From b7c1b860563eb080d6c09939a456776825c5347d Mon Sep 17 00:00:00 2001
From: korenstin
Date: Mon, 6 Oct 2025 23:27:27 +0200
Subject: [PATCH] grafana-ng: configuration firewall, dns, caddy

---
 group_vars/infra/firewall.yml | 37 +++++++++++++++++++
 .../ns-master.int.infra.auro.re/knotd.yml | 14 ++-----
 host_vars/proxy.pub.infra.auro.re.yml | 4 ++
 shell.nix | 1 +
 4 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/group_vars/infra/firewall.yml b/group_vars/infra/firewall.yml
index 1d2b98f..53e5de4 100644
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@@ -90,6 +90,14 @@ firewall__zones:
 addrs:
 - 2a09:6840:128::98
 - 10.128.0.98
+ re2o-ldap.adm:
+ addrs:
+ - 2a09:6840:128::21
+ - 10.128.0.21
+ ldap-replica-edc.adm:
+ addrs:
+ - 2a09:6840:128::4:249
+ - 10.128.4.249
 nextcloud.adm:
 addrs:
 - 2a09:6840:128::58
@@ -123,6 +131,10 @@ firewall__zones:
 addrs:
 - 2a09:6840:211::1:1
 - 10.211.1.1
+ grafana.ext:
+ addrs:
+ - 2a09:6840:211::1:7
+ - 10.211.1.7
 ns-1.pub:
 addrs:
 - 2a09:6840:215::1:2
@@ -268,6 +280,25 @@ firewall__forward:
 tcp:
 dport: 9090
 verdict: accept
+ # Prometheus for Grafana nixos
+ - src: grafana.ext
+ dst: prometheus.int
+ protocols:
+ tcp:
+ dport: 9090
+ verdict: accept
+ - src: grafana.ext
+ dst: re2o-ldap.adm
+ protocols:
+ tcp:
+ dport: 389
+ verdict: accept
+ - src: grafana.ext
+ dst: ldap-replica-edc.adm
+ protocols:
+ tcp:
+ dport: 389
+ verdict: accept
 # Admin VPN clients
 - src: vpn-clients
 dst: infra
@@ -342,6 +373,12 @@ firewall__forward:
 tcp:
 dport: 3000
 verdict: accept
+ - src: proxy.pub
+ dst: grafana.ext
+ protocols:
+ tcp:
+ dport: 80
+ verdict: accept
 - src: proxy.pub
 dst: nextcloud.adm
 protocols:
diff --git a/host_vars/ns-master.int.infra.auro.re/knotd.yml b/host_vars/ns-master.int.infra.auro.re/knotd.yml
index bc50dae..5255a80 100644
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
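Review bot: The two LDAP rules in the hunk at @@ -268 admit TCP 389 from `grafana.ext` to `re2o-ldap.adm` and `ldap-replica-edc.adm`, and 389 is the cleartext LDAP port; unless the Grafana LDAP client on that host is configured to negotiate StartTLS (not visible in this patch), bind credentials and directory lookups cross from the ext zone into the adm zone unencrypted. Either allow LDAPS on 636 instead, or record the StartTLS requirement next to the rules so the plaintext port is a documented, deliberate choice rather than a default. The comment `# Prometheus for Grafana nixos` covers only the first of the three new rules; a second comment before the re2o-ldap rule, e.g. `# LDAP auth for Grafana nixos (re2o + EDC replica)`, would keep the rule list self-describing.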
@@ -343,6 +343,9 @@ knotd__hosts:
 collabora.ext:
 - 2a09:6840:211::1:1
 - 10.211.1.1
+ grafana.ext:
+ - 2a09:6840:211::1:7
+ - 10.211.1.7
 proxy.pub:
 - 2a09:6840:215::1:1
 - 45.66.111.206
@@ -378,17 +381,14 @@ knotd__zones:
 - target:
 - ns-1.pub.infra
 - ns-2.pub.infra
- - ns-3.ovh.infra
 - name: infra
 target:
 - ns-1.pub.infra
 - ns-2.pub.infra
- - ns-3.ovh.infra
 - name: test
 target:
 - ns-1.pub.infra
 - ns-2.pub.infra
- - ns-3.ovh.infra
 - name: adm
 target:
 - serge
@@ -436,6 +436,7 @@ knotd__zones:
 target: proxy-ovh
 - name:
 - grafana
+ - grafana-ng
 - nextcloud
 - cloud
 - office
@@ -495,7 +496,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 mx:
 - exchange: mx
 preference: 5
@@ -524,7 +524,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 hosts: "{{ knotd__hosts['infra.auro.re'] }}"
 
 108.66.45.in-addr.arpa:
@@ -541,7 +540,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 109.66.45.in-addr.arpa:
 dnssec_policy: ripe
 notify:
@@ -556,7 +554,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 110.66.45.in-addr.arpa:
 dnssec_policy: ripe
 notify:
@@ -571,7 +568,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 reverse_hosts: "{{ knotd__hosts['adh.auro.re']
 | ip_filter(['45.66.110.0/24'])
 | add_origin_keys('adh.auro.re.') }}"
@@ -589,7 +585,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 reverse_hosts: "{{ knotd__hosts['auro.re']
 | ip_filter(['45.66.111.0/24'])
 | add_origin_keys('auro.re.') }}"
@@ -607,7 +602,6 @@ knotd__zones:
 - target:
 - ns-1.pub.infra.auro.re.
 - ns-2.pub.infra.auro.re.
- - ns-3.ovh.infra.auro.re.
 reverse_hosts: "{{ knotd__hosts['auro.re']
 | ip_filter(['2a09:6840::/32'])
 | add_origin_keys('auro.re.')
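Review bot: The hunks at @@ -378, -495, -524, -541, -556, -571, -589 and -607 drop `ns-3.ovh.infra` / `ns-3.ovh.infra.auro.re.` from every zone's NS target list, which is a nameserver decommission unrelated to the grafana-ng change named in the subject line and not mentioned anywhere in the commit. If the parent delegations (the registrar for `auro.re`, the RIR delegation for the `in-addr.arpa` zones) and any glue for ns-3 are not updated in the same step, the zone's NS set and the parent's disagree and the delegation is lame for that server; whether that has been done is not visible here. Splitting the removal into its own commit with a one-line rationale in the message (e.g. `ns-3.ovh decommissioned; parent NS records updated in <ticket-placeholder>`) would make it reviewable and auditable on its own.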
diff --git a/host_vars/proxy.pub.infra.auro.re.yml b/host_vars/proxy.pub.infra.auro.re.yml
index 80a583f..abb1ad0 100644
--- a/host_vars/proxy.pub.infra.auro.re.yml
+++ b/host_vars/proxy.pub.infra.auro.re.yml
@@ -37,6 +37,10 @@ caddy__routes_https:
 reverse:
 - "[2a09:6840:128::98]:3000"
 - 10.128.0.98:3000
+ grafana-ng.auro.re:
+ reverse:
+ - "[2a09:6840:211::1:7]:80"
+ - 10.211.1.7:80
 office.auro.re:
 reverse:
 - "[2a09:6840:211::1:1]:9980"
diff --git a/shell.nix b/shell.nix
index c04a11d..28b499d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -4,6 +4,7 @@
 ansible_2_16
 python313Packages.jinja2
 python313Packages.requests
+ python313Packages.pydantic_1
 python313Packages.pysocks
 python313Packages.dns
 ];
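Review bot: `python313Packages.pydantic_1` in the shell.nix hunk pins the legacy pydantic 1.x line without saying which script or filter plugin in this repository imports it, and nothing else in this patch uses pydantic. A trailing comment such as `python313Packages.pydantic_1  # v1 API required by <consumer-placeholder>` would record why the older major is chosen over current pydantic and make the input easy to drop once that consumer is ported. Undocumented dev-shell inputs tend to outlive the code that needed them.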