Merge pull request #40 from RigglePrime/fix1

Add grafana default admin password, remove clutter, fix prometheus

flake.nix

@@ -105,7 +105,7 @@
         targetHost = "dallas.tg.lan";
         targetUser = "deploy";
         tags = [
-          "relay"
+          "relay-amd64"
         ];
       };
       imports =
@@ -218,7 +218,7 @@
         targetHost = "bratwurst.tg.lan";
         targetUser = "deploy";
         tags = [
-          "relay"
+          "relay-arm"
         ];
       };
       nixpkgs.system = "aarch64-linux";

modules/haproxy_common.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  systemd.tmpfiles.rules = [
+    "d /var/lib/haproxy 770 ${config.services.haproxy.user} ${config.services.haproxy.group}"
+  ];
+  services.haproxy = {
+    enable = true;
+  };
+  systemd.services.haproxy = {
+    serviceConfig = {
+      AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";
+      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_NET_RAW";
+    };
+    environment = {
+      PROMETHEUS_PORT = "8405";
+    };
+  };
+}

systems/edge-nodes/modules/haproxy_base/default.nix

@@ -1,26 +1,11 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  systemd.tmpfiles.rules = [
-    "d /var/lib/haproxy 770 ${config.services.haproxy.user} ${config.services.haproxy.group}"
+{...}: {
+  imports = [
+    ../../../../modules/haproxy_common.nix
   ];
   services.haproxy = {
-    enable = true;
     config =
       "# ==== GLOBAL CONFIG ====\n"
       + builtins.readFile ./haproxy.conf;
   };
-  systemd.services.haproxy = {
-    serviceConfig = {
-      AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";
-      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_NET_RAW";
-    };
-    environment = {
-      PROMETHEUS_PORT = "8405";
-    };
-  };
   services.tailscale.useRoutingFeatures = "server"; # IP Forwarding
 }

systems/game-servers/modules/haproxy_base/default.nix

@@ -1,27 +1,16 @@
 {
-  config,
   pkgs,
   lib,
   ...
 }: {
-  systemd.tmpfiles.rules = [
-    "d /var/lib/haproxy 770 ${config.services.haproxy.user} ${config.services.haproxy.group}"
+  imports = [
+    ../../../../modules/haproxy_common.nix
   ];
   services.haproxy = {
-    enable = true;
     config =
       "# ==== GLOBAL CONFIG ====\n"
       + builtins.readFile ./haproxy.conf;
   };
-  systemd.services.haproxy = {
-    serviceConfig = {
-      AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVCE CAP_NET_RAW";
-      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_NET_RAW";
-    };
-    environment = {
-      PROMETHEUS_PORT = "8405";
-    };
-  };
   services.tailscale.useRoutingFeatures = lib.mkForce "both"; # IP Forwarding
 
   networking.iproute2 = {

systems/game-servers/systems/tgsatan/modules/grafana/default.nix

@@ -13,24 +13,33 @@
     owner = "${config.systemd.services.grafana.serviceConfig.User}";
   };
 
-  networking.firewall.allowedTCPPorts = [
-    3000
-  ];
-  networking.firewall.allowedUDPPorts = [
-    3000
-  ];
+  age.secrets.grafana_admin = {
+    file = ../../secrets/grafana_admin.age;
+    owner = "${config.systemd.services.grafana.serviceConfig.User}";
+  };
+
   services.grafana = {
     enable = true;
     dataDir  = "/persist/grafana";
 
     settings = {
       analytics.reporting_enabled = false;
 
+      security = {
+        admin_email = "[email protected]";
+        admin_username = "admin";
+        admin_password = "$__file{${config.age.secrets.grafana_admin.path}}";
+        strict_transport_security = true;
+      };
+
       server = {
         http_addr = "100.64.0.1"; # tailscale IP
         http_port = 3000;
+        protocol = "https";
         enforce_domain = false;
         enable_gzip = true;
+        domain = "tgsatan.tg.lan";
+        cookie_secure = true;
       };
 
