From 788fb22732e36310274a4eeebb1d9008a89e04e2 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sat, 12 Aug 2023 10:59:40 +0200 Subject: [PATCH 1/3] services/monitoring: enable nginx by default Otherwise, building hosts that don't have any (nginx using) services configured will faill. --- services/monitoring/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/monitoring/default.nix b/services/monitoring/default.nix index 23a9bf5..7dbd71f 100644 --- a/services/monitoring/default.nix +++ b/services/monitoring/default.nix @@ -97,7 +97,8 @@ in { }; }; - services.nginx.virtualHosts."${fqdn}" = let + services.nginx.enable = lib.mkDefault true; + services.nginx.virtualHosts."${fqdn}" = let monitoring_htpasswd = config.sops.secrets."monitoring.htpasswd".path; in { enableACME = true; From d7d6b7e6ef3365e16ca52128fa848188d2525950 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sat, 12 Aug 2023 11:02:30 +0200 Subject: [PATCH 2/3] hosts/hamilton: init --- .sops.yaml | 7 +++ flake.nix | 6 +++ hosts/hamilton/configuration.nix | 31 +++++++++++ hosts/hamilton/hardware-config.nix | 8 +++ secrets/all/monitoring.htpasswd | 20 ++++--- secrets/all/secrets.yaml | 85 +++++++++++++++++------------- secrets/hamilton/secrets.yaml | 64 ++++++++++++++++++++++ 7 files changed, 175 insertions(+), 46 deletions(-) create mode 100644 hosts/hamilton/configuration.nix create mode 100644 hosts/hamilton/hardware-config.nix create mode 100644 secrets/hamilton/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index a9f0c81..45d6409 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,6 +8,7 @@ keys: # Servers - &shirley age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe - &goldberg age1w3wqxt5t00hjv43dcxlr5rjec5mvuzz9ajc8k04azq0gfx0ncgysu6mdmm + - &hamilton age1uw83n25fx9th2q5y2yedeyzmtzk5yjtwx0kh054v5r2mxc0utuwqacdf77 creation_rules: - path_regex: secrets\/all\/* key_groups: 
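Review bot: The added `services.nginx.enable = lib.mkDefault true;` in services/monitoring/default.nix has no comment saying why a monitoring module switches on a web server, and it starts an HTTP listener on every host that imports the module, including hosts that ran none before. I would add a comment such as `# nginx serves the htpasswd-protected monitoring vhost; mkDefault so a host can still opt out` above it. The vhost body continues outside the hunk, so it is not visible whether `forceSSL = true;` is set next to `enableACME = true;`. Since access is gated by the `monitoring.htpasswd` basic-auth file, it is worth confirming that the credentials can only be sent over TLS.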
@@ -15,6 +16,7 @@ creation_rules: age: - *shirley - *goldberg + - *hamilton - path_regex: secrets\/shirley\/* key_groups: - pgp: [ *e1mo, *adb, *momme ] @@ -25,3 +27,8 @@ creation_rules: - pgp: [ *e1mo, *adb, *momme ] age: - *goldberg + - path_regex: secrets\/hamilton\/* + key_groups: + - pgp: [ *e1mo, *adb, *momme ] + age: + - *hamilton diff --git a/flake.nix b/flake.nix index fb6cab5..38d8881 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,12 @@ ./hosts/shirley/configuration.nix ]; }; + hamilton = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = defaultModules ++ [ + ./hosts/hamilton/configuration.nix + ]; + }; goldberg = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = defaultModules ++ [ diff --git a/hosts/hamilton/configuration.nix b/hosts/hamilton/configuration.nix new file mode 100644 index 0000000..061ab1b --- /dev/null +++ b/hosts/hamilton/configuration.nix @@ -0,0 +1,31 @@ +{ pkgs, baseDomain, ... }: { + cj.deployment.environment = "prod"; + + imports = [ + ./hardware-config.nix + ]; + + system.stateVersion = "23.05"; + networking.hostName = "hamilton"; + # Added by default by nixos-infect. It seems sensible to keep this + # For reference: https://wiki.archlinux.org/title/Zram + zramSwap = { + enable = true; + # But limiting to 25% at start to see how high usage will be and to limit the impact on "fast" normal RAM + memoryPercent = 25; + }; + + networking = { + # Fallback / for the monitoring v(x)lan + useDHCP = true; + defaultGateway = { address = "172.31.1.1"; interface = "ens3"; }; + defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; + nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ]; + + interfaces.ens3 = { + useDHCP = false; + ipv4.addresses = [ { address = "128.140.1.30"; prefixLength = 32; } ]; + ipv6.addresses = [ { address = "2a01:4f8:1c1e:b564::1"; prefixLength = 64; } ]; + }; + }; +} 
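Review bot: The new creation rule's `path_regex: secrets\/hamilton\/*` is looser than it reads. `\/*` means "zero or more slashes" and the pattern is unanchored, so it matches any path containing `secrets/hamilton`, for example a later `secrets/hamilton2/…`. Because sops applies the first matching rule, such a file would be encrypted to this host's key. I would write `path_regex: secrets/hamilton/.*` here; the shirley and goldberg rules visible in the context appear to use the same form and could be tightened with it. Separately, the `- *hamilton` entry added to the `secrets/all` group in the preceding hunk lets the new host decrypt every shared secret, so it is worth confirming that it needs all of them.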
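Review bot: The header `{ pkgs, baseDomain, ... }:` of hosts/hamilton/configuration.nix binds two arguments that nothing in the file uses. The repository seems to run deadnix (patch 3/3 removes `# deadnix: skip` markers), so `{ ... }:` would keep that check clean. Also, `networking.useDHCP = true;` stays on globally with only `ens3` opted out, so any interface added later will accept DHCP-supplied addresses and routes. If the fallback is meant only for the monitoring v(x)lan, enabling DHCP on that interface alone would be narrower, e.g. `interfaces.<monitoring-interface>.useDHCP = true;` (placeholder name). No firewall or SSH settings appear in this file; presumably they come from `defaultModules`, which is worth confirming for a host with a public address.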
diff --git a/hosts/hamilton/hardware-config.nix b/hosts/hamilton/hardware-config.nix
new file mode 100644
index 0000000..6679bdf
--- /dev/null
+++ b/hosts/hamilton/hardware-config.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/secrets/all/monitoring.htpasswd b/secrets/all/monitoring.htpasswd
index e78bff3..43e4774 100644
--- a/secrets/all/monitoring.htpasswd
+++ b/secrets/all/monitoring.htpasswd
@@ -8,29 +8,33 @@ "age": [ { "recipient": "age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZVYvSzhUSjJMRWJYemdH\nRHFUTFVQTEdvbUgvRGpMNEFwUUFZOHdzMHg4CjFrS3JPb3ptVlY5YlY5ZkYxYXZ2\nM1RwN2N1b3UxRUpsQUUvem5RRHFGWVkKLS0tIEJNRmU4anQrVlo4dXJsWUZBN0xZ\nb1RGMVVWUFFteWpsajIvUHAwM0kvTm8KF4PVO81/7DnM5mH47ZXDQHaatGhnPGa4\n9KXj1oIWsw35YKoCg/zCukOZt5uoftfvcoSgKwUO30z5FXu53gFGgA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmR21TejMwVXltZXlUdEFK\nZkF3V3gxSDBaS3d2UFNza2hmU29Jeks4TURVClV1bnZPTWZJT3A0cURyUzFMNVR1\nQjRTWUlPZ2t3TUMzbWxTZlZHU2lJajQKLS0tIDQ3VXp5cWpjWkdRZmwyR2FmUFNl\nMGMzaFY5VWlMdWcxWTZpNWxLYUU1bmsKwqKaRYTa+R08HIDx4jks2+Df6ny6xJgx\n3M7y7AfUeJXt4EK2nemGt885x8+RvPvsH+R3HtbhpCA9/dSXMlVD1Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1w3wqxt5t00hjv43dcxlr5rjec5mvuzz9ajc8k04azq0gfx0ncgysu6mdmm", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZUJUYStUc3UxU1BSd3cr\nbzg4MWoycVRJMUx2NEJNU3JjYTBCaXA3aTM0CnFJN2o4MWRpa2x1Z2NmUTBHVE9F\ndzFCOTdUZ2NHUEwrRUFhYmNIREtnbFUKLS0tIDF6a0VITU0vS1lIOElzNFNibVp6\ncnB5SXVES3ZWRGNZZ1VZT0FzaDdLWGsKcEFPaLy/6vTlfLUwnjHbnLBMFgUVCTvv\nQHVGJMtYhdcNjTOuErR7ho1P2CjpSCY3Sl48PgrCbPgHZJrH+v+p9Q==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYW9Gb3pPTTAwRC96a3Vp\nbFZyem8yQjZYemtYS2o4eDM5U252OVd1OVFjClFBam9pVjN5SFFQWFRIT3RhM1pV\nYkdxWGVhVjR0MklNMlpuSVFOWUVTZmMKLS0tIExPbGVRZUhIQ3Y5WDZtMityd3Vm\nSTlRODlTaGxTZkx2YUt0bUt5RmxiajgKww2Y2nKuZDlPyqwUIhbrxAXKnQhD7ymV\nQPz3yEKSnug2Z4UJzxigARKjOC5udJV0/OC+Pg+7EjaMViPheZKPkA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1uw83n25fx9th2q5y2yedeyzmtzk5yjtwx0kh054v5r2mxc0utuwqacdf77", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtb3diZVRiZmgra2JaeERP\nbnBhSHJqU01pK1Z1WFFwSW9EeFpFMXdTdGdNCjNoT0gwM1l4RGdCNFI1bmRLeHkx\nL05CWXpaeUYweVk5ekZQUFdSTHhrR3cKLS0tIG9IQlhxMEdSYitaUGczelNrK2JJ\nWkRZMFkyc0dxWVF6bzl4cVRPbU1lRU0KxNOmERyKlVhe0TmSwaWQccBFA+wstGjT\nTjRbBISfhiSrsET6sEdZtd4nzk2U1ovGNjMMQVig6f5HiIHrjHQq5Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-01-03T15:04:58Z", "mac": "ENC[AES256_GCM,data:4PTqDajceBpa2P/FCojNHIKbIDWpktIfID8x+M6cCCDm78yUcORnQhayQh6jnqx8BICD2tEtLZnaK/dkSgP15rlzPVeigkbLK7mcscJCPQKiVkAz7NghUvHK2humyd2ERsHd+vE8+lJ9TnLWap+nVamc0kTdWqgxJtm4w7MPP6s=,iv:PyfROMfOTP74hVlsVZIARe+0rlnFVyNEn4cmT1+Do44=,tag:MvUuLXDV5DkoY50FC5ELEg==,type:str]", "pgp": [ { - "created_at": "2023-07-23T14:01:50Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nwV4DOnsoj685gdcSAQdA2Iq55ou8udmveRjfbun2dDyL7Pq77TfluaRDkNi3eU4w\nYFi7rICoN9DEAP2XbGculIVBSbudCWh+uvX336Py48ZV76GLKOD3dG+HADbK800S\n0lEBGScx9xIwPiakOz+BIrxaYecn8g6LpBN5CggmQ9lEFUb9M23vIBivJGB1cl+q\neataWLxdxYE87d/aEPCCfTz5WXZ4wi0LU8TQFsQYs7z5GqE=\n=HlHl\n-----END PGP MESSAGE-----", + "created_at": "2023-08-12T09:40:00Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nwV4DOnsoj685gdcSAQdA1Ybc+5QxMtgirLjmBTsKh2qARuDxT/bbwsmwIsLC5i0w\nEJeP/A/uM+xQyidCNhGQTn5ummw2b6tEkbgsj0W+lw7rvpXmVv/fsmRUAd6Xle40\n0lEBygugsLr8Mxx2VtU0Q1zbUoAIE2Fmd4etqBQoDKUVsWzT4PQIrXxa1AO2psDK\nYRZ+urojM1PIviKHxUSTdx5iq1877QkMh1q6MwNdzd3bC7M=\n=0HCi\n-----END PGP MESSAGE-----", "fp": "67BEE56343B6420D550EDF2A6D617FD0A85BAADA" }, { - "created_at": "2023-07-23T14:01:50Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAxFMPvz46t7rARAAjrlZXCzbwqER2r8wNecAovEEfDqZBoE4j5UTIsqiH9yT\ncjHN8E9Xvsq4Hru9/0ZQkBSYfawrn9+5bEb673XuCjUkwwCq4fnY/LjFNNtXaSEQ\n9fEqKQPXp0FoxwTuzBxMsJi/MYl7jYJEagVp9+LhrNoWGVMrv08NNM1ClCDKlpFn\n+S0JEZ6LfJobjBy2UGs5JDoV0lRjUyN7cgHd5KKRpzdjk+4yvCiNFoQZchT0Rxrr\nADhNj3vD628L8+ssve+Sb2XlAErMR6atFw4h4vdvemNoTkdZTeH2woDWLSND+mNi\nf32sHhaQ57Urv39VkJn7/8fIxYEk6nAEP/Y+7EdUhmgevYSeSMsXpnBIg2HghlPI\njURnjtG+PUmLgMO1iYYEqK0iCtqZhNGUPA87fkjzbfScpaekt+NEFO4D611MMEJs\n9wqkMeqUI1rkjKok1EyDiauRgdBiggZGVmk7oFF9W7De+vAxi+DJmc5WkQ/Ho6bA\nvQtndHdiqoP4aDwPVmwaHKlQFfdpyXZN5wHR9zfAoNqyAckNxFZxd8U5kXTk4+Oi\nZYqlYfd/iRltVe/qRdpNokK5eRgdNt/LfHSNFKdZtLLKcY7vU6u5XkZ3gg/frKbS\nnQeZzF3RydvJXmULb7UF/dBKYrrcpHyzVvHkf6rVoZz7uiya/HZy1LXjFarATPbS\nXgFXJ8V5C3/PdWgv3vgAQMPYQqLWP1obma6gRXagHlRGbNCxL41OJYxW9vgqd/U9\ngWvExE5MD3dSki0t4MMRSdkHcMuP9pHR8NWCtNZA6cmZsQy6h6nVoCCvVwDcpkM=\n=f/zT\n-----END PGP MESSAGE-----\n", + "created_at": "2023-08-12T09:40:00Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAxFMPvz46t7rAQ//d4UF77U2quxmZKgoCT/6I9qfO0EVPLklX9dvV9hWE3DS\niHDXBhbQEUiMWbHQMEM5xZOmayx95ljow3SQsB2ydPAmh/u56vN2Vi1iKj8dYZ90\nEc3OPJe6jx0uXN61h3jTA4Zd5fM6WfS4162YJE4qyCc+id6H9C4oQZUEKY9Yg1Lq\n7hXoVCYWz7E7fxc4hLyXXeK9PQNfzPkAZPA/nm5yc8fv6UNpmUdA1/TJapdjRYq5\n9krsPTksTyuiEu77HhL0MKXL2ohzN9nXbCSUSRMtVxUZLtcQ44NpW35RO26h3Vpi\ngmrT+mrpxW3oTBa+g9jiivQMHnn0o1xDPckMs3p4nSuSAJj6sNYIG5C0q3U+avRl\nSXbryfXebP0GezDFPduavOcJZ9XlGV3Oyrg7m2VZURK45muIcl0TFmSfr8FUE6dN\nul62w1qQXtVchh2xm1tu0a8nXI/1X9c1ciPbL8CZ88CQAFf9PLKHouef+bQnUdHU\n5qSleIehMKLI08PXDLvSgQW51boUJ3sqF97pPkWZIOFwzT6D2skN6Lflhdpugsbw\nc5qdDqSh+VpPJrlpaDgyCruCsypSFHb3NWOLW9wHL1mvFHCnNTbTX9rJz9/N/iFE\npQPjoEkYivayZ/VWW5oPAQ6YEnX4Mb30Je/Mj/piSBZSrdBMBEBYxh5ggME5GvbS\nXgFV/rYbKpW+KNtNZuwP9Z0bsocUfC96hnEAPRLLmhNIpAaUzU50lJD8XA7fZBOd\nlHe5c07iPyCqsiVrs4m+RVNmB7IULwr/L3gjTjAMxE4Z438nkrF4lrgO3wRzMV8=\n=mlBS\n-----END PGP MESSAGE-----\n", "fp": "B1480CFF9BBE8E2648A26A640B2E7C171E3AD6D7" }, { - "created_at": "2023-07-23T14:01:50Z", - "enc": 
"-----BEGIN PGP MESSAGE-----\n\nhF4DyBlv2iMmB8kSAQdA4/evVT3haDIHvX9lPsK8nwKhQTAr2Vo7KObMvWV2zHQw\n6QHatxbZNsiZtt+dEizbt4TOiPN4q8FRfUSY5DjWxgas2GFkWLC6OhlzKzuPNpZv\n1GgBCQIQEdrM53JXp8afqk4ZOgEujLrsYvPB7fhojQFED+6wODYg4NgjtyjlN3tP\nhAc2cDHsntBeKAk8NpJ97hutnLNyBOXPGV0sucrm1D9ghW5NMAL9+4PBIUNjt7D8\nvn3PcHmhzOD1rg==\n=7sm9\n-----END PGP MESSAGE-----\n", + "created_at": "2023-08-12T09:40:00Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyBlv2iMmB8kSAQdA6svYhM1VtUlzZZBD2CUt7RpLMu/gEI7bvWuZZFMGlEUw\nEvg9ODjP9LqscGaE6Fg1XMRiseseuW2xLDfZ8cVI3DG90xmh9l85JqQV7QnZMjco\n1GgBCQIQXQfLSY7ASniqfJZvSIeEnOlig0thXhaRpkKXASS2Kjqt32rY5snFsVXi\nEt/j3h5Aay8MgSPE3yx3Jy4/43pMTuDbPfsaa5yE+4VmfKAHquJBQttrMU2QK5C2\nJTpLt9dwBvQFjg==\n=XsfZ\n-----END PGP MESSAGE-----\n", "fp": "5D22C6EC4A6E52469819B56D5EBCCEF2F33F7661" } ], diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml index 64bc369..e159a10 100644 --- a/secrets/all/secrets.yaml +++ b/secrets/all/secrets.yaml 
@@ -17,65 +17,74 @@ sops: - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSVNDN2QzV1poc0VnWnJt - YVlCb09yczFUQzQrdEtGcllFMmhlZU1oYXk4CkMzV1hOTE92ekhHdUZ0ZW9iN3Bv - RFZ3eU5tM0pPcjVEUGtES1MvNkpQcjAKLS0tIEYydlRaN2ZxQ0h0aUtUeWhlTWNZ - YXJIcXA5VUlWWEVnQnAwb0FETmdpeW8KFNrvvr5BsDpM/7CirEf9N8NY8A38f4P2 - nZ5FIdwXc+7lRAoLeft7ekpAJHb51lMk5h/SuSFFs1w/xHBGEXXubA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMTZBN1FpalRYNk51QTd0 + NWFvNkRINllNNVlSNE4xTGJKbUVXWlpDR0ZZCloyUklLMG9LOGhseER4SXRpSy96 + S2FGTXl6bnRxdDUyZDZJTzEyLy9CYk0KLS0tIGd2aVRGQUFZbldjY3BMQ21XaitF + RE5aQmtMRzVZSVFFUG9RMlV6WEFuckUK5KRZWrf2EXa6XHcono2XfX0Z10qsPzo+ + 3g/EAX9dBqC+ZUAhYNqtkgoOPcgW1G34Ab+YsFSxOddL8OCMLczw6Q== -----END AGE ENCRYPTED FILE----- - recipient: age1w3wqxt5t00hjv43dcxlr5rjec5mvuzz9ajc8k04azq0gfx0ncgysu6mdmm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwY1huR0FPWGJpam9BbFpK - VlY3T0puZEEvOExhZTczWndhMmV5Uzd0ZWdNClE1akJDb1pSblUyMWlZekV3VHZs - VktGcGQrM2ZiOFNQVFZnemZzT1llUk0KLS0tIElLYTY3RE1ucDRBVGFYZkFLSU5o - eXZ0QUw4YlU0OURBbm91N21XQ2tWRzgKSbq+We0JpdsLLalXdKFEezH6l7GuvvT9 - xuwXEtJ+hi6jCedafROuzuEOsxwELkCUU0y/80CAf33BV0Wk1l3Jjg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYjR4ejY2K3c1clV1TnlX + NVRjTEZCcytQZXVEYkpaSHFtRGZkN1gyaVFjCmlXbTRhMzllNVRnQ3BpbTlvQXpt + d1FwaUw5M3FVL0RnSzFIUEdoZDZWTmsKLS0tIHBRRmQvTEtMUnNJeklDYmlyUFgy + eEx2RGw2WXprcko1eG5DUVljNis5Y28Kh2fWZOyErmxGjcyXY51xLJBUS6sa6dyL + 8fXOgDhV/kd2gldwK0po3m083rVziuADBsuD7A8WOmR01YcRyODJZQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1uw83n25fx9th2q5y2yedeyzmtzk5yjtwx0kh054v5r2mxc0utuwqacdf77 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTk5DdHhqTEtvMEdRVXJO + azVudUhhSVV3Z05VVmNsUThsenBrN285Z2dVCmtWYVVqYjZRT0xWMG84YVNiRG82 + T0hxMlpsZUlTRk9ZdGR2VHJmaXgxYmcKLS0tIHF3VDZUcWF0YmpadE5mYzZYUUQz + 
ZFo4UnJjRjRZUE1VSHZFSFRYaEdqbTAKxFzA8SwentyIhEbhdwCw75VrevuRuYGI + eFQzNf4MyFV1SZM6mgSNr8LEjhzyTIntTVMo0jq+8k9m2iRzE0LSEg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-01-06T15:51:57Z" mac: ENC[AES256_GCM,data:PPS3MV1tZJMtb1ITMhXTnseIBonpanjISFiUAV46LesJLDH7ag8UM8Vwgdrl5WOI3SIZcTiwvYGjRctLx69kWnbEJPFzg22EZSzvQJAIzdxHe1aac6th++5z2hPCFUp04/CYrB5zqIirku/pw7gLGzOlwVCvUJEvLf0V0mjn93A=,iv:v4RHMFHY/sADWv324thv8ZVTX41I3faRtXIyaB7QVWo=,tag:VXduStNDEPkFGPa9RyKSrw==,type:str] pgp: - - created_at: "2023-07-23T14:01:53Z" + - created_at: "2023-08-12T09:40:01Z" enc: |- -----BEGIN PGP MESSAGE----- - wV4DOnsoj685gdcSAQdAVOb1xVaaCsEM1wfaEhfD0phkdkHb7gI7EmOKIANyUwEw - s4ayKjTl08RcxuGKNdZWe5/OZ8kekT1BL6yhPfURZXeYXfDM/bcLCwsTaQpzN7IP - 0lEBU2Yy/gKUN486dIZG/y4hJZhrJuxv2JJbox9dALSHxsyOUpeQMaCWd+TDqEss - if6q70lHgtDnWFA8FtHqq5qYEVLB3JwZUyNXq3CX1RtR3g4= - =lJyK + wV4DOnsoj685gdcSAQdAi5kbjF9H4WB/BxgLT2LfOOv0FSQQeCRbmlwwm5jM6Wgw + 9RhEZzHhaPTuq/sgPOtT9Af666OuOPyu6g2gNttMeg2vzn0vbHFLfFVXKuaBomJF + 0lEBkqVifjuIhBDw97BnwVUGO4xsBQ2KCNfRLAEHEB2jLXfI0f0KyzbvopwukDpA + tith8z5+gfRBum2tnWqB1PRXHy5vpZhCXifW10+3OqaIWhw= + =8ehQ -----END PGP MESSAGE----- fp: 67BEE56343B6420D550EDF2A6D617FD0A85BAADA - - created_at: "2023-07-23T14:01:53Z" + - created_at: "2023-08-12T09:40:01Z" enc: | -----BEGIN PGP MESSAGE----- - hQIMAxFMPvz46t7rAQ//WRLRAtPXfn6v4tsMdqs2/XuPqYgEbYs2iJ8bKMfRDyra - mciYOKAb8O1dj0C5kzxLE0pUiT1WJSJJ/sFrAmfdPLgiYT1agNhDDw+gJXB5I0XU - O3nBCc15Di4cYdjF/tK8cHvIU6ip28BOEbtIK7w4IktpVQj4+Z9wuTW5S5Urj3xx - OeJrifErMCgcb3dq/b1GugHOeeDVp0QpHpzrPec/NWvQATnuemvQ3eNDpe9hq94H - PScKu47IoF0l85j84OHFf5WEPU8UjZY/ULXBInUlmLLGRUuWY3/JixqxSc0TfWHY - a16kzonLisKhqpJw5XeXaZpu+SgYHOVR0522+mSPMeB/5oTIA/lRDPT2XxIv86KI - i2MWS6duhU/4aGBJXQ/Elrf0I2D3dYdWokzSkQWg2oNKWGftb8x/AFTHHvwvH6wz - 95fR/c3prHrTt9BRD4dFYOZTZ0JJzvk2htrc4P0yjU/julkG0zIGaMzdHPg2P3J3 - OIUoaFCqab1QI8hBlkBadpIRiNFWupcDwN7acgD/KGMurqAuRxLdQl6UIsTQryMl - RQiVkjoe55R1LXmfRzBiDtsgNZxTBk6tui0kh4k3pWpXMc3t4eQGflQ+WRuntEbW - 
NqU7nIaPBiP6Fs8CzFfx9FGlk11sbXEa/IHPkz89YHFaoabACMCjUzt/jJk6JxPS - XgGX6NEoubA78wkxCrejMawxzwoSMR74sEgmQ31WOI9f5FL8QXFdM1z9QRSeekYl - Zx8wAjq15n4TGaZ30b3lASzAfjjFFU99hq28YoboyyKiruGugS23ELsS84ZiRZs= - =fmTi + hQIMAxFMPvz46t7rAQ/9GKUFfk0R14JVwQlkwjUlGo6m2TAx5K57tqIQ7QPkNR4y + ml/XdmMz19zo0iadrQJ+KhLXP2U7nsyXCjf9nkAXsYDGRCtBewkfuPaRWtu0O1vh + HpBY4yKWIj2uXYXkOAsDMU4IAnexYjvkRJkL2KF/j7ksQs/6UKB0GulZfo5CQCXj + XNB8HiuuJxddsSPBPu7UXouTKo4TAHEE83AhzJTIID6nb0sKcLpgivj9ixMf0qZ2 + tMoKoeLXZ43amzILH6cWeuBr9X0J0Up4+vcvfPfqdtu5U/RsyOJa2vlaGKchNFRe + 5KhYcNV1C3AdJLpXXH1wF0gyj0FE/W6FTsP7Tz68/4rmzlGFOWHbci0KITkaG6da + /JgAyxAcBbPRR2IUw72uSpATEhXhY7EnSYdV/9ythHw6BqC/1uOxaNHormTyVu7O + mLNBEo0s/6Lzl2/+WR/F7fRiUxZ0CKUJgsdQEyvwCF4p6OWBeYU4YcNGZmz2vQHO + +Sj6fBWLzIvhMkCI2evaGbCduv1L53reban2GYUO9teEDMUe5hoEe7E6DmccSFvl + rew7R4uAlH23BmHrp5lLAnTZeaeG9gML5qbWqt+9PVagNFCncgfHU7lwcUqv5hKx + pZI+5SJSE8+hxM7U40AJYwk+CnQc4ydN7lt/oWfPLxkHchKJ8WO+GOn1XtNDOuvS + XgF8qbKudvWbEYY9J1ZkJhuCyfA+JBnWs1Go9dHqbBaDXjajGiJ+l/QSJ1vUNV6E + ywvYIQ3Hm9Afzh7N3yYB01e9yY+cEh6OmzCpCwHY2CqiDKFlZoPOqQrbYuRJkNw= + =7iXC -----END PGP MESSAGE----- fp: B1480CFF9BBE8E2648A26A640B2E7C171E3AD6D7 - - created_at: "2023-07-23T14:01:53Z" + - created_at: "2023-08-12T09:40:01Z" enc: | -----BEGIN PGP MESSAGE----- - hF4DyBlv2iMmB8kSAQdAt+l2hn9Mb6JjjmyjAbVhpT/YPkTHkfFOHH6GHGhU+F8w - Hbj+A8tWlRGoHStY2MPZCDftdYHz67Vzax/UNw8yJeNIq9ClDD5Kic9XLF7S3KS2 - 1GgBCQIQrrCMG2VzvQYMiFxJwYNOzcwNgPolpXVRHT9j3o+hgILlR8cYFGgJm2Vp - wvIsjvZen3gq7NX+kv/wYEUbwzcoChk/ZpIWTtRJuX/5fpgTblwImx2d6eGgVW7S - L4G5Yz1L5H402w== - =QJLH + hF4DyBlv2iMmB8kSAQdACDjorLuJYZsj3AeJffiI7uL2NJ+8PzMzGqcg4Kp3whYw + z2WigwqP+QnzrLinEG3Z9zHluMsVtVKfV9uhkPHIfCHq19Thl9sR3TuZq4GSJLRP + 1GgBCQIQdmUR3Ui7Aeu5CUXn/I3sDwtY1JzYFCrK2HNYmsoqoQ34hmlNRfQcno7/ + 3tRE6ZNodNEJM23u+alU2gF6wfn644aiApT4dCXy/2gM2tLXvmdWT1HWwZQY55h7 + XkJsqxqRiGnPmg== + =udOd -----END PGP MESSAGE----- fp: 5D22C6EC4A6E52469819B56D5EBCCEF2F33F7661 unencrypted_suffix: _unencrypted 
diff --git a/secrets/hamilton/secrets.yaml b/secrets/hamilton/secrets.yaml
new file mode 100644
index 0000000..07c129a
--- /dev/null
+++ b/secrets/hamilton/secrets.yaml
@@ -0,0 +1,64 @@ +placeholder: ENC[AES256_GCM,data:rzHtxg==,iv:cCQcC7FZJkGC1YIKNdqiTU+7W6YJ8hJlwT5XwdTyu/k=,tag:AfZlrP54Yh6U8l7bwCT3Bg==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw83n25fx9th2q5y2yedeyzmtzk5yjtwx0kh054v5r2mxc0utuwqacdf77 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLN2R3Nm1TUER6QWhPVVE0 + cW1Ubmd0SmtoWFdURkEwcFZ0NUNRcXcrQ2lNCnROM0plQ0RwejZrU0VoY0ZMTFhl + VDlxOFFMMWhPWFB5OFp4NmZ3V2VQbTAKLS0tIFRLZ2doSVpxMzF5NzRjSCtkVEh3 + aWQ2QW05a1lrbTZZci9VMldpVzNCZFkKCJwEd5TkZaIb2M1E149/NEUB1E5E8gLu + YSDnb7eKfx8auWCEVCMiHx6POdpVvwxKnxUWHEnUBIMHhx+Y1MSclg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-12T08:45:36Z" + mac: ENC[AES256_GCM,data:pjGhTGsY7I7AF2Pd2fINT0PzJOWSF6TvE26NTC6xNwJ2fnL+opANJnLkdRpZFw7rXVqGdjvZmtYV/Z4MZTH3n5NRM9cg/sQ1kRLS6LIgGFd0xqxhCE26gArquOSqbWb7BU9vyq9A4XFqi9Jx0yjP9+ywYOjrIuVN7OHDyWsN4sU=,iv:3nSB6qNHq9HRa1YCHDGRopiArXPWob10/ON8Y7rMeKc=,tag:2FElWlRUskM+Z/DlfeAs1w==,type:str] + pgp: + - created_at: "2023-08-12T09:39:58Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wV4DOnsoj685gdcSAQdAoB+nuYO7vGHr2cWga/fMP4+qFWlxBcFu9kA/qi09Vz4w + ZrUfL7KpT1d2c6QGUGcdxUGpJTZcgg8eir695HwbYZY4PJBYrz8VmyllJoNPnBw7 + 0lEBCn2B3ukwTFCvns4Go+dnm/4FZ+tqZSUrLUcfPUWuniM4rsAo5yBidU+QYg6+ + jnur+ISLjxpLUz8QFC7Z+fk6ScwGzv0lG8p3gQbNfRILXrQ= + =LjgW + -----END PGP MESSAGE----- + fp: 67BEE56343B6420D550EDF2A6D617FD0A85BAADA + - created_at: "2023-08-12T09:39:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAxFMPvz46t7rAQ/9EBWtA0TMbi9bpfFfWYjs+8Gu7o12u//lnHB8bo/QCn0x + wOJf7ZziMgaXRnpepkU4nPY0MAMYl/wLZEBT0WGw+MlZqACeypEAXOcnfJo7aY8/ + ELb3qpG3K60OLgs2TTH8ZNtj6GUJ4BkpDVyOOFZqrNCtiTE/2RH8ZQfKVzdMScMo + mIPLjhkJGF14pH2MoAFxBDtyejm1o58s0q1e8H2LF9s8mheSWZivd3t4vyD64NiU + GGSnqxfZuGR7JFi3zRjcOJHC1anofux17vX21IIoncPRpdIaDjYl2QabzSLQ5CUR + l1p0OBh8M1s+iQSVLDP+GVacAy1RQDI6IgQuMWZY50DqTVSjRYcmF5DamgBDbXoR + MVJZ8KLSIDZ3U8yKV3A7cbYd7qxsAIS60ej0c4JX0AcwwhYTb7tAliEn7Nx02yzG 
+ 3b+P9Mov0OVQJsXFlJar0nLlXU0ohitAEksFTn61ZTJV6PHALKamkRaH2jEv7ra8 + 8oxQG5mocuNUJtdkIzKLEDseALXImkQDlyAu/hj75bzQ3y6zlwVgSxRpeGLT+BHM + cySKYrPADLGYrRS1Ik95gAjo4y8PTrw1k/jZZmT7ISW6v5gjU/+7PBECgEg3Y4z6 + 3sv7A4lAhys3gH6hXVvFD6UJgQNa2fJOwV73stb5G3NsqSIhk6UMKSbnGnVptsHS + XAF8fw5kiO4o+grocMTFE+s879jOuhn+AqHlzqR1RpLDuOZarfdLuTGIKkOcDRB3 + 5WutQCRqWD/J5y2NMrlxKKo+ojLlbbFd5AlbxYuF7mBVwgYMvdgCSyJJ/ou7 + =eTdo + -----END PGP MESSAGE----- + fp: B1480CFF9BBE8E2648A26A640B2E7C171E3AD6D7 + - created_at: "2023-08-12T09:39:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DyBlv2iMmB8kSAQdA6EyjnHd/2OSBpXwzIbak2ZFSs+yoK/cnQ3knqxEHxmww + TAENHwoQDzo+0w04p36d7YZkFo2EBl2c8J+3DdkH+SwDw5pFVUAQCKhwVoMx7A0j + 1GYBCQIQnI5zbMif/y2gGAn9uN/fgosQtlpuCjcsNraL/gCxoJQ/6X5BC++bi+y4 + As7y/Y9/vxqLHGR049OjorjH3cdDpzPOfFURl5Ew2T65Jx2DK2yqfTNC4xT1Slwk + cGhvygtLBfY= + =Web8 + -----END PGP MESSAGE----- + fp: 5D22C6EC4A6E52469819B56D5EBCCEF2F33F7661 + unencrypted_suffix: _unencrypted + version: 3.7.3 From 2e5d1690d44c70a62f53a1ded5ff9689b2f78826 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sat, 12 Aug 2023 11:03:58 +0200 Subject: [PATCH 3/3] services/monitoring: Only monitor non-dev hosts --- services/monitoring/default.nix | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/services/monitoring/default.nix b/services/monitoring/default.nix index 7dbd71f..464d0ed 100644 --- a/services/monitoring/default.nix +++ b/services/monitoring/default.nix 
@@ -39,18 +39,10 @@ monDomain = "mon.${config.networking.domain}"; - # deadnix: skip # Will be used as soon as we have two non-dev hosts isMe = host: host.config.networking.fqdn == fqdn; - # deadnix: skip # Will be used as soon as we have two non-dev hosts isDev_ = getAttrFromPath [ "_module" "args" "isDev" ]; allHosts = outputs.nixosConfigurations // externalTargets; - /* - Right now we only have one non-dev host in our NixOS setup (the ansible hosts don't monitor the NixOS hosts). - That's why we currently add all hosts to our little monitoring "cluster". As soon as we have two or more production hosts, - the dev host can be taken out of the equation - */ - # allTargets = filterAttrs (_: c: (isMe c) || !(isDev_ c)) allHosts; - allTargets = allHosts; + allTargets = filterAttrs (_: c: (isMe c) || !(isDev_ c)) allHosts; monTarget = service: config: "${config.networking.hostName}.${monDomain}:${toString service.port}"; targetAllHosts = servicePath: let
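Review bot: The now-active `allTargets = filterAttrs (_: c: (isMe c) || !(isDev_ c)) allHosts;` runs `isMe` and `isDev_` over every entry of `allHosts`, which also merges in `externalTargets`. `isMe` reads `host.config.networking.fqdn`, and `isDev_` uses `getAttrFromPath`, which aborts evaluation when the path is missing. If an external target lacks either attribute (their definition is outside the hunk), the build would presumably fail instead of the target being filtered. A tolerant lookup such as `isDev_ = lib.attrByPath [ "_module" "args" "isDev" ] false;` keeps unknown hosts monitored rather than breaking the build or silently dropping them. The commit also removes the only comment explaining the filter; a one-liner such as `# each host scrapes itself plus all non-dev hosts` would preserve the intent. The `let` block continues outside the hunk.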