diff --git a/bundles/influxdb2/README.md b/bundles/influxdb2/README.md
new file mode 100644
index 0000000..b52283d
--- /dev/null
+++ b/bundles/influxdb2/README.md
@@ -0,0 +1,10 @@
+# setup
+
+- apply influxdb to server
+- write client_token into influxdb metadata:
+ `influx auth list --json | jq -r '.[] | select (.description == "client_token") | .token'`
+- apply clients
+
+# reset password
+
+Opening /var/lib/influxdb/influxd.bolt with https://github.com/br0xen/boltbrowser might help
diff --git a/bundles/influxdb2/items.py b/bundles/influxdb2/items.py
index 00c87db..093ecc7 100644
--- a/bundles/influxdb2/items.py
+++ b/bundles/influxdb2/items.py
@@ -27,17 +27,26 @@ svc_systemd['influxdb'] = {
 ]
 }
+actions['wait_for_influxdb_start'] = {
+ 'command': 'sleep 5',
+ 'triggered': True,
+ 'triggered_by': [
+ 'svc_systemd:influxdb',
+ 'svc_systemd:influxdb:restart',
+ ]
+}
+
 actions['setup_influxdb'] = {
 'command': 'influx setup --username={username} --password={password} --org={org} --bucket={bucket} --token={token} --retention=0 --force'.format(
 username=node.metadata.get('influxdb/username'),
 password=quote(str(node.metadata.get('influxdb/password'))),
 org=node.metadata.get('influxdb/org'),
 bucket=node.metadata.get('influxdb/bucket'),
- token=str(node.metadata.get('influxdb/token')),
+ token=str(node.metadata.get('influxdb/admin_token')),
 ),
 'unless': 'influx bucket list',
 'needs': [
- 'svc_systemd:influxdb',
+ 'action:wait_for_influxdb_start',
 ],
 }
@@ -45,7 +54,7 @@ files['/root/.influxdbv2/configs'] = {
 'content': dumps({
 node.metadata.get('influxdb/bucket'): {
 'url': f"http://localhost:{node.metadata.get('influxdb/port')}",
- 'token': str(node.metadata.get('influxdb/token')),
+ 'token': str(node.metadata.get('influxdb/admin_token')),
 'org': node.metadata.get('influxdb/org'),
 'active': True,
 },
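Review bot: In `bundles/influxdb2/items.py`, `setup_influxdb` still passes the admin password and the renamed `admin_token` as `influx setup` command-line arguments, and only the password goes through `quote()`; `username`, `org`, `bucket` and the token are interpolated raw. Arguments are visible in the local process list while the command runs and tend to end up in apply logs, so at minimum quote every interpolated value, e.g. `token=quote(str(node.metadata.get('influxdb/admin_token'))),`. Separately, `wait_for_influxdb_start` is a fixed `sleep 5`, which races on a slow start; a bounded retry around a readiness probe such as `influx ping` (pointed at the configured port) would make the setup step deterministic.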
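Review bot: The `/root/.influxdbv2/configs` item in `bundles/influxdb2/items.py` now holds the operator-level `admin_token`, and no `'mode'` key is visible in this hunk. The item continues outside the hunk, so this may already be set; if it is not, add `'mode': '0600',` so the file does not depend on the default permissions. A short comment such as `# holds the admin token; clients use influxdb/client_token instead` would also record why the two tokens are kept apart.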
@@ -54,3 +63,11 @@ files['/root/.influxdbv2/configs'] = {
 'action:setup_influxdb',
 ],
 }
+
+actions['create_influxdb_client_token'] = {
+ 'command': 'influx auth create --description client_token --write-buckets --read-telegrafs',
+ 'unless': """influx auth list --json | jq -r '.[] | select (.description == "client_token") | .token' | wc -l | grep -q ^1$""",
+ 'needs': [
+ 'file:/root/.influxdbv2/configs',
+ ],
+}
diff --git a/bundles/influxdb2/metadata.py b/bundles/influxdb2/metadata.py
index b0e997a..75e5d61 100644
--- a/bundles/influxdb2/metadata.py
+++ b/bundles/influxdb2/metadata.py
@@ -13,13 +13,12 @@ defaults = {
 'port': '8200',
 'username': 'admin',
 'org': 'default',
- 'org': 'default',
 'bucket': 'default',
 'config': {
 'bolt-path': '/var/lib/influxdb/influxd.bolt',
 'engine-path': '/var/lib/influxdb/engine',
 'reporting-disabled': True,
- 'http-bind-address': ':8200'
+ 'http-bind-address': ':8200',
 },
 },
 'zfs': {
@@ -37,8 +36,8 @@ defaults = {
 def admin_password(metadata):
 return {
 'influxdb': {
- 'password': repo.vault.password_for(f"{node.metadata.get('id')} influxdb admin"),
- 'token': repo.vault.random_bytes_as_base64_for(f"{node.metadata.get('id')} influxdb default token", length=64),
+ 'password': repo.vault.password_for(f"{metadata.get('id')} influxdb admin"),
+ 'admin_token': repo.vault.random_bytes_as_base64_for(f"{metadata.get('id')} influxdb default token", length=64),
 },
 }
diff --git a/bundles/telegraf/metadata.py b/bundles/telegraf/metadata.py
index 31b75de..6f8b0db 100644
--- a/bundles/telegraf/metadata.py
+++ b/bundles/telegraf/metadata.py
@@ -67,7 +67,7 @@ def influxdb(metadata):
 'outputs': {
 'influxdb_v2': [{
 'urls': [influxdb_server_url],
- 'token': str(influxdb_node.metadata.get('influxdb/token')),
+ 'token': str(influxdb_node.metadata.get(f'influxdb/client_token')),
 'organization': influxdb_node.metadata.get('influxdb/org'),
 'bucket': influxdb_node.metadata.get('influxdb/bucket'),
 }]
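Review bot: The `unless` guard on `create_influxdb_client_token` in `bundles/influxdb2/items.py` passes only when exactly one `client_token` authorization exists (`wc -l | grep -q ^1$`). Once a second one is present, for instance after a manual rotation, every apply creates another live credential. Test for "at least one" instead by piping the jq output to `grep -q .` in place of `wc -l | grep -q ^1$`. The token is also created with `--write-buckets`, which covers every bucket in the org although telegraf writes to a single bucket; scoping it with `--write-bucket` and that bucket's ID would limit what a leaked client token can write to.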
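Review bot: In `bundles/telegraf/metadata.py`, `f'influxdb/client_token'` has an `f` prefix with no placeholders; plain `'influxdb/client_token'` matches the neighbouring `metadata.get` calls. Per the new README, `client_token` exists in metadata only after it has been copied into the node file by hand, so a comment such as `# client_token is set manually in the node file after the server's first apply` would explain a failed lookup on a fresh setup. The enclosing `influxdb` function starts and ends outside the hunk.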
diff --git a/nodes.py b/nodes.py
index 8dc85bf..eb88394 100644
--- a/nodes.py
+++ b/nodes.py
@@ -1,9 +1,30 @@
 from os import walk
 from os.path import join, basename, splitext
+converters = {
+ '32_random_bytes_as_base64_for': lambda x: vault.random_bytes_as_base64_for(x, length=32),
+ 'decrypt': lambda x: vault.decrypt(x),
+ 'decrypt_file': lambda x: vault.decrypt_file(x),
+ 'password_for': lambda x: vault.password_for(x),
+}
+
+def demagify(data):
+ if isinstance(data, str):
+ for name, converter in converters.items():
+ if data.startswith(f'!{name}:'):
+ return converter(data[len(name) + 2:])
+ else:
+ return data
+ elif isinstance(data, dict):
+ return type(data)({key: demagify(value) for key, value in data.items()})
+ elif isinstance(data, (list, set, tuple)):
+ return type(data)([demagify(element) for element in data])
+ else:
+ return data
+
 for root, dirs, files in walk(join(repo_path, "nodes")):
 for filename in files:
 if filename.endswith(".py"):
 node = join(root, filename)
 with open(node, 'r', encoding='utf-8') as f:
- nodes[splitext(basename(filename))[0]] = eval(f.read())
+ nodes[splitext(basename(filename))[0]] = demagify(eval(f.read()))
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 6792841..c780923 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -29,6 +29,7 @@
 },
 'influxdb': {
 'hostname': 'influxdb.sublimity.de',
+ 'client_token': '!decrypt:encrypt$gAAAAABg25z8fEYjuRkhg4XuYMtJsPO5SaqlexuricXPZAzZ51_iQtPe5v7S503hMFdZ7j-XQUP6Q2y3ovbzhouRYeRZy1W020csOOtBcH08X-ya9cCAOCMnJdujg0MVakxPJhNPa5Ip5XsI4Bjb0EcftNDayQWQsZw1vFHBHllD-ALTisoCdbImD6a1iT4NuT57JGydbWGW',
 },
 'users': {
 'root': {
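Review bot: In `nodes.py`, `demagify` returns any string that matches no converter unchanged, so a misspelled tag in a node file (a constructed example: `!decrpyt:…`) is deployed as the literal value instead of failing at load time. A docstring listing the supported `!name:` tags, plus an explicit error for an unrecognised `!word:` prefix, would catch that before a placeholder string is shipped as a credential. Indentation is not recoverable in this view, so confirm that the first `else: return data` pairs with the `for` loop rather than the inner `if`; otherwise only the first converter is ever tried. The wrapper lambdas can also be plain bound methods, e.g. `'decrypt': vault.decrypt,`.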