move encrypted secrets near relevant files

2025-07-06 19:00:14 +00:00 · 2025-03-09 17:09:33 +00:00
parent f59ac536a2
commit 37d1d7724a
60 changed files with 27 additions and 94 deletions
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-exporters.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-exporters.nix
@ -0,0 +1,58 @@
+# Prometheus is a timeseries database that exposes system and service metrics
+# for use in visualizing, monitoring, and alerting (with Grafana).
+
+# Instead of running traditional Prometheus, I generally run VictoriaMetrics as
+# a more efficient drop-in replacement.
+
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.nmasur.presets.services.prometheus-exporters;
+in
+{
+
+  options.nmasur.presets.services.prometheus-exporters = {
+    enable = lib.mkEnableOption "Prometheus exporters";
+    scrapeTargets = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Prometheus scrape targets";
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    # Default scrape the basic host information
+    nmasur.presets.services.prometheus-exporters.scrapeTargets = [
+      "127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"
+      "127.0.0.1:${builtins.toString config.services.prometheus.exporters.systemd.port}"
+      "127.0.0.1:${builtins.toString config.services.prometheus.exporters.process.port}"
+    ];
+
+    services.prometheus = {
+      exporters.node.enable = config.prometheus.exporters.enable;
+      exporters.node.enabledCollectors = [ ];
+      exporters.node.disabledCollectors = [ "cpufreq" ];
+      exporters.systemd.enable = config.prometheus.exporters.enable;
+      exporters.process.enable = config.prometheus.exporters.enable;
+      exporters.process.settings.process_names = [
+        # Remove nix store path from process name
+        {
+          name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
+          cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
+        }
+      ];
+      scrapeConfigs = [
+        {
+          job_name = config.networking.hostName;
+          static_configs = [ { targets = cfg.scrapeTargets; } ];
+        }
+      ];
+    };
+
+  };
+}
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-remote-write.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-remote-write.nix
@ -0,0 +1,52 @@
+# Prometheus is a timeseries database that exposes system and service metrics
+# for use in visualizing, monitoring, and alerting (with Grafana).
+
+# Instead of running traditional Prometheus, I generally run VictoriaMetrics as
+# a more efficient drop-in replacement.
+
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (config.nmasur.settings) hostnames;
+  cfg = config.nmasur.presets.services.prometheus-remote-write;
+in
+{
+
+  options.nmasur.presets.services.prometheus-remote-write = {
+    enable = lib.mkEnableOption "Prometheus remote write for agent machines";
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    services.prometheus = {
+      remoteWrite = [
+        {
+          name = config.networking.hostName;
+          url = "https://${hostnames.prometheus}/api/v1/write";
+          basic_auth = {
+            # Uses password hashed with bcrypt above
+            username = "prometheus";
+            password_file = config.secrets.prometheus.dest;
+          };
+        }
+      ];
+    };
+
+    # Create credentials file for remote Prometheus push
+    secrets.prometheus = {
+      source = ./prometheus.age;
+      dest = "${config.secretsDirectory}/prometheus";
+      owner = "prometheus";
+      group = "prometheus";
+      permissions = "0440";
+    };
+    systemd.services.prometheus-secret = {
+      requiredBy = [ "prometheus.service" ];
+      before = [ "prometheus.service" ];
+    };
+  };
+}
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus.age
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus.age
@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBLekNB
+R0R0ekUzWTBxUlhLaDBkZWlER2NRd1RCSHFBaUwrZW1wUTJJaGdzCnFObW85eFRM
+REgxR1NHdWMwWXdYRmZvYStTekQzcTdJZDkxamlWd1NEdzAKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIFZzaUZMYmJScE42RWJuMytIYWM4RU14eXFMVXNNczVXMlF3OVBu
+di9oVmMKOXZLemtGMGNVUmU5YTcxdTk5Wmk4TDJpMUlVSDdwK2VwMmdCZmtINWV0
+MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgazhZcHZ0OVkzQ01vQnlDWmMvTEdpZWJn
+VVRCWXZ6enNPL3BySHRkY3gwQQpnNHRpbEZuY3pGd2R5L2hXY3FIeXpneE9nSEhM
+MU9UWVlScCtVSWhNY3FrCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBMTDkzcUF5WXdN
+NTFnOUgzOEpoN3p1Uys2b2JMZVhnWThrNEFaT0N2RlFRCkhzd29qdEJLYWlyN3U5
+R3dnVHJZenIvTStoeGZXYkF1TGVkcVN2Y25acTQKLT4gc3NoLWVkMjU1MTkgejFP
+Y1p3IDh5czJHQUpvc0k1eFNRZDE3ZXdha0pzY3UwNzZsT2NIUUFieG1JSEk5MkkK
+SktlZDQwcm5ZYVZkOG1ybFU1RGY0bGdqSlVIRHQvaVdoQUN2MTNMNFVFMAotLS0g
+U0thOXRDNXFyRmJnZE9ydWRwMnZ6VGxIZDV3SW5yUEFEUkcyNUZNWFZxNAqpA6on
+uxWUMT9texQBeGLhj7tQ3QDzCKA4plpWncjvAgjcL/LzJOv90FeHV37UHY9cDo84
+KZleCZs7L3thj4um
+-----END AGE ENCRYPTED FILE-----
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/victoriametrics.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/victoriametrics.nix
@ -0,0 +1,99 @@
+# VictoriaMetrics is a more efficient drop-in replacement for Prometheus and
+# InfluxDB (timeseries databases built for monitoring system metrics).
