blackbox

Author: randomizedcoder

hp/hp4/blackbox.nix

@@ -318,13 +318,36 @@ let
 
 in {
   # Blackbox exporter configuration
+  # systemctl status prometheus-blackbox-exporter
+  # journalctl -u  prometheus-blackbox-exporter -f -n 20
   services.prometheus.exporters.blackbox = {
     enable = true;
     port = 9115;
-    listenAddress = "::1";
+    listenAddress = "127.0.0.1";
     configFile = pkgs.writeText "blackbox.yml" (builtins.toJSON blackboxConfig);
   };
 
+  # Systemd service configuration for blackbox exporter with memory limits
+  systemd.services.prometheus-blackbox-exporter = {
+    serviceConfig = {
+      # Resource limits
+      MemoryMax = "300M";
+      MemoryHigh = "280M";
+      CPUQuota = "25%";
+      TasksMax = 100;
+
+      # Process limits
+      LimitNOFILE = 1024;
+      LimitNPROC = 50;
+
+      # Environment variable for Go memory limit (260MB = ~90% of 300MB)
+      Environment = [ "GOMEMLIMIT=260MiB" ];
+
+      # Nice priority
+      Nice = 10;
+    };
+  };
+
   # Export targets for use in prometheus.nix
   _module.args.blackboxTargets = targets;
   _module.args.wireguardTargets = flatWireguardTargets;

hp/hp4/grafana.nix

@@ -4,6 +4,7 @@
   # https://search.nixos.org/options?query=services.grafana
   # https://xeiaso.net/blog/prometheus-grafana-loki-nixos-2020-11-20/
   # https://grafana.com/grafana/dashboards/1860-node-exporter-full/
+  # https://grafana.com/grafana/dashboards/7587-prometheus-blackbox-exporter/
   services.grafana = {
     enable = true;
     #openFirewall = true; # this doesn't exist
@@ -19,6 +20,25 @@
         serve_from_sub_path = true;
         enable_gzip = true;
       };
+
+      # Security settings - set persistent admin password
+      security = {
+        admin_user = "admin";
+        admin_password = "adin";  # Change this to your desired password
+        admin_email = "admin@localhost";
+        # Disable initial admin creation to prevent password resets
+        disable_initial_admin_creation = false;
+      };
+
+      # User settings
+      users = {
+        # Allow sign up (optional - set to false for more security)
+        allow_sign_up = false;
+        # Auto assign new users to main organization
+        auto_assign_org = true;
+        # Default role for new users
+        auto_assign_org_role = "Viewer";
+      };
     };
   };
 }

hp/hp4/nginx.nix

@@ -98,6 +98,24 @@
     process.group = "smokeping";
     socket = { inherit (config.services.nginx) user group; };
   };
+
+  # Systemd service configuration for nginx with resource limits
+  systemd.services.nginx = {
+    serviceConfig = {
+      # Resource limits - moderate for web server
+      MemoryMax = "300M";
+      MemoryHigh = "250M";
+      CPUQuota = "20%";
+      TasksMax = 200;
+
+      # Process limits
+      LimitNOFILE = 65536;
+      LimitNPROC = 100;
+
+      # Nice priority
+      Nice = 10;
+    };
+  };
 }
 # {
 #   # https://nixos.wiki/wiki/Nginx

hp/hp4/pdns-recursor.nix

@@ -1,42 +1,75 @@
 { config, lib, pkgs, ... }:
 
 {
-  # PowerDNS Recursor configuration
+  # PowerDNS Recursor
   # This acts as a local DNS cache and forwards queries to 172.16.50.1
+  # sudo lsof -i :53
+  # systemctl status pdns-recursor
   services.pdns-recursor = {
     enable = true;
 
     # Bind to localhost only for security
     dns.address = [ "::1" "127.0.0.1" ];
 
     # Allow queries from localhost only
-    dns.allowFrom = [ "127.0.0.0/8" "::1/128" ];
+    dns.allowFrom = [ "::1/128" "127.0.0.0/8" ];
 
     # API configuration (for monitoring)
     api.address = "::1";
     api.port = 8082;
     api.allowFrom = [ "127.0.0.1" "::1" ];
 
-    # Forward all zones to the upstream DNS server
-    forwardZones = {
-      "." = "172.16.50.1";  # Forward all queries to upstream DNS
+    # Configure DNS settings for proper DNSSEC validation
+    settings = {
+      # Enable DNSSEC validation
+      dnssec = "validate";
+      # Set query local address to enable IPv6 for outgoing queries
+      query-local-address = "::";
+      # Disable security polling to avoid external queries
+      security-poll-suffix = "";
+      # Configure forward zones for specific domains if needed
+      # forward-zones = "example.com=172.16.50.1";
     };
 
-    # DNSSEC validation
-    dnssecValidation = "validate";
-
     # Export /etc/hosts entries
     exportHosts = true;
 
     # Serve RFC1918 reverse zones locally
     serveRFC1918 = true;
   };
 
+  # Systemd service configuration for pdns-recursor with resource limits
+  systemd.services.pdns-recursor = {
+    serviceConfig = {
+      # Resource limits - conservative for DNS service
+      MemoryMax = "100M";
+      MemoryHigh = "90M";
+      CPUQuota = "15%";
+      TasksMax = 50;
+
+      # Process limits
+      LimitNPROC = 100;
+
+      # Nice priority
+      Nice = 15;
+    };
+  };
+
   # Firewall rules for pdns-recursor
   networking.firewall.allowedUDPPorts = [ 53 ];
   networking.firewall.allowedTCPPorts = [ 53 8082 ];
 
   # Configure system to use local pdns-recursor
-  networking.nameservers = [ "::1" "127.0.0.1" ];
+  #networking.nameservers = [ "::1" "127.0.0.1" ];
+  networking.nameservers = [ "172.16.50.1" ];
   networking.resolvconf.useLocalResolver = true;
+
+  environment.etc."resolv.conf".text = ''
+    # pdns
+    nameserver ::1
+    nameserver 127.0.0.1
+    # emergency cloudflare
+    nameserver 2606:4700:4700::1111
+    nameserver 1.1.1.1
+  '';
 }

hp/hp4/prometheus.nix

@@ -158,6 +158,27 @@ in {
     ];
   };
 
+  # Systemd service configuration for Prometheus with security restrictions
+  systemd.services.prometheus = {
+    serviceConfig = {
+      # Resource limits - generous for time series storage
+      MemoryMax = "10G";
+      MemoryHigh = "9.5G";
+      CPUQuota = "50%";
+      TasksMax = 500;
+
+      # Process limits
+      LimitNOFILE = 65536;
+      LimitNPROC = 200;
+
+      # Environment variable for Go memory limit (9GB = ~90% of 10GB limit)
+      Environment = [ "GOMEMLIMIT=9GiB" ];
+
+      # Nice priority
+      Nice = 5;
+    };
+  };
+
   # Firewall rules for Prometheus
   networking.firewall.allowedTCPPorts = [ 9090 ];
 }