garage: add monitoring, connect to grafana + loki

https://garagehq.deuxfleurs.fr/documentation/reference-manual/monitoring/
wireguard: add trinkgenossin, delite, blue-shell
2024-08-25 00:15:06 +02:00 · 2024-08-25 00:13:53 +02:00 · 2024-08-24 21:48:48 +02:00
22 changed files with 1523 additions and 14 deletions
--- a/flake.nix
+++ b/flake.nix
@ -139,15 +139,15 @@
              sshUser = username;
            };
            trinkgenossin = {
-              #hostname = "trinkgenossin.wg.pub.solar";
+              hostname = "trinkgenossin.wg.pub.solar";
              sshUser = username;
            };
            delite = {
-              #hostname = "delite.wg.pub.solar";
+              hostname = "delite.wg.pub.solar";
              sshUser = username;
            };
            blue-shell = {
-              #hostname = "delite.wg.pub.solar";
+              hostname = "blue-shell.wg.pub.solar";
              sshUser = username;
            };
          };
--- a/hosts/blue-shell/configuration.nix
+++ b/hosts/blue-shell/configuration.nix
@ -12,8 +12,6 @@
    "ip=dhcp"
  ];

-  services.openssh.openFirewall = true;
-
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
--- a/hosts/blue-shell/default.nix
+++ b/hosts/blue-shell/default.nix
@ -7,7 +7,7 @@
    ./disk-config.nix

    ./networking.nix
-    #./wireguard.nix
+    ./wireguard.nix
    #./backups.nix
  ];
 }
--- a/hosts/blue-shell/wireguard.nix
+++ b/hosts/blue-shell/wireguard.nix
@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+let
+  wireguardIPv4 = "10.7.6.7";
+  wireguardIPv6 = "fd00:fae:fae:fae:fae:7::";
+in
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/blue-shell-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "${wireguardIPv4}/32"
+        "${wireguardIPv6}/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # flora-6.pub.solar
+          endpoint = "80.71.153.210:51820";
+          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          allowedIPs = [
+            "10.7.6.2/32"
+            "fd00:fae:fae:fae:fae:2::/96"
+          ];
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = wireguardIPv4;
+      port = 22;
+    }
+    {
+      addr = "[${wireguardIPv6}]";
+      port = 22;
+    }
+  ];
+}
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -96,10 +96,11 @@
          self.nixosModules.overlays
          self.nixosModules.unlock-luks-on-boot
          self.nixosModules.core
-          #self.nixosModules.prometheus-exporters
-          #self.nixosModules.promtail
+          self.nixosModules.prometheus-exporters
+          self.nixosModules.promtail

          self.nixosModules.garage
+          self.nixosModules.nginx
        ];
      };

@ -116,6 +117,7 @@
          #self.nixosModules.promtail

          self.nixosModules.garage
+          self.nixosModules.nginx
        ];
      };

@ -132,6 +134,7 @@
          #self.nixosModules.promtail

          self.nixosModules.garage
+          self.nixosModules.nginx
        ];
      };
    };
--- a/hosts/delite/configuration.nix
+++ b/hosts/delite/configuration.nix
@ -12,8 +12,6 @@
    "ip=dhcp"
  ];

-  services.openssh.openFirewall = true;
-
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
--- a/hosts/delite/default.nix
+++ b/hosts/delite/default.nix
@ -7,7 +7,7 @@
    ./disk-config.nix

