From d588764748f00d1b96fe6bc6873ff0b0fc4e11a4 Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Sun, 1 Jan 2023 20:44:28 +0100
Subject: don't rotate grafana password

---
 .../app/telemetry/deploy/telemetry-service.hcl     | 304 +++++++++++++++++++++
 cluster/staging/app/telemetry/deploy/telemetry.hcl | 296 --------------------
 cluster/staging/app/telemetry/secrets.toml         |   9 +-
 cluster/staging/node/caribou.nix                   |   2 +-
 cluster/staging/node/piranha.nix                   |   2 +-
 5 files changed, 310 insertions(+), 303 deletions(-)
 create mode 100644 cluster/staging/app/telemetry/deploy/telemetry-service.hcl
 delete mode 100644 cluster/staging/app/telemetry/deploy/telemetry.hcl

diff --git a/cluster/staging/app/telemetry/deploy/telemetry-service.hcl b/cluster/staging/app/telemetry/deploy/telemetry-service.hcl
new file mode 100644
index 0000000..e765bb9
--- /dev/null
+++ b/cluster/staging/app/telemetry/deploy/telemetry-service.hcl
@@ -0,0 +1,304 @@
+job "telemetry-service" {
+  datacenters = ["neptune", "jupiter", "corrin"]
+  type = "service"
+
+  group "prometheus" {
+    count = 2
+
+    network {
+      port "prometheus" {
+        static = 9090
+      }
+    }
+
+    constraint {
+      attribute = "${attr.unique.hostname}"
+      operator = "set_contains_any"
+      value = "cariacou,origan"
+    }
+
+    task "prometheus" {
+      driver = "nix2"
+      config {
+        nixpkgs = "github:nixos/nixpkgs/nixos-22.11"
+        packages = [ "#prometheus", "#coreutils", "#findutils", "#bash" ]
+        command = "prometheus"
+        args = [
+          "--config.file=/etc/prom/prometheus.yml",
+          "--storage.tsdb.path=/data",
+          "--storage.tsdb.retention.size=5GB",
+        ]
+        bind = {
+          "/mnt/ssd/prometheus" = "/data"
+        }
+      }
+
+      template {
+        data = file("../config/prometheus.yml")
+        destination = "etc/prom/prometheus.yml"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul.crt\" }}"
+        destination = "etc/prom/consul.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "etc/prom/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "etc/prom/consul-client.key"
+      }
+
+      resources {
+        memory = 500
+        cpu = 200
+      }
+
+      service {
+        port = "prometheus"
+        name = "prometheus"
+        check {
+          type = "http"
+          path = "/"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+
+  group "grafana" {
+    count = 1
+
+    network {
+      port "grafana" {
+        static = 3719
+      }
+    }
+
+    task "restore-db" {
+      lifecycle {
+        hook = "prestart"
+        sidecar = false
+      }
+
+      driver = "nix2"
+      config {
+        packages = [ "#litestream" ]
+        command = "litestream"
+        args = [
+          "restore", "-config", "/etc/litestream.yml", "/ephemeral/grafana.db"
+        ]
+        bind = {
+          "../alloc/data" = "/ephemeral",
+        }
+      }
+
+      template {
+        data = file("../config/grafana-litestream.yml")
+        destination = "etc/litestream.yml"
+      }
+
+      resources {
+        memory = 100
+        memory_max = 1000
+        cpu = 100
+      }
+    }
+
+    task "grafana" {
+      driver = "nix2"
+      config {
+        nixpkgs = "github:nixos/nixpkgs/nixos-22.11"
+        packages = [ "#grafana" ]
+        command = "grafana-server"
+        args = [
+          "-homepath", "/share/grafana",
+          "cfg:default.paths.data=/grafana",
+          "cfg:default.paths.provisioning=/grafana-provisioning"
+        ]
+
+        bind = {
+          "../alloc/data" = "/grafana",
+        }
+      }
+
+      template {
+        data = file("../config/grafana-datasource-prometheus.yaml")
+        destination = "grafana-provisioning/datasources/prometheus.yaml"
+      }
+
+      template {
+        data = <<EOH
+GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource,grafana-piechart-panel,grafana-worldmap-panel,grafana-polystat-panel
+GF_SERVER_HTTP_PORT=3719
+GF_SECURITY_ADMIN_PASSWORD={{ key "secrets/telemetry/grafana/admin_password" }}
+          EOH
+          destination = "secrets/env"
+          env = true
+      }
+
+      resources {
+        memory = 300
+          cpu = 800
+      }
+
+      restart {
+        interval = "30s"
+        attempts = 10
+        delay    = "1m"
+        mode     = "delay"
+      }
+
+      service {
+        name = "grafana"
+        tags = [
+          "grafana",
+          "tricot grafana.staging.deuxfleurs.org",
