Skynet/nixos
7
1
Fork 0
Code Issues 45 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: Skynet:main
Branches Tags
Skynet:main
Skynet:2025_committee_agm
Skynet:#142_install-splunk
Skynet:#139_more-runners
Skynet:test-nixos-pelican
Skynet:#76-Nuked-Backup
Skynet:#70-logging-dns
Skynet:#56-external-dns
Skynet:#52-dns-for-non-nixos
Skynet:second-interface-routing
Skynet:add_automx2
...
pull from: Skynet:#142_install-splunk
Branches Tags
Skynet:main
Skynet:2025_committee_agm
Skynet:#142_install-splunk
Skynet:#139_more-runners
Skynet:test-nixos-pelican
Skynet:#76-Nuked-Backup
Skynet:#70-logging-dns
Skynet:#56-external-dns
Skynet:#52-dns-for-non-nixos
Skynet:second-interface-routing
Skynet:add_automx2
Sign in to create a new pull request.

9 commits
main ... #142_insta

Author SHA1 Message Date
Brendan Golden
a3b9d89b1a
fmt: formatted 2025-09-05 22:45:32 +01:00
Brendan Golden
1fa89834d0
feat: enabled auditd 2025-09-05 22:35:09 +01:00
Brendan Golden
0075fca986
feat: needed to update nixpkgs to gain access to `security.auditd.settings`. 2025-09-05 22:30:33 +01:00
Brendan Golden
534dabca19
feat: set ACL's 2025-09-05 22:27:35 +01:00
Brendan Golden
f47e95c61d
fix: service no longer stalling 
CPUShares and MemoryLimit are depricated
Sep 05 20:30:42 marvin systemd[1]: /etc/systemd/system/splunk.service:9: Unit uses CPUShares=; please use CPUWeight= instead. Support for CPUShares= will be removed soon.
Sep 05 20:30:42 marvin systemd[1]: /etc/systemd/system/splunk.service:18: Unit uses MemoryLimit=; please use MemoryMax= instead. Support for MemoryLimit= will be removed soon.
 2025-09-05 22:27:35 +01:00
Brendan Golden
b742a09c43
fix: move the fixing of the path to the package and not teh module 2025-09-05 22:27:35 +01:00
Brendan Golden
f8826c5d2f
dbg: using marvin to test out teh new logging 
(slightly depressing)
 2025-09-05 22:27:35 +01:00
Brendan Golden
d2712117e5
feat: module in current state, not fully complete yet but working well enough 2025-09-05 22:27:35 +01:00
Brendan Golden
2c5938437d
feat: packaged up the main application 2025-09-05 22:27:35 +01:00
5 changed files with 245 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
applications/acme.nix
View file

@ -27,7 +27,6 @@ in {
age.secrets.acme.file = ../secrets/dns_certs.secret.age;
security.acme = {
preliminarySelfsigned = false;
acceptTerms = true;
defaults = {

