From f2bfb278fbff1d02df0b6a377f3de24881172105 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 8 Apr 2022 22:43:06 +0200
Subject: prometheus

---
 hosts/surtr/prometheus/default.nix | 73 ++++++++++++++++++++++++++++++++++++++
 hosts/surtr/prometheus/tls.crt     | 10 ++++++
 hosts/surtr/prometheus/tls.key     | 26 ++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 hosts/surtr/prometheus/default.nix
 create mode 100644 hosts/surtr/prometheus/tls.crt
 create mode 100644 hosts/surtr/prometheus/tls.key

(limited to 'hosts/surtr/prometheus')

diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
new file mode 100644
index 00000000..3fdfc2aa
--- /dev/null
+++ b/hosts/surtr/prometheus/default.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  relabelHosts = [
+    { source_labels = ["__address__"];
+      target_label = "instance";
+      regex = "(localhost|127\.[0-9]+\.[0-9]+\.[0-9]+)(:[0-9]+)?";
+      replacement = "surtr";
+    }
+  ];
+in {
+  config = {
+    services.prometheus = {
+      enable = true;
+
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [];
+        };
+      };
+
+      globalConfig = {
+        evaluation_interval = "1s";
+
+        remote_write = {
+          url = "https://prometheus.vidhar.yggdrasil/api/v1/write";
+          name = "vidhar";
+          tls_config = {
+            ca_file = ../../vidhar/prometheus/ca/ca.crt;
+            cert_file = ./tls.crt;
+            key_file = "/run/credentials/prometheus.service/tls.key";
+          };
+        };
+      };
+
+      scrapeConfigs = [
+        { job_name = "prometheus";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "node";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+      ];
+
+      rules = [
+        (generators.toYAML {} {
+          groups = [
+          ];
+        })
+      ];
+    };
+
+    sops.secrets."prometheus.key" = {
+      format = "binary";
+      sopsFile = ./tls.key;
+    };
+
+    systemd.services.prometheus.serviceConfig.LoadCredential = [
+      "tls.key:${config.sops.secrets."prometheus.key".path}"
+    ];
+  };
+}
diff --git a/hosts/surtr/prometheus/tls.crt b/hosts/surtr/prometheus/tls.crt
new file mode 100644
index 00000000..ba958f40
--- /dev/null
+++ b/hosts/surtr/prometheus/tls.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
+Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
+BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
+4KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
+GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
+Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
+A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
+/yZw71p7M0BAE+hJqYBzYo5YBQ==
+-----END CERTIFICATE-----
diff --git a/hosts/surtr/prometheus/tls.key b/hosts/surtr/prometheus/tls.key
new file mode 100644
index 00000000..95e28db2
--- /dev/null
+++ b/hosts/surtr/prometheus/tls.key
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:YBbLT5kFi1KKQ4xOvyiJGkwQG/xoxz55/giVg2iY6+0nV+jEp3mF4oFjc14gFg3mIN9x6bLdFVY3DUHT1PrQdjrqIZtX8AVCA8BUIQj6JDY6YMi3/kK6mR9up9o/pxJfu8mQVjWjSx78Ko9aNat8/FltJnq69cA=,iv:PfslzrP5AbTNHpXfh4bz3q6CD9anQyCpmqtZ8ZTEG3k=,tag:eJLb0LIoNwDD1JQ6kUmACA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-04-08T20:09:16Z",
+		"mac": "ENC[AES256_GCM,data:UW3ngxCjYl2kmOinRNmwNliBg2Xm/5rCrLp39bo7PXksZcuijV800IKuY91PWjkgaIbjD2jlU0ycJNDw3MzxfVim6gz91kUXQgQV+me8AEXAiO6Sf2j08jEtTh1SCr4qqdw0FE5aULDvGRtTgR+hhNk0xbbeG9fPhU95eeLW8vg=,iv:wG54336E4PouNgXhZbW4/onqbecsRrdYzTXSXDft/VI=,tag:BASCu9YNPMPfbScepLDiRQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-04-08T20:09:16Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfzL8SSjlYxe8e5yOipQClJffUgxFnlew+N6VK4UhRGYw\naHaDmOmusuTRoBOX4V4PpRg3gLFRoPPy+q9L4Z+gtX97JK+9UgN1mxYPkB9X5M8K\n0l4BQ9caVjtlmMuKp3EROUYrSjau6Ulkzd43P+BwwQ6jv8T52EtKO8WLVnQEheIV\njOMH4DWaxKYbad7lXphix1oFhVvQQVGEzawceWolKDt/T+QS4spJBFoL7V1ml105\n=Cdh0\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-04-08T20:09:16Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdACGP5pn9MiRCa7CJYqosY9Aw4TJx+/9tOsdO5YZn1ZSIw\n/xOMfKjHvT5PlMT9gnk9187MhjR9G/2YcW5ggfyEypo8ei65RkJYzTG2m5Pdneg3\n0l4BzMEQtYAbmZBp9XSkqjacCTpc2y6YV55qcuFudtRfsFFi28JSb5NxZ61AKy0g\nSk/e+IHQvTGahD2akrHBNIPncUOo4GHHzEjADvdDuJNpMkYUgnhEUod2JPYBjFmL\n=JN/O\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.2"
+	}
+}
\ No newline at end of file
-- 
cgit v1.2.3