feat: enable telegraf on all server nodes; add 10 minute autorestart

2023-06-25 02:34:05 +02:00 · 2023-06-25 02:34:05 +02:00 · f606e6e554
commit f606e6e554
parent b8f647fb4a
25 changed files with 228 additions and 41 deletions
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -24,4 +24,13 @@
    enable = true;
    proxy = "sentinel";
  };
+
+  # Connect safely via wireguard to skip authentication
+  networking.hosts.${config.extra.wireguard.proxy-sentinel.ipv4} = [config.providedDomains.influxdb];
+  extra.telegraf = {
+    enable = true;
+    influxdb2.url = config.providedDomains.influxdb;
+    influxdb2.organization = "servers";
+    influxdb2.bucket = "telegraf";
+  };
 }
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -40,6 +40,15 @@
  networking.nftables.firewall = {
    zones = lib.mkForce {
      untrusted.interfaces = ["wan"];
+      proxy-sentinel.interfaces = ["proxy-sentinel"];
+    };
+    rules = lib.mkForce {
+      # Allow accessing nginx through the proxy
+      proxy-sentinel-to-local = {
+        from = ["proxy-sentinel"];
+        to = ["local"];
+        allowedTCPPorts = [80 443];
+      };
    };
  };

--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@ -22,15 +22,15 @@
  in {
    provider = "oidc";
    scope = "openid email";
-    loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2";
-    redeemURL = "https://${config.proxiedDomains.kanidm}/oauth2/token";
-    validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
+    loginURL = "https://${config.providedDomains.kanidm}/ui/oauth2";
+    redeemURL = "https://${config.providedDomains.kanidm}/oauth2/token";
+    validateURL = "https://${config.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
    clientID = clientId;
    keyFile = config.age.secrets.oauth2-proxy-secret.path;
    email.domains = ["*"];

    extraConfig = {
-      oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${clientId}";
+      oidc-issuer-url = "https://${config.providedDomains.kanidm}/oauth2/openid/${clientId}";
      provider-display-name = "Kanidm";
      #skip-provider-button = true;
    };
--- a/hosts/sentinel/secrets/telegraf-influxdb-token.age
+++ b/hosts/sentinel/secrets/telegraf-influxdb-token.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4
+KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU
+-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o
+SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk
+-> e\9`z-grease
+PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa
+RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF
+6g
+--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE
+¶ßÌÚÝp 6SD´…˜W(¶YRÜ3ƒs_Ûª/2g}ÄÜ¶§W?ub
+)‘¯/û,{÷&ƒFÿ-ŒØ5£ß/u.�p¬	\%ÊÉŸæ—üï4qÓ‰�ðÛ˜yKQk4W™3÷ËŒ
+§Óˆ[Áþ°t‡__4y× ±q�¬^/F×©*