From e3d4f61a42caddacffbf50515ad45c790653251e Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 13 Dec 2023 19:18:56 +0100 Subject: [PATCH] feat(nachtigall): send logs to loki, https+basic auth Use caddy as reverse proxy for loki on flora-6, add basic auth Add promtail to nachtigall, push logs to flora-6 --- hosts/flora-6/apps/caddy.nix | 11 ++++ hosts/nachtigall/apps/promtail.nix | 47 ++++++++++++++++ hosts/nachtigall/default.nix | 5 +- ...metrics-prometheus-basic-auth-password.age | 53 ++++++++++--------- secrets/secrets.nix | 2 +- 5 files changed, 90 insertions(+), 28 deletions(-) create mode 100644 hosts/nachtigall/apps/promtail.nix diff --git a/hosts/flora-6/apps/caddy.nix b/hosts/flora-6/apps/caddy.nix index bc6fac3..01847c4 100644 --- a/hosts/flora-6/apps/caddy.nix +++ b/hosts/flora-6/apps/caddy.nix @@ -27,6 +27,17 @@ reverse_proxy :4000 ''; }; + "flora-6.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + basicauth * { + hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. + } + reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} + ''; + }; "grafana.pub.solar" = { logFormat = lib.mkForce '' output discard diff --git a/hosts/nachtigall/apps/promtail.nix b/hosts/nachtigall/apps/promtail.nix new file mode 100644 index 0000000..9f2dfaf --- /dev/null +++ b/hosts/nachtigall/apps/promtail.nix 
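Review bot: The new `flora-6.pub.solar` vhost in caddy.nix forwards every path to Loki, so the single `hakkonaut` credential that nachtigall holds for shipping logs also grants access to Loki's query endpoints and everything stored there. The only client added in this commit posts to `/loki/api/v1/push`; limiting the proxy to that path, e.g. `reverse_proxy /loki/api/v1/push :${toString config.services.loki.configuration.server.http_listen_port}`, would keep a compromised log shipper from reading back logs, assuming nothing else queries Loki through this vhost. Separately, `output discard` on an authenticated endpoint means failed basic-auth attempts leave no access-log trace, so consider keeping request logs for this vhost. The enclosing attribute set starts and ends outside the hunk.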
@@ -0,0 +1,47 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: { + age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { + file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; + mode = "600"; + owner = "promtail"; + }; + + services.promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 9080; + grpc_listen_port = 0; + }; + positions = { + filename = "/tmp/positions.yaml"; + }; + clients = [{ + url = "https://flora-6.pub.solar/loki/api/v1/push"; + basic_auth = { + username = "hakkonaut"; + password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; + }; + }]; + scrape_configs = [{ + job_name = "journal"; + journal = { + max_age = "24h"; + labels = { + job = "systemd-journal"; + host = "nachtigall"; + }; + }; + relabel_configs = [{ + source_labels = [ "__journal__systemd_unit" ]; + target_label = "unit"; + }]; + }]; + }; + }; +} diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 63a5cd5..53137aa 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -18,19 +18,20 @@ ./apps/mastodon.nix ./apps/mediawiki.nix ./apps/nextcloud.nix - ./apps/owncast.nix ./apps/nginx-mastodon.nix ./apps/nginx-mastodon-files.nix ./apps/nginx-prometheus-exporters.nix ./apps/nginx-website.nix ./apps/opensearch.nix + ./apps/owncast.nix ./apps/postgresql.nix ./apps/prometheus-exporters.nix + ./apps/promtail.nix ./apps/searx.nix + ./apps/matrix/irc.nix ./apps/matrix/mautrix-telegram.nix ./apps/matrix/synapse.nix - ./apps/matrix/irc.nix ./apps/nginx-matrix.nix ]; } diff --git a/secrets/nachtigall-metrics-prometheus-basic-auth-password.age b/secrets/nachtigall-metrics-prometheus-basic-auth-password.age index 842b1e9..4ce287c 100644 --- a/secrets/nachtigall-metrics-prometheus-basic-auth-password.age +++ b/secrets/nachtigall-metrics-prometheus-basic-auth-password.age 
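Review bot: In promtail.nix, `filename = "/tmp/positions.yaml";` keeps promtail's read offsets in a directory that is normally emptied on reboot, and possibly on every service start if the unit runs with a private /tmp. After such a restart the journal would be read again from `max_age`, so entries can be duplicated, and anything older than 24h that was not yet shipped is skipped. For logs that may be needed in an investigation, a persistent directory owned by the `promtail` user is safer, for example `filename = "/var/cache/promtail/positions.yaml";` if the unit provides that directory. The `server` block also sets only `http_listen_port = 9080`; unless the firewall already closes that port, adding `http_listen_address = "127.0.0.1";` would keep promtail's own HTTP endpoints off the network.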
@@ -1,27 +1,30 @@ age-encryption.org/v1 --> ssh-ed25519 Y0ZZaw OfW2lm8CNwkA+63jp04bIHztAyLPV+xXQnTw9mzZBxg -E1utDkQScMHCbG5+hnBCHghcHXG1RzFaBZgP8rIqP/0 --> ssh-ed25519 uYcDNw 1ctiOm2nIiOqk9emMqDiEV6A4TogX0QY3i3BpyyRLWQ -8dmOuKM/ojRmv4Lhq8w9EZVmdnfdheLfrms9AqAwqSw +-> ssh-ed25519 Y0ZZaw CxhF1nK1+6OmJb/68UQ4mBIqxGgr8ngkNsL9dfaPN2s +jZ/JBaTCjFcL0SAGVx5ECDanVn4TGt0g2yn2OQOP9iY +-> ssh-ed25519 iDKjwg D/xqqA53Lw2UQJesg27wmK/UNCV+s914mvMlbKN1rhg +AOg0SkPvSotuSHk33zVfRxB0wn67a29YWc/itDUZ/LQ +-> ssh-ed25519 uYcDNw /QdfQUJmBMQZ+KRCst1gA0LqFGvM1K91ZL/RIRP+qBc +Ttksa44OdwLuRmgYPC2rIn+wy/SooRPUq8gQTR+pF0k -> ssh-rsa kFDS0A -RdurPDcUR4Qh49KcgWvZEXSf1cV5CQGZQ0NEaDN86EJmUGWx7lpUZK5EhYIpDMU5 -hC15shUmU1Hij9s0I7K1cQ0M3icpWJYdTmOe2IYjXDNr/Z7SUetI/NgPgV32zhW+ -jLl/NIoofFccFYvwgPbg+/pQcmKYAIl5X4B9Il8Z7a+uTDdCcEkdl0sHlf337mzE -ILPuc4B4tEySaoDAcWzYeUZYOwWkHeZtgV/zxqE1bZzaa7WBqDrOh0/WJhivd2iG -PmTE+yK/hPV9wWeaAMQwL52UJb/TAjFXSi1iNRhtRkmEC6VbyDzMJ25na7ZN76ZH -76HaLffoM9yxCsvnA468vG6jr0MAgtstAgnqpb1DK7KAXCbIYeid2lN3gYo+CD8z -lhs+gxKoZPhw/PhBsqh/O1LYkLCngzC5ydS4VvYQ3CHSU9OAQhAkT6vx8Y+znQxu -wPEKDiEozAcW+flI9vC3Bg+uRCtGPOTufu+2qy6UNesOghbwiB+5BisjJcO3OtGz -SHiN40POpi7GUXe2OZ4XnOxOMbs1RGMec+sB6Nno5dG1Mf6m7Vhe0TsVXWBjX+TP -PuO1LlvUTOYld2xVMYk5intzeIRKljoDgheTf61zO1mwUbI6eMFM+QP9pH3IjETi -a1kxHDIz6HOaTX5aAvYCPVUHmTU8Qq3GbZzFXth8Qbs --> ssh-ed25519 YFSOsg //jm3F459a1AT/e9Yjo0wEXae38rq4Rz3sf/E6nY7m8 -W7K7wOCeIeBQoaf4nj2inerWfr28XMTOo50SrKUi1Sc --> ssh-ed25519 iHV63A iTrGQu1a7GWq1b0+EnaQQwF3xD1b/MJW0FpWYd7tiTg -aOQXaXDMKId6vLhzcm/N0JlqEZgnIXsXQ1b+U7Smahs --> ssh-ed25519 BVsyTA MG1cUHckhKrF9zjyDEAFEPl63ouRDVWlZTXMpQhgpzY -nMZFNhlEFaLmqSdG25AIM2b6rwH11nxzuYrFv7Gw7wQ --> }IFM4v@O-grease 3Dun -Bw ---- E9LsfDYRjoDMTVbL2bfuFEl2mPIyMCZie1YgaMSc0p0 -R1و,'z2΅|~i7^>]+ U|, b3Պ:!rzqǤ \ No newline at end of file +L9MGJFRceqbge3EF/rqXdT13jt9faxP1NmfRB3i2mrTasvCaovc/62bA0UmlsB/9 +Y3hIzo28d6pZRcMm91l6PhWV0M33YNwPQf87vd7klv++1aMIdZ6/jHsQiohIBkRd +4pBe6rrx/lUqEqfQVYUFPfRE50ufkw+hRw/NJCvcBgHgNhhDoeb8keWRPZhhuv0Z 
+f0eP9ORKjeKxjv3tsIPjiE7aqxE1zTdrnSr7FuqklJhMYRdwVv+2ofNEh05hU6pR +VL4AS7d6Di/0dWTWc/Je2ytsrdio2v0rPAUXN1fyTh4AtrAmGQzUXNWnr4sB5xH9 +QlL0Ea3IwndJSDNkqc4qI3JL0vx6QMUbsuNcMmVWSMkODP+gNQYXQNbnwNfeMAnE +V++WBfyrA8+V+ES+usqeWoOXjApzShn+gnrV0DHHXDAzNR+M647rQcsLePSyNjf/ +NKd7Z8VfEq7m65AxmSHPezSGdICMf63WLG/Bffj9rWiQxaoiayGF8jbALpXlu93X +txOw8pK7zA8xFEBujmkrDPH3sJFPLOgOMYa0uuCMbrCGxeJ34nuQMhSUTamESSXb +AD3AgUrRvte1iXwy2PoZGolRLZfdq9zcAfFyq9KvIhvz/8b2F+KbqHQlAiKVPw8p +XQo4sXcDAmF251WSCJGN1C6Doxj/6XLuWILbkobQqoI +-> ssh-ed25519 YFSOsg FtIvWeEXI9blJIFAWMacXgPym5ePGXsuiOR+Gh3b3R8 +0rp/NIu4kCCt05Is2+eRdUmgNX8QPMsDPhZWIejnBDA +-> ssh-ed25519 iHV63A 85G1w54UHS/gFcLvsXyYLPXvLHkJl3YQCi8ehb+ZrU8 +lXDaMXlPw5ohaaYpiEkCNAmE2tJ2824ydmp9EakPtD8 +-> ssh-ed25519 BVsyTA XimcaonVCGGyyCfn3BSX/a7zjJkWeaVY/xAcdNDrl1U +RaqpXzUd54qrkYYRbRTUclTpZdZx2us42lkP6wBxjBM +-> CWM8^B-grease +HvBgzYx54YVP0M6pk1bp9qegLscQ4tHIV9DZhr7jnrW41adgY0D39wnE2IgIRc6g +keRHAr7QVqdPy/kr+u0GwQ1MGFKI8Jss8vRxKwv/UgQfmg +--- dJWXhQRYjxWchTW1u3TrF7KvQIOdrOvkEC7oUtFcGeE +l>qTFޮ/@t\&Z :@ KxrHK ĦEb0֗5m/ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6944a90..712839d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -68,5 +68,5 @@ in { "grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys; "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys; - "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ baseKeys; + "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys; }
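Review bot: Adding `nachtigallKeys` to `nachtigall-metrics-prometheus-basic-auth-password.age` in secrets.nix lets nachtigall decrypt a secret that until now only `flora6Keys` and `baseKeys` could read, and promtail.nix reuses it as the Loki push password. If the same value still authenticates Prometheus scraping, as the name suggests, one leaked password now covers both paths and neither can be rotated independently. A dedicated entry would separate them and need fewer recipients, e.g. `"nachtigall-loki-basic-auth-password.age".publicKeys = nachtigallKeys ++ baseKeys;` (the file name is only a suggestion), with the bcrypt hash in caddy.nix regenerated from the new value. The attribute set begins above the hunk.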