WIP: add grafana & victoriametrics

2025-03-27 18:35:57 +01:00 · 2025-03-27 18:35:57 +01:00 · a184d18f4b
commit a184d18f4b
parent a8e3c97ef4
6 changed files with 159 additions and 1 deletions
--- a/hive.nix
+++ b/hive.nix
@ -170,7 +170,7 @@ in
  };
  martagon = { name, nodes, ... }: {
-    deployment.tags = [ "prometheus" ];
+    deployment.tags = [ "victoria" "grafana" ];
    deployment.targetHost = "martagon.federez.net";
    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
    networking.hostName = name;
@ -182,6 +182,8 @@ in
    imports = [
      ./profiles/vm.nix
      ./profiles/victoria.nix
      ./profiles/grafana.nix
    ];
  };
 }
--- a/profiles/grafana.nix
+++ b/profiles/grafana.nix
@ -0,0 +1,73 @@
 { pkgs, lib, config, ... }: 
 let
  cfg = config.services.grafana;
  fileProvider = path: "$__file{${path}}";
 in {
  age.secrets = {
    grafana-admin-password = {
      file = ../secrets/grafana-admin-password.age;
      owner = "grafana";
      group = "grafana";
    };
    grafana-secret-key = {
      file = ../secrets/grafana-secret-key.age;
      owner = "grafana";
      group = "grafana";
    };
  };
  services.grafana = {
    enable = true;
    settings = {
      server.protocol = "socket";
      analytics = {
        reporting_enabled = false;
        feedback_links_enabled = false;
      };
      security = {
        admin_user = "admin";
        admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
        secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
      };
    };
    declarativePlugins = lib.mkIf config.services.victoriametrics.enable
      [ pkgs.grafanaPlugins.victoriametrics-metrics-datasource ];
    provision.datasources.settings.datasources = lib.mkIf
      config.services.victoriametrics.enable
      [
        {
          name = "VictoriaMetrics";
          type = "victoriametrics-metrics-datasource";
          uid = "vm";
          url = "http://localhost:8248";
          editable = false;
          jsonData = {
            isDefault = true;
          };
        }
      ];
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = {};
    virtualHosts."grafana.federez.net" = {
      root = cfg.settings.server.static_root_path;
      enableACME = true;
      forceSSL = true;
      locations."/".tryFiles = "$uri @grafana";
      locations."@grafana".proxyPass = "http://grafana";
    };
  };
  users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
 }
