Start monitoring ghaf-proxy server

Signed-off-by: Joonas Rautiola <[email protected]>
tiiuae · Nov 13, 2024 · 9d42a40 · 9d42a40
1 parent d9a98c3
commit 9d42a40
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 4 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -9,6 +9,7 @@ keys:
   - &jrautiola age1hszrldafdz09hzze4lgq58r0r66p4sjftn6q8z6h0leer77jhf4qd9vu9v
   - &vjuntunen age194hljejmy63ph884cnuuume7z33txlkp9an7l3yt2n3sjjere52qkvlfju
   - &cazfi age10a2kt6f07urjv6ahutda3jgr73wferkcqjhkvukwm07eaaqyrqtsh08syf
+  - &fayad age18t3gss4l6l629rd8s93eh3ctycu9vjnsftehy38c8tstu2gqycxs64t4sw
 
   # hosts
   - &binarycache age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
@@ -21,6 +22,7 @@ keys:
   - &ghaf-log age15kk5q4u68pfsy5auzah6klsdk6p50jnkr986u7vpzfrnj30pz4ssq7wnud
   - &ghaf-coverity age172azvwv5vne79mqfhvdvk9j95gn5v04uk9t3fjdfe5p7dv7kucvqpygxkx
   - &ghaf-webserver age1f643hcr8xvzm6fha93xhn6dw552tfd6zvu7eulxk7vedgt09d9ysljsayq
+  - &ghaf-proxy age1sv50w7ydcqxxng4nfpvretqhusfkjewtrzpu4006z685xgplha2sa9tv9v
 
 creation_rules:
   - path_regex: hosts/binarycache/secrets.yaml$
@@ -72,6 +74,12 @@ creation_rules:
     - age:
       - *ghaf-coverity
       - *jrautiola
+  - path_regex: hosts/ghaf-proxy/secrets.yaml$
+    key_groups:
+    - age:
+      - *ghaf-proxy
+      - *jrautiola
+      - *fayad
   - path_regex: hosts/ghaf-webserver/secrets.yaml$
     key_groups:
     - age:

diff --git a/hosts/ghaf-proxy/configuration.nix b/hosts/ghaf-proxy/configuration.nix
@@ -6,11 +6,10 @@
   inputs,
   modulesPath,
   lib,
+  config,
   ...
 }:
 {
-  sops.defaultSopsFile = ./secrets.yaml;
-
   imports =
     [
       ./disk-config.nix
@@ -21,6 +20,7 @@
     ++ (with self.nixosModules; [
       common
       service-openssh
+      service-monitoring
       user-jrautiola
       user-fayad
       user-cazfi
@@ -41,6 +41,25 @@
   nixpkgs.hostPlatform = "x86_64-linux";
   hardware.enableRedistributableFirmware = true;
 
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      loki_password.owner = "promtail";
+    };
+  };
+
+  services.monitoring = {
+    metrics = {
+      enable = true;
+      ssh = true;
+    };
+    logs = {
+      enable = true;
+      lokiAddress = "https://monitoring.vedenemo.dev";
+      auth.password_file = config.sops.secrets.loki_password.path;
+    };
+  };
+
   networking = {
     hostName = "ghaf-proxy";
     useDHCP = true;

