4 files changed, 112 insertions, 1 deletions
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ff623211..74b7170e 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022022201 ; serial
+  2022040800 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -40,6 +40,8 @@ surtr			IN	AAAA	2a03:4000:52:ada::
 surtr                   IN      MX      0 ymir.yggdrasil.li
 surtr                   IN      TXT     "v=spf1 redirect=yggdrasil.li"
+prometheus.surtr        IN      CNAME   surtr.yggdrasil.li.
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
new file mode 100644
index 00000000..3fdfc2aa
--- /dev/null
+++ b/hosts/surtr/prometheus/default.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  relabelHosts = [
+    { source_labels = ["__address__"];
+      target_label = "instance";
+      regex = "(localhost|127\.[0-9]+\.[0-9]+\.[0-9]+)(:[0-9]+)?";
+      replacement = "surtr";
+    }
+  ];
+in {
+  config = {
+    services.prometheus = {
+      enable = true;
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [];
+        };
+      };
+      globalConfig = {
+        evaluation_interval = "1s";
+        remote_write = {
+          url = "https://prometheus.vidhar.yggdrasil/api/v1/write";
+          name = "vidhar";
+          tls_config = {
+            ca_file = ../../vidhar/prometheus/ca/ca.crt;
+            cert_file = ./tls.crt;
+            key_file = "/run/credentials/prometheus.service/tls.key";
+          };
+        };
+      };
+      scrapeConfigs = [
+        { job_name = "prometheus";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "node";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+      ];
+      rules = [
+        (generators.toYAML {} {
+          groups = [
+          ];
+        })
+      ];
+    };
+    sops.secrets."prometheus.key" = {
+      format = "binary";
+      sopsFile = ./tls.key;
+    };
+    systemd.services.prometheus.serviceConfig.LoadCredential = [
+      "tls.key:${config.sops.secrets."prometheus.key".path}"
+    ];
+  };
+}
diff --git a/hosts/surtr/prometheus/tls.crt b/hosts/surtr/prometheus/tls.crt
new file mode 100644
index 00000000..ba958f40
--- /dev/null
+++ b/hosts/surtr/prometheus/tls.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
+Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
+BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
+4KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
+GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
+Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
+A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
+/yZw71p7M0BAE+hJqYBzYo5YBQ==
+-----END CERTIFICATE-----
diff --git a/hosts/surtr/prometheus/tls.key b/hosts/surtr/prometheus/tls.key
new file mode 100644
index 00000000..95e28db2
--- /dev/null
+++ b/hosts/surtr/prometheus/tls.key
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:YBbLT5kFi1KKQ4xOvyiJGkwQG/xoxz55/giVg2iY6+0nV+jEp3mF4oFjc14gFg3mIN9x6bLdFVY3DUHT1PrQdjrqIZtX8AVCA8BUIQj6JDY6YMi3/kK6mR9up9o/pxJfu8mQVjWjSx78Ko9aNat8/FltJnq69cA=,iv:PfslzrP5AbTNHpXfh4bz3q6CD9anQyCpmqtZ8ZTEG3k=,tag:eJLb0LIoNwDD1JQ6kUmACA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-04-08T20:09:16Z",
+                "mac": "ENC[AES256_GCM,data:UW3ngxCjYl2kmOinRNmwNliBg2Xm/5rCrLp39bo7PXksZcuijV800IKuY91PWjkgaIbjD2jlU0ycJNDw3MzxfVim6gz91kUXQgQV+me8AEXAiO6Sf2j08jEtTh1SCr4qqdw0FE5aULDvGRtTgR+hhNk0xbbeG9fPhU95eeLW8vg=,iv:wG54336E4PouNgXhZbW4/onqbecsRrdYzTXSXDft/VI=,tag:BASCu9YNPMPfbScepLDiRQ==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-04-08T20:09:16Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfzL8SSjlYxe8e5yOipQClJffUgxFnlew+N6VK4UhRGYw\naHaDmOmusuTRoBOX4V4PpRg3gLFRoPPy+q9L4Z+gtX97JK+9UgN1mxYPkB9X5M8K\n0l4BQ9caVjtlmMuKp3EROUYrSjau6Ulkzd43P+BwwQ6jv8T52EtKO8WLVnQEheIV\njOMH4DWaxKYbad7lXphix1oFhVvQQVGEzawceWolKDt/T+QS4spJBFoL7V1ml105\n=Cdh0\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-04-08T20:09:16Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdACGP5pn9MiRCa7CJYqosY9Aw4TJx+/9tOsdO5YZn1ZSIw\n/xOMfKjHvT5PlMT9gnk9187MhjR9G/2YcW5ggfyEypo8ei65RkJYzTG2m5Pdneg3\n0l4BzMEQtYAbmZBp9XSkqjacCTpc2y6YV55qcuFudtRfsFFi28JSb5NxZ61AKy0g\nSk/e+IHQvTGahD2akrHBNIPncUOo4GHHzEjADvdDuJNpMkYUgnhEUod2JPYBjFmL\n=JN/O\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.2"
+        }
+}
+\ No newline at end of file

diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index ff623211..74b7170e 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (	3	@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4	2022022201 ; serial	4	2022040800 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -40,6 +40,8 @@ surtr IN AAAA 2a03:4000:52:ada::
40	surtr IN MX 0 ymir.yggdrasil.li	40	surtr IN MX 0 ymir.yggdrasil.li
41	surtr IN TXT "v=spf1 redirect=yggdrasil.li"	41	surtr IN TXT "v=spf1 redirect=yggdrasil.li"
42		42
		43	prometheus.surtr IN CNAME surtr.yggdrasil.li.
		44
43	vidhar IN AAAA 2a03:4000:52:ada:4:1::	45	vidhar IN AAAA 2a03:4000:52:ada:4:1::
44	vidhar IN MX 0 ymir.yggdrasil.li	46	vidhar IN MX 0 ymir.yggdrasil.li
45	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"	47	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"


diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix new file mode 100644 index 00000000..3fdfc2aa --- /dev/null +++ b/hosts/surtr/prometheus/default.nix
@@ -0,0 +1,73 @@
		1	{ config, lib, pkgs, ... }:
		2
		3	with lib;
		4
		5	let
		6	relabelHosts = [
		7	{ source_labels = ["__address__"];
		8	target_label = "instance";
		9	regex = "(localhost\|127\.[0-9]+\.[0-9]+\.[0-9]+)(:[0-9]+)?";
		10	replacement = "surtr";
		11	}
		12	];
		13	in {
		14	config = {
		15	services.prometheus = {
		16	enable = true;
		17
		18	exporters = {
		19	node = {
		20	enable = true;
		21	enabledCollectors = [];
		22	};
		23	};
		24
		25	globalConfig = {
		26	evaluation_interval = "1s";
		27
		28	remote_write = {
		29	url = "https://prometheus.vidhar.yggdrasil/api/v1/write";
		30	name = "vidhar";
		31	tls_config = {
		32	ca_file = ../../vidhar/prometheus/ca/ca.crt;
		33	cert_file = ./tls.crt;
		34	key_file = "/run/credentials/prometheus.service/tls.key";
		35	};
		36	};
		37	};
		38
		39	scrapeConfigs = [
		40	{ job_name = "prometheus";
		41	static_configs = [
		42	{ targets = ["localhost:${toString config.services.prometheus.port}"]; }
		43	];
		44	relabel_configs = relabelHosts;
		45	scrape_interval = "1s";
		46	}
		47	{ job_name = "node";
		48	static_configs = [
		49	{ targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
		50	];
		51	relabel_configs = relabelHosts;
		52	scrape_interval = "1s";
		53	}
		54	];
		55
		56	rules = [
		57	(generators.toYAML {} {
		58	groups = [
		59	];
		60	})
		61	];
		62	};
		63
		64	sops.secrets."prometheus.key" = {
		65	format = "binary";
		66	sopsFile = ./tls.key;
		67	};
		68
		69	systemd.services.prometheus.serviceConfig.LoadCredential = [
		70	"tls.key:${config.sops.secrets."prometheus.key".path}"
		71	];
		72	};
		73	}


diff --git a/hosts/surtr/prometheus/tls.crt b/hosts/surtr/prometheus/tls.crt new file mode 100644 index 00000000..ba958f40 --- /dev/null +++ b/hosts/surtr/prometheus/tls.crt
@@ -0,0 +1,10 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
		3	Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
		4	BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
		5	4KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
		6	GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
		7	Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
		8	A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
		9	/yZw71p7M0BAE+hJqYBzYo5YBQ==
		10	-----END CERTIFICATE-----


diff --git a/hosts/surtr/prometheus/tls.key b/hosts/surtr/prometheus/tls.key new file mode 100644 index 00000000..95e28db2 --- /dev/null +++ b/hosts/surtr/prometheus/tls.key
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:YBbLT5kFi1KKQ4xOvyiJGkwQG/xoxz55/giVg2iY6+0nV+jEp3mF4oFjc14gFg3mIN9x6bLdFVY3DUHT1PrQdjrqIZtX8AVCA8BUIQj6JDY6YMi3/kK6mR9up9o/pxJfu8mQVjWjSx78Ko9aNat8/FltJnq69cA=,iv:PfslzrP5AbTNHpXfh4bz3q6CD9anQyCpmqtZ8ZTEG3k=,tag:eJLb0LIoNwDD1JQ6kUmACA==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-04-08T20:09:16Z",
		10	"mac": "ENC[AES256_GCM,data:UW3ngxCjYl2kmOinRNmwNliBg2Xm/5rCrLp39bo7PXksZcuijV800IKuY91PWjkgaIbjD2jlU0ycJNDw3MzxfVim6gz91kUXQgQV+me8AEXAiO6Sf2j08jEtTh1SCr4qqdw0FE5aULDvGRtTgR+hhNk0xbbeG9fPhU95eeLW8vg=,iv:wG54336E4PouNgXhZbW4/onqbecsRrdYzTXSXDft/VI=,tag:BASCu9YNPMPfbScepLDiRQ==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-04-08T20:09:16Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfzL8SSjlYxe8e5yOipQClJffUgxFnlew+N6VK4UhRGYw\naHaDmOmusuTRoBOX4V4PpRg3gLFRoPPy+q9L4Z+gtX97JK+9UgN1mxYPkB9X5M8K\n0l4BQ9caVjtlmMuKp3EROUYrSjau6Ulkzd43P+BwwQ6jv8T52EtKO8WLVnQEheIV\njOMH4DWaxKYbad7lXphix1oFhVvQQVGEzawceWolKDt/T+QS4spJBFoL7V1ml105\n=Cdh0\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-04-08T20:09:16Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdACGP5pn9MiRCa7CJYqosY9Aw4TJx+/9tOsdO5YZn1ZSIw\n/xOMfKjHvT5PlMT9gnk9187MhjR9G/2YcW5ggfyEypo8ei65RkJYzTG2m5Pdneg3\n0l4BzMEQtYAbmZBp9XSkqjacCTpc2y6YV55qcuFudtRfsFFi28JSb5NxZ61AKy0g\nSk/e+IHQvTGahD2akrHBNIPncUOo4GHHzEjADvdDuJNpMkYUgnhEUod2JPYBjFmL\n=JN/O\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.2"
		25	}
		26	} \ No newline at end of file