WIP: add grafana & victoriametrics

2025-03-27 18:35:57 +01:00 · 2025-03-27 18:35:57 +01:00 · a184d18f4b
commit a184d18f4b
parent a8e3c97ef4
6 changed files with 159 additions and 1 deletions
--- a/hive.nix
+++ b/hive.nix
@ -170,7 +170,7 @@ in
  };

  martagon = { name, nodes, ... }: {
-    deployment.tags = [ "prometheus" ];
+    deployment.tags = [ "victoria" "grafana" ];
    deployment.targetHost = "martagon.federez.net";
    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
    networking.hostName = name;
@ -182,6 +182,8 @@ in

    imports = [
      ./profiles/vm.nix
+      ./profiles/victoria.nix
+      ./profiles/grafana.nix
    ];
  };
 }
--- a/profiles/grafana.nix
+++ b/profiles/grafana.nix
@ -0,0 +1,73 @@
+{ pkgs, lib, config, ... }: 
+let
+  cfg = config.services.grafana;
+  fileProvider = path: "$__file{${path}}";
+in {
+  age.secrets = {
+    grafana-admin-password = {
+      file = ../secrets/grafana-admin-password.age;
+      owner = "grafana";
+      group = "grafana";
+    };
+    grafana-secret-key = {
+      file = ../secrets/grafana-secret-key.age;
+      owner = "grafana";
+      group = "grafana";
+    };
+  };
+
+  services.grafana = {
+    enable = true;
+
+    settings = {
+      server.protocol = "socket";
+      analytics = {
+        reporting_enabled = false;
+        feedback_links_enabled = false;
+      };
+      security = {
+        admin_user = "admin";
+        admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
+        secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
+      };
+    };
+
+    declarativePlugins = lib.mkIf config.services.victoriametrics.enable
+      [ pkgs.grafanaPlugins.victoriametrics-metrics-datasource ];
+
+    provision.datasources.settings.datasources = lib.mkIf
+      config.services.victoriametrics.enable
+      [
+        {
+          name = "VictoriaMetrics";
+          type = "victoriametrics-metrics-datasource";
+          uid = "vm";
+          url = "http://localhost:8248";
+          editable = false;
+          jsonData = {
+            isDefault = true;
+          };
+        }
+      ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = {};
+    virtualHosts."grafana.federez.net" = {
+      root = cfg.settings.server.static_root_path;
+      enableACME = true;
+      forceSSL = true;
+      locations."/".tryFiles = "$uri @grafana";
+      locations."@grafana".proxyPass = "http://grafana";
+    };
+  };
+
+  users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
