loki, promtail, prometheus: remove basic auth, use

wireguard to secure connections
This commit is contained in:
teutat3s 2024-06-01 14:46:29 +02:00
parent a10027ed21
commit 20ebf92f1f
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
7 changed files with 12 additions and 150 deletions

View file

@ -6,19 +6,6 @@
... ...
}: }:
{ {
services.caddy.virtualHosts = {
"flora-6.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
basicauth * {
${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
}
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
'';
};
};
# source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e # source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
# https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml # https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml
services.loki = { services.loki = {
@ -28,7 +15,8 @@
auth_enabled = false; auth_enabled = false;
common = { common = {
ring = { ring = {
instance_addr = "127.0.0.1"; instance_interface_names = [ "wg-ssh" ];
instance_enable_ipv6 = true;
kvstore = { kvstore = {
store = "inmemory"; store = "inmemory";
}; };
@ -81,7 +69,7 @@
}; };
clients = [ clients = [
{ {
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://flora-6.wg.pub.solar:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
} }
]; ];
scrape_configs = [ scrape_configs = [

View file

@ -14,16 +14,12 @@ let
synapseMetricsPort = "${toString listenerWithMetrics.port}"; synapseMetricsPort = "${toString listenerWithMetrics.port}";
in in
{ {
age.secrets.nachtigall-metrics-nginx-basic-auth = {
file = "${flake.self}/secrets/nachtigall-metrics-nginx-basic-auth.age";
mode = "600";
owner = "nginx";
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"nachtigall.${config.pub-solar-os.networking.domain}" = { "nachtigall.wg.${config.pub-solar-os.networking.domain}" = {
enableACME = true; listenAddresses = [
addSSL = true; "10.7.6.1"
basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}"; "fd00:fae:fae:fae:fae:1::"
];
locations."/metrics" = { locations."/metrics" = {
proxyPass = "http://127.0.0.1:${toString (config.services.prometheus.exporters.node.port)}"; proxyPass = "http://127.0.0.1:${toString (config.services.prometheus.exporters.node.port)}";
}; };

View file

@ -6,11 +6,6 @@
... ...
}: }:
{ {
age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
mode = "600";
owner = "prometheus";
};
age.secrets.alertmanager-envfile = { age.secrets.alertmanager-envfile = {
file = "${flake.self}/secrets/alertmanager-envfile.age"; file = "${flake.self}/secrets/alertmanager-envfile.age";
mode = "600"; mode = "600";
@ -44,7 +39,7 @@
}; };
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "node-exporter-http"; job_name = "node-exporter";
static_configs = [ static_configs = [
{ {
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
@ -52,19 +47,8 @@
instance = "flora-6"; instance = "flora-6";
}; };
} }
];
}
{
job_name = "node-exporter-https";
scheme = "https";
metrics_path = "/metrics";
basic_auth = {
username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
};
static_configs = [
{ {
targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
instance = "nachtigall"; instance = "nachtigall";
}; };
@ -73,15 +57,10 @@
} }
{ {
job_name = "matrix-synapse"; job_name = "matrix-synapse";
scheme = "https";
metrics_path = "/_synapse/metrics"; metrics_path = "/_synapse/metrics";
basic_auth = {
username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
};
static_configs = [ static_configs = [
{ {
targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
instance = "nachtigall"; instance = "nachtigall";
}; };

View file

@ -6,12 +6,6 @@
... ...
}: }:
{ {
age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
mode = "600";
owner = "promtail";
};
services.promtail = { services.promtail = {
enable = true; enable = true;
configuration = { configuration = {
@ -24,11 +18,7 @@
}; };
clients = [ clients = [
{ {
url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push"; url = "http://flora-6.wg.pub.solar:${toString flake.self.nixosConfigurations.flora-6.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
basic_auth = {
username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
};
} }
]; ];
scrape_configs = [ scrape_configs = [

