summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
Diffstat (limited to 'hosts')
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa4
-rw-r--r--hosts/surtr/prometheus/default.nix73
-rw-r--r--hosts/surtr/prometheus/tls.crt10
-rw-r--r--hosts/surtr/prometheus/tls.key26
-rw-r--r--hosts/vidhar/dns/zones/yggdrasil.soa5
-rw-r--r--hosts/vidhar/prometheus/ca/.gitignore3
-rw-r--r--hosts/vidhar/prometheus/ca/ca.crt12
-rw-r--r--hosts/vidhar/prometheus/ca/ca.key.sops21
-rw-r--r--hosts/vidhar/prometheus/ca/certs/01.pem39
-rw-r--r--hosts/vidhar/prometheus/ca/certs/02.pem38
-rw-r--r--hosts/vidhar/prometheus/ca/index.txt2
-rw-r--r--hosts/vidhar/prometheus/ca/index.txt.attr1
-rw-r--r--hosts/vidhar/prometheus/ca/serial1
-rw-r--r--hosts/vidhar/prometheus/default.nix30
-rw-r--r--hosts/vidhar/prometheus/tls.crt9
-rw-r--r--hosts/vidhar/prometheus/tls.key26
16 files changed, 296 insertions, 4 deletions
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ff623211..74b7170e 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1$ORIGIN yggdrasil.li. 1$ORIGIN yggdrasil.li.
2$TTL 3600 2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( 3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2022022201 ; serial 4 2022040800 ; serial
5 10800 ; refresh 5 10800 ; refresh
6 3600 ; retry 6 3600 ; retry
7 604800 ; expire 7 604800 ; expire
@@ -40,6 +40,8 @@ surtr IN AAAA 2a03:4000:52:ada::
40surtr IN MX 0 ymir.yggdrasil.li 40surtr IN MX 0 ymir.yggdrasil.li
41surtr IN TXT "v=spf1 redirect=yggdrasil.li" 41surtr IN TXT "v=spf1 redirect=yggdrasil.li"
42 42
43prometheus.surtr IN CNAME surtr.yggdrasil.li.
44
43vidhar IN AAAA 2a03:4000:52:ada:4:1:: 45vidhar IN AAAA 2a03:4000:52:ada:4:1::
44vidhar IN MX 0 ymir.yggdrasil.li 46vidhar IN MX 0 ymir.yggdrasil.li
45vidhar IN TXT "v=spf1 redirect=yggdrasil.li" 47vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
new file mode 100644
index 00000000..3fdfc2aa
--- /dev/null
+++ b/hosts/surtr/prometheus/default.nix
@@ -0,0 +1,73 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 relabelHosts = [
7 { source_labels = ["__address__"];
8 target_label = "instance";
9 regex = "(localhost|127\.[0-9]+\.[0-9]+\.[0-9]+)(:[0-9]+)?";
10 replacement = "surtr";
11 }
12 ];
13in {
14 config = {
15 services.prometheus = {
16 enable = true;
17
18 exporters = {
19 node = {
20 enable = true;
21 enabledCollectors = [];
22 };
23 };
24
25 globalConfig = {
26 evaluation_interval = "1s";
27
28 remote_write = {
29 url = "https://prometheus.vidhar.yggdrasil/api/v1/write";
30 name = "vidhar";
31 tls_config = {
32 ca_file = ../../vidhar/prometheus/ca/ca.crt;
33 cert_file = ./tls.crt;
34 key_file = "/run/credentials/prometheus.service/tls.key";
35 };
36 };
37 };
38
39 scrapeConfigs = [
40 { job_name = "prometheus";
41 static_configs = [
42 { targets = ["localhost:${toString config.services.prometheus.port}"]; }
43 ];
44 relabel_configs = relabelHosts;
45 scrape_interval = "1s";
46 }
47 { job_name = "node";
