feat: add influxdb microvm

2025-10-11 07:10:39 +02:00 · 2023-06-23 18:07:54 +02:00 · 2023-06-23 18:07:54 +02:00 · ccd62a730a
commit ccd62a730a
parent eb9ee0bf0d
13 changed files with 157 additions and 1 deletions
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -139,6 +139,14 @@
          group = "vaultwarden";
          mode = "0700";
        }
      ]
      ++ lib.optionals config.services.influxdb2.enable [
        {
          directory = "/var/lib/influxdb2";
          user = "influxdb2";
          group = "influxdb2";
          mode = "0700";
        }
      ];
  };
 }
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@ -378,7 +378,7 @@
      echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
      ${decrypt} ${lib.escapeShellArg file} \
        | ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
-        || die "Failure while aggregating caddy basic auth hashes"
+        || die "Failure while aggregating basic auth hashes"
    '');
  boot = {
@ -435,5 +435,6 @@
    loki = uidGid 989;
    vaultwarden = uidGid 988;
    oauth2_proxy = uidGid 987;
    influxdb2 = uidGid 986;
  };
 }
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -40,6 +40,7 @@
    loki = defaults;
    vaultwarden = defaults;
    adguardhome = defaults;
    influxdb = defaults;
  };
  #ddclient = defineVm;
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -35,11 +35,22 @@ in {
    group = "grafana";
  };
  age.secrets.grafana-influxdb-basic-auth-password = {
    rekeyFile = ./secrets/grafana-influxdb-basic-auth-password.age;
    generator = "alnum";
    mode = "440";
    group = "grafana";
  };
  nodes.sentinel = {
    age.secrets.loki-basic-auth-hashes.generator.dependencies = [
      config.age.secrets.grafana-loki-basic-auth-password
    ];
    age.secrets.influxdb-basic-auth-hashes.generator.dependencies = [
      config.age.secrets.grafana-influxdb-basic-auth-password
    ];
    proxiedDomains.grafana = grafanaDomain;
    services.nginx = {
@ -53,6 +64,8 @@ in {
      virtualHosts.${grafanaDomain} = {
        forceSSL = true;
        useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
        oauth2.enable = true;
        oauth2.allowedGroups = ["access_grafana"];
        locations."/" = {
          proxyPass = "http://grafana";
          proxyWebsockets = true;
@ -115,6 +128,16 @@ in {
        #  url = "http://127.0.0.1:9090";
        #  orgId = 1;
        #}
        {
          name = "InfluxDB";
          type = "influxdb";
          access = "proxy";
          url = "https://${sentinelCfg.proxiedDomains.influxdb}";
          orgId = 1;
          basicAuth = true;
          basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
        }
        {
          name = "Loki";
          type = "loki";
--- a/hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age
+++ b/hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE
 fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE
 -> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq
 8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs
 -> {-grease tf)|=
 cDF+oRa+QUDN9YzV7BnKiI94C7JkDw
 --- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs
 ý!hdÎß`0ýœ”Áìú�Rýdµ0‚k-ç·¯©	„/ðNêòìÌmø•‚¸x„Åy±Ä?7'š¡r®J=>_¦¦\©„MMxðD˜™)
--- a/hosts/ward/microvms/influxdb/default.nix
+++ b/hosts/ward/microvms/influxdb/default.nix
@ -0,0 +1,81 @@
 {
  config,
  lib,
  nodes,
  utils,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
  influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
  influxdbPort = 8086;
 in {
  imports = [
    ../../../../modules/proxy-via-sentinel.nix
  ];
  extra.promtail = {
    enable = true;
    proxy = "sentinel";
  };
  networking.nftables.firewall.rules = lib.mkForce {
    sentinel-to-local.allowedTCPPorts = [influxdbPort];
  };
  nodes.sentinel = {
    proxiedDomains.influxdb = influxdbDomain;
