feat(prometheus): add node-exporter to nachtigall,

protect endpoint https://nachtigall.pub.solar/metrics
with TLS and basic auth
teutat3s 2023-12-06 19:11:45 +01:00
parent fdda65eea9
commit d5b59ea18a
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
6 changed files with 83 additions and 0 deletions


@ -25,6 +25,21 @@
};
}];
}
{
job_name = "https-targets";
scheme = "https";
metrics_path = "/metrics";
basic_auth = {
username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
};
static_configs = [{
targets = [ "nachtigall.pub.solar" ];
labels = {
instance = "nachtigall";
};
}];
}
];
};
}
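Review bot: `password_file` points at `config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password`, but the only age secret this commit declares and registers is `nachtigall-metrics-basic-auth`, so unless that attribute is defined outside this commit the configuration will fail to evaluate. The nginx virtual host section has the same mismatch, with `nachtigall-metrics-nginx-basic-auth` in `basicAuthFile`. Prometheus reads a raw password while nginx reads an htpasswd entry, so two separate secrets are probably intended. Each would need its own `age.secrets.<name>` declaration and secrets.nix entry, encrypted only to the host that uses it and, on the Prometheus side, readable by the Prometheus service user. The scrape config list this entry is appended to starts outside the hunk.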


@ -0,0 +1,19 @@
{ config, flake, ... }:
{
age.secrets.nachtigall-metrics-basic-auth = {
file = "${flake.self}/secrets/nachtigall-metrics-basic-auth.age";
mode = "600";
owner = "nginx";
};
services.nginx.virtualHosts = {
"nachtigall.pub.solar" = {
enableACME = true;
addSSL = true;
basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";
locations."/metrics" = {
proxyPass = "http://127.0.0.1:${toString(config.services.prometheus.exporters.node.port)}";
};
};
};
}
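Review bot: `addSSL = true` leaves a plain-HTTP listener that serves `/metrics` and issues the basic-auth challenge, so credentials and metrics can cross the network unencrypted when a client uses `http://`. Replacing it with `forceSSL = true;` makes port 80 answer only with a redirect to HTTPS. `basicAuthFile` is also set on the whole virtual host rather than inside `locations."/metrics"`, so any other module that adds locations to `nachtigall.pub.solar` inherits the password prompt; moving it into the location block keeps the scope explicit. A comment above the secret such as `# htpasswd-format file for the /metrics scrape user` would record which format nginx expects.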


@ -0,0 +1,14 @@
{
config,
...
}: {
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
}
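Review bot: The node exporter block sets no `listenAddress`, and the NixOS module default binds all interfaces. Depending on firewall rules not visible here, port 9002 may therefore be reachable directly, bypassing the TLS and basic auth that nginx adds in front of it. Since nginx proxies to `127.0.0.1`, adding `listenAddress = "127.0.0.1";` next to `port = 9002;` keeps the exporter reachable only through the proxy. A comment noting that this port is consumed by the nginx `/metrics` location would help whoever changes it later.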


@ -21,9 +21,11 @@
./apps/owncast.nix
./apps/nginx-mastodon.nix
./apps/nginx-mastodon-files.nix
./apps/nginx-prometheus-exporters.nix
./apps/nginx-website.nix
./apps/opensearch.nix
./apps/postgresql.nix
./apps/prometheus-exporters.nix
./apps/searx.nix
./apps/matrix/mautrix-telegram.nix


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw FWuk2kYGB+GfoY3rWfeCosoBOLvUHrH7SR8Fv18o+XI
YyOTULtyOJ3vfAOnYSMzeCCyipJ4Fqrr3PJgRtbElJg
-> ssh-ed25519 iDKjwg Bq6lNuS5MOhsU/7ypHw/E70BktIA+SmN6e3pvrIqRBQ
Xo0OOUXfOkPQfArhqSJyiAkH5lxcJIAO7M5krkCZNfc
-> ssh-ed25519 uYcDNw EfB1B4CSNk8Oe5B7T+KSl9O5OsCrulaLOjR3PBtxpSk
xJxkmBSENc5JosdRiEAC3a41WI6TmTlTxm+lclup+g4
-> ssh-rsa kFDS0A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-> ssh-ed25519 YFSOsg T2OdtA0kY4DqDIxE1QxMV5aCygvKlI5LgXQ+QYYuOko
l0Kzo02jGISCT1zrGf5soXYj7FMVrN/9REF3Zscbmik
-> ssh-ed25519 iHV63A 75daRGD2TQ/mXRsckaH9sGGkHMkLxgHFhn0eDdkDsU8
TXeoLqfU0ywQucPayYoG43Gr56uZoYIWaK9F2YJJ0FM
-> ssh-ed25519 BVsyTA J/xNtG1CAzfoiKPsnWwDp4pId7d3MywXpfhKAmpze3I
8uMO07Se/6krP79flt+XZfjIsw12kWsoD6LqZyLG70M
-> B-grease y3$t@ ; Bs *w
dUrvWB09znCDyvO7RnduMguc9pWTn19q1fc0MHFUXk7WQWns+4kpJIX1qljB5hz/
NPAbNzwMDQKj6awHAth1iFLaEw
--- rI4jrrXCiUpV/EzGsla+lxONmL5/Eel/LODoIM80jcM
˜_°0àÆ7Jˆq•[÷ç<>è'/ù‘õŽi„Ü<E2809E>Òl°mÙ
ÌÂ!JPþ¼>œ… wk¡ž·³¤+ é™)ÚÈPhUÜóç²O=>k=?ÂTÐ


@ -66,4 +66,6 @@ in {
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
"nachtigall-metrics-basic-auth.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
}