nix/profiles/netdata.nix
Ryan Lahfa 600db7dd56 monitoring: stream children to klingon
automagically.

More security would be nice in the future: IP allowlists using each child's exact IPv4 address.

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
2024-02-14 04:09:52 +01:00


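{ nodes, pkgs, lib, ... }:
let
  # Render one `[apiKey]` section of netdata's stream.conf for a streaming
  # child. `allowFrom` is the value of that section's "allow from" pattern
  # ("*" accepts any source at this layer).
  mkChildNode = apiKey: allowFrom: ''
    [${apiKey}]
    enabled = yes
    default history = 5000
    default memory mode = dbengine
    health enabled by default = auto
    allow from = ${allowFrom}
  '';

  # A node counts as a streaming child when it declares a non-null
  # `federez.monitoring.apiKey`; the hasAttrByPath guard keeps nodes that
  # do not evaluate the federez module from erroring.
  isMonitorableChild = s:
    lib.hasAttrByPath [ "config" "federez" "monitoring" "apiKey" ] s
    && s.config.federez.monitoring.apiKey != null;
  filterMonitorableChildren = lib.filterAttrs (_: isMonitorableChild);
  monitorableChildren = filterMonitorableChildren nodes;

  # One stream.conf section per child, each preceded by a `# <name>` marker.
  # "allow from = *" means the API key alone authenticates a child here; the
  # source-IP restriction is web."allow streaming from" below.
  streamingChildren = lib.mapAttrsToList (name: peer: ''
    # ${name}
    ${mkChildNode peer.config.federez.monitoring.apiKey "*"}
  '') monitorableChildren;
in
{
  # I wish it could be truly reproducible, but it cannot because of the access token secret.
  # Kept disabled: the token below is a placeholder, and pkgs.writeText would put
  # a real one into the world-readable Nix store.
  environment.etc."netdata/health_alarm_notify.conf".enable = false;
  environment.etc."netdata/health_alarm_notify.conf".source = pkgs.writeText "health_alarm_notify.conf" ''
    SEND_MATRIX="YES"
    MATRIX_HOMESERVER="https://matrix.federez.net"
    MATRIX_ACCESSTOKEN="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    DEFAULT_RECIPIENT_MATRIX="!vdYmGGkFFxIRklSLcO:federez.net"
  '';

  services.netdata = {
    enable = true;
    package = pkgs.netdataCloud;
    config = {
      global = {
        "access log" = "none";
        "disconnect idle web clients after seconds" = 3600;
        "enable web responses gzip compression" = "no";
        "errors to trigger flood protection" = 8000;
        # Value is in MB: 4 * 1024 MB = 4GiB (previous comment said 8GiB).
        "dbengine multihost disk space" = 4 * 1024; # 4GiB
        "page cache size" = 1024; # 1GiB
      };
      db = {
        mode = "dbengine";
        "update every" = 5;
        "storage tiers" = 3;
        "dbengine multihost disk space MB" = 4 * 1024; # 4GiB
        "dbengine tier 1 multihost disk space MB" = 2 * 1024; # 2GiB
        "dbengine tier 2 multihost disk space MB" = 1 * 1024; # 1GiB
      };
      web = {
        # "bind to" = "127.0.0.1 0.0.0.0 unix:/run/netdata/netdata.sock";
        # "allow connections from" = "localhost 127.0.0.1 0.0.0.0";
        # "allow dashboard from" = "localhost 127.0.0.1 0.0.0.0";
        # "allow management from" = "localhost 127.0.0.1";
        # Source-IP gate for streaming children; complements the wildcard
        # "allow from" in each stream.conf section. Dashboard/management ACLs
        # above are commented out, so their exposure is decided by the firewall.
        "allow streaming from" = "89.234.162.*";
        # Match ACLs on IPs only, never on reverse DNS.
        "allow connections by dns" = "no";
        "allow dashboard by dns" = "no";
        "allow badges by dns" = "no";
        "allow streaming by dns" = "no";
        "allow netdata.conf by dns" = "no";
        "allow management by dns" = "no";
      };
      "[plugin:timex]" = {
        "update every" = 30;
        "clock synchronization state" = "yes";
        "time offset" = "yes";
      };
    };

    configDir = {
      # This node is a parent only ([stream] enabled = no); the generated
      # per-child sections follow. NOTE(review): pkgs.writeText stores this
      # file in the Nix store, so the child API keys are readable by every
      # local user on this host.
      "stream.conf" = pkgs.writeText "stream.conf" ''
        [stream]
        enabled = no
        enable compression = yes
        # From file
        ${lib.concatStringsSep "\n" streamingChildren}
      '';
      "go.d.conf" = pkgs.writeText "go.d.conf" (builtins.toJSON {
        "modules"."systemdunits" = true;
      });
    };
  };

  # Netdata listens on 19999 for children and the dashboard.
  networking.firewall.allowedTCPPorts = [ 19999 ];

  # We are not the child.
  federez.monitoring.enableChild = false;
}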