add teslamate logger

flake.nix

@@ -37,6 +37,9 @@
 
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "unstable";
+
+    teslamate.url = "github:teslamate-org/teslamate/v1.30.1";
+    teslamate.inputs.nixpkgs.follows = "unstable";
   };
 
   outputs = inputs @ {

home/graphical/default.nix

@@ -16,7 +16,7 @@ in {
   ];
 
   home.packages = with unstable-pkgs; [
-    (pkgs.wrapFirefox (pkgs.firefox-devedition-unwrapped.override {pipewireSupport = true;}) {})
+    (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override {pipewireSupport = true;}) {})
     ungoogled-chromium
   ];
 

nixos/teslamate/default.nix

@@ -0,0 +1,153 @@
+{
+  pkgs,
+  system,
+  config,
+  inputs,
+  ...
+}: let
+  inherit (pkgs.lib) getExe;
+
+  port = "33005";
+  pkg =
+    inputs.teslamate.packages.${system}.default;
+
+  psql-init = pkgs.writeText "teslamate-psql-init" ''
+    CREATE USER teslamate with encrypted password '@@DB_PASSWORD@@';
+    GRANT ALL PRIVILEGES ON DATABASE teslamate TO teslamate;
+    ALTER USER teslamate WITH SUPERUSER;
+  '';
+in {
+  services.caddy.virtualHosts."tesla.stu-dev.me".extraConfig = ''
+    handle_path /.well-known/appspecific/* {
+      root * ${../../public/tesla}
+      file_server
+    }
+
+    handle {
+      basicauth {
+        stu $2a$14$qXVRhoHBZH38GNhbNcmHsOg8eJeDzgFmDuMAj.7wNzNG7qCDvdoEq
+      }
+      reverse_proxy :${port}
+    }
+  '';
+
+  age.secrets.teslamateEnv = {
+    file = ../../secrets/teslamate.env;
+    owner = "teslamate";
+    group = "teslamate";
+  };
+
+  users.users.teslamate = {
+    isSystemUser = true;
+    group = "teslamate";
+    home = "/var/lib/teslamate";
+    createHome = true;
+  };
+  users.groups.teslamate = {};
+
+  services.mosquitto = {
+    enable = true;
+    listeners = [
+      {
+        address = "127.0.0.1";
+        acl = ["pattern readwrite #"];
+        omitPasswordAuth = true;
+        settings.allow_anonymous = true;
+      }
+    ];
+  };
+
+  services.postgresql.ensureDatabases = ["teslamate"];
+
+  systemd.services."postgresql-teslamate-setup" = {
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+    };
+
+    requiredBy = ["teslamate.service"];
+    after = ["postgresql.service"];
+
+    path = with pkgs; [postgresql_16 replace-secret];
+
+    serviceConfig = {
+      RuntimeDirectory = "postgresql-setup";
+      RuntimeDirectoryMode = "700";
+      EnvironmentFile = config.age.secrets.teslamateEnv.path;
+    };
+
+    script = ''
+      # set bash options for early fail and error output
+      set -o errexit -o pipefail -o nounset -o errtrace -o xtrace
+      shopt -s inherit_errexit
+
+      install --mode 600 ${psql-init} ''$RUNTIME_DIRECTORY/init.sql
+      sed -i "s/@@DB_PASSWORD@@/$DATABASE_PASS/" ''$RUNTIME_DIRECTORY/init.sql
+
+      # run filled SQL template
+      psql teslamate --file "''$RUNTIME_DIRECTORY/init.sql"
+
+      rm $RUNTIME_DIRECTORY/init.sql
+    '';
+  };
+
+  systemd.services.teslamate = {
+    description = "TeslaMate";
+    after = ["network.target" "postgresql.service" "postgresql-teslamate-setup.service"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      User = "teslamate";
+      Restart = "on-failure";
+      RestartSec = 5;
+
+      WorkingDirectory = "/var/lib/teslamate";
+
+      ExecStartPre = ''${getExe pkg} eval "TeslaMate.Release.migrate"'';
+      ExecStart = "${getExe pkg} start";
+      ExecStop = "${getExe pkg} stop";
+
+      EnvironmentFile = config.age.secrets.teslamateEnv.path;
+    };
+
+    environment = {
+      PORT = port;
+      DATABASE_USER = "teslamate";
+      DATABASE_NAME = "teslamate";
+      DATABASE_HOST = "127.0.0.1";
+      DATABASE_PORT = "5432";
+      VIRTUAL_HOST = "tesla.stu-dev.me";
+      URL_PATH = "/";
+      HTTP_BINDING_ADDRESS = "127.0.0.1";
+      MQTT_HOST = "127.0.0.1";
+      MQTT_PORT = "1883";
+      CHECK_ORIGIN = "true";
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [4488];
+  };
+
+  virtualisation.oci-containers.containers.fleet-telemetry = {
+    image = "tesla/fleet-telemetry:v0.3.0";
+
+    volumes = [
+      "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tesla.stu-dev.me:/certs"
+      "${./telemetry-config.json}:/etc/fleet-telemetry/config.json"
+    ];
+
+    extraOptions = ["--network=host"];
+  };
+
+  services.apache-kafka = {
+    enable = true;
+    settings = {
+      "log.dirs" = ["/var/lib/kafka"];
+      "zookeeper.connect" = "127.0.0.1:${builtins.toString config.services.zookeeper.port}";
+    };
+  };
+
+  services.zookeeper = {
+    enable = true;
+  };
+}

