Setup grafana and influxdb

2022-04-28 23:09:07 +02:00 · 2022-04-28 23:09:07 +02:00 · ba12e0fb65
commit ba12e0fb65
parent a5c45be4c8
8 changed files with 138 additions and 0 deletions
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@ -32,6 +32,12 @@
            fast = true;
            location = "192.168.0.1";
          }
          {
            path = "zdata/big-apps/influxdb2";
            remotePath = "zdata/recv/lasting-integrity/big-apps/influxdb2";
            fast = true;
            location = "192.168.0.1";
          }
          {
            path = "zdata/big-apps/mail";
            remotePath = "zdata/recv/lasting-integrity/big-apps/mail";
@ -53,6 +59,7 @@
      tetris.server = true;
    };
    services = {
      grafana.enable = true;
      mail.enable = true;
      matrix.enable = true;
      nginx.hosts = [
--- a/machines/lasting-integrity/hardware.nix
+++ b/machines/lasting-integrity/hardware.nix
@ -50,6 +50,10 @@
      device = "zdata/big-apps/nextcloud";
      fsType = "zfs";
    };
    "/var/lib/influxdb2" = {
      device = "zdata/big-apps/influxdb2";
      fsType = "zfs";
    };
    "/cache" = {
      device = "zroot/safe/cache";
      fsType = "zfs";
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -6,6 +6,7 @@
    ./containers
    ./data-access
    ./deluge
    ./grafana
    ./mail
    ./matrix
    ./nextcloud
--- a/modules/services/grafana/default.nix
+++ b/modules/services/grafana/default.nix
@ -0,0 +1,85 @@
 { config, lib, pkgs, ... }:
 {
  options.chvp.services.grafana.enable = lib.mkEnableOption "grafana";
  config = lib.mkIf config.chvp.services.grafana.enable {
    chvp.services.nginx.hosts = [{
      fqdn = "stats.chvp.be";
      options.locations."/" = {
        proxyPass = "http://grafana";
        proxyWebsockets = true;
      };
    }];
    users.users = {
      influxdb2.extraGroups = [ "acme" ];
      nginx.extraGroups = [ "grafana" ];
    };
    networking.firewall.allowedTCPPorts = [ 8086 ];
    services = {
      nginx.upstreams.grafana.servers = { "unix:/run/grafana/grafana.sock" = {}; };
      influxdb2 = {
        enable = true;
        settings = {
          reporting-disabled = true;
          tls-cert = "${config.security.acme.certs."vanpetegem.me".directory}/fullchain.pem";
          tls-key = "${config.security.acme.certs."vanpetegem.me".directory}/key.pem";
        };
      };
      grafana = {
        enable = true;
        analytics.reporting.enable = false;
        port = 3000;
        domain = "stats.chvp.be";
        rootUrl = "https://stats.chvp.be/";
        dataDir = "${config.chvp.dataPrefix}/var/lib/grafana";
        protocol = "socket";
        auth.anonymous.enable = true;
        smtp = {
          enable = true;
          user = "noreply@vanpetegem.me";
          fromAddress = "noreply@vanpetegem.me";
          passwordFile = config.age.secrets."passwords/services/grafana/smtp".path;
        };
        database = {
          user = "grafana";
          type = "postgres";
          host = "/run/postgresql/";
          name = "grafana";
        };
        users = {
          allowSignUp = false;
        };
        security = {
          adminUser = "chvp";
          adminPasswordFile = config.age.secrets."passwords/services/grafana/admin-password".path;
