loki, prometheus, promtail should connect via wireguard #200

Merged
teutat3s merged 7 commits from loki-prometheus-via-wireguard into main 2024-06-05 00:04:40 +00:00
Showing only changes of commit 56f692740e

@ -28,8 +28,10 @@
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.hosts = {
teutat3s marked this conversation as resolved (outdated)

Is there a reason to move this into the global DNS? We can connect to other nodes in the network [without DNS being available](https://git.pub.solar/pub-solar/infra/src/branch/main/hosts/nachtigall/wireguard.nix#L24), so it might be nice to also have their local names without a DNS server being available.

As the commit message states, the goal is to avoid surprises. I find it very confusing to have the same DNS name resolve to different IP addresses depending on what host you're on. It would be my preference to remove this for clarity.

But to get this straight: we have the internal "wg.pub.solar" hosts that we could additionally set statically via `networking.hosts`, right? @teutat3s

I tend to agree with @b12f about a possible fuckup because of broken DNS, but the middle ground here would be to not have context based in relation to the host you're on, but cached DNS entries. It creates a bit of additional maintenance work as we have to update both, but that could be ruled out by mentioning it in the docs and hanging people for not RTFM.

I have no objections to setting `*.wg.pub.solar` in `/etc/hosts` as well if you're suggesting that. Not sure if I understood your comment correctly, @hensoko.
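One way to take the "we have to update both" burden off the maintainer is to keep a single peer list and derive both the `networking.hosts` entries and the DNS records from it. The snippet below is an added example, not code from the pub.solar infra repository; `wgPeers`, the zone-fragment path and the `.etc` output are assumptions for illustration, while `config.pub-solar-os.networking.domain` and the `10.7.6.x` addresses are taken from the diff in this PR.

```nix
# Added example (not from the pub.solar infra repo): one attribute set of
# WireGuard peers from which both /etc/hosts and a DNS zone fragment are
# generated, so the two cannot drift apart when a host is added or renumbered.
{ config, lib, ... }:
let
  # "wg.pub.solar" in the deployed config; the domain option exists in the repo
  wgDomain = "wg.${config.pub-solar-os.networking.domain}";

  # Single source of truth for the overlay (names/addresses as in the PR diff).
  wgPeers = {
    nachtigall = "10.7.6.1";
    flora-6 = "10.7.6.2";
    metronom = "10.7.6.3";
    tankstelle = "10.7.6.4";
  };
in
{
  # Produces { "10.7.6.1" = [ "nachtigall.wg.<domain>" ]; ... }, i.e. the same
  # shape as the hand-written block in the PR, but generated from wgPeers.
  networking.hosts = lib.mapAttrs' (name: ip:
    lib.nameValuePair ip [ "${name}.${wgDomain}" ]
  ) wgPeers;

  # Zone fragment for the authoritative DNS server, from the same data.
  # Path and mechanism are assumptions; include it from the real zone file.
  environment.etc."wg-peers.zone".text = lib.concatStringsSep "\n" (
    lib.mapAttrsToList (name: ip: "${name}.${wgDomain}. IN A ${ip}") wgPeers
  ) + "\n";
}
```

With this, `/etc/hosts` still answers when DNS is down (b12f's concern), and the DNS answer can never disagree with it on a host that rebuilt from the same revision; the remaining gap is a host that has not yet been redeployed, which a deploy-order note in the docs covers.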

Better like this? https://git.pub.solar/pub-solar/infra/commit/56f692740e31c183b7624f9d81f4ebf1237b08ec

Yessss. @b12f also happy?
"10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
"10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
"10.7.6.1" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.2" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.3" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.4" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ];
};
services.openssh = {
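Review bot: the two removed lines at the top of the hunk mapped `nachtigall.${config.pub-solar-os.networking.domain}` and `flora-6.${config.pub-solar-os.networking.domain}` to the WireGuard addresses, so anything on these hosts that still addresses a peer by the bare domain name now resolves through global DNS instead of `10.7.6.x`; since the PR's stated goal is that loki, prometheus and promtail connect via wireguard, check that their scrape and push targets were switched to the new `.wg.` names in the same series rather than silently falling back to the public address. Secondly, the four static `*.wg.` entries duplicate records the discussion says will also live in DNS, and nothing in this file ties the two together; a short comment above `networking.hosts` naming the zone they must match, or generating both from one peer list, would stop them drifting when a fifth host is added.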