diff --git a/hosts/ghaf-proxy/secrets.yaml b/hosts/ghaf-proxy/secrets.yaml
@@ -1,4 +1,5 @@
 ssh_host_ed25519_key: ENC[AES256_GCM,data:oeYLXKvcYeyZ205mLhbHG1/dlDoKABH9pva1RbdlscvWoeVxDqzm3qsPe6HsDEuipfQtuZLXmdqle96Vxblq2goUC4WmZLKi+x7a2SZfhCeyqSCaQJqlzTwuTx2hrBQTLVRolHQBTC2xOdida645qWwc0JOB7xNtM8CFu83slGcgzel5IR32QVI2iHaXmdZXS6HMK1NMqQSf07nGxb0q3XZCdPbeAzlo+aJlqGL3ZyR5WTGEvihPKYCPNbdrpZjPWreW/JQQ8Lg69I8ZH8+4BXmD3Dy18M2RMIqs6Zs+IkneVSD1F08MAvWTTtP/QdQ7RwnLtGZqIqb3lW8QDHzB3Pz6mMD8uv03MUenGKHAiQ69yADKm8LHMLC6nb/HC6UZNx8gslj3adCexKHggE2+IhvOOVbglZWTWPTEhL+VeeCcozL1f5LnwjaXw/bObvCZXdFY8wk/A1I2jCyLClJk6TUfruGkoyw/orczLC7BxMwSDKFc2Xvo5XzN/+/wQ97HwhBABBPmPUts5OLX/1WwPcV2IBJRHlX7pE29,iv:ofPi/QQlYy01sRgbu6SqWY0aiNiCBtWG/80rvYaxsSY=,tag:K3cu3d0LXthA7iw7RkIm2g==,type:str]
+loki_password: ENC[AES256_GCM,data:O41JIKrxkpk4Jz+cEcapSVc3Zg==,iv:A8IKTalKCdtbL+MUmsFmPkhDuFpZAqTnyLZklzkJU4k=,tag:cA9KHKHur871iK8n4jM6IA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +33,8 @@ sops:
             cG9FTEVqODdmVS9jRXplTGxOeSt0aE0KzuYgky0yMTr8d/O3hOGnFu9WDVr0wxFK
             GZwsVzNYf0tpQRBcCbFG3GpJKbheW/zLmTqTTSY0LXgrfpJlT/qO8g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-01T02:46:39Z"
-    mac: ENC[AES256_GCM,data:i2zk5aLnKky0u+qal75thalA5q7NFyXAILTIoCsOmN0qntMPs2yz3n+8QoFLCVS8IycR/E7qRDEytKchXu2J6XxZZkxEBIYmXxnp27Z1yBENzRrDN2Y5dBE41Rpn3HELhMLaBYYU0uNFcVqolOiozeNTtlQJVeoD+ye1FAz84I8=,iv:mDuvUplmC7oa7MDtyUHNR0wi4deOcPU7vB53hHEWe48=,tag:lPFggfy6ed/5VM7XQv7AVA==,type:str]
+    lastmodified: "2024-11-11T11:55:34Z"
+    mac: ENC[AES256_GCM,data:QvVl/SBfQDf/YblONz4ydAiaHRRlXmjQUo51EpFsyaBnXLfuWyG+AWK/er44omJ8q+rRXS0u1r5P8rdmY+jxB+iLBvOoI6qNNPU3JhzadPSqXxXmGcfbj+JNRqD8iFzhNW2XbR+fQqOwIYWrUhSj8EOJF/TijomRWLvtMDSbq0c=,iv:KTl4lcP+f4VfUCYh5b0mTQ+ht4xtOKPRHJUwx9KbyWk=,tag:UljRBpyj+jsM5eETNlxrvg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/hosts/monitoring/configuration.nix b/hosts/monitoring/configuration.nix
@@ -52,6 +52,7 @@ in
   services.openssh.knownHosts = {
     "65.21.20.242".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx4zU4gIkTY/1oKEOkf9gTJChdx/jR3lDgZ7p/c7LEK";
     "95.217.177.197".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMmB3Ws5MVq0DgVu+Hth/8NhNAYEwXyz4B6FRCF6Nu2";
+    "95.216.200.85".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALs+OQDrCKRIKkwTwI4MI+oYC3RTEus9cXCBcIyRHzl";
   };
 
   # runs a tiny webserver on port 8888 that tunnels requests through ssh connection
@@ -245,6 +246,12 @@ in
               machine_name = "ghaf-log";
             };
           }
+          {
+            targets = [ "95.216.200.85:9100" ];
+            labels = {
+              machine_name = "ghaf-proxy";
+            };
+          }
         ];
       }
     ];