          secretKeyFile = config.age.secrets."passwords/services/grafana/secret-key".path;
        };
        extraOptions = {
          USERS_DEFAULT_THEME = "light";
        };
      };
      postgresql = {
        enable = true;
        dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
        ensureDatabases = [ "grafana" ];
        ensureUsers = [{
          name = "grafana";
          ensurePermissions = { "DATABASE grafana" = "ALL PRIVILEGES"; };
        }];
      };
    };
    age.secrets."passwords/services/grafana/smtp" = {
      file = ../../../secrets/passwords/services/grafana/smtp.age;
      owner = "grafana";
    };
    age.secrets."passwords/services/grafana/admin-password" = {
      file = ../../../secrets/passwords/services/grafana/admin-password.age;
      owner = "grafana";
    };
    age.secrets."passwords/services/grafana/secret-key" = {
      file = ../../../secrets/passwords/services/grafana/secret-key.age;
      owner = "grafana";
    };
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -53,6 +53,10 @@ in
  "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
  "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/grafana/secret-key.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users;
--- a/secrets/passwords/services/grafana/admin-password.age
+++ b/secrets/passwords/services/grafana/admin-password.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 hKAFvQ M2oDcPI66Phg2oucaZ1S2CqW+kcZEj12Fd6l50sdCxo
 8JfROfE5NIkaXHRfUr8dKxzoS3KOScNJGjWzlZKxIdY
 -> ssh-ed25519 s9rb8g Ef6RVtSHevhdlLx6340G/YSc9ilTXDx+aQKZ+EFB+xM
 VBFXlC1/CvZhUSOzrn7s/WvKUkxYjFdt48m4KYrsuDU
 -> ssh-ed25519 yad4VQ yTvUg0VBrp0GKt7w1lMSh/BBOQStVliO7iIoU+xpk2A
 gs3ANg5Shz3T3PCE3emitOXurtMTnXaPiDu0WWLNlVk
 -> %P*-grease NZl=im;
 0MVikhSYshqVcSL32A6esw
 --- jArwS6u5T87KwiIi0o3gEEbgP+dY0QBQc77jaQOzajU
 >苺[<5B>砮稰PU/渣2<E6B8A3>/鰰湁吚鵥鱛F暖;尬v忺$謐縣劈砨&慝d<E6859D>!邍H繓
--- a/secrets/passwords/services/grafana/secret-key.age
+++ b/secrets/passwords/services/grafana/secret-key.age
@ -0,0 +1,14 @@
 age-encryption.org/v1
 -> ssh-ed25519 hKAFvQ JEsKpiSmjZD6d0HPSpHn0elm4+zHlmvWh1w32DYV8HA
 ZMtBYBSA6iptaDmgGfkoErE4H2X+n+u7GMokmJIwT40
 -> ssh-ed25519 s9rb8g l03EU6FxKFrNgiGmuJ7Gl5pJ7qoCqyR8TCJPCIa1124
 fDTZnPk9mcXiJiBguTfL+jKGONd34wyP5Mv0yhAEkNU
 -> ssh-ed25519 yad4VQ WNnsrVh97sIb41CjtY6E/g+wrJT6PMJKdOdNqhZR92g
 Ky8Ymynft0OskvDtZ6HrvAD4Jfc1tGjqe2y2M9AU6uA
 -> EC-grease ETVDr0 .hK i*eXg=
 knbGlo1Vm9dAobjU7koWlvjRvbeeMf+bRjFAZ8gxFza/4eGXvEvGi9zX5jsMhFCD
 IDOT2o3kxPJmKaTXaBy4QjQU
 --- qtN9LAyEpQ28JP3KLFNmGZTDQCXFaVyFP3yIN4noWtw
 P¿ÂÎ¢òógýÖyHYí¶y|Ä»µ,¿â
 ¹(¨
 ïª©®}ämçc"¸¦–p12 8÷ø’ŽOø‚ôI<C3B4>Æ<EFBFBD>ßËú!÷Ô
--- a/secrets/passwords/services/grafana/smtp.age
+++ b/secrets/passwords/services/grafana/smtp.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 hKAFvQ Ru0RT5OnV6BxjOZURHOtsckmLdsK3lrFfK3ZYryE50I
 t1Z+oC3pU4E4rROIv5EYvX1zxVxQlEGfI35jMEJ1Xdo
 -> ssh-ed25519 s9rb8g GBgtZ7SRpJfWwahctrmKDKUj6fFnIiJUwL1VwHcScF8
 AeRLU3RBxe8Z2i2NHBqm0mDrScg13P+iF6d7YqwQzRc
 -> ssh-ed25519 yad4VQ EgKVtVuA9sY8EZVWRahvHUvPlSApKjgwzInZxT4/eh4
 GsDhQwj8v8mHQ5dGIH5HDa7gQofvvWvHR9+rAKNPiWw
 -> 4jx.|a{}-grease W&IrU!` |_6t#xEx 5C GSCP
 rs6njk3/FNicB/o33339HA
 --- oJ/ZN5mRC/C2urrAF73Hejkon+TF80Is5gVB/rK7FEI
 'í–ørQ…Ù"¼¶Ãž+¥¦Caøö¡¿áÍÔB*›
 w3ˆl‘öÐ¿þb±!ý¦JzLŽÔêxZ#•µÉˆ¨pž