diff --git a/flake.lock b/flake.lock index 525749b..05416c8 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1707830867, + "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", + "owner": "ryantm", + "repo": "agenix", + "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "base16": { "inputs": { "fromYaml": "fromYaml" @@ -147,6 +168,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -197,6 +240,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -217,7 +281,7 @@ "type": "github" } }, - "home-manager_2": { + "home-manager_3": { "inputs": { "nixpkgs": [ "stylix", @@ -241,8 +305,8 @@ "hyprland": { "inputs": { "hyprland-protocols": "hyprland-protocols", - "nixpkgs": "nixpkgs", - "systems": "systems", + "nixpkgs": "nixpkgs_2", + "systems": "systems_2", "wlroots": "wlroots", "xdph": "xdph" }, 
@@ -309,6 +373,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1706191920, "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=", @@ -324,7 +404,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1707268954, "narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=", @@ -339,7 +419,7 @@ "type": "indirect" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1700856099, "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=", @@ -357,9 +437,10 @@ }, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "hyprland": "hyprland", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "stable-nixpkgs": "stable-nixpkgs", "stylix": "stylix" } @@ -392,8 +473,8 @@ "base16-vim": "base16-vim", "flake-compat": "flake-compat", "gnome-shell": "gnome-shell", - "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_3" + "home-manager": "home-manager_3", + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1707492526, @@ -410,6 +491,21 @@ } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", diff --git a/flake.nix b/flake.nix index 55c78d3..4c8b589 100644 --- a/flake.nix 
+++ b/flake.nix @@ -10,6 +10,7 @@ }; stylix.url = "github:danth/stylix"; hyprland.url = "github:hyprwm/Hyprland/v0.35.0"; + agenix.url = "github:ryantm/agenix"; }; outputs = inputs: let diff --git a/lib/mkconf.nix b/lib/mkconf.nix index 9714b63..b59fade 100644 --- a/lib/mkconf.nix +++ b/lib/mkconf.nix @@ -5,7 +5,9 @@ userFullname, ... }: modules: home-modules: -with inputs; +let + inherit (inputs) home-manager nixpkgs hyprland agenix; +in nixpkgs.lib.nixosSystem { specialArgs = {inherit inputs;}; @@ -15,6 +17,7 @@ with inputs; modules ++ [ home-manager.nixosModules.home-manager + agenix.nixosModules.default { home-manager = { useGlobalPkgs = true; diff --git a/nixos/default.nix b/nixos/default.nix index 9ceb23f..19bd163 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -110,5 +110,8 @@ in { "net.ipv4.ip_unprivileged_port_start" = 53; }; - services.prometheus.exporters.node.enable = true; + services.prometheus.exporters.node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; } diff --git a/nixos/services/grafana.nix b/nixos/services/grafana.nix index 020de1c..6d8eae4 100644 --- a/nixos/services/grafana.nix +++ b/nixos/services/grafana.nix 
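Review bot: The new `agenix.url` input has no `follows` override, and the flake.lock hunks in this commit show the consequence: agenix drags in its own `nixpkgs`, `home-manager`, `darwin` and `systems` nodes next to the ones the root flake already locks, so there are now two nixpkgs revisions to track and patch. Adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` (and, if desired, `agenix.inputs.home-manager.follows = "home-manager";`) next to the url line collapses the graph back to a single nixpkgs. The `inputs` attribute set this hunk sits in starts outside the hunk.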
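Review bot: The expanded `services.prometheus.exporters.node` block leaves `listenAddress` at the module default, which binds every interface, so the new `systemd` collector output (unit names and states) is reachable from any network the firewall lets through to the exporter port. Since the prometheus.nix hunk in the same commit scrapes what look like overlay-network addresses (100.64.0.0/10 range), pinning the listener with `listenAddress = "<overlay-ip-of-this-host>";` or restricting the firewall rule to that interface would keep the metrics off the public side. The enclosing attribute set begins outside the hunk.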
@@ -1,8 +1,31 @@ {config, ...}: let cfg = config.services.grafana; + secrets = config.age.secrets; in { + age.secrets.grafana_oidc_client_secret = { + file = ../../secrets/grafana/oidc/client_secret.age; + owner = "grafana"; + }; services.grafana = { enable = true; + settings = { + server = { + root_url = "https://${cfg.settings.server.domain}"; + }; + "auth.generic_oauth" = { + enabled = true; + name = "authentik"; + client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE"; + client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}"; + scopes = toString ["openid" "profile" "email"]; + auth_url = "https://auth.tristans.cloud/application/o/authorize/"; + token_url = "https://auth.tristans.cloud/application/o/token/"; + api_url = "https://auth.tristans.cloud/application/o/userinfo/"; + redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/"; + role_attribute_path = + "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"; + }; + }; }; services.nginx.virtualHosts = { ${cfg.settings.server.domain} = { diff --git a/nixos/services/prometheus.nix b/nixos/services/prometheus.nix index c7a1feb..e93bedf 100644 --- a/nixos/services/prometheus.nix +++ b/nixos/services/prometheus.nix @@ -1,5 +1,22 @@ +{config, ...}: +let + inherit ( config.services ) prometheus; + nodes = [ + "100.65.29.110" + "100.106.241.122" + ]; + addPort = ip: "${ip}:${toString prometheus.exporters.node.port}"; +in { services.prometheus = { enable = true; + scrapeConfigs = [ + { + job_name = "nodes"; + static_configs = [{ + targets = builtins.map addPort nodes; + }]; + } + ]; }; } diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..a624012 --- /dev/null +++ b/secrets.nix 
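Review bot: `redirect_url` is not an option Grafana reads in `[auth.generic_oauth]`; the end-session URL assigned to it is what the `signout_redirect_url` option expects, so as written a Grafana logout will not end the authentik session: `signout_redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";`. Separately, the JMESPath ends in `|| 'Viewer'` and `allow_sign_up` keeps its default (sign-up permitted), so every account authentik will authenticate gets a Viewer login unless the authentik application itself is group-restricted; if membership in one of the two groups is meant to be required, set `role_attribute_strict = true;` and drop the `'Viewer'` fallback. Grafana's generic OAuth also accepts `use_pkce = true;`, which costs nothing here. The `services.nginx.virtualHosts` block that follows continues outside the hunk.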
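Review bot: `addPort` builds every target from this host's own `prometheus.exporters.node.port`, which quietly assumes both remote nodes expose the exporter on the same port; either state that invariant in a comment above `nodes` or model each node as `{ addr = "<ip>"; port = <port>; }` so the coupling is explicit. The scrape also uses the default scheme (plain HTTP, no auth), which is acceptable only while 100.65.29.110 and 100.106.241.122 are reachable solely over the private overlay those addresses suggest. Style: `inherit ( config.services ) prometheus;` has stray spaces inside the parentheses — `inherit (config.services) prometheus;` matches the formatting used in lib/mkconf.nix.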
@@ -0,0 +1,9 @@ +let + alpine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkVkc3JV1rEMSxDhdxIbONLQPiXi3uANign9G3ap8PR"; + zenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyirMHhLksc5eLp1jL/NYLSv+2Z67mRJQdljVLWMqKs"; + tristan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINl4Mbp0CwfLVuqxRdiUE66Rcj3HAw164XhI3WYGOnc6"; + hosts = [ alpine ]; +in +{ + "secrets/grafana/oidc/client_secret.age".publicKeys = [alpine tristan]; +} diff --git a/secrets/grafana/oidc/client_secret.age b/secrets/grafana/oidc/client_secret.age new file mode 100644 index 0000000..a6138ec Binary files /dev/null and b/secrets/grafana/oidc/client_secret.age differ
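Review bot: `hosts = [ alpine ];` and `zenix` are bound but never referenced, so a reader has to compare the two lists to learn that zenix cannot decrypt this secret and that `hosts` is dead. Either use the binding — `"secrets/grafana/oidc/client_secret.age".publicKeys = hosts ++ [tristan];` — or remove the unused names. If zenix is intentionally excluded for now, a one-line comment saying so avoids the next reader treating it as an omission.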