From dfe1abdfde29a7a875406310f0d6a55fb73b84a1 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 12 Jun 2023 00:23:07 +0200
Subject: [PATCH] refactor: ward microvms are now own folders
---
 hosts/ward/default.nix | 4 +-
 hosts/ward/microvms/grafana/default.nix | 227 +++++++++++-------------
 hosts/ward/microvms/kanidm/default.nix | 139 +++++++--------
 hosts/ward/microvms/loki/default.nix | 179 +++++++++----------
 4 files changed, 258 insertions(+), 291 deletions(-)
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 07f3b72..c9af3a5 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -36,8 +36,8 @@
 };
 in {
 kanidm = defaults;
- grafana = defaultsa;
- loki = defaults
+ grafana = defaults;
+ loki = defaults;
 };
 #ddclient = defineVm;
diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index 7f207de..f95b79e 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -1,125 +1,114 @@
 {
- extra.microvms.vms.grafana = {
- system = "x86_64-linux";
- autostart = true;
- zfs = {
- enable = true;
- pool = "rpool";
+ config,
+ lib,
+ nodeName,
+ nodes,
+ utils,
+ ...
+}: {
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+
+ extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+ networking.nftables.firewall = {
+ zones = lib.mkForce {
+ proxy-sentinel.interfaces = ["proxy-sentinel"];
+ sentinel = {
+ parent = "proxy-sentinel";
+ ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+ ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+ };
+ };
+
+ rules = lib.mkForce {
+ sentinel-to-local = {
+ from = ["sentinel"];
+ to = ["local"];
+ allowedTCPPorts = [3001];
+ };
 };
 };
- microvm.vms.grafana.config = {
- config,
- lib,
- nodeName,
- nodes,
- utils,
- ...
- }: {
- age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
-
- extra.wireguard.proxy-sentinel.client.via = "sentinel";
-
- networking.nftables.firewall = {
- zones = lib.mkForce {
- proxy-sentinel.interfaces = ["proxy-sentinel"];
- sentinel = {
- parent = "proxy-sentinel";
- ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
- ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
- };
- };
-
- rules = lib.mkForce {
- sentinel-to-local = {
- from = ["sentinel"];
- to = ["local"];
- allowedTCPPorts = [3001];
- };
- };
- };
-
- age.secrets.grafana-secret-key = {
- rekeyFile = ./secrets/grafana-secret-key.age;
- mode = "440";
- group = "grafana";
- };
-
- age.secrets.loki-basic-auth-password = {
- rekeyFile = ./secrets/loki-basic-auth-password.age;
- generator = "alnum";
- mode = "440";
- group = "grafana";
- };
-
- services.grafana = {
- enable = true;
- settings = {
- analytics.reporting_enabled = false;
- users.allow_sign_up = false;
-
- server = {
- domain = nodes.sentinel.config.proxiedDomains.grafana;
- root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
- enforce_domain = true;
- enable_gzip = true;
- http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
- http_port = 3001;
- };
-
- security = {
- disable_initial_admin_creation = true;
- secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
- cookie_secure = true;
- disable_gravatar = true;
- hide_version = true;
- };
-
- auth.disable_login_form = true;
- "auth.generic_oauth" = {
- enabled = true;
- name = "Kanidm";
- icon = "signin";
- allow_sign_up = true;
- auto_login = true;
- client_id = "grafana";
- #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
- client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
- scopes = "openid email profile";
- login_attribute_path = "prefered_username";
- auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
- token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
- api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
- use_pkce = true;
- # Allow mapping oauth2 roles to server admin
- allow_assign_grafana_admin = true;
- role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
- };
- };
-
- provision = {
- enable = true;
- datasources.settings.datasources = [
- #{
- # name = "Prometheus";
- # type = "prometheus";
- # url = "http://127.0.0.1:9090";
- # orgId = 1;
- #}
- {
- name = "Loki";
- type = "loki";
- access = "proxy";
- url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
- orgId = 1;
- basicAuth = true;
- basicAuthUser = nodeName;
- secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
- }
- ];
- };
- };
-
- systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ age.secrets.grafana-secret-key = {
+ rekeyFile = ./secrets/grafana-secret-key.age;
+ mode = "440";
+ group = "grafana";
 };
+
+ age.secrets.loki-basic-auth-password = {
+ rekeyFile = ./secrets/loki-basic-auth-password.age;
+ generator = "alnum";
+ mode = "440";
+ group = "grafana";
+ };
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ analytics.reporting_enabled = false;
+ users.allow_sign_up = false;
+
+ server = {
+ domain = nodes.sentinel.config.proxiedDomains.grafana;
+ root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
+ enforce_domain = true;
+ enable_gzip = true;
+ http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
+ http_port = 3001;
+ };
+
+ security = {
+ disable_initial_admin_creation = true;
+ secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
+ cookie_secure = true;
+ disable_gravatar = true;
+ hide_version = true;
+ };
+
+ auth.disable_login_form = true;
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Kanidm";
+ icon = "signin";
+ allow_sign_up = true;
+ auto_login = true;
+ client_id = "grafana";
+ #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
+ client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
+ scopes = "openid email profile";
+ login_attribute_path = "prefered_username";
+ auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
+ token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
+ api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
+ use_pkce = true;
+ # Allow mapping oauth2 roles to server admin
+ allow_assign_grafana_admin = true;
+ role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
+ };
+ };
+
+ provision = {
+ enable = true;
+ datasources.settings.datasources = [
+ #{
+ # name = "Prometheus";
+ # type = "prometheus";
+ # url = "http://127.0.0.1:9090";
+ # orgId = 1;
+ #}
+ {
+ name = "Loki";
+ type = "loki";
+ access = "proxy";
+ url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
+ orgId = 1;
+ basicAuth = true;
+ basicAuthUser = nodeName;
+ secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
+ }
+ ];
+ };
+ };
+
+ systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix
index 5edba9e..da6a99b 100644
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
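Review bot: `client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"` in the `auth.generic_oauth` block is a literal OAuth client secret inside the module; everything under `services.grafana.settings` is rendered into the grafana.ini in the world-readable Nix store and stays in git history, so even a throwaway test value should go through the `$__file{...}` indirection that the commented-out line directly above it already sketches, the same way `secret_key` does. That needs an `age.secrets.grafana-oauth-client-secret` declaration, which does not exist in this hunk; the neighbouring `age.secrets.grafana-secret-key` block is the template for it. The commit only moves this code, but moving it into a fresh file is the moment to resolve the TODO rather than carry it along. Separately, `login_attribute_path = "prefered_username"` looks like a misspelling of the standard OIDC claim `preferred_username`; if the IdP emits the standard claim name, the lookup resolves to nothing.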
@@ -1,81 +1,70 @@
 {
- extra.microvms.vms.kanidm = {
- system = "x86_64-linux";
- autostart = true;
- zfs = {
- enable = true;
- pool = "rpool";
+ config,
+ lib,
+ nodes,
+ pkgs,
+ utils,
+ ...
+}: {
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
+
+ extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+ # TODO this as includable module?
+ networking.nftables.firewall = {
+ zones = lib.mkForce {
+ proxy-sentinel.interfaces = ["proxy-sentinel"];
+ sentinel = {
+ parent = "proxy-sentinel";
+ ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+ ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+ };
+ };
+
+ rules = lib.mkForce {
+ sentinel-to-local = {
+ from = ["sentinel"];
+ to = ["local"];
+ allowedTCPPorts = [8300];
+ };
 };
 };
- microvm.vms.kanidm.config = {
- config,
- lib,
- nodes,
- pkgs,
- utils,
- ...
- }: {
- age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
-
- extra.wireguard.proxy-sentinel.client.via = "sentinel";
-
- # TODO this as includable module?
- networking.nftables.firewall = {
- zones = lib.mkForce {
- proxy-sentinel.interfaces = ["proxy-sentinel"];
- sentinel = {
- parent = "proxy-sentinel";
- ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
- ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
- };
- };
-
- rules = lib.mkForce {
- sentinel-to-local = {
- from = ["sentinel"];
- to = ["local"];
- allowedTCPPorts = [8300];
- };
- };
- };
-
- age.secrets."kanidm-self-signed.crt" = {
- rekeyFile = ./secrets/kanidm-self-signed.crt.age;
- mode = "440";
- group = "kanidm";
- };
-
- age.secrets."kanidm-self-signed.key" = {
- rekeyFile = ./secrets/kanidm-self-signed.key.age;
- mode = "440";
- group = "kanidm";
- };
-
- services.kanidm = {
- enableServer = true;
- # enablePAM = true;
- serverSettings = {
- domain = nodes.sentinel.config.proxiedDomains.kanidm;
- origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
- tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
- tls_key = config.age.secrets."kanidm-self-signed.key".path;
- bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
- trust_x_forward_for = true;
- };
- };
-
- environment.systemPackages = [pkgs.kanidm];
-
- services.kanidm = {
- enableClient = true;
- clientSettings = {
- uri = config.services.kanidm.serverSettings.origin;
- verify_ca = true;
- verify_hostnames = true;
- };
- };
-
- systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ age.secrets."kanidm-self-signed.crt" = {
+ rekeyFile = ./secrets/kanidm-self-signed.crt.age;
+ mode = "440";
+ group = "kanidm";
 };
+
+ age.secrets."kanidm-self-signed.key" = {
+ rekeyFile = ./secrets/kanidm-self-signed.key.age;
+ mode = "440";
+ group = "kanidm";
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ # enablePAM = true;
+ serverSettings = {
+ domain = nodes.sentinel.config.proxiedDomains.kanidm;
+ origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
+ tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
+ tls_key = config.age.secrets."kanidm-self-signed.key".path;
+ bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
+ trust_x_forward_for = true;
+ };
+ };
+
+ environment.systemPackages = [pkgs.kanidm];
+
+ services.kanidm = {
+ enableClient = true;
+ clientSettings = {
+ uri = config.services.kanidm.serverSettings.origin;
+ verify_ca = true;
+ verify_hostnames = true;
+ };
+ };
+
+ systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix
index f5c50c4..463aa02 100644
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
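Review bot: `trust_x_forward_for = true` in `serverSettings` makes kanidm take the client address from the forwarded header on every connection to `bindaddress`, which is sound only because the `sentinel-to-local` nftables rule higher up restricts :8300 to the sentinel zone; the two settings sit far apart with nothing tying them together. I would annotate the line: `# Safe only because :8300 is reachable solely from the sentinel zone (the reverse proxy); revisit if the firewall rules change.` The `# TODO this as includable module?` is worth acting on now: the `networking.nftables.firewall` block is repeated verbatim in the grafana and loki files with only the port differing, so a shared module taking the port as an argument would keep the three copies from drifting. Also `services.kanidm` is assigned twice in this file (server half, then client half); merging them into one attribute set reads more clearly.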
@@ -1,113 +1,102 @@
 {
- extra.microvms.vms.loki = {
- system = "x86_64-linux";
- autostart = true;
- zfs = {
- enable = true;
- pool = "rpool";
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: {
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
+
+ extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+ networking.nftables.firewall = {
+ zones = lib.mkForce {
+ proxy-sentinel.interfaces = ["proxy-sentinel"];
+ sentinel = {
+ parent = "proxy-sentinel";
+ ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+ ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+ };
+ };
+
+ rules = lib.mkForce {
+ sentinel-to-local = {
+ from = ["sentinel"];
+ to = ["local"];
+ allowedTCPPorts = [3100];
+ };
 };
 };
- microvm.vms.loki.config = {
- config,
- lib,
- nodes,
- utils,
- ...
- }: {
- age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
+ services.loki = let
+ lokiDir = "/var/lib/loki";
+ in {
+ enable = true;
+ configuration = {
+ analytics.reporting_enabled = false;
+ auth_enabled = false;
- extra.wireguard.proxy-sentinel.client.via = "sentinel";
-
- networking.nftables.firewall = {
- zones = lib.mkForce {
- proxy-sentinel.interfaces = ["proxy-sentinel"];
- sentinel = {
- parent = "proxy-sentinel";
- ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
- ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
- };
+ server = {
+ http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
+ http_listen_port = 3100;
+ log_level = "warn";
 };
- rules = lib.mkForce {
- sentinel-to-local = {
- from = ["sentinel"];
- to = ["local"];
- allowedTCPPorts = [3100];
+ ingester = {
+ lifecycler = {
+ interface_names = ["proxy-sentinel"];
+ ring = {
+ kvstore.store = "inmemory";
+ replication_factor = 1;
+ };
+ final_sleep = "0s";
 };
+ chunk_idle_period = "5m";
+ chunk_retain_period = "30s";
 };
- };
- services.loki = let
- lokiDir = "/var/lib/loki";
- in {
- enable = true;
- configuration = {
- analytics.reporting_enabled = false;
- auth_enabled = false;
-
- server = {
- http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
- http_listen_port = 3100;
- log_level = "warn";
- };
-
- ingester = {
- lifecycler = {
- interface_names = ["proxy-sentinel"];
- ring = {
- kvstore.store = "inmemory";
- replication_factor = 1;
- };
- final_sleep = "0s";
+ schema_config.configs = [
+ {
+ from = "2023-06-01";
+ store = "tsdb";
+ object_store = "filesystem";
+ schema = "v12";
+ index = {
+ prefix = "index_";
+ period = "24h";
 };
- chunk_idle_period = "5m";
- chunk_retain_period = "30s";
- };
+ }
+ ];
- schema_config.configs = [
- {
- from = "2023-06-01";
- store = "tsdb";
- object_store = "filesystem";
- schema = "v12";
- index = {
- prefix = "index_";
- period = "24h";
- };
- }
- ];
-
- storage_config = {
- tsdb_shipper = {
- active_index_directory = "${lokiDir}/tsdb-index";
- cache_location = "${lokiDir}/tsdb-cache";
- cache_ttl = "24h";
- shared_store = "filesystem";
- };
- filesystem.directory = "${lokiDir}/chunks";
- };
-
- # Do not accept new logs that are ingressed when they are actually already old.
- limits_config = {
- reject_old_samples = true;
- reject_old_samples_max_age = "168h";
- };
-
- # Do not delete old logs automatically
- table_manager = {
- retention_deletes_enabled = false;
- retention_period = "0s";
- };
-
- compactor = {
- working_directory = lokiDir;
+ storage_config = {
+ tsdb_shipper = {
+ active_index_directory = "${lokiDir}/tsdb-index";
+ cache_location = "${lokiDir}/tsdb-cache";
+ cache_ttl = "24h";
 shared_store = "filesystem";
- compactor_ring.kvstore.store = "inmemory";
 };
+ filesystem.directory = "${lokiDir}/chunks";
+ };
+
+ # Do not accept new logs that are ingressed when they are actually already old.
+ limits_config = {
+ reject_old_samples = true;
+ reject_old_samples_max_age = "168h";
+ };
+
+ # Do not delete old logs automatically
+ table_manager = {
+ retention_deletes_enabled = false;
+ retention_period = "0s";
+ };
+
+ compactor = {
+ working_directory = lokiDir;
+ shared_store = "filesystem";
+ compactor_ring.kvstore.store = "inmemory";
 };
 };
-
- systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 };
+
+ systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
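Review bot: `auth_enabled = false` only switches off Loki's tenant-header check, and Loki performs no authentication of its own, so the basic-auth credentials the grafana datasource sends (`basicAuthUser`/`loki-basic-auth-password` in the grafana file) are not checked by anything in this module and must be enforced by the reverse proxy on sentinel, which is outside this commit. A comment on that line would stop the next reader from assuming Loki validates them, e.g. `# Loki does no authentication itself: :3100 is reachable only from the sentinel zone, and basic auth is enforced by the proxy there.` If the proxy-side check is not in place yet, the `sentinel-to-local` firewall rule is the sole thing standing between the sentinel host and unauthenticated log reads and writes, which is worth stating in the same comment.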