View file

@ -1,43 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg iFrOyGN0zSpptFEy3mRmzFH/SpqvmQZRhMHaOvHggSc
HRTI1y0eUK0nAWO0Q/YVNYOyLU0OwY9KH0a3elGk1fs
-> ssh-ed25519 uYcDNw ojnoOpd7HElVjSlgSxrS53yz5ecb0ZZbZ4ZRa/C4vjc
YoBa3whKDyeOsdXFdzUJAIElTL/8o1blYlltNsvWCjs
-> ssh-rsa f5THog
j2mjjmsw8yj5gd6B6hHNiJrP2IICrupcaHcuPZHID5Bq9WbXcFlU9bsvLVtneBbD
YyGgpgUzejokeRT8EKieQSzcRCt99qVSO0cJWlvtVMpY5kNL7L6q9v3hlgOgAHPH
WgtnkHkXrGTiQQWSTaymt1dxtWBOfA3RvLnRubwrSzkIynqHuX1AqjXqQy3RL7BJ
nfpp9ctviR2CXyBgF2VvFXLUB7dV+SWe+Sp09293/sx3lTDAJOs5DTL32I+suNl7
g1VVgE+kgVt3B6aXqrIe1T/bDjb4IMu7saXL3q9dz7aZNysLcQgGI254HR7VkE3o
GFlMb6PWj9oHa0R0PqCzyL0NV+VfKEXkdYFebCUI2p9jKajy8VCcNfRmekf5ZBHP
tAmyjnKE8uO4qYyhcK7eZJHAMwIYC8LW+xcEo1ym27K0t6M9Ph2QbRslqPf8nWsP
9a/Ca1cSKBc0IXhG88ulsDCHIFpiAegLPTdZL5GFe0VwyfyLukG4I8fXNndRVhK+
RMxWl1ZGWYTBiQi/4a4JZvXP14JpTfC8DzvcZHXl8o2GqS/TEk7zAOsoGffwzqpO
Fid11Axy0BY1iPfH6S44W8uxQz9b9AUVrJD53f9YIOTGjfMOUrOCwTHv2DcN+LC7
02LmoCkSTsCqpnpJPDOXcGYh3nk75orQYqW5lnkwc8g
-> ssh-rsa kFDS0A
FeZXachOnQfqnotkRdNFtoiZL02DViImVhkIizJAUh1VgUXiCHlQX+8epshgP3dL
xYBf4yPx5RBKN/jKfNsjS0KyxwDlApemyD73JW83LJ5cm2JuUwvtGXVCBFrkD9OI
I4oeuBdl8oBQgjvUbp4BkXvqh+0Ymw7rMs5IWJDjwMOUgnsrpvp363IbVY5wc2Cp
tI9OeiP4Jx9zUVKTpeIXdH5U54tjBAr/n0D4OXRZC79CW2Sw475z0wbXzKkQMYL7
XidTyBpvj9b2IdaswhQpx21nDIlNKSQy1+gVgQTljxuHBcs/tOulTM+DC/UbA/hy
blKAs0HPOkodYGwl1VytIg6Qr1cczSUCUrgmZ4CxcFF/6earOT9uscjbT73jeyil
JSuzBjyULh59tueYqmuPcq5wCcsvCEYJrUtg/vrU6JhWvLjmOk6HKMls6KcB+qeg
pgkjSsSqgdN0k2mZaUOAe88bMC+z5oGL1Gi9dFEYmdN/gN8CFVaULxwrL/IXPnkw
O7LBeVSV31et2iGKE9Mf1GjyCZV4xSaYdtuSTSOPsRuctTIW2y7FyU0MdUGhZmIl
faEWPpnuBqDm6m8RUFuxy8un2k9mQzE2iroKWimj49kftqVdSAgUMgHws2G8GH/y
MrRkarMtyVFgzHF/4WkO1FPdsBWy9pVdRhFdr7BSeQc
-> piv-p256 vRzPNw A9xaGL246GekLk5G2Jy6+AdtmVoBc101XDkGdqmCU0Ow
NvuqIsu7dexWjLOJY8vCcZgyHjs9o9z8N2RrjjOGFDQ
-> piv-p256 zqq/iw A7A1tGYE+5KhtcWXQ5kE1FjY9teRnWb0HrmqkX5qqanK
t+ViJ41AuFrL6CH2cYnWx3XLB6iR0fxgp9TK1zt3DNE
-> ssh-ed25519 YFSOsg O2M/GJ0nXaCtasaqdZCzHwOPlnKoxjrEyhZsWcjrCTw
ZKQEI098YcHWNL6VBJ6JmRN7QLC1sQd3zUTQi1o3dbE
-> ssh-ed25519 iHV63A nARCFmD6Q9rj+ebUFckSf6rM0jTKRgHtDRS4qzCd9iE
peM7be/ngP+HQYPgpQruhdL9D2QArUrJWao0L++Y1js
-> ssh-ed25519 BVsyTA U6fvbra/fd4P6r7bUFCN5bwqiDBF0h+V5AB94ZOBtwI
UzDdo8fw7Ya7vHmPNLXSzOnAV4FVj3+2Ci3pStIuu/U
-> ssh-ed25519 +3V2lQ 8rvmvG/jd72rp0mhx+biUCihJcK7WjnkTPgwvcJYJEM
785YAEjC6xaTLZPzgcLhQPFigh6TVYbSkhn1aVc5PKg
--- X3mEGGX4yRgEZLBHEnFT2P59pGYxEKQCqBntP8OM24Q
×RÜÞ5Ö5~,ëÓÝõ?ÇÆ]¬ ¼s\i8`—9G?ðíÞ<C3AD>ÕÅÓ$LÚD´w3¼N{FB1Xü,zvÏ@a{²™å

