diff --git a/docs/monitoring.md b/docs/monitoring.md
index b8eeaf1..4dc6d33 100644
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -1,2 +1,3 @@
 - [monitoring.nix-community.org/alertmanager](https://monitoring.nix-community.org/alertmanager)
+- [monitoring.nix-community.org/grafana](https://monitoring.nix-community.org/grafana)
 - [monitoring.nix-community.org/prometheus](https://monitoring.nix-community.org/prometheus)
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 18592b7..e7b1f60 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -3,6 +3,7 @@
 imports = [
 inputs.srvos.nixosModules.roles-prometheus
 ./alert-rules.nix
+ ./grafana.nix
 ./matrix-hook.nix
 ./prometheus.nix
 ./telegraf.nix
@@ -19,6 +20,10 @@
 basicAuthFile = config.age.secrets.nginx-basic-auth-file.path;
 proxyPass = "http://localhost:9093/";
 };
+ locations."/grafana/" = {
+ proxyPass = "http://localhost:3000/";
+ proxyWebsockets = true;
+ };
 locations."/prometheus/".proxyPass = "http://localhost:9090/";
 };
 }
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
new file mode 100644
index 0000000..575aadd
--- /dev/null
+++ b/modules/nixos/monitoring/grafana.nix
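Review bot: The new `/grafana/` location in the second default.nix hunk is proxied without the `basicAuthFile` that guards `/alertmanager/` two lines above it, so Grafana's own authentication (configured in grafana.nix) is the only gate on that path; a one-line comment would make that deliberate choice visible, e.g. `# no basic auth here: Grafana authenticates via GitHub OAuth and allows anonymous viewers`. grafana.nix also sets `enforce_domain = true` with `domain = "monitoring.nix-community.org"`, which means Grafana compares the incoming Host header against that name, so this location depends on nginx forwarding `Host` upstream (on NixOS `services.nginx.recommendedProxySettings` does this); that option is not visible in the hunk and is worth confirming. The enclosing `virtualHosts` block starts outside the hunk.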
@@ -0,0 +1,81 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
+{
+ systemd.services.grafana.after = [ "prometheus.service" ];
+
+ age.secrets.grafana-client-secret = {
+ file = "${inputs.self}/secrets/grafana-client-secret.age";
+ owner = "grafana";
+ };
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ analytics.reporting_enabled = false;
+ analytics.feedback_links_enabled = false;
+
+ "auth.anonymous".enabled = true;
+
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/github/
+ "auth.github" = {
+ enabled = true;
+ client_id = "ea6aa36488df8b2dede6";
+ client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+ auth_url = "https://github.com/login/oauth/authorize";
+ token_url = "https://github.com/login/oauth/access_token";
+ api_url = "https://api.github.com/user";
+ allow_sign_up = true;
+ auto_login = false;
+ allowed_organizations = [ "nix-community" ];
+ role_attribute_strict = true;
+ allow_assign_grafana_admin = true;
+ role_attribute_path = "contains(groups[*], '@nix-community/admin') && 'GrafanaAdmin' || 'Editor'";
+ };
+
+ server = {
+ root_url = "https://monitoring.nix-community.org/grafana/";
+ domain = "monitoring.nix-community.org";
+ enforce_domain = true;
+ enable_gzip = true;
+ };
+
+ database = {
+ type = "postgres";
+ name = "grafana";
+ host = "/run/postgresql";
+ user = "grafana";
+ };
+
+ security.disable_initial_admin_creation = true;
+ };
+
+ provision.datasources.settings.datasources = [
+ {
+ name = "prometheus";
+ type = "prometheus";
+ isDefault = true;
+ url = "http://localhost:9090";
+ }
+ ];
+ };
+
+ services.telegraf.extraConfig.inputs.prometheus.urls = [
+ "http://localhost:3000/metrics"
+ ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ ensureDatabases = [ "grafana" ];
+ ensureUsers = [
+ {
+ name = "grafana";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
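Review bot: `"auth.anonymous".enabled = true;` leans on Grafana's default anonymous role (Viewer) without stating it, and because the nginx `/grafana/` location added in default.nix carries no basic auth, every dashboard backed by the provisioned Prometheus datasource is readable without login; pin the intent with `"auth.anonymous".org_role = "Viewer";` and a comment noting that this matches the already unauthenticated `/prometheus/` proxy. The `role_attribute_path` expression falls back to `'Editor'` for any `nix-community` org member outside `@nix-community/admin`, so every org member can edit dashboards; if that is intended, say so in a comment next to it, otherwise `'Viewer'` is the narrower fallback. The telegraf scrape of `http://localhost:3000/metrics` shows the Grafana metrics endpoint is on, and the same path is reachable through the proxy as `/grafana/metrics`; Grafana serves `/metrics` without authentication by default unless `metrics.basic_auth_username`/`metrics.basic_auth_password` are set, so consider setting those (and giving telegraf the credentials) or denying that path at the nginx layer. Lastly, `package = pkgs.postgresql_17;` pins a major version whose eventual bump needs a manual dump/restore; a short comment there would spare the next maintainer a surprise.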
diff --git a/secrets/grafana-client-secret.age b/secrets/grafana-client-secret.age
new file mode 100644
index 0000000..b92b402
Binary files /dev/null and b/secrets/grafana-client-secret.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f175de6..d9abd93 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,7 @@ let
 web02 = knownHosts.web02.publicKey;
 secrets = {
+ grafana-client-secret = [ web02 ];
 hercules-binary-caches = [ build03 build04