diff --git a/docs/unlocking-root.md b/docs/unlocking-root.md
deleted file mode 100644
index 511d2422..00000000
--- a/docs/unlocking-root.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Unlocking the root partition on boot
-
-After a reboot, the encrypted ZFS pool will have to be unlocked. This is done by accessing the server via SSH with user `root` on port 2222.
-
-Nachtigall:
-
-```
-ssh root@138.201.80.102 -p2222
-```
-
-Metronom:
-
-```
-ssh root@49.13.236.167 -p2222
-```
-
-After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.
diff --git a/docs/unlocking-zfs-pool.md b/docs/unlocking-zfs-pool.md
new file mode 100644
index 00000000..686f140c
--- /dev/null
+++ b/docs/unlocking-zfs-pool.md
@@ -0,0 +1,20 @@
+# Unlocking the ZFS pool on boot
+
+After a reboot, the encrypted ZFS pool will have to be unlocked. This is done by
+accessing the server via SSH as user `root` on port 2222.
+
+Nachtigall:
+
+```
+ssh root@nachtigall.pub.solar -p2222
+```
+
+Metronom:
+
+```
+ssh root@metronom.pub.solar -p2222
+```
+
+After connecting, paste the encryption passphrase you can find in the shared
+keepass. This will disconnect the SSH session immediately and the server will
+continue to boot into stage 2.
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index 765fdd43..0ec6eaf0 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@@ -28,8 +28,14 @@ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; networking.hosts = { - "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; - "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ]; + "10.7.6.1" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; + "10.7.6.2" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ]; + "10.7.6.3" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ]; + "10.7.6.4" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ]; + "fd00:fae:fae:fae:fae:1::" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; + "fd00:fae:fae:fae:fae:2::" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ]; + "fd00:fae:fae:fae:fae:3::" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ]; + "fd00:fae:fae:fae:fae:4::" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ]; }; services.openssh = { diff --git a/modules/loki/default.nix b/modules/loki/default.nix index cab6b8ed..bd28afe8 100644 --- a/modules/loki/default.nix +++ b/modules/loki/default.nix @@ -6,19 +6,9 @@ ... }: { - services.caddy.virtualHosts = { - "flora-6.${config.pub-solar-os.networking.domain}" = { - logFormat = lib.mkForce '' - output discard - ''; - extraConfig = '' - basicauth * { - ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. - } - reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} - ''; - }; - }; + # Only expose loki port via wireguard interface + networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3100 ]; + # source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e # https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml services.loki = { 
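Review bot: The added `networking.hosts` entries are now the only thing that keeps the `*.wg.${config.pub-solar-os.networking.domain}` names on the tunnel, because the other hunks in this commit drop TLS and basic auth for everything scraped from or pushed to those names, yet the block carries no comment recording that. A later edit that points one of these names at a public address would silently move plaintext, unauthenticated metrics and log traffic off WireGuard. I would add above the block: `# *.wg.<domain> must only ever resolve to WireGuard peer addresses; the monitoring stack sends plaintext, unauthenticated traffic to these names.` The same IPv4/IPv6 pairs are repeated as literals in the `listenAddresses` hunk of modules/nginx-prometheus-exporters/default.nix; deriving both from one attrset would keep them from drifting.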
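Review bot: The new firewall rule hard-codes `3100`, whereas the Caddy block it replaces derived the port from `config.services.loki.configuration.server.http_listen_port`; if that option ever changes the rule goes stale, leaving Loki unreachable over the tunnel or a now-unused port open. Prefer `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ];` (the list merges with the `[ 22 ]` set in modules/core/networking.nix). With the basicauth proxy gone and `auth_enabled = false` visible as context in the next hunk, Loki now relies solely on this interface-scoped rule; `http_listen_address` is not in this diff, so if Loki still binds all interfaces it is worth confirming that no global `allowedTCPPorts` entry also opens 3100 on the public interfaces.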
@@ -28,7 +18,8 @@ auth_enabled = false; common = { ring = { - instance_addr = "127.0.0.1"; + instance_interface_names = [ "wg-ssh" ]; + instance_enable_ipv6 = true; kvstore = { store = "inmemory"; }; @@ -81,7 +72,7 @@ }; clients = [ { - url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; + url = "http://flora-6.wg.pub.solar:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; } ]; scrape_configs = [ diff --git a/modules/nginx-prometheus-exporters/default.nix b/modules/nginx-prometheus-exporters/default.nix index 391f7827..321bd7bb 100644 --- a/modules/nginx-prometheus-exporters/default.nix +++ b/modules/nginx-prometheus-exporters/default.nix @@ -14,16 +14,12 @@ let synapseMetricsPort = "${toString listenerWithMetrics.port}"; in { - age.secrets.nachtigall-metrics-nginx-basic-auth = { - file = "${flake.self}/secrets/nachtigall-metrics-nginx-basic-auth.age"; - mode = "600"; - owner = "nginx"; - }; services.nginx.virtualHosts = { - "nachtigall.${config.pub-solar-os.networking.domain}" = { - enableACME = true; - addSSL = true; - basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}"; + "nachtigall.wg.${config.pub-solar-os.networking.domain}" = { + listenAddresses = [ + "10.7.6.1" + "[fd00:fae:fae:fae:fae:1::]" + ]; locations."/metrics" = { proxyPass = "http://127.0.0.1:${toString (config.services.prometheus.exporters.node.port)}"; }; diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index b8ce54f9..564d6506 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -6,11 +6,6 @@ ... }: { - age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { - file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; - mode = "600"; - owner = "prometheus"; - }; age.secrets.alertmanager-envfile = { file = "${flake.self}/secrets/alertmanager-envfile.age"; mode = "600"; 
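Review bot: The new push URL hard-codes `flora-6.wg.pub.solar` while every other host reference in this commit uses `${config.pub-solar-os.networking.domain}`; the `networking.hosts` entry added in modules/core/networking.nix only pins `flora-6.wg.${domain}`, so if the domain option is anything other than `pub.solar` this literal resolves through public DNS (or not at all) and the now plaintext, unauthenticated log push leaves the tunnel. Prefer `url = "http://flora-6.wg.${config.pub-solar-os.networking.domain}:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";`. The same literal appears in the `clients` hunk of modules/promtail/default.nix and should be changed there as well.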
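Review bot: The vhost now serves `/metrics` with no authentication over plain HTTP, bound to `10.7.6.1` and `[fd00:fae:fae:fae:fae:1::]`; that is sound only while those addresses are reachable solely through `wg-ssh`, and the hunk records that assumption nowhere. I would add above `listenAddresses`: `# Bound to the WireGuard addresses only: the exporter endpoints are unauthenticated and must never be reachable from a public interface.` With `addSSL` removed the vhost listens on port 80, and the prometheus targets in this commit carry no port, so the scrape depends on 80 being allowed on `wg-ssh` (or globally) on nachtigall, which this diff does not show. The two addresses also duplicate the `networking.hosts` literals in modules/core/networking.nix.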
@@ -44,7 +39,7 @@ }; scrapeConfigs = [ { - job_name = "node-exporter-http"; + job_name = "node-exporter"; static_configs = [ { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; @@ -52,19 +47,8 @@ instance = "flora-6"; }; } - ]; - } - { - job_name = "node-exporter-https"; - scheme = "https"; - metrics_path = "/metrics"; - basic_auth = { - username = "hakkonaut"; - password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; - }; - static_configs = [ { - targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; + targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; labels = { instance = "nachtigall"; }; @@ -73,15 +57,10 @@ } { job_name = "matrix-synapse"; - scheme = "https"; metrics_path = "/_synapse/metrics"; - basic_auth = { - username = "hakkonaut"; - password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; - }; static_configs = [ { - targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; + targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; labels = { instance = "nachtigall"; }; diff --git a/modules/promtail/default.nix b/modules/promtail/default.nix index 2e65a282..d0c792aa 100644 --- a/modules/promtail/default.nix +++ b/modules/promtail/default.nix @@ -6,12 +6,6 @@ ... }: { - age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { - file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; - mode = "600"; - owner = "promtail"; - }; - services.promtail = { enable = true; configuration = { 
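Review bot: Folding `node-exporter-https` into `node-exporter` (together with the `node-exporter-http` rename in the previous hunk) changes the `job` label on every stored series for these targets, so recording rules, alerts and dashboards that select `job="node-exporter-http"` or `job="node-exporter-https"` will go silent until updated; none are visible in this diff, so this is worth checking before deploy. The nachtigall target now has neither `scheme` nor a port, so Prometheus falls back to `http` on port 80; I would make that explicit with `scheme = "http";` next to the `job_name`, so the intentional move away from HTTPS reads as a decision rather than an omission. The same applies to the `matrix-synapse` job in the next hunk, whose `scheme = "https"` line is removed without a replacement.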
@@ -24,11 +18,7 @@ }; clients = [ { - url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push"; - basic_auth = { - username = "hakkonaut"; - password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; - }; + url = "http://flora-6.wg.pub.solar:${toString flake.self.nixosConfigurations.flora-6.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; } ]; scrape_configs = [ diff --git a/secrets/nachtigall-metrics-nginx-basic-auth.age b/secrets/nachtigall-metrics-nginx-basic-auth.age deleted file mode 100644 index f441b566..00000000 --- a/secrets/nachtigall-metrics-nginx-basic-auth.age +++ /dev/null 
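Review bot: The push URL pulls the port from `flake.self.nixosConfigurations.flora-6.config.services.loki.configuration.server.http_listen_port`, which makes every host importing this module evaluate flora-6's entire NixOS configuration just to obtain a port number, and couples their builds to flora-6 evaluating cleanly. A shared option under `pub-solar-os` (or a plain constant next to the firewall rule in modules/loki/default.nix, which also hard-codes `3100`) would be lighter and keep the two values in one place. The enclosing `clients` list continues outside the hunk.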
@@ -1,43 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 iDKjwg iFrOyGN0zSpptFEy3mRmzFH/SpqvmQZRhMHaOvHggSc -HRTI1y0eUK0nAWO0Q/YVNYOyLU0OwY9KH0a3elGk1fs --> ssh-ed25519 uYcDNw ojnoOpd7HElVjSlgSxrS53yz5ecb0ZZbZ4ZRa/C4vjc -YoBa3whKDyeOsdXFdzUJAIElTL/8o1blYlltNsvWCjs --> ssh-rsa f5THog -j2mjjmsw8yj5gd6B6hHNiJrP2IICrupcaHcuPZHID5Bq9WbXcFlU9bsvLVtneBbD -YyGgpgUzejokeRT8EKieQSzcRCt99qVSO0cJWlvtVMpY5kNL7L6q9v3hlgOgAHPH -WgtnkHkXrGTiQQWSTaymt1dxtWBOfA3RvLnRubwrSzkIynqHuX1AqjXqQy3RL7BJ -nfpp9ctviR2CXyBgF2VvFXLUB7dV+SWe+Sp09293/sx3lTDAJOs5DTL32I+suNl7 -g1VVgE+kgVt3B6aXqrIe1T/bDjb4IMu7saXL3q9dz7aZNysLcQgGI254HR7VkE3o -GFlMb6PWj9oHa0R0PqCzyL0NV+VfKEXkdYFebCUI2p9jKajy8VCcNfRmekf5ZBHP -tAmyjnKE8uO4qYyhcK7eZJHAMwIYC8LW+xcEo1ym27K0t6M9Ph2QbRslqPf8nWsP -9a/Ca1cSKBc0IXhG88ulsDCHIFpiAegLPTdZL5GFe0VwyfyLukG4I8fXNndRVhK+ -RMxWl1ZGWYTBiQi/4a4JZvXP14JpTfC8DzvcZHXl8o2GqS/TEk7zAOsoGffwzqpO -Fid11Axy0BY1iPfH6S44W8uxQz9b9AUVrJD53f9YIOTGjfMOUrOCwTHv2DcN+LC7 -02LmoCkSTsCqpnpJPDOXcGYh3nk75orQYqW5lnkwc8g --> ssh-rsa kFDS0A -FeZXachOnQfqnotkRdNFtoiZL02DViImVhkIizJAUh1VgUXiCHlQX+8epshgP3dL -xYBf4yPx5RBKN/jKfNsjS0KyxwDlApemyD73JW83LJ5cm2JuUwvtGXVCBFrkD9OI -I4oeuBdl8oBQgjvUbp4BkXvqh+0Ymw7rMs5IWJDjwMOUgnsrpvp363IbVY5wc2Cp -tI9OeiP4Jx9zUVKTpeIXdH5U54tjBAr/n0D4OXRZC79CW2Sw475z0wbXzKkQMYL7 -XidTyBpvj9b2IdaswhQpx21nDIlNKSQy1+gVgQTljxuHBcs/tOulTM+DC/UbA/hy -blKAs0HPOkodYGwl1VytIg6Qr1cczSUCUrgmZ4CxcFF/6earOT9uscjbT73jeyil -JSuzBjyULh59tueYqmuPcq5wCcsvCEYJrUtg/vrU6JhWvLjmOk6HKMls6KcB+qeg -pgkjSsSqgdN0k2mZaUOAe88bMC+z5oGL1Gi9dFEYmdN/gN8CFVaULxwrL/IXPnkw -O7LBeVSV31et2iGKE9Mf1GjyCZV4xSaYdtuSTSOPsRuctTIW2y7FyU0MdUGhZmIl -faEWPpnuBqDm6m8RUFuxy8un2k9mQzE2iroKWimj49kftqVdSAgUMgHws2G8GH/y -MrRkarMtyVFgzHF/4WkO1FPdsBWy9pVdRhFdr7BSeQc --> piv-p256 vRzPNw A9xaGL246GekLk5G2Jy6+AdtmVoBc101XDkGdqmCU0Ow -NvuqIsu7dexWjLOJY8vCcZgyHjs9o9z8N2RrjjOGFDQ --> piv-p256 zqq/iw A7A1tGYE+5KhtcWXQ5kE1FjY9teRnWb0HrmqkX5qqanK -t+ViJ41AuFrL6CH2cYnWx3XLB6iR0fxgp9TK1zt3DNE --> ssh-ed25519 YFSOsg O2M/GJ0nXaCtasaqdZCzHwOPlnKoxjrEyhZsWcjrCTw 
-ZKQEI098YcHWNL6VBJ6JmRN7QLC1sQd3zUTQi1o3dbE --> ssh-ed25519 iHV63A nARCFmD6Q9rj+ebUFckSf6rM0jTKRgHtDRS4qzCd9iE -peM7be/ngP+HQYPgpQruhdL9D2QArUrJWao0L++Y1js --> ssh-ed25519 BVsyTA U6fvbra/fd4P6r7bUFCN5bwqiDBF0h+V5AB94ZOBtwI -UzDdo8fw7Ya7vHmPNLXSzOnAV4FVj3+2Ci3pStIuu/U --> ssh-ed25519 +3V2lQ 8rvmvG/jd72rp0mhx+biUCihJcK7WjnkTPgwvcJYJEM -785YAEjC6xaTLZPzgcLhQPFigh6TVYbSkhn1aVc5PKg ---- X3mEGGX4yRgEZLBHEnFT2P59pGYxEKQCqBntP8OM24Q -R(ܑ55~,?] s\i8`9G[?ޝ$LD:w3N{FB1X,zv@a{ \ No newline at end of file diff --git a/secrets/nachtigall-metrics-prometheus-basic-auth-password.age b/secrets/nachtigall-metrics-prometheus-basic-auth-password.age deleted file mode 100644 index 7839fcae..00000000 --- a/secrets/nachtigall-metrics-prometheus-basic-auth-password.age +++ /dev/null 
@@ -1,45 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 Y0ZZaw nTNUxIC9LkrJ9hUdbihbpeHVMmLJxAvJ1owTGipKUSE -axyLEKraFg2oYLh28QyKxb5R+ao9Q374iqg0OcPKfao --> ssh-ed25519 iDKjwg htWAMOoRqftyzvn7uCmsrF80MdFwmomqvB+UMJ/NVTU -Wqe9W++Slv5ITX3C+89bsVWWytOM+SD3vISPmwVh87k --> ssh-ed25519 uYcDNw yBxYg49sXazNjQbX6v9Vah6StIw8mrVG/yjgxFesLhE -iDh8pDLGhmlTYkg3ESaM7P58gBbPn+tjFkr/+UthYos --> ssh-rsa f5THog -Rv+2zwwON/S9Ph3ZhC0oERqbaUw9r4mlJ+FfhOxt45fdy+DmcMRpZoUe/3Rb1LqE -VTXpYlcG3FScRt2u+MOYywCu3E5ForqUjHKKXKeK5JwvSOdrOZWgDmg9kc9GA0io -St+6EEQbBVXQ/l57+i8VQ/mSi+RlYBCVxoCvWm22i5cYV72SobAaJbITS4XWAdPb -hQbOBD+5X5Laj5ixDNsc1wxdU47S+uY/uFm1Mpw/eJYG+cUlYw1/Kd/UpoJVSdT+ -EQN+WUPmDYEHJSn3VVoYVF4969MLONb+9X3w5KITYr9r7lpc+uKvqPicDPpRdTAw -gtRPUDpz/MoBvP29NOsITFACavfiKJjYH443pn6JEQF7vtPdjyvCMLf/PxWmpIzw -2BPZmllvqGwYxeVcjzRSDbbsNG85RE+tSVM5p37lVYF6AZfxHG0tLPJt68AT5n36 -fu2mvkEhRZR84/iUuNRGhemma4CuhTZk82MZGefSHlaCI03Bl8VmHlfKLlEEoCTq -7EovI0mVyHzhfnRJyqcSm7rD3RKU2zH8K7aAB/zd9x4m2bk6mDnUJViObOcfMRjF -GUy2RHO/FuRgQtD3ZTsQ+eG37fvhb8dSDMfAIP9ug04pl55co3L18JlUMEwktq8m -AD+DDa0pXwLU1zminQRZwJIe7RU0li44lmqihxIlXGo --> ssh-rsa kFDS0A -jbDwJLKASE8aNqmgoyV8BO572dc7PoS1AMWnULJwv8JglL+KeYxU3HwlLulKQ1Ej -pDC/BVONirMx1KE8qm8RTgo/xhoA/GVognpR4T19Z9yslD6E2mtGozCi+zlAjn0u -BgThEp1pE9CCY54enXS9ADnTYYwZene+i2OkJsRpZ0qM3ULLRqrIl7otwvgHu7S3 -x5C9YJNTGPUE33aDwWFblAApgelQ9p7erXJOW35FVAs50WFcAeIh8FoV8AAgVXVL -/4LADst6xxkT/jGBZcilO/W2Yj/k+sG+FBMtsat+u57CHLzp5G0KFNWpej9fzUFB -xavyLn7HXhjhT9GmtFY3TT71mqKmbj1syNn19rs2liZwdeLfgYBKS0xRKDGmHLtn -2JpElmKGM9qRZXYsPgq/NR5TsLEG2o/v0CxYT0wAbJnSfZJniiwJs4E+rrh78F4X -0YzUzPbAsCs3G7SCEz/ow4EmQkOZkJjFkHb/bIXIAqgz8AaFWuaVJVeSEGexTUy5 -nXCOy9JOXJJC1O1CP/GwjmKKvqvYus/UBcCgVH+lQoxKWak1CD59ao+taCADevMu -BtL+KaLSwfrHpVZ/CTf5JqPKl8aYoQeubWdQttmF/DRyCsEDsiHAJFwgp4NC73zh -w1js8L5tt29ty2x3M7yY4bGQeC450+OwYsi50YpXE3Q --> piv-p256 vRzPNw AwvMDdyTEURDqHbfoq5odnWJYvfneezIuvpMP1UQRKWg -fil4sICJnowY8rRbxQouXUZdUwAoe9smsMw0lcKtSbA --> piv-p256 zqq/iw Aq5f+a77FpRI4Xe3zQe8If5aPkH2SJ0BHkWdlsrOtc4u 
-roBw1kwrU3OqKZZ38aVKdioUzfQ7d4ztwXgh/Icyni4 --> ssh-ed25519 YFSOsg 1c0L+d2frinozItIJB3NNOmdkttv9GLBhJTStTzG6Hg -Xy4TN3qZL1FF+thpQw/mRZq4jv4odgDjBK9/Wcc2QrE --> ssh-ed25519 iHV63A 8l9cP+kW+MfGiN3rXOh2rJQPf8g8bCAirBTz/jYTtw4 -w5FlcJiyDSN9D8GNNumLtWvv/E+0a2eoQPx81v/YzmU --> ssh-ed25519 BVsyTA q7aLkPRcT8rPKXbEiwn+w300j20WO8rNfCIt6oLcUXk -O9V5q98TG6UKFQJooUrVfX/Icab5UPYONvSH7mKa/pA --> ssh-ed25519 +3V2lQ NxpGLFMboFSAztflSWw+NFjByFfkBL/IG4r/hFvMjkQ -0uWTKEG3TAsNsrPcooLsrINmDTWKlVIx1/OAL2rlcgc ---- VrkwgHMM0SXQKvH6I1oz35B391zF9QHysr3AZxGTpxw -Ml0!w+ B