From fa1821798dcc645c329998dd6e1051a0164fa29d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 23 Oct 2024 15:52:13 +0200
Subject: [PATCH] Try grafana LXC + Agenix (forgejo-runner not working)
---
 secrets/secrets.nix | 10 +++--
 services/grafana/default.nix | 47 +++++++++---------------
 services/grafana/secrets/grafana-db.age | 8 ++++
 services/grafana/secrets/kuma-token.age | Bin 0 -> 367 bytes
 4 files changed, 32 insertions(+), 33 deletions(-)
 create mode 100644 services/grafana/secrets/grafana-db.age
 create mode 100644 services/grafana/secrets/kuma-token.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f77f682..b42464b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,14 +2,18 @@ let
 tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
 users = [ tbarnouin ];
- laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYomb5vtXsfYGZiVjSY7eOzWI+tp1YRLlPkpKDXIwGl root@nixos";
+ laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYomb5vtXsfYGZiVjSY7eOzWI+tp1YRLlPkpKDXIwGl root@nixos";
- forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
+ forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
+
+ grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
- systems = [ laptop forgejo ];
+ systems = [ laptop forgejo grafana ];
 in
 {
 "forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
 "../services/forgejo-runner/secrets/forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
+ "../services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
+ "../services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
 }
diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index fd83e6b..2f331a4 100644
--- a/services/grafana/default.nix
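Review bot: `systems` and `users` are bound in the `let` but never referenced in the visible hunk; every `publicKeys` list repeats the same keys by hand, so adding a recipient later means editing each entry separately. Either drop the dead bindings or use them, e.g. `"../services/grafana/secrets/grafana-db.age".publicKeys = users ++ [ grafana ];`. The `laptop` and `forgejo` lines are removed and re-added with no visible difference, which looks like a whitespace-only edit that would be easier to review as its own commit.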
+++ b/services/grafana/default.nix
@@ -5,6 +5,10 @@ in
 {
 options.services.vm_grafana = {
 enable = lib.mkEnableOption "Enable minimal config";
+ vm_ip = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM IP address";
+ };
 proxy_ip = lib.mkOption {
 type = lib.types.str;
 description = "The Nginx proxy IP address";
@@ -14,7 +18,16 @@ in
 description = "The PostgreSQL host IP address";
 };
 };
- config = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.enable {
+ age.secrets.grafana-db = {
+ file = ./secrets/grafana-db.age;
+ mode = "0660";
+ owner = "grafana";
+ };
+ age.secrets.kuma-token = {
+ file = ./secrets/kuma-token.age;
+ mode = "0660";
+ };
 services.rsyslogd = {
 enable = true;
 extraConfig = ''
@@ -37,7 +50,7 @@ in
 settings = {
 server = {
 protocol = "http";
- http_addr = "${config.services.vm.vm_ip}";
+ http_addr = "${cfg.vm_ip}";
 http_port = 3000;
 domain = "logs.le43.eu";
 root_url = "https://logs.le43.eu";
@@ -48,26 +61,7 @@ in
 host = "${cfg.pgsql_ip}:5432";
 name = "grafana";
 user = "grafana";
- password = "\$__file{/run/secrets/grafana/database_secret}";
- };
- auth = {
- signout_redirect_url = https://authentik.le43.eu/application/o/grafana/end-session/;
- oauth_auto_login = true;
- };
- "oauth.generic_oauth" = {
- name = "authentik";
- enabled = true;
- client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
- client_secret = "\$__file{/run/secrets/grafana/client_secret}";
- scopes = [
- "openid"
- "email"
- "profile"
- ];
- auth_url = "https://authentik.le43.eu/application/o/authorize/";
- token_url = "https://authentik.le43.eu/application/o/token/";
- api_url = "https://authentik.le43.eu/application/o/userinfo/";
- role_attribute_path = "contains(groups, 'admin') && 'Admin' || 'Viewer'";
+ password = "\$__file{${config.age.secrets.grafana-db.path}";
 };
 };
 };
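Review bot: `mode = "0660"` on both new `age.secrets` entries in the `@@ -14,7 +18,16 @@` hunk leaves the decrypted files writable by owner and group, which a secret consumer never needs; agenix's default `0400` (or `0440` when a group must read it) is the right setting. `age.secrets.kuma-token` also sets no `owner`, so the file comes out root-owned, and the non-root service that reads it through `basic_auth.password_file` in the later `@@ -83,7 +77,7 @@` hunk (which looks like a Prometheus scrape config, running as its own user) would fail with a permission error. Something like `age.secrets.kuma-token = { file = ./secrets/kuma-token.age; owner = "prometheus"; mode = "0400"; };`, with the owner confirmed against the consuming unit, plus `mode = "0400"` on `grafana-db`, addresses both. The enclosing `config` set continues past the hunk.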
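Review bot: In the `@@ -37,7 +50,7 @@` hunk, `http_addr = "${cfg.vm_ip}";` wraps a `str` option in an interpolation that adds nothing; `http_addr = cfg.vm_ip;` expresses the same value directly. The `server` block continues past the hunk.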
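Review bot: The closing brace of the `$__file{…}` provider is missing on the new `password` line of the `@@ -48,26 +61,7 @@` hunk: `${config.age.secrets.grafana-db.path}` consumes the only `}` as the Nix interpolation terminator, so Grafana receives `$__file{<decrypted-path>` literally, never expands it, and would present that text verbatim as the database password. It should read `password = "\$__file{${config.age.secrets.grafana-db.path}}";`. The hunk also removes the whole `auth` and `oauth.generic_oauth` sections with no replacement, so presumably Grafana falls back to its built-in login form; if that is intended for the migration it deserves a sentence in the commit message, and the initial admin password should then also come from a secret rather than the default. The enclosing `config` set continues outside the hunk.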
@@ -83,7 +77,7 @@ in
 targets = [ "192.168.1.90:3001" ];
 }];
 basic_auth.username = "tbarnouin";
- basic_auth.password_file = "/run/secrets/grafana/kuma_token";
+ basic_auth.password_file = config.age.secrets.kuma-token.path;
 }
 {
 job_name = "grafana";
@@ -170,13 +164,6 @@ in
 }];
 }
 ];
- exporters = {
- node = {
- enable = true;
- enabledCollectors = [ "systemd" ];
- port = 9002;
- };
- };
 };
 services.loki = {
 enable = true;
diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age
new file mode 100644
index 0000000..c3adad3
--- /dev/null
+++ b/services/grafana/secrets/grafana-db.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 OWkVXw 1n49CouMzxgvdrQ+7gIbilN2oRkG3lfTJehpVwxeLXw
+NBB8G9JeEmvbfXk6WdaDPYTaSBsNtDyqdTkJKG3RNtw
+-> ssh-ed25519 wnEUpw LepRS+v4Jq+Z4VBtyDRw1BQkGOwOzI5HsjRSFP9SLA4
+hRZr5OauNH1VYHip7pifCuVxTTQa3S9VbjwjQEUuK00
+--- G3K8IsDtSXZ7Cqp0ehe7eczyzzEsiwwV9xfenlBz0Vo
+@²W Jƒ–£0ÊH%
+ƒ·Õ8Š4¼Ã\»‚&È©´ I^˜@5©ÂƒÏF
\ No newline at end of file
diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..3b9dd76c292959ca52f88507f8dfb6f1d9d868c3
GIT binary patch
literal 367
zcmZ9_Jx;<<003YI7n_*qf^o8YQwy{OI|ymvK`BrIwiKA8P#(4P#};_4#tRs4;O6SU zCh-PNPA(=IO)xQ$$rz2JyWa)AE;LBP>G_d2HeF}e^&vG)U}Odlf+1=2lPsIy@S0{d zTL_<^$QeLM(egtrRn@&cUzaII>pLlBa>CHbK!sv4S5N}AjX5Krw38uSvV}&;*6XYc zJqiF(?(q!A)w^b`d_WKq&nfQz4LLyd5YEb@KF`Be#CHVHU}PUoYLlcMvdy3a6wfGD za{_8wTCNyi!}^h^gn$a|C|_xq1B0lK!YTqo7Mg@$RU{!&JdrhzdjUq0ByJbe5ER@N zF{Q;+!9-F%9rxp1fuq#&xS&ZDS07WB<}!U1+gN?gU_09VHh%p`J7`dTIb1G3=evC}RSGlRD$c2S<+tbJ}S