diff --git a/hosts/ward/microvms/influxdb/default.nix b/hosts/ward/microvms/influxdb/default.nix
index 6c804c1..85a027d 100644
--- a/hosts/ward/microvms/influxdb/default.nix
+++ b/hosts/ward/microvms/influxdb/default.nix
@@ -36,6 +36,26 @@ in {
 nodes.sentinel = {
 providedDomains.influxdb = influxdbDomain;
+ # Not actually used on the system, but to allow us to provision tokens
+ # when generating secrets.
+ age.secrets.admin-influxdb-basic-auth-password = {
+ rekeyFile = ./secrets/admin-influxdb-basic-auth-password.age;
+ generator = "alnum";
+ mode = "000";
+ };
+
+ age.secrets.influxdb-basic-auth-hashes = {
+ rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
+ # Copy only the script so the dependencies can be added by the nodes
+ # that define passwords (using distributed-config).
+ generator = {
+ inherit (config.age.generators.basic-auth) script;
+ dependencies = [sentinelCfg.age.secrets.admin-influxdb-basic-auth-password];
+ };
+ mode = "440";
+ group = "nginx";
+ };
+
 services.nginx = {
 upstreams.influxdb = {
 servers."${config.services.influxdb2.settings.http-bind-address}" = {};
@@ -54,6 +74,8 @@ in {
 proxyWebsockets = true;
 extraConfig = ''
 satisfy any;
+ auth_basic "Authentication required";
+ auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
 ${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.extra.wireguard.proxy-sentinel.server.reservedAddresses}
 deny all;
 '';
diff --git a/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age b/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
new file mode 100644
index 0000000..49cc1b6
--- /dev/null
+++ b/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
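Review bot: Because this location already carries `satisfy any;`, the two added `auth_basic` lines make the password an alternative to the WireGuard allowlist rather than an additional factor, so every client outside `reservedAddresses` can now try basic-auth against the hash file with no `limit_req` visible in this location; if sentinel is the public-facing proxy (the name suggests it, but it is not shown here), add a `limit_req zone=… burst=…;` line next to `auth_basic` or at least a comment stating that the allowlist is bypassable by password. A second practical point: nginx's `auth_basic` only accepts `Authorization: Basic …` and a request carries one Authorization header, so an off-VPN InfluxDB client that sends only `Authorization: Token …` will be rejected with 401 before reaching the upstream — if that is intended, document it with `# Off-VPN clients must authenticate to nginx with basic auth; their InfluxDB token cannot be sent in the same header`. The hash format is decided by `config.age.generators.basic-auth`, defined elsewhere; confirm it emits a slow hash (bcrypt or sha512-crypt) rather than apr1/MD5, since nginx accepts both and the `alnum` generator's length is not visible here. The enclosing `locations` entry and `services.nginx` block begin before this hunk.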
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 eDC4hGeQD8dKvjQGBSflv/kqswkwegtt7mpGTatDjlk +vMVjoIZ4/7293gMJBY+6oIuE3SVulm8Qz5d2TQCy8YA +-> piv-p256 xqSe8Q Av1JmXT6ELHJypYLCvvpa5HLphPJcQhBTLHrQWUu3BXU +K/KNd1uhA/fyYmnPKJexC8W/5W4ZhtzDQEci8sswqP8 +-> 6huK-grease iyY \}FcJ +k8F8LboYhZJtd2PyQQpRJUoSpBVGm3ocsIiYV9tEihOLahdqcyQawHU2mL7zMTo+ +j6FqPxOXBQ +--- gzu/0Qvwe1DU/wXCkzaZgFQks4Hq/OAudbkfPiQMHR4 +/P'|L%o>GpHKə3)zJD01xs-d|d'/k\6B}x \ No newline at end of file diff --git a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age index f08d727..4ff7adf 100644 Binary files a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age and b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age differ diff --git a/modules/telegraf.nix b/modules/telegraf.nix index 80f9e39..daf54e7 100644 --- a/modules/telegraf.nix +++ b/modules/telegraf.nix @@ -43,6 +43,16 @@ in { config = mkIf cfg.enable { age.secrets.telegraf-influxdb-token = { rekeyFile = nodePath + "/secrets/telegraf-influxdb-token.age"; + # TODO generator.script = { pkgs, lib, decrypt, deps, ... }: let + # TODO adminBasicAuth = (builtins.head deps).file; + # TODO adminToken = (builtins.head deps).file; # TODO ..... filter by name? + # TODO in '' + # TODO echo " -> Provisioning influxdb token for telegraf on ${nodeName} at https://${cfg.influxdb2.domain}" >&2 + # TODO ${decrypt} ${lib.escapeShellArg aba.file} \ + # TODO INFLUX_HOST=https://${aba.host}+${aba.name}:${PW}@${URL} + # TODO | ${pkgs.influxdb2-cli}/bin/influx -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \ + # TODO || die "Failure" + # TODO ''); mode = "440"; group = "telegraf"; }; diff --git a/nix/lib.nix b/nix/lib.nix index 5607331..dfdbe99 100644 --- a/nix/lib.nix +++ b/nix/lib.nix 
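Review bot: The commented-out provisioning draft embeds the admin password in the URL userinfo (`INFLUX_HOST=https://…+${aba.name}:${PW}@${URL}`), which would expose the secret through the process table and any log line echoing the command once this becomes a real generator script; when the TODO is resolved, pass credentials through the CLI's environment or config file (for example `INFLUX_TOKEN`) or stdin rather than argv. The draft also binds both `adminBasicAuth` and `adminToken` to `builtins.head deps`, so the second dependency is never consulted — the existing `filter by name?` remark should become an explicit lookup by secret name before the script is enabled. This is dead comment text and changes nothing today, but a credential-in-URL template tends to be copied as-is, so a one-line `# TODO: never put the password in the URL; use env/stdin` next to it would be worth adding. The enclosing `config = mkIf cfg.enable {` block opens in this hunk and closes outside it.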
@@ -73,9 +73,7 @@ in rec { # Counts how often each element occurrs in xs countOccurrences = let addOrUpdate = acc: x: - if builtins.hasAttr x acc - then acc // {${x} = acc.${x} + 1;} - else acc // {${x} = 1;}; + acc // {${x} = (acc.${x} or 0) + 1;}; in foldl' addOrUpdate {};