diff --git a/flake.nix b/flake.nix
index 2fcb8db..2036630 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,13 @@ ++ defaultConfig;
in {
+ grafana = nixosSystem {
+ specialArgs = inputs;
+ modules = [
+ ./hosts/vm/grafana
+ ]
+ ++ defaultVM;
+ };
# VL: Peut-être avoir de l'auto-discovery: On a beaucoup trop de machines
jitsi = nixosSystem {
specialArgs = inputs;
diff --git a/hosts/vm/grafana/default.nix b/hosts/vm/grafana/default.nix
new file mode 100644
index 0000000..3672d7a
--- /dev/null
+++ b/hosts/vm/grafana/default.nix
@@ -0,0 +1,52 @@
+{ ... }:
+
+{
+ imports = [
+ ./grafana.nix
+ ];
+
+ networking = {
+ hostName = "grafana";
+ domain = "ext.infra.auro.re";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+
+ systemd.network = {
+ enable = true;
+
+ links = {
+ "10-ext" = {
+ matchConfig.MACAddress = "ae:ae:ae:a4:7d:ab";
+ linkConfig.Name = "ext";
+ };
+ };
+
+ networks = {
+ "10-ext" = {
+ domains = [
+ "ext.infra.auro.re"
+ "auro.re"
+ ];
+ matchConfig.Name = "ext";
+ linkConfig.RequiredForOnline = "routable";
+ address = [
+ "10.211.1.7/16"
+ "2a09:6840:211::1:7/64"
+ ];
+ routes = [
+ { Gateway = "10.211.0.1"; }
+ { Gateway = "2a09:6840:211::1"; }
+ ];
+ dns = [
+ "10.206.1.1"
+ "10.206.1.2"
+ "2a09:6840:206::1:1"
+ "2a09:6840:206::1:2"
+ ];
+ };
+ };
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/vm/grafana/grafana.nix b/hosts/vm/grafana/grafana.nix
new file mode 100644
index 0000000..2aaf160
--- /dev/null
+++ b/hosts/vm/grafana/grafana.nix
@@ -0,0 +1,110 @@
+{ pkgs, config, ... }:
+
+let
+ cfg = config.services.grafana;
+ fileProvider = path: "$__file{${path}}";
+ ldapServer = {
+ host = "re2o-ldap.adm.auro.re ldap-replica-edc 10.128.0.21 10.128.4.249";
+ port = 389;
+ use_ssl = false;
+ start_tls = false;
+ bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re";
+ bind_password = fileProvider config.age.secrets.grafana-ldap-password.path;
+ search_filter = "(&(objectClass=posixAccount)(cn=%s))";
+ search_base_dns = [ "cn=Utilisateurs,dc=auro,dc=re" ];
+ group_search_base_dns = [ "ou=posix,ou=groups,dc=auro,dc=re" ];
+ group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
+ group_search_filter_user_attribute = "uid";
+ attributes = {
+ email = "mail";
+ };
+ "group_mappings" = [
+ {
+ group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re";
+ org_role = "Admin";
+ grafana_admin = true;
+ }
+ {
+ group_dn = "cn=technicien,ou=posix,ou=groups,dc=auro,dc=re";
+ org_role = "Editor";
+ }
+ {
+ group_dn = "*";
+ org_role = "Viewer";
+ }
+ ];
+ };
+ ldapConfig = (pkgs.formats.toml { }).generate "ldap.toml" {
+ servers = [ ldapServer ];
+ };
+in
+{
+ age.secrets = {
+ grafana-admin-password = {
+ file = ../../../secrets/grafana/admin_password.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-secret-key = {
+ file = ../../../secrets/grafana/secret_key.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-ldap-password = {
+ file = ../../../secrets/grafana/ldap_password.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+
+ settings = {
+ server.protocol = "socket";
+ analytics = {
+ reporting_enabled = false;
+ feedback_links_enabled = false;
+ };
+ security = {
+ admin_user = "admin";
+ admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
+ secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
+ };
+ "auth.ldap" = {
+ enabled = true;
+ allow_sign_up = true;
+ skip_org_role_sync = false;
+ config_file = toString ldapConfig;
+ };
+ };
+
+ provision.datasources.settings.datasources =
+ [
+ {
+ name = "Infrastructure 1";
+ type = "prometheus";
+ uid = "infra-1";
+ url = "http://10.204.1.1:9090";
+ editable = false;
+ jsonData = {
+ isDefault = true;
+ };
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = { };
+ virtualHosts."grafana-ng.auro.re" = {
+ root = cfg.settings.server.static_root_path;
+ locations."/".tryFiles = "$uri @grafana";
+ locations."@grafana".proxyPass = "http://grafana";
+ };
+ };
+
+ users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
+}
diff --git a/profiles/common/ssh.nix b/profiles/common/ssh.nix
index 49b1233..858abcc 100644
--- a/profiles/common/ssh.nix
+++ b/profiles/common/ssh.nix
@@ -1,16 +1,6 @@
{ config, ... }: {
- age.secrets = {
- ssh_users_ca = {
- file = ../../secrets/common/ssh/users_ca.age;
- path = "/etc/ssh/users_ca.pub";
- owner = "root";
- group = "root";
- mode = "400";
- };
- };
-
services.openssh = {
enable = true;
@@ -28,7 +18,6 @@ SyslogFacility AUTH
UsePAM no
TCPKeepAlive yes
- TrustedUserCAKeys ${config.age.secrets.ssh_users_ca.path}
VersionAddendum none
'';
diff --git a/secrets.nix b/secrets.nix
index 1ba3bab..94db669 100644
--- a/secrets.nix
+++ b/secrets.nix
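Review bot: The LDAP client in `ldapServer` is configured with `use_ssl = false;` and `start_tls = false;` on port 389, so the bind credential loaded from the agenix secret and every user's password typed into the login form cross the network in cleartext to the hosts listed in `host`; unless that adm network is explicitly treated as trusted, set `start_tls = true;` (plus `root_ca_cert` if the directory uses a private CA) so the care taken with `bind_password` is not undone on the wire. Likewise `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443, but the `grafana-ng.auro.re` vhost declares neither `forceSSL` nor `enableACME`, so as written the login form is served over plain HTTP unless TLS is terminated upstream, which deserves a comment either way. The catch-all `group_dn = "*"` mapping together with `allow_sign_up = true` gives any account under `cn=Utilisateurs` that can bind a Viewer login; if that is intended, say so next to the mapping. Finally, `ldapConfig` is generated into the world-readable Nix store, so the `bind_password` line should carry a comment such as `# referenced by path via $__file{} so the store copy of ldap.toml holds no secret material`.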
@@ -1,17 +1,25 @@
let
# responsable technique
- korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e korenstin@nixos";
- lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl lafeychine@P14s";
+ korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu/fWY86IU7s5JIcxu8rsDwHd0JalvK1tUSzAAy3S3e";
+ lafeychine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHt8Bk4HAmuLYif/K6JAXteZFyihX6KKL5gM7gCA2Cl";
+ hachino = "ssh-rsa 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";
respo_technique = [
korenstin
lafeychine
+ hachino
];
# vm
jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBwpK5qfEsuapx+8tOCmEY0hpy3V6M0OSqwoByriCX5 root@jitsi";
- vm = [ jitsi ];
+ grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErGGJ9JNa7sZQOADXWCfcKpgF0xuYTLUC+ErMV9IkPJ root@grafana";
+ vm = [
+ jitsi
+ grafana
+ ];
in {
- "secrets/common/ssh/users_ca.age".publicKeys = respo_technique ++ vm;
+ "secrets/grafana/admin_password.age".publicKeys = respo_technique ++ [ grafana ];
+ "secrets/grafana/ldap_password.age".publicKeys = respo_technique ++ [ grafana ];
+ "secrets/grafana/secret_key.age".publicKeys = respo_technique ++ [ grafana ];
}
diff --git a/secrets/common/ssh/users_ca.age b/secrets/common/ssh/users_ca.age
deleted file mode 100644
index 55b0f1b..0000000
Binary files a/secrets/common/ssh/users_ca.age and /dev/null differ
diff --git a/secrets/grafana/admin_password.age b/secrets/grafana/admin_password.age
new file mode 100644
index 0000000..c8a6890
--- /dev/null
+++ b/secrets/grafana/admin_password.age
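Review bot: `vm` becomes an unused binding in this hunk: the only consumer, the `users_ca.age` entry, is removed, and the three new grafana secrets use `[ grafana ]` directly, so either drop the list or keep it with a comment stating what it is reserved for, e.g. `# vm: host keys kept for secrets that every VM must decrypt`. Scoping the grafana secrets to `respo_technique ++ [ grafana ]` rather than the whole `vm` list is the right call and matches the four recipient stanzas visible in the added `.age` files; a one-line comment above those entries saying that per-host secrets are deliberately not shared across VMs would keep the next host from copying the broader list.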
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 6qBTxA rpz6GQsKHdPX+Hc6pMvSpWzgBMYpYpKPOjIyU+rX21A +KNLlxBgAVped7g3B24kHLJHyI0i8vwSB3tvXrMi+WiE +-> ssh-ed25519 tQAKMw mPZPUXxd9THMuuR4KGnQu/9zKAXuoijEMp1RecaDGgU +S8U2HxCLbHMMyo5JYsdhX6H+mtl9rkXgSVWBrX3Cf28 +-> ssh-rsa REaZBA +PkLlexB3ZsI+Gc4dP9SDUTHDScPnZTMJ+cU5msrquFXhUbZd3xMRh17E0bH8dFD0 +JkTYNsMdPH5NtcsN2uPLHlB3KMDO32boPhCZOrWqyFeJ/os/wZm9wY7HzrbEYNV2 +RBGCzb4EhvctKPhQL5J0CkuemJI3RL+E20p2BdwWfUDQxcqxdUQHzszm3ONpyTkf +20eN/rd0P2LBRc2NxHrbesRqsY4HmusTSBYBHqvNfkdBFV/GkMYUGlF1h2JhxLv0 +fK7AB3G+u+HX4Grhhl0Vdl+r7wjRVW6T6IC1iwHaPw7Iwg1QJ0PRuoJGo2+iJnnF +yC8HvaqDdq+M/Z17SnAbdGaW+wpFam/GOxBRaS4atltdeZGXu911l6PUzvPqHaIZ +FlhfGedLExcIetF1wzgvD/l+NT3Obu+On2Pa8JGec17d+bJekfG3Y1wXckOhoX26 +IbnT3iygJ99kxIXLvrYqEgJxL7QsgtIdlO1OMs1HYFT5H2X1O7ERW1z8htSKJF+A + +-> ssh-ed25519 1baUFg Q59tfDG1iM0EcTXiZ5pfEOJ7MjYSuuroljgtTvQ9CRE +Xrk54B1FFiYxFFKAhHjgZB9a0RNVeGzPtLH2ATUqQ6g +--- 3qwWrafWUzecR6Qxc3iBTsa1qHSgX6p9ef6H4svB0HI +̒OK )3Owɡ1Q(1}SP/N K F \ No newline at end of file diff --git a/secrets/grafana/ldap_password.age b/secrets/grafana/ldap_password.age new file mode 100644 index 0000000..d332a4c Binary files /dev/null and b/secrets/grafana/ldap_password.age differ diff --git a/secrets/grafana/secret_key.age b/secrets/grafana/secret_key.age new file mode 100644 index 0000000..cc98dee --- /dev/null +++ b/secrets/grafana/secret_key.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 6qBTxA fzgvb33y/ccMbjxrzPiBRpcM5KqHGv8lDsn/LFCvbgU +HIQJNjELuFvyyncKiduNEwzII/Bcp9oYhbZWzvZkvK8 +-> ssh-ed25519 tQAKMw Jrhrys8NOiXukzc5fEbedoMV+ls8bW3wwzS7K41PS2Y +gPU1H2QI0XObePui5CKf1pO5C93igQTwMcJSwTC4xYY +-> ssh-rsa REaZBA +XUsv/XEoyb2ckPE7pGV9ntH+Gn8vd06uDL3pMIv4CesEQcvn1Ppn0Uymlmm096jw +umY66FHetl45tJbEWx9os2vNw420+ESHfyZCef32D+hM94VTYV6r3hMTPVEsHsrf ++lWXCLVhTaUpKfAb3w7E7gnKm0JTBX//hbrZKoQrBZ6nvn/5clkNBmRa43GKqi22 +FlfOe7y+DiNBp9c15K16FHijO2u8QONqcD/iHdVwOQncQAhVnzdTs048aLWefhFJ +VHXcmX3/LLc1LtMnMTloHsOUa3UU8TEG9xet7KeWxgyeMITBKuY3nmVFKPHEl6Ty +wSyarADyrTLV8tT2UUGPQmyGh868CHTg7Jy422riM8JG5FJRxg8sxK7UOokGflHI +vHPTUx+94/goN3IyyW9qum+2Mr+Dee3k2kBWb25gOAIme3vnxOBCAVgw7irz7Nsg +avYnQLuQR8T/8ldWgst2aDTIe0rijxtP2i6JwzfSQGfaENXe/6U06f50wuBcYdm9 + +-> ssh-ed25519 1baUFg iEpEJcziOF24syWa7TiUNi904a/ajacQaws2Y+NjnG8 +09a1FRksRWGYYdpHHyWZ96OfbGzXXKfqX+hnfGpUjL8 +--- H/TyEYeNgKY1Q5p6bdw8AyEjXYcBjftRRayvUVq9Dy0 +" +jܺʢf$%UvZ-]?KwQU}V \ No newline at end of file