diff --git a/hive.nix b/hive.nix
index 9104a66..a722560 100644
--- a/hive.nix
+++ b/hive.nix
@@ -170,7 +170,7 @@ in
 };
 
 martagon = { name, nodes, ... }: {
- deployment.tags = [ "prometheus" ];
+ deployment.tags = [ "victoria" "grafana" ];
 deployment.targetHost = "martagon.federez.net";
 federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
 networking.hostName = name;
@@ -182,6 +182,8 @@ in
 
 imports = [
 ./profiles/vm.nix
+ ./profiles/victoria.nix
+ ./profiles/grafana.nix
 ];
 };
 }
diff --git a/profiles/grafana.nix b/profiles/grafana.nix
new file mode 100644
index 0000000..6d6fb2c
--- /dev/null
+++ b/profiles/grafana.nix
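Review bot: The context of the first hive.nix hunk still carries `federez.monitoring.apiKey` as a string literal in the repository, while this same commit provisions Grafana's credentials through age. If that value authenticates martagon to the monitoring service rather than merely identifying it, it is readable by anyone with access to the repo and its history, and it also ends up in the world-readable Nix store. I would track it with a comment such as `# TODO: load from an age secret and rotate; literal is visible in git history`, assuming the `federez.monitoring` module can take a file path. The `martagon` attribute set begins above the hunk and continues below it.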
@@ -0,0 +1,73 @@
+{ pkgs, lib, config, ... }:
+let
+ cfg = config.services.grafana;
+ fileProvider = path: "$__file{${path}}";
+in {
+ age.secrets = {
+ grafana-admin-password = {
+ file = ../secrets/grafana-admin-password.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-secret-key = {
+ file = ../secrets/grafana-secret-key.age;
+ owner = "grafana";
+ group = "grafana";
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+
+ settings = {
+ server.protocol = "socket";
+ analytics = {
+ reporting_enabled = false;
+ feedback_links_enabled = false;
+ };
+ security = {
+ admin_user = "admin";
+ admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
+ secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
+ };
+ };
+
+ declarativePlugins = lib.mkIf config.services.victoriametrics.enable
+ [ pkgs.grafanaPlugins.victoriametrics-metrics-datasource ];
+
+ provision.datasources.settings.datasources = lib.mkIf
+ config.services.victoriametrics.enable
+ [
+ {
+ name = "VictoriaMetrics";
+ type = "victoriametrics-metrics-datasource";
+ uid = "vm";
+ url = "http://localhost:8248";
+ editable = false;
+ jsonData = {
+ isDefault = true;
+ };
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = {};
+ virtualHosts."grafana.federez.net" = {
+ root = cfg.settings.server.static_root_path;
+ enableACME = true;
+ forceSSL = true;
+ locations."/".tryFiles = "$uri @grafana";
+ locations."@grafana".proxyPass = "http://grafana";
+ };
+ };
+
+ users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
+}
diff --git a/profiles/victoria.nix b/profiles/victoria.nix
new file mode 100644
index 0000000..99b6d1b
--- /dev/null
+++ b/profiles/victoria.nix
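Review bot: The provisioned datasource in profiles/grafana.nix points at `http://localhost:8248`, but profiles/victoria.nix leaves `listenAddress` unset and VictoriaMetrics' usual default port is 8428, so this looks like a transposed digit that would leave Grafana with a dead default datasource. I would write `url = "http://localhost:8428";`, or derive the port from `config.services.victoriametrics.listenAddress`. `isDefault` is also nested under `jsonData`, whereas Grafana's provisioning format reads it as a top-level datasource field, so it should move up next to `editable`. Because this instance is published on 80/443 with a local `admin` login, it is also worth setting `server.domain` and `server.root_url` to the public name and `security.cookie_secure = true`, so the session cookie is never sent over plain HTTP.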
@@ -0,0 +1,16 @@
+{ ... }:
+let
+ mkScrapeConfig = name: targets: {
+ job_name = name;
+ static_configs = [ { targets = targets; } ];
+ };
+ nodesConfig = mkScrapeConfig "node"
+ (map (n: "${n}.federez.net:9100") [ "dodecagon" "saigon" ]);
+in {
+ services.victoriametrics = {
+ enable = true;
+ prometheusConfig = {
+ scrape_configs = [ nodesConfig ];
+ };
+ };
+}
diff --git a/secrets/grafana-admin-password.age b/secrets/grafana-admin-password.age
new file mode 100644
index 0000000..7711ca2
--- /dev/null
+++ b/secrets/grafana-admin-password.age
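Review bot: `services.victoriametrics` in profiles/victoria.nix is enabled without a `listenAddress`, so the module default applies, which appears to be `:8428` on every interface, and VictoriaMetrics' HTTP API has no authentication unless configured. Only the host firewall (profiles/grafana.nix opens just 80 and 443) then keeps the query and write endpoints off the network. Since Grafana reaches it over localhost, I would pin it with `listenAddress = "127.0.0.1:8428";`. The `node` job also scrapes `dodecagon` and `saigon` on port 9100 over plain HTTP by public name, so it is worth confirming that those exporters accept connections only from martagon.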
@@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-ed25519 Q17h8g u50zulUwOP0ilwOyPELNvzPflbjzqr96TOsUuINhvj0 +vacQsjf9fj422ZIMXyQEaRirrl0nxNTtzWNqBNa6upo +-> ssh-rsa krWCLQ +o9wtR/Q78YYzBP9aH2RJ8pWN5efiD0EdRai5wMIoSAhYHimQwUAc3NLfDoeX1bCY ++4qJTqzpRfkNUjb8DJkHnZfq8MtdUgUsI+8xeAb9ZgM7khvlWxnqtFZUkWkxXcpH +B3brHnnn2VjJI0AnQ26UOn4HHa4ONxGhWNLgalryj9/FN68A5B2URwLW6K3OFgQs +M3a0AN2yY1/B9fpomGN5qbGQDz2xgnvuWEQiSBrKOSozWeLAaZhRSw6gpjJG4oeQ +Qq7m8LEceCsGZkOf5YM6MNIx23Cx5iagqN3KTN16YpXijUCwV7/IH/38ZSS4x/fq +wCcStB4tDEGiuT1Vgf4dWw +-> ssh-ed25519 /vwQcQ wLeY8pwPUc73EVUIRC+qxQkgIt09JEeagNVq5Wq08gU +YcOPfmHp14hYo/DUGFxI05HfcPuABmTs7BrVbEtdgEY +-> ssh-ed25519 0R97PA Pedy/Tq+w7TA17pk9pXr2Mc0/wnsL0AhXsSezRx/fXU +BtK0XiUXe+fpwaMa39vbzbO4K5FJ1mJWQAY6Vxabu8o +-> ssh-rsa jL+Elw +Xe7pXZCG2T/Gq7f+mbl2j8P6rtLjgf9/yiO1TWT8HcqQivk/lZ9Uqb9Cs6wfGa49 +albzrBoq3Inmn3EE+jWvjPJdNmkZ8+d7M4It5y/MhW13KbaCYO07rcE1ydJmcsMW +xE/SyrEhayFtdapD0pIMpCKoOJMv5Ry1iID8NZINhfXk4m0XMGIJtn4bGQ8VrG/E +iP6rdNLGJ5LVQXIs9mr1w5Ek5n9UohrUR/aApQIn7kRABcDofsVPu2kLrz6BDM3j +rTUXU08q7ER1GZ+keVp6v9qsj8JXiuV7fOcyx11Ug3Ux5b1CnrfxRoLr3YFM9i5b +aHbEhZmhX7MQHsezIerngp2a841yeoPx6mk+eMtZzEc04sddLq7ACJkGIb9OQIP6 +LGL9MVA3y1cS+iqUxfX9ZeLAVzRIhvClQzhgYYC/RwVZw98Zt1vICc9N/7FlfvMe +ViGXOmyZKnBoOrX1+kj3g0457vh9KRO7qOSmhmvn9+K28opOSP/dTC5G66R8adYM +Jjc8uUlUkVQiPVfKX751Lyc1n58p47iSWVHr5CSl09eUgZ5FNss96gfnOUHsoTKl +GUkDbwVBu/eLpUJxYigpoNfFzb5g/ze0L4S7vrtktECbpedmZNrfAGy0Q6+95jWO +qXow/sZjaBzjY584tKU6KRs3tPnRe1sruc+k0FoRyME +-> ssh-ed25519 jIXfPA gMyVRufenOREAR1BFqXR+cq67vKBZs8kyDArSGcG+i0 +Wm95Keanjns8JDk4cZfY5+WJ7neHln2zKDYZaucsWmE +-> ssh-ed25519 um7xWA ZUkisqEY5fcan5E8JddB+o4PfltL7KKraK4sCe0Fkwk +pXn5UmqTNyTZqXN8KU5Igc5Tel+T/qcKr1vykwwu4gg +--- yhepD0IijU/0ee0DFQoOB4PrVA3EztUMMpvwRZJ7VUo +%΄k4]CZ#<bĪb߸lV^= ";Ÿ3k_1\ \ No newline at end of file diff --git a/secrets/grafana-secret-key.age b/secrets/grafana-secret-key.age new file mode 100644 index 0000000..4e70693 --- /dev/null +++ b/secrets/grafana-secret-key.age 
@@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-ed25519 Q17h8g 4KkjTXmVQx1SRFeyOQgSoxzk2ICYe81gogzGRiF+hAI +1t+6FPg+wo01MMgsIHEn+N8U6RbEbgJmLRr/zzunkR0 +-> ssh-rsa krWCLQ +NZsA2rCz6TJ1yuedjvP/7LvU9CCVBDXEACH1gIDwjWEE5BaEL3/kBdw/rEheyJ/R +MLuZAJBfj3RnALqQ5b8eqO7RBpvLG4NW3zgLtSDZIqVEIZhwNT9XlSyEiziF4QJ9 +chs983W9TKgdsxcJggG+9/aRultOSMMRbg2fX3Zam690Bbe0n93gM+W+GVZIo6/k +mAiFshp6ve7oi1KRFdSgvjjCFVwdwsk2lTHixYfNVYAbntG0DEYFrrOctgP6Lynq +1D5po5z2nO2eKpHKb/4DKk8jrVYur/+DFQ3oYzApA6rZyTpCYsADVMLgvAgi7OUz ++6ziNJMew5Yn6cDlc2gOYA +-> ssh-ed25519 /vwQcQ xRm4zVTOq1/qANJr2w31y2IMV0fNUkj3AW15QaiR0Ds +xAjzBi3GHnO2HPyzL5+rxkXKtwVVWxjAeA9Whj0zdC4 +-> ssh-ed25519 0R97PA m/xNOgZXzImBv+D/mZ3tsNMkiCvtDev2gs7A7qZiUD0 +GjA51qg8MLiqDhFKr5j/ZBlqhk9qywo6eR+utAMMUBo +-> ssh-rsa jL+Elw +o0mlesFQhVXv93nQWV1o2fFEw3kEtCyfQ9G7pmSiuofP/WzS4Pmen6ppfQHrO4Ev +1NDcs3We+iuW5eQ6JZws2WkyG2TEC4t97ldWMo9unpva993oC+hIXNbwuxX5/k3h +w14/oLDD4O6FWqOl7senKZK0k3Pt7edYUIac3y00/FF7ZzocGeR32s4Dand1ZlrG +eP20pemv3qwAy2MNkP1d0MTXc5uAwbkIfwpwkGbMoZTFCWQql8R/KEO3Z+uzLwWX +ofZzps2PUf/iqS/AtpcE/pIvoVd+jzvVfnuwvDnrMEUAJXCGr438gNaY7nNCDh49 +NzopcQsxxEPFrsawh2L/FQwnM33yKAQiS/94wDMwfLBYOm9Ap0rT56qxbdHW5sIK +ycYsoXQ85+N5FZzY+hUztwr61zamWxwbnYTTgDo1sML1RoFioo0zMDUyz/bL9D76 ++VoJJ9ic+U1npHDk44DfQrjwqoKqrudF0wioNyzLgUD1B/ma94Z91OXbCpxVrycp +szSY2tNsXTAWDLSCOBukvZMtUWmTLry4ATUSHCazXUrNlbhTVwfh2+8NWK/oEMdA +Z6dmuN3xil4Dt2gau5KQdis9HTuLs5Dm3RsiFBJlQQp01Dq8Q96fIZQJYC+GVI6Z +6YHnmo+wnOc3+nV+6HCZy0Fwhcwi0wVsKIyAE0moFuQ +-> ssh-ed25519 jIXfPA IIVFhPn9FYuwd7UfRUYw18JxmJBzyYFT3LBHx1q7cmg +ZJJj/Ni1d524OCPR0hlU9z65OC/vxeFTZiIN4xS/sE0 +-> ssh-ed25519 um7xWA Op/qg2cGiELroJCu9amY3TW1YQYMrn4oo/jOgQl0/nk +YykRa+EM1RWYCOAB7NsRm7pIuL9zLnOHMjdMN38eZBw +--- xAhunKSg7LVgqH5KsQwtXCo5c8Wxkbq61vF5b8rbxEg ++ӏ4;Q5;Q|P,$D ̗LhQ,c \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index bc589fc..c856408 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -22,6 +22,7 @@ let
 ldap-bind-admins = active-admins;
 discourse-admins = active-admins;
 indico-admins = active-admins;
+ grafana-admins = active-admins;
 servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
 in
 {
@@ -35,4 +36,6 @@ in
 "indico-ldap-bind-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
 "indico-secret-key.age".publicKeys = [ perdrigon ] ++ indico-admins;
 "indico-mail-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
+ "grafana-admin-password.age".publicKeys = [ martagon ] ++ grafana-admins;
+ "grafana-secret-key.age".publicKeys = [ martagon ] ++ grafana-admins;
 }