authorTrygve Laugstøl <trygvis@inamo.no>2023-10-30 15:09:26 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2023-10-31 12:15:56 +0100
commit3a7734b21b69ae533fa069f0dfa8d7e98222d159 (patch)
tree30f9fd2e575b30e2f0b529e71bab738a2565f9d7
parentadde3d92ecc77a9d1583a5c08d86216a0e1bc20d (diff)
conflatorio/telegraf
-rw-r--r--terraform/telegraf/conflatorio/.terraform.lock.hcl60
-rw-r--r--terraform/telegraf/conflatorio/ansible-config.yml12
-rw-r--r--terraform/telegraf/conflatorio/backend.tf12
-rw-r--r--terraform/telegraf/conflatorio/main.tf37
-rw-r--r--terraform/telegraf/conflatorio/telegraf.tf105
-rw-r--r--terraform/telegraf/conflatorio/templates/telegraf.conf20
-rw-r--r--terraform/telegraf/conflatorio/terragrunt.hcl3
-rw-r--r--terraform/telegraf/conflatorio/vault.yml22
8 files changed, 271 insertions, 0 deletions
diff --git a/terraform/telegraf/conflatorio/.terraform.lock.hcl b/terraform/telegraf/conflatorio/.terraform.lock.hcl
new file mode 100644
index 0000000..5afe9c5
--- /dev/null
+++ b/terraform/telegraf/conflatorio/.terraform.lock.hcl
@@ -0,0 +1,60 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/template" {
+ version = "2.2.0"
+ hashes = [
+ "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+ "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+ "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+ "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+ "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+ "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+ "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+ "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+ "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+ "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+ "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+ ]
+}
+
+provider "registry.terraform.io/kreuzwerker/docker" {
+ version = "2.24.0"
+ constraints = "2.24.0"
+ hashes = [
+ "h1:1z0/qA77T3PS/1m4vRO8UgWjHjk5/v+f3JfGbMyzX18=",
+ "zh:181fefd55c8eb75efe9815c43fdd76422b57951ef53b5d5f19273a00fdf0e2e2",
+ "zh:2ec84e029d169f188be2addf7f45c2555f226f67d4b6fb66c1749ed5b2c4a76a",
+ "zh:6f5cf945148485f57b919d31a30f1a5a93d45f4e8edfdb0b80b22258d51795d8",
+ "zh:8d00c2c459a48453f52a00a8d1ffdb7bcf72fe4b3b09ffcfd52218c4646fa7fa",
+ "zh:9bd6e06601e0a972b9ce01150e32e76b76b4caf1d9798daf4cf16d06e2a8d4a3",
+ "zh:af72591132dc8cd338f293e458403851e6b8a6ac4c4d25a3268940f9763df7aa",
+ "zh:c4a47c5c7ad2ff1fc5212e69c5ef837a127346264e46ce7b5d13362545e4aa70",
+ "zh:c6d68f33efcd3372331ed0d58ec49e8b01ddc132934b14d2d45977076950e4b3",
+ "zh:db228855ae7235095d367f3597719747e5be0dd9ce2206ea02062560b518c08a",
+ "zh:e8d6ce89642925f2e813d0b829bd5562582de37eaa39351e231ab474383e703a",
+ "zh:ec83d8c86a918d25eb824cc99f98924ef8949eb69aa40cb5ff2db24369e52d9c",
+ "zh:ee0032d3d86adeeca7fdd4922bb8db87dbb5cd0093c054ff8efe2260de0b624c",
+ "zh:f033b70f342f32eeb98c213e6fc7098d7afd22b3146a5cb6173c128b0e86d732",
+ "zh:f1bc3a2c4f152f8adc9a1f9c852496232ef31073b149945756c13bc9688cf08b",
+ ]
+}
+
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
+ hashes = [
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/terraform/telegraf/conflatorio/ansible-config.yml b/terraform/telegraf/conflatorio/ansible-config.yml
new file mode 100644
index 0000000..3acab34
--- /dev/null
+++ b/terraform/telegraf/conflatorio/ansible-config.yml
@@ -0,0 +1,12 @@
+- hosts:
+ - conflatorio
+ tasks:
+ - become: yes
+ file:
+ state: directory
+ path: "/etc/trygvis"
+
+ - become: yes
+ template:
+ dest: "/etc/trygvis/telegraf.conf"
+ src: "telegraf.conf"
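Review bot: Neither task sets `mode`, `owner` or `group`, so the permissions on `/etc/trygvis` and `/etc/trygvis/telegraf.conf` depend on whatever umask is in effect under `become`. Making them explicit, for example `mode: "0755"` on the `file` task and `owner: root`, `group: root`, `mode: "0644"` on the `template` task, keeps the result predictable. The file is bind-mounted into the container and read there by the unprivileged telegraf user, so it presumably has to stay readable by that user. Both tasks would also be easier to follow in playbook output with a `name:`.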
diff --git a/terraform/telegraf/conflatorio/backend.tf b/terraform/telegraf/conflatorio/backend.tf
new file mode 100644
index 0000000..bdc5b52
--- /dev/null
+++ b/terraform/telegraf/conflatorio/backend.tf
@@ -0,0 +1,12 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+ backend "s3" {
+ bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ key = "telegraf/conflatorio/terraform.tfstate"
+ skip_region_validation = true
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ region = "eu-central-1"
+ endpoint = "eu-central-1.linodeobjects.com"
+ }
+}
diff --git a/terraform/telegraf/conflatorio/main.tf b/terraform/telegraf/conflatorio/main.tf
new file mode 100644
index 0000000..5d94503
--- /dev/null
+++ b/terraform/telegraf/conflatorio/main.tf
@@ -0,0 +1,37 @@
+terraform {
+ required_version = "~> 1.3.5"
+
+ required_providers {
+ docker = {
+ source = "kreuzwerker/docker"
+ version = "2.24.0"
+ }
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = "2.2.0"
+ }
+ }
+}
+
+locals {
+ ansible_host = "conflatorio"
+ hostname = "conflatorio.vpn.trygvis.io"
+
+ influx_url = "https://influxdb.vpn.trygvis.io"
+ influx_token = data.sops_file.vault.data["influx_token"]
+ influx_organization = "trygvis"
+
+ influx_bucket = "telegraf-lhn2ix"
+}
+
+provider "docker" {
+ host = "ssh://${local.hostname}"
+}
+
+data "sops_file" "vault" {
+ source_file = "vault.yml"
+}
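Review bot: The `template` entry in `required_providers` pins `hashicorp/template` 2.2.0, but no `template_file` or other resource from that provider appears in the files of this commit. That provider has been archived by HashiCorp in favour of the built-in `templatefile()` function, so keeping it means `terraform init` downloads and runs an unmaintained plugin for no visible benefit. If nothing outside this diff uses it, drop the `template = { ... }` block and regenerate `.terraform.lock.hcl`. It would also help to add a comment next to `sops = { source = "lokkersp/sops" ... }` saying why this provider source was chosen, since it is the plugin that handles the decrypted `influx_token`.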
diff --git a/terraform/telegraf/conflatorio/telegraf.tf b/terraform/telegraf/conflatorio/telegraf.tf
new file mode 100644
index 0000000..669476a
--- /dev/null
+++ b/terraform/telegraf/conflatorio/telegraf.tf
@@ -0,0 +1,105 @@
+#data "docker_network" "public" {
+# name = "public"
+#}
+
+data "docker_registry_image" "telegraf" {
+ name = "telegraf:1.28.3-alpine"
+}
+
+locals {
+ docker_gid = 997
+ entrypoint = <<EOT
+#!/bin/sh
+set -x
+
+setcap cap_net_raw+ep /usr/bin/telegraf
+setcap cap_net_bind_service+ep /usr/bin/telegraf
+setcap cap_net_admin+ep /usr/bin/telegraf
+
+su-exec telegraf:${local.docker_gid} \
+ /usr/bin/telegraf --config /telegraf.conf
+EOT
+}
+
+resource "docker_image" "telegraf" {
+ name = data.docker_registry_image.telegraf.name
+ pull_triggers = [data.docker_registry_image.telegraf.sha256_digest]
+}
+
+resource "docker_container" "telegraf" {
+ image = docker_image.telegraf.image_id
+ name = "telegraf"
+
+ provisioner "local-exec" {
+ command = "ansible-playbook -l ${local.ansible_host} ansible-config.yml"
+ }
+
+ network_mode = "host"
+
+ mounts {
+ type = "bind"
+ source = "/"
+ target = "/hostfs"
+ read_only = true
+ }
+
+ mounts {
+ type = "bind"
+ source = "/etc/trygvis/telegraf.conf"
+ target = "/telegraf.conf"
+ read_only = true
+ }
+
+ mounts {
+ type = "bind"
+ source = "/var/run/docker.sock"
+ target = "/var/run/docker.sock"
+ read_only = true
+ }
+
+ entrypoint = [
+ "sh",
+ "-c",
+ local.entrypoint,
+ ]
+# command = [
+# "--config",
+# "/telegraf.conf"
+# ]
+
+ # Needed to get group_add to apply, if not entrypoint.sh drops the extra
+ # group.
+# user = "telegraf:telegraf"
+# group_add = [
+# "997" # for docker input
+# ]
+
+ capabilities {
+ add = [
+ "CAP_NET_RAW",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_ADMIN",
+ ]
+ }
+
+ # cmd = [
+ # "sudo",
+ # "setcap",
+ # "CAP_NET_ADMIN+epi",
+ # "/usr/bin/telegraf"
+ # ]
+
+ env = [
+ "INFLUX_URL=${local.influx_url}",
+ "INFLUX_TOKEN=${local.influx_token}",
+ "INFLUX_ORGANIZATION=${local.influx_organization}",
+ "INFLUX_BUCKET=${local.influx_bucket}",
+
+ "HOST_MOUNT_PREFIX=/hostfs",
+ "HOST_ETC=/hostfs/etc",
+ "HOST_PROC=/hostfs/proc",
+ "HOST_RUN=/hostfs/run",
+ "HOST_SYS=/hostfs/sys",
+ "HOST_VAR=/hostfs/var",
+ ]
+}
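Review bot: `read_only = true` on the `/var/run/docker.sock` mount does not make the Docker API read-only. The flag only affects the bind mount's filesystem, and connecting to the socket still works, so the process started by `su-exec telegraf:${local.docker_gid}` (presumably the host's docker group) can issue any API call, which is equivalent to root on the host. Consider exposing the socket through a proxy that allows only the read endpoints the docker input needs. Separately, each of the three `setcap` calls in `local.entrypoint` replaces the file's capability set, so only `cap_net_admin` remains; one call, `setcap cap_net_raw,cap_net_bind_service,cap_net_admin+ep /usr/bin/telegraf`, sets all three. `"INFLUX_TOKEN=${local.influx_token}"` in `env` also ends up in plain text in the Terraform state and in `docker inspect` output, so access to the state bucket and to the Docker API should be restricted as for the secret itself.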
diff --git a/terraform/telegraf/conflatorio/templates/telegraf.conf b/terraform/telegraf/conflatorio/templates/telegraf.conf
new file mode 100644
index 0000000..369bd7b
--- /dev/null
+++ b/terraform/telegraf/conflatorio/templates/telegraf.conf
@@ -0,0 +1,20 @@
+[agent]
+ hostname = "{{ inventory_hostname }}"
+ omit_hostname = false
+
+[[outputs.influxdb_v2]]
+ urls = ["${INFLUX_URL}"]
+ token = "${INFLUX_TOKEN}"
+ organization = "${INFLUX_ORGANIZATION}"
+ bucket = "${INFLUX_BUCKET}"
+
+[[inputs.disk]]
+ ignore_fs = ["tmpfs", "devtmpfs", "devfs", "iso9660", "overlay", "aufs", "squashfs"]
+ mount_points = ["/"]
+
+[[inputs.mem]]
+[[inputs.net]]
+[[inputs.wireguard]]
+
+[[inputs.docker]]
+ endpoint = "unix:///var/run/docker.sock"
diff --git a/terraform/telegraf/conflatorio/terragrunt.hcl b/terraform/telegraf/conflatorio/terragrunt.hcl
new file mode 100644
index 0000000..e147285
--- /dev/null
+++ b/terraform/telegraf/conflatorio/terragrunt.hcl
@@ -0,0 +1,3 @@
+include "root" {
+ path = find_in_parent_folders()
+}
diff --git a/terraform/telegraf/conflatorio/vault.yml b/terraform/telegraf/conflatorio/vault.yml
new file mode 100644
index 0000000..90061a8
--- /dev/null
+++ b/terraform/telegraf/conflatorio/vault.yml
@@ -0,0 +1,22 @@
+influx_token: ENC[AES256_GCM,data:48AbbP7v1QRvK7h73J6RYb1BBXsKdF+8YREXqtvPlEk3DFHoncmPIVWCH0G8it21BJtBsAupnJCPoa9IR7nJMWZMy/2NotmjeJuBD7LYY05BFEs4K5y+yw==,iv:RbWI8JWTg1LHqNUAEsx42rFp7IIntkz7PR6l/kCl7z8=,tag:lCpcfh7xQR+29RhWEkG1lA==,type:str]
+config_url: ENC[AES256_GCM,data:tlhn8wfyD7EETkWGeeLEVOVQ3OS+PXnfWL6zXbuKYxz2I4EftRTAG9QAGCw2nb2VpTkBG4AE3kkLKLTiNWFBQsQ=,iv:V1pSBlTeE3zFBI29DtrzgAySHxhTS5jp8kuc7HtCKiI=,tag:Yo8vqUr9gohQYvuwqFkdFw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoakpmbW1sQSthL21NdVhw
+ a2lXd3F2VllDSHlBM3R4R0ZLQ1lzb3g0UG1JCmRSSTMvaXBWMVcycDZIV0Mvb01x
+ VDMvazFmc1lPZHUrN2Mwdnh5N1gwZ0EKLS0tIEh0T3FDUGtRSlVqQ2NzYTZLdCtL
+ Snd2V1FCL0hXUHA0R0FyUHBEUmNoeTAKK3uEAXKZetmJmn9vwleVzpfvIqyDMbuv
+ FEYrJ4oBr+NykSfWqZSLB+y4DPTNyE2jhZ1vOK1u/CcxisaVa3o7+A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-10-26T17:50:27Z"
+ mac: ENC[AES256_GCM,data:eFMCwmDaAvVaF1a45UQo/Z0lahAPVw5Mi7MH0m/UcVmvczad31gbPNuSZDAHyF+CWz4RmVCuqR0ukRBBXF5y18mVaTWC0zXhBaMsYIV3LR4CrdJ3wgmD5uY91X4un1aPJ/iR6T7w0wPfEaSnTR00n+f7tVhmyVfl6+9IwuUlcUo=,iv:Kme2RcQXWpYKPXfbzmK0JxbNyJqK1PEvLO6K4smWMLM=,tag:11nLZIVh7AYqhcO+1E6HmA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3