From ccd62a730afa0376119e52b9ff4b2e924ea18c3c Mon Sep 17 00:00:00 2001
From: oddlama
Date: Fri, 23 Jun 2023 18:07:54 +0200
Subject: [PATCH] feat: add influxdb microvm
---
 hosts/common/core/impermanence.nix | 8 ++
 hosts/common/core/system.nix | 3 +-
 hosts/ward/default.nix | 1 +
 hosts/ward/microvms/grafana/default.nix | 23 +++++
 .../grafana-influxdb-basic-auth-password.age | 9 ++
 hosts/ward/microvms/influxdb/default.nix | 81 ++++++++++++++++++
 hosts/ward/microvms/influxdb/secrets/host.pub | 1 +
 .../secrets/influxdb-basic-auth-hashes.age | 10 +++
 .../promtail-loki-basic-auth-password.age | Bin 0 -> 467 bytes
 .../loki/secrets/loki-basic-auth-hashes.age | Bin 1200 -> 1391 bytes
 .../proxy-sentinel/keys/ward-influxdb.age | 10 +++
 .../proxy-sentinel/keys/ward-influxdb.pub | 1 +
 .../psks/sentinel+ward-influxdb.age | 11 +++
 13 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age
 create mode 100644 hosts/ward/microvms/influxdb/default.nix
 create mode 100644 hosts/ward/microvms/influxdb/secrets/host.pub
 create mode 100644 hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
 create mode 100644 hosts/ward/microvms/influxdb/secrets/promtail-loki-basic-auth-password.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-influxdb.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-influxdb.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-influxdb.age
diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix
index fee4e62..50d4ad5 100644
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@@ -139,6 +139,14 @@
 group = "vaultwarden";
 mode = "0700";
 }
+ ]
+ ++ lib.optionals config.services.influxdb2.enable [
+ {
+ directory = "/var/lib/influxdb2";
+ user = "influxdb2";
+ group = "influxdb2";
+ mode = "0700";
+ }
 ];
 };
 }
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index dc3e18f..a4f4a6b 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -378,7 +378,7 @@
 echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
 ${decrypt} ${lib.escapeShellArg file} \
 | ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
- || die "Failure while aggregating caddy basic auth hashes"
+ || die "Failure while aggregating basic auth hashes"
 '');

 boot = {
@@ -435,5 +435,6 @@
 loki = uidGid 989;
 vaultwarden = uidGid 988;
 oauth2_proxy = uidGid 987;
+ influxdb2 = uidGid 986;
 };
 }
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 5456e0c..2871410 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -40,6 +40,7 @@
 loki = defaults;
 vaultwarden = defaults;
 adguardhome = defaults;
+ influxdb = defaults;
 };

 #ddclient = defineVm;
diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index 922528b..0dfa03a 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -35,11 +35,22 @@ in {
 group = "grafana";
 };

+ age.secrets.grafana-influxdb-basic-auth-password = {
+ rekeyFile = ./secrets/grafana-influxdb-basic-auth-password.age;
+ generator = "alnum";
+ mode = "440";
+ group = "grafana";
+ };
+
 nodes.sentinel = {
 age.secrets.loki-basic-auth-hashes.generator.dependencies = [
 config.age.secrets.grafana-loki-basic-auth-password
 ];

+ age.secrets.influxdb-basic-auth-hashes.generator.dependencies = [
+ config.age.secrets.grafana-influxdb-basic-auth-password
+ ];
+
 proxiedDomains.grafana = grafanaDomain;

 services.nginx = {
@@ -53,6 +64,8 @@ in {
 virtualHosts.${grafanaDomain} = {
 forceSSL = true;
 useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
+ oauth2.enable = true;
+ oauth2.allowedGroups = ["access_grafana"];
 locations."/" = {
 proxyPass = "http://grafana";
 proxyWebsockets = true;
@@ -115,6 +128,16 @@ in {
 # url = "http://127.0.0.1:9090";
 # orgId = 1;
 #}
+ {
+ name = "InfluxDB";
+ type = "influxdb";
+ access = "proxy";
+ url = "https://${sentinelCfg.proxiedDomains.influxdb}";
+ orgId = 1;
+ basicAuth = true;
+ basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
+ secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
+ }
 {
 name = "Loki";
 type = "loki";
diff --git a/hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age b/hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age
new file mode 100644
index 0000000..68310c6
--- /dev/null
+++ b/hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1 +-> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE +fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE +-> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq +8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs +-> {-grease tf)|= +cDF+oRa+QUDN9YzV7BnKiI94C7JkDw +--- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs +!hd`0Rd0k- /Nmxy?7'rJ=>  _\MMxD)
\ No newline at end of file
diff --git a/hosts/ward/microvms/influxdb/default.nix b/hosts/ward/microvms/influxdb/default.nix
new file mode 100644
index 0000000..612b635
--- /dev/null
+++ b/hosts/ward/microvms/influxdb/default.nix
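Review bot: `basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password"` in the InfluxDB datasource silently encodes the `<host>+<secret name>` user scheme that the htpasswd aggregation in hosts/common/core/system.nix produces (`${lib.escapeShellArg host}"+"${lib.escapeShellArg name}`), but nothing at the use site says so; a comment such as `# User name must match the "<node>+<secret name>" scheme produced by the basic-auth hash aggregation in hosts/common/core/system.nix` would keep the two from drifting apart. The datasource also sets no `jsonData.version`, `organization` or `defaultBucket`, so which query language and scope Grafana is expected to use is not visible here; a one-line comment stating the intended setup would help. The `oauth2.enable`/`oauth2.allowedGroups` options on the grafana vhost in the first hunk are presumably provided by a repo-local nginx extension on sentinel rather than by nixpkgs; a short comment pointing at that module would save a reader the search.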
@@ -0,0 +1,81 @@
+{
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
+ influxdbPort = 8086;
+in {
+ imports = [
+ ../../../../modules/proxy-via-sentinel.nix
+ ];
+
+ extra.promtail = {
+ enable = true;
+ proxy = "sentinel";
+ };
+
+ networking.nftables.firewall.rules = lib.mkForce {
+ sentinel-to-local.allowedTCPPorts = [influxdbPort];
+ };
+
+ nodes.sentinel = {
+ proxiedDomains.influxdb = influxdbDomain;
+
+ age.secrets.influxdb-basic-auth-hashes = {
+ rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
+ # Copy only the script so the dependencies can be added by the nodes
+ # that define passwords (using distributed-config).
+ generator.script = config.age.generators.basic-auth.script;
+ mode = "440";
+ group = "nginx";
+ };
+
+ services.nginx = {
+ upstreams.influxdb = {
+ servers."${config.services.influxdb2.settings.http-bind-address}" = {};
+ extraConfig = ''
+ zone influxdb 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${influxdbDomain} = {
+ forceSSL = true;
+ useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
+ locations."/" = {
+ proxyPass = "http://influxdb";
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_basic "Authentication required";
+ auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
+
+ proxy_read_timeout 1800s;
+ proxy_connect_timeout 1600s;
+
+ access_log off;
+ '';
+ };
+ locations."= /ready" = {
+ proxyPass = "http://influxdb";
+ extraConfig = ''
+ auth_basic off;
+ access_log off;
+ '';
+ };
+ };
+ };
+ };
+
+ services.influxdb2 = {
+ enable = true;
+ settings = {
+ reporting-disabled = true;
+ http-bind-address = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
+ };
+ };
+
+ systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+}
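Review bot: `auth_basic` in `locations."/"` and InfluxDB's own authentication both live in the HTTP `Authorization` header, and nginx passes that header through to the upstream unchanged, so InfluxDB receives the proxy's basic-auth credentials instead of a `Token`; unless the plan is to map these users onto InfluxDB's v1-compatibility auth, decide which side owns the header (for a pure proxy gate, `proxy_set_header Authorization "";` after the check) and document it in a comment on the location. `locations."= /ready"` disables both authentication and the access log, which exposes a probe endpoint on the public hostname with no record of who calls it; restricting it with an `allow`/`deny` list to the hosts that actually poll it, or at least leaving the access log on, would keep that visible. `proxy_connect_timeout 1600s;` is far above the roughly 75-second ceiling nginx documents for connect timeouts, so the value has no effect and reads as if it were meant for `proxy_read_timeout`; `proxy_connect_timeout 60s;` states what actually happens. The `lib.mkForce` on `networking.nftables.firewall.rules` discards any firewall rules another module on this host (the imported `proxy-via-sentinel.nix`, for instance) might contribute; if that is deliberate, a one-line comment saying so would stop a future reader from "fixing" it.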
diff --git a/hosts/ward/microvms/influxdb/secrets/host.pub b/hosts/ward/microvms/influxdb/secrets/host.pub new file mode 100644 index 0000000..a929802 --- /dev/null +++ b/hosts/ward/microvms/influxdb/secrets/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoiozZHb2lXv9sZGXDeL2hdYYVPTMVrxdUl/lRro4zh diff --git a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age new file mode 100644 index 0000000..f08d727 --- /dev/null +++ b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 wIILrAv9cxwxUAj5vKlq2aXP4x0s5TNLUPN21hRPgBk +rBkmqo+M4TIZckd3v4pGNZYCiMmLl1rYip0A4oa0gGs +-> piv-p256 xqSe8Q AsyP5tTGP8M1MoxDDUva5fZWIhPfTa6fYwHQXkMvsN1N +pO2L8sb6+KWYZc679rPT9RqeMpGoA2vOyczyqeQlsOQ +-> bY$-grease {h390 xQaD N=F.Lo;C 0.j?v +TekhIdQVm6bTHeFZaYv7LpwAmh2UyGAItBSEtCCJ+nGTCpSRavnePud9SON79S/c +CWOGQUP3/j7CE8COpmoNTNUNdy3OopiheKI +--- T/c3JAs9+lch5/rW0QDozLe36L5B4DhvBLqFBBwZ3f0 +wgP?3編aDsK轾oۏ_l4\eMlQReo?<3c05>}Ir<D9L23酼j&+k’t~ƤO V}S \ No newline at end of file diff --git a/hosts/ward/microvms/influxdb/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/influxdb/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000000000000000000000000000000000000..34cd284d9f8a4cc1a48f57080e56c98ee8e04ac2 GIT binary patch literal 467 zcmWm7yN{D#003|=PGU?n#=%G8cbBL`MM?{lZ!w|JS_&+4) zZWrTpgKiGq1N{OqN9^>(B0t{bH9J!H}nvW0yoa1bQ%T^!q_8LB!)i(R)wZX z2zVuStU)Q0I8yD`>?VxiaJ=cG=3IhwGp1U-#xiJi*Q}6WBCAzOmf+0!29d9-=3Er% z?5`ZxCQDd#YipNt}h1#(++uO=~K{l zvyD8^Clkqsp`yx~Lm;eeX+2tRGe*0@rJWRx{DsaJCava-2M4_g>AKlMp=vP<&#rs8 z#5wnIFGj-z0Y$9s0*}mD&@~`Tn5@|^`uS4FWFdWALGa}6{K?t3gOB2~Ol!#c{dV}rr zX<$c1y<{x{164i!AjCc$3V)9-pS$_x>fJx9AIhG4;lt63i{F1;>1=O&{I-*9&AsjM xsP^^qwfE0}p+0_h>B*hvw+{b3Iz0g=FVA0pbNlV-Pq;rNU%j6FZtS#<{{t3+oq7NO literal 0 HcmV?d00001 
diff --git a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age index 8c1a251586fbcff46fbc8b8f0cac8837e60ea2d5..25345663faf19fa00d9171d0adb2da63d637134e 100644 GIT binary patch delta 1376 zcmV-m1)ut`3GWJ!Ab&DNQgm%*P-HhkS2l1faZoFEPj^XWF;RDUNn%(|G&4sqXL3kZ zPH$gW_L{(yGY&Ju2ICw}eH!yc?Wl?8UYcx?$NeV4K zAaH4REpRe5HXwL$Q)M_&AVE1+QZ;8cOgCChZ8tYZT5m%)Z+}8sT5xtuD_J&6YGYzK zb2&(BWJD`XH8u)%MKM(|Y%+0LQFv`IYFcJxYgR~PSx7KZO-FZka#JuxG&x5|MlWeK zFIfsLJ|KEEHEmu%LoH`=Wnpt=AareODlj%SOdum^DRFCEM<7-=Phc@jrF@JA$WH)APH*qm}ba_uobvHL|LNjGBX>?{rRcU!Id2cptR%%dFY)?Ts zK~^w0HF9Y%Sy2itEiE8rWpZgkWi(7nNqJ*QbWn0yS#NYSS9McVVR?3TNLOhuLREQT zL3waVS8objo5qPyAV46veJzOVO7#`c3Fzj=oU# zLusOi$SLXxUJ^-Jh?;Vm%vxlxjAfz8m-C8FzsV6}lwg$+5ak>n3p}Rn0Cumu!aH>a ztp$Zx!B%*dJ*RAnzxJy?_nCeJ)yn7K=!BTi(9-ByY6A+Bb#P+)FTo`(YjUktr*>eI z-ain(e&*kYjy>a)lOsKeIEbjs+3xeW7f5M?Qhy(UOcI~a$jG}^Mcd-E_$yAii!%ku zqFM9CrxuRfKL;r9?;@d!%3}4sMF_oC>(6Phho%=8Ik3&#LGWMvDV}NkdYu;~^aNEM z%6%(b?C})Lt6n^vYWmL!>c2;kIbd1y-~LdlV5v-9r~kY9r=4G_qtt3D;acpZA2if! 
zynk>637|Q@=`KdvJyAn4X8#dUPX#`);sRqjrY}I#Hv>cL?4F<7V<*opt=R8S&*|$8 zd$d^bP)%*iAxg8%-xnPA*YA#Pg(B_}6W!NrLnF)R(PlscQb^FxBhJL?(2SO_@D&uo z+_jv9P0p8HNPl~$Vyec~MkI76UMka|M}HonmYCJ4*FW_NP$T;_#-@^ILr))+YgP<# z8I_eFGRI6dx*E_wi)Pj!HzzbUA;qaD@6#H^w9mnpu!i!Y&JLk0tE7zkg;yqXv6Wnwy)NnIF`P70xMEpj%7rl8Z)nB;j3^s4B0=HS;tsy~OY-FYvOo>+{y#bA(ciCGlyPZjD*#^^Y z@)xGt;E}vq>kMS6rzVT+udl}^DP3K>()z0QH%_>2y)w%`kgcD*>J*h%kKk-mBj(D@ zz#zvZh3fX_sXr%d5H!uW;IN((&duU&}=NvCTZDTzChq+y_r44H$p`XKGclwt|@P3-{N0Kp5n(}UP+3Q iu5n{%6LD+Xn4a-k0bK%a4K6H7(?r|25-e_x1plzkXK;7` delta 1184 zcmV;R1Yi5_3a|-~Ab&=0Q9(3nV`y$^SWIIyOHN2KIYciva8hkBcQH#sYj=2AV@!5O zS4B@%O$tLnb$TyTba8WUYAZ@NdSW;-T5MTPdT((-ODkwkWkGRNd1+O8NltEKRSGRW zAaH4REpRe5HXwL$Q)M_&AVGC8Mpe>FECF}Y;QPcMPWi?PfTJ_K|@eZQc^Eb7de$d1p5-F$zpHPH0d;3N0-yAVp~~a5FYpc`rg(bV4*T zcxPv3Xh>N}Vt;Z=X=ZR(T4FJ4G)gj7M0aE~YYGFxp@GG^aVmMG&BHFq-uM|$R6jz8 zLa@$yM91sBtFAN-9rR({&H30b2B=!0lYgS&XyKrDd7m?cu3B5WOO)&k zd2IL?^1?bMVkK*!{(%nH2iR3DrtzTwZ{?gp&FJ8mo;O=QSr*LLqfbzN0HPIl@v$cZB4z>fT z$m4p*1X>JQ)uuGKBfaXnS#40}j24Uqf}b_+Un-}2U1=5RQvc;6DADoOb1KX^#T3dA zO+f91JcV0<>%JAD{BGN)`tMRpTU;Ef0~d{Z{(qK2pwuA8{hA8s%yN&8)1KF`xw5&F z1mjemGKN~=pi!)h2Sc{t?rR{b{FjGsN{o-A}wPZ;V2vZ3=)5TteX#pJR`OwSh#JOhw z?ti?tTrKg5cRk-LG3-uzDFFl`V#qsbw-Ie#HX8;gAqXSEpO^F1U)riYU`3_nV9?MW z?66-j*Wpscids;OD%M6!$%oV9m=?2%{_rL@CBXRZqM7_f$roy|PXfHzEMJC2Y!$rk z2$_ZW(_U?Ip$h-@hD_f=kMC;}a%L&hFn^2O#tP?E7G2YNu3E8#79C~A5kHhdSqX?Z zcCn1YZCw355Xl<=)qBgio?T9tDO3NN!AnU45sXxWVJKV1nV}K4B$_H08=l{)kWimeSddbL^aOfeSAo1Mue>$ec5Xa;(xnf z&U|9YFav8`l2d!7I>)=DQB(0Q$)ZI*p8np_IW}%iNzIa(T})W9J!$R2MFE4$w|ZIN zQ8A_WQH&}O`e#t2c{3J`ld}k;<)GQ<{k0=Bae44{mRczLs X25519 295FjSf7LoG5QxmQQB+Bg8DX3pRB5vOIbwTbXFtwXGo +XMs+jM+N9WT48KpwV/RbbpDtoaW+zoK0eAq62MB3gjg +-> piv-p256 xqSe8Q Ai1FhAusbT9+4D0J5c7m5Xs6yXNq9jEQMqlHR77AYmBl +5hFesAn83jJHGHesluUKgMwmVblvRy+fEcOyKsCFwoc +-> (J4l-grease E>Z y]Zbj.?p tXA>0AdC VZB>*+ +DGRYmQ35cn/oeaJWOW8eoQHDlFDitVTv9ZpdbLeyrxYWSgB/tNKICp5c4oshpQH7 +CVakMeDyEoK0u5zjnEJNSKSRZN8Zy39Gk2lLphg1FkiGoAJy3x2grhLSxB9mTWk +--- 
Fb2rhapMETrHhajG2NLjYrLxvo62N9pThNViX25Qhls + i?Gmˢ~8rLp"s3":E}j'kc9I(XM@^ 5 X25519 XAG97f4eNRbBk3BAG+EguiurZAfEcJaJtAQ3YreU5Cg ++2npFg9eLHbc34sGgm2HT3PimtokqDZcoiyqzJZzWxc +-> piv-p256 xqSe8Q A4se2nR8oWoUjT2kNPn/5KpWbh6I7+g7JQL2pcIgpPJU +q+oANrYE/ZBK5xGza4xcq9dpW7v4zSZrTYBlPEmc/q8 +-> =4lY>-grease \# n+FegV1c }/u d2()VUx +N4SibufvahKqV5dmw+rkayc +--- Tx9cpvbZ2JKVqz6t/Mcf4VMtze2aiAulTJz+Rdw53HY +_eΤ׭RHuD")'zf +Y)X>Dy=o411Qm +ܩdHpS?)2JJ \ No newline at end of file