From da86fe8fac34c0c4eedb4926a718d578048c1c14 Mon Sep 17 00:00:00 2001 From: korenstin Date: Mon, 6 Oct 2025 20:51:12 +0200 Subject: [PATCH] grafana: configuration du service --- flake.nix | 7 ++ hosts/vm/grafana/default.nix | 52 +++++++++++++ hosts/vm/grafana/grafana.nix | 114 +++++++++++++++++++++++++++++ profiles/common/ssh.nix | 11 --- secrets.nix | 16 +++- secrets/common/ssh/users_ca.age | Bin 637 -> 0 bytes secrets/grafana/admin_password.age | 19 +++++ secrets/grafana/ldap_password.age | Bin 0 -> 1005 bytes secrets/grafana/secret_key.age | 20 +++++ 9 files changed, 224 insertions(+), 15 deletions(-) create mode 100644 hosts/vm/grafana/default.nix create mode 100644 hosts/vm/grafana/grafana.nix delete mode 100644 secrets/common/ssh/users_ca.age create mode 100644 secrets/grafana/admin_password.age create mode 100644 secrets/grafana/ldap_password.age create mode 100644 secrets/grafana/secret_key.age diff --git a/flake.nix b/flake.nix index 2fcb8db..2036630 100644 --- a/flake.nix +++ b/flake.nix @@ -53,6 +53,13 @@ ++ defaultConfig; in { + grafana = nixosSystem { + specialArgs = inputs; + modules = [ + ./hosts/vm/grafana + ] + ++ defaultVM; + }; # VL: Peut-être avoir de l'auto-discovery: On a beaucoup trop de machines jitsi = nixosSystem { specialArgs = inputs; diff --git a/hosts/vm/grafana/default.nix b/hosts/vm/grafana/default.nix new file mode 100644 index 0000000..3672d7a --- /dev/null +++ b/hosts/vm/grafana/default.nix 
@@ -0,0 +1,52 @@
+{ ... }:
+
+{
+ imports = [
+ ./grafana.nix
+ ];
+
+ networking = {
+ hostName = "grafana";
+ domain = "ext.infra.auro.re";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+
+ systemd.network = {
+ enable = true;
+
+ links = {
+ "10-ext" = {
+ matchConfig.MACAddress = "ae:ae:ae:a4:7d:ab";
+ linkConfig.Name = "ext";
+ };
+ };
+
+ networks = {
+ "10-ext" = {
+ domains = [
+ "ext.infra.auro.re"
+ "auro.re"
+ ];
+ matchConfig.Name = "ext";
+ linkConfig.RequiredForOnline = "routable";
+ address = [
+ "10.211.1.7/16"
+ "2a09:6840:211::1:7/64"
+ ];
+ routes = [
+ { Gateway = "10.211.0.1"; }
+ { Gateway = "2a09:6840:211::1"; }
+ ];
+ dns = [
+ "10.206.1.1"
+ "10.206.1.2"
+ "2a09:6840:206::1:1"
+ "2a09:6840:206::1:2"
+ ];
+ };
+ };
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/vm/grafana/grafana.nix b/hosts/vm/grafana/grafana.nix
new file mode 100644
index 0000000..5f18ea8
--- /dev/null
+++ b/hosts/vm/grafana/grafana.nix
@@ -0,0 +1,114 @@
+{ pkgs, config, ... }:
+
+let
+ cfg = config.services.grafana;
+ fileProvider = path: "$__file{${path}}";
+ ldapServer = {
+ host = "re2o-ldap.adm.auro.re ldap-replica-edc 10.128.0.21 10.128.4.249";
+ port = 389;
+ use_ssl = false;
+ start_tls = false;
+ bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re";
+ bind_password = fileProvider config.age.secrets.grafana-ldap-password.path;
+ search_filter = "(&(objectClass=posixAccount)(cn=%s))";
+ search_base_dns = [ "cn=Utilisateurs,dc=auro,dc=re" ];
+ group_search_base_dns = [ "ou=posix,ou=groups,dc=auro,dc=re" ];
+ group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
+ group_search_filter_user_attribute = "uid";
+ attributes = {
+ email = "mail";
+ };
+ "group_mappings" = [
+ {
+ group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re";
+ org_role = "Admin";
+ grafana_admin = true;
+ }
+ {
+ group_dn = "cn=technicien,ou=posix,ou=groups,dc=auro,dc=re";
+ org_role = "Editor";
+ }
+ {
+ group_dn = "*";
+ org_role = "Viewer";
+ }
+ ];
+ };
+ ldapConfig = (pkgs.formats.toml { }).generate "ldap.toml" {
+ servers = [ ldapServer ];
+ };
+in
+{
+ age.secrets = {
+ grafana-admin-password = {
+ file = ../../../secrets/grafana/admin_password.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-secret-key = {
+ file = ../../../secrets/grafana/secret_key.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-ldap-password = {
+ file = ../../../secrets/grafana/ldap_password.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+
+ settings = {
+ server.protocol = "socket";
+ analytics = {
+ reporting_enabled = false;
+ feedback_links_enabled = false;
+ };
+ security = {
+ admin_user = "admin";
+ admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
+ secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
+ };
+ "auth.ldap" = {
+ enabled = true;
+ allow_sign_up = true;
+ skip_org_role_sync = false;
+ 
config_file = toString ldapConfig; + }; + }; + + provision.datasources.settings.datasources = + [ + { + name = "Infrastructure 1"; + type = "prometheus"; + uid = "infra-1"; + url = "http://10.204.1.1:9090"; + editable = false; + jsonData = { + isDefault = true; + }; + } + ]; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = { }; + virtualHosts."grafana-ng.auro.re" = { + root = cfg.settings.server.static_root_path; + locations."/".tryFiles = "$uri @grafana"; + locations."@grafana".proxyPass = "http://grafana"; + }; + }; + + users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ]; +} diff --git a/profiles/common/ssh.nix b/profiles/common/ssh.nix index 49b1233..858abcc 100644 --- a/profiles/common/ssh.nix +++ b/profiles/common/ssh.nix @@ -1,16 +1,6 @@ { config, ... }: { - age.secrets = { - ssh_users_ca = { - file = ../../secrets/common/ssh/users_ca.age; - path = "/etc/ssh/users_ca.pub"; - owner = "root"; - group = "root"; - mode = "400"; - }; - }; - services.openssh = { enable = true; @@ -28,7 +18,6 @@ SyslogFacility AUTH UsePAM no TCPKeepAlive yes - TrustedUserCAKeys ${config.age.secrets.ssh_users_ca.path} VersionAddendum none ''; diff --git a/secrets.nix b/secrets.nix index 1ba3bab..94db669 100644 --- a/secrets.nix +++ b/secrets.nix 
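Review bot: `virtualHosts."grafana-ng.auro.re"` in the nginx block at the end of the hunk sets neither `forceSSL`/`enableACME` nor a certificate, so despite `recommendedTlsSettings = true` and 443 being opened in `allowedTCPPorts`, the vhost only answers on plain HTTP and the LDAP credentials typed into the login form, plus the Grafana session cookie, cross the network unencrypted. Adding `forceSSL = true; enableACME = true;` to the vhost (with ACME set up for that domain elsewhere, or `sslCertificate`/`sslCertificateKey` if certificates are managed differently) makes the 443 opening meaningful. Separately, `ldapServer` uses `use_ssl = false; start_tls = false;` on port 389, so the `grafana` bind password and every user's password are also sent in cleartext to the re2o LDAP hosts; unless that path is an isolated admin network, `start_tls = true` together with `root_ca_cert` is the usual fix. Lastly, `isDefault = true` is placed inside `jsonData` of the provisioned datasource, where Grafana treats it as an opaque plugin setting; it belongs next to `editable = false` at the datasource level to actually make "Infrastructure 1" the default.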
@@ -1,17 +1,25 @@ let # responsable technique - korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e korenstin@nixos"; - lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl lafeychine@P14s"; + korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e"; + lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl"; + hachino = "ssh-rsa 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"; respo_technique = [ korenstin lafeychine + hachino ]; # vm jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBwpK5qfEsuapx+8tOCmEY0hpy3V6M0OSqwoByriCX5 root@jitsi"; - vm = [ jitsi ]; + grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErGGJ9JNa7sZQOADXWCfcKpgF0xuYTLUC+ErMV9IkPJ root@grafana"; + vm = [ + jitsi + grafana + ]; in { - "secrets/common/ssh/users_ca.age".publicKeys = respo_technique ++ vm; + "secrets/grafana/admin_password.age".publicKeys = respo_technique ++ [ grafana ]; + "secrets/grafana/ldap_password.age".publicKeys = respo_technique ++ [ grafana ]; + "secrets/grafana/secret_key.age".publicKeys = respo_technique ++ [ grafana ]; } 
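Review bot: After this hunk the `vm` list (`jitsi`, `grafana`) is no longer used by any secret: its only consumer was the removed `secrets/common/ssh/users_ca.age` entry, and the three new grafana entries use `[ grafana ]` directly, so the `jitsi` key now encrypts nothing and `vm = [ jitsi grafana ];` is a dead binding. Either drop `vm` and the `# vm` section, or keep the list and use it where VM-wide secrets are intended, so the intent stays readable to the next person adding a host. The removal of `users_ca.age` here, together with the `TrustedUserCAKeys` and `age.secrets.ssh_users_ca` deletions in `profiles/common/ssh.nix` earlier in the patch, appears to drop CA-signed SSH certificate trust on every host importing that profile, which the subject `grafana: configuration du service` does not cover; that change deserves its own commit or at least a sentence in the description so a lockout is not traced back to a "grafana" commit by surprise.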
diff --git a/secrets/common/ssh/users_ca.age b/secrets/common/ssh/users_ca.age deleted file mode 100644 index 55b0f1b725034e9b1f41d93b8742509bb120dc04..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 637 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSPD|8B}a8xjNF$zsA zNi_C1G%yG?&oB;h3G~aawD2(3b~ko+$;r$vcgr?1EzLG|j^y$%3aWHX(hjKd@yN-~ zt8{g94~Z%&4|cQ6t8fp_jZE?laW8bqNC_?t%tyDaB+${@w_KsrqcF&^$jrQ;$S5hK zve>L5tsujwD8Mf(skq$OG{h*#G0E6G$;h=Z&yg#vq&Ujb$ig@@)iTi3CABOhGp!=q ztjr`WG$+H!Gto6E&pE5K+&9A6)fL?~(_BA;l5~ZP)Cx1>tO&2NK=(X-ze@dplGHp8 zza$Go|3s(cB9r2j$dIf6SO1WZ91AYDJmbP*r%FF>pU^CqoRo~ffW-8w9FJV@@XGMW zj9iNhzassrw4B5oeG@KSU0sDLZR5_yV_YrPyTO^&XQ_HQ~S87=j}++R9a#&~~z%R{4^|!FLe5zbxiDrxo+Xle7(gRzTTT*qxo{uOS7NvFY0W5v+S+ ssh-ed25519 6qBTxA rpz6GQsKHdPX+Hc6pMvSpWzgBMYpYpKPOjIyU+rX21A +KNLlxBgAVped7g3B24kHLJHyI0i8vwSB3tvXrMi+WiE +-> ssh-ed25519 tQAKMw mPZPUXxd9THMuuR4KGnQu/9zKAXuoijEMp1RecaDGgU +S8U2HxCLbHMMyo5JYsdhX6H+mtl9rkXgSVWBrX3Cf28 +-> ssh-rsa REaZBA +PkLlexB3ZsI+Gc4dP9SDUTHDScPnZTMJ+cU5msrquFXhUbZd3xMRh17E0bH8dFD0 +JkTYNsMdPH5NtcsN2uPLHlB3KMDO32boPhCZOrWqyFeJ/os/wZm9wY7HzrbEYNV2 +RBGCzb4EhvctKPhQL5J0CkuemJI3RL+E20p2BdwWfUDQxcqxdUQHzszm3ONpyTkf +20eN/rd0P2LBRc2NxHrbesRqsY4HmusTSBYBHqvNfkdBFV/GkMYUGlF1h2JhxLv0 +fK7AB3G+u+HX4Grhhl0Vdl+r7wjRVW6T6IC1iwHaPw7Iwg1QJ0PRuoJGo2+iJnnF +yC8HvaqDdq+M/Z17SnAbdGaW+wpFam/GOxBRaS4atltdeZGXu911l6PUzvPqHaIZ +FlhfGedLExcIetF1wzgvD/l+NT3Obu+On2Pa8JGec17d+bJekfG3Y1wXckOhoX26 +IbnT3iygJ99kxIXLvrYqEgJxL7QsgtIdlO1OMs1HYFT5H2X1O7ERW1z8htSKJF+A + +-> ssh-ed25519 1baUFg Q59tfDG1iM0EcTXiZ5pfEOJ7MjYSuuroljgtTvQ9CRE +Xrk54B1FFiYxFFKAhHjgZB9a0RNVeGzPtLH2ATUqQ6g +--- 3qwWrafWUzecR6Qxc3iBTsa1qHSgX6p9ef6H4svB0HI +̒OK )3Owɡ1Q(1}SP/N K F \ No newline at end of file 
diff --git a/secrets/grafana/ldap_password.age b/secrets/grafana/ldap_password.age new file mode 100644 index 0000000000000000000000000000000000000000..d332a4c3b0cff619b5b00eefe24aa1ebcdd2eac2 GIT binary patch literal 1005 zcmZ9~yYHiP003}}@dh^k0F#d9NRRiUgGMM6TFSGf1rmoZkMf0<0_DvmH@NBO>}K3< zaJ$jj#l%4uW8!R_y}`uj@>~21KFbHB$uhY|kEv?2^8TWHq*zZN%TE?f1D8omG7Pa= zu(fy`g~g@1HP&TRwsUnHF%!>KF5QuFU>dpMhsO1Squ~{9fF|h(T*Wd|1F@3!+v_@D z1VTHQC&e>JN;s*e&dvH5PxwIg?*Fyc7BqcWNQZlhcZI??O;`D@ctC3pSa(}sNmo8K zUdc@sorH?6;)p(OVa5bCq-tU7jQLvIghE}QRFK{?ZZt}1d$K)c)kgZ0_GrMukwG8| zNL(>17CN_3V%%sjS;qrIYg-DIsLV{8u=j%qhzY?lTn-*^HKmxO@hCaaLeGL}L^iz% z+phDXD{iY^*I!H$%uo`nMvaA8f@jH135`+;*$&_QuL{(^68k%$LfnGm*0GYR#2qn0k=gf~j4MHPxrR7n z5?!w{MK=!l=o4p5Kg|ioK{A{(yrYMX%teEuC~V@4FcP`gs1fVoQudAW4G?-bPh3UO zjfjS2#M}{snK~-&F4>pcUBpI$t%QZsP=3K_78e+n3RDUyVcQPb{;)gj@Pb+~P2QT9 z%r^D2OCF>K@aNtBao2|P>MUCZjtX*l;&+ueZfJ&8DjI=#?6;eG;3B#8NHGSJFO=3X zA-2wRR?yb%BNpW8iRfNgsV+aItS=1?)t z9*HpcFXD2!nEe|7CPS+#3a0e*xXnUtRG_9a5>;6m$IR>6n$`x?Qsk{XeD?aoKmU6E zqyG6n*Pnt<(>HNEfBDA`U%dPMZ*SMXeDtDy_3iTymao5iM%!OSv+(z?&pu|}eB;0O N^6Phghs66o{|m84OiTa( literal 0 HcmV?d00001 diff --git a/secrets/grafana/secret_key.age b/secrets/grafana/secret_key.age new file mode 100644 index 0000000..cc98dee --- /dev/null +++ b/secrets/grafana/secret_key.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 6qBTxA fzgvb33y/ccMbjxrzPiBRpcM5KqHGv8lDsn/LFCvbgU +HIQJNjELuFvyyncKiduNEwzII/Bcp9oYhbZWzvZkvK8 +-> ssh-ed25519 tQAKMw Jrhrys8NOiXukzc5fEbedoMV+ls8bW3wwzS7K41PS2Y +gPU1H2QI0XObePui5CKf1pO5C93igQTwMcJSwTC4xYY +-> ssh-rsa REaZBA +XUsv/XEoyb2ckPE7pGV9ntH+Gn8vd06uDL3pMIv4CesEQcvn1Ppn0Uymlmm096jw +umY66FHetl45tJbEWx9os2vNw420+ESHfyZCef32D+hM94VTYV6r3hMTPVEsHsrf ++lWXCLVhTaUpKfAb3w7E7gnKm0JTBX//hbrZKoQrBZ6nvn/5clkNBmRa43GKqi22 +FlfOe7y+DiNBp9c15K16FHijO2u8QONqcD/iHdVwOQncQAhVnzdTs048aLWefhFJ +VHXcmX3/LLc1LtMnMTloHsOUa3UU8TEG9xet7KeWxgyeMITBKuY3nmVFKPHEl6Ty +wSyarADyrTLV8tT2UUGPQmyGh868CHTg7Jy422riM8JG5FJRxg8sxK7UOokGflHI +vHPTUx+94/goN3IyyW9qum+2Mr+Dee3k2kBWb25gOAIme3vnxOBCAVgw7irz7Nsg +avYnQLuQR8T/8ldWgst2aDTIe0rijxtP2i6JwzfSQGfaENXe/6U06f50wuBcYdm9 + +-> ssh-ed25519 1baUFg iEpEJcziOF24syWa7TiUNi904a/ajacQaws2Y+NjnG8 +09a1FRksRWGYYdpHHyWZ96OfbGzXXKfqX+hnfGpUjL8 +--- H/TyEYeNgKY1Q5p6bdw8AyEjXYcBjftRRayvUVq9Dy0 +" +jܺʢf$%UvZ-]?KwQU}V \ No newline at end of file