From 5fd94d85400ee5900b821b1a9acf662ef5ab84f9 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 24 May 2024 15:59:34 +0200
Subject: [PATCH] grafana: init

---
 hosts/falkenstein/default.nix | 1 +
 .../modules/monitoring/default.nix | 18 +++
 hosts/fujitsu/default.nix | 1 +
 hosts/fujitsu/modules/monitoring/default.nix | 14 ++
 hosts/nuc/modules/monitoring/default.nix | 27 ++--
 hosts/nuc/modules/networks/default.nix | 3 +-
 overlays/default.nix | 148 ++++++++++--------
 ...001-cleanup-also-catch-milter-reject.patch | 25 +++
 8 files changed, 154 insertions(+), 83 deletions(-)
 create mode 100644 hosts/falkenstein/modules/monitoring/default.nix
 create mode 100644 hosts/fujitsu/modules/monitoring/default.nix
 create mode 100644 overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch

diff --git a/hosts/falkenstein/default.nix b/hosts/falkenstein/default.nix
index 12f8398..9213bed 100644
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@@ -10,6 +10,7 @@
 ./modules/dns
 ./modules/fail2ban
 ./modules/mail
+ ./modules/monitoring
 ./modules/networks
 ./modules/pfersel
 ./modules/purge
diff --git a/hosts/falkenstein/modules/monitoring/default.nix b/hosts/falkenstein/modules/monitoring/default.nix
new file mode 100644
index 0000000..ced57e6
--- /dev/null
+++ b/hosts/falkenstein/modules/monitoring/default.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ };
+ postfix = {
+ enable = true;
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [
+ config.services.prometheus.exporters.node.port
+ config.services.prometheus.exporters.postfix.port
+ ];
+}
diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix
index 6e5f8d7..bbac861 100644
--- a/hosts/fujitsu/default.nix
+++ b/hosts/fujitsu/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./hardware-configuration.nix
 ./modules/networks
+ ./modules/monitoring
 ];
 boot.loader.grub.enable = true;
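Review bot: `networking.firewall.allowedTCPPorts` in the new falkenstein monitoring module opens the node and postfix exporter ports on every interface, while the only scraper added in this commit reaches the host as `falkenstein.vpn.rfive.de`; the exporters carry no authentication of their own, so whatever can reach the host's other interfaces can read them too. Scoping the rule to the VPN interface, `networking.firewall.interfaces.<vpn-iface>.allowedTCPPorts = [ ... ];` (interface name is a placeholder), or setting `listenAddress` on each exporter to the VPN address, keeps the exposure to the scraper's path. The fujitsu monitoring module created in this commit has the same shape and the same remark applies there.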
diff --git a/hosts/fujitsu/modules/monitoring/default.nix b/hosts/fujitsu/modules/monitoring/default.nix new file mode 100644 index 0000000..e394028 --- /dev/null +++ b/hosts/fujitsu/modules/monitoring/default.nix @@ -0,0 +1,14 @@ +{ config, ... }: +{ + services.prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ + config.services.prometheus.exporters.node.port + ]; +} diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix index 6d2e61e..c9642a4 100644 --- a/hosts/nuc/modules/monitoring/default.nix +++ b/hosts/nuc/modules/monitoring/default.nix @@ -3,7 +3,7 @@ let domain = "monitoring.${config.networking.domain}"; in { - sops.secrets."grafana/oidc_secret" = { + age.secrets."grafana/oidc_secret" = { file = ../../../../secrets/nuc/grafana/oidc.age; owner = "grafana"; }; @@ -37,13 +37,11 @@ in auth_url = "https://auth.rfive.de/application/o/authorize/"; token_url = "https://auth.rfive.de/application/o/token/"; api_url = "https://auth.rfive.de/application/o/userinfo/"; - role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"; + role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"; }; }; - - }; services.postgresql = { @@ -64,7 +62,6 @@ in node = { enable = true; enabledCollectors = [ "systemd" ]; - port = 9002; }; # postfix = { # enable = true; 
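Review bot: The new `role_attribute_path` still ends in `|| 'Viewer'`, so any account the IdP authenticates that is in neither `Grafana Admins` nor `Grafana Editors` is admitted as a Viewer; the group names now decide the level of access, not whether access is granted at all. If membership in one of those groups is meant to be the admission condition, `role_attribute_strict = true;` next to it makes Grafana reject logins that resolve to no role — that option is not visible in this hunk, so it may already be set elsewhere in the block. The enclosing `services.grafana` settings block starts before this hunk.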
@@ -75,17 +72,21 @@ in { job_name = "node"; static_configs = [{ - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + targets = [ + "nuc.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" + "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" + "cudy.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" + "fujitsu.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" + ]; }]; scrape_interval = "15s"; } - # { - # job_name = "postfix"; - # static_configs = [{ - # targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ]; - # }]; - # # scrape_interval = "60s"; - # } + { + job_name = "postfix"; + static_configs = [{ + targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ]; + }]; + } ]; }; diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix index eebf8f8..42d78e0 100644 --- a/hosts/nuc/modules/networks/default.nix +++ b/hosts/nuc/modules/networks/default.nix @@ -35,8 +35,7 @@ }]; networkConfig = { DNS = [ - "9.9.9.9" - "149.112.112.112" + "192.168.42.1" ]; LLDP = true; EmitLLDP = "nearest-bridge"; diff --git a/overlays/default.nix b/overlays/default.nix index 32a91de..0c98fd6 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
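Review bot: The node job now lists `cudy.vpn.rfive.de`, but the diffstat shows monitoring modules created only for falkenstein and fujitsu and the nuc exporter lives in this file, so unless cudy's exporter is configured elsewhere that target will report `up == 0` indefinitely and any alert on it will fire from the first scrape. The targets are bare `host:port` entries scraped over plain HTTP to unauthenticated exporters, which is acceptable only while those names resolve to VPN-only addresses — the hunk cannot show that, and the DNS hunk in the same commit moves resolution to a single `192.168.42.1` with no fallback, so a resolver outage now takes the whole scrape set down at once. The enclosing scrape-config list starts before this hunk.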
@@ -63,80 +63,92 @@ in adguardian-term = callPackage ../pkgs/adguardian-term { }; # upstream package is broken and can't be fixed by overriding attrs. so I just completely redo it in here - seahub = (python3Packages.buildPythonApplication - rec { - pname = "seahub"; - version = "11.0.1"; - format = "other"; - src = fetchFromGitHub { - owner = "haiwen"; - repo = "seahub"; - rev = "v11.0.1-pro"; - sha256 = "sha256-dxMvbiAdECMZIf+HgA5P2gZYI9l+k+nhmdzfg90037A="; - }; + seahub = (python3Packages.buildPythonApplication rec { + pname = "seahub"; + version = "11.0.1"; + format = "other"; + src = fetchFromGitHub { + owner = "haiwen"; + repo = "seahub"; + rev = "v11.0.1-pro"; + sha256 = "sha256-dxMvbiAdECMZIf+HgA5P2gZYI9l+k+nhmdzfg90037A="; + }; - dontBuild = true; + dontBuild = true; - doCheck = false; # disabled because it requires a ccnet environment + doCheck = false; # disabled because it requires a ccnet environment - nativeBuildInputs = [ - makeWrapper - ]; + nativeBuildInputs = [ + makeWrapper + ]; - propagatedBuildInputs = with python3Packages; [ - django - future - django-compressor - django-statici18n - django-webpack-loader - django-simple-captcha - django-picklefield - django-formtools - mysqlclient - pillow - python-dateutil - djangorestframework - openpyxl - requests - requests-oauthlib - chardet - pyjwt - pycryptodome - qrcode - pysearpc - seaserv - gunicorn - markdown - bleach - python-ldap - pyopenssl - (buildPythonPackage rec { - pname = "djangosaml2"; - version = "1.7.0"; - doCheck = false; - propagatedBuildInputs = [ - pysaml2 - django - defusedxml - ]; - src = fetchPypi { - inherit pname version; - sha256 = "sha256-WiMl2UvbOskLA5o5LXPrBF2VktlDnlBNdc42eZ62Fko="; - }; - }) - ]; + propagatedBuildInputs = with python3Packages; [ + django + future + django-compressor + django-statici18n + django-webpack-loader + django-simple-captcha + django-picklefield + django-formtools + mysqlclient + pillow + python-dateutil + djangorestframework + openpyxl + requests + 
requests-oauthlib + chardet + pyjwt + pycryptodome + qrcode + pysearpc + seaserv + gunicorn + markdown + bleach + python-ldap + pyopenssl + (buildPythonPackage rec { + pname = "djangosaml2"; + version = "1.7.0"; + doCheck = false; + propagatedBuildInputs = [ + pysaml2 + django + defusedxml + ]; + src = fetchPypi { + inherit pname version; + sha256 = "sha256-WiMl2UvbOskLA5o5LXPrBF2VktlDnlBNdc42eZ62Fko="; + }; + }) + ]; - installPhase = '' - cp -dr --no-preserve='ownership' . $out/ - wrapProgram $out/manage.py \ - --prefix PYTHONPATH : "$PYTHONPATH:$out/thirdpart:" - ''; + installPhase = '' + cp -dr --no-preserve='ownership' . $out/ + wrapProgram $out/manage.py \ + --prefix PYTHONPATH : "$PYTHONPATH:$out/thirdpart:" + ''; + + passthru = rec { + python = prev.python3; + pythonPath = python.pkgs.makePythonPath propagatedBuildInputs; + }; + }); + # (hopefully) fix systemd journal reading + prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: { + patches = [ + ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch + ]; + src = fetchFromGitHub { + owner = "adangel"; + repo = "postfix_exporter"; + rev = "414ac12ee63415eede46cb3084d755a6da6fba23"; + hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w="; + }; + }); - passthru = rec { - python = prev.python3; - pythonPath = python.pkgs.makePythonPath propagatedBuildInputs; - }; - }); } diff --git a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch new file mode 100644 index 0000000..2b60316 --- /dev/null +++ b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch 
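Review bot: `overrideAttrs (_old: { patches = [ ... ]; })` replaces whatever `patches` the nixpkgs `prometheus-postfix-exporter` derivation already carries instead of appending to them; `patches = (old.patches or [ ]) ++ [ ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch ];` (naming the argument `old`) keeps them. The comment `# (hopefully) fix systemd journal reading` describes the switch of `src` to the adangel fork at a pinned rev, not the patch, whose subject is `cleanup: also catch milter-reject`; a second comment above `patches`, e.g. `# count milter-reject lines as cleanup rejects (local patch, not upstream)`, would keep the two changes apart for the next reader. `version` is left as upstream's while `src` now points at a different fork and rev, so the derivation name no longer says what is built — worth overriding `version` alongside `src` if the fork's version is known. The seahub part of the hunk is a re-indent only, with `passthru` moved unchanged.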
@@ -0,0 +1,25 @@
+From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001
+From: Rouven Seifert
+Date: Thu, 2 May 2024 11:20:27 +0200
+Subject: [PATCH] cleanup: also catch milter-reject
+
+---
+ postfix_exporter.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/postfix_exporter.go b/postfix_exporter.go
+index f20d99c..676d767 100644
+--- a/postfix_exporter.go
++++ b/postfix_exporter.go
+@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) {
+ e.cleanupProcesses.Inc()
+ } else if strings.Contains(remainder, ": reject: ") {
+ e.cleanupRejects.Inc()
++ } else if strings.Contains(remainder, ": milter-reject: ") {
++ e.cleanupRejects.Inc()
+ } else {
+ e.addToUnsupportedLine(line, subprocess, level)
+ }
+--
+2.44.0
+
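Review bot: The added branch feeds `: milter-reject: ` lines into the same `cleanupRejects` counter as `: reject: `, so the exported metric no longer distinguishes milter rejections from cleanup's own rejects, and any dashboard or alert that read the counter with the narrower meaning now sees both. If the distinction matters, a separate counter or a label on the existing one would preserve it; if broadening is intended, a sentence in the patch body saying so would document the choice, since the subject line alone does not. `CollectFromLogLine` starts and ends outside the quoted hunk.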