    age.secrets.influxdb-basic-auth-hashes = {
      rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
      # Copy only the script so the dependencies can be added by the nodes
      # that define passwords (using distributed-config).
      generator.script = config.age.generators.basic-auth.script;
      mode = "440";
      group = "nginx";
    };
    services.nginx = {
      upstreams.influxdb = {
        servers."${config.services.influxdb2.settings.http-bind-address}" = {};
        extraConfig = ''
          zone influxdb 64k;
          keepalive 2;
        '';
      };
      virtualHosts.${influxdbDomain} = {
        forceSSL = true;
        useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
        locations."/" = {
          proxyPass = "http://influxdb";
          proxyWebsockets = true;
          extraConfig = ''
            auth_basic "Authentication required";
            auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
            proxy_read_timeout 1800s;
            proxy_connect_timeout 1600s;
            access_log off;
          '';
        };
        locations."= /ready" = {
          proxyPass = "http://influxdb";
          extraConfig = ''
            auth_basic off;
            access_log off;
          '';
        };
      };
    };
  };
  services.influxdb2 = {
    enable = true;
    settings = {
      reporting-disabled = true;
      http-bind-address = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
    };
  };
  systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
--- a/hosts/ward/microvms/influxdb/secrets/host.pub
+++ b/hosts/ward/microvms/influxdb/secrets/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoiozZHb2lXv9sZGXDeL2hdYYVPTMVrxdUl/lRro4zh
--- a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
+++ b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 wIILrAv9cxwxUAj5vKlq2aXP4x0s5TNLUPN21hRPgBk
 rBkmqo+M4TIZckd3v4pGNZYCiMmLl1rYip0A4oa0gGs
 -> piv-p256 xqSe8Q AsyP5tTGP8M1MoxDDUva5fZWIhPfTa6fYwHQXkMvsN1N
 pO2L8sb6+KWYZc679rPT9RqeMpGoA2vOyczyqeQlsOQ
 -> bY$-grease {h390 xQaD N=F.Lo;C 0.j?v
 TekhIdQVm6bTHeFZaYv7LpwAmh2UyGAItBSEtCCJ+nGTCpSRavnePud9SON79S/c
 CWOGQUP3/j7CE8COpmoNTNUNdy3OopiheKI
 --- T/c3JAs9+lch5/rW0QDozLe36L5B4DhvBLqFBBwZ3f0
 ·¼wÐgP?3àç·¨‹a«ÕóÏD³s™µKÛè½¾o¥Û�_ˆlø4\ÿ…ùe¯“MlÀQR�ÄeƒåoÂ‚?<ÅçÆ¢ó¿3��c0íÙñ5>„}Ir�<ÑDÌóã9L2•�3é…¼jÜ& +ÀÏk³Â’‚t©¬þ~Æ¤O
õV}SŒþ²¦áœöùÙ
--- a/hosts/ward/microvms/influxdb/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/influxdb/secrets/promtail-loki-basic-auth-password.age
--- a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
+++ b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
--- a/secrets/wireguard/proxy-sentinel/keys/ward-influxdb.age
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-influxdb.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 295FjSf7LoG5QxmQQB+Bg8DX3pRB5vOIbwTbXFtwXGo
 XMs+jM+N9WT48KpwV/RbbpDtoaW+zoK0eAq62MB3gjg
 -> piv-p256 xqSe8Q Ai1FhAusbT9+4D0J5c7m5Xs6yXNq9jEQMqlHR77AYmBl
 5hFesAn83jJHGHesluUKgMwmVblvRy+fEcOyKsCFwoc
 -> (J4l-grease E>Z y]Zbj.?p tXA>0AdC VZB>*+
 DGRYmQ35cn/oeaJWOW8eoQHDlFDitVTv9ZpdbLeyrxYWSgB/tNKICp5c4oshpQH7
 CVakMeDyEoK0u5zjnEJNSKSRZN8Zy39Gk2lLphg1FkiGoAJy3x2grhLSxB9mTWk
 --- Fb2rhapMETrHhajG2NLjYrLxvo62N9pThNViX25Qhls
 	Âi¾ƒ?Gmë¦ÞË¢~è¼8r×üL•¢p"Øsß3Ò":E}j�'ùkc9™…I(XMÏí@^É5‹<Z‡âˆ‚Šµ$ÍÝÝ*1
--- a/secrets/wireguard/proxy-sentinel/keys/ward-influxdb.pub
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-influxdb.pub
@ -0,0 +1 @@
 i0kH5sPZHDCxJ1yxkp7AWpqk6qpTiSnjv/M2k2VvPWY=
--- a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-influxdb.age
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-influxdb.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> X25519 XAG97f4eNRbBk3BAG+EguiurZAfEcJaJtAQ3YreU5Cg
 +2npFg9eLHbc34sGgm2HT3PimtokqDZcoiyqzJZzWxc
 -> piv-p256 xqSe8Q A4se2nR8oWoUjT2kNPn/5KpWbh6I7+g7JQL2pcIgpPJU
 q+oANrYE/ZBK5xGza4xcq9dpW7v4zSZrTYBlPEmc/q8
 -> =4lY>-grease \# n+FegV1c }/u d2()VUx
 N4SibufvahKqV5dmw+rkayc
 --- Tx9cpvbZ2JKVqz6t/Mcf4VMtze2aiAulTJz+Rdw53HY
 _eæÎ¤×ÀÁÚR¸®ØÙHÖuD")'ùˆzÎúf	
 Y)›X>äDyŒ=o4«ê11ã²Qmå
 Ü©dHëpý£SˆÃ?)2JJ
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoiozZHb2lXv9sZGXDeL2hdYYVPTMVrxdUl/lRro4zh`
		`@ -0,0 +1 @@`
							`i0kH5sPZHDCxJ1yxkp7AWpqk6qpTiSnjv/M2k2VvPWY=`