From d6af975817b64a253f95b99bdac6de2758f7c403 Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 18 Jun 2023 14:31:23 +0200 Subject: [PATCH] feat: enable promtail on all vms --- README.md | 10 ++--- flake.lock | 42 +++++++++--------- hosts/ward/microvms/grafana/default.nix | 9 +++- .../promtail-loki-basic-auth-password.age | 10 +++++ hosts/ward/microvms/kanidm/default.nix | 5 +++ .../promtail-loki-basic-auth-password.age | Bin 0 -> 438 bytes hosts/ward/microvms/loki/default.nix | 7 ++- .../loki/secrets/loki-basic-auth-hashes.age | Bin 600 -> 1130 bytes .../promtail-loki-basic-auth-password.age | 11 +++++ hosts/ward/microvms/vaultwarden/default.nix | 5 +++ .../promtail-loki-basic-auth-password.age | 10 +++++ modules/promtail.nix | 2 +- 12 files changed, 81 insertions(+), 30 deletions(-) create mode 100644 hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age create mode 100644 hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age create mode 100644 hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age create mode 100644 hosts/ward/microvms/vaultwarden/secrets/promtail-loki-basic-auth-password.age diff --git a/README.md b/README.md index ab4a4ec..202b5b7 100644 --- a/README.md +++ b/README.md 
@@ -136,15 +136,15 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ ```bash # Recover admin account (server must not be running) -> systemctl stop kanidmd -> kanidmd recover_account -c server.toml admin -aM4Fk1dvM8AjyYzuVsFuxGkY4PqcVJaZwaHSfvFQGvFkH2Ez -> systemctl start kanidmd +> systemctl stop kanidm +> kanidmd recover-account -c server.toml admin +AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp +> systemctl start kanidm # Login with recovered root account > kanidm login --name admin # Generate new credentials for idm_admin account > kanidm service-account credential generate -D admin idm_admin -cVXKuT9LGpCN0RTjgjEG52bPFANxbPKbT9LjSb3H4K2NeW2g +Yk0W24SQGzkLp97DNxxExCcryDLvA7Q2dR0A7ZuaVQevLR6B # Generate new oauth2 app for grafana > kanidm group create grafana-access > kanidm group create grafana-server-admins diff --git a/flake.lock b/flake.lock index f8fcf49..449ba50 100644 --- a/flake.lock +++ b/flake.lock @@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1686617801, - "narHash": "sha256-fXNOCYjuFL4427jRW9C5xdc7KSJKhoFxXbBrxE3kibU=", + "lastModified": 1687090623, + "narHash": "sha256-LdlH20WGKY1ebO3YJ85gPgmMPlGJUP4JUdqM+k5MsZw=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "787efa41f1611403320517bbd41cd7cb7ebdf93d", + "rev": "317558abbec903324e6d38393e2e84b42c25f479", "type": "github" }, "original": { @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1686545384, - "narHash": "sha256-XniReOaWLjubBAXk6Wx2Ny6/b9Xdsx3viLhhs7ycuWw=", + "lastModified": 1687028856, + "narHash": "sha256-vKV3I31tmXwaWHiUOgfDVd27cEHqaPBr1lt9+NKdIp8=", "owner": "nix-community", "repo": "disko", - "rev": "55eea2030a42845102334eb29f054f0c6604a32c", + "rev": "64c9c78c15fd4c899d857bf09dba88bda771b43a", "type": "github" }, "original": { 
@@ -210,11 +210,11 @@ ] }, "locked": { - "lastModified": 1686604884, - "narHash": "sha256-AkfxSmGGvNMtyXt1us9Lm8cMeIwqxpkSTeNeBQ00SL8=", + "lastModified": 1687081547, + "narHash": "sha256-/JV70TxhvP2r4xYtTlbQ2rrRDcj7MqHnF13r5ZE0oFc=", "owner": "nix-community", "repo": "home-manager", - "rev": "b01eb1eb3b579c74e6a4189ef33cc3fa24c40613", + "rev": "28c823032cabfaa340a09e1d84cf45d11375c644", "type": "github" }, "original": { @@ -260,11 +260,11 @@ ] }, "locked": { - "lastModified": 1686444102, - "narHash": "sha256-6J+pkUauanh6qfvyD80ngYZSyUmdmngMaO4TFY2Z0OA=", + "lastModified": 1686962046, + "narHash": "sha256-QE5I3/ONKubR2lvLwUbsS4OaOPc9gTburw9OBcYfgdw=", "owner": "astro", "repo": "microvm.nix", - "rev": "551239936a1c86479f6026658c4d1f1a3635d286", + "rev": "484e6e2209a0ead8ea43a9a79b193026026becfc", "type": "github" }, "original": { @@ -296,11 +296,11 @@ ] }, "locked": { - "lastModified": 1685943944, - "narHash": "sha256-GpaQwOkvwkmSWxvWaZqbMKyyOSaBAwgdEcHCqLW/240=", + "lastModified": 1686924781, + "narHash": "sha256-6r3Hm2Fxf4F7LIWRYKU9bsS/xJwlG6L2+/I/pdffvOs=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "122dcc32cadf14c5015aa021fae8882c5058263a", + "rev": "a54683aa7eff00ee5b33dec225525d0eb6ab02de", "type": "github" }, "original": { @@ -311,11 +311,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1686452266, - "narHash": "sha256-zLKiX0iu6jZFeZDpR1gE6fNyMr8eiM8GLnj9SoUCjFs=", + "lastModified": 1686838567, + "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2a807ad6e8dc458db08588b78cc3c0f0ec4ff321", + "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", "type": "github" }, "original": { 
@@ -388,11 +388,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1686213770, - "narHash": "sha256-Re6xXLEqQ/HRnThryumyGzEf3Uv0Pl4cuG50MrDofP8=", + "lastModified": 1686668298, + "narHash": "sha256-AADh9NqHh6X2LOem4BvI7oCkMm+JPCSCE7iIw5nn0VA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "182af51202998af5b64ddecaa7ff9be06425399b", + "rev": "5b6b54d3f722aa95cbf4ddbe35390a0af8c0015a", "type": "github" }, "original": { diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix index b83185a..028f570 100644 --- a/hosts/ward/microvms/grafana/default.nix +++ b/hosts/ward/microvms/grafana/default.nix @@ -13,6 +13,11 @@ in { ../../../../modules/proxy-via-sentinel.nix ]; + extra.promtail = { + enable = true; + proxy = "sentinel"; + }; + networking.nftables.firewall.rules = lib.mkForce { sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port]; }; @@ -81,7 +86,7 @@ in { auto_login = true; client_id = "grafana"; #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}"; - client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret + client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret scopes = "openid email profile"; login_attribute_path = "prefered_username"; auth_url = "https://${sentinelCfg.proxiedDomains.kanidm}/ui/oauth2"; @@ -110,7 +115,7 @@ in { url = "https://${sentinelCfg.proxiedDomains.loki}"; orgId = 1; basicAuth = true; - basicAuthUser = nodeName; + basicAuthUser = "${nodeName}:grafana-loki-basic-auth-password"; secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}"; } ]; diff --git a/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..c1c6f93 
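Review bot: The replacement `client_secret = "…"` line in the second grafana/default.nix hunk still embeds the OAuth client secret as a string literal in the Nix expression, so it is copied into the world-readable Nix store and stays in git history; the commit only swaps one value for another. The `$__file{${config.age.secrets.grafana-oauth-client-secret.path}}` form is already present on the commented-out line directly above, and the loki datasource in the third hunk reads its password the same way. If this is genuinely a throwaway test value as the trailing comment says, extend the TODO to state what prevents enabling the file-provider line; otherwise restore that line and drop the literal. The enclosing attribute set starts and ends outside the hunk.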
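Review bot: `basicAuthUser = "${nodeName}:grafana-loki-basic-auth-password"` in the third grafana/default.nix hunk puts a colon inside the Basic-auth user-id, which RFC 7617 forbids because the credential is transmitted as `user-id:password` and receivers cut at the first colon; as far as I can tell Caddy uses Go's standard `BasicAuth()` parsing, so the request would be seen as user `<nodeName>` with the remainder folded into the password and rejected with 401. The loki-side hash aggregation in this patch writes the same `host":"name` user-id, so both sides need a colon-free separator, e.g. `basicAuthUser = "${nodeName}-grafana-loki-basic-auth-password";` with the aggregation changed to match. Since the two formats must agree exactly, a comment on this line would help the next reader: `# Must match the user-id format written by the loki basic-auth hash aggregation.` The datasource list continues outside the hunk.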
--- /dev/null +++ b/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 eJWTsTZwak+CdL0UPXcav0OmE2WFV525MS71EUREQRI +4EVofvIdJooLW5GIGUMnKbjdBGvaq5PJc59pTcWfi2I +-> piv-p256 xqSe8Q A54r2NQ4TDs0tzJs3hAOLIfwL/63kxw8UrFSyFUOoOpX +BYs5RA4H1GgIiWp9hI0dsMQh43kOOKQjGvNeJjezbz0 +-> %jrC:-grease ; +kSYxb5Aa4C7zMe+2nsSw+hn+xyU7EmVDznX5k7acTOOlEfUQOlUAiF4DhObUsFgS +Rz045u3t6SK7p0tqkYI/84chCJPfDc0wxVBiE2poYkZrs96a2iJa5LUw8oUiXlo +--- ueHYLEER0SQZdLT9eKJZVPdiFynhP7SgfwvTAbzHRco +L* #ZVbɪF> +xȃYf$ޟ T=n(@y *wXeq^# \ No newline at end of file diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix index 8272ce9..29b262a 100644 --- a/hosts/ward/microvms/kanidm/default.nix +++ b/hosts/ward/microvms/kanidm/default.nix @@ -14,6 +14,11 @@ in { ../../../../modules/proxy-via-sentinel.nix ]; + extra.promtail = { + enable = true; + proxy = "sentinel"; + }; + networking.nftables.firewall.rules = lib.mkForce { sentinel-to-local.allowedTCPPorts = [kanidmPort]; }; diff --git a/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000000000000000000000000000000000000..d7fed3a2c751e056511118343b602602635f0e1d GIT binary patch literal 438 zcmWm7yKd7^002<77Edhfu8@krxbd}P*A^00oH&i^G_jqe&5bI-wR7V*FF$eZl(vHM z0Sp-#paLW)f`tWjVq-vTOdTqAh=73=)bj%eIhe*1JIwsp^(HG`=;RVW(09l-%kw}Y zRYwg+wGDmDU^l?4qGs3mkV-UtY|4EOV`WsZ6F7~y^*rHn9a{?q-7?~V1`3mnP17VEbaD`)dOo1GC!FN Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2 - echo -n ${lib.escapeShellArg host}" " + echo -n ${lib.escapeShellArg host}":"${lib.escapeShellArg name}" " ${decrypt} ${lib.escapeShellArg file} \ | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \ || die "Failure while aggregating caddy basic auth hashes" 
diff --git a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age index 24fd8480b91be99e86931dabbd40c2b31fe3c8ea..63dcba521dd2cf703e7017211e7aa396f66c4ca9 100644 GIT binary patch delta 1113 zcmV-f1g87g1nLNoAb&z_XGCyoG)QekF+*1`K}9uLOE+~kWOhYCYIQkjV@EemQ*TsB zD^*fzX9`v;MsQP2LS|Jkcu_f2G-*>XSYcIYRV!~uV{t1`O5G=EQ6K{G@!L1Io~Q7=YI zGILgIS65?tLqQ5?Z#PFoSz1L(dN*omPE%M%MrT7eXlZ43XGAzRZ)QP6XJa&PO)_$F zbubDoJ|Hk8B04rPDlKPnWnpt=AYCmhI9wo7J6mB?dq7YiS153JUrJISBz!VRduB#` z3Tii1GEX&PWPe9!R8dnmV{|lnN>DRmLUA@tMNw3EQcGcXPeDjjaBXp7S!6_GH%w4i zW==$9NqT2tR#HcCVKNG3S~W~+b}~3~L|S4;SXM@FOgA=UM{qJTMOt@9FE~XwHBM+Z zS8ZZtY%4=}M{`zgRW*2INo8U*SVM6)dS+t^Y*7j=Eq^T_H&IPbLPctENmWg8SvOHP zS2S-@R5VI2N;7G1K}B+EN>fE;aW!`|QaN`DA{;&b{YHp?z~7|o>Ju%4Pn%d_o^kjk z4PX>>Sex9!f<}g}G}g&Nsb$100=m~?z@#yU>-A`#ik=w>4yk_cEHRab<2SjN%^|Le z<`Rep(|>MZ`OF{B)=H1=rR60&jf_GTXD{sY^-gX;hEAd5trYN=WHC46s! zGmDY5;lrk@lABNm(qYbODeP>1EKsfvs|B6XDksn9Oy9C~7l^A@=nE^EG2I)g*jwNC z;KZNK+l!`($FvVHDs(g$-a)PR^46`eP%bU#Zh!BA_U|>BZxW_D(k9;1uFDqZg9 zL|ZiQ=+?cE-p18;AU7PzjOUg6LgkP$uSf|BD~!mNy_i%NwTPabG}EC(=oYTmYJUcVgW4DUg1u>jq}dIDO+U$bIHC3a@AT7z zv{aid-TFXpn83=}t#IaFQhk*R>|jAJ$MBwc@x24nY;AbIaC>X8xiVe|iWQ}aW&cx6 zj(xOrmGE8#1?&rX=t#KXCf6S6SB!>WmKggGnSGeGqARn#DFiAdd}Muxe+t$fAW}sx zH0n^T74T}K+?tS*s{{fOEBsv?Nc#sII&huUN)3c!4}c~yLM1gR(w7E30HvMF^dV(Y f3*|qDHl}VN7*vOm#VO zbvJouV+t^KX-`))Z!b_$MQB=PT1HQJG*x(FQbI#VRaiq=V|GM#HgY&XXaY|%PYcY3D zYAbL~ZgNI*Id%$0Vpec-FlbCPSa4xbcydWXMr}fAD`7NQOG#=}S#xnhYEC&ycY1JZ zP&f)LJ|JE%KYBM!WG!cMWnpt=AW=kSO=nb33SujFG-qltS$K0cZ(~A3N=`OGXG}z4 zWHB!*MOrIJT7NKlc1?CiN@03*cx6dwPE1pCX>o5tZZb!3cUU$_V_6DWS8z;jPcue$ zF?eBBIZAPEIY>%Lad}xsMp!XVHDp3;c4u`la&c#Pd31MaMMYyoT47jEK`~lMb#O%r zEiEk|Fltz1Su;yeI4ep`b5S-cb!bdQGGbFPc1K}#FMnuqGGaAaL^4xJRcm5J3b~5( z7Ct}_A2KLgo^#G7pN6z#5W7o`x{^G1iEGwz;H;`zBvus4Tf}A^U&fJSEp@b-iR<6J zpL|~5*T%xOmQgo>V@bzsD(2wYAK9~?3%r1{oRkos5tW#kv@-hfdS_!*;(B2n{ 
diff --git a/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..99228b2 --- /dev/null +++ b/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 3x+QeciEIcDcJO3U+0386XIoJtOVn3b4myIxWOgDxjs +oFCwl+TjzC6kjDcEm2CNgHuWIta/j9Zq9c9ZvoDAKBc +-> piv-p256 xqSe8Q Ax9ZRwkb1UMUmpqg8U1vPU3+8wnWxOA3AkvPEjMDvduj +e/iORb0ckijeWEg9N4IpBP+YxCB2eZnEt1FgcwrAL8c +-> mcyx X25519 3mvQNS9Df1Kw6g4DK2OezJLlhRjeJuzoqu2LcQXobV8 +zsBLhAEhcUcun3GsDMP69zDqlhaYXIw3bNUGP7w0fWQ +-> piv-p256 xqSe8Q AwmwPRJqCuGx5lVPro9yRP0vRvpkgufB/MwRRgYi3VZl +3TvviCPeB4uSQc1raS5F4ky6IClqo+duR7jDPBrlE4M +-> o-grease i0o: +r` +LIUlecnKyS32IU1xbPVKqNN86PaiJP6ujjX7NCwUZD+PgvWWTxiiEdJMJbGO1fZ+ +9En9Ekiq7mGnLsRIMiWFAaoT8ZYe8ymuK4AOTG2Lb6s +--- Hc8thFUczd8KIKMgQruJC8/9k1O22DPzEizmk7rlJt0 +mu©:MQQfx˂?7