torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

nixos-exporter: enable NATS cache sharing
Some checks failed
Run nix flake check / flake-check (pull_request) Successful in 2m17s
Details
Run nix flake check / flake-check (push) Failing after 5m16s
Details

Browse Source 
When one host fetches the latest flake revision, it publishes to NATS
and all other hosts receive the update immediately. This reduces
redundant nix flake metadata calls across the fleet.

- Add nkeys to devshell for key generation
- Add nixos-exporter user to NATS HOMELAB account
- Add Vault secret for NKey storage
- Configure all hosts to use NATS for revision sharing
- Update nixos-exporter input to version with NATS support

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-08 23:57:28 +01:00
parent 39e3f37263
commit 60c04a2052
6 changed files with 44 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
flake.lock generated
View File

@@ -49,11 +49,11 @@
]
},
"locked": {
"lastModified": 1770422522,
"narHash": "sha256-WmIFnquu4u58v8S2bOVWmknRwHn4x88CRfBFTzJ1inQ=",
"lastModified": 1770590420,
"narHash": "sha256-Gih+2ufQXcZQzrlSrgZWcG7u9TjQT7z/6qybnX5yJn8=",
"ref": "refs/heads/master",
"rev": "cf0ce858997af4d8dcc2ce10393ff393e17fc911",
"revCount": 11,
"rev": "acfb142788dc994cf64931f55063393d807c6ebf",
"revCount": 14,
"type": "git",
"url": "https://git.t-juice.club/torjus/nixos-exporter"
},

1
flake.nix
View File

@@ -217,6 +217,7 @@
pkgs.opentofu
pkgs.openbao
pkgs.kanidm_1_8
pkgs.nkeys
(pkgs.callPackage ./scripts/create-host { })
homelab-deploy.packages.${pkgs.system}.default
];

9
services/nats/default.nix
View File

@@ -35,9 +35,18 @@
HOMELAB = {
jetstream = "enabled";
users = [
# alerttonotify (full access to HOMELAB account)
{
nkey = "UASLNKLWGICRTZMIXVD3RXLQ57XRIMCKBHP5V3PYFFRNO3E3BIJBCYMZ";
}
# nixos-exporter (restricted to nixos-exporter subjects)
{
nkey = "UBCL3ODHVERVZJNGUJ567YBBKHQZOV3LK3WO6TVVSGQOCTK2NQ3IJVRV"; # Replace with public key from: nix develop -c nk -gen user -pubout
permissions = {
publish = [ "nixos-exporter.>" ];
subscribe = [ "nixos-exporter.>" ];
};
}
];
};

17
system/monitoring/metrics.nix
View File

@@ -19,14 +19,31 @@
];
};
# Fetch NKey from Vault for NATS authentication
vault.secrets.nixos-exporter-nkey = {
secretPath = "shared/nixos-exporter/nkey";
extractKey = "nkey";
};
services.prometheus.exporters.nixos = {
enable = true;
# Default port: 9971
flake = {
enable = true;
url = "git+https://git.t-juice.club/torjus/nixos-servers.git";
nats = {
enable = true;
url = "nats://nats1.home.2rjus.net:4222";
credentialsFile = "/run/secrets/nixos-exporter-nkey";
};
};
};
# Ensure exporter starts after Vault secret is available
systemd.services.prometheus-nixos-exporter = {
after = [ "vault-secret-nixos-exporter-nkey.service" ];
requires = [ "vault-secret-nixos-exporter-nkey.service" ];
};
# Register nixos-exporter as a Prometheus scrape target
homelab.monitoring.scrapeTargets = [

6
terraform/vault/secrets.tf
View File

@@ -114,6 +114,12 @@ locals {
auto_generate = true
password_length = 64
}
# NKey for nixos-exporter NATS cache sharing
"shared/nixos-exporter/nkey" = {
auto_generate = false
data = { nkey = var.nixos_exporter_nkey }
}
}
}

7
terraform/vault/variables.tf
View File

@@ -73,3 +73,10 @@ variable "homelab_deploy_admin_deployer_nkey" {
sensitive = true
}
variable "nixos_exporter_nkey" {
description = "NKey seed for nixos-exporter NATS authentication"
type = string
default = "PLACEHOLDER"
sensitive = true
}