48 static_configs = [
49 { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
50 ];
51 relabel_configs = relabelHosts;
52 scrape_interval = "1s";
53 }
54 ];
55
56 rules = [
57 (generators.toYAML {} {
58 groups = [
59 ];
60 })
61 ];
62 };
63
64 sops.secrets."prometheus.key" = {
65 format = "binary";
66 sopsFile = ./tls.key;
67 };
68
69 systemd.services.prometheus.serviceConfig.LoadCredential = [
70 "tls.key:${config.sops.secrets."prometheus.key".path}"
71 ];
72 };
73}
diff --git a/hosts/surtr/prometheus/tls.crt b/hosts/surtr/prometheus/tls.crt
new file mode 100644
index 00000000..ba958f40
--- /dev/null
+++ b/hosts/surtr/prometheus/tls.crt
@@ -0,0 +1,10 @@
1-----BEGIN CERTIFICATE-----
2MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
3Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
4BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
54KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
6GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
7Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
8A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
9/yZw71p7M0BAE+hJqYBzYo5YBQ==
10-----END CERTIFICATE-----
diff --git a/hosts/surtr/prometheus/tls.key b/hosts/surtr/prometheus/tls.key
new file mode 100644
index 00000000..95e28db2
--- /dev/null
+++ b/hosts/surtr/prometheus/tls.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:YBbLT5kFi1KKQ4xOvyiJGkwQG/xoxz55/giVg2iY6+0nV+jEp3mF4oFjc14gFg3mIN9x6bLdFVY3DUHT1PrQdjrqIZtX8AVCA8BUIQj6JDY6YMi3/kK6mR9up9o/pxJfu8mQVjWjSx78Ko9aNat8/FltJnq69cA=,iv:PfslzrP5AbTNHpXfh4bz3q6CD9anQyCpmqtZ8ZTEG3k=,tag:eJLb0LIoNwDD1JQ6kUmACA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-04-08T20:09:16Z",
10 "mac": "ENC[AES256_GCM,data:UW3ngxCjYl2kmOinRNmwNliBg2Xm/5rCrLp39bo7PXksZcuijV800IKuY91PWjkgaIbjD2jlU0ycJNDw3MzxfVim6gz91kUXQgQV+me8AEXAiO6Sf2j08jEtTh1SCr4qqdw0FE5aULDvGRtTgR+hhNk0xbbeG9fPhU95eeLW8vg=,iv:wG54336E4PouNgXhZbW4/onqbecsRrdYzTXSXDft/VI=,tag:BASCu9YNPMPfbScepLDiRQ==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-04-08T20:09:16Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfzL8SSjlYxe8e5yOipQClJffUgxFnlew+N6VK4UhRGYw\naHaDmOmusuTRoBOX4V4PpRg3gLFRoPPy+q9L4Z+gtX97JK+9UgN1mxYPkB9X5M8K\n0l4BQ9caVjtlmMuKp3EROUYrSjau6Ulkzd43P+BwwQ6jv8T52EtKO8WLVnQEheIV\njOMH4DWaxKYbad7lXphix1oFhVvQQVGEzawceWolKDt/T+QS4spJBFoL7V1ml105\n=Cdh0\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-04-08T20:09:16Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdACGP5pn9MiRCa7CJYqosY9Aw4TJx+/9tOsdO5YZn1ZSIw\n/xOMfKjHvT5PlMT9gnk9187MhjR9G/2YcW5ggfyEypo8ei65RkJYzTG2m5Pdneg3\n0l4BzMEQtYAbmZBp9XSkqjacCTpc2y6YV55qcuFudtRfsFFi28JSb5NxZ61AKy0g\nSk/e+IHQvTGahD2akrHBNIPncUOo4GHHzEjADvdDuJNpMkYUgnhEUod2JPYBjFmL\n=JN/O\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.2"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index 4235c602..ffa79ee1 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
1$ORIGIN yggdrasil. 1$ORIGIN yggdrasil.
