Setup grafana and influxdb

2022-04-28 23:09:07 +02:00 · 2022-04-28 23:09:07 +02:00 · ba12e0fb65
commit ba12e0fb65
parent a5c45be4c8
8 changed files with 138 additions and 0 deletions
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@ -32,6 +32,12 @@
            fast = true;
            location = "192.168.0.1";
          }
+          {
+            path = "zdata/big-apps/influxdb2";
+            remotePath = "zdata/recv/lasting-integrity/big-apps/influxdb2";
+            fast = true;
+            location = "192.168.0.1";
+          }
          {
            path = "zdata/big-apps/mail";
            remotePath = "zdata/recv/lasting-integrity/big-apps/mail";
@ -53,6 +59,7 @@
      tetris.server = true;
    };
    services = {
+      grafana.enable = true;
      mail.enable = true;
      matrix.enable = true;
      nginx.hosts = [
--- a/machines/lasting-integrity/hardware.nix
+++ b/machines/lasting-integrity/hardware.nix
@ -50,6 +50,10 @@
      device = "zdata/big-apps/nextcloud";
      fsType = "zfs";
    };
+    "/var/lib/influxdb2" = {
+      device = "zdata/big-apps/influxdb2";
+      fsType = "zfs";
+    };
    "/cache" = {
      device = "zroot/safe/cache";
      fsType = "zfs";
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -6,6 +6,7 @@
    ./containers
    ./data-access
    ./deluge
+    ./grafana
    ./mail
    ./matrix
    ./nextcloud
--- a/modules/services/grafana/default.nix
+++ b/modules/services/grafana/default.nix
@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.services.grafana.enable = lib.mkEnableOption "grafana";
+
+  config = lib.mkIf config.chvp.services.grafana.enable {
+    chvp.services.nginx.hosts = [{
+      fqdn = "stats.chvp.be";
+      options.locations."/" = {
+        proxyPass = "http://grafana";
+        proxyWebsockets = true;
+      };
+    }];
+    users.users = {
+      influxdb2.extraGroups = [ "acme" ];
+      nginx.extraGroups = [ "grafana" ];
+    };
+    networking.firewall.allowedTCPPorts = [ 8086 ];
+    services = {
+      nginx.upstreams.grafana.servers = { "unix:/run/grafana/grafana.sock" = {}; };
+      influxdb2 = {
+        enable = true;
+        settings = {
+          reporting-disabled = true;
+          tls-cert = "${config.security.acme.certs."vanpetegem.me".directory}/fullchain.pem";
+          tls-key = "${config.security.acme.certs."vanpetegem.me".directory}/key.pem";
+        };
+      };
+      grafana = {
+        enable = true;
+        analytics.reporting.enable = false;
+        port = 3000;
+        domain = "stats.chvp.be";
+        rootUrl = "https://stats.chvp.be/";
+        dataDir = "${config.chvp.dataPrefix}/var/lib/grafana";
+        protocol = "socket";
+        auth.anonymous.enable = true;
+        smtp = {
+          enable = true;
+          user = "noreply@vanpetegem.me";
+          fromAddress = "noreply@vanpetegem.me";
+          passwordFile = config.age.secrets."passwords/services/grafana/smtp".path;
+        };
+        database = {
+          user = "grafana";
+          type = "postgres";
+          host = "/run/postgresql/";
+          name = "grafana";
+        };
+        users = {
+          allowSignUp = false;
+        };
+        security = {
+          adminUser = "chvp";
+          adminPasswordFile = config.age.secrets."passwords/services/grafana/admin-password".path;
+          secretKeyFile = config.age.secrets."passwords/services/grafana/secret-key".path;
+        };
+        extraOptions = {
+          USERS_DEFAULT_THEME = "light";
+        };
+      };
+      postgresql = {
+        enable = true;
+        dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+        ensureDatabases = [ "grafana" ];
+        ensureUsers = [{
+          name = "grafana";
+          ensurePermissions = { "DATABASE grafana" = "ALL PRIVILEGES"; };
+        }];
+      };
+    };
+    age.secrets."passwords/services/grafana/smtp" = {
+      file = ../../../secrets/passwords/services/grafana/smtp.age;
+      owner = "grafana";
+    };
+    age.secrets."passwords/services/grafana/admin-password" = {
+      file = ../../../secrets/passwords/services/grafana/admin-password.age;
+      owner = "grafana";
+    };
+    age.secrets."passwords/services/grafana/secret-key" = {
+      file = ../../../secrets/passwords/services/grafana/secret-key.age;
+      owner = "grafana";
+    };
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -53,6 +53,10 @@ in