+          "d53-cname grafana.staging.deuxfleurs.org",
+        ]
+        port = "grafana"
+        check {
+          type = "tcp"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+
+    task "replicate-db" {
+      driver = "nix2"
+      config {
+        packages = [ "#litestream" ]
+        command = "litestream"
+        args = [
+          "replicate", "-config", "/etc/litestream.yml"
+        ]
+        bind = {
+          "../alloc/data" = "/ephemeral",
+        }
+      }
+
+      template {
+        data = file("../config/grafana-litestream.yml")
+        destination = "etc/litestream.yml"
+      }
+
+      resources {
+        memory = 100
+        memory_max = 500
+        cpu = 100
+      }
+    }
+  }
+
+  group "jaeger" {
+    count = 1
+
+    network {
+      port "jaeger-frontend" {
+        to = 16686
+      }
+      port "jaeger-otlp-grpc" {
+        static = 4317
+        to = 4317
+      }
+      port "jaeger-otlp-http" {
+        static = 4318
+        to = 4318
+      }
+    }
+
+    task "jaeger" {
+      driver = "docker"
+      config {
+        image = "jaegertracing/all-in-one:1.36"
+        ports = [ "jaeger-frontend", "jaeger-otlp-grpc", "jaeger-otlp-http" ]
+      }
+      resources {
+        memory = 2000
+        cpu = 1000
+      }
+
+      template {
+        data = <<EOH
+COLLECTOR_OTLP_ENABLED=true
+EOH
+          destination = "secrets/env"
+          env = true
+      }
+
+      service {
+        port = "jaeger-frontend"
+        address_mode = "host"
+        name = "jaeger-frontend"
+        tags = [
+          "tricot jaeger.staging.deuxfleurs.org",
+          "d53-cname jaeger.staging.deuxfleurs.org",
+        ]
+        check {
+          type = "tcp"
+          port = "jaeger-frontend"
+          address_mode = "host"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+
+      service {
+        port = "jaeger-otlp-grpc"
+        address_mode = "host"
+        name = "jaeger-otlp-grpc"
+        check {
+          type = "tcp"
+          port = "jaeger-otlp-grpc"
+          address_mode = "host"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+
+      service {
+        port = "jaeger-otlp-http"
+        address_mode = "host"
+        name = "jaeger-otlp-http"
+        check {
+          type = "tcp"
+          port = "jaeger-otlp-grpc"
+          address_mode = "host"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cluster/staging/app/telemetry/deploy/telemetry.hcl b/cluster/staging/app/telemetry/deploy/telemetry.hcl
deleted file mode 100644
index a3dacf0..0000000
--- a/cluster/staging/app/telemetry/deploy/telemetry.hcl
+++ /dev/null
@@ -1,296 +0,0 @@
-job "telemetry" {
-  datacenters = ["neptune", "jupiter", "corrin"]
-  type = "service"
-
-  group "prometheus" {
-    count = 2
-
-    network {
-      port "prometheus" {
-        static = 9090
-      }
-    }
-
-    constraint {
-      attribute = "${attr.unique.hostname}"
-      operator = "set_contains_any"
-      value = "cariacou,origan"
-    }
-
-    task "prometheus" {
-      driver = "nix2"
-      config {
-        nixpkgs = "github:nixos/nixpkgs/nixos-22.11"
-        packages = [ "#prometheus", "#coreutils", "#findutils", "#bash" ]
-        command = "prometheus"
-        args = [
-          "--config.file=/etc/prom/prometheus.yml",
-          "--storage.tsdb.path=/data",
-          "--storage.tsdb.retention.size=5GB",
-        ]
-        bind = {
-          "/mnt/ssd/prometheus" = "/data"
-        }
-      }
-
-      template {
-        data = file("../config/prometheus.yml")
-        destination = "etc/prom/prometheus.yml"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul.crt\" }}"
-        destination = "etc/prom/consul.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
-        destination = "etc/prom/consul-client.crt"
-      }
-
-      template {
-        data = "{{ key \"secrets/consul/consul-client.key\" }}"
-        destination = "etc/prom/consul-client.key"
-      }
-
-      resources {
-        memory = 500
-        cpu = 200
-      }
-
-      service {
-        port = "prometheus"
-        name = "prometheus"
-        check {
-          type = "http"
-          path = "/"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-  }
-
-  group "grafana" {
-    count = 1
-
-    network {
-      port "grafana" {
-        static = 3719
-      }
-    }
-
-    task "restore-db" {
-      lifecycle {
-        hook = "prestart"
-        sidecar = false
-      }
-
-      driver = "nix2"
-      config {
-        packages = [ "#litestream" ]
-        command = "litestream"
-        args = [
