From f2bfb278fbff1d02df0b6a377f3de24881172105 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 8 Apr 2022 22:43:06 +0200
Subject: prometheus
---
hosts/vidhar/prometheus/ca/.gitignore | 3 +++
hosts/vidhar/prometheus/ca/ca.crt | 12 ++++++++++
hosts/vidhar/prometheus/ca/ca.key.sops | 21 +++++++++++++++++
hosts/vidhar/prometheus/ca/certs/01.pem | 39 +++++++++++++++++++++++++++++++
hosts/vidhar/prometheus/ca/certs/02.pem | 38 ++++++++++++++++++++++++++++++
hosts/vidhar/prometheus/ca/index.txt | 2 ++
hosts/vidhar/prometheus/ca/index.txt.attr | 1 +
hosts/vidhar/prometheus/ca/serial | 1 +
hosts/vidhar/prometheus/default.nix | 30 +++++++++++++++++++++++-
hosts/vidhar/prometheus/tls.crt | 9 +++++++
hosts/vidhar/prometheus/tls.key | 26 +++++++++++++++++++++
11 files changed, 181 insertions(+), 1 deletion(-)
create mode 100644 hosts/vidhar/prometheus/ca/.gitignore
create mode 100644 hosts/vidhar/prometheus/ca/ca.crt
create mode 100644 hosts/vidhar/prometheus/ca/ca.key.sops
create mode 100644 hosts/vidhar/prometheus/ca/certs/01.pem
create mode 100644 hosts/vidhar/prometheus/ca/certs/02.pem
create mode 100644 hosts/vidhar/prometheus/ca/index.txt
create mode 100644 hosts/vidhar/prometheus/ca/index.txt.attr
create mode 100644 hosts/vidhar/prometheus/ca/serial
create mode 100644 hosts/vidhar/prometheus/tls.crt
create mode 100644 hosts/vidhar/prometheus/tls.key
(limited to 'hosts/vidhar/prometheus')
diff --git a/hosts/vidhar/prometheus/ca/.gitignore b/hosts/vidhar/prometheus/ca/.gitignore
new file mode 100644
index 00000000..7c894574
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/.gitignore
@@ -0,0 +1,3 @@
+ca.key
+ca.cnf
+*.old
\ No newline at end of file
diff --git a/hosts/vidhar/prometheus/ca/ca.crt b/hosts/vidhar/prometheus/ca/ca.crt
new file mode 100644
index 00000000..922fed28
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/ca.crt
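Review bot: Ignoring `ca.cnf` means the openssl CA configuration that produced ca/certs/01.pem and 02.pem (basicConstraints, the SAN policy, the 2090 expiry) is not in the repository, so the signing procedure can be neither reproduced nor reviewed; committing ca.cnf (it typically holds no secret) or adding a short README in hosts/vidhar/prometheus/ca describing how certificates are issued would close that gap. The `ca.key` entry also implies the plaintext CA key is decrypted into the working tree when signing; decrypting it to a tmpfs path, or wrapping the openssl invocation in `sops exec-file`, keeps it off persistent disk.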
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsjCCAWSgAwIBAgIUOzZ8XcFb8XtI2yyWp4S/WMD6QxQwBQYDK2VwMB8xHTAb
+BgNVBAMMFHByb21ldGhldXMueWdnZHJhc2lsMCAXDTIyMDQwODE5NDgwMFoYDzIw
+OTAwNDI2MTk0ODAwWjAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnlnZ2RyYXNpbDAq
+MAUGAytlcAMhAOoxPLBH6pnCRtE7V5gejM92gg1vLNLHw3rFIXXchOJmo4GvMIGs
+MB0GA1UdDgQWBBRnwBkgZFnueEa7aV8aEAoMRzW4CTBaBgNVHSMEUzBRgBRnwBkg
+ZFnueEa7aV8aEAoMRzW4CaEjpCEwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55Z2dk
+cmFzaWyCFDs2fF3BW/F7SNsslqeEv1jA+kMUMA8GA1UdEwEB/wQFMAMBAf8wCwYD
+VR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwICBDAFBgMrZXADQQD9AC2OHtzW8QSC
+HU/4rGdRWRqr3pfclKXimSWaAXMPly2M1qehPI402lhQrIAVF+D1pi/EAGJfbbzF
+aurykEMB
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/ca/ca.key.sops b/hosts/vidhar/prometheus/ca/ca.key.sops
new file mode 100644
index 00000000..5313056e
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/ca.key.sops
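Review bot: The CA certificate is valid until 2090 (its DER encodes the GeneralizedTime 20900426194800Z), the leaves issued from it in ca/certs/01.pem, ca/certs/02.pem and tls.crt run to April 2090 as well, and default.nix in this commit enables `ssl_verify_client on` without any `ssl_crl`; a leaked client key therefore stays accepted until the CA itself is replaced. Since the CA's index.txt and serial are tracked here, generating a CRL from this CA and adding `ssl_crl <path-to-crl>;` beside `ssl_client_certificate` — or issuing much shorter-lived leaves and re-signing on a schedule — would bound that exposure. The certificate also carries a Netscape cert-type extension (OID 2.16.840.1.113730.1.1), which modern verifiers ignore; it can be dropped from the CA profile.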
@@ -0,0 +1,21 @@
+{
+ "data": "ENC[AES256_GCM,data:XW6h0psHOSV0cR03vRg479A5XRM7KfiBfVgvm4QlxCZzhkk5U1ToDJIaCxqKpxlEu8wm79wmz+/CmSLDEBcs7x05a5vBDt81mlWJ49PolOrG9bL9Qkyq5u8sB8HWXRXxCP5kg2su+n9NqdHX9AIhYCXy7VJDuGo=,iv:v661AhF2Q/O+a7JtwHtnSkSI0mL8ltu5rPny8vWCL/Q=,tag:c7b0a6o6y/MI5vG85uFuUg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-04-08T20:12:22Z",
+ "mac": "ENC[AES256_GCM,data:W/IF6WgTscbkcMUTR3aeqM/H/UwgFgILDbKBxYJQxcFtt4kq3UqzSd/e0hk5NQ9IkagAC4X0gZDuzco2mc7caUGyzMKRdA2ekgcdDwzruQ4i+UYyr80dFhqHpV+aksdZJVR+dJzkmIRmza3Ia5e/X01XNIbIrU13JKYm9jCskd0=,iv:2g+UFcSTxcTrf+toi4BDVvAaY5ydk7yRnhpQ/rrNvVo=,tag:3X01wEqL/Q8cIiF+DEMnpg==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-04-08T20:12:22Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdADN+s7UQS8hEBc2mMRovD/zKuIoIAS3swLpP6ul9kRGMw\nDCUvOL41sxXmuodi4Pg69YB2YcL47Fod7nQWUYaK8L3CuyjWUq1cxomlYtTd03eH\n0l4BiyWTuZ+1OG4Xng8B4zdcM5jWfeTRWupDIXcnPFjwz47FetmrcCAaROKYL87e\nAjK76Y6gR/gSj0GTTAUIfKFpqsqAdBAf6oBekQcPgeqcrJcZ2ZZFWzmswGBvcGjs\n=gqhG\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.2"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/prometheus/ca/certs/01.pem b/hosts/vidhar/prometheus/ca/certs/01.pem
new file mode 100644
index 00000000..81abe0b7
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/certs/01.pem
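Review bot: The CA key is encrypted to a single PGP recipient (fp 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51), whereas tls.key in the same commit is encrypted to that key and to A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362; if keeping the CA key off the host is deliberate, that is the right split, but the entire CA then depends on one PGP key remaining available. A README next to ca/ stating the intended recipients, plus either a second offline recipient or a documented recovery plan, would spare whoever rotates keys later from guessing.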
@@ -0,0 +1,39 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: ED25519
+ Issuer: CN=prometheus.yggdrasil
+ Validity
+ Not Before: Apr 8 20:03:55 2022 GMT
+ Not After : Apr 26 20:03:55 2090 GMT
+ Subject: CN=surtr.yggdrasil
+ Subject Public Key Info:
+ Public Key Algorithm: ED25519
+ ED25519 Public-Key:
+ pub:
+ 02:5d:f0:8d:f6:5f:fc:fd:27:47:0e:d8:ec:fe:e0:
+ a0:28:20:9a:b4:8a:07:4c:75:b2:c1:03:ef:16:3b:
+ eb:e0
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ DNS:prometheus.surtr.yggdrasil, DNS:prometheus.surtr.yggdrasil.li
+ X509v3 Subject Key Identifier:
+ 37:9D:AD:3D:CB:F9:14:5A:69:CD:E2:71:D8:08:97:93:A5:20:3C:38
+ Signature Algorithm: ED25519
+ 3c:df:73:85:a7:81:07:60:b5:4e:ea:ec:74:04:47:d2:35:41:
+ cf:d8:34:75:18:4f:ee:c3:b9:64:6d:0a:fb:1a:76:e2:96:8b:
+ 5e:24:c5:d6:b6:2e:6f:6e:29:ff:26:70:ef:5a:7b:33:40:40:
+ 13:e8:49:a9:80:73:62:8e:58:05
+-----BEGIN CERTIFICATE-----
+MIIBXzCCARGgAwIBAgIBATAFBgMrZXAwHzEdMBsGA1UEAwwUcHJvbWV0aGV1cy55
+Z2dkcmFzaWwwIBcNMjIwNDA4MjAwMzU1WhgPMjA5MDA0MjYyMDAzNTVaMBoxGDAW
+BgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhAAJd8I32X/z9J0cO2Oz+
+4KAoIJq0igdMdbLBA+8WO+vgo3UwczAMBgNVHRMBAf8EAjAAMEQGA1UdEQQ9MDuC
+GnByb21ldGhldXMuc3VydHIueWdnZHJhc2lsgh1wcm9tZXRoZXVzLnN1cnRyLnln
+Z2RyYXNpbC5saTAdBgNVHQ4EFgQUN52tPcv5FFppzeJx2AiXk6UgPDgwBQYDK2Vw
+A0EAPN9zhaeBB2C1TursdARH0jVBz9g0dRhP7sO5ZG0K+xp24paLXiTF1rYub24p
+/yZw71p7M0BAE+hJqYBzYo5YBQ==
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/ca/certs/02.pem b/hosts/vidhar/prometheus/ca/certs/02.pem
new file mode 100644
index 00000000..d908ca7d
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/certs/02.pem
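Review bot: Neither this certificate nor ca/certs/02.pem carries an extendedKeyUsage extension, so every leaf this CA signs is usable both as a TLS server certificate and as a client certificate that vidhar's `ssl_verify_client on` accepts; that is harmless while the CA is dedicated to these two hosts, but any future certificate issued from ca/ for some other purpose would automatically gain access to Prometheus. Adding `extendedKeyUsage = clientAuth` to the client profile (and `serverAuth` to the server profile) in the CA configuration, and stating the CA's intended scope in a README under ca/, would make that boundary explicit rather than implicit.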
@@ -0,0 +1,38 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: ED25519
+ Issuer: CN=prometheus.yggdrasil
+ Validity
+ Not Before: Apr 8 20:07:13 2022 GMT
+ Not After : Apr 26 20:07:13 2090 GMT
+ Subject: CN=vidhar.yggdrasil
+ Subject Public Key Info:
+ Public Key Algorithm: ED25519
+ ED25519 Public-Key:
+ pub:
+ 13:84:a6:01:07:7a:5e:8d:2b:8d:83:ee:73:1d:c6:
+ b8:9a:ad:b9:3d:40:51:ec:2c:f3:52:7d:81:90:e7:
+ ac:88
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ DNS:prometheus.vidhar.yggdrasil
+ X509v3 Subject Key Identifier:
+ 44:AA:8E:CC:AB:C9:A7:D1:A1:D0:FA:7F:DB:87:1E:08:AA:6E:4D:59
+ Signature Algorithm: ED25519
+ 47:65:87:17:50:96:77:56:20:ac:9e:f4:e4:6d:19:6d:b7:24:
+ 11:af:0c:c3:f3:fd:75:19:d9:77:06:41:79:7f:a5:00:0c:18:
+ ee:82:3e:9e:09:61:34:cf:8f:f5:83:d1:5d:b2:e4:42:b6:3f:
+ 9c:b6:5a:f3:40:92:e6:8f:24:0f
+-----BEGIN CERTIFICATE-----
+MIIBQTCB9KADAgECAgECMAUGAytlcDAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnln
+Z2RyYXNpbDAgFw0yMjA0MDgyMDA3MTNaGA8yMDkwMDQyNjIwMDcxM1owGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABOEpgEHel6NK42D7nMd
+xriarbk9QFHsLPNSfYGQ56yIo1cwVTAMBgNVHRMBAf8EAjAAMCYGA1UdEQQfMB2C
+G3Byb21ldGhldXMudmlkaGFyLnlnZ2RyYXNpbDAdBgNVHQ4EFgQURKqOzKvJp9Gh
+0Pp/24ceCKpuTVkwBQYDK2VwA0EAR2WHF1CWd1YgrJ705G0ZbbckEa8Mw/P9dRnZ
+dwZBeX+lAAwY7oI+nglhNM+P9YPRXbLkQrY/nLZa80CS5o8kDw==
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/ca/index.txt b/hosts/vidhar/prometheus/ca/index.txt
new file mode 100644
index 00000000..41ebb0f4
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/index.txt
@@ -0,0 +1,2 @@
+V 20900426200355Z 01 unknown /CN=surtr.yggdrasil
+V 20900426200713Z 02 unknown /CN=vidhar.yggdrasil
diff --git a/hosts/vidhar/prometheus/ca/index.txt.attr b/hosts/vidhar/prometheus/ca/index.txt.attr
new file mode 100644
index 00000000..8f7e63a3
--- /dev/null
+++ b/hosts/vidhar/prometheus/ca/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/hosts/vidhar/prometheus/ca/serial b/hosts/vidhar/prometheus/ca/serial new file mode 100644 index 00000000..75016ea3 --- /dev/null +++ b/hosts/vidhar/prometheus/ca/serial @@ -0,0 +1 @@ +03 diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index c60afd11..adcfdae9 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix @@ -26,7 +26,7 @@ in { enable = true; extraFlags = [ - "--enable-feature=remote-write-receiver" + "--web.enable-remote-write-receiver" ]; exporters = { @@ -387,5 +387,33 @@ in { AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"]; }; }; + + services.nginx = { + upstreams.prometheus = { + servers = { "localhost:${config.services.prometheus.port}" = {}; }; + }; + virtualHosts."prometheus.vidhar.yggdrasil" = { + forceSSl = true; + sslCertificate = ./tls.crt; + sslCertificateKey = "/run/credentials/nginx.service/prometheus.key"; + extraConfig = '' + ssl_client_certificate ${./ca/ca.crt}; + ssl_trusted_certificate ${./ca/ca.crt}; + ssl_verify_client on; + ''; + locations."/" = { + proxyPass = "http://prometheus/"; + proxyWebsockets = true; + }; + }; + }; + + sops.secrets."prometheus.key" = { + format = "binary"; + sopsFile = ./tls.key; + }; + systemd.services.nginx.serviceConfig.LoadCredential = [ + "prometheus.key:${config.sops.secrets."prometheus.key".path}" + ]; }; } diff --git a/hosts/vidhar/prometheus/tls.crt b/hosts/vidhar/prometheus/tls.crt new file mode 100644 index 00000000..792ed542 --- /dev/null +++ b/hosts/vidhar/prometheus/tls.crt 
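Review bot: `forceSSl = true;` in the virtualHosts block misspells the NixOS option `forceSSL`, so the HTTP-to-HTTPS redirect is not configured and the unknown option should make evaluation fail; in the same hunk the upstream entry interpolates an integer port, which Nix refuses to coerce to a string, so it needs `"localhost:${toString config.services.prometheus.port}" = {};`. `ssl_verify_client on` also only guards requests that pass through nginx: unless `services.prometheus.listenAddress` is loopback or the firewall closes the port (neither is visible here), the remote-write receiver enabled by the first hunk stays reachable without a client certificate. A comment above `ssl_verify_client on;` naming which CA-issued certificates are expected (surtr's, per ca/index.txt) would help the next reader; the systemd block this hunk starts in begins outside the hunk.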
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBQTCB9KADAgECAgECMAUGAytlcDAfMR0wGwYDVQQDDBRwcm9tZXRoZXVzLnln
+Z2RyYXNpbDAgFw0yMjA0MDgyMDA3MTNaGA8yMDkwMDQyNjIwMDcxM1owGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABOEpgEHel6NK42D7nMd
+xriarbk9QFHsLPNSfYGQ56yIo1cwVTAMBgNVHRMBAf8EAjAAMCYGA1UdEQQfMB2C
+G3Byb21ldGhldXMudmlkaGFyLnlnZ2RyYXNpbDAdBgNVHQ4EFgQURKqOzKvJp9Gh
+0Pp/24ceCKpuTVkwBQYDK2VwA0EAR2WHF1CWd1YgrJ705G0ZbbckEa8Mw/P9dRnZ
+dwZBeX+lAAwY7oI+nglhNM+P9YPRXbLkQrY/nLZa80CS5o8kDw==
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/prometheus/tls.key b/hosts/vidhar/prometheus/tls.key
new file mode 100644
index 00000000..eba3bb5c
--- /dev/null
+++ b/hosts/vidhar/prometheus/tls.key
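Review bot: This server certificate is Ed25519 (the same DER as ca/certs/02.pem), and to my knowledge the major browsers' TLS stacks do not accept Ed25519 server certificates, so the nginx vhost in default.nix will be usable from OpenSSL- or Go-based clients but not from a browser; if the Prometheus UI is meant to be opened interactively, issue the server leaf with an ECDSA P-256 or RSA key and keep Ed25519 for the client certificates. Keeping the PEM both here and in ca/certs/02.pem also leaves two copies that can drift on re-issue; regenerating this file from the CA's certs directory as part of the signing procedure would keep one source of truth.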
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:/4D30JZoWEYJIM5SW4vzXkS8sMSSyjQHDBZghc54n+lxMCaIczIreiFQFChzlKpw+ai0EvT4q073AZ+xuMTOWI80UdgKyNvFNAk5Ybp0F90BouXu6u7fodg9U3LhP3GhfjtSyC1P4fPZP3siQh+5IuEfxNFHcl0=,iv:khbWHOpZ8rJ/hJlxRYb98wUDSJiNFAHCO8guoUJLrpA=,tag:YTQB1T9jzubBxOqNVK0unQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-04-08T20:08:57Z",
+ "mac": "ENC[AES256_GCM,data:UfFRVfPGtGle1yHVj3FrZGb+LKzIBdAsAWJY0qzJTXR+uMxAjCOIBmtBBmzGViBX4mBXFXVbYHvXVlpJPYw1kUhQW+uVERJHvhsRsC9cg3MyNrGNkZIi+QazJaI5Xe+9yO5yjy0NE1e6jia/+BxOZ2tGv8uItRQxfyDCRT0+sWU=,iv:yDgjpubvnF2G07ulC+bopb90wMhfop3z3mEXgeIRQxg=,tag:+J6campz4SYk5xec1uHMog==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-04-08T20:08:56Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAvXcM76hJxWHJ0i/XMqtIUSxdT6AaHqduia7V1qUmEA8w\ntM89Pshkp8atxmCdRgTiS1e3qgGHRqp6pYEjt2gT6fGDh8nTmswWDNBqmAUw7gj6\n0l4BpBZgCgGsuAL49qiezBuR7BsrKmRxIPV7ZZFl5CNofy/38qjxY8FxJl+GsiHn\n3jkXh8kJEO3dPXSU+7ID7syxifFFkLcKhRcNXeeZdvz2J/8zYFUhqE4+7+S3AKjs\n=7IAZ\n-----END PGP MESSAGE-----\n",
+ "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+ },
+ {
+ "created_at": "2022-04-08T20:08:56Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfS68HcCu+AgaXTG9VdIakO+Jr6Y04INcZTJ6vkNQPFEw\nclmmwVcjylP6BHUML9tSHsgxyW9IK7CYdojtmqRsYF4NCvbWlFRBbehjPlLL4yKs\n0l4Ba+3HaHK8w+lCdMWCLcxzzd2dfkTPNAJUzIAl/AIOx6EwdZseitYN9EkeJStt\nNXcoDPDmnntVlqpUYwHkTKaLSUVuwesaQ8LdHHInvvOXZ97xEcN7575vI0Stde/u\n=dNgh\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.2"
+ }
+}
\ No newline at end of file
-- cgit v1.2.3