Added lots of sops

2025-09-13 22:02:42 +02:00 · 2025-09-13 22:02:42 +02:00 · 01c04cd91c
commit 01c04cd91c
parent 84bec55415
25 changed files with 532 additions and 183 deletions
--- a/maskiner/desktop/alloy-systemd.yaml
+++ b/maskiner/desktop/alloy-systemd.yaml
@ -0,0 +1,20 @@
+loki.relabel "journal" {
+  forward_to = []
+
+  rule {
+    source_labels = ["__journal__systemd_unit"]
+    target_label  = "unit"
+  }
+}
+
+loki.source.journal "read"  {
+  forward_to    = [loki.write.endpoint.receiver]
+  relabel_rules = loki.relabel.journal.rules
+  labels        = {component = "desktop"}
+}
+
+loki.write "endpoint" {
+  endpoint {
+    url ="http://localhost:3100/loki/api/v1/push"
+  }
+}
--- a/maskiner/desktop/configuration.nix
+++ b/maskiner/desktop/configuration.nix
@ -19,9 +19,38 @@
    ../../moduler/vaultwarden.nix
    ../../moduler/signal.nix
    ../../moduler/uptime-kuma.nix
+    ../../moduler/services/monitoring
+    ../../moduler/services/wireguard-server
    # ../../moduler/wastring.nix
  ];

+  sops.defaultSopsFile = ../../secrets/sops.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.gandi_key = {
+    path = "/run/secrets/gandi_key";
+    owner = "root";
+    mode = "0440";
+  };
+
+  grafana = {
+    enable = true;
+    host = "127.0.0.1";
+    domain = "grafana.wastring.com";
+  };
+
+  prometheus = {
+    enable = true;
+	exporters.enable = true;
+  };
+
+  loki = {
+	enable = true;
+  };
+
+  alloy = {
+	enable = true;
+	configPath = ./alloy-systemd.yaml;
+  };

  nix.settings = {
    trusted-public-keys = [
@ -44,7 +73,7 @@
    certs."shop.wastring.com" = {
      dnsProvider = "gandiv5";
      webroot = null;
-      credentialsFile = /run/secrets/gandi_key;
+      credentialsFile = config.sops.secrets.gandi_key.path;
      dnsPropagationCheck = true;
    };
  };
--- a/maskiner/jobb/configuration.nix
+++ b/maskiner/jobb/configuration.nix
@ -26,8 +26,20 @@ in
    ../../moduler/lsp.nix
    ../../moduler/hyprland.nix
    ../../moduler/sound.nix
+	../../moduler/programs/kubernetes-tools.nix
  ];

+  kubernetes-tools.enable = true;
+
+  sops.defaultSopsFile = ../../secrets/sops.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.gandi_key = {
+    # This path is where the *decrypted* secret will be placed at runtime
+    path = "/run/secrets/gandi_key";
+    owner = "root";
+    mode = "0440";
+  };
+
  stylix = {
    enable = true;
    base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml";
--- a/maskiner/macmini/alloy-systemd.yaml
+++ b/maskiner/macmini/alloy-systemd.yaml
@ -0,0 +1,20 @@
+loki.relabel "journal" {
+  forward_to = []
+
+  rule {
+    source_labels = ["__journal__systemd_unit"]
+    target_label  = "unit"
+  }
+}
+
+loki.source.journal "read"  {
+  forward_to    = [loki.write.endpoint.receiver]
+  relabel_rules = loki.relabel.journal.rules
+  labels        = {component = "macmini"}
+}
+
+loki.write "endpoint" {
+  endpoint {
+    url ="http://192.168.1.227:3100/loki/api/v1/push"
+  }
+}
--- a/maskiner/macmini/configuration.nix
+++ b/maskiner/macmini/configuration.nix
@ -14,31 +14,18 @@
    ./hardware-configuration.nix
    ../../moduler/users.nix
    ../../moduler/base.nix
+    ../../moduler/services/monitoring
  ];

+  alloy = {
+	enable = true;
+	configPath = ./alloy-systemd.yaml;
+  };
+
  nixpkgs.config.permittedInsecurePackages = [
    "broadcom-sta-6.30.223.271-57-6.12.45"
  ];

-  networking.firewall = {
-    enable = true;
-    allowedTCPPorts = [
-      80
-      443
-      3000
-      8384
-      8008
-      8009
-      22000
-    ];
-    allowedUDPPortRanges = [
-      {
-        from = 1;
-        to = 65535;
-      }
-    ];
-  };
-
  nix.settings = {
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="