2$TTL 300 2$TTL 300
3@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. ( 3@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
4 2022040800 ; serial 4 2022040802 ; serial
5 300 ; refresh 5 300 ; refresh
6 300 ; retry 6 300 ; retry
7 300 ; expire 7 300 ; expire
@@ -14,7 +14,8 @@ surtr IN AAAA 2a03:4000:52:ada:1::
14vidhar IN AAAA 2a03:4000:52:ada:1:1:: 14vidhar IN AAAA 2a03:4000:52:ada:1:1::
15sif IN AAAA 2a03:4000:52:ada:1:2:: 15sif IN AAAA 2a03:4000:52:ada:1:2::
16 16
17grafana.vidhar IN CNAME vidhar.yggdrasil. 17grafana.vidhar IN CNAME vidhar.yggdrasil.
18prometheus.vidhar IN CNAME vidhar.yggdrasil.
18 19
19 20
20vidhar.lan IN A 10.141.0.1 21vidhar.lan IN A 10.141.0.1
diff --git a/hosts/vidhar/prometheus/ca/.gitignore b/hosts/vidhar/prometheus/ca/.gitignore
new file mode 100644
index 00000000..7c894574
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/.gitignore
@@ -0,0 +1,3 @@
1ca.key
2ca.cnf
3*.old \ No newline at end of file
diff --git a/hosts/vidhar/prometheus/ca/ca.crt b/hosts/vidhar/prometheus/ca/ca.crt
new file mode 100644
index 00000000..922fed28
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/ca.crt
@@ -0,0 +1,12 @@
1-----BEGIN CERTIFICATE-----
2MIIBsjCCAWSgAwIBAgIUOzZ8XcFb8XtI2yyWp4S/WMD6QxQwBQYDK2VwMB8xHTAb
3BgNVBAMMFHByb21ldGhldXMueWdnZHJhc2lsMCAXDTIyMDQwODE5NDgwMFoYDzIw
4OTAwNDI2MTk0ODAwWjAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnlnZ2RyYXNpbDAq
5MAUGAytlcAMhAOoxPLBH6pnCRtE7V5gejM92gg1vLNLHw3rFIXXchOJmo4GvMIGs
6MB0GA1UdDgQWBBRnwBkgZFnueEa7aV8aEAoMRzW4CTBaBgNVHSMEUzBRgBRnwBkg
7ZFnueEa7aV8aEAoMRzW4CaEjpCEwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55Z2dk
8cmFzaWyCFDs2fF3BW/F7SNsslqeEv1jA+kMUMA8GA1UdEwEB/wQFMAMBAf8wCwYD
9VR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwICBDAFBgMrZXADQQD9AC2OHtzW8QSC
10HU/4rGdRWRqr3pfclKXimSWaAXMPly2M1qehPI402lhQrIAVF+D1pi/EAGJfbbzF
11aurykEMB
12-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/ca/ca.key.sops b/hosts/vidhar/prometheus/ca/ca.key.sops
new file mode 100644
index 00000000..5313056e
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/ca.key.sops
@@ -0,0 +1,21 @@
1{
2 "data": "ENC[AES256_GCM,data:XW6h0psHOSV0cR03vRg479A5XRM7KfiBfVgvm4QlxCZzhkk5U1ToDJIaCxqKpxlEu8wm79wmz+/CmSLDEBcs7x05a5vBDt81mlWJ49PolOrG9bL9Qkyq5u8sB8HWXRXxCP5kg2su+n9NqdHX9AIhYCXy7VJDuGo=,iv:v661AhF2Q/O+a7JtwHtnSkSI0mL8ltu5rPny8vWCL/Q=,tag:c7b0a6o6y/MI5vG85uFuUg==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-04-08T20:12:22Z",
10 "mac": "ENC[AES256_GCM,data:W/IF6WgTscbkcMUTR3aeqM/H/UwgFgILDbKBxYJQxcFtt4kq3UqzSd/e0hk5NQ9IkagAC4X0gZDuzco2mc7caUGyzMKRdA2ekgcdDwzruQ4i+UYyr80dFhqHpV+aksdZJVR+dJzkmIRmza3Ia5e/X01XNIbIrU13JKYm9jCskd0=,iv:2g+UFcSTxcTrf+toi4BDVvAaY5ydk7yRnhpQ/rrNvVo=,tag:3X01wEqL/Q8cIiF+DEMnpg==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-04-08T20:12:22Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdADN+s7UQS8hEBc2mMRovD/zKuIoIAS3swLpP6ul9kRGMw\nDCUvOL41sxXmuodi4Pg69YB2YcL47Fod7nQWUYaK8L3CuyjWUq1cxomlYtTd03eH\n0l4BiyWTuZ+1OG4Xng8B4zdcM5jWfeTRWupDIXcnPFjwz47FetmrcCAaROKYL87e\nAjK76Y6gR/gSj0GTTAUIfKFpqsqAdBAf6oBekQcPgeqcrJcZ2ZZFWzmswGBvcGjs\n=gqhG\n-----END PGP MESSAGE-----\n",
