feat: add influxdb microvm

hosts/common/core/impermanence.nix

@@ -139,6 +139,14 @@
           group = "vaultwarden";
           mode = "0700";
         }
+      ]
+      ++ lib.optionals config.services.influxdb2.enable [
+        {
+          directory = "/var/lib/influxdb2";
+          user = "influxdb2";
+          group = "influxdb2";
+          mode = "0700";
+        }
       ];
   };
 }

hosts/common/core/system.nix

@@ -378,7 +378,7 @@
       echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
       ${decrypt} ${lib.escapeShellArg file} \
         | ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
-        || die "Failure while aggregating caddy basic auth hashes"
+        || die "Failure while aggregating basic auth hashes"
     '');
 
   boot = {
@@ -435,5 +435,6 @@
     loki = uidGid 989;
     vaultwarden = uidGid 988;
     oauth2_proxy = uidGid 987;
+    influxdb2 = uidGid 986;
   };
 }

hosts/ward/default.nix

@@ -40,6 +40,7 @@
     loki = defaults;
     vaultwarden = defaults;
     adguardhome = defaults;
+    influxdb = defaults;
   };
 
   #ddclient = defineVm;

hosts/ward/microvms/grafana/default.nix

@@ -35,11 +35,22 @@ in {
     group = "grafana";
   };
 
+  age.secrets.grafana-influxdb-basic-auth-password = {
+    rekeyFile = ./secrets/grafana-influxdb-basic-auth-password.age;
+    generator = "alnum";
+    mode = "440";
+    group = "grafana";
+  };
+
   nodes.sentinel = {
     age.secrets.loki-basic-auth-hashes.generator.dependencies = [
       config.age.secrets.grafana-loki-basic-auth-password
     ];
 
+    age.secrets.influxdb-basic-auth-hashes.generator.dependencies = [
+      config.age.secrets.grafana-influxdb-basic-auth-password
+    ];
+
     proxiedDomains.grafana = grafanaDomain;
 
     services.nginx = {
@@ -53,6 +64,8 @@ in {
       virtualHosts.${grafanaDomain} = {
         forceSSL = true;
         useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
+        oauth2.enable = true;
+        oauth2.allowedGroups = ["access_grafana"];
         locations."/" = {
           proxyPass = "http://grafana";
           proxyWebsockets = true;
@@ -115,6 +128,16 @@ in {
         #  url = "http://127.0.0.1:9090";
         #  orgId = 1;
         #}
+        {
+          name = "InfluxDB";
+          type = "influxdb";
+          access = "proxy";
+          url = "https://${sentinelCfg.proxiedDomains.influxdb}";
+          orgId = 1;
+          basicAuth = true;
+          basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
+          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
+        }
         {
           name = "Loki";
           type = "loki";

hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE
+fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE
+-> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq
+8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs
+-> {-grease tf)|=
+cDF+oRa+QUDN9YzV7BnKiI94C7JkDw
+--- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs
+ý­!hdÎß`0ýœ”Áìú�Rýdµ0‚k-ç·¯©	„/ðNêòìÌmø•‚¸x„Åy±Ä?7'š¡r®J=>
_¦¦\©„MMxðD˜™)

hosts/ward/microvms/influxdb/default.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  nodes,
+  utils,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
+  influxdbPort = 8086;
+in {
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];
+
+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [influxdbPort];
+  };
+
+  nodes.sentinel = {
+    proxiedDomains.influxdb = influxdbDomain;
+
+    age.secrets.influxdb-basic-auth-hashes = {
+      rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
+      # Copy only the script so the dependencies can be added by the nodes
+      # that define passwords (using distributed-config).
+      generator.script = config.age.generators.basic-auth.script;
+      mode = "440";
+      group = "nginx";
+    };
+
+    services.nginx = {
+      upstreams.influxdb = {
+        servers."${config.services.influxdb2.settings.http-bind-address}" = {};
+        extraConfig = ''
+          zone influxdb 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${influxdbDomain} = {
+        forceSSL = true;
+        useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
+        locations."/" = {
+          proxyPass = "http://influxdb";
+          proxyWebsockets = true;
+          extraConfig = ''
+            auth_basic "Authentication required";
+            auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
+
+            proxy_read_timeout 1800s;
+            proxy_connect_timeout 1600s;
+
+            access_log off;
+          '';
+        };
+        locations."= /ready" = {
+          proxyPass = "http://influxdb";
+          extraConfig = ''
+            auth_basic off;
+            access_log off;
+          '';
+        };
+      };
+    };
+  };
+
+  services.influxdb2 = {
+    enable = true;
+    settings = {
+      reporting-disabled = true;
+      http-bind-address = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
+    };
+  };
+
+  systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+}

