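{ pkgs, config, lib, ... }:

let
  # Host:port under which Grafana reaches Prometheus. It is used both for the
  # provisioned datasource URL and for `security.data_source_proxy_whitelist`.
  # Grafana matches that whitelist against the datasource URL's host:port as a
  # literal string, so the two MUST be the same value -- deriving the whitelist
  # from `services.prometheus.listenAddress` while the URL says `localhost`
  # silently breaks the data source proxy as soon as the exporter binds to
  # anything else (e.g. 0.0.0.0 or 127.0.0.1).
  prometheusHostPort = "localhost:${toString config.services.prometheus.port}";
in
{
  imports = [
    ./prometheus.nix
    ./loki.nix
  ];

  # Secrets are rendered by sops-nix and owned by the grafana service user so
  # the `$__file{}` references further down can read them. Grafana is restarted
  # whenever one of them changes, since the values are only read at startup.
  sops.secrets = lib.genAttrs
    [
      "postgres/grafana"
      "grafana/secretkey"
      "grafana/oauth2_secret"
    ]
    (lib.const rec {
      restartUnits = [ "grafana.service" ];
      owner = config.systemd.services.grafana.serviceConfig.User;
      group = config.users.users.${owner}.group;
    });

  services.grafana = {
    enable = true;
    dataDir = "${config.machineVars.dataDrives.default}/var/grafana";

    provision = {
      enable = true;

      datasources.settings.datasources = [
        {
          name = "Prometheus";
          type = "prometheus";
          # "proxy": browsers never talk to Prometheus directly, Grafana does,
          # subject to data_source_proxy_whitelist below.
          access = "proxy";
          url = "http://${prometheusHostPort}";
          isDefault = true;
        }
      ];

      # Dashboards are vendored JSON files checked into this repository. The
      # `url` on each entry is provenance only (it is not a Grafana provider
      # setting): it records where the file was downloaded from. Most of those
      # URLs point at a moving branch (develop/master) rather than a pinned
      # revision, so a re-download is not reproducible -- diff the JSON before
      # replacing a vendored copy.
      dashboards.settings.providers = let
        # Parse a dashboard JSON, force `editable = false` so it cannot be
        # changed from the UI, and write the result back into the nix store.
        makeReadOnly = x: lib.pipe x [
          builtins.readFile
          builtins.fromJSON
          (x: x // { editable = false; })
          builtins.toJSON
          (pkgs.writeText (builtins.baseNameOf x))
        ];
      in [
        {
          name = "Matrix Synapse";
          type = "file";
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = makeReadOnly ./dashboards/matrix-synapse.json;
        }
        {
          name = "PostgreSQL";
          type = "file";
          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
          options.path = makeReadOnly ./dashboards/postgres.json;
        }
        {
          name = "Node";
          type = "file";
          url = "https://raw.githubusercontent.com/rfmoz/grafana-dashboards/master/prometheus/node-exporter-full.json";
          options.path = makeReadOnly ./dashboards/node.json;
        }
        {
          name = "Nginx";
          type = "file";
          url = "https://raw.githubusercontent.com/nginxinc/nginx-prometheus-exporter/main/grafana/dashboard.json";
          options.path = makeReadOnly ./dashboards/nginx.json;
        }
        # TODO: activate when php-fpm exporter is backported
        # {
        #   name = "php-fpm";
        #   type = "file";
        #   url = "https://raw.githubusercontent.com/hipages/php-fpm_exporter/master/grafana/kubernetes-php-fpm.json";
        #   options.path = makeReadOnly ./dashboards/php-fpm.json;
        # }

        # See https://github.com/grafana/grafana/issues/10786
        {
          name = "Redis";
          type = "file";
          url = "https://raw.githubusercontent.com/oliver006/redis_exporter/master/contrib/grafana_prometheus_redis_dashboard.json";
          # NOTE(review): the only provider not wrapped in makeReadOnly, so this
          # dashboard stays editable from the UI -- presumably deliberate given
          # the issue linked above; confirm before "fixing" it.
          options.path = ./dashboards/redis.json;
        }
        # {
        #   name = "Minecraft";
        #   options.path = makeReadOnly ./dashboards/minecraft.json;
        # }
      ];
    };

    settings = let
      # Reference a sops-rendered secret by file path, so the secret value
      # itself never ends up in the world-readable grafana.ini in the store.
      secretFile = sopsKey: ''$__file{${config.sops.secrets.${sopsKey}.path}}'';
    in {
      server = {
        domain = "log.nani.wtf";
        root_url = "https://log.nani.wtf";
        # Reject requests whose Host header does not match `domain`.
        enforce_domain = true;
        enable_gzip = true;
        # No TCP listener at all: Grafana is only reachable through this unix
        # socket, fronted by nginx (see users.groups.grafana below).
        protocol = "socket";
        socket = "/run/grafana/grafana.sock";
      };

      security = {
        cookie_secure = true;
        csrf_trusted_origins = [ "https://auth.nani.wtf" ];
        # The data source proxy may only reach Prometheus. This must be the
        # exact host:port string used in the provisioned datasource URL above.
        data_source_proxy_whitelist = [ prometheusHostPort ];
        disable_gravatar = true;
        # No default local admin account is created; the only admin comes in
        # through the OAuth role mapping below.
        disable_initial_admin_creation = true;
        secret_key = secretFile "grafana/secretkey";
      };

      database = {
        type = "postgres";
        user = "grafana";
        # Local unix socket; the password is still presented but never
        # traverses the network.
        host = "/var/run/postgresql";
        password = secretFile "postgres/grafana";
      };

      auth = {
        # Local login form intentionally left enabled as a fallback;
        # auto_login below still sends users straight to Kanidm.
        # disable_login_form = true;
      };

      "auth.generic_oauth" = let
        authServerUrl = config.services.kanidm.serverSettings.origin;
      in {
        enabled = true;
        name = "KaniDM";
        client_id = "grafana";
        client_secret = secretFile "grafana/oauth2_secret";
        auth_url = "${authServerUrl}/ui/oauth2";
        token_url = "${authServerUrl}/oauth2/token";
        # NOTE(review): Grafana uses api_url for the user-info request after
        # the token exchange; this path looks like Kanidm's authorization
        # endpoint rather than a userinfo endpoint. Confirm it actually returns
        # the claims the role mapping below reads.
        api_url = "${authServerUrl}/oauth2/authorise";
        # NOTE(review): role_attribute_path reads `info.groups`, but no groups
        # scope is requested here -- verify Kanidm emits the claim regardless.
        scopes = "email openid profile";
        # Skip Grafana's own login page and redirect to Kanidm directly.
        auto_login = true;
        # PKCE protects the authorization-code exchange; keep it on.
        use_pkce = true;

        # Single-user instance: the one real account is in the Kanidm group
        # `grafana_users` and therefore always lands as GrafanaAdmin. Any other
        # account Kanidm lets through to this client only gets Viewer
        # (allow_sign_up defaults to true, so such a Viewer account would be
        # created on first login -- access is gated on the Kanidm side).
        # With role_attribute_strict the login is refused when the expression
        # does not yield a valid role, e.g. if the groups claim is missing.
        role_attribute_strict = true;
        role_attribute_path = "contains(info.groups[*], 'grafana_users') && 'GrafanaAdmin' || 'Viewer'";
        # Needed for the mapping above to be allowed to grant server-admin
        # (GrafanaAdmin), as opposed to just org-level Admin.
        allow_assign_grafana_admin = true;
      };

      # No phone-home: no update checks, telemetry or feedback links.
      analytics = {
        check_for_updates = false;
        feedback_links_enabled = false;
        reporting_enabled = false;
      };
    };
  };

  # nginx must be in the grafana group to connect to the unix socket the
  # server listens on (see settings.server.socket above).
  users.groups."grafana".members = [ "nginx" ];

  # Grafana's database lives in the local PostgreSQL. `requires` pulls the
  # unit in but does not order startup, so `after` is set as well to avoid
  # starting Grafana before the database accepts connections.
  systemd.services.grafana = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };
}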