feat: enable promtail on all vms

2025-10-11 07:10:39 +02:00 · 2023-06-18 14:31:23 +02:00 · 2023-06-18 14:31:23 +02:00 · d6af975817
commit d6af975817
parent 4d5813a2ad
12 changed files with 81 additions and 30 deletions
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -13,6 +13,11 @@ in {
    ../../../../modules/proxy-via-sentinel.nix
  ];

+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
  networking.nftables.firewall.rules = lib.mkForce {
    sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
  };
@ -81,7 +86,7 @@ in {
        auto_login = true;
        client_id = "grafana";
        #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
-        client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
+        client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
        scopes = "openid email profile";
        login_attribute_path = "prefered_username";
        auth_url = "https://${sentinelCfg.proxiedDomains.kanidm}/ui/oauth2";
@ -110,7 +115,7 @@ in {
          url = "https://${sentinelCfg.proxiedDomains.loki}";
          orgId = 1;
          basicAuth = true;
-          basicAuthUser = nodeName;
+          basicAuthUser = "${nodeName}:grafana-loki-basic-auth-password";
          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
        }
      ];
--- a/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 eJWTsTZwak+CdL0UPXcav0OmE2WFV525MS71EUREQRI
+4EVofvIdJooLW5GIGUMnKbjdBGvaq5PJc59pTcWfi2I
+-> piv-p256 xqSe8Q A54r2NQ4TDs0tzJs3hAOLIfwL/63kxw8UrFSyFUOoOpX
+BYs5RA4H1GgIiWp9hI0dsMQh43kOOKQjGvNeJjezbz0
+-> %jrC:-grease ;
+kSYxb5Aa4C7zMe+2nsSw+hn+xyU7EmVDznX5k7acTOOlEfUQOlUAiF4DhObUsFgS
+Rz045u3t6SK7p0tqkYI/84chCJPfDc0wxVBiE2poYkZrs96a2iJa5LUw8oUiXlo
+--- ueHYLEER0SQZdLT9eKJZVPdiFynhP7SgfwvTAbzHRco
+·�Á’L*
#�Z”“�VbÉªF>Âë
‰+ƒ¿ßxÈƒYfé$õá®ö¬ÞŸ	‡T ›=n«(�@y¾çÃ*†—‚wXeq�^Ê#‚
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -14,6 +14,11 @@ in {
    ../../../../modules/proxy-via-sentinel.nix
  ];

+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
  networking.nftables.firewall.rules = lib.mkForce {
    sentinel-to-local.allowedTCPPorts = [kanidmPort];
  };
--- a/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -12,6 +12,11 @@ in {
    ../../../../modules/proxy-via-sentinel.nix
  ];

+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
  networking.nftables.firewall.rules = lib.mkForce {
    sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
  };
@ -36,7 +41,7 @@ in {
            file,
          }: ''
            echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
-            echo -n ${lib.escapeShellArg host}" "
+            echo -n ${lib.escapeShellArg host}":"${lib.escapeShellArg name}" "
            ${decrypt} ${lib.escapeShellArg file} \
              | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
              || die "Failure while aggregating caddy basic auth hashes"
--- a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
+++ b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
--- a/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 3x+QeciEIcDcJO3U+0386XIoJtOVn3b4myIxWOgDxjs
+oFCwl+TjzC6kjDcEm2CNgHuWIta/j9Zq9c9ZvoDAKBc
+-> piv-p256 xqSe8Q Ax9ZRwkb1UMUmpqg8U1vPU3+8wnWxOA3AkvPEjMDvduj
+e/iORb0ckijeWEg9N4IpBP+YxCB2eZnEt1FgcwrAL8c
+-> mcyx<Hk-grease
+npBOgSbaCG2/DizSzk9Ynaoq9T4mfFDujSptkpkRXzn247iR6kSYAGkjWN6eqCsH
+DrECWw
+--- 2tgfQ7Ff2bUUDo24ceUiyDiNHoK+UbIFqmCv74dGQ/E
+ø�Hój¡øvkÑ³€êØj’c¦ˆBÑMQÉ{§Óœ‰	¤¦‹¸Ûkf`Ãˆp]�‡w²ª5’€�”çå¬'`:£Ó?]
+@gr
--- a/hosts/ward/microvms/vaultwarden/default.nix
+++ b/hosts/ward/microvms/vaultwarden/default.nix
@ -12,6 +12,11 @@ in {
    ../../../../modules/proxy-via-sentinel.nix
  ];

+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
  age.secrets.vaultwarden-env = {
    rekeyFile = ./secrets/vaultwarden-env.age;
    mode = "440";
--- a/hosts/ward/microvms/vaultwarden/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/vaultwarden/secrets/promtail-loki-basic-auth-password.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 3mvQNS9Df1Kw6g4DK2OezJLlhRjeJuzoqu2LcQXobV8
+zsBLhAEhcUcun3GsDMP69zDqlhaYXIw3bNUGP7w0fWQ
+-> piv-p256 xqSe8Q AwmwPRJqCuGx5lVPro9yRP0vRvpkgufB/MwRRgYi3VZl
+3TvviCPeB4uSQc1raS5F4ky6IClqo+duR7jDPBrlE4M
+-> o-grease i0o: +r`
+LIUlecnKyS32IU1xbPVKqNN86PaiJP6ujjX7NCwUZD+PgvWWTxiiEdJMJbGO1fZ+
+9En9Ekiq7mGnLsRIMiWFAaoT8ZYe8ymuK4AOTG2Lb6s
+--- Hc8thFUczd8KIKMgQruJC8/9k1O22DPzEizmk7rlJt0
+mßu�ìÙßëÂ©¾:MQ¾QÏöóf˜’¨x½Ë‚Í?7< ‰ÊØkPÏ!é3ÀU›ršudÛè;æfÜkkªÖ€‹ØÀEncÚÏ˜‚gÅj