diff --git a/.sops.yaml b/.sops.yaml
index 0a17d239..1e82b33f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,7 @@ keys:
   - &jrautiola age1hszrldafdz09hzze4lgq58r0r66p4sjftn6q8z6h0leer77jhf4qd9vu9v
   - &vjuntunen age194hljejmy63ph884cnuuume7z33txlkp9an7l3yt2n3sjjere52qkvlfju
   - &cazfi age10a2kt6f07urjv6ahutda3jgr73wferkcqjhkvukwm07eaaqyrqtsh08syf
+  - &fayad age18t3gss4l6l629rd8s93eh3ctycu9vjnsftehy38c8tstu2gqycxs64t4sw
 
   # hosts
   - &binarycache age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
@@ -21,6 +22,7 @@ keys:
   - &ghaf-log age15kk5q4u68pfsy5auzah6klsdk6p50jnkr986u7vpzfrnj30pz4ssq7wnud
   - &ghaf-coverity age172azvwv5vne79mqfhvdvk9j95gn5v04uk9t3fjdfe5p7dv7kucvqpygxkx
   - &ghaf-webserver age1f643hcr8xvzm6fha93xhn6dw552tfd6zvu7eulxk7vedgt09d9ysljsayq
+  - &ghaf-proxy age1sv50w7ydcqxxng4nfpvretqhusfkjewtrzpu4006z685xgplha2sa9tv9v
 
 creation_rules:
   - path_regex: hosts/binarycache/secrets.yaml$
@@ -72,6 +74,12 @@ creation_rules:
       - age:
           - *ghaf-coverity
           - *jrautiola
+  - path_regex: hosts/ghaf-proxy/secrets.yaml$
+    key_groups:
+      - age:
+          - *ghaf-proxy
+          - *jrautiola
+          - *fayad
   - path_regex: hosts/ghaf-webserver/secrets.yaml$
     key_groups:
       - age:
diff --git a/hosts/ghaf-proxy/configuration.nix b/hosts/ghaf-proxy/configuration.nix
index f3156776..69e9b6dd 100644
--- a/hosts/ghaf-proxy/configuration.nix
+++ b/hosts/ghaf-proxy/configuration.nix
@@ -6,11 +6,10 @@
   inputs,
   modulesPath,
   lib,
+  config,
   ...
 }:
 {
-  sops.defaultSopsFile = ./secrets.yaml;
-
   imports = [
     ./disk-config.nix
 
@@ -21,6 +20,7 @@
     ++ (with self.nixosModules; [
       common
       service-openssh
+      service-monitoring
       user-jrautiola
       user-fayad
       user-cazfi
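Review bot: The new creation rule for hosts/ghaf-proxy/secrets.yaml adds *fayad (and *ghaf-proxy) as recipients, but the hosts/ghaf-proxy/secrets.yaml hunks in this same commit do not add any age recipient stanza: the second hunk there shifts by exactly the one line that the new loki_password entry adds (@@ -32,8 +33,8 @@), so the file's recipient list appears unchanged. Unless those keys were already recipients of the file, the file has not been re-keyed to match the rule and the newly listed key holders cannot decrypt it; run `sops updatekeys hosts/ghaf-proxy/secrets.yaml` after editing the rule and commit the resulting recipient change. A short comment above the rule, e.g. `# ghaf-proxy host secrets; re-run sops updatekeys when the recipient list changes`, would make that workflow visible to the next person touching it.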
@@ -41,6 +41,25 @@
   nixpkgs.hostPlatform = "x86_64-linux";
   hardware.enableRedistributableFirmware = true;
 
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      loki_password.owner = "promtail";
+    };
+  };
+
+  services.monitoring = {
+    metrics = {
+      enable = true;
+      ssh = true;
+    };
+    logs = {
+      enable = true;
+      lokiAddress = "https://monitoring.vedenemo.dev";
+      auth.password_file = config.sops.secrets.loki_password.path;
+    };
+  };
+
   networking = {
     hostName = "ghaf-proxy";
     useDHCP = true;
diff --git a/hosts/ghaf-proxy/secrets.yaml b/hosts/ghaf-proxy/secrets.yaml
index 853cebb1..b5f6531b 100644
--- a/hosts/ghaf-proxy/secrets.yaml
+++ b/hosts/ghaf-proxy/secrets.yaml
@@ -1,4 +1,5 @@
 ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:ofPi/QQlYy01sRgbu6SqWY0aiNiCBtWG/80rvYaxsSY=,tag:K3cu3d0LXthA7iw7RkIm2g==,type:str]
+loki_password: ENC[AES256_GCM,data:O41JIKrxkpk4Jz+cEcapSVc3Zg==,iv:A8IKTalKCdtbL+MUmsFmPkhDuFpZAqTnyLZklzkJU4k=,tag:cA9KHKHur871iK8n4jM6IA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +33,8 @@ sops:
             cG9FTEVqODdmVS9jRXplTGxOeSt0aE0KzuYgky0yMTr8d/O3hOGnFu9WDVr0wxFK
             GZwsVzNYf0tpQRBcCbFG3GpJKbheW/zLmTqTTSY0LXgrfpJlT/qO8g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-01T02:46:39Z"
-    mac: ENC[AES256_GCM,data:i2zk5aLnKky0u+qal75thalA5q7NFyXAILTIoCsOmN0qntMPs2yz3n+8QoFLCVS8IycR/E7qRDEytKchXu2J6XxZZkxEBIYmXxnp27Z1yBENzRrDN2Y5dBE41Rpn3HELhMLaBYYU0uNFcVqolOiozeNTtlQJVeoD+ye1FAz84I8=,iv:mDuvUplmC7oa7MDtyUHNR0wi4deOcPU7vB53hHEWe48=,tag:lPFggfy6ed/5VM7XQv7AVA==,type:str]
+    lastmodified: "2024-11-11T11:55:34Z"
+    mac: ENC[AES256_GCM,data:QvVl/SBfQDf/YblONz4ydAiaHRRlXmjQUo51EpFsyaBnXLfuWyG+AWK/er44omJ8q+rRXS0u1r5P8rdmY+jxB+iLBvOoI6qNNPU3JhzadPSqXxXmGcfbj+JNRqD8iFzhNW2XbR+fQqOwIYWrUhSj8EOJF/TijomRWLvtMDSbq0c=,iv:KTl4lcP+f4VfUCYh5b0mTQ+ht4xtOKPRHJUwx9KbyWk=,tag:UljRBpyj+jsM5eETNlxrvg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
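Review bot: `sops.secrets.loki_password` sets only `owner = "promtail"` and no `restartUnits`, so when the Loki password is rotated and the secret file is re-rendered on the next activation, the already-running log shipper keeps using the old credential until someone restarts it by hand. If the monitoring module runs promtail as `promtail.service` (inferred from the owner name, not visible in this hunk), adding `loki_password.restartUnits = [ "promtail.service" ];` keeps the shipped credential in step with the secret. Leaving `mode` and `group` unset is fine here, since sops-nix's default mode is owner-read-only. The `services.monitoring` and `sops` blocks both close inside the hunk; the enclosing module body continues outside it.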
diff --git a/hosts/monitoring/configuration.nix b/hosts/monitoring/configuration.nix
index 51ae9c36..9b5d418e 100644
--- a/hosts/monitoring/configuration.nix
+++ b/hosts/monitoring/configuration.nix
@@ -52,6 +52,7 @@ in
   services.openssh.knownHosts = {
     "65.21.20.242".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx4zU4gIkTY/1oKEOkf9gTJChdx/jR3lDgZ7p/c7LEK";
     "95.217.177.197".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMmB3Ws5MVq0DgVu+Hth/8NhNAYEwXyz4B6FRCF6Nu2";
+    "95.216.200.85".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALs+OQDrCKRIKkwTwI4MI+oYC3RTEus9cXCBcIyRHzl";
   };
 
   # runs a tiny webserver on port 8888 that tunnels requests through ssh connection
@@ -245,6 +246,12 @@ in
                 machine_name = "ghaf-log";
               };
             }
+            {
+              targets = [ "95.216.200.85:9100" ];
+              labels = {
+                machine_name = "ghaf-proxy";
+              };
+            }
           ];
         }
       ];
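Review bot: The ghaf-proxy address 95.216.200.85 now appears as a bare literal in two places in this file, the pinned host key in the knownHosts hunk and the scrape target here, with only the `machine_name` label hinting that they belong to the same machine. Since the file already has a `let … in` scope (both hunk headers show `in`), binding the address once, e.g. `ghafProxyAddr = "95.216.200.85";`, and using `"${ghafProxyAddr}".publicKey = …` and `targets = [ "${ghafProxyAddr}:9100" ];` keeps the host-key pin and the scrape target from drifting apart when the host is moved or re-addressed. Failing that, a trailing comment on the new knownHosts line, `# ghaf-proxy`, at least records which host the pinned key belongs to, which none of the three entries currently does. The scrape-config list this target belongs to starts outside the hunk.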