nixos-config/modules/services/grafana/default.nix

{ config, lib, pkgs, ... }:

{
  options.chvp.services.grafana.enable = lib.mkEnableOption "grafana";

  config = lib.mkIf config.chvp.services.grafana.enable {
    chvp.services.nginx.hosts = [{
      fqdn = "stats.chvp.be";
      options.locations."/" = {
        proxyPass = "http://grafana";
        proxyWebsockets = true;
      };
    }];
    users.users = {
      influxdb2.extraGroups = [ "acme" ];
      nginx.extraGroups = [ "grafana" ];
    };
    networking.firewall.allowedTCPPorts = [ 8086 ];
    services = {
      nginx.upstreams.grafana.servers = { "unix:/run/grafana/grafana.sock" = { }; };
      influxdb2 = {
        enable = true;
        settings = {
          reporting-disabled = true;
          tls-cert = "${config.security.acme.certs."vanpetegem.me".directory}/fullchain.pem";
          tls-key = "${config.security.acme.certs."vanpetegem.me".directory}/key.pem";
        };
      };
      grafana = {
        enable = true;
        dataDir = "${config.chvp.dataPrefix}/var/lib/grafana";
        settings = {
          analytics.reporting_enabled = false;
          "auth.anonymous" = {
            enabled = "true";
            org_name = "Van Petegem";
          };
          database = {
            user = "grafana";
            type = "postgres";
            host = "/run/postgresql/";
            name = "grafana";
          };
          security = {
            admin_user = "chvp";
            admin_password = "$__file{${config.age.secrets."passwords/services/grafana/admin-password".path}}";
            secret_key = "$__file{${config.age.secrets."passwords/services/grafana/secret-key".path}}";
          };
          server = {
            domain = "stats.chvp.be";
            http_port = 3000;
            protocol = "socket";
            root_url = "https://stats.chvp.be";
            socket = "/run/grafana/grafana.sock";
          };
          smtp = {
            enabled = true;
            host = "mail.vanpetegem.me:25";
            user = "noreply@vanpetegem.me";
            from_address = "noreply@vanpetegem.me";
            password = "$__file{${config.age.secrets."passwords/services/grafana/smtp".path}}";
          };
          users = {
            default_theme = "light";
            allow_sign_up = false;
          };
        };
      };
      grafana-image-renderer = {
        enable = true;
        provisionGrafana = true;
        chromium = pkgs.ungoogled-chromium;
      };
      postgresql = {
        enable = true;
        dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
        ensureDatabases = [ "grafana" ];
        ensureUsers = [{
          name = "grafana";
          ensurePermissions = { "DATABASE grafana" = "ALL PRIVILEGES"; };
        }];
      };
    };
    age.secrets."passwords/services/grafana/smtp" = {
      file = ../../../secrets/passwords/services/grafana/smtp.age;
      owner = "grafana";
    };
    age.secrets."passwords/services/grafana/admin-password" = {
      file = ../../../secrets/passwords/services/grafana/admin-password.age;
      owner = "grafana";
    };
    age.secrets."passwords/services/grafana/secret-key" = {
      file = ../../../secrets/passwords/services/grafana/secret-key.age;
      owner = "grafana";
    };
  };
}