From c651506fe6ccfe88309bf6b7050cc43ec62de0e7 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Fri, 14 Feb 2025 23:55:18 -0500
Subject: nixos: add grafana + prom/vm mixins
---
 modules/nixos/mixins/default.nix | 3 ++
 modules/nixos/mixins/grafana.nix | 68 +++++++++++++++++++++++++++++++++
 modules/nixos/mixins/journal-upload.nix | 7 ++++
 modules/nixos/mixins/node-exporter.nix | 11 ++++++
 4 files changed, 89 insertions(+)
 create mode 100644 modules/nixos/mixins/grafana.nix
 create mode 100644 modules/nixos/mixins/journal-upload.nix
 create mode 100644 modules/nixos/mixins/node-exporter.nix
(limited to 'modules/nixos')
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 8e77f34..f402776 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -7,11 +7,14 @@
 ./comin.nix
 ./forgejo.nix
 ./gnome.nix
+ ./grafana.nix
 ./home-manager.nix
+ ./journal-upload.nix
 ./kanidm.nix
 ./lanzaboote.nix
 ./nginx.nix
 ./niri.nix
+ ./node-exporter.nix
 ./nvidia.nix
 ./pipewire.nix
 ./plasma.nix
diff --git a/modules/nixos/mixins/grafana.nix b/modules/nixos/mixins/grafana.nix
new file mode 100644
index 0000000..3385107
--- /dev/null
+++ b/modules/nixos/mixins/grafana.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+{
+ config = lib.mkMerge [
+ {
+ services.grafana = {
+ settings = {
+ analytics = {
+ feedback_links_enabled = false;
+ reporting_enabled = false;
+ };
+
+ "auth.anonymous".enable = true;
+
+ server = {
+ http_port = 6000;
+
+ domain = lib.mkDefault ("grafana." + config.networking.domain);
+ enable_gzip = true;
+ enforce_domain = true;
+ root_url = "https://" + config.services.grafana.settings.server.domain + "/";
+ };
+ };
+ };
+ }
+
+ (lib.mkIf config.services.kanidm.enableServer {
+ services.grafana = {
+ settings = {
+ "auth.basic".enabled = false;
+
+ "auth.generic_oauth" = {
+ enabled = true;
+
+ name = "Kanidm";
+ client_id = "grafana";
+ client_secret = "$__file{${config.age.secrets.grafanaKanidm.path}}";
+ scopes = "openid,profile,email,groups";
+ auth_url = config.services.kanidm.serverSettings.origin + "/ui/oauth2";
+ token_url = config.services.kanidm.serverSettings.origin + "/oauth2/token";
+ api_url = config.services.kanidm.serverSettings.origin + "/oauth2/openid/grafana/userinfo";
+ use_pkce = true;
+ use_refresh_token = true;
+
+ allow_assign_grafana_admin = true;
+ allow_sign_up = true;
+ groups_attribute_path = "groups";
+ login_attribute_path = "preferred_username";
+ role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
+ };
+ };
+ };
+ })
+
+ (lib.mkIf (config.services.grafana.enable && config.services.kanidm.enableServer) {
+ age.secrets.grafanaKanidm = {
+ file = secretsDir + "/grafanaKanidmSecret.age";
+ owner = config.users.users.grafana.name;
+ group = config.users.groups.grafana.name;
+ };
+ })
+ ];
+}
diff --git a/modules/nixos/mixins/journal-upload.nix b/modules/nixos/mixins/journal-upload.nix
new file mode 100644
index 0000000..4d780c9
--- /dev/null
+++ b/modules/nixos/mixins/journal-upload.nix
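Review bot: `"auth.anonymous".enable = true;` in the first mkMerge element uses a key Grafana does not read for that section — the documented key is `enabled`, which is also what this same hunk uses for `"auth.basic".enabled` and `"auth.generic_oauth".enabled` — so the line most likely lands in grafana.ini unused and anonymous access stays off. If anonymous viewing is intended it should read `"auth.anonymous".enabled = true;`, with the understanding that every dashboard on the domain then becomes readable without a login even when the Kanidm OAuth block is active; if it is not intended, the line should go. Because `root_url` is https, adding `security.cookie_secure = true;` to `settings` would also be appropriate, since Grafana leaves it off by default. Whether `allow_sign_up = true` is safe depends on the Kanidm side: every account the `grafana` OAuth2 client admits gets a Grafana user, so the scope map on that client is the effective access control. The OAuth block dereferences `config.age.secrets.grafanaKanidm.path` whenever `kanidm.enableServer` is set while the secret is only declared when `grafana.enable` is also true; that presumably evaluates cleanly because `settings` is never rendered for a disabled Grafana, but gating both on the same condition would remove the question.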
@@ -0,0 +1,7 @@
+{
+ services.journald.upload = {
+ settings = {
+ Upload.URL = "http://atlas:9428/insert/journald";
+ };
+ };
+}
diff --git a/modules/nixos/mixins/node-exporter.nix b/modules/nixos/mixins/node-exporter.nix
new file mode 100644
index 0000000..752ff1d
--- /dev/null
+++ b/modules/nixos/mixins/node-exporter.nix
@@ -0,0 +1,11 @@
+{ lib, ... }:
+
+{
+ services.prometheus.exporters.node = {
+ openFirewall = lib.mkDefault true;
+
+ enabledCollectors = [
+ "systemd"
+ ];
+ };
+}
-- 
cgit v1.2.3
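Review bot: `Upload.URL = "http://atlas:9428/insert/journald";` ships the host's full journal over plain HTTP, so anything on the path between this machine and `atlas` can read or alter the log stream, which routinely carries usernames, sshd/PAM events and occasionally secrets echoed by failing units. If the receiver can present a certificate, switch to an `https://` URL and point `Upload.TrustedCertificateFile` (plus `ServerCertificateFile`/`ServerKeyFile` if client authentication is wanted) at the appropriate files; if cleartext is a deliberate choice for a trusted LAN, a comment saying so would spare the next reader the question. The bare hostname `atlas` also relies on the resolver's search domain, which is worth stating in the same comment.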
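Review bot: `openFirewall = lib.mkDefault true;` opens the exporter's port on every interface the host firewall covers, and the exporter itself has no authentication, so any peer that can reach the host can read its metrics, including the unit inventory the added `systemd` collector exposes. If only one scraper should reach it, narrow the rule rather than the default: the NixOS exporter module has `firewallFilter` for an iptables match on the scraper's address, or leave `openFirewall` off and bind with `listenAddress` to an interface only the monitoring host can reach. Keeping it under `mkDefault` so a host can override it is the right shape; a one-line comment on why it is open by default would help.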