-          "restore", "-config", "/etc/litestream.yml", "/ephemeral/grafana.db"
-        ]
-        bind = {
-          "../alloc/data" = "/ephemeral",
-        }
-      }
-
-      template {
-        data = file("../config/grafana-litestream.yml")
-        destination = "etc/litestream.yml"
-      }
-
-      resources {
-        memory = 100
-        memory_max = 1000
-        cpu = 100
-      }
-    }
-
-    task "grafana" {
-      driver = "nix2"
-      config {
-        nixpkgs = "github:nixos/nixpkgs/nixos-22.11"
-        packages = [ "#grafana" ]
-        command = "grafana-server"
-        args = [
-          "-homepath", "/share/grafana",
-          "cfg:default.paths.data=/grafana",
-          "cfg:default.paths.provisioning=/grafana-provisioning"
-        ]
-
-        bind = {
-          "../alloc/data" = "/grafana",
-        }
-      }
-
-      template {
-        data = file("../config/grafana-datasource-prometheus.yaml")
-        destination = "grafana-provisioning/datasources/prometheus.yaml"
-      }
-
-      template {
-        data = <<EOH
-          GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource,grafana-piechart-panel,grafana-worldmap-panel,grafana-polystat-panel
-          GF_SERVER_HTTP_PORT=3719
-          EOH
-          destination = "secrets/env"
-          env = true
-      }
-
-      resources {
-        memory = 300
-          cpu = 800
-      }
-
-      service {
-        name = "grafana"
-        tags = [
-          "grafana",
-          "tricot grafana.staging.deuxfleurs.org",
-          "d53-cname grafana.staging.deuxfleurs.org",
-        ]
-        port = "grafana"
-        check {
-          type = "tcp"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-
-    task "replicate-db" {
-      driver = "nix2"
-      config {
-        packages = [ "#litestream" ]
-        command = "litestream"
-        args = [
-          "replicate", "-config", "/etc/litestream.yml"
-        ]
-        bind = {
-          "../alloc/data" = "/ephemeral",
-        }
-      }
-
-      template {
-        data = file("../config/grafana-litestream.yml")
-        destination = "etc/litestream.yml"
-      }
-
-      resources {
-        memory = 100
-        memory_max = 500
-        cpu = 100
-      }
-    }
-  }
-
-  group "jaeger" {
-    count = 1
-
-    network {
-      port "jaeger-frontend" {
-        to = 16686
-      }
-      port "jaeger-otlp-grpc" {
-        static = 4317
-        to = 4317
-      }
-      port "jaeger-otlp-http" {
-        static = 4318
-        to = 4318
-      }
-    }
-
-    task "jaeger" {
-      driver = "docker"
-      config {
-        image = "jaegertracing/all-in-one:1.36"
-        ports = [ "jaeger-frontend", "jaeger-otlp-grpc", "jaeger-otlp-http" ]
-      }
-      resources {
-        memory = 2000
-        cpu = 1000
-      }
-
-      template {
-        data = <<EOH
-COLLECTOR_OTLP_ENABLED=true
-EOH
-          destination = "secrets/env"
-          env = true
-      }
-
-      service {
-        port = "jaeger-frontend"
-        address_mode = "host"
-        name = "jaeger-frontend"
-        tags = [
-          "tricot jaeger.staging.deuxfleurs.org",
-          "d53-cname jaeger.staging.deuxfleurs.org",
-        ]
-        check {
-          type = "tcp"
-          port = "jaeger-frontend"
-          address_mode = "host"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-
-      service {
-        port = "jaeger-otlp-grpc"
-        address_mode = "host"
-        name = "jaeger-otlp-grpc"
-        check {
-          type = "tcp"
-          port = "jaeger-otlp-grpc"
-          address_mode = "host"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-
-      service {
-        port = "jaeger-otlp-http"
-        address_mode = "host"
-        name = "jaeger-otlp-http"
-        check {
-          type = "tcp"
-          port = "jaeger-otlp-grpc"
-          address_mode = "host"
-          interval = "60s"
-          timeout = "5s"
-          check_restart {
-            limit = 3
-            grace = "90s"
-            ignore_warnings = false
-          }
-        }
-      }
-    }
-  }
-}
diff --git a/cluster/staging/app/telemetry/secrets.toml b/cluster/staging/app/telemetry/secrets.toml
index 56df97d..f73c5b5 100644
--- a/cluster/staging/app/telemetry/secrets.toml
+++ b/cluster/staging/app/telemetry/secrets.toml
@@ -1,12 +1,11 @@
-[secrets."telemetry/grafana/s3_access_key"]
-type = 'user'
-description = 'S3 access key for grafana db'
-
 [secrets."telemetry/grafana/admin_password"]
 type = 'command'
-rotate = true
 command = 'openssl rand -base64 12'
 
