-rw-r--r-- | .gitignore | 5 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.yggdrasil.soa | 4 | ||||
-rw-r--r-- | hosts/surtr/prometheus/default.nix | 73 | ||||
-rw-r--r-- | hosts/surtr/prometheus/tls.crt | 10 | ||||
-rw-r--r-- | hosts/surtr/prometheus/tls.key | 26 | ||||
-rw-r--r-- | hosts/vidhar/dns/zones/yggdrasil.soa | 5 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/.gitignore | 3 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/ca.crt | 12 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/ca.key.sops | 21 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/certs/01.pem | 39 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/certs/02.pem | 38 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/index.txt | 2 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/index.txt.attr | 1 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/ca/serial | 1 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/default.nix | 30 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/tls.crt | 9 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/tls.key | 26 |
17 files changed, 300 insertions, 5 deletions
@@ -2,4 +2,7 @@ | |||
2 | **/result-* | 2 | **/result-* |
3 | **/#*# | 3 | **/#*# |
4 | **/.#* | 4 | **/.#* |
5 | **/.gup \ No newline at end of file | 5 | **/.gup |
6 | |||
7 | **.csr | ||
8 | hosts/*/prometheus/tls.cnf \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index ff623211..74b7170e 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa | |||
@@ -1,7 +1,7 @@ | |||
1 | $ORIGIN yggdrasil.li. | 1 | $ORIGIN yggdrasil.li. |
2 | $TTL 3600 | 2 | $TTL 3600 |
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( |
4 | 2022022201 ; serial | 4 | 2022040800 ; serial |
5 | 10800 ; refresh | 5 | 10800 ; refresh |
6 | 3600 ; retry | 6 | 3600 ; retry |
7 | 604800 ; expire | 7 | 604800 ; expire |
@@ -40,6 +40,8 @@ surtr IN AAAA 2a03:4000:52:ada:: | |||
40 | surtr IN MX 0 ymir.yggdrasil.li | 40 | surtr IN MX 0 ymir.yggdrasil.li |
41 | surtr IN TXT "v=spf1 redirect=yggdrasil.li" | 41 | surtr IN TXT "v=spf1 redirect=yggdrasil.li" |
42 | 42 | ||
43 | prometheus.surtr IN CNAME surtr.yggdrasil.li. | ||
44 | |||
43 | vidhar IN AAAA 2a03:4000:52:ada:4:1:: | 45 | vidhar IN AAAA 2a03:4000:52:ada:4:1:: |
44 | vidhar IN MX 0 ymir.yggdrasil.li | 46 | vidhar IN MX 0 ymir.yggdrasil.li |
45 | vidhar IN TXT "v=spf1 redirect=yggdrasil.li" | 47 | vidhar IN TXT "v=spf1 redirect=yggdrasil.li" |
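--- /dev/null
+++ b/hosts/surtr/prometheus/default.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+relabelHosts = [
+{ source_labels = ["__address__"];
+target_label = "instance";
+regex = "(localhost|127\.[0-9]+\.[0-9]+\.[0-9]+)(:[0-9]+)?";
+replacement = "surtr";
+}
+];
+in {
+config = {
+services.prometheus = {
+enable = true;
+
+exporters = {
+node = {
+enable = true;
+enabledCollectors = [];
+};
+};
+
+globalConfig = {
+evaluation_interval = "1s";
+
+remote_write = {
+url = "https://prometheus.vidhar.yggdrasil/api/v1/write";
+name = "vidhar";
+tls_config = {
+ca_file = ../../vidhar/prometheus/ca/ca.crt;
+cert_file = ./tls.crt;
+key_file = "/run/credentials/prometheus.service/tls.key";
+};
+};
+};
+
+scrapeConfigs = [
+{ job_name = "prometheus";
+static_configs = [
+{ targets = ["localhost:${toString config.services.prometheus.port}"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "node";
+static_configs = [
+{ targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+];
+
+rules = [
+(generators.toYAML {} {
+groups = [
+];
+})
+];
+};
+
+sops.secrets."prometheus.key" = {
+format = "binary";
+sopsFile = ./tls.key;
+};
+
+systemd.services.prometheus.serviceConfig.LoadCredential = [
+"tls.key:${config.sops.secrets."prometheus.key".path}"
+];
+};
+}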
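Review bot: `remote_write` (lines 28–36 of the new file) is nested inside `globalConfig`, but in the Prometheus configuration `remote_write` is a top-level list rather than a field of `global`; as far as I can tell the NixOS module renders `globalConfig` as the `global:` section and exposes remote write separately as `services.prometheus.remoteWrite`, so this block is likely rejected either at Nix evaluation or by Prometheus config validation. Move it into `remoteWrite = [ { … } ];` as sketched below. Separately, the `regex` on line 9 is a Nix double-quoted string, where `\.` is an escape that yields a bare `.`; write `\\.` (or use an `''…''` string) so the dots match literally instead of any character. The `1s` scrape and evaluation intervals also deserve a one-line comment explaining why the defaults are not used.
```nix
# … unchanged: exporters …
globalConfig = {
  evaluation_interval = "1s";
};

remoteWrite = [
  { url = "https://prometheus.vidhar.yggdrasil/api/v1/write";
    name = "vidhar";
    tls_config = {
      ca_file = ../../vidhar/prometheus/ca/ca.crt;
      cert_file = ./tls.crt;
      key_file = "/run/credentials/prometheus.service/tls.key";
    };
  }
];
# … unchanged: scrapeConfigs, rules …
```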
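--- /dev/null
+++ b/hosts/surtr/prometheus/tls.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
+Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
+BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
+4KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
+GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
+Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
+A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
+/yZw71p7M0BAE+hJqYBzYo5YBQ==
+-----END CERTIFICATE-----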
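--- /dev/null
+++ b/hosts/surtr/prometheus/tls.key
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:YBbLT5kFi1KKQ4xOvyiJGkwQG/xoxz55/giVg2iY6+0nV+jEp3mF4oFjc14gFg3mIN9x6bLdFVY3DUHT1PrQdjrqIZtX8AVCA8BUIQj6JDY6YMi3/kK6mR9up9o/pxJfu8mQVjWjSx78Ko9aNat8/FltJnq69cA=,iv:PfslzrP5AbTNHpXfh4bz3q6CD9anQyCpmqtZ8ZTEG3k=,tag:eJLb0LIoNwDD1JQ6kUmACA==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-04-08T20:09:16Z",
+"mac": "ENC[AES256_GCM,data:UW3ngxCjYl2kmOinRNmwNliBg2Xm/5rCrLp39bo7PXksZcuijV800IKuY91PWjkgaIbjD2jlU0ycJNDw3MzxfVim6gz91kUXQgQV+me8AEXAiO6Sf2j08jEtTh1SCr4qqdw0FE5aULDvGRtTgR+hhNk0xbbeG9fPhU95eeLW8vg=,iv:wG54336E4PouNgXhZbW4/onqbecsRrdYzTXSXDft/VI=,tag:BASCu9YNPMPfbScepLDiRQ==,type:str]",
+"pgp": [
+{
+"created_at": "2022-04-08T20:09:16Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfzL8SSjlYxe8e5yOipQClJffUgxFnlew+N6VK4UhRGYw\naHaDmOmusuTRoBOX4V4PpRg3gLFRoPPy+q9L4Z+gtX97JK+9UgN1mxYPkB9X5M8K\n0l4BQ9caVjtlmMuKp3EROUYrSjau6Ulkzd43P+BwwQ6jv8T52EtKO8WLVnQEheIV\njOMH4DWaxKYbad7lXphix1oFhVvQQVGEzawceWolKDt/T+QS4spJBFoL7V1ml105\n=Cdh0\n-----END PGP MESSAGE-----\n",
+"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+},
+{
+"created_at": "2022-04-08T20:09:16Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdACGP5pn9MiRCa7CJYqosY9Aw4TJx+/9tOsdO5YZn1ZSIw\n/xOMfKjHvT5PlMT9gnk9187MhjR9G/2YcW5ggfyEypo8ei65RkJYzTG2m5Pdneg3\n0l4BzMEQtYAbmZBp9XSkqjacCTpc2y6YV55qcuFudtRfsFFi28JSb5NxZ61AKy0g\nSk/e+IHQvTGahD2akrHBNIPncUOo4GHHzEjADvdDuJNpMkYUgnhEUod2JPYBjFmL\n=JN/O\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.2"
+}
+}
\ No newline at end of file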
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index 4235c602..ffa79ee1 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa | |||
@@ -1,7 +1,7 @@ | |||
1 | $ORIGIN yggdrasil. | 1 | $ORIGIN yggdrasil. |
2 | $TTL 300 | 2 | $TTL 300 |
3 | @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( | 3 | @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( |
4 | 2022040800 ; serial | 4 | 2022040802 ; serial |
5 | 300 ; refresh | 5 | 300 ; refresh |
6 | 300 ; retry | 6 | 300 ; retry |
7 | 300 ; expire | 7 | 300 ; expire |
@@ -14,7 +14,8 @@ surtr IN AAAA 2a03:4000:52:ada:1:: | |||
14 | vidhar IN AAAA 2a03:4000:52:ada:1:1:: | 14 | vidhar IN AAAA 2a03:4000:52:ada:1:1:: |
15 | sif IN AAAA 2a03:4000:52:ada:1:2:: | 15 | sif IN AAAA 2a03:4000:52:ada:1:2:: |
16 | 16 | ||
17 | grafana.vidhar IN CNAME vidhar.yggdrasil. | 17 | grafana.vidhar IN CNAME vidhar.yggdrasil. |
18 | prometheus.vidhar IN CNAME vidhar.yggdrasil. | ||
18 | 19 | ||
19 | 20 | ||
20 | vidhar.lan IN A 10.141.0.1 | 21 | vidhar.lan IN A 10.141.0.1 |
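--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/.gitignore
@@ -0,0 +1,3 @@
+ca.key
+ca.cnf
+*.old
\ No newline at end of file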
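--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsjCCAWSgAwIBAgIUOzZ8XcFb8XtI2yyWp4S/WMD6QxQwBQYDK2VwMB8xHTAb
+BgNVBAMMFHByb21ldGhldXMueWdnZHJhc2lsMCAXDTIyMDQwODE5NDgwMFoYDzIw
+OTAwNDI2MTk0ODAwWjAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnlnZ2RyYXNpbDAq
+MAUGAytlcAMhAOoxPLBH6pnCRtE7V5gejM92gg1vLNLHw3rFIXXchOJmo4GvMIGs
+MB0GA1UdDgQWBBRnwBkgZFnueEa7aV8aEAoMRzW4CTBaBgNVHSMEUzBRgBRnwBkg
+ZFnueEa7aV8aEAoMRzW4CaEjpCEwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55Z2dk
+cmFzaWyCFDs2fF3BW/F7SNsslqeEv1jA+kMUMA8GA1UdEwEB/wQFMAMBAf8wCwYD
+VR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwICBDAFBgMrZXADQQD9AC2OHtzW8QSC
+HU/4rGdRWRqr3pfclKXimSWaAXMPly2M1qehPI402lhQrIAVF+D1pi/EAGJfbbzF
+aurykEMB
+-----END CERTIFICATE-----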
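--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/ca.key.sops
@@ -0,0 +1,21 @@
+{
+"data": "ENC[AES256_GCM,data:XW6h0psHOSV0cR03vRg479A5XRM7KfiBfVgvm4QlxCZzhkk5U1ToDJIaCxqKpxlEu8wm79wmz+/CmSLDEBcs7x05a5vBDt81mlWJ49PolOrG9bL9Qkyq5u8sB8HWXRXxCP5kg2su+n9NqdHX9AIhYCXy7VJDuGo=,iv:v661AhF2Q/O+a7JtwHtnSkSI0mL8ltu5rPny8vWCL/Q=,tag:c7b0a6o6y/MI5vG85uFuUg==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-04-08T20:12:22Z",
+"mac": "ENC[AES256_GCM,data:W/IF6WgTscbkcMUTR3aeqM/H/UwgFgILDbKBxYJQxcFtt4kq3UqzSd/e0hk5NQ9IkagAC4X0gZDuzco2mc7caUGyzMKRdA2ekgcdDwzruQ4i+UYyr80dFhqHpV+aksdZJVR+dJzkmIRmza3Ia5e/X01XNIbIrU13JKYm9jCskd0=,iv:2g+UFcSTxcTrf+toi4BDVvAaY5ydk7yRnhpQ/rrNvVo=,tag:3X01wEqL/Q8cIiF+DEMnpg==,type:str]",
+"pgp": [
+{
+"created_at": "2022-04-08T20:12:22Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdADN+s7UQS8hEBc2mMRovD/zKuIoIAS3swLpP6ul9kRGMw\nDCUvOL41sxXmuodi4Pg69YB2YcL47Fod7nQWUYaK8L3CuyjWUq1cxomlYtTd03eH\n0l4BiyWTuZ+1OG4Xng8B4zdcM5jWfeTRWupDIXcnPFjwz47FetmrcCAaROKYL87e\nAjK76Y6gR/gSj0GTTAUIfKFpqsqAdBAf6oBekQcPgeqcrJcZ2ZZFWzmswGBvcGjs\n=gqhG\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.2"
+}
+}
\ No newline at end of file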
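Review bot: ca.key.sops is encrypted to a single PGP recipient (the one `fp` entry on line 15), whereas both host tls.key files in this commit are encrypted to two; if that one key becomes unavailable, the CA can no longer issue or re-issue certificates and the whole mTLS setup has to be rebuilt from scratch. Adding the same second recipient used for the host keys, or a dedicated offline backup key, via `sops updatekeys` would bring it in line with the other secrets.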
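--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/certs/01.pem
@@ -0,0 +1,39 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 1 (0x1)
+Signature Algorithm: ED25519
+Issuer: CN=prometheus.yggdrasil
+Validity
+Not Before: Apr 8 20:03:55 2022 GMT
+Not After : Apr 26 20:03:55 2090 GMT
+Subject: CN=surtr.yggdrasil
+Subject Public Key Info:
+Public Key Algorithm: ED25519
+ED25519 Public-Key:
+pub:
+02:5d:f0:8d:f6:5f:fc:fd:27:47:0e:d8:ec:fe:e0:
+a0:28:20:9a:b4:8a:07:4c:75:b2:c1:03:ef:16:3b:
+eb:e0
+X509v3 extensions:
+X509v3 Basic Constraints: critical
+CA:FALSE
+X509v3 Subject Alternative Name:
+DNS:prometheus.surtr.yggdrasil, DNS:prometheus.surtr.yggdrasil.li
+X509v3 Subject Key Identifier:
+37:9D:AD:3D:CB:F9:14:5A:69:CD:E2:71:D8:08:97:93:A5:20:3C:38
+Signature Algorithm: ED25519
+3c:df:73:85:a7:81:07:60:b5:4e:ea:ec:74:04:47:d2:35:41:
+cf:d8:34:75:18:4f:ee:c3:b9:64:6d:0a:fb:1a:76:e2:96:8b:
+5e:24:c5:d6:b6:2e:6f:6e:29:ff:26:70:ef:5a:7b:33:40:40:
+13:e8:49:a9:80:73:62:8e:58:05
+-----BEGIN CERTIFICATE-----
+MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
+Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
+BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
+4KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
+GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
+Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
+A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
+/yZw71p7M0BAE+hJqYBzYo5YBQ==
+-----END CERTIFICATE-----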
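Review bot: The leaf certificates issued here are valid until 2090 (`Not After : Apr 26 20:03:55 2090 GMT` on line 9, and the same in certs/02.pem), which makes expiry meaningless as a control; together with the absence of any CRL in the nginx `ssl_verify_client` setup added in hosts/vidhar/prometheus/default.nix, a compromised client key can only be revoked by re-keying the CA and re-issuing every certificate. Consider much shorter lifetimes with scripted renewal, or at least an `ssl_crl` directive pointing at a CRL maintained alongside `index.txt`. These files are `openssl ca` output, so the change belongs in the CA configuration rather than in the PEMs themselves.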
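--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/certs/02.pem
@@ -0,0 +1,38 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 2 (0x2)
+Signature Algorithm: ED25519
+Issuer: CN=prometheus.yggdrasil
+Validity
+Not Before: Apr 8 20:07:13 2022 GMT
+Not After : Apr 26 20:07:13 2090 GMT
+Subject: CN=vidhar.yggdrasil
+Subject Public Key Info:
+Public Key Algorithm: ED25519
+ED25519 Public-Key:
+pub:
+13:84:a6:01:07:7a:5e:8d:2b:8d:83:ee:73:1d:c6:
+b8:9a:ad:b9:3d:40:51:ec:2c:f3:52:7d:81:90:e7:
+ac:88
+X509v3 extensions:
+X509v3 Basic Constraints: critical
+CA:FALSE
+X509v3 Subject Alternative Name:
+DNS:prometheus.vidhar.yggdrasil
+X509v3 Subject Key Identifier:
+44:AA:8E:CC:AB:C9:A7:D1:A1:D0:FA:7F:DB:87:1E:08:AA:6E:4D:59
+Signature Algorithm: ED25519
+47:65:87:17:50:96:77:56:20:ac:9e:f4:e4:6d:19:6d:b7:24:
+11:af:0c:c3:f3:fd:75:19:d9:77:06:41:79:7f:a5:00:0c:18:
+ee:82:3e:9e:09:61:34:cf:8f:f5:83:d1:5d:b2:e4:42:b6:3f:
+9c:b6:5a:f3:40:92:e6:8f:24:0f
+-----BEGIN CERTIFICATE-----
+MIIBQTCB9KADAgECAgECMAUGAytlcDAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnln
+Z2RyYXNpbDAgFw0yMjA0MDgyMDA3MTNaGA8yMDkwMDQyNjIwMDcxM1owGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABOEpgEHel6NK42D7nMd
+xriarbk9QFHsLPNSfYGQ56yIo1cwVTAMBgNVHRMBAf8EAjAAMCYGA1UdEQQfMB2C
+G3Byb21ldGhldXMudmlkaGFyLnlnZ2RyYXNpbDAdBgNVHQ4EFgQURKqOzKvJp9Gh
+0Pp/24ceCKpuTVkwBQYDK2VwA0EAR2WHF1CWd1YgrJ705G0ZbbckEa8Mw/P9dRnZ
+dwZBeX+lAAwY7oI+nglhNM+P9YPRXbLkQrY/nLZa80CS5o8kDw==
+-----END CERTIFICATE-----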
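--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/index.txt
@@ -0,0 +1,2 @@
+V 20900426200355Z 01 unknown /CN=surtr.yggdrasil
+V 20900426200713Z 02 unknown /CN=vidhar.yggdrasil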
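--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes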
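--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/serial
@@ -0,0 +1 @@
+03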
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index c60afd11..adcfdae9 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix | |||
@@ -26,7 +26,7 @@ in { | |||
26 | enable = true; | 26 | enable = true; |
27 | 27 | ||
28 | extraFlags = [ | 28 | extraFlags = [ |
29 | "--enable-feature=remote-write-receiver" | 29 | "--web.enable-remote-write-receiver" |
30 | ]; | 30 | ]; |
31 | 31 | ||
32 | exporters = { | 32 | exporters = { |
@@ -387,5 +387,33 @@ in { | |||
387 | AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"]; | 387 | AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"]; |
388 | }; | 388 | }; |
389 | }; | 389 | }; |
390 | |||
391 | services.nginx = { | ||
392 | upstreams.prometheus = { | ||
393 | servers = { "localhost:${config.services.prometheus.port}" = {}; }; | ||
394 | }; | ||
395 | virtualHosts."prometheus.vidhar.yggdrasil" = { | ||
396 | forceSSl = true; | ||
397 | sslCertificate = ./tls.crt; | ||
398 | sslCertificateKey = "/run/credentials/nginx.service/prometheus.key"; | ||
399 | extraConfig = '' | ||
400 | ssl_client_certificate ${./ca/ca.crt}; | ||
401 | ssl_trusted_certificate ${./ca/ca.crt}; | ||
402 | ssl_verify_client on; | ||
403 | ''; | ||
404 | locations."/" = { | ||
405 | proxyPass = "http://prometheus/"; | ||
406 | proxyWebsockets = true; | ||
407 | }; | ||
408 | }; | ||
409 | }; | ||
410 | |||
411 | sops.secrets."prometheus.key" = { | ||
412 | format = "binary"; | ||
413 | sopsFile = ./tls.key; | ||
414 | }; | ||
415 | systemd.services.nginx.serviceConfig.LoadCredential = [ | ||
416 | "prometheus.key:${config.sops.secrets."prometheus.key".path}" | ||
417 | ]; | ||
390 | }; | 418 | }; |
391 | } | 419 | } |
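Review bot: Two of the new nginx lines will not evaluate as written: `forceSSl = true;` (line 396) misspells the `forceSSL` option, and `"localhost:${config.services.prometheus.port}"` (line 393) interpolates an integer, which Nix refuses to coerce to a string — the surtr config wraps the same value in `toString`. Change them to `forceSSL = true;` and `servers = { "localhost:${toString config.services.prometheus.port}" = {}; };`. The mTLS gate (`ssl_verify_client on`) only covers the nginx path; if `services.prometheus.listenAddress` is left at its default rather than loopback, the receiver enabled by `--web.enable-remote-write-receiver` in the first hunk stays reachable on the Prometheus port without a client certificate, so pinning it here or documenting the assumption in a comment would be worthwhile. The enclosing `config` attribute set starts before this hunk.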
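--- /dev/null
+++ b/hosts/vidhar/prometheus/tls.crt
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBQTCB9KADAgECAgECMAUGAytlcDAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnln
+Z2RyYXNpbDAgFw0yMjA0MDgyMDA3MTNaGA8yMDkwMDQyNjIwMDcxM1owGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABOEpgEHel6NK42D7nMd
+xriarbk9QFHsLPNSfYGQ56yIo1cwVTAMBgNVHRMBAf8EAjAAMCYGA1UdEQQfMB2C
+G3Byb21ldGhldXMudmlkaGFyLnlnZ2RyYXNpbDAdBgNVHQ4EFgQURKqOzKvJp9Gh
+0Pp/24ceCKpuTVkwBQYDK2VwA0EAR2WHF1CWd1YgrJ705G0ZbbckEa8Mw/P9dRnZ
+dwZBeX+lAAwY7oI+nglhNM+P9YPRXbLkQrY/nLZa80CS5o8kDw==
+-----END CERTIFICATE-----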
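--- /dev/null
+++ b/hosts/vidhar/prometheus/tls.key
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:/4D30JZoWEYJIM5SW4vzXkS8sMSSyjQHDBZghc54n+lxMCaIczIreiFQFChzlKpw+ai0EvT4q073AZ+xuMTOWI80UdgKyNvFNAk5Ybp0F90BouXu6u7fodg9U3LhP3GhfjtSyC1P4fPZP3siQh+5IuEfxNFHcl0=,iv:khbWHOpZ8rJ/hJlxRYb98wUDSJiNFAHCO8guoUJLrpA=,tag:YTQB1T9jzubBxOqNVK0unQ==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-04-08T20:08:57Z",
+"mac": "ENC[AES256_GCM,data:UfFRVfPGtGle1yHVj3FrZGb+LKzIBdAsAWJY0qzJTXR+uMxAjCOIBmtBBmzGViBX4mBXFXVbYHvXVlpJPYw1kUhQW+uVERJHvhsRsC9cg3MyNrGNkZIi+QazJaI5Xe+9yO5yjy0NE1e6jia/+BxOZ2tGv8uItRQxfyDCRT0+sWU=,iv:yDgjpubvnF2G07ulC+bopb90wMhfop3z3mEXgeIRQxg=,tag:+J6campz4SYk5xec1uHMog==,type:str]",
+"pgp": [
+{
+"created_at": "2022-04-08T20:08:56Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAvXcM76hJxWHJ0i/XMqtIUSxdT6AaHqduia7V1qUmEA8w\ntM89Pshkp8atxmCdRgTiS1e3qgGHRqp6pYEjt2gT6fGDh8nTmswWDNBqmAUw7gj6\n0l4BpBZgCgGsuAL49qiezBuR7BsrKmRxIPV7ZZFl5CNofy/38qjxY8FxJl+GsiHn\n3jkXh8kJEO3dPXSU+7ID7syxifFFkLcKhRcNXeeZdvz2J/8zYFUhqE4+7+S3AKjs\n=7IAZ\n-----END PGP MESSAGE-----\n",
+"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+},
+{
+"created_at": "2022-04-08T20:08:56Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfS68HcCu+AgaXTG9VdIakO+Jr6Y04INcZTJ6vkNQPFEw\nclmmwVcjylP6BHUML9tSHsgxyW9IK7CYdojtmqRsYF4NCvbWlFRBbehjPlLL4yKs\n0l4Ba+3HaHK8w+lCdMWCLcxzzd2dfkTPNAJUzIAl/AIOx6EwdZseitYN9EkeJStt\nNXcoDPDmnntVlqpUYwHkTKaLSUVuwesaQ8LdHHInvvOXZ97xEcN7575vI0Stde/u\n=dNgh\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.2"
+}
+}
\ No newline at end of file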