+}
--- a/profiles/victoria.nix
+++ b/profiles/victoria.nix
@ -0,0 +1,16 @@
+{ ... }: 
+let
+  mkScrapeConfig = name: targets: {
+    job_name = name;
+    static_configs = [ { targets = targets; } ];
+  };
+  nodesConfig = mkScrapeConfig "node"
+    (map (n: "${n}.federez.net:9100") [ "dodecagon" "saigon" ]);
+in {
+  services.victoriametrics = {
+    enable = true;
+    prometheusConfig = {
+      scrape_configs = [ nodesConfig ];
+    };
+  };
+}
--- a/secrets/grafana-admin-password.age
+++ b/secrets/grafana-admin-password.age
@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 Q17h8g u50zulUwOP0ilwOyPELNvzPflbjzqr96TOsUuINhvj0
+vacQsjf9fj422ZIMXyQEaRirrl0nxNTtzWNqBNa6upo
+-> ssh-rsa krWCLQ
+o9wtR/Q78YYzBP9aH2RJ8pWN5efiD0EdRai5wMIoSAhYHimQwUAc3NLfDoeX1bCY
+4qJTqzpRfkNUjb8DJkHnZfq8MtdUgUsI+8xeAb9ZgM7khvlWxnqtFZUkWkxXcpH
+B3brHnnn2VjJI0AnQ26UOn4HHa4ONxGhWNLgalryj9/FN68A5B2URwLW6K3OFgQs
+M3a0AN2yY1/B9fpomGN5qbGQDz2xgnvuWEQiSBrKOSozWeLAaZhRSw6gpjJG4oeQ
+Qq7m8LEceCsGZkOf5YM6MNIx23Cx5iagqN3KTN16YpXijUCwV7/IH/38ZSS4x/fq
+wCcStB4tDEGiuT1Vgf4dWw
+-> ssh-ed25519 /vwQcQ wLeY8pwPUc73EVUIRC+qxQkgIt09JEeagNVq5Wq08gU
+YcOPfmHp14hYo/DUGFxI05HfcPuABmTs7BrVbEtdgEY
+-> ssh-ed25519 0R97PA Pedy/Tq+w7TA17pk9pXr2Mc0/wnsL0AhXsSezRx/fXU
+BtK0XiUXe+fpwaMa39vbzbO4K5FJ1mJWQAY6Vxabu8o
+-> ssh-rsa jL+Elw
+Xe7pXZCG2T/Gq7f+mbl2j8P6rtLjgf9/yiO1TWT8HcqQivk/lZ9Uqb9Cs6wfGa49
+albzrBoq3Inmn3EE+jWvjPJdNmkZ8+d7M4It5y/MhW13KbaCYO07rcE1ydJmcsMW
+xE/SyrEhayFtdapD0pIMpCKoOJMv5Ry1iID8NZINhfXk4m0XMGIJtn4bGQ8VrG/E
+iP6rdNLGJ5LVQXIs9mr1w5Ek5n9UohrUR/aApQIn7kRABcDofsVPu2kLrz6BDM3j
+rTUXU08q7ER1GZ+keVp6v9qsj8JXiuV7fOcyx11Ug3Ux5b1CnrfxRoLr3YFM9i5b
+aHbEhZmhX7MQHsezIerngp2a841yeoPx6mk+eMtZzEc04sddLq7ACJkGIb9OQIP6
+LGL9MVA3y1cS+iqUxfX9ZeLAVzRIhvClQzhgYYC/RwVZw98Zt1vICc9N/7FlfvMe
+ViGXOmyZKnBoOrX1+kj3g0457vh9KRO7qOSmhmvn9+K28opOSP/dTC5G66R8adYM
+Jjc8uUlUkVQiPVfKX751Lyc1n58p47iSWVHr5CSl09eUgZ5FNss96gfnOUHsoTKl
+GUkDbwVBu/eLpUJxYigpoNfFzb5g/ze0L4S7vrtktECbpedmZNrfAGy0Q6+95jWO
+qXow/sZjaBzjY584tKU6KRs3tPnRe1sruc+k0FoRyME
+-> ssh-ed25519 jIXfPA gMyVRufenOREAR1BFqXR+cq67vKBZs8kyDArSGcG+i0
+Wm95Keanjns8JDk4cZfY5+WJ7neHln2zKDYZaucsWmE
+-> ssh-ed25519 um7xWA ZUkisqEY5fcan5E8JddB+o4PfltL7KKraK4sCe0Fkwk
+pXn5UmqTNyTZqXN8KU5Igc5Tel+T/qcKr1vykwwu4gg
+--- yhepD0IijU/0ee0DFQoOB4PrVA3EztUMMpvwRZJ7VUo
+æ<EFBFBD>ð»Ý%ôÎ„ék4]ã˜CZÓÔÛä#<ßbÃÄª„bß¸lV©Š^=³È	ŠÖ";ÂŸ«èí3k_¢×û1û\
--- a/secrets/grafana-secret-key.age
+++ b/secrets/grafana-secret-key.age
