diff --git a/applications/acme.nix b/applications/acme.nix index 1031cf5..97aff51 100644 --- a/applications/acme.nix +++ b/applications/acme.nix @@ -27,7 +27,6 @@ in { age.secrets.acme.file = ../secrets/dns_certs.secret.age; security.acme = { - preliminarySelfsigned = false; acceptTerms = true; defaults = { diff --git a/applications/itd/splunk/module.nix b/applications/itd/splunk/module.nix new file mode 100644 index 0000000..304d29e --- /dev/null +++ b/applications/itd/splunk/module.nix @@ -0,0 +1,189 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; let + name = "splunk"; + cfg = config.services.itd."${name}"; + + package = pkgs.callPackage ./package.nix {}; +in { + imports = []; + + options.services.itd."${name}" = { + enable = mkEnableOption "ITD Splunk"; + + user = { + user = mkOption { + type = types.str; + default = "splunk"; + }; + group = mkOption { + type = types.str; + default = "splunk"; + }; + + home = mkOption { + type = types.str; + default = "/etc/itd/splunk"; + }; + }; + }; + + config = mkIf cfg.enable { + # create user and group for the program + users.groups."${cfg.user.group}" = {}; + users.users."${cfg.user.user}" = { + createHome = true; + isNormalUser = true; + home = cfg.user.home; + group = cfg.user.group; + # X11 is to ensure the directory can be traversed + homeMode = "711"; + }; + + # might not be required + networking.firewall.allowedTCPPorts = [8089]; + + # need to set access controls + systemd.tmpfiles.rules = [ + "a /var/log - - - - u:splunk:rx" + "a /var/log/auth.log - - - - u:splunk:r " + "a /var/log/messages - - - - u:splunk:r " + "a /var/log/secure - - - - u:splunk:r " + "a /var/log/audit - - - - u:splunk:rx" + "a /var/log/audit.log - - - - u:splunk:r " + "a /var/log/audit/audit.log - - - - u:splunk:r " + "a /root - - - - u:splunk:rx" + "a /root/.bash_history - - - - u:splunk:r " + "a /home/* - - - - u:splunk:rx" + "a /home/*/.bash_history - - - - u:splunk:r " + ]; + + security.auditd = { + enable = true; + settings = { + log_group = cfg.user.group; + }; + }; + + # set up the core files + systemd.services."${name}_prestart" = { + wantedBy = [ + # "gitlab.target" + ]; + partOf = [ + # "gitlab.target" + ]; + path = with pkgs; [util-linux]; + serviceConfig = { + Type = "oneshot"; + User = "root"; + Group = "root"; + # User = cfg.user.user; + # Group = cfg.user.group; + # TimeoutSec = "infinity"; + # Restart = "on-failure"; + # WorkingDirectory = "${cfg.package}/share/gitlab"; + # Slice = "system-gitlab.slice"; + RemainAfterExit = true; + ExecStart = let + # from $SPLUNK_HOME/etc/splunk-launch.conf.default + splunk_launch = pkgs.writeText "splunk-launch" '' + SPLUNK_HOME=${cfg.user.home} + SPLUNK_SERVER_NAME=SplunkForwarder + PYTHONHTTPSVERIFY=0 + PYTHONUTF8=1 + ''; + + etc_passwd = pkgs.writeText "passwd" '' + :admin:$6$XOFhpq0Y1Ul1pejO$DUkXU6xSAKYrl3nLTPFS7LJqlnWC4r97SSikjCzv7XNEG6lgP32TZHyLDY/aJs8ZYyblZ5spfmnlMvh8Lxndi/::Administrator:admin:changeme@example.com:::20329 + ''; + + deployment_client = pkgs.writeText "deploymentclient" '' + [deployment-client] + clientName = UL_client + [target-broker:deploymentServer] + targetUri = soc-deployment.heanet.ie:8089 + ''; + in + pkgs.writeShellScript "splunk-config" '' + set -o errexit -o pipefail -o nounset + shopt -s inherit_errexit + + umask u=rwx,g=rx,o= + + # start with a clean slate, it yells at ye if ye try to boot it up without doing this + rm -rf ${cfg.user.home}/* + + chmod 771 -R ${cfg.user.home} + + # pull in all relevent files + cp -f -R ${package}/* ${cfg.user.home} + + chmod 771 -R ${cfg.user.home} + chown ${cfg.user.user}:${cfg.user.group} -R ${cfg.user.home} + + # if [ ! -f ${cfg.user.home}/etc/splunk-launch.conf ]; then + export SPLUNK_HOME=${cfg.user.home} + + cp ${splunk_launch} $SPLUNK_HOME/etc/splunk-launch.conf + + cp ${etc_passwd} $SPLUNK_HOME/etc/passwd + + # ensure the dir exists + mkdir -p $SPLUNK_HOME/etc/apps/000_ul_umbrio_essentials/local/ + cp ${deployment_client} $SPLUNK_HOME/etc/apps/000_ul_umbrio_essentials/local/deploymentclient.conf + + # make sure user permissions are correct + chmod 771 -R ${cfg.user.home} + chown ${cfg.user.user}:${cfg.user.group} -R ${cfg.user.home} + + # run it to see if that works + runuser -u ${cfg.user.user} -- $SPLUNK_HOME/bin/splunk start --accept-license + + # $SPLUNK_HOME/bin/splunk enable boot-start + # /etc/systemd/system/multi-user.target.wants/SplunkForwarder.service + # fi + ''; + }; + }; + + systemd.services."${name}" = { + wantedBy = [ + ]; + requires = [ + "${name}_prestart.service" + ]; + path = with pkgs; [util-linux toybox]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + Environment = "SPLUNK_HOME=${cfg.user.home}"; + ExecStart = "${package}/bin/splunk _internal_launch_under_systemd"; + KillMode = "mixed"; + KillSignal = "SIGINT"; + TimeoutStopSec = 360; + LimitNOFILE = 65536; + LimitRTPRIO = 99; + SuccessExitStatus = "51 52"; + RestartPreventExitStatus = 51; + RestartForceExitStatus = 52; + User = cfg.user.user; + Group = cfg.user.group; + NoNewPrivileges = "yes"; + AmbientCapabilities = "CAP_DAC_READ_SEARCH"; + + # ExecStartPre=-/bin/bash -c "chown -R splunk:splunk /opt/splunkforwarder" + Delegate = "true"; + # CPUShares=1024; + # MemoryLimit=3973632000; + PermissionsStartOnly = "true"; + # ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n" + # ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n" + }; + }; + }; +} diff --git a/applications/itd/splunk/package.nix b/applications/itd/splunk/package.nix new file mode 100644 index 0000000..c5a21ef --- /dev/null +++ b/applications/itd/splunk/package.nix @@ -0,0 +1,48 @@ +{ + stdenv, + lib, + fetchurl, + gnused, + openssl, + zlib, + autoPatchelfHook, +}: +stdenv.mkDerivation rec { + pname = "splunk-forwarder"; + version = "9.1.7"; + version_long = "${version}-e17104057ef0"; + + src = fetchurl { + url = "https://download.splunk.com/products/universalforwarder/releases/${version}/linux/splunkforwarder-${version_long}-Linux-x86_64.tgz"; + hash = "sha256-EWpfenEhExe5qDscqb7ZQUwahYgAgPQ+APLlweRQAoc="; + }; + + nativeBuildInputs = [autoPatchelfHook]; + + buildInputs = [ + # alsaLib + openssl + zlib + gnused + ]; + + sourceRoot = "."; + + installPhase = '' + runHook preInstall + # gets unzipped and we just pop it all into teh output + cp -R ./splunkforwarder $out + + # Splunk is doing a crime by deciding what teh path is, need to comment out this line in /bin/pid_check.sh + # PATH=/usr/xpg4/bin:/usr/bin:/bin + find $out -type f -name "*.sh" -print0 | xargs -0 sed -i -e 's/PATH=/#PATH=/g' + + runHook postInstall + ''; + + meta = with lib; { + homepage = "https://splunk.com"; + description = "Logging Service"; + platforms = platforms.linux; + }; +} diff --git a/flake.lock b/flake.lock index 81c5faa..285b680 100644 --- a/flake.lock +++ b/flake.lock @@ -910,11 +910,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1751271578, - "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=", + "lastModified": 1756787288, + "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df", + "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1", "type": "github" }, "original": { diff --git a/machines/marvin.nix b/machines/marvin.nix index 175d61d..abb15d1 100644 --- a/machines/marvin.nix +++ b/machines/marvin.nix @@ -30,6 +30,7 @@ Notes: groups_trusted = map (x: "@${x}") groups; in { imports = [ + ../applications/itd/splunk/module.nix ]; deployment = { @@ -58,4 +59,8 @@ in { host = host; backup.enable = true; }; + + services.itd.splunk = { + enable = true; + }; }