Monitor awsarm through SSH

[joinemm]

sshified can be used to proxy prometheus metrics through ssh connection, meaning we do not have to open any ports to the world.

This PR adds a derivation to build sshified, a systemd service to run it, and the necessary ssh configuration to scrape metrics from awsarm.

Also added documentation that tells how to add new monitored targets, with either ssh or http authentication, though there are no more targets that are using http basic auth.

[henrirosten]

Looks good to me.
One item we possibly might want to simplify in a a follow-up PR:
I think we do not necessarily need the sshified but similar ssh tunnelling setup could be established using just ssh with option -L (or possibly -D). Or did you trial this already?

[joinemm]

@henrirosten ssh -L works but the problem is we would have to keep the ssh tunnel open indefinitely, which is not very reliable. sshified on the other hand opens a new ssh connection for each request.

[tervis-unikie]

Please make sure that the sshfied user on awsarm only has the permissions absolutely necessary for this to work.

[joinemm]

@tervis-unikie sshified user has whatever is default permissions when using adduser. Should something be restricted?

[tervis-unikie]

@tervis-unikie sshified user has whatever is default permissions when using adduser. Should something be restricted?

Then the user can do whatever a normal user can do, which for the purpose of sshfied is excessive.
This account could be set into a limited chroot environment for example.
But anyway, this is not a matter of this PR, just noting this...