15 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
16 }
17 ],
18 "unencrypted_suffix": "_unencrypted",
19 "version": "3.7.2"
20 }
21} \ No newline at end of file
diff --git a/hosts/vidhar/prometheus/ca/certs/01.pem b/hosts/vidhar/prometheus/ca/certs/01.pem
new file mode 100644
index 00000000..81abe0b7
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/certs/01.pem
@@ -0,0 +1,39 @@
1Certificate:
2 Data:
3 Version: 3 (0x2)
4 Serial Number: 1 (0x1)
5 Signature Algorithm: ED25519
6 Issuer: CN=prometheus.yggdrasil
7 Validity
8 Not Before: Apr 8 20:03:55 2022 GMT
9 Not After : Apr 26 20:03:55 2090 GMT
10 Subject: CN=surtr.yggdrasil
11 Subject Public Key Info:
12 Public Key Algorithm: ED25519
13 ED25519 Public-Key:
14 pub:
15 02:5d:f0:8d:f6:5f:fc:fd:27:47:0e:d8:ec:fe:e0:
16 a0:28:20:9a:b4:8a:07:4c:75:b2:c1:03:ef:16:3b:
17 eb:e0
18 X509v3 extensions:
19 X509v3 Basic Constraints: critical
20 CA:FALSE
21 X509v3 Subject Alternative Name:
22 DNS:prometheus.surtr.yggdrasil, DNS:prometheus.surtr.yggdrasil.li
23 X509v3 Subject Key Identifier:
24 37:9D:AD:3D:CB:F9:14:5A:69:CD:E2:71:D8:08:97:93:A5:20:3C:38
25 Signature Algorithm: ED25519
26 3c:df:73:85:a7:81:07:60:b5:4e:ea:ec:74:04:47:d2:35:41:
27 cf:d8:34:75:18:4f:ee:c3:b9:64:6d:0a:fb:1a:76:e2:96:8b:
28 5e:24:c5:d6:b6:2e:6f:6e:29:ff:26:70:ef:5a:7b:33:40:40:
29 13:e8:49:a9:80:73:62:8e:58:05
30-----BEGIN CERTIFICATE-----
31MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
32Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
33BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
344KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
35GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
36Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
37A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
38/yZw71p7M0BAE+hJqYBzYo5YBQ==
39-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/ca/certs/02.pem b/hosts/vidhar/prometheus/ca/certs/02.pem
new file mode 100644
index 00000000..d908ca7d
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/certs/02.pem
@@ -0,0 +1,38 @@
1Certificate:
2 Data:
3 Version: 3 (0x2)
4 Serial Number: 2 (0x2)
5 Signature Algorithm: ED25519
6 Issuer: CN=prometheus.yggdrasil
7 Validity
8 Not Before: Apr 8 20:07:13 2022 GMT
9 Not After : Apr 26 20:07:13 2090 GMT
10 Subject: CN=vidhar.yggdrasil
11 Subject Public Key Info:
12 Public Key Algorithm: ED25519
13 ED25519 Public-Key:
14 pub:
15 13:84:a6:01:07:7a:5e:8d:2b:8d:83:ee:73:1d:c6:
16 b8:9a:ad:b9:3d:40:51:ec:2c:f3:52:7d:81:90:e7:
