diff --git a/hosts.nix b/hosts.nix
index 8a451d1..cb5887a 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -37,6 +37,9 @@ in
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 };
+ metrics = {
+ site = "vs";
+ };
 netbox = {
 site = "vs";
 };
diff --git a/hosts/metrics/configuration.nix b/hosts/metrics/configuration.nix
new file mode 100644
index 0000000..c051c2d
--- /dev/null
+++ b/hosts/metrics/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "metrics";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/metrics/default.nix b/hosts/metrics/default.nix
new file mode 100644
index 0000000..ef5c25c
--- /dev/null
+++ b/hosts/metrics/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./grafana.nix
+ ./prometheus.nix
+ ./nginx.nix
+ ];
+}
diff --git a/hosts/metrics/grafana.nix b/hosts/metrics/grafana.nix
new file mode 100644
index 0000000..c3ca63f
--- /dev/null
+++ b/hosts/metrics/grafana.nix
@@ -0,0 +1,28 @@
+{ ... }:
+{
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ domain = "grafana2.grzb.de";
+ root_url = "https://grafana2.grzb.de";
+ };
+ security = {
+ cookie_secure = true;
+ cookie_samesite = "strict";
+ admin_user = "yuri";
+ admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}";
+ admin_email = "yuri@nekover.se";
+ };
+ smtp = {
+ enabled = true;
+ host = "mail.grzb.de:465";
+ user = "grafana";
+ password = "$__file{/secrets/metrics-grafana-smtp-password.secret}";
+ from_address = "grafana@robot.grzb.de";
+ from_name = "Grafana";
+ startTLS_policy = "NoStartTLS";
+ };
+ };
+ };
+}
diff --git a/hosts/metrics/nginx.nix b/hosts/metrics/nginx.nix
new file mode 100644
index 0000000..660d06c
--- /dev/null
+++ b/hosts/metrics/nginx.nix
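Review bot: The imports list in hosts/metrics/default.nix does not include `./secrets.nix`, although grafana.nix reads `$__file{/secrets/metrics-grafana-admin-password.secret}` and `$__file{/secrets/metrics-grafana-smtp-password.secret}`, which this commit provisions only through the `deployment.keys` entries in secrets.nix. Unless the deployment tooling picks up secrets.nix by convention (not visible in this diff), Grafana will start without the password files and the admin and SMTP credentials will be unset. Add `./secrets.nix` to the list, or leave a comment next to `imports` saying where the keys are wired in instead.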
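Review bot: The smtp block in grafana.nix combines `host = "mail.grzb.de:465"` with `startTLS_policy = "NoStartTLS"`, which only works if port 465 on that server speaks implicit TLS; a reader may otherwise mistake NoStartTLS for a plaintext connection. A one-line comment such as `# 465 is implicit TLS, so STARTTLS is disabled rather than plaintext` above `startTLS_policy` would make the intent explicit. The two `$__file{...}` references also couple this file to the key names chosen in secrets.nix; a comment next to `admin_password` naming that dependency would help whoever renames a key later.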
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "grafana2.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/metrics/prometheus.nix b/hosts/metrics/prometheus.nix
new file mode 100644
index 0000000..5c0d6a5
--- /dev/null
+++ b/hosts/metrics/prometheus.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.prometheus = {
+ enable = true;
+ };
+}
diff --git a/hosts/metrics/secrets.nix b/hosts/metrics/secrets.nix
new file mode 100644
index 0000000..43b06b3
--- /dev/null
+++ b/hosts/metrics/secrets.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."metrics-grafana-admin-password.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."metrics-grafana-smtp-password.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 9dc3b4b..2edecfd 100644
--- a/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix
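Review bot: The `locations."/"` block in nginx.nix proxies to Grafana without forwarding any client headers, so unless `recommendedProxySettings` is enabled elsewhere, Grafana will see the proxy's own address as the source of every login and API call, which blunts its access logs for incident review. Set `services.nginx.recommendedProxySettings = true;` (or an explicit `proxy_set_header X-Forwarded-For`) and add `proxyWebsockets = true;` next to `proxyPass` so Grafana Live connections survive the proxy. The explicit `listen` list binds only `0.0.0.0`; if the host has an IPv6 address, a matching `[::]` entry is needed or the vhost is unreachable over IPv6.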
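Review bot: prometheus.nix enables Prometheus with only `enable = true;`, so it keeps the module's default listen address, which in NixOS defaults to all interfaces on port 9090 with no authentication; the host firewall in configuration.nix (80 and 443 only) is then the only thing keeping the metrics API private. Since Grafana runs on the same host, binding it locally with `services.prometheus.listenAddress = "127.0.0.1";` removes that reliance on the firewall. Retention and scrape targets are also left at defaults; if that is intentional for a first deployment, a short comment saying so would save the next reviewer the question.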
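Review bot: The two `deployment.keys` entries in secrets.nix repeat the same `env ... pass` command prefix and the same destDir/user/group/permissions/uploadAt block, so the next key, or a change to the password-store location, has to be edited in two places and the copies can drift. A small `let`-bound helper taking the pass entry name keeps the shared settings in one spot; behaviour is unchanged, only the two pass entry names differ.
```nix
{ ... }:
let
  # One Grafana-owned secret pulled from the infra password store.
  passKey = entry: {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" entry ];
    destDir = "/secrets";
    user = "grafana";
    group = "grafana";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys."metrics-grafana-admin-password.secret" = passKey "metrics/grafana/admin-password";
  deployment.keys."metrics-grafana-smtp-password.secret" = passKey "metrics/grafana/smtp-password";
}
```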
@@ -18,4 +18,13 @@
 proxyPass = "http://netbox.vs.grzb.de:80";
 };
 };
+ services.nginx.virtualHosts."grafana2.grzb.de" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."^~ /.well-known/acme-challenge/" = {
+ proxyPass = "http://metrics.vs.grzb.de:80";
+ };
+ };
 }
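Review bot: The new `grafana2.grzb.de` vhost on web-public-2 proxies to `metrics.vs.grzb.de:80` by hostname, and nginx resolves a static `proxy_pass` hostname when it loads its configuration; if that name does not resolve yet when this is deployed, nginx on web-public-2 is likely to fail to start and take the existing vhosts (including the netbox forward just above) down with it, so the DNS record should exist before this change goes out. Requests for any path other than `/.well-known/acme-challenge/` on port 80 fall through to the vhost's default handling rather than being forwarded, which matches the existing pattern in this file but is worth a one-line comment on the `locations` entry. The enclosing attribute set starts before this hunk.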