feat(nasp): sops and telegraf (experimental)
This commit is contained in:
parent
6b49e40596
commit
82da5eb829
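--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,66 @@
+keys:
+  - &dictxiong-pgp 3E241558655D7FE06C6711A5A5D6250D1806CAA8
+  - &g2 age1rys66tr9cd38fag98wm4xe2a2z7ye0qzr00jgz2wdz6njvkp3scslfd0mh
+  - &g3 age1gfyfc6tqphyw64ygg4w8sj73pqzycfsc4ptwyhau0sk4q3ffqprqwxexsy
+  - &g5 age1fy8qhzakfy5wd47fc27jzp3yag6h4fzrkav2slahvw27v8hctdpsgkj0dm
+  - &g6 age19p9nxw3us3q3yu7gcvlhafw894jwe3ux8dcjmq7cz8z96we2qqrs7en54a
+  - &g7 age1zvcjq6dvsejnusny6czett98ld36sjxye5qxrazqup8we37kyf6qgkrqhw
+  - &g10 age15v6levndaa50p69d0hhgyhaduazre6zrgca9rcuc728umaenj36s2zqj93
+  - &g11 age19rgse270d0aq8kwzmnalafvrwqrjdhyrz7dejlar0dypf20hgclsx5h720
+  - &g12 age1mxqwn0gw25yaj48nkhe4nsc60l25nam0fdlaeqd8z5ft2rxhv9ksuc5fyq
+  - &g14 age14zehkczemky9y0gucf245zw73y4waq8w03lqakanlvjyxgwzcycqj47shq
+creation_rules:
+  - path_regex: hosts/g2/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g2
+  - path_regex: hosts/g3/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g3
+  - path_regex: hosts/g5/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g5
+  - path_regex: hosts/g6/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g6
+  - path_regex: hosts/g7/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g7
+  - path_regex: hosts/g10/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g10
+  - path_regex: hosts/g11/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g11
+  - path_regex: hosts/g12/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g12
+  - path_regex: hosts/g14/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *dictxiong-pgp
+        age:
+          - *g14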
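Review bot: Every creation_rules entry uses a single key group holding both the admin PGP key and one host age key, which in sops means either key alone can decrypt that host's file (Shamir splitting only happens across several groups); a comment above `creation_rules:` such as `# one group per host: the admin PGP key OR the host's own age key decrypts on its own; add a second group only if a Shamir split is wanted` would stop a later reader from assuming both are required. The regexes are unanchored, so `hosts/g2/[^/]+\.(yaml|json|env|ini)$` also matches any deeper `.../hosts/g2/` path sops is asked to encrypt; `^hosts/g2/[^/]+\.(yaml|json|env|ini)$` pins it to the path relative to this file. The NixOS module in the same commit points defaultSopsFile at `../${mainCfg.hostName}/secrets.yaml`, which only hits these rules if the host directories live under `hosts/` and hostName equals the gN label, and a file matching no rule is refused by sops rather than encrypted to a default key — worth stating in that same comment.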
@ -6,6 +6,8 @@ let
dockerCfg = mainCfg.docker;
dockerCfg = mainCfg.docker;
nginxCfg = mainCfg.nginx;
nginxCfg = mainCfg.nginx;
registryCfg = mainCfg.registry;
registryCfg = mainCfg.registry;
sopsCfg = mainCfg.sops;
telegrafCfg = mainCfg.telegraf;
gCfg = mainCfg.gSeries;
gCfg = mainCfg.gSeries;
dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
in
in
@ -25,6 +27,12 @@ in
registry = {
registry = {
enable = lib.mkEnableOption "the nasp registry";
enable = lib.mkEnableOption "the nasp registry";
};
};
sops = {
enable = lib.mkEnableOption "sops";
};
telegraf = {
enable = lib.mkEnableOption "telegraf";
};
gSeries = {
gSeries = {
enable = lib.mkEnableOption "the g-series server configurations";
enable = lib.mkEnableOption "the g-series server configurations";
serial = lib.mkOption {
serial = lib.mkOption {
@ -234,6 +242,58 @@ in
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
%nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip
'';
'';
})
})
# sops-nix
## gpg --fetch-keys "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xa5d6250d1806caa8"
## nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
## mkdir -p ~/.config/sops/age
## nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > ~/.config/sops/age/keys.txt"
(lib.mkIf sopsCfg.enable {
sops.defaultSopsFile = ../${mainCfg.hostName}/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
})
# telegraf
(lib.mkIf (telegrafCfg.enable) {
sops.secrets.telegraf = assert sopsCfg.enable; {};
services.telegraf = {
enable = true;
environmentFiles = [ "/run/secrets/telegraf" ];
extraConfig = {
agent = {
interval = "3s";
round_interval = true;
metric_batch_size = 1000;
metric_buffer_limit = 10000;
collection_jitter = "0s";
flush_interval = "30s";
flush_jitter = "3s";
precision = "0s";
hostname = assert (mainCfg.netName != ""); mainCfg.netName;
omit_hostname = false;
};
outputs.influxdb_v2 = {
urls = [ "\${INFLUX_URL}" ];
token = "\${INFLUX_TOKEN}";
organization = "nasp.fit";
bucket = "trash";
bucket_tag = "bucket";
exclude_bucket_tag = true;
timeout = "5s";
};
inputs.system = {
name_override = "load";
tags = { bucket = "device"; };
fieldpass = [ "load1" "bucket" ];
interval = "15s";
};
inputs.mem = {
name_override = "memory";
tags = { bucket = "device"; };
fieldpass = [ "used" "total" "bucket"];
interval = "30s";
};
};
};
})
# g series
# g series
(lib.mkIf (gCfg.enable) (let
(lib.mkIf (gCfg.enable) (let
ipSuffix = (builtins.toString (gCfg.serial + 100)); in {
ipSuffix = (builtins.toString (gCfg.serial + 100)); in {
@ -314,11 +374,24 @@ in
fsType = "nfs";
fsType = "nfs";
};
};
## packages and services
## packages and services
nasp.docker.enable = true;
nasp.docker.enable = lib.mkDefault true;
nasp.nvidia.enable = true;
nasp.nvidia.enable = lib.mkDefault true;
nasp.registry.enable = true;
nasp.registry.enable = lib.mkDefault true;
nasp.nginx.enable = true;
nasp.nginx.enable = lib.mkDefault true;
nasp.nginx.enableCodeServer = true;
nasp.nginx.enableCodeServer = lib.mkDefault true;
nasp.sops.enable = lib.mkDefault true;
nasp.telegraf.enable = lib.mkDefault true;
services.telegraf.extraConfig = {
inputs.net = {
interfaces = [ gCfg.eth0Name gCfg.eth1Name gCfg.eth2Name ];
ignore_protocol_stats = true;
tags = { bucket = "device"; };
};
inputs.nvidia_smi = {
bin_path = "/run/current-system/sw/bin/nvidia-smi";
tags = { bucket = "device"; };
};
};
}))
}))
]);
]);
}
}
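Review bot: In the `@ -234,6 +242,58` hunk, the setup recipe `ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > ~/.config/sops/age/keys.txt` copies the host's decryption key into a home directory with the shell's default umask, so the file is typically created world-readable; the comment should run it under `umask 077` (or follow with `chmod 600 ~/.config/sops/age/keys.txt`) and say that this copy is only needed for interactive `sops` editing, since activation already reads the key through `sops.age.sshKeyPaths`. The `gpg --fetch-keys` line above it fetches over plain http and names the key by a 64-bit ID; fetching over https and checking the imported key against the full fingerprint pinned in `.sops.yaml` (3E241558655D7FE06C6711A5A5D6250D1806CAA8) is what makes that import trustworthy. `environmentFiles = [ "/run/secrets/telegraf" ];` hard-codes where sops-nix happens to place the secret, whereas `environmentFiles = [ config.sops.secrets.telegraf.path ];` follows whatever path sops-nix actually uses (assuming `config` is among the module arguments, which `mainCfg` suggests). The bare `assert sopsCfg.enable;` on the `sops.secrets.telegraf` line fails evaluation with only a file:line message; an `assertions = [ { assertion = sopsCfg.enable; message = "nasp.telegraf requires nasp.sops.enable"; } ];` entry in the same mkIf names the dependency. The list of mkIf blocks this hunk extends starts before the hunk and is closed by the `]);` in the last hunk.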