diff --git a/hosts/ward/microvms/grafana.nix b/hosts/ward/microvms/grafana.nix
index 1b47a4c..1b3af52 100644
--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@@ -29,16 +29,25 @@ in {
     group = "grafana";
   };
 
-  nodes.ward-influxdb.services.influxdb2.provision.ensureApiTokens = [
-    {
-      name = "grafana servers:telegraf (${config.node.name})";
-      org = "servers";
-      user = "admin";
-      readBuckets = ["telegraf"];
-      writeBuckets = ["telegraf"];
-      tokenFile = config.age.secrets.grafana-influxdb-token.path;
-    }
-  ];
+  nodes.ward-influxdb = {
+    # Mirror the original secret on the influx host
+    age.secrets."grafana-influxdb-token-${config.node.name}" = {
+      inherit (config.age.secrets.grafana-influxdb-token) rekeyFile;
+      mode = "440";
+      group = "influxdb2";
+    };
+
+    services.influxdb2.provision.ensureApiTokens = [
+      {
+        name = "grafana servers:telegraf (${config.node.name})";
+        org = "servers";
+        user = "admin";
+        readBuckets = ["telegraf"];
+        writeBuckets = ["telegraf"];
+        tokenFile = nodes.ward-influxdb.config.age.secrets."grafana-influxdb-token-${config.node.name}".path;
+      }
+    ];
+  };
 
   nodes.sentinel = {
     age.secrets.loki-basic-auth-hashes.generator.dependencies = [
diff --git a/modules/meta/influxdb.nix b/modules/meta/influxdb.nix
index fe0de5b..34f8492 100644
--- a/modules/meta/influxdb.nix
+++ b/modules/meta/influxdb.nix
@@ -43,6 +43,13 @@
       }' main.go
     '';
     vendorHash = "sha256-zBZk7JbNILX18g9+2ukiESnFtnIVWhdN/J/MBhIITh8=";
+
+    meta = with lib; {
+      description = "Utility program to manipulate influxdb api tokens for declarative setups";
+      mainProgram = "influx-token-manipulator";
+      license = with licenses; [mit];
+      maintainers = with maintainers; [oddlama];
+    };
   };
 in {
   options.services.influxdb2.provision = {
diff --git a/modules/meta/microvms.nix b/modules/meta/microvms.nix
index dd3b420..b6aeec1 100644
--- a/modules/meta/microvms.nix
+++ b/modules/meta/microvms.nix
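Review bot: The Grafana token provisioned by the new `ensureApiTokens` entry still carries `writeBuckets = ["telegraf"]`, although a Grafana datasource only queries the bucket; a read-only token bounds what a leaked Grafana secret can do, so change it to `writeBuckets = [];` (assuming the provision option accepts an empty list). The same token is now also mirrored to ward-influxdb with `mode = "440"` and `group = "influxdb2"`, so a second host holds the plaintext; the mirror comment should state why that is necessary, e.g. `# Mirror the original secret on the influx host so the token provisioner (running as influxdb2) can read the expected token value`. The `tokenFile` expression reaches into `nodes.ward-influxdb.config` from a definition that is itself merged into that node's config — presumably lazy evaluation keeps this from recursing, but a one-line comment saying so would help the next reader.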
@@ -88,10 +88,6 @@
       };
     };
 
-    # Propagate node expansions, since doing this directly in the
-    # distributed-config module would cause infinite recursion.
-    nodes = mkMerge config.microvm.vms.${vmName}.config.options.nodes.definitions;
-
     microvm.vms.${vmName} = let
       node = import ../../nix/generate-node.nix inputs {
         name = vmCfg.nodeName;
@@ -369,6 +365,6 @@ in {
         };
       };
     }
-    // mergeToplevelConfigs ["nodes" "disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
+    // mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
   );
 }
diff --git a/modules/meta/telegraf.nix b/modules/meta/telegraf.nix
index c55e288..23b10a8 100644
--- a/modules/meta/telegraf.nix
+++ b/modules/meta/telegraf.nix
@@ -57,16 +57,25 @@ in {
   };
 
   config = mkIf cfg.enable {
-    nodes.${cfg.influxdb2.node}.services.influxdb2.provision.ensureApiTokens = [
-      {
-        name = "telegraf (${config.node.name})";
-        org = "servers";
-        user = "admin";
-        readBuckets = ["telegraf"];
-        writeBuckets = ["telegraf"];
-        tokenFile = config.age.secrets.telegraf-influxdb-token.path;
-      }
-    ];
+    nodes.${cfg.influxdb2.node} = {
+      # Mirror the original secret on the influx host
+      age.secrets."telegraf-influxdb-token-${config.node.name}" = {
+        inherit (config.age.secrets.telegraf-influxdb-token) rekeyFile;
+        mode = "440";
+        group = "influxdb2";
+      };
+
+      services.influxdb2.provision.ensureApiTokens = [
+        {
+          name = "telegraf (${config.node.name})";
+          org = "servers";
+          user = "admin";
+          readBuckets = ["telegraf"];
+          writeBuckets = ["telegraf"];
+          tokenFile = nodes.${cfg.influxdb2.node}.config.age.secrets."telegraf-influxdb-token-${config.node.name}".path;
+        }
+      ];
+    };
 
     age.secrets.telegraf-influxdb-token = {
       generator.script = "alnum";
diff --git a/modules/repo/distributed-config.nix b/modules/repo/distributed-config.nix
index 4724b33..0b7ce02 100644
--- a/modules/repo/distributed-config.nix
+++ b/modules/repo/distributed-config.nix
@@ -3,6 +3,7 @@
   inputs,
   lib,
   options,
+  nodes,
   ...
 }: let
   inherit
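Review bot: In the telegraf hunk the new `ensureApiTokens` entry keeps `readBuckets = ["telegraf"]`, but a metrics agent only pushes data; a write-only token means a compromised telegraf host cannot read back the whole bucket, so change it to `readBuckets = [];` if the provision option accepts an empty list. The mirrored secret inherits only `rekeyFile`, not the `generator.script = "alnum"` visible below on the original, so presumably the originating node generates the token and the influx host merely re-encrypts the same file for its own identity — that is exactly what the `# Mirror the original secret on the influx host` comment should say, together with the reason (the provisioner on that host, running as `influxdb2`, needs to read the token value). Every agent's token now also lives in plaintext on the influx host, readable by anything in the `influxdb2` group; that widening is inherent to this design but deserves a sentence in the comment.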
@@ -35,23 +36,17 @@ in {
   };
 
   config = let
-    allNodes = attrNames inputs.self.colmenaNodes;
-    isColmenaNode = elem nodeName allNodes;
-    foreignConfigs = concatMap (n: inputs.self.colmenaNodes.${n}.config.nodes.${nodeName} or []) allNodes;
-    relevantConfigs = foreignConfigs ++ [config.nodes.${nodeName} or {}];
+    allNodes = attrNames nodes;
+    foreignConfigs = concatMap (n: nodes.${n}.config.nodes.${nodeName} or []) allNodes;
     mergeFromOthers = path:
       mkMerge (map
-        (x: mkIf (hasAttrByPath path x) (getAttrFromPath path x))
-        relevantConfigs);
-    pathsToMerge = [
-      ["age" "secrets"]
-      ["networking" "providedDomains"]
-      ["services" "nginx" "upstreams"]
-      ["services" "nginx" "virtualHosts"]
-    ];
-  in
-    mkIf isColmenaNode (foldl'
-      (acc: path: recursiveUpdate acc (setAttrByPath path (mergeFromOthers path)))
-      {}
-      pathsToMerge);
+        (x: (getAttrFromPath path x))
+        (lib.filter (x: (hasAttrByPath path x)) foreignConfigs));
+  in {
+    age.secrets = mergeFromOthers ["age" "secrets"];
+    networking.providedDomains = mergeFromOthers ["networking" "providedDomains"];
+    services.nginx.upstreams = mergeFromOthers ["services" "nginx" "upstreams"];
+    services.nginx.virtualHosts = mergeFromOthers ["services" "nginx" "virtualHosts"];
+    services.influxdb2.provision.ensureApiTokens = mergeFromOthers ["services" "influxdb2" "provision" "ensureApiTokens"];
+  };
 }
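Review bot: `mergeFromOthers` now draws only from `foreignConfigs`, whereas the removed `relevantConfigs` also appended the node's own `config.nodes.${nodeName}`; self-definitions are still honoured only if `nodes` contains the current node (likely, given `allNodes = attrNames nodes`), and in that case the names `foreignConfigs`/`mergeFromOthers` are misleading and deserve a comment such as `# includes this node's own nodes.<self> definitions, since nodes covers every host`. The `mkIf isColmenaNode` guard is gone as well, so any node in `nodes` can now inject `age.secrets` and — via the newly added `services.influxdb2.provision.ensureApiTokens` line — API tokens into the influx host; that is acceptable inside one repository but is a trust assumption worth stating next to the new line. Minor: `lib.filter` is the only `lib.`-qualified call here while `attrNames`, `concatMap`, `mkMerge` and `hasAttrByPath` are used bare, so `filter` presumably belongs in the module's `inherit (lib)` list (which starts outside this hunk).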