feat: add influxdb microvm

hosts/ward/default.nix

@@ -40,6 +40,7 @@
     loki = defaults;
     vaultwarden = defaults;
     adguardhome = defaults;
+    influxdb = defaults;
   };
 
   #ddclient = defineVm;

hosts/ward/microvms/grafana/default.nix

@@ -35,11 +35,22 @@ in {
     group = "grafana";
   };
 
+  age.secrets.grafana-influxdb-basic-auth-password = {
+    rekeyFile = ./secrets/grafana-influxdb-basic-auth-password.age;
+    generator = "alnum";
+    mode = "440";
+    group = "grafana";
+  };
+
   nodes.sentinel = {
     age.secrets.loki-basic-auth-hashes.generator.dependencies = [
       config.age.secrets.grafana-loki-basic-auth-password
     ];
 
+    age.secrets.influxdb-basic-auth-hashes.generator.dependencies = [
+      config.age.secrets.grafana-influxdb-basic-auth-password
+    ];
+
     proxiedDomains.grafana = grafanaDomain;
 
     services.nginx = {
@@ -53,6 +64,8 @@ in {
       virtualHosts.${grafanaDomain} = {
         forceSSL = true;
         useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
+        oauth2.enable = true;
+        oauth2.allowedGroups = ["access_grafana"];
         locations."/" = {
           proxyPass = "http://grafana";
           proxyWebsockets = true;
@@ -115,6 +128,16 @@ in {
         #  url = "http://127.0.0.1:9090";
         #  orgId = 1;
         #}
+        {
+          name = "InfluxDB";
+          type = "influxdb";
+          access = "proxy";
+          url = "https://${sentinelCfg.proxiedDomains.influxdb}";
+          orgId = 1;
+          basicAuth = true;
+          basicAuthUser = "${nodeName}+grafana-influxdb-basic-auth-password";
+          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-influxdb-basic-auth-password.path}}";
+        }
         {
           name = "Loki";
           type = "loki";

hosts/ward/microvms/grafana/secrets/grafana-influxdb-basic-auth-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE
+fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE
+-> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq
+8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs
+-> {-grease tf)|=
+cDF+oRa+QUDN9YzV7BnKiI94C7JkDw
+--- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs
+ý­!hdÎß`0ýœ”Áìú�Rýdµ0‚k-ç·¯©	„/ðNêòìÌmø•‚¸x„Åy±Ä?7'š¡r®J=>
_¦¦\©„MMxðD˜™)

hosts/ward/microvms/influxdb/default.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  nodes,
+  utils,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
+  influxdbPort = 8086;
+in {
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];
+
+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [influxdbPort];
+  };
+
+  nodes.sentinel = {
+    proxiedDomains.influxdb = influxdbDomain;
+
+    age.secrets.influxdb-basic-auth-hashes = {
+      rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
+      # Copy only the script so the dependencies can be added by the nodes
+      # that define passwords (using distributed-config).
+      generator.script = config.age.generators.basic-auth.script;
+      mode = "440";
+      group = "nginx";
+    };
+
+    services.nginx = {
+      upstreams.influxdb = {
+        servers."${config.services.influxdb2.settings.http-bind-address}" = {};
+        extraConfig = ''
+          zone influxdb 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${influxdbDomain} = {
+        forceSSL = true;
+        useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
+        locations."/" = {
+          proxyPass = "http://influxdb";
+          proxyWebsockets = true;
+          extraConfig = ''
+            auth_basic "Authentication required";
+            auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
+
+            proxy_read_timeout 1800s;
+            proxy_connect_timeout 1600s;
+
+            access_log off;
+          '';
+        };
+        locations."= /ready" = {
+          proxyPass = "http://influxdb";
+          extraConfig = ''
+            auth_basic off;
+            access_log off;
+          '';
+        };
+      };
+    };
+  };
+
+  services.influxdb2 = {
+    enable = true;
+    settings = {
+      reporting-disabled = true;
+      http-bind-address = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
+    };
+  };
+
+  systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+}

hosts/ward/microvms/influxdb/secrets/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoiozZHb2lXv9sZGXDeL2hdYYVPTMVrxdUl/lRro4zh

hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 wIILrAv9cxwxUAj5vKlq2aXP4x0s5TNLUPN21hRPgBk
+rBkmqo+M4TIZckd3v4pGNZYCiMmLl1rYip0A4oa0gGs
+-> piv-p256 xqSe8Q AsyP5tTGP8M1MoxDDUva5fZWIhPfTa6fYwHQXkMvsN1N
+pO2L8sb6+KWYZc679rPT9RqeMpGoA2vOyczyqeQlsOQ
+-> bY$-grease {h390 xQaD N=F.Lo;C 0.j?v
+TekhIdQVm6bTHeFZaYv7LpwAmh2UyGAItBSEtCCJ+nGTCpSRavnePud9SON79S/c
+CWOGQUP3/j7CE8COpmoNTNUNdy3OopiheKI
+--- T/c3JAs9+lch5/rW0QDozLe36L5B4DhvBLqFBBwZ3f0
+·¼wÐgP?3àç·¨‹a«ÕóÏD³s™µKÛè½¾o¥Û�_ˆlø4\ÿ…
ùe¯“MlÀQR�ÄeƒåoÂ
‚?<ÅçÆ¢ó¿3��c0íÙñ5>„}Ir�<ÑDÌóã9L2•�3é…¼­jÜ& +ÀÏk³Â’‚t©¬þ~ƤO
õV
}SŒþ²¦áœöùÙ