View file

@ -1,45 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw nTNUxIC9LkrJ9hUdbihbpeHVMmLJxAvJ1owTGipKUSE
axyLEKraFg2oYLh28QyKxb5R+ao9Q374iqg0OcPKfao
-> ssh-ed25519 iDKjwg htWAMOoRqftyzvn7uCmsrF80MdFwmomqvB+UMJ/NVTU
Wqe9W++Slv5ITX3C+89bsVWWytOM+SD3vISPmwVh87k
-> ssh-ed25519 uYcDNw yBxYg49sXazNjQbX6v9Vah6StIw8mrVG/yjgxFesLhE
iDh8pDLGhmlTYkg3ESaM7P58gBbPn+tjFkr/+UthYos
-> ssh-rsa f5THog
Rv+2zwwON/S9Ph3ZhC0oERqbaUw9r4mlJ+FfhOxt45fdy+DmcMRpZoUe/3Rb1LqE
VTXpYlcG3FScRt2u+MOYywCu3E5ForqUjHKKXKeK5JwvSOdrOZWgDmg9kc9GA0io
St+6EEQbBVXQ/l57+i8VQ/mSi+RlYBCVxoCvWm22i5cYV72SobAaJbITS4XWAdPb
hQbOBD+5X5Laj5ixDNsc1wxdU47S+uY/uFm1Mpw/eJYG+cUlYw1/Kd/UpoJVSdT+
EQN+WUPmDYEHJSn3VVoYVF4969MLONb+9X3w5KITYr9r7lpc+uKvqPicDPpRdTAw
gtRPUDpz/MoBvP29NOsITFACavfiKJjYH443pn6JEQF7vtPdjyvCMLf/PxWmpIzw
2BPZmllvqGwYxeVcjzRSDbbsNG85RE+tSVM5p37lVYF6AZfxHG0tLPJt68AT5n36
fu2mvkEhRZR84/iUuNRGhemma4CuhTZk82MZGefSHlaCI03Bl8VmHlfKLlEEoCTq
7EovI0mVyHzhfnRJyqcSm7rD3RKU2zH8K7aAB/zd9x4m2bk6mDnUJViObOcfMRjF
GUy2RHO/FuRgQtD3ZTsQ+eG37fvhb8dSDMfAIP9ug04pl55co3L18JlUMEwktq8m
AD+DDa0pXwLU1zminQRZwJIe7RU0li44lmqihxIlXGo
-> ssh-rsa kFDS0A
jbDwJLKASE8aNqmgoyV8BO572dc7PoS1AMWnULJwv8JglL+KeYxU3HwlLulKQ1Ej
pDC/BVONirMx1KE8qm8RTgo/xhoA/GVognpR4T19Z9yslD6E2mtGozCi+zlAjn0u
BgThEp1pE9CCY54enXS9ADnTYYwZene+i2OkJsRpZ0qM3ULLRqrIl7otwvgHu7S3
x5C9YJNTGPUE33aDwWFblAApgelQ9p7erXJOW35FVAs50WFcAeIh8FoV8AAgVXVL
/4LADst6xxkT/jGBZcilO/W2Yj/k+sG+FBMtsat+u57CHLzp5G0KFNWpej9fzUFB
xavyLn7HXhjhT9GmtFY3TT71mqKmbj1syNn19rs2liZwdeLfgYBKS0xRKDGmHLtn
2JpElmKGM9qRZXYsPgq/NR5TsLEG2o/v0CxYT0wAbJnSfZJniiwJs4E+rrh78F4X