@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 Q17h8g 4KkjTXmVQx1SRFeyOQgSoxzk2ICYe81gogzGRiF+hAI
+1t+6FPg+wo01MMgsIHEn+N8U6RbEbgJmLRr/zzunkR0
+-> ssh-rsa krWCLQ
+NZsA2rCz6TJ1yuedjvP/7LvU9CCVBDXEACH1gIDwjWEE5BaEL3/kBdw/rEheyJ/R
+MLuZAJBfj3RnALqQ5b8eqO7RBpvLG4NW3zgLtSDZIqVEIZhwNT9XlSyEiziF4QJ9
+chs983W9TKgdsxcJggG+9/aRultOSMMRbg2fX3Zam690Bbe0n93gM+W+GVZIo6/k
+mAiFshp6ve7oi1KRFdSgvjjCFVwdwsk2lTHixYfNVYAbntG0DEYFrrOctgP6Lynq
+1D5po5z2nO2eKpHKb/4DKk8jrVYur/+DFQ3oYzApA6rZyTpCYsADVMLgvAgi7OUz
+6ziNJMew5Yn6cDlc2gOYA
+-> ssh-ed25519 /vwQcQ xRm4zVTOq1/qANJr2w31y2IMV0fNUkj3AW15QaiR0Ds
+xAjzBi3GHnO2HPyzL5+rxkXKtwVVWxjAeA9Whj0zdC4
+-> ssh-ed25519 0R97PA m/xNOgZXzImBv+D/mZ3tsNMkiCvtDev2gs7A7qZiUD0
+GjA51qg8MLiqDhFKr5j/ZBlqhk9qywo6eR+utAMMUBo
+-> ssh-rsa jL+Elw
+o0mlesFQhVXv93nQWV1o2fFEw3kEtCyfQ9G7pmSiuofP/WzS4Pmen6ppfQHrO4Ev
+1NDcs3We+iuW5eQ6JZws2WkyG2TEC4t97ldWMo9unpva993oC+hIXNbwuxX5/k3h
+w14/oLDD4O6FWqOl7senKZK0k3Pt7edYUIac3y00/FF7ZzocGeR32s4Dand1ZlrG
+eP20pemv3qwAy2MNkP1d0MTXc5uAwbkIfwpwkGbMoZTFCWQql8R/KEO3Z+uzLwWX
+ofZzps2PUf/iqS/AtpcE/pIvoVd+jzvVfnuwvDnrMEUAJXCGr438gNaY7nNCDh49
+NzopcQsxxEPFrsawh2L/FQwnM33yKAQiS/94wDMwfLBYOm9Ap0rT56qxbdHW5sIK
+ycYsoXQ85+N5FZzY+hUztwr61zamWxwbnYTTgDo1sML1RoFioo0zMDUyz/bL9D76
+VoJJ9ic+U1npHDk44DfQrjwqoKqrudF0wioNyzLgUD1B/ma94Z91OXbCpxVrycp
+szSY2tNsXTAWDLSCOBukvZMtUWmTLry4ATUSHCazXUrNlbhTVwfh2+8NWK/oEMdA
+Z6dmuN3xil4Dt2gau5KQdis9HTuLs5Dm3RsiFBJlQQp01Dq8Q96fIZQJYC+GVI6Z
+6YHnmo+wnOc3+nV+6HCZy0Fwhcwi0wVsKIyAE0moFuQ
+-> ssh-ed25519 jIXfPA IIVFhPn9FYuwd7UfRUYw18JxmJBzyYFT3LBHx1q7cmg
+ZJJj/Ni1d524OCPR0hlU9z65OC/vxeFTZiIN4xS/sE0
+-> ssh-ed25519 um7xWA Op/qg2cGiELroJCu9amY3TW1YQYMrn4oo/jOgQl0/nk
+YykRa+EM1RWYCOAB7NsRm7pIuL9zLnOHMjdMN38eZBw
+--- xAhunKSg7LVgqH5KsQwtXCo5c8Wxkbq61vF5b8rbxEg
+¼+è¼Ó<C2BC>«<EFBFBD>¡˜âáÑ4;Q³5±Ä·;ïQ|Pû—<C3BB>,Áö™$D ¿Ì—„·Lúî<>Š´ñhÙQ,Äùc
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -22,6 +22,7 @@ let
  ldap-bind-admins = active-admins;
  discourse-admins = active-admins;
  indico-admins = active-admins;
+  grafana-admins = active-admins;
  servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
 in
  {
@ -35,4 +36,6 @@ in
    "indico-ldap-bind-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
    "indico-secret-key.age".publicKeys = [ perdrigon ] ++ indico-admins;
    "indico-mail-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
+    "grafana-admin-password.age".publicKeys = [ martagon ] ++ grafana-admins;
+    "grafana-secret-key.age".publicKeys = [ martagon ] ++ grafana-admins;
  }