nix-config/hosts/grafana/default.nix

{ config, pkgs, ... }:

{
  microvm.mem = 4096;
  c3d2.deployment.server = "server10";

  environment.systemPackages = with pkgs; [ influxdb ];

  networking = {
    firewall = {
      # influxdb
      allowedTCPPorts = [ 8086 ];
      # collectd
      allowedUDPPorts = [ 25826 ];
    };
    hostName = "grafana";
  };

  services = {
    backup = {
      enable = true;
      paths = [ "/var/lib/grafana/" ];
    };

    grafana = {
      enable = true;
      configureNginx = true;
      oauth = {
        enable = true;
        adminGroup = "grafana-admins";
        enableViewerRole = true;
        userGroup = "grafana-users";
      };

      provision = {
        enable = true;
        # curl https://root:SECRET@grafana.hq.c3d2.de/api/datasources | jq > hosts/grafana/datasources.json
        datasources.settings.datasources = map
          (datasource: {
            inherit (datasource) name type access orgId url password user database isDefault jsonData;
          })
          (with builtins; fromJSON (readFile ./datasources.json));
        dashboards.settings.providers = [{
          settings = {
            apiVersion = 1;
            providers = [{
              name = "c3d2";
            }];
          };
          # for id in `curl https://root:SECRET@grafana.hq.c3d2.de/api/search | jq -j 'map(.uid) | join(" ")'`; do curl https://root:SECRET@grafana.hq.c3d2.de/api/dashboards/uid/$id | jq .dashboard > hosts/grafana/dashboards/$id.json;done
          options.path = ./dashboards;
        }];
      };

      settings = {
        "auth.anonymous" = {
          enabled = true;
          org_name = "Chaos";
        };
        "auth.generic_oauth".client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";
        security = {
          admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
          secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
        };
        server.domain = "grafana.hq.c3d2.de";
        users.allow_sign_up = false;
      };
    };

    influxdb =
      let
        collectdTypes = pkgs.runCommand "collectd-types" { } ''
          mkdir -p $out/share/collectd
          cat ${pkgs.collectd-data}/share/collectd/types.db >> $out/share/collectd/types.db
          echo "stations  value:GAUGE:0:U" >> $out/share/collectd/types.db
        '';
      in
      {
        enable = true;
        extraConfig = {
          logging.level = "debug";
          collectd = [{
            enabled = true;
            database = "collectd";
            typesdb = "${collectdTypes}/share/collectd/types.db";
            # create retention policy "30d" on collectd duration 30d replication 1 default
            retention-policy = "30d";
          }];
        };
      };

    nginx = {
      enable = true;
      virtualHosts = {
        "${config.services.grafana.settings.server.domain}" = {
          default = true;
          enableACME = true;
          forceSSL = true;
        };
      };
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = let
      grafana = config.systemd.services.grafana.serviceConfig.User;
    in {
      "grafana/admin-password".owner = grafana;
      "grafana/client-secret".owner = grafana;
      "grafana/secret-key".owner = grafana;
    };
  };

  systemd.services = {
    # work around our slow storage that can't keep up
    influxdb.serviceConfig.LimitNOFILE = "1048576:1048576";
    influxdb.serviceConfig.TimeoutStartSec = "infinity";
  };

  system.stateVersion = "22.05";

  users.users.nginx.extraGroups = [ "grafana" ];
}
grafana: fix ldap login when someone changed their mail 2023-11-07 19:28:24 +01:00			`{ config, pkgs, ... }:`
add grafana host 2019-01-17 23:45:26 +01:00
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`{`
grafana: fix, microvmify 2022-06-18 02:09:33 +02:00			`microvm.mem = 4096;`
Drop c3d2.isInHq 2022-12-21 19:43:47 +01:00			`c3d2.deployment.server = "server10";`
Add c3d2 options to module at lib/default.nix Options are for assigning deterministic addresses, statistics collection, MOTD, /etc/hosts, etc. 2019-12-03 15:01:10 +01:00
Format 2022-12-19 23:36:57 +01:00			`environment.systemPackages = with pkgs; [ influxdb ];`
add grafana host 2019-01-17 23:45:26 +01:00
Format 2022-12-19 23:36:57 +01:00			`networking = {`
			`firewall = {`
Handle nginx open firewall by nixos-modules 2022-12-20 04:31:37 +01:00			`# influxdb`
			`allowedTCPPorts = [ 8086 ];`
Format 2022-12-19 23:36:57 +01:00			`# collectd`
			`allowedUDPPorts = [ 25826 ];`
grafana: replace caddy with nginx ...so that it's automatically included in public-access-proxy 2021-10-11 23:04:05 +02:00			`};`
Format 2022-12-19 23:36:57 +01:00			`hostName = "grafana";`
add grafana host 2019-01-17 23:45:26 +01:00			`};`
grafana: dump and configure dashboards and datasources 2022-06-16 02:26:07 +02:00
Format 2022-12-19 23:36:57 +01:00			`services = {`
grafana: turn on backups 2023-11-14 01:48:59 +01:00			`backup = {`
			`enable = true;`
			`paths = [ "/var/lib/grafana/" ];`
			`};`

