metrics

newinfra/nix/hive.nix

@@ -18,12 +18,22 @@
         dns1 = {
           publicIPv4 = "154.38.163.74";
           publicIPv6 = null;
+          wg = {
+            privateIP = "10.0.1.1";
+            publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4=";
+            peers = [ "vps3" ];
+          };
         };
         dns2 = {
           publicIPv4 = "128.140.3.7";
           # somehow this doesnt quite work yet, keep it out of DNS records
           #publicIPv6 = "2a01:4f8:c2c:d616::";
           publicIPv6 = null;
+          wg = {
+            privateIP = "10.0.1.2";
+            publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc=";
+            peers = [ "vps3" ];
+          };
         };
         vps1 = {
           publicIPv4 = "161.97.165.1";
@@ -40,7 +50,7 @@
           wg = {
             privateIP = "10.0.0.3";
             publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
-            peers = [ "vps1" "vps4" "vps5" ];
+            peers = [ "vps1" "vps4" "vps5" "dns1" "dns2" ];
           };
         };
         vps4 = {
@@ -86,6 +96,7 @@
       (modulesPath + "/profiles/qemu-guest.nix")
       ./modules/contabo
       ./modules/dns
+      ./modules/wg-mesh
     ];
 
     # The name and nodes parameters are supported in Colmena,
@@ -97,6 +108,7 @@
     imports = [
       (modulesPath + "/profiles/qemu-guest.nix")
       ./modules/dns
+      ./modules/wg-mesh
     ];
 
     deployment.tags = [ "dns" "eu" "hetzner" ];

newinfra/nix/modules/dns/default.nix

@@ -39,4 +39,10 @@
       '';
     };
   };
+
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics
+  services.prometheus.exporters.knot = {
+    enable = true;
+    port = 9433;
+  };
 }

newinfra/nix/modules/dns/noratrieb.dev.nix

@@ -42,7 +42,6 @@ let
         www = vps1;
 
         # --- legacy crap
-        vps2 = vps2; # TODO REMOVE
         old-docker = vps2;
 
         # --- apps

newinfra/nix/modules/garage/default.nix

@@ -1,7 +1,10 @@
 { config, pkgs, name, ... }: {
   age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
 
-  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3901 ];
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [
+    3901 # RPC
+    3903 # admin for metrics
+  ];
 
   services.garage = {
     enable = true;

newinfra/nix/modules/prometheus/default.nix

@@ -12,6 +12,8 @@
       {
         job_name = "node";
         static_configs = [
+          { targets = [ "dns1.local:9100" ]; }
+          { targets = [ "dns2.local:9100" ]; }
           { targets = [ "vps1.local:9100" ]; }
           { targets = [ "vps3.local:9100" ]; }
           { targets = [ "vps4.local:9100" ]; }
@@ -33,6 +35,22 @@
           { targets = [ "vps1.local:9011" ]; }
         ];
       }
+      {
+        job_name = "garage";
+        static_configs = [
+          { targets = [ "vps1.local:3903" ]; }
+          { targets = [ "vps3.local:3903" ]; }
+          { targets = [ "vps4.local:3903" ]; }
+          { targets = [ "vps5.local:3903" ]; }
+        ];
+      }
+      {
+        job_name = "knot";
+        static_configs = [
+          { targets = [ "dns1.local:9433" ]; }
+          { targets = [ "dns2.local:9433" ]; }
+        ];
+      }
     ];
   };
 

newinfra/nix/secrets/secrets.nix

@@ -1,4 +1,6 @@
 let
+  dns1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBKoyDczFntyQyWj47Z8JeewKcCobksd415WM1W56eS";
+  dns2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ1yLdDhI2Vou/9qrPIUP8RU8Sg0WxLI2njtP5hkdL7";
   vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R";
   vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C";
   vps4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpoLgBTWj1BcNxXVdM26jDBZl+BCtUTj20Wv4sZdCHz";
@@ -15,6 +17,8 @@ in
   "registry_htpasswd.age".publicKeys = [ vps1 ];
   "registry_s3_key_secret.age".publicKeys = [ vps1 ];
   "grafana_admin_password.age".publicKeys = [ vps3 ];
+  "wg_private_dns1.age".publicKeys = [ dns1 ];
+  "wg_private_dns2.age".publicKeys = [ dns2 ];
   "wg_private_vps1.age".publicKeys = [ vps1 ];
   "wg_private_vps3.age".publicKeys = [ vps3 ];
   "wg_private_vps4.age".publicKeys = [ vps4 ];

