From b01db30564fe54a6f1435bc5060bfed4f7134267 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Sun, 24 Nov 2024 11:31:47 +1000
Subject: [PATCH] modules/nixos/monitoring: switch to oauth-proxy for alertmanager

---
 modules/nixos/monitoring/default.nix      | 13 +++--------
 modules/nixos/monitoring/oauth2-proxy.nix | 24 +++++++++++++++++++++++
 secrets.yaml                              |  5 ++---
 secrets/nginx-basic-auth-file.age         | 20 -------------------
 secrets/oauth2-proxy-key-file.age         | 20 +++++++++++++++++++
 secrets/secrets.nix                       |  2 +-
 6 files changed, 50 insertions(+), 34 deletions(-)
 create mode 100644 modules/nixos/monitoring/oauth2-proxy.nix
 delete mode 100644 secrets/nginx-basic-auth-file.age
 create mode 100644 secrets/oauth2-proxy-key-file.age

diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 2d7cdd6..81cb3f2 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -1,24 +1,17 @@
-{ config, inputs, ... }:
+{ inputs, ... }:
 {
   imports = [
     inputs.srvos.nixosModules.roles-prometheus
     ./alert-rules.nix
     ./grafana.nix
     ./matrix-hook.nix
+    ./oauth2-proxy.nix
     ./prometheus.nix
     ./telegraf.nix
   ];
-  age.secrets.nginx-basic-auth-file = {
-    file = "${inputs.self}/secrets/nginx-basic-auth-file.age";
-    owner = "nginx";
-  };
-
   services.nginx.virtualHosts."alertmanager.nix-community.org" = {
-    locations."/" = {
-      basicAuthFile = config.age.secrets.nginx-basic-auth-file.path;
-      proxyPass = "http://localhost:9093/";
-    };
+    locations."/".proxyPass = "http://localhost:9093/";
   };
   services.nginx.virtualHosts."grafana.nix-community.org" = {
     locations."/" = {
diff --git a/modules/nixos/monitoring/oauth2-proxy.nix b/modules/nixos/monitoring/oauth2-proxy.nix
new file mode 100644
index 0000000..09a98fb
--- /dev/null
+++ b/modules/nixos/monitoring/oauth2-proxy.nix
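Review bot: After this hunk nothing in default.nix itself authenticates the alertmanager vhost any more — `locations."/".proxyPass` is a bare proxy and the `basicAuthFile` is gone — so the vhost is only protected for as long as `./oauth2-proxy.nix` stays imported and keeps `"alertmanager.nix-community.org"` in `services.oauth2-proxy.nginx.virtualHosts`. A comment on the `services.nginx.virtualHosts."alertmanager.nix-community.org"` line, e.g. `# auth is enforced via auth_request by oauth2-proxy.nix; do not serve this vhost without it`, would record that cross-file dependency. Since Alertmanager's UI and API allow creating silences, an unauthenticated exposure would be more than read-only. The grafana vhost attribute set continues past the end of the hunk.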
@@ -0,0 +1,24 @@
+{ config, inputs, ... }:
+{
+  age.secrets.oauth2-proxy-key-file = {
+    file = "${inputs.self}/secrets/oauth2-proxy-key-file.age";
+    owner = "oauth2-proxy";
+  };
+
+  # https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/github
+  services.oauth2-proxy = {
+    enable = true;
+    provider = "github";
+    github = {
+      org = "nix-community";
+      team = "admin";
+    };
+    clientID = "Ov23liKOQPREko8sCk6F";
+    keyFile = config.age.secrets.oauth2-proxy-key-file.path;
+    nginx.domain = "alertmanager.nix-community.org";
+    nginx.virtualHosts = {
+      "alertmanager.nix-community.org" = { };
+    };
+    email.domains = [ "*" ];
+  };
+}
diff --git a/secrets.yaml b/secrets.yaml
index a6a1e23..e075025 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -8,7 +8,6 @@ accounts:
 - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str]
   totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str]
   emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str]
-nginx-basic-auth-password: ENC[AES256_GCM,data:THXCfzuXXEsEARk1Hz4eEtzqqzzbf/IF0hHy,iv:mvOu8CSomzUYzpt1PkhSeBMgwHluUtTQZHozi6Am+RM=,tag:itQJu7Dp/N48BJMYTleuqw==,type:str]
 ssh_host_ed25519_key:
   build01: ENC[AES256_GCM,data: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,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str]
   build02: ENC[AES256_GCM,data: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,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str]
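Review bot: With `email.domains = [ "*" ]`, the only authorization gate in front of alertmanager.nix-community.org is the GitHub `org`/`team` check, and nothing in the file says so; a comment above `github = {` such as `# access is granted solely by nix-community/admin team membership; email.domains = [ "*" ] deliberately disables the email allow-list` would stop a later edit from loosening `team` without seeing the consequence. `cookie.secret` is not set in this module, so the age-encrypted `keyFile` presumably has to carry `OAUTH2_PROXY_COOKIE_SECRET` alongside `OAUTH2_PROXY_CLIENT_SECRET`; the diff cannot show the file's contents, so a comment on `keyFile` naming the variables it is expected to provide would make rotation unambiguous. It is also worth confirming that the scope oauth2-proxy ends up requesting includes `read:org`, which GitHub's team-membership lookup needs; if the module's default scope does not include it, set `scope = "user:email read:org";` explicitly next to `provider`.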
@@ -112,8 +111,8 @@ sops: MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/ oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-26T00:28:59Z" - mac: ENC[AES256_GCM,data:Ds3v0YTPxlpV+QTtRs1Lq3LyvnVXVU4Hp37mGOwrAgD76ek19dyMPVeJu1Q9QZwYcoSrq7GccQvo/GfTM+WVxW48B3aH+qeUye9RcdV6SYLmtQANhUyyBQurzyN7sJt2qyOWsE/VpF3NViUMkVYhLqwd/wYIiaEVmCaEpkjHp38=,iv:Vhoj+Vm8n8VcQZhmGOZU9OVZ0S+VxrZEZ178yx8aezk=,tag:D4p7Az+LqC7eQkI2QIyVfA==,type:str] + lastmodified: "2024-11-24T01:03:20Z" + mac: ENC[AES256_GCM,data:XA6/nsjHlpn7kgFPdifYKdWgswuq6vXmIBpzfRAPgucYZiaxWhinuv5tXKXgI5b0wPwVWb40l6poE2qA5ExOXKV5tzk0uPEaNVlPDEB5z24Ya5eXhOWMhxlSlfeCM+xPyY/egsFhg/Ewm0eax/nHKsZYOZw7a9RYr2Ch42G6xk4=,iv:smuKPEdbHGg4JH27mOsFulSLu0ATJsjX0oZe9LlGBPQ=,tag:HA34KNDy7yrkkBqie+CIGA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/secrets/nginx-basic-auth-file.age b/secrets/nginx-basic-auth-file.age deleted file mode 100644 index 83ac83a..0000000 --- a/secrets/nginx-basic-auth-file.age +++ /dev/null 
@@ -1,20 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 meza2g tOhoYzkG+lCD2ONeWe32iOT+qCOvFFM2MOSTMw86ck4 -N4xw2JWB0BvQy12lIb1CS4QifkiFCHHHYBep9XzhpFI --> ssh-rsa ALNSWw -lzYsNzDw+FQRwcgk2ezjfw4fr5PundiR+As4Xa/OCsHFZa94QVhBVlFzgtB5nO8s -wnoENRSQIkYqzJtGxAF8VGOvGpOsuIxNLNy/AvN4YeXYVvhPlpZjRmkCKpWG2r1w -gprc+2VdUVjeUJiWYYhCZdn62yMXS0HI+aC8eLghtovl4dhWKh4sq8SMlNtzHLKZ -D1nLY2rDNM+u00NEMMTOr879zfp4LHAsaol0HJrc3BnC1KmyYFd4dTivwVEU1X/r -jw+mv8duQrbXJHckf8si7GuwQxsA0eDxKQb0y8F2hIMAkmAUMsvrJF0kyPS3UGyp -qkby51wMLIOzzvcrgJ9KJQ --> ssh-ed25519 Qi7vNw hiomOFHJB1MuK7rf6x6lDr6CvTMo3CN9x4/rYov6lD4 -ILX7g5TugewxzJuHF3Og06135rohMLs+vhnrcGlTO6s --> ssh-ed25519 MW0fCg 5gofg/CnnH3aI7WnAMqHd5P7Gvyb9XV8M7v1FF8TdXU -wwLUGvVGngz1rMZa0eIVSwf0TmUqQHTPjZDgubtoMgk --> ssh-ed25519 92bXiA OcbjXruCXI43g/mJC/I65m7I/p04OHNWUXZuFa2vUEM -5+NimqArjB+cbSNMh53LUmmBlXiecjdjcilS9zYVE2w --> ssh-ed25519 h1lenA mtoPhHkVeGkSwirRAvcfHgwdZrmWalB8KEwBFfix2xE -FyCMnN2MzQmuCjYF+cElRl1wAPumz8mAgJFzMcUXfk0 ---- u5BHJScdFfK3/JdJs5dLFGTGUmX0wPAo5jra3cmYI1c -`�����2Λ� κ�w���̐b3f��6y�:���1q�iA ��9G�w�W�eS�鯙��m��~�ף�,f����%=��Q�O6 \ No newline at end of file diff --git a/secrets/oauth2-proxy-key-file.age b/secrets/oauth2-proxy-key-file.age new file mode 100644 index 0000000..a92ec43 --- /dev/null +++ b/secrets/oauth2-proxy-key-file.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 meza2g fzLc8IHnc4PPrzITLwBg+VOlLQvDwsJrZhOsRliZ/jc +7GCGfgEtInqaAGISBCIBOjDGkDXbpZYXpOV3HyMt3r8 +-> ssh-rsa ALNSWw +m3hoX1WRsEQ0M3oyavPldhx0q1VTOVCdNNgk8E6wNijHfPe4ClujH/McAaX3hDs1 +f2tnO9OH4t02p03j3cTQsEFMCorDT8qd7er0Ago2NcpVK5FOvOdnShkDAf4RGqLM +v2CXsdoClsZoQJf59MfgGnAYQh9KzXs1mTKb+2Rv4eza4gcFucmVRuuyOpwkkwha +iCbKJKMpJ/zymxf2InrHMkrvFoRho5DmV9X82PeXjspEMoYryVStAPlrrUjYrddV +wXmdazvj/K/Kj7xjhakgvxQTCZbGxG5WbvPMFr2wK3FK2KJr0X0ZzigLGwfWzp+u +ak5IV9ake9jlicFS/mUdYg +-> ssh-ed25519 Qi7vNw sRlOqwFcfIZsyIGtBWSeAFZBb8uv/PJye57nxVVjzUs +B+jZMYeoNNr5fn2AjUtLWB7u2EXgTZpm3F5JmNRGiTc +-> ssh-ed25519 MW0fCg CfEoiC6q23tNDYBc/Fe64ous4qz2Nv+p/U4oM+PLFzE +7Cca1MFSHqt/NDMQrj4w2mtLV6oUvfknLaRFk2fzYLo +-> ssh-ed25519 92bXiA jCV9d+0AiLupdV6OqmsiocUcdmDK4Cqhxz/CsHzORww +heBzRcZle76rd3R/fMxrLvo9di/9u/JQukmbIWK8s28 +-> ssh-ed25519 h1lenA fxkWlT1SKm3V+qSlS8XZ00llsILy3y8dvBwj9S3vtUQ +IU8aWp4hqmxDanS1q10vVp8ve2IDOaJfiwy8MpnT7AM +--- 3UYeJjdcLXxJiCdP/MF59YAvPMJp415A4MaHQIoaZzk +_�M�^�{fT�(CU�F����8�]�:V�G��~�~���5I���6���9���jW�0 �础�3,�͢�Eݕ�zG��wO��rg�kޖ�_�@穰Lu'�RՉ��ޠ+�B�@����dm���,��d}�\�|�wdx���6�p~-rHڱ�(��3��3j�M��p�I� \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 092ce59..6d8ef00 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -47,8 +47,8 @@ let build03 web02 ]; - nginx-basic-auth-file = [ web02 ]; nix-community-matrix-bot-token = [ web02 ]; + oauth2-proxy-key-file = [ web02 ]; }; in builtins.listToAttrs (