{ config, pkgs, ... }:
{
# Guest memory for the MicroVM (value is passed to the microvm module as-is;
# presumably MiB, confirm against that module).
microvm.mem = 4096;

# Physical host this guest is deployed on, as understood by the c3d2
# deployment module.
c3d2.deployment.server = "server10";

# Makes the influxdb package (and with it the CLI tooling it ships)
# available on the system PATH for manual maintenance.
environment.systemPackages = [ pkgs.influxdb ];
# Host name and the inbound ports this machine accepts.
networking.hostName = "grafana";
networking.firewall = {
  # collectd network protocol (UDP), consumed by the InfluxDB collectd
  # listener configured in this file.
  # NOTE(review): that listener sets no security-level/auth-file here, so
  # every host that can reach this port can submit metrics. Confirm the
  # port is only reachable from trusted networks.
  allowedUDPPorts = [ 25826 ];

  # InfluxDB HTTP API.
  # NOTE(review): the influxdb extraConfig visible in this file does not
  # enable HTTP authentication. Confirm that either authentication is
  # configured elsewhere or an upstream firewall limits who can reach 8086,
  # since this rule opens it on all interfaces.
  allowedTCPPorts = [ 8086 ];
};
services = {
grafana =
  let
    # Builds a Grafana `$__file{...}` reference to a sops-managed secret.
    # Only the file path is written into the generated configuration;
    # Grafana reads the secret value itself from that file at runtime.
    fromSops = key: "$__file{${config.sops.secrets.${key}.path}}";
  in
  {
    enable = true;

    # Declarative provisioning of datasources and dashboards from files
    # checked in next to this configuration.
    provision = {
      enable = true;

      # Regenerate the datasource export with:
      # curl https://root:SECRET@grafana.hq.c3d2.de/api/datasources | jq > hosts/grafana/datasources.json
      #
      # NOTE(review): `password` is copied from datasources.json, which is
      # read at evaluation time. Any non-empty password in that export is
      # therefore stored in the repository and in the evaluated
      # configuration, not behind sops like the other Grafana secrets.
      # Confirm the export holds no live credentials, or move them to a
      # `$__file{...}` reference.
      datasources.settings.datasources = map
        (ds: {
          inherit (ds) name type access orgId url password user database isDefault jsonData;
        })
        (builtins.fromJSON (builtins.readFile ./datasources.json));

      dashboards.settings.providers = [{
        # Regenerate the dashboard exports with:
        # for id in `curl https://root:SECRET@grafana.hq.c3d2.de/api/search | jq -j 'map(.uid) | join(" ")'`; do curl https://root:SECRET@grafana.hq.c3d2.de/api/dashboards/uid/$id | jq .dashboard > hosts/grafana/dashboards/$id.json;done
        options = { path = ./dashboards; };

        # NOTE(review): a `settings` block nested inside a provider entry
        # looks like a leftover from an option migration. Check the
        # provisioning file Grafana actually receives.
        settings.apiVersion = 1;
        settings.providers = [{ name = "c3d2"; }];
      }];
    };

    settings = {
      # No usage statistics are reported to Grafana Labs.
      analytics.reporting_enabled = false;

      server.domain = "grafana.hq.c3d2.de";

      # Local self-registration is off; accounts are only created through
      # the OAuth sign-up path below.
      users.allow_sign_up = false;

      security = {
        admin_password = fromSops "grafana/admin-password";
        secret_key = fromSops "grafana/secret-key";
      };

      # Unauthenticated visitors are let in as members of the "Chaos" org.
      # No org_role is set here, so Grafana's default anonymous role
      # applies. Everything that org can see is effectively public to
      # whoever can reach this host.
      "auth.anonymous".enabled = true;
      "auth.anonymous".org_name = "Chaos";

      # Single sign-on against the Dex instance at auth.c3d2.de.
      "auth.generic_oauth" = {
        enabled = true;
        name = "auth.c3d2.de";
        icon = "signin";

        # Dex endpoints and client credentials.
        auth_url = "https://auth.c3d2.de/dex/auth";
        token_url = "https://auth.c3d2.de/dex/token";
        api_url = "https://auth.c3d2.de/dex/userinfo";
        client_id = "grafana";
        client_secret = fromSops "grafana/client-secret";
        # https://dexidp.io/docs/custom-scopes-claims-clients/
        scopes = "openid email groups profile offline_access";

        # Login flow.
        disable_login_form = true; # only allow OAuth
        oauth_auto_login = true; # redirect automatically to the only oauth provider

        # Account creation and role mapping.
        # Any identity that can authenticate at auth.c3d2.de gets a Grafana
        # account on first login.
        allow_sign_up = true;
        # Members of the 'grafana-admins' group are mapped to the Admin
        # role. For everyone else the expression yields no role name, so
        # presumably Grafana falls back to its default role.
        role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
        # NOTE(review): this only matters when role_attribute_path returns
        # 'GrafanaAdmin'. The expression above never does, so this appears
        # to have no effect. Drop it unless server-admin mapping is planned.
        allow_assign_grafana_admin = true;
        # NOTE(review): this links an OAuth login to an existing Grafana
        # user by e-mail address alone. Grafana ships with it disabled,
        # because an identity provider that lets a user pick an arbitrary
        # e-mail then allows taking over the matching account. Keep it only
        # while Dex and every upstream connector behind it hand out verified
        # addresses, and remove it once existing users are linked.
        oauth_allow_insecure_email_lookup = true;
      };
    };
  };
influxdb =
  let
    # Copy of the stock collectd types.db with one extra gauge type
    # ("stations") appended, so InfluxDB can decode that custom metric.
    extendedTypes = pkgs.runCommand "collectd-types" { } ''
      mkdir -p $out/share/collectd
      cat ${pkgs.collectd-data}/share/collectd/types.db >> $out/share/collectd/types.db
      echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
    '';
  in
  {
    enable = true;

    # NOTE(review): debug-level logging on a long-running instance. Confirm
    # this is still wanted, since it is far more verbose than the default
    # and ends up in the system journal.
    extraConfig.logging.level = "debug";

    # collectd network listener writing into the "collectd" database.
    # NOTE(review): no security-level or auth-file is set for this listener,
    # so packets are presumably accepted unsigned and unencrypted from any
    # sender the firewall lets through.
    extraConfig.collectd = [{
      enabled = true;
      database = "collectd";
      typesdb = "${extendedTypes}/share/collectd/types.db";
      # The policy must exist in the database; create it with:
      # create retention policy "30d" on collectd duration 30d replication 1 default
      retention-policy = "30d";
    }];
  };
# TLS-terminating reverse proxy in front of Grafana.
nginx.enable = true;
nginx.virtualHosts."grafana.hq.c3d2.de" = {
  # Certificate is obtained through ACME. Plain HTTP requests are
  # redirected to HTTPS.
  enableACME = true;
  forceSSL = true;

  # Catch-all: requests with any other Host header are also served by this
  # virtual host.
  default = true;

  # Grafana itself is only addressed over loopback, unencrypted.
  # NOTE(review): the firewall block in this file does not open 80/443.
  # Presumably that happens elsewhere or a front proxy is used.
  locations."/".proxyPass = "http://localhost:3000/";
};
};
# Secrets are decrypted by sops-nix from the encrypted file next to this
# configuration.
sops.defaultSopsFile = ./secrets.yaml;

# Every Grafana secret is handed to the account the grafana unit runs as,
# so the `$__file{...}` references in the Grafana settings can be read by
# the service and by nobody else.
sops.secrets =
  let
    grafanaAccount = config.systemd.services.grafana.serviceConfig.User;
    # NOTE(review): the group is set to the service's *user* name, which
    # assumes a group of the same name exists.
    ownedByGrafana = {
      owner = grafanaAccount;
      group = grafanaAccount;
    };
  in
  builtins.listToAttrs (map
    (name: { inherit name; value = ownedByGrafana; })
    [
      "grafana/admin-password"
      "grafana/client-secret"
      "grafana/secret-key"
    ]);
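# Unit overrides for the monitoring services.
#
# Both services are restarted unconditionally, 60 seconds after they exit.
# InfluxDB additionally gets a raised file-descriptor limit and an unbounded
# start timeout.
#
# The earlier form built the restart policy with a fold and then applied
# `// { influxdb.serviceConfig... = ...; }`. `//` merges only the top level,
# so the right-hand `influxdb` attribute replaced the folded one wholesale.
# InfluxDB silently lost Restart/RestartSec from this file. Merging at the
# serviceConfig level keeps both sets of keys.
systemd.services =
  let
    # Restart policy shared by every service listed below.
    restartPolicy = {
      Restart = "always";
      RestartSec = 60;
    };
  in
  {
    grafana.serviceConfig = restartPolicy;

    influxdb.serviceConfig = restartPolicy // {
      # work around our slow storage that can't keep up
      LimitNOFILE = "1048576:1048576";
      TimeoutStartSec = "infinity";
    };
  };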
# NixOS release whose defaults for stateful data this host was set up with.
# It is deliberately not bumped on upgrades.
system = { stateVersion = "22.05"; };
}