colmena initial implementation for sandbox and monitor

2025-07-06 21:25:57 +02:00 · 2025-07-06 21:25:57 +02:00 · 5feb74d56d
commit 5feb74d56d
parent a90630ecb6
40 changed files with 27629 additions and 141 deletions
--- a/machines/modules/default.nix
+++ b/machines/modules/default.nix
@ -0,0 +1,11 @@
+{
+  imports = [
+    ./node-exporter.nix
+    ./journal-log.nix
+    # ./wireguard.nix
+    # ./nomad.nix
+    # ./vault.nix
+    # ./vaultSecret.nix
+    # ./consul.nix
+  ];
+}
--- a/machines/modules/journal-log.nix
+++ b/machines/modules/journal-log.nix
@ -0,0 +1,95 @@
+{
+  lib,
+  config,
+  nodes,
+  # name,
+  # meta,
+  ...
+}:
+with lib; let
+  cfg = config.journalLog;
+in {
+  options.journalLog = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
+    port = mkOption {
+      type = types.number;
+      default = 9080;
+    };
+
+    clientUrl = mkOption {
+      type = types.string;
+      default = "http://monitor.lab:3100/loki/api/v1/push";
+    };
+
+    extraConfig = mkOption {
+      type = types.attrs;
+      default = {};
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [cfg.port];
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/promtail 0755 promtail promtail -"
+    ];
+
+    services.promtail = {
+      enable = true;
+      configuration = {
+        server = {
+          http_listen_port = cfg.port;
+          grpc_listen_port = 0;
+        };
+        positions = {
+          filename = "/var/lib/promtail/positions.yaml";
+        };
+        clients = [
+          {
+            url = cfg.clientUrl;
+          }
+        ];
+        scrape_configs = [
+          {
+            job_name = "journal";
+            journal = {
+              path = "/var/log/journal";
+              labels = {
+                job = "promtail";
+                host = config.networking.hostName;
+                env = "proxmox";
+                instance = "${config.networking.hostName}.lab";
+              };
+            };
+            relabel_configs = [
+              {
+                source_labels = ["__journal__systemd_unit"];
+                target_label = "unit";
+              }
+              {
+                source_labels = ["__journal__hostname"];
+                target_label = "host";
+              }
+              {
+                source_labels = ["__journal__systemd_user_unit"];
+                target_label = "user_unit";
+              }
+              {
+                source_labels = ["__journal__transport"];
+                target_label = "transport";
+              }
+              {
+                source_labels = ["__journal_priority_keyword"];
+                target_label = "severity";
+              }
+            ];
+          }
+        ];
+      };
+    };
+  };
+}
--- a/machines/modules/node-exporter.nix
+++ b/machines/modules/node-exporter.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  # name,
+  # meta,
+  ...
+}:
+with lib; let
+  cfg = config.nodeExporter;
+in {
+  options.nodeExporter = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
+    port = mkOption {
+      type = types.number;
+      default = 9100;
+    };
+
+    extraConfig = mkOption {
+      type = types.attrs;
+      default = {};
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [cfg.port];
+
+    services.prometheus.exporters.node =
+      {
+        enable = true;
+        enabledCollectors = ["systemd"];
+        port = cfg.port;
+        extraFlags = ["--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi"];
+      }
+      // cfg.extraConfig;
+  };
+}