From 4293c51090c8aadcf5ae5e6ab7c135d0241252fd Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Sun, 13 Aug 2023 09:08:18 +1000
Subject: [PATCH] modules/nixos/monitoring: add grafana

---
 docs/monitoring.md                   |  1 +
 hosts/web02/secrets.yaml             |  6 ++-
 modules/nixos/monitoring/default.nix |  5 ++
 modules/nixos/monitoring/grafana.nix | 73 ++++++++++++++++++++++++++++
 4 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 modules/nixos/monitoring/grafana.nix

diff --git a/docs/monitoring.md b/docs/monitoring.md
index b8eeaf1..4dc6d33 100644
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -1,2 +1,3 @@
 - [monitoring.nix-community.org/alertmanager](https://monitoring.nix-community.org/alertmanager)
+- [monitoring.nix-community.org/grafana](https://monitoring.nix-community.org/grafana)
 - [monitoring.nix-community.org/prometheus](https://monitoring.nix-community.org/prometheus)
diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
index 10b6d75..76f11ab 100644
--- a/hosts/web02/secrets.yaml
+++ b/hosts/web02/secrets.yaml
@@ -1,5 +1,7 @@
 ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:Z6SfUFsjfRaVc23CNM1NE4/c92MLmbdEXilPJomX9qM=,tag:xknd9rqBVvUg69ICvhXHcA==,type:str]
 nix-community-matrix-bot-token: ENC[AES256_GCM,data:CHL3h0ttoBjj5xGfvQ9k4kYDMFdKV9V5DV9KOtz84LotVjZ7MRP9LDjvxfchO8T3kU1OMPWqBVYOS04da3xMLyRQRa1phkkGwjigjQ==,iv:pGyD4w4LLYfZmyZol52DTKeWMOniG96TX0aoF/4/uxM=,tag:Hw/eCheMjiUBj9bDTz0Ysw==,type:str]
+grafana-admin-password: ENC[AES256_GCM,data:imowUQJxi03QyhYBvMx8nWo6VvblOSaQ3YozWyl4w86cEQ==,iv:Pop10QAd9rSwwyXzhvfmIr+bCKOCEaVGTcvg7VH5BTo=,tag:eRJ8N9M/iaIC2rx5MFfsEw==,type:str]
+grafana-client-secret: ENC[AES256_GCM,data:ET2/XYYDTPuZtmQvvmxqFSVini+z4ap3hQfdkLKOMikFvHNzhEgHzw==,iv:JLM490Da0bDohB4Rm38c1eeKYlM4ODL+Loth9i/RPC8=,tag:3uepHgyot9EgUKPQqYWHBQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -60,8 +62,8 @@ sops:
             QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9
             LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-15T22:00:57Z"
-    mac: ENC[AES256_GCM,data:caG26hmL2TlFVhufXG2lkhrKK0CtseYj+5HWnWYIaBo28jGesWONp9o3r3/eKa+7ZlBnQu1Xt+ctQmIOiyqavQtfTWYjlS8Pb2yvfjAKrKSYwg8gxRXnD+vqCzFAFsvlCdWV5uPdLmO6YuDWjO8QCccDQaJuo9ChAGDryngNPqY=,iv:cbS1zpaZFUr/HP4eDSOJe90IJ2IqxFzQdkBGfaHt6Uc=,tag:soKRVwIBbusdrcYLjA4B0w==,type:str]
+    lastmodified: "2023-09-17T00:19:44Z"
+    mac: ENC[AES256_GCM,data:hu48nar/2Z2HrBopQ2cbeucqq+rbE4OqBVCaLNdldIukJza0GWD7kMkBNXciM6J8BkfxFwcFSDBnieth9N/4tEu8ssorCZmnG9VUioNL/dbNVMTAgBTSc+BTgcNg9jTRea0y82OCEqAAxzEFSwDi2uAkzuecoFu6de3sVmYOUsc=,iv:O9V9c6EW942bn4IIfX+UFU/2cYu2eKCOxQ3PFcXSEYA=,tag:IplW3Em3yulcKQeySzP3LQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index e3e101b..7bb310d 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -1,5 +1,6 @@
 {
   imports = [
+    ./grafana.nix
     ./matrix-hook.nix
     ./prometheus.nix
     ./telegraf.nix
@@ -10,6 +11,10 @@
     forceSSL = true;
     locations."/".return = "302 https://nix-community.org/monitoring";
     locations."/alertmanager/".proxyPass = "http://localhost:9093/";
+    locations."/grafana/" = {
+      proxyPass = "http://localhost:3000/";
+      proxyWebsockets = true;
+    };
     locations."/prometheus/".proxyPass = "http://localhost:9090/";
   };
 }
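Review bot: The new `/grafana/` location hands requests to port 3000 with the `/grafana/` prefix stripped, while the Grafana settings added in this same commit set `server.enforce_domain = true`, which redirects any request whose Host header does not match `domain`; whether nginx passes the client's Host through (via `recommendedProxySettings` or an explicit `proxy_set_header Host $host;`) is decided by lines outside this hunk, so it is worth confirming before merge. If the header is not forwarded, Grafana would see `localhost:3000` as the host and bounce every request. A short comment on the location, e.g. `# prefix is stripped; grafana's root_url carries the /grafana/ subpath`, would also help the next person who touches the proxy map. The enclosing virtualHost block starts before this hunk.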
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
new file mode 100644
index 0000000..8a038ae
--- /dev/null
+++ b/modules/nixos/monitoring/grafana.nix
@@ -0,0 +1,73 @@
+{ config, ... }:
+{
+  systemd.services.grafana.after = [ "prometheus.service" ];
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      analytics.reporting_enabled = false;
+      analytics.feedback_links_enabled = false;
+
+      "auth.anonymous".enabled = true;
+
+      # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/github/
+      "auth.github" = {
+        enabled = true;
+        client_id = "ea6aa36488df8b2dede6";
+        client_secret = "$__file{${config.sops.secrets.grafana-client-secret.path}}";
+        auth_url = "https://github.com/login/oauth/authorize";
+        token_url = "https://github.com/login/oauth/access_token";
+        api_url = "https://api.github.com/user";
+        allow_sign_up = true;
+        auto_login = false;
+        allowed_organizations = [ "nix-community" ];
+        role_attribute_strict = true;
+        allow_assign_grafana_admin = true;
+        role_attribute_path = "contains(groups[*], '@nix-community/admin') && 'GrafanaAdmin' || 'Editor'";
+      };
+
+      server = {
+        root_url = "https://monitoring.nix-community.org/grafana/";
+        domain = "monitoring.nix-community.org";
+        enforce_domain = true;
+        enable_gzip = true;
+      };
+
+      database = {
+        type = "postgres";
+        name = "grafana";
+        host = "/run/postgresql";
+        user = "grafana";
+      };
+
+      security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
+    };
+
+    provision.datasources.settings.datasources = [
+      {
+        name = "prometheus";
+        type = "prometheus";
+        isDefault = true;
+        url = "http://localhost:9090";
+      }
+    ];
+  };
+
+  services.telegraf.extraConfig.inputs.prometheus.urls = [
+    "http://localhost:3000/metrics"
+  ];
+
+  sops.secrets.grafana-admin-password.owner = "grafana";
+  sops.secrets.grafana-client-secret.owner = "grafana";
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "grafana" ];
+    ensureUsers = [
+      {
+        name = "grafana";
+        ensurePermissions = { "DATABASE grafana" = "ALL PRIVILEGES"; };
+      }
+    ];
+  };
+}
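Review bot: `security.admin_password` (line with `$__file{…grafana-admin-password…}`) is applied by Grafana only when the admin user is first created in the database, so rotating the sops secret later will not change the stored password; a comment such as `# only honoured on first database init - rotate via the UI/API afterwards` would prevent a false sense of rotation. `"auth.anonymous".enabled = true` relies on Grafana's default anonymous role rather than stating it; making it explicit with `"auth.anonymous".org_role = "Viewer";` documents the intended exposure (read-only dashboards and datasource queries against the already-public Prometheus) and guards against a default change. The GitHub role mapping grants `Editor` to every `nix-community` member that is not in `@nix-community/admin`; if that breadth is intended, a one-line comment above `role_attribute_path` saying so would make it a visible decision rather than an accident of the expression.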