2025-07-13 00:51:31 +02:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
cfg = config.khscodes.infrastructure.vault-prometheus-sender;
|
|
|
|
|
fqdn = config.khscodes.networking.fqdn;
|
|
|
|
|
vaultRoleName = config.khscodes.infrastructure.vault-server-approle.role_name;
|
2025-07-14 23:34:02 +02:00
|
|
|
client_key = "/var/lib/alloy/prometheus.key";
|
|
|
|
|
client_cert = "/var/lib/alloy/prometheus.cert";
|
2025-07-13 00:51:31 +02:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options.khscodes.infrastructure.vault-prometheus-sender = {
|
|
|
|
|
enable = lib.mkEnableOption "Configures the server approle to allow sending data to prometheus";
|
|
|
|
|
terranixBackendName = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
2025-07-14 23:34:02 +02:00
|
|
|
description = "This should only be configured for the server hosting vault, to allow setting up dependencies in terraform";
|
2025-07-13 00:51:31 +02:00
|
|
|
default = "prometheus-mtls";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
|
khscodes.infrastructure.vault-server-approle = {
|
|
|
|
|
enable = true;
|
|
|
|
|
policy = {
|
|
|
|
|
"prometheus-mtls" = {
|
|
|
|
|
capabilities = [ "read" ];
|
|
|
|
|
};
|
|
|
|
|
"prometheus-mtls/issue/${fqdn}" = {
|
|
|
|
|
capabilities = [
|
|
|
|
|
"create"
|
|
|
|
|
"update"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
stageModules = [
|
|
|
|
|
(
|
|
|
|
|
{ ... }:
|
|
|
|
|
{
|
|
|
|
|
khscodes.vault.pki_secret_backend_role."${vaultRoleName}-prometheus" = {
|
|
|
|
|
name = vaultRoleName;
|
|
|
|
|
backend = cfg.terranixBackendName;
|
|
|
|
|
allowed_domains = [ fqdn ];
|
|
|
|
|
allow_bare_domains = true;
|
|
|
|
|
enforce_hostnames = true;
|
|
|
|
|
server_flag = false;
|
|
|
|
|
client_flag = true;
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
khscodes.services.vault-agent.templates = [
|
|
|
|
|
{
|
|
|
|
|
contents = ''
|
|
|
|
|
{{- with pkiCert "prometheus-mtls/issue/${fqdn}" "common_name=${fqdn}" -}}
|
|
|
|
|
{{ .Key }}
|
|
|
|
|
{{ .Cert }}
|
|
|
|
|
{{ .CA }}
|
2025-07-14 23:34:02 +02:00
|
|
|
{{ .Key | writeToFile "${client_key}" "${config.khscodes.services.alloy.user}" "${config.khscodes.services.alloy.group}" "0600" }}
|
|
|
|
|
{{ .Cert | writeToFile "${client_cert}" "${config.khscodes.services.alloy.user}" "${config.khscodes.services.alloy.group}" "0644" }}
|
2025-07-13 00:51:31 +02:00
|
|
|
{{- end -}}
|
|
|
|
|
'';
|
|
|
|
|
destination = "/var/lib/alloy/cache.key";
|
|
|
|
|
owner = "alloy";
|
|
|
|
|
group = "alloy";
|
|
|
|
|
perms = "0600";
|
|
|
|
|
reloadOrRestartUnits = [ "alloy.service" ];
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
khscodes.services.alloy = {
|
|
|
|
|
enable = true;
|
2025-07-14 23:34:02 +02:00
|
|
|
environment = {
|
|
|
|
|
PROMETHEUS_CLIENT_KEY = client_key;
|
|
|
|
|
PROMETHEUS_CLIENT_CERT = client_cert;
|
2025-07-13 00:51:31 +02:00
|
|
|
};
|
|
|
|
|
};
|
2025-07-14 23:34:02 +02:00
|
|
|
environment.etc."alloy/prometheus.alloy" = {
|
|
|
|
|
source = ./prometheus.alloy;
|
|
|
|
|
};
|
2025-07-13 00:51:31 +02:00
|
|
|
};
|
|
|
|
|
}
|