    ./networking.nix
-    #./wireguard.nix
+    ./wireguard.nix
    #./backups.nix
  ];
 }
--- a/hosts/delite/wireguard.nix
+++ b/hosts/delite/wireguard.nix
@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+let
+  wireguardIPv4 = "10.7.6.6";
+  wireguardIPv6 = "fd00:fae:fae:fae:fae:6::";
+in
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/delite-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "${wireguardIPv4}/32"
+        "${wireguardIPv6}/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # flora-6.pub.solar
+          endpoint = "80.71.153.210:51820";
+          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          allowedIPs = [
+            "10.7.6.2/32"
+            "fd00:fae:fae:fae:fae:2::/96"
+          ];
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = wireguardIPv4;
+      port = 22;
+    }
+    {
+      addr = "[${wireguardIPv6}]";
+      port = 22;
+    }
+  ];
+}
--- a/hosts/flora-6/wireguard.nix
+++ b/hosts/flora-6/wireguard.nix
@ -47,6 +47,33 @@
            "fd00:fae:fae:fae:fae:4::/96"
          ];
        }
+        {
+          # trinkgenossin.pub.solar
+          endpoint = "85.215.152.22:51820";
+          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
+          allowedIPs = [
+            "10.7.6.5/32"
+            "fd00:fae:fae:fae:fae:5::/96"
+          ];
+        }
+        {
+          # delite.pub.solar
+          endpoint = "5.255.119.132:51820";
+          publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
+          allowedIPs = [
+            "10.7.6.6/32"
+            "fd00:fae:fae:fae:fae:6::/96"
+          ];
+        }
+        {
+          # blue-shell.pub.solar
+          endpoint = "194.13.83.205:51820";
+          publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
+          allowedIPs = [
+            "10.7.6.7/32"
+            "fd00:fae:fae:fae:fae:7::/96"
+          ];
+        }
      ];
    };
  };
--- a/hosts/trinkgenossin/configuration.nix
+++ b/hosts/trinkgenossin/configuration.nix
@ -14,8 +14,6 @@
    "ip=dhcp"
  ];

-  services.openssh.openFirewall = true;
-
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
--- a/hosts/trinkgenossin/default.nix
+++ b/hosts/trinkgenossin/default.nix
@ -6,7 +6,7 @@
    ./configuration.nix

    ./networking.nix
-    #./wireguard.nix
+    ./wireguard.nix
    #./backups.nix
  ];
 }
--- a/hosts/trinkgenossin/wireguard.nix
+++ b/hosts/trinkgenossin/wireguard.nix
@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+let
+  wireguardIPv4 = "10.7.6.5";
+  wireguardIPv6 = "fd00:fae:fae:fae:fae:5::";
+in
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/trinkgenossin-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "${wireguardIPv4}/32"
+        "${wireguardIPv6}/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # flora-6.pub.solar
+          endpoint = "80.71.153.210:51820";
+          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          allowedIPs = [
+            "10.7.6.2/32"
+            "fd00:fae:fae:fae:fae:2::/96"
+          ];
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = wireguardIPv4;
+      port = 22;
+    }
+    {
+      addr = "[${wireguardIPv6}]";
+      port = 22;
+    }
+  ];
+}
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@ -16,12 +16,77 @@
    mode = "400";
  };

+  age.secrets."acme-namecheap-env" = {
+    file = "${flake.self}/secrets/acme-namecheap-env.age";
+    mode = "400";
+  };
+
  networking.firewall.allowedTCPPorts = [
    3900
    3901
    3902
  ];

+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [
+    3903
+  ];
+
+  security.acme = {
+    defaults = {
+      environmentFile = config.age.secrets.acme-namecheap-env.path;
+    };
+    certs = {
+      # Wildcard certificate gets created automatically
+      "buckets.${config.pub-solar-os.networking.domain}" = {
+        # disable http challenge
+        webroot = null;
+        # enable dns challenge
+        dnsProvider = "namecheap";
+        dnsPropagationCheck = false;
+      };
+      # Wildcard certificate gets created automatically
+      "web.${config.pub-solar-os.networking.domain}" = {
+        # disable http challenge
+        webroot = null;
+        # enable dns challenge
+        dnsProvider = "namecheap";
+        dnsPropagationCheck = false;
+      };
+    };
+  };
+
+  services.nginx = {
+    upstreams.s3_backend.servers = {
+      "[::1]:3900" = { };
+    };
+    upstreams.web_backend.servers = {
+      "[::1]:3902" = { };
+    };
+    virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
+      serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"];
+
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://s3_backend";
+        extraConfig = ''
+          proxy_max_temp_file_size 0;
+        '';
+      };
+    };
+    virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
+      serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"];
+
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://web_backend";
+      };
+    };
+  };
+
  services.garage = {
    enable = true;
    package = pkgs.garage_1_0_0;
@ -42,6 +107,9 @@
        root_domain = ".web.${config.pub-solar-os.networking.domain}";
        index = "index.html";
      };
+      admin = {
+        api_bind_addr = "[::]:3903";
+      };
    };
  };

