feat(nasp): sops and telegraf (experimental)
This commit is contained in:
parent
6b49e40596
commit
82da5eb829
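--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,66 @@
+keys:
+- &dictxiong-pgp 3E241558655D7FE06C6711A5A5D6250D1806CAA8
+- &g2 age1rys66tr9cd38fag98wm4xe2a2z7ye0qzr00jgz2wdz6njvkp3scslfd0mh
+- &g3 age1gfyfc6tqphyw64ygg4w8sj73pqzycfsc4ptwyhau0sk4q3ffqprqwxexsy
+- &g5 age1fy8qhzakfy5wd47fc27jzp3yag6h4fzrkav2slahvw27v8hctdpsgkj0dm
+- &g6 age19p9nxw3us3q3yu7gcvlhafw894jwe3ux8dcjmq7cz8z96we2qqrs7en54a
+- &g7 age1zvcjq6dvsejnusny6czett98ld36sjxye5qxrazqup8we37kyf6qgkrqhw
+- &g10 age15v6levndaa50p69d0hhgyhaduazre6zrgca9rcuc728umaenj36s2zqj93
+- &g11 age19rgse270d0aq8kwzmnalafvrwqrjdhyrz7dejlar0dypf20hgclsx5h720
+- &g12 age1mxqwn0gw25yaj48nkhe4nsc60l25nam0fdlaeqd8z5ft2rxhv9ksuc5fyq
+- &g14 age14zehkczemky9y0gucf245zw73y4waq8w03lqakanlvjyxgwzcycqj47shq
+creation_rules:
+- path_regex: hosts/g2/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g2
+- path_regex: hosts/g3/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g3
+- path_regex: hosts/g5/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g5
+- path_regex: hosts/g6/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g6
+- path_regex: hosts/g7/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g7
+- path_regex: hosts/g10/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g10
+- path_regex: hosts/g11/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g11
+- path_regex: hosts/g12/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g12
+- path_regex: hosts/g14/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *dictxiong-pgp
+age:
+- *g14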
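Review bot: The `path_regex` values (`hosts/g2/[^/]+\.(yaml|json|env|ini)$` and the eight sibling rules) are anchored only at the end, and sops matches the regex anywhere in the path relative to this file, so a file elsewhere in the tree whose path happens to contain `hosts/g2/` would also be encrypted to g2's key; anchoring the start, `path_regex: ^hosts/g2/[^/]+\.(yaml|json|env|ini)$`, makes each rule match exactly the intended directory. Each rule has a single key group holding the admin PGP key and one host age key, which means either key on its own decrypts that host's secrets (sops needs one key per group, not every key in the group); a header comment stating that intent would help, e.g. `# one rule per host: the admin PGP key or the host's own age key decrypts; rerun 'sops updatekeys' on affected files after any key changes`. The age recipients appear to be derived from SSH host keys (the ssh-to-age notes in the module change suggest so), in which case reinstalling a host invalidates its entry here and the note above should say so.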
@ -6,6 +6,8 @@ let
dockerCfg = mainCfg.docker;
nginxCfg = mainCfg.nginx;
registryCfg = mainCfg.registry;
sopsCfg = mainCfg.sops;
telegrafCfg = mainCfg.telegraf;
gCfg = mainCfg.gSeries;
dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
in
@ -25,6 +27,12 @@ in
registry = {
enable = lib.mkEnableOption "the nasp registry";
};
sops = {
enable = lib.mkEnableOption "sops";
};
telegraf = {
enable = lib.mkEnableOption "telegraf";
};
gSeries = {
enable = lib.mkEnableOption "the g-series server configurations";
serial = lib.mkOption {
@ -234,6 +242,58 @@ in
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
'';
})
# sops-nix
## gpg --fetch-keys "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xa5d6250d1806caa8"
## nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
## mkdir -p ~/.config/sops/age
## nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > ~/.config/sops/age/keys.txt"
(lib.mkIf sopsCfg.enable {
sops.defaultSopsFile = ../${mainCfg.hostName}/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
})
# telegraf
(lib.mkIf (telegrafCfg.enable) {
sops.secrets.telegraf = assert sopsCfg.enable; {};
services.telegraf = {
enable = true;
environmentFiles = [ "/run/secrets/telegraf" ];
extraConfig = {
agent = {
interval = "3s";
round_interval = true;
metric_batch_size = 1000;
metric_buffer_limit = 10000;
collection_jitter = "0s";
flush_interval = "30s";
flush_jitter = "3s";
precision = "0s";
hostname = assert (mainCfg.netName != ""); mainCfg.netName;
omit_hostname = false;
};
outputs.influxdb_v2 = {
urls = [ "\${INFLUX_URL}" ];
token = "\${INFLUX_TOKEN}";
organization = "nasp.fit";
bucket = "trash";
bucket_tag = "bucket";
exclude_bucket_tag = true;
timeout = "5s";
};
inputs.system = {
name_override = "load";
tags = { bucket = "device"; };
fieldpass = [ "load1" "bucket" ];
interval = "15s";
};
inputs.mem = {
name_override = "memory";
tags = { bucket = "device"; };
fieldpass = [ "used" "total" "bucket"];
interval = "30s";
};
};
};
})
# g series
(lib.mkIf (gCfg.enable) (let
ipSuffix = (builtins.toString (gCfg.serial + 100)); in {
@ -314,11 +374,24 @@ in
fsType = "nfs";
};
## packages and services
nasp.docker.enable = true;
nasp.nvidia.enable = true;
nasp.registry.enable = true;
nasp.nginx.enable = true;
nasp.nginx.enableCodeServer = true;
nasp.docker.enable = lib.mkDefault true;
nasp.nvidia.enable = lib.mkDefault true;
nasp.registry.enable = lib.mkDefault true;
nasp.nginx.enable = lib.mkDefault true;
nasp.nginx.enableCodeServer = lib.mkDefault true;
nasp.sops.enable = lib.mkDefault true;
nasp.telegraf.enable = lib.mkDefault true;
services.telegraf.extraConfig = {
inputs.net = {
interfaces = [ gCfg.eth0Name gCfg.eth1Name gCfg.eth2Name ];
ignore_protocol_stats = true;
tags = { bucket = "device"; };
};
inputs.nvidia_smi = {
bin_path = "/run/current-system/sw/bin/nvidia-smi";
tags = { bucket = "device"; };
};
};
}))
]);
}
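Review bot: The two bare `assert` expressions in the telegraf block (`sops.secrets.telegraf = assert sopsCfg.enable; {};` and `hostname = assert (mainCfg.netName != ""); mainCfg.netName;`) fail evaluation with only a file position, so an operator who enables `nasp.telegraf` without `nasp.sops` gets no hint of the cause. The module `assertions` option carries a message instead: `assertions = [ { assertion = sopsCfg.enable; message = "nasp.telegraf requires nasp.sops.enable"; } ];` inside the `lib.mkIf (telegrafCfg.enable)` set, with a parallel entry for `netName`, leaving `sops.secrets.telegraf = {};` as a plain declaration. The secret is consumed only through `environmentFiles` and the `\${INFLUX_URL}` / `\${INFLUX_TOKEN}` placeholders, which keeps the token out of the Nix store; a comment such as `# env file providing INFLUX_URL and INFLUX_TOKEN, decrypted by sops-nix at activation` on the `sops.secrets.telegraf` line would record that contract. Whether `../${mainCfg.hostName}/secrets.yaml` resolves to a path matched by the `hosts/<name>/` rules in `.sops.yaml` cannot be checked from this hunk. The enclosing module attribute set begins outside the hunks.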