189
applications/itd/splunk/module.nix Normal file
View file

@ -0,0 +1,189 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
name = "splunk";
cfg = config.services.itd."${name}";
package = pkgs.callPackage ./package.nix {};
in {
imports = [];
options.services.itd."${name}" = {
enable = mkEnableOption "ITD Splunk";
user = {
user = mkOption {
type = types.str;
default = "splunk";
};
group = mkOption {
type = types.str;
default = "splunk";
};
home = mkOption {
type = types.str;
default = "/etc/itd/splunk";
};
};
};
config = mkIf cfg.enable {
# create user and group for the program
users.groups."${cfg.user.group}" = {};
users.users."${cfg.user.user}" = {
createHome = true;
isNormalUser = true;
home = cfg.user.home;
group = cfg.user.group;
# X11 is to ensure the directory can be traversed
homeMode = "711";
};
# might not be required
networking.firewall.allowedTCPPorts = [8089];
# need to set access controls
systemd.tmpfiles.rules = [
"a /var/log - - - - u:splunk:rx"
"a /var/log/auth.log - - - - u:splunk:r "
"a /var/log/messages - - - - u:splunk:r "
"a /var/log/secure - - - - u:splunk:r "
"a /var/log/audit - - - - u:splunk:rx"
"a /var/log/audit.log - - - - u:splunk:r "
"a /var/log/audit/audit.log - - - - u:splunk:r "
"a /root - - - - u:splunk:rx"
"a /root/.bash_history - - - - u:splunk:r "
"a /home/* - - - - u:splunk:rx"
"a /home/*/.bash_history - - - - u:splunk:r "
];
security.auditd = {
enable = true;
settings = {
log_group = cfg.user.group;
};
};
# set up the core files
systemd.services."${name}_prestart" = {
wantedBy = [
# "gitlab.target"
];
partOf = [
# "gitlab.target"
];
path = with pkgs; [util-linux];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
# User = cfg.user.user;
# Group = cfg.user.group;
# TimeoutSec = "infinity";
# Restart = "on-failure";
# WorkingDirectory = "${cfg.package}/share/gitlab";
# Slice = "system-gitlab.slice";
RemainAfterExit = true;
ExecStart = let
# from $SPLUNK_HOME/etc/splunk-launch.conf.default
splunk_launch = pkgs.writeText "splunk-launch" ''
SPLUNK_HOME=${cfg.user.home}
SPLUNK_SERVER_NAME=SplunkForwarder
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
'';
etc_passwd = pkgs.writeText "passwd" ''
:admin:$6$XOFhpq0Y1Ul1pejO$DUkXU6xSAKYrl3nLTPFS7LJqlnWC4r97SSikjCzv7XNEG6lgP32TZHyLDY/aJs8ZYyblZ5spfmnlMvh8Lxndi/::Administrator:admin:changeme@example.com:::20329
'';
deployment_client = pkgs.writeText "deploymentclient" ''
[deployment-client]
clientName = UL_client
[target-broker:deploymentServer]
targetUri = soc-deployment.heanet.ie:8089
'';
in
pkgs.writeShellScript "splunk-config" ''
set -o errexit -o pipefail -o nounset
shopt -s inherit_errexit
umask u=rwx,g=rx,o=
# start with a clean slate, it yells at ye if ye try to boot it up without doing this
rm -rf ${cfg.user.home}/*
chmod 771 -R ${cfg.user.home}
# pull in all relevent files
cp -f -R ${package}/* ${cfg.user.home}
chmod 771 -R ${cfg.user.home}
chown ${cfg.user.user}:${cfg.user.group} -R ${cfg.user.home}
# if [ ! -f ${cfg.user.home}/etc/splunk-launch.conf ]; then
export SPLUNK_HOME=${cfg.user.home}
cp ${splunk_launch} $SPLUNK_HOME/etc/splunk-launch.conf
cp ${etc_passwd} $SPLUNK_HOME/etc/passwd
# ensure the dir exists
mkdir -p $SPLUNK_HOME/etc/apps/000_ul_umbrio_essentials/local/
cp ${deployment_client} $SPLUNK_HOME/etc/apps/000_ul_umbrio_essentials/local/deploymentclient.conf
# make sure user permissions are correct
chmod 771 -R ${cfg.user.home}
chown ${cfg.user.user}:${cfg.user.group} -R ${cfg.user.home}
# run it to see if that works
runuser -u ${cfg.user.user} -- $SPLUNK_HOME/bin/splunk start --accept-license
# $SPLUNK_HOME/bin/splunk enable boot-start
# /etc/systemd/system/multi-user.target.wants/SplunkForwarder.service
# fi
'';
};
};
systemd.services."${name}" = {
wantedBy = [
];
requires = [
"${name}_prestart.service"
];
path = with pkgs; [util-linux toybox];
serviceConfig = {
Type = "simple";
Restart = "always";
Environment = "SPLUNK_HOME=${cfg.user.home}";
ExecStart = "${package}/bin/splunk _internal_launch_under_systemd";
KillMode = "mixed";
KillSignal = "SIGINT";
TimeoutStopSec = 360;
LimitNOFILE = 65536;
LimitRTPRIO = 99;
SuccessExitStatus = "51 52";
RestartPreventExitStatus = 51;
RestartForceExitStatus = 52;
User = cfg.user.user;
Group = cfg.user.group;
NoNewPrivileges = "yes";
AmbientCapabilities = "CAP_DAC_READ_SEARCH";
# ExecStartPre=-/bin/bash -c "chown -R splunk:splunk /opt/splunkforwarder"
Delegate = "true";
# CPUShares=1024;
# MemoryLimit=3973632000;
PermissionsStartOnly = "true";
# ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n"
# ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n"
};
};
};
}

48
applications/itd/splunk/package.nix Normal file
View file

@ -0,0 +1,48 @@
{
stdenv,
lib,
fetchurl,
gnused,
openssl,
zlib,
autoPatchelfHook,
}:
stdenv.mkDerivation rec {
pname = "splunk-forwarder";
version = "9.1.7";
version_long = "${version}-e17104057ef0";
src = fetchurl {
url = "https://download.splunk.com/products/universalforwarder/releases/${version}/linux/splunkforwarder-${version_long}-Linux-x86_64.tgz";
hash = "sha256-EWpfenEhExe5qDscqb7ZQUwahYgAgPQ+APLlweRQAoc=";
};
nativeBuildInputs = [autoPatchelfHook];
buildInputs = [
# alsaLib
openssl
zlib
gnused
];
sourceRoot = ".";
installPhase = ''
runHook preInstall
# gets unzipped and we just pop it all into teh output
cp -R ./splunkforwarder $out
# Splunk is doing a crime by deciding what teh path is, need to comment out this line in /bin/pid_check.sh
# PATH=/usr/xpg4/bin:/usr/bin:/bin
find $out -type f -name "*.sh" -print0 | xargs -0 sed -i -e 's/PATH=/#PATH=/g'
runHook postInstall
'';
meta = with lib; {
homepage = "https://splunk.com";
description = "Logging Service";
platforms = platforms.linux;
};
}

6
flake.lock generated
View file

@ -910,11 +910,11 @@
},
"nixpkgs_7": {
"locked": {
"lastModified": 1751271578,
"narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
"lastModified": 1756787288,
"narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
"rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
"type": "github"
},
"original": {

5
machines/marvin.nix
View file

@ -30,6 +30,7 @@ Notes:
groups_trusted = map (x: "@${x}") groups;
in {
imports = [
../applications/itd/splunk/module.nix
];
deployment = {
@ -58,4 +59,8 @@ in {
host = host;
backup.enable = true;
};
services.itd.splunk = {
enable = true;
};
}