--- a/modules/grafana/default.nix
+++ b/modules/grafana/default.nix
@ -33,6 +33,11 @@
      group = "grafana";
      user = "grafana";
    };
+    "grafana-dashboards/grafana-garage-dashboard-prometheus.json" = {
+      source = ./grafana-dashboards/grafana-garage-dashboard-prometheus.json;
+      group = "grafana";
+      user = "grafana";
+    };
  };

  services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
--- a/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json
+++ b/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@ -69,6 +69,14 @@
              instance = "tankstelle";
            };
          }
+          {
+            targets = [
+              "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+            ];
+            labels = {
+              instance = "trinkgenossin";
+            };
+          }
        ];
      }
      {
@ -83,6 +91,18 @@
          }
        ];
      }
+      {
+        job_name = "garage";
+        static_configs = [
+          {
+            targets = [
+              "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:3903"
+              "delite.wg.${config.pub-solar-os.networking.domain}:3903"
+              "blue-shell.wg.${config.pub-solar-os.networking.domain}:3903"
+            ];
+          }
+        ];
+      }
    ];

    ruleFiles = [
--- a/secrets/acme-namecheap-env.age
+++ b/secrets/acme-namecheap-env.age
--- a/secrets/blue-shell-wg-private-key.age
+++ b/secrets/blue-shell-wg-private-key.age
@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 eP5MMw xAObv9OBtCMHWnbnO9b9w5fiG3tkJJTvjFNWmYmGfhQ
+sXmgq1drzY3rap8aD8/iMbMgjGkajfENkBQDdK/2TKQ
+-> ssh-ed25519 uYcDNw sxw3K1xYG+OZQy+4U2UfX//ZElPaCieANzFHanJxfxw
+VyhqjYppfHVb2jTceXLL/yYwEJE2uD9TY4PliHu7c0E
+-> ssh-rsa f5THog
+hRIMIg4P7SOOS3IGr2vF/TAdvgAXjJ8CbjKQt+Bd8MUjxf769rD3bln3lF3DlfIU
+RMkicdnwRdWTnqp+HyV0/UsD4ZzVb0YY+ntK6wujqgEwhpef9NOE2Hsiyvv228l5
+pu6eUTrosmb0ysnw8zRmr4RYdv1+MsD9gbnLOnnuHkA+i28jAE6o4gXIdnKfDcIk
+ptJISTFwyzz+q8UvdfO4YGRBL4zSoWM5VEQS0IPjrt4+qBlOyC2IlXz1/aaGZk41
+ODgPUO68USpzFsLqsmRJJQOMxxkdnYWy4DoeHKUyZI4YO0t94zVEHIS3x6w2l+/Q
