Merge pull request 'Add metronom + tankstelle to grafana + loki' (#202) from monitor-metronom-tankstelle into main

Reviewed-on: pub-solar/infra#202
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
This commit is contained in:
teutat3s 2024-06-06 16:41:22 +00:00
commit 3b865a688c
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
7 changed files with 107 additions and 5 deletions


@ -14,7 +14,7 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
publicKey = <pubkey-string>;
allowedIPs = [ "10.7.6.<ip-address>/32" "fd00:fae:fae:fae:fae:<ip-address>::/96" ];
}
}];
];
secretEncryptionKeys = {
<name> = <encryption-key-string>;
@ -30,6 +30,56 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
Example NixOS snippet for WireGuard client config
```
{
networking = {
wireguard.enable = true;
wg-quick.interfaces = {
wg-pub-solar = {
address = ["10.7.6.201/32"];
address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"];
privateKeyFile = "/etc/wireguard/wg-pub-solar.privatekey";
peers = [
{ # nachtigall.pub.solar
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
endpoint = "[2a01:4f8:172:1c25::1]:51820";
# Use this endpoint in IPv4 only networks
#endpoint = "138.201.80.102:51820";
persistentKeepalive = 15;
}
{ # flora-6.pub.solar
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
endpoint = "80.71.153.210:51820";
persistentKeepalive = 15;
}
{ # metronom.pub.solar
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ];
#endpoint = "[2a01:4f8:c2c:7082::]:51820";
# Use this endpoint in IPv4 only networks
endpoint = "49.13.236.167:51820";
persistentKeepalive = 15;
}
{ # tankstelle.pub.solar
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [ "10.7.6.4/32" "fd00:fae:fae:fae:fae:4::/96" ];
endpoint = "[2001:4d88:1ffa:26::5]:51820";
# Use this endpoint in IPv4 only networks
#endpoint = "80.244.242.5:51820";
persistentKeepalive = 15;
}
];
};
};
};
}
```
# Secret encryption
Deployment secrets are added to the repository in encrypted files. To be able to work with these encrypted files, your public key(s) will have to be added to your user attrset under `secretEncryptionKeys`.


@ -119,19 +119,19 @@
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
nachtigall = {
hostname = "10.7.6.1";
hostname = "nachtigall.wg.pub.solar";
sshUser = username;
};
flora-6 = {
hostname = "10.7.6.2";
hostname = "flora-6.wg.pub.solar";
sshUser = username;
};
metronom = {
hostname = "10.7.6.3";
hostname = "metronom.wg.pub.solar";
sshUser = username;
};
tankstelle = {
hostname = "80.244.242.5";
hostname = "tankstelle.wg.pub.solar";
sshUser = username;
};
};
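Review bot: Switching the four `hostname` values from literal addresses to `*.wg.pub.solar` names changes what SSH matches in known_hosts: entries recorded under `10.7.6.1`, `10.7.6.2`, `10.7.6.3` or `80.244.242.5` do not match the new hostnames, so the first deploy after this change will present every host key as unknown. Operators should verify those fingerprints out-of-band or pre-seed known_hosts for the new names rather than accept the prompt. The deploy now also depends on the `wg.pub.solar` names resolving to the WireGuard addresses; if that zone is served publicly, strict host-key checking is the only thing that stops a tampered answer from redirecting the deploy, so it must stay on. A comment above the node set, e.g. `# hosts are reached over WireGuard; the wg.pub.solar names must resolve to tunnel addresses`, would make that expectation explicit.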


@ -67,6 +67,9 @@
self.nixosModules.overlays
self.nixosModules.unlock-zfs-on-boot
self.nixosModules.core
self.nixosModules.mail
self.nixosModules.prometheus-exporters
self.nixosModules.promtail
self.inputs.simple-nixos-mailserver.nixosModule
];
@ -79,6 +82,8 @@
./tankstelle
self.nixosModules.overlays
self.nixosModules.core
self.nixosModules.prometheus-exporters
self.nixosModules.promtail
];
};
};


@ -28,6 +28,25 @@
"fd00:fae:fae:fae:fae:1::/96"
];
}
{
# metronom.pub.solar
endpoint = "49.13.236.167:51820";
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [
"10.7.6.3/32"
"fd00:fae:fae:fae:fae:3::/96"
];
persistentKeepalive = 15;
}
{
# tankstelle.pub.solar
endpoint = "80.244.242.5:51820";
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [
"10.7.6.4/32"
"fd00:fae:fae:fae:fae:4::/96"
];
}
];
};
};
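Review bot: The new tankstelle peer has no `persistentKeepalive`, while the metronom peer added in the same hunk sets `persistentKeepalive = 15;` and the client example in this commit's docs gives tankstelle a keepalive as well. If the omission is deliberate (tankstelle has a fixed public endpoint and this host initiates), say so in the peer comment; otherwise add `persistentKeepalive = 15;` after its `allowedIPs` so the tunnel to tankstelle is treated the same way as the one to metronom. The enclosing `peers` list starts before this hunk.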


@ -28,6 +28,15 @@
"fd00:fae:fae:fae:fae:1::/96"
];
}
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
];
};
};


@ -1,5 +1,8 @@
{ config, ... }:
{
# Only expose prometheus exporter port via wireguard interface
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ];
services.prometheus = {
exporters = {
node = {
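Review bot: The firewall rule hard-codes `9002` while the scrape config in this commit derives the target port from `config.services.prometheus.exporters.node.port`; if that option ever changes on one host the firewall and the scraper silently disagree. Tie them together with `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];` (`config` is already in the module arguments). The comment `Only expose prometheus exporter port via wireguard interface` holds only if the exporter is not reachable on other interfaces, which depends on the global firewall staying enabled or the exporter's `listenAddress` being the WireGuard address — neither is visible in this hunk, so it is worth stating, e.g. `# relies on the default-deny firewall for every other interface`. The `services.prometheus` attrset continues past the end of the hunk.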


@ -53,6 +53,22 @@
instance = "nachtigall";
};
}
{
targets = [
"metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
];
labels = {
instance = "metronom";
};
}
{
targets = [
"tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
];
labels = {
instance = "tankstelle";
};
}
];
}
{
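Review bot: The three static target entries differ only in the host name and each new host will need another copy; generating them from a list keeps the target format and the port expression in one place. Note that `config.services.prometheus.exporters.node.port` here is the scraping host's own option value, so scraping only works while every host runs node-exporter on the same port — a comment such as `# assumes every host runs node-exporter on the same port as this one` makes that coupling visible. Scraping is plain http to the `*.wg.<domain>` names, which is acceptable only while those names resolve to WireGuard addresses; if they ever resolve to public addresses the interface-scoped firewall rule refuses the connection rather than exposing metrics, so the failure is at least loud. The enclosing scrape job starts before this hunk.
```nix
# … unchanged: scrape job header (outside this hunk) …
map
  (host: {
    targets = [
      "${host}.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
    ];
    labels = {
      instance = host;
    };
  })
  [ "nachtigall" "metronom" "tankstelle" ];
```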