henrygd / beszel

Lightweight server monitoring hub with historical data, docker stats, and alerts.
MIT License

Hub programmatic configuration? #275

Closed giorgiga closed 6 days ago

giorgiga commented 1 week ago

I am packaging beszel for NixOS, because I want to use it in my home lab and I guess others may want to as well (I do plan to contribute my efforts to the official repo once I'm satisfied).

At the moment, I have packaged both the agent and hub and I'm working on the agent's module (you may think of it as an elaborate installation script).

Since things are going well with the agent (I think I'll be done this weekend or the next one), I took a preliminary look at the hub, but it seems the hub is intended to be configured interactively by a person, while the "nixos way" would be for the nixos module to generate all the needed configuration so that one can materialize a working system.

Is it possible to programmatically configure the hub beyond the two environment variables mentioned in the README?

henrygd commented 1 week ago

Cool! Thanks for doing that. I think there's also some work being done for nixpkgs here: https://github.com/NixOS/nixpkgs/pull/345444

Systems can be defined programmatically in beszel_data/config.yml:

# Values for port and users are optional.
# Defaults are port 45876 and the first created user.

systems:
    - name: thinkpad
      host: 192.168.33.5
      port: 45876
      users:
        - name@example.com

But creation of the first user is done in the application. What would be the ideal "nixos way" to do this?

giorgiga commented 1 week ago

It didn't really occur to me to check if there was already some work in progress at nixpkgs... thanks a bunch: I'll see to coordinate my efforts with the existing ones.


The general idea with nixos is that one can spin up a working machine (minus the data of course) from the nixos config alone and that they can update the machine configuration by the same means, but that's by no means a rule or requirement and different programs/services have different levels of support.

From the nixos module I can generate whatever script to initialize beszel, so there's a lot of flexibility there (eg. the syncthing one uses curl to configure the service via its API)... I would try and manage the whole configuration if it makes sense (ie. if there's not too much stuff or stuff that you plan to drop in the near future)...

Could you please help with the following questions?

  1. I was thinking of using sqlite to set up the user accounts, but I'm a bit confused by the presence of both a users and a _admins table... should I insert/delete into/from both?
  2. User passwords are hashed with bcrypt ($2a$), do you happen to know if I can use stronger schemes, such as sha512crypt ($6$)? (see Wikipedia)
  3. The info in that beszel_data/config.yml file seems to actually come from the database... would you recommend I generate the file or update the database directly?
  4. Beszel seems to be able to send emails... where can I find the configuration for that?
  5. If I start beszel with --https, how can I specify the SSL key and certificate?
  6. Besides the above and ssh keys, are there other settings that you think could make sense in the nixos module?

Thanks a bunch!

henrygd commented 1 week ago

I don't have a lot of time tonight to go over this but want to give you some quick thoughts.

The API would be a good option for set up. The hub is built on PocketBase. You can check the docs for the API here: https://pocketbase.io/docs/api-records/

PocketBase also has a very active GitHub discussions page with a lot of helpful info.

  1. Admins and users are completely separate entities. Admin accounts are able to log into the PocketBase backend. Users are users for the Beszel hub only. When setting up the app, an Admin account and a User account are created with the same email / password. Here is the relevant part of the code.
  2. PocketBase uses golang.org/x/crypto/bcrypt so I think it needs to be bcrypt. Here's the code.
  3. If systems are defined in config.yml then that is the single source of truth. Anything that differs in the database will be overwritten on restart. So don't use the file unless you only want to manage systems in the file and not via the DB or web UI.
  4. It uses sendmail by default. It supports a user defined SMTP server, which can be set manually in the PocketBase backend or via the API.
  5. --https issues a Let's Encrypt cert and doesn't support using custom certificates. See here: https://github.com/pocketbase/pocketbase/discussions/3161
  6. Let me get back to you on that. If there's anything specifically that you need updated for better compatibility, I will try to take care of it. Also, I don't think this is what you meant, but we need to make sure that identical SSH keys are not packaged / distributed. That needs to be generated at runtime for every instance.
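
Added example (not code from Beszel or from either poster): since config.yml overrides the database on restart, a packaging module that generates it should validate every value and write the file atomically. The function names, the allow-list patterns and the choice to double-quote strings are assumptions of this example; it is meant to run as the hub's service user so the 0600 file stays readable by the hub.

```python
import ipaddress, os, re, tempfile

DEFAULT_PORT = 45876  # default agent port given in the thread
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"(?=.{1,253}\Z)(?!.*\.\d+\Z)" + LABEL + r"(?:\." + LABEL + r")*")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}")  # this example's policy
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Constructed sample input; the first entry mirrors the one shown in the thread.
SAMPLE = [{"name": "thinkpad", "host": "192.168.33.5", "users": ["name@example.com"]},
          {"name": "nas", "host": "nas.lan"}]

def _host(value):
    # Accept an IP literal or a DNS name whose last label is not all digits.
    if isinstance(value, str):
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            if HOST_RE.fullmatch(value):
                return value
    raise ValueError(f"invalid host: {value!r}")

def _quoted(pattern, value, what):
    # The patterns admit no quote, backslash or newline, so quoting is safe.
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return f'"{value}"'

def render_config(systems):
    """Render validated systems in the config.yml layout shown in the thread."""
    lines = ["systems:"]
    for s in systems:
        port = s.get("port", DEFAULT_PORT)
        if type(port) is not int or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
        lines += [f"    - name: {_quoted(NAME_RE, s['name'], 'name')}",
                  f'      host: "{_host(s["host"])}"', f"      port: {port}"]
        if s.get("users"):
            lines.append("      users:")
            lines += [f"        - {_quoted(EMAIL_RE, u, 'user')}" for u in s["users"]]
    return "\n".join(lines) + "\n"

def write_config(path, systems):
    text = render_config(systems)  # validate fully before touching the disk
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))  # mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.replace(tmp, path)  # atomic: the hub never reads a partial file
    except BaseException:
        os.unlink(tmp)
        raise
```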

giorgiga commented 6 days ago

Thanks @henrygd: that helps a lot!

I'll bother you again if I get stuck, but I should be able to work with that.

henrygd commented 6 days ago

No worries. It's not a bother so let me know if you have any other questions.