feat(nachtigall): send logs to loki, https+basic auth

Use caddy as reverse proxy for loki on flora-6, add basic auth

Add promtail to nachtigall, push logs to flora-6

hosts/flora-6/apps/caddy.nix

@@ -27,6 +27,17 @@
           reverse_proxy :4000
         '';
       };
+      "flora-6.pub.solar" = {
+        logFormat = lib.mkForce ''
+          output discard
+        '';
+        extraConfig = ''
+          basicauth * {
+	    hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
+          }
+          reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
+        '';
+      };
       "grafana.pub.solar" = {
         logFormat = lib.mkForce ''
           output discard

hosts/nachtigall/apps/promtail.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  flake,
+  ...
+}: {
+  age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
+    file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
+    mode = "600";
+    owner = "promtail";
+  };
+
+  services.promtail = {
+    enable = true;
+    configuration = {
+      server = {
+        http_listen_port = 9080;
+        grpc_listen_port = 0;
+      };
+      positions = {
+        filename = "/tmp/positions.yaml";
+      };
+      clients = [{
+        url = "https://flora-6.pub.solar/loki/api/v1/push";
+        basic_auth = {
+          username = "hakkonaut";
+          password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
+        };
+      }];
+      scrape_configs = [{
+        job_name = "journal";
+        journal = {
+          max_age = "24h";
+          labels = {
+            job = "systemd-journal";
+            host = "nachtigall";
+          };
+        };
+        relabel_configs = [{
+          source_labels = [ "__journal__systemd_unit" ];
+          target_label = "unit";
+        }];
+      }];
+    };
+  };
+}

hosts/nachtigall/default.nix

@@ -18,19 +18,20 @@
       ./apps/mastodon.nix
       ./apps/mediawiki.nix
       ./apps/nextcloud.nix
-      ./apps/owncast.nix
       ./apps/nginx-mastodon.nix
       ./apps/nginx-mastodon-files.nix
       ./apps/nginx-prometheus-exporters.nix
       ./apps/nginx-website.nix
       ./apps/opensearch.nix
+      ./apps/owncast.nix
       ./apps/postgresql.nix
       ./apps/prometheus-exporters.nix
+      ./apps/promtail.nix
       ./apps/searx.nix
 
+      ./apps/matrix/irc.nix
       ./apps/matrix/mautrix-telegram.nix
       ./apps/matrix/synapse.nix
-      ./apps/matrix/irc.nix
       ./apps/nginx-matrix.nix
     ];
 }

