From 7169365fd87f0e53418a222ba94dcd810e646ef1 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 23 Dec 2022 20:25:00 +0100 Subject: [PATCH] kibana: revive --- .sops.yaml | 8 ++ flake.nix | 7 ++ hosts/kibana/default.nix | 57 ++++++++++++ hosts/kibana/secrets.yaml | 181 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 253 insertions(+) create mode 100644 hosts/kibana/default.nix create mode 100644 hosts/kibana/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 128e784b..aa7a6bd2 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -38,6 +38,7 @@ keys: - &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8 - &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459 - &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a + - &kibana age15nj7xkv7nrewxam4cd0uw6glxeh9xmq46lu4zdnq23trqch4pufqm9phq6 - &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc - &leoncloud age1aw9s4kcd6ys64ddzzfya9ajzln2tv8pm9uvz6d85v0r6eq4dudqq5vts86 - &mailtngbert age1jr5mc4ekmjf4uk2ue4xcuy0yl202phlu2t6c544qfj45ahzag56s4d0kzj @@ -87,6 +88,7 @@ creation_rules: - *hedgedoc - *hydra - *jabber + - *kibana - *leon - *leoncloud - *mailtngbert @@ -175,6 +177,12 @@ creation_rules: age: - *hydra - *polygon-snowflake + - path_regex: hosts/kibana/[^/]+\.yaml$ + key_groups: + - pgp: *admins + age: + - *kibana + - *polygon-snowflake - path_regex: hosts/mailtngbert/[^/]+\.yaml$ key_groups: - pgp: *admins diff --git a/flake.nix b/flake.nix index b14e91f5..8b799d60 100644 --- a/flake.nix +++ b/flake.nix @@ -750,6 +750,13 @@ ./hosts/rc3ticker ]; }; + + kibana = nixosSystem' { + modules = [ + self.nixosModules.cluster-options + ./hosts/kibana + ]; + }; }; nixosModules = { diff --git a/hosts/kibana/default.nix b/hosts/kibana/default.nix new file mode 100644 index 00000000..1cdbaa17 --- /dev/null +++ b/hosts/kibana/default.nix 
@@ -0,0 +1,57 @@
+{ zentralwerk, config, pkgs, lib, ... }:
+
+{
+ deployment = {
+ mem = 2048;
+ vcpu = 4;
+ storage = "big";
+ hypervisor = "qemu";
+ };
+ networking.hostName = "kibana";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ nixpkgs.config.allowUnfree = true;
+ services.elasticsearch = {
+ enable = true;
+ package = pkgs.elasticsearch7;
+ };
+ services.kibana = {
+ enable = true;
+ package = pkgs.kibana7;
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets."nginx/htpasswd" = {
+ owner = "nginx";
+ path = "/run/nginx/htpasswd";
+ };
+
+ services.nginx = let
+ vhost = url: {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = url;
+ extraConfig = ''
+ auth_basic "Chaos";
+ auth_basic_user_file ${config.sops.secrets."nginx/htpasswd".path};
+ '';
+ };
+ };
+ in {
+ enable = true;
+ clientMaxBodySize = "100m";
+ virtualHosts = {
+ "kibana.hq.c3d2.de" =
+ vhost "http://127.0.0.1:${toString config.services.kibana.port}";
+ "kibana-es.hq.c3d2.de" =
+ vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
+ };
+ };
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
diff --git a/hosts/kibana/secrets.yaml b/hosts/kibana/secrets.yaml
new file mode 100644
index 00000000..c716f747
--- /dev/null
+++ b/hosts/kibana/secrets.yaml
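Review bot: The `kibana-es.hq.c3d2.de` vhost in hosts/kibana/default.nix publishes the raw Elasticsearch HTTP API on ports 80/443 behind the same `nginx/htpasswd` file as the Kibana UI, so every dashboard credential is also a read/write/delete credential for the cluster; nothing in this hunk enables Elasticsearch's own authentication. Consider giving `vhost` a second argument for the secret and a separate entry such as `sops.secrets."nginx/htpasswd-es"` for the API, or limiting that location to the hosts that ship logs. Separately, `path = "/run/nginx/htpasswd"` places the secret inside what is presumably nginx's systemd runtime directory, which may be recreated on service restart. Dropping the `path` line would leave the secret at sops-nix's default location, and the `auth_basic_user_file` line already follows `config.sops.secrets."nginx/htpasswd".path`.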
@@ -0,0 +1,181 @@ +nginx: + htpasswd: ENC[AES256_GCM,data:I1/wMtEpkG/0SxtvWajL+3V97g==,iv:N08Vaqb7qWC5VWnIRVu+Y1T3EAlZkjMt2uTUcgXu0AU=,tag:nGkVd/TXDRp/3qUhV9T4tw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age15nj7xkv7nrewxam4cd0uw6glxeh9xmq46lu4zdnq23trqch4pufqm9phq6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRUlBcmIyNXBlVnFJbWNS + RXY3T0d2R1ZGVGw4aGRWVWtpZTJlb1hIY0RzCkY3V1NJak02VWJYM3lid2RaQjRu + SUNUZkMwZlZhWk41TUFUY0IyTnFlcTAKLS0tIHdNenBISTJJbXNLVUVIb2wxUUJp + RGJYMnZwTm1TSVVmeWhkL2EyVFRFT00KL7x5DPK6JKxsJf3VygOppneGVHluh565 + RMQI+OcC0qbf7hGh/bDe5+HHykxLKbwmaZ3HXSSZgOLRm5N6kEuUtg== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6N1RIdXFGYkpDWUlmaWx5 + NVIxSzN0MFZpUXlzK2o1WFloS09QMHhCTFJFClBsNm5LMjNwa2E4bVNNRm0zRjhw + K0pHWVRSRWhmSVFIQVM2NTJQT2I0QWsKLS0tIGMyZSt4VnlqaG1KQ2plTkFLZyt2 + WHVwT09QbjVvWnV3dGxSSzJGZDB3a2cKU23IEFYPRgjqn3CgEEeWzZCTVxaGOljc + T6RDdPZctKrFa6ABQuVt/GtJr0J13wkeNytpV3GPHE7eohNSJh87Ig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-23T19:39:07Z" + mac: ENC[AES256_GCM,data:Ja2csLBTT2iI07G8sOJQABjmDcywXNZqYS+ZSzas0z/maBu+ODOLGntZ+KImomds4ZKGL1eduZ6soL4efdQHyaUGTk+P+X8OiAShQcFCv2Wq7SeKbvDuEXP5HRKyhKkYJFeoYrjUgrT3OBzbF1dPyZyveBnaHM4H7xJm8NAK06o=,iv:/DBkKeOI/OGepHndGtkaKpyu1R64vmXIoPHsKwS+fF4=,tag:QpUOSJWm8Gu4uwL077cEPA==,type:str] + pgp: + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6j84+xkv3y7AQ//UG1Hhe3FIkkwk4nyjfo9Z5Mk6AVLwVZoRvLHlJ6XujHQ + QGUIH3wwN9/8Jay7ciTyiAT6gFJjhXYCS6kToCRhiVblpWvngTBU0rqqdOYvb6yL + +k/8HW1ORoUeC6luuUx3gCf8A5JQWNitwhNeM+yQUr8rOUWRWejJ+IMYHVBw11dD + Q5oa9Aa0yl4Xs1NE4oCXOqs9mMY0Rvgto5aIZcTfMInyUWJp4EUbQJrlBv4dCeHv + qVVZIN+nX41MzK5Dgqm4EZmTXKxiX2rE+Pd7HSA/gEtHdHeGVV+w5y8YZg0Pn2K7 + 
fNJHv5G7jTX/usNB3jUD/LycvmnNiykNdIAsiSvG5hkXC6jaCLfnNVpcBgTtVns4 + fZ3OqGUiZaQ+Sm1mX84/hPMGWYIHiD7sXXlC2Zpvjymsuu5raSmI49dpepCP4NOH + wdlFRWI+Aep0VvhznEOJLEca6VjyHbN/QswmSCvWw5B2fHpobWXuTU4LqnVHIJxn + RElzL/1WMNA6Nv0WU5QbdI28cEZn17/Vmb9CUgy4JOIwL5FgsdVECzLJOw6Ge2zt + +gnLe61lBM/8zHQKf01rNyCF01xkVCgPo9DS2W5wF+igIfCTGgqGfx1/Tir1+MDI + ayeuCg2gOQpObg2dySDiAHFm+Du1dFASxGD9IIOaVv7rQQuG52M7g9zpbvVwb2TS + UQFpyvHZNW5zqfiq8SYfh3HyxO1khxumzR5+ecvmUNItvZuaSbnMPuPTZZiYuEjR + endK+gavia7ZcrA+/awB2cYfuZMHKHfGyqvCi92cJL37Zw== + =VoIN + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8zMZ+ak7y/zAQ/9EefSwn5eHfUz3fUtXXGtwl7RgqQ775lYRD5NshEFRkOr + sa+dR4p2tD6rgUAkz8wUcaYpj7VHxTEtyX095FBZoSl+OvVm165+Q3Mzy4GWO3gG + /9Ts8Sh7UtoRoqPeaTBacknyhXddneRfLfON4GaU3zsMej+LKhAY9UdUB3PKDT6+ + x+T4FVHf1UBIf2J/Ixhtn7OZJtgiSUjkE+9+6Niu3StmowsB/fys9BKor6kKDKdi + UwzYWCCAWyN6WvVeIotQej0IgosNTOkuffi1kbOl0MGx/8QUbHVZsLGNgCUi1uPe + sDK/EtLR7juYnSW8i5wZ6GnN2oTWF5egRAg1dg96uXeHV7K24mlvaXjjZvklIpjO + TFvuqjFg9nHgGrTdgItlE6/Lo0jdnebuCTObInsSgnu2ofpOSEGc04YCLgS476Wt + dmfbQHfiony8XswngCm2VUBHROur8MwdhB6uc8i7ceCwtt1W2qLB5NmNmzIfteoK + 3bMwj8XzTbmy0o9KOM4p2rW23Xxc382RMw1CWv5xSjQq8srWeoKcD7tu18RMkfwX + WLkOdafYgoF1hL7wbKWjgysJjOj4ZtmBABCCf8WVy47LEm3E6rmLJI9U86+SWB1A + MmyYavwkWT5ZnM1IT/dYmz82Ax9reKSmw9M1wFxToF8tKvnQkW28z1skeFBIZufS + UQHMHr9XKfvhnElg9lqIiaoQi4VOEZrMbG1pNrybeljeUF3Ru29IVkwy74oCapKR + 7MQJp/ZS2bE4vcR8P5IePgch95dg3/cWw7e12mO3o5bKfg== + =xZox + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA45bZkLXmBFpAQf+K2iUuPD/QQqIFgFRV1UvKGKtWI+sifN1YaJdTM79b3S7 + x44yHUFe1ONVyUsH9cYECqL37yENvfr6kbx/idOmbJj542TwC8vS47rJJFzz5TMe + cPbz3Y38gFQaL1tq5rkt57v5Mf9ohXUEeFbfjOwAMr3ohpBnFYQtAgQ5cnZVRg9y + y0c/VUXS5906SHEpTLjpgCJ5zLDOG+spsEiNkXRpWQuC1RoHWDr9UzgUklyc+e9B + 
QbCVGRCjPkdltDoGobEzNsezbkeqXiTVFouAhYUaZDT1LfkO/CdjxVEPqiDqsFrq + gUnhQIV0Eo1bfVaLyMqIDsvV6U5e0x87+1n6U8SgKdJRAb5Gq5XfanVpUskSeUX7 + UsmhphGBBKzAcslPevJ/30WX3Seo/m6R/UEr81PkUP8VPL88KucefOyffsL9yS3h + jKF/A9Amdwr13ifTI9X4fgnQ + =Jlh5 + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAwMCBBrc/JA6AQ//fHoX9DyMOM9sz0ZPhw/GWEX+dyVqb0Zz4/81WCWNy7Rf + eBPTEWXe/8wZNomLfweAUmHhZ4IVOq1ZsOVv4xAnjwZ56cbxeDjAymYzi67i+Zop + /uvGDswstjNxpzlWez7QAF0aws8FkYYU6cZXXd9hHb5cOBIiQB5mC94yPU9MVAIb + ZL/s47p6fKK8tWFo1UnB03YOwusWA3kiTrhGvMXsrdXlaO/s1QVWP/hD5lOoQGKy + YGEzMNplcjwlqqwz1AFgdg+rwfOKuzHViqXZrH/RdNEwrxY2c8hTGQq+HLs+GpAB + fApXSWTgOo23F1qP8c5dWdN14OwbHRfrA4qSIlq9FWzWnHkgfqmWMdG/1wsHFmCH + ZuMDwCbZgvtTEWcwfaagqmcuhw3vhKz6zJHU4bbWVCarej1N662gJbR89J4sV7lH + Zlu0mF2NFy3rMG1Cwycxdf0KU/H4OsqeJwY5DNXzikksvyb8BsIG8P/SROF+vuZl + iujVug0c6sJ/KJvGz3NwIZXvLYWrPHn+Wx3YBWGBAd/Rxrgc2R/+KuQ91tQ+OhNf + nIMc+ChdBaqnOzGxgNXhJIl/YQi+vHrndewob0X8s+4CqF1JORZUvyHXaVn5BNxo + jAc5VviPzX98+At5N3d5vJKT62nP6Gi13P+viMepID5dkAkP3lQAWLE/NFKqMvXS + UQE4I296j2D0axTNgm2eyxUaCcW3J2HUWwQib60UvKFH8Jw8DuGdcyNiLViJ/azO + 5kjDHn6RYfQFP9NCaUr72jAlohucfe+Za/aizylD/qeylA== + =zUMH + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9XEenRNYVGHARAA2UsL7W7o53lH23VCNZuOqUCkkQLNLq02dM29ISbZV8Wh + VWBuntwQ5JAvRyV/UvjjRKRfbHqkLucOZ5zlELxnYrqHzJtOUIi4+zzSnTJu+ria + 1bh4AARim8IDHglL4s+bOhKcSMFl5s5WzH84MwkAkDLg/U3Tc0uBiYOUsi59t3+s + EhKv0oYJu4CiffoAVCqVLxoVbNB8qDpaT+gtasNRqzUBjTCQw4PYeed3h3/uj4/d + n1wY0D0u1gEuY73s+JBPknZshpYWxSsXnOFwnB7pgI5Fl+T0pSywvvZZYhSC3j22 + N00ug+DwFLy2gpKS6kIJpqLAt7sNHMgkULzXBNPLzf9oNETt59y/jwtFIQY6XxMx + ZkmHNNkueN25Mt2jFAzum5sdDRxTTcAjD2OspxT7eeZPadXn3Ola9RmEzB5HhNhA + ApNkeVIHAfQOvJzDO1QnvECjL/kfqp/+vIrhEikWl2e3BoXe67sg0r3AAuTTrL7Q + 
HVhv3sEeB7zK/gpt5fbtdscNXuCltdd3YZvjtIortwCtGkSHGy+w9MO0vp4GfApo + 0VNE74v8V0BOeOTKuaPGf7fO4FEUxGWu9+fhQQ82FeZTZQs6I+b1Fetdsw9Yp3Xo + IJXQ9XtsPolVn17irZxkkb3oy3dSXRGrVz2u9CTjv0E9Q+oAIu4FPZ9KqVSR0+DS + UQHxJPhlpHUESqNr8vbNxC5xtEWDX9//3wq7X4fcZP84oJKdJMr3dErQJluEMXUY + f1rvMq8+vj9g6ALOqX7SAxlkCFjBAvZgl0I2XZYJGjiQAA== + =KlD3 + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQf/cfb8+CTRIgjvCjisWLY8hiH+VStw/v1A9i7UhrhFO4zN + xV5pCe3YHPeebsUdyhLJQz97b03Vq3Y5H8Z923q3XJVpvFdCrWSa+k4hYzb/dszX + UN4Ci/BCXFst3rY9RUNtcyBcJ2Ea8/2kaQXHxngWlsGkTZwfIb9/+7ru8NQGtCXo + cza3mWVcAiUw6fzawJaPNpSgeTLg/CebYkISHilCjAC7xMQfYfhPF2QtCVbT9jQj + wVyB3scbO94G5Lac1jH/5Bfbzb7Cc9XpgvTD5BHe5W/9iW88qfGjSJmbpUSNKUiX + C80y9n50xTZYPpckNEUVDc77l46onomQ7A4KxLhq2tJRAdRq/crQqGhQ625j9ft1 + mbw5pILYk5M4Z04ZcRC6Hpp4DJxEGtm3dtlNs72Tgw6BnADn2aaP6Qd/1yY4kdQU + VQ/s8TbTdqKrTXW/FOL95EHe + =qRBP + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7ARAAkaudjLtVa0E5Zi9+pnTlQeO5qw8jcVXWAdNYrt8LFY0P + 8XlLvk1h0AFn/wWAPdCkly9LorMWbT1edT7dKoWhGRMxGbq/RGMnMTyw+da+/LNm + eIqC7nETV+G58TF9HgzUlyR1BdRhwgjapGZ1RPkiNPAVRPstoxy7IKFaLaMwCCTf + 9Gd+F1KJ0CVgc679qUQ84Wpn27In85Z6a1t8oFfTvEoU9hVGz0rNBKbTuzFW8oze + hQDaD000OPzyGf7xWPMTnWaNjFco7wbXvMTmtbDcUNFfy31s89/2RiD9quU2p6ZF + M9wm36reAzsg5MuIObT4bPCUbHUs/ANzNFdbh3K84UKcr92isKUg01UZEOG4mecQ + tSDgWd6qmWGunuZPAo8hkvoCrAcn3XaUl7i1/iX81RzT2IoNJi8ds4GqLSlnISK3 + Whl96uRO4eH69Zmyq0+yydfpA3uWAkzvqAmjsEPlyj0UhwJy3JqWIonYYXEIHdai + Q/I17N/dw6Y+YEhmzrEFwrRd9PyW+J0OWuLJzLRQKI8+hQQ6h4AH+QQOsCncuW9S + V4yw9ZnU5t51pAgQwEQCXUGmAWOR16JXTPwRxogki97jJ/FLETg2hB/MEGtZCvkY + uLzQbToDMCaSNjMoTa3ssWElWHVU5EZqF/vcCwrbQVgyayha2HsQKg5EsQIZGxjS + UQHe2Xn/096dsqgYJiXM+FTn4nW0ITrCl1JD2uvD0u4FC+93sNHU6uHVcdGhDvNS + 4eY0wlcRDbPDJlCugC2nNdeq/PzDpPg/LQDGwLHkYMRa0Q== + 
=KxOA + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-12-23T19:38:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/YLzOYaRIJJARAA1rra7B1wdtzbeaLuioigkcmmd0YoTUUEYWZjqXzxrZ5a + 1Lp9xoOaoNLvcoiGQwAjlTSlD41ONyyL3nV6WNXJIclcVeQ6d/FCcEHArtU6z/Ci + bOQxPTPRYWUp6ikPF3hoMfJmYLUFAH6M/lKhsEZ0F7F2CGw8ry/w2S28RZikY6fT + bfwx10GrlJxirXbW4VF7gPuvObqH1plPnzUWKcVLoO42hG47eVTRCyCtr1XexZdz + ko1hrAynx9cVZT6yvBeHAxJQDGuSJTRYQroLgbJnAGMU70sGQj3pI9cPbtCUzE+p + xvPIxvG+ODTokah4XlQVqR4iEstPNXZtQLvhcKmL1aOr12WcDhAgKAzOiMiRlgCO + urDPCM63CDpz9yNe+iato6SR36axNpqJIG35zTnEaqFV3iKa0fxBmfAP+oq0B8rA + 5Y6mWWCjaPMmTm+5TScTTt+PT4biySGBrakH6r0SL8PD3gd4qSbhy76kkE0uaupu + ZhicDI3r8BZd3kwFfWOSkdmXfSnEF61FuMbVo8X3HexpSxjaUe1IcrIL0JGv5/jb + u2eHRFUsGeUhNhTTcUGBBImPe3wEOQSIIDKe2hDm5bfxZjAI+Bljx/6s3I4NY6Vs + utTj7I0HGEC9a29+MD+hYoiXKsJkcj81OGvs65M47bxdRsGt+Tvwp/O7Orvvr/zS + UQHc9x/21x5OTqFKNP3ou6T50A58Sl4vKT7KUTSBJnnjy6u5RtJtgmJ5n88CetWM + RmXwps5Y1kI9JZkW4uaWnKCDvrb3g0trSn7NAJ4D4ZcQtg== + =iWEN + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + unencrypted_suffix: _unencrypted + version: 3.7.3