h7x4
8a42e97014
- Secure grafana better, it had secrets in the nix store - Set up prometheus exporters for nginx and php-fpm - Add urls for dashboards - Disable automatic updates
124 lines
3.6 KiB
Nix
124 lines
3.6 KiB
Nix
{ pkgs, config, lib, secrets, ... }:
|
|
{
|
|
imports = [
|
|
./prometheus.nix
|
|
./loki.nix
|
|
];
|
|
|
|
sops.secrets = lib.genAttrs
|
|
[
|
|
"postgres/grafana"
|
|
"grafana/secretkey"
|
|
"grafana/oauth2_secret"
|
|
]
|
|
(lib.const rec {
|
|
restartUnits = [ "grafana.service" ];
|
|
owner = config.systemd.services.grafana.serviceConfig.User;
|
|
group = config.users.users.${owner}.group;
|
|
});
|
|
|
|
services.grafana = {
|
|
enable = true;
|
|
dataDir = "${config.machineVars.dataDrives.default}/var/grafana";
|
|
|
|
provision = {
|
|
enable = true;
|
|
|
|
datasources.settings.datasources = [
|
|
{
|
|
name = "Prometheus";
|
|
type = "prometheus";
|
|
access = "proxy";
|
|
url = "http://localhost:${toString config.services.prometheus.port}";
|
|
isDefault = true;
|
|
}
|
|
];
|
|
|
|
dashboards.settings.providers = let
|
|
makeReadOnly = x: lib.pipe x [
|
|
builtins.readFile
|
|
builtins.fromJSON
|
|
(x: x // { editable = false; })
|
|
builtins.toJSON
|
|
(pkgs.writeText (builtins.baseNameOf x))
|
|
];
|
|
in [
|
|
{
|
|
name = "Matrix Synapse";
|
|
type = "file";
|
|
url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
|
|
options.path = makeReadOnly ./dashboards/matrix-synapse.json;
|
|
}
|
|
{
|
|
name = "PostgreSQL";
|
|
type = "file";
|
|
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
|
|
options.path = makeReadOnly ./dashboards/postgres.json;
|
|
}
|
|
{
|
|
name = "Node";
|
|
type = "file";
|
|
url = "https://raw.githubusercontent.com/rfmoz/grafana-dashboards/master/prometheus/node-exporter-full.json";
|
|
options.path = makeReadOnly ./dashboards/node.json;
|
|
}
|
|
{
|
|
name = "Nginx";
|
|
type = "file";
|
|
url = "https://raw.githubusercontent.com/nginxinc/nginx-prometheus-exporter/main/grafana/dashboard.json";
|
|
options.path = makeReadOnly ./dashboards/nginx.json;
|
|
}
|
|
# TODO: activate when php-fpm exporter is backported
|
|
# {
|
|
# name = "php-fpm";
|
|
# type = "file";
|
|
# url = "https://raw.githubusercontent.com/hipages/php-fpm_exporter/master/grafana/kubernetes-php-fpm.json";
|
|
# options.path = makeReadOnly ./dashboards/php-fpm.json;
|
|
# }
|
|
|
|
# See https://github.com/grafana/grafana/issues/10786
|
|
|
|
{
|
|
name = "Redis";
|
|
type = "file";
|
|
url = "https://raw.githubusercontent.com/oliver006/redis_exporter/master/contrib/grafana_prometheus_redis_dashboard.json";
|
|
options.path = ./dashboards/redis.json;
|
|
}
|
|
# {
|
|
# name = "Minecraft";
|
|
# options.path = makeReadOnly ./dashboards/minecraft.json;
|
|
# }
|
|
];
|
|
};
|
|
|
|
settings = let
|
|
secretFile = sopsKey: ''$__file{${config.sops.secrets.${sopsKey}.path}}'';
|
|
in {
|
|
analytics.check_for_updates = false;
|
|
server = {
|
|
domain = "log.nani.wtf";
|
|
# TODO: use socket
|
|
# protocol = [ "socket" ];
|
|
http_addr = "127.0.0.1";
|
|
http_port = secrets.ports.grafana;
|
|
};
|
|
|
|
security = {
|
|
disable_initial_admin_creation = true;
|
|
cookie_secure = true;
|
|
secret_key = secretFile "grafana/secretkey";
|
|
};
|
|
|
|
database = {
|
|
type = "postgres";
|
|
user = "grafana";
|
|
host = "/var/run/postgresql";
|
|
password = secretFile "postgres/grafana";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.grafana = {
|
|
requires = [ "postgresql.service" ];
|
|
};
|
|
}
|