wip

bundles/influxdb2/README.md

@@ -0,0 +1,10 @@
+# setup
+
+- apply influxdb to server
+- write client_token into influxdb metadata:
+  `influx auth list --json | jq -r '.[] | select (.description == "client_token") | .token'`
+- apply clients
+
+# reset password
+
+Opening /var/lib/influxdb/influxd.bolt with https://github.com/br0xen/boltbrowser might help

bundles/influxdb2/items.py

@@ -27,17 +27,26 @@ svc_systemd['influxdb'] = {
     ]
 }
 
+actions['wait_for_influxdb_start'] = {
+    'command': 'sleep 5',
+    'triggered': True,
+    'triggered_by': [
+        'svc_systemd:influxdb',
+        'svc_systemd:influxdb:restart',
+    ]
+}
+
 actions['setup_influxdb'] = {
     'command': 'influx setup --username={username} --password={password} --org={org} --bucket={bucket} --token={token} --retention=0 --force'.format(
         username=node.metadata.get('influxdb/username'),
         password=quote(str(node.metadata.get('influxdb/password'))),
         org=node.metadata.get('influxdb/org'),
         bucket=node.metadata.get('influxdb/bucket'),
-        token=str(node.metadata.get('influxdb/token')),
+        token=str(node.metadata.get('influxdb/admin_token')),
     ),
     'unless': 'influx bucket list',
     'needs': [
-        'svc_systemd:influxdb',
+        'action:wait_for_influxdb_start',
     ],
 }
 
@@ -45,7 +54,7 @@ files['/root/.influxdbv2/configs'] = {
     'content': dumps({
         node.metadata.get('influxdb/bucket'): {
             'url': f"http://localhost:{node.metadata.get('influxdb/port')}",
-            'token': str(node.metadata.get('influxdb/token')),
+            'token': str(node.metadata.get('influxdb/admin_token')),
             'org': node.metadata.get('influxdb/org'),
             'active': True,
         },
@@ -54,3 +63,11 @@ files['/root/.influxdbv2/configs'] = {
         'action:setup_influxdb',
     ],
 }
+
+actions['create_influxdb_client_token'] = {
+    'command': 'influx auth create --description client_token --write-buckets --read-telegrafs',
+    'unless': """influx auth list --json | jq -r '.[] | select (.description == "client_token") | .token' | wc -l | grep -q ^1$""",
+    'needs': [
+        'file:/root/.influxdbv2/configs',
+    ],
+}

bundles/influxdb2/metadata.py

@@ -13,13 +13,12 @@ defaults = {
         'port': '8200',
         'username': 'admin',
         'org': 'default',
-        'org': 'default',
         'bucket': 'default',
         'config': {
             'bolt-path': '/var/lib/influxdb/influxd.bolt',
             'engine-path': '/var/lib/influxdb/engine',
             'reporting-disabled': True,
-            'http-bind-address': ':8200'
+            'http-bind-address': ':8200',
         },
     },
     'zfs': {
@@ -37,8 +36,8 @@ defaults = {
 def admin_password(metadata):
     return {
         'influxdb': {
-            'password': repo.vault.password_for(f"{node.metadata.get('id')} influxdb admin"),
-            'token': repo.vault.random_bytes_as_base64_for(f"{node.metadata.get('id')} influxdb default token", length=64),
+            'password': repo.vault.password_for(f"{metadata.get('id')} influxdb admin"),
+            'admin_token': repo.vault.random_bytes_as_base64_for(f"{metadata.get('id')} influxdb default token", length=64),
         },
     }
 

bundles/telegraf/metadata.py

@@ -67,7 +67,7 @@ def influxdb(metadata):
                 'outputs': {
                     'influxdb_v2': [{
                         'urls': [influxdb_server_url],
-                        'token': str(influxdb_node.metadata.get('influxdb/token')),
+                        'token': str(influxdb_node.metadata.get(f'influxdb/client_token')),
                         'organization': influxdb_node.metadata.get('influxdb/org'),
                         'bucket': influxdb_node.metadata.get('influxdb/bucket'),
                     }]

nodes.py

@@ -1,9 +1,30 @@
 from os import walk
 from os.path import join, basename, splitext
 
+converters = {
+    '32_random_bytes_as_base64_for': lambda x: vault.random_bytes_as_base64_for(x, length=32),
+    'decrypt': lambda x: vault.decrypt(x),
+    'decrypt_file': lambda x: vault.decrypt_file(x),
+    'password_for': lambda x: vault.password_for(x),
+}
+
+def demagify(data):
+    if isinstance(data, str):
+        for name, converter in converters.items():
+            if data.startswith(f'!{name}:'):
+                return converter(data[len(name) + 2:])
+        else:
+            return data
+    elif isinstance(data, dict):
+        return type(data)({key: demagify(value) for key, value in data.items()})
+    elif isinstance(data, (list, set, tuple)):
+        return type(data)([demagify(element) for element in data])
+    else:
+        return data
+
 for root, dirs, files in walk(join(repo_path, "nodes")):
     for filename in files:
         if filename.endswith(".py"):
             node = join(root, filename)
             with open(node, 'r', encoding='utf-8') as f:
-                nodes[splitext(basename(filename))[0]] = eval(f.read())
+                nodes[splitext(basename(filename))[0]] = demagify(eval(f.read()))

nodes/home.server.py

@@ -29,6 +29,7 @@
         },
         'influxdb': {
             'hostname': 'influxdb.sublimity.de',
+            'client_token': '!decrypt:encrypt$gAAAAABg25z8fEYjuRkhg4XuYMtJsPO5SaqlexuricXPZAzZ51_iQtPe5v7S503hMFdZ7j-XQUP6Q2y3ovbzhouRYeRZy1W020csOOtBcH08X-ya9cCAOCMnJdujg0MVakxPJhNPa5Ip5XsI4Bjb0EcftNDayQWQsZw1vFHBHllD-ALTisoCdbImD6a1iT4NuT57JGydbWGW',
         },
         'users': {
             'root': {