
add prometheus host

unify logging into lib/logging
cleanup registry
pull/1/head
Daniel Poelzleithner 1 рік тому
джерело
коміт
fb9d929bc4

+ 108
- 0
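--- a/hosts/containers/prometheus/configuration.nix
+++ b/hosts/containers/prometheus/configuration.nix
@@ -0,0 +1,108 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [ ../../../lib/lxc-container.nix
+    ../../../lib/shared.nix
+    ../../../lib/admins.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    vim
+  ];
+
+  networking = {
+    hostName = "prometheus";
+    firewall = {
+      allowedTCPPorts = [ 
+        22
+        80
+        443
+        9090
+        9091
+        9093
+        9094
+      ];
+      enable = true;
+    };
+  };
+
+  services.prometheus = {
+    enable = true;
+
+    alertmanager = {
+      enable = true;
+      openFirewall = true;
+      webExternalUrl = "http://prometheus.serv.zentralwerk.org/alertmanager/";
+      listenAddress = "0.0.0.0";
+      configuration = {
+        "global" = {
+          "smtp_smarthost" = "mail.serv.zentralwerk.org:587";
+          "smtp_from" = "alertmanager@prometheus.serv.zentralwerk.org";
+        };
+        "route" = {
+          "group_by" = [ "alertname" "alias" ];
+          "group_wait" = "30s";
+          "group_interval" = "2m";
+          "repeat_interval" = "4h";
+          "receiver" = "team-admins";
+        };
+        "receivers" = [
+          {
+            "name" = "team-admins";
+            # "email_configs" = [
+            #   {
+            #     "to" = "devnull@example.com";
+            #     "send_resolved" = true;
+            #   }
+            # ];
+            # "webhook_configs" = [
+            #   {
+            #     "url" = "https://example.com/prometheus-alerts";
+            #     "send_resolved" = true;
+            #   }
+            # ];
+          }
+        ];
+      };
+    };
+
+    alertmanagerURL = [ "http://prometheus.serv.zentralwerk.org/alertmanager/" ];
+
+    pushgateway = {
+      enable = true;
+      web.external-url =  "http://prometheus.serv.zentralwerk.org/push/";
+    };
+
+    exporters.collectd.enable = true;
+    exporters.collectd.openFirewall = true;
+    
+    exporters.nginx.enable = true;
+
+  };
+
+  services.nginx = {
+    enable = true;
+    
+    virtualHosts."prometheus.serv.zentralwerk.org" = {
+    # serverAliases = [ "registry.serv.zentralwerk.org" ];
+      enableACME = true;
+      enableSSL = true;
+      # forceSSL = true;
+      locations.".well-known/acme-challenge/" = {
+            root = "/var/lib/acme/acme-challenge/.well-known/acme-challenge/";
+      };
+      locations."/" = {
+            proxyPass = "http://localhost:9090";
+      };
+    };
+  };
+
+
+  system.stateVersion = "19.03"; # Did you read the comment?
+
+}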
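Review bot: `allowedTCPPorts` opens 9090, 9091, 9093 and 9094 directly and alertmanager additionally binds `listenAddress = "0.0.0.0"` with `openFirewall = true`, so the Prometheus, pushgateway and Alertmanager HTTP APIs are reachable without any authentication and in plaintext, bypassing the nginx vhost entirely (which itself leaves `forceSSL` commented out and puts no access control on `locations."/"`). I would remove the four 909x ports from the list, set `listenAddress = "127.0.0.1";` and drop `openFirewall = true` on alertmanager, set `forceSSL = true;` and gate `locations."/"` with `basicAuthFile`, since the query and silence endpoints should not be anonymous on a public hostname. Separately, `webExternalUrl`/`alertmanagerURL` advertise `/alertmanager/` and the pushgateway `/push/`, but the only proxied location is `"/"` → `localhost:9090`, so those paths land on Prometheus rather than on Alertmanager (9093) or the pushgateway (9091); add `locations."/alertmanager/".proxyPass = "http://localhost:9093";` and `locations."/push/".proxyPass = "http://localhost:9091";` (whether the prefix must be preserved depends on how the external-url options are honoured — verify). Also, receiver `team-admins` has every `*_configs` entry commented out, so all routed alerts are silently discarded until a real receiver is configured.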

+ 19
- 38
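--- a/hosts/containers/registry/configuration.nix
+++ b/hosts/containers/registry/configuration.nix
@@ -1,19 +1,15 @@
-    [ <nixpkgs/nixos/modules/profiles/minimal.nix>
-    ];
-  nix.useSandbox = false;
-  nix.maxJobs = lib.mkDefault 4;
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
 
-  boot.isContainer = true;
-  # /sbin/init
-  boot.loader.initScript.enable = true;
-  boot.loader.grub.enable = false;
-  #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
+{ config, pkgs, lib, ... }:
 
-  fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
-
-  #networking.hostName = "docker-registry"; # Define your hostname.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  #networking.useNetworkd = true;
+{
+  imports =
+    [ ../../../lib/lxc-container.nix
+    ../../../lib/shared.nix
+    ../../../lib/admins.nix
+  ];
 
   networking = {
     hostName = "registry";
@@ -29,8 +25,6 @@
 
     dhcpcd.denyInterfaces = [ "eth0" ];
 
-    nameservers = [ "8.8.8.8" "9.9.9.9" ];
-
     defaultGateway = {
       address = "172.22.99.1";
       interface = "eth0";
@@ -42,8 +36,6 @@
     #};
   };
   
-  services.openssh.enable = true;
-
   # Open ports in the firewall.
   networking.firewall.allowedTCPPorts = [
     22
@@ -52,13 +44,6 @@
     5000
    ]; 
 
-  # Set your time zone.
-  time.timeZone = "Europe/Berlin";
-  # Select internationalisation properties.
-  i18n = {
-    defaultLocale = "en_US.UTF-8";
-    supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
-  };
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
@@ -66,21 +51,17 @@
     wget
     vim
   ];
-
-  # Create a few files early before packing tarball for Proxmox
-  # architecture/OS detection.
-  system.extraSystemBuilderCmds = 
-      ''
-          mkdir -m 0755 -p $out/bin
-          ln -s ${pkgs.bash}/bin/bash $out/bin/sh
-          mkdir -m 0755 -p $out/sbin
-          ln -s ../init $out/sbin/init
-      '';
   
-  services.dockerRegistry.enable = true;
+  services.dockerRegistry = {
+    enable = true;
+    storagePath = "/srv/docker-registry";
+    enableGarbageCollect = true;
+    enableDelete = true;
+  };
 
   services.nginx.enable = true;
   services.nginx.virtualHosts."registry.hq.c3d2.de" = {
+    # serverAliases = [ "registry.serv.zentralwerk.org" ];
     enableACME = true;
     enableSSL = true;
     # forceSSL = true;
@@ -91,7 +72,7 @@
            proxyPass = "http://localhost:5000";
     };
     extraConfig = ''
-      client_max_body_size 2048M;
+      client_max_body_size 4096M;
       gzip off;
     '';
   };
@@ -100,7 +81,7 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "18.09"; # Did you read the comment?
+  system.stateVersion = "19.03"; # Did you read the comment?
 }
 
 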
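Review bot: `enableDelete = true` turns on the registry's delete API, and the vhost hunk shows the registry proxied at `localhost:5000` behind `enableACME`/`enableSSL` with `forceSSL` still commented out and no access control visible in these hunks, so any client that can reach `registry.hq.c3d2.de` could delete or overwrite images that other hosts pull (if a `basicAuthFile` or registry token auth is configured in the part of the vhost outside the hunk, disregard this). I would at least set `forceSSL = true;` and keep push and delete restricted to authenticated clients before enabling `enableDelete`. The bump to `client_max_body_size 4096M;` compounds this: with unauthenticated pushes, one client can fill the new `storagePath = "/srv/docker-registry"`. The removed `services.openssh.enable = true` and `nameservers` lines are not re-added in these hunks; presumably they moved into `lib/lxc-container.nix` or `lib/shared.nix`, but the shared.nix hunk below only shows `time.timeZone`, so it is worth confirming the container still gets a resolver and sshd.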

+ 23
- 1
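--- a/hq.nixops
+++ b/hq.nixops
@@ -104,6 +104,28 @@
 				storeKeysOnMachine = true;
 			};
 	  };
+    "registry" =
+    { ... }:
+		{
+			imports = [
+				hosts/containers/registry/configuration.nix
+			];
+			deployment = {
+				targetHost = "2a02:8106:208:5201::34";
+				storeKeysOnMachine = true;
+			};
+	  };
+    "prometheus" =
+    { ... }:
+		{
+			imports = [
+				hosts/containers/prometheus/configuration.nix
+			];
+			deployment = {
+				targetHost = "2a02:8106:208:5282:8c46:d6ff:fe43:6afd";
+				storeKeysOnMachine = true;
+			};
+	  };
+
 
-    
 }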
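Review bot: The `"prometheus"` entry's `targetHost = "2a02:8106:208:5282:8c46:d6ff:fe43:6afd"` looks like a SLAAC/EUI-64 address (the `ff:fe` in the interface identifier), so the deploy target would silently change if the container's MAC is regenerated, whereas `"registry"` uses a static `::34` suffix; a stable address or a DNS name for both would avoid deploying to the wrong host. Indentation in the new entries also mixes four spaces (`    "registry" =`, `    { ... }:`) with tabs for the body, unlike the tab-indented context above; pick one and match the surrounding entries. `storeKeysOnMachine = true` mirrors the existing entries, but as I understand the option it keeps deployment keys on the container's persistent filesystem rather than only in memory, which deserves a one-line comment so the trade-off is explicit for anyone copying the pattern.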

+ 52
- 0
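--- a/lib/logging.nix
+++ b/lib/logging.nix
@@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+  nginxGlobalLogging = ''
+    log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
+                     '"remote_addr": "$remote_addr", '
+                     '"body_bytes_sent": $body_bytes_sent, '
+                     '"request_time": $request_time, '
+                     '"response_status": $status, '
+                     '"request": "$request", '
+                     '"request_method": "$request_method", '
+                     '"host": "$host",'
+                     '"upstream_cache_status": "$upstream_cache_status",'
+                     '"upstream_addr": "$upstream_addr",'
+                     '"http_x_forwarded_for": "$http_x_forwarded_for",'
+                     '"http_referrer": "$http_referer", '
+                     '"http_user_agent": "$http_user_agent" }';
+
+    # replace the hostnames with the IP or hostname of your Graylog2 server
+    access_log syslog:server=graylog.server.org:12301 graylog2_json;
+    error_log syslog:server=graylog.server.org:12302;
+'';
+  
+in
+{
+
+  # add central logging
+  services.journalbeat = {
+    enable = true;
+    extraConfig = ''
+      journalbeat:
+        seek_position: cursor
+        cursor_seek_fallback: tail
+        write_cursor_state: true
+        cursor_flush_period: 5s
+        clean_field_names: true
+        convert_to_numbers: false
+        move_metadata_to_field: journal
+        default_type: journal
+        kernel: true
+      output.logstash:
+        # Boolean flag to enable or disable the output module.
+        enabled: true
+        hosts: ["logging.serv.zentralwerk.org:5044", "172.20.73.13:5044"]
+        '';
+  };
+
+  services.prometheus.exporters.node.enable = true;
+  services.prometheus.exporters.node.openFirewall = true;
+
+}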
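Review bot: `nginxGlobalLogging` is bound in the `let` block but never referenced in the attribute set after `in`, so the JSON access-log format and the syslog targets it defines are never applied and nginx keeps its default logging; either wire it in (e.g. through `services.nginx.commonHttpConfig`) or drop the dead binding. If it is wired in, note that `graylog.server.org` is still the upstream example placeholder and that `access_log syslog:server=...` would ship request logs (including `$request` and `$http_x_forwarded_for`) over plain syslog. The journalbeat `output.logstash` block likewise carries no `ssl` settings, so journal and kernel logs go to `logging.serv.zentralwerk.org:5044` / `172.20.73.13:5044` unencrypted and without server verification; beats support `output.logstash.ssl.certificate_authorities` for this. `services.prometheus.exporters.node.openFirewall = true` applies to every host that imports this module and exposes the node exporter to any peer that can reach the host; if this nixpkgs has it, the exporter's `firewallFilter` option can restrict the rule to the Prometheus scraper's address.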

+ 1
- 0
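--- a/lib/shared.nix
+++ b/lib/shared.nix
@@ -1,6 +1,7 @@
 { lib, ... }:
 
 {
+  imports = [./logging.nix];
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
   # Select internationalisation properties.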
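Review bot: `imports = [./logging.nix];` is a one-liner that enables journalbeat shipping of the journal (including the kernel log) to logstash and opens the node exporter port on every host that uses `shared.nix`, none of which is visible from this line; I would document it above the import: `# central logging (journalbeat -> logstash) and node exporter; opens the exporter port on every host`. Hosts that must not send their logs off-machine now have to opt out explicitly, which is worth stating in the same comment.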
