WIP grafana

hosts.nix

@@ -37,6 +37,9 @@ in
       hostNixpkgs = nixpkgs-unstable;
       site = "vs";
     };
+    metrics = {
+      site = "vs";
+    };
     netbox = {
       site = "vs";
     };

hosts/metrics/configuration.nix

@@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "metrics";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}

hosts/metrics/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./grafana.nix
+    ./prometheus.nix
+    ./nginx.nix
+  ];
+}

hosts/metrics/grafana.nix

@@ -0,0 +1,28 @@
+{ ... }:
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        domain = "grafana2.grzb.de";
+        root_url = "https://grafana2.grzb.de";
+      };
+      security = {
+        cookie_secure = true;
+        cookie_samesite = "strict";
+        admin_user = "yuri";
+        admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}";
+        admin_email = "yuri@nekover.se";
+      };
+      smtp = {
+        enabled = true;
+        host = "mail.grzb.de:465";
+        user = "grafana";
+        password = "$__file{/secrets/metrics-grafana-smtp-password.secret}";
+        from_address = "grafana@robot.grzb.de";
+        from_name = "Grafana";
+        startTLS_policy = "NoStartTLS";
+      };
+    };
+  };
+}

hosts/metrics/nginx.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "grafana2.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
+        };
+      };
+    };
+  };
+}

hosts/metrics/prometheus.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.prometheus = {
+    enable = true;
+  };
+}

hosts/metrics/secrets.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  deployment.keys."metrics-grafana-admin-password.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ];
+    destDir = "/secrets";
+    user = "grafana";
+    group = "grafana";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."metrics-grafana-smtp-password.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ];
+    destDir = "/secrets";
+    user = "grafana";
+    group = "grafana";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}

hosts/web-public-2/virtualHosts/acme-challenge.nix

@@ -18,4 +18,13 @@
       proxyPass = "http://netbox.vs.grzb.de:80";
     };
   };
+  services.nginx.virtualHosts."grafana2.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://metrics.vs.grzb.de:80";
+    };
+  };
 }