-rw-r--r--hosts/vidhar/default.nix31
-rw-r--r--hosts/vidhar/grafana-admin-password26
-rw-r--r--hosts/vidhar/grafana-secret-key26
-rw-r--r--hosts/vidhar/zfs.nix6
-rw-r--r--modules/yggdrasil-wg/default.nix5
5 files changed, 93 insertions, 1 deletions
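--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -119,5 +119,36 @@
 
  cpuFreqGovernor = "schedutil";
  };
+
+ services.nginx = {
+ enable = true;
+ upstreams.grafana = {
+ servers = { "unix:${config.services.grafana.socket}" = {}; };
+ };
+ virtualHosts = {
+ ${config.services.grafana.domain} = {
+ locations."/" = {
+ proxyPass = "http://grafana";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ services.grafana = {
+ enable = true;
+ analytics.reporting.enable = false;
+ domain = "grafana.vidhar.yggdrasil";
+ security.adminPasswordFile = config.sops.secrets."grafana-admin-password".path;
+ security.secretKeyFile = config.sops.secrets."grafana-secret-key".path;
+ protocol = "socket";
+ };
+ sops.secrets."grafana-admin-password" = {
+ format = "binary";
+ sopsFile = ./grafana-admin-password;
+ };
+ sops.secrets."grafana-secret-key" = {
+ format = "binary";
+ sopsFile = ./grafana-secret-key;
+ };
  };
 }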
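Review bot: The `virtualHosts` entry for Grafana sets no `listen` address and no TLS, so nginx serves it as plain HTTP on every address the host binds, and if no other virtual host is defined elsewhere it also becomes the default server for any Host header. If the dashboard is meant to be reachable only over the yggdrasil mesh, I would pin it, e.g. `listen = [ { addr = "<mesh-address-placeholder>"; port = 80; } ];`, or confirm the firewall opens the HTTP port only on the mesh interface. Separately, both `sops.secrets` entries rely on sops-nix defaults, which I believe are root-owned and mode 0400; if the Grafana unit reads these files as the `grafana` user, add `owner = config.users.users.grafana.name;` to each. The enclosing attribute set starts above the hunk, so existing firewall or nginx settings may already cover part of this.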
diff --git a/hosts/vidhar/grafana-admin-password b/hosts/vidhar/grafana-admin-password
new file mode 100644
index 00000000..56a69070
--- /dev/null
+++ b/hosts/vidhar/grafana-admin-password
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:HHEQGFQxEfyuQZIHjvS4kw==,iv:04dLr3xnha39cObi9LXjzhbfxIcy13tgNm510e/WQfw=,tag:SnVtPyjmtcfjdc4fsDEMpg==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2021-12-31T15:57:51Z",
10 "mac": "ENC[AES256_GCM,data:Dqp4zA7D/hV5FQsp0czjym4MOjusC1CkmsitIHsD2XE87PN0LdAKTL/8tYSH+UGRdoSAnjyPYL5EastF5l4ubWNibom0R/it+TotvFBfaD27DWquZ3zvrwgjBXjaswGPYD5YbRocUmi1kOmZQtjegb6KTGpKicxwKbxg0xU/oHk=,iv:oHCqnCCSmwz23FItsThtNZC2J4doebMNVdhNkGv5+UM=,tag:u3owTxS9FHCZtG7YmDGbuw==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2021-12-31T15:57:38Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAQzuwBJzuzxQRohpEqMZtMaJo3c7FWAxJ1BrC0zOAJCQw\nzLfsrjUWCsxqBJkbK4h84Iun8OdulMHyAbg2knSGNWOQoe7ec1cGl06gFhuxkXzy\n0l4BEW/pamCejbYKw+OISBBB6atjs4b3aOzSbnJSBjauommsCnn8aJtZt1ZfctiY\nNo6tawcodNzYCzVmVDjfBM1270yrIP3W0hsttoyO/DQeZn2vB9YiFI59xnVqhrE7\n=tNlA\n-----END PGP MESSAGE-----\n",
15 "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
16 },
17 {
18 "created_at": "2021-12-31T15:57:38Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA10EukKZpWrIMHrNrhbGBjKMvpco+UusoYebYNuSi9RAw\nc+UuuxmshOxq0n0RTjNBZvhixPcj7P9t12ldk1V1NYlHOocMFf5te1wPbkMoqZKz\n0l4Bl93nSz43RQYjeoQWleUSrBchNQ/WOs7Wr4DKgoZ5nC3q+Pn6qQ/yYayhDjpW\nHR+06wk41uF3lnoa1vhu43eK/7CbaqzUZPInBrYbkat7MvE33Mq9rcoXBomNT4eO\n=dSyp\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/grafana-secret-key b/hosts/vidhar/grafana-secret-key
new file mode 100644
index 00000000..aea7a8b6
--- /dev/null
+++ b/hosts/vidhar/grafana-secret-key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:wX0eku+X3z11qszRjbzANkpnzb0UPA==,iv:vDFM+mK0ylbzsm8bqUfByAylxJW36AM4O96ThbPVEps=,tag:fu2hHRhNCO4AAmXswWOr+w==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2021-12-31T15:58:23Z",
10 "mac": "ENC[AES256_GCM,data:6UhUWxJ1IAgM4tubK0dD1bTQwmJZCZ6KkLTlkPRkbVRpN6zQAK/RT665Ok2lGpxEZ2yYrAMUMGs4Kvpii7NwEd6vj2Ad+4rKZygJ1V2hnmSCN0AUC/EdzGorFheMy+yjqJSJIZTc+ZIpQ7n/mtdPe6SyxJfzJOLXIZ6xFlteAhQ=,iv:3Xwa0pBwieGDmPTCD1i8qavRI5oa1Bm8AIz+EA/l2X4=,tag:X0s9WfxtlaR6GKtnmnFvDg==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2021-12-31T15:57:56Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdA9CYiNCA1h7DNMvPg4qeFT1Yg1v3HdQRgUEj48QIYrDAw\navNJMsqFby1udTs4j80eY7hUm6FbD98MIr/Od0Pb1RznrLPcmTWYbSM6dHKLUjav\n0l4BJkl3Q8AiLsSWMfg9YQ7s5kBpzWmdajRJnV41lbMBKph0tRzzf/DvGjm9dDe2\nUS+rzi7WzWlmQS1ekMwNKAzz3ip4yJA4J591JOhtt96SqmQAHV8ww2q9IE6bOw6k\n=LmRs\n-----END PGP MESSAGE-----\n",
15 "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
16 },
17 {
18 "created_at": "2021-12-31T15:57:56Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAQbyLmRaWWln+lPYj5lAtbcQ4KQ7ntPyJJIsMl2kkBFYw\nIedaJ+SpExs2kXTlAWxa5B74RFmAPRlCq+ByErWDorovhn1uYI2ljeYIHKvrcgbY\n0l4B7XQlAV3pz3v/ZwUhB20zatPCprUWdJH+3Gd8xQr46djdHGK9WQSetxxEuL8j\nyfENUOu/jnPlfMVyDwRHbweq7Ar60GXVfs2UrjsL7yRjr0FpMNu3Ho4O4kO9HBn6\n=B+g2\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
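--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -83,6 +83,12 @@ in {
  options = [ "zfsutil" ];
  };
 
+ "/var/lib/grafana" =
+ { device = "ssd-raid1/local/var-lib-grafana";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
  "/var/log" =
  { device = "ssd-raid1/local/var-log";
  fsType = "zfs";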
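--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -77,6 +77,9 @@ let
  sif = ["${batSubnet}:2::/${toString batHostLength}"];
  };
  routers = [ "surtr" ];
+ hostNames = {
+ vidhar = [ "grafana.vidhar.yggdrasil" ];
+ };
 
  mkPublicKeyPath = family: host: ./hosts + "/${family}" + "/${host}.pub";
  mkPrivateKeyPath = family: host: ./hosts + "/${family}" + "/${host}.priv";
@@ -241,7 +244,7 @@ in {
 
  sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
- networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
+ networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) (["${name}.yggdrasil"] ++ (hostNames.${name} or []))) value) (mapAttrsToList nameValuePair batHostIPs)));
 
  boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
  environment.systemPackages = with pkgs; [ wireguard-tools batctl ];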
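Review bot: `hostNames` in the first hunk repeats the literal `grafana.vidhar.yggdrasil` that hosts/vidhar/default.nix sets as `services.grafana.domain`, and nothing ties the two together, so a later rename of one leaves the hosts entry and the nginx virtual host disagreeing. The `hostNames.${name} or []` lookup in the `networking.hosts` line also silently ignores a misspelt host key. I would at least add a comment above the map, `# extra names per host, merged into networking.hosts; must match the vhost names served on that host`, and consider an assertion that every key of `hostNames` is also a key of `batHostIPs`. Both the `let` block and the module body continue outside these hunks.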