From 62acfe3a5a61490fed127fba5857aa38580e06a4 Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Wed, 3 May 2023 21:47:46 +0200
Subject: [PATCH] basic grafana setup
---
 hosts/notice-me-senpai/configuration.nix | 4 +-
 hosts/notice-me-senpai/default.nix | 1 +
 hosts/notice-me-senpai/grafana.nix | 132 +++++++++++++++++++++++
 hosts/notice-me-senpai/motd.txt | 6 ++
 4 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 hosts/notice-me-senpai/grafana.nix
 create mode 100644 hosts/notice-me-senpai/motd.txt
diff --git a/hosts/notice-me-senpai/configuration.nix b/hosts/notice-me-senpai/configuration.nix
index 00550e5..89a86bb 100644
--- a/hosts/notice-me-senpai/configuration.nix
+++ b/hosts/notice-me-senpai/configuration.nix
@@ -1,4 +1,4 @@
-{ self, pkgs, ... }: {
+{ self, pkgs, lib, ... }: {
 sops.defaultSopsFile = self + /secrets/notice-me-senpai/secrets.yaml;
 networking.hostName = "notice-me-senpai";
@@ -8,5 +8,7 @@
 kernelPackages = pkgs.linuxPackages_latest;
 };
+ users.motd = lib.mkForce (builtins.readFile ./motd.txt);
+
 system.stateVersion = "22.11";
 }
diff --git a/hosts/notice-me-senpai/default.nix b/hosts/notice-me-senpai/default.nix
index 34241f1..4c78c1c 100644
--- a/hosts/notice-me-senpai/default.nix
+++ b/hosts/notice-me-senpai/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
+ ./grafana.nix
 ./uplink.nix
 ./wg.nix
 ];
diff --git a/hosts/notice-me-senpai/grafana.nix b/hosts/notice-me-senpai/grafana.nix
new file mode 100644
index 0000000..1d5cf3a
--- /dev/null
+++ b/hosts/notice-me-senpai/grafana.nix
@@ -0,0 +1,132 @@
+{ config, lib, self, ... }:
+let
+ grafana_host = "grafana.tlm.solutions";
+in
+{
+ # rules for public interface, ddvb-wg is considered trusted, no firewall there
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80 # nginx
+ 443 # nginx
+ ];
+ allowedUDPPorts = [
+ ];
+ };
+ services = {
+ # metrics collector
+ prometheus =
+ {
+ enable = true;
+ port = 9501;
+ listenAddress = config.deployment-TLMS.net.wg.addr4;
+ scrapeConfigs =
+ let
+ prometheus_listen_address = config.deployment-TLMS.net.wg.addr4;
+
+ ### Autogenerate prometheus scraper config
+ # currently only wireguard-connected machines are getting scraped.
+ filterWgHosts = k: v: !(builtins.isNull v.config.deployment-TLMS.net.wg.addr4);
+ wgHosts = lib.filterAttrs filterWgHosts self.nixosConfigurations;
+
+ # collect active prometheus exporters
+ filterEnabledExporters = name: host: lib.filterAttrs (k: v: v.enable == true) host.config.services.prometheus.exporters;
+ enabledExporters = lib.mapAttrs filterEnabledExporters wgHosts;
+
+ # turns exporter config into scraper config
+ makeScrapeConfig = hostname: exporter: exporter-cfg: {
+ job_name = "${hostname}_${exporter}";
+ static_configs =
+ let
+ ip = wgHosts."${hostname}".config.deployment-TLMS.net.wg.addr4;
+ in
+ [{
+ targets = [ "${ip}:${toString exporter-cfg.port}" ];
+ }];
+
+ relabel_configs = [
+ {
+ target_label = "instance";
+ replacement = "${hostname}";
+ }
+ {
+ target_label = "job";
+ replacement = "${exporter}";
+ }
+ ];
+ };
+
+ # generate scraper config
+ makeScrapeConfigHost = name: exporters: lib.mapAttrs (makeScrapeConfig name) exporters;
+ ScrapeConfigByHost = lib.mapAttrs makeScrapeConfigHost enabledExporters;
+
+ TLMSScrapeConfigs = lib.lists.flatten (map lib.attrValues (lib.attrValues ScrapeConfigByHost));
+ in
+ TLMSScrapeConfigs;
+ };
+
+ # log collector
+
+ # visualizer/alerting
+ grafana = {
+ enable = true;
+ settings.server = {
+ domain = grafana_host;
+ http_addr = "127.0.0.1";
+ http_port = 2342;
+ };
+ };
+
+ # grafana reverse proxy
+ nginx =
+ let
+ headers = ''
+ # Permissions Policy - gps only
+ add_header Permissions-Policy "geolocation=()";
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # STS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ '';
+ in
+ {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ commonHttpConfig = headers;
+
+ virtualHosts = {
+ "${grafana_host}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" =
+ let
+ g = config.services.grafana.settings.server;
+ in
+ {
+ proxyPass = "http://${g.http_addr}:${toString g.http_port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "TLMS@protonmail.com";
+}
diff --git a/hosts/notice-me-senpai/motd.txt b/hosts/notice-me-senpai/motd.txt
new file mode 100644
index 0000000..99b9180
--- /dev/null
+++ b/hosts/notice-me-senpai/motd.txt
@@ -0,0 +1,6 @@
+ |\__/,| (`\
+ _.|o o |_ ) )
+-(((---(((--------
+MONITORING CAT IS WATCHING YOU MASTRUBATE
+AND FUCK UP SERVICES
+(AND LOGS EVERYTHING IT SEES)
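Review bot: Grafana is published on `grafana.tlm.solutions` through the nginx virtual host with `forceSSL`/`enableACME`, but `services.grafana.settings.security` is never set in this file, so unless it is overridden somewhere not visible in the patch the instance starts with the NixOS module's default admin credentials and default `secret_key` while being reachable from the public interface (ports 80/443 are opened in `networking.firewall`). The host already has sops wired up (`sops.defaultSopsFile` in configuration.nix), so the usual fix is to add next to `settings.server` lines of the form `settings.security.admin_password = "$__file{<path-of-sops-secret>}";` and `settings.security.secret_key = "$__file{<path-of-sops-secret>}";`, with the two secrets declared under `sops.secrets`. In the nginx `headers` string the comment `# May be unnecessary when CSP is configured properly (see above)` points at a Content-Security-Policy that the block never defines; either drop "(see above)" or add the policy so the comment matches what is shipped. Separately, `prometheus_listen_address` in the `scrapeConfigs` let-block is bound but never used and can be removed.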