From cf861eb4fb91a635085aa49eed1e7b1d2fe127b9 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Sat, 28 Sep 2024 10:02:27 +1000
Subject: [PATCH] modules/nixos/monitoring: add grafana

This reverts commit b7d0c7a4c564815bd22237e91e799143678849e6.
---
 docs/monitoring.md | 1 +
 modules/nixos/monitoring/default.nix | 5 ++
 modules/nixos/monitoring/grafana.nix | 81 +++++++++++++++++++++++++++
 secrets/grafana-client-secret.age | Bin 0 -> 1059 bytes
 secrets/secrets.nix | 1 +
 5 files changed, 88 insertions(+)
 create mode 100644 modules/nixos/monitoring/grafana.nix
 create mode 100644 secrets/grafana-client-secret.age

diff --git a/docs/monitoring.md b/docs/monitoring.md
index b8eeaf1..4dc6d33 100644
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -1,2 +1,3 @@
 - [monitoring.nix-community.org/alertmanager](https://monitoring.nix-community.org/alertmanager)
+- [monitoring.nix-community.org/grafana](https://monitoring.nix-community.org/grafana)
 - [monitoring.nix-community.org/prometheus](https://monitoring.nix-community.org/prometheus)
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 18592b7..e7b1f60 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -3,6 +3,7 @@
 imports = [
 inputs.srvos.nixosModules.roles-prometheus
 ./alert-rules.nix
+ ./grafana.nix
 ./matrix-hook.nix
 ./prometheus.nix
 ./telegraf.nix
@@ -19,6 +20,10 @@
 basicAuthFile = config.age.secrets.nginx-basic-auth-file.path;
 proxyPass = "http://localhost:9093/";
 };
+ locations."/grafana/" = {
+ proxyPass = "http://localhost:3000/";
+ proxyWebsockets = true;
+ };
 locations."/prometheus/".proxyPass = "http://localhost:9090/";
 };
 }
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
new file mode 100644
index 0000000..575aadd
--- /dev/null
+++ b/modules/nixos/monitoring/grafana.nix
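Review bot: In `modules/nixos/monitoring/default.nix`, the new `locations."/grafana/"` block proxies every path under the prefix to `localhost:3000` with no `basicAuthFile`, so Grafana's own authentication is the only gate, and its `/metrics` endpoint, which Grafana serves without credentials unless `metrics.basic_auth_username` is set, appears to become reachable from the internet as `/grafana/metrics`. Telegraf in this same commit scrapes `http://localhost:3000/metrics` directly, so the proxied copy is not needed; `locations."/grafana/metrics".return = "403";` beside the new block would close it. `/prometheus/` is already proxied without authentication, so the added exposure is probably small, but a one-line comment stating that the Grafana location is deliberately public would record the decision. The enclosing virtual-host definition starts outside the hunk.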
@@ -0,0 +1,81 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
+{
+ systemd.services.grafana.after = [ "prometheus.service" ];
+
+ age.secrets.grafana-client-secret = {
+ file = "${inputs.self}/secrets/grafana-client-secret.age";
+ owner = "grafana";
+ };
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ analytics.reporting_enabled = false;
+ analytics.feedback_links_enabled = false;
+
+ "auth.anonymous".enabled = true;
+
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/github/
+ "auth.github" = {
+ enabled = true;
+ client_id = "ea6aa36488df8b2dede6";
+ client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+ auth_url = "https://github.com/login/oauth/authorize";
+ token_url = "https://github.com/login/oauth/access_token";
+ api_url = "https://api.github.com/user";
+ allow_sign_up = true;
+ auto_login = false;
+ allowed_organizations = [ "nix-community" ];
+ role_attribute_strict = true;
+ allow_assign_grafana_admin = true;
+ role_attribute_path = "contains(groups[*], '@nix-community/admin') && 'GrafanaAdmin' || 'Editor'";
+ };
+
+ server = {
+ root_url = "https://monitoring.nix-community.org/grafana/";
+ domain = "monitoring.nix-community.org";
+ enforce_domain = true;
+ enable_gzip = true;
+ };
+
+ database = {
+ type = "postgres";
+ name = "grafana";
+ host = "/run/postgresql";
+ user = "grafana";
+ };
+
+ security.disable_initial_admin_creation = true;
+ };
+
+ provision.datasources.settings.datasources = [
+ {
+ name = "prometheus";
+ type = "prometheus";
+ isDefault = true;
+ url = "http://localhost:9090";
+ }
+ ];
+ };
+
+ services.telegraf.extraConfig.inputs.prometheus.urls = [
+ "http://localhost:3000/metrics"
+ ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ ensureDatabases = [ "grafana" ];
+ ensureUsers = [
+ {
+ name = "grafana";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
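Review bot: The `role_attribute_path` fallback in `"auth.github"` grants `Editor` to every member of the `nix-community` organisation who signs in, and `allow_sign_up = true` creates those accounts on first login; if edit rights are not meant for the whole organisation, the fallback should be the least-privileged role, `role_attribute_path = "contains(groups[*], '@nix-community/admin') && 'GrafanaAdmin' || 'Viewer'";`. Because `allow_assign_grafana_admin = true` turns membership of the `@nix-community/admin` GitHub team into server-admin rights on this instance, a comment above the block naming that team as the trust boundary would help whoever later edits team membership. `root_url` is HTTPS, so `security.cookie_secure = true;` next to `security.disable_initial_admin_creation` would keep the session cookie off plain-HTTP requests. `"auth.anonymous".enabled = true` makes dashboards readable without login; a short comment saying that this is intentional would record the decision.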
diff --git a/secrets/grafana-client-secret.age b/secrets/grafana-client-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..b92b402b67c9175aa079800c5a3cf42174a65af4 GIT binary patch literal 1059 zcmZ9Lxvt}607j=BOH;B4QCOlv(H-w`(p==&PMmm;<M@vo<mHd|HSrP`Q%!}?ZK#nD z;srn&i2~8U0{|5b&p?Ba=(x>o?h_oH@6+)jcn8a%z17#GDqmM^g!Ke+caL5!@f{3F zh9Q<{0Vj`)&>hSMx-1BqKelq$>ab0MtTzp=S&lm$sJFJO&cXl>qKG)sG6Ob2P(_*_ zMtQs$`eJvE%yN-*0_p6ovNBngq)I0JL~Ab|$|;)V3<#te@5HFkRaU*Fs+Cd-@?dUT zee3%4u@{b^r4mMx)>ySW>p)_xx)|(!-pzZjFarWPY_yTmFSCN-vbnq$4|5}%V-4kQ z$e66QW_r-!wgC*FSgap{#ptV%t(qX+i=a=P9--lWFdeP%A3fGKpsKV3P%6N}++I&( z7mwD=a^>K}7cRfP5pto+o3!Bs!AX271rfs9PA&E^mNwN??3s05aNTk+FngD-Trm!- z8C_TwC$D6?Kkl+Uui@hHR!Gu`Z!ukV5ZIS^Q^@B-yEr5!D=Tf6I!rsnm4DPHgYJ0O zq&Mb7t%NM(;7S-=c1;DzRcS@JS6pP#NcJH3^g=oBtgQ|=@wk{rPisGYYbI>34d~ip zTE`!-l4^URC32z*=+iQpm1%WdA8K&evYmQ^M3#uiL>g5fG=4Cpn2c4%+EaXZ=7i&J zIc1|Tm^Ii)p?9ma>^V(!@G~EwYY$`jD(;Fv$=PCTNG`eI%a{*?wo7zMTLFnJayTzn z0RoFP=q}0?HyM_Sv@yi0kUpxClj(lgKqVF&ds9tiC9BVAOVS4khej8xV(^^b9!Ff1 zdeOylBjuZE&z}rJd(?#)Hy`oJ6>-GinF*`+J$q)vc554&-QP%1FTBg%1$f!DAx;-y zBi=IZIV~n~SaRst^BX|b9cWnUYHpM?Y$y`!>V{p>d9V3%AAltlbe>fqvx~%LH9rlG zo?rKIw8>f3Yq3R{UM&VILg1-U!JoNR`B=%_9lBlPkD0CMeNUuL)^?_NnECW}srtMp z_@%5nS-m`xUM`=IH=nQUuYW;5!Cr{SSMuL)K5Xwl`h$G&um8<E^XG@Zh=0CxKK|*? qSby)c?_R$D61{&{|8|2v_TPW{g*yEA`@^rV?jOE=t^V-A+y4O?xnQLL literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f175de6..d9abd93 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -18,6 +18,7 @@ let web02 = knownHosts.web02.publicKey; secrets = { + grafana-client-secret = [ web02 ]; hercules-binary-caches = [ build03 build04