+9r7TdKXxniLFYW9t5+28ez5XfLruapXroA8kp2hy3S7ybuOyB2MIfCXVvK0kiOfw
+2kZnv7LvL4BLUMtgPKoAxj8Pzpi8HzFGxQudqNwSkjb4bvFg8eej0oP/WhvFalsY
+MGSdlFJkKKeLWh8MzmD2WXHJ5yVcRFHydyWGMHlZJ4soi0I3gTSQaNSPUxWtFSd3
+Trk3Jz4Qrd7EA6y6wn2Jc4xCX+cWb8Q3nrXVZJL/FSxss+zstQit5O3BwWupJQLt
+ubyqLxQI/PKP/gIU8sGhwKDWGjZUlwvjPBG+EdWJAxoI7S7+4UxkGgsNvx67VKgi
+xxz3ANlHPbGLgAZTtEk5AqHWLWE6ZRn/7i3Qv1HWZJ4
+-> ssh-rsa kFDS0A
+OqNv7KThlRd0aD1gixsI2LVb+Zj2r7OVm4lUD/UJ0WVe/ihlcBAeEj8noqNA3zgH
+djO53WpAkGrbt8CejuQcPYLyw8Bdk++cBu9Po+X0dAp2cCPqakgIpEI6qG1uiEty
+LOOF13TivCB802UrJmX/8HLDV3yv7IWIr2XV0V8s5UvasYlgCt1eg4suhXIngnJG
+wd7WFnXwtNtR/UcnWtpE8c6p5kaAn4wSAtx6hFqnkN5ANjKXHy29NkFR1Lgu55OU
+qoJPpcZpvEESYMQfPvfuCUSZgcSvJE8B1MJZzxdKBHFiaWa7BkkWOL2KNIARFji5
+nBrGzGLV9IaHWsS0UfIWixvM3OPl4wgwpdLtVJsnLX/ggFZrZmj+iR5DdqurfW7E
+0a8Ie1NKK7FU+HnzEk6+8aiDb0QozEhrmaE5olc8dBOKK13e1idDTCsquaQcSOEh
+DBP8r0LhqU7YwnNF6UpQiYs3Zs2HyPegfz2GwB3yeaHqc7+MnXm/j4B5qUcX5naz
+llQoNfddAtoXGeK3G0yjugkSluValw6o2hQ+4iRx4n1f3dVcurXkBr9fjCKMmjC4
+qbOHhsBU4dHCvFIOXY27Xvq5qZ4/ceNb6fq/NXvkD87eePMLg9R9hmtTaCDlEN2d
+a350/FxlWOZXEox+mRZhE+mE5qSIg+LbnFZ+zjWq+yc
+-> piv-p256 vRzPNw AzwIBCtS5Tx/zuFHRYsYSOffxAE79O5foV+ndpw0hR1t
+HDmWtvUS9wSnlNjbkD0Rc0jQ4tNhqpcqpeztW1GXC3g
+-> piv-p256 zqq/iw Av5ZYxbCJrjUImhX7hoO8nxtWEtd7mPWhofwCxtW5GNI
+tB/mFmw4U2NbeDKdasi/Z99VggQYhnv6+n9+VJekq/k
+-> ssh-ed25519 YFSOsg nl0SHBFBylYgoy4qrZ851AQ6NLuDpXtIQ5WffqQPckU
+/yk/gT3enujLcjHkYuE0XGUDrYUEEzvyPvIlKhHtf5c
+-> ssh-ed25519 iHV63A 2Gq6dIvLDJQmwgQwxhqrPpubkToiseczLkobeCZiOSA
+IXddfsh84BrA0v6X/SjqoFbUfJfw3v+zD3Dk5RdsfAE
+-> ssh-ed25519 BVsyTA 9oRVFqCqPoQ35/u+Cg4dPkG4eXw7vSRaPwhel430TGE
+C54Ofc94lPFMGLljqY4Ag0AhM/MHWeZjZ6x1fmyMmqI
+-> ssh-ed25519 +3V2lQ 2g1xRrQZy30nCaDq6RtfXQfUchtD8oOnmGYX+A2venQ
+oop5rNpGKvTUOLGN2HGc7B63H/8XYrhO+XsCjsKfPgA
+--- cMgwwO4kfMX17njkjYczc4R6FVRwC+cpK37g2cFAapc
+È
`Ñ<>Xéø¶Ó“¡;êR…Vàâ]tbM"N4×Éa§êš/æI×pšBâ7Qòe‡MÑ
§ºÀnpÊ±£†ç2Å}Éz-R4E<34>‚(éÀN
--- a/secrets/delite-wg-private-key.age
+++ b/secrets/delite-wg-private-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -21,6 +21,12 @@ let