17 ac:88
18 X509v3 extensions:
19 X509v3 Basic Constraints: critical
20 CA:FALSE
21 X509v3 Subject Alternative Name:
22 DNS:prometheus.vidhar.yggdrasil
23 X509v3 Subject Key Identifier:
24 44:AA:8E:CC:AB:C9:A7:D1:A1:D0:FA:7F:DB:87:1E:08:AA:6E:4D:59
25 Signature Algorithm: ED25519
26 47:65:87:17:50:96:77:56:20:ac:9e:f4:e4:6d:19:6d:b7:24:
27 11:af:0c:c3:f3:fd:75:19:d9:77:06:41:79:7f:a5:00:0c:18:
28 ee:82:3e:9e:09:61:34:cf:8f:f5:83:d1:5d:b2:e4:42:b6:3f:
29 9c:b6:5a:f3:40:92:e6:8f:24:0f
30-----BEGIN CERTIFICATE-----
31MIIBQTCB9KADAgECAgECMAUGAytlcDAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnln
32Z2RyYXNpbDAgFw0yMjA0MDgyMDA3MTNaGA8yMDkwMDQyNjIwMDcxM1owGzEZMBcG
33A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABOEpgEHel6NK42D7nMd
34xriarbk9QFHsLPNSfYGQ56yIo1cwVTAMBgNVHRMBAf8EAjAAMCYGA1UdEQQfMB2C
35G3Byb21ldGhldXMudmlkaGFyLnlnZ2RyYXNpbDAdBgNVHQ4EFgQURKqOzKvJp9Gh
360Pp/24ceCKpuTVkwBQYDK2VwA0EAR2WHF1CWd1YgrJ705G0ZbbckEa8Mw/P9dRnZ
37dwZBeX+lAAwY7oI+nglhNM+P9YPRXbLkQrY/nLZa80CS5o8kDw==
38-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/ca/index.txt b/hosts/vidhar/prometheus/ca/index.txt
new file mode 100644
index 00000000..41ebb0f4
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/index.txt
@@ -0,0 +1,2 @@
1V 20900426200355Z 01 unknown /CN=surtr.yggdrasil
2V 20900426200713Z 02 unknown /CN=vidhar.yggdrasil
diff --git a/hosts/vidhar/prometheus/ca/index.txt.attr b/hosts/vidhar/prometheus/ca/index.txt.attr
new file mode 100644
index 00000000..8f7e63a3
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/index.txt.attr
@@ -0,0 +1 @@
unique_subject = yes
diff --git a/hosts/vidhar/prometheus/ca/serial b/hosts/vidhar/prometheus/ca/serial
new file mode 100644
index 00000000..75016ea3
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/serial
@@ -0,0 +1 @@
03
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index c60afd11..adcfdae9 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -26,7 +26,7 @@ in {
26 enable = true; 26 enable = true;
27 27
28 extraFlags = [ 28 extraFlags = [
29 "--enable-feature=remote-write-receiver" 29 "--web.enable-remote-write-receiver"
30 ]; 30 ];
31 31
32 exporters = { 32 exporters = {
@@ -387,5 +387,33 @@ in {
387 AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"]; 387 AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"];
388 }; 388 };
389 }; 389 };
390
391 services.nginx = {
392 upstreams.prometheus = {
393 servers = { "localhost:${config.services.prometheus.port}" = {}; };
394 };
395 virtualHosts."prometheus.vidhar.yggdrasil" = {
396 forceSSl = true;
397 sslCertificate = ./tls.crt;
398 sslCertificateKey = "/run/credentials/nginx.service/prometheus.key";
399 extraConfig = ''
400 ssl_client_certificate ${./ca/ca.crt};
401 ssl_trusted_certificate ${./ca/ca.crt};
402 ssl_verify_client on;
403 '';