newinfra/nix/secrets/wg_private_dns1.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 LZU5Eg pVN2rgdPyq31DrUEiwYgqNyWrFie0pvW5g1gRC8o4lc
+asCocO7XssxBm9XbE7H0OfOekU1XkdZhyFwLEfVRAy0
+--- nlmoVm1A2xNAD4bZ5WHuI9sJbbr3RKyAa02d5aZUOzg
+ÿiÙœÁBËvLý<˜^UTÚ®<C39A>ôüå'yܱ×Yš¬]OR#ÆO›@ò¤ßг|‰W$¥_y+øÕ<Ì<>èü‡Ò&ôÊv{ËØø

newinfra/nix/secrets/wg_private_vps4.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 51bcvA cvlpm3reQDmA9Faca2wB1M8a4diEUTAYnZ7scmbt+i0
-DNQrAzPoVvbDR7UVCft8m/6kjHySIpT1l+xl22TW9bk
---- PELEXNV7Ottz1Jgc+5U0ew9t2YEKfUVSsiaYehvwqnc
-WßÂLşŚ…Ł˙e·‘7Mč?Ěí™VŰý¬69)†ÚY%yú1›<31>J(uë<75>ż¸‚0)x@Y~Ąóhâ”<C3A2>żŽˇ çŇY5îËNÎd
+-> ssh-ed25519 51bcvA ji2zWkOp9u2bor9xScXWckGZN3733piHLN/gd+quiW0
+uzciBDLzZiizL3fFbn3vjiIoHGJWdFlHff3vjSWHs7g
+--- fE0bz9m5izwJX90w3RjhmzNaCPuKjhpM5M0qngI9c/A
+ð·ß/žéË3^é¥'%‹(<28>Ö¡!æk›eîG`ò<>ébÚ<62>깯ÅJ´ù×0£L.»™–д­Ê<C2AD>îp¯ ŽeŸs,<2C>1ÚÈ·øÖ

newinfra/nix/secrets/wg_private_vps5.age

@@ -1,5 +1,6 @@
 age-encryption.org/v1
--> ssh-ed25519 vT7ExA ZtMI/PoOE6fF7heY5Eq12bhzgn/ViE/PzeLRJlFOZxo
-kdRK08mwj0vCjhvJzX4TmI4H0dnRbnDC7kK+U7BW4mM
---- QSYK8SFsCQK0hrCG2ZjAG3KIpXPQTJqolMLj6aWHkcs
- ՚<>b<EFBFBD>C<EFBFBD>C<>x<EFBFBD><78>T<EFBFBD><54><EFBFBD>><05>I<EFBFBD><49>n<EFBFBD><6E>e<0E><>
<01><>3<EFBFBD><33><EFBFBD><EFBFBD>F<EFBFBD><46>n.<2E><>=<3D><>V~<7E><>(G<>8ӚGi<47><69>(<28><>3Yd:e<>u<EFBFBD>
+-> ssh-ed25519 vT7ExA XLzlq29RuNTBKTbK/zDa6hISekIGx+deGh34/q+jqWU
+OsWQtxeRD+6ILJ+X/PNvYFV4CO+BJ+JK5VCHjRHSseY
+--- LNaTQFOLpwFhtjPmpUsgrm0zhmNcAPMWG/AuhCzQJsk
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̢*<0F><>[<5B>,<2C><><EFBFBD>	<09>5*<2A>qD_7<5F>6<EFBFBD>D6R<36>-m:<3A><>0)<29><06><>
+<EFBFBD><EFBFBD><EFBFBD>~<7E><><EFBFBD><EFBFBD><08><>d<06><>х<EFBFBD><15><>Pb<50>%']