From 11da229f3f892d3346a83cbb11b5e26cf9974687 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Tue, 17 Feb 2026 19:22:11 +0100
Subject: [PATCH] grafana basic auth
---
 hosts/matrix/default.nix | 1 +
 hosts/md/default.nix | 1 +
 hosts/monitoring/default.nix | 3 ++-
 hosts/monitoring/nginx.nix | 2 +-
 hosts/sql/default.nix | 1 +
 hosts/www/default.nix | 1 +
 secrets/grafana_basic_auth.age | Bin 0 -> 942 bytes
 secrets/secrets.nix | 1 +
 services/prometheus-node.nix | 15 +++++++++++++++
 9 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 secrets/grafana_basic_auth.age
 create mode 100644 services/prometheus-node.nix
diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 1b321d8..7ab9d3c 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/nginx.nix
+ ../../services/prometheus-node.nix
 ./nginx.nix
 ./synapse.nix
 ./draupnir.nix
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index e30f687..437a864 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ./hedgedoc.nix
 ../../services/nginx.nix
 ./nginx.nix
diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix
index fb2e323..18ccdce 100644
--- a/hosts/monitoring/default.nix
+++ b/hosts/monitoring/default.nix
@@ -4,8 +4,9 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ../../services/nginx.nix
- #./nginx.nix
+ ./nginx.nix
 #./prometheus.nix
 #./grafana.nix
 ];
diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix
index 5712204..bb61893 100644
--- a/hosts/monitoring/nginx.nix
+++ b/hosts/monitoring/nginx.nix
@@ -7,7 +7,7 @@
 kTLS = true;
 forceSSL = true;
 enableACME = true;
- #basicAuthFile = config.age.secrets.grafana_basic_auth.path;
+ basicAuthFile = config.age.secrets.grafana_basic_auth.path;
 locations = {
 "/" = {
 #proxyPass = "http://";
diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix
index 707f731..50c94ce 100644
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
+ ../../services/prometheus-node.nix
 ./postgres.nix
 ];
diff --git a/hosts/www/default.nix b/hosts/www/default.nix
index fd41fe2..2a62713 100644
--- a/hosts/www/default.nix
+++ b/hosts/www/default.nix
@@ -5,6 +5,7 @@
 ../common.nix
 ../../services/openssh.nix
 ./openssh.nix
+ ../../services/prometheus-node.nix
 ../../services/nginx.nix
 ./nginx.nix
 ];
diff --git a/secrets/grafana_basic_auth.age b/secrets/grafana_basic_auth.age
new file mode 100644
index 0000000000000000000000000000000000000000..0a9d08f4464fe75aa5ea15f44982bb5f377b800b
GIT binary patch literal 942 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH_0Y~UELRBdP4V~5 z%L+Ggw9F}Ta}O;_G%GW6F3a=u%QiGl4@oYKO7`;%FgMh%G~hC~tk5?~GI!7NjwntJ z)OOZ(&#y``@$t(t@CpcyN~!b<%QwvN$uaT{3`Muiwah0eyj&r*GBhpOEFwAAG$YBR zGAF9SB+{ka$FwRtEI-_`Jh3R(saQMG#52RpAe}2*zc3>&GQ`z!ZWkTvC!N-+$}daB`UNm*aY3S6kqK$pFjmC|8(~tj|dZ&taA5A?J`Hhs-$4& zbZvtIqj0x~6xVbQzo1n2D#JpH@^miqBExWt;5-u#cTauaB2$+rgU~W<3+>bbS96bC zlaz4h0D~mM;E+6zpnP=OvMR!TjRFgS$TV>* zaSJwxat-7PaB=Y~4J!4_^)pLOcXTu?NDB1v%P;me&J4{ih%_{{w6rkR&nZd`$+AGV z&CR{Q)G%Ek+1R`)*CI8$D!(9Azuep_$s)%+DLGTyPus-OG2K5^KQg!2E25+#Da4n{ z*VD-|pt7)7+qA&9Dm}$BG1<^G)jT~hGECpoHOb4#sid;lDc2_>-wh)qJrfH`lhYME z{nEnSvQko9ihX_3GJTDMa*`dBowSW}Jv@qoO^X6TvlBCmJcHBB-OIT`!g9SMLe10D z0t`dUjl)eXLY+e@q6~vAQ-gEU0@D0K&9fa#0ur;bBO|$Vb#)aC&4aWnl6-wi{EagV zUDA?VQ?>mpbM%A#LyJm_lDw0=OWiDzlhc!;%0jt5Hhx?dxp|qnSLnAW*F%55%zOCo zSAXB{8^1p)mbtyFchDqdB4=$YfnKAH#)HH=6zZ nB3@i)kaf7?@$opr@=FOfJs*^uPY+2rEbe+dC;pJfp4j~W2r56& literal 0 HcmV?d00001
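Review bot: `basicAuthFile` in hosts/monitoring/nginx.nix now dereferences `config.age.secrets.grafana_basic_auth`, but nothing in this commit declares that secret for the host; the `secrets/secrets.nix` entry only lists who the file is encrypted to. If no `age.secrets.grafana_basic_auth` declaration exists elsewhere in the repository, evaluation of the monitoring host fails on the missing attribute. When it is declared, agenix decrypts to a root-owned mode-0400 file by default, which the nginx worker cannot read, so I would declare it next to the vhost as `age.secrets.grafana_basic_auth = { file = ../../secrets/grafana_basic_auth.age; owner = config.services.nginx.user; };`. The `"/"` location still has `proxyPass` commented out, and the vhost attribute set starts and ends outside the hunk.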
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3114dbe..d687b70 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,6 +35,7 @@ in
 "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ];
 "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ];
+ "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ];
 "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
 "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix
new file mode 100644
index 0000000..71e75e7
--- /dev/null
+++ b/services/prometheus-node.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ services.prometheus.exporters.node = {
+ enable = true;
+ #listenAddress = "0.0.0.0";
+ firewallRules = ''
+ ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+ ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
+ '';
+ enabledCollectors = [];
+ disabledCollectors = [];
+ };
+}
+
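Review bot: The new services/prometheus-node.nix cannot evaluate as written: the module header is `{ ... }:` but both `firewallRules` lines use `config`, and the port option is an integer, which Nix refuses to interpolate without `toString`. `firewallRules` is also, as far as I know, only installed when `openFirewall = true` and the nftables firewall is in use, and neither is set in this file. With `listenAddress` left commented out the exporter presumably listens on every interface, so these source-restricted rules are the only thing limiting who can scrape host metrics; it is worth confirming that `networking.firewall` is enabled on all five hosts that import this module. The comment text `monitoring.berlin.ccc.der` looks like a typo for `.de`.

```nix
{ config, ... }:
# … unchanged: opening brace …
  services.prometheus.exporters.node = {
    enable = true;
    openFirewall = true;
    # … unchanged: commented-out listenAddress …
    firewallRules = ''
      ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
      ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
    '';
    # … unchanged: collector lists and closing braces …
```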