diff --git a/flake.nix b/flake.nix index 230b9591..1e0f1394 100644 --- a/flake.nix +++ b/flake.nix @@ -999,6 +999,13 @@ ]; # nixpkgs = nixos-unstable; }; + + prometheus = nixosSystem' { + modules = [ + self.nixosModules.cluster-options + ./hosts/prometheus + ]; + }; }; nixosModule = self.nixosModules.c3d2; diff --git a/hosts/prometheus/configuration.nix b/hosts/prometheus/default.nix similarity index 70% rename from hosts/prometheus/configuration.nix rename to hosts/prometheus/default.nix index caea2e29..38b4b0bf 100644 --- a/hosts/prometheus/configuration.nix +++ b/hosts/prometheus/default.nix @@ -1,9 +1,7 @@ { config, pkgs, lib, ... }: { - imports = [ - ../../../modules/lxc-container.nix - ]; + sops.defaultSopsFile = ./secrets.yaml; networking = { hostName = "prometheus"; @@ -19,7 +17,7 @@ alertmanager = { enable = true; openFirewall = true; - webExternalUrl = "http://prometheus.serv.zentralwerk.org/alertmanager/"; + webExternalUrl = "https://prometheus.serv.zentralwerk.org/alertmanager/"; listenAddress = "0.0.0.0"; configuration = { "global" = { @@ -51,11 +49,11 @@ }; }; - # alertmanagerURL = [ "http://prometheus.serv.zentralwerk.org/alertmanager/" ]; + # alertmanagerURL = [ "https://prometheus.serv.zentralwerk.org/alertmanager/" ]; pushgateway = { enable = true; - web.external-url = "http://prometheus.serv.zentralwerk.org/push/"; + web.external-url = "https://prometheus.serv.zentralwerk.org/push/"; }; exporters.collectd.enable = true; @@ -71,13 +69,17 @@ virtualHosts."prometheus.serv.zentralwerk.org" = { # serverAliases = [ "registry.serv.zentralwerk.org" ]; enableACME = true; - onlySSL = true; - locations.".well-known/acme-challenge/" = { - root = "/var/lib/acme/acme-challenge/.well-known/acme-challenge/"; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:9090"; + extraConfig = '' + auth_basic "Prometheus"; + auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path}; + ''; }; - locations."/" = { proxyPass = "http://localhost:9090"; }; }; }; + sops.secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User; - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/hosts/prometheus/secrets.yaml b/hosts/prometheus/secrets.yaml new file mode 100644 index 00000000..c4aa3278 --- /dev/null +++ b/hosts/prometheus/secrets.yaml @@ -0,0 +1,181 @@ +nginx: + httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZGJwdVkyejVHb1hLeU9Y + QVJ1bURJV2xwV3FaKzF6YXZHTHFyekR4TEJBCkZoUGxwU0trVXdLM3E5cmdPcmtu + bE5NNkRNNlBtclpsbXRNaVJtcnVpTW8KLS0tIFpzR1RlM2ZzYi9wSHRQWFZ6VUxs + Tml4ZENJd3Y0cmtTdnQ0ZCtTY256Sm8KRKvkk5WDaC8THCqgoKe2cD+AzdAqtfMH + GynKYyQU3rgXl4r8K4XUEkEX8g3+SLitfbo35E66531Q/+yQc79V8Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1M1F2N3FEY2xiRFZaVlJv + cXUyU1NZYXpKVmlDT2hGM2ltNmVHS0E3SFhVCkcwWmZuT2RZVzg3aC9zQXI3aDhk + cFp4RHN2b1RRcXRSNXFudmYrY3oydVEKLS0tIE1JUXdpVlFkQzZKNFBVaFFKTkxR + dkpOeVJIVnJtNDM5M0RQaWRudUcxOG8KZnHCLuyPFdx4j1WY6fk8nqMeACmpYZzU + EpNqjoBswCkUnaRMVcj5lrHvHDjdbQ0Ypn3s/YvI4UBsXMnnv9UD7w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-27T00:27:41Z" + mac: ENC[AES256_GCM,data:FsqddyIQqc0qZerOc6zXs39hBOOwh6Bnjd0gw+Kdq11NMxPFKd05/XGkpoHzVbAFioMc528XkpWubVO5rnCBsLKkwuCm+wtQbFU74oXXUbZKrF7Ucxk0bUSmCX1Y+YTsiO5SfUwWuO+YA5RZbdNekE19MYRnVQ4MDBnfWlrZERk=,iv:d8Rceuua4//ZEcDEoAziw70ySKv/PtPr46sM79s3Ex4=,tag:jfCwyfhjIrYlHgEyv8BaQA==,type:str] + pgp: + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6j84+xkv3y7AQ//bQe3Ci9UwmvIuNasPiFzRtI+872msVZWlthYHc0SkrU9 + A8exnBo0uQbA6h5sA/so+CCt4wIxhMGikzapgTQZ1oP24fzvInES0aSuUsBDfys8 + Mgp9lvRGCv5jaxhfF8gAeI46M0qvkIkbSInfaLjjFbQn9xFwPrejE4l8RQ8At4Di + NSWkvxNQlLH0qBVyXbFvToMhSYVZFsGoncHcNTOC4nEktnFNhptsjsvtA4u6aatv + QXSLrlDY5ng4hvjtDTvrzdS1UH5pE9gm9xgqdb95xiS24zwTUGbACP8sWVIUKPX/ + E38/g6H1AmaVadK/t9F/fP5sTcBI2dMHxHXbndpOb2MxS2lJ/sA4rbFmaVHmblgR + J3w1g7JqPOANEneKJ4JWVDRWYwfgQ2IpB4EAetiDtN7KJTWyUgSrB0unNcmy+4cd + 2H+/CM9ARDwnohPhypSIovjXeh8L1uHqniUXxlIUbXHoNugRybQZYMxZx3cLoH5a + WTTy+KJKLdRjeYxDyxVq00KCe9dXsxP/CTRpxZN+ejVAFvDqukzmI3yfSlgiX/M1 + Ysaa9su1NiFU5h4xsY828Vw4TsNfeiUB/MkHlQQc0f09cd0Aq7Z7lnGs9oWJQOKX + bqI6Fjw3nY1QYkfivFZ3baXq4rbt7kTN5WoA+tPXntNVibp93A4X3jl53X5coPbS + UQGz3jOgf7Vm5LUQ0VAErMClgKhddv9u+g0XH/uunfRO1ULw4fLFxBmpq/18Tfdg + YgiTyJRW/qEqXGzbRl+k2oJz49rn6uJ+Fj6quwZHU67EwA== + =kTaA + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8zMZ+ak7y/zARAA3O9dCE+hACJ84wcEQ+eOF9xlZo96cUbcI/v75+PX9mBG + js0ST9ykF8YFtAkAjpuS/B3dwPQY8PdA1fYX83Ke/tw4UeikF3e5kJ2SadlhryGE + XpV0qRp79QCHPMauVGYiMK9gLtkgZFGYRcy3GEIz8EDvRpgYnSKJNrJXjDOJhW++ + WyjwytvSE3WHogP+mhOMgRIn+uYuqirw5c6jIq33ZS3pPuaGe4IR3YysNL8vI+z5 + 6QFa/Vzrh+T2gE6/iGyZ+/Kc0N2Rbg8YwEec5nFGKMAyRsK4nO6e2h+nAjoCR2Hn + 3NZ4elSTJB+/yRCxcs+TECynPkFpjER49c0sHSvyaCvkoQmRc4kZChukbPEG4SDi + qMQnmYNfto5TgkM/2SDpzK+UFq3iYVt+lTySW2sdtn2Kv/oDy/iFfsqFuIix1Egu + rlwfSusdLFzvkzD0Lc8ynEevJAA2q7ZnVxSpY7EUgR+9RLfRn3m5KwHzvl20Ylvk + O3GU3tJSERY794WmCNiGlmz4q6G84WQTGFo/7e/fxGQJ1gz4btQdxnHMZFJywHzh + klO3ZxgFPWfKiBzI47ta/xHxUhcYwjVud3IG8rc/g8LSt4ZJ4aEBIRvrQk6m5v5h + 32AtP2c3bLz0uSyQWZ4z5OarAxKoReb+7aYPU7BZpoqciElQkyza/hAdC6iEf17S + UQFWWEbUvBNW3hWYNhv1sVcIownmObMP5jbwJ/1UuGVBK4MfCCpLcoJgIeVH0m5h + LHdHmgwkKO5Rpn7iO8EDn69lBYM2mhbCDeigCaAubLAnsQ== + =XHIF + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA45bZkLXmBFpAQgAtwj46Mv1ih23i4RUjW+WwqTrt+2d65JK4Kjm5oPvpGyO + hoYLuEV2V9dI1WoJgmp0+pUS/f8LxJdo1OxeZP82ctrOFPxcb1wLfoG+Vg94GPHx + wMtY9jNn0W3FX66a32AK0GNorSLl1miT7NRBimD2KAvoPSqKEGc1av4xDm9ue1fc + tdcFf8MJjAvaNtAfCvnQ4NqM+lJwPjNmH6CtAQlHHJMgHFuNXZvY8lYbGOw7JpKt + opGQD11FjMa5EUyxZfTk8vrPuhgTGknbj/hJOaRLJtTRjnjPfFkLULS9lwaJ0RxN + UVI0v6FfrBcC/rfRJC7Uda0UvDSaaUNAiYlSlQZ4c9JRAVKh3yUxGC4rEDP+ecGO + 8VPvF+H5c3xJ6Qe+81Q1B+vm6rq8WoguilPlQLD3fc8C3vqqNTWpA0b0vVUXm/oq + /yeF6f4+jLkZ16LNzIpQ9uyq + =qkB4 + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAwMCBBrc/JA6AQ/9G/+euKdVS9Jiqs9yRyqAujcPwPlYr85zAk+Rjzjo1tux + N07qtz6z7HRHgHhP4lGRw7PkvUkxdFB19nnF41jn4ohoXGJrSkHlKEXGcrCJP+Lm + 8bIKAkTqXvN3qqJH6Rbd76T3wpLAQuq9pm4fsxXl1qHU2PMxehbhVZnwHtPT5mD9 + YkJV0ZVW91tDeJT5Od93vPyD+z+vccS0kBTWVwlSG7I0fMwQsbQwkVtqrJWM2Foa + UPYHDgZEKIMEvpYwy33l9NHjrsLf/kul/xNtKxFCzcjOkw9k/pJdc6CVzX2rVhtp + shUOMdzFh/DYqdtwm1h7VVS8xGSdlcFb7nxgYGZuIY8QsWuRB/+j/p5vDmlE46P9 + SvsuwFJnNc7bE8EHuU1GJGJdQUpyVv+nPGam7L3zLoLRggB8OBS07e/z+ORLogB8 + I7AF6Pcx9g0AwZeeEczhBYQvFcGjuHGb6uJNMYLylxoNm8u197Fyu7On3l7/IJqX + q0w4ickZlkPySbx1OeqIEektiw69HwYhr3/E9B6O+0YL8JRJ5qVtDSw5cudhgIlB + b5AfMqt1l+KvjByalhCK6msfuOUDnMhbdjLvSOr8iDUXQ/ZGPtiPaJDJ2Htx32yh + zmhWfI7Ws0l/z8Ai939k5ssESccOAfsV4WaKcCcbAke581n+jYEwcTp4KQKzoLLS + UQE1vWLijpOjby3So2IMu9gBF0ZmN9EkCt12IP1oa3mMU2yZ5wV/VW1BLSezuVvE + v7/FuFnC3jvvYxLV9VUYKQ492PS8oLAwirxrL5a45IyrMA== + =of/K + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9XEenRNYVGHARAAir30MBOtYtXP3K0hN++LgCtLefPi6455kns0KWkPI8Jd + tIrn7h7/O4Znd4QO8Iz1ouyubeEvLbLjS4wMc4NIUNVoDWpmlWveHDgp9ddLDLUG + MYBsswVVx2SwCzsIQHADpAa0m2MSfmhTxwBP+lieFg5T3LQi0Jo30DFrDtdIKLbN + GPeHuDFdQ8zB2dyPXvSgsOxW9ZNDXAObwewsuEAWhQtkNvtIH62fH+wopjtEdZAX + pbHwcAZCOVciWhbKo3zKme1Jq6XQE8Of+w0mBoMeeVr+f54s+1DRE6vy2hH5QDBK + 1oWRtWpoFrTKGO/KwN5QsehgP6FqZVaWiAMubAR17k2WGzlTQvIWoCxlpv+Mu7eN + tsqbLyEmMvmc1NoN06N2CP31KP1Z9bwpxPmiz9Ph8ZfzL9Qw68zJx+dFjrAJIEuo + T1KOuWkfPg6llE5Hs+1WqR4Kj0+uH7irNjRGCv6ruWVoYQXP/7dpnwcHBX/Is5IN + 2gR4Btn4t+nBNCfVcvOq0CUdFGrOr/O0sUDX7Ob0Gqu7fY3nrZpTwGQ5okPFSpJE + 1/OkWIUgAEHO1Y3X61nc2Iu5eI+jYmSaF12xjiHdKGwmkLfryt4taQBmxPJSN7ym + 0uiXf0d8SRuqHbz8keBCjp85RV/y1XGX08yltgPXpU2fmv1k5dKErBtNeAIudD/S + UQERFu1HIYfCPzAxwI3Z+WbTFo+euO0dZ1Uaw8CVMGcaMTufNQg7H99d+td2pM+D + /W8QfZAIGSYDjYWn6YffgRvDwsNZeMpGRo57XNvwZiIu7g== + =xRwC + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQf/ceQh3zHJqWDRP2Q1l5rz69DfEweCJkuCxewVICRKYVie + p4LzKUjnZp+8KB3LjHzSEuQXc0eqNXNmGu908uwbwG9Z+xiFj+CIe7KMZWW42gY+ + I1/nOA0WRzOYevO3vlZSzfZgsN5tfFkQkrU4hMf6YFhuM1m3HOrz5P9pc7uJGETh + wHX7k0BSrUjmg8RYcJ+WIc2SPUqv/g0zceLSTE0Btpxg3XmrcHnvs/ThQ6afxHYN + K0QEAgIqWwzNU+1+1QkB+yFeAflY10Zbhv0K+WdTn7JzlJZrxyvY32x7lTfCH5c1 + ycZy/AvGfk5ohkLtSx9f1DxpRCUlOS5TvP7I5X47p9JRAZAaCM9HCG4uMKZwkmEF + /Yf7fTJHnIPPY7neR+2qUUg/Y3Th1mNbijBtV0A8XLFpNtWpn8Qzylmak2amYIql + l6cwBxhl5N3vg7LGxUQQJfEO + =dfLg + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7AQ/+JXfpbLEUdY8fSAmKo/MyaZi9K9cHDs7c4CnEU3Mi8enh + 9j1/0KTzs99zb6gZKQ/z4MMCiNQ70jK5XcTOgrKtUKeZ0sH969TDamsxxD1Ocfxh + Ts+MGTE9C+odIBFvQDOAazkWbPGQ8EheCDauFk8FFZDBj8oK3Vw7hKUxYFMBTM/z + UBLAHkbO6Sv38AHmqsHwzsP0+YZgA9pployt28arYXlwX+I7tYAK1V74SkxIWSD1 + 4YHSJvHpos25/MS/PNR4SEQFSceQGfDuFCdwfkC6bKi7tdp3Af34q4v6OqA/iFnx + hErcjrXPmlHm/YR2gd7AcLPb7WolB8/j/txl1TAxkSwCRodqcQH8L3bYoA9XxkHP + 7Yd5gfvivkQy0sjKF3dwpetu4bOdZUEwj+jY/54iHPECKTLK7TFGJ48A3v51Juw3 + 4uU4pPVCTkQnRnkknbhicvs2IzvgS/OfAJTUBKW8+3yPkWenQQfeje0VHSUfT9hO + KQ3zafhwGShqXPxbM0J9beigvL3iDE3U7YZYOfrryuHCveSkXobwQZY0Ylok52BX + 9t12lOldOKBLy127V0sQeZ4eWRiKjoyHC46DFByWN03dn6yRXrcE/8QGOyUgu2PR + 3SOEm1pnujVa5dhq0MVAxwgHH/+avI+HM0VHRsykYVVOR5O9ywpCAurgB0/wKJrS + UQEUAPEm/YDfg7no9GnD/tXCwIgjO1m+H8+Z8e3Mama4hPZV9fuSc4M8GQGhWqFY + jYvNgfR7UG/RsqAxoEA1hCoh0Jfu6uLX5/P9X0DQdM8WHA== + =KHuT + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-11-27T00:27:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/YLzOYaRIJJARAAs33yYShXtNdy9N+7D0fs5EU7gWYmJfL/lETxkcmQjQg9 + baX2Zqc2z96jg9TcqFuwbvV6xb/JrSGOs/Qusq1lGPhGaSNHo1KWY8EyDM/6v04x + bE9poMb3D0HzIpm+fpDkKZyU15f3Mye5rauQm8a6qgHfd0Aus1HNs9R7RjBeU6pc + esEOFOAvbKhg5FcY+E7BVa6nHAHACaK0jiTKNEWU3qfTAqYqarGXhALhujywHMxh + YBtu1EQBGimAT6orZCaBMaLbH4LL6ozFk50jHQSgDxti/J4GHDtN4GVzIzySwfkS + 1S/8PYiM7UglxmdezxopOijzQD36DU0Sh6m44KWIWFPeN2P/Zkau16sfDQ49/K1w + sEoZK9RZlFXI+O0PsPHmUkewvUhHMbLF8oa4By8jS0I6rcR+zNPlXQ3Y44v5bEtk + y+9CaeJWg0mPf+rtqa5cwkbJhNgpMJM2k6sl5reczVzruYRkMcMO9QlIUF1Apxxa + Z6hkFS7TlY7GQ0mpeg7DgKzCOHzHxVPRetit5uH25zxluHzwxYF16G6K2fF+V71v + ERlryh/cJDuwAl64aXgIw1DBWMOwixJjO+qfyEUrb4taOXyv5wJ0p+ew6F6AeWue + RC1aHcfXN3QJsqXCRRqdI8ceu/Tfo5xTOOAqbNlDzM/kcEXj4rE8WS1cKNknLZHS + UQH9XIbJ70Nc5gWR35V7z2Lqos2TRp4WaeTbmr7z902wMDAl2GrjRoyo8EA7k2gG + 13XKgeObbkdmE7dTwOZbhzrBDFn2pcyI1NsC85iX154pKQ== + =wWjU + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + unencrypted_suffix: _unencrypted + version: 3.7.3