basic grafana setup

2023-05-03 21:47:46 +02:00 · 2023-05-03 21:47:46 +02:00 · 62acfe3a5a
parent 310162c24f
commit 62acfe3a5a
4 changed files with 142 additions and 1 deletions
--- a/hosts/notice-me-senpai/configuration.nix
+++ b/hosts/notice-me-senpai/configuration.nix
@ -1,4 +1,4 @@
-{ self, pkgs, ... }: {
+{ self, pkgs, lib, ... }: {
  sops.defaultSopsFile = self + /secrets/notice-me-senpai/secrets.yaml;

  networking.hostName = "notice-me-senpai";
@ -8,5 +8,7 @@
    kernelPackages = pkgs.linuxPackages_latest;
  };

+  users.motd = lib.mkForce (builtins.readFile ./motd.txt);
+
  system.stateVersion = "22.11";
 }
--- a/hosts/notice-me-senpai/default.nix
+++ b/hosts/notice-me-senpai/default.nix
@ -3,6 +3,7 @@
  imports = [
    ./configuration.nix
    ./hardware-configuration.nix
+    ./grafana.nix
    ./uplink.nix
    ./wg.nix
  ];
--- a/hosts/notice-me-senpai/grafana.nix
+++ b/hosts/notice-me-senpai/grafana.nix
@ -0,0 +1,132 @@
+{ config, lib, self, ... }:
+let
+  grafana_host = "grafana.tlm.solutions";
+in
+{
+  # rules for public interface, ddvb-wg is considered trusted, no firewall there
+  networking.firewall = {
+    allowedTCPPorts = [
+      80 # nginx
+      443 # nginx
+    ];
+    allowedUDPPorts = [
+    ];
+  };
+  services = {
+    # metrics collector
+    prometheus =
+      {
+        enable = true;
+        port = 9501;
+        listenAddress = config.deployment-TLMS.net.wg.addr4;
+        scrapeConfigs =
+          let
+            prometheus_listen_address = config.deployment-TLMS.net.wg.addr4;
+
+            ### Autogenerate prometheus scraper config
+            # currently only wireguard-connected machines are getting scraped.
+            filterWgHosts = k: v: !(builtins.isNull v.config.deployment-TLMS.net.wg.addr4);
+            wgHosts = lib.filterAttrs filterWgHosts self.nixosConfigurations;
+
+            # collect active prometheus exporters
+            filterEnabledExporters = name: host: lib.filterAttrs (k: v: v.enable == true) host.config.services.prometheus.exporters;
+            enabledExporters = lib.mapAttrs filterEnabledExporters wgHosts;
+
+            # turns exporter config into scraper config
+            makeScrapeConfig = hostname: exporter: exporter-cfg: {
+              job_name = "${hostname}_${exporter}";
+              static_configs =
+                let
+                  ip = wgHosts."${hostname}".config.deployment-TLMS.net.wg.addr4;
+                in
+                [{
+                  targets = [ "${ip}:${toString exporter-cfg.port}" ];
+                }];
+
+              relabel_configs = [
+                {
+                  target_label = "instance";
+                  replacement = "${hostname}";
+                }
+                {
+                  target_label = "job";
+                  replacement = "${exporter}";
+                }
+              ];
+            };
+
+            # generate scraper config
+            makeScrapeConfigHost = name: exporters: lib.mapAttrs (makeScrapeConfig name) exporters;
+            ScrapeConfigByHost = lib.mapAttrs makeScrapeConfigHost enabledExporters;
+
+            TLMSScrapeConfigs = lib.lists.flatten (map lib.attrValues (lib.attrValues ScrapeConfigByHost));
+          in
+          TLMSScrapeConfigs;
+      };
+
+    # log collector
+
+    # visualizer/alerting
+    grafana = {
+      enable = true;
+      settings.server = {
+        domain = grafana_host;
+        http_addr = "127.0.0.1";
+        http_port = 2342;
+      };
+    };
+
+    # grafana reverse proxy
+    nginx =
+      let
+        headers = ''
+          # Permissions Policy - gps only
+          add_header Permissions-Policy "geolocation=()";
+
+          # Minimize information leaked to other domains
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+          # Disable embedding as a frame
+          add_header X-Frame-Options DENY;
+
+          # Prevent injection of code in other mime types (XSS Attacks)
+          add_header X-Content-Type-Options nosniff;
+
+          # Enable XSS protection of the browser.
+          # May be unnecessary when CSP is configured properly (see above)
+          add_header X-XSS-Protection "1; mode=block";
+
+          # STS
+          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        '';
+      in
+      {
+        enable = true;
+        recommendedTlsSettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        commonHttpConfig = headers;
+
+        virtualHosts = {
+          "${grafana_host}" = {
+            enableACME = true;
+            forceSSL = true;
+            locations."/" =
+              let
+                g = config.services.grafana.settings.server;
+              in
+              {
+                proxyPass = "http://${g.http_addr}:${toString g.http_port}";
+                proxyWebsockets = true;
+                extraConfig = ''
+                  proxy_set_header Host $host;
+                '';
+              };
+          };
+        };
+      };
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "TLMS@protonmail.com";
+}
--- a/hosts/notice-me-senpai/motd.txt
+++ b/hosts/notice-me-senpai/motd.txt
@ -0,0 +1,6 @@
+    |\__/,|   (`\
+  _.|o o  |_   ) )
+-(((---(((--------
+MONITORING CAT IS WATCHING YOU MASTRUBATE
+AND FUCK UP SERVICES
+(AND LOGS EVERYTHING IT SEES)