fix: propagate influxdb token secrets properly and simplify distributed configuration implementation (repo.nodes)
This commit is contained in:
parent
0ed8f2041d
commit
c494c66f5a
5 changed files with 58 additions and 42 deletions
|
@ -29,16 +29,25 @@ in {
|
|||
group = "grafana";
|
||||
};
|
||||
|
||||
nodes.ward-influxdb.services.influxdb2.provision.ensureApiTokens = [
|
||||
{
|
||||
name = "grafana servers:telegraf (${config.node.name})";
|
||||
org = "servers";
|
||||
user = "admin";
|
||||
readBuckets = ["telegraf"];
|
||||
writeBuckets = ["telegraf"];
|
||||
tokenFile = config.age.secrets.grafana-influxdb-token.path;
|
||||
}
|
||||
];
|
||||
nodes.ward-influxdb = {
|
||||
# Mirror the original secret on the influx host
|
||||
age.secrets."grafana-influxdb-token-${config.node.name}" = {
|
||||
inherit (config.age.secrets.grafana-influxdb-token) rekeyFile;
|
||||
mode = "440";
|
||||
group = "influxdb2";
|
||||
};
|
||||
|
||||
services.influxdb2.provision.ensureApiTokens = [
|
||||
{
|
||||
name = "grafana servers:telegraf (${config.node.name})";
|
||||
org = "servers";
|
||||
user = "admin";
|
||||
readBuckets = ["telegraf"];
|
||||
writeBuckets = ["telegraf"];
|
||||
tokenFile = nodes.ward-influxdb.config.age.secrets."grafana-influxdb-token-${config.node.name}".path;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
age.secrets.loki-basic-auth-hashes.generator.dependencies = [
|
||||
|
|
|
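Review bot: The comment "Mirror the original secret on the influx host" above the new `age.secrets."grafana-influxdb-token-${config.node.name}"` block does not say why a second decrypted copy of this token now exists on ward-influxdb, or who may read it; the token carries write access to the `telegraf` bucket, so that matters. Suggest `# Mirror the original secret on the influx host: the token provisioner there presumably needs the plaintext to create the token; mode 440 + group influxdb2 keeps it unreadable to other users on that host.` The same comment gap and an almost line-for-line identical block appear in the telegraf hunk (`nodes.${cfg.influxdb2.node} = { ... }`), differing only in the secret name and target node, so a small shared helper taking the target node, the secret name and the token name would keep the two in step. The enclosing module body starts and ends outside this hunk.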
@ -43,6 +43,13 @@
|
|||
}' main.go
|
||||
'';
|
||||
vendorHash = "sha256-zBZk7JbNILX18g9+2ukiESnFtnIVWhdN/J/MBhIITh8=";
|
||||
|
||||
meta = with lib; {
|
||||
description = "Utility program to manipulate influxdb api tokens for declarative setups";
|
||||
mainProgram = "influx-token-manipulator";
|
||||
license = with licenses; [mit];
|
||||
maintainers = with maintainers; [oddlama];
|
||||
};
|
||||
};
|
||||
in {
|
||||
options.services.influxdb2.provision = {
|
||||
|
|
|
@ -88,10 +88,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Propagate node expansions, since doing this directly in the
|
||||
# distributed-config module would cause infinite recursion.
|
||||
nodes = mkMerge config.microvm.vms.${vmName}.config.options.nodes.definitions;
|
||||
|
||||
microvm.vms.${vmName} = let
|
||||
node = import ../../nix/generate-node.nix inputs {
|
||||
name = vmCfg.nodeName;
|
||||
|
@ -369,6 +365,6 @@ in {
|
|||
};
|
||||
};
|
||||
}
|
||||
// mergeToplevelConfigs ["nodes" "disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
|
||||
// mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
|
||||
);
|
||||
}
|
||||
|
|
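Review bot: Dropping `nodes` from `mergeToplevelConfigs ["disko" "microvm" "systemd"]` and deleting the `nodes = mkMerge ...definitions` line means any `nodes.<x>` definition a microvm guest config makes is no longer lifted through the host; nothing in this hunk records where that propagation now happens. If the intent is that guests are themselves members of the `nodes` set consumed by the distributed-config module, a one-line comment at the removal site would prevent someone reinstating the old mkMerge and reintroducing the recursion the deleted comment warned about, e.g. `# Guest nodes.* definitions are read directly from the `nodes` module argument; do not merge them here (infinite recursion).` That reading is inferred from the commit title, not visible in this file, so confirm it. Both hunks sit inside a larger let/in expression whose edges are outside this view.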
|
@ -57,16 +57,25 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
nodes.${cfg.influxdb2.node}.services.influxdb2.provision.ensureApiTokens = [
|
||||
{
|
||||
name = "telegraf (${config.node.name})";
|
||||
org = "servers";
|
||||
user = "admin";
|
||||
readBuckets = ["telegraf"];
|
||||
writeBuckets = ["telegraf"];
|
||||
tokenFile = config.age.secrets.telegraf-influxdb-token.path;
|
||||
}
|
||||
];
|
||||
nodes.${cfg.influxdb2.node} = {
|
||||
# Mirror the original secret on the influx host
|
||||
age.secrets."telegraf-influxdb-token-${config.node.name}" = {
|
||||
inherit (config.age.secrets.telegraf-influxdb-token) rekeyFile;
|
||||
mode = "440";
|
||||
group = "influxdb2";
|
||||
};
|
||||
|
||||
services.influxdb2.provision.ensureApiTokens = [
|
||||
{
|
||||
name = "telegraf (${config.node.name})";
|
||||
org = "servers";
|
||||
user = "admin";
|
||||
readBuckets = ["telegraf"];
|
||||
writeBuckets = ["telegraf"];
|
||||
tokenFile = nodes.${cfg.influxdb2.node}.config.age.secrets."telegraf-influxdb-token-${config.node.name}".path;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
age.secrets.telegraf-influxdb-token = {
|
||||
generator.script = "alnum";
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
inputs,
|
||||
lib,
|
||||
options,
|
||||
nodes,
|
||||
...
|
||||
}: let
|
||||
inherit
|
||||
|
@ -35,23 +36,17 @@ in {
|
|||
};
|
||||
|
||||
config = let
|
||||
allNodes = attrNames inputs.self.colmenaNodes;
|
||||
isColmenaNode = elem nodeName allNodes;
|
||||
foreignConfigs = concatMap (n: inputs.self.colmenaNodes.${n}.config.nodes.${nodeName} or []) allNodes;
|
||||
relevantConfigs = foreignConfigs ++ [config.nodes.${nodeName} or {}];
|
||||
allNodes = attrNames nodes;
|
||||
foreignConfigs = concatMap (n: nodes.${n}.config.nodes.${nodeName} or []) allNodes;
|
||||
mergeFromOthers = path:
|
||||
mkMerge (map
|
||||
(x: mkIf (hasAttrByPath path x) (getAttrFromPath path x))
|
||||
relevantConfigs);
|
||||
pathsToMerge = [
|
||||
["age" "secrets"]
|
||||
["networking" "providedDomains"]
|
||||
["services" "nginx" "upstreams"]
|
||||
["services" "nginx" "virtualHosts"]
|
||||
];
|
||||
in
|
||||
mkIf isColmenaNode (foldl'
|
||||
(acc: path: recursiveUpdate acc (setAttrByPath path (mergeFromOthers path)))
|
||||
{}
|
||||
pathsToMerge);
|
||||
(x: (getAttrFromPath path x))
|
||||
(lib.filter (x: (hasAttrByPath path x)) foreignConfigs));
|
||||
in {
|
||||
age.secrets = mergeFromOthers ["age" "secrets"];
|
||||
networking.providedDomains = mergeFromOthers ["networking" "providedDomains"];
|
||||
services.nginx.upstreams = mergeFromOthers ["services" "nginx" "upstreams"];
|
||||
services.nginx.virtualHosts = mergeFromOthers ["services" "nginx" "virtualHosts"];
|
||||
services.influxdb2.provision.ensureApiTokens = mergeFromOthers ["services" "influxdb2" "provision" "ensureApiTokens"];
|
||||
};
|
||||
}
|
||||
|
|
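Review bot: The new `foreignConfigs = concatMap (n: nodes.${n}.config.nodes.${nodeName} or []) allNodes;` silently widens the contributor set and drops two things the old code had: the `mkIf isColmenaNode` guard and the separate `config.nodes.${nodeName}` self-entry, and nothing in the hunk documents the resulting contract. Every attribute path merged in the `in { ... }` block (`age.secrets`, `networking.providedDomains`, nginx `upstreams`/`virtualHosts`, and now `services.influxdb2.provision.ensureApiTokens`) is a channel through which any node in `nodes` can define secrets, vhosts or API tokens on this node, so each new path is effectively a new cross-node write permission. Suggest a comment above `foreignConfigs`: `# Any node in `nodes` (this one included) may contribute definitions under nodes.<nodeName>; every path merged below is a cross-node write channel, so extend this list deliberately.` Whether a node's own `nodes.<self>` definitions are still picked up via `nodes.${nodeName}.config` is not visible here and should be confirmed.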