From 68337ff760ab04b714e46fe7ecf855079ec3af13 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sun, 3 Dec 2023 14:19:30 +0100
Subject: [PATCH] feat(flora-6): init grafana + prometheus on grafana.pub.solar
---
hosts/flora-6/apps/caddy.nix | 8 +++
hosts/flora-6/apps/grafana.nix | 67 +++++++++++++++++++++
hosts/flora-6/apps/prometheus.nix | 27 +++++++++
hosts/flora-6/default.nix | 2 +
secrets/grafana-admin-password.age | Bin 0 -> 1506 bytes
secrets/grafana-keycloak-client-secret.age | 28 +++++++++
secrets/grafana-smtp-password.age | Bin 0 -> 1543 bytes
secrets/secrets.nix | 4 ++
terraform/dns.tf | 5 ++
9 files changed, 141 insertions(+)
create mode 100644 hosts/flora-6/apps/grafana.nix
create mode 100644 hosts/flora-6/apps/prometheus.nix
create mode 100644 secrets/grafana-admin-password.age
create mode 100644 secrets/grafana-keycloak-client-secret.age
create mode 100644 secrets/grafana-smtp-password.age
diff --git a/hosts/flora-6/apps/caddy.nix b/hosts/flora-6/apps/caddy.nix
index a241de2..bc6fac3 100644
--- a/hosts/flora-6/apps/caddy.nix
+++ b/hosts/flora-6/apps/caddy.nix
@@ -27,6 +27,14 @@
 reverse_proxy :4000
 '';
 };
+ "grafana.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :${toString config.services.grafana.settings.server.http_port}
+ '';
+ };
 "obs-portal.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
diff --git a/hosts/flora-6/apps/grafana.nix b/hosts/flora-6/apps/grafana.nix
new file mode 100644
index 0000000..2727b8e
--- /dev/null
+++ b/hosts/flora-6/apps/grafana.nix
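Review bot: The new `grafana.pub.solar` vhost discards its access log (`logFormat = lib.mkForce '' output discard ''`), mirroring the neighbouring `obs-portal.pub.solar` entry, but this is an authenticated admin UI, so the proxy-side record of requests to the login and OAuth callback paths is lost; Grafana's own log covers logins it sees, while anything Caddy answers itself (TLS handshakes, redirects, upstream errors) leaves no trace. If the discard is deliberate for this host, a one-line comment such as `# access log intentionally discarded; Grafana logs auth events itself` would make that explicit; otherwise keep Caddy's default log for this vhost. The enclosing attribute set (presumably `services.caddy.virtualHosts`) starts and ends outside the hunk.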
@@ -0,0 +1,67 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: {
+ age.secrets.grafana-admin-password = {
+ file = "${flake.self}/secrets/grafana-admin-password.age";
+ mode = "644";
+ owner = "grafana";
+ };
+ age.secrets.grafana-smtp-password = {
+ file = "${flake.self}/secrets/grafana-smtp-password.age";
+ mode = "644";
+ owner = "grafana";
+ };
+ age.secrets.grafana-keycloak-client-secret = {
+ file = "${flake.self}/secrets/grafana-keycloak-client-secret.age";
+ mode = "644";
+ owner = "grafana";
+ };
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ # Listening Address
+ http_addr = "127.0.0.1";
+ # and Port
+ http_port = 3000;
+ # Grafana needs to know on which domain and URL it's running
+ domain = "grafana.pub.solar";
+ enable_gzip = true;
+ };
+ smtp = {
+ enabled = true;
+ host = "mx2.greenbaum.cloud:465";
+ user = "admins@pub.solar";
+ password = "\$__file{${config.age.secrets.grafana-smtp-password.path}}";
+ from_address = "no-reply@pub.solar";
+ from_name = "grafana.pub.solar";
+ ehlo_identity = "flora-6.pub.solar";
+ };
+ security = {
+ admin_email = "crew@pub.solar";
+ admin_password = "\$__file{${config.age.secrets.grafana-admin-password.path}}";
+ };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "pub.solar ID";
+ allow_sign_up = true;
+ client_id = "grafana";
+ client_secret = "\$__file{${config.age.secrets.grafana-keycloak-client-secret.path}}";
+ scopes = "openid email profile offline_access roles";
+ email_attribute_path = "email";
+ login_attribute_path = "preferred_username";
+ name_attribute_path = "full_name";
+ auth_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/auth";
+ token_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/token";
+ api_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/userinfo";
+ role_attribute_path = "contains(info.roles[*], 'admin') && 'GrafanaAdmin' || contains(info.roles[*], 'editor') && 'Editor' || 'Viewer'";
+
allow_assign_grafana_admin = true; + }; + }; + }; +} diff --git a/hosts/flora-6/apps/prometheus.nix b/hosts/flora-6/apps/prometheus.nix new file mode 100644 index 0000000..7ae27ea --- /dev/null +++ b/hosts/flora-6/apps/prometheus.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: { + services.prometheus = { + enable = true; + port = 9001; + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + scrapeConfigs = [ + { + job_name = "flora-6"; + static_configs = [{ + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + ]; + }; +} diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix index 6511a00..6478858 100644 --- a/hosts/flora-6/default.nix +++ b/hosts/flora-6/default.nix @@ -11,5 +11,7 @@ ./apps/drone.nix ./apps/forgejo-actions-runner.nix + ./apps/grafana.nix + ./apps/prometheus.nix ]; } diff --git a/secrets/grafana-admin-password.age b/secrets/grafana-admin-password.age new file mode 100644 index 0000000000000000000000000000000000000000..9ce754dfdb4172a7e7196658428151f4c00382d5 GIT binary patch literal 1506 zcmZXTx$fkI0f$ptN`G}PuFdwfrWG`7drcR zLk9>Uq(n-dfP!Kpr3@WQu_-oB@acDaL7F@zb<{uFF>mTWH+>4td*JEa-7sWNNsQq5 z{;>04-w&2uSo_sJV-whCq(!_PVgj~9W2St@s_J5p>aHh1&^q;K1Z0)tCBjwuO0kRR-Gak-{RJY{_Ky z$h%A}4H#2Ckdp`=!Xm(VRWOYO18DbMtSbFG&OU`DvTUFnrMVS+L1 ziiJj=D~OrXA~GtQj9t$viTl7K`JNwXp;0erQli>I)X3s%FnCsmi`Lnw4L z-$k)-Of+??#rfqyI5jAR+c6Gk32%B=Vb#Y`mnUFL!9AK>&@gMG)liGD>&obM>u30& z^V1P>)DD`@P`etU1BJ(G z>}}McCl6;dMkj)|ntKl-MPEAb9N$bhA`kXL{Z1SI5;R@^l=ew5Bs%6~bD-$~Ue82>zJDV4~K+Qf*?KliUz7O3r!1)ct(u3DsJmBf+ zY4^yksHWedfrnHXVZfnUS0bZ$aimAQab`)L!2EFLK==fF{kQemzmVtu30LGUciBI_ zQvdMn5AXc^-1_^+FaG_-H=lj<-3$MX{hObD@z-hta|?6 YKmAI*HGTj74y@hJKYZ`4Kbrsi4TlN$LI3~& literal 0 HcmV?d00001 diff --git a/secrets/grafana-keycloak-client-secret.age b/secrets/grafana-keycloak-client-secret.age new file mode 100644 index 0000000..b4c01fa --- /dev/null 
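Review bot: All three `age.secrets.*` entries at the top of the new file set `mode = "644"`, which leaves the decrypted Grafana admin password, SMTP password and Keycloak client secret readable by every local account and every other service on flora-6; Grafana reads them through `$__file{...}` as the `grafana` owner, so `mode = "400";` on each of the three entries is sufficient and closes that exposure. Two smaller points in the same file: `security.cookie_secure` is not set, so the session cookie is issued without the Secure flag although the service is only reachable through the Caddy TLS vhost, and `server.root_url` is not set, so unless it is defined elsewhere Grafana derives its OAuth redirect URI from `domain` plus `http_port` rather than from the public https URL. `allow_sign_up = true` means any pub.solar ID can create a Viewer account, which I assume is intended. The whole new file is within this hunk.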
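Review bot: Neither `services.prometheus` nor `exporters.node` sets `listenAddress`, and the NixOS module defaults both to `0.0.0.0`, so Prometheus on port 9001 and the node exporter on port 9002 (with the `systemd` collector enabled) would accept connections on every interface unless the host firewall, which this commit does not show, blocks them. The only scrape target is `127.0.0.1`, so adding `listenAddress = "127.0.0.1";` to both the server and the exporter matches the intent and removes the dependency on the firewall. The sibling grafana.nix does not provision a Prometheus datasource, so I assume that is meant to be added through the UI. The whole new file is within this hunk.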
+++ b/secrets/grafana-keycloak-client-secret.age @@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw M6ha3gQ4Oq4PdymYZ5ZG0qGwFlpCYfJdhOBwH9n1gxg +zCtB0PJanufNdV0ShynDT0Z/2jxMFDRby8xsfv6YPaA +-> ssh-ed25519 uYcDNw V89Ll4HJ3ZkQegiCI6gswz736domVgDGSDCA8bZBwHs +W7IrEL+1xUXuVdy6A61z6P+pS/ajTGPL+qv+9Jh8UxI +-> ssh-rsa kFDS0A +SV6QVIW8MCQVB8ABiOGxLTXEMO6rfeG82CktBFtf76WeIYzlkho/IaGgWXoqoIQ0 +KC/ev7vNGnB01AOWe/xkuMZDRvK+qGaOLB7wpZG1cJhqSon9oZtztoDjd/Crp5K0 +nfeHjY9E/jgFr0KYeaLedw5OJuaOw4YiuKyTThVbpRZwbof30nvHXqrYKPZJi1gq +s5spoWYH2ijZi9mrJojP2ZqK5DJjCteXqP1YHdz3LjxomoDyl5cv/tLNsvrptfxD +FvZMcPrvrC/IWqJ8qGW+f8ENUGyjXxx6jFQ2WN9IMIdJYk5bz458ip3GKqnAlwi3 +SZbaxRuEYEoy6ikKGRuXMAwpJd3YXcRcaRdetw0a4grdD6hF21bTl2+LnTb1ydnb +frzeoXaqbBdhEyLpZFAmGLydteIyA/Kl/D/PEJ0MHc0G0EGofMm6YsNJJrP3mQgi +mXC2Kto6WV/JLVEnURayf12rPR1T/VPIyYZ/Xi9HfPh0p3Y21nadPAcEq/PltWgR +AqELfBbVpNtcxTP2pjEJqGskJCYKAmMeM+yQ0moKVmuMWicahMqjQRJO1jnvTwwd +GhJlUO32EuI6Fn6sApthv2FfLrle+x0H4/v9xvHDJIVSmLYtzK+9ueUPn/A1x8X1 +lGeJh+ecEV2r630insGAp8WQzyXhraHrn3lgyacwRmA +-> ssh-ed25519 YFSOsg KKhXh/XW7iF7wMA7JD9fbgmty5yVPaSS1vGdHz0Xh0M +eLJc+F/yIR1ckZX/npLI+l3I2iB+OrKBkJAQTkbWVF4 +-> ssh-ed25519 iHV63A xoJ7Tr8mKgYVPPeJYBnOHLBY5E0i34vEQR3pMVKxbAc +TKqc9Y/RpnfTP3CNvCearB4FuvNmW0mcGVLh7Ebjzeo +-> ssh-ed25519 BVsyTA LaMK6X/MJyQTQ24p9uHXh75leMcp/akCA2YZACEG03M +psw6sVlNGT8WsG3L9kbXdrhqxp8hIdSF7s4o60jTYgY +-> vcxmk`-grease 8^p$~+LB -G)+N&$^ P)7#7[wX +8TyK2RrSHFuMyFy9YY7ZI6RSduF5hw6xZKhiysVkif4Husb1flN8QVmWtoW8laWz +n8772TmNTcfq5ebUp+UA+S6MVgf75D1GnDumEDH/LbM4LNjRZzyw3nBGu/Q +--- Ouu56e69gTpAY1ouLPlzI/n6geKz1CMmTl8wAVyIDPM +57W>J@jl_/=ջ4(KѥzSs \ No newline at end of file 
diff --git a/secrets/grafana-smtp-password.age b/secrets/grafana-smtp-password.age new file mode 100644 index 0000000000000000000000000000000000000000..44cf171fcf5b446f2d37e23f371bd89981751cfa GIT binary patch literal 1543 zcmZXTyY9ng0mYduh7OfjgOI8s_g~**TSy=~PMr7>Ut{MpLc+Ivu^nGO+lehz^fh2% zL#RWiN_~Ke1t!>#cm#GjFz{z6LwSIs-#JI;#4vx$n{-&Zv1pr5+W`_Yg}wcJgV6mg z&uEUL#0?;$D1L72oNW)a96JH@nwPvZOHx@V$yl2n)Kmnr_yCf4B*1~ibe-G3yy+F& z6Q?_TdtwKo>ZRASIc32aA&({EX1(VnDSV$cfmAs^H|%tTfqkV=Q#;KTU+eAu?A?M! z=kR{M*qTj5Nv9E%p;p+@P_olBP%bxv9b_2y1@C$}?>%i2s=nr$2uDH2yRHPkqYWtD zR0qW)CCo7=W({{@ROCtFxWkif#0R0I%(^{_wR_|iJrCs_)K8P(LEbkz`>aN6mUFwd zeDWRkWX^z(ctW`6t$;^dbyUtGKaL@RaH#`AB~&T3UVzMOZ9f~WqZ%u|zOOAVBzX6R zW5a^P@UXB&r%dwhNx7*TvA!yFOqIkU-5#6S-pf z9jXxW0hHXn%3NIY7`@TD-Rn|bGCdG$rJd$S5jIHFQe?WI!Dpk8TiB=Q>dMX&hn>KDzN5UUq_&LrTiLX zHyF;fEd#%1pD}xH+pz7sSY^?pp5%)`9afc0&Ug~)m6q?Ib0Kfow5yN`ja_;q^FX0j zf!iyVif|x#M@N}=2360l=m_vYGNrs|BOv58+qdGuI&w#dusUs1(OCG^_j`6Y9oOw} zCWf|~w=^pY<_?ZhUz~fYVN;;JI0D(JCb?aG+rHG?mMpC3WAoulJ`JXWS_<~v->G|M zxwOdeEl4NhOY-e|8?VN-?D+W5f=Xn_e9skgwBj@1E9bS~a?-J38*UTbh2jMhfXnZ4u z?xS$9o(2Zg#CXgf+>{U5qVVFKR3&6er;1ZuS|{jUdIDkh{64KX23tnj&>~kj^eO8* zp4uB*Rd3D3FfAn(=}1u$d-Co)K%!?QE4O^P*B+MH(9 z;?Z`w${ew!-cJ<(RN7bhfg?ACC#~kYK4P8!X1mTFD!jBbC8vroX4gARG=U=4X?+Dt zP-1UyZ=1>k^LusfYaV4|G`4d%pM_%IshKb&mjih6{CuboF=`0=YfB3h5@LzoWP5=Af{^iF%`sfe;R-He8{?$J}`}VJ&+^>KC_CLiN`vm|1 literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 594748b..3abf74f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -62,4 +62,8 @@ in { "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys; "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys; + + "grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys; + "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys; + "grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys; } diff --git a/terraform/dns.tf b/terraform/dns.tf index 57b230c..f7380ab 100644 
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -83,6 +83,11 @@ resource "namecheap_domain_records" "pub-solar" {
 address = "138.201.80.102"
 ttl = 300
 }
+ record {
+ hostname = "grafana"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
 record {
 hostname = "hpb"
 type = "A"
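Review bot: The new `grafana` record is a CNAME to `nachtigall.pub.solar.`, while everything else in this commit deploys Grafana and its Caddy vhost on flora-6 (`hosts/flora-6/apps/...`, and grafana.nix uses `flora-6.pub.solar` as its SMTP identity), so ACME validation and the reverse proxy would be reached on nachtigall unless that host forwards the name; please confirm the intended target, which looks like it should be the flora-6 host. The new record also omits `ttl`, unlike the preceding record's `ttl = 300`, so it will take the provider default. The enclosing `resource "namecheap_domain_records" "pub-solar"` block starts and ends outside the hunk.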