
add prometheus host

unify logging into lib/logging
cleanup registry
pull/1/head
Daniel Poelzleithner 2 anni fa
parent
commit
fb9d929bc4
  1. 108
      hosts/containers/prometheus/configuration.nix
  2. 57
      hosts/containers/registry/configuration.nix
  3. 24
      hq.nixops
  4. 52
      lib/logging.nix
  5. 1
      lib/shared.nix

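--- /dev/null
+++ b/hosts/containers/prometheus/configuration.nix
@@ -0,0 +1,108 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{ config, pkgs, lib, ... }:
+{
+imports =
+[ ../../../lib/lxc-container.nix
+../../../lib/shared.nix
+../../../lib/admins.nix
+];
+environment.systemPackages = with pkgs; [
+vim
+];
+networking = {
+hostName = "prometheus";
+firewall = {
+allowedTCPPorts = [
+22
+80
+443
+9090
+9091
+9093
+9094
+];
+enable = true;
+};
+};
+services.prometheus = {
+enable = true;
+alertmanager = {
+enable = true;
+openFirewall = true;
+webExternalUrl = "http://prometheus.serv.zentralwerk.org/alertmanager/";
+listenAddress = "0.0.0.0";
+configuration = {
+"global" = {
+"smtp_smarthost" = "mail.serv.zentralwerk.org:587";
+"smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org";
+};
+"route" = {
+"group_by" = [ "alertname" "alias" ];
+"group_wait" = "30s";
+"group_interval" = "2m";
+"repeat_interval" = "4h";
+"receiver" = "team-admins";
+};
+"receivers" = [
+{
+"name" = "team-admins";
+# "email_configs" = [
+# {
+# "to" = "devnull@example.com";
+# "send_resolved" = true;
+# }
+# ];
+# "webhook_configs" = [
+# {
+# "url" = "https://example.com/prometheus-alerts";
+# "send_resolved" = true;
+# }
+# ];
+}
+];
+};
+};
+alertmanagerURL = [ "http://prometheus.serv.zentralwerk.org/alertmanager/" ];
+pushgateway = {
+enable = true;
+web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
+};
+exporters.collectd.enable = true;
+exporters.collectd.openFirewall = true;
+exporters.nginx.enable = true;
+};
+services.nginx = {
+enable = true;
+virtualHosts."prometheus.serv.zentralwerk.org" = {
+# serverAliases = [ "registry.serv.zentralwerk.org" ];
+enableACME = true;
+enableSSL = true;
+# forceSSL = true;
+locations.".well-known/acme-challenge/" = {
+root = "/var/lib/acme/acme-challenge/.well-known/acme-challenge/";
+};
+locations."/" = {
+proxyPass = "http://localhost:9090";
+};
+};
+};
+system.stateVersion = "19.03"; # Did you read the comment?
+}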
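Review bot: The firewall list that opens 9090, 9091, 9093 and 9094 exposes Prometheus, the pushgateway and Alertmanager directly to the network even though nginx already fronts them, and none of these services authenticate requests, so anyone reaching 9091 can push arbitrary metrics and anyone reaching 9093 can create silences through the Alertmanager API. `alertmanager.listenAddress = "0.0.0.0"` together with `alertmanager.openFirewall = true` widens the same exposure. I would drop the four backend ports from `allowedTCPPorts`, set `alertmanager.listenAddress = "127.0.0.1";` with `alertmanager.openFirewall = false;`, and bind the pushgateway with `pushgateway.web.listen-address = "127.0.0.1:9091";` so that only the nginx vhost can reach them. The vhost itself leaves `forceSSL` commented out and carries no `basicAuth`, so the plain-HTTP path to 9090 is also unauthenticated; `forceSSL = true` plus a `basicAuth` entry on the vhost is what I would expect for an admin-only UI.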

57
hosts/containers/registry/configuration.nix

@ -1,19 +1,15 @@
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 4;
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
boot.isContainer = true;
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
{ config, pkgs, lib, ... }:
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
#networking.hostName = "docker-registry"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
#networking.useNetworkd = true;
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
networking = {
hostName = "registry";
@ -29,8 +25,6 @@
dhcpcd.denyInterfaces = [ "eth0" ];
nameservers = [ "8.8.8.8" "9.9.9.9" ];
defaultGateway = {
address = "172.22.99.1";
interface = "eth0";
@ -42,8 +36,6 @@
#};
};
services.openssh.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
22
@ -52,13 +44,6 @@
5000
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
@ -66,21 +51,17 @@
wget
vim
];
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
system.extraSystemBuilderCmds =
''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
services.dockerRegistry.enable = true;
services.dockerRegistry = {
enable = true;
storagePath = "/srv/docker-registry";
enableGarbageCollect = true;
enableDelete = true;
};
services.nginx.enable = true;
services.nginx.virtualHosts."registry.hq.c3d2.de" = {
# serverAliases = [ "registry.serv.zentralwerk.org" ];
enableACME = true;
enableSSL = true;
# forceSSL = true;
@ -91,7 +72,7 @@
proxyPass = "http://localhost:5000";
};
extraConfig = ''
client_max_body_size 2048M;
client_max_body_size 4096M;
gzip off;
'';
};
@ -100,7 +81,7 @@
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
system.stateVersion = "19.03"; # Did you read the comment?
}
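Review bot: `enableDelete = true` makes the registry honor DELETE requests for manifests and blobs, while the nginx vhost proxies `/` to `http://localhost:5000` with no authentication visible in these hunks, so whoever can reach `registry.hq.c3d2.de` can apparently push to or delete from the registry; the `services.nginx.virtualHosts` definition continues outside the hunk, so this should be confirmed against the rest of the vhost. A `basicAuth` entry on the vhost (or token auth configured through `services.dockerRegistry.extraConfig`), together with `forceSSL = true` in place of the commented-out line, would close the unauthenticated plain-HTTP push/delete path. Port 5000 remains in `networking.firewall.allowedTCPPorts`; if `services.dockerRegistry.listenAddress` is left at its localhost default that entry is harmless but unnecessary, and it should be removed if nothing else is meant to answer on that port.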

24
hq.nixops

@ -104,6 +104,28 @@
storeKeysOnMachine = true;
};
};
"registry" =
{ ... }:
{
imports = [
hosts/containers/registry/configuration.nix
];
deployment = {
targetHost = "2a02:8106:208:5201::34";
storeKeysOnMachine = true;
};
};
"prometheus" =
{ ... }:
{
imports = [
hosts/containers/prometheus/configuration.nix
];
deployment = {
targetHost = "2a02:8106:208:5282:8c46:d6ff:fe43:6afd";
storeKeysOnMachine = true;
};
};
}

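--- /dev/null
+++ b/lib/logging.nix
@@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+let
+nginxGlobalLogging = ''
+log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
+'"remote_addr": "$remote_addr", '
+'"body_bytes_sent": $body_bytes_sent, '
+'"request_time": $request_time, '
+'"response_status": $status, '
+'"request": "$request", '
+'"request_method": "$request_method", '
+'"host": "$host",'
+'"upstream_cache_status": "$upstream_cache_status",'
+'"upstream_addr": "$upstream_addr",'
+'"http_x_forwarded_for": "$http_x_forwarded_for",'
+'"http_referrer": "$http_referer", '
+'"http_user_agent": "$http_user_agent" }';
+# replace the hostnames with the IP or hostname of your Graylog2 server
+access_log syslog:server=graylog.server.org:12301 graylog2_json;
+error_log syslog:server=graylog.server.org:12302;
+'';
+in
+{
+# add central logging
+services.journalbeat = {
+enable = true;
+extraConfig = ''
+journalbeat:
+seek_position: cursor
+cursor_seek_fallback: tail
+write_cursor_state: true
+cursor_flush_period: 5s
+clean_field_names: true
+convert_to_numbers: false
+move_metadata_to_field: journal
+default_type: journal
+kernel: true
+output.logstash:
+# Boolean flag to enable or disable the output module.
+enabled: true
+hosts: ["logging.serv.zentralwerk.org:5044", "172.20.73.13:5044"]
+'';
+};
+services.prometheus.exporters.node.enable = true;
+services.prometheus.exporters.node.openFirewall = true;
+}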
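Review bot: The `output.logstash` block sets only `enabled` and `hosts`, so the complete journal of every host importing this module — which can include tokens or passwords echoed by unit logs — is shipped to port 5044 in cleartext with no verification of the collector; journalbeat accepts `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` under `output.logstash`, and I would add them before this module is pulled in everywhere through `lib/shared.nix`. `nginxGlobalLogging` in the `let` block is never referenced in the returned attribute set and still points at the placeholder `graylog.server.org`, so it should either be dropped or wired in via `services.nginx.commonHttpConfig` once a real collector address exists. Because `services.prometheus.exporters.node.openFirewall = true` now applies to every host, port 9100 is opened on all of them; restricting the source to the Prometheus host with a firewall rule (for example in `networking.firewall.extraCommands`) would limit what the exporter reveals to the rest of the network.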

1
lib/shared.nix

@ -1,6 +1,7 @@
{ lib, ... }:
{
imports = [./logging.nix];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
