hosts/monitoring-3: Alert when GPG key is about to expire

hosts/monitoring-3/prometheus.nix

@@ -419,6 +419,19 @@ in {
           relabelAddressToInstance
         ];
       }
+      {
+        job_name = "clerie_keys";
+        scrape_interval = "5m";
+        scheme = "https";
+        metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
+        static_configs = [
+          {
+            targets = [
+              "clerie.de"
+            ];
+          }
+        ];
+      }
     ];
     alertmanagers = [
       {

hosts/monitoring-3/rules.yml

@@ -73,3 +73,17 @@ groups:
     annotations:
       summary: "Synapse of {{ $labels.target }} unavailable"
       description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
+  - alert: ClerieKeysExpire
+    expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
+    labels:
+      severity: critical
+    annotations:
+      summary: "GPG {{ $labels.fingerprint }} is expiring"
+      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
+  - alert: ClerieKeysAlmostExpire
+    expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
+    labels:
+      severity: warning
+    annotations:
+      summary: "GPG {{ $labels.fingerprint }} is expiring soon"
+      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"

pkgs/clerie-keys/default.nix

@@ -10,5 +10,8 @@ runCommand "clerie-keys" {
 
   gpg --import-options import-export --armor -o $out/gpg/clerie@clerie.de.asc --import ${../../users/clerie/gpg.asc}
   gpg --import-options import-export -o $out/gpg/clerie@clerie.de --import ${../../users/clerie/gpg.asc}
-  gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
+  gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} > colons.txt
+  cat colons.txt | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
+  cat colons.txt | awk -F: '$1 == "pub" {print "@", $7;}' | date -f - -Iseconds > $out/gpg/clerie@clerie.de.expires.txt
+  cat colons.txt | awk '{printf "%s:%s", $0, ($0 ~ /^(pub|sub)/) ? ":" : "\n" }' | awk '$0 ~ /^(pub|sub)/ { print $0}' | awk -F: '{if ($1 == "pub") { fingerprint=$32; keyid=$5 }}  {printf "clerie_keys_gpg_key_expire_time{fingerprint=\"%s\", keyid=\"%s\", subkeyfingerprint=\"%s\", subkeykeyid=\"%s\", type=\"%s\"} %s\n", fingerprint, keyid, ($1 == "sub") ? $30 : "", ($1 == "sub") ? $5 : "", $1, $7}' > $out/gpg/clerie@clerie.de.metrics.txt
 ''