From ba12e0fb65c8ab52769776947f2381e9316e4b20 Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Thu, 28 Apr 2022 23:09:07 +0200
Subject: [PATCH] Setup grafana and influxdb
---
 machines/lasting-integrity/default.nix | 7 ++
 machines/lasting-integrity/hardware.nix | 4 +
 modules/services/default.nix | 1 +
 modules/services/grafana/default.nix | 85 +++++++++++++++++++
 secrets.nix | 4 +
 .../services/grafana/admin-password.age | 11 +++
 .../passwords/services/grafana/secret-key.age | 14 +++
 secrets/passwords/services/grafana/smtp.age | 12 +++
 8 files changed, 138 insertions(+)
 create mode 100644 modules/services/grafana/default.nix
 create mode 100644 secrets/passwords/services/grafana/admin-password.age
 create mode 100644 secrets/passwords/services/grafana/secret-key.age
 create mode 100644 secrets/passwords/services/grafana/smtp.age
diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index d789dcf6..4d77c94e 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -32,6 +32,12 @@
 fast = true;
 location = "192.168.0.1";
 }
+ {
+ path = "zdata/big-apps/influxdb2";
+ remotePath = "zdata/recv/lasting-integrity/big-apps/influxdb2";
+ fast = true;
+ location = "192.168.0.1";
+ }
 {
 path = "zdata/big-apps/mail";
 remotePath = "zdata/recv/lasting-integrity/big-apps/mail";
@@ -53,6 +59,7 @@
 tetris.server = true;
 };
 services = {
+ grafana.enable = true;
 mail.enable = true;
 matrix.enable = true;
 nginx.hosts = [
diff --git a/machines/lasting-integrity/hardware.nix b/machines/lasting-integrity/hardware.nix
index 342b3cbc..7afeaa2d 100644
--- a/machines/lasting-integrity/hardware.nix
+++ b/machines/lasting-integrity/hardware.nix
@@ -50,6 +50,10 @@
 device = "zdata/big-apps/nextcloud";
 fsType = "zfs";
 };
+ "/var/lib/influxdb2" = {
+ device = "zdata/big-apps/influxdb2";
+ fsType = "zfs";
+ };
 "/cache" = {
 device = "zroot/safe/cache";
 fsType = "zfs";
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 61cac99f..4dbccb0f 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -6,6 +6,7 @@
 ./containers
 ./data-access
 ./deluge
+ ./grafana
 ./mail
 ./matrix
 ./nextcloud
diff --git a/modules/services/grafana/default.nix b/modules/services/grafana/default.nix
new file mode 100644
index 00000000..bd3e82db
--- /dev/null
+++ b/modules/services/grafana/default.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.services.grafana.enable = lib.mkEnableOption "grafana";
+
+ config = lib.mkIf config.chvp.services.grafana.enable {
+ chvp.services.nginx.hosts = [{
+ fqdn = "stats.chvp.be";
+ options.locations."/" = {
+ proxyPass = "http://grafana";
+ proxyWebsockets = true;
+ };
+ }];
+ users.users = {
+ influxdb2.extraGroups = [ "acme" ];
+ nginx.extraGroups = [ "grafana" ];
+ };
+ networking.firewall.allowedTCPPorts = [ 8086 ];
+ services = {
+ nginx.upstreams.grafana.servers = { "unix:/run/grafana/grafana.sock" = {}; };
+ influxdb2 = {
+ enable = true;
+ settings = {
+ reporting-disabled = true;
+ tls-cert = "${config.security.acme.certs."vanpetegem.me".directory}/fullchain.pem";
+ tls-key = "${config.security.acme.certs."vanpetegem.me".directory}/key.pem";
+ };
+ };
+ grafana = {
+ enable = true;
+ analytics.reporting.enable = false;
+ port = 3000;
+ domain = "stats.chvp.be";
+ rootUrl = "https://stats.chvp.be/";
+ dataDir = "${config.chvp.dataPrefix}/var/lib/grafana";
+ protocol = "socket";
+ auth.anonymous.enable = true;
+ smtp = {
+ enable = true;
+ user = "noreply@vanpetegem.me";
+ fromAddress = "noreply@vanpetegem.me";
+ passwordFile = config.age.secrets."passwords/services/grafana/smtp".path;
+ };
+ database = {
+ user = "grafana";
+ type = "postgres";
+ host = "/run/postgresql/";
+ name = "grafana";
+ };
+ users = {
+ allowSignUp = false;
+ };
+ security = {
+ adminUser = "chvp";
+ adminPasswordFile = config.age.secrets."passwords/services/grafana/admin-password".path;
+ secretKeyFile = config.age.secrets."passwords/services/grafana/secret-key".path;
+ };
+ extraOptions = {
+ USERS_DEFAULT_THEME = "light";
+ };
+ };
+ postgresql = {
+ enable = true;
+ dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+ ensureDatabases = [ "grafana" ];
+ ensureUsers = [{
+ name = "grafana";
+ ensurePermissions = { "DATABASE grafana" = "ALL PRIVILEGES"; };
+ }];
+
}; + }; + age.secrets."passwords/services/grafana/smtp" = { + file = ../../../secrets/passwords/services/grafana/smtp.age; + owner = "grafana"; + }; + age.secrets."passwords/services/grafana/admin-password" = { + file = ../../../secrets/passwords/services/grafana/admin-password.age; + owner = "grafana"; + }; + age.secrets."passwords/services/grafana/secret-key" = { + file = ../../../secrets/passwords/services/grafana/secret-key.age; + owner = "grafana"; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index c3844830..efd67548 100644 --- a/secrets.nix +++ b/secrets.nix @@ -53,6 +53,10 @@ in "secrets/passwords/services/acme.age".publicKeys = servers ++ users; + "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/grafana/secret-key.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users; diff --git a/secrets/passwords/services/grafana/admin-password.age b/secrets/passwords/services/grafana/admin-password.age new file mode 100644 index 00000000..377f8350 --- /dev/null +++ b/secrets/passwords/services/grafana/admin-password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ M2oDcPI66Phg2oucaZ1S2CqW+kcZEj12Fd6l50sdCxo +8JfROfE5NIkaXHRfUr8dKxzoS3KOScNJGjWzlZKxIdY +-> ssh-ed25519 s9rb8g Ef6RVtSHevhdlLx6340G/YSc9ilTXDx+aQKZ+EFB+xM +VBFXlC1/CvZhUSOzrn7s/WvKUkxYjFdt48m4KYrsuDU +-> ssh-ed25519 yad4VQ yTvUg0VBrp0GKt7w1lMSh/BBOQStVliO7iIoU+xpk2A +gs3ANg5Shz3T3PCE3emitOXurtMTnXaPiDu0WWLNlVk +-> %P*-grease NZl=im; +0MVikhSYshqVcSL32A6esw +--- jArwS6u5T87KwiIi0o3gEEbgP+dY0QBQc77jaQOzajU +>ƀ[ePPU/2/b_Fů;v$khb&d!߇H \ No newline at end of file 
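Review bot: `auth.anonymous.enable = true;` in the `grafana` attribute set makes every dashboard in the default organisation readable without login at the public `stats.chvp.be` vhost. A Grafana Viewer can generally send its own queries through the data source proxy, so the exposure is whatever the InfluxDB token behind the data source can read, not only what the panels show. If public dashboards are intended, a comment such as `# anonymous read access is intentional: public stats only` would record that, together with a dedicated organisation for anonymous users (the `[auth.anonymous]` `org_name`/`org_role` settings) and a read-only token scoped to the buckets those dashboards need. Separately, `networking.firewall.allowedTCPPorts = [ 8086 ];` opens InfluxDB on every interface while InfluxDB 2's initial setup accepts the first caller until onboarding is complete, so restricting the port with `networking.firewall.interfaces.<name>.allowedTCPPorts` or finishing setup before the port is reachable would close that window. `influxdb2.extraGroups = [ "acme" ];` also likely lets the database user read every certificate key owned by that group, not only the `vanpetegem.me` one, which is worth noting in a comment if accepted.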
diff --git a/secrets/passwords/services/grafana/secret-key.age b/secrets/passwords/services/grafana/secret-key.age new file mode 100644 index 00000000..22c3a5a8 --- /dev/null +++ b/secrets/passwords/services/grafana/secret-key.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ JEsKpiSmjZD6d0HPSpHn0elm4+zHlmvWh1w32DYV8HA +ZMtBYBSA6iptaDmgGfkoErE4H2X+n+u7GMokmJIwT40 +-> ssh-ed25519 s9rb8g l03EU6FxKFrNgiGmuJ7Gl5pJ7qoCqyR8TCJPCIa1124 +fDTZnPk9mcXiJiBguTfL+jKGONd34wyP5Mv0yhAEkNU +-> ssh-ed25519 yad4VQ WNnsrVh97sIb41CjtY6E/g+wrJT6PMJKdOdNqhZR92g +Ky8Ymynft0OskvDtZ6HrvAD4Jfc1tGjqe2y2M9AU6uA +-> EC-grease ETVDr0 .hK i*eXg= +knbGlo1Vm9dAobjU7koWlvjRvbeeMf+bRjFAZ8gxFza/4eGXvEvGi9zX5jsMhFCD +IDOT2o3kxPJmKaTXaBy4QjQU +--- qtN9LAyEpQ28JP3KLFNmGZTDQCXFaVyFP3yIN4noWtw +P΢gyHYy|Ļ, +( +睊}mc"p12 8OIƁ! \ No newline at end of file diff --git a/secrets/passwords/services/grafana/smtp.age b/secrets/passwords/services/grafana/smtp.age new file mode 100644 index 00000000..b6f0537c --- /dev/null +++ b/secrets/passwords/services/grafana/smtp.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ Ru0RT5OnV6BxjOZURHOtsckmLdsK3lrFfK3ZYryE50I +t1Z+oC3pU4E4rROIv5EYvX1zxVxQlEGfI35jMEJ1Xdo +-> ssh-ed25519 s9rb8g GBgtZ7SRpJfWwahctrmKDKUj6fFnIiJUwL1VwHcScF8 +AeRLU3RBxe8Z2i2NHBqm0mDrScg13P+iF6d7YqwQzRc +-> ssh-ed25519 yad4VQ EgKVtVuA9sY8EZVWRahvHUvPlSApKjgwzInZxT4/eh4 +GsDhQwj8v8mHQ5dGIH5HDa7gQofvvWvHR9+rAKNPiWw +-> 4jx.|a{}-grease W&IrU!` |_6t#xEx 5C GSCP +rs6njk3/FNicB/o33339HA +--- oJ/ZN5mRC/C2urrAF73Hejkon+TF80Is5gVB/rK7FEI +'rQ" Þ+CaB* +w3lпb!JzLxZ#p \ No newline at end of file