modules/nixos/monitoring: move to agenix

zowoq 2024-10-24 14:54:16 +10:00
parent 5be8586b31
commit 065e315647
7 changed files with 42 additions and 76 deletions


@ -1,68 +0,0 @@
nix-community-matrix-bot-token: ENC[AES256_GCM,data:p9sQnsEIJEGi6AYLxemCN/zkf+lx6dEjrIVfFD28DWtOvCxIy7QKImWIMsbOjWHW/0sjHQYoGwDBrrBzpYed3+AK38J+WEnCi6MSGQ==,iv:BdV3bMjuXFLFTvcXLL/2l08qonIXHFtUvpj2QM0n3Ws=,tag:EhCwGinqZZuLa5CIpCaKeA==,type:str]
nginx-basic-auth-file: ENC[AES256_GCM,data:andS+j0bOp4m7Xty1RuAmyNGz36rUChhl4dtY+mvguHzei2lYDfdZWilx2VUFT5mmsWCeyrT5otVVg==,iv:BuawT6dsaI6s/vXbfG2HijUBzHec2D47w8KRj6Bba2Y=,tag:PjkfdKhjWmP6+NKFGEPijg==,type:str]
nginx-basic-auth-password: ENC[AES256_GCM,data:ne6h4KoBo7dNkrKhe4thFkgE/EmIOkfzDh0Bag==,iv:ZsHANsb6PI4a84K81fM1PHtPPa0mi8nYLfh1A9CbaqY=,tag:IYQyFasarwh/EPZ3iUNX3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTHNIYkY2eE1rWnVDVlk1
ZXg0ZFJEQ0JlNEYwOFZRNUh3K0I5L2lKNkFrCkl1c01YNDZobHM2djhSdGEyVklL
V1I0UzRqY0hxUm1oajZNZXB0a2JyeGsKLS0tIDlPUU1XVStkZUppM09NclkyRDFu
UC80VU01SS96dytmWkdHeHBkZzlsT2sKTbRmdfN5l3tFqi0bXQ5FQheunbabSBZ4
bGpju602wejkNx9L3rmHQCVTkRncr4UqYVeezRLq8rdBsPePsssYnQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTHR5Zm0yR1crQi9ITjQx
Zlh2SXpnN1pmSGRseHFRTzhKMFhNL0h5d0hBCm0vQWNmSVhaTm4yN3pVeHhZbk5r
ZE9zM2VXSU9RV2IzMXlQNFFhNXZGeEkKLS0tIC9JNm9VVEFZM0FPSjJSS2VkbkVD
THNidzhQempPdmQzdklKSUJlTThjaXMKJ1DzntjD0Zca0NVNUIcMj1gAErnFqcfi
1f7w5PLIJZ0zTR+c2ozAYj+O/lD6cxA9q3cgdkFJRDIG/UP0sHuQ+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbUJ4RGVKcFFHeUUwTC8x
Sy9rUjg1elo2eW9kNmw4RklCbVRNUjdQQXpnCjBzQ1p3VDFxUkdyeXZLVUNta2l6
dmtLYUE2L29ueFp1OWtHRHB6SCtvekkKLS0tIFc0a3EzengwR1cwekxqeEQ4YWhn
T21CNzNCU2NqeWwzMEw4UkJjcnlSd0UKf+1tn7/+0+RDWU0PLk2zGqOaXNLnhqK9
IhvbJrI+/dsY7fsPxR9c+p3z8TFltb3Q0jgUlmcujQ1VyTJB9qiu2Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybHRHZUU0dEFzdXIxQWtL
RGRKZm9uWVRWd0tDTDVPdFJGT1liY01HbUI4CkY3SFFwS1Y2UGprUDhkdlFibXBT
MWZUbDdEb2JBZ2x1VFJsWVVtZUY5NXcKLS0tIDdTY21jc2llM3ZoeUhpbzBnMTFQ
am5LMVgyVGRhdnRVUjZ6QlFWbDVTWE0KF6gctt/6t9WGhNQMXdfk+KctwUYKnEGq
ed+xCZ7flm2ifY3l8baaX1jVaYU56xsNnhNGyxVzfgbDOXnlPEcN+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ1dDQVZLN3RCYVo5bkFm
ZkZYNlUwYU9adnZqck5kYjM4OHAwSWtta2c4CmltckJnRTZnR2VVSnZjYnZwQnFB
OXJkZHpkSVdFN29qMkZ2c2JzcFB6OTgKLS0tIHY5SVB3TGp6L2txeU1YUmJBNitr
dFIwN1BIb1dWc1hPZUYxWU9ob0xVR28KnsuH74n4c0beUwyAoN6j4BbUYUFRmJA2
6RFl032mjGu/k2eeGc5gV8CqBtyOTualqWt9P/+efWrVT4p1FMsbDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZmxhWFZ1WE5adXhlaUpp
cno1VDBtY0I4Q253UW9SaUc3UzZyc0tyamtVClprLzkvOCthanRha3JGWU85YmVh
OTFLSldvREhiNFk0TU9ZTW5rd25oN0kKLS0tIEFMbXBlaWNQQWJqYUlJRi9ZcW84
QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9
LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-30T03:19:37Z"
mac: ENC[AES256_GCM,data:TScUSdUv+SEG2MJ5MdCP7/zuCDG857erbLYG1Vp3/4d3Pvq//Jp5nVtnFSw9Y63Do/r1gzfmiU/B4HFbn40hVo7+/KjKOl8wb9qUheh2UaW+m+gd05mDjjQvrnTVjJJ8/Rj4/kFYvYzsPag8KY37CG0dBqiE7esyk9hUf7kv/4w=,iv:gCsM4oGq0zAR1r0E5xeKAGezXSyh9Eqho/rsU+3x3E8=,tag:A/0KP15zdJUpS3fc9z6/0A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -8,12 +8,15 @@
./telegraf.nix
];
sops.secrets.nginx-basic-auth-file.owner = "nginx";
age.secrets.nginx-basic-auth-file = {
file = "${inputs.self}/secrets/nginx-basic-auth-file.age";
owner = "nginx";
};
services.nginx.virtualHosts."monitoring.nix-community.org" = {
locations."/".return = "302 https://nix-community.org/monitoring";
locations."/alertmanager/" = {
basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path;
basicAuthFile = config.age.secrets.nginx-basic-auth-file.path;
proxyPass = "http://localhost:9093/";
};
locations."/prometheus/".proxyPass = "http://localhost:9090/";
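Review bot: `locations."/prometheus/".proxyPass` on the last line of this hunk carries no `basicAuthFile`, while `/alertmanager/` just above it is gated by the migrated `config.age.secrets.nginx-basic-auth-file.path`. If the Prometheus UI and query API are meant to be reachable without credentials, a comment on that line such as `# public on purpose: no basic auth` would record the decision; if not, the same `basicAuthFile` should be set for that location. The virtualHost block continues past the end of the hunk, so a setting for this location further down cannot be ruled out from here.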


@ -1,9 +1,16 @@
{ config, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
let
matrixHook = pkgs.matrix-hook;
in
{
sops.secrets.nix-community-matrix-bot-token = { };
age.secrets.nix-community-matrix-bot-token = {
file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age";
};
users.users.matrix-hook = {
isSystemUser = true;
@ -27,7 +34,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${matrixHook}/bin/matrix-hook";
EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ];
Restart = "always";
RestartSec = "10";
User = "matrix-hook";
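Review bot: `age.secrets.nix-community-matrix-bot-token` in the first hunk sets only `file`, with no `owner`, although the unit in the second hunk runs as `User = "matrix-hook"`; that deserves a comment. With agenix's documented defaults the decrypted file is root-owned with mode 0400, which works because systemd reads `EnvironmentFile` before it drops to the service user. I would add `# root-owned on purpose: systemd reads EnvironmentFile before switching to User=` above the `file =` line so the owner is not loosened later by mistake. The `serviceConfig` block starts and ends outside the second hunk, so the rest of the unit's settings cannot be assessed from here.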


@ -8,6 +8,7 @@ accounts:
- name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str]
totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str]
emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str]
nginx-basic-auth-password: ENC[AES256_GCM,data:THXCfzuXXEsEARk1Hz4eEtzqqzzbf/IF0hHy,iv:mvOu8CSomzUYzpt1PkhSeBMgwHluUtTQZHozi6Am+RM=,tag:itQJu7Dp/N48BJMYTleuqw==,type:str]
ssh_host_ed25519_key:
build01: ENC[AES256_GCM,data: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,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str]
build02: ENC[AES256_GCM,data:kwc1rs7xbKod7+vV9yDNqAZMmTqencDe6LTMqxihNLuvGny1atjJ/4cf2vnWEyPar4AvqLtawbIexowbpgyzIiJBKskw0voUgUan0TMH7dsjeZtcdnBSsGWDlcBSjq8bK+yfNMWxwaq7FB9eTJkhN41UhQwqXIVpitEJg0LQcz7+BeQnYhCMnMOc+AG78zIZK+lbzAikejFJUV1A0/kmEl9VirBTpGqxhsiPUSCpAq9c3mE16f31YF9bUn9Dr/4gLW42xxbt/+6psDstKlKgfldzC+izCCCfL1qKcKz7RtyLX37O1MkQqLWvC5I5XRt81tKPOgmtjtGSM0iYmx9zy6FKGJlWqHGNb5K+g1NugWuKMzkBQNoWIypS/yHUY9R3eLa6JJM+tfE/Hvw4Q6/4HGBePMauULd/sgTC8D6o+6023a9ZdC6vdwAWzgWzhbG8uN8vjRR9JKy8/tzgzWJsR4PvPFw9ka0HbRMjigmMxZ817Z6iB2BcO2xmJvD5hP2YpPKCNLQzUznq0vh1s91C,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str]
@ -111,8 +112,8 @@ sops:
MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/
oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-16T07:30:20Z"
mac: ENC[AES256_GCM,data:nzK1E2M4gnsY/z6KG8uMsOau+Q96u/gRmXue9jA0BKEErEWA2AYg5p9Ig+pRWwhq1BdEN9PbjKBmuEmSTWdfFijbM7NaRSHelpUIccfoiMMW51/MHFiEMt7euCLE2i9O7q1Vx7br+NaHu+fqctrx1ikOXaWNhM6Q6NJ1NY0Z5dU=,iv:1S1NsVtILala9zBFMfEqxpokscpPW+Frq+T1qyrmVYI=,tag:87SYZkvSdqYldcVJnnw2/A==,type:str]
lastmodified: "2024-10-26T00:28:59Z"
mac: ENC[AES256_GCM,data:Ds3v0YTPxlpV+QTtRs1Lq3LyvnVXVU4Hp37mGOwrAgD76ek19dyMPVeJu1Q9QZwYcoSrq7GccQvo/GfTM+WVxW48B3aH+qeUye9RcdV6SYLmtQANhUyyBQurzyN7sJt2qyOWsE/VpF3NViUMkVYhLqwd/wYIiaEVmCaEpkjHp38=,iv:Vhoj+Vm8n8VcQZhmGOZU9OVZ0S+VxrZEZ178yx8aezk=,tag:D4p7Az+LqC7eQkI2QIyVfA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.9.1


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 meza2g tOhoYzkG+lCD2ONeWe32iOT+qCOvFFM2MOSTMw86ck4
N4xw2JWB0BvQy12lIb1CS4QifkiFCHHHYBep9XzhpFI
-> ssh-rsa ALNSWw
lzYsNzDw+FQRwcgk2ezjfw4fr5PundiR+As4Xa/OCsHFZa94QVhBVlFzgtB5nO8s
wnoENRSQIkYqzJtGxAF8VGOvGpOsuIxNLNy/AvN4YeXYVvhPlpZjRmkCKpWG2r1w
gprc+2VdUVjeUJiWYYhCZdn62yMXS0HI+aC8eLghtovl4dhWKh4sq8SMlNtzHLKZ
D1nLY2rDNM+u00NEMMTOr879zfp4LHAsaol0HJrc3BnC1KmyYFd4dTivwVEU1X/r
jw+mv8duQrbXJHckf8si7GuwQxsA0eDxKQb0y8F2hIMAkmAUMsvrJF0kyPS3UGyp
qkby51wMLIOzzvcrgJ9KJQ
-> ssh-ed25519 Qi7vNw hiomOFHJB1MuK7rf6x6lDr6CvTMo3CN9x4/rYov6lD4
ILX7g5TugewxzJuHF3Og06135rohMLs+vhnrcGlTO6s
-> ssh-ed25519 MW0fCg 5gofg/CnnH3aI7WnAMqHd5P7Gvyb9XV8M7v1FF8TdXU
wwLUGvVGngz1rMZa0eIVSwf0TmUqQHTPjZDgubtoMgk
-> ssh-ed25519 92bXiA OcbjXruCXI43g/mJC/I65m7I/p04OHNWUXZuFa2vUEM
5+NimqArjB+cbSNMh53LUmmBlXiecjdjcilS9zYVE2w
-> ssh-ed25519 h1lenA mtoPhHkVeGkSwirRAvcfHgwdZrmWalB8KEwBFfix2xE
FyCMnN2MzQmuCjYF+cElRl1wAPumz8mAgJFzMcUXfk0
--- u5BHJScdFfK3/JdJs5dLFGTGUmX0wPAo5jra3cmYI1c
`óþ¾»¼2Îï κÈw¿¯ Ì<>b3f²Ê6yÊ:é®ÌÀ1q—iAîµ óì²9G´wò“WÃeSð鯙üÁmÇô~<13>×£ñ,f„âøƒ%=éùQÍO6

Binary file not shown.


@ -15,6 +15,7 @@ let
build03 = knownHosts.build03.publicKey;
build04 = knownHosts.build04.publicKey;
darwin02 = knownHosts.darwin02.publicKey;
web02 = knownHosts.web02.publicKey;
secrets = {
hercules-binary-caches = [
@ -36,6 +37,8 @@ let
build02
build03
];
nginx-basic-auth-file = [ web02 ];
nix-community-matrix-bot-token = [ web02 ];
};
in
builtins.listToAttrs (