404 locations."/" = {
405 proxyPass = "http://prometheus/";
406 proxyWebsockets = true;
407 };
408 };
409 };
410
411 sops.secrets."prometheus.key" = {
412 format = "binary";
413 sopsFile = ./tls.key;
414 };
415 systemd.services.nginx.serviceConfig.LoadCredential = [
416 "prometheus.key:${config.sops.secrets."prometheus.key".path}"
417 ];
390 }; 418 };
391} 419}
diff --git a/hosts/vidhar/prometheus/tls.crt b/hosts/vidhar/prometheus/tls.crt
new file mode 100644
index 00000000..792ed542
--- /dev/null
+++ b/hosts/vidhar/prometheus/tls.crt
@@ -0,0 +1,9 @@
1-----BEGIN CERTIFICATE-----
2MIIBQTCB9KADAgECAgECMAUGAytlcDAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnln
3Z2RyYXNpbDAgFw0yMjA0MDgyMDA3MTNaGA8yMDkwMDQyNjIwMDcxM1owGzEZMBcG
4A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABOEpgEHel6NK42D7nMd
5xriarbk9QFHsLPNSfYGQ56yIo1cwVTAMBgNVHRMBAf8EAjAAMCYGA1UdEQQfMB2C
6G3Byb21ldGhldXMudmlkaGFyLnlnZ2RyYXNpbDAdBgNVHQ4EFgQURKqOzKvJp9Gh
70Pp/24ceCKpuTVkwBQYDK2VwA0EAR2WHF1CWd1YgrJ705G0ZbbckEa8Mw/P9dRnZ
8dwZBeX+lAAwY7oI+nglhNM+P9YPRXbLkQrY/nLZa80CS5o8kDw==
9-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/tls.key b/hosts/vidhar/prometheus/tls.key
new file mode 100644
index 00000000..eba3bb5c
--- /dev/null
+++ b/hosts/vidhar/prometheus/tls.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:/4D30JZoWEYJIM5SW4vzXkS8sMSSyjQHDBZghc54n+lxMCaIczIreiFQFChzlKpw+ai0EvT4q073AZ+xuMTOWI80UdgKyNvFNAk5Ybp0F90BouXu6u7fodg9U3LhP3GhfjtSyC1P4fPZP3siQh+5IuEfxNFHcl0=,iv:khbWHOpZ8rJ/hJlxRYb98wUDSJiNFAHCO8guoUJLrpA=,tag:YTQB1T9jzubBxOqNVK0unQ==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-04-08T20:08:57Z",
10 "mac": "ENC[AES256_GCM,data:UfFRVfPGtGle1yHVj3FrZGb+LKzIBdAsAWJY0qzJTXR+uMxAjCOIBmtBBmzGViBX4mBXFXVbYHvXVlpJPYw1kUhQW+uVERJHvhsRsC9cg3MyNrGNkZIi+QazJaI5Xe+9yO5yjy0NE1e6jia/+BxOZ2tGv8uItRQxfyDCRT0+sWU=,iv:yDgjpubvnF2G07ulC+bopb90wMhfop3z3mEXgeIRQxg=,tag:+J6campz4SYk5xec1uHMog==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-04-08T20:08:56Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAvXcM76hJxWHJ0i/XMqtIUSxdT6AaHqduia7V1qUmEA8w\ntM89Pshkp8atxmCdRgTiS1e3qgGHRqp6pYEjt2gT6fGDh8nTmswWDNBqmAUw7gj6\n0l4BpBZgCgGsuAL49qiezBuR7BsrKmRxIPV7ZZFl5CNofy/38qjxY8FxJl+GsiHn\n3jkXh8kJEO3dPXSU+7ID7syxifFFkLcKhRcNXeeZdvz2J/8zYFUhqE4+7+S3AKjs\n=7IAZ\n-----END PGP MESSAGE-----\n",
15 "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
16 },
17 {
18 "created_at": "2022-04-08T20:08:56Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfS68HcCu+AgaXTG9VdIakO+Jr6Y04INcZTJ6vkNQPFEw\nclmmwVcjylP6BHUML9tSHsgxyW9IK7CYdojtmqRsYF4NCvbWlFRBbehjPlLL4yKs\n0l4Ba+3HaHK8w+lCdMWCLcxzzd2dfkTPNAJUzIAl/AIOx6EwdZseitYN9EkeJStt\nNXcoDPDmnntVlqpUYwHkTKaLSUVuwesaQ8LdHHInvvOXZ97xEcN7575vI0Stde/u\n=dNgh\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.2"
25 }
26} \ No newline at end of file