0YzUzPbAsCs3G7SCEz/ow4EmQkOZkJjFkHb/bIXIAqgz8AaFWuaVJVeSEGexTUy5
nXCOy9JOXJJC1O1CP/GwjmKKvqvYus/UBcCgVH+lQoxKWak1CD59ao+taCADevMu
BtL+KaLSwfrHpVZ/CTf5JqPKl8aYoQeubWdQttmF/DRyCsEDsiHAJFwgp4NC73zh
w1js8L5tt29ty2x3M7yY4bGQeC450+OwYsi50YpXE3Q
-> piv-p256 vRzPNw AwvMDdyTEURDqHbfoq5odnWJYvfneezIuvpMP1UQRKWg
fil4sICJnowY8rRbxQouXUZdUwAoe9smsMw0lcKtSbA
-> piv-p256 zqq/iw Aq5f+a77FpRI4Xe3zQe8If5aPkH2SJ0BHkWdlsrOtc4u
roBw1kwrU3OqKZZ38aVKdioUzfQ7d4ztwXgh/Icyni4
-> ssh-ed25519 YFSOsg 1c0L+d2frinozItIJB3NNOmdkttv9GLBhJTStTzG6Hg
Xy4TN3qZL1FF+thpQw/mRZq4jv4odgDjBK9/Wcc2QrE
-> ssh-ed25519 iHV63A 8l9cP+kW+MfGiN3rXOh2rJQPf8g8bCAirBTz/jYTtw4
w5FlcJiyDSN9D8GNNumLtWvv/E+0a2eoQPx81v/YzmU
-> ssh-ed25519 BVsyTA q7aLkPRcT8rPKXbEiwn+w300j20WO8rNfCIt6oLcUXk
O9V5q98TG6UKFQJooUrVfX/Icab5UPYONvSH7mKa/pA
-> ssh-ed25519 +3V2lQ NxpGLFMboFSAztflSWw+NFjByFfkBL/IG4r/hFvMjkQ
0uWTKEG3TAsNsrPcooLsrINmDTWKlVIx1/OAL2rlcgc
--- VrkwgHMM0SXQKvH6I1oz35B391zF9QHysr3AZxGTpxw
M°°<>l0<6C>â!wÏú™Þ+ ­B¼<s¤à`ÚEÂ*_<>Û„ÂݘÒ1þÁó¥Jâ¡[¥?ì¾Î|»‹

View file

@ -70,9 +70,6 @@ in
"grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys; "grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
"alertmanager-envfile.age".publicKeys = flora6Keys ++ adminKeys; "alertmanager-envfile.age".publicKeys = flora6Keys ++ adminKeys;
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys =
flora6Keys ++ nachtigallKeys ++ adminKeys;
"obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys; "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
"obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys; "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys;