is not removed,
+    # since twisted uses a self-pipe.
+    "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
+  ];
+  Umask = "0077";
+}

nixos/pkgs/default.nix

@@ -5,6 +5,8 @@
 #    pkgs.callPackage ./nixos/pkgs
 {buildPlatform, hostPlatform, callPackage}:
 {
+  lib = callPackage ../lib {};
+
   leasereport = callPackage ./leasereport {};
   # `privatestorage` is a derivation with a good Tahoe+ZKAP environment
   # that is exposed by ZKAPAuthorizer.

nixos/pkgs/leasereport/repo.json

@@ -2,8 +2,8 @@
   "owner": "privatestorage",
   "repo": "LeaseReport",
   "branch": "main",
-  "domain": "whetstone.privatestorage.io",
-  "rev": "3739ffde14e698f56118a444e6946edb736b6983",
+  "domain": "whetstone.private.storage",
+  "rev": "25174533c782f5e5f17aa1fa4d29e2adbdf96a08",
   "outputHashAlgo": "sha512",
-  "outputHash": "37b4hrhjghvza0bqvmngcdapqfjjjiv0gx90y0i4wvj72nf1xsh7g2kwpvjm4prpb5s7fxb50x971xfw4sqpwwsk2zdll4nbl5764ij"
+  "outputHash": "0h3yzmcizxkz2dl54b8xzbkdb1bvnqiyp8xrhjgzi59y3iq3ggss9i5cy2mbmy467ri8llnax2p2paykv29lw6c8d8zihw1qq5gv46v"
 }
\ No newline at end of file