From 6a1445103305706513f8b64a131a1faa49f202c0 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 14 Aug 2023 22:59:21 +0200
Subject: [PATCH] chore: test all aspects of influxdb provisioning (and fix minor issues)
---
hosts/nom/default.nix | 109 ++++++++++++++++++++++++++++++++++++++
modules/meta/influxdb.nix | 51 +++++++++---------
modules/meta/kanidm.nix | 28 ++++++++++
3 files changed, 164 insertions(+), 24 deletions(-)
create mode 100644 modules/meta/kanidm.nix
diff --git a/hosts/nom/default.nix b/hosts/nom/default.nix
index ee8229f..cfea34f 100644
--- a/hosts/nom/default.nix
+++ b/hosts/nom/default.nix
@@ -32,4 +32,113 @@ font = "ter-v28n"; packages = [pkgs.terminus_font]; }; + + services.influxdb2 = { + enable = true; + settings = { + reporting-disabled = true; + http-bind-address = "localhost:8086"; + }; + initialSetup = { + enable = true; + organization = "servers"; + bucket = "telegraf"; + + passwordFile = pkgs.writeText "tmp-pw" "ExAmPl3PA55W0rD"; + tokenFile = pkgs.writeText "tmp-tok" "asroiuhoiuahnawo4unhasdorviuhngoiuhraoug"; + }; + deleteOrganizations = ["delorg"]; + deleteBuckets = [ + { + name = "delbucket"; + org = "delorg"; + } + ]; + deleteUsers = ["deluser"]; + deleteRemotes = [ + { + name = "delremote"; + org = "delorg"; + } + ]; + deleteReplications = [ + { + name = "delreplication"; + org = "delorg"; + } + ]; + deleteApiTokens = [ + { + name = "deltoken"; + org = "delorg"; + user = "deluser"; + } + ]; + ensureOrganizations = [ + { + name = "myorg"; + description = "Myorg description"; + } + #{ + # name = "delorg"; + #} + ]; + ensureBuckets = [ + { + name = "mybucket"; + org = "myorg"; + description = "Mybucket description"; + } + #{ + # name = "delbucket"; + # org = "delorg"; + #} + ]; + ensureUsers = [ + { + name = "myuser"; + org = "myorg"; + passwordFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga"; + } + #{ + # name = "deluser"; + # org = "delorg"; + # passwordFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga"; + #} + ]; + #ensureRemotes = [ + # { + # name = "delremote"; + # org = "delorg"; + # remoteUrl = "http://localhost:8087"; + # remoteOrgId = "a1b2c3d4a1b2c3d4"; + # remoteTokenFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga"; + # } + #]; + #ensureReplications = [ + # { + # name = "delreplication"; + # org = "delorg"; + # remote = "delremote"; + # localBucket = "delbucket"; + # remoteBucket = "delbucket2"; + # } + #]; + ensureApiTokens = [ + { + name = "mytoken"; + org = "myorg"; + user = "myuser"; + readBuckets = ["mybucket"]; + writeBuckets = ["mybucket"]; + } + #{ + # name = "deltoken"; + # org = "delorg"; + # user = "deluser"; + # readBuckets = 
["delbucket"]; + # writeBuckets = ["delbucket"]; + #} + ]; + }; } diff --git a/modules/meta/influxdb.nix b/modules/meta/influxdb.nix index c2f2914..972f8c0 100644 --- a/modules/meta/influxdb.nix +++ b/modules/meta/influxdb.nix @@ -575,7 +575,7 @@ in { ${influxCli} auth list --json --org ${escapeShellArg apiToken.org} 2>/dev/null \ | ${getExe pkgs.jq} -r '.[] | select(.description | contains("${apiToken.id}")) | .id' ) && [[ -n "$id" ]]; then - ${influxCli} auth delete --id "$id" &>/dev/null + ${influxCli} auth delete --id "$id" >/dev/null echo "Deleted api token id="${escapeShellArg apiToken.id} fi '') @@ -584,7 +584,7 @@ in { ${influxCli} replication list --json --org ${escapeShellArg replication.org} --name ${escapeShellArg replication.name} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} replication delete --id "$id" &>/dev/null + ${influxCli} replication delete --id "$id" >/dev/null echo "Deleted replication org="${escapeShellArg replication.org}" name="${escapeShellArg replication.name} fi '') @@ -593,7 +593,7 @@ in { ${influxCli} remote list --json --org ${escapeShellArg remote.org} --name ${escapeShellArg remote.name} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} remote delete --id "$id" &>/dev/null + ${influxCli} remote delete --id "$id" >/dev/null echo "Deleted remote org="${escapeShellArg remote.org}" name="${escapeShellArg remote.name} fi '') @@ -602,7 +602,7 @@ in { ${influxCli} user list --json --name ${escapeShellArg user} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} user delete --id "$id" &>/dev/null + ${influxCli} user delete --id "$id" >/dev/null echo "Deleted user name="${escapeShellArg user} fi '') 
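Review bot: The admin password and initial token under `initialSetup`, and the `ensureUsers` password, are built with `pkgs.writeText`, which places them in the world-readable Nix store and, through this commit, in the repository history. If this block exists only to exercise the provisioning module, say so next to it, e.g. `# TEST ONLY: writeText secrets are world-readable in /nix/store; never reuse these values`, and remove it from the host before the instance holds real data. For anything longer-lived, `passwordFile` and `tokenFile` should point at a path provisioned at runtime by whatever secret manager the repository uses, readable only by the service user.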
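Review bot: The guard `if id=$( … | jq -r ".[0].id" ); then` in the replication delete tests only jq's exit status, and jq exits 0 and prints `null` for an empty list; the remote, user, bucket and org deletes and the org/bucket update paths in the following hunks share the pattern. Unless the surrounding script enables `pipefail` and the list call fails on a missing name, neither of which is visible here, the delete then runs with `--id null`, and with stderr no longer discarded its error now reaches the log on every run. The api-token delete in the first hunk of this file already adds `&& [[ -n "$id" ]]`; the same guard, extended to reject the literal string, would fit each of these: `) && [[ -n "$id" && "$id" != null ]]; then`. The enclosing script text starts and ends outside these hunks.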
@@ -611,7 +611,7 @@ in { ${influxCli} bucket list --json --org ${escapeShellArg bucket.org} --name ${escapeShellArg bucket.name} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} bucket delete --id "$id" &>/dev/null + ${influxCli} bucket delete --id "$id" >/dev/null echo "Deleted bucket org="${escapeShellArg bucket.org}" name="${escapeShellArg bucket.name} fi '') @@ -620,7 +620,7 @@ in { ${influxCli} org list --json --name ${escapeShellArg org} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} org delete --id "$id" &>/dev/null + ${influxCli} org delete --id "$id" >/dev/null echo "Deleted org name="${escapeShellArg org} fi '') @@ -639,9 +639,9 @@ in { ${influxCli} org list --json ${escapeShellArgs listArgs} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} org update --id "$id" ${escapeShellArgs updateArgs} &>/dev/null + ${influxCli} org update --id "$id" ${escapeShellArgs updateArgs} >/dev/null else - ${influxCli} org create ${escapeShellArgs createArgs} &>/dev/null + ${influxCli} org create ${escapeShellArgs createArgs} >/dev/null echo "Created org name="${escapeShellArg org.name} fi '') @@ -667,9 +667,9 @@ in { ${influxCli} bucket list --json ${escapeShellArgs listArgs} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} bucket update --id "$id" ${escapeShellArgs updateArgs} &>/dev/null + ${influxCli} bucket update --id "$id" ${escapeShellArgs updateArgs} >/dev/null else - ${influxCli} bucket create ${escapeShellArgs createArgs} &>/dev/null + ${influxCli} bucket create ${escapeShellArgs createArgs} >/dev/null echo "Created bucket org="${escapeShellArg bucket.org}" name="${escapeShellArg bucket.name} fi '') 
@@ -692,13 +692,13 @@ in { ); then true # No updateable args else - ${influxCli} user create ${escapeShellArgs createArgs} &>/dev/null + ${influxCli} user create ${escapeShellArgs createArgs} >/dev/null echo "Created user name="${escapeShellArg user.name} fi '' + optionalString (user.passwordFile != null) '' ${influxCli} user password ${escapeShellArgs listArgs} \ - --password "$(< ${escapeShellArg user.passwordFile})" &>/dev/null + --password "$(< ${escapeShellArg user.passwordFile})" >/dev/null '') + flip concatMapStrings cfg.ensureRemotes (remote: let listArgs = [ @@ -726,7 +726,7 @@ in { ${influxCli} remote list --json ${escapeShellArgs listArgs} 2>/dev/null \ | ${getExe pkgs.jq} -r ".[0].id" ); then - ${influxCli} remote update --id "$id" ${escapeShellArgs updateArgs} &>/dev/null \ + ${influxCli} remote update --id "$id" ${escapeShellArgs updateArgs} >/dev/null \ --remote-api-token "$(< ${escapeShellArg remote.remoteTokenFile})" else extraArgs=() @@ -735,12 +735,12 @@ in { ${influxCli} org list --json \ --host ${escapeShellArg remote.remoteUrl} \ --token "$(< ${escapeShellArg remote.remoteTokenFile})" \ - --name ${escapeShellArg remote.remoteOrg} 2>/dev/null \ + --name ${escapeShellArg remote.remoteOrg} \ | ${getExe pkgs.jq} -r ".[0].id" ) extraArgs+=("--remote-org-id" "$remote_org_id") ''} - ${influxCli} remote create ${escapeShellArgs createArgs} &>/dev/null \ + ${influxCli} remote create ${escapeShellArgs createArgs} >/dev/null \ --remote-api-token "$(< ${escapeShellArg remote.remoteTokenFile})" \ "''${extraArgs[@]}" echo "Created remote org="${escapeShellArg remote.org}" name="${escapeShellArg remote.name} @@ -756,8 +756,6 @@ in { createArgs = listArgs ++ [ - "--local-bucket" - replication.localBucket "--remote-bucket" replication.remoteBucket ]; 
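Review bot: The `user password` call passes the secret as `--password "$(< …)"`, so the expanded password sits in the process's argument list, where other local users can read it for as long as the command runs; the `--remote-api-token` and `--token` arguments in the two remote hunks that follow have the same exposure. If the CLI can take these values from the environment or standard input, that is the safer channel; otherwise a comment such as `# secret is visible in argv while influx runs` would at least record the trade-off. Now that stderr reaches the journal instead of /dev/null, it is also worth confirming that the CLI's error output never echoes its arguments.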
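Review bot: `remote_org_id` goes into `extraArgs+=("--remote-org-id" "$remote_org_id")` without a check that the lookup returned anything, and jq prints `null` with exit status 0 when the remote org list is empty. The new `remote_id` and `local_bucket_id` lookups in the replication hunk and the `bucketIds[…]` lookups in the api-token hunk have the same gap, so a missing remote or bucket becomes a create call with the id `null` rather than a clear failure. A check directly after each lookup would fail closed and name the cause, for example `[[ -n "$remote_org_id" && "$remote_org_id" != null ]] || { echo "remote org not found" >&2; exit 1; }`. The `remote_org_id=$(` assignment itself begins above this hunk.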
@@ -769,11 +767,16 @@ in { true # No updateable args else remote_id=$( - ${influxCli} remote list --json --name ${escapeShellArg replication.remote} 2>/dev/null \ + ${influxCli} remote list --json --org ${escapeShellArg replication.org} --name ${escapeShellArg replication.remote} \ | ${getExe pkgs.jq} -r ".[0].id" ) - ${influxCli} replication create ${escapeShellArgs createArgs} &>/dev/null \ - --remote-id "$remote_id" + local_bucket_id=$( + ${influxCli} bucket list --json --org ${escapeShellArg replication.org} --name ${escapeShellArg replication.localBucket} \ + | ${getExe pkgs.jq} -r ".[0].id" + ) + ${influxCli} replication create ${escapeShellArgs createArgs} >/dev/null \ + --remote-id "$remote_id" \ + --local-bucket-id "$local_bucket_id" echo "Created replication org="${escapeShellArg replication.org}" name="${escapeShellArg replication.name} fi '') @@ -796,15 +799,15 @@ in { ++ map (x: "--write-${x}") apiToken.writePermissions; in '' if id=$( - ${influxCli} apiToken list --json ${escapeShellArgs listArgs} 2>/dev/null \ - | ${getExe pkgs.jq} -r ".[0].id" + ${influxCli} auth list --json --org ${escapeShellArg apiToken.org} 2>/dev/null \ + | ${getExe pkgs.jq} -r '.[] | select(.description | contains("${apiToken.id}")) | .id' ); then true # No updateable args else declare -A bucketIds ${flip concatMapStrings (unique (apiToken.readBuckets ++ apiToken.writeBuckets)) (bucket: '' bucketIds[${escapeShellArg bucket}]=$( - ${influxCli} bucket list --json --org ${escapeShellArg apiToken.org} --name ${escapeShellArg bucket} 2>/dev/null \ + ${influxCli} bucket list --json --org ${escapeShellArg apiToken.org} --name ${escapeShellArg bucket} \ | ${getExe pkgs.jq} -r ".[0].id" ) '')} 
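Review bot: The new existence check for api tokens is true whenever the pipeline runs, because jq exits 0 even when `select(…)` matches nothing, so the `else` branch that creates the token looks unreachable. The delete path for api tokens guards against this with `&& [[ -n "$id" ]]`, and the same is needed here: `) && [[ -n "$id" ]]; then`. Separately, `${apiToken.id}` is spliced into the jq program inside a single-quoted shell string with no escaping, unlike every other value in this script; passing it as data keeps a quote character in the id from altering the filter or the command line: `jq -r --arg id ${escapeShellArg apiToken.id} '.[] | select(.description | contains($id)) | .id'`. The surrounding `let` block starts above the hunk.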
@@ -816,7 +819,7 @@ in { "--write-bucket" "''${bucketIds[${escapeShellArg bucket}]}" '')} ) - ${influxCli} auth create ${escapeShellArgs createArgs} &>/dev/null \ + ${influxCli} auth create ${escapeShellArgs createArgs} >/dev/null \ "''${extraArgs[@]}" echo "Created api token org="${escapeShellArg apiToken.org}" user="${escapeShellArg apiToken.user} fi diff --git a/modules/meta/kanidm.nix b/modules/meta/kanidm.nix new file mode 100644 index 0000000..186eadb --- /dev/null +++ b/modules/meta/kanidm.nix @@ -0,0 +1,28 @@ +{ + config, + lib, + ... +}: let + inherit + (lib) + assertMsg + filter + genAttrs + hasInfix + head + mdDoc + mkIf + mkOption + removeSuffix + types + ; +in { + options.services.kanidm.provision = { + enable = mkEnableOption "provisioning of systems, groups and users"; + systems = { + }; + }; + + config = { + }; +}
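Review bot: `mkEnableOption` is called for `provision.enable` in the new kanidm module but is missing from the `inherit (lib)` list, so the file would fail with an undefined variable as soon as it is imported. Add `mkEnableOption` to the list; most of the other inherited names (`assertMsg`, `filter`, `genAttrs`, `hasInfix`, `head`, `mdDoc`, `mkIf`, `removeSuffix`) are not used yet and could wait until the provisioning logic that needs them lands. The empty `systems = { };` and `config = { };` would also benefit from a one-line comment such as `# stub: provisioning options not implemented yet`.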