--- a/profiles/victoria.nix
+++ b/profiles/victoria.nix
@ -0,0 +1,16 @@
 { ... }: 
 let
  mkScrapeConfig = name: targets: {
    job_name = name;
    static_configs = [ { targets = targets; } ];
  };
  nodesConfig = mkScrapeConfig "node"
    (map (n: "${n}.federez.net:9100") [ "dodecagon" "saigon" ]);
 in {
  services.victoriametrics = {
    enable = true;
    prometheusConfig = {
      scrape_configs = [ nodesConfig ];
    };
  };
 }
--- a/secrets/grafana-admin-password.age
+++ b/secrets/grafana-admin-password.age
@ -0,0 +1,32 @@
 age-encryption.org/v1
 -> ssh-ed25519 Q17h8g u50zulUwOP0ilwOyPELNvzPflbjzqr96TOsUuINhvj0
 vacQsjf9fj422ZIMXyQEaRirrl0nxNTtzWNqBNa6upo
 -> ssh-rsa krWCLQ
 o9wtR/Q78YYzBP9aH2RJ8pWN5efiD0EdRai5wMIoSAhYHimQwUAc3NLfDoeX1bCY
 +4qJTqzpRfkNUjb8DJkHnZfq8MtdUgUsI+8xeAb9ZgM7khvlWxnqtFZUkWkxXcpH
 B3brHnnn2VjJI0AnQ26UOn4HHa4ONxGhWNLgalryj9/FN68A5B2URwLW6K3OFgQs
 M3a0AN2yY1/B9fpomGN5qbGQDz2xgnvuWEQiSBrKOSozWeLAaZhRSw6gpjJG4oeQ
 Qq7m8LEceCsGZkOf5YM6MNIx23Cx5iagqN3KTN16YpXijUCwV7/IH/38ZSS4x/fq
 wCcStB4tDEGiuT1Vgf4dWw
 -> ssh-ed25519 /vwQcQ wLeY8pwPUc73EVUIRC+qxQkgIt09JEeagNVq5Wq08gU
 YcOPfmHp14hYo/DUGFxI05HfcPuABmTs7BrVbEtdgEY
 -> ssh-ed25519 0R97PA Pedy/Tq+w7TA17pk9pXr2Mc0/wnsL0AhXsSezRx/fXU
 BtK0XiUXe+fpwaMa39vbzbO4K5FJ1mJWQAY6Vxabu8o
 -> ssh-rsa jL+Elw
 Xe7pXZCG2T/Gq7f+mbl2j8P6rtLjgf9/yiO1TWT8HcqQivk/lZ9Uqb9Cs6wfGa49
 albzrBoq3Inmn3EE+jWvjPJdNmkZ8+d7M4It5y/MhW13KbaCYO07rcE1ydJmcsMW
 xE/SyrEhayFtdapD0pIMpCKoOJMv5Ry1iID8NZINhfXk4m0XMGIJtn4bGQ8VrG/E
 iP6rdNLGJ5LVQXIs9mr1w5Ek5n9UohrUR/aApQIn7kRABcDofsVPu2kLrz6BDM3j
 rTUXU08q7ER1GZ+keVp6v9qsj8JXiuV7fOcyx11Ug3Ux5b1CnrfxRoLr3YFM9i5b
 aHbEhZmhX7MQHsezIerngp2a841yeoPx6mk+eMtZzEc04sddLq7ACJkGIb9OQIP6
 LGL9MVA3y1cS+iqUxfX9ZeLAVzRIhvClQzhgYYC/RwVZw98Zt1vICc9N/7FlfvMe
 ViGXOmyZKnBoOrX1+kj3g0457vh9KRO7qOSmhmvn9+K28opOSP/dTC5G66R8adYM
 Jjc8uUlUkVQiPVfKX751Lyc1n58p47iSWVHr5CSl09eUgZ5FNss96gfnOUHsoTKl
 GUkDbwVBu/eLpUJxYigpoNfFzb5g/ze0L4S7vrtktECbpedmZNrfAGy0Q6+95jWO
 qXow/sZjaBzjY584tKU6KRs3tPnRe1sruc+k0FoRyME
 -> ssh-ed25519 jIXfPA gMyVRufenOREAR1BFqXR+cq67vKBZs8kyDArSGcG+i0
 Wm95Keanjns8JDk4cZfY5+WJ7neHln2zKDYZaucsWmE
 -> ssh-ed25519 um7xWA ZUkisqEY5fcan5E8JddB+o4PfltL7KKraK4sCe0Fkwk
 pXn5UmqTNyTZqXN8KU5Igc5Tel+T/qcKr1vykwwu4gg
 --- yhepD0IijU/0ee0DFQoOB4PrVA3EztUMMpvwRZJ7VUo
 æ<EFBFBD>ð»Ý%ôÎ„ék4]ã˜CZÓÔÛä#<ßbÃÄª„bß¸lV©Š^=³È	ŠÖ";ÂŸ«èí3k_¢×û1û\
--- a/secrets/grafana-secret-key.age
+++ b/secrets/grafana-secret-key.age
@ -0,0 +1,32 @@
 age-encryption.org/v1