secrets/nachtigall-metrics-prometheus-basic-auth-password.age

@@ -1,27 +1,30 @@
 age-encryption.org/v1
--> ssh-ed25519 Y0ZZaw OfW2lm8CNwkA+63jp04bIHztAyLPV+xXQnTw9mzZBxg
+-> ssh-ed25519 Y0ZZaw CxhF1nK1+6OmJb/68UQ4mBIqxGgr8ngkNsL9dfaPN2s
-E1utDkQScMHCbG5+hnBCHghcHXG1RzFaBZgP8rIqP/0
+jZ/JBaTCjFcL0SAGVx5ECDanVn4TGt0g2yn2OQOP9iY
--> ssh-ed25519 uYcDNw 1ctiOm2nIiOqk9emMqDiEV6A4TogX0QY3i3BpyyRLWQ
+-> ssh-ed25519 iDKjwg D/xqqA53Lw2UQJesg27wmK/UNCV+s914mvMlbKN1rhg
-8dmOuKM/ojRmv4Lhq8w9EZVmdnfdheLfrms9AqAwqSw
+AOg0SkPvSotuSHk33zVfRxB0wn67a29YWc/itDUZ/LQ
+-> ssh-ed25519 uYcDNw /QdfQUJmBMQZ+KRCst1gA0LqFGvM1K91ZL/RIRP+qBc
+Ttksa44OdwLuRmgYPC2rIn+wy/SooRPUq8gQTR+pF0k
 -> ssh-rsa kFDS0A
-RdurPDcUR4Qh49KcgWvZEXSf1cV5CQGZQ0NEaDN86EJmUGWx7lpUZK5EhYIpDMU5
+L9MGJFRceqbge3EF/rqXdT13jt9faxP1NmfRB3i2mrTasvCaovc/62bA0UmlsB/9
-hC15shUmU1Hij9s0I7K1cQ0M3icpWJYdTmOe2IYjXDNr/Z7SUetI/NgPgV32zhW+
+Y3hIzo28d6pZRcMm91l6PhWV0M33YNwPQf87vd7klv++1aMIdZ6/jHsQiohIBkRd
-jLl/NIoofFccFYvwgPbg+/pQcmKYAIl5X4B9Il8Z7a+uTDdCcEkdl0sHlf337mzE
+4pBe6rrx/lUqEqfQVYUFPfRE50ufkw+hRw/NJCvcBgHgNhhDoeb8keWRPZhhuv0Z
-ILPuc4B4tEySaoDAcWzYeUZYOwWkHeZtgV/zxqE1bZzaa7WBqDrOh0/WJhivd2iG
+f0eP9ORKjeKxjv3tsIPjiE7aqxE1zTdrnSr7FuqklJhMYRdwVv+2ofNEh05hU6pR
-PmTE+yK/hPV9wWeaAMQwL52UJb/TAjFXSi1iNRhtRkmEC6VbyDzMJ25na7ZN76ZH
+VL4AS7d6Di/0dWTWc/Je2ytsrdio2v0rPAUXN1fyTh4AtrAmGQzUXNWnr4sB5xH9
-76HaLffoM9yxCsvnA468vG6jr0MAgtstAgnqpb1DK7KAXCbIYeid2lN3gYo+CD8z
+QlL0Ea3IwndJSDNkqc4qI3JL0vx6QMUbsuNcMmVWSMkODP+gNQYXQNbnwNfeMAnE
-lhs+gxKoZPhw/PhBsqh/O1LYkLCngzC5ydS4VvYQ3CHSU9OAQhAkT6vx8Y+znQxu
+V++WBfyrA8+V+ES+usqeWoOXjApzShn+gnrV0DHHXDAzNR+M647rQcsLePSyNjf/
-wPEKDiEozAcW+flI9vC3Bg+uRCtGPOTufu+2qy6UNesOghbwiB+5BisjJcO3OtGz
+NKd7Z8VfEq7m65AxmSHPezSGdICMf63WLG/Bffj9rWiQxaoiayGF8jbALpXlu93X
-SHiN40POpi7GUXe2OZ4XnOxOMbs1RGMec+sB6Nno5dG1Mf6m7Vhe0TsVXWBjX+TP
+txOw8pK7zA8xFEBujmkrDPH3sJFPLOgOMYa0uuCMbrCGxeJ34nuQMhSUTamESSXb
-PuO1LlvUTOYld2xVMYk5intzeIRKljoDgheTf61zO1mwUbI6eMFM+QP9pH3IjETi
+AD3AgUrRvte1iXwy2PoZGolRLZfdq9zcAfFyq9KvIhvz/8b2F+KbqHQlAiKVPw8p
-a1kxHDIz6HOaTX5aAvYCPVUHmTU8Qq3GbZzFXth8Qbs
+XQo4sXcDAmF251WSCJGN1C6Doxj/6XLuWILbkobQqoI
--> ssh-ed25519 YFSOsg //jm3F459a1AT/e9Yjo0wEXae38rq4Rz3sf/E6nY7m8
+-> ssh-ed25519 YFSOsg FtIvWeEXI9blJIFAWMacXgPym5ePGXsuiOR+Gh3b3R8
-W7K7wOCeIeBQoaf4nj2inerWfr28XMTOo50SrKUi1Sc
+0rp/NIu4kCCt05Is2+eRdUmgNX8QPMsDPhZWIejnBDA
--> ssh-ed25519 iHV63A iTrGQu1a7GWq1b0+EnaQQwF3xD1b/MJW0FpWYd7tiTg
+-> ssh-ed25519 iHV63A 85G1w54UHS/gFcLvsXyYLPXvLHkJl3YQCi8ehb+ZrU8
-aOQXaXDMKId6vLhzcm/N0JlqEZgnIXsXQ1b+U7Smahs
+lXDaMXlPw5ohaaYpiEkCNAmE2tJ2824ydmp9EakPtD8
--> ssh-ed25519 BVsyTA MG1cUHckhKrF9zjyDEAFEPl63ouRDVWlZTXMpQhgpzY
+-> ssh-ed25519 BVsyTA XimcaonVCGGyyCfn3BSX/a7zjJkWeaVY/xAcdNDrl1U
-nMZFNhlEFaLmqSdG25AIM2b6rwH11nxzuYrFv7Gw7wQ
+RaqpXzUd54qrkYYRbRTUclTpZdZx2us42lkP6wBxjBM
--> }IFM4v@O-grease 3Dun
+-> CWM8^B-grease
-Bw
+HvBgzYx54YVP0M6pk1bp9qegLscQ4tHIV9DZhr7jnrW41adgY0D39wnE2IgIRc6g
---- E9LsfDYRjoDMTVbL2bfuFEl2mPIyMCZie1YgaMSc0p0
+keRHAr7QVqdPy/kr+u0GwQ1MGFKI8Jss8vRxKwv/UgQfmg
-¶R¤1Ùˆ,'zåêÀ2Î…|~‹’¤i7Ÿ^¾ú>¡]+
U”áØ|<1D>,¶b¥ø 3ÕŠ:å!îÓârzèòqǤ
+--- dJWXhQRYjxWchTW1u3TrF7KvQIOdrOvkEC7oUtFcGeE
+l>qTðFÞ®/®â
@tË\Å&Zò	êÄ:„Þ@ òÚKÏx©ªr¾áHKûĦEûb0ÊÖ—5Ëm¸/

secrets/secrets.nix

@@ -68,5 +68,5 @@ in {
   "grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
 
   "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys;
-  "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ baseKeys;
+  "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
 }