  metronomKeys = [ metronom-host ];

+  trinkgenossinKeys = [ trinkgenossin-host ];
+
+  deliteKeys = [ delite-host ];
+
+  blueshellKeys = [ blue-shell-host ];
+
  garageKeys = [
    trinkgenossin-host
    delite-host
@ -35,6 +41,9 @@ in
  "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys;
  "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
  "metronom-wg-private-key.age".publicKeys = metronomKeys ++ adminKeys;
+  "trinkgenossin-wg-private-key.age".publicKeys = trinkgenossinKeys ++ adminKeys;
+  "delite-wg-private-key.age".publicKeys = deliteKeys ++ adminKeys;
+  "blue-shell-wg-private-key.age".publicKeys = blueshellKeys ++ adminKeys;

  "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
  "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
@ -100,4 +109,6 @@ in
  # garage
  "garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys;
  "garage-admin-token.age".publicKeys = garageKeys ++ adminKeys;
+
+  "acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys;
 }
--- a/secrets/trinkgenossin-wg-private-key.age
+++ b/secrets/trinkgenossin-wg-private-key.age
@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 NID4eA Q3E8hBMDQRxoJx6UGzECMZmkffdgyYlhGaloKFNmxw0
+37DKT5sgmAEritSoPuW+O5dvjCH23pOAdFyJG0TnY6w
+-> ssh-ed25519 uYcDNw zgfSabCBntiTnc0fdfDzpkq/AwUXSpyvsA14gkatP3w
+tLbZDE6UB/xvC153mSGcGSSWKH+Ph1Ek5D+JTrWjzdk
+-> ssh-rsa f5THog
+0THw5q/Aa/wCzfqO/9YFBOvSfISS/O2cMHBlQ7NXzF2hlj+hzGjJeL2USmL8iZ7X
+YToH0oy8lreVRYxfi/LUMyg14hQf11hTekT/sKc8m5eBm+8WiHbWJsQJKdRg6WVO
+B2Ju+3QIZXBk7ajCIcVjgoJQy1JydXm5YQkZnI69icdtAEnYSEoVEpaPHkT7Et65
+UUC/eegltWFSeJl4bzgceVXO3VtszoG/KkL7ToT2WX2Hbnb4R3U8cWLOTr4I6hzM
+90h6mNaorm3bd5fysOoU3G531/eAqcC7QZQQGyCOEBBHgx0w32ZKpjqu8q8c/f0M
+VMOgE0JfK4/iB5E3dwGqRZ2G8iXu/cx0CQY98YAFCDOYExMsQzFXzqKq8KecVd+g
+vaj598KJFxYskwrkGNXwIds2lPCte3HIa9XcGeQ4svaLYdQw5zsSIF32zOwAbxRn
+1ABzp/T7V3BYyykJbeJi3UMoHUo3nsq75xClmXRnlTvQ7I0x62DrXdMNE9tJtqAF
+lVUeD7gKlDPmYMK0QKbxFHYTVbdJ3d7UbJUgb2SxHpm5I8J7Wx29p6gLN7+swdIg
+y0Z8+qcABkeVHQ9OWwV0XYdMdLFovnc0pDAEvHL4rxv3E8W2Nv2mm0xW7I4HcG0
+h9uJ2lU4mn60YqBtso/cu+LzUHIPcHji5sRK8/qu+Tg
+-> ssh-rsa kFDS0A
+kXXvKZebwQLFofayT/0SFzdFl0e8xQbUJf+q47YHmPMlJY7nsQBs1fvmQsp7fsfW
+TRdh14uVImErEQsuqNYgYDR/jBUVtRkySOXde8Q9QM/CZwwR7NMu8P2vBzZ6uXKL
+amlZS8iYXWJKRgmxsgiONFZwfcB9TWhaDYsmeqFxV6ui2LGgtCBllttYzvyVNWZI
+NXMg0bbkLd+I2svBSBX/p8rECxq5gUmr8PB2k+yrHuXJvnR8Hop7YjvbrC2qSy5r
+6OOTButBV7cILTf03DPvd3f61uUqm/NapxN4UdEZDTmOYud2dF8Eqw+BCNIT2wZr
+/KD49ElPlcWM8cCxBGaSTTT66mP3FWwIcCZVfdVrhf//TN/SAo+lcoN7m/p9Uj0i
+Y5nM3JR7ZuiLHfXu+fTHBiWnWBtLkPYUDlGIGlFGinMQwi4CMqoUY7jROdjHuPkt
+S0VK2ViRxBB5Z5tQSnL02+TNsDd+CDURRiBgWfdmk1kkh9o2SrSiGcxCV03UVEaE
+4Q07ZjKJF9HeC6goK+QjSOvLHS2qHyJznUty7nAiAS+yPDlq6m13/dFTvFii7H2h
+UJ+5MJcVHLd6VQhzjmwTQXCrbTn/FI2LkZgR4HPRFDElkmnMUV1NU/2gkwm7Z0gu
+RaEAuYMoKZNBQ6eQgANst+LFA7ctwpz/d0PB8Gvjf6g
+-> piv-p256 vRzPNw AmCpZNeI8ggIr211niro2CalG6ELXYubjXj2J01eSwL+
+IPXLB01UKFj7tptbB7FmNbbjDGrqbEoizjNzzJvNsXs
+-> piv-p256 zqq/iw Auwb+rr9JfTX9VoTKaDobEGFPIwJZUFAMolG8SvZ5ix6
+e5IWW7Sxy1T2F0Ykm1tKQIvGGJFODIrNdvrCKREvrI
+-> ssh-ed25519 YFSOsg 5Eeo3PIUgfRgPrY/eR6aps8UB2NNNr9YJswZ5mPj5Fk
+cN4Dwp+ZFN8UCptfVsAp3iGesYhry7umwGc77jom2Vo
