2026-02-08 22:58:24 +00:00
6 changed files with 44 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -49,11 +49,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770422522,
-        "narHash": "sha256-WmIFnquu4u58v8S2bOVWmknRwHn4x88CRfBFTzJ1inQ=",
+        "lastModified": 1770590420,
+        "narHash": "sha256-Gih+2ufQXcZQzrlSrgZWcG7u9TjQT7z/6qybnX5yJn8=",
        "ref": "refs/heads/master",
-        "rev": "cf0ce858997af4d8dcc2ce10393ff393e17fc911",
-        "revCount": 11,
+        "rev": "acfb142788dc994cf64931f55063393d807c6ebf",
+        "revCount": 14,
        "type": "git",
        "url": "https://git.t-juice.club/torjus/nixos-exporter"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -217,6 +217,7 @@
              pkgs.opentofu
              pkgs.openbao
              pkgs.kanidm_1_8
+              pkgs.nkeys
              (pkgs.callPackage ./scripts/create-host { })
              homelab-deploy.packages.${pkgs.system}.default
            ];
--- a/services/nats/default.nix
+++ b/services/nats/default.nix
@@ -35,9 +35,18 @@
        HOMELAB = {
          jetstream = "enabled";
          users = [
+            # alerttonotify (full access to HOMELAB account)
            {
              nkey = "UASLNKLWGICRTZMIXVD3RXLQ57XRIMCKBHP5V3PYFFRNO3E3BIJBCYMZ";
            }
+            # nixos-exporter (restricted to nixos-exporter subjects)
+            {
+              nkey = "UBCL3ODHVERVZJNGUJ567YBBKHQZOV3LK3WO6TVVSGQOCTK2NQ3IJVRV"; # Replace with public key from: nix develop -c nk -gen user -pubout
+              permissions = {
+                publish = [ "nixos-exporter.>" ];
+                subscribe = [ "nixos-exporter.>" ];
+              };
+            }
          ];
        };

--- a/system/monitoring/metrics.nix
+++ b/system/monitoring/metrics.nix
@@ -19,15 +19,32 @@
    ];
  };

+  # Fetch NKey from Vault for NATS authentication
+  vault.secrets.nixos-exporter-nkey = {
+    secretPath = "shared/nixos-exporter/nkey";
+    extractKey = "nkey";
+  };
+
  services.prometheus.exporters.nixos = {
    enable = true;
    # Default port: 9971
    flake = {
      enable = true;
      url = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+      nats = {
+        enable = true;
+        url = "nats://nats1.home.2rjus.net:4222";
+        credentialsFile = "/run/secrets/nixos-exporter-nkey";
+      };
    };
  };

+  # Ensure exporter starts after Vault secret is available
+  systemd.services.prometheus-nixos-exporter = {
+    after = [ "vault-secret-nixos-exporter-nkey.service" ];
+    requires = [ "vault-secret-nixos-exporter-nkey.service" ];
+  };
+
  # Register nixos-exporter as a Prometheus scrape target
  homelab.monitoring.scrapeTargets = [
    {
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -114,6 +114,12 @@ locals {
      auto_generate   = true
      password_length = 64
    }
+
+    # NKey for nixos-exporter NATS cache sharing
+    "shared/nixos-exporter/nkey" = {
+      auto_generate = false
+      data          = { nkey = var.nixos_exporter_nkey }
+    }
  }
 }

--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -73,3 +73,10 @@ variable "homelab_deploy_admin_deployer_nkey" {
  sensitive   = true
 }

+variable "nixos_exporter_nkey" {
+  description = "NKey seed for nixos-exporter NATS authentication"
+  type        = string
+  default     = "PLACEHOLDER"
+  sensitive   = true
+}
+