hosts/ward/microvms/influxdb/secrets/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoiozZHb2lXv9sZGXDeL2hdYYVPTMVrxdUl/lRro4zh

hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 wIILrAv9cxwxUAj5vKlq2aXP4x0s5TNLUPN21hRPgBk
+rBkmqo+M4TIZckd3v4pGNZYCiMmLl1rYip0A4oa0gGs
+-> piv-p256 xqSe8Q AsyP5tTGP8M1MoxDDUva5fZWIhPfTa6fYwHQXkMvsN1N
+pO2L8sb6+KWYZc679rPT9RqeMpGoA2vOyczyqeQlsOQ
+-> bY$-grease {h390 xQaD N=F.Lo;C 0.j?v
+TekhIdQVm6bTHeFZaYv7LpwAmh2UyGAItBSEtCCJ+nGTCpSRavnePud9SON79S/c
+CWOGQUP3/j7CE8COpmoNTNUNdy3OopiheKI
+--- T/c3JAs9+lch5/rW0QDozLe36L5B4DhvBLqFBBwZ3f0
+·¼wÐgP?3àç·¨‹a«ÕóÏD³s™µKÛè½¾o¥Û�_ˆlø4\ÿ…
ùe¯“MlÀQR�ÄeƒåoÂ
‚?<ÅçÆ¢ó¿3��c0íÙñ5>„}Ir�<ÑDÌóã9L2•�3é…¼­jÜ& +ÀÏk³Â’‚t©¬þ~ƤO
õV
}SŒþ²¦áœöùÙ

secrets/wireguard/proxy-sentinel/keys/ward-influxdb.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 295FjSf7LoG5QxmQQB+Bg8DX3pRB5vOIbwTbXFtwXGo
+XMs+jM+N9WT48KpwV/RbbpDtoaW+zoK0eAq62MB3gjg
+-> piv-p256 xqSe8Q Ai1FhAusbT9+4D0J5c7m5Xs6yXNq9jEQMqlHR77AYmBl
+5hFesAn83jJHGHesluUKgMwmVblvRy+fEcOyKsCFwoc
+-> (J4l-grease E>Z y]Zbj.?p tXA>0AdC VZB>*+
+DGRYmQ35cn/oeaJWOW8eoQHDlFDitVTv9ZpdbLeyrxYWSgB/tNKICp5c4oshpQH7
+CVakMeDyEoK0u5zjnEJNSKSRZN8Zy39Gk2lLphg1FkiGoAJy3x2grhLSxB9mTWk
+--- Fb2rhapMETrHhajG2NLjYrLxvo62N9pThNViX25Qhls
+	Âi¾ƒ?Gmë¦ÞË¢~è¼8r×üL•¢­p"Øsß3Ò":E}j�'ùkc9™…I(XMÏí@^É5‹<Z‡âˆ‚Šµ$ÍÝÝ*1

secrets/wireguard/proxy-sentinel/keys/ward-influxdb.pub

@@ -0,0 +1 @@
+i0kH5sPZHDCxJ1yxkp7AWpqk6qpTiSnjv/M2k2VvPWY=

secrets/wireguard/proxy-sentinel/psks/sentinel+ward-influxdb.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 XAG97f4eNRbBk3BAG+EguiurZAfEcJaJtAQ3YreU5Cg
++2npFg9eLHbc34sGgm2HT3PimtokqDZcoiyqzJZzWxc
+-> piv-p256 xqSe8Q A4se2nR8oWoUjT2kNPn/5KpWbh6I7+g7JQL2pcIgpPJU
+q+oANrYE/ZBK5xGza4xcq9dpW7v4zSZrTYBlPEmc/q8
+-> =4lY>-grease \# n+FegV1c }/u d2()VUx
+N4SibufvahKqV5dmw+rkayc
+--- Tx9cpvbZ2JKVqz6t/Mcf4VMtze2aiAulTJz+Rdw53HY
+_eæΤ׭ÀÁÚR¸®ØÙHÖuD")'ùˆzÎú­f	
+Y)›X>äDyŒ=o4«ê11ã²Qmå
+Ü©­dHëpý£SˆÃ?)­2JJ