tsuki/monitoring: misc:

- Secure grafana better, it had secrets in the nix store
- Set up prometheus exporters for nginx and php-fpm
- Add urls for dashboards
- Disable automatic updates
Oystein Kristoffer Tveit 2023-07-12 01:45:59 +02:00
parent 25b6f0f3e9
commit 8a42e97014
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
7 changed files with 3021 additions and 8 deletions


@ -0,0 +1,567 @@
{
"__inputs": [
{
"description": "",
"label": "Prometheus",
"name": "DS_PROMETHEUS",
"pluginId": "prometheus",
"pluginName": "Prometheus",
"type": "datasource"
}
],
"__requires": [
{
"id": "grafana",
"name": "Grafana",
"type": "grafana",
"version": "5.0.0"
},
{
"id": "graph",
"name": "Graph",
"type": "panel",
"version": ""
},
{
"id": "prometheus",
"name": "Prometheus",
"type": "datasource",
"version": "1.0.0"
},
{
"id": "singlestat",
"name": "Singlestat",
"type": "panel",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "-- Grafana --",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Official dashboard for NGINX Prometheus exporter",
"editable": true,
"gnetId": null,
"graphTooltip": 0,
"id": null,
"iteration": 1562682051068,
"links": [],
"panels": [
{
"collapsed": false,
"datasource": "${DS_PROMETHEUS}",
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 4,
"panels": [],
"title": "Status",
"type": "row"
},
{
"cacheTimeout": null,
"colorBackground": true,
"colorPostfix": false,
"colorPrefix": false,
"colorValue": false,
"colors": [
"#E02F44",
"#FF9830",
"#299c46"
],
"datasource": "${DS_PROMETHEUS}",
"decimals": null,
"description": "",
"format": "none",
"gauge": {
"maxValue": 100,
"minValue": 0,
"show": false,
"thresholdLabels": false,
"thresholdMarkers": true
},
"gridPos": {
"h": 3,
"w": 12,
"x": 0,
"y": 1
},
"id": 8,
"interval": null,
"links": [],
"mappingType": 1,
"mappingTypes": [
{
"name": "value to text",
"value": 1
},
{
"name": "range to text",
"value": 2
}
],
"maxDataPoints": 100,
"nullPointMode": "connected",
"nullText": null,
"options": {},
"postfix": "",
"postfixFontSize": "50%",
"prefix": "",
"prefixFontSize": "50%",
"rangeMaps": [
{
"from": "null",
"text": "N/A",
"to": "null"
}
],
"repeat": "instance",
"repeatDirection": "h",
"sparkline": {
"fillColor": "rgba(31, 118, 189, 0.18)",
"full": false,
"lineColor": "rgb(31, 120, 193)",
"show": false
},
"tableColumn": "",
"targets": [
{
"expr": "nginx_up{instance=~\"$instance\"}",
"format": "time_series",
"instant": false,
"intervalFactor": 1,
"refId": "A"
}
],
"thresholds": "1,1",
"timeFrom": null,
"timeShift": null,
"title": "NGINX Status for $instance",
"type": "singlestat",
"valueFontSize": "100%",
"valueMaps": [
{
"op": "=",
"text": "Down",
"value": "0"
},
{
"op": "=",
"text": "Up",
"value": "1"
}
],
"valueName": "current"
},
{
"collapsed": false,
"datasource": "${DS_PROMETHEUS}",
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 4
},
"id": 6,
"panels": [],
"title": "Metrics",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"decimals": null,
"description": "",
"fill": 1,
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 5
},
"id": 10,
"legend": {
"alignAsTable": false,
"avg": false,
"current": false,
"hideEmpty": false,
"max": false,
"min": false,
"rightSide": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "irate(nginx_connections_accepted{instance=~\"$instance\"}[5m])",
"format": "time_series",
"instant": false,
"intervalFactor": 1,
"legendFormat": "{{instance}} accepted",
"refId": "A"
},
{
"expr": "irate(nginx_connections_handled{instance=~\"$instance\"}[5m])",
"format": "time_series",
"instant": false,
"intervalFactor": 1,
"legendFormat": "{{instance}} handled",
"refId": "B"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Processed connections",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"decimals": 1,
"format": "short",
"label": "Connections (rate)",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"decimals": 0,
"fill": 1,
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 5
},
"id": 12,
"legend": {
"alignAsTable": false,
"avg": false,
"current": false,
"max": false,
"min": false,
"rightSide": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "nginx_connections_active{instance=~\"$instance\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{instance}} active",
"refId": "A"
},
{
"expr": "nginx_connections_reading{instance=~\"$instance\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{instance}} reading",
"refId": "B"
},
{
"expr": "nginx_connections_waiting{instance=~\"$instance\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{instance}} waiting",
"refId": "C"
},
{
"expr": "nginx_connections_writing{instance=~\"$instance\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{instance}} writing",
"refId": "D"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Active Connections",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"decimals": 0,
"format": "short",
"label": "Connections",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "${DS_PROMETHEUS}",
"fill": 1,
"gridPos": {
"h": 8,
"w": 24,
"x": 0,
"y": 15
},
"id": 15,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "irate(nginx_http_requests_total{instance=~\"$instance\"}[5m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{instance}} total requests",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Total requests",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"refresh": "5s",
"schemaVersion": 18,
"style": "dark",
"tags": [
"nginx",
"prometheus",
"nginx prometheus exporter"
],
"templating": {
"list": [
{
"current": {
"selected": false,
"tags": [],
"text": "default",
"value": "default"
},
"hide": 0,
"includeAll": false,
"label": "datasource",
"multi": false,
"name": "DS_PROMETHEUS",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": null,
"current": {},
"datasource": "${DS_PROMETHEUS}",
"definition": "label_values(nginx_up, instance)",
"hide": 0,
"includeAll": true,
"label": "",
"multi": true,
"name": "instance",
"options": [],
"query": "label_values(nginx_up, instance)",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"tagValuesQuery": "",
"tags": [],
"tagsQuery": "",
"type": "query",
"useTags": false
}
]
},
"time": {
"from": "now-15m",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "NGINX",
"uid": "MsjffzSZz",
"version": 1
}



@ -5,6 +5,18 @@
./loki.nix ./loki.nix
]; ];
sops.secrets = lib.genAttrs
[
"postgres/grafana"
"grafana/secretkey"
"grafana/oauth2_secret"
]
(lib.const rec {
restartUnits = [ "grafana.service" ];
owner = config.systemd.services.grafana.serviceConfig.User;
group = config.users.users.${owner}.group;
});
services.grafana = { services.grafana = {
enable = true; enable = true;
dataDir = "${config.machineVars.dataDrives.default}/var/grafana"; dataDir = "${config.machineVars.dataDrives.default}/var/grafana";
@ -33,23 +45,44 @@
in [ in [
{ {
name = "Matrix Synapse"; name = "Matrix Synapse";
type = "file";
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
options.path = makeReadOnly ./dashboards/matrix-synapse.json; options.path = makeReadOnly ./dashboards/matrix-synapse.json;
} }
{ {
name = "PostgreSQL"; name = "PostgreSQL";
type = "file";
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
options.path = makeReadOnly ./dashboards/postgres.json; options.path = makeReadOnly ./dashboards/postgres.json;
} }
{ {
name = "Node"; name = "Node";
type = "file";
url = "https://raw.githubusercontent.com/rfmoz/grafana-dashboards/master/prometheus/node-exporter-full.json";
options.path = makeReadOnly ./dashboards/node.json; options.path = makeReadOnly ./dashboards/node.json;
} }
{
name = "Nginx";
type = "file";
url = "https://raw.githubusercontent.com/nginxinc/nginx-prometheus-exporter/main/grafana/dashboard.json";
options.path = makeReadOnly ./dashboards/nginx.json;
}
# TODO: activate when php-fpm exporter is backported
# {
# name = "php-fpm";
# type = "file";
# url = "https://raw.githubusercontent.com/hipages/php-fpm_exporter/master/grafana/kubernetes-php-fpm.json";
# options.path = makeReadOnly ./dashboards/php-fpm.json;
# }
# See https://github.com/grafana/grafana/issues/10786 # See https://github.com/grafana/grafana/issues/10786
# { {
# name = "Redis"; name = "Redis";
# options.path = ./dashboards/redis.json; type = "file";
# } url = "https://raw.githubusercontent.com/oliver006/redis_exporter/master/contrib/grafana_prometheus_redis_dashboard.json";
options.path = ./dashboards/redis.json;
}
# { # {
# name = "Minecraft"; # name = "Minecraft";
# options.path = makeReadOnly ./dashboards/minecraft.json; # options.path = makeReadOnly ./dashboards/minecraft.json;
@ -57,18 +90,34 @@
]; ];
}; };
settings = { settings = let
secretFile = sopsKey: ''$__file{${config.sops.secrets.${sopsKey}.path}}'';
in {
analytics.check_for_updates = false;
server = { server = {
domain = "log.nani.wtf"; domain = "log.nani.wtf";
http_addr = "0.0.0.0"; # TODO: use socket
# protocol = [ "socket" ];
http_addr = "127.0.0.1";
http_port = secrets.ports.grafana; http_port = secrets.ports.grafana;
}; };
security = {
disable_initial_admin_creation = true;
cookie_secure = true;
secret_key = secretFile "grafana/secretkey";
};
database = { database = {
type = "postgres"; type = "postgres";
user = "grafana"; user = "grafana";
host = "localhost:${toString secrets.ports.postgres}"; host = "/var/run/postgresql";
password = secretFile "postgres/grafana";
}; };
}; };
}; };
systemd.services.grafana = {
requires = [ "postgresql.service" ];
};
} }
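Review bot: `grafana/oauth2_secret` is declared in `sops.secrets` in the first hunk, but nothing in the visible `settings` reads it; only `secret_key` and `database.password` go through `secretFile`. If the OAuth client secret is still set as a literal in a part of this file outside the hunks, it continues to land in the world-readable Nix store, so it should use the same helper, e.g. `client_secret = secretFile "grafana/oauth2_secret";` in the relevant `auth.*` section. The values that were in the store before this commit also stay readable in older generations and in the repository history, so it is worth stating in the commit message or a comment whether they were rotated rather than only moved. The `settings` attribute set begins in an earlier hunk, so this is judged from the visible lines only.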


@ -0,0 +1,18 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus = {
scrapeConfigs = [{
job_name = "nginx";
scrape_interval = "15s";
static_configs = [{
targets = [ "${cfg.exporters.nginx.listenAddress}:${toString cfg.exporters.nginx.port}" ];
}];
}];
exporters.nginx = {
enable = true;
listenAddress = "127.0.0.1";
};
};
}
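Review bot: Nothing in this new file enables the status endpoint that the nginx exporter scrapes, so unless `services.nginx.statusPage = true;` or a matching `scrapeUri` is set elsewhere in the configuration, the `nginx` job will only report `nginx_up 0`. A comment above `exporters.nginx` would make that dependency visible, for example `# needs services.nginx.statusPage; keep stub_status reachable from localhost only`. Binding the exporter to `127.0.0.1` is the right default here, since the metrics endpoint has no authentication of its own.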


@ -0,0 +1,18 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus = {
scrapeConfigs = [{
job_name = "php-fpm";
scrape_interval = "15s";
static_configs = [{
targets = [ "${cfg.exporters.php-fpm.listenAddress}:${toString cfg.exporters.nginx.port}" ];
}];
}];
exporters.php-fpm = {
enable = true;
listenAddress = "127.0.0.1";
};
};
}
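Review bot: The scrape target in `static_configs` combines the php-fpm listen address with the nginx exporter's port (`cfg.exporters.nginx.port`), which looks like a copy-paste slip from the nginx module. Once this file is imported, Prometheus would scrape the nginx exporter under the `php-fpm` job name and the php-fpm exporter would never be scraped. The line should read `targets = [ "${cfg.exporters.php-fpm.listenAddress}:${toString cfg.exporters.php-fpm.port}" ];`. The import is still commented out in the Prometheus module on this page, so the defect is latent until the TODO is resolved.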


@ -3,11 +3,14 @@
imports = [ imports = [
./prometheus-exporters/matrix-synapse.nix ./prometheus-exporters/matrix-synapse.nix
./prometheus-exporters/minecraft.nix
./prometheus-exporters/nginx.nix
./prometheus-exporters/node.nix ./prometheus-exporters/node.nix
# TODO: activate when php-fpm exporter is backported
# ./prometheus-exporters/php-fpm.nix
./prometheus-exporters/postgres.nix ./prometheus-exporters/postgres.nix
./prometheus-exporters/redis.nix ./prometheus-exporters/redis.nix
./prometheus-exporters/systemd.nix ./prometheus-exporters/systemd.nix
./prometheus-exporters/minecraft.nix
]; ];
services.prometheus = { services.prometheus = {


@ -1,3 +1,6 @@
grafana:
oauth2_secret: ENC[AES256_GCM,data:zxfPtiB/o5cC27O9uQzPvQV1qWcp3xxnIi7/P84I2lJ/X4ovAwXuiEqnc7BDAE4E,iv:ZY8BDTMEvR2JiFHKM8iM90UQbmTqH/DoVklWno6Xa4U=,tag:E8GTGk9IJauCgjaoToShBg==,type:str]
secretkey: ENC[AES256_GCM,data:aVzqZqwFfm3FcYJE8USxsDbZVwtnF5NJXTAqshv9av4ZeR5YrDfDzLYHHztXMZt2Q7p/6A==,iv:A7x7oRUVvfxqSXRfi9+15z9pE6xX+GZrGU7gXrSKyXE=,tag:2uatRT0XePk2dqZj2ZlM3A==,type:str]
headscale: headscale:
oauth2_secret: ENC[AES256_GCM,data:Ois+s0O9wgL3zWpgk6E35o5HczIW/4wnSq2KU+F59u4FBFPAtbl/WD0N4AKgWMrm,iv:UX8vhNvHvA5BmNmx5eW8ugce+yZCE1lt2ux8sJajZ8Q=,tag:xOpdLLryt8MptiVsKibNew==,type:str] oauth2_secret: ENC[AES256_GCM,data:Ois+s0O9wgL3zWpgk6E35o5HczIW/4wnSq2KU+F59u4FBFPAtbl/WD0N4AKgWMrm,iv:UX8vhNvHvA5BmNmx5eW8ugce+yZCE1lt2ux8sJajZ8Q=,tag:xOpdLLryt8MptiVsKibNew==,type:str]
hedgedoc: hedgedoc:
@ -14,6 +17,7 @@ postgres:
invidious: ENC[AES256_GCM,data:r/Jzs7U1fkCi2j5L/tOcBfakR3virj8HGrDrVZdP7VwubG4BJLvoeb14eJo=,iv:3plNFOds+HeF0HAliedczpNgPL4ZgqhCOwqbnb2e8Ag=,tag:DHm/KM9UuPiqaRxqNDb7QA==,type:str] invidious: ENC[AES256_GCM,data:r/Jzs7U1fkCi2j5L/tOcBfakR3virj8HGrDrVZdP7VwubG4BJLvoeb14eJo=,iv:3plNFOds+HeF0HAliedczpNgPL4ZgqhCOwqbnb2e8Ag=,tag:DHm/KM9UuPiqaRxqNDb7QA==,type:str]
nextcloud: ENC[AES256_GCM,data:E1tD6Z2SDbi5TUDAACjXSJJIn+/ySu0+8xhvRVFxumxjex4ZsEw+mofKIxM=,iv:E4iPVF3M8GOoQghVQtn/kCEpXl0b8MueCbtyvzFM8AA=,tag:IF4kWOuTsylqrXMoXzQaVQ==,type:str] nextcloud: ENC[AES256_GCM,data:E1tD6Z2SDbi5TUDAACjXSJJIn+/ySu0+8xhvRVFxumxjex4ZsEw+mofKIxM=,iv:E4iPVF3M8GOoQghVQtn/kCEpXl0b8MueCbtyvzFM8AA=,tag:IF4kWOuTsylqrXMoXzQaVQ==,type:str]
headscale: ENC[AES256_GCM,data:UVPCZjcpm9j2dMwyAvrPfwOj84JJHrwoU5rs672FEeA=,iv:zq3J4mL/PB3EAl8LHxxC77Y4FMrZWT4QF+DOih+FIGk=,tag:UwfjKnjfJ3a6RwAWg/8BzQ==,type:str] headscale: ENC[AES256_GCM,data:UVPCZjcpm9j2dMwyAvrPfwOj84JJHrwoU5rs672FEeA=,iv:zq3J4mL/PB3EAl8LHxxC77Y4FMrZWT4QF+DOih+FIGk=,tag:UwfjKnjfJ3a6RwAWg/8BzQ==,type:str]
grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
pgadmin: pgadmin:
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str] oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str] initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]