authorSeth Flynn <[email protected]>2025-02-14 23:55:18 -0500
committerSeth Flynn <[email protected]>2025-02-15 01:18:39 -0500
commitc651506fe6ccfe88309bf6b7050cc43ec62de0e7 (patch)
tree93370d645221abe01363cc2080386a94a3556403 /modules/nixos
parent3a0933447bc9b5d44e13a12a845c0d70662a92a5 (diff)
nixos: add grafana + prom/vm mixins
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/mixins/default.nix3
-rw-r--r--modules/nixos/mixins/grafana.nix68
-rw-r--r--modules/nixos/mixins/journal-upload.nix7
-rw-r--r--modules/nixos/mixins/node-exporter.nix11
4 files changed, 89 insertions, 0 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 8e77f34..f402776 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -7,11 +7,14 @@
./comin.nix
./forgejo.nix
./gnome.nix
+ ./grafana.nix
./home-manager.nix
+ ./journal-upload.nix
./kanidm.nix
./lanzaboote.nix
./nginx.nix
./niri.nix
+ ./node-exporter.nix
./nvidia.nix
./pipewire.nix
./plasma.nix
diff --git a/modules/nixos/mixins/grafana.nix b/modules/nixos/mixins/grafana.nix
new file mode 100644
index 0000000..3385107
--- /dev/null
+++ b/modules/nixos/mixins/grafana.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+{
+ config = lib.mkMerge [
+ {
+ services.grafana = {
+ settings = {
+ analytics = {
+ feedback_links_enabled = false;
+ reporting_enabled = false;
+ };
+
+ "auth.anonymous".enable = true;
+
+ server = {
+ http_port = 6000;
+
+ domain = lib.mkDefault ("grafana." + config.networking.domain);
+ enable_gzip = true;
+ enforce_domain = true;
+ root_url = "https://" + config.services.grafana.settings.server.domain + "/";
+ };
+ };
+ };
+ }
+
+ (lib.mkIf config.services.kanidm.enableServer {
+ services.grafana = {
+ settings = {
+ "auth.basic".enabled = false;
+
+ "auth.generic_oauth" = {
+ enabled = true;
+
+ name = "Kanidm";
+ client_id = "grafana";
+ client_secret = "$__file{${config.age.secrets.grafanaKanidm.path}}";
+ scopes = "openid,profile,email,groups";
+ auth_url = config.services.kanidm.serverSettings.origin + "/ui/oauth2";
+ token_url = config.services.kanidm.serverSettings.origin + "/oauth2/token";
+ api_url = config.services.kanidm.serverSettings.origin + "/oauth2/openid/grafana/userinfo";
+ use_pkce = true;
+ use_refresh_token = true;
+
+ allow_assign_grafana_admin = true;
+ allow_sign_up = true;
+ groups_attribute_path = "groups";
+ login_attribute_path = "preferred_username";
+ role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
+ };
+ };
+ };
+ })
+
+ (lib.mkIf (config.services.grafana.enable && config.services.kanidm.enableServer) {
+ age.secrets.grafanaKanidm = {
+ file = secretsDir + "/grafanaKanidmSecret.age";
+ owner = config.users.users.grafana.name;
+ group = config.users.groups.grafana.name;
+ };
+ })
+ ];
+}
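Review bot: `"auth.anonymous".enable = true;` uses the key `enable`, but Grafana's option in that section is `enabled` (the later `"auth.basic".enabled = false;` in this same file uses the right spelling), so the line most likely has no effect as written. If unauthenticated viewing is intended, write `"auth.anonymous".enabled = true;` with an explicit `"auth.anonymous".org_role = "Viewer";` and a comment noting that dashboards in the default org become readable without login by anyone who can reach the vhost; if it is not intended, remove the line so a later spelling fix does not open the instance by accident. Separately, `allow_assign_grafana_admin = true` lets the `grafana_role` claim grant server-admin rights, so a comment naming where Kanidm emits that claim, and which group feeds it, would help the next reader.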
diff --git a/modules/nixos/mixins/journal-upload.nix b/modules/nixos/mixins/journal-upload.nix
new file mode 100644
index 0000000..4d780c9
--- /dev/null
+++ b/modules/nixos/mixins/journal-upload.nix
@@ -0,0 +1,7 @@
+{
+ services.journald.upload = {
+ settings = {
+ Upload.URL = "http://atlas:9428/insert/journald";
+ };
+ };
+}
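Review bot: `Upload.URL = "http://atlas:9428/insert/journald";` ships the journal over plain HTTP, so log contents are readable and the receiver is unauthenticated on any network path between this host and `atlas`. If `atlas` is only reachable over an encrypted overlay, say so in a comment above the line, e.g. `# plaintext is acceptable only because atlas resolves over the VPN/overlay (confirm)`. Otherwise front the ingest endpoint with TLS, switch the URL to `https://`, and set `Upload.TrustedCertificateFile` so systemd-journal-upload verifies the server. The file also does not set `services.journald.upload.enable`, so presumably each host opts in elsewhere.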
diff --git a/modules/nixos/mixins/node-exporter.nix b/modules/nixos/mixins/node-exporter.nix
new file mode 100644
index 0000000..752ff1d
--- /dev/null
+++ b/modules/nixos/mixins/node-exporter.nix
@@ -0,0 +1,11 @@
+{ lib, ... }:
+
+{
+ services.prometheus.exporters.node = {
+ openFirewall = lib.mkDefault true;
+
+ enabledCollectors = [
+ "systemd"
+ ];
+ };
+}
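Review bot: `openFirewall = lib.mkDefault true;` opens the exporter port on every interface, and node_exporter serves its metrics without authentication by default, so with the `systemd` collector enabled any reachable peer can read unit names and states along with the host metrics. Consider narrowing it to the scrape path, for example `firewallFilter = "-i <scrape-interface> -p tcp -m tcp --dport 9100";` (the interface name is a placeholder) or a `listenAddress` bound to the internal address. A comment stating which network the scraper comes from would also make the `mkDefault` easier to override correctly per host.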