Add exporters and scrape targets for services lacking monitoring: - PostgreSQL: postgres-exporter on pgdb1 - Authelia: native telemetry metrics on auth01 - Unbound: unbound-exporter with remote-control on ns1/ns2 - NATS: HTTP monitoring endpoint on nats1 - OpenBao: telemetry config and Prometheus scrape with token auth - Systemd: systemd-exporter on all hosts for per-service metrics Add alert rules for postgres, auth (authelia + lldap), jellyfin, vault (openbao), plus extend existing nats and unbound rules. Add Terraform config for Prometheus metrics policy and token. The token is created via vault_token resource and stored in KV, so no manual token creation is needed. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
{ config, ... }:
|
|
{
|
|
homelab.monitoring.scrapeTargets = [{
|
|
job_name = "authelia";
|
|
port = 9959;
|
|
}];
|
|
|
|
sops.secrets.authelia_ldap_password = {
|
|
format = "yaml";
|
|
sopsFile = ../../secrets/auth01/secrets.yaml;
|
|
key = "authelia_ldap_password";
|
|
restartUnits = [ "authelia-auth.service" ];
|
|
owner = "authelia-auth";
|
|
group = "authelia-auth";
|
|
};
|
|
sops.secrets.authelia_jwt_secret = {
|
|
format = "yaml";
|
|
sopsFile = ../../secrets/auth01/secrets.yaml;
|
|
key = "authelia_jwt_secret";
|
|
restartUnits = [ "authelia-auth.service" ];
|
|
owner = "authelia-auth";
|
|
group = "authelia-auth";
|
|
};
|
|
sops.secrets.authelia_storage_encryption_key_file = {
|
|
format = "yaml";
|
|
key = "authelia_storage_encryption_key_file";
|
|
sopsFile = ../../secrets/auth01/secrets.yaml;
|
|
restartUnits = [ "authelia-auth.service" ];
|
|
owner = "authelia-auth";
|
|
group = "authelia-auth";
|
|
};
|
|
sops.secrets.authelia_session_secret = {
|
|
format = "yaml";
|
|
key = "authelia_session_secret";
|
|
sopsFile = ../../secrets/auth01/secrets.yaml;
|
|
restartUnits = [ "authelia-auth.service" ];
|
|
owner = "authelia-auth";
|
|
group = "authelia-auth";
|
|
};
|
|
|
|
services.authelia.instances."auth" = {
|
|
enable = true;
|
|
environmentVariables = {
|
|
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
|
|
config.sops.secrets.authelia_ldap_password.path;
|
|
AUTHELIA_SESSION_SECRET_FILE = config.sops.secrets.authelia_session_secret.path;
|
|
};
|
|
secrets = {
|
|
jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
|
|
storageEncryptionKeyFile = config.sops.secrets.authelia_storage_encryption_key_file.path;
|
|
};
|
|
settings = {
|
|
telemetry = {
|
|
metrics = {
|
|
enabled = true;
|
|
address = "tcp://0.0.0.0:9959";
|
|
};
|
|
};
|
|
access_control = {
|
|
default_policy = "two_factor";
|
|
};
|
|
session = {
|
|
# secret = "{{- fileContent \"${config.sops.secrets.authelia_session_secret.path}\" }}";
|
|
cookies = [
|
|
{
|
|
domain = "home.2rjus.net";
|
|
authelia_url = "https://auth.home.2rjus.net";
|
|
default_redirection_url = "https://dashboard.home.2rjus.net";
|
|
name = "authelia_session";
|
|
same_site = "lax";
|
|
inactivity = "1h";
|
|
expiration = "24h";
|
|
remember_me = "30d";
|
|
}
|
|
];
|
|
};
|
|
notifier = {
|
|
filesystem.filename = "/var/lib/authelia-auth/notification.txt";
|
|
};
|
|
storage = {
|
|
local.path = "/var/lib/authelia-auth/db.sqlite3";
|
|
};
|
|
authentication_backend = {
|
|
password_reset = {
|
|
disable = false;
|
|
};
|
|
ldap = {
|
|
address = "ldap://127.0.0.1:3890";
|
|
implementation = "lldap";
|
|
timeout = "5s";
|
|
base_dn = "dc=home,dc=2rjus,dc=net";
|
|
user = "uid=authelia_ldap_user,ou=people,dc=home,dc=2rjus,dc=net";
|
|
# password = "{{- fileContent \"${config.sops.secrets.authelia_ldap_password.path}\" -}}";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|
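Review bot: The metrics listener configured in `settings.telemetry.metrics.address` as `tcp://0.0.0.0:9959` binds Authelia's Prometheus endpoint on every interface of auth01, and nothing in this file restricts who can reach it; the endpoint carries no authentication of its own. Unless the `homelab.monitoring` module or the host firewall already limits port 9959 to the Prometheus scraper (not visible on this page), consider binding to the address the scraper uses to reach the host, or adding a firewall rule for the monitoring host only, and record that intent next to the setting, e.g. `# metrics endpoint is unauthenticated; reachable only from the monitoring host`. Which lines of this file are new is not recoverable from this rendering, but the scrape target and telemetry block match the commit message; the same exposure question applies to the other exporters the commit adds on pgdb1, ns1/ns2, nats1 and the systemd-exporter on all hosts, which live in files outside this page.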