From 7a17462557e15b162e56a908c727a3ee951f3f29 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 24 May 2024 13:13:18 +0200
Subject: [PATCH] nuc: init monitoring
---
 hosts/nuc/modules/monitoring/default.nix | 96 +++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/nuc/grafana/oidc.age | Bin 0 -> 451 bytes
 3 files changed, 97 insertions(+)
 create mode 100644 hosts/nuc/modules/monitoring/default.nix
 create mode 100644 secrets/nuc/grafana/oidc.age
diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix
new file mode 100644
index 0000000..6d2e61e
--- /dev/null
+++ b/hosts/nuc/modules/monitoring/default.nix
@@ -0,0 +1,96 @@
+{ config, ... }:
+let
+ domain = "monitoring.${config.networking.domain}";
+in
+{
+ sops.secrets."grafana/oidc_secret" = {
+ file = ../../../../secrets/nuc/grafana/oidc.age;
+ owner = "grafana";
+ };
+ # grafana configuration
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ inherit domain;
+ http_addr = "127.0.0.1";
+ http_port = 2342;
+ root_url = "https://${domain}";
+ };
+ database = {
+ type = "postgres";
+ user = "grafana";
+ host = "/run/postgresql";
+ };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Authentik";
+ allow_sign_up = true;
+ client_id = "grafana";
+ client_secret = "$__file{${config.age.secrets."grafana/oidc_secret".path}}";
+ scopes = "openid email profile offline_access roles";
+
+ email_attribute_path = "email";
+ login_attribute_path = "username";
+ name_attribute_path = "full_name";
+
+ auth_url = "https://auth.rfive.de/application/o/authorize/";
+ token_url = "https://auth.rfive.de/application/o/token/";
+ api_url = "https://auth.rfive.de/application/o/userinfo/";
+ role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+
+ };
+
+ };
+
+
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "grafana";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [ "grafana" ];
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ # postfix = {
+ # enable = true;
+ # port = 9003;
+ # };
+ };
+ scrapeConfigs = [
+ {
+ job_name = "node";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
+ scrape_interval = "15s";
+ }
+ # {
+ # job_name = "postfix";
+ # static_configs = [{
+ # targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
+ # }];
+ # # scrape_interval = "60s";
+ # }
+ ];
+ };
+
+ # nginx reverse proxy
+ services.caddy.virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port}
+ '';
+}
diff --git a/secrets.nix b/secrets.nix
index 86010a7..025a849 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -24,6 +24,7 @@ in
 "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/authentik/core.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/grafana/oidc.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/grafana/oidc.age b/secrets/nuc/grafana/oidc.age
new file mode 100644
index 0000000000000000000000000000000000000000..504dbe95c2afa2755cb993f2a853ee570c4ea380
GIT binary patch literal 451 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4Nr3P2vqP4$Vu{W za(DMKiA>D*icBgf)7K9RGmHw)3`(s`%l9bEb}RQVG0V~qcI7hn^)^cjE)Vt2HjT^( zs7x^`b`L8usR|4A3`|LNb8#&zFmVk@OwZ5FF+sP@C?qH)B3;4X(!(dq(c3rFC_SpY z$RxZl**nRo)V#nwD!@O;$i>kmywa;6BqcG+C7UZX&BZ$~BGTWvG_@c%C)d2J!q~;5 zq^dNfJj5W>tH>-P&&{K%C`#MS(U(hCS63m^xH6+WuiQL0FgVF4%QDL_%+IS*KeVzW zG}|J$GN~Z7%ER2y+bloa*p;g*C24Wxk&hp>W1oIZl(b6=x!PZ%%5zFL?Ci;Dercs! zTog2)E$=JY@p0YzBhwNYD?csiR!GG8 zs&4cD&)z)|S3mnGXFgA(c7&sosV>82Yd2XV^%AYdkn8fVUwqlNXT{=ERm>tMgH&%B lOw#EyO;OSIc<=pT>%tXF6j}b6Y
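Review bot: In hosts/nuc/modules/monitoring/default.nix the OIDC secret is declared as `sops.secrets."grafana/oidc_secret"` with a `file = ….age` attribute, but `client_secret` reads `config.age.secrets."grafana/oidc_secret".path` and secrets.nix lists the file with agenix-style `publicKeys`; as written no `age` secret of that name is defined in this module, so the lookup would be expected to fail at evaluation unless it is declared elsewhere. Declaring it as `age.secrets."grafana/oidc_secret" = { file = …; owner = "grafana"; };` makes the declaration and the reference agree. Separately, `services.prometheus` and the node exporter set only `port`, so they take the module's default listen address, which I believe is all interfaces; since the only scrape target is 127.0.0.1, adding `listenAddress = "127.0.0.1";` to both keeps the metrics endpoints off the network regardless of firewall state. The `# nginx reverse proxy` comment above the Caddy virtual host should read `# caddy reverse proxy`.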