       database = {

systems/game-servers/systems/tgsatan/modules/monitoring/prometheus.nix

@@ -5,7 +5,7 @@
 }: let
   systemdPromPort = toString config.services.prometheus.exporters.systemd.port;
   nodeExporterPort = toString config.services.prometheus.exporters.node.port;
-  # Needs moved into a common config
+  # Needs to be moved into a common config
   tgsPromPort = "5001";
   prAnnouncerPort = "5004";
   # The following is already a string, so no need to convert it
@@ -15,18 +15,12 @@ in {
     enable = true;
     globalConfig.scrape_interval = "10s";
     scrapeConfigs = [
-      {
-        job_name = "tgsatan_node";
-        static_configs = [
-          {targets = ["tgsatan.tg.lan:${toString config.services.prometheus.exporters.node.port}"];}
-        ];
-      }
       {
         job_name = "tgsatan_gpu_1";
         static_configs = [{targets = ["tgsatan.tg.lan:9400"];}];
       }
       {
-        job_name = "tgsatan_caddy";
+        job_name = "caddy";
         static_configs = [{targets = ["tgsatan.tg.lan:2019"];}];
       }
       # {
@@ -93,18 +87,18 @@ in {
           }
         ];
       }
-      {
-        job_name = "systemd relay node";
-        static_configs = [
-          {
-            targets =
-              [
-                "warsaw.tg.lan:${systemdPromPort}"
-              ]
-              ++ (import ./relay-nodes.nix) systemdPromPort;
-          }
-        ];
-      }
+      # {
+      #   job_name = "systemd relay node";
+      #   static_configs = [
+      #     {
+      #       targets =
+      #         [
+      #           "warsaw.tg.lan:${systemdPromPort}"
+      #         ]
+      #         ++ (import ./relay-nodes.nix) systemdPromPort;
+      #     }
+      #   ];
+      # }
       {
         job_name = "stats relay node";
         static_configs = [

systems/game-servers/systems/tgsatan/modules/monitoring/relay-nodes.nix

@@ -9,7 +9,8 @@
             if
               (builtins.hasAttr "deployment" values)
               && (builtins.hasAttr "tags" values.deployment)
-              && (builtins.elem "relay" values.deployment.tags)
+              && (builtins.elem "relay-amd64" values.deployment.tags
+                || builtins.elem "relay-arm" values.deployment.tags)
             then values.deployment.targetHost + ":" + (toString portNum)
             else ""
         )

systems/game-servers/systems/tgsatan/secrets/grafana_admin.age

@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 WbbH6w 57QfQbn8D1Lgm7lVla8Qvnk3vPIVbpvzZEisAW4SihQ
++GY8Ntswu6COVPs9MyFZC7bfB17tpXYFreww1ujzUnw
+-> ssh-ed25519 tfxpqw UZ2TfxX7OYA79idI3+9ZfdcS1DkoppmgQVihl/zXdTE
++GTYJsqHAeMgqLTG6C1y8RTIaP7+ep1jxpd77LpYKIc
+-> ssh-ed25519 YWFjQA ZBV5VL14FfUxnLigumQX0lIEim5GnBfv3xfF+wcsQAI
+6FdP32TTO3SqXBvIxNgBJmk8FOJYt7WTsLAIgc1DEdA
+-> ssh-ed25519 ngdYpA cOjh7jWQ+lydyN+t5e+WCQTECj4gcVZEekr+XZUvFTQ
+NwT2omlrnxyzya6T4QzKfg1x4KTjbjpdrHYdqEKFOsE
+-> ssh-ed25519 Iss0Mw ZtbnDx4UWS06VYqCrSSJ2stoicwkkGAh1EzOp0CKyk0
+Ae4KYK71ZQlo1YqhrsAb24CcR1NDpR9heodBO9OiE+I
+-> ssh-ed25519 lMQWBQ 1m1zF3oIYLaIV/w3ZRWoEeccP/XX8JoXzqTS6Yw7+WQ
+clFUgktsK55kE/B8lZBMSHBdlvRVM9lcpxuBsbOqQ1A
+-> ssh-ed25519 8Y0Pbw A3OVARjvv06IOoVWXAZyT3ZL9mVXeNLEUpiDkQsb9wA
+qNFPOTMMSYQ9iSioui3QtRmE711f+vbo/fW5YO+ks+Q
+-> ssh-ed25519 0A43Cw 2t9NnK3Q7yFZpih/XsV8eDJVa1QQ4qboJSZ1AkU34nw
+bPXnD5ZUv+lasYNquDmMIY45G2A442ffKYX+zm4wrI4
+-> ssh-ed25519 nd8Xaw hcBEChDOgV8yP4cZ2yF7ay5XSmRl1zD+H11r8Gz8EFw
+D4MhAlQd5FoR5nZXP1TIFPCrcYq5HqUeAOPRV4aTkak
+-> ssh-ed25519 1zD9Mg 6rYzGqauobBIES6SmFHR4cCFVVwUHg0Lz5LwtxRIYRQ
+IvVsfBR88BnhWi6xmDcqRw1+rI0z8LqtWgTnSXIwAdU
+--- pI1LqLKWKz7iBhro6Vp+vBx7e/RVp1qNn/yYB8Eo7f4
+� U��r�[?;@�7��gB:b+�w'�=}ϵ��S�5>��ø����>�����
+�#���ޥ��E;��iӤ��

systems/game-servers/systems/tgsatan/secrets/secrets.nix

@@ -28,4 +28,5 @@ in {
   # Grafana
   "grafana_db.age".publicKeys = users ++ systems;
   "grafana_smtp.age".publicKeys = users ++ systems;
+  "grafana_admin.age".publicKeys = users ++ systems;
 }