 -> ssh-ed25519 Q17h8g 4KkjTXmVQx1SRFeyOQgSoxzk2ICYe81gogzGRiF+hAI
 1t+6FPg+wo01MMgsIHEn+N8U6RbEbgJmLRr/zzunkR0
 -> ssh-rsa krWCLQ
 NZsA2rCz6TJ1yuedjvP/7LvU9CCVBDXEACH1gIDwjWEE5BaEL3/kBdw/rEheyJ/R
 MLuZAJBfj3RnALqQ5b8eqO7RBpvLG4NW3zgLtSDZIqVEIZhwNT9XlSyEiziF4QJ9
 chs983W9TKgdsxcJggG+9/aRultOSMMRbg2fX3Zam690Bbe0n93gM+W+GVZIo6/k
 mAiFshp6ve7oi1KRFdSgvjjCFVwdwsk2lTHixYfNVYAbntG0DEYFrrOctgP6Lynq
 1D5po5z2nO2eKpHKb/4DKk8jrVYur/+DFQ3oYzApA6rZyTpCYsADVMLgvAgi7OUz
 +6ziNJMew5Yn6cDlc2gOYA
 -> ssh-ed25519 /vwQcQ xRm4zVTOq1/qANJr2w31y2IMV0fNUkj3AW15QaiR0Ds
 xAjzBi3GHnO2HPyzL5+rxkXKtwVVWxjAeA9Whj0zdC4
 -> ssh-ed25519 0R97PA m/xNOgZXzImBv+D/mZ3tsNMkiCvtDev2gs7A7qZiUD0
 GjA51qg8MLiqDhFKr5j/ZBlqhk9qywo6eR+utAMMUBo
 -> ssh-rsa jL+Elw
 o0mlesFQhVXv93nQWV1o2fFEw3kEtCyfQ9G7pmSiuofP/WzS4Pmen6ppfQHrO4Ev
 1NDcs3We+iuW5eQ6JZws2WkyG2TEC4t97ldWMo9unpva993oC+hIXNbwuxX5/k3h
 w14/oLDD4O6FWqOl7senKZK0k3Pt7edYUIac3y00/FF7ZzocGeR32s4Dand1ZlrG
 eP20pemv3qwAy2MNkP1d0MTXc5uAwbkIfwpwkGbMoZTFCWQql8R/KEO3Z+uzLwWX
 ofZzps2PUf/iqS/AtpcE/pIvoVd+jzvVfnuwvDnrMEUAJXCGr438gNaY7nNCDh49
 NzopcQsxxEPFrsawh2L/FQwnM33yKAQiS/94wDMwfLBYOm9Ap0rT56qxbdHW5sIK
 ycYsoXQ85+N5FZzY+hUztwr61zamWxwbnYTTgDo1sML1RoFioo0zMDUyz/bL9D76
 +VoJJ9ic+U1npHDk44DfQrjwqoKqrudF0wioNyzLgUD1B/ma94Z91OXbCpxVrycp
 szSY2tNsXTAWDLSCOBukvZMtUWmTLry4ATUSHCazXUrNlbhTVwfh2+8NWK/oEMdA
 Z6dmuN3xil4Dt2gau5KQdis9HTuLs5Dm3RsiFBJlQQp01Dq8Q96fIZQJYC+GVI6Z
 6YHnmo+wnOc3+nV+6HCZy0Fwhcwi0wVsKIyAE0moFuQ
 -> ssh-ed25519 jIXfPA IIVFhPn9FYuwd7UfRUYw18JxmJBzyYFT3LBHx1q7cmg
 ZJJj/Ni1d524OCPR0hlU9z65OC/vxeFTZiIN4xS/sE0
 -> ssh-ed25519 um7xWA Op/qg2cGiELroJCu9amY3TW1YQYMrn4oo/jOgQl0/nk
 YykRa+EM1RWYCOAB7NsRm7pIuL9zLnOHMjdMN38eZBw
 --- xAhunKSg7LVgqH5KsQwtXCo5c8Wxkbq61vF5b8rbxEg
 ¼+è¼Ó<C2BC>«<EFBFBD>¡˜âáÑ4;Q³5±Ä·;ïQ|Pû—<C3BB>,Áö™$D ¿Ì—„·Lúî<>Š´ñhÙQ,Äùc
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -22,6 +22,7 @@ let
  ldap-bind-admins = active-admins;
  discourse-admins = active-admins;
  indico-admins = active-admins;
  grafana-admins = active-admins;
  servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
 in
  {
@ -35,4 +36,6 @@ in
    "indico-ldap-bind-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
    "indico-secret-key.age".publicKeys = [ perdrigon ] ++ indico-admins;
    "indico-mail-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
    "grafana-admin-password.age".publicKeys = [ martagon ] ++ grafana-admins;
    "grafana-secret-key.age".publicKeys = [ martagon ] ++ grafana-admins;
  }