clerie/nixfiles
1
0
Fork 0
Code Activity

hosts/monitoring-3: Alert when GPG key is about to expire

Browse Source
This commit is contained in:
clerie
2025-04-14 21:45:09 +02:00
parent cc00e92b51
commit e125d5d3bf
3 changed files with 31 additions and 1 deletions
hosts/monitoring-3
prometheus.nixrules.yml
pkgs/clerie-keys
default.nix

13
hosts/monitoring-3/prometheus.nix

@@ -419,6 +419,19 @@ in {
relabelAddressToInstance relabelAddressToInstance
]; ];
} }
{
job_name = "clerie_keys";
scrape_interval = "5m";
scheme = "https";
metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
static_configs = [
{
targets = [
"clerie.de"
];
}
];
}
]; ];
alertmanagers = [ alertmanagers = [
{ {

14
hosts/monitoring-3/rules.yml

@@ -73,3 +73,17 @@ groups:
annotations: annotations:
summary: "Synapse of {{ $labels.target }} unavailable" summary: "Synapse of {{ $labels.target }} unavailable"
description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage" description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
- alert: ClerieKeysExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
labels:
severity: critical
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
- alert: ClerieKeysAlmostExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
labels:
severity: warning
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring soon"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"

5
pkgs/clerie-keys/default.nix

@@ -10,5 +10,8 @@ runCommand "clerie-keys" {
gpg --import-options import-export --armor -o $out/gpg/clerie@clerie.de.asc --import ${../../users/clerie/gpg.asc} gpg --import-options import-export --armor -o $out/gpg/clerie@clerie.de.asc --import ${../../users/clerie/gpg.asc}
gpg --import-options import-export -o $out/gpg/clerie@clerie.de --import ${../../users/clerie/gpg.asc} gpg --import-options import-export -o $out/gpg/clerie@clerie.de --import ${../../users/clerie/gpg.asc}
gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} > colons.txt
cat colons.txt | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
cat colons.txt | awk -F: '$1 == "pub" {print "@", $7;}' | date -f - -Iseconds > $out/gpg/clerie@clerie.de.expires.txt
cat colons.txt | awk '{printf "%s:%s", $0, ($0 ~ /^(pub|sub)/) ? ":" : "\n" }' | awk '$0 ~ /^(pub|sub)/ { print $0}' | awk -F: '{if ($1 == "pub") { fingerprint=$32; keyid=$5 }} {printf "clerie_keys_gpg_key_expire_time{fingerprint=\"%s\", keyid=\"%s\", subkeyfingerprint=\"%s\", subkeykeyid=\"%s\", type=\"%s\"} %s\n", fingerprint, keyid, ($1 == "sub") ? $30 : "", ($1 == "sub") ? $5 : "", $1, $7}' > $out/gpg/clerie@clerie.de.metrics.txt
'' ''