+[secrets."telemetry/grafana/s3_access_key"]
+type = 'user'
+description = 'S3 access key for grafana db'
+
 [secrets."telemetry/grafana/s3_secret_key"]
 type = 'user'
 description = 'S3 secret key for grafana db'
diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix
index 02cb16d..f777e73 100644
--- a/cluster/staging/node/caribou.nix
+++ b/cluster/staging/node/caribou.nix
@@ -15,7 +15,7 @@
   deuxfleurs.ipv6 = "2001:910:1204:1::23";
 
   deuxfleurs.cluster_ip = "10.14.1.3";
-  deuxfleurs.is_raft_server = true;
+  deuxfleurs.is_raft_server = false;
 
   system.stateVersion = "21.05";
 }
diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix
index 22f8108..bda7c1f 100644
--- a/cluster/staging/node/piranha.nix
+++ b/cluster/staging/node/piranha.nix
@@ -15,7 +15,7 @@
   deuxfleurs.ipv6 = "2a01:cb05:8984:3c00:223:24ff:feb0:ea82";
 
   deuxfleurs.cluster_ip = "10.14.3.1";
-  deuxfleurs.is_raft_server = false;
+  deuxfleurs.is_raft_server = true;
 
   system.stateVersion = "22.11";
 }
-- 
cgit v1.2.3