{ config, pkgs, ... }: let domain = "monitoring.${config.networking.domain}"; in { imports = [ ./dmarc.nix ]; age.secrets."grafana/oidc_secret" = { file = ../../../../secrets/nuc/grafana/oidc.age; owner = "grafana"; }; age.secrets."maxmind" = { file = ../../../../secrets/shared/maxmind.age; }; users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ]; networking.firewall.allowedTCPPorts = [ config.services.loki.configuration.server.http_listen_port ]; # grafana configuration # todo: move to own file services.geoipupdate = { enable = true; settings = { AccountID = 1018346; LicenseKey = config.age.secrets."maxmind".path; EditionIDs = [ "GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country" ]; DatabaseDirectory = "/var/lib/GeoIP"; }; }; services.grafana = { enable = true; declarativePlugins = with pkgs.grafanaPlugins; [ grafana-worldmap-panel grafana-piechart-panel ]; settings = { server = { inherit domain; http_addr = "127.0.0.1"; http_port = 2342; root_url = "https://${domain}"; }; database = { type = "postgres"; user = "grafana"; host = "/run/postgresql"; }; auth.disable_login_form = true; "auth.generic_oauth" = { enabled = true; name = "Authentik"; allow_sign_up = true; client_id = "grafana"; client_secret = "$__file{${config.age.secrets."grafana/oidc_secret".path}}"; scopes = "openid email profile offline_access roles"; email_attribute_path = "email"; login_attribute_path = "username"; name_attribute_path = "full_name"; auth_url = "https://auth.rfive.de/application/o/authorize/"; token_url = "https://auth.rfive.de/application/o/token/"; api_url = "https://auth.rfive.de/application/o/userinfo/"; role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"; }; }; }; services.postgresql = { enable = true; ensureUsers = [ { name = "grafana"; ensureDBOwnership = true; } ]; ensureDatabases = [ "grafana" ]; }; services.prometheus = { enable = true; port = 9001; exporters = { node = { enable = true; enabledCollectors = [ "systemd" ]; }; }; scrapeConfigs = [ { job_name = "node"; static_configs = [{ targets = [ "nuc.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" "cudy.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" "fujitsu.vpn.rfive.de:${toString config.services.prometheus.exporters.node.port}" ]; }]; scrape_interval = "15s"; } { job_name = "synapse"; static_configs = [{ targets = [ "matrix.rfive.de:8008" ]; }]; metrics_path = "/synapse/metrics"; scrape_interval = "15s"; } { job_name = "rspamd"; static_configs = [{ targets = [ "falkenstein.vpn.rfive.de:11334" ]; }]; } { job_name = "caddy"; static_configs = [{ targets = [ "falkenstein.vpn.rfive.de:2018" "nuc.vpn.rfive.de:2018" ]; }]; scrape_interval = "15s"; } ]; }; services.loki = { enable = true; # copied from https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e configuration = { server.http_listen_port = 3030; auth_enabled = false; common = { path_prefix = "/tmp/loki"; }; ingester = { lifecycler = { address = "127.0.0.1"; ring = { kvstore = { store = "inmemory"; }; replication_factor = 1; }; }; chunk_idle_period = "1h"; max_chunk_age = "1h"; chunk_target_size = 999999; chunk_retain_period = "30s"; # max_transfer_retries = 0; }; schema_config = { configs = [{ from = "2022-06-06"; store = "tsdb"; object_store = "filesystem"; schema = "v13"; index = { prefix = "index_"; period = "24h"; }; }]; }; storage_config = { boltdb_shipper = { active_index_directory = "/var/lib/loki/boltdb-shipper-active"; cache_location = "/var/lib/loki/boltdb-shipper-cache"; cache_ttl = "24h"; # shared_store = "filesystem"; }; filesystem = { directory = "/var/lib/loki/chunks"; }; }; limits_config = { reject_old_samples = true; reject_old_samples_max_age = "168h"; }; # chunk_store_config = { # max_look_back_period = "0s"; # }; table_manager = { retention_deletes_enabled = false; retention_period = "0s"; }; compactor = { working_directory = "/var/lib/loki"; # shared_store = "filesystem"; compactor_ring = { kvstore = { store = "inmemory"; }; }; }; }; }; # also copied services.promtail = { enable = true; configuration = { server = { http_listen_port = 3031; grpc_listen_port = 0; }; positions = { filename = "/tmp/positions.yaml"; }; clients = [{ url = "http://nuc.vpn.rfive.de:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; }]; scrape_configs = [ { job_name = "journal"; journal = { json = false; max_age = "12h"; path = "/var/log/journal"; labels.job = "systemd-journal"; }; relabel_configs = [ { source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; } { source_labels = [ "__journal__hostname" ]; target_label = "host"; } { source_labels = [ "__journal_priority_keyword" ]; target_label = "level"; } { source_labels = [ "__journal_syslog_identifier" ]; target_label = "syslog_identifier"; } ]; pipeline_stages = [ { match = { selector = ''{unit="promtail.servicel"}''; action = "drop"; }; } ]; } { job_name = "caddy_access_log"; static_configs = [ { targets = [ "localhost" ]; labels = { job = "caddy_access_log"; # host = "matrix.rfive.de"; agent = "caddy-promtail"; __path__ = "/var/log/caddy/*.log"; }; } ]; pipeline_stages = [ { # remove :443 from matrix or rspamd logs replace = { expression = ".*(de:443).*"; replace = "de"; }; } { json.expressions.remote_ip = "request.remote_ip"; } { geoip = { db = "/var/lib/GeoIP/GeoLite2-City.mmdb"; source = "remote_ip"; db_type = "city"; }; } ]; } ]; }; }; # nginx reverse proxy services.caddy.virtualHosts.${domain}.extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.grafana.settings.server.http_port} ''; }