Removed:
- hosts/nix-cache01/ directory
- services/nix-cache/build-flakes.{nix,sh} (replaced by NATS builder)
- Vault secret and AppRole for nix-cache01
- Old signing key variable from terraform
- Old trusted public key from system/nix.nix
Updated:
- flake.nix: removed nixosConfiguration
- README.md: nix-cache01 -> nix-cache02
- Monitoring rules: removed build-flakes alerts, updated harmonia to nix-cache02
- Simplified proxy.nix (no longer needs hostname conditional)
nix-cache02 is now the sole binary cache host.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
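{ pkgs, ... }:

let
  # TLS endpoints to monitor for certificate expiration.
  # These are all services using ACME certificates from OpenBao PKI.
  # Each URL is handed to the blackbox exporter as its `target` parameter
  # and also becomes the `instance` label of the resulting metrics (see the
  # relabel_configs below).
  tlsTargets = [
    # Direct ACME certs (security.acme.certs)
    "https://vault.home.2rjus.net:8200"
    "https://auth.home.2rjus.net"
    "https://testvm01.home.2rjus.net"

    # Caddy auto-TLS on http-proxy
    "https://nzbget.home.2rjus.net"
    "https://radarr.home.2rjus.net"
    "https://sonarr.home.2rjus.net"
    "https://ha.home.2rjus.net"
    "https://z2m.home.2rjus.net"
    "https://prometheus.home.2rjus.net"
    "https://alertmanager.home.2rjus.net"
    "https://grafana.home.2rjus.net"
    "https://jelly.home.2rjus.net"
    "https://pyroscope.home.2rjus.net"
    "https://pushgw.home.2rjus.net"

    # Caddy auto-TLS on nix-cache02
    "https://nix-cache.home.2rjus.net"

    # Caddy auto-TLS on grafana01
    "https://grafana-test.home.2rjus.net"
  ];
in
{
  services.prometheus.exporters.blackbox = {
    enable = true;
    # Only the local Prometheus scrapes this exporter (the scrape job below
    # rewrites __address__ to 127.0.0.1:9115), so bind to loopback instead of
    # the exporter module's default of all interfaces. The /probe endpoint
    # opens a connection to whatever URL it is given, so it should not be
    # reachable from other hosts.
    listenAddress = "127.0.0.1";
    configFile = pkgs.writeText "blackbox.yml" ''
      modules:
        https_cert:
          prober: http
          timeout: 10s
          http:
            # What this module tests is the TLS handshake: a target that does
            # not speak TLS is a failed probe ...
            fail_if_not_ssl: true
            preferred_ip_protocol: ip4
            # ... but the HTTP status is not what is being tested, so accept a
            # wide range of codes; an application returning 4xx/5xx still
            # completes the handshake and still yields
            # probe_ssl_earliest_cert_expiry for the certificate alerts.
            # NOTE(review): no tls_config is set, so the handshake is verified
            # against the system CA bundle - the OpenBao PKI root must be
            # trusted on this host. Redirects are left at the blackbox default
            # (followed), so a redirecting target reports the certificate of
            # the redirect destination - confirm both are intended.
            valid_status_codes:
              - 200
              - 204
              - 301
              - 302
              - 303
              - 307
              - 308
              - 400
              - 401
              - 403
              - 404
              - 405
              - 500
              - 502
              - 503
    '';
  };

  # Add blackbox scrape config to Prometheus.
  # Alert rules are in rules.yml (certificate_rules group).
  services.prometheus.scrapeConfigs = [
    {
      job_name = "blackbox_tls";
      metrics_path = "/probe";
      params = {
        module = [ "https_cert" ];
      };
      static_configs = [{
        targets = tlsTargets;
      }];
      relabel_configs = [
        # Pass the target URL to blackbox as a parameter
        {
          source_labels = [ "__address__" ];
          target_label = "__param_target";
        }
        # Use the target URL as the instance label
        {
          source_labels = [ "__param_target" ];
          target_label = "instance";
        }
        # Point the actual scrape at the local blackbox exporter
        {
          target_label = "__address__";
          replacement = "127.0.0.1:9115";
        }
      ];
    }
  ];
}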