+-> ssh-ed25519 iHV63A RMH4ezLwPxlf9cLgFlWSrGMDdlySpIr22O3Nr4ESgkg
+8Ll31aL8PCOFp5+TIhv7qYVzjnBMepWJSlT6PGBMtdM
+-> ssh-ed25519 BVsyTA 9yQZMVRpIitqx4ggP9pswC2VBmtKHR8FqIiLAq6wdCs
+g/dA5SXBUNyLFGuOEVwsPIu2sEyAS4y+5RlccymLfL0
+-> ssh-ed25519 +3V2lQ unqrENNB2tJvICc/nAi31TZ8c7ilbFreww51f/Mi4nQ
+y7QWtFtEUq8elK+Q2HxpGav3nx3dxDQd5ikn9DpIJ20
+--- SJo44grQsKFl8WMnva4kMp88kMZ9D3EWnm3mN0Oe15c
+~°ÙìÚŒxÌ†Il`<60>u²”˜ôÿÁÙ@«Ž'B#ÅRaˆÙ£;«ã(»ÃÎïŠ<C3AF>Šò˜åŽ³&G3<Q<>sH‰ª~Gò)½¡®
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@ -24,6 +24,21 @@ resource "namecheap_domain_records" "pub-solar" {
    type     = "A"
    address  = "10.7.6.4"
  }
+  record {
+    hostname = "trinkgenossin.wg"
+    type     = "A"
+    address  = "10.7.6.5"
+  }
+  record {
+    hostname = "delite.wg"
+    type     = "A"
+    address  = "10.7.6.6"
+  }
+  record {
+    hostname = "blue-shell.wg"
+    type     = "A"
+    address  = "10.7.6.7"
+  }
  record {
    hostname = "nachtigall.wg"
    type     = "AAAA"
@ -44,6 +59,21 @@ resource "namecheap_domain_records" "pub-solar" {
    type     = "AAAA"
    address  = "fd00:fae:fae:fae:fae:4::"
  }
+  record {
+    hostname = "trinkgenossin.wg"
+    type     = "AAAA"
+    address  = "fd00:fae:fae:fae:fae:5::"
+  }
+  record {
+    hostname = "delite.wg"
+    type     = "AAAA"
+    address  = "fd00:fae:fae:fae:fae:6::"
+  }
+  record {
+    hostname = "blue-shell.wg"
+    type     = "AAAA"
+    address  = "fd00:fae:fae:fae:fae:7::"
+  }
  record {
    hostname = "flora-6"
    type     = "A"
@ -99,6 +129,51 @@ resource "namecheap_domain_records" "pub-solar" {
    type     = "A"
    address  = "80.71.153.210"
  }
+  record {
+    hostname = "buckets"
+    type     = "A"
+    address  = "85.215.152.22"
+  }
+  record {
+    hostname = "buckets"
+    type     = "A"
+    address  = "5.255.119.132"
+  }
+  record {
+    hostname = "buckets"
+    type     = "A"
+    address  = "194.13.83.205"
+  }
+  record {
+    hostname = "buckets"
+    type     = "AAAA"
+    address  = "2a01:239:35d:f500::1"
+  }
+  record {
+    hostname = "buckets"
+    type     = "AAAA"
+    address  = "2a04:52c0:124:9d8c::2"
+  }
+  record {
+    hostname = "buckets"
+    type     = "AAAA"
+    address  = "2a03:4000:43:24e::1"
+  }
+  record {
+    hostname = "*.buckets"
+    type     = "CNAME"
+    address  = "buckets.pub.solar."
+  }
+  record {
+    hostname = "web"
+    type     = "CNAME"
+    address  = "buckets.pub.solar."
+  }
+  record {
+    hostname = "*.web"
+    type     = "CNAME"
+    address  = "buckets.pub.solar."
+  }
  record {
    hostname = "tankstelle"
    type     = "A"
Author	SHA1	Message	Date
teutat3s	d0c587d142	garage: add monitoring, connect to grafana + loki Some checks failed Flake checks / Check (pull_request) Failing after 22s Details https://garagehq.deuxfleurs.fr/documentation/reference-manual/monitoring/	2024-08-25 00:15:06 +02:00
teutat3s	d32abd7a7f	wireguard: add trinkgenossin, delite, blue-shell	2024-08-25 00:13:53 +02:00
teutat3s	15b507904f	garage: init buckets.pub.solar, use nginx as reverse proxy https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/	2024-08-24 21:48:48 +02:00