Format 2022-12-19 23:36:57 +01:00			`grafana = {`
grafana: dump and configure dashboards and datasources 2022-06-16 02:26:07 +02:00			`enable = true;`
grafana: move to nixos-modules 2023-12-03 16:57:50 +01:00			`configureNginx = true;`
			`oauth = {`
			`enable = true;`
			`adminGroup = "grafana-admins";`
			`enableViewerRole = true;`
			`userGroup = "grafana-users";`
			`};`
grafana: update to new settings format 2022-10-27 21:35:39 +02:00
Format 2022-12-19 23:36:57 +01:00			`provision = {`
			`enable = true;`
			`# curl https://root:SECRET@grafana.hq.c3d2.de/api/datasources \| jq > hosts/grafana/datasources.json`
			`datasources.settings.datasources = map`
			`(datasource: {`
			`inherit (datasource) name type access orgId url password user database isDefault jsonData;`
			`})`
			`(with builtins; fromJSON (readFile ./datasources.json));`
			`dashboards.settings.providers = [{`
			`settings = {`
			`apiVersion = 1;`
			`providers = [{`
			`name = "c3d2";`
			`}];`
			`};`
			# for id in `curl https://root:SECRET@grafana.hq.c3d2.de/api/search \| jq -j 'map(.uid) \| join(" ")'`; do curl https://root:SECRET@grafana.hq.c3d2.de/api/dashboards/uid/$id \| jq .dashboard > hosts/grafana/dashboards/$id.json;done
			`options.path = ./dashboards;`
			`}];`
grafana: update to new settings format 2022-10-27 21:35:39 +02:00			`};`
Format 2022-12-19 23:36:57 +01:00
			`settings = {`
grafana: reallow anonymous access 2023-04-26 18:59:23 +02:00			`"auth.anonymous" = {`
			`enabled = true;`
			`org_name = "Chaos";`
			`};`
grafana: move to nixos-modules 2023-12-03 16:57:50 +01:00			`"auth.generic_oauth".client_secret = "$__file{${config.sops.secrets."grafana/client-secret".path}}";`
Format 2022-12-19 23:36:57 +01:00			`security = {`
			`admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";`
			`secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";`
			`};`
			`server.domain = "grafana.hq.c3d2.de";`
			`users.allow_sign_up = false;`
grafana: update to new settings format 2022-10-27 21:35:39 +02:00			`};`
grafana: dump and configure dashboards and datasources 2022-06-16 02:26:07 +02:00			`};`
Format, clean out lib, remove sops default and implicit set options 2023-07-01 23:41:50 +02:00
Format 2022-12-19 23:36:57 +01:00			`influxdb =`
			`let`
			`collectdTypes = pkgs.runCommand "collectd-types" { } ''`
			`mkdir -p $out/share/collectd`
			`cat ${pkgs.collectd-data}/share/collectd/types.db >> $out/share/collectd/types.db`
			`echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db`
			`'';`
			`in`
			`{`
			`enable = true;`
			`extraConfig = {`
			`logging.level = "debug";`
			`collectd = [{`
			`enabled = true;`
			`database = "collectd";`
			`typesdb = "${collectdTypes}/share/collectd/types.db";`
			`# create retention policy "30d" on collectd duration 30d replication 1 default`
			`retention-policy = "30d";`
			`}];`
grafana: bump influxdb LimitNOFILES 2022-03-29 00:01:28 +02:00			`};`
Format 2022-12-19 23:36:57 +01:00			`};`
Format, clean out lib, remove sops default and implicit set options 2023-07-01 23:41:50 +02:00
Format 2022-12-19 23:36:57 +01:00			`nginx = {`
			`enable = true;`
			`virtualHosts = {`
grafana: move to nixos-modules 2023-12-03 16:57:50 +01:00			`"${config.services.grafana.settings.server.domain}" = {`
Format 2022-12-19 23:36:57 +01:00			`default = true;`
			`enableACME = true;`
			`forceSSL = true;`
			`};`
			`};`
grafana: bump influxdb LimitNOFILES 2022-03-29 00:01:28 +02:00			`};`
Format 2022-12-19 23:36:57 +01:00			`};`
add grafana host 2019-01-17 23:45:26 +01:00
grafana: update to new settings format 2022-10-27 21:35:39 +02:00			`sops = {`
			`defaultSopsFile = ./secrets.yaml;`
Add basic OIDC for grafana 2022-12-23 08:22:28 +01:00			`secrets = let`
Fix grafana backups 2023-11-14 01:38:25 +01:00			`grafana = config.systemd.services.grafana.serviceConfig.User;`
Add basic OIDC for grafana 2022-12-23 08:22:28 +01:00			`in {`
Fix grafana backups 2023-11-14 01:38:25 +01:00			`"grafana/admin-password".owner = grafana;`
			`"grafana/client-secret".owner = grafana;`
			`"grafana/secret-key".owner = grafana;`
grafana: update to new settings format 2022-10-27 21:35:39 +02:00			`};`
			`};`

grafana: add grafana group to nginx to access socket, remove ineffective overwrites 2023-12-06 23:42:13 +01:00			`systemd.services = {`
			`# work around our slow storage that can't keep up`
			`influxdb.serviceConfig.LimitNOFILE = "1048576:1048576";`
			`influxdb.serviceConfig.TimeoutStartSec = "infinity";`
			`};`
Format 2022-12-19 23:36:57 +01:00
grafana: update to new settings format 2022-10-27 21:35:39 +02:00			`system.stateVersion = "22.05";`
grafana: add grafana group to nginx to access socket, remove ineffective overwrites 2023-12-06 23:42:13 +01:00
			`users.users.nginx.extraGroups = [ "grafana" ];`
add grafana host 2019-01-17 23:45:26 +01:00			`}`