+
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+
+  inherit (config.nmasur.settings) hostnames;
+  cfg = config.nmasur.presets.services.victoriametrics;
+
+  username = "prometheus";
+
+  prometheusConfig = {
+    scrape_configs = [
+      {
+        job_name = config.networking.hostName;
+        stream_parse = true;
+        static_configs = [
+          { targets = config.nmasur.presets.services.prometheus-exporters.scrapeTargets; }
+        ];
+      }
+    ];
+  };
+
+  authConfig = (pkgs.formats.yaml { }).generate "auth.yml" {
+    users = [
+      {
+        username = username;
+        password = "%{PASSWORD}";
+        url_prefix = "http://localhost${config.services.victoriametrics.listenAddress}";
+      }
+    ];
+  };
+
+  authPort = "8427";
+in
+{
+
+  options.nmasur.presets.services.victoriametrics.enable =
+    lib.mkEnableOption "VictoriaMetrics timeseries database";
+
+  config = lib.mkIf cfg.enable {
+
+    services.victoriametrics = {
+      enable = true;
+      extraOptions = [
+        "-promscrape.config=${(pkgs.formats.yaml { }).generate "scrape.yml" prometheusConfig}"
+      ];
+    };
+
+    systemd.services.vmauth = lib.mkIf config.services.victoriametrics.enable {
+      description = "VictoriaMetrics basic auth proxy";
+      after = [ "network.target" ];
+      startLimitBurst = 5;
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = 1;
+        DynamicUser = true;
+        EnvironmentFile = config.secrets.vmauth.dest;
+        ExecStart = ''
+          ${pkgs.victoriametrics}/bin/vmauth \
+                    -auth.config=${authConfig} \
+                    -httpListenAddr=:${authPort}'';
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    secrets.vmauth = lib.mkIf config.services.victoriametrics.enable {
+      source = ./prometheus.age;
+      dest = "${config.secretsDirectory}/vmauth";
+      prefix = "PASSWORD=";
+    };
+    systemd.services.vmauth-secret = lib.mkIf config.services.victoriametrics.enable {
+      requiredBy = [ "vmauth.service" ];
+      before = [ "vmauth.service" ];
+    };
+
+    nmasur.presets.services.caddy.routes = [
+      {
+        match = [ { host = [ hostnames.prometheus ]; } ];
+        handle = [
+          {
+            handler = "reverse_proxy";
+            upstreams = [ { dial = "localhost:${authPort}"; } ];
+          }
+        ];
+      }
+    ];
+
+    # Configure Cloudflare DNS to point to this machine
+    services.cloudflare-dyndns.domains = [ hostnames.prometheus ];
+
+  };
+}
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/vm-agent.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/vm-agent.nix
@ -0,0 +1,58 @@
+# VictoriaMetrics is a more efficient drop-in replacement for Prometheus and
+# InfluxDB (timeseries databases built for monitoring system metrics).
+
+{
+  config,
+  lib,
+  pkgs-stable,
+  ...
+}:
+
+let
+
+  inherit (config.nmasur.settings) hostnames;
+  cfg = config.nmasur.presets.services.vm-agent;
+
+  username = "prometheus";
+
+  prometheusConfig = {
+    scrape_configs = [
+      {
+        job_name = config.networking.hostName;
+        stream_parse = true;
+        static_configs = [
+          { targets = config.nmasur.presets.services.prometheus-exporters.scrapeTargets; }
+        ];
+      }
+    ];
+  };
+
+in
+{
+
+  options.nmasur.presets.services.vm-agent.enable =
+    lib.mkEnableOption "vm-agent VictoriaMetrics collector";
+
+  config = lib.mkIf cfg.enable {
+
+    services.vmagent = {
+      enable = true;
+      package = pkgs-stable.vmagent;
+      prometheusConfig = prometheusConfig;
+      remoteWrite = {
+        url = "https://${hostnames.prometheus}/api/v1/write";
+        basicAuthUsername = username;
+        basicAuthPasswordFile = config.secrets.vmagent.dest;
+      };
+    };
+
+    secrets.vmagent = {
+      source = ./prometheus.age;
+      dest = "${config.secretsDirectory}/vmagent";
+    };
+    systemd.services.vmagent-secret = lib.mkIf config.services.vmagent.enable {
+      requiredBy = [ "vmagent.service" ];
+      before = [ "vmagent.service" ];
+    };
+  };
+}