modules/nixos/monitoring: add grafana

This reverts commit b7d0c7a.
nix-community · Sep 28, 2024 · 321e673 · 321e673
1 parent baafd76
commit 321e673
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 3 deletions.
diff --git a/docs/monitoring.md b/docs/monitoring.md
@@ -1,2 +1,3 @@
 - [monitoring.nix-community.org/alertmanager](https://monitoring.nix-community.org/alertmanager)
+- [monitoring.nix-community.org/grafana](https://monitoring.nix-community.org/grafana)
 - [monitoring.nix-community.org/prometheus](https://monitoring.nix-community.org/prometheus)
diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
@@ -1,6 +1,8 @@
 nix-community-matrix-bot-token: ENC[AES256_GCM,data:p9sQnsEIJEGi6AYLxemCN/zkf+lx6dEjrIVfFD28DWtOvCxIy7QKImWIMsbOjWHW/0sjHQYoGwDBrrBzpYed3+AK38J+WEnCi6MSGQ==,iv:BdV3bMjuXFLFTvcXLL/2l08qonIXHFtUvpj2QM0n3Ws=,tag:EhCwGinqZZuLa5CIpCaKeA==,type:str]
 nginx-basic-auth-file: ENC[AES256_GCM,data:andS+j0bOp4m7Xty1RuAmyNGz36rUChhl4dtY+mvguHzei2lYDfdZWilx2VUFT5mmsWCeyrT5otVVg==,iv:BuawT6dsaI6s/vXbfG2HijUBzHec2D47w8KRj6Bba2Y=,tag:PjkfdKhjWmP6+NKFGEPijg==,type:str]
 nginx-basic-auth-password: ENC[AES256_GCM,data:ne6h4KoBo7dNkrKhe4thFkgE/EmIOkfzDh0Bag==,iv:ZsHANsb6PI4a84K81fM1PHtPPa0mi8nYLfh1A9CbaqY=,tag:IYQyFasarwh/EPZ3iUNX3Q==,type:str]
+grafana-admin-password: ENC[AES256_GCM,data:VQGIE4nzIq8aJ8UKaMbQ3DxkwsTSSHHekyPwLuIL07mDVQ==,iv:wOi881EtWsrx5V2ybmR8+oiIphRe1UBYmZqAYigKYfM=,tag:l5lp5HAUg3dx3WNgcIjM1g==,type:str]
+grafana-client-secret: ENC[AES256_GCM,data:Sv51l7j6iaN0lwIX6JPrmHCaezqxoFSTt5vXH0xTZ+1fGd0uE9rLsw==,iv:eHF2TZP/RwvR4zN7IzbWKHbGRx7XigZ4EoWBqOjKHbk=,tag:F9lg6EMVGRq80McDFFJeOw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -61,8 +63,8 @@ sops:
             QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9
             LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-30T03:19:37Z"
-    mac: ENC[AES256_GCM,data:TScUSdUv+SEG2MJ5MdCP7/zuCDG857erbLYG1Vp3/4d3Pvq//Jp5nVtnFSw9Y63Do/r1gzfmiU/B4HFbn40hVo7+/KjKOl8wb9qUheh2UaW+m+gd05mDjjQvrnTVjJJ8/Rj4/kFYvYzsPag8KY37CG0dBqiE7esyk9hUf7kv/4w=,iv:gCsM4oGq0zAR1r0E5xeKAGezXSyh9Eqho/rsU+3x3E8=,tag:A/0KP15zdJUpS3fc9z6/0A==,type:str]
+    lastmodified: "2024-09-28T00:02:40Z"
+    mac: ENC[AES256_GCM,data:S6ytVwEeVjsVCFBLUlX0O3JSQwexcyfjAvBX3MOz25f7siPNfkaHtaq9IGuhD3JsP3J6bLr1JjPRvFqCb6h+GNQW44I8jqgiupKz2vELWPfbahBqDDJGm3Dj7x3E4nstmmaW+kxINj6Q2fkrjFUUSx4O7KmZ4gp4DLthVf+DuCo=,iv:VXIVLnSjl744G1lGSaIJxw6lITqKAuO9SRyOtT/ZGBk=,tag:qw6u5d9d1tXnX0OIErue+g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
@@ -3,6 +3,7 @@
   imports = [
     inputs.srvos.nixosModules.roles-prometheus
     ./alert-rules.nix
+    ./grafana.nix
     ./matrix-hook.nix
     ./prometheus.nix
     ./telegraf.nix
@@ -18,6 +19,10 @@
       basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path;
       proxyPass = "http://localhost:9093/";
     };
+    locations."/grafana/" = {
+      proxyPass = "http://localhost:3000/";
+      proxyWebsockets = true;
+    };
     locations."/prometheus/".proxyPass = "http://localhost:9090/";
   };
 }
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+{
+  systemd.services.grafana.after = [ "prometheus.service" ];
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      analytics.reporting_enabled = false;
+      analytics.feedback_links_enabled = false;
+
+      "auth.anonymous".enabled = true;
+
+      # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/github/
+      "auth.github" = {
+        enabled = true;
+        client_id = "ea6aa36488df8b2dede6";
+        client_secret = "$__file{${config.sops.secrets.grafana-client-secret.path}}";
+        auth_url = "https://github.com/login/oauth/authorize";
+        token_url = "https://github.com/login/oauth/access_token";
+        api_url = "https://api.github.com/user";
+        allow_sign_up = true;
+        auto_login = false;
+        allowed_organizations = [ "nix-community" ];
+        role_attribute_strict = true;
+        allow_assign_grafana_admin = true;
+        role_attribute_path = "contains(groups[*], '@nix-community/admin') && 'GrafanaAdmin' || 'Editor'";
+      };
+
+      server = {
+        root_url = "https://monitoring.nix-community.org/grafana/";
+        domain = "monitoring.nix-community.org";
+        enforce_domain = true;
+        enable_gzip = true;
+      };
+
+      database = {
+        type = "postgres";
+        name = "grafana";
+        host = "/run/postgresql";
+        user = "grafana";
+      };
+
+      security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
+    };
+
+    provision.datasources.settings.datasources = [
+      {
+        name = "prometheus";
+        type = "prometheus";
+        isDefault = true;
+        url = "http://localhost:9090";
+      }
+    ];
+  };
+
+  services.telegraf.extraConfig.inputs.prometheus.urls = [
+    "http://localhost:3000/metrics"
+  ];
+
+  sops.secrets.grafana-admin-password.owner = "grafana";
+  sops.secrets.grafana-client-secret.owner = "grafana";
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+    ensureDatabases = [ "grafana" ];
+    ensureUsers = [
+      {
+        name = "grafana";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}