  "secrets/passwords/services/acme.age".publicKeys = servers ++ users;

+  "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/grafana/secret-key.age".publicKeys = [ lasting-integrity ] ++ users;
+
  "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users;

  "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users;
--- a/secrets/passwords/services/grafana/admin-password.age
+++ b/secrets/passwords/services/grafana/admin-password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ M2oDcPI66Phg2oucaZ1S2CqW+kcZEj12Fd6l50sdCxo
+8JfROfE5NIkaXHRfUr8dKxzoS3KOScNJGjWzlZKxIdY
+-> ssh-ed25519 s9rb8g Ef6RVtSHevhdlLx6340G/YSc9ilTXDx+aQKZ+EFB+xM
+VBFXlC1/CvZhUSOzrn7s/WvKUkxYjFdt48m4KYrsuDU
+-> ssh-ed25519 yad4VQ yTvUg0VBrp0GKt7w1lMSh/BBOQStVliO7iIoU+xpk2A
+gs3ANg5Shz3T3PCE3emitOXurtMTnXaPiDu0WWLNlVk
+-> %P*-grease NZl=im;
+0MVikhSYshqVcSL32A6esw
+--- jArwS6u5T87KwiIi0o3gEEbgP+dY0QBQc77jaQOzajU
+>苺[<5B>砮稰PU/渣2<E6B8A3>/鰰湁吚鵥鱛F暖;尬v忺$謐縣劈砨&慝d<E6859D>!邍H繓
--- a/secrets/passwords/services/grafana/secret-key.age
+++ b/secrets/passwords/services/grafana/secret-key.age
@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ JEsKpiSmjZD6d0HPSpHn0elm4+zHlmvWh1w32DYV8HA
+ZMtBYBSA6iptaDmgGfkoErE4H2X+n+u7GMokmJIwT40
+-> ssh-ed25519 s9rb8g l03EU6FxKFrNgiGmuJ7Gl5pJ7qoCqyR8TCJPCIa1124
+fDTZnPk9mcXiJiBguTfL+jKGONd34wyP5Mv0yhAEkNU
+-> ssh-ed25519 yad4VQ WNnsrVh97sIb41CjtY6E/g+wrJT6PMJKdOdNqhZR92g
+Ky8Ymynft0OskvDtZ6HrvAD4Jfc1tGjqe2y2M9AU6uA
+-> EC-grease ETVDr0 .hK i*eXg=
+knbGlo1Vm9dAobjU7koWlvjRvbeeMf+bRjFAZ8gxFza/4eGXvEvGi9zX5jsMhFCD
+IDOT2o3kxPJmKaTXaBy4QjQU
+--- qtN9LAyEpQ28JP3KLFNmGZTDQCXFaVyFP3yIN4noWtw
+P¿ÂÎ¢òógýÖyHYí¶y|Ä»µ,¿â
+¹(¨
+ïª©®}ämçc"¸¦–p12 8÷ø’ŽOø‚ôI<C3B4>Æ<EFBFBD>ßËú!÷Ô
--- a/secrets/passwords/services/grafana/smtp.age
+++ b/secrets/passwords/services/grafana/smtp.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ Ru0RT5OnV6BxjOZURHOtsckmLdsK3lrFfK3ZYryE50I
+t1Z+oC3pU4E4rROIv5EYvX1zxVxQlEGfI35jMEJ1Xdo
+-> ssh-ed25519 s9rb8g GBgtZ7SRpJfWwahctrmKDKUj6fFnIiJUwL1VwHcScF8
+AeRLU3RBxe8Z2i2NHBqm0mDrScg13P+iF6d7YqwQzRc
+-> ssh-ed25519 yad4VQ EgKVtVuA9sY8EZVWRahvHUvPlSApKjgwzInZxT4/eh4
+GsDhQwj8v8mHQ5dGIH5HDa7gQofvvWvHR9+rAKNPiWw
+-> 4jx.|a{}-grease W&IrU!` |_6t#xEx 5C GSCP
+rs6njk3/FNicB/o33339HA
+--- oJ/ZN5mRC/C2urrAF73Hejkon+TF80Is5gVB/rK7FEI
+'í–ørQ…Ù"¼¶Ãž+¥¦Caøö¡¿áÍÔB*›
+w3ˆl‘öÐ¿þb±!ý¦JzLŽÔêxZ#•µÉˆ¨pž