nixos/teslamate/telemetry-config.json

@@ -0,0 +1,37 @@
+{
+  "host": "0.0.0.0",
+  "port": 4488,
+  "log_level": "info",
+  "json_log_enable": true,
+  "namespace": "tesla",
+  "reliable_ack": true,
+  "monitoring": {
+    "prometheus_metrics_port": 33007
+  },
+  "kafka": {
+    "bootstrap.servers": "127.0.0.1:9092",
+    "queue.buffering.max.messages": 1000000
+  },
+  "rate_limit": {
+    "enabled": true,
+    "message_interval_time": 30,
+    "message_limit": 1000
+  },
+  "records": {
+    "alerts": [
+      "logger"
+    ],
+    "errors": [
+      "logger"
+    ],
+    "V": [
+      "logger",
+      "kafka"
+    ]
+  },
+  "tls": {
+    "server_cert": "/certs/tesla.stu-dev.me.crt",
+    "server_key": "/certs/tesla.stu-dev.me.key"
+  },
+  "ca": "-----BEGIN CERTIFICATE-----\nMIIDgTCCAwagAwIBAgISBJSPJKA4ZoqbvMPBNWV7Dtd1MAoGCCqGSM49BAMDMDIx\nCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF\nNTAeFw0yNDA3MTkxMjE0MDJaFw0yNDEwMTcxMjE0MDFaMBsxGTAXBgNVBAMTEHRl\nc2xhLnN0dS1kZXYubWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARMwMWrSH9I\nLK5CiOpbvTHctiUSK9vf4FnQdwcMKLXiNopnKHa2hRw0LNrHTqD38Zn19UT80CRn\ntnPn7MH57Pj4o4ICETCCAg0wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsG\nAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGgGcUByV+\nwzY08fvILylMYWHbSjAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBV\nBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9y\nZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAbBgNVHREEFDAS\nghB0ZXNsYS5zdHUtZGV2Lm1lMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBAwYKKwYB\nBAHWeQIEAgSB9ASB8QDvAHUAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4\nZG4AAAGQyyDLRQAABAMARjBEAiBRVNMiaqzqi9MF8hiz2rjeD63+B05OArjKMCpz\ntXE9JAIgRf6UuOBPAZEpp8MdpV2vwjFkL0pk9rm5f6tVMHoEOpkAdgDuzdBk1dsa\nzsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAZDLIMtLAAAEAwBHMEUCIE3uvj4i\nJlkLCZrdUbOcW4OOiOeMA1lrShnQNwWyzudiAiEAlJRwBy23g6b9HuQhwggXH2QN\nTULArVuFYuPBVI6b8DIwCgYIKoZIzj0EAwMDaQAwZgIxAIUZPi/91kFkzD2+nVz4\nPUY0qhwVjsI4PPfaYsESRMGGzOuX9GuK74u6XXXuMjAjCgIxAL94kHBciSFsReKs\nFFAjpxgv3He4cU9DGupGv4/FVQTmd82qwP4QEE6STL6v+KSJ+g==\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\nMIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw\nWhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK\na2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO\nVHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw\ngfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD\nATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw\ni9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB\nAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g\nBAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu\nY3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C\n2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+\nbcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG\n6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV\nXP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO\nkoAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq\ncm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI\nE1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e\nK1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX\nGWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL\nsVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd\nVQD9F6Na/+zmXCc=\n-----END CERTIFICATE-----"
+}

public/tesla/com.tesla.3p.public-key.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeZiz2tQY4hYXA3s6ouJqP1aBR8y0
+m1TMPF6MVsdfhJIMej3k5iaZSFmsWcoETKxalxA3uSAI7fNeF/bPn+aCAQ==
+-----END PUBLIC KEY-----

secrets/secrets.nix

@@ -1,8 +1,8 @@
 let
   users = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyNWZe1K8/5yebGKey+yjJcASH7qZg6E24OPTj8veLN stu@nixius"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqATr5SfHhUcyMfqrBBCrLM33Ax2u4FiQMiUPi37jkP [email protected]"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGfOv1f0ltBXJRN1DJSMzEIjWJ8Ty2LdPeOJowDTk4B stu@baldon"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0ACjf5QdZyZxmWvTwAhFZSH6yJJOynmdbz9BXxmRYm stu@argon"
   ];
 
   systems = {
@@ -31,6 +31,7 @@ in {
 
   "rclone.conf".publicKeys = keysForSystems ["nether" "ironite"];
   "vaultwarden.env".publicKeys = keysForSystems ["nether" "ironite"];
+  "teslamate.env".publicKeys = keysForSystems ["ironite"];
 
   "spotify".publicKeys = keysForSystem "nixius";
   "esyvpn.ovpn".publicKeys = keysForSystem "nixius";

systems/default.nix

@@ -151,6 +151,7 @@ in {
           ../nixos/network/tailscale.nix
           ../nixos/minecraft-server.nix
           ../nixos/monitoring
+          ../nixos/teslamate
         ];
         home = true;
         homeModules = [