feat(prometheus): add node-exporter to nachtigall,
protect endpoint https://nachtigall.pub.solar/metrics with TLS and basic auth
parent
fdda65eea9
commit
d5b59ea18a
|
@ -25,6 +25,21 @@
|
||||||
};
|
};
|
||||||
}];
|
}];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
job_name = "https-targets";
|
||||||
|
scheme = "https";
|
||||||
|
metrics_path = "/metrics";
|
||||||
|
basic_auth = {
|
||||||
|
username = "hakkonaut";
|
||||||
|
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
||||||
|
};
|
||||||
|
static_configs = [{
|
||||||
|
targets = [ "nachtigall.pub.solar" ];
|
||||||
|
labels = {
|
||||||
|
instance = "nachtigall";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
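--- a/hosts/nachtigall/apps/nginx-prometheus-exporters.nix
+++ b/hosts/nachtigall/apps/nginx-prometheus-exporters.nix
@@ -0,0 +1,19 @@
+{ config, flake, ... }:
+
+{
+age.secrets.nachtigall-metrics-basic-auth = {
+file = "${flake.self}/secrets/nachtigall-metrics-basic-auth.age";
+mode = "600";
+owner = "nginx";
+};
+services.nginx.virtualHosts = {
+"nachtigall.pub.solar" = {
+enableACME = true;
+addSSL = true;
+basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";
+locations."/metrics" = {
+proxyPass = "http://127.0.0.1:${toString(config.services.prometheus.exporters.node.port)}";
+};
+};
+};
+}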
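Review bot: `basicAuthFile` reads `config.age.secrets.nachtigall-metrics-nginx-basic-auth.path`, but the only secret this file declares is `age.secrets.nachtigall-metrics-basic-auth`, so unless that attribute is defined somewhere outside this commit the evaluation fails. The scrape job's `password_file` in the first hunk has the same mismatch with `nachtigall-metrics-prometheus-basic-auth-password`. nginx expects an htpasswd-format file while Prometheus `password_file` expects the bare password, so the two sides probably need two separately named secrets rather than one shared `.age` file. Separately, `addSSL = true;` leaves the vhost answering on plain HTTP as well, where the Basic credentials and the metrics would travel unencrypted; `forceSSL = true;` redirects port 80 to HTTPS instead.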
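--- a/hosts/nachtigall/apps/prometheus-exporters.nix
+++ b/hosts/nachtigall/apps/prometheus-exporters.nix
@@ -0,0 +1,14 @@
+{
+config,
+...
+}: {
+services.prometheus = {
+exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+};
+};
+};
+}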
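Review bot: The `node` exporter block sets `port = 9002;` but no `listenAddress`, so the exporter presumably binds to all interfaces (the module default, worth confirming) and only the host firewall keeps the unauthenticated port off the network. Since the nginx vhost in this commit proxies to `127.0.0.1`, adding `listenAddress = "127.0.0.1";` next to `port` would make the TLS and basic-auth front end the only path to the metrics. A one-line comment above `port` stating that access is meant to go through the nginx `/metrics` location would also help the next reader.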
|
@ -21,9 +21,11 @@
|
||||||
./apps/owncast.nix
|
./apps/owncast.nix
|
||||||
./apps/nginx-mastodon.nix
|
./apps/nginx-mastodon.nix
|
||||||
./apps/nginx-mastodon-files.nix
|
./apps/nginx-mastodon-files.nix
|
||||||
|
./apps/nginx-prometheus-exporters.nix
|
||||||
./apps/nginx-website.nix
|
./apps/nginx-website.nix
|
||||||
./apps/opensearch.nix
|
./apps/opensearch.nix
|
||||||
./apps/postgresql.nix
|
./apps/postgresql.nix
|
||||||
|
./apps/prometheus-exporters.nix
|
||||||
./apps/searx.nix
|
./apps/searx.nix
|
||||||
|
|
||||||
./apps/matrix/mautrix-telegram.nix
|
./apps/matrix/mautrix-telegram.nix
|
||||||
|
|
31
secrets/nachtigall-metrics-basic-auth.age
Normal file
31
secrets/nachtigall-metrics-basic-auth.age
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 Y0ZZaw FWuk2kYGB+GfoY3rWfeCosoBOLvUHrH7SR8Fv18o+XI
|
||||||
|
YyOTULtyOJ3vfAOnYSMzeCCyipJ4Fqrr3PJgRtbElJg
|
||||||
|
-> ssh-ed25519 iDKjwg Bq6lNuS5MOhsU/7ypHw/E70BktIA+SmN6e3pvrIqRBQ
|
||||||
|
Xo0OOUXfOkPQfArhqSJyiAkH5lxcJIAO7M5krkCZNfc
|
||||||
|
-> ssh-ed25519 uYcDNw EfB1B4CSNk8Oe5B7T+KSl9O5OsCrulaLOjR3PBtxpSk
|
||||||
|
xJxkmBSENc5JosdRiEAC3a41WI6TmTlTxm+lclup+g4
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
dYH3A43wClFnDQp8m3ZnhTK5d8LeG6ZkqDQ5dS1yB//4G5TaUnMqOp5Q2G1gbgXY
|
||||||
|
Zu9qYOHdUydn5HIRSwBXj/KbBm5xJ1zFImOszn7S5mk4iReHFyTnSzAi4utatQcY
|
||||||
|
DEjGnvKKRoc7ih08+F44kq6DYnhUBFqF8eigQZIsyeWpiW6C1FzasL0KnXoedPG2
|
||||||
|
AYJForNB8zKp7a2Evxi0MY7a+ldHAekktz1Fta2u9MvrWUtqP/yLqJhCwCNvos7J
|
||||||
|
kG+XO4j0kiOQCIO9TOeLAu59+VCVM64mY+dp+xc8tX0fWuu7ItSAh6jRHzfgSKjC
|
||||||
|
qDJc/1YpUG1EnYSH39mfVox3ndeMuVrG6Q1h509jZuxsw/zoDsbY3bbhTaUQ3X8Y
|
||||||
|
5ShCponnEGBLqeSm1gALCAnlgu8IS4gL6ePKuAhN0qMYj6iiXP/Ugp3lTcv1TvFD
|
||||||
|
KINnV/tas1CO3PApQm6JgijHEPT9zyUbqR/xN06+OCWbg4hHuEix+0OhM1T5w2xC
|
||||||
|
KvKF30iUK0tU2hZvKdku2MpbP4N0cQLqBEWiyrUKHRMCdXi3kyO5D84UdWXvETAt
|
||||||
|
BfEvZ8ZG5fiSXzbPLxVqObXFZUirLuWomWtstqkDuadL9xJkTcsbr8ZCCNpPhxdL
|
||||||
|
oOfao+tox3RBilAS3AfQVhrPvD2rVUptm+0nPtnO3rY
|
||||||
|
-> ssh-ed25519 YFSOsg T2OdtA0kY4DqDIxE1QxMV5aCygvKlI5LgXQ+QYYuOko
|
||||||
|
l0Kzo02jGISCT1zrGf5soXYj7FMVrN/9REF3Zscbmik
|
||||||
|
-> ssh-ed25519 iHV63A 75daRGD2TQ/mXRsckaH9sGGkHMkLxgHFhn0eDdkDsU8
|
||||||
|
TXeoLqfU0ywQucPayYoG43Gr56uZoYIWaK9F2YJJ0FM
|
||||||
|
-> ssh-ed25519 BVsyTA J/xNtG1CAzfoiKPsnWwDp4pId7d3MywXpfhKAmpze3I
|
||||||
|
8uMO07Se/6krP79flt+XZfjIsw12kWsoD6LqZyLG70M
|
||||||
|
-> B-grease y3$t@ ; Bs *w
|
||||||
|
dUrvWB09znCDyvO7RnduMguc9pWTn19q1fc0MHFUXk7WQWns+4kpJIX1qljB5hz/
|
||||||
|
NPAbNzwMDQKj6awHAth1iFLaEw
|
||||||
|
--- rI4jrrXCiUpV/EzGsla+lxONmL5/Eel/LODoIM80jcM
|
||||||
|
˜_°0àÆ7Jˆq•[÷ç<>è'/ù‘õŽi„Ü<E2809E>Òl°mÙ
|
||||||
|
ÌÂ!JPþ¼>œ…wk¡ž·³¤+ é™)ÚÈPhUÜóç²O=>k=?ÂTÐ
|
|
@ -66,4 +66,6 @@ in {
|
||||||
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
|
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
|
||||||
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
|
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
|
||||||
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
|
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
|
||||||
|
|
||||||
|
"nachtigall-metrics-basic-auth.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
|
||||||
}
|
}
|
||||||
|
|